hostname esr-21-1

ip firewall sessions counters
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit
object-group service OBJ_SVC_VPN
  port-range 500
  port-range 4500
exit

syslog max-files 3
syslog file-size 512
syslog sequence-numbers
syslog file tmpsys:syslog/default
  severity info
exit

username admin
  password encrypted $6$Yiowl5cYGbXIc3rE$LmaHnxnZCqN8uHDfytK9Mnwg3.lCIapFgP7kezlGPJX5TtdiaX4lHxEjRtvh6nXzV3bzJCa3nHPgNUhd9Dtf2.
exit
aaa authentication mode break
aaa authentication login CONSOLE radius local
aaa authentication login SSH radius local
aaa authentication enable default radius enable
radius-server host 10.4.0.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
  source-interface port-channel 1.300
exit
line console
  login authentication CONSOLE
exit
line ssh
  login authentication SSH
exit

system jumbo-frames
system config-confirm timeout 120

boot host auto-config
vlan 2,10
exit

no spanning-tree

security zone LAN
exit
security zone WAN
exit
security zone VPN
exit

ip bfd multiplier 3
route-map RM_BGP_OUT
  rule 10
  exit
exit
router bgp 65001
  neighbor 2.2.2.2
    remote-as 65002
    ebgp-multihop 2
    update-source 1.1.1.1
    address-family ipv4 unicast
      route-map RM_BGP_OUT out
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 192.168.100.0/24
  exit
  enable
exit

router ospf log-adjacency-changes
router ospf 555
  router-id 1.1.1.1
  area 0.0.0.0
    network 10.255.254.0/24
    network 1.1.1.1/32
    enable
  exit
  enable
exit

bridge 1
  vlan 1
  security-zone WAN
  ip address 11.11.11.11/24
  enable
exit

interface port-channel 1
  mtu 9100
exit
interface port-channel 1.300
  description "MGM"
  ip firewall disable
  ip address 10.14.112.248/24
exit
interface port-channel 1.3
  security-zone LAN
  ip address 192.168.100.254/24
exit
interface gigabitethernet 1/0/1
  description "WAN"
  mode switchport
exit
interface gigabitethernet 1/0/2
  description "WAN2"
  mtu 9500
  security-zone WAN
  ip address 12.12.12.11/24
exit
interface gigabitethernet 1/0/2.555
  shutdown
  description "p2p_mpls"
  mtu 9500
  security-zone VPN
  ip address 172.30.30.1/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf
exit
interface gigabitethernet 1/0/3
  mode switchport
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface gigabitethernet 1/0/5
  mode switchport
exit
interface gigabitethernet 1/0/6
  mode switchport
exit
interface gigabitethernet 1/0/7
  mode switchport
exit
interface gigabitethernet 1/0/8
  mode switchport
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/9
  mode switchport
exit
interface gigabitethernet 1/0/10
  mode switchport
exit
interface gigabitethernet 1/0/11
  mode switchport
exit
interface gigabitethernet 1/0/12.100
exit
interface loopback 1
  ip address 1.1.1.1/32
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf
exit
tunnel gre 101
  mtu 1400
  multipoint
  security-zone VPN
  local address 11.11.11.11
  ip address 10.255.255.1/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf priority 5
  ip ospf
  ip bfd min-rx-interval 300
  ip bfd min-tx-interval 300
  ip bfd multiplier 3
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp ipsec IPSEC_VPN_HUB dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit
tunnel gre 102
  mtu 1400
  multipoint
  security-zone VPN
  local address 12.12.12.11
  ip address 10.255.254.1/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf priority 5
  ip ospf network point-to-point
  ip ospf
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp ipsec IPSEC_VPN_HUB_102 dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
exit
tunnel ip4ip4 1
exit

mpls
  ldp
    router-id 1.1.1.1
    address-family ipv4
      interface gigabitethernet 1/0/2.555
      exit
    exit
  exit
  l2vpn
    pw-class L2_VPN
    exit
    p2p P2P_L2VPN
      interface gigabitethernet 1/0/7
      pw 102 2.2.2.2
        pw-class L2_VPN
        enable
      exit
      enable
    exit
  exit
  forwarding interface gigabitethernet 1/0/2.555
exit
security zone-pair LAN VPN
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair VPN LAN
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
  rule 2
  exit
exit
security zone-pair WAN self
  rule 1
    description "GRE"
    action permit
    match protocol gre
    enable
  exit
  rule 2
    description "ISAKMP"
    action permit
    match protocol udp
    match destination-port OBJ_SVC_VPN
    enable
  exit
  rule 3
    description "ESP"
    action permit
    match protocol esp
    enable
  exit
  rule 10
    description "ICMP"
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair VPN self
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit

security ike proposal IKEPROP
  encryption algorithm aes256
  dh-group 2
exit

security ike proposal IKE_PROP_1
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKEPOLICY
  pre-shared-key ascii-text encrypted 88B11079E15D1B
  proposal IKEPROP
exit

security ike policy IKE_POL_1
  pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
  proposal IKE_PROP_1
exit

security ike gateway IKEGW
  ike-policy IKEPOLICY
  local address 11.11.11.2
  local network 11.11.11.2/32 protocol gre 
  remote address 11.11.11.1
  remote network 11.11.11.1/32 protocol gre 
  mode policy-based
exit

security ike gateway IKE_GW_1
  ike-policy IKE_POL_1
  local address 11.11.11.11
  local network 11.11.11.11/32 protocol gre 
  remote address any
  remote network any
  mode policy-based
exit

security ike gateway IKE_GW_2
  ike-policy IKE_POL_1
  local address 12.12.12.11
  local network 12.12.12.11/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP
  encryption algorithm aes128
exit

security ipsec proposal IPSEC_PROP_1
  encryption algorithm aes128
exit

security ipsec policy IPSECPOLICY
  proposal IPSECPROP
exit

security ipsec policy IPSEC_POL_1
  proposal IPSEC_PROP_1
exit

security ipsec vpn IPSECVPN
  mode ike
  ike establish-tunnel route
  ike gateway IKEGW
  ike ipsec-policy IPSECPOLICY
  enable
exit

security ipsec vpn IPSEC_VPN_HUB
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_1
  ike ipsec-policy IPSEC_POL_1
  enable
exit

security ipsec vpn IPSEC_VPN_HUB_102
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_2
  ike ipsec-policy IPSEC_POL_1
  enable
exit

security passwords default-expired
ip dhcp-server pool lan-pool
  network 192.168.1.0/24
  address-range 192.168.1.2-192.168.1.254
  default-router 192.168.1.1
exit

ip route 0.0.0.0/0 10.14.112.254

ip ssh server

lldp enable

clock timezone gmt +4

ntp enable
ntp server 10.1.8.2
  minpoll 4
exit
ntp server 10.1.8.1
  minpoll 4
exit