Appendix B. Example 7-17

This example shows the complete centralized policy — control policies, the VPN-membership policy, data policies, their lists, and the apply-policy section — for all of the configuration that was performed in Chapters 6 and 7. Note that the vpn-membership policy accepts only the CLIENT_VPNS, CorporateVPN, SERVICE_VPN and PCI_VPN lists and rejects everything else, so VPN 3 (GUEST_ACCESS_VPN) is governed only by its data policy, which drops traffic destined to the BOGON_ADDR ranges (RFC 1918, 100.64.0.0/10 and 127.0.0.0/8) and NATs all remaining traffic to VPN 0 for direct Internet access; before reusing this list, verify it against your own requirements (for example, it does not include 169.254.0.0/16 or other reserved ranges).

policy
 control-policy DC_Inbound_Control_Policy
    sequence 1
     match tloc
      originator 10.0.10.1
     !
     action accept
      set
       preference 500
      !
     !
    !
    sequence 11
     match tloc
      originator 10.0.10.2
     !
     action accept
      set
       preference 400
      !
     !
    !
    sequence 21
     match tloc
      originator 10.0.20.1
     !
     action accept
     set
       preference 500
      !
     !
    !
    sequence 31
     match tloc
      originator 10.0.20.2
     !
     action accept
      set
       preference 400
      !
     !
    !
    sequence 41
     match route
      vpn-list SERVICE_VPN
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list CLIENT_VPNS
      set
       omp-tag 100
      !
     !
    !
  default-action accept
 !
 control-policy North_America_Reg_Mesh_with_FW
    sequence 1
     match tloc
      site-list DCs
     !
     action accept
     !
    !
    sequence 11
     match tloc
      site-list North_America_Branches
     !
     action accept
     !
    !
   sequence 21
     match route
      prefix-list Default_Route
      site-list North_America_DC
     !
     action accept
      set
       preference 100
      !
     !
    !
    sequence 31
     match route
      site-list DCs
      prefix-list _AnyIpv4PrefixList
     !
     action accept
     !
    !
    sequence 41
     match route
      site-list North_America_Branches
      prefix-list _AnyIpv4PrefixList
     !
     action accept
     !
    !
    sequence 51
     match route
      site-list Europe_Branches
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      set
       service  FW
      !
     !
    !
  default-action reject
 !
 vpn-membership vpnMembership_373293275
    sequence 10
     match
      vpn-list CLIENT_VPNS
     !
    action accept
     !
    !
    sequence 20
     match
      vpn-list CorporateVPN
     !
     action accept
     !
    !
    sequence 30
     match
      vpn-list SERVICE_VPN
     !
     action accept
     !
    !
    sequence 40
     match
      vpn-list PCI_VPN
     !
     action accept
     !
    !
  default-action reject
 !
 control-policy Euro_Reg_Mesh_with_FW_MultiTopo
    sequence 1
     match tloc
      site-list DCs
     !
     action accept
     !
    !
    sequence 11
     match tloc
      site-list Europe_Branches
     !
     action accept
     !
    !
    sequence 21
     match route
      prefix-list Default_Route
      site-list Europe_DC
    !
     action accept
      set
       preference 100
      !
     !
    !
    sequence 31
     match route
      site-list DCs
      prefix-list _AnyIpv4PrefixList
     !
     action accept
     !
    !
    sequence 41
     match route
      site-list Europe_Branches
      vpn-list CorporateVPN
      prefix-list _AnyIpv4PrefixList
     !
     action accept
     !
    !
    sequence 51
     match route
      site-list Europe_Branches
      vpn-list PCI_VPN
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      set
       tloc-list Europe_DC_TLOCs
      !
     !
    !
    sequence 61
     match route
      site-list North_America_Branches
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      set
       service  FW
      !
    !
    !
  default-action reject
 !
 control-policy Branch_Extranet_Route_Leaking
    sequence 1
     match route
      vpn 101
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list SERVICE_VPN
      set
       omp-tag 101
      !
     !
    !
    sequence 11
     match route
      vpn 102
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      set
       omp-tag 102
      !
      export-to vpn-list SERVICE_VPN
     !
    !
  default-action accept
 !
 data-policy _CorporateVPN_Branch_-1923459860
  vpn-list CorporateVPN
    sequence 1
     match
      app-list AUDIO_VIDEO_APPS
      source-ip 0.0.0.0/0
     !
     action accept
      count CORP_AUDIO_VIDEO_199743323
      loss-protect fec-adaptive
      loss-protection forward-error-correction adaptive
      set
       local-tloc-list
        color mpls
     !
     !
    !
    sequence 11
     match
      destination-data-prefix-list INTERNAL_ADDRESSES
     !
     action accept
      count INTERNAL_PCKTS_199743323
     !
    !
    sequence 21
     match
      app-list TRUSTED_APPS
      source-ip 0.0.0.0/0
     !
     action accept
      nat use-vpn 0
      nat fallback
      count CORP_DCA_199743323
     !
    !
    sequence 31
     match
      app-list YouTube
      source-ip 0.0.0.0/0
     !
     action accept
      count CORP_YOUTUBE_199743323
      set
       local-tloc-list
        color biz-internet
        encap ipsec
      !
     !
    !
    sequence 41
     match
      app-list Facebook
      source-ip 0.0.0.0/0
     !
     action accept
      count CORP_FACEBOOK_199743323
      set
       vpn 1
      tloc-list Europe_DC_INET_TLOCS
      !
     !
    !
    sequence 51
     match
      app-list Google_Apps
      source-ip 0.0.0.0/0
     !
     action accept
      count UMBRELLA_PCKTS_199743323
      set
       service  IDP local
      !
     !
    !
  default-action accept
 !
  vpn-list PCI_VPN
    sequence 1
     match
      source-data-prefix-list PAYMENT_SERVERS
     !
     action accept
      count PCI_PCKTS_-1949123913
      set
       local-tloc-list
        color mpls
      !
      loss-protect pkt-dup
      loss-protection packet-duplication
     !
    !
    sequence 11
     match
      destination-data-prefix-list PAYMENT_SERVERS
     !
     action accept
      count PCI_PCKTS_-1949123913
      set
       local-tloc-list
        color mpls
      !
      loss-protect pkt-dup
      loss-protection packet-duplication
    !
    !
  default-action accept
 !
  vpn-list GUEST_ACCESS_VPN
    sequence 1
     match
      destination-data-prefix-list BOGON_ADDR
     !
     action drop
      count GUEST_DROPPED_PKTS_-939522740
     !
    !
    sequence 11
     match
      source-ip 0.0.0.0/0
     !
     action accept
      nat use-vpn 0
      count GUEST_DIA_PKTS_-939522740
     !
    !
  default-action drop
 !
 data-policy _CorporateVPN_DC_Corp_1741652260
  vpn-list CorporateVPN
    sequence 1
     match
      app-list AUDIO_VIDEO_APPS
      source-ip 0.0.0.0/0
     !
     action accept
      count CORP_AUDIO_VIDEO_-430111853
      loss-protect fec-adaptive
      loss-protection forward-error-correction adaptive
      set
       local-tloc-list
        color mpls
      !
     !
    !
  default-action accept
 !
  vpn-list PCI_VPN
    sequence 1
    match
      source-data-prefix-list PAYMENT_SERVERS
     !
     action accept
      count PCI_PCKTS_1715988207
      set
       local-tloc-list
        color mpls
      !
      loss-protect pkt-dup
      loss-protection packet-duplication
     !
    !
    sequence 11
     match
      destination-data-prefix-list PAYMENT_SERVERS
     !
     action accept
      count PCI_PCKTS_1715988207
      set
       local-tloc-list
        color mpls
      !
      loss-protect pkt-dup
      loss-protection packet-duplication
     !
    !
  default-action accept
 !
 lists
  app-list AUDIO_VIDEO_APPS
   app-family audio-video
   app-family audio_video
  !
  app-list Facebook
   app facebook
   app facebook_messenger
   app fbcdn
   app facebook_mail
   app facebook_live
  !
  app-list Google_Apps
   app android-updates
   app blogger
   app chrome_update
  app gcs
   app gmail
   app gmail_mobile
   app gmail_basic
   app gmail_basic
   app gmail_chat
   app gmail_drive
   app gmail_mobile
   app google_picasa
   app google_desktop
   app google_cache
   app google_play_music
   app google
   app google_translate
   app google_groups
   app google_localguides
   app google_gen
   app gmail_drive
   app google_calendar
   app google_classroom
   app google_skymap
   app google_tags
   app google_maps
   app gcs
   app google_code
   app google_toolbar
   app gstatic
   app google_spaces
   app google_accounts
   app google_sprayscape
   app google-services
   app google-services-audio
   app google-services-media
   app google-services-video
   app google_accounts
   app google_ads
   app google_analytics
   app google_appengine
   app google_cache
   app google_calendar
   app google_code
   app google_desktop
   app google_docs
   app google_photos
   app google-docs
   app google-downloads
   app google_earth
   app google_earth
   app google-earth
   app google_groups
   app google_maps
   app google_photos
   app google_picasa
   app picasa
   app google_play
   app google-play
   app google_plus
   app google-plus
   app google_plus
   app google_safebrowsing
   app google_skymap
   app google_spaces
   app google_tags
   app google_toolbar
   app google_translate
   app google_trusted_store
   app google_weblight
   app googlebot
   app gstatic
   app gtalk
   app gtalk-chat
   app gmail_chat
   app gtalk-ft
   app gtalk-video
   app gtalk-voip
   app hangouts
   app hangouts-audio
   app hangouts-chat
   app hangouts-file-transfer
   app hangouts-media
   app hangouts-video
   app youtube
   app youtube_hd
   app youtube_hd
  !
  app-list TRUSTED_APPS
   app webex-meeting
   app webex_weboffice
   app webex
  !
 app-list YouTube
   app youtube
   app youtube_hd
  !
  data-prefix-list BOGON_ADDR
   ip-prefix 10.0.0.0/8
   ip-prefix 100.64.0.0/10
   ip-prefix 127.0.0.0/8
   ip-prefix 172.16.0.0/12
   ip-prefix 192.168.0.0/16
  !
  data-prefix-list INTERNAL_ADDRESSES
   ip-prefix 10.0.0.0/8
  !
  data-prefix-list PAYMENT_SERVERS
   ip-prefix 10.2.10.0/24
  !
  prefix-list Default_Route
   ip-prefix 0.0.0.0/0
  !
  site-list BranchOffices
   site-id 100-199
  !
  site-list DCs
   site-id 10-50
  !
  site-list Europe_Branches
   site-id 102-103
  !
  site-list Europe_DC
   site-id 20
  !
  site-list North_America_Branches
   site-id 101
  !
  site-list North_America_DC
   site-id 10
  !
  tloc-list Europe_DC_INET_TLOCS
   tloc 10.0.20.1 color biz-internet encap ipsec preference 500
   tloc 10.0.20.2 color biz-internet encap ipsec preference 400
  !
  tloc-list Europe_DC_TLOCs
   tloc 10.0.20.1 color mpls encap ipsec
   tloc 10.0.20.1 color biz-internet encap ipsec
  tloc 10.0.20.2 color mpls encap ipsec
   tloc 10.0.20.2 color biz-internet encap ipsec
  !
  vpn-list CLIENT_VPNS
   vpn 101
   vpn 102
  !
  vpn-list CorporateVPN
   vpn 1
  !
  vpn-list GUEST_ACCESS_VPN
   vpn 3
  !
  vpn-list PCI_VPN
   vpn 2
  !
  vpn-list SERVICE_VPN
   vpn 100
  !
  prefix-list _AnyIpv4PrefixList
   ip-prefix 0.0.0.0/0 le 32
  !
 !
!
apply-policy
 site-list Europe_Branches
  control-policy Euro_Reg_Mesh_with_FW_MultiTopo out
 !
 site-list BranchOffices
  data-policy _CorporateVPN_Branch_-1923459860 from-service
  control-policy Branch_Extranet_Route_Leaking in
  vpn-membership vpnMembership_373293275
 !
 site-list DCs
  data-policy _CorporateVPN_DC_Corp_1741652260 from-service
  control-policy DC_Inbound_Control_Policy in
 !
 site-list North_America_Branches
  control-policy North_America_Reg_Mesh_with_FW out
 !
!