Point-to-Point GRE over IPsec Design Guide
Scalability Test Bed Configuration Files

Table Of Contents

Scalability Test Bed Configuration Files

Cisco 7200VXR Headend Configuration

Cisco Catalyst 6500/Sup2/VPNSM Headend Configuration

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on Sup720)

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on VPN SPA)

Cisco 7200VXR/7600 Dual Tier Headend Architecture Configurations

Cisco 7600/Sup720/VPN SPA Headend Configuration

ISR Branch Configuration


Scalability Test Bed Configuration Files


The configurations for the central and branch sites are listed in the following sections. Note that these configurations have been extracted from real configurations used in Cisco scalability testing. They are provided as a reference only.

Cisco 7200VXR Headend Configuration

There are two headend devices in the test bed, each terminating a p2p GRE over IPsec tunnel from all branch routers. The configuration shown below is an excerpt of the first headend and does not contain configuration commands for all branches. The ISAKMP PSK, the crypto peer, the tunnel interface, and the crypto access list are shown for one device.

Headend #1:

ip cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.0.2
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto map static-map local-address GigabitEthernet0/1
crypto map static-map 100 ipsec-isakmp   
 set peer 192.168.0.2
 set transform-set vpn-test 
 match address b000
!
interface Loopback0
 description Loopback0
 ip address 10.57.1.255 255.255.255.255
!
interface Tunnel0
 description vpn5-2600-1-000
 bandwidth 1536
 ip address 10.60.0.193 255.255.255.252
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 tunnel source 192.168.251.1
 tunnel destination 192.168.0.2
 crypto map static-map
! 
interface GigabitEthernet0/1
 description GigabitEthernet0/1
 ip address 192.168.251.1 255.255.255.248
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
 crypto map static-map
!
interface GigabitEthernet0/2
 description GigabitEthernet0/2
 ip address 10.57.1.1 255.255.255.248
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.251.2
!
ip access-list extended b000
 permit gre host 192.168.251.1 host 192.168.0.2
!

Cisco Catalyst 6500/Sup2/VPNSM Headend Configuration

Headend #1:

hostname vpn4-6500-2
!
logging snmp-authfail
logging buffered 65535 debugging
enable password cisco
!
clock timezone EST -5
clock summer-time EDT recurring
clock calendar-valid
ip subnet-zero
!
no ip domain-lookup
!
mpls ldp logging neighbor-changes
mls flow ip destination
mls flow ipx destination
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.0.2
crypto isakmp key bigsecret address 192.168.1.2
crypto isakmp key bigsecret address 192.168.2.2
!
!. . . repetitive lines omitted . . .
!
crypto isakmp key bigsecret address 192.168.60.26
crypto isakmp key bigsecret address 192.168.61.26
crypto isakmp key bigsecret address 192.168.62.26
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto map static-map local-address Vlan100
crypto map static-map 100 ipsec-isakmp   
 set peer 192.168.0.2
 set transform-set vpn-test 
 match address b0000
crypto map static-map 101 ipsec-isakmp   
 set peer 192.168.1.2
 set transform-set vpn-test 
 match address b0001
crypto map static-map 102 ipsec-isakmp   
 set peer 192.168.2.2
 set transform-set vpn-test 
 match address b0002
!
!. . . repetitive lines omitted . . .
!
crypto map static-map 1120 ipsec-isakmp   
 set peer 192.168.60.26
 set transform-set vpn-test 
 match address b1020
crypto map static-map 1121 ipsec-isakmp   
 set peer 192.168.61.26
 set transform-set vpn-test 
 match address b1021
crypto map static-map 1122 ipsec-isakmp   
 set peer 192.168.62.26
 set transform-set vpn-test 
 match address b1022
!
no spanning-tree vlan 100
!
redundancy
 mode rpr-plus
 main-cpu
  auto-sync running-config
  auto-sync standard
!
interface Loopback0
 description Loopback0
 ip address 10.57.255.251 255.255.255.255
!
interface Tunnel0
 description vpn5-2600-1-0000
 bandwidth 1000000
 ip address 10.60.0.193 255.255.255.252
 ip hold-time eigrp 1 35
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 tunnel source 192.168.251.1
 tunnel destination 192.168.0.2
!
interface Tunnel1
 description vpn5-2600-2-0001
 bandwidth 1000000
 ip address 10.60.1.193 255.255.255.252
 ip hold-time eigrp 1 35
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 tunnel source 192.168.251.1
 tunnel destination 192.168.1.2
!
interface Tunnel2
 description vpn5-2600-3-0002
 bandwidth 1000000
 ip address 10.60.2.193 255.255.255.252
 ip hold-time eigrp 1 35
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 tunnel source 192.168.251.1
 tunnel destination 192.168.2.2
!
!. . . repetitive lines omitted . . .
!
interface Tunnel1020
 description ci26-2600-11-1020
 bandwidth 1000000
 ip address 10.67.64.193 255.255.255.252
 ip hold-time eigrp 1 35
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 tunnel source 192.168.251.1
 tunnel destination 192.168.60.26
!
interface Tunnel1021
 description ci26-2600-12-1021
 bandwidth 1000000
 ip address 10.67.65.193 255.255.255.252
 ip hold-time eigrp 1 35
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 tunnel source 192.168.251.1
 tunnel destination 192.168.61.26
!
interface Tunnel1022
 description ci26-2600-13-1022
 bandwidth 1000000
 ip address 10.67.66.193 255.255.255.252
 ip hold-time eigrp 1 35
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 tunnel source 192.168.251.1
 tunnel destination 192.168.62.26
!
interface GigabitEthernet2/1
 description GigabitEthernet2/1 Outside Interface
 no ip address
 load-interval 30
 crypto connect vlan 100
!
interface GigabitEthernet4/1
 description GigabitEthernet4/1
 no ip address
 load-interval 30
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet4/2
 description GigabitEthernet4/2
 no ip address
 load-interval 30
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 cdp enable
 spanning-tree portfast trunk
!
interface GigabitEthernet5/1
 description GigabitEthernet5/1 Inside Interface
 ip address 10.57.1.1 255.255.255.0
 load-interval 30
!
interface Vlan100
 description Vlan100
 ip address 192.168.251.1 255.255.255.0
 load-interval 30
 no mop enabled
 crypto map static-map
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 192.168.0.0 255.255.0.0 192.168.251.2
no ip http server
no ip http secure-server
!
ip access-list extended b0000
 permit gre host 192.168.251.1 host 192.168.0.2
ip access-list extended b0001
 permit gre host 192.168.251.1 host 192.168.1.2
ip access-list extended b0002
 permit gre host 192.168.251.1 host 192.168.2.2
ip access-list extended b0003
 permit gre host 192.168.251.1 host 192.168.3.2
!
!. . . repetitive lines omitted . . .
!
ip access-list extended b1020
 permit gre host 192.168.251.1 host 192.168.60.26
ip access-list extended b1021
 permit gre host 192.168.251.1 host 192.168.61.26
ip access-list extended b1022
 permit gre host 192.168.251.1 host 192.168.62.26
!
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
snmp-server enable traps tty
!
alias exec macedon remote command switch test lcp 4 lcp 1
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 transport input lat pad mop telnet rlogin udptn nasi ssh
line vty 5 15
 exec-timeout 0 0
 password cisco
 login
!
ntp clock-period 17179687
ntp server 10.57.1.2
end

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on Sup720)

In this configuration, the Cisco 7600 platform aggregates the p2p GRE over IPsec tunnels: the IPsec (crypto) tunnels terminate on the VPN SPA, while the p2p GRE encapsulation is handled by the Sup720.

Headend #1:

hostname vpn6-7600-1
!
ip multicast-routing 
no ip domain-lookup
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
no scripting tcl init
no scripting tcl encdir
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto dynamic-map dmap 10
 set transform-set vpn-test 
!
crypto map dynamic-map 10 ipsec-isakmp dynamic dmap 
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
power redundancy-mode combined
no diagnostic cns publish
no diagnostic cns subscribe
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Loopback0
 description Loopback0
 ip address 192.168.246.1 255.255.255.255
 load-interval 30
!
interface Loopback1
 description Loopback1
 ip address 192.168.246.2 255.255.255.255
 load-interval 30
!
interface Loopback2
 description Loopback2
 ip address 192.168.246.3 255.255.255.255
 load-interval 30
!
!. . . repetitive lines omitted . . .
!
interface Loopback999
 description Loopback999
 ip address 192.168.249.250 255.255.255.255
 load-interval 30
!
interface Loopback1000
 description Loopback1000
 ip address 10.57.255.251 255.255.255.255
 load-interval 30
!
interface Tunnel0
 description vpn5-2800-1-0000
 bandwidth 1000000
 ip address 10.60.0.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.246.1
 tunnel destination 192.168.0.2
!
interface Tunnel1
 description vpn5-2800-2-0001
 bandwidth 1000000
 ip address 10.60.1.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.246.2
 tunnel destination 192.168.1.2
!
interface Tunnel2
 description vpn5-2800-3-0002
 bandwidth 1000000
 ip address 10.60.2.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.246.3
 tunnel destination 192.168.2.2
!
!. . . repetitive lines omitted . . .
!
interface Tunnel998
 description ci25-2600-19-0998
 bandwidth 1000000
 ip address 10.67.18.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.249.249
 tunnel destination 192.168.38.26
!
interface Tunnel999
 description ci25-2600-20-0999
 bandwidth 1000000
 ip address 10.67.19.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.249.250
 tunnel destination 192.168.39.26
!
interface GigabitEthernet3/1
 description GigabitEthernet3/1 Outside Interface
 no ip address
 load-interval 30
 crypto connect vlan 100
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet5/1
 description GigabitEthernet5/1 Inside Interface
 ip address 10.57.1.1 255.255.255.0
 no ip redirects
 ip pim sparse-mode
 load-interval 30
!
interface Vlan100
 description Vlan100
 ip address 192.168.241.1 255.255.255.0
 load-interval 30
 no mop enabled
 crypto map dynamic-map
 crypto engine subslot 4/0
!
router ospf 1
 router-id 10.57.255.251
 log-adjacency-changes
 area 10.60.0.0 range 10.60.0.0 255.255.192.0
 area 10.60.64.0 range 10.60.64.0 255.255.192.0
 area 10.60.128.0 range 10.60.128.0 255.255.192.0
 area 10.60.192.0 range 10.60.192.0 255.255.192.0
 area 10.61.0.0 range 10.61.0.0 255.255.192.0
 area 10.61.64.0 range 10.61.64.0 255.255.192.0
 area 10.61.128.0 range 10.61.128.0 255.255.192.0
 area 10.61.192.0 range 10.61.192.0 255.255.192.0
 area 10.62.0.0 range 10.62.0.0 255.255.192.0
 area 10.62.64.0 range 10.62.64.0 255.255.192.0
 area 10.62.128.0 range 10.62.128.0 255.255.192.0
 area 10.62.192.0 range 10.62.192.0 255.255.192.0
 area 10.63.0.0 range 10.63.0.0 255.255.0.0
 area 10.64.0.0 range 10.64.0.0 255.255.192.0
 area 10.64.64.0 range 10.64.64.0 255.255.192.0
 area 10.64.128.0 range 10.64.128.0 255.255.192.0
 area 10.64.192.0 range 10.64.192.0 255.255.192.0
 area 10.65.0.0 range 10.65.0.0 255.255.192.0
 area 10.65.64.0 range 10.65.64.0 255.255.192.0
 area 10.65.128.0 range 10.65.128.0 255.255.192.0
 area 10.65.192.0 range 10.65.192.0 255.255.192.0
 area 10.66.0.0 range 10.66.0.0 255.255.192.0
 area 10.66.64.0 range 10.66.64.0 255.255.192.0
 area 10.66.128.0 range 10.66.128.0 255.255.192.0
 area 10.66.192.0 range 10.66.192.0 255.255.192.0
 area 10.67.0.0 range 10.67.0.0 255.255.192.0
 network 10.57.0.0 0.0.255.255 area 0.0.0.0
 network 10.60.0.0 0.0.63.255 area 10.60.0.0
 network 10.60.64.0 0.0.63.255 area 10.60.64.0
 network 10.60.128.0 0.0.63.255 area 10.60.128.0
 network 10.60.192.0 0.0.63.255 area 10.60.192.0
 network 10.61.0.0 0.0.63.255 area 10.61.0.0
 network 10.61.64.0 0.0.63.255 area 10.61.64.0
 network 10.61.128.0 0.0.63.255 area 10.61.128.0
 network 10.61.192.0 0.0.63.255 area 10.61.192.0
 network 10.62.0.0 0.0.63.255 area 10.62.0.0
 network 10.62.64.0 0.0.63.255 area 10.62.64.0
 network 10.62.128.0 0.0.63.255 area 10.62.128.0
 network 10.62.192.0 0.0.63.255 area 10.62.192.0
 network 10.63.0.0 0.0.255.255 area 10.63.0.0
 network 10.64.0.0 0.0.63.255 area 10.64.0.0
 network 10.64.64.0 0.0.63.255 area 10.64.64.0
 network 10.64.128.0 0.0.63.255 area 10.64.128.0
 network 10.64.192.0 0.0.63.255 area 10.64.192.0
 network 10.65.0.0 0.0.63.255 area 10.65.0.0
 network 10.65.64.0 0.0.63.255 area 10.65.64.0
 network 10.65.128.0 0.0.63.255 area 10.65.128.0
 network 10.65.192.0 0.0.63.255 area 10.65.192.0
 network 10.66.0.0 0.0.63.255 area 10.66.0.0
 network 10.66.64.0 0.0.63.255 area 10.66.64.0
 network 10.66.128.0 0.0.63.255 area 10.66.128.0
 network 10.66.192.0 0.0.63.255 area 10.66.192.0
 network 10.67.0.0 0.0.63.255 area 10.67.0.0
!
ip classless
ip route 192.168.0.0 255.255.0.0 192.168.241.2
!
no ip http server
ip pim autorp listener
!
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
ntp server 10.57.1.2
no cns aaa enable
end

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on VPN SPA)

In this configuration, the Cisco 7600 platform aggregates the p2p GRE over IPsec tunnels, with both the p2p GRE and the IPsec (crypto) tunnels terminating on the VPN SPA.

Headend #1:

hostname vpn6-7600-1
!
ip multicast-routing 
no ip domain-lookup
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
no scripting tcl init
no scripting tcl encdir
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto dynamic-map dmap 10
 set transform-set vpn-test 
!
crypto map dynamic-map local-address Vlan100
crypto map dynamic-map 10 ipsec-isakmp dynamic dmap 
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
power redundancy-mode combined
no diagnostic cns publish
no diagnostic cns subscribe
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Loopback0
 description Loopback0
 ip address 10.57.255.251 255.255.255.255
!
interface Tunnel0
 description vpn5-2800-1-0000
 bandwidth 1000000
 ip address 10.60.0.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.0.2
!
interface Tunnel1
 description vpn5-2800-2-0001
 bandwidth 1000000
 ip address 10.60.1.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.1.2
!
interface Tunnel2
 description vpn5-2800-3-0002
 bandwidth 1000000
 ip address 10.60.2.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.2.2
!
!. . . repetitive lines omitted . . .
!
interface Tunnel998
 description ci25-2600-19-0998
 bandwidth 1000000
 ip address 10.67.18.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.38.26
!
interface Tunnel999
 description ci25-2600-20-0999
 bandwidth 1000000
 ip address 10.67.19.193 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.39.26
!
interface GigabitEthernet3/1
 description GigabitEthernet3/1 Outside Interface
 no ip address
 load-interval 30
 crypto connect vlan 100
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet5/1
 description GigabitEthernet5/1 Inside Interface
 ip address 10.57.1.1 255.255.255.0
 no ip redirects
 ip pim sparse-mode
 load-interval 30
!
interface Vlan100
 description Vlan100
 ip address 192.168.241.1 255.255.255.0
 load-interval 30
 no mop enabled
 crypto map dynamic-map
 crypto engine subslot 4/0
!
router ospf 1
 router-id 10.57.255.251
 log-adjacency-changes
 area 10.60.0.0 range 10.60.0.0 255.255.192.0
 area 10.60.64.0 range 10.60.64.0 255.255.192.0
 area 10.60.128.0 range 10.60.128.0 255.255.192.0
 area 10.60.192.0 range 10.60.192.0 255.255.192.0
 area 10.61.0.0 range 10.61.0.0 255.255.192.0
 area 10.61.64.0 range 10.61.64.0 255.255.192.0
 area 10.61.128.0 range 10.61.128.0 255.255.192.0
 area 10.61.192.0 range 10.61.192.0 255.255.192.0
 area 10.62.0.0 range 10.62.0.0 255.255.192.0
 area 10.62.64.0 range 10.62.64.0 255.255.192.0
 area 10.62.128.0 range 10.62.128.0 255.255.192.0
 area 10.62.192.0 range 10.62.192.0 255.255.192.0
 area 10.63.0.0 range 10.63.0.0 255.255.0.0
 area 10.64.0.0 range 10.64.0.0 255.255.192.0
 area 10.64.64.0 range 10.64.64.0 255.255.192.0
 area 10.64.128.0 range 10.64.128.0 255.255.192.0
 area 10.64.192.0 range 10.64.192.0 255.255.192.0
 area 10.65.0.0 range 10.65.0.0 255.255.192.0
 area 10.65.64.0 range 10.65.64.0 255.255.192.0
 area 10.65.128.0 range 10.65.128.0 255.255.192.0
 area 10.65.192.0 range 10.65.192.0 255.255.192.0
 area 10.66.0.0 range 10.66.0.0 255.255.192.0
 area 10.66.64.0 range 10.66.64.0 255.255.192.0
 area 10.66.128.0 range 10.66.128.0 255.255.192.0
 area 10.66.192.0 range 10.66.192.0 255.255.192.0
 area 10.67.0.0 range 10.67.0.0 255.255.192.0
 network 10.57.0.0 0.0.255.255 area 0.0.0.0
 network 10.60.0.0 0.0.63.255 area 10.60.0.0
 network 10.60.64.0 0.0.63.255 area 10.60.64.0
 network 10.60.128.0 0.0.63.255 area 10.60.128.0
 network 10.60.192.0 0.0.63.255 area 10.60.192.0
 network 10.61.0.0 0.0.63.255 area 10.61.0.0
 network 10.61.64.0 0.0.63.255 area 10.61.64.0
 network 10.61.128.0 0.0.63.255 area 10.61.128.0
 network 10.61.192.0 0.0.63.255 area 10.61.192.0
 network 10.62.0.0 0.0.63.255 area 10.62.0.0
 network 10.62.64.0 0.0.63.255 area 10.62.64.0
 network 10.62.128.0 0.0.63.255 area 10.62.128.0
 network 10.62.192.0 0.0.63.255 area 10.62.192.0
 network 10.63.0.0 0.0.255.255 area 10.63.0.0
 network 10.64.0.0 0.0.63.255 area 10.64.0.0
 network 10.64.64.0 0.0.63.255 area 10.64.64.0
 network 10.64.128.0 0.0.63.255 area 10.64.128.0
 network 10.64.192.0 0.0.63.255 area 10.64.192.0
 network 10.65.0.0 0.0.63.255 area 10.65.0.0
 network 10.65.64.0 0.0.63.255 area 10.65.64.0
 network 10.65.128.0 0.0.63.255 area 10.65.128.0
 network 10.65.192.0 0.0.63.255 area 10.65.192.0
 network 10.66.0.0 0.0.63.255 area 10.66.0.0
 network 10.66.64.0 0.0.63.255 area 10.66.64.0
 network 10.66.128.0 0.0.63.255 area 10.66.128.0
 network 10.66.192.0 0.0.63.255 area 10.66.192.0
 network 10.67.0.0 0.0.63.255 area 10.67.0.0
!
ip classless
ip route 192.168.0.0 255.255.0.0 192.168.241.2
!
no ip http server
ip pim autorp listener
!
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
ntp server 10.57.1.2
no cns aaa enable
end

Cisco 7200VXR/7600 Dual Tier Headend Architecture Configurations

This configuration is for the Cisco 7200VXR terminating p2p GRE and the Cisco 7600 with Sup720 and VPN SPA providing high-capacity encryption.

hostname vpn2-7200-1
!
boot-start-marker
boot-end-marker
!
logging buffered 65535 debugging
enable password cisco
!
clock timezone EST -5
clock summer-time EDT recurring
clock calendar-valid
no aaa new-model
ip subnet-zero
!
ip cef
no ip domain lookup
!
ip ips po max-events 100
no ftp-server write-enable
!
interface Tunnel0
 description vpn5-2800-1-0000
 bandwidth 1000000
 ip address 10.60.0.193 255.255.255.252
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.0.2
!
interface Tunnel1
 description vpn5-2800-2-0001
 bandwidth 1000000
 ip address 10.60.1.193 255.255.255.252
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.1.2
!
interface Tunnel2
 description vpn5-2800-3-0002
 bandwidth 1000000
 ip address 10.60.2.193 255.255.255.252
 load-interval 30
 tunnel source 192.168.241.1
 tunnel destination 192.168.2.2
!
!. . . repetitive lines omitted . . .
!
interface Tunnel998
 description ci25-2600-19-0998
 bandwidth 1000000
 ip address 10.67.18.193 255.255.255.252
 load-interval 30
 tunnel source 192.168.245.1
 tunnel destination 192.168.38.26
!
interface Tunnel999
 description ci25-2600-20-0999
 bandwidth 1000000
 ip address 10.67.19.193 255.255.255.252
 load-interval 30
 tunnel source 192.168.245.1
 tunnel destination 192.168.39.26
!
interface Loopback0
 description Loopback0
 ip address 10.57.255.251 255.255.255.255
!
interface GigabitEthernet0/1
 description GigabitEthernet0/1
 no ip address
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet0/1.241
 description GigabitEthernet0/1.241
 encapsulation dot1Q 241
 ip address 192.168.241.1 255.255.255.0
!
interface GigabitEthernet0/1.242
 description GigabitEthernet0/1.242
 encapsulation dot1Q 242
 ip address 192.168.242.1 255.255.255.0
!
interface GigabitEthernet0/1.243
 description GigabitEthernet0/1.243
 encapsulation dot1Q 243
 ip address 192.168.243.1 255.255.255.0
!
interface GigabitEthernet0/1.244
 description GigabitEthernet0/1.244
 encapsulation dot1Q 244
 ip address 192.168.244.1 255.255.255.0
!
interface GigabitEthernet0/1.245
 description GigabitEthernet0/1.245
 encapsulation dot1Q 245
 ip address 192.168.245.1 255.255.255.0
!
interface GigabitEthernet0/2
 description GigabitEthernet0/2
 ip address 10.57.1.1 255.255.255.0
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
router ospf 1
 router-id 10.57.255.251
 log-adjacency-changes
 area 0.0.0.0 range 10.56.0.0 255.252.0.0
 area 10.60.0.0 range 10.60.0.0 255.255.192.0
 area 10.60.64.0 range 10.60.64.0 255.255.192.0
 area 10.60.128.0 range 10.60.128.0 255.255.192.0
 area 10.60.192.0 range 10.60.192.0 255.255.192.0
 area 10.61.0.0 range 10.61.0.0 255.255.192.0
 area 10.61.64.0 range 10.61.64.0 255.255.192.0
 area 10.61.128.0 range 10.61.128.0 255.255.192.0
 area 10.61.192.0 range 10.61.192.0 255.255.192.0
 area 10.62.0.0 range 10.62.0.0 255.255.192.0
 area 10.62.64.0 range 10.62.64.0 255.255.192.0
 area 10.62.128.0 range 10.62.128.0 255.255.192.0
 area 10.62.192.0 range 10.62.192.0 255.255.192.0
 area 10.63.0.0 range 10.63.0.0 255.255.0.0
 area 10.64.0.0 range 10.64.0.0 255.255.192.0
 area 10.64.64.0 range 10.64.64.0 255.255.192.0
 area 10.64.128.0 range 10.64.128.0 255.255.192.0
 area 10.64.192.0 range 10.64.192.0 255.255.192.0
 area 10.65.0.0 range 10.65.0.0 255.255.192.0
 area 10.65.64.0 range 10.65.64.0 255.255.192.0
 area 10.65.128.0 range 10.65.128.0 255.255.192.0
 area 10.65.192.0 range 10.65.192.0 255.255.192.0
 area 10.66.0.0 range 10.66.0.0 255.255.192.0
 area 10.66.64.0 range 10.66.64.0 255.255.192.0
 area 10.66.128.0 range 10.66.128.0 255.255.192.0
 area 10.66.192.0 range 10.66.192.0 255.255.192.0
 area 10.67.0.0 range 10.67.0.0 255.255.192.0
 network 10.57.0.0 0.0.255.255 area 0.0.0.0
 network 10.60.0.0 0.0.63.255 area 10.60.0.0
 network 10.60.64.0 0.0.63.255 area 10.60.64.0
 network 10.60.128.0 0.0.63.255 area 10.60.128.0
 network 10.60.192.0 0.0.63.255 area 10.60.192.0
 network 10.61.0.0 0.0.63.255 area 10.61.0.0
 network 10.61.64.0 0.0.63.255 area 10.61.64.0
 network 10.61.128.0 0.0.63.255 area 10.61.128.0
 network 10.61.192.0 0.0.63.255 area 10.61.192.0
 network 10.62.0.0 0.0.63.255 area 10.62.0.0
 network 10.62.64.0 0.0.63.255 area 10.62.64.0
 network 10.62.128.0 0.0.63.255 area 10.62.128.0
 network 10.62.192.0 0.0.63.255 area 10.62.192.0
 network 10.63.0.0 0.0.255.255 area 10.63.0.0
 network 10.64.0.0 0.0.63.255 area 10.64.0.0
 network 10.64.64.0 0.0.63.255 area 10.64.64.0
 network 10.64.128.0 0.0.63.255 area 10.64.128.0
 network 10.64.192.0 0.0.63.255 area 10.64.192.0
 network 10.65.0.0 0.0.63.255 area 10.65.0.0
 network 10.65.64.0 0.0.63.255 area 10.65.64.0
 network 10.65.128.0 0.0.63.255 area 10.65.128.0
 network 10.65.192.0 0.0.63.255 area 10.65.192.0
 network 10.66.0.0 0.0.63.255 area 10.66.0.0
 network 10.66.64.0 0.0.63.255 area 10.66.64.0
 network 10.66.128.0 0.0.63.255 area 10.66.128.0
 network 10.66.192.0 0.0.63.255 area 10.66.192.0
 network 10.67.0.0 0.0.63.255 area 10.67.0.0
!
ip classless
ip route 192.168.0.0 255.255.255.252 192.168.241.2
ip route 192.168.0.4 255.255.255.252 192.168.241.2
ip route 192.168.0.8 255.255.255.252 192.168.242.2
!
!. . . repetitive lines omitted . . .
!
ip route 192.168.159.16 255.255.255.252 192.168.244.2
ip route 192.168.159.20 255.255.255.252 192.168.245.2
!
no ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
snmp-server enable traps tty
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 password cisco
 login
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 transport preferred all
 transport input all
 transport output all
!
ntp server 10.57.1.2
!
end

Cisco 7600/Sup720/VPN SPA Headend Configuration

hostname vpn6-7600-1
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
clock calendar-valid
ip subnet-zero
!
no ip domain-lookup
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
no scripting tcl init
no scripting tcl encdir
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto dynamic-map dmap 10
 set transform-set vpn-test 
!
crypto map dynamic-map local-address Vlan100
crypto map dynamic-map 10 ipsec-isakmp dynamic dmap 
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
power redundancy-mode combined
no diagnostic cns publish
no diagnostic cns subscribe
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
interface GigabitEthernet3/1
 description GigabitEthernet3/1 Outside Interface
 no ip address
 load-interval 30
 crypto connect vlan 100
!
interface GigabitEthernet4/0/1
 description GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 load-interval 30
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 description GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 load-interval 30
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet5/1
 description GigabitEthernet5/1 to vpn2-7200-1 GE0/1
 ip address 192.168.181.2 255.255.255.0 secondary
 ip address 192.168.161.2 255.255.255.0
 no ip redirects
 load-interval 30
!
interface GigabitEthernet5/2
 description GigabitEthernet5/2 to vpn2-7200-2 GE0/1
 ip address 192.168.191.2 255.255.255.0 secondary
 ip address 192.168.171.2 255.255.255.0
 no ip redirects
 load-interval 30
!
interface Vlan100
 description Vlan100
 ip address 192.168.241.1 255.255.255.0
 load-interval 30
 no mop enabled
 crypto map dynamic-map
 crypto engine subslot 4/0
!
ip classless
ip route 192.168.0.0 255.255.0.0 192.168.241.2
!
no ip http server
!
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
ntp server 10.57.1.2
no cns aaa enable
end

ISR Branch Configuration

The following shows relevant configurations for one branch router. For resiliency, two tunnels are configured (primary and secondary), one to each headend. The EIGRP delay metric is used to make Tunnel0 the preferred path. This configuration shows QoS for VoIP flows (shaping and queuing) applied to the physical (outside) interface, the recommended use of summary routes, and an EIGRP stub configuration.

Branch #1:

hostname vpn5-2800-1-0000
!
boot-start-marker
boot-end-marker
!
logging buffered 32768 debugging
enable password cisco
!
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate aim 0 
no network-clock-participate aim 1 
no aaa new-model
ip subnet-zero
!
ip cef
!
ip ips po max-events 100
no ip domain lookup
ip multicast-routing 
no ftp-server write-enable
!
class-map match-all VOICE
 match ip dscp ef 
class-map match-any CALL-SETUP
 match ip dscp af31 
 match ip dscp cs3 
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6 
 match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21 
!
policy-map 512kb
 class CALL-SETUP
  bandwidth percent 2
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class TRANSACTIONAL-DATA
  bandwidth percent 22
  queue-limit 16
 class VOICE
  priority 168
 class class-default
  fair-queue
  queue-limit 6
policy-map 512kb-shaper
 class class-default
  shape average 486400 4864 0
  service-policy 512kb
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.241.1
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto map static-map local-address Serial0/0/0
crypto map static-map 10 ipsec-isakmp 
 set peer 192.168.241.1
 set transform-set vpn-test 
 match address b000
!
interface Tunnel0
 description Tunnel0
 bandwidth 512
 ip address 10.60.0.194 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 tunnel source 192.168.0.2
 tunnel destination 192.168.241.1
!
interface Loopback0
 description Loopback0
 ip address 10.60.0.254 255.255.255.255
 ip pim sparse-mode
!
interface FastEthernet0/1
 description FastEthernet0/1
 ip address 10.60.0.129 255.255.255.192 secondary
 ip address 10.60.0.1 255.255.255.128
 load-interval 30
 duplex full
 speed 100
!
interface Serial0/0/0
 description Serial0/0/0 
 bandwidth 512
 ip address 192.168.0.2 255.255.255.252
 service-policy output 512kb-shaper
 load-interval 30
 tx-ring-limit 1
 tx-queue-limit 1
 crypto map static-map
!
router ospf 1
 router-id 10.60.0.254
 log-adjacency-changes
 passive-interface FastEthernet0/1
 network 10.0.0.0 0.255.255.255 area 10.60.0.0
!
ip classless
ip route 192.168.0.0 255.255.0.0 192.168.0.1
no ip http server
no ip http secure-server
ip pim autorp listener
!
ip access-list extended IKE
 permit udp any any eq isakmp
ip access-list extended b000
 permit gre host 192.168.0.2 host 192.168.241.1
!
snmp-server community private RW
snmp-server community public RO
snmp-server system-shutdown
snmp-server enable traps tty
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
ntp source Loopback0
ntp server 10.57.3.255
!
end
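The static crypto map headend above and this branch excerpt share one structure per tunnel: a tunnel interface, a crypto map entry whose peer is the tunnel destination, and a crypto ACL permitting exactly that GRE pair. The following Python script is an added example, not code from the design guide (its function and sample names are mine): it parses a constructed config sample trimmed from Branch #1, checks that the three agree for every tunnel, and flags the test-bed settings seen in these excerpts (3DES, DH group 2, the wildcard pre-shared key from the 7600 configurations, read-write SNMP communities, telnet on the vty lines) that a practitioner would change before deployment.

```python
"""Consistency and hardening audit for a p2p GRE over IPsec IOS excerpt.
Added example; not code from the design guide or its test bed."""
from collections import defaultdict

# Constructed sample, trimmed from the Branch #1 excerpt on this page.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.241.1
crypto map static-map 10 ipsec-isakmp
 set peer 192.168.241.1
 set transform-set vpn-test
 match address b000
interface Tunnel0
 ip address 10.60.0.194 255.255.255.252
 tunnel source 192.168.0.2
 tunnel destination 192.168.241.1
interface Serial0/0/0
 ip address 192.168.0.2 255.255.255.252
 crypto map static-map
ip access-list extended b000
 permit gre host 192.168.0.2 host 192.168.241.1
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""


def parse_blocks(text):
    """Split running-config text into (header, [indented child lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks


def interface_fields(body):
    # Primary address, tunnel endpoints and the crypto map applied on the interface.
    info = {}
    for child in body:
        w = child.split()
        if child.startswith("ip address ") and "secondary" not in w:
            info["ip"] = w[2]
        elif child.startswith("tunnel source "):
            info["src"] = w[2]
        elif child.startswith("tunnel destination "):
            info["dst"] = w[2]
        elif child.startswith("crypto map "):
            info["map"] = w[2]
    return info


def check_config(text):
    """Return findings as (kind, message) with kind 'mismatch' or 'hardening'."""
    tunnels, ifaces, entries, acls, findings = {}, {}, [], defaultdict(list), []
    for header, body in parse_blocks(text):
        w = header.split()
        if header.startswith("interface "):
            (tunnels if w[1].startswith("Tunnel") else ifaces)[w[1]] = interface_fields(body)
        elif header.startswith("crypto map ") and "ipsec-isakmp" in w:
            peer = next((c.split()[2] for c in body if c.startswith("set peer ")), None)
            acl = next((c.split()[2] for c in body if c.startswith("match address ")), None)
            entries.append((w[2], w[3], peer, acl))
        elif header.startswith("ip access-list extended "):
            acls[w[3]] = body
        elif header.startswith("crypto isakmp policy"):
            for weak in ("encr 3des", "group 2"):
                if weak in body:
                    findings.append(("hardening", f"{header}: '{weak}'"))
        elif header.startswith("crypto isakmp key ") and w[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(("hardening", "wildcard pre-shared key: any peer holding the key can negotiate IKE"))
        elif header.startswith("snmp-server community ") and w[-1] == "RW":
            findings.append(("hardening", f"read-write SNMP community '{w[2]}'"))
        elif header.startswith("line vty") and any(
                c.startswith("transport input") and "telnet" in c.split() for c in body):
            findings.append(("hardening", f"{header}: telnet accepted on vty"))
    # The p2p GRE over IPsec triad: a crypto map entry peering with the tunnel destination,
    # an ACL permitting exactly that GRE pair, and the map applied where the source lives.
    for name, t in tunnels.items():
        src, dst = t.get("src"), t.get("dst")
        match = [e for e in entries if e[2] == dst]
        if not match:
            findings.append(("mismatch", f"{name}: no crypto map entry with set peer {dst}"))
            continue
        mapname, _seq, _peer, acl = match[0]
        want = f"permit gre host {src} host {dst}"
        if want not in acls.get(acl, []):
            findings.append(("mismatch", f"{name}: ACL {acl} lacks '{want}'"))
        if not any(i.get("ip") == src and i.get("map") == mapname for i in ifaces.values()):
            findings.append(("mismatch", f"{name}: {mapname} not applied on interface with {src}"))
    return findings
```

Feed it a full running-config and every tunnel is checked; a mismatch finding means traffic will either bypass the crypto map or never match the IPsec SA.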