Hello colleagues!

I would like to bring to your attention a variant of MPLS VPN in the corporate network.

[Figure: MplsVpnEnterprise2.png - network diagram of the design]

This design provides additional security, as any traffic between VRFs passes through the ASA.

The design also implements load sharing across the two ISPs per VRF. This is done with the BGP cost extended community attribute: the cost extcommunity lets you customize the local route preference and influence the best-path selection process for specific paths.

To prevent vpnv4 routes from being exchanged between the VRFs (Active HSRP and Backup HSRP), they are filtered on the BGP Site of Origin (SoO) extended community attribute.
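The two mechanisms just described (cost pre-bestpath for ISP selection, SoO for dropping the other PE's copy of a local subnet) are easier to reason about when the route-maps are evaluated on sample routes. The following Python model is an added example, not code from the post: it evaluates the route-maps WithBaseISP and WithBackupISP that PE_DSW1 applies inbound from the two route reflectors, and the cost community that ExtCommActiveNetwork / ExtCommBackupNetwork attach when a PE originates its VLAN subnet. Extended communities are modelled as plain strings, the cost community as a tuple, best-path comparison looks only at that cost, and every prefix and neighbour address in the samples is constructed for illustration; none of that comes from the page.

```python
"""Policy model of the vpnv4 route handling in this design (added example, not
code from the post). It evaluates the route-maps WithBaseISP / WithBackupISP
applied inbound on PE_DSW1 and the cost pre-bestpath community set at
origination by ExtCommActiveNetwork / ExtCommBackupNetwork.

Assumptions (not from the page): extended communities are modelled as strings
("rt:30:8", "soo:65190:1"); the cost community is a (poi, community-id, cost)
tuple; best-path selection looks only at that cost and falls back to the lowest
neighbour address; prefix-list InetRoutes matches exactly 0.0.0.0/0; all sample
prefixes and neighbours are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional

LOCAL_SOO = "soo:65190:1"    # ip extcommunity-list standard LocalSoO permit soo 65190:1
RT_BRANCH8 = "rt:30:8"       # ip extcommunity-list standard RtBrantch8 permit rt 30:8
INET_ROUTES = {"0.0.0.0/0"}  # ip prefix-list InetRoutes seq 5 permit 0.0.0.0/0
DEFAULT_COST = 2147483647    # cost assumed for a path that carries no cost community

RR_CORE1, RR_CORE2 = "10.20.4.5", "10.20.4.21"   # PE_DSW1's vpnv4 neighbours


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str                      # neighbour the path was learned from
    extcomm: frozenset = frozenset()   # extended communities carried by the path
    cost: Optional[tuple] = None       # ("pre-bestpath", community_id, value)


def set_cost(path: Path, value: int) -> Path:
    """set extcommunity cost pre-bestpath 190 <value>"""
    return replace(path, cost=("pre-bestpath", 190, value))


def originate(prefix: str, hsrp_active: bool) -> Path:
    """network ... route-map ExtCommActiveNetwork on the HSRP-active PE (cost 100)
    or ExtCommBackupNetwork on the backup PE (cost 200); the ip vrf sitemap
    route-map on the VLAN interface tags the route with the local SoO."""
    path = Path(prefix, neighbor="local", extcomm=frozenset({LOCAL_SOO}))
    return set_cost(path, 100 if hsrp_active else 200)


def inbound_policy(path: Path, cost_value: int) -> Optional[Path]:
    """route-map WithBaseISP (cost 100, from RR_CORE1) or WithBackupISP
    (cost 200, from RR_CORE2). Returns the updated path, or None if denied."""
    if RT_BRANCH8 in path.extcomm:      # seq 10 permit: branch routes
        return set_cost(path, cost_value)
    if LOCAL_SOO in path.extcomm:       # seq 20 deny: the other PE's copy of our own site
        return None
    if path.prefix in INET_ROUTES:      # seq 30 permit: the default route from VRF ISP
        return set_cost(path, cost_value)
    return None                         # implicit deny at the end of the route-map


def best_path(paths):
    """Lowest pre-bestpath cost wins; ties fall to the lowest neighbour address."""
    def key(p):
        return (p.cost[2] if p.cost else DEFAULT_COST, p.neighbor)
    return min(paths, key=key) if paths else None


def simulate_pe_dsw1():
    """Constructed sample of what PE_DSW1 learns from the two RRs; returns the
    best path per prefix after the inbound route-maps have run."""
    received = [
        Path("10.2.8.0/24", RR_CORE1, frozenset({"rt:30:4", RT_BRANCH8})),   # branch site
        Path("10.2.8.0/24", RR_CORE2, frozenset({"rt:30:4", RT_BRANCH8})),
        Path("0.0.0.0/0", RR_CORE1, frozenset({"rt:190:4"})),                # Internet via ISP1
        Path("0.0.0.0/0", RR_CORE2, frozenset({"rt:190:4"})),                # Internet via ISP2
        Path("10.2.30.0/24", RR_CORE1, frozenset({"rt:30:4", LOCAL_SOO})),   # PE_DSW2's Sales copy
        Path("10.2.30.0/24", RR_CORE2, frozenset({"rt:30:4", LOCAL_SOO})),
    ]
    accepted = {}
    for path in received:
        kept = inbound_policy(path, 100 if path.neighbor == RR_CORE1 else 200)
        if kept is not None:
            accepted.setdefault(kept.prefix, []).append(kept)
    return {prefix: best_path(paths) for prefix, paths in accepted.items()}


def simulate_rr_isp_vrf():
    """VRF ISP on the RRs imports 40:4 and sees the Students subnet from both
    PEs; the HSRP-active PE_DSW1 originated it with cost 100, so it wins."""
    via_pe_dsw1 = replace(originate("10.2.40.0/24", hsrp_active=True), neighbor="10.20.4.6")
    via_pe_dsw2 = replace(originate("10.2.40.0/24", hsrp_active=False), neighbor="10.20.4.10")
    return best_path([via_pe_dsw1, via_pe_dsw2])


if __name__ == "__main__":
    for prefix, path in simulate_pe_dsw1().items():
        print(f"{prefix:14} via {path.neighbor:12} cost {path.cost[2]}")
    winner = simulate_rr_isp_vrf()
    print(f"10.2.40.0/24 in VRF ISP via {winner.neighbor} cost {winner.cost[2]}")
```

Running the model shows the two effects side by side: on PE_DSW1 the branch prefix and the default route are both installed via RR_CORE1 (cost 100 beats 200), PE_DSW2's copy of 10.2.30.0/24 is dropped by the SoO deny sequence, and any vpnv4 route that matches no permit sequence is also dropped by the route-map's implicit deny. On the RR side, VRF ISP prefers the Students subnet from the HSRP-active PE because of the cost set at origination.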

I cannot afford to check this design on real hardware. I will be glad to hear your suggestions and comments.

If you found the article interesting, then click LIKE. Maybe this will help me find a job.

P.S. Sorry for my English.


Next, the configuration of half of the equipment is shown. I think it will not be difficult for you to create "mirrored" configuration files for the second half.

RR_CORE1 is configured as follows:

!
hostname RR_CORE1
!
ip cef
!
ip vrf ISP
 rd 10.20.190.26:189
 route-target export 190:4
 route-target import 190:4
 route-target import 30:4
 route-target import 40:4
 route-target import 30:8
 maximum routes 300 90
!
mpls label protocol ldp
!
ip tcp path-mtu-discovery
!
interface Loopback20
 ip address 10.20.21.129 255.255.255.255
!
interface FastEthernet0/0
 description To the Fa0/0 PE_DSW1
 no ip address
 carrier-delay msec 0
 speed 100
 full-duplex
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.4.5 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLASHCHUN
 ip ospf network point-to-point
 mpls label protocol ldp
 mpls ip
 mpls mtu 1512
!
interface FastEthernet0/1
 description To the Fa0/1 PE_DSW2
 no ip address
 carrier-delay msec 0
 speed 100
 full-duplex
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.20.4.9 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLASHCHUN
 ip ospf network point-to-point
 mpls label protocol ldp
 mpls ip
 mpls mtu 1512
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.20
 description To the ASA1 context DATA
 encapsulation dot1Q 21
 ip address 10.20.4.26 255.255.255.248
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLASHCHUN
 mpls label protocol ldp
 mpls ip
 mpls mtu 1512
!
interface FastEthernet1/0.190
 description To the ASA1 context INTERNET
 encapsulation dot1Q 189
 ip vrf forwarding ISP
 ip address 10.20.190.26 255.255.255.248
 mpls label protocol ldp
 mpls ip
 mpls mtu 1512
!
interface FastEthernet2/0
 description To the Fa2/0 RR_CORE2
 no ip address
 carrier-delay msec 0
 speed 100
 full-duplex
!
interface FastEthernet2/0.20
 encapsulation dot1Q 20
 ip address 10.20.4.13 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLASHCHUN
 ip ospf network point-to-point
 mpls label protocol ldp
 mpls ip
 mpls mtu 1512
!
router ospf 20
 mpls ldp sync
 router-id 10.20.21.129
 max-metric router-lsa on-startup 30
 ispf
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.20.4.4 0.0.0.3 area 21
 network 10.20.4.8 0.0.0.3 area 22
 network 10.20.4.12 0.0.0.3 area 0
 network 10.20.4.24 0.0.0.7 area 0
 network 10.20.21.129 0.0.0.0 area 0
 network 10.20.190.28 0.0.0.3 area 0
!
router bgp 65190
 bgp router-id 10.20.21.129
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp cluster-id 30
 bgp log-neighbor-changes
 bgp update-delay 1
 timers bgp 10 30
 neighbor MplsVpnRR1 peer-group
 neighbor MplsVpnRR1 remote-as 65190
 neighbor MplsVpnRR1 password PLASHCHUN
 neighbor MplsVpnRR1 fall-over
 neighbor 10.20.4.6 peer-group MplsVpnRR1
 neighbor 10.20.4.6 description To the PE_DSW1
 neighbor 10.20.4.10 peer-group MplsVpnRR1
 neighbor 10.20.4.10 description To the PE_DSW2
 neighbor 10.20.4.14 peer-group MplsVpnRR1
 neighbor 10.20.4.14 description To the RR_CORE2
 neighbor 10.20.22.129 remote-as 65190
 neighbor 10.20.22.129 description To the Branch for MPLS VPN CsC traffic
 neighbor 10.20.22.129 update-source Loopback20
 neighbor 10.20.22.129 fall-over
 neighbor 10.20.23.129 remote-as 65190
 neighbor 10.20.23.129 update-source Loopback20
 neighbor 10.20.23.129 fall-over
 !
 address-family vpnv4
  neighbor MplsVpnRR1 send-community both
  neighbor MplsVpnRR1 route-reflector-client
  neighbor 10.20.4.6 activate
  neighbor 10.20.4.10 activate
  neighbor 10.20.4.14 activate
  neighbor 10.20.22.129 activate
  neighbor 10.20.22.129 send-community both
  neighbor 10.20.23.129 activate
  neighbor 10.20.23.129 send-community both
  bgp nexthop trigger delay 1
  bgp scan-time import 5
  bgp scan-time 5
 exit-address-family
 !
 address-family ipv4 vrf ISP
  neighbor 10.20.190.5 remote-as 111
  neighbor 10.20.190.5 description To the ISP1 for Internet traffic
  neighbor 10.20.190.5 ebgp-multihop 3
  neighbor 10.20.190.5 password PLASHCHUN
  neighbor 10.20.190.5 update-source FastEthernet1/0.190
  neighbor 10.20.190.5 activate
  neighbor 10.20.190.5 advertisement-interval 5
  neighbor 10.20.190.5 prefix-list RFC_1918_deny in
  neighbor 10.20.190.5 prefix-list My_block_for_AS111 out
  neighbor 10.20.190.5 route-map ForAS111 in
  neighbor 10.20.190.5 maximum-prefix 100 90
  neighbor 10.20.190.5 filter-list 111 in
  maximum-paths import 2
  no synchronization
  network 190.0.0.0 mask 255.255.255.248
 exit-address-family
!
ip route vrf ISP 10.20.190.4 255.255.255.252 10.20.190.29
ip route vrf ISP 190.0.0.0 255.255.255.248 10.20.190.29 permanent
!
ip bgp-community new-format
ip as-path access-list 111 permit ^(111_)+$
ip as-path access-list 111 permit ^(111_)+_[0-9]+$
ip as-path access-list 190 permit ^$
!
ip prefix-list My_block_for_AS111 seq 10 permit 190.0.0.0/29
!
ip prefix-list RFC_1918_deny seq 10 deny 0.0.0.0/0 ge 25
ip prefix-list RFC_1918_deny seq 20 deny 224.0.0.0/4 le 32
ip prefix-list RFC_1918_deny seq 30 deny 240.0.0.0/4 le 32
ip prefix-list RFC_1918_deny seq 40 deny 127.0.0.0/8 le 32
ip prefix-list RFC_1918_deny seq 50 deny 169.254.0.0/16 le 32
ip prefix-list RFC_1918_deny seq 60 deny 192.0.2.0/24 le 32
ip prefix-list RFC_1918_deny seq 70 deny 10.0.0.0/8 le 32
ip prefix-list RFC_1918_deny seq 80 deny 172.16.0.0/12 le 32
ip prefix-list RFC_1918_deny seq 90 deny 192.168.0.0/16 le 32
ip prefix-list RFC_1918_deny seq 1000 permit 0.0.0.0/0 le 32
!
route-map ForAS111 permit 10
 set community no-export additive
 set extcommunity soo 111:1
!
mpls ldp router-id Loopback20 force
!
banner motd # Looking for new opportunities (remote/virtual) Network Engineer CCNP       ihor.plashchun@yahoo.com +380953589271 #
!
end
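The inbound filter from ISP1 in the configuration above, prefix-list RFC_1918_deny, depends on Cisco prefix-list matching rules (first matching sequence wins, ge/le bound the accepted prefix length, anything unmatched is denied). The following evaluator is an added example, not code from the post: it transcribes that prefix-list into Python and runs constructed sample prefixes through it so the effect of each sequence can be checked offline. The sample prefixes and the tuple transcription are assumptions for illustration.

```python
"""Evaluator for the inbound ISP prefix-list RFC_1918_deny on RR_CORE1 (added
example, not code from the post). Reproduces Cisco prefix-list matching:
entries are tried in seq order, the first match decides, and a prefix that
matches no entry is denied.

Assumption (not from the page): the list is transcribed as tuples below and
the sample prefixes at the bottom are constructed for illustration.
"""
import ipaddress

# (seq, action, prefix, ge, le) exactly as configured on RR_CORE1
RFC_1918_DENY = [
    (10,   "deny",   "0.0.0.0/0",      25,   None),
    (20,   "deny",   "224.0.0.0/4",    None, 32),
    (30,   "deny",   "240.0.0.0/4",    None, 32),
    (40,   "deny",   "127.0.0.0/8",    None, 32),
    (50,   "deny",   "169.254.0.0/16", None, 32),
    (60,   "deny",   "192.0.2.0/24",   None, 32),
    (70,   "deny",   "10.0.0.0/8",     None, 32),
    (80,   "deny",   "172.16.0.0/12",  None, 32),
    (90,   "deny",   "192.168.0.0/16", None, 32),
    (1000, "permit", "0.0.0.0/0",      None, 32),
]


def entry_matches(candidate, entry):
    """A candidate matches when it lies inside the entry's network and its
    length is within [ge, le]. With neither ge nor le the length must equal
    the entry's own length; with only ge the upper bound is 32."""
    _, _, net_str, ge, le = entry
    net = ipaddress.ip_network(net_str)
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return candidate.subnet_of(net) and lo <= candidate.prefixlen <= hi


def evaluate(prefix, prefix_list=RFC_1918_DENY):
    """Return (action, seq) of the first matching entry, or ("deny", None)
    for the implicit deny at the end of every prefix-list."""
    candidate = ipaddress.ip_network(prefix)
    for entry in prefix_list:
        if entry_matches(candidate, entry):
            return entry[1], entry[0]
    return "deny", None


# Constructed sample prefixes as an ISP might announce them
SAMPLE_PREFIXES = [
    "8.8.8.0/24",       # ordinary /24: accepted
    "8.8.8.0/25",       # longer than /24: rejected by seq 10 (ge 25)
    "10.1.0.0/16",      # RFC 1918 more-specific: rejected by seq 70 (le 32)
    "192.168.1.0/24",   # RFC 1918: rejected by seq 90
    "0.0.0.0/0",        # default route: accepted by seq 1000
    "100.64.0.0/10",    # shared address space: not listed, so accepted
]


def report(prefixes=SAMPLE_PREFIXES):
    """Map each sample prefix to the (action, seq) that decides it."""
    return {p: evaluate(p) for p in prefixes}


if __name__ == "__main__":
    for prefix, (action, seq) in report().items():
        print(f"{prefix:16} {action:6} seq {seq}")
```

The first two results show the ge semantics that trip up most readers: 8.8.8.0/24 reaches the final permit, while 8.8.8.0/25 is caught by seq 10 because ge 25 matches every prefix of length 25 to 32 under 0.0.0.0/0. The last sample shows a gap in the list as written: 100.64.0.0/10 (RFC 6598 shared address space) and the documentation ranges other than 192.0.2.0/24 are not denied, so extend the list if you need full bogon coverage.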


 

PE_DSW1 is configured as follows:

!
hostname PE_DSW1
!
ip cef
!
ip vrf Sales
 rd 10.2.30.1:30
 route-target export 30:4
 route-target import 30:4
 route-target import 30:8
 route-target import 190:4
 maximum routes 50 90
!
ip vrf Students
 rd 10.2.40.1:40
 route-target export 40:4
 route-target import 40:4
 route-target import 40:8
 route-target import 190:4
 maximum routes 30 90
!
mpls label protocol ldp
!
ip tcp path-mtu-discovery
!
track 20 list boolean or
 object 21
 object 22
!
track 21 interface FastEthernet0/0.20 ip routing
!
track 22 interface FastEthernet0/1.20 ip routing
!
interface Loopback20
 ip address 10.20.21.1 255.255.255.255
!
interface Port-channel1
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
interface Port-channel3
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,30,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/0
 description To the Fa0/0 RR_CORE1
 no ip address
 carrier-delay msec 0
 speed 100
 full-duplex
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.4.6 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLASHCHUN
 ip ospf network point-to-point
 mpls label protocol ldp
 mpls ip
 mpls mtu 1512
!
interface FastEthernet0/1
 description To the Fa0/1 RR_CORE2
 no ip address
 carrier-delay msec 0
 speed 100
 full-duplex
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.20.4.22 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLASHCHUN
 ip ospf network point-to-point
 mpls label protocol ldp
 mpls ip
 mpls mtu 1512
!
interface FastEthernet1/1
 description Link to ASW1
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/2
 description Link to ASW1
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/3
 description Link to ASW2
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,30,1002-1005
 switchport mode trunk
 channel-group 3 mode on
!
interface FastEthernet1/4
 description Link to ASW2
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,30,1002-1005
 switchport mode trunk
 channel-group 3 mode on
!
interface Vlan30
 bandwidth 100000
 ip vrf forwarding Sales
 ip vrf sitemap ExtCommBackupHSRP
 ip address 10.2.30.1 255.255.255.0
 ip access-group No_own_multicast in
 no ip redirects
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 standby version 2
 standby 30 ip 10.2.30.254
 standby 30 timers msec 200 msec 750
 standby 30 priority 191
 standby 30 preempt
 standby 30 authentication md5 key-string PLASHCHUN
 standby 30 name Sales
 standby 30 mac-address c203.15c9.0031
 standby 30 track FastEthernet1/3
 standby 30 track FastEthernet1/4
 standby 30 track 20 decrement 20
!
interface Vlan40
 bandwidth 100000
 ip vrf forwarding Students
 ip vrf sitemap ExtCommActiveHSRP
 ip address 10.2.40.1 255.255.255.0
 ip access-group No_own_multicast in
 no ip redirects
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 standby version 2
 standby 40 ip 10.2.40.254
 standby 40 timers msec 200 msec 750
 standby 40 priority 200
 standby 40 preempt delay minimum 30 reload 60 sync 2
 standby 40 authentication md5 key-string PLASHCHUN
 standby 40 name Student
 standby 40 mac-address c203.15c9.0041
 standby 40 track FastEthernet1/3
 standby 40 track FastEthernet1/4
 standby 40 track 20 decrement 20
!
router ospf 20
 mpls ldp sync
 router-id 10.20.21.1
 max-metric router-lsa on-startup 30
 ispf
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.20.4.4 0.0.0.3 area 21
 network 10.20.4.20 0.0.0.3 area 21
 network 10.20.21.1 0.0.0.0 area 21
!
router bgp 65190
 template peer-policy VPN_Policy
  send-community both
 exit-peer-policy
 !
 template peer-session VPN_Session
  password PLASHCHUN
  fall-over
 exit-peer-session
 !
 bgp router-id 10.20.21.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 bgp update-delay 1
 timers bgp 10 30
 neighbor 10.20.4.5 remote-as 65190
 neighbor 10.20.4.5 inherit peer-session VPN_Session
 neighbor 10.20.4.5 description To the RR_CORE1
 neighbor 10.20.4.21 remote-as 65190
 neighbor 10.20.4.21 inherit peer-session VPN_Session
 neighbor 10.20.4.21 description To the RR_CORE2
 !
 address-family vpnv4
  neighbor 10.20.4.5 activate
  neighbor 10.20.4.5 send-community extended
  neighbor 10.20.4.5 inherit peer-policy VPN_Policy
  neighbor 10.20.4.5 route-map WithBaseISP in
  neighbor 10.20.4.21 activate
  neighbor 10.20.4.21 send-community extended
  neighbor 10.20.4.21 inherit peer-policy VPN_Policy
  neighbor 10.20.4.21 route-map WithBackupISP in
  bgp nexthop trigger delay 1
  bgp scan-time import 5
  bgp scan-time 5
 exit-address-family
 !
 address-family ipv4 vrf Students
  maximum-paths import 2
  no synchronization
  network 10.2.40.0 mask 255.255.255.0 route-map ExtCommActiveNetwork
 exit-address-family
 !
 address-family ipv4 vrf Sales
  maximum-paths import 2
  no synchronization
  network 10.2.30.0 mask 255.255.255.0 route-map ExtCommBackupNetwork
 exit-address-family
!
ip extcommunity-list standard LocalSoO permit soo 65190:1
ip extcommunity-list standard RtBrantch8 permit rt 30:8
ip bgp-community new-format
!
ip access-list extended No_own_multicast
 deny   ip host 10.2.10.1 host 224.0.0.2
 deny   ip host 10.2.10.1 host 224.0.0.102
 deny   ip host 10.2.20.1 host 224.0.0.2
 deny   ip host 10.2.20.1 host 224.0.0.102
 permit ip any any
!
ip prefix-list InetRoutes seq 5 permit 0.0.0.0/0
!
route-map ExtCommBackupNetwork permit 10
 set extcommunity cost pre-bestpath 190 200
!
route-map ExtCommActiveNetwork permit 10
 set extcommunity cost pre-bestpath 190 100
!
route-map WithBackupISP permit 10
 match extcommunity RtBrantch8
 set extcommunity cost pre-bestpath 190 200
!
route-map WithBackupISP deny 20
 description Delete bad vpnv4 route
 match extcommunity LocalSoO
!
route-map WithBackupISP permit 30
 match ip address prefix-list InetRoutes
 set extcommunity cost pre-bestpath 190 200
!
route-map ExtCommActiveHSRP permit 10
 description Set extended community SoO for delete bad vpnv4 route
 set extcommunity soo 65190:1
!
route-map ExtCommBackupHSRP permit 10
 description Set extended community SoO for delete bad vpnv4 route
 set extcommunity soo 65190:1
!
route-map WithBaseISP permit 10
 match extcommunity RtBrantch8
 set extcommunity cost pre-bestpath 190 100
!
route-map WithBaseISP deny 20
 description Delete bad vpnv4 route
 match extcommunity LocalSoO
!
route-map WithBaseISP permit 30
 match ip address prefix-list InetRoutes
 set extcommunity cost pre-bestpath 190 100
!
mpls ldp router-id Loopback20 force
!
banner motd # Looking for new opportunities (remote/virtual) Network Engineer CCNP       ihor.plashchun@yahoo.com +380953589271 #
!
event manager applet NoNetworkBGPvrfStudent
 event syslog pattern ".*%HSRP-5-STATECHANGE: Vlan40 Grp 40 state Active -> Speak.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router bgp 65190"
 action 4.0 cli command "address-family ipv4 vrf Students"
 action 5.0 cli command "no network 10.2.40.0 mask 255.255.255.0"
 action 6.0 syslog msg "No network Vlan40 to BGP"
event manager applet NetworkBGPvrfStudent
 event syslog pattern ".*%HSRP-5-STATECHANGE: Vlan40 Grp 40 state Standby -> Active.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router bgp 65190"
 action 4.0 cli command "address-family ipv4 vrf Students"
 action 5.0 cli command "network 10.2.40.0 mask 255.255.255.0 route-map ExtCommActiveNetwork"
 action 6.0 syslog msg "Network Vlan40 to BGP"
!
end

ASW1 is configured as follows:

!
hostname ASW1
!
ip cef
!
spanning-tree vlan 40 priority 8192
!
interface Port-channel1
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
interface Port-channel4
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet1/1
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/2
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/3
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 channel-group 4 mode on
!
interface FastEthernet1/4
 switchport trunk native vlan 98
 switchport trunk allowed vlan 1,2,40,1002-1005
 switchport mode trunk
 channel-group 4 mode on
!
interface Vlan40
 description To Simulate Client
 ip address 10.2.40.253 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.2.40.254
!
banner motd # Looking for new opportunities (remote/virtual) Network Engineer CCNP       ihor.plashchun@yahoo.com +380953589271 #
!
end

ASA1 is configured as follows:

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.4(2) <system>
!
firewall transparent
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
no mac-address auto
!
interface GigabitEthernet0
!
interface GigabitEthernet0.10
 vlan 10
!
interface GigabitEthernet0.20
 vlan 20
!
interface GigabitEthernet0.190
 vlan 190
!
interface GigabitEthernet1
!
interface GigabitEthernet1.10
 vlan 11
!
interface GigabitEthernet1.20
 vlan 21
!
interface GigabitEthernet1.190
 vlan 189
!
interface GigabitEthernet2
 shutdown
!
interface GigabitEthernet3
 shutdown
!
interface GigabitEthernet4
 shutdown
!
interface GigabitEthernet5
 shutdown
!
class default
 limit-resource All 0
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
 config-url disk0:/admin.cfg
!

context DATA
 allocate-interface GigabitEthernet0.20 visible
 allocate-interface GigabitEthernet1.20 visible
 config-url disk0:/data.cfg
!

context VOICE
 allocate-interface GigabitEthernet0.10 visible
 allocate-interface GigabitEthernet1.10 visible
 config-url disk0:/voice.cfg
!

context INTERNET
 allocate-interface GigabitEthernet0.190
 allocate-interface GigabitEthernet1.190
 config-url disk0:/internet.cfg
!

prompt hostname context
no call-home reporting anonymous
crashinfo save disable
Cryptochecksum:6de9f2abc35a57a9a1cb8340567f91c2
: end
ciscoasa(config)#

ciscoasa(config)# changeto context DATA
ciscoasa/DATA(config)# sh run
: Saved
:
ASA Version 8.4(2) <context>
!
firewall transparent
hostname DATA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface BVI20
 ip address 10.20.4.25 255.255.255.248
!
interface GigabitEthernet0.20
 nameif outside
 bridge-group 20
 security-level 0
!
interface GigabitEthernet1.20
 nameif inside
 bridge-group 20
 security-level 0
!
same-security-traffic permit inter-interface
object service ICMP
 service icmp unreachable
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object traceroute
access-list MPLS ethertype permit mpls-unicast
access-list OSPF extended permit ospf any any
access-list OUTSIDE extended permit icmp any any object-group PING
access-list OUTSIDE extended permit ospf any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group MPLS in interface outside
access-group MPLS in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
Cryptochecksum:1d0a7fcd1aec0da8c78b9dc60f3e21f7
: end
ciscoasa/DATA(config)#

ciscoasa(config)# changeto context INTERNET
ciscoasa/INTERNET(config)# sh run
: Saved
:
ASA Version 8.4(2) <context>
!
firewall transparent
hostname INTERNET
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface BVI19
 ip address 10.20.190.25 255.255.255.248
!
interface GigabitEthernet0.190
 nameif outside
 bridge-group 19
 security-level 0
!
interface GigabitEthernet1.190
 nameif inside
 bridge-group 19
 security-level 100
!
same-security-traffic permit inter-interface
object network POOL
 host 190.0.0.1
object-group network LAN
 network-object 10.20.4.4 255.255.255.252
 network-object 10.2.20.0 255.255.255.0
object-group icmp-type PING
 description Request Reply Unreachable
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object source-quench
 icmp-object traceroute
 icmp-object time-exceeded
object-group service Traceroute udp
 port-object range 33434 33523
access-list Outside_in_acl extended permit icmp any any object-group PING
access-list Outside_in_acl extended permit udp any any object-group Traceroute
!
tcp-map OPTION-19
 tcp-options range 19 19 allow
!
pager lines 24
logging enable
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 10 burst-size 5
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN POOL
access-group Outside_in_acl in interface outside
route outside 0.0.0.0 0.0.0.0 10.20.190.29 1
route inside 10.2.20.0 255.255.255.0 10.20.190.26 1
route inside 10.20.4.4 255.255.255.252 10.20.190.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map BGP
 match port tcp eq bgp
class-map TRACEROUTE_PING
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http-inspect-pmap
 parameters
  protocol-violation action drop-connection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http http-inspect-pmap
  inspect icmp
 class BGP
  set connection random-sequence-number disable
  set connection advanced-options OPTION-19
!
service-policy global_policy global
Cryptochecksum:2fe598b4ddfe8c9f25f37af5bb3b6415
: end
ciscoasa/INTERNET(config)#

show ip route - check the results of the OSPF protocol.
show mpls forwarding-table - check that labels are present for the BGP next-hop neighbors.
show ip bgp vpnv4 all - check the route leaking between VRFs.
show bgp vpnv4 unicast all 0.0.0.0/0 - check the presence of the cost and SoO extcommunity attributes.