Saturday, September 10, 2016

Cisco dCloud Free Virtual Labs

Cisco dCloud offers free virtual labs (you can use your CCO login) for doing network simulation and Proof of Concept (POC). With dCloud, you don't have to go through your Cisco account manager and ask for hardware just to test the latest features and services in your network environment. My first experience using dCloud was doing a POC for ASA with FirePower. Just follow these steps to register and schedule an event with dCloud. It will first ask you to create a profile and select the dCloud server nearest your country. There's a cool video introduction and a helpful dCloud manual which will guide you through each step.


You can use a Cisco IOS router as an endpoint device that will establish a VPN session to the dCloud network. There's a list of recommended routers, but I was able to use a Cisco 2811 router with Advanced Security K9 IOS 15.4 (c2800nm-advsecurityk9-mz.151-4.M10.bin). I installed this IOS in order to support the ip dns view commands. You can also use a virtual router to connect to dCloud.



There are a few options by which dCloud can configure your endpoint router. I chose the Console method so that I have full control over which configurations to apply.



You'll be asked to download a KitWizard, which is a zipped file, and apply it to your router and other LAN devices via console connection. I only applied the EZVPN related config, IP addressing and changed the ports to FastEthernet since I'm using a 2811 router.


You can also test your router connection to gauge its download/upload speed to dCloud.



I see a lot of benefits in using dCloud: there's no need to download evaluation software and licenses, you don't need to buy a VM server and worry about RAM size, and you only need a fairly recent Cisco ISR router or a PC with AnyConnect installed. Most of all, you don't have to blow up your production network, and you can leverage dCloud for studying high-level certs such as CCNP Security, CCNP Wireless, CCNP Collaboration or CCNP Service Provider. Below is the wireless lab topology that I used while studying for my CCNA Wireless (WIFUND) and CWNA, which I integrated into the dCloud network.



Go to My Sessions and search for content. I chose Cisco ISE 2.0 For BYOD and Guest Management v1.1 since it includes Cisco Identity Services Engine (ISE) 2.0 and Cisco Prime Infrastructure (PI) 2.2, which is all I need for my wireless lab. The requested schedule will only be approved by dCloud support during business hours.



Cisco ISE 2.0 For BYOD and Guest Management v1.1

Components

    Cisco Identity Services Engine (ISE) 2.0
    Cisco Prime Infrastructure 2.2
    Cisco Mobility Services Engine (MSE) 8.0
    Microsoft Active Directory-Windows 2008 R2
    Microsoft Exchange 2010-Windows 2008 R2
    Cisco Virtual Wireless Controller (vWLC) 8.0
    Cisco Virtual Cloud Services Router (CSRv)


Once your content is chosen, click Schedule. I clicked Extend session for longer than 5 days to give me plenty of time to play around. Click Request an Event.
 




An email notification will be sent to your registered email once booking is successful. My initial scheduled event wasn’t successful since I booked it on a weekend and after business hours. I was contacted by dCloud to make sure to schedule an event during business hours on a weekday.
 

You can add your router to your scheduled event by going to My sessions > select the router name under Available routers > click the down arrow > click Update.


You can verify if the router was successfully added under Routers > View Schedule.
 

Once your schedule is active, select View.


There are three main tabs which give you more details for the selected lab: Details, Servers and Resources.
 



Click on a server, browse via HTTPS to the given public IP address, and enter the username/password provided.


I was able to test and play around with the features of Cisco ISE and Prime afterwards.





Below is the "minimum" EZVPN configuration that I applied on my Cisco 2811 router to make it work with dCloud.

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

hostname kit-7869

logging buffered 5120000 debugging
enable secret cisco

aaa new-model

aaa authentication login default none

ip dhcp excluded-address 10.72.235.193 10.72.235.195
ip dhcp excluded-address 10.74.235.193 10.74.235.195

ip dhcp pool wired-data
   import all
   network 10.72.235.192 255.255.255.240
   default-router 10.72.235.193
   dns-server 10.72.235.193
   domain-name dcloud.cisco.com
   option 186 ip 198.18.133.6

ip dhcp pool wireless-data
   import all
   network 10.74.235.192 255.255.255.240
   default-router 10.74.235.193
   dns-server 10.74.235.193
   domain-name dcloud.cisco.com

username admin secret 5 $1$ByPQ$iCfNIwXDn5aBTKJQ4Dig1.

ip access-list extended acl-vpn-initiate
 remark traffic that will initiate the VPN session
 permit ip 10.64.0.0 0.63.255.255 198.18.0.0 0.1.255.255
ip access-list extended acl-nontunnel-traffic
 remark nat only non-tunnel-traffic
 remark no-nat to vpod networks
 deny   ip 10.64.0.0 0.63.255.255 198.18.0.0 0.1.255.255
 remark no-nat to other kits
 deny   ip 10.64.0.0 0.63.255.255 10.64.0.0 0.63.255.255
 remark no-nat to device VPNs
 deny   ip 10.64.0.0 0.63.255.255 10.16.0.0 0.1.255.255
 remark nat all other traffic
 permit ip 10.64.0.0 0.63.255.255 any

crypto isakmp keepalive 10 periodic

! The xauth username/password and xauth mode are sub-commands of the EZVPN client profile
crypto ipsec client ezvpn ToDemo
 connect acl acl-vpn-initiate
 ctcp port 443
 group dcloud-ipsec key Sup6pSup6p
 local-address FastEthernet0/0
 mode network-extension
 peer dcloud-rtp-ipsec.cisco.com
 peer dcloud-emear-ipsec.cisco.com
 peer dcloud-apjc-ipsec.cisco.com
 peer dcloud-chi-ipsec.cisco.com
 username endpoint-kit-7869 password jetq0tXcgIQWsuoZqnzF
 xauth userid mode local

ip dns server
ip dns name-list 1 permit .*.DCLOUD.CISCO.COM
ip dns view vpod-dns
 domain name-server  198.18.133.1
 dns forwarder 198.18.133.1
 dns forwarding source-interface FastEthernet0/1.10
ip dns view-list splitdns
 view vpod-dns 10
  restrict name-group 1
 view default 20

ip domain lookup source-interface FastEthernet0/1.10

interface FastEthernet0/0
 description dCloud Kit outside Interface for EZVPN
 no ip dhcp client request tftp-server-address
 ip address dhcp client-id FastEthernet0/0
 ip flow ingress
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn ToDemo
 no shutdown

interface FastEthernet0/1
 description Connection to dCloud Kit LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no shutdown

interface FastEthernet0/1.10
 description : dCloud Kit Wired Data
 encapsulation dot1Q 10
 ip address 10.72.235.193 255.255.255.240
 ip dns view-group splitdns
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 crypto ipsec client ezvpn ToDemo inside
 no shutdown

interface FastEthernet0/1.11
 description VLAN11 : dCloud Kit Wireless Data
 encapsulation dot1Q 11
 ip address 10.74.235.193 255.255.255.240
 ip dns view-group splitdns
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 crypto ipsec client ezvpn ToDemo inside
 no shutdown

interface Loopback 0
 description Used for telnet access to the router
 ip address 10.0.1.1 255.255.255.255
 no shutdown

ip nat inside source list acl-nontunnel-traffic interface FastEthernet0/0 overload

line con 0
 password cisco
 login
 logging synchronous

line vty 0 15
 password cisco
 login
 logging synchronous


Below is the full router running config.

kit-7869#show run
Building configuration...

Current configuration : 4430 bytes
!
! Last configuration change at 15:24:51 UTC Thu Sep 1 2016
! NVRAM config last updated at 15:30:08 UTC Thu Sep 1 2016
! NVRAM config last updated at 15:30:08 UTC Thu Sep 1 2016
version 15.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname kit-7869
!
boot-start-marker
boot-end-marker
!
!
logging buffered 5120000
enable password 7 01100F175804
!
aaa new-model
!
!
aaa authentication login default none
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.74.235.193 10.74.235.195
ip dhcp excluded-address 10.72.235.193 10.72.235.196
!
ip dhcp pool wired-data
 import all
 network 10.72.235.192 255.255.255.240
 default-router 10.72.235.193
 dns-server 10.72.235.193
 domain-name dcloud.cisco.com
 option 186 ip 198.18.133.6
!
ip dhcp pool wireless-data
 import all
 network 10.74.235.192 255.255.255.240
 default-router 10.74.235.193
 dns-server 10.74.235.193
 domain-name dcloud.cisco.com
!
!
!
ip domain lookup source-interface FastEthernet0/1.10
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FHK1308F18L
username admin privilege 15 secret 5 $1$ByPQ$iCfNIwXDn5aBTKJQ4Dig1.
!
redundancy
!
!
!
crypto isakmp key Sup6pSup6p hostname dcloud-apjc-ipsec.cisco.com
crypto isakmp keepalive 10 periodic
!
!
!
!
!
crypto ipsec client ezvpn ToDemo
 connect acl acl-vpn-initiate
 ctcp port 443
 group dcloud-ipsec key Sup6pSup6p
 local-address FastEthernet0/0
 mode network-extension
 peer dcloud-rtp-ipsec.cisco.com
 peer dcloud-emear-ipsec.cisco.com
 peer dcloud-apjc-ipsec.cisco.com
 peer dcloud-chi-ipsec.cisco.com
 username endpoint-kit-7869 password jetq0tXcgIQWsuoZqnzF
 xauth userid mode local
!
!
!
!
!
!
interface FastEthernet0/0
 description dCloud Kit outside Interface for EZVPN
 no ip dhcp client request tftp-server-address
 ip address dhcp client-id FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn ToDemo
!
interface FastEthernet0/1
 description Connection to dCloud Kit LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description : dCloud Kit Wired Data
 encapsulation dot1Q 10
 ip address 10.72.235.193 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 crypto ipsec client ezvpn ToDemo inside
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns view vpod-dns
 domain name-server  198.18.133.1
 dns forwarder 198.18.133.1
 dns forwarding source-interface FastEthernet0/1.10
ip dns view-list splitdns
 view vpod-dns 10
  restrict name-group 1
 view default 20
ip dns name-list 1 permit .*.DCLOUD.CISCO.COM
ip dns server
ip nat inside source list acl-nontunnel-traffic interface FastEthernet0/0 overload
!
ip access-list standard acl-telnet
 remark allowed networks for telnet access to endpoint kit
 permit 10.72.235.192 0.7.0.15
 permit 198.18.0.0 0.1.255.255
!
ip access-list extended acl-deny-dhcp
 remark deny DHCP packets from clients on the outside/dirty network
 deny   udp any any eq bootps
 permit ip any any
ip access-list extended acl-nontunnel-traffic
 remark nat only non-tunnel-traffic
 remark no-nat to vpod networks
 deny   ip 10.64.0.0 0.63.255.255 198.18.0.0 0.1.255.255
 remark no-nat to other kits
 deny   ip 10.64.0.0 0.63.255.255 10.64.0.0 0.63.255.255
 remark no-nat to device VPNs
 deny   ip 10.64.0.0 0.63.255.255 10.16.0.0 0.1.255.255
 remark nat all other traffic
 permit ip 10.64.0.0 0.63.255.255 any
ip access-list extended acl-vpn-initiate
 remark traffic that will initiate the VPN session
 permit ip 10.64.0.0 0.63.255.255 198.18.0.0 0.1.255.255
!
access-list 10 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 password 7 110A1016141D
 logging synchronous
line aux 0
line vty 0 4
 password 7 121A0C041104
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
ntp master
end


Below are some helpful show commands for troubleshooting EZVPN client connection to Cisco's dCloud. If your connection got stuck, just bounce the router's WAN port.

kit-7869#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
64.100.12.21    22.165.96.17  MM_NO_STATE       1003 ACTIVE (deleted)
173.38.218.8    22.165.96.17  MM_NO_STATE       1005 ACTIVE (deleted)
173.38.218.8    22.165.96.17  MM_NO_STATE       1004 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

kit-7869#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : ToDemo
Inside interface list: FastEthernet0/1.10
Outside interface: FastEthernet0/0
Easy VPN connect ACL checking active
Connect : ACL based with access-list acl-vpn-initiate
Current State: CONNECT_REQUIRED
Last Event: CONN_DOWN
Save Password: Allowed
Current EzVPN Peer: dcloud-emear-ipsec.cisco.com (cTCP encapsulated)

kit-7869#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
kit-7869(config)#interface f0/0
kit-7869(config-if)#shut
kit-7869(config-if)#no shut
kit-7869(config-if)#end
000031: Sep  2 23:03:56.663: %SYS-5-CONFIG_I: Configured from console by vty1 (10.72.235.198)
000032: Sep  2 23:03:57.475: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
000033: Sep  2 23:03:58.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

kit-7869#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES DHCP   up                    up
FastEthernet0/1            unassigned      YES NVRAM  up                    up
FastEthernet0/1.10         10.72.235.193   YES NVRAM  up                    up
NVI0                       unassigned      YES unset  administratively down down

kit-7869#
000034: Sep  2 23:04:04.583: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 22.165.96.17, mask 255.255.248.0, hostname kit-7869


kit-7869#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

kit-7869#
000035: Sep  2 23:04:41.755: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=dcloud-ipsec  Client_public_addr=22.165.96.17  Server_public_addr=173.38.218.8
kit-7869#
000036: Sep  2 23:04:47.019: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=dcloud-ipsec  Client_public_addr=22.165.96.17  Server_public_addr=173.38.218.8
kit-7869#
000037: Sep  2 23:04:48.699: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=endpoint-kit-7869  Group=dcloud-ipsec  Client_public_addr=22.165.96.17  Server_public_addr=173.39.116.8  NEM_Remote_Subnets=10.72.235.192/255.255.255.240



kit-7869#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            22.165.96.17    YES DHCP   up                    up
FastEthernet0/1            unassigned      YES NVRAM  up                    up
FastEthernet0/1.10         10.72.235.193   YES NVRAM  up                    up
NVI0                       unassigned      YES unset  administratively down down

kit-7869#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
173.38.218.8    22.165.96.17  MM_NO_STATE       1006 ACTIVE (deleted)
173.39.116.8    22.165.96.17  QM_IDLE           1007 ACTIVE

IPv6 Crypto ISAKMP SA


kit-7869#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : ToDemo
Inside interface list: FastEthernet0/1.10
Outside interface: FastEthernet0/0
Connect : ACL based with access-list acl-vpn-initiate
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Split Tunnel List: 1
       Address    : 198.18.0.0
       Mask       : 255.254.0.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 10.16.0.0
       Mask       : 255.254.0.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 3
       Address    : 10.64.0.0
       Mask       : 255.192.0.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: dcloud-apjc-ipsec.cisco.com (cTCP encapsulated)


kit-7869#ping 198.18.133.27 source 10.72.235.193   // PING TO CISCO ISE SOURCED FROM LAN IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.18.133.27, timeout is 2 seconds:
Packet sent with a source address of 10.72.235.193
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms


Below is the full KitWizard config file generated by dCloud.

!**************************************************************************************************
!   
!
!           ___ _                     _   ___ _                 _
!          / __(_)___  ___ ___     __| | / __\ | ___  _   _  __| |
!         / /  | / __|/ __/ _ \   / _` |/ /  | |/ _ \| | | |/ _` |
!        / /___| \__ \ (_| (_) | | (_| / /___| | (_) | |_| | (_| |
!        \____/|_|___/\___\___/   \__,_\____/|_|\___/ \__,_|\__,_|
!                                                                                   
!       
!       
! For information on how to configure your device please refer to the url -
! https://dcloud-cms.cisco.com/help/configure-router-for-cisco-dcloud
!
!
!**************************************************************************************************
!
!
! dCloud_2911_config_version: 1.0
! Built for Kit John on Sat Aug 27 00:13:48 UTC 2016
!
! This Config is for the Router.
!
!
!**************************************************************************************************
!
!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
no service config
!
hostname kit-7869
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 5120000 debugging
enable secret 5 $1$GwQZ$BDkrd.2SO/0s/IDy8FSdc0
!
aaa new-model
!
!
aaa authentication login default none
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
!
Vlan 10
name dcloud-wired-data
!
Vlan 100
name dcloud-wired-voice
!
Vlan 11
name dcloud-wireless-data
!
Vlan 101
name dcloud-wireless-voice
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.72.235.193 10.72.235.195
ip dhcp excluded-address 10.74.235.193 10.74.235.195
!
ip dhcp pool wired-data
   import all
   network 10.72.235.192 255.255.255.240
   default-router 10.72.235.193
   dns-server 10.72.235.193
   domain-name dcloud.cisco.com
   option 186 ip 198.18.133.6
!
ip dhcp pool wireless-data
   import all
   network 10.74.235.192 255.255.255.240
   default-router 10.74.235.193
   dns-server 10.74.235.193
   domain-name dcloud.cisco.com
!
ip tcp synwait-time 10
ip cef
no ip bootp server
!
no ipv6 cef
!
!
voice-card 0
 voice-service dsp-reservation 50
!
!
voice service voip
 no ip address trusted authenticate
 address-hiding
 mode border-element
 media forking
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  bind control source-interface BVI100
  bind media source-interface BVI100
  registrar server
  asymmetric payload full
  video screening
!
voice class codec 1
 codec preference 1 aacld
 codec preference 2 g722-64
 codec preference 3 g711ulaw
 codec preference 4 g729r8
 video codec h264
!
!
voice register global
system message dCloud Service Interruption
max-pool 5
!
voice register pool  1
translation-profile incoming PLUS
id network 0.0.0.0 mask 0.0.0.0
!
!
!
voice translation-rule 1
rule 1 /^6\(...\)$/ /+14085556\1/
rule 2 /^911$/ /+14085556018/
!
voice translation-rule 101
 rule 1 /^89/ //
!
voice translation-profile Forking101
 translate called 101
!
voice translation-profile PLUS
translate called 1
!
media class 1
 recorder parameter
  media-recording 101
!
username admin secret 5 $1$ByPQ$iCfNIwXDn5aBTKJQ4Dig1.
!
ip access-list standard acl-telnet
 remark allowed networks for telnet access to endpoint kit
 permit 10.72.235.192 0.7.0.15
 permit 198.18.0.0 0.1.255.255
!
ip access-list extended acl-deny-dhcp
 remark deny DHCP packets from clients on the outside/dirty network
 deny   udp any any eq bootps
 permit ip any any
ip access-list extended acl-vpn-initiate
 remark traffic that will initiate the VPN session
 permit ip 10.64.0.0 0.63.255.255 198.18.0.0 0.1.255.255
ip access-list extended acl-nontunnel-traffic
 remark nat only non-tunnel-traffic
 remark no-nat to vpod networks
 deny   ip 10.64.0.0 0.63.255.255 198.18.0.0 0.1.255.255
 remark no-nat to other kits
 deny   ip 10.64.0.0 0.63.255.255 10.64.0.0 0.63.255.255
 remark no-nat to device VPNs
 deny   ip 10.64.0.0 0.63.255.255 10.16.0.0 0.1.255.255
 remark nat all other traffic
 permit ip 10.64.0.0 0.63.255.255 any
!
!
crypto isakmp keepalive 10 periodic
!
!
!
crypto ipsec client ezvpn ToDemo
 connect acl acl-vpn-initiate
 ctcp port 443
 group dcloud-ipsec key Sup6pSup6p
 local-address GigabitEthernet0/0
 mode network-extension
 peer dcloud-rtp-ipsec.cisco.com
 peer dcloud-emear-ipsec.cisco.com
 peer dcloud-apjc-ipsec.cisco.com
 peer dcloud-chi-ipsec.cisco.com

 username endpoint-kit-7869 password jetq0tXcgIQWsuoZqnzF
 xauth userid mode local
!
!
bridge irb
bridge 10 protocol ieee
bridge 10 route ip
bridge 11 protocol ieee
bridge 11 route ip
bridge 100 protocol ieee
bridge 100 route ip
bridge 101 protocol ieee
bridge 101 route ip
!
interface BVI10
!
ip dns server
ip dns name-list 1 permit .*.DCLOUD.CISCO.COM
ip dns view vpod-dns
 domain name-server  198.18.133.1
 dns forwarder 198.18.133.1
 dns forwarding source-interface BVI10
ip dns view-list splitdns
 view vpod-dns 10
  restrict name-group 1
 view default 20
!
ip domain lookup source-interface BVI10
!
interface GigabitEthernet0/0
 description dCloud Kit outside Interface for EZVPN
 no ip dhcp client request tftp-server-address
 ip address dhcp client-id GigabitEthernet0/0
 ip access-group acl-deny-dhcp in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn ToDemo
 no shut
!
interface GigabitEthernet0/1
 description Connection to 3560 Switch Gi0/10
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 description : dCloud Kit Wired Data
 encapsulation dot1Q 10
 bridge-group 10
 !
 interface GigabitEthernet0/1.11
 description VLAN11 : dCloud Kit Wireless Data
 encapsulation dot1Q 11
 bridge-group 11
 !
 interface GigabitEthernet0/1.100
 description VLAN100 : dCloud Kit Wired Voice
 encapsulation dot1Q 100
 bridge-group 100
 !
 interface GigabitEthernet0/1.101
 description dCloud Kit Wireless Voice
 encapsulation dot1Q 101
 bridge-group 101
 !
interface GigabitEthernet0/1/0
 description Connection for AP 1142
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/1/1
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/1/2
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/1/3
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/1/4
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/1/5
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/1/6
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/1/7
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 switchport mode trunk
 no shut
!
!
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description VLAN10 : dCloud Kit Wired Data
 no ip address
 bridge-group 10
 no shut
!
interface Vlan11
 description VLAN11 : dCloud Kit Wireless Data
 no ip address
 bridge-group 11
 no shut
!
interface Vlan100
 description VLAN100 : dCloud Kit Wired Voice
 no ip address
 bridge-group 100
 no shut
!
interface Vlan101
 description VLAN101 : dCloud Kit Wireless Voice
 no ip address
 bridge-group 101
 no shut
!
interface Loopback 0
 description Used for telnet access to the router
 ip address 10.0.1.1 255.255.255.255
 no shutdown
!
interface BVI10
 description BVI10 : dCloud Kit Wired Data
 ip address 10.72.235.193 255.255.255.240
 ip dns view-group splitdns
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 crypto ipsec client ezvpn ToDemo inside
 no shut
!
interface BVI11
 description BVI11 : dCloud Kit Wireless Data
 ip address 10.74.235.193 255.255.255.240
 ip dns view-group splitdns
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 crypto ipsec client ezvpn ToDemo inside
 no shut
 !
interface BVI100
 description BVI100 : dCloud Kit Wired Voice
 ip address 10.73.235.193 255.255.255.240
 ip helper-address 198.19.255.21
 ip helper-address 198.19.255.22
 ip dns view-group splitdns
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 crypto ipsec client ezvpn ToDemo inside
 no shut
!
interface BVI101
 description BVI101 : dCloud Kit Wireless Voice
 ip address 10.75.235.193 255.255.255.240
 ip helper-address 198.19.255.21
 ip helper-address 198.19.255.22
 ip dns view-group splitdns
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 crypto ipsec client ezvpn ToDemo inside
 no shut
!
ip forward-protocol nd
no ip http server
!
ip nat inside source list acl-nontunnel-traffic interface GigabitEthernet0/0 overload
!
logging trap debugging
!
radius-server vsa send accounting
!
!
control-plane
!
!
mgcp profile default
!
sccp local BVI100
sccp ccm 198.18.133.3 identifier 1 version 7.0
sccp
!
sccp ccm group 1
 associate ccm 1 priority 1
 associate profile 1 register dCloud-remvid
!
dspfarm profile 1 conference video homogeneous 
 codec g722-64
 codec g711ulaw
 codec g711alaw
 codec g729ar8
 codec g729abr8
 codec g729r8
 codec g729br8
 codec h264 w360p frame-rate 30 bitrate 1mbps
 maximum sessions 1
 associate application SCCP
 no shutdown
!
dial-peer voice 1 voip
 description Default incoming dial-peer for all calls
 incoming called-number .T
 voice-class codec 1 
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 5 voip
 description Recording Inbound Dial-Peer
 translation-profile incoming Forking101
 incoming called-number 89.T
 voice-class codec 1 
 media-class 1
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 10 voip
 description outbound Recording dial peer
 preference 1
 destination-pattern .T
 session protocol sipv2
 session target ipv4:198.18.133.3
 session transport tcp
 voice-class codec 1 
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 101 voip
 description Forking Dial-Peer to MediaSense
 destination-pattern 3083
 signaling forward none
 session protocol sipv2
 session target ipv4:198.18.133.186
 session transport tcp
 voice-class codec 1 
!
!
!
!
gatekeeper
 shutdown
!
!
call-manager-fallback
secondary-dialtone 9
max-conferences 8 gain -6
transfer-system full-consult
ip source-address 10.72.235.193 port 2000
max-ephones 25
max-dn 50 octo-line
application default
system message primary dCloud Service Interruption
keepalive 10
voicemail 3050
translation-profile incoming PLUS
call-forward busy 3050
call-forward noan 3050 timeout 15
!
!
!
line con 0
 exec-timeout 240 0
 privilege level 15
 transport output telnet
line aux 0
 transport output telnet
line vty 0 15
 access-class acl-telnet in
 privilege level 15
 transport input telnet
!
end
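
An added example (not from the original post or from Cisco): a small Python audit that compares the router's running config with the KitWizard baseline shown above and lists the protections the trimmed-down config lost, such as the acl-telnet and acl-deny-dhcp lists that are defined but never applied. The excerpts, finding labels and function names are constructed for illustration.

```python
import re

# Constructed excerpts modelled on the two configs on this page; every
# password/hash value is a placeholder, not a value taken from the post.
RUNNING = """\
enable password 7 0000PLACEHOLDER
aaa authentication login default none
interface FastEthernet0/0
 ip nat outside
ip http server
ip access-list standard acl-telnet
 permit 198.18.0.0 0.1.255.255
ip access-list extended acl-deny-dhcp
 deny   udp any any eq bootps
 permit ip any any
line vty 0 4
 password 7 0000PLACEHOLDER
 transport input all
"""

KITWIZARD = """\
enable secret 5 $1$PLACEHOLDER
aaa authentication login default none
interface GigabitEthernet0/0
 ip access-group acl-deny-dhcp in
 ip nat outside
no ip http server
ip access-list standard acl-telnet
 permit 198.18.0.0 0.1.255.255
ip access-list extended acl-deny-dhcp
 deny   udp any any eq bootps
 permit ip any any
line vty 0 15
 access-class acl-telnet in
 transport input telnet
"""


def parse_blocks(config):
    """Group an IOS config into (header, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(text)
        else:
            blocks.append((text, []))
    return blocks


def audit(config):
    """Return a sorted list of finding labels for one configuration."""
    findings, acl_names, usage_tokens = set(), set(), set()
    for header, children in parse_blocks(config):
        acl = re.match(r"ip access-list (?:standard|extended) (\S+)$", header)
        if acl:
            acl_names.add(acl.group(1))
        else:  # an ACL name used outside an ACL definition counts as applied
            for line in [header] + children:
                usage_tokens.update(line.split())
        # Type 7 and cleartext passwords are both recoverable from the config.
        if any(re.search(r"\bpassword (?:7 )?\S+", ln) for ln in [header] + children):
            findings.add("reversible-password")
        if header == "aaa authentication login default none":
            findings.add("login-auth-none")
        if header == "ip http server":
            findings.add("http-server-enabled")
        if header.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in children):
                findings.add("vty-no-access-class")
            if any(re.match(r"transport input .*\b(all|telnet)\b", c) for c in children):
                findings.add("vty-telnet-allowed")
    findings.update("acl-defined-not-applied:" + n for n in acl_names - usage_tokens)
    return sorted(findings)


def regressions(applied, baseline):
    """Findings in the applied config that the baseline does not have."""
    return sorted(set(audit(applied)) - set(audit(baseline)))


if __name__ == "__main__":
    print(regressions(RUNNING, KITWIZARD))
```

The baseline itself still reports login-auth-none and vty-telnet-allowed, so on it the acl-telnet access-class is the only restriction on VTY logins.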