!
!
! Last configuration change at 14:37:17 MNT Thu Jan 17 2019 by pingpongguy
! NVRAM config last updated at 14:37:22 MNT Thu Jan 17 2019 by pingpongguy
!
version 15.0
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname krar-1125-term-rte1
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
no logging console
logging monitor informational
!
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
aaa accounting connection default
 action-type start-stop
 group tacacs+
!
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone MNT -7
clock summer-time MDT recurring
cef table output-chain build favor convergence-speed
!
no ipv6 cef
no ip source-route
ip routing protocol purge interface
no ip gratuitous-arps
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
ip spd mode aggressive
ip cef
!
!
ip dhcp excluded-address 10.75.45.1 10.75.45.50
ip dhcp excluded-address 10.74.50.1 10.74.50.20
ip dhcp excluded-address 10.74.50.129 10.74.50.148
!
ip dhcp pool admin_network
 network 10.75.45.0 255.255.255.128
 default-router 10.75.45.1
 domain-name corp.dvn.com
 dns-server 172.20.32.10 10.64.134.69
 option 60 ascii "Cisco AP c3500"
 option 43 hex f104.0a41.3bf4
 netbios-node-type h-node
!
ip dhcp pool scada_network
 network 10.75.45.128 255.255.255.192
 default-router 10.75.45.129
 domain-name corp.dvn.com
 dns-server 172.20.32.10 10.64.134.69
 netbios-node-type h-node
 lease 5
!
ip dhcp pool static
 host 10.75.45.190 255.255.255.192
 client-identifier 0178.2bcb.8a5d.9f
!
ip dhcp pool Canon_printer
 host 10.75.45.45 255.255.255.128
 client-identifier 0118.0cac.ae4d.d9
!
ip dhcp pool VoIP
 network 10.74.50.0 255.255.255.128
 default-router 10.74.50.1
 option 150 ip 10.66.37.85 10.66.37.100
 domain-name net.dvn
 dns-server 172.20.32.10 10.64.134.69
 netbios-node-type h-node
!
ip dhcp pool Wireless
 network 10.74.50.128 255.255.255.128
 default-router 10.74.50.129
 domain-name corp.dvn.com
 dns-server 172.20.32.10 10.64.134.69
 option 60 ascii "Cisco AP c3500"
 option 43 hex f104.0a41.3bf4
 netbios-node-type h-node
!
!
no ip bootp server
no ip domain lookup
ip domain name net.dvn
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL150422ZB
!
!
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
!
redundancy
!
!
ip tcp selective-ack
ip tcp mss 1400
ip tcp window-size 65535
ip tcp synwait-time 5
ip tcp path-mtu-discovery age-timer 30
ip ssh dh min size 4096
!
class-map match-all CLASS_Wifi_Dwload
 match access-group name Wifi_Dwload
class-map match-any NOMADIS-Data
 match access-group name NOMADIS
!
!
policy-map POLICY_Wifi_Dwload
 class CLASS_Wifi_Dwload
  shape average 1024000
policy-map NOMADIS-EGRESS-Bandwidth
 class NOMADIS-Data
  bandwidth percent 10
  queue-limit 128 packets
 class class-default
  queue-limit 512 packets
policy-map KIRBY-SITES-EGRESS
 class class-default
  shape peak 2500000 25000 25000
  queue-limit 512 packets
  service-policy NOMADIS-EGRESS-Bandwidth
policy-map POLICY_Wifi_Upload
 class CLASS_Wifi_Dwload
  police cir 1024000 bc 192000
   exceed-action drop
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description MAN - krar-1125-term-rd1
 bandwidth 10000
 ip address 10.74.3.9 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex full
 speed 100
 no mop enabled
!
 service-policy output KIRBY-SITES-EGRESS
!
interface GigabitEthernet0/1
 description krar-1125-term-swa1 G1/0/24
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.2
 description ## AWOS VLAN
 encapsulation dot1Q 2
 ip address 10.75.45.129 255.255.255.192
 ip access-group scada_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1.3
 description ## Admin VLAN
 encapsulation dot1Q 3
 ip address 10.75.45.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface GigabitEthernet0/1.4
 description VoIP
 encapsulation dot1Q 4
 ip address 10.74.50.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface GigabitEthernet0/1.5
 description Wireless
 encapsulation dot1Q 5
 ip address 10.74.50.129 255.255.255.128
 ip access-group air-strip in
 no ip unreachables
 no ip proxy-arp
 ip mtu 1472
 ip flow ingress
 ip tcp adjust-mss 1452
 service-policy input POLICY_Wifi_Upload
 service-policy output POLICY_Wifi_Dwload
!
interface GigabitEthernet0/1.6
 description ## Security VLAN
 encapsulation dot1Q 6
 ip address 10.75.45.193 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1.10
 description Management
 encapsulation dot1Q 10
 ip address 10.74.184.1 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1.973
 encapsulation dot1Q 973
 ip address 10.74.184.65 255.255.255.192
!
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
no ip http server
no ip http secure-server
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/1.3
ip flow-export version 9
ip flow-export destination 172.20.4.13 2055
!
ip route 0.0.0.0 0.0.0.0 10.74.3.14
ip tacacs source-interface GigabitEthernet0/1.3
!
ip access-list extended AccessControl
 permit ip host 10.52.5.69 any
 permit ip host 10.64.132.69 any
 permit ip 172.16.5.0 0.0.0.255 any
 permit ip 172.20.5.0 0.0.0.255 any
 permit ip 172.24.225.0 0.0.0.255 any
 permit ip 172.25.225.0 0.0.0.255 any
 permit tcp host 63.99.29.18 any eq 22
 permit tcp host 63.99.29.40 any eq 22
 permit tcp host 206.47.24.18 any eq 22
 permit tcp host 206.47.24.169 any eq 22
ip access-list extended NOMADIS
 permit ip any host 158.106.82.54
 permit ip any host 158.106.82.56
ip access-list extended TEST
 permit ip any any log
ip access-list extended Wifi_Dwload
 permit ip any any time-range THURS-1200-1400
ip access-list extended air-strip
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp 10.74.50.128 0.0.0.127 host 10.77.80.130 eq 5246
 permit udp 10.74.50.128 0.0.0.127 host 10.65.59.244 eq 5246
 permit udp 10.74.50.128 0.0.0.127 host 10.77.80.130 eq 5247
 permit udp 10.74.50.128 0.0.0.127 host 10.65.59.244 eq 5247
 deny ip any 10.8.0.0 0.0.255.255
 permit icmp 10.74.50.128 0.0.0.127 any echo-reply
 permit icmp 10.74.50.128 0.0.0.127 any echo
 deny icmp 10.74.50.128 0.0.0.127 any
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 deny tcp any any range 1433 1434
 deny udp any any range 1433 1434
 deny tcp any any eq 445
 deny udp any any eq 445
 deny tcp any any eq 3306
 deny ip 10.74.50.128 0.0.0.127 172.16.0.0 0.15.255.255
 deny ip 10.74.50.128 0.0.0.127 192.168.0.0 0.0.255.255
 permit ip 10.74.50.128 0.0.0.127 any
 deny ip 10.74.50.128 0.0.0.127 10.0.0.0 0.255.255.255
ip access-list extended scada_in
 permit icmp any any
 remark ***** Permit port 80 to AWOS PC
 permit tcp host 10.75.45.190 eq www 10.64.91.0 0.0.0.255
 permit tcp host 10.75.45.190 eq www host 172.20.128.50 log
 permit tcp host 10.75.45.190 eq www 172.20.128.0 0.0.0.127 log
 permit tcp host 10.75.45.190 eq www 10.70.23.0 0.0.0.255 log
 permit tcp host 10.75.45.190 eq www 10.75.45.0 0.0.0.255
 remark ***** Permit DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc
 remark ***** Permit Scada to resolve DNS queries
 permit udp any host 10.64.134.69 eq domain
 permit udp any host 172.20.32.10 eq domain
 remark ***** Deny Scada to all other networks
 deny ip any any log
!
logging facility local0
logging source-interface GigabitEthernet0/0
logging 172.25.20.61
access-list 96 permit 172.18.2.37
access-list 96 permit 172.18.18.21
access-list 97 permit 10.66.37.101
access-list 97 permit 10.52.12.12
access-list 97 permit 172.16.32.30
access-list 97 permit 172.16.32.31
access-list 97 permit 172.20.32.30
access-list 97 permit 172.20.32.31
access-list 97 permit 172.16.12.104
access-list 97 permit 172.16.32.116
access-list 97 permit 10.64.146.32
access-list 97 permit 172.16.5.0 0.0.0.255
access-list 97 permit 172.20.5.0 0.0.0.255
access-list 97 permit 172.24.225.0 0.0.0.255
access-list 97 permit 172.25.225.0 0.0.0.255
access-list 98 permit 172.25.36.129
access-list 98 permit 172.25.17.190
access-list 98 permit 172.22.136.17
access-list 98 permit 172.18.200.80
access-list 98 permit 172.18.136.27
access-list 98 permit 172.18.2.121
access-list 98 permit 172.18.66.57
access-list 98 permit 172.18.2.122
access-list 98 permit 172.25.40.78
!
!
!
!
!
snmp-server view mib-exclude iso included
snmp-server view HPmib-exclude iso included
snmp-server view HPmib-exclude at excluded
snmp-server view HPmib-exclude internet.6.3.15 excluded
snmp-server view HPmib-exclude internet.6.3.16 excluded
snmp-server view HPmib-exclude internet.6.3.18 excluded
snmp-server view HPmib-exclude ip.21 excluded
snmp-server view HPmib-exclude ip.22 excluded
snmp-server ifindex persist
snmp-server trap-source GigabitEthernet0/1.3
snmp-server location Kirby Lake, AB
snmp-server contact Infrastructure
snmp-server chassis-id A######
tacacs-server host 172.25.243.22
tacacs-server host 172.24.243.22
tacacs-server timeout 6
tacacs-server directed-request
!
control-plane
!
!
banner exec ^C
***********************SYSTEM DESCRIPTION************************
*                                                               *
*   NAME:         krar-1125-term-rte1                           *
*   LOCATION:     Kirby Lake Aerodrome Terminal                 *
*   CORPORATION:  Devon Canada Corporation                      *
*   CONTACT:      Enterprise Network Services                   *
*   DESCRIPTION:  CISCO1921/K9                                  *
*   ASSET#:                                                     *
*****************************************************************
^C
banner motd ^CC
*****************************SECURITY NOTICE************************
*
* ACCESS TO THIS SYSTEM IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY
* USAGE OF THIS SYSTEM MAY BE LOGGED AND/OR MONITORED WITHOUT NOTICE.
* DISCONNECT IMMEDIATELY IF YOU ARE NOT AN AUTHORIZED USER!
*
********************************************************************
^C
!
line con 0
 exec-timeout 15 0
line aux 0
 exec-timeout 0 1
 modem InOut
 no exec
 transport input all
 transport output none
 stopbits 1
 flowcontrol hardware
line vty 0 4
 access-class AccessControl in
 exec-timeout 5 0
 timeout login response 90
 privilege level 15
 transport input all
line vty 5 15
 access-class AccessControl in
 exec-timeout 5 0
 timeout login response 90
 privilege level 15
 transport input all
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/1.3
ntp server 172.20.2.33 prefer
ntp server 172.20.2.34
time-range THURS-1200-1400
 periodic Thursday 12:00 to 14:00
!
end