Iwan Lab Guide v1.1 Final

IWAN with DMVPN and VRF
Lab Guide
Version 1.0
Another offering from team RASTI
April 10, 2015

2
Table of Contents
Introduction..................................................................................................................................... 3
Disclaimer........................................................................................................................................ 4
Build Information ............................................................................................................................ 4
Prerequisite Knowledge .................................................................................................................. 4
Lab Command Modes ..................................................................................................................... 5
Exercise 1: Access the Lab Environment and Baseline the Network ............................................... 5
Exercise 2: HQ WAN 1 Configuration ............................................................................................ 12
Exercise 3: Branch 10 Internet DMVPN ......................................................................................... 18
Exercise 4: Branch 20 Internet DMVPN ......................................................................................... 25
Exercise 5: HQ WAN 2 Configuration ............................................................................................ 30
Exercise 6: Branch 10 MPLS DMVPN ............................................................................................. 34
Exercise 7: Branch 20 MPLS DMVPN ............................................................................................. 38
Exercise 8: Verify Final Connectivity and Failover ......................................................................... 43
Appendix 1 .................................................................................................................................... 48
Appendix 2 .................................................................................................................................... 49
Appendix 3 .................................................................................................................................... 50
April 10, 2015 Solutions Readiness Engineering IWAN with DMVPN and VRF v1.0
3
Introduction
Cisco Intelligent WAN (IWAN) enables organizations to deliver an uncompromised experience

over any connection. With Cisco IWAN IT organizations can provide more bandwidth to their
branch office connections by using less expensive WAN transport options without affecting
performance, security, or reliability. With the IWAN solution, traffic is dynamically routed based
on application service-level agreement (SLA), endpoint type, and network conditions in order to
deliver the best quality experience. The realized savings from IWAN not only pays for the
infrastructure upgrades, but also frees resources for business innovation.
There are two primary IWAN design models: Hybrid and Dual Internet. This lab implements the
IWAN Hybrid design model, which uses MPLS paired with Internet VPN as WAN transports. In
this design model, the MPLS WAN can provide more bandwidth for the critical classes of
services needed for key applications and can provide SLA guarantees for these applications.
The IWAN solution incorporates numerous Cisco IOS and IOS XE features. The two features
implemented in this lab are Dynamic Multipoint VPN and VRF.
Dynamic Multipoint VPN (DMVPN)

DMVPN is a solution for building scalable site-to-site VPNs that support a variety of
applications. DMVPN was selected for the secure overlay WAN solution because DMVPN
supports on-demand full mesh connectivity over any carries transport with a simple hub-and-
spoke configuration. DMVPN makes use of multipoint generic routing encapsulation (mGRE)
tunnels to interconnect the hub to all of the spoke routers. This technology combination
supports unicast, multicast, and broadcast IP, including the ability to run routing protocols
within the tunnels.
Virtual Route Forwarding (VRF)

Virtual route forwarding (VRF) is a technology used in computer networks that allows multiple
instances of a routing table to co-exist within the same router at the same time. Because the
routing instances are independent, you can use the same or overlapping IP Addresses without
conflicting with each other. IWAN uses VRF to provide the following:
Default route separation between user traffic and DMVPN tunnel establishment
Control and data plane separation between inside and outside networks for security
purposes
Note: Additional IWAN labs covering intelligent path control (with Cisco Performance Routing
(PfR)) and application optimization (with Cisco Wide Area Application Services (WAAS)) are also
being considered.
4
Disclaimer
This Guide is intended to demonstrate one way to configure the network, to meet the specified
requirements of this example. There are various ways that this can be accomplished, depending
on the situation and the customers goals/requirements. Please ensure that you consult all
current official Cisco documentation before proceeding with a design or installation. This lab is
primarily intended to be a learning tool, and may not necessarily follow best practice
recommendation at all times, in order to convey specific information. This is not intended to be
a deployment guide. It is intended for learning purposes only.
Build Information
The labs were constructed using the following software and hardware:
4451x with IOS/XE 03.11.00.S and SecurityK9 Right-To-Use license

2900 ISR-G2 with 15.2(3)T and SecurityK9 Right-To-Use license
3850-24P with IOS/XE 03.03.03SE and IP Services Right-To-Use License
3650X-24P with 12.2(55)SE1 and IP Services Right-To-Use License
Windows7 Enterprise 64 Bit for workstations
Windows Server 2003 R2 for Domain Controller / DNS / DHCP services
For additional information about Cisco Intelligent WAN, visit:
www.cisco.com/go/iwan
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Jan2015/CVD-
IWANDesignGuide-JAN15.pdf
For additional information about Cisco Dynamic Multipoint VPN, visit:
www.cisco.com/go/dmvpn
For additional information about Cisco Virtual Routing and Forwarding, visit:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configurati
on/guide/ivmsw_book/ivmvpn5.html
Prerequisite Knowledge
A solid understanding of networking, including routing and switching is assumed. Some

background with Cisco IOS and IOS XE and the IWAN solution is helpful, but not required.
5
Lab Command Modes
This lab guide refers to two common command modes within the Cisco IOS. Configuration will
be done in global configuration mode and verification of configuration will be in privilege EXEC
mode. A brief explanation is below.
Privileged EXEC Mode
Privileged EXEC mode is password protected, and allows the use of all EXEC mode commands
available on the system. To enter privileged EXEC mode from user EXEC mode, use the enable
command. Privileged EXEC mode allows access to global configuration mode through the use of
the enable command. The privileged EXEC mode prompt consists of the devices's host name
followed by the pound sign: Router#.
Global Configuration Mode
Global configuration commands generally apply to features that affect the system as a whole,
rather than just one protocol or interface. You can also enter any of the specific configuration
modes listed in the following section from global configuration mode.
To enter global configuration mode, use the configure terminal privileged EXEC command. The
router prompt for global configuration mode is indicated by the term config in parenthesis:
Router(config)# .
Exercise 1: Access the Lab Environment and Baseline the Network
In this exercise you will become familiar with the network and ensure everything is functioning
correctly. These steps are important, so please do not skip this exercise.
Section 1.1 Modify Java Security Settings

Note: The current version of Java may require you to add an exception for the RASTI student
portal URL into the Java security settings on the Java control panel. The browser you are using
may also require security setting adjustments.
To modify Java security settings, launch the Java control panel.
6
On the Security tab, click Edit Site List.
Click Add, type in: https://128.107.69.134 then click OK. Click OK to close the Java control
panel.
7
Section 1.2 Access Your Lab Pod

Begin by opening a browser and navigating to the Internet-reachable address of the RASTI
student portal https://128.107.69.134/student to access the lab environment.
Accept any security certificate warning and continue. The message shown below is from Firefox
on Windows. Your browsers warning messages may look different. Begin by clicking Add
Exception.
8
NOTE: In order to log into the lab, you will need a student portal username and password. This
should have been provided to you by the lab proctor.
Login to the student portal using the username and password you were provided.
Note: The screenshot shows the username for Pod 1. Be sure to use the username and
password provided for your Pod.
After clicking Login, a welcome message will appear.
Click Continue to accept the message and access the student portal.
The student portal landing page will appear. The landing page shows the various hosts that you
will use in the lab. You will be returning to these hosts frequently, so be sure you know how to
get back to this page.
9
Locate the VNC Bookmarks on the student portal landing page for PC1, PC3, and PC4. Click the
double arrows beside a hostname to open a VNC connection to the host in a new window.
NOTE: Clicking the double arrows (rather than the hostname) ensures that a new window
opens, and that the student portal page remains visible.
After you have connected to PC1, return to the student portal page and connect to PC3, and
then to PC4. Log into each PC using the usernames and passwords in the table below.
Host Location Username Password
PC1 HQ Jump Box John Doe cisco123
PC3 Branch 10 Joe Sales cisco123
PC4 Branch 20 PC4\macct cisco123
Note: The usernames should be the defaults for these PCs. Continue past any security warnings
about the untrusted certificates.
10
Click Continue.
If you are presented with Java security warnings, click the check box and then click Run.
Section 1.3 Login to PC1

Enter the password cisco123 for host PC1 and login.
11


Click Send Ctrl-Alt-Del.
12
Exercise 2: HQ WAN 1 Configuration
In this exercise you will configure DMVPN for the Internet interface on the HQ WAN 1 router.
This configuration will include VRF, ISAKMP, IPSEC, GRE, and EIGRP routing.
On PC1, double-click the OoB Console Access icon.
13
1) In the Pod Number drop-down box, select the Pod # you have been assigned.
2) In the Content Package drop-down box, select IWAN Lab.
3) Click Access Console Map.
14
Keep this window open as you will return to it throughout the lab.
Click 4451X on the HQ WAN 1 icon to access the HQ WAN 1 router CLI. If the screen is blank,
press Enter to display the login prompt.
Login as admin with a password of cisco123.
Section 2.1 HQ WAN 1 Internet VRF

Enter global configuration mode and configure the Internet VRF.
conf t
ip vrf HQ-INET
15
rd 65001:2
Press control + z to exit configuration mode.
Enter the command sh vrf to verify the VRF:
Enter global configuration mode and configure the Internet service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0/0
bandwidth 100000
ip vrf forwarding HQ-INET
ip address 192.0.0.166 255.255.255.252
Enter the command sh vrf to verify the VRF interface configuration:
Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf HQ-INET 0.0.0.0 0.0.0.0 192.0.0.165
Enter the command sh ip route vrf HQ-INET to verify the VRF routing table
configuration:
16
A default route has been installed in the Internet VRF.
Section 2.2 HQ WAN 1 DMVPN Encryption

Enter global configuration mode and configure DMVPN encryption.
conf t
crypto keyring DMVPN-KEYRING vrf HQ-INET
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-HQ-INET
keyring DMVPN-KEYRING
match identity address 0.0.0.0 HQ-INET
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile IPSEC-HQ-INET
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-HQ-INET
17
Section 2.3 HQ WAN 1 DMVPN Tunnel Interface

Enter global configuration mode to configure the DMVPN tunnel interface.
conf t
interface Tunnel10
bandwidth 100000
ip address 10.254.254.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
no ip split-horizon eigrp 100
ip pim dr-priority 110
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf HQ-INET
tunnel protection ipsec profile IPSEC-HQ-INET
18
Section 2.4 HQ WAN 1 EIGRP Routing

Enter global configuration mode to update EIGRP with the DMVPN tunnel interface.
conf t
router eigrp 100
network 10.254.254.1 0.0.0.0
no passive-interface Tunnel10
Enter the command sh ip eigrp neighbors to verify the EIGRP configuration:
Router HQ-WAN-1 is configured.
Exercise 3: Branch 10 Internet DMVPN
In this exercise you will configure the Internet DMVPN interface on the Branch 10 router.
Return to PC3. If your session has timed out, log in again using password cisco123.
On the desktop open putty.
Highlight BR10, click Load then click Open.
19
20
Section 3.1 Branch 10 Internet VRF

Enter global configuration mode to configure Branch 10s Internet VRF.
config t
ip vrf INET-10
rd 65120:1
VRF.
conf t
interface GigabitEthernet0/0
ip vrf forwarding INET-10
ip address 192.0.0.174 255.255.255.252
21
conf t
ip route vrf INET-10 0.0.0.0 0.0.0.0 192.0.0.173
Enter the command sh ip route vrf INET-10 to verify the VRF routing table
configuration:
A default route has been installed in the Internet VRF.
Section 3.2 Branch 10 DMVPN Encryption

Enter global configuration mode and configure Branch 10s DMVPN encryption configuration:
conf t
crypto keyring DMVPN-KEYRING2 vrf INET-10
!
encr aes
22
crypto isakmp profile ISAKMP-INET-10

keyring DMVPN-KEYRING2
match identity address 0.0.0.0 INET-10
!
crypto ipsec security-association replay window-size 1024
!
mode transport
!
crypto ipsec profile IPSEC-INET-10
set isakmp-profile ISAKMP-INET-10
Section 3.3 Branch 10 DMVPM Tunnel Interface

Enter global configuration mode to configure Branch 10s DMVPM tunnel interface.
conf t
interface Tunnel20
bandwidth 50000
ip address 10.254.254.10 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map multicast 192.0.0.166
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp nhs 10.254.254.1
23
ip nhrp registration no-unique

ip nhrp registration timeout 60
ip nhrp shortcut
load-interval 30
delay 1000
tunnel source GigabitEthernet0/0
tunnel key 100
tunnel vrf INET-10
tunnel protection ipsec profile IPSEC-INET-10
Section 3.4 Branch 10 EIGRP Routing

conf t
router eigrp 100
network 10.254.254.10 0.0.0.0
Section 3.5 Branch 10 Verification

Enter the command sh crypto isakmp sa to verify the ISAKMP configuration:
ISAKMP SA status should show ACTIVE.
Enter the command sh crypto ipsec sa to verify the IPSEC configuration:
IPSEC sa #pkts encaps and #pkts decaps should be incrementing.
24
Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel interface
configuration:
On PC3, verify Internet access by launching the Chrome browser. Google.com will load as your
homepage.
Branch 10s Internet DMVPN configuration is complete.
25
Exercise 4: Branch 20 Internet DMVPN
In this exercise you will configure the Internet DMVPN interface on the Branch 20 router.
Return to PC4. If your session has timed out, log in again using password cisco123.
On the desktop open putty.
26
Section 4.1 Branch 20 Internet VRF

Enter global configuration mode to configure branch 20s Internet VRF.
conf t
ip vrf INET-20
rd 65120:1
VRF.
conf t
ip address 192.0.0.182 255.255.255.252
conf t
ip route vrf INET-20 0.0.0.0 0.0.0.0 192.0.0.181
Enter the command sh ip route vrf INET-20 to verify the VRF routing table
configuration:
27

conf t
!
encr aes
!
!
mode transport
!
28
Section 4.3 Branch 20 DMVPN Tunnel Interface

conf t
interface Tunnel20
bandwidth 10000
ip address 10.254.254.20 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp nhs 10.254.254.1
ip nhrp shortcut
cdp enable
tunnel key 100
tunnel vrf INET-20
Press control + z to exit privilege EXEC mode.
29

conf t
router eigrp 100
network 10.254.254.20 0.0.0.0
Section 4.5 Branch 20 Verification

ISAKMP SA status should show ACTIVE.
Enter the command sh crypto ipsec sa to verify the IPSEC configuration:
Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel
configuration:
30
On PC4, verify Internet access by launching the Chrome browser. Google.com will load as your
homepage.
Branch 20s DMVPN Internet configuration is complete
Exercise 5: HQ WAN 2 Configuration
In this exercise you will configure DMVPN for the MPLS interface on the HQ WAN 2 router. This
configuration will include VRF, ISAKMP, IPSEC, GRE, and EIGRP routing.
Return to PC1. Open console map and click 4451X on the HQ WAN 2 icon to access the HQ
WAN 2 router CLI. If the screen is blank, press Enter to display the login prompt.
31
Section 5.1 HQ WAN2 MPLS VRF

Enter global configuration mode and configure the MPLS VRF.
conf t
ip vrf HQ-MPLS
rd 65001:2
Enter global configuration mode and configure the MPLS service providers interface with the
VRF.
conf t
bandwidth 100000
ip vrf forwarding HQ-MPLS
ip address 192.0.0.130 255.255.255.252
conf t
ip route vrf HQ-MPLS 0.0.0.0 0.0.0.0 192.0.0.129
Enter the command sh ip route vrf HQ-MPLS to verify the VRF routing table
configuration:
32
Section 5.2 HQ WAN 2 DMVPN Encryption

Enter global configuration mode and configure DMVPN encryption.
conf t
crypto keyring DMVPN-KEYRING vrf HQ-MPLS
encr aes
crypto isakmp profile ISAKMP-HQ-MPLS
match identity address 0.0.0.0 HQ-MPLS
mode transport
!
crypto ipsec profile IPSEC-HQ-MPLS
set isakmp-profile ISAKMP-HQ-MPLS
33
Section 5.3 HQ WAN 2 DMVPN Tunnel Interface

Enter global configuration mode to configure the DMVPN tunnel interface.
conf t
interface Tunnel10
bandwidth 100000
ip address 10.254.255.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp redirect
load-interval 30
delay 1000
cdp enable
tunnel key 200
tunnel vrf HQ-MPLS
tunnel protection ipsec profile IPSEC-HQ-MPLS
Section 5.4 HQ WAN 2 EIGRP Routing

conf t
34
router eigrp 100

network 10.254.255.1 0.0.0.0
Router HQ WAN 2 is configured.
Exercise 6: Branch 10 MPLS DMVPN
In this exercise you will configure the MPLS DMVPN interface on the Branch 10 router.
Return to PC3. If putty is closed reopen it by double-clicking on the desktop icon.
Section 6.1 Branch 10 MPLS VRF

Enter global configuration mode to configure Branch 10s MPLS VRF.
conf t
ip vrf MPLS-10
rd 65010:1
VRF.
conf t
ip vrf forwarding MPLS-10
ip address 192.0.0.134 255.255.255.252
Press control + z to exit privilege EXEC mode
35
Enter global configuration mode to install a default route for the MPLS VRF.
conf t
ip route vrf MPLS-10 0.0.0.0 0.0.0.0 192.0.0.133
Enter the command sh ip route vrf MPLS-10 to verify the VRF routing table
configuration:
A default route has been installed in the MPLS VRF.

Note: some configuration is redundant.
conf t
crypto keyring DMVPN-KEYRING1 vrf MPLS-10
!
encr aes
36

crypto isakmp profile ISAKMP-MPLS-10
match identity address 0.0.0.0 MPLS-10
!
!
mode transport
!
crypto ipsec profile IPSEC-MPLS-10
set isakmp-profile ISAKMP-MPLS-10

conf t
interface Tunnel10
bandwidth 50000
ip address 10.254.255.10 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map 10.254.255.1 192.0.0.130
37
ip nhrp nhs 10.254.255.1

ip nhrp shortcut
load-interval 30
delay 1000
tunnel key 200
tunnel vrf MPLS-10
tunnel protection ipsec profile IPSEC-MPLS-10

conf t
router eigrp 100
network 10.254.255.10 0.0.0.0
Section 6.5 Branch 10 MPLS DMVPN Verification

Both SAs should have a status of ACTIVE.
Enter the command sh crypto ipsec sa to verify the IPSEC configuration. Scroll down
to Interface: Tunnel10.
38
configuration:
Here we see both tunnel interfaces are peered with their respective neighbors at HQ.
Branch 10s MPLS DMVPN configuration is complete.
Exercise 7: Branch 20 MPLS DMVPN
In this exercise you will configure the MPLS DMVPN interface on the Branch 20 router.
Return to PC4. If putty is closed reopen it by double-clicking on the desktop icon
Section 7.1 Branch 20 MPLS VRF

Enter global configuration mode to configure branch 20s MPLS VRF.
39
config t
ip vrf MPLS-20
rd 65020:1
VRF.
conf t
ip address 192.0.0.138 255.255.255.252
Enter global configuration mode to install the default route for the MPLS VRF
conf t
ip route vrf MPLS-20 0.0.0.0 0.0.0.0 192.0.0.137
Enter the command sh ip route vrf MPLS-20 to verify the VRF routing table
configuration:
A default route has been installed in the MPLS VRF.
40
Section 7.2 Branch 20 DMVPN encryption

Note: some configuration is redundant.
conf t
!
encr aes
!
!
mode transport
!

conf t
interface Tunnel10
bandwidth 10000
41
ip address 10.254.255.20 255.255.255.0

no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map 10.254.255.1 192.0.0.130
ip nhrp nhs 10.254.255.1
ip nhrp shortcut
cdp enable
tunnel key 200
tunnel vrf MPLS-20

conf t
router eigrp 100
network 10.254.255.20 0.0.0.0
42
Section 7.5 Branch 20 MPLS DMVPN Verification

Both SAs should have a status of ACTIVE.
Enter the command sh crypto ipsec sa to verify the IPSEC configuration. Scroll down
to Interface: Tunnel10.
configuration:
Here we see both tunnel interfaces are peered with their respective neighbors at HQ.
Branch 20s MPLS DMVPN configuration is complete.
43
Exercise 8: Verify Final Connectivity and Failover
In this exercise you will verify that the Branch 10 and Branch 20 routers have redundant routes
for each tunnel interface. You will then shut down the HQ WAN 1 Internet interface and verify
that the redundant routes are removed from the branch routers. The Chrome browser will be
used to verify connectivity to the Internet through the DMVPN tunnels over the MPLS
connections.
Section 8.1 Verify Redundant Routes on Branch Routers

Return to PC3.
Enter the command sh ip route to verify that the Branch 10 routing table has redundant
routes for each tunnel interface:
44
Return to PC4.
Enter the command sh ip route to verify that the Branch 20 routing table has redundant
routes for each tunnel interface:
Section 8.2 Shut Down Internet Interface on HQ WAN 1

Since we configured the DMVPN Internet side first, we will shut down the Internet interface on
the HQ WAN 1 router and then test connectivity from each branch.
Return to PC1.
45
Click 4451X on the HQ WAN 1 icon to access the HQ WAN 1 router CLI. If the screen is blank,
press Enter to display the login prompt.
Enter global configuration mode and shut down the Internet interface.
conf t
int g0/0/0
shutdown
Section 8.3 Verify Branch Router Routing Tables and Connectivity

Return to PC3.
Enter the command sh ip route to verify that redundant routes have been removed
from the Branch 10 routing table:
46
All redundant routes are gone. Launch the Chrome browser and google.com is still accessible.
Return to PC4.
Enter the command sh ip route to verify that redundant routes have been removed
from the Branch 20 routing table:
47
All redundant routes are gone. Launch the Chrome browser and google.com is still accessible.
Section 8.4 Enable Internet Interface on HQ WAN 1

Return to PC1.
Enter global configuration mode to reactivate the Internet interface.

conf t
int g0/0/0
no shutdown
Return to PC3. Enter the command sh ip route to verify that the redundant routes have
been restored in the Branch 10 routing table.
Return to PC4. Enter the command sh ip route to verify that the redundant routes have
been restored in the Branch 20 routing table.
48
Appendix 1
Layer 2 Diagram
49
Appendix 2
Layer 3 Diagram
50
Appendix 3
Config Files
br10-wan1-config output
! Last configuration change at 14:13:16 edt Tue Apr 7 2015 by admin
version 15.2
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname BR10-WAN1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$zKa4$mh3.D4gk6ubLyYpRxrCUp.
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time edt recurring
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip vrf INET-10
rd 65120:1
!
ip vrf MPLS-10
rd 65010:1
!
!
no ip domain lookup
ip domain name example.com
ip cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2921/K9 sn FTX1348AHMW
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9 disable
license boot module c2900 technology-package datak9 disable
!
!
username admin privilege 15 secret 5 $1$F2hv$Kp9v0AB8pRXyXcjumM29r1
!
redundancy
!
!
!
51

encr aes
!
!
mode transport
!
!
!
!
interface Loopback0
description Primary Loopback - Do not change
ip address 10.10.255.11 255.255.255.255
!
interface Tunnel10
bandwidth 50000
ip address 10.254.255.10 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map 10.254.255.1 192.0.0.130
ip nhrp nhs 10.254.255.1
ip nhrp shortcut
load-interval 30
delay 1000
tunnel key 200
tunnel vrf MPLS-10
!
interface Tunnel20
bandwidth 50000
ip address 10.254.254.10 255.255.255.0
52
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp nhs 10.254.254.1
ip nhrp shortcut
load-interval 30
delay 1000
tunnel key 100
tunnel vrf INET-10
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
description Internet Handoff for Site to Site VPN
ip address 192.0.0.174 255.255.255.252
duplex auto
speed auto
!
description WAn Handoff to MPLS Carrier
ip address 192.0.0.134 255.255.255.252
duplex auto
speed auto
!
description Inside toward BR10 Coew SW1 g1/0/1
ip address 10.10.254.1 255.255.255.252
duplex auto
speed auto
!
!
router eigrp 100
network 10.10.254.0 0.0.0.3
network 10.10.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.10 0.0.0.0
network 10.254.255.10 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/2
eigrp router-id 10.10.255.11
!
ip forward-protocol nd
53
!
no ip http server
no ip http secure-server
!
ip route vrf INET-10 0.0.0.0 0.0.0.0 192.0.0.173
ip route vrf MPLS-10 0.0.0.0 0.0.0.0 192.0.0.133
!
logging trap debugging
logging source-interface Loopback0
logging 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
exec-timeout 60 0
privilege level 15
logging synchronous
login local
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.1.255.1
!
end
br20-wan1-config
! Last configuration change at 14:36:48 edt Tue Apr 7 2015 by admin
version 15.2
!
hostname BR20-WAN1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$JjBu$6cZk9sX9XeJYWUTF4g7oM.
54
!
no aaa new-model
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip vrf INET-20
rd 65120:1
!
ip vrf MPLS-20
rd 65020:1
!
!
no ip domain lookup
ip cef
!
!
!
license udi pid CISCO2921/K9 sn FTX1348AHMR
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9 disable
license boot module c2900 technology-package datak9 disable
!
!
username admin privilege 15 secret 5 $1$rxIr$U3iUqJcxGXE2M8klmqJ9j1
!
redundancy
!
!
!
encr aes
!
!
mode transport
!
!
55

!
!
interface Loopback0
ip address 10.20.255.11 255.255.255.255
!
interface Tunnel10
bandwidth 10000
ip address 10.254.255.20 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map 10.254.255.1 192.0.0.130
ip nhrp nhs 10.254.255.1
ip nhrp shortcut
cdp enable
tunnel key 200
tunnel vrf MPLS-20
!
interface Tunnel20
bandwidth 10000
ip address 10.254.254.20 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp nhs 10.254.254.1
ip nhrp shortcut
cdp enable
tunnel key 100
tunnel vrf INET-20
56
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
description Internet Handoff for site to site vpn
ip address 192.0.0.182 255.255.255.252
duplex auto
speed auto
!
description WAN handoff to MPLS Carrier
ip address 192.0.0.138 255.255.255.252
duplex auto
speed auto
!
description Inside toward BR20 Core SW1 g1/0/1
ip address 10.20.254.1 255.255.255.252
duplex auto
speed auto
!
!
router eigrp 100
network 10.20.254.0 0.0.0.3
network 10.20.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.20 0.0.0.0
network 10.254.255.20 0.0.0.0
no passive-interface GigabitEthernet0/2
!
!
no ip http server
!
ip route vrf INET-20 0.0.0.0 0.0.0.0 192.0.0.181
ip route vrf MPLS-20 0.0.0.0 0.0.0.0 192.0.0.137
!
logging 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
57
transport preferred none

transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line vty 5 15
exec-timeout 60 0
privilege level 15
logging synchronous
login local
!
scheduler allocate 20000 1000
!
end
hq-want1-config
!
version 15.5
no platform punt-keepalive disable-kernel-core
!
hostname HQ-WAN1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 8192
enable secret 5 $1$ZJCy$odM5bNfGwRGWb1m42Q9NM/
!
no aaa new-model
!
ip vrf HQ-INET
rd 65001:2
!
!
no ip domain lookup
!
!
58
subscriber templating
!
!
!
license udi pid ISR4451-X/K9 sn FOC17042FHZ
license boot level appxk9
license boot level uck9
license boot level securityk9
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$hVVE$Z8wZ981dR5fdkE0z8DJ7B.
!
redundancy
mode none
!
!
crypto keyring DMVPN-KEYRING vrf HQ-INET
!
!
encr aes
crypto isakmp profile ISAKMP-HQ-INET
match identity address 0.0.0.0 HQ-INET
!
!
mode transport
!
crypto ipsec profile IPSEC-HQ-INET
set isakmp-profile ISAKMP-HQ-INET
!
!
!
interface Loopback0
ip address 10.1.255.11 255.255.255.255
!
interface Tunnel10
bandwidth 100000
ip address 10.254.254.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp redirect
load-interval 30
59
delay 1000
cdp enable
tunnel key 100
tunnel vrf HQ-INET
tunnel protection ipsec profile IPSEC-HQ-INET
!
description Interent Handoff for site to site VPN
bandwidth 100000
ip vrf forwarding HQ-INET
ip address 192.0.0.166 255.255.255.252
negotiation auto
!
description To HQ-Core-SW1 g1/0/1
ip address 10.1.254.2 255.255.255.252
negotiation auto
!
no ip address
negotiation auto
!
no ip address
negotiation auto
!
interface Ethernet-Internal1/0/0
no negotiation auto
no mop enabled
no mop sysid
!
interface Ethernet-Internal1/0/1
no negotiation auto
switchport mode trunk
no mop enabled
no mop sysid
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
!
router eigrp 100
network 10.1.254.0 0.0.0.3
network 10.1.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.1 0.0.0.0
no passive-interface GigabitEthernet0/0/1
!
no ip http server
ip route vrf HQ-INET 0.0.0.0 0.0.0.0 192.0.0.165
!
!
60
logging host 10.1.20.254

!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
line vty 5 15
privilege level 15
logging synchronous
login local
!
!
end
hq-wan2-config
Current configuration : 3654 bytes
!
! Last configuration change at 14:11:51 edt Tue Apr 7 2015
!
version 15.4
no platform punt-keepalive disable-kernel-core
!
hostname HQ-WAN2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
61
address-family ipv6
exit-address-family
!
logging buffered 8192
enable secret 5 $1$ilMH$2MZ9PeTWeQzmWlXrOQh2S1
!
no aaa new-model
!
ip vrf HQ-MPLS
rd 65001:2
!
no ip domain lookup
!
!
subscriber templating
!
!
license udi pid ISR4451-X/K9 sn FOC17042FK2
license accept end user agreement
license boot level securityk9
!
username admin privilege 15 secret 5 $1$Fpyv$URrN7m3.1UaVKwgopWH91/
!
redundancy
mode none
!
!
ip tftp source-interface GigabitEthernet0
!
crypto keyring DMVPN-KEYRING vrf HQ-MPLS
!
!
encr aes
crypto isakmp profile ISAKMP-HQ-MPLS
match identity address 0.0.0.0 HQ-MPLS
!
!
mode transport
!
crypto ipsec profile IPSEC-HQ-MPLS
set isakmp-profile ISAKMP-HQ-MPLS
!
!
interface Loopback0
ip address 10.1.255.12 255.255.255.255
!
interface Tunnel10
bandwidth 100000
ip address 10.254.255.1 255.255.255.0
62
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp redirect
load-interval 30
delay 1000
cdp enable
tunnel key 200
tunnel vrf HQ-MPLS
tunnel protection ipsec profile IPSEC-HQ-MPLS
!
description WAn handoff to MPLS Carrier
bandwidth 100000
ip vrf forwarding HQ-MPLS
ip address 192.0.0.130 255.255.255.252
negotiation auto
!
description to HQ-Core-SW1 g1/0/2
ip address 10.1.254.6 255.255.255.252
negotiation auto
!
no ip address
negotiation auto
!
no ip address
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
!
router eigrp 100
network 10.1.254.4 0.0.0.3
network 10.1.255.12 0.0.0.0
network 10.254.255.1 0.0.0.0
no passive-interface GigabitEthernet0/0/1
!
no ip http server
ip route vrf HQ-MPLS 0.0.0.0 0.0.0.0 192.0.0.129
!
63
!
logging host 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
line vty 5 15
privilege level 15
logging synchronous
login local
!
!
end

Iwan Lab Guide v1.1 Final

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iwan Lab Guide v1.1 Final

Uploaded by

Copyright:

Available Formats

IWAN with DMVPN and VRF

Another offering from team RASTI

April 10, 2015

Cisco Intelligent WAN (IWAN) enables organizations to deliver an uncompromised experience

Dynamic Multipoint VPN (DMVPN)

Virtual Route Forwarding (VRF)

4451x with IOS/XE 03.11.00.S and SecurityK9 Right-To-Use license

For additional information about Cisco Intelligent WAN, visit:

For additional information about Cisco Dynamic Multipoint VPN, visit:

A solid understanding of networking, including routing and switching is assumed. Some

Lab Command Modes

Privileged EXEC Mode

Global Configuration Mode

Exercise 1: Access the Lab Environment and Baseline the Network

Section 1.1 Modify Java Security Settings

To modify Java security settings, launch the Java control panel.

On the Security tab, click Edit Site List.

Section 1.2 Access Your Lab Pod

After clicking Login, a welcome message will appear.

Host Location Username Password

PC1 HQ Jump Box John Doe cisco123

PC3 Branch 10 Joe Sales cisco123

PC4 Branch 20 PC4\macct cisco123

Section 1.3 Login to PC1

Section 1.4 Login to PC2

Section 1.5 Login to PC4

Enter the password cisco123 for host PC4 and login.

Exercise 2: HQ WAN 1 Configuration

On PC1, double-click the OoB Console Access icon.

Login as admin with a password of cisco123.

Section 2.1 HQ WAN 1 Internet VRF

Enter the command sh vrf to verify the VRF:

Enter the command sh vrf to verify the VRF interface configuration:

A default route has been installed in the Internet VRF.

Section 2.2 HQ WAN 1 DMVPN Encryption

Section 2.3 HQ WAN 1 DMVPN Tunnel Interface

Section 2.4 HQ WAN 1 EIGRP Routing

Enter the command sh ip eigrp neighbors to verify the EIGRP configuration:

Router HQ-WAN-1 is configured.

Exercise 3: Branch 10 Internet DMVPN

On the desktop open putty.

Highlight BR10, click Load then click Open.

Login as admin with a password of cisco123.

Section 3.1 Branch 10 Internet VRF

Enter the command sh vrf to verify the VRF interface configuration:

A default route has been installed in the Internet VRF.

Section 3.2 Branch 10 DMVPN Encryption

crypto isakmp profile ISAKMP-INET-10

Section 3.3 Branch 10 DMVPM Tunnel Interface

ip nhrp registration no-unique

Section 3.4 Branch 10 EIGRP Routing

Section 3.5 Branch 10 Verification

ISAKMP SA status should show ACTIVE.

Enter the command sh crypto ipsec sa to verify the IPSEC configuration:

IPSEC sa #pkts encaps and #pkts decaps should be incrementing.

Branch 10s Internet DMVPN configuration is complete.

Exercise 4: Branch 20 Internet DMVPN

On the desktop open putty.

Highlight BR20, click Load then click Open.

Login as admin with a password of cisco123.

Section 4.1 Branch 20 Internet VRF

Enter the command sh vrf to verify the VRF interface configuration:

Section 4.2 Branch 20 DMVPN Encryption

Press control + z to exit configuration mode.