The CSR configurations for DRaaS System Enterprise (ENT) to Service Provider (SP) and for vPC to vPC follow:
• Enterprise to Service Provider Configurations
The following System Enterprise (ENT) to Service Provider (SP) configurations are provided:
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ENT-t19-csr1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
! Type 4 secrets are unsalted, single-iteration SHA-256 hashes, a type Cisco has since deprecated.
enable secret 4 Ixw342sfeZTFRhrE.x7vO/sfsdfs3423
!
aaa new-model
!
!
aaa group server tacacs+ dc-aaa
server 10.10.10.10
server 10.10.10.11
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login user group dc-aaa local
aaa authorization exec user group dc-aaa local if-authenticated
aaa authorization commands 15 user group dc-aaa local if-authenticated
aaa accounting exec user start-stop group dc-aaa
aaa accounting commands 15 user start-stop group dc-aaa
!
aaa session-id common
!
!
!
no ip domain lookup
ip domain name cisco.com
!
!
otv site bridge-domain 936
!
otv fragmentation join-interface GigabitEthernet1
otv site-identifier 0000.1900.0006
multilink bundle-name authenticated
!
!
license accept end user agreement
license boot level premium
spanning-tree extend system-id
!
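! "password 0" stores the local admin password unencrypted in the configuration; the SP-t19-csr1 listing defines the same account with "secret".
username admin privilege 15 password 0 cisco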
!
redundancy
mode none
bridge-domain 936
bridge-domain 1921
bridge-domain 1922
bridge-domain 1923
!
!
ip ftp source-interface GigabitEthernet0
ip tftp source-interface GigabitEthernet0
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
class-map type inspect match-all any-ssh
match protocol ssh
class-map type inspect match-all any-udp
match protocol udp
class-map type inspect match-all any-icmp
match protocol icmp
!
policy-map type inspect outside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-outside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
!
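! No interface in this listing is assigned to a zone with zone-member security, so the zone pairs below match no interface traffic as shown.
zone security outside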
zone security inside
zone-pair security inside-to-inside source inside destination inside
service-policy type inspect inside-to-inside
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-to-inside
!
!
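! Only the authentication method is set in this ISAKMP policy; the other parameters stay at the platform defaults.
crypto isakmp policy 10
authentication pre-share
! The pre-shared key is the string "cisco", which this listing also uses for the TACACS+ server key and the vty 0 4 line password.
crypto isakmp key cisco address 86.86.33.8 255.255.255.0
crypto isakmp keepalive 20 5
!
!
! esp-aes with no key size selects 128-bit AES; esp-md5-hmac selects HMAC-MD5 for ESP authentication.
crypto ipsec transform-set myset esp-aes esp-md5-hmac
mode tunnel
!
!
!
! No interface in this listing references crypto map myvpn.
crypto map myvpn 10 ipsec-isakmp
set peer 86.86.33.8
set transform-set myset
match address 186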
!
!
!
interface Overlay19
no ip address
otv join-interface GigabitEthernet1
otv use-adjacency-server 86.86.33.8 unicast-only
service instance 1921 ethernet
encapsulation dot1q 1921
bridge-domain 1921
!
service instance 1922 ethernet
encapsulation dot1q 1922
bridge-domain 1922
!
service instance 1923 ethernet
encapsulation dot1q 1923
bridge-domain 1923
!
!
interface GigabitEthernet1
description CVF6 Gold EP Join Interface1
ip address 86.68.33.6 255.255.255.0
load-interval 30
negotiation auto
!
interface GigabitEthernet2
description CVF6 Silver 1921 GW
no ip address
load-interval 30
negotiation auto
service instance 936 ethernet
encapsulation untagged
bridge-domain 936
!
service instance 1921 ethernet
encapsulation dot1q 1921
bridge-domain 1921
!
service instance 1922 ethernet
encapsulation dot1q 1922
bridge-domain 1922
!
service instance 1923 ethernet
encapsulation dot1q 1923
bridge-domain 1923
!
!
interface GigabitEthernet7
description CVF6 Silver 1921 GW
ip address 86.19.21.1 255.255.255.0
load-interval 30
negotiation auto
!
interface GigabitEthernet8
description CVF6 Silver 1922 GW
ip address 86.19.22.1 255.255.255.0
load-interval 30
negotiation auto
!
interface GigabitEthernet9
description CVF6 Silver 1923 GW
ip address 86.19.23.1 255.255.255.0
load-interval 30
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.109 255.255.255.0
negotiation auto
!
router bgp 65062
bgp log-neighbor-changes
network 86.19.21.0 mask 255.255.255.0
network 86.19.22.0 mask 255.255.255.0
network 86.19.23.0 mask 255.255.255.0
neighbor 6.101.100.26 remote-as 109
neighbor 6.101.100.26 ebgp-multihop 10
neighbor 6.101.100.26 update-source GigabitEthernet1
neighbor 6.101.100.42 remote-as 109
neighbor 6.101.100.42 ebgp-multihop 10
neighbor 6.101.100.42 update-source GigabitEthernet1
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 86.68.33.254
ip route 6.101.100.26 255.255.255.255 86.68.33.254
ip route 6.101.100.42 255.255.255.255 86.68.33.254
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 GigabitEthernet0 192.168.60.254
ip tacacs source-interface GigabitEthernet0
!
!
access-list 186 permit ip host 86.68.33.6 host 86.86.33.8
!
!
tacacs-server host 10.10.10.10
tacacs-server host 10.10.10.11
tacacs-server key cisco
!
!
!
control-plane
!
!
line con 0
login authentication user
stopbits 1
line aux 0
stopbits 1
! On vty 0 4, exec-timeout 0 0 disables the EXEC idle timeout; vty 5 97 use a 30-minute timeout.
line vty 0 4
session-timeout 10
exec-timeout 0 0
password cisco
authorization commands 15 user
authorization exec user
accounting commands 15 user
accounting exec user
login authentication user
transport input ssh
line vty 5 97
exec-timeout 30 0
authorization commands 15 user
authorization exec user
accounting commands 15 user
accounting exec user
login authentication user
transport input ssh
!
ntp server vrf Mgmt-intf 10.10.10.79
onep
transport type tipc
!
end
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec localtime
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname SP-t19-csr1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 4 IxbVL4jvd0cadf2345234.4//hF234igZbAI
!
aaa new-model
!
!
aaa group server tacacs+ dc-aaa
server 10.10.10.10
server 10.10.10.11
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login user group dc-aaa local
aaa authorization exec user group dc-aaa local if-authenticated
aaa authorization commands 15 user group dc-aaa local if-authenticated
aaa accounting exec user start-stop group dc-aaa
aaa accounting commands 15 user start-stop group dc-aaa
!
!
aaa session-id common
clock timezone EST -4 0
!
!
!
no ip domain lookup
ip domain name cisco.com
!
!
!
!
!
!
otv site bridge-domain 936
!
otv fragmentation join-interface GigabitEthernet1
otv site-identifier 0000.1900.0008
multilink bundle-name authenticated
!
!
license accept end user agreement
license boot level premium
spanning-tree extend system-id
!
username admin privilege 15 secret 4 23aadfsdfwer34//safd43dfZbAI
!
redundancy
mode none
bridge-domain 936
bridge-domain 1921
bridge-domain 1922
bridge-domain 1923
!
!
!
ip ftp source-interface GigabitEthernet0
ip tftp source-interface GigabitEthernet0
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
class-map type inspect match-all any-ssh
match protocol ssh
class-map type inspect match-all any-udp
match protocol udp
class-map type inspect match-all any-icmp
match protocol icmp
!
policy-map type inspect outside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-outside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-inside
class type inspect any-udp
pass
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security inside-to-inside source inside destination inside
service-policy type inspect inside-to-inside
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-to-inside
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 86.68.33.6 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map myvpn 10 ipsec-isakmp
set peer 86.68.33.6
set transform-set myset
match address 186
!
!
!
!
interface Overlay19
no ip address
otv join-interface GigabitEthernet1
otv adjacency-server unicast-only
service instance 1921 ethernet
encapsulation dot1q 1921
bridge-domain 1921
!
service instance 1922 ethernet
encapsulation dot1q 1922
bridge-domain 1922
!
service instance 1923 ethernet
encapsulation dot1q 1923
bridge-domain 1923
!
!
interface GigabitEthernet1
description CVF6 Gold EP Join Interface1
ip address 86.86.33.8 255.255.255.0
load-interval 30
negotiation auto
arp timeout 1500
!
interface GigabitEthernet2
description CVF8 Silver 1921 GW
no ip address
load-interval 30
negotiation auto
service instance 936 ethernet
encapsulation untagged
bridge-domain 936
!
service instance 1921 ethernet
encapsulation dot1q 1921
bridge-domain 1921
!
service instance 1922 ethernet
encapsulation dot1q 1922
bridge-domain 1922
!
service instance 1923 ethernet
encapsulation dot1q 1923
bridge-domain 1923
!
!
interface GigabitEthernet9
description CVF8 Silver 1921 GW
ip address 86.19.21.254 255.255.255.0
load-interval 30
negotiation auto
arp timeout 1500
!
interface GigabitEthernet10
description CVF8 Silver 1922 GW
ip address 86.19.22.254 255.255.255.0
load-interval 30
negotiation auto
arp timeout 1500
!
interface GigabitEthernet11
description CVF8 Silver 1923 GW
ip address 86.19.23.254 255.255.255.0
load-interval 30
negotiation auto
arp timeout 1500
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.108 255.255.255.0
negotiation auto
arp timeout 1500
!
router bgp 65082
bgp log-neighbor-changes
network 86.19.21.0 mask 255.255.255.0
network 86.19.22.0 mask 255.255.255.0
network 86.19.23.0 mask 255.255.255.0
neighbor 8.1.19.1 remote-as 109
neighbor 8.1.19.1 ebgp-multihop 10
neighbor 8.1.19.1 update-source GigabitEthernet1
neighbor 8.4.19.1 remote-as 109
neighbor 8.4.19.1 ebgp-multihop 10
neighbor 8.4.19.1 update-source GigabitEthernet1
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 86.86.33.254
ip route 8.1.19.1 255.255.255.255 86.86.33.254
ip route 8.4.19.1 255.255.255.255 86.86.33.254
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 GigabitEthernet0 10.10.10.1
ip tacacs source-interface GigabitEthernet0
!
!
access-list 186 permit ip host 86.86.33.8 host 86.68.33.6
!
tacacs-server host 10.10.10.10
tacacs-server host 10.10.10.11
tacacs-server key cisco
!
!
!
control-plane
!
!
line con 0
login authentication user
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 10
exec-timeout 0 0
password cisco
authorization commands 15 user
authorization exec user
accounting commands 15 user
accounting exec user
login authentication user
transport input ssh
line vty 5 97
exec-timeout 30 0
authorization commands 15 user
authorization exec user
accounting commands 15 user
accounting exec user
login authentication user
transport input ssh
!
ntp server vrf Mgmt-intf 10.10.10.79
onep
transport type tipc
!
end
The following vPC to vPC configurations are provided:
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname West-DC
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition mgmt-netflow-export
!
address-family ipv4
exit-address-family
!
!
enable secret 4 IxbVL4jvd0ceZadf234dfaga.4//hF352igZbAI
!
aaa new-model
!
!
aaa group server tacacs+ dc-aaa
server 10.10.10.10
server 10.10.10.11
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login user group dc-aaa local
aaa authorization exec user group dc-aaa local if-authenticated
aaa authorization commands 15 user group dc-aaa local if-authenticated
aaa accounting exec user start-stop group dc-aaa
aaa accounting commands 15 user start-stop group dc-aaa
!
!
!
!
!
aaa session-id common
clock timezone EDT -5 0
clock summer-time EDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
!
no ip domain lookup
ip domain name cisco.com
!
!
otv site bridge-domain 939
!
otv fragmentation join-interface GigabitEthernet1
otv site-identifier 0000.0000.0001
otv isis Overlay1
lsp-mtu 1350
!
multilink bundle-name authenticated
!
!
license accept end user agreement
license boot level premium
!
mac access-list extended drop-hsrp-mac
deny 0000.0c07.ac00 0000.0000.00ff host 0000.0000.0000
permit host 0000.0000.0000 host 0000.0000.0000
spanning-tree extend system-id
!
username admin privilege 15 secret 4 IxbVL4jvd0ceZasd232ar2/bRlm.4//h354345bAI
!
redundancy
mode none
bridge-domain 939
bridge-domain 2481
bridge-domain 2482
bridge-domain 2483
!
!
ip tftp source-interface GigabitEthernet0
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
class-map type inspect match-all any-ssh
match protocol ssh
class-map type inspect match-all any-udp
match protocol udp
class-map type inspect match-all any-icmp
match protocol icmp
!
policy-map type inspect outside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect lisp-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-outside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-lisp
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
!
zone security inside
zone security outside
zone security lisp
zone-pair security inside-to-inside source inside destination inside
service-policy type inspect inside-to-inside
zone-pair security inside-to-lisp source inside destination lisp
service-policy type inspect inside-to-lisp
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside
zone-pair security lisp-to-inside source lisp destination inside
service-policy type inspect lisp-to-inside
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-to-inside
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 8.34.82.10 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map myvpn 10 ipsec-isakmp
set peer 8.34.82.10
set transform-set myset
match address 100
!
!
!
!
!
!
interface LISP0
description LISP Encap/Decap
zone-member security lisp
!
interface Overlay1
mtu 1350
no ip address
otv join-interface GigabitEthernet1
otv use-adjacency-server 8.34.82.10 unicast-only
service instance 2481 ethernet
encapsulation dot1q 2481
mac access-group drop-hsrp-mac out
bridge-domain 2481
!
service instance 2482 ethernet
encapsulation dot1q 2482
mac access-group drop-hsrp-mac out
bridge-domain 2482
!
!
interface GigabitEthernet1
description Uplink Layer 3 Interface
ip address 11.1.5.1 255.255.255.0
zone-member security outside
negotiation auto
!
interface GigabitEthernet2
description VLAN 2481-2483 Layer 2 Interface
no ip address
load-interval 30
negotiation auto
service instance 939 ethernet
encapsulation dot1q 939
bridge-domain 939
!
service instance 2481 ethernet
encapsulation dot1q 2481
bridge-domain 2481
!
service instance 2482 ethernet
encapsulation dot1q 2482
bridge-domain 2482
!
!
interface GigabitEthernet3
description VLAN 2481 Layer 3 Interface
ip address 8.24.81.2 255.255.255.0
ip access-group 2000 in
no ip unreachables
zone-member security inside
standby 0 ip 8.24.81.1
load-interval 30
negotiation auto
lisp mobility vlan2481
lisp extended-subnet-mode
arp timeout 1500
!
interface GigabitEthernet4
description VLAN 2482 Layer 3 Interface
ip address 8.24.82.2 255.255.255.0
ip access-group 2000 in
no ip unreachables
zone-member security inside
standby 0 ip 8.24.82.1
load-interval 30
negotiation auto
lisp mobility vlan2482
lisp extended-subnet-mode
arp timeout 1500
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.2 255.255.255.0
negotiation auto
!
router lisp
locator-set West-DC
11.1.5.1 priority 1 weight 100
exit
!
eid-table default instance-id 0
database-mapping 8.24.0.0/16 locator-set West-DC
dynamic-eid vlan2481
database-mapping 8.24.81.0/24 locator-set West-DC
exit
!
dynamic-eid vlan2482
database-mapping 8.24.82.0/24 locator-set West-DC
exit
!
exit
!
site EastWestDC
authentication-key cisco
eid-prefix 8.24.0.0/16 accept-more-specifics
exit
!
ipv4 map-server
ipv4 map-resolver
ipv4 map-request-source 8.34.82.10
ipv4 use-petr 6.126.104.130
ipv4 itr map-resolver 11.1.5.1
ipv4 itr map-resolver 8.34.82.10
ipv4 itr
ipv4 etr map-server 11.1.5.1 key cisco
ipv4 etr map-server 8.34.82.10 key cisco
!
router bgp 65513
bgp log-neighbor-changes
neighbor 11.1.5.254 remote-as 109
!
address-family ipv4
network 11.1.5.0 mask 255.255.255.0
neighbor 11.1.5.254 activate
exit-address-family
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 GigabitEthernet0 10.10.10.1
ip tacacs source-interface GigabitEthernet0
!
!
!
!
access-list 100 permit ip host 11.1.5.1 host 8.34.82.10
access-list 2000 deny udp any eq netbios-ns any eq netbios-ns
access-list 2000 deny udp any eq netbios-ss any eq netbios-ss
access-list 2000 deny udp any eq netbios-dgm any eq netbios-dgm
access-list 2000 permit ip any any
!
!
tacacs-server host 10.10.10.10
tacacs-server host 10.10.10.11
tacacs-server key cisco
!
!
!
control-plane
!
!
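! The line configurations in this and the following listings reference AAA method list "cisco"; the aaa commands in each listing define only the list "user".
line con 0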
login authentication cisco
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 10
exec-timeout 0 0
password cisco
authorization commands 15 cisco
authorization exec cisco
accounting commands 15 cisco
accounting exec cisco
login authentication cisco
transport input ssh
line vty 5 97
exec-timeout 30 0
authorization commands 15 cisco
authorization exec cisco
accounting commands 15 cisco
accounting exec cisco
login authentication cisco
transport input ssh
!
onep
transport type tipc
!
end
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
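! The hostname repeats West-DC from the previous listing; the LISP locator-set below is named East-DC.
hostname West-DC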
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 4 IxbVL4jvd0ceadf23426/bRlm.4//hF234aZbAI
!
aaa new-model
!
!
aaa group server tacacs+ dc-aaa
server 10.10.10.10
server 10.10.10.11
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login user group dc-aaa local
aaa authorization exec user group dc-aaa local if-authenticated
aaa authorization commands 15 user group dc-aaa local if-authenticated
aaa accounting exec user start-stop group dc-aaa
aaa accounting commands 15 user start-stop group dc-aaa
!
!
aaa session-id common
clock timezone EDT -5 0
clock summer-time EDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
!
!
!
no ip domain lookup
ip domain name cisco.com
!
!
!
otv site bridge-domain 939
!
otv fragmentation join-interface GigabitEthernet1
otv site-identifier 0000.0000.0002
otv isis Overlay1
lsp-mtu 1350
!
multilink bundle-name authenticated
!
!
license accept end user agreement
license boot level premium
!
mac access-list extended drop-hsrp-mac
deny 0000.0c07.ac00 0000.0000.00ff host 0000.0000.0000
permit host 0000.0000.0000 host 0000.0000.0000
spanning-tree extend system-id
!
username admin privilege 15 secret 4 IxbVL4jvdadf234zfd4364.4//edF324ZbAI
!
redundancy
mode none
bridge-domain 939
bridge-domain 2481
bridge-domain 2482
bridge-domain 2483
!
!
!
ip tftp source-interface GigabitEthernet1
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
class-map type inspect match-all any-ssh
match protocol ssh
class-map type inspect match-all any-udp
match protocol udp
class-map type inspect match-all any-icmp
match protocol icmp
!
policy-map type inspect outside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect lisp-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-outside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-lisp
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
!
zone security outside
zone security inside
zone security lisp
zone-pair security inside-to-inside source inside destination inside
service-policy type inspect inside-to-inside
zone-pair security inside-to-lisp source inside destination lisp
service-policy type inspect inside-to-lisp
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside
zone-pair security lisp-to-inside source lisp destination inside
service-policy type inspect lisp-to-inside
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-to-inside
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 11.1.5.1 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map myvpn 10 ipsec-isakmp
set peer 11.1.5.1
set transform-set myset
match address 100
!
!
!
interface LISP0
description LISP Encap/Decap
zone-member security lisp
!
interface Overlay1
description CVF8 Gold SP Overlay Interface
mtu 1350
no ip address
otv join-interface GigabitEthernet1
otv adjacency-server unicast-only
service instance 2481 ethernet
encapsulation dot1q 2481
mac access-group drop-hsrp-mac out
bridge-domain 2481
!
service instance 2482 ethernet
encapsulation dot1q 2482
mac access-group drop-hsrp-mac out
bridge-domain 2482
!
!
interface GigabitEthernet1
description Uplink Layer 3 Interface
ip address 8.34.82.10 255.255.255.0
zone-member security outside
negotiation auto
!
interface GigabitEthernet2
description VLAN 2481-2483 Layer 2 Interface
no ip address
load-interval 30
negotiation auto
service instance 939 ethernet
encapsulation dot1q 939
bridge-domain 939
!
service instance 2481 ethernet
encapsulation dot1q 2481
bridge-domain 2481
!
service instance 2482 ethernet
encapsulation dot1q 2482
bridge-domain 2482
!
!
interface GigabitEthernet3
description VLAN 2481 Layer 3 Interface
ip address 8.24.81.3 255.255.255.0
ip access-group 2000 in
no ip unreachables
zone-member security inside
standby 0 ip 8.24.81.1
load-interval 30
negotiation auto
lisp mobility vlan2481
lisp extended-subnet-mode
arp timeout 1500
!
interface GigabitEthernet4
description VLAN 2482 Layer 3 Interface
ip address 8.24.82.3 255.255.255.0
ip access-group 2000 in
no ip unreachables
zone-member security inside
standby 0 ip 8.24.82.1
load-interval 30
negotiation auto
lisp mobility vlan2482
lisp extended-subnet-mode
arp timeout 1500
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.3 255.255.255.0
negotiation auto
!
router lisp
locator-set East-DC
8.34.82.10 priority 1 weight 100
exit
!
eid-table default instance-id 0
database-mapping 8.24.0.0/16 locator-set East-DC
dynamic-eid vlan2481
database-mapping 8.24.81.0/24 locator-set East-DC
exit
!
dynamic-eid vlan2482
database-mapping 8.24.82.0/24 locator-set East-DC
exit
!
exit
!
site EastWestDC
authentication-key cisco
eid-prefix 8.24.0.0/16 accept-more-specifics
exit
!
ipv4 map-server
ipv4 map-resolver
ipv4 map-request-source 8.34.82.10
ipv4 use-petr 6.126.104.130
ipv4 itr map-resolver 11.1.5.1
ipv4 itr map-resolver 8.34.82.10
ipv4 itr
ipv4 etr map-server 11.1.5.1 key cisco
ipv4 etr map-server 8.34.82.10 key cisco
ipv4 etr
!
router bgp 65508
bgp log-neighbor-changes
neighbor 8.1.9.1 remote-as 109
neighbor 8.1.9.1 ebgp-multihop 10
neighbor 8.1.9.1 update-source GigabitEthernet1
neighbor 8.4.9.1 remote-as 109
neighbor 8.4.9.1 ebgp-multihop 10
neighbor 8.4.9.1 update-source GigabitEthernet1
!
address-family ipv4
neighbor 8.1.9.1 activate
neighbor 8.4.9.1 activate
exit-address-family
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 8.1.9.1 255.255.255.255 8.34.82.1
ip route 8.4.9.1 255.255.255.255 8.34.82.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 GigabitEthernet0 10.10.10.1
!
!
access-list 100 permit ip host 8.34.82.10 host 11.1.5.1
access-list 2000 deny udp any eq netbios-ns any eq netbios-ns
access-list 2000 deny udp any eq netbios-ss any eq netbios-ss
access-list 2000 deny udp any eq netbios-dgm any eq netbios-dgm
access-list 2000 permit ip any any
!
!
!
control-plane
!
!
line con 0
login authentication cisco
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 10
exec-timeout 0 0
password cisco
authorization commands 15 cisco
authorization exec cisco
accounting commands 15 cisco
accounting exec cisco
login authentication cisco
transport input ssh
line vty 5 97
exec-timeout 30 0
authorization commands 15 cisco
authorization exec cisco
accounting commands 15 cisco
accounting exec cisco
login authentication cisco
transport input ssh
!
onep
transport type tipc
!
end
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname pxtr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 4 IxbVL4jvd0ceZTFRhrE.x7vO/bRlm.4//hTrzigZbAI
!
aaa new-model
!
!
aaa group server tacacs+ dc-aaa
server 10.10.10.10
server 10.10.10.11
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login user group dc-aaa local
aaa authorization exec user group dc-aaa local if-authenticated
aaa authorization commands 15 user group dc-aaa local if-authenticated
aaa accounting exec user start-stop group dc-aaa
aaa accounting commands 15 user start-stop group dc-aaa
!
!
!
aaa session-id common
!
!
!
no ip domain lookup
ip domain name cisco.com
!
!
multilink bundle-name authenticated
!
!
license accept end user agreement
license boot level premium
spanning-tree extend system-id
!
username admin privilege 15 secret 4 IxbVL4jvd0ceZTFRhrE.x7vO/bRlm.4//hTrzigZbAI
!
redundancy
mode none
!
!
!
!
ip tftp source-interface GigabitEthernet0
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
class-map type inspect match-all any-ssh
match protocol ssh
class-map type inspect match-all any-udp
match protocol udp
class-map type inspect match-all any-icmp
match protocol icmp
!
policy-map type inspect outside-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect lisp-to-inside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-outside
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
policy-map type inspect inside-to-lisp
class type inspect any-icmp
drop
class type inspect any-ssh
pass
class type inspect any-udp
pass
class class-default
drop log
!
zone security outside
zone security inside
zone security lisp
zone-pair security inside-to-lisp source inside destination lisp
service-policy type inspect inside-to-lisp
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside
zone-pair security lisp-to-inside source lisp destination inside
service-policy type inspect lisp-to-inside
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-to-inside
!
!
!
!
!
interface LISP0
zone-member security lisp
!
interface GigabitEthernet1
description Uplink Layer 3 Interface
ip address 6.126.104.130 255.255.255.192
zone-member security outside
load-interval 30
negotiation auto
!
interface GigabitEthernet2
description NON-LISP Subnet
ip address 3.3.3.1 255.255.255.0
zone-member security inside
load-interval 30
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.4 255.255.255.0
negotiation auto
!
router lisp
eid-table default instance-id 0
map-cache 8.24.0.0/16 map-request
exit
!
ipv4 map-request-source 6.126.104.130
ipv4 map-cache-limit 100000
ipv4 proxy-etr
ipv4 proxy-itr 6.126.104.130
ipv4 itr map-resolver 11.1.5.1
ipv4 itr map-resolver 8.34.82.10
exit
!
router bgp 65506
bgp log-neighbor-changes
neighbor 6.101.98.18 remote-as 109
neighbor 6.101.98.18 ebgp-multihop 10
neighbor 6.101.98.18 update-source GigabitEthernet1
neighbor 6.101.98.34 remote-as 109
neighbor 6.101.98.34 ebgp-multihop 10
neighbor 6.101.98.34 update-source GigabitEthernet1
!
address-family ipv4
neighbor 6.101.98.18 activate
neighbor 6.101.98.34 activate
exit-address-family
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 6.126.104.135
ip route 6.101.98.18 255.255.255.255 6.126.104.135
ip route 6.101.98.34 255.255.255.255 6.126.104.135
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 GigabitEthernet0 10.10.10.1
!
!
control-plane
!
!
line con 0
login authentication cisco
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 10
exec-timeout 0 0
password cisco
authorization commands 15 cisco
authorization exec cisco
accounting commands 15 cisco
accounting exec cisco
login authentication cisco
transport input ssh
line vty 5 97
exec-timeout 30 0
authorization commands 15 cisco
authorization exec cisco
accounting commands 15 cisco
accounting exec cisco
login authentication cisco
transport input ssh
!
onep
transport type tipc
!
end