version 16.9
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname csr1000v
!
boot-start-marker
boot-end-marker
!
logging buffered 256000
logging console critical
enable secret
!
aaa new-model
!
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authorization console
!
aaa session-id common
clock timezone
!
no ip domain lookup
ip admission watch-list expiry-time 0
!
subscriber templating
!
multilink bundle-name authenticated
!
object-group network hub.spoke.int
!
redundancy
!
track 10 ip sla 10 reachability
 delay down 60 up 60
!
track 20 ip sla 20 reachability
 delay down 60 up 60
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set DMVPN-TS esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set DMVPN-MTRANS esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set DMVPN-TS esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set GRE-AES-TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile AES-TEST
 set transform-set GRE-AES-TEST
 set pfs group2
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TS
 set pfs group5
!
crypto ipsec profile DMVPN-TUN
 set transform-set DMVPN-TS
 set pfs group5
!
crypto ipsec profile DMVPN-TR
 set transform-set DMVPN-MTRANS
 set pfs group5
!
interface Tunnel35
 description [BKP] DMVPN
 bandwidth 10000
 ip address 10.35.101.229 255.255.252.0
 no ip redirects
 ip mtu 1396
 ip nhrp authentication VLx18
 ip nhrp network-id 35
 ip nhrp nhs 10.35.100.1 nbma 9.9.9.9 multicast
 ip tcp adjust-mss 1356
 delay 1100
 tunnel source GigabitEthernet4
 tunnel mode gre multipoint
 tunnel key 35
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN-TR shared
!
interface Tunnel36
 description [PRI] DMVPN
 bandwidth 10000
 ip address 10.36.101.229 255.255.252.0
 no ip redirects
 ip mtu 1396
 ip nhrp authentication VLx18
 ip nhrp network-id 36
 ip nhrp nhs 10.36.100.1 nbma 11.11.11.11 multicast
 ip tcp adjust-mss 1356
 delay 1000
 tunnel source GigabitEthernet4
 tunnel mode gre multipoint
 tunnel key 36
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN-TR shared
!
interface Tunnel188
 description [PRI]
 bandwidth 10000
 ip address 10.188.100.229 255.255.252.0
 no ip redirects
 ip mtu 1396
 ip bandwidth-percent eigrp 1 100
 ip nhrp authentication 18dm
 ip nhrp map 10.188.100.1 12.12.12.12
 ip nhrp map multicast 12.12.12.12
 ip nhrp network-id 188
 ip nhrp nhs 10.188.100.1
 ip tcp adjust-mss 1356
 delay 1000
 tunnel source GigabitEthernet4
 tunnel mode gre multipoint
 tunnel key 188
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN-TR shared
 ip virtual-reassembly
!
interface Tunnel189
 description [PRI] DMVPN
 bandwidth 10000
 ip address 10.189.200.229 255.255.252.0
 no ip redirects
 ip mtu 1396
 ip bandwidth-percent eigrp 1 100
 ip nhrp authentication x18dm
 ip nhrp map 10.189.200.1 13.13.13.13
 ip nhrp map multicast 13.13.13.13
 ip nhrp network-id 189
 ip nhrp nhs 10.189.200.1
 ip tcp adjust-mss 1356
 delay 1050
 shutdown
 tunnel mode gre multipoint
 tunnel key 189
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN-TR shared
!
interface GigabitEthernet2
 description Link Servers network [172.17.16.1]
 ip address 172.17.16.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet3
 ip address 172.17.17.1 255.255.255.0
 ip nat outside
 negotiation auto
!
interface GigabitEthernet4
 description -- ISP-1 Optical, 1000 Mbps --
 ip address 4.4.4.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip access-group 111 in
 ip access-group 121 out
 ip tcp adjust-mss 1360
 load-interval 30
 negotiation auto
!
router eigrp 1
 network 10.188.0.0 0.0.255.255
 network 10.189.0.0 0.0.255.255
 network 172.17.16.0 0.0.0.255
 offset-list TmpWorseRoute in 300000
 passive-interface default
 no passive-interface Tunnel188
 no passive-interface Tunnel189
 eigrp stub connected summary
!
router eigrp 3
 network 10.35.0.0 0.0.255.255
 network 10.36.0.0 0.0.255.255
 network 172.17.16.0 0.0.0.255
 network 172.17.17.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel36
 no passive-interface Tunnel35
!
router eigrp 81
 network 10.32.81.0 0.0.0.3
 network 172.17.16.0 0.0.0.255
 passive-interface default
 eigrp stub connected summary
!
ip nat inside source route-map MATCH-ISP1-NAT interface GigabitEthernet4 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 4.4.4.1 100
!
ip access-list standard TmpWorseRoute
 permit 172.20.20.0 0.0.0.255
ip access-list standard acl-mgmt
 permit
 deny any log
ip access-list standard acl-snmp
 permit 172.21.79.142
 permit 172.21.79.80
 permit 172.21.1.101
 deny any log
ip access-list standard no-redisrt-eigrp
 permit 172.18.0.0 0.0.255.255
 permit 172.21.0.0 0.0.255.255
 deny any
!
logging trap notifications
logging host 172.21.79.142
access-list 105 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 105 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 105 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 105 permit ip host 172.17.16.13 host
access-list 105 permit ip host 172.17.16.10 host
access-list 105 permit ip host 172.17.16.10 host
access-list 105 permit ip host 172.17.16.13 host
access-list 105 permit ip host 172.17.16.11 host
access-list 105 permit ip host 172.17.16.10 host
access-list 105 permit ip host 172.17.16.13 host
access-list 105 deny ip any any
access-list 111 permit icmp any any
access-list 111 permit udp any eq isakmp any eq isakmp
access-list 111 permit udp any eq non500-isakmp any eq non500-isakmp
access-list 111 permit udp any eq ntp any eq ntp
access-list 111 permit tcp any any established
access-list 111 permit ip host any
access-list 111 permit ip host any
access-list 111 permit ip host any
access-list 111 permit ip any
access-list 111 permit ip host any
access-list 111 permit ip host any
access-list 111 permit ip host any
access-list 111 permit ip host any
access-list 111 permit ip host any
access-list 111 permit ip host any
access-list 111 permit ip object-group hub.spoke.int any
access-list 111 permit gre host host
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny udp any eq ntp any log
access-list 111 deny ip any host 255.255.255.255
access-list 111 deny ip any any
access-list 112 permit ip host any
access-list 112 permit ip host any
access-list 121 permit icmp any any
access-list 121 deny ip host 0.0.0.0 any log
access-list 121 deny ip 127.0.0.0 0.255.255.255 any log
access-list 121 deny ip 10.0.0.0 0.255.255.255 any log
access-list 121 deny ip 172.16.0.0 0.15.255.255 host 172.30.165.255
access-list 121 deny ip 172.16.0.0 0.15.255.255 any log
access-list 121 deny ip 192.168.0.0 0.0.255.255 any log
access-list 121 deny ip 169.254.0.0 0.0.255.255 any log
access-list 121 deny ip 192.0.2.0 0.0.0.255 any log
access-list 121 deny ip 224.0.0.0 15.255.255.255 any log
access-list 121 deny ip 240.0.0.0 15.255.255.255 any log
access-list 121 permit ip any any
!
route-map MATCH-ISP1-NAT permit 10
 match ip address 105
!
snmp-server community RO acl-snmp
snmp ifmib ifindex persist
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
 login authentication CONSOLE
 stopbits 1
line vty 0
 access-class acl-mgmt in
 exec-timeout 0 0
 transport input all
line vty 1 4
 access-class acl-mgmt in
 exec-timeout 0 0
 length 0
 transport input all
line vty 5 15
 access-class acl-mgmt in
 exec-timeout 0 0
 length 0
 transport input all
!
ntp logging
ntp server 172.21.66.11
ntp server 172.21.65.11
!