Category Archives: Smoothwall

Smoothwall GNS3 step by step Lab setup

VirtualBox and GNS3 (Smoothwall Virtual Test Labs)

GNS3 Test Labs (Smoothwall Labs):
 
Lab Scenarios:
(Please add more Lab scenarios that you think could be useful)
 

1. Cisco IOS Router (7200 series) with NATTing connected to the internet (ACLs configured for specific subnets being used behind the Smoothwall).

2. Smoothwall UTM Master and Failover with Multiple External connections (Primary/Secondary) to test HA and LLB

3. Apache Server on an internal Windows 7 machine to test port-forwarding rules from the internet facing VM.

4. VLANs using NM-16ESW (3725 series router network module) trunk linked to the Smoothwall (VLANs 10, 20 and 1)

5. Child node (bridged) for a Windows 7 machine getting replication from a parent node.

6. Windows 7 machine externally connected to the UTM (between the external router and the Master UTM ) to test L2TP, SSL VPNs, Global Proxy, Mobile Proxy and Syslog server.

7. Solarwinds Real-time SNMP bandwidth monitoring tool for testing SNMP.

8. Hardware WAP (TPLink) connected to virtual switch (NM-16ESW 3725 series) configured with RADIUS (802.1x//WPA Enterprise/BYOD) to test iOS (iPads and iPhones) or android devices (Installed Openwrt firmware on my TPLink that supports not only authentication but also accounting i.e. ports 1812 and 1813)(Smoothwall configured as a DHCP Server)(Will try to find a WAP that support framed IPs to test further RADIUS scenarios)

9. Using two Windows 2012 VMs for testing multi domains AD connection on the Smoothwall.

10. Other VMs include Win 7, Win 8, Win 10, Ubuntu, Mac OS X and Chromium.

11. Wireshark is already integrated in GNS3 and you can capture traffic on any connected links for troubleshooting.

12. Separate lab for testing IPSec VPN connectivity between two Smoothwalls or Smoothwall and ASA.

13. It will be easier with VMs on GNS3 to test further features like IDS/IPS, Upstream Proxy, Bandwidth Management (You might notice some latency), Upstream Firewall, F5 Load Balancer VMs.
 
14. For Cisco devices you can also use CCP (Cisco Configuration Professional) software to configure using a wizard based GUI instead of CLI.


gns3network

Install GNS3 1.3.0 on Ubuntu 14.10 and 14.04 LTS :

— GNS3 CLI installation —

– After opening a terminal, I recommend changing to your user home directory.

$ cd ~

– Run apt-get update

$ sudo apt-get  update

$ sudo apt-get  upgrade

$ sudo apt-get  dist-upgrade

– Install GNS3 Python dependencies

$ sudo apt‐get install python3‐setuptools

$ sudo apt‐get install python3‐pyqt4

$ sudo apt‐get install python3‐ws4py

$ sudo apt‐get install python3‐netifaces

– Install Dynmips dependencies

$ sudo apt-get install cmake

$ sudo apt‐get install libelf‐dev

$ sudo apt‐get install uuid‐dev

$ sudo apt‐get install libpcap‐dev

 – Download and unzip GNS3 Linux source files (Download )

$ unzip GNS3-1.3.7-source.zip

         dynamips-0.2.14.zip  gns3-server-1.3.7.zip  vpcs-0.6.zip

          gns3-gui-1.3.7.zip

 – Build and Install Dynamips

$ unzip dynamips-0.2.14.zip

$ cd  dynamips-0.2.14

$ mkdir build

$ cd build

$ cmake ..

$ make

$ sudo make install

$ sudo setcap cap_net_admin,cap_net_raw=ep /usr/local/bin/dynamips

$ cd ../..

 – Install GNS3 Server

$ unzip gns3-server-1.3.7.zip

$ cd gns3-server-1.3.7

$ sudo python3 setup.py install

$ cd ..

 – Install GNS3 GUI

$ unzip gns3-gui-1.3.7.zip

$ cd gns3-gui-1.3.7

$ sudo python3 setup.py install

$ cd ..

 – Install VPCS

$ unzip vpcs-0.6.zip

$ cd vpcs-0.6/src

$ ./mk.sh

$ sudo cp vpcs /usr/local/bin/

$ cd ../..

 – Install VirtualBox

$ sudo apt-get install virtualbox

 – Install Wireshark

$ sudo apt-get install wireshark

 – Install QEMU – method 1

$ sudo apt-get install qemu

 – Install QEMU – method 2 (x86 arch. only)

$ sudo apt-get install qemu-system-x86

$ sudo apt-get install qemu-utils

 – Install cpulimit

$ sudo apt-get install cpulimit

 – Start GNS3

$ gns3

 

Script to grab all the domain groups for a user on a Linux system with Active Directory connection

#!/bin/sh

clear

USIDTEMP=”/var/tmp/USIDstr.tmp”

GSIDTEMP=”/var/tmp/GSIDstr.tmp”

NAMETEMP=”/var/tmp/NAMEstr.tmp”

#Reseting String storage veribles

>$USIDTEMP

>$GSIDTEMP

>$NAMETEMP

echo “command line to usergroup checker

please supply the domain you wish to check”

read DOM

DOMAIN=$(echo $DOM | tr [a-z] [A-Z])

clear

echo “What username do you wish to list groups for?”

read USERNAME

clear

USERSID=$(WINBINDD_SOCKET_DIR=/var/samba/$DOMAIN/ wbinfo –name-to-sid=$USERNAME &> $USIDTEMP)

echo “check Remote Proceedure Call (RPC) connection to domain”

echo ” “

WINBINDD_SOCKET_DIR=/var/samba/$DOMAIN/ wbinfo -t

echo ” “

echo “———————————————————“

echo ” “

echo “Current Domain Controller Bound To”

echo ” “

WINBINDD_SOCKET_DIR=/var/samba/$DOMAIN/ wbinfo –dc-info=$DOMAIN

echo ” “

echo “———————————————————“

echo ” “

echo “Check All List Domain In $DOMAIN current Status: “

echo ” “

WINBINDD_SOCKET_DIR=/var/samba/$DOMAIN/ wbinfo –online-status

echo ” “

echo “———————————————————“

echo ” “

echo ” “

#Save the username sid to a tmp file

WINBINDD_SOCKET_DIR=/var/samba/$DOMAIN/ wbinfo –name-to-sid=$USERNAME &> $USIDTEMP

#Read in the USID

cat $USIDTEMP | while read LINE

do

USERSID=$(echo $LINE | gawk ‘{print $1}’)

echo ” “

echo “Groups found for $USERNAME are:”

echo ” “

GROUPSID=$(WINBINDD_SOCKET_DIR=/var/samba/$DOMAIN/ wbinfo –user-sids=$USERSID &> $GSIDTEMP )

cat $GSIDTEMP | while read GLINE

do

>$NAMETEMP

TEST=$(WINBINDD_SOCKET_DIR=/var/samba/$DOMAIN/ wbinfo –sid-to-name=$GLINE &> $NAMETEMP)

cat $NAMETEMP | gawk ‘BEGIN{FS=”\\”}{print $1″,”$2}’ | while read NLINE

do

T=$(echo $NLINE | rev | cut -c1)

if [ $T = 2 ]; then

echo $NLINE | gawk ‘BEGIN{FS=”,”}{print $1″\\”$2}’|sed ‘s/.$//’

fi

done

done

done

Distributing Smoothwall’s (https) mitm self-signed CA certificate to BYOD (mobile) client devices (unmanaged device other than Windows clietns)

If you wish to use ‘decrypt and inspect’ for BYOD devices, the users will need to have the Smoothwall’s HTTPS MiTM CA cert sent out to them so that they can install it on their systems.

The best ways to get this CA to the clients is to either:

– Email the CA to them directly
or
– Provide a download link to the CA so the users can download it themselves directly.

Then, according to their devices instructions, they need to install the CA so it can be trusted.

(It isn’t possible to use a normal real world certificate for the MiTM as this requires a full certificate authority)

Smoothwall IPSec (Openswan) VPN to Microsoft Azure (Site-to-Site VPN)

Smoothwall can only be set to use Diffie Hellman group 5 in Phase 1 when initiating the VPN, however when offered by the other device the smoothwall can downgrade to DH2.

All the other encryption settings can be done on the smoothwall. So when setting up the connection on the smoothwall’s end, it would look something like this:

Authenticate by: preshared key
Use comrpession – off
Initiate the connection – off
Perfect forward secrecy – off
Authentication type: ESP
Phase 1 cryptograhic algo: AES256
Phase 1 hash algo: SHA
Phase 2 cryptograhic algo: AES256
Phase 2 hash algo: SHA

Key life: 480 mins
IKE lifetime: 60 mins

These settings would need to be set the same on the Azure gateway, and it would need to be set up as the initiator

Block a single domain through DNS on windows server 2003/2008/2012

We just got a phishing attempt and I felt really bad that I could not stop people from accessing a domain. Isn’t there a way to override a domain in our DNS just for a while so I can stop people from accessing a domain?

Yes, you could create a zone for that domain. No need to create any records, unless you want to point them to a webserver explaining why they are there. Having a DNS zone will make you authoritative for it. When people click on the phishing links, their computers will try to resolve the name with your DNS, and of course, will not be able to access the malware site.

Configure DNS forwarders in Windows Server 2012 R2

In the first article in our series on DNS forwarders, we looked at some best practices for DNS forwarding. In this second article I’ll show you how to configure a DNS server with forwarders in Windows Server 2012 R2.

As always with Windows, you can change, add, and remove forwarders by using either the Windows GUI or the command prompt. I’ve listed steps on how to configure a DNS server to use forwarders using both the Windows GUI and the command prompt below.

Configure a DNS server to use forwarders using the Windows GUI

1. Click Start, point to Administrative Tools, and then click DNS.

Note: You can also type “DNS” without the quotes in the Start page, and it will find it for you.

Opening DNS Manager in Windows Server 2012 R2

2. Open DNS Manager.

Note: To use DNS Manager (and other administrative tools) on a server that does not have the DNS role installed on it, you must install the Remote Server Administration Tools (RSAT) suitable for your OS (the equivalent of adminpak.msi in Windows Server 2003/XP). See our articles on how to install RSAT for Windows 7 and Windows 8 for more information on how to download, install, and configure the RSAT tools on those clients.

3. In the console tree, click on the applicable DNS server, usually it’s the same as the server you’re logged on to.

4.Right-click and select “Properties”.

Note: You may also double-click on the “Forwarders” item in the right pane.

Editing DNS Forwarders in Windows Server 2012 R2

5. On the Forwarders tab click “Edit”.

Note: If you already have existing forwarders, you can choose to edit these as well.

Editing DNS Forwarders in Windows Server 2012 R2

6. In the selected forwarder IP address list, type the IP address of a forwarder, and then click Enter.

Note: You do not need to enter the FQDN of the host, unless you want to. If name resolution traffic is not blocked the name will automatically be resolved.

Note: In this example I’ve used Google’s DNS servers. In most cases you’d want to use your own ISP’s DNS servers. However, in some cases you may want to add internal DNS servers as forwarders, depending on your routing topology.

8.8.8.8
8.8.4.4

Editing DNS Forwarders in Windows Server 2012 R2

In Windows Server 2012/R2, by default the DNS server waits 3 seconds for a response from one forwarder IP address before it tries to query the next forwarder’s IP address. This is configurable, if needed.

7. Repeat with additional forwarders, if needed.

Editing DNS Forwarders in Windows Server 2012 R2

8. When done, click “Ok” twice.

Editing DNS Forwarders in Windows Server 2012 R2

Note: In some cases you may want to configure your DNS server to only use forwarders, and if they fail to respond, you may want it not to attempt further recursion. To do so, un-select the “Use root hints if no forwarders are available”.

If you want to remove one or more forwarders in the future, repeat these steps and simply delete the entry.

To configure a DNS server to use forwarders using the Command Prompt:

1. Open the Command Prompt window with elevated permissions (Run as Administrator).

Configure a DNS server to use forwarders using the Command Prompt

2. If you want to add the same DNS forwarders used in my previous example, in the Command Prompt window type the following command:

dnscmd <DNS_server_name_or_IP>/ResetForwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave

Using DNSCMD to configure a DNS server

Some Final Notes:

  • Separate the DNS IP addresses by a space.
  • You cannot add individual entries one after the other, you must add all forwarders at the same time in one command. But you can add or change existing entries from DNS Manager.
  • The /timeout switch specifies the amount of time that your DNS server waits for the forwarder to respond.
  • The /slave switch indicates that the DNS server will not attempt to perform its own iterative queries if the forwarder fails to resolve the query.
  • The /noslave switch means that the DNS server will use its root hints file if no forwarders are available to resolve the query.

Configure a DNS Server on Windows Server 2012 or 2012 R2 to use OpenDNS

First, make sure that your clients are pointing to your Windows DNS server. I know this sounds pretty obvious, but you’d be surprised how many people miss this step. If you’re in an Active Directory (AD) environment, your clients really need to be pointing to DNS that is running on your Domain Controller (DC). If you only have one Domain Controller (DC), that’s the IP address you want to use; if you have more than one, use both. (Just don’t forget to make this change on all of your DNS servers!).

On your Windows Server 2012/2012 R2 server, bring up the Start Menu and click on Administrative Tools.
01-opendns_on_server_2012

When the Administrative Tools open, double-click the DNS console icon.
02-opendns_on_server_2012

This will open the DNS Manager. In the DNS Manager, double-click on Forwarders.
03-opendns_on_server_2012

You should be taken to the Forwarders tab in the server’s Properties. Click the Edit… button.
04-opendns_on_server_2012

This will open the Edit Forwarders dialog. Type in the IP addresses for OpenDNS: 208.67.222.222 and208.67.220.220.
05-opendns_on_server_2012

It should look something like this when you’re done. Click OK to close the dialog box.
06-opendns_on_server_2012

After clicking OK, you’ll be taken back to the DNS server’s Properties. It should look something like the screenshot below.

07-opendns_on_server_2012

By default, the Use root hints if no forwarders are available will be checked. This option is a double-edged sword: If you leave it checked, your DNS server may consult with the root hints servers to resolve a DNS entry and could bypass OpenDNS. If you don’t check it, you could have DNS timeouts that could result in DNS timeouts.

So, what option do you choose? Well, it really depends on how you’re using OpenDNS. If you’re using OpenDNS as a filter in a situation where the filter always has to work like a school, church, etc., uncheck the box. If it is more important that clients always get timely DNS responses, check the box.

When you’re done, click OK.

Now that you’ve updated your Forwarders. You’ll need to clear the DNS cache. Click the View menu and then Advanced. This will enable you to see the Cached Lookups section in the DNS console.
08-opendns_on_server_2012

Right-click on Cached Lookups in the DNS Manager and choose Clear Cache.

09-opendns_on_server_2012

You’re done! Remember, if you have more than one Windows Server 2012/2012 R2 DNS server, you’ll need to perform this change on each one. You’ll also need to run an ipconfig.exe /flushdns on your clients if you want this to start using OpenDNS immediately. Otherwise, you can wait and they’ll move over on their own as items in the DNS cache expire.

Deep Packet inspection (DPI) / Layer 7 application recognition / Network Based application recognition (NBAR)

Deep packet inspection (DPI) is an advanced method of packet filtering that functions at the Application layer of the OSI (Open Systems Interconnection) reference model. The use of DPI makes it possible to find, identify, classify, reroute or block packets with specific data or code payloads that conventional packet filtering, which examines only packet headers, cannot detect.

Network Based Application Recognition (NBAR) is the mechanism used by some Cisco routers and switches to recognize a dataflow by inspecting some packets sent.

The networking equipment which uses NBAR does a deep packet inspection on some of the packets in a dataflow, to determine which traffic category the flow belongs to. Used in conjunction with other features, it may then program the internal ASICs to handle this flow appropriately. The categorization may be done with OSI layer 4 info, packet content, signaling, and so on but some new applications have made it difficult on purpose to cling to this kind of tagging.

The NBAR approach is useful in dealing with malicious software using known ports to fake being “priority traffic”, as well as non-standard applications using dynamic ports. That’s why NBAR is also known as OSI layer 7 categorization.

On Cisco routers, NBAR is mainly used for Quality of Service and Security purposes.

Distribute Certificates to Client Computers by Using Group Policy

Applies To: Windows Server 2012

You can use the following procedure to push down the appropriate Secure Sockets Layer (SSL) certificates (or equivalent certificates that chain to a trusted root) for account federation servers, resource federation servers, and Web servers to each client computer in the account partner forest by using Group Policy.

Membership in Domain Admins or Enterprise Admins, or equivalent, in Active Directory Domain Services (AD DS) is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in.
  2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
  3. Right-click the GPO, and then click Edit.
  4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
  5. On the Welcome to the Certificate Import Wizard page, click Next.
  6. On the File to Import page, type the path to the appropriate certificate files (for example, \\fs1\c$\fs1.cer), and then click Next.
  7. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  8. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
  9. Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.
    1. Refresh by using gpupdate /force

Applies To: Windows Server 2008 R2

Certificates are important credentials. Administrators may not want to let users decide which certificates to trust and which not to trust. Often the decision to trust or not trust a particular certificate should be made by an administrator or individual who is knowledgeable about the particular certificate and its trust implications for the organization.

You can use Group Policy to distribute the following types of certificates to clients.

Type of certificate Description
Trusted Root Certification Authorities Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your own organization and Microsoft.
Enterprise Trust A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted.
Intermediate Certification Authorities Certificates issued to subordinate CAs.
Trusted Publishers Certificates from CAs that are trusted.
Untrusted Certificates Certificates that you have explicitly decided not to trust because they are no longer valid for their intended purpose or because they are from a source that domain clients should not trust.
Trusted People Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To add certificates to the Trusted Root Certification Authorities store for a domain

  1. Click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
  3. Right-click the Default Domain Policy GPO, and then click Edit.
  4. In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
  5. Right-click the Trusted Root Certification Authorities store.
  6. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.
  7. Refresh by using gpupdate /force

CBWFQ + LLQ – VoIP/Voice priority traffic – Bandwidth management template

Low-Latency Queuing (Congestion Management and Queuing)

Neither WFQ nor CBWFQ can provide guaranteed bandwidth and low-delay guarantee to selected applications such as VoIP; that is because those queuing models have no priority queue. Certain applications such as VoIP have a small end-to-end delay budget and little tolerance to jitter (delay variation among packets of a flow).

LLQ includes a strict-priority queue that is given priority over other queues, which makes it ideal for delay and jitter-sensitive applications. Unlike the plain old PQ, whereby the higher-priority queues might not give a chance to the lower-priority queues and effectively starve them, the LLQ strict-priority queue is policed. This means that the LLQ strict-priority queue is a priority queue with a minimum bandwidth guarantee, but at the time of congestion, it cannot transmit more data than its bandwidth permits. If more traffic arrives than the strict-priority queue can transmit (due to its strict bandwidth limit), it is dropped. Hence, at times of congestion, other queues do not starve, and get their share of the interface bandwidth to transmit their traffic.

Figure 4-6 shows an LLQ. As you can observe, LLQ is effectively a CBWFQ with one or more strict-priority queues added. Please note that it is possible to have more than one strict priority queue. This is usually done so that the traffic assigned to the two queues—voice and video traffic, for example—can be separately policed. However, after policing is applied, the traffic from the two classes is not separated; it is sent to the hardware queue based on its arrival order (FIFO).

LLQ

As long as the traffic that is assigned to the strict-priority class does not exceed its bandwidth limit and is not policed and dropped, it gets through the LLQ with minimal delay. This is the benefit of LLQ over CBWFQ.

Benefits of LLQ

LLQ offers all the benefits of CBWFQ, including the ability of the user to define classes and guarantee each class an appropriate amount of bandwidth and to apply WRED to each of the classes (except to the strict-priority queue) if needed. In the case of LLQ and CBWFQ, the traffic that is not explicitly classified is considered to belong to the class-default class. You can make the queue that services the class-default class a WFQ instead of FIFO, and if needed, you can apply WRED to it.

The benefit of LLQ over CBWFQ is the existence of one or more strict-priority queues with bandwidth guarantees for delay- and jitter-sensitive traffic. The advantage of LLQ over the traditional PQ is that the LLQ strict-priority queue is policed. That eliminates the chance of starvation of other queues, which can happen if PQ is used. As opposed to the old RTP priority queue, the LLQ strict-priority is not limited to accepting RTP traffic only. You can decide and assign any traffic you want to the LLQ strict-riority queue using special IOS keywords, using access lists, or using Network Based Application Recognition (NBAR) options. Finally, like many other queuing mechanisms, LLQ is not restricted to certain platforms or media types.

Configuring and Monitoring LLQ

Configuring LLQ is almost identical to configuring CBWFQ, except that for the strict-priority queue(s), instead of using the keyword/command bandwidth, you use the keyword/command priority within the desired class of the policy map. You can reserve bandwidth for the strict-priority queue in two ways: you can specify a fixed amount, or you can specify a percentage of the interface bandwidth. The following command syntax is used to do just that in the appropriate order:

tmp9772_thumb

The burst amount (bytes) is specified as an integer between 32 and 2,000,000; it allows a temporary burst above the policed bandwidth. Note that if the percent option is used, the reservable amount of bandwidth is limited by the value of max-reserved-bandwidth on the interface configuration, which is 75 percent by default.

Example 4-7 shows implementation of LLQ using a policy map called enterprise. The policy map assigns a class called voice to the strict-priority queue with a bandwidth guarantee of 50 Kbps. Classes business and class-default form the CBWFQ component of this LLQ.

Example 4-7 A Policy Map to Implement LLQ

A Policy Map to Implement LLQ

You can use the show policy-map interface interface command to see the packet statistics for all classes used within a policy map that is applied to an interface using the service-policy command. Example 4-8 shows (partial) output of this command for the serial 1/0 interface of a router.

Example 4-8 Sample Output of the show policy-map interface Command

Sample Output of the show policy-map interface Command

QoS template – bandwidth dependency calculation:

Cisco QoS features like LLQ and CBWFQ let us to prioritize and guarantee delay and bandwidth for defined class of traffic.
CBWFQ configuration allows to configure the BW requirements for specific class of service. First we have to defined the class and match the specific type of traffic, then assign BW limit in the policy that will be reserverd during interface congestion. Standard bandwidth command with BW in Kbps under class can be used for above. The drawback of this type of configuration is need to adjust the BW speed definition each time once we have changed the access speed.

IOS allows to tune the QoS configuration to define kind of QoS template that will use BW class ratio accross function similar devices without need for reconfiguration of BW parameters each time when access speed change. LLQ defines the priority queue for the delay sensetive traffic. Additionaly for business critical traffic CBWFQ needs to be configured. We have two options to confgure the QoS template: bandwidth percent and bandwidth remaining percent per class options.

I have defined 4 classes that will be used to presents configuration options.
class-map match-all TELNET
match protocol telnet
class-map match-all HTTP
match protocol http
class-map match-all SMTP
match protocol smtp
class-map match-all VoIP
match protocol rtp

Option 1 – bandwidth percent
First option to define BW template is to use bandwidth percent command instead of just bandwidth under class in policy map configuration. BW will be calculated based on the interface’s BW, so in case Fast Ethernet it will be 100Mbps. Priority percent 10 for PQ or bandwidth percent 10 in CBWFQ it’s 10% of 100Mbps.

By default, available interface BW is defined based on the physical port speed unless you configure the bandwidth command under interface to set access speed to something less (SLA access). Additionaly Cisco IOS has Default Class (class-default) with reserved the 25% of interface BW that match all undefined traffic (you can change it with max-reserved-bandwidth command under interface mode).

Let’s configure the first policy based on option 1:
R1(config)#policy-map LLQ
R1(config-pmap)#class VoIP
R1(config-pmap-c)#priority percent 10
R1(config-pmap-c)#class HTTP
R1(config-pmap-c)#bandwidth percent 10
R1(config-pmap-c)#class SMTP
R1(config-pmap-c)#bandwidth percent 50
R1(config-pmap-c)#class TELNET
R1(config-pmap-c)#bandwidth percent 30

The first way choice is to configure the bandwidth percent to fil 100% of interface speed, but due to class-default the available BW to share is 75%. In the above example we have defined 4 classed and assigned 100% of interface BW, here let’s try to assign the LLQ policy to the inerface:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#service-policy output LLQ
I/f FastEthernet0/0 class TELNET requested bandwidth 30%, available only 5%
R1(config-if)#

We can observe the error message that is saying that we have just 5% of available BW, this is due to 25% reserved for default class. OK so let change reserved BW for TELNET to 5%, assign policy to the interface and see the policy.
R1#show policy-map interface fastEthernet 0/0
FastEthernet0/0
Service-policy output: LLQ
Class-map: VoIP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol rtp
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 10 (%)
Bandwidth 10000 (kbps) Burst 250000 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: HTTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
Queueing
Output Queue: Conversation 265
Bandwidth 10 (%)
Bandwidth 10000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: SMTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol smtp
Queueing
Output Queue: Conversation 266
Bandwidth 50 (%)
Bandwidth 50000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: TELNET (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
Queueing
Output Queue: Conversation 267
Bandwidth 5 (%)
Bandwidth 5000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Policy has been defined for Fast Ethernet so LLQ and CBWFQ have 75Mbps traffic reserved, below BW calculation details:

VoIP = 100Mbps * 0,1 = 10Mbps
HTTP = 100Mbps * 0,1 = 10Mbps
SMTP = 100Mbps * 0,5 = 50Mbps
TELNET = 100Mbps * 0,05 = 5Mbps

Option 2 – bandwidth remaining percent
Second option to define BW is to use bandwidth remaining percent command. The idea of this type of configuration is to first reserve the BW for the PQ thru priority percent command and next divides the available remaining BW between defined classes.
Let’s configure below:
R1(config)#policy-map LLQ
R1(config-pmap)#class VoIP
R1(config-pmap-c)#priority percent 10
R1(config-pmap-c)#class HTTP
R1(config-pmap-c)#bandwidth remaining percent 10
R1(config-pmap-c)#class SMTP
R1(config-pmap-c)#bandwidth remaining percent 50
R1(config-pmap-c)#class TELNET
R1(config-pmap-c)#bandwidth remaining percent 40
R1(config-pmap-c)#int fa0/0
R1(config-if)#service-policy output LLQ

For class VoIP priority percent 10 will be equal 100Mbps*0,1=10Mbps, BW Remaining is = (100-10)Mbps * 0,75= 67,5Mbps. So BW Remaining will be used as reference for all classes.
For class HTTP bandwidth remaining percent 10 will be equal BW Remaining*0,1 = 67,5Mbps*0,1= 6,75 Mbps.
For class SMTP bandwidth remaining percent 50 will be equal BW Remaining*0,5 = 33,75 Mbps.
For class TELNET bandwidth remaining percent 40 will be equal BW Remaining*0,4 = 27 Mbps.
By default Burst for Strict Priority queue is equal 20% of the PQ’s BW so 20% of 10Mbps, (10000000bitów/8)*0,2=250000B

R1#show policy-map interface fa0/0
FastEthernet0/0
Service-policy output: LLQ
Class-map: VoIP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol rtp
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 10 (%)
Bandwidth 10000 (kbps) Burst 250000 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: HTTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
Queueing
Output Queue: Conversation 265
Bandwidth remaining 10 (%)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: SMTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol smtp
Queueing
Output Queue: Conversation 266
Bandwidth remaining 50 (%)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: TELNET (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
Queueing
Output Queue: Conversation 267
Bandwidth remaining 40 (%)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
30 packets, 2851 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Above examples are Cisco recommended ways to deploye CE QoS configuration for different access speed port.