hostname RT-GW-1
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
object-group network CUSTOMER_POOL
description "LAN | CUSTOMER"
ip prefix 10.100.0.0/24
exit
object-group network DMVPN_HUB_1
description "DMZ | RT-HUB-1"
ip prefix 10.0.0.2/32
exit
object-group network DMVPN_INET_POOL
description "DMZ | DMVPN Cloud Remote LANs"
ip prefix 192.168.11.0/24
ip prefix 192.168.12.0/24
ip prefix 192.168.13.0/24
exit
object-group network ISP_1_PROXY
description "ISP-1 | ARP PROXY"
ip address-range 203.0.113.3
ip address-range 203.0.113.4
exit
security zone UNTRUSTED
description "ISP-1 | Uplink"
exit
security zone MGMT
description "MGMT | Management"
exit
security zone CUSTOMER
description "LAN | CUSTOMER"
exit
security zone DMVPN_ISP_1
description "DMZ | RT-HUB-1 uplink"
exit
security zone DMVPN_LAN
description "DMZ | RT-HUB-1 downlink"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_LAN_OUT
rule 10
description "DMZ | Default for DMVPN Hub"
match ip address 0.0.0.0/0
action set metric bgp 300 track 1 default 100
exit
exit
router bgp 65500
peer-group DMVPN_LAN
update-source port-channel 1.300
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_LAN_OUT out
default-originate
enable
exit
exit
neighbor 10.0.0.19
description "DMZ | RT-HUB-1"
remote-as 65001
peer-group DMVPN_LAN
enable
exit
neighbor 10.0.0.20
description "DMZ | RT-HUB-2"
remote-as 65002
peer-group DMVPN_LAN
enable
exit
enable
exit
interface port-channel 1
exit
interface port-channel 1.250
description "MGMT | Management link"
security-zone MGMT
ip address 10.250.0.1/24
exit
interface port-channel 1.100
description "LAN | CUSTOMER"
security-zone CUSTOMER
ip address 10.100.0.253/24
vrrp 1
ip address 10.100.0.1/24
priority 101
priority track 1 decrement 10
group 1
preempt disable
enable
exit
exit
interface port-channel 1.210
description "DMZ | RT-HUB-1 uplink to ISP-1"
security-zone DMVPN_ISP_1
ip address 10.0.0.1/30
exit
interface port-channel 1.300
description "DMZ | RT-HUB-1 downlink"
security-zone DMVPN_LAN
ip address 10.0.0.17/29
exit
interface gigabitethernet 1/0/1
description "ISP-1 | Uplink"
security-zone UNTRUSTED
ip address 203.0.113.2/25
ip nat proxy-arp ISP_1_PROXY
exit
interface gigabitethernet 1/0/3
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
interface gigabitethernet 1/0/4
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
security zone-pair MGMT self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair CUSTOMER self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | VRRP | From ANY | To ANY"
action permit
match protocol vrrp
enable
exit
exit
security zone-pair CUSTOMER UNTRUSTED
rule 10
description "Permit | ANY | From CUSTOMER | To ISP-1"
action permit
match source-address object-group network CUSTOMER_POOL
enable
exit
exit
security zone-pair DMVPN_ISP_1 self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair UNTRUSTED DMVPN_ISP_1
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP-1 | To RT-HUB-1"
action permit
match protocol udp
match destination-address object-group network DMVPN_HUB_1
match destination-port object-group IKE_AND_IPSEC
enable
exit
exit
security zone-pair DMVPN_ISP_1 UNTRUSTED
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From RT-HUB-1 | To ISP-1"
action permit
match protocol udp
match source-address object-group network DMVPN_HUB_1
match source-port object-group IKE_AND_IPSEC
enable
exit
exit
security zone-pair DMVPN_LAN self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_LAN CUSTOMER
rule 10
description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
action permit
match source-address object-group network DMVPN_INET_POOL
enable
exit
exit
security zone-pair CUSTOMER DMVPN_LAN
rule 10
description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
action permit
match destination-address object-group network DMVPN_INET_POOL
enable
exit
exit
security zone-pair DMVPN_LAN UNTRUSTED
rule 10
description "Permit | ANY | From DMVPN Cloud | To ISP-1"
action permit
match source-address object-group network DMVPN_INET_POOL
enable
exit
exit
nat source
pool CUSTOMER_PUBLIC_IP
ip address-range 203.0.113.3
exit
ruleset SNAT
to zone UNTRUSTED
rule 10
description "Source | CUSTOMER"
match source-address object-group network CUSTOMER_POOL
action source-nat pool CUSTOMER_PUBLIC_IP
enable
exit
rule 20
description "Static | RT-HUB-1"
match source-address object-group network DMVPN_HUB_1
action source-nat netmap 203.0.113.4/32 static
enable
exit
rule 30
description "Source | DMVPN Cloud"
match source-address object-group network DMVPN_INET_POOL
action source-nat pool CUSTOMER_PUBLIC_IP
enable
exit
exit
exit
ip route 0.0.0.0/0 203.0.113.1 name ISP-1
ip sla
ip sla logging status
ip sla test 1
description "PING | Google DNS"
icmp-echo 8.8.4.4 source-ip 203.0.113.2 num-packets 5
enable
exit
ip sla test 2
description "PING | ya.ru"
icmp-echo 77.88.44.242 source-ip 203.0.113.2 num-packets 5
enable
exit
ip sla schedule all life forever start-time now
track 1
description "REACHABLE | ISP-1"
track sla test 1 mode state fail
track sla test 2 mode state fail
enable
exit
|
hostname RT-GW-2
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
object-group network CUSTOMER_POOL
description "LAN | CUSTOMER"
ip prefix 10.100.0.0/24
exit
object-group network DMVPN_HUB_2
description "DMZ | RT-HUB-2"
ip prefix 10.0.0.10/32
exit
object-group network DMVPN_INET_POOL
description "DMZ | DMVPN Cloud Remote LANs"
ip prefix 192.168.11.0/24
ip prefix 192.168.12.0/24
ip prefix 192.168.13.0/24
exit
object-group network ISP_2_PROXY
description "ISP-2 | ARP PROXY"
ip address-range 203.0.113.131
ip address-range 203.0.113.132
exit
security zone UNTRUSTED
description "ISP-2 | Uplink"
exit
security zone MGMT
description "MGMT | Management"
exit
security zone CUSTOMER
description "LAN | CUSTOMER"
exit
security zone DMVPN_ISP_2
description "DMZ | RT-HUB-2 uplink"
exit
security zone DMVPN_LAN
description "DMZ | RT-HUB-2 downlink"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_LAN_OUT
rule 10
description "DMZ | Default for DMVPN Hub"
match ip address 0.0.0.0/0
action set metric bgp 200
exit
exit
router bgp 65500
peer-group DMVPN_LAN
update-source port-channel 1.300
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_LAN_OUT out
default-originate
enable
exit
exit
neighbor 10.0.0.19
description "DMZ | RT-HUB-1"
remote-as 65001
peer-group DMVPN_LAN
enable
exit
neighbor 10.0.0.20
description "DMZ | RT-HUB-2"
remote-as 65002
peer-group DMVPN_LAN
enable
exit
enable
exit
interface port-channel 1
exit
interface port-channel 1.250
description "MGMT | Management link"
security-zone MGMT
ip address 10.250.0.2/24
exit
interface port-channel 1.100
description "LAN | CUSTOMER"
security-zone CUSTOMER
ip address 10.100.0.254/24
vrrp 1
ip address 10.100.0.1/24
group 1
preempt disable
enable
exit
exit
interface port-channel 1.220
description "DMZ | RT-HUB-2 uplink to ISP-2"
security-zone DMVPN_ISP_2
ip address 10.0.0.9/30
exit
interface port-channel 1.300
description "DMZ | RT-HUB-2 downlink"
security-zone DMVPN_LAN
ip address 10.0.0.18/29
exit
interface gigabitethernet 1/0/1
description "ISP-2 | Uplink"
security-zone UNTRUSTED
ip address 203.0.113.130/25
ip nat proxy-arp ISP_2_PROXY
exit
interface gigabitethernet 1/0/3
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
interface gigabitethernet 1/0/4
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
security zone-pair MGMT self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair CUSTOMER self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | VRRP | From ANY | To ANY"
action permit
match protocol vrrp
enable
exit
exit
security zone-pair CUSTOMER UNTRUSTED
rule 10
description "Permit | ANY | From CUSTOMER | To ISP-2"
action permit
match source-address object-group network CUSTOMER_POOL
enable
exit
exit
security zone-pair DMVPN_ISP_2 self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair UNTRUSTED DMVPN_ISP_2
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP-2 | To RT-HUB-2"
action permit
match protocol udp
match destination-address object-group network DMVPN_HUB_2
match destination-port object-group IKE_AND_IPSEC
enable
exit
exit
security zone-pair DMVPN_ISP_2 UNTRUSTED
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From RT-HUB-2 | To ISP-2"
action permit
match protocol udp
match source-address object-group network DMVPN_HUB_2
match source-port object-group IKE_AND_IPSEC
enable
exit
exit
security zone-pair DMVPN_LAN self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_LAN CUSTOMER
rule 10
description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
action permit
match source-address object-group network DMVPN_INET_POOL
enable
exit
exit
security zone-pair CUSTOMER DMVPN_LAN
rule 10
description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
action permit
match destination-address object-group network DMVPN_INET_POOL
enable
exit
exit
security zone-pair DMVPN_LAN UNTRUSTED
rule 10
description "Permit | ANY | From DMVPN Cloud | To ISP-2"
action permit
match source-address object-group network DMVPN_INET_POOL
enable
exit
exit
nat source
pool CUSTOMER_PUBLIC_IP
ip address-range 203.0.113.131
exit
ruleset SNAT
to zone UNTRUSTED
rule 10
description "Source | CUSTOMER"
match source-address object-group network CUSTOMER_POOL
action source-nat pool CUSTOMER_PUBLIC_IP
enable
exit
rule 20
description "Static | RT-HUB-2"
match source-address object-group network DMVPN_HUB_2
action source-nat netmap 203.0.113.132/32 static
enable
exit
rule 30
description "Source | DMVPN Cloud"
match source-address object-group network DMVPN_INET_POOL
action source-nat pool CUSTOMER_PUBLIC_IP
enable
exit
exit
exit
ip route 0.0.0.0/0 203.0.113.129 name ISP-2
|
hostname SW-CORE-1 ! vlan database vlan 100,210,220,250,300 exit ! vpc domain 1 peer detection peer detection ipaddr 1.1.1.2 1.1.1.1 peer keepalive role priority 1 peer link port-channel 1 exit ! vpc ! vpc group 2 domain 1 vpc-port port-channel 2 exit ! vpc group 3 domain 1 vpc-port port-channel 3 exit ! vpc group 4 domain 1 vpc-port port-channel 4 exit ! vpc group 5 domain 1 vpc-port port-channel 5 exit ! vpc group 6 domain 1 vpc-port port-channel 6 exit ! vpc group 7 domain 1 vpc-port port-channel 7 exit ! ! interface TenGigabitEthernet1/0/1 ip address 1.1.1.1 255.255.255.252 exit ! interface TenGigabitEthernet1/0/2 channel-group 1 mode auto exit ! interface TenGigabitEthernet1/0/3 channel-group 1 mode auto exit ! interface TenGigabitEthernet1/0/4 channel-group 2 mode auto exit ! interface TenGigabitEthernet1/0/5 channel-group 3 mode auto exit ! interface TenGigabitEthernet1/0/6 channel-group 4 mode auto exit ! interface TenGigabitEthernet1/0/7 channel-group 5 mode auto exit ! interface TenGigabitEthernet1/0/8 channel-group 6 mode auto exit ! interface TenGigabitEthernet1/0/9 channel-group 7 mode auto exit ! interface range Port-Channel1 switchport mode general switchport general allowed vlan add 100,210,220,250,300 tagged exit ! interface range Port-Channel2-3 switchport mode general switchport general allowed vlan add 100,210,220,250,300 tagged exit ! interface range Port-Channel4-5 switchport mode general switchport general allowed vlan add 100,250 tagged exit ! interface range Port-Channel6-7 switchport mode general switchport general allowed vlan add 210,220,250,300 tagged exit ! interface vlan 100 name Internet exit ! interface vlan 250 name Management ip address 10.250.0.10 255.255.255.0 exit ! ! end |
hostname SW-CORE-2 ! vlan database vlan 100,210,220,250,300 exit ! vpc domain 1 peer detection peer detection ipaddr 1.1.1.1 1.1.1.2 peer keepalive role priority 1 peer link port-channel 1 exit ! vpc ! vpc group 2 domain 1 vpc-port port-channel 2 exit ! vpc group 3 domain 1 vpc-port port-channel 3 exit ! vpc group 4 domain 1 vpc-port port-channel 4 exit ! vpc group 5 domain 1 vpc-port port-channel 5 exit ! vpc group 6 domain 1 vpc-port port-channel 6 exit ! vpc group 7 domain 1 vpc-port port-channel 7 exit ! ! interface TenGigabitEthernet1/0/1 ip address 1.1.1.2 255.255.255.252 exit ! interface TenGigabitEthernet1/0/2 channel-group 1 mode auto exit ! interface TenGigabitEthernet1/0/3 channel-group 1 mode auto exit ! interface TenGigabitEthernet1/0/4 channel-group 2 mode auto exit ! interface TenGigabitEthernet1/0/5 channel-group 3 mode auto exit ! interface TenGigabitEthernet1/0/6 channel-group 4 mode auto exit ! interface TenGigabitEthernet1/0/7 channel-group 5 mode auto exit ! interface TenGigabitEthernet1/0/8 channel-group 6 mode auto exit ! interface TenGigabitEthernet1/0/9 channel-group 7 mode auto exit ! interface range Port-Channel1 switchport mode general switchport general allowed vlan add 100,210,220,250,300 tagged exit ! interface range Port-Channel2-3 switchport mode general switchport general allowed vlan add 100,210,220,250,300 tagged exit ! interface range Port-Channel4-5 switchport mode general switchport general allowed vlan add 100,250 tagged exit ! interface range Port-Channel6-7 switchport mode general switchport general allowed vlan add 210,220,250,300 tagged exit ! interface vlan 100 name Internet exit ! interface vlan 250 name Management ip address 10.250.0.11 255.255.255.0 exit ! ! end |
stack configuration unit-id 1 ! stack configuration links te1-2 ! stack nsf |
stack configuration unit-id 2 ! stack configuration links te1-2 ! stack nsf |
hostname SW-AGGR ! vlan database vlan 100,250 exit ! interface GigabitEthernet1/0/1 channel-group 1 mode auto exit ! interface GigabitEthernet1/0/2 channel-group 2 mode auto exit ! interface GigabitEthernet1/0/3 channel-group 3 mode auto exit ! interface GigabitEthernet1/0/4 channel-group 4 mode auto exit ! interface GigabitEthernet2/0/1 channel-group 1 mode auto exit ! interface GigabitEthernet2/0/2 channel-group 2 mode auto exit ! interface GigabitEthernet2/0/3 channel-group 3 mode auto exit ! interface GigabitEthernet2/0/4 channel-group 4 mode auto exit ! interface range Port-Channel1-4 switchport mode general switchport general allowed vlan add 100,250 tagged switchport forbidden default-vlan exit ! interface vlan 100 name Internet exit ! interface vlan 250 name Management ip address 10.250.0.20 255.255.255.0 exit ! ! end |
stack configuration unit-id 1 ! stack configuration links te1-2 ! stack nsf |
security zone Untrusted exit interface gigabitethernet 1/0/1 description "ISP1" security-zone Untrusted ip address 203.0.113.2/25 exit |
hostname SW-DMZ ! vlan database vlan 210,220,250,300 exit ! interface GigabitEthernet1/0/1 channel-group 1 mode auto exit ! interface GigabitEthernet1/0/2 channel-group 2 mode auto exit ! interface GigabitEthernet1/0/3 channel-group 3 mode auto exit ! interface GigabitEthernet1/0/4 channel-group 4 mode auto exit ! interface GigabitEthernet2/0/1 channel-group 1 mode auto exit ! interface GigabitEthernet2/0/2 channel-group 2 mode auto exit ! interface GigabitEthernet2/0/3 channel-group 3 mode auto exit ! interface GigabitEthernet2/0/4 channel-group 4 mode auto exit ! interface range Port-Channel1-2 switchport mode general switchport general allowed vlan add 210,220,250,300 tagged switchport forbidden default-vlan exit ! interface range Port-Channel3-4 switchport mode general switchport general allowed vlan add 210,220,250,300 tagged switchport forbidden default-vlan exit ! interface vlan 250 name Management ip address 10.250.0.40 255.255.255.0 exit ! ! end |
hostname SW-DIST-1 ! vlan database vlan 100,250 exit ! loopback-detection enable loopback-detection mode multicast-mac-addr loopback-detection interval 1 ! errdisable recovery cause loopback-detection ! ip dhcp snooping ip dhcp snooping vlan 100 ! ! ip arp inspection ip arp inspection vlan 100 ! ip ssh server ! no ip telnet server ! interface range gigabitethernet1/0/1-24 loopback-detection enable ip dhcp snooping limit clients 2 storm-control broadcast kbps 2048 trap storm-control unicast kbps 2048 trap storm-control multicast kbps 2048 trap spanning-tree disable spanning-tree bpdu filtering switchport mode general switchport general allowed vlan add 100 untagged switchport general pvid 100 switchport protected-port voice vlan enable exit ! interface tengigabitethernet1/0/1 channel-group 1 mode auto exit ! interface tengigabitethernet1/0/2 channel-group 1 mode auto exit ! interface Port-channel1 ip arp inspection trust ip dhcp snooping trust switchport mode general switchport general allowed vlan add 100,250 tagged switchport forbidden default-vlan exit ! interface vlan 100 name Internet exit ! interface vlan 250 name Management ip address 10.250.0.31 255.255.255.0 exit ! ! end |
hostname SW-DIST-2 ! vlan database vlan 100,250 exit ! loopback-detection enable loopback-detection mode multicast-mac-addr loopback-detection interval 1 ! errdisable recovery cause loopback-detection ! ip dhcp snooping ip dhcp snooping vlan 100 ! ! ip arp inspection ip arp inspection vlan 100 ! ip ssh server ! no ip telnet server ! interface range gigabitethernet1/0/1-24 loopback-detection enable ip dhcp snooping limit clients 2 storm-control broadcast kbps 2048 trap storm-control unicast kbps 2048 trap storm-control multicast kbps 2048 trap spanning-tree disable spanning-tree bpdu filtering switchport mode general switchport general allowed vlan add 100 untagged switchport general pvid 100 switchport protected-port voice vlan enable exit ! interface tengigabitethernet1/0/1 channel-group 1 mode auto exit ! interface tengigabitethernet1/0/2 channel-group 1 mode auto exit ! interface Port-channel1 ip arp inspection trust ip dhcp snooping trust switchport mode general switchport general allowed vlan add 100,250 tagged switchport forbidden default-vlan exit ! interface vlan 100 name Internet exit ! interface vlan 250 name Management ip address 10.250.0.32 255.255.255.0 exit ! ! end |
hostname RT-HUB-1
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
ip vrf ISP_1
exit
security zone DMVPN_ISP_1
description "ISP-1 | Uplink"
ip vrf forwarding ISP_1
exit
security zone DMVPN_LAN
description "DMVPN | Downlink to RT-GW"
exit
security zone DMVPN_NET_1
description "DMVPN | Cloud 1"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_NET_1_OUT
rule 10
description "DMZ | Default for DMVPN Spokes"
match ip address 0.0.0.0/0
action set metric bgp 100
exit
exit
route-map DMVPN_LAN_OUT
rule 10
description "DMVPN | Redistribute to RT-GW"
action set metric bgp 100
exit
exit
router bgp log-neighbor-changes
router bgp 65001
peer-group DMVPN_LAN
remote-as 65500
update-source port-channel 1.300
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_LAN_OUT out
enable
exit
exit
peer-group DMVPN_NET_1
remote-as 65000
update-source gre 10
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_1_OUT out
default-originate
enable
exit
exit
neighbor 10.0.0.17
description "DMZ | RT-GW-1"
peer-group DMVPN_LAN
enable
exit
neighbor 10.0.0.18
description "DMZ | RT-GW-2"
peer-group DMVPN_LAN
enable
exit
listen-range 172.16.1.0/24
peer-group DMVPN_NET_1
enable
exit
address-family ipv4 unicast
network 172.16.1.0/24
exit
enable
exit
interface port-channel 1
exit
interface port-channel 1.210
description "ISP-1 | Uplink"
ip vrf forwarding ISP_1
description "DMVPN_ISP_1"
security-zone DMVPN_ISP_1
ip address 10.0.0.2/30
exit
interface port-channel 1.300
description "DMVPN | Downlink to RT-GW"
security-zone DMVPN_LAN
ip address 10.0.0.19/29
exit
interface gigabitethernet 1/0/1
mode switchport
channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
mode switchport
channel-group 1 mode auto
exit
tunnel gre 10
description "DMVPN | Cloud 1"
key 1000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET_1
tunnel-source vrf ISP_1
local interface port-channel 1.210
ip address 172.16.1.1/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp redirect
ip nhrp ipsec DMVPN_IPSEC_VPN dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
security zone-pair DMVPN_ISP_1 self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP-1 | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | GRE | From ANY | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair DMVPN_LAN self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET_1 self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET_1 DMVPN_LAN
rule 10
description "Permit | ANY | From DMVPN Cloud 1 | To DMVPN Downlink"
action permit
enable
exit
exit
security zone-pair DMVPN_LAN DMVPN_NET_1
rule 10
description "Permit | ANY | From DMVPN Downlink | To DMVPN Cloud 1"
action permit
enable
exit
exit
security ike proposal DMVPN_IKE_PROP_1
description "DMVPN | IKE proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike keyring DMVPN_IKE_KEYRING
description "DMVPN | IKE keyring"
identity dns *.company.loc pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
exit
security ike policy DMVPN_IKE_POL
description "DMVPN | IKE policy"
lifetime seconds 86400
keyring DMVPN_IKE_KEYRING
authentication method keyring
proposal DMVPN_IKE_PROP_1
exit
security ike gateway DMVPN_IKE_GW
description "DMVPN | IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface port-channel 1.210
local network dynamic protocol gre
local id dns "hub1.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike session uniqueids replace
security ipsec proposal DMVPN_IPSEC_PROP_1
description "DMVPN | IPsec proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy DMVPN_IPSEC_POL
description "DMVPN | IPsec policy"
lifetime seconds 28800
lifetime kilobytes 4608000
proposal DMVPN_IPSEC_PROP_1
exit
security ipsec vpn DMVPN_IPSEC_VPN
description "DMVPN | IPsec VPN profile"
type transport
ip vrf forwarding ISP_1
ike establish-tunnel route
ike gateway DMVPN_IKE_GW
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
ip route vrf ISP_1 0.0.0.0/0 10.0.0.1 name ISP-1
|
hostname RT-HUB-2
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
ip vrf ISP_2
exit
security zone DMVPN_ISP_2
description "ISP-2 | Uplink"
ip vrf forwarding ISP_2
exit
security zone DMVPN_LAN
description "DMVPN | Downlink to RT-GW"
exit
security zone DMVPN_NET_2
description "DMVPN | Cloud 2"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_NET_2_OUT
rule 10
description "DMZ | Default for DMVPN Spokes"
match ip address 0.0.0.0/0
action set metric bgp 200
exit
exit
route-map DMVPN_LAN_OUT
rule 10
description "DMVPN | Redistribute to RT-GW"
action set metric bgp 200
exit
exit
router bgp log-neighbor-changes
router bgp 65002
peer-group DMVPN_LAN
remote-as 65500
update-source port-channel 1.300
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_LAN_OUT out
enable
exit
exit
peer-group DMVPN_NET_2
remote-as 65000
update-source gre 10
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_2_OUT out
default-originate
enable
exit
exit
neighbor 10.0.0.17
description "DMZ | RT-GW-1"
peer-group DMVPN_LAN
enable
exit
neighbor 10.0.0.18
description "DMZ | RT-GW-2"
peer-group DMVPN_LAN
enable
exit
listen-range 172.16.2.0/24
peer-group DMVPN_NET_2
enable
exit
address-family ipv4 unicast
network 172.16.2.0/24
exit
enable
exit
interface port-channel 1
exit
interface port-channel 1.220
description "ISP-2 | Uplink"
ip vrf forwarding ISP_2
description "DMVPN_ISP_2"
security-zone DMVPN_ISP_2
ip address 10.0.0.10/30
exit
interface port-channel 1.300
description "DMVPN | Downlink to RT-GW"
description "DMVPN_LAN"
security-zone DMVPN_LAN
ip address 10.0.0.20/29
exit
interface gigabitethernet 1/0/1
mode switchport
channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
mode switchport
channel-group 1 mode auto
exit
tunnel gre 10
description "DMVPN | Cloud 2"
key 2000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET_2
tunnel-source vrf ISP_2
local interface port-channel 1.220
ip address 172.16.2.1/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp redirect
ip nhrp ipsec DMVPN_IPSEC_VPN dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
security zone-pair DMVPN_ISP_2 self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP-2 | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | GRE | From ANY | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair DMVPN_LAN self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET_2 self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET_2 DMVPN_LAN
rule 10
description "Permit | ANY | From DMVPN Cloud 2 | To DMVPN Downlink"
action permit
enable
exit
exit
security zone-pair DMVPN_LAN DMVPN_NET_2
rule 10
description "Permit | ANY | From DMVPN Downlink | To DMVPN Cloud 2"
action permit
enable
exit
exit
security ike proposal DMVPN_IKE_PROP_1
description "DMVPN | IKE proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike keyring DMVPN_IKE_KEYRING
description "DMVPN | IKE keyring"
identity dns *.company.loc pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
exit
security ike policy DMVPN_IKE_POL
description "DMVPN | IKE policy"
lifetime seconds 86400
keyring DMVPN_IKE_KEYRING
authentication method keyring
proposal DMVPN_IKE_PROP_1
exit
security ike gateway DMVPN_IKE_GW
description "DMVPN | IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface port-channel 1.220
local network dynamic protocol gre
local id dns "hub2.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike session uniqueids replace
security ipsec proposal DMVPN_IPSEC_PROP_1
description "DMVPN | IPsec proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy DMVPN_IPSEC_POL
description "DMVPN | IPsec policy"
lifetime seconds 28800
lifetime kilobytes 4608000
proposal DMVPN_IPSEC_PROP_1
exit
security ipsec vpn DMVPN_IPSEC_VPN
description "DMVPN | IPsec VPN profile"
type transport
ip vrf forwarding ISP_2
ike establish-tunnel route
ike gateway DMVPN_IKE_GW
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
ip route vrf ISP_2 0.0.0.0/0 10.0.0.9 name ISP-2
|
hostname RT-OFFICE-1
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
ip vrf ISP
exit
security zone CUSTOMER
description "LAN | CUSTOMER"
exit
security zone UNTRUSTED
description "ISP | Uplink"
ip vrf forwarding ISP
exit
security zone DMVPN_NET
description "DMVPN | Cloud"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_NET_OUT
rule 10
description "DMZ | LAN for DMVPN Hub"
match ip address 192.168.11.0/24
exit
exit
router bgp log-neighbor-changes
router bgp 65000
neighbor 172.16.1.1
description "DMVPN | RT-HUB-1"
remote-as 65001
update-source gre 11
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
neighbor 172.16.2.1
description "DMVPN | RT-HUB-2"
remote-as 65002
update-source gre 12
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
address-family ipv4 unicast
network 192.168.11.0/24
exit
enable
exit
interface gigabitethernet 1/0/1
description "ISP | Uplink"
ip vrf forwarding ISP
security-zone UNTRUSTED
ip address 203.0.114.2/25
exit
interface gigabitethernet 1/0/2.100
description "LAN | CUSTOMER"
security-zone CUSTOMER
ip address 192.168.11.1/24
exit
tunnel gre 11
description "DMVPN | Cloud 1"
key 1000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP
local interface gigabitethernet 1/0/1
ip address 172.16.1.11/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.1.1 203.0.113.4
ip nhrp nhs 172.16.1.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_1 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
tunnel gre 12
description "DMVPN | Cloud 2"
key 2000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP
local interface gigabitethernet 1/0/1
ip address 172.16.2.11/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.2.1 203.0.113.132
ip nhrp nhs 172.16.2.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_2 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security zone-pair CUSTOMER self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair UNTRUSTED self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | ESP | From ISP | To ANY"
action permit
match protocol esp
enable
exit
rule 40
description "Permit | GRE | From ISP | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair DMVPN_NET self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET CUSTOMER
rule 10
description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
action permit
enable
exit
exit
security zone-pair CUSTOMER DMVPN_NET
rule 10
description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
action permit
enable
exit
exit
security ike proposal DMVPN_IKE_PROP_1
description "DMVPN | IKE proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike keyring DMVPN_IKE_KEYRING
description "DMVPN | IKE keyring"
identity dns *.company.loc pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
exit
security ike policy DMVPN_IKE_POL
description "DMVPN | IKE policy"
lifetime seconds 86400
keyring DMVPN_IKE_KEYRING
authentication method keyring
proposal DMVPN_IKE_PROP_1
exit
security ike gateway DMVPN_IKE_GW_HUB_1
description "DMVPN | RT-HUB-1 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke1.company.loc"
remote id dns "hub1.company.loc"
remote address 203.0.113.4
remote network 203.0.113.4/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_HUB_2
description "DMVPN | RT-HUB-2 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke1.company.loc"
remote id dns "hub2.company.loc"
remote address 203.0.113.132
remote network 203.0.113.132/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES
description "DMVPN | Spokes IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke1.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike session uniqueids replace
security ipsec proposal DMVPN_IPSEC_PROP_1
description "DMVPN | IPsec proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy DMVPN_IPSEC_POL
description "DMVPN | IPsec policy"
lifetime seconds 28800
lifetime kilobytes 4608000
proposal DMVPN_IPSEC_PROP_1
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_1
description "DMVPN | RT-HUB-1 IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_1
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_2
description "DMVPN | RT-HUB-2 IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_2
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES
description "DMVPN | Spokes IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_SPOKES
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
ip route vrf ISP 0.0.0.0/0 203.0.114.1 name ISP |
hostname SW-OFFICE-1 ! vlan database vlan 100 exit ! interface range GigabitEthernet1/0/1-24 switchport mode general switchport general allowed vlan add 100 untagged switchport general pvid 100 switchport protected-port exit ! interface TenGigabitEthernet1/0/1 switchport mode general switchport general allowed vlan add 100 tagged switchport forbidden default-vlan exit |
hostname RT-OFFICE-2
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
ip vrf ISP
exit
security zone CUSTOMER
description "LAN | CUSTOMER"
exit
security zone UNTRUSTED
description "ISP | Uplink"
ip vrf forwarding ISP
exit
security zone DMVPN_NET
description "DMVPN | Cloud"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_NET_OUT
rule 10
description "DMZ | LAN for DMVPN Hub"
match ip address 192.168.12.0/24
exit
exit
router bgp log-neighbor-changes
router bgp 65000
neighbor 172.16.1.1
description "DMVPN | RT-HUB-1"
remote-as 65001
update-source gre 11
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
neighbor 172.16.2.1
description "DMVPN | RT-HUB-2"
remote-as 65002
update-source gre 12
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
address-family ipv4 unicast
network 192.168.12.0/24
exit
enable
exit
interface gigabitethernet 1/0/1
ip vrf forwarding ISP
description "ISP | Uplink"
security-zone UNTRUSTED
ip address dhcp
exit
interface gigabitethernet 1/0/2.100
description "LAN | CUSTOMER"
security-zone CUSTOMER
ip address 192.168.12.1/24
exit
tunnel gre 11
description "DMVPN | Cloud 1"
key 1000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP
local interface gigabitethernet 1/0/1
ip address 172.16.1.12/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.1.1 203.0.113.4
ip nhrp nhs 172.16.1.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_1 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
tunnel gre 12
description "DMVPN | Cloud 2"
key 2000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP
local interface gigabitethernet 1/0/1
ip address 172.16.2.12/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.2.1 203.0.113.132
ip nhrp nhs 172.16.2.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_2 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security zone-pair CUSTOMER self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair UNTRUSTED self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | ESP | From ISP | To ANY"
action permit
match protocol esp
enable
exit
rule 40
description "Permit | GRE | From ISP | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair DMVPN_NET self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET CUSTOMER
rule 10
description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
action permit
enable
exit
exit
security zone-pair CUSTOMER DMVPN_NET
rule 10
description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
action permit
enable
exit
exit
security ike proposal DMVPN_IKE_PROP_1
description "DMVPN | IKE proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike keyring DMVPN_IKE_KEYRING
description "DMVPN | IKE keyring"
identity dns *.company.loc pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
exit
security ike policy DMVPN_IKE_POL
description "DMVPN | IKE policy"
keyring DMVPN_IKE_KEYRING
authentication method keyring
proposal DMVPN_IKE_PROP_1
exit
security ike gateway DMVPN_IKE_GW_HUB_1
description "DMVPN | RT-HUB-1 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke2.company.loc"
remote id dns "hub1.company.loc"
remote address 203.0.113.4
remote network 203.0.113.4/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_HUB_2
description "DMVPN | RT-HUB-2 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke2.company.loc"
remote id dns "hub2.company.loc"
remote address 203.0.113.132
remote network 203.0.113.132/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES
description "DMVPN | Spokes IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke2.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike session uniqueids replace
security ipsec proposal DMVPN_IPSEC_PROP_1
description "DMVPN | IPsec proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy DMVPN_IPSEC_POL
description "DMVPN | IPsec policy"
lifetime seconds 28800
lifetime kilobytes 4608000
proposal DMVPN_IPSEC_PROP_1
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_1
description "DMVPN | RT-HUB-1 IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_1
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_2
description "DMVPN | RT-HUB-2 IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_2
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES
description "DMVPN | Spokes IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_SPOKES
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
|
hostname SW-OFFICE-2 ! vlan database vlan 100 exit ! interface range GigabitEthernet1/0/1-24 switchport mode general switchport general allowed vlan add 100 untagged switchport general pvid 100 switchport protected-port exit ! interface TenGigabitEthernet1/0/1 switchport mode general switchport general allowed vlan add 100 tagged switchport forbidden default-vlan exit |
hostname RT-OFFICE-3
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
ip vrf ISP
exit
security zone CUSTOMER
description "LAN | CUSTOMER"
exit
security zone UNTRUSTED
description "ISP | Uplink"
ip vrf forwarding ISP
exit
security zone DMVPN_NET
description "DMVPN | Cloud"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_NET_OUT
rule 10
description "DMZ | LAN for DMVPN Hub"
match ip address 192.168.13.0/24
exit
exit
router bgp log-neighbor-changes
router bgp 65000
neighbor 172.16.1.1
description "DMVPN | RT-HUB-1"
remote-as 65001
update-source gre 11
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
neighbor 172.16.2.1
description "DMVPN | RT-HUB-2"
remote-as 65002
update-source gre 12
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
address-family ipv4 unicast
network 192.168.13.0/24
exit
enable
exit
interface gigabitethernet 1/0/1
ip vrf forwarding ISP
description "ISP | PPPoE source-interface"
exit
interface gigabitethernet 1/0/2.100
description "LAN | CUSTOMER"
security-zone CUSTOMER
ip address 192.168.13.1/24
exit
tunnel gre 11
description "DMVPN | Cloud 1"
key 1000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP
local interface pppoe 1
ip address 172.16.1.13/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.1.1 203.0.113.4
ip nhrp nhs 172.16.1.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_1 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
tunnel gre 12
description "DMVPN | Cloud 2"
key 2000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP
local interface pppoe 1
ip address 172.16.2.13/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.2.1 203.0.113.132
ip nhrp nhs 172.16.2.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_2 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
tunnel pppoe 1
ip vrf forwarding ISP
interface gigabitethernet 1/0/1
description "ISP | Uplink"
security-zone UNTRUSTED
username user password ascii-text encrypted 8CB5107EA7005AFF
enable
exit
security zone-pair CUSTOMER self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair UNTRUSTED self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | ESP | From ISP | To ANY"
action permit
match protocol esp
enable
exit
rule 40
description "Permit | GRE | From ISP | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair DMVPN_NET self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET CUSTOMER
rule 10
description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
action permit
enable
exit
exit
security zone-pair CUSTOMER DMVPN_NET
rule 10
description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
action permit
enable
exit
exit
security ike proposal DMVPN_IKE_PROP_1
description "DMVPN | IKE proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike keyring DMVPN_IKE_KEYRING
description "DMVPN | IKE keyring"
identity dns *.company.loc pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
exit
security ike policy DMVPN_IKE_POL
description "DMVPN | IKE policy"
lifetime seconds 86400
keyring DMVPN_IKE_KEYRING
authentication method keyring
proposal DMVPN_IKE_PROP_1
exit
security ike gateway DMVPN_IKE_GW_HUB_1
description "DMVPN | RT-HUB-1 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local tunnel pppoe 1
local network dynamic protocol gre
local id dns "spoke3.company.loc"
remote id dns "hub1.company.loc"
remote address 203.0.113.4
remote network 203.0.113.4/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_HUB_2
description "DMVPN | RT-HUB-2 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local tunnel pppoe 1
local network dynamic protocol gre
local id dns "spoke3.company.loc"
remote id dns "hub2.company.loc"
remote address 203.0.113.132
remote network 203.0.113.132/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES
description "DMVPN | Spokes IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local tunnel pppoe 1
local network dynamic protocol gre
local id dns "spoke3.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike session uniqueids replace
security ipsec proposal DMVPN_IPSEC_PROP_1
description "DMVPN | IPsec proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy DMVPN_IPSEC_POL
description "DMVPN | IPsec policy"
lifetime seconds 28800
lifetime kilobytes 4608000
proposal DMVPN_IPSEC_PROP_1
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_1
description "DMVPN | RT-HUB-1 IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_1
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_2
description "DMVPN | RT-HUB-2 IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_2
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES
description "DMVPN | Spokes IPsec VPN profile"
type transport
ip vrf forwarding ISP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_SPOKES
ike ipsec-policy DMVPN_IPSEC_POL
ike rekey margin kilobytes 86400
ike rekey margin seconds 3600
enable
exit
|
hostname SW-OFFICE-3 ! vlan database vlan 100 exit ! interface range GigabitEthernet1/0/1-24 switchport mode general switchport general allowed vlan add 100 untagged switchport general pvid 100 switchport protected-port exit ! interface TenGigabitEthernet1/0/1 switchport mode general switchport general allowed vlan add 100 tagged switchport forbidden default-vlan exit |
hostname RT-OFFICE-4
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
ip vrf ISP-CORE
exit
ip vrf ISP-BACKUP
exit
security zone CUSTOMER
description "LAN | CUSTOMER"
exit
security zone CORE
description "ISP-CORE | Uplink"
ip vrf forwarding ISP-CORE
exit
security zone BACKUP
description "ISP-BACKUP | Uplink"
ip vrf forwarding ISP-BACKUP
exit
security zone DMVPN_NET
description "DMVPN | Cloud"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_NET_OUT
rule 10
description "DMZ | LAN for DMVPN Hub"
match ip address 192.168.14.0/24
exit
exit
router bgp log-neighbor-changes
router bgp 65000
neighbor 172.16.1.1
description "DMVPN | RT-HUB-1"
remote-as 65001
update-source gre 11
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
neighbor 172.16.2.1
description "DMVPN | RT-HUB-2"
remote-as 65002
update-source gre 12
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
address-family ipv4 unicast
network 192.168.14.0/24
exit
enable
exit
interface gigabitethernet 1/0/1
ip vrf forwarding ISP-BACKUP
description "ISP-BACKUP | Uplink"
security-zone BACKUP
ip address 203.10.0.2/24
exit
interface gigabitethernet 1/0/2
ip vrf forwarding ISP-CORE
description "ISP-CORE | Uplink"
security-zone CORE
ip address 203.10.1.2/24
exit
interface gigabitethernet 1/0/3.100
description "LAN | CUSTOMER"
security-zone CUSTOMER
ip address 192.168.111.1/24
exit
interface gigabitethernet 1/0/4
ip firewall disable
ip address 192.168.47.141/20
exit
tunnel gre 11
description "DMVPN | Cloud 1"
key 1000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP-BACKUP
local interface gigabitethernet 1/0/1
ip address 172.16.1.14/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.1.1 203.0.113.4
ip nhrp nhs 172.16.1.1
ip nhrp enable
enable
exit
tunnel gre 12
description "DMVPN | Cloud 2"
key 2000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP-CORE
local interface gigabitethernet 1/0/2
ip address 172.16.2.14/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.2.1 203.0.113.132
ip nhrp nhs 172.16.2.1
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security zone-pair CUSTOMER self
rule 10
description "Permit | ICMP | From LAN | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair BACKUP self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | ESP | From ISP | To ANY"
action permit
match protocol esp
enable
exit
rule 40
description "Permit | GRE | From ISP | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair CORE self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | ESP | From ISP | To ANY"
action permit
match protocol esp
enable
exit
rule 40
description "Permit | GRE | From ISP | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair DMVPN_NET self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET CUSTOMER
rule 10
description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
action permit
enable
exit
exit
security zone-pair CUSTOMER DMVPN_NET
rule 10
description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
action permit
enable
exit
exit
security ike proposal DMVPN_IKE_PROP_1
description "DMVPN | IKE proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike keyring DMVPN_IKE_KEYRING
description "DMVPN | IKE keyring"
identity dns *.company.loc pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
exit
security ike policy DMVPN_IKE_POL
description "DMVPN | IKE policy"
lifetime seconds 86400
keyring DMVPN_IKE_KEYRING
authentication method keyring
proposal DMVPN_IKE_PROP_1
exit
security ike gateway DMVPN_IKE_GW_HUB_1
description "DMVPN | RT-HUB-1 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke4.company.loc"
remote id dns "hub1.company.loc"
remote address 203.0.113.4
remote network 203.0.113.4/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_HUB_2
description "DMVPN | RT-HUB-2 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/2
local network dynamic protocol gre
local id dns "spoke4.company.loc"
remote id dns "hub2.company.loc"
remote address 203.0.113.132
remote network 203.0.113.132/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES_1
description "DMVPN | Spokes IKE gateway via ISP-BACKUP"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke4.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES_2
description "DMVPN | Spokes IKE gateway via ISP-CORE"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/2
local network dynamic protocol gre
local id dns "spoke4.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike session uniqueids replace
security ipsec proposal DMVPN_IPSEC_PROP_1
description "DMVPN | IPsec proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy DMVPN_IPSEC_POL
description "DMVPN | IPsec policy"
lifetime seconds 28800
lifetime kilobytes 4608000
proposal DMVPN_IPSEC_PROP_1
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_1
description "DMVPN | RT-HUB-1 IPsec VPN profile"
type transport
ip vrf forwarding ISP-BACKUP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_1
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_2
description "DMVPN | RT-HUB-2 IPsec VPN profile"
type transport
ip vrf forwarding ISP-CORE
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_2
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES_1
description "DMVPN | Spokes IPsec VPN profile via ISP-BACKUP"
type transport
ip vrf forwarding ISP-BACKUP
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_SPOKES_1
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES_2
description "DMVPN | Spokes IPsec VPN profile via ISP-CORE"
type transport
ip vrf forwarding ISP-CORE
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_SPOKES_2
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
ip route vrf ISP-BACKUP 0.0.0.0/0 203.10.0.1 name ISP-BACKUP
ip route vrf ISP-CORE 0.0.0.0/0 203.10.1.1 name ISP-CORE
|
hostname SW-OFFICE-4 ! vlan database vlan 100 exit ! interface range GigabitEthernet1/0/1-24 switchport mode general switchport general allowed vlan add 100 untagged switchport general pvid 100 switchport protected-port exit ! interface TenGigabitEthernet1/0/1 switchport mode general switchport general allowed vlan add 100 tagged switchport forbidden default-vlan exit |
hostname RT-OFFICE-5
object-group service IKE_AND_IPSEC
description "IKE, IKE encrypted, ESP encap UDP"
port-range 500
port-range 4500
exit
object-group service BGP
description "BGP"
port-range 179
exit
object-group service BFD
description "BFD"
port-range 3784
exit
ip vrf ISP-CORE
exit
ip vrf ISP-MODEM
exit
security zone CUSTOMER
description "LAN | CUSTOMER"
exit
security zone CORE
description "ISP-CORE | Uplink"
ip vrf forwarding ISP-CORE
exit
security zone MODEM
description "ISP-MODEM | Uplink"
ip vrf forwarding ISP-MODEM
exit
security zone DMVPN_NET
description "DMVPN | Cloud"
exit
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
route-map DMVPN_NET_OUT
rule 10
description "DMZ | LAN for DMVPN Hub"
match ip address 192.168.15.0/24
exit
exit
router bgp log-neighbor-changes
router bgp 65000
neighbor 172.16.1.1
description "DMVPN | RT-HUB-1"
remote-as 65001
update-source gre 11
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
neighbor 172.16.2.1
description "DMVPN | RT-HUB-2"
remote-as 65002
update-source gre 12
fall-over bfd
address-family ipv4 unicast
route-map DMVPN_NET_OUT out
enable
exit
enable
exit
address-family ipv4 unicast
network 192.168.15.0/24
exit
enable
exit
cellular profile 1
APN internet
exit
interface gigabitethernet 1/0/1
ip vrf forwarding ISP-CORE
description "ISP-CORE | Uplink"
security-zone CORE
ip address 203.11.1.2/24
exit
interface gigabitethernet 1/0/3.100
description "LAN | CUSTOMER"
security-zone CUSTOMER
ip address 192.168.15.1/24
exit
cellular modem 1
ip vrf forwarding ISP-MODEM
description "ISP-MODEM | Uplink"
device 3-1
security-zone MODEM
profile 1
allowed-mode 3g
allowed-mode 4g
enable
exit
tunnel gre 11
description "DMVPN | Cloud 1"
key 1000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP-CORE
local interface gigabitethernet 1/0/1
ip address 172.16.1.15/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.1.1 203.0.113.4
ip nhrp nhs 172.16.1.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_1 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES_1 dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
tunnel gre 12
description "DMVPN | Cloud 2"
key 2000
ttl 64
mtu 1400
multipoint
security-zone DMVPN_NET
tunnel-source vrf ISP-MODEM
local interface modem 1
ip address 172.16.2.15/24
ip tcp adjust-mss 1360
ip nhrp authentication encrypted 8CB5107EA7005AFF
ip nhrp holding-time 600
ip nhrp shortcut
ip nhrp map 172.16.2.1 203.0.113.132
ip nhrp nhs 172.16.2.1
ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_2 static
ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES_2 dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security zone-pair CUSTOMER self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
exit
security zone-pair CORE self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | ESP | From ISP | To ANY"
action permit
match protocol esp
enable
exit
rule 40
description "Permit | GRE | From ISP | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair MODEM self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | IKE/IPsec | From ISP | To ANY"
action permit
match protocol udp
match destination-port object-group IKE_AND_IPSEC
enable
exit
rule 30
description "Permit | ESP | From ISP | To ANY"
action permit
match protocol esp
enable
exit
rule 40
description "Permit | GRE | From ISP | To ANY"
action permit
match protocol gre
enable
exit
exit
security zone-pair DMVPN_NET self
rule 10
description "Permit | ICMP | From ANY | To ANY"
action permit
match protocol icmp
enable
exit
rule 20
description "Permit | BGP | From ANY | To ANY"
action permit
match protocol tcp
match destination-port object-group BGP
enable
exit
rule 30
description "Permit | BFD | From ANY | To ANY"
action permit
match protocol udp
match destination-port object-group BFD
enable
exit
exit
security zone-pair DMVPN_NET CUSTOMER
rule 10
description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
action permit
enable
exit
exit
security zone-pair CUSTOMER DMVPN_NET
rule 10
description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
action permit
enable
exit
exit
security ike proposal DMVPN_IKE_PROP_1
description "DMVPN | IKE proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike keyring DMVPN_IKE_KEYRING
description "DMVPN | IKE keyring"
identity dns *.company.loc pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
exit
security ike policy DMVPN_IKE_POL
description "DMVPN | IKE policy"
lifetime seconds 86400
keyring DMVPN_IKE_KEYRING
authentication method keyring
proposal DMVPN_IKE_PROP_1
exit
security ike gateway DMVPN_IKE_GW_HUB_1
description "DMVPN | RT-HUB-1 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke5.company.loc"
remote id dns "hub1.company.loc"
remote address 203.0.113.4
remote network 203.0.113.4/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_HUB_2
description "DMVPN | RT-HUB-2 IKE gateway"
version v2-only
ike-policy DMVPN_IKE_POL
local interface modem 1
local network dynamic protocol gre
local id dns "spoke4.company.loc"
remote id dns "hub2.company.loc"
remote address 203.0.113.132
remote network 203.0.113.132/32 protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES_1
description "DMVPN | Spokes IKE gateway via ISP-CORE"
version v2-only
ike-policy DMVPN_IKE_POL
local interface gigabitethernet 1/0/1
local network dynamic protocol gre
local id dns "spoke5.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES_2
description "DMVPN | Spokes IKE gateway via ISP-MODEM"
version v2-only
ike-policy DMVPN_IKE_POL
local interface modem 1
local network dynamic protocol gre
local id dns "spoke5.company.loc"
remote address any
remote network any protocol gre
mode policy-based
mobike disable
dead-peer-detection action clear
dead-peer-detection interval 40
dead-peer-detection timeout 160
exit
security ike session uniqueids replace
security ipsec proposal DMVPN_IPSEC_PROP_1
description "DMVPN | IPsec proposal #1"
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy DMVPN_IPSEC_POL
description "DMVPN | IPsec policy"
lifetime seconds 28800
lifetime kilobytes 4608000
proposal DMVPN_IPSEC_PROP_1
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_1
description "DMVPN | RT-HUB-1 IPsec VPN profile"
type transport
ip vrf forwarding ISP-CORE
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_1
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_2
description "DMVPN | RT-HUB-2 IPsec VPN profile"
type transport
ip vrf forwarding ISP-MODEM
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_HUB_2
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES_1
description "DMVPN | Spokes IPsec VPN profile via ISP-CORE"
type transport
ip vrf forwarding ISP-CORE
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_SPOKES_1
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES_2
description "DMVPN | Spokes IPsec VPN profile via ISP-MODEM"
type transport
ip vrf forwarding ISP-MODEM
ike establish-tunnel route
ike gateway DMVPN_IKE_GW_SPOKES_2
ike ipsec-policy DMVPN_IPSEC_POL
enable
exit
ip route vrf ISP-CORE 0.0.0.0/0 203.11.1.1 name ISP-CORE
ip route vrf ISP-MODEM 0.0.0.0/0 interface modem 1 name ISP-MODEM |
hostname SW-OFFICE-5
!
! Only one VLAN is defined on this switch.
vlan database
 vlan 100
exit
!
! Access ports Gi1/0/1-24: VLAN 100 untagged, PVID 100.
! NOTE(review): "switchport protected-port" on every access port presumably
! blocks forwarding between these ports at layer 2 (client isolation) — confirm
! the platform semantics before relying on it as a security control.
interface range GigabitEthernet1/0/1-24
 switchport mode general
 switchport general allowed vlan add 100 untagged
 switchport general pvid 100
 switchport protected-port
exit
!
! Uplink Te1/0/1: VLAN 100 tagged only; the port is removed from the
! default VLAN so no untagged traffic is carried toward the router.
interface TenGigabitEthernet1/0/1
 switchport mode general
 switchport general allowed vlan add 100 tagged
 switchport forbidden default-vlan
exit
|