Building configuration...

Current configuration : 21926 bytes
!
! Last configuration change at 16:48:42 SAMT Thu May 19 2022 by konovalov
! NVRAM config last updated at 16:50:52 SAMT Thu May 19 2022 by konovalov
!
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
!
hostname GLZ-MLK-GMK-SW-1-1
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 51200
enable secret 5 $1$9Y1b$uAlx93K0.mqJJFhP3eVRk/
!
username netadmin privilege 15 secret 5 $1$XFzk$xFM/cm1yZoZJ7xoOsgFUh0
aaa new-model
!
!
aaa group server radius NPS
 server name IZH-RDS002
 server name P11-RDS003
 ip radius source-interface Vlan300
 load-balance method least-outstanding
!
aaa authentication login default group NPS local enable
aaa authentication login CONSOLE local group NPS
aaa authorization exec default group NPS local if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone SAMT 4 0
switch 1 provision ws-c3750x-24s
switch 2 provision ws-c3750x-24s
system mtu routing 1500
!
!
!
!
ip routing
no ip cef optimize neighbor resolution
!
!
!
no ip domain-lookup
ip domain-name milkom-komos.ru
ip host tftp 10.4.0.214
!
stack-power stack Power-Stack-1
 mode redundant
!
vtp mode transparent
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1457810816
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1457810816
 revocation-check none
 rsakeypair TP-self-signed-1457810816
!
!
crypto pki certificate chain TP-self-signed-1457810816
license boot level ipservices
license boot level ipservices switch 2
archive
 log config
  logging enable
  logging size 900
  notify syslog contenttype plaintext
  hidekeys
 path tftp://tftp/GL/3750/$H-$T
 write-memory
 time-period 10080
!
!
!
!
mac access-list extended VSL-BPDU
 permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
 permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
 permit any any 0x888E 0x1
mac access-list extended VSL-GARP
 permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
 permit any host 0180.c200.000e
mac access-list extended VSL-MGMT
 permit any 0022.bdcd.d200 0000.0000.00ff
 permit 0022.bdcd.d200 0000.0000.00ff any
mac access-list extended VSL-SSTP
 permit any host 0100.0ccc.cccd
!
spanning-tree mode pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
!
!
!
!
vlan internal allocation policy ascending
!
vlan 2
 name --UserNet_2.0/24--
!
vlan 8
 name --USERS--
!
vlan 101
 name --PRINTERS--
!
vlan 103
 name -=KPP_Vesi&Cam=-
!
vlan 111
 name -=INTERCONNECT=-
!
vlan 150
 name --Wi-Fi_Users--
!
vlan 151
 name --Wi-Fi_PROD--
!
vlan 200
 name --SERVERS_MGMT--
!
vlan 250
 name --SERVERS_0.0/24--
!
vlan 251
 name --SERVERS_BACKUP--
!
vlan 290
 name -=SrvVmwVMon=-
!
vlan 300
 name --MANAGEMENT--
!
vlan 301
 name --Wi-Fi_MANAGMENT--
!
vlan 350
 name --VOICE--
!
vlan 500
 name --Wi-Fi_GUEST--
!
vlan 555
 name --BGP_TRANSIT--
!
vlan 600
 name --PRODACTION--
!
vlan 601
 name --PROLITE--
!
!
class-map match-any VSL-DATA-PACKETS
 match access-group name VSL-MGMT
class-map match-any VSL-L2-CONTROL-PACKETS
 match access-group name VSL-DOT1x
 match access-group name VSL-BPDU
 match access-group name VSL-CDP
 match access-group name VSL-LLDP
 match access-group name VSL-SSTP
 match access-group name VSL-GARP
class-map match-any VSL-L3-CONTROL-PACKETS
 match access-group name VSL-IPV4-ROUTING
 match access-group name VSL-BFD
 match access-group name VSL-DHCP-CLIENT-TO-SERVER
 match access-group name VSL-DHCP-SERVER-TO-CLIENT
 match access-group name VSL-DHCP-SERVER-TO-SERVER
 match access-group name VSL-IPV6-ROUTING
class-map match-any VSL-MULTIMEDIA-TRAFFIC
 match ip dscp af41
 match ip dscp af42
 match ip dscp af43
 match ip dscp af31
 match ip dscp af32
 match ip dscp af33
 match ip dscp af21
 match ip dscp af22
 match ip dscp af23
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
 match ip dscp ef
 match ip dscp cs4
 match ip dscp cs5
class-map match-any VSL-SIGNALING-NETWORK-MGMT
 match ip dscp cs2
 match ip dscp cs3
 match ip dscp cs6
 match ip dscp cs7
!
policy-map VSL-Queuing-Policy
 class VSL-L2-CONTROL-PACKETS
 class VSL-L3-CONTROL-PACKETS
 class VSL-VOICE-VIDEO-TRAFFIC
 class VSL-SIGNALING-NETWORK-MGMT
 class VSL-MULTIMEDIA-TRAFFIC
 class VSL-DATA-PACKETS
 class class-default
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description [KU] SW-7-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel2
 description [KU] SW-11-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel3
 description [KU] SW-3-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel4
 description [KU] SW-4-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel8
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel9
 description [KU] SW-9-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel10
 description [KU] SW-8-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel11
 description [KU] SW-5-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel13
 description [KU] SW-6-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel14
 description [KU] SW-10-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel15
 description [KU] SW-11-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel16
 description [KU] SW-11-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel17
 description [KU] SW-2-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel18
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel20
 description [KU] SW-12-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel21
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel22
 description [KU] SW-1-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel23
 description [CORE] SW-1-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description [KU] Po1 SW-7-1 BAD LINK SH
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description [KU] Po2 SW-11-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/3
 description [KU] Po3 SW-3-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/4
 description [KU] Po4 SW-4-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 4 mode active
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 5 mode on
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 6 mode on
!
interface GigabitEthernet1/0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 7 mode on
!
interface GigabitEthernet1/0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 8 mode on
!
interface GigabitEthernet1/0/9
 description [KU] Po9 SW-9-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 9 mode on
!
interface GigabitEthernet1/0/10
 description [KU] Po10 SW-8-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode on
!
interface GigabitEthernet1/0/11
 description [KU] Po11 SW-5-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 11 mode on
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode on
!
interface GigabitEthernet1/0/13
 description [KU] Po13 SW-6-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 13 mode active
!
interface GigabitEthernet1/0/14
 description [KU] Po14 SW-10-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 14 mode on
!
interface GigabitEthernet1/0/15
 description [KU] Po15 SW-11-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 15 mode on
!
interface GigabitEthernet1/0/16
 description [KU] Po16 SW-11-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 16 mode on
!
interface GigabitEthernet1/0/17
 description [KU] Po17 SW-2-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 17 mode on
!
interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 18 mode on
!
interface GigabitEthernet1/0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 19 mode on
!
interface GigabitEthernet1/0/20
 description [KU] Po20 SW-12-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 20 mode active
!
interface GigabitEthernet1/0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 21 mode on
!
interface GigabitEthernet1/0/22
 description [KU] Po22 SW-1-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 22 mode active
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 23 mode on
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 23 mode on
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/1
 description [KU] Po1 SW-7-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet2/0/2
 description [KU] Po2 SW-11-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet2/0/3
 description [KU] Po3 SW-3-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet2/0/4
 description [KU] Po4 SW-4-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 4 mode active
!
interface GigabitEthernet2/0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 5 mode on
!
interface GigabitEthernet2/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 6 mode on
!
interface GigabitEthernet2/0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 7 mode on
!
interface GigabitEthernet2/0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 8 mode on
!
interface GigabitEthernet2/0/9
 description [KU] Po9 SW-9-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 9 mode on
!
interface GigabitEthernet2/0/10
 description [KU] Po10 SW-8-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode on
!
interface GigabitEthernet2/0/11
 description [KU] Po11 SW-5-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 11 mode on
!
interface GigabitEthernet2/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode on
!
interface GigabitEthernet2/0/13
 description [KU] Po13 SW-6-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 13 mode active
!
interface GigabitEthernet2/0/14
 description [KU] Po14 SW-10-1 BAD LINK SH
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 14 mode on
!
interface GigabitEthernet2/0/15
 description [KU] Po15 SW-11-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 15 mode on
!
interface GigabitEthernet2/0/16
 description [KU] Po16 SW-11-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 16 mode on
!
interface GigabitEthernet2/0/17
 description [KU] Po17 SW-2-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 17 mode on
!
interface GigabitEthernet2/0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 18 mode on
!
interface GigabitEthernet2/0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 19 mode on
!
interface GigabitEthernet2/0/20
 description [KU] Po20 SW-12-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 20 mode active
!
interface GigabitEthernet2/0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 21 mode on
!
interface GigabitEthernet2/0/22
 description [KU] Po22 SW-1-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 22 mode active
!
interface GigabitEthernet2/0/23
 description [CORE] Po23 SW-1-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 23 mode on
!
interface GigabitEthernet2/0/24
 description [CORE] Po23 SW-1-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 23 mode on
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
 description --CAMERA--
 ip address 192.168.34.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map PBR_CAMERA
 hold-queue 2048 in
 hold-queue 2048 out
!
interface Vlan2
 description --USERS--
 ip address 10.5.2.254 255.255.255.0
 ip helper-address 10.5.0.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan8
 description --USERS--
 ip address 10.5.1.254 255.255.255.0
 ip helper-address 10.5.0.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan101
 description --PRINTERS--
 ip address 10.5.17.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan103
 description --KPP Vesi&Cam--
 ip address 10.5.18.62 255.255.255.192
!
interface Vlan111
 description -=INTERCONNECT=-
 ip address 172.16.3.4 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan150
 description --Wi-Fi_Users--
 ip address 10.5.27.126 255.255.255.128
 ip helper-address 10.5.0.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan151
 description --Wi-Fi_PROD--
 ip address 10.5.29.126 255.255.255.128
 ip helper-address 10.5.0.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan200
 description --SERVERS_MGMT--
 ip address 10.5.26.62 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan250
 description --SERVERS_0.0/24--
 ip address 10.5.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan251
 description --SERVERS_BACKUP--
 ip address 10.5.26.94 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan290
 description -=SrvVmwVMon=-
 ip address 10.5.26.126 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan300
 description --MANAGEMENT--
 ip address 10.5.30.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan301
 description --Wi-Fi_MANAGMENT--
 ip address 10.5.29.254 255.255.255.128
 ip helper-address 10.5.0.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan350
 description --VOICE--
 ip address 10.5.28.254 255.255.255.0
 ip helper-address 10.5.0.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan500
 description --Wi-Fi_GUEST--
 ip address 10.5.27.254 255.255.255.128
 ip access-group No_Local_For_GuestWiFI in
 ip helper-address 10.5.0.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan555
 description --BGP_TRANSIT--
 ip address 172.30.30.86 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan600
 description --PRODACTION--
 ip address 10.5.25.62 255.255.255.192
 ip access-group ACL_PRODACTION in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan601
 description --PROLITE--
 ip address 192.168.32.254 255.255.255.0
 ip access-group ACL_PROLITE in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
router bgp 64514
 bgp router-id 172.30.30.86
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 network 10.5.0.0 mask 255.255.255.0
 network 10.5.29.0 mask 255.255.255.128
 network 10.5.29.128 mask 255.255.255.128
 network 10.5.30.0 mask 255.255.255.0
 network 192.168.34.0
 aggregate-address 10.5.0.0 255.255.224.0
 neighbor 172.30.30.84 remote-as 64514
 neighbor 172.30.30.84 next-hop-self all
 neighbor 172.30.30.84 soft-reconfiguration inbound
 neighbor 172.30.30.84 weight 600
 neighbor 172.30.30.85 remote-as 64514
 neighbor 172.30.30.85 next-hop-self all
 neighbor 172.30.30.85 soft-reconfiguration inbound
 neighbor 172.30.30.85 weight 500
 distance bgp 150 150 150
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip tftp source-interface Vlan300
ip route 0.0.0.0 0.0.0.0 172.16.3.3 50
ip route 0.0.0.0 0.0.0.0 10.14.254.253 100
ip ssh version 2
!
ip access-list extended ACL_PRODACTION
 permit icmp any any
 permit udp any host 10.5.0.1 eq domain
 permit udp any host 10.5.0.2 eq domain
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 permit ip any any
ip access-list extended ACL_PROLITE
 permit icmp any any
 permit tcp host 10.5.0.23 host 192.168.32.222 eq 3389
ip access-list extended LOCAL_TRAFFIC
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
ip access-list extended No_Local_For_GuestWiFI
 permit tcp any host 192.168.8.200 eq domain
 permit udp any host 192.168.8.200 eq domain
 permit tcp any host 192.168.8.201 eq domain
 permit udp any host 192.168.8.201 eq domain
 permit tcp any host 192.168.31.208 eq domain
 permit udp any host 192.168.31.208 eq domain
 permit tcp any host 192.168.31.219 eq domain
 permit udp any host 192.168.31.219 eq domain
 permit tcp any host 10.4.7.6 eq 443
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended VSL-BFD
 permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
 permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
 permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
 permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
 permit ip any 224.0.0.0 0.0.0.255
!
logging origin-id hostname
logging source-interface Vlan300
logging host 192.168.8.119 transport udp port 5544
logging host 10.4.244.4 transport udp port 515
access-list 101 deny ip any 10.5.0.0 0.0.31.255
access-list 101 permit ip 192.168.34.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.34.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.34.0 0.0.0.255 172.17.0.0 0.0.255.255
!
route-map PBR_CAMERA permit 10
 match ip address 101
 set ip next-hop 172.30.30.84
!
route-map GLOBAL-ROUTING permit 10
 match ip address LOCAL_TRAFFIC
 set ip next-hop 172.16.4.3 172.16.3.2
!
!
snmp-server community lmTUEsk6Yvlv RO 5
!
!
radius server IZH-RDS002
 address ipv4 10.4.0.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
radius server P11-RDS003
 address ipv4 10.1.122.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
!
ipv6 access-list VSL-IPV6-ROUTING
 permit ipv6 any FF02::/124
!
no vstack
banner login ^C
*****************************************************************************
*                                                                           *
* UNAUTHORIZED ACCESS IS PROHIBITED                                         *
*                                                                           *
* You have accessed network equipment.                                      *
* You must have authorized permission to access or configure this device.   *
* All activities performed on this device are logged and monitored.         *
*                                                                           *
*****************************************************************************
^C
alias exec ipconfig show ip interface brief | exclude unassigned
!
line con 0
 logging synchronous
 login authentication CONSOLE
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 logging synchronous
 login authentication NPS
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 logging synchronous
 login authentication NPS
 transport input ssh
!
ntp source Vlan300
ntp server 192.168.8.200
ntp server 192.168.8.201
mac address-table notification change
mac address-table notification mac-move
mac address-table aging-time 1800
!
end