Building configuration...


  
Current configuration : 12403 bytes
!
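! IOS release line written by the device.
version 15.7
! Debug output is stamped with millisecond resolution; log messages use local time,
! so correlating them with other sources depends on the clock/timezone settings.
service timestamps debug datetime msec
service timestamps log datetime localtime
! Enabled so that type 0 passwords are no longer displayed verbatim in the
! configuration. Type 7 is reversible obfuscation, not encryption, and it does not
! cover every secret (SNMP communities stay readable). Prefer type 6
! (`password encryption aes` together with a `key config-key password-encrypt`
! master key) for pre-shared and RADIUS keys, and rotate any secret that has been
! stored or shared in cleartext.
service password-encryption
! Turns the DHCP server/relay service off globally.
! NOTE(review): DHCP pools are still defined in this configuration; presumably the
! HSRP peer serves them - confirm.
no service dhcp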
!
! Device name.
hostname IZH-VRS-AKS-RT-1-2
!
boot-start-marker
! Pins the boot image (c2900 universalk9, 15.7(3)M4b per the file name).
! NOTE(review): check this release against current vendor security advisories.
boot system flash:c2900-universalk9-mz.SPA.157-3.M4b.bin
boot-end-marker
!
!
! Only critical and more severe messages are printed on the console.
! NOTE(review): no `logging host` is visible in this configuration, so the login
! and crypto session events enabled further down appear to stay on the device -
! confirm, and send them to a remote syslog collector.
logging console critical
!
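! Enables the AAA framework; the method lists that follow decide how logins are checked.
aaa new-model
!
!
! RADIUS server group referenced by the login and exec-authorization method lists.
aaa group server radius NPS
 server name IZH-RDS002
 ! Previously `server name P11-RDS003`, a name with no matching `radius server`
 ! definition in this configuration. The second server is defined as IZH-RDS003,
 ! so the group now references it and RADIUS failover has a usable second member.
 ! Confirm which name is intended and keep both stanzas in step.
 server name IZH-RDS003
 ! RADIUS requests are sourced from the management sub-interface.
 ip radius source-interface GigabitEthernet0/2.300
 ! Requests go to the server with the fewest outstanding transactions.
 load-balance method least-outstanding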
!
! Default login list, used by every line without its own list (the VTY lines in this
! configuration name none): local user database first, then RADIUS group NPS, then
! the enable password.
! NOTE(review): local accounts are tried before the central directory, so they remain
! valid even when RADIUS is reachable; `group NPS local` is the usual order when
! local users are meant as a fallback only. No `enable secret` is visible in this
! configuration - confirm what the final `enable` method resolves to.
aaa authentication login default local group NPS enable
! Local-only list. NOTE(review): not applied to any line in the visible configuration.
aaa authentication login LOCAL_AUTH local
! Console list: local accounts first, then RADIUS.
aaa authentication login CONSOLE local group NPS
! Exec authorization: local, then RADIUS; `if-authenticated` grants the exec session
! to any user who has already authenticated.
aaa authorization exec default local group NPS if-authenticated 
!
!
!
!
!
!
! NOTE(review): no `aaa accounting` statements appear in this configuration, so
! there is no central record of exec sessions or commands - confirm.
aaa session-id common
! Percentage of DRAM reserved for I/O memory.
memory-size iomem 25
! Local time zone named IZH, 4 hours 0 minutes ahead of UTC; log timestamps use it.
! NOTE(review): no NTP source is configured in the visible configuration, so the
! accuracy of log timestamps depends on the local clock - confirm.
clock timezone IZH 4 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
! VRF that holds Loopback777 (description AUX).
ip vrf AUX
!
! Addresses kept out of the Users pool: .1-.30 and .252-.254. This router's own
! address (.253) and the HSRP virtual address (.254) of Gi0/2.2 sit in the second range.
ip dhcp excluded-address 10.8.80.1 10.8.80.30
ip dhcp excluded-address 10.8.80.252 10.8.80.254
!
! NOTE(review): `no service dhcp` is set globally in this configuration, which turns
! the DHCP service off; these pools are presumably served by the HSRP peer - confirm.
! Users VLAN pool; the default router is the HSRP virtual address of Gi0/2.2.
ip dhcp pool DHCP-AKS-USERS
 network 10.8.80.0 255.255.255.0
 domain-name varaksino.local
 dns-server 192.168.72.59 10.8.17.100 
 default-router 10.8.80.254 
!
! Voice VLAN pool; the default router is the HSRP virtual address of Gi0/2.350.
ip dhcp pool DHCP-AKS-VOICE
 network 10.8.82.0 255.255.255.128
 default-router 10.8.82.126 
 domain-name varaksino.local
 dns-server 192.168.72.59 10.8.17.100 
!
!
!
! Default DNS domain of the router.
ip domain name komos.ru
! Static name-to-address mapping for the name `tftp`.
ip host tftp 10.4.0.214
ip cef
! Login throttling: after 3 failed logins within 20 seconds, further login attempts
! are refused for 60 seconds.
! NOTE(review): no `login quiet-mode access-class` is configured, so during the quiet
! period administrators are refused as well; exempt the management hosts with an ACL.
login block-for 60 attempts 3 within 20
! Failed and successful logins both produce a log message.
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
! Hardware identity: product ID and chassis serial number. The serial identifies this
! specific unit, so mask it before sharing the configuration outside the team.
license udi pid CISCO2911/K9 sn FGL171511YT
! Technology packages enabled at boot: security, unified communications, data.
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
! Network object-groups of public addresses.
! NOTE(review): NET_KOMOSGROUP and NET_MLK are not referenced by any ACL or
! `group-object` in the visible configuration - confirm they are still needed.
object-group network NET_KOMOSGROUP 
 host 88.80.33.50
 91.240.179.0 255.255.255.0
 host 62.141.96.126
 host 94.25.46.122
 host 88.80.33.10
 host 5.227.124.143
 host 84.201.247.190
!
object-group network NET_MLK 
 description :: MILKOM_DATACENTER
 host 85.140.32.177
 host 78.85.14.98
 host 213.87.95.1
 host 85.140.32.27
 host 78.85.13.42
!
! NET_PS_PF is a member of OBJ_BRANCHES, which ACL_FIREWALL allows to send any IP
! protocol to the STATIC_ISP_IP addresses; every host listed here is therefore
! trusted at the WAN edge. Review the list periodically and remove stale entries.
object-group network NET_PS_PF 
 host 5.227.121.127
 host 46.232.164.108
 host 78.85.13.117
 host 78.85.13.118
 host 78.85.13.119
 host 78.85.14.98
 ! NOTE(review): 78.85.33.50 closely resembles 88.80.33.50, which appears in other
 ! groups - verify that this address is intended.
 host 78.85.33.50
 host 85.140.32.141
 host 85.140.32.177
 host 85.140.32.178
 host 88.80.33.14
 host 95.215.208.234
 host 178.47.130.10
 host 178.205.241.114
! Branch and hub address groups. The first, second and fourth groups below are
! aggregated into OBJ_BRANCHES, which ACL_FIREWALL trusts for any IP protocol
! towards the STATIC_ISP_IP addresses.
object-group network OBJ_IZH_KG_P11 
 91.240.179.0 255.255.255.0
 host 5.227.124.143
 host 78.85.13.93
 host 62.141.96.126
 host 84.201.247.190
 host 88.80.33.50
 host 94.25.46.122
 ! Already covered by the 91.240.179.0/24 entry at the top of this group.
 range 91.240.179.1 91.240.179.254
 host 213.87.95.1
 ! NOTE(review): 78.85.33.50 sits next to 88.80.33.50 in this same group - verify
 ! that both are intended and that this is not a transposed entry.
 host 78.85.33.50
!
object-group network OBJ_IZH_MLK_IZM 
 host 85.140.32.27
 host 78.85.13.42
 host 5.227.126.169
 host 31.173.105.54
 host 217.14.195.253
 host 5.227.124.143
 host 85.175.86.74
!
object-group network OBJ_SPB_KG_SPB 
 host 62.141.114.190
 host 94.72.27.43
!
! Aggregate used as the source in the first ACL_FIREWALL rule.
object-group network OBJ_BRANCHES 
 group-object OBJ_IZH_KG_P11
 group-object OBJ_IZH_MLK_IZM
 group-object NET_PS_PF
 group-object OBJ_SPB_KG_SPB
!
! NOTE(review): not a member of OBJ_BRANCHES and not referenced by any ACL in the
! visible configuration - confirm whether that is intended.
object-group network OBJ_EKB_KG_EKB 
 host 176.215.14.11
!
! Destination addresses used by ACL_FIREWALL.
! NOTE(review): presumably the WAN addresses the ISP assigns to this site (Dialer1
! uses `ip address negotiated`) - confirm they match what is actually negotiated,
! otherwise the inbound permits do not match.
object-group network STATIC_ISP_IP 
 host 5.227.124.50
 host 87.249.233.80
!
! Four local accounts, all at privilege level 15. The login method lists in this
! configuration try `local` first, so these accounts work whether or not RADIUS is up.
! `secret 5` is the MD5-based hash type. NOTE(review): re-enter the secrets with
! `algorithm-type scrypt` (type 9) if this release supports it, keep only the
! break-glass account(s) that are really needed, and treat these hashes as exposed
! wherever this file has been shared.
username akhmetzyanovrr privilege 15 secret 5 $1$4ajK$8IhQ.F/zgk6iATjBybsWg/
username menshikov privilege 15 secret 5 $1$jKjV$FRCadPiBRpyUc8/VTp5ks.
username menshikov_vp privilege 15 secret 5 $1$0h9S$JsVS.aqoTho3f6U24P7oP0
username netadmin privilege 15 secret 5 $1$m/mQ$KqBYDbB13GiR.2/Iu3sru/
!
redundancy
!
!
!
!
!
! Track 100 is up while at least one of tracks 102 and 103 is up. It gates the
! default route and decrements the HSRP priorities on the LAN sub-interfaces.
track 100 list boolean or
 object 102
 object 103
!
! Tracks 101-103 follow the reachability of IP SLA probes 101-103; state changes
! are damped by 10 s (down) and 5 s (up).
! NOTE(review): failover therefore depends on ICMP replies from external hosts
! outside this organisation's control; loss of those replies alone changes
! routing and HSRP state.
track 101 ip sla 101 reachability
 delay down 10 up 5
!
track 102 ip sla 102 reachability
 delay down 10 up 5
!
track 103 ip sla 103 reachability
 delay down 10 up 5
!
! 
! Logs IPsec session up/down events.
crypto logging session
!
! IKEv1 (ISAKMP) policy: AES with no key length given, pre-shared-key
! authentication, Diffie-Hellman group 2 (1024-bit MODP).
! NOTE(review): group 2 is below current guidance; move to group 14 or higher and
! set an explicit SHA-2 `hash` (none is shown, so the platform default applies).
! Any change has to be coordinated with the hub routers.
crypto isakmp policy 150
 encr aes
 authentication pre-share
 group 2
! One pre-shared key for every peer address (0.0.0.0), stored in cleartext.
! Any device holding this key is accepted as an IKE peer, so its secrecy is the
! only peer authentication. NOTE(review): rotate the key, store it as type 6, and
! consider certificate-based authentication for the DMVPN cloud.
crypto isakmp key mlk20kom19 address 0.0.0.0         no-xauth
! Dead-peer detection every 30 s; NAT keepalives every 10 s.
crypto isakmp keepalive 30
crypto isakmp nat keepalive 10
!
!
! ESP with AES and HMAC-SHA-1 in transport mode (the payload is GRE).
crypto ipsec transform-set CRYPTO_TS_DMVPN esp-aes esp-sha-hmac 
 mode transport
!
! Profile attached to both DMVPN tunnel interfaces.
! NOTE(review): no `set pfs` is configured, so IPsec rekeys do not perform a fresh
! Diffie-Hellman exchange - confirm whether that is intended.
crypto ipsec profile CRYPTO_IPSEC_DMVPN
 description --SPOKE_TO_SITE_DMVPN_IPSEC_GRE--
 set transform-set CRYPTO_TS_DMVPN 
!
!
!
!
!
!
!
! Loopback inside VRF AUX; it is the target address of the `AUX` exec alias
! defined near the end of this configuration.
interface Loopback777
 description AUX
 ip vrf forwarding AUX
 ip address 10.255.255.255 255.255.255.255
!
! DMVPN spoke tunnel, cloud 1: multipoint GRE sourced from Dialer1, protected by the
! shared IPsec profile, with two next-hop servers (hubs) mapped to public addresses.
interface Tunnel1001
 description --DMVPN_SPOKE_72_CLOUD_1--
 bandwidth 100000
 ip address 172.30.1.75 255.255.255.0
 ! Redirects, unreachables and proxy ARP are disabled on the tunnel.
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ! NHRP authentication string, stored in cleartext. It is a membership check for
 ! the NHRP domain, not encryption; confidentiality comes from the IPsec profile.
 ip nhrp authentication M_K.Cl01
 ip nhrp map 172.30.1.1 85.140.32.27
 ip nhrp map 172.30.1.2 78.85.13.42
 ip nhrp map multicast 85.140.32.27
 ip nhrp map multicast 78.85.13.42
 ip nhrp network-id 1001
 ip nhrp holdtime 300
 ip nhrp nhs 172.30.1.1
 ip nhrp nhs 172.30.1.2
 ! MSS clamp sized to fit the 1400-byte tunnel IP MTU.
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1001
 ! `shared` lets both tunnels use the same profile with the same source interface.
 tunnel protection ipsec profile CRYPTO_IPSEC_DMVPN shared
!
! DMVPN spoke tunnel, cloud 2: same layout as Tunnel1001 with its own subnet, hubs,
! NHRP network-id, NHRP string and tunnel key.
interface Tunnel1002
 description --DMVPN_SPOKE_72_CLOUD_2--
 bandwidth 100000
 ip address 172.30.2.75 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ! Cleartext NHRP string, as on Tunnel1001.
 ip nhrp authentication M_K.Cl02
 ip nhrp map 172.30.2.1 5.227.124.143
 ip nhrp map 172.30.2.2 78.85.13.93
 ip nhrp map multicast 5.227.124.143
 ip nhrp map multicast 78.85.13.93
 ip nhrp network-id 1002
 ip nhrp holdtime 300
 ip nhrp nhs 172.30.2.1
 ip nhrp nhs 172.30.2.2
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1002
 tunnel protection ipsec profile CRYPTO_IPSEC_DMVPN shared
!
! Unused service-engine interface, administratively down.
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! WAN port towards the ISP; carries the PPPoE session bound to dialer pool 1.
interface GigabitEthernet0/0
 description [ISP-100M] Lainer
 no ip address
 duplex auto
 speed auto
 ! CDP and LLDP transmission are off, so the router does not advertise itself to the ISP side.
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no lldp transmit
!
! Unused port, administratively down.
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! LAN trunk; addressing lives on the dot1Q sub-interfaces.
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
! LAN sub-interfaces, one per VLAN. Each (except the BGP transit) runs HSRP version 2
! with preemption and lowers its priority by 30 when track 100 goes down.
! NOTE(review): none of the standby groups has `standby <group> authentication`, and
! no `ip access-group` is applied to any of these sub-interfaces, so traffic between
! the user, management, SKUD, voice and video VLANs is routed here unfiltered -
! confirm that segmentation is enforced elsewhere.
interface GigabitEthernet0/2.2
 description --Users--
 encapsulation dot1Q 2
 ip dhcp relay information trusted
 ip address 10.8.80.253 255.255.255.0
 ! The only LAN sub-interface marked as NAT inside.
 ip nat inside
 ip virtual-reassembly in
 standby version 2
 standby 2 ip 10.8.80.254
 standby 2 priority 90
 standby 2 preempt
 standby 2 track 100 decrement 30
!
! Management VLAN; also the source interface for RADIUS and TFTP traffic.
interface GigabitEthernet0/2.300
 description --MANAGMENT--
 encapsulation dot1Q 300
 ip address 10.8.81.253 255.255.255.0
 standby version 2
 standby 300 ip 10.8.81.254
 standby 300 priority 90
 standby 300 preempt
 standby 300 track 100 decrement 30
!
interface GigabitEthernet0/2.307
 description --SKUD--
 encapsulation dot1Q 307
 ip address 10.8.82.253 255.255.255.128
 standby version 2
 standby 307 ip 10.8.82.254
 standby 307 priority 90
 standby 307 preempt
 standby 307 track 100 decrement 30
!
interface GigabitEthernet0/2.350
 description --VOICE--
 encapsulation dot1Q 350
 ip dhcp relay information trusted
 ip address 10.8.82.125 255.255.255.128
 standby version 2
 standby 350 ip 10.8.82.126
 standby 350 priority 90
 standby 350 preempt
 standby 350 track 100 decrement 30
!
! The only group configured with priority 110 instead of 90.
interface GigabitEthernet0/2.400
 description --VIDEO--
 encapsulation dot1Q 400
 ip address 10.8.83.125 255.255.255.128
 standby version 2
 standby 400 ip 10.8.83.126
 standby 400 priority 110
 standby 400 preempt
 standby 400 track 100 decrement 30
!
! Point-to-point transit subnet; carries the iBGP session to 172.30.31.33.
interface GigabitEthernet0/2.555
 description --BGP_TRANSIT--
 encapsulation dot1Q 555
 ip address 172.30.31.34 255.255.255.248
!
! PPPoE dialer towards the ISP: the Internet-facing interface, NAT outside, and the
! source of both DMVPN tunnels.
interface Dialer1
 mtu 1492
 ip address negotiated
 ! Inbound filter plus outbound reflexive ACL; together they form the WAN firewall.
 ip access-group ACL_FIREWALL in
 ip access-group ACL_LAN_TO_WAN out
 ! NOTE(review): unlike the tunnel interfaces, this interface has no
 ! `no ip redirects`, `no ip unreachables` or `no ip proxy-arp` - consider adding them.
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ! Accepts CHAP, then PAP. NOTE(review): PAP sends the password unprotected on the
 ! PPP link; if the ISP supports CHAP, drop `pap` here and the `ppp pap` line below.
 ppp authentication chap pap callin
 ppp chap hostname pppoe05061
 ! Type 0 (cleartext) ISP credentials. Treat them as exposed wherever this file has
 ! been shared and have the ISP reissue them.
 ppp chap password 0 DgkYby
 ppp pap sent-username pppoe05061 password 0 DgkYby
!
!
! BGP for AS 64553: eBGP to the hub peer groups over the two DMVPN tunnel subnets
! (172.30.1.0/24 and 172.30.2.0/24) and one iBGP session on the transit sub-interface.
! Outbound advertisements to every peer group are limited by route-map RM_TO_HUB.
! NOTE(review): no `neighbor ... password`, inbound route-map/prefix-list or
! `maximum-prefix` is configured for any peer, so whatever the peers announce is
! accepted. Add inbound filtering and prefix limits; the eBGP sessions rely on the
! IPsec-protected tunnels for integrity.
router bgp 64553
 bgp log-neighbor-changes
 bgp graceful-restart
 network 10.8.80.0 mask 255.255.252.0
 neighbor PG_BGP_OCOD peer-group
 neighbor PG_BGP_OCOD remote-as 64512
 neighbor PG_BGP_OCOD soft-reconfiguration inbound
 neighbor PG_BGP_OCOD route-map RM_TO_HUB out
 neighbor PG_BGP_RCOD peer-group
 neighbor PG_BGP_RCOD remote-as 64513
 neighbor PG_BGP_RCOD soft-reconfiguration inbound
 neighbor PG_BGP_RCOD route-map RM_TO_HUB out
 neighbor PG_BGP_PFCOD peer-group
 neighbor PG_BGP_PFCOD remote-as 64523
 neighbor PG_BGP_PFCOD soft-reconfiguration inbound
 neighbor PG_BGP_PFCOD route-map RM_TO_HUB out
 neighbor PG_BGP_VRS_PFV peer-group
 neighbor PG_BGP_VRS_PFV remote-as 64525
 neighbor PG_BGP_VRS_PFV soft-reconfiguration inbound
 neighbor PG_BGP_VRS_PFV route-map RM_TO_HUB out
 neighbor 172.30.1.1 peer-group PG_BGP_OCOD
 neighbor 172.30.1.2 peer-group PG_BGP_OCOD
 neighbor 172.30.1.23 peer-group PG_BGP_PFCOD
 neighbor 172.30.1.24 peer-group PG_BGP_PFCOD
 neighbor 172.30.1.27 peer-group PG_BGP_VRS_PFV
 neighbor 172.30.1.28 peer-group PG_BGP_VRS_PFV
 neighbor 172.30.2.1 peer-group PG_BGP_RCOD
 neighbor 172.30.2.2 peer-group PG_BGP_RCOD
 neighbor 172.30.2.23 peer-group PG_BGP_PFCOD
 neighbor 172.30.2.24 peer-group PG_BGP_PFCOD
 neighbor 172.30.2.27 peer-group PG_BGP_VRS_PFV
 neighbor 172.30.2.28 peer-group PG_BGP_VRS_PFV
 ! iBGP peer in the same AS on the BGP transit sub-interface.
 neighbor 172.30.31.33 remote-as 64553
 neighbor 172.30.31.33 next-hop-self
!
ip forward-protocol nd
!
! Both the HTTP and HTTPS management servers are disabled.
no ip http server
no ip http secure-server
!
! TFTP transfers are sourced from the management sub-interface.
! NOTE(review): TFTP is unauthenticated and unencrypted; prefer SCP for image and
! configuration transfers.
ip tftp source-interface GigabitEthernet0/2.300
! NAT timers, shortened for several protocols and ports.
ip nat translation timeout 450
ip nat translation tcp-timeout 300
ip nat translation pptp-timeout 1800
ip nat translation udp-timeout 45
ip nat translation dns-timeout 5
ip nat translation port-timeout tcp 110 60
ip nat translation port-timeout tcp 25 60
ip nat translation port-timeout tcp 80 15
ip nat translation port-timeout udp 5060 180
! Caps every inside host at 400 translations, which keeps a single host from
! filling the NAT table.
ip nat translation max-entries all-host 400
! PAT on the Dialer1 address for traffic matched by route-map RM_NAT_ISP1.
ip nat inside source route-map RM_NAT_ISP1 interface Dialer1 overload
! Default route through Dialer1 (distance 100), installed only while track 100 is up.
ip route 0.0.0.0 0.0.0.0 Dialer1 100 name Lainer track 100
! Host routes to the two public probe targets through Dialer1, tied to track 101.
ip route 1.1.1.1 255.255.255.255 Dialer1 101 name over_Lainer track 101
ip route 8.8.8.8 255.255.255.255 Dialer1 101 name over_Lainer track 101
! SSH events are logged and only protocol version 2 is accepted.
! NOTE(review): no `ip ssh time-out` or `ip ssh authentication-retries` is shown, so
! the defaults apply.
ip ssh logging events
ip ssh version 2
!
! Matches the Loopback777 address.
! NOTE(review): not referenced anywhere in the visible configuration.
ip access-list standard AUX
 permit 10.255.255.255
! Inside addresses eligible for NAT (Users VLAN only); used by route-map RM_NAT_ISP1.
ip access-list standard NAT_POOL
 permit 10.8.80.0 0.0.0.255
!
! Inbound filter on Dialer1. Anything not matched below hits the implicit deny.
ip access-list extended ACL_FIREWALL
 ! Every IP protocol from the branch/hub address groups to the WAN addresses. This
 ! covers the tunnel traffic but also SSH and SNMP to the router itself.
 ! NOTE(review): narrow this to the protocols the tunnels need (IKE, NAT-T, ESP, GRE)
 ! unless management from those addresses is intended.
 permit ip object-group OBJ_BRANCHES object-group STATIC_ISP_IP
 ! Matches on UDP source port 123 from any address to any destination port, so it
 ! is not tied to a particular time server. NOTE(review): no `ntp server` is visible
 ! in this configuration; restrict the rule to the actual servers and
 ! destination `eq ntp`, or remove it.
 permit udp any eq ntp object-group STATIC_ISP_IP
 ! ICMP types needed for path-MTU discovery, traceroute and the IP SLA replies.
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 ! Echo requests are accepted from any source. NOTE(review): consider limiting the
 ! sources or rate-limiting them.
 permit icmp any any echo
 ! Return traffic for sessions recorded by ACL_LAN_TO_WAN.
 evaluate reflectedtraffic 
! Outbound on Dialer1: everything is allowed and recorded as a reflexive entry that
! expires after 300 seconds of inactivity.
ip access-list extended ACL_LAN_TO_WAN
 permit ip any any reflect reflectedtraffic timeout 300
!
!
! The only prefix allowed out by route-map RM_TO_HUB: the site's /22.
ip prefix-list PL_TO_HUB seq 5 permit 10.8.80.0/22
! IP SLA probes: ICMP echo sourced from Dialer1 every 10 s with a 3000 ms timeout
! and a 2000 ms threshold. Probe 101 targets 87.249.224.62; probes 102 and 103
! target public resolvers and feed track 100.
ip sla 101
 icmp-echo 87.249.224.62 source-interface Dialer1
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 101 life forever start-time now
ip sla 102
 icmp-echo 8.8.8.8 source-interface Dialer1
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 102 life forever start-time now
ip sla 103
 icmp-echo 1.1.1.1 source-interface Dialer1
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 103 life forever start-time now
ipv6 ioam timestamp
!
! NAT selector: traffic from NAT_POOL that leaves through Dialer1.
route-map RM_NAT_ISP1 permit 10
 match ip address NAT_POOL
 match interface Dialer1
!
! Outbound BGP policy: only prefixes in PL_TO_HUB are advertised; everything else
! falls to the route-map's implicit deny.
route-map RM_TO_HUB permit 10
 match ip address prefix-list PL_TO_HUB
!
!
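! Single read-only SNMP community. The default, guessable `public` community is not
! defined, so pollers must use the string below.
! SNMPv1/v2c communities are stored and sent in cleartext and no source ACL is
! attached here. NOTE(review): bind the community to a standard ACL listing only
! the monitoring stations (`snmp-server community <COMMUNITY> RO <MGMT_ACL>`,
! placeholder names) or move to SNMPv3 with authentication and privacy, and rotate
! this string wherever the configuration has been shared.
snmp-server community lmTUEsk6Yvlv RO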
!
! RADIUS servers for AAA. Both use the legacy 1645/1646 ports, a 3 s timeout with
! 2 retransmits, and the same shared secret stored in cleartext.
! NOTE(review): confirm that `aaa group server radius NPS` references each server by
! exactly the name defined here, otherwise that server is never used. Give each
! server its own secret, store it as type 6, and rotate it wherever this file has
! been shared.
radius server IZH-RDS002
 address ipv4 10.4.0.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
radius server IZH-RDS003
 address ipv4 10.1.122.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
!
!
! Empty control-plane stanza: no `service-policy` is attached, so there is no
! control-plane policing. Traffic to the router's CPU is limited only by the
! interface ACLs.
control-plane
!
 !
 !
 !
 !
!
! MGCP behaviour settings and an empty default profile.
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
! H.323 gatekeeper is disabled.
gatekeeper
 shutdown
!
! Exec shortcut `AUX`: opens a telnet session to 10.255.255.255 (Loopback777) on port
! 2001 inside VRF AUX. NOTE(review): presumably a reverse-telnet path through the
! auxiliary port to a neighbouring console - confirm; the session itself is
! unencrypted telnet, local to this router.
alias exec AUX telnet 10.255.255.255 2001 /vrf AUX
! Exec shortcut `q` for `exit`.
alias exec q exit
!
! Console: authenticated through the CONSOLE method list (local, then RADIUS).
! NOTE(review): no `exec-timeout` is shown on any line, so the defaults apply.
line con 0
 logging synchronous
 login authentication CONSOLE
! Auxiliary port with no settings shown. NOTE(review): if it is not needed for the
! `AUX` alias, disable it explicitly with `no exec` and `transport input none`.
line aux 0
! Line 2: no exec sessions; outbound sessions allowed over the listed protocols.
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! Remote access: SSH only on all 16 VTYs, authenticated by the default AAA list.
! NOTE(review): no `access-class` is applied, so any source that can reach the router
! on TCP/22 gets a login prompt (ACL_FIREWALL admits the branch address groups for
! all IP). Add `access-class <MGMT_ACL> in` (placeholder name) listing only the
! management hosts.
line vty 0 4
 logging synchronous
 transport input ssh
line vty 5 15
 logging synchronous
 transport input ssh
!
! Scheduler allocation values, in microseconds, for interrupt-level and
! process-level work respectively.
scheduler allocate 20000 1000
!
! End of the configuration.
end