pevaneyn
Cisco Employee

In this article we give the configuration used on the ASR 1004 and the switches that provided wireless and wired Internet access during the Fosdem 2011 conference.

During this conference we had more than 4171 unique users on the WiFi over the whole event, with a peak of 1672 concurrent users. Most of them were dual-stacked, reaching the Internet over both IPv4 and IPv6 across a 1 Gbps fiber link.

We had to redact some information as it would reveal details about the ULB, who were kind enough to let us use their wireless infrastructure, among other things.

We also owe a debt to our fantastic ISP, Belnet, who provided the 1 Gbps link and the IPv4 and IPv6 network ranges.

Cisco also sponsored this event, providing hardware and volunteers to configure and maintain the network.

The configuration of the main router, with inline comments, was:

------------------ show running-config ------------------

Building configuration...

Current configuration : 13632 bytes
!
! Last configuration change at 13:52:55 UTC Sun Feb 6 2011 by admin
! NVRAM config last updated at 10:50:42 UTC Sun Feb 6 2011 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname cASR1kd15-1
!
boot-start-marker
boot system flash bootflash:asr1000rp1-adventerprisek9.03.01.02.S.150-1.S2.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 1048576
enable secret 4 <redacted>
!
aaa new-model
!
aaa authentication login default local enable
!
aaa session-id common
!
no ip source-route
ip icmp rate-limit unreachable 100
! note we only limit the unreachables as we need icmp for ND and PMTU
!
! we have the AP in a different VRF
ip vrf ULB-AP
 rd 12345:12345
!
no ip bootp server
ip domain name fosdem.net
ip host core-sw 192.168.211.254
ip host noc-sw 192.168.211.253
ip host h-sw 192.168.211.252
ip host j-sw 192.168.211.251
ip host aw-sw 192.168.211.250
ip name-server 193.190.198.10
ip name-server 193.190.67.53
ip name-server 193.190.198.2
ip name-server 8.8.8.8
ip name-server 2001:6A8:3C80::20
ip dhcp database flash:/dhcp-database
ip dhcp bootp ignore
ip dhcp excluded-address 193.191.32.1 193.191.32.26
ip dhcp excluded-address 193.191.63.200 193.191.63.254
ip dhcp excluded-address 193.191.64.1 193.191.64.26
ip dhcp excluded-address 193.191.95.200 193.191.95.254
ip dhcp excluded-address 193.191.64.101
!
ip dhcp pool Wifi-client
   network 193.191.32.0 255.255.224.0
   default-router 193.191.63.254
   domain-name fosdem.net
   dns-server 193.190.198.10 193.190.67.53 193.190.198.2
!
ip dhcp pool Wired-client
   network 193.191.64.0 255.255.224.0
   domain-name fosdem.net
   dns-server 193.190.198.10 193.190.67.53 193.190.198.2
   default-router 193.191.95.254
!
ipv6 unicast-routing
! we have no ipv6 dhcp database command as this was causing problems
!
ipv6 dhcp pool FOSDEM-v6
 address prefix 2001:6A8:1100:CAFE::/64
 dns-server 2001:6A8:1100:BEEF:20C:29FF:FEA3:BEB
 dns-server 2001:6A8:1100:BEEF:20C:29FF:FE8F:F8D0
 domain-name fosdem.net
 sntp address 2001:6A8:1100:CAFE::1
!
ipv6 dhcp pool FOSDEM-v6-wired
 address prefix 2001:6A8:1100:BEEF::/64
 dns-server 2001:6A8:1100:BEEF:20C:29FF:FEA3:BEB
 dns-server 2001:6A8:1100:BEEF:20C:29FF:FE8F:F8D0
 domain-name fosdem.net
 sntp address 2001:6A8:1100:BEEF::1
!
ipv6 multicast-routing
!
multilink bundle-name authenticated
!
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path harddisk:archived-configs
 maximum 14
 write-memory
 time-period 1440
!
username admin privilege 15 password 7 <removed>
username mon!tor password 7 <removed>
!
redundancy
 notification-timer 30000
 mode sso
!
ip ssh time-out 60
ip ssh version 2
ip scp server enable
bridge irb
!
interface GigabitEthernet0/0/0
 description ---------- uplink to Belnet ----------------
 ip address 193.191.4.50 255.255.255.252
 ip access-group LimitingInternetIn in
 ip access-group LimitingInternetout out
 no ip redirects
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default allow-self-ping l2-src
 ip virtual-reassembly
 media-type sfp
 negotiation auto
 ipv6 address 2001:6A8:1000:8003::2/64
 ipv6 mtu 1480
 ipv6 verify unicast source reachable-via rx allow-default
 ipv6 traffic-filter ForbiddenV6Ports in
 ipv6 traffic-filter ForbiddenV6Ports out
!
...
!
interface GigabitEthernet0/1/0
 description ---------- trunk to Fosdem  ----------------
 no ip address
 ip virtual-reassembly
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/1/0.10
 description ---------- downlink to Wired Internet client   ----------------
 encapsulation dot1Q 10
 ip address 193.191.95.254 255.255.224.0
 ip access-group LimitingClientWiredIn in
 ip access-group LimitingClientWiredOut out
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 ipv6 address 2001:6A8:1100:BEEF::1/64
 ipv6 dhcp server FOSDEM-v6-wired
 ipv6 verify unicast source reachable-via rx allow-default
 ipv6 traffic-filter ForbiddenV6Ports in
 ipv6 traffic-filter ForbiddenV6Ports out
 cdp enable
!
interface GigabitEthernet0/1/0.23
 description -------- AP management VLAN  ------------
 encapsulation dot1Q 23
 ip vrf forwarding ULB-AP
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 cdp enable
!
interface GigabitEthernet0/1/0.211
 description -------- INFRA management VLAN  ------------
 encapsulation dot1Q 211
 ip address 192.168.211.249 255.255.255.0
 cdp enable
!
...
!
interface GigabitEthernet0/1/7
 description ---------- uplink to ResULB  ----------------
 no ip address
 no negotiation auto
!
interface GigabitEthernet0/1/7.1023
 description -------- AP management VLAN  ----------------
 encapsulation dot1Q 1023
 ip vrf forwarding ULB-AP
 ip address <redacted> 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 cdp enable
!
interface GigabitEthernet0/1/7.1400
 description ----------- WiFi Internet client traffic  ----------------
 encapsulation dot1Q 1400
 ip address 193.191.32.1 255.255.224.0 secondary
 ip address 193.191.63.254 255.255.224.0
 ip access-group LimitingClientWirelessIn in
 ip access-group LimitingClientWirelessOut out
 no ip redirects
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default allow-self-ping l2-src
 ip flow ingress
 ip virtual-reassembly
 ipv6 address 2001:6A8:1100:CAFE::1/64
 ipv6 dhcp server FOSDEM-v6
 ipv6 verify unicast source reachable-via rx allow-default
 ipv6 traffic-filter ForbiddenV6Ports in
 ipv6 traffic-filter ForbiddenV6Ports out
 cdp enable
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
ip nat inside source list ULB-AP-NAT interface GigabitEthernet0/1/7.1023 vrf ULB-AP overload
!
ip flow-aggregation cache source-prefix
 enabled
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 193.191.4.49
ip route vrf ULB-AP 0.0.0.0 0.0.0.0 <redacted>
ip route vrf ULB-AP 144.254.0.0 255.255.0.0 Null0
!
ip access-list extended LimitingClientWiredIn
 ! no RFC 1918 ips
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 ! deny access to AP management
 deny   ip any <redacted> log
 deny   ip <redacted> any log
 ! limit some traffic not allowed by BELNET
 deny   tcp any any eq smtp
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   udp any any eq 1434
 ! produce some statistics
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit esp any any
 permit gre any any
 permit ip any any
ip access-list extended LimitingClientWiredOut
 ! deny access to AP management
 deny   ip any <redacted> log
 deny   ip <redacted> any log
 ! limit some traffic not allowed by BELNET
 deny   tcp any any eq smtp
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   udp any any eq 1434
 ! produce some statistics
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit esp any any
 permit gre any any
 permit ip any any
ip access-list extended LimitingClientWirelessIn
 ! same as LimitingClientWiredIn
 ! no RFC 1918 ips
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 ! deny access to AP management
 deny   ip any <redacted> log
 deny   ip <redacted> any log
 ! limit some traffic not allowed by BELNET
 deny   tcp any any eq smtp
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   udp any any eq 1434
 ! produce some statistics
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit esp any any
 permit gre any any
 permit ip any any
ip access-list extended LimitingClientWirelessOut
 ! the same as LimitingClientWiredOut
 ! deny access to AP management
 deny   ip any <redacted> log
 deny   ip <redacted> any log
 ! limit some traffic not allowed by BELNET
 deny   tcp any any eq smtp
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   udp any any eq 1434
 ! produce some statistics
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit esp any any
 permit gre any any
 permit ip any any
ip access-list extended LimitingInternetIn
 ! deny access to AP management
 deny   ip any <redacted> log
 deny   ip <redacted> any log
 ! limit some traffic not allowed by BELNET
 deny   tcp any any eq smtp
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   udp any any eq 1434
 ! produce some statistics
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit esp any any
 permit gre any any
 permit ip any any
ip access-list extended LimitingInternetout
 ! deny access to AP management
 deny   ip any <redacted> log
 deny   ip <redacted> any log
 ! limit some traffic not allowed by BELNET
 deny   tcp any any eq smtp
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   udp any any eq 1434
 ! produce some statistics
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit esp any any
 permit gre any any
 permit ip any any
ip access-list extended ULB-AP-NAT
 permit ip <redacted> any
!
logging esm config
cdp run
ipv6 route 2001:6A8:1100::/48 Null0
! null route the part of our /48 that we don't actually use
! this prevents a loop as we would send this to Belnet and they would send it back
ipv6 route 2000::/3 GigabitEthernet0/0/0 FE80::21B:C0FF:FEA7:8401
ipv6 route ::/0 2001:6A8:1000:8002::1
! on the PtP link on G0/0/0 we have 2001:6A8:1000:8003::2/64
! the belnet router has 2001:6A8:1000:8003::1 and FE80::21B:C0FF:FEA7:8401
ipv6 router rip Fosdem
!
ipv6 access-list ForbiddenV6Ports
 ! limit some traffic not allowed by BELNET
 deny tcp any any eq smtp
 deny tcp any any eq 135
 deny udp any any eq 135
 deny tcp any any eq 137
 deny udp any any eq netbios-ns
 deny tcp any any eq 445
 deny udp any any eq 445
 deny udp any any eq 1434
 ! produce some statistics
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit esp any any
 permit sctp any any
 permit ipv6 any any
bridge 23 protocol ieee
control-plane host
 management-interface GigabitEthernet0/0/0 allow ssh
 management-interface GigabitEthernet0/0/1 allow ssh
 management-interface GigabitEthernet0/1/0 allow ssh
 management-interface GigabitEthernet0/1/0.10 allow ssh
 management-interface GigabitEthernet0/1/7.1400 allow ssh
!
control-plane
!
banner exec ^CC
Welcome to Fosdem 2011 Network infra
Unauthorized access prohibited
^C
banner login ^CC
Welcome to Fosdem 2011 Network infra
Unauthorized access prohibited
^C
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 logging synchronous
 transport input ssh
!
ntp master 3
ntp server 193.190.198.10 source GigabitEthernet0/0/0 prefer
end

We used so many access lists because we wanted to get some numbers on the traffic seen. If you are interested, this is what the router reported after one day of routing traffic:
cASR1kd15-1#show ip access-list
Load for five secs: 1%/0%; one minute: 2%; five minutes: 1%
Time source is NTP, 21:19:25.138 UTC Sat Feb 5 2011

Extended IP access list LimitingClientWiredIn
    10 deny ip any 192.168.0.0 0.0.255.255 (460 matches)
    20 deny ip any 172.16.0.0 0.15.255.255 (14 matches)
    30 deny ip any 10.0.0.0 0.255.255.255 (147 matches)
    40 deny ip any <redacted> log
    50 deny ip any <redacted> log
    60 deny ip any <redacted> log
    70 deny ip any <redacted> log
    80 deny ip any <redacted> log
    90 deny ip <redacted> any log
    100 deny ip <redacted> any log
    110 deny ip <redacted> any log
    120 deny ip <redacted> any log
    130 deny ip <redacted> any log
    140 deny tcp any any eq smtp (337 matches)
    150 deny tcp any any eq 135 (615 matches)
    160 deny udp any any eq 135
    170 deny tcp any any eq 137
    180 deny udp any any eq netbios-ns (1108 matches)
    190 deny tcp any any eq 445 (30 matches)
    200 deny udp any any eq 445
    210 deny udp any any eq 1434
    220 permit tcp any any (58839653 matches)
    230 permit udp any any (132585 matches)
    240 permit icmp any any (3455 matches)
    250 permit esp any any
    260 permit gre any any
    270 permit ip any any (2 matches)

Extended IP access list LimitingClientWiredOut
    10 deny ip any <redacted> log
    20 deny ip any <redacted> log
    30 deny ip any <redacted> log
    40 deny ip any <redacted> log
    50 deny ip any <redacted> log
    60 deny ip <redacted> any log
    70 deny ip <redacted> any log
    80 deny ip <redacted> any log
    90 deny ip <redacted> any log
    100 deny ip <redacted> any log
    110 deny tcp any any eq smtp
    120 deny tcp any any eq 135
    130 deny udp any any eq 135
    140 deny tcp any any eq 137
    150 deny udp any any eq netbios-ns
    160 deny tcp any any eq 445
    170 deny udp any any eq 445
    180 deny udp any any eq 1434
    190 permit tcp any any (34233398 matches)
    200 permit udp any any (148399 matches)
    210 permit icmp any any (3289 matches)
    220 permit esp any any
    230 permit gre any any
    240 permit ip any any

Extended IP access list LimitingClientWirelessIn
    10 deny ip any 192.168.0.0 0.0.255.255 (106639 matches)
    20 deny ip any 172.16.0.0 0.15.255.255 (14201 matches)
    30 deny ip any 10.0.0.0 0.255.255.255 (33763 matches)
    40 deny ip any host 193.191.32.11 log
    50 deny ip any <redacted> log
    60 deny ip any <redacted> log
    70 deny ip any <redacted> log
    80 deny ip any <redacted> log
    90 deny ip host 193.191.32.10 any log (128 matches)
    100 deny ip <redacted> any log (2080 matches)
    110 deny ip <redacted> any log (6638 matches)
    120 deny ip <redacted> any log (3647 matches)
    130 deny ip <redacted> any log (65 matches)
    140 deny tcp any any eq smtp (5150 matches)
    150 deny tcp any any eq 135 (38 matches)
    160 deny udp any any eq 135
    170 deny tcp any any eq 137
    180 deny udp any any eq netbios-ns (2577807 matches)
    190 deny tcp any any eq 445 (130 matches)
    200 deny udp any any eq 445
    210 deny udp any any eq 1434 (9 matches)
    220 permit tcp any any (95452409 matches)
    230 permit udp any any (14303818 matches)
    240 permit icmp any any (652113 matches)
    250 permit esp any any (500265 matches)
    260 permit gre any any (663944 matches)
    270 permit ip any any (114262 matches)

Extended IP access list LimitingClientWirelessOut
    10 deny ip any <redacted> log
    20 deny ip any <redacted> log
    30 deny ip any <redacted> log
    40 deny ip any <redacted> log
    50 deny ip any <redacted> log
    60 deny ip <redacted> any log
    70 deny ip <redacted> any log
    80 deny ip <redacted> any log
    90 deny ip <redacted> any log
    100 deny ip <redacted> any log
    110 deny tcp any any eq smtp
    120 deny tcp any any eq 135
    130 deny udp any any eq 135
    140 deny tcp any any eq 137
    150 deny udp any any eq netbios-ns
    160 deny tcp any any eq 445
    170 deny udp any any eq 445
    180 deny udp any any eq 1434
    190 permit tcp any any (126061879 matches)
    200 permit udp any any (13510472 matches)
    210 permit icmp any any (423173 matches)
    220 permit esp any any (617781 matches)
    230 permit gre any any (760294 matches)
    240 permit ip any any (2699 matches)

Extended IP access list LimitingInternetIn
    10 deny ip any <redacted> log (166 matches)
    20 deny ip any <redacted> log (203 matches)
    30 deny ip any <redacted> log (410 matches)
    40 deny ip any <redacted> log (108 matches)
    50 deny ip any <redacted> log (55 matches)
    60 deny ip <redacted> any log
    70 deny ip <redacted> any log
    80 deny ip <redacted> any log
    90 deny ip <redacted> any log
    100 deny ip <redacted> any log
    110 deny tcp any any eq smtp (762 matches)
    120 deny tcp any any eq 135 (25093 matches)
    130 deny udp any any eq 135
    140 deny tcp any any eq 137 (8 matches)
    150 deny udp any any eq netbios-ns (1199 matches)
    160 deny tcp any any eq 445 (184579 matches)
    170 deny udp any any eq 445
    180 deny udp any any eq 1434 (7906 matches)
    190 permit tcp any any (159634165 matches)
    200 permit udp any any (13819542 matches)
    210 permit icmp any any (506336 matches)
    220 permit esp any any (617784 matches)
    230 permit gre any any (760294 matches)
    240 permit ip any any (4020 matches)

Extended IP access list LimitingInternetout
    10 deny ip any 192.168.0.0 0.0.255.255
    20 deny ip any 172.16.0.0 0.15.255.255
    30 deny ip any 10.0.0.0 0.255.255.255
    40 deny ip any <redacted> log
    50 deny ip any <redacted> log
    60 deny ip any <redacted> log
    70 deny ip any <redacted> log
    80 deny ip any <redacted> log
    90 deny ip <redacted> any log (635 matches)
    100 deny ip <redacted> any log
    110 deny ip <redacted> any log
    120 deny ip <redacted> any log
    130 deny ip <redacted> any log
    140 deny tcp any any eq smtp
    150 deny tcp any any eq 135
    160 deny udp any any eq 135
    170 deny tcp any any eq 137
    180 deny udp any any eq netbios-ns
    190 deny tcp any any eq 445
    200 deny udp any any eq 445
    210 deny udp any any eq 1434
    220 permit tcp any any (153148153 matches)
    230 permit udp any any (12780281 matches)
    240 permit icmp any any (641849 matches)
    250 permit esp any any (500265 matches)
    260 permit gre any any (663944 matches)
    270 permit ip any any (4772 matches)

Extended IP access list ULB-AP-NAT
    10 permit ip 192.168.99.0 0.0.0.255 any
    20 permit ip 192.168.1.0 0.0.0.255 any

cASR1kd15-1#show ipv6 access-list

Load for five secs: 1%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, 21:19:33.840 UTC Sat Feb 5 2011

IPv6 access list ForbiddenV6Ports
    deny tcp any any eq smtp (530 matches) sequence 10
    deny tcp any any eq 135 sequence 20
    deny udp any any eq 135 sequence 30
    deny tcp any any eq 137 sequence 40
    deny udp any any eq netbios-ns sequence 50
    deny tcp any any eq 445 sequence 60
    deny udp any any eq 445 sequence 70
    deny udp any any eq 1434 sequence 80
    permit tcp any any (44500818 matches) sequence 90
    permit udp any any (1407868 matches) sequence 100
    permit icmp any any (484609 matches) sequence 110
    permit esp any any sequence 120
    permit sctp any any sequence 130
    permit ipv6 any any (3312 matches) sequence 140
No doubt an interesting discussion regarding these numbers can follow.
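As an added example (not code from the original post), here is a small Python parser for the `show ip access-list` and `show ipv6 access-list` output above. It pulls the per-entry hit counters, totals what each list dropped versus passed, and lists the deny entries that actually fired, which is the quick way to see whether a "statistics" ACL like the ones above is catching anything. The sample output is a constructed excerpt in the same format with invented list names.

```python
import re

# Constructed excerpt in the format of the `show ip access-list` and
# `show ipv6 access-list` output above; the list names are invented.
SAMPLE = """\
Extended IP access list Example-In
    10 deny ip any 192.168.0.0 0.0.255.255 (460 matches)
    20 deny ip any <redacted> log
    30 deny tcp any any eq smtp (337 matches)
    40 deny udp any any eq netbios-ns (1108 matches)
    50 permit tcp any any (58839653 matches)
    60 permit udp any any (132585 matches)
    70 permit ip any any (2 matches)
IPv6 access list Example-v6
    deny tcp any any eq smtp (530 matches) sequence 10
    deny udp any any eq 1434 sequence 80
    permit tcp any any (44500818 matches) sequence 90
"""

ACL_HEADER = re.compile(r"^(?:Extended IP|Standard IP|IPv6) access list (\S+)")
# IPv4 entries lead with the sequence number; IPv6 entries carry it at the end.
ACE_V4 = re.compile(r"^\s+(\d+) (permit|deny) (.*?)(?: \((\d+) matches\))?$")
ACE_V6 = re.compile(r"^\s+(permit|deny) (.*?)(?: \((\d+) matches\))? sequence (\d+)$")


def parse_access_lists(text):
    """Map each ACL name to a list of (seq, action, rule, matches) tuples."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is None or not line.strip():
            continue
        m = ACE_V4.match(line)
        if m:
            seq, action, rule, hits = m.groups()
        else:
            m = ACE_V6.match(line)
            if not m:
                continue  # not an entry line (e.g. a prompt or load line)
            action, rule, hits, seq = m.groups()
        # An entry without a "(N matches)" suffix has never matched a packet.
        acls[current].append((int(seq), action, rule.strip(), int(hits or 0)))
    return acls


def summarize(entries):
    """Packets denied and permitted by one ACL, plus the share that was denied."""
    denied = sum(h for _, action, _, h in entries if action == "deny")
    permitted = sum(h for _, action, _, h in entries if action == "permit")
    total = denied + permitted
    return {"denied": denied, "permitted": permitted,
            "deny_ratio": denied / total if total else 0.0}


def active_denies(entries):
    """Deny entries that actually dropped traffic, busiest first: (seq, rule, hits)."""
    hits = [(h, seq, rule) for seq, action, rule, h in entries
            if action == "deny" and h > 0]
    return [(seq, rule, h) for h, seq, rule in sorted(hits, reverse=True)]
```

Feed it the text captured from the router (for example `parse_access_lists(open("acl.txt").read())`) and call `summarize` and `active_denies` per list; counters that stay at zero for the whole event tell you which deny entries can be dropped or demoted.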