Building configuration...
Current configuration : 27502 bytes
!
! Last configuration change at 00:40:35 YEKT Tue May 31 2022 by adm_kapustinal
! NVRAM config last updated at 01:30:02 YEKT Thu Jul 28 2022
!
! NOTE(review): captured "show running-config" of an ISR4221 (IOS-XE 16.8) DMVPN spoke.
! "service password-encryption" is not configured anywhere in this capture, so the ISAKMP
! pre-shared keys, the RADIUS keys and the SNMP community further down are stored -- and
! backed up over TFTP by the "archive" section -- in cleartext. Treat them as exposed.
version 16.8
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname EKB-KG-EKB-RT-1-1
!
boot-start-marker
boot-end-marker
!
!
! Two WAN VRFs. ispA is defined with its keyring/profiles but no interface in this capture is placed
! in it (ISP-1 on Gi0/0/0 runs in the global table). ispB imports the site prefix from the global table
! via RM_IMPORT; no "export ipv4 unicast map" is attached, so nothing is leaked back from ispB.
vrf definition ispA
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition ispB
 rd 200:1
 !
 address-family ipv4
  import ipv4 unicast map RM_IMPORT
  route-target export 200:1
  route-target import 200:1
 exit-address-family
!
logging buffered 128000
! NOTE(review): type-5 (salted MD5) enable secret. IOS-XE 16.x supports type 8 (PBKDF2-SHA256) and
! type 9 (scrypt) via "enable algorithm-type {sha256|scrypt} secret ..." -- consider migrating.
enable secret 5 $1$Y4ic$8w2gfNBS5UIavk3t7BSXP/
!
aaa new-model
!
!
! RADIUS (NPS) servers are defined in the "radius server" blocks at the end of the config and are
! queried from the MGMT SVI. Default login: RADIUS, then local, then enable password; console tries
! local first. No "aaa accounting" line exists in this capture, so exec/command accounting is not sent
! to RADIUS and the only login audit trail is the "login on-failure/on-success log" syslog below.
aaa group server radius NPS
 server name IZH-RDS002
 server name P11-RDS003
 ip radius source-interface Vlan300
 load-balance method least-outstanding
!
aaa authentication login default group NPS local enable
aaa authentication login CONSOLE local group NPS
aaa authorization exec default group NPS local if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone YEKT 5 0
!
! "tftp" resolves to 10.4.0.214 and is the target of the archive path "tftp://tftp/..." below;
! TFTP is unauthenticated and unencrypted, so the weekly config backups carry the cleartext keys.
ip host tftp 10.4.0.214
! The router's own lookups go to public resolvers; LAN clients are pointed at the router (dns views).
ip name-server 8.8.8.8 8.8.4.4
ip domain name komos.local
! .200-.255 of each user VLAN is kept out of the DHCP pools (static/infrastructure range).
ip dhcp excluded-address 10.14.52.200 10.14.52.255
ip dhcp excluded-address 10.14.53.200 10.14.53.255
ip dhcp excluded-address 10.14.54.200 10.14.54.255
ip dhcp excluded-address 10.14.55.200 10.14.55.255
!
! One pool per SVI; the SVI address is both gateway and DNS server. Lease is 2 days.
ip dhcp pool DHCP-EKT-LAN-USERS
 network 10.14.52.0 255.255.255.0
 domain-name komos.local
 default-router 10.14.52.254
 dns-server 10.14.52.254
 lease 2
!
! Option 43 bytes 01 04 0a 01 0c 1d = sub-option 1, length 4, value 10.1.12.29 -- presumably a
! wireless-controller address handed to the APs on the MGMT VLAN; verify against the WLAN setup.
ip dhcp pool DHCP-EKT-MGMT
 network 10.14.53.0 255.255.255.0
 domain-name komos.local
 default-router 10.14.53.254
 dns-server 10.14.53.254
 option 43 hex 0104.0a01.0c1d
 lease 2
!
ip dhcp pool DHCP-EKT-WiFi-USERS
 network 10.14.54.0 255.255.255.0
 domain-name komos.local
 default-router 10.14.54.254
 dns-server 10.14.54.254
 lease 2
!
ip dhcp pool DHCP-EKT-WiFi-GUEST
 network 10.14.55.0 255.255.255.0
 domain-name komos.local
 default-router 10.14.55.254
 dns-server 10.14.55.254
 lease 2
!
!
!
! Both failed and successful logins are syslogged; these are the only login audit events here
! (no aaa accounting), so keep them and make sure the log host below receives them.
login on-failure log
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
! NetFlow v5 export over plain UDP from the MGMT SVI. FLOW_EXPORTER_NTOP (10.4.0.215) is defined but
! neither flow monitor below references it -- only FLOW_EXPORTER_CISCO (10.4.0.217) receives records.
flow exporter FLOW_EXPORTER_NTOP
 destination 10.4.0.215
 source Vlan300
 transport udp 9995
 export-protocol netflow-v5
!
!
flow exporter FLOW_EXPORTER_CISCO
 destination 10.4.0.217
 source Vlan300
 transport udp 9995
 export-protocol netflow-v5
!
!
! Input/output monitors applied on the WAN and tunnel interfaces; 60 s active / 10 s inactive timeouts.
flow monitor FLOW_MONITOR_INPUT
 description input
 exporter FLOW_EXPORTER_CISCO
 cache timeout inactive 10
 cache timeout active 60
 record netflow ipv4 original-input
!
!
flow monitor FLOW_MONITOR_OUTPUT
 description output
 exporter FLOW_EXPORTER_CISCO
 cache timeout inactive 10
 cache timeout active 60
 record netflow ipv4 original-output
!
!
!
!
!
!
license udi pid ISR4221/K9 sn FGL2339304Z
license boot level securityk9
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
! Config change logging to syslog plus a backup to TFTP every 10080 min (7 days) and on every
! "write memory". "hidekeys" only masks passwords in the change-log entries, not in the backed-up
! file itself, which is the full running-config including the cleartext keys.
archive
 log config
  logging enable
  logging size 900
  notify syslog contenttype plaintext
  hidekeys
 path tftp://tftp/EKB/KG/EKB-RT/$H.$T.conf
 write-memory
 time-period 10080
!
!
!
!
!
! NET_* groups: NET_DMVPN_NBRS (= NET_KOMOSGROUP + NET_IZH_MLK) and NET_MLK are not referenced by any
! ACL in this capture; the firewall ACLs use OBJ_BRANCHES and STATIC_ISP_IP instead. Candidates for
! cleanup so that the live peer list has a single source of truth.
object-group network NET_KOMOSGROUP
 description --KOMOS--
 host 88.80.33.50
 91.240.179.0 255.255.255.0
 host 5.227.124.143
 host 62.141.96.126
 host 84.201.247.190
 host 88.80.33.10
 host 94.25.46.122
!
object-group network NET_IZH_MLK
 description --IZHMOLOKO--
 host 78.85.13.42
 host 85.140.32.27
 host 31.173.105.54
 host 217.14.195.253
 host 84.201.247.157
!
object-group network NET_DMVPN_NBRS
 group-object NET_KOMOSGROUP
 group-object NET_IZH_MLK
!
object-group network NET_MLK
 description :: MILKOM_DATACENTER
 host 85.140.32.177
 host 78.85.14.98
!
! OBJ_<site>_<org>_<code>: public WAN addresses of each DMVPN branch; all are aggregated into
! OBJ_BRANCHES (further down) and permitted as sources toward this router's own WAN addresses.
object-group network OBJ_BBN_RN_BBN
 host 85.140.32.104
 host 78.85.13.205
!
! Branch address groups, continued (members of OBJ_BRANCHES). OBJ_IZH_MLK_IZM and OBJ_IZH_KG_P11
! contain the DMVPN hub addresses used by Tunnel1001/Tunnel1002 (85.140.32.27, 78.85.13.42,
! 5.227.124.143, 78.85.13.93). OBJ_EKB_KG_EKB is this router's own pair of WAN addresses.
object-group network OBJ_BBN_VST_BBN
 host 85.140.32.103
 host 83.169.220.204
!
object-group network OBJ_IZH_MLK_IZM
 host 85.140.32.27
 host 78.85.13.42
 host 5.227.126.169
 host 31.173.105.54
 host 217.14.195.253
 host 85.175.86.74
!
object-group network OBJ_IZH_KG_P11
 91.240.179.0 255.255.255.0
 host 5.227.124.143
 host 78.85.13.93
 host 62.141.96.126
 host 84.201.247.190
 host 88.80.33.50
 host 94.25.46.122
!
object-group network OBJ_IZH_VST_IZM
 host 5.227.124.82
 host 78.85.13.38
!
object-group network OBJ_IZH_TK_M44
 host 212.46.204.74
 host 88.80.33.162
!
object-group network OBJ_IZH_TK_M48
 host 87.249.237.250
!
object-group network OBJ_IZH_TK_SMR
 host 87.249.239.226
 host 88.80.33.42
!
object-group network OBJ_MSK_KG_MSK
 host 185.62.195.150
 host 185.6.175.101
!
object-group network OBJ_GLZ_MLK_GMK
 host 31.173.105.62
 host 85.140.32.29
!
object-group network OBJ_KZN_MLK_KMK
 host 83.69.126.54
 host 94.180.253.210
 host 78.138.171.82
!
object-group network OBJ_KEZ_MLK_KZS
 host 31.173.105.66
 host 78.85.13.52
 host 85.140.32.30
!
object-group network OBJ_PRM_MLK_PHK
 host 178.47.128.18
 host 46.146.210.68
!
object-group network OBJ_SAR_MLK_SRM
 host 31.173.105.58
 host 78.85.13.53
 host 85.140.32.28
!
object-group network OBJ_CLB_MLK_CMK
 host 37.113.128.241
 host 149.255.6.35
!
object-group network OBJ_GLZ_GKZ_GKZ
 host 78.85.13.94
 host 146.120.104.181
!
object-group network OBJ_KIA_RN_KIA
 host 78.85.14.97
!
object-group network OBJ_IZH_TZK_TZK
 host 78.25.80.134
 host 5.227.124.235
!
object-group network OBJ_IZH_MK_VS17
 host 5.227.124.141
!
object-group network OBJ_IZH_KL_KLI
 host 78.85.15.85
 host 84.201.247.24
 host 79.175.36.97
 host 84.201.244.235
!
! This site's own WAN addresses (Gi0/0/0 and Gi0/0/1); its presence in OBJ_BRANCHES is harmless.
object-group network OBJ_EKB_KG_EKB
 host 62.168.232.182
 host 176.215.14.11
!
object-group network OBJ_IZH_KEN_VS56
 host 83.143.54.246
 host 92.55.54.109
!
object-group network OBJ_IZH_VRS_IZM
 host 85.140.32.177
 host 78.85.14.98
!
object-group network OBJ_GLZ_VRS_UPF
 host 95.215.208.234
 host 78.85.13.119
!
! Branch address groups, continued (members of OBJ_BRANCHES).
object-group network OBJ_IZH_VRS_IPF
 host 85.140.32.141
 host 78.85.13.117
!
object-group network OBJ_IZH_VRS_PFV
 host 85.140.32.178
 host 94.181.119.90
 host 78.85.33.50
!
object-group network OBJ_VOT_VRS_VPF
 host 78.85.13.118
 host 88.80.33.14
!
object-group network OBJ_MSB_TMA_MSB
 host 78.138.182.214
!
object-group network OBJ_KIB_TMA_KIB
 host 78.138.182.126
!
object-group network OBJ_PRM_VRS_MPF
 host 178.47.130.10
 host 5.227.121.127
!
object-group network OBJ_LAI_VRS_DPF
 host 178.205.241.114
 host 46.232.164.108
!
object-group network OBJ_SHM_TMA_SHM
 host 89.232.91.106
 host 31.173.182.210
!
object-group network OBJ_EVL_TMA_EVL
 host 89.232.102.166
!
object-group network OBJ_ITL_VST_ITL
 host 5.227.124.130
 host 78.85.34.99
 host 81.211.13.82
!
object-group network OBJ_MZH_VST_MZH
 host 88.80.33.250
 host 83.169.220.171
!
object-group network OBJ_KIA_VST_KIA
 host 85.140.32.24
 host 188.94.168.238
!
object-group network OBJ_KGB_VST_KBB
 host 78.85.37.88
 host 88.80.33.154
!
object-group network OBJ_SAR_VST_SMK
 host 78.85.19.93
 host 88.80.33.234
!
object-group network OBJ_KNK_VST_KMK
 host 178.161.242.67
!
object-group network OBJ_IZH_KM_S61
 host 84.201.247.32
 host 88.80.33.194
!
object-group network OBJ_YAN_GKZ_YEL
 host 77.94.97.222
!
object-group network OBJ_KGB_RN_KGB
 host 78.85.13.165
!
object-group network OBJ_NCH_RN_NCH
 host 78.85.13.166
!
object-group network OBJ_PRI_RN_PRI
 host 78.85.13.167
!
object-group network OBJ_URN_RN_URN
 host 78.85.20.49
!
object-group network OBJ_MZH_TK_TKM
 host 88.80.32.230
 host 78.85.35.34
!
object-group network OBJ_GLZ_TK_TKG
 host 95.215.208.240
 host 146.120.104.235
 host 95.215.208.173
!
object-group network OBJ_IZH_TK_M21
 host 84.201.242.133
!
object-group network OBJ_IZH_HLA_PP
 host 92.61.17.250
!
object-group network OBJ_IZH_HLA_UHK
 host 92.55.7.148
!
object-group network OBJ_IZH_VD_VS17
 host 84.201.247.100
!
! Only group that mixes a /30 with single hosts; the two hosts sit just outside that /30.
object-group network OBJ_IZH_KS_H17
 85.140.32.64 255.255.255.252
 host 85.140.32.63
 host 85.140.32.68
!
object-group network OBJ_IZH_KI_VOR158
 host 46.147.130.59
 host 5.227.125.126
!
object-group network OBJ_SPB_KG_SPB
 host 62.141.114.190
 host 94.72.27.43
!
! Aggregate of every branch group above. Referenced by ACL-EKT_WAN_TO_SELF (ZBFW WAN->self) and
! ACL_FW_IN (Gi0/0/1 inbound) as "permit ip OBJ_BRANCHES STATIC_ISP_IP", i.e. any IP protocol from a
! listed branch address to this router's WAN addresses is admitted -- the IPsec/ISAKMP path for the
! DMVPN cloud, but also every other service bound to those addresses. Branch address changes must be
! reflected here or the spoke loses the hub.
object-group network OBJ_BRANCHES
 group-object OBJ_IZH_MLK_IZM
 group-object OBJ_IZH_KG_P11
 group-object OBJ_IZH_VST_IZM
 group-object OBJ_IZH_TK_M44
 group-object OBJ_IZH_TK_M48
 group-object OBJ_IZH_TK_SMR
 group-object OBJ_MSK_KG_MSK
 group-object OBJ_GLZ_MLK_GMK
 group-object OBJ_KZN_MLK_KMK
 group-object OBJ_KEZ_MLK_KZS
 group-object OBJ_PRM_MLK_PHK
 group-object OBJ_SAR_MLK_SRM
 group-object OBJ_CLB_MLK_CMK
 group-object OBJ_BBN_RN_BBN
 group-object OBJ_GLZ_GKZ_GKZ
 group-object OBJ_KIA_RN_KIA
 group-object OBJ_IZH_TZK_TZK
 group-object OBJ_IZH_MK_VS17
 group-object OBJ_IZH_KL_KLI
 group-object OBJ_EKB_KG_EKB
 group-object OBJ_IZH_KEN_VS56
 group-object OBJ_IZH_VRS_IZM
 group-object OBJ_GLZ_VRS_UPF
 group-object OBJ_IZH_VRS_IPF
 group-object OBJ_IZH_VRS_PFV
 group-object OBJ_VOT_VRS_VPF
 group-object OBJ_MSB_TMA_MSB
 group-object OBJ_KIB_TMA_KIB
 group-object OBJ_PRM_VRS_MPF
 group-object OBJ_LAI_VRS_DPF
 group-object OBJ_BBN_VST_BBN
 group-object OBJ_SHM_TMA_SHM
 group-object OBJ_EVL_TMA_EVL
 group-object OBJ_ITL_VST_ITL
 group-object OBJ_MZH_VST_MZH
 group-object OBJ_KIA_VST_KIA
 group-object OBJ_KGB_VST_KBB
 group-object OBJ_SAR_VST_SMK
 group-object OBJ_KNK_VST_KMK
 group-object OBJ_IZH_KM_S61
 group-object OBJ_YAN_GKZ_YEL
 group-object OBJ_KGB_RN_KGB
 group-object OBJ_NCH_RN_NCH
 group-object OBJ_PRI_RN_PRI
 group-object OBJ_URN_RN_URN
 group-object OBJ_MZH_TK_TKM
 group-object OBJ_GLZ_TK_TKG
 group-object OBJ_IZH_TK_M21
 group-object OBJ_IZH_HLA_PP
 group-object OBJ_IZH_HLA_UHK
 group-object OBJ_IZH_VD_VS17
 group-object OBJ_IZH_KS_H17
 group-object OBJ_IZH_KI_VOR158
 group-object OBJ_SPB_KG_SPB
!
! Not referenced anywhere in this capture.
object-group network OBJ_KUN_KMK_B2
 94.138.150.0 255.255.255.0
!
! This router's WAN addresses (Gi0/0/0 / Gi0/0/1); destination of all WAN-side "permit" entries.
object-group network STATIC_ISP_IP
 host 62.168.232.182
 host 176.215.14.11
!
!
!
! Local fallback admin account (used when RADIUS is unreachable; console tries it first).
! Type-5 hash -- same migration note as the enable secret ("username ... algorithm-type scrypt secret").
username netadmin privilege 15 secret 5 $1$hiqX$s01ChZnEo12Mj9I7IabVe1
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
! ISP health tracking. Track 100 (ISP-1, drives the global default route and the EEM applets) is up
! when either SLA 102 (1.1.1.2) or SLA 103 (8.8.4.4) answers through Gi0/0/0; SLA 101 probes the ISP-1
! gateway and feeds track 101 only. Track 200 (ISP-2, vrf ispB) mirrors this with SLA 202/203.
! Down is declared after 5 s, up only after 30 s of sustained reachability (flap damping).
track 100 list boolean or
 object 102
 object 103
 delay down 5 up 30
!
track 101 ip sla 101 reachability
 delay down 10 up 5
!
track 102 ip sla 102 reachability
 delay down 10 up 5
!
track 103 ip sla 103 reachability
 delay down 10 up 5
!
track 200 list boolean or
 object 202
 object 203
 delay down 5 up 30
!
track 201 ip sla 201 reachability
 delay down 10 up 5
!
track 202 ip sla 202 reachability
 delay down 10 up 5
!
track 203 ip sla 203 reachability
 delay down 10 up 5
!
no cdp run
!
! Zone-based firewall.
!  LAN -> WAN : stateful inspect of tcp/udp/icmp/ftp (match-any), everything else dropped.
!  LAN <-> self: "pass" -- no inspection and no restriction, so every EKT-LAN member (all four VLANs
!               including guest VLAN 500, and both DMVPN tunnels) reaches every router service
!               (SSH, HTTP/HTTPS, DNS, SNMP, BGP).
!  self -> WAN : "pass" is stateless; return traffic is not tracked and must be admitted explicitly by
!               ACL-EKT_WAN_TO_SELF (hence the source-port-based permits in that ACL).
!  WAN -> LAN : no zone-pair exists, so inter-zone traffic is dropped unless it belongs to a session
!               created by the LAN->WAN inspect policy.
!  Zone DMVPN is declared but has no member interface and no zone-pair; Tunnel1001/1002 are in EKT-LAN.
class-map type inspect match-any CM-EKT_OUT_INSPECTION
 match protocol icmp
 match protocol ftp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CM-EKT_WAN_TO_SELF
 match access-group name ACL-EKT_WAN_TO_SELF
!
policy-map type inspect PM-EKT_LAN_TO_WAN
 class type inspect CM-EKT_OUT_INSPECTION
  inspect
 class class-default
  drop
policy-map type inspect PM-EKT_PASSANY
 description :: ALL ALLOWED
 class class-default
  pass
policy-map type inspect PM-EKT_SELF_TO_WAN
 description :: ALL TRAFIC FROM ROUTER ALLOWED TO WAN
 class class-default
  pass
policy-map type inspect PM-EKT_WAN_TO_SELF
 class type inspect CM-EKT_WAN_TO_SELF
  pass
 class class-default
  drop
!
zone security EKT-LAN
zone security EKT-WAN
zone security DMVPN
zone-pair security ZP-EKT_LAN_TO_SELF source EKT-LAN destination self
 service-policy type inspect PM-EKT_PASSANY
zone-pair security ZP-EKT_LAN_TO_WAN source EKT-LAN destination EKT-WAN
 service-policy type inspect PM-EKT_LAN_TO_WAN
zone-pair security ZP-EKT_SELF_TO_LAN source self destination EKT-LAN
 service-policy type inspect PM-EKT_PASSANY
zone-pair security ZP-EKT_SELF_TO_WAN source self destination EKT-WAN
 service-policy type inspect PM-EKT_SELF_TO_WAN
zone-pair security ZP-EKT_WAN_TO_SELF source EKT-WAN destination self
 service-policy type inspect PM-EKT_WAN_TO_SELF
!
! IKEv1 / IPsec for the DMVPN spokes.
! NOTE(review): a single cleartext wildcard pre-shared key ("address 0.0.0.0 0.0.0.0") is used in both
! keyrings and again in the global "crypto isakmp key" line, i.e. every peer in the DMVPN shares the
! same PSK. Exposure of any one spoke's config (as in this capture) exposes the whole cloud: plan a
! rotation across all spokes/hubs and store the key as type 6 ("key config-key password-encrypt" +
! "password encryption aes") so it no longer lands in NVRAM and the TFTP backups in the clear.
crypto keyring KR_ISP-A vrf ispA
  pre-shared-key address 0.0.0.0 0.0.0.0 key mlk20kom19
crypto keyring KR_ISP-B vrf ispB
  pre-shared-key address 0.0.0.0 0.0.0.0 key mlk20kom19
crypto logging session
!
!
! ISAKMP policy 150: AES-128, PSK authentication, DH group 2 (1024-bit MODP). No "hash" line, so the
! platform default hash applies. Group 2 is below current guidance (group 14 or higher, or IKEv2);
! any change must be coordinated with the hubs and every other spoke, which must agree on the policy.
crypto isakmp policy 150
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mlk20kom19 address 0.0.0.0 no-xauth
crypto isakmp keepalive 30
crypto isakmp nat keepalive 10
! Per-VRF ISAKMP profiles; only the ispB one is used by an interface (Tunnel1002).
crypto isakmp profile PF_ISAKMP_ISP-A
   keyring KR_ISP-A
   match identity address 0.0.0.0 ispA
crypto isakmp profile PF_ISAKMP_ISP-B
   keyring KR_ISP-B
   match identity address 0.0.0.0 ispB
!
!
! ESP AES-128-CBC with HMAC-SHA1, transport mode (the GRE header is the IPsec payload).
crypto ipsec transform-set CRYPTO_TS_DMVPN esp-aes esp-sha-hmac
 mode transport
!
! Used by Tunnel1001 (global table). No ISAKMP profile is set, so the global "crypto isakmp key" applies.
crypto ipsec profile CRYPTO_IPSEC_DMVPN
 description --SPOKE_TO_SITE_DMVPN_IPSEC_GRE--
 set transform-set CRYPTO_TS_DMVPN
!
! Not applied to any interface in this capture (vrf ispA has no member interface).
crypto ipsec profile PF_IPSEC_DMVPN_ISP-A
 description --SPOKE_TO_SITE_DMVPN_IPSEC_GRE_VRF_ispA--
 set transform-set CRYPTO_TS_DMVPN
 set isakmp-profile PF_ISAKMP_ISP-A
!
! Used by Tunnel1002 (tunnel vrf ispB).
crypto ipsec profile PF_IPSEC_DMVPN_ISP-B
 description --SPOKE_TO_SITE_DMVPN_IPSEC_GRE_VRF_ispB--
 set transform-set CRYPTO_TS_DMVPN
 set isakmp-profile PF_ISAKMP_ISP-B
!
!
!
!
!
!
!
!
!
!
! Shut down, no address: unused.
interface Loopback7777
 description TK8632m - TK8633m
 no ip address
 shutdown
!
! DMVPN spoke over ISP-1: mGRE sourced from Gi0/0/0 (global table) to hubs 172.30.1.1 (85.140.32.27)
! and 172.30.1.2 (78.85.13.42). The tunnel is an EKT-LAN zone member, so hub/branch traffic is
! intra-zone with the local VLANs and is neither inspected nor filtered. "ip nhrp authentication" is a
! cleartext tag that only guards against mis-paired clouds; confidentiality comes from the IPsec
! profile. MTU 1400 / MSS 1360 leave room for the GRE+ESP overhead.
interface Tunnel1001
 description --DMVPN_SPOKE_42_CLOUD_1--
 bandwidth 20000
 ip flow monitor FLOW_MONITOR_INPUT input
 ip flow monitor FLOW_MONITOR_OUTPUT output
 ip address 172.30.1.44 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication M_K.Cl01
 ip nhrp map 172.30.1.1 85.140.32.27
 ip nhrp map 172.30.1.2 78.85.13.42
 ip nhrp map multicast 85.140.32.27
 ip nhrp map multicast 78.85.13.42
 ip nhrp network-id 1001
 ip nhrp holdtime 300
 ip nhrp nhs 172.30.1.1
 ip nhrp nhs 172.30.1.2
 zone-member security EKT-LAN
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 1001
 tunnel protection ipsec profile CRYPTO_IPSEC_DMVPN shared
!
! DMVPN spoke over ISP-2: mGRE sourced from Gi0/0/1 in vrf ispB ("tunnel vrf"), inner addressing in the
! global table; hubs 172.30.2.1 (5.227.124.143) and 172.30.2.2 (78.85.13.93). Also an EKT-LAN member.
interface Tunnel1002
 description --DMVPN_SPOKE_42_CLOUD_2--
 bandwidth 20000
 ip flow monitor FLOW_MONITOR_INPUT input
 ip flow monitor FLOW_MONITOR_OUTPUT output
 ip address 172.30.2.44 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication M_K.Cl02
 ip nhrp map 172.30.2.1 5.227.124.143
 ip nhrp map 172.30.2.2 78.85.13.93
 ip nhrp map multicast 5.227.124.143
 ip nhrp map multicast 78.85.13.93
 ip nhrp network-id 1002
 ip nhrp holdtime 300
 ip nhrp nhs 172.30.2.1
 ip nhrp nhs 172.30.2.2
 zone-member security EKT-LAN
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 1002
 tunnel vrf ispB
 tunnel protection ipsec profile PF_IPSEC_DMVPN_ISP-B
!
! ISP-1 (MTS), global routing table, NAT outside, zone EKT-WAN. No interface ACL: inbound traffic to
! the router is governed only by the WAN->self zone-pair (ACL-EKT_WAN_TO_SELF) and transit by the
! LAN->WAN inspect sessions.
interface GigabitEthernet0/0/0
 description [ISP-20M] ISP_1-MTS
 bandwidth 20000
 ip flow monitor FLOW_MONITOR_INPUT input
 ip flow monitor FLOW_MONITOR_OUTPUT output
 ip address 62.168.232.182 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security EKT-WAN
 load-interval 30
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
! ISP-2 (Er-Telecom), vrf ispB, NAT outside.
! NOTE(review): unlike Gi0/0/0 this interface has no "zone-member security" line, so it sits outside the
! zone-based firewall and is protected only by ACL_FW_IN. ZBFW does not pass traffic between a zone
! member (the LAN SVIs) and an interface in no zone, so the NAT rule bound to this interface
! (RM_NAT_ISP_2) can only serve router-originated or otherwise leaked traffic -- verify the intended
! ISP-2 failover path for LAN users, and consider "zone-member security EKT-WAN" here for parity.
interface GigabitEthernet0/0/1
 description [ISP-100M] ISP_2-Er-telecom
 bandwidth 100000
 vrf forwarding ispB
 ip flow monitor FLOW_MONITOR_INPUT input
 ip flow monitor FLOW_MONITOR_OUTPUT output
 ip address 176.215.14.11 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip access-group ACL_FW_IN in
 load-interval 30
 negotiation auto
 no cdp enable
!
! Trunk to the Wi-Fi access point. The native VLAN is 300 (EKT_MGMT), so untagged frames from the AP
! land in the management VLAN; a dedicated, otherwise unused native VLAN keeps untagged traffic out of
! MGMT. CDP/LLDP are disabled toward the AP.
interface GigabitEthernet0/1/0
 description Wi-Fi
 switchport trunk native vlan 300
 switchport trunk allowed vlan 2,150,300,500
 switchport mode trunk
 zone-member security EKT-LAN
 logging event trunk-status
 logging event spanning-tree
 no cdp enable
 no lldp transmit
 no lldp receive
!
! User access ports (VLAN 2). No port-security, 802.1X or DHCP snooping is configured on them.
interface GigabitEthernet0/1/1
 description ACCESS
 switchport access vlan 2
 switchport mode access
 zone-member security EKT-LAN
 no cdp enable
 no snmp trap link-status
!
! Remaining user access ports, identical to Gi0/1/1.
interface GigabitEthernet0/1/2
 description ACCESS
 switchport access vlan 2
 switchport mode access
 zone-member security EKT-LAN
 no cdp enable
 no snmp trap link-status
!
interface GigabitEthernet0/1/3
 description ACCESS
 switchport access vlan 2
 switchport mode access
 zone-member security EKT-LAN
 no cdp enable
 no snmp trap link-status
!
interface GigabitEthernet0/1/4
 description ACCESS
 switchport access vlan 2
 switchport mode access
 zone-member security EKT-LAN
 no cdp enable
 no snmp trap link-status
!
interface GigabitEthernet0/1/5
 description ACCESS
 switchport access vlan 2
 switchport mode access
 zone-member security EKT-LAN
 no cdp enable
 no snmp trap link-status
!
interface GigabitEthernet0/1/6
 description ACCESS
 switchport access vlan 2
 switchport mode access
 zone-member security EKT-LAN
 no cdp enable
 no snmp trap link-status
!
interface GigabitEthernet0/1/7
 description ACCESS
 switchport access vlan 2
 switchport mode access
 zone-member security EKT-LAN
 no cdp enable
 no snmp trap link-status
!
interface Vlan1
 no ip address
 shutdown
!
! L3 SVIs. All four are EKT-LAN members, so VLAN-to-VLAN traffic -- including guest VLAN 500 toward the
! user VLAN 2 and the management VLAN 300 -- is intra-zone and is not subject to any zone-pair policy;
! isolating the guest segment would need its own zone or SVI ACLs. Only Vlan2 and Vlan500 disable ICMP
! redirects. Client DNS is answered by the router itself through the per-VLAN view lists.
interface Vlan2
 description EKT-LOCAL-USERS
 ip dhcp relay information trusted
 ip address 10.14.52.254 255.255.255.0
 no ip redirects
 ip nat inside
 ip dns view-group DNS_ACCESS_AREA
 zone-member security EKT-LAN
!
interface Vlan150
 description EKT_WIFI-USER
 ip dhcp relay information trusted
 ip address 10.14.54.254 255.255.255.0
 ip nat inside
 ip dns view-group DNS_ACCESS_AREA_150
 zone-member security EKT-LAN
!
interface Vlan300
 description EKT_MGMT
 ip dhcp relay information trusted
 ip address 10.14.53.254 255.255.255.0
 ip nat inside
 ip dns view-group DNS_ACCESS_AREA_300
 zone-member security EKT-LAN
!
! Guest Wi-Fi; gets the DNS_GUEST_AREA view list (public forwarders only).
interface Vlan500
 description EKT_WIFI-GUEST
 ip dhcp relay information trusted
 ip address 10.14.55.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip dns view-group DNS_GUEST_AREA
 zone-member security EKT-LAN
!
! eBGP to the DMVPN hubs over the tunnels: AS 64512 via cloud 1 (PG_BGP_OCOD), AS 64513 via cloud 2
! (PG_BGP_RCOD). Only the site aggregate 10.14.52.0/22 is advertised (RM_BGP_TO_HUB); routes from the
! .1 hub of each cloud get local-preference 1000 (RM_BGP_FROM_HUB). BGP distance is lowered to 150 so
! hub-learned routes do not beat the tracked statics.
! No "neighbor ... password" is configured, so the sessions are not MD5-authenticated; they do run
! inside the IPsec-protected tunnels, which limits the exposure.
router bgp 64534
 bgp log-neighbor-changes
 bgp graceful-restart
 aggregate-address 10.14.52.0 255.255.252.0 summary-only
 redistribute connected route-map RM_BGP_REDISTR_CON
 neighbor PG_BGP_OCOD peer-group
 neighbor PG_BGP_OCOD remote-as 64512
 neighbor PG_BGP_OCOD next-hop-self
 neighbor PG_BGP_OCOD soft-reconfiguration inbound
 neighbor PG_BGP_OCOD route-map RM_BGP_TO_HUB out
 neighbor PG_BGP_RCOD peer-group
 neighbor PG_BGP_RCOD remote-as 64513
 neighbor PG_BGP_RCOD next-hop-self
 neighbor PG_BGP_RCOD soft-reconfiguration inbound
 neighbor PG_BGP_RCOD route-map RM_BGP_TO_HUB out
 neighbor 172.30.1.1 peer-group PG_BGP_OCOD
 neighbor 172.30.1.1 route-map RM_BGP_FROM_HUB in
 neighbor 172.30.1.2 peer-group PG_BGP_OCOD
 neighbor 172.30.2.1 peer-group PG_BGP_RCOD
 neighbor 172.30.2.1 route-map RM_BGP_FROM_HUB in
 neighbor 172.30.2.2 peer-group PG_BGP_RCOD
 distance bgp 150 150 150
!
! PAT out of either ISP interface (selected by RM_NAT_ISP_1/2). The translation table is capped at
! 1000 entries, which is small for four /24 user VLANs -- confirm the cap is deliberate.
ip nat translation timeout 450
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 45
ip nat translation dns-timeout 5
ip nat translation port-timeout tcp 110 60
ip nat translation port-timeout tcp 25 60
ip nat translation port-timeout tcp 80 15
ip nat translation max-entries 1000
ip nat inside source route-map RM_NAT_ISP_1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map RM_NAT_ISP_2 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
! NOTE(review): plain HTTP is enabled alongside HTTPS, authenticates against local users only (outside
! the RADIUS/AAA model used for the lines), and no "ip http access-class" limits sources; because
! LAN->self is "pass", every LAN and guest host can reach it. Prefer "no ip http server",
! "ip http authentication aaa" and an access-class unless a LAN-side tool depends on the HTTP listener.
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface Vlan300
! Split-horizon DNS views: komos.local -> 192.168.1.21/.100, milkom-komos.ru -> 192.168.8.200/.201
! (reached over the DMVPN), everything else -> 8.8.8.8/8.8.4.4. One view per client VLAN so forwarded
! queries are sourced from the matching SVI; the guest list only uses the default (public) view.
ip dns view default
 dns forwarder 8.8.8.8
 dns forwarder 8.8.4.4
ip dns view KOMOS.LOCAL
 domain name komos.local
 domain list komos.local
 domain round-robin
 dns forwarder 192.168.1.21
 dns forwarder 192.168.1.100
 dns forwarding source-interface Vlan2
ip dns view KOMOS.LOCAL.150
 domain name komos.local
 domain list komos.local
 domain round-robin
 dns forwarder 192.168.1.21
 dns forwarder 192.168.1.100
 dns forwarding source-interface Vlan150
ip dns view KOMOS.LOCAL.300
 domain name komos.local
 domain list komos.local
 domain round-robin
 dns forwarder 192.168.1.21
 dns forwarder 192.168.1.100
 dns forwarding source-interface Vlan300
ip dns view MILKOM-KOMOS.RU
 domain name milkom-komos.ru
 domain list milkom-komos.ru
 domain round-robin
 dns forwarder 192.168.8.200
 dns forwarder 192.168.8.201
 dns forwarding source-interface Vlan2
ip dns view MILKOM-KOMOS.RU.150
 domain name milkom-komos.ru
 domain list milkom-komos.ru
 domain round-robin
 dns forwarder 192.168.8.200
 dns forwarder 192.168.8.201
 dns forwarding source-interface Vlan150
ip dns view MILKOM-KOMOS.RU.300
 domain name milkom-komos.ru
 domain list milkom-komos.ru
 domain round-robin
 dns forwarder 192.168.8.200
 dns forwarder 192.168.8.201
 dns forwarding source-interface Vlan300
ip dns view-list DNS_GUEST_AREA
 view default 10
ip dns view-list DNS_ACCESS_AREA
 view KOMOS.LOCAL 10
  restrict name-group 1
 view MILKOM-KOMOS.RU 20
  restrict name-group 2
 view default 100
ip dns view-list DNS_ACCESS_AREA_150
 view KOMOS.LOCAL.150 10
  restrict name-group 1
 view MILKOM-KOMOS.RU.150 20
  restrict name-group 2
 view default 100
ip dns view-list DNS_ACCESS_AREA_300
 view KOMOS.LOCAL.300 10
  restrict name-group 1
 view MILKOM-KOMOS.RU.300 20
  restrict name-group 2
 view default 100
! Name groups decide which view answers: internal zones (plus 192.in-addr.arpa reverse lookups) go to
! the internal forwarders, everything else falls through to the public view.
ip dns name-list 1 permit .*\.KOMOS\.LOCAL
ip dns name-list 1 permit 192\.IN-ADDR
ip dns name-list 1 permit .*\.KOMOS-GROUP\.RU
ip dns name-list 1 permit .*\.KOMOS\.RU
ip dns name-list 2 permit .*\.MILKOM-KOMOS\.RU
ip dns name-list 2 permit 192\.IN-ADDR
! The router's DNS server is enabled globally (all interfaces); on the WAN side only the ACL entries
! below decide who can reach it.
ip dns server view-group DNS_ACCESS_AREA
ip dns server
! Static routing. The global default points at ISP-1 only and is withdrawn when track 100 falls; the
! host routes pin the hub addresses and the SLA probe targets to the ISP they are tested through. The
! ispB default exists only inside the VRF. NOTE(review): no global-table route points into ispB
! (RM_EXPORT/PL_EXPORT are defined but not attached to "vrf definition ispB"), so once ISP-1 is down
! LAN traffic has no path via ISP-2 in this capture -- confirm whether that is intended.
ip route 0.0.0.0 0.0.0.0 62.168.232.129 100 name --ISP_1_MTS-- track 100
ip route 85.140.32.27 255.255.255.255 62.168.232.129 100 name over_MTS_ISP_1 track 100
ip route 78.85.13.42 255.255.255.255 62.168.232.129 100 name over_MTS_ISP_1 track 100
ip route 5.227.124.143 255.255.255.255 62.168.232.129 100 name over_MTS_ISP_1 track 100
ip route 78.85.13.93 255.255.255.255 62.168.232.129 100 name over_MTS_ISP_1 track 100
ip route 1.1.1.2 255.255.255.255 62.168.232.129 101 name over_MTS_ISP_1 track 101
ip route 8.8.4.4 255.255.255.255 62.168.232.129 101 name over_MTS_ISP_1 track 101
ip route vrf ispB 0.0.0.0 0.0.0.0 176.215.14.254 200 name --ISP_2_Er-Telecom-- track 200
ip route vrf ispB 1.1.1.1 255.255.255.255 176.215.14.254 201 name over_ISP_2_Er-Telecom track 201
ip route vrf ispB 8.8.8.8 255.255.255.255 176.215.14.254 201 name over_ISP_2_Er-Telecom track 201
!
ip ssh version 2
!
!
ip prefix-list PFL_BGP_REDISTR_CON seq 10 permit 10.0.0.0/8 le 24
!
ip prefix-list PFL_TO_HUB seq 10 permit 10.14.52.0/22
!
! PL_EXPORT/RM_EXPORT ("EXPORT TO GRT") are defined but not referenced by the VRF definition.
ip prefix-list PL_EXPORT description EXPORT TO GRT
ip prefix-list PL_EXPORT seq 5 permit 0.0.0.0/0
ip prefix-list PL_EXPORT seq 10 permit 62.168.232.128/26
ip prefix-list PL_EXPORT seq 15 permit 176.215.14.0/24
!
ip prefix-list PL_IMPORT description IMPORT FROM GRT
ip prefix-list PL_IMPORT seq 5 permit 10.14.52.0/22 le 24
!
! The first entry (10.14.52.0/24) is fully contained in the second (10.14.52.0/22); redundant.
ip access-list standard ACL_FOR_NAT
 permit 10.14.52.0 0.0.0.255
 permit 10.14.52.0 0.0.3.255
!
! WAN->self (ZBFW "pass" via CM-EKT_WAN_TO_SELF): DMVPN peers and the ISP-1 gateway may reach the
! router's WAN addresses with any IP protocol; ICMP from anywhere.
! NOTE(review): "permit udp any eq domain ..." matches the *source* port, so any UDP datagram whose
! sender chose source port 53 reaches every UDP service on the router's WAN addresses (the same
! pattern repeats in ACL_FW_IN for domain, ntp and 5060). Restrict these entries to the configured
! resolvers, or -- if the platform supports it for self-zone pairs -- replace the self->WAN "pass"
! with "inspect" so that replies are admitted statefully and these entries can go.
ip access-list extended ACL-EKT_WAN_TO_SELF
 permit ip object-group OBJ_BRANCHES object-group STATIC_ISP_IP
 permit icmp any any
 permit udp any eq domain object-group STATIC_ISP_IP
 permit ip host 62.168.232.129 host 62.168.232.182
 permit ip host 5.227.124.143 host 176.215.14.11
 permit ip host 78.85.13.93 host 176.215.14.11
 deny ip any any
! Inbound on Gi0/0/1 (the interface without a zone). Same peer/ICMP permits plus TCP 2109/2110 to the
! WAN addresses from any source; no static NAT for those ports appears in this capture, so confirm what
! is meant to answer on them before keeping the entries.
ip access-list extended ACL_FW_IN
 permit ip object-group OBJ_BRANCHES object-group STATIC_ISP_IP
 permit tcp any object-group STATIC_ISP_IP eq 2110
 permit udp any eq domain object-group STATIC_ISP_IP
 permit udp any eq ntp object-group STATIC_ISP_IP
 permit tcp any object-group STATIC_ISP_IP eq 2109
 permit icmp any any
 permit udp any eq 5060 object-group STATIC_ISP_IP
 deny ip any any
! RFC1918 destinations; not referenced anywhere in this capture.
ip access-list extended ACL_LOCAL
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
! IP SLA probes every 10 s: 101/201 ping each ISP gateway, 102/103 and 202/203 ping public anycast
! addresses through the respective ISP (the host routes above keep them on that path).
ip sla 101
 icmp-echo 62.168.232.129 source-interface GigabitEthernet0/0/0
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 101 life forever start-time now
ip sla 102
 icmp-echo 1.1.1.2 source-interface GigabitEthernet0/0/0
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 102 life forever start-time now
ip sla 103
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0/0
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 103 life forever start-time now
ip sla 201
 icmp-echo 176.215.14.254 source-interface GigabitEthernet0/0/1
 vrf ispB
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 201 life forever start-time now
ip sla 202
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0/1
 vrf ispB
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 202 life forever start-time now
ip sla 203
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1
 vrf ispB
 threshold 2000
 timeout 3000
 frequency 10
ip sla schedule 203 life forever start-time now
! Daily "write memory" at 01:30 (matches the NVRAM timestamp in the header); each save also triggers
! the TFTP archive copy.
kron occurrence EveryDay at 1:30 recurring
 policy-list SaveBackup
!
kron policy-list SaveBackup
 cli write memory
!
! Syslog to 10.4.244.4 on non-default UDP port 515, sourced from the MGMT SVI. UDP syslog is
! unauthenticated and unencrypted; acceptable on the internal path, but the collector should be the
! one correlating the login/config-change events emitted above.
logging origin-id hostname
logging source-interface Vlan300
logging host 10.4.244.4 transport udp port 515
access-list 1 permit 10.14.52.0 0.0.3.255
!
!
route-map RM_BGP_REDISTR_CON permit 10
 match ip address prefix-list PFL_BGP_REDISTR_CON
!
! route-map ISP_1 (with access-list 1) is not referenced; NAT uses RM_NAT_ISP_1/RM_NAT_ISP_2.
route-map ISP_1 permit 10
 match ip address 1
 match interface GigabitEthernet0/0/0
!
! Defined but not attached to the VRF (see the "ip route" note above).
route-map RM_EXPORT permit 10
 description EXPORT TO GRT
 match ip address prefix-list PL_EXPORT
!
route-map RM_BGP_TO_HUB permit 10
 match ip address prefix-list PFL_TO_HUB
!
route-map RM_BGP_FROM_HUB permit 10
 set local-preference 1000
!
route-map RM_IMPORT permit 10
 description IMPORT FROM GRT
 match ip address prefix-list PL_IMPORT
!
route-map RM_NAT_ISP_1 permit 10
 match ip address ACL_FOR_NAT
 match interface GigabitEthernet0/0/0
!
route-map RM_NAT_ISP_2 permit 10
 match ip address ACL_FOR_NAT
 match interface GigabitEthernet0/0/1
!
! NOTE(review): SNMPv2c read-only community in cleartext, with no access-list limiting who may use it
! (and LAN->self is "pass"); traps go to 10.1.122.227 with the same community. Restrict it
! ("snmp-server community <community> RO <acl>") or move to SNMPv3 authPriv, and rotate the value
! since it is present in this capture.
snmp-server community lmTUEsk6Yvlv RO
snmp-server host 10.1.122.227 lmTUEsk6Yvlv
!
!
!
! RADIUS (NPS) servers behind the "NPS" server group. NOTE(review): the shared secret is identical for
! both servers and stored in cleartext (no type-6 encoding); since it appears in this capture, rotate it
! and enable "key config-key password-encrypt" / "password encryption aes" so it is stored as type 6.
! Ports 1645/1646 are the legacy RADIUS ports -- confirm the NPS side listens on them.
radius server IZH-RDS002
 address ipv4 10.4.0.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
radius server P11-RDS003
 address ipv4 10.1.122.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
!
control-plane
!
alias exec sib show ip int brief
!
! Console: local-first login (CONSOLE list). No "exec-timeout" line, so the platform default idle
! timeout applies. "transport input ssh" on a serial console line has no practical effect.
line con 0
 login authentication CONSOLE
 transport input ssh
 stopbits 1
! VTYs: SSH only, but no "access-class", so any source the firewall lets reach the router (all LAN and
! guest VLANs, DMVPN peers via ACL-EKT_WAN_TO_SELF/ACL_FW_IN) can open a session; 120-minute idle timeout.
! NOTE(review): "login authentication NPS" names a method list that is never defined -- "NPS" is the
! RADIUS server group; the lists that exist are "default" and "CONSOLE". IOS then falls back to the
! default list, which happens to be "group NPS local enable", so logins work by fallback only. Point
! the lines at "default" explicitly, or define the list, and confirm on the device.
line vty 0 4
 exec-timeout 120 0
 logging synchronous
 login authentication NPS
 length 0
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 login authentication NPS
 transport input ssh
!
! NTP from the internal servers over the DMVPN, sourced from MGMT. No "ntp authenticate" /
! "ntp trusted-key", so time is accepted unauthenticated; log timestamps and the 01:30 kron backup
! depend on it.
ntp source Vlan300
ntp server 192.168.8.200
ntp server 192.168.8.201 prefer
! WSMA agents are enabled but no WSMA transport/profile is configured here, so they are inactive.
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
! EEM: on every ISP state change flush the NAT table so existing flows re-bind to the surviving
! ISP, and emit a syslog line. Track 100 = ISP-1, track 200 = ISP-2.
event manager applet --ISP_1_DOWN--
 event track 100 state down
 action 001 cli command "enable"
 action 002 cli command "clear ip nat translation forced"
 action 003 syslog msg "ISP 1 MTS is DOWN"
event manager applet --ISP_1_UP--
 event track 100 state up
 action 001 cli command "enable"
 action 002 cli command "clear ip nat translation forced"
 action 003 syslog msg "ISP 1 MTS is UP"
event manager applet --ISP_2_DOWN--
 event track 200 state down
 action 001 cli command "enable"
 action 002 cli command "clear ip nat translation forced"
 action 003 syslog msg "ISP 2 Er-Telecom is DOWN"
event manager applet --ISP_2_UP--
 event track 200 state up
 action 001 cli command "enable"
 action 002 cli command "clear ip nat translation forced"
 action 003 syslog msg "ISP 2 Er-Telecom is UP"
!
end