Voice and Video Enabled IPSec VPN (V3PN) Solution Reference Network Design
Network Diagram Scalability Testbed and Configuration Files
Network Diagram Scalability Testbed and Configuration Files


This appendix contains configurations that were used during a V3PN performance and scalability evaluation based on the network illustrated in Figure A-1. Specific configurations address the following devices and supporting networking functions:

Head-end VPN Router

Branch VPN Router—Frame Relay

Branch VPN Router—HDLC

Figure A-1 V3PN Solution Testbed Diagram

Head-end VPN Router

The configuration below was taken from the Cisco 7200 VPN Router used as the head-end. In this design, QoS was enabled on a separate WAN aggregation device rather than on the router terminating the VPN tunnels, which is why no service policy appears in this configuration.

Because the complete configuration is extremely large (the same commands are repeated for each of the 244 branches being terminated), repeated commands were removed and each omission is marked with <repetition removed>.

!
version 12.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service compress-config
!
hostname vpn3-7200-2
!
boot system flash disk0:c7200-ik2s-mz.121-9.E.bin
logging buffered 65535 debugging
enable password cisco
!
clock timezone EST -5
clock summer-time EDT recurring
clock calendar-valid
ip subnet-zero
ip cef
!
no ip domain-lookup
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
xsm
xsm privilege configuration level 15
xsm privilege monitor level 1
xsm vdm
xsm edm
no xsm history vdm
no xsm history edm
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.244.2  
crypto isakmp key bigsecret address 192.168.242.2  
.
<repetition removed>
.
crypto isakmp key bigsecret address 192.168.1.2    
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map static-map local-address FastEthernet1/0
crypto map static-map 1 ipsec-isakmp   
 set peer 192.168.1.2
 set security-association lifetime seconds 86400
 set transform-set vpn-test 
 set pfs group2
 match address vpn-static1
crypto map static-map 2 ipsec-isakmp   
 set peer 192.168.2.2
 set security-association lifetime seconds 86400
 set transform-set vpn-test 
 set pfs group2
 match address vpn-static2
.
<repetition removed>
.
crypto map static-map 244 ipsec-isakmp   
 set peer 192.168.244.2
 set security-association lifetime seconds 86400
 set transform-set vpn-test 
 set pfs group2
 match address vpn-static244
!
controller ISA 2/1
!
buffers small permanent 2048
buffers small max-free 10240
buffers small min-free 512
buffers middle permanent 2048
buffers middle max-free 10240
buffers middle min-free 512
buffers big permanent 2048
buffers big max-free 10240
buffers big min-free 512
buffers verybig permanent 2048
buffers verybig max-free 10240
buffers verybig min-free 512
buffers large permanent 2048
buffers large max-free 10240
buffers large min-free 512
buffers huge permanent 128
buffers huge max-free 512
buffers huge min-free 32
!
!
interface Loopback0
 description Loopback0
 ip address 10.57.2.255 255.255.255.255
!
interface Tunnel1
 description vpn6-2600-1
 ip address 10.62.1.197 255.255.255.252
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 delay 60000
 tunnel source 192.168.252.1
 tunnel destination 192.168.1.2
 crypto map static-map
!
interface Tunnel2
 description vpn6-2600-2
 ip address 10.62.2.197 255.255.255.252
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 delay 60000
 tunnel source 192.168.252.1
 tunnel destination 192.168.2.2
 crypto map static-map
.
<repetition removed>
.
interface Tunnel244
 description vpn17-4200-2
 ip address 10.63.130.193 255.255.255.252
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 load-interval 30
 tunnel source 192.168.252.1
 tunnel destination 192.168.244.2
 crypto map static-map
!
interface FastEthernet0/0
 description FastEthernet0/0
 ip address 172.26.156.18 255.255.254.0
 load-interval 30
 duplex full
!
interface FastEthernet1/0
 description FastEthernet1/0
 ip address 192.168.252.1 255.255.255.0
 load-interval 30
 duplex full
 speed 100
 crypto map static-map
!
interface FastEthernet1/1
 description FastEthernet1/1
 ip address 10.57.2.1 255.255.255.252
 load-interval 30
 duplex full
 speed 100
!
interface Hssi3/0
 ip address 192.168.253.10 255.255.255.252
 shutdown
 hssi internal-clock
 serial restart-delay 0
!
router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface FastEthernet1/0
 network 10.0.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.252.2
ip route 172.26.0.0 255.255.0.0 172.26.156.1
no ip http server
!
!
ip access-list extended vpn-static1
 permit gre host 192.168.252.1 host 192.168.1.2
ip access-list extended vpn-static10
 permit gre host 192.168.252.1 host 192.168.10.2
ip access-list extended vpn-static100
 permit gre host 192.168.252.1 host 192.168.100.2
.
<repetition removed>
.
ip access-list extended vpn-static244
 permit gre host 192.168.252.1 host 192.168.244.2
logging trap debugging
logging 172.26.131.82
snmp-server community private RW
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
line vty 5 15
 login
!
ntp clock-period 17179932
ntp server 172.26.156.1
end
!
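With 244 branch entries, the crypto map, the GRE access lists and the Tunnel interfaces above must agree peer by peer: the ISAKMP key, the `set peer`, the `permit gre ... host` destination and the `tunnel destination` for one branch all name the same address. The check below is an added example, not part of the Cisco design guide; it parses a constructed two-entry excerpt laid out like the head-end configuration (assumed available as saved `show running-config` text) and reports every entry whose pieces do not line up.

```python
# Constructed excerpt in the layout of the head-end config above: two of the 244 branch
# entries, with entry 2 deliberately inconsistent (no isakmp key, wrong ACL host, no Tunnel).
HEADEND_CFG = """\
crypto isakmp key bigsecret address 192.168.1.2
crypto map static-map 1 ipsec-isakmp
 set peer 192.168.1.2
 match address vpn-static1
crypto map static-map 2 ipsec-isakmp
 set peer 192.168.2.2
 match address vpn-static2
interface Tunnel1
 tunnel destination 192.168.1.2
 crypto map static-map
ip access-list extended vpn-static1
 permit gre host 192.168.252.1 host 192.168.1.2
ip access-list extended vpn-static2
 permit gre host 192.168.252.1 host 192.168.22.2
"""

def sections(cfg):
    """Group the config into (header, [indented sub-lines]) blocks, as 'show run' lays it out."""
    blocks = []
    for raw in cfg.splitlines():
        if raw and raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def last_word(body, prefix):
    # Last token of the first sub-line starting with prefix (peer, ACL name, address), else None.
    return next((l.split()[-1] for l in body if l.startswith(prefix)), None)

def check_crypto_map(cfg):
    keys, maps, tunnel_dsts, acl_dst = set(), {}, set(), {}
    for header, body in sections(cfg):
        words = header.split()
        if header.startswith("crypto isakmp key ") and "address" in words:
            keys.add(words[-1])
        elif words[:2] == ["crypto", "map"] and words[-1] == "ipsec-isakmp":
            maps[int(words[3])] = (last_word(body, "set peer "), last_word(body, "match address "))
        elif header.startswith("interface Tunnel") and "crypto map static-map" in body:
            tunnel_dsts.add(last_word(body, "tunnel destination "))
        elif header.startswith("ip access-list extended "):
            acl_dst[words[-1]] = last_word(body, "permit gre host ")  # GRE destination host
    findings = []  # one line per inconsistency; an empty list means every entry lines up
    for seq, (peer, acl) in sorted(maps.items()):
        checks = [(peer in keys, f"no isakmp key for peer {peer}"),
                  (acl_dst.get(acl) == peer, f"ACL {acl} does not select GRE to {peer}"),
                  (peer in tunnel_dsts, f"no Tunnel interface with destination {peer}")]
        findings += [f"entry {seq}: {msg}" for ok, msg in checks if not ok]
    return findings
```

An ACL that names the wrong host is the finding to act on first: GRE to that branch would then not match the crypto map and would leave the WAN interface unencrypted.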

Branch VPN Router—Frame Relay

The configuration shown below is from a Cisco 2651 VPN Router configured for V3PN. The Layer-2 technology in this case was Frame Relay at a 1280 kbps link speed, with the QoS policy applied through the Frame Relay map-class.

!
! No configuration change since last restart
!
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname vpn12-2600-1
!
logging buffered 32768 debugging
enable password cisco
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
class-map match-all call-setup
  match ip precedence 3 
class-map match-any mission-critical
  match ip precedence 2 
  match ip precedence 6 
class-map match-all voice
  match ip precedence 5 
!
policy-map 1280kb
  class call-setup
   bandwidth percent 5
  class mission-critical
   bandwidth percent 22
  class voice
    priority 392
  class class-default
   fair-queue
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.252.1
crypto isakmp key bigsecret address 192.168.251.1
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto map static-map local-address Serial0/0.1
crypto map static-map 10 ipsec-isakmp 
 set peer 192.168.252.1
 set transform-set vpn-test 
 match address vpn-static1
crypto map static-map 20 ipsec-isakmp 
 set peer 192.168.251.1
 set transform-set vpn-test 
 match address vpn-static2
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
interface Loopback0
 ip address 10.63.21.254 255.255.255.255
!
interface Tunnel0
 description Tunnel0
 ip address 10.63.21.194 255.255.255.252
 ip summary-address eigrp 1 10.63.21.0 255.255.255.0 5
 load-interval 30
 qos pre-classify
 tunnel source 192.168.181.2
 tunnel destination 192.168.252.1
 crypto map static-map
!
interface Tunnel1
 description Tunnel1
 ip address 10.63.21.198 255.255.255.252
 ip summary-address eigrp 1 10.63.21.0 255.255.255.0 5
 load-interval 30
 delay 60000
 qos pre-classify
 tunnel source 192.168.181.2
 tunnel destination 192.168.251.1
 crypto map static-map
!
!
interface FastEthernet0/0
 description FastEthernet0/0
 ip address 172.26.157.181 255.255.254.0
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 speed auto
 half-duplex
!
interface Serial0/0
 description Serial0/0
 bandwidth 1280
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 logging event subif-link-status
 logging event dlci-status-change
 load-interval 30
 no fair-queue
 frame-relay traffic-shaping
!
interface Serial0/0.1 point-to-point
 description Serial0/0.1
 bandwidth 1280
 ip address 192.168.181.2 255.255.255.252
 no ip mroute-cache
 frame-relay interface-dlci 101   
  class 1280kb
 crypto map static-map
!
interface FastEthernet0/1
 description FastEthernet0/1
 ip address 10.63.21.1 255.255.255.128
 no ip mroute-cache
 load-interval 30
 speed 10
 full-duplex
!
router eigrp 1
 passive-interface Serial0/0
 passive-interface Serial0/0.1
 passive-interface FastEthernet0/1
 network 10.0.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip default-gateway 192.168.181.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.181.1
ip route 10.63.21.200 255.255.255.255 10.63.21.2
no ip http server
ip pim bidir-enable
!
ip access-list extended vpn-static1
 permit gre host 192.168.181.2 host 192.168.252.1
ip access-list extended vpn-static2
 permit gre host 192.168.181.2 host 192.168.251.1
!
map-class frame-relay 1280kb
 no frame-relay adaptive-shaping
 frame-relay cir 1216000
 frame-relay bc 12160
 frame-relay be 0
 frame-relay mincir 1216000
 service-policy output 1280kb
!
snmp-server engineID local 000000090200000628DBD3E0
snmp-server community private RW
snmp-server community public RO
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 length 30
line vty 5 15
 login
!
ntp clock-period 17208540
ntp server 172.26.156.1
!
end
!

Branch VPN Router—HDLC

The configuration shown below is from a Cisco 1751 VPN Router configured for V3PN. The Layer-2 technology in this case was HDLC at an E1 link speed, with the QoS policy applied directly to the serial interface.

!
! No configuration change since last restart
!
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname vpn17-1700-1
!
logging buffered 65535 debugging
enable password cisco
!
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
!
class-map match-all call-setup
  match ip precedence 3 
class-map match-any mission-critical
  match ip precedence 2 
  match ip precedence 6 
class-map match-all voice
  match ip precedence 5 
!
!
policy-map 2048kb
  class mission-critical
   bandwidth percent 22
  class voice
    priority 672
  class call-setup
   bandwidth percent 5
  class class-default
   fair-queue
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.251.1
crypto isakmp key bigsecret address 192.168.252.1
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto map static-map local-address Serial1/0
crypto map static-map 10 ipsec-isakmp 
 set peer 192.168.251.1
 set transform-set vpn-test 
 match address vpn-static1
crypto map static-map 20 ipsec-isakmp 
 set peer 192.168.252.1
 set transform-set vpn-test 
 match address vpn-static2
!
!
interface Loopback0
 ip address 10.63.100.254 255.255.255.255
!
interface Tunnel0
 description Tunnel0
 ip address 10.63.100.198 255.255.255.252
 ip summary-address eigrp 1 10.63.100.0 255.255.255.0 5
 load-interval 30
 delay 60000
 qos pre-classify
 tunnel source 192.168.236.2
 tunnel destination 192.168.251.1
 crypto map static-map
!
!
interface Tunnel1
 description Tunnel1
 ip address 10.63.100.194 255.255.255.252
 ip summary-address eigrp 1 10.63.100.0 255.255.255.0 5
 load-interval 30
 qos pre-classify
 tunnel source 192.168.236.2
 tunnel destination 192.168.252.1
 crypto map static-map
!
interface Ethernet0/0
 description FlashNet
 ip address 172.26.157.253 255.255.254.0
 half-duplex
!
interface FastEthernet0/0
 description FastEthernet0/0
 ip address 10.63.100.1 255.255.255.128
 load-interval 30
 speed 100
 full-duplex
!
interface Serial1/0
 description Serial1/0
 bandwidth 2048
 ip address 192.168.236.2 255.255.255.252
 no ip mroute-cache
 load-interval 30
 service-policy output 2048kb
 crypto map static-map
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.236.1
ip route 172.18.0.0 255.255.0.0 172.26.156.1
ip route 172.26.0.0 255.255.0.0 172.26.156.1
no ip http server
ip pim bidir-enable
!
!
ip access-list extended vpn-static1
 permit gre host 192.168.236.2 host 192.168.251.1
ip access-list extended vpn-static2
 permit gre host 192.168.236.2 host 192.168.252.1
!
!
snmp-server engineID local 0000000902000003E38D8C20
snmp-server community private RW
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
no scheduler allocate
ntp clock-period 17180765
ntp server 172.26.156.1
end
!