[cisco-nas] Offload PPPoE processing from DSL aggregation 7206 to another 7206?

Scott Lambert lambert at lambertfam.org
Fri Jul 21 16:38:29 EDT 2006


On Fri, Jul 21, 2006 at 11:54:22AM -0400, vince at cisco.com wrote:
>  Scott,
> 
> When looking at CPU, it's important to look at both numbers and the
> process.

This is the current status.  We haven't hit the peak time of day just
yet.

router-7204#show proc cpu | exclude 0.00%  0.00%
CPU utilization for five seconds: 67%/35%; one minute: 65%; five minutes: 65%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process 
   3      879936   3434053        256  0.08%  0.15%  0.16%   0 OSPF Hello       
   4      874024     75920      11512  0.00%  0.24%  0.18%   0 Check heaps      
  15     2331748   2152819       1083  0.57%  0.40%  0.38%   0 ARP Input        
  16      155060    104160       1488  0.00%  0.02%  0.00%   0 HC Counter Timer 
  22    16505324   3536298       4667  3.43%  3.47%  3.45%   0 Net Background   
  25      564820    453492       1245  0.00%  0.05%  0.05%   0 Per-Second Jobs  
  40     2317800  13995077        165  0.32%  0.56%  0.53%   0 IP Input         
  41     1152344   5346371        215  0.16%  0.20%  0.18%   0 PPP auth         
  49      361768   5269743         68  0.24%  0.06%  0.06%   0 IP Background    
  63      363544    748701        485  0.08%  0.07%  0.08%   0 CEF process      
  71      393668      6970      56480  0.00%  0.09%  0.06%   0 IP Cache Ager    
  76    54270392   3276067      16565 12.42% 10.94% 10.91%   0 VTEMPLATE Backgr 
  93      256388  13600790         18  0.08%  0.03%  0.01%   0 Net Input        
  94      865600     83490      10367  0.08%  0.15%  0.16%   0 Compute load avg 
  95       86016     10069       8542  0.00%  0.01%  0.00%   0 Per-minute Jobs  
 108    79760492   5828914      13683 14.28% 14.33% 15.54%   0 PPPOE discovery  
 114     2772132   8902392        311  0.24%  0.28%  0.26%   0 PPP manager      
 121      597352   4526689        131  0.00%  0.08%  0.08%   0 RADIUS           
 126     1067848   6702179        159  0.16%  0.26%  0.22%   0 OSPF Router      
 128          28       146        191  0.00%  0.01%  0.00%   2 Virtual Exec    

> The left and the right. A fair amount of the time the CPU is high
> because of fragmentation.
>
> 1000 users on a NPE400 sounds a little low, but this also depends on
> the throughput.
>
> Can you post your config? Do you have any MTU adjust commands in your
> config?

I'll attach a privacy modified version of the config that RANCID keeps.

Just in the PPPoE virtual template:

interface Virtual-Template3
 description PPPoE Template
 mtu 1492
 ip unnumbered FastEthernet0/0.1
 no ip route-cache
 ip ospf database-filter all out
 no logging event link-status
 peer default ip address pool dsl
 ppp authentication pap callin

 
> > -----Original Message-----
> > From: cisco-nas-bounces at puck.nether.net 
> > [mailto:cisco-nas-bounces at puck.nether.net] On Behalf Of Scott Lambert
> > Sent: Thu Jul 20, 2006 2:04 PM
> > To: cisco-nas at puck.nether.net
> > Subject: Re: [cisco-nas] Offload PPPoE processing from DSL
> > aggregation 7206 to another 7206?
> > 
> > On Thu, Jul 20, 2006 at 05:40:08AM +0200, Oliver Boehmer (oboehmer) wrote:
> > > Scott Lambert <> wrote on Thursday, July 20, 2006 1:40 AM:
> > > 
> > > > I have about 1000 PPPoE users on a 7206vxr with NPE400.  The CPU
> > > > load is at about 75% according to the MRTG 1 and 5 minute averages.
> > > > According to sho proc cpu, the load is much higher than that for
> > > > tens of seconds at a time.  I'm thinking that is about as high a
> > > > load as I want on a router.
> > > 
> > > Right, looks too high.
> > > Are you terminating PPPoE (over ATM) directly on the box, or are you
> > > terminating PPP sessions forwarded to you via L2TP?
> >  
> > Sorry, it is PPPoE over ATM.
> > 
> > > > I have another 500 users I need to migrate over from acquisition of
> > > > another ISP.  My connection to the Telco is an OC3 and the migrated
> > > > user will be brought in over the same OC3.
> > > 
> > > If you terminate the PPPoE sessions directly, you definitely need a
> > > faster hardware. You could still forward the sessions via L2TP, but
> > > this will not really decrease the load compared to if you terminated
> > > them directly.
> > 
> > I would like to thank everyone for their advice.  I will be
> > investigating what it takes to do the L2TP to a cluster of *nix boxes.
> > If it doesn't take the same amount of horsepower to go from the ATM
> > to an L2TP tunnel(s) as it does to go from ATM to PPPoE, it sounds
> > like a nice idea for future scalability.
> > 
> > I now have an NPE-G1 on order.  I hope that will hold us until we run
> > out of bandwidth on the ATM OC3.  Or, at least, until it's feasible
> > to get another circuit we can terminate in a separate box.
> > 
> > -- 
> > Scott Lambert                    KC5MLE                       Unix SysAdmin
> > lambert at lambertfam.org

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org

-------------- next part --------------
!RANCID-CONTENT-TYPE: cisco
!
!Chassis type: 7204VXR - a 7200 router
!CPU: NPE400, R7000 CPU at 350Mhz, impl 39, Rev 3.2, 256KB L2, 4096KB L3 Cache
!
!Memory: main 245760K/16384K
!Memory: nvram 125K
!Memory: bootflash 4096K
!Memory: pcmcia Flash slot0 20480K
!
!Processor ID: 21276969
!
!Power: Power supply 1 is Zytek AC Power Supply. Unit is on.
!Power: Power supply 2 is Zytek AC Power Supply. Unit is on.
!
!Image: Software: C7200-IS-M, 12.2(29), RELEASE SOFTWARE (fc3)
!Image: Compiled: Wed 11-May-05 15:38 by kellmill
!Image: slot0:c7200-is-mz.122-29.bin
!
!ROM Bootstrap: Version 12.1(20000710:044039) [nlaw-121E_npeb 117], DEVELOPMENT SOFTWARE
!BOOTLDR: Version 12.0(17)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
!
!
!
!Variable: BOOT variable = 
!Variable: CONFIG_FILE variable does not exist
!Variable: BOOTLDR variable does not exist
!Variable: INHIBIT_BSI variable does not exist
!
!Flash: nvram: Directory of nvram:/
!Flash: nvram:    64  -rw-       62665                    <no date>  startup-config
!Flash: nvram:    65  ----          79                    <no date>  private-config
!Flash: nvram:    66  -rw-       62665                    <no date>  underlying-config
!Flash: nvram:     1  ----          32                    <no date>  persistent-data
!Flash: nvram:     2  -rw-           0                    <no date>  ifIndex-table
!Flash: nvram:     3  -rw-        1607                    <no date>  cerf_report
!Flash: nvram: 129016 bytes total (62124 bytes free)
!
!Flash: bootflash: Directory of bootflash:/
!Flash: bootflash:     1  -rw-     3112392  Jun 16 1919 02:09:30 +00:00  c7200-boot-mz.120-17.S
!Flash: bootflash:     2  -rw-      220889  Jul 16 2006 23:20:24 +00:00  crashinfo_20060716-232024
!Flash: bootflash: 3407872 bytes total (74332 bytes free)
!
!Flash: slot0: Directory of slot0:/
!Flash: slot0:     1  -rw-    12117216   Jan 1 2000 01:18:40 +00:00  c7200-is-mz.122-29.bin
!Flash: slot0: 20578304 bytes total (8460960 bytes free)
!
!Interface: FastEthernet0/0, DEC21140A
!Interface: ATM1/0, ENHANCED ATM PA - OC3 (155000Kbps)
!
!Slot 0: type FE-IO-TX, 1 ports
!Slot 0: hvers 2.1 rev B0
!Slot 0: part 73-4092-03, serial 21039413
!
!Slot 1: type ATM WAN OC3 SMI, 1 ports
!Slot 1: hvers 2.0 rev A0
!Slot 1: part 73-2427-04, serial 16107727
!
!Slot 4: type Channelized T1 CSU, 8 ports
!Slot 4: hvers 1.0 rev A0
!Slot 4: part 73-2488-06, serial 12393996
!
!Slot Midplane: hvers 2.1 rev B0
!Slot Midplane: part 73-3905-03, serial 21276969
!
!Slot CPU: hvers 1.0 rev B0
!Slot CPU: part 28-4086-02, serial 23267414
!
!
config-register 0x2102
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router-7204
!
no logging buffered
no logging console
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius none 
aaa accounting delay-start
aaa accounting network default start-stop group radius
enable secret 5 $1$<removed>
!
!username <removed> password <removed>
ip subnet-zero
ip icmp rate-limit unreachable 2000
ip cef
!
ip domain-name domain.tld
ip name-server 10.10.218.2
ip name-server 10.10.218.3
ip dhcp excluded-address 10.153.113.1
ip dhcp ping packets 5
!
ip dhcp pool <RBE DSL Users>
   network 10.153.113.0 255.255.255.0
   dns-server 10.10.218.2 10.10.218.3 
   domain-name domain2.tld
   default-router 10.153.113.1 
   lease 0 12
!
no ip bootp server
async-bootp dns-server 10.10.218.2 10.10.218.3
vpdn enable
!
vpdn-group swb
 accept-dialin
  protocol pppoe
  virtual-template 3
 pppoe limit per-vc 500  ! what does this do?
!
call rsvp-sync
!
controller T1 4/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 4/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 4/2
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 4/3
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 4/4
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 4/5
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 4/6
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 4/7
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
vc-class atm dsl
  protocol pppoe
  encapsulation aal5snap
!
vc-class atm swboa
  encapsulation aal5mux ppp Virtual-Template1
!
vc-class atm swbdsl
  protocol pppoe
  encapsulation aal5snap
!
vc-class atm pppoe3072
  protocol pppoe
  ubr 3072
  encapsulation aal5snap
!
vc-class atm pppoe1536
  protocol pppoe
  ubr 1536
  encapsulation aal5snap
!
vc-class atm pppoe256
  protocol pppoe
  ubr 256
  encapsulation aal5snap
!
vc-class atm pppoa1536
  ubr 1536
  encapsulation aal5mux ppp Virtual-Template1
!
vc-class atm pppoa3072
  ubr 3072
  encapsulation aal5mux ppp Virtual-Template1
!
interface Loopback0
 no ip address
!
interface Loopback1
 ip address 10.153.113.1 255.255.255.0
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description "VLAN trunk port"
 no ip address
 no ip proxy-arp
 duplex full
 no cdp enable
!
interface FastEthernet0/0.1
 description "Server LAN"
 encapsulation dot1Q 1 native
 ip address 10.10.218.5 255.255.255.240
 no ip proxy-arp
 ip ospf network broadcast
 ip ospf priority 5
 ip ospf retransmit-interval 20
 ip policy route-map pastdue
 no cdp enable
!
interface FastEthernet0/0.2
 description "Colo LAN 1"
 encapsulation dot1Q 2
 ip address 10.20.76.1 255.255.255.240
 no ip proxy-arp
 ip policy route-map pastdue
 no cdp enable
!
interface FastEthernet0/0.3
 description "Colo LAN 2"
 encapsulation dot1Q 3
 ip address 10.153.112.1 255.255.255.224
 no ip proxy-arp
 no cdp enable
!
interface ATM1/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM1/0.2 point-to-point
 description AT&T BACKBONE
 ip address 10.08.183.230 255.255.255.252
 ip access-group hacker in
 ip access-group netbios out
 ip verify unicast reverse-path
 pvc sbcis 15/67 
  vbr-nrt 35000 35000 32
  oam-pvc manage
  encapsulation aal5snap
 !
!
interface ATM1/0.8 multipoint
 description SWB DSL CUSTOMERS
 ip policy route-map pastdue
 pvc pvc233 2/33 
  class-vc dsl
 !
 ! Pulled a bunch of PVCs
 !
 pvc pvc2335 2/335 
  class-vc dsl
 !
 pvc pvc21019 2/1019 
  class-vc dsl
 !
 pvc pvc3106 3/106 
  class-vc dsl
 !
 pvc pvc434 4/34 
  class-vc swbdsl
 !
 ! Pulled a couple of PVCs
 !
 pvc pvc437 4/37 
  class-vc dsl
 !
 pvc pvc534 5/34 
  class-vc pppoe1536
 !
 pvc pvc634 6/34 
  class-vc swbdsl
 !
 pvc pvc734 7/34 
  class-vc dsl
 !
 pvc pvc736 7/36 
  class-vc dsl
 !
 pvc pvc834 8/34 
  class-vc dsl
 !
 ! Pulled a few PVCs
 !
 pvc pvc852 8/52 
  class-vc dsl
 !
 pvc pvc934 9/34 
  class-vc dsl
 !
 pvc pvc935 9/35 
  class-vc dsl
 !
 pvc pvc1034 10/34 
  class-vc dsl
 !
 pvc pvc10105 10/105 
  class-vc dsl
 !
 pvc pvc1234 12/34 
  class-vc dsl
 !
 ! Pulled a bunch of PVCs
 !
 pvc pvc12249 12/249 
  class-vc dsl
 !
 pvc pvc1434 14/34 
  class-vc pppoe1536
 !
!
interface ATM1/0.20 multipoint
 description Alltel DSL Customers
 ip policy route-map pastdue
 !
 pvc pvc5132 51/32 
  class-vc pppoe1536
 !
 ! Pulled a bunch of PVCs
 !
 pvc pvc51380 51/380 
  class-vc pppoe256
 !
 pvc pvc5232 52/32 
  class-vc pppoe3072
 !
 ! Pulled a bunch of PVCs
 !
 pvc pvc52338 52/338 
  class-vc pppoe1536
 !
!
interface ATM1/0.2116 point-to-point
 description foo0737
 ip unnumbered Loopback1
 atm route-bridged ip
 pvc 2/116 
  ubr 1536
  encapsulation aal5snap
 !
!
! Removed 41 RBE type interfaces.  Only the descriptions and PVCs differ.
!
interface ATM1/0.52400 point-to-point
 description blah2666
 ip unnumbered Loopback1
 atm route-bridged ip
 pvc blah2666 52/400 
  ubr 1536
  encapsulation aal5snap
 !
!
interface Serial4/0:0
 description PoP 40
 ip address 10.10.218.253 255.255.255.252
 encapsulation ppp
 ip ospf network point-to-point
 ip ospf priority 5
 ip ospf retransmit-interval 20
 ip policy route-map pastdue
 down-when-looped
 no cdp enable
!
interface Serial4/1:0
 description PoP 41
 ip address 10.10.218.245 255.255.255.252
 encapsulation ppp
 ip ospf network point-to-point
 ip ospf priority 5
 ip policy route-map pastdue
 down-when-looped
 no cdp enable
!
interface Serial4/2:0
 description PoP 43
 ip address 10.10.218.249 255.255.255.252
 encapsulation ppp
 ip ospf network point-to-point
 ip ospf retransmit-interval 20
 ip ospf flood-reduction
 ip policy route-map pastdue
 down-when-looped
 no cdp enable
!
interface Serial4/3:0
 no ip address
 no cdp enable
!
interface Serial4/4:0
 no ip address
 no cdp enable
!
interface Serial4/5:0
 description CUSTOMER 45
 ip address 10.10.218.221 255.255.255.252
 encapsulation ppp
 ip mroute-cache
 no cdp enable
!
interface Serial4/6:0
 description CUSTOMER 46
 ip address 10.10.218.217 255.255.255.252
 encapsulation ppp
 no cdp enable
!
interface Serial4/7:0
 description CUSTOMER 47
 ip address 10.189.3.221 255.255.255.252
 encapsulation ppp
 no cdp enable
!
interface Virtual-Template1
 description PPPoA Template
 ip unnumbered FastEthernet0/0.1
 no ip route-cache
 ip ospf database-filter all out
 peer default ip address pool dsl
 ppp authentication pap callin
!
interface Virtual-Template3
 description PPPoE Template
 mtu 1492
 ip unnumbered FastEthernet0/0.1
 no ip route-cache
 ip ospf database-filter all out
 no logging event link-status
 peer default ip address pool dsl
 ppp authentication pap callin
!
router ospf 1
 router-id 10.10.218.5
 log-adjacency-changes
 summary-address 10.153.115.0 255.255.255.0
 summary-address 10.15.64.0 255.255.255.0
 summary-address 10.15.65.0 255.255.255.0
 summary-address 10.153.113.0 255.255.255.0
 redistribute connected subnets
 redistribute static subnets
 network 10.20.76.0 0.0.0.15 area 0
 network 10.189.3.192 0.0.0.3 area 0
 network 10.10.218.0 0.0.0.15 area 0
 network 10.10.218.220 0.0.0.3 area 0
 network 10.10.218.244 0.0.0.3 area 0
 network 10.10.218.248 0.0.0.3 area 0
 network 10.10.218.252 0.0.0.3 area 0
!
ip local pool dsl 10.15.64.1 10.15.67.254
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 68.88.183.229
ip route 10.128.0.0 255.255.0.0 10.20.76.2
ip route 10.20.76.16 255.255.255.248 10.153.112.2
ip route 10.22.29.0 255.255.255.192 10.10.218.9
ip route 10.22.29.64 255.255.255.224 10.10.218.9
ip route 10.22.29.96 255.255.255.224 10.10.218.14
ip route 10.22.29.128 255.255.255.192 10.10.218.14
ip route 10.22.29.208 255.255.255.248 10.22.29.246
ip route 10.22.29.216 255.255.255.248 10.189.3.222
ip route 10.142.113.32 255.255.255.224 10.20.76.27
ip route 10.142.113.64 255.255.255.240 10.20.76.27
ip route 10.142.113.80 255.255.255.240 10.10.218.214
ip route 10.153.112.32 255.255.255.224 10.20.76.2
ip route 10.153.112.64 255.255.255.192 10.20.76.2
ip route 10.153.112.128 255.255.255.128 10.20.76.2
ip route 10.153.114.0 255.255.255.0 10.20.76.2
ip route 172.16.0.0 255.255.255.0 10.20.76.27 225
ip route 10.189.3.224 255.255.255.240 10.20.76.2
ip route 10.189.3.240 255.255.255.252 10.20.76.2
ip route 10.189.3.252 255.255.255.252 10.10.218.246
ip route 10.10.218.208 255.255.255.248 10.10.218.218
ip route 10.10.218.240 255.255.255.252 10.189.3.198
no ip http server
!
ip access-list extended blockcuda
 description used for relieving load on the spam firewall during a spam storm
 permit tcp 10.20.76.0 0.0.0.255 host 10.20.76.9 eq smtp
 permit tcp 10.24.11.0 0.0.0.255 host 10.20.76.9 eq smtp
 permit tcp 10.142.113.0 0.0.0.255 host 10.20.76.9 eq smtp
 permit tcp 10.153.112.0 0.0.3.255 host 10.20.76.9 eq smtp
 permit tcp 10.15.64.0 0.0.3.255 host 10.20.76.9 eq smtp
 permit tcp 10.189.3.0 0.0.0.255 host 10.20.76.9 eq smtp
 permit tcp 10.10.218.0 0.0.0.255 host 10.20.76.9 eq smtp
 permit tcp nearby ISP
 permit tcp nearby ISP
 permit tcp large email provider
 permit tcp large email provider
 permit tcp large email provider
 permit tcp large email provider
 permit tcp large email provider
 deny   tcp any host 10.20.76.9 eq smtp
 deny   tcp any host 10.20.76.9 eq 8000
 permit ip any any
ip access-list extended hacker
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 7.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 10.20.76.0 0.0.0.255 any
 deny   ip 10.22.29.0 0.0.0.255 any
 deny   ip 10.24.11.0 0.0.0.255 any
 deny   ip 10.142.113.0 0.0.0.255 any
 deny   ip 10.153.112.0 0.0.3.255 any
 deny   ip 10.15.64.0 0.0.3.255 any
 deny   ip 10.189.3.0 0.0.0.255 any
 deny   ip 10.10.218.0 0.0.0.255 any
 deny   tcp any host 10.10.218.19 eq finger
 deny   udp any any eq snmp
 deny   tcp any any eq 161
 deny   udp any any eq snmptrap
 deny   tcp any any eq 162
 deny   tcp any any eq 1993
 deny   udp any any eq 1993
 deny   udp any any eq 135
 deny   tcp any any eq 135
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 137
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 138
 deny   udp any any eq netbios-ss
 deny   tcp any any eq 139
 deny   udp any any eq 445
 deny   tcp any any eq 445
 deny   tcp any host 10.10.218.2 eq 1984
 deny   tcp any host 10.10.218.3 eq 1984
 deny   tcp any host 10.10.218.4 eq 1984
 deny   tcp any host 10.10.218.2 eq 10000
 deny   tcp any host 10.10.218.3 eq 10000
 deny   tcp any host 10.10.218.4 eq 10000
 deny   tcp any host 10.10.218.4 eq 1022
 deny   tcp any host 10.10.218.4 eq 1023
 deny   tcp any host 10.10.218.4 eq 2049
 deny   tcp any host 10.10.218.2 eq sunrpc
 deny   tcp any host 10.10.218.4 eq 143
 deny   udp any host 10.10.218.1
 deny   tcp any host 10.10.218.1
 deny   udp any host 10.10.218.8
 deny   tcp any host 10.10.218.8
 deny   udp any host 10.10.218.9
 deny   tcp any host 10.10.218.9
 deny   udp any host 10.10.218.14
 deny   tcp any host 10.10.218.14
 deny   udp any host 10.10.218.17
 deny   tcp any host 10.10.218.17
 deny   udp any host 10.10.218.18
 deny   tcp any host 10.10.218.18
 deny   udp any host 10.10.218.20
 deny   tcp any host 10.10.218.20
 deny   udp any host 10.10.218.21
 deny   tcp any host 10.10.218.21
 deny   udp any host 10.10.218.254
 deny   tcp any host 10.10.218.254
 deny   udp any host 10.189.3.10
 deny   tcp any host 10.189.3.10
 deny   udp any host 10.189.3.11
 deny   tcp any host 10.189.3.11
 deny   udp any host 10.189.3.12
 deny   tcp any host 10.189.3.12
 deny   udp any host 10.10.218.250
 deny   tcp any host 10.10.218.250
 deny   udp any host 10.189.3.197
 deny   tcp any host 10.189.3.197
 deny   udp any host 10.189.3.201
 deny   tcp any host 10.189.3.201
 deny   udp any host 10.10.218.241
 deny   tcp any host 10.10.218.241
 deny   udp any host 10.189.3.198
 deny   tcp any host 10.189.3.198
 deny   udp any host 10.189.3.1
 deny   tcp any host 10.189.3.1
 deny   udp any host 10.189.3.3
 deny   tcp any host 10.189.3.3
 deny   udp any host 10.20.76.26
 deny   tcp any host 10.20.76.26
 deny   udp any host 10.20.76.27
 deny   tcp any host 10.20.76.27
 deny   udp any host 10.189.3.250
 deny   tcp any host 10.189.3.250
 permit ip any any
ip access-list extended hackerproofout
 permit ip any any
ip access-list extended netbios
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 139
 deny   udp any any eq 136
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-ss
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   tcp host 10.153.112.14 any eq 1434
 deny   udp host 10.153.112.14 any eq 1434
 deny   ip any 127.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 169.254.0.0 0.0.255.255
 deny   ip any 10.20.76.0 0.0.0.255
 deny   ip any 10.22.29.0 0.0.0.255
 deny   ip any 10.24.11.0 0.0.0.255
 deny   ip any 10.142.113.0 0.0.0.255
 deny   ip any 10.153.112.0 0.0.3.255
 deny   ip any 10.15.64.0 0.0.3.255
 deny   ip any 10.189.3.0 0.0.0.255
 deny   ip any 10.10.218.0 0.0.0.255
 permit ip any any
logging trap debugging
logging source-interface FastEthernet0/0.1
logging 10.10.218.2
access-list 133 permit tcp 172.16.0.0 0.0.0.255 any
no cdp run
route-map pastdue permit 10
 match ip address 133
 set ip next-hop 10.10.218.12
!
snmp-server engineID local 0000000<whatever that number means>
snmp-server community <removed> RO 10
snmp-server enable traps tty
radius-server host 10.10.218.2 auth-port 1645 acct-port 1646
radius-server host 10.10.218.3 auth-port 1645 acct-port 1646
radius-server timeout 15
radius-server deadtime 2
radius-server attribute nas-port format d
!radius-server key <removed>
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
banner motd ^C
This is a private system owned and operated
by <blah ISP>.  Unauthorized entry
is prohibited.  All connections are logged. ^C
!
line con 0
line aux 0
line vty 0 4
! password <removed>
!
ntp source FastEthernet0/0.1
ntp peer 10.20.76.7
ntp server 10.20.76.4
ntp server 10.153.112.20
end
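
Added example (not part of the original message or its attachment): a small Python parser for the `show proc cpu` output posted above, separating the two numbers in `67%/35%` and ranking the processes. In this IOS output the first figure is total CPU and the second is the share spent at interrupt level; the function names are this example's own and the sample is an excerpt of the rows in the post.

```python
import re

# Excerpt copied from the `show proc cpu` output in the post above
# (header plus the busiest processes; the other rows are omitted).
SAMPLE = """\
CPU utilization for five seconds: 67%/35%; one minute: 65%; five minutes: 65%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  22    16505324   3536298       4667  3.43%  3.47%  3.45%   0 Net Background
  40     2317800  13995077        165  0.32%  0.56%  0.53%   0 IP Input
  76    54270392   3276067      16565 12.42% 10.94% 10.91%   0 VTEMPLATE Backgr
 108    79760492   5828914      13683 14.28% 14.33% 15.54%   0 PPPOE discovery
 114     2772132   8902392        311  0.24%  0.28%  0.26%   0 PPP manager
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# PID, Runtime(ms), Invoked, uSecs, 5Sec, 1Min, 5Min, TTY, Process name
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%"
    r"\s+(\d+)\s+(.+?)\s*$"
)


def parse_show_proc_cpu(text):
    """Return (summary, processes) parsed from `show proc cpu` text."""
    summary, procs = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, intr, one_min, five_min = map(int, m.groups())
            summary = {
                "total_5s": total,
                "interrupt_5s": intr,
                # What is left after interrupt-level work is process level.
                "process_5s": total - intr,
                "one_min": one_min,
                "five_min": five_min,
            }
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append({
                "pid": int(m.group(1)),
                "five_sec": float(m.group(5)),
                "one_min": float(m.group(6)),
                "five_min": float(m.group(7)),
                "name": m.group(9),
            })
    if summary is None:
        raise ValueError("no 'CPU utilization' header line found")
    return summary, procs


def top_processes(procs, n=3):
    """Names of the n processes with the highest five-second CPU share."""
    ranked = sorted(procs, key=lambda p: p["five_sec"], reverse=True)
    return [p["name"] for p in ranked[:n]]


if __name__ == "__main__":
    summary, procs = parse_show_proc_cpu(SAMPLE)
    print("interrupt level: %d%%  process level: %d%%"
          % (summary["interrupt_5s"], summary["process_5s"]))
    for name in top_processes(procs):
        print("  ", name)
```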

