LBOの設定｜設定例｜ルータ・ネットワーク機器

- 注意1
  
  DNS-snoopingをご利用いただく場合の注意点

Proxyサーバを利用しないネットワークではDNS snooping方式を、Proxyサーバを利用するネットワークではHTTP snooping方式を、それぞれご利用いただけます。技術情報ページの「ローカルブレイクアウト機能説明資料」をご確認ください。

トラフィック可視化機能と併せてLBOををお使いいただくケースを想定して、従来のlbo-profile等のコマンドだけでなく、アプリ連携機能のコマンド（app-profile等）を利用して、LBO機能をお使いいただけるようにいたしました。

・トラフィック可視化機能は、Fらくねっとを利用して、ユーザ様の端末（IPアドレス）やアプリケーション毎にトラフィック量を可視化する機能です。Fらくねっとドキュメントのトラフィック可視化機能のページをご参照ください。

・アプリ連携機能のコマンド（app-profile等）にて、アプリ単位のトラフィック可視化やQoS制御と合わせて、LBO機能をお使いいただけます。

以下の理由により、これからLBO機能をお使いいただくお客様には、従来のlbo-profileコマンドではなく、アプリ連携機能のapp-profileコマンドを設定いただくことを推奨します。

・従来のlbo-profileコマンドは、app-profileコマンドと併用できません。

・今後のLBO機能エンハンスは、app-profileコマンドにて対応予定です。従来のlbo-profileコマンドは継続してお使いいただけますが、現時点で機能エンハンスへの対応予定はございません。

アプリ連携機能は、以下のファームウェアバージョン以降にてご使用ください。

F70/F71 V01.12、F220/F221 V01.14、F225 V01.02、F310 V01.02

※機能自体は以下のファームウェアバージョンより対応しておりますが、トラフィック可視化に関して、可視化対象のSaaS/アプリケーションの指定が必要となります。

　　F70/F71 V01.11(01)、F220/F221 V01.13(01)、F225 V01.01(01)、F310 V01.01(01)

アプリケーション毎の設定

2026年1月16日更新

アプリケーション	DNS snooping	HTTP snooping
Windows Update / Microsoft Update
Microsoft 365 / Microsoft Teams （o365 enable設定によりブレイクアウト）
Zoom
Webex
for update macOS/iPadOS		（今後動作確認予定）
for update Adobe applications		（今後動作確認予定）
Box
for update Adobe applications ONLY Deployment and fulfillment services AND Updater （「for_update_Adobe_applications」の内、実際にソフトウェアアップデートに関係すると考えられるドメインのみを含めております）		（今後動作確認予定）

DNS snooping方式使用例

	対象装置	設定例（txt）
ドメイン名ルーティング	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX
Microsoft 365 / Microsoft Teams	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX
Windows Update / Microsoft Update	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX
Zoom,Webexをdns-snoopingによりブレイクアウトする	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX
ProxyDNSを利用してMicrosoft 365をブレイクアウトする	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX

HTTP snooping方式使用例

	対象装置	設定例（txt）
Proxy環境下で、Microsoft 365/Microsoft Teams、Zoomをhttp-snoopingによりブレイクアウトする	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX
固定IPサービスでVPN/ローカルブレイクアウトを利用する	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX ※装置によっては未対応のサービスがございます。IPoEサービス対応一覧をご参照ください。	左記ページ参照
動的IPサービス（MAP-E）でVPN/ローカルブレイクアウトを利用する	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX ※装置によっては未対応のサービスがございます。IPoEサービス対応一覧をご参照ください。	左記ページ参照
Proxy環境下で、Microsoft 365のテナント制限とhttp-snoopingの併用	F70/F71/F220/F221/F225/F310/F220 EX/F221 EX

<pre>
access-list 102 permit udp any any eq 5004
!
app enable
!
local-breakout enable
local-breakout app-list 1 ip #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
app-profile LBO_Webex
 dns-snooping enable
 dns-snooping expire 10800
 domain *.wbx2.com app-tag Webex app-list 1
 domain *.ciscospark.com app-tag Webex app-list 1
 domain *.webexcontent.com app-tag Webex app-list 1
 domain *.webex.com app-tag Webex app-list 1
 domain *.identrust.com app-tag Webex app-list 1
 domain *.quovadisglobal.com app-tag Webex app-list 1
 domain *.digicert.com app-tag Webex app-list 1
 domain *.godaddy.com app-tag Webex app-list 1
 domain *.lencr.org app-tag Webex app-list 1
 domain *.intel.com app-tag Webex app-list 1
 domain *.accompany.com app-tag Webex app-list 1
 domain *.eum-appdynamics.com app-tag Webex app-list 1
 domain *.appdynamics.com app-tag Webex app-list 1
 domain *.vbrickrev.com app-tag Webex app-list 1
 domain *.slido.com app-tag Webex app-list 1
 domain *.sli.do app-tag Webex app-list 1
 domain *.data.logentries.com app-tag Webex app-list 1
 domain *.cisco.com app-tag Webex app-list 1
 domain *.webexapis.com app-tag Webex app-list 1
exit
!
interface GigaEthernet #LAN 物理IF番号#
 policy-route input PRMap_Webex
exit
!
interfaece #WANインタフェース(Port-channel or Tunnel)#
 dns-snooping enable
exit
!
Class-map CMap_102
 match ip access-group 102
exit
!
Policy-route-map PRMap_Webex
 !
 class CMap_102
  count
  action nexthop #ネクストホップ#
 exit
 !
exit
</pre>

<pre>
※Webexのhttp-snoopingでは、通常のhttp-snoopingとは異なる、MSS値の調整が必要
access-list 102 permit udp any any eq 5004
!
ip name-server #DNSサーバアドレス#
!
app enable
app proxy-server ip #LBO対象パケットの宛先アドレス# port #LBO対象パケットのポート番号#
!
local-breakout enable
local-breakout app-list 1 ip #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
app-profile LBO_Webex
 http-snooping enable with-route
 http-snooping propagate-mss disable
 domain *.wbx2.com app-tag Webex app-list 1
 domain *.ciscospark.com app-tag Webex app-list 1
 domain *.webexcontent.com app-tag Webex app-list 1
 domain *.webex.com app-tag Webex app-list 1
 domain *.identrust.com app-tag Webex app-list 1
 domain *.quovadisglobal.com app-tag Webex app-list 1
 domain *.digicert.com app-tag Webex app-list 1
 domain *.godaddy.com app-tag Webex app-list 1
 domain *.lencr.org app-tag Webex app-list 1
 domain *.intel.com app-tag Webex app-list 1
 domain *.accompany.com app-tag Webex app-list 1
 domain *.eum-appdynamics.com app-tag Webex app-list 1
 domain *.appdynamics.com app-tag Webex app-list 1
 domain *.vbrickrev.com app-tag Webex app-list 1
 domain *.slido.com app-tag Webex app-list 1
 domain *.sli.do app-tag Webex app-list 1
 domain *.data.logentries.com app-tag Webex app-list 1
 domain *.cisco.com app-tag Webex app-list 1
 domain *.webexapis.com app-tag Webex app-list 1
exit
!
interface GigaEthernet #LAN 物理IF番号#
 policy-route input PRMap_Webex
exit
!
interface Port-channel #LAN Port-channel番号#
 http-snooping enable
 mss 1240
exit
!
Class-map CMap_102
 match ip access-group 102
exit
!
Policy-route-map PRMap_Webex
 !
 class CMap_102
  count
  action nexthop #ネクストホップ#
 exit
 !
exit
</pre>

<pre>
app enable
!
local-breakout enable
local-breakout app-list 1 ip #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
app-profile LBO_macOS_iOS_Update
 dns-snooping enable
 dns-snooping expire 10800
 domain appldnld.apple.com app-tag macOS_iOS_Update app-list 1
 domain configuration.apple.com app-tag macOS_iOS_Update app-list 1
 domain gdmf.apple.com app-tag macOS_iOS_Update app-list 1
 domain gg.apple.com app-tag macOS_iOS_Update app-list 1
 domain gs.apple.com app-tag macOS_iOS_Update app-list 1
 domain ig.apple.com app-tag macOS_iOS_Update app-list 1
 domain mesu.apple.com app-tag macOS_iOS_Update app-list 1
 domain oscdn.apple.com app-tag macOS_iOS_Update app-list 1
 domain osrecovery.apple.com app-tag macOS_iOS_Update app-list 1
 domain skl.apple.com app-tag macOS_iOS_Update app-list 1
 domain swcdn.apple.com app-tag macOS_iOS_Update app-list 1
 domain swdist.apple.com app-tag macOS_iOS_Update app-list 1
 domain swdownload.apple.com app-tag macOS_iOS_Update app-list 1
 domain swscan.apple.com app-tag macOS_iOS_Update app-list 1
 domain updates-http.cdn-apple.com app-tag macOS_iOS_Update app-list 1
 domain updates.cdn-apple.com app-tag macOS_iOS_Update app-list 1
 domain xp.apple.com app-tag macOS_iOS_Update app-list 1
 domain gdmf-ados.apple.com app-tag macOS_iOS_Update app-list 1
 domain gsra.apple.com app-tag macOS_iOS_Update app-list 1
 domain wkms-public.apple.com app-tag macOS_iOS_Update app-list 1
 domain fcs-keys-pub-prod.cdn-apple.com app-tag macOS_iOS_Update app-list 1
exit
!
interfaece #WANインタフェース(Port-channel or Tunnel)#
 dns-snooping enable
exit
</pre>

<pre>
app enable
!
local-breakout enable
local-breakout app-list 1 ip #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
app-profile LBO_Adobe_Update
 dns-snooping enable
 dns-snooping expire 10800
 domain lm.licenses.adobe.com app-tag Adobe_Update app-list 1
 domain resources.licenses.adobe.com app-tag Adobe_Update app-list 1
 domain cs.licenses.adobe.com app-tag Adobe_Update app-list 1
 domain exception.licenses.adobe.com app-tag Adobe_Update app-list 1
 domain pubcerts.licenses.adobe.com app-tag Adobe_Update app-list 1
 domain workflow.licenses.adobe.com app-tag Adobe_Update app-list 1
 domain auth.services.adobe.com app-tag Adobe_Update app-list 1
 domain acrs.adobe.com app-tag Adobe_Update app-list 1
 domain adobecloudpackager.adobe.io app-tag Adobe_Update app-list 1
 domain adminconsole.adobe.com app-tag Adobe_Update app-list 1
 domain cc-ext-prod-pkgs.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain ccmdls.adobe.com app-tag Adobe_Update app-list 1
 domain ccmdl.adobe.com app-tag Adobe_Update app-list 1
 domain ans.oobesaas.adobe.com app-tag Adobe_Update app-list 1
 domain ars.oobesaas.adobe.com app-tag Adobe_Update app-list 1
 domain cdn-ffc.oobesaas.adobe.com app-tag Adobe_Update app-list 1
 domain ffc-icons.oobesaas.adobe.com app-tag Adobe_Update app-list 1
 domain ffc-static-cdn.oobesaas.adobe.com app-tag Adobe_Update app-list 1
 domain prod-rel-ffc-ccm.oobesaas.adobe.com app-tag Adobe_Update app-list 1
 domain acc.adobeoobe.com app-tag Adobe_Update app-list 1
 domain prod.acp.adobeoobe.com app-tag Adobe_Update app-list 1
 domain mir-s3-cdn-cf.behance.net app-tag Adobe_Update app-list 1
 domain swupmf.adobe.com app-tag Adobe_Update app-list 1
 domain swupdl.adobe.com app-tag Adobe_Update app-list 1
 domain oobe.adobe.com app-tag Adobe_Update app-list 1
 domain productrouter.adobe.com app-tag Adobe_Update app-list 1
 domain s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain tron-prod-customized-user-packages.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain armmf.adobe.com app-tag Adobe_Update app-list 1
 domain ardownload.adobe.com app-tag Adobe_Update app-list 1
 domain ardownload2.adobe.com app-tag Adobe_Update app-list 1
 domain agsupdate.adobe.com app-tag Adobe_Update app-list 1
 domain ims-na1.adobelogin.com app-tag Adobe_Update app-list 1
 domain ims-prod06.adobelogin.com app-tag Adobe_Update app-list 1
 domain ims-prod07.adobelogin.com app-tag Adobe_Update app-list 1
 domain static.adobelogin.com app-tag Adobe_Update app-list 1
 domain delegated.adobelogin.com app-tag Adobe_Update app-list 1
 domain adobeid.services.adobe.com app-tag Adobe_Update app-list 1
 domain adobeid-na1.services.adobe.com app-tag Adobe_Update app-list 1
 domain federatedid-na1.services.adobe.com app-tag Adobe_Update app-list 1
 domain na1e-acc.services.adobe.com app-tag Adobe_Update app-list 1
 domain na1e.services.adobe.com app-tag Adobe_Update app-list 1
 domain na1r.services.adobe.com app-tag Adobe_Update app-list 1
 domain ad.adobe-identity.com app-tag Adobe_Update app-list 1
 domain ids-proxy.account.adobe.com app-tag Adobe_Update app-list 1
 domain lcs-cops.adobe.io app-tag Adobe_Update app-list 1
 domain lcs-robs.adobe.io app-tag Adobe_Update app-list 1
 domain lcs-entitlement.adobe.io app-tag Adobe_Update app-list 1
 domain lcs-ulecs.adobe.io app-tag Adobe_Update app-list 1
 domain ams.adobe.com app-tag Adobe_Update app-list 1
 domain adobelogin.prod.ims.adobejanus.com app-tag Adobe_Update app-list 1
 domain services.prod.ims.adobejanus.com app-tag Adobe_Update app-list 1
 domain www-prod.adobesunbreak.com app-tag Adobe_Update app-list 1
 domain genuine.adobe.com app-tag Adobe_Update app-list 1
 domain prod.adobegenuine.com app-tag Adobe_Update app-list 1
 domain gocart-web-prod-*.elb.amazonaws.com app-tag Adobe_Update app-list 1
 domain armdl.adobe.com app-tag Adobe_Update app-list 1
 domain api-cna01.adobe-services.com app-tag Adobe_Update app-list 1
 domain supportanyware.adobe.io app-tag Adobe_Update app-list 1
 domain acc-learn.adobe.com app-tag Adobe_Update app-list 1
 domain acc-learn.adobe.io app-tag Adobe_Update app-list 1
 domain accounts.adobe.com app-tag Adobe_Update app-list 1
 domain acp-ss-ue1.adobe.io app-tag Adobe_Update app-list 1
 domain adobe-api.arkoselabs.com app-tag Adobe_Update app-list 1
 domain adobe-verify.arkoselabs.com app-tag Adobe_Update app-list 1
 domain api.account.adobe.com app-tag Adobe_Update app-list 1
 domain api.typekit.com app-tag Adobe_Update app-list 1
 domain cc-api-behance.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-data.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-storage.adobe.io app-tag Adobe_Update app-list 1
 domain client-api.arkoselabs.com app-tag Adobe_Update app-list 1
 domain client-verify.arkoselabs.com app-tag Adobe_Update app-list 1
 domain crs.cr.adobe.com app-tag Adobe_Update app-list 1
 domain data.typekit.net app-tag Adobe_Update app-list 1
 domain federation-gateway.adobe.io app-tag Adobe_Update app-list 1
 domain fonts.adobe.com app-tag Adobe_Update app-list 1
 domain helpx.adobe.com app-tag Adobe_Update app-list 1
 domain notify.adobe.io app-tag Adobe_Update app-list 1
 domain p.typekit.net app-tag Adobe_Update app-list 1
 domain p13n.adobe.io app-tag Adobe_Update app-list 1
 domain p13n-mr.adobe.io app-tag Adobe_Update app-list 1
 domain polka.typekit.com app-tag Adobe_Update app-list 1
 domain prod.adobeccstatic.com app-tag Adobe_Update app-list 1
 domain public.adobecc.com app-tag Adobe_Update app-list 1
 domain scss.adobesc.com app-tag Adobe_Update app-list 1
 domain ss-prod-ue1-notif-16.aws.adobess.com app-tag Adobe_Update app-list 1
 domain sso.behance.net app-tag Adobe_Update app-list 1
 domain sstats.adobe.com app-tag Adobe_Update app-list 1
 domain state.typekit.net app-tag Adobe_Update app-list 1
 domain use.typekit.net app-tag Adobe_Update app-list 1
 domain wwwimages.adobe.com app-tag Adobe_Update app-list 1
 domain wwwimages2.adobe.com app-tag Adobe_Update app-list 1
 domain delegated.identity.adobe.com app-tag Adobe_Update app-list 1
 domain www.adobe.com app-tag Adobe_Update app-list 1
 domain a3.behance.net app-tag Adobe_Update app-list 1
 domain a5.behance.net app-tag Adobe_Update app-list 1
 domain account.adobe.com app-tag Adobe_Update app-list 1
 domain acp-ss-an1.adobe.io app-tag Adobe_Update app-list 1
 domain acp-ss-ew1.adobe.io app-tag Adobe_Update app-list 1
 domain acp-ss.adobe.io app-tag Adobe_Update app-list 1
 domain *.adbecrsl.com app-tag Adobe_Update app-list 1
 domain *.adbephotos.com app-tag Adobe_Update app-list 1
 domain adobe.ly app-tag Adobe_Update app-list 1
 domain adobesearch.adobe.io app-tag Adobe_Update app-list 1
 domain appregistry.adobe.io app-tag Adobe_Update app-list 1
 domain aps-web.adobe.io app-tag Adobe_Update app-list 1
 domain as.ftcdn.net app-tag Adobe_Update app-list 1
 domain as1.ftcdn.net app-tag Adobe_Update app-list 1
 domain as2.ftcdn.net app-tag Adobe_Update app-list 1
 domain assets-cdn.adobe.com app-tag Adobe_Update app-list 1
 domain assets-helper.adobe.io app-tag Adobe_Update app-list 1
 domain assets.adobe.com app-tag Adobe_Update app-list 1
 domain assets.fonts.adobe.com app-tag Adobe_Update app-list 1
 domain audios.ftcdn.net app-tag Adobe_Update app-list 1
 domain audio-video-api.adobe.io app-tag Adobe_Update app-list 1
 domain awenroll.adobe.com app-tag Adobe_Update app-list 1
 domain byof.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-cp.adobe.io app-tag Adobe_Update app-list 1
 domain cc-cdn.adobe.com app-tag Adobe_Update app-list 1
 domain cc-collab.adobe.io app-tag Adobe_Update app-list 1
 domain ccext-cdn.adobecces.com app-tag Adobe_Update app-list 1
 domain ccext-public.adobe.io app-tag Adobe_Update app-list 1
 domain ccext-static.adobecces.com app-tag Adobe_Update app-list 1
 domain ccext.adobe.io app-tag Adobe_Update app-list 1
 domain ccext.adobecces.com app-tag Adobe_Update app-list 1
 domain cchome.adobe.io app-tag Adobe_Update app-list 1
 domain cclibraries-defaults-cdn.adobe.com app-tag Adobe_Update app-list 1
 domain ccprojects-va6.adobe.io app-tag Adobe_Update app-list 1
 domain ccprojects.adobe.io app-tag Adobe_Update app-list 1
 domain cctypekit.adobe.io app-tag Adobe_Update app-list 1
 domain cdn-sharing.adobecc.com app-tag Adobe_Update app-list 1
 domain cdn.cp.adobe.io app-tag Adobe_Update app-list 1
 domain client.messaging.adobe.com app-tag Adobe_Update app-list 1
 domain comments.adobe.io app-tag Adobe_Update app-list 1
 domain community.adobe.com app-tag Adobe_Update app-list 1
 domain connect.ffc.adobeoobe.com app-tag Adobe_Update app-list 1
 domain creativecloud.adobe.com app-tag Adobe_Update app-list 1
 domain *.creativecloud.com app-tag Adobe_Update app-list 1
 domain cvs.adobe.com app-tag Adobe_Update app-list 1
 domain d32a1iuc7x840y.cloudfront.net app-tag Adobe_Update app-list 1
 domain d3gnp5fs6fu2h7.cloudfront.net app-tag Adobe_Update app-list 1
 domain dnzuu5synxxfk.cloudfront.net app-tag Adobe_Update app-list 1
 domain dc-api.adobe.io app-tag Adobe_Update app-list 1
 domain design-assets.adobeprojectm.com app-tag Adobe_Update app-list 1
 domain ds-an1.adobe.io app-tag Adobe_Update app-list 1
 domain ds-ew1.adobe.io app-tag Adobe_Update app-list 1
 domain ds-ue1.adobe.io app-tag Adobe_Update app-list 1
 domain ds.adobe.io app-tag Adobe_Update app-list 1
 domain exchange.adobe.com app-tag Adobe_Update app-list 1
 domain faster.typekit.net app-tag Adobe_Update app-list 1
 domain firebase-settings.crashlytics.com app-tag Adobe_Update app-list 1
 domain firebaseinstallations.googleapis.com app-tag Adobe_Update app-list 1
 domain firebaselogging-pa.googleapis.com app-tag Adobe_Update app-list 1
 domain gensoundfx.ff.adobe.io app-tag Adobe_Update app-list 1
 domain geo.adobe.com app-tag Adobe_Update app-list 1
 domain geo2.adobe.com app-tag Adobe_Update app-list 1
 domain ic.adobe.io app-tag Adobe_Update app-list 1
 domain illustrator.adobe.com app-tag Adobe_Update app-list 1
 domain image.adobe.io app-tag Adobe_Update app-list 1
 domain indd.adobe.com app-tag Adobe_Update app-list 1
 domain invitations.adobe.io app-tag Adobe_Update app-list 1
 domain landing.adobe.com app-tag Adobe_Update app-list 1
 domain libraries.adobe.io app-tag Adobe_Update app-list 1
 domain lightroom.adobe.com app-tag Adobe_Update app-list 1
 domain links.adobe.io app-tag Adobe_Update app-list 1
 domain livecreate-an1.adobe.io app-tag Adobe_Update app-list 1
 domain livecreate-ew1.adobe.io app-tag Adobe_Update app-list 1
 domain livecreate-ue1.adobe.io app-tag Adobe_Update app-list 1
 domain *.macromedia.com app-tag Adobe_Update app-list 1
 domain mail.adobegov.com app-tag Adobe_Update app-list 1
 domain odin.adobe.com app-tag Adobe_Update app-list 1
 domain *.omniture.com app-tag Adobe_Update app-list 1
 domain pgc.adobe.io app-tag Adobe_Update app-list 1
 domain photos.adobe.io app-tag Adobe_Update app-list 1
 domain photoshop.adobe.com app-tag Adobe_Update app-list 1
 domain platform-assets.typekit.net app-tag Adobe_Update app-list 1
 domain platform-cs*.adobe.io app-tag Adobe_Update app-list 1
 domain platform-cs.adobe.io app-tag Adobe_Update app-list 1
 domain acp-*.adobe.io app-tag Adobe_Update app-list 1
 domain presence-an1.adobe.io app-tag Adobe_Update app-list 1
 domain presence-ew1.adobe.io app-tag Adobe_Update app-list 1
 domain presence-ue1.adobe.io app-tag Adobe_Update app-list 1
 domain preview.illustrator.adobe.com app-tag Adobe_Update app-list 1
 domain prod.wam.adobe.com app-tag Adobe_Update app-list 1
 domain psweb-cd.adobe.io app-tag Adobe_Update app-list 1
 domain s.ftcdn.net app-tag Adobe_Update app-list 1
 domain server.messaging.adobe.com app-tag Adobe_Update app-list 1
 domain sensei.adobe.io app-tag Adobe_Update app-list 1
 domain sharedcloud-production*.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain sharedcloud-production*.s3-accelerate.amazonaws.com app-tag Adobe_Update app-list 1
 domain aep-cs*.s3-accelerate.amazonaws.com app-tag Adobe_Update app-list 1
 domain aep-cs*.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain sharedcloud-production-us-east-1-data-temp.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain slp-statics.astockcdn.net app-tag Adobe_Update app-list 1
 domain ss-prod-an1-notif-13-aws.adobess.com app-tag Adobe_Update app-list 1
 domain ss-prod-an1-notif-16.aws.adobess.com app-tag Adobe_Update app-list 1
 domain ss-prod-ew1-notif-13-aws.adobess.com app-tag Adobe_Update app-list 1
 domain ss-prod-ew1-notif-16.aws.adobess.com app-tag Adobe_Update app-list 1
 domain ss-prod-ue1-notif-13-aws.adobess.com app-tag Adobe_Update app-list 1
 domain ss-prod-ue1-notif-79.aws.adobess.com app-tag Adobe_Update app-list 1
 domain static-assets.photoshop.adobe.com app-tag Adobe_Update app-list 1
 domain stock-landing-pages.adobe.io app-tag Adobe_Update app-list 1
 domain stock.adobe.com app-tag Adobe_Update app-list 1
 domain translate-captions*.s3-accelerate.amazonaws.com app-tag Adobe_Update app-list 1
 domain t3.ftcdn.net app-tag Adobe_Update app-list 1
 domain t4.ftcdn.net app-tag Adobe_Update app-list 1
 domain udps.adobe.com app-tag Adobe_Update app-list 1
 domain ui.messaging.adobe.com app-tag Adobe_Update app-list 1
 domain use.typekit.com app-tag Adobe_Update app-list 1
 domain utut-service.adobe.com app-tag Adobe_Update app-list 1
 domain v.ftcdn.net app-tag Adobe_Update app-list 1
 domain video-v1.ff.adobe.io app-tag Adobe_Update app-list 1
 domain livecreate-*.adobe.io app-tag Adobe_Update app-list 1
 domain presence-*.adobe.io app-tag Adobe_Update app-list 1
 domain speech.platform.bing.com app-tag Adobe_Update app-list 1
 domain xd-cdn.adobecces.com app-tag Adobe_Update app-list 1
 domain xd.adobe.com app-tag Adobe_Update app-list 1
 domain xdce.adobe.io app-tag Adobe_Update app-list 1
 domain cai.adobe.io app-tag Adobe_Update app-list 1
 domain cai-identity.adobe.io app-tag Adobe_Update app-list 1
 domain policy.adobe.io app-tag Adobe_Update app-list 1
 domain cai-msb.adobe.io app-tag Adobe_Update app-list 1
 domain cai-manifests.adobe.com app-tag Adobe_Update app-list 1
 domain cai-settings.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-ae.adobe.io app-tag Adobe_Update app-list 1
 domain senseicore.adobe.io app-tag Adobe_Update app-list 1
 domain sensei-va6.adobe.io app-tag Adobe_Update app-list 1
 domain firefly.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-clio-imaging.adobe.io app-tag Adobe_Update app-list 1
 domain pre-signed-firefly-prod.s3-accelerate.amazonaws.com app-tag Adobe_Update app-list 1
 domain firefly-ps.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-ai.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-acs.adobe.io app-tag Adobe_Update app-list 1
 domain firefly.adobe.com app-tag Adobe_Update app-list 1
 domain firefly-md.adobe.io app-tag Adobe_Update app-list 1
 domain clio-assets.adobe.com app-tag Adobe_Update app-list 1
 domain firefly-cliov2.adobe.com app-tag Adobe_Update app-list 1
 domain senseicore-ue1.adobe.io app-tag Adobe_Update app-list 1
 domain sensei-ue1.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-st.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-api.adobe.io app-tag Adobe_Update app-list 1
 domain pre-signed-firefly-prod.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain adobemobiledev.demdex.net app-tag Adobe_Update app-list 1
 domain adobesparkpost.app.link app-tag Adobe_Update app-list 1
 domain assets.adobedtm.com app-tag Adobe_Update app-list 1
 domain awcm177.awmdm.com app-tag Adobe_Update app-list 1
 domain cai-splunk-proxy.adobe.io app-tag Adobe_Update app-list 1
 domain ccac-cdn.adobe.com app-tag Adobe_Update app-list 1
 domain cdn.schedule.adobe.com app-tag Adobe_Update app-list 1
 domain cdn-prod-ccv.adobe.com app-tag Adobe_Update app-list 1
 domain clientservices.googleapis.com app-tag Adobe_Update app-list 1
 domain cm.everesttech.net app-tag Adobe_Update app-list 1
 domain configuration.apple.com app-tag Adobe_Update app-list 1
 domain detect.ffc.adobeoobe.com app-tag Adobe_Update app-list 1
 domain dpm.demdex.net app-tag Adobe_Update app-list 1
 domain dq4p8hz4ypg6l.cloudfront.net app-tag Adobe_Update app-list 1
 domain express.adobe.com app-tag Adobe_Update app-list 1
 domain express-brand-migration.adobe.io app-tag Adobe_Update app-list 1
 domain express-search.hz.adobe.com app-tag Adobe_Update app-list 1
 domain gateway.icloud.com app-tag Adobe_Update app-list 1
 domain gsp64-ssl.ls.apple.com app-tag Adobe_Update app-list 1
 domain hbrt.adobe.com app-tag Adobe_Update app-list 1
 domain hz-ccx-das.adobe.io app-tag Adobe_Update app-list 1
 domain hz-telemetry.adobe.io app-tag Adobe_Update app-list 1
 domain images-tv.adobe.com app-tag Adobe_Update app-list 1
 domain mesu.apple.com app-tag Adobe_Update app-list 1
 domain metrics.icloud.com app-tag Adobe_Update app-list 1
 domain new.express.adobe.com app-tag Adobe_Update app-list 1
 domain o1383653.ingest.sentry.io app-tag Adobe_Update app-list 1
 domain pf-temp-repo-ue1-prod.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain platform-cs-edge.adobe.io app-tag Adobe_Update app-list 1
 domain platform-cs-edge-va6.adobe.io app-tag Adobe_Update app-list 1
 domain platform-cs-edge-va6c2.adobe.io app-tag Adobe_Update app-list 1
 domain platform-cs-edge-va7.adobe.io app-tag Adobe_Update app-list 1
 domain platform-cs-va6.adobe.io app-tag Adobe_Update app-list 1
 domain pps.adobe.io app-tag Adobe_Update app-list 1
 domain schedule.adobe.io app-tag Adobe_Update app-list 1
 domain search.adobe.io app-tag Adobe_Update app-list 1
 domain spark-content-publish.adobe.io app-tag Adobe_Update app-list 1
 domain spark-design-variations-v2.adobe.io app-tag Adobe_Update app-list 1
 domain ss-prod-ue1-ns.aws.adobess.com app-tag Adobe_Update app-list 1
 domain static.thenounproject.com app-tag Adobe_Update app-list 1
 domain stock.adobe.io app-tag Adobe_Update app-list 1
 domain stock-apex-images-prod-ew1.s3.eu-west-1.amazonaws.com app-tag Adobe_Update app-list 1
 domain stocks-data-service.apple.com app-tag Adobe_Update app-list 1
 domain uds.adobe-identity.com app-tag Adobe_Update app-list 1
 domain video.tv.adobe.com app-tag Adobe_Update app-list 1
 domain weather-data.apple.com app-tag Adobe_Update app-list 1
 domain braze-images.com app-tag Adobe_Update app-list 1
 domain sdk.iad-01.braze.com app-tag Adobe_Update app-list 1
 domain cpf-temp-repo-ue1-prod.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain *.adobesc.com app-tag Adobe_Update app-list 1
 domain acpprodva7apollo.blob.core.windows.net app-tag Adobe_Update app-list 1
 domain acp-ss-*.adobe.io app-tag Adobe_Update app-list 1
 domain *.adobess.com app-tag Adobe_Update app-list 1
 domain cc-api-storage*.adobe.io app-tag Adobe_Update app-list 1
 domain assets2.adobe.com app-tag Adobe_Update app-list 1
 domain adobeexchange.com app-tag Adobe_Update app-list 1
 domain adbemdigitalmediarebootprod2.112.2o7.net app-tag Adobe_Update app-list 1
 domain cdn.tt.omtrdc.net app-tag Adobe_Update app-list 1
 domain api.demandbase.com app-tag Adobe_Update app-list 1
 domain *.ftcdn.net app-tag Adobe_Update app-list 1
 domain *.behance.net app-tag Adobe_Update app-list 1
 domain cc-api-image.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-image-x.adobe.io app-tag Adobe_Update app-list 1
 domain *.astockcdn.net app-tag Adobe_Update app-list 1
 domain cc-api-assets.adobe.io app-tag Adobe_Update app-list 1
 domain api.behance.net app-tag Adobe_Update app-list 1
 domain adobe.demdex.net app-tag Adobe_Update app-list 1
 domain adobe.tt.omtrdc.net app-tag Adobe_Update app-list 1
 domain store1.adobe.com app-tag Adobe_Update app-list 1
 domain adobe.com app-tag Adobe_Update app-list 1
 domain bam.nr-data.net app-tag Adobe_Update app-list 1
 domain *.adobe.io app-tag Adobe_Update app-list 1
 domain *.s3*.amazonaws.com app-tag Adobe_Update app-list 1
 domain bat.bing.com app-tag Adobe_Update app-list 1
 domain c.betrad.com app-tag Adobe_Update app-list 1
 domain c.evidon.com app-tag Adobe_Update app-list 1
 domain googleads.g.doubleclick.net app-tag Adobe_Update app-list 1
 domain js-agent.newrelic.com app-tag Adobe_Update app-list 1
 domain snap.licdn.com app-tag Adobe_Update app-list 1
 domain www.everestjs.net app-tag Adobe_Update app-list 1
 domain www.facebook.com app-tag Adobe_Update app-list 1
 domain www.googleadservices.com app-tag Adobe_Update app-list 1
 domain www.googletagmanager.com app-tag Adobe_Update app-list 1
 domain match.prod.bidr.io app-tag Adobe_Update app-list 1
 domain scripts.demandbase.com app-tag Adobe_Update app-list 1
 domain cdn.inpwrd.net app-tag Adobe_Update app-list 1
 domain ct.pinterest.com app-tag Adobe_Update app-list 1
 domain d9.flashtalking.com app-tag Adobe_Update app-list 1
 domain pixel.quantserve.com app-tag Adobe_Update app-list 1
 domain 9212252.fls.doubleclick.net app-tag Adobe_Update app-list 1
 domain use.edgefonts.net app-tag Adobe_Update app-list 1
 domain adobetag.com app-tag Adobe_Update app-list 1
 domain ans.oobesas.adobe.com app-tag Adobe_Update app-list 1
 domain api.adobe.io app-tag Adobe_Update app-list 1
 domain *.licenses.adobe.com app-tag Adobe_Update app-list 1
 domain amazonaws.com app-tag Adobe_Update app-list 1
 domain adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-sharedproductions-prerelease.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-teamprojects.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-teamprojects-ue1.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-teamprojects-ew1.adobe.io app-tag Adobe_Update app-list 1
 domain cc-api-teamprojects-an1.adobe.io app-tag Adobe_Update app-list 1
 domain docs.aws.amazon.com app-tag Adobe_Update app-list 1
 domain rande.html app-tag Adobe_Update app-list 1
 domain adobe-voice.adobe.io app-tag Adobe_Update app-list 1
 domain adobe-voice-va7.adobe.io app-tag Adobe_Update app-list 1
 domain adobe-voice-nld2.adobe.io app-tag Adobe_Update app-list 1
 domain blob.core.windows.net app-tag Adobe_Update app-list 1
 domain oz-prod-masters.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-proxies.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-proxies-video-1080p.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-proxies-video-1080p-bt709.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-proxies-video-1080p709.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-proxies-video-360p.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-proxies-video-fullsize.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain revel-prod-us-west-2.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-asset-aux.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain oz-prod-cr-params.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain directstorage.adbephotos.com app-tag Adobe_Update app-list 1
 domain oz-prod-versions.s3.us-west-2.amazonaws.com app-tag Adobe_Update app-list 1
 domain mds-cdn.infra.adobesensei.io app-tag Adobe_Update app-list 1
 domain senseimds.adobe.io app-tag Adobe_Update app-list 1
 domain creative.adobe.com app-tag Adobe_Update app-list 1
 domain myportfolio.com app-tag Adobe_Update app-list 1
 domain splcloud.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-prerelease.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-cliov2.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-beta.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-balancer.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-cme-training.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-cme-inference.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-clio-imaging-prerelease.adobe.io app-tag Adobe_Update app-list 1
 domain firefly-3di.adobe.io app-tag Adobe_Update app-list 1
 domain aep-cs-blobstore-prod-va6-data.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain dc-api-v2.adobe.io app-tag Adobe_Update app-list 1
 domain platform-cs-va6-adobe.io app-tag Adobe_Update app-list 1
 domain esp.aptrinsic.com app-tag Adobe_Update app-list 1
 domain prosite.com app-tag Adobe_Update app-list 1
 domain story.adobe.com app-tag Adobe_Update app-list 1
 domain build.phonegap.com app-tag Adobe_Update app-list 1
 domain typekit.com app-tag Adobe_Update app-list 1
 domain polka.typekit.net app-tag Adobe_Update app-list 1
 domain afwebcdn.fonts.adobe.com app-tag Adobe_Update app-list 1
 domain businesscatalyst.com app-tag Adobe_Update app-list 1
 domain digitalpublishing.acrobat.com app-tag Adobe_Update app-list 1
 domain color.adobe.com app-tag Adobe_Update app-list 1
 domain *.services.adobe.com app-tag Adobe_Update app-list 1
 domain licensing.adobe.com app-tag Adobe_Update app-list 1
 domain store.adobe.com app-tag Adobe_Update app-list 1
 domain store2.adobe.com app-tag Adobe_Update app-list 1
 domain store3.adobe.com app-tag Adobe_Update app-list 1
 domain photoshop.com app-tag Adobe_Update app-list 1
 domain podcast.adobe.com app-tag Adobe_Update app-list 1
 domain phonos-server.adobe.io app-tag Adobe_Update app-list 1
 domain phonos-recordings-production.s3-accelerate.amazonaws.com app-tag Adobe_Update app-list 1
 domain phonos-recordings-production.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain cdn.cookielaw.org app-tag Adobe_Update app-list 1
 domain *.kinesisvideo.*.amazonaws.com app-tag Adobe_Update app-list 1
 domain access.imageclub.com app-tag Adobe_Update app-list 1
 domain play.google.com app-tag Adobe_Update app-list 1
 domain www.flickr.com app-tag Adobe_Update app-list 1
 domain chrome.google.com app-tag Adobe_Update app-list 1
 domain soundcloud.com app-tag Adobe_Update app-list 1
 domain www.freedb.org app-tag Adobe_Update app-list 1
 domain developer.apple.com app-tag Adobe_Update app-list 1
 domain subversion.tigris.org app-tag Adobe_Update app-list 1
 domain www.ietf.org app-tag Adobe_Update app-list 1
 domain framework.zend.com app-tag Adobe_Update app-list 1
 domain windowsupdate.com app-tag Adobe_Update app-list 1
 domain digicert.com app-tag Adobe_Update app-list 1
 domain geotrust.com app-tag Adobe_Update app-list 1
 domain globalsign.com app-tag Adobe_Update app-list 1
 domain godaddy.com app-tag Adobe_Update app-list 1
 domain twitter.com app-tag Adobe_Update app-list 1
 domain www.microsoft.com app-tag Adobe_Update app-list 1
 domain ftp.yourdomain.com app-tag Adobe_Update app-list 1
 domain www.amazon.com app-tag Adobe_Update app-list 1
 domain www.mp3licensing.com app-tag Adobe_Update app-list 1
 domain itunes.apple.com app-tag Adobe_Update app-list 1
 domain www.apple.com app-tag Adobe_Update app-list 1
 domain www.python.org app-tag Adobe_Update app-list 1
 domain jquerymobile.com app-tag Adobe_Update app-list 1
 domain www.color.org app-tag Adobe_Update app-list 1
 domain omniroot.com app-tag Adobe_Update app-list 1
 domain symantec.com app-tag Adobe_Update app-list 1
 domain symcb.com app-tag Adobe_Update app-list 1
 domain symcd.com app-tag Adobe_Update app-list 1
 domain www.rulesforuse.org app-tag Adobe_Update app-list 1
 domain maps.google.com app-tag Adobe_Update app-list 1
 domain www.eclipse.org app-tag Adobe_Update app-list 1
 domain www.shutterfly.com app-tag Adobe_Update app-list 1
 domain msdn.microsoft.com app-tag Adobe_Update app-list 1
 domain www.zoomify.com app-tag Adobe_Update app-list 1
 domain www.evidon.com app-tag Adobe_Update app-list 1
 domain www.betrad.com app-tag Adobe_Update app-list 1
 domain *.uservoice.com app-tag Adobe_Update app-list 1
 domain thawte.com app-tag Adobe_Update app-list 1
 domain verisign.com app-tag Adobe_Update app-list 1
 domain api.mapbox.com app-tag Adobe_Update app-list 1
 domain worldsecuresystems.com app-tag Adobe_Update app-list 1
 domain adobe-oobe-prod-data-store-ue1.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain encoded-videos-0.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain fotolia-prod-3dobjects.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain fotolia-prod-audios-originals.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain fotolia-prod-templates.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain fotolia-prod-videos-0.s3.eu-west-1.amazonaws.com app-tag Adobe_Update app-list 1
 domain fotolia-prod-vectors.s3.eu-west-1.amazonaws.com app-tag Adobe_Update app-list 1
 domain sharedcloud-production-us-east-1-data-asset.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain stock-vip-processed-prod-irl1.s3.eu-west-1.amazonaws.com app-tag Adobe_Update app-list 1
 domain thumbs-0.s3.amazonaws.com app-tag Adobe_Update app-list 1
 domain videos-0.s3-eu-central-1.amazonaws.com app-tag Adobe_Update app-list 1
exit
!
interfaece #WAN IF(Port-channel or Tunnel)#
 dns-snooping enable
exit
</pre>

<pre>
app enable
!
local-breakout enable
local-breakout app-list 1 ip #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
app-profile LBO_Adobe_Update--Deployment_and_fulfillment-AND-Updater
 dns-snooping enable
 dns-snooping expire 10800
 domain adminconsole.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain cc-ext-prod-pkgs.s3.amazonaws.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ccmdls.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ccmdl.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ans.oobesaas.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ars.oobesaas.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain cdn-ffc.oobesaas.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ffc-icons.oobesaas.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ffc-static-cdn.oobesaas.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain prod-rel-ffc-ccm.oobesaas.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain acc.adobeoobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain prod.acp.adobeoobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain mir-s3-cdn-cf.behance.net app-tag Adobe_Update--Deployment+Updater app-list 1
 domain swupmf.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain swupdl.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain oobe.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain productrouter.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain s3.amazonaws.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain tron-prod-customized-user-packages.s3.amazonaws.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain armmf.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ardownload.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ardownload2.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain agsupdate.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain ardownload3.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
 domain armdl.adobe.com app-tag Adobe_Update--Deployment+Updater app-list 1
exit
!
interfaece #WAN IF(Port-channel or Tunnel)#
 dns-snooping enable
exit
</pre>

<pre>
※Webexのhttp-snoopingでは、通常のhttp-snoopingとは異なる、MSS値の調整が必要

access-list 102 permit udp any any eq 5004
!
ip name-server #DNSサーバアドレス#
!
local-breakout enable
local-breakout proxy-server ip #LBO対象パケットの宛先アドレス# port #LBO対象パケットのポート番号#
local-breakout LBO_Webex #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
lbo-profile LBO_Webex
 http-snooping enable with-route
 http-snooping propagate-mss disable
 domain *.wbx2.com
 domain *.ciscospark.com
 domain *.webexcontent.com
 domain *.webex.com
 domain *.identrust.com
 domain *.quovadisglobal.com
 domain *.digicert.com
 domain *.godaddy.com
 domain *.lencr.org
 domain *.intel.com
 domain *.accompany.com
 domain *.eum-appdynamics.com
 domain *.appdynamics.com
 domain *.vbrickrev.com
 domain *.slido.com
 domain *.sli.do
 domain *.data.logentries.com
 domain *.cisco.com
 domain *.webexapis.com
exit
!
interface GigaEthernet #LAN 物理IF番号#
 policy-route input PRMap_Webex
exit
!
interface Port-channel #LAN Port-channel番号#
 http-snooping enable
 mss 1240
exit
!
Class-map CMap_102
 match ip access-group 102
exit
!
Policy-route-map PRMap_Webex
 !
 class CMap_102
  count
  action nexthop #ネクストホップ#
 exit
 !
exit
</pre>

<pre>
local-breakout enable
local-breakout LBO_Adobe_Update #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
lbo-profile LBO_Adobe_Update
 dns-snooping enable
 dns-snooping expire 10800
 domain lm.licenses.adobe.com
 domain resources.licenses.adobe.com
 domain cs.licenses.adobe.com
 domain exception.licenses.adobe.com
 domain pubcerts.licenses.adobe.com
 domain workflow.licenses.adobe.com
 domain auth.services.adobe.com
 domain acrs.adobe.com
 domain adobecloudpackager.adobe.io
 domain adminconsole.adobe.com
 domain cc-ext-prod-pkgs.s3.amazonaws.com
 domain ccmdls.adobe.com
 domain ccmdl.adobe.com
 domain ans.oobesaas.adobe.com
 domain ars.oobesaas.adobe.com
 domain cdn-ffc.oobesaas.adobe.com
 domain ffc-icons.oobesaas.adobe.com
 domain ffc-static-cdn.oobesaas.adobe.com
 domain prod-rel-ffc-ccm.oobesaas.adobe.com
 domain acc.adobeoobe.com
 domain prod.acp.adobeoobe.com
 domain mir-s3-cdn-cf.behance.net
 domain swupmf.adobe.com
 domain swupdl.adobe.com
 domain oobe.adobe.com
 domain productrouter.adobe.com
 domain s3.amazonaws.com
 domain tron-prod-customized-user-packages.s3.amazonaws.com
 domain armmf.adobe.com
 domain ardownload.adobe.com
 domain ardownload2.adobe.com
 domain agsupdate.adobe.com
 domain ims-na1.adobelogin.com
 domain ims-prod06.adobelogin.com
 domain ims-prod07.adobelogin.com
 domain static.adobelogin.com
 domain delegated.adobelogin.com
 domain adobeid.services.adobe.com
 domain adobeid-na1.services.adobe.com
 domain federatedid-na1.services.adobe.com
 domain na1e-acc.services.adobe.com
 domain na1e.services.adobe.com
 domain na1r.services.adobe.com
 domain ad.adobe-identity.com
 domain ids-proxy.account.adobe.com
 domain lcs-cops.adobe.io
 domain lcs-robs.adobe.io
 domain lcs-entitlement.adobe.io
 domain lcs-ulecs.adobe.io
 domain ams.adobe.com
 domain adobelogin.prod.ims.adobejanus.com
 domain services.prod.ims.adobejanus.com
 domain www-prod.adobesunbreak.com
 domain genuine.adobe.com
 domain prod.adobegenuine.com
 domain gocart-web-prod-*.elb.amazonaws.com
 domain armdl.adobe.com
 domain api-cna01.adobe-services.com
 domain supportanyware.adobe.io
 domain acc-learn.adobe.com
 domain acc-learn.adobe.io
 domain accounts.adobe.com
 domain acp-ss-ue1.adobe.io
 domain adobe-api.arkoselabs.com
 domain adobe-verify.arkoselabs.com
 domain api.account.adobe.com
 domain api.typekit.com
 domain cc-api-behance.adobe.io
 domain cc-api-data.adobe.io
 domain cc-api-storage.adobe.io
 domain client-api.arkoselabs.com
 domain client-verify.arkoselabs.com
 domain crs.cr.adobe.com
 domain data.typekit.net
 domain federation-gateway.adobe.io
 domain fonts.adobe.com
 domain helpx.adobe.com
 domain notify.adobe.io
 domain p.typekit.net
 domain p13n.adobe.io
 domain p13n-mr.adobe.io
 domain polka.typekit.com
 domain prod.adobeccstatic.com
 domain public.adobecc.com
 domain scss.adobesc.com
 domain ss-prod-ue1-notif-16.aws.adobess.com
 domain sso.behance.net
 domain sstats.adobe.com
 domain state.typekit.net
 domain use.typekit.net
 domain wwwimages.adobe.com
 domain wwwimages2.adobe.com
 domain delegated.identity.adobe.com
 domain www.adobe.com
 domain a3.behance.net
 domain a5.behance.net
 domain account.adobe.com
 domain acp-ss-an1.adobe.io
 domain acp-ss-ew1.adobe.io
 domain acp-ss.adobe.io
 domain *.adbecrsl.com
 domain *.adbephotos.com
 domain adobe.ly
 domain adobesearch.adobe.io
 domain appregistry.adobe.io
 domain aps-web.adobe.io
 domain as.ftcdn.net
 domain as1.ftcdn.net
 domain as2.ftcdn.net
 domain assets-cdn.adobe.com
 domain assets-helper.adobe.io
 domain assets.adobe.com
 domain assets.fonts.adobe.com
 domain audios.ftcdn.net
 domain audio-video-api.adobe.io
 domain awenroll.adobe.com
 domain byof.adobe.io
 domain cc-api-cp.adobe.io
 domain cc-cdn.adobe.com
 domain cc-collab.adobe.io
 domain ccext-cdn.adobecces.com
 domain ccext-public.adobe.io
 domain ccext-static.adobecces.com
 domain ccext.adobe.io
 domain ccext.adobecces.com
 domain cchome.adobe.io
 domain cclibraries-defaults-cdn.adobe.com
 domain ccprojects-va6.adobe.io
 domain ccprojects.adobe.io
 domain cctypekit.adobe.io
 domain cdn-sharing.adobecc.com
 domain cdn.cp.adobe.io
 domain client.messaging.adobe.com
 domain comments.adobe.io
 domain community.adobe.com
 domain connect.ffc.adobeoobe.com
 domain creativecloud.adobe.com
 domain *.creativecloud.com
 domain cvs.adobe.com
 domain d32a1iuc7x840y.cloudfront.net
 domain d3gnp5fs6fu2h7.cloudfront.net
 domain dnzuu5synxxfk.cloudfront.net
 domain dc-api.adobe.io
 domain design-assets.adobeprojectm.com
 domain ds-an1.adobe.io
 domain ds-ew1.adobe.io
 domain ds-ue1.adobe.io
 domain ds.adobe.io
 domain exchange.adobe.com
 domain faster.typekit.net
 domain firebase-settings.crashlytics.com
 domain firebaseinstallations.googleapis.com
 domain firebaselogging-pa.googleapis.com
 domain gensoundfx.ff.adobe.io
 domain geo.adobe.com
 domain geo2.adobe.com
 domain ic.adobe.io
 domain illustrator.adobe.com
 domain image.adobe.io
 domain indd.adobe.com
 domain invitations.adobe.io
 domain landing.adobe.com
 domain libraries.adobe.io
 domain lightroom.adobe.com
 domain links.adobe.io
 domain livecreate-an1.adobe.io
 domain livecreate-ew1.adobe.io
 domain livecreate-ue1.adobe.io
 domain *.macromedia.com
 domain mail.adobegov.com
 domain odin.adobe.com
 domain *.omniture.com
 domain pgc.adobe.io
 domain photos.adobe.io
 domain photoshop.adobe.com
 domain platform-assets.typekit.net
 domain platform-cs*.adobe.io
 domain platform-cs.adobe.io
 domain acp-*.adobe.io
 domain presence-an1.adobe.io
 domain presence-ew1.adobe.io
 domain presence-ue1.adobe.io
 domain preview.illustrator.adobe.com
 domain prod.wam.adobe.com
 domain psweb-cd.adobe.io
 domain s.ftcdn.net
 domain server.messaging.adobe.com
 domain sensei.adobe.io
 domain sharedcloud-production*.s3.amazonaws.com
 domain sharedcloud-production*.s3-accelerate.amazonaws.com
 domain aep-cs*.s3-accelerate.amazonaws.com
 domain aep-cs*.s3.amazonaws.com
 domain sharedcloud-production-us-east-1-data-temp.s3.amazonaws.com
 domain slp-statics.astockcdn.net
 domain ss-prod-an1-notif-13-aws.adobess.com
 domain ss-prod-an1-notif-16.aws.adobess.com
 domain ss-prod-ew1-notif-13-aws.adobess.com
 domain ss-prod-ew1-notif-16.aws.adobess.com
 domain ss-prod-ue1-notif-13-aws.adobess.com
 domain ss-prod-ue1-notif-79.aws.adobess.com
 domain static-assets.photoshop.adobe.com
 domain stock-landing-pages.adobe.io
 domain stock.adobe.com
 domain translate-captions*.s3-accelerate.amazonaws.com
 domain t3.ftcdn.net
 domain t4.ftcdn.net
 domain udps.adobe.com
 domain ui.messaging.adobe.com
 domain use.typekit.com
 domain utut-service.adobe.com
 domain v.ftcdn.net
 domain video-v1.ff.adobe.io
 domain livecreate-*.adobe.io
 domain presence-*.adobe.io
 domain speech.platform.bing.com
 domain xd-cdn.adobecces.com
 domain xd.adobe.com
 domain xdce.adobe.io
 domain cai.adobe.io
 domain cai-identity.adobe.io
 domain policy.adobe.io
 domain cai-msb.adobe.io
 domain cai-manifests.adobe.com
 domain cai-settings.adobe.io
 domain firefly-ae.adobe.io
 domain senseicore.adobe.io
 domain sensei-va6.adobe.io
 domain firefly.adobe.io
 domain firefly-clio-imaging.adobe.io
 domain pre-signed-firefly-prod.s3-accelerate.amazonaws.com
 domain firefly-ps.adobe.io
 domain firefly-ai.adobe.io
 domain firefly-acs.adobe.io
 domain firefly.adobe.com
 domain firefly-md.adobe.io
 domain clio-assets.adobe.com
 domain firefly-cliov2.adobe.com
 domain senseicore-ue1.adobe.io
 domain sensei-ue1.adobe.io
 domain firefly-st.adobe.io
 domain firefly-api.adobe.io
 domain pre-signed-firefly-prod.s3.amazonaws.com
 domain adobemobiledev.demdex.net
 domain adobesparkpost.app.link
 domain assets.adobedtm.com
 domain awcm177.awmdm.com
 domain cai-splunk-proxy.adobe.io
 domain ccac-cdn.adobe.com
 domain cdn.schedule.adobe.com
 domain cdn-prod-ccv.adobe.com
 domain clientservices.googleapis.com
 domain cm.everesttech.net
 domain configuration.apple.com
 domain detect.ffc.adobeoobe.com
 domain dpm.demdex.net
 domain dq4p8hz4ypg6l.cloudfront.net
 domain express.adobe.com
 domain express-brand-migration.adobe.io
 domain express-search.hz.adobe.com
 domain gateway.icloud.com
 domain gsp64-ssl.ls.apple.com
 domain hbrt.adobe.com
 domain hz-ccx-das.adobe.io
 domain hz-telemetry.adobe.io
 domain images-tv.adobe.com
 domain mesu.apple.com
 domain metrics.icloud.com
 domain new.express.adobe.com
 domain o1383653.ingest.sentry.io
 domain pf-temp-repo-ue1-prod.s3.amazonaws.com
 domain platform-cs-edge.adobe.io
 domain platform-cs-edge-va6.adobe.io
 domain platform-cs-edge-va6c2.adobe.io
 domain platform-cs-edge-va7.adobe.io
 domain platform-cs-va6.adobe.io
 domain pps.adobe.io
 domain schedule.adobe.io
 domain search.adobe.io
 domain spark-content-publish.adobe.io
 domain spark-design-variations-v2.adobe.io
 domain ss-prod-ue1-ns.aws.adobess.com
 domain static.thenounproject.com
 domain stock.adobe.io
 domain stock-apex-images-prod-ew1.s3.eu-west-1.amazonaws.com
 domain stocks-data-service.apple.com
 domain uds.adobe-identity.com
 domain video.tv.adobe.com
 domain weather-data.apple.com
 domain braze-images.com
 domain sdk.iad-01.braze.com
 domain cpf-temp-repo-ue1-prod.s3.amazonaws.com
 domain *.adobesc.com
 domain acpprodva7apollo.blob.core.windows.net
 domain acp-ss-*.adobe.io
 domain *.adobess.com
 domain cc-api-storage*.adobe.io
 domain assets2.adobe.com
 domain adobeexchange.com
 domain adbemdigitalmediarebootprod2.112.2o7.net
 domain cdn.tt.omtrdc.net
 domain api.demandbase.com
 domain *.ftcdn.net
 domain *.behance.net
 domain cc-api-image.adobe.io
 domain cc-api-image-x.adobe.io
 domain *.astockcdn.net
 domain cc-api-assets.adobe.io
 domain api.behance.net
 domain adobe.demdex.net
 domain adobe.tt.omtrdc.net
 domain store1.adobe.com
 domain adobe.com
 domain bam.nr-data.net
 domain *.adobe.io
 domain *.s3*.amazonaws.com
 domain bat.bing.com
 domain c.betrad.com
 domain c.evidon.com
 domain googleads.g.doubleclick.net
 domain js-agent.newrelic.com
 domain snap.licdn.com
 domain www.everestjs.net
 domain www.facebook.com
 domain www.googleadservices.com
 domain www.googletagmanager.com
 domain match.prod.bidr.io
 domain scripts.demandbase.com
 domain cdn.inpwrd.net
 domain ct.pinterest.com
 domain d9.flashtalking.com
 domain pixel.quantserve.com
 domain 9212252.fls.doubleclick.net
 domain use.edgefonts.net
 domain adobetag.com
 domain ans.oobesas.adobe.com
 domain api.adobe.io
 domain *.licenses.adobe.com
 domain amazonaws.com
 domain adobe.io
 domain cc-api-sharedproductions-prerelease.adobe.io
 domain cc-api-teamprojects.adobe.io
 domain cc-api-teamprojects-ue1.adobe.io
 domain cc-api-teamprojects-ew1.adobe.io
 domain cc-api-teamprojects-an1.adobe.io
 domain docs.aws.amazon.com
 domain rande.html
 domain adobe-voice.adobe.io
 domain adobe-voice-va7.adobe.io
 domain adobe-voice-nld2.adobe.io
 domain blob.core.windows.net
 domain oz-prod-masters.s3.us-west-2.amazonaws.com
 domain oz-prod-proxies.s3.us-west-2.amazonaws.com
 domain oz-prod-proxies-video-1080p.s3.us-west-2.amazonaws.com
 domain oz-prod-proxies-video-1080p-bt709.s3.us-west-2.amazonaws.com
 domain oz-prod-proxies-video-1080p709.s3.us-west-2.amazonaws.com
 domain oz-prod-proxies-video-360p.s3.us-west-2.amazonaws.com
 domain oz-prod-proxies-video-fullsize.s3.us-west-2.amazonaws.com
 domain revel-prod-us-west-2.s3.us-west-2.amazonaws.com
 domain oz-prod-asset-aux.s3.us-west-2.amazonaws.com
 domain oz-prod-cr-params.s3.us-west-2.amazonaws.com
 domain directstorage.adbephotos.com
 domain oz-prod-versions.s3.us-west-2.amazonaws.com
 domain mds-cdn.infra.adobesensei.io
 domain senseimds.adobe.io
 domain creative.adobe.com
 domain myportfolio.com
 domain splcloud.adobe.io
 domain firefly-prerelease.adobe.io
 domain firefly-cliov2.adobe.io
 domain firefly-beta.adobe.io
 domain firefly-balancer.adobe.io
 domain firefly-cme-training.adobe.io
 domain firefly-cme-inference.adobe.io
 domain firefly-clio-imaging-prerelease.adobe.io
 domain firefly-3di.adobe.io
 domain aep-cs-blobstore-prod-va6-data.s3.amazonaws.com
 domain dc-api-v2.adobe.io
 domain platform-cs-va6-adobe.io
 domain esp.aptrinsic.com
 domain prosite.com
 domain story.adobe.com
 domain build.phonegap.com
 domain typekit.com
 domain polka.typekit.net
 domain afwebcdn.fonts.adobe.com
 domain businesscatalyst.com
 domain digitalpublishing.acrobat.com
 domain color.adobe.com
 domain *.services.adobe.com
 domain licensing.adobe.com
 domain store.adobe.com
 domain store2.adobe.com
 domain store3.adobe.com
 domain photoshop.com
 domain podcast.adobe.com
 domain phonos-server.adobe.io
 domain phonos-recordings-production.s3-accelerate.amazonaws.com
 domain phonos-recordings-production.s3.amazonaws.com
 domain cdn.cookielaw.org
 domain *.kinesisvideo.*.amazonaws.com
 domain access.imageclub.com
 domain play.google.com
 domain www.flickr.com
 domain chrome.google.com
 domain soundcloud.com
 domain www.freedb.org
 domain developer.apple.com
 domain subversion.tigris.org
 domain www.ietf.org
 domain framework.zend.com
 domain windowsupdate.com
 domain digicert.com
 domain geotrust.com
 domain globalsign.com
 domain godaddy.com
 domain twitter.com
 domain www.microsoft.com
 domain ftp.yourdomain.com
 domain www.amazon.com
 domain www.mp3licensing.com
 domain itunes.apple.com
 domain www.apple.com
 domain www.python.org
 domain jquerymobile.com
 domain www.color.org
 domain omniroot.com
 domain symantec.com
 domain symcb.com
 domain symcd.com
 domain www.rulesforuse.org
 domain maps.google.com
 domain www.eclipse.org
 domain www.shutterfly.com
 domain msdn.microsoft.com
 domain www.zoomify.com
 domain www.evidon.com
 domain www.betrad.com
 domain *.uservoice.com
 domain thawte.com
 domain verisign.com
 domain api.mapbox.com
 domain worldsecuresystems.com
 domain adobe-oobe-prod-data-store-ue1.s3.amazonaws.com
 domain encoded-videos-0.s3.amazonaws.com
 domain fotolia-prod-3dobjects.s3.amazonaws.com
 domain fotolia-prod-audios-originals.s3.amazonaws.com
 domain fotolia-prod-templates.s3.amazonaws.com
 domain fotolia-prod-videos-0.s3.eu-west-1.amazonaws.com
 domain fotolia-prod-vectors.s3.eu-west-1.amazonaws.com
 domain sharedcloud-production-us-east-1-data-asset.s3.amazonaws.com
 domain stock-vip-processed-prod-irl1.s3.eu-west-1.amazonaws.com
 domain thumbs-0.s3.amazonaws.com
 domain videos-0.s3-eu-central-1.amazonaws.com
exit
!
interfaece #WANインタフェース(Port-channel or Tunnel)#
 dns-snooping enable
exit
</pre>

<pre>
local-breakout enable
local-breakout LBO_Adobe_Update--Deployment_and_fulfillment-AND-Updater #ネクストホップ(TunnelIF番号もしくはアドレス)#
!
lbo-profile LBO_Adobe_Update--Deployment_and_fulfillment-AND-Updater
 dns-snooping enable
 dns-snooping expire 10800
 domain adminconsole.adobe.com
 domain cc-ext-prod-pkgs.s3.amazonaws.com
 domain ccmdls.adobe.com
 domain ccmdl.adobe.com
 domain ans.oobesaas.adobe.com
 domain ars.oobesaas.adobe.com
 domain cdn-ffc.oobesaas.adobe.com
 domain ffc-icons.oobesaas.adobe.com
 domain ffc-static-cdn.oobesaas.adobe.com
 domain prod-rel-ffc-ccm.oobesaas.adobe.com
 domain acc.adobeoobe.com
 domain prod.acp.adobeoobe.com
 domain mir-s3-cdn-cf.behance.net
 domain swupmf.adobe.com
 domain swupdl.adobe.com
 domain oobe.adobe.com
 domain productrouter.adobe.com
 domain s3.amazonaws.com
 domain tron-prod-customized-user-packages.s3.amazonaws.com
 domain armmf.adobe.com
 domain ardownload.adobe.com
 domain ardownload2.adobe.com
 domain agsupdate.adobe.com
 domain ardownload3.adobe.com
 domain armdl.adobe.com
exit
!
interfaece #WAN IF(Port-channel or Tunnel)#
 dns-snooping enable
exit
</pre>

<pre>
access-list 100 permit udp any eq 500 192.0.2.1 0.0.0.0 eq 500
access-list 100 permit 50 any 192.0.2.1 0.0.0.0
access-list 111 deny udp any eq 135 any
access-list 111 deny udp any any eq 135
access-list 111 deny tcp any eq 135 any
access-list 111 deny tcp any any eq 135
access-list 111 deny udp any range 137 139 any
access-list 111 deny udp any any range 137 139
access-list 111 deny tcp any range 137 139 any
access-list 111 deny tcp any any range 137 139
access-list 111 deny udp any eq 445 any
access-list 111 deny udp any any eq 445
access-list 111 deny tcp any eq 445 any
access-list 111 deny tcp any any eq 445
access-list 112 deny ip 192.168.0.0 0.0.0.255 any
access-list 112 permit icmp any 192.168.0.0 0.0.0.255
access-list 113 spi tcp any any eq ftp
access-list 113 spi tcp any any eq ftp-data
access-list 113 spi tcp any any eq www
access-list 113 spi udp any any eq domain
access-list 113 spi tcp any any eq smtp
access-list 113 spi tcp any any eq pop3
access-list 113 spi tcp any any eq 587
access-list 113 spi tcp any any
access-list 113 spi udp any any
access-list 114 permit ip any any
access-list 115 deny ip any any
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 192.168.1.0 255.255.255.0 tunnel 2
ip route 192.168.1.0 255.255.255.0 null 0 250
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname CENTER
!
crypto ipsec policy P2-POLICY
 set pfs group14
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1454
 set ip df-bit 0
 set ip fragment post
exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
crypto isakmp keepalive
logging level informational
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
crypto isakmp tunnel-route ip interface tunnel 1
!
crypto isakmp policy P1-POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
 initiate-mode aggressive
exit
!
crypto isakmp profile PROF0001
 match identity user id-kyoten
 local-address 192.0.2.1 
 set isakmp-policy P1-POLICY
 set ipsec-policy P2-POLICY
 ike-version 1
 local-key SECRET-VPN
exit
!
crypto map KYOTEN ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF0001
exit
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 pppoe enable
exit
!
interface Port-channel 1
 ip address 192.168.0.254 255.255.255.0
 mss 1300
exit
!
interface Tunnel 1
 description FLETS
 ip address 192.0.2.1  255.255.255.255
 ip access-group 100 in
 ip access-group 111 out
 ip access-group 112 in
 ip access-group 113 out
 ip access-group 114 out
 ip access-group 115 in
 ip access-group spi ftp-data enable
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 2/1
exit
!
interface Tunnel 2
 tunnel mode ipsec map KYOTEN
 link-state sync-sa
exit
!
pppoe profile PPPOE_PROF
 account abc012@***.***.ne.jp xxxyyyzzz
exit
!
end
</pre>

<pre>
access-list 100 permit udp 192.0.2.1 0.0.0.0 eq 500 any eq 500
access-list 100 permit 50 192.0.2.1 0.0.0.0 any
access-list 101 permit udp any any range 3478 3481
access-list 111 deny udp any eq 135 any
access-list 111 deny udp any any eq 135
access-list 111 deny tcp any eq 135 any
access-list 111 deny tcp any any eq 135
access-list 111 deny udp any range 137 139 any
access-list 111 deny udp any any range 137 139
access-list 111 deny tcp any range 137 139 any
access-list 111 deny tcp any any range 137 139
access-list 111 deny udp any eq 445 any
access-list 111 deny udp any any eq 445
access-list 111 deny tcp any eq 445 any
access-list 111 deny tcp any any eq 445
access-list 112 deny ip 192.168.0.0 0.0.0.255 any
access-list 112 permit icmp any 192.168.0.0 0.0.0.255
access-list 113 spi tcp any any eq ftp
access-list 113 spi tcp any any eq ftp-data
access-list 113 spi tcp any any eq www
access-list 113 spi udp any any eq domain
access-list 113 spi tcp any any eq smtp
access-list 113 spi tcp any any eq pop3
access-list 113 spi tcp any any eq 587
access-list 113 spi tcp any any
access-list 113 spi udp any any
access-list 114 permit ip any any
access-list 115 deny ip any any
!
ip route 192.0.2.1 255.255.255.255 tunnel 1
ip route 0.0.0.0 0.0.0.0 tunnel 2
ip name-server 192.168.0.100
ip name-server source-interface port-channel 1
ip nat list 1 192.168.1.0 0.0.0.255
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
ip dhcp server-profile lan1
 address 192.168.1.1 192.168.1.200
 lease-time 28800
 dns 192.168.0.100
 gateway 192.168.1.254
exit
!
crypto ipsec policy P2-POLICY
 set pfs group14
 set security-association always-up
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1454
 set ip df-bit 0
 set ip fragment post
exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
crypto isakmp keepalive
logging level informational
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
!
hostname KYOTEN
!
crypto isakmp policy P1-POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
 initiate-mode aggressive
exit
!
crypto isakmp profile PROF0001
 self-identity user-fqdn id-kyoten
 set isakmp-policy P1-POLICY
 set ipsec-policy P2-POLICY
 set peer 192.0.2.1
 ike-version 1
 local-key SECRET-VPN
exit
!
crypto map CENTER ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF0001
exit
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
 policy-route input PRMap_Teams
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 pppoe enable
exit
!
interface Port-channel 1
 ip address 192.168.1.254 255.255.255.0
 ip dhcp service server
 ip dhcp server-profile lan1
 mss 1300
exit
!
interface Tunnel 1
 description FLETS
 ip access-group 100 in
 ip access-group 111 out
 ip access-group 112 in
 ip access-group 113 out
 ip access-group 114 out
 ip access-group 115 in
 ip access-group spi ftp-data enable
 ip nat inside source list 1 interface
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 2/1
exit
!
interface Tunnel 2
 tunnel mode ipsec map CENTER
 dns-snooping enable
exit
!
pppoe profile PPPOE_PROF
 account abc345@***.***.ne.jp zzzyyyxxx
exit
!
local-breakout enable
local-breakout LBO1 tunnel 1
!
lbo-profile LBO1
 o365 enable
 dns-snooping enable
exit
!
Class-map CMap_101
 match ip access-group 101
exit
!
Policy-route-map PRMap_Teams
 !
 class CMap_101
  count
  action nexthop tunnel 1
 exit
 !
exit
!
end
</pre>

crypto isakmp keepalive
logging level informational
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
crypto isakmp tunnel-route ip interface tunnel 1
!
crypto isakmp policy P1-POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
 initiate-mode aggressive
exit
!
crypto isakmp profile PROF0001
 match identity user id-kyoten
 local-address 192.0.2.1 
 set isakmp-policy P1-POLICY
 set ipsec-policy P2-POLICY
 ike-version 1
 local-key SECRET-VPN
exit
!
crypto map KYOTEN ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF0001
exit
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 pppoe enable
exit
!
interface Port-channel 1
 ip address 192.168.0.254 255.255.255.0
 mss 1300
exit
!
interface Tunnel 1
 description FLETS
 ip address 192.0.2.1  255.255.255.255
 ip access-group 100 in
 ip access-group 111 out
 ip access-group 112 in
 ip access-group 113 out
 ip access-group 114 out
 ip access-group 115 in
 ip access-group spi ftp-data enable
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 2/1
exit
!
interface Tunnel 2
 tunnel mode ipsec map KYOTEN
 link-state sync-sa
exit
!
pppoe profile PPPOE_PROF
 account abc012@***.***.ne.jp xxxyyyzzz
exit
!
end
</pre>

<pre>
access-list 100 permit udp 192.0.2.1 0.0.0.0 eq 500 any eq 500
access-list 100 permit 50 192.0.2.1 0.0.0.0 any
access-list 111 deny udp any eq 135 any
access-list 111 deny udp any any eq 135
access-list 111 deny tcp any eq 135 any
access-list 111 deny tcp any any eq 135
access-list 111 deny udp any range 137 139 any
access-list 111 deny udp any any range 137 139
access-list 111 deny tcp any range 137 139 any
access-list 111 deny tcp any any range 137 139
access-list 111 deny udp any eq 445 any
access-list 111 deny udp any any eq 445
access-list 111 deny tcp any eq 445 any
access-list 111 deny tcp any any eq 445
access-list 112 deny ip 192.168.0.0 0.0.0.255 any
access-list 112 permit icmp any 192.168.0.0 0.0.0.255
access-list 113 spi tcp any any eq ftp
access-list 113 spi tcp any any eq ftp-data
access-list 113 spi tcp any any eq www
access-list 113 spi udp any any eq domain
access-list 113 spi tcp any any eq smtp
access-list 113 spi tcp any any eq pop3
access-list 113 spi tcp any any eq 587
access-list 113 spi tcp any any
access-list 113 spi udp any any
access-list 114 permit ip any any
access-list 115 deny ip any any
!
ip route 192.0.2.1 255.255.255.255 tunnel 1
ip route 0.0.0.0 0.0.0.0 tunnel 2
ip nat list 1 192.168.1.0 0.0.0.255
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname KYOTEN
!
ip dhcp server-profile lan1
 address 192.168.1.1 192.168.1.200
 lease-time 28800
 dns 192.168.0.100
 gateway 192.168.1.254
exit
!
crypto ipsec policy P2-POLICY
 set pfs group14
 set security-association always-up
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1454
 set ip df-bit 0
 set ip fragment post
exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
crypto isakmp keepalive
logging level informational
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
!
crypto isakmp policy P1-POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
 initiate-mode aggressive
exit
!
crypto isakmp profile PROF0001
 self-identity user-fqdn id-kyoten
 set isakmp-policy P1-POLICY
 set ipsec-policy P2-POLICY
 set peer 192.0.2.1
 ike-version 1
 local-key SECRET-VPN
exit
!
crypto map CENTER ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF0001
exit
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 pppoe enable
exit
!
interface Port-channel 1
 ip address 192.168.1.254 255.255.255.0
 ip dhcp service server
 ip dhcp server-profile lan1
 mss 1300
exit
!
interface Tunnel 1
 description FLETS
 ip access-group 100 in
 ip access-group 111 out
 ip access-group 112 in
 ip access-group 113 out
 ip access-group 114 out
 ip access-group 115 in
 ip access-group spi ftp-data enable
 ip nat inside source list 1 interface
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 2/1
exit
!
interface Tunnel 2
 tunnel mode ipsec map CENTER
 dns-snooping enable
exit
!
pppoe profile PPPOE_PROF
 account abc345@***.***.ne.jp zzzyyyxxx
exit
!
local-breakout enable
local-breakout LBO1 tunnel 1
!
lbo-profile LBO1
 dns-snooping enable
 dns-snooping expire 86400
 domain definitionupdates.microsoft.com
 domain *.prod.do.dsp.mp.microsoft.com
 domain *.dl.delivery.mp.microsoft.com
 domain *.windowsupdate.com
 domain *.delivery.mp.microsoft.com
 domain *.update.microsoft.com
 domain adl.windows.com
 domain tsfe.trafficshaping.dsp.mp.microsoft.com
 domain *.api.cdp.microsoft.com
exit
!
end
</pre>

<pre>
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip nat list 1 10.1.0.0 0.0.255.255
!
local-breakout enable
local-breakout LBO 192.168.1.2
!
lbo-profile LBO
 dns-snooping enable
 dns-snooping expire 10800
 domain *.zoom.us
 domain *.zoom.com
 domain *.wbx2.com
 domain *.ciscospark.com
 domain *.webexcontent.com
 domain *.webex.com
 domain *.identrust.com
 domain *.quovadisglobal.com
 domain *.digicert.com
 domain *.godaddy.com
 domain *.lencr.org
 domain *.intel.com
 domain *.accompany.com
 domain *.eum-appdynamics.com
 domain *.appdynamics.com
 domain *.vbrickrev.com
 domain *.slido.com
 domain *.sli.do
 domain *.data.logentries.com
 domain *.cisco.com
 domain *.webexapis.com
exit
!
snmp-server community public ro
snmp-server enable traps snmp
snmp-server host 10.0.0.3 public

logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname FITELnet
!
sntp server 10.0.0.4 source port-channel 1
sntp poll-interval 86400
sntp retry limit 10 interval 64
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
 speed-duplex 100 full
 mdi mdi
exit
!
interface GigaEthernet 3/1
 vlan-id 3
 bridge-group 3
 channel-group 3
 ip access-group default spi
exit
!
interface Port-channel 1
 ip dhcp service relay 10.0.0.5
 ip address 10.1.1.1 255.255.0.0
 link-state always-up
exit
!
interface Port-channel 2
 ip address 172.16.0.1 255.255.255.252
 dns-snooping enable
exit
!
interface Port-channel 3
 ip address 192.168.1.1 255.255.255.252
 ip nat inside source list 1 interface
exit
!
line console
 authorization exec default local
exit
!
sflow-agent address 172.16.0.1
!
sflow profile 1
 collector address 10.0.0.1
 collector address 10.0.0.2
 collector address local
 source-interface port-channel 2
exit
!
sflow interface gigaethernet 2/1 sflow-profile 1 sampling-rate 100
sflow interface gigaethernet 3/1 sflow-profile 1 sampling-rate 100
!
end
</pre>

<pre>
access-list 101 permit udp any any range 3478 3481
!
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip name-server 127.0.0.1
ip nat list 1 any
!
local-breakout enable
local-breakout LBO tunnel 1
!
lbo-profile LBO
 o365 enable
 dns-snooping enable
 domain endpoints.office.com
exit
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname FITELnet
!
sntp server ntp.nict.jp
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
 policy-route input PRMap_Teams
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 pppoe enable
exit
!
interface Port-channel 1
 ip address 10.1.1.1 255.255.0.0
 dns-snooping enable
 link-state always-up
exit
!
interface Tunnel 1
 description FLETS
 ip nat inside source list 1 interface
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 2/1
exit
!
pppoe profile PPPOE_PROF
 account abc345@***.***.ne.jp zzzyyyxxx
exit
!
Class-map CMap_101
 match ip access-group 101
exit
!
Policy-route-map PRMap_Teams
 !
 class CMap_101
  count
  action nexthop tunnel 1
 exit
 !
exit
!
dns-server ip enable
!
proxydns domain 1 any * any static 10.1.2.1
proxydns address 1 any static 10.1.2.1
proxydns lbo enable
!
line console
 authorization exec default local
exit
!
end
</pre>

<pre>
access-list 101 permit udp any any range 3478 3481
!
!
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip name-server 172.16.1.2
ip nat list 1 any
!
local-breakout enable
local-breakout proxy-server ip any port <ポート番号>
local-breakout LBO_Zoom tunnel 1
local-breakout LBO_Microsoft365 tunnel 1
!
lbo-profile LBO_Zoom
 http-snooping enable with-route
 domain *.zoom.us
 domain *.zoom.com
exit
!
lbo-profile LBO_Microsoft365
 o365 enable
 http-snooping enable with-route
exit
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname FITELnet
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
 policy-route input PRMap_Teams
exit
!
interface GigaEthernet 1/3
 vlan-id 3
 bridge-group 3
 pppoe enable
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
exit
!
interface Port-channel 1
 ip address 10.0.0.1 255.255.255.0
 http-snooping enable
 mss 1300
exit
!
interface Port-channel 2
 ip address 172.16.0.1 255.255.255.252
exit
!
interface Tunnel 1
 description FLETS
 ip nat inside source list 1 interface
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 1/3
exit
!
pppoe profile PPPOE_PROF
 account abc345@***.***.ne.jp zzzyyyxxx
exit
!
Class-map CMap_101
 match ip access-group 101
exit
!
Policy-route-map PRMap_Teams
 !
 class CMap_101
  count
  action nexthop tunnel 1
 exit
 !
exit
!
end
</pre>

<pre>
access-list 101 permit udp any any range 3478 3481
!
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip name-server 172.16.1.2
ip nat list 1 any
!
local-breakout enable
local-breakout proxy-server ip any port <ポート番号>
local-breakout LBO_Microsoft365 tunnel 1
!
lbo-profile LBO_Microsoft365
 o365 enable
 http-snooping enable with-route
 domain login.microsoft.com bypass
 domain login.microsoftonline.com bypass
 domain login.windows.net bypass
exit
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname FITELnet
!
sntp server ntp.nict.jp
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
 policy-route input PRMap_Teams
exit
!
interface GigaEthernet 1/3
 vlan-id 3
 bridge-group 3
 pppoe enable
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
exit
!
interface Port-channel 1
 ip address 10.0.0.1 255.255.255.0
 http-snooping enable
 mss 1300
exit
!
interface Port-channel 2
 ip address 172.16.0.1 255.255.255.252
exit
!
interface Tunnel 1
 description FLETS
 ip nat inside source list 1 interface
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 1/3
exit
!
pppoe profile PPPOE_PROF
 account abc345@***.***.ne.jp zzzyyyxxx
exit
!
Class-map CMap_101
 match ip access-group 101
exit
!
Policy-route-map PRMap_Teams
 !
 class CMap_101
  count
  action nexthop tunnel 1
 exit
 !
exit
!
end
</pre>

- 注意1
  
  DNS-snoopingをご利用いただく場合の注意点
  
  DNS snoopingは、名前解決したIPアドレスを経路情報としてルータに登録して、ブレイクアウト回線向けにルーティングを行う仕組みです。このため以下に説明する通り、CDN事業者のサービスが影響して、LBO非対象とされているアプリケーションの通信がLBO回線に流れるケースがございます。
  
  昨今のインターネットでは、CDN事業者が世界中に分散したエッジサーバ上で複数のコンテンツを提供するサービスを運用しています。CDN事業者は、ユーザの地理的位置やネットワーク状況に応じて最適なエッジサーバのIPアドレスをDNSで応答する仕組みを持っており、同じIPアドレスが互いに異なる複数のアプリケーションで同時に使われることがあります。このようなCDN事業者の仕組みにより、LBO対象のアプリケーションとLBO非対象のアプリケーションの2つで、同じIPアドレス宛の通信が発生すると、LBO対象だけでなく、LBO非対象とされているアプリケーションの通信がLBO回線に流れることとなります。

ページの先頭へ

機能LBOの設定

アプリケーション毎の設定

DNS snooping方式使用例

HTTP snooping方式使用例