Lab Guide
Version 1.0
Table of Contents
Introduction ... 3
Disclaimer ... 4
Build Information ... 4
Prerequisite Knowledge ... 4
Lab Command Modes ... 5
Exercise 1: Access the Lab Environment and Baseline the Network ... 5
Exercise 2: HQ WAN 1 Configuration ... 12
Exercise 3: Branch 10 Internet DMVPN ... 18
Exercise 4: Branch 20 Internet DMVPN ... 25
Exercise 5: HQ WAN 2 Configuration ... 30
Exercise 6: Branch 10 MPLS DMVPN ... 34
Exercise 7: Branch 20 MPLS DMVPN ... 38
Exercise 8: Verify Final Connectivity and Failover ... 43
Appendix 1 ... 48
Appendix 2 ... 49
Appendix 3 ... 50
April 10, 2015 Solutions Readiness Engineering IWAN with DMVPN and VRF v1.0
3
Introduction
There are two primary IWAN design models: Hybrid and Dual Internet. This lab implements the
IWAN Hybrid design model, which uses MPLS paired with Internet VPN as the WAN transports. In
this design model, the MPLS WAN can provide more bandwidth for the critical classes of
service needed by key applications and can provide SLA guarantees for those applications.
The IWAN solution incorporates numerous Cisco IOS and IOS XE features. The two features
implemented in this lab are Dynamic Multipoint VPN (DMVPN) and Virtual Routing and Forwarding (VRF).
Note: Additional IWAN labs covering intelligent path control (with Cisco Performance Routing
(PfR)) and application optimization (with Cisco Wide Area Application Services (WAAS)) are also
being considered.
Disclaimer
This guide is intended to demonstrate one way to configure the network to meet the specified
requirements of this example. There are various ways that this can be accomplished, depending
on the situation and the customer's goals and requirements. Please ensure that you consult all
current official Cisco documentation before proceeding with a design or installation. This lab is
primarily intended to be a learning tool and, in order to convey specific information, may not
always follow best-practice recommendations. This is not intended to be a deployment guide. It is
intended for learning purposes only.
Build Information
The labs were constructed using the following software and hardware:
www.cisco.com/go/iwan
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Jan2015/CVD-IWANDesignGuide-JAN15.pdf
www.cisco.com/go/dmvpn
For additional information about Cisco Virtual Routing and Forwarding, visit:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpn5.html
Prerequisite Knowledge
Lab Command Modes
This lab guide refers to two common command modes within Cisco IOS. Configuration will
be done in global configuration mode and verification of the configuration will be done in
privileged EXEC mode. A brief explanation follows.
Privileged EXEC mode is password protected and allows the use of all EXEC mode commands
available on the system. To enter privileged EXEC mode from user EXEC mode, use the enable
command. From privileged EXEC mode you reach global configuration mode with the configure
terminal command. The privileged EXEC mode prompt consists of the device's host name
followed by the pound sign: Router#.
Global configuration commands generally apply to features that affect the system as a whole,
rather than just one protocol or interface. You can also enter any of the more specific
configuration modes (for example interface configuration mode, used throughout the exercises)
from global configuration mode.
To enter global configuration mode, use the configure terminal privileged EXEC command. The
router prompt for global configuration mode is indicated by the term config in parentheses:
Router(config)#.
Exercise 1: Access the Lab Environment and Baseline the Network
In this exercise you will become familiar with the network and ensure everything is functioning
correctly. These steps are important, so please do not skip this exercise.
Click Add, type in: https://128.107.69.134 then click OK. Click OK to close the Java control
panel.
Accept any security certificate warning and continue. The message shown below is from Firefox
on Windows. Your browser's warning messages may look different. Begin by clicking Add
Exception.
NOTE: In order to log into the lab, you will need a student portal username and password. This
should have been provided to you by the lab proctor.
Log in to the student portal using the username and password you were provided.
Note: The screenshot shows the username for Pod 1. Be sure to use the username and
password provided for your Pod.
Click Continue to accept the message and access the student portal.
The student portal landing page will appear. The landing page shows the various hosts that you
will use in the lab. You will be returning to these hosts frequently, so be sure you know how to
get back to this page.
Locate the VNC Bookmarks on the student portal landing page for PC1, PC3, and PC4. Click the
double arrows beside a hostname to open a VNC connection to the host in a new window.
NOTE: Clicking the double arrows (rather than the hostname) ensures that a new window
opens, and that the student portal page remains visible.
After you have connected to PC1, return to the student portal page and connect to PC3, and
then to PC4. Log in to each PC using the usernames and passwords in the table below.
Note: The usernames should be the defaults for these PCs. Continue past any security warnings
about the untrusted certificates.
Click Continue.
If you are presented with Java security warnings, click the check box and then click Run.
Exercise 2: HQ WAN 1 Configuration
In this exercise you will configure DMVPN for the Internet interface on the HQ WAN 1 router.
This configuration will include VRF, ISAKMP, IPSEC, GRE, and EIGRP routing.
1) In the Pod Number drop-down box, select the Pod # you have been assigned.
2) In the Content Package drop-down box, select IWAN Lab.
3) Click Access Console Map.
Keep this window open as you will return to it throughout the lab.
Click 4451X on the HQ WAN 1 icon to access the HQ WAN 1 router CLI. If the screen is blank,
press Enter to display the login prompt.
Enter global configuration mode and create the Internet VRF.
conf t
ip vrf HQ-INET
rd 65001:2
Press control + z to exit configuration mode.
Enter global configuration mode and configure the Internet service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0/0
bandwidth 100000
ip vrf forwarding HQ-INET
ip address 192.0.0.166 255.255.255.252
Press control + z to exit configuration mode.
Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf HQ-INET 0.0.0.0 0.0.0.0 192.0.0.165
Press control + z to exit configuration mode.
Enter the command sh ip route vrf HQ-INET to verify the VRF routing table
configuration:
Exercise 3: Branch 10 Internet DMVPN
In this exercise you will configure the Internet DMVPN interface on the Branch 10 router.
Return to PC3. If your session has timed out, log in again using the password cisco123.
Enter global configuration mode and configure the Internet service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0
ip vrf forwarding INET-10
ip address 192.0.0.174 255.255.255.252
Press control + z to exit configuration mode.
Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf INET-10 0.0.0.0 0.0.0.0 192.0.0.173
Press control + z to exit configuration mode.
Enter the command sh ip route vrf INET-10 to verify the VRF routing table
configuration:
Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel interface
configuration:
On PC3, verify Internet access by launching the Chrome browser. Google.com will load as your
homepage.
Exercise 4: Branch 20 Internet DMVPN
In this exercise you will configure the Internet DMVPN interface on the Branch 20 router.
Return to PC4. If your session has timed out, log in again using the password cisco123.
Enter global configuration mode and configure the Internet service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0
ip vrf forwarding INET-20
ip address 192.0.0.182 255.255.255.252
Press control + z to exit configuration mode.
Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf INET-20 0.0.0.0 0.0.0.0 192.0.0.181
Press control + z to exit configuration mode.
Enter the command sh ip route vrf INET-20 to verify the VRF routing table
configuration:
Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel
configuration:
On PC4, verify Internet access by launching the Chrome browser. Google.com will load as your
homepage.
Exercise 5: HQ WAN 2 Configuration
In this exercise you will configure DMVPN for the MPLS interface on the HQ WAN 2 router. This
configuration will include VRF, ISAKMP, IPSEC, GRE, and EIGRP routing.
Return to PC1. Open the console map and click 4451X on the HQ WAN 2 icon to access the HQ
WAN 2 router CLI. If the screen is blank, press Enter to display the login prompt.
Enter global configuration mode and configure the MPLS service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0/0
bandwidth 100000
ip vrf forwarding HQ-MPLS
ip address 192.0.0.130 255.255.255.252
Press control + z to exit configuration mode.
Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf HQ-MPLS 0.0.0.0 0.0.0.0 192.0.0.129
Press control + z to exit configuration mode.
Enter the command sh ip route vrf HQ-MPLS to verify the VRF routing table
configuration:
Exercise 6: Branch 10 MPLS DMVPN
In this exercise you will configure the MPLS DMVPN interface on the Branch 10 router.
Enter global configuration mode and create the MPLS VRF.
conf t
ip vrf MPLS-10
rd 65010:1
Press control + z to exit configuration mode.
Enter global configuration mode and configure the MPLS service provider interface with the
VRF.
conf t
interface GigabitEthernet0/1
ip vrf forwarding MPLS-10
ip address 192.0.0.134 255.255.255.252
Press control + z to exit configuration mode.
Enter global configuration mode to install a default route for the MPLS VRF.
conf t
ip route vrf MPLS-10 0.0.0.0 0.0.0.0 192.0.0.133
Press control + z to exit configuration mode.
Enter the command sh ip route vrf MPLS-10 to verify the VRF routing table
configuration:
conf t
crypto keyring DMVPN-KEYRING1 vrf MPLS-10
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
Enter the command sh crypto ipsec sa to verify the IPSEC configuration. Scroll down
to Interface: Tunnel10.
Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel interface
configuration:
Here we see both tunnel interfaces are peered with their respective neighbors at HQ.
Exercise 7: Branch 20 MPLS DMVPN
In this exercise you will configure the MPLS DMVPN interface on the Branch 20 router.
Enter global configuration mode and create the MPLS VRF.
conf t
ip vrf MPLS-20
rd 65020:1
Press control + z to exit configuration mode.
Enter global configuration mode and configure the MPLS service provider interface with the
VRF.
conf t
interface GigabitEthernet0/1
ip vrf forwarding MPLS-20
ip address 192.0.0.138 255.255.255.252
Press control + z to exit configuration mode.
Enter global configuration mode to install the default route for the MPLS VRF.
conf t
ip route vrf MPLS-20 0.0.0.0 0.0.0.0 192.0.0.137
Press control + z to exit configuration mode.
Enter the command sh ip route vrf MPLS-20 to verify the VRF routing table
configuration:
conf t
crypto keyring DMVPN-KEYRING1 vrf MPLS-20
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-MPLS-20
keyring DMVPN-KEYRING1
match identity address 0.0.0.0 MPLS-20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-MPLS-20
set security-association replay window-size 1024
set transform-set AES256/SHA
set isakmp-profile ISAKMP-MPLS-20
Press control + z to exit configuration mode.
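As an added example (not the lab's own tooling), the following Python script reads an IOS configuration in the indented form shown in Appendix 3 and checks the crypto and VRF settings built up in Exercises 2 to 7: it flags the wildcard pre-shared key, confirms that each tunnel's tunnel vrf, the VRF in its ISAKMP profile's match identity address and its keyring's VRF all agree, and reports tunnels without tunnel protection or NHRP authentication and vty lines that accept telnet. The configuration excerpt inside it is constructed, modelled on the Branch 20 appendix, and its Tunnel20 is deliberately bound to the MPLS IPsec profile so the VRF check has something to report.

```python
"""Audit a Cisco IOS DMVPN front-door-VRF configuration. Added example, not
part of the lab guide: it checks the settings this lab configures (VRF-bound
keyrings, ISAKMP/IPsec profiles, tunnel protection, NHRP auth, vty access)."""

# Constructed excerpt modelled on the Branch 20 configuration in Appendix 3.
# Tunnel20 deliberately points at the MPLS IPsec profile (a copy/paste slip)
# so that the VRF-chain check below has something to report.
SAMPLE_CONFIG = """\
crypto keyring DMVPN-KEYRING1 vrf MPLS-20
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile ISAKMP-MPLS-20
 keyring DMVPN-KEYRING1
 match identity address 0.0.0.0 MPLS-20
crypto ipsec profile IPSEC-MPLS-20
 set transform-set AES256/SHA
 set isakmp-profile ISAKMP-MPLS-20
interface Tunnel10
 ip nhrp authentication cisco
 tunnel vrf MPLS-20
 tunnel protection ipsec profile IPSEC-MPLS-20
interface Tunnel20
 ip nhrp authentication cisco
 tunnel vrf INET-20
 tunnel protection ipsec profile IPSEC-MPLS-20
line vty 0 4
 login local
 transport input telnet ssh
"""


def parse_sections(text):
    """Split an IOS config into (header, child lines) pairs by indentation."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def audit(text):
    """Return human-readable findings for an IOS DMVPN configuration."""
    findings, keyring_vrf, isakmp, ipsec, tunnels = [], {}, {}, {}, []
    for header, body in parse_sections(text):
        w = header.split()
        lines = [line.split() for line in body]
        if w[:2] == ["crypto", "keyring"]:
            keyring_vrf[w[2]] = w[4] if w[3:4] == ["vrf"] else None
            for lw in lines:
                if lw[:4] == ["pre-shared-key", "address", "0.0.0.0", "0.0.0.0"]:
                    findings.append(f"{w[2]}: wildcard pre-shared key accepts any peer")
        elif w[:3] == ["crypto", "isakmp", "profile"]:
            kr = vrf = None
            for lw in lines:
                if lw[:1] == ["keyring"]:
                    kr = lw[1]
                elif lw[:3] == ["match", "identity", "address"]:
                    if not lw[-1].replace(".", "").isdigit():  # trailing VRF name
                        vrf = lw[-1]
            isakmp[w[3]] = (kr, vrf)
        elif w[:3] == ["crypto", "ipsec", "profile"]:
            for lw in lines:
                if lw[:2] == ["set", "isakmp-profile"]:
                    ipsec[w[3]] = lw[2]
        elif w[:1] == ["interface"] and w[1].startswith("Tunnel"):
            tvrf, prof, nhrp_auth = None, None, False
            for lw in lines:
                if lw[:2] == ["tunnel", "vrf"]:
                    tvrf = lw[2]
                elif lw[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                    prof = lw[4]
                elif lw[:3] == ["ip", "nhrp", "authentication"]:
                    nhrp_auth = True
            tunnels.append((w[1], tvrf, prof, nhrp_auth))
        elif w[:2] == ["line", "vty"]:
            for lw in lines:
                if lw[:2] == ["transport", "input"] and "telnet" in lw:
                    findings.append(f"{header}: cleartext telnet allowed for management")
    # The tunnel's front-door VRF, the VRF in the ISAKMP profile's "match
    # identity address" and the keyring's VRF must agree, or the peer's
    # ISAKMP request arriving in that VRF never matches the profile.
    for name, tvrf, prof, nhrp_auth in tunnels:
        if prof is None:
            findings.append(f"{name}: mGRE tunnel has no IPsec tunnel protection")
        else:
            kr, mvrf = isakmp.get(ipsec.get(prof), (None, None))
            chain = sorted({str(v) for v in (tvrf, mvrf, keyring_vrf.get(kr))})
            if len(chain) != 1:
                findings.append(f"{name}: VRF mismatch along {prof} -> "
                                f"{ipsec.get(prof)} -> {kr}: {', '.join(chain)}")
        if not nhrp_auth:
            findings.append(f"{name}: no NHRP authentication string")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Paste the output of show running-config from a lab router in place of SAMPLE_CONFIG to audit the real device; the wildcard-key finding is expected for this lab, since the key is accepted from any peer address by design.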
Enter the command sh crypto ipsec sa to verify the IPSEC configuration. Scroll down
to Interface: Tunnel10.
Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel interface
configuration:
Here we see both tunnel interfaces are peered with their respective neighbors at HQ.
Exercise 8: Verify Final Connectivity and Failover
In this exercise you will verify that the Branch 10 and Branch 20 routers have redundant routes
for each tunnel interface. You will then shut down the HQ WAN 1 Internet interface and verify
that the redundant routes are removed from the branch routers. The Chrome browser will be
used to verify connectivity to the Internet through the DMVPN tunnels over the MPLS
connections.
Enter the command sh ip route to verify that the Branch 10 routing table has redundant
routes for each tunnel interface:
Return to PC4.
Enter the command sh ip route to verify that the Branch 20 routing table has redundant
routes for each tunnel interface:
Return to PC1.
Click 4451X on the HQ WAN 1 icon to access the HQ WAN 1 router CLI. If the screen is blank,
press Enter to display the login prompt.
Enter global configuration mode and shut down the Internet interface.
conf t
int g0/0/0
shutdown
Press control + z to exit configuration mode.
Enter the command sh ip route to verify that redundant routes have been removed
from the Branch 10 routing table:
All redundant routes are gone. Launch the Chrome browser and verify that google.com is still accessible.
Return to PC4.
Enter the command sh ip route to verify that redundant routes have been removed
from the Branch 20 routing table:
All redundant routes are gone. Launch the Chrome browser and verify that google.com is still accessible.
Return to PC3. Enter the command sh ip route to verify that the redundant routes have
been restored in the Branch 10 routing table.
Return to PC4. Enter the command sh ip route to verify that the redundant routes have
been restored in the Branch 20 routing table.
Appendix 1
Layer 2 Diagram
Appendix 2
Layer 3 Diagram
Appendix 3
Config Files
br10-wan1-config output
! Last configuration change at 14:13:16 edt Tue Apr 7 2015 by admin
version 15.2
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname BR10-WAN1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$zKa4$mh3.D4gk6ubLyYpRxrCUp.
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time edt recurring
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip vrf INET-10
rd 65120:1
!
ip vrf MPLS-10
rd 65010:1
!
!
no ip domain lookup
ip domain name example.com
ip cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2921/K9 sn FTX1348AHMW
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9 disable
license boot module c2900 technology-package datak9 disable
!
!
username admin privilege 15 secret 5 $1$F2hv$Kp9v0AB8pRXyXcjumM29r1
!
redundancy
!
!
crypto keyring DMVPN-KEYRING2 vrf INET-10
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto keyring DMVPN-KEYRING1 vrf MPLS-10
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.166
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 10.254.254.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
load-interval 30
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INET-10
tunnel protection ipsec profile IPSEC-INET-10
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet Handoff for Site to Site VPN
ip vrf forwarding INET-10
ip address 192.0.0.174 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAn Handoff to MPLS Carrier
ip vrf forwarding MPLS-10
ip address 192.0.0.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Inside toward BR10 Coew SW1 g1/0/1
ip address 10.10.254.1 255.255.255.252
duplex auto
speed auto
!
!
router eigrp 100
network 10.10.254.0 0.0.0.3
network 10.10.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.10 0.0.0.0
network 10.254.255.10 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/2
no passive-interface Tunnel20
no passive-interface Tunnel10
eigrp router-id 10.10.255.11
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf INET-10 0.0.0.0 0.0.0.0 192.0.0.173
ip route vrf MPLS-10 0.0.0.0 0.0.0.0 192.0.0.133
!
logging trap debugging
logging source-interface Loopback0
logging 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.1.255.1
!
end
br20-wan1-config
! Last configuration change at 14:36:48 edt Tue Apr 7 2015 by admin
version 15.2
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname BR20-WAN1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$JjBu$6cZk9sX9XeJYWUTF4g7oM.
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time edt recurring
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip vrf INET-20
rd 65120:1
!
ip vrf MPLS-20
rd 65020:1
!
!
no ip domain lookup
ip domain name example.com
ip cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2921/K9 sn FTX1348AHMR
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9 disable
license boot module c2900 technology-package datak9 disable
!
!
username admin privilege 15 secret 5 $1$rxIr$U3iUqJcxGXE2M8klmqJ9j1
!
redundancy
!
!
crypto keyring DMVPN-KEYRING2 vrf INET-20
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto keyring DMVPN-KEYRING1 vrf MPLS-20
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-20
keyring DMVPN-KEYRING2
match identity address 0.0.0.0 INET-20
crypto isakmp profile ISAKMP-MPLS-20
keyring DMVPN-KEYRING1
match identity address 0.0.0.0 MPLS-20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-INET-20
set security-association replay window-size 1024
set transform-set AES256/SHA
set isakmp-profile ISAKMP-INET-20
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet Handoff for site to site vpn
ip vrf forwarding INET-20
ip address 192.0.0.182 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN handoff to MPLS Carrier
ip vrf forwarding MPLS-20
ip address 192.0.0.138 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Inside toward BR20 Core SW1 g1/0/1
ip address 10.20.254.1 255.255.255.252
duplex auto
speed auto
!
!
router eigrp 100
network 10.20.254.0 0.0.0.3
network 10.20.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.20 0.0.0.0
network 10.254.255.20 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/2
no passive-interface Tunnel20
no passive-interface Tunnel10
eigrp router-id 10.20.255.11
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf INET-20 0.0.0.0 0.0.0.0 192.0.0.181
ip route vrf MPLS-20 0.0.0.0 0.0.0.0 192.0.0.137
!
logging trap debugging
logging source-interface Loopback0
logging 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
hq-wan1-config
!
version 15.5
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname HQ-WAN1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 8192
enable secret 5 $1$ZJCy$odM5bNfGwRGWb1m42Q9NM/
!
no aaa new-model
clock timezone est -5 0
clock summer-time edt recurring
!
ip vrf HQ-INET
rd 65001:2
!
!
no ip domain lookup
ip domain name example.com
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
license udi pid ISR4451-X/K9 sn FOC17042FHZ
license boot level appxk9
license boot level uck9
license boot level securityk9
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$hVVE$Z8wZ981dR5fdkE0z8DJ7B.
!
redundancy
mode none
!
!
crypto keyring DMVPN-KEYRING vrf HQ-INET
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-HQ-INET
keyring DMVPN-KEYRING
match identity address 0.0.0.0 HQ-INET
!
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-HQ-INET
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-HQ-INET
!
!
!
interface Loopback0
description Primary Loopback - Do not change
ip address 10.1.255.11 255.255.255.255
!
interface Tunnel10
bandwidth 100000
ip address 10.254.254.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
no ip split-horizon eigrp 100
ip pim dr-priority 110
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf HQ-INET
tunnel protection ipsec profile IPSEC-HQ-INET
!
interface GigabitEthernet0/0/0
description Interent Handoff for site to site VPN
bandwidth 100000
ip vrf forwarding HQ-INET
ip address 192.0.0.166 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
description To HQ-Core-SW1 g1/0/1
ip address 10.1.254.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface Ethernet-Internal1/0/0
no negotiation auto
no mop enabled
no mop sysid
!
interface Ethernet-Internal1/0/1
no negotiation auto
switchport mode trunk
no mop enabled
no mop sysid
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
!
router eigrp 100
network 10.1.254.0 0.0.0.3
network 10.1.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.1 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/0/1
no passive-interface Tunnel10
eigrp router-id 10.1.255.11
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route vrf HQ-INET 0.0.0.0 0.0.0.0 192.0.0.165
!
!
logging trap debugging
logging source-interface Loopback0
hq-wan2-config
Current configuration : 3654 bytes
!
! Last configuration change at 14:11:51 edt Tue Apr 7 2015
!
version 15.4
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname HQ-WAN2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 8192
enable secret 5 $1$ilMH$2MZ9PeTWeQzmWlXrOQh2S1
!
no aaa new-model
clock timezone est -5 0
clock summer-time edt recurring
!
ip vrf HQ-MPLS
rd 65001:2
!
no ip domain lookup
ip domain name example.com
!
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4451-X/K9 sn FOC17042FK2
license accept end user agreement
license boot level securityk9
!
username admin privilege 15 secret 5 $1$Fpyv$URrN7m3.1UaVKwgopWH91/
!
redundancy
mode none
!
!
ip tftp source-interface GigabitEthernet0
!
crypto keyring DMVPN-KEYRING vrf HQ-MPLS
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-HQ-MPLS
keyring DMVPN-KEYRING
match identity address 0.0.0.0 HQ-MPLS
!
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-HQ-MPLS
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-HQ-MPLS
!
!
interface Loopback0
description Primary Loopback - Do not change
ip address 10.1.255.12 255.255.255.255
!
interface Tunnel10
bandwidth 100000
ip address 10.254.255.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
no ip split-horizon eigrp 100
ip pim dr-priority 110
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 200
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf HQ-MPLS
tunnel protection ipsec profile IPSEC-HQ-MPLS
!
interface GigabitEthernet0/0/0
description WAn handoff to MPLS Carrier
bandwidth 100000
ip vrf forwarding HQ-MPLS
ip address 192.0.0.130 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
description to HQ-Core-SW1 g1/0/2
ip address 10.1.254.6 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
!
router eigrp 100
network 10.1.254.4 0.0.0.3
network 10.1.255.12 0.0.0.0
network 10.254.255.1 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/0/1
no passive-interface Tunnel10
eigrp router-id 10.1.255.12
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route vrf HQ-MPLS 0.0.0.0 0.0.0.0 192.0.0.129
!
!
logging trap debugging
logging source-interface Loopback0
logging host 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 10.1.255.1
!
end