Point-to-Point GRE over IPsec Design Guide - Scalability Test Bed Configuration Files [Design Zone for IPv6]

Scalability Test Bed Configuration Files

Cisco 7200VXR Headend Configuration

Cisco Catalyst 6500/Sup2/VPNSM Headend Configuration

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on Sup720)

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on VPN SPA)

Cisco 7200VXR/7600 Dual Tier Headend Architecture Configurations

Cisco 7600/Sup720/VPN SPA Headend Configuration

ISR Branch Configuration

Scalability Test Bed Configuration Files

The configurations for the central and branch sites are listed in the following sections. Note that these configurations have been extracted from real configurations used in Cisco scalability testing. They are provided as a reference only.

Cisco 7200VXR Headend Configuration

There are two headend devices in the test bed, each terminating a p2p GRE over IPsec tunnel from all branch routers. The configuration shown below is an excerpt of the first headend and does not contain configuration commands for all branches. The ISAKMP PSK, the crypto peer, the tunnel interface, and the crypto access list are shown for one device.

Headend #1:

ip cef

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 192.168.0.2

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

crypto map static-map local-address GigabitEthernet0/1

crypto map static-map 100 ipsec-isakmp

 set peer 192.168.0.2

 set transform-set vpn-test

 match address b000

interface Loopback0

 description Loopback0

 ip address 10.57.1.255 255.255.255.255

interface Tunnel0

 description vpn5-2600-1-000

 bandwidth 1536

 ip address 10.60.0.193 255.255.255.252

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 tunnel source 192.168.251.1

 tunnel destination 192.168.0.2

 crypto map static-map

interface GigabitEthernet0/1

 description GigabitEthernet0/1

 ip address 192.168.251.1 255.255.255.248

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

 crypto map static-map

interface GigabitEthernet0/2

 description GigabitEthernet0/2

 ip address 10.57.1.1 255.255.255.248

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

router eigrp 1

 network 10.0.0.0

 no auto-summary

ip route 0.0.0.0 0.0.0.0 192.168.251.2

ip access-list extended b000

 permit gre host 192.168.251.1 host 192.168.0.2

Cisco Catalyst 6500/Sup2/VPNSM Headend Configuration

Headend #1:

hostname vpn4-6500-2

logging snmp-authfail

logging buffered 65535 debugging

enable password cisco

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

ip subnet-zero

no ip domain-lookup

mpls ldp logging neighbor-changes

mls flow ip destination

mls flow ipx destination

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 192.168.0.2

crypto isakmp key bigsecret address 192.168.1.2

crypto isakmp key bigsecret address 192.168.2.2

!. . . repetitive lines omitted . . .

crypto isakmp key bigsecret address 192.168.60.26

crypto isakmp key bigsecret address 192.168.61.26

crypto isakmp key bigsecret address 192.168.62.26

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

crypto map static-map local-address Vlan100

crypto map static-map 100 ipsec-isakmp

 set peer 192.168.0.2

 set transform-set vpn-test

 match address b0000

crypto map static-map 101 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set vpn-test

 match address b0001

crypto map static-map 102 ipsec-isakmp

 set peer 192.168.2.2

 set transform-set vpn-test

 match address b0002

!. . . repetitive lines omitted . . .

crypto map static-map 1120 ipsec-isakmp

 set peer 192.168.60.26

 set transform-set vpn-test

 match address b1020

crypto map static-map 1121 ipsec-isakmp

 set peer 192.168.61.26

 set transform-set vpn-test

 match address b1021

crypto map static-map 1122 ipsec-isakmp

 set peer 192.168.62.26

 set transform-set vpn-test

 match address b1022

no spanning-tree vlan 100

redundancy

 mode rpr-plus

 main-cpu

  auto-sync running-config

  auto-sync standard

interface Loopback0

 description Loopback0

 ip address 10.57.255.251 255.255.255.255

interface Tunnel0

 description vpn5-2600-1-0000

 bandwidth 1000000

 ip address 10.60.0.193 255.255.255.252

 ip hold-time eigrp 1 35

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 load-interval 30

 tunnel source 192.168.251.1

 tunnel destination 192.168.0.2

interface Tunnel1

 description vpn5-2600-2-0001

 bandwidth 1000000

 ip address 10.60.1.193 255.255.255.252

 ip hold-time eigrp 1 35

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 load-interval 30

 tunnel source 192.168.251.1

 tunnel destination 192.168.1.2

interface Tunnel2

 description vpn5-2600-3-0002

 bandwidth 1000000

 ip address 10.60.2.193 255.255.255.252

 ip hold-time eigrp 1 35

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 load-interval 30

 tunnel source 192.168.251.1

 tunnel destination 192.168.2.2

!. . . repetitive lines omitted . . .

interface Tunnel1020

 description ci26-2600-11-1020

 bandwidth 1000000

 ip address 10.67.64.193 255.255.255.252

 ip hold-time eigrp 1 35

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 load-interval 30

 tunnel source 192.168.251.1

 tunnel destination 192.168.60.26

interface Tunnel1021

 description ci26-2600-12-1021

 bandwidth 1000000

 ip address 10.67.65.193 255.255.255.252

 ip hold-time eigrp 1 35

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 load-interval 30

 tunnel source 192.168.251.1

 tunnel destination 192.168.61.26

interface Tunnel1022

 description ci26-2600-13-1022

 bandwidth 1000000

 ip address 10.67.66.193 255.255.255.252

 ip hold-time eigrp 1 35

 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5

 load-interval 30

 tunnel source 192.168.251.1

 tunnel destination 192.168.62.26

interface GigabitEthernet2/1

 description GigabitEthernet2/1 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 100

interface GigabitEthernet4/1

 description GigabitEthernet4/1

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,100,1002-1005

 switchport mode trunk

 cdp enable

interface GigabitEthernet4/2

 description GigabitEthernet4/2

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,1002-1005

 switchport mode trunk

 cdp enable

 spanning-tree portfast trunk

interface GigabitEthernet5/1

 description GigabitEthernet5/1 Inside Interface

 ip address 10.57.1.1 255.255.255.0

 load-interval 30

interface Vlan100

 description Vlan100

 ip address 192.168.251.1 255.255.255.0

 load-interval 30

 no mop enabled

 crypto map static-map

router eigrp 1

 network 10.0.0.0

 no auto-summary

ip classless

ip route 192.168.0.0 255.255.0.0 192.168.251.2

no ip http server

no ip http secure-server

ip access-list extended b0000

 permit gre host 192.168.251.1 host 192.168.0.2

ip access-list extended b0001

 permit gre host 192.168.251.1 host 192.168.1.2

ip access-list extended b0002

 permit gre host 192.168.251.1 host 192.168.2.2

ip access-list extended b0003

 permit gre host 192.168.251.1 host 192.168.3.2

!. . . reptitive lines omitted . . .

ip access-list extended b1020

 permit gre host 192.168.251.1 host 192.168.60.26

ip access-list extended b1021

 permit gre host 192.168.251.1 host 192.168.61.26

ip access-list extended b1022

 permit gre host 192.168.251.1 host 192.168.62.26

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

snmp-server enable traps tty

alias exec macedon remote command switch test lcp 4 lcp 1

line con 0

 exec-timeout 0 0

 password cisco

 login

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

 transport input lat pad mop telnet rlogin udptn nasi ssh

line vty 5 15

 exec-timeout 0 0

 password cisco

 login

ntp clock-period 17179687

ntp server 10.57.1.2

end

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on Sup720)

In this configuration, the Cisco 7600 platform is aggregating the p2p GRE over IPsec tunnels, with crypto tunnels aggregated to the VPN SPA and p2p GRE being handled by the Sup720.

Headend #1:

hostname vpn6-7600-1

ip multicast-routing

no ip domain-lookup

ipv6 mfib hardware-switching replication-mode ingress

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

no scripting tcl init

no scripting tcl encdir

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

crypto dynamic-map dmap 10

 set transform-set vpn-test

crypto map dynamic-map 10 ipsec-isakmp dynamic dmap

redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

interface Loopback0

 description Loopback0

 ip address 192.168.246.1 255.255.255.255

 load-interval 30

interface Loopback1

 description Loopback1

 ip address 192.168.246.2 255.255.255.255

 load-interval 30

interface Loopback2

 description Loopback2

 ip address 192.168.246.3 255.255.255.255

 load-interval 30

!. . . repetitive lines omitted . . .

interface Loopback999

 description Loopback999

 ip address 192.168.249.250 255.255.255.255

 load-interval 30

interface Loopback1000

 description Loopback1000

 ip address 10.57.255.251 255.255.255.255

 load-interval 30

interface Tunnel0

 description vpn5-2800-1-0000

 bandwidth 1000000

 ip address 10.60.0.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.246.1

 tunnel destination 192.168.0.2

interface Tunnel1

 description vpn5-2800-2-0001

 bandwidth 1000000

 ip address 10.60.1.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.246.2

 tunnel destination 192.168.1.2

interface Tunnel2

 description vpn5-2800-3-0002

 bandwidth 1000000

 ip address 10.60.2.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.246.3

 tunnel destination 192.168.2.2

!. . . repetitive lines omitted . . .

interface Tunnel998

 description ci25-2600-19-0998

 bandwidth 1000000

 ip address 10.67.18.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.249.249

 tunnel destination 192.168.38.26

interface Tunnel999

 description ci25-2600-20-0999

 bandwidth 1000000

 ip address 10.67.19.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.249.250

 tunnel destination 192.168.39.26

interface GigabitEthernet3/1

 description GigabitEthernet3/1 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 100

interface GigabitEthernet4/0/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,100,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet4/0/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet5/1

 description GigabitEthernet5/1 Inside Interface

 ip address 10.57.1.1 255.255.255.0

 no ip redirects

 ip pim sparse-mode

 load-interval 30

interface Vlan100

 description Vlan100

 ip address 192.168.241.1 255.255.255.0

 load-interval 30

 no mop enabled

 crypto map dynamic-map

 crypto engine subslot 4/0

router ospf 1

 router-id 10.57.255.251

 log-adjacency-changes

 area 10.60.0.0 range 10.60.0.0 255.255.192.0

 area 10.60.64.0 range 10.60.64.0 255.255.192.0

 area 10.60.128.0 range 10.60.128.0 255.255.192.0

 area 10.60.192.0 range 10.60.192.0 255.255.192.0

 area 10.61.0.0 range 10.61.0.0 255.255.192.0

 area 10.61.64.0 range 10.61.64.0 255.255.192.0

 area 10.61.128.0 range 10.61.128.0 255.255.192.0

 area 10.61.192.0 range 10.61.192.0 255.255.192.0

 area 10.62.0.0 range 10.62.0.0 255.255.192.0

 area 10.62.64.0 range 10.62.64.0 255.255.192.0

 area 10.62.128.0 range 10.62.128.0 255.255.192.0

 area 10.62.192.0 range 10.62.192.0 255.255.192.0

 area 10.63.0.0 range 10.63.0.0 255.255.0.0

 area 10.64.0.0 range 10.64.0.0 255.255.192.0

 area 10.64.64.0 range 10.64.64.0 255.255.192.0

 area 10.64.128.0 range 10.64.128.0 255.255.192.0

 area 10.64.192.0 range 10.64.192.0 255.255.192.0

 area 10.65.0.0 range 10.65.0.0 255.255.192.0

 area 10.65.64.0 range 10.65.64.0 255.255.192.0

 area 10.65.128.0 range 10.65.128.0 255.255.192.0

 area 10.65.192.0 range 10.65.192.0 255.255.192.0

 area 10.66.0.0 range 10.66.0.0 255.255.192.0

 area 10.66.64.0 range 10.66.64.0 255.255.192.0

 area 10.66.128.0 range 10.66.128.0 255.255.192.0

 area 10.66.192.0 range 10.66.192.0 255.255.192.0

 area 10.67.0.0 range 10.67.0.0 255.255.192.0

 network 10.57.0.0 0.0.255.255 area 0.0.0.0

 network 10.60.0.0 0.0.63.255 area 10.60.0.0

 network 10.60.64.0 0.0.63.255 area 10.60.64.0

 network 10.60.128.0 0.0.63.255 area 10.60.128.0

 network 10.60.192.0 0.0.63.255 area 10.60.192.0

 network 10.61.0.0 0.0.63.255 area 10.61.0.0

 network 10.61.64.0 0.0.63.255 area 10.61.64.0

 network 10.61.128.0 0.0.63.255 area 10.61.128.0

 network 10.61.192.0 0.0.63.255 area 10.61.192.0

 network 10.62.0.0 0.0.63.255 area 10.62.0.0

 network 10.62.64.0 0.0.63.255 area 10.62.64.0

 network 10.62.128.0 0.0.63.255 area 10.62.128.0

 network 10.62.192.0 0.0.63.255 area 10.62.192.0

 network 10.63.0.0 0.0.255.255 area 10.63.0.0

 network 10.64.0.0 0.0.63.255 area 10.64.0.0

 network 10.64.64.0 0.0.63.255 area 10.64.64.0

 network 10.64.128.0 0.0.63.255 area 10.64.128.0

 network 10.64.192.0 0.0.63.255 area 10.64.192.0

 network 10.65.0.0 0.0.63.255 area 10.65.0.0

 network 10.65.64.0 0.0.63.255 area 10.65.64.0

 network 10.65.128.0 0.0.63.255 area 10.65.128.0

 network 10.65.192.0 0.0.63.255 area 10.65.192.0

 network 10.66.0.0 0.0.63.255 area 10.66.0.0

 network 10.66.64.0 0.0.63.255 area 10.66.64.0

 network 10.66.128.0 0.0.63.255 area 10.66.128.0

 network 10.66.192.0 0.0.63.255 area 10.66.192.0

 network 10.67.0.0 0.0.63.255 area 10.67.0.0

ip classless

ip route 192.168.0.0 255.255.0.0 192.168.241.2

no ip http server

ip pim autorp listener

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

control-plane

dial-peer cor custom

line con 0

 exec-timeout 0 0

 password cisco

 login

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

ntp server 10.57.1.2

no cns aaa enable

end

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on VPN SPA)

In this configuration, the Cisco 7600 platform is aggregating the p2p GRE over IPsec tunnels, with both p2p GRE and crypto tunnels aggregated to the VPN SPA.

Headend #1:

hostname vpn6-7600-1

ip multicast-routing

no ip domain-lookup

ipv6 mfib hardware-switching replication-mode ingress

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

no scripting tcl init

no scripting tcl encdir

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

crypto dynamic-map dmap 10

 set transform-set vpn-test

crypto map dynamic-map local-address Vlan100

crypto map dynamic-map 10 ipsec-isakmp dynamic dmap

redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

interface Loopback0

 description Loopback0

 ip address 10.57.255.251 255.255.255.255

interface Tunnel0

 description vpn5-2800-1-0000

 bandwidth 1000000

 ip address 10.60.0.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.0.2

interface Tunnel1

 description vpn5-2800-2-0001

 bandwidth 1000000

 ip address 10.60.1.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.1.2

interface Tunnel2

 description vpn5-2800-3-0002

 bandwidth 1000000

 ip address 10.60.2.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.2.2

!. . . repetitive lines omitted . . .

interface Tunnel998

 description ci25-2600-19-0998

 bandwidth 1000000

 ip address 10.67.18.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.38.26

interface Tunnel999

 description ci25-2600-20-0999

 bandwidth 1000000

 ip address 10.67.19.193 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.39.26

interface GigabitEthernet3/1

 description GigabitEthernet3/1 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 100

interface GigabitEthernet4/0/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,100,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet4/0/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet5/1

 description GigabitEthernet5/1 Inside Interface

 ip address 10.57.1.1 255.255.255.0

 no ip redirects

 ip pim sparse-mode

 load-interval 30

interface Vlan100

 description Vlan100

 ip address 192.168.241.1 255.255.255.0

 load-interval 30

 no mop enabled

 crypto map dynamic-map

 crypto engine subslot 4/0

router ospf 1

 router-id 10.57.255.251

 log-adjacency-changes

 area 10.60.0.0 range 10.60.0.0 255.255.192.0

 area 10.60.64.0 range 10.60.64.0 255.255.192.0

 area 10.60.128.0 range 10.60.128.0 255.255.192.0

 area 10.60.192.0 range 10.60.192.0 255.255.192.0

 area 10.61.0.0 range 10.61.0.0 255.255.192.0

 area 10.61.64.0 range 10.61.64.0 255.255.192.0

 area 10.61.128.0 range 10.61.128.0 255.255.192.0

 area 10.61.192.0 range 10.61.192.0 255.255.192.0

 area 10.62.0.0 range 10.62.0.0 255.255.192.0

 area 10.62.64.0 range 10.62.64.0 255.255.192.0

 area 10.62.128.0 range 10.62.128.0 255.255.192.0

 area 10.62.192.0 range 10.62.192.0 255.255.192.0

 area 10.63.0.0 range 10.63.0.0 255.255.0.0

 area 10.64.0.0 range 10.64.0.0 255.255.192.0

 area 10.64.64.0 range 10.64.64.0 255.255.192.0

 area 10.64.128.0 range 10.64.128.0 255.255.192.0

 area 10.64.192.0 range 10.64.192.0 255.255.192.0

 area 10.65.0.0 range 10.65.0.0 255.255.192.0

 area 10.65.64.0 range 10.65.64.0 255.255.192.0

 area 10.65.128.0 range 10.65.128.0 255.255.192.0

 area 10.65.192.0 range 10.65.192.0 255.255.192.0

 area 10.66.0.0 range 10.66.0.0 255.255.192.0

 area 10.66.64.0 range 10.66.64.0 255.255.192.0

 area 10.66.128.0 range 10.66.128.0 255.255.192.0

 area 10.66.192.0 range 10.66.192.0 255.255.192.0

 area 10.67.0.0 range 10.67.0.0 255.255.192.0

 network 10.57.0.0 0.0.255.255 area 0.0.0.0

 network 10.60.0.0 0.0.63.255 area 10.60.0.0

 network 10.60.64.0 0.0.63.255 area 10.60.64.0

 network 10.60.128.0 0.0.63.255 area 10.60.128.0

 network 10.60.192.0 0.0.63.255 area 10.60.192.0

 network 10.61.0.0 0.0.63.255 area 10.61.0.0

 network 10.61.64.0 0.0.63.255 area 10.61.64.0

 network 10.61.128.0 0.0.63.255 area 10.61.128.0

 network 10.61.192.0 0.0.63.255 area 10.61.192.0

 network 10.62.0.0 0.0.63.255 area 10.62.0.0

 network 10.62.64.0 0.0.63.255 area 10.62.64.0

 network 10.62.128.0 0.0.63.255 area 10.62.128.0

 network 10.62.192.0 0.0.63.255 area 10.62.192.0

 network 10.63.0.0 0.0.255.255 area 10.63.0.0

 network 10.64.0.0 0.0.63.255 area 10.64.0.0

 network 10.64.64.0 0.0.63.255 area 10.64.64.0

 network 10.64.128.0 0.0.63.255 area 10.64.128.0

 network 10.64.192.0 0.0.63.255 area 10.64.192.0

 network 10.65.0.0 0.0.63.255 area 10.65.0.0

 network 10.65.64.0 0.0.63.255 area 10.65.64.0

 network 10.65.128.0 0.0.63.255 area 10.65.128.0

 network 10.65.192.0 0.0.63.255 area 10.65.192.0

 network 10.66.0.0 0.0.63.255 area 10.66.0.0

 network 10.66.64.0 0.0.63.255 area 10.66.64.0

 network 10.66.128.0 0.0.63.255 area 10.66.128.0

 network 10.66.192.0 0.0.63.255 area 10.66.192.0

 network 10.67.0.0 0.0.63.255 area 10.67.0.0

ip classless

ip route 192.168.0.0 255.255.0.0 192.168.241.2

no ip http server

ip pim autorp listener

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

control-plane

dial-peer cor custom

line con 0

 exec-timeout 0 0

 password cisco

 login

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

ntp server 10.57.1.2

no cns aaa enable

end

Cisco 7200VXR/7600 Dual Tier Headend Architecture Configurations

This configuration is for the Cisco 7200VXR terminating p2p GRE and the Cisco 7600 with Sup720 and VPN SPA providing high-capacity encryption.

hostname vpn2-7200-1

boot-start-marker

boot-end-marker

logging buffered 65535 debugging

enable password cisco

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

no aaa new-model

ip subnet-zero

ip cef

no ip domain lookup

ip ips po max-events 100

no ftp-server write-enable

interface Tunnel0

 description vpn5-2800-1-0000

 bandwidth 1000000

 ip address 10.60.0.193 255.255.255.252

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.0.2

interface Tunnel1

 description vpn5-2800-2-0001

 bandwidth 1000000

 ip address 10.60.1.193 255.255.255.252

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.1.2

interface Tunnel2

 description vpn5-2800-3-0002

 bandwidth 1000000

 ip address 10.60.2.193 255.255.255.252

 load-interval 30

 tunnel source 192.168.241.1

 tunnel destination 192.168.2.2

!. . . repetitive lines omitted . . .

interface Tunnel998

 description ci25-2600-19-0998

 bandwidth 1000000

 ip address 10.67.18.193 255.255.255.252

 load-interval 30

 tunnel source 192.168.245.1

 tunnel destination 192.168.38.26

interface Tunnel999

 description ci25-2600-20-0999

 bandwidth 1000000

 ip address 10.67.19.193 255.255.255.252

 load-interval 30

 tunnel source 192.168.245.1

 tunnel destination 192.168.39.26

interface Loopback0

 description Loopback0

 ip address 10.57.255.251 255.255.255.255

interface GigabitEthernet0/1

 description GigabitEthernet0/1

 no ip address

 load-interval 30

 duplex full

 speed 1000

 media-type gbic

 negotiation auto

interface GigabitEthernet0/1.241

 description GigabitEthernet0/1.241

 encapsulation dot1Q 241

 ip address 192.168.241.1 255.255.255.0

interface GigabitEthernet0/1.242

 description GigabitEthernet0/1.242

 encapsulation dot1Q 242

 ip address 192.168.242.1 255.255.255.0

interface GigabitEthernet0/1.243

 description GigabitEthernet0/1.243

 encapsulation dot1Q 243

 ip address 192.168.243.1 255.255.255.0

interface GigabitEthernet0/1.244

 description GigabitEthernet0/1.244

 encapsulation dot1Q 244

 ip address 192.168.244.1 255.255.255.0

interface GigabitEthernet0/1.245

 description GigabitEthernet0/1.245

 encapsulation dot1Q 245

 ip address 192.168.245.1 255.255.255.0

interface GigabitEthernet0/2

 description GigabitEthernet0/2

 ip address 10.57.1.1 255.255.255.0

 load-interval 30

 duplex auto

 speed auto

 media-type gbic

 negotiation auto

router ospf 1

 router-id 10.57.255.251

 log-adjacency-changes

 area 0.0.0.0 range 10.56.0.0 255.252.0.0

 area 10.60.0.0 range 10.60.0.0 255.255.192.0

 area 10.60.64.0 range 10.60.64.0 255.255.192.0

 area 10.60.128.0 range 10.60.128.0 255.255.192.0

 area 10.60.192.0 range 10.60.192.0 255.255.192.0

 area 10.61.0.0 range 10.61.0.0 255.255.192.0

 area 10.61.64.0 range 10.61.64.0 255.255.192.0

 area 10.61.128.0 range 10.61.128.0 255.255.192.0

 area 10.61.192.0 range 10.61.192.0 255.255.192.0

 area 10.62.0.0 range 10.62.0.0 255.255.192.0

 area 10.62.64.0 range 10.62.64.0 255.255.192.0

 area 10.62.128.0 range 10.62.128.0 255.255.192.0

 area 10.62.192.0 range 10.62.192.0 255.255.192.0

 area 10.63.0.0 range 10.63.0.0 255.255.0.0

 area 10.64.0.0 range 10.64.0.0 255.255.192.0

 area 10.64.64.0 range 10.64.64.0 255.255.192.0

 area 10.64.128.0 range 10.64.128.0 255.255.192.0

 area 10.64.192.0 range 10.64.192.0 255.255.192.0

 area 10.65.0.0 range 10.65.0.0 255.255.192.0

 area 10.65.64.0 range 10.65.64.0 255.255.192.0

 area 10.65.128.0 range 10.65.128.0 255.255.192.0

 area 10.65.192.0 range 10.65.192.0 255.255.192.0

 area 10.66.0.0 range 10.66.0.0 255.255.192.0

 area 10.66.64.0 range 10.66.64.0 255.255.192.0

 area 10.66.128.0 range 10.66.128.0 255.255.192.0

 area 10.66.192.0 range 10.66.192.0 255.255.192.0

 area 10.67.0.0 range 10.67.0.0 255.255.192.0

 network 10.57.0.0 0.0.255.255 area 0.0.0.0

 network 10.60.0.0 0.0.63.255 area 10.60.0.0

 network 10.60.64.0 0.0.63.255 area 10.60.64.0

 network 10.60.128.0 0.0.63.255 area 10.60.128.0

 network 10.60.192.0 0.0.63.255 area 10.60.192.0

 network 10.61.0.0 0.0.63.255 area 10.61.0.0

 network 10.61.64.0 0.0.63.255 area 10.61.64.0

 network 10.61.128.0 0.0.63.255 area 10.61.128.0

 network 10.61.192.0 0.0.63.255 area 10.61.192.0

 network 10.62.0.0 0.0.63.255 area 10.62.0.0

 network 10.62.64.0 0.0.63.255 area 10.62.64.0

 network 10.62.128.0 0.0.63.255 area 10.62.128.0

 network 10.62.192.0 0.0.63.255 area 10.62.192.0

 network 10.63.0.0 0.0.255.255 area 10.63.0.0

 network 10.64.0.0 0.0.63.255 area 10.64.0.0

 network 10.64.64.0 0.0.63.255 area 10.64.64.0

 network 10.64.128.0 0.0.63.255 area 10.64.128.0

 network 10.64.192.0 0.0.63.255 area 10.64.192.0

 network 10.65.0.0 0.0.63.255 area 10.65.0.0

 network 10.65.64.0 0.0.63.255 area 10.65.64.0

 network 10.65.128.0 0.0.63.255 area 10.65.128.0

 network 10.65.192.0 0.0.63.255 area 10.65.192.0

 network 10.66.0.0 0.0.63.255 area 10.66.0.0

 network 10.66.64.0 0.0.63.255 area 10.66.64.0

 network 10.66.128.0 0.0.63.255 area 10.66.128.0

 network 10.66.192.0 0.0.63.255 area 10.66.192.0

 network 10.67.0.0 0.0.63.255 area 10.67.0.0

ip classless

ip route 192.168.0.0 255.255.255.252 192.168.241.2

ip route 192.168.0.4 255.255.255.252 192.168.241.2

ip route 192.168.0.8 255.255.255.252 192.168.242.2

!. . . repetitive lines omitted . . .

ip route 192.168.159.16 255.255.255.252 192.168.244.2

ip route 192.168.159.20 255.255.255.252 192.168.245.2

no ip http server

no ip http secure-server

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

snmp-server enable traps tty

control-plane

gatekeeper

 shutdown

line con 0

 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport output all

 stopbits 1

line aux 0

 transport preferred all

 transport output all

 stopbits 1

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

 transport preferred all

 transport input all

 transport output all

ntp server 10.57.1.2

End

Cisco 7600/Sup720/VPN SPA Headend Configuration

hostname vpn6-7600-1

no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

clock calendar-valid

ip subnet-zero

no ip domain-lookup

ipv6 mfib hardware-switching replication-mode ingress

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

no scripting tcl init

no scripting tcl encdir

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

crypto dynamic-map dmap 10

 set transform-set vpn-test

crypto map dynamic-map local-address Vlan100

crypto map dynamic-map 10 ipsec-isakmp dynamic dmap

redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

interface GigabitEthernet3/1

 description GigabitEthernet3/1 Outside Interface

 no ip address

 load-interval 30

 crypto connect vlan 100

interface GigabitEthernet4/0/1

 description GigabitEthernet4/0/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,100,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet4/0/2

 description GigabitEthernet4/0/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 1,1002-1005

 switchport mode trunk

 mtu 9216

 no ip address

 load-interval 30

 flowcontrol receive on

 flowcontrol send off

 spanning-tree portfast trunk

interface GigabitEthernet5/1

 description GigabitEthernet5/1 to vpn2-7200-1 GE0/1

 ip address 192.168.181.2 255.255.255.0 secondary

 ip address 192.168.161.2 255.255.255.0

 no ip redirects

 load-interval 30

interface GigabitEthernet5/2

 description GigabitEthernet5/2 to vpn2-7200-2 GE0/1

 ip address 192.168.191.2 255.255.255.0 secondary

 ip address 192.168.171.2 255.255.255.0

 no ip redirects

 load-interval 30

interface Vlan100

 description Vlan100

 ip address 192.168.241.1 255.255.255.0

 load-interval 30

 no mop enabled

 crypto map dynamic-map

 crypto engine subslot 4/0

ip classless

ip route 192.168.0.0 255.255.0.0 192.168.241.2

no ip http server

snmp-server community public RO

snmp-server community private RW

snmp-server system-shutdown

control-plane

dial-peer cor custom

line con 0

 exec-timeout 0 0

 password cisco

 login

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

ntp server 10.57.1.2

no cns aaa enable

end

ISR Branch Configuration

The following shows relevant configurations for one branch router. For resiliency, two tunnels are configured (primary and secondary), one to each headend. The EIGRP delay metric is used to make Tunnel0 the preferred path. This configuration shows QoS for VoIP flows (shaping and queuing) applied to the physical (outside) interface, the recommended use of summary routes, and an EIGRP stub configuration.

Branch #1:

hostname vpn5-2800-1-0000

boot-start-marker

boot-end-marker

logging buffered 32768 debugging

enable password cisco

clock timezone EST -5

clock summer-time EDT recurring

no network-clock-participate aim 0

no network-clock-participate aim 1

no aaa new-model

ip subnet-zero

ip cef

ip ips po max-events 100

no ip domain lookup

ip multicast-routing

no ftp-server write-enable

class-map match-all VOICE

 match ip dscp ef

class-map match-any CALL-SETUP

 match ip dscp af31

 match ip dscp cs3

class-map match-any INTERNETWORK-CONTROL

 match ip dscp cs6

 match access-group name IKE

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21

policy-map 512kb

 class CALL-SETUP

  bandwidth percent 2

 class INTERNETWORK-CONTROL

  bandwidth percent 5

 class TRANSACTIONAL-DATA

  bandwidth percent 22

  queue-limit 16

 class VOICE

  priority 168

 class class-default

  fair-queue

  queue-limit 6

policy-map 512kb-shaper

 class class-default

  shape average 486400 4864 0

  service-policy 512kb

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key bigsecret address 192.168.241.1

crypto isakmp keepalive 10

crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac

crypto map static-map local-address Serial0/0/0

crypto map static-map 10 ipsec-isakmp

 set peer 192.168.241.1

 set transform-set vpn-test

 match address b000

interface Tunnel0

 description Tunnel0

 bandwidth 512

 ip address 10.60.0.194 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 tunnel source 192.168.0.2

 tunnel destination 192.168.241.1

interface Loopback0

 description Loopback0

 ip address 10.60.0.254 255.255.255.255

 ip pim sparse-mode

interface FastEthernet0/1

 description FastEthernet0/1

 ip address 10.60.0.129 255.255.255.192 secondary

 ip address 10.60.0.1 255.255.255.128

 load-interval 30

 duplex full

 speed 100

interface Serial0/0/0

 description Serial0/0/0

 bandwidth 512

 ip address 192.168.0.2 255.255.255.252

 service-policy output 512kb-shaper

 load-interval 30

 tx-ring-limit 1

 tx-queue-limit 1

 crypto map static-map

router ospf 1

 router-id 10.60.0.254

 log-adjacency-changes

 passive-interface FastEthernet0/1

 network 10.0.0.0 0.255.255.255 area 10.60.0.0

ip classless

ip route 192.168.0.0 255.255.0.0 192.168.0.1

no ip http server

no ip http secure-server

ip pim autorp listener

ip access-list extended IKE

 permit udp any any eq isakmp

ip access-list extended b000

 permit gre host 192.168.0.2 host 192.168.241.1

snmp-server community private RW

snmp-server community public RO

snmp-server system-shutdown

snmp-server enable traps tty

control-plane

line con 0

 exec-timeout 0 0

 password cisco

 logging synchronous

 login

line aux 0

line vty 0 4

 exec-timeout 0 0

 password cisco

 logging synchronous

 login

ntp source Loopback0

ntp server 10.57.3.255

End

	Point-to-Point GRE over IPsec Design Guide
	Scalability Test Bed Configuration Files
Point-to-Point GRE over IPsec Design Guide Preface Point-to-Point GRE over IPSec Design Overview Point-to-Point GRE over IPSec Design and Implementation Scalability Considerations Scalability Test Results (Unicast Only) Case Results Scalability Test Bed Configuration Files Legacy Platform Test Results References and Reading Acronyms	Download this chapter Scalability Test Bed Configuration Files Download the complete book p2pGRE.pdf (PDF - 2 MB) Table Of Contents Scalability Test Bed Configuration Files Cisco 7200VXR Headend Configuration Cisco Catalyst 6500/Sup2/VPNSM Headend Configuration Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on Sup720) Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on VPN SPA) Cisco 7200VXR/7600 Dual Tier Headend Architecture Configurations Cisco 7600/Sup720/VPN SPA Headend Configuration ISR Branch Configuration Scalability Test Bed Configuration Files The configurations for the central and branch sites are listed in the following sections. Note that these configurations have been extracted from real configurations used in Cisco scalability testing. They are provided as a reference only. Cisco 7200VXR Headend Configuration There are two headend devices in the test bed, each terminating a p2p GRE over IPsec tunnel from all branch routers. The configuration shown below is an excerpt of the first headend and does not contain configuration commands for all branches. The ISAKMP PSK, the crypto peer, the tunnel interface, and the crypto access list are shown for one device. Headend #1: ip cef ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 192.168.0.2 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac ! crypto map static-map local-address GigabitEthernet0/1 crypto map static-map 100 ipsec-isakmp set peer 192.168.0.2 set transform-set vpn-test match address b000 ! interface Loopback0 description Loopback0 ip address 10.57.1.255 255.255.255.255 ! interface Tunnel0 description vpn5-2600-1-000 bandwidth 1536 ip address 10.60.0.193 255.255.255.252 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 tunnel source 192.168.251.1 tunnel destination 192.168.0.2 crypto map static-map ! interface GigabitEthernet0/1 description GigabitEthernet0/1 ip address 192.168.251.1 255.255.255.248 duplex auto speed auto media-type gbic negotiation auto crypto map static-map ! interface GigabitEthernet0/2 description GigabitEthernet0/2 ip address 10.57.1.1 255.255.255.248 duplex auto speed auto media-type gbic negotiation auto ! router eigrp 1 network 10.0.0.0 no auto-summary ! ip route 0.0.0.0 0.0.0.0 192.168.251.2 ! ip access-list extended b000 permit gre host 192.168.251.1 host 192.168.0.2 ! Cisco Catalyst 6500/Sup2/VPNSM Headend Configuration Headend #1: hostname vpn4-6500-2 ! logging snmp-authfail logging buffered 65535 debugging enable password cisco ! clock timezone EST -5 clock summer-time EDT recurring clock calendar-valid ip subnet-zero ! no ip domain-lookup ! mpls ldp logging neighbor-changes mls flow ip destination mls flow ipx destination ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 192.168.0.2 crypto isakmp key bigsecret address 192.168.1.2 crypto isakmp key bigsecret address 192.168.2.2 ! !. . . repetitive lines omitted . . . ! crypto isakmp key bigsecret address 192.168.60.26 crypto isakmp key bigsecret address 192.168.61.26 crypto isakmp key bigsecret address 192.168.62.26 crypto isakmp keepalive 10 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac ! crypto map static-map local-address Vlan100 crypto map static-map 100 ipsec-isakmp set peer 192.168.0.2 set transform-set vpn-test match address b0000 crypto map static-map 101 ipsec-isakmp set peer 192.168.1.2 set transform-set vpn-test match address b0001 crypto map static-map 102 ipsec-isakmp set peer 192.168.2.2 set transform-set vpn-test match address b0002 ! !. . . repetitive lines omitted . . . ! crypto map static-map 1120 ipsec-isakmp set peer 192.168.60.26 set transform-set vpn-test match address b1020 crypto map static-map 1121 ipsec-isakmp set peer 192.168.61.26 set transform-set vpn-test match address b1021 crypto map static-map 1122 ipsec-isakmp set peer 192.168.62.26 set transform-set vpn-test match address b1022 ! no spanning-tree vlan 100 ! redundancy mode rpr-plus main-cpu auto-sync running-config auto-sync standard ! interface Loopback0 description Loopback0 ip address 10.57.255.251 255.255.255.255 ! interface Tunnel0 description vpn5-2600-1-0000 bandwidth 1000000 ip address 10.60.0.193 255.255.255.252 ip hold-time eigrp 1 35 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 load-interval 30 tunnel source 192.168.251.1 tunnel destination 192.168.0.2 ! interface Tunnel1 description vpn5-2600-2-0001 bandwidth 1000000 ip address 10.60.1.193 255.255.255.252 ip hold-time eigrp 1 35 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 load-interval 30 tunnel source 192.168.251.1 tunnel destination 192.168.1.2 ! interface Tunnel2 description vpn5-2600-3-0002 bandwidth 1000000 ip address 10.60.2.193 255.255.255.252 ip hold-time eigrp 1 35 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 load-interval 30 tunnel source 192.168.251.1 tunnel destination 192.168.2.2 ! !. . . repetitive lines omitted . . . ! interface Tunnel1020 description ci26-2600-11-1020 bandwidth 1000000 ip address 10.67.64.193 255.255.255.252 ip hold-time eigrp 1 35 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 load-interval 30 tunnel source 192.168.251.1 tunnel destination 192.168.60.26 ! interface Tunnel1021 description ci26-2600-12-1021 bandwidth 1000000 ip address 10.67.65.193 255.255.255.252 ip hold-time eigrp 1 35 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 load-interval 30 tunnel source 192.168.251.1 tunnel destination 192.168.61.26 ! interface Tunnel1022 description ci26-2600-13-1022 bandwidth 1000000 ip address 10.67.66.193 255.255.255.252 ip hold-time eigrp 1 35 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5 load-interval 30 tunnel source 192.168.251.1 tunnel destination 192.168.62.26 ! interface GigabitEthernet2/1 description GigabitEthernet2/1 Outside Interface no ip address load-interval 30 crypto connect vlan 100 ! interface GigabitEthernet4/1 description GigabitEthernet4/1 no ip address load-interval 30 flowcontrol receive on flowcontrol send off switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,100,1002-1005 switchport mode trunk cdp enable ! interface GigabitEthernet4/2 description GigabitEthernet4/2 no ip address load-interval 30 flowcontrol receive on flowcontrol send off switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,1002-1005 switchport mode trunk cdp enable spanning-tree portfast trunk ! interface GigabitEthernet5/1 description GigabitEthernet5/1 Inside Interface ip address 10.57.1.1 255.255.255.0 load-interval 30 ! interface Vlan100 description Vlan100 ip address 192.168.251.1 255.255.255.0 load-interval 30 no mop enabled crypto map static-map ! router eigrp 1 network 10.0.0.0 no auto-summary ! ip classless ip route 192.168.0.0 255.255.0.0 192.168.251.2 no ip http server no ip http secure-server ! ip access-list extended b0000 permit gre host 192.168.251.1 host 192.168.0.2 ip access-list extended b0001 permit gre host 192.168.251.1 host 192.168.1.2 ip access-list extended b0002 permit gre host 192.168.251.1 host 192.168.2.2 ip access-list extended b0003 permit gre host 192.168.251.1 host 192.168.3.2 ! !. . . reptitive lines omitted . . . ! ip access-list extended b1020 permit gre host 192.168.251.1 host 192.168.60.26 ip access-list extended b1021 permit gre host 192.168.251.1 host 192.168.61.26 ip access-list extended b1022 permit gre host 192.168.251.1 host 192.168.62.26 ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown snmp-server enable traps tty ! alias exec macedon remote command switch test lcp 4 lcp 1 ! line con 0 exec-timeout 0 0 password cisco login line vty 0 4 exec-timeout 0 0 password cisco login transport input lat pad mop telnet rlogin udptn nasi ssh line vty 5 15 exec-timeout 0 0 password cisco login ! ntp clock-period 17179687 ntp server 10.57.1.2 end Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on Sup720) In this configuration, the Cisco 7600 platform is aggregating the p2p GRE over IPsec tunnels, with crypto tunnels aggregated to the VPN SPA and p2p GRE being handled by the Sup720. Headend #1: hostname vpn6-7600-1 ! ip multicast-routing no ip domain-lookup ipv6 mfib hardware-switching replication-mode ingress mls ip multicast flow-stat-timer 9 no mls flow ip no mls flow ipv6 no mls acl tcam share-global mls cef error action freeze no scripting tcl init no scripting tcl encdir ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac ! crypto dynamic-map dmap 10 set transform-set vpn-test ! crypto map dynamic-map 10 ipsec-isakmp dynamic dmap ! redundancy mode sso main-cpu auto-sync running-config spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! power redundancy-mode combined no diagnostic cns publish no diagnostic cns subscribe ! vlan internal allocation policy ascending vlan access-log ratelimit 2000 ! ! interface Loopback0 description Loopback0 ip address 192.168.246.1 255.255.255.255 load-interval 30 ! interface Loopback1 description Loopback1 ip address 192.168.246.2 255.255.255.255 load-interval 30 ! interface Loopback2 description Loopback2 ip address 192.168.246.3 255.255.255.255 load-interval 30 ! !. . . repetitive lines omitted . . . ! interface Loopback999 description Loopback999 ip address 192.168.249.250 255.255.255.255 load-interval 30 ! interface Loopback1000 description Loopback1000 ip address 10.57.255.251 255.255.255.255 load-interval 30 ! interface Tunnel0 description vpn5-2800-1-0000 bandwidth 1000000 ip address 10.60.0.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.246.1 tunnel destination 192.168.0.2 ! interface Tunnel1 description vpn5-2800-2-0001 bandwidth 1000000 ip address 10.60.1.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.246.2 tunnel destination 192.168.1.2 ! interface Tunnel2 description vpn5-2800-3-0002 bandwidth 1000000 ip address 10.60.2.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.246.3 tunnel destination 192.168.2.2 ! !. . . repetitive lines omitted . . . ! interface Tunnel998 description ci25-2600-19-0998 bandwidth 1000000 ip address 10.67.18.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.249.249 tunnel destination 192.168.38.26 ! interface Tunnel999 description ci25-2600-20-0999 bandwidth 1000000 ip address 10.67.19.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.249.250 tunnel destination 192.168.39.26 ! interface GigabitEthernet3/1 description GigabitEthernet3/1 Outside Interface no ip address load-interval 30 crypto connect vlan 100 ! interface GigabitEthernet4/0/1 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,100,1002-1005 switchport mode trunk mtu 9216 no ip address flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet4/0/2 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,1002-1005 switchport mode trunk mtu 9216 no ip address flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet5/1 description GigabitEthernet5/1 Inside Interface ip address 10.57.1.1 255.255.255.0 no ip redirects ip pim sparse-mode load-interval 30 ! interface Vlan100 description Vlan100 ip address 192.168.241.1 255.255.255.0 load-interval 30 no mop enabled crypto map dynamic-map crypto engine subslot 4/0 ! router ospf 1 router-id 10.57.255.251 log-adjacency-changes area 10.60.0.0 range 10.60.0.0 255.255.192.0 area 10.60.64.0 range 10.60.64.0 255.255.192.0 area 10.60.128.0 range 10.60.128.0 255.255.192.0 area 10.60.192.0 range 10.60.192.0 255.255.192.0 area 10.61.0.0 range 10.61.0.0 255.255.192.0 area 10.61.64.0 range 10.61.64.0 255.255.192.0 area 10.61.128.0 range 10.61.128.0 255.255.192.0 area 10.61.192.0 range 10.61.192.0 255.255.192.0 area 10.62.0.0 range 10.62.0.0 255.255.192.0 area 10.62.64.0 range 10.62.64.0 255.255.192.0 area 10.62.128.0 range 10.62.128.0 255.255.192.0 area 10.62.192.0 range 10.62.192.0 255.255.192.0 area 10.63.0.0 range 10.63.0.0 255.255.0.0 area 10.64.0.0 range 10.64.0.0 255.255.192.0 area 10.64.64.0 range 10.64.64.0 255.255.192.0 area 10.64.128.0 range 10.64.128.0 255.255.192.0 area 10.64.192.0 range 10.64.192.0 255.255.192.0 area 10.65.0.0 range 10.65.0.0 255.255.192.0 area 10.65.64.0 range 10.65.64.0 255.255.192.0 area 10.65.128.0 range 10.65.128.0 255.255.192.0 area 10.65.192.0 range 10.65.192.0 255.255.192.0 area 10.66.0.0 range 10.66.0.0 255.255.192.0 area 10.66.64.0 range 10.66.64.0 255.255.192.0 area 10.66.128.0 range 10.66.128.0 255.255.192.0 area 10.66.192.0 range 10.66.192.0 255.255.192.0 area 10.67.0.0 range 10.67.0.0 255.255.192.0 network 10.57.0.0 0.0.255.255 area 0.0.0.0 network 10.60.0.0 0.0.63.255 area 10.60.0.0 network 10.60.64.0 0.0.63.255 area 10.60.64.0 network 10.60.128.0 0.0.63.255 area 10.60.128.0 network 10.60.192.0 0.0.63.255 area 10.60.192.0 network 10.61.0.0 0.0.63.255 area 10.61.0.0 network 10.61.64.0 0.0.63.255 area 10.61.64.0 network 10.61.128.0 0.0.63.255 area 10.61.128.0 network 10.61.192.0 0.0.63.255 area 10.61.192.0 network 10.62.0.0 0.0.63.255 area 10.62.0.0 network 10.62.64.0 0.0.63.255 area 10.62.64.0 network 10.62.128.0 0.0.63.255 area 10.62.128.0 network 10.62.192.0 0.0.63.255 area 10.62.192.0 network 10.63.0.0 0.0.255.255 area 10.63.0.0 network 10.64.0.0 0.0.63.255 area 10.64.0.0 network 10.64.64.0 0.0.63.255 area 10.64.64.0 network 10.64.128.0 0.0.63.255 area 10.64.128.0 network 10.64.192.0 0.0.63.255 area 10.64.192.0 network 10.65.0.0 0.0.63.255 area 10.65.0.0 network 10.65.64.0 0.0.63.255 area 10.65.64.0 network 10.65.128.0 0.0.63.255 area 10.65.128.0 network 10.65.192.0 0.0.63.255 area 10.65.192.0 network 10.66.0.0 0.0.63.255 area 10.66.0.0 network 10.66.64.0 0.0.63.255 area 10.66.64.0 network 10.66.128.0 0.0.63.255 area 10.66.128.0 network 10.66.192.0 0.0.63.255 area 10.66.192.0 network 10.67.0.0 0.0.63.255 area 10.67.0.0 ! ip classless ip route 192.168.0.0 255.255.0.0 192.168.241.2 ! no ip http server ip pim autorp listener ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown ! control-plane ! dial-peer cor custom ! line con 0 exec-timeout 0 0 password cisco login line vty 0 4 exec-timeout 0 0 password cisco login ! ntp server 10.57.1.2 no cns aaa enable end Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on VPN SPA) In this configuration, the Cisco 7600 platform is aggregating the p2p GRE over IPsec tunnels, with both p2p GRE and crypto tunnels aggregated to the VPN SPA. Headend #1: hostname vpn6-7600-1 ! ip multicast-routing no ip domain-lookup ipv6 mfib hardware-switching replication-mode ingress mls ip multicast flow-stat-timer 9 no mls flow ip no mls flow ipv6 no mls acl tcam share-global mls cef error action freeze no scripting tcl init no scripting tcl encdir ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac ! crypto dynamic-map dmap 10 set transform-set vpn-test ! crypto map dynamic-map local-address Vlan100 crypto map dynamic-map 10 ipsec-isakmp dynamic dmap ! redundancy mode sso main-cpu auto-sync running-config spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! power redundancy-mode combined no diagnostic cns publish no diagnostic cns subscribe ! vlan internal allocation policy ascending vlan access-log ratelimit 2000 ! ! interface Loopback0 description Loopback0 ip address 10.57.255.251 255.255.255.255 ! interface Tunnel0 description vpn5-2800-1-0000 bandwidth 1000000 ip address 10.60.0.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.0.2 ! interface Tunnel1 description vpn5-2800-2-0001 bandwidth 1000000 ip address 10.60.1.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.1.2 ! interface Tunnel2 description vpn5-2800-3-0002 bandwidth 1000000 ip address 10.60.2.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.2.2 ! !. . . repetitive lines omitted . . . ! interface Tunnel998 description ci25-2600-19-0998 bandwidth 1000000 ip address 10.67.18.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.38.26 ! interface Tunnel999 description ci25-2600-20-0999 bandwidth 1000000 ip address 10.67.19.193 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.39.26 ! interface GigabitEthernet3/1 description GigabitEthernet3/1 Outside Interface no ip address load-interval 30 crypto connect vlan 100 ! interface GigabitEthernet4/0/1 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,100,1002-1005 switchport mode trunk mtu 9216 no ip address flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet4/0/2 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,1002-1005 switchport mode trunk mtu 9216 no ip address flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet5/1 description GigabitEthernet5/1 Inside Interface ip address 10.57.1.1 255.255.255.0 no ip redirects ip pim sparse-mode load-interval 30 ! interface Vlan100 description Vlan100 ip address 192.168.241.1 255.255.255.0 load-interval 30 no mop enabled crypto map dynamic-map crypto engine subslot 4/0 ! router ospf 1 router-id 10.57.255.251 log-adjacency-changes area 10.60.0.0 range 10.60.0.0 255.255.192.0 area 10.60.64.0 range 10.60.64.0 255.255.192.0 area 10.60.128.0 range 10.60.128.0 255.255.192.0 area 10.60.192.0 range 10.60.192.0 255.255.192.0 area 10.61.0.0 range 10.61.0.0 255.255.192.0 area 10.61.64.0 range 10.61.64.0 255.255.192.0 area 10.61.128.0 range 10.61.128.0 255.255.192.0 area 10.61.192.0 range 10.61.192.0 255.255.192.0 area 10.62.0.0 range 10.62.0.0 255.255.192.0 area 10.62.64.0 range 10.62.64.0 255.255.192.0 area 10.62.128.0 range 10.62.128.0 255.255.192.0 area 10.62.192.0 range 10.62.192.0 255.255.192.0 area 10.63.0.0 range 10.63.0.0 255.255.0.0 area 10.64.0.0 range 10.64.0.0 255.255.192.0 area 10.64.64.0 range 10.64.64.0 255.255.192.0 area 10.64.128.0 range 10.64.128.0 255.255.192.0 area 10.64.192.0 range 10.64.192.0 255.255.192.0 area 10.65.0.0 range 10.65.0.0 255.255.192.0 area 10.65.64.0 range 10.65.64.0 255.255.192.0 area 10.65.128.0 range 10.65.128.0 255.255.192.0 area 10.65.192.0 range 10.65.192.0 255.255.192.0 area 10.66.0.0 range 10.66.0.0 255.255.192.0 area 10.66.64.0 range 10.66.64.0 255.255.192.0 area 10.66.128.0 range 10.66.128.0 255.255.192.0 area 10.66.192.0 range 10.66.192.0 255.255.192.0 area 10.67.0.0 range 10.67.0.0 255.255.192.0 network 10.57.0.0 0.0.255.255 area 0.0.0.0 network 10.60.0.0 0.0.63.255 area 10.60.0.0 network 10.60.64.0 0.0.63.255 area 10.60.64.0 network 10.60.128.0 0.0.63.255 area 10.60.128.0 network 10.60.192.0 0.0.63.255 area 10.60.192.0 network 10.61.0.0 0.0.63.255 area 10.61.0.0 network 10.61.64.0 0.0.63.255 area 10.61.64.0 network 10.61.128.0 0.0.63.255 area 10.61.128.0 network 10.61.192.0 0.0.63.255 area 10.61.192.0 network 10.62.0.0 0.0.63.255 area 10.62.0.0 network 10.62.64.0 0.0.63.255 area 10.62.64.0 network 10.62.128.0 0.0.63.255 area 10.62.128.0 network 10.62.192.0 0.0.63.255 area 10.62.192.0 network 10.63.0.0 0.0.255.255 area 10.63.0.0 network 10.64.0.0 0.0.63.255 area 10.64.0.0 network 10.64.64.0 0.0.63.255 area 10.64.64.0 network 10.64.128.0 0.0.63.255 area 10.64.128.0 network 10.64.192.0 0.0.63.255 area 10.64.192.0 network 10.65.0.0 0.0.63.255 area 10.65.0.0 network 10.65.64.0 0.0.63.255 area 10.65.64.0 network 10.65.128.0 0.0.63.255 area 10.65.128.0 network 10.65.192.0 0.0.63.255 area 10.65.192.0 network 10.66.0.0 0.0.63.255 area 10.66.0.0 network 10.66.64.0 0.0.63.255 area 10.66.64.0 network 10.66.128.0 0.0.63.255 area 10.66.128.0 network 10.66.192.0 0.0.63.255 area 10.66.192.0 network 10.67.0.0 0.0.63.255 area 10.67.0.0 ! ip classless ip route 192.168.0.0 255.255.0.0 192.168.241.2 ! no ip http server ip pim autorp listener ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown ! control-plane ! dial-peer cor custom ! line con 0 exec-timeout 0 0 password cisco login line vty 0 4 exec-timeout 0 0 password cisco login ! ntp server 10.57.1.2 no cns aaa enable end Cisco 7200VXR/7600 Dual Tier Headend Architecture Configurations This configuration is for the Cisco 7200VXR terminating p2p GRE and the Cisco 7600 with Sup720 and VPN SPA providing high-capacity encryption. hostname vpn2-7200-1 ! boot-start-marker boot-end-marker ! logging buffered 65535 debugging enable password cisco ! clock timezone EST -5 clock summer-time EDT recurring clock calendar-valid no aaa new-model ip subnet-zero ! ip cef no ip domain lookup ! ip ips po max-events 100 no ftp-server write-enable ! interface Tunnel0 description vpn5-2800-1-0000 bandwidth 1000000 ip address 10.60.0.193 255.255.255.252 load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.0.2 ! interface Tunnel1 description vpn5-2800-2-0001 bandwidth 1000000 ip address 10.60.1.193 255.255.255.252 load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.1.2 ! interface Tunnel2 description vpn5-2800-3-0002 bandwidth 1000000 ip address 10.60.2.193 255.255.255.252 load-interval 30 tunnel source 192.168.241.1 tunnel destination 192.168.2.2 ! !. . . repetitive lines omitted . . . ! interface Tunnel998 description ci25-2600-19-0998 bandwidth 1000000 ip address 10.67.18.193 255.255.255.252 load-interval 30 tunnel source 192.168.245.1 tunnel destination 192.168.38.26 ! interface Tunnel999 description ci25-2600-20-0999 bandwidth 1000000 ip address 10.67.19.193 255.255.255.252 load-interval 30 tunnel source 192.168.245.1 tunnel destination 192.168.39.26 ! interface Loopback0 description Loopback0 ip address 10.57.255.251 255.255.255.255 ! interface GigabitEthernet0/1 description GigabitEthernet0/1 no ip address load-interval 30 duplex full speed 1000 media-type gbic negotiation auto ! interface GigabitEthernet0/1.241 description GigabitEthernet0/1.241 encapsulation dot1Q 241 ip address 192.168.241.1 255.255.255.0 ! interface GigabitEthernet0/1.242 description GigabitEthernet0/1.242 encapsulation dot1Q 242 ip address 192.168.242.1 255.255.255.0 ! interface GigabitEthernet0/1.243 description GigabitEthernet0/1.243 encapsulation dot1Q 243 ip address 192.168.243.1 255.255.255.0 ! interface GigabitEthernet0/1.244 description GigabitEthernet0/1.244 encapsulation dot1Q 244 ip address 192.168.244.1 255.255.255.0 ! interface GigabitEthernet0/1.245 description GigabitEthernet0/1.245 encapsulation dot1Q 245 ip address 192.168.245.1 255.255.255.0 ! interface GigabitEthernet0/2 description GigabitEthernet0/2 ip address 10.57.1.1 255.255.255.0 load-interval 30 duplex auto speed auto media-type gbic negotiation auto ! router ospf 1 router-id 10.57.255.251 log-adjacency-changes area 0.0.0.0 range 10.56.0.0 255.252.0.0 area 10.60.0.0 range 10.60.0.0 255.255.192.0 area 10.60.64.0 range 10.60.64.0 255.255.192.0 area 10.60.128.0 range 10.60.128.0 255.255.192.0 area 10.60.192.0 range 10.60.192.0 255.255.192.0 area 10.61.0.0 range 10.61.0.0 255.255.192.0 area 10.61.64.0 range 10.61.64.0 255.255.192.0 area 10.61.128.0 range 10.61.128.0 255.255.192.0 area 10.61.192.0 range 10.61.192.0 255.255.192.0 area 10.62.0.0 range 10.62.0.0 255.255.192.0 area 10.62.64.0 range 10.62.64.0 255.255.192.0 area 10.62.128.0 range 10.62.128.0 255.255.192.0 area 10.62.192.0 range 10.62.192.0 255.255.192.0 area 10.63.0.0 range 10.63.0.0 255.255.0.0 area 10.64.0.0 range 10.64.0.0 255.255.192.0 area 10.64.64.0 range 10.64.64.0 255.255.192.0 area 10.64.128.0 range 10.64.128.0 255.255.192.0 area 10.64.192.0 range 10.64.192.0 255.255.192.0 area 10.65.0.0 range 10.65.0.0 255.255.192.0 area 10.65.64.0 range 10.65.64.0 255.255.192.0 area 10.65.128.0 range 10.65.128.0 255.255.192.0 area 10.65.192.0 range 10.65.192.0 255.255.192.0 area 10.66.0.0 range 10.66.0.0 255.255.192.0 area 10.66.64.0 range 10.66.64.0 255.255.192.0 area 10.66.128.0 range 10.66.128.0 255.255.192.0 area 10.66.192.0 range 10.66.192.0 255.255.192.0 area 10.67.0.0 range 10.67.0.0 255.255.192.0 network 10.57.0.0 0.0.255.255 area 0.0.0.0 network 10.60.0.0 0.0.63.255 area 10.60.0.0 network 10.60.64.0 0.0.63.255 area 10.60.64.0 network 10.60.128.0 0.0.63.255 area 10.60.128.0 network 10.60.192.0 0.0.63.255 area 10.60.192.0 network 10.61.0.0 0.0.63.255 area 10.61.0.0 network 10.61.64.0 0.0.63.255 area 10.61.64.0 network 10.61.128.0 0.0.63.255 area 10.61.128.0 network 10.61.192.0 0.0.63.255 area 10.61.192.0 network 10.62.0.0 0.0.63.255 area 10.62.0.0 network 10.62.64.0 0.0.63.255 area 10.62.64.0 network 10.62.128.0 0.0.63.255 area 10.62.128.0 network 10.62.192.0 0.0.63.255 area 10.62.192.0 network 10.63.0.0 0.0.255.255 area 10.63.0.0 network 10.64.0.0 0.0.63.255 area 10.64.0.0 network 10.64.64.0 0.0.63.255 area 10.64.64.0 network 10.64.128.0 0.0.63.255 area 10.64.128.0 network 10.64.192.0 0.0.63.255 area 10.64.192.0 network 10.65.0.0 0.0.63.255 area 10.65.0.0 network 10.65.64.0 0.0.63.255 area 10.65.64.0 network 10.65.128.0 0.0.63.255 area 10.65.128.0 network 10.65.192.0 0.0.63.255 area 10.65.192.0 network 10.66.0.0 0.0.63.255 area 10.66.0.0 network 10.66.64.0 0.0.63.255 area 10.66.64.0 network 10.66.128.0 0.0.63.255 area 10.66.128.0 network 10.66.192.0 0.0.63.255 area 10.66.192.0 network 10.67.0.0 0.0.63.255 area 10.67.0.0 ! ip classless ip route 192.168.0.0 255.255.255.252 192.168.241.2 ip route 192.168.0.4 255.255.255.252 192.168.241.2 ip route 192.168.0.8 255.255.255.252 192.168.242.2 ! !. . . repetitive lines omitted . . . ! ip route 192.168.159.16 255.255.255.252 192.168.244.2 ip route 192.168.159.20 255.255.255.252 192.168.245.2 ! no ip http server no ip http secure-server ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown snmp-server enable traps tty ! control-plane ! gatekeeper shutdown ! line con 0 exec-timeout 0 0 password cisco login transport preferred all transport output all stopbits 1 line aux 0 transport preferred all transport output all stopbits 1 line vty 0 4 exec-timeout 0 0 password cisco login transport preferred all transport input all transport output all ! ntp server 10.57.1.2 ! End Cisco 7600/Sup720/VPN SPA Headend Configuration hostname vpn6-7600-1 ! no aaa new-model clock timezone EST -5 clock summer-time EDT recurring clock calendar-valid ip subnet-zero ! no ip domain-lookup ipv6 mfib hardware-switching replication-mode ingress mls ip multicast flow-stat-timer 9 no mls flow ip no mls flow ipv6 no mls acl tcam share-global mls cef error action freeze no scripting tcl init no scripting tcl encdir ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac ! crypto dynamic-map dmap 10 set transform-set vpn-test ! crypto map dynamic-map local-address Vlan100 crypto map dynamic-map 10 ipsec-isakmp dynamic dmap ! redundancy mode sso main-cpu auto-sync running-config spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! power redundancy-mode combined no diagnostic cns publish no diagnostic cns subscribe ! vlan internal allocation policy ascending vlan access-log ratelimit 2000 ! interface GigabitEthernet3/1 description GigabitEthernet3/1 Outside Interface no ip address load-interval 30 crypto connect vlan 100 ! interface GigabitEthernet4/0/1 description GigabitEthernet4/0/1 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,100,1002-1005 switchport mode trunk mtu 9216 no ip address load-interval 30 flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet4/0/2 description GigabitEthernet4/0/2 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,1002-1005 switchport mode trunk mtu 9216 no ip address load-interval 30 flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet5/1 description GigabitEthernet5/1 to vpn2-7200-1 GE0/1 ip address 192.168.181.2 255.255.255.0 secondary ip address 192.168.161.2 255.255.255.0 no ip redirects load-interval 30 ! interface GigabitEthernet5/2 description GigabitEthernet5/2 to vpn2-7200-2 GE0/1 ip address 192.168.191.2 255.255.255.0 secondary ip address 192.168.171.2 255.255.255.0 no ip redirects load-interval 30 ! interface Vlan100 description Vlan100 ip address 192.168.241.1 255.255.255.0 load-interval 30 no mop enabled crypto map dynamic-map crypto engine subslot 4/0 ! ip classless ip route 192.168.0.0 255.255.0.0 192.168.241.2 ! no ip http server ! snmp-server community public RO snmp-server community private RW snmp-server system-shutdown ! control-plane ! dial-peer cor custom ! line con 0 exec-timeout 0 0 password cisco login line vty 0 4 exec-timeout 0 0 password cisco login ! ntp server 10.57.1.2 no cns aaa enable end ISR Branch Configuration The following shows relevant configurations for one branch router. For resiliency, two tunnels are configured (primary and secondary), one to each headend. The EIGRP delay metric is used to make Tunnel0 the preferred path. This configuration shows QoS for VoIP flows (shaping and queuing) applied to the physical (outside) interface, the recommended use of summary routes, and an EIGRP stub configuration. Branch #1: hostname vpn5-2800-1-0000 ! boot-start-marker boot-end-marker ! logging buffered 32768 debugging enable password cisco ! clock timezone EST -5 clock summer-time EDT recurring no network-clock-participate aim 0 no network-clock-participate aim 1 no aaa new-model ip subnet-zero ! ip cef ! ip ips po max-events 100 no ip domain lookup ip multicast-routing no ftp-server write-enable ! class-map match-all VOICE match ip dscp ef class-map match-any CALL-SETUP match ip dscp af31 match ip dscp cs3 class-map match-any INTERNETWORK-CONTROL match ip dscp cs6 match access-group name IKE class-map match-all TRANSACTIONAL-DATA match ip dscp af21 ! policy-map 512kb class CALL-SETUP bandwidth percent 2 class INTERNETWORK-CONTROL bandwidth percent 5 class TRANSACTIONAL-DATA bandwidth percent 22 queue-limit 16 class VOICE priority 168 class class-default fair-queue queue-limit 6 policy-map 512kb-shaper class class-default shape average 486400 4864 0 service-policy 512kb ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key bigsecret address 192.168.241.1 crypto isakmp keepalive 10 ! ! crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac ! crypto map static-map local-address Serial0/0/0 crypto map static-map 10 ipsec-isakmp set peer 192.168.241.1 set transform-set vpn-test match address b000 ! interface Tunnel0 description Tunnel0 bandwidth 512 ip address 10.60.0.194 255.255.255.252 ip pim sparse-mode load-interval 30 tunnel source 192.168.0.2 tunnel destination 192.168.241.1 ! interface Loopback0 description Loopback0 ip address 10.60.0.254 255.255.255.255 ip pim sparse-mode ! interface FastEthernet0/1 description FastEthernet0/1 ip address 10.60.0.129 255.255.255.192 secondary ip address 10.60.0.1 255.255.255.128 load-interval 30 duplex full speed 100 ! interface Serial0/0/0 description Serial0/0/0 bandwidth 512 ip address 192.168.0.2 255.255.255.252 service-policy output 512kb-shaper load-interval 30 tx-ring-limit 1 tx-queue-limit 1 crypto map static-map ! router ospf 1 router-id 10.60.0.254 log-adjacency-changes passive-interface FastEthernet0/1 network 10.0.0.0 0.255.255.255 area 10.60.0.0 ! ip classless ip route 192.168.0.0 255.255.0.0 192.168.0.1 no ip http server no ip http secure-server ip pim autorp listener ! ip access-list extended IKE permit udp any any eq isakmp ip access-list extended b000 permit gre host 192.168.0.2 host 192.168.241.1 ! snmp-server community private RW snmp-server community public RO snmp-server system-shutdown snmp-server enable traps tty ! control-plane ! line con 0 exec-timeout 0 0 password cisco logging synchronous login line aux 0 line vty 0 4 exec-timeout 0 0 password cisco logging synchronous login ! ntp source Loopback0 ntp server 10.57.3.255 ! End
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks

Table Of Contents

Scalability Test Bed Configuration Files

Cisco 7200VXR Headend Configuration

Cisco Catalyst 6500/Sup2/VPNSM Headend Configuration

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on Sup720)

Cisco 7600/Sup720/VPN SPA Headend Configuration (p2p GRE on VPN SPA)

Cisco 7200VXR/7600 Dual Tier Headend Architecture Configurations

Cisco 7600/Sup720/VPN SPA Headend Configuration

ISR Branch Configuration