IP Video Surveillance Design Guide
Network Diagram and Configuration Files
Download this chapter
Network Diagram and Configuration FilesNetwork Diagram and Configuration Files
Download the complete book
IP Video Surveillance Design GuideIP Video Surveillance Design Guide (PDF - 6 MB)

Table Of Contents

Network Diagram and Configuration Files

Router and Firewall Configurations

vpn-jk2-7206-1

vpn-jk2-7206-2

vpn-jk2-asa5510-1

vpn1-2851-1

vpn1-3845-1

vpn4-3800-6

3750-access


Network Diagram and Configuration Files

This chapter contains a topology diagram and the associated router, firewall, and switch configuration files for the devices in this sample implementation. See Figure 1.

Figure 1 Network Diagram


Router and Firewall Configurations

In this section the running configuration files from the routers shown in the previous topology diagram are included as reference.

vpn-jk2-7206-1

This configuration is for the upper WAN aggregation router shown in the topology diagram. 


!

! Last configuration change at 13:06:43 edt Tue Aug 4 2009

! NVRAM config last updated at 13:07:50 edt Tue Aug 4 2009

!

upgrade fpd auto

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname vpn-jk2-7206-1

!

boot-start-marker

boot system flash disk0:c7200-adventerprisek9-mz.124-15.T5

boot-end-marker

!

logging buffered 2000000

enable secret 5 [removed]

!

no aaa new-model

clock timezone est -5

clock summer-time edt recurring

ip wccp 61

ip wccp 62

ip cef

!

!

no ip dhcp use vrf connected

!

!

!

ip vrf IPVS

 rd 100:10

 route-target export 100:10

 route-target import 100:10

!

no ip domain lookup

ip domain name cisco.com

ip host rtp5-esevpn-ios-ca 10.81.0.27

ip multicast-routing 

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check none

!

!

crypto pki certificate chain rtp5-esevpn-ios-ca

 certificate 0D

  3082023A 308201A3 A0030201 0202010D 300D0609 2A864886 F70D0101 04050030 

  6B310C30 0A060355 04081303 204E4331 11300F06 03550407 13082052 616C6569 

  419A9E33 E84ABC15 FCCFB1CC EBC1AE94 F07752CC 22A803C7 99AE4097 BA2D

  	quit

 certificate ca 01

  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 

  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E

  	quit

archive

 log config

  hidekeys

! 

!

crypto isakmp policy 100

 encr 3des

 group 2

crypto isakmp keepalive 10

crypto isakmp nat keepalive 10

crypto isakmp profile IPVS_Branches_isakmp_profile

   description IPVS_Branches_isakmp_profile

   self-identity address

   ca trust-point rtp5-esevpn-ios-ca

   match identity host domain ese.cisco.com

crypto isakmp profile DMVPN_IKE_PROFILE

   description DMVPN Profile

   self-identity fqdn

   ca trust-point rtp5-esevpn-ios-ca

   match identity address 64.102.223.24 255.255.255.255 

   keepalive 10 retry 2

!

!

crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 

crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 

 mode transport

!

crypto ipsec profile DMVPN_IPSEC_PROFILE

 set transform-set 3DES_SHA_TRANSPORT 

 set isakmp-profile DMVPN_IKE_PROFILE

!

crypto ipsec profile IPVS_Branches_ipsec_profile

 description IPVS_Branches_ipsec_profile

 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 

 set isakmp-profile IPVS_Branches_isakmp_profile

!

!

controller ISA 5/1

!

!

class-map match-any LOW-LATENCY-DATA

 match ip dscp af21  af22  af23 

class-map match-any HIGH-THROUGHPUT-DATA

 match ip dscp af11  af12  af13 

class-map match-all BROADCAST-VIDEO

 match ip dscp cs5 

class-map match-all NETWORK-CONTROL

 match ip dscp cs6 

class-map match-any MULTIMEDIA-CONFERENCING

 match ip dscp af41  af42  af43 

class-map match-all OAM

 match ip dscp cs2 

class-map match-all VOICE

 match ip dscp ef 

class-map match-all SCAVENGER

 match ip dscp cs1 

class-map match-any CALL-SIGNALING

 match ip dscp cs3 

!

!

policy-map IPVS_BRANCH

 class BROADCAST-VIDEO

  bandwidth percent 40

 class VOICE

  priority percent 10

 class LOW-LATENCY-DATA

  bandwidth percent 4

 class HIGH-THROUGHPUT-DATA

  bandwidth percent 4

 class MULTIMEDIA-CONFERENCING

  bandwidth percent 4

 class SCAVENGER

  bandwidth percent 1

 class OAM

  bandwidth percent 1

 class NETWORK-CONTROL

  bandwidth percent 1

 class CALL-SIGNALING

  bandwidth percent 1

 class class-default

  fair-queue

policy-map 30M

 class class-default

  shape average 30000000

  service-policy IPVS_BRANCH

!

!

!

!

!

interface Loopback0

 description Loopback for Global RT

 ip address 192.168.15.40 255.255.255.255

!

interface Tunnel128

 description DMVPN tunnel/cloud to Branches 

 ip vrf forwarding IPVS

 ip address 192.168.15.129 255.255.255.192

 no ip redirects

 ip mtu 1400

 ip nhrp authentication FOO

 ip nhrp map multicast dynamic

 ip nhrp map multicast 192.168.15.40

 ip nhrp network-id 128

 ip nhrp nhs 192.168.15.129

 ip nhrp server-only

 ip route-cache flow

 no ip split-horizon eigrp 65

 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5

 tunnel source Loopback0

 tunnel mode gre multipoint

 tunnel key 128

 tunnel protection ipsec profile IPVS_Branches_ipsec_profile

!

interface Tunnel300

 description DMVPN Tunnel to Enterprise/Internet

 ip address 10.81.7.254 255.255.255.240

 ip mtu 1400

 ip pim sparse-mode

 ip nhrp authentication BAR

 ip nhrp map multicast dynamic

 ip nhrp map 10.81.7.241 64.102.223.24

 ip nhrp map multicast 64.102.223.24

 ip nhrp network-id 22341

 ip nhrp nhs 10.81.7.241

 ip route-cache flow

 load-interval 30

 tunnel source FastEthernet0/0

 tunnel destination 64.102.223.24

 tunnel key 300

 tunnel protection ipsec profile DMVPN_IPSEC_PROFILE

!

interface FastEthernet0/0

 description FLASH156

 ip address 172.26.157.3 255.255.254.0

 no ip proxy-arp

 load-interval 30

 duplex full

 speed 100

!

interface FastEthernet0/1

 no ip address

 ip flow ingress

 duplex auto

 speed auto

!

interface FastEthernet0/1.90

 description ASA DMZ Global

 encapsulation dot1Q 90

 ip address 10.81.7.161 255.255.255.248

 ip flow ingress

 standby 0 ip 10.81.7.166

 standby 0 preempt delay minimum 60

!

interface FastEthernet0/1.91

 description ASA DMZ vrf IPVS

 encapsulation dot1Q 91

 ip vrf forwarding IPVS

 ip address 192.168.15.97 255.255.255.248

 ip flow ingress

 standby 0 ip 192.168.15.102

 standby 0 preempt delay 

!

interface FastEthernet0/1.332

 description MAN/WAN to Site 130 (vpn1-2851-1)

 encapsulation dot1Q 332

 ip address 192.168.15.45 255.255.255.252

 ip flow ingress

 service-policy output 30M

!

interface FastEthernet0/1.340

 description MAN/WAN to Site 140 (vpn1-3845-1)

 encapsulation dot1Q 340

 ip address 192.168.15.13 255.255.255.252

 ip flow ingress

 service-policy output 30M

!

interface FastEthernet0/1.342

 description MAN/WAN to Site 140 (vpn1-3845-1)

 encapsulation dot1Q 342

 ip vrf forwarding IPVS

 ip address 192.168.15.77 255.255.255.252

 ip flow ingress

 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5

 service-policy output 30M

!

interface FastEthernet0/1.352

 description MAN/WAN to Site 150 (vpn4-3800-6)

 encapsulation dot1Q 352

 ip address 192.168.15.49 255.255.255.252

 ip flow ingress

!

router eigrp 64

 redistribute static metric 1000 100 255 1 1500 route-map ASA5510_VPN3080

 redistribute eigrp 65 metric 1000 100 255 1 1500 route-map Branch_Networks

 passive-interface FastEthernet0/1.90

 network 10.0.0.0

 no auto-summary

 eigrp stub connected redistributed

!

router eigrp 65

 redistribute eigrp 64 metric 1000 100 255 1 1500 route-map DEFAULT

 network 192.168.15.0 0.0.0.63

 no auto-summary

 !

 address-family ipv4 vrf IPVS

  redistribute static metric 1000 10 255 1 1500 route-map COMMAND_CENTER

  network 192.168.15.64 0.0.0.63

  network 192.168.15.128 0.0.0.63

  distribute-list route-map Branch_Net_vrf_IPVS_RT in

  no auto-summary

  autonomous-system 65

 exit-address-family

!

ip forward-protocol nd

ip route 10.81.0.27 255.255.255.255 172.26.156.1 name rtp5-esevpn-ios-ca

ip route 10.81.7.56 255.255.255.252 10.81.7.163 name ASA5510

ip route 10.81.254.0 255.255.255.0 172.26.156.1 name NTP_Servers

ip route 64.102.223.16 255.255.255.240 172.26.156.1 name cryptHE

ip route 172.26.0.0 255.255.0.0 172.26.156.1

ip route vrf IPVS 10.81.7.0 255.255.255.0 192.168.15.99 name ASA5510_PAT

ip route vrf IPVS 192.0.2.128 255.255.255.224 192.168.15.99 name ASA5510

ip route vrf IPVS 192.168.15.64 255.255.255.248 192.168.15.99 name VPN3080_pool

no ip http server

no ip http secure-server

!

ip flow-cache timeout inactive 30

ip flow-cache timeout active 1

ip flow-export version 5

!

!

ip access-list standard Branch_Net_vrf_IPVS_RT

 permit 192.0.2.0 0.0.0.255

ip access-list standard DEFAULT

 permit 0.0.0.0

!

ip prefix-list ALL_VMSS seq 5 permit 192.0.2.0/24

!

ip prefix-list ASA5510_VPN3080 seq 5 permit 10.81.7.56/30

!

ip prefix-list Branch_Net_vrf_IPVS_RT seq 132 permit 192.168.111.0/24

ip prefix-list Branch_Net_vrf_IPVS_RT seq 142 permit 192.168.11.0/24

ip prefix-list Branch_Net_vrf_IPVS_RT seq 152 permit 192.168.211.0/24

!

ip prefix-list Branch_Networks seq 130 permit 10.81.7.152/29

ip prefix-list Branch_Networks seq 131 permit 192.0.2.0/27

ip prefix-list Branch_Networks seq 132 permit 192.168.111.0/24

ip prefix-list Branch_Networks seq 140 permit 10.81.7.0/29

ip prefix-list Branch_Networks seq 141 permit 192.0.2.64/26

ip prefix-list Branch_Networks seq 142 permit 192.168.11.0/24

ip prefix-list Branch_Networks seq 150 permit 10.81.7.88/29

ip prefix-list Branch_Networks seq 151 permit 192.0.2.32/27

ip prefix-list Branch_Networks seq 152 permit 192.168.211.0/24

!

ip prefix-list COMMAND_CENTER seq 100 permit 192.0.2.128/25

ip prefix-list COMMAND_CENTER seq 101 permit 10.81.7.0/24

ip prefix-list COMMAND_CENTER seq 102 permit 192.168.15.64/29

!

ip prefix-list SITE_130 seq 5 permit 192.0.2.0/27

!

ip prefix-list SITE_140 seq 5 permit 192.0.2.64/26

ip sla responder

logging alarm informational

snmp-server enable traps tty

!

!

!

route-map Branch_Net_vrf_IPVS_RT permit 10

 match ip address prefix-list Branch_Net_vrf_IPVS_RT

 set tag 5011

!

route-map Branch_Net_vrf_IPVS_RT permit 20

 match ip address Branch_Net_vrf_IPVS_RT

 set tag 5011

!

route-map COMMAND_CENTER permit 10

 match ip address prefix-list COMMAND_CENTER

 set tag 2128

!

route-map Branch_Networks permit 10

 match ip address prefix-list Branch_Networks

 set tag 5010

!

route-map DEFAULT permit 10

 match ip address DEFAULT

!

route-map ASA5510_VPN3080 permit 10

 match ip address prefix-list ASA5510_VPN3080

!

!

!

!

control-plane

!

!

!

gatekeeper

 shutdown

!

banner exec 

=

==

===

==== This is the WAN/MAN router for IPVS branches

===

==

=


!

line con 0

 exec-timeout 0 0

 stopbits 1

line aux 0

 stopbits 1

line vty 0 4

 exec-timeout 0 0

 password 7 [removed]

 login

!

ntp master 12

ntp update-calendar

ntp server 10.81.254.202

ntp server 10.81.254.131

!

end

vpn-jk2-7206-2

This configuration is for the bottomWAN aggregation router shown in the topology diagram. 


!

! Last configuration change at 13:10:14 edt Tue Aug 4 2009

! NVRAM config last updated at 13:11:17 edt Tue Aug 4 2009

!

upgrade fpd auto

version 12.4

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname vpn-jk2-7206-2

!

boot-start-marker

boot system disk0:c7200-adventerprisek9-mz.124-15.T5

boot-end-marker

!

enable secret 5 [removed]

!

no aaa new-model

clock timezone est -5

clock summer-time edt recurring

ip cef

!

!

!

!

ip vrf IPVS

 rd 100:10

 route-target export 100:10

 route-target import 100:10

!

no ip domain lookup

ip domain name cisco.com

ip host rtp5-esevpn-ios-ca 10.81.0.27

ip multicast-routing 

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check none

!

!

crypto pki certificate chain rtp5-esevpn-ios-ca

 certificate 12

  3082023A 308201A3 A0030201 02020112 300D0609 2A864886 F70D0101 04050030 

  D2993DBF 32824A8C 420DC983 C5BF7E17 28D1406E 0D937B7D 152C6FB3 D581

  	quit

 certificate ca 01

  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 

  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E

  	quit

archive

 log config

  hidekeys

! 

!

crypto isakmp policy 100

 encr 3des

 group 2

crypto isakmp keepalive 10

crypto isakmp nat keepalive 10

crypto isakmp profile IPVS_Branches_isakmp_profile

   description IPVS_Branches_isakmp_profile

   self-identity address

   ca trust-point rtp5-esevpn-ios-ca

   match identity host domain ese.cisco.com

!

!

crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 

crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 

 mode transport

crypto ipsec transform-set AES_SHA_TUNNEL esp-aes esp-sha-hmac 

crypto ipsec transform-set AES_SHA_TRANSPORT esp-aes esp-sha-hmac 

 mode transport

!

crypto ipsec profile IPVS_Branches_ipsec_profile

 description IPVS_Branches_ipsec_profile

 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 

 set isakmp-profile IPVS_Branches_isakmp_profile

!

!

controller ISA 5/1

!

!

class-map match-any LOW-LATENCY-DATA

 match ip dscp af21  af22  af23 

class-map match-any HIGH-THROUGHPUT-DATA

 match ip dscp af11  af12  af13 

class-map match-all BROADCAST-VIDEO

 match ip dscp cs5 

class-map match-all NETWORK-CONTROL

 match ip dscp cs6 

class-map match-any MULTIMEDIA-CONFERENCING

 match ip dscp af41  af42  af43 

class-map match-all OAM

 match ip dscp cs2 

class-map match-all VOICE

 match ip dscp ef 

class-map match-all SCAVENGER

 match ip dscp cs1 

class-map match-any CALL-SIGNALING

 match ip dscp cs3 

!

!

policy-map IPVS_BRANCH

 class BROADCAST-VIDEO

  bandwidth percent 40

 class VOICE

  priority percent 10

 class LOW-LATENCY-DATA

  bandwidth percent 4

 class HIGH-THROUGHPUT-DATA

  bandwidth percent 4

 class MULTIMEDIA-CONFERENCING

  bandwidth percent 4

 class SCAVENGER

  bandwidth percent 1

 class OAM

  bandwidth percent 1

 class NETWORK-CONTROL

  bandwidth percent 1

 class CALL-SIGNALING

  bandwidth percent 1

 class class-default

  fair-queue

policy-map 30M

 class class-default

  shape average 30000000

  service-policy IPVS_BRANCH

!

!

interface Loopback0

 description Loopback for Global RT

 ip address 192.168.15.41 255.255.255.255

!

interface Tunnel192

 ip vrf forwarding IPVS

 ip address 192.168.15.193 255.255.255.192

 no ip redirects

 ip mtu 1400

 ip nhrp authentication FOO

 ip nhrp map multicast dynamic

 ip nhrp map multicast 192.168.15.41

 ip nhrp network-id 192

 ip nhrp nhs 192.168.15.193

 ip nhrp server-only

 ip route-cache flow

 no ip split-horizon eigrp 65

 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5

 tunnel source Loopback0

 tunnel mode gre multipoint

 tunnel key 192

 tunnel protection ipsec profile IPVS_Branches_ipsec_profile

!

interface FastEthernet0/0

 ip address 172.26.157.4 255.255.254.0

 no ip proxy-arp

 ip route-cache flow

 duplex full

 speed 100

!

interface FastEthernet0/1

 description MAN/WAN to Branches

 no ip address

 ip route-cache flow

 duplex full

 speed 100

!

interface FastEthernet0/1.90

 description ASA DMZ Global

 encapsulation dot1Q 90

 ip address 10.81.7.162 255.255.255.248

 ip flow ingress

 standby 0 ip 10.81.7.166

 standby 0 priority 90

 standby 0 preempt delay minimum 60

!

interface FastEthernet0/1.91

 description ASA DMZ vrf IPVS

 encapsulation dot1Q 91

 ip vrf forwarding IPVS

 ip address 192.168.15.98 255.255.255.248

 ip flow ingress

 standby 0 ip 192.168.15.102

 standby 0 priority 90

 standby 0 preempt delay minimum 60

!

!

interface FastEthernet0/1.331

 encapsulation dot1Q 331

 ip address 192.168.15.21 255.255.255.252

 service-policy output 30M

!

interface FastEthernet0/1.341

 encapsulation dot1Q 341

 ip address 192.168.15.25 255.255.255.252

 service-policy output 30M

!

interface FastEthernet0/1.343

 encapsulation dot1Q 343

 ip vrf forwarding IPVS

 ip address 192.168.15.89 255.255.255.252

 ip summary-address eigrp 65 192.0.2.0 255.255.255.0 5

 service-policy output 30M

!

interface FastEthernet0/1.351

 encapsulation dot1Q 351

 ip address 192.168.15.29 255.255.255.252

!

router eigrp 64

 redistribute eigrp 65 metric 1000 100 255 1 1500 route-map Branch_Networks

 passive-interface FastEthernet0/1.90

 network 10.0.0.0

 no auto-summary

 eigrp stub connected redistributed

!

router eigrp 65

 redistribute eigrp 64 metric 1000 100 255 1 1500 route-map DEFAULT

 network 192.168.15.0 0.0.0.63

 no auto-summary

 !

 address-family ipv4 vrf IPVS

  redistribute static metric 1000 10 255 1 1500 route-map COMMAND_CENTER

  offset-list 0 out 1000

  network 192.168.15.64 0.0.0.63

  network 192.168.15.192 0.0.0.63

  distribute-list route-map Branch_Net_vrf_IPVS_RT in

  no auto-summary

  autonomous-system 65

 exit-address-family

!

ip forward-protocol nd

ip route 10.81.0.27 255.255.255.255 172.26.156.1 name rtp5-esevpn-ios-ca

ip route 10.81.7.56 255.255.255.252 10.81.7.163 name ASA5510

ip route 10.81.254.0 255.255.255.0 172.26.156.1 name NTP_Servers

ip route 64.102.223.16 255.255.255.240 172.26.156.1 name cryptHE

ip route vrf IPVS 10.81.7.0 255.255.255.0 192.168.15.99 name ASA5510_PAT

ip route vrf IPVS 192.0.2.128 255.255.255.224 192.168.15.99 name ASA5510

ip route vrf IPVS 192.168.15.64 255.255.255.248 192.168.15.99 name VPN3080_pool

no ip http server

no ip http secure-server

!

!

!

ip access-list standard Branch_Net_vrf_IPVS_RT

 permit 192.0.2.0 0.0.0.255

ip access-list standard DEFAULT

 permit 0.0.0.0

!

!

!

ip prefix-list Branch_Net_vrf_IPVS_RT seq 132 permit 192.168.111.0/24

ip prefix-list Branch_Net_vrf_IPVS_RT seq 142 permit 192.168.11.0/24

ip prefix-list Branch_Net_vrf_IPVS_RT seq 152 permit 192.168.211.0/24

!

ip prefix-list Branch_Networks seq 130 permit 10.81.7.152/29

ip prefix-list Branch_Networks seq 131 permit 192.0.2.0/27

ip prefix-list Branch_Networks seq 132 permit 192.168.111.0/24

ip prefix-list Branch_Networks seq 140 permit 10.81.7.0/29

ip prefix-list Branch_Networks seq 141 permit 192.0.2.64/26

ip prefix-list Branch_Networks seq 142 permit 192.168.11.0/24

ip prefix-list Branch_Networks seq 150 permit 10.81.7.88/29

ip prefix-list Branch_Networks seq 151 permit 192.0.2.32/27

ip prefix-list Branch_Networks seq 152 permit 192.168.211.0/24

!

ip prefix-list COMMAND_CENTER seq 100 permit 192.0.2.128/25

ip prefix-list COMMAND_CENTER seq 101 permit 10.81.7.0/24

ip prefix-list COMMAND_CENTER seq 102 permit 192.168.15.64/29

logging alarm informational

!

!

!

route-map Branch_Net_vrf_IPVS_RT permit 10

 match ip address prefix-list Branch_Net_vrf_IPVS_RT

 set tag 5011

!

route-map Branch_Net_vrf_IPVS_RT permit 20

 match ip address Branch_Net_vrf_IPVS_RT

 set tag 5011

!

route-map COMMAND_CENTER permit 10

 match ip address prefix-list COMMAND_CENTER

 set tag 2128

!

route-map Branch_Networks permit 10

 match ip address prefix-list Branch_Networks

 set tag 5010

!

route-map DEFAULT permit 10

 match ip address DEFAULT

!

control-plane

!

!

!

gatekeeper

 shutdown

!

!

line con 0

 transport output all

 stopbits 1

line aux 0

 transport output all

 stopbits 1

line vty 0 4

 password 7 [removed]

 login

 transport input all

 transport output all

!

ntp clock-period 17179966

ntp master 12

ntp update-calendar

ntp server 10.81.254.202

ntp server 10.81.254.131

!

end

vpn-jk2-asa5510-1 

This configuration is for the firewall shown in the topology diagram



: Saved

: Written by enable_15 at 13:55:41.021 edt Tue Aug 4 2009

!

ASA Version 8.0(4) 

!

hostname vpn-jk2-asa5510-1

domain-name ese.cisco.com

enable password 2KFQnbNIdI.2KYOU encrypted

passwd [removed] encrypted

names

dns-guard

!

interface Ethernet0/0

 description Campus_IPVS VLAN 220

 speed 100

 duplex full

 nameif Campus_IPVS

 security-level 70

 ip address 192.0.2.129 255.255.255.224 

!

interface Ethernet0/1

 description DMZ_IPVS VLAN 91

 speed 100

 duplex full

 nameif DMZ_IPVS

 security-level 50

 ip address 192.168.15.99 255.255.255.248 

!

interface Ethernet0/2

 description DMZ_Global VLAN 90

 speed 100

 duplex full

 nameif DMZ_Global

 security-level 10

 ip address 10.81.7.163 255.255.255.248 

!

interface Ethernet0/3

 description DMZ for VPN3080

 speed 100

 duplex full

 nameif DMZ_VPN3080

 security-level 20

 ip address 10.81.7.58 255.255.255.252 

!

interface Management0/0

 description FlashNET

 speed 100

 duplex full

 nameif FlashNET

 security-level 0

 ip address 172.26.156.3 255.255.254.0 

!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone est -5

clock summer-time edt recurring

dns server-group DefaultDNS

 domain-name ese.cisco.com

access-list MANAGEMENT extended permit tcp 10.81.7.0 255.255.255.0 interface FlashNET 

access-list IPVS-CC extended permit udp any 192.0.2.128 255.255.255.224 eq syslog 

access-list IPVS-CC extended permit udp any host 192.0.2.139 eq snmptrap 

access-list IPVS-CC extended permit udp any host 192.0.2.139 eq 7777 

access-list IPVS-CC extended permit tcp 192.0.2.0 255.255.255.0 any eq www 

access-list INBOUND extended permit esp any host 10.81.7.57 

access-list INBOUND extended permit udp any host 10.81.7.57 eq isakmp 

access-list INBOUND extended permit udp any host 10.81.7.57 eq 4500 

access-list INBOUND extended permit icmp any host 10.81.7.57 

pager lines 24

logging enable

logging buffered debugging

logging asdm debugging

mtu Campus_IPVS 1500

mtu DMZ_IPVS 1500

mtu DMZ_Global 1500

mtu DMZ_VPN3080 1500

mtu FlashNET 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Campus_IPVS

icmp permit any DMZ_IPVS

icmp permit any DMZ_Global

icmp permit any DMZ_VPN3080

asdm image disk0:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (DMZ_Global) 1 interface

nat (Campus_IPVS) 1 192.0.2.128 255.255.255.224

static (DMZ_VPN3080,DMZ_Global) 192.168.15.56 192.168.15.56 netmask 255.255.255.252 

static (Campus_IPVS,DMZ_IPVS) 192.0.2.128 192.0.2.128 netmask 255.255.255.224 

static (Campus_IPVS,DMZ_IPVS) 192.168.15.64 192.168.15.64 netmask 255.255.255.248 

access-group IPVS-CC in interface DMZ_IPVS

access-group INBOUND in interface DMZ_Global

access-group MANAGEMENT in interface FlashNET control-plane

route DMZ_Global 0.0.0.0 0.0.0.0 10.81.7.166 1

route FlashNET 172.16.0.0 255.240.0.0 172.26.156.1 1

route DMZ_IPVS 192.0.2.0 255.255.255.0 192.168.15.102 1

route DMZ_IPVS 192.168.11.0 255.255.255.0 192.168.15.102 1

route Campus_IPVS 192.168.15.64 255.255.255.248 192.0.2.136 1

route DMZ_IPVS 192.168.111.0 255.255.255.0 192.168.15.102 1

route DMZ_IPVS 192.168.211.0 255.255.255.0 192.168.15.102 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.26.156.0 255.255.254.0 FlashNET

http 10.81.7.0 255.255.255.0 FlashNET

snmp-server location ESE Lab

snmp-server contact joel.king@cisco.com

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.81.7.176 255.255.255.248 FlashNET

telnet 172.26.156.0 255.255.254.0 FlashNET

telnet timeout 60

ssh 10.81.7.0 255.255.255.0 FlashNET

ssh 172.26.156.0 255.255.254.0 FlashNET

ssh timeout 60

console timeout 0

dhcpd dns 64.102.6.247

dhcpd wins 64.102.6.247

dhcpd lease 28880

dhcpd domain ese.cisco.com

dhcpd option 3 ip 192.0.2.129

!

dhcpd address 192.0.2.140-192.0.2.150 Campus_IPVS

dhcpd enable Campus_IPVS

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.81.7.162

ntp server 10.81.7.161

ssl encryption rc4-sha1

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns migrated_dns_map_1 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect netbios 

  inspect rsh 

  inspect rtsp 

  inspect skinny  

  inspect esmtp 

  inspect sqlnet 

  inspect sunrpc 

  inspect tftp 

  inspect sip  

  inspect xdmcp 

!

service-policy global_policy global

prompt hostname context 

Cryptochecksum:3d4d4e2f06d5a11ff2dd5d5643e862f5

: end

vpn1-2851-1 

This configuration is for the branch 2851 model router shown in the topology diagram


!

! Last configuration change at 13:26:29 edt Tue Aug 4 2009

! NVRAM config last updated at 13:27:56 edt Tue Aug 4 2009

!

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname vpn1-2851-1

!

boot-start-marker

boot-end-marker

!

logging buffered 8192

enable secret 5 [removed]

!

no aaa new-model

clock timezone est -5

clock summer-time edt recurring

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check none

 source interface Vlan1

!

!

crypto pki certificate chain rtp5-esevpn-ios-ca

 certificate 0F

  3082023B 308201A4 A0030201 0202010F 300D0609 2A864886 F70D0101 04050030 

  32C8325C 8DF24E4B D16823BA AF45A2F8 A6AA3C9C 8E33E400 CBAE2184 09F267

  	quit

 certificate ca 01

  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030  

  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E

  	quit

dot11 syslog

!

!

ip cef

ip dhcp use vrf connected

ip dhcp excluded-address 192.168.111.1 192.168.111.149

ip dhcp excluded-address 192.0.2.17 192.0.2.19

!

ip dhcp pool CAMERAS

   vrf IPVS

   network 192.0.2.16 255.255.255.240

   default-router 192.0.2.17 

   dns-server 64.102.6.247 171.68.226.120 

   domain-name cisco.com

!

ip dhcp pool iSCSI-temp

   network 192.168.111.0 255.255.255.0

   default-router 192.168.111.1 

   domain-name cisco.com

!

!

ip vrf IPVS

 rd 100:10

 route-target export 100:10

 route-target import 100:10

!

no ip domain lookup

ip host harry 172.26.129.252

ip host rtp5-esevpn-ios-ca 10.81.0.27

ip multicast-routing 

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

voice-card 0

 no dspfarm

!

!

username joeking privilege 15 secret 5 [removed]

! 

!

crypto isakmp policy 120

 encr 3des

 group 2

crypto isakmp keepalive 10

crypto isakmp nat keepalive 10

crypto isakmp profile IPVS_Branches_isakmp_profile

   self-identity fqdn

   ca trust-point rtp5-esevpn-ios-ca

   match identity address 192.168.15.40 255.255.255.255 

   keepalive 10 retry 2

crypto isakmp profile IPVS_Branches_isakmp_profile_2

   self-identity fqdn

   ca trust-point rtp5-esevpn-ios-ca

   match identity address 192.168.15.41 255.255.255.255 

   keepalive 10 retry 2

!

!

crypto ipsec transform-set AES_SHA_TUNNEL esp-aes esp-sha-hmac 

crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 

crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 

 mode transport

crypto ipsec transform-set AES_SHA_TRANSPORT esp-aes esp-sha-hmac 

 mode transport

!

crypto ipsec profile IPVS_Branches_ipsec_profile

 description IPVS_Branches_ipsec_profile

 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 

 set isakmp-profile IPVS_Branches_isakmp_profile

!

crypto ipsec profile IPVS_Branches_ipsec_profile_2

 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 

 set isakmp-profile IPVS_Branches_isakmp_profile_2

!

!

archive

 log config

  hidekeys

!

!

ip finger

!

class-map match-any GOLD

 match ip dscp cs2  cs3  cs6  cs7 

 match ip dscp af41  af42  af43 

 match ip dscp af31  af32  af33 

class-map match-all TELEPRESENCE

 match ip dscp cs4 

class-map match-any LOW-LATENCY-DATA

 match ip dscp af21  af22  af23 

class-map match-any BRONZE

 match ip dscp af11  af12  af13 

 match ip dscp cs1 

class-map match-any HIGH-THROUGHPUT-DATA

 match ip dscp af11  af12  af13 

class-map match-any VMSS

 match access-group name HTTP

class-map match-all BROADCAST-VIDEO

 match ip dscp cs5 

class-map match-all NETWORK-CONTROL

 match ip dscp cs6 

class-map match-any MULTIMEDIA-CONFERENCING

 match ip dscp af41  af42  af43 

class-map match-all OAM

 match ip dscp cs2 

class-map match-all FOO

class-map match-any REAL_TIME

 match ip dscp cs5 

 match ip dscp cs4 

 match ip dscp ef 

class-map match-all VOICE

 match ip dscp ef 

class-map match-all SCAVENGER

 match ip dscp cs1 

class-map match-any CALL-SIGNALING

 match ip dscp cs3 

class-map match-any MULTIMEDIA-STREAMING

 match ip dscp af31  af32  af33 

!

!

policy-map IPVS_BRANCH

 class BROADCAST-VIDEO

  bandwidth percent 40

 class VOICE

  priority percent 10

 class LOW-LATENCY-DATA

  bandwidth percent 4

 class HIGH-THROUGHPUT-DATA

  bandwidth percent 4

 class MULTIMEDIA-CONFERENCING

  bandwidth percent 4

 class SCAVENGER

  bandwidth percent 1

 class OAM

  bandwidth percent 1

 class NETWORK-CONTROL

  bandwidth percent 1

 class CALL-SIGNALING

  bandwidth percent 1

 class class-default

  fair-queue

policy-map UPLINK_50M

 class class-default

  shape average 50000000

  service-policy IPVS_BRANCH

policy-map INGRESS_VMSS

 class VMSS

  set ip dscp cs5

 class class-default

  set ip dscp cs3

policy-map PER_CLASS_SHAPING

 class REAL_TIME

  set cos 5

    police 40000000 conform-action transmit  exceed-action transmit 

 class GOLD

  shape average 2500000

  set cos 6

 class BRONZE

  shape average 2500000

  set cos 1

 class class-default

  set cos 0

  shape average 5000000

policy-map 30M

 class class-default

  shape average 30000000

  service-policy IPVS_BRANCH

!

!

interface Tunnel128

 ip vrf forwarding IPVS

 ip address 192.168.15.130 255.255.255.192

 ip mtu 1400

 ip nhrp authentication FOO

 ip nhrp map 192.168.15.129 192.168.15.40

 ip nhrp map multicast 192.168.15.40

 ip nhrp network-id 128

 ip nhrp nhs 192.168.15.129

 ip summary-address eigrp 65 192.0.2.0 255.255.255.224 5

 tunnel source GigabitEthernet0/1.332

 tunnel destination 192.168.15.40

 tunnel key 128

 tunnel protection ipsec profile IPVS_Branches_ipsec_profile

!

interface Tunnel192

 ip vrf forwarding IPVS

 ip address 192.168.15.194 255.255.255.192

 ip mtu 1400

 ip nhrp authentication FOO

 ip nhrp map multicast 192.168.15.41

 ip nhrp map 192.168.15.193 192.168.15.41

 ip nhrp network-id 192

 ip nhrp nhs 192.168.15.193

 ip summary-address eigrp 65 192.0.2.0 255.255.255.224 5

 tunnel source GigabitEthernet0/1.331

 tunnel destination 192.168.15.41

 tunnel key 192

 tunnel protection ipsec profile IPVS_Branches_ipsec_profile_2

!

interface GigabitEthernet0/0

 description Inside

 no ip address

 ip flow ingress

 load-interval 30

 duplex auto

 speed auto

!

interface GigabitEthernet0/0.204

 description Inside

 encapsulation dot1Q 204

 ip address 10.81.7.153 255.255.255.248

 ip flow ingress

!

interface GigabitEthernet0/0.206

 description VLAN 206 for IP Cameras

 encapsulation dot1Q 206

 ip vrf forwarding IPVS

 ip address 192.0.2.17 255.255.255.240

 ip flow ingress

!

interface GigabitEthernet0/1

 description Outside

 no ip address

 load-interval 30

 duplex auto

 speed auto

!

interface GigabitEthernet0/1.130

 description To vpn-jk3-2651xm-4 Primary WAN

 bandwidth 30000

 encapsulation dot1Q 130

 ip address dhcp

!

interface GigabitEthernet0/1.254

 description iSCSI Management Subnet

 encapsulation dot1Q 254

 ip vrf forwarding IPVS

 ip address 192.168.111.1 255.255.255.0

!

interface GigabitEthernet0/1.331

 encapsulation dot1Q 331

 ip address 192.168.15.22 255.255.255.252

 service-policy output 30M

!

interface GigabitEthernet0/1.332

 encapsulation dot1Q 332

 ip address 192.168.15.46 255.255.255.252

 service-policy output PER_CLASS_SHAPING

!

interface FastEthernet0/3/0

 duplex full

 speed 100

!

interface FastEthernet0/3/1

!

interface FastEthernet0/3/2

!

interface FastEthernet0/3/3

!

interface Integrated-Service-Engine1/0

 ip vrf forwarding IPVS

 ip address 192.0.2.1 255.255.255.252

 ip flow ingress

 load-interval 30

 service-module external ip address 192.168.111.2 255.255.255.0

 service-module ip address 192.0.2.2 255.255.255.252

 service-module ip default-gateway 192.0.2.1

 no keepalive

 service-policy input INGRESS_VMSS

!

interface Video-Service-Engine2/0

 ip vrf forwarding IPVS

 ip address 192.0.2.5 255.255.255.252

 ip flow ingress

 service-module ip address 192.0.2.6 255.255.255.252

 service-module ip default-gateway 192.0.2.5

 no keepalive

!

interface Vlan1

 description Flashnet

 ip address 172.26.156.51 255.255.254.0

 no ip proxy-arp

!

router eigrp 65

 network 10.81.7.152 0.0.0.7

 network 192.168.15.0 0.0.0.63

 no auto-summary

 !

 address-family ipv4 vrf IPVS

  network 192.0.2.0 0.0.0.31

  network 192.168.15.128 0.0.0.63

  network 192.168.15.192 0.0.0.63

  network 192.168.111.0

  no auto-summary

  autonomous-system 65

 exit-address-family

!

ip forward-protocol nd

ip route 10.81.0.27 255.255.255.255 172.26.156.1 name rtp5-esevpn-ios-ca

ip route 172.26.0.0 255.255.0.0 172.26.156.1 name Miles

ip route 192.168.15.40 255.255.255.255 192.168.15.45 name vpn-jk2-7206-1_Loopback_0

ip route 192.168.15.41 255.255.255.255 192.168.15.21 name vpn-jk2-7206-2_Loopback_0

ip route 64.102.223.16 255.255.255.240 dhcp

ip route 192.5.41.40 255.255.255.254 dhcp

!

ip flow-cache timeout active 1

ip flow-export version 5

ip flow-export destination 172.26.157.11 7777

!

ip http server

ip http secure-server

no ip pim dm-fallback

ip pim autorp listener

!

ip access-list extended HTTP

 permit tcp host 192.0.2.2 eq www any

ip access-list extended VSOM

 permit tcp host 192.0.2.2 eq www 192.168.16.0 0.0.15.255

 permit tcp host 192.0.2.2 eq 443 192.168.16.0 0.0.15.255

!

!

ip prefix-list CAMPUS seq 5 permit 192.168.16.0/20

ip sla responder

ip sla 219

 icmp-echo 192.0.2.19

 tos 192

 threshold 50

 vrf IPVS

 owner networkmgr

 tag ipvs - design guide

 frequency 64

 history lives-kept 1

 history buckets-kept 60

 history filter failures

ip sla schedule 219 life forever start-time now

logging 172.26.157.11

snmp-server enable traps tty

!

!

control-plane

!

!

banner exec 


  C i s c o S y s t e m s

     ||               ||

     ||               ||       Cisco Systems, Inc.

    ||||             ||||      IT-Transport

 .:|||||||:.......:|||||||:..

  US, Asia & Americas support:    + 1 408 526 8888

 EMEA support:                   + 31 020 342 3888

  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.

 You must have explicit permission to access or configure this

 device. All activities performed on this device are logged and

 violations of this policy may result in disciplinary action.

Questions regarding this device should be directed to

xxxxxxx


banner motd 

=

==

=== Site 130   === vpn1-2851-1

==

=


alias exec analog service-module Video-Service-Engine2/0 session

!

line con 0

 exec-timeout 0 0

line aux 0

line 66

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line 130

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

 exec-timeout 0 0

 password 7 [removed]

 login local

!

scheduler allocate 20000 1000

ntp clock-period 17180366

ntp source GigabitEthernet0/0.206

ntp master 12

ntp server 192.168.4.1 source GigabitEthernet0/1.130

ntp server 10.81.254.202 source GigabitEthernet0/0.204

ntp server 10.81.254.131 source GigabitEthernet0/0.204

!

end

vpn1-3845-1 

This configuration is for the branch 3845 model router shown in the topology diagram




!

! Last configuration change at 13:21:52 edt Tue Aug 4 2009

! NVRAM config last updated at 13:23:50 edt Tue Aug 4 2009

!

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname vpn1-3845-1

!

boot-start-marker

boot system flash flash:c3845-adventerprisek9-mz.124-15.T5

boot system flash flash:c3845-adventerprisek9-mz.124-22.T

boot-end-marker

!

logging buffered 2000000

enable secret 5 [removed]

!

no aaa new-model

clock timezone est -5

clock summer-time edt recurring

dot11 syslog

ip wccp 61

ip wccp 62

ip cef

!

!

ip dhcp use vrf connected

ip dhcp excluded-address 192.0.2.97 192.0.2.102

!

ip dhcp pool ENTERPRISE

   network 10.81.7.0 255.255.255.248

   default-router 10.81.7.1 

   dns-server 64.102.6.247 171.68.226.120 

   domain-name ese.cisco.com

   netbios-name-server 171.68.235.228 171.68.235.229 

!

ip dhcp pool CAMERAS

   vrf IPVS

   network 192.0.2.96 255.255.255.224

   default-router 192.0.2.97 

   dns-server 64.102.6.247 171.68.226.120 

   domain-name ese.cisco.com

!

!

ip vrf IPVS

 rd 100:10

 route-target export 100:10

 route-target import 100:10

!

no ip domain lookup

ip domain name ese.cisco.com

ip host rtp5-esevpn-ios-ca 10.81.0.27

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip dhcp-client default-router distance 239

!

multilink bundle-name authenticated

!

voice-card 0

 no dspfarm

!

!

!

key chain PURPLE

 key 10

   key-string 7 00[removed]00

!

!

!

oer master

 policy-rules LOSS

 shutdown

 logging

 !

 border 192.168.0.1 key-chain PURPLE

  interface GigabitEthernet0/1.250 internal

  interface GigabitEthernet0/1.210 internal

  interface GigabitEthernet0/1.294 external

  interface GigabitEthernet0/1.293 external

  interface Integrated-Service-Engine3/0 internal

 !

 learn

  throughput

  delay

  periodic-interval 0

  monitor-period 1

  expire after time 30

  aggregation-type prefix-length 29

 no max range receive

 delay threshold 80

 mode route control

 mode select-exit best

!

oer border

 local Loopback0

 master 192.168.0.1 key-chain PURPLE

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check none

 source interface Vlan1

!

!

crypto pki certificate chain rtp5-esevpn-ios-ca

 certificate 0E

  3082023B 308201A4 A0030201 0202010E 300D0609 2A864886 F70D0101 04050030 

  DE5E201F F1A6CB47 D57C7260 70BE64AD 78656E15 A2EB7E43 9D969FB5 C4233B

  	quit

 certificate ca 01

  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 

  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E

  	quit

!

!

username joeking privilege 15 secret 5 [removed]

archive

 log config

  hidekeys

! 

!

crypto isakmp policy 100

 encr 3des

 group 2

crypto isakmp keepalive 10

crypto isakmp nat keepalive 10

crypto isakmp profile DMVPN_IKE_PROFILE

   description DMVPN Profile

   self-identity fqdn

   ca trust-point rtp5-esevpn-ios-ca

   match identity address 64.102.223.24 255.255.255.255 

   keepalive 10 retry 2

crypto isakmp profile DMVPN_IKE_PROFILE_2

   description DMVPN Profile

   self-identity fqdn

   ca trust-point rtp5-esevpn-ios-ca

   match identity address 64.102.223.25 255.255.255.255 

   keepalive 10 retry 2

!

!

crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 

crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 

 mode transport

!

crypto ipsec profile DMVPN_IPSEC_PROFILE

 set transform-set 3DES_SHA_TRANSPORT 

 set isakmp-profile DMVPN_IKE_PROFILE

!

crypto ipsec profile DMVPN_IPSEC_PROFILE_2

 set transform-set 3DES_SHA_TRANSPORT 

 set isakmp-profile DMVPN_IKE_PROFILE_2

!

ip finger

!

class-map match-any LOW-LATENCY-DATA

 match ip dscp af21  af22  af23 

class-map match-any HIGH-THROUGHPUT-DATA

 match ip dscp af11  af12  af13 

class-map match-all BROADCAST-VIDEO

 match ip dscp cs5 

class-map match-all NETWORK-CONTROL

 match ip dscp cs6 

class-map match-any MULTIMEDIA-CONFERENCING

 match ip dscp af41  af42  af43 

class-map match-all OAM

 match ip dscp cs2 

class-map match-all VOICE

 match ip dscp ef 

class-map match-all SCAVENGER

 match ip dscp cs1 

class-map match-any CALL-SIGNALING

 match ip dscp cs3 

!

!

policy-map DATA

 class class-default

  fair-queue

  random-detect

policy-map IPVS_BRANCH

 class BROADCAST-VIDEO

  bandwidth percent 40

 class VOICE

  priority percent 10

 class LOW-LATENCY-DATA

  bandwidth percent 4

 class HIGH-THROUGHPUT-DATA

  bandwidth percent 4

 class MULTIMEDIA-CONFERENCING

  bandwidth percent 4

 class SCAVENGER

  bandwidth percent 1

 class OAM

  bandwidth percent 1

 class NETWORK-CONTROL

  bandwidth percent 1

 class CALL-SIGNALING

  bandwidth percent 1

 class class-default

  fair-queue

policy-map 30M

 class class-default

  shape average 30000000

  service-policy IPVS_BRANCH

!

policy-map 2M

 class class-default

  shape average 2000000

  service-policy DATA

!

!

interface Loopback0

 description for OER peering

 ip address 192.168.0.1 255.255.255.255

!

interface GigabitEthernet0/0

 no ip address

 shutdown

 duplex full

 speed 100

 media-type rj45

!

interface GigabitEthernet0/1

 description Trunk

 no ip address

 ip route-cache flow

 load-interval 30

 duplex auto

 speed auto

 media-type rj45

!

interface GigabitEthernet0/1.140

 description WAN

 encapsulation dot1Q 140

 ip address dhcp

!

interface GigabitEthernet0/1.210

 description IP Camera VLAN

 encapsulation dot1Q 210

 ip vrf forwarding IPVS

 ip address 192.0.2.97 255.255.255.224

!

interface GigabitEthernet0/1.250

 description INSIDE VLAN

 encapsulation dot1Q 250

 ip address 10.81.7.1 255.255.255.248

!

interface GigabitEthernet0/1.256

 description management interface for iSCSI

 encapsulation dot1Q 256

 ip vrf forwarding IPVS

 ip address 192.168.11.1 255.255.255.0

!

interface GigabitEthernet0/1.293

 description To vpn-jk2-7206-1 for PfR

 encapsulation dot1Q 293

 ip address 192.168.15.6 255.255.255.252

 shutdown

!

interface GigabitEthernet0/1.294

 description To vpn-jk2-7206-1 for PfR

 encapsulation dot1Q 294

 ip address 192.168.15.2 255.255.255.252

 shutdown

!

interface GigabitEthernet0/1.340

 encapsulation dot1Q 340

 ip address 192.168.15.14 255.255.255.252

 service-policy output 2M

!

interface GigabitEthernet0/1.341

 encapsulation dot1Q 341

 ip address 192.168.15.26 255.255.255.252

 service-policy output 2M

!

interface GigabitEthernet0/1.342

 encapsulation dot1Q 342

 ip vrf forwarding IPVS

 ip address 192.168.15.78 255.255.255.252

 ip summary-address eigrp 65 192.0.2.64 255.255.255.192 5

 service-policy output 30M

!

interface GigabitEthernet0/1.343

 encapsulation dot1Q 343

 ip vrf forwarding IPVS

 ip address 192.168.15.90 255.255.255.252

 ip summary-address eigrp 65 192.0.2.64 255.255.255.192 5

 service-policy output 30M

!

interface FastEthernet1/0

 description connection to Flashnet

 duplex full

 speed 100

!

interface FastEthernet1/1

!

interface FastEthernet1/2

!

interface FastEthernet1/3

!

interface FastEthernet1/4

!

interface FastEthernet1/5

!

interface FastEthernet1/6

!

interface FastEthernet1/7

!

interface FastEthernet1/8

!

interface FastEthernet1/9

!

interface FastEthernet1/10

!

interface FastEthernet1/11

!

interface FastEthernet1/12

!

interface FastEthernet1/13

!

interface FastEthernet1/14

!

interface FastEthernet1/15

!

interface GigabitEthernet1/0

 shutdown

!

interface Integrated-Service-Engine2/0

 description NME-WAE-522-K9

 ip address 192.0.2.69 255.255.255.252

 ip wccp redirect exclude in

 service-module ip address 192.0.2.70 255.255.255.252

 service-module ip default-gateway 192.0.2.69

 no keepalive

!

interface Integrated-Service-Engine3/0

 description NME-VMSS-HP32 ip wccp 61 red in 62 red out

 ip vrf forwarding IPVS

 ip address 192.0.2.64 255.255.255.254

 ip nbar protocol-discovery

 ip flow ingress

 ip route-cache flow

 load-interval 30

 service-module external ip address 192.168.11.2 255.255.255.0

 service-module ip address 192.0.2.65 255.255.255.254

 service-module ip default-gateway 192.0.2.64

 no keepalive

!

interface Vlan1

 ip address 172.26.156.53 255.255.254.0

 no ip proxy-arp

!

router eigrp 65

 network 10.81.7.0 0.0.0.7

 network 192.168.15.0 0.0.0.63

 no auto-summary

 !

 address-family ipv4 vrf IPVS

  network 192.0.2.64 0.0.0.63

  network 192.168.11.0

  network 192.168.15.64 0.0.0.63

  no auto-summary

  autonomous-system 65

 exit-address-family

!

ip forward-protocol nd

ip route 192.168.16.0 255.255.240.0 192.168.15.1 230 name OER_Parent

ip route 192.168.16.0 255.255.240.0 192.168.15.5 230 name OER_Parent

ip route 192.168.32.0 255.255.224.0 192.168.15.1 230 name OER_Parent

ip route 192.168.32.0 255.255.224.0 192.168.15.5 230 name OER_Parent

ip route 64.102.223.16 255.255.255.240 dhcp

!

ip flow-cache timeout active 1

ip flow-export source Integrated-Service-Engine3/0

ip flow-export version 5

ip flow-export destination 172.26.157.11 7777

!

no ip http server

no ip http secure-server

!

!

ip prefix-list CAMPUS seq 5 permit 192.168.16.0/20

ip sla responder

ip sla 293

 udp-jitter 192.168.15.5 14216 source-ip 192.168.15.6 codec g729a codec-numpackets 50

 tos 184

 timeout 500

 owner joeking

 tag VERIFICATION for Vlan 293

ip sla schedule 293 life forever start-time now

ip sla 294

 udp-jitter 192.168.15.1 14214 source-ip 192.168.15.2 codec g729a codec-numpackets 50

 tos 184

 timeout 500

 owner joeking

 tag VERIFICATION for Vlan 294

ip sla schedule 294 life forever start-time now

snmp-server enable traps tty

!

!

!

oer-map LOSS 10

 match traffic-class prefix-list CAMPUS

 set mode select-exit best

 set mode route control

 set mode monitor fast

 set resolve loss priority 1 variance 10

 set resolve delay priority 2 variance 10

 set loss relative 100

 set active-probe jitter 192.168.16.1 target-port 32014 codec g729a

 set probe frequency 10

!

control-plane

!

!

!

line con 0

 exec-timeout 120 0

line aux 0

line 130

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line 194

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

 login local

!

scheduler allocate 20000 1000

ntp clock-period 17180273

ntp source Integrated-Service-Engine3/0

ntp master 12

ntp server 10.81.254.202 source Vlan1

ntp server 10.81.254.131 source Vlan1

!

end

vpn4-3800-6 

This configuration is for the branch 3825 model router shown in the topology diagram


! ================= vpn4-3800-6  ==================================

!

! Last configuration change at 13:33:32 edt Tue Aug 4 2009

! NVRAM config last updated at 13:35:16 edt Tue Aug 4 2009

!

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname vpn4-3800-6

!

boot-start-marker

boot-end-marker

!

enable secret 5 [removed]

!

no aaa new-model

clock timezone est -5

clock summer-time edt recurring

dot11 syslog

ip cef

!

!

ip dhcp use vrf connected

ip dhcp excluded-address 192.168.211.1 192.168.211.149

ip dhcp excluded-address 192.0.2.52

!

ip dhcp pool cameras

   vrf IPVS

   network 192.0.2.48 255.255.255.240

   default-router 192.0.2.49 

   domain-name ese.cisco.com

   dns-server 64.102.6.247 171.68.226.120 

!

ip dhcp pool iSCSI-temp

   network 192.168.211.0 255.255.255.0

   default-router 192.168.211.1 

   domain-name cisco.com

!

!

ip vrf IPVS

 rd 100:10

 route-target export 100:10

 route-target import 100:10

!

ip host rtp5-esevpn-ios-ca 10.81.0.27

ip host harry 172.26.129.252

ip multicast-routing 

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

voice-card 0

 no dspfarm

!

!

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check none

!

!

crypto pki certificate chain rtp5-esevpn-ios-ca

 certificate 13

  3082023B 308201A4 A0030201 02020113 300D0609 2A864886 F70D0101 04050030 

  6C240A83 ADF2674E D83B7BEF 59A04BC8 A0474C0C 492CAD79 2713CCFA 1783F4

  	quit

 certificate ca 01

  308202AF 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 

  A9C7FB7B F68000AE 7C8FABF5 24279B82 8A394A91 4DF83555 D2C9D52E 84779C37 

  47DC2CE3 BC3F5F40 32409535 C9E0E6C0 F29D4E

  	quit

!

!

username joeking privilege 15 secret 5 vpn4-3800-6

username test password 7 vpn4-3800-6

archive

 log config

  hidekeys

! 

!

crypto isakmp policy 100

 encr 3des

 group 2

crypto isakmp keepalive 10

crypto isakmp nat keepalive 10

crypto isakmp profile IPVS_Branches_isakmp_profile

   self-identity fqdn

   ca trust-point rtp5-esevpn-ios-ca

   match identity address 192.168.15.40 255.255.255.255 

   keepalive 10 retry 2

crypto isakmp profile IPVS_Branches_isakmp_profile_2

   self-identity fqdn

   ca trust-point rtp5-esevpn-ios-ca

   match identity address 192.168.15.41 255.255.255.255 

   keepalive 10 retry 2

!

!

crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 

crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 

 mode transport

crypto ipsec transform-set AES_SHA_TUNNEL esp-aes esp-sha-hmac 

crypto ipsec transform-set AES_SHA_TRANSPORT esp-aes esp-sha-hmac 

 mode transport

!

crypto ipsec profile IPVS_Branches_ipsec_profile

 description IPVS_Branches_ipsec_profile

 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 

 set isakmp-profile IPVS_Branches_isakmp_profile

!

crypto ipsec profile IPVS_Branches_ipsec_profile_2

 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 

 set isakmp-profile IPVS_Branches_isakmp_profile_2

!

!

!

!

ip finger

!

class-map match-any LOW-LATENCY-DATA

 match ip dscp af21  af22  af23 

class-map match-any HIGH-THROUGHPUT-DATA

 match ip dscp af11  af12  af13 

class-map match-all BROADCAST-VIDEO

 match ip dscp cs5 

class-map match-all NETWORK-CONTROL

 match ip dscp cs6 

class-map match-any MULTIMEDIA-CONFERENCING

 match ip dscp af41  af42  af43 

class-map match-all OAM

 match ip dscp cs2 

class-map match-all VOICE

 match ip dscp ef 

class-map match-all SCAVENGER

 match ip dscp cs1 

class-map match-any CALL-SIGNALING

 match ip dscp cs3 

!

!

policy-map IPVS_BRANCH

 class BROADCAST-VIDEO

  bandwidth percent 40

 class VOICE

  priority percent 10

 class LOW-LATENCY-DATA

  bandwidth percent 4

 class HIGH-THROUGHPUT-DATA

  bandwidth percent 4

 class MULTIMEDIA-CONFERENCING

  bandwidth percent 4

 class SCAVENGER

  bandwidth percent 1

 class OAM

  bandwidth percent 1

 class NETWORK-CONTROL

  bandwidth percent 1

 class CALL-SIGNALING

  bandwidth percent 1

 class class-default

  fair-queue

policy-map 30M

 class class-default

  shape average 30000000

  service-policy IPVS_BRANCH

!

!

interface Tunnel128

 ip vrf forwarding IPVS

 ip address 192.168.15.131 255.255.255.192

 ip mtu 1400

 ip nhrp authentication FOO

 ip nhrp map 192.168.15.129 192.168.15.40

 ip nhrp map multicast 192.168.15.40

 ip nhrp network-id 128

 ip nhrp nhs 192.168.15.129

 ip summary-address eigrp 65 192.0.2.32 255.255.255.224 5

 tunnel source GigabitEthernet0/0.352

 tunnel destination 192.168.15.40

 tunnel key 128

 tunnel protection ipsec profile IPVS_Branches_ipsec_profile

!

interface Tunnel192

 ip vrf forwarding IPVS

 ip address 192.168.15.195 255.255.255.192

 ip mtu 1400

 ip nhrp authentication FOO

 ip nhrp map 192.168.15.193 192.168.15.41

 ip nhrp map multicast 192.168.15.41

 ip nhrp network-id 192

 ip nhrp nhs 192.168.15.193

 ip summary-address eigrp 65 192.0.2.32 255.255.255.224 5

 tunnel source GigabitEthernet0/0.351

 tunnel destination 192.168.15.41

 tunnel key 192

 tunnel protection ipsec profile IPVS_Branches_ipsec_profile_2

!

interface GigabitEthernet0/0

 description TRUNK

 no ip address

 ip route-cache flow

 load-interval 30

 duplex full

 speed 100

 media-type rj45

!

interface GigabitEthernet0/0.150

 description Outside WAN

 encapsulation dot1Q 150

 ip address dhcp

!

interface GigabitEthernet0/0.203

 description Inside global routing for corporate end-users

 encapsulation dot1Q 203

 ip address 10.81.7.89 255.255.255.248

!

interface GigabitEthernet0/0.208

 description Inside interface for IP Cameras

 encapsulation dot1Q 208

 ip vrf forwarding IPVS

 ip address 192.0.2.49 255.255.255.240

 ip pim sparse-mode

!

interface GigabitEthernet0/0.258

 description iSCSI Management Subnet

 encapsulation dot1Q 258

 ip vrf forwarding IPVS

 ip address 192.168.211.1 255.255.255.0

!

interface GigabitEthernet0/0.351

 description vpn-jk2-7206-2 [Second Head-end]

 encapsulation dot1Q 351

 ip address 192.168.15.30 255.255.255.252

 service-policy output 30M

!

interface GigabitEthernet0/0.352

 description vpn-jk2-7206-1 [Primary Head-end]

 encapsulation dot1Q 352

 ip address 192.168.15.50 255.255.255.252

 service-policy output 30M

!

interface GigabitEthernet0/1

 no ip address

 duplex auto

 speed auto

 media-type rj45

!

interface FastEthernet0/2/0

 description Flashnet

 duplex full

 speed 100

!

interface FastEthernet0/2/1

!

interface FastEthernet0/2/2

!

interface FastEthernet0/2/3

!

interface Video-Service-Engine1/0

 ip vrf forwarding IPVS

 ip address 192.0.2.37 255.255.255.252

 ip route-cache flow

 service-module ip address 192.0.2.38 255.255.255.252

 service-module ip default-gateway 192.0.2.37

 no keepalive

!

interface Integrated-Service-Engine2/0

 ip vrf forwarding IPVS

 ip address 192.0.2.33 255.255.255.252

 ip route-cache flow

 service-module external ip address 192.168.211.2 255.255.255.0

 service-module ip address 192.0.2.34 255.255.255.252

 service-module ip default-gateway 192.0.2.33

 no keepalive

!

interface Vlan1

 description FlashNet

 ip address 172.26.156.105 255.255.254.0

 no ip proxy-arp

!

router eigrp 65

 network 10.81.7.88 0.0.0.7

 network 192.168.15.0 0.0.0.63

 no auto-summary

 !

 address-family ipv4 vrf IPVS

  network 192.0.2.32 0.0.0.31

  network 192.168.15.128 0.0.0.127

  network 192.168.211.0

  no auto-summary

  autonomous-system 65

 exit-address-family

!

ip forward-protocol nd

ip route 10.81.0.27 255.255.255.255 172.26.156.1 name IOS-CA

ip route 192.168.15.40 255.255.255.255 192.168.15.49 name vpn-jk2-7206-1_Loopback_0

ip route 192.168.15.41 255.255.255.255 192.168.15.29 name vpn-jk2-7206-2_Loopback_0

ip route 64.102.223.16 255.255.255.240 dhcp

ip route 192.5.41.40 255.255.255.254 dhcp

!

ip flow-cache timeout active 1

ip flow-export version 5

ip flow-export destination 172.26.157.11 7777

!

ip http server

no ip http secure-server

!

ip access-list extended LOCAL_LOGIN

 permit tcp host 192.0.2.33 any eq 2130

 deny   ip any any log

!

snmp-server enable traps tty

!

!

control-plane

!

!

banner exec 

3825

192.0.2.32 /30  ISR NM NME-VMSS-HP16

192.0.2.36 /30  EVM-IPVS-16A

192.0.2.40      reserved .40 to .47

192.0.2.48 /28  Reserved for IP Cameras (0.0.0.15)


banner motd 

   C i s c o S y s t e m s

     ||               ||

     ||               ||       Cisco Systems, Inc.

    ||||             ||||      IT-Transport

 .:|||||||:.......:|||||||:..

  US, Asia & Americas support:    + 1 408 526 8888

 EMEA support:                   + 31 020 342 3888

  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.

 You must have explicit permission to access or configure this

 device. All activities performed on this device are logged and

 violations of this policy may result in disciplinary action.


!

line con 0

 exec-timeout 0 0

line aux 0

line 66

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line 130

 access-class LOCAL_LOGIN in vrf-also

 login local

 no activation-character

 no exec

 transport preferred none

 transport input telnet

 transport output none

line vty 0 4

 exec-timeout 0 0

 login local

!

scheduler allocate 20000 1000

ntp clock-period 17178750

ntp source Integrated-Service-Engine2/0

ntp master 12

ntp server 192.168.6.1 source GigabitEthernet0/0.150

ntp server 10.81.254.202 source Vlan1

ntp server 10.81.254.131 source Vlan1

!

end

3750-access 

This configuration is for an access-layer switch not explicitly shown in the topology diagram. It is a 
cisco WS-C3750G-24PS model.

! System image file is "flash:c3750-advipservicesk9-mz.122-44.SE1.bin"

!

3750-access#sh run b

Building configuration...


Current configuration : 6533 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname 3750-access

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

switch 1 provision ws-c3750g-24ps

system mtu routing 1500

vtp mode transparent

ip subnet-zero

no ip domain-lookup

!

ip multicast-routing distributed

!

mls qos

!

crypto pki trustpoint TP-self-signed-798490880

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-798490880

 revocation-check none

 rsakeypair TP-self-signed-798490880

!

!

crypto pki certificate chain TP-self-signed-798490880

 certificate self-signed 01

!

!

!

!

macro name cisco-camera-2500

#Assign Port Description


description Connected to IPVS Camera


#Assign Cisco IPVS Camera in unique Layer 2 VLAN

switchport access vlan $VLAN


#Statically configure Cisco Camera port in access-mode

switchport mode access


#Enable Layer 2 Port-Security

switchport port-security


#Dynamically register secured IPVS MAC address.

switchport port-security mac-address sticky


#Set maximum allowed secured MAC entry to 1. Default value, but with macro it wi

ll override manual setting.

switchport port-security maximum 1


#Set port security violation action to shutdown physical port. Default setting,

but will macro it will override manual setting.

switchport port-security violation shutdown


#Enable QoS on Cisco Camera port and trust incoming DSCP value.


mls qos trust dscp


#Expedite port bring up process by enabling portfast configuration.

spanning-tree portfast


#Disable transmitting and receiving STP BPDU frame on Cisco Camera port

spanning-tree bpdufilter enable

@

macro name CIVS-IPC-2500

description Cisco Video Surveillance 2500 Series IP Camera

switchport mode access

switchport access vlan $VLAN

switchport port-security

switchport port-security mac-address sticky

switchport port-security maximum 1

switchport port-security violation shutdown

mls qos trust dscp

spanning-tree portfast

spanning-tree bpdufilter enable

load-interval 60

no shutdown

@

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 10,208,220-221

!

!

class-map match-all HTTP

 match protocol http

class-map match-all HTTP_acl

 match access-group name HTTP

class-map match-all HTTP_acl_client

 match access-group name HTTP_client

!

!

policy-map VSMS

 class HTTP_acl

  set dscp cs5

 class class-default

  set dscp cs3

policy-map Viewing_Station

 class HTTP_acl_client

  set dscp cs5

 class class-default

  set dscp cs3

!

!

!

!

interface GigabitEthernet1/0/1

 description trunk to vpn1-2851-1 [vpn-jk2-2948-1]

 switchport trunk encapsulation dot1q

 switchport mode trunk

 load-interval 60

 priority-queue out

 mls qos trust dscp

!

interface GigabitEthernet1/0/2

 description Cisco Video Surveillance 2500 Series IP Camera

 switchport access vlan 208

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 001d.e5ea.79d3

 load-interval 60

 mls qos trust dscp

 macro description CIVS-IPC-2500

 spanning-tree portfast

 spanning-tree bpdufilter enable

!

interface GigabitEthernet1/0/3

 description 4300 IP camera 0021.1bfd.df85

 switchport access vlan 220

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0021.1bfd.df85

 load-interval 60

 mls qos trust dscp

 spanning-tree portfast

 spanning-tree bpdufilter enable

!

interface GigabitEthernet1/0/4

 description 4300 IP camera 0021.1bfd.df62

 switchport access vlan 220

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0021.1bfd.df62

 load-interval 60

 mls qos trust dscp

 spanning-tree portfast

 spanning-tree bpdufilter enable

!

interface GigabitEthernet1/0/5

 description Viewing Station

 switchport access vlan 208

 switchport mode access

 priority-queue out

 spanning-tree portfast

 spanning-tree bpdufilter enable

 service-policy input Viewing_Station

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

 description CIVS-IPC-4500-1

 switchport access vlan 220

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 001e.bdfc.19d6

 load-interval 60

 mls qos trust dscp

 spanning-tree portfast

 spanning-tree bpdufilter enable

!

interface GigabitEthernet1/0/12

 description CIVS-IPC-4500-2

 switchport access vlan 220

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0021.1bfd.dfc1

 load-interval 60

 mls qos trust dscp

 spanning-tree portfast

 spanning-tree bpdufilter enable

!

interface GigabitEthernet1/0/13

 description CIVS-IPC-4500-3

 switchport access vlan 220

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 001b.53ff.6cb9

 load-interval 60

 mls qos trust dscp

 spanning-tree portfast

 spanning-tree bpdufilter enable

!

interface GigabitEthernet1/0/14

 description CIVS-IPC-4500-4

 switchport access vlan 220

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 001e.bdfc.19c9

 load-interval 60

 mls qos trust dscp

 spanning-tree portfast

 spanning-tree bpdufilter enable

!

interface GigabitEthernet1/0/15

!

interface GigabitEthernet1/0/16

!

interface GigabitEthernet1/0/17

!

interface GigabitEthernet1/0/18

!

interface GigabitEthernet1/0/19

!

interface GigabitEthernet1/0/20

!

interface GigabitEthernet1/0/21

!

interface GigabitEthernet1/0/22

!

interface GigabitEthernet1/0/23

!

interface GigabitEthernet1/0/24

!

interface GigabitEthernet1/0/25

!

interface GigabitEthernet1/0/26

!

interface GigabitEthernet1/0/27

!

interface GigabitEthernet1/0/28

!

interface Vlan1

 no ip address

 shutdown

!

ip classless

ip http server

ip http secure-server

!

!

ip access-list extended HTTP

 permit tcp any eq www any

ip access-list extended HTTP_client

 permit tcp any any eq www

!

!

control-plane

!

!

line con 0

 exec-timeout 0 0

line vty 0 4

 login

line vty 5 15

 login

!

!

end