WAN Configuration Guide

Revision: H1CY11
Who Should Read
This Guide
This document is for the reader who: Related Documents
• Has already read the Cisco Smart Business Architecture (SBA) for
Enterprise Organizations—Borderless Networks WAN Deployment Before reading this guide
Guide
• Has in total 2000–10,000 connected employees Design Overview
• Has up to 500 remote sites
• Uses MPLS Layer 3 VPN as a WAN transport
WAN Deployment Guide
• Uses the Internet as a secure WAN transport
• Requires a resilient WAN
• Requires an application optimization solution to improve WAN
performance
• Has IT workers with a CCNA® certification or equivalent experience
• Wants to deploy their network infrastructure efficiently
• Wants the assurance of a tested solution
• Requires a migration path for growth

Design Guides Deployment Guides

Design Overview

Foundation WAN Supplemental Guides

Configuration You are Here

Files

Who Should Read This Guide

Table of Contents

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Branch 202: Single-Router, Dual-Link (MPLS-B + DMVPN). . . . . . . . . 48

br202-2911. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Enterprise Organizations WAN Deployment Product List. . . . . . . . . . . . . . . . . . 4
br202-wave574. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
WAN Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Branch 203: Dual-Router, Dual-Link with Access Layer Only
WAN-Aggregation Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 (MPLS-A + DMVPN). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
BNWan3750. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 br203-2921-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
ce-asr1004-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 br203-2921-2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
ce-asr1004-2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 br203-wae-sre-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
vpn-asr1002-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 br203-wae-sre-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
wae7341-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Branch 204: Single-Router, Single-Link (MPLS). . . . . . . . . . . . . . . . . . . . 63
wae7431-2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 br204-1941. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
waas-wcm-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Branch 206: Dual-Router, Dual-Link (MPLS). . . . . . . . . . . . . . . . . . . . . . . . 66
WAN Remote-Site Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 br206-3925-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Branch 200: Dual-Router, Dual-Link with Distribution Layer br206-3925-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
(MPLS-A + DMVPN). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 br206-wae-sre-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
br200-3945-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Branch 207: Single-Router, Dual-Link (MPLS). . . . . . . . . . . . . . . . . . . . . . 74
br200-3945-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 br207-2921. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
br200-3750stack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 br207-wave574 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
br200-wae674-1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
br200-wae674-2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Branch 201: Single-Router, Dual-Link (MPLS-A + DMVPN). . . . . . . . . 43 Appendix A: SBA for Enterprise Organizations Document System . . . . . . . 80
br201-2911 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
br201-wae-sre. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITA-
TION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL
OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY
DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes
only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Unified Communications SRND (Based on Cisco Unified Communications Manager 7.x)
© 2010 Cisco Systems, Inc. All rights reserved.

Table of Contents
Introduction
Figure 1. Smart Business Architecture Model
For Cisco partners and customers with 2000–10,000 connected users, we
have created an “out-of-the-box” deployment that is simple, fast, affordable,
scalable, and flexible. We have designed it to be easy—easy to configure,
deploy, and manage.
User Voice,
The simplicity of this deployment, though, belies the depth and breadth of Services Video,
the architecture. Based on feedback from many customers and partners, Web Meetings
Cisco has developed a solid network foundation with a flexible platform
that does not require re-engineering to support additional Network or Security,
Network
User services. WAN Optimization,
Services
Guest Access
Cisco SBA for Enterprise Organizations—Borderless Networks (BN) is docu-
mented in a single design Guide, and deployment guides and configuration
guides for each of the three sections: LAN, WAN, and Internet Edge. Network Routing, Switching,
Foundation Wireless, and Internet
Cisco SBA for Enterprise Organizations—BN is a prescriptive reference
design that provides step-by-step instructions for the deployment of the
products in the design. It is based on enterprise best practice principles. This deployment guide has been architected to make your life a little bit—
Based on feedback from customers and partners, Cisco has developed a maybe even a lot—smoother. This architecture:
solid network foundation as a flexible platform that does not require reengi-
neering to include additional network or user services. • Provides a solid foundation
• Makes deployment fast and easy
• Accelerates ability to easily deploy additional services
Tech Ti p • Avoids the need for re-engineering of the core network

Some of the base concepts referenced in this guide are covered in

the SBA for Enterprise Organizations—BN design and deployment
guides; these documents should be reviewed first.

Introduction 1
Using the Deployment Guides
To reflect our ease-of-use principle, Cisco SBA for Enterprise Organizations—
Borderless Networks architecture has been divided into three sections: LAN,
WAN, and Internet Edge. Each section has its own deployment guide and
configuration guide. Each guide is organized into modules. You can start at
the beginning or jump to any module. Each part of the guide is designed to
stand alone, so you can deploy the Cisco technology for that section without
having to follow the previous module.
Each deployment guide starts with a Business Problem and Architecture
Overview. It covers the basics of the deployment guide, the value for you
and your customer, and the broad stroke features and benefits of this com-
pelling design. Each then has different modules depending on the network
components being covered.
The WAN Deployment Guide has the following sections:
• Deploying an MPLS WAN
• Deploying a DMVPN WAN
• Deploying a WAN Remote-Site Distribution Layer
• Deploying WAN Quality of Service
• Deploying WAN Optimization with WAAS

Using the WAN Configuration Guide

This document provides the available configuration files for the products
used in the Cisco SBA for Enterprise Organizations—Borderless Networks
WAN Deployment Guide. It is a companion document to the deployment
guide as a reference for engineers who are evaluating or deploying the
Smart Business Architecture.
Both the WAN Deployment Guide and the WAN Configuration Guide provide
the complete list of products used in the lab testing of this design.

Graphical Interface Management

There are products in this design where we have omitted the configuration
file. Those products have browser-based graphical configuration tools. Please
refer to the companion Cisco SBA for Enterprise Organizations—Borderless
Networks WAN Deployment Guide at http://www.cisco.com/go/sba for
step-by-step instructions on configuring those products.

Introduction 2
Cisco SBA for Enterprise Organizations— Borderless Networks
Internet Data
Internet
Campus
Edge Center
Edge
Internet
Internet Edge Routers
Remote
Email Security
I WAN
Access VPN
Appliance
Hardware and Software Aggregation
VPN Guest
Teleworker / WLAN
Mobile Worker

WAN Application Firewall Internet

Wireless Acceleration VPN
Servers
Access Point
Wireless W ww Web Security
W ww
Client LAN Controller Appliance
Access
Switch

Branch Router with

Application Acceleration
Core
Remote Switches

Collapsed Local Area

Distribution/Core Network
Switches
Distribution
I Switches

Wireless Regional
LAN Controller Router

Application Client
Acceleration Access
Switches

Regional
Office Building 1 Building 2 Building 3 Building 4

Introduction 3
Enterprise Organizations WAN Deployment Product List

Functional Area Product Part Numbers Software Version

WAN 500 Design
WAN Aggregation: ASR1002 Router ASR1002 IOS-XE 15.1(1)S
MPLS CE Router
SASR1R1-AISK9-26SR asr1000rp1-advipservicesk9.03.02.00.S.151-1.S.bin
ASR1002-PWR-AC
ASR1000-ESP5
WAN Aggregation: ASR1002 Router ASR1002 IOS-XE 15.1(1)S
DMVPN Hub Router
SASR1R1-AISK9-26SR asr1000rp1-advipservicesk9.03.02.00.S.151-1.S.bin
FLASR1-IPSEC-RTU
ASR1002-PWR-AC
ASR1000-ESP5
WAN Aggregation: WAAS WAVE-574 WAAS Appliance WAVE-574-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
Central Manager
WAAS-ENT-APL oe574-4.3.1.6
WAN Aggregation: WAAS WAE-7371-K9 WAAS WAE-7371-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
Application Accelerator Appliance
SF-WAAS-4.2-SAS-K9 oe7371-4.3.1.6
WAAS-ENT-APL
WAN 100 Design
WAN Aggregation: ASR1001 Router ASR1001 IOS-XE 15.1(1)S
MPLS CE Router
SASR1001UK9-32S asr1000rp1-advipservicesk9.03.02.00.S.151-1.S.bin
SLASR1-AIS
ASR1001-PWR-AC

Enterprise Organizations WAN Deployment Product List 4

Functional Area Product Part Numbers Software Version
WAN Aggregation: ASR1001 Router ASR1001 IOS-XE 15.1(1)S
DMVPN Hub Router
SASR1001UK9-32S asr1000rp1-advipservicesk9.03.02.00.S.151-1.S.bin
SLASR1-AIS
FLSASR1-IPSEC
ASR1001-PWR-AC
WAN Aggregation: Cisco3945E CISCO3945E/K9 15.1(3)T
MPLS CE Router
SL-39-DATA-K9 c3900e-universalk9-mz.SPA.151-3.T.bin
C3900-SPE250/K9
PWR-3900-AC
WAN Aggregation: Cisco3945E CISCO3945E-SEC/K9 15.1(3)T
DMVPN Hub Router
SL-39-DATA-K9 c3900e-universalk9-mz.SPA.151-3.T.bin
C3900-SPE250/K9
PWR-3900-AC
WAN Aggregation: WAVE-574 WAAS Appliance WAVE-574-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
WAAS Central Manager
WAAS-ENT-APL oe574-4.3.1.6
WAN Aggregation: WAAS WAE-7341-K9 WAAS WAE-7341-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
Application Accelerator Appliance
SF-WAAS-4.2-SAS-K9 oe7371-4.3.1.6
WAAS-ENT-APL
WAN Remote Site Routers
MPLS CE Router Cisco1941 C1941-WAASX-SEC/K9 15.1(3)T
SL-29-DATA-K9 c1900-universalk9-mz.SPA.151-3.T.bin
FL-C1941-WAASX
MEM-1900-512U2.5GB
PWR-1941-AC

Enterprise Organizations WAN Deployment Product List 5

Functional Area Product Part Numbers Software Version
MPLS CE Router Cisco2911 CISCO2911-VSEC/K9 15.0(1)M4
DMVPN Spoke Router
SL-29-DATA-K9 c2900-universalk9-mz.SPA.150-1.M4.bin
PWR-2911-AC
MPLS CE Router Cisco2921 CISCO2921-VSEC/K9 15.0(1)M4
DMVPN Spoke Router SL-29-DATA-K9 c2900-universalk9-mz.SPA.150-1.M4.bin
PWR-2921-AC
MPLS CE Router Cisco3925 C3925-VSEC/K9 15.0(1)M4
DMVPN Spoke Router SL-39-DATA-K9 c3900-universalk9-mz.SPA.150-1.M4.bin
PWR-3900-AC
MPLS CE Router Cisco3945 C3945-VSEC/K9 15.0(1)M4
DMVPN Spoke Router SL-39-DATA-K9 c3900-universalk9-mz.SPA.150-1.M4.bin
PWR-3900-AC
WAN Remote Site WAAS
Application Accelerator NME-WAE-502 NME-WAE-502-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
Network Module for
SM-NM-ADPTR nme-wae-502-4.2.1.6
ISR-G2
WAAS-ENT-NM
Application Accelerator SM-SRE-700-K9 SM-SRE-700-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
Service Module for
WAAS-ENT-NM sm-wae-4.3.1.6
ISR-G2
Application Accelerator SM-SRE-900-K9 SM-SRE-900-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
Service Module for
WAAS-ENT-NM sm-wae-4.3.1.6
ISR-G2
Application Accelerator WAVE-574 WAVE-574-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
WAVE-574 Appliance
WAAS-ENT-APL oe574-4.3.1.6
Application Accelerator WAE-674 WAE-674-K9 4.3.1 (WAAS-UNIVERSAL-K9) Build b6
WAE-674 Appliance
WAAS-ENT-APL oe674-4.3.1.6
LAN Switching
Distribution Layer Catalyst 3750G WS-C3750G-12S-S 12.2(53)SE1
Stackable 12 Port SFP Catalyst 3750 12 SFP + IPS Image c3750e-universalk9-mz.122-53.SE1.bin
CAB-STACK-50CM

Enterprise Organizations WAN Deployment Product List 6

Functional Area Product Part Numbers Software Version
Distribution Layer Catalyst 4507RE WS-C4507R-E 12.2-53.SG1
Dual Supervisors Catalyst 4500 E-Series 7-Slot Chassis cat4500e-entservicesk9-mz.122-53.SG1.bin
Dual Power Supplies WS-X45-SUP6-E
Catalyst 4500 E-Series Sup 6-E, 2x10GE(X2)
with Twin Gig
WS-X4624-SFP-E
Catalyst 4500 E-Series 24-Port GE (SFP)
WS-X4606-X2-E
Catalyst 4500 E-Series 6-Port 10GbE (X2)
Distribution Layer Catalyst 6500 VSS WS-C6506-E 12.2(33) SXI3 with the IP Services Feature Set
Catalyst 6500 E-Series 6-Slot Chassis s72033-ipservicesk9_wan-mz.122-33.SXI3.bin
VS-S720-10G-3C
Catalyst 6500 VSS Supervisor 720 with 2
ports 10GbE
WS-X6724-SFP
Catalyst 6500 24-port GigE Mod (SFP)
WS-X6716-10G-3C
Catalyst 6500 16 port 10 Gigabit Ethernet w/
DFC3C (X2)

WAN Configuration Files 7

WAN Configuration Files
Table 1 provides a summary of the various distribution layer switch device
interconnections to other WAN-aggregation components.
Table 1. WAN500 Distribution Layer Switch Port Channel Information
Member Layer3/ Connected
Port-Channel Interfaces Layer2 Device
1 gig1/0/3 Layer 3 ce-asr1004-1
gig2/0/3
WAN-Aggregation Devices
2 gig1/0/8 Layer 3 ce-asr1004-2
gig2/0/8
3 gig1/0/29 Layer 3 vpn-asr1002-1
This section includes configuration files corresponding to the WAN500 gig2/0/29
design topology as referenced in Figure 2.
7 gig1/0/4 Layer 2 wae7341-1
gig2/0/4 (Vlan350)
8 gig1/0/2 Layer 2 wae7341-2
gig2/0/2 (Vlan350)

Figure 2. WAN-Aggregation Design—WAN500

WAN Configuration Files 8

dist-3750x-stack mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
version 12.2 mls qos srr-queue input buffers 67 33
no service pad mls qos srr-queue input cos-map queue 1 threshold 2 1
service timestamps debug datetime msec localtime mls qos srr-queue input cos-map queue 1 threshold 3 0
service timestamps log datetime msec mls qos srr-queue input cos-map queue 2 threshold 1 2
service password-encryption mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
! mls qos srr-queue input cos-map queue 2 threshold 3 3 5
hostname dist-3750x-stack mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
! mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
boot-start-marker mls qos srr-queue input dscp-map queue 1 threshold 3 32
boot-end-marker mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21
! 22 23
enable secret 5 $1$JUsk$2IK9G95A80nOFHBsOqLKm0 mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38
! 39 48
username admin privilege 15 password 7 070C705F4D06485744 mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54
! 55 56
! mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62
aaa new-model 63
! mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45
! 46 47
aaa authentication login default group tacacs+ local mls qos srr-queue output cos-map queue 1 threshold 3 5
aaa authorization console mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
aaa authorization exec default group tacacs+ local mls qos srr-queue output cos-map queue 3 threshold 3 2 4
! mls qos srr-queue output cos-map queue 4 threshold 2 1
! mls qos srr-queue output cos-map queue 4 threshold 3 0
! mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45
aaa session-id common 46 47
clock timezone PST -8 mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29
clock summer-time UTC recurring 30 31
switch 1 provision ws-c3750x-48p mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53
switch 2 provision ws-c3750x-48p 54 55
system mtu routing 1500 mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61
authentication mac-move permit 62 63
ip routing mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21
! 22 23
! mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37
no ip domain-lookup 38 39
ip domain-name cisco.local mls qos srr-queue output dscp-map queue 4 threshold 1 8
ip multicast-routing distributed mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14
vtp domain CiscoMilpitas 15
vtp mode off mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
udld aggressive mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
! mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos map policed-dscp 24 26 46 to 0 mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos map cos-dscp 0 8 16 24 32 46 48 56 mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos srr-queue input bandwidth 90 10 mls qos queue-set output 2 threshold 2 118 118 100 235

WAN Configuration Files 9

mls qos queue-set output 2 threshold 3 41 68 100 272 435AA021 4B4EFDC0 375F00D8 9900212C CCBEEC50 D514B2D8 39AC65FF
mls qos queue-set output 2 threshold 4 42 72 100 242 B9FF7BC5
mls qos queue-set output 1 buffers 10 10 26 54 89A11097 D5EFB811 8F7C0C5F BD7576EB ED578EB9 70D8F924 A056B9D6
mls qos queue-set output 2 buffers 16 6 17 61 6BAEB84A
mls qos 704D437D DE9C9426 48D9FDCB EC83
! quit
! !
crypto pki trustpoint TP-self-signed-3184549632 spanning-tree mode rapid-pvst
enrollment selfsigned spanning-tree extend system-id
subject-name cn=IOS-Self-Signed-Certificate-3184549632 spanning-tree vlan 200-204,300-301 priority 24576
revocation-check none !
rsakeypair TP-self-signed-3184549632 !
! !
! !
crypto pki certificate chain TP-self-signed-3184549632 vlan internal allocation policy ascending
certificate self-signed 01 !
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 vlan 116
04050030 name Wireless-Data
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D !
43657274 vlan 120
69666963 6174652D 33313834 35343936 3332301E 170D3933 30333031 name Wireless-Voice
30303032 !
34385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 vlan 136
03132649 name data
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 !
31383435 vlan 137
34393633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 name voice
81890281 !
8100B64F 13A9097F 48AE8FCE 6EAFCF5D 951F4962 47F4A773 D997CAEF vlan 146
F9CA27B1 name Wireless_Mgmt
A731E05C 4D5BC50F 6F2C575B 46C3AA4A E9B4B6A8 2EB766EB 2B7B2F58 !
041D3798 vlan 300,350
9CF0E9CF 0ECD4888 1DBD187B 0BB3DB9A 2F8542A5 A4C993DC 6A9B91E1 !
D966D3FD vlan 902
9EF53415 1694BE2A ED590789 94868AE2 D4DE13B2 F0DD3E95 3348B0E8 name management
29CE8E64 !
D8B30203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF ip ssh source-interface Loopback1
301D0603 ip ssh version 2
551D1104 16301482 12443337 3530582E 63697363 6F2E6C6F 63616C30 !
1F060355 !
1D230418 30168014 83FAEBD3 F7E32CCC E07C1479 9A98371F DFB1ACAB !
301D0603 interface Loopback0
551D0E04 16041483 FAEBD3F7 E32CCCE0 7C14799A 98371FDF B1ACAB30 ip address 10.4.32.240 255.255.255.255
0D06092A ip pim sparse-mode
864886F7 0D010104 05000381 8100374D 8ABFF8DA 3EAA2888 04FA842F !
57877EE0 interface Port-channel1
7A2519F5 414BA751 62EA97A2 5D12E974 22C6A0F3 0719882D 4137E8FE description bn-ce-asr1004-1
085DEDF0 no switchport

WAN Configuration Files 10

 ip address 10.4.32.1 255.255.255.252 interface GigabitEthernet1/0/4
ip pim sparse-mode switchport access vlan 350
! channel-group 8 mode on
interface Port-channel2 !
description bn-ce-asr1004-2 interface GigabitEthernet1/0/5
no switchport !
ip address 10.4.32.9 255.255.255.252 interface GigabitEthernet1/0/6
ip pim sparse-mode !
! interface GigabitEthernet1/0/7
interface Port-channel3 !
description bn-vpn-1 interface GigabitEthernet1/0/8
no switchport description Links to WAN Rtr for Port Chan 2
ip address 10.4.32.17 255.255.255.252 no switchport
ip pim sparse-mode no ip address
! channel-group 2 mode on
interface Port-channel4 !
description bn-vpn-2 interface GigabitEthernet1/0/9
no switchport !
ip address 10.4.32.25 255.255.255.252 interface GigabitEthernet1/0/10
ip pim sparse-mode !
! interface GigabitEthernet1/0/11
interface Port-channel7 !
description bn-wae7341-1 interface GigabitEthernet1/0/12
switchport access vlan 350 !
! interface GigabitEthernet1/0/13
interface Port-channel8 !
description bn-wae7341-2 interface GigabitEthernet1/0/14
switchport access vlan 350 !
! interface GigabitEthernet1/0/15
interface FastEthernet0 !
no ip address interface GigabitEthernet1/0/16
no ip route-cache cef !
no ip route-cache interface GigabitEthernet1/0/17
no ip mroute-cache !
shutdown interface GigabitEthernet1/0/18
! !
interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/19
! !
interface GigabitEthernet1/0/2 interface GigabitEthernet1/0/20
switchport access vlan 350 !
channel-group 7 mode on interface GigabitEthernet1/0/21
! !
interface GigabitEthernet1/0/3 interface GigabitEthernet1/0/22
description Links to WAN Rtr for Port Chan 1 !
no switchport interface GigabitEthernet1/0/23
no ip address !
channel-group 1 mode on interface GigabitEthernet1/0/24
! !

WAN Configuration Files 11

interface GigabitEthernet1/0/25 interface GigabitEthernet1/0/47
! !
interface GigabitEthernet1/0/26 interface GigabitEthernet1/0/48
! !
interface GigabitEthernet1/0/27 interface GigabitEthernet1/1/1
! !
interface GigabitEthernet1/0/28 interface GigabitEthernet1/1/2
! !
interface GigabitEthernet1/0/29 interface GigabitEthernet1/1/3
description vpn-asr1002-1-gig0/0/0 !
no switchport interface GigabitEthernet1/1/4
no ip address !
channel-group 3 mode on interface TenGigabitEthernet1/1/1
! description Link to C6509-R
interface GigabitEthernet1/0/30 no switchport
! ip address 10.4.40.46 255.255.255.252
interface GigabitEthernet1/0/31 ip pim sparse-mode
! ip summary-address eigrp 100 10.4.32.0 255.255.248.0
interface GigabitEthernet1/0/32 ip summary-address eigrp 100 10.5.0.0 255.255.0.0
! !
interface GigabitEthernet1/0/33 interface TenGigabitEthernet1/1/2
! !
interface GigabitEthernet1/0/34 interface GigabitEthernet2/0/1
! !
interface GigabitEthernet1/0/35 interface GigabitEthernet2/0/2
! switchport access vlan 350
interface GigabitEthernet1/0/36 channel-group 7 mode on
! !
interface GigabitEthernet1/0/37 interface GigabitEthernet2/0/3
! description Links to WAN Rtr for Port Chan 1
interface GigabitEthernet1/0/38 no switchport
! no ip address
interface GigabitEthernet1/0/39 channel-group 1 mode on
! !
interface GigabitEthernet1/0/40 interface GigabitEthernet2/0/4
! switchport access vlan 350
interface GigabitEthernet1/0/41 channel-group 8 mode on
! !
interface GigabitEthernet1/0/42 interface GigabitEthernet2/0/5
! !
interface GigabitEthernet1/0/43 interface GigabitEthernet2/0/6
! !
interface GigabitEthernet1/0/44 interface GigabitEthernet2/0/7
! !
interface GigabitEthernet1/0/45 interface GigabitEthernet2/0/8
! description Links to WAN Rtr for Port Chan 2
interface GigabitEthernet1/0/46 no switchport
! no ip address

WAN Configuration Files 12

 channel-group 2 mode on interface GigabitEthernet2/0/30
! !
interface GigabitEthernet2/0/9 interface GigabitEthernet2/0/31
! !
interface GigabitEthernet2/0/10 interface GigabitEthernet2/0/32
! !
interface GigabitEthernet2/0/11 interface GigabitEthernet2/0/33
! !
interface GigabitEthernet2/0/12 interface GigabitEthernet2/0/34
! !
interface GigabitEthernet2/0/13 interface GigabitEthernet2/0/35
! !
interface GigabitEthernet2/0/14 interface GigabitEthernet2/0/36
! !
interface GigabitEthernet2/0/15 interface GigabitEthernet2/0/37
! !
interface GigabitEthernet2/0/16 interface GigabitEthernet2/0/38
! !
interface GigabitEthernet2/0/17 interface GigabitEthernet2/0/39
! !
interface GigabitEthernet2/0/18 interface GigabitEthernet2/0/40
! !
interface GigabitEthernet2/0/19 interface GigabitEthernet2/0/41
! !
interface GigabitEthernet2/0/20 interface GigabitEthernet2/0/42
! !
interface GigabitEthernet2/0/21 interface GigabitEthernet2/0/43
! !
interface GigabitEthernet2/0/22 interface GigabitEthernet2/0/44
! !
interface GigabitEthernet2/0/23 interface GigabitEthernet2/0/45
! !
interface GigabitEthernet2/0/24 interface GigabitEthernet2/0/46
! !
interface GigabitEthernet2/0/25 interface GigabitEthernet2/0/47
! !
interface GigabitEthernet2/0/26 interface GigabitEthernet2/0/48
! !
interface GigabitEthernet2/0/27 interface GigabitEthernet2/1/1
! !
interface GigabitEthernet2/0/28 interface GigabitEthernet2/1/2
! !
interface GigabitEthernet2/0/29 interface GigabitEthernet2/1/3
description vpn-asr1002-1-gig0/0/1 !
no switchport interface GigabitEthernet2/1/4
no ip address !
channel-group 3 mode on interface TenGigabitEthernet2/1/1
! description Link to C6509-L

WAN Configuration Files 13

 no switchport exec-timeout 0 0
ip address 10.4.40.42 255.255.255.252 transport input ssh
ip pim sparse-mode line vty 5 15
ip summary-address eigrp 100 10.4.32.0 255.255.248.0 exec-timeout 0 0
ip summary-address eigrp 100 10.5.0.0 255.255.0.0 transport input ssh
! !
interface TenGigabitEthernet2/1/2 ntp clock-period 36027014
! ntp server 10.4.48.17
interface Vlan1 end
no ip address
shutdown ce-asr1004-1
!
interface Vlan350 version 15.1
ip address 10.4.32.129 255.255.255.192 service timestamps debug datetime msec localtime
! service timestamps log datetime msec localtime
! service password-encryption
router eigrp 100 no platform punt-keepalive disable-kernel-core
network 10.4.0.0 0.0.255.255 !
passive-interface default hostname ce-asr1004-1
no passive-interface Port-channel1 !
no passive-interface Port-channel2 boot-start-marker
no passive-interface Port-channel3 boot system flash bootflash:asr1000rp1-advipservicesk9.03.02.00.S.151-
no passive-interface Port-channel4 1.S.bin
no passive-interface Port-channel5 boot-end-marker
no passive-interface TenGigabitEthernet1/1/1 !
no passive-interface TenGigabitEthernet2/1/1 !
eigrp router-id 10.4.32.240 vrf definition Mgmt-intf
nsf !
! address-family ipv4
ip classless exit-address-family
ip route 10.4.0.0 255.255.0.0 Null0 !
! address-family ipv6
no ip http server exit-address-family
ip http authentication aaa !
ip http secure-server enable secret 5 $1$q2uz$QuEupHuI/g0dXTnMNu9na.
ip pim rp-address 10.4.40.252 10 !
! aaa new-model
ip sla enable reaction-alerts !
access-list 10 permit 239.1.0.0 0.0.255.255 !
! aaa group server tacacs+ TACACS-SERVERS
snmp-server community cisco RO server name TACACS-SERVER-1
snmp-server community cisco123 RW !
snmp-server trap-source Loopback1 aaa authentication login default group TACACS-SERVERS local
tacacs-server host 10.4.48.15 key 7 142417081E013E002131 aaa authorization console
tacacs-server directed-request aaa authorization exec default group TACACS-SERVERS local
! !
line con 0 !
line vty 0 4 !

WAN Configuration Files 14

! match protocol bgp
! class-map match-any INTERACTIVE-VIDEO
aaa session-id common match dscp cs4 af41
! class-map match-any CRITICAL-DATA
! match dscp cs3 af31
! class-map match-any VOICE
clock timezone PST -8 0 match dscp ef
clock summer-time PDT recurring class-map match-any SCAVENGER
no ip source-route match ip dscp cs1 af11
! class-map match-any NETWORK-CRITICAL
! match ip dscp cs2 cs6
! !
no ip domain lookup policy-map MARK-BGP
ip domain name cisco.local class BGP-ROUTING
ip multicast-routing distributed set dscp cs6
! policy-map WAN
! class VOICE
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 priority percent 10
141443180F0B7B7977 class INTERACTIVE-VIDEO
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 priority percent 23
0508571C22431F5B4A class CRITICAL-DATA
! bandwidth percent 15
! random-detect dscp-based
! class DATA
multilink bundle-name authenticated bandwidth percent 19
! random-detect dscp-based
! class SCAVENGER
! bandwidth percent 5
! class NETWORK-CRITICAL
! bandwidth percent 3
! service-policy MARK-BGP
! class class-default
! bandwidth percent 25
! random-detect
! policy-map WAN-INTERFACE-G0/0/4
username admin password 7 0508571C22431F5B4A class class-default
! shape average 300000000
redundancy service-policy WAN
mode none !
! !
! !
! !
ip ssh source-interface Loopback0 !
ip ssh version 2 !
! !
class-map match-any DATA !
match ip dscp af21 interface Loopback0
class-map match-any BGP-ROUTING ip address 10.4.32.241 255.255.255.255

WAN Configuration Files 15

 ip pim sparse-mode default-metric 300000 100 255 1 1500
! network 10.4.32.0 0.0.0.3
interface Port-channel1 network 10.4.32.241 0.0.0.0
ip address 10.4.32.2 255.255.255.252 redistribute bgp 65511
ip wccp 61 redirect in passive-interface default
ip pim sparse-mode no passive-interface Port-channel1
no negotiation auto eigrp router-id 10.4.32.241
! !
interface GigabitEthernet0/0/0 router bgp 65511
no ip address bgp router-id 10.4.32.241
negotiation auto bgp log-neighbor-changes
cdp enable network 0.0.0.0
channel-group 1 network 192.168.3.0 mask 255.255.255.252
! redistribute eigrp 100
interface GigabitEthernet0/0/1 neighbor 10.4.32.242 remote-as 65511
no ip address neighbor 10.4.32.242 update-source Loopback0
negotiation auto neighbor 10.4.32.242 next-hop-self
cdp enable neighbor 192.168.3.2 remote-as 65401
channel-group 1 !
! !
interface GigabitEthernet0/0/2 ip bgp-community new-format
no ip address no ip http server
shutdown ip http authentication aaa
negotiation auto no ip http secure-server
cdp enable ip pim rp-address 10.4.40.252 10
! ip pim register-source Loopback0
interface GigabitEthernet0/0/3 ip tacacs source-interface Loopback0
no ip address !
shutdown ip access-list standard BN-WAE
negotiation auto permit 10.4.32.162
! permit 10.4.32.161
interface GigabitEthernet0/0/4 !
bandwidth 300000 ip access-list extended WAAS-REDIRECT-LIST
ip address 192.168.3.1 255.255.255.252 remark WAAS WCCP Mgmt Redirect List
ip wccp 62 redirect in deny tcp any any eq 22
ip pim sparse-mode deny tcp any eq 22 any
negotiation auto deny tcp any eq telnet any
service-policy output WAN-INTERFACE-G0/0/4 deny tcp any any eq telnet
! deny tcp any eq bgp any
interface GigabitEthernet0 deny tcp any any eq bgp
vrf forwarding Mgmt-intf deny tcp any any eq 123
no ip address deny tcp any eq 123 any
shutdown permit tcp any any
negotiation auto !
! ip sla responder
! logging esm config
router eigrp 100 access-list 10 permit 239.1.0.0 0.0.255.255
distribute-list route-map BLOCK-TAGGED-ROUTES in cdp run

WAN Configuration Files 16

! boot system flash bootflash:asr1000rp1-advipservicesk9.03.02.00.S.151-
route-map BLOCK-TAGGED-ROUTES deny 10 1.S.bin
match tag 65401 65402 65512 boot-end-marker
! !
route-map BLOCK-TAGGED-ROUTES permit 20 !
! vrf definition Mgmt-intf
snmp-server community cisco RO !
snmp-server community cisco123 RW address-family ipv4
snmp-server trap-source Loopback0 exit-address-family
! !
tacacs server TACACS-SERVER-1 address-family ipv6
address ipv4 10.4.48.15 exit-address-family
key 7 04680E051D2458650C00 !
! enable secret 5 $1$eihd$d7.pftsZ/9jCQa9Y9B8q91
! !
control-plane aaa new-model
! !
! !
! aaa group server tacacs+ TACACS-SERVERS
! server name TACACS-SERVER-1
! !
line con 0 aaa authentication login default group TACACS-SERVERS local
logging synchronous aaa authorization console
stopbits 1 aaa authorization exec default group TACACS-SERVERS local
line aux 0 !
stopbits 1 !
line vty 0 4 !
exec-timeout 0 0 !
transport input ssh !
line vty 5 15 aaa session-id common
transport input ssh !
! !
ntp clock-period 17123435 !
ntp source Loopback0 clock timezone PST -8 0
ntp server 10.4.48.17 clock summer-time PDT recurring
end no ip source-route
!
ce-asr1004-2 !
!
version 15.1 no ip domain lookup
service timestamps debug datetime msec localtime ip domain name cisco.local
service timestamps log datetime msec localtime ip multicast-routing distributed
service password-encryption !
no platform punt-keepalive disable-kernel-core !
! ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
hostname ce-asr1004-2 141443180F0B7B7977
! ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
boot-start-marker 0508571C22431F5B4A

WAN Configuration Files 17

! class CRITICAL-DATA
! bandwidth percent 15
! random-detect dscp-based
multilink bundle-name authenticated class DATA
! bandwidth percent 19
! random-detect dscp-based
! class SCAVENGER
! bandwidth percent 5
! class NETWORK-CRITICAL
! bandwidth percent 3
! service-policy MARK-BGP
! class class-default
! bandwidth percent 25
! random-detect
username admin password 7 0508571C22431F5B4A policy-map WAN-INTERFACE-G0/0/4
! class class-default
redundancy shape average 150000000
mode none service-policy WAN
! !
! !
! !
ip ssh source-interface Loopback0 !
ip ssh version 2 !
! !
class-map match-any DATA !
match ip dscp af21 !
class-map match-any BGP-ROUTING interface Loopback0
match protocol bgp ip address 10.4.32.242 255.255.255.255
class-map match-any INTERACTIVE-VIDEO ip pim sparse-mode
match dscp cs4 af41 !
class-map match-any CRITICAL-DATA interface Port-channel2
match dscp cs3 af31 ip address 10.4.32.10 255.255.255.252
class-map match-any VOICE ip wccp 61 redirect in
match dscp ef ip pim sparse-mode
class-map match-any SCAVENGER no negotiation auto
match ip dscp cs1 af11 !
class-map match-any NETWORK-CRITICAL interface GigabitEthernet0/0/0
match ip dscp cs2 cs6 no ip address
! negotiation auto
policy-map MARK-BGP cdp enable
class BGP-ROUTING channel-group 2
set dscp cs6 !
policy-map WAN interface GigabitEthernet0/0/1
class VOICE no ip address
priority percent 10 negotiation auto
class INTERACTIVE-VIDEO cdp enable
priority percent 23 channel-group 2

WAN Configuration Files 18

! !
interface GigabitEthernet0/0/2 ip bgp-community new-format
no ip address no ip http server
shutdown ip http authentication aaa
negotiation auto no ip http secure-server
cdp enable ip pim rp-address 10.4.40.252 10
! ip pim register-source Loopback0
interface GigabitEthernet0/0/3 ip tacacs source-interface Loopback0
no ip address !
shutdown ip access-list standard BN-WAE
negotiation auto permit 10.4.32.162
! permit 10.4.32.161
interface GigabitEthernet0/0/4 !
bandwidth 150000 ip access-list extended WAAS-REDIRECT-LIST
ip address 192.168.4.1 255.255.255.252 remark WAAS WCCP Mgmt Redirect List
ip wccp 62 redirect in deny tcp any any eq 22
ip pim sparse-mode deny tcp any eq 22 any
negotiation auto deny tcp any eq telnet any
service-policy output WAN-INTERFACE-G0/0/4 deny tcp any any eq telnet
! deny tcp any eq bgp any
interface GigabitEthernet0 deny tcp any any eq bgp
vrf forwarding Mgmt-intf deny tcp any any eq 123
no ip address deny tcp any eq 123 any
shutdown permit tcp any any
negotiation auto !
! ip sla responder
! logging esm config
router eigrp 100 access-list 10 permit 239.1.0.0 0.0.255.255
distribute-list route-map BLOCK-TAGGED-ROUTES in cdp run
default-metric 150000 100 255 1 1500 !
network 10.4.32.8 0.0.0.3 route-map BLOCK-TAGGED-ROUTES deny 10
network 10.4.32.242 0.0.0.0 match tag 65401 65402 65512
redistribute bgp 65511 !
passive-interface default route-map BLOCK-TAGGED-ROUTES permit 20
no passive-interface Port-channel2 !
eigrp router-id 10.4.32.242 snmp-server community cisco RO
! snmp-server community cisco123 RW
router bgp 65511 snmp-server trap-source Loopback0
bgp router-id 10.4.32.242 !
bgp log-neighbor-changes tacacs server TACACS-SERVER-1
network 0.0.0.0 address ipv4 10.4.48.15
network 192.168.4.0 mask 255.255.255.252 key 7 04680E051D2458650C00
redistribute eigrp 100 !
neighbor 10.4.32.241 remote-as 65511 !
neighbor 10.4.32.241 update-source Loopback0 control-plane
neighbor 10.4.32.241 next-hop-self !
neighbor 192.168.4.2 remote-as 65402 !
! !

WAN Configuration Files 19

! server name TACACS-SERVER-1
! !
line con 0 aaa authentication login default group TACACS-SERVERS local
logging synchronous aaa authorization console
stopbits 1 aaa authorization exec default group TACACS-SERVERS local
line aux 0 !
stopbits 1 !
line vty 0 4 !
exec-timeout 0 0 !
transport input ssh !
line vty 5 15 aaa session-id common
transport input ssh !
! !
ntp clock-period 17202633 !
ntp source Loopback0 clock timezone PST -8 0
ntp server 10.4.48.17 clock summer-time PDT recurring
end no ip source-route
!
vpn-asr1002-1 ip vrf INET-PUBLIC
rd 65512:1
version 15.1 !
service timestamps debug datetime msec localtime !
service timestamps log datetime msec localtime !
service password-encryption no ip domain lookup
no platform punt-keepalive disable-kernel-core ip domain name cisco.local
! ip multicast-routing distributed
hostname vpn-asr1002-1 !
! !
boot-start-marker ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
boot system flash bootflash:asr1000rp1-advipservicesk9.03.02.00.S.151- 141443180F0B7B7977
1.S.bin ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
boot-end-marker 0508571C22431F5B4A
! !
! !
vrf definition Mgmt-intf !
! multilink bundle-name authenticated
address-family ipv4 !
exit-address-family !
! !
address-family ipv6 !
exit-address-family !
! !
enable secret 5 $1$3CpH$bwDyqrnqqeA0usMElzvhp. !
! !
aaa new-model !
! !
! username admin password 7 070C705F4D06485744
aaa group server tacacs+ TACACS-SERVERS !

WAN Configuration Files 20

redundancy !
mode none crypto isakmp policy 10
! encr aes 256
! authentication pre-share
! group 2
ip ssh source-interface Loopback0 crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
ip ssh version 2 keyring DMVPN-KEYRING
! match identity address 0.0.0.0 INET-PUBLIC
class-map match-any DATA !
match ip dscp af21 !
class-map match-any INTERACTIVE-VIDEO crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
match dscp cs4 af41 mode transport
class-map match-any CRITICAL-DATA !
match dscp cs3 af31 crypto ipsec profile DMVPN-PROFILE
class-map match-any VOICE set transform-set AES256/SHA/TRANSPORT
match dscp ef set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
class-map match-any SCAVENGER !
match ip dscp cs1 af11 !
class-map match-any NETWORK-CRITICAL !
match ip dscp cs2 cs6 !
match access-group name ISAKMP !
! !
policy-map WAN interface Loopback0
class VOICE ip address 10.4.32.243 255.255.255.255
priority percent 10 ip pim sparse-mode
class INTERACTIVE-VIDEO !
priority percent 23 interface Port-channel3
class CRITICAL-DATA ip address 10.4.32.18 255.255.255.252
bandwidth percent 15 ip wccp 61 redirect in
random-detect dscp-based ip pim sparse-mode
class DATA no negotiation auto
bandwidth percent 19 !
random-detect dscp-based interface Tunnel10
class SCAVENGER bandwidth 100000
bandwidth percent 5 ip address 10.4.34.1 255.255.254.0
class NETWORK-CRITICAL no ip redirects
bandwidth percent 3 ip mtu 1400
class class-default ip wccp 62 redirect in
bandwidth percent 25 ip hold-time eigrp 200 35
random-detect ip pim nbma-mode
policy-map WAN-INTERFACE-G0/0/3 ip pim sparse-mode
class class-default ip nhrp authentication cisco123
shape average 100000000 ip nhrp map multicast dynamic
service-policy WAN ip nhrp network-id 101
! ip nhrp holdtime 600
! ip nhrp redirect
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC no ip split-horizon eigrp 200
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123 ip tcp adjust-mss 1360

WAN Configuration Files 21

 load-interval 30 redistribute eigrp 100
tunnel source GigabitEthernet0/0/3 passive-interface default
tunnel mode gre multipoint no passive-interface Tunnel10
tunnel vrf INET-PUBLIC eigrp router-id 10.4.32.243
tunnel protection ipsec profile DMVPN-PROFILE !
! !
interface GigabitEthernet0/0/0 no ip http server
no ip address no ip http secure-server
negotiation auto ip pim rp-address 10.4.40.252 10
cdp enable ip pim register-source Loopback0
channel-group 3 ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 10.4.32.35
! ip tacacs source-interface Loopback0
interface GigabitEthernet0/0/1 !
no ip address ip access-list standard BN-WAE
negotiation auto permit 10.4.32.162
cdp enable permit 10.4.32.161
channel-group 3 !
! ip access-list extended ISAKMP
interface GigabitEthernet0/0/2 permit udp any eq isakmp any eq isakmp
no ip address ip access-list extended WAAS-REDIRECT-LIST
shutdown remark WAAS WCCP Mgmt Redirect List
negotiation auto deny tcp any any eq 22
! deny tcp any eq 22 any
interface GigabitEthernet0/0/3 deny tcp any eq telnet any
bandwidth 100000 deny tcp any any eq telnet
ip vrf forwarding INET-PUBLIC deny tcp any eq bgp any
ip address 10.4.32.33 255.255.255.248 deny tcp any any eq bgp
negotiation auto deny tcp any any eq 123
service-policy output WAN-INTERFACE-G0/0/3 deny tcp any eq 123 any
! permit tcp any any
interface GigabitEthernet0 !
vrf forwarding Mgmt-intf logging esm config
no ip address access-list 10 permit 239.1.0.0 0.0.255.255
shutdown cdp run
negotiation auto !
! route-map SET-ROUTE-TAG-DMVPN permit 10
! match interface Tunnel10
router eigrp 100 set tag 65512
network 10.4.32.16 0.0.0.3 !
network 10.4.32.243 0.0.0.0 snmp-server community cisco RO
redistribute eigrp 200 route-map SET-ROUTE-TAG-DMVPN snmp-server community cisco123 RW
passive-interface default snmp-server trap-source Loopback0
no passive-interface Port-channel3 !
eigrp router-id 10.4.32.243 tacacs server TACACS-SERVER-1
! address ipv4 10.4.48.15
! key 7 04680E051D2458650C00
router eigrp 200 !
network 10.4.34.0 0.0.1.255 !

WAN Configuration Files 22

control-plane !
! !
! interface GigabitEthernet 1/0
! channel-group 1
! exit
! interface GigabitEthernet 2/0
line con 0 channel-group 1
logging synchronous exit
stopbits 1 !
line aux 0 !
stopbits 1 ip default-gateway 10.4.32.129
line vty 0 4 !
transport input ssh no auto-register enable
line vty 5 15 !
transport input ssh ! ip path-mtu-discovery is disabled in WAAS by default
! !
exception data-corruption buffer truncate ip name-server 10.4.48.10
ntp clock-period 17229542 !
ntp source Loopback0 !
ntp server 10.4.48.17 !
end ntp server 10.4.48.17
!
!
!
wccp router-list 1 10.4.32.241 10.4.32.242 10.4.32.243
! default wccp mask is src-ip-mask 0xf00 dst-ip-mask 0x0
wae7341-1 wccp tcp-promiscuous router-list-num 1 encrypted password
j++vQr0cPtEIPHS9u7fKLw== mask-assign
wccp version 2
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
!
!
egress-method negotiated-return intercept-method wccp
device mode application-accelerator
!
!
ip icmp rate-limit unreachable df 0
!
!
hostname wae7341-1
!
!
!
clock timezone PST -8 0
username admin password 1 bVmDmMMmZAPjY
!
username admin privilege 15
!
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE
ip domain-name cisco.local
7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
!
!
primary-interface PortChannel 1
!
!
authentication login local enable primary
interface PortChannel 1
authentication configuration local enable primary
ip address 10.4.32.161 255.255.255.192
!
exit

WAN Configuration Files 23

! wae7431-2
!
sshd enable ! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
! !
! device mode application-accelerator
! !
tfo tcp optimized-send-buffer 2048 !
tfo tcp optimized-receive-buffer 2048 hostname wae7341-2
! !
! clock timezone PST -8 0
! !
! !
! ip domain-name cisco.local
! !
! !
! !
! primary-interface PortChannel 1
! !
! interface PortChannel 1
! ip address 10.4.32.162 255.255.255.192
! exit
! !
! !
! interface GigabitEthernet 1/0
! channel-group 1
! exit
! interface GigabitEthernet 2/0
!policy-engine application channel-group 1
! exit
! <policy-engine content intentionally omitted> !
! !
!exit ip default-gateway 10.4.32.129
! !
central-manager address 10.4.48.100 no auto-register enable
cms enable !
! ! ip path-mtu-discovery is disabled in WAAS by default
! !
! ip name-server 10.4.48.10
! !
! !
! !
! End of WAAS configuration ntp server 10.4.48.17
!
!
!
wccp router-list 1 10.4.32.241 10.4.32.242 10.4.32.243
! default wccp mask is src-ip-mask 0xf00 dst-ip-mask 0x0

WAN Configuration Files 24

wccp tcp-promiscuous router-list-num 1 encrypted password !
j++vQr0cPtEIPHS9u7fKLw== mask-assign !policy-engine application
wccp version 2 !
! ! <policy-engine content intentionally omitted>
egress-method negotiated-return intercept-method wccp !
! !exit
ip icmp rate-limit unreachable df 0 !
! central-manager address 10.4.48.100
! cms enable
! !
username admin password 1 bVmDmMMmZAPjY !
username admin privilege 15 !
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE !
7D891AB402CAF2E89CCDD33ED54333AC !
! !
! ! End of WAAS configuration
!
!
authentication login local enable primary
authentication configuration local enable primary
! waas-wcm-1
!
! ! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
sshd enable !
! device mode central-manager
! !
! !
tfo tcp optimized-send-buffer 2048 hostname waas-wcm-1
tfo tcp optimized-receive-buffer 2048 !
! clock timezone PST8PDT -8 0
! !
! !
! ip domain-name cisco.local
! !
! !
! !
! primary-interface GigabitEthernet 1/0
! !
! !
! !
! interface GigabitEthernet 1/0
! ip address 10.4.48.100 255.255.255.0
! exit
! interface GigabitEthernet 2/0
! shutdown
! exit
! !
ip default-gateway 10.4.48.1

WAN Configuration Files 25

!
! ip path-mtu-discovery is disabled in WAAS by default
!
ip name-server 10.4.48.10
!
!
!
ntp server 10.4.48.17
!
!
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE
7D891AB402CAF2E89CCDD33ED54333AC
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
!
!
!
!
!
!
!
!
cms enable
!
!
!
!
!
! End of WAAS configuration

WAN Configuration Files 26

WAN Remote-Site Devices
This section includes configuration files corresponding to the WAN 500
design topology as referenced in Figure 3. Each remote-site type has its
respective devices grouped together along with any other relevant configura-
tion information.
Figure 3. WAN Remote-Site Designs

WAN Configuration Files 27

Table 2 lists the specific details for the MPLS WAN and DMVPN WAN connections at each site.
Table 2. Remote-Site WAN Connection Details

Remote-Site Information MPLS (Our AS = 65511)

Carrier LAN
Location Net Block MPLS CE MPLS PE AS DMVPN Interfaces Loopbacks
Branch 200 (dual router) 10.5.0.0/21 (gi0/0) 192.168.3.17 192.168.3.18 65401 (A) (gi0/0) DHCP (gi0/1, gi0/2) 10.5.0.254 (r1)
(gi0/1, gi0/2) 10.5.0.253 (r2)
Branch 201 10.5.40.0/21 (gi0/0) 192.168.3.21 192.168.3.22 65401 (A) (gi0/1) DHCP (gi0/2) 10.5.40.254 (r)
Branch 202 10.5.64.0/21 (gi0/0) 192.168.4.5 192.168.4.6 65402 (B) (gi0/1) DHCP (gi0/2) 10.5.64.254 (r)
Branch 203 (dual router) 10.5.48.0/21 (gi0/0) 192.168.3.25 192.168.3.26 65401 (A) (gi0/0) DHCP (gi0/1) 10.5.48.254 (r1)
(gi0/1) 10.5.48.253 (r2)
Branch 204 10.5.56.0/21 (gi0/0) 192.168.3.29 192.168.3.30 65401 (A) — (gi0/1) 10.5.56.254 (r)
Branch 206 (dual router) 10.5.8.0/21 (gi0/0) 192.168.3.9 192.168.3.10 65401 (A) — (gi0/2) 10.5.8.254 (r1)
(gi0/0) 192.168.4.9 192.168.4.10 65402 (B) (gi0/2) 10.5.8.253 (r2)
Branch 207 10.5.16.0/21 (gi0/0) 192.168.3.13 192.168.3.14 65401 (A) — (gi1/0) 10.5.16.254 (r)
(gi0/1) 192.168.4.13 192.168.4.14 65402 (B)
Table 3 lists the link speeds for the remote-site QoS traffic shaping policies.
Table 3. Remote-Site Link Speeds

Remote-Site Information Link Speeds (Policed Rates)

Location Net Block MPLS DMVPN
Branch 200 (dual router) 10.5.0.0/21 50 Mbps 25 Mbps
Branch 201 10.5.40.0/21 10 Mbps 10 Mbps
Branch 202 10.5.64.0/21 10 Mbps 10 Mbps
Branch 203 (dual router) 10.5.48.0/21 20 Mbps 10 Mbps
Branch 204 10.5.56.0/21 20 Mbps —
Branch 206 10.5.8.0/21 50/25 Mbps —
Branch 207 10.5.16.0/21 20/10 Mbps —

WAN Configuration Files 28

Branch 200: Dual-Router, Dual-Link with Distribution Layer (MPLS-A + DMVPN)
Table 4 shows the IP address information for Branch 200.
Table 4. Branch 200—IP Address Information

Remote-Site Information Wired Subnets Wireless Subnets Operational IP Assignments

Data Vlan Data Voice Loopbacks and
Location Net Block (Vlan 64) (Vlan 69) (Vlan 65) (Vlan 70) Switches WAE
Branch 200 10.5.0.0/21 10.5.1.0/24 (Vlan100) 10.5.5.0/24 (Vlan 69) 10.5.2.0/24 10.5.3.0/24 10.5.0.254 (r1) 10.5.1.8
10.5.4.0/24 (Vlan 64) 10.5.7.0/24 (Vlan xx) 10.5.0.253 (r2) 10.5.1.9
10.5.6.0/24 (Vlan xx) 10.5.0.252 (dist)
10.5.4.5 (sw)
Table 5 and Table 6 provide additional information to connect to the distribution layer.
Table 5. Branch 200—Router Connection to Distribution Layer

Remote-Site Information Connection to Distribution Layer Switch Port-Channel Subinterface and IP assignments
Member
Location Net Block Router Port Channel Interfaces Subinterface Vlan Network
Branch 200 10.5.0.0/21 br200-3945-1 1 gig0/1 Port-channel1.50 50 10.5.0.0/30
gig0/2 Port-channel1.99 99 10.5.0.8/30
(transit network)
br200-3945-2 2 gig0/1 Port-channel2.54 54 10.5.0.4/30
gig0/2 Port-channel2.99 99 10.5.0.8/30
(transit network)
Table 6. Branch 200—Distribution Layer Switch Connections

Port-Channel Member Interfaces Layer3/Layer2 Connected Device

1 gig1/0/1 Trunk (Vlan50,99) br200-3945-1
gig2/0/2
2 gig1/0/2 Trunk (Vlan54,99) br200-3945-1
gig2/0/2
7 gig1/0/3 Layer 2 (Vlan200) br200-wae674-1
gig2/0/3
8 gig1/0/4 Layer 2 (Vlan200) br200-wae674-2
gig2/0/4
10 gig1/0/12 Trunk (Vlan64,69) access-switch
gig2/0/12

WAN Configuration Files 29

br200-3945-1 130646010803557878
!
version 15.0 multilink bundle-name authenticated
service timestamps debug datetime msec localtime !
service timestamps log datetime msec localtime !
service password-encryption !
! !
hostname br200-3945-1 !
! voice-card 0
boot-start-marker !
boot system flash:c3900-universalk9-mz.SPA.150-1.M4.bin !
boot-end-marker !
! !
enable secret 5 $1$av9N$FvuhHddONDXzEz6qPnwnl. !
! !
aaa new-model license udi pid C3900-SPE150/K9 sn FOC133037J0
! !
! !
aaa authentication login default group tacacs+ local username admin privilege 15 password 7 130646010803557878
aaa authorization console !
aaa authorization exec default group tacacs+ local redundancy
! !
! !
! ip ssh source-interface Loopback0
! ip ssh version 2
! !
aaa session-id common class-map match-any DATA
! match ip dscp af21
! class-map match-any BGP-ROUTING
! match protocol bgp
clock timezone PST -8 class-map match-any INTERACTIVE-VIDEO
clock summer-time PDT recurring match dscp cs4 af41
! class-map match-any CRITICAL-DATA
! match dscp cs3 af31
! class-map match-any VOICE
no ipv6 cef match dscp ef
no ip source-route class-map match-any SCAVENGER
ip cef match ip dscp cs1 af11
! class-map match-any NETWORK-CRITICAL
! match ip dscp cs2 cs6
ip multicast-routing !
! !
! policy-map MARK-BGP
no ip domain lookup class BGP-ROUTING
ip domain name cisco.local set dscp cs6
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 policy-map WAN
094F1F1A1A0A464058 class VOICE
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 priority percent 10

WAN Configuration Files 30

 class INTERACTIVE-VIDEO !
priority percent 23 interface GigabitEthernet0/0
class CRITICAL-DATA bandwidth 50000
bandwidth percent 15 ip address 192.168.3.17 255.255.255.252
random-detect dscp-based ip wccp 62 redirect in
class DATA ip pim sparse-mode
bandwidth percent 19 duplex auto
random-detect dscp-based speed auto
class SCAVENGER no cdp enable
bandwidth percent 5 !
class NETWORK-CRITICAL service-policy output WAN-INTERFACE-G0/0
bandwidth percent 3 !
service-policy MARK-BGP interface GigabitEthernet0/1
class class-default no ip address
bandwidth percent 25 duplex auto
random-detect speed auto
policy-map WAN-INTERFACE-G0/0 channel-group 1
class class-default !
shape average 50000000 !
service-policy WAN interface GigabitEthernet0/2
! no ip address
! duplex auto
! speed auto
! channel-group 1
! !
! !
! !
! !
interface Loopback0 router eigrp 100
ip address 10.5.0.254 255.255.255.255 default-metric 100000 100 255 1 1500
ip pim sparse-mode network 10.5.0.0 0.0.255.255
! redistribute bgp 65511
! passive-interface default
interface Port-channel1 no passive-interface Port-channel1.50
no ip address no passive-interface Port-channel1.99
! !
hold-queue 150 in router bgp 65511
! no synchronization
interface Port-channel1.50 bgp router-id 10.5.0.254
encapsulation dot1Q 50 bgp log-neighbor-changes
ip address 10.5.0.1 255.255.255.252 network 10.5.0.0 mask 255.255.255.252
ip wccp 61 redirect in network 192.168.3.16 mask 255.255.255.252
ip pim sparse-mode aggregate-address 10.5.0.0 255.255.248.0 summary-only
! neighbor 192.168.3.18 remote-as 65401
interface Port-channel1.99 no auto-summary
encapsulation dot1Q 99 !
ip address 10.5.0.9 255.255.255.252 ip forward-protocol nd
ip pim sparse-mode !

WAN Configuration Files 31

ip pim rp-address 10.4.40.252 10 gatekeeper
ip pim register-source Loopback0 shutdown
no ip http server !
ip http authentication aaa !
no ip http secure-server line con 0
! logging synchronous
ip tacacs source-interface Loopback0 line aux 0
! line vty 0 4
ip access-list standard BN-WAE exec-timeout 0 0
permit 10.5.1.8 transport input ssh
permit 10.5.1.9 line vty 5 15
! transport input ssh
ip access-list extended WAAS-REDIRECT-LIST !
remark WAAS WCCP Mgmt Redirect List scheduler allocate 20000 1000
deny tcp any any eq 22 ntp source Loopback0
deny tcp any eq 22 any ntp update-calendar
deny tcp any eq telnet any ntp server 10.4.48.17
deny tcp any any eq telnet end
deny tcp any eq bgp any
deny tcp any any eq bgp br200-3945-2
deny tcp any any eq 123
deny tcp any eq 123 any version 15.0
permit tcp any any service timestamps debug datetime msec localtime
! service timestamps log datetime msec localtime
ip sla responder service password-encryption
access-list 10 permit 239.1.0.0 0.0.255.255 !
! hostname br200-3945-2
! !
! boot-start-marker
! boot system flash:c3900-universalk9-mz.SPA.150-1.M4.bin
nls resp-timeout 1 boot-end-marker
cpd cr-id 1 !
! enable secret 5 $1$T12c$44ad7.y83eLRYU3XQEDlN0
snmp-server community cisco RO !
snmp-server community cisco123 RW aaa new-model
snmp-server trap-source Loopback0 !
tacacs-server host 10.4.48.15 key 7 01200307490E12242455 !
! aaa authentication login default group tacacs+ local
control-plane aaa authorization console
! aaa authorization exec default group tacacs+ local
! !
! !
! !
! !
! !
! aaa session-id common
! !
! !

WAN Configuration Files 32

! match ip dscp cs2 cs6
clock timezone PST -8 match access-group name ISAKMP
clock summer-time PDT recurring !
! !
! policy-map WAN
! class VOICE
no ipv6 cef priority percent 10
no ip source-route class INTERACTIVE-VIDEO
ip cef priority percent 23
! class CRITICAL-DATA
! bandwidth percent 15
ip vrf INET-PUBLIC random-detect dscp-based
rd 65512:1 class DATA
! bandwidth percent 19
ip multicast-routing random-detect dscp-based
! class SCAVENGER
! bandwidth percent 5
no ip domain lookup class NETWORK-CRITICAL
ip domain name cisco.local bandwidth percent 3
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 class class-default
0205554808095E731F bandwidth percent 25
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 random-detect
06055E324F41584B56 policy-map WAN-INTERFACE-G0/0
! class class-default
multilink bundle-name authenticated shape average 25000000
! service-policy WAN
! !
license udi pid C3900-SPE100/K9 sn FOC133932KA !
! crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
! pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
username admin password 7 15115A1F07257A767B !
! crypto isakmp policy 10
redundancy encr aes 256
! authentication pre-share
! group 2
ip ssh source-interface Loopback0 crypto isakmp keepalive 30 5
ip ssh version 2 crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
! keyring DMVPN-KEYRING
class-map match-any DATA match identity address 0.0.0.0 INET-PUBLIC
match ip dscp af21 !
class-map match-any INTERACTIVE-VIDEO !
match dscp cs4 af41 crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
class-map match-any CRITICAL-DATA mode transport
match dscp cs3 af31 !
class-map match-any VOICE crypto ipsec profile DMVPN-PROFILE
match dscp ef set transform-set AES256/SHA/TRANSPORT
class-map match-any SCAVENGER set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
match ip dscp cs1 af11 !
class-map match-any NETWORK-CRITICAL !

WAN Configuration Files 33

! !
! interface GigabitEthernet0/0
! bandwidth 25000
! ip vrf forwarding INET-PUBLIC
interface Loopback0 ip address dhcp
ip address 10.5.0.253 255.255.255.255 ip access-group ACL-INET-PUBLIC in
ip pim sparse-mode duplex auto
! speed auto
! !
interface Tunnel10 service-policy output WAN-INTERFACE-G0/0
bandwidth 25000 !
ip address 10.4.34.200 255.255.254.0 interface GigabitEthernet0/1
no ip redirects no ip address
ip mtu 1400 duplex auto
ip wccp 62 redirect in speed auto
ip pim dr-priority 0 channel-group 2
ip pim nbma-mode !
ip pim sparse-mode !
ip nhrp authentication cisco123 interface GigabitEthernet0/2
ip nhrp map 10.4.34.1 172.16.130.1 no ip address
ip nhrp map multicast 172.16.130.1 duplex auto
ip nhrp network-id 101 speed auto
ip nhrp holdtime 600 channel-group 2
ip nhrp nhs 10.4.34.1 !
ip nhrp registration no-unique !
ip nhrp shortcut !
ip tcp adjust-mss 1360 router eigrp 200
ip summary-address eigrp 200 10.5.0.0 255.255.248.0 network 10.4.34.0 0.0.1.255
tunnel source GigabitEthernet0/0 network 10.5.0.0 0.0.255.255
tunnel mode gre multipoint passive-interface default
tunnel vrf INET-PUBLIC no passive-interface Tunnel10
tunnel protection ipsec profile DMVPN-PROFILE eigrp router-id 10.5.0.253
! eigrp stub connected summary
! !
interface Port-channel2 !
no ip address router eigrp 100
! network 10.5.0.0 0.0.255.255
hold-queue 150 in redistribute eigrp 200
! passive-interface default
interface Port-channel2.54 no passive-interface Port-channel2.54
encapsulation dot1Q 54 no passive-interface Port-channel2.99
ip address 10.5.0.5 255.255.255.252 eigrp router-id 10.5.0.253
ip wccp 61 redirect in !
ip pim sparse-mode ip forward-protocol nd
! !
interface Port-channel2.99 ip pim rp-address 10.4.40.252 10
encapsulation dot1Q 99 ip pim register-source Loopback0
ip address 10.5.0.10 255.255.255.252 no ip http server
ip pim sparse-mode ip http authentication aaa

WAN Configuration Files 34

no ip http secure-server line vty 0 4
! transport input ssh
ip tacacs source-interface Loopback0 line vty 5 15
! transport input ssh
ip access-list standard BN-WAE !
permit 10.5.1.8 scheduler allocate 20000 1000
permit 10.5.1.9 ntp source Loopback0
! ntp update-calendar
ip access-list extended ACL-INET-PUBLIC ntp server 10.4.48.17
permit udp any any eq non500-isakmp end
permit udp any any eq isakmp
permit esp any any br200-3750stack
permit icmp any any echo
permit icmp any any echo-reply version 12.2
permit udp any any eq bootpc no service pad
ip access-list extended ISAKMP service timestamps debug uptime
permit udp any eq isakmp any eq isakmp service timestamps log datetime msec localtime
ip access-list extended WAAS-REDIRECT-LIST no service password-encryption
remark WAAS WCCP Mgmt Redirect List !
deny tcp any any eq 22 hostname br200-3750stack
deny tcp any eq 22 any !
deny tcp any eq telnet any boot-start-marker
deny tcp any any eq telnet boot-end-marker
deny tcp any eq bgp any !
deny tcp any any eq bgp enable secret 5 $1$AFl.$MlUSAh2DdE.ra2gxF2/6Z/
deny tcp any any eq 123 !
deny tcp any eq 123 any username admin privilege 15 password 0 c1sco123
permit tcp any any !
! !
ip sla responder aaa new-model
access-list 10 permit 239.1.0.0 0.0.255.255 !
! !
! aaa authentication login default group tacacs+ local
! aaa authorization console
! aaa authorization exec default group tacacs+ local
! !
snmp-server community cisco RO !
snmp-server community cisco123 RW !
snmp-server trap-source Loopback0 aaa session-id common
tacacs-server host 10.4.48.15 key 7 113A1C0605171F270133 clock timezone PST -8
! clock summer-time PDT recurring
control-plane switch 1 provision ws-c3750g-12s
! switch 2 provision ws-c3750g-12s
! system mtu routing 1500
! vtp mode transparent
line con 0 authentication mac-move permit
logging synchronous udld aggressive
line aux 0

WAN Configuration Files 35

ip routing mls qos srr-queue output dscp-map queue 4 threshold 1 8
no ip domain-lookup mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14
ip domain-name cisco.local 15
! mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
! mls qos queue-set output 1 threshold 1 138 138 92 138
ip multicast-routing distributed mls qos queue-set output 1 threshold 2 138 138 92 400
! mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos map policed-dscp 24 26 46 to 0 mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos map cos-dscp 0 8 16 24 32 46 48 56 mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos srr-queue input bandwidth 90 10 mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos srr-queue input threshold 1 8 16 mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos srr-queue input threshold 2 34 66 mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos srr-queue input buffers 67 33 mls qos queue-set output 1 buffers 10 10 26 54
mls qos srr-queue input cos-map queue 1 threshold 2 1 mls qos queue-set output 2 buffers 16 6 17 61
mls qos srr-queue input cos-map queue 1 threshold 3 0 mls qos
mls qos srr-queue input cos-map queue 2 threshold 1 2 !
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7 energywise domain sbaewbr200 security shared-secret 0 sbaewbr200pw
mls qos srr-queue input cos-map queue 2 threshold 3 3 5 energywise importance 100
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15 energywise keywords switch
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7 energywise management security shared-secret 0 sbaewbr200lms
mls qos srr-queue input dscp-map queue 1 threshold 3 32 !
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 energywise endpoint security shared-secret 0 sbaewbr200end
22 23 !
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 crypto pki trustpoint TP-self-signed-2786884608
39 48 enrollment selfsigned
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 subject-name cn=IOS-Self-Signed-Certificate-2786884608
55 56 revocation-check none
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 rsakeypair TP-self-signed-2786884608
63 !
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 !
46 47 crypto pki certificate chain TP-self-signed-2786884608
mls qos srr-queue output cos-map queue 1 threshold 3 5 certificate self-signed 01
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7 30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101
mls qos srr-queue output cos-map queue 3 threshold 3 2 4 04050030
mls qos srr-queue output cos-map queue 4 threshold 2 1 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D
mls qos srr-queue output cos-map queue 4 threshold 3 0 43657274
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 69666963 6174652D 32373836 38383436 3038301E 170D3933 30333031
46 47 30303031
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504
30 31 03132649
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32
54 55 37383638
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 38343630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030
62 63 81890281
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 8100C342 9D4CB4A2 6E264979 3A1678D2 1D3A9353 EDDC47C4 D2FD4E0C
22 23 B480C93D
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 C8FFA8C7 BBC196C9 7D22F9E0 FE2C53C8 945536FD 7F370844 873958F0
38 39 BE97115C

WAN Configuration Files 36

 F27BAAC6 41A23592 F8667A4E 1D0E2E95 742AD51E CF4BB0FC 27015B61 !
44DCF8BB interface Port-channel1
0B90A768 37BA6BE0 633054C4 4B7CD39D C1ED2082 0DA1243C 87C15E2A description connection to br200-3945-1
177D81FF switchport trunk encapsulation dot1q
F2430203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF switchport trunk allowed vlan 50,99
30290603 switchport mode trunk
551D1104 22302082 1E626E2D 62723230 302D3337 35307374 61636B2E !
63697363 interface Port-channel2
6F2E6C6F 63616C30 1F060355 1D230418 30168014 B4DDDF15 A08994D8 description connection to br200-3945-2
06CC2E2F switchport trunk encapsulation dot1q
05528621 077339AE 301D0603 551D0E04 160414B4 DDDF15A0 8994D806 switchport trunk allowed vlan 54,99
CC2E2F05 switchport mode trunk
52862107 7339AE30 0D06092A 864886F7 0D010104 05000381 810053F0 !
28B4CF7A interface Port-channel7
E7BDBC31 8E6F8AA9 755C74CC 93D34CE1 52A69E95 8163D21D F2CEDEFE switchport access vlan 100
1D546176 !
358E82C3 C13E2DB3 5BD59C5C 1682AADD D9103A64 BA4B8DD8 D1E6343E interface Port-channel8
76858759 switchport access vlan 100
0B8BAA31 BAA2A8EB 287B629F 6BFA1A29 37EFE7AC A11F4E5C D8767B8A !
21DF57EA interface Port-channel10
3246789F D11AE5D7 14F00EAB 04FBB75F 9562F4D1 1D00EC1A 0389 description br200-3560-1
quit switchport trunk encapsulation dot1q
! switchport trunk allowed vlan 64,69
! switchport mode trunk
! logging event trunk-status
port-channel load-balance src-dst-ip logging event bundle-status
! !
spanning-tree mode rapid-pvst interface GigabitEthernet1/0/1
spanning-tree extend system-id description connected to bn-br200-3945-1 on gig0/1
! switchport trunk encapsulation dot1q
vlan internal allocation policy ascending switchport trunk allowed vlan 50,99
vlan dot1q tag native switchport mode trunk
! srr-queue bandwidth share 10 10 60 20
vlan 50,54,64-65,69-70,99 queue-set 2
! priority-queue out
vlan 100 mls qos trust dscp
name Data channel-group 1 mode on
! !
ip ftp username bn interface GigabitEthernet1/0/2
ip ftp password cisco description connected to bn-br200-3945-2 on gig0/1
ip ssh source-interface Loopback0 switchport trunk encapsulation dot1q
ip ssh version 2 switchport trunk allowed vlan 54,99
! switchport mode trunk
! srr-queue bandwidth share 10 10 60 20
! queue-set 2
interface Loopback0 priority-queue out
ip address 10.5.0.252 255.255.255.255 mls qos trust dscp
ip pim sparse-mode channel-group 2 mode on

WAN Configuration Files 37

! interface GigabitEthernet2/0/1
interface GigabitEthernet1/0/3 switchport trunk encapsulation dot1q
description connected to bn-br200-wae674-1 on NIC 1 switchport trunk allowed vlan 50,99
switchport access vlan 100 switchport mode trunk
srr-queue bandwidth share 10 10 60 20 srr-queue bandwidth share 10 10 60 20
queue-set 2 queue-set 2
priority-queue out priority-queue out
mls qos trust dscp mls qos trust dscp
channel-group 7 mode on channel-group 1 mode on
! !
interface GigabitEthernet1/0/4 interface GigabitEthernet2/0/2
description connected to bn-br200-wae674-2 on NIC 1 switchport trunk encapsulation dot1q
switchport access vlan 100 switchport trunk allowed vlan 54,99
srr-queue bandwidth share 10 10 60 20 switchport mode trunk
queue-set 2 srr-queue bandwidth share 10 10 60 20
priority-queue out queue-set 2
mls qos trust dscp priority-queue out
channel-group 8 mode on mls qos trust dscp
! channel-group 2 mode on
interface GigabitEthernet1/0/5 !
! interface GigabitEthernet2/0/3
interface GigabitEthernet1/0/6 switchport access vlan 100
! srr-queue bandwidth share 10 10 60 20
interface GigabitEthernet1/0/7 queue-set 2
! priority-queue out
interface GigabitEthernet1/0/8 mls qos trust dscp
! channel-group 7 mode on
interface GigabitEthernet1/0/9 !
! interface GigabitEthernet2/0/4
interface GigabitEthernet1/0/10 switchport access vlan 100
! srr-queue bandwidth share 10 10 60 20
interface GigabitEthernet1/0/11 queue-set 2
switchport access vlan 100 priority-queue out
switchport mode access mls qos trust dscp
spanning-tree portfast channel-group 8 mode on
! !
interface GigabitEthernet1/0/12 interface GigabitEthernet2/0/5
switchport trunk encapsulation dot1q !
switchport trunk allowed vlan 64,69 interface GigabitEthernet2/0/6
switchport mode trunk !
srr-queue bandwidth share 10 10 60 20 interface GigabitEthernet2/0/7
queue-set 2 !
priority-queue out interface GigabitEthernet2/0/8
mls qos trust dscp !
channel-protocol lacp interface GigabitEthernet2/0/9
channel-group 10 mode active !
! interface GigabitEthernet2/0/10

WAN Configuration Files 38

! ip pim passive
interface GigabitEthernet2/0/11 !
switchport access vlan 100 interface Vlan100
switchport mode access ip address 10.5.1.1 255.255.255.0
spanning-tree portfast ip helper-address 10.4.48.10
! ip pim passive
interface GigabitEthernet2/0/12 !
switchport trunk encapsulation dot1q !
switchport trunk allowed vlan 64,69 router eigrp 100
switchport mode trunk network 10.5.0.0 0.0.255.255
srr-queue bandwidth share 10 10 60 20 passive-interface default
queue-set 2 no passive-interface Vlan50
priority-queue out no passive-interface Vlan54
mls qos trust dscp eigrp router-id 10.5.0.252
channel-protocol lacp nsf
channel-group 10 mode active !
! ip classless
interface Vlan1 no ip http server
no ip address ip http authentication aaa
shutdown ip http secure-server
! !
interface Vlan50 ip pim rp-address 10.4.40.252 10
ip address 10.5.0.2 255.255.255.252 ip pim register-source Loopback0
ip pim sparse-mode !
! ip sla responder
interface Vlan54 ip sla enable reaction-alerts
ip address 10.5.0.6 255.255.255.252 access-list 10 permit 239.1.0.0 0.0.255.255
ip pim sparse-mode !
! snmp-server community cisco RO
interface Vlan64 snmp-server community cisco123 RW
ip address 10.5.4.1 255.255.255.0 snmp-server trap-source Loopback0
ip helper-address 10.4.48.10 tacacs-server host 10.4.48.15 key SecretKey
ip pim passive tacacs-server directed-request
! !
interface Vlan65 !
ip address 10.5.2.1 255.255.255.0 line con 0
ip helper-address 10.4.48.10 line vty 0 4
ip pim passive exec-timeout 0 0
! password c1sco123
interface Vlan69 transport input ssh
ip address 10.5.5.1 255.255.255.0 line vty 5 15
ip helper-address 10.4.48.10 transport input ssh
ip pim passive !
! ntp clock-period 36028920
interface Vlan70 ntp source Loopback0
ip address 10.5.3.1 255.255.255.0 ntp server 10.4.48.17
ip helper-address 10.4.48.10 end

WAN Configuration Files 39

br200-wae674-1 j++vQr0cPtEIPHS9u7fKLw==
wccp version 2
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010) !
! egress-method negotiated-return intercept-method wccp
device mode application-accelerator !
! ip icmp rate-limit unreachable df 0
! !
hostname br200-wae674-1 !
! !
clock timezone PST -8 0 username admin password 1 bVmDmMMmZAPjY
! username admin privilege 15
! username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE
ip domain-name cisco.local 7D891AB402CAF2E89CCDD33ED54333AC
! !
! !
! !
primary-interface PortChannel 1 !
! authentication login local enable primary
interface PortChannel 1 authentication configuration local enable primary
ip address 10.5.1.8 255.255.255.0 !
exit !
! !
! sshd enable
interface GigabitEthernet 1/0 !
channel-group 1 !
exit !
interface GigabitEthernet 2/0 tfo tcp optimized-send-buffer 2048
channel-group 1 tfo tcp optimized-receive-buffer 2048
exit !
! !
! !
ip default-gateway 10.5.1.1 !
! !
no auto-register enable !
! !
! ip path-mtu-discovery is disabled in WAAS by default !
! !
ip name-server 10.4.48.10 !
! !
! !
! !
ntp server 10.4.48.17 !
! !
! !
! !
wccp router-list 1 10.5.0.253 10.5.0.254 !
wccp tcp-promiscuous router-list-num 1 encrypted password !

WAN Configuration Files 40

!policy-engine application ip default-gateway 10.5.1.1
! !
! <policy-engine content intentionally omitted> no auto-register enable
! !
!exit ! ip path-mtu-discovery is disabled in WAAS by default
! !
central-manager address 10.4.48.100 ip name-server 10.4.48.10
cms enable !
! !
! !
! ntp server 10.4.48.17
! !
! !
! !
! End of WAAS configuration wccp router-list 1 10.5.0.254 10.5.0.253
wccp tcp-promiscuous router-list-num 1 encrypted password
j++vQr0cPtEIPHS9u7fKLw==
br200-wae674-2 wccp version 2
!
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010) egress-method negotiated-return intercept-method wccp
! !
device mode application-accelerator ip icmp rate-limit unreachable df 0
! !
! !
hostname br200-wae674-2 !
! username admin password 1 bVmDmMMmZAPjY
clock timezone PST -8 0 username admin privilege 15
! username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE
! 7D891AB402CAF2E89CCDD33ED54333AC
ip domain-name cisco.local !
! !
! !
! !
primary-interface PortChannel 1 authentication login local enable primary
! authentication configuration local enable primary
interface PortChannel 1 !
ip address 10.5.1.9 255.255.255.0 !
exit !
! sshd enable
! !
interface GigabitEthernet 1/0 !
channel-group 1 !
exit tfo tcp optimized-send-buffer 2048
interface GigabitEthernet 2/0 tfo tcp optimized-receive-buffer 2048
channel-group 1 !
exit !
! !
! !

WAN Configuration Files 41

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.48.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

WAN Configuration Files 42

Branch 201: Single-Router, Dual-Link (MPLS-A + DMVPN)
Table 7 shows the IP address information for Branch 201.
Table 7. Branch 201—IP Address Information

Remote-Site Information Wired Subnets Wireless Subnets Operational IP Assignments

Data Vlan Data Voice Loopbacks and
Location Net Block (Vlan 64) (Vlan 69) (Vlan 65) (Vlan 70) Switches WAE
Branch 201 10.5.40.0/21 10.5.44.0/24 10.5.45.0/24 10.5.42.0/24 10.5.43.0/24 10.5.40.254 (r) 10.5.44.8
10.5.44.5 (sw)

!
br201-2911
no ipv6 cef
no ip source-route
version 15.0 ip cef
service timestamps debug datetime msec localtime !
service timestamps log datetime msec localtime !
service password-encryption ip vrf INET-PUBLIC
! rd 65512:1
hostname br201-2911 !
! ip multicast-routing
boot-start-marker !
boot system flash:c2900-universalk9-mz.SPA.150-1.M4.bin !
boot-end-marker no ip domain lookup
! ip domain name cisco.local
enable secret 5 $1$CY2u$UyHfG7vNvWsZi97EqaYTA/ ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
! 094F1F1A1A0A464058
aaa new-model ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
! 0205554808095E731F
! !
aaa authentication login default group tacacs+ local multilink bundle-name authenticated
aaa authentication login MODULE none !
aaa authorization console !
aaa authorization exec default group tacacs+ local !
! !
! !
! license udi pid CISCO2911/K9 sn FTX1347A1TN
! hw-module sm 1
! !
aaa session-id common !
! !
! username admin privilege 15 password 7 141443180F0B7B7977
! !
clock timezone PST -8 redundancy
clock summer-time PDT recurring !

WAN Configuration Files 43

! policy-map WAN-INTERFACE-G0/0
ip ssh source-interface Loopback0 class class-default
ip ssh version 2 shape average 10000000
! service-policy WAN
class-map match-any DATA !
match ip dscp af21 !
class-map match-any BGP-ROUTING crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
match protocol bgp pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
class-map match-any INTERACTIVE-VIDEO !
match dscp cs4 af41 crypto isakmp policy 10
class-map match-any CRITICAL-DATA encr aes 256
match dscp cs3 af31 authentication pre-share
class-map match-any VOICE group 2
match dscp ef crypto isakmp keepalive 30 5
class-map match-any SCAVENGER crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
match ip dscp cs1 af11 keyring DMVPN-KEYRING
class-map match-any NETWORK-CRITICAL match identity address 0.0.0.0 INET-PUBLIC
match ip dscp cs2 cs6 !
match access-group name ISAKMP !
! crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
! mode transport
policy-map MARK-BGP !
class BGP-ROUTING crypto ipsec profile DMVPN-PROFILE
set dscp cs6 set transform-set AES256/SHA/TRANSPORT
policy-map WAN set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
class VOICE !
priority percent 10 !
class INTERACTIVE-VIDEO !
priority percent 23 !
class CRITICAL-DATA !
bandwidth percent 15 !
random-detect dscp-based interface Loopback0
class DATA ip address 10.5.40.254 255.255.255.255
bandwidth percent 19 ip pim sparse-mode
random-detect dscp-based !
class SCAVENGER !
bandwidth percent 5 interface Tunnel10
class NETWORK-CRITICAL bandwidth 10000
bandwidth percent 3 ip address 10.4.34.201 255.255.254.0
service-policy MARK-BGP no ip redirects
class class-default ip mtu 1400
bandwidth percent 25 ip wccp 62 redirect in
random-detect ip pim dr-priority 0
policy-map WAN-INTERFACE-G0/1 ip pim nbma-mode
class class-default ip pim sparse-mode
shape average 10000000 ip nhrp authentication cisco123
service-policy WAN ip nhrp map multicast 172.16.130.1

WAN Configuration Files 44

 ip nhrp map 10.4.34.1 172.16.130.1 ip helper-address 10.4.48.10
ip nhrp network-id 101 ip wccp 61 redirect in
ip nhrp holdtime 600 ip pim sparse-mode
ip nhrp nhs 10.4.34.1 !
ip nhrp registration no-unique interface GigabitEthernet0/2.65
ip nhrp shortcut description WirelessData
ip nhrp redirect encapsulation dot1Q 65
ip tcp adjust-mss 1360 ip address 10.5.42.1 255.255.255.0
ip summary-address eigrp 200 10.5.40.0 255.255.248.0 ip helper-address 10.4.48.10
tunnel source GigabitEthernet0/1 ip wccp 61 redirect in
tunnel mode gre multipoint ip pim sparse-mode
tunnel vrf INET-PUBLIC !
tunnel protection ipsec profile DMVPN-PROFILE interface GigabitEthernet0/2.69
! description Voice1
! encapsulation dot1Q 69
interface GigabitEthernet0/0 ip address 10.5.45.1 255.255.255.0
bandwidth 10000 ip helper-address 10.4.48.10
ip address 192.168.3.21 255.255.255.252 ip pim sparse-mode
ip wccp 62 redirect in !
ip pim sparse-mode interface GigabitEthernet0/2.70
duplex auto description WirelessVoice
speed auto encapsulation dot1Q 70
no cdp enable ip address 10.5.43.1 255.255.255.0
! ip helper-address 10.4.48.10
service-policy output WAN-INTERFACE-G0/0 ip pim sparse-mode
! !
interface GigabitEthernet0/1 interface SM1/0
bandwidth 10000 ip address 1.1.1.1 255.255.255.252
ip vrf forwarding INET-PUBLIC service-module external ip address 10.5.44.8 255.255.255.0
ip address dhcp !Application: Restarted at Fri Dec 10 05:50:14 2010
ip access-group ACL-INET-PUBLIC in service-module ip default-gateway 10.5.44.1
duplex auto no keepalive
speed auto !
no cdp enable !
! interface SM1/1
service-policy output WAN-INTERFACE-G0/1 no ip address
! !
interface GigabitEthernet0/2 !
no ip address !
duplex auto router eigrp 200
speed auto network 10.4.34.0 0.0.1.255
! network 10.5.0.0 0.0.255.255
! passive-interface default
interface GigabitEthernet0/2.64 no passive-interface Tunnel10
description Data1 eigrp router-id 10.5.40.254
encapsulation dot1Q 64 eigrp stub connected summary
ip address 10.5.44.1 255.255.255.0 !

WAN Configuration Files 45

router bgp 65511 access-list 10 permit 239.1.0.0 0.0.255.255
no synchronization access-list 67 permit 1.1.1.1
bgp router-id 10.5.40.254 !
bgp log-neighbor-changes !
network 10.5.44.0 mask 255.255.255.0 !
network 10.5.45.0 mask 255.255.255.0 !
network 192.168.3.20 mask 255.255.255.252 !
aggregate-address 10.5.40.0 255.255.248.0 summary-only snmp-server community cisco RO
neighbor 192.168.3.22 remote-as 65401 snmp-server community cisco123 RW
no auto-summary snmp-server trap-source Loopback0
! tacacs-server host 10.4.48.15 key 7 097F4B0A0B0003390E15
ip forward-protocol nd !
! control-plane
ip bgp-community new-format !
ip pim rp-address 10.4.40.252 10 !
ip pim register-source Loopback0 !
no ip http server line con 0
ip http authentication aaa logging synchronous
no ip http secure-server line aux 0
! line 67
ip tacacs source-interface Loopback0 access-class 67 in
! login authentication MODULE
ip access-list standard BN-WAE no activation-character
permit 10.5.44.8 no exec
! transport preferred none
ip access-list extended ACL-INET-PUBLIC transport input all
permit udp any any eq non500-isakmp transport output none
permit udp any any eq isakmp stopbits 1
permit esp any any line vty 0 4
permit icmp any any echo password 7 04585A150C2E1D1C5A
permit icmp any any echo-reply transport input ssh
permit udp any any eq bootpc line vty 5 15
ip access-list extended ISAKMP transport input ssh
permit udp any eq isakmp any eq isakmp !
ip access-list extended WAAS-REDIRECT-LIST scheduler allocate 20000 1000
remark WAAS WCCP Mgmt Redirect List ntp source Loopback0
deny tcp any any eq 22 ntp update-calendar
deny tcp any eq 22 any ntp server 10.4.48.17
deny tcp any eq telnet any end
deny tcp any any eq telnet
deny tcp any eq bgp any br201-wae-sre
deny tcp any any eq bgp
deny tcp any any eq 123 ! waas-accelerator-k9 version 4.3.1 (build b6 Nov 13 2010)
deny tcp any eq 123 any !
permit tcp any any device mode application-accelerator
! !
ip sla responder !

WAN Configuration Files 46

hostname br201-wae-sre !
! !
clock timezone PST -8 0 authentication login local enable primary
! authentication configuration local enable primary
! !
ip domain-name cisco.local !
! !
! sshd enable
! !
primary-interface GigabitEthernet 2/0 !
! !
! tfo tcp optimized-send-buffer 2048
! tfo tcp optimized-receive-buffer 2048
interface GigabitEthernet 1/0 !
exit !
interface GigabitEthernet 2/0 !
exit !
! !
! !
! !
no auto-register enable !
! !
! ip path-mtu-discovery is disabled in WAAS by default !
! !
ip name-server 10.4.48.10 !
! !
! !
! !
ntp server 10.4.48.17 !
! !
! !
! !
wccp router-list 1 10.5.40.254 !policy-engine application
wccp tcp-promiscuous router-list-num 1 encrypted password !
j++vQr0cPtEIPHS9u7fKLw== ! <policy-engine content intentionally omitted>
wccp version 2 !
! !exit
egress-method negotiated-return intercept-method wccp !
! central-manager address 10.4.48.100
! cms enable
! !
! !
username admin password 1 bVmDmMMmZAPjY !
username admin privilege 15 !
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE !
7D891AB402CAF2E89CCDD33ED54333AC !
! ! End of WAAS configuration

WAN Configuration Files 47

Branch 202: Single-Router, Dual-Link (MPLS-B + DMVPN)
Table 8 shows the IP address information for Branch 202.
Table 8. Branch 202—IP Address Information

Remote-Site Information Wired Subnets Wireless Subnets Operational IP Assignments

Data Vlan Data Vlan Loopbacks and
Location Net Block (Vlan 64) (Vlan 69) (Vlan 65) (Vlan 70) Switches WAE
Branch 202 10.5.64.0/21 10.5.68.0/24 10.5.69.0/24 10.5.66.0/24 10.5.67.0/24 10.5.64.254 (r) 10.5.68.8
10.5.68.5 (sw)

br202-2911

version 15.0 ip cef

service timestamps debug datetime msec localtime !
service timestamps log datetime msec localtime !
service password-encryption ip vrf INET-PUBLIC
! rd 65512:1
hostname br202-2911 !
! ip multicast-routing
boot-start-marker !
boot system flash:c2900-universalk9-mz.SPA.150-1.M4.bin !
boot-end-marker no ip domain lookup
! ip domain name cisco.local
enable secret 5 $1$YV1B$W4bBZUh9z8A6uzYR2bLsP/ ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
! 06055E324F41584B56
aaa new-model ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
! 0508571C22431F5B4A
! !
aaa authentication login default group tacacs+ local multilink bundle-name authenticated
aaa authorization console !
aaa authorization exec default group tacacs+ local !
! !
! !
! license udi pid CISCO2911/K9 sn FTX1347A1TC
! !
! !
aaa session-id common username admin privilege 15 password 7 121A540411045D5679
! !
! redundancy
! !
clock timezone PST -8 !
clock summer-time PDT recurring ip ssh source-interface Loopback0
! ip ssh version 2
no ipv6 cef !
no ip source-route class-map match-any DATA

WAN Configuration Files 48

 match ip dscp af21 !
class-map match-any BGP-ROUTING crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
match protocol bgp pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
class-map match-any INTERACTIVE-VIDEO !
match dscp cs4 af41 crypto isakmp policy 10
class-map match-any CRITICAL-DATA encr aes 256
match dscp cs3 af31 authentication pre-share
class-map match-any VOICE group 2
match dscp ef crypto isakmp keepalive 30 5
class-map match-any SCAVENGER crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
match ip dscp cs1 af11 keyring DMVPN-KEYRING
class-map match-any NETWORK-CRITICAL match identity address 0.0.0.0 INET-PUBLIC
match ip dscp cs2 cs6 !
match access-group name ISAKMP !
! crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
! mode transport
policy-map MARK-BGP !
class BGP-ROUTING crypto ipsec profile DMVPN-PROFILE
set dscp cs6 set transform-set AES256/SHA/TRANSPORT
policy-map WAN set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
class VOICE !
priority percent 10 !
class INTERACTIVE-VIDEO !
priority percent 23 !
class CRITICAL-DATA !
bandwidth percent 15 !
random-detect dscp-based interface Loopback0
class DATA ip address 10.5.64.254 255.255.255.255
bandwidth percent 19 ip pim sparse-mode
random-detect dscp-based !
class SCAVENGER !
bandwidth percent 5 interface Tunnel10
class NETWORK-CRITICAL bandwidth 10000
bandwidth percent 3 ip address 10.4.34.202 255.255.254.0
service-policy MARK-BGP no ip redirects
class class-default ip mtu 1400
bandwidth percent 25 ip wccp 62 redirect in
random-detect ip pim dr-priority 0
policy-map WAN-INTERFACE-G0/1 ip pim nbma-mode
class class-default ip pim sparse-mode
shape average 10000000 ip nhrp authentication cisco123
service-policy WAN ip nhrp map multicast 172.16.130.1
policy-map WAN-INTERFACE-G0/0 ip nhrp map 10.4.34.1 172.16.130.1
class class-default ip nhrp network-id 101
shape average 10000000 ip nhrp holdtime 600
service-policy WAN ip nhrp nhs 10.4.34.1
! ip nhrp registration no-unique

WAN Configuration Files 49

 ip nhrp shortcut description wireless data
ip nhrp redirect encapsulation dot1Q 65
ip tcp adjust-mss 1360 ip address 10.5.66.1 255.255.255.0
ip summary-address eigrp 200 10.5.64.0 255.255.248.0 ip helper-address 10.4.48.10
tunnel source GigabitEthernet0/1 ip wccp 61 redirect in
tunnel mode gre multipoint ip pim sparse-mode
tunnel vrf INET-PUBLIC !
tunnel protection ipsec profile DMVPN-PROFILE interface GigabitEthernet0/2.69
! description voice 1
! encapsulation dot1Q 69
interface GigabitEthernet0/0 ip address 10.5.69.1 255.255.255.0
bandwidth 10000 ip helper-address 10.4.48.10
ip address 192.168.4.5 255.255.255.252 ip pim sparse-mode
ip wccp 62 redirect in !
ip pim sparse-mode interface GigabitEthernet0/2.70
duplex auto description wireless voice
speed auto encapsulation dot1Q 70
no cdp enable ip address 10.5.67.1 255.255.255.0
! ip helper-address 10.4.48.10
service-policy output WAN-INTERFACE-G0/0 ip pim sparse-mode
! !
interface GigabitEthernet0/1 !
bandwidth 10000 router eigrp 200
ip vrf forwarding INET-PUBLIC network 10.4.34.0 0.0.1.255
ip address dhcp network 10.5.0.0 0.0.255.255
ip access-group ACL-INET-PUBLIC in passive-interface default
duplex auto no passive-interface Tunnel10
speed auto eigrp router-id 10.5.64.254
no cdp enable eigrp stub connected summary
! !
service-policy output WAN-INTERFACE-G0/1 router bgp 65511
! no synchronization
interface GigabitEthernet0/2 bgp router-id 10.5.64.254
no ip address bgp log-neighbor-changes
duplex auto network 10.5.68.0 mask 255.255.255.0
speed auto network 10.5.69.0 mask 255.255.255.0
! network 192.168.4.4 mask 255.255.255.252
! aggregate-address 10.5.64.0 255.255.248.0 summary-only
interface GigabitEthernet0/2.64 neighbor 192.168.4.6 remote-as 65402
description Data1 no auto-summary
encapsulation dot1Q 64 !
ip address 10.5.68.1 255.255.255.0 ip forward-protocol nd
ip helper-address 10.4.48.10 !
ip wccp 61 redirect in ip bgp-community new-format
ip pim sparse-mode ip pim rp-address 10.4.40.252 10
! ip pim register-source Loopback0
interface GigabitEthernet0/2.65 no ip http server

WAN Configuration Files 50

ip http authentication aaa line aux 0
no ip http secure-server line vty 0 4
! transport input ssh
ip tacacs source-interface Loopback0 line vty 5 15
! !
ip access-list standard BN-WAE scheduler allocate 20000 1000
permit 10.5.68.8 ntp source Loopback0
! ntp update-calendar
ip access-list extended ACL-INET-PUBLIC ntp server 10.4.48.17
permit udp any any eq non500-isakmp end
permit udp any any eq isakmp
permit esp any any br202-wave574
permit icmp any any echo
permit icmp any any echo-reply ! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
permit udp any any eq bootpc !
ip access-list extended ISAKMP device mode application-accelerator
permit udp any eq isakmp any eq isakmp !
ip access-list extended WAAS-REDIRECT-LIST !
remark WAAS WCCP Mgmt Redirect List hostname br202-wave574
deny tcp any any eq 22 !
deny tcp any eq 22 any clock timezone PST -8 0
deny tcp any eq telnet any !
deny tcp any any eq telnet !
deny tcp any eq bgp any ip domain-name cisco.local
deny tcp any any eq bgp !
deny tcp any any eq 123 !
deny tcp any eq 123 any !
permit tcp any any primary-interface GigabitEthernet 1/0
! !
ip sla responder !
access-list 10 permit 239.1.0.0 0.0.255.255 !
! interface GigabitEthernet 1/0
! ip address 10.5.68.8 255.255.255.0
! exit
! interface GigabitEthernet 2/0
! shutdown
snmp-server community cisco RO exit
snmp-server community cisco123 RW !
snmp-server trap-source Loopback0 !
tacacs-server host 10.4.48.15 key 7 0538030C33495A221C1C ip default-gateway 10.5.68.1
! !
control-plane no auto-register enable
! !
! ! ip path-mtu-discovery is disabled in WAAS by default
! !
line con 0 ip name-server 10.4.48.10
logging synchronous !

WAN Configuration Files 51

! !
! !
ntp server 10.4.48.17 !
! !
! !
! !
wccp router-list 1 10.5.64.254 !
wccp tcp-promiscuous router-list-num 1 encrypted password !
j++vQr0cPtEIPHS9u7fKLw== !policy-engine application
wccp version 2 !
! ! <policy-engine content intentionally omitted>
egress-method negotiated-return intercept-method wccp !
! !exit
ip icmp rate-limit unreachable df 0 !
! central-manager address 10.4.48.100
! cms enable
! !
username admin password 1 bVmDmMMmZAPjY !
username admin privilege 15 !
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE !
7D891AB402CAF2E89CCDD33ED54333AC !
! !
! ! End of WAAS configuration
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!

WAN Configuration Files 52

Branch 203: Dual-Router, Dual-Link with Access Layer Only
(MPLS-A + DMVPN)
Table 9 shows the IP address information for Branch 203.
Table 9. Branch 203—IP Address Information

Remote-Site Information Wired Subnets Wireless Subnets Operational IP Assignments

Data Vlan Data Voice Loopbacks and
Location Net Block (Vlan 64) (Vlan 69) (Vlan 65) (Vlan 70) Switches WAE
Branch 203 10.5.48.0/21 10.5.52.0/24 10.5.53.0/24 10.5.50.0/24 10.5.51.0/24 10.5.48.254 (r1) 10.5.52.8
10.5.48.253 (r2) 10.5.52.9
10.5.52.5 (sw)

br203-2921-1 clock timezone PST -8

clock summer-time PDT recurring
version 15.0 !
service timestamps debug datetime msec localtime no ipv6 cef
service timestamps log datetime msec localtime no ip source-route
service password-encryption ip cef
! !
hostname br203-2921-1 !
! ip multicast-routing
boot-start-marker !
boot system flash:c2900-universalk9-mz.SPA.150-1.M4.bin !
boot-end-marker no ip domain lookup
! ip domain name cisco.local
enable secret 5 $1$CABP$z/eavJoMbeg7yT51Qc0rm0 ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
! 0205554808095E731F
aaa new-model ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
! 104D580A061843595F
! !
aaa authentication login default group tacacs+ local multilink bundle-name authenticated
aaa authentication login MODULE none !
aaa authorization console !
aaa authorization exec default group tacacs+ local !
! !
! !
! license udi pid CISCO2921/K9 sn FTX1348AHN0
! hw-module sm 1
! !
aaa session-id common !
! !
! username admin privilege 15 password 7 03070A180500701E1D
! !
redundancy

WAN Configuration Files 53

! service-policy WAN
! !
ip ssh source-interface Loopback0 !
ip ssh version 2 !
! !
track 50 ip sla 100 reachability !
! !
class-map match-any DATA !
match ip dscp af21 !
class-map match-any BGP-ROUTING interface Loopback0
match protocol bgp ip address 10.5.48.254 255.255.255.255
class-map match-any INTERACTIVE-VIDEO ip pim sparse-mode
match dscp cs4 af41 !
class-map match-any CRITICAL-DATA !
match dscp cs3 af31 interface GigabitEthernet0/0
class-map match-any VOICE bandwidth 20000
match dscp ef ip address 192.168.3.25 255.255.255.252
class-map match-any SCAVENGER ip wccp 62 redirect in
match ip dscp cs1 af11 ip pim sparse-mode
class-map match-any NETWORK-CRITICAL duplex auto
match ip dscp cs2 cs6 speed auto
! !
! !
policy-map MARK-BGP interface GigabitEthernet0/1
class BGP-ROUTING no ip address
set dscp cs6 duplex auto
policy-map WAN speed auto
class VOICE !
priority percent 10 !
class INTERACTIVE-VIDEO interface GigabitEthernet0/1.64
priority percent 23 description DATA1
class CRITICAL-DATA encapsulation dot1Q 64
bandwidth percent 15 ip address 10.5.52.2 255.255.255.0
random-detect dscp-based ip helper-address 10.4.48.10
class DATA ip wccp 61 redirect in
bandwidth percent 19 ip pim dr-priority 110
random-detect dscp-based ip pim sparse-mode
class SCAVENGER standby 1 ip 10.5.52.1
bandwidth percent 5 standby 1 priority 110
class NETWORK-CRITICAL standby 1 preempt
bandwidth percent 3 standby 1 track 50 decrement 10
service-policy MARK-BGP !
class class-default interface GigabitEthernet0/1.65
bandwidth percent 25 description wireless data
random-detect encapsulation dot1Q 65
policy-map WAN-INTERFACE-G0/0 ip address 10.5.50.2 255.255.255.0
class class-default ip helper-address 10.4.48.10
shape average 20000000 ip wccp 61 redirect in

WAN Configuration Files 54

 ip pim dr-priority 110 !
ip pim sparse-mode !
standby 1 ip 10.5.50.1 interface SM1/1
standby 1 priority 110 no ip address
standby 1 preempt shutdown
standby 1 track 50 decrement 10 !
! !
interface GigabitEthernet0/1.69 !
encapsulation dot1Q 69 router eigrp 100
ip address 10.5.53.2 255.255.255.0 default-metric 100000 100 255 1 1500
ip helper-address 10.4.48.10 network 10.5.0.0 0.0.255.255
ip pim dr-priority 110 redistribute bgp 65511
ip pim sparse-mode passive-interface default
standby 1 ip 10.5.53.1 no passive-interface GigabitEthernet0/1.99
standby 1 priority 110 eigrp router-id 10.5.48.254
standby 1 preempt !
standby 1 track 50 decrement 10 router bgp 65511
! no synchronization
interface GigabitEthernet0/1.70 bgp router-id 10.5.48.254
description wireless voice bgp log-neighbor-changes
encapsulation dot1Q 70 network 10.5.52.0 mask 255.255.255.0
ip address 10.5.51.2 255.255.255.0 network 10.5.53.0 mask 255.255.255.0
ip helper-address 10.4.48.10 network 192.168.3.24 mask 255.255.255.252
ip pim dr-priority 110 aggregate-address 10.5.48.0 255.255.248.0 summary-only
ip pim sparse-mode neighbor 192.168.3.26 remote-as 65401
standby 1 ip 10.5.51.1 no auto-summary
standby 1 priority 110 !
standby 1 preempt ip forward-protocol nd
standby 1 track 50 decrement 10 !
! ip pim rp-address 10.4.40.252 10
interface GigabitEthernet0/1.99 ip pim register-source Loopback0
encapsulation dot1Q 99 no ip http server
ip address 10.5.48.1 255.255.255.252 ip http authentication aaa
ip pim sparse-mode no ip http secure-server
! !
interface GigabitEthernet0/2 ip tacacs source-interface Loopback0
no ip address !
shutdown ip access-list standard BN-WAE
duplex auto permit 10.5.52.9
speed auto permit 10.5.52.8
! !
! ip access-list extended WAAS-REDIRECT-LIST
interface SM1/0 remark WAAS WCCP Mgmt Redirect List
ip address 1.1.1.1 255.255.255.252 deny tcp any any eq 22
service-module external ip address 10.5.52.8 255.255.255.0 deny tcp any eq 22 any
!Application: Restarted at Fri Oct 6 09:21:40 2006 deny tcp any eq telnet any
service-module ip default-gateway 10.5.52.1 deny tcp any any eq telnet

WAN Configuration Files 55

 deny tcp any eq bgp any transport input ssh
deny tcp any any eq bgp !
deny tcp any any eq 123 scheduler allocate 20000 1000
deny tcp any eq 123 any ntp source Loopback0
permit tcp any any ntp update-calendar
! ntp server 10.4.48.17
ip sla responder end
ip sla 100
icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0 br203-2921-2
timeout 1000
threshold 1000 version 15.0
frequency 15 service timestamps debug datetime msec localtime
ip sla schedule 100 life forever start-time now service timestamps log datetime msec localtime
access-list 10 permit 239.1.0.0 0.0.255.255 service password-encryption
access-list 67 permit 1.1.1.1 !
! hostname br203-2921-2
! !
! boot-start-marker
! boot system flash:c2900-universalk9-mz.SPA.150-1.M4.bin
! boot-end-marker
snmp-server community cisco RO !
snmp-server community cisco123 RW enable secret 5 $1$uVo/$xEyKRDXmAItutbat6YVAK/
snmp-server trap-source Loopback0 !
tacacs-server host 10.4.48.15 key 7 0812494D1B1C113C1712 aaa new-model
! !
control-plane !
! aaa authentication login default group tacacs+ local
! aaa authentication login MODULE none
! aaa authorization console
line con 0 aaa authorization exec default group tacacs+ local
logging synchronous !
line aux 0 !
line 67 !
access-class 67 in !
login authentication MODULE !
no activation-character aaa session-id common
no exec !
transport preferred none !
transport input all !
transport output none clock timezone PST -8
stopbits 1 clock summer-time PDT recurring
flowcontrol software !
line vty 0 4 no ipv6 cef
exec-timeout 0 0 no ip source-route
password 7 04585A150C2E1D1C5A ip cef
transport input ssh !
line vty 5 15 !

WAN Configuration Files 56

ip vrf INET-PUBLIC class VOICE
rd 65512:1 priority percent 10
! class INTERACTIVE-VIDEO
ip multicast-routing priority percent 23
! class CRITICAL-DATA
! bandwidth percent 15
no ip domain lookup random-detect dscp-based
ip domain name cisco.local class DATA
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 bandwidth percent 19
04585A150C2E1D1C5A random-detect dscp-based
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 class SCAVENGER
0508571C22431F5B4A bandwidth percent 5
! class NETWORK-CRITICAL
multilink bundle-name authenticated bandwidth percent 3
! class class-default
! bandwidth percent 25
! random-detect
! policy-map WAN-INTERFACE-G0/0
license udi pid CISCO2921/K9 sn FTX1348AHMM class class-default
hw-module sm 1 shape average 10000000
! service-policy WAN
! !
! !
username admin privilege 15 password 7 0007421507545A545C crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
! pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
redundancy !
! crypto isakmp policy 10
! encr aes 256
ip ssh source-interface Loopback0 authentication pre-share
ip ssh version 2 group 2
! crypto isakmp keepalive 30 5
class-map match-any DATA crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
match ip dscp af21 keyring DMVPN-KEYRING
class-map match-any INTERACTIVE-VIDEO match identity address 0.0.0.0 INET-PUBLIC
match dscp cs4 af41 !
class-map match-any CRITICAL-DATA !
match dscp cs3 af31 crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
class-map match-any VOICE mode transport
match dscp ef !
class-map match-any SCAVENGER crypto ipsec profile DMVPN-PROFILE
match ip dscp cs1 af11 set transform-set AES256/SHA/TRANSPORT
class-map match-any NETWORK-CRITICAL set isakmp-profile FVRF-ISAKMP-INET-PUBLIC
match ip dscp cs2 cs6 !
match access-group name ISAKMP !
! !
! !
policy-map WAN !

WAN Configuration Files 57

! interface GigabitEthernet0/1.64
interface Loopback0 description DATA1
ip address 10.5.48.253 255.255.255.255 encapsulation dot1Q 64
ip pim sparse-mode ip address 10.5.52.3 255.255.255.0
! ip helper-address 10.4.48.10
! ip wccp 61 redirect in
interface Tunnel10 ip pim dr-priority 105
bandwidth 10000 ip pim sparse-mode
ip address 10.4.34.203 255.255.254.0 standby 1 ip 10.5.52.1
no ip redirects standby 1 priority 105
ip mtu 1400 standby 1 preempt
ip wccp 62 redirect in !
ip pim dr-priority 0 interface GigabitEthernet0/1.65
ip pim nbma-mode description wireless data
ip pim sparse-mode encapsulation dot1Q 65
ip nhrp authentication cisco123 ip address 10.5.50.3 255.255.255.0
ip nhrp map multicast 172.16.130.1 ip helper-address 10.4.48.10
ip nhrp map 10.4.34.1 172.16.130.1 ip wccp 61 redirect in
ip nhrp network-id 101 ip pim dr-priority 105
ip nhrp holdtime 600 ip pim sparse-mode
ip nhrp nhs 10.4.34.1 standby 1 ip 10.5.50.1
ip nhrp registration no-unique standby 1 priority 105
ip nhrp shortcut standby 1 preempt
ip tcp adjust-mss 1360 !
ip summary-address eigrp 200 10.5.48.0 255.255.248.0 interface GigabitEthernet0/1.69
tunnel source GigabitEthernet0/0 encapsulation dot1Q 69
tunnel mode gre multipoint ip address 10.5.53.3 255.255.255.0
tunnel vrf INET-PUBLIC ip helper-address 10.4.48.10
tunnel protection ipsec profile DMVPN-PROFILE ip pim dr-priority 105
! ip pim sparse-mode
! standby 1 ip 10.5.53.1
interface GigabitEthernet0/0 standby 1 priority 105
bandwidth 10000 standby 1 preempt
ip vrf forwarding INET-PUBLIC !
ip address dhcp interface GigabitEthernet0/1.70
ip access-group ACL-INET-PUBLIC in description wireless voice
duplex auto encapsulation dot1Q 70
speed auto ip address 10.5.51.3 255.255.255.0
! ip helper-address 10.4.48.10
service-policy output WAN-INTERFACE-G0/0 ip pim dr-priority 105
! ip pim sparse-mode
interface GigabitEthernet0/1 standby 1 ip 10.5.51.1
no ip address standby 1 priority 105
duplex auto standby 1 preempt
speed auto !
! interface GigabitEthernet0/1.99
! encapsulation dot1Q 99

WAN Configuration Files 58

 ip address 10.5.48.2 255.255.255.252 ip tacacs source-interface Loopback0
ip pim sparse-mode !
! ip access-list standard BN-WAE
interface GigabitEthernet0/2 permit 10.5.52.9
no ip address permit 10.5.52.8
shutdown !
duplex auto ip access-list extended ACL-INET-PUBLIC
speed auto permit udp any any eq non500-isakmp
! permit udp any any eq isakmp
! permit esp any any
interface SM1/0 permit icmp any any echo
ip address 1.1.1.1 255.255.255.252 permit icmp any any echo-reply
service-module external ip address 10.5.52.9 255.255.255.0 permit udp any any eq bootpc
!Application: Restarted at Tue Aug 8 00:58:20 2006 ip access-list extended ISAKMP
service-module ip default-gateway 10.5.52.1 permit udp any eq isakmp any eq isakmp
! ip access-list extended WAAS-REDIRECT-LIST
! remark WAAS WCCP Mgmt Redirect List
interface SM1/1 deny tcp any any eq 22
no ip address deny tcp any eq 22 any
shutdown deny tcp any eq telnet any
! deny tcp any any eq telnet
! deny tcp any eq bgp any
! deny tcp any any eq bgp
router eigrp 200 deny tcp any any eq 123
network 10.4.34.0 0.0.1.255 deny tcp any eq 123 any
network 10.5.0.0 0.0.255.255 permit tcp any any
passive-interface default !
no passive-interface Tunnel10 ip sla responder
eigrp router-id 10.5.48.253 access-list 10 permit 239.1.0.0 0.0.255.255
eigrp stub connected summary access-list 67 permit 1.1.1.1
! !
! !
router eigrp 100 !
network 10.5.0.0 0.0.255.255 !
redistribute eigrp 200 !
passive-interface default snmp-server community cisco RO
no passive-interface GigabitEthernet0/1.99 snmp-server community cisco123 RW
eigrp router-id 10.5.48.253 snmp-server trap-source Loopback0
! tacacs-server host 10.4.48.15 key 7 113A1C0605171F270133
ip forward-protocol nd !
! control-plane
ip pim rp-address 10.4.40.252 10 !
ip pim register-source Loopback0 !
no ip http server !
ip http authentication aaa line con 0
no ip http secure-server logging synchronous
! line aux 0

WAN Configuration Files 59

line 67 !
access-class 67 in !
login authentication MODULE no auto-register enable
no activation-character !
no exec ! ip path-mtu-discovery is disabled in WAAS by default
transport preferred none !
transport input all ip name-server 10.4.48.10
transport output none !
stopbits 1 !
line vty 0 4 !
exec-timeout 0 0 ntp server 10.4.48.17
password 7 04585A150C2E1D1C5A !
transport input ssh !
line vty 5 15 !
transport input ssh wccp router-list 1 10.5.48.253 10.5.48.254
! wccp tcp-promiscuous router-list-num 1 encrypted password
scheduler allocate 20000 1000 j++vQr0cPtEIPHS9u7fKLw==
ntp source Loopback0 wccp version 2
ntp update-calendar !
ntp server 10.4.48.17 egress-method negotiated-return intercept-method wccp
end !
!
br203-wae-sre-1 !
!
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010) username admin password 1 bVmDmMMmZAPjY
! username admin privilege 15
device mode application-accelerator username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE
! 7D891AB402CAF2E89CCDD33ED54333AC
! !
hostname br203-wae-sre-1 !
! !
clock timezone PST -8 0 !
! authentication login local enable primary
! authentication configuration local enable primary
ip domain-name cisco.local !
! !
! !
! sshd enable
primary-interface GigabitEthernet 2/0 !
! !
! !
! tfo tcp optimized-send-buffer 2048
interface GigabitEthernet 1/0 tfo tcp optimized-receive-buffer 2048
exit !
interface GigabitEthernet 2/0 !
exit !
! !

WAN Configuration Files 60

! primary-interface GigabitEthernet 2/0
! !
! !
! !
! interface GigabitEthernet 1/0
! exit
! interface GigabitEthernet 2/0
! exit
! !
! !
! !
! no auto-register enable
! !
! ! ip path-mtu-discovery is disabled in WAAS by default
! !
!policy-engine application ip name-server 10.4.48.10
! !
! <policy-engine content intentionally omitted> !
! !
!exit ntp server 10.4.48.17
! !
central-manager address 10.4.48.100 !
cms enable !
! wccp router-list 1 10.5.48.254 10.5.48.253
! wccp tcp-promiscuous router-list-num 1 encrypted password
! j++vQr0cPtEIPHS9u7fKLw==
! wccp version 2
! !
! egress-method negotiated-return intercept-method wccp
! End of WAAS configuration !
!
br203-wae-sre-2 !
!
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010) username admin password 1 bVmDmMMmZAPjY
! username admin privilege 15
device mode application-accelerator username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE
! 7D891AB402CAF2E89CCDD33ED54333AC
! !
hostname br203-wae-sre-2 !
! !
clock timezone PST -8 0 !
! authentication login local enable primary
! authentication configuration local enable primary
ip domain-name cisco.local !
! !
! !
! sshd enable

WAN Configuration Files 61

!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>
!
!exit
!
central-manager address 10.4.48.100
cms enable
!
!
!
!
!
!
! End of WAAS configuration

WAN Configuration Files 62

Branch 204: Single-Router, Single-Link (MPLS)
Table 10 shows the IP address information for Branch 204.
Table 10. Branch 204—IP Address Information
Remote-Site Information Wired Subnets Wireless Subnets Operational IP Assignments
Data Vlan Data Vlan Loopbacks and
Location Net Block (Vlan 64) (Vlan 69) (Vlan 65) (Vlan 70) Switches WAE
Branch 204 10.5.56.0/21 10.5.60.0/24 10.5.61.0/24 10.5.58.0/24 10.5.59.0/24 10.5.56.254 (r) WAASx
10.5.60.5 (sw)

br204-1941
no ip source-route
ip cef
version 15.1 !
service timestamps debug datetime msec localtime !
service timestamps log datetime msec localtime !
service password-encryption ip multicast-routing
! !
hostname br204-1941 !
! no ip domain lookup
boot-start-marker ip domain name cisco.local
boot system flash flash0:c1900-universalk9-mz.SPA.151-3.T.bin !
boot-end-marker multilink bundle-name authenticated
! !
!
enable secret 5 $1$gRMs$BSG38sg9EH.9FumwsQsrp/ parameter-map type waas waas_global
! tfo optimize full
aaa new-model tfo auto-discovery blacklist enable
! lz entropy-check
! !
aaa authentication login default group tacacs+ local crypto pki token default removal timeout 0
aaa authorization console !
aaa authorization exec default group tacacs+ local crypto pki trustpoint BN-WAAS-WCM
! enrollment terminal pem
! revocation-check none
! !
! crypto pki trustpoint SELF-SIGNED-TRUSTPOINT
! enrollment selfsigned
aaa session-id common subject-alt-name bn-br204-1941.cisco.local
! revocation-check none
clock timezone PST -8 0 rsakeypair SELF-SIGNED-RSAKEYPAIR 2048
clock summer-time PDT recurring !
! !
no ipv6 cef !crypto pki certificate chain BN-WAAS-WCM

WAN Configuration Files 63

! certificate ca 0B class VOICE
! priority percent 10
! <certificate details intentionally omitted> class INTERACTIVE-VIDEO
! priority percent 23
! quit class CRITICAL-DATA
!crypto pki certificate chain SELF-SIGNED-TRUSTPOINT bandwidth percent 15
! certificate self-signed 01 random-detect dscp-based
! class DATA
! <certificate details intentionally omitted> bandwidth percent 19
! random-detect dscp-based
! quit class SCAVENGER
license udi pid CISCO1941/K9 sn FTX140980GQ bandwidth percent 5
! class NETWORK-CRITICAL
! bandwidth percent 3
username admin privilege 15 password 7 0508571C22431F5B4A class class-default
username sbawaasx privilege 15 password 7 0508571C22431F5B4A bandwidth percent 25
! random-detect
redundancy policy-map MARK-BGP
! class BGP-ROUTING
! set dscp cs6
! policy-map WAN-INTERFACE-G0/0
! class class-default
ip ftp username bn shape average 2000000
ip ftp password 7 05080F1C2243 service-policy WAN
ip ssh source-interface Loopback0 !
ip ssh version 2 !
! !
! <WAAS Express class-maps intentionally omitted> !
! !
class-map match-any DATA !
match ip dscp af21 !
class-map match-any BGP-ROUTING !
match protocol bgp interface Loopback0
class-map match-any INTERACTIVE-VIDEO ip address 10.5.56.254 255.255.255.255
match dscp cs4 af41 ip pim sparse-mode
class-map match-any CRITICAL-DATA !
match dscp cs3 af31 interface GigabitEthernet0/0
class-map match-any VOICE bandwidth 2000
match dscp ef ip address 192.168.3.29 255.255.255.252
class-map match-any SCAVENGER ip pim sparse-mode
match ip dscp cs1 af11 ip virtual-reassembly in
class-map match-any NETWORK-CRITICAL ip virtual-reassembly out
match ip dscp cs2 cs6 duplex auto
! speed auto
! waas enable
! <WAAS Express policy-map intentionally omitted> service-policy output WAN-INTERFACE-G0/0
!! !
policy-map WAN interface GigabitEthernet0/1

WAN Configuration Files 64

 no ip address ip tacacs source-interface Loopback0
duplex auto !
speed auto access-list 10 permit 239.1.0.0 0.0.255.255
! !
interface GigabitEthernet0/1.64 !
encapsulation dot1Q 64 !
ip address 10.5.60.1 255.255.255.0 !
ip helper-address 10.4.48.10 !
ip pim sparse-mode snmp-server community cisco RO
! snmp-server community cisco123 RW
interface GigabitEthernet0/1.65 snmp-server trap-source Loopback0
encapsulation dot1Q 65 tacacs-server host 10.4.48.15 key 7 0538030C33495A221C1C
ip address 10.5.58.1 255.255.255.0 !
ip helper-address 10.4.48.10 !
ip pim sparse-mode control-plane
! !
interface GigabitEthernet0/1.69 !
encapsulation dot1Q 69 alias exec waasxreg waas cm-register https://10.4.48.100:8443/wcm/
ip address 10.5.61.1 255.255.255.0 register
ip helper-address 10.4.48.10 !
ip pim sparse-mode line con 0
! logging synchronous
interface GigabitEthernet0/1.70 line aux 0
encapsulation dot1Q 70 line vty 0 4
ip address 10.5.59.1 255.255.255.0 password 7 04585A150C2E1D1C5A
ip helper-address 10.4.48.10 transport input ssh
ip pim sparse-mode line vty 5 15
! transport input ssh
router bgp 65511 !
bgp log-neighbor-changes scheduler allocate 20000 1000
network 10.5.60.0 mask 255.255.255.0 ntp source Loopback0
network 10.5.61.0 mask 255.255.255.0 ntp update-calendar
network 192.168.3.28 mask 255.255.255.252 ntp server 10.4.48.17
aggregate-address 10.5.56.0 255.255.248.0 summary-only end
neighbor 192.168.3.30 remote-as 65401
no auto-summary
!
ip forward-protocol nd
!
ip pim rp-address 10.4.40.252 10
ip pim register-source Loopback0
no ip http server
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint SELF-SIGNED-TRUSTPOINT
ip http client source-interface Loopback0
!

WAN Configuration Files 65

Branch 206: Dual-Router, Dual-Link (MPLS)
Table 11 shows the IP address information for Branch 206.
Table 11. Branch 206—IP Address Information
Remote-Site Information Wired Subnets Wireless Subnets Operational IP Assignments
Data Vlan Data Voice Loopbacks and
Location Net Block (Vlan 64) (Vlan 69) (Vlan 65) (Vlan 70) Switches WAE
Branch 206 10.5.8.0/21 10.5.12.0/24 10.5.13.0/24 10.5.10.0/24 10.5.11.0/24 10.5.8.254 (r1) 10.5.12.8
10.5.8.253 (r2) 10.5.12.9
10.5.12.5 (sw)

!
br206-3925-1
!
!
version 15.0 no ipv6 cef
service timestamps debug datetime msec localtime no ip source-route
service timestamps log datetime msec localtime ip cef
service password-encryption !
! !
hostname br206-3925-1 ip multicast-routing
! !
boot-start-marker !
boot system flash:c3900-universalk9-mz.SPA.150-1.M4.bin no ip domain lookup
boot-end-marker ip domain name cisco.local
! ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
enable secret 5 $1$CABP$z/eavJoMbeg7yT51Qc0rm0 094F1F1A1A0A464058
! ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
aaa new-model 130646010803557878
! !
! multilink bundle-name authenticated
aaa authentication login default group tacacs+ local !
aaa authentication login MODULE none !
aaa authorization console !
aaa authorization exec default group tacacs+ local license udi pid CISCO3900-MPE120 sn FHH13030040
! license boot module c3900 technology-package securityk9
! hw-module sm 1
! !
! !
! !
aaa session-id common username admin privilege 15 password 7 04585A150C2E1D1C5A
! !
! redundancy
! !
clock timezone PST -8 !
clock summer-time PDT recurring

WAN Configuration Files 66

ip ssh source-interface Loopback0 !
ip ssh version 2 !
! !
track 50 ip sla 100 reachability !
! !
class-map match-any DATA !
match ip dscp af21 !
class-map match-any BGP-ROUTING !
match protocol bgp interface Loopback0
class-map match-any INTERACTIVE-VIDEO ip address 10.5.8.254 255.255.255.255
match dscp cs4 af41 ip pim sparse-mode
class-map match-any CRITICAL-DATA !
match dscp cs3 af31 !
class-map match-any VOICE interface Port-channel1
match dscp ef no ip address
class-map match-any SCAVENGER !
match ip dscp cs1 af11 hold-queue 150 in
class-map match-any NETWORK-CRITICAL !
match ip dscp cs2 cs6 interface Port-channel1.64
! description DATA1
! encapsulation dot1Q 64
policy-map MARK-BGP ip address 10.5.12.2 255.255.255.0
class BGP-ROUTING ip helper-address 10.4.48.10
set dscp cs6 ip wccp 61 redirect in
policy-map WAN ip pim dr-priority 110
class VOICE ip pim sparse-mode
priority percent 10 standby 1 ip 10.5.12.1
class INTERACTIVE-VIDEO standby 1 priority 110
priority percent 23 standby 1 preempt
class CRITICAL-DATA standby 1 track 50 decrement 10
bandwidth percent 15 !
random-detect dscp-based interface Port-channel1.65
class DATA description wireless data
bandwidth percent 19 encapsulation dot1Q 65
random-detect dscp-based ip address 10.5.10.2 255.255.255.0
class SCAVENGER ip helper-address 10.4.48.10
bandwidth percent 5 ip wccp 61 redirect in
class NETWORK-CRITICAL ip pim dr-priority 110
bandwidth percent 3 ip pim sparse-mode
service-policy MARK-BGP standby 1 ip 10.5.10.1
class class-default standby 1 priority 110
bandwidth percent 25 standby 1 preempt
random-detect standby 1 track 50 decrement 10
policy-map WAN-INTERFACE-G0/0 !
class class-default interface Port-channel1.69
shape average 50000000 encapsulation dot1Q 69
service-policy WAN ip address 10.5.13.2 255.255.255.0

WAN Configuration Files 67

 ip helper-address 10.4.48.10 !
ip pim dr-priority 110 !
ip pim sparse-mode interface SM1/0
standby 1 ip 10.5.13.1 ip address 1.1.1.1 255.255.255.252
standby 1 priority 110 service-module external ip address 10.5.12.8 255.255.255.0
standby 1 preempt !Application: Restarted at Fri Dec 10 17:48:06 2010
standby 1 track 50 decrement 10 service-module ip default-gateway 10.5.12.1
! no keepalive
interface Port-channel1.70 !
description wireless voice !
encapsulation dot1Q 70 interface SM1/1
ip address 10.5.11.2 255.255.255.0 no ip address
ip helper-address 10.4.48.10 shutdown
ip pim dr-priority 110 !
ip pim sparse-mode !
standby 1 ip 10.5.11.1 !
standby 1 priority 110 router eigrp 100
standby 1 preempt default-metric 50000 100 255 1 1500
standby 1 track 50 decrement 10 network 10.5.0.0 0.0.255.255
! redistribute bgp 65511
interface Port-channel1.99 passive-interface default
encapsulation dot1Q 99 no passive-interface Port-channel1.99
ip address 10.5.8.1 255.255.255.252 eigrp router-id 10.5.8.254
ip pim sparse-mode !
! router bgp 65511
interface GigabitEthernet0/0 no synchronization
bandwidth 50000 bgp router-id 10.5.8.254
ip address 192.168.3.9 255.255.255.252 bgp log-neighbor-changes
ip wccp 62 redirect in network 10.5.12.0 mask 255.255.255.0
ip pim sparse-mode network 10.5.13.0 mask 255.255.255.0
duplex auto network 192.168.3.8 mask 255.255.255.252
speed auto aggregate-address 10.5.8.0 255.255.248.0 summary-only
! neighbor 10.5.8.253 remote-as 65511
service-policy output WAN-INTERFACE-G0/0 neighbor 10.5.8.253 update-source Loopback0
! neighbor 10.5.8.253 next-hop-self
interface GigabitEthernet0/1 neighbor 192.168.3.10 remote-as 65401
no ip address neighbor 192.168.3.10 route-map NO-TRANSIT-AS out
duplex auto no auto-summary
speed auto !
channel-group 1 ip forward-protocol nd
! !
! ip as-path access-list 10 permit ^$
interface GigabitEthernet0/2 ip pim rp-address 10.4.40.252 10
no ip address ip pim register-source Loopback0
duplex auto no ip http server
speed auto ip http authentication aaa
media-type rj45 no ip http secure-server
channel-group 1 !

WAN Configuration Files 68

ip tacacs source-interface Loopback0 access-class 67 in
! login authentication MODULE
ip access-list standard BN-WAE no activation-character
permit 10.5.12.9 no exec
permit 10.5.12.8 transport preferred none
! transport input all
ip access-list extended WAAS-REDIRECT-LIST transport output none
remark WAAS WCCP Mgmt Redirect List stopbits 1
deny tcp any any eq 22 line vty 0 4
deny tcp any eq 22 any exec-timeout 0 0
deny tcp any eq telnet any password 7 04585A150C2E1D1C5A
deny tcp any any eq telnet transport input ssh
deny tcp any eq bgp any line vty 5 15
deny tcp any any eq bgp transport input ssh
deny tcp any any eq 123 !
deny tcp any eq 123 any scheduler allocate 20000 1000
permit tcp any any ntp source Loopback0
! ntp update-calendar
ip sla responder ntp server 10.4.48.17
ip sla 100 end
icmp-echo 192.168.3.10 source-interface GigabitEthernet0/0
threshold 1000 br206-3925-2
frequency 15
ip sla schedule 100 life forever start-time now version 15.0
access-list 10 permit 239.1.0.0 0.0.255.255 service timestamps debug datetime msec localtime
access-list 67 permit 1.1.1.1 service timestamps log datetime msec localtime
! service password-encryption
! !
! hostname br206-3925-2
! !
route-map NO-TRANSIT-AS permit 10 boot-start-marker
match as-path 10 boot system flash:c3900-universalk9-mz.SPA.150-1.M4.bin
! boot-end-marker
! !
snmp-server community cisco RO enable secret 5 $1$CABP$z/eavJoMbeg7yT51Qc0rm0
snmp-server community cisco123 RW !
snmp-server trap-source Loopback0 aaa new-model
tacacs-server host 10.4.48.15 key 7 00371605165E1F2D0A38 !
! !
control-plane aaa authentication login default group tacacs+ local
! aaa authentication login MODULE none
! aaa authorization console
! aaa authorization exec default group tacacs+ local
line con 0 !
logging synchronous !
line aux 0 !
line 67 !

WAN Configuration Files 69

! match dscp cs4 af41
aaa session-id common class-map match-any CRITICAL-DATA
! match dscp cs3 af31
! class-map match-any VOICE
! match dscp ef
clock timezone PST -8 class-map match-any SCAVENGER
clock summer-time PDT recurring match ip dscp cs1 af11
! class-map match-any NETWORK-CRITICAL
! match ip dscp cs2 cs6
! !
no ipv6 cef !
no ip source-route policy-map MARK-BGP
ip cef class BGP-ROUTING
! set dscp cs6
! policy-map WAN
ip multicast-routing class VOICE
! priority percent 10
! class INTERACTIVE-VIDEO
no ip domain lookup priority percent 23
ip domain name cisco.local class CRITICAL-DATA
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 bandwidth percent 15
094F1F1A1A0A464058 random-detect dscp-based
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7 class DATA
130646010803557878 bandwidth percent 19
! random-detect dscp-based
multilink bundle-name authenticated class SCAVENGER
! bandwidth percent 5
! class NETWORK-CRITICAL
! bandwidth percent 3
license udi pid C3900-SPE100/K9 sn FOC134601WE service-policy MARK-BGP
hw-module sm 1 class class-default
! bandwidth percent 25
! random-detect
! policy-map WAN-INTERFACE-G0/0
username admin privilege 15 password 7 110A4816141D5A5E57 class class-default
! shape average 25000000
redundancy service-policy WAN
! !
! !
ip ssh source-interface Loopback0 !
ip ssh version 2 !
! !
class-map match-any DATA !
match ip dscp af21 !
class-map match-any BGP-ROUTING !
match protocol bgp interface Loopback0
class-map match-any INTERACTIVE-VIDEO ip address 10.5.8.253 255.255.255.255

WAN Configuration Files 70

 ip pim sparse-mode ip pim dr-priority 105
! ip pim sparse-mode
! standby 1 ip 10.5.11.1
interface Port-channel2 standby 1 priority 105
no ip address standby 1 preempt
! !
hold-queue 150 in interface Port-channel2.99
! encapsulation dot1Q 99
interface Port-channel2.64 ip address 10.5.8.2 255.255.255.252
description DATA1 ip pim sparse-mode
encapsulation dot1Q 64 !
ip address 10.5.12.3 255.255.255.0 interface GigabitEthernet0/0
ip helper-address 10.4.48.10 bandwidth 25000
ip wccp 61 redirect in ip address 192.168.4.9 255.255.255.252
ip pim dr-priority 105 ip wccp 62 redirect in
ip pim sparse-mode ip pim sparse-mode
standby 1 ip 10.5.12.1 duplex auto
standby 1 priority 105 speed auto
standby 1 preempt !
! service-policy output WAN-INTERFACE-G0/0
interface Port-channel2.65 !
description wireless data interface GigabitEthernet0/1
encapsulation dot1Q 65 no ip address
ip address 10.5.10.3 255.255.255.0 duplex auto
ip helper-address 10.4.48.10 speed auto
ip wccp 61 redirect in channel-group 2
ip pim dr-priority 105 !
ip pim sparse-mode !
standby 1 ip 10.5.10.1 interface GigabitEthernet0/2
standby 1 priority 105 no ip address
standby 1 preempt duplex auto
! speed auto
interface Port-channel2.69 media-type rj45
encapsulation dot1Q 69 channel-group 2
ip address 10.5.13.3 255.255.255.0 !
ip helper-address 10.4.48.10 !
ip pim dr-priority 105 interface SM1/0
ip pim sparse-mode ip address 1.1.1.1 255.255.255.252
standby 1 ip 10.5.13.1 service-module external ip address 10.5.12.9 255.255.255.0
standby 1 priority 105 !Application: Restarted at Fri Dec 10 17:47:53 2010
standby 1 preempt service-module ip default-gateway 10.5.12.1
! no keepalive
interface Port-channel2.70 !
description wireless voice !
encapsulation dot1Q 70 interface SM1/1
ip address 10.5.11.3 255.255.255.0 no ip address
ip helper-address 10.4.48.10 shutdown

WAN Configuration Files 71

 ! deny tcp any eq bgp any
! deny tcp any any eq bgp
! deny tcp any any eq 123
router eigrp 100 deny tcp any eq 123 any
default-metric 25000 100 255 1 1500 permit tcp any any
network 10.5.0.0 0.0.255.255 !
redistribute bgp 65511 ip sla responder
passive-interface default access-list 10 permit 239.1.0.0 0.0.255.255
no passive-interface Port-channel2.99 access-list 67 permit 1.1.1.1
eigrp router-id 10.5.8.253 !
! !
router bgp 65511 !
no synchronization !
bgp router-id 10.5.8.253 route-map NO-TRANSIT-AS permit 10
bgp log-neighbor-changes match as-path 10
network 10.5.12.0 mask 255.255.255.0 !
network 10.5.13.0 mask 255.255.255.0 !
network 192.168.4.8 mask 255.255.255.252 snmp-server community cisco RO
aggregate-address 10.5.8.0 255.255.248.0 summary-only snmp-server community cisco123 RW
neighbor 10.5.8.254 remote-as 65511 snmp-server trap-source Loopback0
neighbor 10.5.8.254 update-source Loopback0 tacacs-server host 10.4.48.15 key 7 00371605165E1F2D0A38
neighbor 10.5.8.254 next-hop-self !
neighbor 192.168.4.10 remote-as 65402 control-plane
neighbor 192.168.4.10 route-map NO-TRANSIT-AS out !
no auto-summary !
! !
ip forward-protocol nd line con 0
! logging synchronous
ip as-path access-list 10 permit ^$ line aux 0
ip pim rp-address 10.4.40.252 10 line 67
ip pim register-source Loopback0 access-class 67 in
no ip http server login authentication MODULE
ip http authentication aaa no activation-character
no ip http secure-server no exec
! transport preferred none
ip tacacs source-interface Loopback0 transport input all
! transport output none
ip access-list standard BN-WAE stopbits 1
permit 10.5.12.9 flowcontrol software
permit 10.5.12.8 line vty 0 4
! exec-timeout 0 0
ip access-list extended WAAS-REDIRECT-LIST password 7 04585A150C2E1D1C5A
remark WAAS WCCP Mgmt Redirect List transport input ssh
deny tcp any any eq 22 line vty 5 15
deny tcp any eq 22 any transport input ssh
deny tcp any eq telnet any !
deny tcp any any eq telnet scheduler allocate 20000 1000

WAN Configuration Files 72

ntp source Loopback0 wccp version 2
ntp update-calendar !
ntp server 10.4.48.17 egress-method negotiated-return intercept-method wccp
end !
!
br206-wae-sre-1 !
!
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010) username admin password 1 bVmDmMMmZAPjY
! username admin privilege 15
device mode application-accelerator username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE
! 7D891AB402CAF2E89CCDD33ED54333AC
! !
hostname br206-wae-sre-1 !
! !
clock timezone PST -8 0 !
! authentication login local enable primary
! authentication configuration local enable primary
ip domain-name cisco.local !
! !
! !
! sshd enable
primary-interface GigabitEthernet 2/0 !
! !
! !
! tfo tcp optimized-send-buffer 2048
interface GigabitEthernet 1/0 tfo tcp optimized-receive-buffer 2048
exit !
interface GigabitEthernet 2/0 !
exit !
! !
! !
! !
no auto-register enable !
! !
! ip path-mtu-discovery is disabled in WAAS by default !
! !policy-engine application
ip name-server 10.4.48.10 !
! ! <policy-engine content intentionally omitted>
! !
! !exit
ntp server 10.4.48.17 !
! central-manager address 10.4.48.100
! cms enable
! !
wccp router-list 1 10.5.8.254 10.5.8.253 !
wccp tcp-promiscuous router-list-num 1 encrypted password !
j++vQr0cPtEIPHS9u7fKLw== ! End of WAAS configuration

WAN Configuration Files 73

Branch 207: Single-Router, Dual-Link (MPLS)
Table 12 shows the IP address information for Branch 207.
Table 12. Branch 207—IP Address Information
Remote-Site Information Wired Subnets Wireless Subnets Operational IP Assignments
Data Vlan Data Voice Loopbacks and
Location Net Block (Vlan 64) (Vlan 69) (Vlan 65) (Vlan 70) Switches WAE
Branch 207 10.5.16.0/21 10.5.20.0/24 10.5.21.0/24 10.5.18.0/24 10.5.19.0/24 10.5.16.254 (r1) 10.5.20.8
10.5.20.5 (sw)

br207-2921
!
no ipv6 cef
version 15.0
no ip source-route
service timestamps debug datetime msec localtime
ip cef
service timestamps log datetime msec localtime
!
service password-encryption
!
!
ip multicast-routing
hostname br207-2921
!
!
!
boot-start-marker
no ip domain lookup
boot system flash:c2900-universalk9-mz.SPA.150-1.M4.bin
ip domain name cisco.local
boot-end-marker
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
!
130646010803557878
enable secret 5 $1$gRMs$BSG38sg9EH.9FumwsQsrp/
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password 7
!
0007421507545A545C
aaa new-model
!
!
multilink bundle-name authenticated
!
!
aaa authentication login default group tacacs+ local
!
aaa authentication login MODULE none
!
aaa authorization console
!
aaa authorization exec default group tacacs+ local
!
!
!
!
!
!
voice-card 0
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
clock timezone PST -8
license udi pid CISCO2921/K9 sn FHK1345F209
clock summer-time PDT recurring
hw-module sm 1

WAN Configuration Files 74

! service-policy MARK-BGP
! class class-default
! bandwidth percent 25
username admin privilege 15 password 7 070C705F4D06485744 random-detect
! policy-map WAN-INTERFACE-G0/1
redundancy class class-default
! shape average 10000000
! service-policy WAN
ip ftp username bn policy-map WAN-INTERFACE-G0/0
ip ftp password 7 02050D480809 class class-default
ip ssh source-interface Loopback0 shape average 20000000
ip ssh version 2 service-policy WAN
! !
class-map match-any DATA !
match ip dscp af21 !
class-map match-any BGP-ROUTING !
match protocol bgp !
class-map match-any INTERACTIVE-VIDEO !
match dscp cs4 af41 !
class-map match-any CRITICAL-DATA !
match dscp cs3 af31 interface Loopback0
class-map match-any VOICE ip address 10.5.16.254 255.255.255.255
match dscp ef ip pim sparse-mode
class-map match-any SCAVENGER !
match ip dscp cs1 af11 !
class-map match-any NETWORK-CRITICAL interface GigabitEthernet0/0
match ip dscp cs2 cs6 bandwidth 20000
! ip address 192.168.3.13 255.255.255.252
! ip wccp 62 redirect in
policy-map MARK-BGP ip pim sparse-mode
class BGP-ROUTING duplex auto
set dscp cs6 speed auto
policy-map WAN !
class VOICE service-policy output WAN-INTERFACE-G0/0
priority percent 10 !
class INTERACTIVE-VIDEO interface GigabitEthernet0/1
priority percent 23 bandwidth 10000
class CRITICAL-DATA ip address 192.168.4.13 255.255.255.252
bandwidth percent 15 ip wccp 62 redirect in
random-detect dscp-based ip pim sparse-mode
class DATA duplex auto
bandwidth percent 19 speed auto
random-detect dscp-based !
class SCAVENGER service-policy output WAN-INTERFACE-G0/1
bandwidth percent 5 !
class NETWORK-CRITICAL interface GigabitEthernet0/2
bandwidth percent 3 no ip address

WAN Configuration Files 75

 shutdown neighbor 192.168.3.14 route-map PREFER-MPLS-A in
duplex auto neighbor 192.168.3.14 route-map NO-TRANSIT-AS out
speed auto neighbor 192.168.4.14 remote-as 65402
! neighbor 192.168.4.14 route-map NO-TRANSIT-AS out
! no auto-summary
interface GigabitEthernet1/0 !
ip address 1.1.1.1 255.255.255.252 ip forward-protocol nd
! !
hold-queue 60 out ip as-path access-list 1 permit _65401$
! ip as-path access-list 10 permit ^$
interface GigabitEthernet1/0.64 ip pim rp-address 10.4.40.252 10
encapsulation dot1Q 64 ip pim register-source Loopback0
ip address 10.5.20.1 255.255.255.0 no ip http server
ip helper-address 10.4.48.10 ip http authentication aaa
ip wccp 61 redirect in no ip http secure-server
ip pim sparse-mode !
! ip tacacs source-interface Loopback0
interface GigabitEthernet1/0.65 !
encapsulation dot1Q 65 ip access-list standard BN-WAE
ip address 10.5.18.1 255.255.255.0 permit 10.5.20.8
ip helper-address 10.4.48.10 !
ip wccp 61 redirect in ip access-list extended WAAS-REDIRECT-LIST
ip pim sparse-mode remark WAAS WCCP Mgmt Redirect List
! deny tcp any any eq 22
interface GigabitEthernet1/0.69 deny tcp any eq 22 any
encapsulation dot1Q 69 deny tcp any eq telnet any
ip address 10.5.21.1 255.255.255.0 deny tcp any any eq telnet
ip helper-address 10.4.48.10 deny tcp any eq bgp any
ip pim sparse-mode deny tcp any any eq bgp
! deny tcp any any eq 123
interface GigabitEthernet1/0.70 deny tcp any eq 123 any
encapsulation dot1Q 70 permit tcp any any
ip address 10.5.19.1 255.255.255.0 !
ip helper-address 10.4.48.10 ip sla responder
ip pim sparse-mode access-list 10 permit 239.1.0.0 0.0.255.255
! access-list 67 permit 1.1.1.1
! !
router bgp 65511 !
no synchronization !
bgp router-id 10.5.16.254 !
bgp log-neighbor-changes route-map NO-TRANSIT-AS permit 10
network 10.5.20.0 mask 255.255.255.0 match as-path 10
network 10.5.21.0 mask 255.255.255.0 !
network 192.168.3.12 mask 255.255.255.252 route-map PREFER-MPLS-A permit 10
network 192.168.4.12 mask 255.255.255.252 match as-path 1
aggregate-address 10.5.16.0 255.255.248.0 summary-only set local-preference 200
neighbor 192.168.3.14 remote-as 65401 !

WAN Configuration Files 76

route-map PREFER-MPLS-A permit 20 br207-wave574
!
! ! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
snmp-server community cisco RO !
snmp-server community cisco123 RW device mode application-accelerator
snmp-server trap-source Loopback0 !
tacacs-server host 10.4.48.15 key 7 00371605165E1F2D0A38 !
! hostname br207-wave574
control-plane !
! clock timezone PST -8 0
! !
! !
! ip domain-name cisco.local
mgcp fax t38 ecm !
! !
! !
! primary-interface GigabitEthernet 1/0
! !
! !
gatekeeper !
shutdown interface GigabitEthernet 1/0
! ip address 10.5.20.8 255.255.255.0
! exit
line con 0 interface GigabitEthernet 2/0
logging synchronous shutdown
line aux 0 exit
line 67 !
access-class 67 in !
no activation-character ip default-gateway 10.5.20.1
no exec !
transport preferred none no auto-register enable
transport input all !
transport output none ! ip path-mtu-discovery is disabled in WAAS by default
stopbits 1 !
flowcontrol software ip name-server 10.4.48.10
line vty 0 4 !
password 7 04585A150C2E1D1C5A !
transport input ssh !
line vty 5 15 ntp server 10.4.48.17
transport input ssh !
! !
scheduler allocate 20000 1000 !
ntp source Loopback0 wccp router-list 1 10.5.16.254
ntp update-calendar wccp tcp-promiscuous router-list-num 1 encrypted password
ntp server 10.4.48.17 j++vQr0cPtEIPHS9u7fKLw==
end wccp version 2
!

WAN Configuration Files 77

egress-method negotiated-return intercept-method wccp !
! !exit
ip icmp rate-limit unreachable df 0 !
! central-manager address 10.4.48.100
! cms enable
! !
username admin password 1 bVmDmMMmZAPjY !
username admin privilege 15 !
username admin print-admin-password 1 29D5C31BFF3D8D25AAD3B435B51404EE !
7D891AB402CAF2E89CCDD33ED54333AC !
! !
! ! End of WAAS configuration
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!policy-engine application
!
! <policy-engine content intentionally omitted>

WAN Configuration Files 78

Summary
The WAN Configuration Guide is a supplemental guide to be used with the
WAN Deployment Guide. The WAN Deployment Guide is a reference design
for Cisco customers and partners. It covers the WAN component of Cisco
SBA for Enterprise Organizations— Borderless Networks and is meant to be
used in conjunction with the LAN Deployment Guide and Internet Edge
Deployment Guide, which you can find on www.cisco.com/go/sba. If this
design does not scale to meet your needs, please refer to the Cisco
Validated Designs (CVD) for larger deployment models. CVDs can be found
on Cisco.com. The Cisco products used in this design were tested in a
network lab at Cisco. The specific products are listed near the beginning of this
document for your convenience.

Appendix A 79
Appendix A:
SBA for Enterprise Organizations Document System

Design Guides Deployment Guides

LAN Supplemental Guides

Design Overview

IPv6 Addressing Configuration Wireless CleanAir

Files

Foundation WAN Supplemental Guides

Collapsed Campus
and Data Center Core

Configuration Network Device

Files
You are Here VPN Remote Site
Authentication and Authorization

Internet Edge Supplemental Guides

Group Encrypted Advanced Guest
Transport VPN Wireless

Configuration Cisco SIEM Layer 2 WAN

Files

3G Wireless
Network Management ArcSight SIEM
Remote Site

SolarWinds LogLogic SIEM

Traffic Analysis– nFx SIEM

Netflow and NetQoS

Traffic Analysis– RSA SIEM

Netflow and SolarWinds

Cisco LAN Splunk SIEM

Management Solution

Service and Availability– Cisco

Cisco LMS Data Security

Service and Availability– CREDANT

SolarWinds Data Security

Network Analysis Lumension

and Reporting Data Security

80
 Americas Headquarters Asia Pacific Headquarters Europe Headquarters
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV
San Jose, CA Singapore Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other company. (1005R)

C07-611148-02 01/11