IP Video Surveillance Design Guide
Network Diagram and Configuration Files

This chapter contains a topology diagram and the associated router, firewall, and switch configuration files for the devices in this sample implementation. See Figure 1.

Figure 1 Network Diagram


Router and Firewall Configurations

The running configuration files from the routers shown in the preceding topology diagram are included in this section for reference.

vpn-jk2-7206-1

This configuration is for the upper WAN aggregation router shown in the topology diagram.


!
! Last configuration change at 13:06:43 edt Tue Aug 4 2009
! NVRAM config last updated at 13:07:50 edt Tue Aug 4 2009
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname vpn-jk2-7206-1
!
boot-start-marker
boot system flash disk0:c7200-adventerprisek9-mz.124-15.T5
boot-end-marker
!
logging buffered 2000000
enable secret 5 [removed]
!
no aaa new-model
clock timezone est -5
clock summer-time edt recurring
ip wccp 61
ip wccp 62
ip cef
!
!
no ip dhcp use vrf connected
!
!
!
ip vrf IPVS
 rd 100:10
 route-target export 100:10
 route-target import 100:10
!
no ip domain lookup
ip domain name cisco.com
ip host rtp5-esevpn-ios-ca 10.81.0.27
ip multicast-routing 
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint rtp5-esevpn-ios-ca
 enrollment url http://rtp5-esevpn-ios-ca:80
 revocation-check none
!
!
crypto pki certificate chain rtp5-esevpn-ios-ca
 certificate 0D
  3082023A 308201A3 A0030201 0202010D 300D0609 2A864886 F70D0101 04050030 
  6B310C30 0A060355 04081303 204E4331 11300F06 03550407 13082052 616C6569 
  419A9E33 E84ABC15 FCCFB1CC EBC1AE94 F07752CC 22A803C7 99AE4097 BA2D
  	quit
 certificate ca 01
  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E
  	quit
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 100
 encr 3des
 group 2
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
crypto isakmp profile IPVS_Branches_isakmp_profile
   description IPVS_Branches_isakmp_profile
   self-identity address
   ca trust-point rtp5-esevpn-ios-ca
   match identity host domain ese.cisco.com
crypto isakmp profile DMVPN_IKE_PROFILE
   description DMVPN Profile
   self-identity fqdn
   ca trust-point rtp5-esevpn-ios-ca
   match identity address 64.102.223.24 255.255.255.255 
   keepalive 10 retry 2
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN_IPSEC_PROFILE
 set transform-set 3DES_SHA_TRANSPORT 
 set isakmp-profile DMVPN_IKE_PROFILE
!
crypto ipsec profile IPVS_Branches_ipsec_profile
 description IPVS_Branches_ipsec_profile
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 set isakmp-profile IPVS_Branches_isakmp_profile
!
!
controller ISA 5/1
!
!
class-map match-any LOW-LATENCY-DATA
 match ip dscp af21  af22  af23 
class-map match-any HIGH-THROUGHPUT-DATA
 match ip dscp af11  af12  af13 
class-map match-all BROADCAST-VIDEO
 match ip dscp cs5 
class-map match-all NETWORK-CONTROL
 match ip dscp cs6 
class-map match-any MULTIMEDIA-CONFERENCING
 match ip dscp af41  af42  af43 
class-map match-all OAM
 match ip dscp cs2 
class-map match-all VOICE
 match ip dscp ef 
class-map match-all SCAVENGER
 match ip dscp cs1 
class-map match-any CALL-SIGNALING
 match ip dscp cs3 
!
!
policy-map IPVS_BRANCH
 class BROADCAST-VIDEO
  bandwidth percent 40
 class VOICE
  priority percent 10
 class LOW-LATENCY-DATA
  bandwidth percent 4
 class HIGH-THROUGHPUT-DATA
  bandwidth percent 4
 class MULTIMEDIA-CONFERENCING
  bandwidth percent 4
 class SCAVENGER
  bandwidth percent 1
 class OAM
  bandwidth percent 1
 class NETWORK-CONTROL
  bandwidth percent 1
 class CALL-SIGNALING
  bandwidth percent 1
 class class-default
  fair-queue
policy-map 30M
 class class-default
  shape average 30000000
  service-policy IPVS_BRANCH
!
!
!
!
!
interface Loopback0
 description Loopback for Global RT
 ip address 192.168.15.40 255.255.255.255
!
interface Tunnel128
 description DMVPN tunnel/cloud to Branches 
 ip vrf forwarding IPVS
 ip address 192.168.15.129 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication FOO
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.15.40
 ip nhrp network-id 128
 ip nhrp nhs 192.168.15.129
 ip nhrp server-only
 ip route-cache flow
 no ip split-horizon eigrp 65
 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 128
 tunnel protection ipsec profile IPVS_Branches_ipsec_profile
!
interface Tunnel300
 description DMVPN Tunnel to Enterprise/Internet
 ip address 10.81.7.254 255.255.255.240
 ip mtu 1400
 ip pim sparse-mode
 ip nhrp authentication BAR
 ip nhrp map multicast dynamic
 ip nhrp map 10.81.7.241 64.102.223.24
 ip nhrp map multicast 64.102.223.24
 ip nhrp network-id 22341
 ip nhrp nhs 10.81.7.241
 ip route-cache flow
 load-interval 30
 tunnel source FastEthernet0/0
 tunnel destination 64.102.223.24
 tunnel key 300
 tunnel protection ipsec profile DMVPN_IPSEC_PROFILE
!
interface FastEthernet0/0
 description FLASH156
 ip address 172.26.157.3 255.255.254.0
 no ip proxy-arp
 load-interval 30
 duplex full
 speed 100
!
interface FastEthernet0/1
 no ip address
 ip flow ingress
 duplex auto
 speed auto
!
interface FastEthernet0/1.90
 description ASA DMZ Global
 encapsulation dot1Q 90
 ip address 10.81.7.161 255.255.255.248
 ip flow ingress
 standby 0 ip 10.81.7.166
 standby 0 preempt delay minimum 60
!
interface FastEthernet0/1.91
 description ASA DMZ vrf IPVS
 encapsulation dot1Q 91
 ip vrf forwarding IPVS
 ip address 192.168.15.97 255.255.255.248
 ip flow ingress
 standby 0 ip 192.168.15.102
 standby 0 preempt delay 
!
interface FastEthernet0/1.332
 description MAN/WAN to Site 130 (vpn1-2851-1)
 encapsulation dot1Q 332
 ip address 192.168.15.45 255.255.255.252
 ip flow ingress
 service-policy output 30M
!
interface FastEthernet0/1.340
 description MAN/WAN to Site 140 (vpn1-3845-1)
 encapsulation dot1Q 340
 ip address 192.168.15.13 255.255.255.252
 ip flow ingress
 service-policy output 30M
!
interface FastEthernet0/1.342
 description MAN/WAN to Site 140 (vpn1-3845-1)
 encapsulation dot1Q 342
 ip vrf forwarding IPVS
 ip address 192.168.15.77 255.255.255.252
 ip flow ingress
 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5
 service-policy output 30M
!
interface FastEthernet0/1.352
 description MAN/WAN to Site 150 (vpn4-3800-6)
 encapsulation dot1Q 352
 ip address 192.168.15.49 255.255.255.252
 ip flow ingress
!
router eigrp 64
 redistribute static metric 1000 100 255 1 1500 route-map ASA5510_VPN3080
 redistribute eigrp 65 metric 1000 100 255 1 1500 route-map Branch_Networks
 passive-interface FastEthernet0/1.90
 network 10.0.0.0
 no auto-summary
 eigrp stub connected redistributed
!
router eigrp 65
 redistribute eigrp 64 metric 1000 100 255 1 1500 route-map DEFAULT
 network 192.168.15.0 0.0.0.63
 no auto-summary
 !
 address-family ipv4 vrf IPVS
  redistribute static metric 1000 10 255 1 1500 route-map COMMAND_CENTER
  network 192.168.15.64 0.0.0.63
  network 192.168.15.128 0.0.0.63
  distribute-list route-map Branch_Net_vrf_IPVS_RT in
  no auto-summary
  autonomous-system 65
 exit-address-family
!
ip forward-protocol nd
ip route 10.81.0.27 255.255.255.255 172.26.156.1 name rtp5-esevpn-ios-ca
ip route 10.81.7.56 255.255.255.252 10.81.7.163 name ASA5510
ip route 10.81.254.0 255.255.255.0 172.26.156.1 name NTP_Servers
ip route 64.102.223.16 255.255.255.240 172.26.156.1 name cryptHE
ip route 172.26.0.0 255.255.0.0 172.26.156.1
ip route vrf IPVS 10.81.7.0 255.255.255.0 192.168.15.99 name ASA5510_PAT
ip route vrf IPVS 192.0.2.128 255.255.255.224 192.168.15.99 name ASA5510
ip route vrf IPVS 192.168.15.64 255.255.255.248 192.168.15.99 name VPN3080_pool
no ip http server
no ip http secure-server
!
ip flow-cache timeout inactive 30
ip flow-cache timeout active 1
ip flow-export version 5
!
!
ip access-list standard Branch_Net_vrf_IPVS_RT
 permit 192.0.2.0 0.0.0.255
ip access-list standard DEFAULT
 permit 0.0.0.0
!
ip prefix-list ALL_VMSS seq 5 permit 192.0.2.0/24
!
ip prefix-list ASA5510_VPN3080 seq 5 permit 10.81.7.56/30
!
ip prefix-list Branch_Net_vrf_IPVS_RT seq 132 permit 192.168.111.0/24
ip prefix-list Branch_Net_vrf_IPVS_RT seq 142 permit 192.168.11.0/24
ip prefix-list Branch_Net_vrf_IPVS_RT seq 152 permit 192.168.211.0/24
!
ip prefix-list Branch_Networks seq 130 permit 10.81.7.152/29
ip prefix-list Branch_Networks seq 131 permit 192.0.2.0/27
ip prefix-list Branch_Networks seq 132 permit 192.168.111.0/24
ip prefix-list Branch_Networks seq 140 permit 10.81.7.0/29
ip prefix-list Branch_Networks seq 141 permit 192.0.2.64/26
ip prefix-list Branch_Networks seq 142 permit 192.168.11.0/24
ip prefix-list Branch_Networks seq 150 permit 10.81.7.88/29
ip prefix-list Branch_Networks seq 151 permit 192.0.2.32/27
ip prefix-list Branch_Networks seq 152 permit 192.168.211.0/24
!
ip prefix-list COMMAND_CENTER seq 100 permit 192.0.2.128/25
ip prefix-list COMMAND_CENTER seq 101 permit 10.81.7.0/24
ip prefix-list COMMAND_CENTER seq 102 permit 192.168.15.64/29
!
ip prefix-list SITE_130 seq 5 permit 192.0.2.0/27
!
ip prefix-list SITE_140 seq 5 permit 192.0.2.64/26
ip sla responder
logging alarm informational
snmp-server enable traps tty
!
!
!
route-map Branch_Net_vrf_IPVS_RT permit 10
 match ip address prefix-list Branch_Net_vrf_IPVS_RT
 set tag 5011
!
route-map Branch_Net_vrf_IPVS_RT permit 20
 match ip address Branch_Net_vrf_IPVS_RT
 set tag 5011
!
route-map COMMAND_CENTER permit 10
 match ip address prefix-list COMMAND_CENTER
 set tag 2128
!
route-map Branch_Networks permit 10
 match ip address prefix-list Branch_Networks
 set tag 5010
!
route-map DEFAULT permit 10
 match ip address DEFAULT
!
route-map ASA5510_VPN3080 permit 10
 match ip address prefix-list ASA5510_VPN3080
!
!
!
!
control-plane
!
!
!
gatekeeper
 shutdown
!
banner exec 
=
==
===
==== This is the WAN/MAN router for IPVS branches
===
==
=

!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7 [removed]
 login
!
ntp master 12
ntp update-calendar
ntp server 10.81.254.202
ntp server 10.81.254.131
!
end

vpn-jk2-7206-2

This configuration is for the bottom WAN aggregation router shown in the topology diagram.


!
! Last configuration change at 13:10:14 edt Tue Aug 4 2009
! NVRAM config last updated at 13:11:17 edt Tue Aug 4 2009
!
upgrade fpd auto
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname vpn-jk2-7206-2
!
boot-start-marker
boot system disk0:c7200-adventerprisek9-mz.124-15.T5
boot-end-marker
!
enable secret 5 [removed]
!
no aaa new-model
clock timezone est -5
clock summer-time edt recurring
ip cef
!
!
!
!
ip vrf IPVS
 rd 100:10
 route-target export 100:10
 route-target import 100:10
!
no ip domain lookup
ip domain name cisco.com
ip host rtp5-esevpn-ios-ca 10.81.0.27
ip multicast-routing 
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint rtp5-esevpn-ios-ca
 enrollment url http://rtp5-esevpn-ios-ca:80
 revocation-check none
!
!
crypto pki certificate chain rtp5-esevpn-ios-ca
 certificate 12
  3082023A 308201A3 A0030201 02020112 300D0609 2A864886 F70D0101 04050030 
  D2993DBF 32824A8C 420DC983 C5BF7E17 28D1406E 0D937B7D 152C6FB3 D581
  	quit
 certificate ca 01
  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E
  	quit
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 100
 encr 3des
 group 2
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
crypto isakmp profile IPVS_Branches_isakmp_profile
   description IPVS_Branches_isakmp_profile
   self-identity address
   ca trust-point rtp5-esevpn-ios-ca
   match identity host domain ese.cisco.com
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set AES_SHA_TUNNEL esp-aes esp-sha-hmac 
crypto ipsec transform-set AES_SHA_TRANSPORT esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPVS_Branches_ipsec_profile
 description IPVS_Branches_ipsec_profile
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 set isakmp-profile IPVS_Branches_isakmp_profile
!
!
controller ISA 5/1
!
!
class-map match-any LOW-LATENCY-DATA
 match ip dscp af21  af22  af23 
class-map match-any HIGH-THROUGHPUT-DATA
 match ip dscp af11  af12  af13 
class-map match-all BROADCAST-VIDEO
 match ip dscp cs5 
class-map match-all NETWORK-CONTROL
 match ip dscp cs6 
class-map match-any MULTIMEDIA-CONFERENCING
 match ip dscp af41  af42  af43 
class-map match-all OAM
 match ip dscp cs2 
class-map match-all VOICE
 match ip dscp ef 
class-map match-all SCAVENGER
 match ip dscp cs1 
class-map match-any CALL-SIGNALING
 match ip dscp cs3 
!
!
policy-map IPVS_BRANCH
 class BROADCAST-VIDEO
  bandwidth percent 40
 class VOICE
  priority percent 10
 class LOW-LATENCY-DATA
  bandwidth percent 4
 class HIGH-THROUGHPUT-DATA
  bandwidth percent 4
 class MULTIMEDIA-CONFERENCING
  bandwidth percent 4
 class SCAVENGER
  bandwidth percent 1
 class OAM
  bandwidth percent 1
 class NETWORK-CONTROL
  bandwidth percent 1
 class CALL-SIGNALING
  bandwidth percent 1
 class class-default
  fair-queue
policy-map 30M
 class class-default
  shape average 30000000
  service-policy IPVS_BRANCH
!
!
interface Loopback0
 description Loopback for Global RT
 ip address 192.168.15.41 255.255.255.255
!
interface Tunnel192
 ip vrf forwarding IPVS
 ip address 192.168.15.193 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication FOO
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.15.41
 ip nhrp network-id 192
 ip nhrp nhs 192.168.15.193
 ip nhrp server-only
 ip route-cache flow
 no ip split-horizon eigrp 65
 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 192
 tunnel protection ipsec profile IPVS_Branches_ipsec_profile
!
interface FastEthernet0/0
 ip address 172.26.157.4 255.255.254.0
 no ip proxy-arp
 ip route-cache flow
 duplex full
 speed 100
!
interface FastEthernet0/1
 description MAN/WAN to Branches
 no ip address
 ip route-cache flow
 duplex full
 speed 100
!
interface FastEthernet0/1.90
 description ASA DMZ Global
 encapsulation dot1Q 90
 ip address 10.81.7.162 255.255.255.248
 ip flow ingress
 standby 0 ip 10.81.7.166
 standby 0 priority 90
 standby 0 preempt delay minimum 60
!
interface FastEthernet0/1.91
 description ASA DMZ vrf IPVS
 encapsulation dot1Q 91
 ip vrf forwarding IPVS
 ip address 192.168.15.98 255.255.255.248
 ip flow ingress
 standby 0 ip 192.168.15.102
 standby 0 priority 90
 standby 0 preempt delay minimum 60
!
!
interface FastEthernet0/1.331
 encapsulation dot1Q 331
 ip address 192.168.15.21 255.255.255.252
 service-policy output 30M
!
interface FastEthernet0/1.341
 encapsulation dot1Q 341
 ip address 192.168.15.25 255.255.255.252
 service-policy output 30M
!
interface FastEthernet0/1.343
 encapsulation dot1Q 343
 ip vrf forwarding IPVS
 ip address 192.168.15.89 255.255.255.252
 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5
 service-policy output 30M
!
interface FastEthernet0/1.351
 encapsulation dot1Q 351
 ip address 192.168.15.29 255.255.255.252
!
router eigrp 64
 redistribute eigrp 65 metric 1000 100 255 1 1500 route-map Branch_Networks
 passive-interface FastEthernet0/1.90
 network 10.0.0.0
 no auto-summary
 eigrp stub connected redistributed
!
router eigrp 65
 redistribute eigrp 64 metric 1000 100 255 1 1500 route-map DEFAULT
 network 192.168.15.0 0.0.0.63
 no auto-summary
 !
 address-family ipv4 vrf IPVS
  redistribute static metric 1000 10 255 1 1500 route-map COMMAND_CENTER
  offset-list 0 out 1000
  network 192.168.15.64 0.0.0.63
  network 192.168.15.192 0.0.0.63
  distribute-list route-map Branch_Net_vrf_IPVS_RT in
  no auto-summary
  autonomous-system 65
 exit-address-family
!
ip forward-protocol nd
ip route 10.81.0.27 255.255.255.255 172.26.156.1 name rtp5-esevpn-ios-ca
ip route 10.81.7.56 255.255.255.252 10.81.7.163 name ASA5510
ip route 10.81.254.0 255.255.255.0 172.26.156.1 name NTP_Servers
ip route 64.102.223.16 255.255.255.240 172.26.156.1 name cryptHE
ip route vrf IPVS 10.81.7.0 255.255.255.0 192.168.15.99 name ASA5510_PAT
ip route vrf IPVS 192.0.2.128 255.255.255.224 192.168.15.99 name ASA5510
ip route vrf IPVS 192.168.15.64 255.255.255.248 192.168.15.99 name VPN3080_pool
no ip http server
no ip http secure-server
!
!
!
ip access-list standard Branch_Net_vrf_IPVS_RT
 permit 192.0.2.0 0.0.0.255
ip access-list standard DEFAULT
 permit 0.0.0.0
!
!
!
ip prefix-list Branch_Net_vrf_IPVS_RT seq 132 permit 192.168.111.0/24
ip prefix-list Branch_Net_vrf_IPVS_RT seq 142 permit 192.168.11.0/24
ip prefix-list Branch_Net_vrf_IPVS_RT seq 152 permit 192.168.211.0/24
!
ip prefix-list Branch_Networks seq 130 permit 10.81.7.152/29
ip prefix-list Branch_Networks seq 131 permit 192.0.2.0/27
ip prefix-list Branch_Networks seq 132 permit 192.168.111.0/24
ip prefix-list Branch_Networks seq 140 permit 10.81.7.0/29
ip prefix-list Branch_Networks seq 141 permit 192.0.2.64/26
ip prefix-list Branch_Networks seq 142 permit 192.168.11.0/24
ip prefix-list Branch_Networks seq 150 permit 10.81.7.88/29
ip prefix-list Branch_Networks seq 151 permit 192.0.2.32/27
ip prefix-list Branch_Networks seq 152 permit 192.168.211.0/24
!
ip prefix-list COMMAND_CENTER seq 100 permit 192.0.2.128/25
ip prefix-list COMMAND_CENTER seq 101 permit 10.81.7.0/24
ip prefix-list COMMAND_CENTER seq 102 permit 192.168.15.64/29
logging alarm informational
!
!
!
route-map Branch_Net_vrf_IPVS_RT permit 10
 match ip address prefix-list Branch_Net_vrf_IPVS_RT
 set tag 5011
!
route-map Branch_Net_vrf_IPVS_RT permit 20
 match ip address Branch_Net_vrf_IPVS_RT
 set tag 5011
!
route-map COMMAND_CENTER permit 10
 match ip address prefix-list COMMAND_CENTER
 set tag 2128
!
route-map Branch_Networks permit 10
 match ip address prefix-list Branch_Networks
 set tag 5010
!
route-map DEFAULT permit 10
 match ip address DEFAULT
!
control-plane
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport output all
 stopbits 1
line aux 0
 transport output all
 stopbits 1
line vty 0 4
 password 7 [removed]
 login
 transport input all
 transport output all
!
ntp clock-period 17179966
ntp master 12
ntp update-calendar
ntp server 10.81.254.202
ntp server 10.81.254.131
!
end
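
An added example, not part of the original guide: a short Python audit that parses an IOS-style listing such as the ones in this chapter and reports legacy crypto and management-plane settings, including transform sets that are defined but never referenced by an IPsec profile. The rule list and function names are this example's own assumptions, and the sample is a trimmed copy of lines from the vpn-jk2-7206-2 listing.

```python
import re

# Constructed sample: lines copied from the vpn-jk2-7206-2 listing above,
# trimmed to the stanzas the checks look at.
SAMPLE_CONFIG = """\
no aaa new-model
crypto pki trustpoint rtp5-esevpn-ios-ca
 revocation-check none
!
crypto isakmp policy 100
 encr 3des
 group 2
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set AES_SHA_TUNNEL esp-aes esp-sha-hmac
crypto ipsec transform-set AES_SHA_TRANSPORT esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPVS_Branches_ipsec_profile
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL
 set isakmp-profile IPVS_Branches_isakmp_profile
!
no ip http server
line vty 0 4
 password 7 [removed]
 login
 transport input all
!
end
"""

# Hypothetical rule set for this example:
# (parent regex, child regex or None to test the parent line itself, finding)
RULES = [
    (r"^no aaa new-model$", None, "AAA is disabled"),
    (r"^service (tcp|udp)-small-servers$", None, "small servers enabled"),
    (r"^ip finger$", None, "finger service enabled"),
    (r"^ip http server$", None, "cleartext HTTP management server enabled"),
    (r"^crypto pki trustpoint ", r"^revocation-check none$",
     "peer certificates are not checked for revocation"),
    (r"^crypto isakmp policy ", r"^encr 3des$", "IKE policy uses 3DES"),
    (r"^crypto isakmp policy ", r"^group 2$",
     "IKE policy uses 1024-bit DH group 2"),
    (r"^line (con|vty) ", r"^exec-timeout 0 0$",
     "idle sessions never time out"),
    (r"^line vty ", r"^transport input all$",
     "vty accepts Telnet as well as SSH"),
]


def parse_sections(text):
    """Group an IOS-style listing into (top-level line, [indented lines])."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or '!' separator/comment
        if raw[0] in " \t" and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(text):
    """Return a list of 'stanza: finding' strings for one configuration."""
    sections = parse_sections(text)
    findings = []
    for parent, children in sections:
        for parent_re, child_re, message in RULES:
            if not re.search(parent_re, parent):
                continue
            if child_re is None or any(re.search(child_re, c) for c in children):
                findings.append(f"{parent}: {message}")

    # Map each transform set to its transforms, then see which sets the
    # IPsec profiles actually offer to peers.
    transforms = {}
    for parent, _ in sections:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", parent)
        if m:
            transforms[m.group(1)] = m.group(2).split()
    used = set()
    for parent, children in sections:
        if not parent.startswith("crypto ipsec profile "):
            continue
        for child in children:
            if child.startswith("set transform-set "):
                names = child.split()[2:]
                used.update(names)
                weak = [n for n in names if "esp-3des" in transforms.get(n, [])]
                if weak:
                    findings.append(f"{parent}: offers 3DES via {', '.join(weak)}")
    for name in sorted(set(transforms) - used):
        findings.append(f"crypto ipsec transform-set {name}: "
                        "defined but not referenced by any ipsec profile")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The transform-set check only follows `crypto ipsec profile` references, which is how the listings in this chapter attach them; a configuration that uses crypto maps would need that reference added.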

vpn-jk2-asa5510-1

This configuration is for the firewall shown in the topology diagram.


: Saved
: Written by enable_15 at 13:55:41.021 edt Tue Aug 4 2009
!
ASA Version 8.0(4) 
!
hostname vpn-jk2-asa5510-1
domain-name ese.cisco.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd [removed] encrypted
names
dns-guard
!
interface Ethernet0/0
 description Campus_IPVS VLAN 220
 speed 100
 duplex full
 nameif Campus_IPVS
 security-level 70
 ip address 192.0.2.129 255.255.255.224 
!
interface Ethernet0/1
 description DMZ_IPVS VLAN 91
 speed 100
 duplex full
 nameif DMZ_IPVS
 security-level 50
 ip address 192.168.15.99 255.255.255.248 
!
interface Ethernet0/2
 description DMZ_Global VLAN 90
 speed 100
 duplex full
 nameif DMZ_Global
 security-level 10
 ip address 10.81.7.163 255.255.255.248 
!
interface Ethernet0/3
 description DMZ for VPN3080
 speed 100
 duplex full
 nameif DMZ_VPN3080
 security-level 20
 ip address 10.81.7.58 255.255.255.252 
!
interface Management0/0
 description FlashNET
 speed 100
 duplex full
 nameif FlashNET
 security-level 0
 ip address 172.26.156.3 255.255.254.0 
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time edt recurring
dns server-group DefaultDNS
 domain-name ese.cisco.com
access-list MANAGEMENT extended permit tcp 10.81.7.0 255.255.255.0 interface FlashNET 
access-list IPVS-CC extended permit udp any 192.0.2.128 255.255.255.224 eq syslog 
access-list IPVS-CC extended permit udp any host 192.0.2.139 eq snmptrap 
access-list IPVS-CC extended permit udp any host 192.0.2.139 eq 7777 
access-list IPVS-CC extended permit tcp 192.0.2.0 255.255.255.0 any eq www 
access-list INBOUND extended permit esp any host 10.81.7.57 
access-list INBOUND extended permit udp any host 10.81.7.57 eq isakmp 
access-list INBOUND extended permit udp any host 10.81.7.57 eq 4500 
access-list INBOUND extended permit icmp any host 10.81.7.57 
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu Campus_IPVS 1500
mtu DMZ_IPVS 1500
mtu DMZ_Global 1500
mtu DMZ_VPN3080 1500
mtu FlashNET 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Campus_IPVS
icmp permit any DMZ_IPVS
icmp permit any DMZ_Global
icmp permit any DMZ_VPN3080
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (DMZ_Global) 1 interface
nat (Campus_IPVS) 1 192.0.2.128 255.255.255.224
static (DMZ_VPN3080,DMZ_Global) 192.168.15.56 192.168.15.56 netmask 255.255.255.252 
static (Campus_IPVS,DMZ_IPVS) 192.0.2.128 192.0.2.128 netmask 255.255.255.224 
static (Campus_IPVS,DMZ_IPVS) 192.168.15.64 192.168.15.64 netmask 255.255.255.248 
access-group IPVS-CC in interface DMZ_IPVS
access-group INBOUND in interface DMZ_Global
access-group MANAGEMENT in interface FlashNET control-plane
route DMZ_Global 0.0.0.0 0.0.0.0 10.81.7.166 1
route FlashNET 172.16.0.0 255.240.0.0 172.26.156.1 1
route DMZ_IPVS 192.0.2.0 255.255.255.0 192.168.15.102 1
route DMZ_IPVS 192.168.11.0 255.255.255.0 192.168.15.102 1
route Campus_IPVS 192.168.15.64 255.255.255.248 192.0.2.136 1
route DMZ_IPVS 192.168.111.0 255.255.255.0 192.168.15.102 1
route DMZ_IPVS 192.168.211.0 255.255.255.0 192.168.15.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.26.156.0 255.255.254.0 FlashNET
http 10.81.7.0 255.255.255.0 FlashNET
snmp-server location ESE Lab
snmp-server contact joel.king@cisco.com
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.81.7.176 255.255.255.248 FlashNET
telnet 172.26.156.0 255.255.254.0 FlashNET
telnet timeout 60
ssh 10.81.7.0 255.255.255.0 FlashNET
ssh 172.26.156.0 255.255.254.0 FlashNET
ssh timeout 60
console timeout 0
dhcpd dns 64.102.6.247
dhcpd wins 64.102.6.247
dhcpd lease 28880
dhcpd domain ese.cisco.com
dhcpd option 3 ip 192.0.2.129
!
dhcpd address 192.0.2.140-192.0.2.150 Campus_IPVS
dhcpd enable Campus_IPVS
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.81.7.162
ntp server 10.81.7.161
ssl encryption rc4-sha1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:3d4d4e2f06d5a11ff2dd5d5643e862f5
: end

vpn1-2851-1

This configuration is for the branch 2851 model router shown in the topology diagram.

!
! Last configuration change at 13:26:29 edt Tue Aug 4 2009
! NVRAM config last updated at 13:27:56 edt Tue Aug 4 2009
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname vpn1-2851-1
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable secret 5 [removed]
!
no aaa new-model
clock timezone est -5
clock summer-time edt recurring
!
crypto pki trustpoint rtp5-esevpn-ios-ca
 enrollment url http://rtp5-esevpn-ios-ca:80
 revocation-check none
 source interface Vlan1
!
!
crypto pki certificate chain rtp5-esevpn-ios-ca
 certificate 0F
  3082023B 308201A4 A0030201 0202010F 300D0609 2A864886 F70D0101 04050030 
  32C8325C 8DF24E4B D16823BA AF45A2F8 A6AA3C9C 8E33E400 CBAE2184 09F267
  	quit
 certificate ca 01
  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030  
  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E
  	quit
dot11 syslog
!
!
ip cef
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.111.1 192.168.111.149
ip dhcp excluded-address 192.0.2.17 192.0.2.19
!
ip dhcp pool CAMERAS
   vrf IPVS
   network 192.0.2.16 255.255.255.240
   default-router 192.0.2.17 
   dns-server 64.102.6.247 171.68.226.120 
   domain-name cisco.com
!
ip dhcp pool iSCSI-temp
   network 192.168.111.0 255.255.255.0
   default-router 192.168.111.1 
   domain-name cisco.com
!
!
ip vrf IPVS
 rd 100:10
 route-target export 100:10
 route-target import 100:10
!
no ip domain lookup
ip host harry 172.26.129.252
ip host rtp5-esevpn-ios-ca 10.81.0.27
ip multicast-routing 
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
username joeking privilege 15 secret 5 [removed]
! 
!
crypto isakmp policy 120
 encr 3des
 group 2
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
crypto isakmp profile IPVS_Branches_isakmp_profile
   self-identity fqdn
   ca trust-point rtp5-esevpn-ios-ca
   match identity address 192.168.15.40 255.255.255.255 
   keepalive 10 retry 2
crypto isakmp profile IPVS_Branches_isakmp_profile_2
   self-identity fqdn
   ca trust-point rtp5-esevpn-ios-ca
   match identity address 192.168.15.41 255.255.255.255 
   keepalive 10 retry 2
!
!
crypto ipsec transform-set AES_SHA_TUNNEL esp-aes esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set AES_SHA_TRANSPORT esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPVS_Branches_ipsec_profile
 description IPVS_Branches_ipsec_profile
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 set isakmp-profile IPVS_Branches_isakmp_profile
!
crypto ipsec profile IPVS_Branches_ipsec_profile_2
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 set isakmp-profile IPVS_Branches_isakmp_profile_2
!
!
archive
 log config
  hidekeys
!
!
ip finger
!
class-map match-any GOLD
 match ip dscp cs2  cs3  cs6  cs7 
 match ip dscp af41  af42  af43 
 match ip dscp af31  af32  af33 
class-map match-all TELEPRESENCE
 match ip dscp cs4 
class-map match-any LOW-LATENCY-DATA
 match ip dscp af21  af22  af23 
class-map match-any BRONZE
 match ip dscp af11  af12  af13 
 match ip dscp cs1 
class-map match-any HIGH-THROUGHPUT-DATA
 match ip dscp af11  af12  af13 
class-map match-any VMSS
 match access-group name HTTP
class-map match-all BROADCAST-VIDEO
 match ip dscp cs5 
class-map match-all NETWORK-CONTROL
 match ip dscp cs6 
class-map match-any MULTIMEDIA-CONFERENCING
 match ip dscp af41  af42  af43 
class-map match-all OAM
 match ip dscp cs2 
class-map match-all FOO
class-map match-any REAL_TIME
 match ip dscp cs5 
 match ip dscp cs4 
 match ip dscp ef 
class-map match-all VOICE
 match ip dscp ef 
class-map match-all SCAVENGER
 match ip dscp cs1 
class-map match-any CALL-SIGNALING
 match ip dscp cs3 
class-map match-any MULTIMEDIA-STREAMING
 match ip dscp af31  af32  af33 
!
!
policy-map IPVS_BRANCH
 class BROADCAST-VIDEO
  bandwidth percent 40
 class VOICE
  priority percent 10
 class LOW-LATENCY-DATA
  bandwidth percent 4
 class HIGH-THROUGHPUT-DATA
  bandwidth percent 4
 class MULTIMEDIA-CONFERENCING
  bandwidth percent 4
 class SCAVENGER
  bandwidth percent 1
 class OAM
  bandwidth percent 1
 class NETWORK-CONTROL
  bandwidth percent 1
 class CALL-SIGNALING
  bandwidth percent 1
 class class-default
  fair-queue
policy-map UPLINK_50M
 class class-default
  shape average 50000000
  service-policy IPVS_BRANCH
policy-map INGRESS_VMSS
 class VMSS
  set ip dscp cs5
 class class-default
  set ip dscp cs3
policy-map PER_CLASS_SHAPING
 class REAL_TIME
  set cos 5
    police 40000000 conform-action transmit  exceed-action transmit 
 class GOLD
  shape average 2500000
  set cos 6
 class BRONZE
  shape average 2500000
  set cos 1
 class class-default
  set cos 0
  shape average 5000000
policy-map 30M
 class class-default
  shape average 30000000
  service-policy IPVS_BRANCH
!
!
interface Tunnel128
 ip vrf forwarding IPVS
 ip address 192.168.15.130 255.255.255.192
 ip mtu 1400
 ip nhrp authentication FOO
 ip nhrp map 192.168.15.129 192.168.15.40
 ip nhrp map multicast 192.168.15.40
 ip nhrp network-id 128
 ip nhrp nhs 192.168.15.129
 ip summary-address eigrp 65 192.0.2.0 255.255.255.224 5
 tunnel source GigabitEthernet0/1.332
 tunnel destination 192.168.15.40
 tunnel key 128
 tunnel protection ipsec profile IPVS_Branches_ipsec_profile
!
interface Tunnel192
 ip vrf forwarding IPVS
 ip address 192.168.15.194 255.255.255.192
 ip mtu 1400
 ip nhrp authentication FOO
 ip nhrp map multicast 192.168.15.41
 ip nhrp map 192.168.15.193 192.168.15.41
 ip nhrp network-id 192
 ip nhrp nhs 192.168.15.193
 ip summary-address eigrp 65 192.0.2.0 255.255.255.224 5
 tunnel source GigabitEthernet0/1.331
 tunnel destination 192.168.15.41
 tunnel key 192
 tunnel protection ipsec profile IPVS_Branches_ipsec_profile_2
!
interface GigabitEthernet0/0
 description Inside
 no ip address
 ip flow ingress
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.204
 description Inside
 encapsulation dot1Q 204
 ip address 10.81.7.153 255.255.255.248
 ip flow ingress
!
interface GigabitEthernet0/0.206
 description VLAN 206 for IP Cameras
 encapsulation dot1Q 206
 ip vrf forwarding IPVS
 ip address 192.0.2.17 255.255.255.240
 ip flow ingress
!
interface GigabitEthernet0/1
 description Outside
 no ip address
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.130
 description To vpn-jk3-2651xm-4 Primary WAN
 bandwidth 30000
 encapsulation dot1Q 130
 ip address dhcp
!
interface GigabitEthernet0/1.254
 description iSCSI Management Subnet
 encapsulation dot1Q 254
 ip vrf forwarding IPVS
 ip address 192.168.111.1 255.255.255.0
!
interface GigabitEthernet0/1.331
 encapsulation dot1Q 331
 ip address 192.168.15.22 255.255.255.252
 service-policy output 30M
!
interface GigabitEthernet0/1.332
 encapsulation dot1Q 332
 ip address 192.168.15.46 255.255.255.252
 service-policy output PER_CLASS_SHAPING
!
interface FastEthernet0/3/0
 duplex full
 speed 100
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Integrated-Service-Engine1/0
 ip vrf forwarding IPVS
 ip address 192.0.2.1 255.255.255.252
 ip flow ingress
 load-interval 30
 service-module external ip address 192.168.111.2 255.255.255.0
 service-module ip address 192.0.2.2 255.255.255.252
 service-module ip default-gateway 192.0.2.1
 no keepalive
 service-policy input INGRESS_VMSS
!
interface Video-Service-Engine2/0
 ip vrf forwarding IPVS
 ip address 192.0.2.5 255.255.255.252
 ip flow ingress
 service-module ip address 192.0.2.6 255.255.255.252
 service-module ip default-gateway 192.0.2.5
 no keepalive
!
interface Vlan1
 description Flashnet
 ip address 172.26.156.51 255.255.254.0
 no ip proxy-arp
!
router eigrp 65
 network 10.81.7.152 0.0.0.7
 network 192.168.15.0 0.0.0.63
 no auto-summary
 !
 address-family ipv4 vrf IPVS
  network 192.0.2.0 0.0.0.31
  network 192.168.15.128 0.0.0.63
  network 192.168.15.192 0.0.0.63
  network 192.168.111.0
  no auto-summary
  autonomous-system 65
 exit-address-family
!
ip forward-protocol nd
ip route 10.81.0.27 255.255.255.255 172.26.156.1 name rtp5-esevpn-ios-ca
ip route 172.26.0.0 255.255.0.0 172.26.156.1 name Miles
ip route 192.168.15.40 255.255.255.255 192.168.15.45 name vpn-jk2-7206-1_Loopback_0
ip route 192.168.15.41 255.255.255.255 192.168.15.21 name vpn-jk2-7206-2_Loopback_0
ip route 64.102.223.16 255.255.255.240 dhcp
ip route 192.5.41.40 255.255.255.254 dhcp
!
ip flow-cache timeout active 1
ip flow-export version 5
ip flow-export destination 172.26.157.11 7777
!
ip http server
ip http secure-server
no ip pim dm-fallback
ip pim autorp listener
!
ip access-list extended HTTP
 permit tcp host 192.0.2.2 eq www any
ip access-list extended VSOM
 permit tcp host 192.0.2.2 eq www 192.168.16.0 0.0.15.255
 permit tcp host 192.0.2.2 eq 443 192.168.16.0 0.0.15.255
!
!
ip prefix-list CAMPUS seq 5 permit 192.168.16.0/20
ip sla responder
ip sla 219
 icmp-echo 192.0.2.19
 tos 192
 threshold 50
 vrf IPVS
 owner networkmgr
 tag ipvs - design guide
 frequency 64
 history lives-kept 1
 history buckets-kept 60
 history filter failures
ip sla schedule 219 life forever start-time now
logging 172.26.157.11
snmp-server enable traps tty
!
!
control-plane
!
!
banner exec 

  C i s c o S y s t e m s
     ||               ||
     ||               ||       Cisco Systems, Inc.
    ||||             ||||      IT-Transport
 .:|||||||:.......:|||||||:..
  US, Asia & Americas support:    + 1 408 526 8888
 EMEA support:                   + 31 020 342 3888
  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
 You must have explicit permission to access or configure this
 device. All activities performed on this device are logged and
 violations of this policy may result in disciplinary action.
Questions regarding this device should be directed to
xxxxxxx

banner motd 
=
==
=== Site 130   === vpn1-2851-1
==
=

alias exec analog service-module Video-Service-Engine2/0 session
!
line con 0
 exec-timeout 0 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 130
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 exec-timeout 0 0
 password 7 [removed]
 login local
!
scheduler allocate 20000 1000
ntp clock-period 17180366
ntp source GigabitEthernet0/0.206
ntp master 12
ntp server 192.168.4.1 source GigabitEthernet0/1.130
ntp server 10.81.254.202 source GigabitEthernet0/0.204
ntp server 10.81.254.131 source GigabitEthernet0/0.204
!
end

vpn1-3845-1

This configuration is for the branch 3845 model router shown in the topology diagram.



!
! Last configuration change at 13:21:52 edt Tue Aug 4 2009
! NVRAM config last updated at 13:23:50 edt Tue Aug 4 2009
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname vpn1-3845-1
!
boot-start-marker
boot system flash flash:c3845-adventerprisek9-mz.124-15.T5
boot system flash flash:c3845-adventerprisek9-mz.124-22.T
boot-end-marker
!
logging buffered 2000000
enable secret 5 [removed]
!
no aaa new-model
clock timezone est -5
clock summer-time edt recurring
dot11 syslog
ip wccp 61
ip wccp 62
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 192.0.2.97 192.0.2.102
!
ip dhcp pool ENTERPRISE
   network 10.81.7.0 255.255.255.248
   default-router 10.81.7.1 
   dns-server 64.102.6.247 171.68.226.120 
   domain-name ese.cisco.com
   netbios-name-server 171.68.235.228 171.68.235.229 
!
ip dhcp pool CAMERAS
   vrf IPVS
   network 192.0.2.96 255.255.255.224
   default-router 192.0.2.97 
   dns-server 64.102.6.247 171.68.226.120 
   domain-name ese.cisco.com
!
!
ip vrf IPVS
 rd 100:10
 route-target export 100:10
 route-target import 100:10
!
no ip domain lookup
ip domain name ese.cisco.com
ip host rtp5-esevpn-ios-ca 10.81.0.27
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp-client default-router distance 239
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
!
!
key chain PURPLE
 key 10
   key-string 7 00[removed]00
!
!
!
oer master
 policy-rules LOSS
 shutdown
 logging
 !
 border 192.168.0.1 key-chain PURPLE
  interface GigabitEthernet0/1.250 internal
  interface GigabitEthernet0/1.210 internal
  interface GigabitEthernet0/1.294 external
  interface GigabitEthernet0/1.293 external
  interface Integrated-Service-Engine3/0 internal
 !
 learn
  throughput
  delay
  periodic-interval 0
  monitor-period 1
  expire after time 30
  aggregation-type prefix-length 29
 no max range receive
 delay threshold 80
 mode route control
 mode select-exit best
!
oer border
 local Loopback0
 master 192.168.0.1 key-chain PURPLE
!
crypto pki trustpoint rtp5-esevpn-ios-ca
 enrollment url http://rtp5-esevpn-ios-ca:80
 revocation-check none
 source interface Vlan1
!
!
crypto pki certificate chain rtp5-esevpn-ios-ca
 certificate 0E
  3082023B 308201A4 A0030201 0202010E 300D0609 2A864886 F70D0101 04050030 
  DE5E201F F1A6CB47 D57C7260 70BE64AD 78656E15 A2EB7E43 9D969FB5 C4233B
  	quit
 certificate ca 01
  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E
  	quit
!
!
username joeking privilege 15 secret 5 [removed]
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 100
 encr 3des
 group 2
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
crypto isakmp profile DMVPN_IKE_PROFILE
   description DMVPN Profile
   self-identity fqdn
   ca trust-point rtp5-esevpn-ios-ca
   match identity address 64.102.223.24 255.255.255.255 
   keepalive 10 retry 2
crypto isakmp profile DMVPN_IKE_PROFILE_2
   description DMVPN Profile
   self-identity fqdn
   ca trust-point rtp5-esevpn-ios-ca
   match identity address 64.102.223.25 255.255.255.255 
   keepalive 10 retry 2
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN_IPSEC_PROFILE
 set transform-set 3DES_SHA_TRANSPORT 
 set isakmp-profile DMVPN_IKE_PROFILE
!
crypto ipsec profile DMVPN_IPSEC_PROFILE_2
 set transform-set 3DES_SHA_TRANSPORT 
 set isakmp-profile DMVPN_IKE_PROFILE_2
!
ip finger
!
class-map match-any LOW-LATENCY-DATA
 match ip dscp af21  af22  af23 
class-map match-any HIGH-THROUGHPUT-DATA
 match ip dscp af11  af12  af13 
class-map match-all BROADCAST-VIDEO
 match ip dscp cs5 
class-map match-all NETWORK-CONTROL
 match ip dscp cs6 
class-map match-any MULTIMEDIA-CONFERENCING
 match ip dscp af41  af42  af43 
class-map match-all OAM
 match ip dscp cs2 
class-map match-all VOICE
 match ip dscp ef 
class-map match-all SCAVENGER
 match ip dscp cs1 
class-map match-any CALL-SIGNALING
 match ip dscp cs3 
!
!
policy-map DATA
 class class-default
  fair-queue
  random-detect
policy-map IPVS_BRANCH
 class BROADCAST-VIDEO
  bandwidth percent 40
 class VOICE
  priority percent 10
 class LOW-LATENCY-DATA
  bandwidth percent 4
 class HIGH-THROUGHPUT-DATA
  bandwidth percent 4
 class MULTIMEDIA-CONFERENCING
  bandwidth percent 4
 class SCAVENGER
  bandwidth percent 1
 class OAM
  bandwidth percent 1
 class NETWORK-CONTROL
  bandwidth percent 1
 class CALL-SIGNALING
  bandwidth percent 1
 class class-default
  fair-queue
policy-map 30M
 class class-default
  shape average 30000000
  service-policy IPVS_BRANCH
!
policy-map 2M
 class class-default
  shape average 2000000
  service-policy DATA
!
!
interface Loopback0
 description for OER peering
 ip address 192.168.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex full
 speed 100
 media-type rj45
!
interface GigabitEthernet0/1
 description Trunk
 no ip address
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.140
 description WAN
 encapsulation dot1Q 140
 ip address dhcp
!
interface GigabitEthernet0/1.210
 description IP Camera VLAN
 encapsulation dot1Q 210
 ip vrf forwarding IPVS
 ip address 192.0.2.97 255.255.255.224
!
interface GigabitEthernet0/1.250
 description INSIDE VLAN
 encapsulation dot1Q 250
 ip address 10.81.7.1 255.255.255.248
!
interface GigabitEthernet0/1.256
 description management interface for iSCSI
 encapsulation dot1Q 256
 ip vrf forwarding IPVS
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1.293
 description To vpn-jk2-7206-1 for PfR
 encapsulation dot1Q 293
 ip address 192.168.15.6 255.255.255.252
 shutdown
!
interface GigabitEthernet0/1.294
 description To vpn-jk2-7206-1 for PfR
 encapsulation dot1Q 294
 ip address 192.168.15.2 255.255.255.252
 shutdown
!
interface GigabitEthernet0/1.340
 encapsulation dot1Q 340
 ip address 192.168.15.14 255.255.255.252
 service-policy output 2M
!
interface GigabitEthernet0/1.341
 encapsulation dot1Q 341
 ip address 192.168.15.26 255.255.255.252
 service-policy output 2M
!
interface GigabitEthernet0/1.342
 encapsulation dot1Q 342
 ip vrf forwarding IPVS
 ip address 192.168.15.78 255.255.255.252
 ip summary-address eigrp 65 192.0.2.64 255.255.255.192 5
 service-policy output 30M
!
interface GigabitEthernet0/1.343
 encapsulation dot1Q 343
 ip vrf forwarding IPVS
 ip address 192.168.15.90 255.255.255.252
 ip summary-address eigrp 65 192.0.2.64 255.255.255.192 5
 service-policy output 30M
!
interface FastEthernet1/0
 description connection to Flashnet
 duplex full
 speed 100
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface GigabitEthernet1/0
 shutdown
!
interface Integrated-Service-Engine2/0
 description NME-WAE-522-K9
 ip address 192.0.2.69 255.255.255.252
 ip wccp redirect exclude in
 service-module ip address 192.0.2.70 255.255.255.252
 service-module ip default-gateway 192.0.2.69
 no keepalive
!
interface Integrated-Service-Engine3/0
 description NME-VMSS-HP32 ip wccp 61 red in 62 red out
 ip vrf forwarding IPVS
 ip address 192.0.2.64 255.255.255.254
 ip nbar protocol-discovery
 ip flow ingress
 ip route-cache flow
 load-interval 30
 service-module external ip address 192.168.11.2 255.255.255.0
 service-module ip address 192.0.2.65 255.255.255.254
 service-module ip default-gateway 192.0.2.64
 no keepalive
!
interface Vlan1
 ip address 172.26.156.53 255.255.254.0
 no ip proxy-arp
!
router eigrp 65
 network 10.81.7.0 0.0.0.7
 network 192.168.15.0 0.0.0.63
 no auto-summary
 !
 address-family ipv4 vrf IPVS
  network 192.0.2.64 0.0.0.63
  network 192.168.11.0
  network 192.168.15.64 0.0.0.63
  no auto-summary
  autonomous-system 65
 exit-address-family
!
ip forward-protocol nd
ip route 192.168.16.0 255.255.240.0 192.168.15.1 230 name OER_Parent
ip route 192.168.16.0 255.255.240.0 192.168.15.5 230 name OER_Parent
ip route 192.168.32.0 255.255.224.0 192.168.15.1 230 name OER_Parent
ip route 192.168.32.0 255.255.224.0 192.168.15.5 230 name OER_Parent
ip route 64.102.223.16 255.255.255.240 dhcp
!
ip flow-cache timeout active 1
ip flow-export source Integrated-Service-Engine3/0
ip flow-export version 5
ip flow-export destination 172.26.157.11 7777
!
no ip http server
no ip http secure-server
!
!
ip prefix-list CAMPUS seq 5 permit 192.168.16.0/20
ip sla responder
ip sla 293
 udp-jitter 192.168.15.5 14216 source-ip 192.168.15.6 codec g729a codec-numpackets 50
 tos 184
 timeout 500
 owner joeking
 tag VERIFICATION for Vlan 293
ip sla schedule 293 life forever start-time now
ip sla 294
 udp-jitter 192.168.15.1 14214 source-ip 192.168.15.2 codec g729a codec-numpackets 50
 tos 184
 timeout 500
 owner joeking
 tag VERIFICATION for Vlan 294
ip sla schedule 294 life forever start-time now
snmp-server enable traps tty
!
!
!
oer-map LOSS 10
 match traffic-class prefix-list CAMPUS
 set mode select-exit best
 set mode route control
 set mode monitor fast
 set resolve loss priority 1 variance 10
 set resolve delay priority 2 variance 10
 set loss relative 100
 set active-probe jitter 192.168.16.1 target-port 32014 codec g729a
 set probe frequency 10
!
control-plane
!
!
!
line con 0
 exec-timeout 120 0
line aux 0
line 130
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 194
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 login local
!
scheduler allocate 20000 1000
ntp clock-period 17180273
ntp source Integrated-Service-Engine3/0
ntp master 12
ntp server 10.81.254.202 source Vlan1
ntp server 10.81.254.131 source Vlan1
!
end

vpn4-3800-6

This configuration is for the branch 3825 model router shown in the topology diagram.

! ================= vpn4-3800-6  ==================================
!
! Last configuration change at 13:33:32 edt Tue Aug 4 2009
! NVRAM config last updated at 13:35:16 edt Tue Aug 4 2009
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname vpn4-3800-6
!
boot-start-marker
boot-end-marker
!
enable secret 5 [removed]
!
no aaa new-model
clock timezone est -5
clock summer-time edt recurring
dot11 syslog
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.211.1 192.168.211.149
ip dhcp excluded-address 192.0.2.52
!
ip dhcp pool cameras
   vrf IPVS
   network 192.0.2.48 255.255.255.240
   default-router 192.0.2.49 
   domain-name ese.cisco.com
   dns-server 64.102.6.247 171.68.226.120 
!
ip dhcp pool iSCSI-temp
   network 192.168.211.0 255.255.255.0
   default-router 192.168.211.1 
   domain-name cisco.com
!
!
ip vrf IPVS
 rd 100:10
 route-target export 100:10
 route-target import 100:10
!
ip host rtp5-esevpn-ios-ca 10.81.0.27
ip host harry 172.26.129.252
ip multicast-routing 
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
!
!
crypto pki trustpoint rtp5-esevpn-ios-ca
 enrollment url http://rtp5-esevpn-ios-ca:80
 revocation-check none
!
!
crypto pki certificate chain rtp5-esevpn-ios-ca
 certificate 13
  3082023B 308201A4 A0030201 02020113 300D0609 2A864886 F70D0101 04050030 
  6C240A83 ADF2674E D83B7BEF 59A04BC8 A0474C0C 492CAD79 2713CCFA 1783F4
  	quit
 certificate ca 01
  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  A9C7FB7B F68000AE 7C8FABF5 24279B82 8A394A91 4DF83555 D2C9D52E 84779C37 
  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E
  	quit
!
!
username joeking privilege 15 secret 5 vpn4-3800-6
username test password 7 vpn4-3800-6
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 100
 encr 3des
 group 2
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
crypto isakmp profile IPVS_Branches_isakmp_profile
   self-identity fqdn
   ca trust-point rtp5-esevpn-ios-ca
   match identity address 192.168.15.40 255.255.255.255 
   keepalive 10 retry 2
crypto isakmp profile IPVS_Branches_isakmp_profile_2
   self-identity fqdn
   ca trust-point rtp5-esevpn-ios-ca
   match identity address 192.168.15.41 255.255.255.255 
   keepalive 10 retry 2
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set AES_SHA_TUNNEL esp-aes esp-sha-hmac 
crypto ipsec transform-set AES_SHA_TRANSPORT esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPVS_Branches_ipsec_profile
 description IPVS_Branches_ipsec_profile
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 set isakmp-profile IPVS_Branches_isakmp_profile
!
crypto ipsec profile IPVS_Branches_ipsec_profile_2
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 set isakmp-profile IPVS_Branches_isakmp_profile_2
!
!
!
!
ip finger
!
class-map match-any LOW-LATENCY-DATA
 match ip dscp af21  af22  af23 
class-map match-any HIGH-THROUGHPUT-DATA
 match ip dscp af11  af12  af13 
class-map match-all BROADCAST-VIDEO
 match ip dscp cs5 
class-map match-all NETWORK-CONTROL
 match ip dscp cs6 
class-map match-any MULTIMEDIA-CONFERENCING
 match ip dscp af41  af42  af43 
class-map match-all OAM
 match ip dscp cs2 
class-map match-all VOICE
 match ip dscp ef 
class-map match-all SCAVENGER
 match ip dscp cs1 
class-map match-any CALL-SIGNALING
 match ip dscp cs3 
!
!
policy-map IPVS_BRANCH
 class BROADCAST-VIDEO
  bandwidth percent 40
 class VOICE
  priority percent 10
 class LOW-LATENCY-DATA
  bandwidth percent 4
 class HIGH-THROUGHPUT-DATA
  bandwidth percent 4
 class MULTIMEDIA-CONFERENCING
  bandwidth percent 4
 class SCAVENGER
  bandwidth percent 1
 class OAM
  bandwidth percent 1
 class NETWORK-CONTROL
  bandwidth percent 1
 class CALL-SIGNALING
  bandwidth percent 1
 class class-default
  fair-queue
policy-map 30M
 class class-default
  shape average 30000000
  service-policy IPVS_BRANCH
!
!
interface Tunnel128
 ip vrf forwarding IPVS
 ip address 192.168.15.131 255.255.255.192
 ip mtu 1400
 ip nhrp authentication FOO
 ip nhrp map 192.168.15.129 192.168.15.40
 ip nhrp map multicast 192.168.15.40
 ip nhrp network-id 128
 ip nhrp nhs 192.168.15.129
 ip summary-address eigrp 65 192.0.2.32 255.255.255.224 5
 tunnel source GigabitEthernet0/0.352
 tunnel destination 192.168.15.40
 tunnel key 128
 tunnel protection ipsec profile IPVS_Branches_ipsec_profile
!
interface Tunnel192
 ip vrf forwarding IPVS
 ip address 192.168.15.195 255.255.255.192
 ip mtu 1400
 ip nhrp authentication FOO
 ip nhrp map 192.168.15.193 192.168.15.41
 ip nhrp map multicast 192.168.15.41
 ip nhrp network-id 192
 ip nhrp nhs 192.168.15.193
 ip summary-address eigrp 65 192.0.2.32 255.255.255.224 5
 tunnel source GigabitEthernet0/0.351
 tunnel destination 192.168.15.41
 tunnel key 192
 tunnel protection ipsec profile IPVS_Branches_ipsec_profile_2
!
interface GigabitEthernet0/0
 description TRUNK
 no ip address
 ip route-cache flow
 load-interval 30
 duplex full
 speed 100
 media-type rj45
!
interface GigabitEthernet0/0.150
 description Outside WAN
 encapsulation dot1Q 150
 ip address dhcp
!
interface GigabitEthernet0/0.203
 description Inside global routing for corporate end-users
 encapsulation dot1Q 203
 ip address 10.81.7.89 255.255.255.248
!
interface GigabitEthernet0/0.208
 description Inside interface for IP Cameras
 encapsulation dot1Q 208
 ip vrf forwarding IPVS
 ip address 192.0.2.49 255.255.255.240
 ip pim sparse-mode
!
interface GigabitEthernet0/0.258
 description iSCSI Management Subnet
 encapsulation dot1Q 258
 ip vrf forwarding IPVS
 ip address 192.168.211.1 255.255.255.0
!
interface GigabitEthernet0/0.351
 description vpn-jk2-7206-2 [Second Head-end]
 encapsulation dot1Q 351
 ip address 192.168.15.30 255.255.255.252
 service-policy output 30M
!
interface GigabitEthernet0/0.352
 description vpn-jk2-7206-1 [Primary Head-end]
 encapsulation dot1Q 352
 ip address 192.168.15.50 255.255.255.252
 service-policy output 30M
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet0/2/0
 description Flashnet
 duplex full
 speed 100
!
interface FastEthernet0/2/1
!
interface FastEthernet0/2/2
!
interface FastEthernet0/2/3
!
interface Video-Service-Engine1/0
 ip vrf forwarding IPVS
 ip address 192.0.2.37 255.255.255.252
 ip route-cache flow
 service-module ip address 192.0.2.38 255.255.255.252
 service-module ip default-gateway 192.0.2.37
 no keepalive
!
interface Integrated-Service-Engine2/0
 ip vrf forwarding IPVS
 ip address 192.0.2.33 255.255.255.252
 ip route-cache flow
 service-module external ip address 192.168.211.2 255.255.255.0
 service-module ip address 192.0.2.34 255.255.255.252
 service-module ip default-gateway 192.0.2.33
 no keepalive
!
interface Vlan1
 description FlashNet
 ip address 172.26.156.105 255.255.254.0
 no ip proxy-arp
!
router eigrp 65
 network 10.81.7.88 0.0.0.7
 network 192.168.15.0 0.0.0.63
 no auto-summary
 !
 address-family ipv4 vrf IPVS
  network 192.0.2.32 0.0.0.31
  network 192.168.15.128 0.0.0.127
  network 192.168.211.0
  no auto-summary
  autonomous-system 65
 exit-address-family
!
ip forward-protocol nd
ip route 10.81.0.27 255.255.255.255 172.26.156.1 name IOS-CA
ip route 192.168.15.40 255.255.255.255 192.168.15.49 name vpn-jk2-7206-1_Loopback_0
ip route 192.168.15.41 255.255.255.255 192.168.15.29 name vpn-jk2-7206-2_Loopback_0
ip route 64.102.223.16 255.255.255.240 dhcp
ip route 192.5.41.40 255.255.255.254 dhcp
!
ip flow-cache timeout active 1
ip flow-export version 5
ip flow-export destination 172.26.157.11 7777
!
ip http server
no ip http secure-server
!
ip access-list extended LOCAL_LOGIN
 permit tcp host 192.0.2.33 any eq 2130
 deny   ip any any log
!
snmp-server enable traps tty
!
!
control-plane
!
!
banner exec 
3825
192.0.2.32 /30  ISR NM NME-VMSS-HP16
192.0.2.36 /30  EVM-IPVS-16A
192.0.2.40      reserved .40 to .47
192.0.2.48 /28  Reserved for IP Cameras (0.0.0.15)

banner motd 
   C i s c o S y s t e m s
     ||               ||
     ||               ||       Cisco Systems, Inc.
    ||||             ||||      IT-Transport
 .:|||||||:.......:|||||||:..
  US, Asia & Americas support:    + 1 408 526 8888
 EMEA support:                   + 31 020 342 3888
  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
 You must have explicit permission to access or configure this
 device. All activities performed on this device are logged and
 violations of this policy may result in disciplinary action.

!
line con 0
 exec-timeout 0 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 130
 access-class LOCAL_LOGIN in vrf-also
 login local
 no activation-character
 no exec
 transport preferred none
 transport input telnet
 transport output none
line vty 0 4
 exec-timeout 0 0
 login local
!
scheduler allocate 20000 1000
ntp clock-period 17178750
ntp source Integrated-Service-Engine2/0
ntp master 12
ntp server 192.168.6.1 source GigabitEthernet0/0.150
ntp server 10.81.254.202 source Vlan1
ntp server 10.81.254.131 source Vlan1
!
end

3750-access

This configuration is for an access-layer switch not explicitly shown in the topology diagram. It is a Cisco WS-C3750G-24PS model.
! System image file is "flash:c3750-advipservicesk9-mz.122-44.SE1.bin"
!
3750-access#sh run b
Building configuration...

Current configuration : 6533 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3750-access
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
vtp mode transparent
ip subnet-zero
no ip domain-lookup
!
ip multicast-routing distributed
!
mls qos
!
crypto pki trustpoint TP-self-signed-798490880
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-798490880
 revocation-check none
 rsakeypair TP-self-signed-798490880
!
!
crypto pki certificate chain TP-self-signed-798490880
 certificate self-signed 01
!
!
!
!
macro name cisco-camera-2500
#Assign Port Description

description Connected to IPVS Camera

#Assign Cisco IPVS Camera in unique Layer 2 VLAN
switchport access vlan $VLAN

#Statically configure Cisco Camera port in access-mode
switchport mode access

#Enable Layer 2 Port-Security
switchport port-security

#Dynamically register secured IPVS MAC address.
switchport port-security mac-address sticky

#Set maximum allowed secured MAC entry to 1. Default value, but with macro it will override manual setting.
switchport port-security maximum 1

#Set port security violation action to shutdown physical port. Default setting, but with macro it will override manual setting.
switchport port-security violation shutdown

#Enable QoS on Cisco Camera port and trust incoming DSCP value.

mls qos trust dscp

#Expedite port bring up process by enabling portfast configuration.
spanning-tree portfast

#Disable transmitting and receiving STP BPDU frame on Cisco Camera port
spanning-tree bpdufilter enable
@
macro name CIVS-IPC-2500
description Cisco Video Surveillance 2500 Series IP Camera
switchport mode access
switchport access vlan $VLAN
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation shutdown
mls qos trust dscp
spanning-tree portfast
spanning-tree bpdufilter enable
load-interval 60
no shutdown
@
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10,208,220-221
!
!
class-map match-all HTTP
 match protocol http
class-map match-all HTTP_acl
 match access-group name HTTP
class-map match-all HTTP_acl_client
 match access-group name HTTP_client
!
!
policy-map VSMS
 class HTTP_acl
  set dscp cs5
 class class-default
  set dscp cs3
policy-map Viewing_Station
 class HTTP_acl_client
  set dscp cs5
 class class-default
  set dscp cs3
!
!
!
!
interface GigabitEthernet1/0/1
 description trunk to vpn1-2851-1 [vpn-jk2-2948-1]
 switchport trunk encapsulation dot1q
 switchport mode trunk
 load-interval 60
 priority-queue out
 mls qos trust dscp
!
interface GigabitEthernet1/0/2
 description Cisco Video Surveillance 2500 Series IP Camera
 switchport access vlan 208
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001d.e5ea.79d3
 load-interval 60
 mls qos trust dscp
 macro description CIVS-IPC-2500
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 description 4300 IP camera 0021.1bfd.df85
 switchport access vlan 220
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0021.1bfd.df85
 load-interval 60
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/4
 description 4300 IP camera 0021.1bfd.df62
 switchport access vlan 220
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0021.1bfd.df62
 load-interval 60
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/5
 description Viewing Station
 switchport access vlan 208
 switchport mode access
 priority-queue out
 spanning-tree portfast
 spanning-tree bpdufilter enable
 service-policy input Viewing_Station
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
 description CIVS-IPC-4500-1
 switchport access vlan 220
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001e.bdfc.19d6
 load-interval 60
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/12
 description CIVS-IPC-4500-2
 switchport access vlan 220
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0021.1bfd.dfc1
 load-interval 60
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/13
 description CIVS-IPC-4500-3
 switchport access vlan 220
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.53ff.6cb9
 load-interval 60
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/14
 description CIVS-IPC-4500-4
 switchport access vlan 220
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001e.bdfc.19c9
 load-interval 60
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended HTTP
 permit tcp any eq www any
ip access-list extended HTTP_client
 permit tcp any any eq www
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end
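
The CIVS-IPC-2500 macro in the 3750-access configuration above is the baseline for camera ports. The following Python script is an added example, not part of the original guide or of any Cisco tooling: it parses a running configuration, extracts the macro, and lists for each access port the macro commands that are absent from its stanza. The function names, the IMPLICIT_DEFAULTS set, and the abridged sample input are assumptions made for this example.

```python
# Constructed sample: abridged excerpt of the 3750-access configuration above.
SAMPLE_CONFIG = """\
macro name CIVS-IPC-2500
description Cisco Video Surveillance 2500 Series IP Camera
switchport mode access
switchport access vlan $VLAN
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation shutdown
mls qos trust dscp
spanning-tree portfast
spanning-tree bpdufilter enable
load-interval 60
no shutdown
@
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Cisco Video Surveillance 2500 Series IP Camera
 switchport access vlan 208
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001d.e5ea.79d3
 load-interval 60
 mls qos trust dscp
 macro description CIVS-IPC-2500
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/5
 description Viewing Station
 switchport access vlan 208
 switchport mode access
 priority-queue out
 spanning-tree portfast
 spanning-tree bpdufilter enable
 service-policy input Viewing_Station
!
"""

# Assumption: these macro lines equal the interface defaults, so running-config
# does not display them (the macro's own comments call the first two defaults).
IMPLICIT_DEFAULTS = {"switchport port-security maximum 1",
                     "switchport port-security violation shutdown", "no shutdown"}

def parse_macro(config, name):
    """Return the commands of 'macro name <name>', up to the '@' terminator."""
    commands, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"macro name {name}":
            inside = True
        elif inside and line == "@":
            break
        elif inside and line and not line.startswith("#"):
            commands.append(line)
    return commands

def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas

def audit_access_ports(config, macro_name):
    """For every access port, list the macro commands missing from its stanza."""
    macro = parse_macro(config, macro_name)
    if not macro:
        raise ValueError(f"macro {macro_name!r} not found")
    findings = {}
    for name, stanza in parse_interfaces(config).items():
        if "switchport mode access" not in stanza:
            continue  # trunks and unconfigured ports are out of scope
        vlan = next((c.split()[-1] for c in stanza
                     if c.startswith("switchport access vlan ")), "$VLAN")
        expected = [c.replace("$VLAN", vlan) for c in macro
                    if not c.startswith("description ") and c not in IMPLICIT_DEFAULTS]
        findings[name] = [c for c in expected if c not in stanza]
    return findings

if __name__ == "__main__":
    print(audit_access_ports(SAMPLE_CONFIG, "CIVS-IPC-2500"))
```

On the sample, GigabitEthernet1/0/2 matches the macro, while the Viewing Station port on the same VLAN 208 is reported without port security, DSCP trust, or the load interval.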