config t license boot level premium yes end write reload enable config t hostname HUB_WEST_01 no ip domain-lookup logging console debug line con 0 exec-time 0 0 logging sync alias exec r2 ssh -vrf mgt -l admin 172.16.0.2 alias exec r1 ssh -vrf mgt -l admin 172.16.0.1 vrf def mgt rd 1:1 add ipv4 unicast exit vrf def FD_VRF rd 1:2 add ipv4 unicast vrf def BLUE description DATA VRF rd 100:01 route both 100:01 add ipv4 unicast exit vrf def ORANGE description VOICE VRF rd 100:02 route both 100:02 add ipv4 unicast exit vrf def RED description OTHER VRF rd 100:03 route both 100:03 add ipv4 unicast exit int g1 vrf forw mgt desription OOB_management ip address 172.16.0.254 255.255.255.0 no shut int g2 vrf forw FD_VRF description front door VRF ip address 172.16.1.254 255.255.255.0 no shut int g3 no shut int g3.1 vrf forward BLUE ecapsulation dot1q 10 ip address 192.168.240.254 255.255.255.0 no shut int g3.2 vrf forward ORANGE encap dot1q 20 ip address 192.168.240.254 255.255.255.0 no shut int g3.3 vrf forward RED encap dot1 30 ip address 192.168.240.254 255.255.255.0 no shut interface tun0 description virtual mGRE interface in global table over FD_VRF ip address 10.0.0.254 255.255.255.0 ip nhrp network-id 100 ip nhrp redirect ip nhrp server-only #// tells hub it is not initiating any resolution requests # ip nhrp map multicast dynamic // required for multicast 2547oDMVPN? ip nhrp authentication MPLSVPN tunnel key 2547 mpls bgp forwarding # // above starts MPLS forwarding without LDP/TDP mpls nhrp // gives nhrp control over MPLS ip nhrp map group SP_01_Group_QoS service-policy output SP_01_QoS ip nhrp map group SP_02_Group_QoS service-policy output SP_02_QoS # tunnel protection ipsec profile default # // when you want to enable IPSEC setup profile name above and uncomment tunnel vrf FD_VRF tunnel source g2 tunnel mode gre multipoint interface tunnel 100 ip add 172.16.2.254 255.255.255.0 description for iBGP peering AS 65000 tunnel vrf mgt tunnel source g1 tunnel destination 172.16.0.253 #ip route vrf FD_VRF 0.0.0.0 0.0.0.0 172.16.0.250 #above default is placeholder for remote subnets on transport ip netwrok ip route vrf RED 192.168.240.0 255.255.248.0 null0 # summary for iBGP injection ip route vrf ORANGE 192.168.240.0 255.255.248.0 null0 # summary for iBGP injection ip route vrf BLUE 192.168.240.0 255.255.248.0 null0 # summary for iBGP injection router bgp 65000 bgp router-id 10.0.0.254 bgp log-neighbor-changes neighbor 10.0.0.1 remote-as 65001 neighbor 10.0.0.1 update-source Tun0 neighbor 10.0.0.2 remote-as 65002 neighbor 10.0.0.2 update-source Tun0 neighbor 172.16.2.253 remote-as 65000 neighbor 172.16.2.253 update-source tun100 #//add more neighbors here with eBGP AS address-family vpnv4 neighbor 10.0.0.1 activate neighbor 10.0.0.1 send-community extended neighbor 10.0.0.2 activate neighbor 10.0.0.2 send-community extended neighbor 172.16.2.253 activate neighbor 172.16.2.253 send-community extended address-family ipv4 vrf RED network 192.168.240.0 mask 255.255.248.0 address-family ipv4 vrf ORANGE network 192.168.240.0 mask 255.255.248.0 address-family ipv4 vrf BLUE network 192.168.240.0 mask 255.255.248.0 class-map match-all PRIORITY match ip dscp af43 policy-map PRIORITY_QoS class PRIORITY priority 512 #// llq 512KB policy-map SP_01_QoS description SP_01 shape 100Mbps, LLQ 512k class class-default shape average 100000000 service-policy PRIORITY_QoS policy-map SP_02_QoS description SP_02 shape 200Mbps, LLQ 512K class class-default shape average 200000000 service-policy PRIORITY_QoS //////////////// 12 7 2015 added ///////////// crypto isakmp policy 10 encryption 3des authentication pre-share hash md5 group 2 ! crypto keyring DMVPN_KEY_RING vrf FD_VRF pre-shared-key address 0.0.0.0 key 0 cisco123 crypto isakmp profile DMVPN_ISAKMP keyring DMVPN_KEY_RING match identity address 0.0.0.0 FD_VRF vrf FD_VRF crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac mode transport ! crypto ipsec profile DMVPN set transform-set 3DES_MD5 set isakmp-profile DMVPN_ISAKMP ! interface Tunnel 0 tunnel protection ipsec profile DMVPN shared //////////////////////// 12 8 2015 ////////////////// crypto ikev2 proposal 3DES/MD5/TRANSPORT encryption 3DES integrity md5 group 2 ! ! crypto ikev2 keyring DMVPN-KEYRING0 peer ANY address 0.0.0.0 0.0.0.0 pre-shared-key cisco123 ! crypto ikev2 keyring DMVPN-KEYRING1 peer ANY address 0.0.0.0 0.0.0.0 pre-shared-key cisco123 ! crypto ikev2 profile FVRF-IKEv2-IWAN-DMVPN0 match fvrf FD_VRF match identity remote address 0.0.0.0 authentication remote pre-share authentication local pre-share keyring local DMVPN-KEYRING0 ! crypto ikev2 profile FVRF-IKEv2-IWAN-DMVPN1 match fvrf FD_VRF match identity remote address 0.0.0.0 authentication remote pre-share authentication local pre-share keyring local DMVPN-KEYRING1 ! crypto ikev2 dpd 40 5 on-demand crypto isakmp invalid-spi-recovery ! crypto ipsec security-association replay window-size 1024 ! crypto ipsec transform-set 3DES/MD5/TRANSPORT esp-3des esp-md5 mode transport ! crypto ipsec profile DMVPN-PROFILE0 set transform-set 3DES/MD5/TRANSPORT set ikev2-profile FVRF-IKEv2-IWAN-DMVPN0 ! crypto ipsec profile DMVPN-PROFILE1 set transform-set 3DES/MD5/TRANSPORT set ikev2-profile FVRF-IKEv2-IWAN-DMVPN1 int tun0 tunnel protection ipsec profile DMVPN-PROFILE0 shared int tun1 tunnel protection ipsec profile DMVPN-PROFILE1 shared