Remote Site Using Local Internet Access Configuration Files Guide ...

Remote Site Using Local Internet AccessConfiguration Files Guide

August 2014 Series

Table of Contents

Table of ContentsPreface ........................................................................................................................................1

Introduction .................................................................................................................................2

Product List .................................................................................................................................4

WAN-Aggregation Devices ..........................................................................................................6WAN-Aggregation design—Dual DMVPN and DMVPN Only ........................................................... 6VPN-ASR1002-1 ......................................................................................................................... 7VPN-ASR1001-2 ........................................................................................................................14WAN-Aggregation design—DMVPN Backup Dedicated (MPLS WAN) ........................................ 21CE-ASR1002-1 ......................................................................................................................... 22CE-ASR1001-2 ......................................................................................................................... 26WAN-Aggregation design—DMVPN Backup Dedicated (Layer 2 WAN) ..................................... 31METRO-ASR1001-1 .................................................................................................................. 32WAN-Aggregation Design—WAN Aggregation Distribution Switch ............................................. 39WAN-D3750X ........................................................................................................................... 39

WAN Remote-Site Devices—Dual DMVPN and DMVPN Only with Local Internet Access Design Models ..............................................................................................................49

Remote Site 250: Single-Router, Single-Link (DMVPN) with Local Internet ............................... 50RS250-1941 ......................................................................................................................... 50

Remote Site 251: Single-Router, Dual-Link (DMVPN + DMVPN) with Local Internet .................. 58RS251-2911 .......................................................................................................................... 58

Remote Site 252: Dual-Router, Dual-Link (DMVPN + DMVPN) with Local Internet .................... 68RS252-2921-1 ...................................................................................................................... 68RS252-2921-2 ..................................................................................................................... 77

WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model (MPLS) with Local Internet .....................................................................................................................86

Remote Site 240: Single-Router, Dual-Link with local Internet access (MPLS + DMVPN) .......... 87RS240-3945 ........................................................................................................................ 87

Remote Site 242: Dual-Router, Dual-Link with Local Internet Access (MPLS + DMVPN) ........... 96RS242-2951-1 ...................................................................................................................... 96RS242-2951-2 .................................................................................................................... 102

Table of Contents

WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model with Local Internet Access (Layer 2 WAN) ................................................................................ 112

Remote Site 216: Single-Router, Dual-Link with Local Internet Access (Layer 2 WAN + DMVPN) .........................................................................................................113

RS216-3925 ........................................................................................................................113

Preface August 2014 Series1

PrefaceCisco Validated Designs (CVDs) present systems that are based on common use cases or engineering priorities. CVDs incorporate a broad set of technologies, features, and applications that address customer needs. They incorporate a broad set of technologies, features, and applications to address customer needs. Cisco engineers have comprehensively tested and documented each CVD in order to ensure faster, more reliable, and fully predictable deployment.

This guide provides, as a comprehensive reference, the complete network device configurations that are implemented in the corresponding CVD design guide.

CVD Foundation SeriesThis CVD Foundation guide is a part of the August 2014 Series. As Cisco develops a CVD Foundation series, the guides themselves are tested together, in the same network lab. This approach assures that the guides in a series are fully compatible with one another. Each series describes a lab-validated, complete system.

The CVD Foundation series incorporates wired and wireless LAN, WAN, data center, security, and network management technologies. Using the CVD Foundation simplifies system integration, allowing you to select solutions that solve an organization’s problems—without worrying about the technical complexity.

To ensure the compatibility of designs in the CVD Foundation, you should use guides that belong to the same release. For the most recent CVD Foundation guides, please visit the CVD Foundation web site.

Comments and QuestionsIf you would like to comment on a guide or ask questions, please use the feedback form.

http://cvddocs.com/fw/1000-w

http://cvddocs.com/feedback/?id=221-14b

Introduction August 2014 Series2

IntroductionThis guide provides the available configuration files for the products used in Remote Site Using Local Internet Access Technology Design Guide. It is a companion document to the design guide as a reference for engineers who are evaluating or deploying CVD.

Both the Remote Site Using Local Internet Access Technology Design Guide and this guide provide the complete list of products used in the lab testing of this design.

http://cvddocs.com/fw/222-14b



Introduction August 2014 Series3

Figure 1 - CVD Overview

21

89Remote Site Regional SiteRemote Site

Teleworker /Mobile Worker

AccessSwitches

AccessSwitches

WANRouters

Cisco WAASWAAS

WANRoutersWAN

Router

AccessSwitch

Hardware andSoftware VPN

Wireless LANController

DistributionSwitchesAccess

Switches

WAN Aggregation

Internet Edge

Data Center

Headquarters

WANRoutersWAAS

VPN WANRouters

Remote-SiteWireless LAN

Controllers

UCS Rack-mountServers

UCS Rack-mountServer

Wireless LANControllers

Email SecurityAppliance

Firewall

RA-VPNWeb Security

Appliance

Guest WirelessLAN Controller

Data CenterFirewalls

CommunicationsManagers

UCS BladeChassis

DMZ Servers

DMZ Switches

Nexus2000

Storage

WAAS CentralManager

Nexus5500

UserAccessLayer

InternetPSTN PSTNMPLSWANs

Building 1 Building 2 Building 3

Core VSSSwitch

DistributionSwitch Layer

VoiceGateway

Product List August 2014 Series4

Product ListWAN Remote Site

Functional Area Product Description Part Numbers Software

Modular WAN Remote-site Router

Cisco ISR 3945 w/ SPE150, 3GE, 4EHWIC, 4DSP, 4SM, 256MBCF, 1GBDRAM, IP Base, SEC, AX licenses with; DATA, AVC, and WAAS/vWAAS with 2500 connection RTU

C3945-AX/K9 15.3(3)M3 securityk9 feature set datak9 feature set uck9 feature setCisco ISR 3925 w/ SPE100 (3GE, 4EHWIC, 4DSP, 2SM, 256MBCF,

1GBDRAM, IP Base, SEC, AX licenses with; DATA, AVC, WAAS/vWAAS with 2500 connection RTU

C3925-AX/K9

Unified Communications Paper PAK for Cisco 3900 Series SL-39-UC-K9

Cisco ISR 2951 w/ 3 GE, 4 EHWIC, 3 DSP, 2 SM, 256MB CF, 1GB DRAM, IP Base, SEC, AX license with; DATA, AVC, and WAAS/vWAAS with 1300 connection RTU

C2951-AX/K9

Cisco ISR 2921 w/ 3 GE, 4 EHWIC, 3 DSP, 1 SM, 256MB CF, 1GB DRAM, IP Base, SEC, AX license with; DATA, AVC, and WAAS/vWAAS with 1300 connection RTU

C2921-AX/K9

Cisco ISR 2911 w/ 3 GE,4 EHWIC, 2 DSP, 1 SM, 256MB CF, 1GB DRAM, IP Base, SEC, AX license with; DATA, AVC and WAAS/vWAAS with 1300 connection RTU

C2911-AX/K9

Unified Communications Paper PAK for Cisco 2900 Series SL-29-UC-K9

Cisco ISR 1941 Router w/ 2 GE, 2 EHWIC slots, 256MB CF, 2.5GB DRAM, IP Base, DATA, SEC, AX license with; AVC and WAAS-Express

C1941-AX/K9 15.3(3)M3 securityk9 feature set datak9 feature set

Product List August 2014 Series5

LAN Access LayerFunctional Area Product Description Part Numbers Software

Stackable Access Layer Switch

Cisco Catalyst 3850 Series Stackable 48 Ethernet 10/100/1000 PoE+ ports

WS-C3850-48F 3.3.3SE(15.0.1EZ3) IP Base feature set

Cisco Catalyst 3850 Series Stackable 24 Ethernet 10/100/1000 PoE+ Ports

WS-C3850-24P

Cisco Catalyst 3850 Series 2 x 10GE Network Module C3850-NM-2-10G

Cisco Catalyst 3850 Series 4 x 1GE Network Module C3850-NM-4-1G

Cisco Catalyst 3650 Series 24 Ethernet 10/100/1000 PoE+ and 2x10GE or 4x1GE Uplink

WS-C3650-24PD 3.3.3SE(15.0.1EZ3) IP Base feature set

Cisco Catalyst 3650 Series 24 Ethernet 10/100/1000 PoE+ and 4x1GE Uplink

WS-C3650-24PS

Cisco Catalyst 3650 Series Stack Module C3650-STACK

Cisco Catalyst 3750-X Series Stackable 48 Ethernet 10/100/1000 PoE+ ports

WS-C3750X-48PF-S 15.2(1)E3 IP Base feature set

Cisco Catalyst 3750-X Series Stackable 24 Ethernet 10/100/1000 PoE+ ports

WS-C3750X-24P-S

Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module

C3KX-NM-10G

Cisco Catalyst 3750-X Series Four GbE SFP ports network module C3KX-NM-1G

Cisco Catalyst 2960-X Series 24 10/100/1000 Ethernet and 2 SFP+ Uplink

WS-C2960X-24PD 15.0(2)EX5 LAN Base feature set

Cisco Catalyst 2960-X FlexStack-Plus Hot-Swappable Stacking Module

C2960X-STACK

Standalone Access Layer Switch

Cisco Catalyst 3650 Series 24 Ethernet 10/100/1000 PoE+ and 4x1GE Uplink

WS-C3650-24PS 3.3.3SE(15.01EZ3) IP Base feature set

WAN-Aggregation Devices August 2014 Series6

WAN-Aggregation DevicesThe following sections include the configuration files for each of the headend WAN aggregation devices.

WAN-Aggregation design—Dual DMVPN and DMVPN Only This section includes configuration files corresponding to the Dual DMVPN and DMVPN Only design models as referenced in Figure 2.

Figure 2 - WAN-aggregation design—Dual DMVPN and DMVPN Only

22

67

Port-channel4(gig0/0/0, gig0/0/1)

gig0/0/3gig0/0/3

DMZ-VPN

WAN-D3750X

VPN-ASR1001-2VPN-ASR1002-1

ASA 5545X

10.4.32.16/30↑ (.17), (.18) ↓

10.4.32.24/30↑ (.25), (.26) ↓

← (.10), (.11) ←192.168.18.0/24

VLAN 1118← (.1), (.2) ←

(100/50 Mbps)




InternetISP A/ISP B

The following table provides the loopback addresses for the WAN aggregation devices in the Dual DMVPN and DMVPN Only design models, shown in the preceding figure.

Table 1 - DMVPN aggregation device Loopback addresses

Hostname Loopback0

VPN-ASR1002-1 10.4.32.243/32

VPN-ASR1001-2 10.4.32.244/32


VPN-ASR1002-1

This guide uses the following conventions for commands that you enter at the command-line interface (CLI).

Commands to enter at a CLI prompt: configure terminal

Commands that specify a value for a variable: ntp server 10.10.48.17

Commands with variables that you must de�ne: class-map [highest class name]

Commands at a CLI or script prompt: Router# enable

Long commands that line wrap are underlined. Enter them as one command:

police rate 10000 pps burst 10000 packets conform-action

Noteworthy parts of system output (or of device con�guration �les) are highlighted: interface Vlan64 ip address 10.5.204.5 255.255.255.0

How to Read Commands

version 15.4

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

no platform punt-keepalive disable-kernel-core

platform qos port-channel-aggregate 1


!

hostname VPN-ASR1002-1

!

boot-start-marker

boot system bootflash:asr1002x-universalk9.03.12.00.S.154-2.S-std.SPA.bin

boot-end-marker

!

aqm-register-fnf

!

vrf definition Mgmt-intf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw

!

aaa new-model

!


aaa group server tacacs+ TACACS-SERVERS

server name TACACS-SERVER-1

!

aaa authentication login default group TACACS-SERVERS local

aaa authorization console

aaa authorization exec default group TACACS-SERVERS local

!

aaa session-id common

clock timezone PST -8 0

clock summer-time PDT recurring

!

ip vrf INET-PUBLIC

rd 65512:1

!

ip domain name cisco.local

ip multicast-routing distributed

!

ipv6 multicast rpf use-bgp

ipv6 multicast vrf Mgmt-intf rpf use-bgp

!

multilink bundle-name authenticated

!

key chain WAN-KEY

key 1

key-string 7 121A0C041104

key chain LAN-KEY

key 1

key-string 7 045802150C2E

!

license accept end user agreement

license boot level adventerprise

spanning-tree extend system-id

!

username admin password 7 0205554808095E731F

!

redundancy

mode none

!

cdp run

!

ip ssh source-interface Loopback0

ip ssh version 2

ip scp server enable

!

class-map match-any DATA

match dscp af21

class-map match-any INTERACTIVE-VIDEO


match dscp cs4 af41

class-map match-any CRITICAL-DATA

match dscp cs3 af31

match dscp ef

class-map match-any VOICE

match dscp ef

class-map match-any SCAVENGER

match dscp cs1 af11

class-map match-any TP-MEDIA

match protocol telepresence-media

class-map match-any NETWORK-CRITICAL

match dscp cs2 cs6

!

policy-map WAN

class VOICE

priority percent 10

class INTERACTIVE-VIDEO

priority percent 23

class CRITICAL-DATA

bandwidth percent 15

random-detect dscp-based

class DATA



class SCAVENGER

bandwidth percent 5

class NETWORK-CRITICAL

bandwidth percent 3

class class-default


random-detect

policy-map WAN-INTERFACE-G0/0/3-SHAPE-ONLY

class class-default

shape average 100000000

policy-map RS-GROUP-3G-POLICY

class class-default


service-policy WAN


class class-default


service-policy WAN

policy-map RS-GROUP-2MBPS-POLICY

class class-default


service-policy WAN



class class-default


service-policy WAN


class class-default


service-policy WAN


class class-default


service-policy WAN


class class-default


service-policy WAN

!

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC

pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC

keyring DMVPN-KEYRING

match identity address 0.0.0.0 INET-PUBLIC

!

crypto ipsec security-association replay window-size 512

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-PROFILE

set transform-set AES256/SHA/TRANSPORT

set isakmp-profile FVRF-ISAKMP-INET-PUBLIC

!

interface Loopback0

ip address 10.4.32.243 255.255.255.255

ip pim sparse-mode

!

interface Port-channel3

ip address 10.4.32.18 255.255.255.252

ip pim sparse-mode

no negotiation auto

!


description VPN-DMZ


ip vrf forwarding INET-PUBLIC

no ip address

shutdown

no negotiation auto

service-policy output WAN-INTERFACE-PO-13-SHAPE-ONLY

!

interface Tunnel10

bandwidth 100000

ip address 10.4.34.1 255.255.254.0

no ip redirects

ip mtu 1400

ip pim nbma-mode

ip pim sparse-mode

ip nhrp authentication cisco123

ip nhrp map multicast dynamic

ip nhrp map group RS-GROUP-25MBPS service-policy output RS-GROUP-25MBPS-POLICY





ip nhrp map group RS-GROUP-3G service-policy output RS-GROUP-3G-POLICY


ip nhrp network-id 101

ip nhrp holdtime 600

ip nhrp redirect

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/0/3

tunnel mode gre multipoint

tunnel vrf INET-PUBLIC

tunnel protection ipsec profile DMVPN-PROFILE

!

interface GigabitEthernet0/0/0

description WAN-D3750X Gig1/0/3

no ip address

negotiation auto

cdp enable

channel-group 3

!



no ip address

negotiation auto

cdp enable

channel-group 3

!


description DMZ-2960X Gig1/0/6


no ip address

negotiation auto

cdp enable

channel-group 13

!


description VPN-DMZ


ip address 192.168.18.10 255.255.255.0

negotiation auto

service-policy output WAN-INTERFACE-G0/0/3-SHAPE-ONLY

!

router eigrp LAN

!

address-family ipv4 unicast autonomous-system 100

!

af-interface default

passive-interface

exit-af-interface

!

af-interface Port-channel3

authentication mode md5

authentication key-chain LAN-KEY

no passive-interface

exit-af-interface

!

topology base

redistribute eigrp 200 route-map SET-ROUTE-TAG-DMVPN

exit-af-topology

network 10.4.0.0 0.1.255.255

eigrp router-id 10.4.32.243

nsf

exit-address-family

!

!

router eigrp WAN-DMVPN-1

!


!


passive-interface

exit-af-interface

!

af-interface Tunnel10


authentication key-chain WAN-KEY

hello-interval 20


hold-time 60


no split-horizon

exit-af-interface

!

topology base

redistribute eigrp 100

exit-af-topology

network 10.4.34.0 0.0.1.255


exit-address-family

!

ip forward-protocol nd

!

no ip http server

ip http authentication aaa

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip pim autorp listener

ip pim register-source Loopback0

ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 192.168.18.1

!

ip tacacs source-interface Loopback0

!

ip access-list extended ISAKMP

permit udp any eq isakmp any eq isakmp

!

access-list 55 permit 10.4.48.0 0.0.0.255

!

route-map SET-ROUTE-TAG-DMVPN permit 10

match interface Tunnel10

set tag 65512

!

snmp-server community cisco RO 55

snmp-server community cisco123 RW 55

snmp-server trap-source Loopback0

!

tacacs server TACACS-SERVER-1

address ipv4 10.4.48.15

key 7 107D0C1A17120620091D

!

control-plane

!

line con 0

logging synchronous

transport preferred none

stopbits 1


line aux 0

stopbits 1

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!

ntp source Loopback0

ntp server 10.4.48.17

!

end

VPN-ASR1001-2version 15.4







!

hostname VPN-ASR1001-2

!

boot-start-marker

boot system bootflash:asr1001-universalk9.03.12.00.S.154-2.S-std.bin

boot-end-marker

!


!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!


!

aaa new-model

!



!





!

!




!

ip vrf INET-PUBLIC

rd 65512:2

!



!


!

key chain WAN-KEY

key 1

key-string 7 00071A150754

key chain LAN-KEY

key 1

key-string 7 070C285F4D06

!

license udi pid ASR1001 sn JAE15040H1U



!

username admin password 7 15115A1F07257A767B

!

redundancy

mode none

!

cdp run

!


ip ssh version 2


!


match dscp af21

match ip dscp af21


match dscp cs4 af41


match dscp cs3 af31

match dscp ef



match dscp ef


match dscp cs1 af11

match ip dscp cs1 af11




match dscp cs2 cs6

match ip dscp cs2 cs6

match access-group name ISAKMP

!

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect

policy-map WAN-INTERFACE-G0/0/3-SHAPE-ONLY

class class-default



class class-default


service-policy WAN


class class-default


service-policy WAN


class class-default


service-policy WAN


class class-default



service-policy WAN


class class-default


service-policy WAN


class class-default


service-policy WAN


class class-default


service-policy WAN

!

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC


!


encr aes 256


group 2

crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC

keyring DMVPN-KEYRING

match identity address 0.0.0.0 INET-PUBLIC

!


!


mode transport

!

crypto ipsec profile DMVPN-PROFILE


set isakmp-profile FVRF-ISAKMP-INET-PUBLIC

!

interface Loopback0

ip address 10.4.32.244 255.255.255.255

ip pim sparse-mode

!


ip address 10.4.32.22 255.255.255.252

ip pim sparse-mode

no negotiation auto

!

interface Tunnel10

bandwidth 50000

ip address 10.4.36.1 255.255.254.0


no ip redirects

ip mtu 1400

ip pim nbma-mode

ip pim sparse-mode


ip nhrp map multicast dynamic










ip nhrp redirect


tunnel source GigabitEthernet0/0/3


tunnel vrf INET-PUBLIC

tunnel protection ipsec profile DMVPN-PROFILE

!



no ip address

negotiation auto

cdp enable

channel-group 4

!



no ip address

negotiation auto

cdp enable

channel-group 4

!


description VPN-DMZ


ip address 192.168.18.11 255.255.255.0

negotiation auto

service-policy output WAN-INTERFACE-G0/0/3-SHAPE-ONLY

!

!

router eigrp LAN

!



!


passive-interface

exit-af-interface

!





exit-af-interface

!

topology base

redistribute eigrp 201 route-map SET-ROUTE-TAG-DMVPN

exit-af-topology

network 10.4.0.0 0.1.255.255


nsf

exit-address-family

!

!


!


!


passive-interface

exit-af-interface

!




hello-interval 20

hold-time 60


no split-horizon

exit-af-interface

!

topology base


exit-af-topology

network 10.4.36.0 0.0.1.255


exit-address-family

!


!

no ip http server






ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 192.168.18.1


!


!

route-map SET-ROUTE-TAG-DMVPN permit 10

match interface Tunnel10

set tag 65512

!




!



key 7 03375E08140A35674B10

!

control-plane

!

line con 0

logging synchronous


stopbits 1

line aux 0

stopbits 1

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!



!

end


WAN-Aggregation design—DMVPN Backup Dedicated (MPLS WAN)

This section includes configuration files corresponding to the DMVPN Backup Dedicated (MPLS WAN) design models as referenced in Figure 3.

Figure 3 - WAN-aggregation design—DMVPN Backup Dedicated (MPLS WAN)

22

68



gig0/0/3gig0/0/3

WAN-D3750X

CE-ASR1002-1 CE-ASR1001-2

10.4.32.0/30↑ (.1), (.2) ↓

192.168.3.0/30↑ (.1), (.2) ↓ 192.168.4.0/30

↑ (.1), (.2) ↓

10.4.32.8/30↑ (.9), (.10) ↓

10.4.32.16/30← (.17), (.18) ←

(300 Mbps)

(150 Mbps)

MPLS AAS 65401

MPLS BAS 65402

AS=65511

gig0/0/3

DMZ-VPN

ASA 5545X

VPN-ASR1002-1

(100/50 Mbps)

↑ (.10)192.168.18.0/24

VLAN 1118← (.1), (.2) ←


InternetISP A/ISP B




The following table provides the loopback addresses for the WAN aggregation devices in the DMVPN Backup Dedicated (MPLS WAN) design model, shown in the preceding figure.

Table 2 - MPLS WAN-aggregation device loopback addresses

Hostname Loopback0

CE-ASR1002-1 10.4.32.241/32

CE-ASR1001-2 10.4.32.242/32


CE-ASR1002-1version 15.4





!

hostname CE-ASR1002-1

!

boot-start-marker

boot system bootflash:asr1000rp1-adventerprisek9.03.12.00.S.154-2.S-std.bin

boot-end-marker

!

aqm-register-fnf

!


!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!


!

aaa new-model

!



!




!




!



!


!

key chain LAN-KEY

key 1


key-string 7 070C285F4D06

!


!

username admin password 7 03070A180500701E1D

!

redundancy

mode none

!

cdp run

!


ip ssh version 2


!


match dscp af21

class-map match-any BGP-ROUTING

match protocol bgp


match dscp cs4 af41


match dscp cs3 af31


match dscp ef


match dscp cs1 af11




match dscp cs2 cs6

!

policy-map MARK-BGP

class BGP-ROUTING

set dscp cs6

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER


bandwidth percent 5


bandwidth percent 3

service-policy MARK-BGP

class class-default


random-detect

policy-map WAN-INTERFACE-G0/0/3

class class-default


service-policy WAN

!

interface Loopback0

ip address 10.4.32.241 255.255.255.255

ip pim sparse-mode

!


ip address 10.4.32.2 255.255.255.252

ip pim sparse-mode

no negotiation auto

!



no ip address

negotiation auto

channel-group 1

!



no ip address

negotiation auto

channel-group 1

!


description MPLS WAN Uplink

bandwidth 300000

ip address 192.168.3.1 255.255.255.252

ip pim sparse-mode


negotiation auto

service-policy output WAN-INTERFACE-G0/0/3

!

router eigrp LAN

!


!



passive-interface

exit-af-interface

!





exit-af-interface

!

topology base

default-metric 300000 100 255 1 1500

distribute-list route-map BLOCK-TAGGED-ROUTES in

redistribute bgp 65511

exit-af-topology

network 10.4.0.0 0.1.255.255


nsf

exit-address-family

!

router bgp 65511

bgp router-id 10.4.32.241

bgp log-neighbor-changes

network 0.0.0.0

network 192.168.3.0 mask 255.255.255.252


neighbor 10.4.32.242 remote-as 65511

neighbor 10.4.32.242 update-source Loopback0

neighbor 10.4.32.242 next-hop-self


!


!

no ip http server






!


!

route-map BLOCK-TAGGED-ROUTES deny 10

match tag 65401 65402 65512

!

route-map BLOCK-TAGGED-ROUTES permit 20

!





!



key 7 00371605165E1F2D0A38

!

line con 0

logging synchronous


stopbits 1

line aux 0

stopbits 1

line vty 0 4

access-class 55 in

exec-timeout 0 0


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!



!

end

CE-ASR1001-2version 15.4





!

hostname CE-ASR1001-2

!

boot-start-marker


boot-end-marker

!

aqm-register-fnf

!


!

address-family ipv4


exit-address-family

!

address-family ipv6

exit-address-family

!


!

aaa new-model

!



!




!




!



!

!


!

key chain LAN-KEY

key 1

key-string 7 0822455D0A16

!



!

username admin password 7 0205554808095E731F

!

redundancy

mode none

!

cdp run

!


ip ssh version 2


!


match dscp af21



match protocol bgp


match dscp cs4 af41


match dscp cs3 af31


match dscp ef


match dscp cs1 af11




match dscp cs2 cs6

!

policy-map MARK-BGP

class BGP-ROUTING

set dscp cs6

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3


class class-default


random-detect


class class-default


service-policy WAN

!

interface Loopback0

ip address 10.4.32.242 255.255.255.255

ip pim sparse-mode

!



ip address 10.4.32.6 255.255.255.252

ip pim sparse-mode

no negotiation auto

!


description WAN-D3750X Gig 1/0/2

no ip address

negotiation auto

cdp enable

channel-group 2

!


description WAN-D3750X Gig 2/0/2

no ip address

negotiation auto

cdp enable

channel-group 2

!


description MPLS WAN Uplink

bandwidth 150000

ip address 192.168.4.1 255.255.255.252

ip pim sparse-mode


negotiation auto


!

router eigrp LAN

!


!


passive-interface

exit-af-interface

!





exit-af-interface

!

topology base

default-metric 150000 100 255 1 1500



exit-af-topology

network 10.4.0.0 0.1.255.255



nsf

exit-address-family

!

router bgp 65511

bgp router-id 10.4.32.242


network 0.0.0.0

network 192.168.4.0 mask 255.255.255.252



neighbor 10.4.32.241 update-source Loopback0

neighbor 10.4.32.241 next-hop-self


!


!

no ip http server






!


!


match tag 65401 65402 65512

!


!




!



key 7 13361211190910012E3D

!

control-plane

!

line con 0

logging synchronous


stopbits 1

line aux 0


stopbits 1

line vty 0 4

access-class 55 in

exec-timeout 0 0


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!



!

end

WAN-Aggregation design—DMVPN Backup Dedicated (Layer 2 WAN)

This section includes configuration files corresponding to the DMVPN Backup Dedicated (Layer 2 WAN) design models as referenced in Figure 4.

Figure 4 - WAN-aggregation design—DMVPN Backup Dedicated (Layer 2 WAN)

22

71



gig0/0/3

gig0/0/3

WAN-D3750X

METRO-ASR1001-1

VPN-ASR1002-1

10.4.32.32/30↑ (.33), (.34) ↓

10.4.32.16/30↑ (.17), (.18) ↓

VLAN 38:10.4.38.0/24 ↑ (.1),VLAN 39:10.4.39.0/24 ↑ (.1),

(500 Mbps)

DMZ-VPN

ASA 5545X

(100/50 Mbps)

↑ (.10)192.168.18.0/24

VLAN 1118← (.1), (.2) ←

VPLS A

InternetISP A/ISP B




The following table provides the loopback addresses for the WAN aggregation devices in the DMVPN Backup Dedicated (Layer 2 WAN) design model, shown in the preceding figure.

Table 3 - Metro Ethernet aggregation device loopback address

Hostname Loopback0

METRO-ASR1001-1 10.4.32.245/32

METRO-ASR1001-1version 15.4





!

hostname METRO-ASR1001-1

!

boot-start-marker


boot-end-marker

!

aqm-register-fnf

!


!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!


!

aaa new-model

!



!




!





!


!


!

!


!

key chain WAN-KEY

key 1


key chain LAN-KEY

key 1

key-string 7 060506324F41

!



!

username admin password 7 03070A180500701E1D

!

redundancy

mode none

!

ip tftp source-interface GigabitEthernet0


ip ssh version 2


!


match dscp af21

class-map match-all CLASS-MAP-RS210

match access-group name RS210-10.5.144.0








match dscp cs4 af41


match dscp cs3 af31


match dscp ef


match dscp cs1 af11



match dscp cs2 cs6

!

policy-map POLICY-MAP-RS210

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect


class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default



random-detect


class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect

policy-map POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS


bandwidth percent 3

class CLASS-MAP-RS210


service-policy POLICY-MAP-RS210











class class-default


service-policy POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS

!

!

interface Loopback0

ip address 10.4.32.245 255.255.255.255

ip pim sparse-mode

!


ip address 10.4.32.34 255.255.255.252

ip pim sparse-mode


no negotiation auto

!



no ip address

negotiation auto

channel-group 5

!



no ip address

negotiation auto

channel-group 5

!


bandwidth 500000

no ip address

negotiation auto


!

interface GigabitEthernet0/0/3.38

encapsulation dot1Q 38

ip address 10.4.38.1 255.255.255.0

ip pim sparse-mode


!

interface GigabitEthernet0/0/3.39


ip address 10.4.39.1 255.255.255.0

ip pim sparse-mode


!

router eigrp LAN

!


!


passive-interface

exit-af-interface

!





exit-af-interface

!

topology base



redistribute eigrp 300 route-map SET-ROUTE-TAG-METROE

exit-af-topology

network 10.4.0.0 0.1.255.255


nsf

exit-address-family

!

!

router eigrp WAN-LAYER2

!


!


passive-interface

exit-af-interface

!

af-interface GigabitEthernet0/0/3.39




exit-af-interface

!

af-interface GigabitEthernet0/0/3.38




exit-af-interface

!

topology base


exit-af-topology

network 10.4.38.0 0.0.0.255

network 10.4.39.0 0.0.0.255


exit-address-family

!


!

no ip http server






!

ip access-list extended RS210-10.5.144.0


permit ip any 10.5.144.0 0.0.7.255


permit ip any 10.5.152.0 0.0.7.255


permit ip any 10.5.168.0 0.0.7.255


permit ip any 10.5.176.0 0.0.7.255

!


!


match tag 65512

!


!

route-map SET-ROUTE-TAG-METROE permit 10

match interface GigabitEthernet0/0/3.38 GigabitEthernet0/0/3.39

set tag 300

!




!



key 7 0812494D1B1C113C1712

!

line con 0

logging synchronous


stopbits 1

line aux 0

stopbits 1

line vty 0 4

access-class 55 in

exec-timeout 0 0


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!



!

end


WAN-Aggregation Design—WAN Aggregation Distribution Switch

This section includes configuration files corresponding for the WAN Aggregiation distribution switch which is common to each of the WAN-aggregation devices as shown in Figure 2, Figure 3 and Figure 4.

WAN-D3750Xversion 15.2

no service pad




!

hostname WAN-D3750X

!


!

username admin password 7 06055E324F41584B56

aaa new-model

!



!




!




switch 1 provision ws-c3750x-24p

switch 2 provision ws-c3750x-24

stack-mac persistent timer 0

system mtu routing 1500

ip routing

!

ip domain-name cisco.local

ip name-server 10.4.48.10


ip device tracking

vtp mode transparent

udld enable

!

mls qos map policed-dscp 0 10 18 to 8

mls qos map cos-dscp 0 8 16 24 32 46 48 56


mls qos srr-queue input bandwidth 70 30

mls qos srr-queue input threshold 1 80 90

mls qos srr-queue input priority-queue 2 bandwidth 30

mls qos srr-queue input cos-map queue 1 threshold 2 3

mls qos srr-queue input cos-map queue 1 threshold 3 6 7

mls qos srr-queue input cos-map queue 2 threshold 1 4

mls qos srr-queue input dscp-map queue 1 threshold 2 24

mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55



mls qos srr-queue input dscp-map queue 2 threshold 3 46 47

mls qos srr-queue output cos-map queue 1 threshold 3 4 5

mls qos srr-queue output cos-map queue 2 threshold 1 2


mls qos srr-queue output cos-map queue 2 threshold 3 6 7



mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45

mls qos srr-queue output dscp-map queue 1 threshold 3 46 47



mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39

mls qos srr-queue output dscp-map queue 2 threshold 2 24




mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15

mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14

mls qos queue-set output 1 threshold 1 100 100 50 200




mls qos queue-set output 1 buffers 15 25 40 20

mls qos

!

key chain LAN-KEY

key 1

key-string 7 05080F1C2243

!

license boot level ipservices

license boot level ipservices switch 2

!

spanning-tree mode rapid-pvst

spanning-tree portfast bpduguard default


spanning-tree vlan 1-4094 priority 24576

!


port-channel load-balance src-dst-ip

!

vlan internal allocation policy ascending

!

vlan 349

name AppNav_Intercept_Net

!

vlan 350

name WAN_Service_Net

!


ip ssh version 2


!

macro name EgressQoS

mls qos trust dscp

queue-set 1

srr-queue bandwidth share 1 30 35 5

priority-queue out

@

!

interface Loopback0

ip address 10.4.32.240 255.255.255.255

ip pim sparse-mode

!


description CE-ASR1002-1

no switchport

ip address 10.4.32.1 255.255.255.252

ip pim sparse-mode

ip ospf message-digest-key 1 md5 7 0235015819031B0A4957

load-interval 30

carrier-delay msec 0

!


description CE-ASR1001-2

no switchport

ip address 10.4.32.5 255.255.255.252

ip pim sparse-mode


!


description VPN-ASR1002-1

no switchport

ip address 10.4.32.17 255.255.255.252

ip pim sparse-mode

ip ospf message-digest-key 1 md5 7 0508571C22431F5B4A



!


description VPN-ASR1001-2

no switchport

ip address 10.4.32.21 255.255.255.252

ip pim sparse-mode

ip ospf message-digest-key 1 md5 7 0205554808095E731F


!


description Link to METRO-ASR1001-1

no switchport

ip address 10.4.32.33 255.255.255.252

ip pim sparse-mode



!


description Etherchannel to Core 6500 VSS

no switchport

ip address 10.4.40.42 255.255.255.252

ip pim sparse-mode


logging event trunk-status

logging event bundle-status


!


description CE-ASR1002-1 Gig0/0/0

no switchport

no ip address





priority-queue out

mls qos trust dscp

macro description EgressQoS

channel-group 1 mode on

!



no switchport

no ip address






priority-queue out

mls qos trust dscp



!


description VPN-ASR1002-1 Gig0/0/0

no switchport

no ip address





priority-queue out

mls qos trust dscp



!



no switchport

no ip address





priority-queue out

mls qos trust dscp



!


description METRO-ASR1001-1 Gig0/0/0

no switchport

no ip address





priority-queue out

mls qos trust dscp



!

interface TenGigabitEthernet1/1/1


description Etherchannel link to Core 6500 VSS Te1/7/7

no switchport

no ip address




priority-queue out

mls qos trust dscp


channel-group 38 mode active

!


description Etherchannel link to Core 6500 VSS Te2/7/7

no switchport

no ip address


priority-queue out

mls qos trust dscp



!



no switchport

no ip address





priority-queue out

mls qos trust dscp



!



no switchport

no ip address





priority-queue out

mls qos trust dscp



!




no switchport

no ip address





priority-queue out

mls qos trust dscp



!



no switchport

no ip address





priority-queue out

mls qos trust dscp



!


description METRO-ASR1001-1 Gig0/0/1

no switchport

no ip address





priority-queue out

mls qos trust dscp



!


description Link to C6500-VSS port 2

no switchport

no ip address




priority-queue out


mls qos trust dscp



!


no switchport

no ip address




priority-queue out

mls qos trust dscp



!

interface Vlan349

ip address 10.4.32.65 255.255.255.192

!

interface Vlan350

ip address 10.4.32.129 255.255.255.192

ip pim sparse-mode

!

router eigrp LAN

!


!


passive-interface

exit-af-interface

!


summary-address 10.4.32.0 255.255.248.0

summary-address 10.5.0.0 255.255.0.0

summary-address 10.255.240.0 255.255.240.0

summary-address 192.168.3.0 255.255.255.0

summary-address 192.168.4.0 255.255.255.0




exit-af-interface

!





exit-af-interface

!






exit-af-interface

!





exit-af-interface

!





exit-af-interface

!





exit-af-interface

!





exit-af-interface

!

topology base

exit-af-topology

network 10.4.0.0 0.1.255.255


exit-address-family

!


!

no ip http server



!




!



!






key 7 0235015819031B0A4957

!

!

line con 0


line vty 0 4

access-class 55 in

exec-timeout 0 0


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!



end

WAN Remote-Site Devices—Dual DMVPN and DMVPN Only with Local Internet Access Design Models August 2014 Series49

WAN Remote-Site Devices—Dual DMVPN and DMVPN Only with Local Internet Access Design Models

This section includes configuration files corresponding to the WAN remote-site design topologies as referenced in Figure 5. Each remote-site type has its respective devices grouped together along with any other relevant configuration information.

Figure 5 - WAN remote-site designs–Dual DMVPN and DMVPN only with local Internet

12

09

Nonredundant Redundant Links Redundant Links & Routers

Internet WAN

Remote Site 251

Internet(DMVPN-1)

Internet(DMVPN-2)

Remote Site 250

Internet(DMVPN-1)

Remote Site 252(Distribution Layer)

Internet(DMVPN-1)

Internet(DMVPN-2)

Table 4 - Remote-site DMVPN with local Internet WAN connection details

Location Net block DMVPN LAN interfaces

Remote Site 250

(Single-router, single DMVPN)

10.5.120.0/21 (gig0/0) DHCP (gig0/1)

Remote Site 251 (Single-router, dual-link DMVPN) 10.5.128.0/21 (gig0/0) DHCP

(gig0/1) DHCP

(gig0/2)

(gig0/2)

Remote Site 252 (Dual-router, dual-link DMVPN) 10.5.136.0/21 (gig0/0) DHCP (gig0/2)


The following table lists the policed-rate link speeds for the remote-site quality-of-service (QoS) traffic shaping policies.

Table 5 - Remote-site policed-rate link speeds

Location Net block DMVPN-1 link speeds DMVPN-2 link speeds

Remote Site 250 10.5.120.0/21 2 Mbps --

Remote Site 251 (dual-link) 10.5.128.0/21 10 Mbps 5 Mbps

Remote Site 252 (dual-link) 10.5.136.0/21 10 Mbps 5 Mbps

Remote Site 250: Single-Router, Single-Link (DMVPN) with Local Internet

Table 6 - Remote Site 250—IP address information

Location Net block Data wired subnet Voice wired subnet Loopbacks and switches

Remote Site 250 10.5.120.0/21 10.5.124.0/24 (VLAN 64) 10.5.125.0/24 (VLAN 69) 10.255.253.250 (router) 10.5.124.5 (access switch)

RS250-1941version 15.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out




!

hostname RS250-1941

!

!

enable secret 5 $1$aO0u$HIXI.4HZSCdxc1gm2aKJf.

!

aaa new-model

!



!




!





!

ip cef

!


ip multicast-routing

ip inspect log drop-pkt

no ipv6 cef

!

parameter-map type inspect global

log dropped-packets enable

max-incomplete low 18000

max-incomplete high 20000

spoofed-acker off


!

!

key chain WAN-KEY

key 1


!

license udi pid CISCO1941/K9 sn FTX140980GY

!

username admin password 7 0508571C22431F5B4A

!

redundancy

!


ip ssh version 2


!


match dscp af21

class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS

match protocol ftp

match protocol tcp

match protocol udp

match protocol icmp


match dscp cs4 af41

class-map type inspect match-any INSPECT-ACL-OUT-CLASS

match access-group name ACL-RTR-OUT


match dscp cs3 af31

class-map type inspect match-any PASS-ACL-IN-CLASS

match access-group name ESP-IN

match access-group name DHCP-IN



match dscp ef


match dscp cs1 af11

class-map type inspect match-any PASS-ACL-OUT-CLASS

match access-group name ESP-OUT

match access-group name DHCP-OUT


match dscp cs2 cs6


class-map type inspect match-any INSPECT-ACL-IN-CLASS

match access-group name ACL-RTR-IN

!

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect

policy-map type inspect ACL-OUT-POLICY

class type inspect INSPECT-ACL-OUT-CLASS

inspect

class type inspect PASS-ACL-OUT-CLASS

pass

class class-default

drop

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY

class type inspect INSIDE-TO-OUTSIDE-CLASS

inspect

class class-default

drop

policy-map WAN-INTERFACE-G0/0

class class-default


service-policy WAN

policy-map type inspect ACL-IN-POLICY


class type inspect INSPECT-ACL-IN-CLASS

inspect

class type inspect PASS-ACL-IN-CLASS

pass

class class-default

drop

!

zone security INSIDE

zone security OUTSIDE

zone-pair security IN_OUT source INSIDE destination OUTSIDE

service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

zone-pair security TO-ROUTER source OUTSIDE destination self

service-policy type inspect ACL-IN-POLICY

zone-pair security FROM-ROUTER source self destination OUTSIDE

service-policy type inspect ACL-OUT-POLICY

!

crypto keyring GLOBAL-KEYRING


!


encr aes 256


group 2

crypto isakmp keepalive 30 5

crypto isakmp profile ISAKMP-INET-PUBLIC

keyring GLOBAL-KEYRING

match identity address 0.0.0.0

!


!


mode transport

!

crypto ipsec profile DMVPN-PROFILE1


set isakmp-profile ISAKMP-INET-PUBLIC

!

interface Loopback0

ip address 10.255.253.250 255.255.255.255

ip pim sparse-mode

!

interface Tunnel10

description DMVPN-1 tunnel interface

bandwidth 2000

ip address 10.4.34.250 255.255.254.0

no ip redirects

ip mtu 1400


ip pim dr-priority 0

ip pim nbma-mode

ip pim sparse-mode


ip nhrp group RS-GROUP-2MBPS

ip nhrp map multicast 172.16.130.1

ip nhrp map 10.4.34.1 172.16.130.1



ip nhrp nhs 10.4.34.1

ip nhrp registration no-unique

ip nhrp shortcut

ip nhrp redirect

zone-member security INSIDE


tunnel source GigabitEthernet0/0


tunnel route-via GigabitEthernet0/0 mandatory

tunnel protection ipsec profile DMVPN-PROFILE1

!

interface GigabitEthernet0/0

description Internet Conenction (ISP-A)

bandwidth 10000

ip dhcp client default-router distance 15

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

zone-member security OUTSIDE

duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled

service-policy output WAN-INTERFACE-G0/0

!


description RS250-3650 Gig1/0/24

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/1.64

description Wired Data



ip address 10.5.124.1 255.255.255.0

ip helper-address 10.4.48.10

ip pim sparse-mode

ip nat inside



!


description Voice


ip address 10.5.125.1 255.255.255.0


ip pim sparse-mode

ip nat inside



!

!


!


!


passive-interface

exit-af-interface

!


summary-address 10.5.120.0 255.255.248.0



hello-interval 20

hold-time 60


exit-af-interface

!

topology base

distribute-list route-map BLOCK-DEFAULT in

exit-af-topology

network 10.4.34.0 0.0.1.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255


eigrp stub connected summary

exit-address-family

!



!

no ip http server



!



ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip route 10.0.0.0 255.0.0.0 Null0 254


!

ip access-list standard NAT

permit 10.5.120.0 0.0.7.255

ip access-list standard NO-DEFAULT

deny 0.0.0.0

permit any

!

ip access-list extended ACL-RTR-IN

permit udp any any eq non500-isakmp

permit udp any any eq isakmp

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any ttl-exceeded

permit icmp any any port-unreachable

permit udp any any gt 1023 ttl eq 1

ip access-list extended ACL-RTR-OUT



permit icmp any any

ip access-list extended DHCP-IN

permit udp any eq bootps any eq bootpc

ip access-list extended DHCP-OUT

permit udp any eq bootpc any eq bootps

ip access-list extended ESP-IN

permit esp any any

ip access-list extended ESP-OUT

permit esp any any



!


!

route-map BLOCK-DEFAULT permit 10

match ip address NO-DEFAULT

!

!





snmp-server enable traps entity-sensor threshold



key 7 122A0014000E182F2F32

!

line con 0

logging synchronous


line aux 0

line 2

no activation-character

no exec


transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!

scheduler allocate 20000 1000


ntp update-calendar


!

end


Remote Site 251: Single-Router, Dual-Link (DMVPN + DMVPN) with Local Internet





no service pad






!

hostname RS251-2911

!

boot-start-marker

boot system flash0:c2900-universalk9-mz.SPA.152-4.M6.bin

boot-end-marker

!

enable secret 5 $1$9r9j$VctakpjxneG330Ty2Ld.6.

!

aaa new-model

!



!


aaa authentication login MODULE none



!




!

ip cef

!





no ipv6 cef

!





spoofed-acker off


!

key chain WAN-KEY

key 1

key-string 7 104D000A0618

!

username admin password 7 110A4816141D5A5E57

!

redundancy

!


ip ssh version 2


!

track 60 ip sla 110 reachability

!


!

track 62 list boolean or

object 60

object 61

!


match dscp af21


match protocol ftp

match protocol tcp

match protocol udp

match protocol icmp


match dscp cs4 af41




match dscp cs3 af31





match dscp ef



match dscp cs1 af11





match dscp cs2 cs6




!

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect



inspect


pass

class class-default

drop



inspect

class class-default

drop


class class-default


service-policy WAN


class class-default



service-policy WAN



inspect


pass

class class-default

drop

!









!



!


encr aes 256


group 2





!


!


mode transport

!




!




!

!

!

interface Loopback0


ip address 10.255.253.251 255.255.255.255

ip pim sparse-mode

!

interface Tunnel10

bandwidth 10000

ip address 10.4.34.251 255.255.254.0

no ip redirects

ip mtu 1400

ip wccp 62 redirect in


ip pim nbma-mode

ip pim sparse-mode



ip nhrp map 10.4.34.1 172.16.130.1






ip nhrp shortcut

ip nhrp redirect







!

interface Tunnel11

bandwidth 5000

ip address 10.4.36.251 255.255.254.0

no ip redirects

ip mtu 1400

ip wccp 62 redirect in


ip pim nbma-mode

ip pim sparse-mode


ip nhrp group RS-GROUP-5MBPS-POLICY

ip nhrp map 10.4.36.1 172.17.130.1






ip nhrp shortcut


ip nhrp redirect







!

!


description Internet Connection (ISP-A)

bandwidth 10000


ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside



duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled


!


description Internet Connection (ISP-B)

bandwidth 5000


ip dhcp client route track 62

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside



duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled



!


description RS251-A2960X Gig1/0/24

no ip address

duplex auto

speed auto

!




ip address 10.5.132.1 255.255.255.0


ip pim sparse-mode

ip nat inside



!


description Voice


ip address 10.5.133.1 255.255.255.0


ip pim sparse-mode

ip nat inside



!

!


!


!


passive-interface

exit-af-interface

!


summary-address 10.5.128.0 255.255.248.0



hello-interval 20

hold-time 60


exit-af-interface

!

topology base



exit-af-topology

network 10.4.34.0 0.0.1.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255



exit-address-family

!

!


!


!


passive-interface

exit-af-interface

!


summary-address 10.5.128.0 255.255.248.0



hello-interval 20

hold-time 60


exit-af-interface

!

topology base


exit-af-topology

network 10.4.36.0 0.0.1.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255



exit-address-family

!

ip local policy route-map PBR-SLA-SET-NEXT-HOP


!

no ip http server



!



ip nat inside source route-map ISP-A interface GigabitEthernet0/0 overload

ip nat inside source route-map ISP-B interface GigabitEthernet0/1 overload


ip route 10.0.0.0 255.0.0.0 Null0 254

ip route 172.16.130.1 255.255.255.255 GigabitEthernet0/0 dhcp



!


deny 0.0.0.0

permit any

!












permit icmp any any






permit esp any any


permit esp any any



ip access-list extended NAT

permit ip 10.5.128.0 0.0.7.255 any

ip access-list extended SLA-SET-NEXT-HOP

permit icmp any host 172.18.1.253


!

ip sla auto discovery

ip sla 110

icmp-echo 172.18.1.253 source-interface GigabitEthernet0/1

threshold 1000

frequency 15

ip sla schedule 110 life forever start-time now

ip sla 111


threshold 1000

frequency 15




!

route-map PBR-SLA-SET-NEXT-HOP permit 10

match ip address SLA-SET-NEXT-HOP

set ip next-hop dynamic dhcp

!

route-map ISP-B permit 10

match ip address NAT

match interface GigabitEthernet0/1

!

route-map ISP-A permit 10

match ip address NAT

match interface GigabitEthernet0/0

!



!







key 7 097F4B0A0B0003390E15

!

line con 0


logging synchronous

line aux 0

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!




!

end


Remote Site 252: Dual-Router, Dual-Link (DMVPN + DMVPN) with Local Internet



Remote Site 252 10.5.136.0/21 10.5.140.0/24 (VLAN 100) 10.5.210.0/24 (VLAN 101) 10.5.212.0/24 (VLAN 103)

10.255.253.252 (router 1) 10.255.254.252 (router 2) 10.5.140.5 (access switch)

RS252-2921-1version 15.3

no service pad






!

hostname RS252-2921-1

!

!


!

aaa new-model

!



!




!




!

ip cef

!




no ipv6 cef

!






spoofed-acker off


!

!

key chain WAN-KEY

key 1

key-string 7 13061E010803

key chain LAN-KEY

key 1

key-string 7 02050D480809

!

username admin password 7 130646010803557878

!

redundancy

!


ip ssh version 2


!


!


match dscp af21


match protocol ftp

match protocol tcp

match protocol udp

match protocol icmp


match dscp cs4 af41




match dscp cs3 af31





match dscp ef


match dscp cs1 af11






match dscp cs2 cs6




!

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect



pass


inspect

class class-default

drop



inspect

class class-default

drop


class class-default


service-policy WAN



inspect


pass

class class-default

drop

!










!



!


encr aes 256


group 2





!


!


mode transport

!




!

!

interface Loopback0

ip address 10.255.253.252 255.255.255.255

ip pim sparse-mode

!

interface Tunnel10


bandwidth 10000

ip address 10.4.34.252 255.255.254.0

no ip redirects

ip mtu 1400


ip pim nbma-mode

ip pim sparse-mode





ip nhrp map 10.4.34.1 172.16.130.1





ip nhrp shortcut

ip nhrp redirect







!



bandwidth 10000

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside



duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled


!


description RS252-A3850 Gig1/0/47

no ip address

duplex auto

speed auto

!




ip address 10.5.140.2 255.255.255.0



ip pim sparse-mode

ip nat inside




standby version 2

standby 1 ip 10.5.140.1

standby 1 priority 110

standby 1 preempt

standby 1 authentication md5 key-string 7 04585A150C2E1D1C5A

standby 1 track 50 decrement 10

!


description Voice


ip address 10.5.141.2 255.255.255.0



ip pim sparse-mode

ip nat inside



standby version 2

standby 1 ip 10.5.141.1


standby 1 preempt

standby 1 authentication md5 key-string 7 141443180F0B7B7977


!


description transit network


ip address 10.5.136.1 255.255.255.252

ip pim sparse-mode

ip nat inside



!


!


!


passive-interface

exit-af-interface

!


summary-address 10.5.136.0 255.255.248.0



hello-interval 20


hold-time 60


exit-af-interface

!

topology base


redistribute eigrp 100 route-map LOOPBACK-ONLY

exit-af-topology

network 10.4.34.0 0.0.1.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255


eigrp stub connected summary redistributed

exit-address-family

!

!

router eigrp LAN

!


!


passive-interface

exit-af-interface

!

af-interface GigabitEthernet0/2.99




exit-af-interface

!

topology base

default-metric 100000 100 255 1 1500


redistribute static route-map STATIC-IN

exit-af-topology

network 10.4.0.0 0.1.255.255

network 10.5.136.0 0.0.0.3

network 10.255.0.0 0.0.255.255


exit-address-family

!


!

no ip http server



!





ip route 10.0.0.0 255.0.0.0 Null0 254



!

ip access-list standard DHCP-DEFAULT

remark DHCP default route

permit 0.0.0.0


permit 10.5.136.0 0.0.7.255


deny 0.0.0.0

permit any

ip access-list standard R2-LOOPBACK

permit 10.255.254.252

!












permit icmp any any






permit esp any any


permit esp any any



!


ip sla 100


threshold 1000

frequency 15




!

route-map STATIC-IN permit 10

match ip address DHCP-DEFAULT

!

route-map LOOPBACK-ONLY permit 10

match ip address R2-LOOPBACK

!



!







key 7 01200307490E12242455

!

line con 0

logging synchronous


line aux 0

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!




!

end


RS252-2921-2 version 15.3

no service pad






!


!

!


!

aaa new-model

!



!




!

!




!

ip cef

!

!




no ipv6 cef

!





spoofed-acker off


!

key chain WAN-KEY

key 1

key-string 7 1511021F0725


key chain LAN-KEY

key 1

key-string 7 00071A150754

!

username admin password 7 08221D5D0A16544541

!

redundancy

!


ip ssh version 2


!


!


!


object 60

object 61

!


match dscp af21


match protocol ftp

match protocol tcp

match protocol udp

match protocol icmp


match dscp cs4 af41




match dscp cs3 af31





match dscp ef


match dscp cs1 af11





match dscp cs2 cs6





!

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect



inspect


pass

class class-default

drop



inspect

class class-default

drop


class class-default


service-policy WAN



pass


inspect

class class-default

drop

!










!



!


encr aes 256


group 2




!


!


mode transport

!




!

interface Loopback0

ip address 10.255.254.252 255.255.255.255

ip pim sparse-mode

!

interface Tunnel11


bandwidth 5000

ip address 10.4.36.252 255.255.254.0

no ip redirects

ip mtu 1400


ip pim nbma-mode

ip pim sparse-mode




ip nhrp map 10.4.36.1 172.17.130.1






ip nhrp shortcut

ip nhrp redirect







!


description Internet Connection (ISP-B)

bandwidth 5000



ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside



duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled


!


description RS252-A3850 Gig1/0/48

no ip address

duplex auto

speed auto

!




ip address 10.5.140.3 255.255.255.0



ip pim sparse-mode

ip nat inside



standby version 2

standby 1 ip 10.5.140.1



standby 1 preempt

standby 1 authentication md5 key-string 7 08221D5D0A16544541

!


description Voice


ip address 10.5.141.3 255.255.255.0



ip pim sparse-mode

ip nat inside



standby version 2

standby 1 ip 10.5.141.1


standby 1 preempt

standby 1 authentication md5 key-string 7 094F1F1A1A0A464058

!


description transit network


ip address 10.5.136.2 255.255.255.252

ip pim sparse-mode

ip nat inside



!


!


!


passive-interface

exit-af-interface

!


summary-address 10.5.136.0 255.255.248.0



hello-interval 20

hold-time 60


exit-af-interface

!

topology base



redistribute eigrp 100 route-map LOOPBACK-ONLY

exit-af-topology

network 10.4.36.0 0.0.1.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255



exit-address-family

!

!

router eigrp LAN

!


!


passive-interface

exit-af-interface

!





exit-af-interface

!

topology base



exit-af-topology

network 10.5.136.0 0.0.0.3


exit-address-family

!



!

no ip http server



!




ip route 10.0.0.0 255.0.0.0 Null0 254



!




permit 0.0.0.0


permit 10.5.136.0 0.0.7.255


deny 0.0.0.0

permit any


permit 10.255.253.252

!












permit icmp any any






permit esp any any


permit esp any any






!


ip sla 110


threshold 1000

frequency 15


ip sla 111


threshold 1000

frequency 15




!




!



!

route-map LOOPBACK-ONLY permit 10


!



!







key 7 03375E08140A35674B10

!

line con 0

logging synchronous


line aux 0

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!




!

end

WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model (MPLS) with Local Internet August 2014 Series86

WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model (MPLS) with Local Internet

This section includes configuration files corresponding to the WAN remote-site with local Internet design topologies as referenced in Figure 6. Each remote-site type has its respective devices grouped together along with any other relevant configuration information. The Autonomous System Number (ASN) used in these configurations is 65511.

Figure 6 - WAN remote-site designs–DMVPN Backup Dedicated (MPLS primary)

12

10

Redundant LinksRedundant Links

& Routers

MPLS

MPLS + Internet WAN with Local Internet Access

MPLSInternet

(DMVPN-1)Internet

(DMVPN-1)

Remote Site 240 Remote Site 242


Table 9 - Remote-site WAN connection details–(MPLS + DMVPN with local Internet remote sites)

Location Net block MPLS CE MPLS PECarrier AS DMVPN

LAN interfaces Loopbacks

Remote Site 240 (Single-router, dual-link with access-layer stack)

10.5.240.0/21 (gig0/0) 192.168.3.49

192.168.3.50 65401 (A) (gig0/0) DHCP

(gig0/1, gig0/2)

10.255.251.240 (router)

Remote Site 242 (Dual-router, dual-link with access-layer stack)

10.5.248.0/21 (gig0/0) 192.168.4.49

192.168.4.50 65402 (A) (gig0/0) DHCP

(gig0/1, gig0/2) (gig0/1, gig0/2)

10.255.252.242 (router 1) 10.255.253.242 (router 2)

The following table lists the policed-rate link speeds for the remote-site QoS traffic shaping policies.


Location Net block MPLS link speeds DMVPN link speeds

Remote Site 240 10.5.240.0/21 15 Mbps 10 Mbps


Remote Site 240: Single-Router, Dual-Link with local Internet access (MPLS + DMVPN)





no service pad






!

hostname RS240-3945

!

!

enable secret 5 $1$n0mF$ISe9QVYXC/Ot8NCRvLsqm.

!

aaa new-model

!




!




!




!

ip cef

!




no ipv6 cef

!





spoofed-acker off


!

key chain WAN-KEY

key 1


!


license boot module c3900 technology-package datak9

!

username admin password 7 130646010803557878

!

redundancy

!


ip ssh version 2


!


!


!


object 60

object 61

!



match dscp af21


match protocol bgp


match protocol ftp

match protocol tcp

match protocol udp

match protocol icmp


match dscp cs4 af41




match dscp cs3 af31





match dscp ef


match dscp cs1 af11





match dscp cs2 cs6



!

policy-map MARK-BGP

class BGP-ROUTING

set dscp cs6

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5



bandwidth percent 3


class class-default




inspect


pass

class class-default

drop



inspect

class class-default

drop


class class-default


service-policy WAN


class class-default


service-policy WAN



inspect


pass

class class-default

drop

!









!


pre-shared-key address 10.4.32.151 key c1sco123



!



encr aes 256


group 2

!


encr aes 256


group 2





!


!


mode transport

!




!

interface Loopback0

ip address 10.255.251.240 255.255.255.255

ip pim sparse-mode

!

interface Tunnel10


bandwidth 10000

ip address 10.4.34.240 255.255.254.0

no ip redirects

ip mtu 1400


ip pim nbma-mode

ip pim sparse-mode




ip nhrp map 10.4.34.1 172.16.130.1





ip nhrp shortcut

ip nhrp redirect


ip virtual-reassembly out








!


description MPLS-A (remote-as 65401 - 192.168.3.50)

bandwidth 15000

ip address 192.168.3.49 255.255.255.252



duplex auto

speed auto

no cdp enable


!


description Internet Connection



ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside



duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled


!


description To RS240-A3650 G1/0/24

no ip address

duplex auto

speed auto

!




ip address 10.5.244.1 255.255.255.0



ip pim sparse-mode

ip nat inside



!


description Wired Voice


ip address 10.5.245.1 255.255.255.0


ip pim sparse-mode


!


!


!


passive-interface

exit-af-interface

!


summary-address 10.5.240.0 255.255.248.0



hello-interval 20

hold-time 60


exit-af-interface

!

topology base


exit-af-topology

network 10.4.34.0 0.0.1.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255



exit-address-family

!

router bgp 65511

bgp router-id 10.255.251.240


network 10.5.244.0 mask 255.255.255.0

network 10.5.245.0 mask 255.255.255.0

network 10.255.251.240 mask 255.255.255.255


network 192.168.3.48 mask 255.255.255.252

aggregate-address 10.5.240.0 255.255.248.0 summary-only


!



!

no ip http server



!




ip route 10.0.0.0 255.0.0.0 Null0 254



!


permit 10.5.240.0 0.0.7.255


deny 0.0.0.0

permit any

!












permit icmp any any






permit esp any any


permit esp any any





!


ip sla 110


threshold 1000

frequency 15


ip sla 111


threshold 1000

frequency 15



!

nls resp-timeout 1

cpd cr-id 1




!



!







key 7 0812494D1B1C113C1712

!

!

line con 0

logging synchronous


line aux 0

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!




ntp update-calendar


!

end

Remote Site 242: Dual-Router, Dual-Link with Local Internet Access (MPLS + DMVPN)



Remote Site 242 10.5.248.0/21 10.5.252.0/24 (VLAN 64) 10.5.253.0/24 (VLAN 69) 10.255.252.242 (router 1) 10.255.253.242 (router 2) 10.5.252.5 (access switch)

RS242-2951-1version 15.3




!


!

!

no logging buffered

enable secret 5 $1$Mqp4$YjiAg3ACxQOH9CurAwxX2/

!

aaa new-model

!



!




!




!

ip cef

!



ipv6 spd queue min-threshold 62

ipv6 spd queue max-threshold 63


no ipv6 cef

!


!

key chain LAN-KEY

key 1

key-string 7 030752180500

!


license boot module c2951 technology-package securityk9


!

username admin password 7 121A540411045D5679

!

redundancy

!


ip ssh version 2


!


!


match dscp af21


match protocol bgp


match dscp cs4 af41


match dscp cs3 af31


match dscp ef


match dscp cs1 af11


match dscp cs2 cs6

!

policy-map MARK-BGP

class BGP-ROUTING

set dscp cs6

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA




class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3


class class-default



class class-default


service-policy WAN

!


encr aes 256


group 2

crypto isakmp key c1sco123 address 10.4.32.151

crypto isakmp key c1sco123 address 10.4.32.152

!

interface Loopback0

ip address 10.255.252.242 255.255.255.255

ip pim sparse-mode

!


description Etherchannel link to RS242-2960X

no ip address

hold-queue 150 in

!

interface Port-channel1.64

description Data


ip address 10.5.252.2 255.255.255.0



ip pim sparse-mode

standby version 2

standby 1 ip 10.5.252.1


standby 1 preempt

standby 1 authentication md5 key-string 7 094F1F1A1A0A464058


!



description Voice


ip address 10.5.253.2 255.255.255.0



ip pim sparse-mode

standby version 2

standby 1 ip 10.5.253.1


standby 1 preempt

standby 1 authentication md5 key-string 7 070C705F4D06485744


!


description Transit Net


ip address 10.5.248.9 255.255.255.252

ip pim sparse-mode

!


bandwidth 10000

ip address 192.168.4.49 255.255.255.252


duplex auto

speed auto

no cdp enable


!


description RS242-A2960Xa G1/0/24

no ip address

duplex auto

speed auto

channel-group 1

!


description RS242-A2960Xb G2/0/24

no ip address

duplex auto

speed auto

channel-group 1

!

!

router eigrp LAN

!


!



passive-interface

exit-af-interface

!

af-interface Port-channel1.99




exit-af-interface

!

topology base

default-metric 100000 100 255 1 1500



exit-af-topology

network 10.4.0.0 0.1.255.255

network 10.255.0.0 0.0.255.255


exit-address-family

!

router bgp 65511

bgp router-id 10.255.252.242


network 10.5.252.0 mask 255.255.255.0

network 10.5.253.0 mask 255.255.255.0

network 10.255.252.242 mask 255.255.255.255

network 10.255.253.242 mask 255.255.255.255

network 192.168.4.48 mask 255.255.255.252

aggregate-address 10.5.248.0 255.255.248.0 summary-only


distance 254 192.168.4.50 0.0.0.0 DEFAULT-IN

!


!

no ip http server



!




!

ip access-list standard DEFAULT-IN

permit 0.0.0.0

ip access-list standard STATIC-ROUTE-LIST

remark UCSE CIMC & ESXi host routes

permit 10.5.252.11


permit 10.5.252.10

!


ip sla 100


threshold 1000

timeout 1000

frequency 15



!

nls resp-timeout 1

cpd cr-id 1

!







key 7 097F4B0A0B0003390E15

!

line con 0

logging synchronous


line aux 0

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!



ntp update-calendar


!

end


RS242-2951-2version 15.3

no service pad






!


!

!


!

aaa new-model

!



!




!




!

ip cef

!

no ip domain lookup




ipv6 spd queue min-threshold 62

ipv6 spd queue max-threshold 63

no ipv6 cef

!





spoofed-acker off


!

key chain WAN-KEY

key 1


key-string 7 05080F1C2243

key chain LAN-KEY

key 1

key-string 7 045802150C2E

!


license boot module c2951 technology-package securityk9


!

username admin password 7 15115A1F07257A767B

!

redundancy

!


ip ssh version 2


!


!


!


object 60

object 61

!


match dscp af21


match protocol ftp

match protocol tcp

match protocol udp

match protocol icmp


match dscp cs4 af41




match dscp cs3 af31





match dscp ef


match dscp cs1 af11






match dscp cs2 cs6




!

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect



inspect


pass

class class-default

drop



inspect

class class-default

drop


class class-default


service-policy WAN



inspect


pass

class class-default


drop

!









!



!


encr aes 256


group 2





!


!


mode transport

!




!

interface Loopback0

ip address 10.255.253.242 255.255.255.255

ip pim sparse-mode

!

interface Tunnel10

bandwidth 10000

ip address 10.4.34.242 255.255.254.0

no ip redirects

ip mtu 1400


ip pim nbma-mode

ip pim sparse-mode





ip nhrp map 10.4.34.1 172.16.130.1





ip nhrp shortcut

ip nhrp redirect







!


description Etherchannel link to RS242-2960X

no ip address

hold-queue 150 in

!


description Data


ip address 10.5.252.3 255.255.255.0



ip pim sparse-mode

ip nat inside



standby version 2

standby 1 ip 10.5.252.1


standby 1 preempt

standby 1 authentication md5 key-string 7 04585A150C2E1D1C5A

!


description Voice


ip address 10.5.253.3 255.255.255.0



ip pim sparse-mode

ip nat inside



standby version 2



standby 1 preempt

standby 1 authentication md5 key-string 7 0007421507545A545C

!


description Transit Net


ip address 10.5.248.10 255.255.255.252

ip pim sparse-mode

ip nat inside



!


description Internet Connection



ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside



duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled


!


description RS242-A2960Xa (Gig1/0/24)

no ip address

duplex auto

speed auto

channel-group 2

!


description RS242-A2960Xb (Gig2/0/24)

no ip address

duplex auto

speed auto

channel-group 2

!


!



!


passive-interface

exit-af-interface

!


summary-address 10.5.248.0 255.255.248.0



hello-interval 20

hold-time 60


exit-af-interface

!

topology base

redistribute eigrp 100 route-map REDISTRIBUTE-LIST

exit-af-topology

network 10.4.34.0 0.0.1.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255



exit-address-family

!

!

router eigrp LAN

!


!


passive-interface

exit-af-interface

!

af-interface Port-channel2.99




exit-af-interface

!

topology base



exit-af-topology

network 10.4.0.0 0.1.255.255

network 10.255.0.0 0.0.255.255



exit-address-family

!



!

no ip http server



!




ip route 10.0.0.0 255.0.0.0 Null0 254



!



permit 0.0.0.0


permit 10.5.248.0 0.0.7.255


deny 0.0.0.0

permit any


permit 10.255.252.242

ip access-list standard STATIC-ROUTE-LIST

permit 10.5.252.13

permit 10.5.252.12

!












permit icmp any any







permit esp any any


permit esp any any






!


ip sla 110


threshold 1000

frequency 15


ip sla 111


threshold 1000

frequency 15



!

nls resp-timeout 1

cpd cr-id 1




!



!



!

route-map REDISTRIBUTE-LIST permit 10


!

!







key 7 142417081E013E002131

!

line con 0


logging synchronous


line aux 0

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!




!

end

WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model with Local Internet Access (Layer 2 WAN) August 2014 Series112

WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model with Local Internet Access (Layer 2 WAN)

This section includes configuration files corresponding to the WAN remote-site design topology as referenced in Figure 7. The EIGRP Autonomous System Number (ASN) used in these configurations is 300.

Figure 7 - WAN remote-site designs–DMVPN Backup Dedicated with local Internet access (Layer 2 Primary)

12

11

Redundant Links

Layer 2 + Internet WAN with Local Internet

Remote Site 216

Internet(DMVPN-1)VPLS A

Table 13 - Remote-site WAN connection details–(Layer 2 WAN + DMVPN remote sites)

Location Net block(WAN interface) address/mask VLAN

WAN aggregation router DMVPN

LAN interfaces Loopbacks

Remote Site 216 (Single-router, dual-link)

10.5.88.0/21 (gig0/0.38) 10.4.38.216/24

38 10.4.38.1 (gig0/1) DHCP

(gig0/2) 10.255.255.213 (router)


The following table lists the policed-rate link speeds for the remote-site QoS traffic-shaping policies.


Location Net block Layer 2 WAN link speeds DMVPN link speeds


Remote Site 216: Single-Router, Dual-Link with Local Internet Access (Layer 2 WAN + DMVPN)





no service pad






!

hostname RS216-3925

!

!


!

aaa new-model

!



!


aaa authentication login MODULE none



!




!

ip cef


!




no ipv6 cef

!





spoofed-acker off


!

key chain WAN-KEY

key 1


!

license udi pid C3900-SPE100/K9 sn FOC14176RVR

!

username admin password 7 011057175804575D72

!

redundancy

!


ip ssh version 2


!


!


!


object 60

object 61

!


match dscp af21


match protocol ftp

match protocol tcp

match protocol udp

match protocol icmp


match dscp cs4 af41





match dscp cs3 af31





match dscp ef


match dscp cs1 af11





match dscp cs2 cs6



!

policy-map WAN

class VOICE

priority percent 10


priority percent 23

class CRITICAL-DATA



class DATA



class SCAVENGER

bandwidth percent 5


bandwidth percent 3

class class-default


random-detect



inspect


pass

class class-default

drop



inspect

class class-default

drop



class class-default


service-policy WAN


class class-default


service-policy WAN



inspect


pass

class class-default

drop

!









!





!


encr aes 256


group 2

!


encr aes 256


group 2





!


!


mode transport


!




!

interface Loopback0

ip address 10.255.255.216 255.255.255.255

ip pim sparse-mode

!

interface Tunnel10

bandwidth 10000

ip address 10.4.34.216 255.255.254.0

no ip redirects

ip mtu 1400


ip pim nbma-mode

ip pim sparse-mode



ip nhrp map 10.4.34.1 172.16.130.1






ip nhrp shortcut

ip nhrp redirect







!


bandwidth 10000

no ip address

duplex auto

speed auto

no cdp enable


!



ip address 10.4.38.216 255.255.255.0

ip pim sparse-mode



!





ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside


duplex auto

speed auto

no lldp transmit

no lldp receive

no cdp enable

no mop enabled


!


description to RS216-2960X Gig1/0/24

no ip address

duplex auto

speed auto

!


description Data


ip address 10.5.92.1 255.255.255.0


ip pim sparse-mode

ip nat inside



!


description Voice


ip address 10.5.93.1 255.255.255.0


ip pim sparse-mode

ip nat inside



!

router eigrp WAN-LAYER2

!



!


passive-interface

exit-af-interface

!


summary-address 10.5.88.0 255.255.248.0




exit-af-interface

!

topology base

exit-af-topology

network 10.4.38.0 0.0.0.255

network 10.5.0.0 0.0.255.255

network 10.255.255.216 0.0.0.0



exit-address-family

!

!


!


!


passive-interface

exit-af-interface

!


summary-address 10.5.88.0 255.255.248.0



hello-interval 20

hold-time 60


exit-af-interface

!

topology base


exit-af-topology

network 10.4.34.0 0.0.1.255

network 10.4.38.0 0.0.0.255

network 10.5.0.0 0.0.255.255

network 10.255.0.0 0.0.255.255


network 10.255.255.216 0.0.0.0



exit-address-family

!



!

no ip http server



!




ip route 10.0.0.0 255.0.0.0 Null0 254



!


permit 10.5.88.0 0.0.7.255


deny 0.0.0.0

permit any

!












permit icmp any any






permit esp any any


permit esp any any





!


ip sla 110


threshold 1000

frequency 15


ip sla 111


threshold 1000

frequency 15



access-list 67 permit 192.0.2.2

!

nls resp-timeout 1

cpd cr-id 1




!



!







key 7 04680E051D2458650C00

!

line con 0

logging synchronous


line aux 0

line vty 0 4

access-class 55 in


transport input ssh

line vty 5 15

access-class 55 in


transport input ssh

!




ntp update-calendar


!

end

Americas HeadquartersCisco Systems, Inc.San Jose, CA

Asia Pacific HeadquartersCisco Systems (USA) Pte. Ltd.Singapore

Europe HeadquartersCisco Systems International BV Amsterdam,The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2014 Cisco Systems, Inc. All rights reserved.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Please use the feedback form to send comments and suggestions about this guide.

Feedback

B-0000221-1 08/14

http://cvddocs.com/feedback/?id=221-14b

Remote Site Using Local Internet Access Configuration Files Guide ...

Documents

Transcript of Remote Site Using Local Internet Access Configuration Files Guide ...