Remote Site Using Local Internet Access Configuration Files Guide
August 2014 Series
Table of Contents

Preface .... 1
Introduction .... 2
Product List .... 4
WAN-Aggregation Devices .... 6
    WAN-Aggregation design—Dual DMVPN and DMVPN Only .... 6
        VPN-ASR1002-1 .... 7
        VPN-ASR1001-2 .... 14
    WAN-Aggregation design—DMVPN Backup Dedicated (MPLS WAN) .... 21
        CE-ASR1002-1 .... 22
        CE-ASR1001-2 .... 26
    WAN-Aggregation design—DMVPN Backup Dedicated (Layer 2 WAN) .... 31
        METRO-ASR1001-1 .... 32
    WAN-Aggregation Design—WAN Aggregation Distribution Switch .... 39
        WAN-D3750X .... 39
WAN Remote-Site Devices—Dual DMVPN and DMVPN Only with Local Internet Access Design Models .... 49
    Remote Site 250: Single-Router, Single-Link (DMVPN) with Local Internet .... 50
        RS250-1941 .... 50
    Remote Site 251: Single-Router, Dual-Link (DMVPN + DMVPN) with Local Internet .... 58
        RS251-2911 .... 58
    Remote Site 252: Dual-Router, Dual-Link (DMVPN + DMVPN) with Local Internet .... 68
        RS252-2921-1 .... 68
        RS252-2921-2 .... 77
WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model (MPLS) with Local Internet .... 86
    Remote Site 240: Single-Router, Dual-Link with Local Internet Access (MPLS + DMVPN) .... 87
        RS240-3945 .... 87
    Remote Site 242: Dual-Router, Dual-Link with Local Internet Access (MPLS + DMVPN) .... 96
        RS242-2951-1 .... 96
        RS242-2951-2 .... 102
WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model with Local Internet Access (Layer 2 WAN) .... 112
    Remote Site 216: Single-Router, Dual-Link with Local Internet Access (Layer 2 WAN + DMVPN) .... 113
        RS216-3925 .... 113
Preface

Cisco Validated Designs (CVDs) present systems that are based on common use cases or engineering priorities. CVDs incorporate a broad set of technologies, features, and applications that address customer needs. Cisco engineers have comprehensively tested and documented each CVD in order to ensure faster, more reliable, and fully predictable deployment.
This guide provides, as a comprehensive reference, the complete network device configurations that are implemented in the corresponding CVD design guide.
CVD Foundation Series

This CVD Foundation guide is a part of the August 2014 Series. As Cisco develops a CVD Foundation series, the guides themselves are tested together, in the same network lab. This approach assures that the guides in a series are fully compatible with one another. Each series describes a lab-validated, complete system.
The CVD Foundation series incorporates wired and wireless LAN, WAN, data center, security, and network management technologies. Using the CVD Foundation simplifies system integration, allowing you to select solutions that solve an organization’s problems—without worrying about the technical complexity.
To ensure the compatibility of designs in the CVD Foundation, you should use guides that belong to the same release. For the most recent CVD Foundation guides, please visit the CVD Foundation web site.
Comments and Questions

If you would like to comment on a guide or ask questions, please use the feedback form.
Introduction

This guide provides the available configuration files for the products used in the Remote Site Using Local Internet Access Technology Design Guide. It is a companion document to the design guide and serves as a reference for engineers who are evaluating or deploying the CVD.
Both the Remote Site Using Local Internet Access Technology Design Guide and this guide provide the complete list of products used in the lab testing of this design.
Figure 1 - CVD Overview

[Figure not reproduced. It shows the CVD Foundation system: Headquarters (Internet Edge with firewall, RA-VPN, Email Security Appliance, Web Security Appliance, Guest Wireless LAN Controller, DMZ servers and DMZ switches; WAN Aggregation with WAN routers, VPN WAN routers and WAAS; Data Center with Nexus 5500 and Nexus 2000 switches, UCS blade chassis, UCS rack-mount servers, storage, data center firewalls, Communications Managers, Wireless LAN Controllers and WAAS Central Manager; core VSS switch, distribution switch layer, user access layer across Building 1, Building 2 and Building 3, and a voice gateway), a Regional Site and a Remote Site (WAN routers, WAAS, access switches, remote-site wireless LAN controllers, UCS rack-mount server), and a Teleworker/Mobile Worker (hardware and software VPN), connected over the Internet, PSTN and MPLS WANs.]
Product List

WAN Remote Site

Functional Area | Product Description | Part Numbers | Software
Modular WAN Remote-site Router | Cisco ISR 3945 w/ SPE150, 3GE, 4EHWIC, 4DSP, 4SM, 256MBCF, 1GBDRAM, IP Base, SEC, AX licenses with; DATA, AVC, and WAAS/vWAAS with 2500 connection RTU | C3945-AX/K9 | 15.3(3)M3 securityk9 feature set, datak9 feature set, uck9 feature set
 | Cisco ISR 3925 w/ SPE100, 3GE, 4EHWIC, 4DSP, 2SM, 256MBCF, 1GBDRAM, IP Base, SEC, AX licenses with; DATA, AVC, WAAS/vWAAS with 2500 connection RTU | C3925-AX/K9 | 
 | Unified Communications Paper PAK for Cisco 3900 Series | SL-39-UC-K9 | 
 | Cisco ISR 2951 w/ 3 GE, 4 EHWIC, 3 DSP, 2 SM, 256MB CF, 1GB DRAM, IP Base, SEC, AX license with; DATA, AVC, and WAAS/vWAAS with 1300 connection RTU | C2951-AX/K9 | 
 | Cisco ISR 2921 w/ 3 GE, 4 EHWIC, 3 DSP, 1 SM, 256MB CF, 1GB DRAM, IP Base, SEC, AX license with; DATA, AVC, and WAAS/vWAAS with 1300 connection RTU | C2921-AX/K9 | 
 | Cisco ISR 2911 w/ 3 GE, 4 EHWIC, 2 DSP, 1 SM, 256MB CF, 1GB DRAM, IP Base, SEC, AX license with; DATA, AVC and WAAS/vWAAS with 1300 connection RTU | C2911-AX/K9 | 
 | Unified Communications Paper PAK for Cisco 2900 Series | SL-29-UC-K9 | 
 | Cisco ISR 1941 Router w/ 2 GE, 2 EHWIC slots, 256MB CF, 2.5GB DRAM, IP Base, DATA, SEC, AX license with; AVC and WAAS-Express | C1941-AX/K9 | 15.3(3)M3 securityk9 feature set, datak9 feature set
LAN Access Layer

Functional Area | Product Description | Part Numbers | Software
Stackable Access Layer Switch | Cisco Catalyst 3850 Series Stackable 48 Ethernet 10/100/1000 PoE+ ports | WS-C3850-48F | 3.3.3SE(15.0.1EZ3) IP Base feature set
 | Cisco Catalyst 3850 Series Stackable 24 Ethernet 10/100/1000 PoE+ Ports | WS-C3850-24P | 
 | Cisco Catalyst 3850 Series 2 x 10GE Network Module | C3850-NM-2-10G | 
 | Cisco Catalyst 3850 Series 4 x 1GE Network Module | C3850-NM-4-1G | 
 | Cisco Catalyst 3650 Series 24 Ethernet 10/100/1000 PoE+ and 2x10GE or 4x1GE Uplink | WS-C3650-24PD | 3.3.3SE(15.0.1EZ3) IP Base feature set
 | Cisco Catalyst 3650 Series 24 Ethernet 10/100/1000 PoE+ and 4x1GE Uplink | WS-C3650-24PS | 
 | Cisco Catalyst 3650 Series Stack Module | C3650-STACK | 
 | Cisco Catalyst 3750-X Series Stackable 48 Ethernet 10/100/1000 PoE+ ports | WS-C3750X-48PF-S | 15.2(1)E3 IP Base feature set
 | Cisco Catalyst 3750-X Series Stackable 24 Ethernet 10/100/1000 PoE+ ports | WS-C3750X-24P-S | 
 | Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module | C3KX-NM-10G | 
 | Cisco Catalyst 3750-X Series Four GbE SFP ports network module | C3KX-NM-1G | 
 | Cisco Catalyst 2960-X Series 24 10/100/1000 Ethernet and 2 SFP+ Uplink | WS-C2960X-24PD | 15.0(2)EX5 LAN Base feature set
 | Cisco Catalyst 2960-X FlexStack-Plus Hot-Swappable Stacking Module | C2960X-STACK | 
Standalone Access Layer Switch | Cisco Catalyst 3650 Series 24 Ethernet 10/100/1000 PoE+ and 4x1GE Uplink | WS-C3650-24PS | 3.3.3SE(15.0.1EZ3) IP Base feature set
WAN-Aggregation Devices

The following sections include the configuration files for each of the headend WAN aggregation devices.

WAN-Aggregation design—Dual DMVPN and DMVPN Only

This section includes configuration files corresponding to the Dual DMVPN and DMVPN Only design models as referenced in Figure 2.
Figure 2 - WAN-aggregation design—Dual DMVPN and DMVPN Only

[Figure not reproduced. It shows VPN-ASR1002-1 and VPN-ASR1001-2 connected to the WAN-D3750X distribution switch and, through the DMZ-VPN behind an ASA 5545X, to the Internet (ISP A/ISP B, 100/50 Mbps). Addressing shown: WAN-D3750X Port-channel3 (gig1/0/3, gig2/0/3) to VPN-ASR1002-1 Port-channel3 (gig0/0/0, gig0/0/1) on 10.4.32.16/30 (.17, .18); WAN-D3750X Port-channel4 (gig1/0/4, gig2/0/4) to VPN-ASR1001-2 Port-channel4 (gig0/0/0, gig0/0/1) on 10.4.32.24/30 (.25, .26); each router's gig0/0/3 on 192.168.18.0/24 (.10, .11) toward DMZ-VPN VLAN 1118 (.1, .2).]
The following table provides the loopback addresses for the WAN aggregation devices in the Dual DMVPN and DMVPN Only design models, shown in the preceding figure.
Table 1 - DMVPN aggregation device Loopback addresses
Hostname Loopback0
VPN-ASR1002-1 10.4.32.243/32
VPN-ASR1001-2 10.4.32.244/32
How to Read Commands

This guide uses the following conventions for commands that you enter at the command-line interface (CLI).

Commands to enter at a CLI prompt: configure terminal
Commands that specify a value for a variable: ntp server 10.10.48.17
Commands with variables that you must define: class-map [highest class name]
Commands at a CLI or script prompt: Router# enable
Long commands that line wrap are underlined. Enter them as one command: police rate 10000 pps burst 10000 packets conform-action
Noteworthy parts of system output (or of device configuration files) are highlighted: interface Vlan64 ip address 10.5.204.5 255.255.255.0

VPN-ASR1002-1
version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform qos port-channel-aggregate 1
platform qos port-channel-aggregate 13
!
hostname VPN-ASR1002-1
!
boot-start-marker
boot system bootflash:asr1002x-universalk9.03.12.00.S.154-2.S-std.SPA.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip vrf INET-PUBLIC
rd 65512:1
!
ip domain name cisco.local
ip multicast-routing distributed
!
ipv6 multicast rpf use-bgp
ipv6 multicast vrf Mgmt-intf rpf use-bgp
!
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 121A0C041104
key chain LAN-KEY
key 1
key-string 7 045802150C2E
!
license accept end user agreement
license boot level adventerprise
spanning-tree extend system-id
!
username admin password 7 0205554808095E731F
!
redundancy
mode none
!
cdp run
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
class-map match-any DATA
match dscp af21
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp cs3 af31
match dscp ef
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map match-any TP-MEDIA
match protocol telepresence-media
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map WAN-INTERFACE-G0/0/3-SHAPE-ONLY
class class-default
shape average 100000000
policy-map RS-GROUP-3G-POLICY
class class-default
shape average 3100000
service-policy WAN
policy-map RS-GROUP-4G-POLICY
class class-default
shape average 8000000
service-policy WAN
policy-map RS-GROUP-2MBPS-POLICY
class class-default
shape average 2000000
service-policy WAN
policy-map RS-GROUP-5MBPS-POLICY
class class-default
shape average 5000000
service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
class class-default
shape average 10000000
service-policy WAN
policy-map RS-GROUP-25MBPS-POLICY
class class-default
shape average 25000000
service-policy WAN
policy-map RS-GROUP-50MBPS-POLICY
class class-default
shape average 50000000
service-policy WAN
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
!
interface Loopback0
ip address 10.4.32.243 255.255.255.255
ip pim sparse-mode
!
interface Port-channel3
ip address 10.4.32.18 255.255.255.252
ip pim sparse-mode
no negotiation auto
!
interface Port-channel13
description VPN-DMZ
ip vrf forwarding INET-PUBLIC
no ip address
shutdown
no negotiation auto
service-policy output WAN-INTERFACE-PO-13-SHAPE-ONLY
!
interface Tunnel10
bandwidth 100000
ip address 10.4.34.1 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map group RS-GROUP-25MBPS service-policy output RS-GROUP-25MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
ip nhrp map group RS-GROUP-5MBPS service-policy output RS-GROUP-5MBPS-POLICY
ip nhrp map group RS-GROUP-2MBPS service-policy output RS-GROUP-2MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-3G service-policy output RS-GROUP-3G-POLICY
ip nhrp map group RS-GROUP-4G service-policy output RS-GROUP-4G-POLICY
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/3
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0/0
description WAN-D3750X Gig1/0/3
no ip address
negotiation auto
cdp enable
channel-group 3
!
interface GigabitEthernet0/0/1
description WAN-D3750X Gig2/0/3
no ip address
negotiation auto
cdp enable
channel-group 3
!
interface GigabitEthernet0/0/2
description DMZ-2960X Gig1/0/6
no ip address
negotiation auto
cdp enable
channel-group 13
!
interface GigabitEthernet0/0/3
description VPN-DMZ
ip vrf forwarding INET-PUBLIC
ip address 192.168.18.10 255.255.255.0
negotiation auto
service-policy output WAN-INTERFACE-G0/0/3-SHAPE-ONLY
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel3
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
redistribute eigrp 200 route-map SET-ROUTE-TAG-DMVPN
exit-af-topology
network 10.4.0.0 0.1.255.255
eigrp router-id 10.4.32.243
nsf
exit-address-family
!
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 200
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
no split-horizon
exit-af-interface
!
topology base
redistribute eigrp 100
exit-af-topology
network 10.4.34.0 0.0.1.255
eigrp router-id 10.4.32.243
exit-address-family
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip pim autorp listener
ip pim register-source Loopback0
ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 192.168.18.1
!
ip tacacs source-interface Loopback0
!
ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
!
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map SET-ROUTE-TAG-DMVPN permit 10
match interface Tunnel10
set tag 65512
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
!
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 107D0C1A17120620091D
!
control-plane
!
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
ntp source Loopback0
ntp server 10.4.48.17
!
end
VPN-ASR1001-2

version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform qos port-channel-aggregate 4
platform qos port-channel-aggregate 14
!
hostname VPN-ASR1001-2
!
boot-start-marker
boot system bootflash:asr1001-universalk9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip vrf INET-PUBLIC
rd 65512:2
!
ip domain name cisco.local
ip multicast-routing distributed
!
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 00071A150754
key chain LAN-KEY
key 1
key-string 7 070C285F4D06
!
license udi pid ASR1001 sn JAE15040H1U
license boot level adventerprise
spanning-tree extend system-id
!
username admin password 7 15115A1F07257A767B
!
redundancy
mode none
!
cdp run
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
class-map match-any DATA
match dscp af21
match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp cs3 af31
match dscp ef
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
match ip dscp cs1 af11
class-map match-any TP-MEDIA
match protocol telepresence-media
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
match ip dscp cs2 cs6
match access-group name ISAKMP
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map WAN-INTERFACE-G0/0/3-SHAPE-ONLY
class class-default
shape average 100000000
policy-map RS-GROUP-3G-POLICY
class class-default
shape average 3100000
service-policy WAN
policy-map RS-GROUP-4G-POLICY
class class-default
shape average 8000000
service-policy WAN
policy-map RS-GROUP-2MBPS-POLICY
class class-default
shape average 2000000
service-policy WAN
policy-map RS-GROUP-5MBPS-POLICY
class class-default
shape average 5000000
service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
class class-default
shape average 10000000
service-policy WAN
policy-map RS-GROUP-25MBPS-POLICY
class class-default
shape average 25000000
service-policy WAN
policy-map RS-GROUP-50MBPS-POLICY
class class-default
shape average 50000000
service-policy WAN
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
!
interface Loopback0
ip address 10.4.32.244 255.255.255.255
ip pim sparse-mode
!
interface Port-channel4
ip address 10.4.32.22 255.255.255.252
ip pim sparse-mode
no negotiation auto
!
interface Tunnel10
bandwidth 50000
ip address 10.4.36.1 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map group RS-GROUP-5MBPS service-policy output RS-GROUP-5MBPS-POLICY
ip nhrp map group RS-GROUP-25MBPS service-policy output RS-GROUP-25MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
ip nhrp map group RS-GROUP-2MBPS service-policy output RS-GROUP-2MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-3G service-policy output RS-GROUP-3G-POLICY
ip nhrp map group RS-GROUP-4G service-policy output RS-GROUP-4G-POLICY
ip nhrp network-id 102
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/3
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0/0
description WAN-D3750X Gig1/0/4
no ip address
negotiation auto
cdp enable
channel-group 4
!
interface GigabitEthernet0/0/1
description WAN-D3750X Gig2/0/4
no ip address
negotiation auto
cdp enable
channel-group 4
!
interface GigabitEthernet0/0/3
description VPN-DMZ
ip vrf forwarding INET-PUBLIC
ip address 192.168.18.11 255.255.255.0
negotiation auto
service-policy output WAN-INTERFACE-G0/0/3-SHAPE-ONLY
!
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel4
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
redistribute eigrp 201 route-map SET-ROUTE-TAG-DMVPN
exit-af-topology
network 10.4.0.0 0.1.255.255
eigrp router-id 10.4.32.244
nsf
exit-address-family
!
!
router eigrp WAN-DMVPN-2
!
address-family ipv4 unicast autonomous-system 201
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
no split-horizon
exit-af-interface
!
topology base
redistribute eigrp 100
exit-af-topology
network 10.4.36.0 0.0.1.255
eigrp router-id 10.4.32.244
exit-address-family
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
ip pim autorp listener
ip pim register-source Loopback0
ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 192.168.18.1
ip tacacs source-interface Loopback0
!
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map SET-ROUTE-TAG-DMVPN permit 10
match interface Tunnel10
set tag 65512
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
!
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 03375E08140A35674B10
!
control-plane
!
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
ntp source Loopback0
ntp server 10.4.48.17
!
end
WAN-Aggregation design—DMVPN Backup Dedicated (MPLS WAN)
This section includes configuration files corresponding to the DMVPN Backup Dedicated (MPLS WAN) design models as referenced in Figure 3.
Figure 3 - WAN-aggregation design—DMVPN Backup Dedicated (MPLS WAN)

[Figure not reproduced. It shows CE-ASR1002-1 and CE-ASR1001-2 connected to the WAN-D3750X distribution switch (AS=65511) and to MPLS A (AS 65401, 300 Mbps) and MPLS B (AS 65402, 150 Mbps), with VPN-ASR1002-1 connected through the DMZ-VPN behind an ASA 5545X to the Internet (ISP A/ISP B, 100/50 Mbps). Addressing shown: Port-channel1 (gig1/0/1, gig2/0/1 to gig0/0/0, gig0/0/1) on 10.4.32.0/30 (.1, .2); Port-channel2 (gig1/0/2, gig2/0/2 to gig0/0/0, gig0/0/1) on 10.4.32.8/30 (.9, .10); Port-channel3 (gig1/0/3, gig2/0/3 to gig0/0/0, gig0/0/1) on 10.4.32.16/30 (.17, .18); the CE routers' gig0/0/3 MPLS uplinks on 192.168.3.0/30 and 192.168.4.0/30 (.1, .2); VPN-ASR1002-1 gig0/0/3 on 192.168.18.0/24 (.10) toward DMZ-VPN VLAN 1118 (.1, .2).]
The following table provides the loopback addresses for the WAN aggregation devices in the DMVPN Backup Dedicated (MPLS WAN) design model, shown in the preceding figure.
Table 2 - MPLS WAN-aggregation device loopback addresses
Hostname Loopback0
CE-ASR1002-1 10.4.32.241/32
CE-ASR1001-2 10.4.32.242/32
CE-ASR1002-1

version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname CE-ASR1002-1
!
boot-start-marker
boot system bootflash:asr1000rp1-adventerprisek9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip domain name cisco.local
ip multicast-routing distributed
!
multilink bundle-name authenticated
!
key chain LAN-KEY
key 1
key-string 7 070C285F4D06
!
spanning-tree extend system-id
!
username admin password 7 03070A180500701E1D
!
redundancy
mode none
!
cdp run
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
class-map match-any DATA
match dscp af21
class-map match-any BGP-ROUTING
match protocol bgp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map match-any TP-MEDIA
match protocol telepresence-media
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
!
policy-map MARK-BGP
class BGP-ROUTING
set dscp cs6
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
service-policy MARK-BGP
class class-default
bandwidth percent 25
random-detect
policy-map WAN-INTERFACE-G0/0/3
class class-default
shape average 300000000
service-policy WAN
!
interface Loopback0
ip address 10.4.32.241 255.255.255.255
ip pim sparse-mode
!
interface Port-channel1
ip address 10.4.32.2 255.255.255.252
ip pim sparse-mode
no negotiation auto
!
interface GigabitEthernet0/0/0
description WAN-D3750X Gig1/0/1
no ip address
negotiation auto
channel-group 1
!
interface GigabitEthernet0/0/1
description WAN-D3750X Gig2/0/1
no ip address
negotiation auto
channel-group 1
!
interface GigabitEthernet0/0/3
description MPLS WAN Uplink
bandwidth 300000
ip address 192.168.3.1 255.255.255.252
ip pim sparse-mode
ip tcp adjust-mss 1360
negotiation auto
service-policy output WAN-INTERFACE-G0/0/3
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel1
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
default-metric 300000 100 255 1 1500
distribute-list route-map BLOCK-TAGGED-ROUTES in
redistribute bgp 65511
exit-af-topology
network 10.4.0.0 0.1.255.255
eigrp router-id 10.4.32.241
nsf
exit-address-family
!
router bgp 65511
bgp router-id 10.4.32.241
bgp log-neighbor-changes
network 0.0.0.0
network 192.168.3.0 mask 255.255.255.252
redistribute eigrp 100
neighbor 10.4.32.242 remote-as 65511
neighbor 10.4.32.242 update-source Loopback0
neighbor 10.4.32.242 next-hop-self
neighbor 192.168.3.2 remote-as 65401
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
ip pim autorp listener
ip pim register-source Loopback0
ip tacacs source-interface Loopback0
!
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map BLOCK-TAGGED-ROUTES deny 10
match tag 65401 65402 65512
!
route-map BLOCK-TAGGED-ROUTES permit 20
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
!
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 00371605165E1F2D0A38
!
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 55 in
exec-timeout 0 0
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
ntp source Loopback0
ntp server 10.4.48.17
!
end
CE-ASR1001-2
version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname CE-ASR1001-2
!
boot-start-marker
boot system bootflash:asr1001-universalk9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip domain name cisco.local
ip multicast-routing distributed
!
!
multilink bundle-name authenticated
!
key chain LAN-KEY
key 1
key-string 7 0822455D0A16
!
license boot level adventerprise
spanning-tree extend system-id
!
username admin password 7 0205554808095E731F
!
redundancy
mode none
!
cdp run
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
class-map match-any DATA
match dscp af21
class-map match-any BGP-ROUTING
match protocol bgp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map match-any TP-MEDIA
match protocol telepresence-media
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
!
policy-map MARK-BGP
class BGP-ROUTING
set dscp cs6
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
service-policy MARK-BGP
class class-default
bandwidth percent 25
random-detect
policy-map WAN-INTERFACE-G0/0/3
class class-default
shape average 300000000
service-policy WAN
!
interface Loopback0
ip address 10.4.32.242 255.255.255.255
ip pim sparse-mode
!
interface Port-channel2
ip address 10.4.32.6 255.255.255.252
ip pim sparse-mode
no negotiation auto
!
interface GigabitEthernet0/0/0
description WAN-D3750X Gig 1/0/2
no ip address
negotiation auto
cdp enable
channel-group 2
!
interface GigabitEthernet0/0/1
description WAN-D3750X Gig 2/0/2
no ip address
negotiation auto
cdp enable
channel-group 2
!
interface GigabitEthernet0/0/3
description MPLS WAN Uplink
bandwidth 150000
ip address 192.168.4.1 255.255.255.252
ip pim sparse-mode
ip tcp adjust-mss 1360
negotiation auto
service-policy output WAN-INTERFACE-G0/0/3
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel2
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
default-metric 150000 100 255 1 1500
distribute-list route-map BLOCK-TAGGED-ROUTES in
redistribute bgp 65511
exit-af-topology
network 10.4.0.0 0.1.255.255
eigrp router-id 10.4.32.242
nsf
exit-address-family
!
router bgp 65511
bgp router-id 10.4.32.242
bgp log-neighbor-changes
network 0.0.0.0
network 192.168.4.0 mask 255.255.255.252
redistribute eigrp 100
neighbor 10.4.32.241 remote-as 65511
neighbor 10.4.32.241 update-source Loopback0
neighbor 10.4.32.241 next-hop-self
neighbor 192.168.4.2 remote-as 65402
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
ip pim autorp listener
ip pim register-source Loopback0
ip tacacs source-interface Loopback0
!
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map BLOCK-TAGGED-ROUTES deny 10
match tag 65401 65402 65512
!
route-map BLOCK-TAGGED-ROUTES permit 20
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
!
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 13361211190910012E3D
!
control-plane
!
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 55 in
exec-timeout 0 0
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
ntp source Loopback0
ntp server 10.4.48.17
!
end
WAN-Aggregation design—DMVPN Backup Dedicated (Layer 2 WAN)
This section includes configuration files corresponding to the DMVPN Backup Dedicated (Layer 2 WAN) design models as referenced in Figure 4.
Figure 4 - WAN-aggregation design—DMVPN Backup Dedicated (Layer 2 WAN)
[Figure: WAN-D3750X connects to METRO-ASR1001-1 over Port-channel5 (switch gig1/0/6 and gig2/0/6; router gig0/0/0 and gig0/0/1; 10.4.32.32/30, .33 and .34) and to VPN-ASR1002-1 over Port-channel3 (switch gig1/0/3 and gig2/0/3; router gig0/0/0 and gig0/0/1; 10.4.32.16/30, .17 and .18). METRO-ASR1001-1 gig0/0/3 (500 Mbps) carries VLAN 38 (10.4.38.0/24, .1) and VLAN 39 (10.4.39.0/24, .1) to VPLS A. VPN-ASR1002-1 gig0/0/3 reaches the Internet (ISP A/ISP B, 100/50 Mbps) through VLAN 1118 (192.168.18.0/24; .10, .1 and .2) and the DMZ-VPN ASA 5545X.]
The following table provides the loopback addresses for the WAN aggregation devices in the DMVPN Backup Dedicated (Layer 2 WAN) design model, shown in the preceding figure.
Table 3 - Metro Ethernet aggregation device loopback address
Hostname | Loopback0
METRO-ASR1001-1 | 10.4.32.245/32
METRO-ASR1001-1
version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname METRO-ASR1001-1
!
boot-start-marker
boot system bootflash:asr1001-universalk9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip domain name cisco.local
!
ip multicast-routing distributed
!
!
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 121A0C041104
key chain LAN-KEY
key 1
key-string 7 060506324F41
!
license boot level adventerprise
spanning-tree extend system-id
!
username admin password 7 03070A180500701E1D
!
redundancy
mode none
!
ip tftp source-interface GigabitEthernet0
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
class-map match-any DATA
match dscp af21
class-map match-all CLASS-MAP-RS210
match access-group name RS210-10.5.144.0
class-map match-all CLASS-MAP-RS211
match access-group name RS211-10.5.152.0
class-map match-all CLASS-MAP-RS212
match access-group name RS212-10.5.168.0
class-map match-all CLASS-MAP-RS213
match access-group name RS213-10.5.176.0
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
!
policy-map POLICY-MAP-RS210
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
policy-map POLICY-MAP-RS211
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map POLICY-MAP-RS212
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map POLICY-MAP-RS213
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
class NETWORK-CRITICAL
bandwidth percent 3
class CLASS-MAP-RS210
shape average 10000000
service-policy POLICY-MAP-RS210
class CLASS-MAP-RS211
shape average 10000000
service-policy POLICY-MAP-RS211
class CLASS-MAP-RS212
shape average 20000000
service-policy POLICY-MAP-RS212
class CLASS-MAP-RS213
shape average 20000000
service-policy POLICY-MAP-RS213
policy-map WAN-INTERFACE-G0/0/3
class class-default
shape average 500000000
service-policy POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
!
!
interface Loopback0
ip address 10.4.32.245 255.255.255.255
ip pim sparse-mode
!
interface Port-channel5
ip address 10.4.32.34 255.255.255.252
ip pim sparse-mode
no negotiation auto
!
interface GigabitEthernet0/0/0
description WAN-D3750X Gig1/0/6
no ip address
negotiation auto
channel-group 5
!
interface GigabitEthernet0/0/1
description WAN-D3750X Gig2/0/6
no ip address
negotiation auto
channel-group 5
!
interface GigabitEthernet0/0/3
bandwidth 500000
no ip address
negotiation auto
service-policy output WAN-INTERFACE-G0/0/3
!
interface GigabitEthernet0/0/3.38
encapsulation dot1Q 38
ip address 10.4.38.1 255.255.255.0
ip pim sparse-mode
ip tcp adjust-mss 1360
!
interface GigabitEthernet0/0/3.39
encapsulation dot1Q 39
ip address 10.4.39.1 255.255.255.0
ip pim sparse-mode
ip tcp adjust-mss 1360
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel5
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-TAGGED-ROUTES in
redistribute eigrp 300 route-map SET-ROUTE-TAG-METROE
exit-af-topology
network 10.4.0.0 0.1.255.255
eigrp router-id 10.4.32.245
nsf
exit-address-family
!
!
router eigrp WAN-LAYER2
!
address-family ipv4 unicast autonomous-system 300
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/0/3.39
authentication mode md5
authentication key-chain WAN-KEY
no passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/0/3.38
authentication mode md5
authentication key-chain WAN-KEY
no passive-interface
exit-af-interface
!
topology base
redistribute eigrp 100
exit-af-topology
network 10.4.38.0 0.0.0.255
network 10.4.39.0 0.0.0.255
eigrp router-id 10.4.32.245
exit-address-family
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
ip pim autorp listener
ip pim register-source Loopback0
ip tacacs source-interface Loopback0
!
ip access-list extended RS210-10.5.144.0
permit ip any 10.5.144.0 0.0.7.255
ip access-list extended RS211-10.5.152.0
permit ip any 10.5.152.0 0.0.7.255
ip access-list extended RS212-10.5.168.0
permit ip any 10.5.168.0 0.0.7.255
ip access-list extended RS213-10.5.176.0
permit ip any 10.5.176.0 0.0.7.255
!
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map BLOCK-TAGGED-ROUTES deny 10
match tag 65512
!
route-map BLOCK-TAGGED-ROUTES permit 20
!
route-map SET-ROUTE-TAG-METROE permit 10
match interface GigabitEthernet0/0/3.38 GigabitEthernet0/0/3.39
set tag 300
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
!
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 0812494D1B1C113C1712
!
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 55 in
exec-timeout 0 0
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
ntp source Loopback0
ntp server 10.4.48.17
!
end
WAN-Aggregation Design—WAN Aggregation Distribution Switch
This section includes the configuration file for the WAN aggregation distribution switch, which is common to each of the WAN-aggregation designs shown in Figure 2, Figure 3 and Figure 4.
WAN-D3750X
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname WAN-D3750X
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
username admin password 7 06055E324F41584B56
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
switch 1 provision ws-c3750x-24p
switch 2 provision ws-c3750x-24
stack-mac persistent timer 0
system mtu routing 1500
ip routing
!
ip domain-name cisco.local
ip name-server 10.4.48.10
ip multicast-routing distributed
ip device tracking
vtp mode transparent
udld enable
!
mls qos map policed-dscp 0 10 18 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 3200
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
key chain LAN-KEY
key 1
key-string 7 05080F1C2243
!
license boot level ipservices
license boot level ipservices switch 2
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 24576
!
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
vlan 349
name AppNav_Intercept_Net
!
vlan 350
name WAN_Service_Net
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
macro name EgressQoS
mls qos trust dscp
queue-set 1
srr-queue bandwidth share 1 30 35 5
priority-queue out
@
!
interface Loopback0
ip address 10.4.32.240 255.255.255.255
ip pim sparse-mode
!
interface Port-channel1
description CE-ASR1002-1
no switchport
ip address 10.4.32.1 255.255.255.252
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 0235015819031B0A4957
load-interval 30
carrier-delay msec 0
!
interface Port-channel2
description CE-ASR1001-2
no switchport
ip address 10.4.32.5 255.255.255.252
ip pim sparse-mode
carrier-delay msec 0
!
interface Port-channel3
description VPN-ASR1002-1
no switchport
ip address 10.4.32.17 255.255.255.252
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 0508571C22431F5B4A
carrier-delay msec 0
!
interface Port-channel4
description VPN-ASR1001-2
no switchport
ip address 10.4.32.21 255.255.255.252
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 0205554808095E731F
carrier-delay msec 0
!
interface Port-channel5
description Link to METRO-ASR1001-1
no switchport
ip address 10.4.32.33 255.255.255.252
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 0508571C22431F5B4A
carrier-delay msec 0
!
interface Port-channel38
description Etherchannel to Core 6500 VSS
no switchport
ip address 10.4.40.42 255.255.255.252
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 0508571C22431F5B4A
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
!
interface GigabitEthernet1/0/1
description CE-ASR1002-1 Gig0/0/0
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 1 mode on
!
interface GigabitEthernet1/0/2
description CE-ASR1001-2 Gig0/0/0
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 2 mode on
!
interface GigabitEthernet1/0/3
description VPN-ASR1002-1 Gig0/0/0
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 3 mode on
!
interface GigabitEthernet1/0/4
description VPN-ASR1001-2 Gig0/0/0
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 4 mode on
!
interface GigabitEthernet1/0/6
description METRO-ASR1001-1 Gig0/0/0
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 5 mode on
!
interface TenGigabitEthernet1/1/1
description Etherchannel link to Core 6500 VSS Te1/7/7
no switchport
no ip address
logging event trunk-status
logging event bundle-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 38 mode active
!
interface TenGigabitEthernet1/1/2
description Etherchannel link to Core 6500 VSS Te2/7/7
no switchport
no ip address
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 38 mode active
!
interface GigabitEthernet2/0/1
description CE-ASR1002-1 Gig0/0/1
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 1 mode on
!
interface GigabitEthernet2/0/2
description CE-ASR1001-2 Gig0/0/1
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 2 mode on
!
interface GigabitEthernet2/0/3
description VPN-ASR1002-1 Gig0/0/1
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 3 mode on
!
interface GigabitEthernet2/0/4
description VPN-ASR1001-2 Gig0/0/1
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 4 mode on
!
interface GigabitEthernet2/0/6
description METRO-ASR1001-1 Gig0/0/1
no switchport
no ip address
logging event trunk-status
logging event bundle-status
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 5 mode on
!
interface TenGigabitEthernet2/1/1
description Link to C6500-VSS port 2
no switchport
no ip address
logging event trunk-status
logging event bundle-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 38 mode active
!
interface TenGigabitEthernet2/1/2
no switchport
no ip address
logging event trunk-status
logging event bundle-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-group 38 mode active
!
interface Vlan349
ip address 10.4.32.65 255.255.255.192
!
interface Vlan350
ip address 10.4.32.129 255.255.255.192
ip pim sparse-mode
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel38
summary-address 10.4.32.0 255.255.248.0
summary-address 10.5.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.240.0
summary-address 192.168.3.0 255.255.255.0
summary-address 192.168.4.0 255.255.255.0
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
af-interface Port-channel1
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
af-interface Port-channel2
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
af-interface Port-channel3
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
af-interface Port-channel4
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
af-interface Port-channel5
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
af-interface Port-channel6
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.4.0.0 0.1.255.255
eigrp router-id 10.4.32.240
exit-address-family
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip tacacs source-interface Loopback0
!
access-list 55 permit 10.4.48.0 0.0.0.255
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 0235015819031B0A4957
!
!
line con 0
transport preferred none
line vty 0 4
access-class 55 in
exec-timeout 0 0
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
ntp source Loopback0
ntp server 10.4.48.17
end
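Every WAN-aggregation configuration above repeats one management-plane pattern: vty lines limited by access-class 55 and transport input ssh, no ip http server, SNMP communities bound to ACL 55, TACACS+ with local fallback, and type 7 strings for the EIGRP key chains, the local user and the TACACS key. The Python script below is an added example, not part of this Cisco guide, that audits a running-config text for exactly those items and also reports objects that are referenced by name but never defined (named ACLs, policy-maps and key chains). The excerpt it runs over is constructed from the listings above, with one ACL name deliberately misspelled and one key chain deliberately left out so the reference check has something to report; the checks themselves and the well-known-community list are the example's own choices, and it assumes the indentation of a real show running-config, which the listings in this guide lost in extraction.

```python
"""Audit a Cisco IOS configuration for the management-plane settings that recur in
this guide and for objects referenced by name but never defined. Added example, not
Cisco's code; it assumes the indentation of a real 'show running-config'."""
import re

# Constructed excerpt modelled on the WAN-aggregation configs above: the ACL name under
# CLASS-MAP-RS211 is deliberately misspelled and key chain WAN-KEY deliberately omitted.
SAMPLE_CONFIG = """\
username admin password 7 03070A180500701E1D
key chain LAN-KEY
 key 1
  key-string 7 060506324F41
class-map match-all CLASS-MAP-RS211
 match access-group name RS210-10.5.152.0
policy-map WAN-INTERFACE-G0/0/3
 class class-default
interface GigabitEthernet0/0/3
 service-policy output WAN-INTERFACE-G0/0/3
router eigrp LAN
 af-interface Port-channel5
  authentication key-chain LAN-KEY
router eigrp WAN-LAYER2
 af-interface GigabitEthernet0/0/3.38
  authentication key-chain WAN-KEY
no ip http server
ip access-list extended RS211-10.5.152.0
access-list 55 permit 10.4.48.0 0.0.0.255
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
line vty 0 4
 access-class 55 in
 exec-timeout 0 0
 transport input ssh
line vty 5 15
 access-class 55 in
 transport input ssh
"""

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "cisco123"}  # example's own list
TYPE7_RE = re.compile(r"\b(?:password|key-string|key|md5) 7 \S+")  # type 7 is reversible
OBJECTS = {  # kind: (top-level line that defines it, line that references it by name)
    "access-list": (r"ip access-list (?:standard|extended) (\S+)$", r"match access-group name (\S+)$"),
    "policy-map": (r"policy-map (?:type inspect )?(\S+)$", r"service-policy (?:type inspect )?(?:(?:input|output) )?(\S+)$"),
    "key chain": (r"key chain (\S+)$", r"authentication key-chain (\S+)$"),
}


def parse_sections(text):
    """Group each top-level command with its indented children (nesting flattened)."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def hardening_findings(text):
    """Return human-readable management-plane findings, in configuration order."""
    sections = parse_sections(text)
    findings = []
    if "no ip http server" not in [h for h, _ in sections]:
        findings.append("http: cleartext HTTP server is not disabled")
    for header, body in sections:
        if header.startswith("line vty"):
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in body):
                findings.append(f"{header}: no inbound access-class")
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not restricted to ssh")
            if "exec-timeout 0 0" in body:
                findings.append(f"{header}: exec-timeout 0 0 disables the idle logout")
        m = re.match(r"snmp-server community (\S+) (RO|RW)", header)
        if m and m.group(1).lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"snmp: {m.group(2)} community {m.group(1)!r} is a well-known string")
        for line in [header, *body]:
            if TYPE7_RE.search(line):  # an obfuscation, not a hash: treat as cleartext
                findings.append(f"type 7: reversible encoding in '{line.split(' 7 ')[0]} 7 ...'")
    return findings


def dangling_references(text):
    """Return (kind, name, referencing header) for names used but never defined."""
    sections = parse_sections(text)
    defined = {kind: set() for kind in OBJECTS}
    for header, _ in sections:
        for kind, (define, _ref) in OBJECTS.items():
            m = re.match(define, header)
            if m:
                defined[kind].add(m.group(1))
    missing = []  # numbered ACLs such as 'access-list 55' are not tracked
    for header, body in sections:
        for line in [header, *body]:
            for kind, (_define, reference) in OBJECTS.items():
                m = re.match(reference, line)
                if m and m.group(1) not in defined[kind]:
                    missing.append((kind, m.group(1), header))
    return missing
```

Feed hardening_findings() and dangling_references() the text of show running-config. On the excerpt, the hardening pass reports the exec-timeout 0 0 on line vty 0 4 (present in every configuration in this guide), the two well-known SNMP community strings and the two type 7 strings; the reference pass reports the misspelled ACL under CLASS-MAP-RS211 and the undefined key chain WAN-KEY, while line vty 5 15 and the correctly referenced LAN-KEY and WAN-INTERFACE-G0/0/3 produce nothing.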
WAN Remote-Site Devices—Dual DMVPN and DMVPN Only with Local Internet Access Design Models
This section includes configuration files corresponding to the WAN remote-site design topologies as referenced in Figure 5. Each remote-site type has its respective devices grouped together along with any other relevant configuration information.
Figure 5 - WAN remote-site designs–Dual DMVPN and DMVPN only with local Internet
[Figure: three Internet WAN remote-site topologies: Remote Site 250 (nonredundant; Internet DMVPN-1), Remote Site 251 (redundant links; Internet DMVPN-1 and DMVPN-2) and Remote Site 252 (redundant links and routers, distribution layer; Internet DMVPN-1 and DMVPN-2).]
Table 4 - Remote-site DMVPN with local Internet WAN connection details
Location | Net block | DMVPN | LAN interfaces
Remote Site 250 (Single-router, single DMVPN) | 10.5.120.0/21 | (gig0/0) DHCP | (gig0/1)
Remote Site 251 (Single-router, dual-link DMVPN) | 10.5.128.0/21 | (gig0/0) DHCP, (gig0/1) DHCP | (gig0/2)
Remote Site 252 (Dual-router, dual-link DMVPN) | 10.5.136.0/21 | (gig0/0) DHCP | (gig0/2), (gig0/2)
The following table lists the policed-rate link speeds for the remote-site quality-of-service (QoS) traffic shaping policies.
Table 5 - Remote-site policed-rate link speeds
Location | Net block | DMVPN-1 link speed | DMVPN-2 link speed
Remote Site 250 | 10.5.120.0/21 | 2 Mbps | --
Remote Site 251 (dual-link) | 10.5.128.0/21 | 10 Mbps | 5 Mbps
Remote Site 252 (dual-link) | 10.5.136.0/21 | 10 Mbps | 5 Mbps
Remote Site 250: Single-Router, Single-Link (DMVPN) with Local Internet
Table 6 - Remote Site 250—IP address information
Location | Net block | Data wired subnet | Voice wired subnet | Loopbacks and switches
Remote Site 250 | 10.5.120.0/21 | 10.5.124.0/24 (VLAN 64) | 10.5.125.0/24 (VLAN 69) | 10.255.253.250 (router), 10.5.124.5 (access switch)
RS250-1941
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS250-1941
!
!
enable secret 5 $1$aO0u$HIXI.4HZSCdxc1gm2aKJf.
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
ip domain name cisco.local
ip multicast-routing
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
!
key chain WAN-KEY
key 1
key-string 7 121A0C041104
!
license udi pid CISCO1941/K9 sn FTX140980GY
!
username admin password 7 0508571C22431F5B4A
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
class-map match-any DATA
match dscp af21
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map type inspect match-any INSPECT-ACL-OUT-CLASS
match access-group name ACL-RTR-OUT
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map type inspect match-any PASS-ACL-OUT-CLASS
match access-group name ESP-OUT
match access-group name DHCP-OUT
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
match access-group name ISAKMP
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map type inspect ACL-OUT-POLICY
class type inspect INSPECT-ACL-OUT-CLASS
inspect
class type inspect PASS-ACL-OUT-CLASS
pass
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 2000000
service-policy WAN
policy-map type inspect ACL-IN-POLICY
class type inspect INSPECT-ACL-IN-CLASS
inspect
class type inspect PASS-ACL-IN-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
!
crypto keyring GLOBAL-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-PUBLIC
keyring GLOBAL-KEYRING
match identity address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
interface Loopback0
ip address 10.255.253.250 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
description DMVPN-1 tunnel interface
bandwidth 2000
ip address 10.4.34.250 255.255.254.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-2MBPS
ip nhrp map multicast 172.16.130.1
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/0 mandatory
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface GigabitEthernet0/0
description Internet Connection (ISP-A)
bandwidth 10000
ip dhcp client default-router distance 15
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
description RS250-3650 Gig1/0/24
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.64
description Wired Data
encapsulation dot1Q 64
ip address 10.5.124.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface GigabitEthernet0/1.69
description Voice
encapsulation dot1Q 69
ip address 10.5.125.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 200
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
summary-address 10.5.120.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-DEFAULT in
exit-af-topology
network 10.4.34.0 0.0.1.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.250
eigrp stub connected summary
exit-address-family
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 10.0.0.0 255.0.0.0 Null0 254
ip tacacs source-interface Loopback0
!
ip access-list standard NAT
permit 10.5.120.0 0.0.7.255
ip access-list standard NO-DEFAULT
deny 0.0.0.0
permit any
!
ip access-list extended ACL-RTR-IN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-OUT
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any
ip access-list extended DHCP-IN
permit udp any eq bootps any eq bootpc
ip access-list extended DHCP-OUT
permit udp any eq bootpc any eq bootps
ip access-list extended ESP-IN
permit esp any any
ip access-list extended ESP-OUT
permit esp any any
ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
!
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map BLOCK-DEFAULT permit 10
match ip address NO-DEFAULT
!
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 122A0014000E182F2F32
!
line con 0
logging synchronous
transport preferred none
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.48.17
!
end
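The zone-based firewall pieces in the listings above (inspect class-maps, inspect policy-maps and the zone pairs that bind them) are scattered across the configuration and, in this extracted form, have lost their indentation, so the effective per-zone-pair behaviour is hard to read off. The Python script below is an added example, not part of the design guide or any Cisco tool: it parses that flat form back into an ordered action table for each zone pair and reports an undefined policy, a class that is not an inspect class-map, or a class-default that passes or inspects instead of dropping. SAMPLE_CONFIG is a constructed copy of the OUTSIDE-to-self portion of the RS251 listing; the function names and the keyword-based section boundaries are the example's own assumptions.

```python
import re

# Added example (not from the design guide or a Cisco tool): rebuild ZBFW zone-pair action tables.
OPENERS = {  # top-level lines that open a section this parser models
    "class-map": re.compile(r"^class-map type inspect match-(?:any|all) (\S+)$"),
    "policy-map": re.compile(r"^policy-map type inspect (\S+)$"),
    "zone-pair": re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$"),
}
# Any other top-level keyword closes the section; the flat listing has no indentation to rely on.
OTHER_TOP = re.compile(r"^(class-map|policy-map|parameter-map|zone security|interface|"
                       r"ip |crypto|router|line|access-list|track|key chain|snmp-server)\b")

# Constructed sample: the OUTSIDE->self portion of the RS251 listing, flattened as on the page.
SAMPLE_CONFIG = """\
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map WAN
class class-default
policy-map type inspect ACL-IN-POLICY
class type inspect INSPECT-ACL-IN-CLASS
inspect
class type inspect PASS-ACL-IN-CLASS
pass
class class-default
drop
!
zone security OUTSIDE
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
"""

def parse_zbfw(text):
    """Return {"class-map": {name: [criteria]}, "policy-map": {name: [[cls, action]]},
    "zone-pair": {name: {"source", "destination", "policy"}}} from flat IOS text."""
    db, section = {"class-map": {}, "policy-map": {}, "zone-pair": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        for kind, rx in OPENERS.items():
            m = rx.match(line)
            if m:
                break
        if m:
            section = (kind, m.group(1))
            db[kind][m.group(1)] = ([] if kind != "zone-pair" else
                                    {"source": m.group(2), "destination": m.group(3), "policy": None})
            continue
        if OTHER_TOP.match(line):
            section = None                  # a section this parser does not model
            continue
        if section is None:
            continue
        kind, entry = section[0], db[section[0]][section[1]]
        if kind == "class-map" and line.startswith("match "):
            entry.append(line[6:])
        elif kind == "policy-map":
            cm = re.match(r"^class (?:type inspect )?(\S+)$", line)
            if cm:
                entry.append([cm.group(1), None])   # action is set by the following line
            elif line.split()[0] in ("inspect", "pass", "drop") and entry:
                entry[-1][1] = line.split()[0]
        elif kind == "zone-pair":
            sp = re.match(r"^service-policy type inspect (\S+)$", line)
            if sp:
                entry["policy"] = sp.group(1)
    return db

def action_table(text):
    """zone-pair name -> ordered (class, action, match criteria) rows."""
    db = parse_zbfw(text)
    return {zp: [(cls, act, tuple(db["class-map"].get(cls, [])))
                 for cls, act in db["policy-map"].get(info["policy"], [])]
            for zp, info in db["zone-pair"].items()}

def audit(text):
    """Findings as strings; empty means every zone pair is coherent and default-deny."""
    db, findings = parse_zbfw(text), []
    for zp, info in db["zone-pair"].items():
        policy = info["policy"]
        if policy not in db["policy-map"]:
            findings.append(f"{zp}: inspect policy {policy!r} is not defined")
            continue
        for cls, act in db["policy-map"][policy]:
            if cls != "class-default" and cls not in db["class-map"]:
                findings.append(f"{zp}: class {cls} in {policy} is not an inspect class-map")
            # IOS drops class-default implicitly; an explicit pass/inspect on it opens the pair.
            if cls == "class-default" and act in ("pass", "inspect"):
                findings.append(f"{zp}: {policy} ends with 'class-default {act}' (not default-deny)")
    return findings

if __name__ == "__main__":
    for zp, rows in action_table(SAMPLE_CONFIG).items():
        print(zp, *[f"  {act or '-':8}{cls}  {'; '.join(crit)}" for cls, act, crit in rows], sep="\n")
    print("findings:", audit(SAMPLE_CONFIG) or "none")
```

Run stand-alone, the script prints the TO-ROUTER table: traffic matching ACL-RTR-IN is inspected, traffic matching ESP-IN or DHCP-IN is passed, and everything else is dropped. The `pass` rows are the ones worth a reviewer's attention on any of these routers, because passed traffic bypasses stateful inspection entirely; here they are exactly the ESP packets the DMVPN tunnels need and the DHCP exchange the Internet-facing interface depends on, and the audit only raises a finding when a policy is missing, references an undefined class, or opens class-default.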
Remote Site 251: Single-Router, Dual-Link (DMVPN + DMVPN) with Local Internet
Table 7 - Remote Site 251—IP address information
Location: Remote Site 251
Net block: 10.5.128.0/21
Data wired subnet: 10.5.132.0/24 (VLAN 64)
Voice wired subnet: 10.5.133.0/24 (VLAN 69)
Loopbacks and switches: 10.255.253.251 (router), 10.5.132.5 (access switch)
RS251-2911
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS251-2911
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.152-4.M6.bin
boot-end-marker
!
enable secret 5 $1$9r9j$VctakpjxneG330Ty2Ld.6.
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication login MODULE none
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
ip domain name cisco.local
ip multicast-routing
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 104D000A0618
!
username admin password 7 110A4816141D5A5E57
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
track 60 ip sla 110 reachability
!
track 61 ip sla 111 reachability
!
track 62 list boolean or
object 60
object 61
!
class-map match-any DATA
match dscp af21
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map type inspect match-any INSPECT-ACL-OUT-CLASS
match access-group name ACL-RTR-OUT
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map type inspect match-any PASS-ACL-OUT-CLASS
match access-group name ESP-OUT
match access-group name DHCP-OUT
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
match access-group name ISAKMP
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map type inspect ACL-OUT-POLICY
class type inspect INSPECT-ACL-OUT-CLASS
inspect
class type inspect PASS-ACL-OUT-CLASS
pass
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 10000000
service-policy WAN
policy-map WAN-INTERFACE-G0/1
class class-default
shape average 5000000
service-policy WAN
policy-map type inspect ACL-IN-POLICY
class type inspect INSPECT-ACL-IN-CLASS
inspect
class type inspect PASS-ACL-IN-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
!
crypto keyring GLOBAL-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-PUBLIC
keyring GLOBAL-KEYRING
match identity address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
crypto ipsec profile DMVPN-PROFILE2
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
!
!
interface Loopback0
ip address 10.255.253.251 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
bandwidth 10000
ip address 10.4.34.251 255.255.254.0
no ip redirects
ip mtu 1400
ip wccp 62 redirect in
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-10MBPS
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp map multicast 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/0 mandatory
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface Tunnel11
bandwidth 5000
ip address 10.4.36.251 255.255.254.0
no ip redirects
ip mtu 1400
ip wccp 62 redirect in
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-5MBPS-POLICY
ip nhrp map 10.4.36.1 172.17.130.1
ip nhrp map multicast 172.17.130.1
ip nhrp network-id 102
ip nhrp holdtime 600
ip nhrp nhs 10.4.36.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/1 mandatory
tunnel protection ipsec profile DMVPN-PROFILE2
!
!
interface GigabitEthernet0/0
description Internet Connection (ISP-A)
bandwidth 10000
ip dhcp client default-router distance 15
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
description Internet Connection (ISP-B)
bandwidth 5000
ip dhcp client default-router distance 10
ip dhcp client route track 62
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/1
!
interface GigabitEthernet0/2
description RS251-A2960X Gig1/0/24
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.64
description Wired Data
encapsulation dot1Q 64
ip address 10.5.132.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface GigabitEthernet0/2.69
description Voice
encapsulation dot1Q 69
ip address 10.5.133.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 200
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
summary-address 10.5.128.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-DEFAULT in
exit-af-topology
network 10.4.34.0 0.0.1.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.251
eigrp stub connected summary
exit-address-family
!
!
router eigrp WAN-DMVPN-2
!
address-family ipv4 unicast autonomous-system 201
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel11
summary-address 10.5.128.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-DEFAULT in
exit-af-topology
network 10.4.36.0 0.0.1.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.251
eigrp stub connected summary
exit-address-family
!
ip local policy route-map PBR-SLA-SET-NEXT-HOP
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip nat inside source route-map ISP-A interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP-B interface GigabitEthernet0/1 overload
ip route 10.0.0.0 255.0.0.0 Null0 254
ip route 172.16.130.1 255.255.255.255 GigabitEthernet0/0 dhcp
ip route 172.17.130.1 255.255.255.255 GigabitEthernet0/1 dhcp
ip tacacs source-interface Loopback0
!
ip access-list standard NO-DEFAULT
deny 0.0.0.0
permit any
!
ip access-list extended ACL-RTR-IN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-OUT
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any
ip access-list extended DHCP-IN
permit udp any eq bootps any eq bootpc
ip access-list extended DHCP-OUT
permit udp any eq bootpc any eq bootps
ip access-list extended ESP-IN
permit esp any any
ip access-list extended ESP-OUT
permit esp any any
ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
ip access-list extended NAT
permit ip 10.5.128.0 0.0.7.255 any
ip access-list extended SLA-SET-NEXT-HOP
permit icmp any host 172.18.1.253
permit icmp any host 172.18.1.254
!
ip sla auto discovery
ip sla 110
icmp-echo 172.18.1.253 source-interface GigabitEthernet0/1
threshold 1000
frequency 15
ip sla schedule 110 life forever start-time now
ip sla 111
icmp-echo 172.18.1.254 source-interface GigabitEthernet0/1
threshold 1000
frequency 15
ip sla schedule 111 life forever start-time now
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map PBR-SLA-SET-NEXT-HOP permit 10
match ip address SLA-SET-NEXT-HOP
set ip next-hop dynamic dhcp
!
route-map ISP-B permit 10
match ip address NAT
match interface GigabitEthernet0/1
!
route-map ISP-A permit 10
match ip address NAT
match interface GigabitEthernet0/0
!
route-map BLOCK-DEFAULT permit 10
match ip address NO-DEFAULT
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 097F4B0A0B0003390E15
!
line con 0
transport preferred none
logging synchronous
line aux 0
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.4.48.17
!
end
Remote Site 252: Dual-Router, Dual-Link (DMVPN + DMVPN) with Local Internet
Table 8 - Remote Site 252—IP address information
Location: Remote Site 252
Net block: 10.5.136.0/21
Data wired subnet: 10.5.140.0/24 (VLAN 100)
Voice wired subnet: 10.5.210.0/24 (VLAN 101), 10.5.212.0/24 (VLAN 103)
Loopbacks and switches: 10.255.253.252 (router 1), 10.255.254.252 (router 2), 10.5.140.5 (access switch)
RS252-2921-1
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS252-2921-1
!
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
ip domain name cisco.local
ip multicast-routing
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
!
key chain WAN-KEY
key 1
key-string 7 13061E010803
key chain LAN-KEY
key 1
key-string 7 02050D480809
!
username admin password 7 130646010803557878
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
track 50 ip sla 100 reachability
!
class-map match-any DATA
match dscp af21
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map type inspect match-any INSPECT-ACL-OUT-CLASS
match access-group name ACL-RTR-OUT
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map type inspect match-any PASS-ACL-OUT-CLASS
match access-group name ESP-OUT
match access-group name DHCP-OUT
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
match access-group name ISAKMP
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map type inspect ACL-OUT-POLICY
class type inspect PASS-ACL-OUT-CLASS
pass
class type inspect INSPECT-ACL-OUT-CLASS
inspect
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 10000000
service-policy WAN
policy-map type inspect ACL-IN-POLICY
class type inspect INSPECT-ACL-IN-CLASS
inspect
class type inspect PASS-ACL-IN-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
!
crypto keyring GLOBAL-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-PUBLIC
keyring GLOBAL-KEYRING
match identity address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
!
interface Loopback0
ip address 10.255.253.252 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
description DMVPN-1 tunnel interface
bandwidth 10000
ip address 10.4.34.252 255.255.254.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-10MBPS
ip nhrp map multicast 172.16.130.1
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/0 mandatory
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface GigabitEthernet0/0
description Internet Connection (ISP-A)
bandwidth 10000
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/2
description RS252-A3850 Gig1/0/47
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.64
description Wired Data
encapsulation dot1Q 64
ip address 10.5.140.2 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 110
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
standby version 2
standby 1 ip 10.5.140.1
standby 1 priority 110
standby 1 preempt
standby 1 authentication md5 key-string 7 04585A150C2E1D1C5A
standby 1 track 50 decrement 10
!
interface GigabitEthernet0/2.69
description Voice
encapsulation dot1Q 69
ip address 10.5.141.2 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 110
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
standby version 2
standby 1 ip 10.5.141.1
standby 1 priority 110
standby 1 preempt
standby 1 authentication md5 key-string 7 141443180F0B7B7977
standby 1 track 50 decrement 10
!
interface GigabitEthernet0/2.99
description transit network
encapsulation dot1Q 99
ip address 10.5.136.1 255.255.255.252
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 200
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
summary-address 10.5.136.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-DEFAULT in
redistribute eigrp 100 route-map LOOPBACK-ONLY
exit-af-topology
network 10.4.34.0 0.0.1.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.252
eigrp stub connected summary redistributed
exit-address-family
!
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/2.99
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
default-metric 100000 100 255 1 1500
redistribute eigrp 200
redistribute static route-map STATIC-IN
exit-af-topology
network 10.4.0.0 0.1.255.255
network 10.5.136.0 0.0.0.3
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.252
exit-address-family
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 10.0.0.0 255.0.0.0 Null0 254
ip route 172.16.130.1 255.255.255.255 GigabitEthernet0/0 dhcp
ip tacacs source-interface Loopback0
!
ip access-list standard DHCP-DEFAULT
remark DHCP default route
permit 0.0.0.0
ip access-list standard NAT
permit 10.5.136.0 0.0.7.255
ip access-list standard NO-DEFAULT
deny 0.0.0.0
permit any
ip access-list standard R2-LOOPBACK
permit 10.255.254.252
!
ip access-list extended ACL-RTR-IN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-OUT
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any
ip access-list extended DHCP-IN
permit udp any eq bootps any eq bootpc
ip access-list extended DHCP-OUT
permit udp any eq bootpc any eq bootps
ip access-list extended ESP-IN
permit esp any any
ip access-list extended ESP-OUT
permit esp any any
ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
!
ip sla auto discovery
ip sla 100
icmp-echo 172.18.1.253 source-interface GigabitEthernet0/0
threshold 1000
frequency 15
ip sla schedule 100 life forever start-time now
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map STATIC-IN permit 10
match ip address DHCP-DEFAULT
!
route-map LOOPBACK-ONLY permit 10
match ip address R2-LOOPBACK
!
route-map BLOCK-DEFAULT permit 10
match ip address NO-DEFAULT
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 01200307490E12242455
!
line con 0
logging synchronous
transport preferred none
line aux 0
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.4.48.17
!
end
RS252-2921-2
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS252-2921-2
!
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
!
ip domain name cisco.local
ip multicast-routing
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 1511021F0725
key chain LAN-KEY
key 1
key-string 7 00071A150754
!
username admin password 7 08221D5D0A16544541
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
track 60 ip sla 110 reachability
!
track 61 ip sla 111 reachability
!
track 62 list boolean or
object 60
object 61
!
class-map match-any DATA
match dscp af21
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map type inspect match-any INSPECT-ACL-OUT-CLASS
match access-group name ACL-RTR-OUT
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map type inspect match-any PASS-ACL-OUT-CLASS
match access-group name ESP-OUT
match access-group name DHCP-OUT
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
match access-group name ISAKMP
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map type inspect ACL-OUT-POLICY
class type inspect INSPECT-ACL-OUT-CLASS
inspect
class type inspect PASS-ACL-OUT-CLASS
pass
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 5000000
service-policy WAN
policy-map type inspect ACL-IN-POLICY
class type inspect PASS-ACL-IN-CLASS
pass
class type inspect INSPECT-ACL-IN-CLASS
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
!
crypto keyring GLOBAL-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile ISAKMP-INET-PUBLIC
keyring GLOBAL-KEYRING
match identity address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
interface Loopback0
ip address 10.255.254.252 255.255.255.255
ip pim sparse-mode
!
interface Tunnel11
description DMVPN-1 tunnel interface
bandwidth 5000
ip address 10.4.36.252 255.255.254.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-5MBPS
ip nhrp map multicast 172.17.130.1
ip nhrp map 10.4.36.1 172.17.130.1
ip nhrp network-id 102
ip nhrp holdtime 600
ip nhrp nhs 10.4.36.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/0 mandatory
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface GigabitEthernet0/0
description Internet Connection (ISP-B)
bandwidth 5000
ip dhcp client default-router distance 10
ip dhcp client route track 62
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/2
description RS252-A3850 Gig1/0/48
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.64
description Wired Data
encapsulation dot1Q 64
ip address 10.5.140.3 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 105
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
standby version 2
standby 1 ip 10.5.140.1
standby 1 priority 105
standby 1 preempt
standby 1 authentication md5 key-string 7 08221D5D0A16544541
!
interface GigabitEthernet0/2.69
description Voice
encapsulation dot1Q 69
ip address 10.5.141.3 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 105
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
standby version 2
standby 1 ip 10.5.141.1
standby 1 priority 105
standby 1 preempt
standby 1 authentication md5 key-string 7 094F1F1A1A0A464058
!
interface GigabitEthernet0/2.99
description transit network
encapsulation dot1Q 99
ip address 10.5.136.2 255.255.255.252
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 201
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel11
summary-address 10.5.136.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-DEFAULT in
redistribute eigrp 100 route-map LOOPBACK-ONLY
exit-af-topology
network 10.4.36.0 0.0.1.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.254.252
eigrp stub connected summary redistributed
exit-address-family
!
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/2.99
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
redistribute eigrp 201
redistribute static route-map STATIC-IN
exit-af-topology
network 10.5.136.0 0.0.0.3
eigrp router-id 10.255.254.252
exit-address-family
!
ip local policy route-map PBR-SLA-SET-NEXT-HOP
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 10.0.0.0 255.0.0.0 Null0 254
ip route 172.17.130.1 255.255.255.255 GigabitEthernet0/0 dhcp
ip tacacs source-interface Loopback0
!
ip access-list standard DHCP-DEFAULT
remark DHCP default route
permit 0.0.0.0
ip access-list standard NAT
permit 10.5.136.0 0.0.7.255
ip access-list standard NO-DEFAULT
deny 0.0.0.0
permit any
ip access-list standard R1-LOOPBACK
permit 10.255.253.252
!
ip access-list extended ACL-RTR-IN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-OUT
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any
ip access-list extended DHCP-IN
permit udp any eq bootps any eq bootpc
ip access-list extended DHCP-OUT
permit udp any eq bootpc any eq bootps
ip access-list extended ESP-IN
permit esp any any
ip access-list extended ESP-OUT
permit esp any any
ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
ip access-list extended SLA-SET-NEXT-HOP
permit icmp any host 172.18.1.253
permit icmp any host 172.18.1.254
!
ip sla auto discovery
ip sla 110
icmp-echo 172.18.1.253 source-interface GigabitEthernet0/0
threshold 1000
frequency 15
ip sla schedule 110 life forever start-time now
ip sla 111
icmp-echo 172.18.1.254 source-interface GigabitEthernet0/0
threshold 1000
frequency 15
ip sla schedule 111 life forever start-time now
access-list 55 permit 10.4.48.0 0.0.0.255
!
route-map PBR-SLA-SET-NEXT-HOP permit 10
match ip address SLA-SET-NEXT-HOP
set ip next-hop dynamic dhcp
!
route-map STATIC-IN permit 10
match ip address DHCP-DEFAULT
!
route-map LOOPBACK-ONLY permit 10
match ip address R1-LOOPBACK
!
route-map BLOCK-DEFAULT permit 10
match ip address NO-DEFAULT
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 03375E08140A35674B10
!
line con 0
logging synchronous
transport preferred none
line aux 0
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.4.48.17
!
end
WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model (MPLS) with Local Internet
This section includes configuration files corresponding to the WAN remote-site with local Internet design topologies as referenced in Figure 6. Each remote-site type has its respective devices grouped together along with any other relevant configuration information. The Autonomous System Number (ASN) used in these configurations is 65511.
Figure 6 - WAN remote-site designs–DMVPN Backup Dedicated (MPLS primary)
[Figure: MPLS + Internet WAN with Local Internet Access. Remote Site 240 (redundant links) and Remote Site 242 (redundant links & routers), each connected by an MPLS link and an Internet (DMVPN-1) link.]
WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model (MPLS) with Local Internet August 2014 Series87
Table 9 - Remote-site WAN connection details–(MPLS + DMVPN with local Internet remote sites)
Location | Net block | MPLS CE | MPLS PE | Carrier AS | DMVPN | LAN interfaces | Loopbacks
Remote Site 240 (Single-router, dual-link with access-layer stack) | 10.5.240.0/21 | (gig0/0) 192.168.3.49 | 192.168.3.50 | 65401 (A) | (gig0/0) DHCP | (gig0/1, gig0/2) | 10.255.251.240 (router)
Remote Site 242 (Dual-router, dual-link with access-layer stack) | 10.5.248.0/21 | (gig0/0) 192.168.4.49 | 192.168.4.50 | 65402 (A) | (gig0/0) DHCP | (gig0/1, gig0/2) (gig0/1, gig0/2) | 10.255.252.242 (router 1), 10.255.253.242 (router 2)
The following table lists the policed-rate link speeds for the remote-site QoS traffic shaping policies.
Table 10 - Remote-site policed-rate link speeds
Location | Net block | MPLS link speed | DMVPN link speed
Remote Site 240 | 10.5.240.0/21 | 15 Mbps | 10 Mbps
Remote Site 242 | 10.5.248.0/21 | 10 Mbps | 10 Mbps
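The policed rates in Table 10 are the ceilings that each router's `shape average` must respect: the WAN-INTERFACE-G0/0 and WAN-INTERFACE-G0/1 policy-maps in the RS240 configuration that follows shape to 15000000 and 10000000 bit/s, matching the 15 Mbps MPLS link and the 10 Mbps Internet link, so that the carrier's policer never drops the voice and video traffic the priority queues are meant to protect. The Python script below is an added example, not part of the Cisco design guide; it extracts the shapers and the per-interface output policies from running-config text and compares them against a transcribed rate table. The config excerpt it runs on is constructed for the example and deliberately over-shapes G0/1; the interface-to-link mapping (MPLS on G0/0, Internet on G0/1) is taken from the RS240 configuration.

```python
"""Check WAN shapers against the carrier's policed link rates (cf. Table 10).
Added example, not from the Cisco design guide."""
import re
from typing import Dict, List, Optional

# Policed rates in bit/s transcribed from Table 10 for Remote Site 240; the link-to-interface
# mapping (MPLS on G0/0, Internet on G0/1) follows the RS240 configuration.
POLICED_RATE_BPS = {"GigabitEthernet0/0": 15_000_000, "GigabitEthernet0/1": 10_000_000}

# Constructed excerpt: the G0/1 shaper is deliberately set above the 10 Mbps policed rate.
SAMPLE_CONFIG = """\
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 15000000
  service-policy WAN
policy-map WAN-INTERFACE-G0/1
 class class-default
  shape average 20000000
  service-policy WAN
interface GigabitEthernet0/0
 bandwidth 15000
 ip address 192.168.3.49 255.255.255.252
 service-policy output WAN-INTERFACE-G0/0
interface GigabitEthernet0/1
 ip address dhcp
 service-policy output WAN-INTERFACE-G0/1
"""


def _blocks(config: str, kind: str) -> Dict[str, List[str]]:
    """Map '<kind> NAME' headers (e.g. policy-map, interface) to their indented sub-lines."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            m = re.match(rf"{kind} (\S+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                blocks[current] = []
    return blocks


def shaper_rates(config: str) -> Dict[str, int]:
    """policy-map name -> 'shape average' rate in bit/s (only policy-maps that shape)."""
    rates: Dict[str, int] = {}
    for name, body in _blocks(config, "policy-map").items():
        for line in body:
            m = re.match(r"shape average (\d+)", line)
            if m:
                rates[name] = int(m.group(1))
    return rates


def check_shapers(config: str, policed: Dict[str, int]) -> List[str]:
    """Compare each policed interface's output shaper with the carrier rate table."""
    findings: List[str] = []
    rates = shaper_rates(config)
    for intf, body in _blocks(config, "interface").items():
        if intf not in policed:
            continue
        policy = next((l.split()[-1] for l in body if l.startswith("service-policy output ")), None)
        if policy is None:
            findings.append(f"{intf}: no output service-policy, traffic hits the carrier policer unshaped")
            continue
        rate = rates.get(policy)
        if rate is None:
            findings.append(f"{intf}: policy-map {policy} has no shape average")
            continue
        if rate > policed[intf]:
            findings.append(f"{intf}: shaper {rate} bit/s exceeds policed rate {policed[intf]} bit/s")
        # The interface 'bandwidth' feeds routing metrics and percent-based queues; keep it in step.
        bw = next((int(l.split()[1]) for l in body if l.startswith("bandwidth ")), None)
        if bw is not None and bw * 1000 != rate:
            findings.append(f"{intf}: bandwidth {bw} kbit/s disagrees with shaper {rate} bit/s")
    return findings


if __name__ == "__main__":
    for finding in check_shapers(SAMPLE_CONFIG, POLICED_RATE_BPS):
        print(finding)
```

Feed it the output of `show running-config` and a rate table for the site in question; the sub-command indentation it relies on is present in real IOS output but has been lost in the listings printed in this guide.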
Remote Site 240: Single-Router, Dual-Link with Local Internet Access (MPLS + DMVPN)
Table 11 - Remote Site 240—IP address information
Location | Net block | Data wired subnet | Voice wired subnet | Loopbacks and switches
Remote Site 240 | 10.5.240.0/21 | 10.5.244.0/24 (VLAN 64) | 10.5.245.0/24 (VLAN 69) | 10.255.251.240 (router), 10.5.244.5 (access switch)
RS240-3945
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS240-3945
!
!
enable secret 5 $1$n0mF$ISe9QVYXC/Ot8NCRvLsqm.
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
ip domain name cisco.local
ip multicast-routing
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 121A0C041104
!
license accept end user agreement
license boot module c3900 technology-package datak9
!
username admin password 7 130646010803557878
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
track 60 ip sla 110 reachability
!
track 61 ip sla 111 reachability
!
track 62 list boolean or
object 60
object 61
!
class-map match-any DATA
match dscp af21
class-map match-any BGP-ROUTING
match protocol bgp
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map type inspect match-any INSPECT-ACL-OUT-CLASS
match access-group name ACL-RTR-OUT
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map type inspect match-any PASS-ACL-OUT-CLASS
match access-group name ESP-OUT
match access-group name DHCP-OUT
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map MARK-BGP
class BGP-ROUTING
set dscp cs6
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
service-policy MARK-BGP
class class-default
bandwidth percent 25
policy-map type inspect ACL-OUT-POLICY
class type inspect INSPECT-ACL-OUT-CLASS
inspect
class type inspect PASS-ACL-OUT-CLASS
pass
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 15000000
service-policy WAN
policy-map WAN-INTERFACE-G0/1
class class-default
shape average 10000000
service-policy WAN
policy-map type inspect ACL-IN-POLICY
class type inspect INSPECT-ACL-IN-CLASS
inspect
class type inspect PASS-ACL-IN-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
!
crypto keyring GLOBAL-KEYRING
pre-shared-key address 10.4.32.151 key c1sco123
pre-shared-key address 10.4.32.152 key c1sco123
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-PUBLIC
keyring GLOBAL-KEYRING
match identity address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
interface Loopback0
ip address 10.255.251.240 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
description DMVPN-1 tunnel interface
bandwidth 10000
ip address 10.4.34.240 255.255.254.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-10MBPS
ip nhrp map multicast 172.16.130.1
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly in
ip virtual-reassembly out
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/1 mandatory
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface GigabitEthernet0/0
description MPLS-A (remote-as 65401 - 192.168.3.50)
bandwidth 15000
ip address 192.168.3.49 255.255.255.252
zone-member security INSIDE
ip tcp adjust-mss 1360
duplex auto
speed auto
no cdp enable
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
description Internet Connection
ip dhcp client default-router distance 10
ip dhcp client route track 62
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/1
!
interface GigabitEthernet0/2
description To RS240-A3650 G1/0/24
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.64
description Wired Data
encapsulation dot1Q 64
ip address 10.5.244.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface GigabitEthernet0/2.69
description Wired Voice
encapsulation dot1Q 69
ip address 10.5.245.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
zone-member security INSIDE
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 200
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
summary-address 10.5.240.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-DEFAULT in
exit-af-topology
network 10.4.34.0 0.0.1.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.251.240
eigrp stub connected summary
exit-address-family
!
router bgp 65511
bgp router-id 10.255.251.240
bgp log-neighbor-changes
network 10.5.244.0 mask 255.255.255.0
network 10.5.245.0 mask 255.255.255.0
network 10.255.251.240 mask 255.255.255.255
network 192.168.3.48 mask 255.255.255.252
aggregate-address 10.5.240.0 255.255.248.0 summary-only
neighbor 192.168.3.50 remote-as 65401
!
ip local policy route-map PBR-SLA-SET-NEXT-HOP
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 10.0.0.0 255.0.0.0 Null0 254
ip route 172.16.130.1 255.255.255.255 GigabitEthernet0/1 dhcp
ip tacacs source-interface Loopback0
!
ip access-list standard NAT
permit 10.5.240.0 0.0.7.255
ip access-list standard NO-DEFAULT
deny 0.0.0.0
permit any
!
ip access-list extended ACL-RTR-IN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-OUT
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any
ip access-list extended DHCP-IN
permit udp any eq bootps any eq bootpc
ip access-list extended DHCP-OUT
permit udp any eq bootpc any eq bootps
ip access-list extended ESP-IN
permit esp any any
ip access-list extended ESP-OUT
permit esp any any
ip access-list extended SLA-SET-NEXT-HOP
permit icmp any host 172.18.1.253
permit icmp any host 172.18.1.254
!
ip sla auto discovery
ip sla 110
icmp-echo 172.18.1.253 source-interface GigabitEthernet0/1
threshold 1000
frequency 15
ip sla schedule 110 life forever start-time now
ip sla 111
icmp-echo 172.18.1.254 source-interface GigabitEthernet0/1
threshold 1000
frequency 15
ip sla schedule 111 life forever start-time now
access-list 55 permit 10.4.48.0 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
route-map PBR-SLA-SET-NEXT-HOP permit 10
match ip address SLA-SET-NEXT-HOP
set ip next-hop dynamic dhcp
!
route-map BLOCK-DEFAULT permit 10
match ip address NO-DEFAULT
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 0812494D1B1C113C1712
!
!
line con 0
logging synchronous
transport preferred none
line aux 0
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.48.17
!
end
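The zone-based firewall in the RS240 configuration above (and in the RS252 router before it) ties together `zone security` definitions, `zone-pair` entries with their inspect service-policies, the `policy-map type inspect` objects, and the `zone-member security` line on every routed interface; a single missing `zone-member` or a policy-map that is referenced but never defined silently changes what the router forwards. The Python script below is an added example, not part of the Cisco design guide. It parses running-config text into stanzas and reports those inconsistencies, plus two management-plane checks that the same configurations rely on: an SNMP RW community with no access-list, and a vty line without `access-class` or with a transport other than SSH. The sample config it runs on is constructed for the example, modelled on RS240 but with four deliberate defects, so the output shows what a finding looks like.

```python
"""Audit a Cisco IOS config for zone-based firewall and management-plane consistency.
Added example, not from the Cisco design guide; expects `show running-config` text."""
import re

# Constructed sample modelled on the RS240 router, with four deliberate defects: ACL-OUT-POLICY
# is referenced but never defined, GigabitEthernet0/2.69 has no zone-member, the RW SNMP
# community has no access-list, and "line vty 5 15" has no access-class.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
 service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
 service-policy type inspect ACL-OUT-POLICY
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
policy-map type inspect ACL-IN-POLICY
interface Loopback0
 ip address 10.255.251.240 255.255.255.255
interface Tunnel10
 ip address 10.4.34.240 255.255.254.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/2.64
 ip address 10.5.244.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/2.69
 ip address 10.5.245.1 255.255.255.0
snmp-server community public RO 55
snmp-server community private RW
line vty 0 4
 access-class 55 in
 transport input ssh
line vty 5 15
 transport input ssh
"""


def parse_stanzas(config):
    """Group the config into [top-level line, child, child, ...] lists (IOS indents children)."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1].append(raw.strip())
        elif not raw.startswith(" "):
            stanzas.append([raw.strip()])
    return stanzas


def audit_ios_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, zones, policies = [], {"self"}, set()   # "self" is the implicit router zone
    pairs, interfaces, vtys = [], [], []
    for stanza in parse_stanzas(config):
        head, body = stanza[0], stanza[1:]
        if head.startswith("zone security "):
            zones.add(head.split()[2])
        elif head.startswith("policy-map type inspect "):
            policies.add(head.split()[3])
        elif head.startswith("zone-pair security "):
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", head)
            policy = next((l.split()[-1] for l in body if l.startswith("service-policy type inspect ")), "")
            if m:
                pairs.append((m.group(1), m.group(2), m.group(3), policy))
        elif head.startswith("interface "):
            interfaces.append((head.split(None, 1)[1], body))
        elif head.startswith("line vty"):
            vtys.append((head, body))
        elif head.startswith("snmp-server community ") and head.split()[-1] == "RW":
            # When the mode is the last token, no access-list limits who may use the community.
            findings.append(f"snmp: RW community '{head.split()[2]}' has no access-list")
    for name, src, dst, policy in pairs:
        for zone in (src, dst):
            if zone not in zones:
                findings.append(f"zone-pair {name}: zone '{zone}' is not defined")
        if not policy:
            findings.append(f"zone-pair {name}: no inspect service-policy attached")
        elif policy not in policies:
            findings.append(f"zone-pair {name}: policy-map '{policy}' is not defined")
    for name, body in interfaces:
        zone = next((l.split()[-1] for l in body if l.startswith("zone-member security ")), None)
        if zone is not None and zone not in zones:
            findings.append(f"{name}: zone '{zone}' is not defined")
        if "ip nat outside" in body and zone != "OUTSIDE":
            findings.append(f"{name}: NAT outside interface is in zone '{zone}', expected OUTSIDE")
        # Loopbacks carry only traffic to the router itself (the self zone), so they need no zone.
        if zone is None and not name.startswith("Loopback") and any(l.startswith("ip address ") for l in body):
            findings.append(f"{name}: routed interface has no zone membership")
    for head, body in vtys:
        if not any(l.startswith("access-class ") for l in body):
            findings.append(f"{head}: no access-class restricting management sources")
        transports = [l for l in body if l.startswith("transport input")]
        if not transports or transports[-1] != "transport input ssh":
            findings.append(f"{head}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output from each remote-site router; the parser relies on the one-space indentation IOS gives sub-commands, which the listings printed in this guide have lost. An unzoned routed interface is worth treating as a hard failure: in a zone-based firewall such an interface cannot exchange traffic with any zoned interface, so the omission shows up as an outage rather than as a quiet hole, but the converse error (an Internet-facing interface placed in INSIDE) is exactly what the NAT-outside check is there to catch.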
Remote Site 242: Dual-Router, Dual-Link with Local Internet Access (MPLS + DMVPN)
Table 12 - Remote Site 242—IP address information
Location | Net block | Data wired subnet | Voice wired subnet | Loopbacks and switches
Remote Site 242 | 10.5.248.0/21 | 10.5.252.0/24 (VLAN 64) | 10.5.253.0/24 (VLAN 69) | 10.255.252.242 (router 1), 10.255.253.242 (router 2), 10.5.252.5 (access switch)
RS242-2951-1
version 15.3
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS242-2951-1
!
!
no logging buffered
enable secret 5 $1$Mqp4$YjiAg3ACxQOH9CurAwxX2/
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
ip domain name cisco.local
ip multicast-routing
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
!
multilink bundle-name authenticated
!
key chain LAN-KEY
key 1
key-string 7 030752180500
!
license accept end user agreement
license boot module c2951 technology-package securityk9
license boot module c2951 technology-package datak9
!
username admin password 7 121A540411045D5679
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
track 50 ip sla 100 reachability
!
class-map match-any DATA
match dscp af21
class-map match-any BGP-ROUTING
match protocol bgp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
!
policy-map MARK-BGP
class BGP-ROUTING
set dscp cs6
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
service-policy MARK-BGP
class class-default
bandwidth percent 25
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 10000000
service-policy WAN
!
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 2
crypto isakmp key c1sco123 address 10.4.32.151
crypto isakmp key c1sco123 address 10.4.32.152
!
interface Loopback0
ip address 10.255.252.242 255.255.255.255
ip pim sparse-mode
!
interface Port-channel1
description Etherchannel link to RS242-2960X
no ip address
hold-queue 150 in
!
interface Port-channel1.64
description Data
encapsulation dot1Q 64
ip address 10.5.252.2 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 110
ip pim sparse-mode
standby version 2
standby 1 ip 10.5.252.1
standby 1 priority 110
standby 1 preempt
standby 1 authentication md5 key-string 7 094F1F1A1A0A464058
standby 1 track 50 decrement 10
!
interface Port-channel1.69
description Voice
encapsulation dot1Q 69
ip address 10.5.253.2 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 110
ip pim sparse-mode
standby version 2
standby 1 ip 10.5.253.1
standby 1 priority 110
standby 1 preempt
standby 1 authentication md5 key-string 7 070C705F4D06485744
standby 1 track 50 decrement 10
!
interface Port-channel1.99
description Transit Net
encapsulation dot1Q 99
ip address 10.5.248.9 255.255.255.252
ip pim sparse-mode
!
interface GigabitEthernet0/0
bandwidth 10000
ip address 192.168.4.49 255.255.255.252
ip tcp adjust-mss 1360
duplex auto
speed auto
no cdp enable
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
description RS242-A2960Xa G1/0/24
no ip address
duplex auto
speed auto
channel-group 1
!
interface GigabitEthernet0/2
description RS242-A2960Xb G2/0/24
no ip address
duplex auto
speed auto
channel-group 1
!
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel1.99
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
default-metric 100000 100 255 1 1500
redistribute bgp 65511
redistribute static route-map STATIC-IN
exit-af-topology
network 10.4.0.0 0.1.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.252.242
exit-address-family
!
router bgp 65511
bgp router-id 10.255.252.242
bgp log-neighbor-changes
network 10.5.252.0 mask 255.255.255.0
network 10.5.253.0 mask 255.255.255.0
network 10.255.252.242 mask 255.255.255.255
network 10.255.253.242 mask 255.255.255.255
network 192.168.4.48 mask 255.255.255.252
aggregate-address 10.5.248.0 255.255.248.0 summary-only
neighbor 192.168.4.50 remote-as 65402
distance 254 192.168.4.50 0.0.0.0 DEFAULT-IN
!
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip tacacs source-interface Loopback0
!
ip access-list standard DEFAULT-IN
permit 0.0.0.0
ip access-list standard STATIC-ROUTE-LIST
remark UCSE CIMC & ESXi host routes
permit 10.5.252.11
permit 10.5.252.10
!
ip sla auto discovery
ip sla 100
icmp-echo 192.168.4.50 source-interface GigabitEthernet0/0
threshold 1000
timeout 1000
frequency 15
ip sla schedule 100 life forever start-time now
access-list 55 permit 10.4.48.0 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 097F4B0A0B0003390E15
!
line con 0
logging synchronous
transport preferred none
line aux 0
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.48.17
!
end
RS242-2951-2
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS242-2951-2
!
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
no ip domain lookup
ip domain name cisco.local
ip multicast-routing
ip inspect log drop-pkt
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 05080F1C2243
key chain LAN-KEY
key 1
key-string 7 045802150C2E
!
license accept end user agreement
license boot module c2951 technology-package securityk9
license boot module c2951 technology-package datak9
!
username admin password 7 15115A1F07257A767B
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
track 60 ip sla 110 reachability
!
track 61 ip sla 111 reachability
!
track 62 list boolean or
object 60
object 61
!
class-map match-any DATA
match dscp af21
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map type inspect match-any INSPECT-ACL-OUT-CLASS
match access-group name ACL-RTR-OUT
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map type inspect match-any PASS-ACL-OUT-CLASS
match access-group name ESP-OUT
match access-group name DHCP-OUT
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
match access-group name ISAKMP
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map type inspect ACL-OUT-POLICY
class type inspect INSPECT-ACL-OUT-CLASS
inspect
class type inspect PASS-ACL-OUT-CLASS
pass
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 10000000
service-policy WAN
policy-map type inspect ACL-IN-POLICY
class type inspect INSPECT-ACL-IN-CLASS
inspect
class type inspect PASS-ACL-IN-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
!
crypto keyring GLOBAL-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-PUBLIC
keyring GLOBAL-KEYRING
match identity address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
interface Loopback0
ip address 10.255.253.242 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
bandwidth 10000
ip address 10.4.34.242 255.255.254.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-10MBPS
ip nhrp map multicast 172.16.130.1
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/0 mandatory
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface Port-channel2
description Etherchannel link to RS242-2960X
no ip address
hold-queue 150 in
!
interface Port-channel2.64
description Data
encapsulation dot1Q 64
ip address 10.5.252.3 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 105
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
standby version 2
standby 1 ip 10.5.252.1
standby 1 priority 105
standby 1 preempt
standby 1 authentication md5 key-string 7 04585A150C2E1D1C5A
!
interface Port-channel2.69
description Voice
encapsulation dot1Q 69
ip address 10.5.253.3 255.255.255.0
ip helper-address 10.4.48.10
ip pim dr-priority 105
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
standby version 2
standby 1 priority 105
standby 1 preempt
standby 1 authentication md5 key-string 7 0007421507545A545C
!
interface Port-channel2.99
description Transit Net
encapsulation dot1Q 99
ip address 10.5.248.10 255.255.255.252
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface GigabitEthernet0/0
description Internet Connection
ip dhcp client default-router distance 10
ip dhcp client route track 62
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
description RS242-A2960Xa (Gig1/0/24)
no ip address
duplex auto
speed auto
channel-group 2
!
interface GigabitEthernet0/2
description RS242-A2960Xb (Gig2/0/24)
no ip address
duplex auto
speed auto
channel-group 2
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 200
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
summary-address 10.5.248.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
redistribute eigrp 100 route-map REDISTRIBUTE-LIST
exit-af-topology
network 10.4.34.0 0.0.1.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.242
eigrp stub connected summary redistributed
exit-address-family
!
!
router eigrp LAN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Port-channel2.99
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
redistribute eigrp 200
redistribute static route-map STATIC-IN
exit-af-topology
network 10.4.0.0 0.1.255.255
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.242
exit-address-family
!
ip local policy route-map PBR-SLA-SET-NEXT-HOP
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 10.0.0.0 255.0.0.0 Null0 254
ip route 172.16.130.1 255.255.255.255 GigabitEthernet0/0 dhcp
ip tacacs source-interface Loopback0
!
ip access-list standard DHCP-DEFAULT
remark DHCP default route
permit 0.0.0.0
ip access-list standard NAT
permit 10.5.248.0 0.0.7.255
ip access-list standard NO-DEFAULT
deny 0.0.0.0
permit any
ip access-list standard R1-LOOPBACK
permit 10.255.252.242
ip access-list standard STATIC-ROUTE-LIST
permit 10.5.252.13
permit 10.5.252.12
!
ip access-list extended ACL-RTR-IN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-OUT
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any
ip access-list extended DHCP-IN
permit udp any eq bootps any eq bootpc
ip access-list extended DHCP-OUT
permit udp any eq bootpc any eq bootps
ip access-list extended ESP-IN
permit esp any any
ip access-list extended ESP-OUT
permit esp any any
ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
ip access-list extended SLA-SET-NEXT-HOP
permit icmp any host 172.18.1.253
permit icmp any host 172.18.1.254
!
ip sla auto discovery
ip sla 110
icmp-echo 172.18.1.253 source-interface GigabitEthernet0/0
threshold 1000
frequency 15
ip sla schedule 110 life forever start-time now
ip sla 111
icmp-echo 172.18.1.254 source-interface GigabitEthernet0/0
threshold 1000
frequency 15
ip sla schedule 111 life forever start-time now
access-list 55 permit 10.4.48.0 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
route-map PBR-SLA-SET-NEXT-HOP permit 10
match ip address SLA-SET-NEXT-HOP
set ip next-hop dynamic dhcp
!
route-map STATIC-IN permit 10
match ip address DHCP-DEFAULT
!
route-map BLOCK-DEFAULT permit 10
match ip address NO-DEFAULT
!
route-map REDISTRIBUTE-LIST permit 10
match ip address R1-LOOPBACK
!
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 142417081E013E002131
!
line con 0
logging synchronous
transport preferred none
line aux 0
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.4.48.17
!
end
WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model with Local Internet Access (Layer 2 WAN) August 2014 Series112
WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model with Local Internet Access (Layer 2 WAN)
This section includes configuration files corresponding to the WAN remote-site design topology as referenced in Figure 7. The EIGRP Autonomous System Number (ASN) used in these configurations is 300.
Figure 7 - WAN remote-site designs–DMVPN Backup Dedicated with local Internet access (Layer 2 Primary)
[Figure: Remote Site 216, Layer 2 + Internet WAN with Local Internet, redundant links to the VPLS A cloud and to the Internet (DMVPN-1) cloud]
Table 13 - Remote-site WAN connection details–(Layer 2 WAN + DMVPN remote sites)
Location: Remote Site 216 (Single-router, dual-link)
Net block: 10.5.88.0/21
(WAN interface) address/mask: (gig0/0.38) 10.4.38.216/24
VLAN: 38
WAN aggregation router: 10.4.38.1
DMVPN: (gig0/1) DHCP
LAN interfaces: (gig0/2)
Loopbacks: 10.255.255.213 (router)
WAN Remote-Site Devices—DMVPN Backup Dedicated Design Model with Local Internet Access (Layer 2 WAN) August 2014 Series113
The following table lists the policed-rate link speeds for the remote-site QoS traffic-shaping policies.
Table 14 - Remote-site policed-rate link speeds
Location Net block Layer 2 WAN link speeds DMVPN link speeds
Remote Site 216 10.5.88.0/21 20 Mbps 10 Mbps
Remote Site 216: Single-Router, Dual-Link with Local Internet Access (Layer 2 WAN + DMVPN)
Table 15 - Remote Site 216—IP address information
Location Net block Data wired subnet Voice wired subnet Loopbacks and switches
Remote Site 216 10.5.88.0/21 10.5.92.0/24 (VLAN 64) 10.5.93.0/24 (VLAN 69) 10.255.255.216 (router) 10.5.92.5 (access switch)
RS216-3925
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RS216-3925
!
!
enable secret 5 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication login MODULE none
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
ip cef
!
ip domain name cisco.local
ip multicast-routing
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
key chain WAN-KEY
key 1
key-string 7 121A0C041104
!
license udi pid C3900-SPE100/K9 sn FOC14176RVR
!
username admin password 7 011057175804575D72
!
redundancy
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
track 60 ip sla 110 reachability
!
track 61 ip sla 111 reachability
!
track 62 list boolean or
object 60
object 61
!
class-map match-any DATA
match dscp af21
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map type inspect match-any INSPECT-ACL-OUT-CLASS
match access-group name ACL-RTR-OUT
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map type inspect match-any PASS-ACL-IN-CLASS
match access-group name ESP-IN
match access-group name DHCP-IN
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1 af11
class-map type inspect match-any PASS-ACL-OUT-CLASS
match access-group name ESP-OUT
match access-group name DHCP-OUT
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6
class-map type inspect match-any INSPECT-ACL-IN-CLASS
match access-group name ACL-RTR-IN
!
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
policy-map type inspect ACL-OUT-POLICY
class type inspect INSPECT-ACL-OUT-CLASS
inspect
class type inspect PASS-ACL-OUT-CLASS
pass
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map WAN-INTERFACE-G0/0
class class-default
shape average 20000000
service-policy WAN
policy-map WAN-INTERFACE-G0/1
class class-default
shape average 10000000
service-policy WAN
policy-map type inspect ACL-IN-POLICY
class type inspect INSPECT-ACL-IN-CLASS
inspect
class type inspect PASS-ACL-IN-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
!
crypto keyring GLOBAL-KEYRING
pre-shared-key address 10.4.32.151 key c1sco123
pre-shared-key address 10.4.32.152 key c1sco123
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-PUBLIC
keyring GLOBAL-KEYRING
match identity address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile ISAKMP-INET-PUBLIC
!
interface Loopback0
ip address 10.255.255.216 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
bandwidth 10000
ip address 10.4.34.216 255.255.254.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp group RS-GROUP-10MBPS
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp map multicast 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel route-via GigabitEthernet0/1 mandatory
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface GigabitEthernet0/0
bandwidth 10000
no ip address
duplex auto
speed auto
no cdp enable
service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/0.38
encapsulation dot1Q 38
ip address 10.4.38.216 255.255.255.0
ip pim sparse-mode
zone-member security INSIDE
!
interface GigabitEthernet0/1
description Internet Connection (ISP-A)
ip dhcp client default-router distance 10
ip dhcp client route track 62
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
service-policy output WAN-INTERFACE-G0/1
!
interface GigabitEthernet0/2
description to RS216-2960X Gig1/0/24
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.64
description Data
encapsulation dot1Q 64
ip address 10.5.92.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface GigabitEthernet0/2.69
description Voice
encapsulation dot1Q 69
ip address 10.5.93.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
router eigrp WAN-LAYER2
!
address-family ipv4 unicast autonomous-system 300
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/0.38
summary-address 10.5.88.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.4.38.0 0.0.0.255
network 10.5.0.0 0.0.255.255
network 10.255.255.216 0.0.0.0
eigrp router-id 10.255.255.216
eigrp stub connected summary
exit-address-family
!
!
router eigrp WAN-DMVPN-1
!
address-family ipv4 unicast autonomous-system 200
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10
summary-address 10.5.88.0 255.255.248.0
authentication mode md5
authentication key-chain WAN-KEY
hello-interval 20
hold-time 60
no passive-interface
exit-af-interface
!
topology base
distribute-list route-map BLOCK-DEFAULT in
exit-af-topology
network 10.4.34.0 0.0.1.255
network 10.4.38.0 0.0.0.255
network 10.5.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
network 10.255.255.216 0.0.0.0
eigrp router-id 10.255.255.216
eigrp stub connected summary
exit-address-family
!
ip local policy route-map PBR-SLA-SET-NEXT-HOP
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip pim autorp listener
ip pim register-source Loopback0
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 10.0.0.0 255.0.0.0 Null0 254
ip route 172.16.130.1 255.255.255.255 GigabitEthernet0/1 dhcp
ip tacacs source-interface Loopback0
!
ip access-list standard NAT
permit 10.5.88.0 0.0.7.255
ip access-list standard NO-DEFAULT
deny 0.0.0.0
permit any
!
ip access-list extended ACL-RTR-IN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-OUT
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit icmp any any
ip access-list extended DHCP-IN
permit udp any eq bootps any eq bootpc
ip access-list extended DHCP-OUT
permit udp any eq bootpc any eq bootps
ip access-list extended ESP-IN
permit esp any any
ip access-list extended ESP-OUT
permit esp any any
ip access-list extended SLA-SET-NEXT-HOP
permit icmp any host 172.18.1.253
permit icmp any host 172.18.1.254
!
ip sla auto discovery
ip sla 110
icmp-echo 172.18.1.253 source-interface GigabitEthernet0/1
threshold 1000
frequency 15
ip sla schedule 110 life forever start-time now
ip sla 111
icmp-echo 172.18.1.254 source-interface GigabitEthernet0/1
threshold 1000
frequency 15
ip sla schedule 111 life forever start-time now
access-list 55 permit 10.4.48.0 0.0.0.255
access-list 67 permit 192.0.2.2
!
nls resp-timeout 1
cpd cr-id 1
route-map PBR-SLA-SET-NEXT-HOP permit 10
match ip address SLA-SET-NEXT-HOP
set ip next-hop dynamic dhcp
!
route-map BLOCK-DEFAULT permit 10
match ip address NO-DEFAULT
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
snmp-server trap-source Loopback0
snmp-server enable traps entity-sensor threshold
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 04680E051D2458650C00
!
line con 0
logging synchronous
transport preferred none
line aux 0
line vty 0 4
access-class 55 in
transport preferred none
transport input ssh
line vty 5 15
access-class 55 in
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.48.17
!
end
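The listings above are long enough that a reviewer rarely reads every line, so the checks that matter for a remote-site router with local Internet access are worth automating: SNMP communities with RW access or no access-list, a 0.0.0.0 wildcard pre-shared key in the IKE keyring, vty lines without an inbound access-class or with telnet enabled, SSH not pinned to version 2, zone-pairs whose inspect policy is not defined, and a NAT-outside interface that belongs to no security zone (the RS242 listing places its Internet interface in the OUTSIDE zone; the RS216 listing above does not, which is worth confirming against the intended design). The script below is an added example, not Cisco's code and not part of this guide. SAMPLE_CONFIG is a constructed excerpt shaped like the RS216-3925 listing, with IOS indentation restored and every secret replaced by a PLACEHOLDER value; the parser relies on that indentation, which the listings in this document have lost, so feed it a `show running-config` capture rather than text copied from the guide.

```python
"""Static audit of a Cisco IOS configuration for the hardening items the
remote-site listings in this guide depend on (ZBFW zone membership and
policies, vty access-class, SSH-only management, SNMP and IKE key scope).
Added example, not Cisco's code; SAMPLE_CONFIG is a constructed excerpt."""

import re
from typing import List, Tuple

# Constructed excerpt in the shape of the RS216-3925 listing (secrets replaced).
SAMPLE_CONFIG = """\
hostname RS216-3925
ip ssh version 2
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security FROM-ROUTER source self destination OUTSIDE
 service-policy type inspect ACL-OUT-POLICY
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class class-default
  drop
crypto keyring GLOBAL-KEYRING
  pre-shared-key address 10.4.32.151 key PLACEHOLDER-KEY-1
  pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-KEY-2
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
interface GigabitEthernet0/2.64
 ip address 10.5.92.1 255.255.255.0
 zone-member security INSIDE
snmp-server community PLACEHOLDER-RO RO 55
snmp-server community PLACEHOLDER-RW RW 55
line vty 0 4
 access-class 55 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
end
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (top-level line, [indented sub-lines]) pairs.
    IOS expresses hierarchy purely by leading spaces: a column-0 line opens a
    block and every indented line that follows belongs to it."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one finding string per deviation from the hardened shape."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings: List[str] = []

    # SNMP: RW is a full-control credential; every community should carry an ACL.
    for h in headers:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", h)
        if m:
            name, mode, acl = m.groups()
            if mode == "RW":
                findings.append(f"snmp: read-write community '{name}' configured")
            if acl is None:
                findings.append(f"snmp: community '{name}' has no access-list")

    # IKE: a 0.0.0.0 wildcard PSK is offered to any peer address; a spoke with
    # known hub addresses does not need one.
    for h, children in blocks:
        if h.startswith("crypto keyring") and any(
            re.match(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 key", c) for c in children
        ):
            findings.append(f"ike: '{h}' holds a wildcard (0.0.0.0) pre-shared key")

    # Management plane: SSHv2 only, and every vty line bound to an access-class.
    if "ip ssh version 2" not in headers:
        findings.append("ssh: 'ip ssh version 2' is not set")
    for h, children in blocks:
        if h.startswith("line vty"):
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
                findings.append(f"vty: '{h}' has no inbound access-class")
            for c in children:
                if c.startswith("transport input") and ("telnet" in c.split() or c.endswith(" all")):
                    findings.append(f"vty: '{h}' permits telnet ({c})")

    # ZBFW: a zone-pair bound to a policy that does not exist, or a NAT-outside
    # interface that is in no zone, means the firewall is not doing what the
    # zone-pair lines suggest.
    policies = {h.split()[-1] for h in headers if h.startswith("policy-map type inspect ")}
    for h, children in blocks:
        if h.startswith("zone-pair security"):
            for c in children:
                m = re.match(r"service-policy type inspect (\S+)", c)
                if m and m.group(1) not in policies:
                    findings.append(f"zbfw: '{h}' references undefined policy {m.group(1)}")
        elif h.startswith("interface ") and "ip nat outside" in children:
            if not any(c.startswith("zone-member security") for c in children):
                findings.append(f"zbfw: '{h}' is 'ip nat outside' but is in no security zone")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed excerpt it reports six findings: the RW community, the wildcard keyring entry, the two `line vty 5 15` problems, the zone-pair bound to the undefined ACL-OUT-POLICY, and the Internet interface outside every zone. The checks are deliberately shape-based (they never print key material), so the script can run over exported configurations in a CI job without handling secrets beyond what the config file already contains.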
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2014 Cisco Systems, Inc. All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
B-0000221-1 08/14