2177 lines
59 KiB
Plaintext
2177 lines
59 KiB
Plaintext
Building configuration...
|
|
|
|
Current configuration : 60494 bytes
|
|
!
|
|
! Last configuration change at 10:47:49 IZH Thu Jul 28 2022 by adm_kapustinal
|
|
! NVRAM config last updated at 10:47:57 IZH Thu Jul 28 2022 by adm_kapustinal
|
|
!
|
|
version 15.5
|
|
no service pad
|
|
service timestamps debug datetime msec localtime show-timezone year
|
|
service timestamps log datetime msec localtime show-timezone year
|
|
service password-encryption
|
|
service sequence-numbers
|
|
service counters max age 5
|
|
!
|
|
hostname IZH-KG-P11-SW-1-1
|
|
!
|
|
boot-start-marker
|
|
boot system flash bootdisk:/s2t54-adventerprisek9-mz.SPA.155-1.SY3.bin
|
|
boot-end-marker
|
|
!
|
|
!
|
|
vrf definition VRF-PI
|
|
rd 100:1
|
|
!
|
|
address-family ipv4
|
|
route-target export 100:1
|
|
route-target import 100:1
|
|
exit-address-family
|
|
!
|
|
vrf definition VRF-RT_CLOUD
|
|
rd 100:4039
|
|
!
|
|
address-family ipv4
|
|
exit-address-family
|
|
!
|
|
vrf definition VRF-UZB
|
|
rd 400:400
|
|
!
|
|
address-family ipv4
|
|
import ipv4 unicast map RM_UZB_IMPORT
|
|
exit-address-family
|
|
!
|
|
vrf definition VRF_WIFI_GUEST
|
|
!
|
|
address-family ipv4
|
|
exit-address-family
|
|
!
|
|
security authentication failure rate 5 log
|
|
logging buffered 32768 informational
|
|
enable secret 5 $1$bkfE$/NjXI2VJj62G6IA/cMtlb1
|
|
!
|
|
username netadmin privilege 15 secret 9 $9$pC1NoOajaeJ5aL$LdWopDmb3JVIzBXaa2ASeE363bZlxkINA5GPl9COIdo
|
|
aaa new-model
|
|
!
|
|
!
|
|
aaa group server radius NPS
|
|
server name IZH-RDS002
|
|
server name P11-RDS003
|
|
ip radius source-interface Vlan100
|
|
load-balance method least-outstanding
|
|
!
|
|
aaa authentication login default group NPS local enable
|
|
aaa authentication login CONSOLE local group NPS
|
|
aaa authorization exec default group NPS local if-authenticated
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
aaa session-id common
|
|
platform ip cef load-sharing ip-only
|
|
clock timezone IZH 4 0
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
no ip source-route
|
|
no ip gratuitous-arps
|
|
!
|
|
!
|
|
no ip bootp server
|
|
no ip domain-lookup
|
|
ip domain-name komos.ru
|
|
ip host VM-KG-NET 10.1.12.70
|
|
ip host tftp 10.4.0.214
|
|
|
|
login on-failure log
|
|
login on-success log
|
|
vtp mode transparent
|
|
no device-tracking logging theft
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
archive
|
|
log config
|
|
logging enable
|
|
logging size 900
|
|
notify syslog contenttype plaintext
|
|
hidekeys
|
|
path tftp://tftp/IZH/KG/P11-SW_L3/$H.$T.conf
|
|
write-memory
|
|
time-period 10080
|
|
object-group ip address OBJ_LOCAL_DNS
|
|
host-info 192.168.8.200
|
|
host-info 192.168.8.201
|
|
host-info 192.168.1.21
|
|
host-info 192.168.1.100
|
|
!
|
|
object-group ip address OBJ_LOCAL_TRAFFIC
|
|
10.0.0.0 255.0.0.0
|
|
172.16.0.0 255.240.0.0
|
|
192.168.0.0 255.255.0.0
|
|
!
|
|
!
|
|
spanning-tree mode rapid-pvst
|
|
spanning-tree extend system-id
|
|
spanning-tree vlan 1-4094 priority 16384
|
|
port-channel load-balance src-dst-mixed-ip-port
|
|
!
|
|
redundancy
|
|
main-cpu
|
|
auto-sync running-config
|
|
mode sso
|
|
bfd-template single-hop p2p
|
|
interval min-tx 300 min-rx 300 multiplier 3
|
|
!
|
|
bfd-template single-hop test
|
|
interval min-tx 50 min-rx 50 multiplier 3
|
|
!
|
|
!
|
|
vlan internal allocation policy ascending
|
|
vlan access-log ratelimit 2000
|
|
!
|
|
vlan 2
|
|
name KG_LAN-USER
|
|
!
|
|
vlan 3
|
|
name KG_LAN-RESTRICTED
|
|
!
|
|
vlan 4
|
|
name KG_LAN-VDI
|
|
!
|
|
vlan 5
|
|
name KG_LAN-ADMIN
|
|
!
|
|
vlan 6
|
|
name IMP-LAN
|
|
!
|
|
vlan 7
|
|
name MK_Users
|
|
!
|
|
vlan 8
|
|
name KG_VOIP_TEST_USERS
|
|
!
|
|
vlan 9
|
|
name Kaznach_restrict
|
|
!
|
|
vlan 11
|
|
name KG_LAN-AS199014
|
|
!
|
|
vlan 12
|
|
name UNIFI_NETWORK
|
|
!
|
|
vlan 20
|
|
name DMZ-1
|
|
!
|
|
vlan 22
|
|
!
|
|
vlan 25
|
|
name VoIP
|
|
!
|
|
vlan 26
|
|
name MGMT_ASA
|
|
!
|
|
vlan 50
|
|
name MS_DYN_AX_SQL
|
|
!
|
|
vlan 99
|
|
name Users_KU9
|
|
!
|
|
vlan 100
|
|
name Inbound_management
|
|
!
|
|
vlan 101
|
|
name WDS
|
|
!
|
|
vlan 149
|
|
name -KG-MGMT-INT-10.1.254.0/24-
|
|
!
|
|
vlan 150
|
|
name KG_WIFI-USER
|
|
!
|
|
vlan 151
|
|
name KG_KOMOS-CONF
|
|
!
|
|
vlan 152
|
|
name KG-ARUBA-USERS
|
|
!
|
|
vlan 153
|
|
name KG-ARUBA-USERS-GUEST
|
|
!
|
|
vlan 154
|
|
name Eltex_WiFi_Test
|
|
!
|
|
vlan 200
|
|
name KG_MGMT-SRV
|
|
!
|
|
vlan 201
|
|
name KG_LAN-SRV
|
|
!
|
|
vlan 202
|
|
name KG_LAN-SRV-DMZ
|
|
!
|
|
vlan 204
|
|
name KG_SRV_KAZNACHEYSTVO
|
|
!
|
|
vlan 205
|
|
name SRV_UZB
|
|
!
|
|
vlan 249
|
|
name --KG-SRV-BKP-10.1.249.0/26--
|
|
!
|
|
vlan 253
|
|
name exchange_komos-group
|
|
!
|
|
vlan 289
|
|
name --OCOD_VLAN_1--
|
|
!
|
|
vlan 296
|
|
name -MLK-KCOD-SRV-All_10.1.123.0/24-
|
|
!
|
|
vlan 297
|
|
name -MLK-KCOD-SRV-Exchange_10.1.122.
|
|
!
|
|
vlan 298
|
|
name -MLK-KCOD-MGM-NET_10.1.121.0/24-
|
|
!
|
|
vlan 300
|
|
name KG_MGMT-NET
|
|
!
|
|
vlan 301
|
|
name KG_MGMT-WIFI
|
|
!
|
|
vlan 302
|
|
name WifI_MGM_Aruba_test
|
|
!
|
|
vlan 303
|
|
name KG-ARUBA-AP
|
|
!
|
|
vlan 304
|
|
name WIFI_ARUBA_MGM
|
|
!
|
|
vlan 307
|
|
name SKUD
|
|
!
|
|
vlan 310
|
|
name --MGM_UPS--
|
|
!
|
|
vlan 349
|
|
name MLK_LAN-DATACENTER-2
|
|
!
|
|
vlan 350
|
|
name IMP-VOIP
|
|
!
|
|
vlan 351
|
|
name KG_VOIP
|
|
!
|
|
vlan 352
|
|
name KG_VOIP_TEST
|
|
!
|
|
vlan 400
|
|
name -Video_UZB-
|
|
!
|
|
vlan 500
|
|
name KG_WIFI-GUEST
|
|
!
|
|
vlan 551
|
|
name --TRANSIT_HSRP--
|
|
!
|
|
vlan 556
|
|
name P2P_iBGP_KOMOS_AS_over_ER_Teleco
|
|
!
|
|
vlan 557
|
|
name P2P_iBGP_KOMOS_AS_over_MTS
|
|
!
|
|
vlan 558
|
|
name -L2VPN-PVE_HA_ERTLC-
|
|
!
|
|
vlan 559
|
|
name -L2VPN-PVE_HA_MTS-
|
|
!
|
|
vlan 596
|
|
name P2P_RCOD-OCOD_ER_Telecom
|
|
!
|
|
vlan 598
|
|
name -KG-COD-Transit-Core-
|
|
!
|
|
vlan 599
|
|
name -MLK-KCOD-Trunk_172.30.30.0/27-
|
|
!
|
|
vlan 1113
|
|
name PI_RT-1-3
|
|
!
|
|
vlan 3074
|
|
name --RT_DMVPN--
|
|
!
|
|
vlan 3088
|
|
name ISP-KG_MTS-IP
|
|
!
|
|
vlan 3333
|
|
name HUAWEI_WIFI_NETWORK
|
|
!
|
|
vlan 3334
|
|
name HUAWEI_WIFI_NETWORK_USERS
|
|
!
|
|
vlan 3915
|
|
name --TEST_ZLOBIN_DENIS_UNTIL_01.07-
|
|
!
|
|
vlan 4035
|
|
name -MLK-KCOD-Reserv_172.31.35.0/2
|
|
!
|
|
vlan 4039
|
|
name CLOUD_RT
|
|
!
|
|
vlan 4040
|
|
name KG_LAN-SZB
|
|
!
|
|
vlan 4041
|
|
name --VLAN_P11_VS17--
|
|
!
|
|
vlan 4092
|
|
name ISP-Beeline_Kaznach
|
|
!
|
|
vlan 4093
|
|
name ISP-IMP_ERTEL
|
|
!
|
|
track 1 ip sla 1 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 11 ip sla 11 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 12 ip sla 12 reachability
|
|
!
|
|
track 13 ip sla 13 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 104 ip sla 104 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 105 ip sla 105 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 107 ip sla 107 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 109 ip sla 109 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 110 ip sla 110 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 111 list boolean and
|
|
object 1
|
|
object 11
|
|
!
|
|
track 112 ip sla 112 reachability
|
|
delay down 10 up 5
|
|
!
|
|
track 222 list boolean and
|
|
object 110
|
|
object 112
|
|
!
|
|
!
|
|
class-map match-any class-copp-icmp-redirect-unreachable
|
|
class-map match-all class-copp-glean
|
|
class-map match-all class-copp-receive
|
|
class-map match-all class-copp-options
|
|
class-map match-all CM_WEB_LOCAL
|
|
match access-group name WEB_LOCAL
|
|
class-map match-any CM_RDP
|
|
match access-group name RDP
|
|
class-map match-all class-copp-broadcast
|
|
class-map match-all class-copp-mcast-acl-bridged
|
|
class-map match-all class-copp-slb
|
|
class-map match-all class-copp-mtu-fail
|
|
class-map match-all class-copp-ttl-fail
|
|
class-map match-all class-copp-arp-snooping
|
|
class-map match-any class-copp-mcast-copy
|
|
class-map match-any class-copp-ip-connected
|
|
class-map match-any class-copp-match-igmp
|
|
match access-group name acl-copp-match-igmp
|
|
class-map match-all class-copp-unknown-protocol
|
|
class-map match-any class-copp-vacl-log
|
|
class-map match-all class-copp-mcast-ipv6-control
|
|
class-map match-any class-copp-match-pimv6-data
|
|
match access-group name acl-copp-match-pimv6-data
|
|
class-map match-any class-copp-mcast-punt
|
|
class-map match-all class-copp-unsupp-rewrite
|
|
class-map match-all class-copp-ucast-egress-acl-bridged
|
|
class-map match-all class-copp-ip-admission
|
|
class-map match-any CM_QoS_CS3
|
|
match dscp cs3 af31 af32 af33
|
|
class-map match-any CM_QoS_CS2
|
|
match dscp cs2 af21 af22 af23
|
|
class-map match-any CM_QoS_CS1
|
|
match dscp cs1 af11 af12 af13
|
|
class-map match-any class-copp-dpss-divert
|
|
class-map match-any CM_QoS_CS0
|
|
match dscp default 1 2 3
|
|
class-map match-any CM_QoS_CS7
|
|
match dscp cs7
|
|
class-map match-any CM_QoS_CS6
|
|
match dscp cs6 49
|
|
class-map match-any CM_QoS_CS5
|
|
match dscp cs5 41 42 45 ef 47
|
|
class-map match-any CM_QoS_CS4
|
|
match dscp cs4 af41 af42 af43
|
|
class-map match-all class-copp-service-insertion
|
|
class-map match-all class-copp-mac-pbf
|
|
class-map match-any class-copp-match-mld
|
|
match access-group name acl-copp-match-mld
|
|
class-map match-all class-copp-ucast-ingress-acl-bridged
|
|
class-map match-all class-copp-dhcp-snooping
|
|
class-map match-all class-copp-wccp
|
|
class-map match-all class-copp-nd
|
|
class-map match-any class-copp-ipv6-connected
|
|
class-map match-all class-copp-mcast-rpf-fail
|
|
class-map match-any class-copp-match-ndv6hl
|
|
match access-group name acl-copp-match-ndv6hl
|
|
class-map match-any class-copp-ucast-rpf-fail
|
|
class-map match-all class-copp-mcast-ip-control
|
|
class-map match-any class-copp-match-pim-data
|
|
match access-group name acl-copp-match-pim-data
|
|
class-map match-any class-copp-match-ndv6
|
|
match access-group name acl-copp-match-ndv6
|
|
class-map match-any class-copp-mcast-v4-data-on-routedPort
|
|
class-map match-any class-copp-mcast-v6-data-on-routedPort
|
|
!
|
|
policy-map policy-default-autocopp
|
|
class class-copp-mcast-v4-data-on-routedPort
|
|
police rate 10 pps burst 1 packets conform-action drop exceed-action drop
|
|
class class-copp-mcast-v6-data-on-routedPort
|
|
police rate 10 pps burst 1 packets conform-action drop exceed-action drop
|
|
class class-copp-match-mld
|
|
police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
|
|
class class-copp-match-igmp
|
|
police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
|
|
class class-copp-icmp-redirect-unreachable
|
|
police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
|
|
class class-copp-ucast-rpf-fail
|
|
police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
|
|
class class-copp-vacl-log
|
|
police rate 2000 pps burst 1 packets conform-action transmit exceed-action drop
|
|
class class-copp-mcast-punt
|
|
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
|
|
class class-copp-mcast-copy
|
|
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
|
|
class class-copp-ip-connected
|
|
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
|
|
class class-copp-ipv6-connected
|
|
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
|
|
class class-copp-match-pim-data
|
|
police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
|
|
class class-copp-match-pimv6-data
|
|
police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
|
|
class class-copp-match-ndv6
|
|
police rate 1000 pps burst 1000 packets conform-action set-discard-class-transmit 48 exceed-action drop
|
|
policy-map PM_QoS_CLASS_IN
|
|
class CM_QoS_CS7
|
|
set dscp cs7
|
|
class CM_QoS_CS6
|
|
set dscp cs6
|
|
class CM_QoS_CS5
|
|
set dscp cs5
|
|
class CM_QoS_CS4
|
|
set dscp cs4
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
crypto isakmp policy 20
|
|
encr aes 256
|
|
authentication pre-share
|
|
group 2
|
|
crypto isakmp key KGp11KuMK2021 address 94.138.150.1
|
|
crypto isakmp key KGp11KuMK2021 address 178.47.128.98
|
|
!
|
|
!
|
|
crypto ipsec transform-set TS_GREIPSEC esp-aes 256 esp-sha-hmac
|
|
mode transport require
|
|
crypto ipsec df-bit clear
|
|
!
|
|
crypto ipsec profile GRE_IPSEC
|
|
set transform-set TS_GREIPSEC
|
|
set pfs group2
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
interface Loopback1
|
|
ip address 10.1.255.255 255.255.255.255
|
|
!
|
|
interface Loopback11
|
|
ip address 91.240.179.254 255.255.255.255
|
|
!
|
|
interface Loopback7777
|
|
description TK5732m - TK5733m
|
|
no ip address
|
|
shutdown
|
|
!
|
|
interface Port-channel1
|
|
description [KU] SW-1a-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel2
|
|
description [KU] SW-1c-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel3
|
|
description [KU] SW-2-3
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel4
|
|
description [KU] SW-2-4
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel5
|
|
description [KU] SW-2-2
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel7
|
|
description [KU] SW-3-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel8
|
|
description [KU] SW-4-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel9
|
|
description [KU] SW-4-2
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel10
|
|
description [KU] SW-5-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel11
|
|
description [KU] SW-8b-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel12
|
|
no ip address
|
|
shutdown
|
|
!
|
|
interface Port-channel13
|
|
description Link to SW-2960-DC
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel14
|
|
description [KU] SW-9-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel15
|
|
description [KU] SW-2-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel16
|
|
description [CORE] SW-1-2
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel17
|
|
description [KU] SW-10-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel18
|
|
description [KU] SW-6-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel19
|
|
description [KU] SW-7-1
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Port-channel20
|
|
description [KU] SW-9-2
|
|
switchport
|
|
switchport mode trunk
|
|
!
|
|
interface Tunnel11
|
|
description VPN to ATLANTIS, First channel
|
|
ip address 10.1.50.45 255.255.255.252
|
|
no ip redirects
|
|
ip directed-broadcast
|
|
shutdown
|
|
keepalive 5 5
|
|
tunnel source 91.240.179.254
|
|
tunnel destination 88.80.33.182
|
|
!
|
|
interface Tunnel22
|
|
description [VPN] GLZ-TK-TKG
|
|
ip address 10.1.50.85 255.255.255.252
|
|
no ip redirects
|
|
ip mtu 1400
|
|
ip tcp adjust-mss 1360
|
|
tunnel source 91.240.179.254
|
|
tunnel destination 95.215.208.240
|
|
!
|
|
interface Tunnel23
|
|
description [VPN] GLZ-TK-TKG
|
|
ip address 10.1.50.89 255.255.255.252
|
|
no ip redirects
|
|
ip mtu 1400
|
|
ip tcp adjust-mss 1360
|
|
tunnel source 91.240.179.254
|
|
tunnel destination 146.120.104.235
|
|
!
|
|
interface Tunnel24
|
|
description [VPN] MZH-TK-TKM
|
|
ip address 10.1.50.93 255.255.255.252
|
|
no ip redirects
|
|
ip mtu 1400
|
|
ip tcp adjust-mss 1360
|
|
tunnel source 91.240.179.254
|
|
tunnel destination 88.80.32.230
|
|
!
|
|
interface Tunnel25
|
|
description [VPN] MZH-TK-TKM
|
|
ip address 10.1.50.97 255.255.255.252
|
|
no ip redirects
|
|
ip mtu 1400
|
|
ip tcp adjust-mss 1360
|
|
shutdown
|
|
tunnel source 91.240.179.254
|
|
tunnel destination 78.85.35.34
|
|
!
|
|
interface Tunnel31
|
|
description KGR-KUMK-KUMK
|
|
ip address 10.1.50.1 255.255.255.252
|
|
ip access-group ACL_FROM_KUMK in
|
|
no ip redirects
|
|
ip mtu 1426
|
|
shutdown
|
|
keepalive 10 10
|
|
tunnel source 91.240.179.254
|
|
tunnel destination 94.138.150.1
|
|
tunnel protection ipsec profile GRE_IPSEC
|
|
!
|
|
interface Tunnel32
|
|
description KGR-PRM
|
|
ip address 172.30.31.1 255.255.255.252
|
|
no ip redirects
|
|
shutdown
|
|
keepalive 10 10
|
|
tunnel source 91.240.179.254
|
|
tunnel destination 178.47.128.98
|
|
tunnel protection ipsec profile GRE_IPSEC
|
|
!
|
|
interface GigabitEthernet1/1
|
|
description [KU] Po1 SW-1a-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 1 mode on
|
|
!
|
|
interface GigabitEthernet1/2
|
|
description [KU] Po2 SW-1c-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 2 mode on
|
|
!
|
|
interface GigabitEthernet1/3
|
|
description [KU] Po3 SW-2-3
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 3 mode on
|
|
!
|
|
interface GigabitEthernet1/4
|
|
description [KU] Po4 SW-2-4
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 4 mode on
|
|
!
|
|
interface GigabitEthernet1/5
|
|
description [KU] Po5 SW-2-2
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 5 mode on
|
|
!
|
|
interface GigabitEthernet1/6
|
|
description [KU] Po20 SW-9-2
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 20 mode active
|
|
!
|
|
interface GigabitEthernet1/7
|
|
description [KU] Po7 SW-3-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 7 mode on
|
|
!
|
|
interface GigabitEthernet1/8
|
|
description [KU] Po8 SW-4-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 8 mode on
|
|
!
|
|
interface GigabitEthernet1/9
|
|
description [KU] Po9 SW-4-2
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 9 mode on
|
|
!
|
|
interface GigabitEthernet1/10
|
|
description [KU] Po10 SW-5-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 10 mode on
|
|
!
|
|
interface GigabitEthernet1/11
|
|
description [KU] Po11 SW-8b-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 11 mode on
|
|
!
|
|
interface GigabitEthernet1/12
|
|
description [KU] Po14 SW-9-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
channel-group 14 mode on
|
|
!
|
|
interface GigabitEthernet1/13
|
|
description [KU] Po15 SW-2-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
channel-group 15 mode on
|
|
!
|
|
interface GigabitEthernet1/14
|
|
description [KU] Po17 SW-10-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
channel-group 17 mode on
|
|
!
|
|
interface GigabitEthernet1/15
|
|
description [KU] Po18 SW-6-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
channel-group 18 mode on
|
|
!
|
|
interface GigabitEthernet1/16
|
|
description PC 13 LINK_TO_SW-2960-DC
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
channel-group 13 mode on
|
|
!
|
|
interface GigabitEthernet1/17
|
|
description [KU] Po19 SW-7-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
channel-group 19 mode on
|
|
!
|
|
interface GigabitEthernet1/18
|
|
description [CORE] SW-1-3
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
hold-queue 4096 in
|
|
hold-queue 4096 out
|
|
!
|
|
interface GigabitEthernet1/19
|
|
description [CORE] Po16 SW-1-2
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 16 mode on
|
|
!
|
|
interface GigabitEthernet1/20
|
|
description [CORE] Po16 SW-1-2
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 16 mode on
|
|
!
|
|
interface GigabitEthernet1/21
|
|
description [ISP-500M] L2VPN-to-CLOUD-RT
|
|
switchport
|
|
switchport mode access
|
|
switchport access vlan 4039
|
|
switchport block unicast
|
|
logging event link-status
|
|
logging event trunk-status
|
|
no cdp enable
|
|
no lldp transmit
|
|
no lldp receive
|
|
spanning-tree bpdufilter enable
|
|
spanning-tree guard root
|
|
!
|
|
interface GigabitEthernet1/22
|
|
description [KU] Po15 SW-2-1
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
channel-group 15 mode on
|
|
!
|
|
interface GigabitEthernet1/23
|
|
description FREE
|
|
switchport
|
|
switchport mode trunk
|
|
switchport trunk allowed vlan 599,4030-4035
|
|
logging event link-status
|
|
logging event trunk-status
|
|
shutdown
|
|
!
|
|
interface GigabitEthernet1/24
|
|
description [CORE] RT-1-2
|
|
switchport
|
|
switchport mode trunk
|
|
logging event link-status
|
|
logging event trunk-status
|
|
!
|
|
interface GigabitEthernet5/1
|
|
description FREE
|
|
no ip address
|
|
shutdown
|
|
!
|
|
interface GigabitEthernet5/2
|
|
description admin_vlan
|
|
switchport
|
|
switchport mode access
|
|
switchport access vlan 5
|
|
!
|
|
interface GigabitEthernet5/3
|
|
no ip address
|
|
shutdown
|
|
!
|
|
interface TenGigabitEthernet5/4
|
|
description VSS_LINK_SWITCH2_member
|
|
no ip address
|
|
shutdown
|
|
!
|
|
interface TenGigabitEthernet5/5
|
|
description VSS_LINK_SWITCH2_member
|
|
no ip address
|
|
shutdown
|
|
!
|
|
interface Vlan1
|
|
description LAN
|
|
ip address 192.168.252.254 255.255.255.0 secondary
|
|
ip address 10.1.17.254 255.255.255.0 secondary
|
|
ip address 192.168.1.254 255.255.252.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
ip policy route-map VLAN1-ROUTING
|
|
!
|
|
interface Vlan2
|
|
description KG-LOCAL-USERS
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.7.254 255.255.252.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
ip nat inside
|
|
ip policy route-map R2-MTS_R1-BGP
|
|
!
|
|
interface Vlan3
|
|
description KG_LAN-RESTRICTED
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.18.254 255.255.255.0
|
|
ip access-group VLAN3_OUT in
|
|
ip access-group VLAN3_FIREWALL out
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
ip policy route-map VLAN3-ROUTING
|
|
!
|
|
interface Vlan5
|
|
description KG_LAN-ADMIN
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.19.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
ip policy route-map RM_TEST_INET
|
|
!
|
|
interface Vlan6
|
|
description IMP_LOCAL
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.26.254 255.255.255.0
|
|
ip access-group IMP_LOCAL_IN in
|
|
ip access-group IMP_LOCAL_OUT out
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
ip policy route-map IMP-ROUTING
|
|
!
|
|
interface Vlan8
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.46.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan9
|
|
description Kaznach_restrict
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.55.254 255.255.255.0
|
|
ip access-group VLAN9_RESTRICTED in
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan11
|
|
description EXTERNAL_POOL
|
|
ip unnumbered Loopback11
|
|
no ip unreachables
|
|
!
|
|
interface Vlan12
|
|
description UNIFI_NETWORK
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.12.62 255.255.255.192
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
!
|
|
interface Vlan20
|
|
description DMZ-1
|
|
ip address 10.1.12.94 255.255.255.224
|
|
no ip unreachables
|
|
!
|
|
interface Vlan25
|
|
ip address 10.1.25.254 255.255.255.0
|
|
no ip unreachables
|
|
shutdown
|
|
!
|
|
interface Vlan99
|
|
description Users_KU9
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.39.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
ip nat inside
|
|
ip policy route-map RM_USERS_KU9
|
|
!
|
|
interface Vlan100
|
|
description MGMT
|
|
ip address 10.1.1.1 255.255.255.0
|
|
ip access-group ACL_BLOCK_CISCO in
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan149
|
|
description -KG-MGMT-INT-10.1.254.0/24-
|
|
ip address 10.1.254.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan150
|
|
description KG_WIFI-USER
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.13.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
ip nat inside
|
|
ip policy route-map R2-MTS-TV-WIFI
|
|
!
|
|
interface Vlan151
|
|
description KG_KOMOS-CONF
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.28.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
!
|
|
interface Vlan152
|
|
description KG-ARUBA-USERS
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.35.254 255.255.254.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
ip policy route-map R2-MTS-TV-WIFI
|
|
!
|
|
interface Vlan154
|
|
description Eltex WiFi
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.154.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
!
|
|
interface Vlan200
|
|
description KG_MGMT-SRV
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.3.254 255.255.254.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan201
|
|
description KG_LAN-SRV
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.9.254 255.255.254.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
ip policy route-map RM_TEST_INET
|
|
!
|
|
interface Vlan202
|
|
description --DMZ--
|
|
ip address 10.1.24.254 255.255.255.0
|
|
ip access-group ACL-DMZ_LOCAL_IN in
|
|
ip access-group ACL-DMZ_LOCAL_OUT out
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan204
|
|
description --Kaznacheystvo_KG--
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.45.142 255.255.255.240
|
|
ip access-group ACL_FIREWALL_KAZ-OUT out
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
ip policy route-map RM_FOR_KAZNACH_KG
|
|
!
|
|
interface Vlan205
|
|
description [SRV] UZB Servers
|
|
ip address 10.1.45.158 255.255.255.240
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan249
|
|
description --KG-SRV-BKP-10.1.249.0/26--
|
|
ip address 10.1.249.62 255.255.255.192
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan251
|
|
no ip address
|
|
no ip unreachables
|
|
shutdown
|
|
!
|
|
interface Vlan253
|
|
description Exchange KOMOS-GROUP.RU
|
|
ip address 10.1.44.254 255.255.255.0
|
|
no ip unreachables
|
|
!
|
|
interface Vlan289
|
|
description --OCOD_VLAN_1--
|
|
ip address 192.168.8.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
shutdown
|
|
!
|
|
interface Vlan296
|
|
description -MLK-KCOD-SRV-All_10.1.123.0/24-
|
|
ip address 10.1.123.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan297
|
|
description -MLK-KCOD-SRV-Exchange_10.1.122.0/24-
|
|
ip address 10.1.122.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan298
|
|
description -MLK-KCOD-MGM-SRV_10.1.120.0/24-
|
|
ip address 10.1.120.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan301
|
|
description KG_MGMT-WIFI
|
|
no ip address
|
|
no ip unreachables
|
|
shutdown
|
|
!
|
|
interface Vlan302
|
|
description Aruba_test_WiFi_MGM
|
|
ip address 10.1.32.254 255.255.255.0
|
|
no ip unreachables
|
|
!
|
|
interface Vlan303
|
|
description KG-GW-ARUBA-AP
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.33.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
!
|
|
interface Vlan304
|
|
description WIFI_ARUBA_MGM
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.38.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip unreachables
|
|
!
|
|
interface Vlan307
|
|
description SKUD
|
|
ip address 10.1.45.126 255.255.255.128
|
|
no ip redirects
|
|
no ip unreachables
|
|
!
|
|
interface Vlan310
|
|
description MGM_UPS
|
|
ip address 10.1.37.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan349
|
|
description -MLK-KCOD-MGM-NET_10.1.121.0/24-
|
|
ip address 10.1.121.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan350
|
|
description KG-VoIP_AREA
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.27.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
ip policy route-map IMP-ROUTING
|
|
!
|
|
interface Vlan351
|
|
description KG_VOIP
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.23.254 255.255.252.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
ip policy route-map R2-MTS_R1-BGP
|
|
!
|
|
interface Vlan352
|
|
description KG_VOIP_TEST
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.36.254 255.255.255.0
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan400
|
|
description -Video_UZB-
|
|
vrf forwarding VRF-UZB
|
|
ip address 192.168.248.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
ip nat outside
|
|
!
|
|
interface Vlan500
|
|
description KG_WIFI-GUEST exp 28.08.22
|
|
ip dhcp relay information trusted
|
|
ip address 10.1.14.253 255.255.255.254
|
|
ip access-group ACL_WIFI_GUEST_DHCP in
|
|
ip access-group ACL_WIFI_GUEST_DHCP out
|
|
ip helper-address 10.1.8.229
|
|
ip helper-address 10.1.8.228
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan551
|
|
description --TRANSIT_HSRP--
|
|
ip address 10.1.239.22 255.255.255.240
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan596
|
|
description L2VPN_DOMRU_IZM-BGP-P11
|
|
ip address 172.30.32.2 255.255.255.252
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
bfd template p2p
|
|
!
|
|
interface Vlan598
|
|
description --BGP_KG_COD_TRANSIT--
|
|
ip address 172.30.30.46 255.255.255.240
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan599
|
|
description L2VPN_MTS_IZM-BGP-P11
|
|
ip address 172.30.30.2 255.255.255.224
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
bfd template p2p
|
|
!
|
|
interface Vlan1113
|
|
description [PI] IZH-KG-P11-RT-1-3
|
|
ip unnumbered Loopback11
|
|
no ip redirects
|
|
no ip unreachables
|
|
!
|
|
interface Vlan4035
|
|
description VCentr_GW-Reserv_172.31.35.0/24-SHUT
|
|
ip address 172.31.35.254 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan4039
|
|
description L2VPN-to-CLOUD-RT
|
|
ip address 10.1.31.252 255.255.255.0
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
!
|
|
interface Vlan4041
|
|
description --VLAN_P11_VS17--
|
|
ip address 172.31.2.1 255.255.255.252
|
|
no ip redirects
|
|
no ip unreachables
|
|
no ip proxy-arp
|
|
ip tcp adjust-mss 1360
|
|
ip policy route-map RM_NAT_MK
|
|
!
|
|
router bgp 64513
|
|
bgp router-id 172.30.30.46
|
|
bgp log-neighbor-changes
|
|
bgp graceful-restart
|
|
neighbor PG_BGP_IZM-P11 peer-group
|
|
neighbor PG_BGP_IZM-P11 remote-as 64512
|
|
neighbor PG_BGP_IZM-P11 description BGP over L2VPN
|
|
neighbor PG_BGP_IZM-P11 fall-over bfd
|
|
neighbor 10.1.1.5 remote-as 64513
|
|
neighbor 10.1.1.5 description Virtual_Mikrotik
|
|
neighbor 10.1.1.5 update-source Vlan100
|
|
neighbor 10.1.1.109 remote-as 64513
|
|
neighbor 10.1.1.109 description --CISCO_ASAv--
|
|
neighbor 10.1.1.110 remote-as 64513
|
|
neighbor 10.1.1.110 description --CISCO_ASA--
|
|
neighbor 10.1.1.111 remote-as 64513
|
|
neighbor 10.1.1.111 description FW-1-3
|
|
neighbor 10.1.1.112 remote-as 64513
|
|
neighbor 10.1.1.112 description description FW-1-4
|
|
neighbor 172.30.30.1 peer-group PG_BGP_IZM-P11
|
|
neighbor 172.30.30.41 remote-as 64513
|
|
neighbor 172.30.30.42 remote-as 64513
|
|
neighbor 172.30.30.44 remote-as 199014
|
|
neighbor 172.30.30.44 description --BGP_WITH_3945-1--
|
|
neighbor 172.30.30.45 remote-as 199014
|
|
neighbor 172.30.30.45 description --BGP_WITH_3945-1--
|
|
neighbor 172.30.32.1 peer-group PG_BGP_IZM-P11
|
|
neighbor 172.31.2.2 remote-as 64520
|
|
neighbor 172.31.2.2 description --MEAT_KOMPANY--
|
|
!
|
|
address-family ipv4
|
|
network 10.0.0.0 mask 255.252.0.0
|
|
network 10.0.24.0 mask 255.255.255.0
|
|
network 10.0.26.0 mask 255.255.255.0
|
|
network 10.1.0.0 mask 255.255.0.0
|
|
network 10.1.4.0 mask 255.255.252.0
|
|
network 10.1.12.64 mask 255.255.255.224
|
|
network 10.1.13.0 mask 255.255.255.0
|
|
network 10.1.14.0 mask 255.255.255.0
|
|
network 10.1.16.0 mask 255.255.255.0
|
|
network 10.1.17.0 mask 255.255.255.0
|
|
network 10.1.18.0 mask 255.255.255.0
|
|
network 10.1.19.0 mask 255.255.255.0
|
|
network 10.1.20.0 mask 255.255.252.0
|
|
network 10.1.26.0 mask 255.255.255.0
|
|
network 10.1.27.0 mask 255.255.255.0
|
|
network 10.1.34.0 mask 255.255.254.0
|
|
network 10.1.39.0 mask 255.255.255.0
|
|
network 10.1.122.0 mask 255.255.255.0
|
|
network 10.1.254.0 mask 255.255.255.0
|
|
network 10.1.255.255 mask 255.255.255.255
|
|
network 172.31.2.0 mask 255.255.255.0
|
|
network 172.31.35.0 mask 255.255.255.0
|
|
network 192.168.0.0 mask 255.255.252.0
|
|
network 192.168.252.0
|
|
redistribute static route-map RM_REDIS_STATIC_PI
|
|
neighbor PG_BGP_IZM-P11 next-hop-self
|
|
neighbor PG_BGP_IZM-P11 soft-reconfiguration inbound
|
|
neighbor PG_BGP_IZM-P11 route-map RM_BGP_IZM-P11_OUT out
|
|
neighbor 10.1.1.5 activate
|
|
neighbor 10.1.1.5 next-hop-self
|
|
neighbor 10.1.1.5 route-map RM_LOCAL_OUT out
|
|
neighbor 10.1.1.109 activate
|
|
neighbor 10.1.1.109 next-hop-self
|
|
neighbor 10.1.1.109 soft-reconfiguration inbound
|
|
neighbor 10.1.1.110 activate
|
|
neighbor 10.1.1.110 route-reflector-client
|
|
neighbor 10.1.1.110 next-hop-self all
|
|
neighbor 10.1.1.110 soft-reconfiguration inbound
|
|
neighbor 10.1.1.111 activate
|
|
neighbor 10.1.1.111 route-reflector-client
|
|
neighbor 10.1.1.111 next-hop-self all
|
|
neighbor 10.1.1.111 soft-reconfiguration inbound
|
|
neighbor 10.1.1.112 activate
|
|
neighbor 10.1.1.112 route-reflector-client
|
|
neighbor 10.1.1.112 next-hop-self all
|
|
neighbor 10.1.1.112 soft-reconfiguration inbound
|
|
neighbor 172.30.30.1 activate
|
|
neighbor 172.30.30.1 route-map RM_BGP_IZM-P11_MTS_IN in
|
|
neighbor 172.30.30.41 activate
|
|
neighbor 172.30.30.41 next-hop-self all
|
|
neighbor 172.30.30.41 soft-reconfiguration inbound
|
|
neighbor 172.30.30.42 activate
|
|
neighbor 172.30.30.42 next-hop-self all
|
|
neighbor 172.30.30.42 soft-reconfiguration inbound
|
|
neighbor 172.30.30.44 activate
|
|
neighbor 172.30.30.44 next-hop-self all
|
|
neighbor 172.30.30.44 soft-reconfiguration inbound
|
|
neighbor 172.30.30.44 route-map RM_KOMOS_PI_IN in
|
|
neighbor 172.30.30.45 activate
|
|
neighbor 172.30.30.45 next-hop-self all
|
|
neighbor 172.30.30.45 soft-reconfiguration inbound
|
|
neighbor 172.30.32.1 activate
|
|
neighbor 172.30.32.1 route-map RM_BGP_IZM-P11_DOMRU_IN in
|
|
neighbor 172.31.2.2 activate
|
|
neighbor 172.31.2.2 next-hop-self all
|
|
neighbor 172.31.2.2 soft-reconfiguration inbound
|
|
neighbor 172.31.2.2 route-map RM_FROM_MK in
|
|
maximum-paths 2
|
|
distance bgp 150 150 150
|
|
exit-address-family
|
|
!
|
|
no ip nat create flow-entries
|
|
ip nat inside source list ACL-NAT-VIDEO-UZB interface Vlan400 vrf VRF-UZB overload
|
|
ip forward-protocol nd
|
|
ip forward-protocol udp 1947
|
|
no ip http server
|
|
no ip http secure-server
|
|
!
|
|
ip as-path access-list 11 permit ^64512$
|
|
ip as-path access-list 11 permit ^64512_64539$
|
|
ip as-path access-list 11 permit ^64512_64523$
|
|
ip tftp source-interface Vlan100
|
|
ip route 0.0.0.0 0.0.0.0 10.1.239.18 100 name --DEFAULT_3945_1--
|
|
ip route 10.0.0.0 255.252.0.0 Null0 254
|
|
ip route 10.0.24.0 255.255.255.0 Tunnel22
|
|
ip route 10.0.25.0 255.255.255.0 Tunnel22
|
|
ip route 10.0.26.0 255.255.255.0 Tunnel22
|
|
ip route 10.0.32.0 255.255.255.0 Tunnel25
|
|
ip route 10.0.32.0 255.255.255.0 Tunnel24
|
|
ip route 10.0.33.0 255.255.255.0 Tunnel25
|
|
ip route 10.0.33.0 255.255.255.0 Tunnel24
|
|
ip route 10.1.0.0 255.255.0.0 Null0 254
|
|
ip route 10.14.56.0 255.255.255.0 Tunnel11
|
|
ip route 88.80.33.49 255.255.255.255 10.1.239.19 100 name --IP_SLA_11--
|
|
ip route 91.240.179.11 255.255.255.255 Vlan11 name DNS001
|
|
ip route 91.240.179.28 255.255.255.255 Vlan11 name vpn.komos.ru
|
|
ip route 91.240.179.29 255.255.255.255 Vlan11 name asa_uzb
|
|
ip route 91.240.179.32 255.255.255.255 Vlan11 name vipole.komos.ru
|
|
ip route 91.240.179.37 255.255.255.255 Vlan11 name Skype
|
|
ip route 91.240.179.38 255.255.255.255 Vlan11 name skype
|
|
ip route 91.240.179.39 255.255.255.255 Vlan11 name skype
|
|
ip route 91.240.179.62 255.255.255.255 Vlan11 name vpn2.komos.ru_VIP
|
|
ip route 91.240.179.63 255.255.255.255 Vlan11 name izh-p11-fw-1-3
|
|
ip route 91.240.179.64 255.255.255.255 Vlan11 name izh-p11-fw-1-4
|
|
ip route 91.240.179.71 255.255.255.255 Vlan11 name files.komos.ru
|
|
ip route 91.240.179.233 255.255.255.255 Vlan1113 name RT-1-3
|
|
ip route 192.5.5.241 255.255.255.255 10.1.239.19 100 name --IP_SLA_1--
|
|
ip route 192.168.32.0 255.255.255.0 Tunnel11
|
|
ip route 192.168.33.0 255.255.255.0 Tunnel11
|
|
ip route 192.168.34.128 255.255.255.224 Tunnel11
|
|
ip route 192.168.34.160 255.255.255.224 Tunnel11
|
|
ip route 192.168.55.0 255.255.255.0 Tunnel11
|
|
ip ssh authentication-retries 2
|
|
ip ssh source-interface Vlan100
|
|
!
|
|
ip access-list standard ACL_FOR_NAT_KAZNACH_KG
|
|
permit 10.1.45.128 0.0.0.15
|
|
ip access-list standard ACL_FOR_NAT_MK
|
|
permit 10.14.24.0 0.0.7.255
|
|
ip access-list standard ACL_FOR_TV_WIFI_2
|
|
permit 10.1.13.203
|
|
!
|
|
ip access-list extended ACL-DMZ_LOCAL_IN
|
|
permit icmp any any
|
|
permit udp any addrgroup OBJ_LOCAL_DNS eq domain
|
|
permit tcp any addrgroup OBJ_LOCAL_DNS eq domain
|
|
permit ip host 10.1.24.3 any
|
|
remark --INTRONET_FORWARDING--
|
|
evaluate DMZ_LOCAL_REFLECTEDTRAFFIC
|
|
deny ip any addrgroup OBJ_LOCAL_TRAFFIC
|
|
permit ip any any
|
|
ip access-list extended ACL-DMZ_LOCAL_OUT
|
|
permit icmp any any
|
|
permit udp addrgroup OBJ_LOCAL_DNS eq domain any
|
|
permit tcp addrgroup OBJ_LOCAL_DNS eq domain any
|
|
permit ip any host 10.1.24.3
|
|
permit tcp host 10.1.4.150 host 10.1.24.1 eq 3389 reflect DMZ_LOCAL_REFLECTEDTRAFFIC
|
|
permit tcp host 10.4.0.13 host 10.1.24.1 eq 8530 reflect DMZ_LOCAL_REFLECTEDTRAFFIC
|
|
permit tcp host 10.4.0.61 host 10.1.24.1 eq 443 reflect DMZ_LOCAL_REFLECTEDTRAFFIC
|
|
permit tcp host 10.4.0.194 host 10.1.24.1 eq 443 reflect DMZ_LOCAL_REFLECTEDTRAFFIC
|
|
remark --DENY ALL LOCALAL TRAFIC--
|
|
deny ip any addrgroup OBJ_LOCAL_TRAFFIC
|
|
permit ip any any reflect DMZ_LOCAL_REFLECTEDTRAFFIC
|
|
ip access-list extended ACL-NAT-VIDEO-UZB
|
|
permit ip host 10.1.13.71 192.168.248.0 0.0.0.255
|
|
permit ip host 10.1.13.194 192.168.248.0 0.0.0.255
|
|
remark Suvorov A.
|
|
permit ip host 10.1.5.247 192.168.248.0 0.0.0.255
|
|
remark Luchnikov S.
|
|
permit ip host 10.1.7.150 192.168.248.0 0.0.0.255
|
|
remark Ohrana_KU9
|
|
permit ip host 10.1.39.1 192.168.248.0 0.0.0.255
|
|
ip access-list extended ACL_BLOCK_CISCO
|
|
deny udp host 10.1.1.108 eq domain any
|
|
deny tcp host 10.1.1.108 eq domain any
|
|
permit ip any any
|
|
ip access-list extended ACL_DC_VREM
|
|
permit ip host 192.168.1.21 any
|
|
permit ip host 192.168.1.100 any
|
|
ip access-list extended ACL_DMZ
|
|
deny ip any addrgroup OBJ_LOCAL_TRAFFIC
|
|
permit ip any any
|
|
ip access-list extended ACL_FIREWALL_KAZ-OUT
|
|
permit ip host 10.1.4.103 10.1.45.128 0.0.0.15
|
|
permit ip host 10.1.4.105 10.1.45.128 0.0.0.15
|
|
permit ip host 10.1.5.246 10.1.45.128 0.0.0.15
|
|
permit ip host 10.1.5.252 10.1.45.128 0.0.0.15
|
|
permit udp host 10.4.0.1 eq domain 10.1.45.128 0.0.0.15
|
|
permit udp host 10.4.0.2 eq domain 10.1.45.128 0.0.0.15
|
|
permit udp host 10.1.8.228 10.1.45.128 0.0.0.15
|
|
permit udp host 10.1.8.229 10.1.45.128 0.0.0.15
|
|
deny ip 10.0.0.0 0.255.255.255 10.1.45.128 0.0.0.15
|
|
deny ip 192.168.0.0 0.0.255.255 10.1.45.128 0.0.0.15
|
|
deny ip 172.16.0.0 0.15.255.255 10.1.45.128 0.0.0.15
|
|
permit ip any any
|
|
ip access-list extended ACL_FOR_INTRONET_KAZNACH_KG
|
|
permit ip 10.1.45.128 0.0.0.15 host 10.1.4.103
|
|
permit ip 10.1.45.128 0.0.0.15 host 10.1.4.105
|
|
permit ip 10.1.45.128 0.0.0.15 host 10.1.5.246
|
|
permit ip 10.1.45.128 0.0.0.15 host 10.1.5.252
|
|
permit udp 10.1.45.128 0.0.0.15 host 10.4.0.1 eq domain
|
|
permit udp 10.1.45.128 0.0.0.15 host 10.4.0.2 eq domain
|
|
permit udp 10.1.45.128 0.0.0.15 host 10.1.8.228
|
|
permit udp 10.1.45.128 0.0.0.15 host 10.1.8.229
|
|
deny ip 10.1.45.128 0.0.0.15 10.0.0.0 0.255.255.255
|
|
deny ip 10.1.45.128 0.0.0.15 192.168.0.0 0.0.255.255
|
|
deny ip 10.1.45.128 0.0.0.15 172.16.0.0 0.15.255.255
|
|
ip access-list extended ACL_FOR_TV_WIFI
|
|
permit ip host 10.1.13.203 192.168.0.0 0.0.255.255
|
|
permit ip host 10.1.13.203 10.0.0.0 0.255.255.255
|
|
permit ip host 10.1.13.203 172.16.0.0 0.15.255.255
|
|
permit ip host 10.1.13.203 91.240.179.0 0.0.0.255
|
|
ip access-list extended ACL_FROM_KUMK
|
|
permit ip any 10.12.0.0 0.0.255.255
|
|
permit ip host 10.1.50.2 host 10.1.50.1
|
|
permit icmp 10.12.1.0 0.0.0.255 any
|
|
permit icmp 10.12.0.0 0.0.0.255 any
|
|
permit ip 10.12.1.0 0.0.0.255 10.1.9.0 0.0.0.255
|
|
permit ip 10.12.1.0 0.0.0.255 host 10.1.9.207
|
|
permit ip 10.12.1.0 0.0.0.255 host 192.168.8.137
|
|
permit ip 10.12.1.0 0.0.0.255 host 10.4.0.43
|
|
permit ip 10.12.0.0 0.0.0.255 host 10.4.0.214
|
|
permit ip 10.12.0.0 0.0.0.255 10.4.0.0 0.0.0.255
|
|
permit ip host 10.12.0.254 any
|
|
ip access-list extended ACL_RM_RT_CLOUD
|
|
permit ip host 192.168.1.253 any
|
|
permit ip 192.168.252.0 0.0.0.255 host 46.61.230.201
|
|
permit ip 10.1.17.0 0.0.0.255 host 46.61.230.201
|
|
permit ip 192.168.0.0 0.0.3.255 host 46.61.230.201
|
|
permit ip 192.168.0.0 0.0.3.255 host 195.19.100.69
|
|
permit ip 10.1.17.0 0.0.0.255 host 195.19.100.69
|
|
permit ip 192.168.252.0 0.0.0.255 host 195.19.100.69
|
|
ip access-list extended ACL_WIFI_GUEST_DHCP
|
|
permit udp any any eq bootps bootpc
|
|
deny ip any any
|
|
ip access-list extended IMP_LOCAL_IN
|
|
permit icmp any any
|
|
permit ip 10.1.26.0 0.0.0.255 host 192.168.8.96
|
|
permit ip 10.1.26.0 0.0.0.255 host 10.1.26.255
|
|
permit udp 10.1.26.0 0.0.0.255 host 192.168.2.3 eq 1434
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.3 eq 1433
|
|
permit udp 10.1.26.0 0.0.0.255 host 192.168.2.4 eq 13000 echo bootps tftp 15000 15001
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.4 eq 445 13000 13111 14000 17000 14001
|
|
deny tcp 10.1.26.0 0.0.0.255 host 192.168.2.3 eq 3389
|
|
permit ip 10.1.26.0 0.0.0.255 host 192.168.2.4
|
|
permit udp 10.1.26.0 0.0.0.255 host 192.168.1.21 eq domain 88 ntp 135 netbios-ns netbios-dgm 389 445 464
|
|
permit udp 10.1.26.0 0.0.0.255 host 192.168.1.100 eq domain 88 ntp 135 netbios-ns netbios-dgm 389 445 464
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.21 eq domain 88 135 139 389 445 464 3268 3269
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.100 eq domain 88 135 139 389 445 464 3268 3269
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.3.62 eq 32300 32310
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.57 eq 32320
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.58 eq 32310 445
|
|
permit ip 10.1.26.0 0.0.0.255 host 192.168.2.128
|
|
permit ip 10.1.26.0 0.0.0.255 host 10.1.122.17
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.21
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.1.100
|
|
permit tcp 10.1.26.0 0.0.0.255 10.4.7.0 0.0.0.63 eq 443 www 143 993 pop3 995 587 smtp
|
|
permit tcp 10.1.26.0 0.0.0.255 10.1.123.0 0.0.0.255 eq 443 www 143 993 pop3 995 587 smtp
|
|
permit tcp 10.1.26.0 0.0.0.255 host 5.227.126.169 eq 443 www 143 993 pop3 995 587 smtp
|
|
permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.26 eq smtp 443 www
|
|
permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.27 eq smtp 443 www
|
|
permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.66 eq smtp 443 www
|
|
permit tcp 10.1.26.0 0.0.0.255 host 91.240.179.70 eq smtp 443 www
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.184 eq 443 www
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.120 eq 443 www
|
|
permit tcp 10.1.26.0 0.0.0.255 any eq 17000
|
|
permit tcp 10.1.26.0 0.0.0.255 any eq 13000
|
|
permit udp 10.1.26.0 0.0.0.255 host 192.168.1.100 eq domain
|
|
permit udp 10.1.26.0 0.0.0.255 host 10.1.8.229
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.1.8.15
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.203
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.0.1.230
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.0.16.1
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.0.4.231
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.4.0.204
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.0.16.2
|
|
permit udp 10.1.27.0 0.0.0.255 host 10.1.8.229
|
|
permit udp 10.1.27.0 0.0.0.255 host 10.4.7.17
|
|
permit tcp 10.1.26.0 0.0.0.255 10.1.15.0 0.0.0.255
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.32
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.1.12.66 eq 443 www
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.100 eq www 443 9554 9654
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.55 eq www 443 9554 9654
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.116 eq www 443 9554 9654
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.3.96 eq 6666
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.3.143 eq 3389
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.106
|
|
permit tcp 10.1.26.0 0.0.0.255 host 192.168.2.91 eq 3389
|
|
permit tcp host 10.1.26.250 host 10.1.7.245
|
|
permit tcp 10.1.26.0 0.0.0.255 host 10.1.9.201
|
|
permit ip 10.1.26.0 0.0.0.255 10.1.27.0 0.0.0.255
|
|
permit ip 10.1.26.0 0.0.0.255 host 10.4.0.17
|
|
permit ip 10.1.26.0 0.0.0.255 host 10.4.0.16
|
|
permit ip 10.1.26.0 0.0.0.255 host 10.4.0.196
|
|
permit ip 10.1.26.0 0.0.0.255 host 10.4.0.45
|
|
evaluate IMP_LOCAL_REFLECTEDTRAFFIC
|
|
permit tcp host 10.1.26.250 any
|
|
permit tcp host 10.1.26.252 any
|
|
permit tcp host 10.1.26.253 any
|
|
deny ip 10.1.26.0 0.0.0.255 192.168.0.0 0.0.255.255
|
|
deny ip 10.1.26.0 0.0.0.255 172.16.0.0 0.0.255.255
|
|
deny ip 10.1.26.0 0.0.0.255 10.0.0.0 0.255.255.255
|
|
permit ip any any
|
|
ip access-list extended IMP_LOCAL_OUT
|
|
permit icmp any any
|
|
permit ip host 192.168.8.96 10.1.26.0 0.0.0.255
|
|
permit tcp any host 10.1.26.250 eq 3389
|
|
permit tcp any host 10.1.26.251 eq 3389
|
|
permit tcp any host 10.1.26.252 eq 3389
|
|
permit tcp any host 10.1.26.253 eq 3389
|
|
permit tcp host 10.1.7.245 host 10.1.26.250
|
|
permit udp host 192.168.1.21 10.1.26.0 0.0.0.255 eq domain
|
|
permit tcp 10.1.123.0 0.0.0.255 10.1.26.0 0.0.0.255
|
|
permit tcp 10.1.15.0 0.0.0.255 10.1.26.0 0.0.0.255 eq 3389
|
|
permit tcp 10.1.15.0 0.0.0.255 host 10.1.26.250
|
|
permit tcp 10.4.7.0 0.0.0.63 10.1.26.0 0.0.0.255
|
|
permit tcp host 5.227.126.169 10.1.26.0 0.0.0.255
|
|
permit tcp host 91.240.179.26 10.1.26.0 0.0.0.255
|
|
permit tcp host 91.240.179.27 10.1.26.0 0.0.0.255
|
|
permit tcp host 91.240.179.66 10.1.26.0 0.0.0.255
|
|
permit tcp host 91.240.179.70 10.1.26.0 0.0.0.255
|
|
permit tcp host 192.168.2.91 10.1.26.0 0.0.0.255
|
|
permit udp host 192.168.1.100 10.1.26.0 0.0.0.255 eq domain
|
|
permit tcp host 192.168.2.106 10.1.26.0 0.0.0.255
|
|
permit udp host 10.1.8.229 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.1.8.15 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.4.0.203 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.0.1.230 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.0.16.1 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.0.4.231 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.4.0.204 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.4.0.120 10.1.26.0 0.0.0.255
|
|
permit tcp host 10.0.16.2 10.1.26.0 0.0.0.255
|
|
permit udp host 10.1.8.229 10.1.27.0 0.0.0.255
|
|
permit udp host 10.4.7.17 10.1.27.0 0.0.0.255
|
|
permit tcp host 10.4.0.184 10.1.26.0 0.0.0.255
|
|
permit tcp host 192.168.2.32 10.1.26.0 0.0.0.255
|
|
permit ip any any reflect IMP_LOCAL_REFLECTEDTRAFFIC
|
|
permit ip 10.1.27.0 0.0.0.255 10.1.26.0 0.0.0.255
|
|
permit ip 91.240.179.0 0.0.0.255 10.1.26.0 0.0.0.255
|
|
deny ip 192.168.0.0 0.0.255.255 10.1.26.0 0.0.0.255
|
|
deny ip 172.16.0.0 0.0.255.255 10.1.26.0 0.0.0.255
|
|
deny ip 10.0.0.0 0.255.255.255 10.1.26.0 0.0.0.255
|
|
permit ip any any
|
|
ip access-list extended LOCAL_TRAFFIC
|
|
permit ip any 192.168.0.0 0.0.255.255
|
|
permit ip any 10.0.0.0 0.255.255.255
|
|
permit ip any 172.16.0.0 0.15.255.255
|
|
permit ip any 91.240.179.0 0.0.0.255
|
|
ip access-list extended RDP
|
|
permit tcp any eq 3389 any
|
|
permit tcp any any eq 3389
|
|
ip access-list extended ROUTE_VIA_AS
|
|
deny ip host 192.168.2.202 any
|
|
deny ip host 192.168.2.131 any
|
|
deny ip host 192.168.2.61 any
|
|
deny ip host 192.168.2.11 any
|
|
deny ip host 192.168.2.102 any
|
|
deny ip host 192.168.2.100 any
|
|
deny ip host 192.168.2.97 any
|
|
deny ip host 192.168.2.96 any
|
|
deny ip host 192.168.2.101 any
|
|
deny ip host 192.168.2.72 any
|
|
deny ip host 192.168.2.71 any
|
|
deny ip host 192.168.3.64 any
|
|
deny ip host 192.168.2.68 any
|
|
deny ip host 192.168.2.45 any
|
|
deny ip host 192.168.2.90 any
|
|
deny ip host 192.168.1.81 any
|
|
deny ip host 192.168.2.126 any
|
|
deny ip host 192.168.2.80 any
|
|
deny ip host 192.168.2.47 any
|
|
deny ip host 192.168.2.34 any
|
|
deny ip host 192.168.2.35 any
|
|
deny ip host 192.168.2.38 any
|
|
deny ip host 192.168.2.88 any
|
|
deny ip host 192.168.2.56 any
|
|
deny ip host 192.168.2.48 any
|
|
deny ip host 192.168.2.54 any
|
|
deny ip host 192.168.2.55 any
|
|
deny ip host 192.168.2.52 any
|
|
deny ip host 192.168.2.53 any
|
|
deny ip host 192.168.2.9 any
|
|
deny ip host 192.168.2.15 any
|
|
deny ip host 192.168.2.13 any
|
|
deny ip host 192.168.2.27 any
|
|
deny ip host 192.168.2.25 any
|
|
deny ip host 192.168.2.31 any
|
|
deny ip host 192.168.2.19 any
|
|
deny ip host 192.168.2.21 any
|
|
deny ip host 192.168.2.209 any
|
|
deny ip host 192.168.2.185 any
|
|
deny ip host 192.168.3.143 any
|
|
deny ip host 192.168.2.91 any
|
|
deny ip host 192.168.2.183 any
|
|
deny ip host 192.168.2.94 any
|
|
deny ip host 192.168.2.33 any
|
|
deny ip host 192.168.2.39 any
|
|
deny ip host 192.168.2.218 any
|
|
deny ip host 192.168.2.46 any
|
|
deny ip host 192.168.3.232 any
|
|
deny ip host 192.168.2.116 any
|
|
deny ip host 192.168.2.108 any
|
|
deny ip host 192.168.2.191 any
|
|
deny ip host 192.168.2.192 any
|
|
deny ip host 192.168.2.193 any
|
|
deny ip host 192.168.2.194 any
|
|
deny ip host 192.168.2.225 any
|
|
deny ip host 192.168.2.226 any
|
|
deny ip host 192.168.2.227 any
|
|
deny ip host 192.168.2.124 any
|
|
deny ip host 192.168.2.144 any
|
|
deny ip host 192.168.2.195 any
|
|
deny ip host 192.168.2.221 any
|
|
deny ip host 192.168.2.103 any
|
|
deny ip host 192.168.2.3 any
|
|
deny ip host 192.168.2.201 any
|
|
permit ip any any
|
|
ip access-list extended TEST_INET
|
|
permit ip host 10.1.8.63 any
|
|
permit ip host 10.1.19.121 any
|
|
ip access-list extended VLAN3_FIREWALL
|
|
permit udp any eq domain any
|
|
permit udp host 10.1.8.229 10.1.18.0 0.0.0.255
|
|
permit tcp 10.1.15.0 0.0.0.255 host 10.1.18.1 eq 3389
|
|
permit tcp 10.1.15.0 0.0.0.255 host 10.1.18.3 eq 3389
|
|
permit tcp host 10.1.19.250 10.1.18.0 0.0.0.255 eq 3389
|
|
evaluate VLAN3_REFLECTEDTRAFFIC
|
|
ip access-list extended VLAN3_OUT
|
|
permit udp any any eq domain
|
|
permit udp 10.1.18.0 0.0.0.255 host 10.1.8.229
|
|
permit tcp host 10.1.18.1 10.1.15.0 0.0.0.255
|
|
permit tcp host 10.1.18.3 10.1.15.0 0.0.0.255
|
|
permit ip any any reflect VLAN3_REFLECTEDTRAFFIC
|
|
permit tcp 10.1.18.0 0.0.0.255 host 10.1.19.250
|
|
ip access-list extended VLAN9_RESTRICTED
|
|
permit ip any host 10.1.8.229
|
|
permit ip any host 10.1.8.228
|
|
deny ip any 10.0.0.0 0.255.255.255
|
|
deny ip any 192.168.0.0 0.0.255.255
|
|
deny ip any 172.16.0.0 0.0.255.255
|
|
permit ip any any
|
|
ip access-list extended WEB_LOCAL
|
|
permit tcp 0.0.0.0 255.0.0.0 any eq www
|
|
permit tcp 0.0.0.0 255.0.0.0 any eq 443
|
|
permit tcp 0.0.0.0 255.255.0.0 any eq 443
|
|
permit tcp 0.0.0.0 255.255.0.0 any eq www
|
|
permit tcp any 0.0.0.0 255.0.0.0 eq 443
|
|
permit tcp any 0.0.0.0 255.0.0.0 eq www
|
|
permit tcp any 0.0.0.0 255.255.0.0 eq www
|
|
permit tcp any 0.0.0.0 255.255.0.0 eq 443
|
|
ip access-list extended acl-copp-match-igmp
|
|
permit igmp any any
|
|
ip access-list extended acl-copp-match-pim-data
|
|
deny pim any host 224.0.0.13
|
|
permit pim any any
|
|
!
|
|
!
|
|
ip prefix-list PL_BGP_IZM-P11 seq 5 permit 10.0.0.0/8 le 32
|
|
ip prefix-list PL_BGP_IZM-P11 seq 10 permit 192.168.0.0/16 le 32
|
|
ip prefix-list PL_BGP_IZM-P11 seq 15 permit 172.16.0.0/12 le 32
|
|
!
|
|
ip prefix-list PL_FROM_CLOUD_RT seq 5 permit 10.1.30.0/24
|
|
!
|
|
ip prefix-list PL_FROM_KUMK seq 5 permit 10.12.0.0/16 le 24
|
|
ip prefix-list PL_FROM_KUMK seq 10 permit 10.12.252.0/22
|
|
!
|
|
ip prefix-list PL_KOMOS_PI seq 5 permit 91.240.179.0/24 ge 32
|
|
!
|
|
ip prefix-list PL_LOCAL_OUT seq 5 permit 10.0.0.0/8 le 32
|
|
ip prefix-list PL_LOCAL_OUT seq 10 permit 192.168.0.0/16 le 32
|
|
ip prefix-list PL_LOCAL_OUT seq 15 permit 172.16.0.0/12 le 32
|
|
!
|
|
ip prefix-list PL_REDIS_STATIC_PI seq 5 permit 91.240.179.0/24 le 32
|
|
!
|
|
ip prefix-list PL_UZB_USERS seq 5 permit 10.1.13.0/24
|
|
ip prefix-list PL_UZB_USERS seq 10 permit 10.1.4.0/22
|
|
ip prefix-list PL_UZB_USERS seq 20 permit 10.1.39.0/24
|
|
!
|
|
ip prefix-list PL_VRS_OLD_IN seq 5 permit 192.168.72.0/24
|
|
ip sla 1
|
|
icmp-echo 192.5.5.241 source-ip 10.1.239.22
|
|
threshold 400
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 1 life forever start-time now
|
|
ip sla 11
|
|
icmp-echo 88.80.33.49 source-ip 10.1.239.22
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 11 life forever start-time now
|
|
ip sla 12
|
|
icmp-echo 10.1.239.18 source-ip 10.1.239.22
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 12 life forever start-time now
|
|
ip sla 13
|
|
icmp-echo 84.201.247.254 source-interface Vlan11
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 13 life forever start-time now
|
|
ip sla 104
|
|
icmp-echo 87.249.239.226 source-interface Vlan11
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 104 life forever start-time now
|
|
ip sla 105
|
|
icmp-echo 5.227.124.82 source-interface Vlan11
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 105 life forever start-time now
|
|
ip sla 107
|
|
icmp-echo 84.201.247.32 source-interface Vlan11
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 107 life forever start-time now
|
|
ip sla 109
|
|
icmp-echo 95.215.208.240 source-interface Vlan11
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 109 life forever start-time now
|
|
ip sla 110
|
|
icmp-echo 88.80.32.230 source-interface Vlan11
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 110 life forever start-time now
|
|
ip sla 112
|
|
icmp-echo 10.1.50.94 source-interface Tunnel24
|
|
threshold 50
|
|
timeout 2000
|
|
frequency 3
|
|
ip sla schedule 112 life forever start-time now
|
|
ip sla 9000
|
|
dhcp 10.1.8.228 source-ip 10.1.19.254
|
|
threshold 3000
|
|
timeout 4000
|
|
ip sla schedule 9000 life forever start-time now
|
|
ip sla 9001
|
|
dhcp 10.1.8.229 source-ip 10.1.19.254
|
|
threshold 3000
|
|
timeout 4000
|
|
ip sla schedule 9001 life forever start-time now
|
|
kron occurrence EveryDay at 1:00 recurring
|
|
policy-list SaveBackup
|
|
!
|
|
kron policy-list SaveBackup
|
|
cli write memory
|
|
!
|
|
logging origin-id hostname
|
|
logging facility local6
|
|
logging source-interface Vlan100
|
|
logging host 192.168.2.25
|
|
logging host 10.4.244.4 transport udp port 515
|
|
access-list 23 permit any
|
|
access-list 23 deny any log
|
|
!
|
|
route-map RM_REDIS_STATIC_PI permit 10
|
|
description Redistribute static PI address for unnumbered lo11
|
|
match ip address prefix-list PL_REDIS_STATIC_PI
|
|
!
|
|
route-map RM_KOMOS_PI_IN permit 10
|
|
match ip address prefix-list PL_KOMOS_PI
|
|
set local-preference 1000
|
|
!
|
|
route-map RM_KOMOS_PI_IN permit 20
|
|
!
|
|
route-map RM_FROM_MK permit 10
|
|
set local-preference 1500
|
|
!
|
|
route-map RM_FROM_KUMK permit 10
|
|
match ip address prefix-list PL_FROM_KUMK
|
|
!
|
|
route-map RM_DMZ deny 10
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map RM_DMZ permit 20
|
|
!
|
|
route-map R2-MTS-TV-WIFI permit 10
|
|
match ip address ACL_FOR_TV_WIFI
|
|
!
|
|
route-map R2-MTS-TV-WIFI permit 15
|
|
match ip address ACL-NAT-VIDEO-UZB
|
|
set vrf VRF-UZB
|
|
!
|
|
route-map R2-MTS-TV-WIFI permit 20
|
|
match ip address ACL_FOR_TV_WIFI_2
|
|
set ip next-hop verify-availability 10.1.239.19 10 track 111
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map R2-MTS-TV-WIFI permit 30
|
|
!
|
|
route-map RM_LOCAL_OUT permit 10
|
|
match ip address prefix-list PL_LOCAL_OUT
|
|
!
|
|
route-map RM_TEST_INET permit 5
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map RM_TEST_INET permit 10
|
|
description TEST_INET'
|
|
match ip address TEST_INET
|
|
!
|
|
route-map RM_TEST_INET permit 20
|
|
!
|
|
route-map RM_BGP_IZM-P11_MTS_IN permit 10
|
|
match as-path 11
|
|
set local-preference 1500
|
|
!
|
|
route-map RM_BGP_IZM-P11_MTS_IN permit 20
|
|
!
|
|
route-map IMP-ROUTING permit 10
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map IMP-ROUTING permit 20
|
|
set ip next-hop verify-availability 10.1.239.19 10 track 13
|
|
set ip next-hop verify-availability 10.1.239.19 20 track 11
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map RM_BGP_IZM-P11_DOMRU_IN permit 10
|
|
match as-path 11
|
|
set local-preference 1500
|
|
!
|
|
route-map RM_BGP_IZM-P11_DOMRU_IN permit 20
|
|
!
|
|
route-map RM_FROM_OCOD_ER-TELECOM permit 10
|
|
match ip address prefix-list PL_VRS_OLD_IN
|
|
set local-preference 200
|
|
!
|
|
route-map RM_FROM_OCOD_ER-TELECOM permit 30
|
|
!
|
|
route-map RM_TO_OCOD_ER-TELECOM permit 30
|
|
!
|
|
route-map RM_NAT_MK deny 10
|
|
description --BACKUP_INTERNET_FOR_MK--
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map RM_NAT_MK permit 20
|
|
description --BACKUP_INTERNET_FOR_MK--
|
|
match ip address ACL_FOR_NAT_MK
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map R2-MTS_R1-BGP permit 5
|
|
match ip address ACL-NAT-VIDEO-UZB
|
|
set vrf VRF-UZB
|
|
!
|
|
route-map R2-MTS_R1-BGP permit 10
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map R2-MTS_R1-BGP permit 20
|
|
set ip next-hop verify-availability 10.1.239.19 10 track 111
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map RM_FOR_KAZNACH_KG permit 10
|
|
match ip address ACL_FOR_INTRONET_KAZNACH_KG
|
|
!
|
|
route-map RM_FOR_KAZNACH_KG permit 30
|
|
match ip address ACL_FOR_NAT_KAZNACH_KG
|
|
set ip next-hop 10.1.239.19
|
|
!
|
|
route-map RM_UZB_IMPORT permit 10
|
|
match ip address prefix-list PL_UZB_USERS
|
|
!
|
|
route-map VLAN1-ROUTING permit 5
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map VLAN1-ROUTING permit 6
|
|
description Vremenno DC
|
|
match ip address ACL_DC_VREM
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map VLAN1-ROUTING permit 8
|
|
match ip address ACL_RM_RT_CLOUD
|
|
set ip next-hop 172.30.30.42
|
|
!
|
|
route-map VLAN1-ROUTING permit 9
|
|
match ip address ROUTE_VIA_AS
|
|
set ip next-hop verify-availability 10.1.239.19 10 track 111
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map VLAN1-ROUTING permit 20
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map VLAN3-ROUTING permit 10
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map VLAN3-ROUTING permit 15
|
|
set ip next-hop verify-availability 10.1.239.19 10 track 111
|
|
set ip next-hop 10.1.239.18
|
|
!
|
|
route-map RM_BGP_IZM-P11_OUT permit 10
|
|
match ip address prefix-list PL_BGP_IZM-P11
|
|
!
|
|
route-map RM_USERS_KU9 permit 10
|
|
match ip address ACL-NAT-VIDEO-UZB
|
|
set vrf VRF-UZB
|
|
!
|
|
route-map RM_USERS_KU9 permit 20
|
|
!
|
|
route-map VLAN-500-ROUTING permit 5
|
|
match ip address LOCAL_TRAFFIC
|
|
!
|
|
route-map VLAN-500-ROUTING permit 10
|
|
set ip next-hop 10.1.239.19
|
|
!
|
|
snmp-server community lmTUEsk6Yvlv RO
|
|
snmp-server host 10.1.122.227 lmTUEsk6Yvlv
|
|
snmp-server host 10.1.1.253 public
|
|
!
|
|
!
|
|
radius server IZH-RDS002
|
|
address ipv4 10.4.0.248 auth-port 1645 acct-port 1646
|
|
timeout 3
|
|
retransmit 2
|
|
key 7 07073847682838253F1552345D2C382B23043D77025F01061B151F66520D022A110C555C7F784A59660E4955357D00251115304821110B03727C2C2A235317215C
|
|
!
|
|
radius server P11-RDS003
|
|
address ipv4 10.1.122.248 auth-port 1645 acct-port 1646
|
|
timeout 3
|
|
retransmit 2
|
|
key 7 060E162A6A6F28392D104B33550239242F1F3B60334B101319421067590A58270A021A5D707C4B5E6751190834220F7606003217711C022D1F7E6B3A3F4112385B
|
|
!
|
|
!
|
|
!
|
|
ipv6 access-list acl-copp-match-mld
|
|
permit icmp any any mld-report
|
|
permit icmp any any mld-query
|
|
permit icmp any any mld-reduction
|
|
permit icmp any any 143
|
|
!
|
|
ipv6 access-list acl-copp-match-ndv6
|
|
permit icmp any any nd-na
|
|
permit icmp any any nd-ns
|
|
permit icmp any any router-advertisement
|
|
permit icmp any any router-solicitation
|
|
permit icmp any any redirect
|
|
!
|
|
ipv6 access-list acl-copp-match-ndv6hl
|
|
permit icmp any any nd-na hoplimit
|
|
permit icmp any any nd-ns hoplimit
|
|
permit icmp any any router-advertisement hoplimit
|
|
permit icmp any any router-solicitation hoplimit
|
|
permit icmp any any redirect hoplimit
|
|
!
|
|
ipv6 access-list acl-copp-match-pimv6-data
|
|
deny 103 any host FF02::D
|
|
permit 103 any any
|
|
!
|
|
control-plane
|
|
service-policy input policy-default-autocopp
|
|
!
|
|
privilege exec all level 7 show cdp
|
|
privilege exec all level 7 show running-config
|
|
privilege exec all level 7 show configuration
|
|
privilege exec level 7 show
|
|
banner login ^C
|
|
|
|
*****************************************************************************
|
|
* *
|
|
* OOO "KOMOS GROUP" *
|
|
* Pesochnaya 11 *
|
|
* 1st FLOOR *
|
|
* DATACENTR *
|
|
* VSS *
|
|
* UNAUTHORIZED ACCESS IS PROHIBITED *
|
|
* *
|
|
* You have accessed network equipment. *
|
|
* You must have authorized permission to access or configure this device. *
|
|
* All activities performed on this device are logged and monitored. *
|
|
* *
|
|
*****************************************************************************^C
|
|
alias exec sib sh ip int brief
|
|
!
|
|
line con 0
|
|
logging synchronous
|
|
login authentication CONSOLE
|
|
line aux 0
|
|
line vty 0 4
|
|
access-class 23 in
|
|
exec-timeout 120 0
|
|
logging synchronous
|
|
login authentication NPS
|
|
length 0
|
|
transport input ssh
|
|
line vty 5 15
|
|
access-class 23 in
|
|
exec-timeout 120 0
|
|
logging synchronous
|
|
login authentication NPS
|
|
transport input ssh
|
|
!
|
|
!
|
|
monitor session 1 type rspan-destination
|
|
!
|
|
!
|
|
scheduler allocate 3000 1000
|
|
ntp source Vlan100
|
|
ntp server 10.1.8.1 prefer source Vlan100
|
|
ntp server 10.1.1.2
|
|
!
|
|
diagnostic bootup level minimal
|
|
no event manager policy Mandatory.go_switchbus.tcl type system
|
|
event manager applet Mozhga-VPN-ISP1-DOWN
|
|
event track 222 state down
|
|
action 0.9 cli command "enable"
|
|
action 1.1 cli command "conf t"
|
|
action 1.2 cli command "no ip route 10.0.32.0 255.255.255.0 Tunnel24"
|
|
action 1.3 cli command "no ip route 10.0.33.0 255.255.255.0 Tunnel24"
|
|
action 1.4 cli command "ip route 10.0.32.0 255.255.255.0 Tunnel25"
|
|
action 1.5 cli command "ip route 10.0.33.0 255.255.255.0 Tunnel25"
|
|
event manager applet Mozhga-VPN-ISP1-UP
|
|
event track 222 state up
|
|
action 0.9 cli command "enable"
|
|
action 1.1 cli command "conf t"
|
|
action 1.2 cli command "no ip route 10.0.32.0 255.255.255.0 Tunnel25"
|
|
action 1.3 cli command "no ip route 10.0.33.0 255.255.255.0 Tunnel25"
|
|
action 1.4 cli command "ip route 10.0.32.0 255.255.255.0 Tunnel24"
|
|
action 1.5 cli command "ip route 10.0.33.0 255.255.255.0 Tunnel24"
|
|
event manager applet Glazov-VPN-ISP1-DOWN
|
|
event track 109 state down
|
|
action 0.9 cli command "enable"
|
|
action 1.1 cli command "conf t"
|
|
action 1.2 cli command "no ip route 10.0.24.0 255.255.255.0 Tunnel22"
|
|
action 1.3 cli command "no ip route 10.0.25.0 255.255.255.0 Tunnel22"
|
|
action 1.4 cli command "no ip route 10.0.26.0 255.255.255.0 Tunnel22"
|
|
action 1.5 cli command "ip route 10.0.24.0 255.255.255.0 Tunnel23"
|
|
action 1.6 cli command "ip route 10.0.25.0 255.255.255.0 Tunnel23"
|
|
action 1.7 cli command "ip route 10.0.26.0 255.255.255.0 Tunnel23"
|
|
event manager applet Glazov-VPN-ISP1-UP
|
|
event track 109 state up
|
|
action 0.9 cli command "enable"
|
|
action 1.1 cli command "conf t"
|
|
action 1.2 cli command "no ip route 10.0.24.0 255.255.255.0 Tunnel23"
|
|
action 1.3 cli command "no ip route 10.0.25.0 255.255.255.0 Tunnel23"
|
|
action 1.4 cli command "no ip route 10.0.26.0 255.255.255.0 Tunnel23"
|
|
action 1.5 cli command "ip route 10.0.24.0 255.255.255.0 Tunnel22"
|
|
action 1.6 cli command "ip route 10.0.25.0 255.255.255.0 Tunnel22"
|
|
action 1.7 cli command "ip route 10.0.26.0 255.255.255.0 Tunnel22"
|
|
!
|
|
end |