
CCRG-4-1-2 (1)

Published by mparmeley, 2017-09-06 15:33:51


dot11 ssid rhgwlan
 vlan 110
 authentication open
 authentication key-management wpa
 wpa-psk ascii cisco123
dot11 ssid rhgpublic
 vlan 10
 authentication open
 authentication key-management wpa
 wpa-psk ascii cisco123
dot11 network-map
dot11 arp-cache
username admin priv 15 secret cisco123
line vty 0 4
 login local
bridge irb
bridge 1 protocol ieee
bridge 10 protocol ieee
bridge 110 protocol ieee
interface Dot11Radio0
 no shutdown
 ! TKIP is a legacy WPA cipher; current platforms support AES-CCMP (WPA2) for both VLANs
 encryption vlan 110 mode ciphers tkip
 encryption vlan 10 mode ciphers tkip
 ssid rhgpublic
 ssid rhgwlan
 station-role root access-point
 no dot11 extension aironet
 no cdp enable
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 no cdp enable
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled

Configuration Reference Guide | [T] 456

interface Dot11Radio0.110
 encapsulation dot1Q 110
 no ip route-cache
 no cdp enable
 bridge-group 110
 bridge-group 110 subscriber-loop-control
 bridge-group 110 block-unknown-source
 no bridge-group 110 source-learning
 no bridge-group 110 unicast-flooding
 bridge-group 110 spanning-disabled
interface FastEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
interface FastEthernet0.110
 encapsulation dot1Q 110
 no ip route-cache
 bridge-group 110
 no bridge-group 110 source-learning
 bridge-group 110 spanning-disabled
end
write mem

QoS on WAN Router (I)
• WAN QoS policy: (1) Voice RTP = LLQ 33% & cRTP, (2) Voice Control = CBWFQ 5%, and (3) all other traffic = WFQ & WRED for TCP traffic

>> WAN AGG <<
class-map match-all RHG-CM-VOICE-RTP
 match ip dscp ef
class-map match-any RHG-CM-VOICE-CONTROL
 match ip dscp cs3
 match ip dscp af31
policy-map RHG-PM-QOS
 class RHG-CM-VOICE-RTP
  priority percent 33
  compress header ip rtp
 class RHG-CM-VOICE-CONTROL
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect dscp-based
interface Serial0/0
 ip address 10.1.2.1 255.255.255.0
 service-policy output RHG-PM-QOS

QoS on Internet Edge
• Internet Edge QoS policy: (1) WWW, POP3, FTP, & SMTP = CBWFQ 60% and (2) all other traffic = CBWFQ 15%

ip access-list extended ACL-TRAFFIC
 permit tcp any any eq www
 permit tcp any any eq pop3
 permit tcp any any eq ftp
 permit tcp any any eq smtp
class-map match-all CMAP-TRAFFIC
 match access-group name ACL-TRAFFIC
policy-map POL-TRAFFIC
 class CMAP-TRAFFIC
  bandwidth percent 60
 class class-default
  bandwidth percent 15
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 service-policy output POL-TRAFFIC

QoS on WAN Router (II) using ACL
• WAN QoS policy using medal classes: (GOLD) SMTP & HTTPS = LLQ 50%, (SILVER) POP3 & FTP = LLQ 15%, (BRONZE) WWW = LLQ 10%, (Everything Else) all other traffic = WFQ
• Classification based on ACL

ip access-list extended ACL-BRONZE
 permit tcp any any eq www
class-map match-all BRONZE
 match access-group name ACL-BRONZE
ip access-list extended ACL-SILVER
 permit tcp any any eq pop3
 permit tcp any any eq ftp
class-map match-all SILVER
 match access-group name ACL-SILVER
ip access-list extended ACL-GOLD
 permit tcp any any eq 443
 permit tcp any any eq smtp
class-map match-all GOLD
 match access-group name ACL-GOLD
policy-map POLICY1
 class GOLD
  priority percent 50
  set precedence 5
 class SILVER
  priority percent 15
  set precedence 4
 class BRONZE
  priority percent 10
  set precedence 3
 class class-default
  set precedence 0
  fair-queue
interface Serial0/1/0
 ip address 10.1.2.1 255.255.255.0
 service-module t1 timeslots 1-24
 service-policy output POLICY1

QoS on WAN Router (II) using NBAR
• WAN QoS policy using medal classes: (GOLD) SMTP, HTTPS, SIP, RTP = LLQ 50%, (SILVER) POP3 & FTP = LLQ 15%, (BRONZE) WWW = LLQ 10%, (Everything Else) all other traffic = WFQ
• Classification based on NBAR

! match-any: a packet matches only one protocol (or host) statement, so match-all
! with several "match protocol" lines would never classify anything
class-map match-any BRONZE
 match protocol http
 match protocol http host "*google.com*"
 match protocol http host "*live.com*"
 match protocol http host "*hotmail.com*"
 match protocol http host "*yahoo.com*"
class-map match-any SILVER
 match protocol pop3
 match protocol ftp
class-map match-any GOLD
 match protocol smtp
 match protocol secure-http
 match protocol rtp
 match protocol sip
policy-map POLICY1
 class GOLD
  priority percent 50
  set precedence 5
 class SILVER
  priority percent 15
  set precedence 4
 class BRONZE
  priority percent 10
  set precedence 3
 class class-default
  set precedence 0
  fair-queue
interface Serial0/1/0
 ip address 10.1.2.1 255.255.255.0
 service-module t1 timeslots 1-24
 service-policy output POLICY1

QoS Policy for WAN Branch Router
• Recommended QoS policy #3 for a WAN Branch Router
• Traffic is already marked on the LAN
• Traffic classified for Interactive Video, Network Control, Critical Data, Voice Control, and Voice Data (RTP)
• Map L2 QoS (CoS) to L3 QoS (DSCP) between the router and the local L2 switch

class-map match-all Interactive-Video
 match ip dscp af41 af42
class-map match-any Network-Control
 match ip dscp cs6
 match ip dscp cs2
class-map match-all Critical-Data
 match ip dscp af21 af22
class-map match-all Call-Signalling
 match ip dscp cs3
class-map match-all Voice
 match ip dscp ef
policy-map LAN
 class class-default
  set cos dscp
policy-map WAN
 class Voice
  priority percent 7
  compress header ip rtp
 class Interactive-Video
  priority percent 31
 class Network-Control
  bandwidth percent 5
 class Critical-Data
  bandwidth percent 25
  random-detect dscp-based
 class Call-Signalling
  bandwidth percent 5
 class class-default
  bandwidth percent 25
  random-detect
interface Serial0/0/0:0
 description WAN interface
 ip address 10.1.2.2 255.255.255.252
 load-interval 30
 ! class percentages above add up to more than the IOS default of 75% reservable bandwidth
 max-reserved-bandwidth 100
 service-policy output WAN
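The WAN policy-maps in this guide reserve bandwidth through a mix of priority (LLQ) and bandwidth (CBWFQ) percentages, and IOS rejects a policy whose total exceeds the interface's max-reserved-bandwidth (75% by default). The following added Python check, not part of the guide, parses a policy-map written in the guide's own format and sums those percentages; the embedded sample is a copy of the branch-router WAN policy above.

```python
# Constructed sample: the WAN policy-map from this page, in plain IOS text.
SAMPLE_POLICY = """\
policy-map WAN
 class Voice
  priority percent 7
  compress header ip rtp
 class Interactive-Video
  priority percent 31
 class Network-Control
  bandwidth percent 5
 class Critical-Data
  bandwidth percent 25
  random-detect dscp-based
 class Call-Signalling
  bandwidth percent 5
 class class-default
  bandwidth percent 25
  random-detect
"""

def parse_policy_maps(config):
    """Return {policy-map: {class: {'priority': pct, 'bandwidth': pct}}}."""
    maps, pm, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("policy-map "):
            pm, cls = line.split()[1], None
            maps[pm] = {}
        elif pm and raw.startswith(" class "):          # one-space indent = class
            cls = line.split()[1]
            maps[pm][cls] = {"priority": 0, "bandwidth": 0}
        elif cls and line.startswith(("priority percent ", "bandwidth percent ")):
            maps[pm][cls][line.split()[0]] = int(line.split()[2])
        elif not raw.startswith(" "):                   # any other top-level command
            pm, cls = None, None
    return maps

def check_policy(classes, max_reserved=75):
    """Sum LLQ and CBWFQ percentages for one policy-map and compare them with the
    interface's max-reserved-bandwidth (IOS default 75%)."""
    llq = sum(c["priority"] for c in classes.values())
    total = llq + sum(c["bandwidth"] for c in classes.values())
    return {"llq": llq, "total": total, "fits": total <= max_reserved}
```

For the sample the total is 98%, which is why the page sets max-reserved-bandwidth 100 on the serial interface.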

interface GigabitEthernet0/0
 description LAN interface
 ip address 192.168.20.1 255.255.255.0
 service-policy output LAN

Layer 2 Edge Port
• Common configuration for an end-user switch port
• Configure the switch port as an access port
• Enable STP PortFast
• Enable BPDU filter so the port does not listen to or process any BPDU messages

interface FastEthernet 0/10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable

Solution/Services: Administration/System
Related: N/A
• Configuration on a terminal server router with async ports that maps IP address 192.168.10.71 to TTY port 2001
• This means that a Telnet session to 192.168.10.71 is automatically connected to the console session on port 2001

chat-script router-logout "" exit "" exit "" exit ""
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
ip host TTY-1 23 192.168.10.71
ip alias 192.168.10.71 2001
line 33 63
 script reset router-logout
 modem Host
 transport input telnet
 stopbits 1
 flowcontrol hardware

Solution/Services: Administration/System
Related: N/A

Router as TFTP Server
• Automatically makes the Cisco IOS router act as a TFTP server
• Specify the file (e.g. an IOS image) that will exist in the TFTP root folder on the Cisco IOS router

tftp-server flash:c2801-advipservicesk9-mz.151-3.T.bin

Load IOS from TFTP server over the network
• Removes all previous boot system statements from the configuration file
• Specifies that the client router load a system image from the server
• Specifies that the client router loads its own ROM image if the load from a server fails
• Sets the configuration register to enable the client router to load a system image from a network server

no boot system
! "boot system tftp" fetches the image from the server at 192.168.10.10 (the flash: form only boots local flash)
boot system tftp CiscoIOS.bin 192.168.10.10
boot system rom
config-register 0x010F

Solution/Services: Administration/System
Related: N/A
• Specify timezone (PST using -8) and enable Daylight Saving Time

clock timezone pst -8
clock summer-time pst recurring

Solution/Services: LAN Switching
Related: N/A

802.1Q
• Enables 802.1Q trunking (or VLAN tagging) on GE0/1

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Dynamic Trunk Protocol (DTP)
• Disable DTP and establish the interface as a trunk without negotiation

interface GigabitEthernet0/1
 switchport nonegotiate

Trunk Security
• Only allow VLAN tags 100 to 102 to be extended across GE0/1 with the connected device. All other VLAN access will be restricted

interface GigabitEthernet0/1
 switchport trunk allowed vlan 100-102

Native VLAN
• Configure a bit-bucket VLAN (VLAN999) and shut the VLAN down
• Configure the Native VLAN on interface GE0/1 to be VLAN999

vlan 999
 name bit-bucket
 shutdown
interface GigabitEthernet0/1
 switchport trunk native vlan 999

Tag Native VLAN
• Force all VLANs, including the Native VLAN, to be tagged

vlan dot1q tag native
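The three trunk-hardening steps above (no DTP negotiation, a restricted allowed-VLAN list, and an unused native VLAN) are easy to check mechanically. The following added Python audit, not part of the guide, parses interface blocks from IOS-style text and reports which of the three steps a trunk port is missing; the embedded config is a constructed sample with one hardened and one default trunk.

```python
# Constructed sample (not the guide's config): Gi0/1 follows all three hardening steps,
# Gi0/2 is a bare "switchport mode trunk" with IOS defaults.
SAMPLE_CONFIG = """\
vlan 999
 name bit-bucket
 shutdown
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 100-102
 switchport trunk native vlan 999
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} from IOS-style text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:                      # any other top-level command ends the block
            current = None
    return blocks

def audit_trunk(cmds):
    """Findings for one trunk port, one per missing hardening step (empty = hardened)."""
    findings = []
    if "switchport nonegotiate" not in cmds:
        findings.append("DTP not disabled")
    if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
        findings.append("all VLANs allowed")
    native = [c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")]
    if not native or native[0] == "1":   # IOS default native VLAN is 1
        findings.append("native VLAN is 1")
    return findings

def audit_config(config):
    """Map every interface configured as a trunk to its list of findings."""
    return {name: audit_trunk(cmds)
            for name, cmds in parse_interfaces(config).items()
            if "switchport mode trunk" in cmds}
```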

802.1Q Interfaces on Cisco Routers
• Configure 802.1Q trunking on a Cisco router for VLANs 10 and 11

interface GigabitEthernet0/0
 no ip address
 duplex full
 speed 100
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.11.1 255.255.255.0

Solution/Services: Media Connection
Related: N/A

Serial T-1 (i)
• Integrated CSU/DSU T1 module
• T1 using PPP encapsulation, 24 time-slots

interface Serial0/1
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 fair-queue
 service-module t1 clock source internal
 service-module t1 timeslots 1-24

Serial T-1 (ii)
• Integrated CSU/DSU T1 module
• T1/E1 module located in slot 0, WIC 0. Specify a T1 instead of an E1
• Define channel group ID "0" and the number of time-slots of the T1 circuit (up to 24)

card type t1 0 0
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
controller T1 0/0/0
 framing esf
 linecode b8zs
 clock source line primary
 channel-group 0 timeslots 1-24
interface Serial0/0/0:0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp

T1 using CAS
• T1 using CAS
• DS0 group #0 with time-slots 1-4
• Signaling: E&M

controller T1 1/0
 framing esf
 linecode b8zs
 ds0-group 0 timeslots 1-4 type e&m-wink-start

Solution/Services: Security
Related: N/A

Unicast Reverse Path Forwarding (uRPF)
• Helps defend against source-address spoofing: in this strict mode the router drops a packet unless its source address is reachable back through the interface the packet arrived on

interface GigabitEthernet1/1
 description Untrusted facing interface
 ip verify unicast reverse-path

Solution/Services: LAN Switching
Related: N/A

UDLD Aggressive
• Enables UDLD aggressive mode between connected switches on the interfaces (not globally)

>>SW1<<
interface GigabitEthernet0/1
 udld port aggressive

>>SW2<<
interface GigabitEthernet0/1
 udld port aggressive

Solution/Services: Cisco Catalyst 6500 Series
Related: QoS

User-Based Rate Limiting (UBRL)

• Rate limit each IP from subnet 192.168.10.0 to 10 Mbps with bursting up to 5 KB
• UBRL applied to the interface with that connected subnet
• Note: this does not rate limit traffic to a user, only traffic from a user

ip access-list extended ubrl-dept1-acl
 remark department1 - 10Mb connection
 permit ip 192.168.10.0 0.0.0.255 any
class-map match-any ubrl-dept1-class
 match access-group name ubrl-dept1-acl
policy-map ubrl-policy
 class ubrl-dept1-class
  police flow mask src-only 10000000 5000 conform-action transmit exceed-action drop
interface gigabitethernet3/1
 service-policy input ubrl-policy

User-Based Rate Limiting (UBRL) Bi-Directional
• Rate limit each IP to and from subnet 192.168.10.0 to 10 Mbps with bursting up to 5 KB
• UBRL policies applied to the interface with that connected subnet
• Note: this will rate limit traffic to and from a user

ip access-list extended ubrl-university-egress-acl
 remark department1 - 10Mb connection
 permit ip 192.168.10.0 0.0.0.255 any
class-map match-any ubrl-university-egress-class
 match access-group name ubrl-university-egress-acl
ip access-list extended ubrl-university-ingress-acl
 remark department1 - 10Mb connection
 permit ip any 192.168.10.0 0.0.0.255
class-map match-any ubrl-university-ingress-class
 match access-group name ubrl-university-ingress-acl
policy-map ubrl-policy
 ! rate 10000000 bps, burst 5000 bytes: the 10 Mbps / 5 KB policy stated above
 class ubrl-university-egress-class
  police flow mask src-only 10000000 5000 conform-action transmit exceed-action drop
 class ubrl-university-ingress-class
  police flow mask dst-only 10000000 5000 conform-action transmit exceed-action drop
interface gigabitethernet3/1
 service-policy input ubrl-policy

Solution/Services: LAN Switching
Related: VTP, Trunking (802.1Q), Spanning Tree

VLAN (L2)
• Add VLAN 100 to the switch and associate a name with the VLAN
• Put switch port FE0/10 into VLAN 100

vlan 100
 name ROUTEHUB-VLAN-USER1
interface FastEthernet 0/10
 switchport mode access
 switchport access vlan 100

• To view all VLANs configured (or learned via VTP) on the switch

show vlan

VLAN SVI (L3)
• Make the L2 VLAN routable with other networks and VLANs

interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown

Disable VLAN AutoState
• Disable the auto-state capability. This forces the VLAN1 interface to come up automatically without any switch port being assigned to VLAN1 and in a connected state

interface Vlan1
 no autostate

Support 4000+ VLANs
• Requirements: 802.1Q encapsulation for trunking
• Allows support of 4000+ VLANs when using 802.1Q

spanning-tree extend system-id

Private VLANs
• Community: hosts can communicate with other hosts in the same community, including the promiscuous router port
• Isolated: hosts can only communicate with the promiscuous router port
• The primary VLAN that will be used by all private VLANs will be VLAN 2000
• VLAN 2011 will be a Community Private VLAN (for Consulting Group)
• VLAN 2012 will be another Community Private VLAN (for Training Group)
• VLAN 2021 will be an Isolated Private VLAN (for Guest Users)
• On Core & Access Switches configure Private VLAN switch ports based on the network diagram (see below)
• Core: VLAN2000 (192.168.10.1) = interface that hosts in the two VLAN communities, including the hosts in the isolated VLAN, can use for communicating with each other. 192.168.10.1 would be the IP they would use for their default gateway
• Core: VLAN2000 (192.168.10.2) = interface that hosts in the two VLAN communities use for communicating with each other. 192.168.10.2 would be the IP they would use for their default gateway

>>ACCESS<<
vlan 2000
 private-vlan primary
vlan 2011
 private-vlan community
vlan 2012
 private-vlan community
vlan 2021
 private-vlan isolated
vlan 2000
 private-vlan association 2011,2012,2021

interface fastethernet0/1
 description Consulting Host1
 switchport private-vlan host-association 2000 2011
 switchport mode private-vlan host
interface fastethernet0/2
 description Training Host1
 switchport private-vlan host-association 2000 2012
 switchport mode private-vlan host
interface fastethernet0/3
 description Guest Host1
 switchport private-vlan host-association 2000 2021
 switchport mode private-vlan host
interface gigabitethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

>>CORE<<
interface fastethernet0/2
 description Consulting Host2
 switchport private-vlan host-association 2000 2011
 switchport mode private-vlan host
interface fastethernet0/3
 description Training Host2
 switchport private-vlan host-association 2000 2012
 switchport mode private-vlan host
interface fastethernet0/4
 description Guest Host2
 switchport private-vlan host-association 2000 2021
 switchport mode private-vlan host
interface gigabitethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface vlan2000
 ip address 192.168.10.1 255.255.255.0
 private-vlan mapping 2011,2012,2021
interface vlan2000
 ip address 192.168.10.2 255.255.255.0
 private-vlan mapping 2011,2012
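The community/isolated rules above decide which host ports can reach each other at Layer 2, and a misassigned port silently widens that reach. The following added Python model, not part of the guide, parses a private-VLAN configuration in the guide's format and answers "can port A talk to port B" from the VLAN types and port associations; the embedded sample is a constructed access-switch layout with an assumed promiscuous uplink on gigabitethernet0/24.

```python
# Constructed sample (not the guide's text): one community VLAN, one isolated VLAN,
# two host ports in each, plus an assumed promiscuous port toward the gateway.
SAMPLE_PVLAN = """\
vlan 2000
 private-vlan primary
vlan 2011
 private-vlan community
vlan 2021
 private-vlan isolated
vlan 2000
 private-vlan association 2011,2021
interface fastethernet0/1
 switchport private-vlan host-association 2000 2011
 switchport mode private-vlan host
interface fastethernet0/2
 switchport private-vlan host-association 2000 2011
 switchport mode private-vlan host
interface fastethernet0/3
 switchport private-vlan host-association 2000 2021
 switchport mode private-vlan host
interface fastethernet0/4
 switchport private-vlan host-association 2000 2021
 switchport mode private-vlan host
interface gigabitethernet0/24
 switchport private-vlan mapping 2000 2011,2021
 switchport mode private-vlan promiscuous
"""

def parse_pvlan(config):
    """Return ({secondary VLAN: 'community'|'isolated'}, {port: secondary VLAN or 'promiscuous'})."""
    types, ports, block = {}, {}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            block = line                       # "vlan 2011" / "interface fastethernet0/1"
        elif block.startswith("vlan ") and line in ("private-vlan community", "private-vlan isolated"):
            types[block.split()[1]] = line.split()[1]
        elif block.startswith("interface ") and line.startswith("switchport private-vlan host-association "):
            ports[block.split()[1]] = line.split()[-1]   # secondary VLAN of this host port
        elif block.startswith("interface ") and line == "switchport mode private-vlan promiscuous":
            ports[block.split()[1]] = "promiscuous"
    return types, ports

def can_talk(a, b, types, ports):
    """True if ports a and b can exchange frames inside the private VLAN: the promiscuous
    port reaches every host; otherwise both must sit in the same community VLAN."""
    if a == b or "promiscuous" in (ports[a], ports[b]):
        return True
    return ports[a] == ports[b] and types[ports[a]] == "community"
```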