Business Ready Branch Solutions for Enterprise and Small Office--Reference Design Guide
Sample Business Ready Branch Configuration Listings

The following is a sample configuration of a Business Ready Branch. There are many permutations of feature combinations when setting up the access router for the branch office, but this is one fairly comprehensive example that was used in Cisco testing.

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Anytown
!
!
logging buffered 4096 debugging
logging rate-limit 20
no logging console
!
clock timezone est -5
clock summer-time edt recurring
no network-clock-participate aim 0
no network-clock-participate aim 1
voice-card 6
dspfarm
!
no aaa new-model
aaa authentication login default local
ip subnet-zero
no ip source-route
ip cef
!
ip dhcp pool phones
   network 10.173.156.0 255.255.255.0
   default-router 10.173.156.1 
   option 150 ip 10.59.138.4 
   dns-server 10.59.138.4
!
ip dhcp pool pc
   network 10.73.26.0 255.255.255.192
   default-router 10.73.26.1
   dns-server 10.73.26.1
!
ip inspect one-minute high 2000
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
ip ips po max-events 100
! disables alarming on RFC 1918 addresses detection
ip ips signature 1107 0 disable
! disables alarming ICMP on echo reply
ip ips signature 2000 0 disable
! disables alarming on ICMP host unreachable (this is commonly seen during MTU discovery)
ip ips signature 2001 0 disable
ip ips name softips
no ftp-server write-enable
!
!
class-map match-all VOICE
 match ip dscp ef 
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21
!
!
policy-map reorder
 class VOICE
  priority percent 33
 class CALL-SETUP
  bandwidth percent 2
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class class-default
  fair-queue
  random-detect dscp-based
policy-map shaper
 class class-default
  shape average 5000000
  service-policy reorder
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key branch address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set brb esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set brb
!
interface Tunnel0
 description Hub and Spoke DMVPN link
 ip address 10.73.30.2 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication brb
 ip nhrp map multicast dynamic
 ip nhrp map 10.73.30.1 192.168.8.6
 ip nhrp map multicast 192.168.8.6
 ip nhrp network-id 99
 ip nhrp nhs 10.73.30.1
 ip route-cache flow
 load-interval 30
 qos pre-classify
 tunnel source Loopback0
 tunnel destination 192.168.8.6
 tunnel key 10000
 tunnel path-mtu-discovery
 tunnel protection ipsec profile dmvpn
!
interface Loopback0
 ip address 10.73.1.6 255.255.255.248
!
interface FastEthernet0/0
 no ip address
 no ip proxy-arp
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1.16
 description DMZ
 encapsulation dot1Q 16
 ip address 10.57.0.1 255.255.255.0
 ip access-group DMZ in
 ip ips softips in
 ip virtual-reassembly
!
interface FastEthernet0/1.18
 description Voice VLAN for phones
 encapsulation dot1Q 18
 ip address 10.173.156.1 255.255.255.0
 ip access-group voice in
 ip inspect firewall in
 ! note - avoid IPS on Voice LAN
 !        with RPC sigs enabled
!
interface FastEthernet0/1.20
 description Data VLAN for PCs
 encapsulation dot1Q 20
 ip address 10.73.26.1 255.255.255.192
 ip nat inside
 ip access-group LAN in
 ip inspect firewall in
 ip ips softips in
!
interface Hssi3/0
 description ISP 5 Mbps link
 encapsulation ppp
 load-interval 30
 hssi internal-clock
 serial restart-delay 0
 ip address 192.168.25.30 255.255.255.252
 ip nat outside
 ip access-group INPUT_ACL in
 ip inspect firewall in
 ip ips softips in
 ip virtual-reassembly
 service-policy output shaper
!
router eigrp 15
 passive-interface FastEthernet0/1.16
 passive-interface FastEthernet0/1.18
 passive-interface FastEthernet0/1.20
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.25.29
!
ip nat inside source list LAN interface Hssi3/0 overload
!
ip access-list extended INPUT_ACL
 remark Allow IKE and ESP from the headend router
 permit udp host 192.168.1.1 any eq isakmp
 permit esp host 192.168.1.1 any
 remark Allow ICMP
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark Allow DNS name lookup from router
 permit udp any eq domain any
 remark Allow the Internet to DMZ
 permit ip any 10.57.0.0 0.0.0.255
 deny ip any any
!
ip access-list extended LAN
 permit ip 10.73.26.0 0.0.0.63 any
 deny ip any any
!
ip access-list extended DMZ
 deny ip any any
!
ip access-list extended voice
 permit ip 10.173.156.0 0.0.0.255 any
 deny ip any any
!
control-plane
!--------- CCM SRST with MGCP Fallback Voice Section --------------
!
isdn switch-type primary-5ess
!
ccm-manager switchback immediate
ccm-manager fallback-mgcp
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager config server 10.59.138.4
ccm-manager config
!
controller T1 0/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24 service mgcp
!
interface Serial0/0:23
 no ip address
 isdn switch-type primary-5ess
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
interface Service-Engine1/0
 ip unnumbered Loopback0
 service-module ip address 10.73.1.5 255.255.255.248
 service-module ip default-gateway 10.73.1.6
!
interface Loopback0
 ip address 10.73.1.6 255.255.255.248
!
ip route 10.73.1.5 255.255.255.255 Service-Engine1/0
!
voice-port 0/0:23
!         
mgcp
mgcp call-agent VPN2-CM-2 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp package-capability rtp-package
no mgcp package-capability res-package
mgcp package-capability sst-package
no mgcp package-capability fxr-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp rtp payload-type g726r16 static
!
mgcp profile default
!
dial-peer cor custom
!
dial-peer voice 29999 voip
 description voicemail_cue
 destination-pattern 2999.
 session protocol sipv2
 session target ipv4:10.73.1.5
 codec g711ulaw
!
dial-peer voice 25 pots
 description PSTN
 application mgcpapp
 destination-pattern 9T
 port 0/0:23
!
dial-peer voice 26 pots
 description PSTN
 application mgcpapp
 destination-pattern 91T
 port 0/0:23
!
call-manager-fallback
 max-conferences 8
 ip source-address 10.73.1.6 port 2000
 max-ephones 240
 max-dn 250
 voicemail 29999
 call-forward busy 29999
 call-forward noan 29999 timeout 3
!
line con 0
 exec-timeout 61 0
 password 7 0822455D0A16
line 33
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line aux 0
line vty 0
 password 7 00071A150754
 login
 transport input telnet
line vty 1 4
 exec-timeout 61 0
 password 7 00071A150754
 login
 transport input telnet
line vty 5 6
 exec-timeout 61 0
 login
!
ntp clock-period 17175627
ntp server 172.26.176.10
ntp peer 10.73.30.1
end
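
Added example, not part of Cisco's listing: a listing like the one above applies its firewall, IPS, ACL, QoS and IPsec objects to interfaces by name, so a misspelled name leaves a reference with no definition behind it. The Python sketch below cross-checks references against definitions; the function name `unresolved_references`, the pattern tables and the sample excerpt are constructed for illustration and cover only the command forms used in this listing.

```python
import re
# (kind, pattern) pairs, limited to IOS 12.3 command forms that appear in the listing.
# Patterns are anchored at line start, so "!" comment lines never match.
DEFINES = [
    ("inspect", r"ip inspect name (\S+)"),
    ("ips", r"ip ips name (\S+)"),
    ("acl", r"ip access-list (?:extended|standard) (\S+)"),
    ("policy-map", r"policy-map (\S+)"),
    ("class-map", r"class-map (?:match-(?:all|any) )?(\S+)"),
    ("ipsec-profile", r"crypto ipsec profile (\S+)"),
]
REFERS = [
    ("inspect", r"ip inspect (?!name )(\S+) (?:in|out)$"),
    ("ips", r"ip ips (?!name )(\S+) (?:in|out)$"),
    ("acl", r"ip access-group (\S+) (?:in|out)$"),
    ("acl", r"ip nat inside source list (\S+)"),
    ("policy-map", r"service-policy (?:(?:input|output) )?(\S+)$"),
    ("class-map", r"class (?!class-default$)(\S+)$"),
    ("ipsec-profile", r"tunnel protection ipsec profile (\S+)"),
]

def unresolved_references(config):
    """Return (line_no, kind, name) for each reference with no matching definition."""
    defined, refs = set(), []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for kind, rx in DEFINES:
            if m := re.match(rx, line):
                defined.add((kind, m.group(1)))
        for kind, rx in REFERS:
            if m := re.match(rx, line):
                refs.append((n, kind, m.group(1)))
    # A definition may follow its use in a listing, so resolve after the full pass.
    return [r for r in refs if (r[1], r[2]) not in defined]

# Constructed excerpt (not the page's listing) with a deliberate IPS name mismatch
# and an ACL that is applied but never defined.
SAMPLE = """\
ip inspect name firewall tcp
ip ips name softips
interface FastEthernet0/1.16
 ip access-group DMZ in
 ip ips softids in
interface Hssi3/0
 ip access-group INPUT_ACL in
 ip inspect firewall in
ip access-list extended INPUT_ACL
"""
for hit in unresolved_references(SAMPLE):
    print("unresolved: line %d, %s %r" % hit)
```

Names are compared exactly as written, so a difference in spelling or case counts as unresolved.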