955 lines
23 KiB
Plaintext
955 lines
23 KiB
Plaintext
|
Building configuration...
|
||
|
|
|
||
|
|
Current configuration : 23519 bytes
|
||
|
|
!
|
||
|
|
! Last configuration change at 13:37:38 SAMT Wed Jul 13 2022 by konovalov
|
||
|
|
! NVRAM config last updated at 16:51:41 SAMT Thu Jul 21 2022 by konovalov
|
||
|
|
!
|
||
|
|
version 15.0
|
||
|
|
no service pad
|
||
|
|
service timestamps debug datetime msec localtime show-timezone year
|
||
|
|
service timestamps log datetime msec localtime show-timezone year
|
||
|
|
no service password-encryption
|
||
|
|
!
|
||
|
|
hostname SAR-MLK-SRM-SW-1-1
|
||
|
|
!
|
||
|
|
boot-start-marker
|
||
|
|
boot-end-marker
|
||
|
|
!
|
||
|
|
!
|
||
|
|
logging userinfo
|
||
|
|
enable secret 5 $1$xyPV$PLyKmlVuENwtlpdSxJmTm.
|
||
|
|
!
|
||
|
|
username netadmin privilege 15 secret 5 $1$zXig$Hp4ZObS11EcAsDwAd0XTt/
|
||
|
|
aaa new-model
|
||
|
|
!
|
||
|
|
!
|
||
|
|
aaa group server radius NPS
|
||
|
|
server name IZH-RDS002
|
||
|
|
server name P11-RDS003
|
||
|
|
ip radius source-interface Vlan300
|
||
|
|
load-balance method least-outstanding
|
||
|
|
!
|
||
|
|
aaa authentication login default group NPS local enable
|
||
|
|
aaa authentication login CONSOLE local group NPS
|
||
|
|
aaa authorization exec default group NPS local if-authenticated
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
aaa session-id common
|
||
|
|
clock timezone SAMT 4 0
|
||
|
|
switch 1 provision ws-c3750x-24s
|
||
|
|
switch 2 provision ws-c3750x-24s
|
||
|
|
system mtu routing 1500
|
||
|
|
ip routing
|
||
|
|
no ip cef optimize neighbor resolution
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
no ip domain-lookup
|
||
|
|
ip domain-name milkom-komos.ru
|
||
|
|
ip host tftp 10.4.0.214
|
||
|
|
login on-failure
|
||
|
|
login on-success
|
||
|
|
!
|
||
|
|
stack-power stack Power-Stack-1
|
||
|
|
mode redundant
|
||
|
|
!
|
||
|
|
stack-power switch 1
|
||
|
|
stack-power switch 2
|
||
|
|
!
|
||
|
|
vtp mode transparent
|
||
|
|
!
|
||
|
|
!
|
||
|
|
crypto pki trustpoint TP-self-signed-1335665536
|
||
|
|
enrollment selfsigned
|
||
|
|
subject-name cn=IOS-Self-Signed-Certificate-1335665536
|
||
|
|
revocation-check none
|
||
|
|
rsakeypair TP-self-signed-1335665536
|
||
|
|
!
|
||
|
|
!
|
||
|
|
crypto pki certificate chain TP-self-signed-1335665536
|
||
|
|
certificate self-signed 01
|
||
|
|
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
|
||
|
|
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
|
||
|
|
69666963 6174652D 31333335 36363535 3336301E 170D3036 30313032 30303032
|
||
|
|
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
|
||
|
|
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33333536
|
||
|
|
36353533 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
|
||
|
|
8100BCBB C5A07A23 84ECED52 55A03879 E9E78A55 5559E8D2 9D7BE840 3B3538FD
|
||
|
|
B5DC09BE B9425757 EAAAAF0B E9461073 9770C887 6EB6CF4B 563C8770 072703B6
|
||
|
|
7920A42B 6B393BCE 8892839A 96EC522B 43BC6CD7 5D44486C C34290B6 1ED961AC
|
||
|
|
303CDCF7 96299465 FBACFA46 7C9AE6D3 B0F191AF DC040CD6 1F884309 FA343C73
|
||
|
|
D3BD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
|
||
|
|
551D2304 18301680 14526623 7A7B3A92 45989181 17C943CA C0BF61B0 05301D06
|
||
|
|
03551D0E 04160414 5266237A 7B3A9245 98918117 C943CAC0 BF61B005 300D0609
|
||
|
|
2A864886 F70D0101 05050003 8181008E B472BCEE CB1900C7 0EE8CF86 FFAC9527
|
||
|
|
07B63D63 03CEC290 97E97A95 EF5EFE32 06949C60 8E3CDCD7 7E795147 2341AFC4
|
||
|
|
3CE89F0E 46624EA0 103377B1 6960B16A 7554C168 73D604D3 F50D3B07 7F466E0D
|
||
|
|
06A65575 9CA9A189 E4BD6BDB EFFD3677 7D7C633F 975552BA 3F562747 B19C6676
|
||
|
|
5B7AC818 D0299815 181BC429 DAE58C
|
||
|
|
quit
|
||
|
|
license boot level ipservices
|
||
|
|
license boot level ipservices switch 1
|
||
|
|
archive
|
||
|
|
log config
|
||
|
|
logging enable
|
||
|
|
logging size 900
|
||
|
|
notify syslog contenttype plaintext
|
||
|
|
hidekeys
|
||
|
|
path tftp://tftp/SAR/MLK/SRM-SW_L3/$H-$T
|
||
|
|
write-memory
|
||
|
|
time-period 10080
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
mac access-list extended VSL-BPDU
|
||
|
|
permit any 0180.c200.0000 0000.0000.0003
|
||
|
|
mac access-list extended VSL-CDP
|
||
|
|
permit any host 0100.0ccc.cccc
|
||
|
|
mac access-list extended VSL-DOT1x
|
||
|
|
permit any any 0x888E 0x1
|
||
|
|
mac access-list extended VSL-GARP
|
||
|
|
permit any host 0180.c200.0020
|
||
|
|
mac access-list extended VSL-LLDP
|
||
|
|
permit any host 0180.c200.000e
|
||
|
|
mac access-list extended VSL-MGMT
|
||
|
|
permit any 0022.bdcd.d200 0000.0000.00ff
|
||
|
|
permit 0022.bdcd.d200 0000.0000.00ff any
|
||
|
|
mac access-list extended VSL-SSTP
|
||
|
|
permit any host 0100.0ccc.cccd
|
||
|
|
spanning-tree mode pvst
|
||
|
|
spanning-tree extend system-id
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
vlan internal allocation policy ascending
|
||
|
|
!
|
||
|
|
vlan 8
|
||
|
|
name --USERS--
|
||
|
|
!
|
||
|
|
vlan 101
|
||
|
|
name --PRINTERS--
|
||
|
|
!
|
||
|
|
vlan 111
|
||
|
|
name INTERCONNECT
|
||
|
|
!
|
||
|
|
vlan 113
|
||
|
|
name --TO-GATE-MIKROTIC--
|
||
|
|
!
|
||
|
|
vlan 150
|
||
|
|
name --Wi-Fi_Users--
|
||
|
|
!
|
||
|
|
vlan 151
|
||
|
|
name --Wi-Fi_PROD--
|
||
|
|
!
|
||
|
|
vlan 200
|
||
|
|
name --SERVERS_MGMT--
|
||
|
|
!
|
||
|
|
vlan 250
|
||
|
|
name --SERVERS_128.0/24--
|
||
|
|
!
|
||
|
|
vlan 251
|
||
|
|
name --SERVERS_BACKUP--
|
||
|
|
!
|
||
|
|
vlan 290
|
||
|
|
name -=SrvVmwVMon=-
|
||
|
|
!
|
||
|
|
vlan 300
|
||
|
|
name --MANAGEMENT--
|
||
|
|
!
|
||
|
|
vlan 301
|
||
|
|
name --Wi-Fi_MANAGMENT--
|
||
|
|
!
|
||
|
|
vlan 310
|
||
|
|
name --UPS_managment--
|
||
|
|
!
|
||
|
|
vlan 350
|
||
|
|
name --VOICE--
|
||
|
|
!
|
||
|
|
vlan 500
|
||
|
|
name --Wi-Fi_GUEST--
|
||
|
|
!
|
||
|
|
vlan 555
|
||
|
|
name --BGP_TRANSIT--
|
||
|
|
!
|
||
|
|
vlan 603
|
||
|
|
name --CRPT-Mark--
|
||
|
|
!
|
||
|
|
ip tftp source-interface Vlan300
|
||
|
|
!
|
||
|
|
track 99 ip sla 99 reachability
|
||
|
|
delay down 10 up 5
|
||
|
|
!
|
||
|
|
class-map match-any VSL-DATA-PACKETS
|
||
|
|
match access-group name VSL-MGMT
|
||
|
|
class-map match-any VSL-L2-CONTROL-PACKETS
|
||
|
|
match access-group name VSL-DOT1x
|
||
|
|
match access-group name VSL-BPDU
|
||
|
|
match access-group name VSL-CDP
|
||
|
|
match access-group name VSL-LLDP
|
||
|
|
match access-group name VSL-SSTP
|
||
|
|
match access-group name VSL-GARP
|
||
|
|
class-map match-any VSL-L3-CONTROL-PACKETS
|
||
|
|
match access-group name VSL-IPV4-ROUTING
|
||
|
|
match access-group name VSL-BFD
|
||
|
|
match access-group name VSL-DHCP-CLIENT-TO-SERVER
|
||
|
|
match access-group name VSL-DHCP-SERVER-TO-CLIENT
|
||
|
|
match access-group name VSL-DHCP-SERVER-TO-SERVER
|
||
|
|
match access-group name VSL-IPV6-ROUTING
|
||
|
|
class-map match-any VSL-MULTIMEDIA-TRAFFIC
|
||
|
|
match ip dscp af41
|
||
|
|
match ip dscp af42
|
||
|
|
match ip dscp af43
|
||
|
|
match ip dscp af31
|
||
|
|
match ip dscp af32
|
||
|
|
match ip dscp af33
|
||
|
|
match ip dscp af21
|
||
|
|
match ip dscp af22
|
||
|
|
match ip dscp af23
|
||
|
|
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
|
||
|
|
match ip dscp ef
|
||
|
|
match ip dscp cs4
|
||
|
|
match ip dscp cs5
|
||
|
|
class-map match-any VSL-SIGNALING-NETWORK-MGMT
|
||
|
|
match ip dscp cs2
|
||
|
|
match ip dscp cs3
|
||
|
|
match ip dscp cs6
|
||
|
|
match ip dscp cs7
|
||
|
|
!
|
||
|
|
policy-map VSL-Queuing-Policy
|
||
|
|
class VSL-L2-CONTROL-PACKETS
|
||
|
|
class VSL-L3-CONTROL-PACKETS
|
||
|
|
class VSL-VOICE-VIDEO-TRAFFIC
|
||
|
|
class VSL-SIGNALING-NETWORK-MGMT
|
||
|
|
class VSL-MULTIMEDIA-TRAFFIC
|
||
|
|
class VSL-DATA-PACKETS
|
||
|
|
class class-default
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
crypto isakmp policy 20
|
||
|
|
encr 3des
|
||
|
|
authentication pre-share
|
||
|
|
group 2
|
||
|
|
lifetime 500
|
||
|
|
crypto isakmp key fjhJSHpUcnqbpGfI address 0.0.0.0 no-xauth
|
||
|
|
crypto isakmp keepalive 20
|
||
|
|
!
|
||
|
|
!
|
||
|
|
crypto ipsec transform-set tr-3des esp-3des
|
||
|
|
crypto ipsec transform-set ipsec-transform esp-3des esp-md5-hmac
|
||
|
|
mode transport require
|
||
|
|
crypto ipsec transform-set ipsec-transform-aes esp-aes esp-md5-hmac
|
||
|
|
mode transport require
|
||
|
|
crypto ipsec df-bit clear
|
||
|
|
!
|
||
|
|
!
|
||
|
|
crypto ipsec profile gre-gre-3des
|
||
|
|
set transform-set ipsec-transform
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
!
|
||
|
|
interface Port-channel1
|
||
|
|
description [KU] SW-2-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel2
|
||
|
|
description [KU] SW-3-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel3
|
||
|
|
description [KU] SW-8a-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
shutdown
|
||
|
|
!
|
||
|
|
interface Port-channel4
|
||
|
|
description [KU] SW-7-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel5
|
||
|
|
description [KU] SW-9-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel6
|
||
|
|
description [KU] SW-13-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel7
|
||
|
|
description [KU] SW-10-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel8
|
||
|
|
description [KU] SW-6-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel9
|
||
|
|
description [KU] SW-11-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel10
|
||
|
|
description [KU] SW-5-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel11
|
||
|
|
description [KU] SW-12-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel12
|
||
|
|
description [KU] SW-4-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel13
|
||
|
|
description [KU] SW-8A-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel14
|
||
|
|
description [KU] SW-7-2
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel15
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel16
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel17
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel18
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel19
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel20
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel21
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel22
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Port-channel23
|
||
|
|
description [CORE] SW-1-2
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface Tunnel99
|
||
|
|
description STR-KY-01-SW1
|
||
|
|
bandwidth 20000
|
||
|
|
ip address 10.70.70.157 255.255.255.252
|
||
|
|
ip mtu 1426
|
||
|
|
keepalive 5 5
|
||
|
|
tunnel source 10.10.30.9
|
||
|
|
tunnel destination 10.10.30.10
|
||
|
|
tunnel protection ipsec profile gre-gre-3des
|
||
|
|
!
|
||
|
|
interface FastEthernet0
|
||
|
|
no ip address
|
||
|
|
no ip route-cache
|
||
|
|
shutdown
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/1
|
||
|
|
description [KU] Po1 SW-2-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 1 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/2
|
||
|
|
description [KU] Po2 SW-3-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 2 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/3
|
||
|
|
description [KU] Po3 SW-8a-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
shutdown
|
||
|
|
channel-group 3 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/4
|
||
|
|
description [KU] Po4 SW-7-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 4 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/5
|
||
|
|
description [KU] Po5 SW-9-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 5 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/6
|
||
|
|
description [KU] Po6 SW-13-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 6 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/7
|
||
|
|
description [KU] Po7 SW-10-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 7 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/8
|
||
|
|
description [KU] Po8 SW-6-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 8 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/9
|
||
|
|
description [KU] Po9 SW-11-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 9 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/10
|
||
|
|
description [KU] Po10 SW-5-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 10 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/11
|
||
|
|
description [KU] Po11 SW-12-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 11 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/12
|
||
|
|
description [KU] Po12 SW-4-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 12 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/13
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 13 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/14
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 14 mode active
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/15
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 15 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/16
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 16 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/17
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 17 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/18
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 18 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/19
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 19 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/20
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 20 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/21
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 21 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/22
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 22 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/23
|
||
|
|
description [CORE] Po23 SW-1-2
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 23 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/0/24
|
||
|
|
description [CORE] Po23 SW-1-2
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 23 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/1/1
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/1/2
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/1/3
|
||
|
|
!
|
||
|
|
interface GigabitEthernet1/1/4
|
||
|
|
!
|
||
|
|
interface TenGigabitEthernet1/1/1
|
||
|
|
!
|
||
|
|
interface TenGigabitEthernet1/1/2
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/1
|
||
|
|
description [KU] Po1 SW-2-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 1 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/2
|
||
|
|
description [KU] Po2 SW-3-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 2 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/3
|
||
|
|
description [KU] Po3 SW-8a-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
shutdown
|
||
|
|
channel-group 3 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/4
|
||
|
|
description [KU] Po4 SW-7-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 4 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/5
|
||
|
|
description [KU] Po5 SW-9-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 5 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/6
|
||
|
|
description [KU] Po6 SW-13-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 6 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/7
|
||
|
|
description [KU] SW-14-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/8
|
||
|
|
description [KU] Po8 SW-6-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 8 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/9
|
||
|
|
description [KU] Po9 SW-11-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 9 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/10
|
||
|
|
description [KU] Po10 SW-5-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 10 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/11
|
||
|
|
description [KU] Po11 SW-12-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 11 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/12
|
||
|
|
description [KU] Po12 SW-4-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 12 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/13
|
||
|
|
description [KU] Po13 SW-8A-1
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 13 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/14
|
||
|
|
description [KU] Po14 SW-7-2
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 14 mode active
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/15
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 15 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/16
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 16 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/17
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 17 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/18
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 18 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/19
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 19 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/20
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 20 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/21
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 21 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/22
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 22 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/23
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 23 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/0/24
|
||
|
|
description [CORE] Po23 SW-1-2
|
||
|
|
switchport trunk encapsulation dot1q
|
||
|
|
switchport mode trunk
|
||
|
|
channel-group 23 mode on
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/1/1
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/1/2
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/1/3
|
||
|
|
!
|
||
|
|
interface GigabitEthernet2/1/4
|
||
|
|
!
|
||
|
|
interface TenGigabitEthernet2/1/1
|
||
|
|
!
|
||
|
|
interface TenGigabitEthernet2/1/2
|
||
|
|
!
|
||
|
|
interface Vlan1
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 192.168.11.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.12.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.11.201 255.255.255.0 secondary
|
||
|
|
ip address 192.168.13.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.14.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.15.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.16.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.17.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.19.254 255.255.255.128 secondary
|
||
|
|
ip address 192.168.19.126 255.255.255.128 secondary
|
||
|
|
ip address 192.168.10.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.12.201 255.255.255.0 secondary
|
||
|
|
ip address 10.10.30.9 255.255.255.252 secondary
|
||
|
|
ip address 10.5.151.254 255.255.255.0 secondary
|
||
|
|
ip address 192.168.10.201 255.255.255.0
|
||
|
|
ip helper-address 192.168.11.159
|
||
|
|
no ip redirects
|
||
|
|
!
|
||
|
|
interface Vlan8
|
||
|
|
description --USERS--
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 10.5.129.254 255.255.255.0
|
||
|
|
ip helper-address 192.168.11.159
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan101
|
||
|
|
description --PRINTERS--
|
||
|
|
ip address 10.5.154.254 255.255.255.0
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan111
|
||
|
|
description INTERCONNECT
|
||
|
|
ip address 172.16.4.4 255.255.255.248 secondary
|
||
|
|
ip address 172.16.3.4 255.255.255.248
|
||
|
|
!
|
||
|
|
interface Vlan113
|
||
|
|
ip address 10.10.252.253 255.255.255.252
|
||
|
|
!
|
||
|
|
interface Vlan150
|
||
|
|
description --Wi-Fi_Users--
|
||
|
|
ip address 10.5.155.126 255.255.255.128
|
||
|
|
ip helper-address 192.168.11.159
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan151
|
||
|
|
description --Wi-Fi_Prod--
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 10.5.155.254 255.255.255.128
|
||
|
|
ip helper-address 192.168.11.159
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan200
|
||
|
|
description --SERVERS_MGMT--
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 10.5.153.62 255.255.255.192
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan250
|
||
|
|
description --SERVERS_128.0/24--
|
||
|
|
ip address 10.5.128.254 255.255.255.0
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan251
|
||
|
|
description --SERVERS_BACKUP--
|
||
|
|
ip address 10.5.153.94 255.255.255.224
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan290
|
||
|
|
description -=SrvVmwVMon=-
|
||
|
|
ip address 10.5.153.126 255.255.255.224
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan300
|
||
|
|
description --MANAGEMENT--
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 10.5.158.254 255.255.255.0
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan301
|
||
|
|
description --Wi-Fi_MANAGMENT--
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 10.5.157.126 255.255.255.128
|
||
|
|
ip helper-address 192.168.11.159
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan310
|
||
|
|
description --UPS managment--
|
||
|
|
ip address 10.5.159.254 255.255.255.0
|
||
|
|
!
|
||
|
|
interface Vlan350
|
||
|
|
description --VOICE--
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 10.5.156.254 255.255.255.0
|
||
|
|
ip helper-address 192.168.11.159
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan500
|
||
|
|
description --Wi-Fi_Guest--
|
||
|
|
ip dhcp relay information trusted
|
||
|
|
ip address 10.5.157.254 255.255.255.128
|
||
|
|
ip helper-address 192.168.11.159
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan555
|
||
|
|
description --BGP_TRANSIT--
|
||
|
|
ip address 172.30.30.70 255.255.255.248
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
interface Vlan603
|
||
|
|
description --CRPT-Mark--
|
||
|
|
ip address 10.5.152.126 255.255.255.192
|
||
|
|
no ip redirects
|
||
|
|
no ip unreachables
|
||
|
|
no ip proxy-arp
|
||
|
|
!
|
||
|
|
router bgp 64518
|
||
|
|
bgp router-id 172.30.30.70
|
||
|
|
bgp log-neighbor-changes
|
||
|
|
bgp graceful-restart restart-time 120
|
||
|
|
bgp graceful-restart stalepath-time 360
|
||
|
|
bgp graceful-restart
|
||
|
|
network 10.5.156.0 mask 255.255.255.0
|
||
|
|
network 192.168.10.0
|
||
|
|
network 192.168.11.0
|
||
|
|
network 192.168.12.0
|
||
|
|
network 192.168.13.0
|
||
|
|
network 192.168.14.0
|
||
|
|
network 192.168.15.0
|
||
|
|
network 192.168.16.0
|
||
|
|
network 192.168.19.0 mask 255.255.255.128
|
||
|
|
aggregate-address 10.5.128.0 255.255.224.0
|
||
|
|
redistribute connected route-map RM_BGP_REDISTR_CON
|
||
|
|
neighbor 172.30.30.68 remote-as 64518
|
||
|
|
neighbor 172.30.30.68 soft-reconfiguration inbound
|
||
|
|
neighbor 172.30.30.69 remote-as 64518
|
||
|
|
neighbor 172.30.30.69 soft-reconfiguration inbound
|
||
|
|
distance bgp 150 150 150
|
||
|
|
!
|
||
|
|
ip default-gateway 10.10.252.254
|
||
|
|
!
|
||
|
|
ip http server
|
||
|
|
no ip http secure-server
|
||
|
|
!
|
||
|
|
ip route 192.168.18.0 255.255.255.0 10.70.70.158 track 99
|
||
|
|
ip route 0.0.0.0 0.0.0.0 172.16.3.3
|
||
|
|
ip route 0.0.0.0 0.0.0.0 172.16.4.3 50
|
||
|
|
!
|
||
|
|
ip access-list extended LOCAL_TRAFFIC
|
||
|
|
permit ip any 192.168.0.0 0.0.255.255
|
||
|
|
permit ip any 10.0.0.0 0.255.255.255
|
||
|
|
permit ip any 172.16.0.0 0.15.255.255
|
||
|
|
ip access-list extended No_Local_For_GuestWiFI
|
||
|
|
remark Deny Guest VLAN200 access to other VLANs
|
||
|
|
permit tcp any host 192.168.11.152 eq domain
|
||
|
|
permit udp any host 192.168.11.155 eq domain
|
||
|
|
permit tcp any host 192.168.8.77 eq 443
|
||
|
|
deny ip any 192.168.0.0 0.0.255.255
|
||
|
|
deny ip any 172.16.0.0 0.15.255.255
|
||
|
|
deny ip any 10.0.0.0 0.255.255.255
|
||
|
|
permit ip any any
|
||
|
|
remark Deny Guest VLAN200 and 500 access to other VLANs
|
||
|
|
permit tcp any host 192.168.8.200 eq domain
|
||
|
|
permit udp any host 192.168.8.200 eq domain
|
||
|
|
permit tcp any host 192.168.8.201 eq domain
|
||
|
|
permit udp any host 192.168.8.201 eq domain
|
||
|
|
permit udp any host 192.168.11.152 eq domain
|
||
|
|
permit tcp any host 192.168.11.155 eq domain
|
||
|
|
permit tcp any host 10.4.7.6 eq 443
|
||
|
|
ip access-list extended VSL-BFD
|
||
|
|
permit udp any any eq 3784
|
||
|
|
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
|
||
|
|
permit udp any eq bootpc any eq bootps
|
||
|
|
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
|
||
|
|
permit udp any eq bootps any eq bootpc
|
||
|
|
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
|
||
|
|
permit udp any eq bootps any eq bootps
|
||
|
|
ip access-list extended VSL-IPV4-ROUTING
|
||
|
|
permit ip any 224.0.0.0 0.0.0.255
|
||
|
|
!
|
||
|
|
!
|
||
|
|
ip prefix-list PFL_BGP_REDISTR_CON seq 10 permit 10.0.0.0/8 le 24
|
||
|
|
ip sla 99
|
||
|
|
icmp-echo 10.70.70.157 source-interface Tunnel99
|
||
|
|
threshold 50
|
||
|
|
timeout 2000
|
||
|
|
frequency 3
|
||
|
|
ip sla schedule 99 life forever start-time now
|
||
|
|
logging origin-id hostname
|
||
|
|
logging source-interface Vlan300
|
||
|
|
logging host 192.168.8.119 transport udp port 5544
|
||
|
|
logging host 10.4.244.4 transport udp port 515
|
||
|
|
access-list 101 deny ip any 192.168.0.0 0.0.255.255
|
||
|
|
access-list 101 deny ip any 10.0.0.0 0.255.255.255
|
||
|
|
access-list 101 deny ip any 172.17.0.0 0.0.255.255
|
||
|
|
access-list 101 permit ip host 192.168.11.249 any
|
||
|
|
!
|
||
|
|
route-map RM_BGP_REDISTR_CON permit 10
|
||
|
|
match ip address prefix-list PFL_BGP_REDISTR_CON
|
||
|
|
!
|
||
|
|
route-map GLOBAL-ROUTING permit 10
|
||
|
|
match ip address LOCAL_TRAFFIC 101
|
||
|
|
set ip next-hop 172.16.3.3
|
||
|
|
!
|
||
|
|
!
|
||
|
|
snmp-server community lmTUEsk6Yvlv RO 5
|
||
|
|
!
|
||
|
|
!
|
||
|
|
radius server IZH-RDS002
|
||
|
|
address ipv4 10.4.0.248 auth-port 1645 acct-port 1646
|
||
|
|
timeout 3
|
||
|
|
retransmit 2
|
||
|
|
key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
|
||
|
|
!
|
||
|
|
radius server P11-RDS003
|
||
|
|
address ipv4 10.1.122.248 auth-port 1645 acct-port 1646
|
||
|
|
timeout 3
|
||
|
|
retransmit 2
|
||
|
|
key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
|
||
|
|
!
|
||
|
|
!
|
||
|
|
ipv6 access-list VSL-IPV6-ROUTING
|
||
|
|
permit ipv6 any FF02::/124
|
||
|
|
!
|
||
|
|
!
|
||
|
|
line con 0
|
||
|
|
logging synchronous
|
||
|
|
login authentication CONSOLE
|
||
|
|
stopbits 1
|
||
|
|
line vty 0 4
|
||
|
|
exec-timeout 0 0
|
||
|
|
logging synchronous
|
||
|
|
login authentication NPS
|
||
|
|
transport input ssh
|
||
|
|
line vty 5 15
|
||
|
|
exec-timeout 120 0
|
||
|
|
logging synchronous
|
||
|
|
login authentication NPS
|
||
|
|
transport input ssh
|
||
|
|
!
|
||
|
|
ntp source Vlan300
|
||
|
|
ntp server 192.168.8.200
|
||
|
|
ntp server 192.168.8.201
|
||
|
|
end
|