Bandwidth percent - ios xr

hi everyone,
in a policy map - when you configure your classes - ex
class 1
bandwidth percent 25
class 2
bandwidth percent 25
class 3
bandwidth percent 25
class 4
bandwidth percent 25
- will this negate p2mdrr or mddr? ie. have I configured the policy to "not" have any remaining available bandwidth to any other classes?
thanks,
Andrew

hi andrew,
bw percent gives you a defined assigned CIR based on the parent shaping bandwidth.
bandwidth remaining (percent) will get a modified deficit rate of the left over bandwidth after all the classes have been served that have an assigned CIR.
you can see how the programming of the shaped classes has been done with the command show qos int <interface> <direction> which gives you the CIR that is currently running on that class and their (excess) weight ratio as determined by the scheduler, available bw and all that.
cheers
xander

Similar Messages

  • ASR9K: bandwidth and bandwidth remaining cannot be used together. How to solve the problem to grant a quota and equally assign the remaining quota?

    Hi everyone
    The problem should be trivial. We want to grant a quota to specific classes and use equally the remaining quota of available bandwidth to all the requesting classes. Let's clarify with an example:
    Class 7 ==> priority queue, level 1 with police 20%
    Class 5 ==> priority queue, level 2 with police 40%
    Class 6 ==> CIR 12%
    Class 3 ==> CIR 11%
    Class 2 ==> CIR 8%
    Class 1 ==> CIR 5%
    Class 0 ==> CIR 4%
    To simplify let's suppose that there is no traffic on class 7 and 5 and that all remaining classes are generating traffic at a rate of 300Mbps each. Outgoing interface is 1G so congestion occurs. We want that each class 6,3,2,1,0 receive its granted value (so, respectively, 120M, 110M, 80M, 50M and 40M for a total of 400M) and that the remaining available bandwidth (600M) will be equally assigned, so 120M to each class.
    Documentation from IOS-XR 5.2.2 lets us understand that this should be the default behavior, but if we run the policy shown below what we get is a weighted assignment of the remaining quota.
    The policy used is the following:
    policy-map TEST-POLICY
     class qos7
      police rate percent 20
      priority level 1
     class qos5
      police rate percent 40
      priority level 2
     class qos6
      bandwidth percent 12
     class qos3
      bandwidth percent 11
     class qos2
      bandwidth percent 8
     class qos1
      bandwidth percent 5
     class qos0
      bandwidth percent 4
     class class-default
     end-policy-map
    The documentation of IOS-XR 5.2.2 states that both "bandwidth percent" and "bandwidth remaining percent" could be used in the same class (which could be a solution to force the requested behavior) but using both generates the following error:
    !!% Both bandwidth and bandwidth-remaining actions cannot be configured together in leaf-level of the queuing hierarchy: InPlace Modify Error: Policy TEST-POLICY: 'qos-ea' detected the 'warning' condition 'Both bandwidth and bandwidth-remaining actions cannot be configured together in leaf-level of the queuing hierarchy'
    How could the problem be solved? Maybe a hierarchical QoS with the granted quota in the parent policy and a "bandwidth remaining percent 20" in the child?

    Hi everyone
    just to provide my contribution, the hierarchical QoS policy works, balancing the remaining bandwidth after granting the requested bandwidth (see the policy implemented below). However, priority queues are granted the policer quota, but when sending more flows these appear to be unbalanced. So the problem of having both PQs served (in a balanced way between flows) AND having the remaining bandwidth distributed equally remains open ...
    policy-map TEST-POLICY-parent
     class qos6
      service-policy TEST-POLICY-child
      bandwidth percent 12
     class qos3
      service-policy TEST-POLICY-child
      bandwidth percent 11
     class qos2
      service-policy TEST-POLICY-child
      bandwidth percent 8
     class qos1
      service-policy TEST-POLICY-child
      bandwidth percent 5
     class qos0
      service-policy TEST-POLICY-child
      bandwidth percent 4
     class class-default
      service-policy TEST-POLICY-child
     end-policy-map
    policy-map TEST-POLICY-child
     class qos7
      police rate percent 20
      priority level 1
     class qos5
      police rate percent 40
      priority level 2
     class qos6
      bandwidth remaining percent 20
     class qos3
      bandwidth remaining percent 20
     class qos2
      bandwidth remaining percent 20
     class qos1
      bandwidth remaining percent 20
     class qos0
      bandwidth remaining percent 20
     class class-default
     end-policy-map

  • WRED+bandwidth allocation algorithm ?

    Dear Gurus!
    Please tell me what is the bandwidth allocation algorithm:
    I have 3 flows within 1 class-map.
    WRED is enabled on the output ATM pvc(the total bandwidth of pvc is 2000kbps).
    Flows have dscp marks af11(10) af12(12) af13(14).
    When the pvc is congested the flows get the following bandwidth share in outgoing interface: af11(dscp 10) - 59% ; af12(dscp 12) - 40%; af13(dscp 14) - 1%; + bulk traffic with dscp 0.
    Total bandwidth allocated for flows 10,12,14 is near 1500000bits per sec (75% of 2000kbps)
    All flows have same packet sizes - 1400 bytes
    Please tell me how the 7200 calculates bandwidth allocation between flows with dscp 10, 12 and 14.
    I have the following
    router 7206
    IOS (tm) 7200 Software (C7200-JK8S-M), Version 12.2(13), RELEASE SOFTWARE (fc1)
    cisco 7206VXR (NSE-1) processor (revision A)
    ATM PA - OC3
    config:
    class-map match-all af11
    match ip dscp af11 af12 af13
    policy-map gold
    class af11
    bandwidth percent 65
    random-detect dscp-based
    random-detect dscp 10 28 45 10
    random-detect dscp 12 28 43 10
    random-detect dscp 14 28 40 10
    class class-default
    bandwidth percent 10
    interface ATM2/0.34 point-to-point
    description RBNet
    bandwidth 2000
    ip address 10.0.4.1 255.255.255.252
    pvc rbnet 15/64
    vbr-nrt 2000 1500 50
    tx-ring-limit 3
    encapsulation aal5mux ip
    service-policy output gold
    Thanks in advance, Andrei

    Ok Andrei,
    Here's my thinking about what is happening...
    You are transmitting a total of 300*1400*8 = 3.36Mbps into a circuit that is configured for 2Mbps. Since this traffic is being sent at a continuous rate, that means that the queue is in a state of constant congestion. In fact, the size of the queue is going to be sitting around the maximum of 45 packets pretty much all the time. The only time that space is created in the queue is when:
    1. A packet is scheduled out of the queue
    2. Packets are dropped due to RED
    Now, if the queue is always around the 45 packet mark, that means that once the queue reaches that point, all packets for DSCP 14 are going to be dropped since the queue depth is greater than the maximum threshold of 40 for DSCP 14.
    Considering the DSCP 10 traffic now...Both the DSCP 10 and DSCP 12 traffic is operating in the RED drop zone since the queue size is much higher than their minimum threshold of 20. Therefore, roughly 1/10 packets are getting dropped for each of these flows. 1/10 of each flow would give you roughly 2 packets of each based on the fact that very little of the DSCP 14 traffic is getting through. Every time RED drops these packets, space is created in the queue and if at that point, the queue size is less than 43, packets for DSCP 12 are accepted. The queue size is always going to be less than or equal to 45, so slightly more of the DSCP 10 packets are accepted.
    I hope that explains the behaviour adequately.
    Pls do remember to rate posts.
    Paresh
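Added example, not part of either post above: the standard WRED drop curve (no drops below the minimum threshold, a linear ramp up to 1/mark-probability-denominator at the maximum threshold, every packet dropped above it) applied to the three `random-detect dscp` lines from the question. The exponential weight of 9 used for the averaged queue depth and all function names are assumptions of this sketch.

```python
"""Added example: WRED drop profile for the posted random-detect lines."""
import re

# random-detect lines copied from the 'gold' policy in the question.
CONFIG = """\
random-detect dscp 10 28 45 10
random-detect dscp 12 28 43 10
random-detect dscp 14 28 40 10
"""


def parse_profiles(text):
    """Map dscp -> (min_threshold, max_threshold, mark_prob_denominator)."""
    profiles = {}
    for m in re.finditer(r"random-detect dscp (\d+) (\d+) (\d+) (\d+)", text):
        dscp, lo, hi, mpd = (int(x) for x in m.groups())
        if not lo < hi:
            raise ValueError(f"dscp {dscp}: min threshold must be below max")
        profiles[dscp] = (lo, hi, mpd)
    return profiles


def drop_probability(avg_depth, lo, hi, mpd):
    """WRED drop probability for one profile at a given average queue depth."""
    if avg_depth < lo:
        return 0.0                      # below min threshold: never dropped
    if avg_depth > hi:
        return 1.0                      # above max threshold: always dropped
    return (avg_depth - lo) / (hi - lo) / mpd


def profile_at(avg_depth, profiles):
    """Drop probability per DSCP at one average depth, rounded for display."""
    return {d: round(drop_probability(avg_depth, *p), 4)
            for d, p in profiles.items()}


def packets_until_average_exceeds(target, depth, weight=9, limit=100000):
    """Count arrivals until the averaged depth passes `target`.

    WRED acts on an exponentially weighted average, not the instantaneous
    depth: avg = avg * (1 - 2**-weight) + depth * 2**-weight per arrival.
    `depth` is a constant instantaneous queue depth (constructed input).
    """
    avg = 0.0
    for n in range(1, limit + 1):
        avg += (depth - avg) / 2 ** weight
        if avg > target:
            return n
    return None


PROFILES = parse_profiles(CONFIG)

if __name__ == "__main__":
    for depth in (27, 35, 41, 44):
        print(depth, profile_at(depth, PROFILES))
    print("arrivals before DSCP 14 is fully dropped:",
          packets_until_average_exceeds(40, 45))
```

With the average depth between 40 and 43 packets, DSCP 14 is dropped outright while DSCP 12 sees a slightly higher drop probability than DSCP 10, which is the ordering of the shares reported in the question.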

  • IOS XR deny ace not supported in access list

    Hi everybody,
    We've a 10G interface, this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
    interface TenGigE0/3/0/0
     cdp
     mtu 1568
     service-policy output TK-MPLS_TG
     ipv4 address 172.16.19.134 255.255.255.252
     mpls
      mtu 1568
    policy-map TK-MPLS_TG
    class class-default
      service-policy TK-MPLS_EDGE-WAN
      shape average 2000000000 bps
      bandwidth 2000000 kbps
    and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy helps us to assign bandwidth percent to 5 class-maps, which in turn match with experimental values classified when they got in to the router:
    class-map match-any W_RTP
     match mpls experimental topmost 5
     match dscp ef
     end-class-map
    class-map match-any W_EMAIL
     match mpls experimental topmost 1
     match dscp cs1
     end-class-map
    class-map match-any W_VIDEO
     match mpls experimental topmost 4 3
     match dscp cs3 cs4
     end-class-map
    class-map match-any W_DATOS-CR
     match mpls experimental topmost 2
     match dscp cs2
     end-class-map
    class-map match-any W_AVAIL
     match mpls experimental topmost 0
     match dscp default
     end-class-map
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      bandwidth percent 2
    class class-default
    end-policy-map
    what we want to do is to assign a specific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We've an additional requirement, which is to not apply this "rate" to some networks, we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL:
    ipv4 access-list PROXY-GIT-MEX
    10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
    20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
    30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
    40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
    50 permit tcp host 150.2.1.100 any
    60 permit tcp host 10.15.221.100 any
    policy-map EDGE-MEX3-PXY
     class C_PXY-GIT-MEX3
      police rate 300 mbps
     class class-default
     end-policy-map
    class-map match-any C_PXY-GIT-MEX3
     match access-group ipv4 PROXY-GIT-MEX
     end-class-map
    we assign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      service-policy EDGE-MEX3-PXY
    class class-default
    end-policy-map
    and we get this:
    Wed Sep 17 18:35:36.537 UTC
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
    Wed Sep 17 18:35:49.662 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
    end
    Any kind of help is very appreciated.

    That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
    unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
    if you have some traffic that you want to exclude you could do something like this:
    access-list PERMIT-ME
    1 permit
    2 permit
    3 permit
    access-list DENY-ME
    !the exclude list
    1 permit
    2 permit
    3 permit
    policy-map X
    class DENY-ME
    <dont do anything> or set something rogue (like qos-group)
    class PERMIT-ME
    do here what you wanted to do as earlier.
    even though the permit and deny may be overlapping in terms of match, only the first class is matched here, DENY-ME.
    cheers!
    xander
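Added example, not xander's code or Cisco tooling: it splits the ACL from the question into two permit-only ACLs (an exclude list built from the former deny entries, and the remaining permits) and checks by first-match simulation that classifying against the exclude class first gives the intended result. The names PROXY-EXCLUDE and C_PXY-EXCLUDE are hypothetical, the test packets are constructed, and the split is only attempted when every deny precedes every permit, since moving a later deny ahead of an earlier permit would change first-match results.

```python
"""Added example: turn a deny+permit QoS match ACL into two permit-only ACLs."""
import ipaddress

# ACL copied from the question; rejected for QoS class matching on IOS XR.
ACL_TEXT = """\
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
"""
ALL_ONES = 0xFFFFFFFF


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def take_address(tokens):
    """Pop one address spec from tokens -> (network, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, ALL_ONES
    if first == "host":
        return ip_int(tokens.pop(0)), 0
    return ip_int(first), ip_int(tokens.pop(0))


def parse_acl(text):
    """Parse '<seq> <action> <proto> <src> <dst>' lines into dicts."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        rest = tokens[3:]
        src = take_address(rest)
        dst = take_address(rest)
        aces.append({"seq": int(tokens[0]), "action": tokens[1],
                     "proto": tokens[2], "src": src, "dst": dst,
                     "spec": " ".join(tokens[2:])})
    return aces


def split_permit_only(aces):
    """Return (exclude, include): former denies as permits, and the permits."""
    exclude, include = [], []
    for ace in aces:
        if ace["action"] == "deny":
            if include:
                raise ValueError(f"deny at seq {ace['seq']} follows a permit; "
                                 "splitting would change first-match results")
            exclude.append(dict(ace, action="permit"))
        else:
            include.append(ace)
    return exclude, include


def render(name, aces):
    """Emit the ACL in the syntax used on the page."""
    lines = [f"ipv4 access-list {name}"]
    lines += [f" {a['seq']} permit {a['spec']}" for a in aces]
    return "\n".join(lines)


def matches(ace, proto, src, dst):
    if ace["proto"] not in ("ipv4", proto):
        return False
    for (net, wild), addr in ((ace["src"], src), (ace["dst"], dst)):
        if (net ^ ip_int(addr)) & ~wild & ALL_ONES:
            return False
    return True


def classify(classes, proto, src, dst):
    """First matching class wins, as in a policy-map; else class-default."""
    for name, aces in classes:
        if any(matches(a, proto, src, dst) for a in aces):
            return name
    return "class-default"


EXCLUDE, POLICE = split_permit_only(parse_acl(ACL_TEXT))
# Order matters: the exclude class must be listed first in the policy-map.
CLASSES = [("C_PXY-EXCLUDE", EXCLUDE), ("C_PXY-GIT-MEX3", POLICE)]

if __name__ == "__main__":
    print(render("PROXY-EXCLUDE", EXCLUDE))
    print(render("PROXY-GIT-MEX", POLICE))
    for pkt in [("tcp", "150.2.1.100", "10.15.142.7"),
                ("tcp", "150.2.1.100", "192.0.2.10")]:
        print(pkt, "->", classify(CLASSES, *pkt))
```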

  • XR - IOS QOS issue.

    Hello Masters,
      While trying to configure QoS in ASR 9001, I am getting the below error. Kindly help me to find a solution for it.
    interface GigabitEthernet0/0/1/3.824897
     service-policy output ######PARENT-256K
    !!% 'qos-ea' detected the 'warning' condition 'Minimum value for bandwidth configuration is 64 kbps'
    Thanking You,
    Ram.

    Hello Xander,
    I have pasted the template QoS config, which I have tried to configure on ASR 9K. Are there any other ways to implement the same? Thanks in advance.
    class-map match-all XYZ-GOLD
     match dscp af41
    class-map match-all XYZ-SILVER
     match dscp af31
    class-map match-all XYZ-BRONZE
     match precedence 0
    policy-map XYZ-CHILD
     class XYZ-GOLD
      bandwidth percent 20
     class XYZ-SILVER
      bandwidth percent 60
     class XYZ-BRONZE
      bandwidth percent 20
    policy-map XYZ-PARENT-128K
     class class-default
      shape average 128000
      service-policy XYZ-CHILD
    Regards,
    Ram

  • QoS Priority Percent

    Hi All, 
    We are trying to create 3 QoS queues for a WAN circuit between a managed CE and the PE in our network. 
    Currently we have:
    policy-map PM_WAN_OUT
    class CM_VOICE
    priority percent 30
    set ip dscp ef
    class CM_CRITICAL
    bandwidth percent 30
    set ip dscp af31
    class class-default
    bandwidth percent 40
    set ip dscp 0
    random-detect dscp-based
    With the idea that VOIP and signalling has a LLQ of 30%, critical data has 30% and everything else has 40%.
    We've done a little testing and can see that the LLQ gets 30% of the bandwidth, however, if there is no traffic in the LLQ, will the other queues be able to use that bandwidth? For example, if there were no voice calls, or critical data (queues 1 and 2) then the default class could have 100% of the bandwidth? 
    Also, is it best practice to map DSCP to EXP for transmission over our MPLS network, or use mls qos trust dscp instead?
    Thanks for the help

    In answer to your first question, normally, "unused" class bandwidth is available to other classes.  So, yes, also normally, the default class might use 100% of the bandwidth (if none is being used by other classes).

  • Bandwidth Restriction

    Hi,
    I have got an internet router, Cisco 1700 series. My FastEthernet has got 1 public IP address, e.g. 10.10.10.1, connected to the LAN, and S0/0 has got a public IP address, e.g. 1.1.1.1, which is connected to the ISP (1 Mbps leased line). I have been using a few public IP addresses on my LAN for FTP, web server, mail server etc. Now is there any option in the router where I can restrict my FTP server alone to only 128 Kbps? The FTP server IP is 10.10.10.2. Since FTP alone is occupying almost the entire bandwidth, internet access for users on my LAN has become very, very slow.

    Hello,
    unfortunately the config above will not work, because it does not describe FTP traffic properly.
    TCP port 21 is only the control session, whereas the data transfer with active FTP is done through TCP port 20. Data transfer in general will cause your congestion problems. With passive FTP you will have dynamically assigned port numbers and then an access-list is NOT able to grab the majority of FTP transfer at all.
    So you need to use NBAR for your case. The config would look like this:
    ip cef
    class-map match-all FTPserver
    match ip address 100
    match protocol ftp
    policy-map Output1
    class FTPserver
    shape average 128000
    interface Serial0
    description 1Mbps to ISP
    ip address 1.1.1.1 255.255.255.252
    bandwidth 1024
    service-policy output Output1
    access-list 100 permit ip host 10.10.10.2 any
    The class-map FTP describes traffic, which is from host 10.10.10.2 AND is FTP. This includes active and passive FTP control session and data session.
    In the policy this traffic is limited to 128 kbps through shaping, i.e. there is never more than 128 kbps utilization from FTP traffic on your WAN link.
    In case you would like to limit FTP only in case there is other traffic please use the following policy:
    class-map match-all FTPserver
    match ip address 100
    match protocol ftp
    class-map match-all NonFTPserver
    match not class FTPserver
    policy-map Output1
    class NonFTPserver
    bandwidth percent 75
    This will guarantee 75% of the bandwidth to traffic not being FTP from your server. This will only restrict FTP traffic when there is no other traffic.
    Cisco does recommend not to plan for more than 75% percent of interface bandwidth, because of L2 keepalives, and system messages in general.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Bandwidth available when classifying

    I'm having trouble with my queuing config and was hoping that someone could take a look please? I have created the following:
    class-map match-any critical
    match protocol rtp
    class-map match-any priority
    match access-group 180
    policy-map queue
    class critical
    priority percent 35
    class priority
    bandwidth percent 40
    class class-default
    fair-queue
    random-detect dscp-based
    And then:
    int s0/0/0:0
    service-policy output queue
    Then when I do a show int, the available bandwidth goes to 1kbps (formerly 1536kbps)
    Output queue: 0/1000/64/916 (size/max total/threshold/drops)
    Conversations 0/2/256 (active/max active/max total)
    Reserved Conversations 2/2 (allocated/max allocated)
    Available Bandwidth 1 kilobits/sec
    This is a 2mbps serial interface on a 2800 running Version 12.3(8r)T7.
    So, why would the available bandwidth become 1kbps? Is available bandwidth referring to the bandwidth that's left for the class-default? Or the bandwidth available to the critical & priority class?
    I should also mention that it wouldn't allow me to increase the priority bandwidth to above 35%. Also, bandwidth is configured as 2048 on the interface.
    Any help gratefully received!
    Thanks,
    J

    Hi Spremkumar,
    Thanks for your response. Here is the output. I have changed the values though to:
    class critical 20%
    class priority 30%
    It doesn't look like it's working though:
    show policy-map interface s0/0/0:0
    Serial0/0/0:0
    Service-policy output: queue
    Class-map: critical (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol rtp
    0 packets, 0 bytes
    5 minute rate 0 bps
    Queueing
    Strict Priority
    Output Queue: Conversation 264
    Bandwidth 20 (%)
    Bandwidth 409 (kbps) Burst 10225 (Bytes)
    (pkts matched/bytes matched) 0/0
    (total drops/bytes drops) 0/0
    Class-map: priority (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group 180
    0 packets, 0 bytes
    5 minute rate 0 bps
    Queueing
    Output Queue: Conversation 265
    Bandwidth 30 (%)
    Bandwidth 614 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 0/0
    (depth/total drops/no-buffer drops) 0/0/0
    Class-map: class-default (match-any)
    72727 packets, 38704060 bytes
    5 minute offered rate 769000 bps, drop rate 0 bps
    Match: any
    Queueing
    Flow Based Fair Queueing
    Maximum Number of Hashed Queues 256
    (total queued/total drops/no-buffer drops) 3/100/0
    exponential weight: 9
    dscp Transmitted Random drop Tail drop Minimum Maximum Mark
    pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
    af11 0/0 0/0 0/0 32 40 1/10
    af12 0/0 0/0 0/0 28 40 1/10
    af13 0/0 0/0 0/0 24 40 1/10
    af21 0/0 0/0 0/0 32 40 1/10
    af22 0/0 0/0 0/0 28 40 1/10
    af23 0/0 0/0 0/0 24 40 1/10
    af31 0/0 0/0 0/0 32 40 1/10
    af32 0/0 0/0 0/0 28 40 1/10
    af33 0/0 0/0 0/0 24 40 1/10
    af41 0/0 0/0 0/0 32 40 1/10
    af42 0/0 0/0 0/0 28 40 1/10
    af43 0/0 0/0 0/0 24 40 1/10
    cs1 26/3166 0/0 0/0 22 40 1/10
    cs2 0/0 0/0 0/0 24 40 1/10
    cs3 0/0 0/0 0/0 26 40 1/10
    cs4 0/0 0/0 0/0 28 40 1/10
    cs5 0/0 0/0 0/0 30 40 1/10
    cs6 41/3928 0/0 0/0 32 40 1/10
    cs7 0/0 0/0 0/0 34 40 1/10
    ef 0/0 0/0 0/0 36 40 1/10
    rsvp 0/0 0/0 0/0 36 40 1/10
    default 72888/38781710 100/73423 0/0 20 40 1/10

  • Grant bandwidth (CBWFQ?)

    Hi Team,
    i am new to the community so i greet you all!
    My doubts and problems are related to the need to shape the traffic of a class granting a minimum bandwidth.
    We have a 7206-VXR so we have Gigabit physical interfaces, our SP is granting 200Mbps.
    The shape is working fine but the bandwidth command doesn't trigger because, for my router, there's no congestion.
    I think that this is a common problem and maybe I am trying to solve it in the wrong way.
    Any suggestion is appreciated
    Thanks in advance
    Denis

    Hi Denis,
    Shaping using the 'shape' cli defines the max rate for a class; whereas, the 'bandwidth' cli defines the minimum bandwidth guarantee for that class under functional congestion.
    For example,
    policy-map test
     class A
      shape average percent 20
     class B
      bandwidth percent 10
     class C
      bandwidth percent 30
    - Traffic through class A will *always* get shaped to 20% of intf bandwidth. Doesn't matter whether the interface is congested or not.
    - Traffic through class B and Class C will get a *minimum* guarantee of 10 and 30% of intf bandwidth when the interface is congested. When the interface is not congested, then there is really no need for a queueing policy (~ bandwidth cli) and the queueing part of the policy won't kick in. So, class B / class C can basically use the entire intf bandwidth if there is no traffic through the other (bandwidth) classes. However, should the physical interface be congested (tx_ring is full) then queueing kicks in and each class is given a minimum guarantee that's configured. The remaining bandwidth is shared amongst the bandwidth classes in the ratio of guarantees.
    - Abhi
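Added example, not from any poster in these threads: a small model of the two excess-sharing rules discussed above, run on the figures from the ASR9K thread (1G link, qos6/qos3/qos2/qos1/qos0 at 12/11/8/5/4 percent, 300 Mbps offered per class, priority classes idle). It assumes leftover bandwidth is handed out either equally or in the ratio of the guarantees, as Abhi's reply describes; real schedulers are platform specific, and the function and variable names are hypothetical.

```python
"""Added example: guaranteed bandwidth plus excess sharing under congestion."""

LINK_MBPS = 1000
OFFERED_MBPS = 300
# bandwidth percent values from TEST-POLICY; qos7/qos5 are idle in the scenario.
PERCENT = {"qos6": 12, "qos3": 11, "qos2": 8, "qos1": 5, "qos0": 4}


def allocate(link, guarantee, offered, weight):
    """Return {class: rate} on a congested link.

    guarantee/offered/weight are dicts keyed by class name (same units as
    link). Each class first gets min(guarantee, offered); the leftover is
    then split among still-hungry classes in proportion to `weight`. A class
    never receives more than it offers; its unused share is redistributed.
    """
    rate = {c: min(guarantee[c], offered[c]) for c in guarantee}
    left = link - sum(rate.values())
    active = {c for c in rate if rate[c] < offered[c]}
    while left > 1e-9 and active:
        total = sum(weight[c] for c in active)
        if total == 0:
            break                       # nobody is entitled to the excess
        share = {c: left * weight[c] / total for c in active}
        capped = {c for c in active if rate[c] + share[c] >= offered[c]}
        if not capped:
            for c in active:
                rate[c] += share[c]
            break
        # Satisfy the classes that hit their offered load, then re-split.
        for c in capped:
            left -= offered[c] - rate[c]
            rate[c] = offered[c]
        active -= capped
    return {c: round(r, 3) for c, r in rate.items()}


def scenario(mode):
    """mode='equal': excess split evenly; mode='ratio': by guarantee."""
    guarantee = {c: LINK_MBPS * p / 100 for c, p in PERCENT.items()}
    offered = {c: OFFERED_MBPS for c in PERCENT}
    if mode == "equal":
        weight = {c: 1 for c in PERCENT}
    elif mode == "ratio":
        weight = dict(guarantee)
    else:
        raise ValueError("mode must be 'equal' or 'ratio'")
    return allocate(LINK_MBPS, guarantee, offered, weight)


if __name__ == "__main__":
    for mode in ("equal", "ratio"):
        result = scenario(mode)
        print(mode, result, "total:", sum(result.values()))
```

Equal sharing reproduces the 120 Mbps of excess per class that the ASR9K poster wanted; sharing in the ratio of guarantees lets qos6 reach its full 300 Mbps offered load while qos0 ends up at 100 Mbps.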

  • VPN Clients cannot access remote site

    Hey there,
    I am pretty new in configuring Cisco devices and now I need some help.
    I have 2 site here:
    site A
    Cisco 891
    external IP: 195.xxx.yyy.zzz
    VPN Gateway for Remote users
    local IP: VLAN10 10.133.10.0 /23
    site B
    Cisco 891
    external IP: 62.xxx.yyy.zzz
    local IP VLAN10 10.133.34.0 /23
    Those two sites are linked together with a Site-to-Site VPN. Accessing files or resources from one site to the other is working fine while connected to the local LAN.
    I configured VPN connection with Radius auth. VPN clients can connect to Site A, get an IP address from VPN Pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access resources on site B. I already added the site B network to the ACL and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN Tunnels to ERP system.
    What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
    Here is the config of site A
    Building configuration...
    Current configuration : 24257 bytes
    version 15.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Englerstrasse
    boot-start-marker
    boot config usbflash0:CVO-BOOT.CFG
    boot-end-marker
    aaa new-model
    aaa group server radius Radius-AD
    server 10.133.10.5 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    clock timezone Berlin 1 0
    clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
    crypto pki trustpoint TP-self-signed-27361994
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-27361994
    revocation-check none
    rsakeypair TP-self-signed-27361994
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
    subject-name [email protected]
    revocation-check crl
    crypto pki certificate chain TP-self-signed-27361994
    certificate self-signed 01
          quit
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    no ip source-route
    ip auth-proxy max-login-attempts 5
    ip admission max-login-attempts 5
    no ip bootp server
    no ip domain lookup
    ip domain name yourdomain.com
    ip inspect log drop-pkt
    ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
    ip inspect name CCP_MEDIUM ftp
    ip inspect name CCP_MEDIUM h323
    ip inspect name CCP_MEDIUM sip
    ip inspect name CCP_MEDIUM https
    ip inspect name CCP_MEDIUM icmp
    ip inspect name CCP_MEDIUM netshow
    ip inspect name CCP_MEDIUM rcmd
    ip inspect name CCP_MEDIUM realaudio
    ip inspect name CCP_MEDIUM rtsp
    ip inspect name CCP_MEDIUM sqlnet
    ip inspect name CCP_MEDIUM streamworks
    ip inspect name CCP_MEDIUM tftp
    ip inspect name CCP_MEDIUM udp
    ip inspect name CCP_MEDIUM vdolive
    ip inspect name CCP_MEDIUM imap reset
    ip inspect name CCP_MEDIUM smtp
    ip cef
    no ipv6 cef
    appfw policy-name CCP_MEDIUM
      application im aol
        service default action allow alarm
        service text-chat action allow alarm
        server permit name login.oscar.aol.com
        server permit name toc.oscar.aol.com
        server permit name oam-d09a.blue.aol.com
        audit-trail on
      application im msn
        service default action allow alarm
        service text-chat action allow alarm
        server permit name messenger.hotmail.com
        server permit name gateway.messenger.hotmail.com
        server permit name webmessenger.msn.com
        audit-trail on
      application http
        strict-http action allow alarm
        port-misuse im action reset alarm
        port-misuse p2p action reset alarm
        port-misuse tunneling action allow alarm
      application im yahoo
        service default action allow alarm
        service text-chat action allow alarm
        server permit name scs.msg.yahoo.com
        server permit name scsa.msg.yahoo.com
        server permit name scsb.msg.yahoo.com
        server permit name scsc.msg.yahoo.com
        server permit name scsd.msg.yahoo.com
        server permit name cs16.msg.dcn.yahoo.com
        server permit name cs19.msg.dcn.yahoo.com
        server permit name cs42.msg.dcn.yahoo.com
        server permit name cs53.msg.dcn.yahoo.com
        server permit name cs54.msg.dcn.yahoo.com
        server permit name ads1.vip.scd.yahoo.com
        server permit name radio1.launch.vip.dal.yahoo.com
        server permit name in1.msg.vip.re2.yahoo.com
        server permit name data1.my.vip.sc5.yahoo.com
        server permit name address1.pim.vip.mud.yahoo.com
        server permit name edit.messenger.yahoo.com
        server permit name messenger.yahoo.com
        server permit name http.pager.yahoo.com
        server permit name privacy.yahoo.com
        server permit name csa.yahoo.com
        server permit name csb.yahoo.com
        server permit name csc.yahoo.com
        audit-trail on
    parameter-map type inspect global
    log dropped-packets enable
    multilink bundle-name authenticated
    redundancy
    ip tcp synwait-time 10
    class-map match-any CCP-Transactional-1
    match dscp af21
    match dscp af22
    match dscp af23
    class-map match-any CCP-Voice-1
    match dscp ef
    class-map match-any sdm_p2p_kazaa
    match protocol fasttrack
    match protocol kazaa2
    class-map match-any CCP-Routing-1
    match dscp cs6
    class-map match-any sdm_p2p_edonkey
    match protocol edonkey
    class-map match-any CCP-Signaling-1
    match dscp cs3
    match dscp af31
    class-map match-any sdm_p2p_gnutella
    match protocol gnutella
    class-map match-any CCP-Management-1
    match dscp cs2
    class-map match-any sdm_p2p_bittorrent
    match protocol bittorrent
    policy-map sdm-qos-test-123
    class class-default
    policy-map sdmappfwp2p_CCP_MEDIUM
    class sdm_p2p_edonkey
    class sdm_p2p_gnutella
    class sdm_p2p_kazaa
    class sdm_p2p_bittorrent
    policy-map CCP-QoS-Policy-1
    class sdm_p2p_edonkey
    class sdm_p2p_gnutella
    class sdm_p2p_kazaa
    class sdm_p2p_bittorrent
    class CCP-Voice-1
      priority percent 33
    class CCP-Signaling-1
      bandwidth percent 5
    class CCP-Routing-1
      bandwidth percent 5
    class CCP-Management-1
      bandwidth percent 5
    class CCP-Transactional-1
      bandwidth percent 5
    class class-default
      fair-queue
      random-detect
    crypto ctcp port 10000
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key REMOVED address 62.20.xxx.yyy 
    crypto isakmp key REMOVED address 195.243.xxx.yyy
    crypto isakmp key REMOVED address 195.243.xxx.yyy
    crypto isakmp key REMOVED address 83.140.xxx.yyy  
    crypto isakmp client configuration group VPN_local
    key REMOVED
    dns 10.133.10.5 10.133.10.7
    wins 10.133.10.7
    domain domain.de
    pool SDM_POOL_2
    acl 115
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group VPN_local
       client authentication list ciscocp_vpn_xauth_ml_2
       isakmp authorization list ciscocp_vpn_group_ml_2
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA11
    set isakmp-profile ciscocp-ike-profile-1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to62.20.xxx.xxx
    set peer 62.20.xxx.xxx
    set transform-set ESP-3DES-SHA
    match address 105
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to195.243.xxx.xxx
    set peer 195.243.xxx.xxx
    set transform-set ESP-3DES-SHA4
    match address 107
    crypto map SDM_CMAP_1 3 ipsec-isakmp
    description Tunnel to83.140.xxx.xxx
    set peer 83.140.xxx.xxx
    set transform-set ESP-DES-SHA1
    match address 118
    interface Loopback2
    ip address 192.168.10.1 255.255.254.0
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport mode trunk
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    interface FastEthernet2
    no ip address
    spanning-tree portfast
    interface FastEthernet3
    no ip address
    spanning-tree portfast
    interface FastEthernet4
    description Internal LAN
    switchport access vlan 10
    switchport trunk native vlan 10
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    no ip address
    spanning-tree portfast
    interface FastEthernet8
    description $FW_OUTSIDE$$ETH-WAN$
    ip address 62.153.xxx.xxx 255.255.255.248
    ip access-group 113 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect CCP_MEDIUM out
    no ip virtual-reassembly in
    ip verify unicast reverse-path
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    service-policy input sdmappfwp2p_CCP_MEDIUM
    service-policy output CCP-QoS-Policy-1
    interface Virtual-Template1 type tunnel
    ip unnumbered FastEthernet8
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface GigabitEthernet0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Vlan1
    no ip address
    interface Vlan10
    description $FW_INSIDE$
    ip address 10.133.10.1 255.255.254.0
    ip access-group 112 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation slip
    ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
    ip local pool VPN_Pool 192.168.20.2 192.168.20.100
    ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip forward-protocol nd
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
    ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
    ip access-list extended VPN1
    remark VPN_Haberstrasse
    remark CCP_ACL Category=4
    permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    ip radius source-interface Vlan10
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.7
    access-list 23 remark CCP_ACL Category=17
    access-list 23 permit 195.243.xxx.xxx
    access-list 23 permit 10.133.10.0 0.0.1.255
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 100 remark CCP_ACL Category=4
    access-list 100 permit ip 10.133.10.0 0.0.1.255 any
    access-list 101 remark CCP_ACL Category=16
    access-list 101 permit udp any eq bootps any eq bootpc
    access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   ip any any
    access-list 102 remark auto generated by CCP firewall configuration
    access-list 102 remark CCP_ACL Category=1
    access-list 102 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
    access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
    access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
    access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 102 deny   ip host 255.255.255.255 any
    access-list 102 deny   ip host 0.0.0.0 any
    access-list 102 deny   ip any any log
    access-list 103 remark auto generated by CCP firewall configuration
    access-list 103 remark CCP_ACL Category=1
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
    access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
    access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
    access-list 103 permit esp any host 62.153.xxx.xxx
    access-list 103 permit ahp any host 62.153.xxx.xxx
    access-list 103 permit udp host 194.25.0.60 eq domain any
    access-list 103 permit udp host 194.25.0.68 eq domain any
    access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
    access-list 103 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
    access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
    access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
    access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 103 deny   ip host 255.255.255.255 any
    access-list 103 deny   ip host 0.0.0.0 any
    access-list 103 deny   ip any any log
    access-list 104 remark CCP_ACL Category=4
    access-list 104 permit ip 10.133.10.0 0.0.1.255 any
    access-list 105 remark CCP_ACL Category=4
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
    access-list 106 permit ip 10.10.10.0 0.0.0.7 any
    access-list 106 permit ip 10.133.10.0 0.0.1.255 any
    access-list 107 remark CCP_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 108 remark Auto generated by SDM Management Access feature
    access-list 108 remark CCP_ACL Category=1
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
    access-list 108 deny   tcp any host 10.133.10.1 eq telnet
    access-list 108 deny   tcp any host 10.133.10.1 eq 22
    access-list 108 deny   tcp any host 10.133.10.1 eq www
    access-list 108 deny   tcp any host 10.133.10.1 eq 443
    access-list 108 deny   tcp any host 10.133.10.1 eq cmd
    access-list 108 deny   udp any host 10.133.10.1 eq snmp
    access-list 108 permit ip any any
    access-list 109 remark CCP_ACL Category=1
    access-list 109 permit ip 10.133.10.0 0.0.1.255 any
    access-list 109 permit ip 10.10.10.0 0.0.0.7 any
    access-list 109 permit ip 192.168.10.0 0.0.1.255 any
    access-list 110 remark CCP_ACL Category=1
    access-list 110 permit ip host 195.243.xxx.xxx any
    access-list 110 permit ip host 84.44.xxx.xxx any
    access-list 110 permit ip 10.133.10.0 0.0.1.255 any
    access-list 110 permit ip 10.10.10.0 0.0.0.7 any
    access-list 110 permit ip 192.168.10.0 0.0.1.255 any
    access-list 111 remark CCP_ACL Category=4
    access-list 111 permit ip 10.133.10.0 0.0.1.255 any
    access-list 112 remark CCP_ACL Category=1
    access-list 112 permit udp host 10.133.10.5 eq 1812 any
    access-list 112 permit udp host 10.133.10.5 eq 1813 any
    access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
    access-list 112 permit udp any host 10.133.10.1 eq isakmp
    access-list 112 permit esp any host 10.133.10.1
    access-list 112 permit ahp any host 10.133.10.1
    access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
    access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
    access-list 112 remark auto generated by CCP firewall configuration
    access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
    access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
    access-list 112 permit udp host 10.133.10.7 eq domain any
    access-list 112 permit udp host 10.133.10.5 eq domain any
    access-list 112 deny   ip 62.153.xxx.xxx 0.0.0.7 any
    access-list 112 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 112 deny   ip host 255.255.255.255 any
    access-list 112 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 112 permit ip any any
    access-list 113 remark CCP_ACL Category=1
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
    access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
    access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
    access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
    access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
    access-list 113 remark auto generated by CCP firewall configuration
    access-list 113 permit udp host 194.25.0.60 eq domain any
    access-list 113 permit udp host 194.25.0.68 eq domain any
    access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
    access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
    access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
    access-list 113 permit esp any host 62.153.xxx.xxx
    access-list 113 permit ahp any host 62.153.xxx.xxx
    access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
    access-list 113 remark Pop3
    access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
    access-list 113 remark Pop3
    access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
    access-list 113 remark SMTP
    access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
    access-list 113 remark IMAP
    access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
    access-list 113 deny   ip 10.133.10.0 0.0.1.255 any
    access-list 113 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
    access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
    access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
    access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 113 deny   ip host 255.255.255.255 any
    access-list 113 deny   ip host 0.0.0.0 any
    access-list 113 deny   ip any any log
    access-list 114 remark auto generated by CCP firewall configuration
    access-list 114 remark CCP_ACL Category=1
    access-list 114 deny   ip 10.133.10.0 0.0.1.255 any
    access-list 114 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 114 permit icmp any any echo-reply
    access-list 114 permit icmp any any time-exceeded
    access-list 114 permit icmp any any unreachable
    access-list 114 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 114 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 114 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 114 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 114 deny   ip host 255.255.255.255 any
    access-list 114 deny   ip host 0.0.0.0 any
    access-list 114 deny   ip any any log
    access-list 115 remark VPN_Sub
    access-list 115 remark CCP_ACL Category=5
    access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
    access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
    access-list 115 permit ip 10.133.20.0 0.0.0.255 any
    access-list 116 remark CCP_ACL Category=4
    access-list 116 remark IPSec Rule
    access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 117 remark CCP_ACL Category=4
    access-list 117 remark IPSec Rule
    access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 118 remark CCP_ACL Category=4
    access-list 118 remark IPSec Rule
    access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 118 remark IPSec Rule
    access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 106
    control-plane
    mgcp profile default
    line con 0
    transport output telnet
    line 1
    modem InOut
    speed 115200
    flowcontrol hardware
    line aux 0
    transport output telnet
    line vty 0 4
    session-timeout 45
    access-class 110 in
    transport input telnet ssh
    line vty 5 15
    access-class 109 in
    transport input telnet ssh
    scheduler interval 500
    end

    The crypto ACL for the site-to-site VPN should also include the VPN client pool; otherwise, traffic from the VPN client does not match the interesting traffic for the site-to-site VPN.
    On Site A:
    should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
    You should also remove the following line as the pool is incorrect:
    access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    On Site B:
    should include: "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
    NAT exemption on site B should also be configured with deny on the above ACL.
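The check described in the reply above, as an added example that is not part of the original thread: it parses crypto ACL 107 as posted, tests whether traffic from the `SDM_POOL_2` client range to 10.133.34.0/23 matches it, and derives the mirrored Site B entry. The function names are assumptions of this example; the ACL lines and pool range are copied from the posted configuration, and only `ip` entries with contiguous wildcards are handled.

```python
import ipaddress

# ACL 107 and the client pool, copied from the Site A configuration above.
SITE_A_ACL_107 = """\
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
"""
POOL = ("172.16.100.2", "172.16.100.100")        # ip local pool SDM_POOL_2
REMOTE_LAN = ipaddress.ip_network("10.133.34.0/23")
# Entry the reply says to add on Site A.
SUGGESTED = "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"


def wildcard_net(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                 # only 0..01..1 wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - wc.bit_length()))


def take_endpoint(tokens):
    """Consume 'any', 'host A' or 'A W' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_net(first, tokens.pop(0))


def parse_acl(text):
    """Return [(action, src, dst)] for 'permit|deny ip' entries, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        if tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            continue                  # remarks and non-ip entries are skipped
        rest = tokens[4:]
        src = take_endpoint(rest)
        dst = take_endpoint(rest)
        entries.append((tokens[2], src, dst))
    return entries


def flow_is_interesting(entries, src, dst):
    """First-match evaluation; a flow only partly inside an entry is treated
    as not matching it, and no match at all means the implicit deny."""
    for action, e_src, e_dst in entries:
        if src.subnet_of(e_src) and dst.subnet_of(e_dst):
            return action == "permit"
    return False


def pool_blocks(first, last):
    """Smallest set of CIDR blocks that exactly covers the pool range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def uncovered(entries, pool, dst):
    """Pool blocks whose traffic to dst would not match the crypto ACL."""
    return [b for b in pool_blocks(*pool)
            if not flow_is_interesting(entries, b, dst)]


def mirror_line(entry):
    """Peer-side entry: same action with source and destination swapped."""
    action, src, dst = entry

    def fmt(net):
        return f"{net.network_address} {net.hostmask}"
    return f"{action} ip {fmt(dst)} {fmt(src)}"


if __name__ == "__main__":
    before = parse_acl(SITE_A_ACL_107)
    after = parse_acl(SITE_A_ACL_107 + SUGGESTED + "\n")
    print("uncovered pool blocks as posted:", uncovered(before, POOL, REMOTE_LAN))
    print("uncovered after the added entry:", uncovered(after, POOL, REMOTE_LAN))
    print("mirror for Site B:", mirror_line(after[-1]))
```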

  • Network LAN Setup Help

    I have a Cisco 891 router and 3 unmanaged switches that I would like to use to segment my small office network into 3 VLAN groups to help reduce the current bottleneck we are having in our network. From everything I read, I should be able to set up 3 VLANs on the router and pick 3 out of the 8 ports on the router to be switchports for each of the 3 VLANs, and each of the 3 switches would connect to those.
    My question is, when I set up the VLAN I cannot access the internet, though the initial VLAN 1, which currently has all our office computers sharing 1 switch and 1 VLAN, works fine. Any ideas? Is segmenting our network via 3 switches and 3 VLANs going to help with overall bandwidth?
    My last question is, what are the proper steps to set up each VLAN on the router so I can access the internet with them and achieve the increased bandwidth through segmenting each office group?
    I am new to Cisco routers, so any help you can give me would be great.

    Thanks for your help. I think I've helped myself on the bandwidth end by splitting up my office onto 3 switches, but still using 1 VLAN. Before, we had 16 people using 1 100Mbps link to the router, which was at times getting maxed. Now I have it split across 3. But for security reasons with accounting and such, I still want to set up 3 VLANs. Here is the version information on the router:
    Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 12.4(22)YB, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Tue 27-Jan-09 02:48 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB3, RELEASE SOFTWARE (fc1)
    yourname uptime is 3 days, 5 hours, 24 minutes
    System returned to ROM by reload at 10:18:03 PCTime Fri Oct 8 2010
    System image file is "flash:c890-universalk9-mz.124-22.YB.bin"
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    Cisco 891 (MPC8300) processor (revision 1.0) with 498688K/25600K bytes of memory.
    Processor board ID FTX134680PV
    9 FastEthernet interfaces
    1 Gigabit Ethernet interface
    1 Serial interface
    1 terminal line
    256K bytes of non-volatile configuration memory.
    250880K bytes of ATA CompactFlash (Read/Write)
    License Information for 'c890'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Configuration register is 0x2102
    Current configuration : 12609 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname yourname
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 ***********************
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authentication login ciscocp_vpn_xauth_ml_3 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-2084037767
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2084037767
    revocation-check none
    rsakeypair TP-self-signed-2084037767
    crypto pki certificate chain TP-self-signed-2084037767
    certificate self-signed 01
            quit
    no ip source-route
    ip dhcp pool data-vlan-10
       import all
       network 10.10.10.0 255.255.255.0
       dns-server *****************(OUTSIDE IP)
       default-router 10.10.10.1
    ip cef
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server *****************(OUTSIDE IP)
    ip name-server *****************(OUTSIDE IP)
    ip port-map user-protocol--1 port tcp 3389
    no ipv6 cef
    multilink bundle-name authenticated
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group Everyone
    key *********
    crypto isakmp client configuration group user
    key **********
    pool SDM_POOL_1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ctcp port 10000
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-nat-user-protocol--1-1
    match access-group 102
    match protocol user-protocol--1
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any SDM_WEBVPN
    match access-group name SDM_WEBVPN
    class-map type inspect match-all SDM_WEBVPN_TRAFFIC
    match class-map SDM_WEBVPN
    match access-group 103
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map match-any CCP-Transactional-1
    match  dscp af21
    match  dscp af22
    match  dscp af23
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map match-any CCP-Voice-1
    match  dscp ef
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map match-any CCP-Routing-1
    match  dscp cs6
    class-map match-any CCP-Signaling-1
    match  dscp cs3
    match  dscp af31
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map match-any CCP-Management-1
    match  dscp cs2
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 101
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map CCP-QoS-Policy-1
    class CCP-Voice-1
        priority percent 33
    class CCP-Signaling-1
        bandwidth percent 5
    class CCP-Routing-1
        bandwidth percent 5
    class CCP-Management-1
        bandwidth percent 5
    class CCP-Transactional-1
        bandwidth percent 5
    class class-default
        fair-queue
         random-detect
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat-user-protocol--1-1
      inspect
    class class-default
      drop
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_WEBVPN_TRAFFIC
      inspect
    class class-default
      drop
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    interface Loopback0
    description Do not delete - SDM WebVPN generated interface
    ip address 192.168.1.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    interface Null0
    no ip unreachables
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    interface FastEthernet5
    interface FastEthernet6
    interface FastEthernet7
    interface FastEthernet8
    description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
    ip address *****************(OUTSIDE IP) 255.255.255.248
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex full
    speed 100
    snmp trap ip verify drop-rate
    service-policy output CCP-QoS-Policy-1
    interface GigabitEthernet0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    duplex auto
    speed auto
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation slip
    ip local pool SDM_POOL_1 10.10.10.50 10.10.10.60
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 *****************(OUTSIDE IP) 2
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 10
    sort-by bytes
    cache-timeout 6000
    ip nat inside source list 100 interface FastEthernet8 overload
    ip nat inside source static tcp 10.10.10.71 3389 interface FastEthernet8 3389
    ip nat inside source static tcp 192.168.1.1 443 *****************(OUTSIDE IP) 4443 extendable
    ip access-list extended SDM_WEBVPN
    remark CCP_ACL Category=1
    permit tcp any any eq 443
    logging trap debugging
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 permit ip**********************(OUTSIDE IP) 0.0.0.7 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.10.10.71
    access-list 103 remark CCP_ACL Category=128
    access-list 103 permit ip any host *****************(OUTSIDE IP)
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you want to
    use.
    ^C
    banner login ^C
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
    CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser> privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
    TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
    transport output telnet
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    webvpn gateway gateway_1
    ip address 72.242.1.187 port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-2084037767
    inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SDM_POOL_1"
       svc keep-client-installed
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_3
    gateway gateway_1 domain pwvpn
    inservice
    end
    So that's the config right now. I have not added the VLANs yet, because when I did it shut down all our network, so I went back to our working config. So if you can tell me what steps I need to set up the VLANs, that would be great. I need to start another thread about VPNs, because I can't get our VPN working either, but that's another story.

  • Cisco 2811 - Multiple SIP with CME 8.6

    PLAN:
    Configure two SIP providers with my Cisco ISR 2811 using CME 8.6
    sip.fongo.com
    sip.voicediscount.com
    All incoming and local outgoing calls using fongo, while long distance & international via voipdiscount.
    I have successfully got the fongo.com service to work for both incoming and outgoing calls; however, when I try long distance & international calls I get a busy tone.
    Any help will be appreciated since I've had no luck.
    CONFIG:
    BNET01C2811-TOR1807#sh run
    Building configuration...
    Current configuration : 19512 bytes
    ! Last configuration change at 21:48:40 EDT Sat Oct 27 2012 by garrett
    ! NVRAM config last updated at 21:50:55 EDT Sat Oct 27 2012 by garrett
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname BNET01C2811-TOR1807
    boot-start-marker
    boot system flash:c2800nm-adventerprisek9-mz.151-4.m5.bin
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/0
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 $1$r/t3$A3xgJf.ngqbUq.sDiNC4O0
    no aaa new-model
    clock timezone EST -4 0
    clock summer-time EDT recurring
    clock calendar-valid
    dot11 syslog
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.15.0.0 10.15.0.20
    ip dhcp pool TOR-1807WEBB
    network 10.15.0.0 255.255.255.0
    default-router 10.15.0.15
    dns-server 64.71.255.198
    option 150 ip 10.15.0.15
    no ip bootp server
    ip domain name bayross.net
    ip name-server 64.71.255.198
    ip ddns update method sdm_ddns1
    HTTP
      add http://bayross:******@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
      remove http://bayross:********@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
    interval maximum 1 1 0 0
    interval minimum 1 1 0 0
    no ipv6 cef
    multilink bundle-name authenticated
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    voice service voip
    ip address trusted list
      ipv4 46.19.209.10
      ipv4 46.19.209.11
      ipv4 46.19.209.12
      ipv4 46.19.209.13
      ipv4 46.19.209.14
      ipv4 46.19.209.15
      ipv4 46.19.209.75
      ipv4 46.19.209.76
      ipv4 46.19.209.77
      ipv4 46.19.209.78
      ipv4 46.19.209.79
      ipv4 46.19.209.80
      ipv4 46.19.210.10
      ipv4 46.19.210.11
      ipv4 46.19.210.12
      ipv4 46.19.210.13
      ipv4 46.19.210.14
      ipv4 46.19.210.15
      ipv4 46.19.210.75
      ipv4 46.19.210.76
      ipv4 46.19.210.77
      ipv4 46.19.210.78
      ipv4 46.19.210.79
      ipv4 46.19.210.80
      ipv4 81.85.224.40
      ipv4 81.85.224.41
      ipv4 212.150.88.21
      ipv4 212.150.88.23
      ipv4 212.150.88.24
      ipv4 208.65.240.165
      ipv4 0.0.0.0 0.0.0.0
    allow-connections h323 to h323
    allow-connections h323 to sip
    allow-connections sip to h323
    allow-connections sip to sip
    supplementary-service h450.12
    redirect ip2ip
    fax protocol pass-through g711ulaw
    h323
      no h225 timeout keepalive
    voice class codec 1
    codec preference 1 g711ulaw
    codec preference 2 g711alaw
    voice register global
    mode cme
    source-address 10.15.0.15 port 5060
    max-dn 100
    max-pool 25
    tftp-path flash:
    create profile sync 0002145265491175
    camera
    voice translation-rule 2
    rule 1 /9905+/ /905/
    rule 2 /9416+/ /416/
    rule 3 /9647+/ /647/
    voice translation-rule 4
    rule 1 /91+/ /1/
    voice translation-rule 5
    rule 1 /9011+/ /011/
    voice translation-rule 7
    rule 1 /1011/ /16472473297/
    voice translation-rule 911
    rule 1 /111/ /6473385738/
    voice translation-rule 2473297
    rule 1 /16472473297/ /1011/
    voice translation-profile Caller-ID
    translate calling 7
    voice translation-profile Emergency
    translate called 911
    voice translation-profile Incoming
    translate called 2473297
    voice translation-profile International
    translate calling 7
    translate called 5
    voice translation-profile Local
    translate calling 7
    translate called 2
    voice translation-profile LongDistance
    translate calling 7
    translate called 4
    voice-card 0
    dsp services dspfarm
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-21053818
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-21053818
    revocation-check none
    rsakeypair TP-self-signed-21053818
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
    subject-name [email protected]
    revocation-check crl
    crypto pki certificate chain TP-self-signed-21053818
    certificate self-signed 01
            quit
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    license udi pid CISCO2811 sn FHK1041F27M
    username garrett privilege 15 password 7 070D000000094C50
    redundancy
    ip tcp synwait-time 10
    no ip ftp passive
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map match-any CCP-Transactional-1
    match  dscp af21
    match  dscp af22
    match  dscp af23
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map match-any CCP-Voice-1
    match  dscp ef
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map match-any CCP-Routing-1
    match  dscp cs6
    class-map match-any CCP-Signaling-1
    match  dscp cs3
    match  dscp af31
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map match-any CCP-Management-1
    match  dscp cs2
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map CCP-QoS-Policy-1
    class CCP-Voice-1
      priority percent 33
    class CCP-Signaling-1
      bandwidth percent 5
    class CCP-Routing-1
      bandwidth percent 5
    class CCP-Management-1
      bandwidth percent 5
    class CCP-Transactional-1
      bandwidth percent 5
    class class-default
      fair-queue
      random-detect
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
      pass
    class type inspect ccp-sip-inspect
      pass
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map sdm-qos-test-123
    class class-default
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      pass
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_DHCP_CLIENT_PT
      pass
    class type inspect ccp-sip-inspect
      pass
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    interface Null0
    no ip unreachables
    interface FastEthernet0/0
    description $ES_LAN$$FW_INSIDE$
    ip address 10.15.0.15 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    duplex full
    speed auto
    no mop enabled
    interface FastEthernet0/1
    description $FW_OUTSIDE$$ETH-WAN$
    ip dhcp client update dns server none
    ip ddns update sdm_ddns1
    ip address dhcp client-id FastEthernet0/1 hostname bayross.net
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    duplex auto
    speed auto
    no mop enabled
    service-policy output CCP-QoS-Policy-1
    interface FastEthernet0/2/0
    no ip address
    shutdown
    interface FastEthernet0/2/1
    no ip address
    shutdown
    interface FastEthernet0/2/2
    no ip address
    shutdown
    interface FastEthernet0/2/3
    no ip address
    shutdown
    interface Vlan1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http path flash:
    ip flow-top-talkers
    top 10
    sort-by bytes
    cache-timeout 60000
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    logging trap debugging
    access-list 1 remark INSIDE_IF=FastEthernet0/0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.15.0.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 10.15.0.0 0.0.0.255
    access-list 2 deny   any
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    no cdp run
    tftp-server flash:term41.default.loads alias term41.default.loads
    tftp-server flash:term61.default.loads alias term61.default.loads
    tftp-server flash:Analog1.raw
    tftp-server flash:Analog2.raw
    tftp-server flash:AreYouThere.raw
    tftp-server flash:AreYouThereF.raw
    tftp-server flash:Bass.raw
    tftp-server flash:CallBack.raw
    tftp-server flash:Chime.raw
    tftp-server flash:Classic1.raw
    tftp-server flash:Classic2.raw
    tftp-server flash:ClockShop.raw
    tftp-server flash:DistinctiveRingList.xml
    tftp-server flash:Drums1.raw
    tftp-server flash:Drums2.raw
    tftp-server flash:FilmScore.raw
    tftp-server flash:HarpSynth.raw
    tftp-server flash:Jamaica.raw
    tftp-server flash:KotoEffect.raw
    tftp-server flash:MusicBox.raw
    tftp-server flash:Piano1.raw
    tftp-server flash:Piano2.raw
    tftp-server flash:Pop.raw
    tftp-server flash:Pulse1.raw
    tftp-server flash:Ring1.raw
    tftp-server flash:Ring2.raw
    tftp-server flash:Ring3.raw
    tftp-server flash:Ring4.raw
    tftp-server flash:Ring5.raw
    tftp-server flash:Ring6.raw
    tftp-server flash:Ring7.raw
    tftp-server flash:RingList.xml
    tftp-server flash:Sax1.raw
    tftp-server flash:Sax2.raw
    tftp-server flash:Vibe.raw
    tftp-server flash:P00308010200.bin alias P00308010200.bin
    control-plane
    voice-port 0/1/0
    voice-port 0/1/1
    voice-port 0/1/2
    voice-port 0/1/3
    voice-port 0/3/0
    caller-id enable
    voice-port 0/3/1
    caller-id enable
    mgcp profile default
    sccp local FastEthernet0/0
    sccp ccm 10.15.0.15 identifier 1 version 4.0
    sccp
    sccp ccm group 1
    associate ccm 1 priority 1
    associate profile 2 register confprof2
    dspfarm profile 1 transcode
    codec g711ulaw
    codec g711alaw
    codec g729ar8
    codec g729abr8
    maximum sessions 20
    shutdown
    dspfarm profile 2 conference
    codec g711ulaw
    codec g711alaw
    maximum sessions 5
    associate application SCCP
    dial-peer cor custom
    name Main1_10Digit
    name Main1_11Digit
    dial-peer cor list Main1-11Digit
    member Main1_11Digit
    dial-peer cor list Main1-Line
    member Main1_10Digit
    member Main1_11Digit
    dial-peer voice 1 voip
    description ## INCOMING - DIDWW - 16472584731 ##
    session protocol sipv2
    session target sip-server
    session transport udp
    incoming called-number 16472584731
    dtmf-relay rtp-nte
    codec g711ulaw
    no vad
    dial-peer voice 2003 pots
    description #### INCOMING INTERFACE 0/3/1 ####
    destination-pattern 16472584731
    incoming called-number 16472584731
    port 0/3/1
    dial-peer voice 1000 pots
    description #### KITCHEN ####
    destination-pattern 1000
    port 0/3/0
    dial-peer voice 1003 pots
    description #### MASTER BEDROOM ####
    destination-pattern 1003
    port 0/3/1
    dial-peer voice 10 voip
    corlist outgoing Main1-11Digit
    description Main1 11-Digit Outgoing
    translation-profile outgoing LongDistance
    destination-pattern 91..........
    session protocol sipv2
    session target dns:sip.voipdiscount.com
    session transport udp
    dtmf-relay rtp-nte sip-notify
    codec g711ulaw
    no vad
    dial-peer voice 11 voip
    corlist outgoing Main1-Line
    translation-profile incoming Incoming
    translation-profile outgoing Local
    destination-pattern 9[^1]..[2-9]......
    session protocol sipv2
    session target dns:sip.fongo.com
    incoming called-number .
    dtmf-relay rtp-nte
    codec g711ulaw
    no vad
    dial-peer voice 12 voip
    translation-profile outgoing International
    destination-pattern 9011T
    session protocol sipv2
    session target dns:sip.voipdiscount.com
    dtmf-relay rtp-nte
    codec g711ulaw
    no vad
    dial-peer voice 911 voip
    translation-profile outgoing Emergency
    destination-pattern 111
    session protocol sipv2
    session target dns:sip.fongo.com
    dtmf-relay rtp-nte
    codec g711ulaw
    no vad
    gateway
    timer receive-rtp 1200
    sip-ua
    credentials username 37373737373 password 7 00000000000000000000 realm sip.fongo.com
    credentials username username password 7 00000000000000000000 realm sip.voipdiscount.com
    authentication username username password 7 0000000000000000000000000 realm sip.voipdiscount.com
    no remote-party-id
    srv version 1
    retry invite 3
    retry register 10
    timers register 150
    registrar 1 dns:sip.voipdiscount.com expires 3600
    registrar 2 dns:sip.fongo.com expires 3600
    sip-server dns:sip.voipdiscount.com
    host-registrar
    telephony-service
    sdspfarm units 1
    sdspfarm transcode sessions 5
    sdspfarm tag 1 confprof2
    conference hardware
    no auto-reg-ephone
    max-ephones 25
    max-dn 100
    ip source-address 10.15.0.15 port 2000
    system message Bayross Residence
    cnf-file location flash:
    user-locale US load CME-locale-en_US-English-7.0.1.1.tar
    load 7960-7940 P00308010200.loads
    load 7941 SCCP41.9-1-1SR1S.loads
    load 7941GE SCCP41.9-1-1SR1S.loads
    load 7961 SCCP41.9-1-1SR1S.loads
    load 7961GE SCCP41.9-1-1SR1S.loads
    time-zone 12
    max-conferences 8 gain -6
    moh flash:/music-on-hold.au
    web admin system name garrett secret 5 $1$MjiP$KMQoyqL/3mnftN0OLqs8b1
    time-webedit
    transfer-system full-consult
    secondary-dialtone 9
    create cnf-files version-stamp 7960 Oct 26 2012 19:53:22
    ephone-dn  2  octo-line
    number A001
    conference ad-hoc
    preference 3
    ephone-dn  3  octo-line
    number A002
    conference ad-hoc
    preference 3
    ephone-dn  4  octo-line
    number A003
    conference ad-hoc
    preference 3
    ephone-dn  5  octo-line
    number A004
    conference ad-hoc
    preference 3
    ephone-dn  6  octo-line
    number A005
    conference ad-hoc
    preference 3
    ephone-dn  11  dual-line
    number 1011 secondary 16472473297 no-reg both
    corlist incoming Main1-Line
    ephone-dn  12  dual-line
    number 1012
    label Garrett Bayross
    name Garrett Bayross
    corlist incoming Main1-Line
    ephone  1
    no multicast-moh
    device-security-mode none
    mac-address F04D.A28C.CBAC
    mtp
    type CIPC
    button  1:11
    ephone  2
    device-security-mode none
    mac-address 0016.4697.A472
    type 7940
    button  1:12
    banner login ^CBayross.NET Network
    ^C
    banner motd ^C
    line con 0
    logging synchronous
    line aux 0
    line vty 0 4
    login local
    transport input all
    transport output all
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 128.100.100.128 prefer source FastEthernet0/1
    end

    DEBUG OUTPUT:
    login as: garrett
    Bayross.NET Network
    Using keyboard-interactive authentication.
    Password:
    ------------- LEGAL NOTICE ----------------
    --      THIS IS A PRIVATE SYSTEM         --
    --  UNAUTHORIZED ACCESS IS PROHIBITED    --
    --      CECI EST UN SYSTEME PRIVE        --
    --  TOUT ACCES NON AUTORISE EST INTERDIT --
    BNET01C2811-TOR1807#deb
    BNET01C2811-TOR1807#debug ccsip all
    This may severely impact system performance. Continue? [confirm]
    All SIP Call tracing is enabled
    BNET01C2811-TOR1807#term mon
    BNET01C2811-TOR1807#REGISTER sip:sip.voipdiscount.com:5060 SIP/2.0
    Via: SIP/2.0/UDP 99.230.172.76:5060;branch=z9hG4bKED020B5
    From: [email protected]>;tag=59BB550-3A6
    To: [email protected]>
    Date: Sun, 28 Oct 2012 00:51:43 GMT
    Call-ID: C977B084-1FCE11E2-81A4A3AB-85AB6D24
    User-Agent: Cisco-SIPGateway/IOS-12.x
    Max-Forwards: 70
    Timestamp: 1351385503
    CSeq: 5 REGISTER
    Contact:
    Expires:  3600
    Supported: path
    Content-Length: 0
    1859402: Oct 27 21:51:47.834 EDT: //-1/xxxxxxxxxxxx/SIP/Info/sipSPISetDateHeader: Converting TimeZone EDT to SIP default timezone = GMT
    1859403: Oct 27 21:51:47.834 EDT: //3542/000000000000/SIP/Info/sipSPISendRegister: Associated container=0x4E3C18B0 to Register
    1859404: Oct 27 21:51:47.834 EDT: //3542/000000000000/SIP/Transport/sipSPISendRegister: Sending REGISTER to the transport layer
    1859405: Oct 27 21:51:47.834 EDT: //3542/000000000000/SIP/Transport/sipSPIGetSwitchTransportFlag: Return the Global configuration, Switch Transport is FALSE
    1859406: Oct 27 21:51:47.834 EDT: //3542/000000000000/SIP/Transport/sipSPITransportSendMessage: msg=0x4CCD8DC8, addr=77.72.169.134, port=5060, sentBy_port=0, local_addr=, is_req=1, transport=1, switch=0, callBack=0x0
    1859407: Oct 27 21:51:47.834 EDT: //3542/000000000000/SIP/Transport/sipSPITransportSendMessage: Proceedable for sending msg immediately
    1859408: Oct 27 21:51:47.834 EDT: //3542/000000000000/SIP/Transport/sipTransportLogicSendMsg: switch transport is 0
    1859409: Oct 27 21:51:47.834 EDT: //-1/xxxxxxxxxxxx/SIP/Transport/sipConnectionManagerGetConnection: connection required for raddr:77.72.169.134, rport:5060 with laddr:
    1859410: Oct 27 21:51:47.834 EDT: //3542/000000000000/SIP/Transport/sipTransportLogicSendMsg: Set to send the msg=0x4CCD8DC8
    1859411: Oct 27 21:51:47.834 EDT: //-1/xxxxxxxxxxxx/SIP/Transport/sipTransportPostSendMessage: Posting send for msg=0x4CCD8DC8, addr=77.72.169.134, port=5060, local_addr=, connId=4 for UDP
    1859412: Oct 27 21:51:47.838 EDT: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
    Sent:
    REGISTER sip:sip.voipdiscount.com:5060 SIP/2.0
    Via: SIP/2.0/UDP 99.230.172.76:5060;branch=z9hG4bKED020B5
    From: [email protected]>;tag=59BB550-3A6
    To: [email protected]>
    Date: Sun, 28 Oct 2012 00:51:47 GMT
    Call-ID: C977B084-1FCE11E2-81A4A3AB-85AB6D24
    User-Agent: Cisco-SIPGateway/IOS-12.x
    Max-Forwards: 70
    Timestamp: 1351385507
    CSeq: 5 REGISTER
    Contact:
    Expires:  3600
    Supported: path
    Content-Length: 0
    1859413: Oct 27 21:51:51.834 EDT: //-1/xxxxxxxxxxxx/SIP/Info/sipSPISetDateHeader: Converting TimeZone EDT to SIP default timezone = GMT
    1859414: Oct 27 21:51:51.834 EDT: //3542/000000000000/SIP/Info/sipSPISendRegister: Associated container=0x4E3C18B0 to Register
    1859415: Oct 27 21:51:51.834 EDT: //3542/000000000000/SIP/Transport/sipSPISendRegister: Sending REGISTER to the transport layer
    1859416: Oct 27 21:51:51.834 EDT: //3542/000000000000/SIP/Transport/sipSPIGetSwitchTransportFlag: Return the Global configuration, Switch Transport is FALSE
    1859417: Oct 27 21:51:51.834 EDT: //3542/000000000000/SIP/Transport/sipSPITransportSendMessage: msg=0x4CCD8DC8, addr=77.72.169.134, port=5060, sentBy_port=0, local_addr=, is_req=1, transport=1, switch=0, callBack=0x0
    1859418: Oct 27 21:51:51.834 EDT: //3542/000000000000/SIP/Transport/sipSPITransportSendMessage: Proceedable for sending msg immediately
    1859419: Oct 27 21:51:51.838 EDT: //3542/000000000000/SIP/Transport/sipTransportLogicSendMsg: switch transport is 0
    1859420: Oct 27 21:51:51.838 EDT: //-1/xxxxxxxxxxxx/SIP/Transport/sipConnectionManagerGetConnection: connection required for raddr:77.72.169.134, rport:5060 with laddr:
    1859421: Oct 27 21:51:51.838 EDT: //3542/000000000000/SIP/Transport/sipTransportLogicSendMsg: Set to send the msg=0x4CCD8DC8
    1859422: Oct 27 21:51:51.838 EDT: //-1/xxxxxxxxxxxx/SIP/Transport/sipTransportPostSendMessage: Posting send for msg=0x4CCD8DC8, addr=77.72.169.134, port=5060, local_addr=, connId=4 for UDP
    1859423: Oct 27 21:51:51.842 EDT: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
    Sent:
    REGISTER sip:sip.voipdiscount.com:5060 SIP/2.0
    Via: SIP/2.0/UDP 99.230.172.76:5060;branch=z9hG4bKED020B5
    From: [email protected]>;tag=59BB550-3A6
    To: [email protected]>
    Date: Sun, 28 Oct 2012 00:51:51 GMT
    Call-ID: C977B084-1FCE11E2-81A4A3AB-85AB6D24
    User-Agent: Cisco-SIPGateway/IOS-12.x
    Max-Forwards: 70
    Timestamp: 1351385511
    CSeq: 5 REGISTER
    Contact:
    Expires:  3600
    Supported: path
    Content-Length: 0
    1859424: Oct 27 21:51:55.834 EDT: //-1/xxxxxxxxxxxx/SIP/Info/sipSPISetDateHeader: Converting TimeZone EDT to SIP default timezone = GMT
    1859425: Oct 27 21:51:55.834 EDT: //3542/000000000000/SIP/Info/sipSPISendRegister: Associated container=0x4E3C18B0 to Register
    1859426: Oct 27 21:51:55.834 EDT: //3542/000000000000/SIP/Transport/sipSPISendRegister: Sending REGISTER to the transport layer
    1859427: Oct 27 21:51:55.834 EDT: //3542/000000000000/SIP/Transport/sipSPIGetSwitchTransportFlag: Return the Global configuration, Switch Transport is FALSE
    1859428: Oct 27 21:51:55.834 EDT: //3542/000000000000/SIP/Transport/sipSPITransportSendMessage: msg=0x4CCD8DC8, addr=77.72.169.134, port=5060, sentBy_port=0, local_addr=, is_req=1, transport=1, switch=0, callBack=0x0
    1859429: Oct 27 21:51:55.834 EDT: //3542/000000000000/SIP/Transport/sipSPITransportSendMessage: Proceedable for sending msg immediately
    1859430: Oct 27 21:51:55.834 EDT: //3542/000000000000/SIP/Transport/sipTransportLogicSendMsg: switch transport is 0

  • QoS Trust

    Hi,
    I just want to confirm the best practice with CUCM and LAN QoS. I have a CUCM 10.5 cluster attached to a 4948 edge. CUCM is marking all signalling traffic with the appropriate DSCP markings. Therefore I assume all that is required on the LAN is to trust the QoS/DSCP markings?
    An example edge port with AutoQoS to a CUCM Subscriber:
    *The key command being 'auto qos voip trust'
    *This switch port is connected to a UCS C-Series
    SWITCH#sh run int Gig 1/47
    Building configuration...
    Current configuration : 285 bytes
    interface GigabitEthernet1/47
     description CUCM_SUB
     switchport trunk encapsulation dot1q
     switchport mode trunk
     media-type rj45
     qos trust cos
     auto qos voip trust
     tx-queue 3
       bandwidth percent 33
       priority high
       shape percent 33
     service-policy output autoqos-voip-policy
    end
    All uplinks in the LAN also have the same 'auto qos voip trust' command set. So we should have 'end to end' QoS in the LAN?
    Edge ports to IP Phones are set as 'auto qos voip cisco-phone'.
    Thanks!
    Dean

    Thank you for your response.
    Yes, you're right there, but the problem is that if an incoming packet has a DSCP value of 0 (not marked), then it should be remarked, and only then. Therefore I need the trust dscp command as shown in the IOS CLI configuration segment I posted; otherwise the incoming packet is remarked no matter what DSCP value it has. I haven't found another way yet to solve this without the trust dscp command.

  • QoS problem

    Hi everyone,
    I've got a problem. I read the Cisco QoS book, but it doesn't work for me.
    I want to do what so many others do: reserve bandwidth for some specific traffic. But if I test the config, every flow gets the same bandwidth.
    I transmit a 100 MB file each from 2 PCs, one with a matching IP and one with a non-matching IP. TeraCopy shows me a bandwidth of 1,3 MB/s for each, and if I look at the folder, the files arrive at nearly the same time.
    IOS (tm) C2600 Software (C2600-I-M), Version 12.2(19), RELEASE SOFTWARE (fc3)
    Standard IP access list it-intern
        permit x.x.x.x (125133 matches)
        permit x.x.x.x (60651 matches)
        permit x.x.x.x, wildcard bits 0.0.0.255 (905968 matches)
    Class Map match-any class-default (id 0)
       Match any
    Class Map match-any not-it-intern (id 1)
       Match not access-group name it-intern
      Policy Map cbwfq
        Class not-it-intern
          Bandwidth 70 (%) Max Threshold 64 (packets)
    interface FastEthernet0/1
    description # 20 MBit #
    bandwidth 20000
    ip address x.x.x.x x.x.x.x
    service-policy output cbwfq
    ip route-cache flow
    no ip mroute-cache
    duplex auto
    speed auto
    If I make:
    ciscoHV3#sh pol int
    FastEthernet0/1
      Service-policy output: cbwfq
        Class-map: not-it-intern (match-any)
          11127978 packets, 4292340182 bytes
          5 minute offered rate 4422000 bps, drop rate 0 bps
          Match: not access-group name it-intern
            11127962 packets, 4292327891 bytes
            5 minute rate 4422000 bps
          Queueing
            Output Queue: Conversation 265
            Bandwidth 70 (%) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 111155/27836979
            (depth/total drops/no-buffer drops) 0/0/0
        Class-map: class-default (match-any)
          827815 packets, 919625061 bytes
          5 minute offered rate 2911000 bps, drop rate 0 bps
          Match: any
    - I can see that packets were matched.
    I fall in despair, please help.

    I've got a WAN connection, which is connected via FastEthernet to the router. The ISP guarantees 20 Mbit/s. There are 2 IPs and 1 subnet that got low priority. So I created a class that does "not" match that access group. The remaining traffic should get a minimum of 70% of the bandwidth.
    If I understand you, I only get congestion if I would use the physical interface speed (100 Mbit/s), and only in this case can I use the bandwidth commands.
    But would a config like this work?:
    Policy-Map cbwfq
     Class not-it-intern
      Bandwidth percent 70
    Policy-Map police-all
     Class class-default
      police cir 20000000
      service-policy cbwfq
    interface FastEthernet0/1
     description # 20 MBit #
     bandwidth 20000
     ip address x.x.x.x x.x.x.x
     service-policy output police-all
     ip route-cache flow
     no ip mroute-cache
     duplex auto
     speed auto
    I don't want to use shaping; that's currently how I limit the traffic for the sources of the ACL (it-intern). But shaping stresses the router a little bit too much and, as I said, I don't want to limit, I want to guarantee a minimum of traffic.
    By the way, thanks a lot for your help until now.
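
A `bandwidth` guarantee in a CBWFQ class only changes the outcome while the output queue is actually backing up, and the counters quoted in the first post show whether that is happening. The following is an added example, not part of the original posts: it parses that `sh pol int` output and compares offered load with the configured `bandwidth 20000` and the 100 Mbit/s physical speed mentioned in the follow-up; the function names `parse_policy` and `assess` are hypothetical.

```python
import re

# Copied (trimmed) from the "sh pol int" output quoted in the post above.
SAMPLE = """\
FastEthernet0/1
  Service-policy output: cbwfq
    Class-map: not-it-intern (match-any)
      11127978 packets, 4292340182 bytes
      5 minute offered rate 4422000 bps, drop rate 0 bps
      Match: not access-group name it-intern
      Queueing
        Output Queue: Conversation 265
        Bandwidth 70 (%) Max Threshold 64 (packets)
        (pkts matched/bytes matched) 111155/27836979
        (depth/total drops/no-buffer drops) 0/0/0
    Class-map: class-default (match-any)
      827815 packets, 919625061 bytes
      5 minute offered rate 2911000 bps, drop rate 0 bps
      Match: any
"""

NAME = re.compile(r"Class-map:\s+(\S+)")
PACKETS = re.compile(r"^\s*(\d+) packets, \d+ bytes")
RATES = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
BW_PCT = re.compile(r"Bandwidth (\d+) \(%\)")
QUEUED = re.compile(r"\(pkts matched/bytes matched\) (\d+)/\d+")
DEPTH = re.compile(r"\(depth/total drops/no-buffer drops\) (\d+)/(\d+)/\d+")


def parse_policy(text):
    """Return one dict per Class-map block of the show output."""
    classes, cur = [], None
    for line in text.splitlines():
        m = NAME.search(line)
        if m:
            cur = {"name": m.group(1), "packets": None, "offered_bps": 0,
                   "drop_bps": 0, "bw_pct": None, "queued_pkts": 0,
                   "depth": 0, "total_drops": 0}
            classes.append(cur)
            continue
        if cur is None:
            continue  # interface / service-policy header lines
        m = PACKETS.search(line)
        if m and cur["packets"] is None:
            cur["packets"] = int(m.group(1))  # first counter is the class total
        m = RATES.search(line)
        if m:
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        m = BW_PCT.search(line)
        if m:
            cur["bw_pct"] = int(m.group(1))
        m = QUEUED.search(line)
        if m:
            # Under "Queueing", this counts packets that were really queued,
            # i.e. that arrived while the interface was congested.
            cur["queued_pkts"] = int(m.group(1))
        m = DEPTH.search(line)
        if m:
            cur["depth"], cur["total_drops"] = int(m.group(1)), int(m.group(2))
    return classes


def assess(classes, bandwidth_kbps, line_rate_bps):
    """bandwidth_kbps: interface 'bandwidth' statement (basis of the percentages).
    line_rate_bps: physical speed, the point at which the output queue builds."""
    total = sum(c["offered_bps"] for c in classes)
    out = {"total_offered_bps": total,
           "line_utilisation": total / line_rate_bps,
           "congested_now": total >= line_rate_bps
           or any(c["depth"] or c["drop_bps"] for c in classes),
           "classes": {}}
    for c in classes:
        out["classes"][c["name"]] = {
            "guaranteed_bps": None if c["bw_pct"] is None
            else bandwidth_kbps * 1000 * c["bw_pct"] // 100,
            "offered_bps": c["offered_bps"],
            "queued_fraction": c["queued_pkts"] / c["packets"] if c["packets"] else 0.0,
        }
    return out


if __name__ == "__main__":
    print(assess(parse_policy(SAMPLE), bandwidth_kbps=20000, line_rate_bps=100_000_000))
```

On the quoted counters, about 1% of the packets in `not-it-intern` were ever queued and nothing was dropped, so the 70% reservation had no occasion to take effect during the test.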

  • Question on QOS Configuration

    I am classifying traffic using NBAR and access-lists, setting DSCP values, and then using bandwidth percentages to reserve bandwidth for protected classes in times of high utilization.
    I currently have this set up on my outside interface (connecting to PE) and have the service policy set on output (egress).
    I have found that large data transfers of default-class traffic are still able to overwhelm the link, and the reserved bandwidth percentages do not seem to be able to protect the data in those classes.
    Question 1 - Is it a common configuration to classify, mark, and set queuing policies on the same interface? Or should I be classifying and marking on the ingress of the LAN interface and then applying the queuing on the outside interface egress?
    Here is my current config. As you can see, I am classifying the traffic using access lists and NBAR, and then I am using the policy map on my outside (PE connected) interface egress. For brevity, I have not included the contents of the access-lists. Does anyone see any issues with this config?
    class-map match-all AF41
     match access-group name Management
    class-map match-all AF21
     match access-group name Priority-Apps
    class-map match-all AF31
     match access-group name Critical-Apps
     match protocol citrix
     match protocol kerberos
     match protocol ldap
    policy-map SETDSCP-KABI-NA
     class AF41
      bandwidth percent 20
      random-detect dscp-based
      set ip dscp af41
     class AF31
      bandwidth percent 25
      random-detect dscp-based
      set ip dscp af31
     class AF21
      bandwidth percent 25
      random-detect dscp-based
      set ip dscp af21
     class class-default
      set ip dscp default
      fair-queue
    interface Multilink1
     service-policy output SETDSCP-KABI-NA
    Thanks in advance for your replies..

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Question 1 - Is it a common configuration to classify, mark, and set queuing policies on the same interface? Or should I be classifying and marking on the ingress of the LAN interface and then applying the queuing on the outside interface egress?
    I don't know how common one technique is vs. the other, as QoS is still a bit uncommon, but if possible, I personally prefer doing everything in the egress policy.
    Does anyone see any issues with this config?
    I normally recommend against using RED unless you really understand the technology.  I would especially question using RED and FQ in the same class, as you do in class AF21.
    I currently have this set up on my outside interface (connecting to PE) and have the service policy set on output (egress). I have found that large data transfers of default-class traffic are still able to overwhelm the link, and the reserved bandwidth percentages do not seem to be able to protect the data in those classes.
    You describe connecting to a PE, so this is not a p2p link?  If you're working across some kind of cloud technology, just setting QoS, even correctly, on the egress to cloud interface might be insufficient.  Might you describe your WAN environment?
    As you mention default-class traffic, but you didn't post a default-class, you're just using the implicit default settings for this class?
    As you're using NBAR and FQ in a named class, I assume you're working with a software based router using post HQF QoS, but identification of the actual platform and IOS version being used, might also be helpful.
