
(September 15, 2012)

Michel Thomatis, CCIE #6778


RouteHub Group, LLC
www.RouteHub.net

Configuration Reference Guide | Configuration Reference Guide (CRG) 1


ROUTEHUB GROUP END-USER LICENSE AGREEMENT

END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,

DO NOT OPEN OR USE THE TRAINING MATERIALS.

IMPORTANT! BE SURE TO CAREFULLY READ AND UNDERSTAND ALL OF THE RIGHTS AND RESTRICTIONS SET
FORTH IN THIS END-USER LICENSE AGREEMENT ("EULA"). YOU ARE NOT AUTHORIZED TO USE THIS NETWORK
CONFIGURATION GUIDE/TRAINING UNLESS AND UNTIL YOU ACCEPT THE TERMS OF THIS EULA.

This EULA is a binding legal agreement between you and ROUTEHUB GROUP, LLC (hereinafter "Licensor") for the
materials accompanying this EULA, including the accompanying computer Network Configuration Guide/Training, associated media,
printed materials and any "online" or electronic documentation (hereinafter the "Network Configuration Guide/Training"). By using
the Network Configuration Guide/Training, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this
EULA, do not install or attempt to use the Network Configuration Guide/Training.

The Guide & Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Guide &
Training Materials throughout the term of this License.

1. Grant of License

The Network Configuration Guide/Training is protected by copyright laws and international copyright treaties, as well as
other intellectual property laws and treaties. The Network Configuration Guide/Training is licensed, not sold. This EULA grants you
the following rights:

A. You may use, access, display and run only one copy of the Network Configuration Guide/Training, on a single
computer, workstation or terminal ("Computer"). The primary user of the Computer on which the Network Configuration
Guide/Training is installed may make a second copy for his or her exclusive use for archival purposes only.

B. You may store or install a copy of the Network Configuration Guide/Training on a storage device, such as a network
server, used only to run the Network Configuration Guide/Training on your other Computers over an internal network. You must,
however, acquire a license for each separate Computer on which the Network Configuration Guide/Training is run, displayed or
utilized from the server or similar device. A license for the Network Configuration Guide/Training may not be shared or used
concurrently on different Computers.

C. Your license rights under this EULA are non-exclusive. All rights not expressly granted herein are reserved by
Licensor.

D. You may not sell, transfer or convey the Network Configuration Guide/Training to any third party without Licensor's
prior express written consent.

2. Price and Payment

If you have not previously paid the license fee for the Network Configuration Guide/Training, then you must pay the license
fee within the period indicated in the applicable invoice sent to you by Licensor.

3. Support Services

This EULA is a license of the Network Configuration Guide/Training only, and Licensor does not assume any obligation to
provide maintenance, patches or fixes to the Network Configuration Guide/Training. Licensor further disclaims any obligation to
provide support or to prepare and distribute modifications, enhancements, updates and new releases of the Network Configuration
Guide/Training.

4. Replacement, Modification and/or Upgrades



Licensor may, from time to time, and for a fee, replace, modify or upgrade the Network Configuration Guide/Training. When
accepted by you, any such replacement or modified Network Configuration Guide/Training code or upgrade to the Network
Configuration Guide/Training will be considered part of the Network Configuration Guide/Training and subject to the terms of this
EULA (unless this EULA is superseded by a further EULA accompanying such replacement or modified version of or upgrade to the
Network Configuration Guide/Training).

5. Termination

You may terminate this EULA at any time by destroying all your copies of the Network Configuration Guide/Training. Your
license to the Network Configuration Guide/Training automatically terminates if you fail to comply with the terms of this agreement.
Upon termination, you are required to remove the Network Configuration Guide/Training from your computer and destroy any copies
of the Network Configuration Guide/Training in your possession. No refund with the product will be granted.

6. Copyright

A. All title and copyrights in and to the Network Configuration Guide/Training (including but not limited to any images,
photographs, animations, video, audio, music and text incorporated into the Network Configuration Guide/Training), the
accompanying printed materials, and any copies of the Network Configuration Guide/Training, are owned by Licensor or its
suppliers. This EULA grants you no rights to use such content. If this Network Configuration Guide/Training contains documentation
that is provided only in electronic form, you may print one copy of such electronic documentation. Except for any copies of this
EULA, you may not copy the printed materials accompanying the Network Configuration Guide/Training.

B. You may not reverse engineer, de-compile, disassemble, alter, duplicate, modify, rent, lease, loan, sublicense, make
copies of, create derivative works from, distribute or provide others with the Network Configuration Guide/Training in whole or part,
transmit or communicate the application over a network.

7. Export Restrictions

You may not export, ship, transmit or re-export Network Configuration Guide/Training in violation of any applicable law or
regulation including but not limited to Export Administration Regulations issued by the U. S. Department of Commerce.

8. Disclaimer of Warranties

LICENSOR AND ITS SUPPLIERS PROVIDE THE NETWORK CONFIGURATION GUIDE/TRAINING "AS IS" AND WITH
ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS, IMPLIED OR
STATUTORY, INCLUDING BUT NOT LIMITED TO ANY (IF ANY) IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF LACK OF VIRUSES, AND OF LACK OF NEGLIGENCE
OR LACK OF WORKMANLIKE EFFORT. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, OF QUIET
ENJOYMENT, OR OF NONINFRINGEMENT. THE ENTIRE RISK ARISING OUT OF THE USE OR PERFORMANCE OF THE
NETWORK CONFIGURATION GUIDE/TRAINING IS WITH YOU.

9. Limitation of Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR OR ITS SUPPLIERS
BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE OR OTHER DAMAGES
WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE NETWORK
CONFIGURATION GUIDE/TRAINING AND WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR
OTHERWISE, EVEN IF LICENSOR OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
EXCLUSION OF DAMAGES WILL BE EFFECTIVE EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

10. Arbitration

Any dispute arising under this EULA will be subject to binding arbitration by a single Arbitrator with the American Arbitration
Association (AAA), in accordance with its relevant industry rules, if any. The parties agree that this EULA will be governed by and
construed and interpreted in accordance with the laws of the State of California. The arbitration will be held in California. The
Arbitrator will have the authority to grant injunctive relief and specific performance to enforce the terms of this EULA. Judgment on
any award rendered by the Arbitrator may be entered in any Court of competent jurisdiction.

11. Severability



If any term of this EULA is found to be unenforceable or contrary to law, it will be modified to the least extent necessary to
make it enforceable, and the remaining portions of this Agreement will remain in full force and effect.

12. No Waiver

No waiver of any right under this EULA will be deemed effective unless contained in writing signed by a duly authorized
representative of the party against whom the waiver is to be asserted, and no waiver of any past or present right arising from any
breach or failure to perform will be deemed to be a waiver of any future rights arising out of this EULA.

13. Entire Agreement

This EULA constitutes the entire agreement between the parties with respect to its subject matter, and supersedes all prior
agreements, proposals, negotiations, representations or communications relating to the subject matter. Both parties acknowledge
that they have not been induced to enter into this EULA by any representations or promises not specifically stated herein.



CONFIGURATION REFERENCE GUIDE (CRG)

CONFIGURATION REFERENCE GUIDE (CRG) ............................................................................................................ 5

CORE NETWORK SERVICES ..................................................................................................................................... 7

IP ROUTING...................................................................................................................................................................8
LAN SWITCHING ..........................................................................................................................................................43
MULTICAST .................................................................................................................................................................71
QUALITY OF SERVICE (QOS)............................................................................................................................................85
IPV6 ..........................................................................................................................................................................96
FIRST HOP REDUNDANCY PROTOCOLS (FHRP) .................................................................................................................106
NETWORK MANAGEMENT ............................................................................................................................................112
GENERAL AND IP SERVICES ...........................................................................................................................................121

SECURITY SERVICES ............................................................................................................................................ 143

CISCO FIREWALLS .......................................................................................................................................................144


VIRTUAL PRIVATE NETWORK (VPN) ...............................................................................................................................151
CONTENT FILTERING ....................................................................................................................................................177
SERVICES...................................................................................................................................................................178

TUNNELING SERVICES ........................................................................................................................................ 182

L3VPN ....................................................................................................................................................................183
L2VPN ....................................................................................................................................................................205

VOICE AND UNIFIED COMMUNICATION SERVICES .............................................................................................. 224

VOICE GATEWAY ........................................................................................................................................................225


CISCO CALLMANAGER EXPRESS (CME) ...........................................................................................................................233
CISCO UNITY EXPRESS (CUE) ........................................................................................................................................269
OTHER VOICE SOLUTIONS AND PRODUCTS .......................................................................................................................278

WIRELESS SERVICES ........................................................................................................................................... 281

CISCO IOS WIRELESS...................................................................................................................................................282


CISCO WIRELESS LAN CONTROLLER (WLC) .....................................................................................................................290

HARDWARE ....................................................................................................................................................... 292

GENERAL ..................................................................................................................................................................293
CISCO ASA 5500 / PIX500 / FWSM ...........................................................................................................................294
CISCO PIX 500 SERIES.................................................................................................................................................323
CISCO CATALYST 6500 SERIES.......................................................................................................................................330
CISCO CATALYST 4500 SERIES.......................................................................................................................................343
CISCO ACE SERIES ......................................................................................................................................................348
CISCO NEXUS SERIES (NX-OS) ......................................................................................................................................351

WAN AND INTERNET EDGE ................................................................................................................................ 382



ACCESS CONNECTIONS AND PROTOCOLS .........................................................................................................................382

TEMPLATES AND BASE CONFIGURATION ........................................................................................................... 403

BASE CONFIGURATION.................................................................................................................................................404
TEMPLATES ...............................................................................................................................................................411
SOLUTIONS & SCENARIOS.............................................................................................................................................414

SYSTEMS AND OTHER SERVICES ......................................................................................................................... 421

MICROSOFT ...............................................................................................................................................................421



CORE NETWORK SERVICES

CORE NETWORK SERVICES ..................................................................................................................................... 7

IP ROUTING...................................................................................................................................................................8
LAN SWITCHING ..........................................................................................................................................................43
MULTICAST .................................................................................................................................................................71
QUALITY OF SERVICE (QOS)............................................................................................................................................85
IPV6 ..........................................................................................................................................................................96
FIRST HOP REDUNDANCY PROTOCOLS (FHRP) .................................................................................................................106
NETWORK MANAGEMENT ............................................................................................................................................112
IP NETWORK SERVICES ................................................................................................................................................121



IP ROUTING

IP ROUTING...................................................................................................................................................................8
OSPF .......................................................................................................................................................................9
EIGRP ...................................................................................................................................................................17
BGP ......................................................................................................................................................................21
Route Tagging......................................................................................................................................................38
Static ....................................................................................................................................................................42



OSPF

OSPF .......................................................................................................................................................................9
OSPF Routing ....................................................................................................................................................................... 9
Router ID............................................................................................................................................................................ 10
Default Routing .................................................................................................................................................................. 10
OSPF Network: Point-to-Point ........................................................................................................................................... 10
Passive Interface ................................................................................................................................................................ 10
MD5 Authentication .......................................................................................................................................................... 10
DR and BDR Selection ........................................................................................................................................................ 11
SPF and LSA Timers ............................................................................................................................................ 12
Neighbor Timers ................................................................................................................................................................ 12
Changing Admin Distance .................................................................................................................................................. 12
Maximum Paths Per Route ................................................................................................................................................ 12
Auto Cost Reference .......................................................................................................................................................... 13
Reduce OSPF Flooding ....................................................................................................................................................... 13
OSPF Cost........................................................................................................................................................................... 13
Internal Route Summarization........................................................................................................................... 14
External Route Summarization .......................................................................................................................... 14
Virtual Link ......................................................................................................................................................................... 15
Route Redistribution.......................................................................................................................................................... 15
OSPF Stub: Totally Stub ..................................................................................................................................................... 16
Monitor.............................................................................................................................................................................. 16

[Diagram: Area 0 holds the links 10.1.2.0/24 (R2 .2, R1 .1) and 10.1.3.0/24 (R1 .1, R3 .3); R2 (2.2.2.2) is in Area 20 with 192.168.20.0/24, R1 (1.1.1.1) in Area 10 with 192.168.10.0/24, and R3 (3.3.3.3) in Area 30 with 192.168.30.0/24]

OSPF ROUTING

>>R1<<
! Enables OSPF routing process using PID of “1”
router ospf 1
! specify router ID IP address to use
router-id 1.1.1.1
log-adjacency-changes
! specify what routes to advertise and build neighbors with other OSPF routers.
network 192.168.10.0 0.0.0.255 area 10
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 10



ROUTER ID

>>R1<<
router ospf 1
! specifies the IP address to use for the OSPF neighbor ID.
router-id 1.1.1.1

DEFAULT ROUTING

>>R1<<
router ospf 1
! configure R1 to advertise an OSPF default route to all OSPF neighbors
default-information originate always

show ip ospf database external



OSPF NETWORK: POINT-TO-POINT

>>R1<<
interface FastEthernet0/1
! enables OSPF network type to be point-to-point
ip ospf network point-to-point

PASSIVE INTERFACE

>>R1<<
router ospf 1
! disables OSPF routing for all interfaces on R1 except for FE0/1 and FE0/2
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet0/2

MD5 AUTHENTICATION

>>R1<<
interface FastEthernet0/1
! enables MD5 authentication with other OSPF routers
ip ospf authentication message-digest
! specify MD5 password
ip ospf message-digest-key 1 md5 cisco123

router ospf 1
area 10 authentication message-digest
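What the two interface lines above actually put on the wire, as an added Python illustration rather than configuration from the guide: the OSPF cryptographic authentication of RFC 2328 Appendix D, computed over a constructed Hello packet with the guide's key ID 1 and key cisco123. The receiver-side verify() also shows the sequence-number check that rejects replayed packets.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Added illustration (not configuration from the guide) of what
# "ip ospf authentication message-digest" and
# "ip ospf message-digest-key 1 md5 cisco123" produce on the wire:
# OSPF cryptographic authentication per RFC 2328 Appendix D.
# The Hello packet below is constructed; key ID and key are the guide's values.
KEY_ID = 1
KEY = b"cisco123"


def _dotted(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _pad_key(key: bytes) -> bytes:
    # the key is zero-padded (or truncated) to exactly 16 bytes
    return key.ljust(16, b"\x00")[:16]


def sign(packet: bytes, key: bytes) -> bytes:
    # MD5 over packet || 16-byte key; the digest (never the key) is appended
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def build_hello(seq: int, key: bytes = KEY, key_id: int = KEY_ID,
                rid: str = "1.1.1.1", area: str = "0.0.0.10") -> bytes:
    # Hello body: mask 255.255.255.0, hello 10 s, options E bit, priority 1,
    # dead 40 s, DR 0.0.0.0, BDR 0.0.0.0 (20 bytes, no neighbors listed yet)
    body = _dotted("255.255.255.0") + struct.pack("!HBBI", 10, 0x02, 1, 40) + bytes(8)
    length = 24 + len(body)      # OSPF length covers header and body, not the digest
    # authentication field: 2 reserved bytes, key ID, auth data length (16),
    # cryptographic sequence number; the checksum is 0 when AuType is 2
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    header = (struct.pack("!BBH", 2, 1, length) + _dotted(rid) + _dotted(area)
              + struct.pack("!HH", 0, 2) + auth)
    return sign(header + body, key)


def verify(packet: bytes, keys: Dict[int, bytes], last_seq: Dict[str, int]) -> bool:
    """Receiver-side check: AuType, known key ID, digest, then the replay test.

    last_seq is per-neighbor state keyed by the sender's router ID."""
    if len(packet) < 24 or struct.unpack("!H", packet[14:16])[0] != 2:
        return False                                  # not cryptographic auth
    length = struct.unpack("!H", packet[2:4])[0]
    key_id, auth_len = packet[18], packet[19]
    seq = struct.unpack("!I", packet[20:24])[0]
    if auth_len != 16 or key_id not in keys or len(packet) < length + 16:
        return False
    body, digest = packet[:length], packet[length:length + 16]
    expected = hashlib.md5(body + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False                                  # wrong key or modified packet
    sender = ".".join(str(b) for b in packet[4:8])
    # RFC 2328 D.4.3: the sequence number must not fall below the last one
    # accepted from this neighbor, which rejects replayed older packets
    if seq < last_seq.get(sender, 0):
        return False
    last_seq[sender] = seq
    return True
```

Only the digest travels; the Hello contents stay readable to anyone on the segment, so the key provides integrity and origin checking, not confidentiality.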



DR AND BDR SELECTION

[Diagram: 192.168.10.0/24 segment with R1 (.1, OSPF DR), R2 (.2, OSPF BDR), R3 (.3) and R4 (.4, never a DR or BDR); R1, R2 and R3 also attach 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 respectively]

* default OSPF priority is 1
* higher priority is preferred (the DR)

>> R1 <<
interface fastethernet0/1
! OSPF router will be the DR on the network (higher priority)
ip ospf priority 10

>> R2 <<
interface fastethernet0/1
! OSPF router will be the BDR on the network (next largest priority)
ip ospf priority 5

>> R3 <<
interface fastethernet0/1
! lower priority than R1 and R2: neither DR nor BDR, but still eligible if one of them fails
ip ospf priority 2

>> R4 <<
interface fastethernet0/1
! never participate in DR/BDR election
ip ospf priority 0
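How the four priorities above play out, as an added Python model of the RFC 2328 section 9.4 election (not code from the guide): the router IDs 1.1.1.1 to 4.4.4.4 and the late-joining R5 with priority 20 are assumptions for the scenario, which also shows that the election is not preemptive.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model of the OSPF DR/BDR election (RFC 2328 section 9.4) using the
# priorities from the guide's example; not code from the guide itself.
# Router IDs and the extra router R5 are assumptions.


@dataclass
class Router:
    name: str
    rid: str                    # router ID, dotted quad
    priority: int               # "ip ospf priority"; 0 means never DR or BDR
    dr: Optional[str] = None    # router ID this router currently declares as DR
    bdr: Optional[str] = None   # router ID this router currently declares as BDR


def _rid_key(rid: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in rid.split("."))


def _best(cands: List[Router]) -> Optional[Router]:
    # highest priority wins; ties are broken by the highest router ID
    return max(cands, key=lambda r: (r.priority, _rid_key(r.rid)), default=None)


def elect(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name) as the segment would elect them right now."""
    eligible = [r for r in routers if r.priority > 0]
    # BDR step: routers declaring themselves DR are excluded; routers already
    # declaring themselves BDR are preferred over ones that do not.
    not_dr = [r for r in eligible if r.dr != r.rid]
    bdr = _best([r for r in not_dr if r.bdr == r.rid]) or _best(not_dr)
    # DR step: an existing self-declared DR keeps the role (no preemption);
    # otherwise the BDR is promoted and a new BDR is chosen from the rest.
    dr = _best([r for r in eligible if r.dr == r.rid])
    if dr is None:
        dr = bdr
        rest = [r for r in not_dr if r is not dr]
        bdr = _best([r for r in rest if r.bdr == r.rid]) or _best(rest)
    return (dr.name if dr else None, bdr.name if bdr else None)


def settle(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Run the election and make every router declare the result in its Hellos."""
    dr, bdr = elect(routers)
    by_name = {r.name: r.rid for r in routers}
    for r in routers:
        r.dr, r.bdr = by_name.get(dr), by_name.get(bdr)
    return dr, bdr


def guide_segment() -> List[Router]:
    # the segment from the guide: R1 prio 10, R2 prio 5, R3 prio 2, R4 prio 0
    return [Router("R1", "1.1.1.1", 10), Router("R2", "2.2.2.2", 5),
            Router("R3", "3.3.3.3", 2), Router("R4", "4.4.4.4", 0)]


def scenario() -> List[Tuple[str, Optional[str], Optional[str]]]:
    routers = guide_segment()
    out = [("cold start",) + settle(routers)]
    # a router with a higher priority joins later and learns the current
    # DR/BDR from Hellos: it does not preempt them
    routers.append(Router("R5", "5.5.5.5", 20, dr="1.1.1.1", bdr="2.2.2.2"))
    out.append(("R5 joins with priority 20",) + settle(routers))
    # the DR fails: the BDR is promoted and the best remaining router becomes BDR
    routers = [r for r in routers if r.name != "R1"]
    out.append(("R1 fails",) + settle(routers))
    return out
```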



SPF AND LSA TIMERS

>>R1<<
router ospf 1
! recommended values for tuning the SPF and LSA throttle timers
timers throttle spf 10 100 5000
timers throttle lsa all 10 100 5000
timers lsa arrival 80

! view SPF and LSA throttle timers
show ip ospf

NEIGHBOR TIMERS

>>R1<<
interface FastEthernet0/1
! configures sub-second timers with neighbors for fast convergence
ip ospf dead-interval minimal hello-multiplier 4

OR

interface FastEthernet0/1
! specify the interval to send OSPF hello packets
ip ospf hello-interval 2
! specify the interval to wait to declare an OSPF neighbor dead if it doesn't receive a hello message.
ip ospf dead-interval 6

CHANGING ADMIN DISTANCE

router ospf 1
! specify custom admin distance (internal & external)
distance ospf intra-area 100
distance ospf inter-area 101
distance ospf external 102

MAXIMUM PATHS PER ROUTE

router ospf 1
! define the number of paths for a single route to be injected into the routing table
maximum-paths 2



AUTO COST REFERENCE

* default auto cost is 100 (or 100Mbps)

router ospf 1
! change the reference bandwidth to 1000 (Mbps)
! therefore 1000/BW gives the OSPF cost for an interface
auto-cost reference-bandwidth 1000

REDUCE OSPF FLOODING

interface fastethernet0/1
! reduce OSPF flooding
ip ospf flood-reduction

OSPF COST

[Diagram: R1 (1.1.1.1) connects to R2 (2.2.2.2) over 10.1.2.0/24 and to R3 (3.3.3.3) over 10.1.3.0/24; INET sits above R2 and R3]

* Cost: the lower the value, the more preferred

>>R1<<
! configure cost on interface to be more preferred ; no ECP
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.0
ip ospf cost 10

! configured cost on interface to be less preferred ; no ECP
interface FastEthernet0/2
ip address 10.1.3.1 255.255.255.0
ip ospf cost 100
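An added Python example (not from the guide) for the auto-cost reference and the interface-cost settings above: it derives the cost IOS assigns from a reference bandwidth and shows which link speeds collapse to the same cost under the default reference of 100 versus 1000 or 10000. The link list is a constructed sample.

```python
from typing import Dict, List, Optional

# Added example (not configuration from the guide): how IOS derives an OSPF
# interface cost from "auto-cost reference-bandwidth" and why the default
# reference of 100 Mbps makes FastEthernet and faster links indistinguishable.

# interface bandwidths in Mb/s (constructed sample set)
LINKS: Dict[str, float] = {
    "Serial T1": 1.544,
    "FastEthernet": 100,
    "GigabitEthernet": 1000,
    "TenGigabitEthernet": 10000,
}

IOS_MAX_REFERENCE = 4294967   # largest reference-bandwidth (Mb/s) IOS accepts


def ospf_cost(reference_mbps: int, bandwidth_mbps: float) -> int:
    # cost = reference / bandwidth, truncated to an integer; IOS never goes
    # below 1, and the cost field is 16 bits wide, so 65535 is the ceiling
    return max(1, min(65535, int(reference_mbps / bandwidth_mbps)))


def cost_table(reference_mbps: int, links: Dict[str, float] = LINKS) -> Dict[str, int]:
    return {name: ospf_cost(reference_mbps, bw) for name, bw in links.items()}


def collisions(reference_mbps: int, links: Dict[str, float] = LINKS) -> List[List[str]]:
    # groups of link types that end up with the same cost: OSPF will treat a
    # path over the slower one as equal to a path over the faster one
    by_cost: Dict[int, List[str]] = {}
    for name, cost in cost_table(reference_mbps, links).items():
        by_cost.setdefault(cost, []).append(name)
    return [names for names in by_cost.values() if len(names) > 1]


def minimum_reference(bandwidths_mbps: List[float], start: int = 100) -> Optional[int]:
    # smallest power-of-ten reference (starting at the IOS default of 100) that
    # gives every link speed present a distinct cost; None if no value fits
    ref = start
    while ref <= IOS_MAX_REFERENCE:
        costs = [ospf_cost(ref, bw) for bw in bandwidths_mbps]
        if len(set(costs)) == len(costs):
            return ref
        ref *= 10
    return None
```

Whatever reference minimum_reference() returns has to be configured identically on every router in the OSPF domain; mismatched references give each side of a link a different cost.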



INTERNAL ROUTE SUMMARIZATION

[Diagram: R2 (.2) -- 10.1.2.0/24 -- R1 (.1) -- 10.1.3.0/24 -- R3 (.3); R2 has 192.168.20.0/24, R3 has 192.168.30.0/24, and R1's Area 10 contains 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24]

* Only applies to OSPF routes (O, O IA)
* Configured on ABRs

>>R1<<
router ospf 1
! summarizes all subnets within 10.1.x.x (Area 10) to 10.1.0.0 /16 on R1
! Advertise the cost with the summary route to provide Equal-Cost Paths to the network where
! redundant paths exist. Recommended configuration to include.
area 10 range 10.1.0.0 255.255.0.0 cost 10

EXTERNAL ROUTE SUMMARIZATION

[Diagram: R2 (2.2.2.2, .2) -- 10.1.2.0/24 -- R1 (1.1.1.1, .1) -- 10.1.3.0/24 -- R3 (3.3.3.3, .3); external networks 10.2.10.0/24, 10.2.20.0/24 and 10.2.30.0/24]

* Only applies to OSPF routes (O E1, E2)
* Configured on ASBRs

>>R1<<
>> R3 <<
router ospf 1
! summarizes all subnets within 10.2.x.x to 10.2.0.0 /16 on R3
summary-address 10.2.0.0 255.255.0.0



VIRTUAL LINK

[Diagram: Area 0 with R2 (2.2.2.2) -- 10.1.2.0/24 -- Area 10 with R1 (1.1.1.1, 192.168.10.0/24) -- 10.1.3.0/24 -- Area 20 with R3 (3.3.3.3, 192.168.30.0/24)]

>> R1 <<
router ospf 1
! specify the OSPF router whose area is not directly connected to the OSPF backbone area
area 20 virtual-link 3.3.3.3
network 192.168.10.0 0.0.0.255 area 10
network 10.1.3.0 0.0.0.255 area 20
network 1.1.1.1 0.0.0.0 area 10

>> R3 <<
router ospf 2
! specify the OSPF router whose area is directly connected to the OSPF backbone area
area 20 virtual-link 1.1.1.1
network 192.168.30.0 0.0.0.255 area 20
network 10.1.3.0 0.0.0.255 area 20
network 3.3.3.3 0.0.0.0 area 20

ROUTE REDISTRIBUTION

[Diagram: OSPF domain on the left with R2 (2.2.2.2, 192.168.20.0/24) -- 10.1.2.0/24 -- R1 (1.1.1.1, 192.168.10.0/24); EIGRP domain on the right with R1 -- 10.1.3.0/24 -- R3 (3.3.3.3, 192.168.30.0/24)]

>>R1<<
! specifies the EIGRP routes that are allowed to be injected into OSPF
ip access-list standard ACL-EIGRP-ROUTES
permit 192.168.30.0 0.0.0.255

! associate configured ACL to a route map
route-map RM-EIGRP-ROUTES permit 10
match ip address ACL-EIGRP-ROUTES

! EIGRP routing process
router eigrp 1
network 10.1.3.0 0.0.0.255
network 192.168.10.0

router ospf 1
network 192.168.10.0 0.0.0.255 area 10
network 1.1.1.1 0.0.0.0 area 10
network 10.1.2.0 0.0.0.255 area 0
! redistribute only EIGRP routes that are listed in the ACL into OSPF
redistribute eigrp 1 subnets route-map RM-EIGRP-ROUTES
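An added Python illustration, not configuration from the guide, of the wildcard matching behind both the OSPF network statements (OSPF Routing section) and the standard ACL that the route-map above applies to redistribution. R1's interface addresses come from the diagrams; the interface names, the 172.16.0.1 management address and the EIGRP route list are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added illustration of IOS wildcard-mask matching as used by the guide's OSPF
# "network ... area" statements and by the standard ACL behind the
# redistribution route-map. Not code from the guide.


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    # a 0 bit in the wildcard must match the base address; a 1 bit is ignored
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(address) & care) == (_ip(base) & care)


def wildcard_specificity(wildcard: str) -> int:
    # number of bits that must match; higher means more specific
    return 32 - bin(_ip(wildcard)).count("1")


# (base, wildcard, area) as the guide lists them for R1
R1_NETWORK_STATEMENTS: List[Tuple[str, str, int]] = [
    ("192.168.10.0", "0.0.0.255", 10),
    ("10.1.2.0", "0.0.0.255", 0),
    ("10.1.3.0", "0.0.0.255", 0),
    ("1.1.1.1", "0.0.0.0", 10),
]

R1_INTERFACES: Dict[str, str] = {   # constructed names; addresses from the diagram
    "Loopback0": "1.1.1.1",
    "FastEthernet0/0": "192.168.10.1",
    "FastEthernet0/1": "10.1.2.1",
    "FastEthernet0/2": "10.1.3.1",
    "FastEthernet0/3": "172.16.0.1",   # constructed management link, in no statement
}


def ospf_areas(statements, interfaces: Dict[str, str]) -> Dict[str, Optional[int]]:
    # assumption stated here: IOS evaluates the most specific statement first
    # and the first match wins; an interface matching nothing runs no OSPF
    ordered = sorted(statements, key=lambda s: wildcard_specificity(s[1]), reverse=True)
    return {
        name: next((area for base, wc, area in ordered if wildcard_match(addr, base, wc)), None)
        for name, addr in interfaces.items()
    }


# standard ACL ACL-EIGRP-ROUTES from the guide; IOS adds an implicit deny at the end
ACL_EIGRP_ROUTES: List[Tuple[str, str, str]] = [("permit", "192.168.30.0", "0.0.0.255")]


def acl_permits(acl, prefix: str) -> bool:
    # a standard ACL applied to a route tests the network address only, not the
    # prefix length, which is why 192.168.30.128/25 below is also permitted
    net = prefix.split("/")[0]
    for action, base, wc in acl:
        if wildcard_match(net, base, wc):
            return action == "permit"
    return False      # implicit deny


def redistributed(acl, eigrp_routes: List[str]) -> List[str]:
    # route-map RM-EIGRP-ROUTES permit 10 / match ip address <acl>: a prefix the
    # ACL permits is redistributed; anything else hits the route-map's implicit deny
    return [r for r in eigrp_routes if acl_permits(acl, r)]


# constructed EIGRP routes offered to the redistribution point on R1
EIGRP_ROUTES = ["192.168.30.0/24", "192.168.31.0/24", "10.1.3.0/24", "192.168.30.128/25"]
```

A wider wildcard such as 0.0.255.255 in the ACL would admit every 192.168.x.x route, so the filter should be as narrow as the routes you actually intend to leak between the two domains.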



OSPF STUB: TOTALLY STUB

[Diagram: R2 (2.2.2.2, 192.168.20.0/24) -- 10.1.2.0/24 -- R1 (1.1.1.1, 192.168.10.0/24) -- 10.1.3.0/24 -- R3 (3.3.3.3, 192.168.30.0/24); R3's side is OSPF Area 31, a Totally Stub Area]

>>R1<<
router ospf 1
network 10.1.2.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 10
network 10.1.3.0 0.0.0.255 area 31
! makes Area 31 on R1 a Totally Stub Area so that only an OSPF default route is sent into it
area 31 stub no-summary

>>R3<<
router ospf 3
network 192.168.30.0 0.0.0.255 area 31
network 10.1.3.0 0.0.0.255 area 31
! makes Area 31 on R3 a Totally Stub Area, receiving only an OSPF default route
area 31 stub no-summary

MONITOR

show ip ospf
show ip route ospf
show ip ospf neighbor
show ip ospf interface
show ip ospf database



EIGRP

EIGRP ...................................................................................................................................................................17
EIGRP Routing .................................................................................................................................................................... 17
Passive Interface ................................................................................................................................................................ 17
Neighbor Timers ................................................................................................................................................................ 18
MD5 Authentication .......................................................................................................................................................... 18
Route Summarization ........................................................................................................................................ 18
Changing Admin Distance .................................................................................................................................................. 18
Maximum Paths Per Route ................................................................................................................................................ 18
Route Control/Filtering ...................................................................................................................................................... 19
EIGRP Stub ......................................................................................................................................................................... 19
Bandwidth Utilization ........................................................................................................................................................ 19
EIGRP Bandwidth and Delay .............................................................................................................................................. 20
Route Redistribution.......................................................................................................................................................... 20

[Figure: 2.2.2.2 (192.168.20.0/24) -- .2 | 10.1.2.0/24 | .1 -- 1.1.1.1 (192.168.10.0/24) -- .1 | 10.1.3.0/24 | .3 -- 3.3.3.3 (192.168.30.0/24)]

EIGRP ROUTING

>>R1<<
! enables the EIGRP routing process with ASN 1
router eigrp 1
! enable EIGRP on every interface whose address falls inside these base/wildcard pairs;
! their subnets are advertised and neighbors are formed on those interfaces
network 192.168.10.0 0.0.255.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 1.1.1.1 0.0.0.0
! disable auto-summarization for EIGRP
no auto-summary

PASSIVE INTERFACE

>>R1<<
router eigrp 1
! stop forming EIGRP neighbors on all interfaces of R1 except FastEthernet0/1 and FastEthernet0/2 (passive interfaces are still advertised)
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet0/2

Configuration Reference Guide | Core Network Services 17


NEIGHBOR TIMERS

>>R1<<
! configures sub-second timers with neighbors for fast convergence
interface FastEthernet0/1
ip hello-interval eigrp 1 1
ip hold-time eigrp 1 3

MD5 AUTHENTICATION

>>R1<<
! configures key chain called SEIGRP using the password cisco123
key chain SEIGRP
key 1
key-string cisco123

interface FastEthernet0/1
! enable MD5 authentication and associate key-chain to interface for EIGRP
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 SEIGRP

ROUTE SUMMARIZATION

[Figure: 2.2.2.2 (192.168.20.0/24) -- 10.1.2.0/24 -- 1.1.1.1 (10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24) -- 10.1.3.0/24 -- 3.3.3.3 (192.168.30.0/24)]
>>R1<<
interface FastEthernet0/1
! advertise one summary 10.1.0.0/16 for every 10.1.x.x subnet toward R2 out FastEthernet0/1; the trailing 5 is the admin distance of the summary's local Null0 discard route
ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5

CHANGING ADMIN DISTANCE

router eigrp 1
! specify custom admin distance (internal & external)
distance eigrp 90 170

MAXIMUM PATHS PER ROUTE

router eigrp 1
! define the number of paths for a single route to be injected into the routing table
maximum-paths 2

ROUTE CONTROL/FILTERING

>>R1<<
! configure ACL to include the EIGRP routes
ip access-list standard ACL-EIGRP-ROUTES
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.30.0 0.0.0.255

router eigrp 1
! associate ACL under EIGRP to only advertise the routes listed in the ACL to all neighbors
distribute-list ACL-EIGRP-ROUTES out

OR

! associate ACL under EIGRP to only advertise the routes listed in the ACL to the
! neighbors reached out of interface FastEthernet0/1
distribute-list ACL-EIGRP-ROUTES out FastEthernet0/1
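The following Python example is added here as an illustration and is not part of the RouteHub guide. It implements the IOS wildcard-mask rule that both the "network" statements in the EIGRP Routing section and the standard ACL behind "distribute-list ... out" rely on, and runs it over a constructed interface table and route list (the 192.168.99.0/24 and 172.16.0.0/24 interfaces and the 192.168.30.128/25 route are invented for the demonstration). Two things the config lines alone do not show: "network 192.168.10.0 0.0.255.255" enables EIGRP on every interface in 192.168.0.0/16, not only on the 192.168.10.0/24 one, and a standard ACL used as a distribute-list tests only the route's network address, so a more specific prefix inside a permitted range passes as well.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the wildcard must equal the base,
    a 1 bit is a don't-care. The same rule drives 'network' statements and
    standard ACL entries."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(address) & care) == (_to_int(base) & care)


def effective_prefix(base: str, wildcard: str) -> Optional[str]:
    """The CIDR block a (base, wildcard) pair really covers, or None when the
    wildcard is non-contiguous (e.g. 0.0.255.0) and has no single-prefix form."""
    w = _to_int(wildcard)
    if w & (w + 1):                      # contiguous low-order ones <=> w+1 is a power of two
        return None
    plen = 32 - w.bit_length()
    network = ipaddress.IPv4Network((_to_int(base) & ~w & 0xFFFFFFFF, plen))
    return str(network)


def eigrp_enabled_interfaces(network_stmts: Sequence[Tuple[str, str]],
                             interfaces: Sequence[Tuple[str, str]]) -> List[str]:
    """Interfaces on which the given 'network <base> <wildcard>' lines enable EIGRP."""
    return [name for name, addr in interfaces
            if any(wildcard_match(addr, base, wc) for base, wc in network_stmts)]


def standard_acl_filter(acl: Sequence[Tuple[str, str, str]], routes: Sequence[str]) -> List[str]:
    """Evaluate a standard ACL the way 'distribute-list <acl> out' does: top-down,
    first match wins, implicit deny at the end, and only the route's network
    address is compared, so the prefix length is never checked."""
    permitted = []
    for route in routes:
        network_address = route.split("/")[0]
        for action, base, wc in acl:
            if wildcard_match(network_address, base, wc):
                if action == "permit":
                    permitted.append(route)
                break
    return permitted


# Constructed sample data (not from the guide): R1's network statements as written
# above, an interface table with two extra interfaces, and a handful of routes.
R1_NETWORK_STMTS = [("192.168.10.0", "0.0.255.255"), ("10.1.2.0", "0.0.0.255"),
                    ("10.1.3.0", "0.0.0.255"), ("1.1.1.1", "0.0.0.0")]
R1_INTERFACES = [("FastEthernet0/0", "192.168.10.1"), ("FastEthernet0/1", "10.1.2.1"),
                 ("FastEthernet0/2", "10.1.3.1"), ("Loopback0", "1.1.1.1"),
                 ("FastEthernet0/3", "192.168.99.1"),   # caught by the /16-wide wildcard
                 ("FastEthernet0/4", "172.16.0.1")]     # matches nothing
ACL_EIGRP_ROUTES = [("permit", "192.168.10.0", "0.0.0.255"),
                    ("permit", "192.168.20.0", "0.0.0.255"),
                    ("permit", "192.168.30.0", "0.0.0.255")]
SAMPLE_ROUTES = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
                 "192.168.30.128/25", "10.1.2.0/24", "1.1.1.1/32"]

if __name__ == "__main__":
    print("network 192.168.10.0 0.0.255.255 covers", effective_prefix("192.168.10.0", "0.0.255.255"))
    print("EIGRP enabled on", eigrp_enabled_interfaces(R1_NETWORK_STMTS, R1_INTERFACES))
    print("distribute-list permits", standard_acl_filter(ACL_EIGRP_ROUTES, SAMPLE_ROUTES))
```

If the intent is to enable EIGRP on the 192.168.10.0/24 interface only, the wildcard to use is 0.0.0.255; the wider wildcard silently brings any future 192.168.x.x interface into the routing domain.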

EIGRP STUB

[Figure: R1 (.1), R2 (.2) and R3 (.3, STUB) share 192.168.1.0/24; R1 also has 192.168.10.0/24, R2 has 192.168.2.0/24 and R3 has 192.168.3.0/24]

A stub router does not receive EIGRP queries and does not act as a transit router.

>> R3 <<
router eigrp 1
! enable as a Stub router in the EIGRP ASN
! Advertise all connected subnets (192.168.3.0/24)
eigrp stub connected

! monitor command to view EIGRP stub operations
show ip eigrp neighbors detail <intf> <intf-id>

BANDWIDTH UTILIZATION

interface FastEthernet0/1
! define interface bandwidth usage (45%) for EIGRP
ip bandwidth-percent eigrp 1 45

EIGRP BANDWIDTH AND DELAY

[Figure: INET is reachable from R1 (1.1.1.1) both via 2.2.2.2 over 10.1.2.0/24 (R1 .1, far side .2) and via 3.3.3.3 over 10.1.3.0/24 (R1 .1, far side .3)]

>>R1<<
! lower delay on this interface (10 = 100 microseconds) so routes via 10.1.2.0/24 are preferred; no ECMP
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.0
delay 10

! higher delay on this interface (100 = 1000 microseconds) so routes via 10.1.3.0/24 are less preferred; no ECMP
interface FastEthernet0/2
ip address 10.1.3.1 255.255.255.0
delay 100
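Added worked example (Python, not from the guide): the classic EIGRP composite metric that the delay values above feed into, computed with the default K values, and the DUAL successor / feasible-successor decision that follows from it. The "delay" command takes tens of microseconds (show interfaces prints DLY in microseconds), so delay 10 is 100 microseconds. Bandwidths are the FastEthernet default of 100000 kbps, the remote routers' own hops are assumed to be untuned FastEthernet, and the neighbour labels R2/R3 are constructed for the demonstration.

```python
from typing import Dict, List, Sequence, Tuple

# (bandwidth in kbps, delay in tens of microseconds, exactly as 'bandwidth' / 'delay' configure it)
Hop = Tuple[int, int]
FE = 100000   # FastEthernet default bandwidth, kbps


def eigrp_classic_metric(hops: Sequence[Hop],
                         k: Tuple[int, int, int, int, int] = (1, 0, 1, 0, 0),
                         load: int = 1, reliability: int = 255) -> int:
    """Classic (32-bit) EIGRP composite metric for a path made of the given hops.
    With the default K values (K1 = K3 = 1, others 0) it reduces to
    256 * (10^7 / min_bandwidth_kbps + sum_of_delays_in_tens_of_us)."""
    if not hops:
        return 0
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min(bandwidth for bandwidth, _ in hops)   # slowest link dominates
    delay = sum(d for _, d in hops)                               # delays accumulate
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def dual_selection(candidates: Dict[str, Sequence[Hop]]) -> Dict[str, object]:
    """For one destination, candidates maps a neighbour to its hop list
    [our link to the neighbour, then the neighbour's remaining hops].
    Returns the feasible distance (FD), the successor(s) and the feasible
    successors: neighbours whose reported distance (their own metric to the
    destination) is strictly below the FD, which guarantees a loop-free backup."""
    total = {n: eigrp_classic_metric(hops) for n, hops in candidates.items()}
    reported = {n: eigrp_classic_metric(hops[1:]) for n, hops in candidates.items()}
    fd = min(total.values())
    successors = [n for n, m in total.items() if m == fd]
    feasible = [n for n, rd in reported.items() if n not in successors and rd < fd]
    return {"fd": fd, "successors": successors, "feasible_successors": feasible,
            "total": total, "reported": reported}


# Constructed scenario: R1 reaches the same destination through R2 (Fa0/1, delay 10)
# and through R3 (Fa0/2, delay 100); each neighbour has one untuned FE hop beyond it.
TUNED = {"R2": [(FE, 10), (FE, 10)], "R3": [(FE, 100), (FE, 10)]}
# Same topology without the delay change: both paths cost the same, so EIGRP load-shares.
UNTUNED = {"R2": [(FE, 10), (FE, 10)], "R3": [(FE, 10), (FE, 10)]}

if __name__ == "__main__":
    for name, scenario in (("tuned", TUNED), ("untuned", UNTUNED)):
        r = dual_selection(scenario)
        print(name, "FD", r["fd"], "successors", r["successors"],
              "feasible successors", r["feasible_successors"], "totals", r["total"])
```

With the delays as configured above the R2 path wins (30720 against 53760) and R3 still qualifies as a feasible successor because its reported distance (28160) is below the FD, so a failure of Fa0/1 is repaired locally without a query; with identical delays both paths have metric 30720 and both are installed.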

ROUTE REDISTRIBUTION

[Figure: EIGRP domain on the left: 2.2.2.2 (192.168.20.0/24) -- 10.1.2.0/24 -- 1.1.1.1 (192.168.10.0/24); OSPF domain on the right: 1.1.1.1 -- 10.1.3.0/24 -- 3.3.3.3 (192.168.30.0/24)]

>>R1<<
! specifies the OSPF routes that are allowed to be injected into EIGRP
ip access-list standard ACL-OSPF-ROUTES
permit 192.168.30.0 0.0.0.255

! associates the configured ACL to a route map
route-map RM-OSPF-ROUTES permit 10
match ip address ACL-OSPF-ROUTES

router ospf 1
network 10.1.3.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 10

router eigrp 1
network 192.168.10.0 0.0.0.255
network 1.1.1.1 0.0.0.0
network 10.1.2.0 0.0.0.255
! redistribute into EIGRP only the OSPF routes listed in the ACL; the EIGRP seed metric is
! bandwidth 1000 kbps, delay 1 (tens of microseconds), reliability 255, load 1, MTU 1500
redistribute ospf 1 metric 1000 1 255 1 1500 route-map RM-OSPF-ROUTES

BGP

BGP ......................................................................................................................................................................21
EBGP Routing ..................................................................................................................................................................... 22
IBGP Routing ...................................................................................................................................................................... 22
BGP Route Advertisement ................................................................................................................................... 23
Synchronization ................................................................................................................................................................. 23
MD5 Authentication .......................................................................................................................................................... 23
Timers ................................................................................................................................................................................ 23
Soft Reconfiguration .......................................................................................................................................................... 23
Route Control/Filtering (Inbound) ..................................................................................................................................... 24
Route Control/Filtering (Outbound) .................................................................................................................................. 24
Route Summarization ........................................................................................................................................ 24
IBGP: Next Hop Self ........................................................................................................................................................... 24
EBGP: Multi-Hop ................................................................................................................................................................ 25
Changing Admin Distance .................................................................................................................................................. 25
Peer Groups ....................................................................................................................................................................... 25
Route Reflectors ................................................................................................................................................................ 26
Private ASN ........................................................................................................................................................................ 27
Maximum Paths Per Route ................................................................................................................................................ 27
Removing Private ASN ....................................................................................................................................................... 28
BGP Attribute: Local Preference ........................................................................................................................................ 29
BGP Attribute: MED ........................................................................................................................................................... 30
BGP Attribute: AS PATH (Prepending, Padding) ................................................................................................................ 31
Conditional Advertisement .................................................................................................................................. 32
BGP Communities .............................................................................................................................................................. 34
BGP using Foundry FastIron L3 Switches ........................................................................................................................... 36
Monitor.............................................................................................................................................................................. 37

[Figure: ASN 6778: 2.2.2.2 (10.2.1.0/24) -- 10.1.2.0/24 -- 1.1.1.1 (10.1.1.0/24); ASN 1: 1.1.1.1 -- .1 | 10.1.3.0/24 | .3 -- 3.3.3.3 (192.168.30.0/24)]

EBGP ROUTING

>>R1<<
! enables BGP routing process in ASN 6778
router bgp 6778
bgp router-id 1.1.1.1
bgp log-neighbor-changes
! configures EBGP peer and the ASN for the peer which is in a different ASN (ASN 1)
neighbor 10.1.3.3 remote-as 1
neighbor 10.1.3.3 description EBGP TO ISP
neighbor 10.1.3.3 version 4

>>ISP1 ; R3<<
! enables BGP routing process in ASN 1
router bgp 1
bgp router-id 3.3.3.3
bgp log-neighbor-changes
! configures EBGP peer and the ASN for the peer which is in a different ASN (ASN 6778)
neighbor 10.1.3.1 remote-as 6778
neighbor 10.1.3.1 description EBGP TO CPE
neighbor 10.1.3.1 version 4

IBGP ROUTING

>>R1<<
router bgp 6778
! configures IBGP peer and the ASN for the peer which is in the same ASN (ASN 6778)
neighbor 2.2.2.2 remote-as 6778
neighbor 2.2.2.2 description IBGP TO R2
! IBGP peering will use the Loopback0 interface
neighbor 2.2.2.2 update-source Loopback0
! configures IBGP peer to use the next hop IP of R1 for routes learned from an EBGP
neighbor 2.2.2.2 next-hop-self

BGP ROUTE ADVERTISEMENT

>>R1<<
router bgp 6778
! specify what networks will be advertised from R1 to other BGP routers
network 10.1.0.0 mask 255.255.0.0
network 10.2.0.0 mask 255.255.0.0

! The exact prefix (address and mask) must exist in the routing table. A connected
! 10.1.1.0 /24 does not match the 10.1.0.0 /16 configured under BGP, so static routes
! to Null0 are added for the aggregates so that BGP can advertise them.
ip route 10.1.0.0 255.255.0.0 Null0 253
ip route 10.2.0.0 255.255.0.0 Null0 253

SYNCHRONIZATION

>>R1<<
router bgp 6778
address-family ipv4
! disables synchronization (no IGP copy of the route is required); the exact prefix still has to be in the routing table before it is advertised
no synchronization

MD5 AUTHENTICATION

>>R1<<
router bgp 6778
! enables TCP MD5 signatures (RFC 2385) on the sessions with the configured BGP peers; both sides must use the same password
neighbor 10.1.3.3 password cisco123
neighbor 2.2.2.2 password cisco123
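Added example (Python, not from the guide) of what the "neighbor ... password" command actually turns on: the RFC 2385 TCP MD5 signature option. Every segment of the BGP session carries an MD5 digest computed over the IP pseudo-header, the TCP header, the payload and the shared password, and the receiver drops segments whose digest does not verify. The code builds a constructed TCP segment carrying a BGP KEEPALIVE, signs it, and shows that a wrong password, a spoofed source address or a modified payload all fail verification. The addresses and port numbers are constructed; nothing here is encrypted, the option only gives integrity and peer authentication.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

TCP_PROTOCOL = 6
MD5_OPTION_KIND, MD5_OPTION_LEN = 19, 18   # RFC 2385: kind 19, length 18 (16-byte digest)


def bgp_keepalive() -> bytes:
    """A 19-byte BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4."""
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)


def build_tcp_segment(sport: int, dport: int, seq: int, ack: int, payload: bytes) -> bytes:
    """Constructed PSH/ACK segment with an empty MD5 option (the digest is written in later),
    padded with two NOPs so the header is a whole number of 32-bit words (40 bytes)."""
    option = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + b"\x00" * 16 + b"\x01\x01"
    data_offset_words = (20 + len(option)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset_words << 4, 0x18, 65535, 0, 0)   # flags PSH|ACK, checksum 0
    return header + option + payload


def md5_option_offset(segment: bytes) -> Optional[int]:
    """Walk the TCP options and return the offset of the 16-byte digest, if present."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:            # end of option list
            return None
        if kind == 1:            # NOP
            i += 1
            continue
        if kind == MD5_OPTION_KIND:
            return i + 2
        i += segment[i + 1]
    return None


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385 signature: MD5 over the pseudo-header (src, dst, zero, protocol, TCP length),
    the 20-byte TCP header with the checksum zeroed (options are excluded), the payload,
    and finally the shared key."""
    data_offset = (segment[12] >> 4) * 4
    header = bytearray(segment[:20])
    header[16:18] = b"\x00\x00"
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + b"\x00" + bytes([TCP_PROTOCOL]) + struct.pack("!H", len(segment)))
    return hashlib.md5(pseudo + bytes(header) + segment[data_offset:] + key).digest()


def sign_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """Sender side: fill the MD5 option with the digest of this segment."""
    off = md5_option_offset(segment)
    if off is None:
        raise ValueError("segment carries no MD5 option")
    signed = bytearray(segment)
    signed[off:off + 16] = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return bytes(signed)


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side: recompute and compare in constant time. A missing option,
    a different key, a spoofed source address or a modified payload all fail."""
    off = md5_option_offset(segment)
    if off is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(bytes(segment[off:off + 16]), expected)


# Constructed session: R1 (10.1.3.1) to ISP1 (10.1.3.3), password as in the guide.
SRC, DST, KEY = "10.1.3.1", "10.1.3.3", b"cisco123"

if __name__ == "__main__":
    seg = sign_segment(SRC, DST, build_tcp_segment(179, 49152, 1000, 2000, bgp_keepalive()), KEY)
    print("valid:", verify_segment(SRC, DST, seg, KEY))
    print("wrong key:", verify_segment(SRC, DST, seg, b"wrong"))
    print("spoofed source:", verify_segment("192.0.2.1", DST, seg, KEY))
```

Because the digest covers the addresses and the sequence numbers, a forged RST or injected UPDATE from a third party is discarded before BGP ever sees it; the protection is only as strong as the shared password, which travels in the configuration in clear text unless "service password-encryption" or a stronger option (TCP-AO where supported) is used.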

TIMERS

>>R1<<
router bgp 6778
! tune BGP timers to 15 sec keepalive and 45 sec holdtime for faster failure detection
timers bgp 15 45

SOFT RECONFIGURATION

>>R1<<
router bgp 6778
address-family ipv4
! soft reconfiguration configured on all BGP peers
neighbor 10.1.3.3 soft-reconfiguration inbound
neighbor 2.2.2.2 soft-reconfiguration inbound

ROUTE CONTROL/FILTERING (INBOUND)

>>R1<<
! configure prefix list to include routes that should be received from the ISP
ip prefix-list ISP-ROUTES seq 10 permit 192.168.30.0/24
ip prefix-list ISP-ROUTES seq 11 permit 0.0.0.0/0

router bgp 6778
address-family ipv4
! associate prefix lists to EBGP peer to only receive the routes listed in the prefix list
neighbor 10.1.3.3 prefix-list ISP-ROUTES in

ROUTE CONTROL/FILTERING (OUTBOUND)

>>R1<<
! configure prefix list to include routes that should be advertised to the EBGP peer (ISP)
ip prefix-list CL-ROUTES seq 10 permit 10.1.0.0/16
ip prefix-list CL-ROUTES seq 11 permit 10.2.0.0/16

router bgp 6778
address-family ipv4
! associate prefix list to EBGP peer to only advertise the routes listed in the prefix list
neighbor 10.1.3.3 prefix-list CL-ROUTES out
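Added example (Python, not from the guide) for the inbound and outbound prefix-list filters above. It parses "ip prefix-list" lines, evaluates them the way IOS does (sequence order, first match wins, implicit deny, exact prefix length unless ge/le widen it) and applies ISP-ROUTES to a constructed set of routes offered by the ISP and CL-ROUTES to a constructed local table. The route set is invented: it includes the ISP offering back the customer's own 10.1.0.0/16 and a 192.168.30.0/25 more-specific, both of which the filter drops. The final prefix-list with "le 24" is not on the page; it is included to show how the length range generalises.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# (seq, action, prefix, ge, le): one parsed 'ip prefix-list' line
Entry = Tuple[int, str, str, Optional[int], Optional[int]]


def parse_prefix_list(lines: Sequence[str]) -> List[Entry]:
    """Parse 'ip prefix-list <name> seq <n> <permit|deny> <prefix> [ge G] [le L]' lines,
    returned in sequence order (the order IOS evaluates them)."""
    entries: List[Entry] = []
    for line in lines:
        t = line.split()
        if t[:2] != ["ip", "prefix-list"] or t[3] != "seq":
            continue
        ge = le = None
        for i in range(7, len(t) - 1, 2):
            if t[i] == "ge":
                ge = int(t[i + 1])
            elif t[i] == "le":
                le = int(t[i + 1])
        entries.append((int(t[4]), t[5], t[6], ge, le))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry: Entry, route: str) -> bool:
    """Prefix-list semantics: the route must fall inside the entry's prefix AND its
    length must equal the entry's length unless ge/le widen the range
    ('ge G' alone means G..32, 'le L' alone means <entry length>..L)."""
    _, _, prefix, ge, le = entry
    p = ipaddress.IPv4Network(prefix, strict=False)
    r = ipaddress.IPv4Network(route, strict=False)
    if not r.subnet_of(p):
        return False
    low = ge if ge is not None else p.prefixlen
    high = le if le is not None else (32 if ge is not None else p.prefixlen)
    return low <= r.prefixlen <= high


def prefix_list_filter(entries: Sequence[Entry], routes: Sequence[str]) -> List[str]:
    """Top-down evaluation, the first matching entry decides, implicit deny for the rest."""
    allowed = []
    for route in routes:
        for entry in entries:
            if entry_matches(entry, route):
                if entry[1] == "permit":
                    allowed.append(route)
                break
    return allowed


# Prefix lists exactly as configured on R1 above.
ISP_ROUTES = ["ip prefix-list ISP-ROUTES seq 10 permit 192.168.30.0/24",
              "ip prefix-list ISP-ROUTES seq 11 permit 0.0.0.0/0"]
CL_ROUTES = ["ip prefix-list CL-ROUTES seq 10 permit 10.1.0.0/16",
             "ip prefix-list CL-ROUTES seq 11 permit 10.2.0.0/16"]
# Constructed: what the ISP might send, and what R1 holds locally.
RECEIVED_FROM_ISP = ["0.0.0.0/0", "192.168.30.0/24", "192.168.30.0/25", "10.1.0.0/16", "203.0.113.0/24"]
LOCAL_TABLE = ["10.1.0.0/16", "10.2.0.0/16", "10.1.1.0/24", "192.168.10.0/24", "1.1.1.1/32"]
# Constructed generalisation: accept anything in 192.168.0.0/16 down to a /24.
WIDE = ["ip prefix-list ISP-ROUTES-WIDE seq 10 permit 192.168.0.0/16 le 24"]

if __name__ == "__main__":
    print("accepted from ISP:", prefix_list_filter(parse_prefix_list(ISP_ROUTES), RECEIVED_FROM_ISP))
    print("advertised to ISP:", prefix_list_filter(parse_prefix_list(CL_ROUTES), LOCAL_TABLE))
    print("wide list:", prefix_list_filter(parse_prefix_list(WIDE),
                                           ["192.168.0.0/16", "192.168.30.0/24", "192.168.30.0/25"]))
```

The outbound list is the more important of the two from a hygiene standpoint: without it, the more-specific 10.1.1.0/24 and the loopback would leak to the ISP along with the aggregates.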

ROUTE SUMMARIZATION

>>R1<<
router bgp 6778
address-family ipv4
! summarizes all 10.x.x.x BGP routes as a single route, 10.0.0.0/8 to all eBGP peers
aggregate-address 10.0.0.0 255.0.0.0 summary-only

IBGP: NEXT HOP SELF

>>R1<<
router bgp 6778
! configures IBGP peer to use the next hop IP of R1 for routes learned from an EBGP
neighbor 2.2.2.2 next-hop-self

EBGP: MULTI-HOP

[Figure: ASN 6778 router (1.1.1.1; 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24) reaches ISP1 (10.1.3.1, ASN 100) over several intermediate hops]

* max hop value: 255

router bgp 6778
! the eBGP peer is not directly connected and is up to 10 hops away
neighbor 10.1.3.1 ebgp-multihop 10

CHANGING ADMIN DISTANCE

router bgp 6778
! specify custom admin distance (external to ASN, internal to ASN, & local routes)
distance bgp 100 200 50

PEER GROUPS

interface Loopback0
ip address 1.1.1.1 255.255.255.255

router bgp 6778
! create BGP peer group profile
neighbor RHG-IBGP-PEER peer-group
! Typical BGP neighbor configuration for peer group
neighbor RHG-IBGP-PEER version 4
neighbor RHG-IBGP-PEER next-hop-self
neighbor RHG-IBGP-PEER soft-reconfiguration inbound
neighbor RHG-IBGP-PEER update-source Loopback0
! IBGP peer
neighbor 2.2.2.2 remote-as 6778
! assign BGP peer group to IBGP peer
neighbor 2.2.2.2 peer-group RHG-IBGP-PEER

! verify peer-group membership and the settings inherited by each member
show ip bgp peer-group

ROUTE REFLECTORS

[Figure: route reflector RR (Lo: 1.1.1.1) with clients CLIENT1 (Lo: 2.2.2.2) and CLIENT2 (Lo: 3.3.3.3)]

>> RR <<
interface Loopback0
ip address 1.1.1.1 255.255.255.255

router bgp 6778
! define IBGP peer
neighbor 2.2.2.2 remote-as 6778
neighbor 2.2.2.2 update-source Loopback0
! specify that this peer is a route reflector client
neighbor 2.2.2.2 route-reflector-client
! define IBGP peer
neighbor 3.3.3.3 remote-as 6778
neighbor 3.3.3.3 update-source Loopback0
! specify that this peer is a route reflector client
neighbor 3.3.3.3 route-reflector-client

>> CLIENT1 <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255

router bgp 6778
! IBGP peer pointing to the RR BGP router
neighbor 1.1.1.1 remote-as 6778
neighbor 1.1.1.1 update-source Loopback0

>> CLIENT2 <<
interface Loopback0
ip address 3.3.3.3 255.255.255.255

router bgp 6778
! IBGP peer pointing to the RR BGP router
neighbor 1.1.1.1 remote-as 6778
neighbor 1.1.1.1 update-source Loopback0

PRIVATE ASN

[Figure: 1.1.1.1 in private ASN 65535 (192.168.10.0/24) peers with 2.2.2.2 in private ASN 65534 (192.168.11.0/24)]

* Private ASN range: 64512 to 65535

>> R1 <<
interface Loopback0
ip address 1.1.1.1 255.255.255.255

! enable BGP using private ASN 65535
router bgp 65535
! EBGP peer to BGP router in private ASN 65534
neighbor 2.2.2.2 remote-as 65534
neighbor 2.2.2.2 update-source Loopback0

>> R2 <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255

! enable BGP using private ASN 65534
router bgp 65534
! EBGP peer to BGP router in private ASN 65535
neighbor 1.1.1.1 remote-as 65535
neighbor 1.1.1.1 update-source Loopback0

MAXIMUM PATHS PER ROUTE

router bgp 6778
! define the number of paths for a single route to be injected into the routing table
maximum-paths 2
! define the number of paths for a single route learned via eBGP
maximum-paths ebgp 2
! define the number of paths for a single route learned via iBGP
maximum-paths ibgp 4

REMOVING PRIVATE ASN

[Figure: R2 (2.2.2.2, private ASN 65535, 192.168.10.0/24) -- R3 (3.3.3.3, ASN 6778, 192.168.11.0/24) -- R4 (4.4.4.4, ASN 100, 192.168.12.0/24)]

>> R2 <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255

! enable BGP using private ASN 65535
router bgp 65535
! EBGP peer to BGP router in ASN 6778
neighbor 3.3.3.3 remote-as 6778
neighbor 3.3.3.3 update-source Loopback0
! routes to advertise to other BGP peers
network 192.168.10.0

>> R3 <<
interface Loopback0
ip address 3.3.3.3 255.255.255.255

! enable BGP using ASN 6778
router bgp 6778
! EBGP peer to BGP router in ASN 100
neighbor 4.4.4.4 remote-as 100
! remove any private ASN and replace with our ASN (6778) when forwarding routes from R2
neighbor 4.4.4.4 remove-private-as
! EBGP peer to BGP router in private ASN 65535
neighbor 2.2.2.2 remote-as 65535
neighbor 2.2.2.2 update-source Loopback0
neighbor 2.2.2.2 next-hop-self
! routes to advertise to other BGP peers
network 192.168.11.0

>> R4 <<
interface Loopback0
ip address 4.4.4.4 255.255.255.255

! enable BGP using ASN 100
router bgp 100
! EBGP peer to BGP router in ASN 6778
neighbor 3.3.3.3 remote-as 6778
neighbor 3.3.3.3 update-source Loopback0
! routes to advertise to other BGP peers
network 192.168.12.0

BGP ATTRIBUTE: LOCAL PREFERENCE

[Figure: ASN 6778 with R1 (1.1.1.1, .1) and R2 (2.2.2.2, .2) on 192.168.10.0/24; R1 peers with an ISP in ASN 1 (link 1.1.1.x) and R2 with an ISP in ASN 2 (link 1.2.1.x), both toward INET]

* Local Preference: the higher the value, the more preferred.
* When to use: when all routers exist in the same ASN for Internet redundancy.

>>R1<<
! route-map specifying a local preference value of 100 (more preferred)
route-map RM-BGP-PRI-IN permit 10
set local-preference 100

router bgp 6778
address-family ipv4
neighbor 1.1.1.2 remote-as 1
neighbor 2.2.2.2 remote-as 6778
neighbor 2.2.2.2 next-hop-self
network 192.168.10.0
! route-map associated with EBGP peer for all routes received from the ISP. This is
! the primary path to take for Internet access
neighbor 1.1.1.2 route-map RM-BGP-PRI-IN in

>>R2<<
! route-map specifying a local preference value of 10 (less preferred)
route-map RM-BGP-SEC-IN permit 10
set local-preference 10

router bgp 6778
address-family ipv4
neighbor 1.2.1.2 remote-as 2
neighbor 1.1.1.1 remote-as 6778
neighbor 1.1.1.1 next-hop-self
network 192.168.10.0
! route-map associated with EBGP peer for all routes received from the ISP. This is
! the secondary path to take for Internet access
neighbor 1.2.1.2 route-map RM-BGP-SEC-IN in

BGP ATTRIBUTE: MED

[Figure: ASN 6778 with R1 (1.1.1.1, .1, primary) and R2 (2.2.2.2, .2, secondary) on 192.168.10.0/24; both peer with the same ISP in ASN 1 (R1 via 10.1.1.x, R2 via 10.2.1.x) toward INET]

* MED: the lower the value, the more preferred.
* When to use: when peering with the same ISP ASN for Internet redundancy.

>>R1<<
! route-map specifying a MED value of 10 (more preferred)
route-map RM-BGP-PRI-OUT permit 10
set metric 10

router bgp 6778
address-family ipv4
neighbor 10.1.1.2 remote-as 1
neighbor 2.2.2.2 remote-as 6778
network 192.168.10.0
! route-map associated with EBGP peer for all routes advertised to the ISP. This is
! the primary path for devices on the Internet to access ASN (6778)
neighbor 10.1.1.2 route-map RM-BGP-PRI-OUT out

>>R2<<
! route-map specifying a MED value of 100 (less preferred)
route-map RM-BGP-SEC-OUT permit 10
set metric 100

router bgp 6778
address-family ipv4
neighbor 10.2.1.2 remote-as 1
neighbor 1.1.1.1 remote-as 6778
network 192.168.10.0
! route-map associated with EBGP peer for all routes advertised to the ISP. This is
! the secondary path for devices on the Internet to access ASN (6778)
neighbor 10.2.1.2 route-map RM-BGP-SEC-OUT out

BGP ATTRIBUTE: AS PATH (PREPENDING, PADDING)

[Figure: ASN 6778 with R1 (1.1.1.1, .1, primary) and R2 (2.2.2.2, .2, secondary) on 192.168.10.0/24; R1 peers with an ISP in ASN 1 (via 10.1.1.x) and R2 with an ISP in ASN 2 (via 10.2.1.x) toward INET]

* AS path: the shorter the AS path to the ASN, the more preferred.
* When to use: when peering with different ISP ASNs for Internet redundancy.

>>R1<<
router bgp 6778
address-family ipv4
neighbor 10.1.1.2 remote-as 1
neighbor 2.2.2.2 remote-as 6778
network 192.168.10.0
! no AS-path prepending toward ISP1: the native path (6778) is advertised, so this
! is the primary path for devices on the Internet to access ASN 6778

>>R2<<
! route-map prepending our ASN so the path to our ASN through R2 looks longer (less preferred)
route-map RM-BGP-SEC-OUT permit 10
set as-path prepend 6778 6778 6778 6778 6778

router bgp 6778
address-family ipv4
neighbor 10.2.1.2 remote-as 2
neighbor 1.1.1.1 remote-as 6778
network 192.168.10.0
! route-map associated with EBGP peer for all routes advertised to the ISP. This is
! the secondary path for devices on the Internet to access ASN 6778
neighbor 10.2.1.2 route-map RM-BGP-SEC-OUT out

CONDITIONAL ADVERTISEMENT

[Figure: ASN 6778 router (1.1.1.1; 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24) peers with ISP1 in ASN 100 (primary) and ISP2 in ASN 200 (secondary)]

* We only accept a default route from the BGP peers
* Primary BGP routing (inbound/outbound) through ASN 100
* Secondary BGP routing (inbound/outbound) through ASN 200

! AS-path ACL matching routes whose AS path begins with the primary BGP peer's ASN (100);
! the trailing _ keeps ^100 from also matching ASNs such as 1000
ip as-path access-list 1 permit ^100_

! configure ACL listing the default route
ip access-list standard RHG-ACL-DEFAULT
permit 0.0.0.0

! configure ACL listing the subnets we are advertising to BGP peers
ip access-list standard RHG-ACL-SUBNETS
permit 192.168.10.0 0.0.0.255
permit 192.168.11.0 0.0.0.255
permit 192.168.12.0 0.0.0.255

! route-map for the primary path for Internet routing
route-map RHG-RM-DEFAULT-PRI permit 10
! match the default route ACL
match ip address RHG-ACL-DEFAULT
! set a higher BGP weight (preferred)
set weight 100

! permit everything else unchanged
route-map RHG-RM-DEFAULT-PRI permit 11

! route-map for the secondary path for Internet routing
route-map RHG-RM-DEFAULT-SEC permit 10
! match the default route ACL
match ip address RHG-ACL-DEFAULT
! set a lower BGP weight (less preferred)
set weight 50

! permit everything else unchanged
route-map RHG-RM-DEFAULT-SEC permit 11

! route-map selecting the subnets we want to advertise to the secondary BGP peer
route-map RHG-RM-ADVERTISE permit 10
! match the ACL of our subnets
match ip address RHG-ACL-SUBNETS

! route-map for the BGP conditional advertisement (the non-exist condition)
route-map RHG-RM-NON-EXIST permit 10
! watch for a default route learned from ASN 100; while it is present in the BGP table
! nothing is sent via the advertise-map, and when it disappears the RHG subnets are
! advertised to the secondary BGP peer
match ip address RHG-ACL-DEFAULT
match as-path 1

router bgp 6778
no synchronization
bgp log-neighbor-changes
network 192.168.10.0
network 192.168.11.0
network 192.168.12.0
! eBGP peer in ASN 100
neighbor 1.1.1.2 remote-as 100
neighbor 1.1.1.2 ebgp-multihop 5
! route-map applied ; primary BGP path to Internet
neighbor 1.1.1.2 route-map RHG-RM-DEFAULT-PRI in
! eBGP peer in ASN 200
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 ebgp-multihop 255
neighbor 2.2.2.2 soft-reconfiguration inbound
! route-map applied ; secondary BGP path to Internet
neighbor 2.2.2.2 route-map RHG-RM-DEFAULT-SEC in
! only advertise our subnets to the secondary BGP peer while the default route
! from the primary BGP peer does not exist in the BGP table
neighbor 2.2.2.2 advertise-map RHG-RM-ADVERTISE non-exist-map RHG-RM-NON-EXIST
no auto-summary

BGP COMMUNITIES

[Figure: R1 (1.1.1.1, ASN 6778) -- .1 | 10.1.2.0/24 | .2 -- R2 (2.2.2.2, ASN 100). R2's IBGP peer receives 192.168.11.0/24 and 192.168.12.0/24; R2's EBGP peer in ASN 200 receives only 192.168.12.0/24]

>> R1 <<
interface Loopback0
ip address 1.1.1.1 255.255.255.255

! ACL listing subnet 192.168.10.0/24
ip access-list standard RHG-ACL-NET-10
permit 192.168.10.0 0.0.0.255

! ACL listing subnet 192.168.11.0/24
ip access-list standard RHG-ACL-NET-11
permit 192.168.11.0 0.0.0.255

! ACL listing subnet 192.168.12.0/24
ip access-list standard RHG-ACL-NET-12
permit 192.168.12.0 0.0.0.255

! tell BGP router (R2) to not advertise subnet 192.168.10.0 to ANY other BGP peers
route-map RHG-RM-BGP-COM permit 10
match ip address RHG-ACL-NET-10
set community no-advertise

! tell BGP router (R2) to not advertise subnet 192.168.11.0 to other EBGP peers
route-map RHG-RM-BGP-COM permit 11
match ip address RHG-ACL-NET-11
set community no-export

! tell BGP router (R2) to advertise subnet 192.168.12.0 to ANY BGP peer
route-map RHG-RM-BGP-COM permit 12
match ip address RHG-ACL-NET-12
set community internet

router bgp 6778
! EBGP peer to BGP router in ASN 100
neighbor 10.1.2.2 remote-as 100
! enable & send BGP community info to BGP peer
neighbor 10.1.2.2 send-community
! associate BGP community route map to BGP peer
neighbor 10.1.2.2 route-map RHG-RM-BGP-COM out
! BGP networks that will be advertised to BGP peers
network 192.168.10.0
network 192.168.11.0
network 192.168.12.0

>> R2 <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255

router bgp 100
! EBGP peer to BGP router in ASN 6778
neighbor 10.1.2.1 remote-as 6778
! IBGP peer in ASN 100 (receives the no-export and internet routes)
neighbor 10.2.3.2 remote-as 100
! EBGP peer in ASN 200 (receives only the internet route)
neighbor 10.2.4.2 remote-as 200
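Added example (Python, not from the guide) of what R2 does with the well-known communities R1 attaches above. The well-known values are honoured by the receiving router without any configuration, which is why R2 needs nothing beyond its neighbor statements; the code models that outbound decision for R2's iBGP peer (10.2.3.2) and eBGP peer (10.2.4.2), and also shows the new-format "ASN:value" encoding and the effect of "send-community" on what the peer sees. The routes and the peer flags are constructed from the figure; no confederation is modelled, so local-as behaves like no-export here.

```python
from typing import Dict, List, Sequence, Tuple

NO_EXPORT, NO_ADVERTISE, LOCAL_AS, INTERNET = 0xFFFFFF01, 0xFFFFFF02, 0xFFFFFF03, 0
WELL_KNOWN = {"no-export": NO_EXPORT, "no-advertise": NO_ADVERTISE,
              "local-as": LOCAL_AS, "internet": INTERNET}


def parse_community(token: str) -> int:
    """'no-export' etc., 'ASN:value' (new format), or a plain 32-bit integer."""
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    if ":" in token:
        asn, value = token.split(":")
        return (int(asn) << 16) | int(value)
    return int(token)


def format_community(value: int) -> str:
    for name, v in WELL_KNOWN.items():
        if v == value:
            return name
    return f"{value >> 16}:{value & 0xFFFF}"


def may_advertise(communities: Sequence[int], peer_is_ibgp: bool) -> bool:
    """Well-known community semantics applied by the receiving router on its own
    outbound side: NO_ADVERTISE blocks every peer, NO_EXPORT and LOCAL_AS block
    peers outside the local AS (no confederation modelled here), INTERNET and any
    other value pass."""
    if NO_ADVERTISE in communities:
        return False
    if (NO_EXPORT in communities or LOCAL_AS in communities) and not peer_is_ibgp:
        return False
    return True


Peer = Tuple[str, bool, bool]     # (address, is_ibgp, send_community configured)


def propagate(routes: Dict[str, List[str]], peers: Sequence[Peer]) -> Dict[str, Dict[str, List[str]]]:
    """For each peer: which prefixes are sent, and with which communities attached
    (communities are stripped unless the peer is configured with send-community)."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for address, is_ibgp, send_community in peers:
        out[address] = {}
        for prefix, tokens in routes.items():
            values = [parse_community(t) for t in tokens]
            if may_advertise(values, is_ibgp):
                out[address][prefix] = [format_community(v) for v in values] if send_community else []
    return out


# Constructed: the three prefixes as R2 receives them from R1, tagged by RHG-RM-BGP-COM.
R2_RECEIVED = {"192.168.10.0/24": ["no-advertise"],
               "192.168.11.0/24": ["no-export"],
               "192.168.12.0/24": ["internet"]}
# R2's peers: the iBGP peer has send-community, the eBGP peer in ASN 200 does not.
R2_PEERS = [("10.2.3.2", True, True), ("10.2.4.2", False, False)]

if __name__ == "__main__":
    for peer, sent in propagate(R2_RECEIVED, R2_PEERS).items():
        print(peer, "->", sent)
```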

BGP USING FOUNDRY FASTIRON L3 SWITCHES

[Figure: Core FastIron switch (ASN 6778) with ve 91 (1.1.1.1) on port 12/23 in VLAN91 toward ISP1 (1.1.1.2, ASN 100), ve 92 (2.2.2.1) on port 12/19 in VLAN92 toward ISP2 (2.2.2.2, ASN 200), and VLAN10 (192.168.10.1) for the DC network]

! L3 interface for VLAN 91 (ISP1)
interface ve 91
ip address 1.1.1.1 255.255.255.252

! L3 interface for VLAN 92 (ISP2)
interface ve 92
ip address 2.2.2.1 255.255.255.252

! create VLAN 91
vlan 91 name ISP1
! associate interface to VLAN
untagged ethe 12/23
! associate L3 VLAN interface 91
router-interface ve 91

! create VLAN 92
vlan 92 name ISP2
! associate interface to VLAN
untagged ethe 12/19
! associate L3 VLAN interface 92
router-interface ve 92

! physical interface connected to ISP1
interface ethernet 12/23
port-name ISP1 PORT
no flow-control

! physical interface connected to ISP2
interface ethernet 12/19
port-name ISP2 PORT
no spanning-tree
no flow-control

! L3 interface for DC network (VLAN10)
interface ve 10
ip address 192.168.10.1 255.255.255.0

! prefix list specifying the DC network subnet that will be advertised
ip prefix-list RHG-SAC-PL-NET seq 5 permit 192.168.10.0/24

! route map that prepends the local ASN multiple times;
! used for secondary routing from the Internet to the DC network
route-map RHG-SAC-RM-BGP-SEC permit 10
set as-path prepend 6778 6778 6778

! enable BGP routing process
router bgp
! specify ASN
local-as 6778
maximum-paths 2
multipath ebgp
! eBGP peer to router in ASN 100
neighbor 1.1.1.2 remote-as 100
! primary path to the Internet (higher weight value)
neighbor 1.1.1.2 weight 200
! only advertise BGP subnets listed in the prefix list
neighbor 1.1.1.2 prefix-list RHG-SAC-PL-NET out
neighbor 1.1.1.2 soft-reconfiguration inbound
! eBGP peer to router in ASN 200
neighbor 2.2.2.2 remote-as 200
! secondary path to the Internet (lower weight value)
neighbor 2.2.2.2 weight 100
! secondary path from the Internet to DC network (longer ASN path)
neighbor 2.2.2.2 route-map out RHG-SAC-RM-BGP-SEC
! only advertise BGP subnets listed in the prefix list
neighbor 2.2.2.2 prefix-list RHG-SAC-PL-NET out
neighbor 2.2.2.2 soft-reconfiguration inbound
! subnet that will be advertised to eBGP peers
network 192.168.10.0 255.255.255.0

MONITOR

show ip route bgp
show ip bgp
show ip bgp summary
show ip bgp neighbors
! view what routes are received from the BGP peer
show ip bgp neighbors <x.x.x.x> received-routes
! view what routes will be advertised to the BGP peer
show ip bgp neighbors <x.x.x.x> advertised-routes

ROUTE TAGGING

ROUTE TAGGING FROM THE SOURCE

[Figure: R1 (.1, EIGRP 1, 192.168.10.0/24, Tag 10), R11 (.11, EIGRP 1, 192.168.11.0/24, Tag 11), R2 (.2, RIP, 192.168.20.0/24, Tag 20) and R22 (.22, RIP, 192.168.22.0/24, Tag 22) share 10.1.1.0/24 with R3 (.3), which redistributes into OSPF (192.168.30.0/24). Routes accepted at R3: 192.168.10.0/24, 192.168.20.0/24, 10.1.1.0/24]

>> R1 <<
! specify a route tag of 10
route-map EIGRP-TAG permit 10
set tag 10

router eigrp 1
network 192.168.10.0
network 10.0.0.0
no auto-summary
! all EIGRP routes advertised from R1 will use tag 10
distribute-list route-map EIGRP-TAG out

>> R11 <<
! specify a route tag of 11
route-map EIGRP-TAG permit 10
set tag 11

router eigrp 1
network 192.168.11.0
network 10.0.0.0
no auto-summary
! all EIGRP routes advertised from R11 will use tag 11
distribute-list route-map EIGRP-TAG out

>> R2 <<
! specify a route tag of 20
route-map RIP-TAG permit 10
set tag 20

router rip
version 2
network 192.168.20.0
network 10.0.0.0
no auto-summary
! all RIP routes advertised from R2 will use tag 20
distribute-list route-map RIP-TAG out

>> R22 <<
! specify a route tag of 22
route-map RIP-TAG permit 10
set tag 22

router rip
version 2
network 192.168.22.0
network 10.0.0.0
no auto-summary
! all RIP routes advertised from R22 will use tag 22
distribute-list route-map RIP-TAG out

>> R3 <<
router eigrp 1
network 10.0.0.0
no auto-summary

router rip
version 2
network 10.0.0.0
no auto-summary

router ospf 3
! only redistribute EIGRP routes learned from R1
redistribute eigrp 1 metric 10 subnets tag 10
! only redistribute RIP routes learned from R2
redistribute rip metric 10 subnets tag 20
network 192.168.30.0 0.0.0.255 area 0

ROUTE TAGGING FROM THE DESTINATION

[Figure: R1 (.1, EIGRP 1, 192.168.10.0/24), R11 (.11, EIGRP 1, 192.168.11.0/24), R2 (.2, RIP, 192.168.20.0/24) and R22 (.22, RIP, 192.168.22.0/24) share 10.1.1.0/24 with R3 (.3), which redistributes into OSPF (192.168.30.0/24). Route tags assigned and accepted at R3: Tag 10: 192.168.10.0/24; Tag 11: 192.168.11.0/24; Tag 20: 192.168.20.0/24; Tag 22: 192.168.22.0/24]

>> R1 <<
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0

router eigrp 1
network 192.168.10.0
network 10.0.0.0
no auto-summary

>> R11 <<
interface fastethernet 0/0
ip address 10.1.1.11 255.255.255.0

router eigrp 1
network 192.168.11.0
network 10.0.0.0
no auto-summary

>> R2 <<
interface fastethernet 0/0
ip address 10.1.1.2 255.255.255.0

router rip
version 2
network 192.168.20.0
network 10.0.0.0
no auto-summary

>> R22 <<
interface fastethernet 0/0
ip address 10.1.1.22 255.255.255.0

router rip
version 2
network 192.168.22.0
network 10.0.0.0
no auto-summary

>> R3 <<
! ACL listing IP for R1
access-list 1 permit 10.1.1.1
! ACL listing IP for R11
access-list 11 permit 10.1.1.11
! ACL listing IP for R2
access-list 2 permit 10.1.1.2
! ACL listing IP for R22
access-list 22 permit 10.1.1.22

! all routes received from R1 will use tag 10
route-map ROUTES-R1 permit 10
match ip route-source 1
set tag 10

! all routes received from R11 will use tag 11
route-map ROUTES-R1 permit 11
match ip route-source 11
set tag 11

! all routes received from R2 will use tag 20
route-map ROUTES-R2 permit 10
match ip route-source 2
set tag 20

! all routes received from R22 will use tag 22
route-map ROUTES-R2 permit 11
match ip route-source 22
set tag 22

router eigrp 1
network 10.0.0.0
no auto-summary

router rip
version 2
network 10.0.0.0
no auto-summary

router ospf 3
! only redistribute EIGRP routes from routers listed in the defined route-map
redistribute eigrp 1 metric 10 subnets route-map ROUTES-R1
! only redistribute RIP routes from routers listed in the defined route-map
redistribute rip metric 10 subnets route-map ROUTES-R2
network 192.168.30.0 0.0.0.255 area 0

STATIC

STATIC ROUTING

[Figure: R1 (.1) and R2 (.2) on 192.168.10.0/24; 192.168.20.0/24 is behind R1]

>> R2 <<
! to access the network 192.168.20.0 go through R1 (using IP 192.168.10.1)
ip route 192.168.20.0 255.255.255.0 192.168.10.1

! default route pointing to 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.10.1

show ip route static

LAN SWITCHING

LAN SWITCHING ..........................................................................................................................................................43

VLAN ....................................................................................................................................................................44
VLAN (L2) ........................................................................................................................................................................... 44
VLAN SVI (L3) ..................................................................................................................................................................... 44
Disable VLAN AutoState .................................................................................................................................................... 44
Support 4000+ VLANs ........................................................................................................................................................ 45
Private VLANs .................................................................................................................................................................... 45
Spanning Tree Protocol (STP) ...............................................................................................................................48
Rapid Spanning Tree PVST+ (RSTP) .................................................................................................................................... 48
Root Bridge ........................................................................................................................................................................ 48
Loopguard.......................................................................................................................................................................... 48
Rootguard .......................................................................................................................................................................... 48
Edge Port ........................................................................................................................................................................... 49
STP Path Cost ..................................................................................................................................................................... 49
STP Link Type ..................................................................................................................................................................... 49
MST .................................................................................................................................................................................... 49
VTP .......................................................................................................................................................................52
VTP..................................................................................................................................................................................... 52
Trunking (802.1q) ................................................................................................................................................53
802.1Q ............................................................................................................................................................................... 53
DTP .................................................................................................................................................................................... 53
Trunk Security .................................................................................................................................................................... 53
Native VLAN ....................................................................................................................................................................... 53
Tag Native VLAN ................................................................................................................................................................ 53
802.1Q Interfaces on Cisco Routers................................................................................................................................... 54
Port Channel ........................................................................................................................................................55
Hash Algorithm: Source and Destination IP ....................................................................................................................... 55
Hash Algorithm: Source and Destination IP Plus Port ........................................................................................................ 55
L3 Port CHannel between two Cisco Switches (using LACP) .............................................................................................. 55
L2 Port CHannel between two Cisco Switches (using LACP) .............................................................................................. 56
Port Channel on Cisco IOS Routers .................................................................................................................................... 57
Port Channel on Cisco 2900/3500XL Switches ................................................................................................................... 58
Port Monitor ........................................................................................................................................................59
Port Monitor ...................................................................................................................................................................... 59
RSPAN ................................................................................................................................................................................ 59
Storm Control .......................................................................................................................................................61
Broadcast Suppression ...................................................................................................................................................... 61
UDLD ....................................................................................................................................................................61
UDLD Aggressive ................................................................................................................................................................ 61
Port Security.........................................................................................................................................................61
Port Security using Maximum Value .................................................................................................................................. 61
Port Security using Mac Address ....................................................................................................................................... 62
Other Vendor Configurations ...............................................................................................................................63

Configuration Reference Guide | Core Network Services 43


L2 Port Channel between Cisco and Netgear .................................................................................................................... 63
802.1Q between Cisco and Extreme .................................................................................................................................. 65
SonicPoint Cisco Switch Port ............................................................................................................................................. 66
Voice Switch port using NEC Phone System ...................................................................................................................... 67
Jumbo Frames ......................................................................................................................................................67
Jumbo Frames on Cisco Catalyst Switches ......................................................................................................................... 67
Switching Services ................................................................................................................................................68
DHCP Snooping .................................................................................................................................................................. 68
Dynamic ARP Inspection (DAI) ........................................................................................................................................... 68
IP Source Guard ................................................................................................................................................................. 69
FlexLink .............................................................................................................................................................................. 69
Bridging ...............................................................................................................................................................70
Integrated Routing & Bridging (IRB) .................................................................................................................................. 70

VLAN

VLAN (L2)

! adds L2 VLAN to switch and associates a name for the VLAN
vlan 100
name ROUTEHUB-VLAN-USER1

! puts interface into configured VLAN
interface FastEthernet 0/10
switchport mode access
switchport access vlan 100

! to view all VLANs configured (or learned via VTP) on the switch
show vlan

VLAN SVI (L3)

! makes L2 VLAN routable on the network with other networks and VLANs
interface Vlan100
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no shutdown

DISABLE VLAN AUTOSTATE

interface Vlan1
! disable autostate: the Vlan1 SVI stays up even when no switch port in VLAN 1 is up
no autostate

SUPPORT 4000+ VLANS

* Requirements: 802.1Q encapsulation for trunking

! allows support for 4000+ VLANs when trunking with 802.1Q
spanning-tree extend system-id

PRIVATE VLANS

Topology: Access and Core switches connected by Gi0/1 trunks. Primary VLAN 2000 (SVIs 192.168.10.1 mapping 2011,2012,2021 and 192.168.10.2 mapping 2011,2012) carries community VLANs 2011 (Consulting) and 2012 (Training) and isolated VLAN 2021 (Guest); User 1 hosts sit on the Access switch, User 2 hosts on the Core switch.

* Community: hosts can communicate with other hosts in the same community, including the promiscuous router port.
* Isolated: hosts can only communicate with the promiscuous router port.

>>ACCESS<<
! create the primary VLAN that will be used by all private VLAN hosts
vlan 2000
private-vlan primary

! create private community VLAN for group 1
vlan 2011
private-vlan community

! create private community VLAN for group 2
vlan 2012
private-vlan community

! create private isolated VLAN for group 3
vlan 2021
private-vlan isolated

vlan 2000
! associate all of the community and isolated VLANs to the primary VLAN
private-vlan association 2011,2012,2021

! assign interface to the private community VLAN for group 1
interface fastethernet0/1
description Consulting Host1
switchport private-vlan host association 2000 2011
switchport mode private-vlan host

! assign interface to the private community VLAN for group 2
interface fastethernet0/2
description Training Host1
switchport private-vlan host association 2000 2012
switchport mode private-vlan host

! assign interface to the private isolated VLAN for group 3
interface fastethernet0/3
description Guest Host1
switchport private-vlan host association 2000 2021
switchport mode private-vlan host

! uplink port to the Core switch
interface gigabitethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk

>>CORE<<
! assign interface to the community VLAN for group 1
interface fastethernet0/2
description Consulting Host2
switchport private-vlan host association 2000 2011
switchport mode private-vlan host

! assign interface to the community VLAN for group 2
interface fastethernet0/3
description Training Host2
switchport private-vlan host association 2000 2012
switchport mode private-vlan host

! assign interface to the isolated VLAN for group 3
interface fastethernet0/4
description Guest Host2
switchport private-vlan host association 2000 2021
switchport mode private-vlan host

! downlink port to the Access switch
interface gigabitethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk

! promiscuous SVI for the primary VLAN: hosts in both communities and in the isolated VLAN
! can reach it, so this is the IP they use as their default gateway
interface vlan2000
ip address 192.168.10.1 255.255.255.0
private-vlan mapping 2011,2012,2021

! promiscuous SVI mapped to the two community VLANs only: hosts in those communities can
! reach it and use this IP as their default gateway (isolated VLAN 2021 hosts cannot)
interface vlan2000
ip address 192.168.10.2 255.255.255.0
private-vlan mapping 2011,2012

show interfaces private-vlan mapping
show vlan private-vlan
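The community/isolated rules above, applied to the Access and Core hosts and the two Vlan2000 SVIs, as an added Python illustration (not configuration or code from the guide): it answers "can these two endpoints exchange frames inside the private VLAN?". Host names follow the interface descriptions; which SVI a host can reach follows from that SVI's private-vlan mapping.

```python
"""L2 reachability under the private VLAN design (primary 2000; community
2011/2012; isolated 2021)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PRIMARY_VLAN = 2000
SECONDARY_TYPE = {2011: "community", 2012: "community", 2021: "isolated"}


@dataclass(frozen=True)
class Endpoint:
    name: str
    primary: int
    # Host port: the secondary VLAN it is associated with (None = promiscuous).
    secondary: Optional[int] = None
    # Promiscuous port / SVI: secondary VLANs listed in 'private-vlan mapping'.
    mappings: FrozenSet[int] = frozenset()

    @property
    def promiscuous(self) -> bool:
        return self.secondary is None


def can_communicate(a: Endpoint, b: Endpoint) -> bool:
    """True if frames can pass between a and b inside the private VLAN."""
    if a.primary != b.primary:
        return False                      # different primary VLANs never meet at L2
    if a.promiscuous and b.promiscuous:
        return True                       # both live in the primary VLAN proper
    if a.promiscuous or b.promiscuous:
        prom, host = (a, b) if a.promiscuous else (b, a)
        # a promiscuous port only serves the secondary VLANs mapped to it
        return host.secondary in prom.mappings
    kind_a = SECONDARY_TYPE[a.secondary]
    kind_b = SECONDARY_TYPE[b.secondary]
    # only members of the same community VLAN talk directly; isolated hosts never
    # talk to each other, even when they share the same isolated VLAN
    return kind_a == "community" and kind_b == "community" and a.secondary == b.secondary


def reachability(endpoints: List[Endpoint]) -> Dict[Tuple[str, str], bool]:
    """Matrix {(name_a, name_b): reachable} over every unordered pair."""
    out: Dict[Tuple[str, str], bool] = {}
    for i, a in enumerate(endpoints):
        for b in endpoints[i + 1:]:
            out[(a.name, b.name)] = can_communicate(a, b)
    return out


# Constructed endpoints following the guide's topology
CONSULTING1 = Endpoint("Consulting Host1", PRIMARY_VLAN, 2011)   # Access Fa0/1
CONSULTING2 = Endpoint("Consulting Host2", PRIMARY_VLAN, 2011)   # Core Fa0/2
TRAINING1 = Endpoint("Training Host1", PRIMARY_VLAN, 2012)       # Access Fa0/2
GUEST1 = Endpoint("Guest Host1", PRIMARY_VLAN, 2021)             # Access Fa0/3
GUEST2 = Endpoint("Guest Host2", PRIMARY_VLAN, 2021)             # Core Fa0/4
GW_FULL = Endpoint("SVI 192.168.10.1", PRIMARY_VLAN,
                   mappings=frozenset({2011, 2012, 2021}))
GW_PARTIAL = Endpoint("SVI 192.168.10.2", PRIMARY_VLAN,
                      mappings=frozenset({2011, 2012}))
ALL = [CONSULTING1, CONSULTING2, TRAINING1, GUEST1, GUEST2, GW_FULL, GW_PARTIAL]

if __name__ == "__main__":
    for (x, y), ok in reachability(ALL).items():
        print(f"{x:18} <-> {y:18} {'yes' if ok else 'no'}")
```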

SPANNING TREE PROTOCOL (STP)

RAPID SPANNING TREE PVST+ (RSTP)

* Notes: This STP is recommended for all L2 switches

! globally configures switch to use Rapid STP
spanning-tree mode rapid-pvst

ROOT BRIDGE

* The lower the bridge priority (among all switches), the more preferred the switch is as the Root Bridge

! configures the switch to use priority 8192 for VLANs 100 to 200
spanning-tree vlan 100-200 priority 8192

OR

! configures the switch to use priority 8192 for VLANs 100 and 102
spanning-tree vlan 100,102 priority 8192

LOOPGUARD

! enables LoopGuard globally for all ports
spanning-tree loopguard default

ROOTGUARD

! enables RootGuard on interface connecting to another switch we don’t want to consider as
! the Root Bridge for any VLANs
interface GigabitEthernet 0/4
spanning-tree guard root

EDGE PORT

interface FastEthernet 0/10
! configures interface to be an access port ; recommended for edge ports
switchport mode access
! automatically place interface into a “STP forwarding” state
spanning-tree portfast
! any BPDU received (from a switch) on this interface puts the port into err-disabled state
spanning-tree bpduguard enable

STP PATH COST

! enables STP port path method to use 32-bit over 16-bit (the default)
spanning-tree pathcost method long

STP LINK TYPE

interface GigabitEthernet1/0/1
spanning-tree link-type point-to-point

MST

Topology: CS01 and CS02 are the core switches; the Access switch uplinks to CS01 on Gi0/1 and to CS02 on Gi0/2. CS01 is primary root for IST 0 and MSTI 1 (VLAN 10-12) and secondary root for MSTI 2 (VLAN 20-22); CS02 is secondary root for IST 0 and MSTI 1 and primary root for MSTI 2.

>> CORE1 <<
! enable MST
spanning-tree mode mst

spanning-tree mst configuration
! specify MST region
name RHG-REGION
! specify instance 1 (MSTI1) containing the listed VLANs within the region
instance 1 vlan 10, 11, 12
! specify instance 2 (MSTI2) containing the listed VLANs within the region
instance 2 vlan 20, 21, 22

! Core1 will be the primary root bridge for IST 0
spanning-tree mst 0 priority 8192
! Core1 will be the primary root bridge for VLANs listed in MSTI1
spanning-tree mst 1 priority 8192
! Core1 will be the secondary root bridge for VLANs listed in MSTI2
spanning-tree mst 2 priority 16384

! interface connected to Core2
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
! specify VLAN tags allowed between the Core switches
switchport trunk allowed vlan 10-29
switchport mode trunk

! interface connected to Access switch
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
! specify VLAN tags allowed to access switch
switchport trunk allowed vlan 10-29
switchport mode trunk

>> CORE2 <<
! enable MST
spanning-tree mode mst

spanning-tree mst configuration
! specify MST region
name RHG-REGION
! specify instance 1 (MSTI1) containing the listed VLANs within the region
instance 1 vlan 10, 11, 12
! specify instance 2 (MSTI2) containing the listed VLANs within the region
instance 2 vlan 20, 21, 22

! Core2 will be the secondary root bridge for IST 0
spanning-tree mst 0 priority 16384
! Core2 will be the primary root bridge for VLANs listed in MSTI2
spanning-tree mst 2 priority 8192
! Core2 will be the secondary root bridge for VLANs listed in MSTI1
spanning-tree mst 1 priority 16384

! interface connected to Core1
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
! specify VLAN tags allowed between the Core switches
switchport trunk allowed vlan 10-29
switchport mode trunk

! interface connected to Access switch
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
! specify VLAN tags allowed to access switch
switchport trunk allowed vlan 10-29
switchport mode trunk

>> ACCESS <<
! enable MST
spanning-tree mode mst

spanning-tree mst configuration
! specify MST region
name RHG-REGION
! specify instance 1 (MSTI1) containing the listed VLANs within the region
instance 1 vlan 10, 11, 12
! specify instance 2 (MSTI2) containing the listed VLANs within the region
instance 2 vlan 20, 21, 22

! interface connected to Core1
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
! specify VLAN tags allowed to Core1
switchport trunk allowed vlan 10-29
switchport mode trunk

! interface connected to Core2
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
! specify VLAN tags allowed to Core2
switchport trunk allowed vlan 10-29
switchport mode trunk

show spanning-tree mst configuration
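Root election for the CORE1/CORE2/ACCESS design above, and for the per-VLAN priorities in the Root Bridge section, as an added Python illustration (not code from the guide). With the extended system ID (see "spanning-tree extend system-id"), the bridge priority field is the configured priority plus the instance or VLAN number, and the lowest (priority field, MAC) pair wins; switch MAC addresses here are constructed.

```python
"""STP/MST root bridge election with the extended system ID."""
from typing import Dict, List, Optional, Tuple

DEFAULT_PRIORITY = 32768


def valid_priority(priority: int) -> bool:
    """IOS only accepts priorities that are multiples of 4096 between 0 and 61440."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


class Switch:
    def __init__(self, name: str, mac: str, priorities: Optional[Dict[int, int]] = None):
        self.name = name
        # MAC in Cisco dotted form, kept as an integer so tuples compare naturally
        self.mac = int(mac.replace(".", "").replace(":", ""), 16)
        self.priorities: Dict[int, int] = {}
        for instance, prio in (priorities or {}).items():
            self.set_priority(instance, prio)

    def set_priority(self, instance: int, priority: int) -> None:
        """'spanning-tree mst <instance> priority <p>' (or 'spanning-tree vlan ...')."""
        if not valid_priority(priority):
            raise ValueError(f"priority must be a multiple of 4096 in 0..61440, got {priority}")
        self.priorities[instance] = priority

    def bridge_id(self, instance: int) -> Tuple[int, int]:
        """(priority field, MAC) for one instance or VLAN.

        The priority field is the configured priority plus the instance number,
        which is exactly what 'show spanning-tree' prints (e.g. 8193 for MSTI 1).
        """
        base = self.priorities.get(instance, DEFAULT_PRIORITY)
        return (base + instance, self.mac)


def elect_root(switches: List[Switch], instance: int) -> str:
    """Name of the root bridge for one MST instance (or one VLAN under PVST+)."""
    return min(switches, key=lambda s: s.bridge_id(instance)).name


# Constructed switches matching the CORE1 / CORE2 / ACCESS configuration above
CORE1 = Switch("CORE1", "0011.2233.0001", {0: 8192, 1: 8192, 2: 16384})
CORE2 = Switch("CORE2", "0011.2233.0002", {0: 16384, 1: 16384, 2: 8192})
ACCESS = Switch("ACCESS", "0011.2233.0003")          # defaults everywhere
FABRIC = [CORE1, CORE2, ACCESS]

if __name__ == "__main__":
    for inst in (0, 1, 2):
        print(f"instance {inst}: root is {elect_root(FABRIC, inst)}")
```

Two switches left at the default priority tie on the priority field, and the lower MAC becomes root, which is why an unmanaged switch with a low MAC can take over a VLAN whose priorities were never set.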

VTP

VTP

* Recommendation: use VTP Transparent mode over Server mode to avoid L2 issues
* Mode: the other VTP modes are Client (ideal for Access switches) and Server (ideal for Core or Distribution switches)

! specify VTP domain for the switch
vtp domain ROUTEHUB

! specify VTP mode on the switch to be transparent, where all VLANs are added/removed locally
vtp mode transparent

TRUNKING (802.1Q)

802.1Q

interface GigabitEthernet0/1
! configures interface for 802.1Q trunking
switchport trunk encapsulation dot1q
! configures interface as a trunk
switchport mode trunk

DTP

interface GigabitEthernet0/1
! disables DTP and establishes interface as a Trunk interface without negotiation
switchport nonegotiate

TRUNK SECURITY

interface GigabitEthernet0/1
! only allow VLAN tags 100 to 102 to be extended. All other VLAN access will be restricted
switchport trunk allowed vlan 100-102

NATIVE VLAN

! configure NULL VLAN on switch
vlan 999
name bit-bucket
shutdown

interface GigabitEthernet0/1
! configures native VLAN on interface to be VLAN999, the NULL VLAN added above
switchport trunk native vlan 999

TAG NATIVE VLAN

! force all VLANs using 802.1Q, including the native VLAN, to be tagged
vlan dot1q tag native
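A check for the three trunk settings this section covers (DTP negotiation, allowed VLAN list, native VLAN), as an added Python illustration rather than anything from the guide: it reads "show running-config" style text, where interface sub-commands are indented by one space as IOS prints them, and reports each trunk that still negotiates, allows every VLAN, or leaves native VLAN 1 untagged. The sample configuration is constructed.

```python
"""Audit switch-port trunk settings in an IOS running-config."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]          # (interface name, description)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its sub-commands (leading space stripped)."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None              # back at global configuration level
    return interfaces


def native_vlan(cmds: List[str]) -> int:
    """Native VLAN configured on a trunk; IOS defaults to VLAN 1."""
    for c in cmds:
        if c.startswith("switchport trunk native vlan "):
            return int(c.split()[-1])
    return 1


def audit_trunks(config: str) -> List[Finding]:
    findings: List[Finding] = []
    # 'vlan dot1q tag native' makes the native VLAN tagged on every trunk
    tag_native_globally = "vlan dot1q tag native" in config.splitlines()
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport") for c in cmds):
            continue                    # routed port ('no switchport'): out of scope
        modes = [c for c in cmds if c.startswith("switchport mode ")]
        if not modes or modes[-1].split()[2] == "dynamic":
            # no explicit mode, or dynamic auto/desirable: DTP decides whether the
            # link becomes a trunk, so whatever is plugged in may negotiate one
            findings.append((name, "no fixed switchport mode: DTP may negotiate a trunk"))
            continue
        if modes[-1].split()[2] != "trunk":
            continue                    # access or private-vlan host port
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "trunk still sends DTP frames (missing 'switchport nonegotiate')"))
        if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            findings.append((name, "all VLANs allowed on trunk (no 'switchport trunk allowed vlan')"))
        if native_vlan(cmds) == 1 and not tag_native_globally:
            findings.append((name, "native VLAN is 1 and untagged (use a NULL VLAN or 'vlan dot1q tag native')"))
    return findings


# Constructed sample in 'show running-config' form
SAMPLE_CONFIG = """\
vlan 999
 name bit-bucket
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-102
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/11
 switchport access vlan 100
!
interface GigabitEthernet0/3
 no switchport
 ip address 10.1.2.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for iface, problem in audit_trunks(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```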

802.1Q INTERFACES ON CISCO ROUTERS

Topology: router Gi0/0 carries VLANs 10 and 11 (802.1Q) to the switch. Vlan10: 192.168.10.0 /24 (LAN), router at .1, host 192.168.10.10. Vlan11: 192.168.11.0 /24 (Guest), router at .1, host 192.168.11.10.

! L3 interface on Cisco IOS router
interface GigabitEthernet0/0
no ip address
duplex full
speed 100

! sub-interface created from physical interface used for VLAN10
interface GigabitEthernet0/0.10
! enable VLAN tag 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0

! sub-interface created from physical interface used for VLAN11
interface GigabitEthernet0/0.11
! enable VLAN tag 11
encapsulation dot1Q 11
ip address 192.168.11.1 255.255.255.0

PORT CHANNEL

HASH ALGORITHM: SOURCE AND DESTINATION IP

! configures Port Channel hash algorithm based on Source and Destination IP
port-channel load-balance src-dst-ip

HASH ALGORITHM: SOURCE AND DESTINATION IP PLUS PORT

! configures Port Channel hash algorithm based on Source & Destination IP plus TCP/UDP ports
port-channel load-balance src-dst-port

L3 PORT CHANNEL BETWEEN TWO CISCO SWITCHES (USING LACP)

Topology: SW1 (10.1.2.1) and SW2 (10.1.2.2) joined by an L3 port channel over Gi0/1-2 on subnet 10.1.2.0 /24.

>>SW1<<
! configures Port Channel interface to use group 1
interface Port-Channel1
! configures IP address details
ip address 10.1.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp

! two interfaces added to port channel group 1 using LACP
interface GigabitEthernet0/1
no switchport
no ip address
channel-protocol lacp
channel-group 1 mode active

interface GigabitEthernet0/2
no switchport
no ip address
channel-protocol lacp
channel-group 1 mode active

>>SW2<<
! configures Port Channel interface to use group 1
interface Port-Channel1
! configures IP address details
ip address 10.1.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp

! two interfaces added to port channel group 1 using LACP
interface GigabitEthernet0/1
no switchport
no ip address
channel-protocol lacp
channel-group 1 mode active

interface GigabitEthernet0/2
no switchport
no ip address
channel-protocol lacp
channel-group 1 mode active

L2 PORT CHANNEL BETWEEN TWO CISCO SWITCHES (USING LACP)

Topology: SW1 and SW2 joined by an L2 port channel over Gi0/1-2.

>>SW1<<
! configures Port Channel interface to use group 1
interface Port-Channel1
! L2 trunking configuration
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-11,50,200,250
switchport mode trunk
switchport nonegotiate

! two interfaces added to port channel group 1 using LACP
interface range GigabitEthernet0/1 - 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-11,50,200,250
switchport mode trunk
switchport nonegotiate
channel-protocol lacp
channel-group 1 mode active

>>SW2<<
! configures Port Channel interface to use group 1
interface Port-Channel1
! L2 trunking configuration
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-11,50,200,250
switchport mode trunk
switchport nonegotiate

! two interfaces added to port channel group 1 using LACP
interface range GigabitEthernet0/1 - 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-11,50,200,250
switchport mode trunk
switchport nonegotiate
channel-protocol lacp
channel-group 1 mode active

PORT CHANNEL ON CISCO IOS ROUTERS

Topology: Cisco IOS router with GE0/0 and GE0/1 bundled into Port-channel 1.

! create port channel group using ID of 1
interface Port-channel1
no ip address
hold-queue 150 in

! port-channel sub-interface from port channel 1
interface Port-channel1.10
! enable VLAN tag 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0

! physical interface
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
! put physical interface into port channel1
channel-group 1

! create sub-interface from physical interface
interface GigabitEthernet0/0.10
! put the sub-interface into port channel 1 (it belongs to Port-channel1.10)
channel-group 1

! physical interface
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
! put physical interface into port channel1
channel-group 1

! create sub-interface from physical interface
interface GigabitEthernet0/1.10
! put the sub-interface into port channel 1 (it belongs to Port-channel1.10)
channel-group 1

PORT CHANNEL ON CISCO 2900/3500XL SWITCHES

Topology: SW1 and SW2 joined by an L2 port channel over Fa0/1-2.

* for Catalyst 2900XL/3500XL switches ; older IOS

>>SW1<<
interface fastethernet 0/1
! creates and associate interface to port-channel group 1
port group 1
! L2 trunking configuration
switchport trunk encapsulation dot1q
switchport mode trunk

interface fastethernet 0/2
! associates interface to port-channel group 1
port group 1
! L2 trunking configuration
switchport trunk encapsulation dot1q
switchport mode trunk

PORT MONITOR

PORT MONITOR

Topology: the server and the firewall are connected on Gi0/1 and Gi0/2 (the monitored ports); the packet capture computer (e.g. Wireshark) is on Gi0/24.

! specify the interface(s) we want to capture traffic from
monitor session 1 source interface Gi0/1 - 2

! specify the interface where all traffic from the interface(s) listed above will be sent to
monitor session 1 destination interface Gi0/24

RSPAN

Topology: two servers on the Access switch (Gi0/2, Gi0/3) are the capture sources; RSPAN VLAN 200 rides the 802.1Q trunk (Gi0/1 on both switches) to the Core switch, where the sniffer is on Gi0/7.

* RSPAN allows capturing traffic from ports connected on another switch.

>>AS01TRA<< Source

! add VLAN used for RSPAN
! make sure to use a VLAN below 1005
vlan 200
remote span

! make sure trunking is enabled on all switches and allowing VLAN 200
interface GigabitEthernet 0/1
description TO: CS01TRA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk

! specify interfaces that we want to capture traffic from.
! Let's say we have servers connected to ports 2 and 3.
monitor session 1 source interface gigabitethernet0/2
monitor session 1 source interface gigabitethernet0/3
! specify the RSPAN VLAN that we will send traffic to from ports 2 and 3 defined above
monitor session 1 destination remote vlan 200

>>CS01TRA<< Destination

! add VLAN used for RSPAN
! make sure to use a VLAN below 1005
vlan 200
remote span

! make sure trunking is enabled on all switches and allowing VLAN 200
interface GigabitEthernet 0/1
description TO: AS01TRA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk

! specify source RSPAN VLAN where traffic has been captured, so far, from
! ports 2 and 3 off of AS01TRA
monitor session 1 source remote vlan 200
! specify the switch port that our network sniffer is connected to, which will be port 7
monitor session 1 destination interface gigabitethernet0/7

STORM CONTROL

BROADCAST SUPPRESSION

! limits broadcast traffic to no more than 20% of the interface’s bandwidth
interface GigabitEthernet0/2
storm-control broadcast level 20.00

UDLD

UDLD AGGRESSIVE

>>SW1<<
! enables UDLD (aggressive mode) which must be configured the same on the other side
interface GigabitEthernet0/1
udld port aggressive

>>SW2<<
! enables UDLD (aggressive mode) which must be configured the same on the other side
interface GigabitEthernet0/1
udld port aggressive

PORT SECURITY

PORT SECURITY USING MAXIMUM VALUE

! enables interface for port security and restrict no more than 5 connected devices
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security maximum 5
switchport port-security aging time 20

PORT SECURITY USING MAC ADDRESS

! enables interface for port security for only a connected device with MAC address 0014.1cc1.0e00
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security aging type inactivity
! define MAC address that can connect to this switch port
switchport port-security mac-address 0014.1cc1.0e00
switchport port-security aging time 20

OTHER VENDOR CONFIGURATIONS

L2 PORT CHANNEL BETWEEN CISCO AND NETGEAR

Topology: Cisco Gi0/1-2 and Netgear 1/0/1-2 form L2 port channel group 1, carrying VLANs 10-11 over 802.1q.

>> CISCO SWITCH <<

! L2 port channel created using ID 1
interface Port-channel1
! L2 configuration enabling 802.1q (VLAN tagging)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-11
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

! L2 physical interface #1
interface GigabitEthernet0/1
! L2 configuration enabling 802.1q (VLAN tagging)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-11
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
! enable LACP
channel-protocol lacp
! add interface to Port channel group 1 in passive mode
channel-group 1 mode passive

! L2 physical interface #2
interface GigabitEthernet0/2
! L2 configuration enabling 802.1q (VLAN tagging)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-11
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
! enable LACP
channel-protocol lacp
! add interface to Port channel group 1 in passive mode
channel-group 1 mode passive

>> NETGEAR SWITCH <<

! create VLAN 10-11
vlan database
vlan 10
vlan 11

! configure Port Channel (LAG)
port-channel Stack 1
! specify physical interface added to LAG
interface 1/0/1
! LAG will use group 1
addport 0/1/1

! specify physical interface added to LAG
interface 1/0/2
! LAG will use group 1
addport 0/1/1
exit

! create LAG interface for port channel group 1
interface lag 1
description 'Stack 1'
! enable 802.1Q by specifying the VLAN tags
vlan participation include 10
vlan tagging 10
vlan participation include 11
vlan tagging 11
exit

! physical interface on Netgear switch
interface 1/0/1
! enable 802.1Q by specifying the VLAN tags
vlan participation include 10
vlan tagging 10
vlan participation include 11
vlan tagging 11
exit

! physical interface on Netgear switch
interface 1/0/2
! enable 802.1Q by specifying the VLAN tags
vlan participation include 10
vlan tagging 10
vlan participation include 11
vlan tagging 11
exit

802.1Q BETWEEN CISCO AND EXTREME

Topology: Cisco switch Gi0/1 trunks VLANs 10-11 (802.1Q) to port 1:5 on the Extreme Summit.

>> CISCO SWITCH <<

interface GigabitEthernet0/1
! L2 configuration enabling 802.1q (VLAN tagging)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-11
switchport mode trunk

>> EXTREME SUMMIT 400-48T SWITCH <<

! LAN VLAN added to port 1:5 which will be configured as a trunk interface
configure vlan RHG-LAN add ports 1:5 tagged
! GUEST VLAN added to port 1:5 which will be configured as a trunk interface
configure vlan RHG-GUEST add ports 1:5 tagged

! specify VLAN tag for LAN VLAN created
configure vlan RHG-LAN tag 10
! specify VLAN tag for GUEST VLAN created
configure vlan RHG-GUEST tag 11

SONICPOINT CISCO SWITCH PORT

Topology: the switch trunks VLANs 10 and 20 (802.1q) both toward the SonicWALL and to the SonicPoint AP.

! VLAN for Public Wireless
vlan 10
name RHG-VLAN-PUBLIC

! VLAN for Private Wireless
vlan 20
name RHG-VLAN-PRIVATE

! uplink interface to another switch (e.g. Core)
interface FastEthernet0/1
! enable 802.1Q encapsulation
switchport trunk encapsulation dot1q
! VLAN tags allowed (public & private wireless)
switchport trunk allowed vlan 10,20
! enable interface as a trunk
switchport mode trunk
switchport nonegotiate

! interface connected to SonicPoint AP
interface FastEthernet0/4
! enable 802.1Q encapsulation
switchport trunk encapsulation dot1q
! untagged VLAN (public wireless)
switchport trunk native vlan 10
! VLAN tags allowed (public & private wireless)
switchport trunk allowed vlan 10,20
! enable interface as a trunk
switchport mode trunk
switchport nonegotiate

VOICE SWITCH PORT USING NEC PHONE SYSTEM

Topology: NEC phone system (connected to the PSTN) on voice VLAN 20; the IP phone and the desktop share one switch port that carries the voice VLAN (20, 802.1q tagged) and the data VLAN (10).

Data VLAN: 10
Voice VLAN: 20

interface GigabitEthernet5/14
description DTOP and IPPHONE PORT
! enable 802.1Q
switchport trunk encapsulation dot1q
! set native VLAN for any non-802.1Q device into the data VLAN
switchport trunk native vlan 10
! allow data and voice VLAN
switchport trunk allowed vlan 10,20
! enable Trunk mode
switchport mode trunk
! spanning tree best practice configuration
! (the "trunk" keyword is required: plain "spanning-tree portfast" has no effect on a trunk port)
spanning-tree portfast trunk
spanning-tree bpduguard enable

JUMBO FRAMES

JUMBO FRAMES ON CISCO CATALYST SWITCHES

! enabled globally for 10/100 ports
system mtu 1998

! enabled globally for 1G ports
system mtu jumbo 9000

SWITCHING SERVICES

DHCP SNOOPING

[Diagram: CORE switch connected to the ACCESS switch uplink Gi0/1]

>>ACCESS<<
! do not insert the DHCP relay agent information option (option 82) into snooped requests
no ip dhcp snooping information option

! define what VLANs will be enabled for DHCP snooping
ip dhcp snooping vlan 10-11
! enable DHCP snooping
ip dhcp snooping

! uplink interface to Core or Aggregation switch
interface GigabitEthernet0/1
! rate-limit DHCP packets received on the interface (packets per second)
ip dhcp snooping limit rate 100
! trust the uplink: DHCP server messages (OFFER/ACK) are accepted only on trusted interfaces,
! every other port stays untrusted so a rogue DHCP server on an access port is blocked
ip dhcp snooping trust

DYNAMIC ARP INSPECTION (DAI)

[Diagram: CORE switch connected to the ACCESS switch uplink Gi0/1]

>>ACCESS<<
! define what VLANs will be enabled for Dynamic ARP inspection
! (DAI validates ARP against the DHCP snooping binding table, so snooping must be enabled on the same VLANs)
ip arp inspection vlan 10-11

! uplink interface to Core or Aggregation switch
interface GigabitEthernet0/1
! rate-limit ARP packets received on the interface (packets per second)
ip arp inspection limit rate 100
! trust the uplink so ARP from the Core is not inspected; every other port stays untrusted
ip arp inspection trust

IP SOURCE GUARD

[Diagram: CORE switch connected to the ACCESS switch uplink Gi0/1]

interface GigabitEthernet0/1
! enable IP source guard: only traffic matching a DHCP snooping (or static) binding is forwarded
! (apply it on untrusted host-facing ports; a trusted uplink has no bindings and would drop transit traffic)
ip verify source
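As an added example (not part of the RouteHub guide), the following Python script audits an access-switch configuration excerpt against the DHCP snooping, DAI and IP Source Guard design above: the uplink must be the only trusted port, DAI must not cover VLANs that lack DHCP snooping, and IP Source Guard belongs on host-facing ports. The configuration it parses is constructed for the example, and the assumption that trunk ports are the uplinks is the script's, not the guide's.

```python
"""Audit DHCP snooping, DAI and IP Source Guard on a Catalyst access switch config.
Constructed example (not from the guide); assumes trunk ports are uplinks and access ports face hosts.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ACCESS switch above, with two deliberate deviations:
# DAI also covers VLAN 12 (no snooping there) and host port Fa0/2 is trusted.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10-11
ip dhcp snooping
ip arp inspection vlan 10-12
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
interface FastEthernet0/1
 switchport mode access
 ip verify source
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10-11,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

@dataclass
class Port:
    name: str
    mode: str = ""              # 'trunk' (uplink) or 'access' (host-facing)
    dhcp_trust: bool = False
    arp_trust: bool = False
    ipsg: bool = False

def parse_config(text):
    """Return (global settings, {ifname: Port}) parsed from the excerpt."""
    glob = {"snooping": False, "snoop_vlans": set(), "dai_vlans": set()}
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():            # unindented: global configuration mode
            cur = None
            if line.startswith("interface "):
                cur = Port(line.split(None, 1)[1])
                ports[cur.name] = cur
            elif line == "ip dhcp snooping":
                glob["snooping"] = True
            elif m := re.match(r"ip dhcp snooping vlan (\S+)$", line):
                glob["snoop_vlans"] |= expand_vlans(m.group(1))
            elif m := re.match(r"ip arp inspection vlan (\S+)$", line):
                glob["dai_vlans"] |= expand_vlans(m.group(1))
        elif cur is not None:               # indented: interface sub-command
            if m := re.match(r"switchport mode (trunk|access)$", line):
                cur.mode = m.group(1)
            elif line == "ip dhcp snooping trust":
                cur.dhcp_trust = True
            elif line == "ip arp inspection trust":
                cur.arp_trust = True
            elif line == "ip verify source":
                cur.ipsg = True
    return glob, ports

def audit(text):
    """Return findings; an empty list means the excerpt matches the design above."""
    glob, ports = parse_config(text)
    findings = []
    if not glob["snooping"]:
        findings.append("DHCP snooping is not enabled globally")
    # DAI validates ARP against the DHCP snooping binding table: no snooping, no bindings
    orphan = glob["dai_vlans"] - glob["snoop_vlans"]
    if orphan:
        findings.append(f"DAI on VLANs without DHCP snooping: {sorted(orphan)}")
    for p in ports.values():
        if p.mode == "trunk":               # uplink: trusted, no IPSG
            if not p.dhcp_trust:
                findings.append(f"{p.name}: uplink untrusted, DHCP OFFER/ACK from the server dropped")
            if not p.arp_trust:
                findings.append(f"{p.name}: uplink untrusted for DAI, upstream ARP dropped")
            if p.ipsg:
                findings.append(f"{p.name}: ip verify source on the uplink blocks transit traffic")
        elif p.mode == "access":            # host port: untrusted, bindings enforced
            if p.dhcp_trust:
                findings.append(f"{p.name}: trusted host port, a rogue DHCP server is not blocked")
            if p.arp_trust:
                findings.append(f"{p.name}: trusted host port, ARP spoofing is not inspected")
            if not p.ipsg:
                findings.append(f"{p.name}: host port without ip verify source")
    return findings
```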

FLEXLINK

[Diagram: ACCESS switch with Gi0/1 to core switch CS01 and Gi0/2 to core switch CS02]

! primary interface to Core switch
interface gigabitethernet 0/1
! define backup interface to Core switch
switchport backup interface gigabitethernet 0/2

! view primary and backup interface status
show interfaces switchport backup

BRIDGING

INTEGRATED ROUTING & BRIDGING (IRB)

! enable IRB
bridge irb

! configure bridge group 10
bridge 10 protocol ieee
! enable bridge group 10 for routing (used with IRB)
bridge 10 route ip

! interface assigned to VLAN 10
interface FastEthernet1
switchport access vlan 10

! VLAN SVI interface added to bridge group
interface Vlan10
no ip address
bridge-group 10
bridge-group 10 spanning-disabled

! IRB interface for bridge group with IP configured
interface BVI10
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp

MULTICAST

MULTICAST (p. 71)
  General (p. 72)
    IGMP Snooping (p. 72)
    CGMP (p. 72)
  Multicast Routing (p. 73)
    PIM Sparse Mode (p. 73)
  RP Management (p. 74)
    Static RP (p. 74)
    Auto-RP (p. 75)
  MSDP (p. 76)
    MSDP (p. 76)
    MSDP and MBGP (External Design) (p. 77)
    Redundancy using MSDP and Anycast (Internal Design) (p. 78)
  Other Multicast Configuration (p. 81)
    SPT Threshold Infinity (p. 81)
    PIM Query Interval (p. 81)
  Security (p. 82)
    Rogue Source Protection (p. 82)
    Rogue Source Protection for Auto-RP (p. 82)
    IGMP Group Security (On Routers) (p. 82)
    IGMP Filter (On Switches) (p. 83)
    RP Multicast Group Registration Protection (p. 83)
    Multicast Boundary Protection (p. 83)
  Monitor (p. 84)
    Monitor (p. 84)

GENERAL

IGMP SNOOPING

! enables IGMP snooping globally on L2/L3 switches
ip igmp snooping

CGMP

interface fastethernet0/1
! enable CGMP on the interface (the router acts as the CGMP server for attached Catalyst switches)
ip cgmp

show cgmp

MULTICAST ROUTING

PIM SPARSE MODE

[Diagram: LEAF router (Lo0 2.2.2.2, .2) and RP router (Lo0 1.1.1.1, .1) on 10.1.2.0/24]

>> RP ROUTER <<
! enable multicast routing
ip multicast-routing

interface Loopback0
! IP used for the RP on the network
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface GigabitEthernet0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! specify location of the RP router on the network (which is itself)
ip pim rp-address 1.1.1.1

>> LEAF ROUTER (R2) <<
! enable multicast routing
ip multicast-routing

interface Loopback0
ip address 2.2.2.2 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface GigabitEthernet0/2
no switchport
ip address 10.1.2.2 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! specify location of the RP router on the network
ip pim rp-address 1.1.1.1

RP MANAGEMENT

STATIC RP

[Diagram: LEAF router (Lo0 2.2.2.2, .2) and RP router (Lo0 1.1.1.1, .1) on 10.1.2.0/24]

>> RP ROUTER <<
! enable multicast routing
ip multicast-routing

interface Loopback0
! IP used for the RP on the network
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface GigabitEthernet0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! specify location of the RP router on the network (which is itself)
ip pim rp-address 1.1.1.1

>> LEAF ROUTER (R2) <<
! enable multicast routing
ip multicast-routing

interface Loopback0
ip address 2.2.2.2 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface GigabitEthernet0/2
no switchport
ip address 10.1.2.2 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! specify location of the RP router on the network
ip pim rp-address 1.1.1.1

AUTO-RP

[Diagram: LEAF router (Lo0 2.2.2.2, .2) and RP router (Lo0 1.1.1.1, .1) on 10.1.2.0/24]

>> RP ROUTER <<
! enable multicast routing
ip multicast-routing

interface Loopback0
! IP used for the RP on the network
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse-Dense mode on L3 interfaces
ip pim sparse-dense-mode

interface GigabitEthernet0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse-Dense mode on L3 interfaces: the Auto-RP groups 224.0.1.39 and 224.0.1.40
! are flooded in dense mode, so a sparse-only interface (without "ip pim autorp listener") would not carry them
ip pim sparse-dense-mode

! multicast groups that will be announced through Auto-RP
access-list 1 permit 239.192.240.0 0.0.0.255

! configures Auto-RP and associates the ACL for what multicast groups it will announce
! IP for Auto-RP will be the IP from the Loopback0 interface
ip pim send-rp-announce Loopback0 scope 16 group-list 1
! this router also acts as the Auto-RP mapping agent
ip pim send-rp-discovery Loopback0 scope 16

MSDP

MSDP

[Diagram: R1 (Lo0 172.16.1.1, WAN 1.1.1.1, LAN 192.168.10.0/24) and R2 (Lo0 172.16.2.1, WAN 2.2.2.2, LAN 192.168.20.0/24) peering over the Internet]

>> R1 <<
! enable multicast routing
ip multicast-routing

interface Loopback0
! IP used for the RP on this multicast domain
ip address 172.16.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! WAN facing interface
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0

! specify location of the RP router on the network (which is itself)
ip pim rp-address 172.16.1.1

! specify MSDP peer using the Loopback0 interface pointing to remote multicast domain (RP)
ip msdp peer 172.16.2.1 connect-source Loopback0
ip msdp description 172.16.2.1 Connecting to remote RP router

! create SA state entries on the router
ip msdp cache-sa-state
! use the Loopback0 address as the RP address in Source-Active messages this router originates
ip msdp originator-id Loopback0

MSDP AND MBGP (EXTERNAL DESIGN)

[Diagram: ASN 6778 (R2 2.2.2.2 .2 -- 10.1.2.0/24 -- .1 R1 1.1.1.1, RP for domain 1) connected over 10.1.3.0/24 (.1 / .3) to the ISP's RP 3.3.3.3 in ASN 1 (domain 2); LAN prefixes shown: 10.1.1.0/24, 10.2.1.0/24, 192.168.30.0/24]

FOR ADDITIONAL MULTICAST SECURITY: GO TO "SECURITY"

>> R1 <<
! enable multicast routing
ip multicast-routing

interface Loopback0
! IP used for the RP on this multicast domain
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! specify location of the RP router on the network (which is itself)
ip pim rp-address 1.1.1.1

! specify MSDP peer using the Loopback0 interface pointing to the ISP's RP router
ip msdp peer 3.3.3.3 connect-source Loopback0
ip msdp description 3.3.3.3 ISP RP ROUTER

! create SA state entries on the router
ip msdp cache-sa-state
! use the Loopback0 address as the RP address in Source-Active messages this router originates
ip msdp originator-id Loopback0

! enable BGP routing process in ASN 6778
router bgp 6778
! specify eBGP peer (the ISP) located in ASN 1
neighbor 10.1.3.3 remote-as 1

! enable MP-BGP process for IPv4 Unicast
address-family ipv4
neighbor 10.1.3.3 activate
exit-address-family

! enable MP-BGP process for IPv4 Multicast (carries the RPF information used for inter-domain multicast)
address-family ipv4 multicast
neighbor 10.1.3.3 activate
no auto-summary
exit-address-family

REDUNDANCY USING MSDP AND ANYCAST (INTERNAL DESIGN)

[Diagram: CORE1 (Lo0 1.1.1.1, .1, secondary) and CORE2 (Lo0 2.2.2.2, .2, primary) on 10.1.2.0/24; both carry the Anycast RP address Lo9 1.0.0.1]

NOTES: THIS IS CONFIGURED ON THE LAN CORE

FOR ADDITIONAL MULTICAST SECURITY: GO TO "SECURITY"

>> CORE1 <<
! enable multicast routing
ip multicast-routing distributed

interface Loopback0
! IP used for MSDP peering between devices (secondary MSDP peer)
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface Loopback9
! Anycast IP used for the RP on the PIM Sparse mode network
ip address 1.0.0.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface GigabitEthernet1/0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! ACL for multicast groups that can register with the RP
ip access-list standard ROUTEHUB-ACL-MCAST
permit 239.0.0.0 0.255.255.255

! specify location of the RP using the Anycast IP
ip pim rp-address 1.0.0.1 ROUTEHUB-ACL-MCAST override

! specify MSDP peer using the Loopback0 interface pointing to CORE2 (primary MSDP peer)
ip msdp peer 2.2.2.2 connect-source Loopback0
ip msdp description 2.2.2.2 routehub-csr02

! create SA state entries on the router
ip msdp cache-sa-state
! originate Source-Active messages with the unique Loopback0 address, not the shared Anycast address
ip msdp originator-id Loopback0
! TTL threshold for multicast data encapsulated in SA messages sent to the peer
! (the address must be the configured MSDP peer, 2.2.2.2)
ip msdp ttl-threshold 2.2.2.2 32

! extended ACL for the SA filter: <source> <group> pairs advertised to the peer (any source, groups in 239/8)
access-list 100 permit ip any 239.0.0.0 0.255.255.255
! only advertise Source-Active entries matching ACL 100 to CORE2
ip msdp sa-filter out 2.2.2.2 list 100

>> CORE2 <<
! enable multicast routing
ip multicast-routing distributed

interface Loopback0
! IP used for MSDP peering between devices (primary MSDP peer)
ip address 2.2.2.2 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface Loopback9
! Anycast IP used for the RP on the PIM Sparse mode network
ip address 1.0.0.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface GigabitEthernet1/0/1
description CORE1
no switchport
ip address 10.1.2.2 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

interface GigabitEthernet1/0/2
description WAN-ROUTER
no switchport
ip address 10.1.3.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode

! ACL for multicast groups that can register with the RP
ip access-list standard ROUTEHUB-ACL-MCAST
permit 239.0.0.0 0.255.255.255

! specify location of the RP using the Anycast IP
ip pim rp-address 1.0.0.1 ROUTEHUB-ACL-MCAST override

! specify MSDP peer using the Loopback0 interface pointing to CORE1 (secondary MSDP peer)
ip msdp peer 1.1.1.1 connect-source Loopback0
ip msdp description 1.1.1.1 routehub-csr01

! create SA state entries on the router
ip msdp cache-sa-state
! originate Source-Active messages with the unique Loopback0 address, not the shared Anycast address
ip msdp originator-id Loopback0
! TTL threshold for multicast data encapsulated in SA messages sent to the peer
! (the address must be the configured MSDP peer, 1.1.1.1)
ip msdp ttl-threshold 1.1.1.1 32

! extended ACL for the SA filter: <source> <group> pairs advertised to the peer (any source, groups in 239/8)
access-list 100 permit ip any 239.0.0.0 0.255.255.255
! only advertise Source-Active entries matching ACL 100 to CORE1
ip msdp sa-filter out 1.1.1.1 list 100

>> OTHER ROUTERS & L3 SWITCHES <<

! Example: multicast configuration for WAN routers and other L3 spokes
hostname WAN-ROUTER

ip multicast-routing

interface loopback 0
description "network-mgmt"
ip address 3.3.3.3 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode

interface Gig Ethernet3/1
description CORE2
ip address 10.1.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode

interface Serial0/0.1 point-to-point
description WAN CLOUD
ip address 10.250.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode

ip access-list standard ROUTEHUB-ACL-MCAST
permit 239.0.0.0 0.255.255.255

ip pim rp-address 1.0.0.1 ROUTEHUB-ACL-MCAST override

OTHER MULTICAST CONFIGURATION

SPT THRESHOLD INFINITY

! Reduces multicast (S,G) state on leaf routers by keeping traffic on the shared tree (never switching to the shortest-path tree)
ip pim spt-threshold infinity

PIM QUERY INTERVAL

! configure frequency of PIM Router Query (hello) messages
! configure interval to recommended value of 1 min (60 seconds)
interface FastEthernet0/0
ip pim query-interval 60

SECURITY

[Diagram: CS01 (1.1.1.1) with Vlan10 192.168.10.0/24 (.1; member host .10 behind access switch AS01 via GE0/1), Vlan20 192.168.20.0/24 (.1; multicast source SF-AS01 sending to group 239.192.240.10) and Vlan30 192.168.30.0/24 toward the Internet]

ROGUE SOURCE PROTECTION

Notes: This is configured on the RP router

! ACL listing the permitted multicast source network and the multicast groups it may register
ip access-list extended permitted-ucast-sources
permit ip 192.168.20.0 0.0.0.255 224.0.0.0 15.255.255.255

! associates the ACL "permitted-ucast-sources" specifying what multicast sources are permitted to register
! with the RP router (PIM Register messages from any other source are rejected)
ip pim accept-register list permitted-ucast-sources

ROGUE SOURCE PROTECTION FOR AUTO-RP

Notes: This is configured on the RP router

! configure ACL to specify valid RP routers
access-list 10 permit 1.1.1.1

! configure ACL to specify valid multicast groups that RPs can advertise
access-list 11 permit 239.192.240.10

! associates ACL 10 and 11 for Auto-RP announcements & advertisement
ip pim rp-announce-filter rp-list 10 group-list 11

IGMP GROUP SECURITY (ON ROUTERS)

Notes: This is configured on multicast routers with connected hosts that could join a multicast group

! configure ACL to specify the IP addresses of trusted multicast groups
access-list 10 permit 239.192.240.10

interface Vlan10
ip address 192.168.10.1 255.255.255.0
! associates ACL 10 under the LAN interface specifying what multicast groups members can join
ip igmp access-group 10

IGMP FILTER (ON SWITCHES)

>> AS01 <<
! standard ACL listing multicast groups permitted into switch
access-list 1 permit 239.192.0.0 0.59.255.255

interface GigabitEthernet0/1
description TO: R1
! IGMP filter using ACL 1 associated to uplink/downlink on switch port
ip igmp filter 1

RP MULTICAST GROUP REGISTRATION PROTECTION

! ACL for which multicast groups can register with the RP
ip access-list standard ROUTEHUB-ACL-MCAST
permit 224.0.0.0 15.255.255.255

! specify location of the RP router and what multicast groups can register with the RP
ip pim rp-address 1.1.1.1 ROUTEHUB-ACL-MCAST override

MULTICAST BOUNDARY PROTECTION

! ACL for the multicast boundary: groups matched by "deny" are blocked at the interface, groups matched
! by "permit" may cross it; deny all groups so nothing leaves or enters the local PIM domain here
ip access-list standard pim-local-domain
deny 224.0.0.0 15.255.255.255

interface Vlan30
ip address 192.168.30.1 255.255.255.0
! filter multicast traffic so it is not transmitted or received beyond this interface
! do not send or accept PIM bootstrap (BSR) messages across this interface
ip pim bsr-border
! drop multicast data and control for the groups denied by the ACL crossing this interface (domain boundary)
ip multicast boundary pim-local-domain
! only forward multicast packets whose TTL is greater than 32
ip multicast ttl-threshold 32
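The ACLs in this section all rely on IOS wildcard-mask matching, so as an added example (not from the guide) here is a small Python evaluator that applies the guide's own entries: the IGMP filter entry `239.192.0.0 0.59.255.255` (a non-contiguous mask, which admits a different set of groups than 239.192.0.0/10 would), the `224.0.0.0 15.255.255.255` group ACL, and the extended accept-register entry. The addresses it is exercised with are constructed.

```python
"""Evaluate IOS wildcard masks the way the multicast ACLs in this section are matched.

Added example, not from the guide. In a wildcard mask a 1 bit means "ignore this bit",
so non-contiguous masks are legal and the matched set is not always a prefix.
"""
from ipaddress import IPv4Address, IPv4Network


def _int(dotted):
    return int(IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True if addr matches the ACL entry 'base wildcard' (only the 0 bits are compared)."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & care) == (_int(base) & care)


def prefix_equivalent(base, wildcard):
    """Return the IPv4Network this entry equals, or None if the mask is non-contiguous."""
    w = _int(wildcard)
    if w & (w + 1):                       # the 1 bits are not a single low-order run
        return None
    prefixlen = 32 - (w + 1).bit_length() + 1
    return IPv4Network((_int(base) & ~w & 0xFFFFFFFF, prefixlen))


def matching_octet_values(base_octet, wild_octet):
    """Every value one octet can take and still match (base_octet, wild_octet)."""
    care = 0xFF ^ wild_octet
    return [v for v in range(256) if (v & care) == (base_octet & care)]


# Standard ACL entries as (action, base, wildcard): first match wins, implicit deny at the end.
IGMP_FILTER_ACL = [("permit", "239.192.0.0", "0.59.255.255")]     # access-list 1 on AS01
RP_GROUP_ACL = [("permit", "224.0.0.0", "15.255.255.255")]        # ROUTEHUB-ACL-MCAST


def standard_acl_permits(entries, address):
    """Apply a standard ACL to a (group) address."""
    for action, base, wildcard in entries:
        if wildcard_match(address, base, wildcard):
            return action == "permit"
    return False


# Extended 'permit ip <source> <group>' entry as used by 'ip pim accept-register list'.
ACCEPT_REGISTER_ACL = [("permit", "192.168.20.0", "0.0.0.255", "224.0.0.0", "15.255.255.255")]


def register_permitted(source, group, entries=ACCEPT_REGISTER_ACL):
    """Would the RP accept a PIM Register for (source, group) under the accept-register ACL?"""
    for action, sb, sw, gb, gw in entries:
        if wildcard_match(source, sb, sw) and wildcard_match(group, gb, gw):
            return action == "permit"
    return False
```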

MONITOR

MONITOR

show ip mroute
show ip mroute count
show ip mroute <multicast-address> count
show ip mroute active
show ip igmp group
show ip pim neighbor
show ip pim rp
show ip pim interface vlan3
show multicast protocol status
show ip igmp interface vlan3
show igmp groupinfo <vlan> <mac-address>
show multicast router
show multicast group <mac-address>
show cam static <vlan>
show ip igmp group
show mls ip multicast group <multicast-address>
show mls multicast entry
show mls multicast statistics

QUALITY OF SERVICE (QOS)

QUALITY OF SERVICE (QOS) (p. 85)
  General (p. 85)
    Enabling QoS on L2/L3 Switches (p. 85)
  Classification and Marking (p. 86)
    Classification using ACLs (p. 86)
    Classification using NBAR (p. 86)
    Classification using DSCP (p. 86)
  Policing (p. 87)
    Policing using MQC (p. 87)
    Policing using MQC (Bi-Directional) (p. 87)
    CAR (p. 88)
    OC-3 Shaping (p. 88)
    Control Plane Policing (CoPP) (p. 88)
  Queuing and Dropping (p. 90)
    AutoQoS for IP Phone+Desktop Ports (p. 90)
    AutoQoS for Uplink/Downlink Ports (p. 90)
    LLQ (p. 90)
    CBWFQ (p. 91)
    WRED (p. 91)
    WRED (DSCP-Based) (p. 91)
  Link Efficiencies (p. 92)
    FRTS and FRF.12 (p. 92)
    LFI (p. 93)
    Compression using cRTP (p. 93)
    Max Reserve Bandwidth (p. 94)
  Monitor (p. 95)
    Monitor (p. 95)

GENERAL

ENABLING QOS ON L2/L3 SWITCHES

! enable QoS on L2/L3 switches
mls qos

CLASSIFICATION AND MARKING

CLASSIFICATION USING ACLS

! ACL listing traffic (e.g. HTTP traffic)
ip access-list extended RHG-ACL-DATA-BRONZE
permit tcp any any eq www

! ACL associated to QoS class map for classifying traffic
class-map match-all RHG-CLASS-DATA-BRONZE
match access-group name RHG-ACL-DATA-BRONZE

! configure QoS policy called “RHG-POL”
policy-map RHG-POL
! associate QoS class to the QoS policy
class RHG-CLASS-DATA-BRONZE
! mark all data packets classified to DSCP AF11
set ip dscp af11

CLASSIFICATION USING NBAR

! custom NBAR port map for RDP traffic (TCP/3389)
ip nbar port-map custom-01 tcp 3389

! class-map for traffic to classify using NBAR
class-map match-any RHG-CLASS-DATA-SILVER
! classify FTP traffic
match protocol ftp
! classify RDP traffic based on custom NBAR port map
match protocol custom-01

! configure QoS policy called “RHG-POL”
policy-map RHG-POL
! associate QoS class to the QoS policy (the SILVER class-map defined above)
class RHG-CLASS-DATA-SILVER
! mark all data packets classified to DSCP AF21
set ip dscp af21

CLASSIFICATION USING DSCP

! class-map for voice RTP traffic using DSCP EF
class-map match-all RHG-CLASS-VOICE-RTP
match ip dscp ef

POLICING

POLICING USING MQC

[Diagram: router interface .1 (1.1.1.1) between 192.168.10.0/24 and 6.7.7.0/24]

! ACL listing traffic (e.g. ICMP traffic)
ip access-list extended RHG-ACL-ICMP
permit icmp any any

! ACL associated to QoS class map for classifying all ICMP traffic
class-map match-any RHG-CLASS-ICMP
match access-group name RHG-ACL-ICMP

! configure QoS policy called “RHG-POL”
policy-map RHG-POL
! associate QoS class to the QoS policy (the class name must match the class-map above)
class RHG-CLASS-ICMP
! police all ICMP traffic to 64 kbps (8000-byte normal burst); everything that exceeds that is dropped
police 64000 8000 exceed-action drop

interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
! associate QoS policy “inbound” to the WAN facing interface
service-policy input RHG-POL

POLICING USING MQC (BI-DIRECTIONAL)

Rate-limit a connection to 500 kbps (e.g. for asymmetric connections such as broadband)

! police all traffic to 500 kbps in both directions
policy-map RHG-POL-POLICE
class class-default
police rate 500000
conform-action transmit
exceed-action drop

interface FastEthernet0/0
! the same policy applied inbound (download) and outbound (upload)
service-policy input RHG-POL-POLICE
service-policy output RHG-POL-POLICE

>>Speakeasy Speed Tests:<<
Download Speed: 488 kbps (61 KB/sec transfer rate) ; input
Upload Speed: 431 kbps (53.9 KB/sec transfer rate) ; output

>> Monitor Command(s):<<
show policy-map interface fastEthernet 0/0

CAR

* CAR (Committed Access Rate) is a legacy command.
* Recommended to use policing under the MQC instead.

! create ACL to define traffic to rate limit
access-list 101 permit icmp any any

interface POS4/0
! rate limit all ICMP traffic to 2 Mbps (with some bursting allowed: 512000-byte normal burst, 786000-byte extended burst)
rate-limit input access-group 101 2000000 512000 786000 conform-action transmit exceed-action drop

OC-3 SHAPING

* applied on OC-3 interface with no sub-interfaces configured

! Traffic Shaping for OC-3 (implemented here as a policer at the OC-3 payload rate of 149.76 Mbps)
policy-map RHG-OC3-TS-POLICY
class class-default
police cir 149760000 bc 74880 be 74880 conform-action transmit exceed-action drop

CONTROL PLANE POLICING (COPP)

! define ACL of system protocols that we want to rate limit
ip access-list extended coppacl-mon
remark ICMP rate limiting on control-plane
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply
permit icmp any any echo

! associate ACL to a class map group
class-map match-all coppclass-mon
match access-group name coppacl-mon

! create CoPP policy
policy-map copp-policy
! associate class map with our listed control protocols to this policy
class coppclass-mon
! rate limit ICMP to the control plane to 1.5 kbps (1500 bps, 1500-byte burst)
police 1500 1500 conform-action transmit exceed-action drop
class class-default
! all other control-plane traffic not specified is limited to 125 kbps (125000 bps) with bursts up to ~4 KB (3906 bytes)
police 125000 3906 3906 conform-action transmit exceed-action drop

! apply policy to control plane interface
control-plane
service-policy input copp-policy

QUEUING AND DROPPING

AUTOQOS FOR IP PHONE+DESKTOP PORTS

! enable QoS on L2/L3 switches
mls qos

! connected to IP phone and desktop
interface FastEthernet0/7
! VLAN assignment for Data VLAN used by desktop
switchport access vlan 100
switchport mode access
! VLAN assignment for Voice VLAN used by IP Phone
switchport voice vlan 200
! Auto-QoS applied using IP Phone + Desktop QoS profile
auto qos voip cisco-phone

AUTOQOS FOR UPLINK/DOWNLINK PORTS

! enable QoS on L2/L3 switches
mls qos

! uplink/downlink interface connected to Access, Distribution, or Core device
interface GigabitEthernet0/1
! 802.1q interface tagged for Data and Voice VLANs
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
switchport mode trunk
! apply AutoQoS to Trust all previous QoS markings in IP packets
auto qos voip trust

LLQ

! class-map for voice RTP traffic using DSCP EF
class-map match-all RHG-CLASS-VOICE-RTP
match ip dscp ef

! QoS policy
policy-map RHG-POLICY
! associate class-map for Voice RTP traffic
class RHG-CLASS-VOICE-RTP
! LLQ providing 33% of priority bandwidth for Voice RTP traffic
priority percent 33

! QoS policy applied to WAN facing interface (outbound)
interface Multilink1
service-policy output RHG-POLICY

CBWFQ

! class-map for Call Signaling traffic using either DSCP AF31 or CS3
class-map match-any RHG-CLASS-VOICE-CONTROL
match ip dscp af31
match ip dscp cs3

! QoS policy
policy-map RHG-POLICY
! associate class-map for Call Signaling traffic
class RHG-CLASS-VOICE-CONTROL
! CBWFQ providing 5% of bandwidth for Call Signaling traffic
bandwidth percent 5

! QoS policy applied to WAN facing interface (outbound)
interface Multilink1
service-policy output RHG-POLICY

WRED

! QoS policy
policy-map RHG-POLICY
class class-default
! enable WRED
random-detect

WRED (DSCP-BASED)

! class-map for critical data (e.g. GOLD)
class-map match-all RHG-CLASS-DATA-GOLD
match protocol ftp

! QoS policy
policy-map RHG-POLICY
class RHG-CLASS-DATA-GOLD
! enable DSCP-based WRED
random-detect dscp-based

LINK EFFICIENCIES

[Diagram: WAN Branch (2.2.2.2, .2) and WAN Aggregation (1.1.1.1, .1) on 10.1.2.0/24 over a 768 kbps Frame Relay PVC]

FRTS AND FRF.12

! class-map for voice RTP traffic using DSCP EF
class-map match-all RHG-CLASS-VOICE-RTP
match ip dscp ef
! class-map for Call Signaling traffic using either DSCP AF31 or CS3
class-map match-any RHG-CLASS-VOICE-CONTROL
match ip dscp af31
match ip dscp cs3

! QoS policy
policy-map RHG-POLICY
! class-map and policy action (LLQ) for Voice RTP traffic
class RHG-CLASS-VOICE-RTP
priority percent 33
! class-map and policy action (CBWFQ) for Call Signaling traffic
class RHG-CLASS-VOICE-CONTROL
bandwidth percent 5
! default class-map and policy action (CBWFQ+WRED) for all other traffic
class class-default
bandwidth percent 25
random-detect

! QoS policy for FRTS
policy-map RHG-POLICY-FRTS
! default class-map for all traffic
class class-default
! Frame Relay traffic shaping based on PVC speed 768kbps (CIR 95% of 768 kbps, Bc = 10 ms of CIR in bits, Be 0)
shape average 729600 7296 0
! associate main QoS policy
service-policy RHG-POLICY

! map-class for all Frame Relay traffic shaping and fragmentation
map-class frame-relay RHG-CLASS-FRTS-768
! Frame Relay fragmentation based on PVC speed 768kbps (960 bytes = 10 ms of serialization delay)
frame-relay fragment 960
! associate QoS policy for FRTS
service-policy output RHG-POLICY-FRTS

! WAN interface connecting into Frame Relay provider
interface Serial0/0/0
! bandwidth (PVC) on interface
bandwidth 768
ip address 10.1.2.1 255.255.255.0
! enable interface to use Frame Relay
encapsulation frame-relay
! associate frame-relay map-class to interface for traffic shaping and fragmentation
frame-relay class RHG-CLASS-FRTS-768
! configure frame-relay map to remote router using local DLCI 101
frame-relay map ip 10.1.2.2 101 broadcast

LFI

! configure Multilink (ML) interface


interface Multilink1
ip address 10.1.2.1 255.255.255.0
! configure LFI on ML interface
ppp multilink
ppp multilink interleave
ppp multilink fragment delay 10
! ML will use group ID 1
ppp multilink group 1

interface Serial0/0/0
bandwidth 768
no ip address
! enable PPP encapsulation on interface
encapsulation ppp
! associate interface to the ML group 1
ppp multilink
ppp multilink group 1

COMPRESSION USING CRTP

! class-map for voice RTP traffic using DSCP EF


class-map match-all RHG-CLASS-VOICE-RTP
match ip dscp ef

! QoS policy
policy-map RHG-POLICY
! associate class-map for Voice RTP traffic
class RHG-CLASS-VOICE-RTP
! apply RTP compression (cRTP) for Voice RTP traffic
compress header ip rtp

interface Multilink1
ip address 10.1.2.1 255.255.255.0
! QoS policy applied to WAN facing interface (outbound)
service-policy output RHG-POLICY



MAX RESERVE BANDWIDTH

! class-map for Call Signaling traffic using either DSCP AF31 or CS3
class-map match-any RHG-CLASS-VOICE-CONTROL
match ip dscp af31
match ip dscp cs3

! QoS policy
policy-map RHG-POLICY
! class-map and policy action (CBWFQ) for Call Signaling traffic
class RHG-CLASS-VOICE-CONTROL
bandwidth percent 5

! interface that the QoS policy containing CBWFQ is applied to


interface Multilink1
ip address 10.1.2.1 255.255.255.0
! change default max-reserve-bandwidth percentage from 75% to 100% when using CBWFQ
max-reserved-bandwidth 100
! QoS policy applied to WAN facing interface (outbound)
service-policy output RHG-POLICY



MONITOR

MONITOR

show policy-map interface <interface>


show mls qos input-queue
show mls qos interface <interface> statistics
show mls qos interface <interface> buffers
show mls qos interface <interface> queueing
show mls qos queue-set
show frame-relay fragment



IPV6

IPV6 (p. 96)
  General (p. 97)
    Base Configuration (p. 97)
    Interface using Static IPv6 Address (p. 97)
    General Prefixes (p. 97)
    Interface using Dynamic IPv6 Address (EUI-64) (p. 98)
    Disable Route Advertisements on Point-to-Point Links (p. 98)
    Monitor (p. 98)
  IGP Routing (p. 99)
    OSPFv3 (p. 99)
    Static Route (p. 100)
    Monitor (p. 100)
  EGP Routing (p. 101)
    BGPv4+ (p. 101)
    Monitor (p. 102)
  Tunneling (p. 103)
    ISATAP (Server and Client) on Cisco IOS (p. 103)
  Security (p. 105)
    IPv6 ACL (p. 105)
    Monitor (p. 105)



Diagram: R1 (Lo0 FC00:0:1::1/128) connects to R2 (Lo0 FC00:0:2::1/128) over FEC:0:0:1::/64 (R2 .2, R1 .1), to R3 (Lo0 FC00:0:3::1/128) over FEC:0:0:2::/64 (R1 .1, R3 .3) and to INET (Lo0 FC00:0:4::1/128, prefix 2002:100:50::/48) over 2002:100:20:20::/126 (INET .1, R1 .2); LANs FEC:0:0:20::/64 (R2), FEC:0:0:10::/64 and 2002:100:10:10::/64 (R1), FEC:0:0:30::/64 (R3).

GENERAL

BASE CONFIGURATION

! enable IPv6
ipv6 unicast-routing
ipv6 cef

INTERFACE USING STATIC IPV6 ADDRESS

! enable IPv6
ipv6 unicast-routing
ipv6 cef

interface GigabitEthernet0/1
! configure static IPv6 Site Local address (private IP) on interface
ipv6 address FEC:0:0:1::1/64
! enable IPv6 on interface
ipv6 enable

GENERAL PREFIXES

! configure an alias for the IPv6 subnet


ipv6 general-prefix RHG-R1-R3 FEC:0:0:2::/48

interface GigabitEthernet0/2
! IPv6 address configured on interface using the alias followed by the host portion of the IP
ipv6 address RHG-R1-R3 ::3/64



INTERFACE USING DYNAMIC IPV6 ADDRESS (EUI-64)

! enable IPv6
ipv6 unicast-routing
ipv6 cef

interface Vlan10
! configure dynamic IPv6 Site Local address (private IP) on interface using EUI-64
ipv6 address FEC:0:0:10::/64 eui-64
! configure dynamic IPv6 Global address (public IP) on interface using EUI-64
ipv6 address 2002:100:10:10::/64 eui-64
! enable IPv6 on interface
ipv6 enable
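The EUI-64 derivation the two `eui-64` lines above ask the router to perform, as an added Python example (not from the guide): it builds the interface identifier from a constructed MAC address, combines it with the guide's FEC:0:0:10::/64 and 2002:100:10:10::/64 prefixes, and shows that the hardware address is recoverable from the result, which is why EUI-64 addresses disclose the interface's MAC to anyone who sees the address.

```python
from ipaddress import IPv6Address, IPv6Network

EXAMPLE_MAC = "00:1b:2c:3d:4e:5f"  # constructed; not a real device's address


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (as a 64-bit int) for a 48-bit MAC:
    split the MAC, insert FFFE in the middle and invert the universal/local
    bit (bit 1 of the first octet), exactly as the router does for 'eui-64'."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Combine a /64 prefix (as given to 'ipv6 address <prefix> eui-64') with
    the interface identifier derived from mac."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(address):
    """Recover the MAC embedded in an EUI-64 address, or None if the low 64
    bits do not carry the FFFE marker. This reversibility is why EUI-64
    addresses reveal the interface's hardware address to remote peers."""
    iid = int(IPv6Address(address)) & ((1 << 64) - 1)
    eui = bytearray(iid.to_bytes(8, "big"))
    if eui[3:5] != b"\xff\xfe":
        return None
    eui[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in eui[:3] + eui[5:])


if __name__ == "__main__":
    for prefix in ("FEC:0:0:10::/64", "2002:100:10:10::/64"):
        addr = eui64_address(prefix, EXAMPLE_MAC)
        print(f"{prefix:<22} eui-64 -> {addr}  (MAC {mac_from_eui64(addr)})")
```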

DISABLE ROUTE ADVERTISEMENTS ON POINT-TO-POINT LINKS

interface GigabitEthernet0/1
! disable router advertisements (RA) on point-to-point connections
ipv6 nd ra suppress

MONITOR

show ipv6 routers


show ipv6 interface brief
show ipv6 neighbors
show ipv6 interface <interface-name>



IGP ROUTING

OSPFV3

! enable IPv6
ipv6 unicast-routing
ipv6 cef

interface Loopback0
! configure static IPv6 Unique Local address (private IP) on interface
ipv6 address FC00:0:1::1/128
! enable IPv6 on interface
ipv6 enable
! place interface into Area 1 (standard area) using OSPF ID of “1”
ipv6 ospf 1 area 1

interface GigabitEthernet0/1
! configure static IPv6 Site Local address (private IP) on interface
ipv6 address FEC:0:0:1::1/64
! enable IPv6 on interface
ipv6 enable
! tune OSPF timers ; must be configured on both ends
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
! place interface into Area 0 (OSPF backbone area) using OSPF ID of “1”
ipv6 ospf 1 area 0

interface GigabitEthernet0/2
! configure static IPv6 Site Local address (private IP) on interface
ipv6 address FEC:0:0:2::1/64
! enable IPv6 on interface
ipv6 enable
! tune OSPF timers ; must be configured on both ends
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
! place interface into Area 0 (OSPF backbone area) using OSPF ID of “1”
ipv6 ospf 1 area 0

! IPv6 OSPF process using ID “1”


ipv6 router ospf 1
log-adjacency-changes
! advertise OSPFv3 default route to all OSPFv3 routers
default-information originate always
! do not advertise or establish an OSPFv3 neighbor from any interface except Gi0/1 & Gi0/2
passive-interface default
no passive-interface GigabitEthernet0/1
no passive-interface GigabitEthernet0/2



STATIC ROUTE

! enable IPv6
ipv6 unicast-routing
ipv6 cef

! routing to IPv6 subnet FEC:0:0:20::/64 through next hop IPv6 router (R2), FEC:0:0:2::2
ipv6 route FEC:0:0:20::/64 FEC:0:0:2::2

MONITOR

show ipv6 route


show ipv6 interface <interface-name>
show ipv6 ospf neighbor



EGP ROUTING

BGPV4+

>> ISP <<


! enable IPv6
ipv6 unicast-routing
ipv6 cef

interface Loopback0
! configure static IPv6 Unique Local address (private IP) on interface
ipv6 address FC00:0:4::1/128
! enable IPv6 on interface
ipv6 enable

interface GigabitEthernet0/0
! configure static IPv6 Global address (public IP) on interface
ipv6 address 2002:100:20:20::1/126
! enable IPv6 on interface
ipv6 enable

! enable BGP process in ASN 1


router bgp 1
! specify eBGP peer with IPv6 BGP router located in ASN 6778
neighbor 2002:100:20:20::2 remote-as 6778
! MD5 password configured with eBGP peer
neighbor 2002:100:20:20::2 password cisco123
no auto-summary

! enable BGPv4+ for IPv6


address-family ipv6
! activate IPv6 eBGP peer
neighbor 2002:100:20:20::2 activate
! advertise the following IPv6 subnets to eBGP peer
network 2002:100:20:20::/126
network FC00:0:4::1/128
no synchronization
exit-address-family

>> ER01 <<


! enable IPv6
ipv6 unicast-routing
ipv6 cef

interface Loopback0
! configure IPv6 Unique Local address (private IP) on interface
ipv6 address FC00:0:1::1/128
! enable IPv6 on interface
ipv6 enable

interface GigabitEthernet0/0
! configure IPv6 Global address (public IP) on interface
ipv6 address 2002:100:20:20::2/126
! enable IPv6 on interface
ipv6 enable

! enable BGP process in ASN 6778


router bgp 6778
! specify eBGP peer (ISP) with IPv6 BGP router located in ASN 1
neighbor 2002:100:20:20::1 remote-as 1
! MD5 password configured with eBGP peer
neighbor 2002:100:20:20::1 password cisco123
no auto-summary

! enable BGPv4+ for IPv6


address-family ipv6
! activate IPv6 eBGP peer
neighbor 2002:100:20:20::1 activate
! advertise the following IPv6 subnets to eBGP peer
network 2002:100:10::/48
network FC00:0:1::1/128
no synchronization
exit-address-family

! configure NULL route for IPv6 BGP subnet to be injected and advertised to eBGP peers
ipv6 route 2002:100:10::/48 Null0

MONITOR

show ip bgp ipv6 unicast summary


show ip bgp ipv6 unicast
show ipv6 route



TUNNELING

ISATAP (SERVER AND CLIENT) ON CISCO IOS

Diagram: ISATAP Server (Lo0 10.1.1.1, FE0/0 192.168.10.1, Tunnel 2001:AAA:BBB:CCC::/64 EUI-64) and ISATAP Client (FE0/0 192.168.10.2, Tunnel autoconfig).

>> ISATAP Server <<

ipv6 unicast-routing

! IPv4 interface used for ISATAP server


interface Loopback0
ip address 10.1.1.1 255.255.255.255

! IPv4 interface connected to IPv4 network


interface fastethernet0/0
ip address 192.168.10.1 255.255.255.0

! Tunnel interface created


interface Tunnel1
no ip address
no ip redirects
! configure IPv6 address (EUI-64)
ipv6 address 2001:AAA:BBB:CCC::/64 eui-64
no ipv6 nd ra suppress
! source all IPv6 tunnels from the IPv4 Loopback interface
tunnel source Loopback0
! enable ISATAP
tunnel mode ipv6ip isatap



>> ISATAP Client <<

! IPv4 interface connected to IPv4 network


interface fastethernet0/0
ip address 192.168.10.2 255.255.255.0

! Tunnel interface created


interface Tunnel1
no ip address
! will get its IPv6 address from the ISATAP server
ipv6 address autoconfig
! interface enabled for IPv6
ipv6 enable
! automatically build an IPv6 ISATAP tunnel to the destination IP listed below
tunnel mode ipv6ip
! source the tunnel from the IPv4 interface
tunnel source fastethernet0/0
! destination of the ISATAP server to build the tunnel
tunnel destination 10.1.1.1

ip route 0.0.0.0 0.0.0.0 192.168.10.1



SECURITY

IPV6 ACL

! enable IPv6
ipv6 unicast-routing
ipv6 cef

! configure IPv6 ACL policy


ipv6 access-list ROUTEHUB-ACL-IPV6
! allow ICMP from 2002:100:50::/48 subnets (ISP) to the 2002:100:10::/48 subnets (internal)
permit icmp 2002:100:50::/48 2002:100:10::/48
! allow the ISP router (::1) to establish a BGP session with this IPv6 router (::2)
permit tcp host 2002:100:20:20::1 host 2002:100:20:20::2 eq bgp

interface GigabitEthernet0/0
! apply ACL inbound to the WAN/Internet facing interface
ipv6 traffic-filter ROUTEHUB-ACL-IPV6 in
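An evaluator for the ACL above, added here as an example (not part of the guide), that reproduces first-match semantics and the implicit entries IOS appends to every IPv6 ACL (permit for neighbor solicitation and advertisement, then deny), so the admitted traffic can be checked before the filter is applied; the `PORT_NAMES` table is a small assumed subset of IOS port keywords and the parser covers only the syntax this guide uses.

```python
from ipaddress import IPv6Address, IPv6Network

# The guide's ACL, reproduced here as the parser's input
ACL_TEXT = """
ipv6 access-list ROUTEHUB-ACL-IPV6
 permit icmp 2002:100:50::/48 2002:100:10::/48
 permit tcp host 2002:100:20:20::1 host 2002:100:20:20::2 eq bgp
"""
# Assumed subset of IOS port keywords
PORT_NAMES = {"bgp": 179, "ssh": 22, "telnet": 23, "www": 80, "domain": 53}
ND_SOLICIT, ND_ADVERT = 135, 136  # ICMPv6 types covered by IOS's implicit ND entries


def _parse_prefix(tokens):
    """Consume 'any' | 'host X' | 'X/len' from tokens; return (network, rest)."""
    if tokens[0] == "any":
        return IPv6Network("::/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv6Network(tokens[1] + "/128"), tokens[2:]
    return IPv6Network(tokens[0], strict=False), tokens[1:]


def parse_ipv6_acl(text):
    """Return ACL entries as (action, protocol, src_net, dst_net, dst_port)."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "ipv6" or t[0].startswith("!"):
            continue
        if t[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {raw.strip()}")
        src, rest = _parse_prefix(t[2:])
        dst, rest = _parse_prefix(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((t[0], t[1], src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """First matching entry wins; otherwise apply IOS's implicit
    'permit icmp any any nd-ns' / 'nd-na' and the final implicit deny."""
    s, d = IPv6Address(src), IPv6Address(dst)
    for action, p, src_net, dst_net, port in entries:
        if p not in (proto, "ipv6"):
            continue
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action
    if proto == "icmp" and icmp_type in (ND_SOLICIT, ND_ADVERT):
        return "permit"
    return "deny"


ACL = parse_ipv6_acl(ACL_TEXT)

if __name__ == "__main__":
    # BGP from the ISP peer is admitted; SSH to the same router is not
    print(evaluate(ACL, "tcp", "2002:100:20:20::1", "2002:100:20:20::2", dport=179))
    print(evaluate(ACL, "tcp", "2002:100:20:20::1", "2002:100:20:20::2", dport=22))
```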

MONITOR

show ipv6 access-list





FIRST HOP REDUNDANCY PROTOCOLS (FHRP)

FIRST HOP REDUNDANCY PROTOCOLS (FHRP) (p. 106)
  HSRP (p. 107)
    HSRP (p. 107)
    HSRP Authentication (p. 107)
    Tracking (p. 108)
    Redirecting ICMP (p. 108)
    Monitor (p. 109)
  GLBP (p. 110)
    GLBP with Authentication (p. 110)
  VRRP (p. 111)
    VRRP (p. 111)
    Monitor (p. 111)



HSRP

Diagram: 192.168.10.0/24 with VIP .1 and gateways .2 and .3.

HSRP

* Priority: the higher the value, the more preferred the device is as the primary default gateway.

>>SW1<<
! configures SW1 to be primary default gateway router for VLAN100.
interface Vlan100
ip address 192.168.10.2 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby priority 110
standby preempt delay minimum 180

>>SW2<<
! configures SW2 to be the secondary default gateway router for VLAN100
interface Vlan100
ip address 192.168.10.3 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby preempt delay minimum 180

HSRP AUTHENTICATION

>>SW1<<
interface Vlan100
! configures HSRP password that must match with the other HSRP router
standby authentication cisco123

>>SW2<<
interface Vlan100
! configures HSRP password that must match with the other HSRP router
standby authentication cisco123



TRACKING

Diagram: SW1 (Fa0/1 1.1.1.1/24 to ISP1) and SW2 (Fa0/1 1.2.1.1/24 to ISP2); 192.168.10.0/24 with VIP .1 and gateways .2 and .3.

>>SW1<<
! configures SW1 to be the primary default gateway router for VLAN10
interface Vlan10
ip address 192.168.10.2 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby priority 110
standby preempt delay minimum 180
! track the following interface
! If interface is down subtract 20 from priority causing SW2 to be primary
standby track FastEthernet0/1 20

>>SW2<<
! configures SW2 to be the secondary default gateway router for VLAN10
interface Vlan10
ip address 192.168.10.3 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby preempt delay minimum 180

REDIRECTING ICMP

>>SW1<<
interface Vlan10
! enable redirecting ICMP under HSRP enabled interface
standby redirects enable

>>SW2<<
interface Vlan10
! enable redirecting ICMP under HSRP enabled interface
standby redirects enable



MONITOR

show standby
show standby brief
show track



GLBP

Diagram: 192.168.10.0/24 with VIP .1 and gateways .2 and .3.

GLBP WITH AUTHENTICATION

>> SW1 <<


! create GLBP password for authentication
key chain GLBP1
key 1
key-string cisco123

! configures SW1 to be primary default gateway router for VLAN10.


interface Vlan10
ip address 192.168.10.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
! define virtual IP for GLBP
glbp 10 ip 192.168.10.1
glbp 10 timers msec 200 msec 850
glbp 10 priority 150
glbp 10 preempt delay minimum 600
! enable GLBP authentication and associate key chain
glbp 10 authentication md5 key-chain GLBP1

>> SW2 <<


! create GLBP password for authentication
key chain GLBP1
key 1
key-string cisco123

! configures SW2 to be the secondary default gateway router for VLAN10


interface Vlan10
ip address 192.168.10.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
! define virtual IP for GLBP
glbp 10 ip 192.168.10.1
glbp 10 timers msec 200 msec 850
glbp 10 preempt delay minimum 600
! enable GLBP authentication and associate key chain
glbp 10 authentication md5 key-chain GLBP1



VRRP

Diagram: 192.168.10.0/24 with VIP .1 and gateways .2 and .3.

VRRP

* Priority: the higher the value, the more preferred the device is as the primary default gateway.

>>SW1<<
! configures SW1 to be primary default gateway router for VLAN10.
interface Vlan10
ip address 192.168.10.2 255.255.255.0
! define default gateway IP
vrrp 1 ip 192.168.10.1
vrrp 1 priority 110
vrrp 1 preempt

>>SW2<<
! configures SW2 to be the secondary default gateway router for VLAN10
interface Vlan10
ip address 192.168.10.3 255.255.255.0
! define default gateway IP
vrrp 1 ip 192.168.10.1
vrrp 1 preempt

MONITOR

show vrrp



NETWORK MANAGEMENT

NETWORK MANAGEMENT (p. 112)
  Netflow (p. 113)
    Netflow on Cisco IOS (p. 113)
    Netflow on Cisco Catalyst 6500 (Native OS) (p. 114)
    Netflow on Cisco Catalyst 4500 (p. 115)
    Top Talkers on Cisco IOS (p. 115)
  SNMP (p. 116)
    SNMPv2 (p. 116)
    SNMPv3 (p. 116)
    SNMP ifindex for Interface (p. 117)
  NTP (p. 117)
    NTP Server (using Local Clock) (p. 117)
    NTP Client (p. 117)
  Other (p. 118)
    Terminal Server Router (p. 118)
  Maintenance (p. 118)
    IOS Recovery (ROMMON) (p. 118)
    Logging (p. 119)
    Error Disable Recovery (p. 120)



NETFLOW

NETFLOW ON CISCO IOS

! specifies the netflow server IP address and the netflow port to use for export
ip flow-export destination 192.168.10.10 9996

! specify the interface/address that will communicate with the netflow server
ip flow-export source Loopback0

! sets the export version


ip flow-export version 5

! breaks up long-lived flows into one-minute segments


ip flow-cache timeout active 1

! ensures that flows that have finished are exported in a timely manner
ip flow-cache timeout inactive 15

interface FastEthernet0/0
! applies NetFlow to an interface for capturing all flows
ip route-cache flow

! show the current netflow configuration


show ip flow export

! command to summarize the active flows and how much data it is exporting
show ip cache flow
show ip cache verbose flow



NETFLOW ON CISCO CATALYST 6500 (NATIVE OS)

* Requirements: Cisco Catalyst 6500 using Supervisor 2 or 720; IOS version 12.1.13(E) or higher

! sets the export version. Used to distinguish flows coming from the Supervisor engine and MSFC
mls nde sender version 7

! breaks up long-lived flows into one-minute segments


mls aging long 64

! ensures that flows that have finished are exported in a timely manner
mls aging normal 32

! required to put interface and routing info into the netflow export
mls flow ip full

! specifies the netflow server IP address and the netflow port to use for export
ip flow-export destination 192.168.10.10 9996

! specify the interface/address that will communicate with the netflow server
ip flow-export source Loopback0

interface FastEthernet3/1
! applies NetFlow to an interface for capturing all flows
ip route-cache flow

! show the current netflow configuration


show ip flow export

! command to summarize the active flows and how much data it is exporting
show ip cache flow
show ip cache verbose flow



NETFLOW ON CISCO CATALYST 4500

* Requirements: Cisco Catalyst 4500 using Supervisor IV with NetFlow daughter card; IOS version 12.1(1)EW or higher

! specifies the netflow server IP address and the netflow port to use for export
ip flow-export destination 192.168.10.10 9996

! specify the interface/address that will communicate with the netflow server
ip flow-export source Loopback0

! sets the export version


ip flow-export version 5

! breaks up long-lived flows into one-minute segments


ip flow-cache timeout active 1

! ensures that flows that have finished are exported in a timely manner
ip flow-cache timeout inactive 15

interface FastEthernet3/1
! applies NetFlow to interface for capturing all flows & ensures routing info is included
ip route-cache flow infer-fields

! show the current netflow configuration


show ip flow export

! command to summarize the active flows and how much data it is exporting
show ip cache flow
show ip cache verbose flow

TOP TALKERS ON CISCO IOS

! enable top-talkers details on Netflow enabled interfaces


ip flow-top-talkers
! only show the top 5 talkers
top 5
! reflect the amount of Bytes used per top talker
sort-by bytes

! view top talkers details


show ip flow top-talkers
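The collector side of the export configured above, added as an example (not from the guide): it decodes NetFlow v5 datagrams (24-byte header, 48-byte records), validates the count field against the datagram length before trusting it, and ranks flows the way `ip flow-top-talkers` with `top 5` and `sort-by bytes` does. The flow records are constructed sample data; receiving the UDP datagrams on port 9996 is left to the caller.

```python
import struct
from ipaddress import IPv4Address

# 24-byte header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# 48-byte record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 records


def build_v5_datagram(records, seq=0):
    """Constructed test data: pack (src, dst, proto, sport, dport, pkts, octets)
    tuples into a v5 datagram the way an exporter would."""
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("0.0.0.0").packed, 1, 2, pkts, octets,
                       0, 1000, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in records)
    header = V5_HEADER.pack(5, len(records), 60000, 1347667200, 0, seq, 0, 0, 0)
    return header + body


def parse_v5(datagram):
    """Return the flow records in a v5 datagram as dicts; reject malformed input
    instead of trusting the on-wire count field."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "sport": sport, "dport": dport, "tos": tos,
            "packets": pkts, "bytes": octets, "in_if": in_if, "out_if": out_if,
            "tcp_flags": tcp_flags, "duration_ms": last - first,
        })
    return flows


def is_valid_v5(datagram):
    """True when parse_v5 accepts the datagram."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def top_talkers(flows, n=5, sort_by="bytes"):
    """Rank flows like 'ip flow-top-talkers' with 'top 5' and 'sort-by bytes'
    (or 'sort-by packets')."""
    if sort_by not in ("bytes", "packets"):
        raise ValueError("sort-by must be 'bytes' or 'packets'")
    return sorted(flows, key=lambda f: f[sort_by], reverse=True)[:n]


# Constructed sample flows: (src, dst, proto, sport, dport, packets, bytes)
SAMPLE_FLOWS = [
    ("192.168.10.20", "192.168.10.10", 6, 51000, 443, 120, 98000),
    ("192.168.10.21", "203.0.113.53", 17, 40000, 53, 4, 320),
    ("192.168.10.22", "192.168.10.10", 6, 51001, 22, 3000, 4500000),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    for f in top_talkers(parse_v5(SAMPLE_DATAGRAM)):
        print(f"{f['src']:>15} -> {f['dst']:<15} proto {f['proto']:<3} "
              f"{f['bytes']:>9} bytes {f['packets']:>6} pkts")
```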



SNMP

Diagram: 192.168.10.0/24, device .1, NMS .10.

SNMPV2

! ACL listing the IP address of the NMS server


ip access-list standard ACL-SNMP
permit 192.168.10.10

! specify SNMP community name associating the ACL


snmp-server community RHG-SNMP RO ACL-SNMP

! specify location and contact informational details


snmp-server location Tracy, CA
snmp-server contact RHG Management

! specify IP of NMS and community name used for sending SNMP traps
snmp-server host 192.168.10.10 RHG-SNMP

SNMPV3

! configure ACL listing IP of NMS


access-list 10 permit 192.168.10.10

! configure SNMP view to query all (internet) objects from the Cisco device
snmp-server view RHG-VIEW internet included
! specify SNMPv3 group. Associate SNMP view and ACL policies
snmp-server group RHG-GROUP v3 priv read RHG-VIEW access 10
! specify the username & associate SNMPv3 group
! specify the authentication protocol (SHA) and password
! specify the encryption protocol (AES 128) and password
snmp-server user RHGUSER RHG-GROUP v3 auth sha RHGPASSWORD1 priv aes 128 RHGPASSWORD2
snmp-server ifindex persist
! specify SNMP location and contact details
snmp-server location TRACY, CA
snmp-server contact support@routehub.com
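A configuration audit, added as an example (not from the guide), that checks a running-config text for the management-plane settings this section and the BGPv4+ section harden: SNMP communities read-only and ACL-bound, SNMPv3 groups and users at the `priv` level, an MD5 password on every BGP neighbor, `ntp access-group` alongside `ntp server`, and a remote syslog destination. The sample configs are constructed from the guide's own snippets; the line-matching heuristics and finding texts are the example's own.

```python
import re


def audit_ios_config(config):
    """Return human-readable findings for an IOS config; an empty list means
    every check passed. Line-based heuristics over the commands this guide uses."""
    findings = []
    bgp_peers, bgp_with_password = set(), set()
    has_ntp_server = has_ntp_acl = has_syslog_host = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # SNMPv1/v2c community: expect read-only and an ACL naming the NMS
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line, re.I)
        if m:
            name, mode, acl = m.groups()
            if (mode or "RO").upper() == "RW":
                findings.append(f"SNMP community {name} is read-write")
            if acl is None:
                findings.append(f"SNMP community {name} has no ACL restricting managers")
            continue
        # SNMP group: expect v3 with 'priv' (authentication and encryption)
        m = re.match(r"snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?", line, re.I)
        if m:
            name, ver, level = m.groups()
            if ver.lower() != "v3" or (level or "").lower() != "priv":
                shown = f"{ver} {level}" if level else ver
                findings.append(f"SNMP group {name} uses {shown}; use v3 priv")
            continue
        # SNMPv3 user: expect a privacy protocol after the auth settings
        m = re.match(r"snmp-server user (\S+) (\S+) v3(.*)", line, re.I)
        if m:
            if not re.search(r"\bpriv\b", m.group(3)):
                findings.append(f"SNMPv3 user {m.group(1)} has no privacy (encryption) protocol")
            continue
        # BGP: every 'neighbor X remote-as' should have a 'neighbor X password'
        m = re.match(r"neighbor (\S+) (remote-as|password)\b", line)
        if m:
            (bgp_peers if m.group(2) == "remote-as" else bgp_with_password).add(m.group(1))
            continue
        if line.startswith("ntp server"):
            has_ntp_server = True
        elif line.startswith("ntp access-group"):
            has_ntp_acl = True
        elif re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", line):
            has_syslog_host = True
    for peer in sorted(bgp_peers - bgp_with_password):
        findings.append(f"BGP neighbor {peer} has no MD5 password")
    if has_ntp_server and not has_ntp_acl:
        findings.append("NTP server configured without 'ntp access-group'")
    if not has_syslog_host:
        findings.append("no remote syslog destination ('logging <host>')")
    return findings


# Constructed configs assembled from this guide's own snippets
HARDENED_CONFIG = """
ip access-list standard ACL-SNMP
 permit 192.168.10.10
snmp-server community RHG-SNMP RO ACL-SNMP
snmp-server group RHG-GROUP v3 priv read RHG-VIEW access 10
snmp-server user RHGUSER RHG-GROUP v3 auth sha RHGPASSWORD1 priv aes 128 RHGPASSWORD2
router bgp 6778
 neighbor 2002:100:20:20::1 remote-as 1
 neighbor 2002:100:20:20::1 password cisco123
ntp access-group peer 10
ntp server 192.168.10.1 prefer
logging 192.168.10.10
"""
WEAK_CONFIG = """
snmp-server community public RW
snmp-server group MON v3 auth read RHG-VIEW
snmp-server user monuser MON v3 auth md5 RHGPASSWORD1
router bgp 6778
 neighbor 2002:100:20:20::1 remote-as 1
ntp server 192.168.10.1 prefer
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_ios_config(cfg) or ["no findings"]:
            print(" -", finding)
```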



SNMP IFINDEX FOR INTERFACE

! view SNMP ifindex for Interface


show snmp mib ifmib ifindex loopback0

NTP

NTP SERVER (USING LOCAL CLOCK)

* confirm that the local time is correct on the Cisco device

! specify source interface for NTP communication


ntp source BVI10
! define NTP Stratum level to 3
ntp master 3

NTP CLIENT

Diagram: 192.168.10.0/24, NTP Server .1, Client .2.

! ACL defining IP of NTP server


access-list 10 permit 192.168.10.1

! NTP communication should use the following interface


ntp source Vlan10
! only communicate with the NTP server listed in the associated ACL
ntp access-group peer 10
! specify the NTP server
ntp server 192.168.10.1 prefer



OTHER

TERMINAL SERVER ROUTER

! configuration on a terminal server with async ports, mapping IP 10.67.78.71 to TTY port 2001
! a "telnet" to 10.67.78.71 then connects automatically to the console session on port 2001

ip host TTY-1 23 10.67.78.71


ip alias 10.67.78.71 2001

MAINTENANCE

IOS RECOVERY (ROMMON)

Diagram: 192.168.10.0/24, device .1, TFTP server .10.

* done from the rommon prompt

! specify the IP details on the Cisco device


IP_ADDRESS=192.168.10.1
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=192.168.10.1

! specify IP of TFTP server and file to download


TFTP_SERVER=192.168.10.10
TFTP_FILE=c2801.bin

! download IOS image from TFTP server


tftpdnld



LOGGING

Diagram: 192.168.10.0/24, device .1, SYSLOG server .10.

! enable timestamps for Log messages


service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

! send logs for levels 0-7 to the buffer on the device up to 16KB
logging buffered 16384 debugging
! disable log messages to console
no logging console
! disable log messages to terminal monitor (via Telnet/SSH)
no logging monitor
! send logs for levels 0-4 to SYSLOG server
logging trap warning
! specify facility level
logging facility local4
! specify the source interface to send log messages from
logging source-interface Vlan10
! specify IP of SYSLOG server
logging 192.168.10.10



ERROR DISABLE RECOVERY

! enable Error Disable recovery for all causes


errdisable recovery cause all

! Or Error Disable recovery can be enabled individually for the following supported causes
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection



IP NETWORK SERVICES

IP NETWORK SERVICES (p. 121)
  General (p. 122)
    Time-Zone (p. 122)
    ARP Timeout (p. 122)
    Load Interval (p. 122)
    Alias on Cisco IOS (p. 122)
    Secondary IP (p. 122)
    DHCP on Cisco Interface (p. 123)
    Copy using FTP (p. 123)
    SSH (p. 123)
    Sending Messages (p. 123)
    Flow Control (p. 124)
  Shortcuts (p. 125)
    Include (p. 125)
    Alias (EXEC) (p. 125)
    Do (p. 125)
Default Interface .............................................................................................................................................................. 125
Multiple Ports/Interfaces ................................................................................................................................................ 125
Macros ...............................................................................................................................................................126
Macros for running Static Commands ............................................................................................................................. 126
Macro using Parameters .................................................................................................................. 126
Macro for Voice Port ....................................................................................................................................................... 127
CEF .....................................................................................................................................................................128
CEF Load Sharing: L3/L4 Hash .......................................................................................................................................... 128
NAT ....................................................................................................................................................................128
NAT Overload using Pool of IP Addresses ........................................................................................................................ 128
NAT Overload using WAN interface................................................................................................................................. 129
Dynamic NAT Pool ........................................................................................................................................................... 130
Static NAT ........................................................................................................................................................................ 130
NAT Port Redirect using WAN interface .......................................................................................................................... 131
NAT Port Redirect using Dedicated IP.............................................................................................................................. 132
Stateful Failover ............................................................................................................................................................... 133
Monitor............................................................................................................................................................................ 134
IP Features .........................................................................................................................................................135
IP SLA with Dual ISP ......................................................................................................................................................... 135
IP Accounting ................................................................................................................................................................... 135
IP Helper .......................................................................................................................................................................... 136
DHCP Server on Cisco IOS ................................................................................................................................................ 136
Policy Based Routing (PBR) .............................................................................................................................................. 137
DDNS on Cisco IOS ........................................................................................................................................................... 138
HTTP on Cisco IOS ............................................................................................................................................................ 138
Cisco IOS SLB .................................................................................................................................................................... 139
Legacy Protocols and Features ..........................................................................................................................141
AppleTalk ......................................................................................................................................................................... 141



IPX .................................................................................................................................................................................... 141

GENERAL

TIME-ZONE

! specify timezone (PST, UTC-8)
clock timezone PST -8
! enable daylight saving time; the zone name shown while DST is in effect is PDT
clock summer-time PDT recurring

ARP TIMEOUT

interface FastEthernet0/0
! "arp timeout" is an interface command: changes the ARP cache timeout on this interface
! from the 4-hour default (14400 seconds) to 200 seconds
arp timeout 200

LOAD INTERVAL

interface FastEthernet0/0
! compute the interface rate counters (bits and packets per second) over 60 seconds instead of the 5-minute default
load-interval 60

ALIAS ON CISCO IOS

! configure alias where typing in "c" will translate to "config t"
alias exec c config t
! configure alias where typing in "acl" will translate to "show access-list"
alias exec acl show access-list
! configure alias called "run-tftp" which will copy the running config to a TFTP server
! (TFTP has no authentication or encryption, so the configuration, including any
! credentials in it, is readable by anyone on the path)
alias exec run-tftp copy system:running-config tftp://192.168.10.10/RHG-config

SECONDARY IP

interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
! second IP configured on interface
ip address 192.168.11.1 255.255.255.0 secondary



DHCP ON CISCO INTERFACE

(diagram: LAN 192.168.10.0/24 with router .1; WAN interface addressed automatically via DHCP toward 6.7.7.0/24)

interface FastEthernet4
! enable interface to get IP via DHCP
ip address dhcp

COPY USING FTP

! copy active config to the following FTP server (username/password included in the URL).
! The credentials travel in cleartext and stay in the command history; setting them with
! "ip ftp username" / "ip ftp password" in the configuration avoids typing them inline.
copy running-config ftp://admin:cisco123@192.168.10.10

SSH

! domain name required for generating RSA keys
ip domain-name routehub.local

! generate a 2048-bit RSA key pair; this is the SSH host key that authenticates the device
! to clients (the session encryption keys are negotiated per connection)
crypto key generate rsa general-keys modulus 2048

! enable SSH version 2 only (refuses the weaker SSHv1), set the authentication negotiation
! timeout in seconds and the number of login attempts allowed per connection
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
! note: Telnet stays reachable until the VTY lines are limited with "transport input ssh"

SENDING MESSAGES

! send a message to all open CON/VTY sessions
send *

OR

! send a message to the open CON/VTY session on line number 1
send 1



FLOW CONTROL

Flow control (IEEE 802.3x) lets a GigabitEthernet interface use pause frames to signal
congestion: a port with "receive on" honors pause frames from its neighbor and briefly stops
transmitting, a port with "send on" emits pause frames when its own receive buffers fill.
Helps to prevent congestion-related packet drops on that link.

interface GigabitEthernet1/0/2
! honor pause frames received from the connected device
flowcontrol receive on
! do not send pause frames to the connected device
flowcontrol send off



SHORTCUTS

INCLUDE

! issue the command "show ip route" but only display the lines that contain "28416"
show ip route | include 28416
D 10.25.1.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1
D 10.25.100.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1
D 10.25.150.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1
D 10.25.200.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1

ALIAS (EXEC)

! alias where entering the command "c" will go into the config mode
alias exec c config t

! view aliases configured
show aliases

DO

! run "show" commands from configuration mode
Router(config)#do show ip route

DEFAULT INTERFACE

! removes all configuration from interface (factory default)
default interface serial 0/0

MULTIPLE PORTS/INTERFACES

! configure multiple ports/interfaces at once
interface range gi0/1 - 2



MACROS

MACROS FOR RUNNING STATIC COMMANDS

* This macro will ping a couple of IP addresses automatically

! configures macro profile called "macro_PING"
macro name macro_PING
! define the commands that will ping two (or more) IP addresses
do ping 192.168.1.1
do ping 4.2.2.2
! ends macro profile
@

! runs macro that will ping the IP addresses listed in the macro automatically
macro global apply macro_PING

MACRO USING PARAMETERS

* This macro will add new VLANs and VLAN SVIs automatically on a L2/L3 switch. This macro will
also include parameters where we can enter specific details with the macro that will be applied.

! configures macro profile called "macro_new_VLAN"
macro name macro_new_VLAN
! specify syntax "vlan" following by a unique parameter called $V which
! will be used for the VLAN ID
vlan $V
! specify the syntax "name" followed by a unique parameter called $D
! which is used for the description
name $D
! configure the VLAN SVI interface using the same parameter $V that was
! defined earlier for the VLAN ID.
interface vlan $V
! specify the IP address and mask which will include number defined in the parameter $V
ip address 192.168.$V.1 255.255.255.0
no shutdown
! ends macro profile
@

! apply macro on a L2/L3 switch. This will create a new VLAN, which will be VLAN 123
! and the description of this VLAN will be called TEST_VLAN.
! The subnet for this new VLAN will be 192.168.123.0 which includes the VLAN ID we defined
! Note: the syntax "trace" means we want to see the output which is shown here:
UC01TRA(config-if)#macro trace macro_new_VLAN $V 123 $D TEST_VLAN
Applying command... 'vlan 123'
Applying command... ' name TEST_VLAN'
Applying command... 'interface vlan 123'
Applying command... ' ip address 192.168.123.1 255.255.255.0'
Applying command... ' no shutdown '



MACRO FOR VOICE PORT

* This macro will create a configuration that can be applied to a voice switch port with
connected IP phones and endpoints which will include VLANs and QoS. This can allow an engineer
to define the macro with all the necessary configuration then allow a technician to apply the
macro where needed on ports that are considered as voice ports.

! configures macro profile called "macro_PORT_VOICE"
macro name macro_PORT_VOICE
! specifies Data VLAN
switchport access vlan 10
! specifies Voice VLAN
switchport voice vlan 100
! specify QoS configuration
switchport priority extend cos 1
mls qos trust cos
mls qos trust device cisco-phone
! ends macro profile
@

! applies macro to a range of interfaces with connected IP phones and endpoints
SW1(config)#interface range fa0/6-8
SW1(config-if-range)#macro apply macro_PORT_VOICE



CEF

CEF LOAD SHARING: L3/L4 HASH

! (Catalyst 6500) include the L4 ports as well as source/destination IP in the CEF load-sharing hash
mls ip cef load-sharing full

NAT

NAT OVERLOAD USING POOL OF IP ADDRESSES

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; WAN 1.1.1.1 toward 6.7.7.0/24)

! specify IP subnet on LAN
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

! configure NAT and range of Public IP's to use for NAT Overload
ip nat pool NATPOOL 1.1.1.5 1.1.1.6 netmask 255.255.255.0
! hosts in ACL 101 will NAT overload to the range of Public IP's from the NAT pool
ip nat inside source list 101 pool NATPOOL overload

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside

! show all NAT translations through the router
show ip nat translations



NAT OVERLOAD USING WAN INTERFACE

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; WAN 1.1.1.1 toward 6.7.7.0/24)

! specify IP subnet on LAN
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

! hosts in ACL 101 will NAT overload to the Public IP on the WAN interface
ip nat inside source list 101 interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside

! show all NAT translations through the router
show ip nat translations



DYNAMIC NAT POOL

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; WAN 1.1.1.1; NAT pool 1.1.1.10 - 1.1.1.20)

! define subnet that will use the dynamic NAT pool
ip access-list extended RHG-ACL-NET
permit ip 192.168.10.0 0.0.0.255 any

! define range of dedicated public IPs to assign (one inside host per address at a time;
! without "overload" the 11 addresses below support at most 11 concurrent inside hosts)
ip nat pool RHG-NAT-POOL 1.1.1.10 1.1.1.20 netmask 255.255.255.0
! associates ACL with pool of IP's to use
ip nat inside source list RHG-ACL-NET pool RHG-NAT-POOL

STATIC NAT

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; WAN 1.1.1.1, public IP 1.1.1.10 toward 6.7.7.0/24)

! translate private IP 192.168.10.10 to use public IP 1.1.1.10
ip nat inside source static 192.168.10.10 1.1.1.10

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside

! show all NAT translations through the router
show ip nat translations



NAT PORT REDIRECT USING WAN INTERFACE

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; WAN 1.1.1.1 toward 6.7.7.0/24)

! any access to the IP configured on the WAN interface for HTTPS (TCP/443) will be
! redirected to the inside server of 192.168.10.10.
ip nat inside source static tcp 192.168.10.10 443 1.1.1.1 443 extendable

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside

! show all NAT translations through the router
show ip nat translations



NAT PORT REDIRECT USING DEDICATED IP

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; WAN 1.1.1.1, dedicated IP 1.1.1.10 toward 6.7.7.0/24)

! any access to the dedicated IP of 1.1.1.10 for HTTPS (TCP/443) will be
! redirected to the inside server of 192.168.10.10.
ip nat inside source static tcp 192.168.10.10 443 1.1.1.10 443 extendable

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside

! show all NAT translations through the router
show ip nat translations



STATEFUL FAILOVER

(diagram: R1 Gi0/0 1.1.1.1/24 to ISP1, R2 Gi0/0 1.2.2.1/24 to ISP2; R1 Gi0/1 192.168.10.2 and R2 Gi0/1 192.168.10.3 on LAN 192.168.10.0/24 with HSRP VIP .1; both routers hold the same translations: static 1.1.1.10 -> 192.168.10.10, pool 1.1.1.5-1.1.1.6 -> 192.168.10.x)

* Stateful NAT (SNAT) does not support PAT/overload; the pool below is one-to-one

>>R1<<
! define stateful NAT group using ID "1"
ip nat stateful id 1
! specify name for HSRP
redundancy SF-NAT
! specify mapping ID of "1"
mapping-id 1
! specify the HSRP enabled interface
interface GigabitEthernet0/1
protocol udp

! NAT pool used by the dynamic (one-to-one, not overload) translations
ip nat pool NATPOOL 1.1.1.5 1.1.1.6 netmask 255.255.255.0

! dynamic NAT configuration associated to stateful NAT mapping ID 1
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 110 pool NATPOOL mapping-id 1
! static NAT configuration associated to stateful NAT mapping ID 1
ip nat inside source static 192.168.10.10 1.1.1.10 mapping-id 1

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside

interface GigabitEthernet0/1
ip address 192.168.10.2 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
! primary HSRP router configuration
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby priority 110



standby preempt delay minimum 180
! HSRP will reference the stateful NAT group configured
standby name SF-NAT

>>R2<<
! define stateful NAT group using ID "1"
ip nat stateful id 1
! specify name for HSRP
redundancy SF-NAT
! specify mapping ID of "1"
mapping-id 1
! specify the HSRP enabled interface
interface GigabitEthernet0/1
protocol udp

! NAT pool used by the dynamic (one-to-one, not overload) translations
ip nat pool NATPOOL 1.1.1.5 1.1.1.6 netmask 255.255.255.0

! dynamic NAT configuration associated to stateful NAT mapping ID 1
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 110 pool NATPOOL mapping-id 1
! static NAT configuration associated to stateful NAT mapping ID 1
ip nat inside source static 192.168.10.10 1.1.1.10 mapping-id 1

interface GigabitEthernet0/0
ip address 1.2.2.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside

interface GigabitEthernet0/1
ip address 192.168.10.3 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
! secondary HSRP router configuration
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby preempt delay minimum 180
! HSRP will reference the stateful NAT group configured
standby name SF-NAT

MONITOR

show ip nat translations
show ip nat statistics



IP FEATURES

IP SLA WITH DUAL ISP

(diagram: LAN 192.168.10.0/24 with router .1; primary link to ISP1 from 1.1.1.1, secondary link to ISP2 from 1.2.2.1, toward 6.7.7.0/24)

! configure an ICMP probe to 1.1.1.2 (the ISP1 next hop) every 5 seconds, sourced from the
! ISP1-facing address so the probe follows the primary path; a reply must arrive within 1000 ms
ip sla 10
icmp-echo 1.1.1.2 source-ip 1.1.1.1
timeout 1000
frequency 5

! activates the SLA probe now and runs it indefinitely
ip sla schedule 10 life forever start-time now

! track the probe's reachability as track object 1; wait 30 seconds of failure before declaring
! the object down and 60 seconds of success before declaring it up, so a single lost probe
! does not flip the default route (newer IOS releases use "track 1 ip sla 10 reachability")
track 1 rtr 10 reachability
delay down 30 up 60

! apply track ID to the primary default route. If the probe fails the route is removed
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 1

! secondary default route to the second ISP using higher admin distance
ip route 0.0.0.0 0.0.0.0 1.2.2.2 254

show track timers
show track brief
show track <ID>
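The "delay down 30 up 60" line is what keeps one lost probe from withdrawing the default route. The Python model below is an added example, not from the RouteHub guide, that replays a constructed sequence of probe outcomes (frequency 5 seconds, as above) through the delay logic and reports when the tracked object, and therefore the static route, would actually change state. The class and function names are this script's own, and it only evaluates the object at probe instants.

```python
"""Simulate IOS object tracking 'delay down D up U' damping over IP SLA probe results.

Added example (Python), not from the RouteHub guide.  Probe timing uses the
page's values (frequency 5 s, delay down 30 up 60); the probe outcomes are
constructed.  The model only observes state at probe instants.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TrackedObject:
    delay_down: int
    delay_up: int
    state: str = "up"                    # state the routing table currently sees
    pending: Optional[str] = None        # opposite state waiting for its delay timer
    since: Optional[int] = None          # time the pending change was first observed
    events: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, t: int, reachable: bool) -> None:
        observed = "up" if reachable else "down"
        if observed == self.state:
            # Condition returned before the timer expired: the change is cancelled.
            # This is what stops a single lost probe from flapping the route.
            self.pending, self.since = None, None
            return
        if self.pending != observed:
            self.pending, self.since = observed, t
        delay = self.delay_down if observed == "down" else self.delay_up
        if t - self.since >= delay:
            self.state = observed
            self.events.append((t, observed))
            self.pending, self.since = None, None


def simulate(results: List[bool], frequency: int = 5,
             delay_down: int = 30, delay_up: int = 60) -> List[Tuple[int, str]]:
    """results[i] is the outcome of the probe sent at t = i * frequency seconds.
    Returns the (time, state) transitions the tracked static route would see."""
    obj = TrackedObject(delay_down, delay_up)
    for i, ok in enumerate(results):
        obj.observe(i * frequency, ok)
    return obj.events


# Constructed probe history: one lost probe at t=20 (transient), a real outage
# from t=50 to t=95, then the ISP link is healthy again from t=100 on.
PROBES = [True] * 4 + [False] + [True] * 5 + [False] * 10 + [True] * 14

if __name__ == "__main__":
    print(simulate(PROBES))                             # damped: route changes at 80 and 160
    print(simulate(PROBES, delay_down=0, delay_up=0))   # undamped: flaps at 20/25 as well
```

With the page's delays the route is withdrawn 30 seconds into the real outage and reinstalled 60 seconds after recovery, while the transient loss at t=20 never reaches the routing table; with no delay the same history produces four route changes.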

IP ACCOUNTING

interface Vlan10
ip address 192.168.10.1 255.255.255.0
! enable IP accounting
ip accounting output-packets



IP HELPER

(diagram: DHCP clients 192.168.10.x on vlan10; DHCP server 192.168.20.10 on vlan20)

! LAN interface with connected DHCP-enabled hosts
interface Vlan10
ip address 192.168.10.1 255.255.255.0
! relay DHCP broadcasts to the DHCP server located on another network.
! Note: ip helper-address also relays other UDP broadcasts by default (TFTP, DNS, Time,
! NetBIOS, TACACS); disable the ones not needed with "no ip forward-protocol udp <port>"
ip helper-address 192.168.20.10

DHCP SERVER ON CISCO IOS

(diagram: 192.168.10.0/24; the Cisco IOS device at .1 acts as DHCP server for the DHCP-enabled hosts)

! specify range of IPs to NOT assign to DHCP-enabled hosts
ip dhcp excluded-address 192.168.10.1 192.168.10.9

! configure DHCP scope
ip dhcp pool RHG-DHCP
! specify subnet for DHCP scope
network 192.168.10.0 255.255.255.0
! specify default gateway to assign
default-router 192.168.10.1
! specify DNS servers
dns-server 192.168.10.10
! specify default domain to use
domain-name routehub.local
! specify DHCP lease time. "infinite" means addresses are never reclaimed, so the pool slowly
! exhausts as devices come and go; a bounded lease (e.g. "lease 1" for one day) is the usual choice
lease infinite



POLICY BASED ROUTING (PBR)

(diagram: two Internet links, 10.1.2.0/24 (router .1, ISP router .2) and 10.1.3.0/24 (router .1, ISP router .3); LANs 192.168.10.0/24 and 192.168.11.0/24)

! ACL configured to be used with PBR
ip access-list extended PBR-ACL-INET
! specify the traffic we do not want to use PBR
deny tcp any 192.168.11.0 0.0.0.255 eq www
deny ip host 192.168.10.11 any
! specify the traffic we do want to use PBR
permit tcp any any eq www
permit tcp any any eq 443
permit ip any host 4.2.2.3
permit ip any host 192.168.20.10

! configure PBR
route-map PBR-RM-INET permit 10
! associate ACL to PBR
match ip address PBR-ACL-INET
! all permitted entries in the ACL will be forwarded to 10.1.3.3
set ip next-hop 10.1.3.3

interface Vlan10
ip address 192.168.10.1 255.255.255.0
! associate PBR to LAN facing interface
ip policy route-map PBR-RM-INET

! all other routing will use the configured default gateway
ip route 0.0.0.0 0.0.0.0 10.1.2.2

show ip policy
show route-map



DDNS ON CISCO IOS

(diagram: LAN 192.168.10.0/24 with router .1; WAN interface addressed automatically via DHCP toward 6.7.7.0/24)

* requires a DDNS account to be created with the DDNS provider

! hostname of Cisco IOS device
hostname rhg-er01

! create DDNS profile called "RHG-DDNS" using the HTTP update method
ip ddns update method RHG-DDNS
 HTTP
! specify DDNS account name, password and update URL (using dyndns.org); the hostname to
! register is carried in the URL and "myip=" is left empty so the provider uses the source
! address of the update request. "?" is the IOS help key, so type <CTRL-V> before it to
! enter it literally. The credentials are stored in the configuration.
  add http://user1:cisco123@members.dyndns.org/nic/update?system=dyndns&hostname=rhg-er01.selfip.com&myip=
! send an update at least once a day (days hours minutes seconds)
 interval maximum 1 0 0 0

! WAN facing interface


interface FastEthernet4
! enable DDNS and specify DDNS server for registration
ip ddns update hostname rhg-er01.selfip.com
ip ddns update RHG-DDNS host members.dyndns.org
! WAN interface will get its IP via DHCP
ip address dhcp

HTTP ON CISCO IOS

! create local account (use "secret" so the password is stored as a one-way hash rather than
! the reversible type 7 encoding that "password" produces)
username user1 secret cisco123

! ACL to define who can use HTTP services on the Cisco IOS device
access-list 23 permit 192.168.10.0 0.0.0.255

! enable HTTP server on Cisco IOS device (cleartext: credentials cross the network unprotected,
! so leave this disabled with "no ip http server" once HTTPS is enabled)
ip http server
! enable HTTPS server on Cisco IOS device
ip http secure-server
! only hosts/networks in the following ACL can access the HTTP/S server on the Cisco IOS device
ip http access-class 23
! authenticate against the local user database
ip http authentication local
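As an added check (Python, not IOS CLI, and not from the RouteHub guide), the script below audits a running-config for the management-plane settings configured in the SSH, HTTP, DHCP and logging sections of this page: a username stored with "password" instead of "secret", SSH version 2 not enforced, cleartext HTTP enabled or HTTP/S without an access-class, VTY lines that still accept Telnet, an infinite DHCP lease, and no remote syslog destination. WEAK_CONFIG is constructed from the page's fragments as originally typed and HARDENED_CONFIG is the corrected version of the same device; the finding codes are the script's own.

```python
"""Audit an IOS running-config for the management-plane settings this guide configures.

Added example (Python, not IOS CLI); not from the RouteHub guide.  WEAK_CONFIG and
HARDENED_CONFIG are constructed from the page's fragments; the finding codes are
this script's own.
"""
import re
from typing import List, Tuple

# Constructed from the page's SSH, HTTP, DHCP and logging fragments as originally typed
WEAK_CONFIG = """\
hostname rhg-er01
username user1 password cisco123
ip domain-name routehub.local
ip ssh time-out 120
ip ssh authentication-retries 3
ip http server
ip http secure-server
ip http authentication local
ip dhcp pool RHG-DHCP
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 lease infinite
logging trap warning
logging 192.168.10.10
line vty 0 4
 login local
 transport input telnet ssh
"""

# The same device with the weak settings corrected
HARDENED_CONFIG = """\
hostname rhg-er01
username user1 secret cisco123
ip domain-name routehub.local
ip ssh version 2
no ip http server
ip http secure-server
access-list 23 permit 192.168.10.0 0.0.0.255
ip http access-class 23
ip http authentication local
logging trap warning
logging 192.168.10.10
line vty 0 4
 login local
 transport input ssh
"""

Block = Tuple[str, List[str]]


def parse_blocks(text: str) -> List[Block]:
    """Group the one-space-indented sub-commands IOS emits under their parent line."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    top = {parent for parent, _ in blocks}
    findings: List[Tuple[str, str]] = []

    for parent, _ in blocks:
        m = re.match(r"username\s+(\S+)\s+(?:privilege\s+\d+\s+)?password\s", parent)
        if m:  # 'password' stores type 0 or reversible type 7; 'secret' stores a hash
            findings.append(("PLAINTEXT_USER_PASSWORD", f"username {m.group(1)}: use 'secret'"))

    if "ip ssh version 2" not in top:
        findings.append(("SSH_V1_ALLOWED", "add 'ip ssh version 2'"))

    if "ip http server" in top:
        findings.append(("HTTP_CLEARTEXT", "disable with 'no ip http server'"))
    if ("ip http server" in top or "ip http secure-server" in top) and \
            not any(p.startswith("ip http access-class") for p in top):
        findings.append(("HTTP_NO_ACL", "restrict with 'ip http access-class <acl>'"))

    for parent, children in blocks:
        if parent.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            # no restriction at all, or telnet/all still listed, both leave Telnet reachable
            if not transport or any("telnet" in t.split() or "all" in t.split() for t in transport):
                findings.append(("VTY_TELNET", f"{parent}: set 'transport input ssh'"))
        if parent.startswith("ip dhcp pool") and "lease infinite" in children:
            findings.append(("DHCP_LEASE_INFINITE", f"{parent}: addresses are never reclaimed"))

    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", p) for p in top):
        findings.append(("NO_SYSLOG", "no remote syslog destination configured"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(WEAK_CONFIG):
        print(f"{code:24} {detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Feed it the output of "show running-config" saved to a file; the checks are textual, so a device that hides commands at their default values (for example an implicit "transport input") is reported as unrestricted, which is the conservative reading.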



CISCO IOS SLB

(diagram: clients/ISP reach the VIP 192.168.20.10 on vlan20 (192.168.20.0/24, default gateway .1, IOS SLB .2); server farm WEB01TRA 192.168.10.11 and WEB02TRA 192.168.10.12 on 192.168.10.0/24)

! create server farm group
ip slb serverfarm RHG-WEB
! define internal IP of web server 1 (and enable)
real 192.168.10.11
inservice
! define internal IP of web server 2 (and enable)
real 192.168.10.12
inservice

! create server farm virtual group
ip slb vserver RHG-VIP-WEB
! define VIP to use with server farm including the protocol and port numbers
virtual 192.168.20.10 tcp www service www
! associate server farm group
serverfarm RHG-WEB
! enables server farm virtual group
inservice

! Client/Outside network VLAN
interface Vlan20
ip address 192.168.20.2 255.255.255.0

interface FastEthernet1/1
description "Uplink to the Default Gateway"
no ip address
switchport
switchport access vlan 20

ip route 0.0.0.0 0.0.0.0 192.168.20.1



! Server VLAN used for the Web Server Farm
interface Vlan10
ip address 192.168.10.1 255.255.255.0

interface FastEthernet1/2
description "Connection to Web server 1"
no ip address
switchport
switchport access vlan 10

interface FastEthernet1/3
description "Connection to Web server 2"
no ip address
switchport
switchport access vlan 10

! Commands to use for monitoring IOS SLB operations
show ip slb vserver
show ip slb serverfarm



LEGACY PROTOCOLS AND FEATURES

APPLETALK

! enable AppleTalk on Cisco IOS device
appletalk routing

interface FastEthernet1/1
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
! define appletalk address range and zone
appletalk cable-range 11219-11219 11219.97
appletalk zone Classroom 4

IPX

>> R1 <<

! enable IPX
ipx routing

! LAN facing interface
interface ethernet 0
ip address 192.168.10.1 255.255.255.0
! specify unique IPX network and encapsulation type (SAP)
ipx network 10 encapsulation sap

! WAN facing interface to R2
interface serial 0
ip address 10.1.1.1 255.255.255.0
! specify IPX network shared with R2
ipx network 100

! disable IPX RIP routing process
no ipx router rip

! enable IPX EIGRP routing for all IPX configured networks (100,10)
ipx router eigrp 1
network all

>> R2 <<

! enable IPX
ipx routing

! LAN facing interface
interface ethernet 0
ip address 192.168.20.1 255.255.255.0
! specify unique IPX network and encapsulation type (SAP)
ipx network 20 encapsulation sap



! WAN facing interface to R1
interface serial 0
ip address 10.1.1.2 255.255.255.0
! specify IPX network shared with R1
ipx network 100

! disable IPX RIP routing process
no ipx router rip

! enable IPX EIGRP routing for all IPX configured networks (100,20)
ipx router eigrp 1
network all



SECURITY SERVICES

SECURITY SERVICES ............................................................................................................................................ 143

CISCO FIREWALLS .......................................................................................................................................................144


VIRTUAL PRIVATE NETWORK (VPN) ...............................................................................................................................151
CONTENT FILTERING ....................................................................................................................................................177
SERVICES...................................................................................................................................................................178



CISCO FIREWALLS

CISCO FIREWALLS .......................................................................................................................................................144


Access Control List (ACL) ....................................................................................................................................145
Public Interface: Guest/DMZ ACL Policy .......................................................................................................................... 145
Internal Interface: Outbound ACL Policy ......................................................................................................................... 146
Public Interface: RFC1918 Filtering .................................................................................................................................. 146
Time-Based ACL ............................................................................................................................................................... 147
Black Hole (NULL) Routing ............................................................................................................................................... 147
Using Random TCP/UDP Ports ......................................................................................................................................... 148
ACL on VLAN Interface (In and Out directions) ................................................................................................................ 148
Cisco IOS Firewall ...............................................................................................................................................149
Reflexive ACL (rACL)......................................................................................................................................................... 149
Context-Based Access Control (CBAC) ............................................................................................................................. 150



ACCESS CONTROL LIST (ACL)

PUBLIC INTERFACE: GUEST/DMZ ACL POLICY

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; DMZ 192.168.11.0/24 with router .1; WAN 1.1.1.1 toward 6.7.7.0/24)

ip access-list extended public-ingress-acl
! allow the DMZ (192.168.11.x) to reach one host on the LAN (192.168.10.10); "reflect" records
! each session in the reflexive ACL so the egress ACL below can admit the return traffic
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.10 reflect reflexive-public-acl
! allow DHCP requests from DMZ hosts
permit udp any eq bootpc host 255.255.255.255 eq bootps
! block all other access from the DMZ (192.168.11.x) to the LAN (192.168.10.x). Entries are
! evaluated top-down and the first match wins, so this deny must precede the broad permits below
deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
! allow all other TCP/UDP traffic out of the DMZ and record it so the return traffic is allowed back in
permit udp any any reflect reflexive-public-acl
permit tcp any any reflect reflexive-public-acl
! all other traffic not specified will be dropped and logged.
deny ip any any log

! ACL allowing only ICMP and stateful traffic into the DMZ
ip access-list extended public-egress-acl
permit icmp any any
evaluate reflexive-public-acl
deny ip any any log

interface Vlan11
ip address 192.168.11.1 255.255.255.0
! apply ACL policy (inbound & outbound) to the DMZ interface
ip access-group public-ingress-acl in
ip access-group public-egress-acl out



INTERNAL INTERFACE: OUTBOUND ACL POLICY

(diagram: LAN 192.168.10.0/24 with router .1 and mail server .10; WAN 1.1.1.1 toward 6.7.7.0/24)

! ACL to only allow the mail server (192.168.10.10) to send SMTP; SMTP from any other host is
! denied and logged, which catches compromised hosts sending mail directly
ip access-list extended hfc-outgoing-acl
permit tcp host 192.168.10.10 any eq smtp
deny tcp any any eq smtp log
permit ip any any

interface VLAN10
ip address 192.168.10.1 255.255.255.0
! apply ACL inbound to the LAN facing interface
ip access-group hfc-outgoing-acl in

PUBLIC INTERFACE: RFC1918 FILTERING

(diagram: LAN 192.168.10.0/24 with router .1 and host .10; WAN 1.1.1.1 toward 6.7.7.0/24)

! anti-spoofing ACL: drop inbound packets whose source is a private (RFC 1918) or
! multicast/reserved address, which should never arrive from the Internet. In a wildcard
! mask a 1 bit means "don't care", so 0.15.255.255 covers 172.16.0.0-172.31.255.255 and
! 31.255.255.255 covers 224.0.0.0-255.255.255.255. Most deployments also deny 127.0.0.0/8
! and the site's own public prefix as sources.
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 permit ip any any

interface FastEthernet4
ip address 1.1.1.1 255.255.255.0
! apply ACL inbound to the WAN facing interface
ip access-group 100 in


TIME-BASED ACL

Topology: LAN 192.168.10.0/24 (router .1, host .10) | WAN 1.1.1.1 | remote network 6.7.7.0/24 | DMZ 192.168.11.0/24 (router .1)

! configure a one-time schedule starting 12/9/2009 at 10AM and ending 12/9/2009 at 12PM
time-range "lab-time"
absolute start 10:00 09 December 2009 end 12:00 09 December 2009

ip access-list extended lab-acl
! apply the time schedule to the ACL entry, allowing VNC (TCP 5800/5900) access to .10 during that schedule only
permit tcp any host 192.168.10.10 eq 5800 5900 time-range lab-time
! ACL to restrict all other access to .10
deny ip any host 192.168.10.10
! all other traffic will be allowed
permit ip any any

interface Vlan11
ip address 192.168.11.1 255.255.255.0
! apply ACL inbound to the interface
ip access-group lab-acl in

BLACK HOLE (NULL) ROUTING

! any host trying to route to any host on the 6.7.7.0 network will be dropped
ip route 6.7.7.0 255.255.255.0 null0

! any host trying to route to host 7.7.7.7 will be dropped
ip route 7.7.7.7 255.255.255.255 null0



USING RANDOM TCP/UDP PORTS

Topology: LAN 192.168.10.0/24 (router .1, host .10) | WAN 1.1.1.1 | remote network 6.7.7.0/24

! ACL listing the specific TCP ports that should be allowed to 192.168.10.10 (one entry can carry several "eq" ports)
ip access-list extended ACL-FW
permit tcp any host 192.168.10.10 eq 80 443 25

interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
! associate ACL to interface (inbound)
ip access-group ACL-FW in

ACL ON VLAN INTERFACE (IN AND OUT DIRECTIONS)

Topology: VLAN10 192.168.10.0/24 (router .1, host .10)

! Inbound ACL used for the VLAN10 interface
ip access-list extended RHG-VLAN10-ACL-IN
permit ip host 192.168.10.10 192.168.11.0 0.0.0.255

! Outbound ACL used for the VLAN10 interface
ip access-list extended RHG-VLAN10-ACL-OUT
permit tcp 192.168.11.0 0.0.0.255 host 192.168.10.10 eq 80

interface Vlan10
ip address 192.168.10.1 255.255.255.0
! inbound ACL applied
ip access-group RHG-VLAN10-ACL-IN in
! outbound ACL applied
ip access-group RHG-VLAN10-ACL-OUT out



CISCO IOS FIREWALL

Topology: LAN 192.168.10.0/24 (router .1, host .10) | WAN Serial0/0 1.1.1.1, published server address 1.1.1.10 | remote network 6.7.7.0/24

REFLEXIVE ACL (RACL)

ip reflexive-list timeout 120

ip access-list extended egress-acl
! specifies what traffic we want stateful to be allowed back in
permit icmp any any reflect reflexive-acl
permit tcp any any reflect reflexive-acl
permit udp any any reflect reflexive-acl
! specifies what traffic we want to allow out of our firewall
permit gre any any
permit esp any any

ip access-list extended ingress-acl
! restrict any host using a private IP address into the network
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
! specifies what traffic should be permitted through the firewall
permit tcp any host 1.1.1.10 eq smtp
permit tcp any host 1.1.1.10 eq 443
permit tcp any host 1.1.1.10 eq www
permit icmp any any echo-reply
permit udp any host 1.1.1.1 eq isakmp
permit udp any host 1.1.1.1 eq 4500
permit esp any host 1.1.1.1
permit udp host 6.7.7.8 any eq snmp
permit tcp any eq ftp-data any
! specifies that all stateful traffic coming back into the firewall will be permitted
evaluate reflexive-acl
! all other traffic not specified will be dropped and logged.
deny ip any any log

interface Serial0/0
ip address 1.1.1.1 255.255.255.0
! apply RACL stateful firewall policies on the WAN facing interface
ip access-group ingress-acl in
ip access-group egress-acl out
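The following is an added example, not code from the guide or from Cisco: a small Python model of how IOS evaluates the extended ACLs in the DMZ section (public-ingress-acl / public-egress-acl), the time-based section (lab-acl) and the reflexive ACL firewall above. It models wildcard-mask matching, first-match ordering with the implicit deny, the reflect/evaluate pair with the "ip reflexive-list timeout", and an absolute time-range; the packets and the clock value are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # proto: "tcp"/"udp"/"icmp"

def parse_addr(spec: str) -> tuple[int, int]:
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (base, wildcard) as ints."""
    t = spec.split()
    if t[0] == "any":
        return 0, 0xFFFFFFFF
    base, wild = (t[1], "0.0.0.0") if t[0] == "host" else (t[0], t[1])
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))

def wildcard_match(addr: str, base: int, wildcard: int) -> bool:
    # IOS wildcard semantics: a 1 bit in the mask means "do not care"
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

@dataclass
class Ace:
    action: str                      # "permit", "deny" or "evaluate"
    proto: str                       # "ip" matches every protocol
    src: str
    dst: str
    sport: frozenset = frozenset()   # 'eq' port list; empty = any port
    dport: frozenset = frozenset()
    reflect: str = ""                # reflexive list name for reflect/evaluate
    time_range: tuple = ()           # (absolute start, absolute end) datetimes

    def matches(self, pkt: Packet, now: datetime) -> bool:
        active = not self.time_range or self.time_range[0] <= now <= self.time_range[1]
        return (active and self.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, *parse_addr(self.src))
                and wildcard_match(pkt.dst, *parse_addr(self.dst))
                and (not self.sport or pkt.sport in self.sport)
                and (not self.dport or pkt.dport in self.dport))

@dataclass
class ReflexiveState:  # temporary entries created by 'reflect', consumed by 'evaluate'
    timeout: int = 120               # 'ip reflexive-list timeout 120'
    entries: dict = field(default_factory=dict)   # name -> {mirrored 5-tuple: expiry}

    def add(self, name: str, pkt: Packet, now: datetime) -> None:
        mirrored = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries.setdefault(name, {})[mirrored] = now + timedelta(seconds=self.timeout)

    def allows(self, name: str, pkt: Packet, now: datetime) -> bool:
        expiry = self.entries.get(name, {}).get((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return expiry is not None and now <= expiry

def evaluate_acl(acl: list, pkt: Packet, state: ReflexiveState, now: datetime) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.action == "evaluate":         # only ever permits a known session
            if state.allows(ace.reflect, pkt, now):
                return "permit"
            continue
        if ace.matches(pkt, now):
            if ace.action == "permit" and ace.reflect:
                state.add(ace.reflect, pkt, now)
            return ace.action
    return "deny"

PUBLIC_INGRESS = [  # the guide's public-ingress-acl, transcribed
    Ace("permit", "ip", "192.168.11.0 0.0.0.255", "host 192.168.10.10", reflect="reflexive-public-acl"),
    Ace("permit", "udp", "any", "host 255.255.255.255", sport=frozenset({68}), dport=frozenset({67})),
    Ace("deny", "ip", "192.168.11.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
    Ace("permit", "udp", "any", "any", reflect="reflexive-public-acl"),
    Ace("permit", "tcp", "any", "any", reflect="reflexive-public-acl"),
    Ace("deny", "ip", "any", "any"),
]
PUBLIC_EGRESS = [  # the guide's public-egress-acl
    Ace("permit", "icmp", "any", "any"),
    Ace("evaluate", "ip", "any", "any", reflect="reflexive-public-acl"),
    Ace("deny", "ip", "any", "any"),
]
LAB_TIME = (datetime(2009, 12, 9, 10, 0), datetime(2009, 12, 9, 12, 0))
LAB_ACL = [  # the guide's lab-acl with its time-range
    Ace("permit", "tcp", "any", "host 192.168.10.10", dport=frozenset({5800, 5900}), time_range=LAB_TIME),
    Ace("deny", "ip", "any", "host 192.168.10.10"),
    Ace("permit", "ip", "any", "any"),
]

def demo() -> dict:
    t0 = datetime(2009, 12, 9, 11, 0)                  # constructed time inside lab-time
    st = ReflexiveState(timeout=120)
    reply = Packet("tcp", "6.7.7.8", "192.168.11.20", 443, 40002)   # return leg of dmz_to_internet
    vnc = Packet("tcp", "192.168.11.20", "192.168.10.10", 40003, 5900)
    return {  # evaluated in order, so the reflexive entry exists when the replies are checked
        "dmz_to_allowed_lan_host": evaluate_acl(PUBLIC_INGRESS, Packet("tcp", "192.168.11.20", "192.168.10.10", 40000, 80), st, t0),
        "dmz_to_other_lan_host": evaluate_acl(PUBLIC_INGRESS, Packet("tcp", "192.168.11.20", "192.168.10.50", 40001, 445), st, t0),
        "dmz_to_internet": evaluate_acl(PUBLIC_INGRESS, Packet("tcp", "192.168.11.20", "6.7.7.8", 40002, 443), st, t0),
        "reply_within_timeout": evaluate_acl(PUBLIC_EGRESS, reply, st, t0 + timedelta(seconds=60)),
        "reply_after_timeout": evaluate_acl(PUBLIC_EGRESS, reply, st, t0 + timedelta(seconds=121)),
        "unsolicited_into_dmz": evaluate_acl(PUBLIC_EGRESS, Packet("tcp", "6.7.7.8", "192.168.11.20", 12345, 22), st, t0),
        "vnc_in_window": evaluate_acl(LAB_ACL, vnc, st, t0),
        "vnc_out_of_window": evaluate_acl(LAB_ACL, vnc, st, t0 + timedelta(hours=2)),
    }
```

The reply that arrives after the 120-second idle timeout is dropped by the same "deny ip any any" that drops unsolicited traffic, which is why the reflexive timeout, not the ACL order, decides how long a quiet session stays open.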


CONTEXT-BASED ACCESS CONTROL (CBAC)

! specifies what traffic we want stateful to be allowed back in
ip inspect name FW http timeout 3600
ip inspect name FW ftp timeout 3600
ip inspect name FW rcmd timeout 3600
ip inspect name FW realaudio timeout 3600
ip inspect name FW esmtp timeout 3600
ip inspect name FW tftp timeout 30
ip inspect name FW tcp timeout 3600
ip inspect name FW udp timeout 15
ip inspect name FW h323 timeout 3600
ip inspect name FW snmp timeout 3600

ip access-list extended ingress-acl
! restrict any host using a private IP address into the network
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
! specifies what traffic should be permitted through the firewall
permit tcp any host 1.1.1.10 eq smtp
permit tcp any host 1.1.1.10 eq 443
permit tcp any host 1.1.1.10 eq www
permit icmp any any echo-reply
permit udp any host 1.1.1.1 eq isakmp
permit udp any host 1.1.1.1 eq 4500
permit esp any host 1.1.1.1
permit udp host 6.7.7.8 any eq snmp
permit tcp any eq ftp-data any
! all other traffic not specified will be dropped and logged.
deny ip any any log

interface Serial0/0
ip address 1.1.1.1 255.255.255.0
! apply CBAC stateful firewall policies on the WAN facing interface
ip access-group ingress-acl in
ip inspect FW out


VIRTUAL PRIVATE NETWORK (VPN)

VIRTUAL PRIVATE NETWORK (VPN) 151
IPSec VPN 152
  Site-Based VPN using Cisco IOS 152
  Tunnel End-Point Discovery (TED), One-Way Site VPN using Cisco IOS 154
  VPN-on-a-Stick (Cisco IOS) 156
  IPSec over GRE 158
  Monitor 160
DMVPN 161
  DMVPN Hub 161
  DMVPN Spoke 162
  Monitor 163
  Using DMVPN and IPSec VPN Tunnels 163
GET VPN 167
  Key Server (Primary) 167
  Key Server (Secondary) 168
  Group Members 169
  Monitor 170
EZVPN 171
  EZVPN for Client VPN 171
SSL VPN 173
  WebVPN using SVC (Tunnel Mode) 173
  Clientless SSL VPN 174
  Monitor 175
VPDN 176
  PPTP 176



IPSEC VPN

SITE-BASED VPN USING CISCO IOS

Topology: SITE1 LAN 192.168.10.0/24 (router .1, WAN 1.1.1.1) <-> SITE2 (WAN 2.2.2.2, router .1) LAN 192.168.20.0/24

>> SITE1 <<

! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key and VPN peer (2.2.2.2)
crypto isakmp key ciscokey address 2.2.2.2

! IPSec transform policy
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac

! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

! configure IPSec policy using ISAKMP
crypto map VPN 10 ipsec-isakmp
! specify IP of other VPN peer
set peer 2.2.2.2
! associate IPSec transform policy
set transform-set ipsec-ts
set pfs group2
! associate ACL to IPsec policy
match address 112

! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any

! no NAT ACL applied to PAT configuration
ip nat inside source list 110 pool NATPOOL overload

! no NAT ACL applied to route map
route-map no-NAT permit 10
match ip address 110

! no NAT route-map (with ACL) applied to NAT port redirect configuration
ip nat inside source static tcp 192.168.10.10 25 1.1.1.10 25 route-map no-NAT extendable

! LAN interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0



! WAN interface
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
! apply IPSec VPN policy
crypto map VPN

>> SITE2 <<

! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key and VPN peer (1.1.1.1)
crypto isakmp key ciscokey address 1.1.1.1

! IPSec transform policy
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac

! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! configure IPSec policy using ISAKMP
crypto map VPN 10 ipsec-isakmp
! specify IP of other VPN peer
set peer 1.1.1.1
! associate IPSec transform policy
set transform-set ipsec-ts
set pfs group2
! associate ACL to IPsec policy
match address 112

! LAN subnets at Site #2 communicating with LAN subnets at Site #1 will not use NAT
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any

! no NAT ACL applied to PAT configuration
ip nat inside source list 110 pool NATPOOL overload

! LAN interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

! WAN interface
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
! apply IPSec VPN policy
crypto map VPN



TUNNEL END-POINT DISCOVERY (TED), ONE-WAY SITE VPN USING CISCO IOS

.1 1.1.1.1 2.2.2.2 .1

192.168.10.0 /24 192.168.20.0 /24

Notes:
- the other VPN device (SITE2) initiates the VPN connection to this VPN device (the SITE1 router)
- the VPN can only be initiated from SITE2 to SITE1; it is not possible from SITE1

>> SITE1 <<

! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key accepted from any VPN peer
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0

! IPSec transform policy
crypto ipsec transform-set RHG-TS-3DES-MD5 esp-3des esp-md5-hmac

! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

! create dynamic policy and associate IPSec transform policy
crypto dynamic-map RHG-DMAP-VPN 10
set transform-set RHG-TS-3DES-MD5
match address 112

! create IPSec policy associating the dynamic policy
crypto map RHG-VPN 10 ipsec-isakmp dynamic RHG-DMAP-VPN

! LAN interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0

! WAN interface
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
! apply IPSec VPN policy
crypto map RHG-VPN



>> SITE2 <<
! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key and VPN peer (1.1.1.1)
crypto isakmp key Cisco123 address 1.1.1.1

! IPSec transform policy
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac

! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! configure IPSec policy using ISAKMP
crypto map VPN 10 ipsec-isakmp
! specify IP of other VPN peer
set peer 1.1.1.1
! associate IPSec transform policy
set transform-set ipsec-ts
set pfs group2
! associate ACL to IPsec policy
match address 112

! LAN subnets at Site #2 communicating with LAN subnets at Site #1 will not use NAT
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any

! no NAT ACL applied to PAT configuration
ip nat inside source list 110 pool NATPOOL overload

! LAN interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

! WAN interface
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
! apply IPSec VPN policy
crypto map VPN

>> MONITOR <<

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active



VPN-ON-A-STICK (CISCO IOS)

Topology: Site #1 ASA (WAN 1.1.1.1, LAN 192.168.10.0/24 .1) <-> INET <-> Site #2 edge router/FW (WAN 1.2.2.1, LAN 192.168.20.0/24 .1); public address 1.2.2.2 is statically translated to the VPN-on-a-stick device (Cisco 871) at 192.168.20.2

>> CISCO 871 (VPN on a stick device) <<

hostname VPN-ON-A-STICK

! define ISAKMP policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

! define ISAKMP key and VPN peer (1.1.1.1)
crypto isakmp key Cisco123 address 1.1.1.1

! define IPSec transform policy
crypto ipsec transform-set RHG-TS-3DES-MD5 esp-3des esp-md5-hmac

! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! configure IPSec policy using ISAKMP
crypto map RHG-VPN 10 ipsec-isakmp
! specify IP of other VPN peer
set peer 1.1.1.1
! associate IPSec transform policy
set transform-set RHG-TS-3DES-MD5
! associate ACL to IPsec policy
match address 101

! interface connected directly to the LAN
interface FastEthernet4
ip address 192.168.20.2 255.255.255.0
! apply IPSec VPN policy
crypto map RHG-VPN

! default gateway pointing to the EDGE ROUTER/FW connected to the Internet
ip route 0.0.0.0 0.0.0.0 192.168.20.1



>> EDGE ROUTER <<
! static NAT translation with a new Public IP mapped to the IP configured on the Cisco 871
ip nat inside source static 192.168.20.2 1.2.2.2 extendable

! ACL configured to allow all ISAKMP (UDP/500) and ESP traffic to the VPN router (871)
ip access-list extended ingress-acl
permit udp any host 1.2.2.2 eq 500
permit esp any host 1.2.2.2

! WAN facing interface
interface FastEthernet0/0
ip address 1.2.2.1 255.255.255.0
! ACL applied
ip access-group ingress-acl in
! NAT for WAN interface enabled
ip nat outside

! LAN facing interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
! NAT for LAN interface enabled
ip nat inside

! static route of VPN Site #1 subnet routing through the VPN router (871)
ip route 192.168.10.0 255.255.255.0 192.168.20.2

>> ASA <<

! WAN facing interface
interface Ethernet0/0
nameif RHG-WAN
security-level 0
ip address 1.1.1.1 255.255.255.0

! LAN facing interface
interface Ethernet0/1
nameif RHG-LAN
security-level 100
ip address 192.168.10.1 255.255.255.0

! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! no NAT ACL applied to NAT configuration
nat (RHG-LAN) 0 access-list ACL-NONAT

! define ISAKMP policy & enable on WAN facing interface
crypto isakmp identity address
crypto isakmp enable RHG-WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400



! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list ACL-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! IPSec transform policy referenced by the crypto map (matches the 3DES/MD5 transform set on the Cisco 871)
crypto ipsec transform-set RHG-TS-VPN esp-3des esp-md5-hmac

! configure IPSec policy using ISAKMP
crypto map RHG-VPN 10 match address ACL-VPN
crypto map RHG-VPN 10 set peer 1.2.2.2
crypto map RHG-VPN 10 set transform-set RHG-TS-VPN
crypto map RHG-VPN interface RHG-WAN

! configures tunnel group for VPN peer at Site #2
tunnel-group 1.2.2.2 type ipsec-l2l
tunnel-group 1.2.2.2 ipsec-attributes
! specify the shared key to use
pre-shared-key Cisco123

IPSEC OVER GRE

Topology: SITE1 (R1) LAN 192.168.10.0/24 (router .1, WAN 1.1.1.1) <-> SITE2 (R2) (WAN 2.2.2.2, router .1) LAN 192.168.20.0/24; GRE tunnel 10.1.1.0/30 between the WAN addresses

>> SITE1 <<

! ISAKMP policy configuration
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

! Shared key configured for R2
crypto isakmp key cisco123 address 2.2.2.2

! IPSec framework protocol configuration using ESP
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac

! Extended ACL defining what traffic will be encrypted (which will be the GRE tunnel)
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2

! IPSec policy configuration
crypto map VPN 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS-3DES-SHA
match address 100

! GRE interface that terminates from the WAN interface to R2
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
ip mtu 1412
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination 2.2.2.2
! VPN configuration enabled
crypto map VPN

! WAN facing interface
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
! VPN configuration enabled
crypto map VPN

! LAN facing interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0

! EIGRP routing process
router eigrp 1
network 192.168.10.0
network 10.1.1.0 0.0.0.3
no auto-summary

>> SITE2 <<

! ISAKMP policy configuration
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

! Shared key configured for R1
crypto isakmp key cisco123 address 1.1.1.1

! IPSec framework protocol configuration using ESP
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac

! Extended ACL defining what traffic will be encrypted (which will be the GRE tunnel)
access-list 100 permit gre host 2.2.2.2 host 1.1.1.1

! IPSec policy configuration
crypto map VPN 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set TS-3DES-SHA
match address 100

! GRE interface that terminates from the WAN interface to R1
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
ip mtu 1412
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination 1.1.1.1
! VPN configuration enabled
crypto map VPN

! WAN facing interface
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
! VPN configuration enabled
crypto map VPN

! LAN facing interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

! EIGRP routing process
router eigrp 1
network 192.168.20.0
network 10.1.1.0 0.0.0.3
no auto-summary
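The Site-Based VPN and IPSec over GRE configurations above both depend on each site's crypto ACL being the exact reverse of its peer's (ACL 112 at SITE1 versus SITE2, ACL 100 for the GRE endpoints); a mismatch shows up as a proxy-ID failure in phase 2 or as a tunnel that only passes traffic one way. The following is an added example, not code from the guide, that checks two sites' crypto ACL lines for that mirror property; the ACL lines are the guide's, and the /16 mismatch is constructed.

```python
def _addr(tokens: list) -> tuple:
    """Consume one address spec ('any' | 'host A' | 'A W'); return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_crypto_ace(line: str) -> tuple:
    """'[access-list N] permit PROTO SRC DST' -> (action, proto, src, dst).
    Port qualifiers ('eq ...') are not modelled; crypto ACLs normally carry none."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                      # drop 'access-list <number>' of a numbered ACL
    action, proto, rest = t[0], t[1], t[2:]
    src, rest = _addr(rest)
    dst, _ = _addr(rest)
    return action, proto, src, dst

def mirror(ace: tuple) -> tuple:
    """The entry the peer must have: same action and protocol, source and destination swapped."""
    action, proto, src, dst = ace
    return action, proto, dst, src

def unmirrored(site1: list, site2: list) -> list:
    """Entries on either side whose exact mirror image is missing on the other side."""
    s1 = {parse_crypto_ace(l) for l in site1 if l.strip() and not l.lstrip().startswith("!")}
    s2 = {parse_crypto_ace(l) for l in site2 if l.strip() and not l.lstrip().startswith("!")}
    return ([f"SITE1 {a} has no mirror at SITE2" for a in sorted(s1) if mirror(a) not in s2]
            + [f"SITE2 {a} has no mirror at SITE1" for a in sorted(s2) if mirror(a) not in s1])

# Crypto ACLs from the guide (Site-Based VPN, IPSec over GRE) plus one constructed mismatch.
SITE1_LAN = ["access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"]
SITE2_LAN = ["access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255"]
SITE2_WRONG = ["access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255"]  # constructed: /16, not /24
SITE1_GRE = ["access-list 100 permit gre host 1.1.1.1 host 2.2.2.2"]
SITE2_GRE = ["access-list 100 permit gre host 2.2.2.2 host 1.1.1.1"]

if __name__ == "__main__":
    for label, a, b in (("LAN", SITE1_LAN, SITE2_LAN), ("LAN-bad", SITE1_LAN, SITE2_WRONG), ("GRE", SITE1_GRE, SITE2_GRE)):
        print(label, unmirrored(a, b) or "mirrored")
```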

MONITOR

show crypto isakmp sa
show crypto ipsec sa


DMVPN

Topology: DMVPN hub (WAN 1.1.1.1, Tunnel0 10.1.1.1, LAN 192.168.10.0/24) <-> INET <-> DMVPN spoke (WAN 2.2.2.2, Tunnel0 10.1.1.2, LAN 192.168.20.0/24)

DMVPN HUB

! specify key that any spoke can use for connecting with the DMVPN hub router
crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key RHGauth

! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! IPSec transform policy
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac
! specify IPSec mode to be "transport"
mode transport

! ISAKMP profile
crypto isakmp profile dmvpn-isakmp
! associate configured keyring profile
keyring dmvpnspokes
! allow any spoke using the correct security key to connect to this DMVPN hub router
match identity address 0.0.0.0

! IPSec profile
crypto ipsec profile dmvpn
set security-association lifetime seconds 120
! associate IPSec transform policy
set transform-set ipsec-ts
! associate ISAKMP profile
set isakmp-profile dmvpn-isakmp

! configure GRE tunnel interface
interface Tunnel0
! IP address configured for interface
ip address 10.1.1.1 255.255.255.0
no ip redirects
! define required MTU size
ip mtu 1412
! NHRP config for DMVPN hub router to allow dynamic connections from spokes
ip nhrp authentication RHGauth
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300



! define MSS size
ip tcp adjust-mss 1360
! specify which interface the VPN tunnel should be established with
tunnel source FastEthernet4
! support multipoint connections between multiple spokes
tunnel mode gre multipoint
tunnel key 0
! associate IPSec profile to tunnel interface by activating DMVPN
tunnel protection ipsec profile dmvpn

! static route for a DMVPN Spoke's subnet via 10.1.1.2 (IP on Tunnel interface for DMVPN spoke)
ip route 192.168.20.0 255.255.255.0 10.1.1.2

DMVPN SPOKE

! ISAKMP policy matching DMVPN hub
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key matching what is configured on the DMVPN hub (and other remote sites)
crypto isakmp key RHGauth address 0.0.0.0 0.0.0.0
crypto isakmp xauth timeout 45

! IPSec transform policy
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac
mode transport

! configure IPSec profile
crypto ipsec profile dmvpn
set security-association lifetime seconds 120
! associate IPSec transform policy
set transform-set ipsec-ts

! configure GRE tunnel interface
interface Tunnel0
! unique IP address configured for interface
ip address 10.1.1.2 255.255.255.0
no ip redirects
! define required MTU size
ip mtu 1412
! NHRP config for DMVPN spoke for connecting with hub router and dynamically with other spokes
ip nhrp authentication RHGauth
ip nhrp map multicast dynamic
! specify the Tunnel interface IP and public IP on DMVPN hub router
ip nhrp map 10.1.1.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.1.1.1
ip nhrp cache non-authoritative
! define MSS size
ip tcp adjust-mss 1360
! specify which interface the VPN tunnel should be established with
tunnel source FastEthernet4



! support multipoint connections between DMVPN hub and spokes
tunnel mode gre multipoint
tunnel key 0
! associate IPSec profile to tunnel interface by activating DMVPN
tunnel protection ipsec profile dmvpn

! static route for DMVPN Hub subnet via 10.1.1.1 (IP on Tunnel interface for DMVPN hub)
ip route 192.168.10.0 255.255.255.0 10.1.1.1

MONITOR

>> DMVPN Hub

show ip nhrp
show ip nhrp multicast

>> DMVPN Spoke

show ip nhrp nhs
show ip nhrp
show ip nhrp multicast

USING DMVPN AND IPSEC VPN TUNNELS

Topology:
HQ: DMVPN and IPSec VPN ; LAN: 192.168.10.0/24, WAN: 10.1.1.1 (for DMVPN)
S1: DMVPN; LAN: 192.168.20.0/24, WAN: 10.1.1.2 (for DMVPN)
S2: DMVPN; LAN: 192.168.30.0/24, WAN: 10.1.1.3 (for DMVPN)
S3: IPSec VPN; LAN: 192.168.40.0/24



>> HQ: General VPN and Interface configuration

! LAN facing interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp

! WAN facing interface
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp

! ISAKMP policies
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp policy 20
encr aes
authentication pre-share
group 2
lifetime 28800

>> HQ: DMVPN configuration <<

! Keyring used for DMVPN configuration
crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123

! ISAKMP profile for DMVPN configuration
crypto isakmp profile dmvpn-isakmp
keyring dmvpnspokes
! only match IPs for the actual DMVPN routers, not the IPSec VPN routers
match identity address 1.2.1.1 255.255.255.255
match identity address 1.3.1.1 255.255.255.255

! IPSec transform set for DMVPN configuration (defined before the profile that references it)
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac
mode transport

! IPSec profile for DMVPN configuration
crypto ipsec profile dmvpn
set security-association lifetime seconds 120
set transform-set ipsec-ts
set isakmp-profile dmvpn-isakmp



! DMVPN tunnel interface configuration
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip mtu 1412
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile dmvpn

! static routes to remote sites (S1 & S2) using DMVPN tunnels
ip route 192.168.20.0 255.255.255.0 10.1.1.2
ip route 192.168.30.0 255.255.255.0 10.1.1.3

>> HQ: static IPSec VPN configuration

! ISAKMP key used for static IPSec tunnel
crypto isakmp key cisco123 address 1.4.1.1 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 10
crypto isakmp xauth timeout 45

! IPSec transform set for static IPsec VPN configuration
crypto ipsec transform-set ipsec-ts2 esp-3des esp-sha-hmac

! ACL used for static IPSec VPN policy
ip access-list extended ACL-IPSEC-VPN
permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255

! IPSec policy for static IPSec tunnel
crypto map vpnmap 5 ipsec-isakmp
set peer 1.4.1.1
set transform-set ipsec-ts2
set pfs group2
match address ACL-IPSEC-VPN

! WAN facing interface
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
! apply IPSec VPN policy
crypto map vpnmap



>> Other Sites <<
! S1 and S2 will have standard DMVPN configuration pointing to the HQ site
! S3 will have standard IPSec VPN configuration pointing to the HQ site



GET VPN

KS2
.2

WAN .4
10.1.1.0 /24 S1
KS1 .1
10.2.2.0 /24
.3

H
10.2.1.0 /24

KEY SERVER (PRIMARY)

! IP configured on key server connected into the IP WAN
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0

! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key shared with each group member and key server on the IP WAN
crypto isakmp key cisco123 address 10.1.1.2
crypto isakmp key cisco123 address 10.1.1.3
crypto isakmp key cisco123 address 10.1.1.4

! IPSec transform policy
crypto ipsec transform-set GVPN-TS esp-3des esp-sha-hmac

! IPSec profile
crypto ipsec profile gdoi-profile-gvpn1
set security-association lifetime seconds 1800
! associate IPSec transform policy
set transform-set GVPN-TS

! ACL specifying what traffic will be encrypted using GET VPN
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255



! GDOI policy
crypto gdoi group gvpn1
! specify the ID number (1) that will be shared with all key server and group members
identity number 1
server local
rekey lifetime seconds 10800
rekey retransmit 10 number 2
! rekey messages are signed with the RSA key pair labelled gvpn1-export-general, which must already exist on this router (generated exportable so the secondary key server can hold the same pair)
rekey authentication mypubkey rsa gvpn1-export-general
rekey transport unicast
! associate IPSec profile and ACL to GDOI
sa ipsec 1
profile gdoi-profile-gvpn1
match address ipv4 101
replay counter window-size 64
! specify the source IP that will be used to identify this key server router
address ipv4 10.1.1.1
! enable key server redundancy
redundancy
! make this the primary key server (higher priority value)
local priority 10
! specify IP of the other key server router (secondary)
peer address ipv4 10.1.1.2

KEY SERVER (SECONDARY)

! IP configured on secondary key server connected into the IP WAN
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0

! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key shared with each group member and key server on the IP WAN
crypto isakmp key cisco123 address 10.1.1.1
crypto isakmp key cisco123 address 10.1.1.3
crypto isakmp key cisco123 address 10.1.1.4

! IPSec transform policy
crypto ipsec transform-set GVPN-TS esp-3des esp-sha-hmac

! IPSec profile
crypto ipsec profile gdoi-profile-gvpn1
set security-association lifetime seconds 1800
! associate IPSec transform policy
set transform-set GVPN-TS

! ACL specifying what traffic will be encrypted using GET VPN
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255



! GDOI policy
crypto gdoi group gvpn1
! specify the ID number (1) that will be shared with all key server and group members
identity number 1
server local
rekey lifetime seconds 10800
rekey retransmit 10 number 2
! must be the same RSA key pair as on the primary key server so group members can verify rekeys from either server
rekey authentication mypubkey rsa gvpn1-export-general
rekey transport unicast
! associate IPSec profile and ACL to GDOI
sa ipsec 1
profile gdoi-profile-gvpn1
match address ipv4 101
replay counter window-size 64
! specify the source IP that will be used to identify this key server router
address ipv4 10.1.1.2
! enable key server redundancy
redundancy
! make this the secondary key server (lower priority value than the primary)
local priority 1
! specify IP of the other key server router (primary)
peer address ipv4 10.1.1.1

GROUP MEMBERS

! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

! ISAKMP key shared with each key server on the IP WAN
crypto isakmp key cisco123 address 10.1.1.1
crypto isakmp key cisco123 address 10.1.1.2

! GDOI policy
crypto gdoi group gvpn1
! specify the same ID number (1) configured on the key servers
identity number 1
! specify the IP for each key server on the IP WAN
server address ipv4 10.1.1.1
server address ipv4 10.1.1.2

! IPSec policy enabled for GDOI
crypto map vpn 10 gdoi
! associate GDOI policy to IPSec policy
set group gvpn1

! WAN facing interface connected into the IP WAN
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
! enable GET VPN on interface
crypto map vpn


MONITOR

>>KEY SERVER<<
show crypto gdoi ks
show crypto isakmp sa
show crypto gdoi group <gdoi-group>
show crypto gdoi ks members
show crypto gdoi ks policy
show crypto gdoi ks acl

>>GROUP MEMBER<<
show crypto isakmp sa
show crypto gdoi group <gdoi-group>

EZVPN

EZVPN FOR CLIENT VPN

[Topology diagram: router WAN interface .1 = 1.1.1.1; LAN 192.168.10.0/24; VPN client pool 192.168.100.0/24]

! local account used for client VPN login
username user1 password cisco123

aaa new-model
! EZVPN client users will be authenticated & authorized against the local user database
aaa authentication login userauthen local
aaa authorization network groupauthor local

! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool routehub-pool 192.168.100.10 192.168.100.50

! ACL that specifies what networks can be accessed across the VPN tunnel once established
ip access-list extended split-tunnel-acl
permit ip 192.168.10.0 0.0.0.255 any

! ACL that specifies that the LAN and VPN subnet should not use NAT
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
! all other communication from the LAN will use NAT
access-list 110 permit ip 192.168.10.0 0.0.0.255 any

! route map that matches the NAT ACL
route-map no-NAT permit 10
match ip address 110

! route map associated to NAT so that LAN-to-VPN-subnet traffic is exempt from NAT/PAT
ip nat inside source route-map no-NAT interface FastEthernet1 overload

! client VPN profile
! specifies the Group Authentication Name (routehubvpn) for the VPN client program
crypto isakmp client configuration group routehubvpn
! specifies the "Group Authentication Password" needed for the VPN client program
key routehub-key
! specify DNS servers to assign to VPN users
dns 192.168.10.10 4.2.2.2
! specify the domain name to use for VPN users
domain RouteHub.local
! associates address pool for VPN users
pool routehub-pool
! associates split tunnel ACL for what networks VPN users can access
acl split-tunnel-acl

! ISAKMP profile tying the client group to the AAA authentication and authorization lists
crypto isakmp profile VPNclient
match identity group routehubvpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond

! configure IPSec transform policy
crypto ipsec transform-set 3des esp-3des esp-sha-hmac

! dynamic IPSec policy associating the transform and ISAKMP policies
crypto dynamic-map ezvpn 10
set transform-set 3des
set isakmp-profile VPNclient
reverse-route

! IPSec policy associating the dynamic map policy used for EZVPN
crypto map ezvpn 1 ipsec-isakmp dynamic ezvpn

interface FastEthernet1
! associate IPSec policy to WAN facing interface
crypto map ezvpn

SSL VPN

WEBVPN USING SVC (TUNNEL MODE)

[Topology diagram: router WAN interface .1 = 1.1.1.1; LAN 192.168.10.0/24; SSL VPN client pool 192.168.100.0/24]

! local account used for client VPN login
username user1 password cisco123

aaa new-model
! SSL VPN client users will be authenticated against the local user database
aaa authentication login RHG-AAA-SSL local

! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool RHG-POOL-VPN 192.168.100.30 192.168.100.50

webvpn gateway gateway_1
! enable SSL VPN on WAN facing interface using port TCP/443
ip address 1.1.1.1 port 443
! automatically redirect to TCP/443 if the WAN IP (e.g. 1.1.1.1) is accessed via port TCP/80
http-redirect port 80
! activates SSL VPN service and creates SSL certificates
inservice

! specify the SVC file located on the flash
webvpn install svc flash:/webvpn/svc.pkg

! configure portal page to include the logo (located in flash) and colors on the web page
webvpn context routehub
title "RouteHub SSL VPN"
logo file logo_routehub.gif
title-color #669999
secondary-color white
text-color black
ssl authenticate verify all

! specify message shown to VPN users on the login page
login-message "RouteHub Group Use Only"

policy group policy_1
! enable SVC (tunnel mode) support
functions svc-enabled
! specify message for VPN users once logged in
banner " RouteHub Group Use Only!"
! specify the VPN address pool that will be assigned to the VPN users
svc address-pool "RHG-POOL-VPN"
svc keep-client-installed
! specifies what networks can be accessed across the SSL VPN tunnel once established
svc split include 192.168.10.0 255.255.255.0

! specify the DNS servers that will be assigned to the users
svc dns-server primary 4.2.2.2
svc dns-server secondary 4.2.2.3

default-group-policy policy_1
! associate AAA authentication to SSL VPN profile
aaa authentication list RHG-AAA-SSL
! associate the context with the gateway; the domain sets the URL path VPN users browse to (https://1.1.1.1/routehub.local)
gateway gateway_1 domain routehub.local
inservice

CLIENTLESS SSL VPN

[Topology diagram: router WAN interface .1 = 1.1.1.1; LAN 192.168.10.0/24; Internet side 6.7.7.0/24]

! local account used for client VPN login
username user1 password cisco123

aaa new-model
! SSL VPN users will be authenticated against the local user database on the router
aaa authentication login RHG-AAA-SSL local

webvpn gateway gateway_1
! enable SSL VPN on WAN facing interface using port TCP/443
ip address 1.1.1.1 port 443
! automatically redirect to TCP/443 if the WAN IP (e.g. 1.1.1.1) is accessed via port TCP/80
http-redirect port 80
! activates SSL VPN service and creates SSL certificates
inservice

! configure portal page to include the logo (located in flash) and colors on the web page
webvpn context routehub
title "RouteHub SSL VPN"
logo file logo_routehub.gif
title-color #669999
secondary-color white
text-color black
ssl authenticate verify all

! create URL list for Clientless VPN
url-list "RHG-VPN-URL"
heading "ROUTEHUB URL LIST"
! specify HTTP URL
url-text "RHG SRV1 (HTTP)" url-value "http://192.168.10.10"

! create port forwarding list for Clientless VPN
port-forward "RHG-VPN-PF"
! the VPN client listens on local port 5010 and forwards it to HTTPS (TCP/443) on the internal server 192.168.10.10
local-port 5010 remote-server "192.168.10.10" remote-port 443 description "RHG SRV1 HTTPS"
! the VPN client listens on local port 5011 and forwards it to SSH (TCP/22) on the internal server 192.168.10.10
local-port 5011 remote-server "192.168.10.10" remote-port 22 description "RHG SRV1 SSH"

policy group ROUTEHUB
! associate URL list to SSL VPN policy
url-list "RHG-VPN-URL"
! associate port forwarding list to SSL VPN policy
port-forward "RHG-VPN-PF" auto-download
! specify message for VPN users once logged in
banner " RouteHub Group Use Only!"

default-group-policy ROUTEHUB
! associate AAA authentication to SSL VPN profile
aaa authentication list RHG-AAA-SSL
! specify the gateway policy to use
gateway gateway_1
inservice

MONITOR

show webvpn context
show webvpn context <context-name>
show webvpn gateway
show webvpn gateway <gateway-name>
show webvpn session context <context-name>
show webvpn session user <username> context <context-name>
show webvpn stats
show webvpn stats httpauth
show webvpn stats tunnel
show webvpn stats sockets
show webvpn policy group <group-name> context <context-name>
VPDN

PPTP

[Topology diagram: router WAN interface .1 = 1.1.1.1; LAN 192.168.10.0/24; PPTP client pool 192.168.100.0/24]

! create user account for PPTP login
username user1 password cisco123

! enable VPDN
vpdn enable
vpdn logging

! define IP pool for authenticated PPTP users
ip local pool PPTP-POOL 192.168.100.60 192.168.100.69

! WAN facing interface
interface FastEthernet0
ip address 1.1.1.1 255.255.255.0
ip nat outside

! configure virtual interface for PPTP
interface Virtual-Template1
ip unnumbered FastEthernet0
! associate IP address pool
peer default ip address pool PPTP-POOL
! specify PPTP encryption and authentication methods to use
ppp encrypt mppe 128
ppp authentication ms-chap-v2

! configure VPDN group for PPTP access
vpdn-group 1
accept-dialin
! define protocol to use (PPTP)
protocol pptp
! specify which virtual interface to use
virtual-template 1

CONTENT FILTERING

CONTENT FILTERING (p. 177)
  Cisco IOS URL Filtering using Web Sense (p. 177)

CISCO IOS URL FILTERING USING WEB SENSE

[Topology diagram: router WAN interface .1 = 1.1.1.1; LAN 192.168.10.0/24; Internet side 6.7.7.0/24]

! enable URL filtering using the name "websec" for HTTP URL inspection
ip inspect name websec http urlfilter

ip urlfilter cache 5
! specify the domains that should be automatically blocked
ip urlfilter exclusive-domain deny .youtube.com
! specify the domains that should be automatically allowed
ip urlfilter exclusive-domain permit www.routehub.local
ip urlfilter audit-trail
ip urlfilter alert
! URL filtering server will be WebSense using 192.168.10.10
ip urlfilter server vendor websense 192.168.10.10

interface Vlan10
ip address 192.168.10.1 255.255.255.0
! enable URL filtering inbound on LAN interface
ip inspect websec in

SERVICES

SERVICES (p. 178)
  WCCP (p. 178)
  802.1X (p. 179)
  AAA and TACACS+ (p. 180)
  RADIUS (p. 180)
  Lower Case (p. 181)
  Testing AAA (p. 181)
  IPS Module in Cisco ISR Series (p. 181)

WCCP

[Topology diagram: router WAN interface .1 = 1.1.1.1 toward 6.7.7.0/24; LAN subnets 192.168.10.0/24 and 192.168.11.0/24]

! configure ACL for what should be inspected by the proxy (permit) or not (deny)
ip access-list extended wccp-acl
! individual hosts on the network that should bypass the proxy
deny ip host 192.168.10.23 any
deny ip host 192.168.10.74 any
! subnets that should be redirected to the proxy
permit ip 192.168.11.0 0.0.0.255 any
! hosts on the subnet doing HTTP requests should be redirected to the proxy
permit tcp 192.168.10.0 0.0.0.255 any eq www
! hosts on the subnet doing HTTPS requests should bypass the proxy
deny tcp 192.168.10.0 0.0.0.255 any eq 443
! any host trying to reach the server 6.7.7.10 should bypass the proxy
deny ip any host 6.7.7.10
! all other traffic bypasses the proxy
deny ip any any

! enable WCCP and redirect traffic to proxy based on the configured ACL
ip wccp 9 redirect-list wccp-acl

interface GigabitEthernet3/1
ip address 1.1.1.1 255.255.255.0
! enable WCCP on WAN facing interface that will use the proxy
ip wccp 9 redirect out

! interface configuration for the LAN interface
interface GigabitEthernet3/2
ip address 192.168.10.1 255.255.255.0
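The redirect-list above is evaluated top to bottom, and the first matching entry decides whether WCCP redirects a flow to the proxy (permit) or lets it bypass (deny). The following Python is an added example, not code from the RouteHub guide: it implements IOS wildcard-mask matching and the implicit trailing deny, then replays the guide's wccp-acl against constructed flows. The Flow and Ace classes, the PORT_NAMES table and the sample flows are this example's own assumptions. One thing it makes visible that the comments do not: because the HTTP permit for 192.168.10.0/24 sits above the deny for 6.7.7.10, HTTP from that subnet to 6.7.7.10 is still redirected.

```python
"""Evaluate a Cisco IOS extended ACL with first-match semantics.

Added example (not part of the RouteHub guide): parses the guide's wccp-acl,
applies each ACE in order with wildcard-mask matching and the implicit
'deny ip any any', and classifies constructed flows as redirected to the
proxy (permit) or bypassing it (deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# assumption: the few IOS port keywords this example needs
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass
class Flow:                    # constructed representation of one packet/flow
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Ace:                     # one access-control entry
    action: str                # "permit" or "deny"
    proto: str
    src: Tuple[int, int]       # (network, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport)


def _addr_matches(addr: int, spec: Tuple[int, int]) -> bool:
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # a wildcard bit of 1 means "don't care"
    return (addr & care) == (net & care)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not _addr_matches(_ip(flow.src), ace.src):
        return False
    if not _addr_matches(_ip(flow.dst), ace.dst):
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl: List[str], flow: Flow) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


# The guide's wccp-acl, with the 192.168.11.0 line in IOS syntax.
WCCP_ACL = [
    "deny ip host 192.168.10.23 any",
    "deny ip host 192.168.10.74 any",
    "permit ip 192.168.11.0 0.0.0.255 any",
    "permit tcp 192.168.10.0 0.0.0.255 any eq www",
    "deny tcp 192.168.10.0 0.0.0.255 any eq 443",
    "deny ip any host 6.7.7.10",
    "deny ip any any",
]


def proxy_decision(flow: Flow) -> str:
    """'redirect' when the redirect-list permits the flow, otherwise 'bypass'."""
    return "redirect" if evaluate(WCCP_ACL, flow) == "permit" else "bypass"


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("192.168.10.23", "8.8.8.8", "tcp", 80),   # excluded host
        Flow("192.168.10.50", "8.8.8.8", "tcp", 80),   # LAN HTTP
        Flow("192.168.10.50", "8.8.8.8", "tcp", 443),  # LAN HTTPS
        Flow("192.168.11.7", "8.8.8.8", "udp", 53),    # whole-subnet redirect
        Flow("192.168.10.50", "6.7.7.10", "tcp", 80),  # HTTP permit precedes the 6.7.7.10 deny
    ]
    for f in samples:
        print(f"{f.src:>15} -> {f.dst:<10} {f.proto}/{f.dport}: {proxy_decision(f)}")
```

Swap in any other IOS ACL from this guide (the no-NAT ACL 110 in the EZVPN section, the IPS ACL 100) to check which flows it catches before applying it to a device.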

802.1X

aaa new-model
! configure AAA group to specify the RADIUS server and ports.
aaa group server radius ACS-RADIUS
server 192.168.10.10 auth-port 1812 acct-port 1813

! AAA authentication and authorization to use the RADIUS group for 802.1X
aaa authentication dot1x default group ACS-RADIUS
aaa authorization network default group ACS-RADIUS

! RADIUS requests should be sourced from interface Vlan100 for all communication
ip radius source-interface Vlan100
! specify the RADIUS server, shared key, and port numbers
radius-server host 192.168.10.10 auth-port 1812 acct-port 1813 key cisco6778

! enable 802.1X on switch
dot1x system-auth-control

! edge host port added to a User VLAN
interface GigabitEthernet0/4
switchport access vlan 100
switchport trunk native vlan 100
switchport mode access
! enable 802.1X on interface
dot1x port-control auto
dot1x reauthentication
! if host is not enabled for 802.1X place into VLAN 900
dot1x guest-vlan 900

AAA AND TACACS+

! local user account configured
username admin privilege 15 secret cisco6778

aaa new-model
! configure AAA group to specify the TACACS+ server
aaa group server tacacs+ ACS-TACACS
server 192.168.10.10

! any telnet/ssh access to device will authenticate against TACACS+ then the local database
aaa authentication login default group ACS-TACACS local
aaa authentication login console line
aaa authorization exec default group ACS-TACACS local
aaa authorization commands 1 default group ACS-TACACS if-authenticated none
aaa authorization commands 15 default group ACS-TACACS local none
aaa accounting exec default start-stop group ACS-TACACS
aaa accounting commands 15 default start-stop group ACS-TACACS
aaa accounting network default start-stop group ACS-TACACS
aaa accounting system default start-stop group ACS-TACACS

! TACACS+ requests should use the IP configured on Eth0/1 for all communication
ip tacacs source-interface Ethernet0/1

! specify the TACACS+ server and shared key
tacacs-server host 192.168.10.10 key cisco6778
tacacs-server directed-request

line con 0
! console uses the "console" list above, i.e. the line password
login authentication console
password cisco123
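The method lists above behave differently from what the comment "authenticate against TACACS+ then the local database" suggests: IOS moves to the next method only when a method returns ERROR (server group unreachable); an explicit reject (FAIL) ends the evaluation, so a user rejected by ACS is never retried against the local database, and a trailing `none` is reached only when every earlier method errors. The Python below is an added example, not code from the RouteHub guide; it models that fallback with a constructed, switchable server. The FakeTacacs class, its user list and denied commands, and the treatment of the `local` method for command authorization (modelled as ERROR because the local database carries no per-command policy) are this example's assumptions.

```python
"""Model of Cisco IOS AAA method-list fallback (PASS / FAIL / ERROR).

Added example, not from the RouteHub guide. Replays the guide's
'login default group ACS-TACACS local' and
'commands 15 default group ACS-TACACS local none' lists against a
constructed TACACS+ stand-in that can be marked unreachable.
"""
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[..., str]


class FakeTacacs:
    """Constructed stand-in for the ACS-TACACS server group."""

    def __init__(self, users: Dict[str, str], deny_cmds: List[str], reachable: bool = True):
        self.users = users
        self.deny_cmds = deny_cmds
        self.reachable = reachable

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR                    # no reply: IOS tries the next method
        return PASS if self.users.get(user) == password else FAIL

    def authorize_cmd(self, user: str, cmd: str) -> str:
        if not self.reachable:
            return ERROR
        return FAIL if cmd in self.deny_cmds else PASS


# mirrors 'username admin privilege 15 secret cisco6778' from the guide
LOCAL_USERS = {"admin": "cisco6778"}


def local_authenticate(user: str, password: str) -> str:
    # assumption: unknown user and wrong password are both treated as FAIL here
    return PASS if LOCAL_USERS.get(user) == password else FAIL


def local_authorize_cmd(user: str, cmd: str) -> str:
    # assumption: the local database has no per-command policy, so the
    # 'local' method cannot decide and returns ERROR (falls through)
    return ERROR


def none_method(*_args) -> str:
    return PASS                             # 'none': no check, always allowed


def run_method_list(methods: List[Method], *args) -> str:
    """IOS semantics: the first PASS or FAIL wins; ERROR moves to the next method."""
    for method in methods:
        result = method(*args)
        if result != ERROR:
            return result
    return FAIL                             # every method errored: access denied


def login(user: str, password: str, server_up: bool) -> str:
    """aaa authentication login default group ACS-TACACS local"""
    acs = FakeTacacs({"admin": "acs-only-pass"}, [], reachable=server_up)
    return run_method_list([acs.authenticate, local_authenticate], user, password)


def authorize_priv15(user: str, cmd: str, server_up: bool) -> str:
    """aaa authorization commands 15 default group ACS-TACACS local none"""
    acs = FakeTacacs({}, ["reload"], reachable=server_up)
    return run_method_list([acs.authorize_cmd, local_authorize_cmd, none_method], user, cmd)


if __name__ == "__main__":
    print("server up,   local password offered:", login("admin", "cisco6778", True))
    print("server down, local password offered:", login("admin", "cisco6778", False))
    print("server up,   'reload':              ", authorize_priv15("admin", "reload", True))
    print("server down, 'reload':              ", authorize_priv15("admin", "reload", False))
```

The last case is the one to review before deploying such a list: with the server unreachable, `none` permits every privilege-15 command. That is the deliberate trade between lockout resistance and control, and the `commands 1 ... if-authenticated none` line makes the same trade at level 1.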

RADIUS

! enable AAA services
aaa new-model
! user authentication will use RADIUS server
aaa authentication login default group radius local
aaa authorization exec default local

! specify source interface (IP from this interface) for RADIUS communication.
ip radius source-interface FastEthernet0/0
! specify RADIUS server IP, port numbers, and shared key
radius-server host 192.168.10.10 auth-port 1812 acct-port 1813 key cisco123
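The shared key on the `radius-server host` line does two jobs in RFC 2865: it hides the User-Password attribute in the Access-Request, and it keys the Response Authenticator that the router checks on every reply, so a reply from a host without the key is discarded. The Python below is an added example, not code from the RouteHub guide, and implements both sides of one exchange in memory (no network traffic). The user database, packet identifiers and the `exchange` helper are this example's constructs; only the key value `cisco123` comes from the configuration above.

```python
"""RADIUS Access-Request / Access-Accept exchange with shared-secret checks.

Added example, not from the RouteHub guide. Implements RFC 2865 User-Password
hiding (MD5 keystream XOR, chained per 16-byte block) and the Response
Authenticator the NAS verifies, with a constructed server and user database.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(plain[i:i + 16], stream))
        out += block
        prev = block                        # chaining uses the ciphertext block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> str:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident: int, secret: bytes, user: str, password: str,
                         request_auth: Optional[bytes] = None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request: bytes, secret: bytes, user_db: Dict[str, str]) -> bytes:
    """Server side: recover the password with its own copy of the key and answer."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify must be discarded."""
    request_auth = request[4:20]
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(user: str, password: str, nas_secret: bytes, server_secret: bytes,
             user_db: Dict[str, str]) -> Tuple[int, bool]:
    """One round trip: returns (response code, authenticator verified by the NAS)."""
    request = build_access_request(7, nas_secret, user, password)
    response = server_respond(request, server_secret, user_db)
    return response[0], verify_response(request, response, nas_secret)


if __name__ == "__main__":
    db = {"user1": "cisco123"}                       # constructed user database
    print("matching keys, good password:", exchange("user1", "cisco123", b"cisco123", b"cisco123", db))
    print("matching keys, bad password: ", exchange("user1", "wrong", b"cisco123", b"cisco123", db))
    print("key mismatch:                ", exchange("user1", "cisco123", b"cisco123", b"other", db))
```

The key-mismatch case shows both effects at once: the server decrypts a different password and rejects, and the router's verification fails, which is the symptom to look for when a RADIUS server is logging "bad authenticator" or the router reports the server as failing.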

LOWER CASE

! make local account lookups case sensitive
aaa authentication login default group tacacs+ local-case

TESTING AAA

! test RADIUS configuration using the username "mthomati" in the domain "RHG" (the password is supplied on the command line)
test aaa group radius RHG\mthomati <password> new-code

IPS MODULE IN CISCO ISR SERIES

[Topology diagram: router WAN interface .1 = 1.1.1.1; LAN 192.168.10.0/24; Internet side 6.7.7.0/24]

! configure static route to IPS module on Cisco router
ip route 192.168.10.12 255.255.255.255 IDS-Sensor0/0

! IPS module interface on the router
interface IDS-Sensor0/0
ip unnumbered Loopback0
! permit traffic if the service module fails
service-module fail-open

! connect to IPS module on Cisco router
service-module IDS-Sensor 0/0 session

! traffic that will be sent to the IPS for inspection
access-list 100 permit tcp any any eq 443
! all other traffic will bypass IPS inspection
access-list 100 deny ip any any

! enable Promiscuous monitoring for the traffic listed in the associated ACL
ids-service-module monitoring promiscuous access-list 100

TUNNELING SERVICES

TUNNELING SERVICES (p. 182)
  L3VPN (p. 183)
  L2VPN (p. 205)

L3VPN

L3VPN (p. 183)
  Basic Tunneling (p. 184)
    GRE Tunnel (p. 184)
    IP Tunnel (IPIP) (p. 185)
  Multi-CE VRF (VRF-lite) (p. 186)
    Access Configuration (No VRF) (p. 186)
    Distribution/Aggregation Configuration (VRF) (p. 187)
    Core Configuration (VRF) (p. 189)
    Zone Configuration (No VRF) (p. 191)
    Firewall Between Zone and Core (p. 193)
  MPLS VPN (p. 196)
    MPLS: Provider (P) (p. 196)
    MPLS: Provider Edge (PE) (p. 197)
    VRF (MPLS PE) (p. 198)
    MP-BGP (MPLS PE) (p. 199)
    MPLS: Customer Edge (CE) (p. 201)
    MPLS over GRE (p. 202)
    VRF Selection (p. 203)

BASIC TUNNELING

GRE TUNNEL

[Topology diagram: R1 (P1, WAN 1.1.1.1) -- INET -- R2 (P2, WAN 2.2.2.2); tunnel addresses 10.1.1.1 on R1 and 10.1.1.2 on R2]

* requires IP protocol 47 (GRE) to be allowed between the tunnel endpoints

>> R1 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
! specify IP on WAN facing interface
tunnel source 1.1.1.1
! specify destination IP on remote end
tunnel destination 2.2.2.2

>> R2 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
! specify IP on WAN facing interface
tunnel source 2.2.2.2
! specify destination IP on remote end
tunnel destination 1.1.1.1

IP TUNNEL (IPIP)

[Topology diagram: R1 (P1, WAN 1.1.1.1) -- INET -- R2 (P2, WAN 2.2.2.2); tunnel addresses 10.1.1.1 on R1 and 10.1.1.2 on R2]

>> R1 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
! specify IP on WAN facing interface
tunnel source 1.1.1.1
! specify destination IP on remote end
tunnel destination 2.2.2.2
! specifies that this will be an IP enabled tunnel not GRE tunnel
tunnel mode ipip

>> R2 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
! specify IP on WAN facing interface
tunnel source 2.2.2.2
! specify destination IP on remote end
tunnel destination 1.1.1.1
! specifies that this will be an IP enabled tunnel not GRE tunnel
tunnel mode ipip

MULTI-CE VRF (VRF-LITE)

[Topology diagram: ZONE router -- FW -- CORE (VRF) -- AGG (VRF) -- ACCESS, tiers joined by 802.1q trunks.
Client 1: vlan100 10.1.100.0/24 (LAN), vlan199 10.1.99.0/24 (Agg to Core interconnect), vlan198 10.1.98.0/24 (Core to Zone interconnect).
Client 2: vlan200 (LAN, labelled 10.2.100.0/24 v100 in the figure), vlan299 10.2.99.0/24 (Agg to Core interconnect), vlan298 10.2.98.0/24 (Core to Zone interconnect).]

ACCESS CONFIGURATION (NO VRF)

! add VLAN for Client 1
vlan 100
name VLAN-CL1

! add VLAN for Client 2
vlan 200
name VLAN-CL2

! VLANs for Client 1 & 2 tagged up to the LAN Distribution
interface FastEthernet0/1
description TO: LAN Distribution
switchport trunk allowed vlan 100,200
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0

! interface associated to Client 1 VLAN
interface FastEthernet0/2
description HOST: Client 1
switchport access vlan 100
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

! interface associated to Client 2 VLAN
interface FastEthernet0/3
description HOST: Client 2
switchport access vlan 200
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

DISTRIBUTION/AGGREGATION CONFIGURATION (VRF)

! add VLAN for Client 1
vlan 100
name VLAN-CL1

! add VLAN for Client 1 Interconnection with the Core
vlan 199
name VLAN-CL1-ICT1

! add VLAN for Client 2
vlan 200
name VLAN-CL2

! add VLAN for Client 2 Interconnection with the Core
vlan 299
name VLAN-CL2-ICT1

! configure VRF for Client 1 using RD of 10:100
ip vrf CL1
rd 10:100
route-target export 10:100
route-target import 10:100

! configure VRF for Client 2 using RD of 10:200
ip vrf CL2
rd 10:200
route-target export 10:200
route-target import 10:200

! VLAN SVI interface for Client 1 LAN
interface Vlan100
description VLAN: Client 1 LAN
! associate Client 1 VRF to interface
ip vrf forwarding CL1
ip address 10.1.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp

! VLAN SVI interface for Client 1 Interconnection with Core
interface Vlan199
description VLAN: Client 1 ICT with Core
! associate Client 1 VRF to interface
ip vrf forwarding CL1
ip address 10.1.99.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! VLAN SVI interface for Client 2 LAN
interface Vlan200
description VLAN: Client 2 LAN
! associate Client 2 VRF to interface
ip vrf forwarding CL2
ip address 10.2.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp

! VLAN SVI interface for Client 2 Interconnection with Core
interface Vlan299
description VLAN: Client 2 ICT with Core
! associate Client 2 VRF to interface
ip vrf forwarding CL2
ip address 10.2.99.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! configure OSPF process for Client 1 VRF
router ospf 10 vrf CL1
! summarize routes for Client 1 up to the Core
area 10 range 10.1.0.0 255.255.0.0
! networks to advertise (LAN and Interconnection subnets) for Client 1
network 10.1.99.0 0.0.0.3 area 0
network 10.1.100.0 0.0.0.255 area 10

! configure OSPF process for Client 2 VRF
router ospf 20 vrf CL2
! summarize routes for Client 2 up to the Core
area 20 range 10.2.0.0 255.255.0.0
! networks to advertise (LAN and Interconnection subnets) for Client 2
network 10.2.99.0 0.0.0.3 area 0
network 10.2.200.0 0.0.0.255 area 20

! VLANs for Client 1 & 2 (LAN and Interconnection) tagged up to the LAN Core
interface GigabitEthernet0/1
description TO: LAN Core
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200,199,299
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0

! VLANs for Client 1 & 2 (LAN only) tagged down to the LAN Access
interface GigabitEthernet0/2
description TO: LAN Access
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0

CORE CONFIGURATION (VRF)

! add VLAN for Client 1 Interconnection with the Zone Router
vlan 198
name VLAN-CL1-ICT2

! add VLAN for Client 1 Interconnection with the Distribution
vlan 199
name VLAN-CL1-ICT1

! add VLAN for Client 2 Interconnection with the Zone Router
vlan 298
name VLAN-CL2-ICT2

! add VLAN for Client 2 Interconnection with the Distribution
vlan 299
name VLAN-CL2-ICT1

! configure VRF for Client 1 using RD of 10:100
ip vrf CL1
rd 10:100
route-target export 10:100
route-target import 10:100

! configure VRF for Client 2 using RD of 10:200
ip vrf CL2
rd 10:200
route-target export 10:200
route-target import 10:200

! VLAN SVI interface for Client 1 Interconnection with Zone router
interface Vlan198
! associate Client 1 VRF to interface
ip vrf forwarding CL1
ip address 10.1.98.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! VLAN SVI interface for Client 1 Interconnection with Distribution
interface Vlan199
! associate Client 1 VRF to interface
ip vrf forwarding CL1
ip address 10.1.99.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! VLAN SVI interface for Client 2 Interconnection with Zone router
interface Vlan298
! associate Client 2 VRF to interface
ip vrf forwarding CL2
ip address 10.2.98.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! VLAN SVI interface for Client 2 Interconnection with Distribution
interface Vlan299
! associate Client 2 VRF to interface
ip vrf forwarding CL2
ip address 10.2.99.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! configure OSPF process for Client 1 VRF
router ospf 10 vrf CL1
! networks to advertise (Interconnection subnets) for Client 1
network 10.1.98.0 0.0.0.3 area 0
network 10.1.99.0 0.0.0.3 area 0

! configure OSPF process for Client 2 VRF
router ospf 20 vrf CL2
! networks to advertise (Interconnection subnets) for Client 2
network 10.2.98.0 0.0.0.3 area 0
network 10.2.99.0 0.0.0.3 area 0

! VLANs for Client 1 & 2 (Interconnection) tagged to the Zone router
interface GigabitEthernet0/1
description TO: Zone Router
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 198,298
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0

! VLANs for Client 1 & 2 (Interconnection) tagged to the Distribution
interface GigabitEthernet0/2
description TO: LAN Distribution
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 199,299
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0

ZONE CONFIGURATION (NO VRF)

! add VLAN for Client 1 Interconnection with the Core
vlan 198
name VLAN-CL1-ICT2

! add VLAN for Client 2 Interconnection with the Core
vlan 298
name VLAN-CL2-ICT2

! VLAN SVI interface for Client 1 Interconnection with Core
interface Vlan198
ip address 10.1.98.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! VLAN SVI interface for Client 2 Interconnection with Core
interface Vlan298
ip address 10.2.98.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

! ACL with Client 1 subnets
ip access-list standard CL1-ACL
permit 10.1.0.0 0.0.255.255

! ACL with Client 2 subnets
ip access-list standard CL2-ACL
permit 10.2.0.0 0.0.255.255

! OSPF process for Client 1
router ospf 10
! redistribute subnets from Client 2 into Client 1 OSPF process
redistribute ospf 20 subnets
! networks to advertise (Interconnection subnets) for Client 1
network 10.1.98.0 0.0.0.3 area 0
! advertise OSPF default route within Client 1 OSPF network
default-information originate always
! only redistribute Client 2 subnets listed in the Client 2 ACL
distribute-list CL2-ACL out ospf 20

! OSPF process for Client 2
router ospf 20
! redistribute subnets from Client 1 into Client 2 OSPF process
redistribute ospf 10 subnets
! networks to advertise (Interconnection subnets) for Client 2
network 10.2.98.0 0.0.0.3 area 0
! advertise OSPF default route within Client 2 OSPF network
default-information originate always
! only redistribute Client 1 subnets listed in the Client 1 ACL
distribute-list CL1-ACL out ospf 10

! VLANs for Client 1 & 2 (Interconnection) tagged to the Core
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 198,298
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0

FIREWALL BETWEEN ZONE AND CORE

! enable virtualization on Cisco ASA/FWSM
mode multiple
! operate in L2 mode
firewall transparent

! sub-interface for Client 1 Interconnection connected to Zone router (untrusted/outside)
interface gigabitethernet 0.198
no shutdown

! sub-interface for Client 2 Interconnection connected to Zone router (untrusted/outside)
interface gigabitethernet 0.298
no shutdown

! sub-interface for Client 1 Interconnection connected to Core (trusted/inside)
interface gigabitethernet 1.198
no shutdown

! sub-interface for Client 2 Interconnection connected to Core (trusted/inside)
interface gigabitethernet 1.298
no shutdown

! virtualize firewall for Client 1
context CL1-FW
! associate sub-interfaces for Client 1 firewall instance
allocate-interface gigabitethernet 0.198
allocate-interface gigabitethernet 1.198
! location and filename of the Client 1 firewall instance configuration
config-url disk0:/CL1-FW.cfg

! virtualize firewall for Client 2
context CL2-FW
! associate sub-interfaces for Client 2 firewall instance
allocate-interface gigabitethernet 0.298
allocate-interface gigabitethernet 1.298
! location and filename of the Client 2 firewall instance configuration
config-url disk0:/CL2-FW.cfg

! switch to the Client 1 firewall instance
changeto context CL1-FW

! firewall configuration for the Client 1 firewall instance
hostname CL1-FW
domain-name c1.routehub.local

passwd secret123
enable password secret123

! specify untrusted/outside interface for Client 1 firewall instance
interface gigabitethernet 0.198
nameif outside
security-level 0
no shutdown

! specify trusted/inside interface for Client 1 firewall instance
interface gigabitethernet 1.198
nameif inside
security-level 100
no shutdown

! firewall policies for Client 1 firewall instance
! OSPF (IP protocol 89) between Zone and Core must be allowed through the transparent firewall
access-list CL1-ACL extended permit 89 any any
access-list CL1-ACL extended permit tcp any host 10.2.200.100 eq 8080
access-list CL1-ACL extended permit tcp any host 10.2.200.101 eq 22
access-list CL1-ACL extended permit tcp any host 10.2.200.102 eq 3389

! firewall policies applied to "outside" interface
access-group CL1-ACL in interface outside

! switch to the Client 2 firewall instance
changeto context CL2-FW

! firewall configuration for the Client 2 firewall instance
hostname CL2-FW
domain-name c2.routehub.local

passwd secret123
enable password secret123

! specify untrusted/outside interface for Client 2 firewall instance
interface gigabitethernet 0.298
nameif outside
security-level 0
no shutdown

! specify trusted/inside interface for Client 2 firewall instance


interface gigabitethernet 1.298
nameif inside
security-level 100
no shutdown

! firewall policies for Client 2 firewall instance


! permit OSPF (IP protocol 89) in from the outside
access-list CL2-ACL extended permit 89 any any
access-list CL2-ACL extended permit tcp any host 10.1.100.100 eq 8080
access-list CL2-ACL extended permit tcp any host 10.1.100.101 eq 22
access-list CL2-ACL extended permit tcp any host 10.1.100.102 eq 3389

! firewall policies applied to “outside” interface


access-group CL2-ACL in interface outside
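
The following is an added example, not code from the RouteHub guide: it parses the access-list lines of the CL1-FW context exactly as printed above and evaluates constructed packets against them the way the ASA does on the outside interface, where the first matching entry decides and a packet that matches nothing is dropped by the implicit deny. Only the subset of ASA syntax the page uses is handled (any, host, a dotted netmask pair, eq <port>, a protocol name or IP protocol number); the sample source addresses are constructed.

```python
"""First-match evaluation of the ASA context ACLs above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASA protocol keywords -> IP protocol numbers; "ip" means any protocol
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}

# The CL1-FW policy as it appears on the page
CL1_ACL = """
access-list CL1-ACL extended permit 89 any any
access-list CL1-ACL extended permit tcp any host 10.2.200.100 eq 8080
access-list CL1-ACL extended permit tcp any host 10.2.200.101 eq 22
access-list CL1-ACL extended permit tcp any host 10.2.200.102 eq 3389
"""


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: Optional[int]          # None = any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port


def _take_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")   # dotted netmask


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto = tokens[3], tokens[4]
    proto_num = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto]
    rest = tokens[5:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto_num, src, dst, dport)


def evaluate(acl, proto: int, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Walk the ACL top-down; the first hit wins, no hit -> implicit deny."""
    for ace in acl:
        if ace.proto is not None and ace.proto != proto:
            continue
        if ipaddress.ip_address(src) not in ace.src:
            continue
        if ipaddress.ip_address(dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def sample_decisions() -> dict:
    """Constructed packets arriving on CL1-FW's outside interface."""
    acl = [parse_ace(line) for line in CL1_ACL.strip().splitlines()]
    return {
        "ssh to .101": evaluate(acl, 6, "203.0.113.5", "10.2.200.101", 22),
        "ssh to .100": evaluate(acl, 6, "203.0.113.5", "10.2.200.100", 22),
        "rdp to .102": evaluate(acl, 6, "198.51.100.9", "10.2.200.102", 3389),
        "ospf hello": evaluate(acl, 89, "10.2.200.1", "224.0.0.5"),
        "dns to .100": evaluate(acl, 17, "203.0.113.5", "10.2.200.100", 53),
    }
```

Running sample_decisions() shows only the three published TCP services reach the inside hosts, while the first entry admits OSPF from any source to any destination; an evaluator like this makes such a blanket entry visible when reviewing a per-context policy.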


MPLS VPN

Diagram: MPLS VPN topology. PE1 (Lo0 2.2.2.2) - 10.1.2.0/24 (.2/.1) - P1 (Lo0 1.1.1.1) - 10.1.3.0/24 (.1/.3) - PE2 (Lo0 3.3.3.3). CE1 (Lo0 4.4.4.4) attaches to PE1 over 10.2.4.0/24 (.2/.4) with LAN 192.168.10.0/24; CE2 (Lo0 5.5.5.5) attaches to PE2 over 10.3.5.0/24 (.3/.5) with LAN 192.168.20.0/24.

MPLS: PROVIDER (P)

>>P1<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp

! management interface for MPLS P router


interface Loopback0
ip address 1.1.1.1 255.255.255.255

! connects to MPLS PE1 router


interface FastEthernet0/0
ip address 10.1.2.1 255.255.255.0
! enable MPLS on interface
mpls ip

! connects to MPLS PE2 router


interface FastEthernet0/1
ip address 10.1.3.1 255.255.255.0
! enable MPLS on interface
mpls ip

! OSPF routing process


router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0

MPLS: PROVIDER EDGE (PE)

>>PE1<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp

! management interface for MPLS PE1 router


interface Loopback0
ip address 2.2.2.2 255.255.255.255

! connects to MPLS P router


interface FastEthernet0/0
ip address 10.1.2.2 255.255.255.0
! enable MPLS on interface
mpls ip

! OSPF routing process


router ospf 2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 2
network 10.1.2.0 0.0.0.255 area 0

>>PE2<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp

! management interface for MPLS PE2 router


interface Loopback0
ip address 3.3.3.3 255.255.255.255

! connects to MPLS P router


interface FastEthernet0/0
ip address 10.1.3.2 255.255.255.0
! enable MPLS on interface
mpls ip

! OSPF routing process


router ospf 3
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 3
network 10.1.3.0 0.0.0.255 area 0

VRF (MPLS PE)

>>PE1<<
! configure VRF for Client A using RD of 10:100
ip vrf CEA
rd 10:100
route-target export 10:100
route-target import 10:100

! interface connected to Client A CE


interface FastEthernet0/1
! associate Client A VRF to interface
ip vrf forwarding CEA
ip address 10.2.4.2 255.255.255.0

>>PE2<<
! configure VRF for Client A using RD of 10:100
ip vrf CEA
rd 10:100
route-target export 10:100
route-target import 10:100

! interface connected to Client A CE


interface FastEthernet0/1
! associate Client A VRF to interface
ip vrf forwarding CEA
ip address 10.3.5.3 255.255.255.0

MP-BGP (MPLS PE)

>>PE1<<
! BGP routing process in ASN 6778
router bgp 6778
no synchronization
bgp log-neighbor-changes
! specify iBGP peer to PE2
neighbor 3.3.3.3 remote-as 6778
neighbor 3.3.3.3 update-source Loopback0
no auto-summary

! enable MP-BGP for exchanging VPNv4 routing info to PE2


address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family

! enable MP-BGP for Client A VRF


address-family ipv4 vrf CEA
! redistribute all routes learned via EIGRP for Client A VRF into BGP
redistribute eigrp 10
no synchronization
exit-address-family

! IGP routing process


router eigrp 1
! IGP routing process for Client A VRF
address-family ipv4 vrf CEA
! redistribute all routes learned via BGP for Client A VRF into EIGRP
redistribute bgp 6778
network 10.2.4.0 0.0.0.255
default-metric 10000 1 255 1 1500
no auto-summary
! specify EIGRP ASN for Client A VRF
autonomous-system 10
exit-address-family

>>PE2<<
! BGP routing process in ASN 6778
router bgp 6778
no synchronization
bgp log-neighbor-changes
! specify iBGP peer to PE1
neighbor 2.2.2.2 remote-as 6778
neighbor 2.2.2.2 update-source Loopback0
no auto-summary

! enable MP-BGP for exchanging VPNv4 routing info to PE1


address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family

! enable MP-BGP for Client A VRF


address-family ipv4 vrf CEA
! redistribute all routes learned via EIGRP for Client A VRF into BGP
redistribute eigrp 10
no synchronization
exit-address-family

! IGP routing process


router eigrp 1
! IGP routing process for Client A VRF
address-family ipv4 vrf CEA
! redistribute all routes learned via BGP for Client A VRF into EIGRP
redistribute bgp 6778
network 10.3.5.0 0.0.0.255
default-metric 10000 1 255 1 1500
no auto-summary
! specify EIGRP ASN for Client A VRF
autonomous-system 10
exit-address-family
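
The following is an added example, not code from the guide: it encodes the rd 10:100 and route-target 10:100 values as they travel in MP-BGP (RFC 4364 type-0 route distinguisher; RFC 4360 two-octet-AS route-target extended community) and then simulates PE2's VRF CEA importing VPNv4 routes by route target. The second customer VRF (CEB, 10:200) and the overlapping LAN prefix are constructed to show that the RD keeps identical prefixes distinct in the VPNv4 table while the RT decides which VRF may import them.

```python
"""Route Distinguisher / Route Target handling for the MPLS VPN above (added example)."""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(text: str) -> bytes:
    """'10:100' -> 8 bytes: type 0, 2-byte ASN, 4-byte assigned number."""
    asn, num = (int(x) for x in text.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def encode_rt(text: str) -> bytes:
    """'10:100' -> 8-byte extended community, type 0x00 subtype 0x02 (RT)."""
    asn, num = (int(x) for x in text.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)


@dataclass(frozen=True)
class Vpnv4Route:
    rd: bytes
    prefix: ipaddress.IPv4Network
    rts: frozenset            # encoded route targets attached to the route
    next_hop: str             # advertising PE loopback, e.g. 2.2.2.2

    @property
    def nlri(self) -> bytes:
        """RD followed by the prefix bytes (MPLS label omitted): the key MP-BGP
        uses, so 192.168.10.0/24 from two customers never collides."""
        octets = (self.prefix.prefixlen + 7) // 8
        return self.rd + self.prefix.network_address.packed[:octets]


@dataclass
class Vrf:
    """One ``ip vrf`` instance with its rd and route-target import/export."""
    name: str
    rd: bytes
    import_rts: frozenset
    export_rts: frozenset
    table: dict = field(default_factory=dict)   # prefix -> next hop

    def export(self, prefix: str, next_hop: str) -> Vpnv4Route:
        """What redistributing the VRF's IGP routes into the vpnv4 family produces."""
        return Vpnv4Route(self.rd, ipaddress.ip_network(prefix), self.export_rts, next_hop)

    def import_route(self, route: Vpnv4Route) -> bool:
        """Accept only routes carrying at least one of this VRF's import RTs."""
        if self.import_rts & route.rts:
            self.table[route.prefix] = route.next_hop
            return True
        return False


def make_vrf(name: str, community: str) -> Vrf:
    """Mirror the page's pattern: rd, export RT and import RT all set to one value."""
    rt = frozenset({encode_rt(community)})
    return Vrf(name, encode_rd(community), rt, rt)


def simulate_pe2_import():
    """PE1 advertises one VPNv4 route per VRF; PE2's CEA VRF filters by RT."""
    pe1_cea = make_vrf("CEA", "10:100")
    pe1_ceb = make_vrf("CEB", "10:200")          # constructed second customer
    advertised = [
        pe1_cea.export("192.168.10.0/24", "2.2.2.2"),   # CE1 LAN behind PE1
        pe1_ceb.export("192.168.10.0/24", "2.2.2.2"),   # same prefix, other VRF
    ]
    pe2_cea = make_vrf("CEA", "10:100")
    accepted = [r for r in advertised if pe2_cea.import_route(r)]
    return advertised, accepted, pe2_cea
```

The two advertised routes share the prefix bytes but differ in their first eight bytes (the RD), and PE2's CEA table ends up with exactly one entry: the RT, not the RD, is the separation control, which is why a route-target import value copied to the wrong VRF leaks one customer's routes into another's table.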

MPLS: CUSTOMER EDGE (CE)

>>CE1<<
! management interface for CE1
interface Loopback0
ip address 4.4.4.4 255.255.255.255

! WAN facing interface connecting to PE1


interface FastEthernet0/0
ip address 10.2.4.4 255.255.255.0

! LAN facing interface


interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0

! EIGRP routing process using ASN 10


router eigrp 10
network 4.4.4.4 0.0.0.0
network 192.168.10.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes

>>CE2<<
! management interface for CE2
interface Loopback0
ip address 5.5.5.5 255.255.255.255

! WAN facing interface connecting to PE2


interface FastEthernet0/0
ip address 10.3.5.5 255.255.255.0

! LAN facing interface


interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

! EIGRP routing process using ASN 10


router eigrp 10
network 5.5.5.5 0.0.0.0
network 192.168.20.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes

MPLS OVER GRE

Diagram: MPLS over GRE. P1 (1.1.1.1, in MPLS1) and P2 (2.2.2.2, in MPLS2) are connected across the Internet; the GRE Tunnel0 between them uses 172.16.1.1 on P1 and 172.16.1.2 on P2.

>>P1 in MPLS1<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp

! GRE interface
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
! specify local interface where GRE will be established from
tunnel source FastEthernet1/0
! specify the destination where the GRE tunnel will be terminated to
tunnel destination 2.2.2.2
! enable MPLS on interface
mpls ip

! interface connecting to Internet/WAN


interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.0

! OSPF routing process


router ospf 1
! include network used on GRE interface
network 172.16.1.0 0.0.0.255 area 0

>>P2 in MPLS2<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp

! GRE interface
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
! specify local interface where GRE will be established from
tunnel source FastEthernet1/0
! specify the destination where the GRE tunnel will be terminated to
tunnel destination 1.1.1.1
! enable MPLS on interface
mpls ip

! interface connecting to Internet/WAN


interface FastEthernet1/0
ip address 2.2.2.2 255.255.255.0

! OSPF routing process
router ospf 1
! include network used on GRE interface
network 172.16.1.0 0.0.0.255 area 0


VRF SELECTION

Diagram: VRF Selection. PE FastEthernet0/0 (192.168.10.1) sits on 192.168.10.0/24; the Client 1 router at .2 fronts 172.16.1.0/24 and the Client 2 router at .3 fronts 172.16.2.0/24.

>>PE<<
! VRF for Client A
ip vrf CEA
rd 50:500
route-target export 50:500
route-target import 50:500

! VRF for Client B


ip vrf CEB
rd 60:600
route-target export 60:600
route-target import 60:600

! ACL listing subnets used for Client A


access-list 1 permit 172.16.1.0 0.0.0.255

! ACL listing subnets used for Client B


access-list 2 permit 172.16.2.0 0.0.0.255

! route-map used for Client A mapping


route-map ROUTEHUB-PBR-VS permit 10
! associate ACL to route-map for Client A
match ip address 1
! any node using subnet 172.16.1.0 will use VRF for Client A
set vrf CEA

! route-map used for Client B mapping
route-map ROUTEHUB-PBR-VS permit 20
! associate ACL to route-map for Client B
match ip address 2
! any node using subnet 172.16.2.0 will use VRF for Client B
set vrf CEB

! static routes pointing to each of the client networks


ip route vrf CEA 172.16.1.0 255.255.255.0 192.168.10.2
ip route vrf CEB 172.16.2.0 255.255.255.0 192.168.10.3

! interface connected to networks with Client A and Client B connected


interface FastEthernet0/0
! associate Client A VRF to interface
ip vrf receive CEA
! associate Client B VRF to interface
ip vrf receive CEB
ip address 192.168.10.1 255.255.255.0
! associate route map policy for VRF selection
ip policy route-map ROUTEHUB-PBR-VS
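
The following is an added example, not code from the guide: it evaluates numbered standard ACL entries with IOS wildcard semantics (a 1 bit in the wildcard means "don't care") and walks the ROUTEHUB-PBR-VS sequences in order, returning the VRF a packet's source address is steered into, or None when no sequence matches and the packet stays in the global table. It also shows why the wildcard deserves a check: a broader 0.0.255.255 on both entries makes sequence 10 swallow every 172.16.0.0/16 source, so Client 2 traffic would land in Client A's VRF. The sample source addresses are constructed.

```python
"""Wildcard-mask matching behind the VRF Selection route-map above (added example)."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS compares only the bits that are 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def select_vrf(src: str, route_map):
    """route_map: ordered [(acl_entries, vrf), ...] like ``permit 10`` then
    ``permit 20``.  The first matching sequence wins; no match -> None."""
    for acl, vrf in route_map:
        if any(wildcard_match(src, net, wc) for net, wc in acl):
            return vrf
    return None


# Sequences 10 and 20 with the /24 wildcards the diagram calls for
CORRECT = [
    ([("172.16.1.0", "0.0.0.255")], "CEA"),   # access-list 1 -> set vrf CEA
    ([("172.16.2.0", "0.0.0.255")], "CEB"),   # access-list 2 -> set vrf CEB
]

# The same sequences with a /16 wildcard typed by mistake on both entries
TOO_BROAD = [
    ([("172.16.1.0", "0.0.255.255")], "CEA"),
    ([("172.16.2.0", "0.0.255.255")], "CEB"),
]

SAMPLE_SOURCES = ["172.16.1.25", "172.16.2.25", "172.16.99.7"]   # constructed


def classify(route_map) -> dict:
    """Map each sample source to the VRF the route-map would select."""
    return {src: select_vrf(src, route_map) for src in SAMPLE_SOURCES}
```

With CORRECT the two client subnets go to their own VRFs and an unknown 172.16.99.7 source is left in the global table; with TOO_BROAD every sample is handed to CEA because sequence 10 already matches it, and sequence 20 is never consulted. Comparing the two dictionaries is the quickest way to see whether a route-map really separates tenants.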

L2VPN

L2VPN ....................................................................................................................................................................205
EoMPLS ..............................................................................................................................................................206
EoMPLS ............................................................................................................................................................................ 206
Monitor Commands......................................................................................................................................................... 209
L2TPv3................................................................................................................................................................210
L2TPv3 using Static Tunnels ............................................................................................................................................. 210
Monitor Commands......................................................................................................................................................... 212
VPLS ...................................................................................................................................................................213
VPLS (VLAN-Based) .......................................................................................................................................................... 213
VPLS (QinQ, Port-Based) .................................................................................................................................................. 219
Monitor Commands......................................................................................................................................................... 223

EOMPLS

Diagram: EoMPLS. PE1 (2.2.2.2) - 10.1.2.0/24 (.2/.1) - P (1.1.1.1) - 10.1.3.0/24 (.1/.3) - PE2 (3.3.3.3). CE1-H hangs off PE1 and CE1-S1 off PE2, each over an 802.1Q trunk carrying VLANs 10, 100 and 199.

EOMPLS

>>PE1<<
! interface for PE1 connecting to CE1-H
interface FastEthernet0/0
no ip address
no shutdown

interface FastEthernet0/0.10
! tag VLAN10 from CE1-H to CE1-S1
encapsulation dot1Q 10
! build EoMPLS tunnel for VLAN10 to PE2
xconnect 3.3.3.3 10 encapsulation mpls

interface FastEthernet0/0.100
! tag VLAN100 from CE1-H to CE1-S1
encapsulation dot1Q 100
! build EoMPLS tunnel for VLAN100 to PE2
xconnect 3.3.3.3 100 encapsulation mpls

interface FastEthernet0/0.199
! tag VLAN199 from CE1-H to CE1-S1
encapsulation dot1Q 199
! build EoMPLS tunnel for VLAN199 to PE2
xconnect 3.3.3.3 199 encapsulation mpls

>>PE2<<
! interface for PE2 connecting to CE1-S1
interface FastEthernet0/0
no ip address
no shutdown

interface FastEthernet0/0.10
! tag VLAN10 from CE1-S1 to CE1-H
encapsulation dot1Q 10
! build EoMPLS tunnel for VLAN10 to PE1
xconnect 2.2.2.2 10 encapsulation mpls

interface FastEthernet0/0.100
! tag VLAN100 from CE1-S1 to CE1-H
encapsulation dot1Q 100
! build EoMPLS tunnel for VLAN100 to PE1
xconnect 2.2.2.2 100 encapsulation mpls

interface FastEthernet0/0.199
! tag VLAN199 from CE1-S1 to CE1-H
encapsulation dot1Q 199
! build EoMPLS tunnel for VLAN199 to PE1
xconnect 2.2.2.2 199 encapsulation mpls

>>CE1-H<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE1


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE1
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! SVI interface for VLAN10


interface Vlan 10
description RHG VLAN SVI INTERNAL
ip address 192.168.10.1 255.255.255.0
no shutdown

! SVI interface for VLAN100


interface Vlan 100
description RHG VLAN SVI GUEST
ip address 192.168.100.1 255.255.255.0
no shutdown

! SVI interface for VLAN199


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.1 255.255.255.0
no shutdown

>>CE1-S1<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE2


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE2
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! switch port added to Internal network (VLAN10)


interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
no shutdown

! switch port added to Guest network (VLAN100)


interface FastEthernet0/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
no shutdown

! SVI interface for VLAN199 (Management)


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.10 255.255.255.0
no shutdown

! default gateway to CE1-H switch


ip default-gateway 192.168.199.1

MONITOR COMMANDS

show mpls ldp neighbor


show xconnect peer <IP> all
show xconnect interface
show mpls l2transport vc <VC-ID>
show mpls l2transport vc <VC-ID> detail
ping
traceroute, tracert

L2TPV3

Diagram: L2TPv3. PE1 (2.2.2.2) - 10.1.2.0/24 (.2/.1) - P (1.1.1.1) - 10.1.3.0/24 (.1/.3) - PE2 (3.3.3.3). CE1 (4.4.4.4, WAN 10.4.5.4/24, LAN 192.168.10.0/24) attaches to PE1 and CE2 (5.5.5.5, WAN 10.4.5.5/24, LAN 192.168.20.0/24) attaches to PE2; the two CEs share 10.4.5.0/24 across the pseudowire.

L2TPV3 USING STATIC TUNNELS

>>PE1<<
! management interface for PE1
interface Loopback0
ip address 2.2.2.2 255.255.255.255

! WAN interface to the MPLS P router


interface FastEthernet0/1
ip address 10.1.2.2 255.255.255.0
no shutdown

! configure cookie size to 4 bytes


l2tp-class manual
cookie size 4

! enable L2TPv3 and use Loopback0 for building the tunnel to PE2
pseudowire-class manual
encapsulation l2tpv3
protocol none
ip local interface Loopback0

! interface connected to CE1


interface FastEthernet0/0
no ip address
duplex auto
speed auto
! build L2TPv3 tunnel to PE2 (using its Loopback interface)
xconnect 3.3.3.3 1 encapsulation l2tpv3 manual pw-class manual
l2tp id 1 1
l2tp cookie local 4 1
l2tp cookie remote 4 1
l2tp hello manual

>>PE2<<
! management interface for PE2
interface Loopback0
ip address 3.3.3.3 255.255.255.255

! WAN interface to the MPLS P router


interface FastEthernet0/1
ip address 10.1.3.3 255.255.255.0
no shutdown

! configure cookie size to 4 bytes


l2tp-class manual
cookie size 4

! enable L2TPv3 and use Loopback0 for building the tunnel to PE1
pseudowire-class manual
encapsulation l2tpv3
protocol none
ip local interface Loopback0

! interface connected to CE2


interface FastEthernet0/0
no ip address
duplex auto
speed auto
! build L2TPv3 tunnel to PE1 (using its Loopback interface)
xconnect 2.2.2.2 1 encapsulation l2tpv3 manual pw-class manual
l2tp id 1 1
l2tp cookie local 4 1
l2tp cookie remote 4 1
l2tp hello manual
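
The following is an added example, not the guide's code: it builds and checks the data-plane header that RFC 3931 places directly after the IP header (IP protocol 115) for the static session above: a 32-bit Session ID from "l2tp id" followed by the cookie whose length comes from "cookie size 4" and whose value comes from "l2tp cookie local/remote 4 1". The receive side shows what the cookie buys: a packet that names session 1 but carries a different cookie is counted and dropped instead of being forwarded onto the attachment circuit. The Ethernet payload is constructed.

```python
"""L2TPv3-over-IP data header for the static pseudowire above (added example)."""
import struct

L2TPV3_IP_PROTOCOL = 115      # IANA protocol number for L2TPv3 over IP

# Constructed Layer 2 payload: start of a broadcast ARP request
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806 0001 0800 0604 0001")


def cookie_bytes(size: int, value: int) -> bytes:
    """``l2tp cookie local 4 1`` -> 00 00 00 01 (big-endian, size bytes)."""
    if size not in (0, 4, 8):
        raise ValueError("L2TPv3 cookie size must be 0, 4 or 8 bytes")
    return value.to_bytes(size, "big")


def build_data_message(session_id: int, cookie: bytes, payload: bytes) -> bytes:
    """Session ID (4 bytes) + cookie (0/4/8 bytes) + Layer 2 payload."""
    if len(cookie) not in (0, 4, 8):
        raise ValueError("L2TPv3 cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + payload


class StaticSession:
    """One end of the manual session.  local_id/remote_id mirror
    ``l2tp id <local> <remote>``; local_cookie is what this end expects in
    packets addressed to it, remote_cookie what it writes into packets it sends."""

    def __init__(self, local_id, remote_id, local_cookie, remote_cookie):
        self.local_id, self.remote_id = local_id, remote_id
        self.local_cookie, self.remote_cookie = local_cookie, remote_cookie
        self.dropped = 0

    def encapsulate(self, frame: bytes) -> bytes:
        """Tag the frame with the peer's session ID and the peer's cookie."""
        return build_data_message(self.remote_id, self.remote_cookie, frame)

    def decapsulate(self, packet: bytes):
        """Return the Layer 2 frame, or None (and count a drop) when the
        session ID or the cookie does not match this end's local values."""
        size = len(self.local_cookie)
        if len(packet) < 4 + size:
            self.dropped += 1
            return None
        session_id = struct.unpack("!I", packet[:4])[0]
        if session_id != self.local_id or packet[4:4 + size] != self.local_cookie:
            self.dropped += 1
            return None
        return packet[4 + size:]


def demo():
    """PE1 -> PE2 with the page's values, then a packet with a wrong cookie."""
    pe1 = StaticSession(1, 1, cookie_bytes(4, 1), cookie_bytes(4, 1))
    pe2 = StaticSession(1, 1, cookie_bytes(4, 1), cookie_bytes(4, 1))
    good = pe1.encapsulate(SAMPLE_FRAME)
    # Constructed: correct session ID 1, but cookie 0x00000002 instead of 1
    bad = build_data_message(1, cookie_bytes(4, 2), SAMPLE_FRAME)
    return pe2.decapsulate(good), pe2.decapsulate(bad), pe2.dropped
```

The cookie is the only check a static (protocol none) session has against packets that reach the loopback with a guessable session ID, so a value of 1 with a 4-byte size, as in this lab, is fine for demonstrating the format but gives little protection; an 8-byte random cookie per direction is the configuration a production pseudowire should carry.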

>>CE1<<
! management interface for CE1
interface Loopback0
ip address 4.4.4.4 255.255.255.255

! WAN interface connecting to PE1


interface FastEthernet0/0
ip address 10.4.5.4 255.255.255.0

! LAN interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0

! EIGRP routing process used between CE1 and CE2


router eigrp 1
network 4.4.4.4 0.0.0.0
network 10.4.5.0 0.0.0.255
network 192.168.10.0
no auto-summary

>>CE2<<
! management interface for CE2
interface Loopback0
ip address 5.5.5.5 255.255.255.255

! WAN interface connecting to PE2


interface FastEthernet0/0
ip address 10.4.5.5 255.255.255.0

! LAN interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

! EIGRP routing process used between CE1 and CE2


router eigrp 1
network 5.5.5.5 0.0.0.0
network 10.4.5.0 0.0.0.255
network 192.168.20.0
no auto-summary

MONITOR COMMANDS

show xconnect all


show l2tun tunnel
show l2tp session
show mpls l2transport vc <VC-ID> detail

VPLS

Diagram: VPLS. PE1 (2.2.2.2) - 10.1.2.0/24 (.2/.1) - P (1.1.1.1) - 10.1.3.0/24 (.1/.3) - PE2 (3.3.3.3); PE3 (4.4.4.4) attaches to P over 10.1.4.0/24 (.1/.4). CE1-H connects to PE1, CE1-S1 to PE2 and CE1-S2 to PE3, each over an 802.1Q trunk carrying VLANs 10, 100 and 199.

VPLS (VLAN-BASED)

>>PE1<<
! management interface for PE1
interface Loopback0
ip address 2.2.2.2 255.255.255.255

! VPLS profile for Client 1


l2 vfi VPLS-CLIENT1 manual
! unique VPLS ID for Client 1
vpn id 50
! VPLS peers on MPLS network
neighbor 3.3.3.3 encapsulation mpls
neighbor 4.4.4.4 encapsulation mpls

! add VLAN10 used for Client 1


vlan 10
name RHG-CE1-INTERNAL
state active

! add VLAN100 used for Client 1


vlan 100
name RHG-CE1-GUEST
state active

! add VLAN199 used for Client 1


vlan 199
name RHG-CE1-MGMT
state active

interface Vlan10
! build VPLS tunnels to all VPLS peers for VLAN10
xconnect vfi VPLS-CLIENT1

interface Vlan100
! build VPLS tunnels to all VPLS peers for VLAN100
xconnect vfi VPLS-CLIENT1

interface Vlan199
! build VPLS tunnels to all VPLS peers for VLAN199
xconnect vfi VPLS-CLIENT1

! interface connected to CE1-H


interface FastEthernet4/1
switchport
! enable 802.1Q trunking (set the encapsulation before placing the port in trunk mode)
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 to CE1-H
switchport trunk allowed vlan 10,100,199
no shutdown

>>PE2<<
! management interface for PE2
interface Loopback0
ip address 3.3.3.3 255.255.255.255

! VPLS profile for Client 1


l2 vfi VPLS-CLIENT1 manual
! unique VPLS ID for Client 1
vpn id 50
! VPLS peers on MPLS network
neighbor 2.2.2.2 encapsulation mpls
neighbor 4.4.4.4 encapsulation mpls

! add VLAN10 used for Client 1


vlan 10
name RHG-CE1-INTERNAL
state active

! add VLAN100 used for Client 1


vlan 100
name RHG-CE1-GUEST
state active

! add VLAN199 used for Client 1


vlan 199
name RHG-CE1-MGMT
state active

interface Vlan10
! build VPLS tunnels to all VPLS peers for VLAN10
xconnect vfi VPLS-CLIENT1

interface Vlan100
! build VPLS tunnels to all VPLS peers for VLAN100
xconnect vfi VPLS-CLIENT1

interface Vlan199
! build VPLS tunnels to all VPLS peers for VLAN199
xconnect vfi VPLS-CLIENT1

! interface connected to CE1-S1


interface FastEthernet4/1
switchport
! enable 802.1Q trunking (set the encapsulation before placing the port in trunk mode)
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 to CE1-S1
switchport trunk allowed vlan 10,100,199
no shutdown

>>PE3<<
! management interface for PE3
interface Loopback0
ip address 4.4.4.4 255.255.255.255

! VPLS profile for Client 1


l2 vfi VPLS-CLIENT1 manual
! unique VPLS ID for Client 1
vpn id 50
! VPLS peers on MPLS network
neighbor 2.2.2.2 encapsulation mpls
neighbor 3.3.3.3 encapsulation mpls

! add VLAN10 used for Client 1


vlan 10
name RHG-CE1-INTERNAL
state active

! add VLAN100 used for Client 1


vlan 100
name RHG-CE1-GUEST
state active

! add VLAN199 used for Client 1


vlan 199
name RHG-CE1-MGMT
state active

interface Vlan10
! build VPLS tunnels to all VPLS peers for VLAN10
xconnect vfi VPLS-CLIENT1

interface Vlan100
! build VPLS tunnels to all VPLS peers for VLAN100
xconnect vfi VPLS-CLIENT1

interface Vlan199
! build VPLS tunnels to all VPLS peers for VLAN199
xconnect vfi VPLS-CLIENT1

! interface connected to CE1-S2


interface FastEthernet4/1
switchport
! enable 802.1Q trunking (set the encapsulation before placing the port in trunk mode)
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 to CE1-S2
switchport trunk allowed vlan 10,100,199
no shutdown

>>CE1-H<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE1


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE1
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! SVI interface for VLAN10


interface Vlan 10
description RHG VLAN SVI INTERNAL
ip address 192.168.10.1 255.255.255.0
no shutdown

! SVI interface for VLAN100


interface Vlan 100
description RHG VLAN SVI GUEST
ip address 192.168.100.1 255.255.255.0
no shutdown

! SVI interface for VLAN199


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.1 255.255.255.0
no shutdown

>>CE1-S1<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE2


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE2
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! switch port added to Internal network (VLAN10)


interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
no shutdown

! switch port added to Guest network (VLAN100)


interface FastEthernet0/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
no shutdown

! SVI interface for VLAN199 (Management)


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.10 255.255.255.0
no shutdown

! default gateway to CE1-H switch


ip default-gateway 192.168.199.1

>>CE1-S2<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE3


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE3
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! switch port added to Internal network (VLAN10)


interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
no shutdown

! switch port added to Guest network (VLAN100)


interface FastEthernet0/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
no shutdown

! SVI interface for VLAN199 (Management)


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.11 255.255.255.0
no shutdown

! default gateway to CE1-H switch


ip default-gateway 192.168.199.1

VPLS (QINQ, PORT-BASED)

>>PE1<<
! management interface for PE1
interface Loopback0
ip address 2.2.2.2 255.255.255.255

! VPLS profile for Client 1


l2 vfi VPLS-CLIENT1 manual
! unique VPLS ID for Client 1
vpn id 50
! VPLS peers on MPLS network
neighbor 3.3.3.3 encapsulation mpls
neighbor 4.4.4.4 encapsulation mpls

! add VLAN900 used for Client 1


vlan 900
name RHG-CE1-QinQ
state active

interface Vlan900
! build VPLS QinQ tunnels to all VPLS peers for Client 1
xconnect vfi VPLS-CLIENT1

! interface connected to CE1-H


interface FastEthernet4/1
switchport
! enable QinQ (802.1Q tunneling): customer tags are carried inside S-VLAN 900
switchport mode dot1q-tunnel
switchport access vlan 900
! tunnel the customer's STP BPDUs across the provider instead of processing them locally
l2protocol-tunnel stp
no shutdown

>>PE2<<
! management interface for PE2
interface Loopback0
ip address 3.3.3.3 255.255.255.255

! VPLS profile for Client 1


l2 vfi VPLS-CLIENT1 manual
! unique VPLS ID for Client 1
vpn id 50
! VPLS peers on MPLS network
neighbor 2.2.2.2 encapsulation mpls
neighbor 4.4.4.4 encapsulation mpls

! add VLAN900 used for Client 1


vlan 900
name RHG-CE1-QinQ
state active

interface Vlan900
! build VPLS QinQ tunnels to all VPLS peers for Client 1
xconnect vfi VPLS-CLIENT1

! interface connected to CE1-S1


interface FastEthernet4/1
switchport
! enable QinQ (802.1Q tunneling): customer tags are carried inside S-VLAN 900
switchport mode dot1q-tunnel
switchport access vlan 900
! tunnel the customer's STP BPDUs across the provider instead of processing them locally
l2protocol-tunnel stp
no shutdown

>>PE3<<
! management interface for PE3
interface Loopback0
ip address 4.4.4.4 255.255.255.255

! VPLS profile for Client 1


l2 vfi VPLS-CLIENT1 manual
! unique VPLS ID for Client 1
vpn id 50
! VPLS peers on MPLS network
neighbor 2.2.2.2 encapsulation mpls
neighbor 3.3.3.3 encapsulation mpls

! add VLAN900 used for Client 1


vlan 900
name RHG-CE1-QinQ
state active

interface Vlan900
! build VPLS QinQ tunnels to all VPLS peers for Client 1
xconnect vfi VPLS-CLIENT1

! interface connected to CE1-S2


interface FastEthernet4/1
switchport
! enable QinQ (802.1Q tunneling): customer tags are carried inside S-VLAN 900
switchport mode dot1q-tunnel
switchport access vlan 900
! tunnel the customer's STP BPDUs across the provider instead of processing them locally
l2protocol-tunnel stp
no shutdown
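
The following is an added example, not code from the guide: it models what the dot1q-tunnel port with access VLAN 900 on each PE does to a customer frame. On ingress the PE pushes a second, outer tag carrying S-VLAN 900 in front of the customer's own 802.1Q tag; on egress the far PE pops that tag again, so the customer's VLANs 10, 100 and 199 cross the provider inside one VLAN without being re-tagged. Catalyst switches put TPID 0x8100 on the outer tag by default; the 802.1ad value 0x88A8 is also recognised here on parse. MAC addresses and payload are constructed.

```python
"""802.1Q-in-802.1Q framing for the port-based VPLS above (added example)."""
import struct

TPIDS = (0x8100, 0x88A8, 0x9100)    # tag protocol IDs treated as VLAN tags
S_VLAN = 900                        # provider VLAN from 'switchport access vlan 900'


def push_tag(frame: bytes, vlan: int, tpid: int = 0x8100, pcp: int = 0) -> bytes:
    """Insert a 4-byte VLAN tag right after the destination/source MACs."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost VLAN tag; raise if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] not in TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def vlan_stack(frame: bytes) -> list:
    """VLAN IDs from the outermost to the innermost tag."""
    vlans, off = [], 12
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] in TPIDS:
        vlans.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vlans


def customer_frame(vlan: int) -> bytes:
    """Constructed single-tagged frame as CE1-H sends it on its trunk."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    ipv4 = struct.pack("!H", 0x0800) + bytes(20)      # zeroed IPv4 header area
    return push_tag(dst + src + ipv4, vlan)


def pe_ingress(frame: bytes) -> bytes:
    """dot1q-tunnel port: push the S-tag, leave the customer tag untouched."""
    return push_tag(frame, S_VLAN)


def pe_egress(frame: bytes) -> bytes:
    """Far-end dot1q-tunnel port: pop the S-tag before handing to the CE."""
    if vlan_stack(frame)[:1] != [S_VLAN]:
        raise ValueError("outer tag is not the provider S-VLAN")
    return pop_tag(frame)


def provider_path(customer_vlan: int):
    """Return (tags seen in the provider core, tags delivered to the CE,
    whether the frame arrived unchanged)."""
    sent = customer_frame(customer_vlan)
    in_core = pe_ingress(sent)
    delivered = pe_egress(in_core)
    return vlan_stack(in_core), vlan_stack(delivered), delivered == sent
```

Every frame grows by four bytes inside the provider, which is why the core links and the VPLS pseudowires need an MTU that allows for the extra tag; the egress check that the outer tag is really S-VLAN 900 is the one place where a mis-tagged frame from another customer's tunnel would be refused.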

>>CE1-H<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE1


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE1
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! SVI interface for VLAN10


interface Vlan 10
description RHG VLAN SVI INTERNAL
ip address 192.168.10.1 255.255.255.0
no shutdown

! SVI interface for VLAN100


interface Vlan 100
description RHG VLAN SVI GUEST
ip address 192.168.100.1 255.255.255.0
no shutdown

! SVI interface for VLAN199


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.1 255.255.255.0
no shutdown

>>CE1-S1<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE2


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE2
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! switch port added to Internal network (VLAN10)


interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
no shutdown

! switch port added to Guest network (VLAN100)


interface FastEthernet0/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
no shutdown

! SVI interface for VLAN199 (Management)


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.10 255.255.255.0
no shutdown

! default gateway to CE1-H switch


ip default-gateway 192.168.199.1

>>CE1-S2<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL

! add VLAN100 used for the Guest network


vlan 100
name RHG-CE1-GUEST

! add VLAN199 used for the Management network


vlan 199
name RHG-CE1-MGMT

! WAN interface connecting to PE3


interface FastEthernet1/0/1
! enable 802.1Q trunking
switchport trunk encapsulation dot1q
switchport mode trunk
! tag VLANs 10,100, and 199 up to PE3
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown

! switch port added to Internal network (VLAN10)


interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
no shutdown

! switch port added to Guest network (VLAN100)


interface FastEthernet0/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
no shutdown

! SVI interface for VLAN199 (Management)


interface Vlan 199
description RHG VLAN SVI MGMT
ip address 192.168.199.11 255.255.255.0
no shutdown

! default gateway to CE1-H switch


ip default-gateway 192.168.199.1

MONITOR COMMANDS

show mpls l2transport vc <VC-ID> detail


VOICE AND UNIFIED COMMUNICATION SERVICES

VOICE AND UNIFIED COMMUNICATION SERVICES .............................................................................................. 224

VOICE GATEWAY ........................................................................................................................................................225


CISCO CALLMANAGER EXPRESS (CME) ...........................................................................................................................233
CISCO UNITY EXPRESS (CUE) ........................................................................................................................................269

Configuration Reference Guide | Voice and Unified Communication Services 224


VOICE GATEWAY

VOICE GATEWAY (p. 225)

MGCP (p. 225)
Voice Gateway and PRI (p. 226)
Voice Gateway and FXS Ports (Analog Devices) (p. 226)
Voice Gateway and FXO Ports (CO/PSTN) (p. 226)
Analog Lines: Groundstart (p. 227)
Test Calling on Voice Gateway (p. 227)
SIP Trunk (p. 227)
Hardware Conferencing & Transcoding (p. 228)
SRST (p. 229)
FXS ports connecting to FAX Server (Castelle) (p. 231)
Monitor (p. 231)

MGCP

! hostname and domain name for voice gateway
hostname vgr01
ip domain name routehub.local

! enable MGCP
mgcp
! specify Cisco UCM server
mgcp call-agent 10.67.78.181
mgcp sdp simple

! enable MGCP control by Cisco UCM (ccm-manager)
ccm-manager mgcp
ccm-manager fax protocol cisco
ccm-manager music-on-hold
! specify primary Cisco UCM server
ccm-manager config server 192.168.10.10
ccm-manager config
! specify secondary Cisco UCM server
ccm-manager redundant-host 192.168.10.11
ccm-manager fallback-mgcp
ccm-manager switchback immediate

! PRI module plugged into slot 3 on Cisco voice gateway
network-clock-participate wic 3

! enable MGCP on PRI interface
controller T1 0/3/0
framing esf
linecode b8zs
pri-group timeslots 1-24 service mgcp

VOICE GATEWAY AND PRI

[Diagram: VGR (voice gateway) connected to the PSTN over a PRI]

controller T1 0/0/0
! specify framing, clocking, and linecode
framing esf
clock source line primary
linecode b8zs
! specify if this is a PRI (or T1) including the number of channels
pri-group timeslots 1-3,24

VOICE GATEWAY AND FXS PORTS (ANALOG DEVICES)

[Diagram: analog phone connected to an FXS port on the VGR]

! FXS port
voice-port 0/1/0
! specify caller-ID name for the connected analog device
station-id name Analog 3001
! specify directory number for the connected analog device
station-id number 3001
! enable caller-ID
caller-id enable

VOICE GATEWAY AND FXO PORTS (CO/PSTN)

[Diagram: FXO port on the VGR connected to the PSTN]

! FXO port
voice-port 0/2/0
supervisory disconnect dualtone pre-connect
pre-dial-delay 0
no vad
timeouts call-disconnect 2
timeouts wait-release 2
! forward incoming call to DN 5000
connection plar 5000
caller-id enable

ANALOG LINES: GROUNDSTART

voice-port 0/1/0
! specify that this FXO port is using a Groundstart analog line
signal groundStart

TEST CALLING ON VOICE GATEWAY

! from the Cisco voice gateway dial a DID number (access code of 9)
csim start 919252302203

SIP TRUNK

[Diagram: 192.168.10.0/24 network with CME at .1 and a SIP peer at .10 reaching DN 7XXX]

* if a user dials 7001 the call will be routed across this SIP trunk

dial-peer voice 601 voip
! define route pattern
destination-pattern 7...
! specify trunking protocol to be SIP
session protocol sipv2
! specify the IP of the SIP device
session target ipv4:192.168.10.11
! SIP connection will use UDP for the setup
session transport udp

HARDWARE CONFERENCING & TRANSCODING

voice-card 0
dsp services dspfarm

! enable SCCP sourced from LAN interface (only Ethernet interface on voice gateway)
sccp local FastEthernet0/0
! specify primary Cisco UCM server
sccp ccm 192.168.10.10 identifier 1 priority 1
! specify secondary Cisco UCM server
sccp ccm 192.168.10.11 identifier 2 priority 2
! enable SCCP for transcoding and conferencing resources
sccp

! enable DSP resources for Transcoding (up to 8 sessions)
dspfarm profile 1 transcode
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
maximum sessions 8
! associate the SCCP application to profile
associate application SCCP

! enable DSP resources for Conferencing (up to 2 sessions)
dspfarm profile 2 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
codec g722-64
codec ilbc
maximum sessions 2
! associate the SCCP application to profile
associate application SCCP

sccp ccm group 1
! bind to the LAN facing interface
bind interface FastEthernet0/0
! associate the Cisco UCM identifiers
associate ccm 1 priority 1
associate ccm 2 priority 2
! associate the DSP profiles for transcoding and conferencing
associate profile 1 register CFB00131918FF24
associate profile 2 register MTP00131918FF24
keepalive retries 5
switchover method graceful
switchback interval 60

SRST

[Diagram: SRST router at .1 on 192.168.20.0/24 with an FXO connection to the PSTN, DN 6016778, and an 802.1q trunk carrying the voice VLAN (10) and data VLAN (100)]

* Main Office: EXT: 209XXXX (DID: 1-209-124-XXXX); example 2096778 (1-209-124-6778)
* Remote Office: EXT: 601XXXX (DID: 1-601-510-XXXX); example 6016778 (1-601-510-6778)

hostname vgr01ms

voice class h323 1
h225 timeout tcp establish 3

! translate calls using the main office extension to the full DID number
voice translation-rule 1
rule 1 /^209\(....\)/ /1209124\1/

! translation profile with associated translation rule
voice translation-profile ROUTEHUB-TP-INTERSITE
translate called 1

! translation rule that reduces the DID to a 4-digit extension
voice translation-rule 100
rule 1 /^1601510\(....\)/ /\1/

voice translation-profile voice
translate called 100

dial-peer voice 1 pots
! all incoming calls will be translated using the configured profile
translation-profile incoming voice
! all incoming calls into the voice gateway will use this dial-peer
incoming called-number .
direct-inward-dial
port 0/3/0:23

! H.323 route pattern for 911 calls
dial-peer voice 911 pots
destination-pattern 911
port 0/3/0:23
forward-digits all

! H.323 route pattern for local calls
dial-peer voice 100 pots
destination-pattern 9[2-9]......
port 0/3/0:23
forward-digits 7

! H.323 route pattern for long distance calls
dial-peer voice 101 pots
destination-pattern 91[2-9]..[2-9]......
port 0/3/0:23
forward-digits 11

! H.323 route pattern for inter-site calls (to main office)
dial-peer voice 201 pots
translation-profile outgoing ROUTEHUB-TP-INTERSITE
destination-pattern 209....
port 0/3/0:23

! enable SRST on the voice gateway
call-manager-fallback
secondary-dialtone 9
! basic conferencing support during SRST mode
max-conferences 4 gain -6
transfer-system full-consult
timeouts interdigit 5
timeouts busy 22
timeouts ringing 22
! IP of the voice gateway for SRST registration
ip source-address 192.168.20.1 port 2000
max-ephones 5
max-dn 5
! specify the DID number range
dialplan-pattern 1 16015106... extension-length 4
keepalive 10
! filename (in flash) for MoH
moh Nightmares.wav
! MoH streamed from local router via multicast
multicast moh 239.1.1.1 port 16384 route 192.168.20.1
time-zone 8

FXS PORTS CONNECTING TO FAX SERVER (CASTELLE)
[Diagram: VGR connected to the PSTN over a PRI or FXO, with analog lines on FXS ports 1/0/0 - 1/0/3 to the fax server (Castelle), DN 6XXX]

* These are FXS ports connecting to analog ports on a fax server (e.g. a Castelle fax server)
* Example: four FXS ports connect to the fax server, and 4 digits are passed from the PSTN.
* Someone sends a fax to 209-123-6111: 6111 is passed to the gateway.

! FXS port connected to Fax Server on analog port 1
dial-peer voice 101 pots
preference 4
! route pattern for incoming fax calls
destination-pattern 6...
fax rate disable
no digit-strip
direct-inward-dial
port 1/0/0
forward-digits all

...

! FXS port connected to Fax Server on analog port 4
dial-peer voice 104 pots
preference 7
! route pattern for incoming fax calls
destination-pattern 6...
fax rate disable
no digit-strip
direct-inward-dial
port 1/0/3
forward-digits all

MONITOR

debug voip ccapi inout
debug isdn q931
show voice dsp group all
show voice dsp voice
test voice translation-rule X

CISCO CALLMANAGER EXPRESS (CME)

CISCO CALLMANAGER EXPRESS (CME) (p. 233)

Base Configuration (p. 234)
Directory Numbers (p. 235)
Call Forward All (p. 235)
IP Phone Configuration (p. 235)
Voice and Data VLAN Configuration (p. 235)
Configuring DHCP on Cisco IOS (p. 236)
Mapping an Analog Line (DID) to an IP Phone (p. 236)
Configuring FXS port as a SCCP port (p. 237)
CME as SIP Server for SIP Clients (p. 238)
Blocking Incoming Calls from PSTN (p. 239)
Phone Directory (p. 239)
Single Number Reach (SNR) (p. 239)
Setting up SIP Trunk to SIP Provider (with CME/CUE) (p. 240)
Fast Dial (p. 245)
Sending Calls to Voicemail (CUE) (p. 245)
Hardware Conferencing (p. 246)
Conferencing: MeetMe (p. 247)
Conferencing: Adhoc (p. 248)
Paging (p. 248)
Intercom (p. 249)
Hunt Group (p. 249)
Call Park (p. 250)
How to Setup Phone Softkey Templates (p. 250)
Call Center (p. 251)
How to Setup A Custom Ring Tone (p. 252)
Extension Mobility (p. 253)
Phone Services (p. 253)
Fax to Email using T.37 (Voice and FAX on Same FXO port) (p. 254)
Fax to Email using T.37 (FAX on a different FXO port) (p. 255)
Cisco CME using Exchange 2007 UM (p. 257)
PLAR (p. 257)
Using a XML Menu File For Phone Services (p. 258)
MoH Port on Cisco UC520 (p. 258)
Num Exp (p. 259)
Monitor and Watch (p. 259)
Presence (p. 260)
Parallel Hunt Group (Call Blast) (p. 260)
Whisper Intercom (p. 260)
After Hours (p. 261)
Transfer Pattern (.T) (p. 261)
Call Forward Max Length (p. 261)
Enhanced Music On Hold (p. 262)
IP Phone Redundancy Using HSRP (p. 263)
IP Phone Redundancy using Secondary CME (p. 263)
Redundant CME using Gatekeepers (p. 264)
VoiceView (p. 265)
MWI on Second Line (p. 265)
IP Phone BackLight Display (p. 265)
Class of Restriction (CoR) (p. 265)

[Diagram: CME/CUE router at .1 on 192.168.10.0/24 with an FXO connection to the PSTN, DN 6700, an IP phone at .10, and an 802.1q trunk carrying the voice VLAN (10) and data VLAN (100)]

BASE CONFIGURATION

! create Voice VLAN
vlan 10
name ROUTEHUB-VLAN

! switch port with connected IP Phone assigned to Voice VLAN
interface FastEthernet0/1/1
description IP Phone Port
! assign Voice VLAN to interface
switchport access vlan 10

! configure IP address on VLAN SVI interface for Voice network
interface Vlan10
ip address 192.168.10.1 255.255.255.0

telephony-service
! specify IP for CME and SCCP port number (2000)
ip source-address 192.168.10.1 port 2000
! interdigit timeout (in seconds) while a user is dialing
timeouts interdigit 5
! configure banner on bottom of the IP phone
system message RouteHub UC520
! auto-assign ephone-dn 19 to phones that auto-register
auto assign 19 to 19
! enable video support
video
! specify timezone used by CME ; using PST timezone
time-zone 5
! specify voicemail pilot number
voicemail 6000
! configure username and password to access CME GUI page
web admin system name admin secret cisco123

! specify MOH file to stream
moh music-on-hold.au
call-forward pattern .T
call-forward system redirecting-expanded
transfer-system full-consult dss
transfer-pattern 9.T
secondary-dialtone 9

DIRECTORY NUMBERS

ephone-dn 10 dual-line
! specify directory number (extension)
number 6700
! specify what will be listed under the line appearance on the phone
label 6700 (Main)
! specify DN Qualified Display Name (we will use the actual DID number)
description 2091236700
! if a caller calls this DN and the line is busy forward to the voicemail pilot
call-forward busy 6000
! if a caller calls this DN with no answer within 15 seconds forward to the voicemail pilot
call-forward noan 6000 timeout 15

CALL FORWARD ALL

ephone-dn 10 dual-line
number 6700
! all calls made to DN 6700 will be forwarded to 4001
call-forward all 4001

IP PHONE CONFIGURATION

ephone 1
! MAC address of IP phone
mac-address 001C.58F0.7619
! specify IP phone model
type 7970
! associate DN to phone line appearance ; line 1 on the 7970 will use DN profile 10
button 1:10

VOICE AND DATA VLAN CONFIGURATION

! create Voice VLAN
vlan 10
name RHG-VOICE-VLAN

! create Data VLAN
vlan 100
name RHG-DATA-VLAN

! interface connected to IP phone with connected desktop
interface FastEthernet0/1
description EDGE: VLAN DATA+VOICE
! assign Data VLAN to interface
switchport access vlan 100
! specify interface mode to be an access port
switchport mode access
! assign Voice VLAN to interface
switchport voice vlan 10
spanning-tree portfast

! interface connected to a LAN Core or Aggregation layer
interface GigabitEthernet0/1
description UPLINK: LAN CORE OR AGG
! specify the Voice and Data VLAN tags to allow
switchport trunk allowed vlan 10,100
! enable interface mode to be a trunk (using 802.1q)
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

CONFIGURING DHCP ON CISCO IOS

! exclude the following range of IPs for DHCP leasing
ip dhcp excluded-address 192.168.10.1 192.168.10.29

ip dhcp pool ROUTEHUB-DHCP-LAN-POOL
! subnet for DHCP
network 192.168.10.0 255.255.255.0
! specify default gateway for DHCP clients
default-router 192.168.10.1
! specify DHCP option pointing to the IP for CME
option 150 ip 192.168.10.1
dns-server 4.2.2.2 4.2.2.3
lease infinite

MAPPING AN ANALOG LINE (DID) TO AN IP PHONE

! translation rule: a called number starting with 9 is rewritten to start with 19 (used for the user at ext 6700)
voice translation-rule 1
rule 1 /^9/ /19/

! translation profile associating translation rule #1
voice translation-profile TP-6700
translate called 1

! if user at extension 6700 dials any outgoing call it will use translation profile TP-6700
dial-peer voice 1 voip
translation-profile incoming TP-6700
answer-address 6700

! when user at extension 6700 dials any outgoing call it will route through FXO port 1/0/0
dial-peer voice 19 pots
destination-pattern 19T
port 1/0/0

voice-port 1/0/0
supervisory disconnect dualtone pre-connect
pre-dial-delay 0
no vad
timeouts call-disconnect 2
timeouts wait-release 2
! all incoming calls will go to extension 6700
connection plar opx 6700
caller-id enable

CONFIGURING FXS PORT AS A SCCP PORT

! enable SCCP sourced locally from VLAN10 interface
sccp local Vlan10
sccp ccm 192.168.10.1 identifier 1 priority 1 version 4.1
sccp

! define SCCP group for CCM
sccp ccm group 1
bind interface Vlan10
associate ccm 1 priority 1
keepalive retries 5
switchback method graceful

! enable SCCP telephone control application associating the SCCP group ID
stcapp ccm-group 1
stcapp

dial-peer voice 14 pots
! associate SCCP telephony control application to FXS port
service stcapp
! FXS port
port 0/0/0

voice-port 0/0/0
! FXS interface enabled for caller-ID
caller-id enable

ephone 2
device-security-mode none
! MAC address determined from "show stcapp device summary"
mac-address D456.7C69.0000
! specify this is an analog phone device
type anl
! associate DN to phone line appearance ; analog phone will use DN profile 10
button 1:10

CME AS SIP SERVER FOR SIP CLIENTS

! enable SIP server on Cisco router
voice register global
! operate in CME mode
mode cme
! specify IP and port for SIP server
source-address 192.168.10.1 port 5060
max-dn 12
max-pool 12
! specify timezone details
timezone 47
time-format 24
date-format YY-M-D
dst start Oct week 8 day Sun time 02:00
dst stop Mar week 8 day Sun time 02:00

! configure directory number profile (using ID 1)
voice register dn 1
! specify directory number
number 8700
! provide description of the directory number
name ROUTEHUB SIP client (X-lite)

! configure SIP phone profile
voice register pool 1
! specify MAC address for ID of SIP device
id mac 000C.F179.1682
! associate directory number profile 1 to SIP phone
number 1 dn 1
! specify SIP username and password
username 8700 password cisco6778
! specify codec to use
codec g711ulaw

! enable SIP communication between itself and other protocols on the router
voice service voip
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12

BLOCKING INCOMING CALLS FROM PSTN

! translation rule listing what DID numbers to block
voice translation-rule 5
rule 1 reject /8001234567/

! translation profile called "call_block"
voice translation-profile call_block
! associate translation for all calls placed (source) from the PSTN
translate calling 5

dial-peer voice 100 pots
! apply translation profile for incoming calls that should be dropped
call-block translation-profile incoming call_block
call-block disconnect-cause incoming call-reject
! FXO interface connecting into PSTN for placing and receiving calls
destination-pattern 9.T
incoming called-number .
port 0/1/0

PHONE DIRECTORY

telephony-service
directory first-name-first
! create phone directory entry #1 with the number and the phone entry description
directory entry 1 919252302203 name ROUTEHUB (Main)
! create phone directory entry #2 with the number and the phone entry description
directory entry 2 912091234567 name Other Number (Cell)

SINGLE NUMBER REACH (SNR)

! if someone calls this extension it will also ring the number listed under the SNR entry
ephone-dn 10 dual-line
number 6700 no-reg primary
! enable mobility to support SNR
mobility
! SNR entry to dial DID number in 2 sec and if no answer within 30 sec forward to voicemail
snr 919252302203 delay 2 timeout 30 cfwd-noan 6000

SETTING UP SIP TRUNK TO SIP PROVIDER (WITH CME/CUE)

IOS Version: 15.1

voice-card 0
dspfarm
dsp services dspfarm

sip-ua
! specify SIP username (usually the SIP number) and password supplied by SIP provider
authentication username 19252302204 password cisco6778
no remote-party-id
retry invite 2
retry register 10
timers connect 100
! specify DNS (or IP) of SIP proxy server on Internet (e.g. Viatalk)
registrar dns:sipproxy.routehub.local expires 3600
sip-server dns:sipproxy.routehub.local
host-registrar

! enable SIP communication between itself and other protocols on the router
voice service voip
! trusted source list for incoming VoIP calls; 0.0.0.0 0.0.0.0 trusts every source address, so narrow it to the SIP provider's addresses in production
ip address trusted list
ipv4 0.0.0.0 0.0.0.0
allow-connections sip to sip
supplementary-service h450.12
! disable 302 messages
no supplementary-service sip moved-temporarily
! disable REFER messages
no supplementary-service sip refer
sip
registrar server expires max 3600 min 3600
localhost dns:sipproxy.routehub.local

! translation rule used for incoming calls from SIP trunk
voice translation-rule 1
! map calls to the SIP trunk DID 19252302204 to extension 6700
rule 1 /19252302204/ /6700/

! translation rule used for outgoing calls to SIP trunk
voice translation-rule 2
! allow if users dial 911
rule 1 /^911$/ /911/
! any call placed over the SIP trunk will strip off the access code “9” before routing
rule 2 /^9\(.*\)$/ /\1/

! translation rule used for the calling number on outgoing calls to SIP trunk
voice translation-rule 3
! any extension or DID placing a call through the SIP trunk will be translated to the SIP number
rule 1 /^.*/ /19252302204/

! translation rule used for outgoing calls from CUE
voice translation-rule 4
! local 7-digit calls will have the local area code (925) added automatically
rule 1 /^8\(.......\)$/ /925\1/
! calls from extension 6001 (AA) will map to DID 925-230-2204
rule 2 /6001/ /19252302204/
! calls from extension 6000 (VM) will map to DID 925-230-2204
rule 3 /6000/ /19252302204/
! any other number starting with "8" has the leading 8 stripped before routing
rule 4 /^8\(.*\)$/ /\1/

! translation profile used for incoming calling from the SIP trunk
voice translation-profile RHG-TP-SIP-IN
! associate translation rule #1 that will translate DID to user extension
translate called 1

! translation profile used for outgoing calling over the SIP trunk
voice translation-profile RHG-TP-SIP-OUT
! associate translation rule #2 to strip the "9" access code from the called number
translate called 2
! associate translation rule #3 to present the SIP trunk number as the calling number
translate calling 3
translate redirect-target 4
translate redirect-called 4

! translation profile used for outgoing calls from CUE
voice translation-profile RHG-TP-SIP-CUE
translate redirect-target 4
translate redirect-called 4
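The translation rules in this guide (the SRST inter-site rules, the call_block reject rule and SIP trunk rules 1 to 4 above) can be checked off-box with the small emulator below. It is an added example, not Cisco code and not part of this guide; the rule strings are copied from this page, the sample numbers are constructed, and the IOS semantics it assumes are first-match-wins with sed-style replacement of the matched portion.

```python
import re

# Added example (not Cisco code): emulate how Cisco IOS evaluates a
# "voice translation-rule" set, in the spirit of "test voice translation-rule".
# Rule syntax as used in the configuration above:
#   rule <n> /<match>/ /<replace>/   rewrite the matched part of the number
#   rule <n> reject /<match>/        reject the call when the number matches


class CallRejected(Exception):
    """Raised when a 'reject' rule matches (the call-block behaviour)."""


def _ios_to_python(pattern: str) -> str:
    # IOS writes capture groups as \( \); Python uses ( ). The other
    # metacharacters on this page (^ $ . * [2-9]) mean the same in both.
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def parse_rule(line: str):
    """Parse one 'rule N ...' line into (number, action, match, replace)."""
    m = re.match(r"rule\s+(\d+)\s+(reject\s+)?/([^/]*)/(?:\s+/([^/]*)/)?\s*$",
                 line.strip())
    if not m:
        raise ValueError(f"unrecognised rule line: {line!r}")
    num, reject, match, repl = m.groups()
    if reject is None and repl is None:
        raise ValueError(f"rewrite rule needs a replacement: {line!r}")
    return int(num), "reject" if reject else "rewrite", _ios_to_python(match), repl


def translate(number: str, rules):
    """Apply a rule set the way IOS does: rules are tried in ascending order,
    the first whose match expression hits is applied and evaluation stops.
    Returns the (possibly unchanged) number, or raises CallRejected."""
    for _, action, match, repl in sorted(parse_rule(r) for r in rules):
        if re.search(match, number):
            if action == "reject":
                raise CallRejected(number)
            # like sed s///, only the matched portion is replaced
            return re.sub(match, repl, number, count=1)
    return number


def is_blocked(number: str, rules) -> bool:
    """True when a reject rule in the set matches the number."""
    try:
        translate(number, rules)
    except CallRejected:
        return True
    return False


def apply_profile(profile: dict, called: str, calling: str):
    """Apply a translation-profile ('translate called N' / 'translate calling N')
    to both numbers of a call; returns (called, calling) after translation."""
    return (translate(called, profile.get("called", [])),
            translate(calling, profile.get("calling", [])))


# Rule sets copied from the configuration on this page
SRST_INTERSITE = [r"rule 1 /^209\(....\)/ /1209124\1/"]   # voice translation-rule 1 (SRST)
SRST_DID_TO_EXT = [r"rule 1 /^1601510\(....\)/ /\1/"]      # voice translation-rule 100
CALL_BLOCK = [r"rule 1 reject /8001234567/"]                # voice translation-rule 5
SIP_OUT_CALLED = [r"rule 1 /^911$/ /911/",                  # voice translation-rule 2
                  r"rule 2 /^9\(.*\)$/ /\1/"]
SIP_OUT_CALLING = [r"rule 1 /^.*/ /19252302204/"]           # voice translation-rule 3
SIP_CUE = [r"rule 1 /^8\(.......\)$/ /925\1/",              # voice translation-rule 4
           r"rule 2 /6001/ /19252302204/",
           r"rule 3 /6000/ /19252302204/",
           r"rule 4 /^8\(.*\)$/ /\1/"]
RHG_TP_SIP_OUT = {"called": SIP_OUT_CALLED, "calling": SIP_OUT_CALLING}


if __name__ == "__main__":
    print(translate("2096778", SRST_INTERSITE))                # 12091246778
    print(apply_profile(RHG_TP_SIP_OUT, "92223333", "6700"))   # ('2223333', '19252302204')
    print(is_blocked("8001234567", CALL_BLOCK))                # True
```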

! specify supported codecs to use with SIP trunk
voice class codec 1
codec preference 1 g711ulaw

! configure dial peer for Incoming Calling
dial-peer voice 1 voip
description INCOMING: All Incoming Calling
! associate incoming translation profile to SIP trunk
translation-profile incoming RHG-TP-SIP-IN
destination-pattern .%
! associate SIP codec class to SIP trunk
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
! specify SIP protocol
session protocol sipv2
! use sip-ua configuration details
session target sip-server
! specify DTMF to use
dtmf-relay rtp-nte
no vad

! configure dial peer for 7-Digit Local Calling
dial-peer voice 7 voip
description OUTGOING: 7-Digit Local Calling
! associate outgoing translation profile to SIP trunk
translation-profile outgoing RHG-TP-SIP-OUT
! specify route pattern using “9” as the access code for placing outgoing calls
destination-pattern 9[2-9]......
! associate SIP codec class to SIP trunk
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
! specify SIP protocol
session protocol sipv2
! use sip-ua configuration details
session target sip-server
! specify DTMF to use
dtmf-relay rtp-nte
no vad

! configure dial peer for Long Distance Calling
dial-peer voice 11 voip
description OUTGOING: Long Distance Calling
! associate outgoing translation profile to SIP trunk
translation-profile outgoing RHG-TP-SIP-OUT
! specify route pattern using “9” as the access code for placing outgoing calls
destination-pattern 91[2-9]..[2-9]......
! associate SIP codec class to SIP trunk
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
! specify SIP protocol
session protocol sipv2
! use sip-ua configuration details
session target sip-server
! specify DTMF to use
dtmf-relay rtp-nte
no vad

! configure dial peer for Emergency Calling
dial-peer voice 9911 voip
description OUTGOING: Emergency Calling
! associate translation profile to SIP trunk
translation-profile outgoing RHG-TP-SIP-OUT
! specify route pattern using “9” as the access code for placing outgoing calls
destination-pattern 9911
! associate SIP codec class to SIP trunk
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
! specify SIP protocol
session protocol sipv2
! use sip-ua configuration details
session target sip-server
! specify DTMF to use
dtmf-relay rtp-nte
no vad

! configure dial peer for Emergency Calling
dial-peer voice 911 voip
description OUTGOING: Emergency Calling
! associate outgoing translation profile to SIP trunk
translation-profile outgoing RHG-TP-SIP-OUT
! specify route pattern for 911 without access code for placing outgoing calls
destination-pattern 911
! associate SIP codec class to SIP trunk
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
! specify SIP protocol
session protocol sipv2
! use sip-ua configuration details
session target sip-server
! specify DTMF to use
dtmf-relay rtp-nte
no vad

! configure dial peer for International Calling
dial-peer voice 9011 voip
description OUTGOING: International Calling
! associate outgoing translation profile to SIP trunk
translation-profile outgoing RHG-TP-SIP-OUT
! specify route pattern using “9” as the access code for placing outgoing calls
destination-pattern 9011T
! associate SIP codec class to SIP trunk
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
! specify SIP protocol
session protocol sipv2
! use sip-ua configuration details
session target sip-server
! specify DTMF to use
dtmf-relay rtp-nte
no vad

! configure dial peer for Voicemail
dial-peer voice 6000 voip
description CUE: Voicemail
! associate translation profile to CUE
translation-profile outgoing RHG-TP-SIP-CUE
! pilot number for voicemail
destination-pattern 6000
! used by CCME to send its IP address to the SIP proxy instead of CUE
b2bua
! specify SIP protocol
session protocol sipv2
! target to the CUE
session target ipv4:192.168.10.2
! specify DTMF to use
dtmf-relay sip-notify
codec g711ulaw
no vad

! configure dial peer for AA
dial-peer voice 6001 voip
description CUE AA
! associate translation profile to CUE
translation-profile outgoing RHG-TP-SIP-CUE
! pilot number for AA
destination-pattern 6001
! used by CCME to send its IP address to the SIP proxy instead of CUE
b2bua
! specify SIP protocol
session protocol sipv2
! target to the CUE (no space after "ipv4:")
session target ipv4:192.168.10.2
! specify DTMF to use
dtmf-relay sip-notify
codec g711ulaw
no vad

! configure dial peer that matches the MWI notification calls from CUE (8000xxxx = MWI on, 8001xxxx = MWI off)
dial-peer voice 800 voip
incoming called-number 800[01]....
codec g711ulaw
no vad

ephone-dn 10 dual-line
! directory numbers we don’t want to register with SIP-UA
number 6700 no-reg primary
name 6700
call-forward busy 6000
call-forward noan 6000 timeout 15

! directory number for MWI ON notification (don't register with SIP proxy)
ephone-dn 16
number 8000.... no-reg primary
mwi on

! directory number for MWI OFF notification (don't register with SIP proxy)
ephone-dn 17
number 8001.... no-reg primary
mwi off

! directory number for the SIP number (register with SIP proxy)
ephone-dn 18
number 9252302204
description "Main Number"

telephony-service
! preserves caller-ID of a call when transferred or forwarded
calling-number initiator
! enables translation rule features for forwarding
call-forward system redirecting-expanded

! For Reference: CUE configuration on CME router
interface Integrated-Service-Engine0/0
description RHG: CUE interface
ip unnumbered Vlan10
service-module ip address 192.168.10.2 255.255.255.0
service-module ip default-gateway 192.168.10.1

ip route 192.168.10.2 255.255.255.255 Integrated-Service-Engine0/0

>> Monitor <<

! Registration
show sip-ua register status
debug ccsip message

! Call setup
show ephone registered
show voice rtp connection
show sip-ua call
show call active voice brief
debug ccsip message

FAST DIAL

! go under the phone profile
ephone 1
! create fast dial entry (1) on the phone for extension 6702 with USER2 as the description
fastdial 1 6702 name USER2

SENDING CALLS TO VOICEMAIL (CUE)

! SIP trunk pointing to CUE for voicemail services
dial-peer voice 600 voip
! specify route pattern for voicemail pilot number
destination-pattern 6000
! specify SIP protocol
session protocol sipv2
! specify IP of CUE device
session target ipv4:192.168.10.2
dtmf-relay sip-notify
codec g711ulaw
no vad

telephony-service
! specify voicemail pilot number
voicemail 6000

ephone-dn 10 dual-line
number 6700 no-reg primary
! if a caller calls this DN and the line is busy forward to voicemail pilot
call-forward busy 6000
! if a caller calls this DN with no answer within 15 seconds forward to voicemail pilot
call-forward noan 6000 timeout 15

! directory number for MWI ON
ephone-dn 20
! directory number MWI ON will be 8000 followed by the 4-digit extension
number 8000.... no-reg primary
! directory number will be used for MWI ON (new voicemail)
mwi on

! directory number for MWI OFF
ephone-dn 21
! directory number MWI OFF will be 8001 followed by the 4-digit extension
number 8001.... no-reg primary
! directory number will be used for MWI OFF (no new voicemail)
mwi off

BACK TO CME

HARDWARE CONFERENCING

! enable SCCP sourced locally from VLAN10 interface
sccp local Vlan10
sccp ccm 192.168.10.1 identifier 1 priority 1 version 4.1
sccp

! define SCCP group for CCM
sccp ccm group 1
bind interface Vlan10
associate ccm 1 priority 1
! use the mac address from the Vlan10 interface
associate profile 1 register mtp001d4567c690
keepalive retries 5
switchback method graceful

! create voice class for custom tones when a caller leaves the conference call
voice class custom-cptone routehub-leave
dualtone conference
frequency 900 900
cadence 150 50 150 50

! create voice class for custom tones when a caller joins a conference call
voice class custom-cptone routehub-join
dualtone conference
frequency 1200 1200
cadence 150 50 150 50

! configure DSP profile for conferencing
dspfarm profile 1 conference
! specify supported codecs
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
! specify max number of conference bridges (based on DSP resources)
maximum sessions 8
! associate the two voice class used for the custom tones
conference-join custom-cptone routehub-join
conference-leave custom-cptone routehub-leave
! associate profile to use the SCCP application
associate application SCCP

telephony-service
! specify max number of conference bridges (based on DSP resources used)
max-conferences 8 gain -6
sdspfarm conference mute-on 11 mute-off 12
sdspfarm units 3
sdspfarm tag 1 mtp001d4567c690
! enable hardware conferencing for CME
conference hardware

CONFERENCING: MEETME

* Requires Hardware Conferencing to be configured first

! directory numbers for Meetme conferencing: four dual-line DNs share number 6999, and
! preference orders them so additional participants roll over to the next free DN
ephone-dn 22 dual-line
number 6999
conference meetme
no huntstop

ephone-dn 23 dual-line
number 6999
conference meetme
preference 1
no huntstop

ephone-dn 24 dual-line
number 6999
conference meetme
preference 2
no huntstop

! directory number for Meetme conferencing
ephone-dn 25 dual-line
number 6999
conference meetme
preference 3
no huntstop

CONFERENCING: ADHOC

* Requires Hardware Conferencing to be configured first

! directory numbers for Adhoc conferencing: two dual-line DNs share number 6998
ephone-dn 26 dual-line
number 6998
name Conference
conference ad-hoc
preference 1
no huntstop

ephone-dn 27 dual-line
number 6998
name Conference
conference ad-hoc
preference 2
no huntstop

PAGING

! directory number profile used for Paging
ephone-dn 1
! specify directory number used for Paging
number 6001
name ROUTEHUB Paging System
! specify paging multicast IP and port number 2000
paging ip 239.192.2.1 port 2000

! associate Paging profile to the IP Phones that should receive pages
ephone 1
paging-dn 1

ephone 3
paging-dn 1

INTERCOM

! directory number profile used for Intercom
ephone-dn 12
! specify directory number A5001 used for Intercom
number A5001 no-reg primary
label Intercom
name Intercom
! start an intercom session with directory number A5002
intercom A5002

! directory number profile used for Intercom
ephone-dn 13
! specify directory number A5002 used for Intercom
number A5002 no-reg primary
label Intercom
name Intercom
! start an intercom session with directory number A5001
intercom A5001

! associate Intercom DN A5002 (ephone-dn 13) to the following IP phone on line 3
ephone 1
type 7970
button 1:10 2:11 3:13 4:3

! associate Intercom DN A5001 (ephone-dn 12) to the following IP phone on line 2
ephone 3
type 7970
button 1:10 2:12 3:4

HUNT GROUP

! configure hunt group that rings the listed extensions one at a time, in the order listed
ephone-hunt 1 sequential
! specify the pilot number for the hunt group
pilot 6701
! list the extensions that will be included in the hunt group
list 6702, 6700
! if no member answers, send the call to the voicemail pilot
final 6000
preference 1
! ring each member for 15 seconds before moving on to the next one
timeout 15, 15

BACK TO CME

CALL PARK

ephone-dn 14
! specify directory number used for Call Park
number 6002
! remind the phone that parked the call every 30 seconds, up to 10 reminders, while it stays parked
park-slot timeout 30 limit 10
name ROUTEHUB CALL PARK

HOW TO SETUP PHONE SOFTKEY TEMPLATES

! configure softkey template profile
ephone-template 1
! specify available softkeys when a call is placed on HOLD
softkeys hold Newcall Resume Select Join
! specify available softkeys when the phone is IDLE
softkeys idle Redial Newcall Cfwdall Pickup ConfList Dnd
! specify available softkeys when a call is SEIZED
softkeys seized Redial Pickup Meetme Endcall
! specify available softkeys when a call is CONNECTED or active
softkeys connected Endcall ConfList Confrn Hold Join Park RmLstC

ephone 1
! apply the custom template to an IP phone
ephone-template 1
type 7970

ephone 1
! once completed reset the phone to use the new softkey template
reset

BACK TO CME

CALL CENTER

! the following files need to be obtained from Cisco's software center
app-b-acd-aa-2.1.2.3.tcl
app-b-acd-2.1.2.3.tcl

! copy the files to the flash on the CME router ; example below for one of the files
uc01tra#copy tftp flash:
Address or name of remote host []? 192.168.10.10
Source filename []? app-b-acd-aa-2.1.2.3.tcl
Destination filename [app-b-acd-aa-2.1.2.3.tcl]

! directory number used by Agent 1
ephone-dn 15 dual-line
number 2001

! directory number used by Agent 2
ephone-dn 16 dual-line
number 2002

! configure hunt group based on the extension that has been idle the longest
ephone-hunt 1 longest-idle
! pilot number used for the call center support group
pilot 6721
! list the extensions that will be included in the hunt group
list 2001, 2002
timeout 10, 10
! collect statistics for all call activity in this hunt group
statistics collect

telephony-service
! send call stats to the TFTP server and folder
hunt-group report url prefix tftp://192.168.10.10/data
hunt-group report url suffix 0 to 200
! send call stats to the TFTP server every 2 hours
hunt-group report every 2 hours

! add an application script (TCL) to the CME router
application
! enable the call center application on the CME router using the service name of "aa"
service aa flash:app-b-acd-aa-2.1.2.3.tcl
! the caller can press "2" to access the call center support group (the hunt group)
param aa-hunt2 6721
paramspace english index 1
! list the number of hunt groups that are configured on the CME system
param number-of-hunt-grps 1
! specify the number of callers in the queue at one time
param queue-len 5
param handoff-string aa
! the caller can press "1" to dial by extension on the CME system
param dial-by-extension-option 1
paramspace english language en
! main number to reach the main AA call center queue
param aa-pilot 6720
paramspace english location flash:
param second-greeting-time 30
param queue-manager-debugs 1
param call-retry-timer 15

! specify the amount of time a caller will wait in queue until it calls the pilot number again
param max-time-call-retry 300
! configure retry time to be 2, so after another 300 seconds forward the caller to voicemail
param max-time-vm-retry 2
! if the caller has been in the queue for more than 600 seconds forward to voicemail
param voice-mail 6000

! tell the "aa" service which queue service to hand calls to
param service-name queue

! enable call center queuing with the call center group(s)
service queue flash:app-b-acd-2.1.2.3.tcl
param queue-len 5
param queue-manager-debugs 1
param aa-hunt2 6721
param number-of-hunt-grps 1

! apply call center application to a dial peer
dial-peer voice 1009 voip
service aa
! main number to reach the AA call center queue. This is the number callers would dial into
destination-pattern 6720
! call center application is locally on the same CME router (192.168.10.1)
session target ipv4:192.168.10.1
incoming called-number 6720
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad

HOW TO SETUP A CUSTOM RING TONE

! create XML files (RingList.xml and DistinctiveRingList.xml) containing the following:
<CiscoIPPhoneRingList>
<Ring>
<!-- ring tone display name -->
<DisplayName>24</DisplayName>
<!-- ring tone file name (.raw format) located in the flash -->
<FileName>24.raw</FileName>
</Ring>
</CiscoIPPhoneRingList>

! copy ring tone file and XML files to flash on CME router via TFTP
copy tftp://192.168.10.10/24.raw flash:
copy tftp://192.168.10.10/RingList.xml flash:
copy tftp://192.168.10.10/DistinctiveRingList.xml flash:

! for each file copied configure TFTP entry that will be used by the IP phones
tftp-server flash:RingList.xml
tftp-server flash:DistinctiveRingList.xml
tftp-server flash:24.raw

BACK TO CME

EXTENSION MOBILITY

! configure user profile: the DNs and credentials a user carries to whatever phone they log in to
voice user-profile 1
! example values only; pick a PIN and password that cannot be guessed from the extension
pin 6778
user 78 password 78
number 6700,A5001,7700,2001 type feature-ring

! configure the logout profile: the DNs a phone presents when nobody is logged in, with its own
! username and password (here the same DNs, so the phone keeps working between logins)
voice logout-profile 1
pin 6778
! use this info for Extension Mobility login to load this profile on a phone
user 16778 password 6778
number 6700,A5001,7700,2001 type feature-ring

! associate the logout profile to the phone that uses the listed DNs today
ephone 1
logout-profile 1

telephony-service
! add URL pointing to itself for extension mobility login via the phone services button
url authentication http://192.168.10.1/voiceview/authentication/authenticate.do

PHONE SERVICES

telephony-service
! add the XML URL that will be listed under “Phone Services”
url services http://phone-xml.berbee.com/menu.xml

BACK TO CME

FAX TO EMAIL USING T.37 (VOICE AND FAX ON SAME FXO PORT)

! download TCL scripts from Cisco software center
app_faxmail_onramp.2.0.1.3.tcl
app_fax_detect.2.1.2.2.tcl

! copy files to flash on CME router (example of one file below)
uc01tra#copy tftp flash:
Address or name of remote host []? 192.168.10.10
Source filename []? app_faxmail_onramp.2.0.1.3.tcl
Destination filename [app_faxmail_onramp.2.0.1.3.tcl]

application
! enable TCL script applications
service onramp flash:app_faxmail_onramp.2.0.1.3.tcl
service fax_detect flash:app_fax_detect.2.1.2.2.tcl
! fax_detect parameters: listen for fax tones first; a caller can also press 1 for voice or 2 for fax
param fax-dtmf 2
param mode listen-first
param voice-dtmf 1

! configure Fax to Email using T.37
fax interface-type fax-mail
! specify IP of mail server including port number (TCP/25)
mta send server 192.168.10.10 port 25
! specify what the Subject line will read for new Fax messages received
mta send subject You Received a Fax!
mta send with-subject both
mta send postmaster sales@routehub.local
mta send mail-from hostname routehub.local
mta send mail-from username IncomingFax
mta send return-receipt-to hostname routehub.local
mta send return-receipt-to username ROUTEHUB
mta receive aliases routehub.local
mta receive aliases 192.168.10.10
mta receive maximum-recipients 10
mta receive generate permanent-error

! FXO port connecting to PSTN
voice-port 0/1/0
supervisory disconnect dualtone pre-connect
pre-dial-delay 0
no vad
timeouts call-disconnect 2
timeouts wait-release 2
! all incoming calls (voice or fax) are forwarded to DN 6700
connection plar opx 6700
caller-id enable

! all incoming calls are sent to this dial-peer from the voice port
dial-peer voice 100 pots
! apply TCL script "fax_detect" to determine if the call is a voice or fax call
service fax_detect
destination-pattern 9.T
! all incoming calls are sent to this dial-peer from the voice port
incoming called-number 6700
direct-inward-dial
port 0/1/0

! if the incoming call is a fax configure a MMOIP dial-peer for fax-to-email
dial-peer voice 7 mmoip
description FAX
! apply TCL script for converting fax message to TIFF format
service fax_on_vfc_onramp_app out-bound
destination-pattern 6700
information-type fax
! send fax message to the following email address
session target mailto:sales@routehub.local

BACK TO CME

FAX TO EMAIL USING T.37 (FAX ON A DIFFERENT FXO PORT)

! download TCL script from Cisco software center
app_faxmail_onramp.2.0.1.3.tcl

! copy file to flash on CME router
uc01tra#copy tftp flash:
Address or name of remote host []? 192.168.10.10
Source filename []? app_faxmail_onramp.2.0.1.3.tcl
Destination filename [app_faxmail_onramp.2.0.1.3.tcl]

application
! enable the TCL script application (no fax_detect here: this port only carries fax calls)
service onramp flash:app_faxmail_onramp.2.0.1.3.tcl

! configure Fax to Email using T.37
fax interface-type fax-mail
! specify IP of mail server including port number (TCP/25)
mta send server 192.168.10.10 port 25
! specify what the Subject line will read for new Fax messages received
mta send subject You Received a Fax!
mta send with-subject both
mta send postmaster sales@routehub.local
mta send mail-from hostname routehub.local

mta send mail-from username IncomingFax
mta send return-receipt-to hostname routehub.local
mta send return-receipt-to username ROUTEHUB
mta receive aliases routehub.local
mta receive aliases 192.168.10.10
mta receive maximum-recipients 10
mta receive generate permanent-error

! FXO port connected to PSTN
voice-port 0/1/1
! all incoming fax calls are forwarded to DN 6700
connection plar opx 6700
caller-id enable

! dial peer used for Fax to Email
dial-peer voice 101 pots
! apply TCL script for receiving fax calls
service onramp
incoming called-number 6700
direct-inward-dial
port 0/1/1

dial-peer voice 7 mmoip
description FAX
! apply TCL script for converting fax message to TIFF format
service fax_on_vfc_onramp_app out-bound
destination-pattern 6700
information-type fax
! send fax message to the following email address
session target mailto:sales@routehub.local

BACK TO CME

CISCO CME USING EXCHANGE 2007 UM

! IP configured on LAN used for the Voice network
interface Vlan10
ip address 192.168.10.1 255.255.255.0

voice service voip
allow-connections sip to sip
supplementary-service h450.12
sip
bind control source-interface Vlan10
bind media source-interface Vlan10
header-passing

! SIP trunk pointing to Exchange 2007 UM
dial-peer voice 303 voip
description EXCH2007-UM
! route pattern for all voicemail & AA pilot numbers on UM server
destination-pattern 671.
session protocol sipv2
! specify IP of Exchange UM server
session target ipv4:192.168.10.10
session transport tcp
dtmf-relay rtp-nte
codec g711alaw

BACK TO CME

PLAR

! voice interface (e.g. FXO or PRI) connected to PSTN
voice-port 0/1/0
! send all incoming calls to extension 6000
connection plar 6000

USING A XML MENU FILE FOR PHONE SERVICES

! XML file (menu.xml) consisting of phone service URLs (VoiceView, Berbee)
<?xml version="1.0" encoding="utf-8" ?>
<CiscoIPPhoneMenu>
<Title>Phone Services</Title>
<Prompt>Please make your selection.</Prompt>
<!-- phone service for VoiceView -->
<MenuItem>
<Name>VoiceView</Name>
<URL>http://192.168.10.2/voiceview/common/login.do</URL>
</MenuItem>
<!-- phone service for Berbee -->
<MenuItem>
<Name>Weather,News,Stocks</Name>
<URL>http://phone-xml.berbee.com/menu.xml</URL>
</MenuItem>
</CiscoIPPhoneMenu>

telephony-service
! configure phone service URL pointing to XML file on web server
url services http://www.routehub.local/menu.xml Phone Services
! reset all phones to use the new Phone services location
restart all

MOH PORT ON CISCO UC520

* default configuration on Cisco UC520 for the MOH port

voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control -15
description Music On Hold Port

dial-peer voice 5 pots
description ** MOH Port **
destination-pattern ABC
port 0/4/0
no sip-register

ephone-dn 9
number BCD no-reg primary
description MoH
moh ip 239.10.16.8 port 2139 out-call ABC

NUM EXP

* num-exp rewrites the called number of every call the router handles (incoming PSTN calls
* included) before dial-peer matching; it is a global substitution, not a per-dial-peer translation

! when 6778 is dialed it is expanded to extension 201 before the dial peers are matched
num-exp 6778 201

MONITOR AND WATCH

* Monitor: a button that shows whether a shared line is in use (it cannot be used to place or
* answer calls on that line)
* Watch: a button that shows the status of every line on the phone whose primary line is this
* directory number

! DN for the Receptionist (using DN 6700)
ephone-dn 10 dual-line
number 6700
label 6700 (Main)
description 2091236700
call-forward busy 6000
call-forward noan 6000 timeout 15

! DN for User 1 (using DN 6701)
ephone-dn 11 dual-line
number 6701
label 6701 (User1)
description 2091236701
call-forward busy 6000
call-forward noan 6000 timeout 15

! DN for User 2 (using DN 6702)
ephone-dn 12 dual-line
number 6702
label 6702 (User2)
description 2091236702
call-forward busy 6000
call-forward noan 6000 timeout 15

! IP Phone profile for Receptionist
ephone 10
! button one on the phone will use DN 6700
! button two on the phone will watch all line activities for the phone using DN 6701 as primary
! button three on the phone will monitor line status of DN 6702
button 1:10 2w11 3m12

PRESENCE

! enable presence on cme router
sip-ua
presence enable

presence
max-subscription 100
presence call-list

ephone-dn 11
number 6701
label 6701 (User1)
! enable DN to be watched by the presence service
allow watch

ephone 1
! phone 1 can monitor DN 6701 configured on DN-11
blf-speed-dial 1 6701 label "Duncan Rockwell"

PARALLEL HUNT GROUP (CALL BLAST)

! configure hunt group that will call to all extensions & numbers listed
voice hunt-group 1 parallel
! list the numbers that will be included in the hunt group
list 6702, 6700, 919252302203
! specify the pilot number for the hunt group
pilot 6701

WHISPER INTERCOM

* allows a user to intercom to a busy extension: the target hears the caller one-way without
* the party they are talking to hearing it

ephone-dn 10
number 6700
! perform a whisper intercom call to DN 6701; on the IP Phone it will be labeled as "User1"
whisper-intercom speed-dial 6701 label "User1"

ephone 1
! whisper intercom DN associated to button number 2
button 1:1 2:10

AFTER HOURS

telephony-service
! block long distance (91 + area code) during the schedule defined below; the pattern is a
! prefix match, so 91[2-9] is used rather than 91 to keep a phone that dials 911 directly
! from matching the blocked prefix
after-hours block pattern 1 91[2-9]
! any person dialing 900 numbers (24x7) will be blocked
after-hours block pattern 2 91900 7-24
! specify schedule when after-hours starts (7PM) and ends (8AM) for blocking the defined after
! hour rules
after-hours day mon 19:00 8:00
! allow users with a pin to override the blocks; log them out again after 60 idle minutes
login timeout 60

! IP phone that uses the after hour rules (the default for every phone)
ephone 1

! IP phone that doesn't use the after-hour rules
ephone 2
after-hours exempt

! once the pin number is dialed users can dial all numbers except for 900 numbers
ephone 3
pin 677
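The blocking rules above are easy to get subtly wrong (a prefix that also swallows 911, a window that crosses midnight, what a PIN login does and does not lift), so here is an added model of them in Python. It is not code from the guide or from Cisco; the policies, schedule and dialed numbers are constructed test data modeled on this section, and the PIN behaviour follows the section's statement that a logged-in user still cannot reach 900 numbers.

```python
"""Model of Cisco Unified CME after-hours call blocking (added example, not Cisco code).

Rules modeled: a block pattern is a digit-prefix match with "." and "[x-y]" wildcards;
a 7-24 pattern applies around the clock; other patterns apply only inside the configured
windows; an exempt phone ignores every pattern; a phone whose user logged in with a PIN
ignores the time-windowed ones. Policies and calls below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Tuple

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


@dataclass(frozen=True)
class BlockPattern:
    tag: int
    pattern: str          # Cisco digit pattern, e.g. "91[2-9]" or "91900"
    always: bool = False  # configured with the 7-24 keyword


@dataclass
class AfterHoursPolicy:
    patterns: List[BlockPattern]
    # after-hours day <day> <start> <end>; an end earlier than its start runs into the next day
    schedule: List[Tuple[str, time, time]] = field(default_factory=list)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Cisco digit pattern into a regex anchored at the start of the dialed
    string. Only the prefix has to match, which is why a bare "91" also covers 911."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == ".":
            out.append(r"\d")
        elif ch == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        elif ch.isdigit() or ch in "*#":
            out.append(re.escape(ch))
        else:
            raise ValueError(f"unsupported pattern character {ch!r}")
        i += 1
    return re.compile("^" + "".join(out))


def is_after_hours(policy: AfterHoursPolicy, weekday: str, now: time) -> bool:
    for day, start, end in policy.schedule:
        if start <= end:
            if weekday == day and start <= now < end:
                return True
        else:  # window spans midnight, e.g. mon 19:00 -> tue 08:00
            nxt = DAYS[(DAYS.index(day) + 1) % 7]
            if (weekday == day and now >= start) or (weekday == nxt and now < end):
                return True
    return False


def blocked_by(policy: AfterHoursPolicy, dialed: str, weekday: str, now: time,
               exempt: bool = False, logged_in: bool = False) -> Optional[int]:
    """Tag of the block pattern that stops this call, or None if the call goes through."""
    if exempt:  # after-hours exempt: the phone ignores every block pattern
        return None
    after_hours = is_after_hours(policy, weekday, now)
    for bp in policy.patterns:
        if not pattern_to_regex(bp.pattern).match(dialed):
            continue
        if bp.always:  # 7-24 patterns hold regardless of the time or a PIN login
            return bp.tag
        if after_hours and not logged_in:
            return bp.tag
    return None


def patterns_covering(policy: AfterHoursPolicy, dialed: str) -> List[int]:
    """Tags of every pattern whose prefix matches the number, ignoring the schedule.
    Run this with "911" before deploying a policy."""
    return [bp.tag for bp in policy.patterns if pattern_to_regex(bp.pattern).match(dialed)]


# Constructed sample: long distance blocked Monday 19:00 to Tuesday 08:00, 1-900 always.
LD_POLICY = AfterHoursPolicy(
    patterns=[BlockPattern(1, "91[2-9]"), BlockPattern(2, "91900", always=True)],
    schedule=[("mon", time(19, 0), time(8, 0))],
)
# The same policy with a bare "91" prefix, which silently takes 911 with it.
LOOSE_POLICY = AfterHoursPolicy(
    patterns=[BlockPattern(1, "91"), BlockPattern(2, "91900", always=True)],
    schedule=LD_POLICY.schedule,
)

if __name__ == "__main__":
    for pol, name in ((LD_POLICY, "91[2-9]"), (LOOSE_POLICY, "91")):
        print(f"patterns matching 911 with prefix {name}: {patterns_covering(pol, '911')}")
```

Run patterns_covering(policy, "911") against every after-hours policy before pushing it: the bare 91 prefix matches 911 and 91[2-9] does not, and the time-window logic shows that a Tuesday 07:30 call is still inside a window that started Monday 19:00.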

TRANSFER PATTERN (.T)

telephony-service
! allow call transfers to any destination, including PSTN numbers (by default transfers are
! limited to internal extensions); pair this with COR or after-hours blocking to limit toll fraud
transfer-pattern .T

CALL FORWARD MAX LENGTH

ephone-dn 10
number 6700
! DN 6700 can only forward up to a 4-digit number. Anything beyond that is dropped.
! Example: DN 6700 can forward calls to extension 6701, but not to local or LD number
call-forward max-length 4

ephone 1
button 1:1

ENHANCED MUSIC ON HOLD

* example: two groups (consulting & training) using a different MOH audio stream

telephony-service
! enable MOH for any IP Phone not assigned to a MOH group (default)
moh music-on-hold.au

! create MOH group 1
voice moh-group 1
! used for the consulting team
description Consulting for MOH
! specify MOH audio file to use for this group
moh music-on-hold-consulting.au
! specify unique MOH multicast address and the SCCP port number
multicast moh 239.1.1.1 port 2000

ephone-dn 10
number 6700
! MOH group 1 assigned to DN 6700 used by a consulting employee
moh-group 1

! create MOH group 2
voice moh-group 2
! used for the training team
description Training for MOH
! specify MOH audio file to use for this group
moh music-on-hold-training.au
! specify unique MOH multicast address and the SCCP port number
multicast moh 239.1.1.2 port 2000

ephone-dn 11
number 6701
! MOH group 2 assigned to DN 6701 used by a training employee
moh-group 2

IP PHONE REDUNDANCY USING HSRP

Topology: CME1 (192.168.10.2) and CME2 (192.168.10.3) on 192.168.10.0/24 share the HSRP VIP 192.168.10.1
>>CME1<<
interface fastethernet0/1
! primary HSRP router on CME1
ip address 192.168.10.2 255.255.255.0
standby ip 192.168.10.1
standby priority 150
standby preempt

telephony-service
! HSRP address used for the phone system (SCCP)
ip source-address 192.168.10.1 port 2000

>>CME2<<
interface fastethernet0/1
! secondary HSRP router on CME2
ip address 192.168.10.3 255.255.255.0
standby ip 192.168.10.1
standby priority 100

telephony-service
! HSRP address used for the phone system (SCCP)
ip source-address 192.168.10.1 port 2000

IP PHONE REDUNDANCY USING SECONDARY CME

Topology: CME1 (192.168.10.1) and CME2 (192.168.10.2) on 192.168.10.0/24

telephony-service
! specify the primary and secondary CME phone system routers
ip source-address 192.168.10.1 port 2000 secondary 192.168.10.2

REDUNDANT CME USING GATEKEEPERS

Topology: gatekeeper GK (192.168.11.1) reached across the WAN/ISP; CME1 (.1) and CME2 (.2) on 192.168.10.0/24 serve DNs 6XXX

>>CME1<<
interface loopback0
ip address 192.168.10.1 255.255.255.0
h323-gateway voip interface
! specify IP (and port number) of the gatekeeper router
h323-gateway voip id siteA ipaddr 192.168.11.1 1719
! specify ID that will be used by the gatekeeper
h323-gateway voip h323-id CME1
h323-gateway voip tech-prefix 1#
! specify the IP to use for registering with the gatekeeper
h323-gateway voip bind srcaddr 192.168.10.1

>>CME2<<
interface loopback0
ip address 192.168.10.2 255.255.255.0
h323-gateway voip interface
! specify IP (and port number) of the gatekeeper router
h323-gateway voip id siteA ipaddr 192.168.11.1 1719
! specify ID that will be used by the gatekeeper
h323-gateway voip h323-id CME2
h323-gateway voip tech-prefix 1#
! specify the IP to use for registering with the gatekeeper
h323-gateway voip bind srcaddr 192.168.10.2

>>GK<<
! enable gatekeeper services on the router
gatekeeper
! create local zone for the site with the CME routers and the local IP used for the gatekeeper
zone local TRA routehub.local 192.168.11.1
! primary call routing to IP phones using 6XXX extensions through CME1 (access code of 8)
zone prefix TRA 86... gw-priority 10 CME1
! secondary call routing to IP phones using 6XXX extensions through CME2 (access code of 8)
zone prefix TRA 86... gw-priority 9 CME2
! route calls with no matching zone prefix to gateways registered with technology prefix 1#
gw-type-prefix 1# default-technology

VOICEVIEW

! enable VoiceView under CUE
service voiceview
enable
session idletimeout 30
end

! on CME router
telephony-service
! add URL for VoiceView authentication on CME
url authentication http://192.168.10.2/voiceview/authentication/authenticate.do
! publish the VoiceView login URL to the phones under Phone Services
url services http://192.168.10.2/voiceview/common/login.do

MWI ON SECOND LINE

ephone 10
button 1:14 2:15
! enable MWI red light if a new voicemail comes in on line 2
mwi-line 2

IP PHONE BACKLIGHT DISPLAY

telephony-service
! turn the display on when a call comes in, even if the phone has dimmed it
service phone displayOnWhenIncomingCall 1

CLASS OF RESTRICTION (COR)

First configure the CoR objects which are equivalent to partitions in CUCM

! define CoR objects for the type of calls you want to restrict/permit
dial-peer cor custom
! object/partition for 911 calls
name RHG-P-911
! object/partition for 1-800-XXX-XXXX calls
name RHG-P-TOLL-1800
! object/partition for 1-900-XXX-XXXX calls
name RHG-P-TOLL-1900
! object/partition for local calls
name RHG-P-LOCAL
! object/partition for long distance calls
name RHG-P-LD

Next configure the CoR groups which are equivalent to CSS groups in CUCM

! create CoR group for 911 calling
dial-peer cor list RHG-CSS-EMERGENCY
member RHG-P-911

! create CoR group for toll free (1-800) calling
dial-peer cor list RHG-CSS-TOLL-1800
member RHG-P-TOLL-1800

! create CoR group for premium-rate (1-900) calling; kept separate so it can be granted on its own
dial-peer cor list RHG-CSS-TOLL-1900
member RHG-P-TOLL-1900

! create CoR group for Local calling
dial-peer cor list RHG-CSS-LOCAL
member RHG-P-LOCAL

! create CoR group for Long Distance calling
dial-peer cor list RHG-CSS-LD
member RHG-P-LD

! create CoR group for Open areas (e.g. Lobby, Break Room, Kitchen)
dial-peer cor list RHG-CSS-OPEN
! add 911 and local calling partitions
member RHG-P-911
member RHG-P-LOCAL

! create CoR group for Execs (e.g. CEO, VP, Directors, Managers)
dial-peer cor list RHG-CSS-EXEC
! add 911, 1800, 1900, local, & LD partitions
member RHG-P-911
member RHG-P-LOCAL
member RHG-P-TOLL-1800
member RHG-P-TOLL-1900
member RHG-P-LD

! create CoR group for employees
dial-peer cor list RHG-CSS-EMPLOYEES
! add 911, Local, and LD partitions
member RHG-P-911
member RHG-P-LOCAL
member RHG-P-LD

Associate COR group to the correct dial peer based on its calling pattern. A DN may use a dial peer
only if the DN's incoming list contains every member of the dial peer's outgoing list.

! dial peer for local calling
dial-peer voice 7 pots
destination-pattern 9[2-9]......
port 0/3/0:23
forward-digits 7
corlist outgoing RHG-CSS-LOCAL

! dial peer for long distance calling
dial-peer voice 11 pots
destination-pattern 91[2-9]..[2-9]......
port 0/3/0:23
forward-digits 11
corlist outgoing RHG-CSS-LD

! dial peer for 911 calling (dialed directly, no access code)
dial-peer voice 911 pots
destination-pattern 911
port 0/3/0:23
forward-digits 3
corlist outgoing RHG-CSS-EMERGENCY

! dial peer for 911 calling (dialed with the 9 access code; only the last 3 digits are sent)
dial-peer voice 9911 pots
destination-pattern 9911
port 0/3/0:23
forward-digits 3
corlist outgoing RHG-CSS-EMERGENCY

! dial peer for 1-800 calling (its own tag; tag 11 already belongs to the long distance dial peer)
dial-peer voice 1800 pots
destination-pattern 91800.......
port 0/3/0:23
forward-digits 11
corlist outgoing RHG-CSS-TOLL-1800

! dial peer for 1-900 calling
dial-peer voice 1900 pots
destination-pattern 91900.......
port 0/3/0:23
forward-digits 11
corlist outgoing RHG-CSS-TOLL-1900

Associate COR group to corresponding extension (e.g. Employees, Exec, Lobby)

! employee using extension x1001
! this user can make local, long distance, and 911 calls
ephone-dn 1
number 1001
cor incoming RHG-CSS-EMPLOYEES

! Lobby phone using extension x1002
! this phone can make local and 911 calls
ephone-dn 2
number 1002
cor incoming RHG-CSS-OPEN

! manager using extension x1003
! this user can make any call (local, LD, 911, 1-800, 1-900 calls)
ephone-dn 3
number 1003
cor incoming RHG-CSS-EXEC

! user extension (x1004) with no CoR group assigned
! a DN with no incoming COR list is unrestricted: it can make any call (local, LD, 911, 1-800,
! 1-900), so an extension missed during a COR rollout becomes the toll-fraud path; check that
! every DN carries a list before the PSTN trunk goes live
ephone-dn 4
number 1004
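The COR decision the examples above depend on (and the unrestricted extension that has no list) can be checked mechanically rather than by reading the configuration. The following is an added Python example, not code from the guide or from Cisco: it parses the COR lists, the dial peers' outgoing lists and the ephone-dns' incoming lists from running-config text and applies the subset rule. SAMPLE_CONFIG is constructed sample text modeled on this section; a 9011 international dial peer without a corlist is included deliberately to show what the audit flags.

```python
"""Class of Restriction (COR) checker for Cisco IOS / CME config text (added example).

Rule applied: a call is allowed when either side has no COR list; otherwise every
member of the outgoing dial peer's list must also be in the caller's incoming list.
SAMPLE_CONFIG is a constructed sample, not the guide's full configuration.
"""
import re
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG = """\
dial-peer cor list RHG-CSS-LD
 member RHG-P-LD
dial-peer cor list RHG-CSS-TOLL-1900
 member RHG-P-TOLL-1900
dial-peer cor list RHG-CSS-OPEN
 member RHG-P-911
 member RHG-P-LOCAL
dial-peer cor list RHG-CSS-EMPLOYEES
 member RHG-P-911
 member RHG-P-LOCAL
 member RHG-P-LD
dial-peer voice 11 pots
 destination-pattern 91[2-9]..[2-9]......
 corlist outgoing RHG-CSS-LD
dial-peer voice 1900 pots
 destination-pattern 91900.......
 corlist outgoing RHG-CSS-TOLL-1900
dial-peer voice 9011 pots
 destination-pattern 9011T
ephone-dn 1
 number 1001
 cor incoming RHG-CSS-EMPLOYEES
ephone-dn 2
 number 1002
 cor incoming RHG-CSS-OPEN
ephone-dn 4
 number 1004
"""

Entry = Dict[str, Optional[str]]


class CorConfig:
    def __init__(self) -> None:
        self.lists: Dict[str, Set[str]] = {}  # cor list name -> member (partition) names
        self.peers: Dict[str, Entry] = {}     # dial-peer tag -> pattern / outgoing list
        self.dns: Dict[str, Entry] = {}       # ephone-dn tag -> number / incoming list


def parse(config: str) -> CorConfig:
    """Section-aware scan of config text; only the COR-relevant commands are kept."""
    cfg, kind, key = CorConfig(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"dial-peer cor list (\S+)$", line):
            kind, key = "list", m.group(1)
            cfg.lists[key] = set()
        elif m := re.match(r"dial-peer voice (\d+) (?:pots|voip)$", line):
            kind, key = "peer", m.group(1)
            cfg.peers[key] = {"pattern": None, "corlist": None}
        elif m := re.match(r"ephone-dn (\d+)", line):
            kind, key = "dn", m.group(1)
            cfg.dns[key] = {"number": None, "cor": None}
        elif kind == "list" and (m := re.match(r"member (\S+)$", line)):
            cfg.lists[key].add(m.group(1))
        elif kind == "peer" and (m := re.match(r"destination-pattern (\S+)$", line)):
            cfg.peers[key]["pattern"] = m.group(1)
        elif kind == "peer" and (m := re.match(r"corlist outgoing (\S+)$", line)):
            cfg.peers[key]["corlist"] = m.group(1)
        elif kind == "dn" and (m := re.match(r"number (\S+)", line)):
            cfg.dns[key]["number"] = m.group(1)
        elif kind == "dn" and (m := re.match(r"cor incoming (\S+)$", line)):
            cfg.dns[key]["cor"] = m.group(1)
    return cfg


def cor_allows(cfg: CorConfig, incoming: Optional[str], outgoing: Optional[str]) -> bool:
    """No list on either side means no restriction; otherwise outgoing must be a subset."""
    if incoming is None or outgoing is None:
        return True
    return cfg.lists[outgoing] <= cfg.lists[incoming]


def reachable_patterns(cfg: CorConfig, extension: str) -> List[str]:
    """Destination patterns the extension is permitted to route calls to."""
    dn = next(d for d in cfg.dns.values() if d["number"] == extension)
    return sorted(p["pattern"] for p in cfg.peers.values()
                  if cor_allows(cfg, dn["cor"], p["corlist"]))


def audit(cfg: CorConfig) -> List[str]:
    """Findings: extensions with no list (unrestricted) and dial peers with no list
    (reachable from every extension, whatever its list)."""
    findings = [f"ephone-dn {t} ({d['number']}) has no 'cor incoming': unrestricted"
                for t, d in cfg.dns.items() if d["cor"] is None]
    findings += [f"dial-peer {t} ({p['pattern']}) has no 'corlist outgoing': open to every DN"
                 for t, p in cfg.peers.items() if p["corlist"] is None]
    return findings


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for ext in ("1001", "1002", "1004"):
        print(ext, "->", reachable_patterns(cfg, ext))
    print("\n".join(audit(cfg)))
```

Feed it the output of "show running-config" and compare reachable_patterns for a lobby extension against what the dial plan intends; the two audit findings for the sample (extension 1004 without a list, the 9011 dial peer without a list) are exactly the gaps the COR tables above leave open.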

Monitor
show ephone-dn summary
show telephony-service dial-peer
show dial-peer cor
debug voip ccapi inout
debug ephone detail

CISCO UNITY EXPRESS (CUE)
BACK

CISCO UNITY EXPRESS (CUE) ........................................................................................................................................269


Access to CUE .................................................................................................................................................................. 269
Upgrade CUE to Version 7.x ............................................................................................................................................. 270
Copying Files to CUE via CLI ............................................................................................................................................. 270
Base Configuration .......................................................................................................................................................... 270
Enable Voicemail Services ............................................................................................................................................... 271
Sending Calls to Voicemail (CUE) ..................................................................................................................................... 272
Create User Voice Mailboxes ........................................................................................................................................... 273
Basic Auto Attendant (AA) ............................................................................................................................................... 274
Resetting CUE Mailbox PIN ............................................................................................................................... 275
Voicemail Email Notifications .......................................................................................................................................... 276
Live Record ...................................................................................................................................................................... 277

[Diagram: CME/CUE router (192.168.10.1, FXO port to the PSTN) with DN 6700; 802.1q trunk to the LAN carrying the voice VLAN (10) and data VLAN (100); voice network 192.168.10.0 /24 with a host at .10]

ACCESS TO CUE

! interface used on voice network
interface Vlan10
ip address 192.168.10.1 255.255.255.0

! CUE interface (to CUE module)
interface Integrated-Service-Engine0/0
description ROUTEHUB: CUE interface
! CUE interface associated to VLAN10 interface
ip unnumbered Vlan10
ip nat inside
! IP assigned to CUE module
service-module ip address 192.168.10.2 255.255.255.0
! default gateway CUE module should use
service-module ip default-gateway 192.168.10.1

! static route to the CUE module
ip route 192.168.10.2 255.255.255.255 Integrated-Service-Engine0/0

! to console into the CUE module from the CME router
service-module integrated-Service-Engine 0/0 session

UPGRADE CUE TO VERSION 7.X

! specify FTP location, username, and password where the CUE files are located
software download server url ftp://192.168.10.10/cue7 username admin password cisco123

! files to download from the Cisco software center if using CUE 7.0.x on an ISE (UC520):
! the CUE zip file: cue-cm-k9.ise.7.0.1.zip
! the language pack: cue-vm-en_US-langpack.ise.7.0.1.prt1
! the license file: cue-vm-license_50mbx_cme_7.0.1.pkg

! download CUE version 7.0.1 package from FTP server
software download upgrade cue-vm-k9.ise.7.0.1.pkg

! install CUE version 7.0.1 package on CUE module
software install upgrade cue-vm-k9.ise.7.0.1.pkg

COPYING FILES TO CUE VIA CLI

! copy a file via FTP to the CCN subsystem (e.g. a prompt)
ccn copy url ftp://192.168.10.10/AAprompt1.wav prompt AAprompt1.wav

BASE CONFIGURATION

! assign hostname on CUE module
hostname cue01tra
! specify domain name to use
ip domain-name routehub.local
! specify timezone CUE will use
clock timezone America/Los_Angeles
! specify default language used by CUE
system language preferred "en_US"

! create user account "admin"
username admin create
! associate account "admin" to the "Administrators" group
groupname Administrators member admin

! create a new group on CUE called "Users"
groupname Users create

! enable SIP to CME router (default gateway for CUE)
ccn subsystem sip
gateway address "192.168.10.1"
end subsystem


ENABLE VOICEMAIL SERVICES

! enable voicemail application on CUE
ccn application voicemail
description "voicemail"
enabled
! the number of concurrent voicemail sessions
maxsessions 6
script "voicebrowser.aef"
parameter "logoutUri" "http://localhost/voicemail/vxmlscripts/mbxLogout.jsp"
parameter "uri" "http://localhost/voicemail/vxmlscripts/login.vxml"
end application

! create DN 6000 used for the voicemail pilot
ccn trigger sip phonenumber 6000
! associate voicemail application
application "voicemail"
enabled
maxsessions 6
end trigger

! enable MWI application on CUE
ccn application ciscomwiapplication
description "ciscomwiapplication"
enabled
! the number of concurrent MWI sessions (ON and OFF)
maxsessions 4
script "setmwi.aef"
! specify MWI ON and OFF directory numbers (8000 and 8001)
parameter "CallControlGroupID" "0"
parameter "strMWI_OFF_DN" "8001"
parameter "strMWI_ON_DN" "8000"
end application


SENDING CALLS TO VOICEMAIL (CUE)

! SIP trunk pointing to CUE for voicemail services
dial-peer voice 600 voip
! specify pattern for voicemail pilot number
destination-pattern 6000
! specify dial peer as a SIP trunk
session protocol sipv2
! specify IP of CUE device (no space after "ipv4:")
session target ipv4:192.168.10.2
dtmf-relay sip-notify
codec g711ulaw
no vad

telephony-service
! specify voicemail pilot number
voicemail 6000

ephone-dn 10 dual-line
number 6700 no-reg primary
! if a caller calls this DN and the line is busy, forward to the voicemail pilot
call-forward busy 6000
! if a caller calls this DN with no answer within 15 seconds, forward to the voicemail pilot
call-forward noan 6000 timeout 15

! directory number for MWI ON
ephone-dn 20
! the MWI ON directory number is 8000 followed by our 4-digit extension
number 8000.... no-reg primary
! directory number will be used for MWI ON (new voicemail)
mwi on

! directory number for MWI OFF
ephone-dn 21
! the MWI OFF directory number is 8001 followed by our 4-digit extension
number 8001.... no-reg primary
! directory number will be used for MWI OFF (no new voicemail)
mwi off

CREATE USER VOICE MAILBOXES

! create user account
username routehub create

! associate user account to Users group
groupname Users member routehub

! associate directory number (extension) to user account
username routehub phonenumber "6700"
! associate the DID number (E.164) to user account
username routehub phonenumberE164 "12091236700"

! create voice mailbox for user supporting up to 420 seconds in total
voicemail mailbox owner "routehub" size 420
description "User DN6700 mailbox"
! specify maximum size for a single voicemail message ; 60 seconds
messagesize 60
end mailbox

voicemail callerid
! specify default language ; English (US)
voicemail default language en_US
! specify default mailbox size ; 420 seconds
voicemail default mailboxsize 420
voicemail broadcast recording time 300
! specify default voicemail message size ; 240 seconds
voicemail default messagesize 240
voicemail notification restriction msg-notification
! specify the directory number to reach the Operator
voicemail operator telephone 0

! configure full name to support "Dial-By-Name" dialing ; configured in enable mode
username routehub fullname first Routehub last Group display "RHG" password cisco6778

BASIC AUTO ATTENDANT (AA)

! FXO port forwarding all calls to DN 6003
voice-port 0/0/3
supervisory disconnect dualtone pre-connect
pre-dial-delay 0
no vad
timeouts call-disconnect 2
timeouts wait-release 2
connection plar 6003
caller-id enable

! route pattern that will match the incoming call and forward to the CUE module
dial-peer voice 600 voip
! specify pattern for CUE services (VM, AA, prompt management, etc.)
destination-pattern 6...
! specify dial peer as a SIP trunk
session protocol sipv2
! specify IP of CUE device (no space after "ipv4:")
session target ipv4:192.168.10.2
dtmf-relay sip-notify
codec g711ulaw
no vad

! enable basic AA application on CUE
ccn application autoattendant aa
description "autoattendant"
enabled
maxsessions 6
script "aa.aef"
parameter "busClosedPrompt" "AABusinessClosed.wav"
parameter "holidayPrompt" "AAHolidayPrompt.wav"
parameter "welcomePrompt" "AAWelcome.wav"
parameter "disconnectAfterMenu" "false"
parameter "dialByFirstName" "false"
parameter "allowExternalTransfers" "false"
parameter "MaxRetry" "3"
parameter "dialByExtnAnytime" "false"
parameter "busOpenPrompt" "AABusinessOpen.wav"
parameter "businessSchedule" "systemschedule"
parameter "dialByExtnAnytimeInputLength" "4"
parameter "operExtn" "0"
end application

! create DN 6003 used for the AA pilot
ccn trigger sip phonenumber 6003
application "autoattendant"
enabled
locale "en_US"
maxsessions 4
end trigger

! Prompt Management: used for creating custom prompts for the AA system
! enable the prompt management application on CUE
ccn application promptmgmt
description "promptmgmt"
enabled
maxsessions 1
script "promptmgmt.aef"
end application

! create DN 6006 used for accessing the prompt management system
ccn trigger sip phonenumber 6006
application "promptmgmt"
enabled
idletimeout 5000
locale "en_US"
maxsessions 1
end trigger


RESETTING CUE MAILBOX PIN

! done from enable (exec) mode, not config mode
! reset CUE mailbox user "U103" PIN to 103
username U103 pin 103

VOICEMAIL EMAIL NOTIFICATIONS

! enable voicemail notification
voicemail notification enable
voicemail notification preference all
voicemail notification allow-login
voicemail notification email attach

! specify SMTP server and authentication (e.g. none)
smtp server address 192.168.10.10 authentication none

! specify the from address for voicemail email notifications
voicemail configuration outgoing-email from-address support@routehub.local

! create user account and specify directory number
username routehub create
username routehub phonenumber "6700"

! enable voicemail notification for user account "routehub"
voicemail notification owner routehub enable

! Note: the following configuration is done in enable mode, not config mode
! specify voicemail notification profile name (VM-6700) for user account
! specify the email address to send voicemail messages to
username routehub profile VM-6700 email address vm@routehub.local
! specify voicemail notification using email
username routehub profile VM-6700 email enable
username routehub profile VM-6700 email preference all
! voicemail messages sent via email should be sent as an attachment
username routehub profile VM-6700 email attach
! specify schedule for voicemail notification to 24 hours a day
username routehub profile VM-6700 email schedule day 1 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 2 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 3 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 4 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 5 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 6 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 7 active from 01:00 to 24:00

! commands for viewing voicemail notification for an account
show voicemail notification owner X profile
show voicemail notification owner X email


LIVE RECORD

! configure softkey template to include Live Record (LiveRcd) when a call is connected
ephone-template 1
softkeys connected LiveRcd Confrn Hold Park Trnsfer TrnsfVM

! apply template on the phone profiles that will use Live Record
ephone 1
ephone-template 1

telephony-service
! specify Live Record directory number
live-record 6005
! voicemail pilot number
voicemail 6000

ephone-dn 16
! configure DN 6005
number 6005
! all calls to Live Record are forwarded to the voicemail pilot
call-forward all 6000

! route pattern that will match CUE services to the CUE module
dial-peer voice 600 voip
destination-pattern 6...
session protocol sipv2
session target ipv4:192.168.10.2
dtmf-relay sip-notify
codec g711ulaw
no vad

! reset IP phones to use the new phone softkey template
ephone 6
reset

! Note: configured on CUE:
! specify the beep duration (in milliseconds) played on the recorded call
voicemail live-record beep duration 1000
! specify pilot number for Live Record
voicemail live-record pilot-number 6005


OTHER VOICE SOLUTIONS AND PRODUCTS

OTHER VOICE SOLUTIONS AND PRODUCTS .......................................................................................................................278


Cisco Unified CM and Microsoft OCS ............................................................................................................................... 278

CISCO UNIFIED CM AND MICROSOFT OCS

[Diagram: 192.168.10.0 /24 network; OCS (MOCS) server at .11 with DN +4XX; CUCM server at .10 with DN 5XX and DID 209-123-60XX]

OCS: 192.168.10.11 | DN 4XX
UCM: 192.168.10.10 | DN 5XX

voice service voip
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
redirect ip2ip
h323
h225 timeout setup 20
h245 tunnel disable
h245 caps mode restricted
sip
! the SIP reliable-provisional-response option tag is "100rel" (RFC 3262)
rel1xx supported "100rel"

! directory numbers with OCS start with a "+"
! this rule will remove the "+" from the 3-digit DN
voice translation-rule 4
rule 1 /^.*\(...\)/ /\1/

! translation profile for internal calling from OCS to UCM
voice translation-profile RHG-TP-OCS-CCM-internal
! translate the source (from OCS) by removing the "+"
translate calling 4

! dial plan used for internal calling from OCS to UCM
dial-peer voice 900 voip
description Calling from OCS to CCM (internal)
! associate translation profile
translation-profile outgoing RHG-TP-OCS-CCM-internal
! DN pattern for UCM phones
destination-pattern 5..
! SIP trunk to UCM server
session protocol sipv2
! define IP for UCM
session target ipv4:192.168.10.10
session transport tcp
! define codec
codec g711ulaw

! all local and LD calls placed from OCS will include a "9"
! at the beginning of the number before being routed to UCM to use the
! correct route pattern and routed to the voice gateway
voice translation-rule 1
rule 1 /^\(1[2-9].........\)$/ /9\1/
rule 2 /^\([2-9].........\)$/ /9\1/

! the last 2 digits of the extension for a phone on OCS
! will be included with the DID for the call
voice translation-rule 3
rule 1 /^.*\(..\)/ /20912360\1/

! translation profile for external calling from OCS through UCM
voice translation-profile RHG-TP-OCS-CCM-external
! translate the source of the call based on the rule defined
translate calling 3
! translate the destination of the call based on the rule defined
translate called 1

! dial plan used for long distance calling from OCS to UCM/PSTN
dial-peer voice 901 voip
description LD Calling from OCS to CCM (external)
! associate translation profile
translation-profile outgoing RHG-TP-OCS-CCM-external
! route pattern for LD calls
destination-pattern 1[2-9].........
! SIP trunk to UCM server
session protocol sipv2
! define IP of UCM
session target ipv4:192.168.10.10
session transport tcp
! define DTMF
dtmf-relay sip-kpml
! define codec
codec g711ulaw

! dial plan used for local calling from OCS to UCM/PSTN
dial-peer voice 903 voip
description Local Calling from OCS to CCM (external)
! associate translation profile
translation-profile outgoing RHG-TP-OCS-CCM-external
! route pattern for Local calls
destination-pattern [2-9].........
! SIP trunk to UCM server
session protocol sipv2
! define IP of UCM
session target ipv4:192.168.10.10
session transport tcp
! define DTMF
dtmf-relay sip-kpml
! define codec
codec g711ulaw

! phones on UCM placing internal calls to OCS will include a "+"
! at the start of the number before going to OCS
voice translation-rule 2
rule 1 /^424/ /+424/
rule 2 /^418/ /+418/
rule 3 /^404/ /+404/

! translation profile for internal calling from UCM to OCS
voice translation-profile RHG-TP-CCM-OCS-internal
! translate the destination of the call (to OCS) based on the rule defined
translate called 2

dial-peer voice 902 voip
description Calling from CCM to OCS (internal)
! associate translation profile
translation-profile outgoing RHG-TP-CCM-OCS-internal
! route pattern for DN used on OCS
destination-pattern 4..
! SIP trunk to OCS server
session protocol sipv2
! define IP of OCS
session target ipv4:192.168.10.11
session transport tcp
! define DTMF
dtmf-relay sip-kpml
! define codec
codec g711ulaw
no vad
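The OCS/UCM dial plan above is easier to reason about when dial-peer selection and the translation rules are run against sample numbers. The following Python script is an added example, not part of the guide or of Cisco's tooling: it encodes the page's dial peers (900, 901, 902, 903, plus the CUE peer 600 from the CUE sections) and translation rule sets 1 to 4, converts the IOS SED-style regex to Python syntax, and applies the first matching rule in a set, which is how IOS evaluates a rule set. The called and calling numbers fed to it are constructed; the longest-match tie-break is simplified to "most literal digits", which is sufficient for these patterns.

```python
"""Simulate IOS dial-peer selection and voice translation-rules (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Translation rule sets copied from the config above (IOS SED-style syntax:
# \( \) delimit a group and \1 refers back to it). First matching rule wins.
TRANSLATION_RULES: Dict[int, List[Tuple[str, str]]] = {
    1: [(r"^\(1[2-9].........\)$", r"9\1"),   # LD number: prepend 9
        (r"^\([2-9].........\)$", r"9\1")],   # local number: prepend 9
    2: [(r"^424", r"+424"), (r"^418", r"+418"), (r"^404", r"+404")],
    3: [(r"^.*\(..\)", r"20912360\1")],       # OCS DN -> its DID (last 2 digits kept)
    4: [(r"^.*\(...\)", r"\1")],              # strip the leading "+" from a 3-digit DN
}

# translation-profile NAME -> rule set applied to the calling / called number
PROFILES: Dict[str, Dict[str, int]] = {
    "RHG-TP-OCS-CCM-internal": {"calling": 4},
    "RHG-TP-OCS-CCM-external": {"calling": 3, "called": 1},
    "RHG-TP-CCM-OCS-internal": {"called": 2},
}


@dataclass(frozen=True)
class DialPeer:
    tag: int
    pattern: str                 # IOS destination-pattern
    target: str                  # session target IP
    profile: Optional[str] = None  # outgoing translation-profile, if any


DIAL_PEERS = [
    DialPeer(600, "6...", "192.168.10.2"),                                   # CUE services
    DialPeer(900, "5..", "192.168.10.10", "RHG-TP-OCS-CCM-internal"),
    DialPeer(901, "1[2-9].........", "192.168.10.10", "RHG-TP-OCS-CCM-external"),
    DialPeer(903, "[2-9].........", "192.168.10.10", "RHG-TP-OCS-CCM-external"),
    DialPeer(902, "4..", "192.168.10.11", "RHG-TP-CCM-OCS-internal"),
]


def ios_regex_to_python(pattern: str) -> str:
    """IOS writes capture groups as backslash-parentheses; Python uses bare ones."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def apply_rule_set(rule_id: int, number: str) -> str:
    """Apply the first rule whose match pattern matches; unchanged if none does."""
    for match, replacement in TRANSLATION_RULES[rule_id]:
        regex = ios_regex_to_python(match)
        if re.search(regex, number):
            return re.sub(regex, replacement, number, count=1)
    return number


def pattern_to_regex(pattern: str) -> str:
    """destination-pattern semantics: '.' is any single digit, [x-y] is kept."""
    return "^" + pattern.replace(".", "[0-9]") + "$"


def explicit_digits(pattern: str) -> int:
    """Literal digits in a pattern; IOS prefers the most explicit matching peer."""
    return len(re.sub(r"\[[^\]]*\]|\.", "", pattern))


def route_call(called: str, calling: str) -> Optional[Tuple[int, str, str, str]]:
    """Select the dial peer for CALLED and return (tag, target, calling, called)
    after the peer's outgoing translation-profile has been applied."""
    candidates = [dp for dp in DIAL_PEERS
                  if re.fullmatch(pattern_to_regex(dp.pattern), called)]
    if not candidates:
        return None
    best = max(candidates, key=lambda dp: explicit_digits(dp.pattern))
    new_calling, new_called = calling, called
    if best.profile:
        rules = PROFILES[best.profile]
        if "calling" in rules:
            new_calling = apply_rule_set(rules["calling"], calling)
        if "called" in rules:
            new_called = apply_rule_set(rules["called"], called)
    return best.tag, best.target, new_calling, new_called


if __name__ == "__main__":
    # constructed sample calls: (called, calling)
    for called, calling in [("512", "+424"), ("12091234567", "+424"),
                            ("2091234567", "+418"), ("424", "512"), ("6000", "6700")]:
        print(f"{calling} -> {called}: {route_call(called, calling)}")
```

Running it shows, for example, that an OCS phone +424 calling 12091234567 is sent to UCM as 912091234567 with the calling number rewritten to its DID 2091236024, and that a UCM phone calling 424 reaches OCS as +424. A number that matches no pattern returns None, which on a real gateway would be a failed call, so any new DN range needs a dial peer added before it is used.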

WIRELESS SERVICES

WIRELESS SERVICES ........................................................................................................................................... 281

CISCO IOS WIRELESS...................................................................................................................................................282


Base Configuration .......................................................................................................................................................... 282
WLAN using WPA/TKIP .................................................................................................................................................... 283
WLAN using WPA2/AES and EAP ..................................................................................................................................... 284
WLAN using WEP ............................................................................................................................................................. 285
EAP-FAST ......................................................................................................................................................................... 286
EAP-LEAP ......................................................................................................................................................................... 287
MAC Filtering ................................................................................................................................................................... 288
LAN Switch Port Configuration ........................................................................................................................................ 288
Broadcast Multiple SSID .................................................................................................................................................. 288
Monitor............................................................................................................................................................................ 289
CISCO WIRELESS LAN CONTROLLER (WLC) .....................................................................................................................290
Cisco WLC Switch Ports.................................................................................................................................................... 290

Configuration Reference Guide | Wireless Services 281


CISCO IOS WIRELESS

Vlan99: 192.168.99.0 /24 (MGMT)
Vlan10: 192.168.10.0 /24 (WIFI using WPA/TKIP)
Vlan11: 192.168.11.0 /24 (WIFI using WPA2/AES/EAP)
Vlan12: 192.168.12.0 /24 (WIFI using WEP)
Vlan20: 192.168.20.0 /24 (SERVERS)

[Diagram: standalone AP connected to the LAN switch over an 802.1q trunk carrying Vlan99 and Vlan10-12; server 192.168.20.10 on vlan20; gateway .1]

BASE CONFIGURATION

! bridge group for "management" network
bridge 1 protocol ieee

! management interface for standalone AP
interface BVI1
ip address 192.168.99.10 255.255.255.0

! default gateway
ip default-gateway 192.168.99.1

! interface connected to LAN
interface FastEthernet0
! bring up LAN interface
no shutdown

! configure sub-interface for "management" and used for the native VLAN
interface FastEthernet0.99
! management interface will use VLAN99 to the LAN and will be untagged
encapsulation dot1Q 99 native
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
! associate default bridge group to interface
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled

interface Dot11Radio0
! bring up wireless radio interface
no shutdown
station-role root access-point
! enable 802.11b and 802.11g
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
! let the AP choose the frequency channel that is the least congested
channel least-congested


WLAN USING WPA/TKIP

! define VLAN and WLAN SSID name
dot11 vlan-name private vlan 10

! Wireless SSID for "private"
dot11 ssid private
! associate WLAN SSID to VLAN10
vlan 10
authentication open
! enable WPA
authentication key-management wpa
! configure WPA password
wpa-psk ascii Cisco123

! bridge group for "private" network
bridge 10 protocol ieee

interface Dot11Radio0
! enable TKIP with WPA
encryption vlan 10 mode ciphers tkip
! associate WLAN SSID for "private" under wireless radio
ssid private

! configure sub-interface under wireless radio for "private" network
interface Dot11Radio0.10
! "private" network tagged using VLAN10
encapsulation dot1Q 10
no ip route-cache
no cdp enable
! associate bridge group to interface
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled

! configure sub-interface under LAN interface for "private" network
interface FastEthernet0.10
! "private" network tagged using VLAN10
encapsulation dot1Q 10
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
! associate bridge group to interface
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled


WLAN USING WPA2/AES AND EAP

! define VLAN and WLAN SSID name
dot11 vlan-name private2 vlan 11

! define AAA group with RADIUS server IP and port numbers
aaa group server radius RADIUS-EAP
server 192.168.20.10 auth-port 1812 acct-port 1813

! RADIUS communication will use the BVI interface
ip radius source-interface BVI1

! define RADIUS server and shared key
! (key 0 = the key is typed in clear text here; key 7 expects the already-encrypted form)
radius-server host 192.168.20.10 auth-port 1812 acct-port 1813 key 0 Cisco123
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting

! associate RADIUS for user authentication
aaa authentication login ROUTEHUB-EAP group RADIUS-EAP

! Wireless SSID for "private2"
dot11 ssid private2
! associate WLAN SSID to VLAN11
vlan 11
! enable EAP authentication (e.g. PEAP) against the RADIUS server
authentication open eap ROUTEHUB-EAP
! enable WPA
authentication key-management wpa

! bridge group for "private2" network
bridge 11 protocol ieee

interface Dot11Radio0
! enable WPA2 using AES
encryption vlan 11 mode ciphers aes-ccm
! associate WLAN SSID for "private2" under wireless radio
ssid private2

! configure sub-interface under wireless radio for "private2" network
interface Dot11Radio0.11
! "private2" network tagged using VLAN11
encapsulation dot1Q 11
no ip route-cache
no cdp enable
! associate bridge group to interface
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled

! configure sub-interface under LAN interface for "private2" network
interface FastEthernet0.11
! "private2" network tagged using VLAN11
encapsulation dot1Q 11
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
! associate bridge group to interface
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled

WLAN USING WEP

! define VLAN and WLAN SSID name
dot11 vlan-name private-wep vlan 12

! Wireless SSID for "private-wep"
dot11 ssid private-wep
! associate WLAN SSID to VLAN12
vlan 12
authentication open

! bridge group for "private-wep" network
bridge 12 protocol ieee

interface Dot11Radio0
! enable WEP and define the 128-bit key for "private-wep" (VLAN12)
encryption vlan 12 key 1 size 128bit 12345678901234567890123456 transmit-key
! using a WEP key is required for association
encryption vlan 12 mode wep mandatory
! associate WLAN SSID for "private-wep" under wireless radio
ssid private-wep

! configure sub-interface under wireless radio for "private-wep" network
interface Dot11Radio0.12
! "private-wep" network tagged using VLAN12
encapsulation dot1Q 12
no ip route-cache
no cdp enable
! associate bridge group to interface
bridge-group 12
bridge-group 12 subscriber-loop-control
bridge-group 12 block-unknown-source
no bridge-group 12 source-learning
no bridge-group 12 unicast-flooding
bridge-group 12 spanning-disabled

! configure sub-interface under LAN interface for "private-wep" network
interface FastEthernet0.12
! "private-wep" network tagged using VLAN12
encapsulation dot1Q 12
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
! associate bridge group to interface
bridge-group 12
no bridge-group 12 source-learning
bridge-group 12 spanning-disabled
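The three SSIDs above (WPA/TKIP with a PSK, WPA2/AES with EAP, and WEP) are a good test set for a config audit that flags weak wireless settings before a config is pushed. The Python script below is an added example, not from the guide or from Cisco: it parses the dot11 ssid blocks and the per-VLAN encryption lines from a constructed sample assembled from the sections above, then reports findings per SSID. The finding wording and what counts as a finding are my own choices.

```python
"""Audit dot11 ssid blocks in an IOS AP config for weak security settings (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the three SSIDs from the sections above, merged into one config.
SAMPLE_CONFIG = """\
dot11 ssid private
 vlan 10
 authentication open
 authentication key-management wpa
 wpa-psk ascii Cisco123
dot11 ssid private2
 vlan 11
 authentication open eap ROUTEHUB-EAP
 authentication key-management wpa
dot11 ssid private-wep
 vlan 12
 authentication open
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 11 mode ciphers aes-ccm
 encryption vlan 12 key 1 size 128bit 12345678901234567890123456 transmit-key
 encryption vlan 12 mode wep mandatory
 ssid private
 ssid private2
 ssid private-wep
"""


def parse(config: str) -> Tuple[Dict[str, dict], Dict[int, Set[str]]]:
    """Return (settings per SSID name, cipher set per VLAN from the radio interface)."""
    ssids: Dict[str, dict] = {}
    ciphers: Dict[int, Set[str]] = {}
    current: Optional[dict] = None
    in_radio = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # an unindented line starts a new block
            m = re.match(r"dot11 ssid (\S+)", line)
            current = None
            if m:
                current = ssids.setdefault(
                    m.group(1), {"vlan": None, "auth": [], "key_mgmt": None, "psk": False})
            in_radio = line.startswith("interface Dot11Radio")
            continue
        if current is not None:              # inside a dot11 ssid block
            if line.startswith("vlan "):
                current["vlan"] = int(line.split()[1])
            elif line.startswith("authentication key-management "):
                current["key_mgmt"] = line.split(maxsplit=2)[2]
            elif line.startswith("authentication "):
                current["auth"].append(line.split(maxsplit=1)[1])
            elif line.startswith("wpa-psk "):
                current["psk"] = True
        elif in_radio:                       # per-VLAN cipher selection lives on the radio
            m = re.match(r"encryption vlan (\d+) mode ciphers (.+)", line)
            if m:
                ciphers[int(m.group(1))] = set(m.group(2).split())
            m = re.match(r"encryption vlan (\d+) mode wep", line)
            if m:
                ciphers[int(m.group(1))] = {"wep"}
    return ssids, ciphers


def audit(config: str) -> Dict[str, List[str]]:
    """One list of findings per SSID; an empty list means nothing was flagged."""
    ssids, ciphers = parse(config)
    report: Dict[str, List[str]] = {}
    for name, s in ssids.items():
        findings: List[str] = []
        vlan_ciphers = ciphers.get(s["vlan"], set())
        uses_eap = any(re.search(r"\beap\b", a) for a in s["auth"])
        if "wep" in vlan_ciphers:
            findings.append("WEP: broken cipher, migrate to WPA2 with aes-ccm")
        if "tkip" in vlan_ciphers:
            findings.append("TKIP: deprecated cipher, use aes-ccm only")
        if s["key_mgmt"] is None and "wep" not in vlan_ciphers:
            findings.append("no key management: traffic is unencrypted")
        if s["key_mgmt"] and s["psk"]:
            findings.append("WPA-PSK: one shared secret for every client; prefer 802.1X/EAP")
        if s["key_mgmt"] and not s["psk"] and not uses_eap:
            findings.append("key management enabled but neither PSK nor EAP list configured")
        if any("mac-address" in a for a in s["auth"]) and not uses_eap and not s["key_mgmt"]:
            findings.append("MAC filtering only: addresses travel in clear and are not a credential")
        report[name] = findings
    return report


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONFIG).items():
        print(ssid, "->", findings or ["ok"])
```

Against the sample, only private2 (WPA2/AES with EAP) comes back clean; private is flagged for TKIP and for relying on a shared PSK, and private-wep for WEP. The same parser runs unchanged over a full `show running-config` capture, which is the practical way to use it.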

EAP-FAST

Vlan13: 192.168.13.0 /24 (WIFI using EAP-FAST)
[Diagram: 802.1q trunk carrying Vlan13]

* use private RADIUS server or ACS server

! create AAA group for RADIUS
aaa group server radius RHG-AAA-RADIUS
! specify IP of local RADIUS server including the RADIUS key
server-private 192.168.99.10 auth-port 1812 acct-port 1813 key 0 Cisco123

! define the AAA authentication list used for EAP, pointing at the AAA group
aaa authentication login RHG-AAA-EAP group RHG-AAA-RADIUS
aaa authorization exec default local
ip radius source-interface BVI1

! add local RADIUS server on AP
radius-server local
! add AP into local RADIUS server and define RADIUS key
nas 192.168.99.10 key 0 Cisco123
! add user account for client authentication
user user1 password Cisco123

interface Dot11Radio0
! support WPA and WPA2
encryption vlan 13 mode ciphers aes-ccm tkip

! SSID using EAP-FAST
dot11 ssid rhg-eap-fast
vlan 13
authentication open eap RHG-AAA-EAP
authentication key-management wpa

EAP-LEAP

Vlan14: 192.168.14.0 /24 (WIFI using EAP-LEAP)
[Diagram: 802.1q trunk carrying Vlan14]

* use private RADIUS server or ACS server

! create AAA group for RADIUS
aaa group server radius RHG-AAA-RADIUS
! specify IP of local RADIUS server including the RADIUS key
server-private 192.168.99.10 auth-port 1812 acct-port 1813 key 0 Cisco123

! define the AAA authentication list used for EAP, pointing at the AAA group
aaa authentication login RHG-AAA-EAP group RHG-AAA-RADIUS
aaa authorization exec default local
ip radius source-interface BVI1

! add local RADIUS server on AP
radius-server local
! add AP into local RADIUS server and define RADIUS key
nas 192.168.99.10 key 0 Cisco123
! add user account for client authentication
user user1 password Cisco123

interface Dot11Radio0
! support WPA and WPA2
encryption vlan 14 mode ciphers aes-ccm tkip

! SSID using EAP-LEAP (a distinct SSID name from the EAP-FAST SSID on VLAN13)
dot11 ssid rhg-eap-leap
vlan 14
authentication open eap RHG-AAA-EAP
! LEAP clients authenticate with Network-EAP
authentication network-eap RHG-AAA-EAP
authentication key-management wpa

MAC FILTERING

! configure allowed MAC address as a username and password
username 0013ce006c98 password 0013ce006c98
username 0013ce006c98 autocommand exit

! configure AAA method list for MAC filtering authentication (local user database)
aaa authentication login RHG-MAC-AUTH local

interface Dot11Radio0
no ip address

ssid RHG-WPA
vlan 10
! enable WLAN MAC filtering on Wireless SSID
authentication open mac-address RHG-MAC-AUTH

LAN SWITCH PORT CONFIGURATION

! interface standalone AP is connected to
interface FastEthernet0/2
switchport trunk encapsulation dot1q
! define native VLAN (untagged) for interface
switchport trunk native vlan 99
! only allow the following VLAN tags with the AP
switchport trunk allowed vlan 99,10-12
switchport mode trunk

BROADCAST MULTIPLE SSID

dot11 ssid private
vlan 10
authentication open
authentication key-management wpa
! enable broadcast SSID
mbssid guest-mode

dot11 ssid private2
vlan 11
authentication open eap ROUTEHUB-EAP
authentication key-management wpa
! enable broadcast SSID
mbssid guest-mode

interface Dot11Radio0
no ip address
ssid private
ssid private2
! enable MBSSID under wireless interface
mbssid

MONITOR

show dot11 associations
show dot11 network-map
show dot11 statistics client-traffic
show dot11 associations <mac-address>

CISCO WIRELESS LAN CONTROLLER (WLC)

[Diagram: L2/L3 switch with 802.1q trunks carrying Vlan10,20,99 to the WLC and to the lightweight AP]

CISCO WLC SWITCH PORTS

* DHCP enabled on WLC for VLAN 99 for AP address assignment

! VLAN for Corporate/Private Wireless
vlan 10
name RHG-VLAN-WLAN-PROD

! VLAN for Guest/Public Wireless
vlan 20
name RHG-VLAN-WLAN-GUEST

! management VLAN for AP and WLC
vlan 99
name RHG-VLAN-WLAN-MGMT

>> WLC switch port

! Cisco Wireless LAN Controller (WLC) connected
interface FastEthernet0/2
description TO: rhg-wlc01-sj-ca ; WLC
! enable 802.1Q encapsulation
switchport trunk encapsulation dot1q
! allow management, public, and private VLANs
switchport trunk allowed vlan 10,20,99
! enable interface as a 802.1q trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

>> Lightweight AP port

! Lightweight AP connected
interface FastEthernet0/3
description rhg-ap03-sj-ca
! enable 802.1Q encapsulation
switchport trunk encapsulation dot1q
! APs will get IP from the management VLAN for communicating with the WLC
switchport trunk native vlan 99
! allow management, public, and private VLANs
switchport trunk allowed vlan 10,20,99
! enable interface as a 802.1q trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
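Both ports above are 802.1Q trunks, and the same three things are worth verifying on each: the allowed VLAN list is pruned to exactly the VLANs expected, DTP is disabled with switchport nonegotiate, and the native VLAN is set deliberately. The Python check below is an added example, not from the guide; it runs over a constructed sample copied from the two interfaces above. The expected VLAN sets and the finding text are my assumptions; the WLC port in the guide carries no native VLAN, so the check reports that for review rather than treating it as an error.

```python
"""Check the 802.1Q trunk ports that carry AP and WLC traffic (added example)."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample built from the two switch-port configs above.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 description TO: rhg-wlc01-sj-ca ; WLC
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
interface FastEthernet0/3
 description rhg-ap03-sj-ca
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
"""

# Assumed: the VLAN set each port is supposed to carry.
EXPECTED_VLANS: Dict[str, Set[int]] = {
    "FastEthernet0/2": {10, 20, 99},
    "FastEthernet0/3": {10, 20, 99},
}


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '99,10-12' into {99, 10, 11, 12}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map interface name -> list of its indented sub-commands."""
    ifaces: Dict[str, List[str]] = {}
    current: Optional[List[str]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            m = re.match(r"interface (\S+)", line)
            current = ifaces.setdefault(m.group(1), []) if m else None
        elif current is not None:
            current.append(line)
    return ifaces


def audit_trunk(lines: List[str], expected: Set[int]) -> List[str]:
    """Findings for one trunk port; empty list means it matches policy."""
    findings: List[str] = []
    allowed: Optional[Set[int]] = None
    native: Optional[int] = None
    for line in lines:
        # only the plain form is handled; 'allowed vlan add/remove/all' is left unparsed
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            allowed = expand_vlans(m.group(1))
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
    if "switchport mode trunk" not in lines:
        findings.append("not configured as a trunk")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still enabled: add 'switchport nonegotiate'")
    if allowed is None:
        findings.append("allowed VLAN list not pruned: every VLAN is carried")
    elif allowed != expected:
        findings.append(f"allowed VLANs {sorted(allowed)} differ from expected {sorted(expected)}")
    if native is None:
        findings.append("native VLAN not set: untagged frames land in VLAN 1 (review)")
    elif native == 1:
        findings.append("native VLAN is 1: move untagged traffic to a dedicated VLAN")
    elif allowed is not None and native not in allowed:
        findings.append(f"native VLAN {native} is not in the allowed list")
    return findings


def audit(config: str, expected: Dict[str, Set[int]]) -> Dict[str, List[str]]:
    return {name: audit_trunk(lines, expected.get(name, set()))
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG, EXPECTED_VLANS).items():
        print(name, "->", findings or ["ok"])
```

On the sample the AP port passes, and the WLC port gets a single review item for the unset native VLAN. The AP port from the IOS wireless section (`switchport trunk allowed vlan 99,10-12`, native 99) can be checked the same way by adding it to the sample with {99, 10, 11, 12} as its expected set.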

HARDWARE

HARDWARE ....................................................................................................................................................... 292

GENERAL ..................................................................................................................................................................293
CISCO ASA 5500 / PIX500 / FWSM ...........................................................................................................................294
CISCO PIX 500 SERIES.................................................................................................................................................323
CISCO CATALYST 6500 SERIES.......................................................................................................................................330
CISCO CATALYST 4500 SERIES.......................................................................................................................................343
CISCO CATALYST 3750 SERIES.......................................................................................................................................345
CISCO CATALYST XL (LEGACY) SERIES .............................................................................................................................346
CISCO ACE SERIES ......................................................................................................................................................348
CISCO NEXUS SERIES (NX-OS) ......................................................................................................................................351

GENERAL

GENERAL ..................................................................................................................................................................293
General ..............................................................................................................................................................293
Enable AUX port on Cisco 800 ......................................................................................................................................... 293
Copy and Install TAR File.................................................................................................................................................. 293
Modules .............................................................................................................................................................293
Using Third-Party Optics in Cisco Devices ........................................................................................................................ 293

GENERAL

ENABLE AUX PORT ON CISCO 800

line con 0
! enable use of the AUX port
modem enable

COPY AND INSTALL TAR FILE

* for some Cisco Catalyst switches and APs

! copy, extract, and install tar image with http files and IOS bin
archive tar /xtract tftp://192.168.10.10/c1200-k9w7-tar.123-8.JA2.tar flash:

MODULES

USING THIRD-PARTY OPTICS IN CISCO DEVICES

! unsupported command that allows support for third-party optics (SFP, GBIC)
service unsupported-transceiver
no errdisable detect cause gbic-invalid

CISCO ASA 5500 / PIX500 / FWSM

USING ASA OS 8.2(3)

CISCO ASA 5500 / PIX500 / FWSM ...........................................................................................................................294


General ..............................................................................................................................................................295
Base Configuration .......................................................................................................................................................... 295
Interfaces ......................................................................................................................................................................... 296
Static Routing................................................................................................................................................................... 296
Device Access (SSH, Telnet) ............................................................................................................................................. 296
ASA Image ........................................................................................................................................................................ 296
HTTP and ASDM ............................................................................................................................................................... 297
DHCP Server..................................................................................................................................................................... 297
PPPoE ............................................................................................................................................................................... 298
LDAP ................................................................................................................................................................................ 298
OSPF Routing ................................................................................................................................................................... 299
Rate Limiting (Policing) .................................................................................................................................................... 299
IP SLA with Dual ISP ......................................................................................................................................................... 300
Copy using FTP ................................................................................................................................................................. 300
802.1q (VLAN tagging) ..................................................................................................................................................... 301
RIP Routing and Authentication ...................................................................................................................................... 302
Factory Defaults for ASA 5500 ......................................................................................................................................... 302
Banner ............................................................................................................................................................................. 303
Install a License ................................................................................................................................................................ 303
DNS Requests .................................................................................................................................................................. 303
Failover ..............................................................................................................................................................304
Active/Passive Failover .................................................................................................................................................... 304
Stateful Firewall .................................................................................................................................................306
Standard Firewall Policy................................................................................................................................................... 306
Standard Firewall Policy using Objects ............................................................................................................................ 306
NAT ....................................................................................................................................................................307
PAT (NAT Overload) using Outside Interface ................................................................................................................... 307
Static NAT ........................................................................................................................................................................ 307
NAT Port Redirect: using Outside Interface ..................................................................................................................... 307
VPN ....................................................................................................................................................................308
Remote Access: SSL VPN (Tunnel Mode or SVC).............................................................................................................. 308
Remote Access: IPSec VPN .............................................................................................................................................. 309
Site-Based VPN (ASA-to-ASA) .......................................................................................................................................... 311
Site-Based VPN (ASA to Cisco IOS) ................................................................................................................................... 313
Remote Access: L2TP over IPSec...................................................................................................................................... 316
IPSec over TCP ................................................................................................................................................................. 317
Monitor............................................................................................................................................................................ 317
IPS ......................................................................................................................................................................318
IPS using the Security Module ......................................................................................................................................... 318
Application Inspection .......................................................................................................................................319
Using PPTP ....................................................................................................................................................................... 319

Virtualization .....................................................................................................................................................320
Configuration To Support Virtual Firewalls ...................................................................................................................... 320
Access and Configuration of Virtual Firewall Instances ................................................................................................... 321
Troubleshooting .................................................................................................................................................322
Proxy Arp ......................................................................................................................................................................... 322
Allow Polycom Video Conferencing ................................................................................................................................. 322
Monitor............................................................................................................................................ 322

GENERAL

[Diagram: inside LAN 192.168.10.0/24 (ASA is .1) | ASA outside 1.1.1.1 | Internet 6.7.7.0/24]

BASE CONFIGURATION

! specifies the hostname of the firewall
hostname EFW01TRA

! configures the enable password
enable password cisco123

! configures the telnet/ssh password if AAA is not configured
passwd cisco123

! configures the time zone
clock timezone PST -8

! enable logging
logging enable
logging monitor debugging
logging buffered debugging
logging asdm information

! allows the IP configured on the outside interface to be pingable
icmp permit any outside

INTERFACES

! configures IP on the WAN interface and creates an alias on the interface called “outside”
interface Ethernet0
nameif outside
ip address 1.1.1.1 255.255.255.0

! configures IP on the LAN interface and creates an alias on the interface called “inside”
interface Ethernet1
nameif inside
ip address 192.168.10.1 255.255.255.0

STATIC ROUTING

! configures default gateway through the WAN interface (outside)
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

DEVICE ACCESS (SSH, TELNET)

! specify the subnets (on the inside) that can telnet to the firewall
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 60

! configure the domain name on the firewall required for SSH
domain-name routehub.local

! configure the private RSA keys on the firewall required for SSH
crypto key generate rsa modulus 1024

! specify the subnets listed (inside and outside) that can ssh into the firewall
ssh 6.7.7.8 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 40

! configure a local account with privilege level 15 access (root level)
username admin password cisco123 privilege 15

! allows local user accounts to be used for Telnet and SSH sessions
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

ASA IMAGE

Note: after the change is completed a reload of the ASA is required.

! specifies the ASA OS that will be loaded
boot system disk0:/asa804-k8.bin

HTTP AND ASDM

! enables the ASDM on the ASA to use TCP port 8080
http server enable 8080

! specifies what subnets (inside and outside) can access ASDM on the ASA.
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside

! specify the ASDM image that will be loaded and used on the ASA
asdm image disk0:/asdm-613.bin
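The management-plane lines above (telnet, ssh, http/ASDM access and the RSA key) are the ones a reviewer looks at first. The following script is an added example, not part of the RouteHub guide: it parses those line types from an ASA 8.2 configuration and reports what should be tightened (cleartext telnet, ASDM or SSH open to 0.0.0.0/0, a host key under 2048 bits). SAMPLE_CONFIG is constructed from the snippets on this page; the function names are this example's own.

```python
"""Audit the management-plane lines of a Cisco ASA 8.2 configuration.

Added example, not part of the RouteHub guide: scans the telnet/ssh/http
access lines and the RSA key size from the Device Access and HTTP/ASDM
snippets and reports what a reviewer would want tightened.
SAMPLE_CONFIG is constructed from those snippets.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 60
crypto key generate rsa modulus 1024
ssh 6.7.7.8 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 40
http server enable 8080
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console LOCAL
"""

# telnet|ssh|http <ip> <mask> <interface>; 'telnet timeout' / 'http server' do not match
ACCESS_RE = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
RSA_RE = re.compile(r"^crypto key generate rsa modulus (\d+)$")


def audit_management_plane(config: str) -> list:
    """Return a list of (severity, message) findings, in configuration order."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if proto == "telnet":
                # cleartext credentials on the wire, even on the inside
                findings.append(("HIGH", f"telnet allowed from {net} on {iface}; prefer ssh only"))
            if net.prefixlen == 0:
                findings.append(("HIGH", f"{proto} management open to any source on {iface}"))
            elif iface == "outside" and net.prefixlen < 32:
                findings.append(("MEDIUM", f"{proto} reachable from {net} on outside; restrict to single hosts"))
            continue
        k = RSA_RE.match(line)
        if k and int(k.group(1)) < 2048:
            findings.append(("MEDIUM", f"RSA host key is only {k.group(1)} bits; regenerate with 2048 or larger"))
    return findings


def worst_severity(findings: list) -> str:
    """Summarise a findings list as its highest severity ('OK' when empty)."""
    order = {"HIGH": 2, "MEDIUM": 1}
    return max((f[0] for f in findings), key=order.get, default="OK")


if __name__ == "__main__":
    for sev, msg in audit_management_plane(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the sample it reports three findings: the telnet line, the 1024-bit key, and the `http 0.0.0.0 0.0.0.0 outside` rule that exposes ASDM to the whole Internet. The `ssh 6.7.7.8 255.255.255.255 outside` entry is the shape to keep: a single management host, SSH only.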

RADIUS

! define AAA group "IAS" enabled for RADIUS
aaa-server IAS protocol radius
! specify RADIUS server IP
aaa-server IAS host 192.168.10.11
! define timeout
timeout 5
! define RADIUS shared key
key cisco123

! enable RADIUS authentication for all telnet and SSH connections
aaa authentication telnet console IAS
aaa authentication ssh console IAS

DHCP SERVER

! specifies the DHCP scope for the IP subnet, DNS, WINS, and domain
! (dhcpd address normally takes a start-end range of host addresses,
!  e.g. 192.168.10.50-192.168.10.100; the range is an illustrative example)
dhcpd address 192.168.10.0 inside
dhcpd dns 192.168.10.10 4.2.2.2 interface inside
dhcpd wins 192.168.10.10 interface inside
dhcpd domain routehub.local interface inside
dhcpd update dns both override interface inside

! enables DHCP server on the “inside” network
dhcpd enable inside

PPPOE

! configure VPDN group called “Internet” enabled for PPPoE
vpdn group Internet request dialout pppoe
! configures PPPoE profile with the username, password, and authentication to use
vpdn group Internet localname pppoeuser
vpdn group Internet ppp authentication pap
vpdn username pppoeuser password Cisco6778 store-local
dhcpd auto_config outside

interface Ethernet0
nameif outside
security-level 0
! enables PPPoE on “outside” interface using the profile “Internet”
pppoe client vpdn group Internet
ip address pppoe setroute

LDAP

! specify the IP address and port number of LDAP server including where it is located (inside)
aaa-server RHG-AAA-LDAP protocol ldap
aaa-server RHG-AAA-LDAP (inside) host 192.168.10.10
server-port 389

! specify the domain for the LDAP server
ldap-base-dn dc=routehub,dc=local
ldap-scope subtree

! specify that users can login using their AD username and password
ldap-naming-attribute samAccountName

! specify the location of the user and password for authenticating against the LDAP server
ldap-login-dn cn=Administrator,cn=Users,dc=routehub,dc=local
server-type Microsoft
ldap-login-password cisco123

OSPF ROUTING

[Diagram: LAN 192.168.10.0/24 (ASA is .1) and DMZ 192.168.11.0/24 (ASA is .1) | ASA outside 1.1.1.1 | Internet 6.7.7.0/24]

! enables OSPF routing using a PID of “1”
router ospf 1
! specify the subnets and the area that will be advertised
network 192.168.11.0 255.255.255.0 area 10
network 192.168.10.0 255.255.255.0 area 0
log-adj-changes
! allows firewall to advertise a default route via OSPF
default-information originate always

! tune OSPF neighbor timers for 1 (hello) and 3 (dead) seconds for fast convergence
interface Ethernet1
ip address 192.168.10.1 255.255.255.0
nameif inside
ospf hello-interval 1
ospf dead-interval 3

RATE LIMITING (POLICING)

! rate limit all traffic (in/out) to 700Kbps
policy-map rate-limit-policy
class class-default
police input 700000 1000
police output 700000 1000

! apply rate limit policy to “outside” interface
service-policy rate-limit-policy interface outside
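`police input 700000 1000` is a 700 Kbps rate with a 1000-byte conform burst. The script below is an added example (not from the guide) that models the policer as a single token bucket, a simplification of the ASA implementation, and replays a constructed packet stream through it. The point it makes is that the burst must be at least the largest packet you expect to forward; with a 1000-byte burst no 1500-byte packet ever conforms, whatever the rate. Function and class names are this example's own.

```python
"""Token-bucket model of the ASA policer configured above.

Added example, not part of the guide. Rate is in bits/s, burst in bytes,
exactly as the `police` command takes them; the ASA's own implementation is
modelled here as a single token bucket (a simplification). All packet
streams below are constructed.
"""


class TokenBucketPolicer:
    """Single-rate policer: tokens are bytes, refilled at rate_bps/8 per second."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.refill_bytes_per_s = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0

    def offer(self, arrival_s: float, size_bytes: int) -> bool:
        """True if the packet conforms (forwarded), False if it exceeds (dropped)."""
        elapsed = max(0.0, arrival_s - self.last_t)
        self.last_t = arrival_s
        self.tokens = min(self.burst, self.tokens + elapsed * self.refill_bytes_per_s)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def police_stream(rate_bps: int, burst_bytes: int, packets) -> tuple:
    """Replay (arrival_time_s, size_bytes) pairs; return (conform, exceed) counts."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    conform = exceed = 0
    for t, size in packets:
        if policer.offer(t, size):
            conform += 1
        else:
            exceed += 1
    return conform, exceed


def constructed_stream(size_bytes: int, interval_s: float, count: int) -> list:
    """Constructed sample traffic: `count` packets of equal size, evenly spaced."""
    return [(i * interval_s, size_bytes) for i in range(count)]


if __name__ == "__main__":
    # 1500-byte packets can never fit a 1000-byte bucket: everything is dropped.
    print(police_stream(700000, 1000, constructed_stream(1500, 0.01, 10)))
    # 500-byte packets every 10 ms (400 Kbps) stay under 700 Kbps: all conform.
    print(police_stream(700000, 1000, constructed_stream(500, 0.01, 10)))
    # 500-byte packets every 1 ms (4 Mbps): only the burst plus refill gets through.
    print(police_stream(700000, 1000, constructed_stream(500, 0.001, 10)))
    # Raising the burst to 3000 bytes lets a 600 Kbps stream of full-size frames pass.
    print(police_stream(700000, 3000, constructed_stream(1500, 0.02, 10)))
```

When sizing a burst, start from the interface MTU rather than the minimum the CLI accepts; a burst smaller than the MTU turns a rate limiter into a selective drop of every full-size packet.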

IP SLA WITH DUAL ISP

[Diagram: LAN 192.168.10.0/24 (ASA is .1) | ASA outside-isp1 1.1.1.1 to ISP1, outside-isp2 1.2.2.1 to ISP2 | Internet 6.7.7.0/24]

! configures an ICMP probe pinging IP 1.1.1.2 3 times every 10 seconds
sla monitor 100
type echo protocol ipIcmpEcho 1.1.1.2 interface outside-isp1
num-packets 3
frequency 10

! activates the sla probe that was configured
sla monitor schedule 100 life forever start-time now

! track whether the probe result is successful, using a track ID of “1”
track 1 rtr 100 reachability

! applies track ID to the primary default route. If the probe fails the route is removed
route outside-isp1 0.0.0.0 0.0.0.0 1.1.1.2 10 track 1

! secondary default route to the second ISP
route outside-isp2 0.0.0.0 0.0.0.0 1.2.2.2 254

COPY USING FTP

Note: FTP server IP (10.1.1.1), FTP username/password (cisco/cisco123)

! copy ASA file (e.g. ASA OS, ASDM) from FTP server to local flash (disk0)
copy ftp://cisco:cisco123@192.168.10.10 disk0:

802.1Q (VLAN TAGGING)

[Diagram: 802.1q trunk to the switch carrying VLAN 10 (LAN 192.168.10.0/24, host 192.168.10.10) and VLAN 11 (Guest 192.168.11.0/24, host 192.168.11.10); the ASA is .1 on each VLAN]

! LAN facing interface
interface Ethernet0/1
no nameif
no ip address
no shutdown

! sub-interface for the Internal network
interface Ethernet0/1.10
description RHG VLAN LAN
! specify VLAN tag for the Internal network
vlan 10
nameif RHG-LAN
security-level 100
ip address 192.168.10.1 255.255.255.0

! sub-interface for the Guest network
interface Ethernet0/1.20
description RHG VLAN GUEST
! specify VLAN tag for the Guest network
vlan 20
nameif RHG-GUEST
security-level 50
ip address 192.168.11.1 255.255.255.0

RIP ROUTING AND AUTHENTICATION

[Diagram: LAN 192.168.10.0/24 (ASA is .1) and DMZ 192.168.11.0/24 (ASA is .1) | ASA outside 1.1.1.1 | Internet 6.7.7.0/24]

interface Ethernet0/1
nameif RHG-LAN
security-level 100
ip address 192.168.10.1 255.255.255.0
! enable RIP MD5 authentication
rip authentication mode md5
! configure password
rip authentication key cisco123 key_id 1

! enable RIP routing process
router rip
! specify what routes to advertise and build neighbors with other RIP routers.
network 192.168.10.0
network 192.168.11.0
! disables RIP routing for all interfaces except "RHG-LAN" interface
passive-interface default
no passive-interface RHG-LAN
! advertise default route to other RIP routers
default-information originate
! enable RIP version 2
version 2

FACTORY DEFAULTS FOR ASA 5500

! put ASA back to factory defaults (done in config mode)
config factory-default

! reload ASA
reload save-config noconfirm

! ASA will use the default IP 192.168.1.1

BANNER

! define the ASA banner to display upon login to the ASA appliance
banner exec **WARNING**
banner exec YOU ARE ATTEMPTING TO LOG INTO A PRIVATE SYSTEM.
banner exec AUTHORIZED USERS ONLY!!
banner exec ALL UNAUTHORIZED USE WILL BE PROSECUTED TO THE
banner exec FULLEST EXTENT OF THE LAW!!

INSTALL A LICENSE

! apply the new ASA license
activation-key 0x81234567 0x81234567 0x81234567 0x81234567 0x81234567

! view ASA licenses applied
show activation-key

DNS REQUESTS

! static NAT will provide the internal IP if accessing this Public IP from the inside network
static (inside,outside) 1.1.1.10 192.168.10.10 netmask 255.255.255.255 dns

FAILOVER

ACTIVE/PASSIVE FAILOVER

>>Primary ASA<<
! on primary ASA configure the outside interface IP for the primary and secondary ASA
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2

! configure the inside interface IP for the primary and secondary ASA
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

! configure the DMZ interface IP for the primary and secondary ASA
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 60
ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2

! interface used between the ASA’s for failover and exchanging state information
interface Ethernet0/3
description LAN/STATE Failover Interface

! enable failover and ASA and indicate that this will be our primary ASA
failover
! specify this as the primary firewall
failover lan unit primary
! specify the failover and state interface that will be used
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
! configure a key shared between the two ASA firewalls
failover key cisco6778
! configure the failover interface IP for the primary and secondary ASA
failover interface ip failover 9.9.9.1 255.255.255.252 standby 9.9.9.2
failover replication http
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 3

>>Secondary ASA<<
! configuration required on secondary ASA firewall
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key cisco6778
failover link failover Ethernet0/3
failover interface ip failover 9.9.9.1 255.255.255.252 standby 9.9.9.2

STATEFUL FIREWALL

[Diagram: inside LAN 192.168.10.0/24 with web server .10 (public address 1.1.1.10) | ASA is .1 inside, 1.1.1.1 outside | Internet 6.7.7.0/24]

STANDARD FIREWALL POLICY

! configure firewall policy to allow any Internet host to access web server (using 1.1.1.10)
access-list ingress-acl extended permit tcp any host 1.1.1.10 eq 80

! apply the firewall policy inbound on the “outside” interface.
access-group ingress-acl in interface outside

STANDARD FIREWALL POLICY USING OBJECTS

! configures a group listing the individual host IP addresses (like servers)
object-group network RHG-SERVERS1
network-object host 1.1.1.10

! OR configure a group listing an IP subnet
object-group network RHG-SERVERS2
network-object 1.1.1.0 255.255.255.0

! configures a group listing TCP and UDP ports such as WWW (TCP/80)
object-group service RHG-APPS tcp-udp
port-object eq www

! configures firewall policy using the object groups allowing any Internet host to access the web
! server located at 1.1.1.10, or any web service on the 1.1.1.0/24 network
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS1 object-group RHG-APPS
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS2 object-group RHG-APPS

! apply the firewall policy inbound on the “outside” interface.
access-group ingress-acl in interface outside
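Object groups make a policy compact but hide what it actually permits, which is what a firewall review needs to see. The script below is an added example, not the guide's own code, covering both the Standard Firewall Policy and the object-based version above: it parses the subset of ASA syntax used on this page (network-object host/subnet, port-object eq, any, host, object-group references), flattens each ACE into concrete (action, protocol, source, destination, port) tuples, and evaluates packets against them with the ASA's first-match, implicit-deny semantics. SAMPLE_POLICY is constructed from the two policies above with an extra 443 port-object added for illustration; function names are this example's own.

```python
"""Flatten ASA object-group firewall policy into concrete rules.

Added example, not part of the guide. Handles only the syntax subset used
on this page; SAMPLE_POLICY is constructed from the policies above.
"""
import ipaddress

SAMPLE_POLICY = """\
object-group network RHG-SERVERS1
 network-object host 1.1.1.10
object-group network RHG-SERVERS2
 network-object 1.1.1.0 255.255.255.0
object-group service RHG-APPS tcp-udp
 port-object eq www
 port-object eq 443
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS1 object-group RHG-APPS
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS2 object-group RHG-APPS
access-list ingress-acl extended permit tcp any host 1.1.1.10 eq 80
"""

WELL_KNOWN_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")


def port_number(token: str) -> int:
    """Map an ASA port keyword (www, https, ...) or a number to an integer port."""
    return WELL_KNOWN_PORTS.get(token) or int(token)


def parse_policy(text: str):
    """Collect network groups, service groups and raw ACE token lists."""
    net_groups, svc_groups, aces, current = {}, {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "object-group":
            current = tok[2]
            (net_groups if tok[1] == "network" else svc_groups).setdefault(current, [])
        elif tok[0] == "network-object":
            if tok[1] == "host":
                net_groups[current].append(ipaddress.ip_network(tok[2]))
            else:
                net_groups[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "port-object":          # only 'eq <port>' is handled here
            svc_groups[current].append(port_number(tok[2]))
        elif tok[0] == "access-list":
            aces.append(tok)
            current = None
    return net_groups, svc_groups, aces


def _take_addr(tok, i, net_groups):
    """Consume one address spec at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return list(net_groups[tok[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def _take_ports(tok, i, svc_groups):
    """Consume an optional destination port spec; None means 'any port'."""
    if i >= len(tok):
        return [None]
    if tok[i] == "eq":
        return [port_number(tok[i + 1])]
    if tok[i] == "object-group":
        return list(svc_groups[tok[i + 1]])
    raise ValueError(f"unsupported port spec: {' '.join(tok[i:])}")


def expand_acl(text: str, acl_name: str) -> list:
    """Return the ACL as flat (action, proto, src, dst, port) tuples in ACE order."""
    net_groups, svc_groups, aces = parse_policy(text)
    rules = []
    for tok in aces:
        # access-list <name> extended <action> <proto> <src> <dst> [<port>]
        if tok[1] != acl_name:
            continue
        action, proto = tok[3], tok[4]
        srcs, i = _take_addr(tok, 5, net_groups)
        dsts, i = _take_addr(tok, i, net_groups)
        for s in srcs:
            for d in dsts:
                for p in _take_ports(tok, i, svc_groups):
                    rules.append((action, proto, str(s), str(d), p))
    return rules


def permits(rules: list, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching rule decides; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, port in rules:
        if p in (proto, "ip") and src in ipaddress.ip_network(s) \
                and dst in ipaddress.ip_network(d) and port in (None, dport):
            return action == "permit"
    return False
```

Expanding `ingress-acl` from the sample yields five concrete rules; the useful part is spotting that RHG-SERVERS2 opens ports 80 and 443 on every address in 1.1.1.0/24, not just the web server, which the one-line object-group form does not make obvious.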

NAT

PAT (NAT OVERLOAD) USING OUTSIDE INTERFACE

! configures PAT (NAT Overload) using the IP configured on the “outside” interface
global (outside) 1 interface

! any inside host on the LAN will use the IP on the “outside” for Internet access
nat (inside) 1 192.168.10.0 255.255.255.0

STATIC NAT

[Diagram: inside LAN 192.168.10.0/24 with server .10 mapped to public 1.1.1.10 | ASA is .1 inside, 1.1.1.1 outside | Internet 6.7.7.0/24]

! configures a static translation where inside host 192.168.10.10 is mapped to Public IP 1.1.1.10
static (inside,outside) 1.1.1.10 192.168.10.10 netmask 255.255.255.255

NAT PORT REDIRECT: USING OUTSIDE INTERFACE

[Diagram: inside LAN 192.168.10.0/24 with server .10 | ASA is .1 inside, 1.1.1.1 outside | Internet 6.7.7.0/24]

! any access to the IP configured on the “outside” interface for HTTPS (TCP/443) will be
! redirected to the inside server of 192.168.10.10.
static (inside,outside) tcp interface https 192.168.10.10 https netmask 255.255.255.255

VPN

REMOTE ACCESS: SSL VPN (TUNNEL MODE OR SVC)

[Diagram: inside LAN 192.168.10.0/24 (ASA is .1) | ASA outside 1.1.1.1 | SSL VPN client address pool 192.168.100.0/24]

! ACL that specifies what networks can be accessed across the SSL VPN tunnel once established
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0

! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! specifies the IP addresses that should be assigned to SSL VPN users once logged in
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0

! enable SSL VPN on the “outside” interface
webvpn
enable outside
! specifies the SSL VPN client file name for Windows located on the flash (disk0)
svc image disk0:/anyc-win.pkg 1
! specifies the SSL VPN client file name for Mac systems located on the flash (disk0)
svc image disk0:/anyc-mac.pkg 2
! enables SSL VPN SVC Tunnel Mode
svc enable
tunnel-group-list enable

! configure group policy for SSL VPN, DNS servers, and enable split tunnel ACL policy
group-policy RHG-GP-SSL internal
group-policy RHG-GP-SSL attributes
dns-server value 192.168.10.10
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value routehub.local
webvpn
! SSL VPN SVC Tunnel Mode is required for connecting clients
svc required
svc keep-installer installed
svc rekey time 30
svc rekey method ssl

! configures a local user account on the ASA used for client login
username user1 password cisco123

! configures tunnel group for SSL VPN which includes the address pool
tunnel-group RHG-TG-SSL type remote-access
tunnel-group RHG-TG-SSL general-attributes
address-pool routehub-pool
default-group-policy RHG-GP-SSL

tunnel-group RHG-TG-SSL webvpn-attributes
group-alias ROUTEHUB enable

REMOTE ACCESS: IPSEC VPN

[Diagram: inside LAN 192.168.10.0/24 (ASA is .1) | ASA outside 1.1.1.1 | IPSec VPN client address pool 192.168.100.0/24]

! ACL that specifies what networks can be accessed across the VPN tunnel once established
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0

! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0

! enable NAT-T (NAT keepalives sent every 300 seconds)
crypto isakmp nat-traversal 300

! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

! configure IPSec transform policy to use ESP 3DES and MD5
crypto ipsec transform-set RHG-TS-3DES-MD5 esp-3des esp-md5-hmac

! configure dynamic IPSec policy for remote access using the IPSec transform policy
crypto dynamic-map RHG-DMAP-VPN 10 set transform-set RHG-TS-3DES-MD5
! configure IPSec policy (IKE Phase 2) associating the dynamic IPSec policy ; use ID 65535
crypto map RHG-VPN 65535 ipsec-isakmp dynamic RHG-DMAP-VPN
! enable IPSec VPN on the “outside”
crypto map RHG-VPN interface outside

! configure group policy for the IPSec VPN: DNS servers, idle/session timeouts, and the split tunnel ACL policy
group-policy RHG-GP-VPN internal
group-policy RHG-GP-VPN attributes
dns-server value 192.168.10.10 4.2.2.2
vpn-idle-timeout 30
vpn-session-timeout 480
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value routehub.local

! specify Microsoft IAS RADIUS server (192.168.10.11) and the shared key for user login
aaa-server RADIUS protocol radius
aaa-server IAS protocol radius
aaa-server IAS host 192.168.10.11
timeout 5
key cisco123

! specifies the “Group Authentication Name” (ROUTEHUB) for the VPN client program
tunnel-group ROUTEHUB type remote-access
tunnel-group ROUTEHUB general-attributes
! associates address pool to use
address-pool routehub-pool
! authenticate users against RADIUS server (IAS)
authentication-server-group IAS
default-group-policy RHG-GP-VPN

tunnel-group ROUTEHUB ipsec-attributes
! specifies the “Group Authentication Password” needed for the VPN client program
pre-shared-key cisco123

SITE-BASED VPN (ASA-TO-ASA)

[Diagram: Site #1 LAN 192.168.10.0/24 (ASA is .1), outside 1.1.1.1 | Site #2 outside 2.2.2.2, LAN 192.168.20.0/24 (ASA is .1)]

>>Site #1<<
! WAN interface (outside) configured on ASA at Site #1
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.252
speed 100
duplex full
nameif outside

! LAN interface (inside) configured on ASA at Site #1
interface Ethernet0/1
ip address 192.168.10.1 255.255.255.0
speed 100
duplex full
nameif inside

! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT

! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

! configure IPSec transform policy to use ESP 3DES and MD5
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
! configures IPSec SA lifetime settings (seconds and Kbytes)
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list RHG-ACL-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! configure IPSec policy (IKE Phase 2) for connecting with ASA at Site #2 ; use ID 10
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs
crypto map vpn 10 set peer 2.2.2.2
! apply the IPSec transform policy
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
! enable IPSec on the WAN interface (outside)
crypto map vpn interface outside

! configures tunnel group for site-VPN peer at Site #2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
! specify the shared key to use
pre-shared-key cisco123

>>Site #2<<

! WAN interface (outside) configured on ASA at Site #2
interface Ethernet0/0
ip address 2.2.2.2 255.255.255.252
speed 100
duplex full
nameif outside

! LAN interface (inside) configured on ASA at Site #2
interface Ethernet0/1
ip address 192.168.20.1 255.255.255.0
speed 100
duplex full
nameif inside

! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT

! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

! configure IPSec transform policy to use ESP 3DES and MD5
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
! configures IPSec SA lifetime settings (seconds and Kbytes)
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

! specifies the LAN subnets at Site #2 that will communicate with the LAN subnets at Site #1
access-list RHG-ACL-VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

! enable IPSec policy (IKE Phase 2) using an ID of 10 for connecting with ASA at Site #1
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs
crypto map vpn 10 set peer 1.1.1.1
! apply the IPSec transform policy
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
! enable IPSec on the WAN interface (outside)
crypto map vpn interface outside

! configures tunnel group for site-VPN peer at Site #1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
! specify the shared key to use
pre-shared-key cisco123
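The two halves of a site VPN have to agree on more than the pre-shared key: peer addresses, the ISAKMP proposal, the transform set, PFS and mirrored crypto ACLs all have to line up or Phase 1 or Phase 2 silently fails. The script below is an added example, not the guide's own tooling: it parses the subset of ASA 8.2 syntax used in the Site #1 / Site #2 listings above and reports every mismatch it finds. Only ASA syntax is parsed, so the IOS side of the ASA-to-IOS variant that follows is not covered. `site_config()` builds constructed configurations shaped like the listings; all function names are this example's own.

```python
"""Cross-check both halves of an ASA-to-ASA site VPN before deploying it.

Added example, not part of the guide: parses the subset of ASA 8.2 syntax
used in the Site #1 / Site #2 listings (outside interface, ISAKMP policy,
transform-set, crypto ACL, crypto map, tunnel-group pre-shared-key).
site_config() builds constructed configs shaped like those listings.
"""
import ipaddress


def site_config(local_ip, local_lan, peer_ip, peer_lan, psk, pfs="set pfs"):
    """Constructed site configuration in the shape of the listings above."""
    return f"""\
interface Ethernet0/0
 ip address {local_ip} 255.255.255.252
 nameif outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
access-list RHG-ACL-VPN extended permit ip {local_lan} 255.255.255.0 {peer_lan} 255.255.255.0
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 {pfs}
crypto map vpn 10 set peer {peer_ip}
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
crypto map vpn interface outside
tunnel-group {peer_ip} ipsec-attributes
 pre-shared-key {psk}
"""


def parse_site(text):
    """Pull the VPN-relevant facts out of one ASA configuration."""
    s = {"outside": None, "ike": [], "ts": {}, "acl": {}, "map": {}, "psk": {}}
    iface_ip, ike, tg = None, None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "interface":
            iface_ip, ike, tg = None, None, None
        elif t[:2] == ["ip", "address"]:
            iface_ip = t[2]
        elif t[:2] == ["nameif", "outside"]:
            s["outside"] = iface_ip
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            ike = {}
            s["ike"].append(ike)
        elif ike is not None and t[0] in ("authentication", "encryption", "hash", "group"):
            ike[t[0]] = t[1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            s["ts"][t[3]] = frozenset(t[4:])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=False)
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=False)
            s["acl"].setdefault(t[1], set()).add((src, dst))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            if t[4] == "match":
                s["map"]["acl"] = t[6]
            elif t[5] == "pfs":  # ASA's default PFS group is group2
                s["map"]["pfs"] = t[6] if len(t) > 6 else "group2"
            else:                # set peer / set transform-set
                s["map"][t[5]] = t[6]
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            tg = t[1]
        elif t[0] == "pre-shared-key" and tg:
            s["psk"][tg] = t[1]
    return s


def check_site_vpn(cfg_a, cfg_b):
    """Return a list of human-readable mismatches; empty means the halves agree."""
    a, b = parse_site(cfg_a), parse_site(cfg_b)
    problems = []
    for local, remote, name in ((a, b, "site1"), (b, a, "site2")):
        peer = local["map"].get("peer")
        if peer != remote["outside"]:
            problems.append(f"{name}: set peer {peer} is not the remote outside IP {remote['outside']}")
        if peer not in local["psk"]:
            problems.append(f"{name}: no tunnel-group pre-shared-key for peer {peer}")
    if a["psk"].get(b["outside"]) != b["psk"].get(a["outside"]):
        problems.append("pre-shared-key differs between the two sites")
    keys = ("authentication", "encryption", "hash", "group")
    if not any(all(p.get(k) == q.get(k) for k in keys) for p in a["ike"] for q in b["ike"]):
        problems.append("no ISAKMP policy is common to both sites")
    if a["ts"].get(a["map"].get("transform-set")) != b["ts"].get(b["map"].get("transform-set")):
        problems.append("IPSec transform-set algorithms differ")
    if a["map"].get("pfs") != b["map"].get("pfs"):
        problems.append("PFS setting differs")
    mirrored = {(d, s) for s, d in b["acl"].get(b["map"].get("acl"), set())}
    if a["acl"].get(a["map"].get("acl"), set()) != mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems


SITE1 = site_config("1.1.1.1", "192.168.10.0", "2.2.2.2", "192.168.20.0", "cisco123")
SITE2 = site_config("2.2.2.2", "192.168.20.0", "1.1.1.1", "192.168.10.0", "cisco123")
```

This checks agreement, not strength: a pair that both use 3DES/MD5 passes cleanly, so pair it with a separate review of the algorithms in use.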

SITE-BASED VPN (ASA TO CISCO IOS)

[Diagram: Site #1 Cisco ASA firewall, LAN 192.168.10.0/24 (ASA is .1), outside 1.1.1.1 | Site #2 Cisco IOS router, outside 2.2.2.2, LAN 192.168.20.0/24 (router is .1)]

>>Site #1<<
! WAN interface (outside) configured on ASA at Site #1
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.252
speed 100
duplex full
nameif outside

! LAN interface (inside) configured on ASA at Site #1
interface Ethernet0/1
ip address 192.168.10.1 255.255.255.0
speed 100
duplex full
nameif inside

! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT

! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

! configure IPSec transform policy to use ESP 3DES and MD5
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
! configures IPSec SA lifetime settings (seconds and Kbytes)
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list RHG-ACL-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! configure IPSec policy (IKE Phase 2) for connecting with ASA at Site #2 ; use ID 10
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs group2
crypto map vpn 10 set peer 2.2.2.2
! apply the IPSec transform policy
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
! enable IPSec on the WAN interface (outside)
crypto map vpn interface outside

! configures tunnel group for site-VPN peer at Site #2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
! specify the shared key to use
pre-shared-key cisco123

>>Site #2<<
! ISAKMP policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

! ISAKMP pre-shared key for VPN peer 1.1.1.1 (must match the pre-shared-key configured on the ASA at Site #1)
crypto isakmp key cisco123 address 1.1.1.1

! IPSec transform policy
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac

! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! configure IPSec policy using ISAKMP
crypto map VPN 10 ipsec-isakmp
! specify IP of other VPN peer
set peer 1.1.1.1
! associate IPSec transform policy
set transform-set ipsec-ts
set pfs group2
! associate ACL to IPsec policy
match address 112

! LAN subnets at Site #2 communicating with LAN subnets at Site #1 will not use NAT
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any

! no-NAT ACL (110) applied to the PAT configuration; VPN traffic is denied in the ACL so it is not translated
! (the address pool NATPOOL is defined elsewhere)
ip nat inside source list 110 pool NATPOOL overload

! LAN interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
! mark the LAN side for NAT (required by "ip nat inside source")
ip nat inside

! WAN interface
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
! mark the WAN side for NAT
ip nat outside
! apply IPSec VPN policy (crypto map names are case-sensitive and must match "crypto map VPN 10")
crypto map VPN

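As an added example (not part of the guide), the following Python script cross-checks the ASA and IOS ends of the tunnel above: it parses both snippets, normalizes the IOS wildcard masks, and reports the phase 1, pre-shared key, transform set, PFS and crypto ACL mismatches that would prevent the SA from forming. The two configuration strings are constructed from the guide's Site #1 and Site #2 snippets, with the IOS key left as "ciscokey" so that the key mismatch is reported.

```python
"""Cross-check both ends of the ASA-to-IOS site-to-site tunnel (added example, not
from the guide). IOS ACLs use wildcard masks and the ASA uses subnet masks, so both
are normalized before the crypto ACLs are checked for being exact mirrors."""
import ipaddress
import re

# Constructed from the guide's Site #1 (ASA) snippet.
ASA_CFG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
access-list RHG-ACL-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map vpn 10 set pfs group2
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco123
"""

# Constructed from the guide's Site #2 (IOS) snippet; the key is left as "ciscokey".
IOS_CFG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ciscokey address 1.1.1.1
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ipsec-ts
 set pfs group2
"""

def acl_network(addr, mask, inverse):
    """Build a network from an ACL address/mask pair; IOS ACLs carry inverse masks."""
    if inverse:
        # 0.0.0.255 is the inverse of 255.255.255.0: XOR the wildcard with all ones.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_side(cfg, ios):
    """Collect the tunnel parameters one peer offers from its configuration text."""
    side = {"phase1": {}, "acl": set(), "transform": None, "pfs": None, "psk": None}
    transform_sets = {}
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok:
            continue
        line = " ".join(tok)
        if tok[0] in ("authentication", "encryption", "encr", "hash", "group"):
            side["phase1"]["encryption" if tok[0] == "encr" else tok[0]] = tok[1]
        elif line.startswith("crypto ipsec transform-set"):
            transform_sets[tok[3]] = frozenset(tok[4:])
        elif "set transform-set" in line:
            side["transform"] = transform_sets.get(tok[-1])
        elif "set pfs" in line:
            side["pfs"] = "group2" if tok[-1] == "pfs" else tok[-1]  # ASA default is group2
        elif tok[0] == "access-list":
            m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line)
            if m:
                side["acl"].add((acl_network(m[1], m[2], ios), acl_network(m[3], m[4], ios)))
        elif tok[0] == "pre-shared-key":
            side["psk"] = tok[1]
        elif line.startswith("crypto isakmp key"):
            side["psk"] = tok[3]
    return side

def compare(asa, ios):
    """Return human-readable mismatches; an empty list means the proposals agree."""
    problems = []
    for k in ("authentication", "encryption", "hash", "group"):
        if asa["phase1"].get(k) != ios["phase1"].get(k):
            problems.append(f"phase1 {k}: ASA={asa['phase1'].get(k)} IOS={ios['phase1'].get(k)}")
    if asa["psk"] != ios["psk"]:
        problems.append(f"pre-shared key differs: ASA={asa['psk']!r} IOS={ios['psk']!r}")
    if asa["transform"] != ios["transform"]:
        problems.append(f"transform set differs: ASA={asa['transform']} IOS={ios['transform']}")
    if asa["pfs"] != ios["pfs"]:
        problems.append(f"PFS differs: ASA={asa['pfs']} IOS={ios['pfs']}")
    # Each crypto ACL must be the exact mirror of the other's, or the phase 2
    # proxy identities will not agree and the IPsec SA will never form.
    mirrored = {(dst, src) for src, dst in ios["acl"]}
    for src, dst in sorted(asa["acl"] ^ mirrored, key=str):
        problems.append(f"crypto ACL not mirrored: {src} -> {dst}")
    return problems

def audit(asa_cfg=ASA_CFG, ios_cfg=IOS_CFG):
    """Parse both sides and return the list of mismatches."""
    return compare(parse_side(asa_cfg, ios=False), parse_side(ios_cfg, ios=True))

if __name__ == "__main__":
    print("\n".join(audit()) or "no mismatches found")
```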
REMOTE ACCESS: L2TP OVER IPSEC

[Diagram: ASA with inside 192.168.10.0/24 (.1) and outside 1.1.1.1; remote-access VPN clients are assigned addresses from 192.168.100.0/24]

! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0

! specify Microsoft IAS RADIUS server (192.168.10.10) and the shared key for user login
aaa-server RADIUS protocol radius
aaa-server IAS protocol radius
aaa-server IAS host 192.168.10.10
timeout 5
key cisco123

! configure IPSec transform policies
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3desmd5 mode transport
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes128sha mode transport
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256sha mode transport

! configures IPSec SA lifetime settings (seconds and Kbytes)
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! create dynamic IPSec policy associating the supported transform policies
crypto dynamic-map RHG-DMAP-VPN 10 set transform-set 3desmd5 aes128sha aes256sha
crypto map RHG-VPN 65000 ipsec-isakmp dynamic RHG-DMAP-VPN
! IPSec enabled on WAN facing interface
crypto map RHG-VPN interface outside

! configure various ISAKMP policies to be available
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

! ISAKMP enabled on WAN facing interface
crypto isakmp enable outside
crypto isakmp identity address

! configure default group policy for L2TP over IPSec
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
! define DNS server attribute to push down to clients
dns-server value 192.168.10.10
! specify VPN protocol(s) to use
vpn-tunnel-protocol IPSec l2tp-ipsec

! default remote access tunnel group policy
tunnel-group DefaultRAGroup general-attributes
! associates address pool to use
address-pool routehub-pool
! authenticate users against RADIUS server (IAS)
authentication-server-group IAS
default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
! specifies the VPN password needed on the VPN client machine
pre-shared-key Cisco123

! specify PPP authentication protocols supported
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2

IPSEC OVER TCP

! enable IPSec over TCP using port # 10,000
crypto isakmp ipsec-over-tcp port 10000

MONITOR

show isakmp sa
show crypto ipsec sa
show isakmp ipsec-over-tcp stats
show isakmp stats
show isakmp ipsec stats
show crypto protocol statistics ipsec
show crypto accelerator statistics
show vpn-sessiondb summary
show vpn-sessiondb l2l
show vpn-sessiondb remote
show vpn-sessiondb full remote

IPS

IPS USING THE SECURITY MODULE

[Diagram: ASA with IPS security module; LAN 192.168.10.0/24 (.1 on the ASA, host .10), DMZ 192.168.11.0/24, outside 6.7.7.0/24 (.1) toward 1.1.1.1]

! ACL defining what traffic should be inspected by IPS on the LAN
access-list RHG-ACL-IPS-LAN extended permit ip 192.168.10.0 255.255.255.0 any

! ACL defining what traffic should be inspected by IPS on the DMZ
access-list RHG-ACL-IPS-DMZ extended permit ip 192.168.11.0 255.255.255.0 any

! class map associating the ACL for LAN inspection
class-map RHG-CMAP-IPS-LAN
match access-list RHG-ACL-IPS-LAN

! class map associating the ACL for DMZ inspection
class-map RHG-CMAP-IPS-DMZ
match access-list RHG-ACL-IPS-DMZ

! define policy map for IPS inspection on the LAN
policy-map RHG-POL-IPS-LAN
class RHG-CMAP-IPS-LAN
! enable Promiscuous monitoring and permit traffic if the service module fails
ips promiscuous fail-open sensor vs0

! define policy map for IPS inspection on the DMZ
policy-map RHG-POL-IPS-DMZ
class RHG-CMAP-IPS-DMZ
! enable Promiscuous monitoring and permit traffic if the service module fails
ips promiscuous fail-open sensor vs0

! apply IPS inspection on LAN interface
service-policy RHG-POL-IPS-LAN interface inside
! apply IPS inspection on DMZ interface
service-policy RHG-POL-IPS-DMZ interface dmz

APPLICATION INSPECTION

USING PPTP

! configure class map for PPTP
class-map ROUTEHUB-CLASS-VPDN
match port tcp eq pptp

! apply PPTP class map under the global policy map for PPTP traffic to be inspected
policy-map global_policy
class ROUTEHUB-CLASS-VPDN
inspect pptp

VIRTUALIZATION

CONFIGURATION TO SUPPORT VIRTUAL FIREWALLS

[Diagram: 802.1q trunks on both sides of the firewall carry vlan198 (Client 1) and vlan298 (Client 2) between the edge router and the core]

! enable virtualization on Cisco ASA/FWSM
mode multiple
! operate in L2 mode
firewall transparent

! sub-interface for Client 1 Interconnection connected to Edge router (untrusted/outside)
interface gigabitethernet 0.198
no shutdown

! sub-interface for Client 2 Interconnection connected to Edge router (untrusted/outside)
interface gigabitethernet 0.298
no shutdown

! sub-interface for Client 1 Interconnection connected to Core (trusted/inside)
interface gigabitethernet 1.198
no shutdown

! sub-interface for Client 2 Interconnection connected to Core (trusted/inside)
interface gigabitethernet 1.298
no shutdown

! virtualize firewall for Client 1
context CL1-FW
! associate sub-interfaces for Client 1 firewall instance
allocate-interface gigabitethernet 0.198
allocate-interface gigabitethernet 1.198
! location and filename for the Client 1 firewall instance configuration
config-url disk0:/CL1-FW.cfg

! virtualize firewall for Client 2
context CL2-FW
! associate sub-interfaces for Client 2 firewall instance
allocate-interface gigabitethernet 0.298
allocate-interface gigabitethernet 1.298
! location and filename for the Client 2 firewall instance configuration
config-url disk0:/CL2-FW.cfg

ACCESS AND CONFIGURATION OF VIRTUAL FIREWALL INSTANCES

! to access the Client 1 firewall instance from the system (physical firewall) context
changeto context CL1-FW

! firewall configuration for the Client 1 firewall instance
hostname CL1-FW
domain-name c1.routehub.local

passwd cisco123
enable password cisco123

! specify untrusted/outside interface for Client 1 firewall instance
interface gigabitethernet 0.198
nameif outside
security-level 0
no shutdown

! specify trusted/inside interface for Client 1 firewall instance
interface gigabitethernet 1.198
nameif inside
security-level 100
no shutdown

! firewall policies for Client 1 firewall instance
! allow OSPF (IP protocol 89) and the published services on the inside hosts
access-list CL1-ACL extended permit 89 any any
access-list CL1-ACL extended permit tcp any host 192.168.10.10 eq 8080
access-list CL1-ACL extended permit tcp any host 192.168.10.11 eq 22
access-list CL1-ACL extended permit tcp any host 192.168.10.12 eq 3389

! firewall policies applied to “outside” interface for Client 1
access-group CL1-ACL in interface outside

TROUBLESHOOTING

PROXY ARP

! disable proxy-arp functions on the inside interface (recommended)
sysopt noproxyarp inside

ALLOW POLYCOM VIDEO CONFERENCING

! updates application inspection list to inspect all H.323 traffic
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras

! make sure the global application inspection is enabled
service-policy global_policy global

MONITOR

! VPN monitoring commands
show vpn-sessiondb
show vpn-sessiondb svc

CISCO PIX 500 SERIES

USING PIX OS 6.X OR EARLIER

CISCO PIX 500 SERIES.................................................................................................................................................323
General ..............................................................................................................................................................324
Base Configuration .......................................................................................................................................................... 324
DHCP ................................................................................................................................................................................ 324
Failover ..............................................................................................................................................................325
Failover ............................................................................................................................................................................ 325
VPN ....................................................................................................................................................................326
Remote Access: IPSec VPN .............................................................................................................................................. 326
VPDN: PPTP...................................................................................................................................................................... 327
Site VPN: IPSec VPN ......................................................................................................................................................... 328
Monitor............................................................................................................................................................................ 329

GENERAL

[Diagram: PIX with inside 192.168.10.0/24 (.1) and outside 1.1.1.1; upstream network 6.7.7.0/24]

BASE CONFIGURATION

! General PIX configuration
hostname pptp-firewall
domain-name routehub.local
enable password cisco123
passwd cisco123

! configures speed and duplex on interfaces
interface ethernet0 100full
interface ethernet1 100full

! specifies security name for interfaces and security zone level
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Recommended: turns off proxy-arp on inside interface
sysopt noproxyarp inside

! configures IP address to interfaces
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0

! configures default gateway
route outside 0 0 1.1.1.2

! configures PAT for all hosts on the LAN (inside) to use the IP configured on the WAN (outside)
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0

DHCP

! create DHCP scope for the "inside" network
dhcpd address 192.168.10.10-192.168.10.79 inside
! define DNS and WINS for DHCP scope
dhcpd dns 192.168.10.10 4.2.2.2
dhcpd wins 192.168.10.10
! specify lease time (in seconds)
dhcpd lease 3600
dhcpd ping_timeout 750
! specify default domain name to use
dhcpd domain routehub.local

FAILOVER

FAILOVER

! specifies security name for interfaces and security zone level
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet7 failover security90

! configures IP address to interfaces on primary PIX
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 192.168.11.1 255.255.255.0
ip address failover 9.9.9.1 255.255.255.252

! enables failover on the PIX
failover
failover timeout 0:00:00
! keepalive timer to poll every 15 seconds
failover poll 15
! configures IP address for interfaces on secondary PIX
failover ip address outside 1.1.1.2
failover ip address inside 192.168.10.2
failover ip address dmz 192.168.11.2
failover ip address failover 9.9.9.2
! specify the interface to use for exchanging state information
failover link failover
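As an added example (not from the guide), this Python check parses the PIX 6.x "ip address" and "failover ip address" lines above and flags a standby address that falls outside its primary's subnet, a monitored interface with no standby address, or two interfaces whose subnets overlap. The configuration string is constructed from the guide's failover example with the inside mask deliberately set to a /16 so that the overlap with the DMZ subnet is reported.

```python
"""Sanity-check PIX 6.x failover addressing (added example, not from the guide).

Both units must see the same subnet on every interface, so each standby
address has to fall inside the primary's subnet, and no two interfaces may
carry overlapping subnets.
"""
import ipaddress
from itertools import combinations

# Constructed from the guide's failover example; the inside mask is set to a
# /16 here so that the overlap with the DMZ subnet shows up in the output.
PIX_FAILOVER_CFG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet7 failover security90
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.0.0
ip address dmz 192.168.11.1 255.255.255.0
ip address failover 9.9.9.1 255.255.255.252
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 1.1.1.2
failover ip address inside 192.168.10.2
failover ip address dmz 192.168.11.2
failover ip address failover 9.9.9.2
failover link failover
"""


def parse_addresses(cfg):
    """Return {ifname: primary interface} and {ifname: standby address} from PIX 6.x syntax."""
    primary, standby = {}, {}
    for raw in cfg.splitlines():
        tok = raw.split()
        if tok[:2] == ["ip", "address"] and len(tok) == 5:
            primary[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[:3] == ["failover", "ip", "address"] and len(tok) == 5:
            standby[tok[3]] = ipaddress.ip_address(tok[4])
    return primary, standby


def lint_failover(cfg):
    """List addressing problems that would break failover or be rejected by the PIX."""
    primary, standby = parse_addresses(cfg)
    findings = []
    for name, iface in primary.items():
        sb = standby.get(name)
        if sb is None:
            findings.append(f"{name}: no standby address, interface is not monitored")
        elif sb not in iface.network or sb == iface.ip:
            findings.append(f"{name}: standby {sb} not usable in {iface.network}")
    # Overlapping interface subnets are rejected by the PIX and break routing.
    for (a, ia), (b, ib) in combinations(primary.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(f"{a} {ia.network} overlaps {b} {ib.network}")
    return findings


if __name__ == "__main__":
    for f in lint_failover(PIX_FAILOVER_CFG) or ["failover addressing looks consistent"]:
        print(f)
```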

VPN

REMOTE ACCESS: IPSEC VPN

[Diagram: PIX with inside 192.168.10.0/24 (.1) and outside 1.1.1.1; remote-access VPN clients are assigned addresses from 192.168.100.0/24]

! split-tunnel ACL: lists the LAN subnet behind the PIX that VPN clients reach through the tunnel (source) and the VPN client pool (destination)
access-list 108 permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 100

! IP addresses that should be assigned to VPN users once logged in successfully
ip local pool vpn 192.168.100.10-192.168.100.30

! specify Cisco ACS using TACACS+ (192.168.1.15) and the shared key
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.15 cisco123 timeout 10

! allow IPSec operations
sysopt connection permit-ipsec

! configure ISAKMP policy (IKE Phase 1) applied to “outside” interface
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! configure IPSec transform policy
crypto ipsec transform-set myset esp-3des esp-sha-hmac

! configure IPSec policy for VPN users and will be authenticated against the TACACS+ server
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap client authentication TACACS+
! enable IPSec on the WAN interface (outside)
crypto map newmap interface outside

! configures vpn group for the address pool, DNS, and default domain name clients will use
! This also specifies the Group Authentication Name (vpn-client) for the VPN client program
vpngroup vpn-client address-pool vpn
vpngroup vpn-client dns-server 192.168.10.10
vpngroup vpn-client default-domain routehub.local
! specifies what subnets VPN users can access once connected (split tunnel ACL)
vpngroup vpn-client split-tunnel 108
vpngroup vpn-client idle-time 1800
! specifies the “Group Authentication Password” needed for the VPN client program
vpngroup vpn-client password cisco123

VPDN: PPTP

[Diagram: PIX with inside 192.168.10.0/24 (.1) and outside 1.1.1.1; PPTP clients are assigned addresses from 192.168.100.0/24]

! allow PPTP operations
sysopt connection permit-pptp

! specifies the IP addresses that should be assigned to PPTP users once logged in
ip local pool pptp-pool 192.168.100.10-192.168.100.100

! specify RADIUS server (192.168.10.11) and the shared key used for PPTP user login
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.11 radius-key timeout 5

! configures VPDN profile for PPTP and enables CHAP and MSCHAP PPP authentication
vpdn group 1 accept dialin pptp
! specify DNS server to use
vpdn group 1 client configuration dns 192.168.10.10
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
! associated IP address pool to PPTP VPDN profile
vpdn group 1 client configuration address local pptp-pool
! user authentication through RADIUS server
vpdn group 1 client authentication aaa RADIUS

! Enable PPTP on WAN interface (outside)
vpdn enable outside

SITE VPN: IPSEC VPN

[Diagram: PIX at Site #1 (inside 192.168.10.0/24, .1; outside 1.1.1.1) connected across the WAN to the VPN peer at Site #2 (outside 2.2.2.2; inside 192.168.20.0/24, .1)]

! IP addresses assigned to inside and outside interfaces
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0

! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list 100

! allow IPSec operations
sysopt connection permit-ipsec

! configures ISAKMP shared key with remote site using 2.2.2.2
isakmp key routehub-key address 2.2.2.2 netmask 255.255.255.255

! configures ISAKMP policy (IKE Phase 1)
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ISAKMP enabled on WAN facing interface (outside)
isakmp enable outside

! configure IPSec transform policy
crypto ipsec transform-set ts esp-des esp-md5-hmac

! configure IPSec policy
crypto map vpn 10 ipsec-isakmp
! specify the ACL for what subnets will use this VPN tunnel
crypto map vpn 10 match address 100
! specify the IP of the remote VPN router ; 2.2.2.2
crypto map vpn 10 set peer 2.2.2.2
! associate IPSec transform policy
crypto map vpn 10 set transform-set ts
! enable IPSec on the WAN interface (outside)
crypto map vpn interface outside

MONITOR

show isakmp sa
show crypto ipsec sa
show crypto interface

CISCO CATALYST 6500 SERIES

CISCO CATALYST 6500 SERIES.......................................................................................................................................330
General ..............................................................................................................................................................330
Power Supply Redundancy .............................................................................................................................................. 330
Monitor............................................................................................................................................................................ 330
Supervisor Redundancy ......................................................................................................................................331
Stateful Switchover (SSO) ................................................................................................................................................ 331
System Switchover .......................................................................................................................................................... 331
Non-Stop Forwarding (NSF) ............................................................................................................................................. 331
VSS .....................................................................................................................................................................332
VSS ................................................................................................................................................................................... 332
Monitor............................................................................................................................................................................ 336
Enhanced Fast Software Upgrade (eFSU) ........................................................................................................................ 336
QoS.....................................................................................................................................................................338
User-Based Rate Limiting (UBRL) ..................................................................................................................... 338
User-Based Rate Limiting (UBRL) Bi-Directional .............................................................................................................. 338
Service Module: FWSM ......................................................................................................................................340
Base Configuration for Cisco Catalyst 6500 ..................................................................................................................... 340
Access FWSM from Catalyst 6500 ................................................................................................................................... 340
Interfaces ......................................................................................................................................................................... 340
Security Context .............................................................................................................................................................. 341
Failover ............................................................................................................................................................................ 341
Service Module: NAM ........................................................................................................................................342
NAM................................................................................................................................................................................. 342

GENERAL

POWER SUPPLY REDUNDANCY

! makes one of the power supplies active while the other is a backup
power redundancy-mode redundant

MONITOR

! shows line module speed, fabric status, hotstandby support, and more
show fabric status

SUPERVISOR REDUNDANCY

STATEFUL SWITCHOVER (SSO)

* must have two Supervisor engines installed
* enabling SSO automatically enables CEF NSF

! enable Supervisor Engine redundancy
redundancy
! enable Stateful Switchover (SSO)
mode sso
main-cpu
! synchronize the configuration between the two SUP engines.
auto-sync startup-config
auto-sync running-config
auto-sync bootvar
auto-sync standard

! verify the redundancy and CEF NSF state
show redundancy states
show cef state

SYSTEM SWITCHOVER

! failover to the other available Supervisor Engine
redundancy force-switchover

NON-STOP FORWARDING (NSF)

* enable SSO on Cisco Catalyst switch

>> BGP <<
router bgp 6778
! enable NSF
bgp graceful-restart

>> OSPF <<
router ospf 1
! enable NSF
nsf

>> EIGRP <<
router eigrp 1
! enable NSF
nsf

VSS
[Diagram: VSS pair of Switch 1 (VSS-1, Primary) and Switch 2 (VSS-2, Secondary) joined by the VSL port-channels PC 1 and PC 2 on tenGE 1/4-5; port-channel PC 3 (tenGE 1/2/2 and 2/2/2 on the VSS side, tenGE 1/49 and 1/50 on the access side) connects the access switch, whose GE 1/1 is an access port in Vlan 10]

VSS

>> SW1 <<

> STEP 1
! single domain ID shared with all VSS switches
switch virtual domain 100
! specify switch ID in VSS cluster
switch 1
! this will be our primary VSS switch
switch 1 priority 110
! switch 2 will be our secondary VSS switch
switch 2 priority 100

! configures port-channel interface required for VSS
interface port-channel 1
! enables VSL for communication with switch 2
switch virtual link 1
no shutdown

! place two 10GE interfaces into VSL enabled port-channel
interface range tenGigabitEthernet 1/4 - 5
channel-group 1 mode on
no shutdown

> STEP 2
! start VSS conversion process on switch
switch convert mode virtual

At this point the switch restarts to merge the two switches' configurations,
renumber the interfaces from slot/port to switch-number/slot/port, and
negotiate the active and standby roles through NSF/SSO.

> STEP 3
! completes conversion process which will bring VSL configuration from
! standby switch and populate it into the running config
switch accept mode virtual

> Port Channel to Access/Distribution Switch

! configures port-channel that connects to AS01TRA
interface port-channel 3
! enable 802.1Q trunking
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

! put a port from switch1 and switch2 into the port-channel group
interface range tenGigabitEthernet 1/2/2, tenGigabitEthernet 2/2/2
switchport
channel-group 3 mode desirable
no shutdown

> Port Channel to Vmware ESXI host server

! configures port-channel that connects to VMware ESXI server
interface port-channel 4
! enable 802.1Q trunking
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

! put a port from switch1 and switch2 into the port-channel
interface range GigabitEthernet 1/3/1, GigabitEthernet 2/3/1
switchport
channel-group 4 mode active
no shutdown

> Other Configuration

! other L2 configuration with VLAN and VTP
vtp mode transparent
spanning-tree mode rapid-pvst

vlan 10
name SF1
vlan 20
name SF2

interface vlan10
ip address 192.168.10.1 255.255.255.0
no shutdown

interface vlan20
ip address 192.168.20.1 255.255.255.0
no shutdown

>> SW2 <<

> STEP 1
! single domain ID shared with all VSS switches
switch virtual domain 100
! specify switch ID in VSS cluster
switch 2
! switch 1 will be our primary VSS switch
switch 1 priority 110
! this switch will be our secondary VSS switch
switch 2 priority 100

! configures port-channel interface required for VSS
interface port-channel 2
! enables VSL for communication with switch 1
switch virtual link 2
no shutdown

! place two 10GE interfaces into VSL enabled port-channel
interface range tenGigabitEthernet 1/4 - 5
channel-group 2 mode on
no shutdown

> STEP 2
! start VSS conversion process on switch
switch convert mode virtual

At this point the switch restarts to merge the two switches' configurations,
renumber the interfaces from slot/port to switch-number/slot/port, and
negotiate the active and standby roles through NSF/SSO.
After the reboot completes, the console on the standby VSS switch is disabled;
all further configuration is done on the primary VSS switch.

>> AS01 <<

! L2 configuration with VLAN and VTP
vtp mode transparent
spanning-tree mode rapid-pvst

vlan 10
name SF1
vlan 20
name SF2

! configure port-channel that connects to VSS Core
interface port-channel 3
! enable 802.1Q trunking
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

! ports added to the port-channel group
! one port will connect to switch1 and the other will connect to switch2
interface range tenGigabitEthernet 1/49 - 50
switchport
channel-group 3 mode desirable
no shutdown

! access port added to VLAN10
interface GigabitEthernet 1/1
switchport access vlan 10
switchport mode access
spanning-tree portfast

! view port-channel state with VSS Core.
show etherchannel summary

MONITOR

show module switch 1
show module switch 2
show run switch 1
show run switch 2
show switch virtual
show switch virtual link
show switch virtual role
show vslp lmp summary
show vslp lmp neighbors
show vslp lmp counters
show vslp rrp summary

! confirm VSL connectivity to switch 2 over tenGigabitEthernet 2/1/4
ping vslp output interface tenGigabitEthernet 2/1/4

! reboots the active VSS switch (using switch ID 1)
redundancy reload shelf 1

ENHANCED FAST SOFTWARE UPGRADE (EFSU)

> Step 1: <

! make sure the new IOS image is copied to the flash memory of both the primary and secondary VSS switches
! specify the boot variable for the new IOS image
boot system flash sup-bootdisk:new-image.bin

! execute "issu loadversion"
! 1/1 & 2/1 is the VSS-switch/slot. If you are not sure what they are, type
! "show switch virtual redundancy" and look for "Switch X Slot Y Processor Information";
! use X for the first number and Y for the second.
! Example: Switch 1 Slot 1 Processor Information would be 1/1
! and Switch 2 Slot 1 Processor Information would be 2/1.
! That command also shows which VSS switch is ACTIVE and which one is STANDBY HOT
issu loadversion 1/1 sup-bootdisk:new-image.bin 2/1 slavesup-bootdisk:new-image.bin

The secondary VSS switch will reload with the new IOS image.
The VSS cluster will operate at 50% bandwidth capacity while only the primary VSS switch is running.
This activity can be seen from the console.

! After the secondary VSS is booted up with the new IOS image, verify that the peer relationship
! between the Supervisors is in an SSO state (Hot standby).
! The VSS cluster should now be operating at 100% bandwidth capacity
show switch virtual redundancy

! verify current eFSU state, which should reflect "Load Version" next to ISSU
show issu state

> Step 2: <

! When secondary VSS is booted up completely run "issu runversion" command to cause
! the supervisor/chassis switchover, so the secondary VSS switch can be the active VSS switch
! while switch1 is being reloaded.
! Switchover will cause ~200msec traffic loss
issu runversion 2/1

! confirm redundancy state with switch1 (should be "sso")
show switch virtual redundancy

> Step 3: <

! If the new IOS image is good accept the new IOS version
! If it is not accepted within the rollback timer, the eFSU software upgrade will terminate
! and go back to the older IOS image
issu acceptversion 2/1

! to view the rollback timer
show issu rollback-timer

> Step 4: <

! Final step which will reload switch1 to run the new IOS image.
! At this point the VSS cluster will operate at 50% bandwidth capacity until
! switch1 comes back up
issu commitversion

QOS

USER-BASED RATE LIMITING (UBRL)

[Diagram: Core switch with the Access switch connected on Gi3/1, serving the 192.168.10.0/24 user subnet]

Note: doesn't impact rate limiting to user, only rate limiting from user

! ACL listing subnet(s) that will use user-based rate limiting
ip access-list extended ubrl-dept1-acl
remark department1 - 10Mb connection
permit ip 192.168.10.0 0.0.0.255 any

! ACL associated to class-map
class-map match-any ubrl-dept1-class
match access-group name ubrl-dept1-acl

! policy created for UBRL
policy-map ubrl-policy
! associate class-map
class ubrl-dept1-class
! rate limit each IP from the subnet in the ACL to 10Mbps with bursting up to 5KB.
police flow mask src-only 10000000 5000 conform-action transmit exceed-action drop

! apply UBRL policy to interface connected to the 192.168.10.0 network
interface gigabitethernet3/1
service-policy input ubrl-policy

USER-BASED RATE LIMITING (UBRL) BI-DIRECTIONAL

[Diagram: Core switch with the Access switch connected on Gi3/1, serving the 192.168.10.0/24 user subnet]

Note: this will rate limit traffic to and from the user

! ACL listing subnet(s) that will use user-based rate limiting


! For communication from user (or egress)
ip access-list extended ubrl-university-egress-acl
remark department1 - 10Mb connection
permit ip 192.168.10.0 0.0.0.255 any



! ACL listing subnet(s) that will use user-based rate limiting
! For communication to user (or ingress)
ip access-list extended ubrl-university-ingress-acl
remark department1 - 10Mb connection
permit ip any 192.168.10.0 0.0.0.255

! ACL associated to class-map for "from user" traffic (or egress)


class-map match-any ubrl-university-egress-class
match access-group name ubrl-university-egress-acl

! ACL associated to class-map for "to user" traffic (or ingress)


class-map match-any ubrl-university-ingress-class
match access-group name ubrl-university-ingress-acl

! policy created for UBRL bi-directional


policy-map ubrl-policy
! associate class-map for egress traffic
class ubrl-university-egress-class
! rate limit traffic from each IP in the subnet (egress from the user) to 10Mbps with bursting up to 5KB.
police flow mask src-only 10000000 5000 conform-action transmit exceed-action drop
! associate class-map for ingress traffic
class ubrl-university-ingress-class
! rate limit traffic to each IP in the subnet (ingress to the user) to 10Mbps with bursting up to 5KB.
police flow mask dst-only 10000000 5000 conform-action transmit exceed-action drop

! apply UBRL policy to interface connected to the 192.168.10.0 network


interface gigabitethernet3/1
service-policy input ubrl-policy
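To see what the `police flow mask src-only 10000000 5000` and `dst-only` lines above actually do per host, here is an added Python model of the microflow policer (example code, not from the guide or from Cisco). It assumes a simple token bucket per flow key, refilled at the CIR and capped at the burst size; the PFC hardware policer's refill granularity differs, so the numbers are illustrative.

```python
"""Token-bucket model of the Catalyst 6500 microflow policer behind UBRL.

Added example, not from the guide: it approximates
  police flow mask src-only 10000000 5000 conform-action transmit exceed-action drop
as one token bucket per flow key (source IP for src-only, destination IP
for dst-only). The real PFC policer is hardware with its own refill
granularity, so treat the numbers as illustrative."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class FlowPolicer:
    rate_bps: int            # CIR in bits/s: 10000000 = 10 Mbps
    burst_bytes: int         # normal burst in bytes: 5000 = 5 KB
    mask: str                # "src-only" or "dst-only"
    subnet: str              # subnet the class-map ACL matches
    buckets: dict = field(default_factory=dict)  # flow key -> (tokens, last_seen)

    def _flow_key(self, src: str, dst: str) -> str:
        # src-only masks the flow down to the source address, dst-only to the destination
        return src if self.mask == "src-only" else dst

    def police(self, t: float, src: str, dst: str, length: int) -> str:
        """Police one packet of `length` bytes seen at time t (seconds).

        Returns "transmit", "drop" or "unpoliced" (packet outside the class-map ACL)."""
        key = self._flow_key(src, dst)
        if ip_address(key) not in ip_network(self.subnet):
            return "unpoliced"
        tokens, last = self.buckets.get(key, (self.burst_bytes, t))
        # tokens accrue at the CIR (bits/s -> bytes/s) and cap at the burst size
        tokens = min(self.burst_bytes, tokens + (t - last) * self.rate_bps / 8)
        if length <= tokens:
            self.buckets[key] = (tokens - length, t)
            return "transmit"
        self.buckets[key] = (tokens, t)   # exceed action: drop, bucket unchanged
        return "drop"


def demo_src_only() -> list:
    """Replays a constructed burst through the 'from user' policer (src-only mask)."""
    p = FlowPolicer(10_000_000, 5000, "src-only", "192.168.10.0/24")
    verdicts = []
    # host .10 sends five 1500-byte frames back to back: 3 fit in the 5 KB burst, 2 exceed
    for _ in range(5):
        verdicts.append(p.police(0.0, "192.168.10.10", "203.0.113.5", 1500))
    # host .11 has its own bucket, so it is unaffected by .10's burst
    verdicts.append(p.police(0.0, "192.168.10.11", "203.0.113.5", 1500))
    # 4 ms later .10's bucket has refilled by 10 Mbps * 4 ms = 5000 bytes
    verdicts.append(p.police(0.004, "192.168.10.10", "203.0.113.5", 1500))
    # a 9000-byte jumbo frame can never conform: it is larger than the burst
    verdicts.append(p.police(1.0, "192.168.10.10", "203.0.113.5", 9000))
    # a source outside the ACL subnet is not policed at all
    verdicts.append(p.police(1.0, "10.0.0.5", "203.0.113.5", 1500))
    return verdicts


def demo_dst_only() -> list:
    """The 'to user' half of the bi-directional policy keys on the destination,
    so every sender to one user shares that user's bucket."""
    p = FlowPolicer(10_000_000, 5000, "dst-only", "192.168.10.0/24")
    senders = ["203.0.113.5", "198.51.100.7", "203.0.113.5", "198.51.100.7"]
    return [p.police(0.0, s, "192.168.10.10", 1500) for s in senders]
```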



SERVICE MODULE: FWSM

[Diagram: FWSM between vlan101 (inside, 192.168.10.0/24, FWSM at .1) and vlan100 (outside, 1.1.1.0/24, FWSM at .1)]

BASE CONFIGURATION FOR CISCO CATALYST 6500

! add VLAN that will be used for the FWSM (on slot 4)
vlan 100
name FWSM-OUTSIDE

vlan 101
name FWSM-INSIDE

! configure VLAN group 1 for VLANs 100 and 101


firewall multiple-vlan-interfaces
firewall vlan-group 1 100-101

! associate VLAN group 1 to the FWSM located in slot 4


firewall module 4 vlan-group 1

ACCESS FWSM FROM CATALYST 6500

! access FWSM located in slot 4


session slot 4 processor 1

INTERFACES

! Configure interface, IP, and security zones for WAN interface (outside)
interface Vlan100
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0

! Configure interface, IP, and security zones for LAN interface (inside)
interface Vlan101
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0



SECURITY CONTEXT

! associate VLANs for inside & outside interfaces to FWSM (located in slot 4)
firewall vlan-group 1 10-11
firewall module 4 vlan-group 1

! virtualize firewall for Client 1


context Client1
! associate Vlan and specify alias name for WAN facing interface
allocate-interface vlan10 outside
! associate Vlan and specify alias name for LAN facing interface
allocate-interface vlan11 inside
! location and filename for Client 1 firewall instance
config-url disk:/Client1.cfg

! to access the Client 1 firewall instance from the physical firewall


changeto context Client1

FAILOVER

failover
failover lan unit primary
failover lan interface failover vlan 100
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover interface-policy 100%
failover replication http
failover link state vlan 101
failover interface ip failover 9.9.9.1 255.255.255.252 standby 9.9.9.2
failover interface ip state 9.9.8.1 255.255.255.252 standby 9.9.8.2



SERVICE MODULE: NAM

[Diagram: NAM service module in the Catalyst 6500 chassis]

! NAM module located in slot 7


! specify the VLAN to use for managing the NAM
analysis module 7 management-port access-vlan 99

! specify the VLANs the NAM module will capture on the switch
analysis module 7 data-port 1 capture allowed-vlan 10,100
analysis module 7 data-port 2 capture allowed-vlan 11,101-102



CISCO CATALYST 4500 SERIES

CISCO CATALYST 4500 SERIES ... 343
  Power Supply Redundancy ... 343
  Stateful Switchover (SSO) ... 343
  Quality of Service (QoS) ... 344
CISCO CATALYST 3750 SERIES ... 345
  Stack Master ... 345
CISCO CATALYST XL (LEGACY) SERIES ... 346
  Cisco Catalyst XL Clustering ... 346

POWER SUPPLY REDUNDANCY

! makes one of the power supplies active while the other is a backup
power redundancy-mode redundant

STATEFUL SWITCHOVER (SSO)

* must have two Supervisor engines installed

! enable Supervisor Engine redundancy


redundancy
! enable Stateful Switchover (SSO)
main-cpu
! synchronize the configuration between the two SUP engines.
auto-sync startup-config
auto-sync bootvar
auto-sync standard
mode sso

show redundancy states

! reloads standby supervisor engine and brings it back on-line


redundancy reload peer

! force the standby supervisor engine in the chassis to be active


redundancy force-switchover



QUALITY OF SERVICE (QOS)


! enable QoS globally


qos
qos dbl
qos dbl exceed-action ecn
qos map dscp 0 to tx-queue 2
qos map dscp 16 18 20 22 24 25 26 32 to tx-queue 4
qos map dscp 34 36 38 to tx-queue 4

policy-map DBL
class class-default
dbl

interface GigabitEthernet2/1
! trust DSCP marking of connected host
qos trust dscp
! apply QoS DBL inbound on switchport
service-policy input DBL

interface GigabitEthernet6/14
! trust DSCP marking of connected host
qos trust dscp
! QoS TX queuing
tx-queue 1
bandwidth percent 5
tx-queue 2
bandwidth percent 25
tx-queue 3
bandwidth percent 30
priority high
shape percent 30
tx-queue 4
bandwidth percent 40
! apply QoS DBL outbound on switchport
service-policy output DBL



CISCO CATALYST 3750 SERIES

CISCO CATALYST 3750 SERIES ... 345
  Stack Master ... 345

STACK MASTER

! global command to force a C3750 switch as the Stack Master switch


switch [switch number] priority 15



CISCO CATALYST XL (LEGACY) SERIES

CISCO CATALYST XL (LEGACY) SERIES ... 346
  Cisco Catalyst XL Clustering ... 346

CISCO CATALYST XL CLUSTERING

[Diagram: cluster group EPD; Commander switch 0006.d743.a4c0 with member switches, including Access Switch #13 (000a.8a85.d9c0)]

When using the clustering feature among a group of Cisco Catalyst XL series switches there
is a single COMMANDER switch which controls the cluster; every other switch is a MEMBER.

COMMANDER:
! Define cluster name and ID
cluster enable epd 0
! list all member switches in the cluster using the MAC-address for that switch
cluster member 1 mac-address 0006.53c5.2440
cluster member 2 mac-address 0006.d743.89c0
cluster member 3 mac-address 000b.5f76.ef80
cluster member 4 mac-address 0006.53c5.1d00
cluster member 5 mac-address 0006.53c4.cb40
cluster member 6 mac-address 0006.28d4.2f40
cluster member 7 mac-address 0005.dd40.4540
cluster member 8 mac-address 0006.53c5.2340
cluster member 9 mac-address 0005.dd44.d740
cluster member 10 mac-address 0006.d7a4.a980
cluster member 11 mac-address 0009.4493.2f00
cluster member 12 mac-address 0009.b751.6e80
cluster member 13 mac-address 000a.8a85.d9c0



MEMBER:
! on access switch #13, within the cluster, define the MAC address of the Commander
! switch and the cluster name "epd".
! Also define the member # that the switch will use
cluster commander-address 0006.d743.a4c0 member 13 name epd

From the COMMANDER


! If you want to connect into access switch #13 within the cluster do this:
rcommand 13

! show command to view all members in the cluster


switch_commander#show cluster members
|---Upstream---|
SN MAC Address Name PortIf FEC Hops SN PortIf FEC State
0 0006.d743.a4c0 b5475r1271gb 0 Up (Cmdr)
1 0006.53c5.2440 b5475SierraR 255 Up
2 0006.d743.89c0 b5475r1271gb 1 Down
3 000b.5f76.ef80 Switch Gi0/1 1 0 Gi0/1 Down
4 0006.53c5.1d00 b5475r1328tx Gi0/1 1 0 Gi0/3 Up
5 0006.53c4.cb40 b5475r1348tx Gi0/1 1 0 Gi0/6 Up
6 0006.28d4.2f40 b5426r100 1 Down
7 0005.dd40.4540 b5475r1305 255 Up
8 0006.53c5.2340 b5475r1222 255 Up
9 0005.dd44.d740 b5425r100 2 Down
10 0006.d7a4.a980 b5475r1151 Gi0/2 1 0 Gi0/4 Up
11 0009.4493.2f00 b5475r1328cg 2 Down
12 0009.b751.6e80 b5475r1328cg 2 Down
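A commander's `cluster member` list is an inventory, and the `show cluster members` output is what the commander actually sees; drift between the two (a mistyped MAC, a member that never shows up, members stuck Down) is worth catching. The following added Python script (not from the guide) reconciles the two. Both inputs are constructed from the listing above, with member 12's address deliberately truncated so the check has something to report.

```python
"""Reconcile a Catalyst XL commander's `cluster member` lines against `show cluster members`.

Added example, not from the guide. The two inputs below are constructed from the
guide's listing; member 12's address is deliberately truncated so the check has
something to catch."""
import re

COMMANDER_CONFIG = """\
cluster enable epd 0
cluster member 1 mac-address 0006.53c5.2440
cluster member 2 mac-address 0006.d743.89c0
cluster member 3 mac-address 000b.5f76.ef80
cluster member 4 mac-address 0006.53c5.1d00
cluster member 5 mac-address 0006.53c4.cb40
cluster member 6 mac-address 0006.28d4.2f40
cluster member 7 mac-address 0005.dd40.4540
cluster member 8 mac-address 0006.53c5.2340
cluster member 9 mac-address 0005.dd44.d740
cluster member 10 mac-address 0006.d7a4.a980
cluster member 11 mac-address 0009.4493.2f00
cluster member 12 mac-address 0009.b751.6e8
cluster member 13 mac-address 000a.8a85.d9c0
"""

SHOW_CLUSTER_MEMBERS = """\
                                                    |---Upstream---|
SN MAC Address Name PortIf FEC Hops SN PortIf FEC State
0 0006.d743.a4c0 b5475r1271gb 0 Up (Cmdr)
1 0006.53c5.2440 b5475SierraR 255 Up
2 0006.d743.89c0 b5475r1271gb 1 Down
3 000b.5f76.ef80 Switch Gi0/1 1 0 Gi0/1 Down
4 0006.53c5.1d00 b5475r1328tx Gi0/1 1 0 Gi0/3 Up
5 0006.53c4.cb40 b5475r1348tx Gi0/1 1 0 Gi0/6 Up
6 0006.28d4.2f40 b5426r100 1 Down
7 0005.dd40.4540 b5475r1305 255 Up
8 0006.53c5.2340 b5475r1222 255 Up
9 0005.dd44.d740 b5425r100 2 Down
10 0006.d7a4.a980 b5475r1151 Gi0/2 1 0 Gi0/4 Up
11 0009.4493.2f00 b5475r1328cg 2 Down
12 0009.b751.6e80 b5475r1328cg 2 Down
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
MEMBER_RE = re.compile(r"^cluster member (\d+) mac-address (\S+)$")
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+.*\b(Up|Down)\b")


def parse_config(text: str) -> dict:
    """member number -> configured MAC (as written, not validated)."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members[int(m.group(1))] = m.group(2).lower()
    return members


def parse_show(text: str) -> dict:
    """SN -> (MAC, state) from `show cluster members`; header lines do not match."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[int(m.group(1))] = (m.group(2).lower(), m.group(3))
    return rows


def reconcile(config: str, show: str) -> dict:
    cfg, live = parse_config(config), parse_show(show)
    return {
        # addresses that are not three groups of four hex digits can never match a switch
        "malformed": {n: mac for n, mac in cfg.items() if not MAC_RE.match(mac)},
        # configured members the commander has no row for
        "missing_from_show": sorted(n for n in cfg if n not in live),
        # members the commander knows but currently reports as Down
        "down": sorted(n for n, (_, st) in live.items() if st == "Down"),
        # configured MAC differs from what the commander sees at that SN
        "mac_mismatch": sorted(n for n in cfg if n in live and live[n][0] != cfg[n]),
        # rows in the output with no member line (SN 0 is the commander itself)
        "unconfigured": sorted(n for n in live if n != 0 and n not in cfg),
    }
```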



CISCO ACE SERIES

Cisco ACE 4710 ... 348
  Routed Mode ... 348
  Management Traffic ... 350

CISCO ACE 4710



ROUTED MODE

[Diagram: ACE 4710 in routed mode; outside vlan20 192.168.20.0/24 (ACE .2, ISP2 .1) hosting VIP 192.168.20.10; inside vlan10 192.168.10.0/24 (ACE .1) with server farm WEB01TRA (.11) and WEB02TRA (.12)]

! VLAN interface for WAN facing interface


interface vlan 20
description OUTSIDE INTERFACE
ip address 192.168.20.2 255.255.255.0
no shutdown

! VLAN interface for LAN facing interface


interface vlan 10
description INSIDE INTERFACE
ip address 192.168.10.1 255.255.255.0
no shutdown

! define WAN facing interface


interface gigabitEthernet 1/1
switchport access vlan 20
switchport mode access
no shutdown



! define LAN facing interface
interface gigabitEthernet 1/2
switchport access vlan 10
switchport mode access
no shutdown

! define real server and its IP address


rserver host WEB01TRA
ip address 192.168.10.11
inservice

! define real server and its IP address


rserver host WEB02TRA
ip address 192.168.10.12
inservice

! associate all servers into a server farm group


serverfarm host RHG-SF-WEB
rserver WEB01TRA
inservice
rserver WEB02TRA
inservice

! class map defining the VIP for the web server farm
class-map match-all RHG-CLASS-VIP-WEB
! create VIP for TCP/80
2 match virtual-address 192.168.20.10 tcp eq www

! create policy map for associating the web servers


policy-map type loadbalance http first-match RHG-POL-LB-WEB
class class-default
! associate serverfarm that contain the two web servers
serverfarm RHG-SF-WEB

policy-map multi-match RHG-POL-LB


! class map for the web server farm
class RHG-CLASS-VIP-WEB
! activate load balancing and the VIP
loadbalance vip inservice
! associate policy with the web servers that will be load balanced using the VIP
loadbalance policy RHG-POL-LB-WEB
! answer ICMP echo to the VIP only while at least one real server in the serverfarm is active
loadbalance vip icmp-reply active

! ACL for allowing only TCP/80 to the VIP


access-list RHG-ACL-WAN extended permit tcp any host 192.168.20.10 eq 80



! WAN facing interface
interface vlan 20
ip address 192.168.20.2 255.255.255.0
! associate ACL policy
access-group input RHG-ACL-WAN
! associate load balancing policy
service-policy input RHG-POL-LB
no shutdown

! default gateway to the edge router or firewall


ip route 0.0.0.0 0.0.0.0 192.168.20.1

MANAGEMENT TRAFFIC

! define class map for management traffic which is blocked by default


class-map type management match-any RHG-CLASS-MGMT
2 match protocol ssh any
3 match protocol telnet any
5 match protocol https any
6 match protocol http any
7 match protocol icmp any

! policy map for management traffic


policy-map type management first-match RHG-POL-MGMT
class RHG-CLASS-MGMT
permit

! associate policy map to WAN facing interface to allow Management traffic


interface vlan 20
service-policy input RHG-POL-MGMT
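The management class-map above permits ssh, telnet, https, http and icmp from any source, and the policy is applied to the WAN-facing interface. The following added Python audit (example code, not from the guide or from Cisco) parses those three block types and reports which permitted management protocols are cleartext and which are reachable from any source on an interface described as OUTSIDE. The configuration it reads is a constructed copy of the sections above.

```python
"""Audit which management protocols an ACE 4710 permits, and on which interface.

Added example, not from the guide: a small parser for the `class-map type management`,
`policy-map type management` and `interface vlan` blocks, with a constructed copy
of the guide's configuration as input."""
import re

# Constructed from the routed-mode and management-traffic sections of the guide
ACE_CONFIG = """\
class-map type management match-any RHG-CLASS-MGMT
  2 match protocol ssh any
  3 match protocol telnet any
  5 match protocol https any
  6 match protocol http any
  7 match protocol icmp any
policy-map type management first-match RHG-POL-MGMT
  class RHG-CLASS-MGMT
    permit
interface vlan 20
  description OUTSIDE INTERFACE
  ip address 192.168.20.2 255.255.255.0
  access-group input RHG-ACL-WAN
  service-policy input RHG-POL-LB
  service-policy input RHG-POL-MGMT
  no shutdown
interface vlan 10
  description INSIDE INTERFACE
  ip address 192.168.10.1 255.255.255.0
  no shutdown
"""

CLEARTEXT = {"telnet", "http"}   # credentials and sessions cross the wire unencrypted
MATCH_RE = re.compile(r"^(?:\d+\s+)?match protocol (\S+)\s+(.+)$")


def parse_ace(text: str):
    """Return (classes, policies, interfaces) dictionaries from the config text."""
    classes, policies, interfaces = {}, {}, {}
    ctx = None   # (kind, name) of the block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("class-map type management "):
            name = line.split()[-1]
            classes[name], ctx = [], ("class", name)
        elif line.startswith("policy-map type management "):
            name = line.split()[-1]
            policies[name], ctx = [], ("policy", name)
        elif line.startswith("interface "):
            name = line[len("interface "):]
            interfaces[name], ctx = {"description": "", "policies": []}, ("intf", name)
        elif ctx is None:
            continue
        elif ctx[0] == "class":
            m = MATCH_RE.match(line)          # "N match protocol <proto> <source>"
            if m:
                classes[ctx[1]].append((m.group(1), m.group(2)))
        elif ctx[0] == "policy":
            if line.startswith("class "):
                policies[ctx[1]].append({"class": line.split()[1], "action": None})
            elif line in ("permit", "deny") and policies[ctx[1]]:
                policies[ctx[1]][-1]["action"] = line
        elif ctx[0] == "intf":
            if line.startswith("description "):
                interfaces[ctx[1]]["description"] = line[len("description "):]
            elif line.startswith("service-policy input "):
                interfaces[ctx[1]]["policies"].append(line.split()[-1])
    return classes, policies, interfaces


def audit(text: str) -> list:
    """Return (interface, protocol, finding) tuples for permitted management traffic."""
    classes, policies, interfaces = parse_ace(text)
    findings = []
    for intf, data in interfaces.items():
        outside = "OUTSIDE" in data["description"].upper()
        for pol in data["policies"]:
            for entry in policies.get(pol, []):      # non-management policies have no entries
                if entry["action"] != "permit":
                    continue
                for proto, source in classes.get(entry["class"], []):
                    if proto in CLEARTEXT:
                        findings.append((intf, proto, "cleartext management protocol permitted"))
                    if outside and source == "any" and proto != "icmp":
                        findings.append((intf, proto, "management open to any source on outside interface"))
    return findings
```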



CISCO NEXUS SERIES (NX-OS)

CISCO NEXUS SERIES (NX-OS) ... 351
  General ... 353
    L2 Interface ... 353
    L3 Interface ... 353
    Saving Configuration ... 353
    Alias ... 353
    10GE: Dedicated Mode ... 353
    Install License ... 354
    Specify a Range of Interfaces ... 354
  LAN Switching ... 355
    VLAN (L2) and VTP ... 355
    VLAN SVI (L3) ... 355
    Access/Edge Port ... 355
    802.1q (Trunking) Port ... 356
    Spanning Tree: Root Bridge ... 356
    Spanning Tree: Port Type (Edge) ... 356
    BPDU Guard ... 357
    Storm Control ... 357
    UDLD ... 357
    MAC Aging ... 357
    Static MAC Entry ... 357
    L2 Port Channel ... 358
    L3 Port Channel ... 359
  IP Routing ... 360
    EIGRP ... 360
    OSPF ... 362
  IP Services ... 365
    HSRP ... 365
  Security ... 367
    Access Control List (ACL) ... 367
    Control Plane Policing (CoPP) ... 367
  Network Management ... 369
    Out-of-Band (OOB) Management ... 369
    NTP ... 369
    Logging (SYSLOG) ... 369
    SNMPV2 ... 370
    Telnet ... 370
    VTY ... 370
    AAA and TACACS+ ... 370
    AAA and RADIUS ... 371
    Role Based Access Control (RBAC) ... 371
    Configuration Rollback ... 372
    Line Card ID ... 372



    System Switchover ... 372
  Fabric Extenders (NX-5000) ... 373
    Using Static Pinning ... 373
    Using Port Channel ... 374
  Advanced Services ... 375
    VPC ... 375
    VDC ... 378
    Jumbo Frame Support for Nexus 5000 Series ... 379
    Jumbo Frame Support for Nexus 7000 Series ... 379
    OTV ... 380



GENERAL

L2 INTERFACE

interface e1/1
! enables L2 interface
switchport
switchport access vlan 10
switchport mode access

L3 INTERFACE

interface e1/1
! enables L3 interface
no switchport
ip address 10.1.1.1/24

SAVING CONFIGURATION

! to save the configuration on NX-OS


copy running-config startup-config

ALIAS

! create an alias called "wrmem" that will save the configuration


cli alias name wrmem copy run start

10GE: DEDICATED MODE

! dedicate the full 10GE bandwidth to port 1 on slot 1; this disables ports 3, 5 and 7 of the same port group
interface e1/1
rate-mode dedicated



INSTALL LICENSE

! install license on Nexus located in bootflash


install license bootflash:license_file.lic

SPECIFY A RANGE OF INTERFACES

! specify ports 10 to 48 on slot 2 for the following interface configuration


interface e2/10-48
switchport
switchport access vlan 10
switchport mode access



LAN SWITCHING

VLAN (L2) AND VTP

! enable VTP. Disabled by default


feature vtp

! configure VLAN and name


vlan 10
name RHG-VLAN-DC1

VLAN SVI (L3)

[Diagram: NX-1 with VLAN 10 SVI 192.168.10.1]

! enable VLAN L3 support


feature interface-vlan

! configure VLAN interface, IP, and mask


interface Vlan10
ip address 192.168.10.1/24

ACCESS/EDGE PORT

[Diagram: NX-1 port e2/1 in vlan10 (SVI 192.168.10.1) connected to host 192.168.10.10/24]

interface e2/1
switchport
! place interface into VLAN 10
switchport access vlan 10
switchport mode access



802.1Q (TRUNKING) PORT

[Diagram: NX-1 and NX-2 linked by an 802.1Q trunk on e1/1 carrying VLAN tag 10; host 192.168.10.10/24 on NX-1 e2/1 in vlan10, a 192.168.10.X/24 host on NX-2 in vlan10; VLAN 10 SVI 192.168.10.1]

interface e1/1
switchport
! specify native VLAN (untagged)
switchport trunk native vlan 999
! specify what VLAN tags are allowed
switchport trunk allowed vlan 10
switchport mode trunk

SPANNING TREE: ROOT BRIDGE

>> NX-1 <<


! primary root bridge for VLANs 10 to 11
spanning-tree vlan 10-11 priority 8192

>> NX-2 <<


! secondary root bridge for VLANs 10 to 11
spanning-tree vlan 10-11 priority 16384

SPANNING TREE: PORT TYPE (EDGE)

[Diagram: NX-1 port e2/1 in vlan10 connected to host 192.168.10.10/24]

interface e2/1
! specify that this interface is for hosts (e.g. desktops, servers)
spanning-tree port type edge



BPDU GUARD

! enable BPDUguard globally for all edge ports


spanning-tree port type edge bpduguard default

STORM CONTROL

interface ethernet1/1
! limit broadcast traffic to 20% of the interface’s bandwidth
storm-control broadcast level 20

UDLD

[Diagram: NX-1 and NX-2 connected by a port channel on e1/1-2 and by copper Gig ports on e1/3]

>> NX-1 <<


! enable UDLD normal for all ports
feature udld

interface e1/1-2
! enable for Port Channeling ports between switches
udld aggressive

interface e1/3
! enable for Copper ports between switches
udld enable

MAC AGING

! configure the global aging time for MAC addresses on the Nexus switch
mac address-table aging-time 120

STATIC MAC ENTRY

! configures a static entry for the MAC address, switch port and VLAN it should be associated to
mac address-table static 1234.5678.9ABC vlan 10 interface ethernet 1/10



L2 PORT CHANNEL

[Diagram: NX-1 and NX-2 joined by LACP port channel 1 over e1/1 and e1/2, carrying VLAN 10]

>> NX-1 <<


! enable LACP
feature lacp

! specify interfaces that will use L2 port channel


interface e1/1-2
switchport
! define mode to be ACTIVE
channel-group 1 mode active

! configures L2 port channel


interface port-channel 1
switchport
switchport trunk native vlan 999
switchport trunk allowed vlan 10
switchport mode trunk

>> NX-2 <<


! enable LACP
feature lacp

! specify interfaces that will use L2 port channel


interface e1/1-2
switchport
! define mode to be ACTIVE
channel-group 1 mode active

! configures L2 port channel


interface port-channel 1
switchport
switchport trunk native vlan 999
switchport trunk allowed vlan 10
switchport mode trunk



L3 PORT CHANNEL

[Diagram: NX-1 (.1) and NX-2 (.2) joined by LACP port channel 1 over e1/1 and e1/2 on 10.1.1.0/30]

>> NX-1 <<


! enable LACP
feature lacp

! specify interfaces that will use L3 port channel


interface e1/1-2
no switchport
! default mode is ON
channel-group 1

! configures L3 port channel


interface port-channel 1
ip address 10.1.1.1 255.255.255.252

>> NX-2 <<


! enable LACP
feature lacp

! specify interfaces that will use L3 port channel


interface e1/1-2
no switchport
! default mode is ON
channel-group 1

! configures L3 port channel


interface port-channel 1
ip address 10.1.1.2 255.255.255.252



IP ROUTING

EIGRP

[Diagram: NX-1 (AGG) and NX-2 (CORE) in EIGRP ASN 1 over e1/1 on 10.1.1.0/24 (NX-1 .1, NX-2 .2); NX-1 vlan10 192.168.10.0/24 with SVI .1]

>> NX-1 (AGG) <<


! enable EIGRP
feature eigrp

! configures key chain called SEIGRP using the password Cisco123


key chain SEIGRP
key 1
key-string Cisco123

! specify the EIGRP routes we want to advertise to other EIGRP routers


ip prefix-list PL-EIGRP-OUT seq 10 permit 10.1.1.0/24
ip prefix-list PL-EIGRP-OUT seq 11 permit 192.168.0.0/16

! specify the EIGRP routes we want to receive from other EIGRP routers
ip prefix-list PL-EIGRP-IN seq 10 permit 0.0.0.0/0

interface e1/1
no switchport
ip address 10.1.1.1/24
! interface network (10.1.1.0/24) added to EIGRP ASN 1
ip router eigrp 1
! enable MD5 authentication and associate key-chain to interface for EIGRP
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 SEIGRP
! associate prefix-list to only advertise the routes listed in the prefix-list to all neighbors
ip distribute-list eigrp 1 prefix-list PL-EIGRP-OUT out
! associate prefix-list to only receive the routes listed in the prefix-list
ip distribute-list eigrp 1 prefix-list PL-EIGRP-IN in
! summarizes all subnets within 192.168.x.x to 192.168.0.0/16 to Core
ip summary-address eigrp 1 192.168.0.0/16

interface Vlan10
ip address 192.168.10.1/24
! interface network (192.168.10.0/24) added to EIGRP ASN 1
ip router eigrp 1
! passive interface: no EIGRP hellos or adjacencies on this interface, but its network is still advertised
ip passive-interface eigrp 1



router eigrp 1
address-family ipv4 unicast
! enable non-stop forwarding for EIGRP
graceful-restart
timers nsf converge 180
timers nsf route-hold 200

>> NX-2 (CORE) <<


! enable EIGRP
feature eigrp

! configures key chain called SEIGRP using the password Cisco123


key chain SEIGRP
key 1
key-string Cisco123

! specify the EIGRP routes we want to advertise to other EIGRP routers


ip prefix-list PL-EIGRP-OUT seq 10 permit 0.0.0.0/0

! specify the EIGRP routes we want to receive from other EIGRP routers
ip prefix-list PL-EIGRP-IN seq 10 permit 10.1.1.0/24
ip prefix-list PL-EIGRP-IN seq 11 permit 192.168.0.0/16

interface e1/1
no switchport
ip address 10.1.1.2/24
! interface network (10.1.1.0/24) added to EIGRP ASN 1
ip router eigrp 1
! enable MD5 authentication and associate key-chain to interface for EIGRP
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 SEIGRP
! associate prefix-list to only advertise the routes listed in the prefix-list to all neighbors
ip distribute-list eigrp 1 prefix-list PL-EIGRP-OUT out
! associate prefix-list to only receive the routes listed in the prefix-list
ip distribute-list eigrp 1 prefix-list PL-EIGRP-IN in

router eigrp 1
address-family ipv4 unicast
! enable non-stop forwarding for EIGRP
graceful-restart
timers nsf converge 180
timers nsf route-hold 200

show ip route
show ip eigrp neighbors



OSPF

[Diagram: NX-1 (AGG, router ID 2.2.2.2) and NX-2 (CORE, router ID 1.1.1.1) linked over e1/1 on 10.1.1.0/24 in Area 0 (NX-1 .2, NX-2 .1); NX-1 vlan10 192.168.10.0/24 and vlan11 192.168.11.0/24 (SVI .1 each) in Area 10]

>> NX-1 (AGG) <<


! enable OSPF
feature ospf

! interface used for the OSPF router ID


interface loopback0
ip address 2.2.2.2/32

! specify the OSPF routes we want to advertise to other OSPF routers


ip prefix-list PL-OSPF-OUT seq 10 permit 10.1.1.0/24
ip prefix-list PL-OSPF-OUT seq 11 permit 192.168.0.0/16

! specify the OSPF routes we want to receive from other OSPF routers
ip prefix-list PL-OSPF-IN seq 10 permit 0.0.0.0/0

! enable OSPF routing process


router ospf 2
! specify router ID to use
router-id 2.2.2.2
log-adjacency-changes
auto-cost reference-bandwidth 100000
! enable MD5 authentication for OSPF backbone (Area 0)
area 0 authentication message-digest
! enable Area 10 as a Totally Stub area
area 10 stub no-summary
! summarizes all subnets within 192.168.x.x to 192.168.0.0/16 to Core
area 10 range 192.168.0.0/16



interface e1/1
no switchport
ip address 10.1.1.2/24
! interface network (10.1.1.0/24) added to OSPF Area 0 (backbone)
ip router ospf 2 area 0
! enable MD5 authentication and specify password
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 0 Cisco123
! associate prefix-list to only advertise the routes listed in the prefix-list to all neighbors
ip distribute-list ospf 2 prefix-list PL-OSPF-OUT out
! associate prefix-list to only receive the routes listed in the prefix-list
ip distribute-list ospf 2 prefix-list PL-OSPF-IN in

interface Vlan10
ip address 192.168.10.1/24
! interface network (192.168.10.0/24) added to OSPF Area 10
ip router ospf 2 area 10
! passive: the SVI subnet is still advertised, but no hellos are sent and no adjacency can form on this host-facing interface
ip ospf passive-interface

interface Vlan11
ip address 192.168.11.1/24
! interface network (192.168.11.0/24) added to OSPF Area 10
ip router ospf 2 area 10
! passive: the SVI subnet is still advertised, but no hellos are sent and no adjacency can form on this host-facing interface
ip ospf passive-interface

>> NX-2 (CORE) <<


! enable OSPF
feature ospf

! interface used for the OSPF router ID


interface loopback0
ip address 1.1.1.1/32

! specify the OSPF routes we want to advertise to other OSPF routers


ip prefix-list PL-OSPF-OUT seq 10 permit 0.0.0.0/0

! specify the OSPF routes we want to receive from other OSPF routers
ip prefix-list PL-OSPF-IN seq 10 permit 10.1.1.0/24
ip prefix-list PL-OSPF-IN seq 11 permit 192.168.0.0/16

! enable OSPF routing process


router ospf 1
! specify router ID to use
router-id 1.1.1.1
log-adjacency-changes
auto-cost reference-bandwidth 100000
! enable MD5 authentication for OSPF backbone (Area 0)
area 0 authentication message-digest
! originate a default route into OSPF; "always" advertises it even when the Core has no default route of its own
default-information originate always



interface e1/1
no switchport
ip address 10.1.1.1/24
! interface network (10.1.1.0/24) added to OSPF Area 0 (backbone)
ip router ospf 1 area 0
! enable MD5 authentication; key ID and key must match NX-1 (placeholder value)
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 0 Cisco123
! prefix-list filters (OSPF is link-state: these only affect what is redistributed and what is installed locally,
! not the LSAs flooded to neighbors; verify support on the NX-OS release in use)
ip distribute-list ospf 1 prefix-list PL-OSPF-OUT out
ip distribute-list ospf 1 prefix-list PL-OSPF-IN in

show ip route
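The EIGRP and OSPF sections above both filter with `ip prefix-list` entries. The following is an added example, not part of the guide, that models how those entries are evaluated: ascending sequence order, first match wins, implicit deny at the end, and an entry without `ge`/`le` matching only the exact prefix length. That last rule is why NX-1's PL-OSPF-OUT as written passes the 192.168.0.0/16 area summary but would not pass an individual /24. The config text and the PL-OSPF-OUT-LE list are constructed sample input.

```python
"""Cisco-style ip prefix-list matching, as used by the OSPF and EIGRP
distribute-lists in this guide.

Added example, not part of the guide: entries are tried in ascending
sequence order, the first match decides, and a route that matches no
entry is denied (implicit deny). An entry without ge/le matches only the
exact prefix length.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# Constructed sample config: NX-1's PL-OSPF-OUT and PL-OSPF-IN from the
# guide plus a hypothetical PL-OSPF-OUT-LE that also admits the /24s.
SAMPLE_CONFIG = """\
ip prefix-list PL-OSPF-OUT seq 10 permit 10.1.1.0/24
ip prefix-list PL-OSPF-OUT seq 11 permit 192.168.0.0/16
ip prefix-list PL-OSPF-OUT-LE seq 5 deny 192.168.99.0/24
ip prefix-list PL-OSPF-OUT-LE seq 10 permit 192.168.0.0/16 le 24
ip prefix-list PL-OSPF-IN seq 10 permit 0.0.0.0/0
"""


def parse_prefix_lists(config_text):
    """Return {name: [(seq, action, network, ge, le), ...]} sorted by seq."""
    lists = {}
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m["prefix"], strict=False)
        plen = net.prefixlen
        ge = int(m["ge"]) if m["ge"] else plen
        # 'ge' alone opens the range up to the host length; neither
        # keyword means an exact-length match only
        le = int(m["le"]) if m["le"] else (net.max_prefixlen if m["ge"] else plen)
        lists.setdefault(m["name"], []).append(
            (int(m["seq"]), m["action"], net, ge, le)
        )
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def evaluate(entries, prefix):
    """Return (action, seq) for the first matching entry, or ('deny', None)."""
    route = ipaddress.ip_network(prefix, strict=False)
    for seq, action, net, ge, le in entries:
        covered = (
            route.version == net.version
            and route.prefixlen >= net.prefixlen
            and route.network_address in net
        )
        if covered and ge <= route.prefixlen <= le:
            return action, seq
    return "deny", None  # implicit deny at the end of every prefix-list


PREFIX_LISTS = parse_prefix_lists(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name in ("PL-OSPF-OUT", "PL-OSPF-OUT-LE", "PL-OSPF-IN"):
        for candidate in ("10.1.1.0/24", "192.168.0.0/16", "192.168.10.0/24",
                          "192.168.99.0/24", "0.0.0.0/0"):
            print(name, candidate, evaluate(PREFIX_LISTS[name], candidate))
```

Run it and compare PL-OSPF-OUT with PL-OSPF-OUT-LE on 192.168.10.0/24: the guide's list denies it (exact /16 only), the `le 24` variant permits it. PL-OSPF-IN `permit 0.0.0.0/0` likewise accepts only the default route itself; `0.0.0.0/0 le 32` would accept everything.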



IP SERVICES

HSRP

Topology: NX-1 (Primary, VLAN 10, 192.168.10.2) and NX-2 (Secondary, VLAN 10, 192.168.10.3) joined by an 802.1Q trunk on e1/1 carrying VLAN 10; both serve HSRP VIP 192.168.10.1 as the gateway for 192.168.10.0/24 (host 192.168.10.10).

>> NX-1 <<


! enable HSRP
feature hsrp
feature interface-vlan

interface Vlan10
ip address 192.168.10.2/24
! configure HSRP group 1
hsrp 1
! virtual IP address used as default gateway for devices
ip 192.168.10.1
! priority 110 (default 100) makes NX-1 the active router; preempt lets it reclaim the VIP after a reload,
! delayed 180 s so the routing protocol has converged before traffic is attracted
priority 110
preempt delay minimum 180
! MD5 authentication; the key must match on both peers (placeholder value) and stops a rogue host from joining the group
authentication md5 key-string Cisco123
! hello 1 s, hold 3 s (must match on both peers)
timers 1 3



>> NX-2 <<
! enable HSRP
feature hsrp
feature interface-vlan

interface Vlan10
ip address 192.168.10.3/24
! configure HSRP group 1
hsrp 1
! virtual IP address used as default gateway for devices
ip 192.168.10.1
! default priority 100 (standby); preempt lets NX-2 take over if NX-1's priority drops below 100, e.g. via interface tracking
preempt
! MD5 authentication and password (must match NX-1)
authentication md5 key-string Cisco123
! hello 1 s, hold 3 s (must match NX-1)
timers 1 3

show hsrp



SECURITY

ACCESS CONTROL LIST (ACL)

Topology: NX-1 e1/1 (1.1.1.1) faces the outside network and protects the inside 192.168.10.0/24.

! ACL policy: only the listed services of host 192.168.10.10 are reachable from outside; everything else is
! dropped by the implicit deny at the end of every NX-OS ACL. "any" as source is wide for SNMP (udp/161);
! narrow it to the known managers where possible
ip access-list RHG-ACL
10 permit udp any 192.168.10.10/32 eq snmp
20 permit tcp any 192.168.10.10/32 eq 443
30 permit tcp any 192.168.10.10/32 eq 80
40 permit tcp any 192.168.10.10/32 eq 25

interface e1/1
! routed port
no switchport
ip address 1.1.1.1/24
! enable ACL inbound on interface
ip access-group RHG-ACL in

CONTROL PLANE POLICING (COPP)

! define ACL for traffic allowed to the control plane
ip access-list COPP-ACL-ALLOWED
! NMS server 192.168.10.10 can query SNMP to the Nexus switch
10 permit udp 192.168.10.10/32 any eq snmp

! define ACL catch-all for traffic restricted to the control plane
ip access-list COPP-ACL-DENIED
! any other SNMP access we want to be restricted to the Nexus switch
10 permit udp any any eq snmp

! remove SNMP from the default CoPP management class so it is not matched there before our own classes see it
class-map type control-plane match-any copp-system-class-management
no match access-group name copp-system-acl-snmp

! associate allowed ACL to class map


class-map type control-plane match-any COPP-CM-ALLOWED
match access-group name COPP-ACL-ALLOWED

! associate catch-all ACL to class map


class-map type control-plane match-any COPP-CM-DENIED
match access-group name COPP-ACL-DENIED



! define CoPP policy; class order matters, the allowed class must come before the catch-all
policy-map type control-plane COPP-PM-SYSTEM
! associate allowed ACL class to policy map
class COPP-CM-ALLOWED
! rate-limit permitted SNMP toward the control plane to 10 Mbps with a 250 ms burst
police cir 10000 kbps bc 250 ms conform transmit violate drop
! associate catch-all ACL class to policy map
class COPP-CM-DENIED
! drop all other SNMP toward the control plane regardless of rate
police cir 10000 kbps bc 250 ms conform drop violate drop

! enable CoPP on the Nexus. Only one control-plane policy can be active, so applying this one replaces the
! default profile; the policy as shown covers SNMP only and leaves routing protocols, ARP and management traffic
! to class-default. In practice copy the system CoPP profile first and add the classes above to that copy
control-plane
service-policy input COPP-PM-SYSTEM
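To make the `police cir 10000 kbps bc 250 ms` lines concrete, here is an added example (not from the guide) that simulates the single-rate token bucket such a policer implements: the bucket refills at 10 Mbit/s and holds at most cir times bc, i.e. 312,500 bytes, so a burst of SNMP packets larger than that is partly dropped even though the average rate is fine. The packet stream and timestamps are constructed sample input; the exact scheduling inside the ASIC is not modelled.

```python
"""Token-bucket view of the CoPP policers above.

Added example, not from the guide: 'police cir 10000 kbps bc 250 ms'
refills a bucket at 10 Mbit/s and caps it at cir * bc = 312,500 bytes.
A packet conforms if the bucket holds at least its size in tokens,
otherwise it violates; what then happens is the configured action. The
packet stream below is constructed sample input (timestamps in seconds).
"""


class ControlPlanePolicer:
    """Single-rate, two-colour policer (conform / violate)."""

    def __init__(self, cir_kbps, bc_ms, conform="transmit", violate="drop"):
        self.rate_bytes_per_s = cir_kbps * 1000 / 8
        self.bucket_bytes = self.rate_bytes_per_s * bc_ms / 1000
        self.tokens = self.bucket_bytes  # bucket starts full
        self.last_t = 0.0
        self.conform, self.violate = conform, violate

    def offer(self, t, size):
        """Offer a packet of `size` bytes at time `t`; return the action."""
        self.tokens = min(self.bucket_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return self.conform
        return self.violate  # a violating packet consumes no tokens


def run_stream(policer, packets):
    """Return {'transmit': n, 'drop': n} for a list of (time, size) packets."""
    counts = {"transmit": 0, "drop": 0}
    for t, size in packets:
        counts[policer.offer(t, size)] += 1
    return counts


# Constructed: 400 one-kilobyte SNMP packets arrive at once, then 200
# more 100 ms later (the bucket has refilled 125,000 bytes by then).
SAMPLE_STREAM = [(0.0, 1000)] * 400 + [(0.1, 1000)] * 200


def allowed_class_result():
    """COPP-CM-ALLOWED: conform transmit, violate drop."""
    return run_stream(ControlPlanePolicer(10000, 250), SAMPLE_STREAM)


def denied_class_result():
    """COPP-CM-DENIED: conform drop, violate drop, i.e. nothing gets through."""
    return run_stream(ControlPlanePolicer(10000, 250, conform="drop"), SAMPLE_STREAM)


if __name__ == "__main__":
    print("bucket bytes:", ControlPlanePolicer(10000, 250).bucket_bytes)
    print("allowed class:", allowed_class_result())
    print("denied class:", denied_class_result())
```

The first burst gets 312 packets through and loses 88; the second gets 125 through and loses 75. Sizing `bc` is therefore the real decision: too small and a legitimate NMS poll sweep is clipped, too large and an attacker gets a bigger free burst at the supervisor before policing bites.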



NETWORK MANAGEMENT

OUT-OF-BAND (OOB) MANAGEMENT

! generate the 2048-bit RSA host key used by SSH (feature ssh is on by default)
ssh key rsa 2048

! configure default gateway for management context
vrf context management
ip route 0.0.0.0/0 192.168.99.1

! ACL to specify what networks and services can use the management context; the implicit deny drops everything else
ip access-list ACL-MGMT
! any host on the 192.168.10.0 subnet can SSH to Nexus
10 permit tcp 192.168.10.0/24 any eq 22
! only NMS server (.10) can query SNMP from Nexus
20 permit udp 192.168.10.10/32 any eq snmp
! allow ICMP to Nexus from any network
30 permit icmp any any
! NX-OS ACLs are stateless: replies from the NTP, TACACS+ and RADIUS server (192.168.10.10, configured
! further down) would otherwise be dropped on the way back in
40 permit udp 192.168.10.10/32 eq 123 any
50 permit tcp 192.168.10.10/32 eq 49 any
60 permit udp 192.168.10.10/32 range 1812 1813 any

interface mgmt 0
! ACL applied to management interface
ip access-group ACL-MGMT in
! configure IP and mask for Management interface
ip address 192.168.99.2/24
no shutdown

NTP

! specify NTP server and to use the management context


ntp server 192.168.10.10 use-vrf management

LOGGING (SYSLOG)

! enable logging using msec timestamps
logging timestamp milliseconds
! syslog server reached through the management context, NX-OS "logging server" form. Severity 7 (debugging)
! forwards debug output as well and can flood the collector; 6 (informational) is the usual production ceiling
logging server 192.168.10.10 7 use-vrf management
logging event link-status default
logging event trunk-status default



SNMPV2

! SNMPv2c community strings map to roles: network-admin is read-write, network-operator read-only.
! The strings are placeholders and travel in clear text; prefer SNMPv3 (auth/priv), or at least bind each
! community to an ACL that limits it to the NMS (the keyword is use-acl or use-ipv4acl depending on release)
snmp-server community RHG-SNMP-RW group network-admin
! specify SNMP RO community string
snmp-server community RHG-SNMP-RO group network-operator

! specify SNMP location and contact info
snmp-server location TRACY, CA
snmp-server contact ROUTEHUB

! trap receiver (NX-OS syntax: traps | informs, version 2c). A trap puts the community on the wire, so use the
! read-only community here rather than exposing the write string
snmp-server host 192.168.10.10 traps version 2c RHG-SNMP-RO
! specify SNMP traps to send (e.g. link state info)
snmp-server enable traps link

TELNET

! enable Telnet (clear-text credentials; leave it disabled and use SSH unless a legacy tool requires it)
feature telnet

VTY

line vty
! cap concurrent Telnet/SSH sessions at 15
session-limit 15
! idle Telnet/SSH sessions time out after 15 minutes
exec-timeout 15

AAA AND TACACS+

! enable TACACS+
feature tacacs+
! disable Telnet (recommended)
no feature telnet

! specify TACACS+ key shared with TACACS server


tacacs-server key 0 Cisco123
! specify IP of TACACS server
tacacs-server host 192.168.10.10
tacacs-server directed-request

! AAA group enabled for TACACS+


aaa group server tacacs+ RHG-AAA
! list TACACS server
server 192.168.10.10
! TACACS+ communication should use the management context
use-vrf management



! user login: try the TACACS+ group first and fall back to the local user database only if no server answers
aaa authentication login default group RHG-AAA local
! same method list for the console port
aaa authentication login console group RHG-AAA local
! send session and command accounting records to TACACS+
aaa accounting default group RHG-AAA
! show the reason a login failed
aaa authentication login error-enable

AAA AND RADIUS

! enable RADIUS
feature radius

! define RADIUS server IP and shared key ("0" = key typed in clear text; "7" would expect an already-encrypted string)
radius-server host 192.168.10.10 key 0 Cisco123 authentication accounting

! AAA group enabled for RADIUS


aaa group server radius RHG-RADIUS
! list RADIUS server
server 192.168.10.10
! RADIUS communication should use the management context
use-vrf management

! user login: try the RADIUS group first and fall back to the local user database only if no server answers
aaa authentication login default group RHG-RADIUS local
! same method list for the console port
aaa authentication login console group RHG-RADIUS local
! enable RADIUS accounting on Nexus switch
aaa accounting default group RHG-RADIUS

ROLE BASED ACCESS CONTROL (RBAC)

! create user for network-admin role (RW access); the passwords are placeholders, NX-OS stores them hashed
username rootadmin password Cisco123 role network-admin
! create user for network-operator role (RO access)
username opsadmin password Cisco456 role network-operator
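The management-plane settings above (Telnet, SNMP communities, AAA method lists, syslog level, VTY timeouts) are the ones most often found wrong in an audit. As an added example that is not part of the guide, here is a small linter that scans NX-OS running-config text for those weak choices and reports them by line number. The config it scans is constructed sample input; the checks are heuristics written for this page, not a Cisco tool.

```python
"""Static checks for the management-plane configuration in this section.

Added example, not part of the guide: a small linter for NX-OS
running-config text. The config is constructed sample input; findings
come back as (line_number, message) tuples so they can be fed to a
ticketing or CI step. Checks: Telnet enabled, an SNMPv2c community with
network-admin (RW) rights, a RW community reused as the trap community,
'key 7' followed by a value that also appears as a 'key 0' plaintext
key, AAA login method lists without 'local' fallback, syslog at level
7, and exec-timeout 0.
"""
import re

SAMPLE_CONFIG = """\
feature telnet
snmp-server community RHG-SNMP-RW group network-admin
snmp-server community RHG-SNMP-RO group network-operator
snmp-server host 192.168.10.10 traps version 2c RHG-SNMP-RW
radius-server host 192.168.10.10 key 7 Cisco123 authentication accounting
tacacs-server key 0 Cisco123
aaa authentication login default group RHG-AAA
aaa authentication login console group RHG-AAA local
logging server 192.168.10.10 7 use-vrf management
line vty
  exec-timeout 0
"""


def lint_config(text):
    """Return a list of (line_number, message) findings for `text`."""
    rw_communities = set(
        re.findall(r"^snmp-server community (\S+) group network-admin\s*$", text, re.M)
    )
    plaintext_keys = set(re.findall(r"\bkey 0 (\S+)", text))
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "feature telnet":
            findings.append((n, "Telnet enabled: credentials cross the network in clear text; use SSH only"))
        if re.match(r"snmp-server community \S+ group network-admin", line):
            findings.append((n, "SNMPv2c community with network-admin (RW) rights; prefer SNMPv3 or bind it to an ACL"))
        m = re.match(r"snmp-server host \S+ (?:traps|informs) version \S+ (\S+)", line)
        if m and m.group(1) in rw_communities:
            findings.append((n, f"trap community {m.group(1)} carries network-admin (RW) rights"))
        m = re.match(r"(?:radius-server|tacacs-server) .*\bkey 7 (\S+)", line)
        if m and m.group(1) in plaintext_keys:
            findings.append((n, "'key 7' expects an already-encrypted string but this value is a plaintext key elsewhere; use 'key 0'"))
        if line.startswith("aaa authentication login") and " group " in line and not line.endswith(" local"):
            findings.append((n, "AAA login method list has no 'local' fallback; lockout if the AAA servers are unreachable"))
        if re.match(r"logging server \S+ 7\b", line):
            findings.append((n, "syslog export at level 7 (debugging) floods the collector; level 6 is the usual ceiling"))
        if re.match(r"exec-timeout 0\b", line):
            findings.append((n, "exec-timeout 0 never expires idle sessions"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {msg}")
```

Feed it `show running-config` output captured over SSH and diff the findings between releases; a check that is not wanted on a given platform is one regex to delete.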



CONFIGURATION ROLLBACK

! create checkpoint for the current configuration on the Nexus


checkpoint Initial

! to rollback to the configuration in the "Initial" checkpoint


rollback running-config checkpoint Initial

! create checkpoint of current config and save it to the bootflash


checkpoint file bootflash:RHG_Checkpoint01

! to rollback to the configuration to the checkpoint located in the bootflash


rollback running-config file bootflash:RHG_Checkpoint01

! view current checkpoints created on the Nexus


show checkpoint summary

LINE CARD ID

* Used for identifying the line module in the Nexus chassis

! turn on blue ID LED for the module in slot 1.


locator-led module 1

! disable blue ID LED for the module in slot 1


no locator-led module 1

SYSTEM SWITCHOVER

! to switchover to the redundant supervisor


system switchover



FABRIC EXTENDERS (NX -5000)

USING STATIC PINNING

Topology: NX-5000 e1/10 and e1/11 connect to one NX-2000 (FEX 100), each link statically pinned.

* Configured on the NX-5000

! enable the FEX feature before any fex configuration
feature fex

! create virtual fex group
fex 100
! specify the number of links to the NX-2000 switches
pinning max-links 2
! configure a useful description
description Fabric Extender to NX-2000-1
! define the NX-2000 model connecting to the NX-5000
type N2148T

interface Ethernet1/10
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 100

interface Ethernet1/11
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 100

show fex
show interface ethernet x/y fex-intf



USING PORT CHANNEL

Topology: NX-5000 port-channel 101 (e1/10, e1/11) connects to one NX-2000 (fex 101).

* Configured on the NX-5000

! enable the FEX feature before any fex configuration
feature fex

! create virtual fex group


fex 101
! specify the number of links to the NX-2000 switches ; for the port channel
pinning max-links 1
! configure a useful description
description Fabric Extender to NX-2000-1

! configure port channel


interface port-channel 101
! enable port channel as a fabric extender port
switchport mode fex-fabric
! associate port channel to fex group created
fex associate 101

interface Ethernet1/10
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 101
! associate interface to port channel group
channel-group 101

interface Ethernet1/11
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 101
! associate interface to port channel group
channel-group 101

show fex
show interface ethernet x/y fex-intf



ADVANCED SERVICES

VPC

Topology: NX-1 (Primary) and NX-2 (Secondary). vPC keepalive: L3 port-channel 10 over e1/1-2, 10.1.1.0/30 (NX-1 .1, NX-2 .2). vPC peer-link: L2 port-channel 11 over e1/3-4. Downstream vPC 201: e3/1 on each peer toward the L2 access switch.

>>NX-1<<
! enable vPC
feature vpc

! configure VRF instance for vPC keepalive link


vrf context vpc-keepalive

! specify interfaces used for the VPC keepalive link


interface e1/1-2
no switchport
! specify channel group and mode (ON) for L3 port channel
channel-group 10
no shutdown

! L3 port-channel for VPC keepalive link


interface port-channel 10
! interface assigned to the VRF instance "vpc-keepalive"
vrf member vpc-keepalive
ip address 10.1.1.1 255.255.255.252

! configure VPC domain using ID of "10"


vpc domain 10
! vPC role election: the lower role priority wins the primary role (default 32667)
role priority 8192
! configure the VPC peers within the domain in VRF "vpc-keepalive"
peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf vpc-keepalive



! specify interface(s) used for vPC peer-link
interface e1/3-4
switchport
channel-group 11 mode active

! L2 Port channel for the VPC peer-link


interface port-channel 11
! enable trunking
switchport mode trunk
! specify that the port-channel is used for the VPC peer-link
vpc peer-link

! interface(s) connecting to L2 Access switch


interface e3/1
switchport
! add to L2 Port channel group 201
channel-group 201 mode active

! L2 port-channel to L2 access switch


interface port-channel 201
switchport
switchport trunk native vlan 999
switchport trunk allowed vlan 10
switchport mode trunk
! associate port channel as a VPC member
vpc 201

>>NX-2<<
! enable vPC
feature vpc

! configure VRF instance for vPC keepalive link


vrf context vpc-keepalive

! configure L3 port channel used for the VPC keepalive link


interface e1/1-2
no switchport
! specify channel group and mode (ON) for L3 port channel
channel-group 10
no shutdown

! L3 port-channel for VPC keepalive link


interface port-channel 10
! interface assigned to the VRF instance "vpc-keepalive"
vrf member vpc-keepalive
ip address 10.1.1.2 255.255.255.252



! configure VPC domain using ID of "10"
vpc domain 10
! a higher role priority than NX-1 makes this switch the secondary (default 32667)
role priority 16384
! configure the VPC peers within the domain in VRF "vpc-keepalive"
peer-keepalive destination 10.1.1.1 source 10.1.1.2 vrf vpc-keepalive

! specify interface(s) used for vPC peer-link


interface e1/3-4
switchport
channel-group 11 mode active

! L2 Port channel for the VPC peer-link


interface port-channel 11
! enable trunking
switchport mode trunk
! specify that the port-channel is used for the VPC peer-link
vpc peer-link

! interface(s) connecting to L2 Access switch


interface e3/1
switchport
! add to L2 Port channel group 201
channel-group 201 mode active

! L2 port-channel to L2 access switch


interface port-channel 201
switchport
switchport trunk native vlan 999
switchport trunk allowed vlan 10
switchport mode trunk
! associate port channel as a VPC member
vpc 201

show hardware feature-capability


show vpc <id>
show vpc brief
show vpc peer-keepalive



VDC

Topology: NX-1 (hostname RHG) with a second virtual device context, VDC2, owning e4/1, e7/1 and e7/3.

! hostname on Nexus
hostname RHG

! create a new virtual context from the hostname


vdc RHG.VDC2
! add interfaces to new virtual context
allocate interface ethernet 4/1, ethernet 7/1, ethernet 7/3

! accessing the virtual context


switchto vdc RHG.VDC2

! connect back to main context (VDC1)


switchback

! view ports associated to virtual context
show vdc RHG.VDC2 membership

! view existing virtual contexts


show vdc



JUMBO FRAME SUPPORT FOR NEXUS 5000 SERIES

* Required for NX 5000 series

! configure policy for Jumbo frames


policy-map type network-qos jumbo
! class map defining any traffic
class type network-qos class-default
! define jumbo frame MTU size
mtu 9216

! enable Jumbo frame support


system qos
service-policy type network-qos jumbo

JUMBO FRAME SUPPORT FOR NEXUS 7000 SERIES

* Required for NX 7000 series

! raise the system-wide maximum MTU; each L3 interface that should carry jumbo frames still needs its own "mtu 9216"
system jumbomtu 9216



OTV

Topology: NX-1 and NX-2 each host vlan10 (192.168.10.0/24, .1) and vlan11 (192.168.11.0/24, .1) at their own site; e1/1 on each is the join interface into the IP WAN (10.1.1.0/30, NX-1 .1, NX-2 .2); VLAN 100 is the OTV site VLAN.

* Requires the Transport Services license

! interface connected into the IP WAN ; the OTV join interface


interface ethernet 1/1
ip address 10.1.1.1/30
! enable IGMPv3
ip igmp version 3
no shutdown

! define VLANs for Server Farms


vlan 10-11
! define VLAN for the OTV site VLAN
vlan 100

! enable OTV
feature otv

! specify the VLAN used for the site VLAN


otv site-vlan 100

! configure OTV interface


interface Overlay1
! define mcast group address used by the OTV control plane
otv control-group 239.1.1.1
! define mcast group prefixes (SSM) used for mcast data traffic
otv data-group 232.1.1.0/28
! define the OTV join interface
otv join-interface ethernet 1/1
! VLAN tags that should be extended
otv extend-vlan 10-11
no shutdown



show otv
show otv overlay
show otv adjacency
show otv site
show otv vlan
show otv arp
show mac address-table



WAN AND INTERNET EDGE
BACK

WAN AND INTERNET EDGE ................................................................................................................................ 382
ACCESS CONNECTIONS AND PROTOCOLS .........................................................................................................................382

ACCESS CONNECTIONS AND PROTOCOLS


DS3 .....................................................................................................................................................................383
Serial DS3 ......................................................................................................................................................................... 383
HSSI .................................................................................................................................................................................. 383
T-1 ......................................................................................................................................................................384
Serial T-1 (i) ...................................................................................................................................................................... 384
Serial T-1 (ii) ..................................................................................................................................................................... 384
T1 using CAS .................................................................................................................................................................... 385
ATM ...................................................................................................................................................................386
ATM PVC .......................................................................................................................................................................... 386
T-3 MUX ........................................................................................................................................................................... 387
Packet Over Sonet (POS) for OC-3 and OC-12 ................................................................................................................. 388
Cellular ...............................................................................................................................................................389
3G Wireless Card in Cisco Router .................................................................................................................................... 389
Bundles ..............................................................................................................................................................390
MLPPP.............................................................................................................................................................................. 390
MLPPP using Cisco IOS 12.1 ............................................................................................................................................. 391
Frame Relay .......................................................................................................................................................392
Frame Relay Maps ........................................................................................................................................................... 392
Frame Relay Point-to-Point ............................................................................................................................................. 392
Frame Relay Multi-Link (MFR) ......................................................................................................................................... 393
PPP over Frame Relay ...................................................................................................................................................... 394
PPPoE .................................................................................................................................................................395
PPPoE on Cisco IOS (Ethernet) ......................................................................................................................... 395
PPPoE on Cisco IOS (ATM) ............................................................................................................................... 396
PPPoE on Cisco IOS (for ADSL) ......................................................................................................................... 397
PPPoE Server and Client Cisco IOS ................................................................................................................... 398

Configuration Reference Guide | WAN and Internet Edge 382


DS3

SERIAL DS3

Topology: router with LAN 192.168.10.0/24 (.1) and DS3 WAN address 1.1.1.1 toward the remote 6.7.7.0/24.

! serial DS3+ port adapter in a Cisco 7200 series router


interface serial 1/0
ip address 1.1.1.1 255.255.255.252
encapsulation ppp
framing c-bit
cablelength 50
dsu bandwidth 44210
clock source internal
serial restart-delay 0

HSSI

Topology: router with LAN 192.168.10.0/24 (.1) and HSSI WAN address 1.1.1.1 toward the remote 6.7.7.0/24.

interface Hssi1/0
ip address 1.1.1.1 255.255.255.0
! specify correct encapsulation to use
encapsulation ppp
serial restart-delay 0



T-1

SERIAL T-1 (I)

Topology: router with LAN 192.168.10.0/24 (.1) and T1 WAN address 1.1.1.1 toward the remote 6.7.7.0/24.

* Integrated CSU/DSU T1 module

interface Serial0/1
ip address 1.1.1.1 255.255.255.0
! specify encapsulation to use
encapsulation ppp
fair-queue
! specify T1 clock source
service-module t1 clock source internal
! specify number of T1 channels (up to 24 channels)
service-module t1 timeslots 1-24

SERIAL T-1 (II)

Topology: router with LAN 192.168.10.0/24 (.1) and T1 WAN address 1.1.1.1 toward the remote 6.7.7.0/24.

* Integrated CSU/DSU T1 module

! T1-E1 module located in slot 0, wic 0


! specify that we will be using T1 instead of E1
card type t1 0 0

network-clock-participate wic 0
network-clock-select 1 T1 0/0/0

! T1 integrated with CSU/DSU


controller T1 0/0/0
! specify framing and linecode (defaults)
framing esf
linecode b8zs
clock source line primary
! define channel group id of "0" and the number timeslots of the T1 circuit (up to 24)
channel-group 0 timeslots 1-24



! Serial T1 interface created from the controller and channel group id of "0"
interface Serial0/0/0:0
ip address 1.1.1.1 255.255.255.0
encapsulation ppp

T1 USING CAS

controller T1 1/0
framing esf
linecode b8zs
! enables CAS for digital signaling for T1 circuit
ds0-group 0 timeslots 1-4 type e&m-wink-start



ATM

ATM PVC

Topology: R1 with three point-to-point PVCs on one ATM OC-3 card: ATM2/0.1 10.1.1.1/30 to peer 10.1.1.2/30, ATM2/0.2 10.1.2.1/30 to peer 10.1.2.2/30, ATM2/0.3 10.1.3.1/30 to peer 10.1.3.2/30.

! ATM OC-3 interface


interface ATM2/0
no ip address
no ip directed-broadcast
load-interval 30
no atm ilmi-keepalive
no atm enable-ilmi-trap

! sub-interface for a 1Mbps PVC to a remote peer


interface ATM2/0.1 point-to-point
ip address 10.1.1.1 255.255.255.252
no ip directed-broadcast
no atm enable-ilmi-trap
! create PVC and specify the VPI & VCI (2, 300) to use
pvc Peer1 2/300
! PVC to remote peer will to be traffic shaped to 1Mbps
vbr-nrt 1000 1000

! sub-interface for a 50Mbps PVC to a remote peer


interface ATM2/0.2 point-to-point
ip address 10.1.2.1 255.255.255.252
no ip directed-broadcast
no atm enable-ilmi-trap
! create PVC and specify the VPI & VCI (2, 100) to use
pvc Peer2 2/100
! PVC to remote peer will to be traffic shaped to 50Mbps
vbr-nrt 50000 50000

! sub-interface for a 512Kbps PVC to a remote peer


interface ATM2/0.3 point-to-point



bandwidth 512
ip address 10.1.3.1 255.255.255.252
no ip directed-broadcast
! create PVC and specify the VPI & VCI (20, 9) to use
pvc Peer3 20/9
! PVC to remote peer will to be traffic shaped to 512Kbps
vbr-nrt 512 512

show atm pvc


show atm map

T-3 MUX

Topology: AGG-1 terminates one T3 (28 T1s) through a MUX; each T1 is a /30 to one client router: R1 10.1.1.1/10.1.1.2, R2 10.1.2.1/10.1.2.2, ... R28 10.1.28.1/10.1.28.2.

* Cisco 7200 with T3 MUX module, ver 12.2

! T3 MUX interface in slot 6


controller T3 6/0
! specify the framing and line source
framing m23
clock source line
! create 28 T1 circuit interfaces from the T3
t1 1 channel-group 0 timeslots 1-24
t1 2 channel-group 0 timeslots 1-24
...
t1 28 channel-group 0 timeslots 1-24
! specify the line source for the T1 circuits previously created
t1 1 clock source Line
t1 2 clock source Line
...
t1 28 clock source Line

! T1 interface (channel group 1) from T3 connecting to Client 1's equipment


interface Serial6/0/1:0
description Client 1
ip address 10.1.1.1 255.255.255.252



! T1 interface (channel group 2) from T3 connecting to Client 2's equipment
interface Serial6/0/2:0
description Client 2
ip address 10.1.2.1 255.255.255.252

.....

! T1 interface (channel group 28) from T3 connecting to Client 28's equipment


interface Serial6/0/28:0
description Client 28
ip address 10.1.28.1 255.255.255.252

PACKET OVER SONET (POS) FOR OC-3 AND OC-12

Topology: router with LAN 192.168.10.0/24 (.1) and POS WAN address 1.1.1.1 toward the remote 6.7.7.0/24.

interface POS4/0
description OC-12
bandwidth 622000
ip address 1.1.1.1 255.255.255.0
crc 16

OR

interface POS4/0
description OC-3
bandwidth 155000
ip address 1.1.1.1 255.255.255.0
crc 16



CELLULAR

3G WIRELESS CARD IN CISCO ROUTER

Topology: router with LAN 192.168.10.0/24 (.1) and a 3G cellular WAN interface whose address is assigned by the carrier, toward the remote 6.7.7.0/24.

! define chat script


chat-script cdma "" "ATDT#777" TIMEOUT 60 "CONNECT"

! standard ACL matching any traffic
access-list 10 permit any
! dialer-list 1 treats IP traffic matching ACL 10 as "interesting" (referenced by dialer-group 1 on the interface)
dialer-list 1 protocol ip list 10

! interface for 3G card


interface Cellular0/0/0
! IP address will be assigned once authenticated
ip address negotiated
! enable PPP
encapsulation ppp
dialer in-band
dialer idle-timeout 0
! associate chat script
dialer string cdma
! associate dialer-list
dialer-group 1
async mode interactive
! configure the password "cisco"
ppp chap password cisco

! configure default gateway through 3G interface


ip route 0.0.0.0 0.0.0.0 Cellular0/0/0

! additional 3G interface configuration


line 0/0/0
exec-timeout 0 0
script dialer cdma
modem InOut
no exec
transport input all
rxspeed 3100000
txspeed 1800000

! to view all operating conditions and status of 3G card


show cellular 0/0/0 all



BUNDLES

MLPPP

Topology: router with LAN 192.168.10.0/24 (.1) and MLPPP bundle address 1.1.1.1 toward the remote 6.7.7.0/24.

! configure Multlink interface


interface Multilink1
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
! enable Multi-Link PPP (MLPPP)
ppp multilink
! create and associate to group 1
ppp multilink group 1

interface Serial0/0/0:0
no ip address
! enable PPP encapsulation
encapsulation ppp
! enable MLPPP and add to group 1
ppp multilink
ppp multilink group 1

interface Serial0/0/1:0
no ip address
! enable PPP encapsulation
encapsulation ppp
! enable MLPPP and add to group 1
ppp multilink
ppp multilink group 1



MLPPP USING CISCO IOS 12.1

Topology: router with LAN 192.168.10.0/24 (.1) and MLPPP bundle address 1.1.1.1 toward the remote 6.7.7.0/24.

! configure Multlink interface


interface Multilink1
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
! enable Multi-Link PPP (MLPPP)
ppp multilink
! create and associate to group 1
multilink-group 1

interface Serial0
no ip address
! enable PPP encapsulation
encapsulation ppp
no fair-queue
! enable MLPPP
ppp multilink
! add to group 1
multilink-group 1

interface Serial1
no ip address
! enable PPP encapsulation
encapsulation ppp
no fair-queue
! enable MLPPP
ppp multilink
! add to group 1
multilink-group 1



FRAME RELAY

FRAME RELAY MAPS

Topology: WAN Branch (2.2.2.2, 10.1.1.2, local DLCI 200) <- Frame Relay WAN -> WAN Aggregation (1.1.1.1, 10.1.1.1, local DLCI 100), link subnet 10.1.1.0/24.

interface Serial0/0
ip address 10.1.1.1 255.255.255.0
! enable Frame Relay
encapsulation frame-relay IETF
! configure OSPF network for NBMA Frame relay network
ip ospf network point-to-multipoint
! define Frame relay map to destination router using local DLCI of 100
frame-relay map ip 10.1.1.2 100 broadcast
! disable Inverse-ARP for Frame Relay
no frame-relay inverse-arp
! specify LMI type of ANSI
frame-relay lmi-type ansi

router ospf 1
! wildcard matches the /24 configured on Serial0/0
network 10.1.1.0 0.0.0.255 area 0

FRAME RELAY POINT-TO-POINT

Topology: WAN Branch (2.2.2.2, 10.1.1.2, local DLCI 200) <- Frame Relay WAN -> WAN Aggregation (1.1.1.1, 10.1.1.1, local DLCI 100).

>> WAN Aggregation <<


interface Serial0/0/0
no ip address
! enable Frame Relay
encapsulation frame-relay IETF
! specify LMI type
frame-relay lmi-type ansi

! create Frame Relay point-to-point interface


interface Serial0/0/0.100 point-to-point
ip address 10.1.1.1 255.255.255.252
! specify local DLCI of 100
frame-relay interface-dlci 100

router ospf 1
network 10.1.1.0 0.0.0.3 area 0



FRAME RELAY MULTI-LINK (MFR)

Topology: router with LAN 192.168.10.0/24 (.1) and MFR bundle address 1.1.1.1 toward the remote 6.7.7.0/24.

! configure the Multi-link Frame relay interface


interface MFR0
no ip address
! enable frame relay
encapsulation frame-relay IETF
frame-relay multilink bid test
! specify Frame relay LMI type
frame-relay lmi-type ansi

interface MFR0.100 point-to-point


ip address 1.1.1.1 255.255.255.0
! specify frame relay local DLCI
frame-relay interface-dlci 100 IETF

! associate two serial T1 interfaces to MFR group to be bundled


interface Serial0/0/0:0
no ip address
encapsulation frame-relay MFR0
no arp frame-relay
frame-relay multilink lid link1

interface Serial0/0/1:0
no ip address
encapsulation frame-relay MFR0
no arp frame-relay
frame-relay multilink lid link2



PPP OVER FRAME RELAY

Topology: router with LAN 192.168.10.0/24 (.1) and a WAN address negotiated over PPP toward the remote 6.7.7.0/24.

interface Serial0/0/0
ip address 1.1.1.1 255.255.255.0
! enable Frame relay
encapsulation frame-relay IETF
! configure T1 and timeslots
service-module t1 timeslots 1-24
service-module t1 fdl both
! specify Frame relay LMI type
frame-relay lmi-type ansi

interface Serial0/0/0.1 point-to-point


! specify local DLCI (100) & enable PPPoFR using Virtual Template interface
frame-relay interface-dlci 100 ppp Virtual-Template1

interface Virtual-Template1
! IP negotiated once authenticated
ip address negotiated
! configure CHAP username and password
ppp chap hostname user@realm
ppp chap password 0 cisco123
! PPP IPCP configuration
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept

! default gateway
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1



PPPOE

PPPOE ON CISCO IOS (ETHERNET)

Topology: router with LAN 192.168.10.0/24 (.1) and a WAN address negotiated over PPPoE toward the remote 6.7.7.0/24.

! WAN facing interface


interface FastEthernet4
no ip address
! enable PPPoE on interface
pppoe enable
! use dialer interface #1 for PPP details
pppoe-client dial-pool-number 1

! LAN facing interface


interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
! clamp TCP MSS so LAN hosts never send segments that exceed the 1492-byte PPPoE MTU (avoids black-holed TCP flows)
ip tcp adjust-mss 1452

! interface PPPoE connection


interface Dialer1
! IP address will be assigned upon successful login
ip address negotiated
ip mtu 1492
ip nat outside
! enable PPP
encapsulation ppp
dialer pool 1
! enable CHAP and PAP authentication protocols for PPP
ppp authentication chap pap callin
! specify username and password for PPPoE account if it is using PAP
ppp pap sent-username user1 password cisco123
! specify username and password for PPPoE account if it us using CHAP
ppp chap hostname user1
ppp chap password cisco123

! configure default gateway through dialer interface


ip route 0.0.0.0 0.0.0.0 dialer 1



PPPOE ON CISCO IOS (ATM)

[Topology diagram: LAN 192.168.10.0/24 (router .1) -- WAN 6.7.7.0/24 (WAN address assigned automatically)]

! WAN facing interface
interface ATM 0
no ip address
dsl operating-mode auto
! specify PVC details provided from the DSL provider
pvc 8/35
no shutdown
! use dialer interface #1 for PPP details
pppoe-client dial-pool-number 1

! LAN facing interface
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside

! interface for PPPoE connection
interface Dialer1
! IP address will be assigned upon successful login
ip address negotiated
ip mtu 1492
ip nat outside
! enable PPP
encapsulation ppp
dialer pool 1
! enable CHAP and PAP authentication for PPP
ppp authentication chap pap callin
! specify username and password for PPPoE account if it is PAP
ppp pap sent-username user1 password cisco123
! specify username and password for PPPoE account if it is CHAP
ppp chap hostname user1
ppp chap password cisco123

! configure default gateway through dialer interface
ip route 0.0.0.0 0.0.0.0 dialer 1



PPPOE ON CISCO IOS (FOR ADSL)

[Topology diagram: LAN 192.168.10.0/24 (router .1) -- WAN 6.7.7.0/24 (WAN address assigned automatically)]

* configured on a Cisco 877 ADSL router

! WAN facing interface
interface ATM0/2/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
! specify PVC details provided from the DSL provider
pvc 0/38
! PPP is carried directly inside the ATM PVC (aal5mux), so no pppoe-client command is needed here
encapsulation aal5mux ppp dialer
! use dialer interface #1 for PPP details
dialer pool-member 1

! interface for PPPoE connection
interface Dialer1
! IP address will be assigned upon successful login
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
! enable CHAP authentication for PPP
ppp authentication chap callin
! specify username and password for PPPoE account if it is enabled for CHAP
ppp chap hostname user1
ppp chap password cisco123

! configure default gateway through dialer interface
ip route 0.0.0.0 0.0.0.0 dialer 1



PPPOE SERVER AND CLIENT CISCO IOS

[Topology diagram: PPPoE Server FE0/0 10.1.1.1/30 -- PPPoE -- Client FE0/0 (dynamic address); Client FE0/1 .1 on 192.168.20.0/24; PPPoE pool 192.168.11.10 - 192.168.11.19]

>> PPPoE Server <<

hostname pppoe-server

! IP address pool for PPPoE authenticated users
ip local pool pppoe-pool 192.168.11.10 192.168.11.19

! local PPPoE account
username michel password cisco

! enable VPDN
vpdn enable
no vpdn logging

! VPDN group to allow PPPoE and the virtual interface to use
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1

! interface connected to PPPoE enabled devices
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
! PPPoE enabled
pppoe enable
no ip mroute-cache
no shutdown

! virtual interface for PPPoE
interface virtual-template 1
! borrow the IP address configured on interface FastEthernet0/0
ip unnumbered FastEthernet0/0
mtu 1492
! associate the IP address pool to use for authenticated PPPoE clients
peer default ip address pool pppoe-pool
! enable PAP authentication (PAP sends the password in cleartext; use CHAP where the clients support it)
ppp authentication pap

ip classless
no ip http server

ip route 0.0.0.0 0.0.0.0 192.168.10.1

Monitor:
show vpdn
show ip interface brief
show ip address outside pppoe
show vpdn tunnel pppoe
show vpdn session pppoe
show vpdn pppinterface
show vpdn group
show vpdn username

>> PPPoE Client on a Cisco Router <<

hostname pppoe-client

! enable VPDN
vpdn enable
no vpdn logging

! VPDN group for PPPoE
vpdn-group 1
! specify dialin method to use (request-dialin)
request-dialin
protocol pppoe

! LAN facing interface configuration
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
ip nat inside

! ACL listing LAN subnet
access-list 1 permit 192.168.20.0 0.0.0.255

! define dialer list to permit any IP traffic to use the dialer interface
dialer-list 1 protocol ip permit

! create dialer interface for building PPPoE connection
interface Dialer1
! IP address will be assigned dynamically from PPPoE server
ip address negotiated
ip nat outside
ip mtu 1492
! enable PPP
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
! specify PAP authentication
ppp authentication pap callin
! specify account to use for PPP PAP authentication
ppp pap sent-username michel password cisco

! WAN facing interface
interface FastEthernet0/0
no ip address
! enable PPPoE on WAN interface
pppoe enable
! use the configuration on interface dialer1 for building PPPoE connection
pppoe-client dial-pool-number 1

ip classless
no ip http server

! NAT Overload (PAT) configuration using the IP assigned to the dialer interface
ip nat inside source list 1 interface Dialer1 overload

! default gateway pointing to the PPPoE server through the dialer1 interface
ip route 0.0.0.0 0.0.0.0 dialer1
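All of the PPPoE sections above depend on the discovery exchange (PADI, PADO, PADR, PADS) that runs before PPP and CHAP/PAP authentication start. The following Python example is added here and is not part of the guide or of Cisco IOS: it encodes and decodes RFC 2516 discovery payloads, checks that an offer echoes the Host-Uniq the client sent, and flags an AC-Name that is not the expected access concentrator. The frames, the AC name "pppoe-server" and the allow-list are constructed for the example.

```python
import struct

# PPPoE discovery stage, RFC 2516: EtherType 0x8863, version 1, type 1
PPPOE_VER_TYPE = 0x11
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {
    0x0000: "End-Of-List",
    0x0101: "Service-Name",
    0x0102: "AC-Name",
    0x0103: "Host-Uniq",
    0x0104: "AC-Cookie",
    0x0201: "Service-Name-Error",
    0x0203: "Generic-Error",
}
TAG_BY_NAME = {v: k for k, v in TAGS.items()}


def build_pppoe(code, session_id, tags):
    """Encode a PPPoE discovery payload: 6-byte header followed by TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(body)) + body


def parse_pppoe(payload):
    """Decode a PPPoE discovery payload, validating every length field."""
    if len(payload) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    body = payload[6:6 + length]
    if len(body) != length:
        raise ValueError("payload shorter than declared length")
    tags, pos = [], 0
    while pos + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + tag_len > len(body):
            raise ValueError("tag runs past end of payload")
        tags.append((TAGS.get(tag_type, "0x%04x" % tag_type), body[pos:pos + tag_len]))
        pos += tag_len
        if tag_type == 0x0000:
            break
    return {"code": CODES.get(code, "0x%02x" % code), "session_id": session_id, "tags": tags}


def unexpected_ac_names(pado, expected):
    """Detection helper: AC-Name values in a PADO that are not on the allow-list.
    A client should only see offers from its provider's access concentrator."""
    names = [v.decode("utf-8", "replace") for name, v in pado["tags"] if name == "AC-Name"]
    return [n for n in names if n not in expected]


def host_uniq_matches(reply, sent):
    """True if the reply echoes the Host-Uniq we sent (rejects unsolicited or mismatched offers)."""
    return any(name == "Host-Uniq" and v == sent for name, v in reply["tags"])


# Constructed sample frames (not captured traffic); Host-Uniq ties the replies to our PADI
HOST_UNIQ = b"\x00\x00\x00\x2a"
PADI = build_pppoe(0x09, 0, [(TAG_BY_NAME["Service-Name"], b""), (TAG_BY_NAME["Host-Uniq"], HOST_UNIQ)])
PADO = build_pppoe(0x07, 0, [
    (TAG_BY_NAME["Service-Name"], b""),
    (TAG_BY_NAME["AC-Name"], b"pppoe-server"),       # assumed access concentrator name
    (TAG_BY_NAME["AC-Cookie"], b"\x1f\x2e\x3d\x4c"),
    (TAG_BY_NAME["Host-Uniq"], HOST_UNIQ),
])
PADS = build_pppoe(0x65, 0x0001, [(TAG_BY_NAME["Service-Name"], b""), (TAG_BY_NAME["Host-Uniq"], HOST_UNIQ)])

if __name__ == "__main__":
    for frame in (PADI, PADO, PADS):
        print(parse_pppoe(frame))
```

Run it against raw PPPoE payloads (the bytes after the Ethernet header of frames with EtherType 0x8863) taken from a packet capture on the client's WAN segment. A PADO whose AC-Name is not your provider's, or that does not echo your Host-Uniq, indicates another PPPoE server answering on that segment.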



BEST PRACTICES

BEST PRACTICES ................................................................................................................................................. 401


Link Debounce and Carrier-Delay .................................................................................................................................... 401
IP Event Dampening ........................................................................................................................................................ 401
Interfaces (L3) .................................................................................................................................................................. 401
Interfaces (L2) .................................................................................................................................................................. 402
IP Unicast RPF (uRPF) ....................................................................................................................................... 402

LINK DEBOUNCE AND CARRIER-DELAY

interface GigabitEthernet1/1
! ensures no additional delay in the notification of a down link for interface
carrier-delay msec 0

! view link debounce status and timer (in msec)
show interfaces GigabitEthernet1/1 debounce

IP EVENT DAMPENING

Controls the rate at which interface state changes are propagated to the routing
protocols when a link flaps. This should be enabled on all L3 interfaces on the
LAN/Campus network.

interface GigabitEthernet1/1
dampening

INTERFACES (L3)

Recommended configuration to apply under an interface

interface GigabitEthernet1/1
no ip redirects
no ip unreachables
no ip proxy-arp



INTERFACES (L2)

interface GigabitEthernetX/Y
description L2 port
switchport
carrier-delay msec 0

IP UNICAST RPF (URPF)

Helps defend against source-address spoofing: in strict mode the router drops a packet
whose source address is not reachable back through the interface the packet arrived on.

interface GigabitEthernet1/1
description Untrusted facing interface
ip verify unicast reverse-path
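To make the strict/loose distinction concrete, here is an added Python model of the reverse-path check (example code, not from the guide or from IOS): it does a longest-prefix lookup on a constructed FIB and, in strict mode, accepts a packet only if the best route back to its source leaves through the interface it arrived on. Interface names, prefixes and the sample packets are assumptions.

```python
import ipaddress

# Constructed FIB for an edge router: (prefix, outgoing interface). Names are assumptions.
FIB = [
    ("192.168.10.0/24", "GigabitEthernet1/2"),   # inside LAN
    ("192.168.20.0/24", "GigabitEthernet1/2"),
    ("10.99.100.0/30", "GigabitEthernet1/3"),    # point-to-point link
    ("0.0.0.0/0", "GigabitEthernet1/1"),         # default route out the untrusted interface
]


def lookup(fib, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return True if a packet from src arriving on ingress passes uRPF.

    strict: the best route back to src must leave through the ingress interface
            (ip verify unicast reverse-path, i.e. source reachable-via rx)
    loose:  any route back to src is enough (source reachable-via any)
    The default route only counts when allow_default is set (IOS 'allow-default')."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


# Constructed packets: (source address, ingress interface)
PACKETS = [
    ("192.168.10.5", "GigabitEthernet1/1"),   # internal source arriving from outside: spoofed
    ("192.168.10.5", "GigabitEthernet1/2"),   # same source arriving from the LAN side: legitimate
    ("203.0.113.9", "GigabitEthernet1/1"),    # Internet source on the untrusted interface
]


def evaluate(packets, fib=FIB, **options):
    """Apply urpf_check to each packet; True means forwarded, False means dropped."""
    return [(src, ingress, urpf_check(fib, src, ingress, **options)) for src, ingress in packets]


if __name__ == "__main__":
    for row in evaluate(PACKETS, allow_default=True):
        print(row)
```

The 203.0.113.9 case shows why the allow-default keyword matters on an edge router that only carries a default route toward the Internet: without it, strict mode drops every legitimate external source. The loose-mode case shows that loose mode still accepts the spoofed internal source, so strict mode is the setting for the untrusted-facing interface wherever routing is symmetric.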



TEMPLATES AND BASE CONFIGURATION

TEMPLATES AND BASE CONFIGURATION ........................................................................................................... 403

BASE CONFIGURATION.................................................................................................................................................404
Cisco Catalyst Switches .................................................................................................................................................... 404
Cisco Routers ................................................................................................................................................................... 406
StandAlone Cisco Access Point (AP)................................................................................................................................. 408
TEMPLATES ...............................................................................................................................................................411
QoS.....................................................................................................................................................................411
QoS on WAN Router (I) .................................................................................................................................................... 411
QoS on Internet Edge ...................................................................................................................................................... 412
QoS on WAN Router (II) ................................................................................................................................................... 413



BASE CONFIGURATION

CISCO CATALYST SWITCHES

hostname RHG-CS01-TRA-CA
vtp domain ROUTEHUB

username admin privilege 15 secret cisco123

ip domain-name ROUTEHUB

banner motd ^C
-------------------------------------------------------------
This system is for ROUTEHUB GROUP use only!

All telecommunications and automated information systems and related
equipment are for the communication, transmission, processing, and
storage of ROUTEHUB information only. The systems and
equipment are subject to authorized monitoring to ensure proper
functioning, to protect against unauthorized use, and to verify the
presence and performance of applicable security features. Such
monitoring may result in the acquisition, recording, and analysis of all
data being communicated, transmitted, processed, or stored in this
system by a user. If monitoring reveals possible evidence of
unauthorized use or criminal activity, such evidence may be provided to
appropriate law enforcement personnel. Anyone using this system
expressly consents to such monitoring.
-------------------------------------------------------------
^C

service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service tcp-small-servers
no service udp-small-servers
service sequence-numbers

logging buffered 16384
no logging console
no logging monitor

no aaa new-model

clock timezone PDT -8
clock summer-time PDT recurring

vtp mode transparent

no ip subnet-zero


no ip bootp server
no ip domain-lookup

ip routing

mls qos

errdisable recovery cause all

spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree backbonefast

ip tcp synwait-time 10
ip telnet quiet
ip telnet hidden addresses

ip tftp source-interface Vlan10

no cdp run
ip classless
no ip http server

alias exec c config t

ip domain-name routehub.local
crypto key generate rsa general-keys modulus 2048
ip ssh time-out 15
ip ssh version 2

ntp server 192.43.244.18 prefer

logging facility local4

line con 0
exec-timeout 15 0
password cisco123
logging synchronous

line vty 0 4
exec-timeout 15 0
login local
! NOTE: with 'transport input telnet' the vty accepts Telnet only and the SSH server configured
! above is never reachable on it; 'transport input ssh' restricts management logins to SSH so
! credentials are not sent in cleartext
transport input telnet
transport output all



CISCO ROUTERS

hostname cs-cs01-mp-ca
vtp domain ROUTEHUB

username admin privilege 15 secret cisco123

ip domain-name ROUTEHUB

banner motd ^
-------------------------------------------------------------
This system is for ROUTEHUB GROUP use only!

All telecommunications and automated information systems and related
equipment are for the communication, transmission, processing, and
storage of ROUTEHUB information only. The systems and
equipment are subject to authorized monitoring to ensure proper
functioning, to protect against unauthorized use, and to verify the
presence and performance of applicable security features. Such
monitoring may result in the acquisition, recording, and analysis of all
data being communicated, transmitted, processed, or stored in this
system by a user. If monitoring reveals possible evidence of
unauthorized use or criminal activity, such evidence may be provided to
appropriate law enforcement personnel. Anyone using this system
expressly consents to such monitoring.
-------------------------------------------------------------
^

service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers

logging buffered 16384
no logging console
no logging monitor

no aaa new-model

clock timezone PDT -8
clock summer-time PDT recurring

no ip subnet-zero
no ip bootp server
no ip domain lookup

ip tcp synwait-time 10
ip telnet quiet
ip telnet hidden addresses

no cdp run

alias exec c config t



ip domain-name routehub.local
crypto key generate rsa general-keys modulus 2048
ip ssh time-out 15
ip ssh version 2

ntp server 192.43.244.18 prefer

line con 0
exec-timeout 15 0
password cisco123
logging synchronous

line vty 0 4
exec-timeout 15 0
login local
! NOTE: with 'transport input telnet' the vty accepts Telnet only and the SSH server configured
! above is never reachable on it; 'transport input ssh' restricts management logins to SSH so
! credentials are not sent in cleartext
transport input telnet
transport output all
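A base template is only useful if every device actually matches it. The following Python audit is added as an example (it is not the guide's or Cisco's tooling): it splits an IOS configuration into blocks by indentation, then checks the global hardening lines used in the switch and router templates above, the per-interface lines from the "Interfaces (L3)" best practice, and the console/vty settings. The sample configuration, its hostname and addresses are constructed for the example; it deliberately leaves out some template lines and keeps "transport input telnet", so the findings show what the audit catches.

```python
# Constructed sample modelled on the router template (not the page's text); names and addresses are assumptions
SAMPLE_CONFIG = """\
hostname rtr-example
service password-encryption
service tcp-keepalives-in
no ip bootp server
no cdp run
ip ssh version 2
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
!
line con 0
 exec-timeout 15 0
 password cisco123
 logging synchronous
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
 transport output all
"""

# Global hardening lines the base templates use
REQUIRED_GLOBAL = [
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip bootp server",
    "no ip http server",
    "no cdp run",
    "ip ssh version 2",
]
# Per-interface lines from the "Interfaces (L3)" best practice
REQUIRED_L3 = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]


def parse_blocks(text):
    """Split an IOS config into (header, [sub-commands]) blocks using its one-space indentation."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(text):
    """Return a list of findings; an empty list means the configuration passes every check."""
    blocks = parse_blocks(text)
    present = {header for header, _ in blocks}
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL if cmd not in present]
    for header, subs in blocks:
        if header.startswith("interface ") and any(s.startswith("ip address ") for s in subs):
            findings += [f"{header}: missing '{cmd}'" for cmd in REQUIRED_L3 if cmd not in subs]
        elif header.startswith("line ") and not any(s.startswith("exec-timeout") for s in subs):
            findings.append(f"{header}: no exec-timeout (idle sessions never expire)")
        if header.startswith("line vty"):
            transports = [s for s in subs if s.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: transport input not set (platform default may allow telnet)")
            for t in transports:
                if set(t.split()[2:]) - {"ssh", "none"}:
                    findings.append(f"{header}: '{t}' allows cleartext logins; use 'transport input ssh'")
            if not any(s.startswith("login") for s in subs):
                findings.append(f"{header}: no login method (vty has no authentication)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of "show running-config all" rather than "show running-config", because IOS hides default settings such as "no service tcp-small-servers" in the normal output; a fully hardened device returns an empty list.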



STANDALONE CISCO ACCESS POINT (AP)

>> on switch

hostname cs-cs01-mp-ca

vlan 10
name RHG-VLAN-WLAN-PROD

vlan 110
name RHG-VLAN-WLAN-GUEST

vlan 99
name RHG-VLAN-WLAN-MGMT

default interface FastEthernet0/24

interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport trunk allowed vlan 10,99,110
switchport mode trunk

>> config on standalone AP

hostname rhg-ap01-sf-ca

interface BVI1
ip address 192.168.99.21 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no shutdown

ip default-gateway 192.168.99.1

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

enable secret cisco123

ip subnet-zero

no aaa new-model

dot11 vlan-name rhgpublic vlan 10
dot11 vlan-name rhgwlan vlan 110

dot11 ssid rhgwlan
vlan 110
authentication open
authentication key-management wpa
wpa-psk ascii cisco123



dot11 ssid rhgpublic
vlan 10
authentication open
authentication key-management wpa
wpa-psk ascii cisco123

dot11 network-map
dot11 arp-cache

username admin privilege 15 secret cisco123

line vty 0 4
login local

bridge irb

bridge 1 protocol ieee
bridge 10 protocol ieee
bridge 110 protocol ieee

interface Dot11Radio0
no shutdown
! TKIP is a deprecated cipher; prefer AES-CCMP (mode ciphers aes-ccm) where the clients support it
encryption vlan 110 mode ciphers tkip
encryption vlan 10 mode ciphers tkip
ssid rhgpublic
ssid rhgwlan
station-role root access-point
no dot11 extension aironet
no cdp enable

interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
no cdp enable

bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled

interface Dot11Radio0.110
encapsulation dot1Q 110
no ip route-cache
no cdp enable
bridge-group 110
bridge-group 110 subscriber-loop-control
bridge-group 110 block-unknown-source
no bridge-group 110 source-learning
no bridge-group 110 unicast-flooding
bridge-group 110 spanning-disabled



interface FastEthernet0.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled

interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled

interface FastEthernet0.110
encapsulation dot1Q 110
no ip route-cache
bridge-group 110
no bridge-group 110 source-learning
bridge-group 110 spanning-disabled
end

write mem



TEMPLATES

TEMPLATES ...............................................................................................................................................................411
QoS.....................................................................................................................................................................411
QoS on WAN Router (I) .................................................................................................................................................... 411
QoS on Internet Edge ...................................................................................................................................................... 412
QoS on WAN Router (II) ................................................................................................................................................... 413

QOS

QOS ON WAN ROUTER (I)

[Topology diagram: WAN Branch 2.2.2.2 (.2) -- 10.1.2.0/24 -- (.1) 1.1.1.1 WAN Aggregation]

>> WAN AGG <<

! class map defining DSCP values for RTP traffic
class-map match-all RHG-CM-VOICE-RTP
match ip dscp ef

! class map defining DSCP values for call control traffic
class-map match-any RHG-CM-VOICE-CONTROL
match ip dscp cs3
match ip dscp af31

policy-map RHG-PM-QOS
! Voice RTP enabled for LLQ (33%) and cRTP
class RHG-CM-VOICE-RTP
priority percent 33
compress header ip rtp
! Voice Control enabled for CBWFQ (5%)
class RHG-CM-VOICE-CONTROL
bandwidth percent 5
! all other traffic (Data) use best effort, WFQ, & WRED for TCP traffic
class class-default
fair-queue
random-detect dscp-based

! WAN facing interface
interface Serial0/0
ip address 10.1.2.1 255.255.255.0
! QoS policy applied outbound on interface
service-policy output RHG-PM-QOS



QOS ON INTERNET EDGE

[Topology diagram: LAN 192.168.10.0/24 (router .1) -- router 1.1.1.1 -- Internet 6.7.7.0/24]

! ACLs defining the traffic that will be classified
ip access-list extended ACL-TRAFFIC
permit tcp any any eq www
permit tcp any any eq pop3
permit tcp any any eq ftp
permit tcp any any eq smtp

! ACL associated to class map
class-map match-all CMAP-TRAFFIC
match access-group name ACL-TRAFFIC

! QoS policy created
policy-map POL-TRAFFIC
! Classified traffic will use 60% of the interface's bandwidth if congestion occurs
class CMAP-TRAFFIC
bandwidth percent 60
! all other traffic (not classified) will use 15% of the interface's bandwidth if congestion occurs
class class-default
bandwidth percent 15

! WAN facing interface
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! QoS policy applied outbound
service-policy output POL-TRAFFIC



QOS ON WAN ROUTER (II)

[Topology diagram: WAN Branch 2.2.2.2 (.2) -- 10.1.2.0/24 -- (.1) 1.1.1.1 WAN Aggregation]

! classify traffic considered BRONZE traffic
class-map match-all BRONZE
match access-group 152

! classify traffic considered SILVER traffic
class-map match-all SILVER
match access-group 151

! classify traffic considered GOLD traffic
class-map match-all GOLD
match access-group 150
match ip dscp ef

! create QoS policy
policy-map POLICY1
! define GOLD traffic policy
class GOLD
priority percent 50
set precedence 5
! define SILVER traffic policy
class SILVER
priority percent 15
set precedence 4
! define BRONZE traffic policy
class BRONZE
priority percent 10
set precedence 3
! define all other traffic policy
class class-default
set precedence 0
fair-queue

! WAN facing interface towards WAN cloud
interface Serial0/1/0
ip address 10.1.2.1 255.255.255.0
service-module t1 timeslots 1-24
! QoS policy applied outbound
service-policy output POLICY1



SOLUTIONS & SCENARIOS

SOLUTIONS & SCENARIOS.............................................................................................................................................414


Routing ..............................................................................................................................................................414
Advanced BGP with Dual Providers and PBR ................................................................................................................... 414
LAN and Data Center .........................................................................................................................................417
Campus Design: Layer 2 Access with Layer 3 Distribution/Core ..................................................................................... 417
Campus Design: Layer 3 Access with Layer 3 Distribution/Core ..................................................................................... 419

ROUTING

ADVANCED BGP WITH DUAL PROVIDERS AND PBR

[Topology diagram: ISP1 (ASN 100, 1.1.1.117) and ISP2 (ASN 200, 2.2.2.61) -- Core router (ASN 6778) -- LAN subnets 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24]

In this scenario we have two ISP providers enabled for BGP.

In our network we have four subnets which are:

192.168.10.0 /24
192.168.20.0 /24
192.168.30.0 /24
192.168.40.0 /24

Here are the IPs for our two ISPs:

ISP1: 1.1.1.117
ISP2: 2.2.2.61

OUTBOUND: this is for access from our LAN/DC out to the Internet

- Primary Internet access will be routed through ISP1
- Secondary Internet access will be routed through ISP2

INBOUND: this is for access from the Internet into our LAN/DC

- Access to networks 10 & 20 will be routed through ISP1
- Access to networks 30 & 40 will be routed through ISP2

If either provider fails, its networks will be routed through the other provider.

route-map RHG-PBR-OUT-ISP2 permit 10
match ip address RHG-acl-ISP2
set ip next-hop 2.2.2.61

interface Vlan123
description "RHG Servers"
ip address 192.168.10.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map RHG-PBR-OUT-ISP2

ip access-list standard RHG-acl-ISP2
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255

ip access-list standard RHG-acl-ISP1
permit 192.168.30.0 0.0.0.255
permit 192.168.40.0 0.0.0.255

access-list 2 permit any

! advertising to ISP1: prepend our AS six times on the networks matched by RHG-acl-ISP2, which
! makes ISP1 the longer (secondary) inbound path for those networks; 'continue' then falls
! through to sequence 20 so the remaining networks (ACL 2) are advertised unchanged
route-map RHG-ISP1-SEC permit 10
match ip address RHG-acl-ISP2
continue
set as-path prepend 6778 6778 6778 6778 6778 6778

route-map RHG-ISP1-SEC permit 20
match ip address 2

! advertising to ISP2: the same prepend for the networks matched by RHG-acl-ISP1
route-map RHG-ISP2-SEC permit 10
match ip address RHG-acl-ISP1
continue
set as-path prepend 6778 6778 6778 6778 6778 6778

route-map RHG-ISP2-SEC permit 20
match ip address 2

! matches only the default route learned from each provider
ip access-list standard RHG-acl-default
permit 0.0.0.0

! weight is Cisco-local (never advertised) and the first attribute compared in best-path
! selection: the default from ISP1 (100) beats the one from ISP2 (50), so outbound traffic
! prefers ISP1 and falls over to ISP2 when the ISP1 session drops
route-map RHG-RM-DEFAULT-PRI permit 10
match ip address RHG-acl-default
set weight 100

! sequence 11 has no match clause, so every other route is accepted unchanged
route-map RHG-RM-DEFAULT-PRI permit 11

route-map RHG-RM-DEFAULT-SEC permit 10
match ip address RHG-acl-default
set weight 50

route-map RHG-RM-DEFAULT-SEC permit 11

router bgp 6778
no synchronization
bgp log-neighbor-changes
aggregate-address 192.168.10.0 255.255.255.0 summary-only
aggregate-address 192.168.30.0 255.255.255.0 summary-only
aggregate-address 192.168.40.0 255.255.255.0 summary-only
aggregate-address 192.168.20.0 255.255.255.0 summary-only
redistribute connected
redistribute static
neighbor 1.1.1.117 remote-as 100
neighbor 1.1.1.117 ebgp-multihop 5
neighbor 1.1.1.117 route-map RHG-ISP1-SEC out
neighbor 1.1.1.117 route-map RHG-RM-DEFAULT-PRI in
neighbor 2.2.2.61 remote-as 200
neighbor 2.2.2.61 soft-reconfiguration inbound
neighbor 2.2.2.61 route-map RHG-RM-DEFAULT-SEC in
neighbor 2.2.2.61 route-map RHG-ISP2-SEC out
default-information originate
no auto-summary
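To see how the weight and AS-path prepend settings above produce the stated primary/secondary behaviour, here is an added Python model (example code, not part of the guide): it applies the first three steps of BGP best-path selection (weight, local preference, AS-path length) to the default routes we receive from the two providers and to the prefixes we advertise to them, and reports what changes when either provider fails. The assignment of prefixes to a prepend direction follows the stated design; which networks each RHG-acl-ISPx ACL lists should be checked against that design before deploying. Tie-breakers after AS-path length (origin, MED, router ID) are not modelled.

```python
from dataclasses import dataclass

OUR_AS = 6778
ISP1_AS, ISP2_AS = 100, 200
PREPENDS = 6   # 'set as-path prepend 6778 6778 6778 6778 6778 6778'
PREFIXES = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24"]

# Which prefixes get the prepend when advertised toward each ISP. This follows the stated
# design (10 & 20 preferred via ISP1, 30 & 40 via ISP2); it is an assumption to verify
# against the RHG-acl-ISP1 / RHG-acl-ISP2 ACLs, not a parse of the configuration.
PREPEND_TOWARD = {
    "ISP1": {"192.168.30.0/24", "192.168.40.0/24"},
    "ISP2": {"192.168.10.0/24", "192.168.20.0/24"},
}


@dataclass
class Path:
    next_hop: str
    as_path: list
    weight: int = 0        # Cisco-local attribute, highest wins, never advertised
    local_pref: int = 100


def best_path(paths):
    """First three steps of the BGP decision process: weight, local-pref, shortest AS path."""
    if not paths:
        return None
    return max(paths, key=lambda p: (p.weight, p.local_pref, -len(p.as_path)))


def outbound_default(isp1_up=True, isp2_up=True):
    """Next hop our router installs for 0.0.0.0/0 given the weights set by
    RHG-RM-DEFAULT-PRI (100, from ISP1) and RHG-RM-DEFAULT-SEC (50, from ISP2)."""
    paths = []
    if isp1_up:
        paths.append(Path("1.1.1.117", [ISP1_AS], weight=100))
    if isp2_up:
        paths.append(Path("2.2.2.61", [ISP2_AS], weight=50))
    chosen = best_path(paths)
    return chosen.next_hop if chosen else None


def advertised_as_path(prefix, isp):
    """AS path our router sends to an ISP for a prefix after the outbound route-map."""
    path = [OUR_AS]
    if prefix in PREPEND_TOWARD[isp]:
        path = [OUR_AS] * PREPENDS + path
    return path


def inbound_view(isp1_up=True, isp2_up=True):
    """Entry point a distant Internet router picks for each of our prefixes, assuming it
    hears both ISPs with equal weight and local-pref so that AS-path length decides."""
    chosen = {}
    for prefix in PREFIXES:
        paths = []
        if isp1_up:
            paths.append(Path("ISP1", [ISP1_AS] + advertised_as_path(prefix, "ISP1")))
        if isp2_up:
            paths.append(Path("ISP2", [ISP2_AS] + advertised_as_path(prefix, "ISP2")))
        best = best_path(paths)
        chosen[prefix] = best.next_hop if best else None
    return chosen


if __name__ == "__main__":
    print("outbound default via", outbound_default())
    print("outbound after ISP1 failure via", outbound_default(isp1_up=False))
    print("inbound:", inbound_view())
    print("inbound after ISP2 failure:", inbound_view(isp2_up=False))
```

Because weight is local to our router, it only shapes outbound traffic; inbound preference can only be influenced by what the rest of the Internet sees, which is why the design uses AS-path prepend toward the secondary provider rather than any local attribute.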



LAN AND DATA CENTER

CAMPUS DESIGN: LAYER 2 ACCESS WITH LAYER 3 DISTRIBUTION/CORE

[Topology diagram: DS/CS (Vlan10 192.168.10.1, EIGRP) Gi1/0/1 -- 802.1Q trunk (VLAN 10) -- Gi0/1 AS; AS Gi0/2 -- Host in VLAN 10]

>> ACCESS <<

! define VTP mode (recommended) and domain
vtp mode transparent
vtp domain ROUTEHUB

! Configure VLAN(s)
vlan 10
name VLAN-10-USER1

! Uplink Layer 2 802.1Q port to the Distribution/Core Switch
! Allow only VLAN 10 through 802.1Q trunk
interface GigabitEthernet0/1
description UPLINK: L3 Distribution/Core Switch
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10
no shutdown

! Connected host device assigned to VLAN10
interface GigabitEthernet0/2
description HOST
switchport mode access
switchport access vlan 10
no shutdown



>> DISTRIBUTION/CORE <<

! define VTP mode (recommended) and domain
vtp mode transparent
vtp domain ROUTEHUB

! Configure VLAN(s)
vlan 10
name VLAN-10-USER1

! Downlink Layer 2 802.1Q port to the Access switch
! Allow only VLAN 10 through 802.1Q trunk
interface GigabitEthernet1/0/1
description UPLINK: L2 Access Switch
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10
no shutdown

! Layer 3 interface for VLAN10
interface Vlan10
ip address 192.168.10.1 255.255.255.0
no ip proxy-arp
no ip redirects
no ip unreachables
no shutdown

! IGP routing process advertising VLAN10 network within AS
router eigrp 1
network 192.168.10.0
no auto-summary



CAMPUS DESIGN: LAYER 3 ACCESS WITH LAYER 3 DISTRIBUTION/CORE

[Topology diagram: DS/CS (EIGRP) Gi1/0/1 -- L3 link 10.99.100.0/30 (.1/.2) -- Gi0/1 AS; AS Vlan10 192.168.10.1; AS Gi0/2 -- Host in VLAN 10]

>> ACCESS <<

! define VTP mode (recommended) and domain
vtp mode transparent
vtp domain ROUTEHUB

! Configure VLAN(s)
vlan 10
name VLAN-10-USER1

! Layer 3 uplink interface to Distribution/Core Switch
interface GigabitEthernet0/1
description UPLINK: L3 Distribution/Core Switch
no switchport
ip address 10.99.100.1 255.255.255.252
no shutdown

! Connected host device assigned to VLAN10
interface GigabitEthernet0/2
description HOST
switchport mode access
switchport access vlan 10
no shutdown

! Layer 3 interface for VLAN10
interface Vlan10
ip address 192.168.10.1 255.255.255.0
no ip proxy-arp
no ip redirects
no ip unreachables

! IGP routing process advertising the VLAN10 network and Interconnection network
! within AS
router eigrp 1
network 10.99.100.0 0.0.0.3
network 192.168.10.0
no auto-summary



>> DISTRIBUTION/CORE <<

! Layer 3 downlink interface to Access Switch
interface GigabitEthernet1/0/1
description UPLINK: L3 Access Switch
no switchport
ip address 10.99.100.2 255.255.255.252
no shutdown

! IGP routing process advertising the Interconnection network within AS
router eigrp 1
network 10.99.100.0 0.0.0.3
no auto-summary



SYSTEMS AND OTHER SERVICES

SYSTEMS AND OTHER SERVICES ......................................................................................................................... 421

MICROSOFT ...............................................................................................................................................................421
Change MTU on Windows 7/Vista ................................................................................................................................... 421
MSConfig ......................................................................................................................................................................... 421
APPLE/LINUX .............................................................................................................................................................422
Adding Static Routes ........................................................................................................................................................ 422

MICROSOFT

CHANGE MTU ON WINDOWS 7/VISTA

! change MTU on the NIC to 1452 Bytes
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1452 store=persistent

MSCONFIG

! access Microsoft startup configuration and services
msconfig



APPLE/LINUX

ADDING STATIC ROUTES

! static route defining subnet and next-hop to reach subnet/host (macOS/BSD route syntax)
sudo route add -net 192.168.20.0/24 192.168.10.1
! equivalent on Linux with iproute2
sudo ip route add 192.168.20.0/24 via 192.168.10.1

