IPv6 and IPv4 Dual Stack on a Branch Router Configuration Example

From DocWiki

Revision as of 23:43, 14 June 2011 by Pzimmerm (Talk | contribs)

Introduction

This document gives customers a configuration example to use when planning or deploying IPv6 in their branch networks. It is not an introduction to branch design fundamentals and best practices, to IPv6, to transition mechanisms, or to IPv4 and IPv6 feature comparisons. The reader must be familiar with the Cisco branch design best-practice recommendations and with the basics of IPv6 and the associated transition mechanisms. For information about the enterprise design architecture, refer to the following documents:

This document contains a dual-stack IPv4/IPv6 single-tier branch profile. The single-tier profile is a fully integrated solution: the requirements for LAN and WAN connectivity and for security are met by a single Integrated Services Router (ISR). WAN connectivity is provided by an Ethernet link to an Internet Service Provider (ISP); this Ethernet link is the primary path to the headquarters (HQ) site. For WAN redundancy, a backup connection is made over T1. IPv4 connectivity to the HQ site is provided by IPv4 IPsec using Dynamic Multipoint Virtual Private Network (DMVPN); IPv6 connectivity to the HQ site is provided by DMVPN carrying IPv6 over IPv4. LAN connectivity is provided by an integrated switch module (EtherSwitch Service Module). Dual stack (both the IPv4 and the IPv6 TCP/IP stacks running together) is used on the VLAN interfaces at the branch.

In addition to the security policies in place at HQ, local security for both IPv4 and IPv6 is provided by a common set of infrastructure security features and configurations together with the Cisco IOS Firewall. QoS for IPv4 and IPv6 is integrated into a single policy.

Design

[Figure: Test-team-branch001.jpg, branch design diagram]

Configuration

This configuration uses the following features:

Routing Protocol
  - EIGRP IPv6
  - EIGRP IPv4
Multicast
  - PIM-SSM (IPv4)
  - MLDv2 (IPv6)
DMVPN
  - IPv4 / IPv6
WAN Access
  - Ethernet Handoff (Primary)
  - T1 (Backup)
QoS (IPv6 / IPv4)
  - Classification (DSCP, ACL)
  - Marking
  - Queuing (CBWFQ, LLQ)
  - Shaping
  - HQOS (2-level HQOS)
Security
  - First Hop Security
Firewall
  - Zone Based Firewall (IPv6 and IPv4)
DHCP
  - DHCP (IPv6 and IPv4)
SSH
  - SSH (IPv6 and IPv4)
FTP
  - FTP
SNMP
  - SNMP
Access Lists
  - Standard and extended ACL

The links take you to the Configuration Guide (or other document) for information on configuring the features.

The router is a Cisco 2921 running c2900-universalk9-mz.SPA.151-3.T.

Related show Commands

The feature documentation in the table above contains references to appropriate show commands for the features.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.


Show running-config

v6-cvd-branch#show running-config
Building configuration...

Current configuration : 28169 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v6-cvd-branch
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.151-3.T
boot-end-marker
!
!
card type t1 0 0
logging buffered 1000000
!
no aaa new-model
!
no network-clock-participate wic 0 
!
ipv6 unicast-routing
ipv6 dhcp pool DATA_VISTA
 address prefix 2001:DB8:CAFE:1000::/64
 dns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D
 dns-server 2001:DB8:CAFE:10:51A1:5B1:4A85:B3DA
 domain-name cisco.com
!
ipv6 cef
ipv6 multicast-routing
ip source-route
ip cef
!
!
ip nbar port-map cifs tcp 137 139 445 445 
ip nbar port-map custom-03 tcp 5554 9996 
ip nbar port-map custom-02 udp 1434 
ip nbar port-map netbios tcp 137 139 445 
!
ip multicast-routing 
ip dhcp relay information trust-all
no ip dhcp use vrf connected
!
ip dhcp pool DATA_LAN
   network 10.124.1.0 255.255.255.128
   dns-server 10.121.10.7 
   default-router 10.124.1.1 
   domain-name cisco.com
!
ip dhcp pool VOICE_LAN
   network 10.125.1.0 255.255.255.0
   dns-server 10.121.10.7 
   default-router 10.125.1.1 
   option 150 ip 10.121.10.7 
   domain-name cisco.com
!
ip dhcp pool PRINTER_LAN
   network 10.124.1.128 255.255.255.128
   dns-server 10.121.10.7 
   default-router 10.124.1.129 
!
!
no ip bootp server
no ip domain lookup
ip domain name cisco.com
login block-for 30 attempts 3 within 200
login delay 2
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 sessions maximum 1000
 alert off
 one-minute low 2000
 one-minute high 2000
parameter-map type inspect alart-on
 alert on
parameter-map type inspect default
 tcp max-incomplete host 100 block-time 0
parameter-map type urlf-glob MSN
 pattern msn.cisco.com

parameter-map type protocol-info msn-p
 server name msn.cisco.com

parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

!
!
!
!
!
key chain ESE
 key 1
  key-string 7 111B180B101719
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1729957883
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1729957883
 revocation-check none
 rsakeypair TP-self-signed-1729957883
!
!
crypto pki certificate chain TP-self-signed-1729957883
 certificate self-signed 01
  quit
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1435AJE2
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
  quit
!
!
!
!
controller T1 0/0/0
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/0/1
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password 7 071D2042490C0B
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map type inspect match-all MSN-map
 match protocol msnmsgr
class-map type inspect match-any v6-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
class-map type inspect match-all Y-map
 match protocol ymsgr
class-map type inspect match-all v6-map
 match class-map v6-class
 match access-group name ZFWv6
class-map type inspect match-any v4-map
 match protocol tcp
 match protocol udp
 match protocol dns
 match protocol icmp
 match protocol kazaa2
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
 match protocol ssh
 match protocol ftp
 match protocol https
 match protocol gdoi
 match protocol ipsec-msft
 match protocol isakmp
 match protocol bgp
 match protocol router
 match protocol ntp
 match protocol tacacs
 match protocol radius
class-map type inspect msnmsgr match-any MSN-class
class-map match-any BRANCH-BULK-DATA
 match access-group name BULK-DATA-APPS
 match access-group name BULK-DATA-APPS-V6
class-map type inspect http match-all HTTP
 match  request port-misuse any
 match  request method connect
class-map type inspect msnmsgr match-any MSN-c
 match  service any 
class-map match-all SQL-SLAMMER
 match protocol custom-02
 match packet length min 404 max 404
class-map match-all BULK-DATA
 match  dscp af11  af12 
class-map match-all INTERACTIVE-VIDEO
 match  dscp af41  af42 
class-map match-any BRANCH-SCAVENGE
class-map type inspect match-all v6-map-in
 match protocol icmp
 match access-group name FWIN
class-map match-any CALL-SIGNALLING
 match  dscp cs3 
 match  dscp af31 
class-map type inspect match-all HTTP-s
 match access-group 10
 match protocol http
class-map type inspect match-any HTTP-map
 match protocol http
class-map type inspect match-any im-aol
 match protocol aol
class-map match-any BRANCH-TRANSACTIONAL-DATA
 match protocol citrix
 match protocol ldap
 match protocol sqlnet
 match access-group name BRANCH-TRANSACTIONAL-V6
 match protocol http url "*cisco.com"
class-map type inspect ymsgr match-any YAHOO
 match  service any 
class-map type inspect msnmsgr match-any MSN
class-map match-any BRANCH-MISSION-CRITICAL
 match access-group name MISSION-CRITICAL-SERVERS
 match access-group name MISSION-CRITICAL-V6
class-map match-any WORMS
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
 match class-map SQL-SLAMMER
 match protocol exchange
 match protocol custom-03
class-map match-all VOICE
 match  dscp ef 
class-map match-all MISSION-CRITICAL-DATA
 match  dscp 25 
class-map match-any BRANCH-NET-MGMT
 match protocol snmp
 match protocol syslog
 match protocol telnet
 match protocol nfs
 match protocol dns
 match protocol icmp
 match protocol tftp
 match access-group name BRANCH-NET-MGMT-V6
class-map match-all ROUTING
 match  dscp cs6 
class-map match-all SCAVENGER
 match  dscp cs1 
class-map type inspect match-any telnet-s
class-map match-all NET-MGMT
 match  dscp cs2 
class-map type inspect match-any VPN-in
 match access-group name ZBFW-v6-in
 match access-group name ZBFW-in
class-map match-any BRANCH-SCAVENGER
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match access-group name BRANCH-SCAVENGER-V6
class-map type inspect match-all v4-in
 match protocol icmp
class-map match-all TRANSACTIONAL-DATA
 match  dscp af21  af22 
class-map type inspect match-any im-MSN
 match protocol msnmsgr msn-servers
class-map type inspect match-any route-v4-v6
 match access-group name v4-route
 match access-group name v6-route
!
!
policy-map type inspect FWIN
 class type inspect v4-in
  inspect 
 class type inspect v6-map-in
  inspect 
 class class-default
  drop
policy-map type inspect http HTTP
 class type inspect http HTTP
  allow
policy-map BRANCH-LAN-EDGE-IN-CHILD
 class WORMS
  drop
 class class-default
  set dscp default
policy-map BRANCH-WAN-EDGE-CHILD
 class VOICE
  priority percent 18
 class INTERACTIVE-VIDEO
  priority percent 15
 class CALL-SIGNALLING
  bandwidth percent 5
 class ROUTING
  bandwidth percent 3
 class NET-MGMT
  bandwidth percent 2
 class SCAVENGER
  bandwidth percent 1
 class MISSION-CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class TRANSACTIONAL-DATA
  bandwidth percent 12
  random-detect dscp-based
 class BULK-DATA
  bandwidth percent 4
  random-detect dscp-based
 class class-default
  bandwidth percent 25
  random-detect
policy-map BRANCH-LAN-EDGE-OUT
 class class-default
  set cos dscp
policy-map type inspect im YAHOO
 class type inspect ymsgr YAHOO
  allow
policy-map type inspect ZBP
 class type inspect v4-map
  inspect 
 class type inspect v6-map
  inspect 
 class type inspect HTTP-s
  inspect alart-on
 class type inspect telnet-s
  inspect alart-on
 class type inspect Y-map
  inspect 
  service-policy im YAHOO
 class type inspect HTTP-map
  inspect 
  service-policy http HTTP
 class type inspect im-MSN
  drop log
 class type inspect im-aol
  inspect alart-on
 class type inspect VPN-in
  pass
 class type inspect route-v4-v6
  pass
 class class-default
  drop
policy-map BRANCH-LAN-EDGE-IN-PARENT
 class BRANCH-MISSION-CRITICAL
  set dscp 25
 class BRANCH-TRANSACTIONAL-DATA
  set dscp af21
 class BRANCH-NET-MGMT
  set dscp cs2
 class BRANCH-BULK-DATA
  set dscp af11
 class BRANCH-SCAVENGER
  set dscp cs1
 class class-default
  set dscp default
  service-policy BRANCH-LAN-EDGE-IN-CHILD
policy-map type inspect im MSN
 class type inspect msnmsgr MSN
policy-map type inspect im MSN-policy
 class type inspect msnmsgr MSN-c
policy-map BRANCH-WAN-EDGE-PARENT
 class class-default
  shape average percent 90
  service-policy BRANCH-WAN-EDGE-CHILD
!
zone security inside
 description inside of branch
zone security outside
 description to internet
zone-pair security in-out source inside destination outside
 service-policy type inspect ZBP
zone-pair security out-in source outside destination inside
 service-policy type inspect FWIN
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key CISCO address 172.17.1.3
crypto isakmp key SYSTEMS address 172.18.1.4
crypto isakmp key SYSTEMS address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set brb esp-3des esp-sha-hmac 
crypto ipsec transform-set brb-back esp-3des esp-sha-hmac 
!
crypto ipsec profile dmvpn
 set security-association lifetime seconds 300
 set transform-set brb 
!
crypto ipsec profile dmvpn-back
 set security-association lifetime seconds 300
 set transform-set brb-back 
!
!
!
!
!
!
interface Loopback0
 ip address 10.122.1.1 255.255.255.254
 ipv6 address 2001:DB8:CAFE:1111::BAD1:A001/64
 ipv6 eigrp 1
!
interface Tunnel1
 description DMVPN to HQ Head-end 1
 ip address 10.126.1.2 255.255.255.0
 ip access-group INET in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip pim sparse-dense-mode
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 ESE
 ip hold-time eigrp 10 35
 no ip next-hop-self eigrp 10
 ip flow ingress
 ip nhrp authentication secret
 ip nhrp map multicast dynamic
 ip nhrp map multicast 172.17.1.3
 ip nhrp map 10.126.1.1 172.17.1.3
 ip nhrp network-id 10203
 ip nhrp nhs 10.126.1.1
 ip virtual-reassembly in
 zone-member security outside
 no ip split-horizon eigrp 10
 load-interval 30
 delay 500
 ipv6 address 2001:DB8:CAFE:1261::BAD1:A001/64
 ipv6 mtu 1400
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 eigrp 1
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 ESE
 ipv6 hold-time eigrp 1 35
 no ipv6 split-horizon eigrp 1
 no ipv6 mfib forwarding input
 ipv6 nhrp authentication secret
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp map multicast 172.17.1.3
 ipv6 nhrp map 2001:DB8:CAFE:1261::ACE1:F000/128 172.17.1.3
 ipv6 nhrp network-id 70809
 ipv6 nhrp nhs 2001:DB8:CAFE:1261::ACE1:F000
 ipv6 traffic-filter INET-WAN-v6 in
 keepalive 10 3
 tunnel source 172.16.1.2
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
 no clns route-cache
!
interface Tunnel2
 description DMVPN to HQ Head-end 2
 ip address 10.127.1.2 255.255.255.0
 ip access-group INET-BACK in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip pim sparse-dense-mode
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 ESE
 ip hold-time eigrp 10 35
 no ip next-hop-self eigrp 10
 ip flow ingress
 ip nhrp authentication secret
 ip nhrp map multicast dynamic
 ip nhrp map 10.127.1.1 172.18.1.4
 ip nhrp map multicast 172.18.1.4
 ip nhrp network-id 30201
 ip nhrp nhs 10.127.1.1
 ip virtual-reassembly in
 zone-member security outside
 no ip split-horizon eigrp 10
 load-interval 30
 delay 500
 ipv6 address 2001:DB8:CAFE:1271::BAD1:A001/64
 ipv6 mtu 1400
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 eigrp 1
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 ESE
 ipv6 hold-time eigrp 1 35
 no ipv6 split-horizon eigrp 1
 ipv6 nhrp authentication secret
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp map multicast 172.18.1.4
 ipv6 nhrp map 2001:DB8:CAFE:1271::ACE1:F000/128 172.18.1.4
 ipv6 nhrp network-id 90807
 ipv6 nhrp nhs 2001:DB8:CAFE:1271::ACE1:F000
 ipv6 traffic-filter INET-WAN-v6 in
 if-state nhrp
 tunnel source Serial0/0/0:1
 tunnel mode gre multipoint
 tunnel key 321
 tunnel protection ipsec profile dmvpn-back
 no clns route-cache
!
interface GigabitEthernet0/0
 ip address 10.123.1.1 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp join-group 232.0.0.1 source 10.130.1.1
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Ethernet Handoff to ISP (PRIMARY)
 ip address 172.16.1.2 255.255.255.252
 ip access-group WAN-link in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
 service-policy output BRANCH-WAN-EDGE-PARENT
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:1
 ip address 172.15.1.2 255.255.255.252
 ip access-group WAN-link in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nbar protocol-discovery
 ip flow ingress
 ip virtual-reassembly in
 service-policy output BRANCH-WAN-EDGE-PARENT
!
interface Serial0/0/1:1
 no ip address
 shutdown
!
interface GigabitEthernet1/0
 description to INTERNAL SW-BR1-1
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-mode
 ip flow ingress
 ip virtual-reassembly in
 ip policy route-map no_split
 ipv6 nd other-config-flag
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 dhcp server DATA_VISTA
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 virtual-reassembly in
 no snmp trap link-status
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 encapsulation dot1Q 100
 ip address 10.124.1.1 255.255.255.128
 ip access-group LANout in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip flow ingress
 ip virtual-reassembly in
 zone-member security inside
 ip policy route-map no_split
 ipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64
 ipv6 nd other-config-flag
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 dhcp server DATA_VISTA
 ipv6 eigrp 1
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 virtual-reassembly in
 service-policy input BRANCH-LAN-EDGE-IN-PARENT
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet1/0.200
 description to Voice VLAN for IP Phones
 encapsulation dot1Q 200
 ip address 10.125.1.1 255.255.255.0
 ip access-group VOICEout in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip flow ingress
 ip virtual-reassembly in
 zone-member security inside
 ip policy route-map no_split
 ipv6 address 2001:DB8:CAFE:1200::BAD1:A001/64
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 eigrp 1
 ipv6 traffic-filter VOICE_LAN-v6 in
 ipv6 virtual-reassembly in
 service-policy input BRANCH-LAN-EDGE-IN-PARENT
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet1/0.300
 description to Printer VLAN
 encapsulation dot1Q 300
 ip address 10.124.1.129 255.255.255.128
 ip access-group PRINTERout in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip flow ingress
 ip virtual-reassembly in
 zone-member security inside
 ip policy route-map no_split
 ipv6 address 2001:DB8:CAFE:1300::BAD1:A001/64
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 eigrp 1
 ipv6 traffic-filter PRINTER_LAN-v6 in
 ipv6 virtual-reassembly in
 service-policy input BRANCH-LAN-EDGE-IN-PARENT
 service-policy output BRANCH-LAN-EDGE-OUT
!
!
router eigrp 10
 network 10.0.0.0
 redistribute static
 passive-interface GigabitEthernet1/0
 passive-interface GigabitEthernet1/0.100
 passive-interface GigabitEthernet1/0.200
 passive-interface GigabitEthernet1/0.300
 eigrp stub connected summary
!
ip forward-protocol nd
!
ip pim ssm default
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:1 200
ip route 223.255.248.115 255.255.255.255 GigabitEthernet0/0
!
ip access-list extended BULK-DATA-APPS
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq pop3
 permit tcp any any eq 143
ip access-list extended INET
 permit igmp any any
 permit pim any any
 permit eigrp any any
 permit icmp any 10.126.1.0 0.0.0.255
 permit icmp any 10.126.1.0 0.0.0.255 packet-too-big
 permit icmp any 10.126.1.0 0.0.0.255 unreachable
 permit icmp any 10.126.1.0 0.0.0.255 echo-reply
 permit icmp any 10.126.1.0 0.0.0.255 time-exceeded
 permit icmp any 10.124.100.0 0.0.0.255
 permit icmp any 10.124.100.0 0.0.0.255 packet-too-big
 permit icmp any 10.124.100.0 0.0.0.255 unreachable
 permit icmp any 10.124.100.0 0.0.0.255 echo-reply
 permit icmp any 10.124.100.0 0.0.0.255 time-exceeded
 permit icmp any 10.124.1.0 0.0.0.255
 permit icmp any 10.124.1.0 0.0.0.255 packet-too-big
 permit icmp any 10.124.1.0 0.0.0.255 unreachable
 permit icmp any 10.124.1.0 0.0.0.255 echo-reply
 permit icmp any 10.124.1.0 0.0.0.255 time-exceeded
 permit icmp any 10.125.1.0 0.0.0.127
 permit icmp any 10.125.1.0 0.0.0.127 packet-too-big
 permit icmp any 10.125.1.0 0.0.0.127 unreachable
 permit icmp any 10.125.1.0 0.0.0.127 echo-reply
 permit icmp any 10.125.1.0 0.0.0.127 time-exceeded
 permit udp any host 10.124.100.1 eq ntp
 permit tcp any host 10.124.100.1 eq telnet
 permit tcp any host 10.124.100.1 eq 22
 permit ip any 10.125.1.0 0.0.0.255
 permit ip any 10.124.1.0 0.0.0.255
 permit ip any 10.126.1.0 0.0.0.255
 deny   ip host 255.255.255.255 any
 deny   ip any any log
ip access-list extended INET-BACK
 permit pim any any
 permit eigrp any any
 permit icmp any 10.127.1.0 0.0.0.255
 permit icmp any 10.127.1.0 0.0.0.255 packet-too-big
 permit icmp any 10.127.1.0 0.0.0.255 unreachable
 permit icmp any 10.127.1.0 0.0.0.255 echo-reply
 permit icmp any 10.127.1.0 0.0.0.255 time-exceeded
 permit icmp any 10.124.100.0 0.0.0.255
 permit icmp any 10.124.100.0 0.0.0.255 packet-too-big
 permit icmp any 10.124.100.0 0.0.0.255 unreachable
 permit icmp any 10.124.100.0 0.0.0.255 echo-reply
 permit icmp any 10.124.100.0 0.0.0.255 time-exceeded
 permit icmp any 10.124.1.0 0.0.0.255
 permit icmp any 10.124.1.0 0.0.0.255 packet-too-big
 permit icmp any 10.124.1.0 0.0.0.255 unreachable
 permit icmp any 10.124.1.0 0.0.0.255 echo-reply
 permit icmp any 10.124.1.0 0.0.0.255 time-exceeded
 permit icmp any 10.125.1.0 0.0.0.127
 permit icmp any 10.125.1.0 0.0.0.127 packet-too-big
 permit icmp any 10.125.1.0 0.0.0.127 unreachable
 permit icmp any 10.125.1.0 0.0.0.127 echo-reply
 permit icmp any 10.125.1.0 0.0.0.127 time-exceeded
 permit udp any host 10.124.100.1 eq ntp
 permit tcp any host 10.124.100.1 eq telnet
 permit tcp any host 10.124.100.1 eq 22
 permit ip any 10.125.1.0 0.0.0.255
 permit ip any 10.124.1.0 0.0.0.255
 permit ip any 10.127.1.0 0.0.0.255
 deny   ip host 255.255.255.255 any
 deny   ip any any log
ip access-list extended LANout
 permit udp host 0.0.0.0 host 255.255.255.255
 permit ip 10.124.1.0 0.0.0.127 any
 deny   ip any any log
ip access-list extended MGMT-IN-v4
 permit tcp 10.120.0.0 0.0.255.255 any
 permit tcp 10.126.0.0 0.0.255.255 any
 permit tcp 10.121.0.0 0.0.255.255 any
 permit tcp 10.122.0.0 0.0.255.255 any
 deny   ip any any log-input
ip access-list extended MISSION-CRITICAL-SERVERS
 permit ip any 10.121.10.0 0.0.0.255
 permit ip any 10.121.11.0 0.0.0.255
 permit ip any 10.121.12.0 0.0.0.255
ip access-list extended PRINTERout
 permit udp host 0.0.0.0 host 255.255.255.255
 permit ip 10.124.1.128 0.0.0.127 any
 deny   ip any any
ip access-list extended VOICEout
 permit udp host 0.0.0.0 host 255.255.255.255
 permit ip 10.125.1.0 0.0.0.127 any
 deny   ip any any
ip access-list extended WAN-link
 permit esp any any
 permit gre any any
 permit udp any host 172.16.1.2 eq isakmp
 permit icmp any host 172.16.1.2
 permit icmp any host 172.16.1.2 packet-too-big
 permit icmp any host 172.16.1.2 unreachable
 permit udp any host 10.124.100.1 eq isakmp
 permit icmp any host 10.124.100.1
 permit icmp any host 10.124.100.1 packet-too-big
 permit icmp any host 10.124.100.1 unreachable
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny   tcp any any
 deny   udp any any
 deny   ip host 255.255.255.255 any
 deny   ip any any
ip access-list extended WAN_TRAFFIC
 deny   ip any 10.124.1.0 0.0.0.255
 deny   ip any 10.125.1.0 0.0.0.127
 permit ip any any
ip access-list extended ZBFW-in
 permit esp any any
 permit udp any any eq isakmp
ip access-list extended v4-route
 permit ospf any any
 permit eigrp any any
!
access-list 10 permit 10.126.1.0
access-list 10 permit 172.16.1.0
access-list 99 permit 10.129.1.1
access-list 180 permit ip host 10.129.1.1 host 10.124.1.2
ipv6 router eigrp 1
 passive-interface GigabitEthernet1/0.100
 passive-interface GigabitEthernet1/0.200
 passive-interface GigabitEthernet1/0.300
 eigrp router-id 10.124.100.1
 eigrp stub connected summary
!
!
!
!
!
!
!
ipv6 access-list INET-WAN-v6
 remark PERMIT EIGRP for IPv6
 permit 88 any any
 remark PERMIT PIM for IPv6
 permit 103 any any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT SSH TO LOCAL LOOPBACK
 permit tcp any host 2001:DB8:CAFE:1000::BAD1:A001 eq 22
 remark PERMIT ALL ICMPv6 PACKETS TO LOCAL LOOPBACK
 permit icmp any host 2001:DB8:CAFE:1000::BAD1:A001
 remark PERMIT ALL ICMPv6 PACKETS TO TUNNEL1
 permit icmp any host 2001:DB8:CAFE:1261::BAD1:A001
 remark PERMIT ALL ICMPv6 PACKETS TO TUNNEL2
 permit icmp any host 2001:DB8:CAFE:1271::BAD1:A001
 remark PERMIT ALL ICMPv6 PACKETS TO DATA VLAN
 permit icmp any 2001:DB8:CAFE:1100::/64
 remark PERMIT ALL ICMPv6 PACKETS TO VOICE VLAN
 permit icmp any 2001:DB8:CAFE:1200::/64
 remark PERMIT ALL ICMPv6 PACKETS TO PRINTER VLAN
 permit icmp any 2001:DB8:CAFE:1300::/64
 remark PERMIT ALL IPv6 PACKETS TO DATA VLAN
 permit ipv6 any 2001:DB8:CAFE:1100::/64
 remark PERMIT ALL IPv6 PACKETS TO VOICE VLAN
 permit ipv6 any 2001:DB8:CAFE:1200::/64
 remark PERMIT ALL IPv6 PACKETS TO PRINTER VLAN
 permit ipv6 any 2001:DB8:CAFE:1300::/64
 deny ipv6 any any log
!
ipv6 access-list DATA_LAN-v6
 remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1100::/64
 permit icmp 2001:DB8:CAFE:1100::/64 any
 remark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1100::/64
 permit ipv6 2001:DB8:CAFE:1100::/64 any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTS
 permit udp any eq 546 any eq 547
 remark DENY ALL OTHER IPv6 PACKETS AND LOG
 deny ipv6 any any log-input
!
ipv6 access-list VOICE_LAN-v6
 remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1200::/64
 permit icmp 2001:DB8:CAFE:1200::/64 any
 remark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1200::/64
 permit ipv6 2001:DB8:CAFE:1200::/64 any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTS
 permit udp any eq 546 any eq 547
 remark DENY ALL OTHER IPv6 PACKETS AND LOG
 deny ipv6 any any log-input
!
ipv6 access-list PRINTER_LAN-v6
 remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1300::/64
 permit icmp 2001:DB8:CAFE:1300::/64 any
 remark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX 2001:DB8:CAFE:1300::/64
 permit ipv6 2001:DB8:CAFE:1300::/64 any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTS
 permit udp any eq 546 any eq 547
 remark DENY ALL OTHER IPv6 PACKETS AND LOG
 deny ipv6 any any log-input
!
ipv6 access-list ACCESS_port
 deny udp any eq 547 any eq 546
 deny icmp any any router-advertisement
 permit ipv6 any any
!
ipv6 access-list MGMT-IN
 remark permit mgmt only to loopback
 permit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1000::BAD1:A001
 deny ipv6 any any log-input
!
ipv6 access-list BULK-DATA-APPS-V6
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq pop3
 permit tcp any any eq 143
!
ipv6 access-list BRANCH-SCAVENGER-V6
 remark Gnutella, Kazaa, Doom, iTunes traffic-mark dscp cs1
 permit tcp any any range 6346 6347
 permit udp any any range 6346 6347
 permit tcp any any eq 1214
 permit tcp any any eq 666
 permit udp any any eq 666
 permit tcp any any eq 3689
 permit udp any any eq 3689
!
ipv6 access-list BRANCH-NET-MGMT-V6
 remark Common management traffic plus vmware console-mark dscp cs2 
 permit udp any any eq syslog
 permit udp any any eq snmp
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit tcp any any eq 2049
 permit udp any any eq 2049
 permit tcp any any eq domain
 permit udp any any eq tftp
 permit tcp any any eq 902
!
ipv6 access-list BRANCH-TRANSACTIONAL-V6
 remark Microsoft RDP traffic-mark dscp af21
 permit tcp any any eq 3389
 permit udp any any eq 3389
!
ipv6 access-list ipv6_only
 permit tcp 2001:400:1:1::/64 2001:400:2:1::/64
 permit udp 2001:400:1:1::/64 2001:400:2:1::/64
 permit icmp 2001:400:1:1::/64 2001:400:2:1::/64
 deny ipv6 any any
!
ipv6 access-list ZFWv6
 permit ipv6 any any
!
ipv6 access-list ZBFW-v6-in
 permit esp any any
 permit udp any any eq isakmp
!
ipv6 access-list v6-route
 permit 88 any any
!
ipv6 access-list FWIN
 permit ipv6 any any
!
ipv6 access-list MISSION-CRITICAL-V6
 remark Data-Center traffic-mark dscp 25
 permit ipv6 any 2001:DB8:CAFE:10::/64
 permit ipv6 any 2001:DB8:CAFE:11::/64
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
 session-timeout 3 
 exec-timeout 0 0
 password lab
 logging synchronous
 login local
 transport output all
line aux 0
 session-timeout 3 
 login local
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 session-timeout 3 
 access-class MGMT-IN-v4 in
 privilege level 15
 password lab
 ipv6 access-class MGMT-IN in
 login local
 exec prompt timestamp
 transport input ssh
 transport output all
line vty 5 15
 session-timeout 3 
 access-class MGMT-IN-v4 in
 privilege level 15
 ipv6 access-class MGMT-IN in
 login local
 transport input ssh
!
no exception data-corruption buffer truncate
scheduler allocate 20000 1000
end


Related Information

Technical Support & Documentation - Cisco Systems


Rating: 3.0/5 (1 vote cast)

Personal tools