Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1) - Scalability Test Bed Configuration Files [Design Zone for IPv6]

Scalability Test Bed Configuration Files

Cisco 7200VXR/NPE-G1/SA-VAM2 Headend Configuration

Cisco ASR1004 Headend Configuration

Cisco 7600/Sup720/VPN SPA Headend Configuration

Cisco 7200VXR/Cisco 7600 Dual Tier Architecture Headend Configuration

Tier #1 (mGRE)

Tier #2 (IPsec)

Cisco ISR Branch Office Configuration

Scalability Test Bed Configuration Files

The configurations for the central and branch sites are listed below in the following sections. These configurations have been extracted from real configurations used in Cisco scalability testing, and are provided as a reference only.

Cisco 7200VXR/NPE-G1/SA-VAM2 Headend Configuration

There are two headend devices in the test bed, each configured with one mGRE tunnel. A dual hub-dual DMVPN cloud design is assumed. The configuration shown below is an excerpt of the first headend and does not show the entire configuration. Pre-shared keys with a wildcard address are used at the headend for simplicity of the ISAKMP authentication, although this is not recommended for customer use.

Headend #1:

ip cef

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

no crypto ipsec nat-transparency udp-encaps

crypto ipsec profile vpn-dmvpn

 set transform-set vpn-test

interface Loopback0

 description Loopback0

 ip address 10.57.1.255 255.255.255.255

interface Tunnel0

 description Tunnel0

 bandwidth 1000000

 ip address 10.56.0.1 255.255.252.0

 no ip redirects

 ip hold-time eigrp 1 35

 ip nhrp authentication test

 ip nhrp map multicast dynamic

 ip nhrp network-id 105600

 ip nhrp holdtime 600

 no ip split-horizon eigrp 1

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 tunnel source GigabitEthernet0/1

 tunnel mode gre multipoint

 tunnel key 105600

 tunnel protection ipsec profile vpn-dmvpn

interface GigabitEthernet0/1

 description GigabitEthernet0/1

 ip address 192.168.251.1 255.255.255.248

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

interface GigabitEthernet0/2

 description GigabitEthernet0/2

 ip address 10.57.1.1 255.255.255.248

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

router eigrp 1

 network 10.0.0.0

 no auto-summary

ip route 192.168.0.0 255.255.0.0 192.168.251.2

Cisco ASR1004 Headend Configuration

This configuration is for the Cisco ASR1004, where the ASR is aggregating 1000 DMVPN hub-and-spoke tunnels.

Headend #1:

boot-start-marker

boot system flash bootflash:asr1000rp1-adventerprisek9.02.01.00.122-33.XNA.bin

boot-end-marker

vrf definition Mgmt-intf

 address-family ipv4

 exit-address-family

 address-family ipv6

 exit-address-family

logging buffered 1024000

enable password cisco

no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

ip subnet-zero

no ip ftp passive

ip ftp source-interface GigabitEthernet0

ip tftp source-interface GigabitEthernet0

no ip domain lookup

multilink bundle-name authenticated

redundancy

 mode sso

 no policy config-sync bulk prc reload

crypto isakmp policy 10

 encr aes 256

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-aes esp-sha-hmac

crypto ipsec profile vpn-dmvpn

 set transform-set vpn-test

buffers tune automatic

interface Tunnel0

 description Tunnel0

 bandwidth 100000

 ip address 10.56.0.1 255.255.248.0

 no ip redirects

 ip hold-time eigrp 1 35

 no ip next-hop-self eigrp 1

 ip nhrp authentication test

 ip nhrp map multicast dynamic

 ip nhrp network-id 105600

 ip nhrp holdtime 1800

 ip nhrp registration timeout 120

 no ip split-horizon eigrp 1

 load-interval 30

 qos pre-classify

 tunnel source Loopback0

 tunnel mode gre multipoint

 tunnel key 105600

 tunnel protection ipsec profile vpn-dmvpn

interface Loopback0

 ip address 192.168.30.1 255.255.255.255

interface GigabitEthernet0/2/0

 description GigabitEthernet0/2/0

 ip address 192.168.32.252 255.255.255.0

 no ip proxy-arp

 load-interval 30

 negotiation auto

 plim qos input map ip dscp-based

 plim qos input map ip dscp  34  40  queue strict-priority

 no cdp enable

 hold-queue 4096 in

 hold-queue 4096 out

interface GigabitEthernet0/3/0

 description GigabitEthernet0/3/0

 ip address 10.204.0.1 255.252.0.0

 load-interval 30

 negotiation auto

 plim qos input map ip dscp-based

 plim qos input map ip dscp  34  40  queue strict-priority

 no cdp enable

 service-policy input INGRESS

 service-policy output campus

interface GigabitEthernet0

 vrf forwarding Mgmt-intf

 ip address 172.26.182.168 255.255.252.0

 speed 100

 duplex full

 no negotiation auto

router eigrp 1

 network 10.0.0.0

 no auto-summary

 passive-interface GigabitEthernet0/2/2

router eigrp 100

 network 192.168.32.0

ip classless

ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 172.26.180.1

no ip http server

no ip http secure-server

snmp-server community public RO

snmp-server community private RW

control-plane

line con 0

 stopbits 1

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

ntp clock-period 17175902

end

Cisco 7600/Sup720/VPN SPA Headend Configuration

This configuration is for the Cisco 7600 with Sup720 and VPN SPA where the 7600 router is aggregating 1000 DMVPN hub-and-spoke tunnels.

Headend #1:

hostname vpn6-7600-1

no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

ip subnet-zero

ip rcmd rsh-enable

no ip domain-lookup

ipv6 mfib hardware-switching replication-mode ingress

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

no scripting tcl init

no scripting tcl encdir

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

no crypto ipsec nat-transparency udp-encaps

crypto dynamic-map dmap-vlan100 10

 set transform-set vpn-test

crypto dynamic-map dmap-vlan101 10

 set transform-set vpn-test

crypto map dynamic-map-vlan100 local-address Vlan100

crypto map dynamic-map-vlan100 10 ipsec-isakmp dynamic dmap-vlan100

crypto map dynamic-map-vlan101 local-address Vlan101

crypto map dynamic-map-vlan101 10 ipsec-isakmp dynamic dmap-vlan101

redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

interface Loopback0

 description Loopback0

 ip address 10.57.255.251 255.255.255.255

interface Tunnel0

 description Tunnel0

 bandwidth 100000

 ip address 10.56.0.1 255.255.252.0

 no ip redirects

 ip hold-time eigrp 1 35

 no ip next-hop-self eigrp 1

 ip nhrp authentication test

 ip nhrp map multicast dynamic

 ip nhrp network-id 105600

 ip nhrp holdtime 1800

 ip nhrp registration timeout 120

 no ip split-horizon eigrp 1

 load-interval 30

 tunnel source 192.168.241.1

 tunnel mode gre multipoint

interface Tunnel1

 description Tunnel1

 bandwidth 100000

 ip address 10.56.8.1 255.255.252.0

 no ip redirects

 ip hold-time eigrp 1 35

 no ip next-hop-self eigrp 1

 ip nhrp authentication test

 ip nhrp map multicast dynamic

 ip nhrp network-id 105680

 ip nhrp holdtime 1800

 ip nhrp registration timeout 120

 no ip split-horizon eigrp 1

 load-interval 30

 tunnel source 192.168.242.1

 tunnel mode gre multipoint

interface GigabitEthernet3/1

 description GigabitEthernet3/1 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 100

interface GigabitEthernet3/2

 description GigabitEthernet3/2 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 101

interface GigabitEthernet3/3

 description GigabitEthernet3/3

 no ip address

 load-interval 30

 shutdown

interface GigabitEthernet4/0/1

 description GigabitEthernet4/0/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,100,101,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet4/0/2

 description GigabitEthernet4/0/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet5/1

 description GigabitEthernet5/1 Inside Interface

 ip address 10.57.1.1 255.255.255.0

 no ip redirects

 load-interval 30

interface GigabitEthernet6/2

 description FlashNet

 ip address 172.26.177.251 255.255.252.0

 load-interval 30

 media-type rj45

 speed 100

 duplex full

interface Vlan1

 description Vlan1

 no ip address

 load-interval 30

 shutdown

interface Vlan100

 description Vlan100

 ip address 192.168.241.1 255.255.255.0

 no ip redirects

 load-interval 30

 no mop enabled

 crypto map dynamic-map-vlan100

 crypto engine subslot 4/0

interface Vlan101

 description Vlan101

 ip address 192.168.242.1 255.255.255.0

 no ip redirects

 load-interval 30

 no mop enabled

 crypto map dynamic-map-vlan101

 crypto engine subslot 4/0

router eigrp 1

 network 10.0.0.0

 no auto-summary

ip classless

ip route 0.0.0.0 0.0.0.0 172.26.176.1

ip route 10.60.0.254 255.255.255.255 192.168.241.2

ip route 10.60.1.254 255.255.255.255 192.168.241.2

ip route 10.60.2.254 255.255.255.255 192.168.241.2

ip route 10.60.3.254 255.255.255.255 192.168.241.2

ip route 10.60.4.254 255.255.255.255 192.168.241.2

ip route 10.60.5.254 255.255.255.255 192.168.241.2

ip route 10.60.6.254 255.255.255.255 192.168.241.2

ip route 10.60.7.254 255.255.255.255 192.168.241.2

ip route 10.60.8.254 255.255.255.255 192.168.241.2

ip route 10.60.9.254 255.255.255.255 192.168.241.2

ip route 10.60.10.254 255.255.255.255 192.168.241.2

. . . lines omitted . . .

ip route 10.67.0.254 255.255.255.255 192.168.242.2

ip route 10.67.1.254 255.255.255.255 192.168.242.2

ip route 10.67.2.254 255.255.255.255 192.168.242.2

ip route 10.67.3.254 255.255.255.255 192.168.242.2

ip route 10.67.4.254 255.255.255.255 192.168.242.2

ip route 10.67.5.254 255.255.255.255 192.168.242.2

ip route 10.67.6.254 255.255.255.255 192.168.242.2

ip route 10.67.7.254 255.255.255.255 192.168.242.2

ip route 10.67.8.254 255.255.255.255 192.168.242.2

ip route 10.67.9.254 255.255.255.255 192.168.242.2

ip route 10.67.10.254 255.255.255.255 192.168.242.2

ip route 10.67.11.254 255.255.255.255 192.168.242.2

ip route 10.67.12.254 255.255.255.255 192.168.242.2

ip route 10.67.13.254 255.255.255.255 192.168.242.2

ip route 10.67.14.254 255.255.255.255 192.168.242.2

ip route 10.67.15.254 255.255.255.255 192.168.242.2

ip route 10.67.16.254 255.255.255.255 192.168.242.2

ip route 10.67.17.254 255.255.255.255 192.168.242.2

ip route 10.67.18.254 255.255.255.255 192.168.242.2

ip route 10.67.19.254 255.255.255.255 192.168.242.2

ip route 172.26.0.0 255.255.0.0 172.26.176.1

ip route 192.168.0.0 255.255.0.0 192.168.241.2

ip route 192.168.0.0 255.255.0.0 192.168.242.2

no ip http server

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

control-plane

dial-peer cor custom

line con 0

 exec-timeout 0 0

 password cisco

 login

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

ntp clock-period 17180019

ntp server 172.26.176.1

no cns aaa enable

end

Cisco 7200VXR/Cisco 7600 Dual Tier Architecture Headend Configuration

This configuration is for the Cisco 7200VXR terminating mGRE and the Cisco 7600 with Sup720 and VPN SPA providing high-capacity IPsec encryption.

Tier #1 (mGRE)

hostname vpn2-7200-1

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

no aaa new-model

ip subnet-zero

ip rcmd rsh-enable

ip cef

no ip domain lookup

ip multicast-routing

ip ips po max-events 100

no ftp-server write-enable

interface Tunnel0

 description Tunnel0

 bandwidth 100000

 ip address 10.56.0.1 255.255.252.0

 no ip redirects

 ip hold-time eigrp 1 35

 no ip next-hop-self eigrp 1

 ip pim nbma-mode

 ip pim sparse-mode

 ip nhrp authentication test

 ip nhrp map multicast dynamic

 ip nhrp network-id 105600

 ip nhrp holdtime 1800

 ip nhrp registration timeout 120

 no ip split-horizon eigrp 1

 load-interval 30

 tunnel source 192.168.161.1

 tunnel mode gre multipoint

 tunnel key 105600

interface Tunnel1

 description Tunnel1

 bandwidth 100000

 ip address 10.56.16.1 255.255.252.0

 no ip redirects

 ip hold-time eigrp 1 35

 no ip next-hop-self eigrp 1

 ip pim nbma-mode

 ip pim sparse-mode

 ip nhrp authentication test

 ip nhrp map multicast dynamic

 ip nhrp network-id 1056160

 ip nhrp holdtime 1800

 ip nhrp registration timeout 120

 no ip split-horizon eigrp 1

 load-interval 30

 tunnel source 192.168.181.1

 tunnel mode gre multipoint

 tunnel key 1056160

interface Loopback0

 description Loopback0

 ip address 10.57.255.251 255.255.255.255

interface FastEthernet0/0

 description FlashNet

 ip address 172.26.176.14 255.255.252.0

 load-interval 30

 duplex full

 speed 100

interface FastEthernet0/1

 description FastEthernet0/1

 no ip address

 load-interval 30

 shutdown

 duplex full

 speed 100

interface GigabitEthernet0/1

 description GigabitEthernet0/1

 ip address 192.168.181.1 255.255.255.0 secondary

 ip address 192.168.161.1 255.255.255.0

 load-interval 30

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

interface GigabitEthernet0/2

 description GigabitEthernet0/2

 ip address 10.57.1.1 255.255.255.0

 ip pim sparse-mode

 load-interval 30

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

interface GigabitEthernet0/3

 description GigabitEthernet0/3

 no ip address

 load-interval 30

 shutdown

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

router eigrp 1

 network 10.0.0.0

 no auto-summary

ip classless

ip route 0.0.0.0 0.0.0.0 172.26.176.1

ip route 172.26.0.0 255.255.0.0 172.26.176.1

ip route 192.168.0.0 255.255.0.0 192.168.161.2

ip route 192.168.0.0 255.255.0.0 192.168.181.2

ip http server

no ip http secure-server

ip pim autorp listener

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

snmp-server enable traps tty

control-plane

dial-peer cor custom

gatekeeper

 shutdown

line con 0

 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport output all

 stopbits 1

line aux 0

 transport preferred all

 transport output all

 stopbits 1

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport input all

 transport output all

line vty 5 15

 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport input all

 transport output all

ntp clock-period 17180034

ntp server 172.26.176.1

end

Tier #2 (IPsec)

hostname vpn6-7600-1

no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

ip subnet-zero

ip rcmd rsh-enable

no ip domain-lookup

ipv6 mfib hardware-switching replication-mode ingress

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

no scripting tcl init

no scripting tcl encdir

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

no crypto ipsec nat-transparency udp-encaps

crypto dynamic-map dmap 10

 set transform-set vpn-test

crypto map dynamic-map local-address Vlan100

crypto map dynamic-map 10 ipsec-isakmp dynamic dmap

redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

interface GigabitEthernet3/1

 description GigabitEthernet3/1 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 100

interface GigabitEthernet3/2

 description GigabitEthernet3/2

 no ip address

 load-interval 30

 shutdown

interface GigabitEthernet4/0/1

 description GigabitEthernet4/0/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,100,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet4/0/2

 description GigabitEthernet4/0/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet5/1

 description GigabitEthernet5/1 to vpn2-7200-1 GE0/1

 ip address 192.168.181.2 255.255.255.0 secondary

 ip address 192.168.161.2 255.255.255.0

 no ip redirects

 load-interval 30

interface GigabitEthernet5/2

 description GigabitEthernet5/2 to vpn2-7200-2 GE0/1

 ip address 192.168.191.2 255.255.255.0 secondary

 ip address 192.168.171.2 255.255.255.0

 no ip redirects

 load-interval 30

interface GigabitEthernet5/3

 description GigabitEthernet5/3

 no ip address

 load-interval 30

 shutdown

interface GigabitEthernet6/2

 description FlashNet

 ip address 172.26.177.251 255.255.252.0

 load-interval 30

 media-type rj45

 speed 100

 duplex full

interface Vlan1

 description Vlan1

 no ip address

 load-interval 30

 shutdown

interface Vlan100

 description Vlan100

 ip address 192.168.241.1 255.255.255.0

 load-interval 30

 no mop enabled

 crypto map dynamic-map

 crypto engine subslot 4/0

ip classless

ip route 0.0.0.0 0.0.0.0 172.26.176.1

ip route 172.26.0.0 255.255.0.0 172.26.176.1

ip route 192.168.0.0 255.255.0.0 192.168.241.2

no ip http server

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

control-plane

dial-peer cor custom

line con 0

 exec-timeout 0 0

 password cisco

 login

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

ntp clock-period 17180035

ntp server 172.26.176.1

no cns aaa enable

end

Cisco ISR Branch Office Configuration

The following shows relevant configurations for one branch site router. A dual hub-dual DMVPN cloud design is employed by using two tunnels, one to each headend. The EIGRP delay metric is used to make Tunnel0 the preferred path. This configuration shows QoS for VoIP flows (shaping and queuing) applied to the physical (outside) interface, the recommended use of summary routes, and an EIGRP stub configuration.

Branch #1:

ip cef

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 192.168.251.1

crypto isakmp key bigsecret address 192.168.252.1

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

no crypto ipsec nat-transparency udp-encaps

crypto ipsec profile vpn-dmvpn

 set transform-set vpn-test

class-map match-all VOICE

  match ip dscp ef

 class-map match-any CALL-SETUP

  match ip dscp af31

  match ip dscp cs3

 class-map match-any INTERNETWORK-CONTROL

  match ip dscp cs6

  match access-group name IKE

 class-map match-all TRANSACTIONAL-DATA

  match ip dscp af21

 policy-map 192kb

  class CALL-SETUP

   bandwidth percent 2

  class INTERNETWORK-CONTROL

   bandwidth percent 5

  class TRANSACTIONAL-DATA

   bandwidth percent 22

   queue-limit 16

  class VOICE

   priority 64

  class class-default

   fair-queue

   queue-limit 6

 policy-map 192kb-shaper

  class class-default

   shape average 182400 1824 0

   service-policy 192kb

interface Loopback0

 description Loopback0

 ip address 10.61.138.254 255.255.255.255

interface Tunnel0

 description Tunnel0

 bandwidth 192

 ip address 10.56.3.10 255.255.252.0

 ip hold-time eigrp 1 35

 ip nhrp authentication test

 ip nhrp map 10.56.0.1 192.168.251.1

 ip nhrp map multicast 192.168.251.1

 ip nhrp network-id 105600

 ip nhrp holdtime 300

 ip nhrp nhs 10.56.0.1

 ip summary-address eigrp 1 10.61.148.0 255.255.255.0 5

 qos pre-classify

 tunnel source 192.168.100.6

 tunnel destination 192.168.251.1

 tunnel key 105600

 tunnel protection ipsec profile vpn-dmvpn

interface Tunnel1

 description Tunnel1

 bandwidth 192

 ip address 10.56.7.10 255.255.252.0

 ip hold-time eigrp 1 35

 ip nhrp authentication test

 ip nhrp map 10.56.4.1 192.168.252.1

 ip nhrp map multicast 192.168.252.1

 ip nhrp network-id 105640

 ip nhrp holdtime 300

 ip nhrp nhs 10.56.4.1

 ip summary-address eigrp 1 10.61.148.0 255.255.255.0 5

 delay 60000

 qos pre-classify

 tunnel source 192.168.100.6

 tunnel destination 192.168.252.1

 tunnel key 105640

 tunnel protection ipsec profile vpn-dmvpn

interface Serial0/0

 description Serial0/0

 bandwidth 192

 ip address 192.168.100.6 255.255.255.252

 service-policy output 192kb-shaper

interface FastEthernet0/1

 description FastEthernet0/1

 ip address 10.61.148.129 255.255.255.192 secondary

 ip address 10.61.148.1 255.255.255.128

 speed 100

 full-duplex

router eigrp 1

 network 10.0.0.0

 no auto-summary

 eigrp stub connected summary

ip route 0.0.0.0 0.0.0.0 192.168.100.5!

ip access-list extended IKE

 permit udp any any eq isakmp

	Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1)
	Scalability Test Bed Configuration Files
Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1) Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1) Preface DMVPN Design Overview DMVPN Design and Implementation Scalability Considerations Scalability Test Results (Unicast Only) Scalability Test Bed Configuration Files Legacy Product Test Results Acronyms	Download this chapter Scalability Test Bed Configuration Files Download the complete book Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1) (PDF - 2 MB) Table Of Contents Scalability Test Bed Configuration Files Cisco 7200VXR/NPE-G1/SA-VAM2 Headend Configuration Cisco ASR1004 Headend Configuration Cisco 7600/Sup720/VPN SPA Headend Configuration Cisco 7200VXR/Cisco 7600 Dual Tier Architecture Headend Configuration Tier #1 (mGRE) Tier #2 (IPsec) Cisco ISR Branch Office Configuration Scalability Test Bed Configuration Files The configurations for the central and branch sites are listed below in the following sections. These configurations have been extracted from real configurations used in Cisco scalability testing, and are provided as a reference only. Cisco 7200VXR/NPE-G1/SA-VAM2 Headend Configuration There are two headend devices in the test bed, each configured with one mGRE tunnel. A dual hub-dual DMVPN cloud design is assumed. The configuration shown below is an excerpt of the first headend and does not show the entire configuration. Pre-shared keys with a wildcard address are used at the headend for simplicity of the ISAKMP authentication, although this is not recommended for customer use. Headend #1: ip cef ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac no crypto ipsec nat-transparency udp-encaps ! crypto ipsec profile vpn-dmvpn set transform-set vpn-test ! interface Loopback0 description Loopback0 ip address 10.57.1.255 255.255.255.255 ! interface Tunnel0 description Tunnel0 bandwidth 1000000 ip address 10.56.0.1 255.255.252.0 no ip redirects ip hold-time eigrp 1 35 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp network-id 105600 ip nhrp holdtime 600 no ip split-horizon eigrp 1 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 tunnel source GigabitEthernet0/1 tunnel mode gre multipoint tunnel key 105600 tunnel protection ipsec profile vpn-dmvpn ! interface GigabitEthernet0/1 description GigabitEthernet0/1 ip address 192.168.251.1 255.255.255.248 duplex auto speed auto media-type gbic negotiation auto ! interface GigabitEthernet0/2 description GigabitEthernet0/2 ip address 10.57.1.1 255.255.255.248 duplex auto speed auto media-type gbic negotiation auto ! router eigrp 1 network 10.0.0.0 no auto-summary ! ip route 192.168.0.0 255.255.0.0 192.168.251.2 ! Cisco ASR1004 Headend Configuration This configuration is for the Cisco ASR1004, where the ASR is aggregating 1000 DMVPN hub-and-spoke tunnels. Headend #1: boot-start-marker boot system flash bootflash:asr1000rp1-adventerprisek9.02.01.00.122-33.XNA.bin boot-end-marker ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! logging buffered 1024000 enable password cisco ! no aaa new-model clock timezone EST -5 clock summer-time EDT recurring ip subnet-zero no ip ftp passive ip ftp source-interface GigabitEthernet0 ip tftp source-interface GigabitEthernet0 no ip domain lookup ! ! ! ! ! multilink bundle-name authenticated ! ! ! redundancy mode sso no policy config-sync bulk prc reload ! ! ! ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! ! crypto ipsec transform-set vpn-test esp-aes esp-sha-hmac ! crypto ipsec profile vpn-dmvpn set transform-set vpn-test ! ! ! buffers tune automatic ! ! ! interface Tunnel0 description Tunnel0 bandwidth 100000 ip address 10.56.0.1 255.255.248.0 no ip redirects ip hold-time eigrp 1 35 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp network-id 105600 ip nhrp holdtime 1800 ip nhrp registration timeout 120 no ip split-horizon eigrp 1 load-interval 30 qos pre-classify tunnel source Loopback0 tunnel mode gre multipoint tunnel key 105600 tunnel protection ipsec profile vpn-dmvpn ! interface Loopback0 ip address 192.168.30.1 255.255.255.255 ! interface GigabitEthernet0/2/0 description GigabitEthernet0/2/0 ip address 192.168.32.252 255.255.255.0 no ip proxy-arp load-interval 30 negotiation auto plim qos input map ip dscp-based plim qos input map ip dscp 34 40 queue strict-priority no cdp enable hold-queue 4096 in hold-queue 4096 out ! ! interface GigabitEthernet0/3/0 description GigabitEthernet0/3/0 ip address 10.204.0.1 255.252.0.0 load-interval 30 negotiation auto plim qos input map ip dscp-based plim qos input map ip dscp 34 40 queue strict-priority no cdp enable service-policy input INGRESS service-policy output campus ! ! interface GigabitEthernet0 vrf forwarding Mgmt-intf ip address 172.26.182.168 255.255.252.0 speed 100 duplex full no negotiation auto ! router eigrp 1 network 10.0.0.0 no auto-summary passive-interface GigabitEthernet0/2/2 ! router eigrp 100 network 192.168.32.0 ! ip classless ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 172.26.180.1 ! no ip http server no ip http secure-server ! ! snmp-server community public RO snmp-server community private RW ! ! ! control-plane ! ! line con 0 stopbits 1 line vty 0 4 exec-timeout 0 0 password cisco login ! ntp clock-period 17175902 end Cisco 7600/Sup720/VPN SPA Headend Configuration This configuration is for the Cisco 7600 with Sup720 and VPN SPA where the 7600 router is aggregating 1000 DMVPN hub-and-spoke tunnels. Headend #1: hostname vpn6-7600-1 ! no aaa new-model clock timezone EST -5 clock summer-time EDT recurring clock calendar-valid ip subnet-zero ip rcmd rsh-enable ! no ip domain-lookup ipv6 mfib hardware-switching replication-mode ingress mls ip multicast flow-stat-timer 9 no mls flow ip no mls flow ipv6 no mls acl tcam share-global mls cef error action freeze no scripting tcl init no scripting tcl encdir ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac no crypto ipsec nat-transparency udp-encaps ! crypto dynamic-map dmap-vlan100 10 set transform-set vpn-test ! crypto dynamic-map dmap-vlan101 10 set transform-set vpn-test ! crypto map dynamic-map-vlan100 local-address Vlan100 crypto map dynamic-map-vlan100 10 ipsec-isakmp dynamic dmap-vlan100 ! crypto map dynamic-map-vlan101 local-address Vlan101 crypto map dynamic-map-vlan101 10 ipsec-isakmp dynamic dmap-vlan101 ! redundancy mode sso main-cpu auto-sync running-config spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! power redundancy-mode combined no diagnostic cns publish no diagnostic cns subscribe ! vlan internal allocation policy ascending vlan access-log ratelimit 2000 ! interface Loopback0 description Loopback0 ip address 10.57.255.251 255.255.255.255 ! interface Tunnel0 description Tunnel0 bandwidth 100000 ip address 10.56.0.1 255.255.252.0 no ip redirects ip hold-time eigrp 1 35 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp network-id 105600 ip nhrp holdtime 1800 ip nhrp registration timeout 120 no ip split-horizon eigrp 1 load-interval 30 tunnel source 192.168.241.1 tunnel mode gre multipoint ! interface Tunnel1 description Tunnel1 bandwidth 100000 ip address 10.56.8.1 255.255.252.0 no ip redirects ip hold-time eigrp 1 35 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp network-id 105680 ip nhrp holdtime 1800 ip nhrp registration timeout 120 no ip split-horizon eigrp 1 load-interval 30 tunnel source 192.168.242.1 tunnel mode gre multipoint ! interface GigabitEthernet3/1 description GigabitEthernet3/1 Outside Interface no ip address load-interval 30 crypto connect vlan 100 ! interface GigabitEthernet3/2 description GigabitEthernet3/2 Outside Interface no ip address load-interval 30 crypto connect vlan 101 ! interface GigabitEthernet3/3 description GigabitEthernet3/3 no ip address load-interval 30 shutdown ! interface GigabitEthernet4/0/1 description GigabitEthernet4/0/1 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,100,101,1002-1005 switchport mode trunk mtu 9216 no ip address flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet4/0/2 description GigabitEthernet4/0/2 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,1002-1005 switchport mode trunk mtu 9216 no ip address flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet5/1 description GigabitEthernet5/1 Inside Interface ip address 10.57.1.1 255.255.255.0 no ip redirects load-interval 30 ! interface GigabitEthernet6/2 description FlashNet ip address 172.26.177.251 255.255.252.0 load-interval 30 media-type rj45 speed 100 duplex full ! interface Vlan1 description Vlan1 no ip address load-interval 30 shutdown ! interface Vlan100 description Vlan100 ip address 192.168.241.1 255.255.255.0 no ip redirects load-interval 30 no mop enabled crypto map dynamic-map-vlan100 crypto engine subslot 4/0 ! interface Vlan101 description Vlan101 ip address 192.168.242.1 255.255.255.0 no ip redirects load-interval 30 no mop enabled crypto map dynamic-map-vlan101 crypto engine subslot 4/0 ! router eigrp 1 network 10.0.0.0 no auto-summary ! ip classless ip route 0.0.0.0 0.0.0.0 172.26.176.1 ip route 10.60.0.254 255.255.255.255 192.168.241.2 ip route 10.60.1.254 255.255.255.255 192.168.241.2 ip route 10.60.2.254 255.255.255.255 192.168.241.2 ip route 10.60.3.254 255.255.255.255 192.168.241.2 ip route 10.60.4.254 255.255.255.255 192.168.241.2 ip route 10.60.5.254 255.255.255.255 192.168.241.2 ip route 10.60.6.254 255.255.255.255 192.168.241.2 ip route 10.60.7.254 255.255.255.255 192.168.241.2 ip route 10.60.8.254 255.255.255.255 192.168.241.2 ip route 10.60.9.254 255.255.255.255 192.168.241.2 ip route 10.60.10.254 255.255.255.255 192.168.241.2 . . . lines omitted . . . ip route 10.67.0.254 255.255.255.255 192.168.242.2 ip route 10.67.1.254 255.255.255.255 192.168.242.2 ip route 10.67.2.254 255.255.255.255 192.168.242.2 ip route 10.67.3.254 255.255.255.255 192.168.242.2 ip route 10.67.4.254 255.255.255.255 192.168.242.2 ip route 10.67.5.254 255.255.255.255 192.168.242.2 ip route 10.67.6.254 255.255.255.255 192.168.242.2 ip route 10.67.7.254 255.255.255.255 192.168.242.2 ip route 10.67.8.254 255.255.255.255 192.168.242.2 ip route 10.67.9.254 255.255.255.255 192.168.242.2 ip route 10.67.10.254 255.255.255.255 192.168.242.2 ip route 10.67.11.254 255.255.255.255 192.168.242.2 ip route 10.67.12.254 255.255.255.255 192.168.242.2 ip route 10.67.13.254 255.255.255.255 192.168.242.2 ip route 10.67.14.254 255.255.255.255 192.168.242.2 ip route 10.67.15.254 255.255.255.255 192.168.242.2 ip route 10.67.16.254 255.255.255.255 192.168.242.2 ip route 10.67.17.254 255.255.255.255 192.168.242.2 ip route 10.67.18.254 255.255.255.255 192.168.242.2 ip route 10.67.19.254 255.255.255.255 192.168.242.2 ip route 172.26.0.0 255.255.0.0 172.26.176.1 ip route 192.168.0.0 255.255.0.0 192.168.241.2 ip route 192.168.0.0 255.255.0.0 192.168.242.2 ! no ip http server ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown ! control-plane ! dial-peer cor custom ! line con 0 exec-timeout 0 0 password cisco login line vty 0 4 exec-timeout 0 0 password cisco login ! ntp clock-period 17180019 ntp server 172.26.176.1 no cns aaa enable end Cisco 7200VXR/Cisco 7600 Dual Tier Architecture Headend Configuration This configuration is for the Cisco 7200VXR terminating mGRE and the Cisco 7600 with Sup720 and VPN SPA providing high-capacity IPsec encryption. Tier #1 (mGRE) hostname vpn2-7200-1 ! clock timezone EST -5 clock summer-time EDT recurring clock calendar-valid no aaa new-model ip subnet-zero ip rcmd rsh-enable ! ip cef no ip domain lookup ! ip multicast-routing ip ips po max-events 100 no ftp-server write-enable ! interface Tunnel0 description Tunnel0 bandwidth 100000 ip address 10.56.0.1 255.255.252.0 no ip redirects ip hold-time eigrp 1 35 no ip next-hop-self eigrp 1 ip pim nbma-mode ip pim sparse-mode ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp network-id 105600 ip nhrp holdtime 1800 ip nhrp registration timeout 120 no ip split-horizon eigrp 1 load-interval 30 tunnel source 192.168.161.1 tunnel mode gre multipoint tunnel key 105600 ! interface Tunnel1 description Tunnel1 bandwidth 100000 ip address 10.56.16.1 255.255.252.0 no ip redirects ip hold-time eigrp 1 35 no ip next-hop-self eigrp 1 ip pim nbma-mode ip pim sparse-mode ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp network-id 1056160 ip nhrp holdtime 1800 ip nhrp registration timeout 120 no ip split-horizon eigrp 1 load-interval 30 tunnel source 192.168.181.1 tunnel mode gre multipoint tunnel key 1056160 ! interface Loopback0 description Loopback0 ip address 10.57.255.251 255.255.255.255 ! interface FastEthernet0/0 description FlashNet ip address 172.26.176.14 255.255.252.0 load-interval 30 duplex full speed 100 ! interface FastEthernet0/1 description FastEthernet0/1 no ip address load-interval 30 shutdown duplex full speed 100 ! interface GigabitEthernet0/1 description GigabitEthernet0/1 ip address 192.168.181.1 255.255.255.0 secondary ip address 192.168.161.1 255.255.255.0 load-interval 30 duplex auto speed auto media-type gbic negotiation auto ! interface GigabitEthernet0/2 description GigabitEthernet0/2 ip address 10.57.1.1 255.255.255.0 ip pim sparse-mode load-interval 30 duplex auto speed auto media-type gbic negotiation auto ! interface GigabitEthernet0/3 description GigabitEthernet0/3 no ip address load-interval 30 shutdown duplex auto speed auto media-type gbic negotiation auto ! router eigrp 1 network 10.0.0.0 no auto-summary ! ip classless ip route 0.0.0.0 0.0.0.0 172.26.176.1 ip route 172.26.0.0 255.255.0.0 172.26.176.1 ip route 192.168.0.0 255.255.0.0 192.168.161.2 ip route 192.168.0.0 255.255.0.0 192.168.181.2 ! ip http server no ip http secure-server ! ip pim autorp listener ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown snmp-server enable traps tty ! control-plane ! dial-peer cor custom ! gatekeeper shutdown ! line con 0 exec-timeout 0 0 password cisco login transport preferred all transport output all stopbits 1 line aux 0 transport preferred all transport output all stopbits 1 line vty 0 4 exec-timeout 0 0 password cisco login transport preferred all transport input all transport output all line vty 5 15 exec-timeout 0 0 password cisco login transport preferred all transport input all transport output all ! ntp clock-period 17180034 ntp server 172.26.176.1 ! end Tier #2 (IPsec) hostname vpn6-7600-1 ! no aaa new-model clock timezone EST -5 clock summer-time EDT recurring clock calendar-valid ip subnet-zero ip rcmd rsh-enable ! no ip domain-lookup ipv6 mfib hardware-switching replication-mode ingress mls ip multicast flow-stat-timer 9 no mls flow ip no mls flow ipv6 no mls acl tcam share-global mls cef error action freeze no scripting tcl init no scripting tcl encdir ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac no crypto ipsec nat-transparency udp-encaps ! crypto dynamic-map dmap 10 set transform-set vpn-test ! crypto map dynamic-map local-address Vlan100 crypto map dynamic-map 10 ipsec-isakmp dynamic dmap ! redundancy mode sso main-cpu auto-sync running-config spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! power redundancy-mode combined no diagnostic cns publish no diagnostic cns subscribe ! vlan internal allocation policy ascending vlan access-log ratelimit 2000 ! interface GigabitEthernet3/1 description GigabitEthernet3/1 Outside Interface no ip address load-interval 30 crypto connect vlan 100 ! interface GigabitEthernet3/2 description GigabitEthernet3/2 no ip address load-interval 30 shutdown ! interface GigabitEthernet4/0/1 description GigabitEthernet4/0/1 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,100,1002-1005 switchport mode trunk mtu 9216 no ip address load-interval 30 flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet4/0/2 description GigabitEthernet4/0/2 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,1002-1005 switchport mode trunk mtu 9216 no ip address load-interval 30 flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet5/1 description GigabitEthernet5/1 to vpn2-7200-1 GE0/1 ip address 192.168.181.2 255.255.255.0 secondary ip address 192.168.161.2 255.255.255.0 no ip redirects load-interval 30 ! interface GigabitEthernet5/2 description GigabitEthernet5/2 to vpn2-7200-2 GE0/1 ip address 192.168.191.2 255.255.255.0 secondary ip address 192.168.171.2 255.255.255.0 no ip redirects load-interval 30 ! interface GigabitEthernet5/3 description GigabitEthernet5/3 no ip address load-interval 30 shutdown ! interface GigabitEthernet6/2 description FlashNet ip address 172.26.177.251 255.255.252.0 load-interval 30 media-type rj45 speed 100 duplex full ! interface Vlan1 description Vlan1 no ip address load-interval 30 shutdown ! interface Vlan100 description Vlan100 ip address 192.168.241.1 255.255.255.0 load-interval 30 no mop enabled crypto map dynamic-map crypto engine subslot 4/0 ! ip classless ip route 0.0.0.0 0.0.0.0 172.26.176.1 ip route 172.26.0.0 255.255.0.0 172.26.176.1 ip route 192.168.0.0 255.255.0.0 192.168.241.2 ! no ip http server ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown ! control-plane ! dial-peer cor custom ! line con 0 exec-timeout 0 0 password cisco login line vty 0 4 exec-timeout 0 0 password cisco login ! ntp clock-period 17180035 ntp server 172.26.176.1 no cns aaa enable end Cisco ISR Branch Office Configuration The following shows relevant configurations for one branch site router. A dual hub-dual DMVPN cloud design is employed by using two tunnels, one to each headend. The EIGRP delay metric is used to make Tunnel0 the preferred path. This configuration shows QoS for VoIP flows (shaping and queuing) applied to the physical (outside) interface, the recommended use of summary routes, and an EIGRP stub configuration. Branch #1: ip cef ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 192.168.251.1 crypto isakmp key bigsecret address 192.168.252.1 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac no crypto ipsec nat-transparency udp-encaps ! crypto ipsec profile vpn-dmvpn set transform-set vpn-test ! class-map match-all VOICE match ip dscp ef class-map match-any CALL-SETUP match ip dscp af31 match ip dscp cs3 class-map match-any INTERNETWORK-CONTROL match ip dscp cs6 match access-group name IKE class-map match-all TRANSACTIONAL-DATA match ip dscp af21 ! policy-map 192kb class CALL-SETUP bandwidth percent 2 class INTERNETWORK-CONTROL bandwidth percent 5 class TRANSACTIONAL-DATA bandwidth percent 22 queue-limit 16 class VOICE priority 64 class class-default fair-queue queue-limit 6 policy-map 192kb-shaper class class-default shape average 182400 1824 0 service-policy 192kb ! interface Loopback0 description Loopback0 ip address 10.61.138.254 255.255.255.255 ! interface Tunnel0 description Tunnel0 bandwidth 192 ip address 10.56.3.10 255.255.252.0 ip hold-time eigrp 1 35 ip nhrp authentication test ip nhrp map 10.56.0.1 192.168.251.1 ip nhrp map multicast 192.168.251.1 ip nhrp network-id 105600 ip nhrp holdtime 300 ip nhrp nhs 10.56.0.1 ip summary-address eigrp 1 10.61.148.0 255.255.255.0 5 qos pre-classify tunnel source 192.168.100.6 tunnel destination 192.168.251.1 tunnel key 105600 tunnel protection ipsec profile vpn-dmvpn ! interface Tunnel1 description Tunnel1 bandwidth 192 ip address 10.56.7.10 255.255.252.0 ip hold-time eigrp 1 35 ip nhrp authentication test ip nhrp map 10.56.4.1 192.168.252.1 ip nhrp map multicast 192.168.252.1 ip nhrp network-id 105640 ip nhrp holdtime 300 ip nhrp nhs 10.56.4.1 ip summary-address eigrp 1 10.61.148.0 255.255.255.0 5 delay 60000 qos pre-classify tunnel source 192.168.100.6 tunnel destination 192.168.252.1 tunnel key 105640 tunnel protection ipsec profile vpn-dmvpn ! interface Serial0/0 description Serial0/0 bandwidth 192 ip address 192.168.100.6 255.255.255.252 service-policy output 192kb-shaper ! interface FastEthernet0/1 description FastEthernet0/1 ip address 10.61.148.129 255.255.255.192 secondary ip address 10.61.148.1 255.255.255.128 speed 100 full-duplex ! router eigrp 1 network 10.0.0.0 no auto-summary eigrp stub connected summary ! ip route 0.0.0.0 0.0.0.0 192.168.100.5! ip access-list extended IKE permit udp any any eq isakmp !
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks

Table Of Contents

Scalability Test Bed Configuration Files

Cisco 7200VXR/NPE-G1/SA-VAM2 Headend Configuration

Cisco ASR1004 Headend Configuration

Cisco 7600/Sup720/VPN SPA Headend Configuration

Cisco 7200VXR/Cisco 7600 Dual Tier Architecture Headend Configuration

Tier #1 (mGRE)

Tier #2 (IPsec)

Cisco ISR Branch Office Configuration