02-10-2011 01:15 AM - edited 03-01-2019 04:37 PM
In this article we give the configuration used on the ASR 1004 and on the switches that provided wireless and wired internet access during the Fosdem 2011 conference.
During this conference we had more than 4171 unique users on the WiFi over the whole event, with a peak of 1672 concurrent users. Most of them used a dual stack, reaching the internet over both IPv4 and IPv6 across a 1 Gbps fiber link.
We had to redact some information, as it would reveal details about the ULB network; the ULB was kind enough to let us use their wireless infrastructure, among other things.
We also owe a debt to our fantastic ISP, Belnet, who provided the 1 Gbps link and the IPv4 and IPv6 network ranges.
Cisco also sponsored this event, providing hardware and volunteers to configure and maintain the network.
The configuration of the main router with comments and important commands in bold was:
------------------ show running-config ------------------
Building configuration...
Current configuration : 13632 bytes
!
! Last configuration change at 13:52:55 UTC Sun Feb 6 2011 by admin
! NVRAM config last updated at 10:50:42 UTC Sun Feb 6 2011 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname cASR1kd15-1
!
boot-start-marker
boot system flash bootflash:asr1000rp1-adventerprisek9.03.01.02.S.150-1.S2.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 1048576
enable secret 4 <redacted>
!
aaa new-model
!
!
aaa authentication login default local enable
!
!
!
!
!
aaa session-id common
!
!
no ip source-route
ip icmp rate-limit unreachable 100
! note we only limit the unreachables as we need icmp for ND and PMTU
!
! we have the AP in a different VRF
ip vrf ULB-AP
rd 12345:12345
!
!
!
no ip bootp server
ip domain name fosdem.net
ip host core-sw 192.168.211.254
ip host noc-sw 192.168.211.253
ip host h-sw 192.168.211.252
ip host j-sw 192.168.211.251
ip host aw-sw 192.168.211.250
ip name-server 193.190.198.10
ip name-server 193.190.67.53
ip name-server 193.190.198.2
ip name-server 8.8.8.8
ip name-server 2001:6A8:3C80::20
ip dhcp database flash:/dhcp-database
ip dhcp bootp ignore
ip dhcp excluded-address 193.191.32.1 193.191.32.26
ip dhcp excluded-address 193.191.63.200 193.191.63.254
ip dhcp excluded-address 193.191.64.1 193.191.64.26
ip dhcp excluded-address 193.191.95.200 193.191.95.254
ip dhcp excluded-address 193.191.64.101
!
ip dhcp pool Wifi-client
network 193.191.32.0 255.255.224.0
default-router 193.191.63.254
domain-name fosdem.net
dns-server 193.190.198.10 193.190.67.53 193.190.198.2
!
ip dhcp pool Wired-client
network 193.191.64.0 255.255.224.0
domain-name fosdem.net
dns-server 193.190.198.10 193.190.67.53 193.190.198.2
default-router 193.191.95.254
!
!
ipv6 unicast-routing
! we have no ipv6 dhcp database command as this was causing problems
!
ipv6 dhcp pool FOSDEM-v6
address prefix 2001:6A8:1100:CAFE::/64
dns-server 2001:6A8:1100:BEEF:20C:29FF:FEA3:BEB
dns-server 2001:6A8:1100:BEEF:20C:29FF:FE8F:F8D0
domain-name fosdem.net
sntp address 2001:6A8:1100:CAFE::1
!
ipv6 dhcp pool FOSDEM-v6-wired
address prefix 2001:6A8:1100:BEEF::/64
dns-server 2001:6A8:1100:BEEF:20C:29FF:FEA3:BEB
dns-server 2001:6A8:1100:BEEF:20C:29FF:FE8F:F8D0
domain-name fosdem.net
sntp address 2001:6A8:1100:BEEF::1
!
ipv6 multicast-routing
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path harddisk:archived-configs
maximum 14
write-memory
time-period 1440
!
username admin privilege 15 password 7 <removed>
username mon!tor password 7 <removed>
!
redundancy
notification-timer 30000
mode sso
!
!
!
!
!
!
ip ssh time-out 60
ip ssh version 2
ip scp server enable
bridge irb
!
!
!
!
interface GigabitEthernet0/0/0
description ---------- uplink to Belnet ----------------
ip address 193.191.4.50 255.255.255.252
ip access-group LimitingInternetIn in
ip access-group LimitingInternetout out
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default allow-self-ping l2-src
ip virtual-reassembly
media-type sfp
negotiation auto
ipv6 address 2001:6A8:1000:8003::2/64
ipv6 mtu 1480
ipv6 verify unicast source reachable-via rx allow-default
ipv6 traffic-filter ForbiddenV6Ports in
ipv6 traffic-filter ForbiddenV6Ports out
!
...
!
interface GigabitEthernet0/1/0
description ---------- trunk to Fosdem ----------------
no ip address
ip virtual-reassembly
negotiation auto
cdp enable
!
interface GigabitEthernet0/1/0.10
description ---------- downlink to Wired Internet client ----------------
encapsulation dot1Q 10
ip address 193.191.95.254 255.255.224.0
ip access-group LimitingClientWiredIn in
ip access-group LimitingClientWiredOut out
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ipv6 address 2001:6A8:1100:BEEF::1/64
ipv6 dhcp server FOSDEM-v6-wired
ipv6 verify unicast source reachable-via rx allow-default
ipv6 traffic-filter ForbiddenV6Ports in
ipv6 traffic-filter ForbiddenV6Ports out
cdp enable
!
interface GigabitEthernet0/1/0.23
description -------- AP management VLAN ------------
encapsulation dot1Q 23
ip vrf forwarding ULB-AP
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
cdp enable
!
interface GigabitEthernet0/1/0.211
description -------- INFRA management VLAN ------------
encapsulation dot1Q 211
ip address 192.168.211.249 255.255.255.0
cdp enable
!
...
!
interface GigabitEthernet0/1/7
description ---------- uplink to ResULB ----------------
no ip address
no negotiation auto
!
interface GigabitEthernet0/1/7.1023
description -------- AP management VLAN ----------------
encapsulation dot1Q 1023
ip vrf forwarding ULB-AP
ip address <redacted> 255.255.255.0
ip nat outside
ip virtual-reassembly
cdp enable
!
interface GigabitEthernet0/1/7.1400
description ----------- WiFi Internet client traffic ----------------
encapsulation dot1Q 1400
ip address 193.191.32.1 255.255.224.0 secondary
ip address 193.191.63.254 255.255.224.0
ip access-group LimitingClientWirelessIn in
ip access-group LimitingClientWirelessOut out
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default allow-self-ping l2-src
ip flow ingress
ip virtual-reassembly
ipv6 address 2001:6A8:1100:CAFE::1/64
ipv6 dhcp server FOSDEM-v6
ipv6 verify unicast source reachable-via rx allow-default
ipv6 traffic-filter ForbiddenV6Ports in
ipv6 traffic-filter ForbiddenV6Ports out
cdp enable
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
ip nat inside source list ULB-AP-NAT interface GigabitEthernet0/1/7.1023 vrf ULB-AP overload
!
ip flow-aggregation cache source-prefix
enabled
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 193.191.4.49
ip route vrf ULB-AP 0.0.0.0 0.0.0.0 <redacted>
ip route vrf ULB-AP 144.254.0.0 255.255.0.0 Null0
!
ip access-list extended LimitingClientWiredIn
! no RFC 1918 ips
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 10.0.0.0 0.255.255.255
! deny access to AP management
deny ip any <redacted> log
deny ip <redacted> any log
! limit some traffic not allowed by BELNET
deny tcp any any eq smtp
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 1434
! produce some statistics
permit tcp any any
permit udp any any
permit icmp any any
permit esp any any
permit gre any any
permit ip any any
ip access-list extended LimitingClientWiredOut
! deny access to AP management
deny ip any <redacted> log
deny ip <redacted> any log
! limit some traffic not allowed by BELNET
deny tcp any any eq smtp
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 1434
! produce some statistics
permit tcp any any
permit udp any any
permit icmp any any
permit esp any any
permit gre any any
permit ip any any
ip access-list extended LimitingClientWirelessIn
! same as LimitingClientWiredIn
! no RFC 1918 ips
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 10.0.0.0 0.255.255.255
! deny access to AP management
deny ip any <redacted> log
deny ip <redacted> any log
! limit some traffic not allowed by BELNET
deny tcp any any eq smtp
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 1434
! produce some statistics
permit tcp any any
permit udp any any
permit icmp any any
permit esp any any
permit gre any any
permit ip any any
ip access-list extended LimitingClientWirelessOut
! the same as LimitingClientWiredOut
! deny access to AP management
deny ip any <redacted> log
deny ip <redacted> any log
! limit some traffic not allowed by BELNET
deny tcp any any eq smtp
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 1434
! produce some statistics
permit tcp any any
permit udp any any
permit icmp any any
permit esp any any
permit gre any any
permit ip any any
ip access-list extended LimitingInternetIn
! deny access to AP management
deny ip any <redacted> log
deny ip <redacted> any log
! limit some traffic not allowed by BELNET
deny tcp any any eq smtp
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 1434
! produce some statistics
permit tcp any any
permit udp any any
permit icmp any any
permit esp any any
permit gre any any
permit ip any any
ip access-list extended LimitingInternetout
! deny access to AP management
deny ip any <redacted> log
deny ip <redacted> any log
! limit some traffic not allowed by BELNET
deny tcp any any eq smtp
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 1434
! produce some statistics
permit tcp any any
permit udp any any
permit icmp any any
permit esp any any
permit gre any any
permit ip any any
ip access-list extended ULB-AP-NAT
permit ip <redacted> any
!
logging esm config
cdp run
ipv6 route 2001:6A8:1100::/48 Null0
! null route the part of our /48 that we don't actually use
! this prevents a loop as we would send this to Belnet and they would send it back
ipv6 route 2000::/3 GigabitEthernet0/0/0 FE80::21B:C0FF:FEA7:8401
ipv6 route ::/0 2001:6A8:1000:8002::1
! on the PtP link on G0/0/0 we have 2001:6A8:1000:8003::2/64
! the belnet router has 2001:6A8:1000:8003::1 and FE80::21B:C0FF:FEA7:8401
ipv6 router rip Fosdem
!
!
!
!
ipv6 access-list ForbiddenV6Ports
! limit some traffic not allowed by BELNET
deny tcp any any eq smtp
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 1434
! produce some statistics
permit tcp any any
permit udp any any
permit icmp any any
permit esp any any
permit sctp any any
permit ipv6 any any
bridge 23 protocol ieee
control-plane host
management-interface GigabitEthernet0/0/0 allow ssh
management-interface GigabitEthernet0/0/1 allow ssh
management-interface GigabitEthernet0/1/0 allow ssh
management-interface GigabitEthernet0/1/0.10 allow ssh
management-interface GigabitEthernet0/1/7.1400 allow ssh
!
!
control-plane
!
!
!
!
banner exec ^CC
Welcome to Fosdem 2011 Network infra
Unauthorized access prohibited
^C
banner login ^CC
Welcome to Fosdem 2011 Network infra
Unauthorized access prohibited
^C
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
!
ntp master 3
ntp server 193.190.198.10 source GigabitEthernet0/0/0 prefer
end
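The six client and uplink ACLs above are near-copies of each other, and the comments say the wireless lists are "the same as" the wired ones. The script below is an added example, not code from the original post or from Cisco: it parses IOS "ip access-list extended" blocks, evaluates sample flows with the first-match semantics and implicit trailing deny that IOS applies, and diffs two ACLs so that drift between supposedly identical lists shows up. ACL_TEXT is a constructed excerpt of the page's ACLs with the redacted lines dropped; its WirelessIn copy deliberately omits the 10/8 deny so the diff has something to report (the page's own two lists are identical). Only the "eq" port qualifier and contiguous wildcard masks are handled, which is all the page's ACLs use.

```python
"""Audit IOS extended ACLs like those in the FOSDEM 2011 ASR 1004 config.

Added example, not code from the original post or from Cisco. ACL_TEXT is
a constructed excerpt of the page's ACLs: redacted lines are dropped and
the WirelessIn copy deliberately omits the 10/8 deny so diff_acls() has
something to report.
"""
import ipaddress

PORT_NAMES = {"smtp": 25, "netbios-ns": 137}   # keywords IOS prints for ports

ACL_TEXT = """\
ip access-list extended LimitingClientWiredIn
 ! no RFC 1918 ips
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny tcp any any eq smtp
 deny tcp any any eq 135
 deny udp any any eq 135
 deny udp any any eq netbios-ns
 deny tcp any any eq 445
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
ip access-list extended LimitingClientWirelessIn
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny tcp any any eq smtp
 deny tcp any any eq 135
 deny udp any any eq 135
 deny udp any any eq netbios-ns
 deny tcp any any eq 445
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
"""

def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # IOS wildcard is an inverted mask; assumes a contiguous wildcard
    plen = 32 - int(ipaddress.ip_address(tok[i + 1])).bit_length()
    return ipaddress.ip_network(f"{tok[i]}/{plen}", strict=False), i + 2

def _parse_port(tok, i):
    """Parse an optional 'eq <port>'; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acls(text):
    """Return {acl_name: [entry, ...]} from running-config text."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if line.startswith("ip access-list extended "):
            current = acls.setdefault(tok[3], [])
        elif current is not None and tok and tok[0] in ("permit", "deny"):
            src, i = _parse_addr(tok, 2)
            sport, i = _parse_port(tok, i)
            dst, i = _parse_addr(tok, i)
            dport, i = _parse_port(tok, i)
            current.append({"action": tok[0], "proto": tok[1], "src": src,
                            "sport": sport, "dst": dst, "dport": dport,
                            "log": "log" in tok[i:], "text": line})
        elif tok and not line.startswith("!"):
            current = None                # any other command ends the block
    return acls

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match lookup -> (action, entry text). No match = implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["proto"] not in ("ip", proto) or src not in e["src"] \
                or dst not in e["dst"]:
            continue
        if e["sport"] not in (None, sport) or e["dport"] not in (None, dport):
            continue
        return e["action"], e["text"]
    return "deny", None

def diff_acls(a, b):
    """Entries found in only one of two ACLs (set diff, order ignored)."""
    ta, tb = {e["text"] for e in a}, {e["text"] for e in b}
    return sorted(ta - tb), sorted(tb - ta)

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    wired, wifi = acls["LimitingClientWiredIn"], acls["LimitingClientWirelessIn"]
    # Constructed client flows: 193.191.64.10 sits in the wired client pool
    for proto, dst, port in [("tcp", "192.168.5.1", 80), ("tcp", "198.51.100.7", 25),
                             ("udp", "198.51.100.7", 137), ("tcp", "198.51.100.7", 443)]:
        print(proto, dst, port, evaluate(wired, proto, "193.191.64.10", dst, dport=port))
    print("only in wired / only in wifi:", diff_acls(wired, wifi))
```

The diff is a set comparison, so it catches a missing or extra entry but not a reordering; since these lists end in "permit ip any any", the order of the deny entries relative to each other does not change the result, but a deny moved after a permit would, and evaluate() is the check for that.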