Building configuration...

Current configuration : 21895 bytes
!
! Last configuration change at 10:23:33 YEKT Thu Jul 28 2022 by konovalov
! NVRAM config last updated at 14:54:05 YEKT Thu Jul 21 2022 by akhmetzyanovrr_adm
!
version 16.3
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no platform punt-keepalive disable-kernel-core
!
hostname PRM-MLK-PHK-SW-1-1
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging userinfo
enable secret 5 $1$I7ox$/BluRI9AvR9N4XL.Vg5631
!
aaa new-model
!
!
aaa group server radius NPS
 server name IZH-RDS002
 server name P11-RDS003
 ip radius source-interface Vlan300
 load-balance method least-outstanding
!
aaa authentication login default group NPS local enable
aaa authentication login CONSOLE local group NPS
aaa authorization exec default group NPS local if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone YEKT 5 0
switch 1 provision ws-c3850-24s
switch 2 provision ws-c3850-24s
!
!
!
!
ip routing
!
!
!
ip host tftp 10.4.0.214
no ip domain lookup
ip domain name milkom-komos.ru
!
ip dhcp pool PROD_MARKLINE
 utilization mark high 95 log
 utilization mark low 80 log
 network 10.5.97.0 255.255.255.192
 default-router 10.5.97.62
 dns-server 8.8.4.4 8.8.8.8
 lease 8
!
!
!
!
!
!
!
!
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-3339936617
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3339936617
 revocation-check none
 rsakeypair TP-self-signed-3339936617
!
!
crypto pki certificate chain TP-self-signed-3339936617
!
license boot level ipservicesk9
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
archive
 log config
  logging enable
  logging size 900
  notify syslog contenttype plaintext
  hidekeys
 path tftp://tftp/PRM/MLK/PHK-SW_L3/$H-$T
 write-memory
 time-period 10080
!
!
!
!
!
object-group network GUEST_ACCESS_WFC
 host 192.168.51.187
!
object-group network LOCAL_NETS
 10.0.0.0 255.0.0.0
 172.16.0.0 255.255.0.0
 192.168.0.0 255.255.0.0
!
object-group network ROUTETOISP1
 host 192.168.8.34
 host 192.168.20.251
 host 192.168.51.33
 host 192.168.51.101
 host 192.168.55.100
!
object-group network ROUTETOISP2
 host 192.168.51.99
 host 192.168.52.191
 host 192.168.52.192
!
!
username netadmin privilege 15 secret 5 $1$mdwl$/sbNWKILr.Q2qmG1CUnJI0
!
redundancy
 mode sso
!
!
vlan 2
 name --USERS_102.0/24--
!
vlan 3
 name --USERS_103.0/24--
!
vlan 4
 name --USERS_109.0/24--
!
vlan 101
 name --PRINTERS--
!
vlan 111
 name --INTERCONNECT--
!
vlan 150
 name --Wi-Fi_WORK--
!
vlan 200
 name --GUEST_WiFi--
!
vlan 201
 name -SERVERS_Managment-
!
vlan 250
 name --SERVERS--
!
vlan 251
 name --SERVERS_Backup--
!
vlan 252
 name -=Servers_Domination=-
!
vlan 259
 name SOZVEZDIE
!
vlan 300
 name --MANAGEMENT--
!
vlan 301
 name --Wi-Fi_MANAGEMENT--
!
vlan 308
 name -=VIDEO_SW_MGM=-
!
vlan 310
 name --UPS_managment--
!
vlan 350
 name --VOICE--
!
vlan 400
 name -=VIDEO=-
!
vlan 450
 name --Wi-Fi_SKLAD--
!
vlan 500
 name --Wi-Fi_GUEST--
!
vlan 555
 name --BGP_TRANSIT--
!
vlan 600
 name --PROD_MARKLINE--
!
vlan 601
 name --PROD_COPRESSORNAYA--
!
vlan 602
 name --PROD_SL1100_TetraPak--
!
vlan 603
 name --CRPT-MARK--
!
vlan 604
 name --PROD_L2VPN--
!
vlan 2145
 name Test_BGP
lldp run
!
!
class-map match-any system-cpp-police-topology-control
 description Topology control
class-map match-any system-cpp-police-sw-forward
 description Sw forwarding, SGT Cache Full, LOGGING
class-map match-any system-cpp-default
 description DHCP snooping, show forward and rest of traffic
class-map match-any system-cpp-police-sys-data
 description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, Gold Pkt, RPF Failed
class-map match-any system-cpp-police-punt-webauth
 description Punt Webauth
class-map match-any system-cpp-police-forus
 description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
 description MCAST END STATION
class-map match-any system-cpp-police-multicast
 description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
 description L2 control
class-map match-any system-cpp-police-dot1x-auth
 description DOT1X Auth
class-map match-any system-cpp-police-data
 description ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-control-low-priority
 description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
 description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
 description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
 description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
 description Routing control
class-map match-any system-cpp-police-protocol-snooping
 description Protocol snooping
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-sys-data
  police rate 100 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-police-multicast
  police rate 500 pps
 class system-cpp-police-multicast-end-station
  police rate 2000 pps
 class system-cpp-police-punt-webauth
 class system-cpp-police-l2-control
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
 class system-cpp-police-topology-control
 class system-cpp-police-dot1x-auth
 class system-cpp-police-protocol-snooping
 class system-cpp-police-forus
 class system-cpp-default
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 switchport mode trunk
!
interface Port-channel2
 description [KU] SW-2-1
 switchport mode trunk
!
interface Port-channel3
 description [KU] SW-3-1
 switchport mode trunk
!
interface Port-channel4
 description [KU] SW-4-1
 switchport mode trunk
!
interface Port-channel5
 description [KU] SW-5-1
 switchport mode trunk
!
interface Port-channel6
!
interface Port-channel7
 description [KU] SW-7-1
 switchport mode trunk
!
interface Port-channel8
 description [KU] SW-8-1
 switchport mode trunk
!
interface Port-channel9
 description [KU] SW-9-1
 switchport mode trunk
!
interface Port-channel10
 description [KU] SW-10-1
 switchport mode trunk
!
interface Port-channel12
 description [CORE] SW-1-2
 switchport mode trunk
!
interface Port-channel13
 description [CORE] SW-1-3
 switchport mode trunk
!
interface Port-channel14
 description [CORE] SW-1-4
 switchport mode trunk
!
interface Port-channel15
 description [CORE] SW-1-5
 switchport mode trunk
!
interface Port-channel16
 description [CORE] SW-1-6
 switchport mode trunk
!
interface Port-channel18
 description [KU] SW-8-2
 switchport mode trunk
!
interface Port-channel22
 description [CORE] SW-2-2
 switchport mode trunk
!
interface Port-channel23
 description [KU] SW-2-3
 switchport mode trunk
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description [KU] Po2 SW-2-1
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/3
 description [KU] Po3 SW-3-1
 switchport mode trunk
 channel-group 3 mode active
!
interface GigabitEthernet1/0/4
 description [KU] Po4 SW-4-1
 switchport mode trunk
 channel-group 4 mode active
!
interface GigabitEthernet1/0/5
 description [KU] Po5 SW-5-1
 switchport mode trunk
 channel-group 5 mode active
!
interface GigabitEthernet1/0/6
 switchport mode trunk
 channel-group 6 mode active
!
interface GigabitEthernet1/0/7
 description [KU] Po7 SW-7-1
 switchport mode trunk
 channel-group 7 mode active
!
interface GigabitEthernet1/0/8
 description [KU] Po8 SW-8-1
 switchport mode trunk
 channel-group 8 mode active
!
interface GigabitEthernet1/0/9
 description [KU] Po9 SW-9-1
 switchport mode trunk
 channel-group 9 mode active
!
interface GigabitEthernet1/0/10
 description [KU] Po10 SW-10-1
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 description [CORE] Po12 SW-1-2
 switchport mode trunk
 channel-group 12 mode active
!
interface GigabitEthernet1/0/13
 description [CORE] Po13 SW-1-3
 switchport mode trunk
 channel-group 13 mode active
!
interface GigabitEthernet1/0/14
 description [CORE] Po14 SW-1-4
 switchport mode trunk
 channel-group 14 mode active
!
interface GigabitEthernet1/0/15
 description [CORE] Po15 SW-1-5
 switchport mode trunk
 channel-group 15 mode active
!
interface GigabitEthernet1/0/16
 description [CORE] Po16 SW-1-6
 switchport mode trunk
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
 description [KU] Po18 SW-8-2
 switchport mode trunk
 channel-group 18 mode active
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
 description [KU] Po22 SW-2-2
 switchport mode trunk
 channel-group 22 mode active
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 channel-group 23 mode active
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
 description [KU] Po2 SW-2-1
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet2/0/3
 description [KU] Po3 SW-3-1
 switchport mode trunk
 channel-group 3 mode active
!
interface GigabitEthernet2/0/4
 description [KU] Po4 SW-4-1
 switchport mode trunk
 channel-group 4 mode active
!
interface GigabitEthernet2/0/5
 description [KU] Po5 SW-5-1
 switchport mode trunk
 channel-group 5 mode active
!
interface GigabitEthernet2/0/6
 switchport mode trunk
 channel-group 6 mode active
!
interface GigabitEthernet2/0/7
 description [KU] Po7 SW-7-1
 switchport mode trunk
 channel-group 7 mode active
!
interface GigabitEthernet2/0/8
 description [KU] Po8 SW-8-1
 switchport mode trunk
 channel-group 8 mode active
!
interface GigabitEthernet2/0/9
 description [KU] Po9 SW-9-1
 switchport mode trunk
 channel-group 9 mode active
!
interface GigabitEthernet2/0/10
 description [KU] Po10 SW-10-1
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
 description [CORE] Po12 SW-1-2
 switchport mode trunk
 channel-group 12 mode active
!
interface GigabitEthernet2/0/13
 description [CORE] Po13 SW-1-3
 switchport mode trunk
 channel-group 13 mode active
!
interface GigabitEthernet2/0/14
 description [CORE] Po14 SW-1-4
 switchport mode trunk
 channel-group 14 mode active
!
interface GigabitEthernet2/0/15
 description [CORE] Po15 SW-1-5
 switchport mode trunk
 channel-group 15 mode active
!
interface GigabitEthernet2/0/16
 description [CORE] Po16 SW-1-6
 switchport mode trunk
 channel-group 16 mode active
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
 description [KU] Po18 SW-8-2
 switchport mode trunk
 channel-group 18 mode active
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
 description [KU] Po22 SW-2-2
 switchport mode trunk
 channel-group 22 mode active
!
interface GigabitEthernet2/0/23
 switchport mode trunk
 channel-group 23 mode active
!
interface GigabitEthernet2/0/24
 description [CAM] AT-SW-1-1
 switchport trunk allowed vlan 1,252,308,400
 switchport mode trunk
 storm-control broadcast level pps 200
 storm-control multicast level pps 200
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface TenGigabitEthernet2/1/3
!
interface TenGigabitEthernet2/1/4
!
interface Vlan1
 description ---LAN--
 ip address 192.168.55.126 255.255.255.128 secondary
 ip address 192.168.51.254 255.255.252.0 secondary
 ip address 198.198.3.1 255.255.255.0 secondary
 ip address 192.168.52.254 255.255.255.0 secondary
 ip address 192.168.57.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map GLOBAL-ROUTING
!
interface Vlan2
 ip dhcp relay information trusted
 ip address 10.5.102.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan3
 ip dhcp relay information trusted
 ip address 10.5.103.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan4
 description Restricted_Users
 ip dhcp relay information trusted
 ip address 10.5.109.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan101
 ip address 10.5.101.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan111
 description ---INTERCONNECT--
 ip address 172.16.5.4 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan150
 description WIFI_Users
 ip dhcp relay information trusted
 ip address 10.5.106.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan200
 description ---GUEST_Wi-Fi--
 ip address 10.200.2.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group NO_LOCAL_GUEST_Wi-FI in
!
interface Vlan201
 description --SERVERS_Managment--
 ip address 10.5.104.62 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan250
 description --SERVERS--
 ip address 10.5.96.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan252
 description -=Servers_Domination=-
 ip address 10.5.112.62 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan259
 ip address 10.5.112.30 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan300
 description --MANAGEMENT--
 ip address 10.5.126.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan301
 description WIFI_Management
 ip dhcp relay information trusted
 ip address 10.5.105.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan308
 ip address 10.5.127.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan310
 description --UPS managment--
 ip address 10.5.113.254 255.255.255.0
!
interface Vlan350
 ip dhcp relay information trusted
 ip address 10.5.125.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan400
 description VIDEO
 ip address 10.5.121.254 255.255.254.0
!
interface Vlan450
 description WIFI_Prod
 ip dhcp relay information trusted
 ip address 10.5.107.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan500
 description WIFI_Guest
 ip dhcp relay information trusted
 ip address 10.5.108.254 255.255.255.0
 ip helper-address 192.168.51.217
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan555
 description --BGP_TRANSIT--
 ip address 172.30.30.94 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan600
 description --PROD_MARKLINE--
 ip address 10.0.0.254 255.255.255.0 secondary
 ip address 10.5.97.62 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan601
 description --PROD_COPRESSORNAYA--
 ip address 10.5.98.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan602
 ip address 10.5.99.62 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan603
 description --CRPT-MARK--
 ip address 10.5.100.254 255.255.255.0
!
router bgp 64517
 bgp router-id 172.30.30.94
 bgp log-neighbor-changes
 bgp graceful-restart
 network 10.5.96.0 mask 255.255.255.0
 network 10.5.97.0 mask 255.255.255.192
 network 10.5.99.0 mask 255.255.255.192
 network 10.5.126.0 mask 255.255.255.0
 network 172.16.5.0 mask 255.255.255.248
 network 192.168.48.0 mask 255.255.252.0
 network 192.168.52.0
 network 192.168.55.0 mask 255.255.255.128
 aggregate-address 10.5.96.0 255.255.224.0 summary-only
 neighbor 172.30.30.92 remote-as 64517
 neighbor 172.30.30.93 remote-as 64517
 distance bgp 150 150 150
!
ip default-gateway 10.5.126.254
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface Vlan300
ip route 0.0.0.0 0.0.0.0 172.16.5.3 200 name --DEFAULT_ROUTE--
ip ssh version 2
!
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
ip access-list extended LOCAL_TRAFFIC
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
ip access-list extended NO_LOCAL_GUEST_Wi-FI
 permit tcp any host 192.168.8.77 eq 443
 permit tcp any object-group GUEST_ACCESS_WFC eq www 443 8880
 deny   ip any object-group LOCAL_NETS
 permit ip any any
ip access-list extended ROUTE_TO_ISP1
 permit ip object-group ROUTETOISP1 any
ip access-list extended ROUTE_TO_ISP2
 permit ip object-group ROUTETOISP2 any
!
logging origin-id hostname
logging source-interface Vlan300
logging host 10.4.244.4 transport udp port 515
!
route-map GLOBAL-ROUTING deny 10
 match ip address LOCAL_TRAFFIC
!
route-map GLOBAL-ROUTING permit 20
 description --ROUTE_TO_ERTELECOM--
 match ip address ROUTE_TO_ISP1
 set ip next-hop 172.16.5.1
!
route-map GLOBAL-ROUTING permit 1002
 description --ROUTE_TO_ROSTELECOM--
 match ip address ROUTE_TO_ISP2
 set ip next-hop 172.16.5.2
!
snmp-server community lmTUEsk6Yvlv RO 5
!
!
!
radius server IZH-RDS002
 address ipv4 10.4.0.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
radius server P11-RDS003
 address ipv4 10.1.122.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key hykFAA@Hg9X9fsokWh5q8wez#&^a9lIizldHKxlRer3RE7AbsTsJwdB^RESF$eJ0
!
!
control-plane
 service-policy input system-cpp-policy
!
banner exec ^C
Welcome to $(hostname).
You are connected on line $(line) on domain $(domain)
^C
banner login ^C
*****************************************************************************
* *
* UNAUTHORIZED ACCESS IS PROHIBITED *
* *
* You have accessed network equipment. *
* You must have authorized permission to access or configure this device. *
* All activities performed on this device are logged and monitored. *
* *
*****************************************************************************
^C
alias router x exit
alias subinterface x exit
alias interface x exit
alias configure x exit
alias exec ipconfig show ip interface brief | exclude unassign
!
line con 0
 logging synchronous
 login authentication CONSOLE
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 logging synchronous
 login authentication NPS
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 logging synchronous
 login authentication NPS
 transport input ssh
!
ntp source Vlan300
ntp server 192.168.8.200
ntp server 192.168.8.201
!
mac address-table notification change
mac address-table notification mac-move
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
ap dot11 airtime-fairness policy-name Default 0
ap group default-group
ap hyperlocation ble-beacon 0
ap hyperlocation ble-beacon 1
ap hyperlocation ble-beacon 2
ap hyperlocation ble-beacon 3
ap hyperlocation ble-beacon 4
end