Cisco CSR Configuration for Packet Fabric Network

Topology

Cisco-CSR-DC ---> Packet Fabric Router ---> DX/ER/GCI --->

The packet fabric is already set up with:

  • Pre-shared key
  • IKEv2 IPSec
  • Route Based VPN

cisco-dc-router#sh run 
Building configuration...

Current configuration : 8013 bytes
!
! Last configuration change at 14:06:03 UTC Fri Jun 4 2021 by shahzad
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname cisco-dc-router
!
boot-start-marker
boot-end-marker
!
!
vrf definition GS
rd 100:100
!
address-family ipv4
exit-address-family
!
logging persistent size 1000000 filesize 8192 immediate
!
no aaa new-model
login on-success log
subscriber templating
multilink bundle-name authenticated
!
!
license udi pid CSR1000V sn 97Y1K8PCDUC
diagnostic bootup level minimal
memory free low-watermark processor 71497
!
!
spanning-tree extend system-id
!
username ec2-user privilege 15
username shahzad privilege 15 password 7 0337530A0E1520481F5B4A44
username admin privilege 15 password 7 03254D02071B334556584B5656
!
redundancy
!
!
crypto ikev2 proposal PF
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy PF
proposal PF
!
!
crypto ikev2 profile PF-profile
match identity remote address 23.159.0.6 255.255.255.255
authentication remote pre-share key Shahzad123!
authentication local pre-share key Shahzad123!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set PF esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile FP
set security-association lifetime seconds 28800
set transform-set PF
set pfs group14
set ikev2-profile PF-profile
!
crypto ipsec profile PF
set security-association lifetime seconds 28800
set transform-set PF
set pfs group14
set ikev2-profile PF-profile
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
ip address 169.254.37.105 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 192.168.11.6
tunnel mode ipsec ipv4
tunnel destination 23.159.0.6
tunnel path-mtu-discovery
tunnel protection ipsec profile PF
ip virtual-reassembly
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 192.168.11.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 192.168.11.1 global
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
username ec2-user
key-hash ssh-rsa 5E874AE74054420DF7B81D6C422A33E2 ec2-user
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
10 permit 192.168.35.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 20
privilege level 15
login local
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
app-hosting appid guestshell
app-vnic gateway1 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.102 netmask 255.255.255.0
app-default-gateway 192.168.35.101 guest-interface 0
name-server0 8.8.8.8
end

cisco-dc-router#
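
A small audit pass over a running-config like the one above, added here as an example (it is not part of the original post): it flags the credential-storage and management-plane lines a reviewer would query, by line number and without printing the secret. The rule names, the `audit` function and the sample excerpt are constructed for illustration, and section matching assumes the usual `show running-config` indentation.

```python
import re

# Constructed excerpt in the layout of the running-config above; the secret
# values are placeholders, not the ones from the page.
SAMPLE = """\
username admin privilege 15 password 7 TYPE7-PLACEHOLDER
crypto ikev2 profile PF-profile
 match identity remote address 23.159.0.6 255.255.255.255
 authentication remote pre-share key PSK-PLACEHOLDER
 authentication local pre-share key PSK-PLACEHOLDER
ip http server
ip http secure-server
line vty 0 4
 privilege level 15
 transport input ssh
"""

# (rule id, required parent section prefix, regex on the line, reviewer's reason)
RULES = [
    ("type7-password", "", r"^username \S+ .*\bpassword 7 ",
     "type 7 is reversible obfuscation, not a hash"),
    # a leading "6 " marks an AES-encrypted (type 6) key; anything else is readable
    ("readable-psk", "crypto ikev2 profile",
     r"^authentication (remote|local) pre-share key (?!6 )",
     "IKEv2 pre-shared key stored readable in the config"),
    ("http-cleartext", "", r"^ip http server$",
     "web management also listens on plain HTTP"),
    ("vty-priv15", "line vty", r"^privilege level 15$",
     "every VTY login starts in privileged EXEC"),
]

def audit(config_text):
    """Return (line_no, rule_id, reason); the matched secret is never echoed."""
    findings, section = [], ""
    for no, raw in enumerate(config_text.splitlines(), 1):
        if raw and not raw[0].isspace():
            section = raw.strip()  # an unindented line opens a new section
        line = raw.strip()
        for rule_id, parent, pattern, reason in RULES:
            if section.startswith(parent) and re.search(pattern, line):
                findings.append((no, rule_id, reason))
    return findings

if __name__ == "__main__":
    for no, rule_id, reason in audit(SAMPLE):
        print(f"line {no}: {rule_id}: {reason}")
```
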

