version 15.5
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 1000000
!
hostname *
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging console critical
enable secret 5 *
!
aaa new-model
!
aaa authentication login default local
aaa authentication login INTERNAL local
aaa authorization network default local
aaa authorization network INTERNAL local
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
no ip source-route
!
no ip domain lookup
ip domain name *
!
subscriber templating
!
multilink bundle-name authenticated
!
flow exporter EXPORTER-WAN-1
 description Exports to SolarWindsOrion
 destination 192.168.0.105
 transport udp 65
!
flow exporter EXPORTER-WAN-2
 description Exports to SolarWindsOrion
 destination 192.168.0.26
 transport udp 65
!
flow monitor MONITOR-WAN-1
 description Capture WAN traffic flows
 exporter EXPORTER-WAN-1
 exporter EXPORTER-WAN-2
 record netflow ipv4 original-input
!
crypto pki trustpoint TP-self-signed-3800245885
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3800245885
 revocation-check none
 rsakeypair TP-self-signed-3800245885
!
crypto pki certificate chain TP-self-signed-3800245885
 certificate self-signed 01 nvram:IOS-Self-Sig#3506.cer
license udi pid ISR4431/K9 sn *
!
spanning-tree extend system-id
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
class-map match-any Network-Control
 match ip dscp cs6
class-map match-any Stream-Video
 match ip dscp af13
 match ip dscp cs1
class-map match-any VoIP-Control
 match ip dscp cs3
 match ip dscp af31
class-map match-any Video-Conf
 match ip dscp af41
 match ip dscp cs4
class-map match-any VoIP-RTP
 match ip dscp ef
 match ip dscp cs5
!
policy-map VPN-1536-VC
 class Video-Conf
  priority 900 60000
 class Network-Control
  bandwidth 800
 class class-default
  fair-queue
  random-detect
!
crypto keyring DMVPN-Remote
  pre-shared-key address 0.0.0.0 0.0.0.0 key *
crypto keyring SPRINT-EP1
  pre-shared-key address * key *
crypto keyring OTC-RTR
  pre-shared-key address * key *
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 600
!
crypto isakmp client configuration group CED-RAS-VPN
 key *
 dns 192.168.0.15 192.168.0.32
 pool vpnpool
 acl vpn-split-tunnel
crypto isakmp profile DMVPN
   keyring DMVPN-Remote
   match identity address 0.0.0.0
crypto isakmp profile CED-RAS-VPN
   match identity group CED-RAS-VPN
   client authentication list INTERNAL
   isakmp authorization list INTERNAL
   client configuration address respond
crypto isakmp profile SPRINT-EP1
   keyring SPRINT-EP1
   match identity address * 255.255.255.255
crypto isakmp profile OTC-RTR
   keyring OTC-RTR
   match identity address * 255.255.255.255
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set esp-3des-sha-trans esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set SPRINT esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile DMVPN
 set transform-set esp-3des-sha-trans
 set pfs group5
 set isakmp-profile DMVPN
!
!
!
crypto dynamic-map dynmap 10
 set transform-set vpn-client
 set isakmp-profile CED-RAS-VPN
!
!
crypto map hq-gre local-address GigabitEthernet0/0/1
crypto map hq-gre 10 ipsec-isakmp
 set peer *
 set transform-set SPRINT
 match address ep1-2-sprint
crypto map hq-gre 20 ipsec-isakmp
 set peer *
 set transform-set esp-aes256-sha esp-3des-sha
 match address DS-2-OTC
crypto map hq-gre 65535 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 172.18.254.1 255.255.255.255
!
interface Tunnel1
 bandwidth 50000
 ip address 172.18.0.1 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nbar protocol-discovery
 no ip next-hop-self eigrp 111
 no ip split-horizon eigrp 111
 ip nhrp authentication *
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 delay 1000
 qos pre-classify
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!
interface Tunnel254
 bandwidth 100
 ip address 172.16.13.253 255.255.255.252
 ip mtu 1400
 ip summary-address eigrp 222 172.16.0.0 255.255.0.0
 ip tcp adjust-mss 1360
 delay 1000
 qos pre-classify
 tunnel source GigabitEthernet0/0/1
 tunnel destination *
 tunnel path-mtu-discovery
!
interface GigabitEthernet0/0/0
 bandwidth 1000000
 ip address 172.16.13.10 255.255.255.240
 no ip redirects
 ip nbar protocol-discovery
 ip flow monitor MONITOR-WAN-1 input
 ip flow monitor MONITOR-WAN-1 output
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address * 255.255.255.224
 ip nbar protocol-discovery
 ip flow monitor MONITOR-WAN-1 input
 ip flow monitor MONITOR-WAN-1 output
 ip policy route-map sprint-mobile-reroute-rm
 media-type rj45
 negotiation auto
 crypto map hq-gre
 service-policy output VPN-1536-VC
 hold-queue 300 in
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
!
router eigrp 111
 distribute-list route-map static-block-tunnel-redis-rm out Tunnel1
 network 172.16.0.0
 network 172.18.0.0
 network 172.18.254.1 0.0.0.0
 redistribute bgp 18906 metric 3072 100 255 1 1400
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface GigabitEthernet0/0/0
!
!
router eigrp 222
 network 172.16.13.0 0.0.0.15
 network 172.16.13.252 0.0.0.3
 passive-interface default
 no passive-interface Tunnel254
 no passive-interface GigabitEthernet0/0/0
 eigrp router-id 172.16.13.10
!
router bgp 18906
 bgp router-id 172.18.254.1
 bgp log-neighbor-changes
 network 10.0.0.0
 network * mask 255.255.255.255
 network 172.16.0.0 mask 255.240.0.0
 network 192.168.0.0 mask 255.255.0.0
 neighbor 172.16.13.4 remote-as 18906
 neighbor 172.16.13.4 next-hop-self
 neighbor * remote-as 64645
 neighbor * ebgp-multihop 3
 neighbor * update-source Loopback0
 neighbor * next-hop-self
 neighbor * default-originate
 neighbor * distribute-list sprint-bgp-in-acl in
!
ip local pool vpnpool 172.18.10.1 172.18.10.254
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 *
ip route * 255.255.255.255 172.16.13.8
ip route * 255.255.255.255 *
!
!
ip access-list standard sprint-bgp-in-acl
 permit *
 permit *
 permit *
 permit *
ip access-list standard ssh-in
 permit 192.168.0.78
 permit *
 permit *
 permit *
 permit * 0.0.0.15
 permit 172.16.13.0 0.0.0.15
 deny   any log
ip access-list standard static-redis-acl
 permit *
 permit *
ip access-list standard telnet-in
 permit 192.168.0.0 0.0.0.255
 permit * 0.0.0.255
 permit 172.16.13.0 0.0.0.7
 permit 172.16.22.0 0.0.0.255
 permit 172.16.26.0 0.0.0.255
 permit 172.16.28.0 0.0.0.255
 deny   any log
ip access-list standard vpn-split-tunnel
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended DS-2-OTC
 permit gre host * host *
ip access-list extended ep1-2-sprint
 permit ip any * 0.0.3.255
 permit ip any * 0.0.3.255
 permit ip host 172.18.254.1 host *
 permit ip host * host *
 permit ip host * host *
ip access-list extended internet-in
 permit esp any host *
 permit udp any host * eq isakmp
 permit icmp any host * echo
 permit icmp any host * echo-reply
 permit tcp any host * eq 22
 permit ip any any log
ip access-list extended policy-reroute-acl
 deny   ip any * 0.0.0.31
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip * 0.0.3.255 any
 permit ip * 0.0.3.255 any
ip access-list extended vpn-routes
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
ip sla 40000
 tcp-connect 10.99.99.1 80 source-ip 172.16.13.10 source-port 63468
 owner SW.IpSla.FLDS-ORION001.SolarWindsOrion
 frequency 300
 threshold 1000
ip sla schedule 40000 life forever start-time now ageout 3600
ip sla responder
access-list 10 permit 192.168.0.105
access-list 10 permit 192.168.0.26
access-list 10 permit 172.16.26.0 0.0.0.255
access-list 10 permit * 0.0.0.255 log
access-list 10 deny   any
access-list 15 permit 192.168.0.5
access-list 15 deny   any
!
route-map df-bit-clear permit 10
 set ip df 0
!
route-map static-block-tunnel-redis-rm deny 10
 match ip address static-redis-acl
!
route-map static-block-tunnel-redis-rm permit 20
!
route-map sprint-mobile-reroute-rm permit 10
 match ip address policy-reroute-acl
 set ip next-hop 172.16.13.8
!
route-map static-redis-rm permit 10
 match ip address static-redis-acl
!
snmp-server group * v3 auth write * access 10
snmp-server group * v3 priv access 10
snmp-server view NORMAL iso included
snmp-server community * RO 10
snmp-server community * RW 10
snmp-server trap-source GigabitEthernet0/0/0
snmp-server source-interface informs GigabitEthernet0/0/0
snmp-server tftp-server-list 15
snmp-server location *
snmp-server contact *
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps ipmulticast
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps aaa_server
snmp-server enable traps flash insertion removal
snmp-server enable traps cnpd
snmp-server enable traps bgp
snmp-server enable traps bgp cbgp2
snmp-server enable traps ipsla
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server file-transfer access-group 15 protocol tftp
snmp ifmib ifindex persist
!
!
!
!
control-plane
!
alias exec cpu show processes cpu sorted | excl 0.00%  0.00%  0.00%
!
line con 0
 stopbits 1
line aux 0
 no exec
 transport input telnet
 stopbits 1
line vty 0 4
 access-class telnet-in in
 exec-timeout 60 0
 privilege level 15
 transport input telnet
line vty 5 6
 access-class ssh-in in
 exec-timeout 60 0
 privilege level 15
 transport input ssh
!
ntp server *
ntp server *
!
end