Cisco – Dynamic Multipoint VPN (DMVPN) Design Guide

Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1)

 

Cisco 7200VXR/Cisco 7600 Dual Tier Architecture Headend Configuration

This configuration is for the Cisco 7200VXR terminating mGRE and the Cisco 7600 with Sup720 and VPN SPA providing high-capacity IPsec encryption.
Tier #1 (mGRE)

hostname vpn2-7200-1

!
! --- Global settings, Tier #1 (mGRE termination only; IPsec is done on the 7600) ---
!

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

! No AAA: logins fall back to the per-line "password" entries at the end of
! this configuration. For a production headend enable AAA ("aaa new-model")
! so that access is per-user and auditable.
no aaa new-model

ip subnet-zero

! rsh is a legacy remote-command service: access is granted by host/user
! trust entries rather than a password and the session is cleartext. Nothing
! in this design uses it; leave it disabled ("no ip rcmd rsh-enable") outside
! the lab.
ip rcmd rsh-enable

!

! CEF is required for mGRE/NHRP forwarding performance on the hub.
ip cef

no ip domain lookup

!

! Multicast routing is needed so EIGRP hellos/updates can be replicated to
! the spokes over the NBMA tunnel interfaces.
ip multicast-routing 

! IOS IPS event buffer size. No IPS policy is applied to any interface in
! this listing, so this line has no effect on the DMVPN role.
ip ips po max-events 100

no ftp-server write-enable

!

interface Tunnel0

! mGRE hub interface for the first DMVPN cloud (10.56.0.0/22). There is
! deliberately no "tunnel protection" here: in the dual-tier design the 7200
! only terminates mGRE and the 7600 (Tier #2) does the IPsec, so as far as
! this listing shows GRE between the two chassis crosses the
! 192.168.161.0/24 link unencrypted. Anything on that segment can see it.

 description Tunnel0

 bandwidth 100000

 ip address 10.56.0.1 255.255.252.0

 no ip redirects

! EIGRP hold time 35 s on this interface. No EIGRP neighbor authentication
! is configured anywhere in this listing; on an interface that accepts
! dynamically registering peers, consider "ip authentication mode eigrp 1
! md5" with a key chain so a peer that reaches the mGRE interface cannot
! inject routes.
 ip hold-time eigrp 1 35

! Together with "no ip split-horizon eigrp 1" below: keep the originating
! spoke as next hop and re-advertise spoke routes out the same interface, so
! spokes learn each other's prefixes (spoke-to-spoke traffic).
 no ip next-hop-self eigrp 1

! PIM over an NBMA interface: joins are tracked per neighbor.
 ip pim nbma-mode

 ip pim sparse-mode

! NHRP authentication is a plaintext string carried in NHRP packets; it
! keeps clouds apart but is not a cryptographic control. The same is true of
! "tunnel key" (the GRE key field). Protection of this cloud rests entirely
! on the IPsec applied at Tier #2.
 ip nhrp authentication test

! Spokes register with the hub, which then replicates multicast (EIGRP
! hellos/updates) to each registered NBMA address.
 ip nhrp map multicast dynamic

! network-id and tunnel key must match the spoke's corresponding tunnel.
 ip nhrp network-id 105600

 ip nhrp holdtime 1800

 ip nhrp registration timeout 120

 no ip split-horizon eigrp 1

 load-interval 30

! Source is the GigabitEthernet0/1 primary address, facing the 7600.
 tunnel source 192.168.161.1

 tunnel mode gre multipoint

 tunnel key 105600

!

interface Tunnel1

! Second DMVPN cloud (10.56.16.0/22). Same design as Tunnel0 except for the
! addressing, the network-id/tunnel key (1056160) and the tunnel source,
! which is the GigabitEthernet0/1 *secondary* address. The Tunnel0 notes
! apply here too: no tunnel protection (IPsec is on the 7600), plaintext
! NHRP authentication string and GRE key, and no EIGRP authentication.

 description Tunnel1

 bandwidth 100000

 ip address 10.56.16.1 255.255.252.0

 no ip redirects

 ip hold-time eigrp 1 35

 no ip next-hop-self eigrp 1

 ip pim nbma-mode

 ip pim sparse-mode

 ip nhrp authentication test

 ip nhrp map multicast dynamic

! Must match the spoke's network-id / tunnel key for this cloud.
 ip nhrp network-id 1056160

 ip nhrp holdtime 1800

 ip nhrp registration timeout 120

 no ip split-horizon eigrp 1

 load-interval 30

 tunnel source 192.168.181.1

 tunnel mode gre multipoint

 tunnel key 1056160

!

interface Loopback0

! Stable /32 inside the 10.0.0.0 range covered by "router eigrp 1" below, so
! it is advertised to the spokes.
 description Loopback0

 ip address 10.57.255.251 255.255.255.255

!

interface FastEthernet0/0

! Lab management network ("FlashNet"). Note that the default route in this
! configuration points at 172.26.176.1 on this interface, not at the WAN.
 description FlashNet

 ip address 172.26.176.14 255.255.252.0

 load-interval 30

 duplex full

 speed 100

!

interface FastEthernet0/1

! Unused port, administratively down.
 description FastEthernet0/1

 no ip address

 load-interval 30

 shutdown

 duplex full

 speed 100

!

interface GigabitEthernet0/1

! Link to the 7600 (GigabitEthernet5/1, 192.168.161.2 / 192.168.181.2).
! Both mGRE tunnel sources live here: the primary address for Tunnel0 and
! the secondary for Tunnel1. Decrypted GRE from the spokes arrives on this
! interface, so it should be treated as an inside, trusted-only segment.
 description GigabitEthernet0/1

 ip address 192.168.181.1 255.255.255.0 secondary

 ip address 192.168.161.1 255.255.255.0

 load-interval 30

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

!

interface GigabitEthernet0/2

! Campus/inside interface; PIM sparse-mode so multicast can flow between
! the campus and the DMVPN clouds.
 description GigabitEthernet0/2

 ip address 10.57.1.1 255.255.255.0

 ip pim sparse-mode

 load-interval 30

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

!

interface GigabitEthernet0/3

! Unused port, administratively down.
 description GigabitEthernet0/3

 no ip address

 load-interval 30

 shutdown

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

!

router eigrp 1

! The classful "network 10.0.0.0" enables EIGRP on every 10.x interface:
! both tunnels, Loopback0 and GigabitEthernet0/2. No authentication is
! configured for the process; see the per-tunnel note on
! "ip authentication mode eigrp".
 network 10.0.0.0

 no auto-summary

!

ip classless

! Default route points at the lab management network (FastEthernet0/0).
ip route 0.0.0.0 0.0.0.0 172.26.176.1

ip route 172.26.0.0 255.255.0.0 172.26.176.1

! Spoke NBMA addresses (192.168.0.0/16) are reached through the 7600 over
! both addresses of the GigabitEthernet0/1 link; two equal static routes
! give two next hops for the same prefix.
ip route 192.168.0.0 255.255.0.0 192.168.161.2

ip route 192.168.0.0 255.255.0.0 192.168.181.2

!

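! HTTP management is a plaintext listener that nothing in this listing
! depends on; disabled so Tier #1 matches Tier #2, which already carries
! "no ip http server". If web management is ever required, enable only
! "ip http secure-server" together with "ip http access-class" and AAA.
no ip http server

no ip http secure-server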

!

ip pim autorp listener

!

! "public"/"private" are the well-known default community strings, and the
! RW community allows full configuration change (and "snmp-server
! system-shutdown" below lets a reload be triggered) from anyone who can
! reach UDP 161. Outside a lab: remove the RW community, restrict RO with an
! ACL ("snmp-server community <string> RO <acl>"), or use SNMPv3 authPriv.
snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

snmp-server enable traps tty

!

control-plane

!

dial-peer cor custom

!

! H.323 gatekeeper subsystem present but shut down.
gatekeeper

 shutdown

!

line con 0

! "exec-timeout 0 0" disables idle logout and "password cisco" is a lab
! value stored as typed (no "service password-encryption" appears in this
! listing). For production set a finite exec-timeout and use "login local"
! or AAA with "secret"-hashed credentials.
 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport output all

 stopbits 1

line aux 0

! Auxiliary port with no password or login configured; "no exec" would
! close this as an access path if the port is not used for out-of-band
! access.
 transport preferred all

 transport output all

 stopbits 1

line vty 0 4

! "transport input all" accepts Telnet (cleartext credentials and session)
! on every interface including the outside-facing ones, protected only by
! the shared lab password and no idle timeout. Production hardening:
! "transport input ssh" (SSH needs "ip domain-name" and an RSA key, neither
! of which is in this listing), an "access-class" ACL limiting source
! addresses, a finite "exec-timeout" and per-user credentials via AAA.
 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport input all

 transport output all

line vty 5 15

! Same settings and the same concerns as "line vty 0 4" above (Telnet
! allowed, shared lab password, no idle timeout, no access-class).
 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport input all

 transport output all

!

! "ntp clock-period" is written by IOS as it calibrates the clock and should
! not be hand-entered when this configuration is reused.
ntp clock-period 17180034

! Unauthenticated NTP from the lab management network. Time accuracy
! matters here for log correlation and for IKE/IPsec lifetimes, so in
! production use "ntp authenticate" with a key on this server.
ntp server 172.26.176.1

!

end

Tier #2 (IPsec)

hostname vpn6-7600-1

!
! --- Global settings, Tier #2 (IPsec termination on the VPN SPA) ---
!

! No AAA: logins fall back to the per-line passwords at the end of this
! configuration; enable AAA for per-user, auditable access in production.
no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

ip subnet-zero

! Legacy cleartext remote-shell service; not used by this role and best left
! disabled ("no ip rcmd rsh-enable") outside the lab.
ip rcmd rsh-enable

!

no ip domain-lookup

! Catalyst 6500/7600 platform settings: multicast replication mode, MLS
! flow statistics off, no global TCAM sharing, CEF error handling, and Tcl
! scripting disabled at boot.
ipv6 mfib hardware-switching replication-mode ingress

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

no scripting tcl init

no scripting tcl encdir

!

crypto isakmp policy 10

! IKEv1 phase-1 policy: 3DES, pre-shared keys, DH group 2 (1024-bit). These
! were typical when this guide was written but are legacy today; current
! practice is AES ("encr aes 256"), a stronger DH group where the platform
! supports it and, for a large spoke population, certificate (RSA-sig)
! authentication. Any change must be made identically on every spoke -- the
! branch configuration below also uses 3des / group 2.
 encr 3des

 authentication pre-share

 group 2

! Wildcard pre-shared key (0.0.0.0 0.0.0.0): one key for every peer. Any
! host that obtains it can bring up an SA to this headend, and compromise
! of one spoke exposes all of them. With dynamically addressed spokes a
! wildcard key is the only PSK option, which is the main argument for PKI
! at scale. Keep the real key out of documentation.
crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

! Dead Peer Detection at a 10-second interval, so stale SAs from spokes
! that disappear are torn down.
crypto isakmp keepalive 10

!

! ESP with 3DES and SHA-1 HMAC (legacy; AES and SHA-2 where the SPA and
! spokes support them). Must match the spoke transform set.
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 

! NAT traversal (UDP 4500 encapsulation) is disabled, so spokes behind a
! NAT device cannot establish IPsec to this headend; a deliberate
! trade-off for this design.
no crypto ipsec nat-transparency udp-encaps

!

crypto dynamic-map dmap 10

! Dynamic map entry with no "set peer" and no ACL: any peer that
! authenticates under the ISAKMP policy above may negotiate an SA and
! proposes its own traffic selectors. This is what allows spokes with
! unknown addresses to connect, so peer authentication is the only gate.
 set transform-set vpn-test 

!

! IKE/IPsec is sourced from the Vlan100 address (192.168.241.1), the
! interface the crypto map is applied to.
crypto map dynamic-map local-address Vlan100

! Single entry referencing the dynamic map; applied to Vlan100 below.
crypto map dynamic-map 10 ipsec-isakmp dynamic dmap 

!

redundancy

! Stateful switchover between supervisors, with the running configuration
! synchronised to the standby.
 mode sso

 main-cpu

  auto-sync running-config

! Per-VLAN spanning tree for the internal VLANs (1 and 100) that the VPN
! SPA trunks below carry.
spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

! Chassis power supplies combined; CNS diagnostic publishing disabled.
power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

!

! Internal VLAN numbering and VACL logging rate limit (platform defaults).
vlan internal allocation policy ascending

vlan access-log ratelimit 2000

!

interface GigabitEthernet3/1

! Physical outside (Internet-facing) port. It carries no IP address of its
! own: "crypto connect vlan 100" binds it to interface Vlan100, which holds
! the outside address and the crypto map, so all traffic in and out of this
! port passes through the VPN SPA.
 description GigabitEthernet3/1 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 100

!

interface GigabitEthernet3/2

! Unused port, administratively down.
 description GigabitEthernet3/2

 no ip address

 load-interval 30

 shutdown

!

interface GigabitEthernet4/0/1

! VPN SPA port (subslot 4/0, referenced by "crypto engine subslot 4/0" on
! Vlan100). Configured as a dot1q trunk that carries the interface VLAN 100
! so encrypted/decrypted traffic can be switched through the SPA.
 description GigabitEthernet4/0/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,100,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

!

interface GigabitEthernet4/0/2

! Second VPN SPA port; trunk does not include VLAN 100, so only the default
! VLAN range is carried here.
 description GigabitEthernet4/0/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

!

interface GigabitEthernet5/1

! Inside link to the first 7200 (GigabitEthernet0/1: 192.168.161.1 /
! 192.168.181.1). Decrypted GRE from the spokes is forwarded over this link
! in the clear, so it must stay a point-to-point, trusted segment.
 description GigabitEthernet5/1 to vpn2-7200-1 GE0/1

 ip address 192.168.181.2 255.255.255.0 secondary

 ip address 192.168.161.2 255.255.255.0

 no ip redirects

 load-interval 30

!

interface GigabitEthernet5/2

! Inside link to the second 7200 (vpn2-7200-2, not shown in this guide
! excerpt); same cleartext-GRE consideration as GigabitEthernet5/1.
 description GigabitEthernet5/2 to vpn2-7200-2 GE0/1

 ip address 192.168.191.2 255.255.255.0 secondary

 ip address 192.168.171.2 255.255.255.0

 no ip redirects

 load-interval 30

!

interface GigabitEthernet5/3

! Unused port, administratively down.
 description GigabitEthernet5/3

 no ip address

 load-interval 30

 shutdown

!

interface GigabitEthernet6/2

! Lab management network ("FlashNet"); the default route below points here.
 description FlashNet

 ip address 172.26.177.251 255.255.252.0

 load-interval 30

 media-type rj45

 speed 100

 duplex full

!

interface Vlan1

! Default VLAN interface kept shut down.
 description Vlan1

 no ip address

 load-interval 30

 shutdown

!

interface Vlan100

! Outside interface VLAN: holds the public address that spokes peer with,
! carries the crypto map, and hands encryption to the VPN SPA in subslot
! 4/0. The physical port is GigabitEthernet3/1 ("crypto connect vlan 100").
! No inbound ACL is applied here; an ACL permitting only IKE (UDP 500) and
! ESP to 192.168.241.1, plus management from known sources, would limit
! what the outside can reach on this chassis.
 description Vlan100

 ip address 192.168.241.1 255.255.255.0

 load-interval 30

! MOP is a legacy DECnet service; disabled.
 no mop enabled

 crypto map dynamic-map

 crypto engine subslot 4/0

!

ip classless

! Default route points at the lab management network (GigabitEthernet6/2).
ip route 0.0.0.0 0.0.0.0 172.26.176.1

ip route 172.26.0.0 255.255.0.0 172.26.176.1

! Spoke NBMA addresses (192.168.0.0/16) are reached via the outside next
! hop on Vlan100.
ip route 192.168.0.0 255.255.0.0 192.168.241.2

!

no ip http server

!

! Default community strings again; the RW community gives configuration
! control of the encryption tier to anyone reaching UDP 161 on any
! interface, including Vlan100 (outside). Remove the RW community,
! restrict RO with an ACL, or move to SNMPv3 authPriv.
snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

!

control-plane

!

dial-peer cor custom

!

line con 0

! Lab console settings: no idle timeout and a plaintext shared password.
 exec-timeout 0 0

 password cisco

 login

line vty 0 4

! No "transport input" restriction is given, so the image default applies
! (Telnet is accepted on older images), and no "access-class" limits the
! sources -- including the outside Vlan100 address. For production:
! "transport input ssh", an access-class ACL, a finite exec-timeout and
! per-user credentials via AAA instead of the shared "cisco" password.
 exec-timeout 0 0

 password cisco

 login

!

! Auto-generated by IOS; do not hand-enter when reusing this configuration.
ntp clock-period 17180035

! Unauthenticated NTP from the management network; IKE lifetimes and
! certificate validity (if PKI is adopted) depend on correct time, so use
! "ntp authenticate" with a key in production.
ntp server 172.26.176.1

no cns aaa enable

end

Cisco ISR Branch Office Configuration
The EIGRP delay metric is used to make Tunnel0 the preferred path. This configuration shows QoS for VoIP flows (shaping and queuing) applied to the physical (outside) interface, the recommended use of summary routes, and an EIGRP stub configuration.

Branch #1:

ip cef

!

crypto isakmp policy 1

! Spoke IKEv1 policy; must match the headend (3DES, PSK, DH group 2 here).
! See the headend note on moving to AES / a stronger group / RSA-sig.
 encr 3des

 authentication pre-share

 group 2

! Keys are bound to the two headend addresses rather than a wildcard, which
! is the right shape on the spoke side. The value is the same "bigsecret"
! the headend accepts from 0.0.0.0, so if every spoke is provisioned with
! it, losing any one spoke exposes the whole DMVPN; per-spoke keys or PKI
! avoid that.
crypto isakmp key bigsecret address 192.168.251.1

crypto isakmp key bigsecret address 192.168.252.1

!

! ESP 3DES / SHA-1 HMAC, matching the headend transform set.
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 

! NAT-T disabled to match the headend; this spoke cannot sit behind NAT.
no crypto ipsec nat-transparency udp-encaps

!

crypto ipsec profile vpn-dmvpn

! IPsec profile applied to both tunnels with "tunnel protection"; unlike a
! crypto map it needs no ACL because the GRE tunnel itself defines what is
! encrypted.
 set transform-set vpn-test 

!

! QoS classification. IKE (UDP 500, via the named ACL "IKE" at the end of
! this configuration) is pulled into the INTERNETWORK-CONTROL class so key
! exchange is not starved behind bulk data during congestion; voice and
! call signalling are matched on DSCP.
class-map match-all VOICE

  match ip dscp ef 

 class-map match-any CALL-SETUP

  match ip dscp af31 

  match ip dscp cs3 

 class-map match-any INTERNETWORK-CONTROL

  match ip dscp cs6 

  match access-group name IKE

 class-map match-all TRANSACTIONAL-DATA

  match ip dscp af21 

!

 ! Child (queuing) policy: 64 kbps strict priority for voice, 2 / 5 / 22 %
 ! of the parent bandwidth for signalling, control and transactional data,
 ! and fair queuing with a short queue for everything else.
 policy-map 192kb

  class CALL-SETUP

   bandwidth percent 2

  class INTERNETWORK-CONTROL

   bandwidth percent 5

  class TRANSACTIONAL-DATA

   bandwidth percent 22

   queue-limit 16

  class VOICE

   priority 64

  class class-default

   fair-queue

   queue-limit 6

 ! Parent (shaping) policy: shape to 182.4 kbps (95 % of the 192 kbps line
 ! rate; Bc = 1824 bits gives a 10 ms Tc) and run the child policy inside
 ! the shaper. Applied outbound on Serial0/0.
 policy-map 192kb-shaper

  class class-default

   shape average 182400 1824 0

   service-policy 192kb

!

interface Loopback0

! Stable /32 for the branch router, inside the EIGRP "network 10.0.0.0".
 description Loopback0

 ip address 10.61.138.254 255.255.255.255

!

interface Tunnel0

! Primary hub tunnel. "tunnel destination" is set, so this is a
! point-to-point GRE interface that talks only to the hub. IPsec is applied
! directly here with "tunnel protection", so unlike the dual-tier hub the
! GRE leaves Serial0/0 encrypted.
 description Tunnel0

! Matches the serial line rate; feeds the EIGRP metric.
 bandwidth 192

 ip address 10.56.3.10 255.255.252.0

! No EIGRP authentication on the tunnel (none appears anywhere in this
! branch listing); "ip authentication mode eigrp 1 md5" with a key chain
! would need to be added on the hub side as well.
 ip hold-time eigrp 1 35

! Plaintext NHRP string: separates clouds, not an authentication control.
 ip nhrp authentication test

! Static mapping of the hub's tunnel address to its NBMA (public) address,
! plus multicast replication to the hub so EIGRP hellos reach it.
 ip nhrp map 10.56.0.1 192.168.251.1

 ip nhrp map multicast 192.168.251.1

! Must match the hub's network-id / tunnel key for this cloud.
 ip nhrp network-id 105600

 ip nhrp holdtime 300

! Next-hop server is the hub.
 ip nhrp nhs 10.56.0.1

! Advertise only the /24 summary of the LAN behind FastEthernet0/1.
 ip summary-address eigrp 1 10.61.148.0 255.255.255.0 5

! Let the Serial0/0 policy classify on the inner header before encryption.
 qos pre-classify

 tunnel source 192.168.100.6

 tunnel destination 192.168.251.1

 tunnel key 105600

 tunnel protection ipsec profile vpn-dmvpn

!

interface Tunnel1

! Secondary hub tunnel, same structure as Tunnel0 but toward the second
! headend (10.56.4.1 / 192.168.252.1) with its own network-id and key.
! The Tunnel0 notes on missing EIGRP authentication and the plaintext NHRP
! string apply here as well.
 description Tunnel1

 bandwidth 192

 ip address 10.56.7.10 255.255.252.0

 ip hold-time eigrp 1 35

 ip nhrp authentication test

 ip nhrp map 10.56.4.1 192.168.252.1

 ip nhrp map multicast 192.168.252.1

 ip nhrp network-id 105640

 ip nhrp holdtime 300

 ip nhrp nhs 10.56.4.1

 ip summary-address eigrp 1 10.61.148.0 255.255.255.0 5

! Large delay inflates the EIGRP metric so Tunnel0 stays the preferred
! path and this tunnel is used only when Tunnel0's routes are lost.
 delay 60000

 qos pre-classify

 tunnel source 192.168.100.6

 tunnel destination 192.168.252.1

 tunnel key 105640

 tunnel protection ipsec profile vpn-dmvpn

!

interface Serial0/0

! WAN (outside) interface and tunnel source for both tunnels. The shaper
! with the nested queuing policy is applied here, outbound. No inbound ACL
! is present; one permitting only IKE (UDP 500) and ESP from the two
! headend addresses would limit what the WAN can reach on this router.
 description Serial0/0 

 bandwidth 192

 ip address 192.168.100.6 255.255.255.252

 service-policy output 192kb-shaper

!

interface FastEthernet0/1

! Branch LAN: two subnets (10.61.148.0/25 and 10.61.148.128/26) that the
! tunnels advertise as the single summary 10.61.148.0/24.
 description FastEthernet0/1

 ip address 10.61.148.129 255.255.255.192 secondary

 ip address 10.61.148.1 255.255.255.128

 speed 100

 full-duplex

!

router eigrp 1

 network 10.0.0.0

 no auto-summary

! Stub: the branch advertises only its connected and summary routes and is
! never queried as a transit path, which bounds what a compromised or
! misconfigured spoke can inject into the hub's table.
 eigrp stub connected summary

!

ip route 0.0.0.0 0.0.0.0 192.168.100.5!

ip access-list extended IKE

! Matches IKE on UDP 500 for the INTERNETWORK-CONTROL class. NAT-T is
! disabled in this configuration, so UDP 4500 is not needed; if NAT-T is
! ever enabled, add "permit udp any any eq non500-isakmp" here as well.
 permit udp any any eq isakmp

!