hostname MSK-MLK-NOV2-RT-1-2.ESR-21
|
|
|
|
ip firewall sessions counters
|
|
object-group service OBJ_SVC_SSH
|
|
port-range 22
|
|
exit
|
|
object-group service OBJ_SVC_VPN
|
|
port-range 500
|
|
port-range 4500
|
|
exit
|
|
object-group service OBJ_SVC_MGMT
|
|
port-range 22
|
|
port-range 23
|
|
port-range 2001-2003
|
|
exit
|
|
|
|
object-group network OBJ_NET_IZH_KG_P11
|
|
description "IZH-KG-P11_nets"
|
|
ip prefix 91.240.179.0/24
|
|
ip prefix 5.227.124.143/32
|
|
ip prefix 78.85.13.93/32
|
|
ip prefix 62.141.96.126/32
|
|
ip prefix 84.201.247.190/32
|
|
ip prefix 88.80.33.50/32
|
|
ip prefix 94.25.46.122/32
|
|
exit
|
|
object-group network OBJ_NET_IZH_MLK_IZM
|
|
description "IZH-MLK-IZM_nets"
|
|
ip prefix 91.240.179.0/24
|
|
ip prefix 85.140.32.27/32
|
|
ip prefix 78.85.13.42/32
|
|
ip prefix 5.227.126.169/32
|
|
ip prefix 31.173.105.54/32
|
|
ip prefix 217.14.195.253/32
|
|
ip prefix 85.175.86.74/32
|
|
exit
|
|
object-group network OBJ_NET_ADM_MGMT
|
|
description "Admins Net for MGMT and Routing"
|
|
ip prefix 10.110.0.0/24
|
|
ip prefix 10.4.0.214/32
|
|
ip prefix 10.1.19.0/24
|
|
ip prefix 10.14.117.0/24
|
|
ip prefix 172.30.1.0/24
|
|
ip prefix 172.30.2.0/24
|
|
ip prefix 192.168.8.99/32
|
|
ip prefix 10.4.0.58/32
|
|
exit
|
|
object-group network OBJ_NET_NAT_USERS
|
|
ip prefix 10.14.104.0/21
|
|
exit
|
|
|
|
syslog max-files 3
|
|
syslog file-size 1024
|
|
syslog cli-commands
|
|
syslog file tmpsys:syslog/syslog
|
|
severity info
|
|
exit
|
|
logging aaa configuration
|
|
logging userinfo
|
|
syslog monitor warning
|
|
|
|
alias q root "exit"
|
|
username admin
|
|
password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
|
|
privilege 1
|
|
exit
|
|
username techsupport
|
|
password encrypted $6$NIJmKExDCQQrxKeP$GHzsgRdo3wceGBiLbY9r612ZmgWO.kSaiQ7WZogUx1R28m3He/KMK4YX8/6lZom//rY3O.GxHzbySgYuQOemH0
|
|
exit
|
|
username remote
|
|
password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
|
|
exit
|
|
username netadmin
|
|
password encrypted $6$qQ9DjGu5Ho3PsG1P$kFSYXz6vF15o8dO9siAha7hTiTtA159xVUA9BSVGM3wgsSEKeAyGQK5HZKyIkplOhc3f4eXjUoDrdc.YxlLhn1
|
|
privilege 15
|
|
exit
|
|
enable password encrypted $6$AfOE17s2nl/CyvEy$6iroAkDn996cy.hfE69WQHuCyKZVsrLNff9Zpdtg4j/7GUDnUaNehPe/Ej5hxuJrLTHYe109dqurFYAVni3ue1 privilege 15
|
|
aaa authentication mode break
|
|
aaa authentication login CONSOLE local radius
|
|
aaa authentication login SSH radius local
|
|
aaa authentication enable default radius enable
|
|
radius-server host 10.1.122.248
|
|
key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
|
|
source-interface loopback 1
|
|
exit
|
|
radius-server host 10.4.0.248
|
|
key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
|
|
source-interface loopback 1
|
|
exit
|
|
line console
|
|
login authentication CONSOLE
|
|
exit
|
|
line ssh
|
|
login authentication SSH
|
|
exit
|
|
line aux 1
|
|
description "RT-1-2"
|
|
transport telnet port 2001
|
|
exit
|
|
line aux 2
|
|
description "SW-2-1"
|
|
speed 9600
|
|
transport telnet port 2002
|
|
exit
|
|
|
|
|
|
tech-support login enable
|
|
system jumbo-frames
|
|
system config-confirm timeout 120
|
|
|
|
no spanning-tree
|
|
|
|
security zone LAN
|
|
exit
|
|
security zone WAN
|
|
exit
|
|
security zone VPN
|
|
exit
|
|
|
|
route-map RM_BGP_OUT
|
|
rule 1
|
|
description "Universal_MGMT_Loopback"
|
|
match ip address 10.111.0.0/16 le 32
|
|
exit
|
|
rule 10
|
|
description "MSK-NOV2_PREFIX"
|
|
match ip address 10.14.104.0/21
|
|
exit
|
|
exit
|
|
router bgp 64556
|
|
timers keepalive 10
|
|
timers holdtime 30
|
|
peer-group PG_BGP_IZM
|
|
remote-as 64512
|
|
graceful-restart
|
|
graceful-restart timeout 120
|
|
route-map RM_BGP_OUT out
|
|
exit
|
|
peer-group PG_BGP_P11
|
|
remote-as 64513
|
|
bfd-enable
|
|
graceful-restart
|
|
graceful-restart timeout 120
|
|
route-map RM_BGP_OUT out
|
|
exit
|
|
neighbor 172.30.1.1
|
|
peer-group PG_BGP_IZM
|
|
graceful-restart
|
|
address-family ipv4 unicast
|
|
enable
|
|
exit
|
|
enable
|
|
exit
|
|
neighbor 172.30.1.2
|
|
peer-group PG_BGP_IZM
|
|
graceful-restart
|
|
address-family ipv4 unicast
|
|
enable
|
|
exit
|
|
enable
|
|
exit
|
|
neighbor 172.30.2.1
|
|
peer-group PG_BGP_P11
|
|
graceful-restart
|
|
address-family ipv4 unicast
|
|
enable
|
|
exit
|
|
enable
|
|
exit
|
|
neighbor 172.30.2.2
|
|
peer-group PG_BGP_P11
|
|
graceful-restart
|
|
address-family ipv4 unicast
|
|
enable
|
|
exit
|
|
enable
|
|
exit
|
|
neighbor 172.31.16.1
|
|
remote-as 64556
|
|
graceful-restart
|
|
address-family ipv4 unicast
|
|
route-map RM_BGP_OUT out
|
|
next-hop-self
|
|
enable
|
|
exit
|
|
enable
|
|
exit
|
|
address-family ipv4 unicast
|
|
network 10.14.104.0/21
|
|
network 10.111.56.2/32
|
|
exit
|
|
enable
|
|
exit
|
|
|
|
|
|
interface port-channel 1
|
|
description "[KU]_SW-1-1"
|
|
mtu 9100
|
|
exit
|
|
interface port-channel 1.2
|
|
description "Users"
|
|
security-zone LAN
|
|
ip address 10.14.105.253/24
|
|
ip helper-address 10.1.8.5
|
|
ip helper-address vrrp-group 1
|
|
vrrp id 1
|
|
vrrp ip 10.14.105.254/32
|
|
vrrp group 1
|
|
vrrp version 3
|
|
vrrp
|
|
exit
|
|
interface port-channel 1.150
|
|
description "WIFI"
|
|
security-zone LAN
|
|
ip address 10.14.107.253/24
|
|
ip helper-address 10.4.0.5
|
|
ip helper-address 10.1.8.5
|
|
ip helper-address vrrp-group 1
|
|
vrrp id 2
|
|
vrrp ip 10.14.107.254/32
|
|
vrrp group 1
|
|
vrrp version 3
|
|
vrrp
|
|
exit
|
|
interface port-channel 1.300
|
|
description "MGM"
|
|
security-zone LAN
|
|
ip address 10.14.104.253/25
|
|
vrrp id 30
|
|
vrrp ip 10.14.104.254/32
|
|
vrrp group 1
|
|
vrrp version 3
|
|
vrrp
|
|
exit
|
|
interface port-channel 1.301
|
|
description "WIFI_MGM_Ubiquity"
|
|
security-zone LAN
|
|
ip address 10.14.106.125/25
|
|
ip helper-address 10.4.0.5
|
|
ip helper-address 10.1.8.5
|
|
ip helper-address vrrp-group 1
|
|
vrrp id 4
|
|
vrrp ip 10.14.106.126/32
|
|
vrrp group 1
|
|
vrrp version 3
|
|
vrrp
|
|
exit
|
|
interface port-channel 1.305
|
|
description "WIFI_MGM_Eltex"
|
|
security-zone LAN
|
|
ip address 10.14.106.253/25
|
|
ip helper-address 10.4.0.5
|
|
ip helper-address 10.1.8.5
|
|
ip helper-address vrrp-group 1
|
|
vrrp id 5
|
|
vrrp ip 10.14.106.254/32
|
|
vrrp group 1
|
|
vrrp version 3
|
|
vrrp
|
|
exit
|
|
interface port-channel 1.350
|
|
description "VOIP"
|
|
security-zone LAN
|
|
ip address 10.14.104.125/25
|
|
ip helper-address 10.4.0.5
|
|
ip helper-address 10.1.8.5
|
|
ip helper-address vrrp-group 1
|
|
vrrp id 6
|
|
vrrp ip 10.14.104.126/32
|
|
vrrp group 1
|
|
vrrp version 3
|
|
vrrp
|
|
exit
|
|
interface port-channel 1.555
|
|
description "Transit_RT-1-1_RT-1-2"
|
|
security-zone LAN
|
|
ip address 172.31.16.2/29
|
|
exit
|
|
interface gigabitethernet 1/0/5
|
|
description "[KU]_Po1_SW-1-1"
|
|
mode switchport
|
|
mtu 9100
|
|
channel-group 1 mode auto
|
|
lldp transmit
|
|
lldp receive
|
|
exit
|
|
interface gigabitethernet 1/0/6
|
|
description "[KU]_Po1_SW-1-1"
|
|
mode switchport
|
|
mtu 9100
|
|
channel-group 1 mode auto
|
|
lldp transmit
|
|
lldp receive
|
|
exit
|
|
interface gigabitethernet 1/0/7
|
|
description "[-ISP-xxM]_WAN_ISP_A"
|
|
security-zone WAN
|
|
ip address 91.240.179.239/24
|
|
exit
|
|
interface gigabitethernet 1/0/8
|
|
description "[-ISP-xxM]_WAN_ISP_B"
|
|
mtu 9100
|
|
security-zone WAN
|
|
exit
|
|
interface loopback 1
|
|
description "MGMT_IP"
|
|
ip address 10.111.56.2/32
|
|
exit
|
|
tunnel gre 101
|
|
key 1001
|
|
ttl 255
|
|
mtu 1400
|
|
multipoint
|
|
security-zone VPN
|
|
local interface gigabitethernet 1/0/7
|
|
ip address 172.30.1.77/24
|
|
ip tcp adjust-mss 1360
|
|
ip nhrp authentication encrypted B18B2823930318AA
|
|
ip nhrp holding-time 300
|
|
ip nhrp map 172.30.1.1 85.140.32.27
|
|
ip nhrp map 172.30.1.2 78.85.13.42
|
|
ip nhrp nhs 172.30.1.1/24
|
|
ip nhrp nhs 172.30.1.2/24
|
|
ip nhrp ipsec IPSEC_VPN_HUB static
|
|
ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
|
|
ip nhrp multicast nhs
|
|
ip nhrp enable
|
|
enable
|
|
exit
|
|
tunnel gre 102
|
|
key 1002
|
|
ttl 254
|
|
mtu 1400
|
|
multipoint
|
|
security-zone VPN
|
|
local interface gigabitethernet 1/0/7
|
|
ip address 172.30.2.77/24
|
|
ip tcp adjust-mss 1360
|
|
ip nhrp authentication encrypted B18B2823930318A9
|
|
ip nhrp holding-time 300
|
|
ip nhrp map 172.30.2.1 5.227.124.143
|
|
ip nhrp map 172.30.2.2 78.85.13.93
|
|
ip nhrp nhs 172.30.2.1/24
|
|
ip nhrp nhs 172.30.2.2/24
|
|
ip nhrp ipsec IPSEC_VPN_HUB static
|
|
ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
|
|
ip nhrp multicast nhs
|
|
ip nhrp enable
|
|
enable
|
|
exit
|
|
|
|
snmp-server
|
|
snmp-server contact "INVENTAR_NUMBER"
|
|
snmp-server location "MSK, Novodmitrovskaya,2 , kor 2, of 0404"
|
|
snmp-server community lmTUEsk6Yvlv ro
|
|
|
|
security zone-pair WAN self
|
|
rule 10
|
|
description "permit_any_from_P11"
|
|
action permit
|
|
match source-address OBJ_NET_IZH_KG_P11
|
|
enable
|
|
exit
|
|
rule 20
|
|
description "permit_any_from_IZM"
|
|
action permit
|
|
match source-address OBJ_NET_IZH_MLK_IZM
|
|
enable
|
|
exit
|
|
exit
|
|
security zone-pair LAN VPN
|
|
rule 10
|
|
description "permit_any"
|
|
action permit
|
|
enable
|
|
exit
|
|
exit
|
|
security zone-pair VPN LAN
|
|
rule 10
|
|
description "permit_any"
|
|
action permit
|
|
enable
|
|
exit
|
|
exit
|
|
security zone-pair VPN self
|
|
rule 1
|
|
description "TEST_ANY"
|
|
action permit
|
|
enable
|
|
exit
|
|
rule 10
|
|
description "permit_icmp"
|
|
action permit
|
|
match protocol icmp
|
|
enable
|
|
exit
|
|
rule 20
|
|
description "permit_admins"
|
|
action permit
|
|
match source-address OBJ_NET_ADM_MGMT
|
|
enable
|
|
exit
|
|
exit
|
|
security zone-pair LAN WAN
|
|
rule 10
|
|
description "permit_any"
|
|
action permit
|
|
enable
|
|
exit
|
|
exit
|
|
security zone-pair LAN self
|
|
rule 10
|
|
description "permit_admins"
|
|
action permit
|
|
match source-address OBJ_NET_ADM_MGMT
|
|
enable
|
|
exit
|
|
rule 20
|
|
description "Deny_MGMT_ports_from_LAN"
|
|
action deny
|
|
match protocol tcp
|
|
match destination-port OBJ_SVC_MGMT
|
|
enable
|
|
exit
|
|
rule 100
|
|
description "PERMIT_ANY"
|
|
action permit
|
|
enable
|
|
exit
|
|
exit
|
|
|
|
security ike proposal IKE_PROP
|
|
encryption algorithm aes128
|
|
dh-group 2
|
|
exit
|
|
|
|
security ike policy IKE_POL
|
|
lifetime seconds 86400
|
|
pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
|
|
proposal IKE_PROP
|
|
exit
|
|
|
|
security ike gateway IKE_GW_HUB
|
|
ike-policy IKE_POL
|
|
local address 91.240.179.239
|
|
local network 91.240.179.239/32 protocol gre
|
|
remote address any
|
|
remote network 78.85.13.42/32 protocol gre
|
|
remote network 85.140.32.27/32 protocol gre
|
|
remote network 5.227.124.143/32 protocol gre
|
|
remote network 78.85.13.93/32 protocol gre
|
|
mode policy-based
|
|
exit
|
|
|
|
security ike gateway IKE_GW_SPOKE
|
|
ike-policy IKE_POL
|
|
local address 91.240.179.239
|
|
local network 91.240.179.239/32 protocol gre
|
|
remote address any
|
|
remote network any protocol gre
|
|
mode policy-based
|
|
exit
|
|
|
|
security ipsec proposal IPSEC_PROP
|
|
encryption algorithm aes128
|
|
exit
|
|
|
|
security ipsec policy IPSEC_POL_HUB
|
|
proposal IPSEC_PROP
|
|
exit
|
|
|
|
security ipsec vpn IPSEC_VPN_HUB
|
|
mode ike
|
|
type transport
|
|
ike establish-tunnel route
|
|
ike gateway IKE_GW_HUB
|
|
ike ipsec-policy IPSEC_POL_HUB
|
|
enable
|
|
exit
|
|
|
|
security ipsec vpn IPSEC_VPN_SPOKE
|
|
mode ike
|
|
type transport
|
|
ike establish-tunnel route
|
|
ike gateway IKE_GW_SPOKE
|
|
ike ipsec-policy IPSEC_POL_HUB
|
|
enable
|
|
exit
|
|
|
|
security passwords min-length 5
|
|
security passwords numeric-count 1
|
|
security passwords upper-case 1
|
|
security passwords history 0
|
|
security passwords default-expired
|
|
ip firewall sessions tcp-estabilished-timeout 3600
|
|
ip firewall sessions tcp-connect-timeout 120
|
|
ip firewall sessions tcp-disconnect-timeout 60
|
|
ip firewall sessions tcp-latecome-timeout 240
|
|
|
|
nat source
|
|
ruleset SNAT
|
|
to zone WAN
|
|
rule 10
|
|
match source-address OBJ_NET_NAT_USERS
|
|
action source-nat interface
|
|
enable
|
|
exit
|
|
exit
|
|
exit
|
|
|
|
ip dhcp-relay
|
|
ip dhcp information option
|
|
|
|
ip route 0.0.0.0/0 91.240.179.254
|
|
ip route 10.14.104.0/21 blackhole 254
|
|
|
|
ip ssh server
|
|
ip ssh authentication algorithm md5 disable
|
|
ip ssh authentication algorithm md5-96 disable
|
|
ip ssh authentication algorithm ripemd160 disable
|
|
ip ssh authentication algorithm sha1 disable
|
|
ip ssh authentication algorithm sha1-96 disable
|
|
ip ssh encryption algorithm aes128 disable
|
|
ip ssh encryption algorithm aes128ctr disable
|
|
ip ssh encryption algorithm aes192 disable
|
|
ip ssh encryption algorithm aes192ctr disable
|
|
ip ssh encryption algorithm arcfour disable
|
|
ip ssh encryption algorithm arcfour128 disable
|
|
ip ssh encryption algorithm arcfour256 disable
|
|
ip ssh encryption algorithm blowfish disable
|
|
ip ssh encryption algorithm cast128 disable
|
|
ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
|
|
ip ssh key-exchange algorithm dh-group1-sha1 disable
|
|
ip ssh key-exchange algorithm dh-group14-sha1 disable
|
|
ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
|
|
ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
|
|
ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable
|
|
|
|
lldp enable
|
|
|
|
clock timezone gmt +4
|
|
|
|
ntp enable
|
|
ntp source address 10.111.56.2
|
|
ntp server 91.240.179.254
|
|
prefer
|
|
minpoll 4
|
|
exit
|
|
ntp server 10.1.8.1
|
|
minpoll 4
|
|
exit
|
|
ntp server 10.4.0.1
|
|
minpoll 4
|
|
exit
|
|
|
|
zabbix-agent
|
|
active-server 192.168.8.99
|
|
hostname MSK-MLK-NOV2-RT-1-2
|
|
remote-commands
|
|
server 192.168.8.99
|
|
source-address 10.111.56.2
|
|
timeout 30
|
|
enable
|
|
exit |