[cisco-nas] Offload PPPoE processing from DSL aggregation 7206 to another 7206?
Scott Lambert
lambert at lambertfam.org
Fri Jul 21 16:38:29 EDT 2006
On Fri, Jul 21, 2006 at 11:54:22AM -0400, vince at cisco.com wrote:
> Scott,
>
> When looking at CPU, it's important to look at both numbers and the
> process.
This is the current status. We haven't hit the peak time of day just
yet.
router-7204#show proc cpu | exclude 0.00% 0.00%
CPU utilization for five seconds: 67%/35%; one minute: 65%; five minutes: 65%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 879936 3434053 256 0.08% 0.15% 0.16% 0 OSPF Hello
4 874024 75920 11512 0.00% 0.24% 0.18% 0 Check heaps
15 2331748 2152819 1083 0.57% 0.40% 0.38% 0 ARP Input
16 155060 104160 1488 0.00% 0.02% 0.00% 0 HC Counter Timer
22 16505324 3536298 4667 3.43% 3.47% 3.45% 0 Net Background
25 564820 453492 1245 0.00% 0.05% 0.05% 0 Per-Second Jobs
40 2317800 13995077 165 0.32% 0.56% 0.53% 0 IP Input
41 1152344 5346371 215 0.16% 0.20% 0.18% 0 PPP auth
49 361768 5269743 68 0.24% 0.06% 0.06% 0 IP Background
63 363544 748701 485 0.08% 0.07% 0.08% 0 CEF process
71 393668 6970 56480 0.00% 0.09% 0.06% 0 IP Cache Ager
76 54270392 3276067 16565 12.42% 10.94% 10.91% 0 VTEMPLATE Backgr
93 256388 13600790 18 0.08% 0.03% 0.01% 0 Net Input
94 865600 83490 10367 0.08% 0.15% 0.16% 0 Compute load avg
95 86016 10069 8542 0.00% 0.01% 0.00% 0 Per-minute Jobs
108 79760492 5828914 13683 14.28% 14.33% 15.54% 0 PPPOE discovery
114 2772132 8902392 311 0.24% 0.28% 0.26% 0 PPP manager
121 597352 4526689 131 0.00% 0.08% 0.08% 0 RADIUS
126 1067848 6702179 159 0.16% 0.26% 0.22% 0 OSPF Router
128 28 146 191 0.00% 0.01% 0.00% 2 Virtual Exec
> The left and the right. A fair amount of the time the CPU is high
> because of fragmentation.
>
> 1000 users on a NPE400 sounds a little low, but this also depends on
> the throughput.
>
> Can you post your config? Do you have any MTU adjust commands in your
> config?
I'll attach a privacy modified version of the config that RANCID keeps.
Just in the PPPoE virtual template:
interface Virtual-Template3
description PPPoE Template
mtu 1492
ip unnumbered FastEthernet0/0.1
no ip route-cache
ip ospf database-filter all out
no logging event link-status
peer default ip address pool dsl
ppp authentication pap callin
> > -----Original Message-----
> > From: cisco-nas-bounces at puck.nether.net
> > [mailto:cisco-nas-bounces at puck.nether.net] On Behalf Of Scott Lambert
> > Sent: Thu Jul 20, 2006 2:04 PM
> > To: cisco-nas at puck.nether.net
> > Subject: Re: [cisco-nas] Offload PPPoE processing from DSL
> > aggregation 7206 to another 7206?
> >
> > On Thu, Jul 20, 2006 at 05:40:08AM +0200, Oliver Boehmer
> > (oboehmer) wrote:
> > > Scott Lambert <> wrote on Thursday, July 20, 2006 1:40 AM:
> > >
> > > > I have about 1000 PPPoE users on a 7206vxr with NPE400. The CPU
> > > > load is at about 75% according to the MRTG 1 and 5 minute
> > > > averages. According to sho proc cpu, the load is much higher than
> > > > that for tens of seconds at a time. I'm thinking that is about as
> > > > high a load as I want on a router.
> > >
> > > Right, looks too high.
> > > Are you terminating PPPoE (over ATM) directly on the box, or are you
> > > terminating PPP sessions forwarded to you via L2TP?
> >
> > Sorry, it is PPPoE over ATM.
> >
> > > > I have another 500 users I need to migrate over from acquisition of
> > > > another ISP. My connection to the Telco is an OC3 and the migrated
> > > > user will be brought in over the same OC3.
> > >
> > > If you terminate the PPPoE sessions directly, you definitely need
> > > faster hardware. You could still forward the sessions via L2TP, but
> > > this will not really decrease the load compared to if you terminated
> > > them directly.
> >
> > I would like to thank everyone for their advice. I will be
> > investigating what it takes to do the L2TP to a cluster of *nix boxes.
> > If it doesn't take the same amount of horsepower to go from
> > the ATM to an L2TP tunnel(s) as it does to go from ATM to
> > PPPoE, it sounds like a nice idea for future scalability.
> >
> > I now have an NPE-G1 on order. I hope that will hold us
> > until we run out of bandwidth on the ATM OC3. Or, at least,
> > until it's feasible to get another circuit we can terminate
> > in a separate box.
> >
> > --
> > Scott Lambert KC5MLE
> > Unix SysAdmin
> > lambert at lambertfam.org
--
Scott Lambert KC5MLE Unix SysAdmin
lambert at lambertfam.org
-------------- next part --------------
!RANCID-CONTENT-TYPE: cisco
!
!Chassis type: 7204VXR - a 7200 router
!CPU: NPE400, R7000 CPU at 350Mhz, impl 39, Rev 3.2, 256KB L2, 4096KB L3 Cache
!
!Memory: main 245760K/16384K
!Memory: nvram 125K
!Memory: bootflash 4096K
!Memory: pcmcia Flash slot0 20480K
!
!Processor ID: 21276969
!
!Power: Power supply 1 is Zytek AC Power Supply. Unit is on.
!Power: Power supply 2 is Zytek AC Power Supply. Unit is on.
!
!Image: Software: C7200-IS-M, 12.2(29), RELEASE SOFTWARE (fc3)
!Image: Compiled: Wed 11-May-05 15:38 by kellmill
!Image: slot0:c7200-is-mz.122-29.bin
!
!ROM Bootstrap: Version 12.1(20000710:044039) [nlaw-121E_npeb 117], DEVELOPMENT SOFTWARE
!BOOTLDR: Version 12.0(17)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
!
!
!
!Variable: BOOT variable =
!Variable: CONFIG_FILE variable does not exist
!Variable: BOOTLDR variable does not exist
!Variable: INHIBIT_BSI variable does not exist
!
!Flash: nvram: Directory of nvram:/
!Flash: nvram: 64 -rw- 62665 <no date> startup-config
!Flash: nvram: 65 ---- 79 <no date> private-config
!Flash: nvram: 66 -rw- 62665 <no date> underlying-config
!Flash: nvram: 1 ---- 32 <no date> persistent-data
!Flash: nvram: 2 -rw- 0 <no date> ifIndex-table
!Flash: nvram: 3 -rw- 1607 <no date> cerf_report
!Flash: nvram: 129016 bytes total (62124 bytes free)
!
!Flash: bootflash: Directory of bootflash:/
!Flash: bootflash: 1 -rw- 3112392 Jun 16 1919 02:09:30 +00:00 c7200-boot-mz.120-17.S
!Flash: bootflash: 2 -rw- 220889 Jul 16 2006 23:20:24 +00:00 crashinfo_20060716-232024
!Flash: bootflash: 3407872 bytes total (74332 bytes free)
!
!Flash: slot0: Directory of slot0:/
!Flash: slot0: 1 -rw- 12117216 Jan 1 2000 01:18:40 +00:00 c7200-is-mz.122-29.bin
!Flash: slot0: 20578304 bytes total (8460960 bytes free)
!
!Interface: FastEthernet0/0, DEC21140A
!Interface: ATM1/0, ENHANCED ATM PA - OC3 (155000Kbps)
!
!Slot 0: type FE-IO-TX, 1 ports
!Slot 0: hvers 2.1 rev B0
!Slot 0: part 73-4092-03, serial 21039413
!
!Slot 1: type ATM WAN OC3 SMI, 1 ports
!Slot 1: hvers 2.0 rev A0
!Slot 1: part 73-2427-04, serial 16107727
!
!Slot 4: type Channelized T1 CSU, 8 ports
!Slot 4: hvers 1.0 rev A0
!Slot 4: part 73-2488-06, serial 12393996
!
!Slot Midplane: hvers 2.1 rev B0
!Slot Midplane: part 73-3905-03, serial 21276969
!
!Slot CPU: hvers 1.0 rev B0
!Slot CPU: part 28-4086-02, serial 23267414
!
!
config-register 0x2102
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router-7204
!
no logging buffered
no logging console
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius none
aaa accounting delay-start
aaa accounting network default start-stop group radius
enable secret 5 $1$<removed>
!
!username <removed> password <removed>
ip subnet-zero
ip icmp rate-limit unreachable 2000
ip cef
!
ip domain-name domain.tld
ip name-server 10.10.218.2
ip name-server 10.10.218.3
ip dhcp excluded-address 10.153.113.1
ip dhcp ping packets 5
!
ip dhcp pool <RBE DSL Users>
network 10.153.113.0 255.255.255.0
dns-server 10.10.218.2 10.10.218.3
domain-name domain2.tld
default-router 10.153.113.1
lease 0 12
!
no ip bootp server
async-bootp dns-server 10.10.218.2 10.10.218.3
vpdn enable
!
vpdn-group swb
accept-dialin
protocol pppoe
virtual-template 3
pppoe limit per-vc 500 ! what does this do?
!
call rsvp-sync
!
controller T1 4/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 4/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 4/2
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 4/3
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 4/4
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 4/5
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 4/6
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 4/7
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
vc-class atm dsl
protocol pppoe
encapsulation aal5snap
!
vc-class atm swboa
encapsulation aal5mux ppp Virtual-Template1
!
vc-class atm swbdsl
protocol pppoe
encapsulation aal5snap
!
vc-class atm pppoe3072
protocol pppoe
ubr 3072
encapsulation aal5snap
!
vc-class atm pppoe1536
protocol pppoe
ubr 1536
encapsulation aal5snap
!
vc-class atm pppoe256
protocol pppoe
ubr 256
encapsulation aal5snap
!
vc-class atm pppoa1536
ubr 1536
encapsulation aal5mux ppp Virtual-Template1
!
vc-class atm pppoa3072
ubr 3072
encapsulation aal5mux ppp Virtual-Template1
!
interface Loopback0
no ip address
!
interface Loopback1
ip address 10.153.113.1 255.255.255.0
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description "VLAN trunk port"
no ip address
no ip proxy-arp
duplex full
no cdp enable
!
interface FastEthernet0/0.1
description "Server LAN"
encapsulation dot1Q 1 native
ip address 10.10.218.5 255.255.255.240
no ip proxy-arp
ip ospf network broadcast
ip ospf priority 5
ip ospf retransmit-interval 20
ip policy route-map pastdue
no cdp enable
!
interface FastEthernet0/0.2
description "Colo LAN 1"
encapsulation dot1Q 2
ip address 10.20.76.1 255.255.255.240
no ip proxy-arp
ip policy route-map pastdue
no cdp enable
!
interface FastEthernet0/0.3
description "Colo LAN 2"
encapsulation dot1Q 3
ip address 10.153.112.1 255.255.255.224
no ip proxy-arp
no cdp enable
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
!
interface ATM1/0.2 point-to-point
description AT&T BACKBONE
ip address 10.08.183.230 255.255.255.252
ip access-group hacker in
ip access-group netbios out
ip verify unicast reverse-path
pvc sbcis 15/67
vbr-nrt 35000 35000 32
oam-pvc manage
encapsulation aal5snap
!
!
interface ATM1/0.8 multipoint
description SWB DSL CUSTOMERS
ip policy route-map pastdue
pvc pvc233 2/33
class-vc dsl
!
! Pulled a bunch of PVCs
!
pvc pvc2335 2/335
class-vc dsl
!
pvc pvc21019 2/1019
class-vc dsl
!
pvc pvc3106 3/106
class-vc dsl
!
pvc pvc434 4/34
class-vc swbdsl
!
! Pulled a couple of PVCs
!
pvc pvc437 4/37
class-vc dsl
!
pvc pvc534 5/34
class-vc pppoe1536
!
pvc pvc634 6/34
class-vc swbdsl
!
pvc pvc734 7/34
class-vc dsl
!
pvc pvc736 7/36
class-vc dsl
!
pvc pvc834 8/34
class-vc dsl
!
! Pulled a few PVCs
!
pvc pvc852 8/52
class-vc dsl
!
pvc pvc934 9/34
class-vc dsl
!
pvc pvc935 9/35
class-vc dsl
!
pvc pvc1034 10/34
class-vc dsl
!
pvc pvc10105 10/105
class-vc dsl
!
pvc pvc1234 12/34
class-vc dsl
!
! Pulled a bunch of PVCs
!
pvc pvc12249 12/249
class-vc dsl
!
pvc pvc1434 14/34
class-vc pppoe1536
!
!
interface ATM1/0.20 multipoint
description Alltel DSL Customers
ip policy route-map pastdue
!
pvc pvc5132 51/32
class-vc pppoe1536
!
! Pulled a bunch of PVCs
!
pvc pvc51380 51/380
class-vc pppoe256
!
pvc pvc5232 52/32
class-vc pppoe3072
!
! Pulled a bunch of PVCs
!
pvc pvc52338 52/338
class-vc pppoe1536
!
!
interface ATM1/0.2116 point-to-point
description foo0737
ip unnumbered Loopback1
atm route-bridged ip
pvc 2/116
ubr 1536
encapsulation aal5snap
!
!
! Removed 41 RBE type interfaces. Only the descriptions and PVCs differ.
!
interface ATM1/0.52400 point-to-point
description blah2666
ip unnumbered Loopback1
atm route-bridged ip
pvc blah2666 52/400
ubr 1536
encapsulation aal5snap
!
!
interface Serial4/0:0
description PoP 40
ip address 10.10.218.253 255.255.255.252
encapsulation ppp
ip ospf network point-to-point
ip ospf priority 5
ip ospf retransmit-interval 20
ip policy route-map pastdue
down-when-looped
no cdp enable
!
interface Serial4/1:0
description PoP 41
ip address 10.10.218.245 255.255.255.252
encapsulation ppp
ip ospf network point-to-point
ip ospf priority 5
ip policy route-map pastdue
down-when-looped
no cdp enable
!
interface Serial4/2:0
description PoP 43
ip address 10.10.218.249 255.255.255.252
encapsulation ppp
ip ospf network point-to-point
ip ospf retransmit-interval 20
ip ospf flood-reduction
ip policy route-map pastdue
down-when-looped
no cdp enable
!
interface Serial4/3:0
no ip address
no cdp enable
!
interface Serial4/4:0
no ip address
no cdp enable
!
interface Serial4/5:0
description CUSTOMER 45
ip address 10.10.218.221 255.255.255.252
encapsulation ppp
ip mroute-cache
no cdp enable
!
interface Serial4/6:0
description CUSTOMER 46
ip address 10.10.218.217 255.255.255.252
encapsulation ppp
no cdp enable
!
interface Serial4/7:0
description CUSTOMER 47
ip address 10.189.3.221 255.255.255.252
encapsulation ppp
no cdp enable
!
interface Virtual-Template1
description PPPoA Template
ip unnumbered FastEthernet0/0.1
no ip route-cache
ip ospf database-filter all out
peer default ip address pool dsl
ppp authentication pap callin
!
interface Virtual-Template3
description PPPoE Template
mtu 1492
ip unnumbered FastEthernet0/0.1
no ip route-cache
ip ospf database-filter all out
no logging event link-status
peer default ip address pool dsl
ppp authentication pap callin
!
router ospf 1
router-id 10.10.218.5
log-adjacency-changes
summary-address 10.153.115.0 255.255.255.0
summary-address 10.15.64.0 255.255.255.0
summary-address 10.15.65.0 255.255.255.0
summary-address 10.153.113.0 255.255.255.0
redistribute connected subnets
redistribute static subnets
network 10.20.76.0 0.0.0.15 area 0
network 10.189.3.192 0.0.0.3 area 0
network 10.10.218.0 0.0.0.15 area 0
network 10.10.218.220 0.0.0.3 area 0
network 10.10.218.244 0.0.0.3 area 0
network 10.10.218.248 0.0.0.3 area 0
network 10.10.218.252 0.0.0.3 area 0
!
ip local pool dsl 10.15.64.1 10.15.67.254
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 68.88.183.229
ip route 10.128.0.0 255.255.0.0 10.20.76.2
ip route 10.20.76.16 255.255.255.248 10.153.112.2
ip route 10.22.29.0 255.255.255.192 10.10.218.9
ip route 10.22.29.64 255.255.255.224 10.10.218.9
ip route 10.22.29.96 255.255.255.224 10.10.218.14
ip route 10.22.29.128 255.255.255.192 10.10.218.14
ip route 10.22.29.208 255.255.255.248 10.22.29.246
ip route 10.22.29.216 255.255.255.248 10.189.3.222
ip route 10.142.113.32 255.255.255.224 10.20.76.27
ip route 10.142.113.64 255.255.255.240 10.20.76.27
ip route 10.142.113.80 255.255.255.240 10.10.218.214
ip route 10.153.112.32 255.255.255.224 10.20.76.2
ip route 10.153.112.64 255.255.255.192 10.20.76.2
ip route 10.153.112.128 255.255.255.128 10.20.76.2
ip route 10.153.114.0 255.255.255.0 10.20.76.2
ip route 172.16.0.0 255.255.255.0 10.20.76.27 225
ip route 10.189.3.224 255.255.255.240 10.20.76.2
ip route 10.189.3.240 255.255.255.252 10.20.76.2
ip route 10.189.3.252 255.255.255.252 10.10.218.246
ip route 10.10.218.208 255.255.255.248 10.10.218.218
ip route 10.10.218.240 255.255.255.252 10.189.3.198
no ip http server
!
ip access-list extended blockcuda
description used for relieving load on the spam firewall during a spam storm
permit tcp 10.20.76.0 0.0.0.255 host 10.20.76.9 eq smtp
permit tcp 10.24.11.0 0.0.0.255 host 10.20.76.9 eq smtp
permit tcp 10.142.113.0 0.0.0.255 host 10.20.76.9 eq smtp
permit tcp 10.153.112.0 0.0.3.255 host 10.20.76.9 eq smtp
permit tcp 10.15.64.0 0.0.3.255 host 10.20.76.9 eq smtp
permit tcp 10.189.3.0 0.0.0.255 host 10.20.76.9 eq smtp
permit tcp 10.10.218.0 0.0.0.255 host 10.20.76.9 eq smtp
permit tcp nearby ISP
permit tcp nearby ISP
permit tcp large email provider
permit tcp large email provider
permit tcp large email provider
permit tcp large email provider
permit tcp large email provider
deny tcp any host 10.20.76.9 eq smtp
deny tcp any host 10.20.76.9 eq 8000
permit ip any any
ip access-list extended hacker
deny ip 10.0.0.0 0.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 10.20.76.0 0.0.0.255 any
deny ip 10.22.29.0 0.0.0.255 any
deny ip 10.24.11.0 0.0.0.255 any
deny ip 10.142.113.0 0.0.0.255 any
deny ip 10.153.112.0 0.0.3.255 any
deny ip 10.15.64.0 0.0.3.255 any
deny ip 10.189.3.0 0.0.0.255 any
deny ip 10.10.218.0 0.0.0.255 any
deny tcp any host 10.10.218.19 eq finger
deny udp any any eq snmp
deny tcp any any eq 161
deny udp any any eq snmptrap
deny tcp any any eq 162
deny tcp any any eq 1993
deny udp any any eq 1993
deny udp any any eq 135
deny tcp any any eq 135
deny udp any any eq netbios-ns
deny tcp any any eq 137
deny udp any any eq netbios-dgm
deny tcp any any eq 138
deny udp any any eq netbios-ss
deny tcp any any eq 139
deny udp any any eq 445
deny tcp any any eq 445
deny tcp any host 10.10.218.2 eq 1984
deny tcp any host 10.10.218.3 eq 1984
deny tcp any host 10.10.218.4 eq 1984
deny tcp any host 10.10.218.2 eq 10000
deny tcp any host 10.10.218.3 eq 10000
deny tcp any host 10.10.218.4 eq 10000
deny tcp any host 10.10.218.4 eq 1022
deny tcp any host 10.10.218.4 eq 1023
deny tcp any host 10.10.218.4 eq 2049
deny tcp any host 10.10.218.2 eq sunrpc
deny tcp any host 10.10.218.4 eq 143
deny udp any host 10.10.218.1
deny tcp any host 10.10.218.1
deny udp any host 10.10.218.8
deny tcp any host 10.10.218.8
deny udp any host 10.10.218.9
deny tcp any host 10.10.218.9
deny udp any host 10.10.218.14
deny tcp any host 10.10.218.14
deny udp any host 10.10.218.17
deny tcp any host 10.10.218.17
deny udp any host 10.10.218.18
deny tcp any host 10.10.218.18
deny udp any host 10.10.218.20
deny tcp any host 10.10.218.20
deny udp any host 10.10.218.21
deny tcp any host 10.10.218.21
deny udp any host 10.10.218.254
deny tcp any host 10.10.218.254
deny udp any host 10.189.3.10
deny tcp any host 10.189.3.10
deny udp any host 10.189.3.11
deny tcp any host 10.189.3.11
deny udp any host 10.189.3.12
deny tcp any host 10.189.3.12
deny udp any host 10.10.218.250
deny tcp any host 10.10.218.250
deny udp any host 10.189.3.197
deny tcp any host 10.189.3.197
deny udp any host 10.189.3.201
deny tcp any host 10.189.3.201
deny udp any host 10.10.218.241
deny tcp any host 10.10.218.241
deny udp any host 10.189.3.198
deny tcp any host 10.189.3.198
deny udp any host 10.189.3.1
deny tcp any host 10.189.3.1
deny udp any host 10.189.3.3
deny tcp any host 10.189.3.3
deny udp any host 10.20.76.26
deny tcp any host 10.20.76.26
deny udp any host 10.20.76.27
deny tcp any host 10.20.76.27
deny udp any host 10.189.3.250
deny tcp any host 10.189.3.250
permit ip any any
ip access-list extended hackerproofout
permit ip any any
ip access-list extended netbios
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 139
deny udp any any eq 136
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny tcp any any eq 445
deny udp any any eq 445
deny tcp host 10.153.112.14 any eq 1434
deny udp host 10.153.112.14 any eq 1434
deny ip any 127.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip any 10.20.76.0 0.0.0.255
deny ip any 10.22.29.0 0.0.0.255
deny ip any 10.24.11.0 0.0.0.255
deny ip any 10.142.113.0 0.0.0.255
deny ip any 10.153.112.0 0.0.3.255
deny ip any 10.15.64.0 0.0.3.255
deny ip any 10.189.3.0 0.0.0.255
deny ip any 10.10.218.0 0.0.0.255
permit ip any any
logging trap debugging
logging source-interface FastEthernet0/0.1
logging 10.10.218.2
access-list 133 permit tcp 172.16.0.0 0.0.0.255 any
no cdp run
route-map pastdue permit 10
match ip address 133
set ip next-hop 10.10.218.12
!
snmp-server engineID local 0000000<whatever that number means>
snmp-server community <removed> RO 10
snmp-server enable traps tty
radius-server host 10.10.218.2 auth-port 1645 acct-port 1646
radius-server host 10.10.218.3 auth-port 1645 acct-port 1646
radius-server timeout 15
radius-server deadtime 2
radius-server attribute nas-port format d
!radius-server key <removed>
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
!
dial-peer cor custom
!
gatekeeper
shutdown
!
banner motd ^C
This is a private system owned and operated
by <blah ISP>. Unauthorized entry
is prohibited. All connections are logged. ^C
!
line con 0
line aux 0
line vty 0 4
! password <removed>
!
ntp source FastEthernet0/0.1
ntp peer 10.20.76.7
ntp server 10.20.76.4
ntp server 10.153.112.20
end
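
As an added example (not part of the original post, the attached config, or any Cisco tooling): a Python parser for the `show proc cpu` output quoted in the message, which splits the `67%/35%` header into total and interrupt-level CPU and ranks the per-process rows, the "both numbers and the process" view asked for in the thread. The function names and the default `watch` list are choices made for this example.

```python
import re

# Rows with a non-zero 5Sec value from the `show proc cpu` output quoted in the
# post, kept with the single-space columns the list archive left behind.
SAMPLE = """\
CPU utilization for five seconds: 67%/35%; one minute: 65%; five minutes: 65%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 879936 3434053 256 0.08% 0.15% 0.16% 0 OSPF Hello
15 2331748 2152819 1083 0.57% 0.40% 0.38% 0 ARP Input
22 16505324 3536298 4667 3.43% 3.47% 3.45% 0 Net Background
40 2317800 13995077 165 0.32% 0.56% 0.53% 0 IP Input
41 1152344 5346371 215 0.16% 0.20% 0.18% 0 PPP auth
49 361768 5269743 68 0.24% 0.06% 0.06% 0 IP Background
63 363544 748701 485 0.08% 0.07% 0.08% 0 CEF process
76 54270392 3276067 16565 12.42% 10.94% 10.91% 0 VTEMPLATE Backgr
93 256388 13600790 18 0.08% 0.03% 0.01% 0 Net Input
94 865600 83490 10367 0.08% 0.15% 0.16% 0 Compute load avg
108 79760492 5828914 13683 14.28% 14.33% 15.54% 0 PPPOE discovery
114 2772132 8902392 311 0.24% 0.28% 0.26% 0 PPP manager
126 1067848 6702179 159 0.16% 0.26% 0.22% 0 OSPF Router
"""

HEADER = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")


def parse_show_proc_cpu(text):
    """Return the header figures and per-process rows from `show proc cpu`."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt, one_min, five_min = map(int, head.groups())
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "name": m.group(9),
                          "5sec": float(m.group(5)), "5min": float(m.group(7))})
    # In "A%/B%", A is total CPU and B is time spent at interrupt level;
    # the difference is what scheduled processes used.
    return {"total": total, "interrupt": interrupt,
            "process_level": total - interrupt,
            "one_min": one_min, "five_min": five_min, "processes": procs}


def summarize(report, watch=("PPPOE discovery", "VTEMPLATE Backgr"), top=3):
    """Rank processes by 5-second CPU and total up the watched names."""
    procs = sorted(report["processes"], key=lambda p: p["5sec"], reverse=True)
    listed = round(sum(p["5sec"] for p in procs), 2)
    watched = round(sum(p["5sec"] for p in procs if p["name"] in watch), 2)
    return {"top": [(p["name"], p["5sec"]) for p in procs[:top]],
            "listed_sum": listed, "watched_sum": watched,
            "watched_share": round(watched / listed, 2) if listed else 0.0}


if __name__ == "__main__":
    rep = parse_show_proc_cpu(SAMPLE)
    print(f"total {rep['total']}%  interrupt {rep['interrupt']}%  "
          f"process-level {rep['process_level']}%")
    print(summarize(rep))
```

On the posted sample the per-process rows add up to the process-level figure (total minus interrupt), which is a quick sanity check that no busy process was filtered out of the listing.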