! NOTE(review): captured "show running-config" output for IZH-KG-P11-SW-1-1
! (IOS 15.5). This part holds the global services, VRF definitions, local
! credentials and AAA method lists. The dump carries live credential material
! (enable-secret hash, local-user hash and, further down, IPsec pre-shared
! keys); once a copy has left the device those values should be treated as
! exposed and rotated.
Building configuration...
Current configuration : 60494 bytes
!
! Last configuration change at 10:47:49 IZH Thu Jul 28 2022 by adm_kapustinal
! NVRAM config last updated at 10:47:57 IZH Thu Jul 28 2022 by adm_kapustinal
!
version 15.5
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
! NOTE(review): password-encryption only applies reversible type 7 obfuscation
! to "password" strings. It does not cover the ISAKMP pre-shared keys, which
! appear in clear text in the crypto section of this configuration.
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname IZH-KG-P11-SW-1-1
!
boot-start-marker
boot system flash bootdisk:/s2t54-adventerprisek9-mz.SPA.155-1.SY3.bin
boot-end-marker
!
!
! VRF definitions. Of the four VRFs declared here, only VRF-UZB is attached to
! an interface (Vlan400) in the part of the configuration visible on this page.
vrf definition VRF-PI
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition VRF-RT_CLOUD
 rd 100:4039
 !
 address-family ipv4
 exit-address-family
!
vrf definition VRF-UZB
 rd 400:400
 !
 address-family ipv4
  import ipv4 unicast map RM_UZB_IMPORT
 exit-address-family
!
vrf definition VRF_WIFI_GUEST
 !
 address-family ipv4
 exit-address-family
!
! Log when the failed-login rate threshold (5) is exceeded.
security authentication failure rate 5 log
logging buffered 32768 informational
! NOTE(review): type 5 is a salted MD5 hash and is cheap to attack offline once
! the hash is known. Re-create the enable secret with a stronger type (type 9
! is already used for the local user below) and rotate it, because the hash is
! visible in this dump.
enable secret 5 $1$bkfE$/NjXI2VJj62G6IA/cMtlb1
!
! Local privilege-15 account; used when the method lists below fall back to
! "local". The type 9 hash is also disclosed here, so rotate this secret too.
username netadmin privilege 15 secret 9 $9$pC1NoOajaeJ5aL$LdWopDmb3JVIzBXaa2ASeE363bZlxkINA5GPl9COIdo
aaa new-model
!
!
! RADIUS server group; requests are sourced from Vlan100. The "radius server"
! definitions for the two named servers are not in this part of the file.
aaa group server radius NPS
 server name IZH-RDS002
 server name P11-RDS003
 ip radius source-interface Vlan100
 load-balance method least-outstanding
!
! Login, default list: RADIUS group NPS, then the local database, then the
! enable secret. Later methods are tried only when the earlier one returns an
! error (for example no response), not when it rejects the user.
aaa authentication login default group NPS local enable
! Login list CONSOLE: local database first, then RADIUS. Where this list is
! applied (line configuration) is not visible in this part of the file.
aaa authentication login CONSOLE local group NPS
! EXEC authorization: NPS, then local, then if-authenticated, so an already
! authenticated session is authorized when the first two methods error out.
! NOTE(review): no "aaa accounting" lists appear in this section. Confirm that
! exec and command accounting are configured if an audit trail is required.
aaa authorization exec default group NPS local if-authenticated
!
!
!
!
!
!
aaa session-id common
platform ip cef load-sharing ip-only
clock timezone IZH 4 0
!
!
!
!
!
! Hardening: source routing, gratuitous ARP generation and the BOOTP server
! are disabled.
no ip source-route
no ip gratuitous-arps
!
!
no ip bootp server
no ip domain-lookup
ip domain-name komos.ru
ip host VM-KG-NET 10.1.12.70
! Static name "tftp"; the archive path later in this configuration uses it.
ip host tftp 10.4.0.214
! Successful and failed logins are both logged.
login on-failure log
login on-success log
vtp mode transparent
no device-tracking logging theft
!
!
!
!
!
!
!
!
!
!
!
!
!
! Configuration archive and change logging, object groups, spanning tree,
! redundancy, BFD templates and the first part of the VLAN database.
!
! NOTE(review): "hidekeys" only masks secrets in the config-change log records.
! The archive copies written to "path" are full configurations (secret hashes
! and IPsec pre-shared keys included), and TFTP is unauthenticated and
! unencrypted. Prefer an scp:// archive path to a restricted backup host.
! "write-memory" archives on every save; time-period 10080 is in minutes
! (7 days).
archive
 log config
  logging enable
  logging size 900
  notify syslog contenttype plaintext
  hidekeys
 path tftp://tftp/IZH/KG/P11-SW_L3/$H.$T.conf
 write-memory
 time-period 10080
! Object groups; the ACLs or policies that reference them are not visible in
! this part of the file.
object-group ip address OBJ_LOCAL_DNS
 host-info 192.168.8.200
 host-info 192.168.8.201
 host-info 192.168.1.21
 host-info 192.168.1.100
!
! The three RFC 1918 private ranges.
object-group ip address OBJ_LOCAL_TRAFFIC
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
!
!
! Rapid PVST+ with bridge priority 16384 on every VLAN (lower than the 32768
! default, so this switch bids for root everywhere).
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 16384
port-channel load-balance src-dst-mixed-ip-port
!
redundancy
 main-cpu
  auto-sync running-config
 mode sso
! BFD template "p2p" is attached to Vlan596 and Vlan599 later in the file; no
! use of template "test" is visible on this page.
bfd-template single-hop p2p
 interval min-tx 300 min-rx 300 multiplier 3
!
bfd-template single-hop test
 interval min-tx 50 min-rx 50 multiplier 3
!
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
! VLAN database (VTP transparent, so these are locally defined).
vlan 2
 name KG_LAN-USER
!
vlan 3
 name KG_LAN-RESTRICTED
!
vlan 4
 name KG_LAN-VDI
!
vlan 5
 name KG_LAN-ADMIN
!
vlan 6
 name IMP-LAN
!
vlan 7
 name MK_Users
!
vlan 8
 name KG_VOIP_TEST_USERS
!
vlan 9
 name Kaznach_restrict
!
vlan 11
 name KG_LAN-AS199014
!
vlan 12
 name UNIFI_NETWORK
!
vlan 20
 name DMZ-1
!
! VLAN 22 has no name; its purpose cannot be told from this file.
vlan 22
!
vlan 25
 name VoIP
!
vlan 26
 name MGMT_ASA
!
vlan 50
 name MS_DYN_AX_SQL
!
vlan 99
 name Users_KU9
!
vlan 100
 name Inbound_management
!
vlan 101
 name WDS
!
vlan 149
 name -KG-MGMT-INT-10.1.254.0/24-
!
vlan 150
 name KG_WIFI-USER
!
vlan 151
 name KG_KOMOS-CONF
!
vlan 152
 name KG-ARUBA-USERS
!
vlan 153
 name KG-ARUBA-USERS-GUEST
!
vlan 154
 name Eltex_WiFi_Test
!
vlan 200
 name KG_MGMT-SRV
!
vlan 201
 name KG_LAN-SRV
!
vlan 202
 name KG_LAN-SRV-DMZ
!
vlan 204
 name KG_SRV_KAZNACHEYSTVO
!
vlan 205
 name SRV_UZB
!
vlan 249
 name --KG-SRV-BKP-10.1.249.0/26--
!
vlan 253
 name exchange_komos-group
!
vlan 289
 name --OCOD_VLAN_1--
!
vlan 296
 name -MLK-KCOD-SRV-All_10.1.123.0/24-
!
! Name is cut off after "10.1.122." in the source.
vlan 297
 name -MLK-KCOD-SRV-Exchange_10.1.122.
!
! NOTE(review): this name says 10.1.121.0/24, but interface Vlan298 later in
! the file is described as MGM-SRV and addressed in 10.1.120.0/24.
vlan 298
 name -MLK-KCOD-MGM-NET_10.1.121.0/24-
!
vlan 300
 name KG_MGMT-NET
!
vlan 301
 name KG_MGMT-WIFI
!
! Remainder of the VLAN database, followed by the object-tracking definitions.
vlan 302
 name WifI_MGM_Aruba_test
!
vlan 303
 name KG-ARUBA-AP
!
vlan 304
 name WIFI_ARUBA_MGM
!
vlan 307
 name SKUD
!
vlan 310
 name --MGM_UPS--
!
! NOTE(review): interface Vlan349 later in the file is described as
! MLK-KCOD-MGM-NET 10.1.121.0/24, which does not match this VLAN name.
vlan 349
 name MLK_LAN-DATACENTER-2
!
vlan 350
 name IMP-VOIP
!
vlan 351
 name KG_VOIP
!
vlan 352
 name KG_VOIP_TEST
!
vlan 400
 name -Video_UZB-
!
vlan 500
 name KG_WIFI-GUEST
!
vlan 551
 name --TRANSIT_HSRP--
!
vlan 556
 name P2P_iBGP_KOMOS_AS_over_ER_Teleco
!
vlan 557
 name P2P_iBGP_KOMOS_AS_over_MTS
!
vlan 558
 name -L2VPN-PVE_HA_ERTLC-
!
vlan 559
 name -L2VPN-PVE_HA_MTS-
!
vlan 596
 name P2P_RCOD-OCOD_ER_Telecom
!
vlan 598
 name -KG-COD-Transit-Core-
!
vlan 599
 name -MLK-KCOD-Trunk_172.30.30.0/27-
!
vlan 1113
 name PI_RT-1-3
!
vlan 3074
 name --RT_DMVPN--
!
vlan 3088
 name ISP-KG_MTS-IP
!
vlan 3333
 name HUAWEI_WIFI_NETWORK
!
vlan 3334
 name HUAWEI_WIFI_NETWORK_USERS
!
! NOTE(review): the name marks this as a test VLAN valid "until 01.07"; the
! configuration was last changed on 28 Jul 2022. The year is not stated, so
! confirm whether it is still needed. None of the trunks visible on this page
! restrict their allowed VLANs, so a leftover VLAN is carried on all of them.
vlan 3915
 name --TEST_ZLOBIN_DENIS_UNTIL_01.07-
!
! Name is cut off after "172.31.35.0/2" in the source.
vlan 4035
 name -MLK-KCOD-Reserv_172.31.35.0/2
!
vlan 4039
 name CLOUD_RT
!
vlan 4040
 name KG_LAN-SZB
!
vlan 4041
 name --VLAN_P11_VS17--
!
vlan 4092
 name ISP-Beeline_Kaznach
!
vlan 4093
 name ISP-IMP_ERTEL
!
! Tracking objects bound to IP SLA reachability probes. The "ip sla"
! definitions and the routes or route-maps that use these tracks are not
! visible on this page. "delay down 10 up 5" holds a state change for 10 s
! (down) or 5 s (up) before it is reported.
track 1 ip sla 1 reachability
 delay down 10 up 5
!
track 11 ip sla 11 reachability
 delay down 10 up 5
!
! Track 12 has no delay configured, unlike the others.
track 12 ip sla 12 reachability
!
track 13 ip sla 13 reachability
 delay down 10 up 5
!
track 104 ip sla 104 reachability
 delay down 10 up 5
!
track 105 ip sla 105 reachability
 delay down 10 up 5
!
track 107 ip sla 107 reachability
 delay down 10 up 5
!
track 109 ip sla 109 reachability
 delay down 10 up 5
!
track 110 ip sla 110 reachability
 delay down 10 up 5
!
! Track 111 is up only when tracks 1 and 11 are both up.
track 111 list boolean and
 object 1
 object 11
!
track 112 ip sla 112 reachability
 delay down 10 up 5
!
! Track 222 is up only when tracks 110 and 112 are both up.
track 222 list boolean and
 object 110
 object 112
!
!
! Class maps and policy maps (control-plane policing and QoS), the IPsec
! configuration, loopbacks and the first port-channel trunks.
!
! The class-copp-* class maps and policy-default-autocopp rate-limit traffic
! punted to the switch CPU. CM_WEB_LOCAL and CM_RDP match ACLs (WEB_LOCAL, RDP)
! whose entries are not visible on this page, and no policy map visible here
! references them.
class-map match-any class-copp-icmp-redirect-unreachable
class-map match-all class-copp-glean
class-map match-all class-copp-receive
class-map match-all class-copp-options
class-map match-all CM_WEB_LOCAL
 match access-group name WEB_LOCAL
class-map match-any CM_RDP
 match access-group name RDP
class-map match-all class-copp-broadcast
class-map match-all class-copp-mcast-acl-bridged
class-map match-all class-copp-slb
class-map match-all class-copp-mtu-fail
class-map match-all class-copp-ttl-fail
class-map match-all class-copp-arp-snooping
class-map match-any class-copp-mcast-copy
class-map match-any class-copp-ip-connected
class-map match-any class-copp-match-igmp
 match access-group name acl-copp-match-igmp
class-map match-all class-copp-unknown-protocol
class-map match-any class-copp-vacl-log
class-map match-all class-copp-mcast-ipv6-control
class-map match-any class-copp-match-pimv6-data
 match access-group name acl-copp-match-pimv6-data
class-map match-any class-copp-mcast-punt
class-map match-all class-copp-unsupp-rewrite
class-map match-all class-copp-ucast-egress-acl-bridged
class-map match-all class-copp-ip-admission
! DSCP classification classes used by PM_QoS_CLASS_IN below (CS4 to CS7 only).
class-map match-any CM_QoS_CS3
 match dscp cs3 af31 af32 af33
class-map match-any CM_QoS_CS2
 match dscp cs2 af21 af22 af23
class-map match-any CM_QoS_CS1
 match dscp cs1 af11 af12 af13
class-map match-any class-copp-dpss-divert
class-map match-any CM_QoS_CS0
 match dscp default 1 2 3
class-map match-any CM_QoS_CS7
 match dscp cs7
class-map match-any CM_QoS_CS6
 match dscp cs6 49
class-map match-any CM_QoS_CS5
 match dscp cs5 41 42 45 ef 47
class-map match-any CM_QoS_CS4
 match dscp cs4 af41 af42 af43
class-map match-all class-copp-service-insertion
class-map match-all class-copp-mac-pbf
class-map match-any class-copp-match-mld
 match access-group name acl-copp-match-mld
class-map match-all class-copp-ucast-ingress-acl-bridged
class-map match-all class-copp-dhcp-snooping
class-map match-all class-copp-wccp
class-map match-all class-copp-nd
class-map match-any class-copp-ipv6-connected
class-map match-all class-copp-mcast-rpf-fail
class-map match-any class-copp-match-ndv6hl
 match access-group name acl-copp-match-ndv6hl
class-map match-any class-copp-ucast-rpf-fail
class-map match-all class-copp-mcast-ip-control
class-map match-any class-copp-match-pim-data
 match access-group name acl-copp-match-pim-data
class-map match-any class-copp-match-ndv6
 match access-group name acl-copp-match-ndv6
class-map match-any class-copp-mcast-v4-data-on-routedPort
class-map match-any class-copp-mcast-v6-data-on-routedPort
!
! Control-plane policing policy. Where it is attached is not visible on this
! page. Only the classes listed here are policed; several class maps defined
! above (for example class-copp-glean, class-copp-receive, class-copp-ttl-fail)
! have no entry in this policy.
policy-map policy-default-autocopp
 ! Multicast data arriving on routed ports is dropped in both cases.
 class class-copp-mcast-v4-data-on-routedPort
  police rate 10 pps burst 1 packets conform-action drop exceed-action drop
 class class-copp-mcast-v6-data-on-routedPort
  police rate 10 pps burst 1 packets conform-action drop exceed-action drop
 ! MLD and IGMP are marked when conforming but still transmitted when
 ! exceeding, so these two classes never drop.
 class class-copp-match-mld
  police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
 class class-copp-match-igmp
  police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
 class class-copp-icmp-redirect-unreachable
  police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
 class class-copp-ucast-rpf-fail
  police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
 class class-copp-vacl-log
  police rate 2000 pps burst 1 packets conform-action transmit exceed-action drop
 class class-copp-mcast-punt
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-mcast-copy
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-ip-connected
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-ipv6-connected
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-match-pim-data
  police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
 class class-copp-match-pimv6-data
  police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
 class class-copp-match-ndv6
  police rate 1000 pps burst 1000 packets conform-action set-discard-class-transmit 48 exceed-action drop
! Ingress QoS policy: rewrites DSCP to the class selector value for CS4 to CS7.
! No interface visible on this page has it attached.
policy-map PM_QoS_CLASS_IN
 class CM_QoS_CS7
  set dscp cs7
 class CM_QoS_CS6
  set dscp cs6
 class CM_QoS_CS5
  set dscp cs5
 class CM_QoS_CS4
  set dscp cs4
!
!
!
!
!
!
! IKEv1 (ISAKMP) policy for the GRE-over-IPsec tunnels (Tunnel31, Tunnel32).
! NOTE(review): DH group 2 is 1024-bit MODP and is considered too weak for new
! deployments; move to group 14 or higher on both peers. No "hash" line is
! shown, so the platform default applies (SHA-1 on IOS, to be confirmed).
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
! NOTE(review): the pre-shared key is stored and displayed in clear text, and
! the same key is used for both peers. Rotate it (it is disclosed in this
! dump), use a distinct key per peer, and enable type 6 key encryption
! ("key config-key password-encrypt" together with "password encryption aes")
! so that keys no longer appear readable in the configuration or its archives.
crypto isakmp key KGp11KuMK2021 address 94.138.150.1
crypto isakmp key KGp11KuMK2021 address 178.47.128.98
!
!
! ESP with AES-256 and HMAC-SHA1 in transport mode (GRE is the payload).
crypto ipsec transform-set TS_GREIPSEC esp-aes 256 esp-sha-hmac
 mode transport require
crypto ipsec df-bit clear
!
! NOTE(review): PFS also uses the 1024-bit group 2; raise it together with the
! ISAKMP policy group.
crypto ipsec profile GRE_IPSEC
 set transform-set TS_GREIPSEC
 set pfs group2
!
!
!
!
!
!
!
interface Loopback1
 ip address 10.1.255.255 255.255.255.255
!
! Public address; used as the source of every tunnel interface in this file
! and as the unnumbered address of Vlan11 and Vlan1113.
interface Loopback11
 ip address 91.240.179.254 255.255.255.255
!
interface Loopback7777
 description TK5732m - TK5733m
 no ip address
 shutdown
!
! Port-channel trunks towards the access ([KU]) switches.
! NOTE(review): none of these trunks has a "switchport trunk allowed vlan"
! list, so every VLAN defined on this switch (management, server, DMZ, guest
! and ISP transit VLANs included) is carried to each downstream switch.
! Pruning each trunk to the VLANs it needs reduces the layer-2 exposure.
interface Port-channel1
 description [KU] SW-1a-1
 switchport
 switchport mode trunk
!
interface Port-channel2
 description [KU] SW-1c-1
 switchport
 switchport mode trunk
!
interface Port-channel3
 description [KU] SW-2-3
 switchport
 switchport mode trunk
!
interface Port-channel4
 description [KU] SW-2-4
 switchport
 switchport mode trunk
!
interface Port-channel5
 description [KU] SW-2-2
 switchport
 switchport mode trunk
!
interface Port-channel7
 description [KU] SW-3-1
 switchport
 switchport mode trunk
!
interface Port-channel8
 description [KU] SW-4-1
 switchport
 switchport mode trunk
!
interface Port-channel9
 description [KU] SW-4-2
 switchport
 switchport mode trunk
!
interface Port-channel10
 description [KU] SW-5-1
 switchport
 switchport mode trunk
!
interface Port-channel11
 description [KU] SW-8b-1
 switchport
 switchport mode trunk
!
interface Port-channel12
 no ip address
 shutdown
!
interface Port-channel13
 description Link to SW-2960-DC
 switchport
 switchport mode trunk
!
! Remaining port-channel trunks and the tunnel interfaces towards remote sites.
! As with the earlier port-channels, no allowed-VLAN list is set on these
! trunks, so all VLANs are carried.
interface Port-channel14
 description [KU] SW-9-1
 switchport
 switchport mode trunk
!
interface Port-channel15
 description [KU] SW-2-1
 switchport
 switchport mode trunk
!
interface Port-channel16
 description [CORE] SW-1-2
 switchport
 switchport mode trunk
!
interface Port-channel17
 description [KU] SW-10-1
 switchport
 switchport mode trunk
!
interface Port-channel18
 description [KU] SW-6-1
 switchport
 switchport mode trunk
!
interface Port-channel19
 description [KU] SW-7-1
 switchport
 switchport mode trunk
!
interface Port-channel20
 description [KU] SW-9-2
 switchport
 switchport mode trunk
!
! Tunnels. All are sourced from the public Loopback11 address. No "tunnel mode"
! is shown, so the default encapsulation applies (GRE over IP on IOS).
!
! NOTE(review): Tunnel11 is shut down, but it has no IPsec protection and has
! "ip directed-broadcast" enabled, which forwards directed broadcasts and is
! normally left off. Remove that line (or the whole stale interface) so it
! does not come back into service in this state.
interface Tunnel11
 description VPN to ATLANTIS, First channel
 ip address 10.1.50.45 255.255.255.252
 no ip redirects
 ip directed-broadcast
 shutdown
 keepalive 5 5
 tunnel source 91.240.179.254
 tunnel destination 88.80.33.182
!
! NOTE(review): Tunnel22, Tunnel23 and Tunnel24 are active, terminate on public
! addresses and have neither "tunnel protection" nor an inbound ACL. Unless
! encryption and filtering are provided elsewhere (not visible here), traffic
! to these sites crosses the provider network unencrypted and the GRE endpoint
! accepts whatever arrives from the configured peer address.
interface Tunnel22
 description [VPN] GLZ-TK-TKG
 ip address 10.1.50.85 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 91.240.179.254
 tunnel destination 95.215.208.240
!
interface Tunnel23
 description [VPN] GLZ-TK-TKG
 ip address 10.1.50.89 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 91.240.179.254
 tunnel destination 146.120.104.235
!
interface Tunnel24
 description [VPN] MZH-TK-TKM
 ip address 10.1.50.93 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 91.240.179.254
 tunnel destination 88.80.32.230
!
! Same profile as Tunnel24 but administratively down.
interface Tunnel25
 description [VPN] MZH-TK-TKM
 ip address 10.1.50.97 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 shutdown
 tunnel source 91.240.179.254
 tunnel destination 78.85.35.34
!
! The only tunnel on this page with both an inbound ACL and IPsec protection
! (profile GRE_IPSEC); currently shut down. The ACL entries are not visible.
interface Tunnel31
 description KGR-KUMK-KUMK
 ip address 10.1.50.1 255.255.255.252
 ip access-group ACL_FROM_KUMK in
 no ip redirects
 ip mtu 1426
 shutdown
 keepalive 10 10
 tunnel source 91.240.179.254
 tunnel destination 94.138.150.1
 tunnel protection ipsec profile GRE_IPSEC
!
! Tunnel32 and the first ten GigabitEthernet member ports of the access-layer
! port-channels.
!
! IPsec-protected GRE tunnel (profile GRE_IPSEC), shut down; unlike Tunnel31 it
! has no inbound ACL.
interface Tunnel32
 description KGR-PRM
 ip address 172.30.31.1 255.255.255.252
 no ip redirects
 shutdown
 keepalive 10 10
 tunnel source 91.240.179.254
 tunnel destination 178.47.128.98
 tunnel protection ipsec profile GRE_IPSEC
!
! Member ports. "channel-group N mode on" bundles statically without LACP, so
! the switch cannot detect a miscabled or misconfigured far end; only Gi1/6
! uses LACP ("mode active"). All ports are unrestricted trunks (no allowed-VLAN
! list) and log link and trunk state changes.
interface GigabitEthernet1/1
 description [KU] Po1 SW-1a-1
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 1 mode on
!
interface GigabitEthernet1/2
 description [KU] Po2 SW-1c-1
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 2 mode on
!
interface GigabitEthernet1/3
 description [KU] Po3 SW-2-3
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 3 mode on
!
interface GigabitEthernet1/4
 description [KU] Po4 SW-2-4
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 4 mode on
!
interface GigabitEthernet1/5
 description [KU] Po5 SW-2-2
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 5 mode on
!
interface GigabitEthernet1/6
 description [KU] Po20 SW-9-2
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 20 mode active
!
interface GigabitEthernet1/7
 description [KU] Po7 SW-3-1
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 7 mode on
!
interface GigabitEthernet1/8
 description [KU] Po8 SW-4-1
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 8 mode on
!
interface GigabitEthernet1/9
 description [KU] Po9 SW-4-2
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 9 mode on
!
interface GigabitEthernet1/10
 description [KU] Po10 SW-5-1
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 10 mode on
!
! GigabitEthernet1/11 to 1/21: further port-channel members, core links and the
! provider-facing L2VPN access port. The member ports are static bundles
! ("mode on", no LACP) on unrestricted trunks; Gi1/12 to Gi1/17 log link state
! only, not trunk state.
interface GigabitEthernet1/11
 description [KU] Po11 SW-8b-1
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 11 mode on
!
interface GigabitEthernet1/12
 description [KU] Po14 SW-9-1
 switchport
 switchport mode trunk
 logging event link-status
 channel-group 14 mode on
!
interface GigabitEthernet1/13
 description [KU] Po15 SW-2-1
 switchport
 switchport mode trunk
 logging event link-status
 channel-group 15 mode on
!
interface GigabitEthernet1/14
 description [KU] Po17 SW-10-1
 switchport
 switchport mode trunk
 logging event link-status
 channel-group 17 mode on
!
interface GigabitEthernet1/15
 description [KU] Po18 SW-6-1
 switchport
 switchport mode trunk
 logging event link-status
 channel-group 18 mode on
!
interface GigabitEthernet1/16
 description PC 13 LINK_TO_SW-2960-DC
 switchport
 switchport mode trunk
 logging event link-status
 channel-group 13 mode on
!
interface GigabitEthernet1/17
 description [KU] Po19 SW-7-1
 switchport
 switchport mode trunk
 logging event link-status
 channel-group 19 mode on
!
! Stand-alone core trunk (not in a channel-group) with enlarged hold queues.
interface GigabitEthernet1/18
 description [CORE] SW-1-3
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 hold-queue 4096 in
 hold-queue 4096 out
!
interface GigabitEthernet1/19
 description [CORE] Po16 SW-1-2
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 16 mode on
!
interface GigabitEthernet1/20
 description [CORE] Po16 SW-1-2
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 16 mode on
!
! Provider-facing access port in VLAN 4039. CDP and LLDP are disabled, so no
! device details are advertised to the provider, and unknown-unicast flooding
! out of the port is blocked.
! NOTE(review): with "spanning-tree bpdufilter enable" on the interface the
! port neither sends nor processes BPDUs, so "guard root" on the same port has
! nothing to act on and spanning tree is effectively off here. Confirm this is
! intended; a loop through the provider service would not be detected.
interface GigabitEthernet1/21
 description [ISP-500M] L2VPN-to-CLOUD-RT
 switchport
 switchport mode access
 switchport access vlan 4039
 switchport block unicast
 logging event link-status
 logging event trunk-status
 no cdp enable
 no lldp transmit
 no lldp receive
 spanning-tree bpdufilter enable
 spanning-tree guard root
!
! Last module-1 ports, the supervisor (module 5) ports and the first SVIs.
interface GigabitEthernet1/22
 description [KU] Po15 SW-2-1
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 channel-group 15 mode on
!
! Unused port: shut down and, unlike the other trunks on this page, pruned to
! an explicit VLAN list.
interface GigabitEthernet1/23
 description FREE
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 599,4030-4035
 logging event link-status
 logging event trunk-status
 shutdown
!
interface GigabitEthernet1/24
 description [CORE] RT-1-2
 switchport
 switchport mode trunk
 logging event link-status
 logging event trunk-status
!
interface GigabitEthernet5/1
 description FREE
 no ip address
 shutdown
!
! NOTE(review): active access port straight into the admin VLAN (5) with no
! port-security, 802.1X or other access control visible on the interface.
! Confirm what is attached and whether the port needs to stay enabled.
interface GigabitEthernet5/2
 description admin_vlan
 switchport
 switchport mode access
 switchport access vlan 5
!
interface GigabitEthernet5/3
 no ip address
 shutdown
!
interface TenGigabitEthernet5/4
 description VSS_LINK_SWITCH2_member
 no ip address
 shutdown
!
interface TenGigabitEthernet5/5
 description VSS_LINK_SWITCH2_member
 no ip address
 shutdown
!
! SVIs. "ip dhcp relay information trusted" makes the relay accept DHCP packets
! that already carry option 82 with a zero giaddr; the two helper addresses are
! the DHCP servers. The referenced ACLs and route-maps are not visible on this
! page.
!
! NOTE(review): VLAN 1 (the default VLAN, carried on every unrestricted trunk)
! is used as a routed user LAN with three subnets and has no ACL.
interface Vlan1
 description LAN
 ip address 192.168.252.254 255.255.255.0 secondary
 ip address 10.1.17.254 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.252.0
 no ip redirects
 no ip unreachables
 ip policy route-map VLAN1-ROUTING
!
! Proxy ARP is left at its default here; several other SVIs disable it.
interface Vlan2
 description KG-LOCAL-USERS
 ip dhcp relay information trusted
 ip address 10.1.7.254 255.255.252.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 ip nat inside
 ip policy route-map R2-MTS_R1-BGP
!
! NOTE(review): the ACL named VLAN3_OUT is applied inbound and VLAN3_FIREWALL
! outbound. Confirm the names match the intended direction. "no ip redirects"
! is not set on this SVI.
interface Vlan3
 description KG_LAN-RESTRICTED
 ip dhcp relay information trusted
 ip address 10.1.18.254 255.255.255.0
 ip access-group VLAN3_OUT in
 ip access-group VLAN3_FIREWALL out
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
 ip policy route-map VLAN3-ROUTING
!
! Admin VLAN gateway: no ACL on the SVI, and the policy route-map is named
! RM_TEST_INET (also used on Vlan201). Confirm a test policy is meant to be
! applied here.
interface Vlan5
 description KG_LAN-ADMIN
 ip dhcp relay information trusted
 ip address 10.1.19.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map RM_TEST_INET
!
! SVIs Vlan6 to Vlan149. The ACLs and route-maps referenced here are defined
! outside the part of the file visible on this page, so what they permit cannot
! be checked from here.
interface Vlan6
 description IMP_LOCAL
 ip dhcp relay information trusted
 ip address 10.1.26.254 255.255.255.0
 ip access-group IMP_LOCAL_IN in
 ip access-group IMP_LOCAL_OUT out
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map IMP-ROUTING
!
! No description; VLAN 8 is named KG_VOIP_TEST_USERS in the VLAN database.
interface Vlan8
 ip dhcp relay information trusted
 ip address 10.1.46.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Restricted segment: filtered inbound only.
interface Vlan9
 description Kaznach_restrict
 ip dhcp relay information trusted
 ip address 10.1.55.254 255.255.255.0
 ip access-group VLAN9_RESTRICTED in
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Borrows the public Loopback11 address; no ACL on the SVI.
interface Vlan11
 description EXTERNAL_POOL
 ip unnumbered Loopback11
 no ip unreachables
!
interface Vlan12
 description UNIFI_NETWORK
 ip dhcp relay information trusted
 ip address 10.1.12.62 255.255.255.192
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
!
! NOTE(review): the DMZ-1 gateway has no ACL in either direction on this SVI
! (Vlan202, the other DMZ, is filtered both ways). Confirm that DMZ-1 traffic
! is filtered somewhere else before it reaches internal subnets.
interface Vlan20
 description DMZ-1
 ip address 10.1.12.94 255.255.255.224
 no ip unreachables
!
interface Vlan25
 ip address 10.1.25.254 255.255.255.0
 no ip unreachables
 shutdown
!
interface Vlan99
 description Users_KU9
 ip dhcp relay information trusted
 ip address 10.1.39.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 ip nat inside
 ip policy route-map RM_USERS_KU9
!
! Management SVI: also the RADIUS source interface and the update-source of one
! BGP peer. Filtered inbound by ACL_BLOCK_CISCO (entries not visible). No
! restriction on who may reach the device's own management services (VTY
! access-class or similar) is visible on this page; check the line
! configuration.
interface Vlan100
 description MGMT
 ip address 10.1.1.1 255.255.255.0
 ip access-group ACL_BLOCK_CISCO in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Second management subnet; unlike Vlan100 it has no ACL on the SVI.
interface Vlan149
 description -KG-MGMT-INT-10.1.254.0/24-
 ip address 10.1.254.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! SVIs Vlan150 to Vlan205 (Wi-Fi, server, DMZ and treasury segments). The ACLs
! and route-maps referenced here are not visible on this page.
interface Vlan150
 description KG_WIFI-USER
 ip dhcp relay information trusted
 ip address 10.1.13.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
 ip nat inside
 ip policy route-map R2-MTS-TV-WIFI
!
interface Vlan151
 description KG_KOMOS-CONF
 ip dhcp relay information trusted
 ip address 10.1.28.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
!
interface Vlan152
 description KG-ARUBA-USERS
 ip dhcp relay information trusted
 ip address 10.1.35.254 255.255.254.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
 ip policy route-map R2-MTS-TV-WIFI
!
! NOTE(review): this Wi-Fi SVI (VLAN named Eltex_WiFi_Test) has none of the
! "no ip redirects / unreachables / proxy-arp" lines applied to most other
! SVIs, and no ACL.
interface Vlan154
 description Eltex WiFi
 ip dhcp relay information trusted
 ip address 10.1.154.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
!
! Server management and server LAN gateways: no ACL on either SVI.
interface Vlan200
 description KG_MGMT-SRV
 ip dhcp relay information trusted
 ip address 10.1.3.254 255.255.254.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan201
 description KG_LAN-SRV
 ip dhcp relay information trusted
 ip address 10.1.9.254 255.255.254.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map RM_TEST_INET
!
! DMZ gateway, filtered in both directions.
interface Vlan202
 description --DMZ--
 ip address 10.1.24.254 255.255.255.0
 ip access-group ACL-DMZ_LOCAL_IN in
 ip access-group ACL-DMZ_LOCAL_OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Treasury server segment: only traffic towards the segment ("out") is
! filtered; traffic leaving it is not filtered on this SVI.
interface Vlan204
 description --Kaznacheystvo_KG--
 ip dhcp relay information trusted
 ip address 10.1.45.142 255.255.255.240
 ip access-group ACL_FIREWALL_KAZ-OUT out
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
 ip policy route-map RM_FOR_KAZNACH_KG
!
interface Vlan205
 description [SRV] UZB Servers
 ip address 10.1.45.158 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! SVIs Vlan249 to Vlan349 (backup, Exchange, data-centre, Aruba, access-control
! and UPS management segments). None of these SVIs has an ACL applied; any
! filtering between them and user VLANs must happen elsewhere and is not
! visible on this page.
interface Vlan249
 description --KG-SRV-BKP-10.1.249.0/26--
 ip address 10.1.249.62 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! No matching VLAN 251 appears in the VLAN database on this page.
interface Vlan251
 no ip address
 no ip unreachables
 shutdown
!
interface Vlan253
 description Exchange KOMOS-GROUP.RU
 ip address 10.1.44.254 255.255.255.0
 no ip unreachables
!
interface Vlan289
 description --OCOD_VLAN_1--
 ip address 192.168.8.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
interface Vlan296
 description -MLK-KCOD-SRV-All_10.1.123.0/24-
 ip address 10.1.123.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan297
 description -MLK-KCOD-SRV-Exchange_10.1.122.0/24-
 ip address 10.1.122.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! NOTE(review): description and address say MGM-SRV 10.1.120.0/24, while VLAN
! 298 is named "-MLK-KCOD-MGM-NET_10.1.121.0/24-" in the VLAN database. Align
! the names so the management networks are not confused during ACL work.
interface Vlan298
 description -MLK-KCOD-MGM-SRV_10.1.120.0/24-
 ip address 10.1.120.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan301
 description KG_MGMT-WIFI
 no ip address
 no ip unreachables
 shutdown
!
interface Vlan302
 description Aruba_test_WiFi_MGM
 ip address 10.1.32.254 255.255.255.0
 no ip unreachables
!
interface Vlan303
 description KG-GW-ARUBA-AP
 ip dhcp relay information trusted
 ip address 10.1.33.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
!
interface Vlan304
 description WIFI_ARUBA_MGM
 ip dhcp relay information trusted
 ip address 10.1.38.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip unreachables
!
! Access-control-system (SKUD) and UPS management segments: both unfiltered on
! the SVI. Devices of this kind are rarely patched, so confirm they are
! reachable only from the hosts that manage them.
interface Vlan307
 description SKUD
 ip address 10.1.45.126 255.255.255.128
 no ip redirects
 no ip unreachables
!
interface Vlan310
 description MGM_UPS
 ip address 10.1.37.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! NOTE(review): described as MGM-NET 10.1.121.0/24, but VLAN 349 is named
! MLK_LAN-DATACENTER-2 in the VLAN database.
interface Vlan349
 description -MLK-KCOD-MGM-NET_10.1.121.0/24-
 ip address 10.1.121.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! SVIs Vlan350 to Vlan1113 (voice, video, guest Wi-Fi and BGP transit
! segments). The referenced ACLs and route-maps are not visible on this page.
interface Vlan350
 description KG-VoIP_AREA
 ip dhcp relay information trusted
 ip address 10.1.27.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map IMP-ROUTING
!
interface Vlan351
 description KG_VOIP
 ip dhcp relay information trusted
 ip address 10.1.23.254 255.255.252.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map R2-MTS_R1-BGP
!
interface Vlan352
 description KG_VOIP_TEST
 ip dhcp relay information trusted
 ip address 10.1.36.254 255.255.255.0
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! The only SVI on this page placed in a VRF (VRF-UZB); NAT outside.
interface Vlan400
 description -Video_UZB-
 vrf forwarding VRF-UZB
 ip address 192.168.248.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
!
! NOTE(review): the guest Wi-Fi SVI sits in the global routing table. The
! VRF_WIFI_GUEST defined earlier in this configuration is not attached here
! (no "vrf forwarding"), so separation of guest traffic from internal networks
! rests entirely on ACL_WIFI_GUEST_DHCP, applied in both directions, whose
! entries are not visible. The description carries an expiry note
! ("exp 28.08.22"); review the interface after that date. The address uses a
! /31 mask.
interface Vlan500
 description KG_WIFI-GUEST exp 28.08.22
 ip dhcp relay information trusted
 ip address 10.1.14.253 255.255.255.254
 ip access-group ACL_WIFI_GUEST_DHCP in
 ip access-group ACL_WIFI_GUEST_DHCP out
 ip helper-address 10.1.8.229
 ip helper-address 10.1.8.228
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan551
 description --TRANSIT_HSRP--
 ip address 10.1.239.22 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! BGP transit links over provider L2VPNs; Vlan596 and Vlan599 use the BFD
! "p2p" template (300 ms x 3). None of the three carries an ACL.
interface Vlan596
 description L2VPN_DOMRU_IZM-BGP-P11
 ip address 172.30.32.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 bfd template p2p
!
interface Vlan598
 description --BGP_KG_COD_TRANSIT--
 ip address 172.30.30.46 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan599
 description L2VPN_MTS_IZM-BGP-P11
 ip address 172.30.30.2 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 bfd template p2p
!
! Borrows the public Loopback11 address, like Vlan11.
interface Vlan1113
 description [PI] IZH-KG-P11-RT-1-3
 ip unnumbered Loopback11
 no ip redirects
 no ip unreachables
!
! Three transit/gateway SVIs, then the router-level part of BGP AS 64513:
! router-id, peer-group and per-neighbor definitions. The address-family
! section follows this span.
!
! NOTE(review): the description ends in "-SHUT", but this stanza has no
! "shutdown" line, so the interface is administratively up. Confirm which of
! the two is intended.
interface Vlan4035
 description VCentr_GW-Reserv_172.31.35.0/24-SHUT
 ip address 172.31.35.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan4039
 description L2VPN-to-CLOUD-RT
 ip address 10.1.31.252 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! /30 link. TCP MSS is clamped to 1360 and inbound traffic is policy-routed
! through route-map RM_NAT_MK.
interface Vlan4041
 description --VLAN_P11_VS17--
 ip address 172.31.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1360
 ip policy route-map RM_NAT_MK
!
! Local AS is 64513. Neighbors with remote-as 64513 are iBGP. The peer-group
! PG_BGP_IZM-P11 (remote-as 64512) and the neighbors in AS 199014 and AS 64520
! are eBGP.
! NOTE(review): no neighbor or peer-group in this section has a "password"
! line, so none of these sessions is authenticated. Consider
! "neighbor <peer> password" (or TCP-AO where the release supports it) on every
! session, and "neighbor <peer> ttl-security hops <n>" on the directly
! connected eBGP peers.
! NOTE(review): per-neighbor prefix limits ("maximum-prefix") and inbound
! filters would be in the address-family section outside this span. Verify
! that each eBGP peer has both.
router bgp 64513
 bgp router-id 172.30.30.46
 bgp log-neighbor-changes
 bgp graceful-restart
 ! Peer-group for the L2VPN uplinks. BFD is used for fast session teardown.
 neighbor PG_BGP_IZM-P11 peer-group
 neighbor PG_BGP_IZM-P11 remote-as 64512
 neighbor PG_BGP_IZM-P11 description BGP over L2VPN
 neighbor PG_BGP_IZM-P11 fall-over bfd
 neighbor 10.1.1.5 remote-as 64513
 neighbor 10.1.1.5 description Virtual_Mikrotik
 neighbor 10.1.1.5 update-source Vlan100
 neighbor 10.1.1.109 remote-as 64513
 neighbor 10.1.1.109 description --CISCO_ASAv--
 neighbor 10.1.1.110 remote-as 64513
 neighbor 10.1.1.110 description --CISCO_ASA--
 neighbor 10.1.1.111 remote-as 64513
 neighbor 10.1.1.111 description FW-1-3
 neighbor 10.1.1.112 remote-as 64513
 ! NOTE(review): the word "description" is doubled, so the stored text is
 ! "description FW-1-4".
 neighbor 10.1.1.112 description description FW-1-4
 neighbor 172.30.30.1 peer-group PG_BGP_IZM-P11
 ! NOTE(review): 172.30.30.41 and 172.30.30.42 have no description. Document
 ! what they are so reviews can tell expected peers from stray ones.
 neighbor 172.30.30.41 remote-as 64513
 neighbor 172.30.30.42 remote-as 64513
 ! NOTE(review): .44 and .45 carry the same description text.
 neighbor 172.30.30.44 remote-as 199014
 neighbor 172.30.30.44 description --BGP_WITH_3945-1--
 neighbor 172.30.30.45 remote-as 199014
 neighbor 172.30.30.45 description --BGP_WITH_3945-1--
 neighbor 172.30.32.1 peer-group PG_BGP_IZM-P11
 neighbor 172.31.2.2 remote-as 64520
 neighbor 172.31.2.2 description --MEAT_KOMPANY--
 !
address-family ipv4 network 10.0.0.0 mask 255.252.0.0 network 10.0.24.0 mask 255.255.255.0 network 10.0.26.0 mask 255.255.255.0 network 10.1.0.0 mask 255.255.0.0 network 10.1.4.0 mask 255.255.252.0 network 10.1.12.64 mask 255.255.255.224 network 10.1.13.0 mask 255.255.255.0 network 10.1.14.0 mask 255.255.255.0 network 10.1.16.0 mask 255.255.255.0 network 10.1.17.0 mask 255.255.255.0 network 10.1.18.0 mask 255.255.255.0 network 10.1.19.0 mask 255.255.255.0 network 10.1.20.0 mask 255.255.252.0 network 10.1.26.0 mask 255.255.255.0 network 10.1.27.0 mask 255.255.255.0 network 10.1.34.0 mask 255.255.254.0 network 10.1.39.0 mask 255.255.255.0 network 10.1.122.0 mask 255.255.255.0 network 10.1.254.0 mask 255.255.255.0 network 10.1.255.255 mask 255.255.255.255 network 172.31.2.0 mask 255.255.255.0 network 172.31.35.0 mask 255.255.255.0 network 192.168.0.0 mask 255.255.252.0 network 192.168.252.0 redistribute static route-map RM_REDIS_STATIC_PI neighbor PG_BGP_IZM-P11 next-hop-self neighbor PG_BGP_IZM-P11 soft-reconfiguration inbound neighbor PG_BGP_IZM-P11 route-map RM_BGP_IZM-P11_OUT out neighbor 10.1.1.5 activate neighbor 10.1.1.5 next-hop-self neighbor 10.1.1.5 route-map RM_LOCAL_OUT out neighbor 10.1.1.109 activate neighbor 10.1.1.109 next-hop-self neighbor 10.1.1.109 soft-reconfiguration inbound neighbor 10.1.1.110 activate neighbor 10.1.1.110 route-reflector-client neighbor 10.1.1.110 next-hop-self all neighbor 10.1.1.110 soft-reconfiguration inbound neighbor 10.1.1.111 activate neighbor 10.1.1.111 route-reflector-client neighbor 10.1.1.111 next-hop-self all neighbor 10.1.1.111 soft-reconfiguration inbound neighbor 10.1.1.112 activate neighbor 10.1.1.112 route-reflector-client neighbor 10.1.1.112 next-hop-self all neighbor 10.1.1.112 soft-reconfiguration inbound neighbor 172.30.30.1 activate neighbor 172.30.30.1 route-map RM_BGP_IZM-P11_MTS_IN in neighbor 172.30.30.41 activate neighbor 172.30.30.41 next-hop-self all neighbor 172.30.30.41 soft-reconfiguration inbound 
neighbor 172.30.30.42 activate neighbor 172.30.30.42 next-hop-self all neighbor 172.30.30.42 soft-reconfiguration inbound neighbor 172.30.30.44 activate neighbor 172.30.30.44 next-hop-self all neighbor 172.30.30.44 soft-reconfiguration inbound neighbor 172.30.30.44 route-map RM_KOMOS_PI_IN in neighbor 172.30.30.45 activate neighbor 172.30.30.45 next-hop-self all neighbor 172.30.30.45 soft-reconfiguration inbound neighbor 172.30.32.1 activate neighbor 172.30.32.1 route-map RM_BGP_IZM-P11_DOMRU_IN in neighbor 172.31.2.2 activate neighbor 172.31.2.2 next-hop-self all neighbor 172.31.2.2 soft-reconfiguration inbound neighbor 172.31.2.2 route-map RM_FROM_MK in maximum-paths 2 distance bgp 150 150 150 exit-address-family ! no ip nat create flow-entries ip nat inside source list ACL-NAT-VIDEO-UZB interface Vlan400 vrf VRF-UZB overload ip forward-protocol nd ip forward-protocol udp 1947 no ip http server no ip http secure-server ! ip as-path access-list 11 permit ^64512$ ip as-path access-list 11 permit ^64512_64539$ ip as-path access-list 11 permit ^64512_64523$ ip tftp source-interface Vlan100 ip route 0.0.0.0 0.0.0.0 10.1.239.18 100 name --DEFAULT_3945_1-- ip route 10.0.0.0 255.252.0.0 Null0 254 ip route 10.0.24.0 255.255.255.0 Tunnel22 ip route 10.0.25.0 255.255.255.0 Tunnel22 ip route 10.0.26.0 255.255.255.0 Tunnel22 ip route 10.0.32.0 255.255.255.0 Tunnel25 ip route 10.0.32.0 255.255.255.0 Tunnel24 ip route 10.0.33.0 255.255.255.0 Tunnel25 ip route 10.0.33.0 255.255.255.0 Tunnel24 ip route 10.1.0.0 255.255.0.0 Null0 254 ip route 10.14.56.0 255.255.255.0 Tunnel11 ip route 88.80.33.49 255.255.255.255 10.1.239.19 100 name --IP_SLA_11-- ip route 91.240.179.11 255.255.255.255 Vlan11 name DNS001 ip route 91.240.179.28 255.255.255.255 Vlan11 name vpn.komos.ru ip route 91.240.179.29 255.255.255.255 Vlan11 name asa_uzb ip route 91.240.179.32 255.255.255.255 Vlan11 name vipole.komos.ru ip route 91.240.179.37 255.255.255.255 Vlan11 name Skype ip route 91.240.179.38 
255.255.255.255 Vlan11 name skype ip route 91.240.179.39 255.255.255.255 Vlan11 name skype ip route 91.240.179.62 255.255.255.255 Vlan11 name vpn2.komos.ru_VIP ip route 91.240.179.63 255.255.255.255 Vlan11 name izh-p11-fw-1-3 ip route 91.240.179.64 255.255.255.255 Vlan11 name izh-p11-fw-1-4 ip route 91.240.179.71 255.255.255.255 Vlan11 name files.komos.ru ip route 91.240.179.233 255.255.255.255 Vlan1113 name RT-1-3 ip route 192.5.5.241 255.255.255.255 10.1.239.19 100 name --IP_SLA_1-- ip route 192.168.32.0 255.255.255.0 Tunnel11 ip route 192.168.33.0 255.255.255.0 Tunnel11 ip route 192.168.34.128 255.255.255.224 Tunnel11 ip route 192.168.34.160 255.255.255.224 Tunnel11 ip route 192.168.55.0 255.255.255.0 Tunnel11 ip ssh authentication-retries 2 ip ssh source-interface Vlan100 ! ip access-list standard ACL_FOR_NAT_KAZNACH_KG permit 10.1.45.128 0.0.0.15 ip access-list standard ACL_FOR_NAT_MK permit 10.14.24.0 0.0.7.255 ip access-list standard ACL_FOR_TV_WIFI_2 permit 10.1.13.203 ! ip access-list extended ACL-DMZ_LOCAL_IN permit icmp any any permit udp any addrgroup OBJ_LOCAL_DNS eq domain permit tcp any addrgroup OBJ_LOCAL_DNS eq domain permit ip host 10.1.24.3 any remark --INTRONET_FORWARDING-- evaluate DMZ_LOCAL_REFLECTEDTRAFFIC deny ip any addrgroup OBJ_LOCAL_TRAFFIC permit ip any any ip access-list extended ACL-DMZ_LOCAL_OUT permit icmp any any permit udp addrgroup OBJ_LOCAL_DNS eq domain any permit tcp addrgroup OBJ_LOCAL_DNS eq domain any permit ip any host 10.1.24.3 permit tcp host 10.1.4.150 host 10.1.24.1 eq 3389 reflect DMZ_LOCAL_REFLECTEDTRAFFIC permit tcp host 10.4.0.13 host 10.1.24.1 eq 8530 reflect DMZ_LOCAL_REFLECTEDTRAFFIC permit tcp host 10.4.0.61 host 10.1.24.1 eq 443 reflect DMZ_LOCAL_REFLECTEDTRAFFIC permit tcp host 10.4.0.194 host 10.1.24.1 eq 443 reflect DMZ_LOCAL_REFLECTEDTRAFFIC remark --DENY ALL LOCALAL TRAFIC-- deny ip any addrgroup OBJ_LOCAL_TRAFFIC permit ip any any reflect DMZ_LOCAL_REFLECTEDTRAFFIC ip access-list extended 
ACL-NAT-VIDEO-UZB permit ip host 10.1.13.71 192.168.248.0 0.0.0.255 permit ip host 10.1.13.194 192.168.248.0 0.0.0.255 remark Suvorov A. permit ip host 10.1.5.247 192.168.248.0 0.0.0.255 remark Luchnikov S. permit ip host 10.1.7.150 192.168.248.0 0.0.0.255 remark Ohrana_KU9 permit ip host 10.1.39.1 192.168.248.0 0.0.0.255 ip access-list extended ACL_BLOCK_CISCO deny udp host 10.1.1.108 eq domain any deny tcp host 10.1.1.108 eq domain any permit ip any any ip access-list extended ACL_DC_VREM permit ip host 192.168.1.21 any permit ip host 192.168.1.100 any ip access-list extended ACL_DMZ deny ip any addrgroup OBJ_LOCAL_TRAFFIC permit ip any any ip access-list extended ACL_FIREWALL_KAZ-OUT permit ip host 10.1.4.103 10.1.45.128 0.0.0.15 permit ip host 10.1.4.105 10.1.45.128 0.0.0.15 permit ip host 10.1.5.246 10.1.45.128 0.0.0.15 permit ip host 10.1.5.252 10.1.45.128 0.0.0.15 permit udp host 10.4.0.1 eq domain 10.1.45.128 0.0.0.15 permit udp host 10.4.0.2 eq domain 10.1.45.128 0.0.0.15 permit udp host 10.1.8.228 10.1.45.128 0.0.0.15 permit udp host 10.1.8.229 10.1.45.128 0.0.0.15 deny ip 10.0.0.0 0.255.255.255 10.1.45.128 0.0.0.15 deny ip 192.168.0.0 0.0.255.255 10.1.45.128 0.0.0.15 deny ip 172.16.0.0 0.15.255.255 10.1.45.128 0.0.0.15 permit ip any any ip access-list extended ACL_FOR_INTRONET_KAZNACH_KG permit ip 10.1.45.128 0.0.0.15 host 10.1.4.103 permit ip 10.1.45.128 0.0.0.15 host 10.1.4.105 permit ip 10.1.45.128 0.0.0.15 host 10.1.5.246 permit ip 10.1.45.128 0.0.0.15 host 10.1.5.252 permit udp 10.1.45.128 0.0.0.15 host 10.4.0.1 eq domain permit udp 10.1.45.128 0.0.0.15 host 10.4.0.2 eq domain permit udp 10.1.45.128 0.0.0.15 host 10.1.8.228 permit udp 10.1.45.128 0.0.0.15 host 10.1.8.229 deny ip 10.1.45.128 0.0.0.15 10.0.0.0 0.255.255.255 deny ip 10.1.45.128 0.0.0.15 192.168.0.0 0.0.255.255 deny ip 10.1.45.128 0.0.0.15 172.16.0.0 0.15.255.255 ip access-list extended ACL_FOR_TV_WIFI permit ip host 10.1.13.203 192.168.0.0 0.0.255.255 permit ip host 10.1.13.203 
10.0.0.0 0.255.255.255 permit ip host 10.1.13.203 172.16.0.0 0.15.255.255 permit ip host 10.1.13.203 91.240.179.0 0.0.0.255 ip access-list extended ACL_FROM_KUMK permit ip any 10.12.0.0 0.0.255.255 permit ip host 10.1.50.2 host 10.1.50.1 permit icmp 10.12.1.0 0.0.0.255 any permit icmp 10.12.0.0 0.0.0.255 any permit ip 10.12.1.0 0.0.0.255 10.1.9.0 0.0.0.255 permit ip 10.12.1.0 0.0.0.255 host 10.1.9.207 permit ip 10.12.1.0 0.0.0.255 host 192.168.8.137 permit ip 10.12.1.0 0.0.0.255 host 10.4.0.43 permit ip 10.12.0.0 0.0.0.255 host 10.4.0.214 permit ip 10.12.0.0 0.0.0.255 10.4.0.0 0.0.0.255 permit ip host 10.12.0.254 any ip access-list extended ACL_RM_RT_CLOUD permit ip host 192.168.1.253 any permit ip 192.168.252.0 0.0.0.255 host 46.61.230.201 permit ip 10.1.17.0 0.0.0.255 host 46.61.230.201 permit ip 192.168.0.0 0.0.3.255 host 46.61.230.201 permit ip 192.168.0.0 0.0.3.255 host 195.19.100.69 permit ip 10.1.17.0 0.0.0.255 host 195.19.100.69 permit ip 192.168.252.0 0.0.0.255 host 195.19.100.69 ip access-list extended ACL_WIFI_GUEST_DHCP permit udp any any eq bootps bootpc deny ip any any ip access-list extended IMP_LOCAL_IN permit icmp any any permit ip 10.1.26.0 0.0.0.255 host 192.168.8.96 permit ip 10.1.26.0 0.0.0.255 host 10.1.26.255 permit udp 10.1.26.0 0.0.0.255 host 192.168.2.3 eq 1434 permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.3 eq 1433 permit udp 10.1.26.0 0.0.0.255 host 192.168.2.4 eq 13000 echo bootps tftp 15000 15001 permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.4 eq 445 13000 13111 14000 17000 14001 deny tcp 10.1.26.0 0.0.0.255 host 192.168.2.3 eq 3389 permit ip 10.1.26.0 0.0.0.255 host 192.168.2.4 permit udp 10.1.26.0 0.0.0.255 host 192.168.1.21 eq domain 88 ntp 135 netbios-ns netbios-dgm 389 445 464 permit udp 10.1.26.0 0.0.0.255 host 192.168.1.100 eq domain 88 ntp 135 netbios-ns netbios-dgm 389 445 464 permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.21 eq domain 88 135 139 389 445 464 3268 3269 permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.100 eq domain 
88 135 139 389 445 464 3268 3269 permit tcp 10.1.26.0 0.0.0.255 host 192.168.3.62 eq 32300 32310 permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.57 eq 32320 permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.58 eq 32310 445 permit ip 10.1.26.0 0.0.0.255 host 192.168.2.128 permit ip 10.1.26.0 0.0.0.255 host 10.1.122.17 permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.21 permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.100 permit tcp 10.1.26.0 0.0.0.255 10.4.7.0 0.0.0.63 eq 443 www 143 993 pop3 995 587 smtp permit tcp 10.1.26.0 0.0.0.255 10.1.123.0 0.0.0.255 eq 443 www 143 993 pop3 995 587 smtp permit tcp 10.1.26.0 0.0.0.255 host 5.227.126.169 eq 443 www 143 993 pop3 995 587 smtp permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.26 eq smtp 443 www permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.27 eq smtp 443 www permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.66 eq smtp 443 www permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.70 eq smtp 443 www permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.184 eq 443 www permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.120 eq 443 www permit tcp 10.1.26.0 0.0.0.255 any eq 17000 permit tcp 10.1.26.0 0.0.0.255 any eq 13000 permit udp 10.1.26.0 0.0.0.255 host 192.168.1.100 eq domain permit udp 10.1.26.0 0.0.0.255 host 10.1.8.229 permit tcp 10.1.26.0 0.0.0.255 host 10.1.8.15 permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.203 permit tcp 10.1.26.0 0.0.0.255 host 10.0.1.230 permit tcp 10.1.26.0 0.0.0.255 host 10.0.16.1 permit tcp 10.1.26.0 0.0.0.255 host 10.0.4.231 permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.204 permit tcp 10.1.26.0 0.0.0.255 host 10.0.16.2 permit udp 10.1.27.0 0.0.0.255 host 10.1.8.229 permit udp 10.1.27.0 0.0.0.255 host 10.4.7.17 permit tcp 10.1.26.0 0.0.0.255 10.1.15.0 0.0.0.255 permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.32 permit tcp 10.1.26.0 0.0.0.255 host 10.1.12.66 eq 443 www permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.100 eq www 443 9554 9654 permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.55 eq www 443 9554 9654 permit tcp 10.1.26.0 0.0.0.255 
host 192.168.2.116 eq www 443 9554 9654 permit tcp 10.1.26.0 0.0.0.255 host 192.168.3.96 eq 6666 permit tcp 10.1.26.0 0.0.0.255 host 192.168.3.143 eq 3389 permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.106 permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.91 eq 3389 permit tcp host 10.1.26.250 host 10.1.7.245 permit tcp 10.1.26.0 0.0.0.255 host 10.1.9.201 permit ip 10.1.26.0 0.0.0.255 10.1.27.0 0.0.0.255 permit ip 10.1.26.0 0.0.0.255 host 10.4.0.17 permit ip 10.1.26.0 0.0.0.255 host 10.4.0.16 permit ip 10.1.26.0 0.0.0.255 host 10.4.0.196 permit ip 10.1.26.0 0.0.0.255 host 10.4.0.45 evaluate IMP_LOCAL_REFLECTEDTRAFFIC permit tcp host 10.1.26.250 any permit tcp host 10.1.26.252 any permit tcp host 10.1.26.253 any deny ip 10.1.26.0 0.0.0.255 192.168.0.0 0.0.255.255 deny ip 10.1.26.0 0.0.0.255 172.16.0.0 0.0.255.255 deny ip 10.1.26.0 0.0.0.255 10.0.0.0 0.255.255.255 permit ip any any ip access-list extended IMP_LOCAL_OUT permit icmp any any permit ip host 192.168.8.96 10.1.26.0 0.0.0.255 permit tcp any host 10.1.26.250 eq 3389 permit tcp any host 10.1.26.251 eq 3389 permit tcp any host 10.1.26.252 eq 3389 permit tcp any host 10.1.26.253 eq 3389 permit tcp host 10.1.7.245 host 10.1.26.250 permit udp host 192.168.1.21 10.1.26.0 0.0.0.255 eq domain permit tcp 10.1.123.0 0.0.0.255 10.1.26.0 0.0.0.255 permit tcp 10.1.15.0 0.0.0.255 10.1.26.0 0.0.0.255 eq 3389 permit tcp 10.1.15.0 0.0.0.255 host 10.1.26.250 permit tcp 10.4.7.0 0.0.0.63 10.1.26.0 0.0.0.255 permit tcp host 5.227.126.169 10.1.26.0 0.0.0.255 permit tcp host 91.240.179.26 10.1.26.0 0.0.0.255 permit tcp host 91.240.179.27 10.1.26.0 0.0.0.255 permit tcp host 91.240.179.66 10.1.26.0 0.0.0.255 permit tcp host 91.240.179.70 10.1.26.0 0.0.0.255 permit tcp host 192.168.2.91 10.1.26.0 0.0.0.255 permit udp host 192.168.1.100 10.1.26.0 0.0.0.255 eq domain permit tcp host 192.168.2.106 10.1.26.0 0.0.0.255 permit udp host 10.1.8.229 10.1.26.0 0.0.0.255 permit tcp host 10.1.8.15 10.1.26.0 0.0.0.255 permit tcp host 10.4.0.203 
10.1.26.0 0.0.0.255 permit tcp host 10.0.1.230 10.1.26.0 0.0.0.255 permit tcp host 10.0.16.1 10.1.26.0 0.0.0.255 permit tcp host 10.0.4.231 10.1.26.0 0.0.0.255 permit tcp host 10.4.0.204 10.1.26.0 0.0.0.255 permit tcp host 10.4.0.120 10.1.26.0 0.0.0.255 permit tcp host 10.0.16.2 10.1.26.0 0.0.0.255 permit udp host 10.1.8.229 10.1.27.0 0.0.0.255 permit udp host 10.4.7.17 10.1.27.0 0.0.0.255 permit tcp host 10.4.0.184 10.1.26.0 0.0.0.255 permit tcp host 192.168.2.32 10.1.26.0 0.0.0.255 permit ip any any reflect IMP_LOCAL_REFLECTEDTRAFFIC permit ip 10.1.27.0 0.0.0.255 10.1.26.0 0.0.0.255 permit ip 91.240.179.0 0.0.0.255 10.1.26.0 0.0.0.255 deny ip 192.168.0.0 0.0.255.255 10.1.26.0 0.0.0.255 deny ip 172.16.0.0 0.0.255.255 10.1.26.0 0.0.0.255 deny ip 10.0.0.0 0.255.255.255 10.1.26.0 0.0.0.255 permit ip any any ip access-list extended LOCAL_TRAFFIC permit ip any 192.168.0.0 0.0.255.255 permit ip any 10.0.0.0 0.255.255.255 permit ip any 172.16.0.0 0.15.255.255 permit ip any 91.240.179.0 0.0.0.255 ip access-list extended RDP permit tcp any eq 3389 any permit tcp any any eq 3389 ip access-list extended ROUTE_VIA_AS deny ip host 192.168.2.202 any deny ip host 192.168.2.131 any deny ip host 192.168.2.61 any deny ip host 192.168.2.11 any deny ip host 192.168.2.102 any deny ip host 192.168.2.100 any deny ip host 192.168.2.97 any deny ip host 192.168.2.96 any deny ip host 192.168.2.101 any deny ip host 192.168.2.72 any deny ip host 192.168.2.71 any deny ip host 192.168.3.64 any deny ip host 192.168.2.68 any deny ip host 192.168.2.45 any deny ip host 192.168.2.90 any deny ip host 192.168.1.81 any deny ip host 192.168.2.126 any deny ip host 192.168.2.80 any deny ip host 192.168.2.47 any deny ip host 192.168.2.34 any deny ip host 192.168.2.35 any deny ip host 192.168.2.38 any deny ip host 192.168.2.88 any deny ip host 192.168.2.56 any deny ip host 192.168.2.48 any deny ip host 192.168.2.54 any deny ip host 192.168.2.55 any deny ip host 192.168.2.52 any deny ip host 192.168.2.53 any 
! The entries down to the first "permit ip any any" continue the extended
! access list ROUTE_VIA_AS, whose header line sits just above this span.
! They are host-by-host denies followed by a catch-all permit.
 deny ip host 192.168.2.9 any
 deny ip host 192.168.2.15 any
 deny ip host 192.168.2.13 any
 deny ip host 192.168.2.27 any
 deny ip host 192.168.2.25 any
 deny ip host 192.168.2.31 any
 deny ip host 192.168.2.19 any
 deny ip host 192.168.2.21 any
 deny ip host 192.168.2.209 any
 deny ip host 192.168.2.185 any
 deny ip host 192.168.3.143 any
 deny ip host 192.168.2.91 any
 deny ip host 192.168.2.183 any
 deny ip host 192.168.2.94 any
 deny ip host 192.168.2.33 any
 deny ip host 192.168.2.39 any
 deny ip host 192.168.2.218 any
 deny ip host 192.168.2.46 any
 deny ip host 192.168.3.232 any
 deny ip host 192.168.2.116 any
 deny ip host 192.168.2.108 any
 deny ip host 192.168.2.191 any
 deny ip host 192.168.2.192 any
 deny ip host 192.168.2.193 any
 deny ip host 192.168.2.194 any
 deny ip host 192.168.2.225 any
 deny ip host 192.168.2.226 any
 deny ip host 192.168.2.227 any
 deny ip host 192.168.2.124 any
 deny ip host 192.168.2.144 any
 deny ip host 192.168.2.195 any
 deny ip host 192.168.2.221 any
 deny ip host 192.168.2.103 any
 deny ip host 192.168.2.3 any
 deny ip host 192.168.2.201 any
 permit ip any any
! Two source hosts only. The implicit deny drops everything else.
ip access-list extended TEST_INET
 permit ip host 10.1.8.63 any
 permit ip host 10.1.19.121 any
! VLAN3_FIREWALL and VLAN3_OUT are a reflexive pair: VLAN3_OUT records flows
! with "reflect", and VLAN3_FIREWALL admits their return traffic with
! "evaluate". VLAN3_FIREWALL has no trailing permit, so anything not listed
! falls to the implicit deny.
ip access-list extended VLAN3_FIREWALL
 ! NOTE(review): this matches on UDP source port 53 alone, from any address to
 ! any address. The match is stateless, so any datagram sourced from port 53
 ! passes. Restricting the source to the resolvers in use would tighten it.
 permit udp any eq domain any
 permit udp host 10.1.8.229 10.1.18.0 0.0.0.255
 permit tcp 10.1.15.0 0.0.0.255 host 10.1.18.1 eq 3389
 permit tcp 10.1.15.0 0.0.0.255 host 10.1.18.3 eq 3389
 permit tcp host 10.1.19.250 10.1.18.0 0.0.0.255 eq 3389
 evaluate VLAN3_REFLECTEDTRAFFIC
ip access-list extended VLAN3_OUT
 permit udp any any eq domain
 permit udp 10.1.18.0 0.0.0.255 host 10.1.8.229
 permit tcp host 10.1.18.1 10.1.15.0 0.0.0.255
 permit tcp host 10.1.18.3 10.1.15.0 0.0.0.255
 ! NOTE(review): this entry matches all IP, so the list as a whole permits
 ! everything. Because ACLs are first-match, the entry after it can never be
 ! reached.
 permit ip any any reflect VLAN3_REFLECTEDTRAFFIC
 permit tcp 10.1.18.0 0.0.0.255 host 10.1.19.250
! Allows the two hosts 10.1.8.229 and 10.1.8.228, denies private destinations,
! then permits everything else.
ip access-list extended VLAN9_RESTRICTED
 permit ip any host 10.1.8.229
 permit ip any host 10.1.8.228
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 192.168.0.0 0.0.255.255
 ! NOTE(review): wildcard 0.0.255.255 covers 172.16.0.0/16 only. Destinations
 ! in 172.17.0.0 through 172.31.255.255 skip this deny and hit the final permit.
 ! The prefix lists later in this span treat 172.16.0.0/12 as local, which
 ! would be wildcard 0.15.255.255. Confirm whether the narrower range is
 ! intended.
 deny ip any 172.16.0.0 0.0.255.255
 permit ip any any
! NOTE(review): address 0.0.0.0 with wildcard 255.0.0.0 matches only addresses
! whose last three octets are zero, and 255.255.0.0 only those whose last two
! are zero. IOS commonly stores this form when a subnet mask is typed in place
! of a wildcard mask, because the "don't care" bits of the address are zeroed.
! As written these entries presumably match almost no real traffic. Check the
! intended networks and re-enter them with wildcard masks.
ip access-list extended WEB_LOCAL
 permit tcp 0.0.0.0 255.0.0.0 any eq www
 permit tcp 0.0.0.0 255.0.0.0 any eq 443
 permit tcp 0.0.0.0 255.255.0.0 any eq 443
 permit tcp 0.0.0.0 255.255.0.0 any eq www
 permit tcp any 0.0.0.0 255.0.0.0 eq 443
 permit tcp any 0.0.0.0 255.0.0.0 eq www
 permit tcp any 0.0.0.0 255.255.0.0 eq www
 permit tcp any 0.0.0.0 255.255.0.0 eq 443
! Classification ACLs. The names suggest they are used by control-plane
! policing, but the policy that references them is not in this span.
ip access-list extended acl-copp-match-igmp
 permit igmp any any
ip access-list extended acl-copp-match-pim-data
 deny pim any host 224.0.0.13
 permit pim any any
!
!
! Prefix lists. "le 32" accepts every more-specific prefix down to host routes
! inside the listed block.
ip prefix-list PL_BGP_IZM-P11 seq 5 permit 10.0.0.0/8 le 32
ip prefix-list PL_BGP_IZM-P11 seq 10 permit 192.168.0.0/16 le 32
ip prefix-list PL_BGP_IZM-P11 seq 15 permit 172.16.0.0/12 le 32
!
ip prefix-list PL_FROM_CLOUD_RT seq 5 permit 10.1.30.0/24
!
! NOTE(review): seq 10 is already covered by seq 5. 10.12.252.0/22 lies inside
! 10.12.0.0/16 and its length is between 16 and 24.
ip prefix-list PL_FROM_KUMK seq 5 permit 10.12.0.0/16 le 24
ip prefix-list PL_FROM_KUMK seq 10 permit 10.12.252.0/22
!
! "ge 32" on a /24 matches only /32 host routes inside 91.240.179.0/24.
ip prefix-list PL_KOMOS_PI seq 5 permit 91.240.179.0/24 ge 32
!
ip prefix-list PL_LOCAL_OUT seq 5 permit 10.0.0.0/8 le 32
ip prefix-list PL_LOCAL_OUT seq 10 permit 192.168.0.0/16 le 32
ip prefix-list PL_LOCAL_OUT seq 15 permit 172.16.0.0/12 le 32
!
ip prefix-list PL_REDIS_STATIC_PI seq 5 permit 91.240.179.0/24 le 32
!
ip prefix-list PL_UZB_USERS seq 5 permit 10.1.13.0/24
ip prefix-list PL_UZB_USERS seq 10 permit 10.1.4.0/22
ip prefix-list PL_UZB_USERS seq 20 permit 10.1.39.0/24
!
ip prefix-list PL_VRS_OLD_IN seq 5 permit 192.168.72.0/24 ip sla 1 icmp-echo 192.5.5.241 source-ip 10.1.239.22 threshold 400 timeout 2000 frequency 3 ip sla schedule 1 life forever start-time now ip sla 11 icmp-echo 88.80.33.49 source-ip 10.1.239.22 threshold 50 timeout 2000 frequency 3 ip sla schedule 11 life forever start-time now ip sla 12 icmp-echo 10.1.239.18 source-ip 10.1.239.22 threshold 50 timeout 2000 frequency 3 ip sla schedule 12 life forever start-time now ip sla 13 icmp-echo 84.201.247.254 source-interface Vlan11 threshold 50 timeout 2000 frequency 3 ip sla schedule 13 life forever start-time now ip sla 104 icmp-echo 87.249.239.226 source-interface Vlan11 threshold 50 timeout 2000 frequency 3 ip sla schedule 104 life forever start-time now ip sla 105 icmp-echo 5.227.124.82 source-interface Vlan11 threshold 50 timeout 2000 frequency 3 ip sla schedule 105 life forever start-time now ip sla 107 icmp-echo 84.201.247.32 source-interface Vlan11 threshold 50 timeout 2000 frequency 3 ip sla schedule 107 life forever start-time now ip sla 109 icmp-echo 95.215.208.240 source-interface Vlan11 threshold 50 timeout 2000 frequency 3 ip sla schedule 109 life forever start-time now ip sla 110 icmp-echo 88.80.32.230 source-interface Vlan11 threshold 50 timeout 2000 frequency 3 ip sla schedule 110 life forever start-time now ip sla 112 icmp-echo 10.1.50.94 source-interface Tunnel24 threshold 50 timeout 2000 frequency 3 ip sla schedule 112 life forever start-time now ip sla 9000 dhcp 10.1.8.228 source-ip 10.1.19.254 threshold 3000 timeout 4000 ip sla schedule 9000 life forever start-time now ip sla 9001 dhcp 10.1.8.229 source-ip 10.1.19.254 threshold 3000 timeout 4000 ip sla schedule 9001 life forever start-time now kron occurrence EveryDay at 1:00 recurring policy-list SaveBackup ! kron policy-list SaveBackup cli write memory ! 
! Syslog export, standard ACL 23, and the first group of route-maps.
!
! Messages are tagged with the hostname, sent with facility local6, and sourced
! from Vlan100. There are two collectors. The second is addressed explicitly
! over UDP port 515.
! NOTE(review): UDP syslog is neither authenticated nor encrypted, and delivery
! is not confirmed. If these logs are audit evidence, keep the path to the
! collectors on a protected management segment.
logging origin-id hostname
logging facility local6
logging source-interface Vlan100
logging host 192.168.2.25
logging host 10.4.244.4 transport udp port 515
! NOTE(review): the first entry matches every source, so the second entry is
! unreachable and its "log" keyword never fires. The vty lines later in this
! configuration apply this list with "access-class 23 in", so as written it
! does not restrict which addresses may open a management session. Replace
! "permit any" with the management source networks and keep the logged deny
! as the last entry.
access-list 23 permit any
access-list 23 deny any log
!
! Selects the static routes that may be redistributed (prefix list
! PL_REDIS_STATIC_PI).
route-map RM_REDIS_STATIC_PI permit 10
 description Redistribute static PI address for unnumbered lo11
 match ip address prefix-list PL_REDIS_STATIC_PI
!
! Raises local preference for routes in PL_KOMOS_PI. Clause 20 accepts
! everything else unchanged, so this map adjusts preference and filters nothing.
route-map RM_KOMOS_PI_IN permit 10
 match ip address prefix-list PL_KOMOS_PI
 set local-preference 1000
!
route-map RM_KOMOS_PI_IN permit 20
!
! NOTE(review): this clause has no match statement, so every route the map is
! applied to is accepted with local preference 1500. The BGP section applies it
! inbound on neighbor 172.31.2.2 (AS 64520). Nothing here limits which prefixes
! that peer can inject, and 1500 is the highest preference set by any map in
! this span. Add a prefix-list match for the prefixes expected from that peer.
route-map RM_FROM_MK permit 10
 set local-preference 1500
!
route-map RM_FROM_KUMK permit 10
 match ip address prefix-list PL_FROM_KUMK
!
! The maps from here on that match on an ACL appear to be policy-routing maps.
! The "ip policy" statements that would confirm it are on interfaces outside
! this span. Clauses that match LOCAL_TRAFFIC and set nothing leave those
! packets to the normal routing table.
route-map RM_DMZ deny 10
 match ip address LOCAL_TRAFFIC
!
route-map RM_DMZ permit 20
!
route-map R2-MTS-TV-WIFI permit 10
 match ip address ACL_FOR_TV_WIFI
!
! Traffic matching ACL-NAT-VIDEO-UZB is handed to VRF-UZB.
route-map R2-MTS-TV-WIFI permit 15
 match ip address ACL-NAT-VIDEO-UZB
 set vrf VRF-UZB
!
! Prefers next hop 10.1.239.19 while track object 111 is up, otherwise
! 10.1.239.18. The track object is defined outside this span.
route-map R2-MTS-TV-WIFI permit 20
 match ip address ACL_FOR_TV_WIFI_2
 set ip next-hop verify-availability 10.1.239.19 10 track 111
 set ip next-hop 10.1.239.18
!
route-map R2-MTS-TV-WIFI permit 30
!
route-map RM_LOCAL_OUT permit 10
 match ip address prefix-list PL_LOCAL_OUT
!
route-map RM_TEST_INET permit 5
 match ip address LOCAL_TRAFFIC
!
route-map RM_TEST_INET permit 10
 description TEST_INET'
 match ip address TEST_INET
!
route-map RM_TEST_INET permit 20
!
! Inbound maps for the two L2VPN uplinks. Routes whose AS path matches
! as-path list 11 get local preference 1500. Clause 20 accepts all other
! routes unchanged.
! NOTE(review): neither map rejects anything. If these peers should only send
! a known set of prefixes, add an explicit prefix filter.
route-map RM_BGP_IZM-P11_MTS_IN permit 10
 match as-path 11
 set local-preference 1500
!
route-map RM_BGP_IZM-P11_MTS_IN permit 20
!
route-map IMP-ROUTING permit 10
 match ip address LOCAL_TRAFFIC
!
! NOTE(review): both verify-availability entries name the same next hop,
! 10.1.239.19, and differ only in the track object (13, then 11). Confirm this
! is deliberate and not a leftover from an earlier change.
route-map IMP-ROUTING permit 20
 set ip next-hop verify-availability 10.1.239.19 10 track 13
 set ip next-hop verify-availability 10.1.239.19 20 track 11
 set ip next-hop 10.1.239.18
!
route-map RM_BGP_IZM-P11_DOMRU_IN permit 10
 match as-path 11
 set local-preference 1500
!
route-map RM_BGP_IZM-P11_DOMRU_IN permit 20
!
route-map RM_FROM_OCOD_ER-TELECOM permit 10
 match ip address prefix-list PL_VRS_OLD_IN
 set local-preference 200
!
route-map RM_FROM_OCOD_ER-TELECOM permit 30 ! route-map RM_TO_OCOD_ER-TELECOM permit 30 ! route-map RM_NAT_MK deny 10 description --BACKUP_INTERNET_FOR_MK-- match ip address LOCAL_TRAFFIC ! route-map RM_NAT_MK permit 20 description --BACKUP_INTERNET_FOR_MK-- match ip address ACL_FOR_NAT_MK set ip next-hop 10.1.239.18 ! route-map R2-MTS_R1-BGP permit 5 match ip address ACL-NAT-VIDEO-UZB set vrf VRF-UZB ! route-map R2-MTS_R1-BGP permit 10 match ip address LOCAL_TRAFFIC ! route-map R2-MTS_R1-BGP permit 20 set ip next-hop verify-availability 10.1.239.19 10 track 111 set ip next-hop 10.1.239.18 ! route-map RM_FOR_KAZNACH_KG permit 10 match ip address ACL_FOR_INTRONET_KAZNACH_KG ! route-map RM_FOR_KAZNACH_KG permit 30 match ip address ACL_FOR_NAT_KAZNACH_KG set ip next-hop 10.1.239.19 ! route-map RM_UZB_IMPORT permit 10 match ip address prefix-list PL_UZB_USERS ! route-map VLAN1-ROUTING permit 5 match ip address LOCAL_TRAFFIC ! route-map VLAN1-ROUTING permit 6 description Vremenno DC match ip address ACL_DC_VREM set ip next-hop 10.1.239.18 ! route-map VLAN1-ROUTING permit 8 match ip address ACL_RM_RT_CLOUD set ip next-hop 172.30.30.42 ! route-map VLAN1-ROUTING permit 9 match ip address ROUTE_VIA_AS set ip next-hop verify-availability 10.1.239.19 10 track 111 set ip next-hop 10.1.239.18 ! route-map VLAN1-ROUTING permit 20 set ip next-hop 10.1.239.18 ! route-map VLAN3-ROUTING permit 10 match ip address LOCAL_TRAFFIC ! route-map VLAN3-ROUTING permit 15 set ip next-hop verify-availability 10.1.239.19 10 track 111 set ip next-hop 10.1.239.18 ! route-map RM_BGP_IZM-P11_OUT permit 10 match ip address prefix-list PL_BGP_IZM-P11 ! route-map RM_USERS_KU9 permit 10 match ip address ACL-NAT-VIDEO-UZB set vrf VRF-UZB ! route-map RM_USERS_KU9 permit 20 ! route-map VLAN-500-ROUTING permit 5 match ip address LOCAL_TRAFFIC ! route-map VLAN-500-ROUTING permit 10 set ip next-hop 10.1.239.19 ! 
! Management-plane settings: SNMP, RADIUS servers, control-plane policing
! classes, privilege levels, login banner, console/vty lines, NTP, and the EEM
! applets that move static routes between VPN tunnels.
!
! NOTE(review): the read-only community has no access list appended, so any
! host that can reach the device may poll it with this string. Append a
! standard ACL that names the monitoring stations.
! NOTE(review): the second trap receiver uses the well-known community
! "public".
! NOTE(review): the community string is plaintext in this listing and travels
! unencrypted in SNMPv1/v2c. Treat it as disclosed, rotate it, and prefer
! SNMPv3 with authentication and privacy. Neither "snmp-server host" line has
! a version keyword.
snmp-server community lmTUEsk6Yvlv RO
snmp-server host 10.1.122.227 lmTUEsk6Yvlv
snmp-server host 10.1.1.253 public
!
!
! RADIUS servers on the legacy ports 1645/1646.
! NOTE(review): "key 7" is a reversible encoding, not a one-way hash. Anyone
! holding this listing should be assumed to hold both shared secrets, so
! rotate them on the device and on the servers. Where the release supports it,
! store keys as type 6 ("key config-key password-encrypt" together with
! "password encryption aes").
radius server IZH-RDS002
 address ipv4 10.4.0.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key 7 07073847682838253F1552345D2C382B23043D77025F01061B151F66520D022A110C555C7F784A59660E4955357D00251115304821110B03727C2C2A235317215C
!
radius server P11-RDS003
 address ipv4 10.1.122.248 auth-port 1645 acct-port 1646
 timeout 3
 retransmit 2
 key 7 060E162A6A6F28392D104B33550239242F1F3B60334B101319421067590A58270A021A5D707C4B5E6751190834220F7606003217711C022D1F7E6B3A3F4112385B
!
!
!
! IPv6 classification ACLs (MLD, neighbor discovery, PIMv6). The names suggest
! they feed the control-plane policy attached below.
ipv6 access-list acl-copp-match-mld
 permit icmp any any mld-report
 permit icmp any any mld-query
 permit icmp any any mld-reduction
 permit icmp any any 143
!
ipv6 access-list acl-copp-match-ndv6
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
 permit icmp any any redirect
!
ipv6 access-list acl-copp-match-ndv6hl
 permit icmp any any nd-na hoplimit
 permit icmp any any nd-ns hoplimit
 permit icmp any any router-advertisement hoplimit
 permit icmp any any router-solicitation hoplimit
 permit icmp any any redirect hoplimit
!
ipv6 access-list acl-copp-match-pimv6-data
 deny 103 any host FF02::D
 permit 103 any any
!
! Applies the policy-map named policy-default-autocopp to traffic punted to
! the control plane.
control-plane
 service-policy input policy-default-autocopp
!
! Lowers the listed "show" commands to privilege level 7.
! NOTE(review): level-7 accounts can view the configuration. Confirm that
! exposure is acceptable for the accounts mapped to level 7.
privilege exec all level 7 show cdp
privilege exec all level 7 show running-config
privilege exec all level 7 show configuration
privilege exec level 7 show
! Login banner, delimited by ^C. Its original line layout appears to have been
! collapsed in this listing. The text is left exactly as found.
banner login ^C ***************************************************************************** * * * OOO "KOMOS GROUP" * * Pesochnaya 11 * * 1st FLOOR * * DATACENTR * * VSS * * UNAUTHORIZED ACCESS IS PROHIBITED * * * * You have accessed network equipment. * * You must have authorized permission to access or configure this device. * * All activities performed on this device are logged and monitored. 
* * * *****************************************************************************^C
alias exec sib sh ip int brief
!
! Console uses the CONSOLE login method list.
line con 0
 logging synchronous
 login authentication CONSOLE
! NOTE(review): the AUX line has no sub-commands. If it is unused, disable it
! explicitly ("no exec", "transport input none").
line aux 0
! vty lines are SSH-only.
! NOTE(review): "access-class 23 in" relies on ACL 23, whose first entry
! earlier in this configuration is "permit any". The source address of
! management sessions is therefore not restricted.
! NOTE(review): both vty ranges bind to a login list named NPS. The AAA
! section near the top of this configuration shows login lists "default" and
! "CONSOLE" plus a RADIUS server group called NPS, but no
! "aaa authentication login NPS" list. Verify that the list exists, and how
! this release treats a line bound to an undefined list.
! NOTE(review): "exec-timeout 120 0" leaves idle privileged sessions open for
! two hours. A shorter idle timeout is usual on management lines.
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 logging synchronous
 login authentication NPS
 length 0
 transport input ssh
line vty 5 15
 access-class 23 in
 exec-timeout 120 0
 logging synchronous
 login authentication NPS
 transport input ssh
!
!
monitor session 1 type rspan-destination
!
!
scheduler allocate 3000 1000
! NTP queries are sourced from Vlan100. 10.1.8.1 is the preferred server.
! NOTE(review): no NTP authentication key or "ntp access-group" is visible
! here. Log timestamps depend on these servers, so consider authenticating
! them.
ntp source Vlan100
ntp server 10.1.8.1 prefer source Vlan100
ntp server 10.1.1.2
!
diagnostic bootup level minimal
no event manager policy Mandatory.go_switchbus.tcl type system
! EEM applets. Each reacts to a tracked object changing state and rewrites
! static routes so the site prefixes follow the tunnel that is up.
! The track objects 222 and 109 are defined outside this span.
! NOTE(review): these changes alter only the running configuration. If a
! scheduled "write memory" exists elsewhere in the configuration, it will save
! whichever tunnel state is active at that moment.
!
! Track 222 down: move 10.0.32.0/24 and 10.0.33.0/24 from Tunnel24 to Tunnel25.
event manager applet Mozhga-VPN-ISP1-DOWN
 event track 222 state down
 action 0.9 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "no ip route 10.0.32.0 255.255.255.0 Tunnel24"
 action 1.3 cli command "no ip route 10.0.33.0 255.255.255.0 Tunnel24"
 action 1.4 cli command "ip route 10.0.32.0 255.255.255.0 Tunnel25"
 action 1.5 cli command "ip route 10.0.33.0 255.255.255.0 Tunnel25"
! Track 222 up: move the same prefixes back to Tunnel24.
event manager applet Mozhga-VPN-ISP1-UP
 event track 222 state up
 action 0.9 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "no ip route 10.0.32.0 255.255.255.0 Tunnel25"
 action 1.3 cli command "no ip route 10.0.33.0 255.255.255.0 Tunnel25"
 action 1.4 cli command "ip route 10.0.32.0 255.255.255.0 Tunnel24"
 action 1.5 cli command "ip route 10.0.33.0 255.255.255.0 Tunnel24"
! Track 109 down: move 10.0.24.0/24, 10.0.25.0/24 and 10.0.26.0/24 from
! Tunnel22 to Tunnel23.
event manager applet Glazov-VPN-ISP1-DOWN
 event track 109 state down
 action 0.9 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "no ip route 10.0.24.0 255.255.255.0 Tunnel22"
 action 1.3 cli command "no ip route 10.0.25.0 255.255.255.0 Tunnel22"
 action 1.4 cli command "no ip route 10.0.26.0 255.255.255.0 Tunnel22"
 action 1.5 cli command "ip route 10.0.24.0 255.255.255.0 Tunnel23"
 action 1.6 cli command "ip route 10.0.25.0 255.255.255.0 Tunnel23"
 action 1.7 cli command "ip route 10.0.26.0 255.255.255.0 Tunnel23"
! Track 109 up: move the same prefixes back to Tunnel22.
event manager applet Glazov-VPN-ISP1-UP
 event track 109 state up
 action 0.9 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "no ip route 10.0.24.0 255.255.255.0 Tunnel23"
 action 1.3 cli command "no ip route 10.0.25.0 255.255.255.0 Tunnel23"
 action 1.4 cli command "no ip route 10.0.26.0 255.255.255.0 Tunnel23"
 action 1.5 cli command "ip route 10.0.24.0 255.255.255.0 Tunnel22"
 action 1.6 cli command "ip route 10.0.25.0 255.255.255.0 Tunnel22"
 action 1.7 cli command "ip route 10.0.26.0 255.255.255.0 Tunnel22"
!
end