Downloads |
Table Of Contents
Deploying IPv6 in Branch Networks
IPSec and Manual Tunnel Configuration
Enterprise Design Architecture Reference
7206 VPN Configurations for Single-Tier Profile
Deploying IPv6 in Branch Networks
This document is intended to guide customers in their planning or deployment of IPv6 in branch networks. This document is not meant to introduce you to branch design fundamentals and best practices, IPv6, transition mechanisms, or IPv4 and IPv6 feature comparisons. The user must be familiar with the Cisco branch design best practices recommendations and the basics of IPv6 and associated transition mechanisms. For information about the enterprise design architecture, refer to the following documents:
•
Enterprise Branch Architecture Design Overview
http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/EnBrOver.html
•
http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html
Contents
Introduction
This document requires a basic understanding of Cisco branch design. This prerequisite knowledge can be acquired through many documents and training opportunities that are available through Cisco Systems, Inc. and through the networking industry at large. Recommended Reading contains resources for these areas of interest.
Scope
This document provides a brief overview of the various branch IPv6 deployment profiles and general deployment considerations. This document also covers the implementation details for each branch profile individually.
In addition to configurations shown in the general considerations and implementation sections, the full configurations for each branch device can be found in Configuration Examples. This document focuses on the branch-side of the WAN, but the basic configurations used on the HQ WAN routers are shown, for reference, in Configuration Examples. These configurations were used for testing only and are not necessarily the recommended WAN router configurations the customer should use. A future document that covers IPv6 deployments in the enterprise WAN edge is planned. Updates to this document and new IPv6-related documents can be found at http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html.
Branch Deployment Overview
This section provides a high-level overview of the two mostly commonly deployed Cisco branch profiles to provide a basic understanding of how IPv6 can be integrated into these two branch profiles.
The branch IPv6 deployment profiles that are described in this section:
Note
Single-Tier Profile
The single-tier branch profile is a fully integrated solution. The requirements for LAN and WAN connectivity and security are met by a single Integrated Services Router (ISR). Figure 1 shows a high-level view of the single-tier branch profile.
Figure 1 Single-Tier Profile
In the single-tier profile described in this document, a single ISR is used to provide WAN connectivity via a T1 to an Internet Service Provider (ISP). This T1 is used as the primary link to the headquarters (HQ) site. For WAN redundancy, a backup connection is made via Asymmetric Digital Subscriber Line (ADSL). The single-tier uses what is often referred to as the "Internet Deployment Model."
IPv4 connectivity to the HQ site is provided by IPv4 IPSec using Dynamic Multi-Point Virtual Private Network (DMVPN) technologies. IPv6 connectivity to the HQ site is provided by using manually configured tunnels (IPv6-in-IPv4) that are protected by IPv4 IPSec. The DMVPN and manually configured tunnels traverse the T1 link as the primary path and establish backup tunnels over the ADSL link. In the single-tier profile described in this document, IPv6 connectivity via the IPSec-protected manually configured tunnels is required because DMVPN does not yet support IPv6. When DMVPN supports IPv6 within the design, then no additional tunnel configurations are required and IPv4/IPv6 (dual-stack) is supported within the same DMVPN design.
All traffic leaving the branch traverses the VPN connections to the HQ, including the Internet bound traffic. Generally, Cisco does not recommend the use of split-tunneling at the branch site. If the customer requires split-tunneling, then Cisco recommends a careful analysis and testing of the routing and the security implications of such a deployment.
Note
LAN connectivity is provided by an integrated switch module (EtherSwitch Service Module). Dual-stack (running both IPv4 TCP/IP stack and IPv6 TCP/IP stack) is used on the VLAN interfaces at the branch.
In addition to all of the security policies in place at the HQ, local security for both IPv4 and IPv6 is provided by a common set of infrastructure security features and configurations in addition to the use of the Cisco IOS Firewall. QoS for IPv4 and IPv6 is integrated into a single policy.
The obvious disadvantage of the single-tier profile is the lack of router and switch redundancy. There is redundancy for the link to the Internet and the VPN connections to HQ. However, because there is a single integrated switch and single router, if either component fails then the site is completely disconnected from HQ. The dual-tier profile is the solution for customers requiring complete redundancy for all components (switches, routers, and HQ connections).
Solution Requirements
The solution requirements for the single-tier profile are:
•
•
•
•
•
•
Tested Components
Table 1 lists the components that were used and tested in the single-tier profile.
Dual-Tier Profile
The dual-tier profile separates the routing and switching roles in the branch. Figure 2 shows a high-level view of the dual-tier profile.
Figure 2 Dual-Tier Profile
There are three primary differences between the single-tier and dual-tier profile:
•
•
•
Redundancy—The dual-tier separates the LAN (switch) and WAN (router) components to offer fault-tolerance. A single switch or multiple switches can be used to provide LAN access in the branch. There are two WAN routers that are redundantly connected to the Frame Relay cloud, in addition to being redundantly connected to the LAN switch.
Scalability—The dual-tier scales better because the single-tier is pretty much an "everything but the kitchen sink" approach. In other words, every network role required in the branch is performed by the ISR. This is great for cost and manageability, but can limit availability and scalability. The larger the branch and the more services enabled on the ISR, the higher the risk gets for over-extending the performance capabilities of the ISR. This can be alleviated by using a more powerful ISR model, but this does not help with the fault-tolerance requirement. If additional LAN switches are needed at the branch then the Catalyst switches can be used together using the Cisco StackWise topology.
WAN Transport —The WAN connections in the dual-tier model described in this document use Frame Relay instead of the Internet with IPSec VPN. IPv6 is fully supported over Frame Relay in Cisco IOS and therefore there is no need to run tunnels of any kind between the branch and HQ. This is a great advantage for deployment and management because dual-stack is used all the way from the hosts in the branch LAN across the WAN and into the HQ network. This greatly eases the operational aspects of deploying IPv6 in the branch because no special tunnel considerations (such as availability, security, QoS, and multicast) need to be made. The dual-tier uses what is often referred to as the "private WAN model."
Security for the dual-tier is the same as the single-tier with the exception that both routers in the dual-tier provide security services and that no IPSec tunnels are used. The majority of branch deployments today use the dual-tier profile.
Solution Requirements
The solution requirements for the dual-tier profile are:
•
•
•
Tested Components
The components that were used and tested in the dual-tier profile are listed in Table 2.
Multi-Tier Profile
As previously mentioned, the multi-tier profile is covered only at a high-level and is not covered in the implementation section. Future work is planned for testing and documenting IPv6 in the multi-tier profile. It is described here for completeness and to prompt you to think about some of the design aspects of IPv6 in a multi-tier type deployment.
Figure 3 shows a high-level view of the multi-tier profile.
Figure 3 Multi-Tier Profile
Figure 3 shows how the tiers or roles are distributed. Several changes are evident with the multi-tier vs. the dual-tier:
•
•
•
•
Solution Requirements
The solution requirements for the multi-tier profile are:
•
•
•
•
Tested Components
Testing and documentation is planned for IPv6 in a multi-tier profile. For updates, periodically refer to http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html.
General Considerations
There are some general considerations that apply to both deployment profiles described in the implementation sections of this document. This section describes the general considerations to take into account when deploying IPv6 in a branch network, regardless of the deployment profile being used. If a specific consideration should be understood, then the specific profile is called out, along with the consideration for that profile. Also, the specific configurations for any profile-specific considerations can be found in that profile's implementation section.
Both branch IPv6 profiles described in this document leverage the existing Cisco branch network design best practices as the foundation for all aspects of the deployment. The IPv6 components of the profiles are deployed in the same way as IPv4 whenever possible. When the same or similar features are not available for IPv6 as for IPv4, alternatives are used. In some cases, no alternatives are available and a reference for where to track feature support is given.
It is critical to understand the Cisco branch best practices recommendations before deploying the IPv6 in the branch profiles described in this document. The Cisco branch design best practice documents can be found under the "Branch Office" and "WAN" sections at http://www.cisco.com/en/US/netsol/ns742/networking_solutions_program_category_home.html.
Note
Addressing
As previously mentioned, this document is not an introductory document and does not describe the basics of IPv6 addressing. However, it is important to describe a few addressing considerations for the network devices.
In most cases, the use of a /64 prefix on point-to-point (P2P) links is just fine. IPv6 was designed to have a large address space and even with the poor address management in place, the customer should not experience address constraints.
Some network administrators think that a /64 prefix for P2P links is a waste of time. There has been quite a bit of discussion within the IPv6 community about the practice of using longer prefixes for P2P links. For those network administrators who want to more tightly control the address space, then it is safe to use a /126 prefix on P2P links in much the same was as /30 is used with IPv4.
RFC 3627 describes the reasons why the use of a /127 prefix is harmful and should be discouraged. For more information, refer to http://www.ietf.org/rfc/rfc3627.txt.
In general, Cisco recommends using either a /64 or /126 on P2P links. There are efforts underway within the IETF to better document the address assignment guidelines for varying address types and prefix links. IETF work within the IPv6 operations working group can be tracked at http://www.ietf.org/html.charters/v6ops-charter.html.
The P2P configurations shown in this document use /64 prefixes. The assignment of user IPv6 addresses in the single and dual-tier profiles is done by advertising an IPv6 prefix (via an RA) on the router sub-interface for the VLAN where PCs are located. The options for DNS server and domain name are assigned using DHCP for IPv6. All other VLANs use stateless autoconfiguration alone with no use of options. More information can be found on IPv6 addressing services at the following URL: http://www.cisco.com/en/US/products/ps6441/products_installation_and_configuration_guides_list.html.
Physical Connectivity
Considerations for physical connectivity with IPv6 are the same as with IPv4 plus three additional elements:
•
•
Another aspect of MTU relates to the branch single-tier profile. When IPSec is used with GRE or manual tunnels it is important to account for how to adjust the MTU value on the routers to ensure that the router is not forced to perform fragmentation of the IPv4 traffic due to the IPSec header and the additional tunnel overhead. More information on this can be found in any of the IPSec design guides at http://www.cisco.com/en/US/tech/tk583/tk372/tech_design_guides_list.html.
•
It is important to point out that Cisco supports the use of IPv6-enabled hosts that are directly attached to Cisco IP phones ports. These IP phone ports are switch ports and operate in much the same way as plugging the host directly into a Catalyst Layer 2 switch.
In addition to the previous considerations, Cisco recommends that a thorough analysis of the existing traffic profiles, memory and CPU use on both the hosts and network equipment and also the Service Level Agreement (SLA) language be completed prior to implementing any of the IPv6 models described in this document.
VLANs
VLAN considerations for IPv6 are the same as for IPv4. When dual-stack configurations are used then both IPv4 and IPv6 traverse the same VLAN. The use of Private VLANs is not included in any of the deployment profiles described in this document and it was not tested. The use of Private VLANs will be included in future IPv6 documents.
The use of IPv6 on data VLANs that are trunked along with Voice VLANs (behind IP phones) is fully supported. For the current VLAN design recommendations, refer to the Cisco branch-LAN design best practice documents at http://www.cisco.com/en/US/netsol/ns816/networking_solutions_program_home.html.
Routing
Choosing an IGP to run in the campus network is based on a variety of factors; platform capabilities, IT staff expertise and the size of network are just a few. In this document the IGP for both IPv4 and IPv6 is EIGRP. OSPFv2 for IPv4 and OSPFv3 for IPv6 can be used also.
As previously mentioned, every effort to implement the current Cisco branch design best practices has been made. Both the IPv4 and IPv6 IGPs have been tuned according to the current best practices for the branch. It should be one of the top priorities of any network design to ensure that the IGPs are tuned to provide a stable, scalable and fast converging routing protocol.
The implementation sections show the EIGRP tuning in accordance with the current Cisco branch recommendations.
EIGRP has been configured to provide authentication for both IPv4 and IPv6 adjacencies and updates.
High Availability
There are many aspects of High-Availability (HA) that are not applicable to or are outside the scope of this document. Many of the HA requirements and recommendations are met by leveraging the existing Cisco branch design best practices. The primary HA components described in this document are:
•
•
•
QoS
Cisco recommends that QoS policies be implemented application or service-dependent instead of protocol (IPv4 or IPv6) dependent. Basically, if the existing QoS policy has specific classification, policing, and queuing for an application then that policy should treat the IPv4 and IPv6 traffic for that application equally.
The key consideration as far as Modular QoS CLI (MQC) is concerned is the removal of the ip keyword in the QoS match and set statements when IPv6 QoS is required. Modification in the QoS syntax to support IPv6 and IPv4 allows for a new configuration criteria (see Table 3).
Table 3 Qos Syntax Modifications
match ip dscp
match dscp
match ip precedence
match precedence
set ip dscp
set dscp
set ip precedence
set precedence
There are QoS features that work for both IPv6 and IPv4, and require no modification to the CLI (such as WRED, policing, and WRR).
The implementation section for each profile does not go into great detail on QoS configuration as far as the definition of classes for certain applications, the associated mapping of DSCP values, and the bandwidth and queuing recommendations. The section, Configuration Examples contains the full configurations for IPv4 and IPv6 QoS used in the single and dual-tier profiles.
Cisco has an extensive collection of QoS recommendations for the branch and you are encouraged to seek guidance from the CCO documentation and also the Cisco Press book "End-to-End QoS Network Design." Refer to Recommended Reading to find out more about Cisco branch QoS recommendations and Cisco Press books.
Security
Many of the common threats and attacks on existing IPv4 campus networks also apply to IPv6. Unauthorized access, spoofing, routing attacks, viruses, worms, DoS, and man-in-the-middle attacks are just a few that plague both IPv4 and IPv6.
There are many new threats with IPv6 that do not exist with IPv4 or they operate differently from IPv4. There are inherent differences in how IPv6 handles neighbor and router advertisement and discovery, headers, and even fragmentation. Based on all of these variables and possibilities, IPv6 security is a very involved topic in general and detailed security recommendations and configurations are outside the scope of this document. There are numerous efforts both within Cisco and the industry to identify, understand, and resolve IPv6 security threats. This document points out some possible areas to address within the branch and gives basic examples of how to provide protection of IPv6 dual-stack and tunneled traffic.
Note
General security considerations for network device protection that apply to both branch profiles are as follows:
•
–
The addressing consideration described here introduces real operational challenges. For the sake of easing operational management of the network devices and addressing, you should balance the security aspects of randomizing the interface-IDs with the ability to deploy and manage the devices via the randomized addresses.
•
–
interface Loopback0ipv6 address 2001:DB8:CAFE:1000::BAD1:A001/128no ipv6 redirectsTo more tightly restrict access to a particular switch/router via IPv6, an ACL is used to permit access to the management interface (line vty) by way of the loopback interface. The permitted source network is from the enterprise IPv6 prefix. To make ACL generation more scalable for a wide range of network devices, the ACL definition can permit the entire enterprise prefix as the primary method for controlling management access to the device instead of filtering to a specific interface on the device. The IPv6 prefix used in this enterprise site (for example only) is 2001:db8:cafe::/48.
ipv6 access-list MGMT-INremark Permit MGMT only to Loopback0permit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1000::BAD1:A001deny ipv6 any any log-input!line vty 0 4session-timeout 3access-class MGMT-IN-v4 inpassword 7 08334D400E1C17ipv6 access-class MGMT-IN in #Apply IPv6 ACL to restrict accesslogging synchronouslogin localexec prompt timestamptransport input ssh #Accept access to VTY via SSH–
•
More information on CoPP can be found at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html.
•
The following example shows a basic ACL for the dual-tier profile - applied ingress on a branch router's LAN interface:
ipv6 access-list DATA_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::/64permit icmp 2001:DB8:CAFE:2100::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::64permit ipv6 2001:DB8:CAFE:2100::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT HSRPv2 FOR IPv6 FROM OTHER BRANCH ROUTER ON LAN SEGMENTpermit udp any any eq 2029remark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark PERMIT ALL PIM (103) MESSAGES FROM OTHER BRANCH ROUTER ON LAN SEGMENTpermit 103 FE80::/10 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!interface FastEthernet0/0.100description DATA VLAN for PCsipv6 traffic-filter DATA_LAN-v6 in
Caution
In the previous DATA_LAN-v6 example, a more permissive entry (permit icmp FE80::/16 any) is made to account for the neighbor discovery requirement and any other ICMPv6 services that are needed on the interface. This is a wide-open ACL entry that is permitting all ICMPv6 traffic, which is probably not a great idea because there are many known and unknown ICMPv6-based threats that need to be considered. There are RFCs, drafts, and IPv6 deployment books that specifically describe the various ICMPv6 types that should and should not be blocked. Refer to Recommended Reading for links to the IETF and Cisco Press book that describes the filtering of ICMPv6 packets.
•
•
•
More information on IPv6 security can be found in References. Also, IPv6 ACL and firewall configuration details can be found at http://www.cisco.com/en/US/docs/ios/12_2t/ipv6/v6_tffw.html.
Multicast
IPv6 multicast is an important service for any enterprise network design. One of the most important factors to IPv6 multicast deployment is to ensure that host/group control is handled properly in the branch LAN. Multicast Listener Discovery (MLD) in IPv6 is the equivalent to Internet Group Management Protocol (IGMP) in IPv4. Both are used for host multicast group membership control. MLD-snooping is the ability to control the distribution of multicast traffic only to the ports that have listeners. Without it, multicast traffic meant for only a single receiver (or group of receivers) would be flooded to all ports on the branch LAN switch belonging to the same VLAN. In the branch LAN it is important that the switches support MLD-snooping for MLD version 1 and/or version 2.
Note
Today, Cisco IOS supports the following PIM implementations: PIM-SM, PIM-BSR, PIM-SSM, Bidirectional PIM, Embedded-RP, and Multiprotocol BGP for the IPv6 Multicast Address Family.
In this document, IPv6 multicast-enabled applications are supported in both branch profiles. The multicast-enabled applications tested in this design are: Windows Media Services and VLC (VideoLAN Media client) using Embedded-RP and PIM-SSM groups. The multicast sources are running on Microsoft Windows Server 2003, Longhorn and Red Hat 4.0 servers located in the HQ data center.
There are several documents on CCO and within the industry that describe IPv6 multicast in detail. Other than generic references to the commands that are used to enable IPv6 multicast and requirements for Embedded-RP definition, no other configuration notes are made in this document. For more information, refer to the following URLs:
•
•
http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a0080203f7a.shtml
Management
Management for IPv6 is under development and has a long way to go. Many of the traditional management tools used today also support IPv6. In this document the only considerations for management of the branch network are related to basic control of management services (Telnet, SSH, and SNMP). All of the IPv6-enabled devices in the two branch profiles described are manageable over IPv6 via the previously mentioned services except SNMP. At the time of writing this document, the Catalyst switches described (Integrated switch module and 3750) do not yet support SNMP over IPv6 transport. However, the management of IPv6-specific MIBs/Traps/Informs is supported on the Catalyst platforms using SNMP transport over IPv4. All Cisco ISRs support SNMP over IPv6 transport.
The deployment of SNMP for IPv6 is the same as with IPv4. In the branch profiles described in this paper SNMPv3 (AuthNoPriv) is used to provide polling capabilities for the Cisco NMS servers located in the HQ data center. Here is an example of the SNMPv3 configuration used in the branch routers in this document:
snmp-server contact John Doe - ipv6rocks@cisco.comsnmp-server group IPv6-ADMIN v3 auth write v1defaultsnmp-server user jdoe IPv6-ADMIN v3 auth md5 cisco1234If information needs to be sent to a Cisco NMS server then an SNMP host can be defined. The host can be defined to send SNMP information over IPv4 and/or IPv6:
snmp-server host 2001:DB8:CAFE:11:2E0:81FF:FE2C:9332 version 3 auth jdoeAnother area of management that you must thoroughly research is that of address management. Anyone who analyzed IPv6 even at an elementary level understands the size and potential complexity of deploying and managing the IPv6 address space. The process of assigning large hexadecimal addresses to many network devices should, at some point, be automated or at least made more user-friendly than it is today. There are several efforts underway within the industry to provide recommendations and solutions to the address management issues. Cisco is in the forefront of this effort.
Today, one way to help with the deployment of address prefixes on a Cisco ISR is through the use of the general prefix feature. The general prefix feature allows the customer to define a prefix or prefixes in the global configuration of the router with a user-friendly name. That user-friendly name can be used on a per-interface basis to replace the usual IPv6 prefix definition on the interface. Following is an example of how to use the general prefix feature:
Define the general prefix:
2801-br1-1(config)# ipv6 general-prefix ESE-BR-1 2001:DB8:CAFE::/48Configure the general prefix named "ESE-BR-1" on a per-interface basis:
2801-br1-1(config-if)# ipv6 address ESE-BR-1 ::1100:0:0:BAD1:A001/64Verify that the general prefix was correctly assigned to the interface:
2801-br1-1# show ipv6 interface g1/0.100GigabitEthernet1/0.100 is up, line protocol is upIPv6 is enabled, link-local address is FE80::217:94FF:FE90:2829No Virtual link-local address(es):Description: DATA VLAN for ComputersGlobal unicast address(es):2001:DB8:CAFE:1100::BAD1:A001, subnet is 2001:DB8:CAFE:1100::/64More information on the general prefix feature can be found at the Cisco IOS IPv6 documentation page at http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html.
Cisco supports the management of IPv6-enabled network devices via a variety of Network Management Products to include DNS, DHCPv6, device management and monitoring and also network management, troubleshooting and reporting. More information on the various Cisco Network Management solutions can be found at http://www.cisco.com/en/US/netsol/ns742/networking_solutions_program_category_home.html.
Scalability and Performance
This document is not meant to analyze scalability and performance information for the various platforms tested. The coverage of scale and performance is more focused on general considerations when planning and deploying IPv6 in the branch vs. a platform-specific view.
In general, you should understand the link, memory, and CPU use of the existing branch network devices. If any of these aspects are already stressed then adding IPv6 or any new technology, feature or protocol into the design is a recipe for disaster.
Scalability and Performance considerations for the branch network devices:
•
•
ARP entry for the host in the branch:
Internet 10.124.2.4 2 0014.c2e1.e679 ARPA FastEthernet0/0.100IPv6 Neighbor Cache entry for the host in the branch:
IPv6 Address Age Link-layer Addr State Interface2001:DB8:CAFE:2100:DDD6:5CC5:3178:F038 0 0014.c2e1.e679 REACH Fa0/0.100FE80::D48A:B1B6:8861:812C 0 0014.c2e1.e679 DELAY Fa0/0.100The IPv6 neighbor cache shows that there are two entries listed for the host. The first address is a global IPv6 address (optional) that is assigned by DHCP for IPv6 (could also be statically defined or assigned via stateless autoconfiguration) and the second address is the link-local address (mandatory) generated by the host. The number of entries can decrease to a minimum of one (link-local address) to a multitude of entries for a single host depending on the address types used on the host.
It is important to understand the neighbor table capabilities of the branch network devices being used to ensure that the tables are not being filled during regular network operation. Additional testing is planned to understand if recommendations should be made to adjust timers to age entries out faster, rate-limit neighbor advertisements and to better protect the branch routers against DoS from IPv6 neighbor discovery-based attacks.
Another consideration is with IPv6 multicast. As previously mentioned, it is important to ensure that MLD-Snooping is supported in the branch LAN switch when IPv6 multicast is used to ensure that IPv6 multicast frames at Layer 2 are not flooded to all of the ports.
•
•
Single-Tier Implementation
This section focuses on the configuration of a single-tier deployment profile. The configurations are broken down into specific areas, such as WAN and LAN connectivity, IPSec, routing, and security. IPv4 configurations are shown when the deployment of IPv6 is dependent upon IPv4 for access, such as with manual tunnels with IPv4 IPSec. The full configuration for the single-tier router and switch can be found in Configuration Examples.
IPv4/IPv6 and IPSec tunnel configurations for the HQ routers are provided in Configuration Examples for reference only and are not explained in this document.
Network Topology
Figure 4 serves as a reference for all of the configurations for the single-tier profile. The figure shows the interface and addressing layout for the branch router and integrated switch. IPv4 addressing is shown only when IPv4 is required for connectivity for IPv6 (manual tunnels).
Figure 4 Single-Tier Profile - Interface/Addressing Layout
A single router (2800-br1-1) is used with an integrated switch (sw-br1-1) to provide WAN and LAN connectivity for the three VLANs in the branch.
•
–
–
–
–
All of the tunnels use IPv4 IPSec for tunnel protection.
•
–
–
–
Note
WAN Configuration
The WAN configurations are not specific to IPv6, but are used to provide the underlying transport for the encrypted manual tunnels between the branch and HQ routers. The full WAN configuration for 2800-br1-1 are shown in Configuration Examples.
2800-br1-1
interface Serial0/0/0description to T1 Link Provider (PRIMARY)ip address 172.16.1.2 255.255.255.252!interface GigabitEthernet0/0description PPPoE for Backuppppoe enablepppoe-client dial-pool-number 1!interface Virtual-Template1no ip address!interface Dialer1description PPPoE to BB provider (BACKUP)ip address negotiatedip mtu 1400encapsulation pppload-interval 30dialer pool 1dialer-group 1no cdp enableppp authentication chap callinppp chap hostname 2800-br1-1@cisco.comppp chap password 7 095E4F071E0005!dialer-list 1 protocol ip permitLAN Configuration
The LAN IPv6 configurations for 2800-br1-1 and sw-br1-1 follow. The configurations show the internal switch links between the router and the EtherSwitch module and also the interface and VLAN configurations on the switch itself. Also, the DHCP for IPv6 configuration is shown. The IPv6 DHCP pool is used for VLAN 100 (data-only).
Note
For more information about the SDM prefer command and associated templates, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swsdm.html.2800-br1-1
ipv6 unicast-routing #Globally enable IPv6 Unicast Routingipv6 cef #Globally enable IPv6 CEF!ipv6 dhcp pool DATA_VISTA #DHCP for IPv6 pool namedns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D #Primary IPv6 DNS server at HQdns-server 2001:DB8:CAFE:10:51A1:5B1:4A85:B3DA #Secondary IPv6 DNS server at HQdomain-name cisco.com #DNS domain name passed to client!interface GigabitEthernet1/0description to INTERNAL SW-BR1-1ip address 1.1.1.1 255.255.255.0!interface GigabitEthernet1/0.100description DATA VLAN for Computersencapsulation dot1Q 100ipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64 #Define the router IPv6 address#for VLAN100. Prefix used by#hosts in stateless#autoconfigurationipv6 nd other-config-flag #Set flag in RA to instruct host#how to obtain "other"#information such as domain name#and DNS serveripv6 dhcp server DATA_VISTA #Enables DHCP for IPv6 on this nterface!interface GigabitEthernet1/0.200description to Voice VLAN for IP Phonesencapsulation dot1Q 200ipv6 address 2001:DB8:CAFE:1200::BAD1:A001/64!interface GigabitEthernet1/0.300description to Printer VLANencapsulation dot1Q 300ipv6 address 2001:DB8:CAFE:1300::BAD1:A001/64!sw-br1-1
vtp domain ese_branchvtp mode transparent!spanning-tree mode rapid-pvstspanning-tree loopguard defaultspanning-tree portfast bpduguard defaultspanning-tree extend system-id!vlan internal allocation policy ascending!vlan 100name DATA!vlan 200name VOICE!vlan 300name PRINTERS!interface FastEthernet1/0/2description TRUNK to 2800-br1-1switchport trunk encapsulation dot1qswitchport trunk allowed vlan 100,200,300switchport mode trunkload-interval 30!interface FastEthernet1/0/3description PHONE + PCswitchport access vlan 100switchport mode accessswitchport voice vlan 200load-interval 30spanning-tree portfastspanning-tree bpduguard enable!interface Vlan100description VLAN100 for PCs and Switch managementip address 10.124.1.126 255.255.255.128ipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64 #IPv6 address used for mgmt on#sw-br1-1IPSec and Manual Tunnel Configuration
The single-tier profile uses DMVPN for IPv4 (refer to Configuration Examples) and IPv4 IPSec to protect the manual tunnels for IPv6. When DMVPN or other dynamic VPN models (for example, VTI) support IPv6, the configurations can be combined to allow IPv4 and IPv6 within the same tunnel. This can be accomplished today using GRE, but not when doing multipoint GRE (mGRE).
The primary tunnel (Tunnel3) for IPv6 uses static-crypto maps. Both sides of the tunnel (branch and HQ) have statically defined public IPv4 addresses that are used for tunnel sources.
The secondary tunnel (Tunnel4) for IPv6 uses a static-crypto map on the branch and a dynamic crypto-map at the HQ router. The reason for this is because the branch backup tunnel uses the dialer1 interface when the primary T1 fails. The dialer1 interface receives an IPv4 address dynamically from the broadband provider in the same way ADSL/Cable subscribers do. Because of the dynamic address on the dialer, there is no way for the HQ VPN router to statically define a public IPv4 address for the branch router when using the dialer1 interface. Dynamic crypto maps solve the issue with the dynamically assigned address on the branch router's dialer1 interface.
Note
Refer to the Cisco IOS IPSec documentation and the "WAN IPSec VPN Design Guide" for more information on the IPSec command definitions.
•
•
2800-br1-1
crypto isakmp policy 1 #Create ISAKMP policyencr 3des #Encryption methodauthentication pre-share #Pre-shared keys (passwords) usedcrypto isakmp key CISCO address 172.17.1.3 #Pre-shared key of "CISCO" used with#peer address of primary HQ IPSec#VPN routercrypto isakmp key SYSTEMS address 172.17.1.4 #Pre-shared key of "SYSTEMS used#with peer address of secondary HQ#IPSec VPN router. The HQ router#uses a null address for the key#address because of the dialer1#address assignmentcrypto isakmp keepalive 10 #Dead Peer Detection (DPD) enabled!!crypto ipsec transform-set HE1 esp-3des esp-sha-hmac #IPSec transform set that will#be offered during negotiation#to support ESP/3DES and#integrity algorithm (user-#defined)crypto ipsec transform-set HE2 esp-3des esp-sha-hmac!!crypto map IPv6-HE1 local-address Serial0/0/0 #Local source peer interfacecrypto map IPv6-HE1 1 ipsec-isakmpset peer 172.17.1.3 #Set IPSec peer as primary HQ IPSec#VPN routerset transform-set HE1match address VPN-TO-HE1 #ACL that matches protocol 41 from#branch to HQ IPSEC VPN router!crypto map IPv6-HE2 local-address Loopback0crypto map IPv6-HE2 1 ipsec-isakmpset peer 172.17.1.4set transform-set HE2match address VPN-TO-HE2!interface Tunnel3description IPv6 tunnel to HQ Head-end 1 #Primary tunnel for IPv6no ip addressload-interval 30ipv6 address 2001:DB8:CAFE:1261::BAD1:A001/64 #IPv6 address for manual tunnelipv6 mtu 1400 #Lower MTU to account for tunnel#and IPSec overhead - Neither are #detected when host performs#PMTUD for IPv6tunnel source Serial0/0/0 #T1 interface is tunnel sourcetunnel destination 172.17.1.3 #Destination is primary HQ IPSec#routertunnel mode ipv6ip #Tunnel mode is IPv6-in-IPv4#(Protocol 41)!interface Tunnel4description IPv6 tunnel to HQ Head-end 2 #Secondary tunnel for IPv6no ip addressload-interval 30ipv6 address 2001:DB8:CAFE:1271::BAD1:A001/64ipv6 mtu 1400tunnel source Loopback0 #Loopback used as source instead#of dialer1 because the dialer is#DHCP- assignedtunnel destination 172.17.1.4 #Destination is secondary HQ#IPSec routertunnel mode ipv6ip!interface Loopback0 #Loopback used as source for#Tunnel4ip address 10.124.100.1 255.255.255.255interface Serial0/0/0 #S0/0/0 used as source for#Tunnel3description to T1 Link Provider (PRIMARY)crypto map IPv6-HE1 #Apply IPSec VPN policy S0/0/0!interface Dialer1description PPPoE to BB provider (BACKUP)crypto map IPv6-HE2 #Apply IPSec VPN policy to#Dialer1!!ip access-list extended VPN-TO-HE1 #ACL for crypto-map to primary HEpermit 41 host 172.16.1.2 host 172.17.1.3 #Permit protocol 41 (IPv6) from#S0/0/0 to primary HQ IPSec VPN#routerip access-list extended VPN-TO-HE2 #ACL for crypto-map to secondary#HEpermit 41 host 10.124.100.1 host 172.17.1.4 #Permit protocol 41 from Lo0#(tunnel4 source) to secondary HQ #IPSec VPN routerRouting
The IPv6 routing configuration for the single-tier profile is straightforward. The existing IPv4 routing configuration (static routes) for the ISP links are used to support the two manual tunnels for IPv6. EIGRP for IPv6 is used within the two manual tunnels and also the LAN interfaces to provide routing information to/from the HQ site and within the branch. The branch router is configured as an EIGRP stub router.
EIGRP Route Authentication (MD5)is used to protect the EIGRP routing updates. For more information on configuring EIGRP for IPv6, refer to the Cisco IOS IPv6 routing configuration page at http://www.cisco.com/en/US/products/ps6350/products_installation_and_configuration_guides_list.html.
2800-br1-1
ipv6 unicast-routing #Enable IPv6 unicast routing (reminder only#this was enabled in the previous LAN#configuration section)!key chain ESE #Enable EIGRP Authentication key chainkey 1key-string 7 111B180B101719!interface Tunnel3description IPv6 tunnel to HQ Head-end 1delay 500 #Manually adjust delay - This tunnel#is primaryipv6 eigrp 1 #Enable EIGRP for IPv6 on tunnelipv6 hold-time eigrp 1 35 #Adjust the hold time for EIGRPipv6 authentication mode eigrp 1 md5 #Authentication type of MD5ipv6 authentication key-chain eigrp 1 ESE #Enables authentication of EIGRP for#IPv6 packets using key-chain "ESE"!interface Tunnel4description IPv6 tunnel to HQ Head-end 2delay 2000 #Adjust delay - This tunnel is#secondaryipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESE!interface Loopback0ipv6 eigrp 1interface GigabitEthernet1/0.100description DATA VLAN for Computersencapsulation dot1Q 100ipv6 eigrp 1!interface GigabitEthernet1/0.200description to Voice VLAN for IP Phonesencapsulation dot1Q 200ipv6 eigrp 1!interface GigabitEthernet1/0.300description to Printer VLANencapsulation dot1Q 300ipv6 eigrp 1!ipv6 router eigrp 1 #Router configuration mode - process 1router-id 10.124.100.1stub connected summary #This branch is a stubno shutdown #Process is shutdown by default -#enable itpassive-interface GigabitEthernet1/0.100 #Do not attempt adjacencies out any#interfaces except Tunnel3 and 4passive-interface GigabitEthernet1/0.200passive-interface GigabitEthernet1/0.300passive-interface Loopback0!ip route 0.0.0.0 0.0.0.0 Serial0/0/0 #Primary IPv4 static route used for#DMVPN and encrypted manual tunnelsip route 0.0.0.0 0.0.0.0 Dialer1 200 #Backup IPv4 static routesw-1-br1ipv6 route ::/0 Vlan100 FE80::217:94FF:FE90:2829 #Default route out VLAN100 to the#link-local address of the 2800-#br1-1 VLAN100 interfaceSecurity
The security configurations for IPv6 in the single-tier profile are very similar to the IPv4 configurations (refer to Configuration Examples). The focus of the security configuration for IPv6 is to protect the infrastructure (router and switch) and offer an additional line of defense for the branch site via an IPv6 stateful firewall.
The profiles described in this document are protected by a comprehensive security policy and design at the HQ site. However, the single-tier does use the Internet as a means of WAN connectivity and it is important to provide basic security at the local branch router in case of an Internet-based attack via the branch ISP links.
Note
Figure 5 shows the placement of the various ACLs used in the single-tier profile.
Figure 5 Single-Tier Profile - Security ACL Placement
The ACL and IOS IPv6 firewall policies are applied to various interfaces in the single-tier profile. The ACL placement is summarized here:
•
•
•
•
The following single-tier profile configurations are for the 2800-br1-1 router and sw-br1-1 switch.
2800-br1-1
ipv6 inspect one-minute high 2000ipv6 inspect hashtable-size 2039ipv6 inspect tcp max-incomplete host 100 block-time 0ipv6 inspect name v6FW tcp #Inspection profile for TCP,ICMP,FTP & UDPipv6 inspect name v6FW icmpipv6 inspect name v6FW ftpipv6 inspect name v6FW udp!interface Tunnel3ipv6 traffic-filter INET-WAN-v6 in #ACL used by IOS FW for dynamic entriesno ipv6 redirectsno ipv6 unreachablesipv6 inspect v6FW out #Apply firewall inspection for egress#trafficipv6 virtual-reassembly #Used by firewall to create dynamic ACLs and#protect against various fragmentation#attacks!interface Tunnel4ipv6 traffic-filter INET-WAN-v6 inno ipv6 redirectsno ipv6 unreachablesipv6 inspect v6FW outipv6 virtual-reassembly!interface GigabitEthernet1/0.100ipv6 traffic-filter DATA_LAN-v6 in #Filter permitted traffic coming from#VLANs - OPTIONALno ipv6 redirectsno ipv6 unreachablesipv6 virtual-reassembly!no ip http server!ipv6 access-list MGMT-IN #Management ACL - Permit management access#for cafe::/48 prefix only to the router's#loopbackremark permit mgmt only to loopbackpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1000::BAD1:A001deny ipv6 any any log-input!ipv6 access-list DATA_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1100::/64permit icmp 2001:DB8:CAFE:1100::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1100::64permit ipv6 2001:DB8:CAFE:1100::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list INET-WAN-v6remark PERMIT EIGRP for IPv6permit 88 any anyremark PERMIT PIM for IPv6permit 103 any anyremark PERMIT ALL ICMPv6 PACKETS SOURCED USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT SSH TO LOCAL LOOPBACKpermit tcp any host 2001:DB8:CAFE:1000::BAD1:A001 eq 22remark PERMIT ALL ICMPv6 PACKETS TO LOCAL LOOPBACKpermit icmp any host 2001:DB8:CAFE:1000::BAD1:A001remark PERMIT ALL ICMPv6 PACKETS TO TUNNEL3permit icmp any host 2001:DB8:CAFE:1261::BAD1:A001remark PERMIT ALL ICMPv6 PACKETS TO TUNNEL4permit icmp any host 2001:DB8:CAFE:1271::BAD1:A001remark PERMIT ALL ICMPv6 PACKETS TO DATA VLANpermit icmp any 2001:DB8:CAFE:1100::/64remark PERMIT ALL ICMPv6 PACKETS TO VOICE VLANpermit icmp any 2001:DB8:CAFE:1200::/64remark PERMIT ALL ICMPv6 PACKETS TO PRINTER VLANpermit icmp any 2001:DB8:CAFE:1300::/64remark PERMIT ALL IPv6 PACKETS TO DATA VLANpermit ipv6 any 2001:DB8:CAFE:1100::/64remark PERMIT ALL IPv6 PACKETS TO VOICE VLANpermit ipv6 any 2001:DB8:CAFE:1200::/64remark PERMIT ALL IPv6 PACKETS TO PRINTER VLANpermit ipv6 any 2001:DB8:CAFE:1300::/64deny ipv6 any any logbanner login ^CUnauthorized access to this device and/or network is prohibited.^Cline vty 0 4ipv6 access-class MGMT-IN in #Apply management ACLtransport input ssh #Allow only SSHsw-br1-1interface Vlan100ipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64!ipv6 access-list MGMT-IN #Management ACL - Permit management access#for cafe::/48 prefix only to the switch#VLAN100 interfacepermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1100::BAD2:F126deny ipv6 any any log-input!banner login ^CUnauthorized access to this device and/or network is prohibited.^C!line vty 0 4ipv6 access-class MGMT-IN intransport input sshQoS
The QoS configurations for the single-tier profile are mostly the same for IPv4 and IPv6. In the single-tier branch profile, Network-Based Application Recognition (NBAR) is configured for IPv4 applications. At the time of writing this document, NBAR does not support IPv6 applications, but support for IPv6 is planned. Because of the lack of NBAR awareness of IPv6, ACLs are used to statically define the application type and map the ACL match to a class-map used for setting the appropriate DCSP value.
The following configurations are meant to show where the QoS policies are applied for IPv6 and any specific match/set modifications. The configuration is not annotated because the commands and policy definitions follow Cisco QoS recommended values and are outside the scope of this document. Configuration Examples includes the full QoS configurations for all routers and switches. The Cisco QoS Design Guide can be found at the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book.html.
2800-br1-1
class-map match-any BRANCH-BULK-DATAmatch access-group name BULK-DATA-APPSmatch access-group name BULK-DATA-APPS-V6!class-map match-any BRANCH-TRANSACTIONAL-DATAmatch protocol citrixmatch protocol ldapmatch protocol sqlnetmatch protocol http url "*cisco.com"match protocol custom-01match access-group name BRANCH-TRANSACTIONAL-V6class-map match-any BRANCH-MISSION-CRITICALmatch access-group name MISSION-CRITICAL-SERVERSmatch access-group name MISSION-CRITICAL-V6class-map match-any BRANCH-NET-MGMTmatch protocol snmpmatch protocol syslogmatch protocol telnetmatch protocol nfsmatch protocol dnsmatch protocol icmpmatch protocol tftpmatch access-group name BRANCH-NET-MGMT-V6class-map match-any BRANCH-SCAVENGERmatch protocol napstermatch protocol gnutellamatch protocol fasttrackmatch protocol kazaa2match access-group name BRANCH-SCAVENGER-V6!policy-map BRANCH-WAN-EDGEclass NET-MGMTbandwidth percent 2class MISSION-CRITICAL-DATAbandwidth percent 15random-detect dscp-basedclass TRANSACTIONAL-DATAbandwidth percent 12random-detect dscp-basedclass BULK-DATAbandwidth percent 4random-detect dscp-basedclass SCAVENGERbandwidth percent 1!policy-map BRANCH-LAN-EDGE-INclass BRANCH-MISSION-CRITICALset dscp 25class BRANCH-TRANSACTIONAL-DATAset dscp af21class BRANCH-NET-MGMTset dscp cs2class BRANCH-BULK-DATAset dscp af11class BRANCH-SCAVENGERset dscp cs1class WORMSdropclass class-defaultset dscp default!interface GigabitEthernet0/0description PPPoE for Backupmax-reserved-bandwidth 100 #Overrides the default 75% BW limit.#Required when the total sum of all QoS BW#statements exceeds 75%service-policy output BRANCH-WAN-EDGE!interface GigabitEthernet1/0.100description DATA VLAN for Computersservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface GigabitEthernet1/0.200description to Voice VLAN for IP Phonesservice-policy output BRANCH-LAN-EDGE-OUT!interface GigabitEthernet1/0.300description to Printer VLANservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface Serial0/0/0description to T1 Link Provider (PRIMARY)max-reserved-bandwidth 100service-policy output BRANCH-WAN-EDGE!interface Virtual-Template1max-reserved-bandwidth 100service-policy output BRANCH-WAN-EDGE!interface Dialer1description PPPoE to BB provider (BACKUP)max-reserved-bandwidth 100service-policy output BRANCH-WAN-EDGE!ipv6 access-list BULK-DATA-APPS-V6permit tcp any any eq ftppermit tcp any any eq ftp-datapermit tcp any any eq pop3permit tcp any any eq 143!ipv6 access-list BRANCH-TRANSACTIONAL-V6remark Microsoft RDP traffic-mark dscp af21permit tcp any any eq 3389permit udp any any eq 3389!ipv6 access-list MISSION-CRITICAL-V6remark Data-Center traffic-mark dscp 25permit ipv6 any 2001:DB8:CAFE:10::/64permit ipv6 any 2001:DB8:CAFE:11::/64!ipv6 access-list BRANCH-SCAVENGER-V6remark Gnutella, Kazaa, Doom, iTunes traffic-mark dscp cs1permit tcp any any range 6346 6347permit udp any any range 6346 6347permit tcp any any eq 1214permit tcp any any eq 666permit udp any any eq 666permit tcp any any eq 3689permit udp any any eq 3689!ipv6 access-list BRANCH-NET-MGMT-V6remark Common management traffic plus vmware console-mark dscp cs2permit udp any any eq syslogpermit udp any any eq snmppermit tcp any any eq telnetpermit tcp any any eq 22permit tcp any any eq 2049permit udp any any eq 2049permit tcp any any eq domainpermit udp any any eq tftppermit tcp any any eq 902Multicast
The configuration for IPv6 multicast in the single-tier profile is quite simple. IPv6 multicast design is outside the scope of this document and there are many options that can be selected for PIM, multicast availability and security. In this document, only basic configurations are shown for IPv6 multicast on the 2800-br1-1 router and sw-br1-1 switch. The configurations allow for PIM-SSM or Embedded-RP to be used. The IPv6 multicast streams originate in the data center at the HQ site.
sw-br1-1
ipv6 mld snooping #Globally enable MLD snooping (see following note)2800-br1-1
ipv6 multicast-routing #Globally enable IPv6 multicast routingThe first thing to be aware of is the lack of CLI input required to enable IPv6 multicast when using PIM-SSM or Embedded-RP. If PIM-SSM is used exclusively then the only thing required to enable is "ipv6 multicast-routing" globally which automatically enables PIM on all IPv6-enabled interfaces. This is a dramatic difference from what is required with IPv4 multicast.
Note
SSM-Mapping is not required in this document because the switches fully support MLDv2-Snooping.In the previous example, the Layer-2 switch (sw-br1-1) needs to have IPv6 multicast awareness in order to control the distribution of multicast traffic only on ports that are actively listening. This is accomplished by enabling MLD-Snooping. With MLD-Snooping enabled on the switch and with IPv6 multicast routing enabled on the branch router it can be seen that sw-br1-1 can see 2800-br1-1as a locally attached multicast router.
sw-br1-1# show ipv6 mld snooping mrouterVlan ports---- -----100 Gi1/0/2(dynamic)200 Gi1/0/2(dynamic)300 Gi1/0/2(dynamic)When a group is active on the branch switch, information about the group can be displayed:
sw-br1-1# show ipv6 mld snooping addressVlan Group Type Version Port List-------------------------------------------------------------100 FF35::1111 mld v2 Gi1/0/2On 2800-br1-1, information about PIM, multicast route, RPF and groups can be viewed in much the same was as with IPv4. Here is the output of an active group using PIM-SSM (FF35::1111). This stream is coming in from the HQ data center and going out the VLAN100 (2800-br1-1 G1/0.100) interface:
2800-br1-1# show ipv6 mroute #show ipv6 pim topology can also be usedMulticast Routing TableFlags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,C - Connected, L - Local, I - Received Source Specific Host Report,P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,J - Join SPTTimers: Uptime/ExpiresInterface state: Interface, State(2001:DB8:CAFE:11:2E0:81FF:FE2C:9332, FF35::1111), 00:01:28/00:03:10, flags: sTIIncoming interface: Tunnel3RPF nbr: FE80::230:F2FF:FE15:9C1BImmediate Outgoing interface list:GigabitEthernet1/0.100, Forward, 00:01:28/00:03:02Dual-Tier Implementation
This section focuses on the configuration of the dual-tier profile. The configurations are broken down into specific areas, such as WAN and LAN connectivity, routing, and security. Unlike the single-tier profile, tunneling is not used in the dual-tier profile so the IPv4 configurations and addressing are not shown for any interfaces. The full configuration of the dual-tier routers and switch can be found in Configuration Examples.
Network Topology
Figure 6 serves as a reference for all of the configurations described in the dual-tier profile. It shows the interface and IPv6 addressing layout for the two branch routers and Catalyst switch.
Figure 6 Dual-Tier Profile - Interface/Addressing Layout
Two branch routers (2800-br2-1 and 2800-br2-2) are used with a Catalyst 3560 switch (3560-br2-1) to provide WAN and LAN connectivity for the three VLANs in the branch.
•
•
–
–
–
WAN Configuration
The following WAN configurations are for IPv6 only. The full WAN configurations for both branch routers is shown in Configuration Examples.
2800-br2-1
interface Serial0/1/0encapsulation frame-relay!interface Serial0/1/0.17 point-to-pointdescription TO FRAME-RELAY PROVIDERipv6 address 2001:DB8:CAFE:1262::BAD1:1010/64frame-relay interface-dlci 172800-br2-2interface Serial0/2/0encapsulation frame-relay!interface Serial0/2/0.18 point-to-pointdescription TO FRAME-RELAY PROVIDERipv6 address 2001:DB8:CAFE:1272::BAD1:1020/64frame-relay interface-dlci 18LAN Configuration
The following LAN IPv6 configurations are for 2800-br2-1, 2800-br2-2 and 3560-br2-. The configurations show the trunk links between the routers and the Catalyst 3560 switch and also the interface and VLAN configurations on the switch itself. Also, the DHCP for IPv6 configuration is shown. The IPv6 DHCP pool is used for VLAN 100 (data-only).
HSRPv2 for IPv6 is used between the 2800-br2-1 and 2800-br2-2 routers. 2800-br2-1 is configured to be the active HSRP router. 2800-br2-1 tracks the serial interfaces for HSRP. In the event that the serial link goes down, the router triggers HSRP to switch to standby mode. GLBP for IPv6 is also supported and can be used instead of HSRP. Refer to the Cisco IOS documentation library for more on both HSRP and GLBP for IPv6. One important note on troubleshooting and monitoring HSRP is if "debug standby" commands are enabled, both IPv4 and IPv6 output is shown. This can be bad if the standby hello timers are set to low values and the debug is being output to the console.
In order to optimize the bandwidth utilization of the uplinks, some network administrators like to alternate which router is HSRP active for each VLAN. For instance, the 2800-br2-1 router can be HSRP active for the data (VLAN100) and printer (VLAN300) VLANs and standby for the voice (VLAN200) VLAN. 2800-br2-2 would be HSRP active for the voice (VLAN200) VLAN and standby for VLAN 100 and 300. This works fine and is fully supported with IPv6 as well as IPv4. In the following LAN configuration, the 2800-br1-1 is HSRP active for all three VLANs.
One thing to note is that in the dual-tier profile, many customers deploy the Cisco IOS Firewall for an additional layer of security. If the Cisco IOS Firewall is used, it is important to ensure that non-asymmetrical routing is used. This is important because the upstream packets cause a dynamic ACL to be generated to allow for return traffic. If the return traffic comes back through the second branch router (due to load-balancing), no dynamic ACL exists for the session and the packet is dropped. It is a common best practice to configure the HSRP active interface to have a higher routing preference than that of the standby routers interface for the same prefix. This can be accomplished by lowering the delay on the active router's interface (for example, delay 500). In the dual-tier profile described in this document the Cisco IOS Firewall is not used.
Note
2800-br2-1
ipv6 unicast-routing #Globally enable IPv6 Unicast Routingipv6 cef #Globally enable IPv6 CEF!ipv6 dhcp pool DATA_VISTA #DHCP for IPv6 pool namedns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D #Primary IPv6 DNS server at HQdns-server 2001:DB8:CAFE:10:51A1:5B1:4A85:B3DA #Secondary IPv6 DNS server at HQdomain-name cisco.com #DNS domain name passed to client!interface FastEthernet0/0.100description DATA VLAN for PCsencapsulation dot1Q 100ipv6 address 2001:DB8:CAFE:2100::BAD1:1010/64 #Define the router IPv6 address#for VLAN100ipv6 nd other-config-flag #Set flag in RA to instruct host#how to obtain "other"#information such as domain name#and DNS serveripv6 dhcp server DATA_VISTA #Enables DHCP for IPv6 on this#interfacestandby version 2 #Enable HSRPv2 - required for#IPv6 supportstandby 201 ipv6 autoconfig #HSRP standby address is auto-#generated by IOSstandby 201 priority 120 #Increase priority to force this#router to be "active" routerstandby 201 preempt delay minimum 30 #Delay going to active from#standby state for 30 seconds#(allows for device/routing#stability before becoming#active)standby 201 authentication ese #Enable HSRPv2 authentication for#group 201standby 201 track Serial0/1/0.17 90 #Track the frame-relay link.!interface FastEthernet0/0.200description Voice VLAN for IP Phonesencapsulation dot1Q 200ipv6 address 2001:DB8:CAFE:2200::BAD1:1010/64standby version 2standby 202 ipv6 autoconfigstandby 202 priority 120standby 202 preempt delay minimum 30standby 202 authentication esestandby 202 track Serial0/1/0.17 90!interface FastEthernet0/0.300description PRINTER VLANencapsulation dot1Q 300ipv6 address 2001:DB8:CAFE:2300::BAD1:1010/64standby version 2standby 203 ipv6 autoconfigstandby 203 priority 120standby 203 preempt delay minimum 30standby 203 authentication esestandby 203 track Serial0/1/0.17 902800-br2-2
ipv6 unicast-routingipv6 cef!ipv6 dhcp pool DATA_VISTAprefix-delegation 2001:DB8:CAFE:2100::/64 00030001000F8F373B70dns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25Ddns-server 2001:DB8:CAFE:10:51A1:5B1:4A85:B3DAdomain-name cisco.com!interface FastEthernet0/0.100description DATA VLAN for Computersencapsulation dot1Q 100ipv6 address 2001:DB8:CAFE:2100::BAD1:1020/64ipv6 nd other-config-flagipv6 dhcp server DATA_VISTAstandby version 2standby 201 ipv6 autoconfigstandby 201 preemptstandby 201 authentication ese!interface FastEthernet0/0.200description to Voice VLAN for IP Phonesencapsulation dot1Q 200ipv6 address 2001:DB8:CAFE:2200::BAD1:1020/64standby version 2standby 202 ipv6 autoconfigstandby 202 preemptstandby 202 authentication ese!interface FastEthernet0/0.300description to Printer VLANencapsulation dot1Q 300ipv6 address 2001:DB8:CAFE:2300::BAD1:1020/64standby version 2standby 203 ipv6 autoconfigstandby 203 preemptstandby 203 authentication ese3560-br2-1
vtp domain ese_branchvtp mode transparent!spanning-tree mode rapid-pvstspanning-tree loopguard defaultspanning-tree portfast bpduguard defaultno spanning-tree optimize bpdu transmissionspanning-tree extend system-id!vlan internal allocation policy ascending!vlan 100name DATA!vlan 200name VOICE!vlan 300name PRINTERS!interface FastEthernet0/1description to 2800-br2-1 TRUNKswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 100,200,300switchport mode trunkload-interval 30!interface FastEthernet0/2description to 2800-br2-2 TRUNKswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 100,200,300switchport mode trunkload-interval 30!interface FastEthernet0/4description phone with PC connected to phoneswitchport access vlan 100switchport mode accessswitchport voice vlan 200load-interval 30spanning-tree portfastspanning-tree bpduguard enable!interface Vlan100description VLAN100 for PCs and Switch managementipv6 address 2001:DB8:CAFE:2100::BAD2:F126/64 #IPv6 address used for mgmt on#3560-br2-1Routing
EIGRP for IPv6 is used on both Frame Relay links to the HQ site and also on all LAN interfaces.
2800-br2-1
ipv6 unicast-routing #Enable IPv6 unicast routing (reminder only -#this was enabled in the previous LAN#configuration section)!key chain ESE #Enable EIGRP Authentication key chainkey 1key-string 7 04490A0808245E!interface Loopback0ip address 10.124.102.1 255.255.255.255ipv6 address 2001:DB8:CAFE:2000::BAD1:1010/128ipv6 eigrp 1 #Enable EIGRP for IPv6 on interface!interface FastEthernet0/0.100description DATA VLAN for PCsipv6 eigrp 1!interface FastEthernet0/0.200description Voice VLAN for IP Phonesipv6 eigrp 1!interface FastEthernet0/0.300description PRINTER VLANipv6 eigrp 1!interface Serial0/1/0.17 point-to-pointdescription TO FRAME-RELAY PROVIDERipv6 eigrp 1ipv6 hold-time eigrp 1 35 #Adjust the hold time for EIGRPipv6 authentication mode eigrp 1 md5 #Authentication type of MD5ipv6 authentication key-chain eigrp 1 ESE #Enables authentication of EIGRP for#IPv6 packets using key-chain "ESE"!ipv6 router eigrp 1 #Router configuration mode - process 1router-id 10.124.102.1 #Set RID - Loopback0stub connected summary #This branch is a stubno shutdown #Process is shutdown by default -#enable itpassive-interface FastEthernet0/0.100 #Do not attempt adjacencies out any#interfaces except S0/1/0.17 ("passive-#interface default" can be used alsopassive-interface FastEthernet0/0.200passive-interface FastEthernet0/0.300passive-interface Loopback02800-br2-2
ipv6 unicast-routing!key chain ESEkey 1key-string 7 04490A0808245E!interface Loopback0ip address 10.124.102.2 255.255.255.255ipv6 address 2001:DB8:CAFE:2000::BAD1:1020/128ipv6 eigrp 1!interface FastEthernet0/0.100description DATA VLAN for PCsipv6 eigrp 1!interface FastEthernet0/0.200description Voice VLAN for IP Phonesipv6 eigrp 1!interface FastEthernet0/0.300description PRINTER VLANipv6 eigrp 1!interface Serial0/2/0.18 point-to-pointdescription TO FRAME-RELAY PROVIDERipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESE!ipv6 router eigrp 1router-id 10.124.102.2stub connected summaryno shutdownpassive-interface FastEthernet0/0.100passive-interface FastEthernet0/0.200passive-interface FastEthernet0/0.300passive-interface Loopback03560-br2-1
ipv6 route ::/0 Vlan100 FE80::5:73FF:FEA0:C9 #Default route out VLAN100 to the#HSRP VIP address used on 2800-#br2-1 and 2800-br2-2The output for the show standby command on 2800-br2-1 follows. The standby address for the VLAN100 interface used by both branch routers is indicated by the arrow.
FastEthernet0/0.100 - Group 201 (version 2)State is Active2 state changes, last state change 02:34:56Virtual IP address is FE80::5:73FF:FEA0:C9Active virtual MAC address is 0005.73a0.00c9Local virtual MAC address is 0005.73a0.00c9 (v2 IPv6 default)Hello time 3 sec, hold time 10 secNext hello sent in 2.872 secsAuthentication text "ese"Preemption enabled, delay min 30 secsActive router is localStandby router is FE80::20F:8FFF:FE37:3B70, priority 100 (expires in 8.548 sec)Priority 120 (configured 120)Track interface Serial0/1/0.17 state Up decrement 90IP redundancy name is "hsrp-Fa0/0.100-201" (default)Security
The focus of the security configuration for IPv6 is to protect the infrastructure (router and switch). The profiles described in this document are protected by a comprehensive security policy and design at the HQ site. In addition to the security elements at the HQ, the following considerations are made for the dual-tier profile:
•
•
•
2800-br2-1
interface FastEthernet0/0.100description DATA VLAN for PCsipv6 traffic-filter DATA_LAN-v6 in #Filter permitted traffic coming from#VLANs - OPTIONALno ipv6 redirectsno ipv6 unreachables!interface Serial0/1/0.17 point-to-pointdescription TO FRAME-RELAY PROVIDERno ipv6 redirectsno ipv6 unreachables!no ip http server!ipv6 access-list MGMT-IN #Management ACL - Permit management access#for cafe::/48 prefix only to the router's#loopbackremark permit mgmt only to loopbackpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:2000::BAD1:1010deny ipv6 any any log-input!ipv6 access-list DATA_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::/64permit icmp 2001:DB8:CAFE:2100::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::64permit ipv6 2001:DB8:CAFE:2100::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark PERMIT ALL PIM PACKETS FROM OTHER BRANCH ROUTERpermit 103 FE80::/16 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!banner login ^CUnauthorized access to this device and/or network is prohibited.^Cline vty 0 4ipv6 access-class MGMT-IN in #Apply management ACLtransport input ssh #Allow only SSH2800-br2-2
interface FastEthernet0/0.100description DATA VLAN for PCsipv6 traffic-filter DATA_LAN-v6 inno ipv6 redirectsno ipv6 unreachables!interface Serial0/2/0.18 point-to-pointdescription TO FRAME-RELAY PROVIDERno ipv6 redirectsno ipv6 unreachables!no ip http server!ipv6 access-list MGMT-INremark permit mgmt only to loopbackpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:2000::BAD1:1020deny ipv6 any any log-input!ipv6 access-list DATA_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::/64permit icmp 2001:DB8:CAFE:2100::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::64permit ipv6 2001:DB8:CAFE:2100::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark PERMIT ALL PIM PACKETS FROM OTHER BRANCH ROUTERpermit 103 FE80::/16 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!banner login ^CUnauthorized access to this device and/or network is prohibited.^Cline vty 0 4ipv6 access-class MGMT-IN intransport input ssh3560-br2-1.
interface Vlan100ipv6 address 2001:DB8:CAFE:2100::BAD2:F126/64!ipv6 access-list MGMT-INpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:2100::BAD2:F126deny ipv6 any any log-input!banner login ^CUnauthorized access to this device and/or network is prohibited.^C!line vty 0 4ipv6 access-class MGMT-IN intransport input sshQoS
The QoS configurations for the dual-tier profile are exactly the same as for the single-tier profile except for where the QoS policies are applied at the interface level. In the dual-tier profile a Frame Relay link is used. The following configuration shows the QoS layout for the serial interface with Frame Relay.
Refer to the single-tier profile QoS section for the policy examples. The following configurations are meant to show what interfaces have QoS policies applied.
2800-br2-1
interface FastEthernet0/0.100description DATA VLAN for PCsservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.200description Voice VLAN for IP Phonesservice-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.300description PRINTER VLANservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface Serial0/1/0.17 point-to-pointdescription TO FRAME-RELAY PROVIDERframe-relay interface-dlci 17class QOS-BR2-MAP #Binds the map-class to the FR DLCI!map-class frame-relay QOS-BR2-MAPservice-policy output WAN-EDGE-FRTS #Attaches nested MQC policies to map-class!policy-map WAN-EDGE-FRTSclass class-defaultshape average 1460000 14600 0 #Enabled MQC-Based FRTSservice-policy BRANCH-WAN-EDGE #Queues packets headed to the shaper2800-br2-2
interface FastEthernet0/0.100description DATA VLAN for PCsservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.200description Voice VLAN for IP Phonesservice-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.300description PRINTER VLANservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface Serial0/2/0.18 point-to-pointdescription TO FRAME-RELAY PROVIDERframe-relay interface-dlci 18class QOS-BR2-MAP!map-class frame-relay QOS-BR2-MAPservice-policy output WAN-EDGE-FRTS!policy-map WAN-EDGE-FRTSclass class-defaultshape average 1460000 14600 0service-policy BRANCH-WAN-EDGEMulticast
The configuration for IPv6 multicast in the dual-tier profile is exactly the same as in the single-tier profile. Refer to the IPv6 multicast configuration in the single-tier implementation section for details. Configuration Examples contains the IPv6 multicast configuration for all dual-tier profile devices.
Conclusion
This document describes how to deploy IPv6 in the branch network. The branch profiles described were the single-tier and dual-tier. The configurations were mostly based on the existing Cisco branch design best practices. The profiles described are certainly not the only ways to deploy IPv6 in this environment, but they provide options that can be leveraged based on the branch environment.
Future Work
This document is one of several in a series that are focused on providing basic IPv6 implementation guidance for enterprise customers. Similar documents will be published, analyzing the deployment of IPv6 in the campus, WAN, data center, and enterprise edge.
This document is a "living document" and changes will be made to it as features mature. It is the goal, however, to fully integrate IPv6 into all enterprise architecture design guides where IPv6 will become another baseline component. This provides a single reference location to learn the latest design best practices for every area of the enterprise instead of reading about one technology or design after another in completely separate papers. Enterprise architecture design guides can be found at http://www.cisco.com/en/US/netsol/ns742/networking_solutions_program_category_home.html.
References
There have been many notes and disclaimers in this document that describe the need to fully understand the technology and protocol aspects of IPv6. There are many design considerations associated with the implementation of IPv6 to include, security, QoS, availability, management, IT training and application support.
This section provides additional resources for IPv6, Cisco design recommendations, products and solutions, and industry activity.
Recommended Reading
This section lists references that provide more information on the topics covered in this document.
Cisco-Specific Links
This section provides links that are specific to Cisco Systems, Inc.
•
•
•
•
•
•
•
•
Microsoft IPv6 Links
This section provides links that are specific to Microsoft Corporation.
•
•
IPv6 Industry Links
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Enterprise Design Architecture Reference
For information about the enterprise design architecture, refer to the following documents:
•
http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/EnBrOver.html
•
http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html
Configuration Examples
This section contains the full configurations of the routers and switches used in the single-tier and dual-tier profiles. Some configurations are shown only once as their configuration is identical across all profiles in this paper. To reduce the page count, unused or shutdown interfaces are removed from the configurations.
Single-Tier Profile
This section provides configuration examples for the single-tier profile.
2800-br1-1
version 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryption!hostname 2800-br1-1!boot-start-markerboot system flash:c2800nm-adventerprisek9-mz.124-6.T2.binboot-end-marker!security authentication failure rate 3 loglogging countlogging buffered 8192 debugginglogging rate-limit 5enable secret 5 $1$ezo2$g3aYrFW2Zeq.kLYRvva4u0!no aaa new-model!resource policy!clock timezone mst -7no network-clock-participate wic 0no ip source-route!ip nbar port-map custom-03 tcp 5554 9996ip nbar port-map custom-02 udp 1434ip nbar port-map custom-01 tcp 3200 3201 3202 3203 3600ip nbar port-map netbios udp 135 137 138 139 445ip nbar port-map netbios tcp 137 139 445ip cefip dhcp relay information trust-allno ip dhcp use vrf connected!ip dhcp pool DATA_LANnetwork 10.124.1.0 255.255.255.128dns-server 10.121.10.7default-router 10.124.1.1domain-name cisco.com!ip dhcp pool VOICE_LANnetwork 10.125.1.0 255.255.255.0dns-server 10.121.10.7default-router 10.125.1.1option 150 ip 10.121.10.7domain-name cisco.com!ip dhcp pool PRINTER_LANnetwork 10.124.1.128 255.255.255.128dns-server 10.121.10.7default-router 10.124.1.129!ip ftp source-interface Loopback0ip ftp username ciscoip ftp password 7 071D2042490C0Bno ip bootp serverno ip domain lookupip domain name cisco.comip multicast-routingip ssh time-out 60ip ssh authentication-retries 2ip ssh source-interface Loopback0no ip port-map telnet port tcp 23 description Telnetip inspect one-minute high 2000ip inspect tcp max-incomplete host 100 block-time 0ip inspect name FW appfw APPFWip inspect name FW tcp router-trafficip inspect name FW udp router-trafficip inspect name FW dnsip inspect name FW icmpip inspect name FW kazaaip inspect name FW netbios-dgmip inspect name FW netbios-nsip inspect name FW netbios-ssnip inspect name FW sship inspect name FW telnet alert onip inspect name FW http java-list 10 alert onip inspect name FW httpsip inspect name FW ftpip inspect name FW parameter max-sessions 1000ip ips sdf location flash://sdmips.sdfip ips deny-action ips-interfaceip ips notify SDEEip ips signature 1107 0 disableip ips signature 2000 0 disableip ips signature 2001 0 disableip ips name ceblogin block-for 30 attempts 3 within 200login delay 2vpdn enable!appfw policy-name APPFWapplication httpport-misuse default action allow alarmrequest-method rfc default action allow alarmtimeout 60application im yahooservice default action allow alarmapplication im msnserver deny name msn.cisco.comtimeout 60alert onapplication im aolservice text-chat action allow alarm!ipv6 unicast-routingipv6 cefipv6 inspect one-minute high 2000ipv6 inspect hashtable-size 2039ipv6 inspect tcp max-incomplete host 100 block-time 0ipv6 inspect name v6FW tcpipv6 inspect name v6FW icmpipv6 inspect name v6FW ftpipv6 inspect name v6FW udpipv6 dhcp pool DATA_VISTAdns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25Ddns-server 2001:DB8:CAFE:10:51A1:5B1:4A85:B3DAdomain-name cisco.com!ipv6 multicast-routing!voice-card 0no dspfarm!!key chain ESEkey 1key-string 7 111B180B101719!crypto pki trustpoint TP-self-signed-1729957883enrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-1729957883revocation-check nonersakeypair TP-self-signed-1729957883!crypto pki certificate chain TP-self-signed-1729957883certificate self-signed 013082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 0405003031312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 4365727469666963 6174652D 31373239 39353738 3833301E 170D3036 30363134 3135343233375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 031326494F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 3732393935373838 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 818902818100D428 80941683 0170D8DE 030D2C3C 33A07D6F 6CD1C01F E5356009 24ED5755D7485842 1C02DB49 A2A51B2B 5A68D212 898A916A A3458FA1 38E6994C F571513035AB574D FC8A0C23 6E397EDB 4AAE2A38 1A2CC8D5 547B3745 83D11BCE 69E7F491090137C4 EA5863C0 2ABB64AF F985967A 2B170738 F4BF28B6 56009BA5 BEEC7C1E94350203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603551D1104 18301682 14323835 312D6272 312D312E 63697363 6F2E636F 6D301F0603551D23 04183016 801497B3 EB034DE7 C5481685 6DF51BA1 9C26CFD4 DA17301D0603551D 0E041604 1497B3EB 034DE7C5 4816856D F51BA19C 26CFD4DA 17300D06092A8648 86F70D01 01040500 03818100 92D03B85 6E53F61E 3FD536AD 0B5C2C9425E6A607 DD31170F 236B50F3 8A77685A 548164EC 022D262A EC26695F A26584EB469EA2AE 52878DA3 18A35708 BE9A1184 59D65E6B 652D8B6F E4392602 2E82F88FB57277C5 C4DE7908 82844EEA 06D079C1 B8190635 3268AEE8 A196FB1A A606C35C484DC275 D0F47913 1157FC30 BAFEAE13quitusername cisco privilege 15 secret 5 $1$4ycA$NSpAnrOgeAIKX/jdDEsfB0!class-map match-any BRANCH-BULK-DATAmatch access-group name BULK-DATA-APPSmatch access-group name BULK-DATA-APPS-V6class-map match-all SQL-SLAMMERmatch protocol custom-02match packet length min 404 max 404class-map match-all BULK-DATAmatch dscp af11 af12class-map match-all INTERACTIVE-VIDEOmatch dscp af41 af42class-map match-any CALL-SIGNALLINGmatch dscp cs3match dscp af31class-map match-any BRANCH-TRANSACTIONAL-DATAmatch protocol citrixmatch protocol ldapmatch protocol sqlnetmatch protocol http url "*cisco.com"match protocol custom-01match access-group name BRANCH-TRANSACTIONAL-V6class-map match-any BRANCH-MISSION-CRITICALmatch access-group name MISSION-CRITICAL-SERVERSmatch access-group name MISSION-CRITICAL-V6class-map match-any WORMSmatch protocol http url "*.ida*"match protocol http url "*cmd.exe*"match protocol http url "*root.exe*"match protocol http url "*readme.eml*"match class-map SQL-SLAMMERmatch protocol exchangematch protocol netbiosmatch protocol custom-03class-map match-all VOICEmatch dscp efclass-map match-all MISSION-CRITICAL-DATAmatch dscp 25class-map match-any BRANCH-NET-MGMTmatch protocol snmpmatch protocol syslogmatch protocol telnetmatch protocol nfsmatch protocol dnsmatch protocol icmpmatch protocol tftpmatch access-group name BRANCH-NET-MGMT-V6class-map match-all ROUTINGmatch dscp cs6class-map match-all SCAVENGERmatch dscp cs1class-map match-all NET-MGMTmatch dscp cs2class-map match-any BRANCH-SCAVENGERmatch protocol napstermatch protocol gnutellamatch protocol fasttrackmatch protocol kazaa2match access-group name BRANCH-SCAVENGER-V6class-map match-all TRANSACTIONAL-DATAmatch dscp af21 af22!policy-map BRANCH-LAN-EDGE-OUTclass class-defaultset cos dscppolicy-map BRANCH-WAN-EDGEclass VOICEpriority percent 18class INTERACTIVE-VIDEOpriority percent 15class CALL-SIGNALLINGbandwidth percent 5class ROUTINGbandwidth percent 3class NET-MGMTbandwidth percent 2class MISSION-CRITICAL-DATAbandwidth percent 15random-detect dscp-basedclass TRANSACTIONAL-DATAbandwidth percent 12random-detect dscp-basedclass BULK-DATAbandwidth percent 4random-detect dscp-basedclass SCAVENGERbandwidth percent 1class class-defaultbandwidth percent 25random-detectpolicy-map BRANCH-LAN-EDGE-INclass BRANCH-MISSION-CRITICALset dscp 25class BRANCH-TRANSACTIONAL-DATAset dscp af21class BRANCH-NET-MGMTset dscp cs2class BRANCH-BULK-DATAset dscp af11class BRANCH-SCAVENGERset dscp cs1class WORMSdropclass class-defaultset dscp default!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key CISCO address 172.17.1.3crypto isakmp key SYSTEMS address 172.17.1.4crypto isakmp key SYSTEMS address 0.0.0.0 0.0.0.0crypto isakmp keepalive 10!crypto ipsec transform-set brb esp-3des esp-sha-hmaccrypto ipsec transform-set brb-back esp-3des esp-sha-hmaccrypto ipsec transform-set HE1 esp-3des esp-sha-hmaccrypto ipsec transform-set HE2 esp-3des esp-sha-hmac!crypto ipsec profile dmvpnset security-association lifetime seconds 300set transform-set brb!crypto ipsec profile dmvpn-backset security-association lifetime seconds 300set transform-set brb-back!crypto map IPv6-HE1 local-address Serial0/0/0crypto map IPv6-HE1 1 ipsec-isakmpset peer 172.17.1.3set transform-set HE1match address VPN-TO-HE1!crypto map IPv6-HE2 local-address Loopback0crypto map IPv6-HE2 1 ipsec-isakmpset peer 172.17.1.4set transform-set HE2match address VPN-TO-HE2!interface Tunnel1description DMVPN to HQ Head-end 1ip address 10.126.1.2 255.255.255.0ip access-group INET inno ip redirectsno ip unreachablesno ip proxy-arpip mtu 1400ip hold-time eigrp 10 35no ip next-hop-self eigrp 10ip pim nbma-modeip pim sparse-modeip nhrp authentication secretip nhrp map multicast dynamicip nhrp map multicast 172.17.1.3ip nhrp map 10.126.1.1 172.17.1.3ip nhrp network-id 10203ip nhrp nhs 10.126.1.1ip inspect FW outip ips ceb inip virtual-reassemblyip route-cache flowno ip split-horizon eigrp 10load-interval 30delay 500no ipv6 mfib forwardingno clns route-cachetunnel source 172.16.1.2tunnel mode gre multipointtunnel key 123tunnel protection ipsec profile dmvpn!interface Tunnel2description DMVPN to HQ Head-end 2ip address 10.127.1.2 255.255.255.0ip access-group INET-BACK inno ip unreachablesno ip proxy-arpip mtu 1400ip hold-time eigrp 10 35no ip next-hop-self eigrp 10ip pim nbma-modeip pim sparse-modeip nhrp authentication secretip nhrp map multicast dynamicip nhrp map multicast 172.17.1.4ip nhrp map 10.127.1.1 172.17.1.4ip nhrp network-id 30201ip nhrp nhs 10.127.1.1ip inspect FW outip ips ceb inip virtual-reassemblyip route-cache flowno ip split-horizon eigrp 10load-interval 30delay 2000no clns route-cachetunnel source Dialer1tunnel destination 172.17.1.4tunnel key 321tunnel protection ipsec profile dmvpn-back!interface Tunnel3description IPv6 tunnel to HQ Head-end 1no ip addressload-interval 30delay 500ipv6 address 2001:DB8:CAFE:1261::BAD1:A001/64ipv6 traffic-filter INET-WAN-v6 inipv6 mtu 1400no ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESEipv6 inspect v6FW outipv6 virtual-reassemblytunnel source Serial0/0/0tunnel destination 172.17.1.3tunnel mode ipv6ip!interface Tunnel4description IPv6 tunnel to HQ Head-end 2no ip addressload-interval 30delay 2000ipv6 address 2001:DB8:CAFE:1271::BAD1:A001/64ipv6 traffic-filter INET-WAN-v6 inipv6 mtu 1400no ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESEipv6 inspect v6FW outipv6 virtual-reassemblytunnel source Loopback0tunnel destination 172.17.1.4tunnel mode ipv6ip!interface Null0no ip unreachables!interface Loopback0ip address 10.124.100.1 255.255.255.255no ip redirectsno ip unreachablesno ip proxy-arpip virtual-reassemblyip route-cache flowipv6 address 2001:DB8:CAFE:1000::BAD1:A001/128no ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1ipv6 virtual-reassembly!interface GigabitEthernet0/0description PPPoE for Backupno ip addressno ip redirectsno ip unreachablesno ip proxy-arpip ips ceb inip virtual-reassemblyload-interval 30duplex halfspeed 10pppoe enablepppoe-client dial-pool-number 1max-reserved-bandwidth 100service-policy output BRANCH-WAN-EDGE!interface GigabitEthernet1/0description to INTERNAL SW-BR1-1ip address 1.1.1.1 255.255.255.0no ip redirectsno ip unreachablesno ip proxy-arpip route-cache flowduplex autospeed auto!interface GigabitEthernet1/0.100description DATA VLAN for Computersencapsulation dot1Q 100ip address 10.124.1.1 255.255.255.128ip access-group LANout inno ip redirectsno ip unreachablesno ip proxy-arpip flow ingressip ips ceb inip virtual-reassemblyip policy route-map no_splitno snmp trap link-statusipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64ipv6 traffic-filter DATA_LAN-v6 inno ipv6 redirectsno ipv6 unreachablesipv6 nd other-config-flagipv6 eigrp 1ipv6 dhcp server DATA_VISTAipv6 virtual-reassemblyservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface GigabitEthernet1/0.200description to Voice VLAN for IP Phonesencapsulation dot1Q 200ip address 10.125.1.1 255.255.255.0ip access-group VOICEout inno ip redirectsno ip unreachablesno ip proxy-arpip flow ingressip ips ceb inip virtual-reassemblyip policy route-map no_splitno snmp trap link-statusipv6 address 2001:DB8:CAFE:1200::BAD1:A001/64ipv6 traffic-filter VOICE_LAN-v6 inno ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1ipv6 virtual-reassemblyservice-policy output BRANCH-LAN-EDGE-OUT!interface GigabitEthernet1/0.300description to Printer VLANencapsulation dot1Q 300ip address 10.124.1.129 255.255.255.128ip access-group PRINTERout inno ip redirectsno ip unreachablesno ip proxy-arpip flow ingressip ips ceb inip virtual-reassemblyip policy route-map no_splitno snmp trap link-statusipv6 address 2001:DB8:CAFE:1300::BAD1:A001/64ipv6 traffic-filter PRINTER_LAN-v6 inno ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1ipv6 virtual-reassemblyservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface Serial0/0/0description to T1 Link Provider (PRIMARY)ip address 172.16.1.2 255.255.255.252ip access-group WAN-link inip verify unicast reverse-pathno ip redirectsno ip unreachablesno ip proxy-arpip nbar protocol-discoveryip ips ceb inip virtual-reassemblyip route-cache flowload-interval 30no ipv6 mfib forwardingclock rate 2016000dce-terminal-timing-enablecrypto map IPv6-HE1max-reserved-bandwidth 100service-policy output BRANCH-WAN-EDGE!interface Virtual-Template1no ip addressmax-reserved-bandwidth 100service-policy output BRANCH-WAN-EDGE!interface Dialer1description PPPoE to BB providerip address negotiatedip verify unicast reverse-pathno ip redirectsno ip unreachablesno ip proxy-arpip mtu 1400ip nbar protocol-discoveryip ips ceb inip virtual-reassemblyencapsulation pppip route-cache flowload-interval 30dialer pool 1dialer-group 1no cdp enableppp authentication chap callinppp chap hostname 2800-br1-1@cisco.comppp chap password 7 095E4F071E0005crypto map IPv6-HE2max-reserved-bandwidth 100service-policy output BRANCH-WAN-EDGE!router eigrp 10passive-interface GigabitEthernet0/1.100passive-interface GigabitEthernet0/1.200passive-interface GigabitEthernet0/1.300network 10.0.0.0no auto-summaryeigrp stub connected summary!ip route 0.0.0.0 0.0.0.0 Serial0/0/0ip route 0.0.0.0 0.0.0.0 Dialer1 200!no ip http server!ip access-list extended BULK-DATA-APPSpermit tcp any any eq ftppermit tcp any any eq ftp-datapermit tcp any any eq pop3permit tcp any any eq 143ip access-list extended INETpermit eigrp any anypermit icmp any 10.126.1.0 0.0.0.255permit icmp any 10.126.1.0 0.0.0.255 packet-too-bigpermit icmp any 10.126.1.0 0.0.0.255 unreachablepermit icmp any 10.126.1.0 0.0.0.255 echo-replypermit icmp any 10.126.1.0 0.0.0.255 time-exceededpermit icmp any 10.124.100.0 0.0.0.255permit icmp any 10.124.100.0 0.0.0.255 packet-too-bigpermit icmp any 10.124.100.0 0.0.0.255 unreachablepermit icmp any 10.124.100.0 0.0.0.255 echo-replypermit icmp any 10.124.100.0 0.0.0.255 time-exceededpermit icmp any 10.124.1.0 0.0.0.255permit icmp any 10.124.1.0 0.0.0.255 packet-too-bigpermit icmp any 10.124.1.0 0.0.0.255 unreachablepermit icmp any 10.124.1.0 0.0.0.255 echo-replypermit icmp any 10.124.1.0 0.0.0.255 time-exceededpermit icmp any 10.125.1.0 0.0.0.127permit icmp any 10.125.1.0 0.0.0.127 packet-too-bigpermit icmp any 10.125.1.0 0.0.0.127 unreachablepermit icmp any 10.125.1.0 0.0.0.127 echo-replypermit icmp any 10.125.1.0 0.0.0.127 time-exceededpermit udp any host 10.124.100.1 eq ntppermit tcp any host 10.124.100.1 eq telnetpermit tcp any host 10.124.100.1 eq 22permit ip any 10.125.1.0 0.0.0.255permit ip any 10.124.1.0 0.0.0.255permit ip any 10.126.1.0 0.0.0.255deny ip host 255.255.255.255 anydeny ip any any logip access-list extended INET-BACKpermit eigrp any anypermit icmp any 10.127.1.0 0.0.0.255permit icmp any 10.127.1.0 0.0.0.255 packet-too-bigpermit icmp any 10.127.1.0 0.0.0.255 unreachablepermit icmp any 10.127.1.0 0.0.0.255 echo-replypermit icmp any 10.127.1.0 0.0.0.255 time-exceededpermit icmp any 10.124.100.0 0.0.0.255permit icmp any 10.124.100.0 0.0.0.255 packet-too-bigpermit icmp any 10.124.100.0 0.0.0.255 unreachablepermit icmp any 10.124.100.0 0.0.0.255 echo-replypermit icmp any 10.124.100.0 0.0.0.255 time-exceededpermit icmp any 10.124.1.0 0.0.0.255permit icmp any 10.124.1.0 0.0.0.255 packet-too-bigpermit icmp any 10.124.1.0 0.0.0.255 unreachablepermit icmp any 10.124.1.0 0.0.0.255 echo-replypermit icmp any 10.124.1.0 0.0.0.255 time-exceededpermit icmp any 10.125.1.0 0.0.0.127permit icmp any 10.125.1.0 0.0.0.127 packet-too-bigpermit icmp any 10.125.1.0 0.0.0.127 unreachablepermit icmp any 10.125.1.0 0.0.0.127 echo-replypermit icmp any 10.125.1.0 0.0.0.127 time-exceededpermit udp any host 10.124.100.1 eq ntppermit tcp any host 10.124.100.1 eq telnetpermit tcp any host 10.124.100.1 eq 22permit ip any 10.125.1.0 0.0.0.255permit ip any 10.124.1.0 0.0.0.255permit ip any 10.127.1.0 0.0.0.255deny ip host 255.255.255.255 anydeny ip any any logip access-list extended LANoutpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.124.1.0 0.0.0.127 anydeny ip any any logip access-list extended MGMT-IN-v4permit tcp 10.120.0.0 0.0.255.255 anypermit tcp 10.121.0.0 0.0.255.255 anypermit tcp 10.122.0.0 0.0.255.255 anydeny ip any any log-inputip access-list extended MISSION-CRITICAL-SERVERSpermit ip any 10.121.10.0 0.0.0.255permit ip any 10.121.11.0 0.0.0.255permit ip any 10.121.12.0 0.0.0.255ip access-list extended PPPoE-BACKpermit esp any anypermit gre any anypermit udp host 172.17.1.4 any eq isakmppermit icmp host 172.17.1.4 anypermit icmp host 172.17.1.4 any packet-too-bigpermit icmp host 172.17.1.4 any unreachablepermit icmp any any echo-replypermit icmp any any time-exceededdeny tcp any anydeny udp any anydeny ip host 255.255.255.255 anydeny ip any anyip access-list extended PRINTERoutpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.124.1.128 0.0.0.127 anydeny ip any anyip access-list extended VOICEoutpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.125.1.0 0.0.0.127 anydeny ip any anyip access-list extended VPN-TO-HE1permit 41 host 172.16.1.2 host 172.17.1.3ip access-list extended VPN-TO-HE2permit 41 host 10.124.100.1 host 172.17.1.4ip access-list extended WAN-linkpermit esp any anypermit gre any anypermit udp any host 172.16.1.2 eq isakmppermit icmp any host 172.16.1.2permit icmp any host 172.16.1.2 packet-too-bigpermit icmp any host 172.16.1.2 unreachablepermit udp any host 10.124.100.1 eq isakmppermit icmp any host 10.124.100.1permit icmp any host 10.124.100.1 packet-too-bigpermit icmp any host 10.124.100.1 unreachablepermit icmp any any echo-replypermit icmp any any time-exceededdeny tcp any anydeny udp any anydeny ip host 255.255.255.255 anydeny ip any anyip access-list extended WAN_TRAFFICdeny ip any 10.124.1.0 0.0.0.255deny ip any 10.125.1.0 0.0.0.127permit ip any any!access-list 10 permit 10.126.1.0access-list 10 permit 172.16.1.0dialer-list 1 protocol ip permit!ipv6 router eigrp 1router-id 10.124.100.1stub connected summaryno shutdownpassive-interface GigabitEthernet1/0.100passive-interface GigabitEthernet1/0.200passive-interface GigabitEthernet1/0.300passive-interface Loopback0!route-map no_split permit 10match ip address WAN_TRAFFICset ip next-hop 172.17.100.3 172.17.100.4!ipv6 access-list MGMT-INremark permit mgmt only to loopbackpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1000::BAD1:A001deny ipv6 any any log-input!ipv6 access-list DATA_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1100::/64permit icmp 2001:DB8:CAFE:1100::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1100::64permit ipv6 2001:DB8:CAFE:1100::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list VOICE_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1200::/64permit icmp 2001:DB8:CAFE:1200::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1200::64permit ipv6 2001:DB8:CAFE:1200::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list PRINTER_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1300::/64permit icmp 2001:DB8:CAFE:1300::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1300::64permit ipv6 2001:DB8:CAFE:1300::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list INET-WAN-v6remark PERMIT EIGRP for IPv6permit 88 any anyremark PERMIT PIM for IPv6permit 103 any anyremark PERMIT ALL ICMPv6 PACKETS SOURCED USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT SSH TO LOCAL LOOPBACKpermit tcp any host 2001:DB8:CAFE:1000::BAD1:A001 eq 22remark PERMIT ALL ICMPv6 PACKETS TO LOCAL LOOPBACKpermit icmp any host 2001:DB8:CAFE:1000::BAD1:A001remark PERMIT ALL ICMPv6 PACKETS TO TUNNEL3permit icmp any host 2001:DB8:CAFE:1261::BAD1:A001remark PERMIT ALL ICMPv6 PACKETS TO TUNNEL4permit icmp any host 2001:DB8:CAFE:1271::BAD1:A001remark PERMIT ALL ICMPv6 PACKETS TO DATA VLANpermit icmp any 2001:DB8:CAFE:1100::/64remark PERMIT ALL ICMPv6 PACKETS TO VOICE VLANpermit icmp any 2001:DB8:CAFE:1200::/64remark PERMIT ALL ICMPv6 PACKETS TO PRINTER VLANpermit icmp any 2001:DB8:CAFE:1300::/64remark PERMIT ALL IPv6 PACKETS TO DATA VLANpermit ipv6 any 2001:DB8:CAFE:1100::/64remark PERMIT ALL IPv6 PACKETS TO VOICE VLANpermit ipv6 any 2001:DB8:CAFE:1200::/64remark PERMIT ALL IPv6 PACKETS TO PRINTER VLANpermit ipv6 any 2001:DB8:CAFE:1300::/64deny ipv6 any any log!ipv6 access-list BULK-DATA-APPS-V6permit tcp any any eq ftppermit tcp any any eq ftp-datapermit tcp any any eq pop3permit tcp any any eq 143!ipv6 access-list BRANCH-TRANSACTIONAL-V6remark Microsoft RDP traffic-mark dscp af21permit tcp any any eq 3389permit udp any any eq 3389!ipv6 access-list MISSION-CRITICAL-V6remark Data-Center traffic-mark dscp 25permit ipv6 any 2001:DB8:CAFE:10::/64permit ipv6 any 2001:DB8:CAFE:11::/64!ipv6 access-list BRANCH-SCAVENGER-V6remark Gnutella, Kazaa, Doom, iTunes traffic-mark dscp cs1permit tcp any any range 6346 6347permit udp any any range 6346 6347permit tcp any any eq 1214permit tcp any any eq 666permit udp any any eq 666permit tcp any any eq 3689permit udp any any eq 3689!ipv6 access-list BRANCH-NET-MGMT-V6remark Common management traffic plus vmware console-mark dscp cs2permit udp any any eq syslogpermit udp any any eq snmppermit tcp any any eq telnetpermit tcp any any eq 22permit tcp any any eq 2049permit udp any any eq 2049permit tcp any any eq domainpermit icmp any anypermit udp any any eq tftppermit tcp any any eq 902!control-plane!banner login ^CUnauthorized access to this device and/or network is prohibited.^C!line con 0session-timeout 3password 7 021405550C031Dlogging synchronouslogin localtransport output noneline aux 0session-timeout 3login localline vty 0 4session-timeout 3access-class MGMT-IN-v4 inprivilege level 15password 7 15000A02032F39ipv6 access-class MGMT-IN inlogin localexec prompt timestamptransport input sshtransport output allline vty 5 15session-timeout 3access-class MGMT-IN-v4 inprivilege level 15ipv6 access-class MGMT-IN inlogin localtransport input ssh!scheduler allocate 20000 1000ntp clock-period 17179952ntp server 172.17.100.3!webvpn context Default_contextssl authenticate verify all!no inservice!endsw-br1-1version 12.2no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname sw-br1-1!logging countlogging buffered 8192 debugginglogging rate-limit 5no logging consoleenable secret 5 $1$QP5H$2MrLruxrlLtWr5Av7kJr..!username cisco password 7 15000A02032F39no aaa new-modelclock timezone mst -7!vtp domain ese_branchvtp mode transparentip subnet-zeroip routingno ip domain-lookupip domain-name cisco.comip dhcp smart-relay!ip dhcp snooping vlan 100,300ip dhcp snooping database flash:dhcp.txtip dhcp snooping database timeout 10ip dhcp snoopingip ftp source-interface Vlan100ip ftp username shmcfarlip ftp password 7 08334D400E1C17ip ssh time-out 60ip ssh authentication-retries 2ip arp inspection vlan 100,200,300ip arp inspection validate src-macip arp inspection log-buffer entries 100ip arp inspection log-buffer logs 20 interval 120login block-for 30 attempts 3 within 200login delay 2ipv6 mld snooping!mls qos map policed-dscp 0 10 18 24 25 34 to 8mls qos map cos-dscp 0 8 16 24 32 46 48 56mls qos srr-queue output cos-map queue 1 threshold 3 5mls qos srr-queue output cos-map queue 2 threshold 1 2 4mls qos srr-queue output cos-map queue 2 threshold 2 3mls qos srr-queue output cos-map queue 2 threshold 3 6 7mls qos srr-queue output cos-map queue 3 threshold 3 0mls qos srr-queue output cos-map queue 4 threshold 3 1mls qos srr-queue output dscp-map queue 1 threshold 3 46mls qos srr-queue output dscp-map queue 2 threshold 1 16 18 20 22 25 32 34 36mls qos srr-queue output dscp-map queue 2 threshold 1 38mls qos srr-queue output dscp-map queue 2 threshold 2 24 26mls qos srr-queue output dscp-map queue 2 threshold 3 48 56mls qos srr-queue output dscp-map queue 3 threshold 3 0mls qos srr-queue output dscp-map queue 4 threshold 1 8mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14mls qos queue-set output 1 threshold 2 70 80 100 100mls qos queue-set output 1 threshold 4 40 100 100 100mls qos!crypto pki trustpoint TP-self-signed-1526307456enrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-1526307456revocation-check nonersakeypair TP-self-signed-1526307456!!crypto ca certificate chain TP-self-signed-1526307456certificate self-signed 0130820296 308201FF A0030201 02020101 300D0609 2A864886 F70D0101 0405003056312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 4365727469666963 6174652D 31353236 33303734 35363123 30210609 2A864886 F70D010902161433 3735302D 6272312D 312E6369 73636F2E 636F6D30 1E170D39 3330333138323134 3134355A 170D3230 30313031 30303030 30305A30 56312F30 2D06035504031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D31353236 33303734 35363123 30210609 2A864886 F70D0109 02161433 3735302D6272312D 312E6369 73636F2E 636F6D30 819F300D 06092A86 4886F70D 010101050003818D 00308189 02818100 ADC25240 DC815D60 CBBA6018 44FDD27B 45EF2AD80F94DF03 19300913 B54A5166 06CCE023 1C68F289 886C275D F65360BF 715FC1E3960C00B3 E83D12D2 99610A5F C5592CEE 0445B2B3 DD3D2CE3 B4781F2E 6CD2F8FFF83ADB25 3379A92F E84FFD92 8A3F8309 6DE6868F 74227CDD 4703E13C 7149E5D57FC4E7A2 6C648937 014AB545 02030100 01A37430 72300F06 03551D13 0101FF0405300301 01FF301F 0603551D 11041830 16821433 3735302D 6272312D 312E636973636F2E 636F6D30 1F060355 1D230418 30168014 8AE28F7E 81F0F656 892AE117BCF64E27 3D019CB3 301D0603 551D0E04 1604148A E28F7E81 F0F65689 2AE117BCF64E273D 019CB330 0D06092A 864886F7 0D010104 05000381 81000E0D 5A24A7965E78A05B 2023622E 508BD657 8DF56A5F 89671B36 F05231BE A8CE35E3 DD87E668B27DBA5C 98E82419 2512CCDE C118EAC4 B73D12FF BBE53D2B 20CE42A1 8D5682F4FF1D788D 731254E3 55484C63 69FB2B39 781F75F0 C01D3373 DACFB86B E99489678A545231 9917C72B 1E2754CB EF93926C B264803E 2722306C C749quit!errdisable recovery cause link-flaperrdisable recovery interval 60no file verify auto!spanning-tree mode rapid-pvstspanning-tree loopguard defaultspanning-tree portfast bpduguard defaultspanning-tree extend system-id!vlan internal allocation policy ascending!vlan 100name DATA!vlan 200name VOICE!vlan 300name PRINTERS!class-map match-all DVLAN-PC-VIDEOmatch access-group name DVLAN-PC-VIDEOclass-map match-all VVLAN-voicematch access-group name VVLAN-voiceclass-map match-all VVLAN-anymatch access-group name VVLAN-anyclass-map match-all DVLAN-Transactional-Datamatch access-group name DVLAN-Transactional-Dataclass-map match-all DVLAN-Mission-Critical-Datamatch access-group name DVLAN-Mission-Critical-Dataclass-map match-all DVLAN-Bulk-Datamatch access-group name DVLAN-Bulk-Dataclass-map match-all VVLAN-call-signallingmatch access-group name VVLAN-call-signalling!policy-map ipphone+pcclass VVLAN-voiceset dscp efpolice 128000 8000 exceed-action dropclass VVLAN-call-signallingset dscp cs3police 32000 8000 exceed-action policed-dscp-transmitclass VVLAN-anyset dscp defaultpolice 32000 8000 exceed-action policed-dscp-transmitclass DVLAN-PC-VIDEOset dscp af41police 48000 8000 exceed-action policed-dscp-transmitclass DVLAN-Mission-Critical-Dataset dscp 25police 5000000 8000 exceed-action policed-dscp-transmitclass DVLAN-Transactional-Dataset dscp af21police 5000000 8000 exceed-action policed-dscp-transmitclass DVLAN-Bulk-Dataset dscp af11police 5000000 8000 exceed-action policed-dscp-transmit!interface FastEthernet1/0/2description TRUNK to 2800-br1-1switchport trunk encapsulation dot1qswitchport trunk allowed vlan 100,200,300switchport mode trunkswitchport port-security aging time 10ip arp inspection trustload-interval 30srr-queue bandwidth share 1 70 25 5srr-queue bandwidth shape 3 0 0 0priority-queue outmls qos trust dscpip dhcp snooping limit rate 10ip dhcp snooping trust!interface FastEthernet1/0/3description PHONE + PCswitchport access vlan 100switchport mode accessswitchport voice vlan 200switchport port-security maximum 2switchport port-securityswitchport port-security aging time 2switchport port-security violation restrictswitchport port-security aging type inactivityip arp inspection limit rate 100load-interval 30srr-queue bandwidth share 1 70 25 5srr-queue bandwidth shape 3 0 0 0priority-queue outmls qos trust device cisco-phonespanning-tree portfastspanning-tree bpduguard enableip verify sourceip dhcp snooping limit rate 100!interface Vlan100description VLAN100 for PCs and Switch managementip address 10.124.1.126 255.255.255.128no ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64no ipv6 redirectsno ipv6 unreachables!!ip classlessno ip http server!ip access-list extended DVLAN-Bulk-Datapermit tcp any any eq 143permit tcp any any eq 220ip access-list extended DVLAN-Mission-Critical-Datapermit tcp any any range 3200 3203permit tcp any any eq 3600permit tcp any any range 2000 2002ip access-list extended DVLAN-PC-VIDEOpermit udp any any range 16384 32767ip access-list extended DVLAN-Transactional-Datapermit tcp any any eq 1352ip access-list extended MGMT-IN-v4permit tcp 10.120.0.0 0.0.255.255 anypermit tcp 10.121.0.0 0.0.255.255 anypermit tcp 10.122.0.0 0.0.255.255 anypermit tcp 10.124.1.0 0.0.0.255 anypermit tcp 10.124.100.0 0.0.0.255 anydeny ip any any log-inputip access-list extended VVLAN-anypermit ip 10.125.1.0 0.0.0.255 anyip access-list extended VVLAN-call-signallingpermit tcp 10.125.1.0 0.0.0.255 any range 2000 2002 dscp af31permit tcp 10.125.1.0 0.0.0.255 any range 2000 2002 dscp cs3ip access-list extended VVLAN-voicepermit udp 10.125.1.0 0.0.0.255 any range 16384 32767 dscp ef!ipv6 route ::/0 Vlan100 FE80::217:94FF:FE90:2829!ipv6 access-list MGMT-INpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1100::BAD2:F126deny ipv6 any any log-input!control-plane!banner login ^CUnauthorized access to this device and/or network is prohibited.^C!line con 0session-timeout 3password 7 021405550C031Dlogging synchronouslogin localtransport output noneline vty 0 4session-timeout 3access-class MGMT-IN-v4 inpassword 7 021405550C031Dipv6 access-class MGMT-IN inlogging synchronouslogin localexec prompt timestamptransport input sshline vty 5 15session-timeout 3access-class MGMT-IN-v4 inpassword 7 0101070A5C0E14ipv6 access-class MGMT-IN inlogin localexec prompt timestamptransport input ssh!end7206 VPN Configurations for Single-Tier Profile
Note
7206-1
crypto isakmp policy 1encr 3desauthentication pre-share!crypto isakmp policy 2encr 3desauthentication pre-sharecrypto isakmp key CISCO address 172.16.1.2crypto isakmp key SYSTEMS address 0.0.0.0 0.0.0.0crypto isakmp keepalive 10!crypto ipsec transform-set brb esp-3des esp-sha-hmaccrypto ipsec transform-set STRONG esp-3des esp-sha-hmac!crypto ipsec profile dmvpnset security-association lifetime seconds 300set transform-set brb!!crypto map STATIC-MAP-BR1 local-address GigabitEthernet0/1crypto map STATIC-MAP-BR1 2 ipsec-isakmpset peer 172.16.1.2set transform-set STRONGset pfs group2match address VPN-TO-BR1!interface Tunnel1ip address 10.126.1.1 255.255.255.0no ip redirectsip mtu 1400no ip next-hop-self eigrp 10ip pim dr-priority 10000ip nhrp authentication secretip nhrp map multicast dynamicip nhrp network-id 10203no ip split-horizon eigrp 10delay 500tunnel source GigabitEthernet0/1tunnel mode gre multipointtunnel key 123tunnel protection ipsec profile dmvpn!interface Tunnel3description to VPN to BR1no ip addressdelay 500ipv6 address 2001:DB8:CAFE:1261::ACE1:F000/64ipv6 mtu 1400ipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESEtunnel source GigabitEthernet0/1tunnel destination 172.16.1.2tunnel mode ipv6ip!interface Loopback0ip address 172.17.100.3 255.255.255.255!interface GigabitEthernet0/1description to 7304-1/2 ISPip address 172.17.1.3 255.255.255.0duplex autospeed automedia-type rj45no negotiation autocrypto map STATIC-MAP-BR1!router eigrp 10redistribute staticnetwork 10.0.0.0no auto-summary!ip access-list extended VPN-TO-BR1permit 41 host 172.17.1.3 host 172.16.1.2!ipv6 router eigrp 1no shutdowndistribute-list prefix-list DEFAULT out Tunnel3redistribute static!ipv6 prefix-list DEFAULT seq 5 permit ::/07206-2
crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key SYSTEMS address 0.0.0.0 0.0.0.0crypto isakmp keepalive 10!!crypto ipsec transform-set BRB-BACK esp-3des esp-sha-hmaccrypto ipsec transform-set BR1-V6-BACK esp-3des esp-sha-hmac!crypto ipsec profile DMVPNset security-association lifetime seconds 120set transform-set BRB-BACK!crypto dynamic-map DYNO 10set transform-set BR1-V6-BACKmatch address VPN-TO-BR1v6!crypto map dynamic-map 10 ipsec-isakmp dynamic DYNO!interface Tunnel1ip address 10.127.1.1 255.255.255.0no ip redirectsip mtu 1400no ip next-hop-self eigrp 10ip pim dr-priority 10000ip nhrp authentication secretip nhrp map multicast dynamicip nhrp network-id 30201no ip split-horizon eigrp 10delay 2000tunnel source GigabitEthernet0/1tunnel mode gre multipointtunnel key 321tunnel protection ipsec profile DMVPN!interface Tunnel2description IPv6 to BR1 VPNno ip addressdelay 2000ipv6 address 2001:DB8:CAFE:1271::FFFF/64ipv6 mtu 1400ipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESEtunnel source GigabitEthernet0/1tunnel destination 10.124.100.1tunnel mode ipv6ip!interface Loopback0ip address 172.17.100.4 255.255.255.255!interface GigabitEthernet0/1description to 7304-1/2 ISPip address 172.17.1.4 255.255.255.0duplex autospeed automedia-type rj45no negotiation autocrypto map dynamic-map!router eigrp 10redistribute staticnetwork 10.0.0.0distribute-list BR1-BACK out GigabitEthernet0/2distribute-list BR1-BACK out Tunnel1no auto-summary!ip access-list standard BR1-BACKdeny 10.124.100.1permit any!ip access-list extended VPN-TO-BR1v6permit 41 host 172.17.1.4 host 10.124.100.1!ipv6 router eigrp 1no shutdowndistribute-list prefix-list DEFAULT out Tunnel2redistribute static!ipv6 prefix-list DEFAULT seq 5 permit ::/0Dual-Tier Profile
This section provides configuration examples for the dual-tier profile.
2800-br2-1
version 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname 2800-br2-1!boot-start-markerboot system flash:c2801-adventerprisek9-mz.124-9.T.binboot-end-marker!security authentication failure rate 3 loglogging countlogging buffered 8192 debugginglogging rate-limit 5no logging consoleenable secret 5 $1$2Z9T$IB1McBi.bL1bzXSUnC0BQ0!no aaa new-model!resource policy!clock timezone mst -7no ip source-routeip cef!!ip nbar port-map custom-03 tcp 5554 9996ip nbar port-map custom-02 udp 1434ip nbar port-map custom-01 tcp 3200 3201 3202 3203 3600ip nbar port-map netbios udp 135 137 138 139 445ip nbar port-map netbios tcp 137 139 445ip dhcp relay information trust-allno ip dhcp use vrf connected!ip dhcp pool DATA_LANnetwork 10.124.2.0 255.255.255.128dns-server 10.121.10.7default-router 10.124.2.1domain-name cisco.com!ip dhcp pool VOICE_LANnetwork 10.125.2.0 255.255.255.0dns-server 10.121.10.7default-router 10.125.2.1option 150 ip 10.121.10.7domain-name cisco.com!ip dhcp pool PRINTER_LANnetwork 10.124.2.128 255.255.255.128dns-server 10.121.10.7default-router 10.124.2.129!ip ftp source-interface FastEthernet0/1ip ftp username ciscoip ftp password 7 104D000A0618no ip bootp serverno ip domain lookupip domain name cisco.comip multicast-routingip ssh time-out 60ip ssh authentication-retries 2ip ssh source-interface FastEthernet0/1login block-for 30 attempts 3 within 200login delay 2ipv6 unicast-routingipv6 cefipv6 dhcp pool DATA_VISTAdns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25Ddns-server 2001:DB8:CAFE:10:51A1:5B1:4A85:B3DAdomain-name cisco.com!ipv6 multicast-routing!voice-card 0!key chain ESEkey 1key-string 7 04490A0808245E!crypto pki trustpoint TP-self-signed-2525156842enrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-2525156842revocation-check nonersakeypair TP-self-signed-2525156842!crypto pki certificate chain TP-self-signed-2525156842certificate self-signed 013082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 0405003031312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 4365727469666963 6174652D 32353235 31353638 3432301E 170D3036 30373036 3137333330375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 031326494F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 3532353135363834 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 818902818100CC4D BB3D0B65 93A1B38F 92FB7F23 5F5B37C4 8DE04BDA BAF6D89B 5E5CCDBEA08447BA 0AF75EBE EDD2181F 1BA30448 A4E2AA6F 93E71235 FD3A220E 948120C0BAFA03DA 0368CBB6 C9260DE2 BF118FEE 24C5C09F FB51267C 756C4D9B C9F3EE05E8A8EFC3 61F3D318 61994198 30C7E26C 49DF60AE ADFE980C 6A2EC257 4940B01861390203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603551D1104 18301682 14323830 312D6272 322D312E 63697363 6F2E636F 6D301F0603551D23 04183016 80142819 D80AF17B E5C3D667 18E283AF 61089A66 3370301D0603551D 0E041604 142819D8 0AF17BE5 C3D66718 E283AF61 089A6633 70300D06092A8648 86F70D01 01040500 03818100 1364BA90 747BF961 9FAA286F 4DCCCF5803EFAA0F 394352F6 86FBA797 8849D048 EA252F3F C3D4CDA3 E0FEA4C0 C537CE445DB08E2D 176FFC8D 26D124AB F9B34FE4 61D753B8 241E17A1 A59974D2 4D7FC267979A7DFB 10CC4C61 82A7F53B E1D7328B 670D940E 58E33140 97103B60 5F430C32E616F9E8 85D0D5E9 0AAF403E EED5680Fquitusername cisco privilege 15 secret 5 $1$2on7$TSSIMoo25tSj5./ycyEav0!class-map match-any BRANCH-BULK-DATAmatch access-group name BULK-DATA-APPSmatch access-group name BULK-DATA-APPS-V6class-map match-all SQL-SLAMMERmatch protocol custom-02match packet length min 404 max 404class-map match-all BULK-DATAmatch dscp af11 af12class-map match-all INTERACTIVE-VIDEOmatch dscp af41 af42class-map match-any CALL-SIGNALLINGmatch dscp cs3match dscp af31class-map match-any BRANCH-TRANSACTIONAL-DATAmatch protocol citrixmatch protocol ldapmatch protocol sqlnetmatch protocol http url "*cisco.com"match protocol custom-01match access-group name BRANCH-TRANSACTIONAL-V6class-map match-any BRANCH-MISSION-CRITICALmatch access-group name MISSION-CRITICAL-SERVERSmatch access-group name MISSION-CRITICAL-V6class-map match-any WORMSmatch protocol http url "*.ida*"match protocol http url "*cmd.exe*"match protocol http url "*root.exe*"match protocol http url "*readme.eml*"match class-map SQL-SLAMMERmatch protocol exchangematch protocol netbiosmatch protocol custom-03class-map match-all VOICEmatch dscp efclass-map match-all MISSION-CRITICAL-DATAmatch dscp 25class-map match-any BRANCH-NET-MGMTmatch protocol snmpmatch protocol syslogmatch protocol telnetmatch protocol nfsmatch protocol dnsmatch protocol icmpmatch protocol tftpmatch access-group name BRANCH-NET-MGMT-V6class-map match-all ROUTINGmatch dscp cs6class-map match-all SCAVENGERmatch dscp cs1class-map match-all NET-MGMTmatch dscp cs2class-map match-any BRANCH-SCAVENGERmatch protocol napstermatch protocol gnutellamatch protocol fasttrackmatch protocol kazaa2match access-group name BRANCH-SCAVENGER-V6class-map match-all TRANSACTIONAL-DATAmatch dscp af21 af22!policy-map BRANCH-LAN-EDGE-OUTclass class-defaultset cos dscppolicy-map BRANCH-WAN-EDGEclass VOICEpriority percent 18class INTERACTIVE-VIDEOpriority percent 15class CALL-SIGNALLINGbandwidth percent 5class ROUTINGbandwidth percent 3class NET-MGMTbandwidth percent 2class MISSION-CRITICAL-DATAbandwidth percent 15random-detect dscp-basedclass TRANSACTIONAL-DATAbandwidth percent 12random-detect dscp-basedclass BULK-DATAbandwidth percent 4random-detect dscp-basedclass SCAVENGERbandwidth percent 1class class-defaultbandwidth percent 25random-detectpolicy-map WAN-EDGE-FRTSclass class-defaultshape average 1460000 14600 0service-policy BRANCH-WAN-EDGEpolicy-map BRANCH-LAN-EDGE-INclass BRANCH-MISSION-CRITICALset dscp 25class BRANCH-TRANSACTIONAL-DATAset dscp af21class BRANCH-NET-MGMTset dscp cs2class BRANCH-BULK-DATAset dscp af11class BRANCH-SCAVENGERset dscp cs1class WORMSdropclass class-defaultset dscp default!interface Null0no ip unreachables!interface Loopback0ip address 10.124.102.1 255.255.255.255no ip redirectsno ip unreachablesno ip proxy-arpip route-cache flowipv6 address 2001:DB8:CAFE:2000::BAD1:1010/128no ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1!interface FastEthernet0/0.100description DATA VLAN for PCsencapsulation dot1Q 100ip address 10.124.2.2 255.255.255.128ip access-group DATA_LAN inno ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2100::BAD1:1010/64ipv6 traffic-filter DATA_LAN-v6 inno ipv6 redirectsno ipv6 unreachablesipv6 nd other-config-flagipv6 dhcp server DATA_VISTAipv6 eigrp 1standby version 2standby 101 ip 10.124.2.1standby 101 priority 120standby 101 preempt delay minimum 30standby 101 authentication esestandby 101 track Serial0/1/0.17 90standby 201 ipv6 autoconfigstandby 201 priority 120standby 201 preempt delay minimum 30standby 201 authentication esestandby 201 track Serial0/1/0.17 90service-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.200description Voice VLAN for IP Phonesencapsulation dot1Q 200ip address 10.125.2.2 255.255.255.0ip access-group VOICE_LAN inno ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2200::BAD1:1010/64ipv6 traffic-filter VOICE_LAN-v6 inno ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1standby version 2standby 102 ip 10.125.2.1standby 102 priority 120standby 102 preempt delay minimum 30standby 102 authentication esestandby 102 track Serial0/1/0.17 90standby 202 ipv6 autoconfigstandby 202 priority 120standby 202 preempt delay minimum 30standby 202 authentication esestandby 202 track Serial0/1/0.17 90service-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.300description PRINTER VLANencapsulation dot1Q 300ip address 10.124.2.130 255.255.255.128ip access-group PRINTER_LAN inno ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2300::BAD1:1010/64ipv6 traffic-filter PRINTER_LAN-v6 inno ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1standby version 2standby 103 ip 10.124.2.129standby 103 priority 120standby 103 preempt delay minimum 30standby 103 authentication esestandby 103 track Serial0/1/0.17 90standby 203 ipv6 autoconfigstandby 203 priority 120standby 203 preempt delay minimum 30standby 203 authentication esestandby 203 track Serial0/1/0.17 90service-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface Serial0/1/0no ip addressno ip redirectsno ip unreachablesno ip proxy-arpencapsulation frame-relayip route-cache flowno ipv6 mfib forwardingno keepalivemax-reserved-bandwidth 100!interface Serial0/1/0.17 point-to-pointdescription TO FRAME-RELAY PROVIDERip address 10.126.2.2 255.255.255.252no ip redirectsno ip unreachablesno ip proxy-arpip nbar protocol-discoveryipv6 address 2001:DB8:CAFE:1262::BAD1:1010/64ipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESEframe-relay interface-dlci 17class QOS-BR2-MAP!router eigrp 10passive-interface FastEthernet0/0.100passive-interface FastEthernet0/0.200passive-interface FastEthernet0/0.300network 10.0.0.0no auto-summaryeigrp stub connected summary!no ip http server!ip access-list extended BULK-DATA-APPSpermit tcp any any eq ftppermit tcp any any eq ftp-datapermit tcp any any eq pop3permit tcp any any eq 143ip access-list extended DATA_LANpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.124.2.0 0.0.0.127 anydeny ip any any logip access-list extended MGMT-IN-v4permit tcp 10.120.0.0 0.0.255.255 anypermit tcp 10.121.0.0 0.0.255.255 anypermit tcp 10.122.0.0 0.0.255.255 anydeny ip any any log-inputip access-list extended MISSION-CRITICAL-SERVERSpermit ip any 10.121.10.0 0.0.0.255permit ip any 10.121.11.0 0.0.0.255permit ip any 10.121.12.0 0.0.0.255ip access-list extended PRINTER_LANpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.124.2.128 0.0.0.127 anydeny ip any any logip access-list extended VOICE_LANpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.125.2.0 0.0.0.255 anydeny ip any any log!!map-class frame-relay QOS-BR2-MAPservice-policy output WAN-EDGE-FRTSaccess-list 25 permit 10.121.10.0 0.0.0.255ipv6 router eigrp 1router-id 10.124.102.1stub connected summaryno shutdownpassive-interface FastEthernet0/0.100passive-interface FastEthernet0/0.200passive-interface FastEthernet0/0.300passive-interface Loopback0!ipv6 access-list DATA_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::/64permit icmp 2001:DB8:CAFE:2100::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::64permit ipv6 2001:DB8:CAFE:2100::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark PERMIT ALL PIM PACKETS FROM OTHER BRANCH ROUTERpermit 103 FE80::/16 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list VOICE_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2200::/64permit icmp 2001:DB8:CAFE:2200::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2200::64permit ipv6 2001:DB8:CAFE:2200::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list PRINTER_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:2300::/64permit icmp 2001:DB8:CAFE:2300::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:2300::64permit ipv6 2001:DB8:CAFE:2300::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list MGMT-INremark permit mgmt only to loopbackpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:2000::BAD1:1010deny ipv6 any any log-input!ipv6 access-list BULK-DATA-APPS-V6permit tcp any any eq ftppermit tcp any any eq ftp-datapermit tcp any any eq pop3permit tcp any any eq 143!ipv6 access-list BRANCH-TRANSACTIONAL-V6remark Microsoft RDP traffic-mark dscp af21permit tcp any any eq 3389permit udp any any eq 3389!ipv6 access-list MISSION-CRITICAL-V6remark Data-Center traffic-mark dscp 25permit ipv6 any 2001:DB8:CAFE:10::/64permit ipv6 any 2001:DB8:CAFE:11::/64!ipv6 access-list BRANCH-SCAVENGER-V6remark Gnutella, Kazaa, Doom, iTunes traffic-mark dscp cs1permit tcp any any range 6346 6347permit udp any any range 6346 6347permit tcp any any eq 1214permit tcp any any eq 666permit udp any any eq 666permit tcp any any eq 3689permit udp any any eq 3689!ipv6 access-list BRANCH-NET-MGMT-V6remark Common management traffic plus vmware console-mark dscp cs2permit udp any any eq syslogpermit udp any any eq snmppermit tcp any any eq telnetpermit tcp any any eq 22permit tcp any any eq 2049permit udp any any eq 2049permit tcp any any eq domainpermit icmp any anypermit udp any any eq tftppermit tcp any any eq 902!control-plane!banner login ^CUnauthorized access to this device and/or network is prohibited.^C!line con 0session-timeout 3password 7 021405550C031Dlogging synchronouslogin localtransport output noneline aux 0login localline vty 0 4session-timeout 3access-class MGMT-IN-v4 inprivilege level 15password 7 08334D400E1C17ipv6 access-class MGMT-IN inlogin localexec prompt timestamptransport input ssh!scheduler allocate 20000 1000ntp clock-period 17180046ntp server 172.17.100.3!webvpn context Default_contextssl authenticate verify all!no inservice!!webvpn context dummyssl authenticate verify all!no inservice!end2800-br2-2
version 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname 2800-br2-2!boot-start-markerboot-end-marker!security authentication failure rate 3 loglogging countlogging buffered 8192 debugginglogging rate-limit 5no logging consoleenable secret 5 $1$2fsF$NMxkOn/sjTUDao8zNrHAG.!no aaa new-model!resource policy!clock timezone mst -7no ip source-route!ip nbar port-map custom-03 tcp 5554 9996ip nbar port-map custom-02 udp 1434ip nbar port-map custom-01 tcp 3200 3201 3202 3203 3600ip nbar port-map netbios udp 135 137 138 139 445ip nbar port-map netbios tcp 137 139 445ip cefip dhcp relay information trust-allno ip dhcp use vrf connected!ip dhcp pool DATA_LANnetwork 10.124.2.0 255.255.255.128dns-server 10.121.10.7default-router 10.124.2.1domain-name cisco.com!ip dhcp pool VOICE_LANnetwork 10.125.2.0 255.255.255.0dns-server 10.121.10.7default-router 10.125.2.1option 150 ip 10.121.10.7domain-name cisco.com!ip dhcp pool PRINTER_LANnetwork 10.124.2.128 255.255.255.128dns-server 10.121.10.7default-router 10.124.2.129!ip ftp source-interface FastEthernet0/1ip ftp username ciscoip ftp password 7 104D000A0618no ip bootp serverno ip domain lookupip domain name cisco.comip ssh time-out 60ip ssh authentication-retries 2ip ssh source-interface FastEthernet0/1login block-for 30 attempts 3 within 200login delay 2ipv6 unicast-routingipv6 cefipv6 dhcp pool DATA_VISTAdns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25Ddns-server 2001:DB8:CAFE:10:51A1:5B1:4A85:B3DAdomain-name cisco.com!ipv6 multicast-routing!voice-card 0no dspfarm!key chain ESEkey 1key-string 7 04490A0808245E!crypto pki trustpoint TP-self-signed-1654346828enrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-1654346828revocation-check nonersakeypair TP-self-signed-1654346828!crypto pki certificate chain TP-self-signed-1654346828certificate self-signed 013082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 0405003031312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 4365727469666963 6174652D 31363534 33343638 3238301E 170D3036 30373130 3138303935325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 031326494F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 3635343334363832 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 818902818100B0B6 8F0E2383 4BC3B2BD EEF10B2C A9A30936 06B0A7A0 4ADF5C79 553BF2F61221FE21 80163367 EB75F1A5 3F310B43 5C1B6B03 B477AD5E 6CD7F630 1A06AE270F5B4089 54C08AD8 8866720B 2B9D16C0 D9C41113 1FA53640 45E54D38 F9E8F4FD7654EB2F 6279435A C4AC028E F7AF7F51 4752D813 69B2F231 2101291C 5934DEFB5ED50203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603551D1104 18301682 14323831 312D6272 322D322E 63697363 6F2E636F 6D301F0603551D23 04183016 80142905 DF055BFA FE526B72 E5231250 BB168532 6291301D0603551D 0E041604 142905DF 055BFAFE 526B72E5 231250BB 16853262 91300D06092A8648 86F70D01 01040500 03818100 A0FF1536 9779B5D7 181BADED D3394F8E0FDEF0EB C8313736 75ED2CBE 993665D8 752EB46E 7F8FE7F5 F34022BE 86D534613A7F30D0 3617AA66 9166069D 3488674D 7EBB7551 7E7181CC 00EFD17B 27872412BFB24FDD A9CD971D E4F3DF29 4574A132 9FE2A085 91871CFA 2E56FCB5 6050AEED124009D4 B90FC6DA 237F6A1D 90D1CE93quitusername cisco privilege 15 secret 5 $1$2on7$TSSIMoo25tSj5./ycyEav0!class-map match-any BRANCH-BULK-DATAmatch access-group name BULK-DATA-APPSmatch access-group name BULK-DATA-APPS-V6class-map match-all SQL-SLAMMERmatch protocol custom-02match packet length min 404 max 404class-map match-all BULK-DATAmatch dscp af11 af12class-map match-all INTERACTIVE-VIDEOmatch dscp af41 af42class-map match-any CALL-SIGNALLINGmatch dscp cs3match dscp af31class-map match-any BRANCH-TRANSACTIONAL-DATAmatch protocol citrixmatch protocol ldapmatch protocol sqlnetmatch protocol http url "*cisco.com"match protocol custom-01match access-group name BRANCH-TRANSACTIONAL-V6class-map match-any BRANCH-MISSION-CRITICALmatch access-group name MISSION-CRITICAL-SERVERSmatch access-group name MISSION-CRITICAL-V6class-map match-any WORMSmatch protocol http url "*.ida*"match protocol http url "*cmd.exe*"match protocol http url "*root.exe*"match protocol http url "*readme.eml*"match class-map SQL-SLAMMERmatch protocol exchangematch protocol netbiosmatch protocol custom-03class-map match-all VOICEmatch dscp efclass-map match-all MISSION-CRITICAL-DATAmatch dscp 25class-map match-any BRANCH-NET-MGMTmatch protocol snmpmatch protocol syslogmatch protocol telnetmatch protocol nfsmatch protocol dnsmatch protocol icmpmatch protocol tftpmatch access-group name BRANCH-NET-MGMT-V6class-map match-all ROUTINGmatch dscp cs6class-map match-all SCAVENGERmatch dscp cs1class-map match-all NET-MGMTmatch dscp cs2class-map match-any BRANCH-SCAVENGERmatch protocol napstermatch protocol gnutellamatch protocol fasttrackmatch protocol kazaa2match access-group name BRANCH-SCAVENGER-V6class-map match-all TRANSACTIONAL-DATAmatch dscp af21 af22!policy-map BRANCH-LAN-EDGE-OUTclass class-defaultset cos dscppolicy-map BRANCH-WAN-EDGEclass VOICEpriority percent 18class INTERACTIVE-VIDEOpriority percent 15class CALL-SIGNALLINGbandwidth percent 5class ROUTINGbandwidth percent 3class NET-MGMTbandwidth percent 2class MISSION-CRITICAL-DATAbandwidth percent 15random-detect dscp-basedclass TRANSACTIONAL-DATAbandwidth percent 12random-detect dscp-basedclass BULK-DATAbandwidth percent 4random-detect dscp-basedclass SCAVENGERbandwidth percent 1class class-defaultbandwidth percent 25random-detectpolicy-map WAN-EDGE-FRTSclass class-defaultshape average 1460000 14600 0service-policy BRANCH-WAN-EDGEpolicy-map BRANCH-LAN-EDGE-INclass BRANCH-MISSION-CRITICALset dscp 25class BRANCH-TRANSACTIONAL-DATAset dscp af21class BRANCH-NET-MGMTset dscp cs2class BRANCH-BULK-DATAset dscp af11class BRANCH-SCAVENGERset dscp cs1class WORMSdropclass class-defaultset dscp default!interface Null0no ip unreachables!interface Loopback0ip address 10.124.102.2 255.255.255.255no ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2000::BAD1:1020/128no ipv6 redirectsno ipv6 unreachablesipv6 eigrp 1!interface FastEthernet0/0.100description DATA VLAN for Computersencapsulation dot1Q 100ip address 10.124.2.3 255.255.255.128ip access-group DATA_LAN inno ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2100::BAD1:1020/64ipv6 traffic-filter DATA_LAN-v6 inno ipv6 redirectsipv6 nd other-config-flagipv6 eigrp 1standby version 2standby 101 ip 10.124.2.1standby 101 preemptstandby 101 authentication esestandby 201 ipv6 autoconfigstandby 201 preemptstandby 201 authentication eseservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.200description to Voice VLAN for IP Phonesencapsulation dot1Q 200ip address 10.125.2.3 255.255.255.0ip access-group VOICE_LAN inno ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2200::BAD1:1020/64ipv6 traffic-filter VOICE_LAN-v6 inno ipv6 redirectsipv6 eigrp 1standby version 2standby 102 ip 10.125.2.1standby 102 preemptstandby 102 authentication esestandby 202 ipv6 autoconfigstandby 202 preemptstandby 202 authentication eseservice-policy output BRANCH-LAN-EDGE-OUT!interface FastEthernet0/0.300description to Printer VLANencapsulation dot1Q 300ip address 10.124.2.131 255.255.255.128ip access-group PRINTER_LAN inno ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2300::BAD1:1020/64ipv6 traffic-filter PRINTER_LAN-v6 inno ipv6 redirectsipv6 eigrp 1standby version 2standby 103 ip 10.124.2.129standby 103 preemptstandby 103 authentication esestandby 203 ipv6 autoconfigstandby 203 preemptstandby 203 authentication eseservice-policy input BRANCH-LAN-EDGE-INservice-policy output BRANCH-LAN-EDGE-OUT!interface Serial0/2/0no ip addressno ip redirectsno ip unreachablesno ip proxy-arpencapsulation frame-relayip route-cache flowno ipv6 mfib forwardingno keepalivemax-reserved-bandwidth 100!interface Serial0/2/0.18 point-to-pointdescription TO FRAME-RELAY PROVIDERip address 10.127.2.2 255.255.255.252ipv6 address 2001:DB8:CAFE:1272::BAD1:1020/64ipv6 eigrp 1ipv6 hold-time eigrp 1 35ipv6 authentication mode eigrp 1 md5ipv6 authentication key-chain eigrp 1 ESEframe-relay interface-dlci 18class QOS-BR2-MAP!router eigrp 10passive-interface FastEthernet0/0.100passive-interface FastEthernet0/0.200passive-interface FastEthernet0/0.300network 10.0.0.0no auto-summaryeigrp stub connected summary!no ip http server!ip access-list extended BULK-DATA-APPSpermit tcp any any eq ftppermit tcp any any eq ftp-datapermit tcp any any eq pop3permit tcp any any eq 143ip access-list extended DATA_LANpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.124.2.0 0.0.0.127 anydeny ip any any logip access-list extended MGMT-IN-v4permit tcp 10.120.0.0 0.0.255.255 anypermit tcp 10.121.0.0 0.0.255.255 anypermit tcp 10.122.0.0 0.0.255.255 anydeny ip any any log-inputip access-list extended MISSION-CRITICAL-SERVERSpermit ip any 10.121.10.0 0.0.0.255permit ip any 10.121.11.0 0.0.0.255permit ip any 10.121.12.0 0.0.0.255ip access-list extended PRINTER_LANpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.124.2.128 0.0.0.127 anydeny ip any any logip access-list extended VOICE_LANpermit udp host 0.0.0.0 host 255.255.255.255permit ip 10.125.2.0 0.0.0.255 anydeny ip any any log!!map-class frame-relay QOS-BR2-MAPservice-policy output WAN-EDGE-FRTSaccess-list 25 permit 10.121.10.0 0.0.0.255!ipv6 router eigrp 1router-id 10.124.102.2stub connected summaryno shutdownpassive-interface FastEthernet0/0.100passive-interface FastEthernet0/0.200passive-interface FastEthernet0/0.300passive-interface Loopback0!ipv6 access-list DATA_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::/64permit icmp 2001:DB8:CAFE:2100::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2100::64permit ipv6 2001:DB8:CAFE:2100::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTSpermit udp any eq 546 any eq 547remark PERMIT ALL PIM PACKETS FROM OTHER BRANCH ROUTERpermit 103 FE80::/16 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list VOICE_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2200::/64permit icmp 2001:DB8:CAFE:2200::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2200::64permit ipv6 2001:DB8:CAFE:2200::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!ipv6 access-list PRINTER_LAN-v6remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2300::/64permit icmp 2001:DB8:CAFE:2300::/64 anyremark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:2300::64permit ipv6 2001:DB8:CAFE:2300::/64 anyremark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIXpermit icmp FE80::/10 anyremark DENY ALL OTHER IPv6 PACKETS AND LOGdeny ipv6 any any log-input!!ipv6 access-list MGMT-INremark permit mgmt only to loopbackpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:2000::BAD1:1020deny ipv6 any any log-input!ipv6 access-list BULK-DATA-APPS-V6permit tcp any any eq ftppermit tcp any any eq ftp-datapermit tcp any any eq pop3permit tcp any any eq 143!ipv6 access-list BRANCH-TRANSACTIONAL-V6remark Microsoft RDP traffic-mark dscp af21permit tcp any any eq 3389permit udp any any eq 3389!ipv6 access-list MISSION-CRITICAL-V6remark Data-Center traffic-mark dscp 25permit ipv6 any 2001:DB8:CAFE:10::/64permit ipv6 any 2001:DB8:CAFE:11::/64!ipv6 access-list BRANCH-SCAVENGER-V6remark Gnutella, Kazaa, Doom, iTunes traffic-mark dscp cs1permit tcp any any range 6346 6347permit udp any any range 6346 6347permit tcp any any eq 1214permit tcp any any eq 666permit udp any any eq 666permit tcp any any eq 3689permit udp any any eq 3689!ipv6 access-list BRANCH-NET-MGMT-V6remark Common management traffic plus vmware console-mark dscp cs2permit udp any any eq syslogpermit udp any any eq snmppermit tcp any any eq telnetpermit tcp any any eq 22permit tcp any any eq 2049permit udp any any eq 2049permit tcp any any eq domainpermit icmp any anypermit udp any any eq tftppermit tcp any any eq 902!control-plane!banner login ^CUnauthorized access to this device and/or network is prohibited.^C!line con 0session-timeout 3password 7 021405550C031Dlogging synchronouslogin localtransport output noneline aux 0login localline vty 0 4session-timeout 3access-class MGMT-IN-v4 inprivilege level 15password 7 105C0817021200ipv6 access-class MGMT-IN inlogging synchronouslogin localexec prompt timestamptransport input telnet ssh!scheduler allocate 20000 1000ntp clock-period 17180078ntp server 172.17.100.3!webvpn context Default_contextssl authenticate verify all!no inservice!!webvpn context dummyssl authenticate verify all!no inservice!!end3560-br2-1
version 12.2no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname 3560-br2-1!logging countlogging buffered 8192 debugginglogging rate-limit 5no logging consoleenable secret 5 $1$Zh7/$YXJse1q1kWuYdRbANfYZn.!username cisco privilege 15 secret 5 $1$2on7$TSSIMoo25tSj5./ycyEav0no aaa new-modelclock timezone mst -7vtp domain ese_branchvtp mode transparentip subnet-zeroip routingno ip domain-lookupip domain-name cisco.comip dhcp smart-relay!ip dhcp snooping vlan 100,300ip dhcp snooping database flash:dhcp.txtip dhcp snooping database timeout 10ip dhcp snoopingip ftp source-interface FastEthernet0/24ip ftp username shmcfarlip ftp password 7 105C0817021200ip ssh time-out 60ip ssh authentication-retries 2ip ssh source-interface FastEthernet0/24ip arp inspection vlan 100,200,300ip arp inspection validate src-macip arp inspection log-buffer entries 100ip arp inspection log-buffer logs 20 interval 120login block-for 30 attempts 3 within 200login delay 2ipv6 mld snooping!mls qos map policed-dscp 0 10 18 24 25 34 to 8mls qos map cos-dscp 0 8 16 24 32 46 48 56mls qos srr-queue output cos-map queue 1 threshold 3 5mls qos srr-queue output cos-map queue 2 threshold 1 2 4mls qos srr-queue output cos-map queue 2 threshold 2 3mls qos srr-queue output cos-map queue 2 threshold 3 6 7mls qos srr-queue output cos-map queue 3 threshold 3 0mls qos srr-queue output cos-map queue 4 threshold 3 1mls qos srr-queue output dscp-map queue 1 threshold 3 46mls qos srr-queue output dscp-map queue 2 threshold 1 16 18 20 22 25 32 34 36mls qos srr-queue output dscp-map queue 2 threshold 1 38mls qos srr-queue output dscp-map queue 2 threshold 2 24 26mls qos srr-queue output dscp-map queue 2 threshold 3 48 56mls qos srr-queue output dscp-map queue 3 threshold 3 0mls qos srr-queue output dscp-map queue 4 threshold 1 8mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14mls qos queue-set output 1 threshold 2 70 80 100 100mls qos queue-set output 1 threshold 4 40 100 100 100mls qos!crypto pki trustpoint TP-self-signed-3651489792enrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-3651489792revocation-check nonersakeypair TP-self-signed-3651489792!!crypto ca certificate chain TP-self-signed-3651489792certificate self-signed 0130820296 308201FF A0030201 02020101 300D0609 2A864886 F70D0101 0405003056312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 4365727469666963 6174652D 33363531 34383937 39323123 30210609 2A864886 F70D010902161433 3536302D 6272322D 312E6369 73636F2E 636F6D30 1E170D39 3330333039303234 3634355A 170D3230 30313031 30303030 30305A30 56312F30 2D06035504031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D33363531 34383937 39323123 30210609 2A864886 F70D0109 02161433 3536302D6272322D 312E6369 73636F2E 636F6D30 819F300D 06092A86 4886F70D 010101050003818D 00308189 02818100 A198301A 7E8F977E 67FA0647 B34AD8E4 27314936E138C6DB D5485567 3603A196 13878DA4 DC244BB5 D3C8C482 D5AA0BB9 9222DE65D3B0E54B 47455B3A F7898664 A49D078F 7D96C2F1 06B10AA1 44AB2AA5 D560CE67E211B0B2 3BCA80BC E08B542E 10F649F0 80E88837 6DBA6C23 A9664AEB DD4750A3DF41B639 727766A4 49C5BE73 02030100 01A37430 72300F06 03551D13 0101FF0405300301 01FF301F 0603551D 11041830 16821433 3536302D 6272322D 312E636973636F2E 636F6D30 1F060355 1D230418 30168014 DB539092 6F3293DD E467CA336C20C150 E7FE1D31 301D0603 551D0E04 160414DB 5390926F 3293DDE4 67CA336C20C150E7 FE1D3130 0D06092A 864886F7 0D010104 05000381 810011FC F98E50AD17C9C2E3 B67F1337 AD9F357F B83183A2 252CF44E EAA2922B AE76122B 649732FB307FDC7A 163EEF9D 5B13F7D4 AF76C6CB E828CDA7 373BDE27 5BA65E44 CB2ABC44114D1249 3D3B9E0E E8997F12 7BCFCDF2 BA7B6072 042A1F05 28A63EF1 298E07BFD8B6B2AF 95058FDB 5A8FA6CE D0620F5E 1B8220CD D5E550C9 B6F5quit!!errdisable recovery cause link-flaperrdisable recovery interval 60no file verify auto!spanning-tree mode rapid-pvstspanning-tree loopguard defaultspanning-tree portfast bpduguard defaultno spanning-tree optimize bpdu transmissionspanning-tree extend system-id!vlan internal allocation policy ascending!vlan 100name DATA!vlan 200name VOICE!vlan 300name PRINTER!class-map match-all DVLAN-PC-VIDEOmatch access-group name DVLAN-PC-VIDEOclass-map match-all VVLAN-voicematch access-group name VVLAN-voiceclass-map match-all VVLAN-anymatch access-group name VVLAN-anyclass-map match-all DVLAN-Transactional-Datamatch access-group name DVLAN-Transactional-Dataclass-map match-all DVLAN-Mission-Critical-Datamatch access-group name DVLAN-Mission-Critical-Dataclass-map match-all DVLAN-Bulk-Datamatch access-group name DVLAN-Bulk-Dataclass-map match-all VVLAN-call-signallingmatch access-group name VVLAN-call-signalling!policy-map IPPHONE+PCclass VVLAN-voiceset dscp efpolice 128000 8000 exceed-action dropclass VVLAN-call-signallingset dscp cs3police 32000 8000 exceed-action policed-dscp-transmitclass VVLAN-anyset dscp defaultpolice 32000 8000 exceed-action policed-dscp-transmitclass DVLAN-PC-VIDEOset dscp af41police 48000 8000 exceed-action policed-dscp-transmitclass DVLAN-Mission-Critical-Dataset dscp 25police 5000000 8000 exceed-action policed-dscp-transmitclass DVLAN-Transactional-Dataset dscp af21police 5000000 8000 exceed-action policed-dscp-transmitclass DVLAN-Bulk-Dataset dscp af11police 5000000 8000 exceed-action policed-dscp-transmit!interface FastEthernet0/1description to 2800-br2-1 TRUNKswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 100,200,300switchport mode trunkswitchport port-security aging time 10ip arp inspection trustload-interval 30srr-queue bandwidth share 1 70 25 5srr-queue bandwidth shape 3 0 0 0priority-queue outmls qos trust dscpip dhcp snooping limit rate 10ip dhcp snooping trust!interface FastEthernet0/2description to 2800-br2-2 TRUNKswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 100,200,300switchport mode trunkswitchport port-security aging time 10ip arp inspection trustload-interval 30srr-queue bandwidth share 1 70 25 5srr-queue bandwidth shape 3 0 0 0priority-queue outmls qos trust dscpip dhcp snooping limit rate 10ip dhcp snooping trust!interface FastEthernet0/4description phone with PC connected to phoneswitchport access vlan 100switchport mode accessswitchport voice vlan 200switchport port-security maximum 2switchport port-securityswitchport port-security aging time 2switchport port-security violation restrictswitchport port-security aging type inactivityip arp inspection limit rate 100load-interval 30srr-queue bandwidth share 1 70 25 5srr-queue bandwidth shape 3 0 0 0priority-queue outmls qos trust device cisco-phonespanning-tree portfastspanning-tree bpduguard enableip verify sourceip dhcp snooping limit rate 100!interface Vlan100description VLAN100 for PCs and Switch managementip address 10.124.2.126 255.255.255.128no ip redirectsno ip unreachablesno ip proxy-arpipv6 address 2001:DB8:CAFE:2100::BAD2:F126/64no ipv6 redirectsno ipv6 unreachables!ip classlessno ip http server!ip access-list extended DVLAN-Bulk-Datapermit tcp any any eq 143permit tcp any any eq 220ip access-list extended DVLAN-Mission-Critical-Datapermit tcp any any range 3200 3203permit tcp any any eq 3600permit tcp any any range 2000 2002ip access-list extended DVLAN-PC-VIDEOpermit udp any any range 16384 32767ip access-list extended DVLAN-Transactional-Datapermit tcp any any eq 1352ip access-list extended MGMT-IN-v4permit tcp 10.120.0.0 0.0.255.255 any log-inputpermit tcp 10.121.0.0 0.0.255.255 any log-inputpermit tcp 10.122.0.0 0.0.255.255 any log-inputpermit tcp 10.124.2.0 0.0.0.255 any log-inputpermit tcp 10.124.102.0 0.0.0.255 any log-inputdeny ip any any log-inputip access-list extended VVLAN-anypermit ip 10.125.2.0 0.0.0.255 anyip access-list extended VVLAN-call-signallingpermit tcp 10.125.2.0 0.0.0.255 any range 2000 2002 dscp af31permit tcp 10.125.2.0 0.0.0.255 any range 2000 2002 dscp cs3ip access-list extended VVLAN-voicepermit udp 10.125.2.0 0.0.0.255 any range 16384 32767 dscp ef!ipv6 route ::/0 Vlan100 FE80::5:73FF:FEA0:C9!!ipv6 access-list MGMT-INpermit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:2100::BAD2:F126deny ipv6 any any log-input!control-plane!banner login ^CUnauthorized access to this device and/or network is prohibited.^C!line con 0session-timeout 3password 7 021405550C031Dlogging synchronouslogin localtransport output noneline vty 0 4session-timeout 3access-class MGMT-IN-v4 inpassword 7 071D2042490C0Bipv6 access-class MGMT-IN inlogging synchronouslogin localexec prompt timestamptransport input sshline vty 5 15session-timeout 3access-class MGMT-IN-v4 inpassword 7 105C0817021200ipv6 access-class MGMT-IN inlogin localexec prompt timestamptransport input ssh
