WAN Configuration Guide
Revision: H2CY10

Who Should Read This Guide

This document is for the reader who:
• Has already read the Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks WAN Deployment Guide
• Has in total 2000–10,000 connected employees
• Has up to 500 remote sites
• Uses MPLS Layer 3 VPN as a WAN transport
• Uses the Internet as a secure WAN transport
• Requires a resilient WAN
• Requires an application optimization solution to improve WAN performance
• Has IT workers with a CCNA® certification or equivalent experience
• Wants to deploy their network infrastructure efficiently
• Wants the assurance of a tested solution
• Requires a migration path for growth

Related Documents

Before reading this guide:
• Design Overview
• WAN Deployment Guide

[Figure: SBA guide map showing the Design Overview, Foundation Deployment Guides, WAN Deployment Guide, WAN Configuration Guide (you are here), and Network Management Guides]

Table of Contents

Introduction
Large Agencies WAN Deployment Product List
WAN Configuration Files
  WAN-Aggregation Devices
    BNWan3750
    ce-asr1004-1
    ce-asr1004-2
    vpn-asr1006-1
    wae7341-1
    wae7431-2
  WAN Remote-Site Devices
    Branch 200: Dual-Router, Dual-Link with Distribution Layer (MPLS-A + DMVPN)
    Branch 201: Single-Router, Dual-Link (MPLS-A + DMVPN)
    Branch 202: Single-Router, Dual-Link (MPLS-B + DMVPN)
    Branch 203: Dual-Router, Dual-Link with Access Layer Only (MPLS-A + DMVPN)
    Branch 204: Single-Router, Single-Link (MPLS)
    Branch 205: Single-Router, Single-Link (DMVPN)
Summary
Appendix A: SBA for Large Agencies Document System

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Unified Communications SRND (Based on Cisco Unified Communications Manager 7.x)

© 2010 Cisco Systems, Inc. All rights reserved.

Introduction

Figure 1. Cisco SBA Model

For Cisco partners and customers with 2000–10,000 connected users, we have created an “out-of-the-box” deployment that is simple, fast, affordable, scalable, and flexible. We have designed it to be easy—easy to configure, deploy, and manage.

The simplicity of this deployment, though, belies the depth and breadth of the architecture. Based on feedback from many customers and partners, Cisco has developed a solid network foundation with a flexible platform that does not require re-engineering to support additional Network or User services.

Cisco SBA for Large Agencies—Borderless Networks is documented in a single design guide, and deployment guides and configuration guides for each of the three sections: LAN, WAN, and Internet Edge.

Cisco SBA for Large Agencies—Borderless Networks is a prescriptive reference design that provides step-by-step instructions for the deployment of the products in the design. It is based on Enterprise best practice principles.
Based on feedback from customers and partners, Cisco has developed a solid network foundation as a flexible platform that does not require reengineering to include additional network or user services.

[Figure 1 layers: User Services (Voice, Video, Web Meetings); Network Services (Security, WAN Optimization, Guest Access); Network Foundation (Routing, Switching, Wireless, and Internet)]

This deployment guide has been architected to make your life a little bit—maybe even a lot—smoother. This architecture:
• Provides a solid foundation
• Makes deployment fast and easy
• Accelerates ability to easily deploy additional services
• Avoids the need for re-engineering of the core network

Tech Tip
Some of the base concepts referenced in this guide are covered in the SBA BN Design and Deployment Guides; these documents should be reviewed first.

Using the Deployment Guides

To reflect our ease-of-use principle, the Cisco SBA for Large Agencies—Borderless Networks architecture has been divided into three sections: LAN, WAN, and Internet Edge. Each section has its own Deployment Guide and Configuration Guide.

Each guide is organized into modules. You can start at the beginning or jump to any module. Each part of the guide is designed to stand alone, so you can deploy the Cisco technology for that section without having to follow the previous module.

Each Deployment Guide starts with an Agency Overview and a Technology Overview. It covers the basics of the deployment guide, the value for you and your customer, and the broad stroke features and benefits of this compelling design. Each then has different modules depending on the network components being covered.
The WAN Deployment Guide has the following sections:
• Deploying an MPLS WAN
• Deploying a DMVPN WAN
• Deploying a WAN Remote-Site Distribution Layer
• Deploying WAN Quality of Service
• Deploying WAN Optimization with WAAS

Using the WAN Configuration Guide

This document provides the available configuration files for the products used in the Cisco SBA for Large Agencies—Borderless Networks WAN Deployment Guide. It is a companion document to the deployment guide as a reference for engineers who are evaluating or deploying SBA.

Both the WAN Deployment Guide and the WAN Configuration Guide provide the complete list of products used in the lab testing of this design.

Graphical Interface Management

There are products in this design where we have omitted the configuration file. Those products have browser-based graphical configuration tools. Please refer to the companion Cisco SBA for Large Agencies—Borderless Networks WAN Deployment Guide at http://www.cisco.com/go/sba for step-by-step instructions on configuring those products.
[Figure: Cisco SBA for Large Agencies—Borderless Networks architecture overview, showing the campus, data center, Internet edge, WAN aggregation, regional office, remote sites, and teleworker / mobile worker]

Large Agencies WAN Deployment Product List

| Functional Area | Product | Part Numbers | Software Version |
|---|---|---|---|
| WAN 500 Design | | | |
| WAN Aggregation: MPLS CE Router | ASR1002 Router | ASR1002; SASR1R1-AISK9-26SR; ASR1002-PWR-AC; ASR1000-ESP5 | IOS XE 3.1.0S; asr1000rp1-advipservicesk9.03.01.00.S.150-1.S.bin |
| WAN Aggregation: DMVPN Hub Router | ASR1002 Router | ASR1002; SASR1R1-AISK9-26SR; FLASR1-IPSEC-RTU; ASR1002-PWR-AC; ASR1000-ESP5 | IOS XE 3.1.0S; asr1000rp1-advipservicesk9.03.01.00.S.150-1.S.bin |
| WAN Aggregation: WAAS Central Manager | WAVE-574 WAAS Appliance | WAVE-574-K9; WAAS-ENT-APL | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; oe574-4.2.1.38 |
| WAN Aggregation: WAAS Application Accelerator | WAE-7371-K9 WAAS Appliance | WAE-7371-K9; SF-WAAS-4.2-SAS-K9; WAAS-ENT-APL | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; oe7371-4.2.1.38 |
| WAN 100 Design | | | |
| WAN Aggregation: MPLS CE Router | Cisco3945E | CISCO3945E/K9; SL-39-DATA-K9; C3900-SPE250/K9; PWR-3900-AC | 15.1(1)T; c3900e-universalk9-mz.SPA.151-1.T.bin |
| WAN Aggregation: DMVPN Hub Router | Cisco3945E | CISCO3945E-SEC/K9; SL-39-DATA-K9; C3900-SPE250/K9; PWR-3900-AC | 15.1(1)T; c3900e-universalk9-mz.SPA.151-1.T.bin |
| WAN Aggregation: WAAS Central Manager | WAVE-574 WAAS Appliance | WAVE-574-K9; WAAS-ENT-APL | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; oe574-4.2.1.38 |
| WAN Aggregation: WAAS Application Accelerator | WAE-7341-K9 WAAS Appliance | WAE-7341-K9; SF-WAAS-4.2-SAS-K9; WAAS-ENT-APL | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; oe7341-4.2.1.38 |
| WAN Remote Site Routers | | | |
| MPLS CE Router, DMVPN Spoke Router | Cisco2911 | CISCO2911-VSEC/K9; SL-29-DATA-K9; PWR-2911-AC | 15.0(1)M2; c2900-universalk9-mz.SPA.150-1.M2.bin |
| MPLS CE Router, DMVPN Spoke Router | Cisco2921 | CISCO2921-VSEC/K9; SL-29-DATA-K9; PWR-2921-AC | 15.0(1)M2; c2900-universalk9-mz.SPA.150-1.M2.bin |
| MPLS CE Router, DMVPN Spoke Router | Cisco3925 | C3925-VSEC/K9; SL-39-DATA-K9; PWR-3900-AC | 15.0(1)M2; c3900-universalk9-mz.SPA.150-1.M2.bin |
| MPLS CE Router, DMVPN Spoke Router | Cisco3945 | C3945-VSEC/K9; SL-39-DATA-K9; PWR-3900-AC | 15.0(1)M2; c3900-universalk9-mz.SPA.150-1.M2.bin |
| WAN Remote Site WAAS | | | |
| Application Accelerator Network Module for ISR-G2 | NME-WAE-502 | NME-WAE-502-K9; SM-NM-ADPTR; WAAS-ENT-NM | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; nme-wae-502-4.2.1.38 |
| Application Accelerator Service Module for ISR-G2 | SM-SRE-700-K9 | SM-SRE-700-K9; WAAS-ENT-NM | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; sm-wae-4.2.1.38 |
| Application Accelerator WAVE-574 Appliance | WAVE-574 | WAVE-574-K9; WAAS-ENT-APL | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; oe574-4.2.1.38 |
| Application Accelerator WAE-674 Appliance | WAE-674 | WAE-674-K9; WAAS-ENT-APL | 4.2.1 (WAAS-UNIVERSAL-K9) Build b38; oe674-4.2.1.38 |
| LAN Switching | | | |
| Distribution Layer | Catalyst 3750G Stackable 12 Port SFP | WS-C3750G-12S-S (Catalyst 3750 12 SFP + IPS Image); CAB-STACK-50CM | 12.2(53)SE1; c3750e-universalk9-mz.122-53.SE1.bin |
| Distribution Layer | Catalyst 4507RE, Dual Supervisors, Dual Power Supplies | WS-C4507R-E (Catalyst 4500 E-Series 7-Slot Chassis); WS-X45-SUP6-E (Catalyst 4500 E-Series Sup 6-E, 2x10GE(X2) with Twin Gig); WS-X4624-SFP-E (Catalyst 4500 E-Series 24-Port GE (SFP)); WS-X4606-X2-E (Catalyst 4500 E-Series 6-Port 10GbE (X2)) | 12.2-53.SG1; cat4500e-entservicesk9-mz.122-53.SG1.bin |
| Distribution Layer | Catalyst 6500 VSS | WS-C6506-E (Catalyst 6500 E-Series 6-Slot Chassis); VS-S720-10G-3C (Catalyst 6500 VSS Supervisor 720 with 2 ports 10GbE); WS-X6724-SFP (Catalyst 6500 24-port GigE Mod (SFP)); WS-X6716-10G-3C (Catalyst 6500 16 port 10 Gigabit Ethernet w/ DFC3C (X2)) | 12.2(33) SXI3 with the IP Services Feature Set; s72033-ipservicesk9_wan-mz.122-33.SXI3.bin |

WAN Configuration Files

WAN-Aggregation Devices

This section includes configuration files corresponding to the WAN500 design topology as referenced in Figure 2. A summary of the various distribution layer switch device interconnections to other WAN-aggregation components is provided in Table 1.

Table 1. WAN500 Distribution Layer Switch Port Channel Information

| Port-Channel | Member Interfaces | Layer 3/Layer 2 | Connected Device |
|---|---|---|---|
| 1 | gig1/0/3, gig2/0/3 | Layer 3 | ce-asr1004-1 |
| 2 | gig1/0/8, gig2/0/8 | Layer 3 | ce-asr1004-2 |
| 3 | gig1/0/29, gig2/0/29 | Layer 3 | vpn-asr1006-1 |
| 7 | gig1/0/4, gig2/0/4 | Layer 2 (Vlan350) | wae7341-1 |
| 8 | gig1/0/2, gig2/0/2 | Layer 2 (Vlan350) | wae7341-2 |

Figure 2. WAN-Aggregation Design—WAN500

BNWan3750

!
! Last configuration change at 17:11:50 UTC Tue Jun 22 2010 by admin
! NVRAM config last updated at 17:34:16 UTC Tue Jun 22 2010 by admin
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec
service password-encryption
!
hostname BNWan3750
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ST8n$bzZMf0i0haySML2xWcK6r1
!
username admin privilege 15 password 7 04585A150C2E1D1C5A
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
switch 1 provision ws-c3750e-48pd
switch 2 provision ws-c3750e-48pd
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
!
!
no ip domain-lookup
ip domain-name cisco.local
ip multicast-routing distributed
vtp mode transparent
udld aggressive
!
mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 350
 name WAN_Service_Net-10.4.128.128
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
!
!
interface Loopback0
 ip address 10.4.128.240 255.255.255.255
 ip pim sparse-mode
!
interface Port-channel1
 description ce-asr1004-1
 no switchport
 ip address 10.4.128.1 255.255.255.252
 ip pim sparse-mode
!
interface Port-channel2
 description ce-asr1004-2
 no switchport
 ip address 10.4.128.9 255.255.255.252
 ip pim sparse-mode
!
interface Port-channel3
 description vpn-asr1006-1
 no switchport
 ip address 10.4.128.17 255.255.255.252
 ip pim sparse-mode
!
interface Port-channel7
 description wae7341-1
 switchport access vlan 350
!
interface Port-channel8
 description wae7341-2
 switchport access vlan 350
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 description wae-7341-1 gig1/0
 switchport access vlan 350
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 7 mode on
!
interface GigabitEthernet1/0/3
 description ce-asr1004-1 gig0/0/0
 no switchport
 no ip address
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 1 mode on
!
interface GigabitEthernet1/0/4
 description wae-7341-2 gig1/0
 switchport access vlan 350
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 8 mode on
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
 description ce-asr1004-2 gig0/0/0
 no switchport
 no ip address
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 2 mode on
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
 description vpn-asr1006-1 gig0/0/0
 no switchport
 no ip address
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 3 mode on
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface TenGigabitEthernet1/0/1
 description Link to C6509-L
 no switchport
 ip address 10.4.60.42 255.255.255.252
 ip pim sparse-mode
 ip summary-address eigrp 100 10.4.128.0 255.255.192.0 90
 ip summary-address eigrp 100 10.4.240.0 255.255.240.0 90
 ip summary-address eigrp 100 10.5.0.0 255.255.0.0
!
interface TenGigabitEthernet1/0/2
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
 description wae-7341-1 gig2/0
 switchport access vlan 350
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 7 mode on
!
interface GigabitEthernet2/0/3
 description ce-asr1004-1 gig0/0/1
 no switchport
 no ip address
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 1 mode on
!
interface GigabitEthernet2/0/4
 description wae-7341-2 gig2/0
 switchport access vlan 350
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 8 mode on
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
 description ce-asr1004-2 gig0/0/1
 no switchport
 no ip address
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 2 mode on
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
!
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
!
interface GigabitEthernet2/0/29
 description vpn-asr1006-1 gig0/0/1
 no switchport
 no ip address
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 3 mode on
!
interface GigabitEthernet2/0/30
!
interface GigabitEthernet2/0/31
!
interface GigabitEthernet2/0/32
!
interface GigabitEthernet2/0/33
!
interface GigabitEthernet2/0/34
!
interface GigabitEthernet2/0/35
!
interface GigabitEthernet2/0/36
!
interface GigabitEthernet2/0/37
!
interface GigabitEthernet2/0/38
!
interface GigabitEthernet2/0/39
!
interface GigabitEthernet2/0/40
!
interface GigabitEthernet2/0/41
!
interface GigabitEthernet2/0/42
!
interface GigabitEthernet2/0/43
!
interface GigabitEthernet2/0/44
!
interface GigabitEthernet2/0/45
!
interface GigabitEthernet2/0/46
!
interface GigabitEthernet2/0/47
!
interface GigabitEthernet2/0/48
!
interface GigabitEthernet2/0/49
!
interface GigabitEthernet2/0/50
!
interface GigabitEthernet2/0/51
!
interface GigabitEthernet2/0/52
!
interface TenGigabitEthernet2/0/1
 description Link to C6509-R
 no switchport
 ip address 10.4.60.46 255.255.255.252
 ip pim sparse-mode
 ip summary-address eigrp 100 10.4.128.0 255.255.192.0 90
 ip summary-address eigrp 100 10.4.240.0 255.255.240.0 90
 ip summary-address eigrp 100 10.5.0.0 255.255.0.0
!
interface TenGigabitEthernet2/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan350
 ip address 10.4.128.129 255.255.255.192
 ip pim sparse-mode
!
router eigrp 100
 network 10.4.0.0 0.0.255.255
 passive-interface default
 no passive-interface TenGigabitEthernet1/0/1
 no passive-interface TenGigabitEthernet2/0/1
 no passive-interface Port-channel1
 no passive-interface Port-channel2
 no passive-interface Port-channel3
 eigrp router-id 10.4.128.240
 nsf
!
ip classless
!
no ip http server
ip http secure-server
ip pim rp-address 10.4.60.252 10
!
!
ip sla enable reaction-alerts
access-list 10 permit 239.1.0.0 0.0.255.255
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback1
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
ntp clock-period 36029410
ntp server 10.4.200.17
end

ce-asr1004-1

!
! Last configuration change at 15:18:14 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:18:30 PDT Tue Jun 22 2010 by admin
!
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-ce-asr1004-1
!
boot-start-marker
boot system flash bootflash:asr1000rp1-advipservicesk9.02.06.00.122-33.XNF.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$q2uz$QuEupHuI/g0dXTnMNu9na.
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
no ip source-route
!
!
no ip domain lookup
ip domain name cisco.local
ip multicast-routing distributed
!
!
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 141443180F0B7B7977
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0508571C22431F5B4A
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username admin privilege 15 password 7 141443180F0B7B7977
!
redundancy
 mode none
!
!
!
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any BGP
 match protocol bgp
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
!
policy-map MARK-BGP
 class BGP
  set dscp cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 300000000
  service-policy WAN
!
!
!
!
!
interface Loopback0
 ip address 10.4.128.241 255.255.255.255
 ip pim sparse-mode
!
interface Port-channel1
 ip address 10.4.128.2 255.255.255.252
 ip wccp 61 redirect in
 ip pim sparse-mode
 no negotiation auto
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 channel-group 1
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 channel-group 1
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/4
 bandwidth 300000
 ip address 10.4.142.1 255.255.255.252
 ip wccp 62 redirect in
 ip pim sparse-mode
 negotiation auto
 no cdp enable
 service-policy output WAN-INTERFACE-G0/0/4
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
!
router eigrp 100
 distribute-list BLOCK-DIST-ROUTES-CE in
 default-metric 100000 100 255 1 1500
 network 10.4.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 no passive-interface Port-channel1
 eigrp router-id 10.4.128.241
!
router bgp 65511
 no synchronization
 bgp router-id 10.4.128.241
 bgp log-neighbor-changes
 network 0.0.0.0
 network 10.4.142.0 mask 255.255.255.252
 redistribute eigrp 100
 neighbor 10.4.128.242 remote-as 65511
 neighbor 10.4.128.242 update-source Loopback0
 neighbor 10.4.128.242 next-hop-self
 neighbor 10.4.142.2 remote-as 65401
 no auto-summary
!
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
!
ip access-list standard BLOCK-DIST-ROUTES-CE
 remark Block WAN specific routes from WAN distribution layer
 deny 10.5.0.0 0.0.255.255
 deny 10.4.142.0 0.0.0.255
 deny 10.4.143.0 0.0.0.255
 permit any
ip access-list standard BN-WAE
 permit 10.4.128.162
 permit 10.4.128.161
!
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
cdp run
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
!
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 0235015819031B0A4957
!
control-plane
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7 04585A150C2E1D1C5A
 transport input ssh
line vty 5 15
!
ntp clock-period 17143909
ntp source Loopback0
ntp server 10.4.200.17
end

ce-asr1004-2

!
! Last configuration change at 09:19:33 PDT Wed Jun 23 2010 by admin
! NVRAM config last updated at 09:19:34 PDT Wed Jun 23 2010 by admin
!
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-ce-asr1004-2
!
boot-start-marker
boot system flash bootflash:asr1000rp1-advipservicesk9.02.06.00.122-33.XNF.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$eihd$d7.pftsZ/9jCQa9Y9B8q91
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
no ip source-route
!
!
no ip domain lookup
ip domain name cisco.local
ip multicast-routing distributed
!
!
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 141443180F0B7B7977
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0508571C22431F5B4A
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username admin password 7 06055E324F41584B56
!
redundancy
 mode none
!
!
!
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any BGP
 match protocol bgp
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
!
policy-map MARK-BGP
 class BGP
  set dscp cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 150000000
  service-policy WAN
!
!
!
!
!
interface Loopback0
 ip address 10.4.128.242 255.255.255.255
 ip pim sparse-mode
!
interface Port-channel2
 ip address 10.4.128.10 255.255.255.252
 ip wccp 61 redirect in
 ip pim sparse-mode
 no negotiation auto
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 channel-group 2
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 channel-group 2
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/4
 bandwidth 150000
 ip address 10.4.143.1 255.255.255.252
 ip wccp 62 redirect in
 ip pim sparse-mode
 negotiation auto
 no cdp enable
 service-policy output WAN-INTERFACE-G0/0/4
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
!
router eigrp 100
 distribute-list BLOCK-DIST-ROUTES-CE in
 default-metric 100000 100 255 1 1500
 network 10.4.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 no passive-interface Port-channel2
 eigrp router-id 10.4.128.242
!
router bgp 65511
 no synchronization
 bgp router-id 10.4.128.242
 bgp log-neighbor-changes
 network 0.0.0.0
 network 10.4.143.0 mask 255.255.255.252
 redistribute eigrp 100
 neighbor 10.4.128.241 remote-as 65511
 neighbor 10.4.128.241 update-source Loopback0
 neighbor 10.4.128.241 next-hop-self
 neighbor 10.4.143.2 remote-as 65402
 no auto-summary
!
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
!
ip access-list standard BLOCK-DIST-ROUTES-CE
 remark Block WAN specific routes from WAN distribution layer
 deny 10.5.0.0 0.0.255.255
 deny 10.4.142.0 0.0.0.255
 deny 10.4.143.0 0.0.0.255
 permit any
ip access-list standard BN-WAE
 permit 10.4.128.162
 permit 10.4.128.161
!
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
cdp run
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
!
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 113A1C0605171F270133
!
control-plane
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
ntp clock-period 17177730
ntp source Loopback0
ntp server 10.4.200.17
end

vpn-asr1006-1

!
! Last configuration change at 15:27:03 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:28:53 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname vpn-asr1006-1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 4 /DtCCr53Q4B18jSIm1UEqu7cNVZTOhxTZyUnZdsSrsw
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
no ip source-route
!
ip vrf INET-PUBLIC
 rd 65512:1
!
!
!
no ip domain lookup
ip domain name cisco.local
ip multicast-routing distributed
!
!
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 141443180F0B7B7977
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0508571C22431F5B4A
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
username admin password 7 070C705F4D06485744
!
redundancy
 mode sso
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp profile isakmp-profile-inet-public
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 INET-PUBLIC
!
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile isakmp-profile-inet-public
!
!
!
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
 match access-group name ISAKMP
!
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 100000000
  service-policy WAN
!
!
!
!
!
interface Loopback0
 ip address 10.4.128.243 255.255.255.255
 ip pim sparse-mode
!
interface Port-channel3
 ip address 10.4.128.18 255.255.255.252
 ip wccp 61 redirect in
 ip pim sparse-mode
 no negotiation auto
!
interface Tunnel10
 bandwidth 100000
 ip address 10.4.132.1 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip hold-time eigrp 200 35
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp redirect
 no ip split-horizon eigrp 200
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/4
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 cdp enable
 channel-group 3
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 cdp enable
 channel-group 3
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 bandwidth 100000
 ip vrf forwarding INET-PUBLIC
 ip address 10.4.128.33 255.255.255.248
 negotiation auto
 service-policy output WAN-INTERFACE-G0/0/4
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
!
router eigrp 100
 network 10.4.128.16 0.0.0.3
 network 10.4.128.243 0.0.0.0
 redistribute eigrp 200
 passive-interface default
 no passive-interface Port-channel3
 eigrp router-id 10.4.128.243
!
!
router eigrp 200
 network 10.4.132.0 0.0.1.255
 redistribute eigrp 100
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.4.128.243
!
!
no ip http server
no ip http secure-server
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 10.4.128.35
!
ip access-list standard BN-WAE
 permit 10.4.128.162
 permit 10.4.128.161
!
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
logging esm config
access-list 10 permit 239.1.0.0 0.0.255.255
cdp run
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
!
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 0812494D1B1C113C1712
!
control-plane
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
exception data-corruption buffer truncate
ntp clock-period 17181045
ntp source Loopback0
ntp server 10.4.200.17
end

wae7341-1

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-wae7341-1
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface PortChannel 1
!
interface PortChannel 1
 ip address 10.4.128.161 255.255.255.192
 exit
!
!
interface GigabitEthernet 1/0
 channel-group 1
 exit
interface GigabitEthernet 2/0
 channel-group 1
 exit
!
!
ip default-gateway 10.4.128.129
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.4.128.241 10.4.128.242 10.4.128.243
! default wccp mask is src-ip-mask 0xf00 dst-ip-mask 0x0
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw== mask-assign
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

wae7341-2

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-wae7341-2
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface PortChannel 1
!
interface PortChannel 1
 ip address 10.4.128.162 255.255.255.192
 exit
!
!
interface GigabitEthernet 1/0
 channel-group 1
 exit
interface GigabitEthernet 2/0
 channel-group 1
 exit
!
!
ip default-gateway 10.4.128.129
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.4.128.241 10.4.128.242 10.4.128.243
! default wccp mask is src-ip-mask 0xf00 dst-ip-mask 0x0
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw== mask-assign
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

WAN Remote-Site Devices

This section includes configuration files corresponding to the WAN 500 design topology as referenced in Figure 3. Each remote-site type has its respective devices grouped together along with any other relevant configuration information.

Figure 3. WAN Remote-Site Designs

The specific details for the MPLS and DMVPN connections at each site are listed in Table 2.

Table 2. Remote-Site WAN Connection Details

Remote-Site Information MPLS (Our AS = 65511) Location Net Block MPLS CE MPLS PE Carrier AS Branch 200 (dual router) 10.5.0.0/21 (gi0/0) 10.4.142.25 10.4.142.26 65401 (A) LAN Interfaces Loopbacks (gi0/1, gi0/2) 10.5.0.254 (r1) (gi0/0) DHCP (gi0/1, gi0/2) 10.5.0.253 (r2) DMVPN Branch 201 10.5.40.0/21 (gi0/0) 10.4.142.145 10.4.142.146 65401 (A) (gi0/1) DHCP (gi0/2) 10.5.40.254 (r) Branch 202 10.5.128.0/21 (gi0/0) 10.4.143.137 10.4.143.138 65401 (A) (gi0/1) DHCP (gi0/2) 10.5.128.254 (r) Branch 203 (dual router) 10.5.48.0/21 (gi0/0) 10.4.142.153 10.4.142.154 65401 (A) (gi0/1) 10.5.48.254 (r1) (gi0/1) 10.5.48.253 (r2) (gi1/0) 10.5.56.254 (r) (gi0/2) 10.5.192.254 (r) (gi0/0) DHCP Branch 204 10.5.56.0/21 Branch 205 10.5.192.0/21 (gi0/0) 10.4.142.33 10.4.142.34 65401 (A) 65401 (A) (gi0/0) DHCP

The link speeds for the remote-site QoS traffic shaping policies are listed in Table 3.

Table 3. Remote-Site Link Speeds

| Location | Net Block | MPLS Link Speed (Policed Rate) | DMVPN Link Speed (Policed Rate) |
|---|---|---|---|
| Branch 200 (dual router) | 10.5.0.0/21 | 50 Mbps | 25 Mbps |
| Branch 201 | 10.5.40.0/21 | 10 Mbps | 10 Mbps |
| Branch 202 | 10.5.128.0/21 | 10 Mbps | 10 Mbps |
| Branch 203 (dual router) | 10.5.48.0/21 | 20 Mbps | 10 Mbps |
| Branch 204 | 10.5.56.0/21 | 20 Mbps | |
| Branch 205 | 10.5.192.0/21 | | 10 Mbps |

Branch 200: Dual-Router, Dual-Link with Distribution Layer (MPLS-A + DMVPN)

The IP address information for Branch 200 is shown in Table 4.
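A check a reviewer could run over IOS configurations modelled on the listings in this section before reusing them: it flags cleartext and reversible (type 7) secrets, a wildcard DMVPN pre-shared key, ISAKMP Diffie-Hellman groups 1 and 2, SNMP communities that are read-write or carry no ACL, and a disabled exec timeout on lines. This is an added example, not part of the Cisco guide; the rule names, the functions and the sample configuration (including every secret in it) are constructed for illustration, and the input is assumed to have one command per line, as "show running-config" prints it.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the style of the IOS listings in this section.
# Every secret and community string below is made up for the example.
SAMPLE_CONFIG = """\
hostname bn-example-router
no service password-encryption
enable secret 5 $1$abcd$CONSTRUCTEDHASHVALUE00
username admin privilege 15 password 0 ExamplePlaintext
username oper password 7 0000000000
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key ExampleKey
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
snmp-server community EXAMPLE-RO RO
snmp-server community EXAMPLE-RW RW 55
line vty 0 4
 exec-timeout 0 0
 password ExampleLinePw
 transport input ssh
"""

# Rule names are hypothetical labels chosen for this example.
RULES = {
    "PASSWORD_ENCRYPTION_OFF": "secrets are stored as typed (type 0)",
    "CLEARTEXT_SECRET": "password or key readable in the configuration",
    "TYPE7_REVERSIBLE": "type 7 is reversible obfuscation, not a hash",
    "TYPE4_DEPRECATED": "type 4 is unsalted single-pass SHA-256",
    "WILDCARD_PSK": "one pre-shared key accepted from any peer address",
    "WEAK_DH_GROUP": "ISAKMP group 1 or 2 (768/1024-bit MODP)",
    "SNMP_RW_COMMUNITY": "read-write SNMP community string",
    "SNMP_NO_ACL": "SNMP community not restricted by an ACL",
    "NO_EXEC_TIMEOUT": "idle sessions on this line never time out",
}

# "<keyword> [type] <value>" at the end of a command; the type digit is optional.
SECRET_RE = re.compile(r"\b(password|key|secret) (?:(\d) )?(\S+)$")
SNMP_RE = re.compile(r"^snmp-server community \S+ (RO|RW)(?: (\S+))?$")


class Finding(NamedTuple):
    line_no: int
    rule: str
    section: str  # top-level command the line sits under
    text: str


def rules_for(cmd: str, section: str) -> List[str]:
    """Return the rule names that one command triggers in its section."""
    hits = []
    if cmd == "no service password-encryption":
        hits.append("PASSWORD_ENCRYPTION_OFF")
    m = SECRET_RE.search(cmd)
    if m:
        kind = m.group(2)
        if kind in (None, "0"):
            hits.append("CLEARTEXT_SECRET")
        elif kind == "7":
            hits.append("TYPE7_REVERSIBLE")
        elif kind == "4":
            hits.append("TYPE4_DEPRECATED")
    if section.startswith("crypto keyring") and cmd.startswith(
        "pre-shared-key address 0.0.0.0 0.0.0.0"
    ):
        hits.append("WILDCARD_PSK")
    # "group N" only means a DH group inside an ISAKMP policy block.
    if section.startswith("crypto isakmp policy") and re.fullmatch(r"group [12]", cmd):
        hits.append("WEAK_DH_GROUP")
    m = SNMP_RE.match(cmd)
    if m:
        if m.group(1) == "RW":
            hits.append("SNMP_RW_COMMUNITY")
        if m.group(2) is None:
            hits.append("SNMP_NO_ACL")
    if section.startswith("line ") and cmd == "exec-timeout 0 0":
        hits.append("NO_EXEC_TIMEOUT")
    return hits


def audit(config: str) -> List[Finding]:
    """Walk a configuration, tracking the enclosing top-level command."""
    findings: List[Finding] = []
    section = ""
    for line_no, raw in enumerate(config.splitlines(), 1):
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue  # blank line or comment/separator
        if not raw.startswith(" "):
            section = cmd  # unindented line opens a new section
        for rule in rules_for(cmd, section):
            findings.append(Finding(line_no, rule, section, cmd))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.line_no:3}  {f.rule:24} {RULES[f.rule]}")
```

The flattened listings on this page would have to be restored to one command per line before a check of this kind gives meaningful section context.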
Table 4. Branch 200—IP Address Information

Remote-Site Information Wired Subnets Location Net Block Data Branch 200 10.5.0.0/21 10.5.1.0/24 (Vlan100) 10.5.5.0/24 (Vlan 69) 10.5.4.0/24 (Vlan 64) 10.5.7.0/24 (Vlan xx) 10.5.6.0/24 (Vlan xx) Voice Wireless Subnets Operational IP Assignments Data (Vlan 65) Voice (Vlan 70) Loopbacks and Switches 10.5.2.0/24 10.5.3.0/24 WAE 10.5.0.254 (r1) 10.5.0.253 (r2) 10.5.0.252 (dist) 10.5.4.5 (sw) 10.5.1.8 10.5.1.9

Additional information to connect to the distribution layer is included in Table 5 and Table 6.

Table 5. Branch 200—Router Connection to Distribution Layer

| Location | Net Block | Router | Port Channel | Member Interfaces | Subinterface | Vlan | Network |
|---|---|---|---|---|---|---|---|
| Branch 200 | 10.5.0.0/21 | br200-3945-1 | 1 | gig0/1, gig0/2 | Port-channel1.50 | 50 | 10.5.0.0/30 |
| | | | | | Port-channel1.99 (transit network) | 99 | 10.5.0.8/30 |
| | | br200-3945-2 | 2 | gig0/1, gig0/2 | Port-channel2.54 | 54 | 10.5.0.4/30 |
| | | | | | Port-channel2.99 (transit network) | 99 | 10.5.0.8/30 |

Table 6. Branch 200—Distribution Layer Switch Connections

| Port-Channel | Member Interfaces | Layer3/Layer2 | Connected Device |
|---|---|---|---|
| 1 | gig1/0/1, gig2/0/2 | Trunk (Vlan50,99) | br200-3945-1 |
| 2 | gig1/0/2, gig2/0/2 | Trunk (Vlan54,99) | br200-3945-1 |
| 7 | gig1/0/3, gig2/0/3 | Layer 2 (Vlan200) | br200-wae674-1 |
| 8 | gig1/0/4, gig2/0/4 | Layer 2 (Vlan200) | br200-wae674-2 |
| 10 | gig1/0/12, gig2/0/12 | Trunk (Vlan64,69) | access-switch |

br200-3945-1

!
! Last configuration change at 15:59:54 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 16:00:52 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br200-3945-1
!
boot-start-marker
boot system flash flash0:/c3900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$av9N$FvuhHddONDXzEz6qPnwnl.
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 094F1F1A1A0A464058
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 130646010803557878
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
license udi pid C3900-SPE150/K9 sn FOC133037J0
!
!
username admin privilege 15 password 7 141443180F0B7B7977
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any BGP
 match protocol bgp
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
!
!
policy-map MARK-BGP
 class BGP
  set dscp cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 50000000
  service-policy WAN
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.0.254 255.255.255.255
 ip pim sparse-mode
 !
!
interface Port-channel1
 no ip address
 !
 hold-queue 150 in
!
interface Port-channel1.50
 encapsulation dot1Q 50
 ip address 10.5.0.1 255.255.255.252
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface Port-channel1.99
 encapsulation dot1Q 99
 ip address 10.5.0.9 255.255.255.252
 ip pim sparse-mode
!
interface GigabitEthernet0/0
 bandwidth 50000
 ip address 10.4.142.25 255.255.255.252
 ip wccp 62 redirect in
 ip pim sparse-mode
 duplex auto
 speed auto
 no cdp enable
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
 !
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 channel-group 1
 !
!
!
!
router eigrp 100
 default-metric 100000 100 255 1 1500
 network 10.5.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 no passive-interface Port-channel1.50
 no passive-interface Port-channel1.99
!
router bgp 65511
 no synchronization
 bgp router-id 10.5.0.254
 bgp log-neighbor-changes
 network 10.4.142.24 mask 255.255.255.252
 network 10.5.0.0 mask 255.255.255.252
 aggregate-address 10.5.0.0 255.255.248.0 summary-only
 neighbor 10.4.142.26 remote-as 65401
 no auto-summary
!
ip forward-protocol nd
!
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.1.8
 permit 10.5.1.9
!
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 142417081E013E002131
!
control-plane
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br200-3945-2

!
! Last configuration change at 15:59:52 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:59:52 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br200-3945-2
!
boot-start-marker
boot system flash flash0:/c3900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$T12c$44ad7.y83eLRYU3XQEDlN0
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip vrf INET-PUBLIC
 rd 65512:1
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0205554808095E731F
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 06055E324F41584B56
!
multilink bundle-name authenticated
!
!
license udi pid C3900-SPE100/K9 sn FOC133932KA
!
!
username admin password 7 15115A1F07257A767B
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
 match access-group name ISAKMP
!
!
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 25000000
  service-policy WAN
!
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 INET-PUBLIC
!
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.0.253 255.255.255.255
 ip pim sparse-mode
 !
!
interface Tunnel10
 ip address 10.4.132.200 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip pim dr-priority 0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco123
 ip nhrp map 10.4.132.1 172.16.130.1
 ip nhrp map multicast 172.16.130.1
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 10.4.132.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip summary-address eigrp 200 10.5.0.0 255.255.248.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
 !
!
interface Port-channel2
 no ip address
 !
 hold-queue 150 in
!
interface Port-channel2.54
 encapsulation dot1Q 54
 ip address 10.5.0.5 255.255.255.252
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface Port-channel2.99
 encapsulation dot1Q 99
 ip address 10.5.0.10 255.255.255.252
 ip pim sparse-mode
!
interface GigabitEthernet0/0
 bandwidth 25000
 ip vrf forwarding INET-PUBLIC
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
 speed auto
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 2
 !
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 channel-group 2
 !
!
!
router eigrp 200
 network 10.4.132.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.0.253
!
!
router eigrp 100
 network 10.5.0.0 0.0.255.255
 redistribute eigrp 200
 passive-interface default
 no passive-interface Port-channel2.54
 no passive-interface Port-channel2.99
 eigrp router-id 10.5.0.253
!
ip forward-protocol nd
!
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.1.8
 permit 10.5.1.9
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq bootpc
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 142417081E013E002131
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br200-3750stack

!
! Last configuration change at 12:17:08 PDT Wed Jun 23 2010 by admin
! NVRAM config last updated at 12:17:15 PDT Wed Jun 23 2010 by admin
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname bn-br200-3750stack
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$AFl.$MlUSAh2DdE.ra2gxF2/6Z/
!
username admin privilege 15 password 0 c1sco123
!
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
udld aggressive
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cisco.local
!
!
ip multicast-routing distributed
!
mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint TP-self-signed-2786884608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2786884608
 revocation-check none
 rsakeypair TP-self-signed-2786884608
!
!
crypto pki certificate chain TP-self-signed-2786884608
 certificate self-signed 01
  quit
!
!
!
port-channel load-balance src-dst-ip
!
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 50,54,64-65,69-70,99
!
vlan 100
 name Data
!
ip ssh source-interface Loopback0
ip ssh version 2
!
!
!
interface Loopback0
 ip address 10.5.0.252 255.255.255.255
 ip pim sparse-mode
!
interface Port-channel1
 description connection to br200-3945-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,99
 switchport mode trunk
!
interface Port-channel2
 description connection to br200-3945-2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 54,99
 switchport mode trunk
!
interface Port-channel7
 switchport access vlan 100
!
interface Port-channel8
 switchport access vlan 100
!
interface Port-channel10
 description br200-3560-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,65
 switchport mode trunk
 logging event trunk-status
 logging event bundle-status
!
interface GigabitEthernet1/0/1
 description connected to bn-br200-3945-1 on gig0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,99
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description connected to bn-br200-3945-2 on gig0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 54,99
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 2 mode on
!
interface GigabitEthernet1/0/3
 description connected to bn-br200-wae674-1 on NIC 1
 switchport access vlan 100
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 7 mode on
!
interface GigabitEthernet1/0/4
 description connected to bn-br200-wae674-2 on NIC 1
 switchport access vlan 100
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 8 mode on
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,65
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-protocol lacp
 channel-group 10 mode active
!
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,99
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 1 mode on
!
interface GigabitEthernet2/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 54,99
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 2 mode on
!
interface GigabitEthernet2/0/3
 switchport access vlan 100
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 7 mode on
!
interface GigabitEthernet2/0/4
 switchport access vlan 100
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-group 8 mode on
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,65
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 channel-protocol lacp
 channel-group 10 mode active
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 ip address 10.5.0.2 255.255.255.252
 ip pim sparse-mode
!
interface Vlan54
 ip address 10.5.0.6 255.255.255.252
 ip pim sparse-mode
!
interface Vlan64
 ip address 10.5.4.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim passive
!
interface Vlan65
 ip address 10.5.2.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim passive
!
interface Vlan69
 ip address 10.5.5.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim passive
!
interface Vlan70
 ip address 10.5.3.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim passive
!
interface Vlan100
 ip address 10.5.1.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim passive
!
!
router eigrp 100
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Vlan50
 no passive-interface Vlan54
 eigrp router-id 10.5.0.252
 nsf
!
ip classless
no ip http server
ip http secure-server
!
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
!
ip sla enable reaction-alerts
access-list 10 permit 239.1.0.0 0.0.255.255
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key SecretKey
!
!
line con 0
line vty 0 4
 exec-timeout 0 0
 password c1sco123
 transport input ssh
line vty 5 15
 transport input ssh
!
ntp clock-period 36028938
ntp source Loopback0
ntp server 10.4.200.17
end

br200-wae674-1

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br200-wae674-1
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface PortChannel 1
!
interface PortChannel 1
 ip address 10.5.1.8 255.255.255.0
 exit
!
!
interface GigabitEthernet 1/0
 channel-group 1
 exit
interface GigabitEthernet 2/0
 channel-group 1
 exit
!
!
ip default-gateway 10.5.1.1
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.0.253 10.5.0.254
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

br200-wae674-2

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br200-wae674-2
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface PortChannel 1
!
interface PortChannel 1
 ip address 10.5.1.9 255.255.255.0
 exit
!
!
interface GigabitEthernet 1/0
 channel-group 1
 exit
interface GigabitEthernet 2/0
 channel-group 1
 exit
!
!
ip default-gateway 10.5.1.1
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.0.254 10.5.0.253
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

Branch 201: Single-Router, Dual-Link (MPLS-A + DMVPN)

The IP address information for Branch 201 is shown in Table 7.

Table 7. Branch 201—IP Address Information

  Remote-Site Information
    Location:               Branch 201
    Net Block:              10.5.40.0/21
  Wired Subnets
    Data:                   10.5.44.0/24
    Voice:                  10.5.45.0/24
  Wireless Subnets
    Data (Vlan 65):         10.5.42.0/24
    Voice (Vlan 70):        10.5.43.0/24
  Operational IP Assignments
    Loopbacks and Switches: 10.5.40.254 (r), 10.5.44.5 (sw)
    WAE:                    10.5.44.8

br201-2911

!
! Last configuration change at 15:55:57 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:56:11 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br201-2911
!
boot-start-marker
boot system flash flash0:c2900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$CY2u$UyHfG7vNvWsZi97EqaYTA/
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip vrf INET-PUBLIC
 rd 65512:1
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 094F1F1A1A0A464058
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0205554808095E731F
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1347A1TN
hw-module sm 1
!
!
!
username admin privilege 15 password 7 0007421507545A545C
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any BGP
 match protocol bgp
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
 match access-group name ISAKMP
!
!
policy-map MARK-BGP
 class BGP
  set dscp cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
   service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/1
 class class-default
  shape average 10000000
   service-policy WAN
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 10000000
   service-policy WAN
!
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 INET-PUBLIC
!
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.40.254 255.255.255.255
 ip pim sparse-mode
!
!
interface Tunnel10
 ip address 10.4.132.201 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip pim dr-priority 0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco123
 ip nhrp map multicast 172.16.130.1
 ip nhrp map 10.4.132.1 172.16.130.1
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 10.4.132.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip summary-address eigrp 200 10.5.40.0 255.255.248.0
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
!
!
interface GigabitEthernet0/0
 bandwidth 10000
 ip address 10.4.142.145 255.255.255.252
 ip wccp 62 redirect in
 ip pim sparse-mode
 duplex auto
 speed auto
 no cdp enable
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
 speed auto
 no cdp enable
 !
 service-policy output WAN-INTERFACE-G0/1
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2.64
 description Data1
 encapsulation dot1Q 64
 ip address 10.5.44.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet0/2.65
 description WirelessData
 encapsulation dot1Q 65
 ip address 10.5.42.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet0/2.69
 description Voice1
 encapsulation dot1Q 69
 ip address 10.5.45.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
interface GigabitEthernet0/2.70
 description WirelessVoice
 encapsulation dot1Q 70
 ip address 10.5.43.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
interface Integrated-Service-Engine1/0
 ip address 1.1.1.1 255.255.255.252
 service-module external ip address 10.5.44.8 255.255.255.0
 !Application: Restarted at Wed Jul 26 14:51:05 2006
 service-module ip default-gateway 10.5.44.1
 no keepalive
!
!
!
router eigrp 200
 network 10.4.132.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.40.254
!
router bgp 65511
 no synchronization
 bgp router-id 10.5.40.254
 bgp log-neighbor-changes
 network 10.4.142.144 mask 255.255.255.252
 network 10.5.44.0 mask 255.255.255.0
 network 10.5.45.0 mask 255.255.255.0
 aggregate-address 10.5.40.0 255.255.248.0 summary-only
 neighbor 10.4.142.146 remote-as 65401
 no auto-summary
!
ip forward-protocol nd
!
ip bgp-community new-format
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.44.8
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq bootpc
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 00371605165E1F2D0A38
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 password 7 04585A150C2E1D1C5A
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br201-wae502

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br201-wae502
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface GigabitEthernet 2/0
!
!
!
interface GigabitEthernet 1/0
 exit
interface GigabitEthernet 2/0
 exit
!
!
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.40.254
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

Branch 202: Single-Router, Dual-Link (MPLS-B + DMVPN)

The IP address information for Branch 202 is shown in Table 8.

Table 8.
Branch 202—IP Address Information

  Remote-Site Information
    Location:               Branch 202
    Net Block:              10.5.128.0/21
  Wired Subnets
    Data:                   10.5.132.0/24
    Voice:                  10.5.133.0/24
  Wireless Subnets
    Data (Vlan 65):         10.5.130.0/24
    Voice (Vlan 70):        10.5.131.0/24
  Operational IP Assignments
    Loopbacks and Switches: 10.5.128.254 (r), 10.5.132.5 (sw)
    WAE:                    10.5.132.8

br202-2911

!
! Last configuration change at 15:50:27 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:51:16 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br202-2911
!
boot-start-marker
boot system flash flash0:c2900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$YV1B$W4bBZUh9z8A6uzYR2bLsP/
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip vrf INET-PUBLIC
 rd 65512:1
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 06055E324F41584B56
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0508571C22431F5B4A
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1347A1TC
!
!
username admin privilege 15 password 7 04585A150C2E1D1C5A
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any BGP
 match protocol bgp
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
 match access-group name ISAKMP
!
!
policy-map MARK-BGP
 class BGP
  set dscp cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
   service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/1
 class class-default
  shape average 10000000
   service-policy WAN
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 10000000
   service-policy WAN
!
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 INET-PUBLIC
!
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.128.254 255.255.255.252
 ip pim sparse-mode
!
!
interface Tunnel10
 ip address 10.4.132.202 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip pim dr-priority 0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco123
 ip nhrp map multicast 172.16.130.1
 ip nhrp map 10.4.132.1 172.16.130.1
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 10.4.132.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip summary-address eigrp 200 10.5.128.0 255.255.248.0
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
!
!
interface GigabitEthernet0/0
 bandwidth 10000
 ip address 10.4.143.137 255.255.255.252
 ip wccp 62 redirect in
 ip pim sparse-mode
 duplex auto
 speed auto
 no cdp enable
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
 speed auto
 no cdp enable
 !
 service-policy output WAN-INTERFACE-G0/1
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2.64
 description Data1
 encapsulation dot1Q 64
 ip address 10.5.132.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet0/2.65
 description wireless data
 encapsulation dot1Q 65
 ip address 10.5.130.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet0/2.69
 description voice 1
 encapsulation dot1Q 69
 ip address 10.5.133.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
interface GigabitEthernet0/2.70
 description wireless voice
 encapsulation dot1Q 70
 ip address 10.5.131.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
!
router eigrp 200
 network 10.4.132.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.128.254
!
router bgp 65511
 no synchronization
 bgp router-id 10.5.128.254
 bgp log-neighbor-changes
 network 10.4.143.136 mask 255.255.255.252
 network 10.5.132.0 mask 255.255.255.0
 network 10.5.133.0 mask 255.255.255.0
 aggregate-address 10.5.128.0 255.255.248.0 summary-only
 neighbor 10.4.143.138 remote-as 65402
 no auto-summary
!
ip forward-protocol nd
!
ip bgp-community new-format
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.132.8
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq bootpc
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 097F4B0A0B0003390E15
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 transport input ssh
line vty 5 15
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br202-wave574

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br202-wave574
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface GigabitEthernet 1/0
!
!
!
interface GigabitEthernet 1/0
 ip address 10.5.132.8 255.255.255.0
 exit
interface GigabitEthernet 2/0
 shutdown
 exit
!
!
ip default-gateway 10.5.132.1
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.128.254
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

Branch 203: Dual-Router, Dual-Link with Access Layer Only (MPLS-A + DMVPN)

The IP address information for Branch 203 is shown in Table 9.

Table 9. Branch 203—IP Address Information

  Remote-Site Information
    Location:               Branch 203
    Net Block:              10.5.48.0/21
  Wired Subnets
    Data:                   10.5.52.0/24
    Voice:                  10.5.53.0/24
  Wireless Subnets
    Data (Vlan 65):         10.5.50.0/24
    Voice (Vlan 70):        10.5.51.0/24
  Operational IP Assignments
    Loopbacks and Switches: 10.5.48.254 (r1), 10.5.48.253 (r2), 10.5.52.5 (sw)
    WAE:                    10.5.52.8, 10.5.52.9

br203-2921-1

!
! Last configuration change at 15:43:48 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 12:38:04 PDT Thu Jun 17 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br203-2921-1
!
boot-start-marker
boot system flash flash0:c2900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$CABP$z/eavJoMbeg7yT51Qc0rm0
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0205554808095E731F
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 104D580A061843595F
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1348AHN0
hw-module sm 1
!
!
!
username admin privilege 15 password 7 141443180F0B7B7977
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
track 50 ip sla 100 reachability
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any BGP
 match protocol bgp
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
!
!
policy-map MARK-BGP
 class BGP
  set dscp cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
   service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 20000000
   service-policy WAN
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.48.254 255.255.255.255
 ip pim sparse-mode
!
!
interface GigabitEthernet0/0
 bandwidth 20000
 ip address 10.4.142.153 255.255.255.252
 ip wccp 62 redirect in
 ip pim sparse-mode
 duplex auto
 speed auto
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.64
 description DATA1
 encapsulation dot1Q 64
 ip address 10.5.52.2 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim dr-priority 110
 ip pim sparse-mode
 standby 1 ip 10.5.52.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 50 decrement 10
!
interface GigabitEthernet0/1.65
 description wireless data
 encapsulation dot1Q 65
 ip address 10.5.50.2 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim dr-priority 110
 ip pim sparse-mode
 standby 1 ip 10.5.50.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 50 decrement 10
!
interface GigabitEthernet0/1.69
 encapsulation dot1Q 69
 ip address 10.5.53.2 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim dr-priority 110
 ip pim sparse-mode
 standby 1 ip 10.5.53.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 50 decrement 10
!
interface GigabitEthernet0/1.70
 description wireless voice
 encapsulation dot1Q 70
 ip address 10.5.51.2 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim dr-priority 110
 ip pim sparse-mode
 standby 1 ip 10.5.51.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 50 decrement 10
!
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 ip address 10.5.48.1 255.255.255.252
 ip pim sparse-mode
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface SM1/0
 ip address 1.1.1.1 255.255.255.252
 service-module external ip address 10.5.52.8 255.255.255.0
 !Application: Restarted at Sat Apr 22 06:31:24 2006
 service-module ip default-gateway 10.5.52.1
!
!
interface SM1/1
 no ip address
 shutdown
!
!
!
router eigrp 100
 default-metric 100000 100 255 1 1500
 network 10.5.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 no passive-interface GigabitEthernet0/1.99
 eigrp router-id 10.5.48.254
!
router bgp 65511
 no synchronization
 bgp router-id 10.5.48.254
 bgp log-neighbor-changes
 network 10.4.142.152 mask 255.255.255.252
 network 10.5.52.0 mask 255.255.255.0
 network 10.5.53.0 mask 255.255.255.0
 aggregate-address 10.5.48.0 255.255.248.0 summary-only
 neighbor 10.4.142.154 remote-as 65401
 no auto-summary
!
ip forward-protocol nd
!
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.52.9
 permit 10.5.52.8
!
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
ip sla 100
 icmp-echo 10.4.142.154 source-interface GigabitEthernet0/0
 timeout 1000
 threshold 1000
 frequency 15
ip sla schedule 100 life forever start-time now
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 04680E051D2458650C00
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line vty 0 4
 exec-timeout 0 0
 password 7 04585A150C2E1D1C5A
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br203-2921-2

!
! Last configuration change at 15:47:40 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:48:01 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br203-2921-2
!
boot-start-marker
boot system flash flash0:c2900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$uVo/$xEyKRDXmAItutbat6YVAK/
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip vrf INET-PUBLIC
 rd 65512:1
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 04585A150C2E1D1C5A
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0508571C22431F5B4A
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1348AHMM
hw-module sm 1
!
!
!
username admin privilege 15 password 7 08221D5D0A16544541
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
 match access-group name ISAKMP
!
!
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 10000000
   service-policy WAN
!
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 INET-PUBLIC
!
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.48.253 255.255.255.255
 ip pim sparse-mode
!
!
interface Tunnel10
 ip address 10.4.132.203 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip pim dr-priority 0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco123
 ip nhrp map 10.4.132.1 172.16.130.1
 ip nhrp map multicast 172.16.130.1
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 10.4.132.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip summary-address eigrp 200 10.5.48.0 255.255.248.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
!
!
interface GigabitEthernet0/0
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
 speed auto
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.64
 description DATA1
 encapsulation dot1Q 64
 ip address 10.5.52.3 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim dr-priority 105
 ip pim sparse-mode
 standby 1 ip 10.5.52.1
 standby 1 priority 105
 standby 1 preempt
!
interface GigabitEthernet0/1.65
 description wireless data
 encapsulation dot1Q 65
 ip address 10.5.50.3 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim dr-priority 105
 ip pim sparse-mode
 standby 1 ip 10.5.50.1
 standby 1 priority 105
 standby 1 preempt
!
interface GigabitEthernet0/1.69
 encapsulation dot1Q 69
 ip address 10.5.53.3 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim dr-priority 105
 ip pim sparse-mode
 standby 1 ip 10.5.53.1
 standby 1 priority 105
 standby 1 preempt
!
interface GigabitEthernet0/1.70
 description wireless voice
 encapsulation dot1Q 70
 ip address 10.5.51.3 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim dr-priority 105
 ip pim sparse-mode
 standby 1 ip 10.5.51.1
 standby 1 priority 105
 standby 1 preempt
!
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 ip address 10.5.48.2 255.255.255.252
 ip pim sparse-mode
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface SM1/0
 ip address 1.1.1.1 255.255.255.252
 service-module external ip address 10.5.52.9 255.255.255.0
 !Application: Restarted at Tue Feb 21 22:11:11 2006
 service-module ip default-gateway 10.5.52.1
!
!
interface SM1/1
 no ip address
 shutdown
!
!
!
router eigrp 200
 network 10.4.132.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.48.253
!
!
router eigrp 100
 network 10.5.0.0 0.0.255.255
 redistribute eigrp 200
 passive-interface default
 no passive-interface GigabitEthernet0/1.99
 eigrp router-id 10.5.48.253
!
ip forward-protocol nd
!
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.52.9
 permit 10.5.52.8
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq bootpc
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 073C244F5C0C0D2E120B
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line vty 0 4
 exec-timeout 0 0
 password 7 04585A150C2E1D1C5A
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br203-wae-sre-1

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br203-wae-sre-1
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface GigabitEthernet 2/0
!
!
!
interface GigabitEthernet 1/0
 exit
interface GigabitEthernet 2/0
 exit
!
!
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.48.253 10.5.48.254
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

br203-wae-sre-2

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br203-wae-sre-2
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface GigabitEthernet 2/0
!
!
!
interface GigabitEthernet 1/0
 exit
interface GigabitEthernet 2/0
 exit
!
!
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.48.253 10.5.48.254
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

Branch 204: Single-Router, Single-Link (MPLS)

The IP address information for Branch 204 is shown in Table 10.

Table 10. Branch 204—IP Address Information

Remote-Site Information
  Location: Branch 204
  Net Block: 10.5.56.0/21
Wired Subnets
  Data: 10.5.60.0/24
  Voice: 10.5.61.0/24
Wireless Subnets
  Data (Vlan 65): 10.5.58.0/24
  Voice (Vlan 70): 10.5.59.0/24
Operational IP Assignments
  Loopbacks and Switches: 10.5.56.254 (r), 10.5.60.5 (sw)
  WAE: 10.5.60.8

br204-2921

!
! Last configuration change at 15:37:44 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:38:07 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br204-2921
!
boot-start-marker
boot system flash flash0:c2900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$gRMs$BSG38sg9EH.9FumwsQsrp/
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 130646010803557878
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 0007421507545A545C
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FHK1345F209
!
!
username admin privilege 15 password 7 15115A1F07257A767B
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any BGP
 match protocol bgp
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
!
!
policy-map MARK-BGP
 class BGP
  set dscp cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 20000000
  service-policy WAN
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.56.254 255.255.255.255
 ip pim sparse-mode
!
!
interface GigabitEthernet0/0
 bandwidth 20000
 ip address 10.4.142.33 255.255.255.252
 ip wccp 62 redirect in
 ip pim sparse-mode
 duplex auto
 speed auto
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface GigabitEthernet1/0
 ip address 1.1.1.1 255.255.255.252
 !
 hold-queue 60 out
!
interface GigabitEthernet1/0.64
 encapsulation dot1Q 64
 ip address 10.5.60.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet1/0.65
 encapsulation dot1Q 65
 ip address 10.5.58.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet1/0.69
 encapsulation dot1Q 69
 ip address 10.5.61.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
interface GigabitEthernet1/0.70
 encapsulation dot1Q 70
 ip address 10.5.59.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
!
router bgp 65511
 no synchronization
 bgp log-neighbor-changes
 network 10.4.142.32 mask 255.255.255.252
 network 10.5.60.0 mask 255.255.255.0
 network 10.5.61.0 mask 255.255.255.0
 aggregate-address 10.5.56.0 255.255.248.0 summary-only
 neighbor 10.4.142.34 remote-as 65401
 no auto-summary
!
ip forward-protocol nd
!
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.60.8
!
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 00371605165E1F2D0A38
!
control-plane
!
!
!
!
mgcp fax t38 ecm
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 logging synchronous
line aux 0
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line vty 0 4
 password 7 04585A150C2E1D1C5A
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br204-wae502

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br204-wave574
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface GigabitEthernet 1/0
!
!
!
interface GigabitEthernet 1/0
 ip address 10.5.60.8 255.255.255.0
 exit
interface GigabitEthernet 2/0
 shutdown
 exit
!
!
ip default-gateway 10.5.60.1
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.56.254
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

Branch 205: Single-Router, Single-Link (DMVPN)

The IP address information for Branch 205 is shown in Table 11.

Table 11.
Branch 205—IP Address Information

Remote-Site Information
  Location: Branch 205
  Net Block: 10.5.192.0/21
Wired Subnets
  Data: 10.5.196.0/24
  Voice: 10.5.197.0/24
Wireless Subnets
  Data (Vlan 65): 10.5.194.0/24
  Voice (Vlan 70): 10.5.195.0/24
Operational IP Assignments
  Loopbacks and Switches: 10.5.192.254 (r), 10.5.196.5 (sw)
  WAE: 10.5.196.8

br205-2911

!
! Last configuration change at 15:33:05 PDT Tue Jun 22 2010 by admin
! NVRAM config last updated at 15:33:31 PDT Tue Jun 22 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bn-br205-2911
!
boot-start-marker
boot system flash flash0:c2900-universalk9-mz.SPA.150-1.M2.bin
boot-end-marker
!
enable secret 5 $1$L4UX$DEVlydkBrvAIXA3Mks52j0
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip vrf INET-PUBLIC
 rd 65512:1
!
ip multicast-routing
!
!
no ip domain lookup
ip domain name cisco.local
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 121A540411045D5679
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 08221D5D0A16544541
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1411ALG3
!
!
archive
 log config
  hidekeys
username admin password 7 011057175804575D72
!
redundancy
!
!
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
 match access-group name ISAKMP
!
!
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 10000000
  service-policy WAN
!
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 INET-PUBLIC
!
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.192.254 255.255.255.255
 ip pim sparse-dense-mode
!
!
interface Tunnel10
 ip address 10.4.132.205 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip pim dr-priority 0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco123
 ip nhrp map multicast 172.16.130.1
 ip nhrp map 10.4.132.1 172.16.130.1
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 10.4.132.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip summary-address eigrp 200 10.5.192.0 255.255.248.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
!
!
interface GigabitEthernet0/0
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
 speed auto
 !
 service-policy output WAN-INTERFACE-G0/0
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2.64
 description Data1 VLAN
 encapsulation dot1Q 64
 ip address 10.5.196.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet0/2.65
 description WirelessData VLAN
 encapsulation dot1Q 65
 ip address 10.5.194.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip wccp 61 redirect in
 ip pim sparse-mode
!
interface GigabitEthernet0/2.69
 description Voice1 VLAN
 encapsulation dot1Q 69
 ip address 10.5.197.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
interface GigabitEthernet0/2.70
 description WirelessVoice VLAN
 encapsulation dot1Q 70
 ip address 10.5.195.1 255.255.255.0
 ip helper-address 10.4.200.10
 ip pim sparse-mode
!
interface Integrated-Service-Engine1/0
 ip address 1.1.1.1 255.255.255.252
 shutdown
 service-module external ip address 10.5.196.8 255.255.255.0
 !Application: Restarted at Wed Jul 26 15:05:50 2006
 service-module ip default-gateway 10.5.196.1
 no keepalive
!
!
!
router eigrp 200
 network 10.4.132.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.192.254
!
ip forward-protocol nd
!
ip pim rp-address 10.4.60.252 10
ip pim register-source Loopback0
no ip http server
no ip http secure-server
!
!
ip access-list standard BN-WAE
 permit 10.5.196.8
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq bootpc
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
ip access-list extended WAAS-REDIRECT-LIST
 remark WAAS WCCP Mgmt Redirect List
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
!
ip radius source-interface Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255
!
!
!
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
radius-server host 10.4.200.15 auth-port 1645 acct-port 1646 key 7 0235015819031B0A4957
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 exec-timeout 0 0
 password 7 04585A150C2E1D1C5A
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 10.4.200.17
end

br205-wae502

! WAAS-UNIVERSAL-K9 version 4.2.1 (build b38 Jun 16 2010)
!
device mode application-accelerator
!
!
hostname bn-br205-wae502
!
clock timezone PST -8 0
!
!
ip domain-name cisco.local
!
!
!
primary-interface GigabitEthernet 2/0
!
!
!
interface GigabitEthernet 1/0
 exit
interface GigabitEthernet 2/0
 exit
!
!
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.200.10
!
!
!
ntp server 10.4.200.17
!
!
!
wccp router-list 1 10.5.192.254
wccp tcp-promiscuous router-list-num 1 encrypted password j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE 7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.200.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

Summary

The WAN Configuration Guide is a supplemental guide to be used with the WAN Deployment Guide.

The WAN Deployment Guide is a reference design for Cisco customers and partners. It covers the WAN component of Cisco SBA for Large Agencies—Borderless Networks and is meant to be used in conjunction with the Cisco SBA for Large Agencies—Borderless Networks LAN Deployment Guide and Internet Edge Deployment Guide, which you can find on www.cisco.com/go/sba.

If this design does not scale to meet your needs, please refer to the Cisco Validated Designs (CVD) for larger deployment models. CVDs can be found on Cisco.com.

The Cisco products used in this design were tested in a network lab at Cisco. The specific products are listed near the beginning of this document for your convenience.
Appendix A: SBA for Large Agencies Document System

[Figure: document map of the SBA for Large Agencies guides. Titles shown: Design Overview, IPv6 Addressing Guide, Wireless CleanAir Deployment Guide, LAN Deployment Guide, Nexus 7000 Deployment Guide, SIEM Deployment Guide, LAN Configuration Guide, WAN Deployment Guide, ArcSight SIEM Partner Guide, LogLogic SIEM Partner Guide, WAN Configuration Guide, Internet Edge Deployment Guide, nFx SIEM Partner Guide, Internet Edge Configuration Guide, SolarWinds Deployment Guide, RSA SIEM Partner Guide, Splunk SIEM Partner Guide, Data Security Deployment Guide, CREDANT Data Security Partner Guide, Lumension Data Security Partner Guide.]

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) C07-641109-00 02/11