Bryan: /* problems */

2025-07-08T19:35:48Z

problems

Bryan at 19:19, 8 July 2025

2025-07-08T19:19:01Z

Bryan: Created page with "This is a design for a DMVPN/FlexVPN using Cisco IOS-XE. = Goals = [X] - functional [-] - testing, but not working [ ] - to be worked on [X] DMVPN via the hub, no site..."

2025-07-08T19:13:22Z

Created page with "This is a design for a DMVPN/FlexVPN using Cisco IOS-XE. = Goals = [X] - functional [-] - testing, but not working [ ] - to be worked on [X] DMVPN via the hub, no site..."

New page

This is a design for a DMVPN/FlexVPN using Cisco IOS-XE.

= Goals =

[X] - functional
[-] - testing, but not working
[ ] - to be worked on

[X] DMVPN via the hub, no site to site traffic
[X] DMVPN - IKEv2
[X] DMVPN - aes 256
[X] iBGP between all nodes
[X] iBGP label distribution
[ ] BFD for tunnel interfaces
[ ] BFD for BGP
[ ] BFD for PIM
[X] Multicast on the underlay
[X] Multicast Underlay - anycast RP
[X] L3VPN over BGP
[-] L3VPN over BGP with multicast
[-] L3VPN w/mcast - Anycast RP on Hubs
[X] L3VPN local breakout via NAT
[-] L3VPN local breakout via NAT - failover between FRONT-DOOR and CELL-DOOR VRFs
[ ] L2VPN over BGP
[ ] Failover between FRONT and CELL
[ ] Failover between Core
[ ] Load Balance between cores
[ ] IPv6 DMVPN if needed
[ ] Cellular interface setup
[ ] Security hardening

= Diagram =

[[File:DMVPN Network 1.png|center|thumb|800px|DMVPN Network 1]]

= Design =
<pre>
The basic design is:

Core/P of 2 virtual routers running IOS-XE, each with two multi-point tunnels
iBGP used for routing, with the cores as RR
iBGP to distribute labels for MPLS
global table is the DMVPN underlay only (100.64.0.0/10)
FRONT-DOOR vrf for tunnels to the internet
MGMT-VRF for management
CUST-00000 - L3 VPN w/multicast (192.168.0.0/16)

Edge CE/PE
Two service provider VRF's
iBGP sessions to each RR
IBGP session to the RR loopback for MDT
FRONT-DOOR for Ethernet uplink
CELL-DOOR for 4g/5g uplink
CUST-00000 - L3 VPN w/multicast (192.168.0.0/16)
global table is the DMVPN underlay only
PIM for underlay on tunnel interfaces
All traffic routes via the core, no edge to edge breakout

</pre>
= configs =

== Core 1 ==

<pre>
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform sslvpn use-pd
platform console serial
!
hostname CORE-1
!
boot-start-marker
boot system bootflash:c8000v-universalk9.17.12.04a.SPA.bin
boot-end-marker
!
!
vrf definition CUST-00000
description Customer 00000 - Mvpn for DAMM radios
ipv4 multicast multitopology
rd 64512:0
route-target export 64512:100000
route-target import 64512:100000
!
address-family ipv4
mdt default 232.0.1.69
bgp next-hop Loopback0
exit-address-family
!
address-family ipv4 multicast
topology customer-000000
all-interfaces
!
exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnclient local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network localgroups local
!
aaa session-id common
no process cpu autoprofile hog
!
ip vrf FRONT-DOOR
description Front-Door VRF only for public
rd 62000:1
!
ip multicast-routing distributed
ip multicast-routing vrf CUST-00000 distributed
ip multicast longest-match
!
no ip domain lookup
ip domain name keekles.org
!
login on-failure log
login on-success log
!
subscriber templating
vtp version 1
!
mpls label mode all-vrfs protocol bgp-vpnv4 per-vrf
no mpls ip propagate-ttl
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9WCP1VOJDCN
license boot level ax
archive
log config
record rc
logging enable
logging size 400
path bootflash:archive/
maximum 14
time-period 5
memory free low-watermark processor 71477
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username ${USER1} privilege 15 secret 9
!
redundancy
!
crypto ikev2 proposal IKEv2-VPN
encryption aes-cbc-256
integrity sha512
group 19
!
crypto ikev2 policy IKEv2-VPN-POLICY
match fvrf FRONT-DOOR
proposal IKEv2-VPN
!
crypto ikev2 keyring NOI-DMVPN
peer REMOTE-ROUTERS
description REMOTE-ROUTERS
address 0.0.0.0 0.0.0.0
pre-shared-key ${PSK}
!
!
crypto ikev2 profile IKEv2-VPN-PROFILE
match fvrf FRONT-DOOR
match address local 23.149.104.20
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local NOI-DMVPN
no lifetime certificate
ivrf FRONT-DOOR
!
crypto ikev2 fragmentation
!
cdp run
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha512-hmac
mode transport
!
crypto ipsec profile IPSEC-PROF-DMVPN
set transform-set AES256
set ikev2-profile IKEv2-VPN-PROFILE
!
crypto ipsec profile IPSEC-PROF-STATIC
set transform-set AES256
set ikev2-profile IKEv2-VPN-PROFILE
!
interface Loopback0
description PROVIDER-LOOPBACK
ip address 100.120.0.1 255.255.255.255
ip pim nbma-mode
ip pim sparse-mode
ip igmp join-group 232.0.0.1 source 100.120.0.1
!
interface Loopback1
description PROVIDER-ANYCAST-RP
ip address 100.120.1.1 255.255.255.255
ip pim sparse-mode
!
interface Loopback100000
description CUST-00000 INTERCONNECT
vrf forwarding CUST-00000
ip address 192.168.0.1 255.255.255.255
ip pim sparse-dense-mode
ip igmp join-group 226.0.0.1
shutdown
!
interface Loopback200000
description CUST-00000 ANYCAST RP
vrf forwarding CUST-00000
ip address 192.168.0.0 255.255.255.255
ip pim nbma-mode
ip pim sparse-dense-mode
shutdown
!
interface Tunnel11
description CORE-1 PRIMARY DMVPN TUNNEL
ip address 100.122.0.1 255.255.192.0
no ip redirects
ip mtu 1400
ip pim dr-priority 4294967294
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication NOI-KEY
ip nhrp network-id 11
ip tcp adjust-mss 1360
cdp enable
ipv6 mtu 1400
ipv6 tcp adjust-mss 1340
ipv6 nhrp authentication NOI-KEY
ipv6 nhrp network-id 11
mpls bgp forwarding
llp nhrp map multicast dynamic
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf FRONT-DOOR
!
interface Tunnel12
description CORE-1 SECONDARY DMVPN TUNNEL
ip address 100.122.64.1 255.255.192.0
no ip redirects
ip mtu 1400
ip pim dr-priority 10
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication NOI-KEY
ip nhrp network-id 12
ip tcp adjust-mss 1360
shutdown
cdp enable
ipv6 mtu 1400
ipv6 tcp adjust-mss 1340
ipv6 nhrp authentication NOI-KEY
ipv6 nhrp network-id 12
mpls bgp forwarding
llp nhrp map multicast dynamic
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 12
tunnel vrf FRONT-DOOR
tunnel protection ipsec profile IPSEC-PROF-DMVPN shared
!
interface Tunnel1122
description GRE TUNNEL to CORE-2
ip address 100.120.255.1 255.255.255.252
no ip redirects
ip mtu 1452
ip pim sparse-mode
shutdown
cdp enable
mpls bgp forwarding
tunnel source GigabitEthernet1
tunnel destination 23.149.104.21
tunnel vrf FRONT-DOOR
tunnel protection ipsec profile IPSEC-PROF-STATIC
!
interface GigabitEthernet1
ip vrf forwarding FRONT-DOOR
ip address 23.149.104.20 255.255.255.224
negotiation auto
vrrp 12 description VRRP-FOR-NMS
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 100.120.255.130 255.255.255.240
ip pim sparse-dense-mode
ip igmp version 3
negotiation auto
vrrp 12 description VRRP-FOR-NMS
vrrp 12 ip 100.120.255.129
vrrp 12 priority 110
no mop enabled
no mop sysid
!
interface GigabitEthernet3
vrf forwarding CUST-00000
ip address 192.168.255.1 255.255.255.252
ip pim sparse-dense-mode
negotiation auto
cdp enable
no mop enabled
no mop sysid
!
router bgp 64512
bgp router-id interface Loopback0
bgp log-neighbor-changes
bgp listen range 100.120.255.0/30 peer-group HUB
bgp listen range 100.120.0.0/14 peer-group SPOKES
neighbor SPOKES peer-group
neighbor SPOKES remote-as 64512
neighbor SPOKES ebgp-multihop 255
neighbor SPOKES transport connection-mode passive
neighbor SPOKES update-source Loopback0
neighbor HUB peer-group
neighbor HUB remote-as 64512
neighbor 100.120.255.2 remote-as 64512
neighbor 100.120.255.2 peer-group HUB
!
address-family ipv4
network 0.0.0.0
redistribute connected
neighbor SPOKES activate
neighbor SPOKES send-community both
neighbor SPOKES route-reflector-client
neighbor SPOKES next-hop-self all
neighbor SPOKES send-label
neighbor HUB activate
neighbor HUB send-community both
neighbor HUB next-hop-self
neighbor HUB send-label
neighbor 100.120.255.2 activate
exit-address-family
!
address-family vpnv4
neighbor SPOKES activate
neighbor SPOKES send-community both
neighbor SPOKES route-reflector-client
neighbor SPOKES next-hop-self all
neighbor HUB activate
neighbor HUB send-community both
neighbor 100.120.255.2 activate
exit-address-family
!
address-family ipv4 mdt
neighbor SPOKES activate
neighbor SPOKES send-community both
neighbor SPOKES next-hop-self all
neighbor HUB activate
neighbor HUB send-community both
neighbor HUB next-hop-self all
exit-address-family
!
address-family ipv4 vrf CUST-00000
redistribute connected route-map CUST-00000-ROUTES
redistribute static route-map CUST-00000-ROUTES
exit-address-family
!
ip forward-protocol nd
!
ip pim rp-address 100.120.1.1 override
ip pim send-rp-announce Loopback1 scope 32 group-list 10
ip pim vrf CUST-00000 rp-address 192.168.255.255 override
ip pim vrf CUST-00000 register-source Loopback100000
ip msdp peer 100.120.0.2 connect-source Loopback0
ip msdp cache-sa-state
ip msdp originator-id Loopback0
ip msdp vrf CUST-00000 peer 192.168.0.2 connect-source Loopback100000
ip msdp vrf CUST-00000 cache-sa-state
ip msdp vrf CUST-00000 originator-id Loopback100000
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip route 0.0.0.0 0.0.0.0 Null0
ip route vrf CUST-00000 192.168.255.255 255.255.255.255 192.168.255.2
ip route vrf FRONT-DOOR 0.0.0.0 0.0.0.0 23.149.104.1
ip ssh bulk-mode 131072
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh pubkey-chain
username bryan
key-hash ssh-rsa FD61A6D6FFD817666D6E420C5E7029CB
key-hash ssh-ed25519 286A947512A7C2CB9B1E0FAF2D61998B bryan@bryanfields.net
!
ip access-list standard CUST-00000-NEXT-HOP-SELF-ACL
10 permit 192.168.0.0 0.0.0.255
20 permit 192.168.255.0 0.0.0.255
ip access-list standard VTY
10 permit 192.168.0.0 0.0.255.255
20 permit 100.64.0.0 0.63.255.255
30 permit 44.98.0.0 0.0.255.255
40 permit 199.47.174.0 0.0.0.255
50 permit 23.149.104.0 0.0.0.255
60 permit 100.120.255.128 0.0.0.7
ip access-list standard snmp-acl
10 permit 100.120.255.128 0.0.0.7
!
ip access-list standard 10
10 permit 224.0.0.0 15.255.255.255
ip access-list standard 20
10 deny 224.0.1.39
20 deny 224.0.1.40
30 permit 224.0.0.0 15.255.255.255
ip access-list extended 2000
10 permit igmp any any
20 permit pim any any
30 permit icmp any any
!
route-map CUST-00000-ROUTES permit 10
match ip address CUST-00000-NEXT-HOP-SELF-ACL
set ip next-hop 100.120.0.1
!
snmp-server group radio v3 priv access snmp-acl
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp ifmib ifindex persist
!
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
line vty 0
access-class VTY in vrf-also
exec-timeout 180 0
transport input ssh
line vty 1
access-class VTY in vrf-also
exec-timeout 180 0
length 0
transport input ssh
line vty 2 4
access-class VTY in vrf-also
exec-timeout 180 0
transport input ssh
line vty 5 15
access-class VTY in vrf-also
exec-timeout 180 0
transport input ssh
line vty 16 97
access-class VTY in vrf-also
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp logging
ntp source GigabitEthernet1
ntp server vrf FRONT-DOOR 45.79.214.107
ntp server vrf FRONT-DOOR 138.236.128.36
ntp server vrf FRONT-DOOR 50.205.57.38
ntp server vrf FRONT-DOOR 144.202.41.38

end
</pre>
== Bryan ==
<pre>

version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname bryan-ir1101
!
boot-start-marker
boot system flash bootflash:ir1101-universalk9.17.09.06.SPA.bin
boot-end-marker
!
!
vrf definition CUST-00000
description Customer 00000 - Mvpn for DAMM radios
rd 64512:0
route-target export 64512:100000
route-target import 64512:100000
!
address-family ipv4
mdt default 232.0.1.69
mdt mtu 1400
bgp next-hop Loopback0
exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnclient local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network localgroups local
!
!
aaa session-id common
!
ip vrf FRONT-DOOR
description Front-Door VRF only for public
rd 62000:1
!
ip multicast-routing distributed
ip multicast-routing vrf CUST-00000 distributed
!
!
!
!
!
!
ip name-server vrf FRONT-DOOR 1.1.1.1
no ip domain lookup
ip domain name keekles.org
!
ip dhcp pool CUST-00000-00
vrf CUST-00000
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 1.1.1.1
lease 0 0 15
!
!
!
login block-for 60 attempts 3 within 30
login delay 3
login on-failure log
login on-success log
ipv6 unicast-routing
!
no mpls ip propagate-ttl
multilink bundle-name authenticated
!
!

license feature hseck9
license udi pid IR1101-K9 sn FCW22260069
license boot level network-advantage
license smart transport callhome
archive
log config
record rc
logging enable
logging size 400
path bootflash:archive/
maximum 14
memory free low-watermark processor 45309
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
username nnnnnn privilege 15 secret 9
!
redundancy
!
crypto ikev2 proposal IKEv2-VPN
encryption aes-cbc-256
integrity sha512
group 19
!
crypto ikev2 policy IKEv2-VPN-POLICY
match fvrf FRONT-DOOR
proposal IKEv2-VPN
!
crypto ikev2 keyring NOI-DMVPN
peer REMOTE-ROUERS
!
peer CORE-1
description CORE-1
address 23.149.104.20
pre-shared-key <PSK>
!
peer CORE-2
description CORE-2
address 23.149.104.21
pre-shared-key <PSK>
!
!
!
crypto ikev2 profile IKEv2-VPN-PROFILE
match fvrf FRONT-DOOR
match identity remote address 23.149.104.20 255.255.255.255
match identity remote address 23.149.104.21 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local NOI-DMVPN
no lifetime certificate
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha512-hmac
mode transport
!
crypto ipsec profile IPSEC-PROF-DMVPN
set transform-set AES256
set ikev2-profile IKEv2-VPN-PROFILE
!
interface Loopback0
ip address 100.120.0.64 255.255.255.255
ip pim sparse-mode
ip igmp join-group 224.1.1.10
!
interface Tunnel11
ip address 100.122.0.64 255.255.192.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim sparse-mode
ip nhrp authentication NOI-KEY
ip nhrp map 100.122.0.1 23.149.104.20
ip nhrp map multicast 23.149.104.20
ip nhrp network-id 11
ip nhrp nhs 100.122.0.1
ip tcp adjust-mss 1360
cdp enable
ipv6 enable
ipv6 mtu 1400
ipv6 tcp adjust-mss 1340
ipv6 nhrp authentication NOI-KEY
ipv6 nhrp network-id 11
mpls bgp forwarding
llp nhrp map multicast 23.149.104.20
tunnel source GigabitEthernet0/0/0
tunnel destination 23.149.104.20
tunnel key 11
tunnel vrf FRONT-DOOR
!
interface Tunnel12
no ip address
ip pim sparse-mode
!
interface Tunnel21
ip address 100.123.0.64 255.255.192.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication NOI-KEY
ip nhrp map 100.123.0.1 23.149.104.21
ip nhrp map multicast 23.149.104.21
ip nhrp network-id 21
ip nhrp nhs 100.123.0.1
ip tcp adjust-mss 1360
shutdown
cdp enable
ipv6 enable
ipv6 mtu 1400
ipv6 tcp adjust-mss 1340
ipv6 nhrp authentication NOI-KEY
ipv6 nhrp network-id 21
mpls bgp forwarding
llp nhrp map multicast 23.149.104.21
tunnel source GigabitEthernet0/0/0
tunnel destination 23.149.104.21
tunnel key 21
tunnel vrf FRONT-DOOR
tunnel protection ipsec profile IPSEC-PROF-DMVPN ikev2-profile IKEv2-VPN-PROFILE
!
interface GigabitEthernet0/0/0
ip vrf forwarding FRONT-DOOR
ip address dhcp
ip nat outside
ipv6 dhcp client request vendor
ipv6 address autoconfig default
!
interface FastEthernet0/0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface FastEthernet0/0/4
!
interface Cellular0/1/0
ip address negotiated
ip tcp adjust-mss 1460
dialer in-band
dialer idle-timeout 0
dialer watch-group 1
ipv6 address dhcp
ipv6 enable
pulse-time 1
!
interface Cellular0/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan100
vrf forwarding CUST-00000
ip address 192.168.4.1 255.255.255.0
ip pim sparse-dense-mode
ip igmp join-group 226.0.0.64
ip igmp version 3
no autostate
!
interface Async0/2/0
no ip address
encapsulation scada
!
interface vasileft1
vrf forwarding CUST-00000
ip address 100.126.1.1 255.255.255.248
ip nat inside
no keepalive
!
interface vasiright1
ip vrf forwarding FRONT-DOOR
ip address 100.126.1.2 255.255.255.248
ip nat inside
no keepalive
!
router bgp 64512
bgp router-id interface Loopback0
bgp log-neighbor-changes
neighbor 100.120.0.1 remote-as 64512
neighbor 100.120.0.1 ebgp-multihop 255
neighbor 100.120.0.1 update-source Loopback0
neighbor 100.122.0.1 remote-as 64512
neighbor 100.122.0.1 ebgp-multihop 255
neighbor 100.123.0.1 remote-as 64512
neighbor 100.123.0.1 shutdown
neighbor 100.123.0.1 ebgp-multihop 255
!
address-family ipv4
network 100.120.0.0 mask 255.252.0.0
redistribute connected
no neighbor 100.120.0.1 activate
neighbor 100.122.0.1 activate
neighbor 100.122.0.1 send-label
neighbor 100.123.0.1 activate
neighbor 100.123.0.1 send-label
exit-address-family
!
address-family ipv4 mvpn
exit-address-family
!
address-family vpnv4
neighbor 100.122.0.1 activate
neighbor 100.122.0.1 send-community both
neighbor 100.123.0.1 activate
neighbor 100.123.0.1 send-community both
exit-address-family
!
address-family vpnv4 multicast
exit-address-family
!
address-family ipv4 mdt
neighbor 100.120.0.1 activate
neighbor 100.120.0.1 send-community both
neighbor 100.122.0.1 activate
neighbor 100.122.0.1 send-community extended
neighbor 100.123.0.1 activate
neighbor 100.123.0.1 send-community extended
exit-address-family
!
address-family ipv4 vrf CUST-00000
redistribute connected route-map CUST-00000-ROUTES
exit-address-family
!
ip forward-protocol nd
no ip http server
ip http auth-retry 3 time-window 1
ip http authentication local
ip http secure-server
ip pim rp-address 100.120.1.1 override
ip pim vrf CUST-00000 rp-address 192.168.255.255 override
ip pim vrf CUST-00000 send-rp-announce Vlan100 scope 32 group-list 10
ip pim vrf CUST-00000 send-rp-discovery Vlan100 scope 32
ip pim vrf CUST-00000 register-source BDI100
ip nat inside source list CUST-00000-NAT interface GigabitEthernet0/0/0 vrf FRONT-DOOR overload
ip route vrf CUST-00000 0.0.0.0 0.0.0.0 vasileft1 100.126.1.2
ip route vrf FRONT-DOOR 192.168.4.0 255.255.255.0 vasiright1 100.126.1.1
ip route vrf FRONT-DOOR 0.0.0.0 0.0.0.0 dhcp
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh pubkey-chain
username <USER>
key-hash ssh-ed25519 <hash>
!
!
ip access-list standard CUST-00000-ROUTE-ACL
10 permit 192.168.0.0 0.0.255.255
ip access-list standard VTY
10 permit 192.168.0.0 0.0.255.255
20 permit 100.64.0.0 0.63.255.255
30 permit 44.98.0.0 0.0.255.255
40 permit 199.47.174.0 0.0.0.255
50 permit 23.149.104.0 0.0.0.255
60 permit 100.120.255.128 0.0.0.7
ip access-list standard snmp-acl
10 permit 100.120.255.128 0.0.0.7
!
ip access-list extended CUST-00000-NAT
10 permit ip 192.168.4.0 0.0.0.255 any
!
ip access-list standard 1
10 permit any
ip access-list standard 10
10 permit 224.0.0.0 15.255.255.255
ip access-list standard 20
10 deny 224.0.1.39
20 deny 224.0.1.40
30 permit 224.0.0.0 15.255.255.255
ip access-list extended 101
10 permit ip any host 23.149.104.20
dialer watch-list 1 ip 5.6.7.8 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer-list 1 protocol ip list 1
!
route-map CUST-00000-ROUTES permit 10
match ip address CUST-00000-ROUTE-ACL
!
snmp-server group radio v3 priv access snmp-acl
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp ifmib ifindex persist
!
line con 0
stopbits 1
speed 115200
line 0/0/0
line 0/2/0
line vty 0 4
access-class VTY in vrf-also
exec-timeout 180 0
transport input all
line vty 5 97
access-class VTY in vrf-also
exec-timeout 180 0
transport input all
line vty 98 817
exec-timeout 180 0
transport input all
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
source-interface GigabitEthernet0/0/0
profile "CiscoTAC-1"
active
destination transport-method http
ntp logging
ntp master
ntp server vrf FRONT-DOOR 45.79.214.107
ntp server vrf FRONT-DOOR 138.236.128.36
ntp server vrf FRONT-DOOR 162.248.241.94
ntp server vrf FRONT-DOOR 172.104.193.207
ntp server vrf FRONT-DOOR ip pool.ntp.org
end
</pre>
== NO ==

@@ Line 60: / Line 60: @@
 = problems =
-Curently it's configured as 3 routers only.
+Currently it's configured as 3 routers only.  IPSEC is disabled on tun 11 for testing.
 == Multicast in VRF ==

@@ Line 58: / Line 58: @@
 </pre>
 = configs =
-== Core 1 ==
+== Hub - Core 1 ==
 <pre>
@@ Line 481: / Line 490: @@
 end
 </pre>
-== Bryan ==
+== Spoke 1 - Bryan ==
 <pre>
@@ Line 881: / Line 890: @@
 end
 </pre>
-== NO ==
+== Spoke - NOI ==

DMVPN Service Provider - Revision history

Bryan: /* problems */

Bryan at 19:19, 8 July 2025

Bryan: Created page with "This is a design for a DMVPN/FlexVPN using Cisco IOS-XE. = Goals = [X] - functional [-] - testing, but not working [ ] - to be worked on [X] DMVPN via the hub, no site..."