Solved: Re: Please Help me to Verify Our Configuration with policy map (

fofoman2009 · ‎05-21-2012

Hi all ,

I would like to build capping (bandwidth limitation & best usage for bandwidth) policy on our router (Cisco 7200xvr) that connect to multiple university (12 university) with international ISP (34M).

Kindly I need your help to know if this configuration is the best that I can use in our router, and how I can enhance it.

and which is best using Shapping or Police ?

when i use with police Command with policy Egrees

this message appear :

Cannot attach queuing-based child policy to a non-queuing based class

and i have 4 percent bandwidth remaining put in class-default

with this command :

bandwidth percent 4

this is my current configuration in the router 7200

==========================================

class-map match-all Class_144

match access-group 144

class-map match-all Class_132

match access-group 132

class-map match-all Class_120

match access-group 120

class-map match-all Class_112

match access-group 112

class-map match-all Class_104

match access-group 104

class-map match-all Class_140

match access-group 140

class-map match-all Class_136

match access-group 136

class-map match-all Class_124

match access-group 124

class-map match-all Class_116

match access-group 116

class-map match-all Class_108

match access-group 108

class-map match-all Class_128

match access-group 128

class-map match-all Class_148

match access-group 148

!

policy-map All_Class

class Class_104

bandwidth percent 8

class Class_108

bandwidth percent 8

class Class_112

bandwidth percent 8

class Class_116

bandwidth percent 8

class Class_120

bandwidth percent 8

class Class_124

bandwidth percent 8

class Class_128

bandwidth percent 8

class Class_132

bandwidth percent 8

class Class_136

bandwidth percent 8

class Class_140

bandwidth percent 8

class Class_144

bandwidth percent 8

class Class_148

bandwidth percent 8

class class-default

bandwidth percent 4

fair-queue

policy-map Egress

class class-default

shape average 34816000

service-policy All_Class

access-list 104 permit ip any 172.25.90.4 0.0.0.3

access-list 108 permit ip any 172.25.90.8 0.0.0.3

access-list 112 permit ip any 172.25.90.12 0.0.0.3

access-list 116 permit ip any 172.25.90.16 0.0.0.3

access-list 120 permit ip any 172.25.90.20 0.0.0.3

access-list 124 permit ip any 172.25.90.24 0.0.0.3

access-list 128 permit ip any 172.25.90.28 0.0.0.3

access-list 132 permit ip any 172.25.90.32 0.0.0.3

access-list 136 permit ip any 172.25.90.36 0.0.0.3

access-list 140 permit ip any 172.25.90.40 0.0.0.3

access-list 144 permit ip any 172.25.90.44 0.0.0.3

access-list 148 permit ip any 172.25.90.48 0.0.0.3

interface GigabitEthernet0/1

mtu 1524

ip address 172.25.90.2 255.255.255.0

duplex auto

speed auto

media-type rj45

negotiation auto

service-policy output Egress

!

=============================================================================

Giuseppe Larosa · ‎05-21-2012

Hello Fadi,

Shaping should be more appropriate then policing as the latter discards non conforming traffic.

Your configuration is a typical hierarchical QoS configuration with a parent policy Egress that defines a 34 Mbps virtual pipe that invokes a CBWFQ child policy.

I would note the following:

associating a bandwidth command to class class-default is not needed it automatically takes the remaining bandwidth.

Note also that you are using a subrate of a GE interface so it would be better to use kbps for bandwidth commands as 8 percent means:

8 percent of 1000 Mbps if the physical link is negotiated to 1000 Mbps = 80 Mbps

8 percent of 100 Mbps if the physical link is negotiated to 100 Mbps = 8 Mbps

you would like to give to each class 8 percent of shaped speed = 2784 kbps so I would use it

bandwidth 2784 instead of bandwidth percent 8

Another important point is how the ACLs are defined: In this way you are defining classes based on destination address. Is this what you want to achieve and the ACLs represent the other universities?

If so you are fine with the ACLs.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎05-21-2012

Hello Fadi,

I see the traffic is placed in point to point tunnels to reach the other universities. ( you say VPN)

I think your ACLs are fine after having seen your topology.

The key point is that the WAN interfaces sees only packets with the external header so if those IP addresses 172.25.90.x are the most external you are fine.

But if the 172.25.90.X were for example used on GRE p2p tunnels that are then protected by IPSec the external IP addresses would have been different = those of IPSec security associations

if no form of tunneling was in use your ACLs should have used as destination the real networks 10.101.0.0/16 and so on

As stated above the external destination is examined by WAN and by QoS applied on it.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎05-22-2012

Hello Fadi,

I think the configuration is fine.

Last tuning could be adding fair-queue under class class-default that may be helpful.

From the configuration of tunnels we see that addresses like 172.25.90.X are the external destination addresses

example:

interface Tunnel37

bandwidth 25000

ip address 91.x.x.37 255.255.255.252 secondary <<<<<< internal addresses in GRE tunnel

ip address 172.24.90.37 255.255.255.252

tunnel source GigabitEthernet0/1

>>>>>>tunnel destination 172.25.90.38

so the ACLs are correct.

It was not clear to me if they were, you have been kind to provide their configuration,

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎05-22-2012

Hello Fadi,

I'm sorry I was meaning to put fair-queue on the class class-default of child policy but you have already it!

So you can ignore it.

>> the university should use Default Route or Nat to access to intenet in my router ?

It is a question of choice, it is difficult to say more with so few details. It depends from policies you should apply/follow.

However, with the speeds you have on your router (aggregate of 34 Mbps) it would be better to leave indipendent access to the internet to each university. This is just first glance.

There might be security policies that lead to centralized internet access for better control, use of security appliances that are on only on central site and so on.

You see there is no single answer to this question.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎05-21-2012

Hello Fadi,

Shaping should be more appropriate then policing as the latter discards non conforming traffic.

Your configuration is a typical hierarchical QoS configuration with a parent policy Egress that defines a 34 Mbps virtual pipe that invokes a CBWFQ child policy.

I would note the following:

associating a bandwidth command to class class-default is not needed it automatically takes the remaining bandwidth.

Note also that you are using a subrate of a GE interface so it would be better to use kbps for bandwidth commands as 8 percent means:

8 percent of 1000 Mbps if the physical link is negotiated to 1000 Mbps = 80 Mbps

8 percent of 100 Mbps if the physical link is negotiated to 100 Mbps = 8 Mbps

you would like to give to each class 8 percent of shaped speed = 2784 kbps so I would use it

bandwidth 2784 instead of bandwidth percent 8

Another important point is how the ACLs are defined: In this way you are defining classes based on destination address. Is this what you want to achieve and the ACLs represent the other universities?

If so you are fine with the ACLs.

Hope to help

Giuseppe

fofoman2009 · ‎05-21-2012

thank you Giuseppe

my router work as ISP

take internet form co-location router and distrbute internet to 12 university

for ACL what is your advise ?

please can you find the best configuration for me ?

i have 3 ip class

172.25.90.2/24 (GigabitEthernet0/1) this connected to Telcom router

and universits connected via VPN

172.24.90.0/24 (12 subnet) for tunnels (i have 12 tunnels) subnet for each university

and i have real ip 91.x.x.x/24 (12 subnet) subnet for each university

here the real toplology for me ?

Giuseppe Larosa · ‎05-21-2012

Hello Fadi,

I see the traffic is placed in point to point tunnels to reach the other universities. ( you say VPN)

I think your ACLs are fine after having seen your topology.

The key point is that the WAN interfaces sees only packets with the external header so if those IP addresses 172.25.90.x are the most external you are fine.

But if the 172.25.90.X were for example used on GRE p2p tunnels that are then protected by IPSec the external IP addresses would have been different = those of IPSec security associations

if no form of tunneling was in use your ACLs should have used as destination the real networks 10.101.0.0/16 and so on

As stated above the external destination is examined by WAN and by QoS applied on it.

Hope to help

Giuseppe

fofoman2009 · ‎05-21-2012

Hello Giuseppe ,

thank you for your help .

I am a little confused .

The Purpose of network :

is acadmic network for university to share staff as INTERNAL NETWORK [lan network] not through internet and we are connected to Euromed (dante) with geant project to access to research

and give us 34 Mbps internet

:

http://www.eumedconnect3.net/server/show/nav.2517 (English)

in my configuration no IPSec applied to tunnels

no QOS applied .

My Questions is :

1- see my configuration and give me your note and your advise ?

2- give me the best usage for policy and bandwidth and acl (note i give each university real ip form 91.x.x.x)

3- I need the typical configuration for QOS and in which interface should applied ???

4- IPSec typical configuration ?

4-If there is any addition, please add them ?

And I thank you very everything

I hope that you tell me exactly what to do step by step ?

and give me the instruction

and thnk you for the instruction that was mentioned previously

===========================================

here my config in the router

Current configuration : 13624 bytes

!

upgrade fpd auto

version 12.4

configuration mode exclusive manual

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

no service dhcp

!

hostname fadi-R

!

boot-start-marker

boot system flash c7200p-adventerprisek9-mz.124-24.T5.bin

boot system flash disk2:c7200p-adventerprisek9-mz.124-24.T5.bin

boot system flash c7200p-adventerprisek9-mz.124-4.XD9.bin

boot system flash c7200p-ipbase-mz.124-4.XD8.bin

boot system flash disk2:c7200p-adventerprisek9-mz.124-4.XD9.bin

boot system flash disk2:c7200p-ipbase-mz.124-4.XD8.bin

boot-end-marker

!

logging message-counter syslog

no logging buffered

no logging console

enable secret 5 xx

!

aaa new-model

aaa local authentication attempts max-fail 30

!

aaa authentication login default local

!

aaa session-id common

no ip source-route

ip cef

!

no ip bootp server

no ip domain lookup

ip domain name

login on-failure log every 5

login on-success log

no ipv6 cef

!

multilink bundle-name authenticated

!

password encryption aes

!

crypto pki trustpoint TP-self-signed-36323467

revocation-check crl

!

memory reserve critical 3000

memory free low-watermark processor 3000

memory free low-watermark IO 500

username xxx secret 5 $1$00O02o$nb2LtjR8lgjxtR/fDPe7U/

secure boot-image

secure boot-config

archive

log config

logging enable

logging size 1000

hidekeys

path disk2:archived-config

maximum 14

!

no ip ftp passive

ip ssh version 2

!

class-map match-all Class_144

match access-group 144

class-map match-all Class_132

match access-group 132

class-map match-all Class_120

match access-group 120

class-map match-all Class_112

match access-group 112

class-map match-all Class_104

match access-group 104

class-map match-all Class_140

match access-group 140

class-map match-all Class_136

match access-group 136

class-map match-all Class_124

match access-group 124

class-map match-all Class_116

match access-group 116

class-map match-all Class_108

match access-group 108

class-map match-all Class_128

match access-group 128

class-map match-all Class_148

match access-group 148

!

policy-map All_Class

class Class_104

bandwidth percent 8

class Class_108

bandwidth percent 8

class Class_112

bandwidth percent 8

class Class_116

bandwidth percent 8

class Class_120

bandwidth percent 8

class Class_124

bandwidth percent 8

class Class_128

bandwidth percent 8

class Class_132

bandwidth percent 8

class Class_136

bandwidth percent 8

class Class_140

bandwidth percent 8

class Class_144

bandwidth percent 8

class Class_148

bandwidth percent 8

class class-default

bandwidth percent 4

fair-queue

!

interface Loopback1

ip address 91.x.x.1 255.255.255.255

!

interface Tunnel5

bandwidth 25000

ip address 172.24.90.5 255.255.255.252

ip flow ingress

ip flow egress

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.6

!

interface Tunnel9

bandwidth 25000

ip address 172.24.90.9 255.255.255.252 secondary

ip address 91.x.x.9 255.255.255.252

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.10

!

interface Tunnel13

bandwidth 25000

ip address 172.24.90.13 255.255.255.252

keepalive 10 3

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.14

!

interface Tunnel17

bandwidth 25000

ip address 172.24.90.17 255.255.255.252

keepalive 10 3

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.18

!

interface Tunnel21

bandwidth 25000

ip address 172.24.90.21 255.255.255.252

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.22

!

interface Tunnel26

bandwidth 25000

ip address 172.24.90.25 255.255.255.252

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.26

!

interface Tunnel29

bandwidth 25000

ip address 172.24.90.29 255.255.255.252

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.30

!

interface Tunnel33

bandwidth 25000

ip address 172.24.90.33 255.255.255.252

keepalive 10 3

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.34

!

interface Tunnel37

bandwidth 25000

ip address 91.x.x.37 255.255.255.252 secondary

ip address 172.24.90.37 255.255.255.252

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.38

!

interface Tunnel41

bandwidth 25000

ip address 172.24.90.41 255.255.255.252

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.42

!

interface Tunnel49

bandwidth 25000

ip address 172.24.90.49 255.255.255.252

tunnel source GigabitEthernet0/1

tunnel destination 172.25.90.50

!

interface GigabitEthernet0/1

mtu 1524

ip address 172.25.90.2 255.255.255.0

duplex auto

speed auto

media-type rj45

negotiation auto

!

write-memory

time-period 4320

interface GigabitEthernet0/2

ip address 62.x.x.x 255.255.255.252

ip access-group Acl_EuMed_In in

ip accounting output-packets

ip accounting precedence input

ip tcp adjust-mss 1436

duplex auto

speed auto

media-type rj45

negotiation auto

no keepalive

!

interface GigabitEthernet0/3

ip address 192.168.123.1 255.255.255.0

duplex auto

speed auto

media-type rj45

negotiation auto

!

router bgp 57965

no synchronization

bgp log-neighbor-changes

network 91.x.x.x mask 255.255.255.0

timers bgp 50 270 90

??]

no auto-summary

!

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 172.25.90.1 100

ip route 91.x.x.0 255.255.255.0 Null0

ip route 91.x.x.4 255.255.255.252 172.24.90.6 10

ip route 91.x.x.8 255.255.255.252 172.24.90.10 10

ip route 91.x.x.12 255.255.255.252 172.24.90.14 10

ip route 91.x.x.16 255.255.255.252 172.24.90.18 10

ip route 91.x.x.20 255.255.255.252 172.24.90.22 10

ip route 91.x.x.24 255.255.255.252 172.24.90.26 10

ip route 91.x.x.28 255.255.255.252 172.24.90.30 10

ip route 91.x.x.32 255.255.255.252 172.24.90.34 10

ip route 91.x.x.36 255.255.255.252 172.24.90.38 10

ip route 91.x.x.40 255.255.255.252 172.24.90.42 10

ip route 91.x.x.44 255.255.255.252 172.24.90.46 10

ip route 91.x.x.48 255.255.255.252 172.24.90.50 10

ip route 172.25.0.0 255.255.0.0 172.25.90.1

ip route 194.x.x.0 255.255.255.0 172.24.90.10 80

ip route 213.x.x.0 255.255.252.0 172.24.90.6 80

no ip http server

ip http authentication local

ip http secure-server

!

ip bgp-community new-format

ip community-list standard geant permit 2xxx5:155

ip community-list expanded GTALL permit 2xxx5:.*

ip as-path access-list 100 permit ^2xxx5_[0-9]*$

ip as-path access-list 100 permit ^2xxx5_[0-9]*_[0-9]*$

ip as-path access-list 100 permit ^2xx5$

ip as-path access-list 101 permit ^[0-9]*$

!

ip access-list extended Acl_Ed_In

deny tcp any any fragments

deny udp any any fragments

deny icmp any any fragments

deny ip any any fragments

deny ip any any option any-options

permit ip host 62.x.x.241 host 62.x.x.242

permit ip host 62.x.x.250 host 62.x.x.242

deny ip any any ttl lt 5

deny ip any host 62.40.124.242

permit ip any any

!

ip prefix-list x

logging alarm informational

access-list 104 permit ip any 172.25.90.4 0.0.0.3

access-list 108 permit ip any 172.25.90.8 0.0.0.3

access-list 112 permit ip any 172.25.90.12 0.0.0.3

access-list 116 permit ip any 172.25.90.16 0.0.0.3

access-list 120 permit ip any 172.25.90.20 0.0.0.3

access-list 124 permit ip any 172.25.90.24 0.0.0.3

access-list 128 permit ip any 172.25.90.28 0.0.0.3

access-list 132 permit ip any 172.25.90.32 0.0.0.3

access-list 136 permit ip any 172.25.90.36 0.0.0.3

access-list 140 permit ip any 172.25.90.40 0.0.0.3

access-list 144 permit ip any 172.25.90.44 0.0.0.3

access-list 148 permit ip any 172.25.90.48 0.0.0.3

no cdp run

!

route-map EUMED_INPUT permit 10

match community GEANTALL

!

snmp-server community PN-SNMP RO

snmp-server community PN-SNMP2 RW

snmp-server location PALTEL

snmp-server enable traps tty

!

control-plane

!

line con 0

password 7 0099584B1A0D44464058

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

password 7 131112011F4D557878

transport input telnet ssh

!

exception memory ignore overflow processor

exception memory ignore overflow io

exception crashinfo maximum files 5

end

fofoman2009 · ‎05-21-2012

new settign applied :

and the configuration are :

any comment or note ?

policy-map All_Class

class Class_104

bandwidth 2901

class Class_108

bandwidth 2901

class Class_112

bandwidth 2901

class Class_116

bandwidth 2901

class Class_120

bandwidth 2901

class Class_124

bandwidth 2901

class Class_128

bandwidth 2901

class Class_132

bandwidth 2901

class Class_136

bandwidth 2901

class Class_140

bandwidth 2901

class Class_144

bandwidth 2901

class Class_148

bandwidth 2901

class class-default

fair-queue

policy-map Egress

class class-default

shape average 34816000

service-policy All_Class

access-list 104 permit ip any 172.25.90.4 0.0.0.3

access-list 108 permit ip any 172.25.90.8 0.0.0.3

access-list 112 permit ip any 172.25.90.12 0.0.0.3

access-list 116 permit ip any 172.25.90.16 0.0.0.3

access-list 120 permit ip any 172.25.90.20 0.0.0.3

access-list 124 permit ip any 172.25.90.24 0.0.0.3

access-list 128 permit ip any 172.25.90.28 0.0.0.3

access-list 132 permit ip any 172.25.90.32 0.0.0.3

access-list 136 permit ip any 172.25.90.36 0.0.0.3

access-list 140 permit ip any 172.25.90.40 0.0.0.3

access-list 144 permit ip any 172.25.90.44 0.0.0.3

access-list 148 permit ip any 172.25.90.48 0.0.0.3

Giuseppe Larosa · ‎05-22-2012

Hello Fadi,

I think the configuration is fine.

Last tuning could be adding fair-queue under class class-default that may be helpful.

From the configuration of tunnels we see that addresses like 172.25.90.X are the external destination addresses

example:

interface Tunnel37

bandwidth 25000

ip address 91.x.x.37 255.255.255.252 secondary <<<<<< internal addresses in GRE tunnel

ip address 172.24.90.37 255.255.255.252

tunnel source GigabitEthernet0/1

>>>>>>tunnel destination 172.25.90.38

so the ACLs are correct.

It was not clear to me if they were, you have been kind to provide their configuration,

Hope to help

Giuseppe

fofoman2009 · ‎05-22-2012

thank you a lot Giuseppe ,

You mean adding fair-queue under Egress

class class-default Policy

and for the IP Address in tunnel 37 i will remove the

ip address 91.x.x.37 255.255.255.252 secondary it's for testing

Each university have multiple ISP (Including Acadminc network)

how i can manipulate with this scenario ?

and form subnet i gave it to the universites

the university should use Default Route or Nat to access to intenet in my router ? what is your advise ?

Best Regards

THE message i get when applied the command

(config)#policy-map Egress

(config-pmap)# class class-default

(config-pmap-c)#fa

(config-pmap-c)#fair-queue

fair-queue not allowed in a parent policy

Giuseppe Larosa · ‎05-22-2012

Hello Fadi,

I'm sorry I was meaning to put fair-queue on the class class-default of child policy but you have already it!

So you can ignore it.

>> the university should use Default Route or Nat to access to intenet in my router ?

It is a question of choice, it is difficult to say more with so few details. It depends from policies you should apply/follow.

However, with the speeds you have on your router (aggregate of 34 Mbps) it would be better to leave indipendent access to the internet to each university. This is just first glance.

There might be security policies that lead to centralized internet access for better control, use of security appliances that are on only on central site and so on.

You see there is no single answer to this question.

Hope to help

Giuseppe

fofoman2009 · ‎05-23-2012

Hello Giuseppe ,

I hope you are fine .

I just wonder about my current Configuration Help me in the case :

The university uses the internet only to themselves (Use 34 Mbps), there is no other universities use the Internet at some time

After a certain period became There are 3 universities use the Internet

Is speed automatic distribution to all universities equally

All University = 34/4 = 8.8

If the speed not distributed equally ? Is there a way to force them ?

Best Regard

Giuseppe Larosa · ‎05-23-2012

Hello Fadi,

the internet access will be shared if one university acts as a central site.

However, the downstream / download direction of the other universities will have to be encapsulated in GRE packets to reach the other universities from the central site ( = to use the point to point tunnels discussed previously)

If this is the case traffic will enter the central site internet interface to be sent out the same interface in GRE packets after NAT is performed in central site.

For taking in account this you may want to review the bandwidth statements for the GRE Tunnels destined to those three universities giving them a greater rate.

Actually, it may be fine also with the proposed QoS configuration.

Hope to help

Giuseppe

fofoman2009 · ‎05-24-2012

Hello Giuseppe ,

thank you for Thank you for clarifying things .

I am Using Cisco Configuration Professional to manage my Router ,

I have two Option :

1- Security Audit

2- One-step-lockdown

The Configuration is below .

My Question is which option should i use to secure my router without any conflict with current configuration and without exceeding router resource ?

============Security Audit ==================

==========================================

Configuration commands for the router:

saved on 24/05/2012 09:28:37 Õ

----------------------------------------------------------------------------

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

exit

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

exit

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

exit

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

ip domain lookup

no snmp-server

line con 0

transport output telnet

exit

line aux 0

transport output telnet

exit

ip name-server 8.8.8.8

service sequence-numbers

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

scheduler allocate 4000 1000

ip tcp synwait-time 10

security authentication failure rate 3 log

security passwords min-length 6

banner login ~Access is restricted to authorized users only~

logging console critical

logging trap debugging

logging buffered 51200 debugging

parameter-map type regex ccp-regex-nonascii

pattern "[^\x00-\x80]"

exit

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

exit

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

exit

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

exit

class-map type inspect imap match-any ccp-app-imap

match invalid-command

exit

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

exit

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

exit

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

exit

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

exit

class-map type inspect http match-any ccp-app-nonascii

match req-resp header regex ccp-regex-nonascii

exit

class-map type inspect match-all ccp-protocol-smtp

match protocol smtp

exit

class-map type inspect match-any ccp-h323-inspect

match protocol h323

exit

class-map type inspect match-all ccp-protocol-imap

match protocol imap

exit

class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol tcp

match protocol udp

exit

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

exit

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

exit

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

exit

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

exit

class-map type inspect match-all ccp-protocol-http

match protocol http

exit

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-accesss

exit

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

exit

class-map type inspect match-all ccp-invalid-src

match access-group 100

exit

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

exit

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

exit

class-map type inspect match-any ccp-sip-inspect

match protocol sip

exit

class-map type inspect pop3 match-any ccp-app-pop3

match invalid-command

exit

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

exit

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

exit

class-map type inspect http match-any ccp-app-httpmethods

match request method bcopy

match request method bdelete

match request method bmove

match request method bpropfind

match request method bproppatch

match request method connect

match request method copy

match request method delete

match request method edit

match request method getattribute

match request method getattributenames

match request method getproperties

match request method index

match request method lock

match request method mkcol

match request method mkdir

match request method move

match request method notify

match request method options

match request method poll

match request method post

match request method propfind

match request method proppatch

match request method put

match request method revadd

match request method revlabel

match request method revlog

match request method revnum

match request method save

match request method search

match request method setattribute

match request method startrev

match request method stoprev

match request method subscribe

match request method trace

match request method unedit

match request method unlock

match request method unsubscribe

exit

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

exit

class-map type inspect http match-any ccp-http-blockparam

match request port-misuse im

match request port-misuse p2p

match request port-misuse tunneling

match req-resp protocol-violation

exit

class-map type inspect smtp match-any ccp-app-smtp

match data-length gt 5000000

exit

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

log

reset

exit

class type inspect http ccp-app-httpmethods

log

reset

exit

class type inspect http ccp-app-nonascii

log

reset

exit

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

log

reset

exit

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

log

reset

exit

policy-map type inspect smtp ccp-action-smtp

class type inspect smtp ccp-app-smtp

reset

exit

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

no drop

inspect

exit

class type inspect ccp-sip-inspect

no drop

inspect

exit

class type inspect ccp-h323-inspect

no drop

inspect

exit

class type inspect ccp-h323annexe-inspect

no drop

inspect

exit

class type inspect ccp-h225ras-inspect

no drop

inspect

exit

class type inspect ccp-h323nxg-inspect

no drop

inspect

exit

class type inspect ccp-skinny-inspect

no drop

inspect

exit

class class-default

no drop

pass

exit

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

drop log

exit

class type inspect ccp-protocol-http

no drop

inspect

service-policy http ccp-action-app-http

exit

class type inspect ccp-protocol-smtp

no drop

inspect

service-policy smtp ccp-action-smtp

exit

class type inspect ccp-protocol-imap

no drop

inspect

service-policy imap ccp-action-imap

exit

class type inspect ccp-protocol-pop3

no drop

inspect

service-policy pop3 ccp-action-pop3

exit

class type inspect ccp-protocol-p2p

drop log

exit

class type inspect ccp-protocol-im

drop log

exit

class type inspect ccp-insp-traffic

no drop

inspect

exit

class type inspect ccp-sip-inspect

no drop

inspect

exit

class type inspect ccp-h323-inspect

no drop

inspect

exit

class type inspect ccp-h323annexe-inspect

no drop

inspect

exit

class type inspect ccp-h225ras-inspect

no drop

inspect

exit

class type inspect ccp-h323nxg-inspect

no drop

inspect

exit

class type inspect ccp-skinny-inspect

no drop

inspect

exit

policy-map type inspect ccp-permit

class type inspect ccp-sip-inspect

no drop

inspect

exit

class type inspect ccp-h323-inspect

no drop

inspect

exit

class type inspect ccp-h323annexe-inspect

no drop

inspect

exit

class type inspect ccp-h225ras-inspect

no drop

inspect

exit

class type inspect ccp-h323nxg-inspect

no drop

inspect

exit

class type inspect ccp-skinny-inspect

no drop

inspect

exit

class class-default

exit

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

exit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

exit

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

exit

interface Tunnel49

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface FastEthernet0/2

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Loopback1

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Null0

exit

default interface Null0

interface Null0

no ip unreachables

exit

interface Tunnel9

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel29

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel37

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel26

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel17

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel5

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface GigabitEthernet0/3

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

no mop enabled

exit

interface Tunnel33

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface GigabitEthernet0/2

description $FW_OUTSIDE$

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

no mop enabled

zone-member security out-zone

exit

interface Tunnel41

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface GigabitEthernet0/1

description $FW_INSIDE$

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

no mop enabled

zone-member security in-zone

exit

interface Tunnel13

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel21

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

==========================================

=============One-step-lockdown==============

==========================================

Configuration commands for the router: x.x.x.x

saved on 24/05/2012 09:43:12 Õ

----------------------------------------------------------------------------

aaa authorization exec local_author local

aaa authentication login local_authen local

no snmp-server

line vty 0 4

login authentication local_authen

authorization exec local_author

exit

service sequence-numbers

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

scheduler allocate 4000 1000

ip tcp synwait-time 10

security authentication failure rate 3 log

security passwords min-length 6

ip ssh time-out 60

ip ssh authentication-retries 2

banner login ~

Authorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!

~

logging console critical

logging trap debugging

logging buffered 51200 debugging

interface Tunnel49

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface FastEthernet0/2

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Loopback1

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Null0

exit

default interface Null0

interface Null0

no ip unreachables

exit

interface Tunnel9

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel29

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel37

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel26

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel17

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel5

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface GigabitEthernet0/3

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

no mop enabled

exit

interface Tunnel33

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface GigabitEthernet0/2

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

no mop enabled

exit

interface Tunnel41

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface GigabitEthernet0/1

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

no mop enabled

exit

interface Tunnel13

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

interface Tunnel21

no ip proxy-arp

no ip redirects

no ip unreachables

ip route-cache flow

exit

==========================================

Best Regard

Giuseppe Larosa · ‎05-24-2012

Hello Fadi,

your router acts as an ISP provider router. I would not recommend to use these templates on it because they are thought for an enteprise scenario.

Just to make an example introducing zone based firewall is not an easy move, and how it deals with the GRE tunnels on the WAN interface?

Inspection of traffic may be fine with few Mbps of downstream traffic, but you deal with 34 Mbps and more in the future.

Cpu can go vey high even in a C7200 router. And you don't want to introduce slowness.

The key concept is control: if you use these templates you introduce hundreds of configuration lines with limited understanding of some features.

And what are possible interactions of zone based firewall, CBAC ( inspect) and so on?

You may end lost in an attempt to troubleshoot to fix it.

As a simple human being I would stay away from this.

You can use these templates to take inspiration for studying some security features like zone based firewalling for example but I would not apply them.

Edit:

the lock-down template looks like more reasonable and is formed of simple commands that should be compatible with the role of your device and it shouldn't have an impact.

Hope to help

Giuseppe

fofoman2009 · ‎05-28-2012

Hello Giuseppe ,

I hope you are fine

this is configueation for one university

in the router i ping to internet

=======================

#ping 8.8.8.8 source fastEthernet 0/1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 91.237.50.33

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/80 ms

=============================

when i connect the switch to interface FastEthernet0/1 with ip address 91.x.x.33 255.255.255.252

my clinet have private ip address 10.0.0.0/24

My Question 1:

all my clinet access to intenet with this configuration or shoud use nat ?

Give me soulution ?

My Question 1 :

you seen i use 3 ip address

172.25.90.0 /24 ---- on the physial interface (on vpn)

172.24.90.0 /24 ---- on the tunnel and bgp neighbor

91.x.x.x/24 for the univeristy to access internet

How can I minimize the use of this IP

to 2 ip ?

to make my work more easy .

===========================================

Building configuration...

Current configuration : 1833 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname AAUJ-NREN

!

boot-start-marker

boot system flash c1841-ipbasek9-mz.124-24.T5.bin

boot-end-marker

!

logging message-counter syslog

enable secret 5 $1$IcdC$f9CMBzMEQ3G53piwF3vN20

!

no aaa new-model

dot11 syslog

ip source-route

!

ip cef

no ip domain lookup

multilink bundle-name authenticated

!

secure boot-config

Please Help me to Verify Our Configuration with policy map (Bandwidth limitation & Utilazaition)