На новой работе пришлось вспомнить давно забытое: ip-телефонию (CME), QoS на WAN-каналах, ipsec DVTI. Ну и в лучших традициях натянул это всё на mpls между двумя (пока) железками. Получилось интересно, может, кому пригодится. Все сервисы vrf-aware, в GRT только IGP+mpls ldp+mpBGP.
!
! Base system settings: debug/log timestamps, boot image, E1 card type, local log buffer.
version 15.4
service timestamps debug datetime msec
service timestamps log datetime
! service password-encryption only applies Cisco type 7 encoding, which is reversible
! obfuscation. It does not protect the "key 7" / "key-string 7" values used further down
! if the configuration text is disclosed.
service password-encryption
!
hostname SPB-c3945-PE1
!
boot-start-marker
boot system flash0:c3900-universalk9-mz.SPA.154-3.M.bin
boot-end-marker
!
!
card type e1 0 0
logging buffered 64000
! NOTE(review): the value is redacted. If the leading "4" is the hash-type indicator,
! type 4 is the deprecated unsalted SHA-256 format - confirm, and re-enter the secret
! with a stronger algorithm type.
enable secret 4xxxxxxxxxxxxxxxxxxxxxxxx
!
! AAA. A TACACS+ server group (TAC-SRV, reached through VRF MNGM from Loopback30) is
! defined, but none of the method lists below reference it: login and authorization
! are all "local", so TACACS+ is not consulted for device access in this listing.
aaa new-model
!
!
aaa group server tacacs+ TAC-SRV
server name TAC1
server name TAC2
ip vrf forwarding MNGM
ip tacacs source-interface Loopback30
!
aaa authentication login default local
! "userauthen" is the list the ISAKMP profile vpn_static uses for client (Xauth) login,
! so remote-access VPN users are checked against the local username database.
aaa authentication login userauthen local
aaa authorization exec default local
! NOTE(review): the ISAKMP profile references an authorization list named "groupauthor",
! which is not defined here; only the "default" network list exists - confirm which one
! is intended.
aaa authorization network default local
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
network-clock-participate wic 0
network-clock-select 1 E1 0/0/0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! VRF definitions. Admin (RT 65000:150) imports the MNGM (65000:99), Voip (65000:100)
! and Office (65000:200) targets, and each of those VRFs imports 65000:150 back, so
! Admin is the hub with routes to every internal VRF. Virtual-Template10 places
! remote-access VPN clients into Admin, so those clients inherit the same reach.
! MNGM, Office and Voip do not import each other's targets.
ip vrf Admin
rd 65000:150
route-target export 65000:150
route-target import 65000:99
route-target import 65000:150
route-target import 65000:100
route-target import 65000:200
! Route limit of 1000 with a warning threshold of 30 percent (same on every VRF below).
maximum routes 1000 30
!
! Internet uses its own RD/RT (65078:1); no other VRF in this listing imports or is
! imported by it.
ip vrf Internet
rd 65078:1
route-target export 65078:1
route-target import 65078:1
maximum routes 1000 30
!
ip vrf MNGM
rd 65000:99
route-target export 65000:99
route-target import 65000:99
route-target import 65000:150
maximum routes 1000 30
!
ip vrf Office
rd 65000:200
route-target export 65000:200
route-target import 65000:200
route-target import 65000:150
maximum routes 1000 30
!
ip vrf Voip
rd 65000:100
route-target export 65000:100
route-target import 65000:100
route-target import 65000:150
maximum routes 1000 30
!
! DHCP service for the office, admin and IP-phone subnets, followed by global
! name-resolution and CEF settings.
no ip dhcp use vrf connected
!
ip dhcp pool Office-users
network 10.78.28.0 255.255.255.128
default-router 10.78.28.1
! Clients get two internal resolvers plus the public 8.8.8.8; when the third entry is
! used, internal names may be sent to an external resolver.
dns-server 10.1.4.4 10.1.4.24 8.8.8.8
netbios-name-server 10.1.4.24 10.1.4.4
domain-name zse.se.spb.ru
class Office-users
address range 10.78.28.20 10.78.28.126
!
ip dhcp pool Office-Admin
network 10.78.28.160 255.255.255.224
default-router 10.78.28.161
dns-server 10.1.4.4 10.1.4.24 8.8.8.8
netbios-name-server 10.1.4.24 10.1.4.4
domain-name zse.se.spb.ru
class Office-Admin
address range 10.78.28.165 10.78.28.175
!
ip dhcp pool IP-phones
network 10.78.30.0 255.255.255.128
default-router 10.78.30.1
! Option 150 points the phones at the TFTP server on the Voip loopback (10.78.2.10).
option 150 ip 10.78.2.10
class IP-phones
address range 10.78.30.20 10.78.30.126
!
!
! The three DHCP classes are declared without any match criteria; they only carry the
! address ranges set inside the pools above.
ip dhcp class Office-users
!
ip dhcp class Office-Admin
!
ip dhcp class IP-phones
!
!
no ip domain lookup
ip domain name somecompany.ru
ip cef
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
!
!
! Global MPLS/ISDN settings, the key chain used for IS-IS authentication, and the DSP
! farm on voice-card 0.
multilink bundle-name authenticated
!
mpls label protocol ldp
!
!
!
!
isdn switch-type primary-net5
!
!
! Key chain referenced by "authentication key-chain isis level-2" under router isis 1.
! The key-string is stored as type 7, i.e. reversibly encoded; treat any unredacted copy
! of this configuration as containing the key.
key chain isis
key 1
key-string 7 xxxxxxxxxxxx
cts logging verbose
voice-card 0
dspfarm
!
!
! Voice services bound to VRF Voip: VoIP call-leg policy, SIP binding and codec list.
voice call convert-discpi-to-prog
voice rtp send-recv
voice vrf Voip
!
voice service pots
supported-language ru
!
voice service voip
! Trusted-source list for incoming VoIP call setup: the only entry is the remote CME
! 10.77.2.10, which is also the session target of dial-peer 1100. Keep this list as
! narrow as it is; it is the main toll-fraud control for the IP side.
ip address trusted list
ipv4 10.77.2.10 255.255.255.255
! All four H.323/SIP interworking directions are allowed.
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
! SIP signalling and media are sourced from Loopback10 (VRF Voip).
bind control source-interface Loopback10
bind media source-interface Loopback10
registrar server expires max 600 min 60
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729br8
!
!
!
!
! Hunt groups, number translation, the VXML IVR application and licensing.
! Each hunt group rings its listed extensions in parallel when the pilot is called.
voice hunt-group 1 parallel
list 1001,1002
pilot 1000
!
!
voice hunt-group 10 parallel
list 1007,1008
pilot 1040
!
!
voice hunt-group 20 parallel
list 1011,1012
pilot 1050
!
!
!
!
! Rule set 1: map the public numbers 7777729 and 7777768 to extensions 1014 and 1003.
voice translation-rule 1
rule 1 /7777729/ /1014/
rule 3 /7777768/ /1003/
!
! Rule set 2: replace any number with 7777708 (used for the calling number on outgoing
! PSTN calls via profile OUT).
voice translation-rule 2
rule 1 /\(.*\)/ /7777708/
!
! Rule set 3: prefix 7-digit numbers with 9 and 10-digit numbers with 8 (applied to the
! calling number of incoming PSTN calls).
voice translation-rule 3
rule 1 /\(^.......$\)/ /9\1/
rule 2 /\(^..........$\)/ /8\1/
!
!
voice translation-profile IncomingCALLS
translate calling 3
translate called 1
!
voice translation-profile IncomingIVR
translate calling 3
!
voice translation-profile OUT
translate calling 2
!
!
!
!
! IVR service "ivrr" runs a VXML document from local flash; dial-peer 20 invokes it.
application
service ivrr flash:/vxml-ivr/My.vxml
!
global
service alternate default
!
!
vxml version 2.0
vxml allow-star-digit
license udi pid C3900-SPE150/K9 sn XXXXXXXXXXXX
license boot module c3900 technology-package securityk9
license boot module c3900 technology-package datak9
hw-module pvdm 0/0
!
!
!
! Configuration change logging and the local administrator account.
archive
log config
! hidekeys keeps passwords and keys out of the configuration change log.
hidekeys
! NOTE(review): "file privilege 0" lowers the privilege level required for file-system
! operations from the default - confirm this is intended on a router that also serves
! TFTP and stores phone firmware on flash.
file privilege 0
! Image files are verified automatically when copied or loaded.
file verify auto
! Single local privilege-15 account; with every AAA list set to "local" this is the
! account used for device login (the VPN Xauth list is local as well).
username rmavrichev privilege 15 secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
! E1 controllers (PRI to the city PSTN on 0/0/0), TFTP source interface and SSH version.
redundancy
!
!
!
!
!
controller E1 0/0/0
framing NO-CRC4
! Timeslots 1-16 form the PRI group; the D-channel appears as Serial0/0/0:15.
pri-group timeslots 1-16
description POTS_city
!
controller E1 0/0/1
!
ip tftp source-interface Loopback10
! SSH is limited to protocol version 2; note that the vty lines still accept telnet
! as well ("transport input telnet ssh").
ip ssh version 2
!
! QoS. DSCP-based classes are used at the CE-facing edge, MPLS EXP-based classes on the
! core-facing side.
class-map match-any REALTIME
match ip dscp ef
match ip dscp cs5
class-map match-any CRITICAL-DATA
match ip dscp cs6
match ip dscp af31
match ip dscp cs3
class-map match-any VIDEO
match ip dscp af21
match ip dscp cs2
class-map match-any EXP5
match mpls experimental topmost 5
class-map match-any EXP3
match mpls experimental topmost 3
class-map match-any EXP2
match mpls experimental topmost 2
!
! Core-facing queuing: EXP5 gets a 20 percent priority queue, EXP3/EXP2 get bandwidth
! guarantees with WRED, everything else is fair-queued.
policy-map PE-to-CORE
class EXP5
priority percent 20
class EXP3
bandwidth percent 10
random-detect dscp-based
class EXP2
bandwidth percent 30
random-detect dscp-based
class class-default
fair-queue
random-detect
! Egress towards the LAN: rewrite DSCP from the qos-group that EXP-TO-QOS set on ingress.
policy-map QOS-TO-DSCP
class class-default
set dscp qos-group
policy-map Policy-CBWFQ
class EXP5
priority percent 20
class EXP3
bandwidth percent 20
class EXP2
bandwidth percent 30
class class-default
fair-queue
! Ingress from the core: remember the topmost EXP value in the qos-group.
policy-map EXP-TO-QOS
class class-default
set qos-group mpls experimental topmost
! 10 Mbit/s shaper with Policy-CBWFQ as the child policy.
policy-map Shaper-10M
class class-default
shape average 10000000 80000 80000
service-policy Policy-CBWFQ
! Ingress from the access side: the DSCP value sent by the end device decides the MPLS
! EXP marking. This policy is attached to the IP-phones subinterface, so the marking is
! trusted from whatever is plugged into that VLAN; the priority queue is bounded at
! 20 percent by the core-facing policies.
policy-map CE-to-PE
class REALTIME
set mpls experimental imposition 5
class CRITICAL-DATA
set mpls experimental imposition 3
class VIDEO
set mpls experimental imposition 2
class class-default
set mpls experimental imposition 0
!
!
!
! Remote-access IPsec (IKEv1 with a dynamic VTI cloned from Virtual-Template10).
! The only ISAKMP policy uses 3DES, a pre-shared key and DH group 2 (1024-bit MODP).
! These are legacy parameters; where the VPN clients allow it, prefer AES with a
! SHA-2 hash and DH group 14 or higher.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
! Dead-peer detection every 10 seconds, sent periodically.
crypto isakmp keepalive 10 periodic
!
! Client group: one group key shared by all clients, addresses from Admin_vpn_pool,
! and ACL 110 pushed as the list of protected networks (10.0.0.0/8).
crypto isakmp client configuration group vpn_static
key xxxxxxxx
pool Admin_vpn_pool
acl 110
crypto isakmp profile vpn_static
match identity group vpn_static
! User authentication (Xauth) uses the AAA list "userauthen", which is local-only.
client authentication list userauthen
! NOTE(review): no AAA authorization list named "groupauthor" is defined in this
! listing - confirm the list name against the aaa section.
isakmp authorization list groupauthor
client configuration address respond
virtual-template 10
!
!
! ESP with 3DES encryption and HMAC-MD5 integrity; both are legacy algorithms. No PFS
! group is set in the IPsec profile below.
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VPNuser
set transform-set 3DES
!
!
!
!
!
!
!
! Loopbacks (one per routing context) and the physical LAN trunk.
! Loopback0 lives in the global table: BGP update-source, BGP router-id and LDP router-id.
interface Loopback0
description GRT-Loopback
ip address 10.78.19.1 255.255.255.255
!
! Loopback10 is the voice identity of the router in VRF Voip: SIP/H.323 binding, CME
! source address, TFTP source and the DHCP option 150 target.
interface Loopback10
description Voip-Loopback
ip vrf forwarding Voip
ip address 10.78.2.10 255.255.255.255
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.78.2.10
!
! Loopback30 is the management identity in VRF MNGM: TACACS+ source and SNMP trap source.
interface Loopback30
description MNGM-Loopback
ip vrf forwarding MNGM
ip address 10.78.2.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
! 802.1Q trunk to the L2 switch; all user, voice, management and Internet VLANs are
! carried as subinterfaces of this port.
interface GigabitEthernet0/1
description to_L2_Switch
mtu 1524
no ip address
media-type sfp
! VLAN subinterfaces on the LAN trunk, each bound to a VRF.
! None of the HSRP groups below configures "standby ... authentication", so any host in
! the same VLAN that speaks HSRP could contend for the virtual gateway address.
! VLAN 1 (native) is used as a temporary Internet exit for VRF Office.
interface GigabitEthernet0/1.1
description temp-Inernet-via-Kerio
encapsulation dot1Q 1 native
ip vrf forwarding Office
ip address 10.1.4.250 255.255.255.0
!
! ISP uplink in VRF Internet. No inbound access-group is applied in this listing; this
! interface is also the tunnel source VRF for the remote-access VPN.
interface GigabitEthernet0/1.6
description to_Internet_ISP#1
encapsulation dot1Q 6
ip vrf forwarding Internet
ip address 1.2.3.162 255.255.255.248
!
interface GigabitEthernet0/1.99
description SW-MNGM
encapsulation dot1Q 99
ip vrf forwarding MNGM
ip address 10.78.15.2 255.255.255.224
standby 1 ip 10.78.15.1
standby 1 priority 110
standby 1 preempt
!
! Phone VLAN: DSCP from the phones is mapped to MPLS EXP on ingress (CE-to-PE).
interface GigabitEthernet0/1.100
description IP-phones
encapsulation dot1Q 100
ip vrf forwarding Voip
ip address 10.78.30.1 255.255.255.128
service-policy input CE-to-PE
service-policy output QOS-TO-DSCP
!
interface GigabitEthernet0/1.110
description Voip-SRV
encapsulation dot1Q 110
ip vrf forwarding Voip
ip address 10.78.31.2 255.255.255.224
standby 1 ip 10.78.31.1
standby 1 priority 110
standby 1 preempt
!
! NMS segment in VRF Admin; the syslog/SNMP/NTP hosts 10.78.3.4-5 and the TACACS+
! servers 10.78.3.6-7 fall inside this subnet.
interface GigabitEthernet0/1.150
description NMS-Network
encapsulation dot1Q 150
ip vrf forwarding Admin
ip address 10.78.3.2 255.255.255.224
standby 1 ip 10.78.3.1
standby 1 priority 110
standby 1 preempt
!
interface GigabitEthernet0/1.200
description Office-users
encapsulation dot1Q 200
ip vrf forwarding Office
ip address 10.78.28.2 255.255.255.128
standby 1 ip 10.78.28.1
standby 1 priority 110
standby 1 preempt
service-policy output QOS-TO-DSCP
!
interface GigabitEthernet0/1.201
description Office-VIP
encapsulation dot1Q 201
ip vrf forwarding Office
ip address 10.78.28.130 255.255.255.224
standby 1 ip 10.78.28.129
standby 1 priority 110
standby 1 preempt
service-policy output QOS-TO-DSCP
!
! Administrator workstations sit in VRF Admin, i.e. in the hub VRF that sees all others.
interface GigabitEthernet0/1.202
description Office-Admin
encapsulation dot1Q 202
ip vrf forwarding Admin
ip address 10.78.28.162 255.255.255.224
standby 1 ip 10.78.28.161
standby 1 priority 110
standby 1 preempt
service-policy output QOS-TO-DSCP
!
interface GigabitEthernet0/1.210
description Office-SRV
encapsulation dot1Q 210
ip vrf forwarding Office
ip address 10.78.29.2 255.255.255.224
standby 1 ip 10.78.29.1
standby 1 priority 110
standby 1 preempt
service-policy output QOS-TO-DSCP
!
! Alternative core link over a VLAN; administratively shut down in this listing.
interface GigabitEthernet0/1.300
description L2-to-MSK-over-vlan
encapsulation dot1Q 300
shutdown
mpls ip
isis metric 10000
service-policy input EXP-TO-QOS
service-policy output Shaper-10M
!
! Core link to the second PE, the ISDN D-channel and the VPN virtual template.
! The core link runs IS-IS and LDP in the global table. IS-IS is authenticated through
! the key chain; no LDP neighbor password appears in this listing.
interface GigabitEthernet0/2
description L2-to-MSK
mtu 1524
bandwidth qos-reference 10000
ip address 10.78.27.1 255.255.255.252
ip router isis 1
duplex auto
speed auto
mpls ip
isis metric 10000
service-policy input EXP-TO-QOS
service-policy output PE-to-CORE
!
! D-channel of the PRI on controller E1 0/0/0.
interface Serial0/0/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
no cdp enable
!
! Template for per-client dynamic VTIs. Encrypted traffic arrives in VRF Internet
! ("tunnel vrf"), decrypted traffic is placed in VRF Admin ("ip vrf forwarding"), so a
! successful VPN login lands directly in the VRF that imports MNGM, Voip and Office.
! No access-group restricts what a connected client may reach.
interface Virtual-Template10 type tunnel
description Ciscovpn_static
ip vrf forwarding Admin
ip unnumbered GigabitEthernet0/1.6
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel vrf Internet
tunnel protection ipsec profile VPNuser
!
!
! IS-IS level-2 IGP for the global table.
router isis 1
net 49.0010.0100.7801.9001.00
is-type level-2-only
! Level-2 PDUs are authenticated with HMAC-MD5 using key chain "isis".
authentication mode md5
authentication key-chain isis level-2
ispf level-2
metric-style wide
fast-flood 14
! Advertise the overload bit for 180 seconds after startup so transit traffic avoids
! this router while it converges.
set-overload-bit on-startup 180
max-lsp-lifetime 65535
lsp-refresh-interval 65000
spf-interval 5 1 50
prc-interval 5 1 50
lsp-gen-interval 5 1 50
no hello padding
log-adjacency-changes all
metric 100000
! Loopback0 is advertised but forms no adjacencies.
passive-interface Loopback0
!
! MP-BGP: one VPNv4 iBGP session to 10.77.19.1 plus per-VRF redistribution.
! No "neighbor ... password" is configured in this listing, so the session has no
! TCP MD5 protection.
router bgp 65000
! Peer policy applied to the VPNv4 neighbor: filter with DEFAULT-DENY in both
! directions, set next-hop-self, send standard and extended communities.
template peer-policy iBGP
prefix-list DEFAULT-DENY in
prefix-list DEFAULT-DENY out
next-hop-self
send-community both
exit-peer-policy
!
! Peer policy RR is defined but not inherited by any neighbor in this listing.
template peer-policy RR
route-reflector-client
next-hop-self
send-community both
exit-peer-policy
!
! NOTE(review): this session template sets remote-as 65050, while the local AS and the
! explicit neighbor statement below both use 65000 - confirm which value is intended.
template peer-session iBGP
remote-as 65050
update-source Loopback0
exit-peer-session
!
bgp router-id 10.78.19.1
bgp log-neighbor-changes
bgp deterministic-med
bgp update-delay 1
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
no bgp default ipv4-unicast
! Keepalive 1 s / hold time 20 s.
timers bgp 1 20
neighbor 10.77.19.1 remote-as 65000
neighbor 10.77.19.1 inherit peer-session iBGP
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 10.77.19.1 activate
neighbor 10.77.19.1 send-community extended
neighbor 10.77.19.1 inherit peer-policy iBGP
exit-address-family
!
! Every VRF redistributes its connected and static routes into VPNv4.
address-family ipv4 vrf Admin
redistribute connected
redistribute static
exit-address-family
!
address-family ipv4 vrf Internet
redistribute connected
redistribute static
exit-address-family
!
address-family ipv4 vrf MNGM
redistribute connected
redistribute static
exit-address-family
!
! Office additionally originates a default route; presumably the DEFAULT-DENY filter on
! the VPNv4 peer interacts with it - verify on the device.
address-family ipv4 vrf Office
redistribute connected
redistribute static
default-information originate
exit-address-family
!
address-family ipv4 vrf Voip
redistribute connected
redistribute static
exit-address-family
!
! VPN address pool, HTTP server, static defaults, management ACLs and syslog.
ip local pool Admin_vpn_pool 10.78.3.33 10.78.3.46
ip forward-protocol nd
!
! Both the plaintext HTTP server and the HTTPS server are enabled. The telephony-service
! section uses an http:// directory URL and a web admin account, so that login and the
! phone directory travel unencrypted unless clients use HTTPS. Access is limited to the
! sources in ACL 80.
ip http server
ip http access-class 80
ip http secure-server
!
ip route vrf Office 0.0.0.0 0.0.0.0 10.1.4.1 name temp-Inernet-via-Kerio
ip route vrf Internet 0.0.0.0 0.0.0.0 1.2.3.161 name default-for-vrf-Internet
!
! MGMT-NODE is the vty access-class. The first entry matches 10.x.3.y (non-contiguous
! wildcard); the second permits all of 10.0.0.0/8 and therefore makes the first
! redundant. In effect any 10.x.x.x source - every internal VRF and the VPN pool - may
! open a vty session.
ip access-list standard MGMT-NODE
permit 10.0.3.0 0.255.0.255
permit 10.0.0.0 0.255.255.255
! SNMP-NODE limits SNMP to 10.x.3.y sources (any second octet, third octet 3).
ip access-list standard SNMP-NODE
permit 10.0.3.0 0.255.0.255
!
!
! DEFAULT-DENY drops prefixes of length 0-1 (the default route and the two /1 halves)
! and permits everything of length 2 or longer.
ip prefix-list DEFAULT-DENY seq 5 deny 0.0.0.0/0 le 1
ip prefix-list DEFAULT-DENY seq 10 permit 0.0.0.0/0 ge 2
! Syslog at severity "debugging" (all levels) to two collectors via VRF MNGM.
logging trap debugging
logging facility local1
logging host 10.78.3.4 vrf MNGM
logging host 10.78.3.5 vrf MNGM
!
! SNMP, TFTP file serving for phone firmware, TACACS+ servers and numbered ACLs.
nls resp-timeout 1
cpd cr-id 1
!
! SNMP is community-based: a read-only and a read-write community, both restricted by
! ACL SNMP-NODE, and version 2c traps. Community strings are sent in cleartext; the
! read-write community allows configuration changes, so prefer SNMPv3 with
! authentication and privacy, or drop the RW community if it is not needed.
snmp-server community xxxxxx RO SNMP-NODE
snmp-server community xxxxxx RW SNMP-NODE
snmp-server trap-source Loopback30
snmp-server enable traps
snmp-server host 10.78.3.4 vrf MNGM version 2c xxxxxx
snmp-server host 10.78.3.5 vrf MNGM version 2c xxxxxx
! Files offered over TFTP to the phones. TFTP has no authentication, so anything listed
! here is readable by any host that can reach the router's TFTP service.
tftp-server flash:P0030801SR02.bin
tftp-server flash:CP7912080004SCCP080108A.sbin
tftp-server flash:P0030801SR02.loads
tftp-server flash:P0030801SR02.sb2
tftp-server flash:P0030801SR02.sbn
tftp-server flash:S00105000400.sbn
tftp-server flash:SCCP70.9-2-1S.loads
tftp-server flash:apps70.9-2-1TH1-13.sbn
tftp-server flash:cnu70.9-2-1TH1-13.sbn
tftp-server flash:cvm70sccp.9-2-1TH1-13.sbn
tftp-server flash:dsp70.9-2-1TH1-13.sbn
tftp-server flash:jar70sccp.9-2-1TH1-13.sbn
tftp-server flash:term70.default.loads
tftp-server flash:term71.default.loads
tftp-server flash:/its/CME-locale-ru_RU-Russian-10.0.2.7.tar
tftp-server flash:ATA030204SCCP090202A.zup
tacacs-server directed-request
! TACACS+ servers referenced by group TAC-SRV. The shared keys are stored as type 7
! (reversible encoding).
tacacs server TAC1
address ipv4 10.78.3.6
key 7 xxxxx
tacacs server TAC2
address ipv4 10.78.3.7
key 7 xxxxx
mpls ldp router-id Loopback0
! ACL 80 is the HTTP access-class: office-user and IP-phone subnets of both sites
! (10.78.x and 10.77.x) may reach the router's web server.
access-list 80 permit 10.78.28.0 0.0.0.255
access-list 80 permit 10.77.28.0 0.0.0.255
access-list 80 permit 10.78.30.0 0.0.0.255
access-list 80 permit 10.77.30.0 0.0.0.255
! ACL 110 is the network list pushed to VPN clients in group vpn_static.
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
! Control plane, voice ports and MGCP defaults.
! The control-plane section is empty: no service-policy (control-plane policing) is
! attached, so traffic punted to the CPU is not rate-limited by policy here.
control-plane
!
!
! Voice port for the PRI D-channel group, followed by four ports on slot 0/1.
voice-port 0/0/0:15
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
! Dial plan. No class-of-restriction (COR) lists are attached to any dial-peer in this
! listing, so every registered extension can use both PSTN routes below.
! Inter-site calls to 11xx go over IP to the remote CME; media is marked CS5 and
! signalling CS4.
dial-peer voice 1100 voip
description to_MSK_CCME
destination-pattern 11..
session target ipv4:10.77.2.10
ip qos dscp cs5 media
ip qos dscp cs4 signaling
!
! Incoming PSTN calls to 7777729: the called number is translated by profile
! IncomingCALLS.
dial-peer voice 25 pots
description PSTN-->CME - IncomingCall - SUPPORT
translation-profile incoming IncomingCALLS
incoming called-number 7777729
direct-inward-dial
!
! Local PSTN: 9 + 7 digits, the last 7 digits are forwarded; calling number rewritten
! by profile OUT.
dial-peer voice 10 pots
description CME-->PSTN
translation-profile outgoing OUT
destination-pattern 9.......
port 0/0/0:15
forward-digits 7
!
! National long distance: 8 + 10 digits, all 11 digits are forwarded.
dial-peer voice 15 pots
description CME-->PSTN - long-distanse National
translation-profile outgoing OUT
destination-pattern [8]..........
progress_ind alert enable 8
port 0/0/0:15
forward-digits 11
!
! Incoming PSTN calls to the main number are answered by the VXML service "ivrr".
dial-peer voice 20 pots
description PSTN-->CME - IncomingIVR - MAIN
translation-profile incoming IncomingIVR
service ivrr
incoming called-number 7777708
direct-inward-dial
!
dial-peer voice 30 pots
description PSTN-->CME - IncomingCall - FAX
translation-profile incoming IncomingCALLS
incoming called-number 7777768
direct-inward-dial
!
!
! Gateway timers and the CME (telephony-service) configuration.
gateway
timer receive-rtp 1200
!
!
!
gatekeeper
shutdown
!
!
telephony-service
sdspfarm conference mute-on # mute-off #
sdspfarm units 4
sdspfarm transcode sessions 10
sdspfarm tag 1 xcode101
sdspfarm tag 2 conf103
! Phone group 1 is served in VRF Voip from the Voip loopback on SCCP port 2000.
group 1 vrf Voip
protocol mode ipv4
ip source-address 10.78.2.10 port 2000
! The phone directory is fetched over plain HTTP from the router itself.
url directories http://10.78.2.10/localdirectory
!
conference transfer-pattern
! Automatic registration of unknown phones is disabled; only the ephones defined by
! MAC address further down can register.
no auto-reg-ephone
max-ephones 50
max-dn 100
calling-number initiator
system message SomeCompany-SPb
cnf-file location flash:
user-locale RU load CME-locale-ru_RU-Russian-10.0.2.7.tar
network-locale RU
load 7914 S00105000400.sbn
load 7912 CP7912080004SCCP080108A.sbin
load 7960-7940 P0030801SR02
load 7970 SCCP70.9-2-1S
time-zone 32
time-format 24
date-format dd-mm-yy
max-conferences 8 gain -6
call-park system redirect
! Call forwarding is allowed to any number (".T"), and transfers to any number that
! starts with 9 ("9.T", below). Together with the unrestricted PSTN dial-peers this
! lets a phone forward or transfer calls out to the PSTN; narrow these patterns if
! off-net forwarding is not required.
call-forward pattern .T
call-forward system redirecting-expanded
moh enable-g711 "music-on-hold.au"
! CME web administrator account. It is reached through the router's HTTP(S) server;
! dn-webedit and time-webedit allow directory numbers and time to be changed from the GUI.
web admin system name webadmin secret xxxxxxxxxxxxxxxxxxxxxx
dn-webedit
time-webedit
transfer-system full-consult dss
transfer-pattern 9.T
log table max-size 500
secondary-dialtone 9
directory last-name-first
directory entry 1 1000 name User1 User1
create cnf-files version-stamp 7960 Nov 10 2014 19:23:51
!
!
! Directory numbers (extensions). Each is dual-line, i.e. two calls per DN; the ephone
! entries bind them to buttons.
ephone-dn 1 dual-line
number 1001
label 1001
description User1 User1
name User1 User1
!
!
ephone-dn 2 dual-line
number 1002
label 1002
description Secretary
name Secretary
!
!
! Extension 1003 is the fax line; incoming 7777768 is translated to it.
ephone-dn 3 dual-line
number 1003
label 1003
description FAX
name FAX
!
!
ephone-dn 4 dual-line
number 1004
label 1004
description User2 User2
name User2 User2
!
!
ephone-dn 5 dual-line
number 1005
label 1005
description Mavrichev Roman
name Mavrichev Roman
!
!
!
ephone-dn 39 dual-line
number 1039
label 1039
description Test1 Test1
name Test1 Test1
!
!
! Phone definitions. Every phone uses "device-security-mode none": SCCP signalling is
! neither authenticated nor encrypted, and a phone is identified only by its MAC
! address. A device on the phone VLAN presenting one of these MAC addresses would be
! accepted as that phone, so access-layer controls on VLAN 100 matter.
ephone 1
device-security-mode none
mac-address 000D.3474.0ABF
group phone 1
type 7960
button 1:1
!
!
!
! ATA (analog adapter) on DN 2.
ephone 2
device-security-mode none
mac-address 0D29.7635.B201
max-calls-per-button 2
group phone 1
type ata
button 1:2
!
!
!
! 7970 with one 7914 expansion module.
ephone 3
device-security-mode none
mac-address 0015.6323.CBC5
group phone 1
type 7970 addon 1 7914
button 1:5
!
!
!
ephone 4
device-security-mode none
mac-address 0014.6532.5A3D
speed-dial 1 1001 label "Secretary"
group phone 1
type 7960
button 1:4
!
!
!
! ATA on DN 3 (the fax extension).
ephone 5
device-security-mode none
mac-address 000D.5632.35B2
max-calls-per-button 2
group phone 1
type ata
button 1:3
!
!
!
ephone 39
device-security-mode none
mac-address 001B.3421.7B5D
group phone 1
type 7912
button 1:39
!
!
!
!
! Terminal lines, scheduler and NTP.
! Console sessions start at privilege level 15 after the local login.
line con 0
privilege level 15
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
! vty 0-4 and 5-15 are configured identically:
!  - telnet is accepted next to SSH, so credentials can cross the network in
!    cleartext; "transport input ssh" alone would remove that path;
!  - sessions start at privilege level 15;
!  - the idle timeout is 360 minutes;
!  - the access-class applies in every VRF ("vrf-also") and MGMT-NODE permits all of
!    10.0.0.0/8, so the filter is broad rather than limited to management hosts.
line vty 0 4
access-class MGMT-NODE in vrf-also
exec-timeout 360 0
privilege level 15
logging synchronous
history size 100
transport input telnet ssh
line vty 5 15
access-class MGMT-NODE in vrf-also
exec-timeout 360 0
privilege level 15
logging synchronous
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
! The router is an NTP master at stratum 5 and also a client of four servers. No NTP
! authentication or "ntp access-group" is configured in this listing.
! NOTE(review): the two public servers are configured without a VRF, i.e. in the global
! table, which per the author carries only IGP/LDP/MP-BGP - confirm they are reachable.
ntp master 5
ntp update-calendar
ntp server 207.223.123.18
ntp server vrf MNGM 10.78.3.4
ntp server 128.138.140.44
ntp server vrf MNGM 10.78.3.5
!
end