The following is a sample configuration of a Business Ready Branch. There are many permutations of feature combinations when setting up the access router for the branch office, but this is one fairly comprehensive example that was used in Cisco testing.
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Anytown
!
!
logging buffered 4096 debugging
logging rate-limit 20
no logging console
!
clock timezone est -5
clock summer-time edt recurring
no network-clock-participate aim 0
no network-clock-participate aim 1
voice-card 6
dspfarm
!
no aaa new-model
aaa authentication login default local
ip subnet-zero
no ip source-route
ip cef
!
ip dhcp pool phones
network 10.173.156.0 255.255.255.0
default-router 10.173.156.1
option 150 ip 10.59.138.4
dns-server 10.59.138.4
!
ip dhcp pool pc
network 10.73.26.0 255.255.255.192
default-router 10.73.26.1
dns-server 10.73.26.1
!
ip inspect one-minute high 2000
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
ip ips po max-events 100
! disables alarming on RFC 1918 addresses detection
ip ips signature 1107 0 disable
! disables alarming ICMP on echo reply
ip ips signature 2000 0 disable
! disables alarming on ICMP host unreachable (this is commonly seen during MTU discovery)
ip ips signature 2001 0 disable
ip ips name softips
no ftp-server write-enable
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21
!
!
policy-map reorder
class VOICE
priority percent 33
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class TRANSACTIONAL-DATA
bandwidth percent 22
class class-default
fair-queue
random-detect dscp-based
policy-map shaper
class class-default
shape average 5000000
service-policy reorder
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key branch address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set brb esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile dmvpn
set transform-set brb
!
interface Tunnel0
description Hub and Spoke DMVPN link
ip address 10.73.30.2 255.255.255.192
no ip redirects
ip mtu 1400
ip nhrp authentication brb
ip nhrp map multicast dynamic
ip nhrp map 10.73.30.1 192.168.8.6
ip nhrp map multicast 192.168.8.6
ip nhrp network-id 99
ip nhrp nhs 10.73.30.1
ip route-cache flow
load-interval 30
qos pre-classify
tunnel source Loopback0
tunnel destination 192.168.8.6
tunnel key 10000
tunnel path-mtu-discovery
tunnel protection ipsec profile dmvpn
!
interface Loopback0
ip address 10.73.1.6 255.255.255.248
!
interface FastEthernet0/0
no ip address
no ip proxy-arp
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1.16
description DMZ
encapsulation dot1Q 16
ip address 10.57.0.1 255.255.255.0
ip access-group DMZ in
ip ips softips in
ip virtual-reassembly
!
interface FastEthernet0/1.18
description Voice VLAN for phones
encapsulation dot1Q 18
ip address 10.173.156.1 255.255.255.0
ip access-group voice in
ip inspect firewall in
! note - avoid IPS on Voice LAN
! with RPC sigs enabled
!
interface FastEthernet0/1.20
description Data VLAN for PCs
encapsulation dot1Q 20
ip address 10.73.26.1 255.255.255.192
ip nat inside
ip access-group LAN in
ip inspect firewall in
ip ips softips in
!
interface Hssi3/0
description ISP 5 Mbps link
encapsulation ppp
load-interval 30
hssi internal-clock
serial restart-delay 0
ip address 192.168.25.30 255.255.255.252
ip nat outside
ip access-group INPUT_ACL in
ip inspect firewall in
ip ips softips in
ip virtual-reassembly
service-policy output shaper
!
router eigrp 15
passive-interface FastEthernet0/1.16
passive-interface FastEthernet0/1.18
passive-interface FastEthernet0/1.20
network 10.0.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.25.29
!
ip nat inside source list LAN interface Hssi3/0 overload
!
ip access-list extended INPUT_ACL
remark Allow IKE and ESP from the headend router
permit udp host 192.168.1.1 any eq isakmp
permit esp host 192.168.1.1 any
remark Allow ICMP
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
remark Allow DNS name lookup from router
permit udp any eq domain any
remark Allow the Internet to DMZ
permit ip any 10.57.0.0 0.0.0.255
deny ip any any
!
ip access-list extended LAN
permit ip 10.73.26.0 0.0.0.63 any
deny ip any any
!
ip access-list extended DMZ
deny ip any any
!
ip access-list extended voice
permit ip 10.173.156.0 0.0.0.255 any
deny ip any any
!
control-plane
!--------- CCM SRST with MGCP Fallback Voice Section --------------
!
isdn switch-type primary-5ess
!
ccm-manager switchback immediate
ccm-manager fallback-mgcp
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager config server 10.59.138.4
ccm-manager config
!
controller T1 0/0
framing esf
linecode b8zs
pri-group timeslots 1-24 service mgcp
!
interface Serial0/0:23
no ip address
isdn switch-type primary-5ess
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable
!
interface Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 10.73.1.5 255.255.255.248
service-module ip default-gateway 10.73.1.6
!
interface Loopback0
ip address 10.73.1.6 255.255.255.248
!
ip route 10.73.1.5 255.255.255.255 Service-Engine1/0
!
voice-port 0/0:23
!
mgcp
mgcp call-agent VPN2-CM-2 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp package-capability rtp-package
no mgcp package-capability res-package
mgcp package-capability sst-package
no mgcp package-capability fxr-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp rtp payload-type g726r16 static
!
mgcp profile default
!
dial-peer cor custom
!
dial-peer voice 29999 voip
description voicemail_cue
destination-pattern 2999.
session protocol sipv2
session target ipv4:10.73.1.5
codec g711ulaw
!
dial-peer voice 25 pots
description PSTN
application mgcpapp
destination-pattern 9T
port 0/0:23
!
dial-peer voice 26 pots
description PSTN
application mgcpapp
destination-pattern 91T
port 0/0:23
!
call-manager-fallback
max-conferences 8
ip source-address 10.73.1.6 port 2000
max-ephones 240
max-dn 250
voicemail 29999
call-forward busy 29999
call-forward noan 29999 timeout 3
!
line con 0
exec-timeout 61 0
password 7 0822455D0A16
line 33
no activation-character
no exec
transport preferred none
transport input all
transport output all
line aux 0
line vty 0
password 7 00071A150754
login
transport input telnet
line vty 1 4
exec-timeout 61 0
password 7 00071A150754
login
transport input telnet
line vty 5 6
exec-timeout 61 0
login
!
ntp clock-period 17175627
ntp server 172.26.176.10
ntp peer 10.73.30.1
end
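An added example, not part of Cisco's sample configuration: a Python check that every ACL, inspection rule, IPS rule, policy map and IPsec profile applied by name is also defined in the same configuration, since a misspelled name on an interface line is easy to miss by eye. The sample lines and the names in them are constructed for illustration, and the patterns cover only the command forms that appear in the configuration above.

```python
import re

# Commands that define a named object: (kind, pattern capturing the name).
DEFINES = [
    ("acl", r"ip access-list (?:standard|extended) (\S+)"),
    ("inspect", r"ip inspect name (\S+)"),
    ("ips", r"ip ips name (\S+)"),
    ("policy-map", r"policy-map (\S+)"),
    ("ipsec-profile", r"crypto ipsec profile (\S+)"),
]
# Commands that apply one of those objects by name.
REFERENCES = [
    ("acl", r"ip access-group (\S+) (?:in|out)"),
    ("acl", r"ip nat inside source list (\S+) .*"),
    ("inspect", r"ip inspect (\S+) (?:in|out)"),
    ("ips", r"ip ips (\S+) (?:in|out)"),
    ("policy-map", r"service-policy (?:(?:input|output) )?(\S+)"),
    ("ipsec-profile", r"tunnel protection ipsec profile (\S+)"),
]

def undefined_references(config_text):
    """Return (line_no, kind, name) for each name applied but never defined."""
    defined, used = set(), []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for kind, pattern in DEFINES:
            if m := re.match(pattern, line):
                defined.add((kind, m.group(1)))
        for kind, pattern in REFERENCES:
            m = re.fullmatch(pattern, line)
            if m and not m.group(1).isdigit():  # numbered ACLs are not checked
                used.append((line_no, kind, m.group(1)))
    return [u for u in used if (u[1], u[2]) not in defined]

# Constructed sample: one misspelled IPS rule name and one ACL never defined.
SAMPLE = """\
ip inspect name fw tcp
ip ips name branch-ips
ip access-list extended WAN_IN
 deny ip any any
interface Serial0/0
 ip access-group WAN_IN in
 ip inspect fw in
 ip ips branch-ids in
interface FastEthernet0/1
 ip access-group LAN in
 ip ips branch-ips in
"""
```

Calling `undefined_references(SAMPLE)` reports the `branch-ids` IPS reference and the `LAN` ACL reference with their line numbers.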