Double-Cloud DMVPN spoke Router Configuration
I have a decided to adopt an architecture dual-cloud DMVPN (1 head of network in the main office, 1 head of bed instead of DR) with the option later to go to double / hub in each of my network places.
I tried to configure each of the clouds to have its own key.
Cloud Hub 1 1:
ISAKMP crypto key KEY123 address 0.0.0.0 0.0.0.0 no.-xauth
1 2 hub cloud:
ISAKMP crypto key KEY456 address 0.0.0.0 0.0.0.0 no.-xauth
Of course, the rays I want to connect to the two clouds not would allow me to use the same simple crypto isakmp key command twice.
Several of my sites will have 2 internet connections. Given that I source a tunnel each of these Internet connections, I came up with the following solution:
talk 1:
door-key crypto X-RING
address Gig0/1 (internet connection interface 1)
preshared key address 0.0.0.0 0.0.0.0 touches 0 KEY123
door-key crypto Y-RING
address Gig0/2 (internet connection interface 2)
preshared key address 0.0.0.0 0.0.0.0 touch 0 KEY456
Crypto isakmp DMVPN_ISAKMP_X profile
X-RING keychain
function identity address 0.0.0.0
address Gig0/1
Crypto isakmp DMVPN_ISAKMP_Y profile
Y-RING keychain
function identity address 0.0.0.0
address Gig0/2
OK... to the question... the first site I tried to connect the two clouds DMVPN has only 1 internet connection!
Without changing both my DMVPN clouds to the same key (almost all of the examples have this) - how can I make sure that tunnels speaks - has spoken-star work?
Is there anything else I can match? or create on each configs speaks and hub?
I tried:
-
-matching fqdn does not seem to work either. -vrf is not an option - not applicable Thank you very much in advance! There is something special with ICP when seen DMVPN. PKI or preshared keys is just how isakmp authenticates the session, and there is no difference between DMVPN or Site to Site. Basically, you'd have to do these things: -create a CA. The basic can be created on some of your routers. -create the Trustpoint on each DMVPN hub and spokes. -change the type of authentication in isakmp profile of pre-shared key to rsa - SIG. You can certainly more trustpoint then one, one for each cloud, but I highly doubt that it is necessary for the public key infrastructure. Maybe this doc will be of little help, even if it has too much info: http://www.Cisco.com/en/us/docs/solutions/enterprise/security/DCertPKI.html If you need, I can bring up some full example site to site with PKI auth. Tags: Cisco Security DMVPN Phase 3 double cloud has spoke-to-Spoke communication Hello I would like to confirm/verify if Phase 3 allows rays in different areas of DMVPN communicate directly or that there is the talking-DMVPN-A routed through hubs talk-DMVPN-B? Any document on EAC authoritative on this specific scenario is greatly appreciated. Thank you. -Mike Mike, I may be off, does not not with the VPN for a year now, but that's. It really depends on what is a domain for you. Remember that the ID Network PNDH is locally important. In the end even network ID allows PNDH requests jump between different tunnels. If the network ID is different then the 'domain' is different and PNDH must not circulate between. For the rest, he is based on the road, it's just a matter of making conscious design decisions prior to deployment and a few tests. M. DMVPN/GETVPN double spoke router Design All the: I'm developing a new design of VPN - cloud DMVPN, routers double hub to the main site, router hub unique to the backup site and double routers spoke at the Directorate General/remotes. This is all via internet transport, with overlay GETVPN to encrypt. Somebody has experiences establishing DMVPN designs with dual spoke routers, and how go you about it? HSRP @ interface outside or inside, determination of Protocol routing only, etc... Thanks in advance! Hi Steve,. Using BGP will complicate things a bit. This is because you must announce the IP (used as source GRE) HSRP on both your ISP. If you need to own that IP. If this is not possible, you can use the double Hub - double DMVPN Layout (a part of the link DMVPN I joined precedent). This will require a WILL by the router and routing to use routing protocol. HSRP can still be used on the inside of the interface, the GRE tunnel status tracking. Doesnít of traffic must be translated as possible via GRE tunnels. Please rate if this helped. Kind regards Daniel DMVPN spoke of issues after migration double ISR2 3925 hub to ASR-1001 X Hello world After our hub solution migration DMVPN double ISR2 3925 to ASR - 1001 X (running asr1001x - universalk9.03.12.03.S.154 - 2.S3 - std.SPA.bin) we started to have some problems with tunnels rays beat (which goes up and down) and sometimes never came. Running 'show dmvpn' speak it is stuck in State PNDH to our hub. To solve the problem, we run 'stop' and then 'non-stop' on the tunnel interface to actually speak that DMVPN Monte. Also runs "clear encryption session
When the problem occurred, and then debug crypto ipsec, crypto, crypto isakmp and crypto engine socket the following can be seen on the hub: In addition, after you run "logging dmvpn rate-limit 20' on the hub On the talks both the following can be seen debugging as well: Obviously something seems to be wrong Phase 2 not to come. But why is it going up after having erased the session encryption or close the tunnel interface and activate the interface of tunnel has spoken? Very weird. Also, in looking at att the hub debugging messages it seems that Cryptography is associated with evil Tu3300 tunnel interface when it is Tu2010. Normal or Bug? The configuration of the hub looks like this: Configuring spoke: If more information is needed, please say so. Any help or advice would be greatly appreciated! Thank you! It is possible that you touch it--the failure of negotiations of phase 2: https://Tools.Cisco.com/bugsearch/bug/CSCup72039/?reffering_site=dumpcr [Too little detail to say with certainty:] M. Whenever I open my router configuration page, I am never prompted to enter a user name or password. Of course, it is a security problem for me. I even reset my router to its factory default settings. Yet, it is not yet solve the problem. I also want to be able to change the user name and password to make it more secure. It is indeed a cause for concern? If so, anyone have any suggestions to solve this problem? Thank you Hello Configuration page of your router is nothing to do with the Windows operating system. You will need to contact the router manufacturer for instructions on how to change the default settings. See you soon. Unable to access the router configuration I have a problem accessing my WRT54G Router configuration screen I tried to reset it by default (pressing the button of reset for 30 sec.) However, the default connection information does not work for me (username: empty password,: admin) Can someone help me? Hi shopping,. You can download the file to the router firmware WRT54G version 7 from this link: Hope that helps. :-) Good luck! Policy Based Routing Configurations 6500 and 4948 Switches Hello! I'm looking for good examples of the strategy for the 6509 and 4948-based routing Configuration. I have installation of base ACB, but can not find good IPSLA configurations to pair with them. The 4948 has IPSLA, but doesn't seem to have orders to attach it to the ACB roadmap. I'm not find effective IPSLA configurations for the 6500 as well. My hope is that someone has config IPSLA I can use, or direct me to an example of configuration is complete. This is for the redirection of a WAN accelerator to monitor. What I have so far for the 4948: interface GigabitEthernet1/11 SilverpeakACL extended IP access list ALS IP 99 Silverpeak allowed 10 route map I don't see how this will stop Policy Based Routing in the event where the WAN Accelerator dies. If you know where I can get the config, or give it here, I would be very happy! Hello I think that you apply IP SLA on edge device where you want automatic failover, if she applies then the 6509. Once this output is ok then apply the command track with map of the route according to the first post. It could be that useful... -GI Rate if this can help... Hei guys,. Please help me on this one because I'm stuck enough on her... I am trying to connect to a Cisco 3700 router configured as a VPN server by using a VPN client and the VPN connection does not settle. This is an extract from the log: 130 12:48:30.585 07/01/11 Sev = Info/5 IKE / 0 x 63000001 I enclose the whole journal extract... The message "BOLD" is quite obvious, you mean, but I'm 100% sure, in the login entry, I typed correctly the group password: pass My topology is very basic, as I am setting this up only to get a clue of the operation of the Cisco VPN. It is built in GNS3: Behind the second router there is a virtual XP machine on which I have installed VPN client... My connection entry in the customer is to have the following parameters: I use public addresses only, because I noticed there is a question about behind the NAT VPN connections and is not not very familiar to the NAT. Another aspect which can be of any importance is that "allow Tunneling of Transport" in the tab Transport to the input connection is disabled and the VPNServer router logs the following error message when you try to establish the connection: * 01:08:47.147 Mar 1: % CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE 200.100.50.34 package was not encrypted and it should have been. You have no idea why I can't connect? Y at - it something wrong with my configuration of VPN server... or with the connection entry in the VPN client? Thank you Iulia Depending on the configuration of the router, the group name is grup1 and the password is baby. You also lack the ipsec processing game that you would need to apply to the dynamic map. Here is an example configuration for your reference: http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080235197.shtml Hope that helps. The incomplete 1941W Cisco router configuration Good day all. I was running a business of small ecommerce for the last 5 years on a Linksys wireless router. Now that I have more than 14 posts and 6 networked printers, it was time to take a step towards the top. I bought a 1941W SRI CISCO to take us to the Gigabit speed in the next decade with a CISCO switch. I assume that the 1941W, although robust with scalability, would provide the installation of it, simple as the product Linksys (Cisco) or at least a simple 1-2-3 How to get basic connections made. I was wrong and now I find that I have some difficulty to negotiate Internet on the router again. Included below is my config NVRAM. I hope someone could tell where I can have a few gaps in my config. Please note: this config is derived from an example on the net that seemed simple enough, so if you find yourself asking, "why did do that?", I hope that this provides the perspective. TEST router configuration Objective: Complete the basic configuration to connect (and ping) to the internet TEXT OF HYPERTERMINAL CONNECTION TO THE CONSOLE: User access audit User name: admin TESTROUTER > activate Type to abort escape sequence. TESTROUTER #show config
! TESTROUTER #. END OF HYPERTERMIAL TO THE TEXT OF THE CONSOLE Thanks in advance to those who consider a response. Daniel Daniel You have a LCD 115 on the external interface and it is just a line in this acl which is a refusal. Be aware that an acl has implicit deny all the end anyway so basically that this acl blocking all incoming which responses return icmp (ping) traffic. Because you run the command ping to the router using an IP address not not a DNS then NAT or DNS name is a problem at present. I suggest that rewrite you the acl - 115 access-list 115 permit icmp host 8.8.8.8 entire echo response and test again with your ping. If it works then it's the acl that is the problem and you need to write your acl so that is what you want to allow before that you want to deny. Jon Is it possible to use hub dual double cloud in Phase 1 DMVPN? Hello, I'm studying DMVPN in Phase 1. I'm doing a lab where I have 2 hubs and 2 spokes connected through 2 providers. In DMVPN phase 1, what I understand, destined for the tunnel must be configured manually (gre tunnel mode is point to point). But for each ray, I have 2 hubs. How can I specify addresses NBMA the two poles of the same tunnel interface IP spoke? I can only specify a single destination tunnel, then a hub. Hubs do not need four interfaces in this case, one by ISP is enough. You end up with the following connections by talk: Tun1-isps1 <->Tun1-isps1-Hub1 DMVPN spoke with HSRP sells HUB I have a basic DMVPN with an IPSEC config protect profile. On the shelves, I use the VIP HSRP for (192.168.1.1) configuration and traffic stops treatment map of PNDH 10.29.32.1 IP 192.168.1.1 If I use the real IP address of the HUB 192.168.1.2 interface, it works fine. I changed the mode of multipoint gre tunnel and changed to point to the real or VIP and seems not in line with the VIP HSRP. Is this a supported configuration, or am I missing something? The end result is routers DMVPN HUB running HSRP and we talked, pointing to the VIP address. I feel that, since then, IPSec, the communication breaks when you use the VIP Thank you Juan Spoke about config below interface Tunnel100 Description bandwidth 6000 IP 10.29.47.254 255.255.240.0 no ip redirection IP 1400 MTU property intellectual PNDH authentication nhrpdomain map of PNDH IP 192.168.1.2 multicast map of PNDH 10.29.32.1 IP 192.168.1.2 PNDH id network IP-100 property intellectual PNDH holdtime 360 property intellectual PNDH nhs 10.29.32.1 IP tcp adjust-mss 1360 load-interval 30 QoS before filing source of tunnel GigabitEthernet0/2 multipoint gre tunnel mode tunnel key 1000 Protection ipsec DMVPN tunnel profile end Hello The hub does not generate the packages using the VIP. If the RADIUS is trying to connect to 192.168.1.1 while the hub will respond with 192.168.1.2. For redundancy, you can create two tunnels on the RADIUS. 1 for every router and use eigrp to decide the best option. You can still use hsrp to the internal network on the hubs (the network doesn't not facing rays) so the right router will be the gateway for internal routers. Find the best modem / router configuration. Be 'stuck' with wimpy CenturyLink DSL service (read 4 Mbps), I try to get every ounce of speed that I can with my configuration of a Wi - Fi. The material in question is a Technicolor C1100T modem/router/WiFi and a current model Apple AirPort Extreme. The question is, whose Setup is faster: [A] C1100T in Bridge Mode (i.e. modem only) > AirPort Extreme all the PPPoE router / WiFi work, or [B] C1100T modem handling / PPPoE - router work > AirPort Extreme in Bridge Mode, just do a Wi - Fi connection? The C1100T goes only up to speed "n" where the Airport manages 'ac '. So my thought is the configuration 'B' may have an advantage. I thought I would ask the collective wisdom of the community of Apple before playing with all the related parameters. Speaking of which, overall the Apple hardware, the PPPoE "Account name" is always shown as formatting as an email (e.g. [email protected]) address. In the C1100T admin settings, the PPP username (PPPoE) is in the format ABC123456789. Formats in the case of AirPort Utility parameters (i.e. it will accept Qwest format)? As long as we talk about press speed, are there any other tricks, for example by selecting the best channels 2.4 GHz and 5 GHz (assuming that one is faster than the other)? Literally, living in the Woods, there is no one else around with any related Wi - Fi signal to interfere. As always, thanks for the help! The question is, whose Setup is faster: [A] C1100T in Bridge Mode (i.e. modem only) > AirPort Extreme all the PPPoE router / WiFi work, or [B] C1100T modem handling / PPPoE - router work > AirPort Extreme in Bridge Mode, just do a Wi - Fi connection? Not trying to be cute here, but if the products work correctly, the results will be the same. However... speed could be one thing and another reliability. Setting PPPoE Apple are old and is not known for their reliability. As you know, in theory, you want the device that provides identification of connection information to connect directly to the Internet service. This would mean that have C1100T PPPoE c would probably be a better way to do things, reliability wise. The C1100T goes only up to speed "n" where the Airport manages 'ac '. So my thought is the installation of 'B' may have an advantage Not in terms of connection to the Internet. If you are thinking about speed on your local network, the airport would be the way to go. Just ignore the C1100T, or turn off the wireless feature if you feel that it can interfere with wireless the wireless AirPort. Speaking of which, overall the Apple hardware, the PPPoE "Account name" is always shown as formatting as an email (e.g. [email protected]) address. In the C1100T admin settings, the PPP username (PPPoE) is in the format ABC123456789. Formats in the case of AirPort Utility parameters No, but I would not use PPPoE over airport. If you have tons of time and be ready to experiment and put up with connections, more broken then you could try PPPoE on the airport. As long as we talk about press speed, are there any other tricks, for example by selecting the best channels 2.4 GHz and 5 GHz (assuming that one is faster than the other)? N ° the most convenient airport at startup, it automatically scans to select a channel that meets the criteria set by Apple engineers. As soon as it finds one, he chooses. If someone really knew what could be the real criteria you had tons of time on your hands, in theory, it may be possible to guess and select a channel as good as who will pick up the airport. HP ps 5520 eprint configuration which router configuration is necessary? I need to configure on my ps hp eprint 5520, but it cannot download the firmware. The printer is properly installed via radio one by one 192.168.xxx.xxx local/static ip, dns is the high 8.8.8.8 and 8.8.4.4. the computer is on the same local area network and 7 64 home. the router is netgear dg 834. I tried to install the printer in the demilitarized zone, I tried to inbound and outbound on port 80 to 5347 and authorized installation service. THERE IS NO WAY TO INSTALL EPRINT. Thanks for advantage Problem is actively debated the post below. Photosmart HP 5520. First installation cannot start configuration eprint. Could not be updated The router configuration E3200 using USB Modem (wireless) to connect to internet How to configure a router E3200 using a USB wireless modem to connect to internet? It's my only choice, I don't have a wired connection and I do not have telephone wires and there is no authority to act differently. PLEASE I NEED IMMEDIATE HELP. I WAS TOLD THAT I COULD DO THAT! The only option is to use a computer to connect to the internet and then see the E3200 as access point and switch. Failover for the RV320 router configuration Hello I have a RV320 router with a WAN connection to the office LAN and USB 3 G modem for failover. However the switch is malfunctioning. When I unplugged the cable to WAN it works as expected, the 3 G modem take longer after a few seconds. But when I have trouble with connection overseas, WAN is still in place and the router is not switch to the 3 G modem. Is it possible to configure the router so that regularly ping a specific IP address, and if the ping command fails, he move to the 3G connection? Thank you. The parameter you need is under System Management > Dual WAN - Select 1 WAN, then click on modify. -Under Network Service detection, you can specify an internet host to act as the trigger for failover. How can I find my favorites in Firefox IOS? My Favorites is not displayed in the IOSapp as they do on Firefox in the computer. All, morning Is that what I can do to get my D3 to use wifi on the range of 5 GHZ, rather than the 2.4 GHZ spectrum. I have a dual-band AP and its failure in the bottom of the speed spectrum. Thank you Steve HP mini 210 computer: I forgot the administrator password Hi, I forgot my administrator password or power on password. When I try 3 times, the bios show me this number 55062924 And disable System... Please... could you help me? Thank you Error code KB936330 during the upgrade to Service Pack 1 I have put automatic updates in place but whenever the Service Pack 1 update has failed. Why? Scanner LiDE 220 - leave it lit? I bought a scanner LiDE 220 from Amazon and installed yesterday. So far I like it really - especially the Auto Scan function that figures on what you scan and crop it for you. I love it so much that I ordered another today for my wife's computer. I h
-telesignalisations behind the ip address do not appear to be an option and seems to complicate the issue too.Similar Questions
Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 140130067548488, message ID = 629121681 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): seq. no 0x64B2238C Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): sending packet to
#sh pl ha qf ac fe ipsec data drop ------------------------------------------------------------------------ Drop Type Name Packets ------------------------------------------------------------------------ 3 IN_US_V4_PKT_FOUND_IPSEC_NOT_ENABLED 127672 19 IN_OCT_ANTI_REPLAY_FAIL 13346 20 IN_UNEXP_OCT_EXCEPTION 4224 33 OUT_V4_PKT_HIT_IKE_START_SP 1930 62 IN_OCT_MAC_EXCEPTION 9 #sh plat hard qfp act stat drop | e _0_ ------------------------------------------------------------------------- Global Drop Stats Packets Octets ------------------------------------------------------------------------- Disabled 1 82 IpFragErr 170536 246635169 IpTtlExceeded 4072 343853 IpsecIkeIndicate 1930 269694 IpsecInput 145256 30071488 Ipv4Acl 2251965 215240194 Ipv4Martian 6248 692010 Ipv4NoAdj 43188 7627131 Ipv4NoRoute 278 27913 Ipv4Unclassified 6 378 MplsNoRoute 790 69130 MplsUnclassified 1 60 ReassTimeout 63 10156 ServiceWireHdrErr 2684 585112
%DMVPN-3-DMVPN_NHRP_ERROR: Tunnel292: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel:
*Jun 25 09:17:26.884: ISAKMP:(1032): sitting IDLE. Starting QM immediately (QM_IDLE ) *Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281 *Jun 25 09:17:26.884: ISAKMP:(1032):QM Initiator gets spi *Jun 25 09:17:26.884: ISAKMP:(1032): sending packet to
crypto keyring ISP1-DMVPN vrf ISP1-DMVPN pre-shared-key address 0.0.0.0 0.0.0.0 key
crypto keyring DMVPN01 pre-shared-key address 0.0.0.0 0.0.0.0 key
Description to_dis_pri:g2/0/11
No switchport
IP 11.11.11.10 255.255.255.252
political ownership intellectual-card route Silverpeak
Speed 1000
full duplex
IP enable any 12.12.12.0 0.0.0.255
ICMP echo - 14.14.14.14
Timeout 2000
frequency 10
Annex IP SLA 99 life never start-time now
corresponds to the IP SilverpeakACL
IP 14.14.14.14 jump according to the value Hi Ganesh, It did take that command, and this is the output:: #sho track 99 Track 99 IP SLA 99 reachability Reachability is Up 1 change, last change 00:00:16 Latest operation return code: OK Latest RTT (millisecs) 1 Will this tie it all together? Also, will this be the same config for the 6509?
Peer supports XAUTH
131 12:48:30.585 07/01/11 Sev = WARNING/3 IKE/0xE3000057
The HASH payload received cannot be verified
132 12:48:30.600 07/01/11 Sev = WARNING/2 IKE/0xE300007E
Failed the hash check... may be configured with password invalid group.
133 12:48:30.600 07/01/11 Sev = WARNING/2 IKE/0xE300009B
Impossible to authenticate peers (Navigator: 904)
134 12:48:30.600 07/01/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO (NOTIFY: INVALID_HASH_INFO) for 200.100.50.173
-2 3700 routers: one of them holds the configuration of the VPN server and the other would be the ISP through which the remote worker would try to establish a VPN connection. I am also attaching the configuration file for the router configured as a VPN router.
Host: 200.100.50.173 , //which is the IP address of the VPNServer
Authentication-> authentication-> name group: grup1 password: pass / / I'm quite positive that I typed the correct password... even if the log messages are linked to a misidentification.
* 01:08:47.151 Mar 1: % CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE 200.100.50.34 package was not encrypted and it should have been.
28/07/2010
Problem: Cannot conect to the internet; Incomplete suspected configuration; Maybe bad config NAT or DNS issue
Comments: In the process.
Password:
Password:
TESTROUTER #ping 8.8.8.8
Send 5, echoes ICMP 100 bytes to 8.8.8.8, time-out is 2 seconds:
.....
Success rate is 0% (0/5)
With the help of 2615 off 262136 bytes
!
! 01:33:34 CST configuration was last modified Thursday, July 29, 2010 by admin
!
version 15.0
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec show-time zone
horodateurs service log datetime msec show-time zone
encryption password service
!
hostname TESTROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
recording console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXX
!
AAA new-model
!
!
AAA authentication login default local
the AAA authentication enable default
!
!
!
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone CST - 6
Service-module wlan-ap 0 autonomous bootimage
!
No ipv6 cef
no ip source route
inaccessible 2000 IP icmp rate-limit
IP icmp rate-limit unreachable DF 2000
IP cef
!
!
!
!
no ip bootp Server
no ip domain search
8.8.8.8 IP name-server
IP-server names 8.8.4.4
name of the IP-server 209.18.47.61
name of the IP-server 209.18.47.62
Authenticated MultiLink bundle-name Panel
!
!
!
license udi pid CISCO1941W-A/K9 sn XXXXXXXXXXX
ISM HW-module 0
!
!
!
admin password username 7 XXXXXXXXXXXX
!
!
!
!
!
!
interface GigabitEthernet0/Wlan-0
Description interface connecting to the AP the switch embedded internal
Shutdown
!
interface GigabitEthernet0/0
Description of connection to the internet to transfer Ethernet/fiber TWC (ISP)
address IP AA. BB. CC.149 255.255.255.0
IP access-group 115 to
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
no ip-cache cef route
no ip route cache
automatic duplex
automatic speed
No cdp enable
!
wlan-ap0 interface
description of the Service interface module to manage the embedded AP
no ip address
ARP timeout 0
No mop enabled
No mop sysid
!
interface GigabitEthernet0/1
Internal description of the connection to the local network
IP 10.10.10.1 255.255.255.0
IP access-group 116 to
no ip proxy-arp
IP nat inside
IP virtual-reassembly
no ip-cache cef route
no ip route cache
automatic duplex
automatic speed
No cdp enable
No mop enabled
!
interface Vlan1
no ip address
Shutdown
!
IP forward-Protocol ND
!
no ip address of the http server
no ip http secure server
!
IP nat inside source list 1 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 AA. ABM CC.1
IP route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 115 deny ip 127.0.0.0 0.255.255.255 everything
!
not run cdp
!
control plan
!
!
Line con 0
line to 0
line 67
no activation-character
No exec
preferred no transport
transport of entry all
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
line vty 0 4
password 7 XXXXXXXXXXXXXX
!
Scheduler allocate 20000 1000
end
Tun2-isps1 <->Tun1-isps1-Hub2
Tun3-ISP2 <->Tun2-ISP2-Hub1
Tun4-ISP2 <->Tun2-ISP2-Hub2Maybe you are looking for