
IWAN with DMVPN and VRF

Lab Guide
Version 1.0

Another offering from team RASTI

April 10, 2015



Table of Contents
Introduction..................................................................................................................................... 3
Disclaimer........................................................................................................................................ 4
Build Information ............................................................................................................................ 4
Prerequisite Knowledge .................................................................................................................. 4
Lab Command Modes ..................................................................................................................... 5
Exercise 1: Access the Lab Environment and Baseline the Network ............................................... 5
Exercise 2: HQ WAN 1 Configuration ............................................................................................ 12
Exercise 3: Branch 10 Internet DMVPN ......................................................................................... 18
Exercise 4: Branch 20 Internet DMVPN ......................................................................................... 25
Exercise 5: HQ WAN 2 Configuration ............................................................................................ 30
Exercise 6: Branch 10 MPLS DMVPN ............................................................................................. 34
Exercise 7: Branch 20 MPLS DMVPN ............................................................................................. 38
Exercise 8: Verify Final Connectivity and Failover ......................................................................... 43
Appendix 1 .................................................................................................................................... 48
Appendix 2 .................................................................................................................................... 49
Appendix 3 .................................................................................................................................... 50

April 10, 2015 Solutions Readiness Engineering IWAN with DMVPN and VRF v1.0

Introduction

Cisco Intelligent WAN (IWAN) enables organizations to deliver an uncompromised experience
over any connection. With Cisco IWAN IT organizations can provide more bandwidth to their
branch office connections by using less expensive WAN transport options without affecting
performance, security, or reliability. With the IWAN solution, traffic is dynamically routed based
on application service-level agreement (SLA), endpoint type, and network conditions in order to
deliver the best quality experience. The realized savings from IWAN not only pays for the
infrastructure upgrades, but also frees resources for business innovation.

There are two primary IWAN design models: Hybrid and Dual Internet. This lab implements the
IWAN Hybrid design model, which uses MPLS paired with Internet VPN as WAN transports. In
this design model, the MPLS WAN can provide more bandwidth for the critical classes of
services needed for key applications and can provide SLA guarantees for these applications.

The IWAN solution incorporates numerous Cisco IOS and IOS XE features. The two features
implemented in this lab are Dynamic Multipoint VPN and VRF.

Dynamic Multipoint VPN (DMVPN)


DMVPN is a solution for building scalable site-to-site VPNs that support a variety of
applications. DMVPN was selected for the secure overlay WAN solution because DMVPN
supports on-demand full mesh connectivity over any carrier transport with a simple hub-and-
spoke configuration. DMVPN makes use of multipoint generic routing encapsulation (mGRE)
tunnels to interconnect the hub to all of the spoke routers. This technology combination
supports unicast, multicast, and broadcast IP, including the ability to run routing protocols
within the tunnels.

Virtual Routing and Forwarding (VRF)


Virtual Routing and Forwarding (VRF) is a technology used in computer networks that allows multiple
instances of a routing table to co-exist within the same router at the same time. Because the
routing instances are independent, you can use the same or overlapping IP addresses without
conflicting with each other. IWAN uses VRF to provide the following:
- Default route separation between user traffic and DMVPN tunnel establishment
- Control and data plane separation between inside and outside networks for security purposes
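As an added illustration of the two separation points above (not part of the lab guide), the following Python models per-VRF routing tables with a longest-prefix lookup and shows why the DMVPN outer packets are resolved in the HQ-INET VRF rather than in the global table. The HQ-INET entries follow Section 2.1 of this guide; the inside prefixes (10.10.0.0/16, the next hop 10.1.0.1) and the interface GigabitEthernet0/0/1 are constructed assumptions.

```python
import ipaddress

# Constructed sample tables modelled on this lab's HQ WAN 1 router. The HQ-INET
# VRF carries only the provider link and its default route (Section 2.1); the
# global table carries the inside network. The inside prefixes, the inside next
# hop 10.1.0.1 and interface GigabitEthernet0/0/1 are assumptions, not lab values.
ROUTES = {
    "HQ-INET": [
        ("192.0.0.164/30", "connected", "GigabitEthernet0/0/0"),
        ("0.0.0.0/0", "192.0.0.165", "GigabitEthernet0/0/0"),
    ],
    "global": [
        ("10.254.254.0/24", "connected", "Tunnel10"),
        ("10.10.0.0/16", "10.254.254.10", "Tunnel10"),      # branch LAN learned over DMVPN (constructed)
        ("0.0.0.0/0", "10.1.0.1", "GigabitEthernet0/0/1"),  # inside default, e.g. towards a firewall (constructed)
    ],
}


def build_tables(routes):
    """Turn the text table into one list of (network, next_hop, interface) per VRF."""
    return {
        vrf: [(ipaddress.ip_network(prefix), nh, intf) for prefix, nh, intf in entries]
        for vrf, entries in routes.items()
    }


def lookup(tables, vrf, dst):
    """Longest-prefix match restricted to a single VRF's table.

    Returns (prefix, next_hop, interface), or None when that VRF has no matching
    route. Routes in other VRFs are never consulted: that is the isolation the
    text describes, and why overlapping prefixes in two VRFs do not collide.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh, intf in tables.get(vrf, []):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, intf)
    return None if best is None else (str(best[0]), best[1], best[2])


def tunnel_outer_lookup(tables, tunnel_vrf, peer_nbma):
    """Where the GRE/IPsec outer packet to a DMVPN peer is forwarded.

    'tunnel vrf <name>' on the tunnel interface makes the router resolve the
    peer's public (NBMA) address in that VRF, so the inside default route can
    never capture tunnel traffic.
    """
    return lookup(tables, tunnel_vrf, peer_nbma)


if __name__ == "__main__":
    tables = build_tables(ROUTES)
    spoke_nbma = "192.0.0.174"  # Branch 10 provider address from Section 3.1
    print("outer packet to spoke (HQ-INET):", tunnel_outer_lookup(tables, "HQ-INET", spoke_nbma))
    print("same address in the global table:", lookup(tables, "global", spoke_nbma))
    print("user traffic to a branch host:", lookup(tables, "global", "10.10.1.5"))
    print("branch host seen from HQ-INET:", lookup(tables, "HQ-INET", "10.10.1.5"))
```

Run stand-alone, the script shows the spoke's public address resolving to the provider next hop 192.0.0.165 inside HQ-INET, while the same address in the global table would follow the inside default; that second result is exactly what the front-door VRF prevents.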

Note: Additional IWAN labs covering intelligent path control (with Cisco Performance Routing
(PfR)) and application optimization (with Cisco Wide Area Application Services (WAAS)) are also
being considered.


Disclaimer

This Guide is intended to demonstrate one way to configure the network to meet the specified
requirements of this example. There are various ways that this can be accomplished, depending
on the situation and the customer's goals/requirements. Please ensure that you consult all
current official Cisco documentation before proceeding with a design or installation. This lab is
primarily intended to be a learning tool, and may not necessarily follow best-practice
recommendations at all times, in order to convey specific information. This is not intended to be
a deployment guide. It is intended for learning purposes only.

Build Information

The labs were constructed using the following software and hardware:

4451x with IOS/XE 03.11.00.S and SecurityK9 Right-To-Use license
2900 ISR-G2 with 15.2(3)T and SecurityK9 Right-To-Use license
3850-24P with IOS/XE 03.03.03SE and IP Services Right-To-Use License
3650X-24P with 12.2(55)SE1 and IP Services Right-To-Use License
Windows7 Enterprise 64 Bit for workstations
Windows Server 2003 R2 for Domain Controller / DNS / DHCP services

For additional information about Cisco Intelligent WAN, visit:

www.cisco.com/go/iwan

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Jan2015/CVD-IWANDesignGuide-JAN15.pdf

For additional information about Cisco Dynamic Multipoint VPN, visit:

www.cisco.com/go/dmvpn

For additional information about Cisco Virtual Routing and Forwarding, visit:

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpn5.html

Prerequisite Knowledge

A solid understanding of networking, including routing and switching, is assumed. Some
background with Cisco IOS and IOS XE and the IWAN solution is helpful, but not required.


Lab Command Modes

This lab guide refers to two common command modes within Cisco IOS. Configuration will
be done in global configuration mode and verification of the configuration will be done in privileged
EXEC mode. A brief explanation of each is below.

Privileged EXEC Mode

Privileged EXEC mode is password protected, and allows the use of all EXEC mode commands
available on the system. To enter privileged EXEC mode from user EXEC mode, use the enable
command. Privileged EXEC mode allows access to global configuration mode through the use of
the enable command. The privileged EXEC mode prompt consists of the device's host name
followed by the pound sign: Router#.

Global Configuration Mode

Global configuration commands generally apply to features that affect the system as a whole,
rather than just one protocol or interface. You can also enter any of the specific configuration
modes listed in the following section from global configuration mode.

To enter global configuration mode, use the configure terminal privileged EXEC command. The
router prompt for global configuration mode is indicated by the term config in parentheses:
Router(config)#.

Exercise 1: Access the Lab Environment and Baseline the Network

In this exercise you will become familiar with the network and ensure everything is functioning
correctly. These steps are important, so please do not skip this exercise.

Section 1.1 Modify Java Security Settings


Note: The current version of Java may require you to add an exception for the RASTI student
portal URL into the Java security settings on the Java control panel. The browser you are using
may also require security setting adjustments.

To modify Java security settings, launch the Java control panel.


On the Security tab, click Edit Site List.

Click Add, type in: https://128.107.69.134 then click OK. Click OK to close the Java control
panel.


Section 1.2 Access Your Lab Pod


Begin by opening a browser and navigating to the Internet-reachable address of the RASTI
student portal https://128.107.69.134/student to access the lab environment.

Accept any security certificate warning and continue. The message shown below is from Firefox
on Windows. Your browser's warning messages may look different. Begin by clicking Add
Exception.


NOTE: In order to log into the lab, you will need a student portal username and password. This
should have been provided to you by the lab proctor.

Log in to the student portal using the username and password you were provided.

Note: The screenshot shows the username for Pod 1. Be sure to use the username and
password provided for your Pod.

After clicking Login, a welcome message will appear.

Click Continue to accept the message and access the student portal.

The student portal landing page will appear. The landing page shows the various hosts that you
will use in the lab. You will be returning to these hosts frequently, so be sure you know how to
get back to this page.


Locate the VNC Bookmarks on the student portal landing page for PC1, PC3, and PC4. Click the
double arrows beside a hostname to open a VNC connection to the host in a new window.

NOTE: Clicking the double arrows (rather than the hostname) ensures that a new window
opens, and that the student portal page remains visible.

After you have connected to PC1, return to the student portal page and connect to PC3, and
then to PC4. Log into each PC using the usernames and passwords in the table below.

Host   Location      Username    Password
PC1    HQ Jump Box   John Doe    cisco123
PC3    Branch 10     Joe Sales   cisco123
PC4    Branch 20     PC4\macct   cisco123

Note: The usernames should be the defaults for these PCs. Continue past any security warnings
about the untrusted certificates.


Click Continue.

If you are presented with Java security warnings, click the check box and then click Run.

Section 1.3 Login to PC1


Enter the password cisco123 for host PC1 and log in.


Section 1.4 Login to PC2


Enter the password cisco123 for host PC2 and log in.

Section 1.5 Login to PC4


Click Send Ctrl-Alt-Del.


Enter the password cisco123 for host PC4 and log in.

Exercise 2: HQ WAN 1 Configuration

In this exercise you will configure DMVPN for the Internet interface on the HQ WAN 1 router.
This configuration will include VRF, ISAKMP, IPSEC, GRE, and EIGRP routing.

On PC1, double-click the OoB Console Access icon.


1) In the Pod Number drop-down box, select the Pod # you have been assigned.
2) In the Content Package drop-down box, select IWAN Lab.
3) Click Access Console Map.


Keep this window open as you will return to it throughout the lab.

Click 4451X on the HQ WAN 1 icon to access the HQ WAN 1 router CLI. If the screen is blank,
press Enter to display the login prompt.

Log in as admin with a password of cisco123.

Section 2.1 HQ WAN 1 Internet VRF


Enter global configuration mode and configure the Internet VRF.
conf t
ip vrf HQ-INET
rd 65001:2
Press control + z to exit configuration mode.

Enter the command sh vrf to verify the VRF:

Enter global configuration mode and configure the Internet service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0/0
bandwidth 100000
ip vrf forwarding HQ-INET
ip address 192.0.0.166 255.255.255.252
Press control + z to exit configuration mode.

Enter the command sh vrf to verify the VRF interface configuration:

Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf HQ-INET 0.0.0.0 0.0.0.0 192.0.0.165
Press control + z to exit configuration mode.

Enter the command sh ip route vrf HQ-INET to verify the VRF routing table
configuration:


A default route has been installed in the Internet VRF.

Section 2.2 HQ WAN 1 DMVPN Encryption


Enter global configuration mode and configure DMVPN encryption.
conf t
crypto keyring DMVPN-KEYRING vrf HQ-INET
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-HQ-INET
keyring DMVPN-KEYRING
match identity address 0.0.0.0 HQ-INET
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile IPSEC-HQ-INET
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-HQ-INET
Press control + z to exit configuration mode.


Section 2.3 HQ WAN 1 DMVPN Tunnel Interface


Enter global configuration mode to configure the DMVPN tunnel interface.
conf t
interface Tunnel10
bandwidth 100000
ip address 10.254.254.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
no ip split-horizon eigrp 100
ip pim dr-priority 110
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf HQ-INET
tunnel protection ipsec profile IPSEC-HQ-INET
Press control + z to exit configuration mode.


Section 2.4 HQ WAN 1 EIGRP Routing


Enter global configuration mode to update EIGRP with the DMVPN tunnel interface.
conf t
router eigrp 100
network 10.254.254.1 0.0.0.0
no passive-interface Tunnel10
Press control + z to exit configuration mode.

Enter the command sh ip eigrp neighbors to verify the EIGRP configuration:

Router HQ-WAN-1 is configured.

Exercise 3: Branch 10 Internet DMVPN

In this exercise you will configure the Internet DMVPN interface on the Branch 10 router.

Return to PC3. If your session has timed out, log in again using password cisco123.

On the desktop open putty.

Highlight BR10, click Load then click Open.


Log in as admin with a password of cisco123.


Section 3.1 Branch 10 Internet VRF


Enter global configuration mode to configure Branch 10's Internet VRF.
config t
ip vrf INET-10
rd 65120:1
Press control + z to exit configuration mode.

Enter global configuration mode and configure the Internet service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0
ip vrf forwarding INET-10
ip address 192.0.0.174 255.255.255.252
Press control + z to exit configuration mode.

Enter the command sh vrf to verify the VRF interface configuration:


Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf INET-10 0.0.0.0 0.0.0.0 192.0.0.173
Press control + z to exit configuration mode.

Enter the command sh ip route vrf INET-10 to verify the VRF routing table
configuration:

A default route has been installed in the Internet VRF.

Section 3.2 Branch 10 DMVPN Encryption


Enter global configuration mode and configure Branch 10's DMVPN encryption:
conf t
crypto keyring DMVPN-KEYRING2 vrf INET-10
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-10
keyring DMVPN-KEYRING2
match identity address 0.0.0.0 INET-10
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-INET-10
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-INET-10
Press control + z to exit configuration mode.

Section 3.3 Branch 10 DMVPN Tunnel Interface


Enter global configuration mode to configure Branch 10's DMVPN tunnel interface.
conf t
interface Tunnel20
bandwidth 50000
ip address 10.254.254.10 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.166
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 10.254.254.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
load-interval 30
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INET-10
tunnel protection ipsec profile IPSEC-INET-10
Press control + z to exit configuration mode.

Section 3.4 Branch 10 EIGRP Routing


Enter global configuration mode to update EIGRP with the DMVPN tunnel interface.
conf t
router eigrp 100
network 10.254.254.10 0.0.0.0
no passive-interface Tunnel20
Press control + z to exit configuration mode.

Section 3.5 Branch 10 Verification


Enter the command sh crypto isakmp sa to verify the ISAKMP configuration:

ISAKMP SA status should show ACTIVE.

Enter the command sh crypto ipsec sa to verify the IPSEC configuration:

IPSEC sa #pkts encaps and #pkts decaps should be incrementing.


Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel interface
configuration:

On PC3, verify Internet access by launching the Chrome browser. Google.com will load as your
homepage.

Branch 10's Internet DMVPN configuration is complete.
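The hub (Exercise 2) and spoke (Exercise 3) configurations have to agree on several values before the tunnel can come up: the tunnel key, the NHRP network-id and authentication string, the NHS address and its NBMA mapping, and, on each side, the VRF named on the tunnel, on the tunnel source interface, on the keyring and in the ISAKMP profile. The Python below is an added example, not part of the lab guide or of Cisco IOS: it parses cut-down copies of the two configurations from this guide and reports any disagreement, so the same check can be run over a saved running-config before the show commands above are consulted. The parser assumes running-config style indentation (child lines start with a space).

```python
# Hub (HQ WAN 1, Exercise 2) and spoke (Branch 10, Exercise 3) configs from this lab,
# cut down to the lines the checks need and indented as a running-config would be.
HUB = """\
crypto keyring DMVPN-KEYRING vrf HQ-INET
crypto isakmp profile ISAKMP-HQ-INET
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 HQ-INET
crypto ipsec profile IPSEC-HQ-INET
 set isakmp-profile ISAKMP-HQ-INET
interface GigabitEthernet0/0/0
 ip vrf forwarding HQ-INET
 ip address 192.0.0.166 255.255.255.252
interface Tunnel10
 ip address 10.254.254.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0/0
 tunnel key 100
 tunnel vrf HQ-INET
 tunnel protection ipsec profile IPSEC-HQ-INET
"""
SPOKE = """\
crypto keyring DMVPN-KEYRING2 vrf INET-10
crypto isakmp profile ISAKMP-INET-10
 keyring DMVPN-KEYRING2
 match identity address 0.0.0.0 INET-10
crypto ipsec profile IPSEC-INET-10
 set isakmp-profile ISAKMP-INET-10
interface GigabitEthernet0/0
 ip vrf forwarding INET-10
 ip address 192.0.0.174 255.255.255.252
interface Tunnel20
 ip address 10.254.254.10 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 10.254.254.1 192.0.0.166
 ip nhrp network-id 100
 ip nhrp nhs 10.254.254.1
 tunnel source GigabitEthernet0/0
 tunnel key 100
 tunnel vrf INET-10
 tunnel protection ipsec profile IPSEC-INET-10
"""

def parse_ios(text):
    """Group an IOS-style config into {section header: [indented child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections

def section(cfg, prefix):  # children of the first section whose header starts with prefix
    return next((kids for hdr, kids in cfg.items() if hdr.startswith(prefix)), [])

def arg(lines, prefix):  # text after the first line that starts with prefix, or None
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def tunnel_facts(cfg):
    """Follow tunnel -> source interface / IPsec profile -> ISAKMP profile -> keyring."""
    tun = section(cfg, "interface Tunnel")
    src = section(cfg, "interface " + arg(tun, "tunnel source"))
    ipsec = section(cfg, "crypto ipsec profile " + arg(tun, "tunnel protection ipsec profile"))
    isakmp = section(cfg, "crypto isakmp profile " + arg(ipsec, "set isakmp-profile"))
    keyring = next(h for h in cfg if h.split()[:3] == ["crypto", "keyring", arg(isakmp, "keyring")])
    ident = (arg(isakmp, "match identity address") or "").split()
    nhs_map = {l.split()[3]: l.split()[4] for l in tun  # 'ip nhrp map <tunnel-ip> <nbma-ip>'
               if l.startswith("ip nhrp map ") and not l.startswith("ip nhrp map multicast")}
    return {
        "tunnel_ip": arg(tun, "ip address").split()[0], "nbma_ip": arg(src, "ip address").split()[0],
        "key": arg(tun, "tunnel key"), "network_id": arg(tun, "ip nhrp network-id"),
        "nhrp_auth": arg(tun, "ip nhrp authentication"), "nhs": arg(tun, "ip nhrp nhs"),
        "tunnel_vrf": arg(tun, "tunnel vrf"), "source_vrf": arg(src, "ip vrf forwarding"),
        "keyring_vrf": keyring.split(" vrf ")[1] if " vrf " in keyring else None,
        # the trailing token of 'match identity address' is a VRF name unless it is numeric
        "isakmp_vrf": ident[-1] if ident and not ident[-1][0].isdigit() else None,
        "nhs_map": nhs_map,
    }

def check_dmvpn(hub_text, spoke_text):
    """Return a list of findings; an empty list means hub and spoke agree."""
    hub, spoke = tunnel_facts(parse_ios(hub_text)), tunnel_facts(parse_ios(spoke_text))
    findings = []
    for field in ("key", "network_id", "nhrp_auth"):  # any mismatch and NHRP registration fails
        if hub[field] != spoke[field]:
            findings.append(f"{field} mismatch: hub={hub[field]} spoke={spoke[field]}")
    for side, f in (("hub", hub), ("spoke", spoke)):
        vrfs = {f["tunnel_vrf"], f["source_vrf"], f["keyring_vrf"], f["isakmp_vrf"]}
        if len(vrfs) != 1:  # tunnel, source, keyring and ISAKMP profile must all live in one VRF
            findings.append(f"{side}: VRF mismatch across tunnel/source/keyring/isakmp: {sorted(vrfs, key=str)}")
    if spoke["nhs"] != hub["tunnel_ip"]:
        findings.append(f"spoke NHS {spoke['nhs']} is not the hub tunnel address {hub['tunnel_ip']}")
    if spoke["nhs_map"].get(hub["tunnel_ip"]) != hub["nbma_ip"]:
        findings.append(f"spoke lacks 'ip nhrp map {hub['tunnel_ip']} {hub['nbma_ip']}'")
    return findings

if __name__ == "__main__":
    print("lab pair:", check_dmvpn(HUB, SPOKE) or "consistent")
    print("spoke with wrong key:", check_dmvpn(HUB, SPOKE.replace("tunnel key 100", "tunnel key 200")))
```

The second line of output shows what a single mistyped tunnel key looks like to the checker; the same edit on a real spoke produces no error message on the router, only a tunnel that never registers, which is why a static comparison of the two sides is worth running before the show commands.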


Exercise 4: Branch 20 Internet DMVPN

In this exercise you will configure the Internet DMVPN interface on the Branch 20 router.

Return to PC4. If your session has timed out, log in again using password cisco123.

On the desktop open putty.

Highlight BR20, click Load then click Open.

Log in as admin with a password of cisco123.


Section 4.1 Branch 20 Internet VRF


Enter global configuration mode to configure Branch 20's Internet VRF.
conf t
ip vrf INET-20
rd 65120:1
Press control + z to exit configuration mode.

Enter global configuration mode and configure the Internet service provider interface with the
VRF.
conf t
interface GigabitEthernet0/0
ip vrf forwarding INET-20
ip address 192.0.0.182 255.255.255.252
Press control + z to exit configuration mode.

Enter the command sh vrf to verify the VRF interface configuration:

Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf INET-20 0.0.0.0 0.0.0.0 192.0.0.181
Press control + z to exit configuration mode.

Enter the command sh ip route vrf INET-20 to verify the VRF routing table
configuration:


Section 4.2 Branch 20 DMVPN Encryption


Enter global configuration mode and configure Branch 20's DMVPN encryption:
conf t
crypto keyring DMVPN-KEYRING2 vrf INET-20
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-20
keyring DMVPN-KEYRING2
match identity address 0.0.0.0 INET-20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-INET-20
set security-association replay window-size 1024
set transform-set AES256/SHA
set isakmp-profile ISAKMP-INET-20
Press control + z to exit configuration mode.

Section 4.3 Branch 20 DMVPN Tunnel Interface


Enter global configuration mode to configure Branch 20's DMVPN tunnel interface.
conf t
interface Tunnel20
bandwidth 10000
ip address 10.254.254.20 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.166
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 10.254.254.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
cdp enable
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INET-20
tunnel protection ipsec profile IPSEC-INET-20
Press control + z to exit configuration mode.


Section 4.4 Branch 20 EIGRP Routing


Enter global configuration mode to update EIGRP with the DMVPN tunnel interface.
conf t
router eigrp 100
network 10.254.254.20 0.0.0.0
no passive-interface Tunnel20
Press control + z to exit configuration mode.

Section 4.5 Branch 20 Verification


Enter the command sh crypto isakmp sa to verify the ISAKMP configuration:

ISAKMP SA status should show ACTIVE.

Enter the command sh crypto ipsec sa to verify the IPSEC configuration:

IPSEC sa #pkts encaps and #pkts decaps should be incrementing.

Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel
configuration:


On PC4, verify Internet access by launching the Chrome browser. Google.com will load as your
homepage.

Branch 20's Internet DMVPN configuration is complete.

Exercise 5: HQ WAN 2 Configuration

In this exercise you will configure DMVPN for the MPLS interface on the HQ WAN 2 router. This
configuration will include VRF, ISAKMP, IPSEC, GRE, and EIGRP routing.

Return to PC1. Open the console map and click 4451X on the HQ WAN 2 icon to access the HQ
WAN 2 router CLI. If the screen is blank, press Enter to display the login prompt.

Log in as admin with a password of cisco123.


Section 5.1 HQ WAN 2 MPLS VRF


Enter global configuration mode and configure the MPLS VRF.
conf t
ip vrf HQ-MPLS
rd 65001:2
Press control + z to exit configuration mode.

Enter global configuration mode and configure the MPLS service provider's interface with the
VRF.
conf t
interface GigabitEthernet0/0/0
bandwidth 100000
ip vrf forwarding HQ-MPLS
ip address 192.0.0.130 255.255.255.252
Press control + z to exit configuration mode.

Enter the command sh vrf to verify the VRF interface configuration:

Enter global configuration mode to install a default route for the VRF.
conf t
ip route vrf HQ-MPLS 0.0.0.0 0.0.0.0 192.0.0.129
Press control + z to exit configuration mode.

Enter the command sh ip route vrf HQ-MPLS to verify the VRF routing table
configuration:


Section 5.2 HQ WAN 2 DMVPN Encryption


Enter global configuration mode and configure DMVPN encryption.
conf t
crypto keyring DMVPN-KEYRING vrf HQ-MPLS
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-HQ-MPLS
keyring DMVPN-KEYRING
match identity address 0.0.0.0 HQ-MPLS
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-HQ-MPLS
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-HQ-MPLS
Press control + z to exit configuration mode.


Section 5.3 HQ WAN 2 DMVPN Tunnel Interface


Enter global configuration mode to configure the DMVPN tunnel interface.
conf t
interface Tunnel10
bandwidth 100000
ip address 10.254.255.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
no ip split-horizon eigrp 100
ip pim dr-priority 110
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 200
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf HQ-MPLS
tunnel protection ipsec profile IPSEC-HQ-MPLS
Press control + z to exit configuration mode.

Section 5.4 HQ WAN 2 EIGRP Routing


Enter global configuration mode to update EIGRP with the DMVPN tunnel interface.
conf t
router eigrp 100
network 10.254.255.1 0.0.0.0
no passive-interface Tunnel10
Press control + z to exit configuration mode.

Router HQ WAN 2 is configured.

Exercise 6: Branch 10 MPLS DMVPN

In this exercise you will configure the MPLS DMVPN interface on the Branch 10 router.

Return to PC3. If putty is closed reopen it by double-clicking on the desktop icon.

Highlight BR10, click Load then click Open.

Log in as admin with a password of cisco123.

Section 6.1 Branch 10 MPLS VRF


Enter global configuration mode to configure Branch 10's MPLS VRF.

conf t
ip vrf MPLS-10
rd 65010:1
Press control + z to exit configuration mode.

Enter global configuration mode and configure the MPLS service provider's interface with the
VRF.
conf t
interface GigabitEthernet0/1
ip vrf forwarding MPLS-10
ip address 192.0.0.134 255.255.255.252
Press control + z to exit configuration mode.


Enter the command sh vrf to verify the VRF interface configuration:

Enter global configuration mode to install a default route for the MPLS VRF.
conf t
ip route vrf MPLS-10 0.0.0.0 0.0.0.0 192.0.0.133
Press control + z to exit configuration mode.

Enter the command sh ip route vrf MPLS-10 to verify the VRF routing table
configuration:

A default route has been installed in the MPLS VRF.

Section 6.2 Branch 10 DMVPN Encryption


Enter global configuration mode and configure Branch 10's DMVPN encryption:

Note: Some of this configuration is redundant.

conf t
crypto keyring DMVPN-KEYRING1 vrf MPLS-10
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-MPLS-10
keyring DMVPN-KEYRING1
match identity address 0.0.0.0 MPLS-10
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-MPLS-10
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-MPLS-10
Press control + z to exit configuration mode.

Section 6.3 Branch 10 DMVPN Tunnel Interface


Enter global configuration mode to configure Branch 10's DMVPN tunnel interface.
conf t
interface Tunnel10
bandwidth 50000
ip address 10.254.255.10 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.130
ip nhrp map 10.254.255.1 192.0.0.130
ip nhrp network-id 200
ip nhrp holdtime 600
ip nhrp nhs 10.254.255.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
load-interval 30
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 200
tunnel vrf MPLS-10
tunnel protection ipsec profile IPSEC-MPLS-10
Press control + z to exit configuration mode.

Section 6.4 Branch 10 EIGRP Routing


Enter global configuration mode to update EIGRP with the DMVPN tunnel interface.
conf t
router eigrp 100
network 10.254.255.10 0.0.0.0
no passive-interface Tunnel10
Press control + z to exit configuration mode.

Section 6.5 Branch 10 MPLS DMVPN Verification


Enter the command sh crypto isakmp sa to verify the ISAKMP configuration:

Both SAs should have a status of ACTIVE.

Enter the command sh crypto ipsec sa to verify the IPSEC configuration. Scroll down
to Interface: Tunnel10.


IPSEC sa #pkts encaps and #pkts decaps should be incrementing.

Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel interface
configuration:

Both tunnel interfaces are now peered with their respective neighbors at HQ.

Branch 10's MPLS DMVPN configuration is complete.
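As an added example (not from the lab guide), the following Python automates the two verification steps above for a dual-transport spoke: it parses the output of sh crypto isakmp sa and sh ip eigrp neighbors and confirms that each transport has an ACTIVE ISAKMP SA to its hub and an EIGRP neighbor on the expected tunnel interface. The sample output is constructed to resemble IOS 15 output using this lab's addresses; the uptimes, connection ids and counters are invented.

```python
# Constructed sample output modelled on IOS 'show crypto isakmp sa' and
# 'show ip eigrp neighbors' on Branch 10 after Exercises 3 and 6. The peer
# addresses are the lab's; conn-ids, uptimes and counters are invented.
ISAKMP_OUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.0.166     192.0.0.174     QM_IDLE           1001 ACTIVE
192.0.0.130     192.0.0.134     QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""
EIGRP_OUT = """\
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.254.255.1            Tu10              53 00:05:12   12   200  0  15
0   10.254.254.1            Tu20              47 00:41:03   10   200  0  42
"""
# What Branch 10 should see: one hub per transport (Sections 3.3 and 6.3).
EXPECTED = {
    "Internet": {"hub_nbma": "192.0.0.166", "hub_tunnel": "10.254.254.1", "tunnel": "Tu20"},
    "MPLS": {"hub_nbma": "192.0.0.130", "hub_tunnel": "10.254.255.1", "tunnel": "Tu10"},
}


def parse_isakmp_sa(text):
    """Return {peer_address: status} from the IPv4 table of 'show crypto isakmp sa'.

    Data rows start with the dst address and carry a numeric conn-id in column 4;
    the header row and the IPv6 banner do not, so they are skipped.
    """
    sas = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0][0].isdigit() and parts[3].isdigit():
            sas[parts[0]] = parts[4]  # dst = remote peer, fifth column = status
    return sas


def parse_eigrp_neighbors(text):
    """Return {neighbor_address: interface} from 'show ip eigrp neighbors'."""
    neighbors = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows begin with the numeric H column followed by an IPv4 address
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].count(".") == 3:
            neighbors[parts[1]] = parts[2]
    return neighbors


def verify_spoke(isakmp_text, eigrp_text, expected):
    """Per transport, list the lab's checks that fail; an empty dict means all passed."""
    sas, neighbors = parse_isakmp_sa(isakmp_text), parse_eigrp_neighbors(eigrp_text)
    problems = {}
    for name, exp in expected.items():
        issues = []
        status = sas.get(exp["hub_nbma"])
        if status != "ACTIVE":
            issues.append(f"ISAKMP SA to {exp['hub_nbma']} is {status or 'missing'}")
        intf = neighbors.get(exp["hub_tunnel"])
        if intf != exp["tunnel"]:
            issues.append(f"EIGRP neighbor {exp['hub_tunnel']} is {intf or 'missing'} (want {exp['tunnel']})")
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    print(verify_spoke(ISAKMP_OUT, EIGRP_OUT, EXPECTED) or "both transports verified")
    # Simulate the MPLS ISAKMP SA never forming: drop its row from the sample output.
    without_mpls = "\n".join(l for l in ISAKMP_OUT.splitlines() if "192.0.0.130" not in l)
    print(verify_spoke(without_mpls, EIGRP_OUT, EXPECTED))
```

A missing ISAKMP SA on one transport with an EIGRP neighbor still present on the other is the normal picture during a single-transport failure, which is the situation Exercise 8 tests; keeping the expected hub addresses in a table like EXPECTED lets the same check run unchanged on Branch 20 with its own values.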

Exercise 7: Branch 20 MPLS DMVPN

In this exercise you will configure the MPLS DMVPN interface on the Branch 20 router.

Return to PC4. If putty is closed reopen it by double-clicking on the desktop icon

Highlight BR20, click Load then click Open.

Log in as admin with a password of cisco123.

Section 7.1 Branch 20 MPLS VRF


Enter global configuration mode to configure Branch 20's MPLS VRF.
config t
ip vrf MPLS-20
rd 65020:1
Press control + z to exit configuration mode.

Enter global configuration mode and configure the MPLS service provider's interface with the
VRF.
conf t
interface GigabitEthernet0/1
ip vrf forwarding MPLS-20
ip address 192.0.0.138 255.255.255.252
Press control + z to exit configuration mode.

Enter the command sh vrf to verify the VRF interface configuration:

Enter global configuration mode to install the default route for the MPLS VRF.
conf t
ip route vrf MPLS-20 0.0.0.0 0.0.0.0 192.0.0.137
Press control + z to exit configuration mode.

Enter the command sh ip route vrf MPLS-20 to verify the VRF routing table
configuration:

A default route has been installed in the MPLS VRF.


Section 7.2 Branch 20 DMVPN Encryption


Enter global configuration mode and configure Branch 20's DMVPN encryption:

Note: Some of this configuration is redundant.

conf t
crypto keyring DMVPN-KEYRING1 vrf MPLS-20
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-MPLS-20
keyring DMVPN-KEYRING1
match identity address 0.0.0.0 MPLS-20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-MPLS-20
set security-association replay window-size 1024
set transform-set AES256/SHA
set isakmp-profile ISAKMP-MPLS-20
Press control + z to exit configuration mode.

Section 7.3 Branch 20 DMVPN Tunnel Interface


Enter global configuration mode to configure Branch 20's DMVPN tunnel interface.
conf t
interface Tunnel10
bandwidth 10000
ip address 10.254.255.20 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.130
ip nhrp map 10.254.255.1 192.0.0.130
ip nhrp network-id 200
ip nhrp holdtime 600
ip nhrp nhs 10.254.255.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
cdp enable
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 200
tunnel vrf MPLS-20
tunnel protection ipsec profile IPSEC-MPLS-20
Press control + z to exit configuration mode.

Section 7.4 Branch 20 EIGRP Routing


Enter global configuration mode to update EIGRP with the DMVPN tunnel interface.
conf t
router eigrp 100
network 10.254.255.20 0.0.0.0
no passive-interface Tunnel10
Press control + z to exit configuration mode.
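The Branch 20 configuration in Sections 7.1 to 7.4 (and the matching Branch 10 configuration in Exercise 6) ties several objects together by name: the tunnel key must equal the NHRP network-id, the tunnel vrf must be the VRF of the tunnel source interface, the NHS must have a static NHRP map, and the ISAKMP profile, its keyring and the tunnel's front-door VRF must all agree. The following added script (not part of the lab guide or of Cisco IOS) reads an IOS-style config and reports any of those mismatches before the router is deployed. The embedded config is assembled from the Branch 20 commands above, abridged to the lines the checks read; the function and variable names are the script's own.

```python
"""Static consistency checks for a DMVPN spoke that uses a front-door VRF.

Added example, not part of the lab guide. It parses the IOS-style text below
and reports the mismatches that most often leave a DMVPN tunnel down.
"""
import re

# Constructed from the guide's Branch 20 commands (abridged to the lines the checks read).
BR20_CONFIG = """\
crypto keyring DMVPN-KEYRING1 vrf MPLS-20
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile ISAKMP-MPLS-20
 keyring DMVPN-KEYRING1
 match identity address 0.0.0.0 MPLS-20
crypto ipsec profile IPSEC-MPLS-20
 set transform-set AES256/SHA
 set isakmp-profile ISAKMP-MPLS-20
interface Tunnel10
 ip address 10.254.255.20 255.255.255.0
 ip nhrp map multicast 192.0.0.130
 ip nhrp map 10.254.255.1 192.0.0.130
 ip nhrp network-id 200
 ip nhrp nhs 10.254.255.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200
 tunnel vrf MPLS-20
 tunnel protection ipsec profile IPSEC-MPLS-20
interface GigabitEthernet0/1
 ip vrf forwarding MPLS-20
 ip address 192.0.0.138 255.255.255.252
"""


def parse_sections(config):
    """Split an IOS config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def child(lines, prefix):
    """Argument of the first child line 'prefix <arg>', or None if absent."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def check_dmvpn_spoke(config):
    """Return a list of human-readable problems; an empty list means consistent."""
    sec = parse_sections(config)
    problems = []
    for name, body in sec.items():
        if not name.startswith("interface Tunnel"):
            continue
        # 1. GRE tunnel key and NHRP network-id are set to the same value in the guide.
        key, net_id = child(body, "tunnel key"), child(body, "ip nhrp network-id")
        if key != net_id:
            problems.append(f"{name}: tunnel key {key} != nhrp network-id {net_id}")
        # 2. The front-door VRF of the tunnel must be the VRF of its source interface.
        fvrf, src = child(body, "tunnel vrf"), child(body, "tunnel source")
        src_vrf = child(sec.get(f"interface {src}", []), "ip vrf forwarding")
        if fvrf != src_vrf:
            problems.append(f"{name}: tunnel vrf {fvrf} but {src} is in vrf {src_vrf}")
        # 3. The hub (NHS) needs a static NHRP map so the spoke can register.
        nhs, mapped = child(body, "ip nhrp nhs"), set()
        for line in body:
            m = re.match(r"ip nhrp map (?!multicast)(\S+) \S+$", line)
            if m:
                mapped.add(m.group(1))
        if nhs not in mapped:
            problems.append(f"{name}: nhs {nhs} has no static 'ip nhrp map' entry")
        # 4. IPsec profile -> ISAKMP profile -> keyring must all live in the front-door VRF.
        ipsec = sec.get(f"crypto ipsec profile {child(body, 'tunnel protection ipsec profile')}", [])
        isakmp = sec.get(f"crypto isakmp profile {child(ipsec, 'set isakmp-profile')}", [])
        ident = (child(isakmp, "match identity address") or "").split()
        # Last token is the VRF name unless it is a mask (global-table identity).
        ident_vrf = ident[-1] if ident and not re.match(r"\d+(\.\d+){3}$", ident[-1]) else None
        keyring_vrf = None
        for header in sec:
            m = re.match(r"crypto keyring (\S+) vrf (\S+)$", header)
            if m and m.group(1) == child(isakmp, "keyring"):
                keyring_vrf = m.group(2)
        if not (fvrf == ident_vrf == keyring_vrf):
            problems.append(f"{name}: front-door vrf {fvrf}, isakmp identity vrf {ident_vrf} "
                            f"and keyring vrf {keyring_vrf} must all match")
    return problems


if __name__ == "__main__":
    for p in check_dmvpn_spoke(BR20_CONFIG) or ["Branch 20 MPLS DMVPN config is consistent"]:
        print(p)
```

Run it against `show running-config` output copied from the spoke; the VRF check in step 4 is the one that catches the classic front-door-VRF mistake, where the keyring or ISAKMP profile is left in the global table and ISAKMP never completes even though `sh vrf` and the default route look correct.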


Section 7.5 Branch 20 MPLS DMVPN Verification


Enter the command sh crypto isakmp sa to verify the ISAKMP configuration:

Both SAs (one per DMVPN) should be in state QM_IDLE with a status of ACTIVE.

Enter the command sh crypto ipsec sa to verify the IPSEC configuration. Scroll down
to Interface: Tunnel10.

The IPsec SA counters #pkts encaps and #pkts decaps should both be incrementing.

Enter the command sh ip eigrp neighbors to verify the EIGRP GRE tunnel interface
configuration:

Here we see both tunnel interfaces are peered with their respective neighbors at HQ.

Branch 20's MPLS DMVPN configuration is complete.


Exercise 8: Verify Final Connectivity and Failover

In this exercise you will verify that the Branch 10 and Branch 20 routers have redundant routes
for each tunnel interface. You will then shut down the HQ WAN 1 Internet interface and verify
that the redundant routes are removed from the branch routers. The Chrome browser will be
used to verify connectivity to the Internet through the DMVPN tunnels over the MPLS
connections.

Section 8.1 Verify Redundant Routes on Branch Routers


Return to PC3.

Enter the command sh ip route to verify that the Branch 10 routing table has redundant
routes for each tunnel interface:


Return to PC4.

Enter the command sh ip route to verify that the Branch 20 routing table has redundant
routes for each tunnel interface:

Section 8.2 Shut Down Internet Interface on HQ WAN 1


Since we configured the DMVPN Internet side first, we will shut down the Internet interface on
the HQ WAN 1 router and then test connectivity from each branch.

Return to PC1.


Click 4451X on the HQ WAN 1 icon to access the HQ WAN 1 router CLI. If the screen is blank,
press Enter to display the login prompt.

Log in as admin with the password cisco123.

Enter global configuration mode and shut down the Internet interface.
conf t
int g0/0/0
shutdown
Press control + z to exit configuration mode.

Section 8.3 Verify Branch Router Routing Tables and Connectivity


Return to PC3.

Enter the command sh ip route to verify that redundant routes have been removed
from the Branch 10 routing table:


All redundant routes are gone. Launch the Chrome browser and confirm that google.com is still accessible.

Return to PC4.

Enter the command sh ip route to verify that redundant routes have been removed
from the Branch 20 routing table:


All redundant routes are gone. Launch the Chrome browser and confirm that google.com is still accessible.
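Sections 8.1 and 8.3 compare the branch routing table before and after the HQ WAN 1 Internet interface is shut down. The added script below (not part of the lab guide) parses `show ip route` output, lists the prefixes that have two next hops, and reports which of them lost their redundancy after the failover. The two route-table extracts are constructed in IOS format to stand in for the guide's screenshots: the tunnel names and next-hop addresses are the guide's own, while the 10.1.20.0/24 prefix, the metrics and the ages are assumptions.

```python
"""Parse `show ip route` and check tunnel redundancy before and after a failover.

Added example, not part of the lab guide. The route-table extracts are
constructed; see the lead-in for which values are assumptions.
"""
import re

# Constructed: Branch 20 with both DMVPNs up (Section 8.1).
BEFORE_SHUTDOWN = """\
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D        10.1.20.0/24 [90/26880256] via 10.254.255.1, 00:05:12, Tunnel10
                      [90/26880256] via 10.254.254.1, 00:05:12, Tunnel20
D        10.1.255.11/32 [90/26880256] via 10.254.254.1, 00:05:12, Tunnel20
C        10.254.254.0/24 is directly connected, Tunnel20
L        10.254.254.20/32 is directly connected, Tunnel20
C        10.254.255.0/24 is directly connected, Tunnel10
L        10.254.255.20/32 is directly connected, Tunnel10
"""

# Constructed: the same router after HQ WAN 1's Internet interface is shut (Section 8.3).
AFTER_SHUTDOWN = """\
D        10.1.20.0/24 [90/26880256] via 10.254.255.1, 00:00:40, Tunnel10
D        10.1.255.11/32 [90/27392000] via 10.254.255.1, 00:00:40, Tunnel10
C        10.254.254.0/24 is directly connected, Tunnel20
C        10.254.255.0/24 is directly connected, Tunnel10
"""

# First line of a routed entry: code, prefix, [AD/metric] via next-hop, age, interface.
ENTRY_RE = re.compile(
    r"^(?P<code>[A-Z]\S*(?: [A-Z0-9]{2})?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\S+), \S+, (?P<intf>\S+)$")
# Equal-cost continuation line: indented, carries no code or prefix.
ECMP_RE = re.compile(r"^\s+\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\S+), \S+, (?P<intf>\S+)$")


def next_hops(show_ip_route):
    """Map each routed prefix to its list of (next-hop, interface) pairs."""
    routes, last = {}, None
    for line in show_ip_route.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            last = m.group("prefix")
            routes[last] = [(m.group("nh"), m.group("intf"))]
            continue
        m = ECMP_RE.match(line)
        if m and last is not None:
            routes[last].append((m.group("nh"), m.group("intf")))
    return routes


def redundant_prefixes(show_ip_route):
    """Prefixes with more than one next hop (what Section 8.1 expects to see)."""
    return sorted(p for p, hops in next_hops(show_ip_route).items() if len(hops) > 1)


def lost_redundancy(before, after):
    """Prefixes that were multipath before and have at most one path after."""
    b, a = next_hops(before), next_hops(after)
    return sorted(p for p, hops in b.items() if len(hops) > 1 and len(a.get(p, [])) <= 1)


def egress_interfaces(show_ip_route):
    """Set of interfaces still carrying routed (non-connected) traffic."""
    return {intf for hops in next_hops(show_ip_route).values() for _, intf in hops}


if __name__ == "__main__":
    print("redundant before:", redundant_prefixes(BEFORE_SHUTDOWN))
    print("lost redundancy:", lost_redundancy(BEFORE_SHUTDOWN, AFTER_SHUTDOWN))
    print("egress after:", egress_interfaces(AFTER_SHUTDOWN))
```

Paste the real `sh ip route` output from PC3 or PC4 into the two strings to get the same answer the screenshots give visually: after the shutdown every routed prefix should be reachable only through Tunnel10, and the connected Tunnel20 subnet is expected to remain because the tunnel interface itself stays up.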

Section 8.4 Enable Internet Interface on HQ WAN 1


Return to PC1.

Enter global configuration mode to reactivate the Internet interface.


conf t
int g0/0/0
no shutdown
Press control + z to exit configuration mode.

Return to PC3. Enter the command sh ip route to verify that the redundant routes have
been restored in the Branch 10 routing table.

Return to PC4. Enter the command sh ip route to verify that the redundant routes have
been restored in the Branch 20 routing table.


Appendix 1

Layer 2 Diagram


Appendix 2

Layer 3 Diagram


Appendix 3

Config Files

br10-wan1-config output
! Last configuration change at 14:13:16 edt Tue Apr 7 2015 by admin
version 15.2
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname BR10-WAN1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$zKa4$mh3.D4gk6ubLyYpRxrCUp.
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time edt recurring
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip vrf INET-10
rd 65120:1
!
ip vrf MPLS-10
rd 65010:1
!
!
no ip domain lookup
ip domain name example.com
ip cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2921/K9 sn FTX1348AHMW
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9 disable
license boot module c2900 technology-package datak9 disable
!
!
username admin privilege 15 secret 5 $1$F2hv$Kp9v0AB8pRXyXcjumM29r1
!
redundancy
!
!
crypto keyring DMVPN-KEYRING2 vrf INET-10
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto keyring DMVPN-KEYRING1 vrf MPLS-10
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-10
keyring DMVPN-KEYRING2
match identity address 0.0.0.0 INET-10
crypto isakmp profile ISAKMP-MPLS-10
keyring DMVPN-KEYRING1
match identity address 0.0.0.0 MPLS-10
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-INET-10
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-INET-10
!
crypto ipsec profile IPSEC-MPLS-10
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-MPLS-10
!
!
interface Loopback0
description Primary Loopback - Do not change
ip address 10.10.255.11 255.255.255.255
!
interface Tunnel10
bandwidth 50000
ip address 10.254.255.10 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.130
ip nhrp map 10.254.255.1 192.0.0.130
ip nhrp network-id 200
ip nhrp holdtime 600
ip nhrp nhs 10.254.255.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
load-interval 30
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 200
tunnel vrf MPLS-10
tunnel protection ipsec profile IPSEC-MPLS-10
!
interface Tunnel20
bandwidth 50000
ip address 10.254.254.10 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.166
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 10.254.254.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
load-interval 30
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INET-10
tunnel protection ipsec profile IPSEC-INET-10
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet Handoff for Site to Site VPN
ip vrf forwarding INET-10
ip address 192.0.0.174 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAn Handoff to MPLS Carrier
ip vrf forwarding MPLS-10
ip address 192.0.0.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Inside toward BR10 Coew SW1 g1/0/1
ip address 10.10.254.1 255.255.255.252
duplex auto
speed auto
!
!
router eigrp 100
network 10.10.254.0 0.0.0.3
network 10.10.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.10 0.0.0.0
network 10.254.255.10 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/2
no passive-interface Tunnel20
no passive-interface Tunnel10
eigrp router-id 10.10.255.11
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf INET-10 0.0.0.0 0.0.0.0 192.0.0.173
ip route vrf MPLS-10 0.0.0.0 0.0.0.0 192.0.0.133
!
logging trap debugging
logging source-interface Loopback0
logging 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.1.255.1
!
end

br20-wan1-config
! Last configuration change at 14:36:48 edt Tue Apr 7 2015 by admin
version 15.2
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname BR20-WAN1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$JjBu$6cZk9sX9XeJYWUTF4g7oM.
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time edt recurring
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip vrf INET-20
rd 65120:1
!
ip vrf MPLS-20
rd 65020:1
!
!
no ip domain lookup
ip domain name example.com
ip cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2921/K9 sn FTX1348AHMR
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9 disable
license boot module c2900 technology-package datak9 disable
!
!
username admin privilege 15 secret 5 $1$rxIr$U3iUqJcxGXE2M8klmqJ9j1
!
redundancy
!
!
crypto keyring DMVPN-KEYRING2 vrf INET-20
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto keyring DMVPN-KEYRING1 vrf MPLS-20
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-INET-20
keyring DMVPN-KEYRING2
match identity address 0.0.0.0 INET-20
crypto isakmp profile ISAKMP-MPLS-20
keyring DMVPN-KEYRING1
match identity address 0.0.0.0 MPLS-20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-INET-20
set security-association replay window-size 1024
set transform-set AES256/SHA
set isakmp-profile ISAKMP-INET-20
!
crypto ipsec profile IPSEC-MPLS-20
set security-association replay window-size 1024
set transform-set AES256/SHA
set isakmp-profile ISAKMP-MPLS-20
!
!
interface Loopback0
description Primary Loopback - Do not change
ip address 10.20.255.11 255.255.255.255
!
interface Tunnel10
bandwidth 10000
ip address 10.254.255.20 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.130
ip nhrp map 10.254.255.1 192.0.0.130
ip nhrp network-id 200
ip nhrp holdtime 600
ip nhrp nhs 10.254.255.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
cdp enable
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 200
tunnel vrf MPLS-20
tunnel protection ipsec profile IPSEC-MPLS-20
!
interface Tunnel20
bandwidth 10000
ip address 10.254.254.20 255.255.255.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
ip nhrp authentication cisco
ip nhrp map multicast 192.0.0.166
ip nhrp map 10.254.254.1 192.0.0.166
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 10.254.254.1
ip nhrp registration no-unique
ip nhrp registration timeout 60
ip nhrp shortcut
ip tcp adjust-mss 1360
cdp enable
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INET-20
tunnel protection ipsec profile IPSEC-INET-20
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet Handoff for site to site vpn
ip vrf forwarding INET-20
ip address 192.0.0.182 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN handoff to MPLS Carrier
ip vrf forwarding MPLS-20
ip address 192.0.0.138 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Inside toward BR20 Core SW1 g1/0/1
ip address 10.20.254.1 255.255.255.252
duplex auto
speed auto
!
!
router eigrp 100
network 10.20.254.0 0.0.0.3
network 10.20.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.20 0.0.0.0
network 10.254.255.20 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/2
no passive-interface Tunnel20
no passive-interface Tunnel10
eigrp router-id 10.20.255.11
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf INET-20 0.0.0.0 0.0.0.0 192.0.0.181
ip route vrf MPLS-20 0.0.0.0 0.0.0.0 192.0.0.137
!
logging trap debugging
logging source-interface Loopback0
logging 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 10.1.255.1
!
end

hq-wan1-config
!
version 15.5
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname HQ-WAN1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 8192
enable secret 5 $1$ZJCy$odM5bNfGwRGWb1m42Q9NM/
!
no aaa new-model
clock timezone est -5 0
clock summer-time edt recurring
!
ip vrf HQ-INET
rd 65001:2
!
!
no ip domain lookup
ip domain name example.com
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
license udi pid ISR4451-X/K9 sn FOC17042FHZ
license boot level appxk9
license boot level uck9
license boot level securityk9
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$hVVE$Z8wZ981dR5fdkE0z8DJ7B.
!
redundancy
mode none
!
!
crypto keyring DMVPN-KEYRING vrf HQ-INET
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-HQ-INET
keyring DMVPN-KEYRING
match identity address 0.0.0.0 HQ-INET
!
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-HQ-INET
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-HQ-INET
!
!
!
interface Loopback0
description Primary Loopback - Do not change
ip address 10.1.255.11 255.255.255.255
!
interface Tunnel10
bandwidth 100000
ip address 10.254.254.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
no ip split-horizon eigrp 100
ip pim dr-priority 110
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf HQ-INET
tunnel protection ipsec profile IPSEC-HQ-INET
!
interface GigabitEthernet0/0/0
description Interent Handoff for site to site VPN
bandwidth 100000
ip vrf forwarding HQ-INET
ip address 192.0.0.166 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
description To HQ-Core-SW1 g1/0/1
ip address 10.1.254.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface Ethernet-Internal1/0/0
no negotiation auto
no mop enabled
no mop sysid
!
interface Ethernet-Internal1/0/1
no negotiation auto
switchport mode trunk
no mop enabled
no mop sysid
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
!
router eigrp 100
network 10.1.254.0 0.0.0.3
network 10.1.255.11 0.0.0.0
network 10.254.254.0 0.0.0.255
network 10.254.254.1 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/0/1
no passive-interface Tunnel10
eigrp router-id 10.1.255.11
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route vrf HQ-INET 0.0.0.0 0.0.0.0 192.0.0.165
!
!
logging trap debugging
logging source-interface Loopback0
logging host 10.1.20.254
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 10.1.255.1
!
end

hq-wan2-config
Current configuration : 3654 bytes
!
! Last configuration change at 14:11:51 edt Tue Apr 7 2015
!
version 15.4
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname HQ-WAN2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 8192
enable secret 5 $1$ilMH$2MZ9PeTWeQzmWlXrOQh2S1
!
no aaa new-model
clock timezone est -5 0
clock summer-time edt recurring
!
ip vrf HQ-MPLS
rd 65001:2
!
no ip domain lookup
ip domain name example.com
!
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4451-X/K9 sn FOC17042FK2
license accept end user agreement
license boot level securityk9
!
username admin privilege 15 secret 5 $1$Fpyv$URrN7m3.1UaVKwgopWH91/
!
redundancy
mode none
!
!
ip tftp source-interface GigabitEthernet0
!
crypto keyring DMVPN-KEYRING vrf HQ-MPLS
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp profile ISAKMP-HQ-MPLS
keyring DMVPN-KEYRING
match identity address 0.0.0.0 HQ-MPLS
!
!
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-HQ-MPLS
set security-association replay window-size 512
set transform-set AES256/SHA
set isakmp-profile ISAKMP-HQ-MPLS
!
!
interface Loopback0
description Primary Loopback - Do not change
ip address 10.1.255.12 255.255.255.255
!
interface Tunnel10
bandwidth 100000
ip address 10.254.255.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 20
ip hold-time eigrp 100 60
no ip split-horizon eigrp 100
ip pim dr-priority 110
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 200
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf HQ-MPLS
tunnel protection ipsec profile IPSEC-HQ-MPLS
!
interface GigabitEthernet0/0/0
description WAn handoff to MPLS Carrier
bandwidth 100000
ip vrf forwarding HQ-MPLS
ip address 192.0.0.130 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
description to HQ-Core-SW1 g1/0/2
ip address 10.1.254.6 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
!
router eigrp 100
network 10.1.254.4 0.0.0.3
network 10.1.255.12 0.0.0.0
network 10.254.255.1 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/0/1
no passive-interface Tunnel10
eigrp router-id 10.1.255.12
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route vrf HQ-MPLS 0.0.0.0 0.0.0.0 192.0.0.129
!
!
logging trap debugging
logging source-interface Loopback0
logging host 10.1.20.254
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 10.1.255.1
!
end