
CCRG-4-1-2 (1)

Published by mparmeley, 2017-09-06 15:33:51


Using DMVPN and IPSec VPN Tunnels

• HQ: configured for DMVPN and IPSec VPN tunnels; LAN: 192.168.10.0/24, WAN: 10.1.1.1 (for DMVPN)
• S1: configured for DMVPN; LAN: 192.168.20.0/24, WAN: 10.1.1.2 (for DMVPN)
• S2: configured for DMVPN; LAN: 192.168.30.0/24, WAN: 10.1.1.3 (for DMVPN)
• S3: configured for IPSec VPN only; LAN: 192.168.40.0/24
• General VPN and interface configuration on HQ router

interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800

Configuration Reference Guide | [D] 201

• DMVPN (Hub) configuration on HQ router

crypto keyring dmvpnspokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile dmvpn-isakmp
 keyring dmvpnspokes
 match identity address 1.2.1.1 255.255.255.255
 match identity address 1.3.1.1 255.255.255.255
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile dmvpn
 set security-association lifetime seconds 120
 set transform-set ipsec-ts
 set isakmp-profile dmvpn-isakmp
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1412
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile dmvpn
ip route 192.168.20.0 255.255.255.0 10.1.1.2
ip route 192.168.30.0 255.255.255.0 10.1.1.3

• Static IPSec VPN configuration on HQ router

crypto isakmp key cisco123 address 1.4.1.1 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 10
crypto isakmp xauth timeout 45
crypto ipsec transform-set ipsec-ts2 esp-3des esp-sha-hmac
ip access-list extended ACL-IPSEC-VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
crypto map vpnmap 5 ipsec-isakmp
 set peer 1.4.1.1
 set transform-set ipsec-ts2
 set pfs group2
 match address ACL-IPSEC-VPN

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 crypto map vpnmap

• For the other sites, S1 and S2 will have a standard DMVPN spoke configuration pointing to the HQ site
• Site S3 will have a standard IPSec VPN configuration pointing to the HQ site, using the same ISAKMP key "cisco123"
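The HQ configuration above negotiates with 3DES, MD5 and DH group 2, and the DMVPN keyring accepts the pre-shared key from any peer address. The script below is an added example (not part of the guide) that parses the crypto-relevant lines of an IOS running-config and reports those settings, so the same check can be run against a saved configuration before it is deployed. The sample configuration embedded in it is constructed from the HQ lines above; the set of algorithms it treats as weak is an assumed baseline (AES, SHA-2, DH group 14 or higher).

```python
"""Audit ISAKMP policies, IPsec transform sets and pre-shared keys in an IOS config.

Added example; not from the Configuration Reference Guide.
"""
import re

# Constructed sample: the crypto lines of the HQ router configuration above.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto keyring dmvpnspokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ipsec-ts2 esp-3des esp-sha-hmac
"""

# Assumed baseline of what to flag (AES / SHA-2 / DH group >= 14 expected).
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} for every 'crypto isakmp policy'.

    Keywords not set in a policy take the IOS defaults (encr des, hash sha, group 1).
    """
    policies = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = {"encr": "des", "hash": "sha", "group": "1"}
            policies[int(m.group(1))] = current
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] in ("encr", "encryption"):
                current["encr"] = parts[1]
            elif parts[0] in ("hash", "group", "authentication", "lifetime"):
                current[parts[0]] = parts[1]
        else:
            current = None  # left the policy block
    return policies


def audit_config(config):
    """Return a sorted list of findings (strings) for the given config text."""
    findings = []
    for num, pol in parse_isakmp_policies(config).items():
        if pol["encr"] in WEAK_ENCR:
            findings.append(f"isakmp policy {num}: weak encryption {pol['encr']}")
        if pol["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {pol['hash']}")
        if pol["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {pol['group']}")
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        for alg in m.group(2).split():
            if alg in WEAK_ESP:
                findings.append(f"transform-set {m.group(1)}: weak transform {alg}")
    if re.search(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0", config):
        findings.append("keyring: pre-shared key accepted from any peer address (0.0.0.0/0)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Policy 20 is reported only for its DH group: its hash is not configured, so the parser applies the IOS default (SHA) rather than treating the omission as a finding.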

Solution/Services: Administration/System
Related:

• Run "show" commands from configuration mode
Router(config)# do show ip route

Solution/Services: Media Connection
Related: Serial DS3

• Serial DS3+ port adapter in a Cisco 7200 series router
interface serial 1/0
 ip address 1.1.1.1 255.255.255.252
 encapsulation ppp
 framing c-bit
 cablelength 50
 dsu bandwidth 44210
 clock source internal
 serial restart-delay 0

HSSI
• HSSI interface enabled for PPP with the service provider
interface Hssi1/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 serial restart-delay 0

ATM Interface
• Two configuration examples using a DS-3 ATM interface (e.g. Cisco 7200) configured with an ATM PVC to the service provider
interface ATM2/0
 description DS-3 6Mbps connection to Internet
 ip address 1.1.1.1 255.255.255.252
 ip accounting output-packets
 atm scrambling cell-payload
 atm framing cbitplcp
 no atm ilmi-keepalive
 pvc RHG 5/101
  protocol ip 1.1.1.2 broadcast
  vbr-nrt 6000 6000
OR
interface ATM1/0
 description DS-3 6Mbps connection to Internet
 ip address 1.1.1.1 255.255.255.252
 ip accounting output-packets
 load-interval 60
 atm scrambling cell-payload
 no atm ilmi-keepalive
 pvc SVB 5/101
  vbr-nrt 6000 6000

Solution/Services: LAN Switching
Related: N/A

• Enable Dynamic ARP Inspection (DAI) on the access switch for VLANs 10 and 11
• Disable DAI inspection on the uplink interface to the core switch by marking it as trusted
>> ACCESS <<
ip arp inspection vlan 10-11
ip arp inspection validate ip
interface GigabitEthernet0/1
 ip arp inspection limit rate 100
 ip arp inspection trust
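To make the DAI behaviour configured above concrete, here is an added example (not from the guide) that models the forwarding decision the access switch makes for each ARP packet: packets on VLANs outside 10-11 are not inspected, packets from the trusted uplink bypass inspection, and on untrusted ports the sender MAC/IP pair must match a DHCP snooping binding, with "validate ip" also rejecting bogus sender addresses. The binding table, port names other than GigabitEthernet0/1, and the packets are constructed sample data; the guide does not show the DHCP snooping configuration that populates the bindings.

```python
"""Simulate Dynamic ARP Inspection decisions for the access-switch configuration above.

Added example; not from the Configuration Reference Guide.
"""
import ipaddress

# Taken from the snippet above.
DAI_VLANS = {10, 11}
TRUSTED_PORTS = {"GigabitEthernet0/1"}
VALIDATE_IP = True

# Constructed DHCP snooping bindings: (vlan, mac, ip, port). Assumed data.
BINDINGS = {
    (10, "00:11:22:33:44:55", "192.168.10.50", "GigabitEthernet0/5"),
    (11, "00:11:22:33:44:66", "192.168.11.60", "GigabitEthernet0/6"),
}


def invalid_sender_ip(ip):
    """'ip arp inspection validate ip': reject 0.0.0.0, 255.255.255.255 and multicast senders."""
    addr = ipaddress.ip_address(ip)
    return ip in ("0.0.0.0", "255.255.255.255") or addr.is_multicast


def inspect_arp(vlan, port, sender_mac, sender_ip, bindings=BINDINGS):
    """Return ('permit' | 'drop', reason) for one ARP packet arriving on `port`."""
    if vlan not in DAI_VLANS:
        return "permit", "vlan not inspected"
    if port in TRUSTED_PORTS:
        return "permit", "trusted port"
    if VALIDATE_IP and invalid_sender_ip(sender_ip):
        return "drop", "invalid sender ip"
    if (vlan, sender_mac, sender_ip, port) in bindings:
        return "permit", "binding match"
    return "drop", "no dhcp snooping binding"


class RateLimiter:
    """Per-port 'ip arp inspection limit rate N': more than N ARPs in one second err-disables the port."""

    def __init__(self, pps):
        self.pps = pps
        self.counts = {}
        self.errdisabled = set()

    def arrival(self, port, second):
        """Record one ARP on `port` during `second`; return False once the port is err-disabled."""
        key = (port, second)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.pps:
            self.errdisabled.add(port)
        return port not in self.errdisabled


if __name__ == "__main__":
    # A host answering with its leased address, the same host claiming another address,
    # and a packet from the trusted uplink.
    print(inspect_arp(10, "GigabitEthernet0/5", "00:11:22:33:44:55", "192.168.10.50"))
    print(inspect_arp(10, "GigabitEthernet0/5", "00:11:22:33:44:55", "192.168.10.1"))
    print(inspect_arp(10, "GigabitEthernet0/1", "aa:bb:cc:dd:ee:ff", "192.168.10.1"))
```

The model mirrors the order IOS applies the checks in: VLAN membership, port trust state, the optional validations, then the binding lookup. Because the uplink is trusted, its rate limit of 100 pps is the only DAI control that still applies to it.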

Solution/Services: Feature
Related: DDNS on Cisco IOS

• Requires a DDNS account to be created with a DDNS provider (e.g. dyndns.org)
• DDNS account details: user1 / cisco123
• DDNS server/URL: members.dyndns.org/nic/update
• DDNS domain name for account: rhg-er01.selfip.com
• FE4 interface enabled for DHCP and DDNS. The new IP address dynamically assigned to FE4 is synchronized to the DDNS service every day for the DNS domain rhg-er01.selfip.com
hostname rhg-er01
ip ddns update method RHG-DDNS
 HTTP
  add http://user1:cisco123@members.dyndns.org/nic/update?system=dyndns&hostname=rhg-er01.selfip.com&myip=
  (press CTRL-V before typing the "?" so that IOS does not interpret it as the help key)
 interval maximum 1 0 0 0
interface FastEthernet4
 ip ddns update hostname rhg-er01.selfip.com
 ip ddns update RHG-DDNS host members.dyndns.org
 ip address dhcp

Energy Efficient Ethernet (EEE)

Energy Efficient Ethernet (EEE) is an IEEE 802.3az standard that can reduce a device's (e.g. switch) power consumption when network traffic is low or idle by shutting down certain services.
Note: EEE is potentially incompatible with real-time applications (voice and video streaming services) and may need to be disabled as a best practice.
EEE can be enabled on a switch port using the following command:
interface GigabitEthernet1/0/1
 power efficient-ethernet auto

Cisco EVN

>> CR01 <<
! create VRF instances for each network you want to isolate
vrf definition Client01
 vnet tag 1001
 address-family ipv4
 exit-address-family
vrf definition Client02
 vnet tag 1002
 address-family ipv4
 exit-address-family
! create the VNET trunk list of permitted VRF instances to extend to other VRF-enabled devices
vrf list VNET_12
 member Client01
 member Client02
! enable the interface as a VNET trunk to extend the VRF instances (based on the VRF list) to another VRF-enabled device
interface GigabitEthernet0/0
 vnet trunk list VNET_12
 ip address 10.1.1.1 255.255.255.252

! configure edge ports and assign the appropriate VRF instance
interface GigabitEthernet1/0
 vrf forwarding Client01
 ip address 172.17.1.1 255.255.255.0
interface GigabitEthernet2/0
 vrf forwarding Client02
 ip address 172.20.1.1 255.255.255.0
! create an OSPF routing process for each VRF instance
router ospf 1 vrf Client01
 network 10.1.1.0 0.0.0.3 area 0
 network 172.17.1.0 0.0.0.255 area 11
router ospf 2 vrf Client02
 network 10.1.1.0 0.0.0.3 area 0
 network 172.20.1.0 0.0.0.255 area 21

>> Client01 R1 <<
interface Loopback0
 ip address 192.168.101.1 255.255.255.0
interface GigabitEthernet0/0
 ip address 172.17.1.2 255.255.255.0
router ospf 11
 network 172.17.1.0 0.0.0.255 area 11
 network 192.168.101.0 0.0.0.255 area 11

>> Client01 R2 <<
interface Loopback0
 ip address 192.168.102.1 255.255.255.0
interface GigabitEthernet0/0
 ip address 172.17.2.2 255.255.255.0
router ospf 12
 network 172.17.2.0 0.0.0.255 area 12
 network 192.168.102.0 0.0.0.255 area 12

>> Monitoring <<
show run
show derived-config
show running-config vnet
show run vrf Client01

Solution/Services: Network Management
Related: N/A

Interface monitoring and email notification
• If interface GE 8/1 on the core switch goes down (based on a syslog event), run a TDR cable test on the port and run diagnostics (GOLD)
• Send an email to [email protected] that the interface went down
• Mail server IP is 192.168.10.10
event manager applet LINK_DOWN_MOD_8_1
 event syslog pattern "%LINK-3-UPDOWN: Interface GigabitEthernet8/1" maxrun 20
 action 1.0 cli command "en"
 action 2.0 cli command "test cable-diagnostics tdr interface g8/1"
 action 3.0 cli command "diagnostic start module 8 test 2 port 1"
 action 4.0 mail server "192.168.10.10" to "[email protected]" from "Core Switch" subject "Urgent! Interface went down" body "G8/1 went down"
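An EEM syslog event detector applies its pattern as a regular expression searched within each syslog message, so it is worth checking which messages a pattern actually fires on before the applet starts running diagnostics and sending mail. The script below is an added example (not from the guide) that runs the applet's pattern, and an assumed narrower variant, over constructed sample syslog lines; it shows that the pattern as written also matches the link-up message and the message for GigabitEthernet8/10.

```python
"""Test an EEM 'event syslog pattern' against sample syslog messages.

Added example; not from the Configuration Reference Guide.
"""
import re

# Pattern exactly as used in the applet above.
APPLET_PATTERN = r"%LINK-3-UPDOWN: Interface GigabitEthernet8/1"
# Assumed narrower pattern that fires only on the down transition of exactly Gi8/1.
DOWN_ONLY_PATTERN = r"%LINK-3-UPDOWN: Interface GigabitEthernet8/1, changed state to down"

# Constructed sample syslog lines in the usual IOS format.
SAMPLE_LOG = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet8/1, changed state to down",
    "%LINK-3-UPDOWN: Interface GigabitEthernet8/1, changed state to up",
    "%LINK-3-UPDOWN: Interface GigabitEthernet8/10, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet8/1, changed state to down",
]


def matching_lines(pattern, lines):
    """Return the lines on which the EEM syslog event detector would fire."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def triggered_actions(line, pattern=APPLET_PATTERN):
    """Return the applet's CLI/mail actions (as strings) if `line` matches, else []."""
    if not re.search(pattern, line):
        return []
    return [
        "test cable-diagnostics tdr interface g8/1",
        "diagnostic start module 8 test 2 port 1",
        "mail server 192.168.10.10 subject 'Urgent! Interface went down'",
    ]


if __name__ == "__main__":
    for pattern in (APPLET_PATTERN, DOWN_ONLY_PATTERN):
        print(pattern)
        for line in matching_lines(pattern, SAMPLE_LOG):
            print("  fires on:", line)
```

The same check is useful for any applet that runs privileged CLI commands: a pattern that is broader than intended means the automation runs, and the alert mail is sent, on events the operator did not mean to act on.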

Solution/Services: IP Routing (IGP)
Related: N/A

EIGRP Routing
• Enables the EIGRP routing process and places the router into ASN 1
• Specify which routes to advertise and build neighbor relationships with other EIGRP routers
• Disable auto-summarization for EIGRP
>> R1 (1.1.1.1) <<
router eigrp 1
 network 192.168.10.0 0.0.255.255
 network 10.1.2.0 0.0.0.255
 network 10.1.3.0 0.0.0.255
 network 1.1.1.1 0.0.0.0
 no auto-summary

Passive Interface
• Makes all interfaces on R1 passive for EIGRP (no neighbor adjacencies) except FE0/1 and FE0/2
>> R1 <<
router eigrp 1
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet0/2

Neighbor Timers
• Configures fast hello and hold timers (1-second hello, 3-second hold) with neighbors for fast convergence
>> R1 <<
interface FastEthernet0/1
 ip hello-interval eigrp 1 1
 ip hold-time eigrp 1 3

MD5 Authentication
• Define a key chain (e.g. SEIGRP) using the password cisco123
• Enable MD5 authentication and associate the key chain with the EIGRP-enabled interface that has a connected neighbor
>> R1 <<
key chain SEIGRP
 key 1
  key-string cisco123
interface FastEthernet0/1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 SEIGRP

Changing Admin Distance
• Specify custom administrative distances (internal and external routes)
router eigrp 1
 distance eigrp 90 170

Maximum Paths Per Route
• Define the number of paths for a single route that can be injected into the routing table
router eigrp 1
 maximum-paths 2

Route Summarization
• Summarizes all 10.1.x.x subnets as 10.1.0.0/16 and advertises the summary route to R2 (2.2.2.2)
>> R1 <<
interface FastEthernet0/1
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5

Bandwidth Utilization
• Limit EIGRP to 45% of the interface bandwidth
interface FastEthernet0/1
 ip bandwidth-percent eigrp 1 45
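A summary such as 10.1.0.0/16 advertises more address space than the router necessarily holds, and anything in the summary that has no component route is attracted to this router and dropped by the discard route that IOS installs for the summary. The script below is an added example (not from the guide) that computes the tightest single summary for a set of component prefixes and lists the space a configured summary claims without a matching component. The component prefixes are constructed from the 10.1.x.x subnets used in this section.

```python
"""Compute EIGRP summary routes and the address space a summary over-claims.

Added example; not from the Configuration Reference Guide.
"""
import ipaddress

# Constructed component routes behind R1 (assumed from the 10.1.x.x subnets above).
COMPONENTS = ["10.1.2.0/24", "10.1.3.0/24"]
# From: ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
CONFIGURED_SUMMARY = "10.1.0.0/16"


def smallest_summary(prefixes):
    """Return the tightest single network that covers every prefix in `prefixes`."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until everything fits
    return summary


def unowned_space(summary, prefixes):
    """Return the sub-prefixes of `summary` that no component prefix covers."""
    remaining = [ipaddress.ip_network(summary)]
    for p in prefixes:
        n = ipaddress.ip_network(p)
        next_remaining = []
        for piece in remaining:
            if n.subnet_of(piece):
                # carve the component out of this piece (yields nothing if equal)
                next_remaining.extend(piece.address_exclude(n))
            elif not piece.subnet_of(n):
                next_remaining.append(piece)
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def report(summary, prefixes):
    """Return (tightest_summary, number_of_addresses_not_owned) for a configured summary."""
    gaps = unowned_space(summary, prefixes)
    return smallest_summary(prefixes), sum(g.num_addresses for g in gaps)


if __name__ == "__main__":
    tight, unowned = report(CONFIGURED_SUMMARY, COMPONENTS)
    print("tightest summary:", tight)
    print("addresses in", CONFIGURED_SUMMARY, "with no component route:", unowned)
    for gap in unowned_space(CONFIGURED_SUMMARY, COMPONENTS):
        print("  ", gap)
```

With only 10.1.2.0/24 and 10.1.3.0/24 behind R1, the tightest summary is 10.1.2.0/23; the configured /16 additionally draws traffic for 65024 addresses that R1 cannot forward.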

Route Control/Filtering
• Only advertise routes listed in the ACL to all neighbors
>> R1 <<
ip access-list standard ACL-EIGRP-ROUTES
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
router eigrp 1
 distribute-list ACL-EIGRP-ROUTES out
OR
• Only advertise routes listed in the ACL to neighbors out of interface FastEthernet0/1
router eigrp 1
 distribute-list ACL-EIGRP-ROUTES out FastEthernet0/1

EIGRP Stub
• A stub router is not sent EIGRP queries and does not act as a transit router
• Configures R3 as an EIGRP stub router in ASN 1 that advertises only its connected subnets (192.168.3.0/24)
>> R3 <<
router eigrp 1
 eigrp stub connected
show ip eigrp neighbors detail <intf> <intf-id>
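Both the EIGRP "network" statements on R1 and the standard ACL used by the distribute-list above rely on IOS wildcard masks, where a 1 bit means "don't care". The script below is an added example (not from the guide) that implements that match and applies it to the network statements and ACL-EIGRP-ROUTES shown in this section; the interface addresses it probes are constructed. It also makes visible that the statement "network 192.168.10.0 0.0.255.255" enables EIGRP on every 192.168.x.x interface, not only on 192.168.10.0/24.

```python
"""Evaluate IOS wildcard masks for EIGRP 'network' statements and standard ACLs.

Added example; not from the Configuration Reference Guide.
"""
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, reference, wildcard):
    """True if `address` matches `reference` under IOS wildcard mask `wildcard`.

    Bits set in the wildcard are ignored; all remaining bits must be equal."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(address) ^ to_int(reference)) & care_bits) == 0


def standard_acl(entries):
    """Return a matcher for a standard ACL given as [(action, reference, wildcard), ...].

    IOS evaluates entries top-down, first match wins, with an implicit deny at the end."""
    def evaluate(address):
        for action, reference, wildcard in entries:
            if wildcard_match(address, reference, wildcard):
                return action
        return "deny"
    return evaluate


# From 'router eigrp 1' on R1 above.
NETWORK_STATEMENTS = [
    ("192.168.10.0", "0.0.255.255"),
    ("10.1.2.0", "0.0.0.255"),
    ("10.1.3.0", "0.0.0.255"),
    ("1.1.1.1", "0.0.0.0"),
]

# From ACL-EIGRP-ROUTES above.
ACL_EIGRP_ROUTES = standard_acl([
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.255"),
    ("permit", "192.168.30.0", "0.0.0.255"),
])


def eigrp_enabled(interface_ip):
    """True if any network statement covers the interface address (EIGRP runs on it)."""
    return any(wildcard_match(interface_ip, ref, wc) for ref, wc in NETWORK_STATEMENTS)


if __name__ == "__main__":
    # Constructed interface addresses to probe.
    for ip in ("192.168.10.1", "192.168.77.1", "10.1.2.1", "10.1.4.1", "1.1.1.1"):
        print(f"{ip:15} eigrp={eigrp_enabled(ip)!s:5} distribute-list={ACL_EIGRP_ROUTES(ip)}")
```

Running it shows 192.168.77.1 as EIGRP-enabled by the loose network statement but denied by the distribute-list, which is exactly the kind of mismatch between "where EIGRP runs" and "what it advertises" that wildcard arithmetic makes easy to miss.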

EIGRP Bandwidth and Delay
• On R1's FE0/1, configure the interface delay so that the path towards the uplink is more preferred; no ECP
• On R1's FE0/2, configure the interface delay so that the path towards the uplink is less preferred; no ECP
>> R1 (1.1.1.1) <<
interface FastEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 delay 10
interface FastEthernet0/2
 ip address 10.1.3.1 255.255.255.0
 delay 100

Route Redistribution
• Redistribute OSPF routes that are matched by the ACL and route map into EIGRP
>> R1 (1.1.1.1) <<
ip access-list standard ACL-OSPF-ROUTES
 permit 192.168.30.0 0.0.0.255
route-map RM-OSPF-ROUTES permit 10
 match ip address ACL-OSPF-ROUTES
router ospf 1
 network 10.1.3.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 10
router eigrp 1
 network 192.168.10.0 0.0.0.255
 network 1.1.1.1 0.0.0.0
 network 10.1.2.0 0.0.0.255
 redistribute ospf 1 metric 1000 1 255 1 1500 route-map RM-OSPF-ROUTES
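The "delay" values on FE0/1 and FE0/2 and the five numbers after "redistribute ospf 1 metric" both feed the same EIGRP composite metric, so one calculation explains both examples. The script below is an added example (not from the guide): with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) the classic metric is 256 * (10^7 / minimum bandwidth in kbps + sum of delays in tens of microseconds), where the IOS "delay" command and the redistribute delay argument are both in tens of microseconds. The FastEthernet bandwidth of 100000 kbps is the IOS default for that interface type.

```python
"""EIGRP composite metric for the interface-delay and redistribution examples above.

Added example; not from the Configuration Reference Guide.
"""

FASTETHERNET_BW_KBPS = 100_000  # IOS default 'bandwidth' of a FastEthernet interface


def eigrp_metric(bandwidths_kbps, delays_tens_us, k1=1, k2=0, k3=1, k4=0, k5=0,
                 load=1, reliability=255):
    """Classic (32-bit) EIGRP metric along a path.

    bandwidths_kbps: bandwidth of every link on the path; the minimum is used.
    delays_tens_us:  'delay' value of every outgoing interface, in tens of microseconds.
    """
    bw = 10_000_000 // min(bandwidths_kbps)
    delay = sum(delays_tens_us)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:  # the reliability term only applies when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def seed_metric_from_redistribute(bandwidth_kbps, delay_tens_us, reliability, load, mtu):
    """Metric given to routes entering EIGRP via 'redistribute ... metric bw delay rel load mtu'.

    MTU is carried with the route but does not enter the default metric calculation."""
    return eigrp_metric([bandwidth_kbps], [delay_tens_us], load=load, reliability=reliability)


# R1's two uplink paths from the 'EIGRP Bandwidth and Delay' example above.
R1_PATHS = {
    "FastEthernet0/1": {"bw": [FASTETHERNET_BW_KBPS], "delay": [10]},
    "FastEthernet0/2": {"bw": [FASTETHERNET_BW_KBPS], "delay": [100]},
}


def best_path(paths):
    """Return (name of the lowest-metric path, {name: metric})."""
    metrics = {name: eigrp_metric(p["bw"], p["delay"]) for name, p in paths.items()}
    return min(metrics, key=metrics.get), metrics


if __name__ == "__main__":
    best, metrics = best_path(R1_PATHS)
    for name, metric in metrics.items():
        print(f"{name}: metric {metric}{'  <- preferred' if name == best else ''}")
    # From: redistribute ospf 1 metric 1000 1 255 1 1500
    print("redistributed OSPF seed metric:", seed_metric_from_redistribute(1000, 1, 255, 1, 1500))
```

FE0/1 ends up at 28160 (which is also the metric of an untouched FastEthernet interface, since "delay 10" equals the FastEthernet default of 100 µs) and FE0/2 at 51200, so there is no equal-cost pair and FE0/1 wins; the redistributed OSPF routes enter EIGRP with a seed metric of 2560256.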

EIGRP on NBMA
• Enabling EIGRP over a Frame Relay NBMA network
• Disable EIGRP split horizon
• EIGRP neighbors are defined under the routing process, matching the Frame Relay map statements under the serial interface
Topology: R1 (10.1.1.1) connects over the Frame Relay NBMA cloud to R2 (10.1.1.2) via DLCI 200 and to R3 (10.1.1.3) via DLCI 300
>> R1 <<
interface Serial0/1
 ip address 10.1.1.1 255.255.255.0
 encapsulation frame-relay
 no ip split-horizon eigrp 10
 frame-relay map ip 10.1.1.2 200
 frame-relay map ip 10.1.1.3 300
router eigrp 10
 network 192.168.10.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
 neighbor 10.1.1.2 Serial0/1
 neighbor 10.1.1.3 Serial0/1

NSF with EIGRP
• Enabling Non-Stop Forwarding (NSF) with the EIGRP routing process
router eigrp 1
 nsf

Solution/Services: Administration/System
Related: N/A

Error Disable All
• Enable Error Disable recovery for all causes
errdisable recovery cause all

Error Disable for Individual Events
• Enable Error Disable recovery for individual events (based on what the switch supports)
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection