CVD IWANConfigurationFilesGuide FEB16

CISCO VALIDATED DESIGN
Intelligent WAN
Configuration Files Guide
February 2016
REFERENCE
NETWORK
ARCHITECTURE
Table of Contents
Table of Contents
Introduction...................................................................................................................................... 1
Product List...................................................................................................................................... 5
IOS Certificate Authority................................................................................................................... 9
IWAN-IOS-CA................................................................................................................................................................ 10
WAN Aggregation Devices—IWAN Hybrid Design Model................................................................. 17

MC-HY-CSR1000V-1—Hub MC..................................................................................................................................... 19
VPN-MPLS-ASR1002X-1—Hub BR (MPLS)................................................................................................................... 25
VPN-INET-4451X-2—Hub BR (INET).............................................................................................................................. 39
MC-HY-ASR1002X-T1—Transit MC................................................................................................................................ 53
VPN-MPLS-ASR1002X-T1—Transit BR (MPLS)............................................................................................................. 60
VPN-INET-ASR1002X-T2—Transit BR (INET).................................................................................................................. 73
WAN Remote-Site Devices—IWAN Hybrid Design Model................................................................. 88

Remote Site 11—Single-Router, Dual-Link (MPLS and INET)......................................................................................... 89
Remote Site 12—Dual-Router, Dual-Link (MPLS and INET).......................................................................................... 105
Remote Site 51—Single-Router, Dual-Link (MPLS and INET with 4G LTE Fallback)...................................................... 133
WAN Aggregation Devices—IWAN Dual Internet Design Model...................................................... 153

MC-DI-ASR1004-1—Hub MC...................................................................................................................................... 155
MC-DI-ASR1004-2—Hub MC HA................................................................................................................................. 161
VPN-INET-ASR1002X-3—Hub BR (INET1)................................................................................................................... 168
VPN-INET-ASR1002X-4—Hub BR (INET2)................................................................................................................... 182
VPN-INET-ASR1002X-5—Hub BR2 (INET1)................................................................................................................. 197
VPN-INET-ASR1002X-6—Hub BR2 (INET2)................................................................................................................. 211
WAN Remote-Site Devices—IWAN Dual Internet Design Model..................................................... 227

Remote Site 13—Single-Router, Dual-Link (INET1 and INET2)..................................................................................... 228
Remote Site 14—Dual-Router, Dual-Link (INET1 and INET2)........................................................................................ 245
Appendix B: Expanded Figure...................................................................................................... 275

Appendix C: Expanded Figure...................................................................................................... 276
Appendix D: Changes................................................................................................................... 277
Cisco Validated Design

Introduction
Introduction
The Cisco Intelligent WAN (IWAN) solution provides design and implementation guidance for organizations looking
to deploy wide area network (WAN) transport with a transport-independent design (TID), intelligent path control,
application optimization, and secure encrypted communications between branch locations while reducing the
operating cost of the WAN. IWAN takes full advantage of cost-effective transport services in order to increase
bandwidth capacity without compromising performance, reliability, or security of collaboration or cloud-based ap-
plications.
This document provides the available configuration files for the products used in the Intelligent WAN Technology
Design Guide. It is a companion document to the design guide as a reference for engineers who are evaluating or
deploying the CVD.
Both this guide and the Intelligent WAN Technology Design Guide provide the complete list of products used in
the lab-testing of this design.
The first design model is the IWAN Hybrid, which uses MPLS paired with Internet VPN as WAN transports. In this
design model, the MPLS WAN can provide more bandwidth for the critical classes of services needed for key
applications and can provide SLA guarantees for these applications. The second design model is the IWAN Dual
Internet, which uses a pair of Internet service providers to further reduce cost while maintaining a high level of
resiliency for the WAN. A third design model, the IWAN Dual MPLS, is not covered in this guide.
Figure 1 IWAN hybrid model—WAN aggregation site overview
Core Layer
WAN Distribution
Hub Master
Layer
Controller
Hub Border DMVPN Hub

Routers Routers Internet Edge
DMVPN 1 DMVPN 2
INET
MPLS
1248F
Cisco Validated Design page 1

Introduction
Figure 2 IWAN dual Internet model—WAN aggregation site overview
Core Layer
WAN Distribution Hub Master

Layer Controller
Hub Border DMVPN Hub

Routers Routers Internet Edge
DMVPN 3 DMVPN 4
INET
1240F
ISP A / ISP B
Figure 3 IWAN—Remote-site overview
Single Router Location Dual Router Location
Branch Master Branch Master Branch

Controller/ Controller/ Border
Branch Border Branch Border Router
Router Router
1241F

Introduction
With this version of the guide, we have also added hub master controller (MC) high availability, hub border router
(BR) scaling, and transit locations to the design. The high-level diagrams for these options are included below.
Figure 4 IWAN dual Internet Model—Hub MC high availability
Core Layer
Hub Master
Controller (MC)
WAN Distribution Lo: 10.6.32.252/32
Layer
Hub Master
Controller (MC-HA)
Lo: 10.6.32.252/31
Hub Border
Routers (BR) Internet Edge
DMVPN 3 DMVPN 4
INET
2307F
INET1 INET2 ISP A / ISP B
Figure 5 IWAN dual Internet model—Hub BR scalability
Core Layer
Hub Master
WAN Distribution Controller (MC)
Layer Hub Master
Controller (MC-HA)
Hub Border
Routers (BR)
Internet Edge
Multiple paths
to the same
DMVPN
INET1 INET2 INET1 INET2

PATH-ID 1 PATH-ID 2 PATH-ID 3 PATH-ID 4
INET
2308F
DMVPN 3 DMVPN 4 DMVPN 3 DMVPN 4

ISP A / ISP B

Introduction
Figure 6 IWAN hybrid model—Second data center as a transit site
DC1 DC2
10.4.0.0/16 10.4.0.0/16
10.6.0.0/16 DCI 10.8.0.0/16
WAN Core
Hub Site Transit Site
Hub MC Transit MC
POP-ID 0 POP-ID 1
10.4.0.0/16 10.4.0.0/16
10.6.0.0/16 10.8.0.0/16
Hub BRs Transit BRs
MPLS INET MPLS INET

PATH-ID 1 PATH-ID 2 PATH-ID 1 PATH-ID 2
2309F

Product List
Product List
WAN AGGREGATION
Place In Network Product Description Part Number SW Version Feature Set
WAN-aggregation Aggregation Services 1002X Router ASR1002X-5G-VPNK9 IOS-XE 03.16.01a.S Advanced
Router Enterprise
Aggregation Services 1001X Router ASR1001X-5G-VPN IOS XE 03.16.01a.S Advanced
Enterprise
Cisco ISR 4451-X Security Bundle ISR4451-X-SEC/K9 IOS XE 03.16.01a.S securityk9
with SEC License
WAN REMOTE SITE

Place In Network Product Desccription Part Number SW Version Feature Set
Modular WAN Cisco ISR 4451 AX Bundle with APP ISR4451-X-AX/K9 IOS-XE 03.16.01a.S securityk9,
Remote-site Router and SEC License appxk9
Cisco ISR 4431 AX Bundle with APP ISR4431-AX/K9 IOS XE 03.16.01a.S securityk9,
and SEC License appxk9
Cisco ISR 3945 AX Bundle with APP C3945-AX/K9 15.5(3)M1 securityk9,
and SEC License datak9, uck9
Unified Communications Paper PAK for SL-39-UC-K9
Cisco 3900 Series
Unified Communications Paper PAK for SL-29-UC-K9
Cisco 2900 Series
and SEC License datak9

Product List
INTERNET EDGE
Firewall Cisco ASA 5545-X ASA5545-K9 ASA 9.1(6)
Cisco ASA 5525-X ASA5525-K9 ASA 9.1(6)
Cisco ASA 5512-X Security Plus license ASA5512-SEC-PL
Firewall Management ASDM 7.5(2)
INTERNET EDGE LAN

DMZ Switch Cisco Catalyst 2960-X Series 24 10/100/1000 PoE WS-C2960X-24PS 15.2(3)E1 LAN Base
and 2 SFP+ Uplink
Cisco Catalyst 2960-X FlexStack-Plus Hot-Swap- C2960X-STACK
pable Stacking Module
LAN ACCESS LAYER

Modular Access Cisco Catalyst 4500E Series 4507R+E 7-slot Chas- WS-C4507R+E 3.7.1E(15.2.3E1) IP Base
Layer Switch sis with 48Gbps per slot
Cisco Catalyst 4500E Supervisor Engine 8-E, Uni- WS-X45-SUP8-E 3.7.1E(15.2.3E1) IP Base
fied Access, 928Gbps
Cisco Catalyst 4500E 12-port 10GbE SFP+ Fiber WS-X4712-SFP+E
Module
Cisco Catalyst 4500E 48-Port 802.3at PoE+ WS-X4748-RJ45V+E
10/100/1000 (RJ-45)
Cisco Catalyst 4500E Series 4507R+E 7-slot Chas- WS-C4507R+E 3.7.1E(15.2.3E1) IP Base
sis with 48Gbps per slot
Cisco Catalyst 4500E Supervisor Engine 7L-E, WS-X45-SUP7L-E 3.7.1E(15.2.3E1) IP Base
520Gbps
Cisco Catalyst 4500E 48 Ethernet 10/100/1000 WS-X4748-UPOE+E
(RJ45) PoE+,UPoE ports
Cisco Catalyst 4500E 48 Ethernet 10/100/1000 WS-X4648-
(RJ45) PoE+ ports RJ45V+E

Product List

Stackable Access Cisco Catalyst 3850 Series Stackable 48 Ethernet WS-C3850-48F 3.7.1E(15.2.3E1) IP Base
Layer Switch 10/100/1000 PoE+ ports
Cisco Catalyst 3850 Series Stackable 24 Ethernet WS-C3850-24P 3.7.1E(15.2.3E1) IP Base
10/100/1000 PoE+ Ports
Cisco Catalyst 3850 Series 2 x 10GE Network C3850-NM-2-10G
Module
Module
Cisco Catalyst 3650 Series 24 Ethernet WS-C3650-24PD 3.7.1E(15.2.3E1) IP Base
10/100/1000 PoE+ and 2x10GE or 4x1GE Uplink
Cisco Catalyst 3650 Series 24 Ethernet WS-C3650-24PS 3.7.1E(15.2.3E1) IP Base
10/100/1000 PoE+ and 4x1GE Uplink
Cisco Catalyst 3650 Series Stack Module C3650-STACK
Cisco Catalyst 2960-X Series 24 10/100/1000 WS-C2960X-24PD 15.2(3)E1 LAN Base
Ethernet and 2 SFP+ Uplink
Standalone Access Cisco Catalyst 3650 Series 24 Ethernet WS-C3650-24PS 3.7.1E(15.2.3E1) IP Base
Layer Switch 10/100/1000 PoE+ and 4x1GE Uplink
LAN DISTRIBUTION LAYER

Modular Distribution Cisco Catalyst 6500 VSS Supervisor 2T with 2 VS-S2T-10G 15.2(1)SY1 IP Services
Layer Virtual Switch ports 10GbE and PFC4
Pair
Cisco Catalyst 6800 Series 6807-XL 7-Slot Modu- C6807-XL 15.2(1)SY1 IP Services
lar Chassis
Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE WS-X6904-40G-2T
Fiber Module w/DFC4
Cisco Catalyst 6500 4-port 10GbE SFP+ adapter CVR-CFP-4SFP10G
for WX-X6904-40G module
Cisco Catalyst 6500 CEF720 48 port WS-X6748-GE-TX
10/100/1000mb Ethernet
Cisco Catalyst 6500 Distributed Forwarding Card 4 WS-F6K-DFC4-A
Cisco Catalyst 6500 Series 6506-E 6-Slot Chassis WS-C6506-E 15.2(1)SY1 IP services
Cisco Catalyst 6500 VSS Supervisor 2T with 2 VS-S2T-10G 15.2(1)SY1 IP services
ports 10GbE and PFC4
Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE WS-X6904-40G-2T
Fiber Module w/DFC4
Cisco Catalyst 6500 4-port 10GbE SFP+ adapter CVR-CFP-4SFP10G
for WX-X6904-40G module
Cisco Catalyst 6500 48-port GigE Mod (SFP) WS-X6748-SFP
Cisco Catalyst 6500 24-port GigE Mod (SFP) WS-X6724-SFP

Product List
Place in Network Product Description Part Number SW Version Feature Set

Extensible Fixed Cisco Catalyst 6800 Series 6880-X Extensible C6880-X-LE 15.2(1)SY1 IP Services
Distribution Layer Fixed Aggregation Switch (Standard Tables)
Virtual Switch Pair
Cisco Catalyst 6800 Series 6880-X Multi Rate Port C6880-X-LE-
Card (Standard Tables) 16P10G
Modular Distribution Cisco Catalyst 4500E Series 4507R+E 7-slot Chas- WS-C4507R+E 3.7.1E(15.2.3E1) Enterprise
Layer Virtual Switch sis with 48Gbps per slot Services
Pair
Cisco Catalyst 4500E Supervisor Engine 7-E, WS-X45-SUP7-E 3.7.1E(15.2.3E1) Enterprise
848Gbps Services
Cisco Catalyst 4500E 12-port 10GbE SFP+ Fiber WS-X4712-SFP+E
Module
Cisco Catalyst 4500E 48-Port 802.3at PoE+ WS-X4748-RJ45V+E
10/100/1000 (RJ-45)
Fixed Distribution Cisco Catalyst 4500-X Series 32 Port 10GbE IP
Layer Virtual Switch Base Front-to-Back Cooling WS-C4500X-32SFP+
Pair 3.5.3E(15.2.1E3) Enterprise Services
Stackable Cisco Catalyst 3850 Series Stackable Switch with WS-C3850-12S 3.7.1E(15.2.3E1) IP Services
Distribution Layer 12 SFP Ethernet
Switch
Module
Module

IOS Certificate Authority

Use this optional configuration if you want to deploy an IOS Certificate Authority (IOS CA) on a router in your DMZ
with access from the internal network and the MPLS provider network. Skip this configuration if you are using
pre-shared keys or if you plan to use a different certificate authority. You can create a more complex CA environ-
ment, but the same basic reachability principles will apply for an IWAN enabled solution.
You configure an IOS CA using a single internal LAN interface, which allows access from the hub routers and the
remote sites. The remote sites access the IOS CA for authentication, as well as for obtaining their certificate after
a DMVPN tunnel has been established with pre-shared keys.
Figure 7 IWAN IOS Certificate Authority
Core Layer
WAN Distribution IOS-CA

Layer
DMVPN Hub DMVPN Hub

Router (MPLS) Router (INET) Internet Edge
DMVPN 1 DMVPN 2
INET 2306F
MPLS

How to Read Commands
This guide uses the following conventions for Commands at a CLI or script prompt:
commands that you enter at the command-line Router# enable
interface (CLI).
Long commands that line wrap are underlined.
Commands to enter at a CLI prompt: Enter them as one command:
configure terminal police rate 10000 pps burst 10000
packets conform-action
Commands that specify a value for a variable:
ntp server 10.10.48.17 Noteworthy parts of system output (or of device
configuration files) are highlighted:
Commands with variables that you must define: interface Vlan64
class-map [highest class name] ip address 10.5.204.5 255.255.255.0
IWAN-IOS-CA
version 15.5
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname IWAN-IOS-CA
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.155-3.M1.bin
boot-end-marker
!
!
enable secret 5 $1$ItSJ$9qG2zCulF1zLEqYzK2ayf1
!
aaa new-model
!
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local

aaa authorization console

aaa authorization exec default group TACACS-SERVERS local
!
!
aaa session-id common
ethernet lmi ce
clock timezone PST -8 0
clock summer-time PDT recurring
!
!
ip domain name cisco.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki server IWAN-IOS-CA
database level complete
no database archive
issuer-name CN=IWAN-IOS-CA.cisco.local L=SanJose St=CA C=US
grant auto
lifetime certificate 730
cdp-url http://10.6.24.11/cgi-bin/pkiclient.exe?operation=GetCRL
database url crl nvram:
!
crypto pki trustpoint IWAN-IOS-CA
revocation-check crl
rsakeypair IWAN-IOS-CA
!
crypto pki trustpoint TP-self-signed-4277773906
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4277773906
revocation-check none
rsakeypair TP-self-signed-4277773906
!

!
crypto pki certificate chain IWAN-IOS-CA
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31343132
32353231 31393432 5A170D31 37313232 34323131 3934325A 30373135 30330603
55040313 2C495741 4E2D494F 532D4341 2E636973 636F2E6C 6F63616C 204C3D53
616E4A6F 73652053 743D4341 20433D55 5330819F 300D0609 2A864886 F70D0101
01050003 818D0030 81890281 8100E1F3 60BA63B4 2C2971DA 10457139 3765E38C
05FBB109 8FB0929C 32A8FA30 D5320EDB 968F4FDF E29F439F 27537B49 6F0BD278
9EBB3FDF 46603234 B9CF4395 5D9F046B B9D4145A 0A1F3C7A 4A496ABB 808F0097
B8B8E49E 696F7C9F 201E9030 CED7B305 F8882A05 6725693B 3A8B0B27 D771E6C3
543A6D98 8B3BE1C7 9B42C549 95CB0203 010001A3 63306130 0F060355 1D130101
FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304
18301680 148B57F8 AD759FB8 E9696295 0930B589 1C88919C 06301D06 03551D0E
04160414 8B57F8AD 759FB8E9 69629509 30B5891C 88919C06 300D0609 2A864886
F70D0101 04050003 81810043 03F15527 55D3FFA4 C7BE393E A4E6E242 C86ED8DF
4CDC83C5 6A283ECE FA0DC9E8 9F640F4B 34FE1847 D4CEF5E2 309AC0D2 563E979B
E9574558 B0E7C56C A3A1AA85 6C1DBC4E AE99C09F F4553D0B 7DF57390 33E67C0E
18017676 68977BBD 453E9012 5B5887F2 840A6B76 F5AC61CB 1E636166 56CB8F17
3E071F09 AECB291E 918A0B
quit
crypto pki certificate chain TP-self-signed-4277773906
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323737 37373339 3036301E 170D3134 31323236 31303435
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32373737
37333930 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B01B F92B8579 A1C0A24A 2575B8BD 4A52A2EB B5771E60 97238108 A89F9A15
D7DAA2D5 6A0723D9 D8573D91 61C1CD84 20EE89B8 F018B069 11D228F0 2590968B
753CCCD3 667C39B7 B0FEFC91 6A12F9EF 336AA5AB 688A70E8 B9064FF8 235A04C0
D5EBE33B F7C7978D 469D22D9 B39F184C D913C58B CA564425 ADDF0DDA 8FBAA225
BF890203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14EF3EE6 8D94FA24 9517D696 71320BA2 793AB40D B3301D06
03551D0E 04160414 EF3EE68D 94FA2495 17D69671 320BA279 3AB40DB3 300D0609

2A864886 F70D0101 05050003 8181005A A3A3DB82 6F4104E7 46312773 408CE555

066EB080 B51680C2 1DCB578A 8583963A 85CD3FC1 F1A57442 02AF1E7E 750B4901
32527ADA 914779C3 CC0F5297 A3A865E8 AD976B5D 8526DE6A 66543C59 3EE6E7E7
03B9696D 8986FCC6 1B79846E 851E4A8F 0E4B78B7 5598679E 59DCA17F E8BE6473
A74C7280 C4EDE7F7 9C6F5890 355DB1
quit
voice-card 0
!
!
license udi pid CISCO2911/K9 sn FTX1446A181
hw-module ism 0
!
!
username admin secret 5 $1$jyBG$G1nTGa9MO/bDpTrxYQ29q/
!
redundancy
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internal
ip address 10.6.24.11 255.255.255.224
duplex auto
speed auto
!
interface ISM0/0
no ip address
shutdown
!Application: Online on SME
!
interface ISM0/1
no ip address
shutdown

!
no ip address
shutdown
duplex auto
speed auto
!
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address

!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
ip http server
ip http authentication aaa
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.6.24.1
ip tacacs source-interface GigabitEthernet0/0
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
ip scp server enable
!
!
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server ifindex persist
tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key 7 01200307490E12242455
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!

gatekeeper
shutdown
!
!
line con 0
logging synchronous
transport preferred none
line aux 0
line 2
no activation-character
no exec
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 131
no exec
transport input all
stopbits 1
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 10.4.48.17
!
end

WAN Aggregation Devices—IWAN Hybrid Design Model
WAN Aggregation Devices—IWAN Hybrid Design

Model
Performance Routing Version 3 (PfRv3) consists of two major Cisco IOS components: an MC and a BR. The MC
defines the policies and applies them to various traffic classes that traverse the BR systems. The MC can be con-
figured to learn and control traffic classes on the network.
There are two different roles a device can play at the WAN aggregation site of a PfRv3 configuration:
•• Hub Master Controller—The hub MC is the MC at the primary WAN aggregation site. This is the MC device
where all PfRv3 policies are configured. It also acts as MC for that site and makes path-optimization decision.
There is only one hub MC per IWAN domain.
•• Hub Border Router—This is a BR at the hub MC site. This is the device where WAN interfaces terminate.
There can be one or more WAN interfaces on the same device. There can be one or more hub BRs. On the
Hub BRs, PfRv3 must be configured with:
◦◦ The address of the local MC.
◦◦ The path name on external interfaces.
The first design model is the IWAN Hybrid, which uses a primary MPLS transport paired with Internet VPN as a
secondary transport. In this design, the MPLS WAN provides SLA class of service guarantees for key applica-
tions.
This version of the guide introduces the concept of a second data center acting as a transit site with a transit MC
and transit BRs.
•• Transit Master Controller—The transit MC is the MC at the transit site. There is no policy configuration on this
device. It receives policy from the hub MC. This device acts as MC for that site for making path optimization
decisions. The configuration includes the IP address of the hub MC.
•• Transit Border Router—This is a BR at the transit MC site. This is the device where WAN interfaces terminate.
There can only be one WAN interface on the device. There can be one or more transit BRs. On the transit
BRs, PfRv3 must be configured with:
◦◦ The address of the transit MC.
◦◦ The path ID on external interfaces.

This section includes configuration files corresponding to the IWAN hybrid model WAN aggregation hub and tran-
sit sites, as referenced in the figure below.
Figure 8 IWAN hybrid model—Second DC as a transit site
To view a larger version of this figure, see Appendix B.
INET1 Tunnel INET1

172.16.X.X 10.6.X.X 172.18.X.X
Internal Loopback Netblock
10.6.X.X MPLS Tunnel MPLS 10.255.X.X 10.7.X.X
192.168.6.X 10.6.X.X 192.168.6.X
Lo0
42.251
To Core IE Outside
42.33 42.34 24.1 24.30 INET1: 172.16.140.1 and 140.2
Po136 Po36
VLAN300 Netblock
Lo0
IE DMZ 0.0 - 7.255
146.1 241.11
IE-D3750X IE-ASA5545-1
192.168.146.X RS11
Single ISR G2
42.38
INET1 Access 2K
DHCP RS11-2921 RS11-A2960
98.91
IW-DMZ-
Lo0 MPLS
A2960X Lo0
32.241 6.5
242.12
MPLS: Tu11
VPN-MPLS- 36.11 Netblock
192.168.6.1 16.0 - 23.255
ASR1002X-1
.2
RS12
32
Tu11
Tu11 RS12-2911-2 Dual ISR G2
36.1
INET1 36.12 INET1
Hub Site Po33 DHCP Access 2K
Po1 Lo0 98.100
32.242 RS12-A2960
Tu10 Tu11
34.1 36.41
VPN-INET-
32.6 4451X-2 146.10 Tu11 Lo0
42.37
36.42 241.12
Lo0 Po2
.1
32
32.240 RS12-2911-1
To Core 32.5
42.41 42.42 Lo0
Po138 Po38 32.251 MPLS
6.9
MC-HY- Tu10
32.129 32.151
WAN-D3750X Po21 CSR1000v-1 34.11 Netblock
INET1 Lo0 192.0 - 199.255
Tu11 DHCP 241.41
34.12 99.44
Po1
MPLS Tu10 RS41

34.41 RS41-D3750 Single ISR G2
RS41-2921
Internal Lo0 MPLS Dist/Acc 3K/2K
10.8.X.X 32.241 6.29
Tu10
34.2 Tu10
VPN-MPLS- 34.42
ASR1002X-T1 Lo0
To IE-D3750X MPLS: 242.42
.2
RS41-A2960
32
192.168.6.41
42.38
INET1
DHCP Netblock
Transit Site Po1
Lo0
99.84 Po2 208.0 - 215.255
32.242 Tu11 RS42-4451-2
Po35 36.2
VPN-INET-
32.6
ASR1002X-T2 146.11 RS42
Po1
42.37
Lo0 RS42-D3850 Dual ISF 4K

Po2
.1
32
32.240 Dist/Acc 3K/3K

To Core 32.5 Lo0
42.41 42.42 Lo0
Po140 Po40 32.251 241.42
MPLS 1355F
6.33
MC-HY- RS42-4451-1
32.129 32.151
WAN-D3750X-T Po21 ASR1002X-T1 RS42-A3650

The following table provides the loopback and port-channel IP addresses for the WAN aggregation devices in the
IWAN hybrid design model.
Table 1 IWAN hybrid model—Hub router IP addresses
IWAN function Host name Loopback IP address Port channel IP address

Hub MC MC-HY-CSR1000V-1 10.6.32.251/32 10.6.32.151/26
Hub BR (MPLS) VPN-MPLS-ASR1002X-1 10.6.32.241/32 10.6.32.2/30
Hub BR (INET) VPN-INET-4451X-2 10.6.32.242/32 10.6.32.6/30
Transit MC MC-HY-ASR1002X-T1 10.8.32.251/32 10.8.32.151/26
Transit BR (MPLS) VPN-MPLS-ASR1002X-T1 10.8.32.241/32 10.8.32.2/30
Transit BR (INET) VPN-INET-ASR1002X-T2 10.8.32.242/32 10.8.32.6/30
MC-HY-CSR1000V-1—HUB MC
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname MC-HY-CSR1000V-1
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6

exit-address-family
!
enable secret 5 $1$Za2f$ljSl3JiQSXSuCWTQvKXqy0
!
aaa new-model
!
!
!
!
!
!
!
subscriber templating
!
!
domain iwan
vrf default
master hub
source-interface Loopback0
site-prefixes prefix-list DC1-PREFIXES
password 7 08221D5D0A16544541
load-balance
advanced
channel-unreachable-timer 4
enterprise-prefix prefix-list ENTERPRISE-PREFIXES
collector 10.4.48.36 port 9991
class VOICE sequence 10

match dscp ef policy voice

path-preference MPLS fallback INET
class INTERACTIVE_VIDEO sequence 20
match dscp cs4 policy real-time-video
match dscp af41 policy real-time-video
class LOW_LATENCY_DATA sequence 30
match dscp cs2 policy low-latency-data
match dscp af21 policy low-latency-data
class BULK_DATA sequence 40
match dscp af11 policy bulk-data
class SCAVENGER sequence 50
match dscp cs1 policy scavenger
path-preference INET fallback MPLS
class DEFAULT sequence 60
match dscp default policy best-effort
!
!
key chain LAN-KEY
key 1
key-string 7 03070A180500701E1D
!

!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303735 32363933 3135301E 170D3134 30393130 31393233
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30373532
36393331 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B7EB 0635B710 250227A2 6DAA15D6 967503F7 733422B1 9A547E55 F773B08D
F52CC1FF 70DE3CC7 C8AD2797 4DA65810 BFD28E2F AB9DCFA5 2C20E01E 2DD03B43
D9001897 DAE73F56 DD522238 E89F3724 68781509 B22A2A3E DA6B78BC 978E50A3
E243E2C2 564A4C29 2FF769A3 1197AF4F CA80C1A0 2FF54885 663993FD C897F5F0
E5590203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 145E9E44 35B3B58E E731BCF7 0000F697 D853760C 4D301D06
03551D0E 04160414 5E9E4435 B3B58EE7 31BCF700 00F697D8 53760C4D 300D0609
2A864886 F70D0101 05050003 818100B5 3C753688 71ACE0A6 76C77E24 8C63F22B
0D51ABEB A1BEFE13 B814B368 17F4CB03 38772212 9C114D45 9CE047A8 2768D0D0
58B70788 94B7635D 463518BA C4B37A22 658A16D8 2A59651C 823A40B9 71EC1907
D87C209B 4FB0D1D3 38557538 B09F70F8 69B44B99 7896EBE3 498ABC83 84EB7814
5CEECA3E 4E3D856A 64F01A80 7E5603
quit
!
!
license udi pid CSR1000V sn 968W650U8WH
!
spanning-tree extend system-id
!
username admin secret 5 $1$x7ZB$M2eGJlSRGLixfFRS8uiNP.
!
redundancy
!
!
cdp run

!
!
interface Loopback0
ip address 10.6.32.251 255.255.255.255
!
interface Port-channel21
description IW-WAN-D3750X
ip address 10.6.32.151 255.255.255.192
no negotiation auto
!
interface GigabitEthernet1
description IW-WAN-D3750X Gig1/0/15
no ip address
negotiation auto
cdp enable
channel-group 21
!
no ip address
negotiation auto
cdp enable
channel-group 21
!
no ip address
shutdown
negotiation auto
!
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface default
passive-interface

exit-af-interface
!
af-interface Port-channel21
authentication mode md5
authentication key-chain LAN-KEY
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
eigrp router-id 10.6.32.251
exit-address-family
!
!
virtual-service csr_mgmt
!
!
no ip http server
ip ftp source-interface Loopback0
ip tacacs source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh version 2
!
!
ip prefix-list DC1-PREFIXES seq 10 permit 10.4.0.0/16
!
ip prefix-list ENTERPRISE-PREFIXES seq 10 permit 10.4.0.0/14
no service-routing capabilities-manager
!


snmp-server trap-source Loopback0
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp source Loopback0
!
end
VPN-MPLS-ASR1002X-1—HUB BR (MPLS)
version 15.5
no service pad

!
hostname VPN-MPLS-ASR1002X-1
!
boot-start-marker
boot system bootflash:asr1002x-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
!
vrf definition IWAN-TRANSPORT-1
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$S7wW$LwAu9mADPzeXE.yQjFmIc1
!
aaa new-model
!
!
!
!
!


!
!
ip multicast-routing distributed
!
!
!
!
flow record Record-FNF-IWAN
description Flexible NetFlow for IWAN Monitoring
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface output
collect flow sampler
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect application name

!
!
flow exporter Export-FNF-Monitor-1
description FNFv9 NBAR2 with LiveAction
destination 10.4.48.178
source Loopback0
transport udp 2055
option interface-table
option application-table
option application-attributes
!
!
description FNFv9 NBAR2 with Prime
source Loopback0
transport udp 9991
!
!
flow monitor Monitor-FNF-IWAN
description IWAN Traffic Analysis
exporter Export-FNF-Monitor-1
cache timeout inactive 10
cache timeout active 60
record Record-FNF-IWAN
!
!
domain iwan
vrf default
border

master 10.6.32.251
password 7 06055E324F41584B56
!
key chain LAN-KEY
key 1
key-string 7 0508571C22431F5B4A
key chain WAN-KEY
key 1
key-string 7 070C705F4D06485744
!
!
!
!
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35333038 38313136 35301E17 0D313530 39303231 35353333
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 30383831
31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
F9A9E3C6 CB2D62F4 FDFA5279 7A69A7BA 073C455E 93F73DA7 FBD90851 1FEFF251
50D631B2 36321F0B AF94E8DE 8E7973CE C2C48E62 A8BF7306 97B72476 BC7F9451
A537D11C 9773D2AE DBA8007F A5B51005 1E6E6574 F758AD99 F774EA5C 56616B04
0582D28B 79131432 5B4669EC 0EDBEC11 B7207073 7B2C8286 4D69979C 0B652A91
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D2 6562D993 F6CDDD49 2DA4BE54 07E1EEB7 C9406130 1D060355
1D0E0416 0414D265 62D993F6 CDDD492D A4BE5407 E1EEB7C9 4061300D 06092A86
4886F70D 01010505 00038181 00270981 C0B90C4C 25B073E1 F36BE7E2 E51B868E
54EDE294 B18EE033 154FFFE0 4A2570C7 C6536F77 3C4F5B52 A84E9BA3 2323C20D
C84E22A1 4D9896B8 3B48DC9E F40BB460 AD38AF41 3DFB3836 1F87BFD5 C702FBA1

41A2085C 719AE3CB F37C8356 78DCE025 BE318BC7 C366543D 2B6CB131 9F829C41

CAECFB3F 58C04F2B 08E213FE 54
quit
license udi pid ASR1002-X sn JAE180107T0
license boot level adventerprise
!
!
username admin secret 5 $1$SnKm$ibEw/1V702JMAMj/C/qzs.
!
redundancy
mode none
!
crypto ikev2 proposal AES/CBC/256
encryption aes-cbc-256
integrity sha512
group 14
!
!
crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c1sco123
!
!
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
match fvrf IWAN-TRANSPORT-1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-1
!
!
cdp run
!

!
class-map match-any STREAMING-VIDEO
match dscp af31 af32 af33 cs5
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42 af43
class-map match-any CRITICAL-DATA
match dscp af11 af12 af13 cs2 af21 af22 af23
class-map match-any VOICE
match dscp ef
class-map match-any SCAVENGER
match dscp cs1
class-map match-any CALL-SIGNALING
match dscp cs3
class-map match-any NET-CTRL
match dscp cs6
!
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
class NET-CTRL
set dscp tunnel cs6
class CALL-SIGNALING
class CRITICAL-DATA
class SCAVENGER


class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
random-detect
policy-map RS-GROUP-200MBPS-POLICY
class class-default
shape average 200000000
bandwidth remaining ratio 200
service-policy WAN
policy-map RS-GROUP-4G-POLICY
class class-default
service-policy WAN
policy-map POLICY-TRANSPORT-1-SHAPE-ONLY
class class-default
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default

service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
!
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE-TRANSPORT-1
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
!
!
interface Loopback0
ip address 10.6.32.241 255.255.255.255
ip pim sparse-mode
!
description IWAN-D3750X
ip address 10.6.32.2 255.255.255.252
ip pim sparse-mode

delay 25000
no negotiation auto
!
interface Tunnel10
bandwidth 1000000
ip address 10.6.34.1 255.255.254.0
no ip redirects
ip mtu 1400
ip flow monitor Monitor-FNF-IWAN input
ip flow monitor Monitor-FNF-IWAN output
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POL-
ICY
ICY
ICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-4G service-policy output RS-GROUP-4G-POLICY
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/0/3
tunnel mode gre multipoint
tunnel key 101
tunnel vrf IWAN-TRANSPORT-1
tunnel protection ipsec profile DMVPN-PROFILE-TRANSPORT-1
domain iwan path MPLS path-id 1
!

interface GigabitEthernet0/0/0
description IWAN-D3750X Gig1/0/1
no ip address
negotiation auto
cdp enable
channel-group 1
!
no ip address
negotiation auto
cdp enable
channel-group 1
!
no ip address
shutdown
negotiation auto
!
description MPLS
bandwidth 1000000
vrf forwarding IWAN-TRANSPORT-1
ip address 192.168.6.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
no mop enabled
no lldp transmit
no lldp receive
service-policy output POLICY-TRANSPORT-1-SHAPE-ONLY
!
no ip address
shutdown

negotiation auto
!
no ip address
shutdown
negotiation auto
!
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!
exit-af-interface
!
af-interface Tunnel10
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0
authentication key-chain WAN-KEY
hello-interval 20

hold-time 60
no split-horizon
exit-af-interface
!
topology base
distribute-list route-map SET-TAG-DMVPN-1 out Port-channel1
distribute-list route-map SET-TAG-ALL out Tunnel10
distribute-list route-map BLOCK-DC2-DMVPN-1 in Tunnel10
exit-af-topology
network 10.6.0.0 0.1.255.255
nsf
exit-address-family
!
!
no ip http server
ip pim autorp listener
ip pim register-source Loopback0
ip route vrf IWAN-TRANSPORT-1 0.0.0.0 0.0.0.0 192.168.6.2
ip ssh version 2
!
ip access-list standard DMVPN-1-SPOKES
permit 10.6.34.0 0.0.1.255
!
ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
!

!
route-map BLOCK-DC2-DMVPN-1 deny 10
description Block Summary route from other border
match tag 103
!
route-map BLOCK-DC2-DMVPN-1 permit 100
description Advertise all other routes
!
route-map SET-TAG-DMVPN-1 permit 10
description Tag all incoming routes advertised through LAN interface
match ip route-source DMVPN-1-SPOKES
set tag 101
!
description Advertise all other routes with no tag
!
route-map SET-TAG-ALL permit 10
description Tag all routes advertised through the Tunnel
set tag 101
!
snmp ifmib ifindex persist
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1

line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
exec-timeout 0 0
transport input ssh
!
!
!
end
VPN-INET-4451X-2—HUB BR (INET)
version 15.5
no service pad
!
hostname VPN-INET-4451X-2
!
boot-start-marker
boot system bootflash:isr4400-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
!
!

address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
!
!
!
!
!
!
!
!
!


!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id
!
!
source Loopback0
transport udp 2055

!
!
source Loopback0
transport udp 9991
!
!
!
!
domain iwan
vrf default
border
master 10.6.32.251
password 7 070C705F4D06485744
!
!
key chain LAN-KEY
key 1
key-string 7 104D580A061843595F
key chain WAN-KEY
key 1

key-string 7 15115A1F07257A767B
!
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303737 32303334 3331301E 170D3134 31303233 30303338
30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30373732
30333433 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C3DF E4F96E61 4C9A0BAE 552C676E 9EC1CBB7 CE76E71A D958A313 1BFBB071
8782F4B0 EBF466C3 85D014E6 49702A7B 3717D1B6 7D898C5A CF4DF176 D9170508
DCDA0DEB 544C9B3E 48F08203 DD154BEB 1B73A0B3 AA4C021F 30B583EE 159AF91E
88F2E13A 79FE34AD 003EA144 C71C93D3 A04FDC7D D7F652B2 8C6CC03B D99EB3A0
50EF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14D8F661 D9D60F95 66467373 703E21E1 A4B75DCC F0301D06
03551D0E 04160414 D8F661D9 D60F9566 46737370 3E21E1A4 B75DCCF0 300D0609
2A864886 F70D0101 05050003 8181000C 6EC57985 B4CE1D7F 811FDC68 0432B7F2
E08A4C9C A4AB1A0A 4C90424B CBDC927A 8A17F2D1 47B8EA6C 0D21C117 277DCB82
04671823 1FA264B9 06ED13BC C8F1CF99 CDE7309B 61A19BD1 1861197E 359F21F0
43487CB6 55204FE6 C2FA9938 6626B865 DFE7A521 4E6AE68E AFB42341 1BD90838
B5AD83EE 3B9C7F52 60D420E9 C18510
quit
!
!
voice-card 0/4
no watchdog
!

license udi pid ISR4451-X/K9 sn FOC1831B5RU

!
!
!
redundancy
mode none
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
!
!
vlan internal allocation policy ascending
!
!


match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
class NET-CTRL
set dscp tunnel cs6
class CRITICAL-DATA
class SCAVENGER
class VOICE
priority level 1

set dscp tunnel ef

class class-default
random-detect
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
class class-default

service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.6.32.242 255.255.255.255
ip pim sparse-mode
!
ip address 10.6.32.6 255.255.255.252
ip pim sparse-mode
delay 25000
no negotiation auto
hold-queue 150 in
!
interface Tunnel11

bandwidth 500000
ip address 10.6.36.1 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp redirect
delay 20000
nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY
nhrp map group RS-GROUP-4G service-policy output RS-GROUP-4G-POLICY
tunnel key 102
domain iwan path INET path-id 2 zero-sla
!
no ip address
media-type rj45
negotiation auto
channel-group 2

!
no ip address
media-type rj45
negotiation auto
channel-group 2
!
no ip address
shutdown
media-type rj45
negotiation auto
!
description ISP 1
bandwidth 500000
ip address 192.168.146.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group ACL-INET-PUBLIC in
media-type rj45
negotiation auto
no cdp enable
no mop enabled
no lldp transmit
no lldp receive
!
interface Service-Engine0/4/0
!
no ip address

shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
!
!
!
passive-interface
exit-af-interface
!
exit-af-interface
!
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0
hello-interval 20
hold-time 60
no split-horizon
exit-af-interface
!
topology base


exit-af-topology
network 10.6.0.0 0.1.255.255
exit-address-family
!
no ip http server
ip ssh version 2
!
!
permit 10.6.36.0 0.0.1.255
!
ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1


!
!
match tag 104
!
!
set tag 102
!
!
set tag 102
!
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!


!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
exec-timeout 0 0
transport input ssh
!
!
end
MC-HY-ASR1002X-T1—TRANSIT MC
version 15.5
no service pad

!
hostname MC-HY-ASR1002X-T1
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$Za2f$ljSl3JiQSXSuCWTQvKXqy0
!
aaa new-model
!
!
!
!
!
!
!
!


!
domain iwan
vrf default
master transit 1
password 7 104D580A061843595F
hub 10.6.32.251
!
key chain LAN-KEY
key 1
key-string 7 011057175804575D72
!
!
!
!
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37343130 34353234 39301E17 0D313530 39323931 30333432
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3734 31303435
32343930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
E0B58CDC DE4EE8AE 2DECC299 EE91DF00 8F449BFF 9317C694 3A2A6D2C A4B9D733
2D9A27AB BE5FD56E 4C0C51F7 078A50C2 B6A75549 FD3F941E A624CC3A D1183EBA
95743A67 9A46C3F6 180F452E 643AC28F 4C88AF61 41738265 1FE30AD6 5546C6E7
670C1321 D7B406A6 59EF2D17 9E389985 3B4CC6A8 BEF91984 B6F0F295 5364A137
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014FE D32F1AC4 E9DB50B4 EE53C6C4 A7B01F71 D3B85730 1D060355

1D0E0416 0414FED3 2F1AC4E9 DB50B4EE 53C6C4A7 B01F71D3 B857300D 06092A86

4886F70D 01010505 00038181 00752BC8 0200F38B 1DCCFCEF D1AFCDFA F368A773
49EFF0A1 86A0834B 00E31B62 75C00A29 13425D12 6E07F380 F0899D78 C451927B
378EE5DE 1F96C5A2 E1779DC0 AA365DD5 9FD07128 0A7F7258 4B9B458B C912576C
5DA8E1A0 F4BEB837 4A8AB2ED BF519DFB DA3BE8C7 C652B768 17052EE2 0B687E18
CC85BB84 E8A45152 15F67CB5 14
quit
license udi pid ASR1002-X sn JAE192405QF
!
!
username admin secret 5 $1$x7ZB$M2eGJlSRGLixfFRS8uiNP.
!
redundancy
mode none
!
!
cdp run
!
!
interface Loopback0
ip address 10.8.32.251 255.255.255.255
!
description IWAN-D3750X-T
ip address 10.8.32.151 255.255.255.192
no negotiation auto
!
description IW-WAN-D3750X-T Gig1/0/3
no ip address
negotiation auto
cdp enable
channel-group 21
!

description IW-WAN-D3750X-T Gig2/0/3

no ip address
negotiation auto
cdp enable
channel-group 21
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
!
!

!
passive-interface
exit-af-interface
!
exit-af-interface
!
topology base
exit-af-topology
network 10.8.0.0 0.1.255.255
exit-address-family
!
!
no ip http server
ip tftp source-interface GigabitEthernet0
ip ssh version 2
!
!
!
!
ip prefix-list PRIMARY-SITE-PREFIXES seq 10 permit 10.4.0.0/16

ip prefix-list PRIMARY-SITE-PREFIXES seq 20 permit 10.8.0.0/16

!
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
!
!
end

VPN-MPLS-ASR1002X-T1—TRANSIT BR (MPLS)
version 15.5
no service pad
!
hostname VPN-MPLS-ASR1002X-T1
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!


!
!
!
!
!
!
!
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id


!
!
source Loopback0
transport udp 2055
!
!
source Loopback0
transport udp 9991
!
!


!
!
domain iwan
vrf default
border
master 10.8.32.251
password 7 03070A180500701E1D
!
key chain LAN-KEY
key 1
key-string 7 110A4816141D5A5E57
key chain WAN-KEY
key 1
key-string 7 03070A180500701E1D
!
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303634 30363033 3835301E 170D3135 30393238 31383335
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30363430
36303338 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B648 74A47BCD F23080F2 F35EDED2 77B7AFCE 612CA058 00BCA093 8E5E37DB

C9AF81C8 A2C24855 F905D687 8C136C25 0AF5B45E BBCCE51D EF4F2941 6DE15256

4BCF383F A40AD9CC 1A4E3B53 A1ABA0D7 89167BB7 015A7601 DBCEC20E 90126249
FA71A359 7DF4F552 FCD9BAE2 C7489FF7 C840C15D CB5713A4 40F5DBB4 C7E99C44
7B070203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14856C53 833E7D3D 3E0C6550 6CAD95C9 ECDCD6E9 C8301D06
03551D0E 04160414 856C5383 3E7D3D3E 0C65506C AD95C9EC DCD6E9C8 300D0609
2A864886 F70D0101 05050003 81810054 34B8E104 9AF676B1 96803FBA 02019597
FF167915 80E46130 A2ED2C0B 348864B2 CFEAE08C 4DC2AD1E 3FBCFDE4 A1268F2C
AC7DC61F 9602B192 FD447B9F 7593543B 76155A2E C6C7927B B1BF9C1F B411D60E
6CA49039 C0D37A17 AAE05A53 A2D3351E A791D2BD AC87952C ED5D9465 9558ADBF
E7E5D807 CE43FB5B 15240DE2 E9F49C
quit
license udi pid ASR1002-X sn JAE192405TD
!
!
!
redundancy
mode none
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!


!
!
cdp run
!
!
match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
class NET-CTRL
set dscp tunnel cs6


class CRITICAL-DATA
class SCAVENGER
class VOICE
priority level 1
set dscp tunnel ef
class class-default
random-detect
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
class class-default
service-policy WAN
class class-default


service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
interface Loopback0

ip address 10.8.32.241 255.255.255.255

ip pim sparse-mode
!
ip address 10.8.32.2 255.255.255.252
ip pim sparse-mode
delay 25000
no negotiation auto
!
interface Tunnel10
bandwidth 1000000
ip address 10.6.34.2 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ICY
ICY
ICY
ip nhrp redirect
delay 1000


tunnel key 101
domain iwan path MPLS path-id 1
!
description IWAN-D3750X-T Gig1/0/1
no ip address
negotiation auto
cdp enable
channel-group 1
!
no ip address
negotiation auto
cdp enable
channel-group 1
!
no ip address
shutdown
negotiation auto
!
description MPLS
bandwidth 1000000
ip address 192.168.6.41 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
no mop enabled

no lldp transmit
no lldp receive
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0

hello-interval 20
hold-time 60
no split-horizon
exit-af-interface
!
exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
network 10.8.0.0 0.1.255.255
nsf
exit-address-family
!
!
no ip http server
ip ssh version 2


!
permit 10.6.34.0 0.0.1.255
!
!
!
match tag 101
!
!
set tag 103
!
!
set tag 103
!
!

key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
exec-timeout 0 0
transport input ssh
!
!
!
end
VPN-INET-ASR1002X-T2—TRANSIT BR (INET)
version 15.5
no service pad
!

hostname VPN-INET-ASR1002X-T2
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
!
!
!

!
!
!
!
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id
!

!
source Loopback0
transport udp 2055
!
!
source Loopback0
transport udp 9991
!
!
!
!
domain iwan
vrf default
border
master 10.8.32.251

password 7 15115A1F07257A767B
!
key chain LAN-KEY
key 1
key-string 7 121A540411045D5679
key chain WAN-KEY
key 1
key-string 7 130646010803557878
!
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333235 38363532 3837301E 170D3135 30393238 31383531
35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33323538
36353238 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C945 6DF6DB69 C34800D4 9D8654C6 F604F552 272CF1B6 C0EBC15A EEB44E44
FD58BD12 5F937101 3F116239 65D68962 CBA6F35B 4AE4473D 77290DF1 78ABEDA9
C94EFA74 4EEA6FA7 AA3A3D53 8B3AE582 4D2CE271 FB5DB40B 9C8657CF 04383A63
6870C184 E17C8BA6 2B809A95 70937EB4 1FC49DAE 4846EDB2 F3AC7944 76FB55B3
11590203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A09117 86321A07 2F74B304 D273B01F DDB9C000 8C301D06
03551D0E 04160414 A0911786 321A072F 74B304D2 73B01FDD B9C0008C 300D0609
2A864886 F70D0101 05050003 818100AD 7FEF1C79 1356014F 5F91653C 148D41E7
9A9A70AD F6779874 4A0F8A6C 2F3CFD81 7476A609 BDB2E39F C809B459 FCF201B3
07AB7AF9 93568931 BD1D5350 7809C53E 913EA220 77D48049 C9EEF9DD 994FE6AA
DDC19D20 1509B1D4 B3DAE603 3C42850C C092CC78 5A8BD263 714770B9 65955110

B80E53D9 EA9D11AB 82C5A833 B184CD

quit
license udi pid ASR1002-X sn JAE192405TK
!
!
!
redundancy
mode none
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
!
!
cdp run
!
!


match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
class NET-CTRL
set dscp tunnel cs6
class CRITICAL-DATA
class SCAVENGER
class VOICE

priority level 1
set dscp tunnel ef
class class-default
random-detect
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
class class-default


service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.8.32.242 255.255.255.255
ip pim sparse-mode
!
ip address 10.8.32.6 255.255.255.252
ip pim sparse-mode
delay 25000
no negotiation auto
hold-queue 150 in

!
interface Tunnel11
bandwidth 500000
ip address 10.6.36.2 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ip nhrp redirect
delay 20000
nhrp map group RS-GROUP-4G service-policy output RS-GROUP-4G-POLICY
tunnel key 102
domain iwan path INET path-id 2 zero-sla
!
no ip address
negotiation auto

cdp enable
channel-group 2
!
no ip address
negotiation auto
cdp enable
channel-group 2
!
no ip address
shutdown
negotiation auto
!
description INET
bandwidth 500000
ip address 192.168.146.11 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
no mop enabled
no lldp transmit
no lldp receive
!
no ip address
shutdown
negotiation auto
!

no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!
exit-af-interface
!
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0
hello-interval 20
hold-time 60
no split-horizon

exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
network 10.8.0.0 0.1.255.255
exit-address-family
!
!
no ip http server
ip ssh version 2
!
permit 10.6.36.0 0.0.1.255
!
permit esp any any


!
!
match tag 102
!
!
route-map BLOCK-DMVPN-2 deny 10
description Do not advertise routes sourced from DMVPN-2
!
set tag 104
!
!
set tag 104
!
!


key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
exec-timeout 0 0
transport input ssh
!
!
!
end

WAN Remote-Site Devices—IWAN Hybrid Design Model
WAN Remote-Site Devices—IWAN Hybrid Design

Model
There are two different roles a device can play at the remote site of a PfRv3 configuration:
•• Branch Master Controller—The Branch MC is the MC at the branch-site. There is no policy configuration on
this device. It receives policy from the Hub MC. This device acts as MC for that site for making path-optimi-
zation decision. The configuration includes the IP address of the hub MC.
•• Branch Border Router—This is a BR at the branch-site. The configuration on this device enables BR func-
tionality and includes the IP address of the site local MC. The WAN interface that terminates on the device is
detected automatically.
The first design model is the IWAN Hybrid, which uses a primary MPLS transport paired with Internet VPN as a
secondary transport. In this design, the MPLS WAN provides SLA class of service guarantees for key applica-
tions.
This section includes configuration files corresponding to the IWAN hybrid design model remote site, as refer-
enced in the figure below.
Figure 9 IWAN hybrid model—WAN remote-site details
Remote Site 11 Remote Site 12
Tunnel 10 Tunnel 11 Tunnel 10 Tunnel 11

MPLS INET MPLS Internet
RS12-2911-1 RS12-2911-2
Branch Master RS11-2921 Loopback IP: Loopback IP:
Controller/ Loopback IP: 10.255.241.12/32 10.255.242.12/32
Branch Border 10.255.241.11/32
Router Branch Master Branch
Controller/ Border
Branch Border Router
Router
1244F

Table 2 Remote site router loopback IP addresses
IWAN function Host name Loopback IP address

Branch MC/BR RS11-2921 10.255.241.11/32
(MPLS/INET)
Branch MC/BR RS12-2911-1 10.255.241.12/32
(MPLS)
Branch BR (INET) RS12-2911-2 10.255.242.12/32
Branch MC/BR RS51-2921 10.255.241.51/32
(MPLS/INET)
REMOTE SITE 11—SINGLE-ROUTER, DUAL-LINK (MPLS AND INET)

The following table lists the policed-rate link speeds for the remote-site quality-of-service (QoS) traffic-shaping
policies and Performance Routing (PfR) policies.
Table 3 Remote-site policed-rate link speeds and delay
MPLS link speed/ INET link speed/

Location delay delay
Remote Site 11 30 Mbps/ 20 Mbps/
10000 us 20000 us
RS11-2921: Primary and secondary WAN links

version 15.5
no service pad
!
hostname RS11-2921
!
boot-start-marker
boot-end-marker
!
!

!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
! card type command needed for slot/vwic-slot 0/0
enable secret 5 $1$9FnO$CyD6nxnYByt3qIjhGmJN90
!
aaa new-model
!
!
!
!
!
ethernet lmi ce
!
!
ip multicast-routing
ip cef
no ipv6 cef
!
!


match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id
!
!
source Loopback0
output-features
transport udp 2055

!
!
source Loopback0
output-features
transport udp 9991
!
!
!
!
!
domain iwan
vrf default
border
master local
password 7 0508571C22431F5B4A
master branch
password 7 141443180F0B7B7977
hub 10.6.32.251
!
!

key chain WAN-KEY

key 1
key-string 7 104D580A061843595F
cts logging verbose
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393634 38373730 3535301E 170D3134 30393130 32323033
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39363438
37373035 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100ABD3 6AC5DC47 904A3F28 3C661DA6 9449D13B 12E8B94F 9C7850F9 CBE5AE7A
3735E8CC E5498771 31EFD5B8 23A3B9E0 72CD5055 10E1D202 482D15CE D93C9A97
AB454B75 B317A5FB F6DF9263 A90535D8 ADF5765B 46C350AA 0846984E B7F2F95C
9B73E8CB 23DD0C9F 5A06453D 4F633BBA 06327A93 477297E6 1F85447C E298E747
A9230203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14E1ECA0 76034EDC 42D59A21 3DE2DEF5 AEA6281E 7B301D06
03551D0E 04160414 E1ECA076 034EDC42 D59A213D E2DEF5AE A6281E7B 300D0609
2A864886 F70D0101 05050003 81810081 8B9A34C7 C2DE52FE 32510DCE 60BE946D
95B11C09 9C7EA130 8D6EA358 B2211D10 5CB8A277 5D9E0FF7 2D93F624 FF43B03F
C71FEE76 9F3E4092 D6790360 94A65D8C CA69EE68 F655F429 BE25384B 786E1F0A
2984CE9E 335C6D84 49E29CB9 DFBADB19 8F6944CE BABC2642 3C54F2C3 429BFC4A
B3988203 EE555961 42CB3211 51C109
quit
voice-card 0
!
!

license udi pid CISCO2921/K9 sn FTX1419ALZK

license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
!
hw-module sm 1
!
!
username admin secret 5 $1$WDoB$V/fffGytGtAHRiSkHwtPh.
!
redundancy
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!

dpd 40 5 on-demand
!
dpd 40 5 on-demand
!
!
match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
set dscp af41
set dscp af31
class NET-CTRL


set dscp cs6
set dscp af21
class CRITICAL-DATA
set dscp af21
class SCAVENGER
set dscp af11
class VOICE
priority level 1
set dscp ef
class class-default
random-detect
policy-map POLICY-TRANSPORT-1
class class-default
service-policy WAN
class class-default
service-policy WAN
!
!
!
mode transport
!


!
!
!
interface Loopback0
ip address 10.255.241.11 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
bandwidth 300000
ip address 10.6.34.11 255.255.254.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim sparse-mode
ip nhrp group RS-GROUP-30MBPS
ip nhrp nhs 10.6.34.1 nbma 192.168.6.1 multicast
ip nhrp registration no-unique
ip nhrp shortcut
delay 1000
no nhrp route-watch
if-state nhrp
tunnel source GigabitEthernet0/0
tunnel key 101


!
interface Tunnel11
bandwidth 200000
ip address 10.6.36.11 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp shortcut
delay 20000
no nhrp route-watch
if-state nhrp
tunnel key 102
!
no ip address
shutdown
!
bandwidth 300000

ip address 192.168.6.5 255.255.255.252

no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no mop enabled
service-policy output POLICY-TRANSPORT-1
!
bandwidth 200000
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
description RS11-A2960X Gig1/0/48
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.64
encapsulation dot1Q 64
ip address 10.7.2.1 255.255.255.0

ip helper-address 10.4.48.10
ip pim sparse-mode
!
ip address 10.7.4.1 255.255.255.0
ip pim sparse-mode
!
ip address 10.7.3.1 255.255.255.0
ip pim sparse-mode
!
ip address 10.7.5.1 255.255.255.0
ip pim sparse-mode
!
interface SM1/0
no ip address
shutdown
!Application: Restarted at Sat Jan 2 13:54:02 2016
!
interface SM1/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
!
!


!
passive-interface
exit-af-interface
!
summary-address 10.7.0.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
summary-address 10.7.0.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
topology base
distribute-list route-map DMVPN1-BR-IN in Tunnel10
distribute-list route-map BLOCK-LEARNED out Tunnel10
exit-af-topology
network 10.6.34.0 0.0.1.255
network 10.6.36.0 0.0.1.255
network 10.7.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp stub connected summary redistributed

exit-address-family
!
!
no ip http server
!
ip ssh version 2
!
permit esp any any
!
!
route-map BLOCK-LEARNED deny 10
description Block learned routes outbound
match tag 101 102 103 104
!

route-map BLOCK-LEARNED permit 20

description Advertise all other routes outbound
!
route-map DMVPN2-BR-IN permit 10
description Match tagged routes inbound
match tag 102 104
!
match tag 101 103
!
!
key 7 0235015819031B0A4957
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!

line con 0
logging synchronous
line aux 0
line 2
no exec
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no exec
transport input all
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp update-calendar
!
end

REMOTE SITE 12—DUAL-ROUTER, DUAL-LINK (MPLS AND INET)

The following table lists the policed-rate link speeds for the remote-site QoS traffic-shaping policies and PfR
policies.
MPLS link speed/ INET link speed/

10000 us 20000 us
RS12-2911-1: Primary WAN link

version 15.5
no service pad
!
hostname RS12-2911-1
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
aaa new-model
!
!


!
!
!
ethernet lmi ce
!
!
ip cef
no ipv6 cef
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id


!
!
source Loopback0
output-features
transport udp 2055
!
!
source Loopback0
output-features
transport udp 9991
!
!

!
!
!
domain iwan
vrf default
border
master local
master branch
password 7 141443180F0B7B7977
hub 10.6.32.251
!
!
key chain WAN-KEY
key 1
key-string 7 0007421507545A545C
cts logging verbose
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 34303830 34303739 3438301E 170D3134 30393131 31373434
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30383034
30373934 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9C0 2F51508F 539B78B3 48F7DF27 8BF7FC6D E75EE595 58D7DCB6 082FCEF1
EE51D23B 5BA31537 8C99DB87 5771ED30 9BA3AC27 84B362EE 9E5CBE00 65FD93F9
B3EDF47A D4084F74 367164DB 1E5E90BE FAE7EB69 7D46CB68 97DF256E 61431783
225C0395 94B49DF5 8A0DCDC2 14685367 D72F872B 4857F786 63BBFC57 1D3713D6
0DE30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14054EB4 FA30EA25 8035E19A 6AAD3B4E 7008E073 C8301D06
03551D0E 04160414 054EB4FA 30EA2580 35E19A6A AD3B4E70 08E073C8 300D0609
2A864886 F70D0101 05050003 8181008D EB9DDEF0 7C109214 E102097C 88C6095D
53C60443 D376808C 6434FBB2 5BA44651 EBFFD15D 02728854 08901A2B FC877E4C
84DBE179 34740A05 84D17544 D08C2EAA 01F74BC5 60280C63 1153D003 83C76092
2B66B54E A1C9928C E9DA752B 6448A5D0 D4FCA407 51910E94 2AE482AE 64CEC8AB
4E1DECE6 D21C9497 E75E7057 8FC630
quit
voice-card 0
!
!
license udi pid CISCO2911/K9 sn FTX1527AMSU
license accept end user agreement
license boot module c2900 technology-package uck9
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
redundancy
!

integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
dpd 40 5 on-demand
!
!
track 50 interface Tunnel10 line-protocol
delay up 20
!
!
match dscp ef
match dscp cs1
match dscp cs3


match dscp cs6
!
policy-map WAN
set dscp af41
set dscp af31
class NET-CTRL
set dscp cs6
set dscp af21
class CRITICAL-DATA
set dscp af21
class SCAVENGER
set dscp af11
class VOICE
priority level 1
set dscp ef
class class-default
random-detect
class class-default
service-policy WAN

!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.255.241.12 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10
bandwidth 20000
ip address 10.6.34.12 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp shortcut
delay 1000
if-state nhrp


tunnel key 101
!
description Link to RS12-A2960X
no ip address
!
interface Port-channel1.64
description Data
ip address 10.7.18.2 255.255.255.0
ip pim sparse-mode
standby 1 ip 10.7.18.1
standby 1 priority 110
standby 1 preempt
standby 1 authentication md5 key-string 7 110A4816141D5A5E57
standby 1 track 50 decrement 10
!
description Voice
ip address 10.7.19.2 255.255.255.0
ip pim sparse-mode
standby 1 preempt
standby 1 authentication md5 key-string 7 04585A150C2E1D1C5A
!

description Transit Net
ip address 10.7.16.9 255.255.255.252
ip pim sparse-mode
delay 25000
!
no ip address
shutdown
!
bandwidth 20000
ip address 192.168.6.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no mop enabled
!
description RS12-A2960X (gig1/0/47)
no ip address
duplex auto
speed auto
channel-group 1
!
no ip address
duplex auto

speed auto
channel-group 1
!
interface ucse1/0
no ip address
shutdown
!
interface ucse1/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
!
!
!
passive-interface
exit-af-interface
!
summary-address 10.7.16.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
af-interface Port-channel1.99

exit-af-interface
!
topology base
exit-af-topology
network 10.6.34.0 0.0.1.255
network 10.7.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
eigrp stub connected summary redistributed leak-map STUB-LEAK-ALL
exit-address-family
!
!
no ip http server
!
ip ssh version 2
!
!
!
match tag 101 102 103 104

!
!
route-map STUB-LEAK-ALL permit 100
description Leak all routes
!
match tag 101 103
!
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!

line con 0
logging synchronous
stopbits 1
line aux 0
line 2
no exec
stopbits 1
line 67
no exec
transport input all
stopbits 1
speed 9600
flowcontrol software
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp update-calendar
!
end

RS12-2911-2: Secondary WAN link

version 15.5
no service pad
!
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
aaa new-model
!
!
!
!
!

ethernet lmi ce
!
!
ip cef
no ipv6 cef
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id


!
!
source Loopback0
output-features
transport udp 2055
!
!
source Loopback0
output-features
transport udp 9991
!
!
!
!
!

domain iwan
vrf default
border
master 10.255.241.12
password 7 08221D5D0A16544541
!
!
key chain WAN-KEY
key 1
key-string 7 0007421507545A545C
cts logging verbose
!
!
!
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323630 36343031 3934301E 170D3134 30393131 31373138
35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32363036
34303139 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C901 B60515CB A0C3F88C A699CB15 F811C11E 24898B1E 46A43416 B16A56F0
173E023C 404EB7C2 65B2F847 127BB0AF F4EC4DBC 0050532E 2E316C7C 47A41366
B1166827 E6B96052 AB20008A 593441DB CCD5D333 2B5819A0 8F743249 2D07BEC0
70F3714C E302A8C8 644B32F0 AFBAFDDC 2E05FF4D 30192927 DAF05979 11CECF3E
A9BF0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17525331 322D3239 31312D32 2E636973 636F2E6C 6F63616C
301F0603 551D2304 18301680 149F61C1 A06E4625 B2AF1A5A AA7E892B D5A4930B
91301D06 03551D0E 04160414 9F61C1A0 6E4625B2 AF1A5AAA 7E892BD5 A4930B91

300D0609 2A864886 F70D0101 04050003 81810001 885A05C0 B51B9F1A 61B1E5E0

B1E91A28 71F30E47 CE6F7EBD 9A3AD813 72BD6E58 478B5DC7 38FDBF20 8A7F0821
33B9796A 07787972 6368E37A 1EB9FB1B C52CC27B 1F1AA722 92CE21B8 88C17EF2
4F383DBE 4064F72D 5827591F C0CC56A1 4E488DCF 35F1158F E36E3BB7 3251AD6A
BE041363 C34936C8 20D8BDB3 DF86E7F4 288970
quit
voice-card 0
!
!
license udi pid CISCO2911/K9 sn FTX1420AJLL
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
hw-module sm 1
!
!
!
redundancy
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!


dpd 40 5 on-demand
!
!
match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
set dscp af41
set dscp af31
class NET-CTRL
set dscp cs6

set dscp af21
class CRITICAL-DATA
set dscp af21
class SCAVENGER
set dscp af11
class VOICE
priority level 1
set dscp ef
class class-default
random-detect
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.255.242.12 255.255.255.255
ip pim sparse-mode

!
interface Tunnel11
bandwidth 10000
ip address 10.6.36.12 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp shortcut
delay 20000
if-state nhrp
tunnel key 102
!
no ip address
!
description Data
ip address 10.7.18.3 255.255.255.0


ip pim sparse-mode
standby 1 preempt
standby 1 authentication md5 key-string 7 06055E324F41584B56
!
description Voice
ip address 10.7.19.3 255.255.255.0
ip pim sparse-mode
standby 1 preempt
standby 1 authentication md5 key-string 7 121A540411045D5679
!
ip address 10.7.16.10 255.255.255.252
ip pim sparse-mode
delay 25000
!
no ip address
shutdown
!
bandwidth 10000
ip address dhcp
no ip redirects

no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
no ip address
duplex auto
speed auto
channel-group 2
!
no ip address
duplex auto
speed auto
channel-group 2
!
interface ucse1/0
no ip address
shutdown
!
interface ucse1/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
!


!
!
passive-interface
exit-af-interface
!
summary-address 10.7.16.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
exit-af-interface
!
topology base
exit-af-topology
network 10.6.36.0 0.0.1.255
network 10.7.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
exit-address-family
!
!

no ip http server
!
ip ssh version 2
!
permit esp any any
!
!
match tag 101 102 103 104
!
!

!
match tag 102 104
!
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
line 2

no exec
stopbits 1
line 67
no exec
transport input all
stopbits 1
speed 9600
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp update-calendar
!
end

REMOTE SITE 51—SINGLE-ROUTER, DUAL-LINK (MPLS AND INET WITH 4G LTE

FALLBACK)
This section includes configuration files corresponding to the IWAN hybrid design model with 4G LTE fallback, as
referenced in the figure below.
Figure 10 IWAN hybrid model—WAN remote-site details with 4G LTE
Remote Site 51
Tunnel 20
DMVPN 3
4G LTE
Tunnel 10 Tunnel 11
DMVPN 1 DMVPN 2
MPLS INET
Branch Master RS51-2921

Controller/ Loopback IP:
Router
1245F
policies.
MPLS link speed/ INET link speed/ 4G link speed/

Location delay delay delay
Remote Site 51 30 Mbps/ 10 Mbps/ 8 Mbps/
10000 us 20000 us N/A
RS51-2921: Primary, secondary and tertiary WAN links

version 15.5
no service pad
!

hostname RS51-2921
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
enable secret 5 $1$Gu5w$KepQBQqwzWMQigAJvHrS0/
!
aaa new-model
!
!
!
aaa authentication login MODULE none

!
!
ethernet lmi ce
!
!
ip cef
no ipv6 cef
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id


!
!
source Loopback0
output-features
transport udp 2055
!
!
source Loopback0
output-features
transport udp 9991
!
!
!


!
!
domain iwan
vrf default
border
master local
password 7 04585A150C2E1D1C5A
master branch
password 7 094F1F1A1A0A464058
hub 10.6.32.251
!
!
chat-script LTE "" "AT!CALL" TIMEOUT 60 "OK"
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
!
key chain WAN-KEY
key 1
cts logging verbose
!
!
!
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36383739 38343838 34301E17 0D313430 35323831 36313333
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3638 37393834

38383430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
ACE7E5DB 5CB57FA8 52687F84 35006BE7 E33E9778 EAFC4888 250E1650 5968EB2D
38637C7A F7ED84AC F9A0C58C FD5B5BA3 7B57E16E A27FEC64 190412BA F921040B
CA6F9BE4 F9FD064E 87D136C8 698E12B9 408D5A60 5E90DD32 0139A747 0DD11922
F4B1C67C A35AE385 642F9AFE 9F25C765 82DE4A88 824866A9 B36D37E9 7FA6B0D7
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014B0 442941F8 19EA98DA B0EE69BF F5EF16C8 75036330 1D060355
1D0E0416 0414B044 2941F819 EA98DAB0 EE69BFF5 EF16C875 0363300D 06092A86
4886F70D 01010505 00038181 00A0E0C4 AAA79D0F 7A576751 16A2DA4F C2CB56EF
BCB7E03E 60BEBA07 529DBE84 2854D39B A960A3EF 64F5EA06 31503B0B 6B347F80
0419E06E B4E72197 02D701CD 12EEB28A 54F97DF8 AD665D6F 0F4A3836 CC3BE0D4
A8E82A49 A442377C AC879304 830873E9 01E76026 FCABD6D3 3BA0F5BC C915E868
ADC1CC57 39C55804 0E057D94 5F
quit
voice-card 0
!
!
voice service voip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
!
!
license udi pid CISCO2921/K9 sn FTX1451AJLZ
hw-module pvdm 0/0
!
hw-module sm 1
!
!
username admin password 7 130646010803557878
!
redundancy
!

integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
dpd 40 5 on-demand
!

dpd 40 5 on-demand
!
dpd 40 5 on-demand
!
!
controller Cellular 0/1
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
!
track 20 list boolean or
object 10
object 11
delay up 20
!
!
match dscp ef

match dscp cs1

match dscp cs3
match dscp cs6
!
policy-map WAN
set dscp af41
set dscp af31
class NET-CTRL
set dscp cs6
set dscp af21
class CRITICAL-DATA
set dscp af21
class SCAVENGER
set dscp af11
class VOICE
priority level 1
set dscp ef
class class-default
random-detect
policy-map WAN-INTERFACE-Cellular

class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
!
!
interface Loopback0
ip address 10.255.241.51 255.255.255.255
ip pim sparse-mode
!
interface Tunnel10

bandwidth 30000
ip address 10.6.34.51 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp shortcut
delay 1000
no nhrp route-watch
if-state nhrp
tunnel key 101
!
interface Tunnel11
bandwidth 10000
ip address 10.6.36.51 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode


ip nhrp shortcut
delay 20000
no nhrp route-watch
if-state nhrp
tunnel key 102
!
interface Tunnel20
bandwidth 8000
ip address 10.6.38.51 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp group RS-GROUP-4G-POLICY
ip nhrp shortcut
if-state nhrp
tunnel source Cellular0/1/0


tunnel key 201
!
no ip address
shutdown
!
bandwidth 30000
ip address 192.168.6.37 255.255.255.252
duplex auto
speed auto
!
bandwidth 10000
ip address dhcp
duplex auto
speed auto
!
description RS51-A3650 (Gig 1/0/24)
no ip address
duplex auto
speed auto
!
description Data
ip address 10.7.250.1 255.255.255.0

ip pim sparse-mode
!
description Voice
ip address 10.7.251.1 255.255.255.0
ip pim sparse-mode
!
interface SM1/0
no ip address
shutdown
!Application: Restarted at Mon Nov 2 11:54:20 2015
!
interface SM1/1
no ip address
shutdown
!
interface Cellular0/1/0
bandwidth 8000
ip address negotiated
ip access-group ACL-INET-PUBLIC-4G in
no ip unreachables
ip virtual-reassembly in
encapsulation slip
shutdown
dialer in-band
dialer idle-timeout 0
dialer string LTE
dialer watch-group 1
no peer default ip address
async mode interactive
service-policy output WAN-INTERFACE-Cellular
!

interface Cellular0/1/1
no ip address
encapsulation slip
!
interface Vlan1
no ip address
!
!
!
!
passive-interface
exit-af-interface
!
summary-address 10.7.248.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
summary-address 10.7.248.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
summary-address 10.7.248.0 255.255.248.0


hello-interval 20
hold-time 60
exit-af-interface
!
topology base
exit-af-topology
network 10.6.34.0 0.0.1.255
network 10.6.36.0 0.0.1.255
network 10.6.38.0 0.0.1.255
network 10.7.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
exit-address-family
!
!
no ip http server
!
ip route vrf IWAN-TRANSPORT-3 0.0.0.0 0.0.0.0 Cellular0/1/0
ip ssh version 2

!
permit esp any any
ip access-list extended ACL-INET-PUBLIC-4G
permit esp any any
!
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
match tag 101 102 103 104
!
!
match tag 102 104

!
match tag 101 103
!
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
key 7 122A0014000E182F2F32
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
line aux 0
line 2

no exec
stopbits 1
line 0/1/0
script dialer LTE
no exec
line 0/1/1
no exec
line 67
no exec
transport input all
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
exec-timeout 0 0
transport input ssh
!
ntp update-calendar
event manager applet ACTIVATE-LTE
event track 20 state down
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface cellular0/1/0"
action 4 cli command "no shutdown"
action 5 cli command "end"

action 99 syslog msg "Both tunnels down - Activating 4G interface"

event manager applet DEACTIVATE-LTE
event track 20 state up
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface cellular0/1/0"
action 4 cli command "shutdown"
action 5 cli command "end"
action 99 syslog msg "Connectivity Restored - Deactivating 4G interface"
!
end

WAN Aggregation Devices—IWAN Dual Internet Design Model
WAN Aggregation Devices—IWAN Dual Internet

Design Model
There are two different roles a device can play at the WAN aggregation site of a PfRv3 configuration:
•• Hub Master Controller—The hub MC is the MC at the primary WAN aggregation site. This is the MC device
where all PfRv3 policies are configured. It also acts as MC for that site and makes path-optimization decision.
There is only one hub MC per IWAN domain.
•• Hub Border Router—This is a BR at the hub MC site. This is the device where WAN interfaces terminate.
There can be one or more WAN interfaces on the same device. There can be one or more hub BRs. On the
Hub BRs, PfRv3 must be configured with:
◦◦ The address of the local MC.
The second design model is the IWAN dual Internet, which uses a pair of Internet service providers to further
reduce cost while leveraging PfR in order to mitigate network performance problems on a single Internet provider.
This version of the guide introduces hub MC HA and hub BR scaling.

This section includes configuration files corresponding to the IWAN dual Internet design model WAN aggregation
site, as referenced in the figure below.
Figure 11 IWAN dual Internet model—Hub MC HA, hub BR scaling and IOS CA
To view a larger version of this figure, see Appendix C.
INET1 Tunnel INET1

172.16.X.X 10.6.X.X 172.18.X.X
10.6.X.X INET2 Tunnel INET2 10.255.X.X 10.7.X.X
172.17.X.X 10.6.X.X 172.19.X.X
Lo0
42.251
IE Outside
To Core INET1: 172.16.140.11 and 140.12
42.33 42.34 24.1 24.30
Po136 Po36 INET2: 172.17.140.11 and 140.12 Netblock
VLAN300 Lo0
32.0 - 39.255
243.13
146.1 IE DMZ RS13
192.168.146.X Single ISR G2
42.38
INET1 Access 2K
DHCP
RS13-2911 RS13-A2960
98.110
Hub Site INET2
DHCP
IW-DMZ- 98.109
D3750X Lo0
243.14
Tu20
38.13 Netblock
IWAN-IOS-CA 48.0 - 55.255
RS14
1
.1
Tu20
24
Lo0 RS14-2921-1 Dual ISR G2

INET1 38.14 INET1
Po33 32.252 DHCP Access 2K
98.116 RS14-A2960
MC-DI- Tu20
ASR1004-1 38.43
.1 52
32 Lo0
Tu20 244.14
42.37
INET2
Lo0 Po22 Lo0 38.44
.1
9 DHCP
24
32.240 .12 32.252/31 98.115 RS14-2921-2

To Core 32
42.41 42.42
Po138 Po38 32.129 32.153
Po23 MC-DI-
ASR1004-2
Tu21
WAN-D3750X 32.1 Tu20 40.13 Netblock
7 Lo0 224.0 - 231.255
Lo0 38.1 INET1
Tu21
32
243.43
32
32
Po3 32.243 DHCP

.2
40.14
.29
.25
32 99.92
.18 Po1
VPN-INET-
INET2 Tu21 RS43
ASR1002X-3 146.20 RS43-D3750
40.43 RS43-4451 Single ISR 4K
Po4
Lo0 INET2 Dist/Acc 3K/2K
32.244 DHCP
Tu21 99.91
40.1 Tu21
32
.2
40.44 Lo0
2
Po5
VPN-INET- 243.44 RS43-A2960
ASR1002X-4 146.21
Po6 Lo0 INET1 Netblock

32.245 DHCP Po2 240.0 - 247.255
Tu20 99.76 RS44-3945-1
32
38.2
6.2
VPN-INET-
ASR1002X-5 146.22 RS44
Po1 RS44-D3750 Dual ISF G2
Lo0 Dist/Acc 3K/2K
32.246
Tu21 Lo0
32
40.2 INET2 244.44

.30
1356F
DHCP
VPN-INET- RS44-3945-2
99.99
ASR1002X-6 146.23 RS44-A2960

The following table provides the loopback addresses for the WAN aggregation devices in the IWAN dual Internet
model.
Table 6 IWAN dual Internet model—Hub router IP addresses
IWAN function Host name Loopback IP address Port channel IP address

Hub MC MC-DI-ASR1004-1 10.6.32.252/32 10.6.32.152/26
Hub MC HA MC-DI-ASR1004-2 10.6.32.252/31 10.6.32.153/26
Hub BR (INET1) VPN-INET-ASR1002X-3 10.6.32.243/32 10.6.32.18/30
Hub BR (INET2) VPN-INET-ASR1002X-4 10.6.32.244/32 10.6.32.22/30
Hub BR2 (INET1) VPN-INET-ASR1002X-5 10.6.32.245/32 10.6.32.26/30
Hub BR2 (INET2) VPN-INET-ASR1002X-6 10.6.32.246/32 10.6.32.30/30
MC-DI-ASR1004-1—HUB MC
version 15.5
no platform punt-keepalive settings
!
hostname MC-DI-ASR1004-1
!
boot-start-marker
boot system bootflash:asr1000rp1-adventerprisek9.03.16.01a.S.155-3.S1a-ext.bin
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$mKNt$VPr4J4yoEfM6cpOb/E0Sn.

!
aaa new-model
!
!
!
!
!
!
!
!
!
domain iwan2
vrf default
master hub
load-balance
advanced


!
key chain LAN-KEY
key 1
key-string 7 104D580A061843595F
!
!
!
!


3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353435 39353334 3836301E 170D3134 30393130 32333436
34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35343539
35333438 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C544 D06AC840 96B87760 03EB0F74 9616C6FC 2597CF6B CEEAE075 721E0F21
42AB1A54 99637886 950897C7 CBBF8773 8E710E0B D98E29CA 4AF3A001 974EFF50
A22979EA 37D50584 2C500ED9 73D33544 F1CDA5AD 96A37E2F 77E8F3C2 7ADC94E4
1E8E578A 0B79016B 60780527 9ADE639E 451E16DC 92A29D95 6CB4AC5F 54780825
ED790203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 141BD911 DC902997 48E81CD3 AF7728BC 209FB148 7F301D06
03551D0E 04160414 1BD911DC 90299748 E81CD3AF 7728BC20 9FB1487F 300D0609
2A864886 F70D0101 05050003 8181005A 5A6F1DF2 69A9B79B 870BF96B D68F85EF
C435A421 3D566FD5 AD461B6B 6BE6F5FD FB6E5082 1AAA8BD8 ACB336B5 2E37861B
55EB98CC AC124A55 67099A09 D15DB859 B8148517 F0BF8A50 0A89C06B 9145BD41
B4CE2630 00A5A19B FEC265C7 3A14B42A 3A2DF993 73C93B06 A256D22B 00224321
5A432445 4576247E 57F3C8D4 E599F9
quit
!
!
username admin secret 5 $1$GO9Y$mz7wOY3FEYhj0zVqi.lrE/
!
redundancy
!
!
cdp run
!
!
interface Loopback0
ip address 10.6.32.252 255.255.255.255
!

ip address 10.6.32.152 255.255.255.192
no negotiation auto
!
no ip address
media-type rj45
negotiation auto
cdp enable
channel-group 22
!
no ip address
media-type rj45
negotiation auto
cdp enable
channel-group 22
!
no ip address
shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!


exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
exit-address-family
!
!
no ip http server
ip tacacs source-interface Port-channel22
ip ssh source-interface Port-channel22
ip ssh version 2
!
!
!
!
snmp-server trap-source Port-channel22
!
key 7 15210E0F162F3F0F2D2A
!

!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp source Port-channel22
!
end
MC-DI-ASR1004-2—HUB MC HA
version 15.5
no platform punt-keepalive settings
!
hostname MC-DI-ASR1004-2
!
boot-start-marker
boot system bootflash:asr1000rp1-adventerprisek9.03.16.01a.S.155-3.S1a-ext.bin
boot-end-marker
!

!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$mKNt$VPr4J4yoEfM6cpOb/E0Sn.
!
aaa new-model
!
!
!
!
!
!
!
!
!
domain iwan2
vrf default
master hub

load-balance
advanced
!
key chain LAN-KEY
key 1

key-string 7 104D580A061843595F
!
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353435 39353334 3836301E 170D3134 30393130 32333436
34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35343539
35333438 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C544 D06AC840 96B87760 03EB0F74 9616C6FC 2597CF6B CEEAE075 721E0F21
42AB1A54 99637886 950897C7 CBBF8773 8E710E0B D98E29CA 4AF3A001 974EFF50
A22979EA 37D50584 2C500ED9 73D33544 F1CDA5AD 96A37E2F 77E8F3C2 7ADC94E4
1E8E578A 0B79016B 60780527 9ADE639E 451E16DC 92A29D95 6CB4AC5F 54780825
ED790203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 141BD911 DC902997 48E81CD3 AF7728BC 209FB148 7F301D06
03551D0E 04160414 1BD911DC 90299748 E81CD3AF 7728BC20 9FB1487F 300D0609
2A864886 F70D0101 05050003 8181005A 5A6F1DF2 69A9B79B 870BF96B D68F85EF
C435A421 3D566FD5 AD461B6B 6BE6F5FD FB6E5082 1AAA8BD8 ACB336B5 2E37861B
55EB98CC AC124A55 67099A09 D15DB859 B8148517 F0BF8A50 0A89C06B 9145BD41
B4CE2630 00A5A19B FEC265C7 3A14B42A 3A2DF993 73C93B06 A256D22B 00224321
5A432445 4576247E 57F3C8D4 E599F9
quit
!
!
username admin secret 5 $1$GO9Y$mz7wOY3FEYhj0zVqi.lrE/
!

redundancy
!
!
cdp run
!
!
interface Loopback0
ip address 10.6.32.252 255.255.255.254
!
ip address 10.6.32.153 255.255.255.192
no negotiation auto
!
no ip address
media-type rj45
negotiation auto
cdp enable
channel-group 23
!
no ip address
media-type rj45
negotiation auto
cdp enable
channel-group 23
!
no ip address
shutdown
negotiation auto
!

!
!
!
passive-interface
exit-af-interface
!
exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
exit-address-family
!
!
no ip http server
ip tacacs source-interface Port-channel23
ip ssh source-interface Port-channel23
ip ssh version 2
!
!
!

!
snmp-server trap-source Port-channel23
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp source Port-channel23
!
end

VPN-INET-ASR1002X-3—HUB BR (INET1)
version 15.5
no service pad
!
hostname VPN-INET-ASR1002X-3
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!


!
!
!
!
!
!
!
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id


!
!
source Loopback0
transport udp 2055
!
!
source Loopback0
transport udp 9991
!
!


!
!
domain iwan2
vrf default
border
master 10.6.32.252
password 7 104D580A061843595F
!
key chain LAN-KEY
key 1
key-string 7 0205554808095E731F
key chain WAN-KEY
key 1
key-string 7 03070A180500701E1D
!
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32343836 38353639 3633301E 170D3135 30373230 32313435
34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34383638
35363936 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D07D 65A84C38 79A3CFF9 4D81E818 B6FEACD8 C2735BCE FF4D2274 DA6615F9

3B654BC3 83606DA5 251100F5 83EDFD9E A1D8F950 81DB94A1 93190A52 623E6A5A

11CFEE9E 32F2ABF0 DA292603 A7F1F96D F79FB1E6 7627ACD4 F7A30735 350ADBA9
3C32A737 CBE8DC43 4176A826 D036C1F9 3B4A2C55 51BF52AA 5D0951D9 E71EF4DF
0BEB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14B41AC0 A2065CC3 E9B9A3C6 48F2A4FE A50E7E81 33301D06
03551D0E 04160414 B41AC0A2 065CC3E9 B9A3C648 F2A4FEA5 0E7E8133 300D0609
2A864886 F70D0101 05050003 81810018 62CFF3E1 DF8156FE 0120486C CE467CD4
D7522E14 24461492 C068AA20 B331F514 648F8120 9A86995D 38A724B3 07603E94
0559D176 27618E7B 74573DAE F457A7E6 4687C699 B7B26F85 B27C3971 A43ADD40
F976C1A0 60C53837 6D7823B3 CBCA3311 DA4CF278 B277F471 34364756 06580924
708811C9 A88A2B30 A1C5FD85 4A260F
quit
license udi pid ASR1002-X sn JAE183501DR
!
!
!
redundancy
mode none
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
!


!
!
cdp run
!
!
match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
class NET-CTRL

set dscp tunnel cs6

class CRITICAL-DATA
class SCAVENGER
class VOICE
priority level 1
set dscp tunnel ef
class class-default
random-detect
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default


service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
!
!
!
mode transport
!
!

!
interface Loopback0
ip address 10.6.32.243 255.255.255.255
ip pim sparse-mode
!
ip address 10.6.32.18 255.255.255.252
ip pim sparse-mode
delay 25000
no negotiation auto
!
interface Tunnel20
bandwidth 1000000
ip address 10.6.38.1 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ICY
ICY
ICY

ip nhrp redirect
delay 1000
tunnel key 201
domain iwan2 path INET1 path-id 1
!
no ip address
negotiation auto
cdp enable
channel-group 3
!
no ip address
negotiation auto
cdp enable
channel-group 3
!
no ip address
shutdown
negotiation auto
!
description INET1
bandwidth 1000000
ip address 192.168.146.20 255.255.255.0
no ip redirects
no ip unreachables

no ip proxy-arp
negotiation auto
no mop enabled
no lldp transmit
no lldp receive
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!

exit-af-interface
!
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0
hello-interval 20
hold-time 60
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
nsf
exit-address-family
!
!
no ip http server
ip http secure-trustpoint device_self_signed
ip http client secure-trustpoint device_self_signed


ip ssh version 2
!
permit 10.6.38.0 0.0.1.255
!
permit esp any any
!
!
description Tag routes sourced from DMVPN-3
set tag 201
!
!
description Set tag on all routes
set tag 201
!


!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0
exec-timeout 0 0
transport input ssh
line vty 1 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
!
!
end

VPN-INET-ASR1002X-4—HUB BR (INET2)
version 15.5
no service pad
!
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!


!
!
!
!
!
!
!
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id


!
!
source Loopback0
transport udp 2055
!
!
source Loopback0
transport udp 9991
!
!


!
!
domain iwan2
vrf default
border
master 10.6.32.252
password 7 04585A150C2E1D1C5A
!
key chain LAN-KEY
key 1
key-string 7 0205554808095E731F
key chain WAN-KEY
key 1
key-string 7 03070A180500701E1D
!
!
crypto pki trustpoint device_self_signed
serial-number
ip-address 10.6.32.244
subject-alt-name VPN-INET-ASR1002X-4.cisco.local
revocation-check crl
!
crypto pki trustpoint IWAN-CA
enrollment url http://10.6.24.11:80
serial-number none
fqdn VPN-INET-ASR1002X-4.cisco.local
fingerprint 75BEF6259A9876CF6F341FE586D4A5D8
rsakeypair IWAN-CA-KEYS 2048 2048
!

!
crypto pki certificate chain device_self_signed
308202B1 3082021A A0030201 02020101 300D0609 2A864886 F70D0101 05050030
5E315C30 12060355 0405130B 464F5831 38323647 43314430 1806092A 864886F7
0D010908 130B3130 2E362E33 322E3234 34302C06 092A8648 86F70D01 0902161F
56504E2D 494E4554 2D415352 31303032 582D342E 63697363 6F2E6C6F 63616C30
1E170D31 35303331 31313935 3935365A 170D3230 30313031 30303030 30305A30
5E315C30 12060355 0405130B 464F5831 38323647 43314430 1806092A 864886F7
0D010908 130B3130 2E362E33 322E3234 34302C06 092A8648 86F70D01 0902161F
56504E2D 494E4554 2D415352 31303032 582D342E 63697363 6F2E6C6F 63616C30
819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 9B61BBB8
779FFE5A 0FFB1BAA E9692579 14722227 697FB58E 7470B7F9 11183529 DD82AFBF
D7E3DFC6 6C32FDA8 CB3C1B55 0FDF2B4C 72A89876 E1624961 A4B5678C 4A228FBD
190A1E43 529264F7 57986B02 8C4AAF1C 8F236A3A 8C42DD70 7E21941B 00D9ABDC
2FDEF8E0 B2E0A87F 04CBF836 6EBC87F6 01B0FC1C 8EE8579B 43AB527B 02030100
01A37F30 7D300F06 03551D13 0101FF04 05300301 01FF302A 0603551D 11042330
21821F56 504E2D49 4E45542D 41535231 30303258 2D342E63 6973636F 2E6C6F63
616C301F 0603551D 23041830 16801413 DFD16E7A 440DF4B5 45813CF3 F0ECE8C4
8DEDFD30 1D060355 1D0E0416 041413DF D16E7A44 0DF4B545 813CF3F0 ECE8C48D
EDFD300D 06092A86 4886F70D 01010505 00038181 002D0584 E33EBE30 F7AD43DC
4AC82FAD B3A3E39A 63218FD6 546E93C5 CA49FEA7 B4C7C374 8B28CD52 CDF2AE18
1FAFF6F5 D8B65C28 3BFAD6A2 D620A9D5 3C054701 AD056BA1 B1BA13AB 09F55E2D
3C6FD35B 335CA4E5 12A467E9 F1FB0DC1 71F43605 4D1DCDC2 87032907 22E23A66
09666EE8 CB9FC4C0 3E3D2AE0 7EEC084D 7A1FE8A4 1C
quit
crypto pki certificate chain IWAN-CA
certificate 51
30820317 30820280 A0030201 02020151 300D0609 2A864886 F70D0101 05050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31353130
30323230 33313130 5A170D31 37313030 31323033 3131305A 304A3148 30180609
2A864886 F70D0109 08130B31 302E362E 33322E32 3434302C 06092A86 4886F70D
01090216 1F56504E 2D494E45 542D4153 52313030 32582D34 2E636973 636F2E6C
6F63616C 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A
02820101 00BFF39A 57F4C6F8 45D4E332 5ADCDDAD DC6191C1 8E4096EE 1837DA7E

E2A9FF30 2962DCD5 C001A051 CF501A56 4CD00004 A184A972 CE6987B1 69A59967

4070EE97 7F743894 A86308AC 77B714A8 68FB492E 4DFF22CC 38B14670 71768814
4CB5C63A 82A3DD93 AE9113A5 BEFCEB03 E157C355 02ECC4BA 6453D1E6 3783A3C1
695E4686 E5CFA3DE D74620E4 2AF8D3A4 81623071 FA20594D A7A72F72 6122362C
D3F8DB7F BC513E12 1C109090 16A9EDE0 944D3E13 00AC20DF D5909861 A02C2F5D
B8D76162 B6464C3A A9B3D95E 0EC7CF0E 3E8FFBD0 9B77B6F7 05F87E80 F8A439AF
57EB5E2C 439E1A5F 3677D4C5 2AD46B29 D53F3382 2DB49254 7C741700 B6DC50FF
B080FA23 3F020301 0001A381 9B308198 30490603 551D1F04 42304030 3EA03CA0
3A863868 7474703A 2F2F3130 2E362E32 342E3131 2F636769 2D62696E 2F706B69
636C6965 6E742E65 78653F6F 70657261 74696F6E 3D476574 43524C30 0B060355
1D0F0404 030205A0 301F0603 551D2304 18301680 148B57F8 AD759FB8 E9696295
0930B589 1C88919C 06301D06 03551D0E 04160414 334C5570 4CCF6766 40FA5878
32C84804 2ABA3C79 300D0609 2A864886 F70D0101 05050003 818100AD 3FABBEF8
BF975871 61105C92 E81E1451 3889F0D4 B672A883 38564277 AD936B13 F02B38DA
7B88DED8 F8358F94 44144763 C7FCF581 7618D69A 473228F2 E5EA33B7 5E9CE850
721E38DC 6F4F3EC7 EFF67104 CC2EC9DA 0B3E05CD ED8125D0 4C34B23A 5F59F8AC
DA19EF7A 01FCB952 CB4036A8 A6DCA945 8318B66F D2ED4E7D A68018
quit
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31343132
32353231 31393432 5A170D31 37313232 34323131 3934325A 30373135 30330603
55040313 2C495741 4E2D494F 532D4341 2E636973 636F2E6C 6F63616C 204C3D53
616E4A6F 73652053 743D4341 20433D55 5330819F 300D0609 2A864886 F70D0101
01050003 818D0030 81890281 8100E1F3 60BA63B4 2C2971DA 10457139 3765E38C
543A6D98 8B3BE1C7 9B42C549 95CB0203 010001A3 63306130 0F060355 1D130101
FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304
18301680 148B57F8 AD759FB8 E9696295 0930B589 1C88919C 06301D06 03551D0E
04160414 8B57F8AD 759FB8E9 69629509 30B5891C 88919C06 300D0609 2A864886


3E071F09 AECB291E 918A0B
quit
license udi pid ASR1002-X sn JAE18340330
!
!
!
redundancy
mode none
!
integrity sha512
group 14
!
!
identity local address 10.6.32.244
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint IWAN-CA
!
!
cdp run
!
!


match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
class NET-CTRL
set dscp tunnel cs6
class CRITICAL-DATA
class SCAVENGER
class VOICE
priority level 1
set dscp tunnel ef

class class-default
random-detect
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default


service-policy WAN
class class-default
service-policy WAN
class class-default
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.6.32.244 255.255.255.255
ip pim sparse-mode
!
ip address 10.6.32.22 255.255.255.252
ip pim sparse-mode
delay 25000
no negotiation auto
!
interface Tunnel21
bandwidth 500000
ip address 10.6.40.1 255.255.254.0

no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ICY
ICY
ICY
ip nhrp redirect
delay 20000
tunnel key 202
!
description IW-WAN-D3750X (gig1/0/4)
no ip address
negotiation auto
cdp enable

channel-group 4
!
description IW-WAN-D3750X (gig2/0/4)
no ip address
negotiation auto
cdp enable
channel-group 4
!
no ip address
shutdown
negotiation auto
!
description VPN-DMZ
bandwidth 500000
ip address 192.168.146.21 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
no mop enabled
no lldp transmit
no lldp receive
!
no ip address
shutdown
negotiation auto
!
no ip address

shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!
exit-af-interface
!
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0
hello-interval 20
hold-time 60
no split-horizon
exit-af-interface

!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
nsf
exit-address-family
!
!
no ip http server
ip ssh version 2
!
permit 10.6.40.0 0.0.1.255
!
permit esp any any


!
!
set tag 202
!
!
set tag 202
!
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1

line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
!
!
end
VPN-INET-ASR1002X-5—HUB BR2 (INET1)

version 15.5
no service pad
!
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4

exit-address-family
!
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
!
!
!
!
!
!
!
!
!


match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id
!
!
source Loopback0
transport udp 2055
!

!
source Loopback0
transport udp 9991
!
!
!
!
domain iwan2
vrf default
border
master 10.6.32.252
password 7 104D580A061843595F
!
key chain LAN-KEY
key 1
key-string 7 0205554808095E731F
key chain WAN-KEY
key 1
key-string 7 141443180F0B7B7977
!
!


!
!
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37373238 31343433 30301E17 0D313530 39323831 33303334
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3737 32383134
34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
866701BC ACB6C3EF 3BBFF974 475A7336 49B82A18 040AE331 377777C7 29230495
86041913 A7903715 FADD2888 A2490E86 58DCE29B E4537264 2959EBBC 4AED467E
2F3B3405 16ED81FB 31950D15 A5C2774E 05883233 F10D7C24 941F3B30 32182514
F3B3B7EF D1B46D5E B025390E 9BC64447 152FB0F5 29B0AA81 09D7DECD B68D330B
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801446 B8C0627A 4E872792 8F47BD00 2BF42709 6A731230 1D060355
1D0E0416 041446B8 C0627A4E 8727928F 47BD002B F427096A 7312300D 06092A86
4886F70D 01010505 00038181 00647B5E 86F1EE06 23AA6907 B203095A C23F2FD4
FC83F862 D6C23B09 B6F13F39 250D20F8 73AA8C8F 3854C177 1ED8B8B9 719AF4ED
7317C216 279338D2 EEEFF298 48706F24 EB71B8E2 864F618D 96EB4792 15E39F00
AE15A3AC 49240E7D 744100EA C7906A83 F824B7E6 E04C2211 3FEBEC8B F84BD049
2F40A9B0 30F13806 5B7F2C99 2D
quit
license udi pid ASR1002-X sn JAE192405SF
!
!
!
redundancy

mode none
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
!
!
cdp run
!
!
match dscp ef
match dscp cs1

match dscp cs3

match dscp cs6
!
policy-map WAN
class NET-CTRL
set dscp tunnel cs6
class CRITICAL-DATA
class SCAVENGER
class VOICE
priority level 1
set dscp tunnel ef
class class-default
random-detect
class class-default


service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default

service-policy WAN
class class-default
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.6.32.245 255.255.255.255
ip pim sparse-mode
!
ip address 10.6.32.26 255.255.255.252
ip pim sparse-mode
delay 25000
no negotiation auto
!
interface Tunnel20
bandwidth 1000000
ip address 10.6.38.2 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode


ICY
ICY
ICY
ip nhrp redirect
delay 1000
tunnel key 201
!
no ip address
negotiation auto
cdp enable
channel-group 5
!
no ip address
negotiation auto

cdp enable
channel-group 5
!
no ip address
shutdown
negotiation auto
!
description INET1
bandwidth 1000000
ip address 192.168.146.22 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
no mop enabled
no lldp transmit
no lldp receive
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
no ip address

shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!
exit-af-interface
!
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0
hello-interval 20
hold-time 60
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255


nsf
exit-address-family
!
!
no ip http server
ip ssh version 2
!
permit 10.6.38.0 0.0.1.255
!
permit esp any any
!

!
set tag 201
!
!
set tag 201
!
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh

line vty 5 15
transport input ssh
!
!
!
end
VPN-INET-ASR1002X-6—HUB BR2 (INET2)

version 15.5
no service pad
!
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family

!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
!
!
!
!
!
!
!
!
!
match ipv4 tos
match ipv4 protocol


collect ipv4 dscp
collect ipv4 id
!
!
source Loopback0
transport udp 2055
!
!
source Loopback0
transport udp 9991

!
!
!
!
domain iwan2
vrf default
border
master 10.6.32.252
password 7 104D580A061843595F
!
key chain LAN-KEY
key 1
key-string 7 130646010803557878
key chain WAN-KEY
key 1
key-string 7 104D580A061843595F
!
!
!


serial-number none
fqdn VPN-INET-ASR1002X-6.cisco.local
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32343534 39353932 3033301E 170D3135 30393238 31343536
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34353439
35393230 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B768 09390CFC 431B911B FED75AD5 20A4E0CE 347CFE36 D1352DBC 961D51E7
41B90C43 38F778E0 3F373D09 0F4E012B DDE98EA5 41EE523D 966E2750 FE94168F
FD94437A E075C53F C6B3B2E7 AE981891 4868E3A1 ABB1ABEE 10DED91F 998D246E
27755887 B9B5567F D2219FF5 0E9518E1 E7F36ACF 1687D8FA 3EA0103D 582D0004
83830203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 148052C8 7E129E22 F6E31583 245E97B2 F0F408AF 7B301D06
03551D0E 04160414 8052C87E 129E22F6 E3158324 5E97B2F0 F408AF7B 300D0609
2A864886 F70D0101 05050003 81810000 A9168E5F 0856D145 315B48D1 18A2F783
D3504FB2 6C695513 590194ED 73841211 FE034513 DE0C2F04 164D15C6 8927A0F9
5F99E27B D682CDC4 2D671AB5 7AE5A41B DDCFB809 458B0CF6 469A4A36 AD4C43EB
826C6CE6 C2622D4D 66C10147 99A9B716 046862C2 17FA6912 F93B6A66 18DA07B4
46981D1D 7B38ADBF 4F1B9878 0CC415
quit
certificate 50
30820317 30820280 A0030201 02020150 300D0609 2A864886 F70D0101 05050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31353130

30323230 31313338 5A170D31 37313030 31323031 3133385A 304A3148 30180609

2A864886 F70D0109 08130B31 302E362E 33322E32 3436302C 06092A86 4886F70D
01090216 1F56504E 2D494E45 542D4153 52313030 32582D36 2E636973 636F2E6C
6F63616C 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A
02820101 009B55A0 74EB9E3B C19C758D 50FC42DD C6D42FBC 8816472B 1002BAD1
072DE712 D5C46A0E 5227E9CD 3B4E3CD3 B9467521 DC982070 2D19ED04 CC4B7B5C
A6071D01 F6C6ACE3 FE0A4379 FEEB9CA2 484E90CC 6FB5992E 36354000 164E1F11
F64C96EA 5BD1706A CC847944 73A8DCC0 D5751268 C1DB775E 7B6C4537 13FCDAF9
F159CE0B AC13BFF2 9053083C 59882DC8 B1E7721B 0C2F2118 348ABB35 F2247726
FE13792D 6BEE33D1 48CDCC47 3712BA8C 272A98D8 C655B4A3 3240128C DBCFC4C9
C1CF3AAA 91E7CD08 17AB17D5 B417D08E 5AAE1DA6 F9771505 0748301F 1935584A
8B49BFAC E3F86527 E39A582D 9ED01E59 7948EC51 2791CEC6 050FE92C A7CA5014
9959A38A 07020301 0001A381 9B308198 30490603 551D1F04 42304030 3EA03CA0
3A863868 7474703A 2F2F3130 2E362E32 342E3131 2F636769 2D62696E 2F706B69
636C6965 6E742E65 78653F6F 70657261 74696F6E 3D476574 43524C30 0B060355
1D0F0404 030205A0 301F0603 551D2304 18301680 148B57F8 AD759FB8 E9696295
0930B589 1C88919C 06301D06 03551D0E 04160414 4A1AF4AC 729F17E8 E31DB3A7
9A149240 D90FFD92 300D0609 2A864886 F70D0101 05050003 818100A4 1DE6BD7C
33C1DB75 B7DE7750 04D5C896 1F0789BC CFB3E2AA 4B43C276 938768CB 7EB1C15E
BB8DB515 F0C88F5A 99F3FBDA DB54D824 E8A84096 AD116531 AA868510 EE629C5D
9115AA5F 1CDF41EC 709E1D09 9CA0C04E 0A718B90 B20EB17B 5E01EAFE 16DD89FC
E32E9194 A74C2839 1086C796 370D415A 58A00B38 8ADE7B62 B7FB71
quit
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31343132
32353231 31393432 5A170D31 37313232 34323131 3934325A 30373135 30330603
55040313 2C495741 4E2D494F 532D4341 2E636973 636F2E6C 6F63616C 204C3D53
616E4A6F 73652053 743D4341 20433D55 5330819F 300D0609 2A864886 F70D0101
01050003 818D0030 81890281 8100E1F3 60BA63B4 2C2971DA 10457139 3765E38C
543A6D98 8B3BE1C7 9B42C549 95CB0203 010001A3 63306130 0F060355 1D130101
FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304

18301680 148B57F8 AD759FB8 E9696295 0930B589 1C88919C 06301D06 03551D0E

04160414 8B57F8AD 759FB8E9 69629509 30B5891C 88919C06 300D0609 2A864886
3E071F09 AECB291E 918A0B
quit
license udi pid ASR1002-X sn JAE192405QD
!
!
!
redundancy
mode none
!
integrity sha512
group 14
!
!
!
!
cdp run
!
!


match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
class NET-CTRL
set dscp tunnel cs6
class CRITICAL-DATA
class SCAVENGER


class VOICE
priority level 1
set dscp tunnel ef
class class-default
random-detect
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default


service-policy WAN
class class-default
service-policy WAN
class class-default
service-policy WAN
class class-default
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.6.32.246 255.255.255.255
ip pim sparse-mode
!
description IW-WAN-D3750X
ip address 10.6.32.30 255.255.255.252
ip pim sparse-mode
delay 25000

no negotiation auto
!
interface Tunnel21
bandwidth 500000
ip address 10.6.40.2 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-mode
ICY
ICY
ICY
ip nhrp redirect
delay 20000
tunnel key 202
!

no ip address
negotiation auto
cdp enable
channel-group 6
!
no ip address
negotiation auto
cdp enable
channel-group 6
!
no ip address
shutdown
negotiation auto
!
description INET2
bandwidth 500000
ip address 192.168.146.23 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
no mop enabled
no lldp transmit
no lldp receive
!
no ip address

shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
no ip address
shutdown
negotiation auto
!
!
!
!
passive-interface
exit-af-interface
!
exit-af-interface
!
summary-address 10.6.0.0 255.255.0.0
summary-address 10.7.0.0 255.255.0.0
summary-address 10.8.0.0 255.255.0.0
summary-address 10.255.240.0 255.255.248.0

hello-interval 20
hold-time 60
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 10.6.0.0 0.1.255.255
nsf
exit-address-family
!
!
no ip http server
ip ssh version 2
!
permit 10.6.40.0 0.0.1.255
!


permit esp any any
!
!
set tag 202
!
!
set tag 202
!
!
key 7 15210E0F162F3F0F2D2A
!
!

control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
!
!
end

WAN Remote-Site Devices—IWAN Dual Internet Design Model
WAN Remote-Site Devices—IWAN Dual Internet

Design Model
There are two different roles a device can play at the remote site of a PfRv3 configuration:
•• Branch Master Controller—The Branch MC is the MC at the branch-site. There is no policy configuration on
this device. It receives policy from the Hub MC. This device acts as MC for that site for making path-optimi-
zation decision. The configuration includes the IP address of the hub MC.
•• Branch Border Router—This is a BR at the branch-site. The configuration on this device enables BR func-
tionality and includes the IP address of the site local MC. The WAN interface that terminates on the device is
detected automatically.
The second design model is the IWAN Dual Internet, which uses a pair of Internet service providers to further
reduce cost while leveraging PfR in order to mitigate network performance problems on a single Internet provider.
This section includes configuration files corresponding to the IWAN dual Internet design model remote site, as
referenced in the figure below.
Figure 12 IWAN dual Internet model—WAN remote-site designs
Remote Site 13 Remote Site 14
Tunnel 20 Tunnel 21 Tunnel 20 Tunnel 21

INET1 INET2 INET1 INET2
RS14-2921-1 RS14-2921-2
Branch Master RS13-2911 Loopback IP: Loopback IP:
Controller/ Loopback IP: 10.255.243.14/32 10.255.244.14/32
Router Branch Master Branch
Controller/ Border
Branch Border Router
Router
1247F

The following table provides the loopback addresses for the WAN remote site devices in the IWAN dual Internet
design model.
Table 7 Remote site router loopback IP addresses
IWAN function Host name Loopback IP address

Branch MC/BR (INET1/INET2) RS13-2911 10.255.243.12/32
Branch MC/BR (INET1) RS14-2921-1 10.255.243.14/32
Branch BR (INET2) RS14-2921-2 10.255.244.14/32
REMOTE SITE 13—SINGLE-ROUTER, DUAL-LINK (INET1 AND INET2)

policies.
INET1 link speed/ INET2 link speed/

10000 us 20000 us
RS13-2911: Primary and secondary WAN links

version 15.5
no service pad
!
hostname RS13-2911
!
boot-start-marker
boot-end-marker
!
!
!

address-family ipv4
exit-address-family
!
!
address-family ipv4
exit-address-family
!
logging buffered warnings
!
aaa new-model
!
!
!
!
!
ethernet lmi ce
!
!
ip cef
no ipv6 cef
!
!

match ipv4 tos

match ipv4 protocol
collect ipv4 dscp
collect ipv4 id
!
!
source Loopback0
output-features
transport udp 2055
!

!
source Loopback0
output-features
transport udp 9991
!
!
!
!
!
domain iwan2
vrf default
border
master local
master branch
password 7 06055E324F41584B56
hub 10.6.32.252
!
!
key chain WAN-KEY

key 1
key-string 7 121A540411045D5679
cts logging verbose
!
!
serial-number none
fqdn RS13-2911.cisco.local
ip-address 10.255.243.13
!
!
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303130 39323839 3032301E 170D3134 30393131 30303238
30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30313039
32383930 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D191 2B49FB4D 6E69DA33 0A23F0F4 FE6A6D9D 5F7F739E E9D6BE38 CC371EA2
B3B778A0 B2AD56B5 61A503FF EA258E39 67B97EAD A38D3848 01671355 D99F3FC8
B753F4C6 520DC379 85337D39 93AB2744 9CA46E58 D7A7DAA5 24217AD0 FB3A27D4
AE44B2E1 502D6ACC 4F763D61 10768C9F 7DDD89E0 E8689ABA B110C154 5253E10E
C66F0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15525331 332D3239 31312E63 6973636F 2E6C6F63 616C301F
0603551D 23041830 1680146C 89F39209 38C261D1 E687B3D4 878162B1 C6505330
1D060355 1D0E0416 04146C89 F3920938 C261D1E6 87B3D487 8162B1C6 5053300D

06092A86 4886F70D 01010405 00038181 007FAE0D 26EF5C6C 7C00983F 1B95EF76

402579EF A8258767 10DF1AEC A732EDF8 0BD887A5 E107AEBF C35085FB 7A82FC37
E98AEB2D AF65298D 25861BF6 C2572F3C A8A7C308 837DAC9A D343866C 5B8CD071
1EB6909E FE263F87 2E0BD9DA 555976E6 43DC5406 B2A13827 32BC8A96 CB06A445
C902CE00 989292CE E565EFE3 D94E36A0 CF
quit
certificate 52
3082030F 30820278 A0030201 02020152 300D0609 2A864886 F70D0101 05050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31353130
30333030 30343033 5A170D31 37313030 32303030 3430335A 30423140 301A0609
2A864886 F70D0109 08130D31 302E3235 352E3234 332E3133 30220609 2A864886
F70D0109 02161552 5331332D 32393131 2E636973 636F2E6C 6F63616C 30820122
300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00BB285F
62F3EFC4 E06F7DB0 4DE8C214 6F15BEC5 A2F95F9A BCC4F761 27372EE9 5B98103C
C3882C65 21D5D572 B3A7D5C5 C7772B1B 6BC1A723 1AACECB9 C30D7F9E B5BF436D
25E4F55C DC925D57 402DA688 FAC97E90 F289FAC3 D55A82F1 6CBF19CE 7401222E
A4F1C29D AC15C5CB FE58F1DA 948B5FA9 B735E6C4 5AE1130A 66C0C344 1B337FA6
5B40D6FF 80948592 BCC3D998 434FD55B 84AE12DB B5FAE2A4 F03828C6 541B72D5
961F5859 9C27721E 58A2B578 26644320 F563B7EB 7CE6401F A97137FE A30D94B9
548656F2 6679B64D 06B5914D 93E4B213 1CDA2C3E 0CA87691 39C655B5 618E5411
D4479343 6B4C5C4C 162BFF24 F723C9EA 59C1D068 4867E758 5731239C 01020301
0001A381 9B308198 30490603 551D1F04 42304030 3EA03CA0 3A863868 7474703A
2F2F3130 2E362E32 342E3131 2F636769 2D62696E 2F706B69 636C6965 6E742E65
78653F6F 70657261 74696F6E 3D476574 43524C30 0B060355 1D0F0404 030205A0
301F0603 551D2304 18301680 148B57F8 AD759FB8 E9696295 0930B589 1C88919C
06301D06 03551D0E 04160414 6E982737 F6BF6726 FC9441F8 B70D908A CFC4B6C4
300D0609 2A864886 F70D0101 05050003 8181002C B29CAEBF FC31012D DAD03FC9
F11C32E6 CEE8E7B9 21EE6B5D BBCEB24B 300E7A88 3906B494 90043451 63BA2823
DB7EAC7A 36FB1CD5 955AC339 929AB2AF 779816F3 E6E99141 7D05CA29 CC78C7A7
DE7AE717 E7213B4B C070B399 8E8700B7 290B540A 16F0A047 F41FE385 1D1DF64E
2ED440EE 79754B93 3D9232EF 01255F98 2DC8B1
quit
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F

63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31343132
32353231 31393432 5A170D31 37313232 34323131 3934325A 30373135 30330603
55040313 2C495741 4E2D494F 532D4341 2E636973 636F2E6C 6F63616C 204C3D53
616E4A6F 73652053 743D4341 20433D55 5330819F 300D0609 2A864886 F70D0101
01050003 818D0030 81890281 8100E1F3 60BA63B4 2C2971DA 10457139 3765E38C
543A6D98 8B3BE1C7 9B42C549 95CB0203 010001A3 63306130 0F060355 1D130101
FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304
18301680 148B57F8 AD759FB8 E9696295 0930B589 1C88919C 06301D06 03551D0E
04160414 8B57F8AD 759FB8E9 69629509 30B5891C 88919C06 300D0609 2A864886
3E071F09 AECB291E 918A0B
quit
voice-card 0
!
!
license udi pid CISCO2911/K9 sn FTX1451AHPB
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
redundancy
!

integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!
dpd 40 5 on-demand
!
dpd 40 5 on-demand
!
!

match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
set dscp af41
set dscp af31
class NET-CTRL
set dscp cs6
set dscp af21
class CRITICAL-DATA
set dscp af21
class SCAVENGER
set dscp af11
class VOICE
priority level 1
set dscp ef
class class-default

random-detect
class class-default
service-policy WAN
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
!
interface Loopback0
ip address 10.255.243.13 255.255.255.255
ip pim sparse-mode
!
interface Tunnel20
bandwidth 10000
ip address 10.6.38.13 255.255.254.0
no ip redirects
ip mtu 1400

ip pim sparse-mode
ip nhrp shortcut
delay 1000
no nhrp route-watch
if-state nhrp
tunnel key 201
!
interface Tunnel21
bandwidth 10000
ip address 10.6.40.13 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode

ip nhrp shortcut
delay 20000
no nhrp route-watch
if-state nhrp
tunnel key 202
!
no ip address
shutdown
!
description ISP 1
bandwidth 10000
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
description ISP 2
bandwidth 10000

ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
description RS13-A2960X Gig1/0/48
no ip address
duplex auto
speed auto
!
description Wired Data
ip address 10.7.34.1 255.255.255.0
ip pim sparse-mode
!
description Wireless Data
ip address 10.7.36.1 255.255.255.0
ip pim sparse-mode
!
description VOICE

ip address 10.7.35.1 255.255.255.0

ip pim sparse-mode
!
description Wireless Voice
ip address 10.7.37.1 255.255.255.0
ip pim sparse-mode
!
interface SM1/0
no ip address
shutdown
!Application: Restarted at Wed Nov 11 14:19:52 2015
!
interface SM1/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
!
!
!
passive-interface
exit-af-interface
!
summary-address 10.7.32.0 255.255.248.0

hello-interval 20
hold-time 60
exit-af-interface
!
summary-address 10.7.32.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
topology base
exit-af-topology
network 10.6.38.0 0.0.1.255
network 10.6.40.0 0.0.1.255
network 10.7.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
exit-address-family
!
!
no ip http server
!


ip ssh version 2
!
permit esp any any
!
!
match tag 201 202
!
!
match tag 202
!
match tag 201
!

!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
line 2
no exec
stopbits 1

line 67
no exec
transport input all
stopbits 1
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp update-calendar
!
end
REMOTE SITE 14—DUAL-ROUTER, DUAL-LINK (INET1 AND INET2)

policies.
INET1 link speed/ INET2 link speed/

10000 us 20000 us

RS14-2921-1: Primary WAN link

version 15.5
no service pad
!
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
aaa new-model
!
!
!
!
!
ethernet lmi ce


!
!
ip cef
no ipv6 cef
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id

!
!
source Loopback0
output-features
transport udp 2055
!
!
source Loopback0
output-features
transport udp 9991
!
!
!
!
!
domain iwan2

vrf default
border
master local
password 7 0007421507545A545C
master branch
password 7 141443180F0B7B7977
hub 10.6.32.252
!
!
key chain WAN-KEY
key 1
cts logging verbose
!
!
!
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383436 39393238 3838301E 170D3134 30393131 31383536
35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38343639
39323838 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CBC2 8FE21756 9F98E110 0EC183B5 6B9BE042 6DA3239E 3F25B9E3 FFE74615
B0C2D632 212516BB C2EA3701 73E4070B 998F3F78 ED9E1AAC 3162EDE2 A5FBE81D
5A09845F 54DDBE28 796C0AB8 32FA7765 9DE27299 E230BECD 9FA9167B 5CE9C913
C1F3F5A8 832D41EF 6A7865DE DFF55F83 859E5574 2CED133B F1D9B9CF 344160CE
D2ED0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 14B70674 0F96499B CB3E8B33 679242AB 188E35E1 32301D06

03551D0E 04160414 B706740F 96499BCB 3E8B3367 9242AB18 8E35E132 300D0609
2A864886 F70D0101 05050003 81810003 58A59C85 A4B3E63C 7FC74220 29323026
540AE197 FDCE07E8 79485A75 164EACA1 B15968DE FFA739A2 375BAC9A 038CEBD1
B0901ACD 1F16D83D 54906A1D CBFEF1C9 D858B05D 2C5B52DD DD9C59A6 DC8376E6
75D72E7F B08F621E C687C3DB 8847AFE4 90071719 DD99893D 6FE021F4 4358E677
1E667ADC 426D6FFA 162185B2 CF615F
quit
voice-card 0
!
!
license udi pid CISCO2921/K9 sn FTX1626ALL4
hw-module sm 1
!
!
!
redundancy
!
integrity sha512
group 14
!
!
peer ANY
address 0.0.0.0 0.0.0.0
!
!


dpd 40 5 on-demand
!
!
delay up 20
!
!
match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
set dscp af41
set dscp af31
class NET-CTRL
set dscp cs6


set dscp af21
class CRITICAL-DATA
set dscp af21
class SCAVENGER
set dscp af11
class VOICE
priority level 1
set dscp ef
class class-default
random-detect
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.255.243.14 255.255.255.255
ip pim sparse-mode
!

interface Tunnel20
bandwidth 30000
ip address 10.6.38.14 255.255.254.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp shortcut
delay 1000
if-state nhrp
tunnel key 201
!
no ip address
!
description Data
ip address 10.7.50.2 255.255.255.0

ip pim sparse-mode
standby 1 preempt
standby 1 authentication md5 key-string 7 0007421507545A545C
!
description Voice
ip address 10.7.51.2 255.255.255.0
ip pim sparse-mode
standby 1 preempt
standby 1 authentication md5 key-string 7 0007421507545A545C
!
ip address 10.7.48.9 255.255.255.252
ip pim sparse-mode
delay 25000
!
no ip address
shutdown
!
bandwidth 30000
ip address dhcp

no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
no ip address
duplex auto
speed auto
channel-group 1
!
no ip address
duplex auto
speed auto
channel-group 1
!
interface ucse1/0
no ip address
shutdown
!
interface ucse1/1
no ip address
shutdown
!
interface Vlan1
no ip address
!

!
!
!
passive-interface
exit-af-interface
!
summary-address 10.7.48.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
exit-af-interface
!
topology base
exit-af-topology
network 10.6.38.0 0.0.1.255
network 10.7.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
exit-address-family
!

!
no ip http server
!
ip ssh version 2
!
permit esp any any
!
!
match tag 201 202
!
!


!
match tag 201
!
!
key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0

line 2
no exec
stopbits 1
line 67
no exec
transport input all
stopbits 1
speed 9600
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp update-calendar
!
end

RS14-2921-2: Secondary WAN link

version 15.5
no service pad
!
!
boot-start-marker
boot-end-marker
!
!
!
address-family ipv4
exit-address-family
!
!
aaa new-model
!
!
!
!
!

ethernet lmi ce
!
!
ip cef
no ipv6 cef
!
!
match ipv4 tos
match ipv4 protocol
collect ipv4 dscp
collect ipv4 id


!
!
source Loopback0
output-features
transport udp 2055
!
!
source Loopback0
output-features
transport udp 9991
!
!
!
!
!

domain iwan2
vrf default
border
master 10.255.243.14
password 7 011057175804575D72
!
!
key chain WAN-KEY
key 1
key-string 7 03070A180500701E1D
cts logging verbose
!
serial-number none
fqdn RS14-2921-2.cisco.local
ip-address 10.255.244.14
!
!
certificate 4F
30820311 3082027A A0030201 0202014F 300D0609 2A864886 F70D0101 05050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31353130
30323230 30383430 5A170D31 37313030 31323030 3834305A 30443142 301A0609
2A864886 F70D0109 08130D31 302E3235 352E3234 342E3134 30240609 2A864886
F70D0109 02161752 5331342D 32393231 2D322E63 6973636F 2E6C6F63 616C3082
0122300D 06092A86 4886F70D 01010105 00038201 0F003082 010A0282 01010096
39696177 91F7C878 7E67BCE2 E63DF9E4 171F7E09 C9F459C3 7CD903E4 1ECE780F
BD0D6BBC DF6EB1AB BD1F68CA 325115B3 4BDEF80A CF4108A1 552FA46A DC8856EA
DF959DA3 5E902AB4 4C07A684 78924E46 B63F73B8 6A9AC309 1DB73592 9EB46CBE
587ECFB5 76A3C805 EDC0A553 E7032F41 3B638FC9 E3848358 74EDF4E7 E2F9D755

64B5C048 9D353B5A 09567E95 FC5F8136 2CB9F46E F45E2513 949C41B2 B2721336

67FE5771 026E51C1 E1974E69 A9D2A730 45B4284C D44F2285 E9280A77 B60D9ECD
A0679B84 D42F66C3 DE262660 825022A7 F8FF4DC3 E969CF8E 22831D1A 393EE5A9
BF0992C9 2EFC2B24 541C7CF9 B265B264 FD24D262 21F651D7 E7EB6940 2E5E4D02
03010001 A3819B30 81983049 0603551D 1F044230 40303EA0 3CA03A86 38687474
703A2F2F 31302E36 2E32342E 31312F63 67692D62 696E2F70 6B69636C 69656E74
2E657865 3F6F7065 72617469 6F6E3D47 65744352 4C300B06 03551D0F 04040302
05A0301F 0603551D 23041830 1680148B 57F8AD75 9FB8E969 62950930 B5891C88
919C0630 1D060355 1D0E0416 0414D317 5A118699 52EDB1D4 1A9F379D E5B65C41
76D4300D 06092A86 4886F70D 01010505 00038181 00390ABC 4EC6EE4E 1B9C9681
A89F5324 FE8C4661 7267CB81 46F9232B 72DDB081 DE0D32D2 0C1DA0E8 310C1AF7
08A6EA6B DFE16A55 9C84AAC5 697107E4 4DF3360C A5A5D127 02281429 F165B05F
1BC672B9 0D8856EC 183C4B15 84A51323 A8525E3F B01532D2 E7C6DA92 23365462
5E983415 FA890E35 6D3C752F B87F31AB 8418ADA4 9E
quit
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
37313530 33060355 0403132C 4957414E 2D494F53 2D43412E 63697363 6F2E6C6F
63616C20 4C3D5361 6E4A6F73 65205374 3D434120 433D5553 301E170D 31343132
32353231 31393432 5A170D31 37313232 34323131 3934325A 30373135 30330603
55040313 2C495741 4E2D494F 532D4341 2E636973 636F2E6C 6F63616C 204C3D53
616E4A6F 73652053 743D4341 20433D55 5330819F 300D0609 2A864886 F70D0101
01050003 818D0030 81890281 8100E1F3 60BA63B4 2C2971DA 10457139 3765E38C
543A6D98 8B3BE1C7 9B42C549 95CB0203 010001A3 63306130 0F060355 1D130101
FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304
18301680 148B57F8 AD759FB8 E9696295 0930B589 1C88919C 06301D06 03551D0E
04160414 8B57F8AD 759FB8E9 69629509 30B5891C 88919C06 300D0609 2A864886
3E071F09 AECB291E 918A0B
quit

voice-card 0
!
!
license udi pid CISCO2921/K9 sn FTX1621AKEG
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
hw-module pvdm 0/2
!
hw-module sm 1
!
!
!
redundancy
!
integrity sha512
group 14
!
!
dpd 40 5 on-demand
!

!
match dscp ef
match dscp cs1
match dscp cs3
match dscp cs6
!
policy-map WAN
set dscp af41
set dscp af31
class NET-CTRL
set dscp cs6
set dscp af21
class CRITICAL-DATA
set dscp af21
class SCAVENGER


set dscp af11
class VOICE
priority level 1
set dscp ef
class class-default
random-detect
class class-default
service-policy WAN
!
!
!
mode transport
!
!
!
interface Loopback0
ip address 10.255.244.14 255.255.255.255
ip pim sparse-mode
!
interface Tunnel21
bandwidth 10000
ip address 10.6.40.14 255.255.254.0
no ip redirects
ip mtu 1400

ip pim sparse-mode
ip nhrp shortcut
delay 20000
if-state nhrp
tunnel key 202
!
no ip address
!
description Data
ip address 10.7.50.3 255.255.255.0
ip pim sparse-mode
standby 1 preempt
standby 1 authentication md5 key-string 7 03070A180500701E1D
!

description Voice
ip address 10.7.51.3 255.255.255.0
ip pim sparse-mode
standby 1 preempt
standby 1 authentication md5 key-string 7 0508571C22431F5B4A
!
ip address 10.7.48.10 255.255.255.252
ip pim sparse-mode
delay 25000
!
no ip address
shutdown
!
bandwidth 10000
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled


!
no ip address
duplex auto
speed auto
channel-group 2
!
no ip address
duplex auto
speed auto
channel-group 2
!
interface ucse1/0
no ip address
shutdown
!
interface ucse1/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
!
!
!
passive-interface
exit-af-interface
!

summary-address 10.7.48.0 255.255.248.0
hello-interval 20
hold-time 60
exit-af-interface
!
exit-af-interface
!
topology base
exit-af-topology
network 10.6.40.0 0.0.1.255
network 10.7.0.0 0.0.255.255
network 10.255.0.0 0.0.255.255
exit-address-family
!
!
no ip http server
!


ip ssh version 2
!
permit esp any any
!
!
match tag 201 202
!
!
!
match tag 202
!
!


key 7 15210E0F162F3F0F2D2A
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line 2
no exec
stopbits 1
line 67
no exec

transport input all

stopbits 1
speed 9600
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp update-calendar
!
end

INET1 Tunnel INET1
172.16.X.X 10.6.X.X 172.18.X.X
10.6.X.X MPLS Tunnel MPLS 10.255.X.X 10.7.X.X
192.168.6.X 10.6.X.X 192.168.6.X
Lo0
42.251
To Core IE Outside
42.33 42.34 24.1 24.30 INET1: 172.16.140.1 and 140.2
Po136 Po36
VLAN300 Netblock
Lo0

IE DMZ 0.0 - 7.255
146.1 241.11
IE-D3750X IE-ASA5545-1 RS11
192.168.146.X
Single ISR G2
Access 2K
42.38
INET1
DHCP RS11-2921 RS11-A2960
98.91
IW-DMZ-
Return to previous location in document
Lo0 MPLS
A2960X Lo0
32.241 6.5
242.12
MPLS: Tu11
VPN-MPLS- 36.11 Netblock
192.168.6.1 16.0 - 23.255
ASR1002X-1
.2
32
RS12
Tu11
Tu11 RS12-2911-2 Dual ISR G2
INET1 36.12 INET1
36.1 Access 2K
Hub Site Po33 DHCP
Po1 Lo0 98.100
32.242 RS12-A2960
Tu10 Tu11
34.1 36.41
VPN-INET-
32.6 146.10 Tu11 Lo0
4451X-2
36.42 241.12
.1
Lo0 Po2
42.37
32
32.240 RS12-2911-1
To Core 32.5
42.41 42.42 Lo0
Po138 Po38 32.251 MPLS
6.9
MC-HY- Tu10
32.129 32.151
WAN-D3750X Po21 CSR1000v-1 34.11 Netblock
INET1 Lo0
Appendix B: Expanded Figure
192.0 - 199.255
Tu11 DHCP 241.41
34.12 99.44
Po1
MPLS Tu10 RS41

34.41 RS41-D3750 Single ISR G2
RS41-2921
Internal Lo0 MPLS Dist/Acc 3K/2K
10.8.X.X 32.241 6.29
Tu10
34.2 Tu10
VPN-MPLS- 34.42
ASR1002X-T1 Lo0
.2
To IE-D3750X MPLS: 242.42 RS41-A2960
32
192.168.6.41
INET1
42.38
DHCP Netblock
Transit Site Lo0 Po2 208.0 - 215.255
Po1 99.84
32.242 Tu11 RS42-4451-2
Po35 36.2
VPN-INET-
ASR1002X-T2 146.11 RS42
32.6
Po1 RS42-D3850
.1
Lo0 Po2 Dual ISF 4K
32
42.37
32.240 Dist/Acc 3K/3K
To Core 32.5 Lo0
42.41 42.42 Lo0
Po140 Po40 32.251 241.42
MPLS
This appendix provides a larger version of Figure 8, “IWAN Hybrid Model—Second DC as a transit site.”
6.33
MC-HY- RS42-4451-1
32.129 32.151
WAN-D3750X-T Po21 RS42-A3650
1355F
ASR1002X-T1
page 275
Appendix B: Expanded Figure
INET1 Tunnel INET1
172.16.X.X 10.6.X.X 172.18.X.X
10.6.X.X INET2 Tunnel INET2 10.255.X.X 10.7.X.X
172.17.X.X 10.6.X.X 172.19.X.X
Lo0
42.251
IE Outside
To Core INET1: 172.16.140.11 and 140.12
42.33 42.34 24.1 24.30
Po136 Po36 INET2: 172.17.140.11 and 140.12 Netblock
VLAN300 Lo0
32.0 - 39.255
243.13

146.1 IE DMZ RS13
192.168.146.X Single ISR G2
INET1 Access 2K
42.38
DHCP
RS13-2911 RS13-A2960
98.110
Hub Site INET2
DHCP
IW-DMZ- 98.109
D3750X Lo0
243.14
Tu20
38.13 Netblock
IWAN-IOS-CA 48.0 - 55.255
1
.1
RS14
24
Tu20
Lo0 RS14-2921-1 Dual ISR G2
IOS CA.” Return to previous location in document
INET1 38.14 INET1

Po33 32.252 DHCP Access 2K
98.116 RS14-A2960
MC-DI- Tu20
ASR1004-1 38.43
.1 52
32 Lo0
Tu20 INET2 244.14
.1
Lo0 Po22 Lo0 38.44 DHCP
42.37
24
32.240 9 RS14-2921-2
To Core .12 32.252/31 98.115
32
42.41 42.42
Po138 Po38 32.129 32.153
Po23 MC-DI-
ASR1004-2
Tu21
WAN-D3750X 32.1 Tu20 40.13 Netblock
7 Lo0 224.0 - 231.255
Lo0 38.1 INET1
Appendix C: Expanded Figure
3
32
Tu21 243.43
32
.2
32.243 DHCP
1
Po3
2.2
40.14
.29
32 99.92
.18 Po1
VPN-INET- RS43
ASR1002X-3 146.20 INET2 Tu21
40.43 RS43-D3750 Single ISR 4K
Po4 RS43-4451
Lo0 INET2 Dist/Acc 3K/2K
32.244 DHCP
Tu21 99.91
32
40.1 Tu21
.2
2
40.44 Lo0
Po5
VPN-INET- 243.44 RS43-A2960
ASR1002X-4 146.21
Po6 Lo0 INET1 Netblock

32.245 DHCP Po2 240.0 - 247.255
Tu20 99.76 RS44-3945-1
32
38.2
.26
VPN-INET-
ASR1002X-5 146.22 RS44
Po1 RS44-D3750 Dual ISF G2
Lo0 Dist/Acc 3K/2K
32.246
Tu21 Lo0
32
40.2 INET2 244.44
.30
DHCP
VPN-INET- RS44-3945-2
99.99
RS44-A2960
1356F
ASR1002X-6 146.23
This appendix provides a larger version of Figure 11, “IWAN dual Internet model—Hub MC HA, hub BR scaling and
page 276
Appendix C: Expanded Figure
Appendix D: Changes
Appendix D: Changes
This appendix summarizes the changes Cisco made to this guide since its last edition.
•• We upgraded IOS software.
•• We updated the QoS settings.
•• We updated the EIGRP settings.
•• We updated the NHRP settings.
•• We updated the PfR policy settings.
•• We simplified the IOS CA configuration.
•• We added a virtual router hub master controller.
•• We added hub master controller high availability.
•• We added hub border router scalability.
•• We added a second data center as a transit site.
•• We added Prime Infrastructure for IWAN monitoring.

Please use the feedback form to send comments and
suggestions about this guide.
Americas Headquarters Asia Pacific Headquarters Europe Headquarters

Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS
IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT
SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION,
LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS
OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON
FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included
in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2016 Cisco Systems, Inc. All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go
to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not
imply a partnership relationship between Cisco and any other company. (1110R)
Cisco Validated Design B-000201i-2 04/16

CVD IWANConfigurationFilesGuide FEB16

Uploaded by

Copyright:

Available Formats

CVD IWANConfigurationFilesGuide FEB16

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CVD IWANConfigurationFilesGuide FEB16

Uploaded by

Copyright:

Available Formats

CISCO VALIDATED DESIGN

WAN Aggregation Devices—IWAN Hybrid Design Model................................................................. 17

WAN Remote-Site Devices—IWAN Hybrid Design Model................................................................. 88

Remote Site 12—Dual-Router, Dual-Link (MPLS and INET).......................................................................................... 105

WAN Aggregation Devices—IWAN Dual Internet Design Model...................................................... 153

MC-DI-ASR1004-2—Hub MC HA................................................................................................................................. 161

VPN-INET-ASR1002X-3—Hub BR (INET1)................................................................................................................... 168

VPN-INET-ASR1002X-4—Hub BR (INET2)................................................................................................................... 182

VPN-INET-ASR1002X-5—Hub BR2 (INET1)................................................................................................................. 197

VPN-INET-ASR1002X-6—Hub BR2 (INET2)................................................................................................................. 211

WAN Remote-Site Devices—IWAN Dual Internet Design Model..................................................... 227

Remote Site 14—Dual-Router, Dual-Link (INET1 and INET2)........................................................................................ 245

Appendix B: Expanded Figure...................................................................................................... 275

Cisco Validated Design

Figure 1 IWAN hybrid model—WAN aggregation site overview

Hub Border DMVPN Hub

Cisco Validated Design page 1

Figure 2 IWAN dual Internet model—WAN aggregation site overview

WAN Distribution Hub Master

Hub Border DMVPN Hub

Figure 3 IWAN—Remote-site overview

Single Router Location Dual Router Location

Branch Master Branch Master Branch

Cisco Validated Design page 2

Figure 4 IWAN dual Internet Model—Hub MC high availability

Figure 5 IWAN dual Internet model—Hub BR scalability

INET1 INET2 INET1 INET2

DMVPN 3 DMVPN 4 DMVPN 3 DMVPN 4

Cisco Validated Design page 3

Figure 6 IWAN hybrid model—Second data center as a transit site

Hub Site Transit Site

Hub BRs Transit BRs

MPLS INET MPLS INET

Cisco Validated Design page 4

WAN REMOTE SITE

Cisco Validated Design page 5

INTERNET EDGE LAN

LAN ACCESS LAYER

Cisco Validated Design page 6

Place In Network Product Description Part Number SW Version Feature Set

LAN DISTRIBUTION LAYER

Cisco Validated Design page 7

Place in Network Product Description Part Number SW Version Feature Set

Cisco Validated Design page 8

IOS Certificate Authority

Figure 7 IWAN IOS Certificate Authority

WAN Distribution IOS-CA

DMVPN Hub DMVPN Hub

Cisco Validated Design page 9

How to Read Commands

Cisco Validated Design page 10

aaa authorization console

Cisco Validated Design page 11

Cisco Validated Design page 12

2A864886 F70D0101 05050003 8181005A A3A3DB82 6F4104E7 46312773 408CE555

Cisco Validated Design page 13

Cisco Validated Design page 14

Cisco Validated Design page 15

Cisco Validated Design page 16