DMVPN Service Provider

From W9CR

This is a design for a DMVPN/FlexVPN using Cisco IOS-XE.

Goals

[X] - functional
[-] - testing, but not working
[ ] - to be worked on
[X] DMVPN via the hub, no site to site traffic
[X] DMVPN - IKEv2
[X] DMVPN - aes 256
[X] iBGP between all nodes
[X] iBGP label distribution
[ ] BFD for tunnel interfaces
[ ] BFD for BGP
[ ] BFD for PIM
[X] Multicast on the underlay
[X] Multicast Underlay - anycast RP
[X] L3VPN over BGP
[-] L3VPN over BGP with multicast
[-] L3VPN w/mcast - Anycast RP on Hubs
[X] L3VPN local breakout via NAT
[-] L3VPN local breakout via NAT - failover between FRONT-DOOR and CELL-DOOR VRFs
[ ] L2VPN over BGP
[ ] Failover between FRONT and CELL
[ ] Failover between Core
[ ] Load Balance between cores
[ ] IPv6 DMVPN if needed
[ ] Cellular interface setup
[ ] Security hardening

Diagram

DMVPN Network 1

Design

The basic design is:

Core/P: 2 virtual routers running IOS-XE, each with two multipoint tunnels
   iBGP used for routing, with the cores as RR
   iBGP to distribute labels for MPLS
   global table is the DMVPN underlay only (100.64.0.0/10)
   FRONT-DOOR VRF for tunnels to the internet
   MGMT-VRF for management
   CUST-00000 - L3VPN w/multicast (192.168.0.0/16)

Edge CE/PE
   Two service provider VRFs
   iBGP sessions to each RR
   iBGP session to the RR loopback for MDT
   FRONT-DOOR for Ethernet uplink
   CELL-DOOR for 4G/5G uplink
   CUST-00000 - L3VPN w/multicast (192.168.0.0/16)
   global table is the DMVPN underlay only
   PIM for underlay on tunnel interfaces
   All traffic routes via the core, no edge-to-edge breakout

problems

Currently it's configured as 3 routers only. IPsec is disabled on Tunnel11 for testing, so hub-to-spoke traffic on the primary tunnel is plain GRE across the FRONT-DOOR VRF. Two more items belong on the hardening list: the hub keyring peer REMOTE-ROUTERS matches address 0.0.0.0 0.0.0.0 with a single pre-shared key, so any host that has the PSK can negotiate an SA with the hub, and the spoke VTYs use transport input all (telnet permitted), with line vty 98 817 carrying no access-class at all.
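The "Security hardening" goal is still open, so here is a way to keep score against the configs below. This is an added example, not W9CR's own tooling: a small Python script that parses an IOS-XE running-config into blocks and flags three things visible on this page, a tunnel with a source but no tunnel protection (Tunnel11 on both routers), an IKEv2 keyring peer at address 0.0.0.0 0.0.0.0 (the hub), and VTY ranges that permit telnet or have no access-class (the spoke). The sample configs in the block are constructed excerpts of the CORE-1 and bryan-ir1101 configs with secrets redacted; the function and class names are mine.

```python
"""Hardening checks for the IOS-XE DMVPN configs on this page. Added example,
not W9CR's tooling; the samples are constructed excerpts (secrets redacted)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    device: str
    where: str   # config block the finding applies to
    issue: str

def parse_blocks(text):
    """Split an IOS running-config into (header, [children]) pairs. A column-0
    line opens a block; a column-0 '!' or blank line closes it. An indented '!'
    is only a separator, so 'peer' stanzas stay inside their keyring block."""
    blocks, header, children = [], None, []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            if not raw.startswith(" ") and header is not None:
                blocks.append((header, children))
                header, children = None, []
        elif not raw.startswith(" "):
            if header is not None:
                blocks.append((header, children))
            header, children = stripped, []
        elif header is not None:
            children.append(stripped)
    if header is not None:
        blocks.append((header, children))
    return blocks

def audit(config_text):
    """Return the open hardening items for one device, in config order."""
    blocks = parse_blocks(config_text)
    device = next((h.split(None, 1)[1] for h, _ in blocks if h.startswith("hostname ")), "?")
    found = []
    for header, kids in blocks:
        if header.startswith("interface Tunnel") and any(k.startswith("tunnel source") for k in kids):
            # A tunnel with a source carries traffic; without 'tunnel protection' it is plain GRE.
            if not any(k.startswith("tunnel protection ipsec profile") for k in kids):
                state = "admin down" if "shutdown" in kids else "up"
                found.append(Finding(device, header, f"GRE tunnel without tunnel protection ({state})"))
        elif header.startswith("crypto ikev2 keyring"):
            # address 0.0.0.0 0.0.0.0 lets any host that knows the PSK negotiate an SA.
            peer = None
            for k in kids:
                if k.startswith("peer "):
                    peer = k.split(None, 1)[1]
                elif k == "address 0.0.0.0 0.0.0.0" and peer:
                    found.append(Finding(device, f"{header} / peer {peer}",
                                         "wildcard peer address with a pre-shared key"))
        elif header.startswith("line vty"):
            # Management plane: every VTY range needs an access-class and SSH-only transport.
            if not any(k.startswith("access-class") for k in kids):
                found.append(Finding(device, header, "no access-class on VTY"))
            for k in kids:
                if k.startswith("transport input") and re.search(r"\b(all|telnet)\b", k):
                    found.append(Finding(device, header, f"cleartext management allowed: {k}"))
    return found

SAMPLE_HUB = """\
hostname CORE-1
!
crypto ikev2 keyring NOI-DMVPN
 peer REMOTE-ROUTERS
  address 0.0.0.0 0.0.0.0
  pre-shared-key REDACTED
 !
!
interface Tunnel11
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
!
line vty 0 4
 access-class VTY in vrf-also
 transport input ssh
"""

SAMPLE_SPOKE = """\
hostname bryan-ir1101
!
interface Tunnel11
 tunnel source GigabitEthernet0/0/0
 tunnel destination 23.149.104.20
!
interface Tunnel21
 shutdown
 tunnel source GigabitEthernet0/0/0
 tunnel destination 23.149.104.21
 tunnel protection ipsec profile IPSEC-PROF-DMVPN ikev2-profile IKEv2-VPN-PROFILE
!
line vty 0 4
 access-class VTY in vrf-also
 transport input all
line vty 98 817
 transport input all
"""
```

Run audit() over the full running-config of each router (show running-config, pasted into a file) and every Finding it returns maps to one line in the goals list; a clean run on all three routers is what "[X] Security hardening" should mean. Tunnel21 in the spoke sample shows the quiet case: a protected tunnel, even one that is shut down, produces nothing.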

Multicast in VRF

As the PE and CE are the same router, VRFs provide independent tables. The C-PIM peering should be from Vlan100 on the spoke to Loopback100000 on the core, but the C-PIM source is currently Loopback0 on each router, not the loopback in the CUST-00000 VRF (on the hub both CUST-00000 loopbacks are also shut down). This of course breaks multicast using RPs. Full-on dense mode does work from client to client (RPi3s on the edge routers for testing).

DMVPN Test Network

configs

Hub - Core 1

version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform sslvpn use-pd
platform console serial
!
hostname CORE-1
!
boot-start-marker
boot system bootflash:c8000v-universalk9.17.12.04a.SPA.bin
boot-end-marker
!
!
vrf definition CUST-00000
 description Customer 00000 - Mvpn for DAMM radios
 ipv4 multicast multitopology
 rd 64512:0
 route-target export 64512:100000
 route-target import 64512:100000
 !
 address-family ipv4
  mdt default 232.0.1.69
  bgp next-hop Loopback0
 exit-address-family
 !
 address-family ipv4 multicast
  topology customer-000000
   all-interfaces
  !
 exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnclient local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network localgroups local
!
aaa session-id common
no process cpu autoprofile hog
!
ip vrf FRONT-DOOR
 description Front-Door VRF only for public
 rd 62000:1
!
ip multicast-routing distributed
ip multicast-routing vrf CUST-00000 distributed
ip multicast longest-match
!
no ip domain lookup
ip domain name keekles.org
!
login on-failure log
login on-success log
!
subscriber templating
vtp version 1
!
mpls label mode all-vrfs protocol bgp-vpnv4 per-vrf
no mpls ip propagate-ttl
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9WCP1VOJDCN
license boot level ax
archive
 log config
  record rc
  logging enable
  logging size 400
 path bootflash:archive/
 maximum 14
 time-period 5
memory free low-watermark processor 71477
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username ${USER1} privilege 15 secret 9 
!
redundancy
!
crypto ikev2 proposal IKEv2-VPN
 encryption aes-cbc-256
 integrity sha512
 group 19
!
crypto ikev2 policy IKEv2-VPN-POLICY
 match fvrf FRONT-DOOR
 proposal IKEv2-VPN
!
crypto ikev2 keyring NOI-DMVPN
 peer REMOTE-ROUTERS
  description REMOTE-ROUTERS
  address 0.0.0.0 0.0.0.0
  pre-shared-key ${PSK}
 !
!
crypto ikev2 profile IKEv2-VPN-PROFILE
 match fvrf FRONT-DOOR
 match address local 23.149.104.20
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local NOI-DMVPN
 no lifetime certificate
 ivrf FRONT-DOOR
!
crypto ikev2 fragmentation
!
cdp run
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha512-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF-DMVPN
 set transform-set AES256
 set ikev2-profile IKEv2-VPN-PROFILE
!
crypto ipsec profile IPSEC-PROF-STATIC
 set transform-set AES256
 set ikev2-profile IKEv2-VPN-PROFILE
!
interface Loopback0
 description PROVIDER-LOOPBACK
 ip address 100.120.0.1 255.255.255.255
 ip pim nbma-mode
 ip pim sparse-mode
 ip igmp join-group 232.0.0.1 source 100.120.0.1
!
interface Loopback1
 description PROVIDER-ANYCAST-RP
 ip address 100.120.1.1 255.255.255.255
 ip pim sparse-mode
!
interface Loopback100000
 description CUST-00000 INTERCONNECT
 vrf forwarding CUST-00000
 ip address 192.168.0.1 255.255.255.255
 ip pim sparse-dense-mode
 ip igmp join-group 226.0.0.1
 shutdown
!
interface Loopback200000
 description CUST-00000 ANYCAST RP
 vrf forwarding CUST-00000
 ip address 192.168.0.0 255.255.255.255
 ip pim nbma-mode
 ip pim sparse-dense-mode
 shutdown
!
interface Tunnel11
 description CORE-1 PRIMARY DMVPN TUNNEL
 ip address 100.122.0.1 255.255.192.0
 no ip redirects
 ip mtu 1400
 ip pim dr-priority 4294967294
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication NOI-KEY
 ip nhrp network-id 11
 ip tcp adjust-mss 1360
 cdp enable
 ipv6 mtu 1400
 ipv6 tcp adjust-mss 1340
 ipv6 nhrp authentication NOI-KEY
 ipv6 nhrp network-id 11
 mpls bgp forwarding
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 11
 tunnel vrf FRONT-DOOR
!
interface Tunnel12
 description CORE-1 SECONDARY DMVPN TUNNEL
 ip address 100.122.64.1 255.255.192.0
 no ip redirects
 ip mtu 1400
 ip pim dr-priority 10
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication NOI-KEY
 ip nhrp network-id 12
 ip tcp adjust-mss 1360
 shutdown
 cdp enable
 ipv6 mtu 1400
 ipv6 tcp adjust-mss 1340
 ipv6 nhrp authentication NOI-KEY
 ipv6 nhrp network-id 12
 mpls bgp forwarding
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 12
 tunnel vrf FRONT-DOOR
 tunnel protection ipsec profile IPSEC-PROF-DMVPN shared
!
interface Tunnel1122
 description GRE TUNNEL to CORE-2
 ip address 100.120.255.1 255.255.255.252
 no ip redirects
 ip mtu 1452
 ip pim sparse-mode
 shutdown
 cdp enable
 mpls bgp forwarding
 tunnel source GigabitEthernet1
 tunnel destination 23.149.104.21
 tunnel vrf FRONT-DOOR
 tunnel protection ipsec profile IPSEC-PROF-STATIC
!
interface GigabitEthernet1
 ip vrf forwarding FRONT-DOOR
 ip address 23.149.104.20 255.255.255.224
 negotiation auto
 vrrp 12 description VRRP-FOR-NMS
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 100.120.255.130 255.255.255.240
 ip pim sparse-dense-mode
 ip igmp version 3
 negotiation auto
 vrrp 12 description VRRP-FOR-NMS
 vrrp 12 ip 100.120.255.129
 vrrp 12 priority 110
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 vrf forwarding CUST-00000
 ip address 192.168.255.1 255.255.255.252
 ip pim sparse-dense-mode
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
!
router bgp 64512
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 bgp listen range 100.120.255.0/30 peer-group HUB
 bgp listen range 100.120.0.0/14 peer-group SPOKES
 neighbor SPOKES peer-group
 neighbor SPOKES remote-as 64512
 neighbor SPOKES ebgp-multihop 255
 neighbor SPOKES transport connection-mode passive
 neighbor SPOKES update-source Loopback0
 neighbor HUB peer-group
 neighbor HUB remote-as 64512
 neighbor 100.120.255.2 remote-as 64512
 neighbor 100.120.255.2 peer-group HUB
 !
 address-family ipv4
  network 0.0.0.0
  redistribute connected
  neighbor SPOKES activate
  neighbor SPOKES send-community both
  neighbor SPOKES route-reflector-client
  neighbor SPOKES next-hop-self all
  neighbor SPOKES send-label
  neighbor HUB activate
  neighbor HUB send-community both
  neighbor HUB next-hop-self
  neighbor HUB send-label
  neighbor 100.120.255.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor SPOKES activate
  neighbor SPOKES send-community both
  neighbor SPOKES route-reflector-client
  neighbor SPOKES next-hop-self all
  neighbor HUB activate
  neighbor HUB send-community both
  neighbor 100.120.255.2 activate
 exit-address-family
 !
 address-family ipv4 mdt
  neighbor SPOKES activate
  neighbor SPOKES send-community both
  neighbor SPOKES next-hop-self all
  neighbor HUB activate
  neighbor HUB send-community both
  neighbor HUB next-hop-self all
 exit-address-family
 !
 address-family ipv4 vrf CUST-00000
  redistribute connected route-map CUST-00000-ROUTES
  redistribute static route-map CUST-00000-ROUTES
 exit-address-family
!
ip forward-protocol nd
!
ip pim rp-address 100.120.1.1 override
ip pim send-rp-announce Loopback1 scope 32 group-list 10
ip pim vrf CUST-00000 rp-address 192.168.255.255 override
ip pim vrf CUST-00000 register-source Loopback100000
ip msdp peer 100.120.0.2 connect-source Loopback0
ip msdp cache-sa-state
ip msdp originator-id Loopback0
ip msdp vrf CUST-00000 peer 192.168.0.2 connect-source Loopback100000
ip msdp vrf CUST-00000 cache-sa-state
ip msdp vrf CUST-00000 originator-id Loopback100000
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip route 0.0.0.0 0.0.0.0 Null0
ip route vrf CUST-00000 192.168.255.255 255.255.255.255 192.168.255.2
ip route vrf FRONT-DOOR 0.0.0.0 0.0.0.0 23.149.104.1
ip ssh bulk-mode 131072
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh pubkey-chain
  username bryan
   key-hash ssh-rsa FD61A6D6FFD817666D6E420C5E7029CB
   key-hash ssh-ed25519 286A947512A7C2CB9B1E0FAF2D61998B bryan@bryanfields.net
!
ip access-list standard CUST-00000-NEXT-HOP-SELF-ACL
 10 permit 192.168.0.0 0.0.0.255
 20 permit 192.168.255.0 0.0.0.255
ip access-list standard VTY
 10 permit 192.168.0.0 0.0.255.255
 20 permit 100.64.0.0 0.63.255.255
 30 permit 44.98.0.0 0.0.255.255
 40 permit 199.47.174.0 0.0.0.255
 50 permit 23.149.104.0 0.0.0.255
 60 permit 100.120.255.128 0.0.0.7
ip access-list standard snmp-acl
 10 permit 100.120.255.128 0.0.0.7
!
ip access-list standard 10
 10 permit 224.0.0.0 15.255.255.255
ip access-list standard 20
 10 deny   224.0.1.39
 20 deny   224.0.1.40
 30 permit 224.0.0.0 15.255.255.255
ip access-list extended 2000
 10 permit igmp any any
 20 permit pim any any
 30 permit icmp any any
!
route-map CUST-00000-ROUTES permit 10
 match ip address CUST-00000-NEXT-HOP-SELF-ACL
 set ip next-hop 100.120.0.1
!
snmp-server group radio v3 priv access snmp-acl
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp ifmib ifindex persist
!
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
line vty 0
 access-class VTY in vrf-also
 exec-timeout 180 0
 transport input ssh
line vty 1
 access-class VTY in vrf-also
 exec-timeout 180 0
 length 0
 transport input ssh
line vty 2 4
 access-class VTY in vrf-also
 exec-timeout 180 0
 transport input ssh
line vty 5 15
 access-class VTY in vrf-also
 exec-timeout 180 0
 transport input ssh
line vty 16 97
 access-class VTY in vrf-also
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp logging
ntp source GigabitEthernet1
ntp server vrf FRONT-DOOR 45.79.214.107
ntp server vrf FRONT-DOOR 138.236.128.36
ntp server vrf FRONT-DOOR 50.205.57.38
ntp server vrf FRONT-DOOR 144.202.41.38

end

Spoke 1 - Bryan

version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname bryan-ir1101
!
boot-start-marker
boot system flash bootflash:ir1101-universalk9.17.09.06.SPA.bin
boot-end-marker
!
!
vrf definition CUST-00000
 description Customer 00000 - Mvpn for DAMM radios
 rd 64512:0
 route-target export 64512:100000
 route-target import 64512:100000
 !
 address-family ipv4
  mdt default 232.0.1.69
  mdt mtu 1400
  bgp next-hop Loopback0
 exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnclient local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network localgroups local
!
!
aaa session-id common
!
ip vrf FRONT-DOOR
 description Front-Door VRF only for public
 rd 62000:1
!
ip multicast-routing distributed
ip multicast-routing vrf CUST-00000 distributed
!
!
!
!
!
!
ip name-server vrf FRONT-DOOR 1.1.1.1
no ip domain lookup
ip domain name keekles.org
!
ip dhcp pool CUST-00000-00
 vrf CUST-00000
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 1.1.1.1
 lease 0 0 15
!
!
!
login block-for 60 attempts 3 within 30
login delay 3
login on-failure log
login on-success log
ipv6 unicast-routing
!
no mpls ip propagate-ttl
multilink bundle-name authenticated
!
!

license feature hseck9
license udi pid IR1101-K9 sn FCW22260069
license boot level network-advantage
license smart transport callhome
archive
 log config
  record rc
  logging enable
  logging size 400
 path bootflash:archive/
 maximum 14
memory free low-watermark processor 45309
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
username nnnnnn privilege 15 secret 9 
!
redundancy
!
crypto ikev2 proposal IKEv2-VPN
 encryption aes-cbc-256
 integrity sha512
 group 19
!
crypto ikev2 policy IKEv2-VPN-POLICY
 match fvrf FRONT-DOOR
 proposal IKEv2-VPN
!
crypto ikev2 keyring NOI-DMVPN
 peer CORE-1
  description CORE-1
  address 23.149.104.20
  pre-shared-key <PSK>
 !
 peer CORE-2
  description CORE-2
  address 23.149.104.21
  pre-shared-key <PSK>
 !
!
!
crypto ikev2 profile IKEv2-VPN-PROFILE
 match fvrf FRONT-DOOR
 match identity remote address 23.149.104.20 255.255.255.255
 match identity remote address 23.149.104.21 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local NOI-DMVPN
 no lifetime certificate
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha512-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF-DMVPN
 set transform-set AES256
 set ikev2-profile IKEv2-VPN-PROFILE
!
interface Loopback0
 ip address 100.120.0.64 255.255.255.255
 ip pim sparse-mode
 ip igmp join-group 224.1.1.10
!
interface Tunnel11
 ip address 100.122.0.64 255.255.192.0
 no ip redirects
 ip mtu 1400
 ip pim dr-priority 0
 ip pim sparse-mode
 ip nhrp authentication NOI-KEY
 ip nhrp map 100.122.0.1 23.149.104.20
 ip nhrp map multicast 23.149.104.20
 ip nhrp network-id 11
 ip nhrp nhs 100.122.0.1
 ip tcp adjust-mss 1360
 cdp enable
 ipv6 enable
 ipv6 mtu 1400
 ipv6 tcp adjust-mss 1340
 ipv6 nhrp authentication NOI-KEY
 ipv6 nhrp network-id 11
 mpls bgp forwarding
 tunnel source GigabitEthernet0/0/0
 tunnel destination 23.149.104.20
 tunnel key 11
 tunnel vrf FRONT-DOOR
!
interface Tunnel12
 no ip address
 ip pim sparse-mode
!
interface Tunnel21
 ip address 100.123.0.64 255.255.192.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-mode
 ip nhrp authentication NOI-KEY
 ip nhrp map 100.123.0.1 23.149.104.21
 ip nhrp map multicast 23.149.104.21
 ip nhrp network-id 21
 ip nhrp nhs 100.123.0.1
 ip tcp adjust-mss 1360
 shutdown
 cdp enable
 ipv6 enable
 ipv6 mtu 1400
 ipv6 tcp adjust-mss 1340
 ipv6 nhrp authentication NOI-KEY
 ipv6 nhrp network-id 21
 mpls bgp forwarding
 tunnel source GigabitEthernet0/0/0
 tunnel destination 23.149.104.21
 tunnel key 21
 tunnel vrf FRONT-DOOR
 tunnel protection ipsec profile IPSEC-PROF-DMVPN ikev2-profile IKEv2-VPN-PROFILE
!
interface GigabitEthernet0/0/0
 ip vrf forwarding FRONT-DOOR
 ip address dhcp
 ip nat outside
 ipv6 dhcp client request vendor
 ipv6 address autoconfig default
!
interface FastEthernet0/0/1
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface FastEthernet0/0/4
!
interface Cellular0/1/0
 ip address negotiated
 ip tcp adjust-mss 1460
 dialer in-band
 dialer idle-timeout 0
 dialer watch-group 1
 ipv6 address dhcp
 ipv6 enable
 pulse-time 1
!
interface Cellular0/1/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan100
 vrf forwarding CUST-00000
 ip address 192.168.4.1 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp join-group 226.0.0.64
 ip igmp version 3
 no autostate
!
interface Async0/2/0
 no ip address
 encapsulation scada
!
interface vasileft1
 vrf forwarding CUST-00000
 ip address 100.126.1.1 255.255.255.248
 ip nat inside
 no keepalive
!
interface vasiright1
 ip vrf forwarding FRONT-DOOR
 ip address 100.126.1.2 255.255.255.248
 ip nat inside
 no keepalive
!
router bgp 64512
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 neighbor 100.120.0.1 remote-as 64512
 neighbor 100.120.0.1 ebgp-multihop 255
 neighbor 100.120.0.1 update-source Loopback0
 neighbor 100.122.0.1 remote-as 64512
 neighbor 100.122.0.1 ebgp-multihop 255
 neighbor 100.123.0.1 remote-as 64512
 neighbor 100.123.0.1 shutdown
 neighbor 100.123.0.1 ebgp-multihop 255
 !
 address-family ipv4
  network 100.120.0.0 mask 255.252.0.0
  redistribute connected
  no neighbor 100.120.0.1 activate
  neighbor 100.122.0.1 activate
  neighbor 100.122.0.1 send-label
  neighbor 100.123.0.1 activate
  neighbor 100.123.0.1 send-label
 exit-address-family
 !
 address-family ipv4 mvpn
 exit-address-family
 !
 address-family vpnv4
  neighbor 100.122.0.1 activate
  neighbor 100.122.0.1 send-community both
  neighbor 100.123.0.1 activate
  neighbor 100.123.0.1 send-community both
 exit-address-family
 !
 address-family vpnv4 multicast
 exit-address-family
 !
 address-family ipv4 mdt
  neighbor 100.120.0.1 activate
  neighbor 100.120.0.1 send-community both
  neighbor 100.122.0.1 activate
  neighbor 100.122.0.1 send-community extended
  neighbor 100.123.0.1 activate
  neighbor 100.123.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-00000
  redistribute connected route-map CUST-00000-ROUTES
 exit-address-family
!
ip forward-protocol nd
no ip http server
ip http auth-retry 3 time-window 1
ip http authentication local
ip http secure-server
ip pim rp-address 100.120.1.1 override
ip pim vrf CUST-00000 rp-address 192.168.255.255 override
ip pim vrf CUST-00000 send-rp-announce Vlan100 scope 32 group-list 10
ip pim vrf CUST-00000 send-rp-discovery Vlan100 scope 32
ip pim vrf CUST-00000 register-source Vlan100
ip nat inside source list CUST-00000-NAT interface GigabitEthernet0/0/0 vrf FRONT-DOOR overload
ip route vrf CUST-00000 0.0.0.0 0.0.0.0 vasileft1 100.126.1.2
ip route vrf FRONT-DOOR 192.168.4.0 255.255.255.0 vasiright1 100.126.1.1
ip route vrf FRONT-DOOR 0.0.0.0 0.0.0.0 dhcp
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh pubkey-chain
  username <USER>
   key-hash ssh-ed25519 <hash> 
!
!
ip access-list standard CUST-00000-ROUTE-ACL
 10 permit 192.168.0.0 0.0.255.255
ip access-list standard VTY
 10 permit 192.168.0.0 0.0.255.255
 20 permit 100.64.0.0 0.63.255.255
 30 permit 44.98.0.0 0.0.255.255
 40 permit 199.47.174.0 0.0.0.255
 50 permit 23.149.104.0 0.0.0.255
 60 permit 100.120.255.128 0.0.0.7
ip access-list standard snmp-acl
 10 permit 100.120.255.128 0.0.0.7
!
ip access-list extended CUST-00000-NAT
 10 permit ip 192.168.4.0 0.0.0.255 any
!
ip access-list standard 1
 10 permit any
ip access-list standard 10
 10 permit 224.0.0.0 15.255.255.255
ip access-list standard 20
 10 deny   224.0.1.39
 20 deny   224.0.1.40
 30 permit 224.0.0.0 15.255.255.255
ip access-list extended 101
 10 permit ip any host 23.149.104.20
dialer watch-list 1 ip 5.6.7.8 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer-list 1 protocol ip list 1
!
route-map CUST-00000-ROUTES permit 10
 match ip address CUST-00000-ROUTE-ACL
!
snmp-server group radio v3 priv access snmp-acl
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp ifmib ifindex persist
!
line con 0
 stopbits 1
 speed 115200
line 0/0/0
line 0/2/0
line vty 0 4
 access-class VTY in vrf-also
 exec-timeout 180 0
 transport input all
line vty 5 97
 access-class VTY in vrf-also
 exec-timeout 180 0
 transport input all
line vty 98 817
 exec-timeout 180 0
 transport input all
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 source-interface GigabitEthernet0/0/0
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp logging
ntp master
ntp server vrf FRONT-DOOR 45.79.214.107
ntp server vrf FRONT-DOOR 138.236.128.36
ntp server vrf FRONT-DOOR 162.248.241.94
ntp server vrf FRONT-DOOR 172.104.193.207
ntp server vrf FRONT-DOOR ip pool.ntp.org
end

Spoke - NOI