- Contents
- Network Topology
- WAN Services Implementation
- LAN Services Implementation
- PRI-Trunk and FXS Port Implementation
- Cisco Unified CME with SCCP Endpoints Implementation
- Cisco Unified CME with SCCP Endpoints: Telephony Service Setup
- Cisco Unified CME with SCCP Endpoints: IP Phone Installation and Configuration
- Cisco Unified CME with SCCP Endpoints: H.323 Voice Gateway Implementation
- Cisco Unified CME with SCCP Endpoints: Dial Plan Implementation
- Cisco Unified CME with SCCP Endpoints: CAC Implementation
- Cisco Unified CME with SCCP Endpoints: Transcoding and Conferencing Implementation
- Cisco Unified CME with SCCP Endpoints: Music on Hold Implementation
- Cisco Unified CME with SCCP Endpoints: Voice Mail and Auto Attendant Integration
- Cisco Unified CME with SCCP Endpoints: Emergency Services Implementation
- Cisco Unified CME with SCCP Endpoints Verification
 
- Cisco Unified CME with SIP Endpoints Implementation
- Cisco Unified CME with SIP Endpoints: Telephony Service Setup
- Cisco Unified CME with SIP Endpoints: IP Phone Installation and Configuration
- Cisco Unified CME with SIP Endpoints: SIP Voice Gateway Implementation
- Cisco Unified CME with SIP Endpoints: Dial Plan Implementation
- Cisco Unified CME with SIP Endpoints: CAC Implementation
- Cisco Unified CME with SIP Endpoints: Transcoding Implementation
- Cisco Unified CME with SIP Endpoints: Music on Hold Implementation
- Cisco Unified CME with SIP Endpoints: Voice Mail and Auto Attendant Integration
- Cisco Unified CME with SIP Endpoints: Emergency Services Implementation
 
- Cisco Unified SRST with SCCP Endpoints Implementation
- Cisco Unified SRST with SCCP Endpoints: Telephony Service Setup
- Cisco Unified SRST with SCCP Endpoints: IP Phone Installation and Configuration
- Cisco Unified SRST with SCCP Endpoints: H.323 Voice Gateway Implementation
- Cisco Unified SRST with SCCP Endpoints: Dial Plan Implementation
- Cisco Unified SRST with SCCP Endpoints: RSVP Implementation
- Cisco Unified SRST with SCCP Endpoints: Transcoding and Conferencing Implementation
- Cisco Unified SRST with SCCP Endpoints: Music on Hold Implementation
- Cisco Unified SRST with SCCP Endpoints: Voice Mail and Auto Attendant Integration
- Cisco Unified SRST with SCCP Endpoints: Emergency Services Implementation
 
- Cisco Unified SRST with SIP Endpoints Implementation
- Cisco Unified SRST with SIP Endpoints: Telephony Service Setup
- Cisco Unified SRST with SIP Endpoints: Cisco Unified SRST Fallback Mode at the Branch Router
- Cisco Unified SRST with SIP Endpoints: IP Phone Installation and Configuration
- Cisco Unified SRST with SIP Endpoints: SIP Voice Gateway Implementation
- Cisco Unified SRST with SIP Endpoints: Dial Plan Implementation
- Cisco Unified SRST with SIP Endpoints: RSVP Implementation
- Cisco Unified SRST with SIP Endpoints: Transcoding and Conferencing Implementation
- Cisco Unified SRST with SIP Endpoints: Music on Hold Implementation
- Cisco Unified SRST with SIP Endpoints: Voice Mail and Auto Attendant Integration
- Cisco Unified SRST with SIP Endpoints: Emergency Services Implementation
 
System Implementation
This section describes the information you need to configure the Cisco 2900 Series Integrated Services Routers Generation 2 (ISRs G2) branch routers and a Catalyst 3560 switch used in the Streamlined Small Branch Network.
 
 
    Note  Use the Command Lookup Tool (registered customers only) for more information on the commands used in this document.
The full configuration of the Cisco 2900 Series ISR that was used for validating the features described in this guide is provided in the Streamlined Small Branch Network Toolkit.
Contents
 • Network Fundamental Services Implementation
 • Security Services Implementation
 • Voice Services Implementation
 • Optimization Services Implementation
Network Topology
Figure 1 shows the components of the Streamlined Small Branch Network test bed. The topology includes the following components:
Enterprise Headquarters
 • Web servers
 • File servers
 • Print servers
 • PC clients
 • Cisco 7200 Series VXR routers
 • Cisco Secure ACS
 • Catalyst 3560 and Catalyst 6500 switches
 • IP Phones
 • Cisco Unified Communications Manager (Cisco Unified CM)
 • Cisco Wide Area Application Engine (Cisco WAE) 512
 • Cisco Configuration Engine
Enterprise Branch
 • Cisco 3925 and Cisco 3945 ISRs
 • Cisco 3560 and Catalyst 3750 switches
 • Cisco Unified IP Phones 7942G, 7945G, 7961G, 7962G, 7965G, 7971G, and 7985G
 • Cisco Unified IP Conference Station 7936
 • PC clients
 • Demilitarized zone (DMZ) servers
 • Analog telephones and faxes
Figure 1 Streamlined Small Branch Network Test Bed

Figure 2 shows the detailed topology, interface assignment, and IP addressing scheme.
Figure 2 Streamlined Small Branch Network Topology

Figure 3 shows the high-speed WAN interface cards (HWICs), voice interface cards (VICs), voice WAN interface cards (VWICs), and network module configuration on a Cisco 2911 router. WAN connectivity is provided by the 2-port high-speed WAN interface card (HWIC-2T). A Cisco 2901 router, shown in Figure 4, was populated in the same way. The Cisco Unity Express AIM2-CUE module was placed into internal slot 1.
Figure 3 Interface Card and Service Module Configuration on a Cisco 2911 Router

Figure 4 Interface Card and Service Module Configuration on a Cisco 2901 Router
WAN Services Implementation
The following five configurations were tested for connecting WAN access lines to the nearest provider edge (PE) device of the service provider network:
 • Single-Port DS-1 Interface with Frame Relay Encapsulation
 • Single-Port DS-1 Interface with Point-to-Point Encapsulation
 • Multiport DS-1 Interface with Multilink Point-to-Point Encapsulation
 • Multiport DS-1 Interface with Multilink Frame Relay Encapsulation
 • Onboard Fast Ethernet Interface
Single-Port DS-1 Interface with Frame Relay Encapsulation
A two-port T1/E1 high-speed WAN interface card was used for this configuration. Traditional Frame Relay (FR) shaping was applied on the interface. Alternatively, QoS-based shaping as defined in the Eight-Class-V3PN-Edge-Shape service policy can be used. This example is shown in the "Multiport DS-1 Interface with Multilink Frame Relay Encapsulation" section.
Router(config)# interface Serial0/1/0 ! Enters serial interface configuration mode
Router(config-if)# no ip address ! Disables IP processing on the serial interface
Router(config-if)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols and gather statistics
Router(config-if)# load-interval 30 ! Specifies interval for computing load statistics
Router(config-if)# dsu bandwidth 1550 ! Specifies maximum allowed bandwidth in Kbps for the interface
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# encapsulation frame-relay IETF ! Enables Frame Relay IETF standard encapsulation
Router(config-if)# interface Serial0/1/0.1 point-to-point ! Defines point-to-point Frame Relay sub-interface for the primary link
Router(config-subif)# ip address 192.168.0.1 255.255.255.252 ! Specifies an IP address for the sub-interface
Router(config-subif)# ip access-group BLOCK-TFTP in ! Applies ACL named "BLOCK-TFTP" on incoming traffic
Router(config-subif)# ip access-group BLOCK-TFTP out ! Applies ACL named "BLOCK-TFTP" on outgoing traffic
Router(config-subif)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols and gather statistics
Router(config-subif)# ip flow ingress ! Enables NetFlow accounting for incoming packets
Router(config-subif)# ip flow egress ! Enables NetFlow accounting for outgoing packets
Router(config-subif)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Router(config-subif)# no ip mroute-cache ! Disables fast switching of multicast packets
Router(config-subif)# snmp trap link-status ! Generates SNMP trap when link status changes
Router(config-subif)# frame-relay interface-dlci 230 ! Defines Frame Relay DLCI for the sub-interface
Router(config-fr-dlci)# class FR-SHAPING ! Assigns Frame Relay map-class "FR-SHAPING" for traffic shaping. The map-class is defined in the QoS section
Router(config-fr-dlci)# exit
Apply the following command on the Serial0/1/0/0.1 subinterface after defining the Public security zone as shown in the Security section.
Router(config-subif)# zone-member security Public ! Adds sub-interface to firewall zone called Public
Apply the following command on the Serial3 interface after defining the VPN-MAP crypto map as shown in the Security section if using GETVPN.
Router(config-fr-dlci)# crypto map VPN-MAP ! Applies crypto map "VPN-MAP" to the Frame Relay DLCI
Verification of Single-Port DS-1 Interface with Frame Relay Encapsulation
To verify your Frame Relay single-port DS-1 interface configuration, enter and verify the output of the following command:
Router# show frame-relay pvc 230
PVC Statistics for interface Serial0/1/0/0 (Frame Relay DTE)
DLCI = 230, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/1/0/0.1
input pkts 12487 output pkts 12470 in bytes 2441416
out bytes 2441892 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 12443 out bcast bytes 2438648
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 4d03h, last time pvc status changed 4d03h
cir 56000 bc 7000 be 0 byte limit 875 interval 125
mincir 28000 byte increment 875 Adaptive Shaping none
pkts 12235 bytes 2398060 pkts delayed 0 bytes delayed 0
shaping inactive
traffic shaping drops 0
Queueing strategy: fifo
Output queue 0/40, 0 drop, 0 dequeued
Router#
Single-Port DS-1 Interface with Point-to-Point Encapsulation
The following configuration for the HWIC-2T T1/E1 interface card uses the PPP Layer 2 encapsulation method.
Router(config)# interface Serial0/1/0/0 ! Enters serial interface configuration mode
Router(config-if)# no ip address ! Disables IP processing on the serial interface
Router(config-if)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols and gather statistics
Router(config-if)# load-interval 30 ! Specifies interval for computing load statistics
Router(config-if)# dsu bandwidth 44210 ! Specifies maximum allowed bandwidth in Kbps for the interface
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# encapsulation PPP ! Sets Layer 2 encapsulation to PPP
Router(config-if)# ip address 192.168.0.1 255.255.255.252 ! Specifies an IP address for the interface
Router(config-if)# ip access-group BLOCK-TFTP in ! Applies ACL named "BLOCK-TFTP" on incoming traffic
Router(config-if)# ip access-group BLOCK-TFTP out ! Applies ACL named "BLOCK-TFTP" on outgoing traffic
Router(config-if)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols and gather statistics
Router(config-if)# ip flow ingress ! Enables NetFlow accounting for incoming packets
Router(config-if)# ip flow egress ! Enables NetFlow accounting for outgoing packets
Router(config-if)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Router(config-if)# no ip mroute-cache ! Disables fast switching of multicast packets
Router(config-if)# snmp trap link-status ! Generates SNMP trap when link status changes
Apply the following command on the Serial0/1/0 interface after defining the EIGHT-CLASS-V3PN-EDGE-SHAPE class as shown in the Security section.
Router(config-if)# service-policy output EIGHT-CLASS-V3PN-EDGE-SHAPE ! Applies QoS policy to the interface in outgoing direction to provide preferential treatment for traffic
Apply the following command on the Serial0/1/0 interface after defining the Public security zone in the Security section.
Router(config-if)# zone-member security Public ! Adds interface to firewall zone called Public
Apply the following command on the Serial0/1/0 interface after defining the VPN-MAP crypto map in the Security section if using GETVPN.
Router(config-if)# crypto map VPN-MAP ! Applies crypto map "VPN-MAP" to the interface

Multiport DS-1 Interface with Multilink Point-to-Point Encapsulation
To support the multilink PPP configuration, two interfaces on the HWIC-2T were bundled together to form a single multilink bundle.
Router(config)# interface Multilink1 ! Enters multilink interface configuration mode
Router(config-if)# ip address 192.168.0.1 255.255.255.252 ! Specifies an IP address for the interface
Router(config-if)# ip access-group BLOCK-TFTP in ! Applies ACL named "BLOCK-TFTP" on incoming traffic
Router(config-if)# ip access-group BLOCK-TFTP out ! Applies ACL named "BLOCK-TFTP" on outgoing traffic
Router(config-if)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Router(config-if)# no ip mroute-cache ! Disables fast switching of multicast packets
Router(config-if)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols and gather statistics
Router(config-if)# load-interval 30 ! Specifies interval for computing load statistics
Router(config-if)# ip flow egress ! Enables NetFlow accounting for outgoing packets
Router(config-if)# ip flow ingress ! Enables NetFlow accounting for incoming packets
Router(config-if)# ppp multilink ! Enables Multilink PPP
Router(config-if)# ppp multilink group 1 ! Assigns interface to multilink group 1
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# exit
Router(config)# interface Serial0/1/0 ! Enters serial interface configuration mode for channel group 0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp ! Configures encapsulation type for interface as PPP
Router(config-if)# ppp multilink ! Enables Multilink PPP
Router(config-if)# ppp multilink group 1 ! Assigns interface to multilink group 1
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# no shutdown
Router(config-if)# interface Serial0/1/1 ! Enters serial interface configuration mode for channel group 0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp ! Configures encapsulation type for interface as PPP
Router(config-if)# ppp multilink ! Enables Multilink PPP
Router(config-if)# ppp multilink group 1 ! Assigns interface to multilink group 1
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# no shutdown
Router(config-if)# interface Serial0/1/2 ! Enters serial interface configuration mode for channel group 0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp ! Configures encapsulation type for interface as PPP
Router(config-if)# ppp multilink ! Enables Multilink PPP
Router(config-if)# ppp multilink group 1 ! Assigns interface to multilink group 1
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# no shutdown
Router(config-if)# interface Serial0/1/3 ! Enters serial interface configuration mode for channel group 0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp ! Configures encapsulation type for interface as PPP
Router(config-if)# ppp multilink ! Enables Multilink PPP
Router(config-if)# ppp multilink group 1 ! Assigns interface to multilink group 1
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# no shutdown
Router(config-if)# exit
Apply the following command on the Multilink1 interface after defining the EIGHT-CLASS-V3PN-EDGE-SHAPE class as shown in the Security section.
Router(config-if)# service-policy output EIGHT-CLASS-V3PN-EDGE-SHAPE ! Applies QoS policy to the interface in outgoing direction to provide preferential treatment for traffic
Apply the following command on the Multilink1 interface after defining the Public security zone as shown in the Security section.
Router(config-if)# zone-member security Public ! Adds interface to firewall zone called Public
Apply the following command on the Multilink1 interface after defining the VPN-MAP crypto map as shown in the Security section if using GETVPN.
Router(config-if)# crypto map VPN-MAP ! Applies crypto map "VPN-MAP" to the interface

Verification of Multiport DS-1 Interface with Multilink PPP Encapsulation
To verify the multilink interface configuration, enter the show ppp multilink command to display the active serial interfaces bundled as part of PPP multilink.
Router# show ppp multilink
Multilink1
Bundle name: BRANCH
Remote Endpoint Discriminator: [1] ISP-1
Local Endpoint Discriminator: [1] Router
Bundle up for 2w2d, total bandwidth 8192, load 1/255
Receive buffer limit 48000 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
3 lost fragments, 4704524 reordered
9/800 discarded fragments/bytes, 0 lost received
0xE543EE received sequence, 0xE83A54 sent sequence
Member links: 4 active, 0 inactive (max not set, min not set)
Se0/1/0, since 2w2d
Se0/1/1, since 2w2d
Se0/1/2, since 2w2d
Se0/1/3, since 2w2d
No inactive multilink interfaces
Router#
Use the show interface multilink command to show the status of multilink.
Router1# show interface Multilink 1
Multilink1 is up, line protocol is up
Hardware is multilink group interface
Internet address is 192.168.0.1/30
Backup interface ATM0/2/IMA0, failure delay 0 sec, secondary disable delay 0 sec,
kickin load not set, kickout load not set
MTU 1500 bytes, BW 8192 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open, multilink Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 2 seconds on reset
Last input 00:00:21, output never, output hang never
Last clearing of "show interface" counters 2w2d
Input queue: 0/75/178/0 (size/max/drops/flushes); Total output drops: 791
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 1000 bits/sec, 1 packets/sec
5463859 packets input, 1356700636 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
12 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 8 abort
5275968 packets output, 3619744669 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Router#
Multiport DS-1 Interface with Multilink Frame Relay Encapsulation
To support the multilink Frame Relay configuration, two interfaces on the HWIC-2T were bundled together to form a single multilink bundle.
Router(config)# interface MFR 1 ! Enters Frame Relay multilink interface configuration mode
Router(config-if)# encapsulation frame-relay ! Specifies Frame Relay encapsulation for the interface
Router(config-if)# ip address 192.168.0.1 255.255.255.252 ! Specifies an IP address for the interface
Router(config-if)# ip access-group BLOCK-TFTP in ! Applies ACL named "BLOCK-TFTP" on incoming traffic
Router(config-if)# ip access-group BLOCK-TFTP out ! Applies ACL named "BLOCK-TFTP" on outgoing traffic
Router(config-if)# no ip mroute-cache ! Disables fast switching of multicast packets
Router(config-if)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols and gather statistics
Router(config-if)# load-interval 30 ! Specifies interval for computing load statistics
Router(config-if)# ip flow egress ! Enables NetFlow accounting for outgoing packets
Router(config-if)# ip flow ingress ! Enables NetFlow accounting for incoming packets
Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Router(config-if)# exit ! Returns to global configuration mode
Router(config)# interface Serial0/1/0 ! Enters serial interface configuration mode for channel group 1
Router(config-if)# encapsulation frame-relay MFR 1 ! Assigns the link to MFR bundle with id 1
Router(config-if)# no shutdown
Router(config-if)# interface Serial0/1/1 ! Enters serial interface configuration mode for channel group 1
Router(config-if)# encapsulation frame-relay MFR 1 ! Assigns the link to MFR bundle with id 1
Router(config-if)# no shutdown
Router(config-if)# interface Serial0/1/2 ! Enters serial interface configuration mode for channel group 1
Router(config-if)# encapsulation frame-relay MFR 1 ! Assigns the link to MFR bundle with id 1
Router(config-if)# no shutdown
Router(config-if)# interface Serial0/1/3 ! Enters serial interface configuration mode for channel group 1
Router(config-if)# encapsulation frame-relay MFR 1 ! Assigns the link to MFR bundle with id 1
Router(config-if)# no shutdown
Router(config-if)# end
Apply the following command on the MFR interface after defining the EIGHT-CLASS-V3PN-EDGE-SHAPE class as shown in the Security section.
Router(config-if)# service-policy output EIGHT-CLASS-V3PN-EDGE-SHAPE ! Applies QoS policy to the interface in outgoing direction to provide preferential treatment for traffic
Apply the following command on the MFR interface after defining the Public security zone as shown in the Security section.
Router(config-if)# zone-member security Public ! Adds interface to firewall zone called Public
Apply the following command on the MFR interface after defining the VPN-MAP crypto map as shown in the Security section if using GETVPN.
Router(config-if)# crypto map VPN-MAP ! Applies crypto map "VPN-MAP" to the interface

Onboard Fast Ethernet Interface
The onboard Fast Ethernet port was used for WAN connection with Ethernet encapsulation.
Branch(config)# interface FastEthernet0/0 ! Enters the Fast Ethernet interface configuration mode
Branch(config-if)# ip address 192.168.0.1 255.255.255.252 ! Specifies an IP address for the interface
Branch(config-if)# ip access-group BLOCK-TFTP in ! Applies ACL named "BLOCK-TFTP" on incoming traffic
Branch(config-if)# ip access-group BLOCK-TFTP out ! Applies ACL named "BLOCK-TFTP" on outgoing traffic
Branch(config-if)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols and gather statistics
Branch(config-if)# ip flow ingress ! Enables NetFlow accounting for incoming traffic
Branch(config-if)# ip flow egress ! Enables NetFlow accounting for outgoing traffic
Branch(config-if)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Branch(config-if)# no ip mroute-cache ! Disables fast switching of multicast packets
Branch(config-if)# load-interval 30 ! Specifies interval for computing load statistics
Branch(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth available for QoS reservations
Branch(config-if)# media-type sfp ! Sets the Ethernet connector to the SFP module
Branch(config-if)# no shutdown
Branch(config-if)# end
Apply the following command on the Fast Ethernet interface after defining the EIGHT-CLASS-V3PN-EDGE-SHAPE class as shown in the Security section.
Branch(config-if)# service-policy output EIGHT-CLASS-V3PN-EDGE-SHAPE ! Applies QoS policy to the interface in outgoing direction to provide preferential treatment for traffic
Apply the following command on the Fast Ethernet interface after defining the Public security zone as shown in the Security section.
Branch(config-if)# zone-member security Public ! Adds interface to firewall zone called Public
Apply the following command on the Fast Ethernet interface after defining the VPN-MAP crypto map as shown in the Security section if using GETVPN.
Branch(config-if)# crypto map VPN-MAP ! Applies crypto map "VPN-MAP" to the interface
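Every WAN variant above ends with the same three hardening steps on the IP-bearing interface: the BLOCK-TFTP ACL inbound, the same ACL outbound, and membership of the Public zone. The following script, added here as an example and not part of the design guide or its toolkit, parses a saved running-config into interface stanzas and reports which WAN interfaces are missing any of those steps; the sample config, the assumption that WAN links are the Serial, Multilink and MFR interfaces, and the skipping of Layer 2-only parent interfaces are this example's own choices.

```python
"""Audit the WAN-facing interfaces of a Cisco IOS running-config for the
per-interface hardening this guide applies on every WAN variant: the
BLOCK-TFTP ACL in both directions and membership of the Public zone.
Added example for this page, not part of the design guide or its toolkit.
"""
import re
from typing import Dict, List

# Commands the guide applies on every WAN interface or sub-interface
# (Frame Relay, PPP, multilink PPP, MFR and onboard Fast Ethernet alike).
REQUIRED_WAN_COMMANDS = (
    "ip access-group BLOCK-TFTP in",
    "ip access-group BLOCK-TFTP out",
    "zone-member security Public",
)

# Assumption for this example: WAN links are the serial ports, the PPP
# multilink bundle and the MFR bundle.  The onboard Fast Ethernet WAN
# variant would need its interface name added to this pattern.
WAN_INTERFACE_RE = re.compile(r"^(Serial|Multilink|MFR)", re.IGNORECASE)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [commands]}.

    IOS indents the commands under an 'interface' line with one space
    and closes the stanza with '!' or the next top-level command.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                     # '!' closes the stanza
        elif line.startswith("interface "):
            current = line.split()[1]          # drop 'point-to-point' etc.
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None                     # another top-level command
    return stanzas


def audit_wan_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {WAN interface: [missing required commands]}.

    An empty list means the interface carries everything the guide applies.
    Parent interfaces configured with 'no ip address' only carry Layer 2
    settings (the ACLs and zone live on the Frame Relay sub-interface or
    the PPP/MFR bundle), so they are not audited.
    """
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if not WAN_INTERFACE_RE.match(name) or "no ip address" in cmds:
            continue
        present = set(cmds)
        report[name] = [c for c in REQUIRED_WAN_COMMANDS if c not in present]
    return report


# Constructed sample: a compliant Frame Relay sub-interface, a multilink
# bundle missing the outbound ACL and the zone, and a LAN sub-interface
# that must be ignored.
SAMPLE_CONFIG = """\
interface Serial0/1/0
 no ip address
 encapsulation frame-relay IETF
!
interface Serial0/1/0.1 point-to-point
 ip address 192.168.0.1 255.255.255.252
 ip access-group BLOCK-TFTP in
 ip access-group BLOCK-TFTP out
 zone-member security Public
 frame-relay interface-dlci 230
!
interface Multilink1
 ip address 192.168.0.5 255.255.255.252
 ip access-group BLOCK-TFTP in
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/1.1
 description Data-VLAN
 encapsulation dot1Q 301
 ip address 10.0.0.1 255.255.255.0
 zone-member security Private
!
"""

if __name__ == "__main__":
    for iface, missing in audit_wan_interfaces(SAMPLE_CONFIG).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{iface:<16} {status}")
```

Run it against the output of show running-config saved to a file; the Frame Relay variant puts the shaping on the DLCI rather than a service policy, so the service-policy line is deliberately not part of the required set.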
 
LAN Services Implementation
The main design considerations in the small branch office LAN design are security and manageability. A simplified multilayered LAN architecture addresses these criteria and makes it easier to troubleshoot network issues.
The simplified multilayered branch LAN architecture can be divided into the following layers:
 • Edge and Distribution Layer: Provides WAN connectivity, routing, addressing, high availability, quality of service (QoS), security, management services, and an exit point to the rest of the network.
 • Access Layer: Provides connectivity and Power over Ethernet (PoE) to end-user devices. Layer 2 security, authentication, private VLANs, trunking, and QoS are addressed at this layer.
Edge and Distribution Layer
One of the onboard Fast Ethernet ports was connected to the access layer switch. The following VLAN configurations were applied to create VLANs across the branch network:
Enable the LAN-facing Fast Ethernet interface.
Branch(config)# interface FastEthernet0/1 ! Enters Fast Ethernet interface configuration mode
Branch(config-if)# no shutdown
Data VLAN
Branch(config)# interface FastEthernet0/1.1 ! Enters Fast Ethernet sub-interface 1 configuration mode
Branch(config-subif)# description Data-VLAN
Branch(config-subif)# encapsulation dot1Q 301 ! Defines IEEE 802.1Q VLAN encapsulation type
Branch(config-subif)# ip address 10.0.0.1 255.255.255.0 ! Assigns IP address to the interface
Branch(config-subif)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Apply the following command on the Fast Ethernet subinterface after defining the INPUT-POLICY class as shown in the Security section.
Branch(config-subif)# service-policy input INPUT-POLICY ! Executes a policy "INPUT-POLICY" on incoming traffic
Apply the following command on the Fast Ethernet subinterface after defining the Private security zone as shown in the Security section.
Branch(config-subif)# zone-member security Private ! Adds the subinterface to firewall zone called Private
Apply the following command on the Fast Ethernet subinterface after defining the IPS-ADVSET ACL as shown in the Security section.
Branch(config-subif)# ip ips IPS-ADVSET out ! Enables IPS signature matching for traffic flowing in outward direction
Branch(config-subif)# ip ips IPS-ADVSET in ! Enables IPS signature matching for traffic flowing in inward direction

Voice VLAN
Branch(config)# interface FastEthernet0/1.2 ! Enters Fast Ethernet sub-interface 2 configuration mode
Branch(config-subif)# description Voice-VLAN
Branch(config-subif)# encapsulation dot1Q 302 ! Defines IEEE 802.1Q VLAN encapsulation type
Branch(config-subif)# ip address 10.0.1.1 255.255.255.0 ! Assigns IP address to the interface
Branch(config-subif)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Apply the following command on the Fast Ethernet subinterface after defining the INPUT-POLICY class as shown in the Security section.
Branch(config-subif)# service-policy input INPUT-POLICY ! Executes a policy "INPUT-POLICY" on incoming traffic
Apply the following command on the Fast Ethernet subinterface after defining the Private security zone as shown in the Security section.
Branch(config-subif)# zone-member security Private ! Adds the subinterface to firewall zone called Private

DMZ VLAN
Branch(config-subif)# interface FastEthernet0/1.3 ! Enters Fast Ethernet sub-interface 3 configuration mode
Branch(config-subif)# description DMZ-VLAN
Branch(config-subif)# encapsulation dot1Q 303 ! Defines IEEE 802.1Q VLAN encapsulation type
Branch(config-subif)# ip address 10.0.2.65 255.255.255.240 ! Assigns IP address to the interface
Branch(config-subif)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Apply the following command on the Fast Ethernet subinterface after defining the INPUT-POLICY class as shown in the Security section.
Branch(config-subif)# service-policy input INPUT-POLICY ! Executes a policy "INPUT-POLICY" on incoming traffic
Apply the following command on the Fast Ethernet subinterface after defining the DMZ security zone as shown in the Security section.
Branch(config-subif)# zone-member security DMZ ! Adds the subinterface to firewall zone called DMZ
Apply the following command on the Fast Ethernet subinterface after defining the IPS-ADVSET ACL as shown in the Security section.
Branch(config-subif)# ip ips IPS-ADVSET out ! Enables IPS signature matching for traffic flowing in outward direction
Branch(config-subif)# ip ips IPS-ADVSET in ! Enables IPS signature matching for traffic flowing in inward direction

Management VLAN
Branch(config-subif)# interface FastEthernet0/1.4 ! Enters Fast Ethernet sub-interface 4 configuration mode
Branch(config-subif)# description Management-VLAN
Branch(config-subif)# encapsulation dot1Q 310 ! Defines IEEE 802.1Q VLAN encapsulation type
Branch(config-subif)# ip address 10.0.2.1 255.255.255.224 ! Assigns IP address to the interface
Branch(config-subif)# ip pim sparse-dense-mode ! Enables multicast in sparse-dense mode
Apply the following command on the Fast Ethernet subinterface after defining the INPUT-POLICY class as shown in the Security section.
Branch(config-subif)# service-policy input INPUT-POLICY ! Executes a policy "INPUT-POLICY" on incoming traffic
Apply the following command on the Fast Ethernet subinterface after defining the Private security zone as shown in the Security section.
Branch(config-subif)# zone-member security Private ! Adds the subinterface to firewall zone called Private

Access Layer
 • VLAN Trunking Protocol Implementation
VLAN Trunking Protocol Implementation
VLAN Trunking Protocol (VTP) is a client-server protocol that reduces the overhead of network administration by propagating VLAN information from the server to all clients in a single VTP domain.
In the Streamlined Medium Branch Network, the Catalyst 3560 series switch at the distribution layer was configured as the VTP server. This provides an additional level of resiliency and simplifies management.
Switch-Dist(config)# vtp domain VTP-BRANCH ! Creates VTP domain with name "VTP-BRANCH"
 
   Switch-Dist(config)# vtp mode server ! Sets the distribution switch to server VTP mode
 
    
 
    Note  Always check the configuration revision number of a new switch before adding it to the network, regardless of whether the switch is going to operate in VTP client mode or in VTP server mode. A switch in the same domain that advertises a higher revision number overwrites the VLAN database of every other switch in the domain, including the server. To reset the revision number, do one of the following:
 • Reboot the switch
or 
 • Temporarily change the domain name of the new switch and then change it back to its valid domain name.
VTP Verification
To verify your VTP configuration, enter the show vtp status command to display the VTP management status and other counters.
Switch# show vtp status
VTP Version : 2
Configuration Revision : 91
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : VTP-BRANCH
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x01 0x71 0x91 0x17 0x8C 0x59 0xE5 0x39
Configuration last modified by 10.0.1.254 at 7-29-08 17:23:15
Local updater ID is 10.0.1.254 on interface Vl10 (lowest numbered VLAN interface found)
Switch#
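The revision check described in the note above can be scripted against the `show vtp status` output. The following is an added example, not configuration or code from the original guide: it parses the output of a switch that is about to be connected, compares it with the domain name and revision of the existing server (91 in the verification output above), and reports when the new switch would overwrite the domain's VLAN database. The `show vtp status` text it parses is constructed for the example.

```python
import re

# Constructed `show vtp status` output from a switch about to be cabled into
# the branch; it is not a capture from the guide's network.
NEW_SWITCH_VTP_STATUS = """\
VTP Version : 2
Configuration Revision : 157
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : VTP-BRANCH
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
"""

# The same switch after its domain name was changed away and back, which
# resets the revision to 0 (constructed as well).
RESET_SWITCH_VTP_STATUS = NEW_SWITCH_VTP_STATUS.replace(
    "Configuration Revision : 157", "Configuration Revision : 0")

_FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", re.M)


def parse_vtp_status(text):
    """Turn `show vtp status` output into a {field: value} dict."""
    return {key: value for key, value in _FIELD_RE.findall(text)}


def vtp_join_findings(show_vtp_status, domain, domain_revision):
    """Return the reasons connecting this switch would be unsafe, or [] if it
    cannot overwrite the domain's VLAN database."""
    fields = parse_vtp_status(show_vtp_status)
    mode = fields.get("VTP Operating Mode", "").lower()
    name = fields.get("VTP Domain Name", "")
    revision = int(fields.get("Configuration Revision", "0"))
    findings = []
    if mode == "transparent":
        return findings  # transparent switches ignore advertised databases
    if name not in ("", domain):
        return findings  # another domain's advertisements are ignored
    # An empty (null) domain name is adopted from the first advertisement
    # received, so such a switch is treated like a member of this domain.
    if revision >= domain_revision:
        findings.append(
            f"{mode} switch carries revision {revision} >= domain revision "
            f"{domain_revision}: its VLAN database would replace the domain's")
    return findings


if __name__ == "__main__":
    for finding in vtp_join_findings(NEW_SWITCH_VTP_STATUS, "VTP-BRANCH", 91):
        print("UNSAFE:", finding)
```

The check is deliberately conservative: a client with a higher revision is flagged just like a server, because either one propagates its database to the rest of the domain.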
VLAN Implementation
VLAN is a logical segmentation of LAN into multiple-broadcast domain that allows a group of hosts to communicate as if they were on a single LAN even if they are not physically collocated. A Layer 3 device is required for communication between VLANs.
Five VLANs were defined: DATA, VOICE, DMZ, MANAGEMENT, and BLACKHOLE.
Switch-Dist(config)# vlan 301 ! Creates Data VLAN to vlan database
 
   Switch-Dist(config-vlan)# name DATA
Switch-Dist(config-vlan)# exit
Switch-Dist(config)# vlan 302 ! Creates Voice VLAN to vlan database
 
   Switch-Dist(config-vlan)# name VOICE
Switch-Dist(config-vlan)# exit
Switch-Dist(config)# vlan 303 ! Creates DMZ VLAN to vlan database
 
   Switch-Dist(config-vlan)# name DMZ
Switch-Dist(config-vlan)# exit
Switch-Dist(config)# vlan 310 ! Creates management VLAN to vlan database
 
   Switch-Dist(config-vlan)# name MANAGEMENT
Switch-Dist(config-vlan)# exit
Switch-Dist(config)# vlan 333 ! Creates black hole VLAN to vlan database
 
   Switch-Dist(config-vlan)# name BLACKHOLE
Switch-Dist(config-vlan)# exit
Switch-Dist(config)# interface Vlan301 ! Enters Data VLAN configuration mode
 
   Switch-Dist(config-if)# ip address 10.0.0.254 255.255.255.0 ! Specifies the IP address for 
the SVI interface
 
   Switch-Dist(config-if)# interface Vlan302 ! Enters Voice VLAN configuration mode
 
   Switch-Dist(config-if)# ip address 10.0.1.254 255.255.255.0 ! Specifies the IP address 
for the SVI interface
 
   Switch-Dist(config-if)# interface Vlan303 ! Enters switch virtual interface (SVI) 
configuration
 
   Switch-Dist(config-if)# ip address 10.0.2.78 255.255.255.240 ! Specifies the IP address for 
the SVI interface
 
   Switch-Dist(config-if)# interface Vlan310 ! Enters Management VLAN interface configuration 
mode
 
   Switch-Dist(config-if)# ip address 10.0.2.30 255.255.255.224 ! Specifies the IP address for 
the SVI interface
 
   The following configuration was applied to all access ports connected to an IP Phone.
Switch-Access(config)# interface range g1/0/4 - 48 ! Enters configuration for range of 
gigabit Ethernet ports
 
   Switch-Access(config-if-range)# switchport mode access ! Sets the port to access mode
 
   Switch-Access(config-if-range)# switchport access vlan 301 ! Assigns the port to Data VLAN 
 
   Switch-Access(config-if-range)# switchport voice vlan 302 ! Assigns the port to Voice VLAN
 
   Switch-Access(config-if-range)# spanning-tree portfast ! Sets the switch port to 
forwarding state ignoring listening/learning state
 
   Switch-Access(config-if-range)# srr-queue bandwidth share 1 70 25 5 ! Enables bandwidth 
sharing for all output queues. Queue 1 is strict priority queue, queue 2 gets 70% of 
bandwidth, queue 3 25% of bandwidth, and queue 4 5% of the bandwidth
 
   Switch-Access(config-if-range)# srr-queue bandwidth shape 3 0 0 0 ! Shapes queue 1 to 1/3 
of the port bandwidth; a weight of 0 leaves queues 2, 3, and 4 in shared mode.
 
   Switch-Access(config-if-range)# priority-queue out ! Egress expedite queue is enabled. 
This command will force SRR to ignore weight of queue 1 while calculating the bandwidth 
ratio. This queue will be emptied before servicing other queues.
 
   Switch-Access(config-if-range)# mls qos trust device cisco-phone ! Specifies the port to 
trust the CoS/DSCP value if the CDP neighbor is Cisco IP Phone
 
   Switch-Access(config-if-range)# load-interval 30 ! Specifies interval for computing load 
statistics
 
   The following configuration was applied to all access ports connected to a DMZ server.
Switch-Access(config)# interface range g1/0/49 - 52 ! Enters configuration for range of 
gigabit Ethernet ports
 
   Switch-Access(config-if-range)# switchport mode access ! Sets the port to access mode
 
   Switch-Access(config-if-range)# switchport access vlan 303 ! Assigns the port to DMZ VLAN 
 
   Switch-Access(config-if-range)# spanning-tree portfast ! Sets the switch port to 
forwarding state ignoring listening/learning state
 
   Switch-Access(config-if-range)# srr-queue bandwidth share 1 70 25 5 ! Enables bandwidth 
sharing for all output queues. Queue 1 is strict priority queue, queue 2 gets 70% of 
bandwidth, queue 3 25% of bandwidth, and queue 4 5% of the bandwidth
 
   Switch-Access(config-if-range)# srr-queue bandwidth shape 3 0 0 0 ! Shapes queue 1 to 1/3 
of the port bandwidth; a weight of 0 leaves queues 2, 3, and 4 in shared mode.
 
   Switch-Access(config-if-range)# priority-queue out ! Egress expedite queue is enabled. 
This command will force SRR to ignore weight of queue 1 while calculating the bandwidth 
ratio. This queue will be emptied before servicing other queues.
 
   Switch-Access(config-if-range)# load-interval 30 ! Specifies interval for computing load 
statistics
 
   Spanning Tree Implementation
Switch-Dist(config)# spanning-tree mode pvst ! Enables Per-VLAN spanning-tree protocol
 
   Spanning Tree Verification
To verify your Spanning Tree configuration, enter the show spanning-tree summary command to display the Spanning Tree mode enabled in the switch.
Switch# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
<Removed>
Uplink to Router Implementation
Switch-Dist(config)# interface g1/0/1 ! Enters gigabit Ethernet interface configuration 
mode
 
   Switch-Dist(config-if)# description trunk to router
Switch-Dist(config-if)# switchport trunk encapsulation dot1q ! Tags outgoing frames with 
IEEE 802.1Q trunk encapsulation format
 
   Switch-Dist(config-if)# switchport trunk allowed vlan 301-303,310 ! Defines list of allowed 
VLANs that can send traffic on the trunk.
 
   Switch-Dist(config-if)# switchport mode trunk ! Enables the Ethernet port as VLAN trunk
 
   Switch-Dist(config-if)# load-interval 30 ! Specifies interval for computing load 
statistics
 
   DOT1X Services
Switch-Access(config)# aaa new-model ! Enables Authentication, Authorization and 
Accounting services
 
   Switch-Access(config)# aaa authentication dot1x default group radius ! Specifies default 
dot1x authentication to use RADIUS server database
 
   Switch-Access(config)# aaa session-id common ! Specifies to use the same session identifier 
for all invocations of accounting services
 
   Switch-Access(config)# dot1x system-auth-control ! Enables IEEE 802.1x authentication 
globally on the switch
 
   Switch-Access(config)# radius-server host 172.16.0.80 ! Specifies RADIUS server IP address
 
   Switch-Access(config)# radius-server key KEY-BR ! Specifies the RADIUS shared secret 
"KEY-BR". The secret authenticates RADIUS packets and hides the User-Password attribute; 
RADIUS does not encrypt the rest of the exchange
 
   Switch-Access(config)# int range g1/0/2 - 52 ! Enters configuration for the range of 
Gigabit Ethernet ports
 
   Switch-Access(config-if-range)# dot1x port-control auto ! Enables dot1x authentication on 
the port
 
   Switch-Access(config-if-range)# dot1x timeout server-timeout 60 ! Specifies time to wait 
for a response from RADIUS server before retransmitting
 
   DOT1X Services Verification
To verify your DOT1X services configuration, enter the following command:
Switch-Access# show dot1x interface g1/0/2
Supplicant MAC <Not Applicable>
AuthSM State = N/A
BendSM State = N/A
PortStatus = N/A
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
PortControl = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 60 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
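What the `radius-server key` actually protects is easy to overstate, so here is an added example (not code from the guide or from Cisco IOS) that implements the two places the shared secret enters a RADIUS exchange as defined in RFC 2865: hiding the User-Password attribute in an Access-Request, and computing the Response Authenticator that the switch checks on an Access-Accept. With 802.1X the credentials travel inside EAP-Message attributes rather than User-Password, and RFC 3579 additionally requires a Message-Authenticator (HMAC-MD5 keyed with the secret), which is also shown. The secret "KEY-BR", the user name and the Request Authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct


def radius_attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 5.2: XOR the NUL-padded password, 16 bytes at a time, with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator. Only this attribute is hidden; the rest of the
    Access-Request (User-Name, NAS-IP-Address, ...) is sent in the clear."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password. A wrong secret does not raise; it just
    yields garbage, so knowledge of the secret is never proven by this step."""
    clear, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(h ^ m for h, m in zip(block, mask))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The switch recomputes this over every reply, so an Access-Accept forged by
    someone without the secret is rejected."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def reply_is_genuine(code, identifier, attributes, request_authenticator, secret, received):
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received)


def message_authenticator(code, identifier, authenticator, attributes, secret):
    """RFC 3579 3.2: HMAC-MD5 over the whole packet with the Message-Authenticator
    attribute (type 80) present but zero-filled. Mandatory for EAP, so that an
    Access-Request carrying EAP-Message cannot be spoofed or altered."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hmac.new(secret, header + authenticator + attributes, hashlib.md5).digest()


if __name__ == "__main__":
    secret, req_auth = b"KEY-BR", bytes(range(16))      # constructed sample values
    hidden = hide_user_password(b"branch-user-pw", secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", unhide_user_password(hidden, secret, req_auth))
    print("with wrong secret:", unhide_user_password(hidden, b"WRONG", req_auth))
```

Two points follow directly from the code: the password hiding is a stream of MD5 outputs keyed by the secret, so an attacker who can sniff the switch-to-server path can brute-force the secret offline against a single captured request; and because nothing other than the authenticators is keyed, everything the switch sends besides the password is visible on that path. The ACS or ISE server IP in the configuration above is on the corporate side of the VPN, which is what keeps that exposure acceptable.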
QoS Implementation
The mapping for the CoS to DSCP values is shown in Figure 32 in the "Quality of Service" section on page 37.
Switch-Access(config)# mls qos ! Enables QoS on the switch
 
   Switch-Access(config)# mls qos map policed-dscp 0 10 18 24 25 34 to 8 ! Defines 
Policed-DSCP map which is used to mark down the packets with specified values to DSCP 8.
 
   Switch-Access(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56 ! Defines CoS-DSCP map 
for preferential treatment
 
   Switch-Access(config)# mls qos srr-queue output cos-map queue 1 threshold 3 5 ! Maps the 
CoS 5 to egress queue 1 with threshold 3
 
   Switch-Access(config)# mls qos srr-queue output cos-map queue 2 threshold 1 2 4 ! Maps 
CoS 2 and CoS 4 to egress queue 2 with threshold 1
 
   Switch-Access(config)# mls qos srr-queue output cos-map queue 2 threshold 2 3 ! Maps the 
CoS 3 to egress queue 2 with threshold 2
 
   Switch-Access(config)# mls qos srr-queue output cos-map queue 2 threshold 3 6 7 ! Maps 
CoS 6 and CoS 7 to egress queue 2 with threshold 3
 
   Switch-Access(config)# mls qos srr-queue output cos-map queue 3 threshold 3 0 ! Maps the 
CoS 0 to egress queue 3 with threshold 3
 
   Switch-Access(config)# mls qos srr-queue output cos-map queue 4 threshold 3 1 ! Maps 
CoS 1 to egress queue 4 with threshold 3
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 46 ! Maps the 
DSCP value 46 to egress queue 1 with threshold 3
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 16 18 20 22 
25 32 34 36 ! Maps the DSCP values 16, 18, 20, 22, 25, 32, 34 and 36 to egress queue 2 
with threshold 1
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 38 ! Maps the 
DSCP value 38 to egress queue 2 with threshold 1
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 2 threshold 2 24 26 36 ! 
Maps the DSCP values 24, 26, and 36 to egress queue 2 with threshold 2 
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 48 56 36 ! 
Maps the DSCP values 36, 48, and 56 to egress queue 2 with threshold 3
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 3 threshold 3 0 36 ! Maps 
the DSCP values 0 and 36 to egress queue 3 with threshold 3
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 4 threshold 1 8 36 ! Maps 
the DSCP values 8 and 36 to egress queue 4 with threshold 1
 
   Switch-Access(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14 36 ! 
Maps the DSCP values 10, 12,14, and 36 to egress queue 4 with threshold 3
 
   Switch-Access(config)# mls qos queue-set output 1 threshold 2 70 80 100 100 ! Defines the 
weighed tail-drop thresholds for queue 2 to 70% for threshold 1 and 80% for threshold 2
 
   Switch-Access(config)# mls qos queue-set output 1 threshold 4 40 100 100 100 ! Defines the 
weighed tail-drop thresholds for queue 4 to 40% for threshold 1 and 100% for threshold 2
 
   Switch-Access(config)# ip access-list extended DVLAN-BULK-DATA ! Defines ACL to match Bulk 
Data
 
   Switch-Access(config-ext-nacl)# permit tcp any any eq 220 ! Match Interactive Mail Access 
Protocol version 3 (IMAP3, TCP port 220)
 
   Switch-Access(config-ext-nacl)# permit tcp any any eq 143 ! Match Internet Message Access Protocol (IMAP)
Switch-Access(config-ext-nacl)# permit tcp any any eq smtp ! Match Simple Mail Transfer 
Protocol
 
   Switch-Access(config-ext-nacl)# ip access-list extended DVLAN-MISSION-CRITICAL-DATA ! 
Defines ACL to match Business Critical Data
 
   Switch-Access(config-ext-nacl)# permit tcp any any eq www ! Match HTTP traffic for port 80
 
   Switch-Access(config-ext-nacl)# permit tcp any any range 3200 3203 ! Match SAP traffic
 
   Switch-Access(config-ext-nacl)# permit tcp any any eq 3600 ! Match SAP traffic
 
   Switch-Access(config-ext-nacl)# permit tcp any any range 2000 2002 ! Match SCCP traffic
 
   Switch-Access(config-ext-nacl)# permit udp any any eq isakmp ! Match Internet Security 
Association and Key Management Protocol
 
   Switch-Access(config-ext-nacl)# permit tcp any eq www any ! Match HTTP traffic coming from source port 80
Switch-Access(config-ext-nacl)# ip access-list extended DVLAN-PC-VIDEO ! Defines ACL to 
match Video traffic
 
   Switch-Access(config-ext-nacl)# permit udp any any range 16384 32767 ! Match traffic in 
the given port range
 
   Switch-Access(config-ext-nacl)# ip access-list extended DVLAN-TRANSACTIONAL-DATA ! Defines 
ACL to match Transactional Data         
 
   Switch-Access(config-ext-nacl)# permit tcp any any eq 1352 ! Match Lotus Notes traffic
 
   Switch-Access(config-ext-nacl)# permit udp any any eq domain ! Match DNS traffic
 
   Switch-Access(config-ext-nacl)# permit udp any any eq netbios-dgm ! Match NetBios traffic
 
   Switch-Access(config-ext-nacl)# permit udp any any eq netbios-ns ! Match NetBios traffic
 
   Switch-Access(config-ext-nacl)# permit udp any any eq netbios-ss ! Match NetBios traffic
 
   Switch-Access(config-ext-nacl)# ip access-list extended VVLAN-ANY ! Defines ACL to match 
Voice VLAN traffic
 
   Switch-Access(config-ext-nacl)# permit ip 10.0.1.0 0.0.0.255 any
Switch-Access(config-ext-nacl)# ip access-list extended VVLAN-CALL-SIGNALING ! Defines ACL 
to match voice signaling traffic
 
   Switch-Access(config-ext-nacl)# permit udp 10.0.1.0 0.0.0.255 any
Switch-Access(config-ext-nacl)# permit tcp 10.0.1.0 0.0.0.255 any range 2000 2002
Switch-Access(config-ext-nacl)# ip access-list extended VVLAN-VOICE ! Defines ACL to match 
voice traffic
 
   Switch-Access(config-ext-nacl)# permit udp 10.0.1.0 0.0.0.255 any
Switch-Access(config-ext-nacl)# permit udp 10.0.1.0 0.0.0.255 any range 16384 32767
Switch-Access(config-ext-nacl)# class-map match-all DVLAN-TRANSACTIONAL-DATA ! Defines 
class-map for Transactional Data
 
   Switch-Access(config-cmap)# match access-group name DVLAN-TRANSACTIONAL-DATA ! Matches 
traffic specified in DVLAN-TRANSACTIONAL-DATA ACL
 
   Switch-Access(config-cmap)# class-map match-all DVLAN-PC-VIDEO ! Defines class-map for 
Video traffic
 
   Switch-Access(config-cmap)# match access-group name DVLAN-PC-VIDEO ! Matches traffic 
specified in DVLAN-PC-VIDEO ACL
 
   Switch-Access(config-cmap)# class-map match-all VVLAN-CALL-SIGNALING ! Defines class-map 
for Voice signalling
 
   Switch-Access(config-cmap)# match access-group name VVLAN-CALL-SIGNALING ! Matches traffic 
specified in VVLAN-CAL-SIGNALING ACL
 
   Switch-Access(config-cmap)# class-map match-all DVLAN-MISSION-CRITICAL-DATA ! Defines 
class-map for Business critical traffic
 
   Switch-Access(config-cmap)# match access-group name DVLAN-MISSION-CRITICAL-DATA ! Matches 
traffic specified in DVLAN-MISSION_CRITICAL_DATA ACL
 
   Switch-Access(config-cmap)# class-map match-all VVLAN-VOICE ! Defines class-map for voice 
traffic
 
   Switch-Access(config-cmap)# match access-group name VVLAN-VOICE ! Matches traffic 
specified in VVLAN-VOICE ACL
 
   Switch-Access(config-cmap)# class-map match-all VVLAN-ANY ! Defines class-map for voice 
vlan traffic
 
   Switch-Access(config-cmap)# match access-group name VVLAN-ANY ! Matches traffic specified 
in VVLAN-ANY ACL
 
   Switch-Access(config-cmap)# class-map match-all DVLAN-BULK-DATA ! Defines class-map for 
Bulk traffic
 
   Switch-Access(config-cmap)# match access-group name DVLAN-BULK-DATA ! Matches traffic 
specified in DVLAN-BULK_DATA ACL
 
   Switch-Access(config-cmap)# policy-map IPPHONE+PC-ADVANCED ! Defines Policy-map 
 
   Switch-Access(config-pmap)# class VVLAN-VOICE ! Matches traffic classified by VVLAN-VOICE 
class-map
 
   Switch-Access(config-pmap-c)# set dscp ef ! Set DSCP value to EF
 
   Switch-Access(config-pmap-c)# police 6144000 61440 exceed-action drop ! Incoming traffic 
is policed to 6.144 Mbps with a 61,440-byte burst; packets that exceed the rate are 
dropped
 
   Switch-Access(config-pmap-c)# class VVLAN-CALL-SIGNALING ! Matches traffic classified by 
VVLAN-CALL-SIGNALING class-map
 
   Switch-Access(config-pmap-c)# set dscp cs3 ! Set DSCP value to CS3
 
   Switch-Access(config-pmap-c)# police 1024000 10240 exceed-action policed-dscp-transmit ! Incoming traffic is policed to 1.024 Mbps with a 10,240-byte burst; packets that exceed the rate are marked down through the policed-DSCP map from CS3 to Scavenger class (CS1)
Switch-Access(config-pmap-c)# class VVLAN-ANY ! Matches traffic classified by class-map
 
   Switch-Access(config-pmap-c)# set dscp default ! Set DSCP value to 0
 
   Switch-Access(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit ! Incoming traffic is policed to 32 kbps with an 8,000-byte burst; packets that exceed the rate are marked down to Scavenger class (CS1)
Switch-Access(config-pmap-c)# class DVLAN-PC-VIDEO ! Matches traffic classified by 
class-map
 
   Switch-Access(config-pmap-c)# set dscp af41 ! Set DSCP value to AF41 (34)
 
   Switch-Access(config-pmap-c)# police 1984000 19840 exceed-action policed-dscp-transmit ! Incoming traffic is policed to 1.984 Mbps with a 19,840-byte burst; packets that exceed the rate are marked down to Scavenger class (CS1)
Switch-Access(config-pmap-c)# class DVLAN-MISSION-CRITICAL-DATA ! Matches traffic 
classified by class-map
 
   Switch-Access(config-pmap-c)# set dscp 25 ! Set DSCP value to 25
 
   Switch-Access(config-pmap-c)# police 12500000 125000 exceed-action policed-dscp-transmit ! Incoming traffic will be policed to 12.5 Mbps with a 125 KB burst size and if the rate is exceeded packet will be marked down to Scavenger class (CS1)
Switch-Access(config-pmap-c)# class DVLAN-TRANSACTIONAL-DATA ! Matches traffic classified 
by class-map
 
   Switch-Access(config-pmap-c)# police 10000000 100000 exceed-action policed-dscp-transmit ! Incoming traffic will be policed to 10 Mbps with a 100 KB burst size and if the rate is exceeded packet will be marked down to Scavenger class (CS1)
Switch-Access(config-pmap-c)# set dscp af21 ! Set DSCP value to AF21
 
   Switch-Access(config-pmap-c)# class DVLAN-BULK-DATA ! Matches traffic classified by 
class-map
 
   Switch-Access(config-pmap-c)# set dscp af11 ! Set DSCP value to AF11
 
   Switch-Access(config-pmap-c)# police 5000000 50000 exceed-action policed-dscp-transmit ! Incoming traffic will be policed to 5 Mbps with a 50 KB burst size and if the rate is exceeded packet will be marked down to Scavenger class (CS1)
Switch-Access(config-pmap-c)# class class-default ! Defines default class
 
   Switch-Access(config-pmap-c)# set dscp default ! Set DSCP value to 0
 
   Switch-Access(config-pmap-c)# police 12500000 125000 exceed-action policed-dscp-transmit ! Incoming traffic will be policed to 12.5 Mbps with a 125 KB burst size and if the rate is exceeded packet will be marked down to Scavenger class (CS1)
QoS Verification
To verify your QoS configuration, enter the show mls qos command to display whether QoS is enabled in the switch.
Switch-Access# show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
Switch-Access# show mls qos maps policed-dscp
Policed-dscp map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    08 01 02 03 04 05 06 07 08 09
      1 :    08 11 12 13 14 15 16 17 08 19
      2 :    20 21 22 23 08 08 26 27 28 29
      3 :    30 31 32 33 08 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59
      6 :    60 61 62 63
Switch-Access# show mls qos maps cos-dscp
Cos-dscp map:
     cos:   0  1  2  3  4  5  6  7
     --------------------------------
    dscp:   0  8 16 24 32 46 48 56
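The queue maps, the policed-DSCP map and the policy map above interact in ways that `show mls qos` does not surface: a DSCP value can sit in only one egress queue and threshold, so when several `dscp-map` commands name the same value the last one wins, and a class whose `exceed-action` is `policed-dscp-transmit` only gets marked down if its DSCP has an entry in the policed-DSCP map. The following added example (not code from the guide) parses the commands from this section, with prompts and comments stripped, and reports both conditions together with the queue each class lands in before and after mark-down. Values not covered by any `dscp-map` command keep the switch default, which the example does not model.

```python
import re

# Egress queue maps, policed-DSCP map and policy map from this section, with
# the prompts and "!" comments removed (page configuration, not new commands).
SWITCH_CONFIG = """
mls qos map policed-dscp 0 10 18 24 25 34 to 8
mls qos srr-queue output dscp-map queue 1 threshold 3 46
mls qos srr-queue output dscp-map queue 2 threshold 1 16 18 20 22 25 32 34 36
mls qos srr-queue output dscp-map queue 2 threshold 1 38
mls qos srr-queue output dscp-map queue 2 threshold 2 24 26 36
mls qos srr-queue output dscp-map queue 2 threshold 3 48 56 36
mls qos srr-queue output dscp-map queue 3 threshold 3 0 36
mls qos srr-queue output dscp-map queue 4 threshold 1 8 36
mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14 36
policy-map IPPHONE+PC-ADVANCED
 class VVLAN-VOICE
  set dscp ef
  police 6144000 61440 exceed-action drop
 class VVLAN-CALL-SIGNALING
  set dscp cs3
  police 1024000 10240 exceed-action policed-dscp-transmit
 class VVLAN-ANY
  set dscp default
  police 32000 8000 exceed-action policed-dscp-transmit
 class DVLAN-PC-VIDEO
  set dscp af41
  police 1984000 19840 exceed-action policed-dscp-transmit
 class DVLAN-MISSION-CRITICAL-DATA
  set dscp 25
  police 12500000 125000 exceed-action policed-dscp-transmit
 class DVLAN-TRANSACTIONAL-DATA
  police 10000000 100000 exceed-action policed-dscp-transmit
  set dscp af21
 class DVLAN-BULK-DATA
  set dscp af11
  police 5000000 50000 exceed-action policed-dscp-transmit
 class class-default
  set dscp default
  police 12500000 125000 exceed-action policed-dscp-transmit
"""

DSCP_MAP_RE = re.compile(
    r"^\s*mls qos srr-queue output dscp-map queue (\d) threshold (\d)((?: \d+)+)\s*$", re.M)
POLICED_RE = re.compile(r"^\s*mls qos map policed-dscp((?: \d+)+) to (\d+)\s*$", re.M)


def dscp_value(token):
    """Translate an IOS DSCP keyword (ef, cs3, af41, default) or number to its value."""
    t = token.lower()
    if t == "ef":
        return 46
    if t == "default":
        return 0
    if m := re.fullmatch(r"cs([1-7])", t):
        return 8 * int(m.group(1))
    if m := re.fullmatch(r"af([1-4])([1-3])", t):
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    return int(t)


def parse_dscp_queue_map(config):
    """(mapping, conflicts): mapping is dscp -> (queue, threshold) as the switch
    ends up holding it (later commands overwrite earlier ones); conflicts lists
    every assignment for values that were mapped more than once."""
    assigned = {}
    for queue, threshold, values in DSCP_MAP_RE.findall(config):
        for value in values.split():
            assigned.setdefault(int(value), []).append((int(queue), int(threshold)))
    mapping = {d: entries[-1] for d, entries in assigned.items()}
    conflicts = {d: entries for d, entries in assigned.items() if len(entries) > 1}
    return mapping, conflicts


def parse_policed_dscp_map(config):
    """dscp -> mark-down dscp for the policed-DSCP map."""
    return {int(v): int(to) for values, to in POLICED_RE.findall(config) for v in values.split()}


def parse_policy_map(config, name):
    """{class: {"dscp": int | None, "exceed": str | None}} for one policy map."""
    classes, current, inside = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            inside = line.split(None, 1)[1] == name
        elif inside and line.startswith("class "):
            current = line.split(None, 1)[1]
            classes[current] = {"dscp": None, "exceed": None}
        elif inside and current and line.startswith("set dscp "):
            classes[current]["dscp"] = dscp_value(line.split()[2])
        elif inside and current and line.startswith("police "):
            m = re.search(r"exceed-action (\S+)", line)
            classes[current]["exceed"] = m.group(1) if m else None
    return classes


def egress_report(config, policy_name):
    """Per class: the DSCP it is marked with, the egress queue that DSCP lands
    in, and, for policed-dscp-transmit classes, the marked-down DSCP and queue."""
    mapping, _ = parse_dscp_queue_map(config)
    policed = parse_policed_dscp_map(config)
    report = {}
    for cls, info in parse_policy_map(config, policy_name).items():
        dscp = info["dscp"]
        markdown = policed.get(dscp) if info["exceed"] == "policed-dscp-transmit" else None
        report[cls] = {"dscp": dscp, "queue": mapping.get(dscp),
                       "markdown": markdown, "markdown_queue": mapping.get(markdown)}
    return report


def unprotected_classes(config, policy_name):
    """Classes that mark down on exceed but whose DSCP has no policed-DSCP
    entry: their excess traffic would be forwarded with its marking unchanged."""
    policed = parse_policed_dscp_map(config)
    return [cls for cls, info in parse_policy_map(config, policy_name).items()
            if info["exceed"] == "policed-dscp-transmit" and info["dscp"] not in policed]
```

Run against this section's commands, the conflict report shows that DSCP 36 (AF42) is named in six `dscp-map` commands and ends up in queue 4 threshold 3, the same queue as bulk data, while every marked-down class lands in queue 4 threshold 1 via DSCP 8, and `unprotected_classes` returns an empty list because each `set dscp` value in the policy map has a policed-DSCP entry.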
Assigning QoS to Switch Port
Switch-Access(config)# interface range g1/0/2 - 52 ! Enters configuration for the range of 
Gigabit Ethernet ports
 
   Switch-Access(config-if-range)# service-policy input IPPHONE+PC-ADVANCED ! Applies QoS 
policy IPPHONE+PC-ADVANCED to the interface in input direction.
 
 
   Verification of Assigning QoS to Switch Port
To verify that the QoS policy is applied to the switch port, enter the show policy-map interface command to display the QoS policy and the related counters.
Switch-Access# show policy-map interface g1/0/2
GigabitEthernet1/0/2
Service-policy input: IPPHONE+PC-ADVANCED
Class-map: VVLAN-VOICE (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group name VVLAN-VOICE
Class-map: VVLAN-CALL-SIGNALING (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group name VVLAN-CALL-SIGNALING
Class-map: VVLAN-ANY (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group name VVLAN-ANY
Class-map: DVLAN-PC-VIDEO (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group name DVLAN-PC-VIDEO
Class-map: DVLAN-MISSION-CRITICAL-DATA (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group name DVLAN-MISSION-CRITICAL-DATA
Class-map: DVLAN-TRANSACTIONAL-DATA (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group name DVLAN-TRANSACTIONAL-DATA
Class-map: DVLAN-BULK-DATA (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group name DVLAN-BULK-DATA
Class-map: class-default (match-any)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: any
0 packets, 0 bytes
rate 0 bps
Network Fundamental Services Implementation
High Availability
Redundant WAN Link
Backup for any of the three access links is provided by a symmetric high-bit-rate digital subscriber line (SHDSL, ITU-T G.991.2) interface running inverse multiplexing over ATM (IMA). The backup interface is connected to the closest PE device of the service provider network.
Router(config)# controller SHDSL 0/2/0 ! Enters controller configuration mode
 
   Router(config-controller)# dsl-group 0 pairs 0, 1, 2 ima ! Creates an IMA bundle pairing 
links 0-2
 
   Router(config-controller-dsl-group)# ima group clock-mode itc ! Defines clock mode for the 
IMA group. Sets the transmit clock for at least one link to be different from the other 
links.
 
   Router(config-controller-dsl-group)# shdsl annex A-B ! Specifies annex A/B of G.991.2 
standard to be used on the controller
 
   Router(config-controller-dsl-group)# shdsl rate auto ! Sets the controller rate 
negotiation in auto mode
 
   Router(config-controller-dsl-group)# end
Router(config)# interface ATM0/2/IMA0 ! Enters IMA interface configuration mode
 
   Router(config-if)# bandwidth 4608 ! Sets the maximum allowed bandwidth in Kbps
 
   Router(config-if)# load-interval 30 ! Specifies interval for computing load statistics
 
   Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth 
available for QoS reservations 
 
   Router(config-if)# exit
Router(config)# interface ATM0/2/IMA0.1 point-to-point ! Creates IMA point-to-point 
sub-interface and specifies its parameters
 
   Router(config-subif)# ip address 209.165.201.1 255.255.255.252 ! Assigns IP address to the 
interface
 
   Router(config-subif)# pvc 10/10 ! Creates a PVC and specifies its parameters
 
   Router(config-if-atm-vc)# protocol ip 209.165.201.2 broadcast ! Statically maps the PVC 
to the ISP router's IP address; the broadcast keyword allows broadcast and multicast 
packets, such as routing updates, to be sent over the PVC
 
   Router(config-if-atm-vc)# vbr-rt 2304 2304 ! Assigns VBR class of service and defines peak 
and average cell rate
 
   Router(config-if-atm-vc)# oam-pvc manage ! Enables end-to-end F5 OAM loopback cell 
transmission and OAM management
 
   Router(config-if-atm-vc)# encapsulation aal5mux ppp Virtual-Template10 ! Configures PPPoA 
AAL5+MUX point-to-point encapsulation and associates it with Virtual-Template
 
   Router(config)# interface Virtual-Template10 ! Enters Virtual Template configuration
 
   Router(config-if)# bandwidth 4608 ! Sets the maximum allowed bandwidth in Kbps
 
   Router(config-if)# ip unnumbered ATM0/2/IMA0.1 ! Reuses the IP address of the IMA 
sub-interface
 
   Router(config-if)# ip nbar protocol-discovery ! Enables NBAR to discover default protocols 
and gather statistics
 
   Router(config-if)# ip flow ingress ! Enables NetFlow accounting for incoming traffic
 
   Router(config-if)# ip flow egress ! Enables NetFlow accounting for outgoing traffic
 
   Router(config-if)# load-interval 30 ! Specifies interval for computing load statistics
 
   Router(config-if)# max-reserved-bandwidth 100 ! Makes 100% of interface bandwidth 
available for QoS reservations 
 
   Router(config-if)# end
Apply the following command on the Virtual Template interface after defining the EIGHT-CLASS-V3PN-EDGE-SHAPE policy as shown in the Security section.
Router(config-if)# service-policy output EIGHT-CLASS-V3PN-EDGE-SHAPE ! Applies QoS policy 
to the interface in outgoing direction to provide preferential treatment for traffic
 
   Apply the following command on the Virtual Template interface after defining the Public security zone as shown in the Security section.
Router(config-if)# zone-member security Public ! Adds interface to firewall zone called 
Public
 
   Apply the following command on the Virtual Template interface after defining the VPN-MAP crypto map as shown in the Security section if using GETVPN.
Router(config-if)# crypto map VPN-MAP ! Applies crypto map "VPN-MAP" to the interface
 
   Redundant WAN Link Verification
To verify the redundant WAN link configuration, enter the show backup command to display the backup interface and its status for each primary interface.
Router# show backup
Primary Interface Secondary Interface Status
----------------- ------------------- ------
Multilink1 ATM0/2/IMA0 normal operation
IP Addressing and IP Routing
 • Routing Protocol Implementation
 • Quality of Service Implementation
Routing Protocol Implementation
A branch office router is likely to use a single routing protocol. However, because a network may use EIGRP, OSPF, RIPv2, BGP or static routing, all of these protocols were independently validated. The following configurations are for each of the protocols. Table 1 summarizes the subnets in the Streamlined Small Branch Network.
The Streamlined Small Branch Network provides direct access to the Internet through split tunneling. Various combinations of WAN services and VPN technologies lead to several different options for implementing the split tunnel mechanism. In WAN implementations where the network service provider is responsible for routing (for example, Layer 3 VPN [L3VPN]), split tunneling can be provided on the primary link and the backup link can be set to standby state. The implementation options vary slightly for GETVPN and DMVPN. In WAN implementations where the enterprise is responsible for routing, split tunneling can be provided on the backup link by maintaining it in an active state. Again, there is a slight variation between GETVPN and DMVPN implementations.
Active/Standby Primary/Backup WAN Links with DMVPN Implementation
The secondary WAN interface must be configured as the backup interface for the primary WAN link.
Router(config)# interface Multilink1 ! Enters multilink interface configuration mode
 
   Router(config-if)# backup interface ATM0/2/IMA0 ! Specifies backup interface
 
   Router(config-if)# exit
A loopback interface with a public address is used as the source interface for the DMVPN tunnel.
Router(config)# interface Loopback0 ! Enters loopback interface configuration mode
 
   Router(config-if)# ip address 209.165.201.9 255.255.255.252 ! Specifies loopback subnet
 
   Router(config-if)# exit
The "DMVPN Implementation" section provides configuration for the tunnel interface. After the tunnel interface is defined, two routing processes are configured: one for the enterprise network, and another for the public network. The following sections provide implementations in which OSPF, EIGRP, and RIPv2 provide routing for enterprise traffic in which BGP is responsible for routing public traffic.
Enterprise Routing With OSPF
Enterprise networks are learned through the tunnel interface.
Router(config)# router ospf 1 ! Enables private network OSPF routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Suppresses OSPF hellos on the 
LAN interface so no adjacency can form there; the LAN subnets are still advertised
 
   Router(config-router)# router-id 10.0.0.1 ! Specifies the OSPF router ID
Router(config-router)# network 10.0.0.0 0.0.0.255 area 0 ! Advertises Data VLAN subnet in 
backbone area
 
   Router(config-router)# network 10.0.1.0 0.0.0.255 area 0 ! Advertises Voice VLAN subnet in 
backbone area
 
   Router(config-router)# network 10.0.2.0 0.0.0.31 area 0 ! Advertises Management VLAN subnet in backbone area
Router(config-router)# network 10.0.2.64 0.0.0.15 area 0 ! Advertises DMZ VLAN subnet in backbone area
Router(config-router)# network 10.0.2.80 0.0.0.3 area 0 ! Advertises Tunnel subnet in backbone area
Router(config-router)# network 10.0.2.88 0.0.0.3 area 0 ! Advertises WAAS subnet in backbone area
Router(config-router)# exit
 
   Enterprise Routing with EIGRP
Enterprise networks are learned through the tunnel interface.
Router(config)# router eigrp 1 ! Enables private network EIGRP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Suppresses EIGRP hellos on the 
LAN interface so no adjacency can form there; the LAN subnets are still advertised
 
   Router(config-router)# no auto-summary ! Disable automatic route summarization
Router(config-router)# network 10.0.0.0 0.0.0.255 ! Advertises Data VLAN subnet
 
   Router(config-router)# network 10.0.1.0 0.0.0.255 ! Advertises Voice VLAN subnet
 
   Router(config-router)# network 10.0.2.0 0.0.0.31 ! Advertises Management VLAN subnet
Router(config-router)# network 10.0.2.64 0.0.0.15 ! Advertises DMZ VLAN subnet
Router(config-router)# network 10.0.2.80 0.0.0.3 ! Advertises Tunnel subnet
Router(config-router)# network 10.0.2.88 0.0.0.3 ! Advertises WAAS subnet
Router(config-router)# exit
 
   Enterprise Routing with RIPv2
Enterprise networks are learned through the tunnel interface.
Router(config)# router rip ! Enables private network RIP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Stops RIP updates from being 
sent out the LAN interface; the LAN subnets are still advertised
 
   Router(config-router)# no auto-summary ! Disable automatic route summarization
Router(config-router)# version 2 ! Enable RIP version 2
Router(config-router)# network 10.0.0.0 ! Advertises all branch subnets
 
   Router(config-router)# exit
 
   Service Provider Routing with BGP
The BGP routing process is responsible for establishing the tunnel link by advertising the loopback network. In default BGP configuration, the router learns public routes advertised by the PE or ISP router. A large routing table would slow down the destination network lookup process. In general, network service providers should not advertise Internet routes to the branch network, but in case this happens, an access list is defined to exclude public routes.
Router(config)# access-list 20 permit 209.165.201.8 0.0.0.3 ! Permits the Loopback network; the implicit deny at the end blocks all others
Router(config)# router bgp 1 ! Enables public and loopback network BGP routing process
! BGP peers only with the neighbors configured below, so no passive-interface statement is needed (the command does not exist under router bgp)
Router(config-router)# neighbor 192.168.0.2 remote-as 65015 ! Neighbor router IP for primary link, in autonomous system 65015
Router(config-router)# neighbor 209.165.201.2 remote-as 65016 ! Neighbor router IP for backup link, in autonomous system 65016
Router(config-router)# network 192.168.0.0 mask 255.255.255.252 ! Advertises primary WAN link subnet
Router(config-router)# network 209.165.201.0 mask 255.255.255.252 ! Advertises backup WAN link subnet
Router(config-router)# network 209.165.201.8 mask 255.255.255.252 ! Advertises Loopback subnet
Router(config-router)# distribute-list 20 in ! Blocks all inbound routing updates except the Loopback network
Router(config-router)# exit
 
Finally, static routes direct traffic to the public network. Both default routes carry the default administrative distance, so they do not fail over by distance; the design relies on the backup interface being held in standby while the primary WAN link is up, so only the route through 192.168.0.2 is installed, and the route through 209.165.201.2 takes over once the backup interface comes up after a primary failure. If both interfaces were up at the same time, IOS would install both routes and load-share across them.
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.2 ! Default route via the primary WAN link
Router(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2 ! Default route via the backup WAN link (installed only while the backup interface is up)
Active/Standby Primary/Backup WAN Links with GETVPN on Primary Link and DMVPN on Backup Link Implementation
Because GETVPN is a tunnel-less protocol, it is used only on the primary WAN link. Because DMVPN is used for the backup link, the tunnel interface is needed only when the primary link fails. All enterprise network information is advertised over the primary link. Since this link also routes public traffic, it may insert public routes into the routing table. To prevent this situation, the following ACL is defined to allow only enterprise networks in the routing table.
Router(config)# access-list 10 permit 172.16.0.0 0.0.255.255 ! Permits all Enterprise networks
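The following is an added example, not code from the design guide: a small Python model of how IOS evaluates a standard access list when it is used as an inbound `distribute-list`. It reproduces the wildcard-mask test (a 1 bit in the wildcard is a don't-care bit), parses the page's two filters (ACL 10 above and ACL 20 from the BGP sections), and runs them against a constructed set of candidate prefixes. The candidate prefixes are made up for the demonstration.

```python
"""Standard-ACL route filter, as a model of `distribute-list <acl> in`.

Added example, not part of the Cisco design guide. The ACL text is the
page's own two lists with the CLI prompts stripped; the candidate
prefixes are constructed for the demonstration."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <base> [<wildcard>]' lines.

    Returns {acl_name: [(action, base, wildcard), ...]} in list order.
    Handles the 'any' and 'host' shorthands as well as explicit wildcards."""
    acls = {}
    for line in lines:
        parts = line.split("!")[0].split()          # drop trailing ! comments
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        name, action, base = parts[1], parts[2], parts[3]
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif base == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(name, []).append((action, base, wildcard))
    return acls


def acl_permits(entries, prefix: str) -> bool:
    """A standard ACL used as a distribute-list tests only the route's
    network address: first matching entry wins, implicit deny at the end."""
    network = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, base, wildcard in entries:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def filter_routes(acl_text: str, acl_name: str, prefixes):
    """Return {prefix: accepted?} for each candidate prefix."""
    entries = parse_standard_acl(acl_text.splitlines())[acl_name]
    return {p: acl_permits(entries, p) for p in prefixes}


# The page's two filters, prompts removed.
ACL_TEXT = """
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 20 permit 209.165.201.8 0.0.0.3
"""

# Constructed candidates: enterprise, branch-local, loopback and Internet prefixes.
CANDIDATES = ["172.16.0.0/24", "172.16.200.0/24", "10.0.0.0/24",
              "209.165.201.8/30", "209.165.201.0/30", "8.8.8.0/24"]

if __name__ == "__main__":
    for name in ("10", "20"):
        for prefix, ok in filter_routes(ACL_TEXT, name, CANDIDATES).items():
            print(f"distribute-list {name} in: {prefix:18} {'accept' if ok else 'drop'}")
```

Because a standard ACL tests only the network address, ACL 20 also admits a 209.165.201.8/29 or /32 route; if the prefix length matters, use an `ip prefix-list` with `distribute-list prefix` instead.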
Enterprise Routing with OSPF
Enterprise networks are learned through the primary WAN interface.
Router(config)# router ospf 1 ! Enables private network OSPF routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# router-id 10.0.0.1 ! Specifies the OSPF router ID
Router(config-router)# network 10.0.0.0 0.0.0.255 area 0 ! Advertises Data VLAN subnet in backbone area
Router(config-router)# network 10.0.1.0 0.0.0.255 area 0 ! Advertises Voice VLAN subnet in backbone area
Router(config-router)# network 10.0.2.0 0.0.0.31 area 0 ! Advertises Management VLAN subnet in backbone area
Router(config-router)# network 10.0.2.64 0.0.0.15 area 0 ! Advertises DMZ VLAN subnet in backbone area
Router(config-router)# network 10.0.2.80 0.0.0.3 area 0 ! Advertises Tunnel subnet in backbone area
Router(config-router)# network 10.0.2.88 0.0.0.3 area 0 ! Advertises WAAS subnet in backbone area
Router(config-router)# network 192.168.0.0 0.0.0.3 area 0 ! Advertises primary WAN link subnet in the backbone area
Router(config-router)# distribute-list 10 in ! Keeps non-enterprise routes out of the routing table (for OSPF this filters RIB installation, not the link-state database)
Router(config-router)# exit
 
Enterprise Routing with EIGRP
Enterprise networks are learned through the primary WAN interface.
Router(config)# router eigrp 1 ! Enables private network EIGRP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# no auto-summary ! Disables automatic route summarization
Router(config-router)# network 10.0.0.0 0.0.0.255 ! Advertises Data VLAN subnet
Router(config-router)# network 10.0.1.0 0.0.0.255 ! Advertises Voice VLAN subnet
Router(config-router)# network 10.0.2.0 0.0.0.31 ! Advertises Management VLAN subnet
Router(config-router)# network 10.0.2.64 0.0.0.15 ! Advertises DMZ VLAN subnet
Router(config-router)# network 10.0.2.80 0.0.0.3 ! Advertises Tunnel subnet
Router(config-router)# network 10.0.2.88 0.0.0.3 ! Advertises WAAS subnet
Router(config-router)# network 192.168.0.0 0.0.0.3 ! Advertises primary WAN link subnet
Router(config-router)# distribute-list 10 in ! Blocks all non-enterprise (Internet) routing updates
Router(config-router)# exit
 
Enterprise Routing with RIPv2
Enterprise networks are learned through the primary WAN interface.
Router(config)# router rip ! Enables private network RIP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# no auto-summary ! Disables automatic route summarization
Router(config-router)# version 2 ! Enables RIP version 2
Router(config-router)# network 10.0.0.0 ! Advertises all branch subnets (classful network statement)
Router(config-router)# network 192.168.0.0 ! Advertises primary WAN link subnet
Router(config-router)# distribute-list 10 in ! Blocks all non-enterprise (Internet) routing updates
Router(config-router)# exit
 
   Service Provider Routing with BGP
The BGP routing process is responsible for establishing the tunnel link by advertising the loopback network. In the default BGP configuration, the router learns public routes that are advertised by the ISP router. A large routing table would slow down the destination network lookup process. In general, network service providers should not advertise Internet routes to the branch network; an access list should be defined to exclude public routes.
Router(config)# access-list 20 permit 209.165.201.8 0.0.0.3 ! Permits the Loopback network; the implicit deny at the end blocks all others
Router(config)# router bgp 1 ! Enables public and loopback network BGP routing process
! BGP peers only with the neighbor configured below, so no passive-interface statement is needed (the command does not exist under router bgp)
Router(config-router)# neighbor 209.165.201.2 remote-as 65016 ! Neighbor router IP for backup link, in autonomous system 65016
Router(config-router)# network 209.165.201.0 mask 255.255.255.252 ! Advertises backup WAN link subnet
Router(config-router)# network 209.165.201.8 mask 255.255.255.252 ! Advertises Loopback subnet
Router(config-router)# distribute-list 20 in ! Blocks all inbound routing updates except the Loopback network
Router(config-router)# exit
 
Finally, static routes direct traffic to the public network. As in the DMVPN Active/Standby case, both default routes carry the default administrative distance; the primary route is the only one installed while the backup interface is in standby, and the backup route takes over when the backup interface comes up after a primary failure.
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.2 ! Default route via the primary WAN link
Router(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2 ! Default route via the backup WAN link (installed only while the backup interface is up)
Active/Active Primary/Backup WAN Link with DMVPN Implementation
The primary function of the backup interface in the Streamlined Small Branch Network is to provide an alternate path in case the primary link fails. When the primary WAN interface is operational, the backup interface is in standby mode. However, for purposes of split tunneling, the interface can be kept in active state and provide access to the Internet, because it is a direct connection.
Again, there are two routing processes, one for enterprise traffic and one for public traffic. The routing is similar to the Active/Standby DMVPN configuration: BGP is expected to select the primary link as the best path to the central site, and the tunnel automatically moves to the backup link when the primary fails. To prevent the Internet path from ever appearing cheaper than the primary link for the central site loopback, static routes with different administrative distances are defined for that address. The only other difference is the default route: non-enterprise traffic must be directed out over the backup link.
Enterprise Routing with OSPF
Enterprise networks are learned through the tunnel interface.
Router(config)# router ospf 1 ! Enables private network OSPF routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# router-id 10.0.0.1 ! Specifies the OSPF router ID
Router(config-router)# network 10.0.0.0 0.0.0.255 area 0 ! Advertises Data VLAN subnet in backbone area
Router(config-router)# network 10.0.1.0 0.0.0.255 area 0 ! Advertises Voice VLAN subnet in backbone area
Router(config-router)# network 10.0.2.0 0.0.0.31 area 0 ! Advertises Management VLAN subnet in backbone area
Router(config-router)# network 10.0.2.64 0.0.0.15 area 0 ! Advertises DMZ VLAN subnet in backbone area
Router(config-router)# network 10.0.2.80 0.0.0.3 area 0 ! Advertises Tunnel subnet in backbone area
Router(config-router)# network 10.0.2.88 0.0.0.3 area 0 ! Advertises WAAS subnet in backbone area
Router(config-router)# exit
 
Enterprise Routing with EIGRP
Enterprise networks are learned through the tunnel interface.
Router(config)# router eigrp 1 ! Enables private network EIGRP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# no auto-summary ! Disables automatic route summarization
Router(config-router)# network 10.0.0.0 0.0.0.255 ! Advertises Data VLAN subnet
Router(config-router)# network 10.0.1.0 0.0.0.255 ! Advertises Voice VLAN subnet
Router(config-router)# network 10.0.2.0 0.0.0.31 ! Advertises Management VLAN subnet
Router(config-router)# network 10.0.2.64 0.0.0.15 ! Advertises DMZ VLAN subnet
Router(config-router)# network 10.0.2.80 0.0.0.3 ! Advertises Tunnel subnet
Router(config-router)# network 10.0.2.88 0.0.0.3 ! Advertises WAAS subnet
Router(config-router)# exit
 
Enterprise Routing with RIPv2
Enterprise networks are learned through the tunnel interface.
Router(config)# router rip ! Enables private network RIP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# no auto-summary ! Disables automatic route summarization
Router(config-router)# version 2 ! Enables RIP version 2
Router(config-router)# network 10.0.0.0 ! Advertises all branch subnets (classful network statement)
Router(config-router)# exit
 
   Service Provider Routing with BGP
The BGP routing process is responsible for establishing the tunnel link by advertising the loopback network. In the default BGP configuration, the router learns public routes that are advertised by the PE or ISP router. A large routing table would slow down the destination network lookup process. In general, network service providers should not advertise Internet routes to the branch network; an access list should be defined to exclude public routes.
Router(config)# access-list 20 permit 209.165.201.8 0.0.0.3 ! Permits the Loopback network; the implicit deny at the end blocks all others
Router(config)# router bgp 1 ! Enables public and loopback network BGP routing process
! BGP peers only with the neighbors configured below, so no passive-interface statement is needed (the command does not exist under router bgp)
Router(config-router)# neighbor 192.168.0.2 remote-as 65015 ! Neighbor router IP for primary link, in autonomous system 65015
Router(config-router)# neighbor 209.165.201.2 remote-as 65016 ! Neighbor router IP for backup link, in autonomous system 65016
Router(config-router)# network 192.168.0.0 mask 255.255.255.252 ! Advertises primary WAN link subnet
Router(config-router)# network 209.165.201.0 mask 255.255.255.252 ! Advertises backup WAN link subnet
Router(config-router)# network 209.165.201.8 mask 255.255.255.252 ! Advertises Loopback subnet
Router(config-router)# distribute-list 20 in ! Blocks all inbound routing updates except the Loopback network
Router(config-router)# exit
 
Finally, static routes direct traffic to the public network. In this Active/Active design the backup link carries the default route at the default administrative distance of 1, so Internet-bound traffic leaves over the backup link while both links are up; the default route via the primary link is a floating static route with administrative distance 250 and is installed only if the backup route is withdrawn. A second pair of static routes does the reverse for the central site loopback address, so the DMVPN tunnel is built over the primary link while it is up and falls back to the backup link when the primary fails.
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.2 250 ! Floating default route via the primary WAN link (administrative distance 250, used only if the backup route is withdrawn)
Router(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2 ! Default route via the backup WAN link (administrative distance 1, preferred while the backup link is up)
Router(config)# ip route 209.165.201.10 255.255.255.255 192.168.0.2 ! Reaches the central site Loopback over the primary WAN link (administrative distance 1, preferred)
Router(config)# ip route 209.165.201.10 255.255.255.255 209.165.201.2 250 ! Floating route to the central site Loopback via the backup WAN link, used only when the primary route is withdrawn
Active/Active Primary/Backup WAN Links with GETVPN on Primary Link and DMVPN on Backup Link Implementation
As with the Active/Active DMVPN configuration, this implementation differs from the Active/Standby GETVPN and DMVPN implementation only in how traffic to the central site loopback and to the public network is steered: the tunnel interface is tied to the primary interface as its backup, and the default route is moved to the backup link.
Router(config)# access-list 10 permit 172.16.0.0 0.0.255.255 ! Permits all Enterprise networks
Enterprise Routing with OSPF
Enterprise networks are learned through the primary WAN interface.
Router(config)# router ospf 1 ! Enables private network OSPF routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# router-id 10.0.0.1 ! Specifies the OSPF router ID
Router(config-router)# network 10.0.0.0 0.0.0.255 area 0 ! Advertises Data VLAN subnet in backbone area
Router(config-router)# network 10.0.1.0 0.0.0.255 area 0 ! Advertises Voice VLAN subnet in backbone area
Router(config-router)# network 10.0.2.0 0.0.0.31 area 0 ! Advertises Management VLAN subnet in backbone area
Router(config-router)# network 10.0.2.64 0.0.0.15 area 0 ! Advertises DMZ VLAN subnet in backbone area
Router(config-router)# network 10.0.2.80 0.0.0.3 area 0 ! Advertises Tunnel subnet in backbone area
Router(config-router)# network 10.0.2.88 0.0.0.3 area 0 ! Advertises WAAS subnet in backbone area
Router(config-router)# network 192.168.0.0 0.0.0.3 area 0 ! Advertises primary WAN link subnet in the backbone area
Router(config-router)# distribute-list 10 in ! Keeps non-enterprise routes out of the routing table (for OSPF this filters RIB installation, not the link-state database)
Router(config-router)# exit
 
Enterprise Routing with EIGRP
Enterprise networks are learned through the primary WAN interface.
Router(config)# router eigrp 1 ! Enables private network EIGRP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# no auto-summary ! Disables automatic route summarization
Router(config-router)# network 10.0.0.0 0.0.0.255 ! Advertises Data VLAN subnet
Router(config-router)# network 10.0.1.0 0.0.0.255 ! Advertises Voice VLAN subnet
Router(config-router)# network 10.0.2.0 0.0.0.31 ! Advertises Management VLAN subnet
Router(config-router)# network 10.0.2.64 0.0.0.15 ! Advertises DMZ VLAN subnet
Router(config-router)# network 10.0.2.80 0.0.0.3 ! Advertises Tunnel subnet
Router(config-router)# network 10.0.2.88 0.0.0.3 ! Advertises WAAS subnet
Router(config-router)# network 192.168.0.0 0.0.0.3 ! Advertises primary WAN link subnet
Router(config-router)# distribute-list 10 in ! Blocks all non-enterprise (Internet) routing updates
Router(config-router)# exit
 
Enterprise Routing with RIPv2
Enterprise networks are learned through the primary WAN interface.
Router(config)# router rip ! Enables private network RIP routing process
Router(config-router)# passive-interface FastEthernet0/1 ! Disables routing advertisements on the LAN interface
Router(config-router)# no auto-summary ! Disables automatic route summarization
Router(config-router)# version 2 ! Enables RIP version 2
Router(config-router)# network 10.0.0.0 ! Advertises all branch subnets (classful network statement)
Router(config-router)# network 192.168.0.0 ! Advertises primary WAN link subnet
Router(config-router)# distribute-list 10 in ! Blocks all non-enterprise (Internet) routing updates
Router(config-router)# exit
 
   Service Provider Routing with BGP
The BGP routing process is responsible for establishing the tunnel link by advertising the loopback network. In the default BGP configuration, the router learns public routes advertised by the ISP router. In general, network service providers should not advertise Internet routes to the branch network; an access list should be defined to exclude public routes.
Router(config)# access-list 20 permit 209.165.201.8 0.0.0.3 ! Permits the Loopback network; the implicit deny at the end blocks all others
Router(config)# router bgp 1 ! Enables public and loopback network BGP routing process
! BGP peers only with the neighbor configured below, so no passive-interface statement is needed (the command does not exist under router bgp)
Router(config-router)# neighbor 209.165.201.2 remote-as 65016 ! Neighbor router IP for backup link, in autonomous system 65016
Router(config-router)# network 209.165.201.0 mask 255.255.255.252 ! Advertises backup WAN link subnet
Router(config-router)# network 209.165.201.8 mask 255.255.255.252 ! Advertises Loopback subnet
Router(config-router)# distribute-list 20 in ! Blocks all inbound routing updates except the Loopback network
Router(config-router)# exit
 
   There is a possibility that the tunnel link has a lower cost to the central site than the primary WAN link. To prevent traffic from being sent over the tunnel link when the WAN link is available, the tunnel interface is defined as backup for the primary WAN interface.
Router(config)# interface Multilink1 ! Enters multilink interface configuration mode
Router(config-if)# backup interface Tunnel1 ! Specifies backup interface
Router(config-if)# exit
 
Finally, static routes direct traffic to the public network. As in the Active/Active DMVPN design, the backup link carries the default route at the default administrative distance of 1, so Internet-bound traffic leaves over the backup link while it is up; the default route via the primary link is a floating static route with administrative distance 250 and is installed only if the backup route is withdrawn.
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.2 250 ! Floating default route via the primary WAN link (administrative distance 250, used only if the backup route is withdrawn)
Router(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2 ! Default route via the backup WAN link (administrative distance 1, preferred while the backup link is up)
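The following is an added example, not code from the design guide, serving both this section and the Active/Active DMVPN section above: a Python model of how IOS chooses between static routes to the same destination by administrative distance, where a route is a candidate only while the interface that reaches its next hop is up. It loads the four `ip route` statements of the Active/Active DMVPN section and reports the next hop for an Internet destination and for the central site loopback with both links up and with the primary failed. The next-hop-to-interface mapping and the Internet test address are assumptions made for the demonstration.

```python
"""Floating-static-route model for the Active/Active WAN designs.

Added example, not part of the Cisco design guide. Routes are the four
`ip route` lines of the Active/Active DMVPN section; the interface
names behind each next hop are an assumption."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: str        # destination, e.g. "0.0.0.0/0"
    next_hop: str
    distance: int = 1  # IOS default administrative distance for a static route


# Assumed mapping: 192.168.0.2 is the primary-link peer (Multilink1),
# 209.165.201.2 the backup-link peer (ATM0/2/IMA0.1), as in the BGP neighbors.
NEXT_HOP_INTERFACE = {"192.168.0.2": "Multilink1", "209.165.201.2": "ATM0/2/IMA0.1"}

ROUTES = [
    StaticRoute("0.0.0.0/0", "192.168.0.2", 250),          # floating default via primary
    StaticRoute("0.0.0.0/0", "209.165.201.2"),             # default via backup, AD 1
    StaticRoute("209.165.201.10/32", "192.168.0.2"),       # hub loopback via primary, AD 1
    StaticRoute("209.165.201.10/32", "209.165.201.2", 250),  # floating via backup
]


def routing_table(routes, up_interfaces):
    """Best installed route per prefix: lowest administrative distance among
    the routes whose next-hop interface is up. Returns {prefix: next_hop}."""
    best = {}
    for r in routes:
        if NEXT_HOP_INTERFACE[r.next_hop] not in up_interfaces:
            continue  # next hop unreachable: the candidate stays out of the RIB
        if r.prefix not in best or r.distance < best[r.prefix].distance:
            best[r.prefix] = r
    return {p: r.next_hop for p, r in best.items()}


def lookup(table, destination):
    """Longest-prefix match over the installed routes."""
    dst = ipaddress.IPv4Address(destination)
    match = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, next_hop)
    return match[1] if match else None


def next_hop_for(destination, up_interfaces):
    return lookup(routing_table(ROUTES, up_interfaces), destination)


if __name__ == "__main__":
    both = {"Multilink1", "ATM0/2/IMA0.1"}
    backup_only = {"ATM0/2/IMA0.1"}
    internet = "198.51.100.7"  # constructed test destination (documentation range)
    print("both links up:  Internet ->", next_hop_for(internet, both),
          " hub loopback ->", next_hop_for("209.165.201.10", both))
    print("primary failed: Internet ->", next_hop_for(internet, backup_only),
          " hub loopback ->", next_hop_for("209.165.201.10", backup_only))
```

The model withdraws a route as soon as its interface is down, which is what happens on the router when the next hop sits on a directly connected subnet that goes away. A failure beyond the first hop that leaves the interface up does not withdraw the route, which is the usual reason to attach an IP SLA probe with `track` to the primary-link routes.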
Multicast Implementation
Previous sections showed how PIM is enabled on each interface; multicast forwarding must also be enabled globally.
Router(config)# ip multicast-routing ! Enables multicast routing
 
Multicast Verification
To verify your multicast configuration, enter the following command:
Router# show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable
Neighbor          Interface      Uptime/Expires       Ver   DR
Address                                                     Prio/Mode
192.168.0.1       Multilink1     00:00:16/00:01:27    v2    1 / S P
Router#
DHCP Implementation
Addresses were dynamically assigned for the data and voice VLAN devices. The DMZ server used static addressing. The DHCP server should be implemented on the router that is configured as active for voice traffic.
Router(config)# ip dhcp excluded-address 10.0.1.1 10.0.1.10 ! Specifies addresses excluded from DHCP assignment
Router(config)# ip dhcp excluded-address 10.0.1.245 10.0.1.254 ! Specifies addresses excluded from DHCP assignment
Router(config)# ip dhcp pool IP-PHONES ! Specifies the DHCP pool for IP phones
Router(dhcp-config)# network 10.0.1.0 255.255.255.0 ! Specifies the DHCP address range
Router(dhcp-config)# default-router 10.0.1.3 ! Specifies the HSRP virtual address as the default gateway
Router(dhcp-config)# option 150 ip 10.0.0.2 ! Specifies the TFTP server from which the phones load their configuration
Router(dhcp-config)# lease 30 ! Sets the lease duration to 30 days
Router(dhcp-config)# exit
Router(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.30 ! Specifies addresses excluded from DHCP assignment
Router(config)# ip dhcp excluded-address 10.0.0.245 10.0.0.254 ! Specifies addresses excluded from DHCP assignment
Router(config)# ip dhcp pool PCS ! Specifies the DHCP pool for PCs
Router(dhcp-config)# network 10.0.0.0 255.255.255.0 ! Specifies the DHCP address range
Router(dhcp-config)# default-router 10.0.0.3 ! Specifies the HSRP virtual address as the default gateway
Router(dhcp-config)# exit
Router(config)# service dhcp ! Enables the DHCP server (on by default; shown for completeness)
DHCP Verification
To verify your DHCP configuration, enter the show ip dhcp binding command to display the IP address details leased by the DHCP server.
Router# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address       Client-ID/              Lease expiration    Type
                 Hardware address/
                 User name
10.0.1.26        0100.1e4a.a8e5.e1       Infinite            Automatic
10.0.1.29        0100.5060.0387.20       Infinite            Automatic
Router#
NAT Implementation
Internet-bound traffic from the data VLAN is translated to the address of the backup interface. The standard ACL limits translation to the data VLAN subnet, so voice, management and DMZ hosts are not given Internet access through NAT, and enterprise traffic that leaves through the tunnel is untouched because the tunnel interface is not marked as a NAT outside interface.
Router(config)# ip access-list standard NAT-BRANCH ! Defines standard ACL that selects traffic for translation
Router(config-std-nacl)# permit 10.0.0.0 0.0.0.255 ! Data VLAN subnet only
Router(config-std-nacl)# exit
Router(config)# ip nat translation tcp-timeout 300 ! Specifies the idle timeout for TCP translations, in seconds
Router(config)# ip nat inside source list NAT-BRANCH interface ATM0/2/IMA0.1 overload ! Enables NAT for traffic that matches the ACL (inside local) and translates the source address to the backup interface address (inside global), using port overload (PAT)
Router(config)# interface FastEthernet0/1.1 ! Enters the data VLAN subinterface configuration mode
Router(config-subif)# ip nat inside ! Specifies the interface as connected to the inside network
Router(config-subif)# exit
Router(config)# interface ATM0/2/IMA0.1 ! Enters the backup subinterface configuration mode
Router(config-subif)# ip nat outside ! Specifies the interface as connected to the outside network
Router(config-subif)# exit
 
   NAT Verification
To verify your NAT configuration, enter the following command:
Router# show ip nat translations
Pro  Inside global       Inside local        Outside local         Outside global
tcp  10.0.0.15:2140      10.0.0.15:2140      201.165.201.1:2000    201.165.201.1:2000
Router#
Quality of Service Implementation
Quality of service (QoS) identifies business-critical traffic and ensures that appropriate bandwidth and network resources are allocated according to a classification scheme. QoS includes classification of different traffic types, marking specific fields in Layer 2 or Layer 3 headers, prioritizing the traffic based on the marked field, and dropping unwanted traffic.
Eight-Class QoS was configured to match traffic based on NBAR protocol classification or on Layer 2 or Layer 3 header information, and a different level of service is provided for each matched class. The scheme also inspects incoming LAN traffic for a small set of worm signatures and drops matches. A parent policy map shapes the outgoing traffic to the rate contracted with the service provider, and a child policy map is applied to the shaping queue. Note that the worm matching is a traffic-hygiene measure, not an intrusion prevention system: the NBAR URL matches see only cleartext HTTP, and the port and length signatures identify specific historical worms (Code Red, Nimda, SQL Slammer, Sasser).
Router(config)# ip access-list extended ACL-FTP ! Defines extended ACL to identify traffic from a local FTP server
Router(config-ext-nacl)# permit ip host 10.0.0.4 any
Router(config-ext-nacl)#exit
 
! Defines two extended access lists (101 and 102) to classify PCs running enterprise applications
 
   Router(config)# access-list 101 permit ip host 10.0.0.5 host 172.16.0.30
Router(config)# access-list 101 permit ip host 10.0.0.6 host 172.16.0.30
Router(config)# access-list 102 permit ip host 10.0.0.7 any
Router(config)# access-list 102 permit ip host 10.0.0.8 any
Router(config)# access-list 102 permit ip host 10.0.0.9 any
Router(config)# access-list 102 permit ip host 10.0.0.10 any
Router(config)# ip nbar port-map custom-02 udp 1434 ! Customizes NBAR protocol to match UDP port 1434, used by the SQL Slammer (Sapphire) worm
Router(config)# ip nbar port-map custom-03 tcp 5554 9996 ! Customizes NBAR protocol to match TCP ports 5554 and 9996, used by the Sasser worm
Router(config)# ip nbar port-map custom-04 tcp 445 ! Customizes NBAR protocol to match TCP port 445, used by Microsoft SMB for file sharing
 
Router(config)# class-map match-all SQL-SLAMMER ! Defines class map for SQL Slammer traffic; match-all requires every match statement to be true
Router(config-cmap)# match protocol custom-02 ! Matches traffic with the port number in custom-02
Router(config-cmap)# match packet length min 404 max 404 ! Matches packets of exactly 404 bytes (the worm's 376-byte UDP payload plus UDP and IP headers)
Router(config-cmap)# exit
Router(config)# class-map match-any WORMS ! Defines class map for unwanted traffic; match-any matches if any statement is true
Router(config-cmap)# match protocol http url "*.ida*" ! Matches HTTP requests with .ida in the URL (Code Red)
Router(config-cmap)# match protocol http url "*cmd.exe*" ! Matches HTTP requests with cmd.exe in the URL (Code Red II, Nimda)
Router(config-cmap)# match protocol http url "*root.exe*" ! Matches HTTP requests with root.exe in the URL (Code Red II, Nimda)
Router(config-cmap)# match protocol http url "*readme.eml*" ! Matches HTTP requests with readme.eml in the URL (Nimda)
Router(config-cmap)# match class-map SQL-SLAMMER ! Matches the SQL Slammer worm signature
Router(config-cmap)# match protocol custom-03 ! Matches the Sasser worm signature
Router(config-cmap)# exit
Router(config)# class-map match-any VOICE ! Defines class map for voice traffic
Router(config-cmap)# match ip dscp ef ! Matches traffic with DSCP set to EF
Router(config-cmap)# exit
Router(config)# class-map match-all INTERACTIVE-VIDEO ! Defines class map for interactive video traffic
Router(config-cmap)# match ip dscp af41 af42 ! Matches traffic with DSCP set to AF41 or AF42
Router(config-cmap)# exit
Router(config)# class-map match-all SCAVENGER ! Defines class map for scavenger traffic
Router(config-cmap)# match ip dscp cs1 ! Matches traffic with DSCP set to CS1
Router(config-cmap)# exit
Router(config)# class-map match-any MISSION-CRITICAL ! Defines class map for mission-critical traffic
Router(config-cmap)# match ip dscp cs3 ! Matches traffic with DSCP set to CS3
Router(config-cmap)# match ip dscp af31 ! Matches traffic with DSCP set to AF31
Router(config-cmap)# match access-group 101 ! Matches IP traffic in ACL 101
Router(config-cmap)# match ip dscp 25 ! Matches traffic with DSCP set to 25
Router(config-cmap)# match protocol http ! Matches HTTP traffic
Router(config-cmap)# exit
Router(config)# class-map match-any INTERNETWORK-CONTROL ! Defines class map for routing control traffic
Router(config-cmap)# match ip dscp cs6 ! Matches traffic with DSCP set to CS6
Router(config-cmap)# exit
Router(config)# class-map match-any TRANSACTIONAL-DATA ! Defines class map for transactional data traffic
Router(config-cmap)# match ip dscp af21 af22 ! Matches traffic with DSCP set to AF21 or AF22
Router(config-cmap)# match access-group 102 ! Matches IP traffic in ACL 102
Router(config-cmap)# match protocol custom-04 ! Matches traffic with the port number in custom-04 (SMB)
Router(config-cmap)# exit
Router(config)# class-map match-any BULK-DATA ! Defines class map for bulk traffic
Router(config-cmap)# match ip dscp af11 af12 ! Matches traffic with DSCP set to AF11 or AF12
Router(config-cmap)# match protocol ftp ! Matches FTP traffic
Router(config-cmap)# match access-group name ACL-FTP ! Matches IP traffic in the ACL-FTP access list
Router(config-cmap)# exit
Router(config)# policy-map EIGHT-CLASS-V3PN-EDGE ! Defines the child policy map; the eight percentages below sum to 100
Router(config-pmap)# class VOICE ! Matches traffic classified by the VOICE class map
Router(config-pmap-c)# priority percent 18 ! Low-latency queue with 18% of the parent bandwidth; priority traffic is policed to this rate during congestion
Router(config-pmap-c)# class INTERACTIVE-VIDEO ! Matches traffic classified by the INTERACTIVE-VIDEO class map
Router(config-pmap-c)# priority percent 10 ! Low-latency queue with 10% of the parent bandwidth
Router(config-pmap-c)# class MISSION-CRITICAL ! Matches traffic classified by the MISSION-CRITICAL class map
Router(config-pmap-c)# bandwidth percent 25 ! Specifies a minimum bandwidth of 25% of the parent bandwidth
Router(config-pmap-c)# random-detect ! Enables WRED, which drops TCP packets selectively before the queue fills to avoid tail drop
Router(config-pmap-c)# class INTERNETWORK-CONTROL ! Matches traffic classified by the INTERNETWORK-CONTROL class map
Router(config-pmap-c)# bandwidth percent 3 ! Specifies a minimum bandwidth of 3% of the parent bandwidth
Router(config-pmap-c)# class TRANSACTIONAL-DATA ! Matches traffic classified by the TRANSACTIONAL-DATA class map
Router(config-pmap-c)# bandwidth percent 12 ! Specifies a minimum bandwidth of 12% of the parent bandwidth
Router(config-pmap-c)# random-detect ! Enables WRED for this class
Router(config-pmap-c)# class BULK-DATA ! Matches traffic classified by the BULK-DATA class map
Router(config-pmap-c)# bandwidth percent 5 ! Specifies a minimum bandwidth of 5% of the parent bandwidth
Router(config-pmap-c)# class SCAVENGER ! Matches traffic classified by the SCAVENGER class map
Router(config-pmap-c)# bandwidth percent 2 ! Specifies a minimum bandwidth of 2% of the parent bandwidth
Router(config-pmap-c)# class class-default ! Defines the default class for all remaining traffic
Router(config-pmap-c)# bandwidth percent 25 ! Specifies a minimum bandwidth of 25% of the parent bandwidth
Router(config-pmap-c)# random-detect ! Enables WRED for the default class
Router(config-pmap-c)# exit
Router(config-pmap)# exit
After creating the following two policy maps, apply them on WAN interfaces as described in the DS-3, DS-1, and Fast Ethernet interface configuration section.
Router(config)# policy-map EIGHT-CLASS-V3PN-EDGE-SHAPE ! Defines the parent policy map for the primary interface
Router(config-pmap)# class class-default ! Matches all traffic
Router(config-pmap-c)# shape average 6912000 ! Shapes outgoing traffic to 6.912 Mbps
Router(config-pmap-c)# service-policy EIGHT-CLASS-V3PN-EDGE ! Attaches the child traffic policy to the shaping queue
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map EIGHT-CLASS-V3PN-EDGE-BACKUP ! Defines the parent policy map for the backup interface
Router(config-pmap)# class class-default ! Matches all traffic
Router(config-pmap-c)# shape average 4608000 ! Shapes outgoing traffic to 4.608 Mbps
Router(config-pmap-c)# service-policy EIGHT-CLASS-V3PN-EDGE ! Attaches the child traffic policy to the shaping queue
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# map-class frame-relay FR-SHAPING ! Defines a map-class for Frame Relay traffic shaping
Router(config-map-class)# frame-relay cir 24000000 ! Sets the average (committed) rate to 24 Mbps
Router(config-map-class)# frame-relay bc 120000 ! Sets the committed burst to 120 kbit per interval, giving a shaping interval Tc of Bc/CIR = 5 ms
Router(config-map-class)# frame-relay mincir 24000000 ! Sets the minimum rate to which adaptive shaping may throttle under congestion; set equal to the CIR here, so BECNs cannot actually reduce the rate
Router(config-map-class)# frame-relay adaptive-shaping becn ! Adjusts the shaping rate in response to backward explicit congestion notifications
Router(config-map-class)# service-policy output EIGHT-CLASS-V3PN-EDGE-SHAPE ! Attaches the traffic policy to the Frame Relay shaping queue
Router(config-map-class)# exit
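The following is an added example, not code from the design guide: a Python check of the bandwidth budget behind the policy maps above. It parses the child policy's `priority percent` and `bandwidth percent` statements, verifies that they fit in 100% and that the low-latency share stays within the common one-third guideline, converts each class's share to bits per second at the two parent shaper rates, and computes the Frame Relay shaping interval from the map-class. The policy text is the page's child policy with the CLI prompts stripped; the 33% guideline is a design rule of thumb, not a value from the page.

```python
"""Bandwidth-budget check for the EIGHT-CLASS-V3PN-EDGE policy.

Added example, not part of the Cisco design guide. The policy text is
the page's child policy map without CLI prompts."""
import re

CHILD_POLICY = """
class VOICE
 priority percent 18
class INTERACTIVE-VIDEO
 priority percent 10
class MISSION-CRITICAL
 bandwidth percent 25
 random-detect
class INTERNETWORK-CONTROL
 bandwidth percent 3
class TRANSACTIONAL-DATA
 bandwidth percent 12
 random-detect
class BULK-DATA
 bandwidth percent 5
class SCAVENGER
 bandwidth percent 2
class class-default
 bandwidth percent 25
 random-detect
"""

# Parent shaper rates from the page, in bits per second.
SHAPERS = {"EIGHT-CLASS-V3PN-EDGE-SHAPE": 6_912_000,
           "EIGHT-CLASS-V3PN-EDGE-BACKUP": 4_608_000}


def parse_policy(text):
    """Return {class_name: (kind, percent)}, kind being 'priority' or 'bandwidth'."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"class (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"(priority|bandwidth) percent (\d+)$", line)
        if m and current:
            classes[current] = (m.group(1), int(m.group(2)))
    return classes


def check_budget(classes, priority_cap=33):
    """The percentages of one policy must fit in 100%; the cap on the
    low-latency (priority) share is an assumed design guideline."""
    total = sum(pct for _, pct in classes.values())
    priority = sum(pct for kind, pct in classes.values() if kind == "priority")
    return {"total_percent": total, "priority_percent": priority,
            "fits": total <= 100, "llq_within_guideline": priority <= priority_cap}


def class_rates_bps(classes, shape_bps):
    """Absolute guarantee per class at a given parent shaper rate."""
    return {name: shape_bps * pct // 100 for name, (_, pct) in classes.items()}


def frame_relay_tc_ms(cir_bps, bc_bits):
    """Shaping interval Tc = Bc / CIR, in milliseconds."""
    return bc_bits * 1000 / cir_bps


if __name__ == "__main__":
    classes = parse_policy(CHILD_POLICY)
    print(check_budget(classes))
    for name, rate in SHAPERS.items():
        print(name, class_rates_bps(classes, rate))
    print("FR-SHAPING Tc =", frame_relay_tc_ms(24_000_000, 120_000), "ms")
```

Running the check against the page's values confirms the eight shares total exactly 100% with 28% in the priority queues; on the 6.912 Mbps shaper that gives the VOICE class 1,244,160 bps, which is the rate the low-latency policer enforces under congestion.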
Router(config)# policy-map INPUT-POLICY ! Defines the policy map applied inbound on the LAN interface
Router(config-pmap)# class WORMS ! Matches traffic classified by the WORMS class map
Router(config-pmap-c)# drop ! Drops the traffic
Router(config-pmap-c)# class class-default ! Matches all remaining traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
The verification output that follows also shows a set dscp cos action under class-default, which derives the DSCP marking of LAN traffic from its Layer 2 CoS value; that statement is not reproduced in the listing above.
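The following is an added example, not code from the design guide: a Python model of the WORMS class map and the INPUT-POLICY drop action, run over constructed packets. It reproduces the match-all semantics of the nested SQL-SLAMMER class (port and exact length must both match) and the match-any semantics of WORMS, so the classification can be checked offline. The packet fields and the sample traffic are assumptions made for the demonstration.

```python
"""Model of the page's WORMS class map and INPUT-POLICY drop action.

Added example, not part of the Cisco design guide. Packet is an assumed
minimal representation; the sample traffic is constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    dport: int                      # destination port
    length: int                     # total IP length in bytes
    http_url: Optional[str] = None  # request URL, cleartext HTTP only


# `ip nbar port-map` entries from the page.
PORT_MAPS = {"custom-02": ("udp", {1434}),
             "custom-03": ("tcp", {5554, 9996}),
             "custom-04": ("tcp", {445})}


def match_protocol(pkt, name):
    proto, ports = PORT_MAPS[name]
    return pkt.proto == proto and pkt.dport in ports


def match_http_url(pkt, pattern):
    # NBAR inspects cleartext HTTP only; a TLS request never reaches this check.
    return pkt.http_url is not None and fnmatchcase(pkt.http_url, pattern)


def match_packet_length(pkt, lo, hi):
    return lo <= pkt.length <= hi


def class_sql_slammer(pkt):
    """class-map match-all SQL-SLAMMER: both statements must hold."""
    return match_protocol(pkt, "custom-02") and match_packet_length(pkt, 404, 404)


WORMS_MATCHES = [                   # class-map match-any WORMS
    lambda p: match_http_url(p, "*.ida*"),
    lambda p: match_http_url(p, "*cmd.exe*"),
    lambda p: match_http_url(p, "*root.exe*"),
    lambda p: match_http_url(p, "*readme.eml*"),
    class_sql_slammer,
    lambda p: match_protocol(p, "custom-03"),
]


def class_worms(pkt):
    return any(m(pkt) for m in WORMS_MATCHES)


def input_policy(pkt):
    """policy-map INPUT-POLICY: drop WORMS, pass everything else."""
    return "drop" if class_worms(pkt) else "forward"


# Constructed sample traffic.
SAMPLES = {
    "slammer probe": Packet("udp", 1434, 404),
    "sql monitor, wrong size": Packet("udp", 1434, 120),
    "sasser ftp backdoor": Packet("tcp", 5554, 60),
    "code red url": Packet("tcp", 80, 500, "/default.ida?NNNN"),
    "nimda url": Packet("tcp", 80, 300, "/scripts/root.exe?/c+dir"),
    "ordinary web": Packet("tcp", 80, 700, "/index.html"),
    "smb": Packet("tcp", 445, 1500),
}


def classify_all(samples=SAMPLES):
    return {name: input_policy(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:26} {verdict}")
```

The "sql monitor, wrong size" sample shows why SQL-SLAMMER is a match-all class: legitimate SQL Server browser traffic on UDP/1434 is forwarded, and only the 404-byte worm datagram is dropped. SMB on TCP/445 is forwarded because custom-04 is referenced only by the TRANSACTIONAL-DATA class, not by WORMS.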
Quality of Service Verification
To verify your QoS configuration, enter the show policy-map interface command to display the QoS policy and related traffic counters on each interface.
Router# show policy-map interface
FastEthernet0/1.1
Service-policy input: INPUT-POLICY
Class-map: WORMS (match-any)
9 packets, 594 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.ida*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*cmd.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*root.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*readme.eml*"
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-all SQL-SLAMMER
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol custom-02
Match: packet length min 404 max 404
Match: protocol custom-03
9 packets, 594 bytes
30 second rate 0 bps
drop
Class-map: class-default (match-any)
103593411 packets, 6980776240 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
dscp cos
Packets marked 103593416
FastEthernet0/1.2
Service-policy input: INPUT-POLICY
Class-map: WORMS (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.ida*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*cmd.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*root.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*readme.eml*"
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-all SQL-SLAMMER
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol custom-02
Match: packet length min 404 max 404
Match: protocol custom-03
0 packets, 0 bytes
30 second rate 0 bps
drop
Class-map: class-default (match-any)
3350613 packets, 212885188 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
dscp cos
Packets marked 3350613
FastEthernet0/1.3
Service-policy input: INPUT-POLICY
Class-map: WORMS (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.ida*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*cmd.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*root.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*readme.eml*"
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-all SQL-SLAMMER
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol custom-02
Match: packet length min 404 max 404
Match: protocol custom-03
0 packets, 0 bytes
30 second rate 0 bps
drop
Class-map: class-default (match-any)
3266743 packets, 201900728 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
dscp cos
Packets marked 3266743
FastEthernet0/0/0
Service-policy output: EIGHT-CLASS-V3PN-EDGE-SHAPE
Class-map: class-default (match-any)
86921887 packets, 11420188514 bytes
30 second offered rate 1000 bps, drop rate 0 bps
Match: any
Traffic Shaping
  Target/Average   Byte   Sustain   Excess    Interval  Increment
  Rate             Limit  bits/int  bits/int  (ms)      (bytes)
  6912000/6912000  43200  172800    172800    25        21600

  Adapt   Queue  Packets   Bytes       Packets  Bytes    Shaping
  Active  Depth                        Delayed  Delayed  Active
  -       0      85141012  2709383642  0        0        no
Service-policy : EIGHT-CLASS-V3PN-EDGE
Class-map: VOICE (match-any)
1781 packets, 206488 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
0 packets, 0 bytes
30 second rate 0 bps
Queueing
Strict Priority
Output Queue: Conversation 136
Bandwidth 14 ( %)
Bandwidth 967 (kbps) Burst 24175 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: INTERACTIVE-VIDEO (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp af41 (34) af42 (36)
Queueing
Strict Priority
Output Queue: Conversation 136
Bandwidth 6 ( %)
Bandwidth 414 (kbps) Burst 10350 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: MISSION-CRITICAL (match-any)
1181375 packets, 148873894 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs3 (24)
1181375 packets, 148873894 bytes
30 second rate 0 bps
Match: ip dscp af31 (26)
0 packets, 0 bytes
30 second rate 0 bps
Match: access-group 101
0 packets, 0 bytes
30 second rate 0 bps
Match: ip dscp 25
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Queueing
Output Queue: Conversation 137
Bandwidth 25 ( %)
Bandwidth 1728 (kbps)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
exponential weight: 9
mean queue depth: 0
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
0 0/0 0/0 0/0 20 40 1/10
1 0/0 0/0 0/0 22 40 1/10
2 0/0 0/0 0/0 24 40 1/10
3 1181305/148866418 0/0 0/0 26 40 1/10
4 0/0 0/0 0/0 28 40 1/10
5 0/0 0/0 0/0 30 40 1/10
6 0/0 0/0 0/0 32 40 1/10
7 0/0 0/0 0/0 34 40 1/10
rsvp 0/0 0/0 0/0 36 40 1/10
Class-map: INTERNETWORK-CONTROL (match-any)
1245619 packets, 176240010 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs6 (48)
1245619 packets, 176240010 bytes
30 second rate 0 bps
Queueing
Output Queue: Conversation 138
Bandwidth 3 ( %)
Bandwidth 207 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: TRANSACTIONAL-DATA (match-any)
8833287 packets, 1254893912 bytes
30 second offered rate 1000 bps, drop rate 0 bps
Match: ip dscp af21 (18) af22 (20)
8833286 packets, 1254893912 bytes
30 second rate 1000 bps
Match: access-group 102
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol custom-04
0 packets, 0 bytes
30 second rate 0 bps
Queueing
Output Queue: Conversation 139
Bandwidth 18 ( %)
Bandwidth 1244 (kbps)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
exponential weight: 9
mean queue depth: 0
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
0 0/0 0/0 0/0 20 40 1/10
1 0/0 0/0 0/0 22 40 1/10
2 8833254/1254889504 0/0 0/0 24 40 1/10
3 0/0 0/0 0/0 26 40 1/10
4 0/0 0/0 0/0 28 40 1/10
5 0/0 0/0 0/0 30 40 1/10
6 0/0 0/0 0/0 32 40 1/10
7 0/0 0/0 0/0 34 40 1/10
rsvp 0/0 0/0 0/0 36 40 1/10
Class-map: BULK-DATA (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp af11 (10) af12 (12)
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: access-group name aclftp
0 packets, 0 bytes
30 second rate 0 bps
Queueing
Output Queue: Conversation 140
Bandwidth 5 ( %)
Bandwidth 345 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: SCAVENGER (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs1 (8)
Queueing
Output Queue: Conversation 141
Bandwidth 2 ( %)
Bandwidth 138 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
75659826 packets, 9839974210 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
Output Queue: Conversation 142
Bandwidth 25 ( %)
Bandwidth 1728 (kbps)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
exponential weight: 9
mean queue depth: 0
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
0 73879122/9719111088 0/0 0/0 20 40 1/10
1 0/0 0/0 0/0 22 40 1/10
2 18/14796 0/0 0/0 24 40 1/10
3 0/0 0/0 0/0 26 40 1/10
4 0/0 0/0 0/0 28 40 1/10
5 0/0 0/0 0/0 30 40 1/10
6 0/0 0/0 0/0 32 40 1/10
7 0/0 0/0 0/0 34 40 1/10
rsvp 0/0 0/0 0/0 36 40 1/10
Virtual-Template10
Service-policy output: EIGHT-CLASS-V3PN-EDGE-BACKUP
Service policy content is displayed for cloned interfaces only such as vaccess and sessions
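The verification output above is long and the interesting counters are easy to miss by eye. As an added example (not part of the Cisco guide), the following Python script parses the counter lines of show policy-map interface and flags every interface on which the WORMS class has matched packets; since that class's action is drop, the count is the number of HTTP requests discarded for carrying a worm signature. SAMPLE is a constructed transcript abbreviated from the output on this page, and the regular expressions are assumptions about that layout (the parser ignores indentation, so it also accepts the flattened form shown above).

```python
"""Parse 'show policy-map interface' output and summarize per-class counters.

Added example, not from the Cisco guide. Records, for each interface, service
policy and class map, the class totals and rates, and reports any interface on
which the WORMS class (action: drop) has matched packets.
"""
import re

# Constructed, abbreviated transcript in the layout of the page's output.
SAMPLE = """\
FastEthernet0/1.1
  Service-policy input: INPUT-POLICY
    Class-map: WORMS (match-any)
      9 packets, 594 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.ida*"
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol custom-03
        9 packets, 594 bytes
        30 second rate 0 bps
      drop
    Class-map: class-default (match-any)
      103593411 packets, 6980776240 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
FastEthernet0/1.2
  Service-policy input: INPUT-POLICY
    Class-map: WORMS (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      drop
    Class-map: class-default (match-any)
      3350613 packets, 212885188 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
FastEthernet0/0/0
  Service-policy output: EIGHT-CLASS-V3PN-EDGE-SHAPE
    Class-map: class-default (match-any)
      86921887 packets, 11420188514 bytes
      30 second offered rate 1000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
        6912000/6912000 43200 172800 172800 25 21600
      Service-policy : EIGHT-CLASS-V3PN-EDGE
        Class-map: VOICE (match-any)
          1781 packets, 206488 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            0 packets, 0 bytes
"""

IFACE_RE = re.compile(r"^[A-Za-z][\w-]*\d[\d/.]*$")          # e.g. FastEthernet0/1.1, Virtual-Template10
POLICY_RE = re.compile(r"^Service-policy\s*(?:(input|output)\s*)?:\s*(\S+)")
CLASS_RE = re.compile(r"^Class-map: (\S+) \((match-any|match-all)\)")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")


def parse_policy_map(text):
    """Return {(interface, direction, policy, class): counters} from the show output."""
    stats = {}
    iface = policy = direction = key = None
    expect_total = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group(1):            # a nested child policy prints no direction: keep the parent's
                direction = m.group(1)
            policy = m.group(2)
            continue
        m = CLASS_RE.match(line)
        if m:
            key = (iface, direction, policy, m.group(1))
            stats[key] = {"packets": 0, "bytes": 0, "offered_bps": 0, "drop_bps": 0}
            expect_total = True
            continue
        m = COUNT_RE.match(line)
        if m:
            if key is not None and expect_total:   # first counter line after Class-map is the class total;
                stats[key]["packets"] = int(m.group(1))   # later ones belong to individual Match: lines
                stats[key]["bytes"] = int(m.group(2))
                expect_total = False
            continue
        m = RATE_RE.search(line)
        if m and key is not None:
            stats[key]["offered_bps"] = int(m.group(1))
            stats[key]["drop_bps"] = int(m.group(2))
            continue
        if IFACE_RE.match(line):
            iface, key = line, None
    return stats


def worm_hits(stats, class_name="WORMS"):
    """Interfaces on which the worm-signature class matched (and therefore dropped) packets."""
    return sorted((k[0], v["packets"]) for k, v in stats.items()
                  if k[3] == class_name and v["packets"] > 0)


def dropping_classes(stats):
    """Classes that currently show a non-zero drop rate (queue congestion in action)."""
    return sorted(k for k, v in stats.items() if v["drop_bps"] > 0)


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    print("worm hits:", worm_hits(parsed))
    print("classes dropping:", dropping_classes(parsed))
```

Feed it the saved output of the command for all interfaces; a non-empty worm_hits list on a LAN subinterface is worth correlating with the hosts behind it, and dropping_classes shows which queues of the eight-class edge policy are actually under pressure.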
Security Services Implementation
 • Infrastructure Protection Implementation
 • Access Control Implementation
 • Secure Connectivity Implementation
 • Threat Defense Detection and Mitigation Implementation
Infrastructure Protection Implementation
Securing Unused Ports
The following is an example of securing an unused port. The example applies to the access layer switch.
Switch(config)# interface g1/0/4 ! Enters configuration mode for the specified port
Switch(config-if)# switchport mode access ! Assigns the port to access mode
Switch(config-if)# switchport access vlan 333 ! Assigns the unused port to the black hole VLAN
Switch(config-if)# exit
Turning Off Unused Services
To improve the overall security of the network, Cisco IOS devices must be protected against infrastructure attacks. As a security best practice, disable any service that is not needed: such services are rarely used for legitimate purposes but can be abused to launch a denial of service (DoS) attack. The following example disables the unused services.
Router(config)# no service pad ! Disables the PAD service
Router(config)# no service udp-small-servers ! Disables the UDP small servers
Router(config)# no service tcp-small-servers ! Disables the TCP small servers
Router(config)# no ip bootp server ! Disables the BOOTP server
Router(config)# no cdp run ! Disables Cisco Discovery Protocol globally
Router(config)# no ip source-route ! Disables source routing
Router(config)# no ip classless ! Disables forwarding of packets for unrecognized subnets
Router(config)# no ip http server ! Disables the HTTP server
Router(config)# no ip http secure-server ! Disables the HTTPS server
Router(config)# no ip domain-lookup ! Disables DNS name resolution by the router
Router(config)# interface Multilink1 ! Enters interface configuration mode
Router(config-if)# no cdp enable ! Disables Cisco Discovery Protocol on the interface
Router(config-if)# no ip redirects ! Disables ICMP redirect messages
Router(config-if)# no ip proxy-arp ! Disables proxy ARP
Router(config-if)# no ip unreachables ! Disables ICMP unreachable error messages
Router(config-if)# no ip directed-broadcast ! Disables directed broadcasts
Router(config-if)# no ip mask-reply ! Disables ICMP mask reply messages
Router(config-if)# exit
The unused services can also be disabled by running Cisco AutoSecure.
Router# auto secure
Routing Protocol Security
Apply an authentication mechanism to all the WAN interfaces.
OSPF
Router(config)# interface Tunnel 1 ! Enters tunnel interface configuration mode
Router(config-if)# ip ospf authentication message-digest ! Enables MD5 routing protocol authentication
Router(config-if)# ip ospf message-digest-key 100 md5 c1$k0Sys ! Sets the key ID and the MD5 key string
Router(config-if)# exit
Router(config)# interface Multilink1 ! Enters multilink (serial bundle) interface configuration mode
Router(config-if)# ip ospf authentication message-digest ! Enables MD5 routing protocol authentication
Router(config-if)# ip ospf message-digest-key 100 md5 c1$k0Sys ! Sets the key ID and the MD5 key string
Router(config-if)# exit
EIGRP
Router(config)# key chain EIGRP-KEY ! Creates a chain of keys
Router(config-keychain)# key 1 ! Creates a key
Router(config-keychain-key)# key-string c1$k0SyS ! Sets the key value
Router(config-keychain-key)# exit
Router(config-keychain)# exit
Router(config)# interface Tunnel 1 ! Enters tunnel interface configuration mode
Router(config-if)# ip authentication mode eigrp 100 md5 ! Enables MD5 authentication for EIGRP autonomous system 100
Router(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEY ! Selects the key chain used for MD5 authentication
Router(config-if)# exit
Router(config)# interface Multilink1 ! Enters multilink (serial bundle) interface configuration mode
Router(config-if)# ip authentication mode eigrp 100 md5 ! Enables MD5 authentication for EIGRP autonomous system 100
Router(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEY ! Selects the key chain used for MD5 authentication
Router(config-if)# exit
RIPv2
Router(config)# key chain RIP-KEY ! Creates a chain of keys
Router(config-keychain)# key 1 ! Creates a key
Router(config-keychain-key)# key-string c1$k0SyS ! Sets the key value
Router(config-keychain-key)# exit
Router(config-keychain)# exit
Router(config)# interface Tunnel 1 ! Enters tunnel interface configuration mode
Router(config-if)# ip rip authentication mode md5 ! Enables MD5 routing protocol authentication
Router(config-if)# ip rip authentication key-chain RIP-KEY ! Selects the key chain used for MD5 authentication
Router(config-if)# exit
Router(config)# interface Multilink1 ! Enters multilink (serial bundle) interface configuration mode
Router(config-if)# ip rip authentication mode md5 ! Enables MD5 routing protocol authentication
Router(config-if)# ip rip authentication key-chain RIP-KEY ! Selects the key chain used for MD5 authentication
Router(config-if)# exit
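What the OSPF commands above actually buy you is worth seeing on the wire. As an added example (not part of the Cisco guide), the following Python script builds a constructed OSPF packet with AuType 2, appends the RFC 2328 Appendix D message digest using the key ID 100 and key string from the configuration, and then performs the receiver-side check: key ID lookup, digest comparison, and the non-decreasing cryptographic sequence number that rejects replayed packets. Assumptions: the key string is zero-padded to 16 bytes as RFC 2328 describes, the packet body is arbitrary filler rather than a real Hello, and the last accepted sequence number is tracked per sending router ID. Note that this mechanism authenticates and integrity-protects routing updates; it does not encrypt them.

```python
"""OSPF cryptographic (MD5) authentication, sender and receiver side.

Added example, not from the Cisco guide: demonstrates the digest that
'ip ospf authentication message-digest' adds to every OSPF packet and the
checks a neighbor applies before accepting it.
"""
import hashlib
import hmac
import struct

OSPF_HDR = struct.Struct("!BBHIIHH")  # version, type, length, router ID, area ID, checksum, AuType
AUTH_FIELD = struct.Struct("!HBBI")   # reserved, key ID, auth data length, cryptographic sequence number
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16

KEYS = {100: "c1$k0Sys"}   # key ID and key string from the OSPF configuration above
ROUTER_A = 0x0A000201      # constructed router ID (10.0.2.1)


def _padded_key(key: str) -> bytes:
    """Assumption: key truncated/zero-padded to 16 bytes, per RFC 2328 Appendix D."""
    return key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\0")


def build_packet(router_id: int, area_id: int, body: bytes, key_id: int, seq: int) -> bytes:
    """OSPF header (checksum is 0 when AuType is 2) + auth field + body, digest not yet appended."""
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)   # the digest is not counted in the length
    hdr = OSPF_HDR.pack(2, 1, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    return hdr + AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq) + body


def sign(packet: bytes, key: str) -> bytes:
    """Sender: append MD5(packet || padded key). This is what goes on the wire."""
    return packet + hashlib.md5(packet + _padded_key(key)).digest()


def verify(wire: bytes, keys: dict, last_seq: dict):
    """Receiver: return (accepted, reason); last_seq is updated only on acceptance."""
    if len(wire) < OSPF_HDR.size + AUTH_FIELD.size + DIGEST_LEN:
        return False, "too short"
    _, _, length, router_id, _, _, autype = OSPF_HDR.unpack_from(wire, 0)
    if autype != AUTYPE_CRYPTO:
        return False, "not cryptographic authentication"
    _, key_id, dlen, seq = AUTH_FIELD.unpack_from(wire, OSPF_HDR.size)
    if dlen != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
        return False, "bad length"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key ID {key_id}"
    if seq < last_seq.get(router_id, 0):
        return False, "sequence number lower than last accepted (replay)"
    packet, digest = wire[:length], wire[length:]
    expected = hashlib.md5(packet + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch (wrong key or modified packet)"
    last_seq[router_id] = seq
    return True, f"accepted seq {seq}"


def demo():
    """Exercise the four outcomes a receiver can see."""
    body = bytes(range(20))                     # constructed filler standing in for a Hello body
    wire = sign(build_packet(ROUTER_A, 0, body, 100, 1000), KEYS[100])
    state = {}
    tampered = wire[:40] + bytes([wire[40] ^ 0x01]) + wire[41:]   # flip one bit in the body
    return {
        "valid": verify(wire, KEYS, state)[0],
        "tampered": verify(tampered, KEYS, state)[0],
        "wrong_key": verify(wire, {100: "wrong"}, {})[0],
        "replayed": verify(wire, KEYS, {ROUTER_A: 1001})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The same key ID must be configured on every router of the segment, which is why the guide applies key 100 on both the tunnel and the multilink interface; a packet arriving with an unknown key ID is discarded before its digest is even computed.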
Additional Services Measures
Router(config)# line vty 0 4 ! Specifies VTY line-specific parameters
Router(config-line)# transport input ssh ! Allows only SSH connections
Router(config-line)# exit
Router(config)# ip http secure-server ! Enables the HTTPS service
Router(config)# ip http authentication aaa login-authentication default ! Uses the AAA default login method list for HTTP authentication
Verification of Additional Services Measures
To verify your additional services configuration, enter the following command.
Router# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
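Checking that every branch router still carries the hardening from the Turning Off Unused Services and Additional Services Measures sections is tedious by hand. As an added example (not part of the Cisco guide), the following Python script splits a running-config into global commands and interface or line blocks and reports which of the guide's commands are missing. SAMPLE_CONFIG is a constructed configuration with a few deliberate gaps. Assumption: IOS prints only non-default settings, so the checker looks for the literal lines the guide adds; a service that is off by default and therefore absent from the configuration text is not reported either way, and the interface checks are applied to every interface except loopbacks.

```python
"""Audit a Cisco IOS running-config against the hardening commands of this guide.

Added example, not from the Cisco guide. Reports missing global hardening
commands, missing per-interface settings, and VTY lines that accept anything
other than SSH.
"""

# Constructed running-config: Multilink1 is hardened, GigabitEthernet0/0 is not,
# 'aaa new-model' is absent, and the second VTY range still allows telnet.
SAMPLE_CONFIG = """\
version 15.1
service password-encryption
no service pad
no service udp-small-servers
no service tcp-small-servers
hostname Router
security passwords min-length 8
no ip bootp server
no ip source-route
no ip domain-lookup
no ip http server
no cdp run
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.255
!
interface Multilink1
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no cdp enable
!
interface GigabitEthernet0/0
 ip address 192.0.2.5 255.255.255.252
 no ip redirects
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

REQUIRED_GLOBAL = [
    "service password-encryption",
    "no service pad",
    "no ip bootp server",
    "no cdp run",
    "no ip source-route",
    "no ip http server",
    "security passwords min-length 8",
    "aaa new-model",
]
REQUIRED_INTERFACE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables", "no cdp enable"]
VTY_ALLOWED = "transport input ssh"


def parse_config(text):
    """Split a running-config into (global command list, {block header: [block lines]})."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # indented line belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.rstrip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit(text, interface_filter=lambda name: not name.startswith("Loopback")):
    """Return a list of findings; an empty list means the config matches the baseline."""
    findings = []
    global_cmds, blocks = parse_config(text)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_cmds:
            findings.append(f"global: missing '{cmd}'")
    for header, lines in blocks.items():
        if header.startswith("interface "):
            if not interface_filter(header.split(" ", 1)[1]):
                continue
            for cmd in REQUIRED_INTERFACE:
                if cmd not in lines:
                    findings.append(f"{header}: missing '{cmd}'")
        elif header.startswith("line vty"):
            transports = [ln for ln in lines if ln.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: missing '{VTY_ALLOWED}'")
            for ln in transports:
                if ln != VTY_ALLOWED:
                    findings.append(f"{header}: '{ln}' permits non-SSH access")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config collected from each router; the finding strings are stable enough to diff between collections, so a command that silently disappears after a change window shows up as a new line.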
Access Control Implementation
Authentication, Authorization, and Accounting (AAA) is an architectural framework for consistently configuring a set of independent security functions. It provides a modular way of performing authentication, authorization, and accounting using a protocol such as RADIUS or TACACS.
In the branch architecture, AAA is the primary method for access control, using RADIUS as the protocol for communication between network devices and the AAA server.
Router(config)# aaa new-model ! Enables authentication, authorization, and accounting services
Router(config)# aaa group server radius AAA-BRANCH ! Defines the RADIUS server group
Router(config-sg-radius)# server 172.16.0.80 auth-port 1645 acct-port 1646 ! Specifies the RADIUS server IP address and ports
Router(config-sg-radius)# exit
Router(config)# aaa authentication login default group radius local ! Specifies default login authentication to use the RADIUS server database, with the local database as fallback
Router(config)# aaa authentication login VPN-AUTH-LIST group radius local ! Specifies SSL VPN login authentication to use the RADIUS server database, with the local database as fallback
Router(config)# aaa session-id common ! Uses the same session identifier for all invocations of accounting services
Router(config)# radius-server key BRANCH-KEY ! Specifies the RADIUS shared secret
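The radius-server key above is the only thing that ties a branch router to the AAA server, so it is worth seeing exactly what it is used for. As an added example (not part of the Cisco guide), the following Python script models one RADIUS exchange from RFC 2865: the router hides the user's password with an MD5 chain derived from the shared secret and the Request Authenticator, the server recovers it, decides, and signs its reply with a Response Authenticator that the router verifies before trusting the answer. Assumptions: the Request Authenticator is a constructed constant rather than the random value a real router generates, the server's user table is a plain dictionary, and the Message-Authenticator attribute is not modelled. The password hiding is MD5-based obfuscation rather than encryption, which is one reason RADIUS traffic belongs on a protected network path such as the VPN described later in this guide.

```python
"""One RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Added example, not from the Cisco guide: shows how the shared secret
configured with 'radius-server key' protects the User-Password attribute and
authenticates the server's reply.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

SECRET = b"BRANCH-KEY"           # shared secret from the configuration above
REQUEST_AUTH = bytes(range(16))  # constructed; a real NAS uses 16 random bytes per request


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length includes the 2-byte header)."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk of the zero-padded password with an MD5 chain."""
    raw = password.encode()
    raw = raw.ljust(-(-len(raw) // 16) * 16, b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(raw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(raw[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> str:
    """Inverse of hide_password; a wrong secret yields garbage rather than an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\0").decode("utf-8", errors="replace")


def build_access_request(ident: int, username: str, password: str, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = _attr(USER_NAME, username.encode()) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break                                  # malformed attribute: stop parsing
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with its copy of the secret and sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode("utf-8", errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + secret).digest()


def client_check(response: bytes, request: bytes, secret: bytes):
    """NAS side: verify the Response Authenticator and identifier before trusting the code."""
    request_auth = request[4:20]
    _, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    ok = hmac.compare_digest(expected, response[4:20]) and response[1] == request[1]
    return ok, response[0]


def demo():
    users = {"admin": "C1$k0SyS"}
    req = build_access_request(7, "admin", "C1$k0SyS", SECRET, REQUEST_AUTH)
    return {
        "matching_secret": client_check(server_handle(req, SECRET, users), req, SECRET),
        "server_has_wrong_secret": client_check(server_handle(req, b"WRONG-KEY", users), req, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

A mismatched secret fails twice over: the server cannot recover the password, so it rejects, and its reply carries a Response Authenticator the router cannot verify, which is what a "RADIUS: Response authenticator mismatch" style failure on the NAS reflects.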
 
Password Management
Router(config)# security passwords min-length 8 ! Sets the minimum password length to 8 characters
Router(config)# service password-encryption ! Encrypts all passwords in the configuration file
Router(config)# enable password level 7 C1$k0SyS ! Sets the enable password for privilege level 7
Router(config)# enable secret level 5 C1$k0SyS ! Sets the enable secret for privilege level 5, stored as an MD5 hash
Router(config)# security authentication failure rate 10 log ! Allows up to 10 unsuccessful login attempts and generates a syslog entry when the threshold is exceeded
Router(config)# username admin password C1$k0SyS ! Sets the login password for the admin user
Switch-Access(config)# service password-encryption ! Encrypts all passwords in the configuration file
Switch-Access(config)# enable secret level 5 C1$k0SyS ! Sets the enable secret for privilege level 5, stored as an MD5 hash
Secure Connectivity Implementation
Group Encrypted Transport Virtual Private Networks (GETVPN) eliminates the need for tunnels across the WAN. By removing the need for point-to-point tunnels, meshed networks can scale better while maintaining network-intelligence features that are critical to voice and video quality, such as QoS, routing, and multicast. GETVPN offers a new standards-based IPsec security model that is based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship.
GET-based networks can be used in a variety of WAN environments, including IP and Multiprotocol Label Switching (MPLS). MPLS VPNs that use this encryption technology are highly scalable, manageable, and cost-effective, and they meet government-mandated encryption requirements. The flexible nature of GET allows security-conscious enterprises either to manage their own network security over a service provider WAN service or to offload encryption services to their providers. GET simplifies securing large Layer 2 or MPLS networks that require partial or full-mesh connectivity.
In the Streamlined Small Branch Foundation, GETVPN encryption was used on the primary WAN link.
Router(config)# crypto isakmp policy 1 ! Creates the IKE policy and enters ISAKMP configuration mode
Router(config-isakmp)# encryption 3des ! Specifies the 3DES encryption algorithm
Router(config-isakmp)# authentication pre-share ! Specifies authentication with preshared keys
Router(config-isakmp)# hash md5 ! Specifies MD5 as the hash algorithm
Router(config-isakmp)# group 2 ! Specifies the 1024-bit Diffie-Hellman group
Router(config-isakmp)# lifetime 28800 ! Specifies the lifetime of the IKE security association in seconds
Router(config-isakmp)# exit
Router(config)# crypto isakmp key VPN-KEY address 209.165.201.10 ! Specifies the static key for ISAKMP negotiation with the peer, identified by its loopback address
Router(config)# crypto isakmp keepalive 30 ! Enables keepalives between peers at the specified interval
Router(config)# crypto gdoi group GET-GROUP ! Enters GDOI group configuration mode
Router(config-gdoi-group)# identity number 1357924680 ! Sets the GDOI group number
Router(config-gdoi-group)# server address ipv4 209.165.201.10 ! Specifies the GDOI key server address
Router(config-gdoi-group)# exit
Router(config)# crypto map VPN-MAP local-address Loopback0 ! Specifies the interface whose address the crypto map uses for IPsec traffic
Router(config)# crypto map VPN-MAP 1 gdoi ! Creates a GDOI crypto map entry and enters crypto map configuration mode
Router(config-crypto-map)# set group GET-GROUP ! Associates the GDOI group with the crypto map
Router(config-crypto-map)# qos pre-classify ! Classifies packets for QoS before they are encrypted
Router(config-crypto-map)# exit
Apply the VPN-MAP on all WAN interfaces and subinterfaces.
Router(config-fr-dlci)# crypto map VPN-MAP
or
Router(config-if)# crypto map VPN-MAP
GETVPN Key Server
The key server was configured at the central location.
KEY-SERVER(config)# crypto isakmp policy 1 ! Defines an IKE policy
KEY-SERVER(config-isakmp)# encryption 3des ! Specifies the 3DES encryption algorithm
KEY-SERVER(config-isakmp)# authentication pre-share ! Specifies authentication with preshared keys
KEY-SERVER(config-isakmp)# group 2 ! Specifies the 1024-bit Diffie-Hellman group
KEY-SERVER(config-isakmp)# lifetime 28800 ! Specifies the lifetime of the IKE security association in seconds
KEY-SERVER(config-isakmp)# exit
KEY-SERVER(config)# crypto ipsec transform-set GET-GROUP esp-aes 256 esp-sha-hmac ! Defines an IPsec transform set with ESP encapsulation, AES 256-bit encryption, and SHA-1 HMAC
KEY-SERVER(cfg-crypto-trans)# exit
KEY-SERVER(config)# crypto ipsec profile GET-VPN ! Defines a profile and enters IPsec profile configuration mode
KEY-SERVER(ipsec-profile)# set security-association lifetime seconds 86400 ! Specifies the security association lifetime
KEY-SERVER(ipsec-profile)# set transform-set GET-GROUP ! Specifies the transform set used by this profile
KEY-SERVER(ipsec-profile)# exit
KEY-SERVER(config)# crypto gdoi group GET-GROUP ! Identifies a GDOI group and enters GDOI group configuration mode
KEY-SERVER(config-gdoi-group)# identity number 1357924680 ! Sets the GDOI group number
KEY-SERVER(config-gdoi-group)# server local ! Makes this router the GDOI key server and enters its configuration mode
KEY-SERVER(gdoi-local-server)# rekey address ipv4 REKEY-ADDRESS ! Defines the destination of rekey messages using the REKEY-ADDRESS ACL
KEY-SERVER(gdoi-local-server)# rekey lifetime seconds 300 ! Limits the number of seconds that any one key encryption key is used
KEY-SERVER(gdoi-local-server)# rekey retransmit 10 number 2 ! Retransmits the rekey message up to 2 times at 10-second intervals
KEY-SERVER(gdoi-local-server)# rekey authentication mypubkey rsa REKEY-RSA ! Specifies the RSA key pair used to sign rekey messages sent to GDOI group members
KEY-SERVER(gdoi-local-server)# sa ipsec 1 ! Specifies the IPsec SA policy for the GDOI group and enters GDOI SA IPsec configuration mode
KEY-SERVER(gdoi-sa-ipsec)# profile GET-VPN ! Applies the IPsec profile to the GDOI group SA
KEY-SERVER(gdoi-sa-ipsec)# match address ipv4 SA-ACL ! Specifies the extended access list that defines the traffic to be encrypted
KEY-SERVER(gdoi-sa-ipsec)# replay counter window-size 64 ! Specifies the window size for counter-based anti-replay
KEY-SERVER(gdoi-sa-ipsec)# exit
KEY-SERVER(gdoi-local-server)# exit
KEY-SERVER(config-gdoi-group)# exit
KEY-SERVER(config)# ip access-list extended REKEY-ADDRESS ! Defines an extended access list and enters ACL configuration mode
KEY-SERVER(config-ext-nacl)# permit udp host 209.165.201.10 eq 848 host 239.1.100.1 eq 848 ! Permits rekey messages from the key server address to the multicast group on UDP port 848 (GDOI)
KEY-SERVER(config-ext-nacl)# exit
KEY-SERVER(config)# ip access-list extended SA-ACL ! Defines an extended access list and enters ACL configuration mode
KEY-SERVER(config-ext-nacl)# permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255 ! Permits traffic from branch subnets to central site subnets and vice versa
KEY-SERVER(config-ext-nacl)# permit ip 10.0.1.0 0.0.0.255 172.16.0.0 0.0.255.255
KEY-SERVER(config-ext-nacl)# permit ip 10.0.2.0 0.0.0.31 172.16.0.0 0.0.255.255
KEY-SERVER(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
KEY-SERVER(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.255
KEY-SERVER(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 10.0.2.0 0.0.0.31
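The replay counter window-size 64 line in the key server configuration above enables counter-based anti-replay for the group SA. As an added example (not part of the Cisco guide), the following Python script implements the sliding-window algorithm of RFC 4303 Appendix A that such a setting configures: a receiver keeps the highest ESP sequence number accepted and a 64-bit map of the sequence numbers just below it, and rejects anything already seen or older than the window. Only the 8-byte SPI and sequence number prefix of an ESP packet is modelled; the packets in SAMPLE are constructed headers, and the integrity check that a real receiver performs before updating the window is left out.

```python
"""Counter-based ESP anti-replay window (RFC 4303 Appendix A).

Added example, not from the Cisco guide: models the check behind
'replay counter window-size 64' on constructed ESP headers.
"""
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, sequence number


class ReplayWindow:
    """Highest accepted sequence number plus a bitmap of the `size` values below it."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0        # highest sequence number accepted so far
        self.bitmap = 0      # bit i set  <=>  sequence number (last - i) has been accepted

    def check(self, seq: int):
        """Return (accepted, reason); the window is updated only on acceptance."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.last:
            shift = seq - self.last                  # slide the window up to the new maximum
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            else:
                self.bitmap = 0                      # jumped past the whole window
            self.bitmap |= 1
            self.last = seq
            return True, "advanced window"
        offset = self.last - seq
        if offset >= self.size:
            return False, "older than the window"
        if self.bitmap & (1 << offset):
            return False, "replay"
        self.bitmap |= 1 << offset                   # late but unseen: accept once
        return True, "accepted inside window"


def esp_header(spi: int, seq: int) -> bytes:
    """Constructed ESP header prefix (no payload, no ICV)."""
    return ESP_HEADER.pack(spi, seq)


def filter_packets(packets, size: int = 64):
    """Run one window per SPI over the packets; return (spi, seq, accepted, reason) per packet."""
    windows, decisions = {}, []
    for pkt in packets:
        spi, seq = ESP_HEADER.unpack_from(pkt, 0)
        accepted, reason = windows.setdefault(spi, ReplayWindow(size)).check(seq)
        decisions.append((spi, seq, accepted, reason))
    return decisions


# Constructed arrival order on SPI 0x1001: a duplicate, a late-but-new packet,
# a second copy of it, one that falls just outside the window, and a big jump.
SAMPLE = [esp_header(0x1001, s) for s in (1, 2, 2, 100, 37, 37, 36, 200, 100)]

if __name__ == "__main__":
    for spi, seq, accepted, reason in filter_packets(SAMPLE):
        print(f"spi={spi:#x} seq={seq:<4} {'accept' if accepted else 'drop  '} ({reason})")
```

With window size 64, sequence number 37 is still accepted after 100 has been seen (offset 63), while 36 is not (offset 64); in a multi-sender group such as GETVPN this is exactly why a single counter-based window is only sound per SPI and per sender, which is the reason the guide's key server also uses a short rekey lifetime.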
DMVPN Implementation
Dynamic Multipoint Virtual Private Network (DMVPN) is useful for building scalable IPsec VPNs. DMVPN uses a centralized architecture to provide easier implementation and management for deployment that requires granular access control for diverse users including teleworkers and mobile workers.
Cisco DMVPN allows branch locations to communicate directly with each other over the public WAN or Internet, such as when using Voice over IP (VoIP) between two branch offices, but does not require a permanent VPN connection between sites. In the Streamlined Small Branch Network, DMVPN was tested on both the primary WAN link and the backup WAN link depending on whether the tunnel interface is active.
Router(config)# crypto isakmp policy 1 ! Defines the IKE policy
Router(config-isakmp)# encr 3des ! Specifies 3DES encryption
Router(config-isakmp)# hash md5 ! Specifies MD5 as the hash algorithm
Router(config-isakmp)# authentication pre-share ! Specifies authentication with preshared keys
Router(config-isakmp)# group 2 ! Specifies the 1024-bit Diffie-Hellman group
Router(config-isakmp)# lifetime 28800 ! Specifies the lifetime of the IKE security association in seconds
Router(config-isakmp)# exit
Router(config)# crypto isakmp key VPN-KEY address 209.165.201.10 ! Defines the preshared key used for authentication with the peer
Router(config)# crypto isakmp keepalive 30 ! Enables keepalives between peers at the specified interval
Router(config)# crypto ipsec transform-set DM-GROUP esp-3des esp-md5-hmac ! Defines an IPsec transform set with ESP encapsulation, 3DES encryption, and MD5 HMAC
Router(cfg-crypto-trans)# exit
Router(config)# crypto ipsec profile DM-VPN ! Defines the IPsec profile
Router(ipsec-profile)# set security-association lifetime seconds 86400 ! Specifies how long a security association remains active
Router(ipsec-profile)# set transform-set DM-GROUP ! Specifies the IPsec transform set used to encrypt traffic
Router(ipsec-profile)# exit
Router(config)# interface Tunnel 1 ! Enters tunnel interface configuration mode
Router(config-if)# ip address 10.0.2.81 255.255.255.252 ! Specifies the tunnel interface IP address
Router(config-if)# ip mtu 1416 ! Sets the IP MTU to 1416 bytes
Router(config-if)# tunnel source Loopback 0 ! Specifies the source address used for tunnel packets
Router(config-if)# ip nbar protocol-discovery ! Enables NBAR protocol discovery
Router(config-if)# ip flow ingress ! Enables NetFlow accounting on incoming traffic
Router(config-if)# ip flow egress ! Enables NetFlow accounting on outgoing traffic
Router(config-if)# ip nhrp authentication KEY-BR ! Specifies the NHRP authentication string
Router(config-if)# ip nhrp map 172.16.0.10 209.165.201.10 ! Maps the central site tunnel address to its tunnel source (NBMA) address
Router(config-if)# ip nhrp map multicast 209.165.201.10 ! Enables broadcast and multicast delivery toward the central site tunnel source address
Router(config-if)# ip nhrp network-id 100000 ! Specifies the network identifier for this NBMA network
Router(config-if)# ip nhrp holdtime 300 ! Specifies how long NHRP address mappings are advertised as valid
Router(config-if)# ip nhrp nhs 172.16.0.10 ! Specifies the central site tunnel address as the next-hop server
Router(config-if)# load-interval 30 ! Specifies the interval for computing load statistics
Router(config-if)# qos pre-classify ! Classifies packets for QoS before they are encrypted
Router(config-if)# tunnel mode gre multipoint ! Specifies multipoint GRE tunnel mode
Router(config-if)# tunnel key 100000 ! Specifies the tunnel key
Router(config-if)# tunnel protection ipsec profile DM-VPN ! Associates the IPsec profile with the tunnel interface
Apply the following command on the tunnel interface after defining the VPN security zone.
Router(config-if)# zone-member security VPN ! Adds this interface to the firewall zone called VPN
DMVPN Verification
To verify your DMVPN configuration, enter the following commands:
Router# show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.10.11.137
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.11.137/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (80.80.80.214/255.255.255.255/47/0)
current_peer 80.80.80.214 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 259540, #pkts encrypt: 259540, #pkts digest: 259540
#pkts decaps: 256812, #pkts decrypt: 256812, #pkts verify: 256812
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.11.137, remote crypto endpt.: 80.80.80.214
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xA4863CF6(2760260854)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3EF09B6E(1055955822)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 39, flow_id: Onboard VPN:39, sibling_flags 80000046, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4565229/2312)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA4863CF6(2760260854)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 40, flow_id: Onboard VPN:40, sibling_flags 80000046, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4564995/2312)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state    conn-id  slot  status
209.165.201.9   209.165.201.10  QM_IDLE  21440    0     ACTIVE
SSL VPN Implementation
Secure Sockets Layer Virtual Private Network (SSL VPN) is used to connect remote office users directly to the branch and to provide them access to resources in the DMZ VLAN. They are also able to place calls using PC soft phones.
Router(config)# crypto pki trustpoint SSLVPN ! Defines a PKI certificate trustpoint
Router(ca-trustpoint)# enrollment selfsigned ! Specifies that the router issues its own self-signed certificate
Router(ca-trustpoint)# serial-number ! Includes the router's serial number in the certificate request
Router(ca-trustpoint)# revocation-check none ! Disables certificate status checking
Router(ca-trustpoint)# rsakeypair CERT-KEY ! Specifies the RSA key pair
Router(ca-trustpoint)# exit
Router(config)# crypto pki certificate chain SSLVPN ! Enters certificate chain configuration mode
Router(config-cert-chain)# certificate self-signed 01 ! Manually enters the self-signed certificate
There can be only one self-signed PKI certificate per router. AutoSecure, described in the Infrastructure Protection Implementation section, creates a self-signed certificate for the router while configuring SSH access. If AutoSecure was enabled on the router, then the next step is not necessary. However, if AutoSecure was not enabled, the above command will request a self-signed PKI certificate. To learn about creating self-signed certificates, visit:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106.html
Enter the certificate in hexadecimal representation....
Router(config-pubkey)# 308201F2 3082019C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
Router(config-pubkey)# 42314030 12060355 0405130B 46545831 31343841 36433030 2A06092A 864886F7
Router(config-pubkey)# 0D010902 161D4B69 76752D33 3832352D 42722D31 2E796F75 72646F6D 61696E2E
Router(config-pubkey)# 636F6D30 1E170D30 38303231 33323232 3131345A 170D3230 30313031 30303030
Router(config-pubkey)# 30305A30 42314030 12060355 0405130B 46545831 31343841 36433030 2A06092A
Router(config-pubkey)# 864886F7 0D010902 161D4B69 76752D33 3832352D 42722D31 2E796F75 72646F6D
Router(config-pubkey)# 61696E2E 636F6D30 5C300D06 092A8648 86F70D01 01010500 034B0030 48024100
Router(config-pubkey)# A699E60C 8EBCF9EA B3142412 FDEE1150 BF25E671 0FBF5E3E 323ABFEB FFC9790D
Router(config-pubkey)# D5D10D76 7639A04A DDD45FA3 F82E6EFE 2F14C046 E05C0488 433CD054 44E97E61
Router(config-pubkey)# 02030100 01A37D30 7B300F06 03551D13 0101FF04 05300301 01FF3028 0603551D
Router(config-pubkey)# 11042130 1F821D4B 6976752D 33383235 2D42722D 312E796F 7572646F 6D61696E
Router(config-pubkey)# 2E636F6D 301F0603 551D2304 18301680 14E94478 E4EE44CD 8277D8E9 B12EBC6D
Router(config-pubkey)# ABC165DC D8301D06 03551D0E 04160414 E94478E4 EE44CD82 77D8E9B1 2EBC6D
Router(config-pubkey)# C165DCD8 300D0609 2A864886 F70D0101 04050003 41001086 6FDC6C2E 735E9A99
Router(config-pubkey)# 764F874B 03F10F55 31414E96 A0901C04 D172E2B1 AF990499 5404A7B8 94543832
Router(config-pubkey)# 5B5C0389 C543C76F 49E70F1D CCBCCEC3 A9B346CF D561
Router(config-pubkey)# quit
Router(config-cert-chain)# exit
 
Add the following rules to the firewall access control list (ACL) definitions.
Router(config)# ip access-list extended publicSelfInRule20Acl ! Enters the Public to IOS (self) zone ACL definition
Router(config-ext-nacl)# permit tcp any host 209.165.201.15 ! Public address of SSLVPN gateway 1
Router(config-ext-nacl)# permit tcp any host 209.165.201.17 ! Public address of SSLVPN gateway 2
Router(config-ext-nacl)# permit tcp any host 209.165.201.20 eq www ! Public address of DMZ server
Router(config-ext-nacl)# permit tcp any host 209.165.201.21 eq www ! Public address of DMZ server
Router(config-ext-nacl)# permit tcp any host 209.165.201.22 eq www ! Public address of DMZ server
Router(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.252 ! Central site network
Router(config-ext-nacl)# permit ip 209.165.201.0 0.0.0.252 ! Central site network
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended publicDMZInRule20Acl ! Enters the Public to DMZ zone ACL definition
Router(config-ext-nacl)# permit tcp any host 209.165.201.16 ! Public address of SSLVPN gateway 1
Router(config-ext-nacl)# permit tcp any host 209.165.201.17 ! Public address of SSLVPN gateway 2
Router(config-ext-nacl)# permit tcp any host 209.165.201.20 eq www ! Public address of DMZ server
Router(config-ext-nacl)# permit tcp any host 209.165.201.21 eq www ! Public address of DMZ server
Router(config-ext-nacl)# permit tcp any host 209.165.201.22 eq www ! Public address of DMZ server
Router(config-ext-nacl)# exit
 
Router(config)# ip local pool SSLVPN-Address-Pool 10.0.0.70 10.0.2.79 ! Defines pool of addresses for VPN clients
Router(config)# webvpn gateway SSLVPN-GATEWAY-1 ! Enters webvpn gateway configuration mode
Router(config-webvpn-gateway)# ip address 209.165.201.15 port 443 ! Assigns public IP for the gateway
Router(config-webvpn-gateway)# http-redirect port 80 ! Configures HTTP traffic to be carried as HTTPS
Router(config-webvpn-gateway)# ssl trustpoint SSLVPN ! Assigns PKI certificate trust point
Router(config-webvpn-gateway)# inservice ! Starts the SSLVPN process
Router(config-webvpn-gateway)# exit
Router(config)# webvpn gateway SSLVPN-GATEWAY-2
Router(config-webvpn-gateway)# ip address 209.165.201.17 port 443 ! Assigns public IP for the gateway
Router(config-webvpn-gateway)# http-redirect port 80 ! Configures HTTP traffic to be carried as HTTPS
Router(config-webvpn-gateway)# ssl trustpoint SSLVPN ! Assigns PKI certificate trust point
Router(config-webvpn-gateway)# inservice ! Starts the SSLVPN process
Router(config-webvpn-gateway)# exit
Router(config)# webvpn install svc flash:sslclient-win-1.1.4.176.pkg ! Installs Cisco AnyConnect VPN package
Router(config)# webvpn context SSLVPN-GW-WEB ! Enters webvpn context configuration mode
Router(config-webvpn-context)# secondary-color white ! Configures login portal
Router(config-webvpn-context)# title-color #FF9900 ! Configures login portal
Router(config-webvpn-context)# text-color black ! Configures login portal
Router(config-webvpn-context)# ssl encryption rc4-md5 ! Configures RC4-MD5 SSL encryption
Router(config-webvpn-context)# ssl authenticate verify all ! Performs user authentication
Router(config-webvpn-context)# url-list "WEB-SERVERS" ! Configures list of URLs in DMZ that the user can access
Router(config-webvpn-url)# heading "Web Servers" ! Configures display properties for web servers
Router(config-webvpn-url)# url-text "Server1" url-value "http://10.0.2.65/index.html"
Router(config-webvpn-url)# url-text "Server2" url-value "http://10.0.2.66/index.html"
Router(config-webvpn-url)# url-text "Server3" url-value "http://10.0.2.67/index.html"
Router(config-webvpn-url)# exit
Router(config-webvpn-context)# policy group SSLVPN-POLICY-WEB ! Defines policy for DMZ web servers
Router(config-webvpn-group)# url-list "WEB-SERVERS" ! Associates policy with URL list
Router(config-webvpn-group)# functions svc-enabled ! Enables use of tunnel mode
Router(config-webvpn-group)# mask-urls ! Obfuscates sensitive URLs
Router(config-webvpn-group)# svc address-pool "SSLVPN-Address-Pool" ! Assigns local addresses
Router(config-webvpn-group)# svc keep-client-installed ! Maintains Cisco AnyConnect VPN client software installations on the connecting PCs
Router(config-webvpn-group)# exit
Router(config-webvpn-context)# default-group-policy SSLVPN-POLICY-WEB ! Associates SSLVPN context with this group policy
Router(config-webvpn-context)# aaa authentication list VPN-AUTH-LIST ! Configures AAA for SSLVPN users
Router(config-webvpn-context)# gateway SSLVPN-GATEWAY-1 ! Assigns gateway to this SSLVPN context
Router(config-webvpn-context)# inservice ! Starts the SSLVPN policy
Router(config-webvpn-context)# exit
 
The following example illustrates a second SSL VPN context.
Router(config)# webvpn context SSLVPN-GW-APP ! Enters webvpn context configuration mode
Router(config-webvpn-context)# ssl encryption rc4-md5 ! Configures RC4-MD5 SSL encryption
Router(config-webvpn-context)# ssl authenticate verify all ! Performs user authentication
Router(config-webvpn-context)# url-list "APP-SERVERS" ! Configures list of application server URLs that the user can access
Router(config-webvpn-url)# heading "Application Servers" ! Configures display properties for application servers
Router(config-webvpn-url)# url-text "Server1" url-value "http://10.0.2.65/index.html"
Router(config-webvpn-url)# url-text "Server2" url-value "http://10.0.2.66/index.html"
Router(config-webvpn-url)# url-text "Server3" url-value "http://10.0.2.67/index.html"
Router(config-webvpn-url)# exit
Router(config-webvpn-context)# policy group SSLVPN-POLICY-APP ! Defines policy for application servers
Router(config-webvpn-group)# url-list "APP-SERVERS" ! Associates policy with URL list
Router(config-webvpn-group)# exit
Router(config-webvpn-context)# default-group-policy SSLVPN-POLICY-APP ! Associates SSLVPN context with this group policy
Router(config-webvpn-context)# aaa authentication list VPN-AUTH-LIST ! Configures AAA for SSLVPN users
Router(config-webvpn-context)# gateway SSLVPN-GATEWAY-2 ! Assigns gateway to this SSLVPN context
Router(config-webvpn-context)# inservice ! Starts the SSLVPN policy
Router(config-webvpn-context)# exit
Router(config)#
Threat Defense Detection and Mitigation Implementation
Zone-based Policy Firewall Implementation
Zone-based Policy Firewall (ZPF) assigns the interfaces of a multiple-interface router to security zones and applies policy to traffic between those zones. It changes the firewall configuration from the interface-based classic Context-Based Access Control (CBAC) model to a more flexible zone-based configuration.
Interfaces are assigned to different zones, and inspection policies are applied to traffic moving between zones. Because the inspection policies are zone based rather than interface based, different policies can be applied to traffic to and from the same interface.
There are four zones in the Streamlined Small Branch Network: Private (LAN), Public (WAN), VPN, and DMZ. Inspection policies were applied for the following zone pairs:
 • Traffic originated from Private to Public
 • Traffic originated from Private to DMZ
 • Traffic originated from Public to Private
 • Traffic originated from Public to DMZ
 • Traffic originated from router to Private
 • Traffic originated from Private to router
 • Traffic originated from Private to VPN
 • Traffic originated from VPN to Private
Router(config)# parameter-map type inspect publicPrivateOutParamMap ! Defines a parameter-map for traffic from Public to Private zone
Router(config-profile)# max-incomplete low 6000 ! Specifies minimum number of half-open sessions before IOS stops removing sessions
Router(config-profile)# max-incomplete high 10000 ! Specifies maximum number of half-open sessions after which IOS starts removing sessions
Router(config-profile)# one-minute low 18000 ! Specifies minimum number of half-open sessions in one minute before IOS stops removing sessions
Router(config-profile)# one-minute high 20000 ! Specifies maximum number of half-open sessions in one minute after which IOS starts removing sessions
Router(config-profile)# udp idle-time 10 ! Specifies maximum length of time for which UDP inspect information is maintained
Router(config-profile)# icmp idle-time 5 ! Specifies maximum length of time for which ICMP inspect information is maintained
Router(config-profile)# tcp max-incomplete host 7000 block-time 0 ! Specifies the maximum number of half-open TCP sessions to the same destination before IOS starts removing sessions
Router(config-profile)# exit
Router(config)# ip access-list extended privatePublicOutRule10Acl ! Defines ACL for traffic from IOS to Private zone
Router(config-ext-nacl)# permit 10.0.0.0 0.0.0.255 ! Permits all data VLAN traffic
Router(config-ext-nacl)# permit 10.0.1.0 0.0.0.255 ! Permits all voice VLAN traffic
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended publicPrivateOutRule10Acl ! Defines ACL for traffic from Public zone to Private zone
Router(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255 ! Permits central site traffic to Data VLAN
Router(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.255 ! Permits central site traffic to Voice VLAN
Router(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 10.0.2.0 0.0.0.31 ! Permits central site traffic to Management VLAN
Router(config-ext-nacl)# permit ip host 239.1.100.1 any ! Permits key server multicast address
Router(config-ext-nacl)# permit ip host 209.165.201.10 any ! Permits key server
Router(config-ext-nacl)# exit
 
Router(config)# class-map type inspect match-all FROM-SELF-CMAP ! Defines class map for traffic from IOS to Private zone
Router(config-cmap)# match access-group name selfPrivateRule10 ! Matches traffic in specified ACL
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any TO-SELF-CMAP ! Defines class map for traffic from Private to IOS zone
Router(config-cmap)# match access-group name selfPrivateRule10 ! Matches traffic in specified ACL
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any privateDMZOutRule10Protocols ! Defines class map for protocols from Private to DMZ zone
Router(config-cmap)# match protocol http ! Matches HTTP traffic
Router(config-cmap)# match protocol https ! Matches Secure HTTP traffic
Router(config-cmap)# match protocol dns ! Matches DNS traffic
Router(config-cmap)# match protocol ssh ! Matches Secure Shell traffic
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any privatePublicOutRule10 ! Defines class map for traffic from Private to Public zone
Router(config-cmap)# match access-group name publicPrivateOutRule10Acl ! Matches traffic in specified ACL
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any SELF-SERVICE-CMAP ! Defines class map for protocols originating from IOS
Router(config-cmap)# match protocol tcp ! Matches TCP traffic
Router(config-cmap)# match protocol udp ! Matches UDP traffic
Router(config-cmap)# match protocol icmp ! Matches ICMP traffic
Router(config-cmap)# match protocol h323 ! Matches H323 traffic
Router(config-cmap)# match protocol echo ! Matches Echo protocol traffic
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any publicDMZOutRule10Protocols ! Defines class map for protocols from Public to DMZ zone
Router(config-cmap)# match protocol http ! Matches HTTP traffic
Router(config-cmap)# match protocol https ! Matches Secure HTTP traffic
Router(config-cmap)# match protocol dns ! Matches DNS traffic
Router(config-cmap)# match protocol ssh ! Matches Secure Shell traffic
Router(config-cmap)# exit
 
Router(config)# policy-map type inspect publicDMZOutFwPolicy ! Defines inspect policy for Public to DMZ zone
Router(config-pmap)# class type inspect publicDMZOutRule10Protocols ! Matches traffic classified by specified class-map
Router(config-pmap-c)# inspect publicPrivateOutParamMap ! Enables packet inspection according to the Public to Private zone parameter map definition
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop log ! Drops the traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map type inspect privateSelfOutFwPolicy ! Defines inspect policy for Private to IOS zone
Router(config-pmap)# class type inspect SELF-SERVICE-CMAP ! Matches traffic classified by the SELF-SERVICE-CMAP class map
Router(config-pmap-c)# pass ! Passes the traffic
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop ! Drops the traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map type inspect selfPrivateOutFwPolicy ! Defines inspect policy for IOS to Private zone
Router(config-pmap)# class type inspect SELF-SERVICE-CMAP ! Matches traffic classified by the SELF-SERVICE-CMAP class map
Router(config-pmap-c)# pass ! Passes the traffic
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop ! Drops the traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map type inspect privatePublicOutFwPolicy ! Defines inspect policy for Private to Public zone
Router(config-pmap)# class type inspect privatePublicOutRule10 ! Matches traffic classified by specified class-map
Router(config-pmap-c)# inspect publicPrivateOutParamMap ! Enables packet inspection according to the Public to Private zone parameter map definition
%No specific protocol configured in class privatePublicOutRule10 for inspection. All protocols will be inspected
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop ! Drops the traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map type inspect privateDMZOutFwPolicy ! Defines inspect policy for Private to DMZ zone
Router(config-pmap)# class type inspect privateDMZOutRule10Protocols ! Matches traffic classified by specified class-map
Router(config-pmap-c)# inspect publicPrivateOutParamMap ! Enables packet inspection according to the Public to Private zone parameter map definition
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop log ! Drops the traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
 
Router(config)# zone security Public ! Define Security Zone named Public
Router(config-sec-zone)# description Public Internet Connection
Router(config-sec-zone)# exit
Apply Public security zone on the WAN interface or subinterface as described in WAN interface configuration sections.
Router(config)# zone security Private ! Define Security Zone named Private
Router(config-sec-zone)# description Customer Private Network
Router(config-sec-zone)# exit
Router(config)# zone security DMZ ! Define Security Zone named DMZ
Router(config-sec-zone)# description Customer DMZ Network
Router(config-sec-zone)# exit
Apply Private and DMZ security zones on the LAN interface or subinterface as described in VLAN interface configuration sections.
Router(config)# zone-pair security privatePublicOut source Private destination Public ! Define zone-pair for Private to Public traffic
Router(config-sec-zone-pair)# description Outbound Firewall Policy from Private to Public
Router(config-sec-zone-pair)# service-policy type inspect privatePublicOutFwPolicy ! Apply firewall policy for zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security publicDMZOut source Public destination DMZ ! Define zone-pair for Public to DMZ traffic
Router(config-sec-zone-pair)# description Outbound Firewall Policy from Public to DMZ
Router(config-sec-zone-pair)# service-policy type inspect publicDMZOutFwPolicy ! Apply firewall policy for zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security privateDMZOut source Private destination DMZ ! Define zone-pair for Private to DMZ traffic
Router(config-sec-zone-pair)# description Outbound Firewall Policy from Private to DMZ
Router(config-sec-zone-pair)# service-policy type inspect privateDMZOutFwPolicy ! Apply firewall policy for zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security privateSelf source Private destination self ! Define zone-pair for Private to IOS traffic
Router(config-sec-zone-pair)# service-policy type inspect privateSelfOutFwPolicy ! Apply firewall policy for zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security selfPrivate source self destination Private ! Define zone-pair for IOS to Private traffic
Router(config-sec-zone-pair)# service-policy type inspect selfPrivateOutFwPolicy ! Apply firewall policy for zone-pair
Router(config-sec-zone-pair)# exit
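The ZPF configuration above is a chain of objects that refer to each other by name: class maps match ACLs, policy maps reference class maps, and zone-pairs reference zones and policy maps. In a listing this long, a reference to an object that was never defined (or a zone that ends up in no zone-pair, whose traffic ZPF silently drops) is easy to miss. The following Python script is an added example and is not part of this Cisco guide: it parses a running-config style text and reports dangling references, zone-pairs with no service-policy, and zones absent from every zone-pair. The embedded configuration is constructed for the example and only borrows the naming style of this section; the functions parse_zpf and lint_zpf are this example's own names.

```python
"""Added example, not Cisco's code: consistency check for a zone-based
policy firewall (ZPF) configuration.  Reports references to objects that
are never defined, zone-pairs without a service-policy, and zones that
take part in no zone-pair.  The sample configuration is constructed."""
import re

SAMPLE_CONFIG = """\
ip access-list extended privatePublicOutRule10Acl
 permit ip 10.0.0.0 0.0.0.255 any
class-map type inspect match-any privatePublicOutRule10
 match access-group name privatePublicOutRule10Acl
class-map type inspect match-any SELF-SERVICE-CMAP
 match protocol tcp
 match access-group name selfPrivateRule10
policy-map type inspect privatePublicOutFwPolicy
 class type inspect privatePublicOutRule10
  inspect
 class class-default
  drop log
policy-map type inspect privateSelfOutFwPolicy
 class type inspect SELF-SERVICE-MAP
  pass
zone security Public
zone security Private
zone security DMZ
zone-pair security privatePublicOut source Private destination Public
 service-policy type inspect privatePublicOutFwPolicy
zone-pair security privateSelf source Private destination self
 service-policy type inspect privateSelfOutFwPolicy
"""


def parse_zpf(config_text):
    """Collect ZPF objects and the names they reference."""
    acls = set()
    class_maps = {}       # class-map name -> ACL names it matches
    policy_maps = {}      # policy-map name -> class-map names it uses
    zones = {"self"}      # the router's own 'self' zone is built in
    zone_pairs = {}       # zone-pair name -> [source, destination, policy]
    current = None        # (kind, name) of the block being parsed
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                # top-level statement
            current = None
            if m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
                acls.add(m.group(1))
            elif m := re.match(r"access-list (\d+) ", line):
                acls.add(m.group(1))
            elif m := re.match(r"class-map type inspect(?: match-(?:any|all))? (\S+)$", line):
                class_maps[m.group(1)] = []
                current = ("class-map", m.group(1))
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                policy_maps[m.group(1)] = []
                current = ("policy-map", m.group(1))
            elif m := re.match(r"zone security (\S+)$", line):
                zones.add(m.group(1))
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                zone_pairs[m.group(1)] = [m.group(2), m.group(3), None]
                current = ("zone-pair", m.group(1))
        elif current is not None:                  # indented line inside a block
            kind, name = current
            if kind == "class-map" and (m := re.match(r"match access-group (?:name )?(\S+)$", line)):
                class_maps[name].append(m.group(1))
            elif kind == "policy-map" and (m := re.match(r"class type inspect (\S+)$", line)):
                policy_maps[name].append(m.group(1))
            elif kind == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
                zone_pairs[name][2] = m.group(1)
    return acls, class_maps, policy_maps, zones, zone_pairs


def lint_zpf(config_text):
    """Return human-readable findings; an empty list means the references are consistent."""
    acls, class_maps, policy_maps, zones, zone_pairs = parse_zpf(config_text)
    findings = []
    for cmap, acl_refs in class_maps.items():
        for ref in acl_refs:
            if ref not in acls:
                findings.append(f"class-map {cmap} references undefined ACL {ref}")
    for pmap, cmap_refs in policy_maps.items():
        for ref in cmap_refs:
            if ref not in class_maps:
                findings.append(f"policy-map {pmap} references undefined class-map {ref}")
    used = set()
    for zp, (src, dst, policy) in zone_pairs.items():
        used.update((src, dst))
        for zone in (src, dst):
            if zone not in zones:
                findings.append(f"zone-pair {zp} references undefined zone {zone}")
        if policy is None:
            findings.append(f"zone-pair {zp} has no service-policy; its traffic is dropped")
        elif policy not in policy_maps:
            findings.append(f"zone-pair {zp} references undefined policy-map {policy}")
    for zone in sorted(zones - used - {"self"}):
        findings.append(f"zone {zone} is in no zone-pair; traffic to other zones is dropped")
    return findings


if __name__ == "__main__":
    for finding in lint_zpf(SAMPLE_CONFIG):
        print(finding)
```

Run against the output of show running-config, the script reports three findings for the constructed sample: a class map matching an ACL that does not exist, a policy map naming a class map that does not exist, and the DMZ zone left out of every zone-pair. The first two are the kind of typo (SELF-SERVICE-MAP for SELF-SERVICE-CMAP) that IOS accepts at configuration time but that leaves the class empty, so the traffic falls through to class-default and its drop action.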
Zone-based Policy Firewall Verification
To verify your zone-based firewall configuration, enter the following commands:
Router# show policy-map type inspect zone-pair
Zone-pair: publicPrivateOut
Service-policy inspect : publicPrivateOutFwPolicy
Class-map: publicPrivateOutRule10 (match-any)
Match: access-group name publicPrivateOutRule10Acl
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any publicPrivateOutRule10Protocols
160728 packets, 5222722 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
23 packets, 1196 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
81876 packets, 2947880 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
78575 packets, 2251480 bytes
30 second rate 0 bps
Match: protocol udp
246 packets, 22166 bytes
30 second rate 0 bps
Match: protocol bgp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [77702:1346327]
udp packets: [2:0]
icmp packets: [18235:7]
Session creations since subsystem startup or last reset 95910
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [14:101:1]
Last session created 08:55:49
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 15120
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: publicDMZOut
Service-policy inspect : publicDMZOutFwPolicy
Class-map: publicDMZOutRule10Protocols (match-any)
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol bgp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: access-group name DMZPublicOutRuleAcl20
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: privateDMZOut
Service-policy inspect : privateDMZOutFwPolicy
Class-map: privateDMZOutRule10Protocols (match-any)
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: vpnPrivateIn
Service-policy inspect : vpnPrivateInFwPolicy
Class-map: vpnPrivateInRule10 (match-any)
Match: access-group name vpnPrivateInRule10Acl
4314 packets, 109136 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [229:3495]
udp packets: [10:6177032]
icmp packets: [0:31]
Session creations since subsystem startup or last reset 271
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:11:1]
Last session created 5d08h
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 10
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: vpnPrivateOut
Service-policy inspect : vpnPrivateOutFwPolicy
Class-map: vpnPrivateOutRule10 (match-any)
Match: access-group name vpnPrivateOutRule10Acl
6356447 packets, 231662957 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [9061:117338799]
udp packets: [1761:2253]
icmp packets: [0:6176836]
ftp packets: [0:11]
tftp packets: [160:6]
tftp-data packets: [1600:1756]
skinny packets: [2867:62498341]
Session creations since subsystem startup or last reset 6356113
Current session counts (estab/half-open/terminating) [5:0:0]
Maxever session counts (estab/half-open/terminating) [193:22:97]
Last session created 00:00:48
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 22400
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: publicSelfOut
Service-policy inspect : publicSelfOutFwPolicy
Class-map: publicSelfOutRule20 (match-any)
Match: access-group name publicSelfOutRule20Acl
255 packets, 39396 bytes
30 second rate 0 bps
Match: protocol tcp
17229 packets, 735614 bytes
30 second rate 0 bps
Match: protocol udp
89136 packets, 6774336 bytes
30 second rate 0 bps
Match: protocol icmp
5 packets, 400 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [457182:0]
udp packets: [179870:0]
icmp packets: [43:0]
Session creations since subsystem startup or last reset 89587
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [4:4:1]
Last session created 00:00:45
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 6
Last half-open session total 0
Class-map: CRYPTO-CMAP (match-all)
Match: access-group 123
Pass
81354612 packets, 8078747532 bytes
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Zone-pair: publicSelfIn
Service-policy inspect : publicSelfInFwPolicy
Class-map: publicSelfInRule20 (match-any)
Match: access-group name publicSelfInRule20Acl
279 packets, 35460 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
udp packets: [919:0]
icmp packets: [111:0]
Session creations since subsystem startup or last reset 279
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:2:0]
Last session created 21:40:08
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 74
Last half-open session total 0
Class-map: CRYPTO-CMAP (match-all)
Match: access-group 123
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Zone-pair: DMZPublicOut
Service-policy inspect : publicDMZOutFwPolicy
Class-map: publicDMZOutRule10Protocols (match-any)
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol bgp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: access-group name DMZPublicOutRuleAcl20
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: selfprivate
Service-policy inspect : selfFwPolicy
Class-map: SELF-CMAP (match-any)
Match: access-group name SELF-ACL
24257448 packets, 1807595033 bytes
30 second rate 1000 bps
Pass
24257448 packets, 1807595033 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: vpnself
Service-policy inspect : selfFwPolicy
Class-map: SELF-CMAP (match-any)
Match: access-group name SELF-ACL
545089 packets, 17426918 bytes
30 second rate 0 bps
Pass
545089 packets, 17426918 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: selfvpn
Service-policy inspect : selfFwPolicy
Class-map: SELF-CMAP (match-any)
Match: access-group name SELF-ACL
1088484 packets, 28319861 bytes
30 second rate 0 bps
Pass
1088484 packets, 28319861 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Router#
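The counters worth watching in the output above are the Maxever half-open session count of each zone-pair, read against the max-incomplete low and high thresholds of the parameter map (6000 and 10000 in this design), and the packet count under each class-default Drop, which is traffic no class in the policy accepted. The Python script below is an added example, not part of this guide: it parses the flat text of show policy-map type inspect zone-pair (the embedded sample is constructed, with one zone-pair pushed past the high threshold) and returns an alert for every zone-pair whose half-open peak reached a threshold or whose class-default dropped packets. The names parse_zone_pair_stats and find_alerts belong to this example, not to IOS.

```python
"""Added example, not Cisco's code: parse the flat text of
'show policy-map type inspect zone-pair' and compare each zone-pair's
half-open session counters with the parameter-map thresholds
(max-incomplete low 6000 / high 10000 in this design).  The sample
output is constructed; one zone-pair is pushed past the high threshold."""
import re

SAMPLE_OUTPUT = """\
Zone-pair: privatePublicOut
Service-policy inspect : privatePublicOutFwPolicy
Class-map: privatePublicOutRule10 (match-any)
Match: access-group name privatePublicOutRule10Acl
160728 packets, 5222722 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 95910
Current session counts (estab/half-open/terminating) [14:9000:1]
Maxever session counts (estab/half-open/terminating) [14:12000:1]
Last session creation rate 0
Maxever session creation rate 15120
Last half-open session total 9000
Class-map: class-default (match-any)
Match: any
Drop
4321 packets, 212000 bytes
Zone-pair: publicDMZOut
Service-policy inspect : publicDMZOutFwPolicy
Class-map: publicDMZOutRule10Protocols (match-any)
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Maxever session creation rate 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
"""

# [estab:half-open:terminating] triplet printed by the Current/Maxever lines
COUNTS = re.compile(r"(Current|Maxever) session counts .*\[(\d+):(\d+):(\d+)\]")


def parse_zone_pair_stats(output):
    """Return {zone_pair: {current_half_open, maxever_half_open, maxever_rate, default_drops}}."""
    stats, zp, in_default, want_drop = {}, None, False, False
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"Zone-pair: (\S+)", line):
            zp = m.group(1)
            stats[zp] = dict(current_half_open=0, maxever_half_open=0,
                             maxever_rate=0, default_drops=0)
            in_default = want_drop = False
        elif zp is None:
            continue                          # text before the first zone-pair
        elif line.startswith("Class-map:"):
            in_default = line.startswith("Class-map: class-default")
        elif m := COUNTS.match(line):
            key = "current_half_open" if m.group(1) == "Current" else "maxever_half_open"
            stats[zp][key] = int(m.group(3))
        elif m := re.match(r"Maxever session creation rate (\d+)", line):
            stats[zp]["maxever_rate"] = int(m.group(1))
        elif in_default and line.startswith("Drop"):
            want_drop = True                  # the next line carries the counters
        elif want_drop:
            if m := re.match(r"(\d+) packets, (\d+) bytes", line):
                stats[zp]["default_drops"] = int(m.group(1))
            want_drop = False
    return stats


def find_alerts(stats, max_incomplete_low=6000, max_incomplete_high=10000):
    """Flag half-open peaks that reached the aggressive-aging thresholds and
    class-default drops; returns a list of (zone_pair, message)."""
    alerts = []
    for zp, s in stats.items():
        peak = s["maxever_half_open"]
        if peak >= max_incomplete_high:
            alerts.append((zp, f"half-open peak {peak} reached max-incomplete high "
                               f"{max_incomplete_high}: aggressive aging was triggered"))
        elif peak >= max_incomplete_low:
            alerts.append((zp, f"half-open peak {peak} is above max-incomplete low "
                               f"{max_incomplete_low}"))
        if s["default_drops"]:
            alerts.append((zp, f"{s['default_drops']} packets dropped by class-default; "
                               "review ACL/protocol coverage and the drop log"))
    return alerts


if __name__ == "__main__":
    for zone_pair, message in find_alerts(parse_zone_pair_stats(SAMPLE_OUTPUT)):
        print(f"{zone_pair}: {message}")
```

The parser does not depend on indentation, so it works on output that has been flattened the way the listing above was; it only relies on the line order IOS uses (the class-default header, then Drop, then the packet and byte counters). Feed it the thresholds actually configured in the parameter map, since a peak that only crossed max-incomplete low tells you the box was close to aggressive aging without having started it.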
DMVPN uses a Virtual Tunnel Interface (VTI) for IPsec VPN connectivity. When the DMVPN interface is assigned to a security zone, traffic routed between it and the other interfaces of the router is subjected to the zone-to-zone firewall policy.
If the DMVPN interface is assigned to the same security zone as another interface (for example, Fast Ethernet 0/0), traffic moving between hosts on the DMVPN and hosts connected to Fast Ethernet 0/0 passes freely with no policy applied.
In the Streamlined Small Branch Network, the tunnel interface is assigned to the VPN security zone, and the following additional inspection policies were applied.
Router(config)# ip access-list extended publicSelfInRule20Acl ! Defines ACL for Public to IOS zone traffic
Router(config-ext-nacl)# permit udp any eq isakmp host 209.165.201.9 eq isakmp ! Matches ISAKMP traffic
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended publicSelfOutRule20Acl ! Defines ACL for IOS to Public zone traffic
Router(config-ext-nacl)# permit udp host 22.0.14.253 eq isakmp any eq isakmp ! Matches ISAKMP traffic
Router(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.252 ! Central site network
Router(config-ext-nacl)# permit ip 209.165.201.0 0.0.0.252 ! Central site network
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended vpnPrivateInRule10Acl ! Defines ACL for VPN to Private zone traffic
Router(config-ext-nacl)# permit ip any any ! Matches all traffic
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended vpnPrivateOutRule10Acl ! Defines ACL for Private to VPN zone traffic
Router(config-ext-nacl)# permit ip any any ! Matches all traffic
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended NON-TCP-ACL ! Defines ACL for WAAS GRE tunnel
Router(config-ext-nacl)# permit gre host 10.0.2.90 host 10.0.2.89
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended DMZPublicOutRuleAcl20 ! Defines ACL for DMZ to Public zone traffic
Router(config-ext-nacl)# permit tcp host 10.0.2.70 eq www any ! DMZ server
Router(config-ext-nacl)# permit tcp host 10.0.2.71 eq www any ! DMZ server
Router(config-ext-nacl)# permit tcp host 10.0.2.72 eq www any ! DMZ server
Router(config-ext-nacl)# exit
Router(config)# access-list 123 permit esp any any ! Matches IPSec ESP traffic
Router(config)# ip access-list extended SELF-ACL ! Defines ACL for IOS traffic
Router(config-ext-nacl)# permit tcp any any ! Matches TCP
Router(config-ext-nacl)# permit gre any any ! Matches GRE
Router(config-ext-nacl)# permit ip any any ! Matches IP
Router(config-ext-nacl)# exit
Router(config)# class-map type inspect match-any vpnPrivateInRule10 ! Defines class-map for VPN to Private zone traffic
Router(config-cmap)# match access-group name vpnPrivateInRule10Acl ! Matches traffic specified in ACL
Router(config-cmap)# exit
Router(config)# class-map type inspect match-all CRYPTO-CMAP ! Defines class-map for matching VPN traffic
Router(config-cmap)# match access-group 123 ! Matches traffic specified in ACL
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any publicSelfInRule20 ! Defines class-map for matching Public to IOS zone traffic
Router(config-cmap)# match access-group name publicSelfInRule20Acl ! Matches traffic specified in ACL
Router(config-cmap)# match protocol tcp ! Matches TCP traffic
Router(config-cmap)# match protocol udp ! Matches UDP traffic
Router(config-cmap)# match protocol icmp ! Matches ICMP traffic
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any vpnPrivateOutRule10 ! Defines class-map for Private to VPN zone traffic
Router(config-cmap)# match access-group name vpnPrivateOutRule10Acl ! Matches traffic specified in ACL
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any publicSelfOutRule20 ! Defines class-map for matching IOS to Public zone traffic
Router(config-cmap)# match access-group name publicSelfOutRule20Acl ! Matches traffic specified in ACL
Router(config-cmap)# match protocol tcp ! Matches TCP traffic
Router(config-cmap)# match protocol udp ! Matches UDP traffic
Router(config-cmap)# match protocol icmp ! Matches ICMP traffic
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any publicDMZOutRule10Protocols ! Defines class-map for matching DMZ to Public zone traffic
Router(config-cmap)# match protocol http ! Matches HTTP traffic
Router(config-cmap)# match protocol https ! Matches Secure HTTP traffic
Router(config-cmap)# match protocol dns ! Matches DNS traffic
Router(config-cmap)# match protocol ssh ! Matches Secure Shell traffic
Router(config-cmap)# match protocol bgp ! Matches BGP traffic
Router(config-cmap)# match protocol icmp ! Matches ICMP traffic
Router(config-cmap)# match access-group name DMZPublicOutRuleAcl20 ! Matches traffic specified in ACL
Router(config-cmap)# exit
 
   Router(config)# policy-map type inspect publicSelfInFwPolicy ! Defines inspect policy for 
Public to IOS zone
 
   Router(config-pmap)# class type inspect publicSelfInRule20 ! Matches traffic classified by 
specified class-map
 
   Router(config-pmap-c)# inspect ! Enables packet inspection
 
   Router(config-pmap-c)# exit
Router(config-pmap)# class type inspect CRYPTO-CMAP ! Matches traffic classified by 
specified class-map
 
   Router(config-pmap-c)# pass ! Passes traffic
 
   Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
 
   Router(config-pmap-c)# drop log ! Drops traffic
 
   Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map type inspect publicDMZOutFwPolicy ! Defines policy for DMZ to Public zoneRouter(config-pmap)# class type inspect publicDMZOutRule10Protocols ! Matches traffic classified by specified class-map
Router(config-pmap-c)# inspect publicPrivateOutParamMap ! Enables inspection for Public to 
Private zone traffic
 
   Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
 
   Router(config-pmap-c)# drop log ! Drops traffic
 
   Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map type inspect vpnPrivateInFwPolicy ! Defines the policy for VPN to Private zone traffic
Router(config-pmap)# class type inspect vpnPrivateInRule10 ! Matches traffic classified by the specified class map
Router(config-pmap-c)# inspect ! Enables stateful packet inspection
%No specific protocol configured in class vpnPrivateInRule10 for inspection. All protocols will be inspected
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop log ! Drops and logs all other traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
The line beginning with % is an informational message from the router: the class map matches on an access list rather than on a protocol, so generic inspection of all protocols applies to that class.
Router(config)# policy-map type inspect publicSelfOutFwPolicy ! Defines the policy for self (router) to Public zone traffic
Router(config-pmap)# class type inspect publicSelfOutRule20 ! Matches traffic classified by the specified class map
Router(config-pmap-c)# inspect ! Enables stateful packet inspection
Router(config-pmap-c)# exit
Router(config-pmap)# class type inspect CRYPTO-CMAP ! Matches traffic classified by the CRYPTO-CMAP class map
Router(config-pmap-c)# pass ! Passes the traffic without creating session state (matches the pass in publicSelfInFwPolicy)
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop log ! Drops and logs all other traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map type inspect vpnPrivateOutFwPolicy ! Defines the policy for Private to VPN zone traffic
Router(config-pmap)# class type inspect vpnPrivateOutRule10 ! Matches traffic classified by the specified class map
Router(config-pmap-c)# inspect ! Enables stateful packet inspection
%No specific protocol configured in class vpnPrivateOutRule10 for inspection. All protocols will be inspected
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default ! Matches all other traffic
Router(config-pmap-c)# drop log ! Drops and logs all other traffic
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# zone security VPN ! Defines the VPN zone
Router(config-sec-zone)# description customer VPN Network
Router(config-sec-zone)# exit
Router(config)# zone-pair security vpnPrivateIn source VPN destination Private ! Defines the zone-pair for VPN to Private zone traffic
Router(config-sec-zone-pair)# service-policy type inspect vpnPrivateInFwPolicy ! Applies the firewall policy to the zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security vpnPrivateOut source Private destination VPN ! Defines the zone-pair for Private to VPN zone traffic
Router(config-sec-zone-pair)# service-policy type inspect vpnPrivateOutFwPolicy ! Applies the firewall policy to the zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security publicSelfOut source self destination Public ! Defines the zone-pair for self (router) to Public zone traffic
Router(config-sec-zone-pair)# service-policy type inspect publicSelfOutFwPolicy ! Applies the firewall policy to the zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security publicSelfIn source Public destination self ! Defines the zone-pair for Public to self (router) zone traffic
Router(config-sec-zone-pair)# service-policy type inspect publicSelfInFwPolicy ! Applies the firewall policy to the zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security DMZPublicOut source DMZ destination Public ! Defines the zone-pair for DMZ to Public zone traffic
Router(config-sec-zone-pair)# service-policy type inspect publicDMZOutFwPolicy ! Applies the firewall policy to the zone-pair
Router(config-sec-zone-pair)# exit
Router(config)# interface Tunnel 1 ! Enters tunnel interface configuration mode
Router(config-if)# zone-member security VPN ! Assigns the interface to the VPN zone
Router(config-if)# exit
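The policies and zone-pairs above are easy to get subtly wrong: a class-default that is not an explicit drop log, a pass class (which creates no session state) that is not passed on the reverse zone-pair, or a zone that no interface belongs to. The following Python script is an added example, not part of the design guide and not a Cisco tool; it parses running-config text for the constructs used above and reports those three conditions. The configuration excerpt inside it is constructed from the commands shown here, with two deliberate changes so the audit has something to report: the Private zone has no interface in the excerpt, and vpnPrivateOut's class-default is set to pass.

```python
"""Audit a Cisco IOS zone-based firewall excerpt (added example, not Cisco code).

Parses policy-map, zone-pair and zone-member lines and reports, per zone-pair:
class-default not an explicit 'drop log'; a stateless 'pass' class not passed
on the reverse zone-pair; a zone with no interface members.  The excerpt below
is constructed from the commands above, with the Private zone left without an
interface and vpnPrivateOut's class-default changed to 'pass' on purpose.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
policy-map type inspect publicSelfInFwPolicy
 class type inspect publicSelfInRule20
  inspect
 class type inspect CRYPTO-CMAP
  pass
 class class-default
  drop log
policy-map type inspect publicSelfOutFwPolicy
 class type inspect publicSelfOutRule20
  inspect
 class type inspect CRYPTO-CMAP
  pass
 class class-default
  drop log
policy-map type inspect vpnPrivateOutFwPolicy
 class type inspect vpnPrivateOutRule10
  inspect
 class class-default
  pass
zone-pair security publicSelfIn source Public destination self
 service-policy type inspect publicSelfInFwPolicy
zone-pair security publicSelfOut source self destination Public
 service-policy type inspect publicSelfOutFwPolicy
zone-pair security vpnPrivateOut source Private destination VPN
 service-policy type inspect vpnPrivateOutFwPolicy
interface Tunnel1
 zone-member security VPN
interface GigabitEthernet0/0
 zone-member security Public
"""
ACTION_RE = re.compile(r"^(inspect|pass|drop)\b(.*)$")


def parse_zbf(text):
    """Return (policies, zone_pairs, zone_members) parsed from running-config text."""
    policies, zone_pairs, zone_members = {}, {}, defaultdict(set)
    ctx = None  # ("policy"|"pair"|"iface", name) for the current top-level block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented line: a new top-level block starts
            if m := re.match(r"policy-map type inspect (\S+)$", line):
                ctx, policies[m[1]] = ("policy", m[1]), []
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                ctx, zone_pairs[m[1]] = ("pair", m[1]), {"src": m[2], "dst": m[3], "policy": None}
            elif m := re.match(r"interface (\S+)$", line):
                ctx = ("iface", m[1])
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "policy":
            if m := re.match(r"class (?:type inspect )?(\S+)$", line):
                policies[name].append({"class": m[1], "action": None, "log": False})
            elif policies[name] and (m := ACTION_RE.match(line)):
                policies[name][-1]["action"] = m[1]
                policies[name][-1]["log"] = "log" in m[2].split()
        elif kind == "pair":
            if m := re.match(r"service-policy type inspect (\S+)$", line):
                zone_pairs[name]["policy"] = m[1]
        elif kind == "iface":
            if m := re.match(r"zone-member security (\S+)$", line):
                zone_members[m[1]].add(name)
    return policies, zone_pairs, zone_members


def audit(policies, zone_pairs, zone_members):
    """Return a sorted list of findings (strings); an empty list means nothing to report."""
    findings = set()
    for pname, pair in zone_pairs.items():
        classes = policies.get(pair["policy"], [])
        default = next((c for c in classes if c["class"] == "class-default"), None)
        if default is None or default["action"] != "drop" or not default["log"]:
            findings.add(f"{pname}: class-default is not an explicit 'drop log'")
        # 'pass' keeps no state, so the reverse zone-pair must pass the same class
        reverse = [q for q in zone_pairs.values() if q["src"] == pair["dst"] and q["dst"] == pair["src"]]
        reverse_pass = {c["class"] for q in reverse
                        for c in policies.get(q["policy"], []) if c["action"] == "pass"}
        for c in classes:
            if c["action"] == "pass" and c["class"] != "class-default" and c["class"] not in reverse_pass:
                findings.add(f"{pname}: class {c['class']} is passed but not passed on the reverse zone-pair")
        for zone in (pair["src"], pair["dst"]):
            if zone != "self" and not zone_members.get(zone):
                findings.add(f"{pname}: zone {zone} has no interface members")
    return sorted(findings)


def audit_text(text):
    return audit(*parse_zbf(text))
```

Feed it the output of show running-config saved to a file; a clean configuration returns an empty list. The reverse-pair check is the one most often missed by hand: traffic passed in only one direction has its replies dropped by the other zone-pair's class-default, which is why CRYPTO-CMAP appears with pass in both publicSelfInFwPolicy and publicSelfOutFwPolicy above.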
 
Cisco IOS IPS Implementation
Cisco IOS IPS acts as an inline intrusion prevention sensor: it watches packets and sessions as they flow through the router and compares each packet against the loaded Cisco IOS IPS signatures. When a signature fires, the configured action is taken (produce an alert, drop the packet or the connection, reset the TCP connection, or deny the attacker) and the event is logged through Cisco IOS syslog messages or Security Device Event Exchange (SDEE).
In the Streamlined Small Branch Foundation, IPS inspection was enabled on the DATA VLAN in both directions (the rule is applied to that VLAN interface with ip ips IPS-ADVSET in and ip ips IPS-ADVSET out; the interface commands are not shown in this excerpt). All traffic was inspected with the advanced signature set, which is stored in flash memory. Two practical notes: the signature package is digitally signed, so Cisco's public key must be installed with crypto key pubkey-chain rsa before the copy below is accepted, and the category commands should be entered before the package is loaded so that only the advanced set is compiled rather than every signature in the package.
Router# mkdir flash:ips5 ! Creates the folder in flash for the signature files
Router# configure terminal
Router(config)# ip ips config location flash:/ips5/ retries 1 ! Specifies where signature files are stored
Router(config)# ip ips deny-action ips-interface ! Applies the ACLs created for deny actions on the IPS-enabled interface instead of the ingress interface (the default)
Router(config)# ip ips notify SDEE ! Enables SDEE event notification on the router
Router(config)# ip ips name IPS-ADVSET ! Defines the IOS IPS rule that is later applied to interfaces
Router(config)# ip ips signature-category ! Enters signature-category tuning mode
Router(config-ips-category)# category all ! Selects all signature categories
Router(config-ips-category-action)# retired true ! Retires every signature first
Router(config-ips-category-action)# category ios_ips advanced ! Selects the advanced signature set
Router(config-ips-category-action)# retired false ! Unretires (enables) the signatures in the advanced set
Router(config-ips-category-action)# end
Router# copy tftp://<ipaddr>/IOS-S341-CLI.pkg idconf ! Loads the signature package (IOS-S341-CLI.pkg) into the ip ips config location and compiles the enabled signatures
 
   Cisco IOS IPS Verification
To verify your Cisco IOS IPS configuration, enter the following command:
Router# show ip ips statistics
Interfaces configured for ips 2
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0
Access Control List Implementation
Access control list (ACL) configuration is a basic filtering mechanism that controls access to the network based on the source address or on a source/destination combination (with ports, for extended ACLs). Entries are evaluated in order, the first match wins, and every ACL ends with an implicit deny, so a list that contains only deny statements blocks all traffic once it is applied.
In the Streamlined Small Branch Network, ACL entries are used to block TFTP traffic between certain endpoints. This is only an illustrative example. A TFTP client sends its read or write request from an ephemeral source port to UDP port 69, so only the destination port is matched; a source-port match of eq tftp would never hit. The final permit keeps all other traffic flowing. The list takes effect only after it is applied to an interface with ip access-group BLOCK-TFTP in.
Router(config)# ip access-list extended BLOCK-TFTP ! Specifies an extended named ACL
Router(config-ext-nacl)# deny udp 172.16.10.0 0.0.0.255 10.0.0.0 0.0.0.255 eq tftp ! Denies TFTP requests from the specified source subnet to the destination subnet
Router(config-ext-nacl)# deny udp 172.16.20.0 0.0.0.255 10.0.0.0 0.0.0.255 eq tftp
Router(config-ext-nacl)# deny udp 172.16.30.0 0.0.0.255 10.0.0.0 0.0.0.255 eq tftp
Router(config-ext-nacl)# permit ip any any ! Overrides the implicit deny for all other traffic
Router(config-ext-nacl)# exit
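To see why the entries need those two fixes, here is an added example (not part of the design guide) that evaluates IOS extended ACL entries the way the router does: in order, first match wins, wildcard-mask bits set to 1 are don't-care, and an implicit deny follows the last entry. It evaluates the original form of the entry, with eq tftp on the source port and no permit, beside the corrected list. The sample packets and addresses are constructed.

```python
"""Evaluate IOS extended ACL entries: first match wins, wildcard masks, implicit deny.

Added example, not from the design guide. A TFTP client sends its request from
an ephemeral source port, so 'eq tftp' on the source never matches, and a list
holding only deny entries blocks everything else once applied. Packets below
are constructed.
"""
import ipaddress

PORT_NAMES = {"tftp": 69, "domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


def _addr_spec(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> ((address, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port_spec(tokens, i):
    """Parse an optional 'eq <number|name>' -> (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p]' into a dict."""
    t = line.split()
    src, i = _addr_spec(t, 2)
    sport, i = _port_spec(t, i)
    dst, i = _addr_spec(t, i)
    dport, _ = _port_spec(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst, "dport": dport}


def _matches(spec, addr):
    """Wildcard match: bits set in the wildcard are ignored, the rest must be equal."""
    net, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    return ((a & ~wild) & 0xFFFFFFFF) == ((net & ~wild) & 0xFFFFFFFF)


def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, index of the matching entry, or None when the implicit deny applied)."""
    for idx, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_matches(ace["src"], src) and _matches(ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], idx
    return "deny", None  # implicit 'deny ip any any'


# The entry as originally written: source port 'eq tftp', and no permit entry
AS_WRITTEN = [parse_ace("deny udp 172.16.10.0 0.0.0.255 eq tftp 10.0.0.0 0.0.0.255 eq tftp")]
# Corrected: match only the destination port and permit everything else
CORRECTED = [parse_ace("deny udp 172.16.10.0 0.0.0.255 10.0.0.0 0.0.0.255 eq tftp"),
             parse_ace("permit ip any any")]

# Constructed packets: a TFTP read request and an HTTP request from the same client.
# The TFTP data transfer that follows uses fresh ephemeral ports on both ends, but
# it never starts if the request to port 69 is dropped.
TFTP_RRQ = ("udp", "172.16.10.25", 49152, "10.0.0.8", 69)
HTTP_GET = ("tcp", "172.16.10.25", 50000, "10.0.0.8", 80)


def compare():
    """Evaluate both lists against the sample packets; see the <test> for the expected results."""
    return {
        "as_written_tftp": evaluate(AS_WRITTEN, *TFTP_RRQ),   # denied only by the implicit deny
        "as_written_http": evaluate(AS_WRITTEN, *HTTP_GET),   # collateral damage: also denied
        "corrected_tftp": evaluate(CORRECTED, *TFTP_RRQ),     # denied by entry 0, as intended
        "corrected_http": evaluate(CORRECTED, *HTTP_GET),     # permitted by entry 1
        "corrected_other_src": evaluate(CORRECTED, "udp", "172.16.40.5", 49152, "10.0.0.8", 69),
    }
```

The second return value is what makes the problem visible: with the original entry both packets are denied, but neither by the TFTP entry, so the intended block is doing nothing and the implicit deny is doing everything.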
 
uRPF Implementation
Unicast Reverse Path Forwarding (uRPF) is enabled automatically when AutoSecure is used. For the sake of completeness, the full configuration is provided. The form used here (reachable-via rx) is strict mode: a packet is accepted only if the best route back to its source address points out the interface it arrived on. That is appropriate for point-to-point WAN links but drops legitimate traffic where routing is asymmetric; use reachable-via any (loose mode) in that case. The allow-default keyword lets sources that are covered only by the default route pass, and packets that match ACL 103 are permitted even if they fail the check.
Router(config)# access-list 103 permit udp any any eq bootpc ! Specifies the ACL that exempts bootpc (DHCP client) traffic from the uRPF check
Each WAN interface was configured to support uRPF filtering.
Router(config)# interface Multilink1 ! Enters Multilink interface configuration mode
Router(config-if)# ip verify unicast source reachable-via rx allow-default 103 ! Enables strict uRPF filtering
Router(config-if)# exit
Router(config)# interface ATM0/2/0.1 point-to-point ! Enters the backup subinterface configuration mode
Router(config-subif)# ip verify unicast source reachable-via rx allow-default 103 ! Enables strict uRPF filtering
Router(config-subif)# exit
Layer 2 Security
 • Dynamic ARP Inspection Implementation
 • IP Source Guard Implementation
Port Security Implementation
The following port security configuration was applied to the access layer switch. Two secure addresses per port allow an IP phone and the PC connected behind it. With violation mode restrict, frames from any further source address are dropped, the violation counter increments, and an SNMP trap and syslog message are generated, but the port stays up (shutdown mode would put it into the error-disabled state instead).
Switch-Access(config)# interface range g1/0/2 - 52 ! Enters configuration mode for the range of Gigabit Ethernet ports
Switch-Access(config-if-range)# switchport port-security ! Enables port security on these ports
Switch-Access(config-if-range)# switchport port-security maximum 2 ! Allows at most 2 source MAC addresses per port
Switch-Access(config-if-range)# switchport port-security aging type inactivity ! Ages out a dynamically learned MAC address when it has been idle for the aging time
Switch-Access(config-if-range)# switchport port-security aging time 2 ! Sets the aging time to 2 minutes
Switch-Access(config-if-range)# switchport port-security violation restrict ! Drops frames from non-secure MAC addresses, counts the violation and sends a trap; the port stays up
   Port Security Verification
To verify your port security configuration, enter the following command:
Switch-Access# show port-security interface g1/0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Switch-Access#
Dynamic ARP Inspection Implementation
The following commands apply dynamic Address Resolution Protocol (ARP) inspection on the access VLANs. Hosts with static addresses never appear in the DHCP snooping binding table, so they are listed in an ARP ACL. Because the filter is applied without the static keyword, an ARP packet that matches no ACL entry is then checked against the DHCP snooping bindings instead of being dropped; that is what the "Static ACL No" column in the verification output below reports. Note that permit ip host 10.0.0.5 mac any accepts any MAC address for that IP, so it exempts the address from inspection rather than pinning it to a host; where the hardware is known, binding each IP to its real MAC (mac host ...) is stronger. Uplinks are trusted, so ARP packets arriving from the distribution layer are not inspected.
Switch-Access(config)# arp access-list STATIC-HOSTS ! Defines the ARP ACL for hosts whose ARP packets are permitted without a DHCP binding
Switch-Access(config-arp-nacl)# permit ip host 10.0.0.5 mac any
Switch-Access(config-arp-nacl)# permit ip host 10.0.0.6 mac any
Switch-Access(config-arp-nacl)# permit ip host 10.0.0.7 mac any
Switch-Access(config-arp-nacl)# permit ip host 10.0.0.8 mac any
Switch-Access(config-arp-nacl)# permit ip host 10.0.0.9 mac any
Switch-Access(config-arp-nacl)# permit ip host 10.0.0.10 mac any
Switch-Access(config-arp-nacl)# exit
Switch-Access(config)# ip arp inspection vlan 301-302 ! Enables ARP inspection on the specified VLANs
Switch-Access(config)# ip arp inspection validate dst-mac ! Drops ARP replies whose Ethernet destination MAC differs from the target MAC in the ARP body
Switch-Access(config)# ip arp inspection log-buffer entries 100 ! Sizes the dynamic ARP inspection log buffer at 100 entries
Switch-Access(config)# ip arp inspection log-buffer logs 1 interval 100 ! Generates a system message for 1 buffered entry every 100 seconds
Switch-Access(config)# ip arp inspection filter STATIC-HOSTS vlan 301-303 ! Applies the ARP ACL to the specified VLANs; without static, non-matching packets fall through to the DHCP bindings
Switch-Access(config)# errdisable recovery cause arp-inspection ! Enables automatic recovery from the ARP-inspection error-disabled state
Switch-Access(config)# interface Port-Channel1 ! Enters EtherChannel configuration mode
Switch-Access(config-if)# ip arp inspection trust ! Marks the uplink as trusted; ARP packets received on it are not inspected
Switch-Access(config-if)# exit
Switch-Access(config)# interface g1/0/1 ! Enters Gigabit Ethernet configuration mode
Switch-Access(config-if)# ip arp inspection trust ! Marks the uplink as trusted; ARP packets received on it are not inspected
Switch-Access(config-if)# exit
Dynamic ARP Inspection Verification
To verify your dynamic ARP inspection configuration, enter the following command:
Switch-Access# show ip arp inspection vlan 301
Source Mac Validation      : Disabled
Destination Mac Validation : Enabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  301     Enabled          Active      static-host        No

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
  301     Deny             Deny
Switch-Access#
IP Source Guard Implementation
IP Source Guard filters traffic arriving on an untrusted port against the DHCP snooping binding table, so it depends on DHCP snooping being enabled (next section). Hosts with statically assigned addresses, such as the DMZ servers, never obtain a binding through DHCP, so static bindings are entered for them. The port-security keyword filters on source IP and source MAC together and requires port security on the port. The following configuration was applied to both the distribution and access layer switches.
Switch-Dist(config)# ip source binding 0030.94C2.9A40 vlan 303 10.0.2.65 interface g1/0/49 ! Specifies the MAC-to-IP binding for a statically addressed DMZ server
Switch-Dist(config)# ip source binding 0030.94C2.9A41 vlan 303 10.0.2.66 interface g1/0/50 ! Specifies the MAC-to-IP binding for a statically addressed DMZ server
Switch-Dist(config)# ip source binding 0030.94C2.9A42 vlan 303 10.0.2.67 interface g1/0/51 ! Specifies the MAC-to-IP binding for a statically addressed DMZ server
Switch-Dist(config)# ip source binding 0030.94C2.9A43 vlan 303 10.0.2.68 interface g1/0/52 ! Specifies the MAC-to-IP binding for a statically addressed DMZ server
Switch-Access(config)# interface range g1/0/2 - 52 ! Enters Gigabit Ethernet configuration mode for the access ports
Switch-Access(config-if-range)# ip verify source port-security ! Permits traffic only when source IP and source MAC match a binding table entry for this port
DHCP Snooping Implementation
DHCP snooping builds the binding table used by IP Source Guard and dynamic ARP inspection. Only trusted ports may carry DHCP server messages (OFFER, ACK, NAK); a rogue server on an access port is dropped. Note that the access switch inserts option 82 by default (the verification output shows it enabled); if the upstream switch port receiving those requests is untrusted, the upstream switch drops them unless that port is trusted or the switch is configured with ip dhcp snooping information option allow-untrusted.
Switch-Dist(config)# ip dhcp snooping ! Enables DHCP snooping globally on the switch
Switch-Dist(config)# ip dhcp snooping vlan 301-302 ! Enables DHCP snooping for the specified VLANs
Switch-Access(config)# interface g1/0/1 ! Enters Gigabit Ethernet configuration mode for the uplink
Switch-Access(config-if)# ip dhcp snooping trust ! Trusts the uplink: DHCP server messages arriving here are accepted and used to build bindings
DHCP Snooping Verification
To verify your Dynamic Host Configuration Protocol (DHCP) snooping configuration, enter the following command.
Switch-Access# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
301-303
Insertion of option 82 is enabled
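The three features above (DHCP snooping, IP Source Guard, dynamic ARP inspection) share one binding table, and the easiest way to see how they interlock is to model them. The following Python script is an added example, not code from the design guide or from Cisco IOS; it replays a DHCP lease through an access switch, then checks the IP Source Guard and DAI decisions for spoofed source addresses, an ARP poisoning reply, a statically addressed host covered by the ARP ACL, and traffic on the trusted uplink. Port names, MACs and addresses are constructed.

```python
"""Model of the DHCP snooping binding table that IP Source Guard and dynamic
ARP inspection share on the access switch.

Added example, not code from the design guide or from Cisco IOS. It mirrors
the checks the commands above enable:
  * DHCP snooping: server messages (OFFER/ACK/NAK) are dropped on untrusted
    ports, client messages whose source MAC differs from chaddr are dropped,
    and a binding is learned when an ACK for a pending REQUEST arrives on a
    trusted port
  * IP Source Guard with 'ip verify source port-security': source IP and
    MAC must both match a binding for that port and VLAN
  * DAI: trusted ports are not inspected; 'validate dst-mac' drops replies
    whose Ethernet destination differs from the ARP target MAC; the ARP ACL
    is consulted first and, because the filter was applied without 'static',
    a sender that matches no ACL entry falls through to the binding table
Port names, MACs and addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    trusted: set = field(default_factory=set)    # ports with dhcp snooping / arp inspection trust
    bindings: set = field(default_factory=set)   # learned entries plus static 'ip source binding'
    arp_acl: dict = field(default_factory=dict)  # sender IP -> permitted MAC or "any"
    pending: dict = field(default_factory=dict)  # chaddr -> (port, vlan) of an outstanding REQUEST

    def add_static_binding(self, mac, ip, vlan, port):
        self.bindings.add(Binding(mac, ip, vlan, port))

    def dhcp(self, port, vlan, src_mac, kind, chaddr, yiaddr=None):
        """Decide 'forward' or 'drop' for one DHCP message; learn bindings from ACKs."""
        if port not in self.trusted:
            if kind in ("OFFER", "ACK", "NAK"):   # a DHCP server talking on an access port
                return "drop"
            if src_mac != chaddr:                  # MAC address verification (on by default)
                return "drop"
            if kind == "REQUEST":
                self.pending[chaddr] = (port, vlan)
        elif kind == "ACK" and chaddr in self.pending:
            client_port, client_vlan = self.pending.pop(chaddr)
            self.bindings.add(Binding(chaddr, yiaddr, client_vlan, client_port))
        return "forward"

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """ip verify source port-security: both IP and MAC must match a binding."""
        return "permit" if Binding(src_mac, src_ip, vlan, port) in self.bindings else "deny"

    def dai(self, port, vlan, eth_dst, op, sender_mac, sender_ip, target_mac):
        """Dynamic ARP inspection decision for one ARP packet."""
        if port in self.trusted:
            return "permit"
        if op == "reply" and eth_dst != target_mac:  # ip arp inspection validate dst-mac
            return "deny"
        allowed = self.arp_acl.get(sender_ip)        # the ARP ACL is checked before the bindings
        if allowed is not None:
            return "permit" if allowed in ("any", sender_mac) else "deny"
        # no ACL match and the filter is not 'static': fall back to the DHCP snooping bindings
        return "permit" if Binding(sender_mac, sender_ip, vlan, port) in self.bindings else "deny"


def demo():
    """Walk a lease through the switch, then try the things the features are meant to stop."""
    sw = AccessSwitch(trusted={"Gi1/0/1"})                 # uplink to the distribution switch
    sw.arp_acl = {"10.0.0.5": "any"}                       # one entry of arp access-list STATIC-HOSTS
    sw.add_static_binding("0030.94c2.9a40", "10.0.2.65", 303, "Gi1/0/49")  # ip source binding ...
    r = {}
    r["rogue_offer"] = sw.dhcp("Gi1/0/7", 301, "0011.2233.4455", "OFFER", "aaaa.bbbb.cccc")
    r["request"] = sw.dhcp("Gi1/0/7", 301, "aaaa.bbbb.cccc", "REQUEST", "aaaa.bbbb.cccc")
    r["ack"] = sw.dhcp("Gi1/0/1", 301, "0011.2233.4455", "ACK", "aaaa.bbbb.cccc", yiaddr="10.0.0.50")
    r["ipsg_leased"] = sw.ip_source_guard("Gi1/0/7", 301, "aaaa.bbbb.cccc", "10.0.0.50")
    r["ipsg_spoofed_ip"] = sw.ip_source_guard("Gi1/0/7", 301, "aaaa.bbbb.cccc", "10.0.0.51")
    r["ipsg_spoofed_mac"] = sw.ip_source_guard("Gi1/0/7", 301, "dead.beef.0001", "10.0.0.50")
    r["ipsg_static_server"] = sw.ip_source_guard("Gi1/0/49", 303, "0030.94c2.9a40", "10.0.2.65")
    gw = "0000.0c07.ac01"
    # gratuitous reply from the leased host claiming the gateway address 10.0.0.1
    r["dai_poison"] = sw.dai("Gi1/0/7", 301, "ffff.ffff.ffff", "reply", "aaaa.bbbb.cccc", "10.0.0.1", "ffff.ffff.ffff")
    r["dai_valid_reply"] = sw.dai("Gi1/0/7", 301, gw, "reply", "aaaa.bbbb.cccc", "10.0.0.50", gw)
    r["dai_dst_mac_mismatch"] = sw.dai("Gi1/0/7", 301, gw, "reply", "aaaa.bbbb.cccc", "10.0.0.50", "1111.2222.3333")
    r["dai_static_host"] = sw.dai("Gi1/0/7", 301, "ffff.ffff.ffff", "request", "1234.5678.9abc", "10.0.0.5", "0000.0000.0000")
    r["dai_uplink"] = sw.dai("Gi1/0/1", 301, "ffff.ffff.ffff", "reply", "1234.5678.9abc", "10.0.0.1", "ffff.ffff.ffff")
    return r
```

The dai_static_host case shows the cost of mac any in the ARP ACL: any MAC claiming 10.0.0.5 is accepted on any access port, which is exactly the exemption the design chose for hosts that never get a DHCP lease.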
BPDU Guard Implementation
The following example enables BPDU guard on all access ports and leaves it disabled on the trunk uplink (g1/0/1), which must exchange BPDUs with the distribution switch. An access port that receives a BPDU, for instance from a switch plugged in by a user, is put into the error-disabled state; add errdisable recovery cause bpduguard if such ports should recover automatically.
Switch-Access(config)# interface g1/0/1 ! Enters Gigabit Ethernet configuration mode for the uplink
Switch-Access(config-if)# spanning-tree bpduguard disable ! Disables BPDU guard on the trunk
Switch-Access(config-if)# exit
Switch-Access(config)# interface range g1/0/2 - 52 ! Enters Gigabit Ethernet configuration mode for the access ports
Switch-Access(config-if-range)# spanning-tree bpduguard enable ! Enables BPDU guard on the access ports
Management Services Implementation
 • Cisco Configuration Professional Implementation
 • Cisco Configuration Engine Implementation
NetFlow Implementation
Cisco IOS NetFlow collects and measures traffic data as it enters a router interface. This data can be used for network traffic accounting, network planning, and spotting unexpected flows.
NetFlow can be configured to report the top flows from its cache for further analysis. The top-talkers feature only reads the NetFlow cache, so ip flow ingress must be enabled on the interfaces of interest (in this design the WAN and tunnel interfaces, as the verification output shows).
Router(config)# ip flow-top-talkers ! Enables NetFlow top-talkers reporting
Router(config-flow-top-talkers)# top 5 ! Specifies the maximum number of top talkers
Router(config-flow-top-talkers)# sort-by packets ! Sorts top talkers by number of packets
Router(config-flow-top-talkers)# cache-timeout 100 ! Specifies how long (in milliseconds) the top-talkers list is cached before being recalculated
Router(config-flow-top-talkers)# exit
Router(config)# exit
NetFlow Verification
To verify your NetFlow configuration, enter the following command:
Router# show ip flow top-talkers
SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr  SrcP  DstP  Pkts
Mu1     10.0.0.22       Local   10.0.0.8        2F  0000  0000  28
Mu1     10.0.0.27       Local   10.0.0.10       32  AAB6  2992  28
Tu1     172.16.0.10     Null    224.0.0.10      58  0000  0000  27
3 of 5 top talkers shown. 3 flows processed.
Router#
The Pr column is the IP protocol number in hexadecimal, and the port columns are hexadecimal as well: 2F is GRE (47), 32 is ESP (50), and 58 is EIGRP (88) sent to the EIGRP multicast group 224.0.0.10, which is what GRE-based tunnels protected by IPsec and EIGRP running over the tunnel look like in NetFlow.
SNMP Implementation
Simple Network Management Protocol (SNMP) is an application layer protocol that exchanges management information between a network device and an SNMP management station. This information is used for network management and troubleshooting.
SNMP is enabled to send traps for specific events that will be used for troubleshooting. Two SNMP communities with different privileges were configured, each restricted to a single management host by a standard ACL. The community string is the only other credential, and with SNMPv2c it travels in cleartext, so keep the ACLs tight, treat the read/write community like a password, and prefer SNMPv3 with authentication and privacy where the management tools support it. Traps are sent only once a receiver is defined with snmp-server host; that command is not shown in this excerpt.
Router(config)# ip access-list standard Full ! List of clients with full access to the SNMP agent
Router(config-std-nacl)# permit host 172.16.4.5
Router(config-std-nacl)# exit
Router(config)# ip access-list standard Browse ! List of clients with browse access to the SNMP agent
Router(config-std-nacl)# permit host 10.0.0.6
Router(config-std-nacl)# exit
Router(config)# snmp-server community RW-ACCESS rw Full ! Enables an SNMP community with read/write access, limited to the Full ACL
Router(config)# snmp-server community RO-ACCESS ro Browse ! Enables an SNMP community with read-only access, limited to the Browse ACL
Router(config)# snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart ! Enables notifications for various router events
Router(config)# snmp-server enable traps eigrp ! Enables EIGRP notifications
Router(config)# snmp-server enable traps flash insertion removal ! Enables flash insertion/removal notifications
Router(config)# snmp-server enable traps envmon ! Enables environmental monitor notifications
Router(config)# snmp-server enable traps bgp ! Enables BGP notifications
Router(config)# snmp-server enable traps memory bufferpeak ! Enables memory buffer peak notifications
Router(config)# snmp-server enable traps hsrp ! Enables HSRP notifications
Router(config)# snmp-server enable traps ospf state-change ! Enables OSPF state-change notifications
Router(config)# snmp-server enable traps ospf errors ! Enables OSPF error notifications
Router(config)# snmp-server enable traps ospf retransmit ! Enables OSPF LSA retransmit notifications
Router(config)# snmp-server enable traps ospf lsa ! Enables OSPF LSA notifications
Router(config)# snmp-server enable traps ospf cisco-specific state-change nssa-trans-change ! Enables OSPF NSSA translator state-change notifications
Router(config)# snmp-server enable traps ospf cisco-specific state-change shamlink interface-old ! Enables OSPF sham-link replaced-interface notifications
Router(config)# snmp-server enable traps ospf cisco-specific state-change shamlink neighbor ! Enables OSPF sham-link neighbor transition notifications
Router(config)# snmp-server enable traps ospf cisco-specific errors ! Enables OSPF Cisco-specific error notifications (for example, nonvirtual interface mismatch)
Router(config)# snmp-server enable traps ospf cisco-specific retransmit ! Enables OSPF Cisco-specific retransmit notifications
Router(config)# snmp-server enable traps ospf cisco-specific lsa ! Enables OSPF Cisco-specific LSA notifications
Router(config)# snmp-server enable traps cpu threshold ! Enables CPU threshold violation notifications
NTP Implementation
Network Time Protocol (NTP) synchronizes the clocks of the branch devices to a time server, which in turn is disciplined by a reference such as a radio clock or atomic clock. Consistent time across all network devices is essential for correlating log messages during troubleshooting and incident investigation. NTP authentication is enabled so that a device accepts time only from a server that proves knowledge of the shared key: ntp authenticate turns the check on, ntp authentication-key defines key number 1234 and its MD5 key string, ntp trusted-key marks that key number as acceptable, and ntp server ... key 1234 selects the key to use with the central-site server. The key string is a shared secret present in every device's configuration and should be handled as one.
Router(config)# ntp authenticate ! Enables NTP authentication
Router(config)# ntp authentication-key 1234 md5 NTP-KEY ! Defines key number 1234 and its MD5 key string
Router(config)# ntp trusted-key 1234 ! Marks key 1234 as trusted for authenticating time sources
Router(config)# ntp server 172.16.0.60 key 1234 ! Specifies the central-site NTP server and the key to use with it
Switch-Dist(config)# ntp authenticate ! Enables NTP authentication
Switch-Dist(config)# ntp authentication-key 1234 md5 NTP-KEY ! Defines key number 1234 and its MD5 key string
Switch-Dist(config)# ntp trusted-key 1234 ! Marks key 1234 as trusted for authenticating time sources
Switch-Dist(config)# ntp server 172.16.0.60 key 1234 ! Specifies the central-site NTP server and the key to use with it
Switch-Access(config)# ntp authenticate ! Enables NTP authentication
Switch-Access(config)# ntp authentication-key 1234 md5 NTP-KEY ! Defines key number 1234 and its MD5 key string
Switch-Access(config)# ntp trusted-key 1234 ! Marks key 1234 as trusted for authenticating time sources
Switch-Access(config)# ntp server 172.16.0.60 key 1234 ! Specifies the central-site NTP server and the key to use with it
Set the time zone and daylight saving time for your location. The following example uses the U.S. Pacific time zone.
Router(config)# clock timezone pst -8 ! Sets the time zone
Router(config)# clock summer-time pdt recurring ! Sets daylight saving time
Switch-Dist(config)# clock timezone pst -8 ! Sets the time zone
Switch-Dist(config)# clock summer-time pdt recurring ! Sets daylight saving time
Switch-Access(config)# clock timezone pst -8 ! Sets the time zone
Switch-Access(config)# clock summer-time pdt recurring ! Sets daylight saving time
 
   NTP Verification
To verify your NTP configuration, enter the following command:
Router# show ntp status
Clock is synchronized, stratum 4, reference is 10.66.66.11
nominal freq is 250.0000 Hz, actual freq is 249.9966 Hz, precision is 2**18
reference time is CC70BD86.5EFBE4E6 (02:16:54.371 PDT Tue Sep 9 2008)
clock offset is -0.0255 msec, root delay is 0.79 msec
root dispersion is 0.11 msec, peer dispersion is 0.05 msec
Router#
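What the ntp authenticate, ntp authentication-key and ntp trusted-key commands actually add to each packet is a 20-byte MAC: the 4-byte key identifier followed by MD5 over the key string concatenated with the 48-byte NTP header (RFC 5905, which inherits the scheme from RFC 1305). The following Python script is an added example, not from the design guide or Cisco IOS; it builds a client request, signs it with key 1234 and the string NTP-KEY as configured above, and shows the receiver rejecting packets that are unauthenticated, tampered, signed with the wrong key, or signed under a key identifier that is not trusted. It assumes the key bytes are the ASCII key string exactly as typed in the command.

```python
"""NTP symmetric-key (MD5) authentication as enabled by 'ntp authenticate',
'ntp authentication-key <id> md5 <key>' and 'ntp trusted-key <id>'.

Added example, not from the design guide or Cisco IOS. Per RFC 5905 (and the
RFC 1305 scheme it inherits), the 48-byte NTP header is followed by a MAC made
of the 4-byte key identifier and MD5(key || header). 'ntp trusted-key' is the
receiver-side list of key identifiers it will accept; a packet with no MAC,
an untrusted key identifier or a wrong digest is ignored. Assumption: the key
bytes are the ASCII key string as typed.
"""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN, KEY_ID_LEN, MD5_LEN = 48, 4, 16


def build_client_header(unix_time=None):
    """48-byte NTPv4 client request (LI=0, VN=4, mode=3) carrying a transmit timestamp."""
    if unix_time is None:
        unix_time = time.time()
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    header = bytearray(HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3                 # leap indicator, version, mode
    struct.pack_into("!II", header, 40, secs, frac)    # transmit timestamp field
    return bytes(header)


def ntp_mac(key_id, key, header):
    """Key identifier (big-endian) followed by MD5 over key || header."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign(header, key_id, key):
    return header + ntp_mac(key_id, key, header)


def verify(packet, trusted_keys):
    """Return the key id if the MAC verifies with a trusted key, else None.

    trusted_keys maps key id -> key bytes: the intersection of the
    'ntp authentication-key' and 'ntp trusted-key' configuration.
    """
    if len(packet) != HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return None                                     # no MAC, or not an MD5-sized one
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None                                     # key id unknown or not trusted
    expected = hashlib.md5(key + header).digest()
    received = packet[HEADER_LEN + KEY_ID_LEN:]
    return key_id if hmac.compare_digest(expected, received) else None


def demo():
    """Exercise key 1234 / 'NTP-KEY' from the configuration above and the failure cases."""
    key_id, key = 1234, b"NTP-KEY"
    trusted = {key_id: key}                              # authentication-key 1234 + trusted-key 1234
    header = build_client_header(1220950614.371)         # fixed time so results are reproducible
    good = sign(header, key_id, key)
    tampered = good[:40] + bytes([good[40] ^ 0x01]) + good[41:]   # flip a bit in the transmit timestamp
    return {
        "good": verify(good, trusted),
        "wrong_key": verify(sign(header, key_id, b"WRONG"), trusted),
        "untrusted_id": verify(sign(header, 99, key), trusted),
        "unauthenticated": verify(header, trusted),
        "tampered": verify(tampered, trusted),
    }
```

Two things the script makes visible: the MAC covers the timestamps, so a packet whose time fields were altered in transit is rejected; and the construction is MD5 over a prefixed key, not an HMAC, with the key shared by every device in the branch. Where the platform offers SHA-based NTP keys, prefer them, and rotate the key string like any other shared secret.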
IP SLA Implementation
IP Service Level Agreements (IP SLA) is a measurement feature of Cisco IOS software that generates synthetic traffic to measure service levels for IP applications and services; the results support capacity planning and early detection of degradation or outages.
In the Streamlined Small Branch Network architecture, the User Datagram Protocol (UDP)-echo operation is used to test end-to-end connectivity and response time, and the UDP jitter operation is used to measure packet delay variation. Both operations are sourced from and targeted at loopback addresses. The udp-jitter operation, and a udp-echo to a port that no application listens on, require ip sla responder on the destination router; without it the operations report failures such as those in the sample verification output below.
Router(config)# ip sla 10 ! Configures an IP SLA operation with the specified ID
Router(config-ip-sla)# udp-echo 209.165.201.10 65535 source-ip 209.165.201.9 source-port 65000 ! Performs a UDP echo operation between two loopback interfaces
Router(config-ip-sla-udp)# frequency 30 ! Sets the interval, in seconds, at which the operation repeats
Router(config-ip-sla-udp)# exit
Router(config)# ip sla 20 ! Configures an IP SLA operation with the specified ID
Router(config-ip-sla)# udp-jitter 209.165.201.10 65535 source-ip 209.165.201.9 source-port 65000 ! Performs a UDP jitter operation between two loopback interfaces
Router(config-ip-sla-jitter)# frequency 30 ! Sets the interval, in seconds, at which the operation repeats
Router(config-ip-sla-jitter)# exit
Router(config)# ip sla schedule 10 start-time now life forever ! Starts the IP SLA operation now and runs it indefinitely
Router(config)# ip sla schedule 20 start-time now life forever ! Starts the IP SLA operation now and runs it indefinitely
   IP SLA Verification
To verify your IP SLA configuration, enter the following command:
Router# show ip sla statistics
Round Trip Time (RTT) for Index 10
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *22:45:46.259 pst Mon Feb 2 2009
Latest operation return code: No connection
Number of successes: 0
Number of failures: 3
Operation time to live: Forever
Round Trip Time (RTT) for Index 20
Latest RTT: 0 milliseconds
Latest operation start time: *20:22:59.119 pst Mon Feb 2 2009
Latest operation return code: Socket bind error
RTT Values:
Number Of RTT: 0 RTT Min/Avg/Max: 0/0/0 milliseconds
Latency one-way time:
Number of Latency one-way Samples: 0
Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
Jitter Time:
Number of SD Jitter Samples: 0
Number of DS Jitter Samples: 0
Source to Destination Jitter Min/Avg/Max: 0/0/0 milliseconds
Destination to Source Jitter Min/Avg/Max: 0/0/0 milliseconds
Packet Loss Values:
Loss Source to Destination: 0 Loss Destination to Source: 0
Out Of Sequence: 0 Tail Drop: 0
Packet Late Arrival: 0 Packet Skipped: 0
Voice Score Values:
Calculated Planning Impairment Factor (ICPIF): 0
Mean Opinion Score (MOS): 0
Number of successes: 0
Number of failures: 4
Operation time to live: Forever
Syslog Implementation
Apply the following commands to enable syslog logging. logging trap notifications forwards only messages of severity 0 through 5 to the syslog server; ACL log hits (%SEC-6-IPACCESSLOGP) and zone-based firewall drop log messages (%FW-6-DROP_PKT) are severity 6 and remain only in the local buffer unless the trap level is raised to informational, so set the level according to which events the central collector needs to see. The timestamp command includes milliseconds and the time zone so that messages from different devices can be correlated once NTP is in place.
Router(config)# service timestamps log datetime msec localtime show-timezone ! Timestamps syslog messages with local time, milliseconds and time zone
Router(config)# logging 172.16.0.90 ! Identifies the syslog server
Router(config)# logging trap notifications ! Sends notice (severity 5) messages and more severe ones to the server
Router(config)# logging facility local2 ! Specifies the facility used by the syslog messages
Router(config)# logging buffered 4096 ! Sets the size of the internal log buffer
Switch-Access(config)# service timestamps log datetime msec localtime show-timezone ! Timestamps syslog messages with local time, milliseconds and time zone
Switch-Access(config)# logging 172.16.0.90 ! Identifies the syslog server
Switch-Access(config)# logging trap notifications ! Sends notice (severity 5) messages and more severe ones to the server
Switch-Access(config)# logging facility local2 ! Specifies the facility used by the syslog messages
Switch-Access(config)# logging buffered 4096 ! Sets the size of the internal log buffer
Switch-Dist(config)# service timestamps log datetime msec localtime show-timezone ! Timestamps syslog messages with local time, milliseconds and time zone
Switch-Dist(config)# logging 172.16.0.90 ! Identifies the syslog server
Switch-Dist(config)# logging trap notifications ! Sends notice (severity 5) messages and more severe ones to the server
 
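Which messages reach 172.16.0.90 is decided by logging trap notifications, and the cut-off falls between severity 5 and 6. The following Python script is an added example (not from the design guide); it parses IOS syslog lines in the format produced by the timestamp command above and sorts them into the two destinations, the syslog server and the local buffer. The sample lines are constructed, including an ACL hit that would require the log keyword on the ACL entry, and the message formats follow the standard IOS mnemonics.

```python
"""Severity filtering for IOS syslog messages (added example, not from the design guide).

'logging trap notifications' forwards only severity 5 (notifications) and
numerically lower (more severe) messages to the syslog host, while
'logging buffered 4096' keeps the default buffer level (debugging), so every
message still lands in the local buffer. parse_line() handles the format from
'service timestamps log datetime msec localtime show-timezone'; route() sorts
messages into the two destinations. Sample lines are constructed.
"""
import re

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
          "notifications": 5, "informational": 6, "debugging": 7}

# A leading '*' or '.' marks a clock that is not (yet) NTP-synchronized
LINE_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Z]{3,4}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

SAMPLE_LOG = [
    "Sep  9 02:16:54.371 PDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.16.4.5)",
    "Sep  9 02:17:01.004 PDT: %SEC-6-IPACCESSLOGP: list BLOCK-TFTP denied udp 172.16.10.25(49152) -> 10.0.0.8(69), 1 packet",
    "Sep  9 02:17:05.220 PDT: %FW-6-DROP_PKT: Dropping udp session 198.51.100.7:53412 203.0.113.2:161 on zone-pair publicSelfIn class class-default due to  DROP action found in policy-map with ip ident 0",
    "Sep  9 02:18:10.900 PDT: %LINK-3-UPDOWN: Interface Multilink1, changed state to down",
    "*Sep  9 02:18:11.100 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "this line is not a syslog message and is skipped",
]


def parse_line(line):
    """Return a dict with ts, tz, facility, severity (int), mnemonic and text, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def route(lines, trap_level="notifications"):
    """Split messages into (sent to the syslog host, kept only in the local buffer)."""
    threshold = LEVELS[trap_level]
    sent, buffered_only = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']}"
        (sent if rec["severity"] <= threshold else buffered_only).append(tag)
    return sent, buffered_only
```

With the level configured above, the two messages a security team most wants centrally (the ACL hit and the firewall drop) are the two that stay on the box; a 4096-byte buffer also wraps quickly, so raise the trap level to informational if those events should be collected.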
   Cisco Configuration Professional Implementation
Monitoring of the Streamlined Small Branch Network was done with Cisco Configuration Professional in monitor mode. Cisco Configuration Professional provides an overview of router status and performance metrics without using the Cisco IOS command-line interface. Figure 5 shows the monitor overview, which includes information such as CPU and memory usage, interface status, firewall status, and VPN status.
Figure 5 Cisco Configuration Professional Monitor Overview
Figure 6 shows the interface status for the Fast Ethernet interface, which includes packets in, packets out, and bandwidth usage.
Figure 6 Cisco Configuration Professional Fast Ethernet Interface Status
Figure 7 shows the interface status for the tunnel interface.
Figure 7 Cisco Configuration Professional Tunnel Interface Status
Figure 8 shows the VPN status for the DMVPN tunnel, which includes encapsulated and decapsulated packets and send and receive errors.
Figure 8 Cisco Configuration Professional VPN Status
Figure 9 shows the interface traffic analysis.
Figure 9 Cisco Configuration Professional Traffic Analysis
Cisco Configuration Engine Implementation
Several steps are required to enable deployment with the Cisco Configuration Engine (CCE). First, a bootstrap configuration must be applied to each device. The bootstrap configuration is either preloaded or obtained from a centrally hosted DHCP server through option 150. In the Streamlined Small Branch Network, both routers and all switches were preloaded with the following bootstrap configuration. Note that cns trusted-server restricts the CNS agents to the named server, but the transport used here is plain HTTP on port 80, so the exchange is neither authenticated nor encrypted beyond that name check; run it only over a management network you control.
Router(config)# cns trusted-server all-agents cce.example.com ! Specifies the trusted server for all CNS agents
Router(config)# cns id hardware-serial ! Identifies this device to CCE by its serial number
Router(config)# cns id hardware-serial event ! Identifies this device to the CCE event component by its serial number
Router(config)# cns event cce.example.com ! Enables the event agent and points it at the CCE server
Router(config)# cns config initial cce.example.com 80 ! Retrieves the initial configuration from the CCE server on port 80
Router(config)# cns config partial cce.example.com 80 ! Enables incremental (partial) configuration from the CCE server on port 80
Router(config)# cns exec 80 ! Enables the CNS exec agent on port 80
Switch-Access(config)# cns trusted-server all-agents cce.example.com ! Specifies the trusted server for all CNS agents
Switch-Access(config)# cns id hardware-serial ! Identifies this device to CCE by its serial number
Switch-Access(config)# cns id hardware-serial event ! Identifies this device to the CCE event component by its serial number
Switch-Access(config)# cns event cce.example.com ! Enables the event agent and points it at the CCE server
Switch-Access(config)# cns config initial cce.example.com 80 ! Retrieves the initial configuration from the CCE server on port 80
Switch-Access(config)# cns config partial cce.example.com 80 ! Enables incremental (partial) configuration from the CCE server on port 80
Switch-Access(config)# cns exec 80 ! Enables the CNS exec agent on port 80
Switch-Dist(config)# cns trusted-server all-agents cce.example.com ! Specifies the trusted server for all CNS agents
Switch-Dist(config)# cns id hardware-serial ! Identifies this device to CCE by its serial number
Switch-Dist(config)# cns id hardware-serial event ! Identifies this device to the CCE event component by its serial number
Switch-Dist(config)# cns event cce.example.com ! Enables the event agent and points it at the CCE server
Switch-Dist(config)# cns config initial cce.example.com 80 ! Retrieves the initial configuration from the CCE server on port 80
Switch-Dist(config)# cns config partial cce.example.com 80 ! Enables incremental (partial) configuration from the CCE server on port 80
Switch-Dist(config)# cns exec 80 ! Enables the CNS exec agent on port 80
Second, each device's CNS ID must be entered into the CCE server before the branch devices are powered on. Each CNS ID is associated with the Cisco IOS image to be loaded onto the device and with a configuration template. The Streamlined Small Branch Network provides the following six CCE templates:
 • Configuration for zero-touch deployment with Cisco Configuration Engine
   • Bootstrap configuration for routers and switches
 • Router
   • Fast Ethernet WAN interface, active primary and standby backup WAN links, OSPF routing, DMVPN over primary and backup WAN links, and Cisco Unified CME with SCCP configured IP phones and H.323 trunking to the central site.
   • Two T1 WAN interface bundle with MLPPP encapsulation, active primary and standby backup WAN links, EIGRP routing, GETVPN over primary and DMVPN over backup WAN links, and Cisco Unified CME with SIP configured IP phones and SIP trunking to the central site.
   • Two T1 WAN interface bundle with MLFR encapsulation, simultaneously active primary and backup WAN links, EIGRP routing, DMVPN over primary and backup WAN links, and Cisco Unified SRST with SCCP configured IP phones and H.323 trunking to the central site.
   • T1 WAN interface with Frame Relay encapsulation, simultaneously active primary and backup WAN links, OSPF routing, GETVPN over primary and DMVPN over backup WAN links, and Cisco Unified SRST with SIP configured IP phones and SIP trunking to the central site.
 • Access Switches
   • A 48-port access switch with Data, DMZ, and Voice VLANs on access ports.
Downloading and Using the Configuration Templates
Download the templates from the following location:
 • Configuration Toolkit for Streamlined Small Branch Network
Configuration Toolkit for Streamlined Small Branch Network 
To use the configuration templates for manual configurations, download them to a TFTP server that is accessible from the routers and switches. To use the configuration templates with Cisco Configuration Engine (CCE) 3.0, complete the following steps:
Step 1  Log in to CCE and navigate to Tools > Template Manager.
Step 2  In the Template Manager window, shown in Figure 10, click Add Template. The Template Engine window appears.
Figure 10 CCE Template Manager
Step 3  In the Template Engine window, shown in Figure 11, choose the best template engine for your specific environment, and then click Next. The CCE Configuration Editor window appears.
Figure 11 CCE Template Engine
Step 4  From the configuration templates listed above, copy the one that best meets your needs and paste it into the CCE Configuration Editor, shown in Figure 12.
Figure 12 CCE Configuration Editor
Step 5  Customize the configuration to meet the needs of your specific environment. After editing the configuration, name and save the configuration.
Step 6  Navigate to the Device Manager window, shown in Figure 13, and click Add Device.
Figure 13 CCE Device Manager
Step 7  In the Create Device Editor window, shown in Figure 14, assign a Device Name, a Unique ID that corresponds to the configuration name specified in Step 5, and a Device Type. Click Next. The Device Group Selector window appears.
Figure 14 CCE Create Device Editor
Step 8  Choose group membership as shown in Figure 15. CCE supports management of devices as groups. See the CCE documentation for details on how to manage devices as a group. Click Next. The Device Group Selector window appears.
Figure 15 CCE Device Group Selector
Step 9  In the Device Identification Assignment window, shown in Figure 16, enter the Event ID, Config ID, and Image ID (CCE supports the ability to distribute Cisco IOS software images; see the CCE documentation for additional information) for the Device Type. Click Finish.
Note  These IDs must match the identification provided in the device Bootstrap Configuration.
Figure 16 CCE Device Identification Assignment
Step 10  Repeat this procedure for all routers and switches.
Voice Services Implementation
 • PRI-Trunk and FXS Port Implementation
 • Cisco Unified CME with SCCP Endpoints Implementation
 • Cisco Unified CME with SIP Endpoints Implementation
 • Cisco Unified SRST with SCCP Endpoints Implementation
 • Cisco Unified SRST with SIP Endpoints Implementation
This section describes the implementation of two scenarios for voice services:
 • Distributed infrastructure and branch endpoints are controlled by Cisco Unified Communications Manager Express (Cisco Unified CME). Local branch voice mail is provided through Cisco Unity Express access.
 • Centralized call control with Cisco Unified Communications Manager (Cisco Unified CM). Cisco Unified Survivable Remote Site Telephony (Cisco Unified SRST) is configured in case of WAN failure.
The following high-level steps must be performed for each telephony service:
  1.  Configure voice connectivity.
  2.  Perform telephony service setup.
  3.  Install IP Phones.
  4.  Configure voice gateway.
  5.  Configure dial plan.
  6.  Set up transcoding and conferencing.
  7.  Implement Music on Hold.
  8.  Integrate voice mail.
  9.  Configure emergency services.
PRI-Trunk and FXS Port Implementation
A 3-channel T1 PRI trunk was used to connect the router to the public switched telephone network (PSTN).
Router(config)# card type t1 0 ! Declares network module in slot 0 operational in T1 mode
Router(config)# isdn switch-type primary-4ess ! Sets the ISDN switch type (Primary 4ESS) used toward the PSTN
Router(config)# network-clock-participate wic 0 ! Allows the T1 WIC in slot 0 to participate in network (TDM) clocking
Router(config)# controller T1 0/0/0 ! Enters T1 controller configuration mode
Router(config-controller)# pri-group timeslots 1-3 ! Configures a PRI group using timeslots 1-3 as bearer channels; the D channel is timeslot 24 (port 0/0/0:23)
Router(config-controller)# exit
The following configuration applies to analog Foreign Exchange Service (FXS) ports.
Router(config)# voice-port 0/3/0 ! Enters voice port configuration mode
Router(config-voiceport)# station-id name ANALOG-1 ! Assigns a name for the voice port
Router(config-voiceport)# exit
Router(config)# voice-port 0/3/1 ! Enters voice port configuration mode
Router(config-voiceport)# station-id name ANALOG-2 ! Assigns a name for the voice port
Router(config-voiceport)# exit
Router(config)# voice-port 0/3/2 ! Enters voice port configuration mode
Router(config-voiceport)# station-id name ANALOG-3 ! Assigns a name for the voice port
Router(config-voiceport)# exit
Router(config)# voice-port 0/3/3 ! Enters voice port configuration mode
Router(config-voiceport)# station-id name ANALOG-4 ! Assigns a name for the voice port
Router(config-voiceport)# exit
In the Streamlined Small Branch Network, the T1 serial interface uses compressed RTP (cRTP) to place calls over the WAN. There are several ways to configure cRTP. In the following implementation, cRTP is configured on the QoS class map:
Router(config)# policy-map EIGHT-CLASS-V3PN-EDGE ! Defines child policy map
Router(config-pmap)# class VOICE ! Matches traffic classified by the VOICE class map
Router(config-pmap-c)# compress header ip rtp ! Enables cRTP compression
Router(config-pmap-c)# exit
The Streamlined Small Branch Network has been tested with both SIP- and SCCP-enabled phones. Each phone type requires a different configuration. To implement SCCP-based phones, follow the SCCP instructions in the "Cisco Unified CME with SCCP Endpoints Implementation" section. To implement SIP-based phones, follow the SIP instructions in the "Cisco Unified CME with SIP Endpoints Implementation" section.
To implement the various voice services described in the following sections, several resources are necessary at the central site. Table 2 lists these resources and the associated IP addresses that are used in the implementation instructions.
Cisco Unified CME with SCCP Endpoints Implementation
 • Cisco Unified CME with SCCP Endpoints: Telephony Service Setup
 • Cisco Unified CME with SCCP Endpoints: IP Phone Installation and Configuration
 • Cisco Unified CME with SCCP Endpoints: H.323 Voice Gateway Implementation
 • Cisco Unified CME with SCCP Endpoints: Dial Plan Implementation
 • Cisco Unified CME with SCCP Endpoints: CAC Implementation
 • Cisco Unified CME with SCCP Endpoints: Transcoding and Conferencing Implementation
 • Cisco Unified CME with SCCP Endpoints: Music on Hold Implementation
 • Cisco Unified CME with SCCP Endpoints: Voice Mail and Auto Attendant Integration
 • Cisco Unified CME with SCCP Endpoints: Emergency Services Implementation
 • Cisco Unified CME with SCCP Endpoints Verification
Cisco Unified CME with SCCP Endpoints: Telephony Service Setup
The Cisco IOS software provides an automated mechanism for configuring IP telephony services.
Router(config)# telephony-service setup ! Enters Unified CME start setup mode
--- Cisco IOS Telephony Services Setup ---
Do you want to setup DHCP service for your IP Phones? [yes/no]: no
Do you want to start telephony-service setup? [yes/no]: yes
Configuring Cisco IOS Telephony Services :
Enter the IP source address for Cisco IOS Telephony Services :10.0.1.2
Enter the Skinny Port for Cisco IOS Telephony Services : [2000]:
How many IP Phones do you want to configure :  [0]: 30 ! User configurable number of phones up to maximum of 96 on 2800 ISRs
Do you want dual-line extensions assigned to phones? [yes/no]: yes
What Language do you want on IP Phones :
0 English
1 French
2 German
3 Russian
4 Spanish
5 Italian
6 Dutch
7 Norwegian
8 Portuguese
9 Danish
10 Swedish
11 Japanese
[0]: ! Maintains default English language
Which Call Progress tone set do you want on IP Phones :
0 United States
1 France
2 Germany
3 Russia
4 Spain
5 Italy
6 Netherlands
7 Norway
8 Portugal
9 UK
10 Denmark
11 Switzerland
12 Sweden
13 Austria
14 Canada
15 Japan
[0]: ! Maintains default United States call progress tone
What is the first extension number you want to configure : 5001
Do you have Direct-Inward-Dial service for all your phones? [yes/no]: yes
Enter the full E.164 number for the first phone :4085555001 ! Assigns DID number
Do you want to forward calls to a voice message service? [yes/no]: yes
Enter extension or pilot number of the voice message service:5444
Call forward No Answer Timeout : [18]: ! Maintains default value of 18 seconds. Possible values are from 5 to 60000 seconds
Do you wish to change any of the above information? [yes/no]: no
CNF-FILES: Clock is not set or synchronized,
retaining old versionStamps
---- Setup completed config ---
Router(config)#
*Sep 10 05:37:10.207: %LINK-3-UPDOWN: Interface ephone_dsp DN 1.2, changed state to up
*Sep 10 05:37:10.207: %LINK-3-UPDOWN: Interface ephone_dsp DN 2.1, changed state to up
*Sep 10 05:37:10.207: %LINK-3-UPDOWN: Interface ephone_dsp DN 2.2, changed state to up
*Sep 10 05:37:10.207: %LINK-3-UPDOWN: Interface ephone_dsp DN 3.1, changed state to up
*Sep 10 05:37:10.207: %LINK-3-UPDOWN: Interface ephone_dsp DN 3.2, changed state to up
*Sep 10 05:37:10.207: %LINK-3-UPDOWN: Interface ephone_dsp DN 4.1, changed state to up
*Sep 10 05:37:10.207: %LINK-3-UPDOWN: Interface ephone_dsp DN 4.2, changed state to up
Cisco Unified CME with SCCP Endpoints: IP Phone Installation and Configuration
In the Streamlined Small Branch Network, IP Phones are installed by connecting them to ports on the access layer switches. Because all the ports offer Power-over-Ethernet, no additional power cables are necessary. After they are installed, the phones receive the default configuration that was generated during the telephony setup in the previous section. However, if the IP Phone firmware needs to be upgraded in the future, enter the following commands.
Note  The following configuration is not required with the Cisco IOS software image used for the Streamlined Small Branch Network validation.
Router(config)# telephony-service ! Enters telephony configuration mode
Router(config-telephony)# load 7960-7940 P00308000900 ! Loads telephony SCCP firmware files for 7960 and 7940 phones
Router(config-telephony)# load 7942 SCCP42.8-3-2S ! Loads telephony SCCP firmware files for 7942 phones
Router(config-telephony)# load 7962 SCCP62.8-3-2S ! Loads telephony SCCP firmware files for 7962 phones
Router(config-telephony)# load 7965 SCCP65.8-3-2S ! Loads telephony SCCP firmware files for 7965 phones
Router(config-telephony)# load 7971 SCCP71.8-3-2S ! Loads telephony SCCP firmware files for 7971 phones
Router(config-telephony)# load 7985 cmterm_7985.4-1-6-0 ! Loads telephony SCCP firmware for 7985 video phone
Apply the following command after defining the new ephone type (see the ephone-type 7937 configuration later in this section).
Router(config-telephony)# load 7937 cmterm_7937.1-2-1-0 ! Loads telephony SCCP firmware files for 7937 conference station
Router(config-telephony)# create cnf-files ! Builds XML configuration file for SCCP phones
Router(config-telephony)# exit
This guide provides Cisco IOS software commands for setting up IP Phones. Alternatively, a graphical user interface (GUI) allows the configuration of directory numbers through a web interface. To set up the web configuration tool, use the following instructions to enable the services on the router:
Router(config)# ip http server ! Enables HTTP server
Router(config)# ip http path flash: ! Specifies location of HTTP files in IOS
Router(config)# telephony-service ! Enters telephony configuration mode
Router(config-telephony)# web admin system name admin password c1$k0SyS ! Defines username and password for system administrator
Router(config-telephony)# dn-webedit ! Enables ability to configure directory numbers
Router(config-telephony)# time-webedit ! Enables ability to configure phone time
Router(config-telephony)# exit
Router(config)# telephony-service ! Enters telephony configuration mode
Router(config-telephony)# max-ephones 50 ! Sets the maximum number of phones that can register with Cisco Unified CME
Router(config-telephony)# max-dn 100 ! Sets the maximum number of directory numbers (two for each phone)
Router(config-telephony)# ip source-address 10.0.1.2 port 2000 secondary 10.0.1.1 ! Sets IP address used for phone registration and secondary router for backup
Router(config-telephony)# time-zone 5 ! Sets time zone to Pacific Standard/Daylight Time
Router(config-telephony)# no auto-reg-ephone ! Disables registration of unconfigured phones
Router(config-telephony)# voicemail 5444 ! Defines number for speed dialing voicemail from phone
Router(config-telephony)# system message Your current options ! Message displayed on IP Phones
Router(config-telephony)# secondary-dialtone 9 ! Provides dial tone for PSTN calls
Router(config-telephony)# transfer-system full-blind ! Transfers calls without consultation
Router(config-telephony)# transfer-pattern 9......... ! Allows transfers to PSTN destinations dialed with access code 9
Router(config-telephony)# transfer-pattern 4......... ! Allows transfers to 10-digit destinations in area codes starting with "4"
Router(config-telephony)# call-forward pattern .T ! Allows call forwarding for all calls
Router(config-telephony)# exit
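The web GUI and telephony-service commands above carry the settings a reviewer checks before a branch goes live: ip http server exposes the configuration GUI over cleartext HTTP, the web admin line stores the administrator credential in the configuration, no auto-reg-ephone keeps unconfigured phones from registering, and transfer-pattern 9......... permits transfers to PSTN destinations, which is a toll-fraud exposure to weigh against the business need. The following script is an added example and not code from the Cisco guide: it parses a constructed show running-config excerpt modelled on the commands above and reports those four findings. The audit_cme_config function, the finding codes and both sample configurations are this example's own assumptions.

```python
"""Added example: audit a Cisco Unified CME running-config excerpt for settings
a reviewer questions.  The constructed sample configs below are modelled on the
guide's commands; the check list is this example's own, not the guide's."""
from typing import Dict, List


def split_sections(config: str) -> Dict[str, List[str]]:
    """Group 'show running-config' text into top-level commands and their
    indented sub-mode lines; a top-level command without sub-lines maps to []."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blank and comment lines
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_cme_config(config: str, pstn_access_code: str = "9") -> List[str]:
    """Return finding codes in the order the offending lines were seen."""
    sections = split_sections(config)
    findings: List[str] = []
    # 1. GUI served over cleartext HTTP with no HTTPS listener configured.
    if "ip http server" in sections and "ip http secure-server" not in sections:
        findings.append("HTTP_CLEARTEXT_ADMIN")
    tel = sections.get("telephony-service", [])
    # 2. Unconfigured phones may register unless auto-registration is disabled.
    if "no auto-reg-ephone" not in tel:
        findings.append("AUTO_REG_EPHONE_ENABLED")
    for line in tel:
        # 3. Web admin account defined with the cleartext 'password' keyword.
        if line.startswith("web admin") and " password " in line:
            findings.append("WEB_ADMIN_CLEARTEXT_PASSWORD")
        # 4. Transfers allowed to destinations reached through the PSTN access code.
        if line.startswith("transfer-pattern " + pstn_access_code):
            findings.append("TRANSFER_TO_PSTN_ALLOWED")
    return findings


# Constructed excerpt following the guide's commands (placeholder password).
PAGE_STYLE_CONFIG = """\
ip http server
ip http path flash:
telephony-service
 max-ephones 50
 max-dn 100
 ip source-address 10.0.1.2 port 2000 secondary 10.0.1.1
 no auto-reg-ephone
 web admin system name admin password EXAMPLE-PASSWORD
 secondary-dialtone 9
 transfer-pattern 9.........
 transfer-pattern 4.........
"""

# Constructed hardened variant: HTTPS only, no cleartext web admin line,
# transfers limited to the internal 4... pattern.
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
telephony-service
 max-ephones 50
 no auto-reg-ephone
 secondary-dialtone 9
 transfer-pattern 4.........
"""

if __name__ == "__main__":
    print(audit_cme_config(PAGE_STYLE_CONFIG))
    print(audit_cme_config(HARDENED_CONFIG))
```

Run it against the output of show running-config captured from the branch router; the first constructed sample reports the three cleartext and transfer findings, the hardened sample reports none, and a telephony-service block that omits no auto-reg-ephone reports AUTO_REG_EPHONE_ENABLED.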
Router(config)# ephone-template 1 ! Defines ephone configuration template tag
Router(config-ephone-template)# softkeys hold Join Newcall Resume Select ! Softkey display when the connected party is on hold
Router(config-ephone-template)# softkeys idle ConfList Join Newcall Pickup Redial ! Softkey display when the phone is idle
Router(config-ephone-template)# softkeys seized Redial Endcall Cfwdall Pickup Callback Meetme ! Softkey display when caller is attempting to call but has not been connected yet
Router(config-ephone-template)# softkeys connected Trnsfer Hold Confrn Endcall ! Softkey display when connection to remote point has been established
Router(config-ephone-template)# exit
Apply the following configuration to each of IP Phones 1 through 50, giving each phone a unique ephone-dn tag and the desired extension.
Router(config)# ephone-dn 1 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5001 ! Configures phone (or extension) number for this directory number
Router(config-ephone-dn)# call-forward busy 5444 ! Forwards calls for a busy extension to voicemail
Router(config-ephone-dn)# call-forward noan 5444 timeout 10 ! Forwards calls for an extension that does not answer to voicemail after 10 seconds of ringing
Router(config-ephone-dn)# exit
Router(config)# ephone 1 ! Enters phone configuration mode
Router(config-ephone)# ephone-template 1 ! Associates phone with configuration template
Router(config-ephone)# button 1:1 ! Assigns ephone-dn 1 to button 1 (1:2, 1:3, and so on for the other phones)
Router(config-ephone)# exit
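Repeating the ephone-dn and ephone pair by hand for 50 phones invites duplicate tags and extensions that overlap the voicemail or conference pilots, so the per-phone block is usually generated. The following generator is an added example, not code from the Cisco guide; it emits the pair above for phones 1 through N and refuses to produce a configuration that would exceed the max-ephones and max-dn limits set in telephony-service or reuse a reserved pilot number. The defaults (extension 5001 upward, voicemail 5444, template 1, limits 50 and 100) come from the guide; the reserved-number set and the function names are this example's assumptions.

```python
"""Added example (not the guide's code): generate the per-phone ephone-dn and
ephone blocks for phones 1..N and refuse configurations that would exceed the
telephony-service limits or collide with reserved pilot numbers."""
from typing import Iterable, List, Set

# Pilot numbers the guide assigns elsewhere: voicemail 5444, ad-hoc conference
# 5555, meet-me conference 5666.  Constructed set; extend for your own deployment.
DEFAULT_RESERVED: Set[str] = {"5444", "5555", "5666"}


def phone_block(n: int, ext: int, voicemail: str = "5444", template: int = 1,
                noan_timeout: int = 10) -> List[str]:
    """ephone-dn n (dual-line) plus ephone n bound to it on button 1."""
    return [
        f"ephone-dn {n} dual-line",
        f" number {ext}",
        f" call-forward busy {voicemail}",
        f" call-forward noan {voicemail} timeout {noan_timeout}",
        f"ephone {n}",
        f" ephone-template {template}",
        f" button 1:{n}",
    ]


def generate_branch_phones(count: int, first_ext: int = 5001, max_ephones: int = 50,
                           max_dn: int = 100, reserved: Iterable[str] = DEFAULT_RESERVED,
                           **block_kwargs) -> List[str]:
    """Return config lines for phones 1..count (one dual-line ephone-dn per phone).
    Raises ValueError instead of emitting a configuration that Cisco Unified CME
    would silently cap at max-ephones / max-dn."""
    if count > max_ephones:
        raise ValueError(f"{count} phones exceed max-ephones {max_ephones}")
    if count > max_dn:
        raise ValueError(f"{count} directory numbers exceed max-dn {max_dn}")
    extensions = [str(first_ext + i) for i in range(count)]
    clash = sorted(set(extensions) & set(reserved))
    if clash:
        raise ValueError(f"extensions collide with reserved numbers: {clash}")
    lines: List[str] = []
    for i, ext in enumerate(extensions, start=1):
        lines.extend(phone_block(i, int(ext), **block_kwargs))
    return lines


if __name__ == "__main__":
    print("\n".join(generate_branch_phones(3)))
```

Paste the generated lines into the CCE template or the router configuration; because every tag and extension is derived from the phone index, two phones can never share an ephone-dn, and the collision check fails loudly if the extension range is moved onto the pilot numbers.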
To configure a softphone, use the following example.
Router(config)# ephone 120 ! Enters phone configuration mode
Router(config-ephone)# type CIPC ! Specifies that this is a Cisco IP Communicator softphone
Router(config-ephone)# ephone-template 1 ! Associates phone with configuration template
Router(config-ephone)# button 1:120 ! Assigns ephone-dn 120 to button 1
Router(config-ephone)# exit
In Cisco IOS 12.4(20)T and later, apply the following configuration to define a conference station.
Router(config)# ephone-type 7937 ! Enters ephone-type template configuration mode
Router(config-ephone-type)# device-id 431 ! Specifies 7937 conference station device id
Router(config-ephone-type)# device-type 7937 ! Specifies device type
Router(config-ephone-type)# device-name 7937 Conference Station ! Assigns name to the device type
Router(config-ephone-type)# num-buttons 1 ! Number of line buttons supported
Router(config-ephone-type)# num-presentations 6 ! Number of call presentation lines
Router(config-ephone-type)# exit
Router(config)# ephone-dn 110 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5110 ! Configures extension (or phone) number for this directory number
Router(config-ephone-dn)# name Engineering Conference Room ! Associates a name with this directory number
Router(config-ephone-dn)# exit
Router(config)# ephone 110 ! Enters phone configuration mode
Router(config-ephone)# button 1:110 ! Associates phone with directory number 110
Router(config-ephone)# exit
Generate the configuration file.
Router(config)# telephony-service ! Enters telephony configuration mode
Router(config-telephony)# create cnf-files ! Builds XML configuration file for SCCP phones
Router(config-telephony)# reset all ! Reloads the phone configuration
Router(config-telephony)# exit
Cisco Unified CME with SCCP Endpoints: H.323 Voice Gateway Implementation
The following configuration enables VoIP on the network and sets up H.323 dial peers between the branch gateway and the destination telephone networks.
Router(config)# voice service voip ! Enters voice service configuration mode
Router(config-voi-srv)# allow-connections h323 to h323 ! Enables calls from H.323 endpoint to H.323 endpoint
Router(config-voi-srv)# allow-connections h323 to sip ! Enables calls from H.323 endpoint to SIP endpoint
Router(config-voi-srv)# exit
Cisco Unified CME with SCCP Endpoints: Dial Plan Implementation
Ten dial peers were defined for the Streamlined Small Branch Network: central site, local calls, two 911 emergency services dial peers, voice mail, auto attendant, long distance, international calling, and fax pass-through or fax relay. Voice mail and emergency services dial peers are described in the "Cisco Unified CME with SIP Endpoints: Voice Mail and Auto Attendant Integration" section.
Router(config)# dial-peer voice 1 voip ! Enters configuration mode for the dial peer to the central site
Router(config-dial-peer)# dtmf-relay h245-alphanumeric ! Specifies H.245 alphanumeric method for relaying dual tone multifrequency tones
Router(config-dial-peer)# destination-pattern 408....... ! Matches 10-digit numbers in the central site area code 408
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies central site dial peer address
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 2 pots ! Enters configuration mode for the local area calls dial peer
Router(config-dial-peer)# destination-pattern 9....... ! Matches 7-digit local numbers dialed with access code 9 (the 9 is stripped before the call is sent to the PSTN)
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 3 pots ! Enters configuration mode for the long distance calls dial peer
Router(config-dial-peer)# destination-pattern 91.......... ! Matches 10-digit long distance numbers dialed with 91 (the 91 is stripped)
Router(config-dial-peer)# prefix 1 ! Prefix that the system adds automatically to the dial string
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 4 pots ! Enters configuration mode for the international calls dial peer
Router(config-dial-peer)# destination-pattern 9011T ! Matches variable-length international numbers dialed with 9011 (the 9011 is stripped)
Router(config-dial-peer)# prefix 011 ! Prefix that the system adds automatically to the dial string
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
When calls over the WAN exceed the maximum allocated bandwidth, they are redirected to the PSTN.
Router(config)# dial-peer voice 15 pots ! Enters configuration mode for the PSTN bypass dial peer
Router(config-dial-peer)# destination-pattern 408....... ! Specifies destination pattern (same as dial peer 1)
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# preference 1 ! Sets the dial peer preference order (dial peer 1, preference 0, is tried first)
Router(config-dial-peer)# prefix 408 ! Prefix that the system adds automatically to the dial string (restores the stripped 408)
Router(config-dial-peer)# exit
If you are using fax pass-through, apply the following configuration.
Router(config)# dial-peer voice 6 voip ! Enters configuration mode for the fax pass-through dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Specifies local number of fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies central site dial peer address
Router(config-dial-peer)# fax protocol pass-through g711ulaw ! Configures fax pass-through with G.711 codec
Router(config-dial-peer)# exit
If you are using fax relay, apply the following configuration.
Router(config)# dial-peer voice 7 voip ! Enters configuration mode for the fax relay dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Specifies local number of fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies central site dial peer address
Router(config-dial-peer)# fax-relay ecm disable ! Disables fax relay ECM
Router(config-dial-peer)# fax rate 9600 ! Selects fax transmission rate
Router(config-dial-peer)# fax protocol t38 ! Sets the T.38 fax relay protocol
Router(config-dial-peer)# codec g711ulaw ! Configures fax relay with G.711 codec
Router(config-dial-peer)# exit
Cisco Unified CME with SCCP Endpoints: CAC Implementation
RSVP is not supported with Cisco Unified CME. A limited workaround is to cap the number of voice calls that can be placed over the WAN.
Router(config)# dial-peer voice 1 voip ! Enters configuration mode for the dial peer to the central site
Router(config-dial-peer)# max-conn 36 ! Sets the maximum number of WAN-based calls to 36
Router(config-dial-peer)# exit
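Dial peers 1 through 4, 6 and 15 from the dial plan section, together with the max-conn limit just configured, form a small routing table whose behaviour is easier to see with the matching rules written out. The following model is an added example and not code from the Cisco guide: it implements destination-pattern matching (explicit digits, a dot for any one digit, a trailing T for a variable-length tail), longest-match followed by preference selection, POTS digit stripping with prefix, and the max-conn check that sends the 37th WAN call to the PSTN bypass peer. The peer table is constructed from the page's dial peers; the route function and the active-call dictionary are this example's own, and the interdigit timeout behind T and random selection among equal candidates are not modelled.

```python
"""Outbound dial-peer selection modelled on Cisco IOS destination-pattern matching.
Added example (not the guide's code); the peer table is constructed from the guide's
dial peers 1, 2, 3, 4, 6 and 15.  Simplifications are noted in the comments."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DialPeer:
    tag: int
    kind: str                       # "voip" or "pots"
    pattern: str                    # destination-pattern: digits, '.', optional trailing 'T'
    preference: int = 0             # lower value is tried first (IOS default 0)
    prefix: str = ""                # pots only: digits prepended after digit stripping
    max_conn: Optional[int] = None  # voip max-conn; None means unlimited


def fixed_match(body: str, digits: str) -> bool:
    """Exact-length match where '.' stands for any single digit."""
    return len(body) == len(digits) and all(p == "." or p == d for p, d in zip(body, digits))


def pattern_matches(pattern: str, dialed: str) -> bool:
    """A trailing 'T' makes the pattern variable-length: the fixed part must match the
    leading digits and any further digits are accepted (IOS collects them until the
    interdigit timeout, which this model does not simulate)."""
    if not pattern.endswith("T"):
        return fixed_match(pattern, dialed)
    body = pattern[:-1]
    head, rest = dialed[:len(body)], dialed[len(body):]
    return fixed_match(body, head) and (rest == "" or rest.isdigit())


def explicit_digits(pattern: str) -> int:
    """Count of explicit digits; IOS prefers the most explicit (longest) match."""
    return sum(c.isdigit() for c in pattern)


def select_peer(peers: List[DialPeer], dialed: str,
                active: Dict[int, int]) -> Optional[DialPeer]:
    """Longest match first, then lowest preference.  A voip peer whose active call
    count has reached max-conn is skipped: that is the CAC workaround the guide uses,
    and the pots peer with preference 1 then carries the call over the PSTN."""
    candidates = [
        p for p in peers
        if pattern_matches(p.pattern, dialed)
        and (p.max_conn is None or active.get(p.tag, 0) < p.max_conn)
    ]
    candidates.sort(key=lambda p: (-explicit_digits(p.pattern), p.preference, p.tag))
    return candidates[0] if candidates else None


def outbound_digits(peer: DialPeer, dialed: str) -> str:
    """pots peers strip the left-justified explicitly matched digits and prepend the
    configured prefix (IOS default behaviour); voip peers forward the full string."""
    if peer.kind != "pots":
        return dialed
    strip = 0
    for c in peer.pattern:
        if not c.isdigit():
            break
        strip += 1
    return peer.prefix + dialed[strip:]


# Constructed from the guide's dial peers (tag, type, pattern, preference, prefix, max-conn).
BRANCH_PEERS = [
    DialPeer(1, "voip", "408.......", max_conn=36),
    DialPeer(2, "pots", "9......."),
    DialPeer(3, "pots", "91..........", prefix="1"),
    DialPeer(4, "pots", "9011T", prefix="011"),
    DialPeer(6, "voip", "4085555333"),
    DialPeer(15, "pots", "408.......", preference=1, prefix="408"),
]


def route(dialed: str, active: Optional[Dict[int, int]] = None,
          peers: List[DialPeer] = BRANCH_PEERS) -> Optional[Tuple[int, str, str]]:
    """Return (dial-peer tag, peer type, digits sent out) or None when nothing matches.
    'active' maps a voip peer tag to its current number of calls (constructed state)."""
    peer = select_peer(peers, dialed, active or {})
    if peer is None:
        return None
    return peer.tag, peer.kind, outbound_digits(peer, dialed)


if __name__ == "__main__":
    print(route("4085551234"))            # WAN call to the central site via peer 1
    print(route("4085551234", {1: 36}))   # WAN at max-conn: falls back to PSTN peer 15
    print(route("912125551234"))          # long distance: 91 stripped, prefix 1 added
```

The fax number 4085555333 is carried by peer 6 even though peer 1 also matches, because ten explicit digits beat three; the same longest-match rule is what keeps a 408 call off the PSTN bypass peer until peer 1 is full.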
Cisco Unified CME with SCCP Endpoints: Transcoding and Conferencing Implementation
Transcoding compresses and decompresses voice streams to match endpoint-device capabilities. Transcoding is required when an incoming voice stream is digitized and compressed (by means of a codec) to save bandwidth and the local device does not support that type of compression.
Router(config)# telephony-service ! Enters telephony configuration mode
Router(config-telephony)# sdspfarm units 4 ! Specifies number of DSP farms that can register with SCCP server
Router(config-telephony)# sdspfarm transcode sessions 5 ! Specifies maximum number of simultaneous transcoding sessions
Router(config-telephony)# sdspfarm tag 2 CONFERENCE ! Creates DSP farm profile
Router(config-telephony)# sdspfarm tag 3 TRANSCODE ! Creates DSP farm profile
Router(config-telephony)# conference hardware ! Configures CME for multiparty conferencing
Router(config-telephony)# exit
Router(config)# voice-card 0 ! Enters DSP farm configuration mode
Router(config-voicecard)# dsp services dspfarm ! Enables DSP services
Router(config-voicecard)# exit
Router(config)# sccp local FastEthernet0/1.2 ! Sets the interface for conferencing and transcoding to register with CME
Router(config)# sccp ccm 10.0.1.1 identifier 1 version 5.0.1 ! Associates conferencing and transcoding with CME
Router(config)# sccp ! Enables SCCP globally
Router(config)# sccp ccm group 1 ! Creates SCCP group and enters SCCP configuration mode
Router(config-sccp-ccm)# associate ccm 1 priority 1 ! Associates SCCP group 1 with CME
Router(config-sccp-ccm)# associate profile 2 register CONFERENCE ! Associates DSP farm profile 2 with an SCCP group
Router(config-sccp-ccm)# associate profile 3 register TRANSCODE ! Associates DSP farm profile 3 with an SCCP group
Router(config-sccp-ccm)# exit
Router(config)# dspfarm profile 3 transcode ! Enters DSP farm profile configuration mode (profile 3 registers as TRANSCODE)
Router(config-dspfarm-profile)# codec g711ulaw ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g711alaw ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729ar8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729abr8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729r8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec pass-through ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# maximum sessions 5 ! Specifies maximum number of simultaneous sessions supported by this profile
Router(config-dspfarm-profile)# associate application sccp ! Associates SCCP with this DSP farm profile
Router(config-dspfarm-profile)# no shutdown
Router(config-dspfarm-profile)# exit
Router(config)# dspfarm profile 2 conference ! Enters DSP farm profile configuration mode (profile 2 registers as CONFERENCE)
Router(config-dspfarm-profile)# codec g711ulaw ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g711alaw ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729ar8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729abr8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729r8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729br8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# maximum sessions 3 ! Specifies maximum number of simultaneous sessions supported by this profile
Router(config-dspfarm-profile)# associate application sccp ! Associates SCCP with this DSP farm profile
Router(config-dspfarm-profile)# no shutdown
Router(config-dspfarm-profile)# exit
Router(config)# ephone-dn 241 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5555 ! Associates telephone extension with this directory number
Router(config-ephone-dn)# conference ad-hoc ! Configures ad-hoc conferencing
Router(config-ephone-dn)# no huntstop ! Continues call hunting if line is unavailable
Router(config-ephone-dn)# exit
Router(config)# ephone-dn 242 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5555 ! Associates telephone extension with this directory number
Router(config-ephone-dn)# conference ad-hoc ! Configures ad-hoc conferencing
Router(config-ephone-dn)# no huntstop ! Continues call hunting if line is unavailable
Router(config-ephone-dn)# preference 1 ! Sets dial peer preference order
Router(config-ephone-dn)# exit
Router(config)# ephone-dn 243 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5555 ! Associates telephone extension with this directory number
Router(config-ephone-dn)# conference ad-hoc ! Configures ad-hoc conferencing
Router(config-ephone-dn)# huntstop ! Stops hunting for lines; all conferencing lines are occupied
Router(config-ephone-dn)# preference 2 ! Sets dial peer preference order
Router(config-ephone-dn)# exit
Router(config)# ephone-dn 244 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5666 ! Associates telephone extension with this directory number
Router(config-ephone-dn)# conference meetme ! Configures meet-me conferencing
Router(config-ephone-dn)# no huntstop ! Continues call hunting if line is unavailable
Router(config-ephone-dn)# exit
Router(config)# ephone-dn 245 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5666 ! Associates telephone extension with this directory number
Router(config-ephone-dn)# conference meetme ! Configures meet-me conferencing
Router(config-ephone-dn)# no huntstop ! Continues call hunting if line is unavailable
Router(config-ephone-dn)# preference 1 ! Sets dial peer preference order
Router(config-ephone-dn)# exit
Router(config)# ephone-dn 246 dual-line ! Enters directory number configuration mode
Router(config-ephone-dn)# number 5666 ! Associates telephone extension with this directory number
Router(config-ephone-dn)# conference meetme ! Configures meet-me conferencing
Router(config-ephone-dn)# huntstop ! Stops hunting for lines; all conferencing lines are occupied
Router(config-ephone-dn)# preference 2 ! Sets dial peer preference order
Router(config-ephone-dn)# exit
Cisco Unified CME with SCCP Endpoints: Music on Hold Implementation
Music on Hold (MOH) is an audio stream that is played to PSTN and VoIP G.711 or G.729 callers who are placed on hold by phones in a Cisco Unified Communications Manager Express (Cisco Unified CME) system. This audio stream is intended to reassure callers that they are still connected to their calls.
Router(config)# telephony-service ! Enters telephony configuration mode
 
   Router(config-telephony)# moh music-on-hold.au ! Specifies music on hold file
 
   Router(config-telephony)# exit
Cisco Unified CME with SCCP Endpoints: Voice Mail and Auto Attendant Integration
Voice mail is provided by the Cisco Unity Express service module either in the Advanced Integration Module 2 (AIM2) form factor or the Network Module (NME) form factor. The AIM2 module requires the following configuration.
Router(config)# interface Service-Engine 0/1 ! Enters Cisco Unity Express configuration mode
Router(config-if)# ip address 10.0.2.86 255.255.255.252 ! Assigns IP address to the service engine router interface
Router(config-if)# service-module ip address 10.0.2.85 255.255.255.252 ! Assigns IP address to service module internal interface
Router(config-if)# service-module ip default-gateway 10.0.2.86 ! Assigns default gateway for the service module
Router(config-if)# zone-member security Private ! Assigns Cisco Unity Express to private security zone
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip route 10.0.2.84 255.255.255.252 Service-Engine 0/1 ! Adds a static route entry to direct traffic to the module
 
   Cisco Unity Express uses SIP as its signaling protocol and requires a SIP dial peer.
Router(config)# dial-peer voice 7 voip ! Enters dial peer for voicemail configuration mode
Router(config-dial-peer)# destination-pattern 5444 ! Specifies mailbox extension
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Specifies voicemail address (service module internal interface)
Router(config-dial-peer)# session protocol sipv2 ! Enables SIP for voicemail communication
Router(config-dial-peer)# codec g711ulaw ! Specifies codec for voicemail messages
Router(config-dial-peer)# b2bua ! Enables SIP to SCCP forwarding
Router(config-dial-peer)# dtmf-relay sip-notify ! Specifies DTMF relay method
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 9 voip ! Enters dial peer for Auto Attendant configuration mode
Router(config-dial-peer)# destination-pattern 5000 ! Specifies Auto Attendant extension
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Specifies voicemail address
Router(config-dial-peer)# session protocol sipv2 ! Enables SIP for voicemail communication
Router(config-dial-peer)# codec g711ulaw ! Specifies codec for voicemail messages
Router(config-dial-peer)# b2bua ! Enables SIP to SCCP forwarding
Router(config-dial-peer)# dtmf-relay sip-notify ! Specifies DTMF relay method
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
The following configuration turns on the message wait indicator.
Router(config)# ephone-dn 19 ! Enters directory number configuration mode
Router(config-ephone-dn)# number 8000.... ! Phone number for placing MWI notification call
Router(config-ephone-dn)# mwi on ! When a call is placed to this DN, turn MWI on
Router(config-ephone-dn)# exit
Router(config)# ephone-dn 20 ! Enters directory number configuration mode
Router(config-ephone-dn)# number 8001.... ! Phone number for placing MWI notification call
Router(config-ephone-dn)# mwi off ! When a call is placed to this DN, turn MWI off
Router(config-ephone-dn)# exit
 
Additional Cisco Unified CME configuration is performed through a Web-based user interface as shown in Figure 17 through Figure 22. Figure 17 shows the login prompt window.
Figure 17 Cisco Unified CME Login Prompt
Figure 18 shows the Cisco Unified CME import users window.
Figure 18 Importing Cisco Unified CME Users
Figure 19 shows the Cisco Unified CME defaults window.
Figure 19 Configuring Mailbox Defaults
Figure 20 shows the call handling configuration window.
Figure 20 Configuring Call Handling
Figure 21 shows the Cisco Unified CME configuration verification window.
Figure 21 Verifying Configuration
Figure 22 shows the Cisco Unified CME configuration status window.
Figure 22 Reviewing Configuration Status
Cisco Unified CME with SCCP Endpoints: Emergency Services Implementation
The following is the implementation of emergency number calling for North America. The PRI trunk is used for placing emergency calls.
Router(config)# dial-peer voice 10 pots ! Enters dial peer for emergency calls configuration mode
Router(config-dial-peer)# destination-pattern 911 ! Specifies North America emergency number
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 11 pots ! Enters dial peer for emergency calls dialed with the PSTN access code
Router(config-dial-peer)# destination-pattern 9911 ! Matches the PSTN access code followed by the emergency number
Router(config-dial-peer)# prefix 911 ! Prefix that the system adds automatically to the dial string after the matched digits are stripped
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Cisco Unified CME with SCCP Endpoints Verification
Router# show ephone phone-load
 
   DeviceName CurrentPhoneload PreviousPhoneload LastReset
=====================================================================
SEP796000060053 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060052 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060051 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060050 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060049 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060059 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060058 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060057 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060056 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060055 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060054 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060063 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060062 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060061 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060060 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060042 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060041 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060040 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060043 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060044 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060045 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060046 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060047 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060048 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
SEP796000060086 SCCP41.8-3-2S SCCP41.8-3-2S Initialized
Router# show telephony-service ephone-template
ephone-template 1
softkeys hold Join Newcall Resume Select
softkeys idle ConfList Join Newcall Pickup Redial RmLstC
softkeys seized Redial Endcall Cfwdall Pickup Callback Meetme
softkeys connected Trnsfer Hold Confrn Endcall
conference drop-mode never
conference add-mode all
conference admin: No
max-calls-per-button 8
busy-trigger-per-button 0
privacy default
Always send media packets to this router: No
Preferred codec: g711ulaw
keepalive 30 auxiliary 30
User Locale: US
Network Locale: US
Router# show ephone
ephone-1[0] Mac:001C.58FB.7640 TCP socket:[7] activeLine:0 REGISTERED in SCCP ver 12/9
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:12
IP:10.0.1.11 53063 7965 keepalive 126205 max_line 6
button 1: dn 1 number 5001 CH1 IDLE CH2 IDLE
Preferred Codec: g722-64
ephone-2[1] Mac:001E.4AF1.38D4 TCP socket:[-1] activeLine:0 UNREGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:7
IP:0.0.0.0 0 Unknown 0 keepalive 0 max_line 0
Preferred Codec: g711ulaw
ephone-3[2] Mac:001C.58F9.BD38 TCP socket:[2] activeLine:0 REGISTERED in SCCP ver 12/9
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:12
IP: 10.0.1.12 51579 7962 keepalive 126880 max_line 6
button 1: dn 2 number 5002 CH1 IDLE CH2 IDLE
Preferred Codec: g711ulaw
Router# show telephony-service ephone
Number of Configured ephones 180 (Registered 180)
ephone 1
Device Security Mode: Non-Secure
mac-address 001C.58FB.7640
type 7965
button 1:1
keepalive 30 auxiliary 30
max-calls-per-button 8
busy-trigger-per-button 0
ephone-template 1
Always send media packets to this router: No
Preferred codec: g711ulaw
conference drop-mode never
conference add-mode all
conference admin: No
privacy: Yes
privacy button: No
user-locale US
network-locale US
Router# show telephony-service
CONFIG (Version=4.1(0))
=====================
Version 4.1(0)
Cisco Unified Communications Manager Express
For on-line documentation please see:
www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/index.htm
ip source-address 192.168.0.1 port 2000
max-ephones 120
max-dn 50
max-conferences 3
dspfarm units 4
dspfarm transcode sessions 3
conference software
hunt-group report delay 1 hours
hunt-group logout DND
max-redirect 5
cnf-file location: system:
cnf-file option: PER-PHONE-TYPE
network-locale[0] US (This is the default network locale for this box)
network-locale[1] US
network-locale[2] US
network-locale[3] US
network-locale[4] US
user-locale[0] US (This is the default user locale for this box)
user-locale[1] US
user-locale[2] US
user-locale[3] US
user-locale[4] US
srst mode auto-provision is OFF
srst ephone template is 0
srst dn template is 0
srst dn line mode is single
time-format 12
date-format mm-dd-yy
timezone 0 Greenwich Standard Time
no transfer-pattern is configured, transfer is restricted to local SCCP phones only.
keepalive 30 auxiliary 30
timeout interdigit 10
timeout busy 10
timeout ringing 180
timeout ringin-callerid 8
timeout night-service-bell 12
caller-id name-only: enable
web admin system name Admin
web admin customer name Customer
edit DN through Web: disabled.
edit TIME through web: disabled.
Log (table parameters):
max-size: 150
retain-timer: 15
transfer-system full-consult
local directory service: enabled.
Extension-assigner tag-type ephone-tag.
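A check over the verification output above, as an added example that is not part of the Cisco guide: it parses show ephone output (constructed here from the three entries shown on the page) and flags phones that are not registered or that registered from an address outside the voice VLAN. The 10.0.1.0/24 voice subnet is an assumption taken from the phone addresses on the page; all function names are the example's own.

```python
"""Parse 'show ephone' output from a Cisco Unified CME router and flag phones an
operator should look at: endpoints that are not registered, and registered
endpoints whose IP address is outside the expected voice VLAN.

Added example, not Cisco code. The sample output is constructed from the three
entries shown in the verification section of the page.
"""
import ipaddress
import re

# Constructed sample, copied from the page's 'show ephone' entries.
SAMPLE_SHOW_EPHONE = """\
ephone-1[0] Mac:001C.58FB.7640 TCP socket:[7] activeLine:0 REGISTERED in SCCP ver 12/9
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:12
IP:10.0.1.11 53063 7965 keepalive 126205 max_line 6
button 1: dn 1 number 5001 CH1 IDLE CH2 IDLE
Preferred Codec: g722-64
ephone-2[1] Mac:001E.4AF1.38D4 TCP socket:[-1] activeLine:0 UNREGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:7
IP:0.0.0.0 0 Unknown 0 keepalive 0 max_line 0
Preferred Codec: g711ulaw
ephone-3[2] Mac:001C.58F9.BD38 TCP socket:[2] activeLine:0 REGISTERED in SCCP ver 12/9
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:12
IP: 10.0.1.12 51579 7962 keepalive 126880 max_line 6
button 1: dn 2 number 5002 CH1 IDLE CH2 IDLE
Preferred Codec: g711ulaw
"""

# First line of each ephone entry: tag, MAC address and registration state.
HEADER_RX = re.compile(
    r"^ephone-(\d+)\[\d+\]\s+Mac:([0-9A-Fa-f.]+).*?\s(REGISTERED|UNREGISTERED)")
# 'IP:' line: address, source port and phone model (the page shows 'IP:' with
# and without a following space, so the whitespace is optional).
IP_RX = re.compile(r"^IP:\s*(\S+)\s+(\d+)\s+(\S+)")
# Button lines carry the extension bound to each line button.
BUTTON_RX = re.compile(r"^button\s+\d+:\s+dn\s+\d+\s+number\s+(\d+)")


def parse_show_ephone(text: str) -> list:
    """Return one dict per ephone entry found in the command output."""
    phones, current = [], None
    for line in text.splitlines():
        m = HEADER_RX.match(line)
        if m:
            current = {"ephone": int(m.group(1)), "mac": m.group(2).upper(),
                       "registered": m.group(3) == "REGISTERED",
                       "ip": None, "type": None, "numbers": []}
            phones.append(current)
            continue
        if current is None:
            continue
        m = IP_RX.match(line)
        if m:
            current["ip"], current["type"] = m.group(1), m.group(3)
            continue
        m = BUTTON_RX.match(line)
        if m:
            current["numbers"].append(m.group(1))
    return phones


def audit(phones: list, voice_subnet: str = "10.0.1.0/24") -> list:
    """Flag unregistered phones and phones registered from outside the voice VLAN.

    voice_subnet is an assumption based on the 10.0.1.x phone addresses on the page.
    Returns (ephone tag, finding, detail) tuples.
    """
    net = ipaddress.ip_network(voice_subnet)
    findings = []
    for p in phones:
        if not p["registered"]:
            findings.append((p["ephone"], "unregistered", p["mac"]))
            continue  # an unregistered phone reports IP 0.0.0.0, skip the subnet test
        if ipaddress.ip_address(p["ip"]) not in net:
            findings.append((p["ephone"], "ip outside voice VLAN", p["ip"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_ephone(SAMPLE_SHOW_EPHONE)):
        print(finding)
```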
Cisco Unified CME with SIP Endpoints Implementation
 • Cisco Unified CME with SIP Endpoints: Telephony Service Setup
 • Cisco Unified CME with SIP Endpoints: IP Phone Installation and Configuration
 • Cisco Unified CME with SIP Endpoints: SIP Voice Gateway Implementation
 • Cisco Unified CME with SIP Endpoints: Dial Plan Implementation
 • Cisco Unified CME with SIP Endpoints: CAC Implementation
 • Cisco Unified CME with SIP Endpoints: Transcoding Implementation
 • Cisco Unified CME with SIP Endpoints: Music on Hold Implementation
 • Cisco Unified CME with SIP Endpoints: Voice Mail and Auto Attendant Integration
 • Cisco Unified CME with SIP Endpoints: Emergency Services Implementation
Cisco Unified CME with SIP Endpoints: Telephony Service Setup
Configure the SIP gateway at the branch router.
Router(config)# voice service voip ! Enters voice service configuration mode
Router(config-voi-srv)# allow-connections SIP to SIP ! Enables calls from SIP endpoint to SIP endpoint
Router(config-voi-srv)# sip ! Enters SIP configuration mode
Router(config-voi-sip)# registrar server expires max 120 min 60 ! Sets the SIP Phone keepalive. The phone will check every 2 minutes whether it is registered with Cisco CME in case the router lost its registration information during reboot
Router(config-voi-sip)# bind control source-interface FastEthernet0/1.2 ! Binds SIP signaling to the Voice VLAN interface
Router(config-voi-sip)# bind media source-interface FastEthernet0/1.2 ! Binds SIP media to the Voice VLAN interface
Router(config-voi-sip)# exit
Router(config-voi-srv)# exit
Cisco Unified CME with SIP Endpoints: IP Phone Installation and Configuration
In the Streamlined Small Branch Network, IP Phones are installed by simply connecting them to ports on the access layer switches. Because all the ports offer Power over Ethernet, no additional power cables are necessary. Once installed, phones are configured with the default configuration generated during the Cisco Unified CME installation. However, if IP Phone firmware needs to be upgraded in the future, issue the following commands.
 
 
Note  The following configuration is not required with the Cisco IOS software image used for the Streamlined Small Branch Network validation.
Router(config)# voice register global ! Enters voice register configuration mode
Router(config-register-global)# mode cme ! Enables CME mode in the register
Router(config-register-global)# load 7960-7940 P0S3-08-3-00 ! Loads SIP firmware files for 7960-7940 phones
Router(config-register-global)# load 7961 SIP61.8-3-2S ! Loads SIP firmware files for 7961 phone
Router(config-register-global)# load 7962 SIP62.8-3-2S ! Loads SIP firmware files for 7962 phone
Router(config-register-global)# load 7965 SIP65.8-3-2S ! Loads SIP firmware files for 7965 phone
Router(config-register-global)# load 7971 SIP71.8-3-2S ! Loads SIP firmware files for 7971 phone
Router(config-register-global)# create profile ! Generates provisioning file
Router(config-register-global)# exit
To configure Cisco Unified CME with SIP endpoints from the command line, apply the following configuration.
Router(config)# voice register global ! Enters voice register configuration mode
Router(config-register-global)# mode cme ! Enables CME mode in the register
Router(config-register-global)# max-pool 50 ! Sets the maximum number of SIP Phones
Router(config-register-global)# max-dn 100 ! Sets the maximum number of directory numbers (two for each phone)
Router(config-register-global)# source-address 10.0.1.2 port 2000 ! Sets IP address used for phone registration
Router(config-register-global)# dst auto-adjust ! Enables automatic adjustment of Daylight Savings Time
Router(config-register-global)# timezone 5 ! Sets time zone to Pacific Standard/Daylight Time
Router(config-register-global)# voicemail 5444 ! Defines number for speed dialing voicemail from phone
Router(config-register-global)# ntp-server 172.16.0.60 ! Synchronizes clock on the phones with the specified NTP server
Router(config-register-global)# exit
Router(config)# telephony-service ! Enters telephony configuration mode
Router(config-telephony)# secondary-dialtone 9 ! Provides dial tone for PSTN calls
Router(config-telephony)# exit
Apply the following configuration to all IP Phones 1 to 50. Set a unique DN number and assign the desired extension to each phone.
Router(config)# voice register dn 1 ! Enters directory configuration mode
Router(config-register-dn)# number 5001 ! Configures extension number for this directory number
Router(config-register-dn)# call-forward b2bua busy 5444 ! Forwards calls for a busy extension to voicemail
Router(config-register-dn)# call-forward b2bua noan 5444 timeout 10 ! Forwards calls for an unanswered extension to voicemail after 10 seconds of ringing
Router(config-register-dn)# call-forward b2bua mailbox 5444 ! Designates a mailbox at the end of the call forward chain
Router(config-register-dn)# mwi ! Configures voicemail indicator
Router(config-register-dn)# exit
Router(config)# voice register pool 1 ! Enters voice register pool configuration mode
Router(config-register-pool)# id mac 00E1.CB13.0395 ! Explicitly identifies the phone
Router(config-register-pool)# type 7960 ! Defines phone type for the SIP phone being configured. Other types are 7942, 7945, 7961, 7962, 7965, 7971
Router(config-register-pool)# number 1 dn 1 ! Associates phone 1 with directory number 1
Router(config-register-pool)# exit
Generate a configuration file.
Router(config)# voice register global ! Enters voice register configuration mode
Router(config-register-global)# create profile ! Generates provisioning file
Router(config-register-global)# reset ! Reboots the SIP phone
Router(config-register-global)# exit
Cisco Unified CME with SIP Endpoints: SIP Voice Gateway Implementation
The SIP voice gateway is responsible for connecting the branch VoIP network to the PSTN and to the central site telephony network. The following configuration enables VoIP on the network and sets up SIP dial peers between the branch gateway and the destination telephone networks. IP Phones are configured for SIP signaling.
Router(config)# voice service voip ! Enters voice service configuration mode
Router(config-voi-srv)# allow-connections SIP to h323 ! Enables calls from SIP endpoint to h323 endpoint
Router(config-voi-srv)# allow-connections SIP to SIP ! Enables calls between SIP endpoints
   Cisco Unified CME with SIP Endpoints: Dial Plan Implementation
Ten dial peers were defined for the Streamlined Small Branch Network: central site, local calls, two 911 emergency services dial peers, voicemail, Auto Attendant, long distance, international calling, and fax pass-through or fax relay. Voice mail, Auto Attendant, and emergency services dial peers are described in the "Cisco Unified CME with SIP Endpoints: Voice Mail and Auto Attendant Integration" section and "Cisco Unified CME with SIP Endpoints: Emergency Services Implementation" section.
To provide automatic dialing without pressing the dial button, apply the following dial plan configuration.
Router(config)# voice register dialplan 1 ! Enters dial plan configuration mode
Router(config-register-dialplan)# type 7940-7960-others ! Specifies all phones
Router(config-register-dialplan)# pattern 1 9......... ! Matches outbound PSTN traffic
Router(config-register-dialplan)# pattern 2 4......... ! Matches central site traffic
Router(config-register-dialplan)# exit
Router(config)# voice register pool 1 ! Enters voice register pool configuration mode
Router(config-register-pool)# dialplan 1 ! Assigns dial plan to phones
Router(config-register-pool)# exit
Router(config)# dial-peer voice 1 voip ! Enters dial peer to central site configuration mode
Router(config-dial-peer)# session protocol sipv2 ! Enables SIP signaling for this dial peer
Router(config-dial-peer)# dtmf-relay rtp-nte ! Relays pressed digits as RTP named telephone events (RFC 2833)
Router(config-dial-peer)# destination-pattern 408....... ! Specifies area code prefix for central site dial peer
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies central site dial peer address
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 2 pots ! Enters dial peer for local area calls configuration mode
Router(config-dial-peer)# destination-pattern 9....... ! Matches the PSTN access code followed by a seven-digit local number
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 3 pots ! Enters dial peer for long distance calls configuration mode
Router(config-dial-peer)# destination-pattern 91.......... ! Matches the PSTN access code and 1 followed by a ten-digit long distance number
Router(config-dial-peer)# prefix 1 ! Prefix that the system adds automatically to the dial string
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 4 pots ! Enters dial peer for international calls configuration mode
Router(config-dial-peer)# destination-pattern 9011T ! Matches 9011 followed by a variable-length international number
Router(config-dial-peer)# prefix 011 ! Prefix that the system adds automatically to the dial string
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
When calls over the WAN exceed the maximum allocated bandwidth, they are redirected to PSTN.
Router(config)# dial-peer voice 15 pots ! Enters dial peer for PSTN bypass configuration mode
Router(config-dial-peer)# destination-pattern 408....... ! Specifies destination pattern
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# preference 1 ! Sets the dial peer preference order (tried after the WAN dial peer)
Router(config-dial-peer)# prefix 408 ! Prefix that the system adds automatically to the dial string
Router(config-dial-peer)# exit
If you are using fax pass-through, apply the following configuration.
Router(config)# dial-peer voice 6 voip ! Enters dial peer for fax passthrough configuration mode
Router(config-dial-peer)# session protocol sipv2 ! Enables SIP signaling for this dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Specifies local number of fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies central site dial peer address
Router(config-dial-peer)# fax protocol pass-through g711ulaw ! Configures fax passthrough with G.711 codec
Router(config-dial-peer)# exit
If you are using fax relay, apply the following configuration.
Router(config)# dial-peer voice 7 voip ! Enters dial peer for fax relay configuration mode
Router(config-dial-peer)# session protocol sipv2 ! Enables SIP signaling for this dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Specifies local number of fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies central site dial peer address
Router(config-dial-peer)# fax-relay ecm disable ! Disables fax relay ECM
Router(config-dial-peer)# fax rate 9600 ! Selects fax transmission rate
Router(config-dial-peer)# fax protocol t38 ! Sets the T.38 fax relay protocol
Router(config-dial-peer)# codec g711ulaw ! Configures fax relay with G.711 codec
Router(config-dial-peer)# exit
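The outbound dial-peer selection and digit-manipulation rules that the dial plan above and the emergency-services dial peers (911, and 9911 with prefix 911) rely on, as an added example that is not part of the Cisco guide. It models three IOS behaviours in simplified form: the most specific destination-pattern wins, equally specific matches are hunted in ascending preference order, and a POTS dial peer strips the left-justified explicit digits it matched and then prepends its prefix while a VoIP dial peer forwards the dialed string unchanged. All function names are the example's own; the forward_all field is a hypothetical flag modelling the IOS forward-digits all command, which the page does not use.

```python
"""Outbound dial-peer selection and POTS digit manipulation for the branch
dial plan on this page (dial plan and emergency-services sections).

Added example, not Cisco code. Models: (1) most explicit digits wins,
(2) ties hunted by ascending preference, (3) POTS peers strip the
left-justified explicit digits they matched and prepend their prefix,
VoIP peers forward the dialed string as is.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DialPeer:
    tag: int
    kind: str            # "pots" or "voip"
    pattern: str         # IOS destination-pattern ('.' = one digit, 'T' = timeout)
    target: str          # port or session target, as configured on the page
    prefix: str = ""     # digits added after stripping (POTS only)
    preference: int = 0  # lower value is tried first
    forward_all: bool = False  # hypothetical: models 'forward-digits all'


# Dial peers transcribed from the page's dial plan and emergency sections.
# Dial peer 10 has no prefix and no forward-digits, so under plain digit
# stripping the model sends an empty called number for "911"; 'prefix 911'
# or 'forward-digits all' would preserve it, as dial peer 11 shows.
DIAL_PEERS = [
    DialPeer(1, "voip", "408.......", "ipv4:172.16.200.10"),
    DialPeer(2, "pots", "9.......", "0/0/0:23"),
    DialPeer(3, "pots", "91..........", "0/0/0:23", prefix="1"),
    DialPeer(4, "pots", "9011T", "0/0/0:23", prefix="011"),
    DialPeer(6, "voip", "4085555333", "ipv4:172.16.200.10"),
    DialPeer(8, "voip", "5444", "ipv4:10.0.2.85"),
    DialPeer(10, "pots", "911", "0/0/0:23"),
    DialPeer(11, "pots", "9911", "0/0/0:23", prefix="911"),
    DialPeer(15, "pots", "408.......", "0/0/0:23", prefix="408", preference=1),
]


def pattern_regex(pattern: str) -> str:
    """Translate an IOS destination-pattern into an anchored regex."""
    timeout = pattern.endswith("T")
    body = pattern[:-1] if timeout else pattern
    rx = "".join(r"\d" if ch == "." else re.escape(ch) for ch in body)
    return "^" + rx + (r"\d*" if timeout else "") + "$"


def explicit_digits(pattern: str) -> int:
    """Specificity of a pattern: how many digits it matches explicitly."""
    return sum(ch.isdigit() for ch in pattern)


def leading_explicit(pattern: str) -> int:
    """Left-justified explicit digits; these are what a POTS peer strips."""
    count = 0
    for ch in pattern:
        if not ch.isdigit():
            break
        count += 1
    return count


def matching_peers(dialed: str, peers=DIAL_PEERS) -> list:
    """All peers whose pattern matches, in the order IOS would hunt them."""
    hits = [p for p in peers if re.match(pattern_regex(p.pattern), dialed)]
    return sorted(hits, key=lambda p: (-explicit_digits(p.pattern), p.preference, p.tag))


def outbound_digits(peer: DialPeer, dialed: str) -> str:
    """Called number actually sent out of the chosen dial peer."""
    if peer.kind == "voip" or peer.forward_all:
        return dialed
    return peer.prefix + dialed[leading_explicit(peer.pattern):]


def route(dialed: str, peers=DIAL_PEERS) -> list:
    """(tag, kind, target, digits sent) for each candidate, first choice first."""
    return [(p.tag, p.kind, p.target, outbound_digits(p, dialed))
            for p in matching_peers(dialed, peers)]


if __name__ == "__main__":
    for number in ("911", "9911", "95551234", "914085551234",
                   "4085551234", "4085555333", "90114420123456"):
        print(number, "->", route(number))
```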
Cisco Unified CME with SIP Endpoints: CAC Implementation
Resource Reservation Protocol (RSVP) is not supported with Cisco Unified CME. A limited workaround is possible by setting a limit on the number of voice calls that can be placed over the WAN.
Router(config)# dial-peer voice 1 voip ! Enters dial peer to central site configuration 
mode
 
Router(config-dial-peer)# max-conn 36 ! Sets the maximum number of WAN based calls to 36
Router(config-dial-peer)# exit
Cisco Unified CME with SIP Endpoints: Transcoding Implementation
Transcoding compresses and decompresses voice streams to match end device capabilities. Transcoding is required when an incoming voice stream is digitized and compressed (by means of a codec) to save bandwidth and the local device does not support that type of compression. Conferencing is not supported with SIP and Cisco Unified CME.
Router(config)# telephony-service ! Enters telephony configuration mode
Router(config-telephony)# max-ephones 50 ! Sets the maximum number of phones that can register with Cisco CME
Router(config-telephony)# max-dn 100 ! Sets the maximum number of directory numbers (two for each phone)
Router(config-telephony)# sdspfarm units 4 ! Specifies number of DSP farms that can register with SCCP server
Router(config-telephony)# sdspfarm transcode sessions 5 ! Specifies maximum number of simultaneous transcoding sessions
Router(config-telephony)# sdspfarm tag 3 TRANSCODE ! Creates DSP farm profile
Router(config-telephony)# exit
Router(config)# voice-card 0 ! Enters voice card configuration mode
Router(config-voicecard)# dsp services dspfarm ! Enables DSP farm services on the voice card
Router(config-voicecard)# exit
Router(config)# dspfarm profile 3 transcode ! Enters DSP farm profile configuration mode for a transcoding profile
Router(config-dspfarm-profile)# codec g711ulaw ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g711alaw ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729ar8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729abr8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec g729r8 ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# codec pass-through ! Specifies codec supported by DSP farm
Router(config-dspfarm-profile)# maximum sessions 5 ! Specifies maximum number of simultaneous sessions supported by this profile
Router(config-dspfarm-profile)# no shutdown
Router(config-dspfarm-profile)# exit
Cisco Unified CME with SIP Endpoints: Music on Hold Implementation
MOH is an audio stream that is played to PSTN and VoIP G.711 or G.729 callers who are placed on hold by phones in a Cisco Unified CME system. This audio stream is intended to reassure callers that they are still connected to their calls.
Router(config)# telephony-service ! Enters telephony configuration mode
 
   Router(config-telephony)# moh music-on-hold.au ! Specifies music on hold file
 
   Router(config-telephony)# exit
Cisco Unified CME with SIP Endpoints: Voice Mail and Auto Attendant Integration
Voice mail is provided by the Cisco Unity Express service module either in the Advanced Integration Module 2 (AIM2) form factor or the Network Module (NME) form factor. The AIM2 module requires the following configuration.
Router(config)# interface Service-Engine 0/1 ! Enters Cisco Unity Express configuration mode
Router(config-if)# ip address 10.0.2.86 255.255.255.252 ! Assigns IP address to the service engine router interface
Router(config-if)# service-module ip address 10.0.2.85 255.255.255.252 ! Assigns IP address to service module internal interface
Router(config-if)# service-module ip default-gateway 10.0.2.86 ! Assigns default gateway for the service module
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip route 10.0.2.84 255.255.255.252 Service-Engine 0/1 ! Adds a static route entry to direct traffic to the module
 
   Configure a dial peer for voice mail, because Cisco Unity Express uses SIP as its signaling protocol.
Router(config)# dial-peer voice 8 voip ! Enters dial peer for voicemail configuration mode
Router(config-dial-peer)# destination-pattern 5444 ! Specifies mailbox extension
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Specifies voicemail address
Router(config-dial-peer)# session protocol sipv2 ! Enables SIP for voicemail communication
Router(config-dial-peer)# codec g711ulaw ! Specifies codec for voicemail messages
Router(config-dial-peer)# b2bua ! Enables SIP to SCCP forwarding
Router(config-dial-peer)# dtmf-relay sip-notify ! Specifies DTMF relay method
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 9 voip ! Enters dial peer for Auto Attendant configuration mode
Router(config-dial-peer)# destination-pattern 5000 ! Specifies Auto Attendant extension
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Specifies voicemail address
Router(config-dial-peer)# session protocol sipv2 ! Enables SIP for voicemail communication
Router(config-dial-peer)# codec g711ulaw ! Specifies codec for voicemail messages
Router(config-dial-peer)# b2bua ! Enables SIP to SCCP forwarding
Router(config-dial-peer)# dtmf-relay sip-notify ! Specifies DTMF relay method
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
Router(config)# sip-ua ! Enters SIP user agent configuration mode
Router(config-sip-ua)# mwi-server ipv4:172.16.0.110 expires 3600 port 5060 transport udp ! Sets Cisco Unified Manager address for providing message wait indicator
Router(config-sip-ua)# exit
Router# service-module Service-Engine 0/1 session ! Sessions into the CUE service module
CUE# configure terminal ! Enters Cisco Unity Express configuration mode
CUE(config)# ccn application voicemail ! Enters voicemail configuration mode
CUE(config-application)# description "Cisco Voicemail" ! Sets user friendly name for voicemail application
CUE(config-application)# maxsessions 4 ! Sets maximum number of users concurrently listening to voicemail
CUE(config-application)# exit
CUE(config)# ccn trigger sip phonenumber 5444 ! Assigns number that will trigger voicemail
CUE(config-trigger)# application voicemail ! Assigns voicemail to the call trigger
CUE(config-trigger)# enabled ! Turns the trigger on
CUE(config-trigger)# maxsessions 4 ! Sets maximum number of users concurrently listening to voicemail
CUE(config-trigger)# exit
CUE(config)# exit
Create user mailboxes. Repeat the following steps for all users.
CUE# username John create ! Creates mailbox for user John
CUE# configure terminal
 
   CUE(config)# username John phonenumber 5001 ! Assigns mailbox for John to extension
CUE(config)# exit
 
   CUE# configure terminal
 
   CUE(config)# voice mailbox owner John ! Enters configuration mode for voicemail mailbox
CUE(config-mailbox)# description "John's Mailbox" ! Sets user friendly description
CUE(config-mailbox)# enable ! Turns the mailbox on
CUE(config-mailbox)# expiration time 14 ! Sets expiration time for voicemail to two weeks
CUE(config-mailbox)# mailboxsize 600 ! Sets voicemail box size to 10 minutes of messages
CUE(config-mailbox)# messagesize 120 ! Sets maximum message size to 2 minutes
CUE(config-mailbox)# exit
 
   Cisco Unified CME with SIP Endpoints: Emergency Services Implementation
The following is the implementation of emergency number calling for North America. The PRI trunk is used for placing emergency calls.
Router(config)# dial-peer voice 10 pots ! Enters dial peer for emergency calls configuration mode
Router(config-dial-peer)# destination-pattern 911 ! Specifies North America emergency number
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 11 pots ! Enters dial peer for emergency calls dialed with the PSTN access code
Router(config-dial-peer)# destination-pattern 9911 ! Matches the PSTN access code followed by the emergency number
Router(config-dial-peer)# prefix 911 ! Prefix that the system adds automatically to the dial string after the matched digits are stripped
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Cisco Unified SRST with SCCP Endpoints Implementation
 • Cisco Unified SRST with SCCP Endpoints: Telephony Service Setup
 • Cisco Unified SRST with SCCP Endpoints: IP Phone Installation and Configuration
 • Cisco Unified SRST with SCCP Endpoints: H.323 Voice Gateway Implementation
 • Cisco Unified SRST with SCCP Endpoints: Dial Plan Implementation
 • Cisco Unified SRST with SCCP Endpoints: RSVP Implementation
 • Cisco Unified SRST with SCCP Endpoints: Transcoding and Conferencing Implementation
 • Cisco Unified SRST with SCCP Endpoints: Music on Hold Implementation
 • Cisco Unified SRST with SCCP Endpoints: Voice Mail and Auto Attendant Integration
 • Cisco Unified SRST with SCCP Endpoints: Emergency Services Implementation
Cisco Unified SRST provides Cisco Unified CM with fallback support for Cisco IP Phones that are attached to a Cisco router on a branch network. Cisco Unified SRST enables routers to provide call-handling support for Cisco IP Phones when they lose connection to a remote primary, secondary, or tertiary Cisco Unified CM, or when the WAN connection is operationally down.
Cisco Unified SRST with SCCP Endpoints: Telephony Service Setup
Configure Cisco Unified SRST at the central site Cisco Unified CM as shown in Figure 23. The Cisco Unified SRST reference name is used in configuring the Cisco Unified SRST device pool as shown in Figure 24.
Figure 23 Cisco Unified SRST Configuration in Cisco Unified CM
 
 
   
Figure 24 Cisco Unified SRST Device Pool Configuration in Cisco Unified CM
 
 
   
Configure the Cisco Unified SRST fallback mode at the branch router.
Router(config)# call-manager-fallback ! Enters call manager fallback configuration mode
Router(config-cm-fallback)# ip source-address 10.0.1.2 port 2000 ! Sets the IP address and SCCP port on which phones register during fallback
Router(config-cm-fallback)# max-dn 480 dual-line ! Sets the maximum number of directory numbers and makes each one dual-line (two call channels)
Router(config-cm-fallback)# max-ephones 50 ! Sets the maximum number of IP Phones
Router(config-cm-fallback)# exit
Cisco Unified SRST with SCCP Endpoints: IP Phone Installation and Configuration
In the Streamlined Small Branch Network, IP Phones are installed by simply connecting them to ports on the access layer switches. Because all the ports offer Power over Ethernet, no additional power cables are necessary. After installation, the phones are configured with a default configuration generated during the telephony setup in the previous section.
Router(config)# clock timezone PST -8 ! Sets the timezone for display on IP Phones
Router(config)# call-manager-fallback ! Enters call manager fallback configuration mode
Router(config-cm-fallback)# user-locale US ! Sets the language for display on IP Phones
Router(config-cm-fallback)# system message primary Your current options ! Sets the message displayed on IP Phones while in fallback
Router(config-cm-fallback)# secondary-dialtone 9 ! Provides a second dial tone after 9 for PSTN calls
Router(config-cm-fallback)# call-forward busy 5444 ! Forwards calls to busy extensions to voicemail
Router(config-cm-fallback)# call-forward noan 5444 timeout 10 ! Forwards unanswered calls to voicemail after 10 seconds of ringing
Router(config-cm-fallback)# dialplan-pattern 1 408555.... extension-length 4 ! Expands 4-digit extensions to full E.164 numbers (408555xxxx) and maps inbound DID calls back to extensions
Router(config-cm-fallback)# transfer-system full-blind ! Transfers calls without consultation
Router(config-cm-fallback)# transfer-pattern 9......... ! Allows transfers to PSTN numbers dialed with the access code 9
Router(config-cm-fallback)# transfer-pattern 4......... ! Allows transfers to 10-digit numbers beginning with 4 (the central site's 408 area code)
Router(config-cm-fallback)# transfer-system full-consult ! Replaces the full-blind setting above: only one transfer-system mode is active, and this one consults the destination on a second line before completing the transfer
Router(config-cm-fallback)# call-forward pattern .T ! Allows call forwarding to any number
Router(config-cm-fallback)# exit
Cisco Unified SRST with SCCP Endpoints: H.323 Voice Gateway Implementation
The following configuration enables VoIP on the network and sets up H.323 dial peers between the branch gateway and the destination telephone network, as shown in Figure 25, Figure 26, and Figure 27.
Figure 25 H.323 Gateway Cisco Unified CM Configuration
 
 
   
Figure 26 H.323 Gateway Cisco Unified CM Configuration (continued)
 
 
   
Figure 27 H.323 Gateway Cisco Unified CM Configuration for Cisco Unified SRST Mode
 
 
   
Cisco Unified SRST with SCCP Endpoints: Dial Plan Implementation
Twelve dial peers were defined for the Streamlined Small Branch Network:
 • Central site WAN
 • Central site PSTN
 • Local calls
 • Four 911 emergency services dial peers
 • Voice mail
 • Auto Attendant
 • Long distance
 • International calling
 • Fax pass through or fax relay
Voice mail, auto attendant and emergency services dial peers are described in the "Cisco Unified SRST with SCCP Endpoints: Voice Mail and Auto Attendant Integration" section and the "Cisco Unified SRST with SCCP Endpoints: Emergency Services Implementation" section.
Router(config)# dial-peer voice 1 pots ! Enters configuration mode for the central site PSTN dial peer
Router(config-dial-peer)# destination-pattern 5.... ! Matches central site extensions beginning with 5; the explicitly matched 5 is stripped before the call is sent
Router(config-dial-peer)# prefix 1408555 ! Prepends the central site's 1-408-555 prefix so the call is routed over the PSTN as a full number
Router(config-dial-peer)# incoming called-number .T ! Matches any incoming called number, so inbound PRI calls use this dial peer
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
When calls over the WAN exceed the maximum allocated bandwidth, they are redirected to PSTN.
Router(config)# dial-peer voice 15 pots ! Enters configuration mode for the PSTN bypass dial peer
Router(config-dial-peer)# destination-pattern 408....... ! Same 10-digit central site pattern as the WAN dial peer
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# preference 1 ! Lower priority than the WAN dial peer (default preference 0), so this peer is tried only when the WAN call fails
Router(config-dial-peer)# prefix 408 ! Re-adds 408, which the POTS dial peer strips as explicitly matched digits
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 2 voip ! Enters configuration mode for the central site WAN dial peer
Router(config-dial-peer)# dtmf-relay h245-alphanumeric ! Relays pressed digits out of band over the H.245 channel
Router(config-dial-peer)# destination-pattern 408....... ! Matches 10-digit numbers in the central site's 408 area code
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies the central site address to which the call is sent
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 3 pots ! Enters configuration mode for the local calls dial peer
Router(config-dial-peer)# destination-pattern 9....... ! Access code 9 followed by a 7-digit local number; the 9 is stripped before the call is sent
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 4 pots ! Enters configuration mode for the long distance dial peer
Router(config-dial-peer)# destination-pattern 91.......... ! Access code 9, then 1 and a 10-digit long distance number; the explicitly matched 91 is stripped
Router(config-dial-peer)# prefix 1 ! Re-adds the long distance 1 that was stripped
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 5 pots ! Enters configuration mode for the international calls dial peer
Router(config-dial-peer)# destination-pattern 9011T ! Access code 9, then 011 and a variable-length international number (T waits for the interdigit timeout); the explicitly matched 9011 is stripped
Router(config-dial-peer)# prefix 011 ! Re-adds the international 011 that was stripped
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
If using fax pass-through, apply the following configuration.
Router(config)# dial-peer voice 6 voip ! Enters configuration mode for the fax pass-through dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Number of the fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies the central site address to which the call is sent
Router(config-dial-peer)# fax protocol pass-through g711ulaw ! Carries the fax modem tones inside a G.711 mu-law voice stream (pass-through)
Router(config-dial-peer)# exit
If using fax relay, apply the following configuration.
Router(config)# dial-peer voice 7 voip ! Enters configuration mode for the fax relay dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Number of the fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies the central site address to which the call is sent
Router(config-dial-peer)# fax-relay ecm disable ! Disables fax error correction mode
Router(config-dial-peer)# fax rate 9600 ! Limits the fax transmission rate to 9600 bps
Router(config-dial-peer)# fax protocol t38 ! Uses T.38 fax relay
Router(config-dial-peer)# codec g711ulaw ! Voice codec for the call before it switches to T.38
Router(config-dial-peer)# exit
Cisco Unified SRST with SCCP Endpoints: RSVP Implementation
The following implementation applies to Cisco Unified SRST branch voice deployments. Apply the following commands on the DMVPN tunnel interface (the primary WAN) or, for GETVPN, on the WAN interface itself.
Note  On the four T1 WAN links, the maximum bandwidth that can be managed by RSVP is 4550 kb/s.
Router(config)# interface Tunnel 1 ! Enters tunnel interface configuration mode
Router(config-if)# ip rsvp bandwidth 8112 ! Sets maximum allowed bandwidth for voice (see Table 20) plus video (512 kb/s)
Router(config-if)# ip rsvp data-packet classification none ! Turns off per-packet data processing
Router(config-if)# ip rsvp resource-provider none ! Specifies no resource provider for the traffic flows
Router(config-if)# ip rsvp policy local identity RSVP-VOICE ! Creates RSVP policy for voice
Router(config-rsvp-local-policy)# maximum bandwidth group 7600 ! Sets maximum bandwidth for voice
Router(config-rsvp-local-policy)# forward all ! Forwards all traffic for this policy
Router(config-rsvp-local-policy)# exit
 
   Router(config-if)# ip rsvp policy local identity RSVP-VIDEO ! Creates RSVP policy for video
Router(config-rsvp-local-policy)# maximum bandwidth group 512 ! Sets maximum bandwidth for video
Router(config-rsvp-local-policy)# forward all ! Forwards all traffic for this policy
Router(config-rsvp-local-policy)# exit
 
Router(config-if)# ip rsvp policy local default ! Default policy for reservations that match none of the identities above
Router(config-if)# exit
 
   Router(config)# ip rsvp policy identity RSVP-VIDEO policy-locator .*VideoStream.* 
 
   ! Creates a policy for matching video traffic
 
   Router(config)# ip rsvp policy identity RSVP-VOICE policy-locator .*AudioStream.* 
 
   ! Creates a policy for matching voice traffic
 
   Router(config)# ip rsvp policy preempt ! Enables preempting of lower reservation by higher reservation
The RSVP policy must also be applied on the voice VLAN interface.
Router(config)# interface GigabitEthernet0/1.2 ! Enters configuration mode for the voice VLAN subinterface
Router(config-if)# ip rsvp bandwidth ! Enables RSVP on the interface with the default bandwidth limits
Router(config-if)# exit
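The local policies above partition the tunnel's 8112 kb/s reservation budget by identity: a reservation is first classified by matching its RSVP application ID against the policy-locator regular expressions, then checked against that identity's group limit (7600 kb/s voice, 512 kb/s video) and the interface limit, and with ip rsvp policy preempt a reservation of higher preempt priority may tear down lower-priority ones. The same configuration is repeated for the SIP endpoints later in this document. The following Python model is an added illustration, not configuration from this page or code from Cisco IOS; it reproduces that admission decision for the page's numbers. The application-ID strings and flow names are constructed, and the preempt priorities in the preemption scenario are assumptions (the page's policies set no preempt-priority, so with the default of 0 they would never preempt each other).

```python
"""Model of RSVP admission control under Cisco IOS local policies.

Added example, not configuration from the page: it mirrors the decisions the
'ip rsvp bandwidth', 'ip rsvp policy local identity ... maximum bandwidth group'
and 'ip rsvp policy preempt' commands imply. Application-ID strings are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LocalPolicy:
    identity: str
    locator: str               # 'policy-locator' regex, matched against the RSVP application ID
    group_max_kbps: int        # 'maximum bandwidth group'
    preempt_priority: int = 0  # IOS default when no 'preempt-priority' is configured


@dataclass
class Reservation:
    flow_id: str
    kbps: int
    identity: str
    priority: int


class RsvpInterface:
    def __init__(self, interface_max_kbps: int, policies, preempt: bool = False):
        self.interface_max = interface_max_kbps   # 'ip rsvp bandwidth <kbps>'
        self.policies = list(policies)
        self.preempt = preempt                    # 'ip rsvp policy preempt'
        self.active: Dict[str, Reservation] = {}  # flow_id -> admitted reservation

    def classify(self, app_id: str) -> Optional[LocalPolicy]:
        """Return the first identity whose policy-locator matches; None means the default policy."""
        for pol in self.policies:
            if re.search(pol.locator, app_id):
                return pol
        return None

    def used(self, identity: Optional[str] = None) -> int:
        """Bandwidth reserved on the whole interface, or within one identity's group."""
        return sum(r.kbps for r in self.active.values() if identity is None or r.identity == identity)

    def admit(self, flow_id: str, app_id: str, kbps: int) -> Tuple[bool, str]:
        pol = self.classify(app_id)
        if pol is None:
            # The page's 'ip rsvp policy local default' has no 'forward' or 'accept'
            # sub-command, so reservations matching no identity are not forwarded.
            return False, "rejected: matched no identity, default local policy does not forward"
        if self.used(pol.identity) + kbps > pol.group_max_kbps:
            return False, f"rejected: {pol.identity} group limit {pol.group_max_kbps} kb/s"
        if self.used() + kbps > self.interface_max and not self._make_room(pol.preempt_priority, kbps):
            return False, f"rejected: interface limit {self.interface_max} kb/s"
        self.active[flow_id] = Reservation(flow_id, kbps, pol.identity, pol.preempt_priority)
        return True, f"admitted under {pol.identity}"

    def _make_room(self, priority: int, kbps: int) -> bool:
        """With preemption enabled, tear down strictly lower-priority reservations until the
        new flow fits the interface limit (largest flows of the lowest priority first, a choice
        of this model). Group-limit preemption is not modelled. Returns False, changing nothing,
        when preemption is disabled or cannot free enough bandwidth."""
        if not self.preempt:
            return False
        victims = sorted((r for r in self.active.values() if r.priority < priority),
                         key=lambda r: (r.priority, -r.kbps))
        freed, chosen = 0, []
        for victim in victims:
            chosen.append(victim.flow_id)
            freed += victim.kbps
            if self.used() - freed + kbps <= self.interface_max:
                for fid in chosen:
                    del self.active[fid]
                return True
        return False

    def release(self, flow_id: str) -> None:
        """Reservation torn down (RSVP ResvTear or refresh timeout)."""
        self.active.pop(flow_id, None)


# The page's policies and budget: 7600 kb/s voice + 512 kb/s video = 8112 kb/s on Tunnel 1.
PAGE_POLICIES = (
    LocalPolicy("RSVP-VOICE", r".*AudioStream.*", 7600),
    LocalPolicy("RSVP-VIDEO", r".*VideoStream.*", 512),
)


def tunnel1() -> RsvpInterface:
    return RsvpInterface(8112, PAGE_POLICIES, preempt=True)


if __name__ == "__main__":
    iface = tunnel1()
    # Constructed application IDs; only the substring the policy-locator looks for matters.
    for flow, app, bw in [("call-1", "APP=voice SAPP=AudioStream", 80),
                          ("video-1", "APP=video SAPP=VideoStream", 512),
                          ("video-2", "APP=video SAPP=VideoStream", 256),
                          ("backup-1", "APP=fileshare", 1000)]:
        print(flow, *iface.admit(flow, app, bw))
```

Running the module shows the second video stream refused by the 512 kb/s group limit while voice capacity is still free, and the unclassified flow refused by the default policy; that second behaviour is why a new RSVP-signalling application on the WAN must be given an identity before it can reserve anything.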
 
   Cisco Unified SRST with SCCP Endpoints: Transcoding and Conferencing Implementation
Transcoding compresses and decompresses voice streams to match end device capabilities. Transcoding is required when an incoming voice stream is digitized and compressed (by means of a codec) to save bandwidth and the local device does not support that type of compression.
Router(config)# call-manager-fallback ! Enters call manager fallback configuration mode
Router(config-cm-fallback)# max-conferences 3 ! Specifies the maximum number of simultaneous three-party conferences
Router(config-cm-fallback)# exit
Router(config)# voice-card 0 ! Enters voice card configuration mode for the DSPs
Router(config-voicecard)# dsp services dspfarm ! Enables DSP farm services on the card
Router(config-voicecard)# exit
Router(config)# sccp local GigabitEthernet0/1.2 ! Interface whose address the DSP farm uses to register over SCCP
Router(config)# sccp ccm 10.0.1.2 identifier 1 version 5.0.1 ! Defines the Cisco Unified SRST router itself (the call-manager-fallback source address) as SCCP call agent 1 for the DSP farm
Router(config)# sccp ! Enables SCCP globally
Router(config)# sccp ccm group 1 ! Creates SCCP group 1 and enters its configuration mode
Router(config-sccp-ccm)# associate ccm 1 priority 1 ! Associates call agent 1 with the group
Router(config-sccp-ccm)# associate profile 3 register CONFERENCE ! Registers DSP farm profile 3 with the group under the name CONFERENCE
Router(config-sccp-ccm)# associate profile 2 register TRANSCODE ! Registers DSP farm profile 2 with the group under the name TRANSCODE
Router(config-sccp-ccm)# exit
Router(config)# dspfarm profile 2 transcode ! Creates DSP farm profile 2 for transcoding and enters its configuration mode
Router(config-dspfarm-profile)# codec g711ulaw ! Codecs the transcoder supports (one per line)
Router(config-dspfarm-profile)# codec g711alaw
Router(config-dspfarm-profile)# codec g729ar8
Router(config-dspfarm-profile)# codec g729abr8
Router(config-dspfarm-profile)# codec g729r8
Router(config-dspfarm-profile)# codec pass-through ! Adds pass-through (no conversion) as a supported mode
Router(config-dspfarm-profile)# maximum sessions 5 ! Maximum number of simultaneous transcoding sessions for this profile
Router(config-dspfarm-profile)# associate application sccp ! Controls the profile through SCCP
Router(config-dspfarm-profile)# no shutdown ! Activates the profile
Router(config-dspfarm-profile)# exit
Router(config)# dspfarm profile 3 conference ! Creates DSP farm profile 3 for conferencing and enters its configuration mode
Router(config-dspfarm-profile)# codec g711ulaw ! Codecs the conference bridge supports (one per line)
Router(config-dspfarm-profile)# codec g711alaw
Router(config-dspfarm-profile)# codec g729ar8
Router(config-dspfarm-profile)# codec g729abr8
Router(config-dspfarm-profile)# codec g729r8
Router(config-dspfarm-profile)# codec g729br8
Router(config-dspfarm-profile)# maximum sessions 3 ! Maximum number of simultaneous conferences for this profile
Router(config-dspfarm-profile)# associate application sccp ! Controls the profile through SCCP
Router(config-dspfarm-profile)# no shutdown ! Activates the profile
Router(config-dspfarm-profile)# exit
Transcoding and conferencing are configured on the remote Cisco Unified CM as shown in Figure 28 and Figure 29.
Figure 28 Transcoding Configuration for Cisco Unified SRST Mode
 
 
   
Figure 29 Conferencing Configuration for Cisco Unified SRST Mode
 
 
   
Cisco Unified SRST with SCCP Endpoints: Music on Hold Implementation
Music on hold (MOH) is an audio stream that is played to PSTN and VoIP G.711 or G.729 callers who are placed on hold by branch phones while the branch is in Cisco Unified SRST fallback mode. The audio stream reassures callers that they are still connected.
Router(config)# call-manager-fallback ! Enters call manager fallback configuration mode
 
   Router(config-cm-fallback)# moh music-on-hold.au ! Specifies music on hold file
 
   Router(config-cm-fallback)# multicast moh 239.1.1.1 port 16384 ! Uses multicast for MoH
 
   Router(config-cm-fallback)# exit
Cisco Unified SRST with SCCP Endpoints: Voice Mail and Auto Attendant Integration
Voice mail is provided by the Cisco Unity Express service module either in the Advanced Integration Module 2 (AIM2) form factor or the Network Module (NME) form factor. The AIM2 module requires the following configuration.
Router(config)# interface service-engine 0/1 ! Enters configuration mode for the Cisco Unity Express module interface
Router(config-if)# ip address 10.0.2.86 255.255.255.252 ! Assigns the router-side IP address of the service-engine interface
Router(config-if)# service-module ip address 10.0.2.85 255.255.255.252 ! Assigns the IP address of the module's internal interface
Router(config-if)# service-module ip default-gateway 10.0.2.86 ! Points the module at the router-side address as its default gateway
Router(config-if)# zone-member security Private ! Places the Cisco Unity Express interface in the Private security zone so the zone-based firewall policy for that zone applies to it
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip route 10.0.2.84 255.255.255.252 Service-Engine 0/1 ! Adds a static route to the module's subnet through the service-engine interface
 
   Configure a dial peer for voice mail because Cisco Unity Express uses SIP as its signaling protocol.
Router(config)# dial-peer voice 8 voip ! Enters configuration mode for the voicemail dial peer
Router(config-dial-peer)# destination-pattern 5444 ! Voicemail pilot number
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Cisco Unity Express module address
Router(config-dial-peer)# session protocol sipv2 ! Uses SIP signaling toward Cisco Unity Express
Router(config-dial-peer)# codec g711ulaw ! Codec for voicemail calls
Router(config-dial-peer)# b2bua ! Enables the back-to-back user agent so calls forwarded from SCCP phones carry the original called extension, which Cisco Unity Express uses to select the mailbox
Router(config-dial-peer)# dtmf-relay sip-notify ! Carries pressed digits in SIP NOTIFY messages
Router(config-dial-peer)# no vad ! Disables voice activity detection so silence is not clipped from recordings
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 9 voip ! Enters configuration mode for the auto attendant dial peer
Router(config-dial-peer)# destination-pattern 5000 ! Auto attendant pilot number
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Cisco Unity Express module address
Router(config-dial-peer)# session protocol sipv2 ! Uses SIP signaling toward Cisco Unity Express
Router(config-dial-peer)# codec g711ulaw ! Codec for auto attendant calls
Router(config-dial-peer)# b2bua ! Enables the back-to-back user agent for calls forwarded from SCCP phones
Router(config-dial-peer)# dtmf-relay sip-notify ! Carries pressed digits in SIP NOTIFY messages
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
The local Cisco Unity Express software must be registered with the Cisco Unified CM software at the central site. The following reference provides implementation details:
Additional Cisco Unity Express configuration is performed through a web-based user interface, as shown in Figure 17 through Figure 22.
Cisco Unified SRST with SCCP Endpoints: Emergency Services Implementation
The following provides the implementation of emergency number calling for North America. The PRI trunk is used to place emergency calls. Each 911 call is selectively routed to the closest Public Safety Answering Point (PSAP), based on the caller's location. In addition, the caller's phone number and address are displayed automatically on a terminal at the PSAP, so the PSAP can dispatch help quickly even if the caller is unable to state the location, and can call the caller back if the call is disconnected prematurely.
Router(config)# voice emergency response location 1 ! Enters configuration mode for emergency response location (ERL) 1
Router(cfg-emrgncy-resp-location)# elin 1 4085555150 ! Emergency location identification number (ELIN) presented to the PSAP for callers at this location; it must be a DID number that routes back to this PRI
Router(cfg-emrgncy-resp-location)# name Bldg 22, Floor 2 ! Internal location name
Router(cfg-emrgncy-resp-location)# subnet 1 10.0.1.0 255.255.255.0 ! Voice VLAN subnet whose phones belong to this location
Router(cfg-emrgncy-resp-location)# subnet 2 10.0.4.0 255.255.255.0 ! Backup voice VLAN subnet whose phones belong to this location
Router(cfg-emrgncy-resp-location)# exit
Router(config)# dial-peer voice 10 pots ! Enters configuration mode for the emergency call dial peer
Router(config-dial-peer)# emergency response zone ! Replaces the caller's extension with the ELIN of the caller's location
Router(config-dial-peer)# destination-pattern 911 ! North America emergency number
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 11 pots ! Enters configuration mode for the dial peer matching 911 dialed with the access code
Router(config-dial-peer)# emergency response zone ! Replaces the caller's extension with the ELIN of the caller's location
Router(config-dial-peer)# destination-pattern 9911 ! Access code 9 followed by the emergency number
Router(config-dial-peer)# prefix 911 ! Re-adds 911 because the POTS dial peer strips the explicitly matched digits (here all of 9911) before sending the call
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 12 pots ! Enters configuration mode for the ELIN callback dial peer
Router(config-dial-peer)# incoming called-number 4085555150 ! Matches PSAP callbacks to the ELIN
Router(config-dial-peer)# direct-inward-dial ! Enables DID so the incoming call is routed on the called number
Router(config-dial-peer)# emergency response callback ! Delivers the callback to the extension that most recently dialed 911 using this ELIN
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 13 pots ! Enters configuration mode for the second ELIN callback dial peer
Router(config-dial-peer)# incoming called-number 4085555150 ! Matches PSAP callbacks to the ELIN
Router(config-dial-peer)# direct-inward-dial ! Enables DID so the incoming call is routed on the called number
Router(config-dial-peer)# emergency response callback ! Delivers the callback to the extension that most recently dialed 911 using this ELIN
Router(config-dial-peer)# exit
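The emergency response location and the four dial peers above implement a small state machine: the caller's phone is matched to a location by its IP subnet, the outbound 911 call presents that location's ELIN instead of the internal extension, and an inbound PSTN call to the ELIN is mapped back to the extension that most recently dialed 911. The Python model below is an added illustration, not code from this page or from Cisco IOS. It uses the page's location (ELIN 4085555150, subnets 10.0.1.0/24 and 10.0.4.0/24), while the extensions and phone addresses are constructed. The page configures no default ELIN (voice emergency response settings), so the model also shows the case a practitioner should test for: a phone outside every configured subnet goes out with its internal extension as caller ID, which the PSAP cannot call back.

```python
"""Model of Cisco IOS emergency response locations (ERL) and ELIN substitution.

Added example, not code from the page. It reproduces the behaviour implied by
'voice emergency response location', 'emergency response zone' and
'emergency response callback'. Extensions and phone addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EmergencyResponseLocation:
    number: int
    name: str
    elins: Tuple[str, ...]      # 'elin <n> <E.164>': numbers the PSAP sees and can call back
    subnets: Tuple[str, ...]    # 'subnet <n> <network> <mask>': phones that belong here


@dataclass
class EmergencyRouter:
    locations: List[EmergencyResponseLocation]
    # ELIN -> extension of the last phone that dialed 911 with it; this is the table
    # the 'emergency response callback' dial peer consults.
    callback_table: Dict[str, str] = field(default_factory=dict)

    def locate(self, phone_ip: str) -> Optional[EmergencyResponseLocation]:
        """Longest-prefix match of the phone address against every location subnet."""
        ip = ipaddress.ip_address(phone_ip)
        best: Optional[Tuple[int, EmergencyResponseLocation]] = None
        for loc in self.locations:
            for subnet in loc.subnets:
                net = ipaddress.ip_network(subnet, strict=False)
                if ip in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, loc)
        return None if best is None else best[1]

    def outbound_911(self, extension: str, phone_ip: str) -> Tuple[str, Optional[str]]:
        """'emergency response zone' on the 911 dial peers: the calling number sent to the
        PSTN becomes the location's ELIN and the extension is remembered for callback.
        Returns (calling number presented to the PSTN, location name or None)."""
        loc = self.locate(phone_ip)
        if loc is None:
            # No location covers this phone and no default ELIN is configured, so the
            # internal extension goes out unchanged and the PSAP has nothing to call back.
            return extension, None
        elin = loc.elins[0]   # the page defines one ELIN per location; rotation over several is not modelled
        self.callback_table[elin] = extension
        return elin, loc.name

    def callback(self, called_number: str) -> Optional[str]:
        """'emergency response callback' dial peer: an inbound call to an ELIN is delivered
        to the extension that last dialed 911 through it, if any."""
        return self.callback_table.get(called_number)


# The page's location: ERL 1, Bldg 22 Floor 2, ELIN 4085555150, voice VLAN and backup voice VLAN.
PAGE_LOCATIONS = [
    EmergencyResponseLocation(1, "Bldg 22, Floor 2", ("4085555150",),
                              ("10.0.1.0/24", "10.0.4.0/24")),
]


def branch_router() -> EmergencyRouter:
    return EmergencyRouter(list(PAGE_LOCATIONS))


if __name__ == "__main__":
    r = branch_router()
    print(r.outbound_911("5001", "10.0.1.25"))    # ELIN presented, location named
    print(r.callback("4085555150"))               # PSAP callback reaches extension 5001
    print(r.outbound_911("5003", "10.0.2.10"))    # phone outside every ERL: extension leaks out, no callback
```

Because the callback table keeps only the most recent caller per ELIN, two phones at the same location dialing 911 in quick succession leave the first caller unreachable by the PSAP callback; a second ELIN per location is the usual mitigation.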
Cisco Unified SRST with SIP Endpoints Implementation
 • Cisco Unified SRST with SIP Endpoints: Telephony Service Setup
 • Cisco Unified SRST with SIP Endpoints: Cisco Unified SRST Fallback Mode at the Branch Router
 • Cisco Unified SRST with SIP Endpoints: IP Phone Installation and Configuration
 • Cisco Unified SRST with SIP Endpoints: SIP Voice Gateway Implementation
 • Cisco Unified SRST with SIP Endpoints: Dial Plan Implementation
 • Cisco Unified SRST with SIP Endpoints: RSVP Implementation
 • Cisco Unified SRST with SIP Endpoints: Transcoding and Conferencing Implementation
 • Cisco Unified SRST with SIP Endpoints: Music on Hold Implementation
 • Cisco Unified SRST with SIP Endpoints: Voice Mail and Auto Attendant Integration
 • Cisco Unified SRST with SIP Endpoints: Emergency Services Implementation
Cisco Unified SRST provides Cisco Unified CM with fallback support for Cisco IP Phones that are attached to a Cisco router on a branch network. Cisco Unified SRST enables routers to provide call-handling support for Cisco IP Phones when they lose connection to a remote primary, secondary, or tertiary Cisco Unified CM, or when the WAN connection is operationally down.
Cisco Unified SRST with SIP Endpoints: Telephony Service Setup
Configure the Cisco Unified SRST at Cisco Unified CM of the central site, as shown in Figure 30. The Cisco Unified SRST reference name is used in configuring Cisco Unified SRST device pools as shown in Figure 31.
Figure 30 Cisco Unified SRST Configuration in Cisco Unified CM
 
 
   
Figure 31 Cisco Unified SRST Device Pool Configuration in Cisco Unified CM
 
 
   
Cisco Unified SRST with SIP Endpoints: Cisco Unified SRST Fallback Mode at the Branch Router
Router(config)# voice register global ! Enters global configuration mode for SIP phone registration
Router(config-register-global)# max-pool 50 ! Sets the maximum number of SIP phones
Router(config-register-global)# max-dn 100 ! Sets the maximum number of directory numbers (two for each phone)
Router(config-register-global)# system message Your current options ! Sets the message displayed on IP Phones
Router(config-register-global)# dialplan-pattern 1 4085555... extension-length 4 ! Expands 4-digit extensions to full E.164 numbers (4085555xxx)
Router(config-register-global)# exit
Router(config)# voice register pool 1 ! Enters voice register pool configuration mode
Router(config-register-pool)# id network 10.0.1.0 255.255.255.0 ! Accepts registrations from any SIP phone on the voice VLAN subnet
Router(config-register-pool)# proxy 172.16.0.20 preference 1 monitor probe icmp-ping ! Defines the remote SIP proxy and monitors its reachability with ICMP pings so fallback is detected
Router(config-register-pool)# call-forward b2bua busy 5444 ! Forwards calls to busy phones to voicemail through the B2BUA
Router(config-register-pool)# call-forward b2bua noan 5444 timeout 10 ! Forwards unanswered calls to voicemail after 10 seconds of ringing
Router(config-register-pool)# codec g711ulaw ! Sets the codec for local calls
Router(config-register-pool)# exit
Cisco Unified SRST with SIP Endpoints: IP Phone Installation and Configuration
In Cisco Unified SRST mode, the Cisco Unified CM controls IP Phone firmware installation and configuration.
Cisco Unified SRST with SIP Endpoints: SIP Voice Gateway Implementation
The following configuration enables VoIP on the network and sets up SIP dial peers between the branch gateway and the destination telephone networks, as shown in Figure 32, Figure 33, and Figure 34.
Figure 32 SIP Trunk Cisco Unified CM Configuration (1 of 3)
 
 
   
Figure 33 SIP Trunk Cisco Unified CM Configuration (2 of 3)
 
 
   
Figure 34 SIP Trunk Cisco Unified CM Configuration (3 of 3)
 
 
   
Cisco Unified SRST with SIP Endpoints: Dial Plan Implementation
Twelve dial peers were defined for the Streamlined Small Branch Network: central site WAN, central site PSTN, local calls, four 911 emergency services dial peers, voice mail, auto attendant, long distance, international calling and fax pass-through or fax relay. Voice mail, auto attendant and emergency services dial peers are described in the "Cisco Unified SRST with SIP Endpoints: Voice Mail and Auto Attendant Integration" section and in the "Cisco Unified SRST with SIP Endpoints: Emergency Services Implementation" section.
Router(config)# dial-peer voice 1 pots ! Enters configuration mode for the central site PSTN dial peer
Router(config-dial-peer)# destination-pattern 5.... ! Matches central site extensions beginning with 5; the explicitly matched 5 is stripped before the call is sent
Router(config-dial-peer)# prefix 1408555 ! Prepends the central site's 1-408-555 prefix so the call is routed over the PSTN as a full number
Router(config-dial-peer)# incoming called-number .T ! Matches any incoming called number, so inbound PRI calls use this dial peer
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 2 voip ! Enters configuration mode for the central site WAN dial peer
Router(config-dial-peer)# session protocol sipv2 ! Uses SIP signaling for this dial peer
Router(config-dial-peer)# dtmf-relay rtp-nte ! Relays pressed digits in band as RTP named telephone events (RFC 2833)
Router(config-dial-peer)# destination-pattern 408....... ! Matches 10-digit numbers in the central site's 408 area code
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies the central site address to which the call is sent
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 3 pots ! Enters configuration mode for the local calls dial peer
Router(config-dial-peer)# destination-pattern 9....... ! Access code 9 followed by a 7-digit local number; the 9 is stripped before the call is sent
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 4 pots ! Enters configuration mode for the long distance dial peer
Router(config-dial-peer)# destination-pattern 91.......... ! Access code 9, then 1 and a 10-digit long distance number; the explicitly matched 91 is stripped
Router(config-dial-peer)# prefix 1 ! Re-adds the long distance 1 that was stripped
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 5 pots ! Enters configuration mode for the international calls dial peer
Router(config-dial-peer)# destination-pattern 9011T ! Access code 9, then 011 and a variable-length international number (T waits for the interdigit timeout); the explicitly matched 9011 is stripped
Router(config-dial-peer)# prefix 011 ! Re-adds the international 011 that was stripped
Router(config-dial-peer)# direct-inward-dial ! Enables DID so incoming PRI calls are routed on the called number
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# exit
When calls over the WAN exceed the maximum allocated bandwidth, they are redirected to PSTN.
Router(config)# dial-peer voice 15 pots ! Enters configuration mode for the PSTN bypass dial peer
Router(config-dial-peer)# destination-pattern 408....... ! Same 10-digit central site pattern as the WAN dial peer
Router(config-dial-peer)# port 0/0/0:23 ! Specifies the PRI trunk port used for the calls
Router(config-dial-peer)# preference 1 ! Lower priority than the WAN dial peer (default preference 0), so this peer is tried only when the WAN call fails
Router(config-dial-peer)# prefix 408 ! Re-adds 408, which the POTS dial peer strips as explicitly matched digits
Router(config-dial-peer)# exit
   If using fax pass-through, apply the following configuration.
Router(config)# dial-peer voice 6 voip ! Enters configuration mode for the fax pass-through dial peer
Router(config-dial-peer)# session protocol sipv2 ! Uses SIP signaling for this dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Number of the fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies the central site address to which the call is sent
Router(config-dial-peer)# fax protocol pass-through g711ulaw ! Carries the fax modem tones inside a G.711 mu-law voice stream (pass-through)
Router(config-dial-peer)# exit
If using fax relay, apply the following configuration.
Router(config)# dial-peer voice 7 voip ! Enters configuration mode for the fax relay dial peer
Router(config-dial-peer)# session protocol sipv2 ! Uses SIP signaling for this dial peer
Router(config-dial-peer)# destination-pattern 4085555333 ! Number of the fax machine
Router(config-dial-peer)# session target ipv4:172.16.200.10 ! Specifies the central site address to which the call is sent
Router(config-dial-peer)# fax-relay ecm disable ! Disables fax error correction mode
Router(config-dial-peer)# fax rate 9600 ! Limits the fax transmission rate to 9600 bps
Router(config-dial-peer)# fax protocol t38 ! Uses T.38 fax relay
Router(config-dial-peer)# codec g711ulaw ! Voice codec for the call before it switches to T.38
Router(config-dial-peer)# exit
Cisco Unified SRST with SIP Endpoints: RSVP Implementation
The following implementation applies to Cisco Unified SRST branch voice deployments. Apply the following commands on the tunnel interface when DMVPN is the primary WAN transport, and on the WAN interface when GETVPN is used.
Router(config)# interface Tunnel 1 ! Enters tunnel interface configuration mode
Router(config-if)# ip rsvp bandwidth 8112 ! Sets the maximum reservable bandwidth in kbps: voice (see Table 18) plus video (512 kbps)
Router(config-if)# ip rsvp data-packet classification none ! Turns off per-packet data classification
Router(config-if)# ip rsvp resource-provider none ! Specifies no resource provider for the traffic flows
Router(config-if)# ip rsvp policy local identity RSVP-VOICE ! Creates the local RSVP policy for voice
Router(config-rsvp-local-policy)# maximum bandwidth group 7600 ! Caps all voice reservations together at 7600 kbps
Router(config-rsvp-local-policy)# forward all ! Forwards all RSVP messages matching this policy
Router(config-rsvp-local-policy)# exit
Router(config-if)# ip rsvp policy local identity RSVP-VIDEO ! Creates the local RSVP policy for video
Router(config-rsvp-local-policy)# maximum bandwidth group 512 ! Caps all video reservations together at 512 kbps
Router(config-rsvp-local-policy)# forward all ! Forwards all RSVP messages matching this policy
Router(config-rsvp-local-policy)# exit
Router(config-if)# ip rsvp policy local default ! Default policy for reservations that match none of the identities above
Router(config-if)# exit
Router(config)# ip rsvp policy identity RSVP-VIDEO policy-locator .*VideoStream.* ! Identity that matches video reservations by application ID
Router(config)# ip rsvp policy identity RSVP-VOICE policy-locator .*AudioStream.* ! Identity that matches voice reservations by application ID
Router(config)# ip rsvp policy preempt ! Allows a higher-priority reservation to preempt a lower-priority one
RSVP must also be enabled on the voice VLAN subinterface.
Router(config)# interface FastEthernet0/1.2 ! Enters the voice VLAN subinterface configuration mode
Router(config-if)# ip rsvp bandwidth ! Enables RSVP on the interface with the default reservable bandwidth
Router(config-if)# exit
 
Cisco Unified SRST with SIP Endpoints: Transcoding and Conferencing Implementation
Transcoding compresses and decompresses voice streams to match end device capabilities. Transcoding is required when an incoming voice stream is digitized and compressed (by means of a codec) to save bandwidth and the local device does not support that type of compression. The DSP farm on the branch router registers with Cisco Unified CM at the central site, where the transcoding and conferencing resources are configured, as shown in Figure 35 and Figure 36.
Router(config)# voice-card 0 ! Enters voice card configuration mode
Router(config-voicecard)# dsp services dspfarm ! Enables DSP farm services on the card
Router(config-voicecard)# exit
Router(config)# sccp local FastEthernet0/1.2 ! Sets the interface from which the DSP farm registers with Cisco Unified CM
Router(config)# sccp ccm 10.0.1.2 identifier 1 version 5.0.1 ! Defines Cisco Unified CM server 1 for conferencing and transcoding registration
Router(config)# sccp ! Enables SCCP globally
Router(config)# sccp ccm group 1 ! Creates SCCP group 1 and enters SCCP group configuration mode
Router(config-sccp-ccm)# associate ccm 1 priority 1 ! Uses server identifier 1 as the primary Cisco Unified CM
Router(config-sccp-ccm)# associate ccm 2 priority 2 ! Uses server identifier 2 as the backup; it must be defined with its own sccp ccm command
Router(config-sccp-ccm)# associate profile 3 register CONFERENCE ! Registers DSP farm profile 3 under the device name CONFERENCE
Router(config-sccp-ccm)# associate profile 2 register TRANSCODE ! Registers DSP farm profile 2 under the device name TRANSCODE
Router(config-sccp-ccm)# exit
Router(config)# dspfarm profile 2 transcode ! Creates transcoding DSP farm profile 2 and enters its configuration mode
Router(config-dspfarm-profile)# codec g711ulaw ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g711alaw ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g729ar8 ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g729abr8 ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g729r8 ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec pass-through ! Allows streams to pass through the transcoder unchanged
Router(config-dspfarm-profile)# maximum sessions 5 ! Specifies maximum number of simultaneous sessions supported by this profile
Router(config-dspfarm-profile)# associate application sccp ! Associates SCCP with this DSP farm profile
Router(config-dspfarm-profile)# no shutdown ! Activates the profile
Router(config-dspfarm-profile)# exit
Router(config)# dspfarm profile 3 conference ! Creates conferencing DSP farm profile 3 and enters its configuration mode
Router(config-dspfarm-profile)# codec g711ulaw ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g711alaw ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g729ar8 ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g729abr8 ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g729r8 ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# codec g729br8 ! Specifies codec supported by this profile
Router(config-dspfarm-profile)# maximum sessions 3 ! Specifies maximum number of simultaneous conferences supported by this profile
Router(config-dspfarm-profile)# associate application sccp ! Associates SCCP with this DSP farm profile
Router(config-dspfarm-profile)# no shutdown ! Activates the profile
Router(config-dspfarm-profile)# exit
Figure 35 Transcoding Configuration for Cisco Unified SRST Mode
Figure 36 Conferencing Configuration for Cisco Unified SRST Mode
Cisco Unified SRST with SIP Endpoints: Music on Hold Implementation
Music on hold (MOH) is implemented on Cisco Unified CM at the central site. See the following instructions to implement MOH in Cisco Unified CM:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/6_1_1/ccmfeat/fsmoh.html
Cisco Unified SRST with SIP Endpoints: Voice Mail and Auto Attendant Integration
Voice mail is provided by the Cisco Unity Express service module in either the Advanced Integration Module 2 (AIM2) form factor or the Network Module (NME) form factor. The AIM2 module requires the following configuration.
Router(config)# interface Service-Engine 0/1 ! Enters Cisco Unity Express interface configuration mode
Router(config-if)# ip address 10.0.2.86 255.255.255.252 ! Assigns IP address to the router side of the service engine interface
Router(config-if)# service-module ip address 10.0.2.85 255.255.255.252 ! Assigns IP address to the service module internal interface
Router(config-if)# service-module ip default-gateway 10.0.2.86 ! Assigns default gateway for the service module
Router(config-if)# zone-member security Private ! Assigns Cisco Unity Express to the Private security zone so the zone-based firewall policy applies to it
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip route 10.0.2.84 255.255.255.252 Service-Engine 0/1 ! Adds a static route directing traffic for the module subnet to the service engine interface
Configure a dial peer for voice mail, because Cisco Unity Express uses SIP as its signaling protocol.
Router(config)# dial-peer voice 8 voip ! Enters dial peer for voice mail configuration mode
Router(config-dial-peer)# destination-pattern 5444 ! Specifies the voice mail pilot number
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Specifies the Cisco Unity Express address
Router(config-dial-peer)# session protocol sipv2 ! Uses SIP signaling to Cisco Unity Express
Router(config-dial-peer)# codec g711ulaw ! Specifies the codec for voice mail calls
Router(config-dial-peer)# b2bua ! Enables the SIP back-to-back user agent used when calls are forwarded to Cisco Unity Express
Router(config-dial-peer)# dtmf-relay sip-notify ! Specifies DTMF relay method
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 9 voip ! Enters dial peer for auto attendant configuration mode
Router(config-dial-peer)# destination-pattern 5000 ! Specifies the auto attendant pilot number
Router(config-dial-peer)# session target ipv4:10.0.2.85 ! Specifies the Cisco Unity Express address
Router(config-dial-peer)# session protocol sipv2 ! Uses SIP signaling to Cisco Unity Express
Router(config-dial-peer)# codec g711ulaw ! Specifies the codec for auto attendant calls
Router(config-dial-peer)# b2bua ! Enables the SIP back-to-back user agent used when calls are forwarded to Cisco Unity Express
Router(config-dial-peer)# dtmf-relay sip-notify ! Specifies DTMF relay method
Router(config-dial-peer)# no vad ! Disables voice activity detection
Router(config-dial-peer)# exit
The local Cisco Unity Express software must be registered with Cisco Unified CM software at the central site. The following reference provides implementation details:
Additional Cisco Unity Express configuration is performed through a web-based user interface, as shown in Figure 17 through Figure 22.
Cisco Unified SRST with SIP Endpoints: Emergency Services Implementation
The following example implements emergency number calling for North America. The PRI trunk is used for placing emergency calls. Each 911 call is selectively routed to the closest PSAP based on the caller's location. In addition, the caller's phone number and address automatically display on a terminal at the PSAP. The PSAP can quickly dispatch emergency help, even if the caller is unable to communicate the caller's location. Also, if the caller disconnects prematurely, the PSAP has the information it needs to contact the 911 caller.
Router(config)# voice emergency response location 1 ! Creates emergency response location (ERL) 1 and enters its configuration mode
Router(cfg-emrgncy-resp-location)# elin 1 4085555150 ! Specifies the ELIN, a DID number registered for this location in the PSAP's ALI database
Router(cfg-emrgncy-resp-location)# subnet 1 10.0.1.0 255.255.255.0 ! Phones in the voice VLAN subnet belong to this ERL
Router(cfg-emrgncy-resp-location)# subnet 2 10.0.4.0 255.255.255.0 ! Phones in the backup voice VLAN subnet belong to this ERL
Router(cfg-emrgncy-resp-location)# exit
Router(config)# dial-peer voice 10 pots ! Enters dial peer for emergency calls configuration mode
Router(config-dial-peer)# emergency response zone ! Replaces the caller's extension with the ELIN of the ERL that contains the phone's IP address
Router(config-dial-peer)# destination-pattern 911 ! Specifies North America emergency number
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
A POTS dial peer strips the digits that explicitly match its destination pattern before the call leaves the port, so by default this dial peer sends no called-number digits to the PRI. Confirm with show dialplan number 911 which dial peer is matched and, with a test call coordinated with the PSAP, that the PRI receives 911; if the gateway strips all the digits, add forward-digits all to the dial peer (or restore them with prefix 911, as the next dial peer does).
Router(config)# dial-peer voice 11 pots ! Enters dial peer for 911 dialed with the outside-line access code
Router(config-dial-peer)# emergency response zone ! Replaces the caller's extension with the ELIN of the ERL that contains the phone's IP address
Router(config-dial-peer)# destination-pattern 9911 ! Matches 9 followed by 911; the explicitly matched digits are stripped
Router(config-dial-peer)# prefix 911 ! Restores 911 as the number sent to the PSTN
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# port 0/0/0:23 ! Specifies outgoing/incoming interface for calls
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 12 pots ! Enters dial peer for ELIN callback configuration mode
Router(config-dial-peer)# incoming called-number 4085555150 ! Matches inbound PSTN calls to the ELIN
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# emergency response callback ! Routes a PSAP callback to the ELIN to the phone that last dialed 911 from this ERL
Router(config-dial-peer)# exit
Router(config)# dial-peer voice 13 pots ! Enters dial peer for ELIN callback configuration mode
Router(config-dial-peer)# incoming called-number 4085555150 ! Matches inbound PSTN calls to the ELIN
Router(config-dial-peer)# direct-inward-dial ! Enables DID numbers
Router(config-dial-peer)# emergency response callback ! Routes a PSAP callback to the ELIN to the phone that last dialed 911 from this ERL
Router(config-dial-peer)# exit
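The following Python model (an added example, not Cisco code and not part of the original guide) shows what the emergency response zone and emergency response callback commands accomplish together: a 911 call from a phone whose IP address falls in one of ERL 1's subnets leaves the PRI with the ELIN 4085555150 as its calling number, the gateway remembers which extension used the ELIN, and an inbound call to the ELIN is delivered to that extension while the mapping is current. The extensions, phone addresses and timestamps are constructed; the 3-hour callback window is the IOS default for this mapping, and the behaviour when no ERL matches (the call leaves with the phone's own number, since this page configures no default ELIN) is this model's assumption.

```python
import ipaddress


class EmergencyResponseLocation:
    """One 'voice emergency response location': its ELIN(s) and the phone
    subnets whose 911 calls it covers."""

    def __init__(self, tag, elins, subnets):
        self.tag = tag
        self.elins = list(elins)  # order of the 'elin <n>' entries
        self.subnets = [ipaddress.ip_network(s) for s in subnets]

    def covers(self, phone_ip):
        return any(ipaddress.ip_address(phone_ip) in net for net in self.subnets)


class E911Gateway:
    """Calling-number substitution on 911 calls and PSAP callback routing.

    For each ELIN the gateway remembers which extension most recently used it,
    for callback_window seconds (3 hours is the IOS default for this timer).
    """

    def __init__(self, locations, callback_window=3 * 3600):
        self.locations = locations
        self.callback_window = callback_window
        self.elin_map = {}  # elin -> (extension, time of the 911 call)

    def _erl_for(self, phone_ip):
        for erl in self.locations:
            if erl.covers(phone_ip):
                return erl
        return None

    def _active(self, elin, now):
        entry = self.elin_map.get(elin)
        return entry is not None and now - entry[1] < self.callback_window

    def place_911_call(self, extension, phone_ip, now):
        """Calling number presented to the PSAP for a 911 call from 'extension'."""
        erl = self._erl_for(phone_ip)
        if erl is None:
            # Assumption of this model: no matching ERL and no default ELIN
            # configured, so the call leaves with the phone's own number.
            return extension
        # First ELIN whose previous mapping is absent or expired; when every
        # ELIN is still in use, ELIN 1 is reused and its mapping overwritten.
        chosen = erl.elins[0]
        for elin in erl.elins:
            if not self._active(elin, now):
                chosen = elin
                break
        self.elin_map[chosen] = (extension, now)
        return chosen

    def psap_callback(self, called_number, now):
        """Extension a PSAP callback to 'called_number' should ring, or None when
        the number is not an ELIN or its mapping has expired."""
        if not self._active(called_number, now):
            return None
        return self.elin_map[called_number][0]


def build_gateway():
    """Gateway with the single ERL configured on this page: one ELIN, two subnets."""
    erl = EmergencyResponseLocation(1, ["4085555150"], ["10.0.1.0/24", "10.0.4.0/24"])
    return E911Gateway([erl])


if __name__ == "__main__":
    gw = build_gateway()
    print("911 from 5001 at 10.0.1.25 presents", gw.place_911_call("5001", "10.0.1.25", now=1000))
    print("PSAP callback to the ELIN reaches", gw.psap_callback("4085555150", now=1500))
    print("911 from 5003 at 10.0.2.9 presents", gw.place_911_call("5003", "10.0.2.9", now=3000))
```

With one ELIN, a second 911 caller from the same ERL overwrites the mapping, so a callback reaches only the most recent caller; configuring additional elin entries under the ERL gives each concurrent caller its own callback number.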
Optimization Services Implementation
 • Router and Cisco WAE Module Configuration
 • Additional Cisco WAE-Application Accelerator Configuration
 • Cisco WAE-Central Manager Implementation
Cisco WAAS Implementation
Note  The following section applies only to the Cisco 2911 ISR. The Cisco 2901 ISR does not provide a network module slot.
In the Streamlined Small Branch Network, the Cisco NME-WAE-502 network module was used to optimize the Common Internet File System (CIFS), FTP, and HTTP traffic.
Two types of configuration are applied to devices that run Cisco Wide Area Application Services (Cisco WAAS):
 • Router and Cisco WAE module configuration
 • Central manager configuration
After the router and module configurations are complete, the Cisco Wide Area Application Engine (Cisco WAE) module can be registered with the central manager. Registration with the central manager requires that all router configuration steps be complete, and that the Cisco WAE be able to connect to the central manager. After the Cisco WAE has been registered and activated with the central manager, all additional configuration options can be set through the central manager device groups.
The central manager configuration provides the remaining configuration for the entire Cisco WAAS deployment. The central manager configuration options can be applied at the device or device group level. To simplify the deployment and management of the Cisco WAAS solution, the Streamlined Small Branch Network uses device groups as the primary central manager configuration method.
Router and Cisco WAE Module Configuration
The router provides Cisco Web Cache Communication Protocol (Cisco WCCP) interception points for Cisco WAAS. Cisco WCCP redirection allows the router to redirect traffic to Cisco WAAS for optimization. Various methods of interception and redirection are supported by routers and switches; the redirection method depends on the speed requirements and the router or switch platform. This deployment uses both generic routing encapsulation (GRE) redirection and Layer 2 (L2) redirection.
The loopback interface on the router is essential for identifying the router ID. Although any IP address can be used to identify the router ID, the loopback interface is preferred over the physical interfaces. Loopback interfaces are always available, and there are no physical ties to them. Other routing protocols also use loopback interfaces as the preferred method for naming the router ID. If the IP address is tied to a specific physical interface, and the physical interface fails, then the IP address becomes unavailable, causing unexpected problems for the Cisco WCCP groups.
The Cisco WCCPv2 services 61 and 62, also known as TCP promiscuous mode services, allow Cisco WCCP to transparently intercept and redirect traffic to the Cisco WAE module. Service 61 redirects ingress traffic, and service 62 redirects egress traffic. Services 61 and 62 are both needed to redirect bidirectional traffic flow. Passwords should be assigned to Cisco WCCP service groups to prevent a rogue device from joining the group and receiving the redirected traffic. The example below enables the services without a password; in production, set one with the password keyword of the ip wccp command and configure the same password on the Cisco WAE.
Branch(config)# ip wccp 61 ! Enables WCCP service 61 (ingress, traffic arriving from the LAN)
Branch(config)# ip wccp 62 ! Enables WCCP service 62 (egress, traffic arriving from the WAN)
Branch(config)# ip inspect WAAS enable ! Enables firewall inspection of WAAS-optimized TCP connections coming from the WAE
Branch(config)# interface Integrated-Service-Engine 1/0 ! Enters WAE module interface configuration mode
Branch(config-if)# ip address 10.0.2.90 255.255.255.252 ! Assigns IP address to the router side of the backplane interface
Branch(config-if)# ip wccp redirect exclude in ! Excludes packets received from the WAE from redirection to prevent a traffic loop
Branch(config-if)# zone-member security Private ! Assigns the interface to the Private security zone
Branch(config-if)# service-module ip address 10.0.2.89 255.255.255.252 ! Assigns IP address to the service module internal interface
Branch(config-if)# service-module ip default-gateway 10.0.2.90 ! Assigns default gateway for the service module
Branch(config-if)# no keepalive ! Disables keepalives on the interface
Branch(config-if)# exit
Branch(config)# ip route 10.0.2.88 255.255.255.252 Integrated-Service-Engine 1/0 ! Adds a static route directing traffic for the module subnet to the WAE interface
 
Apply WCCP redirection on the WAN, tunnel, and LAN interfaces.
Branch(config)# interface Serial0/1/0/0.1 point-to-point ! Enters WAN subinterface configuration mode
Branch(config-if)# ip wccp 62 redirect in ! Redirects traffic arriving from the WAN (service 62)
Branch(config)# interface Tunnel1 ! Enters tunnel interface configuration mode
Branch(config-if)# ip wccp 62 redirect in ! Redirects traffic arriving from the tunnel (service 62)
Branch(config)# interface FastEthernet0/1.1 ! Enters LAN subinterface configuration mode
Branch(config-if)# ip wccp 61 redirect in ! Redirects traffic arriving from the LAN (service 61)
   Configurations for LAN, WAN, and tunnel interfaces are provided in the "WAN Services Implementation" section, the "LAN Services Implementation" section, and the "Security Services Implementation" section.
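A short configuration audit, as an added example that is not part of this guide and not Cisco code, for the point made above that WCCP service groups should carry a password: it parses an IOS running-config fragment, flags ip wccp services enabled without a password or group-list, checks that the WAE module interface excludes its own traffic from redirection and sits in a security zone, and checks that every interface redirect references a service that is enabled globally. The two configuration fragments are constructed from the commands on this page; the password value and the finding wording are the example's own.

```python
import re


def parse_ios_config(text):
    """Split a running-config into global commands and per-interface command lists.
    Interface sub-commands are the indented lines that follow 'interface X'."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_wccp(text):
    """Return (severity, message) findings for the WCCP/WAE integration in 'text'."""
    global_cmds, interfaces = parse_ios_config(text)
    findings = []
    services = {}  # WCCP service id -> options given on its 'ip wccp' line
    for cmd in global_cmds:
        m = re.match(r"ip wccp (\d+)(.*)", cmd)
        if m:
            services[m.group(1)] = m.group(2).split()
    for svc, opts in services.items():
        if "password" not in opts and "group-list" not in opts:
            findings.append(("high", f"ip wccp {svc}: no password or group-list, so any "
                                     "host can join the service group and receive redirected traffic"))
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"ip wccp (\d+) redirect (in|out)", cmd)
            if m and m.group(1) not in services:
                findings.append(("medium", f"{name}: redirects service {m.group(1)}, "
                                           "which is not enabled globally"))
        if name.startswith(("Integrated-Service-Engine", "Service-Engine")):
            if "ip wccp redirect exclude in" not in cmds:
                findings.append(("high", f"{name}: missing 'ip wccp redirect exclude in'; "
                                         "traffic returning from the WAE is redirected again (loop)"))
            if not any(c.startswith("zone-member security") for c in cmds):
                findings.append(("medium", f"{name}: not assigned to a security zone"))
    return findings


# Constructed from the router commands on this page, without a WCCP password.
WEAK_CONFIG = """\
ip wccp 61
ip wccp 62
ip inspect WAAS enable
interface Integrated-Service-Engine1/0
 ip address 10.0.2.90 255.255.255.252
 ip wccp redirect exclude in
 zone-member security Private
 service-module ip address 10.0.2.89 255.255.255.252
 service-module ip default-gateway 10.0.2.90
 no keepalive
interface Tunnel1
 ip wccp 62 redirect in
interface FastEthernet0/1.1
 ip wccp 61 redirect in
"""

# Same fragment with a service-group password (the value is an example).
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "ip wccp 61\n", "ip wccp 61 password 0 Wccp-Branch-Key\n").replace(
    "ip wccp 62\n", "ip wccp 62 password 0 Wccp-Branch-Key\n")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wccp(cfg) or "no findings")
```

The WAE must be configured with the same password for the TCP promiscuous service (the password option of its wccp configuration for your WAAS release), or the router stops accepting it into the service group and traffic falls back to the unoptimized path.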
Additional Cisco WAE-Application Accelerator Configuration
Additional commands are necessary to complete the Cisco WAE implementation.
Router# service-module integrated-Service-Engine 1/0 session ! Opens a console session to the WAE service module
Trying 10.0.2.90, 2066 ... Open
Cisco Wide Area Application Engine Console
Username: admin
Password:
System Initialization Finished.
WAE(config)# device mode application-accelerator ! Sets the WAE module to application acceleration mode (the default)
WAE(config)# primary-interface FastEthernet 1/0 ! Sets the primary interface for traffic interception and delivery
WAE(config)# ip name-server 172.16.0.70 ! Assigns central site DNS server for the module
WAE(config)# ntp server 172.16.0.60 ! Assigns central site NTP server for the module
WAE(config)# central-manager address 172.16.100.1 ! Assigns the Central Manager for the module
WAE(config)# wccp router-list 1 10.0.2.90 ! Adds the router to the WCCPv2 router list
WAE(config)# wccp tcp-promiscuous router-list-num 1 ! Enables TCP promiscuous mode (services 61 and 62) with the routers in list 1
The Cisco WCCP configuration for TCP promiscuous mode services 61 and 62 succeeded. Remember to configure Cisco WCCP services 61 and 62 on the corresponding router.
WAE(config)# wccp version 2 ! Enables WCCP version 2
WAE(config)# cms enable ! Initializes the local database and connects to the central manager
The following traffic interception policies can be automatically configured from the Cisco WAE central manager. The CLI version of these policies is provided for demonstration purposes and as a starting point for customization.
WAE(config)# policy-engine application name File-Transfer ! Creates a new application name for FTP traffic
WAE(config)# policy-engine application name WEB ! Creates a new application name for HTTP traffic
WAE(config)# policy-engine application name WAFS ! Creates a new application name for file system traffic
WAE(config)# policy-engine application classifier FTP-Control ! Creates application classifier for FTP control traffic
WAE(config-app-cls)# match dst port eq 21 ! Matches traffic with destination port 21
WAE(config-app-cls)# exit
WAE(config-pol-eng-app)# exit
WAE(config)# policy-engine application classifier FTP-Data ! Creates application classifier for FTP data traffic
WAE(config-app-cls)# match dst port eq 20 ! Matches traffic with destination port 20
WAE(config-app-cls)# exit
WAE(config-pol-eng-app)# exit
WAE(config)# policy-engine application classifier HTTP ! Creates application classifier for HTTP traffic
WAE(config-app-cls)# match dst port eq 80 ! Matches traffic with destination port 80
WAE(config-app-cls)# match dst port eq 8080 ! Matches traffic with destination port 8080
WAE(config-app-cls)# match dst port eq 8000 ! Matches traffic with destination port 8000
WAE(config-app-cls)# match dst port eq 8001 ! Matches traffic with destination port 8001
WAE(config-app-cls)# match dst port eq 3128 ! Matches traffic with destination port 3128
WAE(config-app-cls)# exit
WAE(config-pol-eng-app)# exit
WAE(config)# policy-engine application classifier CIFS ! Creates application classifier for CIFS traffic
WAE(config-app-cls)# match dst port eq 139 ! Matches traffic with destination port 139
WAE(config-app-cls)# match dst port eq 445 ! Matches traffic with destination port 445
WAE(config-app-cls)# exit
WAE(config-pol-eng-app)# exit
WAE(config)# policy-engine application map basic name File-Transfer classifier FTP-Control action pass-through ! Maps the FTP-Control classifier to the File-Transfer application; the control channel is passed through unoptimized
WAE(config)# policy-engine application map basic name File-Transfer classifier FTP-Data action optimize full ! Maps the FTP-Data classifier to the File-Transfer application; the data channel is fully optimized
WAE(config)# policy-engine application map basic name WEB classifier HTTP action optimize full ! Maps the HTTP classifier to the WEB application and fully optimizes matching traffic
WAE(config)# policy-engine application map basic name WAFS classifier CIFS action optimize full accelerate cifs-adaptor ! Maps the CIFS classifier to the WAFS application, fully optimizes it, and applies the CIFS-specific application adaptor
WAE(config)# policy-engine application map adaptor WAFS transport name WAFS All action optimize full ! Fully optimizes the WAFS transport connections between the edge and core WAEs
 
Activating the Application Accelerators
For security purposes, Cisco WAEs that are being added to the Cisco WAAS network need to be approved by the Cisco WAAS network administrator. This prevents unauthorized devices from joining the Cisco WAAS network and receiving configuration and redirected traffic. Before activating, check that the inactive devices listed are the ones you deployed. This section provides steps for activating all the inactive devices.
To activate the devices, from the Cisco WAAS Central Manager window, choose Devices > Devices.
  1.  In the taskbar, click the Activate All Inactive WAEs icon, shown in the red box in Figure 37, to activate the two inactive Cisco WAEs.
Figure 37 Devices Window
  2.  The Activate All Inactive WAE window appears, as shown in Figure 38. By default, the Create a new location for each inactive WAE option is chosen.
Figure 38 Activating Inactive Cisco WAEs
  3.  Click Submit at the bottom of the page.
  4.  When a Transaction Warning dialog box appears, click OK, and then click Submit. The state of the core and edge Cisco WAEs is now listed as pending instead of inactive, as shown in the red box in the middle of Figure 39. Notice in the red box at the top of Figure 39 that the system status has changed to orange, with two devices reporting Major.
Figure 39 Pending Devices
  5.  After a few minutes, all devices show Online in the Status column, as shown in Figure 40.
Figure 40 Online Devices
Cisco WAE-Central Manager Implementation
The central manager is the management component of Cisco WAAS. The central manager provides a GUI for configuration, monitoring, and management of multiple branch-office and data center Cisco WAEs. The central manager can scale to support thousands of Cisco WAE devices for large-scale deployments. The central manager must be used in order to make configuration changes through the web interface. If the central manager fails, the Cisco WAEs continue to function; however, changes cannot be made using the web pages on the central manager until the central manager comes back online.
The Cisco WAEs need to connect to the central manager at the initial setup. The registration process adds the Cisco WAE to the central manager and initializes the local Cisco WAE database. When disk encryption on the Cisco WAE is enabled, the central manager must be available to distribute the encryption key if the Cisco WAE reboots.
Centralized reporting can be obtained from the central manager. Individually, the Cisco WAEs provide basic statistics through the CLI and local-device GUI. Systemwide application statistics are available from the central manager GUI. Detailed reports such as total traffic reduction, application mix, and pass-through traffic are available from the central manager GUI.
WAE-CM(config)# device mode central-manager ! Sets the WAE device to central manager mode (application accelerator is the default)
WAE-CM(config)# primary-interface FastEthernet 1/0 ! Sets the primary interface for management traffic
WAE-CM(config)# interface FastEthernet 1/0 ! Enters Fast Ethernet configuration mode for the specified port
WAE-CM(config-if)# ip address 172.16.100.1 255.255.255.0 ! Assigns IP address for the interface
WAE-CM(config-if)# no shutdown
The interface was up.
WAE-CM(config-if)# exit
WAE-CM(config)# ip default-gateway 192.168.0.2 ! Assigns default gateway for the central manager
WAE-CM(config)# ntp server 172.16.0.60 ! Assigns NTP server for the central manager
WAE-CM(config)# cms enable ! Starts the centralized management service
Verify that the Cisco WAAS central manager process has started by pointing a web browser at the following URL, which opens the Cisco WAAS Central Manager GUI shown in Figure 41:
https://<cm_server_ip or host_name>:8443
Figure 41 Cisco WAAS Central Manager GUI
  1.  Log in using the following default credentials:
Username: admin
Password: default
Change the default admin password immediately after the first login; the central manager pushes configuration to every Cisco WAE, so this account controls the whole Cisco WAAS deployment.
The Devices window shown in Figure 42 appears.
Figure 42 Devices Window
For ease of use and to start collecting statistics earlier, you need to change a few parameters. In the following steps, you extend the central manager session timeout interval and modify the intervals at which the Cisco WAAS central manager and the Cisco WAEs push and pull data.
  2.  Choose System > Configuration. The Config Properties window shown in Figure 43 appears.
Figure 43 Config Properties Window
  3.  Choose ALL from the Rows drop-down list shown in the red box in Figure 43.
  4.  Click the Edit icon next to each parameter in red boxes 2 to 5 in Figure 43 and set the following values:
cdm.session.timeout: 100
System.datafeed.pollRate: 60
System.healthmonitor.collectRate: 30
System.monitoring.collectRate: 60
Caveats
 • Zone-based firewall does not support inspection of SIP and SCCP in releases earlier than Cisco IOS Release 12.4(20)T. See DDTS CSCsm79679.
 • Zone-based firewall does not support stateful switchover.
 • Message waiting indicator (MWI) does not work during router failover.
 • Cisco Unified CME does not work with HSRP.
 • Cisco Web Cache Communication Protocol (Cisco WCCP) version 2 is not Virtual Routing and Forwarding (VRF) aware and does not work if multiple VRF interfaces (VRF-lite) are configured on the customer edge (CE) router.
 • Call preservation is not supported during HSRP. Only local IP Phone calls may be preserved.
 • Traffic shaping is not supported over virtual access interfaces with PPP over ATM. See DDTS CSCsm77478.
 • VRF-aware IP SLA is not supported in releases earlier than Cisco IOS Release 12.4(20)T.
 • Bidirectional Forwarding Detection (BFD) is supported only on Fast Ethernet interfaces. Support for additional WAN encapsulations such as Frame Relay and PPP is planned for future releases.
 • GETVPN is not VRF aware in releases earlier than Cisco IOS Release 12.4(20)T.
 • When registered to Cisco Unified CME, the Cisco Unified IP Conference Station 7936 running firmware version 1.1 continues to display message prompts such as "hold" and "enter number" after the call has ended. See DDTS CSCsm61235.