hostname MSK-MLK-NOV2-RT-1-1.ESR-21

ip firewall sessions counters
object-group service OBJ_SVC_SSH
  port-range 22
exit
object-group service OBJ_SVC_VPN
  port-range 500
  port-range 4500
exit
object-group service OBJ_SVC_MGMT
  port-range 22
  port-range 23
  port-range 2001-2003
exit

object-group network OBJ_NET_IZH_KG_P11
  description "IZH-KG-P11_nets"
  ip prefix 91.240.179.0/24
  ip prefix 5.227.124.143/32
  ip prefix 78.85.13.93/32
  ip prefix 62.141.96.126/32
  ip prefix 84.201.247.190/32
  ip prefix 88.80.33.50/32
  ip prefix 94.25.46.122/32
exit
object-group network OBJ_NET_IZH_MLK_IZM
  description "IZH-MLK-IZM_nets"
  ip prefix 91.240.179.0/24
  ip prefix 85.140.32.27/32
  ip prefix 78.85.13.42/32
  ip prefix 5.227.126.169/32
  ip prefix 31.173.105.54/32
  ip prefix 217.14.195.253/32
  ip prefix 85.175.86.74/32
exit
object-group network OBJ_NET_ADM_MGMT
  description "Admins Net for MGMT and Routing"
  ip prefix 10.110.0.0/24
  ip prefix 10.4.0.214/32
  ip prefix 10.1.19.0/24
  ip prefix 10.14.117.0/24
  ip prefix 172.30.1.0/24
  ip prefix 172.30.2.0/24
exit
object-group network OBJ_NET_NAT_USERS
  ip prefix 10.14.104.0/21
exit
object-group network OBJ_NET_SVC
  description "Service IP for DHCP and Monitoring"
  ip prefix 192.168.8.99/32
  ip prefix 10.4.0.58/32
  ip prefix 10.1.8.5/32
  ip prefix 10.4.0.5/32
exit

syslog max-files 3
syslog file-size 1024
syslog cli-commands
syslog file tmpsys:syslog/syslog
  severity info
exit
logging syslog configuration
logging aaa configuration
logging userinfo
syslog monitor crit

alias q root "exit"
username admin
  password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
  privilege 1
exit
username techsupport
  password encrypted $6$qQ9DjGu5Ho3PsG1P$kFSYXz6vF15o8dO9siAha7hTiTtA159xVUA9BSVGM3wgsSEKeAyGQK5HZKyIkplOhc3f4eXjUoDrdc.YxlLhn1
exit
username remote
  password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
exit
username netadmin
  password encrypted $6$qQ9DjGu5Ho3PsG1P$kFSYXz6vF15o8dO9siAha7hTiTtA159xVUA9BSVGM3wgsSEKeAyGQK5HZKyIkplOhc3f4eXjUoDrdc.YxlLhn1
  privilege 15
exit
enable password encrypted $6$AfOE17s2nl/CyvEy$6iroAkDn996cy.hfE69WQHuCyKZVsrLNff9Zpdtg4j/7GUDnUaNehPe/Ej5hxuJrLTHYe109dqurFYAVni3ue1 privilege 15
aaa authentication mode break
aaa authentication login CONSOLE local radius
aaa authentication login SSH radius local
aaa authentication enable default radius enable
radius-server host 10.1.122.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
  source-interface loopback 1
exit
radius-server host 10.4.0.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
  source-interface loopback 1
exit
line console
  login authentication CONSOLE
exit
line ssh
  login authentication SSH
exit
line aux 1
  description "RT-1-2"
  transport telnet port 2001
exit
line aux 2
  description "SW-1-1"
  speed 9600
  transport telnet port 2002
exit


tech-support login enable
system jumbo-frames
system config-confirm timeout 120

no spanning-tree

domain lookup enable
domain name-server 10.4.0.1
domain name-server 10.1.8.1
domain name-server 1.1.1.1
domain name komos-group.ru

security zone LAN
exit
security zone WAN
exit
security zone VPN
exit

route-map RM_BGP_OUT
  rule 1
    description "Universal_MGMT_Loopback"
    match ip address 10.111.0.0/16 ge 32 le 32
  exit
  rule 10
    description "MSK-NOV2_PREFIX"
    match ip address 10.14.104.0/21
  exit
exit
route-map RM_BGP_IN
  rule 10
    match as-path end 64512
    action set local-preference 1000
  exit
exit
router bgp 64556
  timers keepalive 10
  timers holdtime 30
  peer-group PG_BGP_IZM
    remote-as 64512
    graceful-restart
    route-map RM_BGP_OUT out
  exit
  peer-group PG_BGP_P11
    remote-as 64513
    graceful-restart
    route-map RM_BGP_OUT out
  exit
  neighbor 172.30.1.1
    peer-group PG_BGP_IZM
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.1.2
    peer-group PG_BGP_IZM
    address-family ipv4 unicast
      route-map RM_BGP_IN in
      enable
    exit
    enable
  exit
  neighbor 172.30.2.1
    peer-group PG_BGP_P11
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.2.2
    peer-group PG_BGP_P11
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.31.16.2
    remote-as 64556
    graceful-restart
    address-family ipv4 unicast
      route-map RM_BGP_OUT out
      next-hop-self
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 10.14.104.0/21
    network 10.111.56.1/32
  exit
  enable
exit


interface port-channel 1
  description "[KU]_SW-1-1"
  mtu 9100
exit
interface port-channel 1.2
  description "Users"
  security-zone LAN
  ip address 10.14.105.252/24
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  vrrp id 1
  vrrp ip 10.14.105.254/32
  vrrp priority 120
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.150
  description "WIFI"
  security-zone LAN
  ip address 10.14.107.252/24
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 2
  vrrp ip 10.14.107.254/32
  vrrp priority 120
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.300
  description "MGM"
  security-zone LAN
  ip address 10.14.104.252/25
  vrrp id 30
  vrrp ip 10.14.104.254/32
  vrrp priority 120
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.301
  description "WIFI_MGM_Ubiquity"
  security-zone LAN
  ip address 10.14.106.124/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 4
  vrrp ip 10.14.106.126/32
  vrrp priority 120
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.305
  description "WIFI_MGM_Eltex"
  security-zone LAN
  ip address 10.14.106.252/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 5
  vrrp ip 10.14.106.254/32
  vrrp priority 120
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.350
  description "VOIP"
  security-zone LAN
  ip address 10.14.104.124/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 6
  vrrp ip 10.14.104.126/32
  vrrp priority 120
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.555
  description "Transit_RT-1-1_RT-1-2"
  security-zone LAN
  ip address 172.31.16.1/29
exit
interface gigabitethernet 1/0/5
  description "[KU]_Po1_SW-1-1"
  mode switchport
  mtu 9100
  channel-group 1 mode auto
  lldp transmit
  lldp receive
exit
interface gigabitethernet 1/0/6
  description "[KU]_Po1_SW-1-1"
  mode switchport
  mtu 9100
  channel-group 1 mode auto
  lldp transmit
  lldp receive
exit
interface gigabitethernet 1/0/7
  description "[ISP-100M]_Rosfon_ISP_A"
  security-zone WAN
  ip address 89.17.51.253/26
exit
interface gigabitethernet 1/0/8
  description "[-ISP-xxM]_WAN_ISP_B"
  mtu 9100
  security-zone WAN
exit
interface loopback 1
  description "MGMT_IP"
  ip address 10.111.56.1/32
exit
tunnel gre 101
  key 1001
  ttl 255
  mtu 1400
  multipoint
  security-zone VPN
  local interface gigabitethernet 1/0/7
  ip address 172.30.1.76/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 172.30.1.2 78.85.13.42
  ip nhrp map 172.30.1.1 85.140.32.27
  ip nhrp nhs 172.30.1.1/24
  ip nhrp nhs 172.30.1.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
tunnel gre 102
  key 1002
  ttl 255
  mtu 1400
  multipoint
  security-zone VPN
  local interface gigabitethernet 1/0/7
  ip address 172.30.2.76/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318A9
  ip nhrp holding-time 300
  ip nhrp map 172.30.2.1 5.227.124.143
  ip nhrp map 172.30.2.2 78.85.13.93
  ip nhrp nhs 172.30.2.1/24
  ip nhrp nhs 172.30.2.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

snmp-server
snmp-server contact "INVENTAR_NUMBER"
snmp-server location "MSK, Novodmitrovskaya,2 , kor 2, of 0404"
snmp-server community lmTUEsk6Yvlv  ro

security zone-pair WAN self
  rule 10
    description "permit_any_from_P11"
    action permit
    match source-address OBJ_NET_IZH_KG_P11
    enable
  exit
  rule 20
    description "permit_any_from_IZM"
    action permit
    match source-address OBJ_NET_IZH_MLK_IZM
    enable
  exit
exit
security zone-pair LAN VPN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair VPN LAN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair VPN self
  rule 10
    description "permit_svc"
    action permit
    match source-address OBJ_NET_SVC
    enable
  exit
  rule 20
    description "permit_icmp"
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    description "permit_admins"
    action permit
    match source-address OBJ_NET_ADM_MGMT
    enable
  exit
exit
security zone-pair LAN WAN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair LAN self
  rule 10
    description "permit_admins"
    action permit
    match source-address OBJ_NET_ADM_MGMT
    enable
  exit
  rule 20
    description "Deny_MGMT_ports_from_LAN"
    action deny
    match protocol tcp
    match destination-port OBJ_SVC_MGMT
    enable
  exit
  rule 100
    description "PERMIT_ANY"
    action permit
    enable
  exit
exit
security zone-pair LAN LAN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair VPN VPN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit

security ike proposal IKE_PROP
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKE_POL
  lifetime seconds 86400
  pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
  proposal IKE_PROP
exit

security ike gateway IKE_GW_HUB
  ike-policy IKE_POL
  local address 89.17.51.253
  local network 89.17.51.253/32 protocol gre 
  remote address any
  remote network 78.85.13.42/32 protocol gre 
  remote network 85.140.32.27/32 protocol gre 
  remote network 5.227.124.143/32 protocol gre 
  remote network 78.85.13.93/32 protocol gre 
  mode policy-based
exit

security ike gateway IKE_GW_SPOKE
  ike-policy IKE_POL
  local address 89.17.51.253
  local network 89.17.51.253/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSEC_PROP
  encryption algorithm aes128
exit

security ipsec policy IPSEC_POL_HUB
  proposal IPSEC_PROP
exit

security ipsec vpn IPSEC_VPN_HUB
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKE_GW_HUB
  ike ipsec-policy IPSEC_POL_HUB
  enable
exit

security ipsec vpn IPSEC_VPN_SPOKE
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKE_GW_SPOKE
  ike ipsec-policy IPSEC_POL_HUB
  enable
exit

security passwords min-length 5
security passwords numeric-count 1
security passwords upper-case 1
security passwords history 0
security passwords default-expired
ip firewall sessions tcp-estabilished-timeout 3600
ip firewall sessions tcp-connect-timeout 120

nat source
  ruleset SNAT
    to zone WAN
    rule 10
      description "SNAT for ALL users NOV2"
      match source-address OBJ_NET_NAT_USERS
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-relay

ip route 0.0.0.0/0 89.17.51.193
ip route 10.14.104.0/21 blackhole 254

ip ssh server
ip ssh authentication algorithm md5 disable
ip ssh authentication algorithm md5-96 disable
ip ssh authentication algorithm ripemd160 disable
ip ssh authentication algorithm sha1 disable
ip ssh authentication algorithm sha1-96 disable
ip ssh encryption algorithm aes128 disable
ip ssh encryption algorithm aes128ctr disable
ip ssh encryption algorithm aes192 disable
ip ssh encryption algorithm aes192ctr disable
ip ssh encryption algorithm arcfour disable
ip ssh encryption algorithm arcfour128 disable
ip ssh encryption algorithm arcfour256 disable
ip ssh encryption algorithm blowfish disable
ip ssh encryption algorithm cast128 disable
ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
ip ssh key-exchange algorithm dh-group1-sha1 disable
ip ssh key-exchange algorithm dh-group14-sha1 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable

lldp enable

clock timezone gmt +4

ntp enable
ntp server 91.240.179.254
  prefer
  minpoll 4
exit
ntp server 10.1.8.1
  minpoll 4
exit
ntp server 10.4.0.1
  minpoll 4
exit

zabbix-agent
  active-server 192.168.8.99
  hostname MSK-MLK-NOV2-RT-1-1
  remote-commands
  server 192.168.8.99
  source-address 10.111.56.1
  timeout 30
  enable
exit