config-register 0x2102
upgrade fpd auto
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 10
!
hostname bldg-mdf-rtr-2
!
boot system flash disk0:s72033-advipservicesk9_wan-mz.122-18.SXF.bin
boot system flash disk0:s72033-advipservicesk9_wan-mz.122-18.SXE2.bin
logging snmp-authfail
no logging console
logging monitor warnings
enable secret 5 #REMOVED#
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
no ip bootp server
ip multicast-routing
ip multicast cache-headers
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
ip domain-name example.com
ip name-server [dns1_ipaddr]
ip name-server [dns2_ipaddr]
vtp domain bldg-core
vtp mode transparent
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls qos
no mls acl tcam share-global
mls cef error action freeze
no scripting tcl init
no scripting tcl encdir
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree vlan 1,400,402,999 priority 40000
spanning-tree vlan 5 priority 8192
!
power redundancy-mode combined
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 5
 name N:[vlan5_netblock]
!
vlan 28
 name N:[vlan28_netblock]
!
vlan 53
 name [vlan53_netblock]
!
vlan 400
 name N:[vlan400_netblock]
!
vlan 402
 name N:[vlan402_netblock]
!
vlan 403
 name N:[vlan403_netblock]
!
vlan 893
 name N:[vlan893_netblock]
!
vlan 904
 name N:[vlan904_netblock]
!
vlan 999
 name native2switches
!
class-map match-all cp-normal-in
 description Control plane normal traffic
 match access-group name cp-normal-in
class-map match-all icmp
 description ICMP messages
 match access-group name icmp
class-map match-all cp-critical-in
 description Control plane critical traffic
 match access-group name cp-critical-in
class-map match-all udp-multicast
 description UDP multicast messages
 match access-group name udp-multicast
class-map match-all VoIP-dscp-ef
 description match VoIP EF packets marked EF (101110)
 match access-group name VoIP-ef
class-map match-all udp-unicast
 description UDP unicast messages
 match access-group name udp-unicast
class-map match-all uncommon-protocols
 description uncommon protocols
 match access-group name uncommon-protocols
class-map match-any cp-undesirable-in
 description Control plane undesirable traffic
 match access-group name cp-undesirable-in
class-map match-all cp-important-in
 description Control plane important traffic
 match access-group name cp-important-in
class-map match-all cp-default-in
 description Control plane default traffic
 match access-group 2
!
policy-map control-plane-in
 class cp-critical-in
 class cp-important-in
  police cir 128000 bc 32000 be 32000 conform-action transmit exceed-action transmit
 class cp-normal-in
  police cir 32000 bc 8000 be 8000 conform-action transmit exceed-action drop
 class cp-undesirable-in
  police cir 32000 bc 8000 be 8000 conform-action drop exceed-action drop
 class cp-default-in
  police cir 32000 bc 8000 be 8000 conform-action transmit exceed-action drop
policy-map edge-limiter
 description edge ingress policy
 class VoIP-dscp-ef
  police flow mask src-only 384000 4000 conform-action transmit exceed-action drop
 class icmp
  police cir 2000000 bc 4000 be 4000 conform-action transmit exceed-action drop
 class udp-unicast
  police cir 10000000 bc 5000 be 5000 conform-action transmit exceed-action drop
 class udp-multicast
  police cir 10000000 bc 5000 be 5000 conform-action transmit exceed-action drop
 class uncommon-protocols
  police cir 10000000 bc 5000 be 5000 conform-action transmit exceed-action drop
!
interface Loopback0
 description B:bldg:bldg:bldg-mdf-rtr-2-lo0
 ip address [lo0_ipaddr] 255.255.255.255
 no ip redirects
 no ip proxy-arp
!
interface Loopback1
 description B:global anycast-RP
 ip address [lo1_ipaddr] 255.255.255.255
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet1/1
 description B:bldg-mdf-rtr-4
 ip address [g1/1_ipaddr] 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim neighbor-filter pim-neighbors
 ip pim sparse-mode
 ip multicast boundary multicast-boundary-tv
 ip ospf authentication null
!
interface GigabitEthernet1/2
 description B:bldg-mdf-rtr-1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 5,28,29,53,400,905
 switchport mode trunk
 switchport nonegotiate
 no ip address
 mls qos trust dscp
!
interface GigabitEthernet1/3
 description T:bldg-idf-esw-1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 893
 switchport trunk allowed vlan 28,893
 switchport mode trunk
 switchport nonegotiate
 no ip address
 mls qos trust dscp
!
interface GigabitEthernet1/4
 description B:bldg-idf-rtr
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 403
 switchport trunk allowed vlan 403
 switchport mode trunk
 switchport nonegotiate
 no ip address
 mls qos trust dscp
!
interface GigabitEthernet1/5
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 mls qos trust dscp
!
interface GigabitEthernet1/6
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no ip address
 shutdown
!
interface GigabitEthernet1/9
 no ip address
 shutdown
!
interface GigabitEthernet1/10
 no ip address
 shutdown
!
interface GigabitEthernet1/11
 no ip address
 shutdown
!
interface GigabitEthernet1/12
 no ip address
 shutdown
!
interface GigabitEthernet1/13
 no ip address
 shutdown
!
interface GigabitEthernet1/14
 no ip address
 shutdown
!
interface GigabitEthernet1/15
 no ip address
 shutdown
!
interface GigabitEthernet1/16
 no ip address
 shutdown
!
interface GigabitEthernet1/17
 no ip address
 shutdown
!
interface GigabitEthernet1/18
 no ip address
 shutdown
!
interface GigabitEthernet1/19
 no ip address
 shutdown
!
interface GigabitEthernet1/20
 no ip address
 shutdown
!
interface GigabitEthernet1/21
 no ip address
 shutdown
!
interface GigabitEthernet1/22
 no ip address
 shutdown
!
interface GigabitEthernet1/23
 no ip address
 shutdown
!
interface GigabitEthernet1/24
 no ip address
 shutdown
!
interface GigabitEthernet5/1
 description T:bldg-mdf-esw-1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 904
 switchport trunk allowed vlan 28,29,904,905
 switchport mode trunk
 switchport nonegotiate
 no ip address
 mls qos vlan-based
 mls qos trust dscp
!
interface GigabitEthernet5/2
 description T:bldg-mdf-rtr-3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 402
 switchport trunk allowed vlan 28,53,402
 switchport mode trunk
 switchport nonegotiate
 no ip address
 mls qos vlan-based
 mls qos trust dscp
!
interface Vlan1
 no ip address
 no ip redirects
 no ip proxy-arp
 shutdown
!
interface Vlan5
 description N:IT:bldg:bldg 6th fl IT
 ip address [vlan5_ipaddr] 255.255.255.0
 ip access-group Vlan5-in in
 ip access-group Vlan5-out out
 ip verify unicast source reachable-via rx 100
 ip helper-address [dhcpd_ipaddr]
 no ip redirects
 no ip proxy-arp
 ip pim neighbor-filter pim-neighbors
 ip pim sparse-mode
 ip multicast boundary multicast-boundary-tv
 ip cgmp
 standby ip [vlan5_standby_ipaddr]
 standby priority 110
 standby preempt
 standby authentication IT
 service-policy input edge-limiter
!
interface Vlan400
 description B:bldg-mdf-rtr-1
 ip address [vlan400_ipaddr] 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim neighbor-filter pim-neighbors
 ip pim sparse-mode
 ip multicast boundary multicast-boundary-tv
 ip ospf authentication null
!
interface Vlan402
 description B:bldg-mdf-rtr-3
 ip address [vlan402_ipaddr] 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim neighbor-filter pim-neighbors
 ip pim sparse-mode
 ip multicast boundary multicast-boundary-tv
 ip ospf authentication null
!
interface Vlan403
 description B:bldg-idf-rtr
 ip address [vlan403_ipaddr] 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim neighbor-filter pim-neighbors
 ip pim sparse-mode
 ip multicast boundary multicast-boundary-tv
 ip ospf authentication null
!
interface Vlan893
 description B:bldg-idf-rtr
 ip address [vlan893_ipaddr] 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim neighbor-filter pim-neighbors
 ip pim sparse-mode
 ip multicast boundary multicast-boundary-tv
 ip ospf authentication null
!
interface Vlan904
 description B:bldg-mdf-rtr-3
 ip address [vlan904_ipaddr] 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim neighbor-filter pim-neighbors
 ip pim sparse-mode
 ip multicast boundary multicast-boundary-tv
 ip ospf authentication null
!
router ospf 1000
 router-id [lo0_ipaddr]
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 passive-interface default
 no passive-interface Vlan400
 no passive-interface Vlan402
 no passive-interface Vlan403
 no passive-interface Vlan893
 no passive-interface Vlan904
 no passive-interface GigabitEthernet1/1
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 64601
 no synchronization
 bgp router-id [lo0_ipaddr]
 bgp log-neighbor-changes
 neighbor bhrs peer-group
 neighbor bhrs description blackhole route server feed
 neighbor bhrs ebgp-multihop 16
 neighbor bhrs update-source Loopback0
 neighbor bhrs prefix-list DENYALL out
 neighbor bhrs route-map BHRS in
 neighbor bhrs maximum-prefix 300
 neighbor [bhrs_ipaddr] remote-as 64600
 neighbor [bhrs_ipaddr] peer-group bhrs
 neighbor [bhrs_ipaddr] description blackhole route server
!
 neighbor [bhrs_ipaddr] password
 no auto-summary
!
ip classless
no ip forward-protocol nd
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 192.0.2.1 255.255.255.255 Null0
ip route [some_static_addr] 255.255.255.255 [some_static_route]
!
ip bgp-community new-format
ip community-list 10 permit 64600:666
no ip http server
ip pim rp-address [lo1_ipaddr] global-groups-standard override
ip pim rp-address [pim_rp_ipaddr] local-groups-standard override
ip pim accept-rp [lo1_ipaddr] global-groups-standard
ip pim accept-rp [pim_rp_ipaddr] local-groups-standard
ip pim rp-announce-filter rp-list 2 group-list 1
ip pim register-rate-limit 10
ip pim accept-register list global-groups-extended
ip pim register-source Loopback0
ip msdp peer [pim_msdp_peer_102] connect-source Loopback0
ip msdp description [pim_msdp_peer_102] bldg-mdf-rtr-4
ip msdp sa-filter in [pim_msdp_peer_102] list global-groups-extended
ip msdp sa-filter out [pim_msdp_peer_102] list global-groups-extended
ip msdp sa-limit [pim_msdp_peer_102] 26000
ip msdp peer [pim_msdp_peer_123] connect-source Loopback0
ip msdp description [pim_msdp_peer_123] bldg-mdf-rtr-3
ip msdp sa-filter in [pim_msdp_peer_123] list global-groups-extended
ip msdp sa-filter out [pim_msdp_peer_123] list global-groups-extended
ip msdp sa-limit [pim_msdp_peer_123] 26000
ip msdp cache-sa-state
ip msdp redistribute list global-groups-extended
ip msdp originator-id Loopback0
ip msdp mesh-group global-anycast [pim_msdp_peer_102]
ip msdp mesh-group global-anycast [pim_msdp_peer_123]
ip ospf name-lookup
ip tacacs source-interface Loopback0
!
ip access-list standard global-groups-standard
 remark lucent-avaya-ap
 deny 224.0.1.76
 remark srvloc-da
 deny 224.0.1.35
 remark cisco-rp-announce
 deny 224.0.1.39
 remark retrospect
 deny 224.1.0.38
 remark cisco-rp-discovery
 deny 224.0.1.40
 remark hp-device-discovery
 deny 224.0.1.60
 remark ntp
 deny 224.0.1.1
 remark sun-rpc
 deny 224.0.2.2
 remark cisco-aironet-ap
 deny 224.1.0.1
 remark rwhod
 deny 224.0.1.3
 remark sgi-dogfight
 deny 224.0.1.2
 remark rwho-group
 deny 224.0.2.1
 remark nis+
 deny 224.0.1.8
 remark srvloc
 deny 224.0.1.22
 remark nbc-pro
 deny 224.0.1.25
 remark microsoft-ds
 deny 224.0.1.24
 remark norton-ghost
 deny 224.77.0.0 0.0.255.255
 remark igmp-control-224-128-0
 deny 224.128.0.0 0.0.0.255
 remark igmp-control-233-0-0
 deny 233.0.0.0 0.0.0.255
 remark igmp-control-233-128-0
 deny 233.128.0.0 0.0.0.255
 remark 224/8
 permit 224.0.0.0 0.255.255.255
 remark 233/8
 permit 233.0.0.0 0.255.255.255
 deny any
ip access-list standard local-groups-standard
 remark Norton Ghost server discovery
 permit 229.55.150.208
 remark Dantz Retrospect
 permit 224.1.0.38
 remark ntp
 permit 224.0.1.1
 remark Norton Ghost file transfer
 permit 224.77.0.0 0.0.255.255
 remark igmp-control-239-0-0
 deny 239.0.0.0 0.0.0.255
 remark igmp-control-239-128-0
 deny 239.128.0.0 0.0.0.255
 remark Admin Scoped
 permit 239.0.0.0 0.255.255.255
 deny any
ip access-list standard multicast-boundary-tv
 remark lucent-avaya-ap
 deny 224.0.1.76
 remark srvloc-da
 deny 224.0.1.35
 remark cisco-rp-announce
 deny 224.0.1.39
 remark cisco-rp-discovery
 deny 224.0.1.40
 remark hp-device-discovery
 deny 224.0.1.60
 remark sun-rpc
 deny 224.0.2.2
 remark cisco-aironet-ap
 deny 224.1.0.1
 remark rwhod
 deny 224.0.1.3
 remark sgi-dogfight
 deny 224.0.1.2
 remark rwho-group
 deny 224.0.2.1
 remark nis+
 deny 224.0.1.8
 remark srvloc
 deny 224.0.1.22
 remark nbc-pro
 deny 224.0.1.25
 remark microsoft-ds
 deny 224.0.1.24
 remark igmp-control-224-128-0
 deny 224.128.0.0 0.0.0.255
 remark igmp-control-232-0-0
 deny 232.0.0.0 0.0.0.255
 remark igmp-control-232-128-0
 deny 232.128.0.0 0.0.0.255
 remark igmp-control-233-0-0
 deny 233.0.0.0 0.0.0.255
 remark igmp-control-233-128-0
 deny 233.128.0.0 0.0.0.255
 remark igmp-control-239-0-0
 deny 239.0.0.0 0.0.0.255
 remark igmp-control-239-128-0
 deny 239.128.0.0 0.0.0.255
 remark 224/8
 permit 224.0.0.0 0.255.255.255
 remark SSM
 permit 232.0.0.0 0.255.255.255
 remark GLOP
 permit 233.0.0.0 0.255.255.255
 remark Admin scoped
 permit 239.0.0.0 0.255.255.255
 deny any
ip access-list standard pim-neighbors
 remark amr4-g1-1
 permit [amr-g1-1_ipaddr]
 remark amr1-vln400
 permit [amr1-vln400_ipaddr]
 remark lmr3-vln904
 permit [lmr3-vln904_ipaddr]
 remark 35 lir-vln403
 permit [lir-vln403_ipaddr]
 remark amr3-vln402
 permit [amr3-vln402_ipaddr]
 remark bldg-vln893
 permit [bldg-vln893_ipaddr]
 remark amr3-vln5
 permit [amr3-vln5_ipaddr]
 remark router loopbacks
 permit [lo_netblock] 0.0.0.255
 deny any
!
ip access-list extended Vlan5-in
 remark hack for packets forwarded by another router to this subnet
 permit ip any host [vlan5_standby_ipaddr]
 permit ip any host [vlan5_ipaddr]
 permit ip any host [dont_remember_ipaddr]
 remark IGMP destinations can only be 224/4
 permit igmp any 224.0.0.0 15.255.255.255
 deny igmp any any log-input
 remark valid ICMP types
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any parameter-problem
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny icmp any any log-input
 remark client BOOTP/DHCP discovery and request messages
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 remark sensible multicast protocols only
 permit udp any 224.0.0.0 15.255.255.255
 permit pim any 224.0.0.0 15.255.255.255
 deny ip any 224.0.0.0 15.255.255.255 log-input
 remark acceptable host IP protocols
 permit tcp any any
 permit udp any any
 permit gre any any
 permit ahp any any
 permit esp any any
 remark SCTP
 permit 132 any any
 deny ip any any log-input
ip access-list extended Vlan5-out
 permit ip any host [dont_remember_ipaddr2] log
 deny ip [vlan5_netblock] 0.0.0.255 any log-input
 permit ip any any
ip access-list extended VoIP-ef
 permit udp any range 1024 65535 any range 1024 65535 dscp ef
 deny ip any any
ip access-list extended cp-critical-in
 remark Control plane critical traffic - inbound
 remark OSPF
 permit ospf host [ospf_peer_ipaddr] any
 permit ospf host [amr-g1-1_ipaddr] any
 permit ospf host [ospf_peer_ipaddr] any
 permit ospf host [ospf_peer_ipaddr] any
 permit ospf host [ospf_peer_ipaddr] any
 permit ospf host [ospf_peer_ipaddr] any
 remark PIM
 permit pim host [lmr3_peer_ipaddr] any
 permit pim host [amr-g1-1_ipaddr] any
 permit pim host [pim_peer_ipaddr] any
 permit pim host [pim_peer_ipaddr] any
 permit pim host [pim_peer_ipaddr] any
 permit pim host [pim_peer_ipaddr] any
 permit pim host [dont_remember_ipaddr] any
 permit pim [pim_netblock] 0.0.0.255 any
 remark MSDP
 permit tcp host [pim_msdp_peer_102] eq 639 host [lo0_ipaddr]
 permit tcp host [pim_msdp_peer_102] host [lo0_ipaddr] eq 639
 permit tcp host [pim_msdp_peer_123] eq 639 host [lo0_ipaddr]
 permit tcp host [pim_msdp_peer_123] host [lo0_ipaddr] eq 639
 remark IGMP
 permit igmp any 224.0.0.0 15.255.255.255
 remark DHCP
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 permit udp host [dhcpd_ipaddr] eq bootps any eq bootps
 remark BGP
 permit tcp host [bhrs_ipaddr] eq bgp host [lo0_ipaddr]
 permit tcp host [bhrs_ipaddr] host [lo0_ipaddr] eq bgp
 deny ip any any
ip access-list extended cp-important-in
 remark Control plane important traffic - inbound
 remark TACACS
 permit udp host [tacacs_ipaddr] eq tacacs any
 permit tcp host [tacacs_ipaddr] eq tacacs any
 remark SSH/TELNET
 permit tcp [netop_netblock_net2] 0.0.0.255 any range 22 telnet
 permit tcp [netop_netblock_net1] 0.0.0.255 any range 22 telnet
 permit tcp [netop_netblock_net2] 0.0.0.255 eq 22 any
 remark SNMP
 permit udp [netop_netblock_net2] 0.0.0.255 any eq snmp
 permit udp [netop_netblock_net1] 0.0.0.255 any eq snmp
 permit udp [netop__snmp_netblock_net1] 0.0.0.15 any eq snmp
 remark ICMP
 permit icmp [netop_netblock_net2] 0.0.0.255 any
 permit icmp [netop_netblock_net1] 0.0.0.255 any
 remark NTP
 permit udp host [dns2_ipaddr] eq ntp any
 remark DNS
 permit udp host [dns2_ipaddr] eq domain any
 permit udp host [dns1_ipaddr] eq domain any
 permit tcp host [dns2_ipaddr] eq domain any
 permit tcp host [dns1_ipaddr] eq domain any
 deny ip any any
ip access-list extended cp-normal-in
 remark Control plane normal traffic - inbound
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any parameter-problem
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
ip access-list extended cp-undesirable-in
 remark Control plane undesirable traffic - inbound
 remark NTP
 permit udp any any eq ntp
 remark SNMPTRAP
 permit udp any any eq snmptrap
 deny ip any any
ip access-list extended global-groups-extended
 remark ntp
 deny ip any host 224.0.1.1
 remark sgi-dogfight
 deny ip any host 224.0.1.2
 remark rwhod
 deny ip any host 224.0.1.3
 remark nis+
 deny ip any host 224.0.1.8
 remark srvloc
 deny ip any host 224.0.1.22
 remark microsoft-ds
 deny ip any host 224.0.1.24
 remark nbc-pro
 deny ip any host 224.0.1.25
 remark srvloc-da
 deny ip any host 224.0.1.35
 remark cisco-rp-announce
 deny ip any host 224.0.1.39
 remark cisco-rp-discovery
 deny ip any host 224.0.1.40
 remark hp-device-discovery
 deny ip any host 224.0.1.60
 remark lucent-avaya-ap
 deny ip any host 224.0.1.76
 remark rwho-group
 deny ip any host 224.0.2.1
 remark sun-rpc
 deny ip any host 224.0.2.2
 remark cisco-aironet-ap
 deny ip any host 224.1.0.1
 remark retrospect
 deny ip any host 224.1.0.38
 remark norton-ghost
 deny ip any 224.77.0.0 0.0.255.255
 remark igmp-control-224-128-0
 deny ip any 224.128.0.0 0.0.0.255
 remark igmp-control-233-0-0
 deny ip any 233.0.0.0 0.0.0.255
 remark igmp-control-233-128-0
 deny ip any 233.128.0.0 0.0.0.255
 remark 224/8
 permit ip any 224.0.0.0 0.255.255.255
 remark 233/8
 permit ip any 233.0.0.0 0.255.255.255
 deny ip any any
ip access-list extended icmp
 remark ignore anything to our netblocks
 deny ip any [our_netblock] 0.0.255.255
 deny ip any [our_netblock] 0.0.255.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.15.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 remark match ICMP messages
 permit icmp any any
 deny ip any any
ip access-list extended udp-multicast
 remark ignore admin scope UDP multicast netblocks
 deny udp any 239.0.0.0 0.255.255.255
 remark match all other UDP multicast traffic
 permit udp any 224.0.0.0 15.255.255.255
 remark ignore everything else
 deny ip any any
ip access-list extended udp-unicast
 remark ignore UDP multicast destinations
 deny udp any 224.0.0.0 15.255.255.255
 remark ignore anything to our netblocks
 deny ip any [our_netblock] 0.0.255.255
 deny ip any [our_netblock] 0.0.255.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.15.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 remark match all other UDP traffic
 permit udp any any
 remark ignore everything else
 deny ip any any
ip access-list extended uncommon-protocols
 remark ignore widely used protocols
 deny tcp any any
 deny udp any any
 deny icmp any any
 deny gre any any
 deny esp any any
 deny ahp any any
 remark ignore SCTP
 deny 132 any any
 remark ignore anything to our netblocks
 deny ip any [our_netblock] 0.0.255.255
 deny ip any [our_netblock] 0.0.255.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.15.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 deny ip any [our_netblock] 0.0.0.255
 remark match everything else
 permit ip any any
ip access-list extended vty-shielding-in
 remark vty shielding - inbound
 permit tcp [netop_netblock_net2] 0.0.0.255 any range 22 telnet
 permit tcp [netop_netblock_net1] 0.0.0.255 any range 22 telnet
 deny ip any any log
!
ip prefix-list BHRSPREFIXES description prefixes to be null routed
ip prefix-list BHRSPREFIXES permit 0.0.0.0/0 ge 32
!
ip prefix-list DENYALL description block all announcements
ip prefix-list DENYALL deny 0.0.0.0/0 le 32
logging history warnings
logging source-interface Loopback0
logging [syslogd_ipaddr]
access-list 1 remark utility ACL to block everything
access-list 1 deny any
access-list 2 remark utility ACL to allow everything
access-list 2 permit any
access-list 10 remark SNMP managers and trap hosts
access-list 10 permit [netop_netblock_net2] 0.0.0.255
access-list 10 permit [netop_netblock_net1] 0.0.0.255
access-list 10 permit [netop__snmp_netblock_net1] 0.0.0.15
access-list 10 deny any
access-list 20 remark NTP servers
access-list 20 permit [ntpd_ipaddr]
access-list 20 deny any
access-list 100 remark Vlan5-uRPF override
access-list 100 permit ip any host [vlan5_standby_ipaddr]
access-list 100 permit ip any host [vlan5_ipaddr]
access-list 100 permit ip any host [dont_remember_ipaddr]
access-list 100 permit ip any 224.0.0.0 15.255.255.255
access-list 100 deny ip any any log-input
!
route-map BHRS permit 10
 description filter the unwanted routes from the blackhole rs
 match ip address prefix-list BHRSPREFIXES
 match community 10
 set ip next-hop 192.0.2.1
!
snmp-server community #REMOVED# RW 10
snmp-server community #REMOVED# RO 10
snmp-server ifindex persist
!tacacs-server host [tacacs_ipaddr] key
tacacs-server directed-request
!
radius-server source-ports 1645-1646
!
control-plane
!
 service-policy input control-plane-in
!
dial-peer cor custom
!
banner motd ^C
Example Organization bldg
Access Restricted
bldg-mdf-rtr-2
Unauthorized access prohibited.
^C
!
line con 0
 session-timeout 30
 exec-timeout 30 0
line vty 0 4
 session-timeout 30
 access-class vty-shielding-in in
 exec-timeout 30 0
 transport input telnet ssh
!
monitor session 66 source vlan 1 - 1005
monitor session 66 destination interface Gi1/5
no monitor session servicemodule
monitor event-trace timestamps
ntp source Loopback0
ntp access-group query-only 1
ntp access-group peer 20
ntp access-group serve 1
ntp access-group serve-only 1
ntp update-calendar
ntp server [ntpd_ipaddr]
mac-address-table aging-time 1800
no cns aaa enable
end
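The configuration above is a reasonable CoPP/uRPF/RTBH build for its era, but a few lines in it are the ones a reviewer would flag first: `transport input telnet ssh` on the vtys next to `ip ssh version 2`, `ip ospf authentication null` on every OSPF interface, `standby authentication IT` (HSRP plaintext authentication, with `Vlan5-in` permitting UDP to 224/4 so any host on VLAN 5 can reach the router's HSRP group), a read-write SNMP community gated only by source ACL 10, a type 5 (MD5) enable secret, and a `tacacs-server host` line that, as the page shows it, begins with `!` and is therefore a comment, leaving `aaa authentication login default group tacacs+ enable` to fall through to the enable secret. The script below is an added example, not part of the page or the device's own tooling; it parses IOS config text using only the layout rules IOS uses (column-0 commands, one-space-indented sub-commands, `!` as separator or comment) and reports those findings. `SAMPLE_CONFIG` is a constructed excerpt of the page's lines; the `[bracketed]` addresses are the page's own sanitisation placeholders, and the finding codes and remediation strings are the example's own.

```python
"""Static audit of Cisco IOS configuration text for the weak settings visible
in the page's running-config. Added example; not the page's or device's code."""
import re
from typing import List, Tuple

# Constructed excerpt of lines from the page's configuration; [x] are the page's placeholders.
SAMPLE_CONFIG = """\
enable secret 5 #REMOVED#
aaa new-model
aaa authentication login default group tacacs+ enable
ip ssh version 2
interface GigabitEthernet1/1
 ip ospf authentication null
interface Vlan5
 ip address [vlan5_ipaddr] 255.255.255.0
 standby ip [vlan5_standby_ipaddr]
 standby authentication IT
interface Vlan400
 ip ospf authentication null
snmp-server community #REMOVED# RW 10
snmp-server community #REMOVED# RO 10
!tacacs-server host [tacacs_ipaddr] key
tacacs-server directed-request
line vty 0 4
 access-class vty-shielding-in in
 transport input telnet ssh
monitor session 66 source vlan 1 - 1005
monitor session 66 destination interface Gi1/5
"""

Finding = Tuple[str, str, str]  # (code, config context, what to change)


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Return (top-level command, [sub-commands]) pairs. IOS indents sub-commands
    by one space; a line starting with '!' is a separator or comment and is skipped,
    which is exactly how IOS treats a '!'-prefixed tacacs-server line."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text: str) -> List[Finding]:
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    out: List[Finding] = []

    for header, subs in blocks:
        if header.startswith("line vty"):
            for s in subs:
                # 'transport input telnet ssh' still accepts cleartext logins
                if s.startswith("transport input") and "telnet" in s.split():
                    out.append(("VTY_TELNET", header, "use 'transport input ssh'"))
        elif header.startswith("interface"):
            for s in subs:
                if s == "ip ospf authentication null":
                    out.append(("OSPF_NOAUTH", header,
                                "use 'ip ospf authentication message-digest' with an md5 key"))
                toks = s.split()
                if toks[:1] == ["standby"] and "authentication" in toks:
                    rest = toks[toks.index("authentication") + 1:]
                    # 'standby authentication [text] KEY' puts KEY in the clear in every hello
                    if rest and rest[0] != "md5":
                        out.append(("HSRP_PLAINTEXT", header,
                                    f"key {rest[-1]!r} is sent in cleartext; "
                                    "use 'standby authentication md5 key-string ...'"))
        elif header.startswith("snmp-server community") and "RW" in header.split():
            toks = header.split()
            i = toks.index("RW")
            acl = toks[i + 1] if len(toks) > i + 1 else "<none>"
            out.append(("SNMP_RW", header,
                        f"read-write community gated only by source ACL {acl}; prefer SNMPv3 or RO"))
        elif header.startswith("enable secret 5 "):
            out.append(("ENABLE_MD5", header,
                        "type 5 is salted MD5; use type 8/9 where the IOS train supports it"))
        elif header.startswith("monitor session") and "destination interface" in header:
            out.append(("SPAN_DEST", header,
                        "mirrored traffic leaves on this port; keep it physically controlled"))

    # AAA names tacacs+ but no live server line exists (a '!'-prefixed one is a comment)
    wants_tacacs = any(h.startswith("aaa authentication login") and "tacacs+" in h.split()
                       for h in headers)
    live_hosts = [h for h in headers if h.startswith("tacacs-server host")]
    commented = re.findall(r"^!\s*tacacs-server host", text, flags=re.M)
    if wants_tacacs and not live_hosts:
        out.append(("TACACS_NO_HOST", "aaa authentication login",
                    f"{len(commented)} tacacs-server host line(s) commented out; "
                    "logins fall through to the 'enable' method"))
    return out


if __name__ == "__main__":
    for code, where, fix in audit(SAMPLE_CONFIG):
        print(f"{code:15} {where:45} {fix}")
```

Two caveats on reading the output. The CoPP class `cp-critical-in` admits OSPF and PIM by source address only, so `ip ospf authentication null` leaves adjacency formation to anyone who can source a packet from a listed peer address; the CoPP ACL is not a substitute for message-digest authentication. And the type 8/9 recommendation applies to later IOS trains: the 12.2(18)SX image in the boot lines predates them, so on this box a type 5 secret is the strongest option available and the finding is informational.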