05-21-2012 12:28 AM - edited 03-04-2019 04:25 PM
Hi all,
I would like to build a capping (bandwidth limitation and best usage of bandwidth) policy on our router (Cisco 7200VXR) that connects to multiple universities (12 universities) with an international ISP (34M).
Kindly, I need your help to know if this configuration is the best that I can use on our router, and how I can enhance it.
And which is best to use, shaping or policing?
When I use the police command in the Egress policy, this message appears:
Cannot attach queuing-based child policy to a non-queuing based class
And I have 4 percent bandwidth remaining put in class-default with this command:
bandwidth percent 4
This is my current configuration in the router 7200:
==========================================
class-map match-all Class_144
match access-group 144
class-map match-all Class_132
match access-group 132
class-map match-all Class_120
match access-group 120
class-map match-all Class_112
match access-group 112
class-map match-all Class_104
match access-group 104
class-map match-all Class_140
match access-group 140
class-map match-all Class_136
match access-group 136
class-map match-all Class_124
match access-group 124
class-map match-all Class_116
match access-group 116
class-map match-all Class_108
match access-group 108
class-map match-all Class_128
match access-group 128
class-map match-all Class_148
match access-group 148
!
!
policy-map All_Class
class Class_104
bandwidth percent 8
class Class_108
bandwidth percent 8
class Class_112
bandwidth percent 8
class Class_116
bandwidth percent 8
class Class_120
bandwidth percent 8
class Class_124
bandwidth percent 8
class Class_128
bandwidth percent 8
class Class_132
bandwidth percent 8
class Class_136
bandwidth percent 8
class Class_140
bandwidth percent 8
class Class_144
bandwidth percent 8
class Class_148
bandwidth percent 8
class class-default
bandwidth percent 4
fair-queue
policy-map Egress
class class-default
shape average 34816000
service-policy All_Class
access-list 104 permit ip any 172.25.90.4 0.0.0.3
access-list 108 permit ip any 172.25.90.8 0.0.0.3
access-list 112 permit ip any 172.25.90.12 0.0.0.3
access-list 116 permit ip any 172.25.90.16 0.0.0.3
access-list 120 permit ip any 172.25.90.20 0.0.0.3
access-list 124 permit ip any 172.25.90.24 0.0.0.3
access-list 128 permit ip any 172.25.90.28 0.0.0.3
access-list 132 permit ip any 172.25.90.32 0.0.0.3
access-list 136 permit ip any 172.25.90.36 0.0.0.3
access-list 140 permit ip any 172.25.90.40 0.0.0.3
access-list 144 permit ip any 172.25.90.44 0.0.0.3
access-list 148 permit ip any 172.25.90.48 0.0.0.3
interface GigabitEthernet0/1
mtu 1524
ip address 172.25.90.2 255.255.255.0
duplex auto
speed auto
media-type rj45
negotiation auto
service-policy output Egress
!
=============================================================================
05-21-2012 01:21 AM
Hello Fadi,
Shaping should be more appropriate than policing, as the latter discards non-conforming traffic.
Your configuration is a typical hierarchical QoS configuration, with a parent policy Egress that defines a 34 Mbps virtual pipe and invokes a CBWFQ child policy.
I would note the following:
Associating a bandwidth command with class class-default is not needed; it automatically takes the remaining bandwidth.
Note also that you are using a subrate of a GE interface, so it would be better to use kbps for the bandwidth commands, as 8 percent means:
8 percent of 1000 Mbps if the physical link is negotiated to 1000 Mbps = 80 Mbps
8 percent of 100 Mbps if the physical link is negotiated to 100 Mbps = 8 Mbps
You would like to give each class 8 percent of the shaped speed = 2784 kbps, so I would use
bandwidth 2784 instead of bandwidth percent 8
Another important point is how the ACLs are defined: in this way you are defining classes based on destination address. Is this what you want to achieve, and do the ACLs represent the other universities?
If so, you are fine with the ACLs.
Hope to help
Giuseppe
05-21-2012 01:55 AM
Thank you Giuseppe.
My router works as an ISP:
it takes internet from a co-location router and distributes internet to 12 universities.
For the ACL, what is your advice?
Please, can you find the best configuration for me?
I have 3 IP classes:
172.25.90.2/24 (GigabitEthernet0/1), connected to the Telecom router,
and universities connected via VPN;
172.24.90.0/24 (12 subnets) for tunnels (I have 12 tunnels), a subnet for each university;
and I have real IPs 91.x.x.x/24 (12 subnets), a subnet for each university.
Here is the real topology for me:
05-21-2012 02:23 AM
Hello Fadi,
I see the traffic is placed in point-to-point tunnels to reach the other universities (you say VPN).
I think your ACLs are fine after having seen your topology.
The key point is that the WAN interface sees only packets with the external header, so if those IP addresses 172.25.90.x are the outermost ones you are fine.
But if the 172.25.90.X were, for example, used on GRE p2p tunnels that are then protected by IPSec, the external IP addresses would have been different = those of the IPSec security associations.
If no form of tunneling were in use, your ACLs should have used as destination the real networks 10.101.0.0/16 and so on.
As stated above, the external destination is examined by the WAN and by the QoS applied on it.
Hope to help
Giuseppe
05-21-2012 10:47 AM
Hello Giuseppe,
Thank you for your help.
I am a little confused.
The purpose of the network:
It is an academic network for universities to share staff as an INTERNAL NETWORK [LAN network], not through the internet, and we are connected to Euromed (DANTE) through the GEANT project to access research
and it gives us 34 Mbps internet:
http://www.eumedconnect3.net/server/show/nav.2517 (English)
In my configuration no IPSec is applied to the tunnels
and no QoS is applied.
My questions are:
1- See my configuration and give me your notes and your advice?
2- Give me the best usage for policy and bandwidth and ACL (note: I give each university a real IP from 91.x.x.x)
3- I need the typical configuration for QoS, and on which interface should it be applied???
4- IPSec typical configuration?
5- If there is any addition, please add it?
And I thank you for everything.
I hope that you tell me exactly what to do step by step
and give me the instructions,
and thank you for the instructions that were mentioned previously.
===========================================
Here is my config in the router:
Current configuration : 13624 bytes
!
upgrade fpd auto
version 12.4
configuration mode exclusive manual
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname fadi-R
!
boot-start-marker
boot system flash c7200p-adventerprisek9-mz.124-24.T5.bin
boot system flash disk2:c7200p-adventerprisek9-mz.124-24.T5.bin
boot system flash c7200p-adventerprisek9-mz.124-4.XD9.bin
boot system flash c7200p-ipbase-mz.124-4.XD8.bin
boot system flash disk2:c7200p-adventerprisek9-mz.124-4.XD9.bin
boot system flash disk2:c7200p-ipbase-mz.124-4.XD8.bin
boot-end-marker
!
logging message-counter syslog
no logging buffered
no logging console
enable secret 5 xx
!
aaa new-model
aaa local authentication attempts max-fail 30
!
!
aaa authentication login default local
!
!
aaa session-id common
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name
login on-failure log every 5
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-36323467
revocation-check crl
!
!
memory reserve critical 3000
memory free low-watermark processor 3000
memory free low-watermark IO 500
username xxx secret 5 $1$00O02o$nb2LtjR8lgjxtR/fDPe7U/
secure boot-image
secure boot-config
archive
log config
logging enable
logging size 1000
hidekeys
path disk2:archived-config
maximum 14
!
!
!
!
!
no ip ftp passive
ip ssh version 2
!
class-map match-all Class_144
match access-group 144
class-map match-all Class_132
match access-group 132
class-map match-all Class_120
match access-group 120
class-map match-all Class_112
match access-group 112
class-map match-all Class_104
match access-group 104
class-map match-all Class_140
match access-group 140
class-map match-all Class_136
match access-group 136
class-map match-all Class_124
match access-group 124
class-map match-all Class_116
match access-group 116
class-map match-all Class_108
match access-group 108
class-map match-all Class_128
match access-group 128
class-map match-all Class_148
match access-group 148
!
!
policy-map All_Class
class Class_104
bandwidth percent 8
class Class_108
bandwidth percent 8
class Class_112
bandwidth percent 8
class Class_116
bandwidth percent 8
class Class_120
bandwidth percent 8
class Class_124
bandwidth percent 8
class Class_128
bandwidth percent 8
class Class_132
bandwidth percent 8
class Class_136
bandwidth percent 8
class Class_140
bandwidth percent 8
class Class_144
bandwidth percent 8
class Class_148
bandwidth percent 8
class class-default
bandwidth percent 4
fair-queue
!
!
!
!
!
interface Loopback1
ip address 91.x.x.1 255.255.255.255
!
interface Tunnel5
bandwidth 25000
ip address 172.24.90.5 255.255.255.252
ip flow ingress
ip flow egress
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.6
!
interface Tunnel9
bandwidth 25000
ip address 172.24.90.9 255.255.255.252 secondary
ip address 91.x.x.9 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.10
!
interface Tunnel13
bandwidth 25000
ip address 172.24.90.13 255.255.255.252
keepalive 10 3
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.14
!
interface Tunnel17
bandwidth 25000
ip address 172.24.90.17 255.255.255.252
keepalive 10 3
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.18
!
interface Tunnel21
bandwidth 25000
ip address 172.24.90.21 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.22
!
interface Tunnel26
bandwidth 25000
ip address 172.24.90.25 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.26
!
interface Tunnel29
bandwidth 25000
ip address 172.24.90.29 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.30
!
interface Tunnel33
bandwidth 25000
ip address 172.24.90.33 255.255.255.252
keepalive 10 3
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.34
!
interface Tunnel37
bandwidth 25000
ip address 91.x.x.37 255.255.255.252 secondary
ip address 172.24.90.37 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.38
!
interface Tunnel41
bandwidth 25000
ip address 172.24.90.41 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.42
!
interface Tunnel49
bandwidth 25000
ip address 172.24.90.49 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 172.25.90.50
!
interface GigabitEthernet0/1
mtu 1524
ip address 172.25.90.2 255.255.255.0
duplex auto
speed auto
media-type rj45
negotiation auto
!
write-memory
time-period 4320
interface GigabitEthernet0/2
ip address 62.x.x.x 255.255.255.252
ip access-group Acl_EuMed_In in
ip accounting output-packets
ip accounting precedence input
ip tcp adjust-mss 1436
duplex auto
speed auto
media-type rj45
negotiation auto
no keepalive
!
interface GigabitEthernet0/3
ip address 192.168.123.1 255.255.255.0
duplex auto
speed auto
media-type rj45
negotiation auto
!
router bgp 57965
no synchronization
bgp log-neighbor-changes
network 91.x.x.x mask 255.255.255.0
timers bgp 50 270 90
no auto-summary
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.25.90.1 100
ip route 91.x.x.0 255.255.255.0 Null0
ip route 91.x.x.4 255.255.255.252 172.24.90.6 10
ip route 91.x.x.8 255.255.255.252 172.24.90.10 10
ip route 91.x.x.12 255.255.255.252 172.24.90.14 10
ip route 91.x.x.16 255.255.255.252 172.24.90.18 10
ip route 91.x.x.20 255.255.255.252 172.24.90.22 10
ip route 91.x.x.24 255.255.255.252 172.24.90.26 10
ip route 91.x.x.28 255.255.255.252 172.24.90.30 10
ip route 91.x.x.32 255.255.255.252 172.24.90.34 10
ip route 91.x.x.36 255.255.255.252 172.24.90.38 10
ip route 91.x.x.40 255.255.255.252 172.24.90.42 10
ip route 91.x.x.44 255.255.255.252 172.24.90.46 10
ip route 91.x.x.48 255.255.255.252 172.24.90.50 10
ip route 172.25.0.0 255.255.0.0 172.25.90.1
ip route 194.x.x.0 255.255.255.0 172.24.90.10 80
ip route 213.x.x.0 255.255.252.0 172.24.90.6 80
no ip http server
ip http authentication local
ip http secure-server
!
ip bgp-community new-format
ip community-list standard geant permit 2xxx5:155
ip community-list expanded GTALL permit 2xxx5:.*
ip as-path access-list 100 permit ^2xxx5_[0-9]*$
ip as-path access-list 100 permit ^2xxx5_[0-9]*_[0-9]*$
ip as-path access-list 100 permit ^2xx5$
ip as-path access-list 101 permit ^[0-9]*$
!
!
ip access-list extended Acl_Ed_In
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments
deny ip any any option any-options
permit ip host 62.x.x.241 host 62.x.x.242
permit ip host 62.x.x.250 host 62.x.x.242
deny ip any any ttl lt 5
deny ip any host 62.40.124.242
permit ip any any
!
!
ip prefix-list x
ip prefix-list x
ip prefix-list x
logging alarm informational
access-list 104 permit ip any 172.25.90.4 0.0.0.3
access-list 108 permit ip any 172.25.90.8 0.0.0.3
access-list 112 permit ip any 172.25.90.12 0.0.0.3
access-list 116 permit ip any 172.25.90.16 0.0.0.3
access-list 120 permit ip any 172.25.90.20 0.0.0.3
access-list 124 permit ip any 172.25.90.24 0.0.0.3
access-list 128 permit ip any 172.25.90.28 0.0.0.3
access-list 132 permit ip any 172.25.90.32 0.0.0.3
access-list 136 permit ip any 172.25.90.36 0.0.0.3
access-list 140 permit ip any 172.25.90.40 0.0.0.3
access-list 144 permit ip any 172.25.90.44 0.0.0.3
access-list 148 permit ip any 172.25.90.48 0.0.0.3
no cdp run
!
!
!
!
route-map EUMED_INPUT permit 10
match community GEANTALL
!
!
snmp-server community PN-SNMP RO
snmp-server community PN-SNMP2 RW
snmp-server location PALTEL
snmp-server enable traps tty
!
control-plane
!
!
!
!
!
!
!
line con 0
password 7 0099584B1A0D44464058
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 131112011F4D557878
transport input telnet ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 5
end
05-21-2012 10:55 PM
New settings applied,
and the configuration is:
Any comment or note?
policy-map All_Class
class Class_104
bandwidth 2901
class Class_108
bandwidth 2901
class Class_112
bandwidth 2901
class Class_116
bandwidth 2901
class Class_120
bandwidth 2901
class Class_124
bandwidth 2901
class Class_128
bandwidth 2901
class Class_132
bandwidth 2901
class Class_136
bandwidth 2901
class Class_140
bandwidth 2901
class Class_144
bandwidth 2901
class Class_148
bandwidth 2901
class class-default
fair-queue
policy-map Egress
class class-default
shape average 34816000
service-policy All_Class
access-list 104 permit ip any 172.25.90.4 0.0.0.3
access-list 108 permit ip any 172.25.90.8 0.0.0.3
access-list 112 permit ip any 172.25.90.12 0.0.0.3
access-list 116 permit ip any 172.25.90.16 0.0.0.3
access-list 120 permit ip any 172.25.90.20 0.0.0.3
access-list 124 permit ip any 172.25.90.24 0.0.0.3
access-list 128 permit ip any 172.25.90.28 0.0.0.3
access-list 132 permit ip any 172.25.90.32 0.0.0.3
access-list 136 permit ip any 172.25.90.36 0.0.0.3
access-list 140 permit ip any 172.25.90.40 0.0.0.3
access-list 144 permit ip any 172.25.90.44 0.0.0.3
access-list 148 permit ip any 172.25.90.48 0.0.0.3
05-22-2012 12:59 AM
Hello Fadi,
I think the configuration is fine.
A last tuning could be adding fair-queue under class class-default, which may be helpful.
From the configuration of the tunnels we see that addresses like 172.25.90.X are the external destination addresses.
Example:
interface Tunnel37
bandwidth 25000
ip address 91.x.x.37 255.255.255.252 secondary <<<<<< internal addresses in GRE tunnel
ip address 172.24.90.37 255.255.255.252
tunnel source GigabitEthernet0/1
>>>>>> tunnel destination 172.25.90.38
So the ACLs are correct.
It was not clear to me if they were; you have been kind to provide their configuration.
Hope to help
Giuseppe
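To make the outer-header point concrete, here is an added example (not from the thread or from Cisco) that models the classification done by the service-policy on GigabitEthernet0/1: it transcribes the ACLs and tunnel destinations from the posted configuration, evaluates the class-maps against the outer GRE header rather than the inner packet, and reports which class each tunnel lands in. The inner sample addresses and the IPsec peer address are constructed, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Transcribed from the posted configuration: "access-list N permit ip any BASE WILDCARD".
# Each class-map Class_N matches access-group N, so the ACL number doubles as the class name.
ACLS = {
    104: ("172.25.90.4", "0.0.0.3"), 108: ("172.25.90.8", "0.0.0.3"),
    112: ("172.25.90.12", "0.0.0.3"), 116: ("172.25.90.16", "0.0.0.3"),
    120: ("172.25.90.20", "0.0.0.3"), 124: ("172.25.90.24", "0.0.0.3"),
    128: ("172.25.90.28", "0.0.0.3"), 132: ("172.25.90.32", "0.0.0.3"),
    136: ("172.25.90.36", "0.0.0.3"), 140: ("172.25.90.40", "0.0.0.3"),
    144: ("172.25.90.44", "0.0.0.3"), 148: ("172.25.90.48", "0.0.0.3"),
}

# "tunnel destination" of every Tunnel interface in the posted configuration.
TUNNEL_DESTINATION = {
    "Tunnel5": "172.25.90.6", "Tunnel9": "172.25.90.10", "Tunnel13": "172.25.90.14",
    "Tunnel17": "172.25.90.18", "Tunnel21": "172.25.90.22", "Tunnel26": "172.25.90.26",
    "Tunnel29": "172.25.90.30", "Tunnel33": "172.25.90.34", "Tunnel37": "172.25.90.38",
    "Tunnel41": "172.25.90.42", "Tunnel49": "172.25.90.50",
}
TUNNEL_SOURCE = "172.25.90.2"  # ip address of GigabitEthernet0/1, the "tunnel source"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def classify(pkt: Packet) -> str:
    """Evaluate the All_Class class-maps against the header the policy actually sees.
    The ACLs are disjoint /30s, so evaluation order does not change the result."""
    for acl, (base, wildcard) in sorted(ACLS.items()):
        if wildcard_match(pkt.dst, base, wildcard):
            return f"Class_{acl}"
    return "class-default"


def egress_header(inner: Packet, tunnel: str, ipsec_peer: Optional[str] = None) -> Packet:
    """Outermost header on the wire at GigabitEthernet0/1 for a packet routed into `tunnel`.
    Plain GRE: outer dst = tunnel destination. If the GRE tunnel were protected by IPsec
    (Giuseppe's caveat), the outermost dst would be the IPsec peer instead (constructed here)."""
    if ipsec_peer is not None:
        return Packet(TUNNEL_SOURCE, ipsec_peer)
    return Packet(TUNNEL_SOURCE, TUNNEL_DESTINATION[tunnel])


def classify_egress(inner: Packet, tunnel: str, ipsec_peer: Optional[str] = None) -> str:
    """Class the interface policy assigns to `inner` once it has been encapsulated."""
    return classify(egress_header(inner, tunnel, ipsec_peer))


def tunnel_to_class() -> Dict[str, str]:
    """Which CBWFQ class each tunnel's traffic lands in."""
    return {t: classify(Packet(TUNNEL_SOURCE, d)) for t, d in TUNNEL_DESTINATION.items()}


def classes_without_tunnel() -> List[str]:
    """Classes that no posted tunnel feeds (their bandwidth guarantee sits unused)."""
    used = set(tunnel_to_class().values())
    return [f"Class_{n}" for n in sorted(ACLS) if f"Class_{n}" not in used]


if __name__ == "__main__":
    # Constructed sample: a host on Gi0/3's subnet sending to a site behind Tunnel37.
    inner = Packet("192.168.123.10", "203.0.113.38")
    print("inner header only :", classify(inner))                       # class-default
    print("GRE outer header  :", classify_egress(inner, "Tunnel37"))    # Class_136
    print("with IPsec peer   :", classify_egress(inner, "Tunnel37", "198.51.100.2"))
    for tunnel, cls in tunnel_to_class().items():
        print(f"{tunnel:9s} -> {cls}")
    print("classes with no tunnel:", classes_without_tunnel())
```

The last line shows that Class_144 (172.25.90.44/30) has no tunnel behind it in the posted configuration, which is worth checking against the route to 91.x.x.44 via 172.24.90.46.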
05-22-2012 01:29 AM
Thank you a lot Giuseppe,
You mean adding fair-queue under the Egress
class class-default policy?
And for the IP address in Tunnel37, I will remove the
ip address 91.x.x.37 255.255.255.252 secondary
as it's for testing.
Each university has multiple ISPs (including the academic network).
How can I handle this scenario?
And for the subnet I gave to the universities:
should the university use a default route or NAT to access the internet through my router? What is your advice?
Best Regards
The message I get when I apply the command:
(config)#policy-map Egress
(config-pmap)# class class-default
(config-pmap-c)#fa
(config-pmap-c)#fair-queue
fair-queue not allowed in a parent policy
05-22-2012 01:58 AM
Hello Fadi,
I'm sorry, I meant to put fair-queue on the class class-default of the child policy, but you already have it!
So you can ignore it.
>> should the university use Default Route or NAT to access the internet in my router?
It is a question of choice; it is difficult to say more with so few details. It depends on the policies you should apply/follow.
However, with the speeds you have on your router (aggregate of 34 Mbps), it would be better to leave independent access to the internet to each university. This is just a first glance.
There might be security policies that lead to centralized internet access for better control, use of security appliances that are only on the central site, and so on.
You see, there is no single answer to this question.
Hope to help
Giuseppe
05-23-2012 02:00 AM
Hello Giuseppe ,
I hope you are fine.
I just wonder about my current configuration; help me in this case:
The university uses the internet only for itself (uses 34 Mbps); no other universities use the internet at that time.
After a certain period, there are 3 universities using the internet.
Is the speed automatically distributed to all universities equally?
All universities = 34/4 = 8.8
If the speed is not distributed equally, is there a way to force them?
Best Regard
05-23-2012 06:01 AM
Hello Fadi,
The internet access will be shared if one university acts as a central site.
However, the downstream / download direction of the other universities will have to be encapsulated in GRE packets to reach the other universities from the central site (= to use the point-to-point tunnels discussed previously).
If this is the case, traffic will enter the central site's internet interface to be sent out of the same interface in GRE packets after NAT is performed in the central site.
To take this into account, you may want to review the bandwidth statements for the GRE tunnels destined to those three universities, giving them a greater rate.
Actually, it may be fine also with the proposed QoS configuration.
Hope to help
Giuseppe
05-24-2012 12:00 AM
Hello Giuseppe ,
Thank you for clarifying things.
I am using Cisco Configuration Professional to manage my router.
I have two options:
1- Security Audit
2- One-step-lockdown
The configuration is below.
My question is: which option should I use to secure my router without any conflict with the current configuration and without exceeding the router resources?
============Security Audit ==================
==========================================
Configuration commands for the router:
saved on 24/05/2012 09:28:37
----------------------------------------------------------------------------
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
exit
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
exit
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
exit
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
ip domain lookup
no snmp-server
line con 0
transport output telnet
exit
line aux 0
transport output telnet
exit
ip name-server 8.8.8.8
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip tcp synwait-time 10
security authentication failure rate 3 log
security passwords min-length 6
banner login ~Access is restricted to authorized users only~
logging console critical
logging trap debugging
logging buffered 51200 debugging
parameter-map type regex ccp-regex-nonascii
pattern "[^\x00-\x80]"
exit
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
exit
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
exit
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
exit
class-map type inspect imap match-any ccp-app-imap
match invalid-command
exit
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
exit
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
exit
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
exit
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
exit
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
exit
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
exit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
exit
class-map type inspect match-all ccp-protocol-imap
match protocol imap
exit
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
exit
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
exit
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
exit
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
exit
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
exit
class-map type inspect match-all ccp-protocol-http
match protocol http
exit
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-accesss
exit
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
exit
class-map type inspect match-all ccp-invalid-src
match access-group 100
exit
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
exit
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
exit
class-map type inspect match-any ccp-sip-inspect
match protocol sip
exit
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
exit
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
exit
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
exit
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
exit
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
exit
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
exit
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
exit
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
exit
class type inspect http ccp-app-httpmethods
log
reset
exit
class type inspect http ccp-app-nonascii
log
reset
exit
exit
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
exit
exit
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
exit
exit
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
reset
exit
exit
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
no drop
inspect
exit
class type inspect ccp-sip-inspect
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h323annexe-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
class type inspect ccp-h323nxg-inspect
no drop
inspect
exit
class type inspect ccp-skinny-inspect
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
exit
class type inspect ccp-protocol-http
no drop
inspect
service-policy http ccp-action-app-http
exit
class type inspect ccp-protocol-smtp
no drop
inspect
service-policy smtp ccp-action-smtp
exit
class type inspect ccp-protocol-imap
no drop
inspect
service-policy imap ccp-action-imap
exit
class type inspect ccp-protocol-pop3
no drop
inspect
service-policy pop3 ccp-action-pop3
exit
class type inspect ccp-protocol-p2p
drop log
exit
class type inspect ccp-protocol-im
drop log
exit
class type inspect ccp-insp-traffic
no drop
inspect
exit
class type inspect ccp-sip-inspect
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h323annexe-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
class type inspect ccp-h323nxg-inspect
no drop
inspect
exit
class type inspect ccp-skinny-inspect
no drop
inspect
exit
exit
policy-map type inspect ccp-permit
class type inspect ccp-sip-inspect
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h323annexe-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
class type inspect ccp-h323nxg-inspect
no drop
inspect
exit
class type inspect ccp-skinny-inspect
no drop
inspect
exit
class class-default
exit
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
exit
interface Tunnel49
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface FastEthernet0/2
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Loopback1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Null0
exit
default interface Null0
interface Null0
no ip unreachables
exit
interface Tunnel9
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel29
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel37
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel26
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel17
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel5
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface GigabitEthernet0/3
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
exit
interface Tunnel33
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface GigabitEthernet0/2
description $FW_OUTSIDE$
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
zone-member security out-zone
exit
interface Tunnel41
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface GigabitEthernet0/1
description $FW_INSIDE$
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
zone-member security in-zone
exit
interface Tunnel13
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel21
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
==========================================
=============One-step-lockdown==============
==========================================
Configuration commands for the router: x.x.x.x
saved on 24/05/2012 09:43:12
----------------------------------------------------------------------------
aaa authorization exec local_author local
aaa authentication login local_authen local
no snmp-server
line vty 0 4
login authentication local_authen
authorization exec local_author
exit
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip tcp synwait-time 10
security authentication failure rate 3 log
security passwords min-length 6
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
~
logging console critical
logging trap debugging
logging buffered 51200 debugging
interface Tunnel49
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface FastEthernet0/2
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Loopback1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Null0
exit
default interface Null0
interface Null0
no ip unreachables
exit
interface Tunnel9
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel29
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel37
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel26
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel17
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel5
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface GigabitEthernet0/3
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
exit
interface Tunnel33
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface GigabitEthernet0/2
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
exit
interface Tunnel41
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface GigabitEthernet0/1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
exit
interface Tunnel13
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Tunnel21
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
==========================================
Best Regards
05-24-2012 08:30 AM
Hello Fadi,
your router acts as an ISP provider router. I would not recommend using these templates on it because they are intended for an enterprise scenario.
Just to make an example, introducing a zone-based firewall is not an easy move, and how does it deal with the GRE tunnels on the WAN interface?
Inspection of traffic may be fine with a few Mbps of downstream traffic, but you deal with 34 Mbps and more in the future.
CPU can go very high even in a C7200 router. And you don't want to introduce slowness.
The key concept is control: if you use these templates you introduce hundreds of configuration lines with limited understanding of some features.
And what are the possible interactions of zone-based firewall, CBAC (inspect) and so on?
You may end up lost in an attempt to troubleshoot and fix it.
As a simple human being I would stay away from this.
You can use these templates to take inspiration for studying some security features, like zone-based firewalling for example, but I would not apply them.
Edit:
the lock-down template looks more reasonable and is formed of simple commands that should be compatible with the role of your device, and it shouldn't have an impact.
Hope to help
Giuseppe
05-28-2012 02:25 AM
Hello Giuseppe,
I hope you are fine.
this is the configuration for one university
in the router I ping to the internet
=======================
#ping 8.8.8.8 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 91.237.50.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/80 ms
=============================
when I connect the switch to interface FastEthernet0/1 with IP address 91.x.x.33 255.255.255.252
my clients have private IP addresses 10.0.0.0/24
My Question 1:
all my clients access the internet with this configuration, or should I use NAT?
Give me a solution?
My Question 2:
you see I use 3 IP addresses
172.25.90.0 /24 ---- on the physical interface (on vpn)
172.24.90.0 /24 ---- on the tunnel and bgp neighbor
91.x.x.x/24 for the university to access the internet
How can I minimize the use of these IPs
to 2 IPs?
to make my work easier.
===========================================
Building configuration...
Current configuration : 1833 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AAUJ-NREN
!
boot-start-marker
boot system flash c1841-ipbasek9-mz.124-24.T5.bin
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$IcdC$f9CMBzMEQ3G53piwF3vN20
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
multilink bundle-name authenticated
!
!
!
!
!
secure boot-config
archive
log config
hidekeys
!
!
!
!
interface Tunnel34
ip address 172.24.90.34 255.255.255.252
ip virtual-reassembly
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 172.25.90.2
!
interface FastEthernet0/0 ----connected to my core router----
description Out
ip address 172.25.90.34 255.255.255.0
ip virtual-reassembly
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1 ---this is connected to the switch and has a real IP---
ip address 91.x.x.33 255.255.255.252
ip virtual-reassembly
speed auto
full-duplex
no mop enabled
!
router bgp 64530
no synchronization
bgp log-neighbor-changes
network x.x.x.0 mask 255.255.0.0
neighbor 172.24.90.33 remote-as 57965
neighbor 172.24.90.33 soft-reconfiguration inbound
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel34
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
line con 0
line aux 0
line vty 0 4
password 7 04753F130128586E0818101D
login
!
scheduler allocate 20000 1000
end
05-28-2012 05:23 AM
Hello Fadi,
NAT is required as the internal network of the university is private (a 10.x.0.0/16).
You have a static default route over the GRE tunnel :
>> ip route 0.0.0.0 0.0.0.0 Tunnel34
This setup is on the path for centralized internet access as you are sending to central site all traffic for the public internet.
So you need NAT on the central site router: you have to configure the GRE tunnel(s) of the universities as NAT inside and the internet-facing interface as NAT outside.
Q1) ON central site router
int tunnel GRE x
ip nat inside
int tunnel GRE y
ip nat inside
int tunnel GRE z
ip nat inside
! you need also an ip nat inside on internal network of central site and an ip nat outside on the interface facing the internet
You need an extended ACL to avoid to NAT between universities
access-list 161 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 161 permit ip 10.x.0.0 0.0.255.255 any
access-list 161 permit ip 10.y.0.0 0.0.255.255 any
access-list 161 permit ip 10.z.0.0 0.0.255.255 any
access-list 161 permit ip 10.k.0.0 0.0.255.255 any
where each line is for the central site or one of the universities that will have internet access via the central site.
route-map select-NAT permit 10
match ip address 161
ip nat inside source route-map select-NAT interface
Universities with independent internet access will have their own NAT statements, using the interface with the public IP address as NAT outside.
Q2)
It is not totally clear to me; for remote sites/universities that will use centralized internet access, the only interface that you could dismiss is the one with the public address. But it is just enough to not use it.
Universities with independent internet access need to use that interface with public IP as NAT outside.
Hope to help
Giuseppe
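The NAT selection described in the reply above hinges on how IOS evaluates access-list 161 (first match wins, wildcard masks, implicit deny at the end) before the route-map decides whether a flow is translated. The following is an added example, not part of the thread, that models that evaluation so the rule set can be checked offline; the second octets 10.1 and 10.2 stand in for the 10.x/10.y university ranges and are constructed placeholders.

```python
# Added example: offline model of "route-map select-NAT / match ip address 161".
# Subnets 10.1.0.0/16 and 10.2.0.0/16 are constructed stand-ins for 10.x/10.y.
import ipaddress
from dataclasses import dataclass


@dataclass
class AceEntry:
    permit: bool
    src: str  # "address wildcard" or "any"
    dst: str  # "address wildcard" or "any"


def _match(addr: str, spec: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry decides; an extended ACL ends with an implicit deny."""
    for ace in acl:
        if _match(src, ace.src) and _match(dst, ace.dst):
            return ace.permit
    return False


# access-list 161 as written in the reply (deny inter-university first).
ACL_161 = [
    AceEntry(False, "10.0.0.0 0.255.255.255", "10.0.0.0 0.255.255.255"),
    AceEntry(True, "10.1.0.0 0.0.255.255", "any"),  # university "x" (constructed)
    AceEntry(True, "10.2.0.0 0.0.255.255", "any"),  # university "y" (constructed)
]

# Same entries with the deny moved last: shows why ordering matters.
ACL_161_DENY_LAST = ACL_161[1:] + ACL_161[:1]


def will_translate(src: str, dst: str, acl=ACL_161) -> bool:
    """True if the route-map matches, i.e. the flow would be NATed."""
    return acl_permits(acl, src, dst)


if __name__ == "__main__":
    for s, d in [("10.1.0.5", "8.8.8.8"), ("10.1.0.5", "10.2.0.9"), ("10.9.0.1", "8.8.8.8")]:
        print(f"{s} -> {d}: {'NAT' if will_translate(s, d) else 'no NAT'}")
```

Running it shows university-to-internet flows translated, university-to-university flows left alone, and a subnet missing from the permit lines silently denied (so no internet access) rather than translated.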