Здравствуйте, коллеги!
На днях фирма приобрела новый маршрутизатор Cisco ISR 4431. После переноса конфига со старой циски 2921
работает всё, кроме пользовательских подключений VPN (vpdn pptp); точнее, они работают, но не маршрутизируются...
Пользователь подключается к сети, получает IP, этот IP есть в маршрутах на циске как connected и передаётся на филиальские циски через GRE посредством OSPF, НО
когда клиент обращается к какому-либо хосту в организации, пакет доходит до получателя, получатель шлёт ответ, И ответ не доходит до клиента, а теряется
на циске; такое ощущение, что циска не знает, куда возвращать пакет. Прошу заметить, что на 2921 этот конфиг работает без запинок...
Собственно описание всего и вся
Старая циска Cisco CISCO2921/K9 (revision 1.0)
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9_NPE-M), Version 15.3(2)T
Новая циска cisco ISR4431/K9 (1RU)
Cisco IOS XE Software, Version 03.13.03.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4
Конфиг
! Global services for the router.
version 15.4
service telnet-zeroidle
! TCP keepalives in both directions, so dead or half-open sessions to and from the router get cleaned up.
service tcp-keepalives-in
service tcp-keepalives-out
! Debug and log lines carry millisecond local-time stamps with the time zone.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! NOTE(review): this only applies the reversible type 7 obfuscation to plain passwords in the config.
! It does not protect a config that is shared or published; hashed "secret" forms are the safer choice.
service password-encryption
service linenumber
service pt-vty-logging
! Sequence numbers on log messages.
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname krr-cs1_1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
! Local logging: 65536-byte buffer, console logging off, all messages rate-limited to 100 per second.
! NOTE(review): no "logging host" line appears in this listing, so logs seem to stay on the router only;
! a remote syslog target keeps evidence available after a reload or compromise. Confirm whether it was trimmed from the post.
logging exception 65536
logging count
logging userinfo
logging buffered 65536
logging reload alerts
logging rate-limit all 100
no logging console
! NOTE(review): type 5 is a salted MD5-based hash. The value was posted publicly (it looks truncated here),
! so the enable password should be treated as disclosed and rotated. Use a stronger secret type (8 or 9)
! if the running release supports it.
enable secret 5 $1$tVIt$TwZrH
!
! AAA method lists for device login and for PPP (VPN) users.
! NOTE(review): no "username" entries and no RADIUS server definition appear in this listing; presumably
! they were removed before posting. Confirm they exist on the device.
aaa new-model
!
!
! Interactive logins are checked against the local user database only.
aaa authentication login default local
! PPP users: the local database is listed first, then the RADIUS group.
aaa authentication ppp default local group radius
aaa authorization exec default local
! Any PPP user who authenticated successfully is authorized for network service; there is no per-user policy here.
aaa authorization network default if-authenticated
! NOTE(review): no action type or method is visible on the next line; it looks incomplete as posted.
aaa accounting network default
!
! Named accounting list used by Virtual-Template1: start and stop records are sent to RADIUS.
aaa accounting network VPN-USERS
action-type start-stop
group radius
!
!!
!
!
!
aaa session-id common
clock timezone AST 3 0
!
!
!
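! DNS settings for the router itself. The two commands below were fused onto one line in the post,
! which is not valid configuration. Lookups are sourced from Loopback1.
ip name-server 192.168.210.253 192.168.210.251
ip domain lookup source-interface Loopback1
ip domain name mycomp.ru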
ip dhcp excluded-address 10.100.100.1 10.100.100.100
ip dhcp excluded-address 10.100.100.199 10.100.100.254
ip dhcp excluded-address 192.168.50.0 192.168.50.19
ip dhcp excluded-address 192.168.203.0 192.168.203.19
ip dhcp excluded-address 192.168.51.0 192.168.51.19
ip dhcp excluded-address 192.168.203.200 192.168.203.255
ip dhcp excluded-address 192.168.203.69
ip dhcp excluded-address 192.168.203.94
ip dhcp excluded-address 192.168.203.68
ip dhcp excluded-address 192.168.52.1 192.168.52.10
ip dhcp excluded-address 192.168.48.1 192.168.48.10
ip dhcp excluded-address 192.168.49.0
!
ip dhcp pool users-vpn
network 10.100.100.0 255.255.255.0
domain-name mycomp.ru
dns-server 192.168.210.253 192.168.210.251
!
ip dhcp pool TLGUEST
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
domain-name mycomp.ru
dns-server 8.8.8.8
!
ip dhcp pool mycomp2
network 192.168.203.0 255.255.255.0
default-router 192.168.203.1
domain-name mycomp.ru
dns-server 192.168.210.253 192.168.210.251
option 43 hex 0104.c0a8.cb14
lease 180
!
ip dhcp pool mycomp2_TL
network 192.168.51.0 255.255.255.0
default-router 192.168.51.1
domain-name mycomp.ru
dns-server 192.168.210.253 192.168.210.251
!
ip dhcp pool VOIP
network 192.168.52.0 255.255.254.0
default-router 192.168.52.1
domain-name mycomp.ru
dns-server 192.168.210.253 192.168.210.251
option 66 ascii 192.168.52.2
lease 180
!
ip dhcp pool TL3
network 192.168.48.0 255.255.254.0
default-router 192.168.48.1
domain-name mycomp.ru
dns-server 192.168.210.253
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
! Turns on VPDN so the router can terminate dial-in tunnels.
vpdn enable
!
! Dial-in group for remote users; accepted sessions are cloned from Virtual-Template1.
! NOTE(review): "protocol any" accepts every tunnel protocol the platform offers (the generated comments
! below list L2TP and PPTP). PPTP is a legacy protocol whose protection rests on MS-CHAPv2/MPPE.
! Restrict the group to the protocol actually needed and plan a move to an IPsec- or TLS-based
! remote-access VPN. The thread's conclusion is that newer IOS releases no longer fully support PPTP.
vpdn-group pptp
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
!
!
!
!
license udi pid ISR4431/K9 sn FOC19471AXH
license boot level appxk9 disable
license boot level uck9 disable
!
spanning-tree extend system-id
!!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
track 75 ip sla 75 reachability
delay down 60 up 60
!
track 88 ip sla 88 reachability
delay down 60 up 60
!
track 207 ip sla 207 reachability
delay down 60 up 60
!
track 208 ip sla 208 reachability
delay down 60 up 60
!
!
class-map match-all CM_WIFI_TO_EXT
match access-group name ACL_WIFI_TO_EXT
class-map match-all no_gre_fil
match access-group 117
class-map match-all real-time
match precedence 5
class-map match-any gre_fil
match access-group 27
class-map match-any realtime-marking
match protocol rtp
!
policy-map PM_WIFI_IN_1
class CM_WIFI_TO_EXT
police 5242500
class class-default
policy-map PM_ISP_OUT_1
class class-default
shape peak 20971520
!
!
!
!
!
!
interface Loopback0
description -- system loopback
ip address 194.22.8.30 255.255.255.255
!
interface Loopback1
ip address 10.200.200.1 255.255.255.255
!
interface Loopback2
description tunnel2
194.22.8.1
!
interface Loopback3
description tunnel3
194.22.8.25
!
interface Loopback4
description NAT_FOR_MAIL_TALE
ip address 194.22.8.4 255.255.255.255
ip nat outside
!
interface Loopback5
description -- for NAT
ip address 194.22.8.6 255.255.255.255
ip nat outside
!
interface Loopback6
description youtrack_mysrv
ip address 194.22.8.28 255.255.255.255
!
interface Loopback7
description NAT_FOR_MAIL
ip address 194.22.8.22 255.255.255.255
ip nat outside
ip access-group 116 in
!
interface Loopback8
description NAT_FOR_VTASKMOB
ip address 194.22.8.23 255.255.255.255
ip nat outside
!
! Multipoint GRE tunnel with NHRP (hub side: multicast is mapped dynamically to registered peers).
! OSPF runs over it as a broadcast network.
! NOTE(review): no "tunnel protection" line is shown, so per this listing the GRE payload, including
! OSPF and branch traffic, crosses the provider network unencrypted. Confirm whether IPsec was trimmed from the post.
interface Tunnel3
description NEW
ip address 10.13.13.1 255.255.255.0
no ip redirects
ip mtu 1416
! NOTE(review): the NHRP authentication string is a cleartext shared value and was published with
! this config, so it should be changed. It does not replace tunnel encryption.
ip nhrp authentication tra-tun3
ip nhrp map multicast dynamic
ip nhrp network-id 171623
ip nhrp registration no-unique
! Policy routing for traffic arriving from the tunnel (route-map from_RO_LAN, ACL 177).
ip policy route-map from_RO_LAN
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 10
ip ospf mtu-ignore
ip ospf cost 100
! NOTE(review): no OSPF authentication key is configured on this interface in the listing.
tunnel source 194.22.8.1
tunnel mode gre multipoint
tunnel key 171623
!
interface GigabitEthernet0/0/0
description krr_cs2_g0/0
ip address 10.111.111.1 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
description to_krr-sw1_g1/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.52
description SIP_PHONES
encapsulation dot1Q 52
ip address 192.168.52.1 255.255.254.0
ip nat inside
ip policy route-map 115
no cdp enable
!
interface GigabitEthernet0/0/1.100
description LAN
encapsulation dot1Q 100
ip nat inside
ip policy route-map from_GK_LAN
no cdp enable
!
! Upstream (ISP-facing) subinterface on VLAN 101; NAT outside.
interface GigabitEthernet0/0/1.101
description -- to MTS AS58322 (upstream)
encapsulation dot1Q 101
ip address 77.66.27.22 255.255.255.252
! Edge hardening: no ICMP redirects or unreachables, no proxy ARP towards the provider.
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
! NOTE(review): access-list 117 is not defined anywhere in this listing. On IOS an access-group that
! references a non-existent ACL filters nothing, so inbound traffic from the provider would be unfiltered.
! Confirm the ACL exists on the device; it may have been removed from the post.
ip access-group 117 in
no cdp enable
!
! Second upstream subinterface on VLAN 134; same hardening and the same inbound ACL reference (117) as above.
interface GigabitEthernet0/0/1.134
description -- to PROV AS58322 (upstream)
encapsulation dot1Q 134
ip address 193.242.14.2 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
! NOTE(review): see the note on the .101 subinterface; ACL 117 is not shown in this listing.
ip access-group 117 in
no cdp enable
!
interface GigabitEthernet0/0/1.200
description DMZ
encapsulation dot1Q 200
ip address 192.168.100.1 255.255.255.128
ip nat inside
ip ospf hello-interval 5
ip ospf priority 10
ip ospf cost 10
no cdp enable
!
interface GigabitEthernet0/0/1.204
description TL_GUEST
encapsulation dot1Q 204
ip address 192.168.50.1 255.255.255.0
ip nat inside
no cdp enable
!
interface GigabitEthernet0/0/1.205
description WiFi_BOSS
encapsulation dot1Q 205
ip address 192.168.20.1 255.255.255.0
ip nat inside
no cdp enable
service-policy input PM_WIFI_IN_1
!
interface GigabitEthernet0/0/1.211
description TL3
encapsulation dot1Q 211
ip address 192.168.48.1 255.255.254.0
ip nat inside
no cdp enable
!
interface GigabitEthernet0/0/1.243
description dc-food
encapsulation dot1Q 243
ip address 192.168.203.1 255.255.255.0
ip nat inside
ip policy route-map from_GK_LAN
no cdp enable
!
interface GigabitEthernet0/0/1.244
description TL_GUEST_TRMEDIA
encapsulation dot1Q 244
ip address 192.168.51.1 255.255.255.0
ip nat inside
no cdp enable
!
interface GigabitEthernet0/0/1.255
description krr_lan_MGMT
encapsulation dot1Q 255
ip address 10.200.201.1 255.255.255.240
ip nat inside
no cdp enable
!!
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
! Template cloned for each dial-in session accepted by vpdn-group pptp.
interface Virtual-Template1
ip dhcp client hostname mycomp.ru
! The router side of every session borrows Loopback0's address.
ip unnumbered Loopback0
ip nat inside
! Clients receive addresses from the local DHCP pool users-vpn (10.100.100.0/24).
peer default ip address dhcp-pool users-vpn
! NOTE(review): MS-CHAPv2 is the only authentication method. It has well-known cryptographic weaknesses,
! so user passwords carried over it should not be considered well protected. No "ppp encrypt mppe" line
! is shown either, so per this listing encryption of the session is not required. Confirm.
ppp authentication ms-chap-v2
ppp authorization local
! Session start and stop records go to RADIUS through the VPN-USERS accounting list.
ppp accounting VPN-USERS
!
interface Vlan1
no ip address
!
! OSPF process 1: area 0 over the tunnel and loopback networks, area 1 for the local LAN segments.
! NOTE(review): no area authentication and no per-interface OSPF key appear in this listing, so adjacencies
! (including the one over the GRE tunnel) look unauthenticated. Confirm.
router ospf 1
! Connected routes are redistributed only if they match route-map vpdnip_ospf (ACL 33 = 10.100.100.0/24),
! which is how the VPN clients' addresses are announced to the branches.
redistribute connected subnets route-map vpdnip_ospf
passive-interface GigabitEthernet0/0/0
! NOTE(review): GigabitEthernet0/0/2 has no interface section in this listing.
passive-interface GigabitEthernet0/0/2
passive-interface GigabitEthernet0/0/3
network 10.12.12.0 0.0.0.255 area 0
network 10.13.13.0 0.0.0.255 area 0
network 10.200.200.0 0.0.0.255 area 0
network 10.200.201.0 0.0.0.15 area 1
network 192.168.20.0 0.0.0.255 area 1
network 192.168.48.0 0.0.1.255 area 1
network 192.168.50.0 0.0.0.255 area 1
network 192.168.51.0 0.0.0.255 area 1
network 192.168.52.0 0.0.1.255 area 1
network 192.168.100.0 0.0.0.127 area 1
network 192.168.203.0 0.0.0.255 area 1
network 192.168.206.0 0.0.0.255 area 1
network 192.168.208.0 0.0.3.255 area 1
! Statically defined neighbor; no interface in 10.12.12.0/24 is shown in this listing.
neighbor 10.12.12.2 cost 1
!
! eBGP to three upstream sessions. Static routes tagged 609 (the 194.22.8.0/24 aggregate) are
! redistributed through route-map static-to-bgp.
! NOTE(review): none of the neighbors has a session password, a TTL-security setting or a maximum-prefix
! limit in this listing. These are the usual protections for internet-facing sessions against spoofed
! resets and route-table floods. Confirm whether they were trimmed from the post.
router bgp 201631
no bgp fast-external-fallover
bgp log-neighbor-changes
bgp deterministic-med
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
neighbor 77.66.207.221 remote-as 60490
neighbor 77.66.207.221 description -- MTS tehnicheskaya (upstream)
neighbor 193.242.148.200 remote-as 58314
neighbor 193.242.148.200 description -- PROV (upstream)
neighbor 212.188.45.204 remote-as 8359
neighbor 212.188.45.204 description -- MTS fullview (upstream)
! Multihop session; it is reached through the static host route named to-ebgp-peer-mts.
neighbor 212.188.45.204 ebgp-multihop 10
!
address-family ipv4
redistribute static route-map static-to-bgp
! Every neighbor gets an inbound import route-map and an outbound export route-map, and private AS
! numbers are stripped from outgoing updates.
neighbor 77.66.207.221 activate
neighbor 77.66.207.221 send-community both
neighbor 77.66.207.221 remove-private-as
neighbor 77.66.207.221 route-map uAS8359-import in
neighbor 77.66.207.221 route-map uAS8359-export out
neighbor 193.242.148.200 activate
neighbor 193.242.148.200 send-community both
neighbor 193.242.148.200 remove-private-as
neighbor 193.242.148.200 advertisement-interval 1
neighbor 193.242.148.200 route-map uAS58322-import in
neighbor 193.242.148.200 route-map uAS58322-export out
neighbor 212.188.45.204 activate
neighbor 212.188.45.204 send-community both
neighbor 212.188.45.204 remove-private-as
neighbor 212.188.45.204 advertisement-interval 1
neighbor 212.188.45.204 route-map uAS8359-import in
neighbor 212.188.45.204 route-map uAS8359-export out
exit-address-family
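!
! Dynamic PAT rules. Each route-map selects inside sources by ACL, and matching traffic is translated
! to the address of the named loopback. The first rule was fused with the preceding "!" separator in
! the post; pasted that way it would be read as a comment and the Loopback5 rule would be lost.
! NOTE(review): Loopback6 carries no "ip nat outside" in this listing, unlike Loopback4/5/7. Confirm.
ip nat inside source route-map dynamic-nat interface Loopback5 overload
ip nat inside source route-map dynamic-nat-mail interface Loopback7 overload
ip nat inside source route-map dynamic-nat-mail-TALE interface Loopback4 overload
ip nat inside source route-map dynamic-nat-yt-TALE interface Loopback6 overload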
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 18.0.0.0 2 name floating-default-to-mit
ip route 0.0.0.0 0.0.0.0 4.0.0.0 3 name floating-default-to-level3
ip route 0.0.0.0 0.0.0.0 128.15.0.0 4 name floating-default-to-llnl
ip route 0.0.0.0 0.0.0.0 132.249.0.0 5 name floating-default-to-sdsc
ip route 0.0.0.0 0.0.0.0 194.226.64.0 6 name floating-default-to-rosniiros
ip route 0.0.0.0 255.0.0.0 Null0 name martians-route
ip route 127.0.0.0 255.0.0.0 Null0 name martians-route
ip route 194.22.8.0 255.255.255.0 Null0 tag 609 name aggregate-to-bgp
ip route 212.188.45.204 255.255.255.255 77.66.207.221 name to-ebgp-peer-mts
ip route 217.79.225.8 255.255.255.255 77.66.206.97 name mikhail-emergancy
ip ssh version 2
!
ip community-list standard type-aggregate permit 609
!
ip access-list extended ACL_WIFI_TO_EXT
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended border-filter-in
ip access-list extended from_2ndISP
permit ip any host 193.242.149.83
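! Denies traffic to private (RFC 1918) destinations and to the site's own 194.22.8.0/24 block, then
! permits everything else. Nothing in this listing references the ACL.
ip access-list extended to-inet
deny ip any 10.0.0.0 0.255.255.255
! 172.16.0.0/12 needs wildcard 0.15.255.255, as the vlan100-out ACL already uses. The previous entry
! (172.0.0.0 0.240.255.255) matched 172.x only where x is a multiple of 16, so it missed 172.17-172.31
! and caught public ranges such as 172.32.0.0/16.
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 194.22.8.0 0.0.0.255
permit ip any any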
ip access-list extended vlan100-out
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit tcp any host 192.168.210.78 eq www
!
!
! NOTE(review): this list holds only a "deny" entry, so it never matches (permits) any prefix. The BGP
! import route-maps reference it in their "deny 20" clause to filter "our own prefixes"; with a deny
! entry here that clause would not drop 194.22.8.0/24 or its more-specifics because of this list.
! If the intent is to reject them from upstreams, the entry likely needs to be "permit". Confirm.
ip prefix-list allocated-blocks description -- registered address blocks
ip prefix-list allocated-blocks seq 10 deny 194.22.8.0/24 le 32
!
ip prefix-list default-networks description networks we use to point default to
ip prefix-list default-networks seq 10 permit 18.0.0.0/8
ip prefix-list default-networks seq 20 permit 4.0.0.0/8
ip prefix-list default-networks seq 30 permit 128.15.0.0/16
ip prefix-list default-networks seq 40 permit 132.249.0.0/16
ip prefix-list default-networks seq 50 permit 194.226.64.0/20
!
ip prefix-list martians description RFC3330 martians nets
ip prefix-list martians seq 5 permit 0.0.0.0/8 le 32
ip prefix-list martians seq 10 permit 10.0.0.0/8 le 32
ip prefix-list martians seq 15 permit 127.0.0.0/8 le 32
ip prefix-list martians seq 20 permit 169.254.0.0/16 le 32
ip prefix-list martians seq 25 permit 172.16.0.0/12 le 32
ip prefix-list martians seq 30 permit 192.0.2.0/24 le 32
ip prefix-list martians seq 35 permit 192.42.172.0/24 le 32
ip prefix-list martians seq 40 permit 192.88.99.0/24 le 32
ip prefix-list martians seq 45 permit 192.168.0.0/16 le 32
ip prefix-list martians seq 50 permit 198.18.0.0/15 le 32
ip prefix-list martians seq 55 permit 224.0.0.0/4 le 32
ip prefix-list martians seq 60 permit 240.0.0.0/4 le 32
ip sla 75
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1.134
frequency 10
ip sla schedule 75 life forever start-time now
ip sla 88
icmp-echo 192.168.211.1 source-interface GigabitEthernet0/0/1.100
frequency 10
ip sla schedule 88 life forever start-time now
ip sla 99
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1.101
frequency 10
ip sla schedule 99 life forever start-time now
ip sla 207
icmp-echo 10.3.1.2 source-interface Tunnel3
frequency 10
ip sla schedule 207 life forever start-time now
ip sla 208
icmp-echo 10.2.2.2 source-interface GigabitEthernet0/0/1.138
frequency 10
ip sla schedule 208 life forever start-time now
access-list 25 permit 192.168.208.0 0.0.3.255
access-list 25 permit 192.168.100.0 0.0.0.127
access-list 25 permit 10.100.100.0 0.0.0.255
access-list 25 permit 10.10.10.0 0.0.0.255
access-list 25 permit 10.11.11.0 0.0.0.255
access-list 25 permit 10.200.200.0 0.0.0.255
access-list 25 permit 10.111.111.0 0.0.0.3
access-list 25 permit 192.168.52.0 0.0.1.255
access-list 26 permit 192.168.211.10
access-list 26 permit 192.168.211.13
access-list 28 permit any
access-list 33 permit 10.100.100.0 0.0.0.255
access-list 34 permit 192.168.210.252
access-list 34 permit 192.168.209.98
access-list 77 permit 192.168.209.245
access-list 78 permit 192.168.208.250
access-list 78 permit 192.168.208.237
access-list 78 permit 192.168.210.85
access-list 79 permit 192.168.208.250
access-list 79 permit 192.168.210.102
access-list 80 permit 192.168.210.96
access-list 88 deny 192.168.208.250
access-list 88 deny 192.168.209.245
access-list 88 deny 192.168.210.96
access-list 88 deny 192.168.210.102
access-list 88 permit 10.2.1.0 0.0.0.255
access-list 88 permit 10.2.2.0 0.0.0.255
access-list 88 permit 10.1.1.0 0.0.0.255
access-list 88 permit 10.1.2.0 0.0.0.255
access-list 88 permit 10.3.1.0 0.0.0.255
access-list 88 permit 10.3.2.0 0.0.0.255
access-list 88 permit 10.3.3.0 0.0.0.255
access-list 88 permit 10.10.10.0 0.0.0.255
access-list 88 permit 10.100.100.0 0.0.0.255
access-list 88 permit 10.200.200.0 0.0.0.255
access-list 88 permit 10.200.201.0 0.0.0.255
access-list 88 permit 192.168.10.0 0.0.0.255
access-list 88 permit 192.168.20.0 0.0.0.255
access-list 88 permit 192.168.100.0 0.0.0.127
access-list 88 permit 192.168.203.0 0.0.0.255
access-list 88 permit 192.168.205.0 0.0.0.255
access-list 88 permit 192.168.206.0 0.0.0.255
access-list 88 permit 192.168.207.0 0.0.0.255
access-list 88 permit 192.168.208.0 0.0.3.255
access-list 88 permit 192.168.212.0 0.0.3.255
access-list 88 permit 192.168.216.0 0.0.3.255
access-list 88 permit 192.168.220.0 0.0.3.255
access-list 88 permit 192.168.224.0 0.0.3.255
access-list 88 permit 192.168.232.0 0.0.3.255
access-list 88 permit 192.168.236.0 0.0.3.255
access-list 88 permit 192.168.240.0 0.0.3.255
access-list 88 permit 192.168.244.0 0.0.0.255
access-list 88 permit 10.11.11.0 0.0.0.255
access-list 88 permit 192.168.48.0 0.0.1.255
access-list 88 permit 192.168.50.0 0.0.0.255
access-list 88 permit 192.168.52.0 0.0.1.255
access-list 88 permit 193.242.149.0 0.0.0.255
access-list 88 permit 192.168.155.0 0.0.0.255
access-list 88 permit 192.168.156.0 0.0.0.255
access-list 88 permit 192.168.157.0 0.0.0.255
access-list 177 deny ip 192.168.237.0 0.0.0.255 any
access-list 177 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.1.1.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.1.2.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.2.1.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.2.2.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.3.1.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.3.2.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.3.3.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.5.5.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.100.100.0 0.0.0.255
access-list 177 deny ip 192.168.0.0 0.0.255.255 10.200.200.0 0.0.0.255
access-list 177 permit ip 192.168.0.0 0.0.255.255 any
access-list 178 deny ip host 192.168.208.28 any
access-list 178 deny ip host 192.168.210.102 any
access-list 178 deny ip 192.168.48.0 0.0.1.255 any
access-list 178 deny ip 192.168.50.0 0.0.0.255 any
access-list 178 deny ip 192.168.52.0 0.0.1.255 any
access-list 178 deny ip 192.168.208.0 0.0.3.255 192.168.0.0 0.0.255.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.1.1.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.2.1.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.2.2.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.3.1.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.3.2.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.3.3.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.5.5.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.11.11.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.100.100.0 0.0.0.255
access-list 178 deny ip 192.168.208.0 0.0.3.255 10.200.200.0 0.0.0.255
access-list 178 deny ip 192.168.203.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 178 deny ip 192.168.203.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 178 deny ip 192.168.203.0 0.0.0.255 10.11.11.0 0.0.0.255
access-list 178 deny ip 192.168.203.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 178 deny ip 192.168.203.0 0.0.0.255 10.200.200.0 0.0.0.255
access-list 178 deny ip 192.168.206.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 178 deny ip 192.168.206.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 178 deny ip 192.168.206.0 0.0.0.255 10.11.11.0 0.0.0.255
access-list 178 deny ip 192.168.206.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 178 deny ip 192.168.207.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 178 deny ip 192.168.207.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 178 deny ip 192.168.207.0 0.0.0.255 10.11.11.0 0.0.0.255
access-list 178 deny ip 192.168.207.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 178 deny ip 192.168.207.0 0.0.0.255 10.200.200.0 0.0.0.255
access-list 178 deny ip 192.168.100.0 0.0.0.127 any
access-list 178 deny ip host 192.168.208.78 any
access-list 178 deny ip host 192.168.210.78 any
access-list 178 deny ip host 192.168.208.118 any
access-list 178 deny ip host 192.168.208.175 any
access-list 178 deny ip host 192.168.208.233 any
access-list 178 deny ip host 192.168.209.79 any
access-list 178 deny ip host 192.168.209.98 any
access-list 178 deny ip host 192.168.208.215 any
access-list 178 deny ip host 192.168.209.201 any
access-list 178 deny ip host 192.168.209.211 any
access-list 178 deny ip host 192.168.210.250 any
access-list 178 deny ip host 192.168.210.252 any
access-list 178 deny ip host 192.168.211.1 any
access-list 178 deny ip host 192.168.211.10 any
access-list 178 deny ip host 192.168.211.12 any
access-list 178 deny ip host 192.168.211.13 any
access-list 178 deny ip host 192.168.208.168 any
access-list 178 deny ip host 192.168.208.156 any
access-list 178 deny ip host 192.168.208.124 any
access-list 178 deny ip host 192.168.209.245 any
access-list 178 deny ip host 192.168.209.20 any
access-list 178 deny ip host 192.168.208.61 any
access-list 178 deny ip host 192.168.211.216 any
access-list 178 deny ip host 192.168.209.57 any
access-list 178 deny ip host 192.168.210.189 any
access-list 178 deny ip host 192.168.208.209 any
access-list 178 deny ip host 192.168.208.80 any
access-list 178 deny ip host 192.168.210.85 any
access-list 178 deny ip host 192.168.208.237 any
access-list 178 deny ip host 192.168.209.26 any
access-list 178 deny ip host 192.168.210.55 any
access-list 178 deny ip host 192.168.210.171 any
access-list 178 deny ip host 192.168.208.250 any
access-list 178 permit ip 192.168.203.0 0.0.0.255 any
access-list 178 permit ip 192.168.205.0 0.0.0.255 any
access-list 178 permit ip 192.168.206.0 0.0.0.255 any
access-list 178 permit ip 192.168.207.0 0.0.0.255 any
access-list 178 permit ip 192.168.208.0 0.0.3.255 any
!
route-map dynamic-nat-mail permit 10
match ip address 77
!
route-map ISP1-NAT permit 10
match ip address 88
!
route-map ISP2-NAT permit 10
match ip address 88
!
route-map aggregate-to-bgp permit 10
set local-preference 1000
set origin igp
set community 609
!
route-map dynamic-nat-vtaskmob permit 10
match ip address 78
!
route-map dynamic-nat permit 10
match ip address 88
!
route-map 115 permit 10
match ip address 115
set ip next-hop verify-availability 193.242.149.1 10 track 75
set ip next-hop verify-availability 77.66.206.97 20 track 99
!
route-map from_2ndISP permit 10
match ip address from_2ndISP
!
route-map vpdnip_ospf permit 10
match ip address 33
!
route-map from_RO_LAN permit 10
match ip address 177
set ip next-hop verify-availability 192.168.211.1 10 track 88
!
route-map uAS8359-export permit 10
description -- advertise only my AS prefixes
match community type-aggregate
!
route-map gre_fil permit 10
match ip address 27
!
route-map gre_fil permit 20
match policy-list 28
!
route-map dynamic-nat-mail-TALE permit 10
match ip address 79
!
route-map uAS8359-import deny 20
description -- filter martians, default and our own prefixes
match ip address prefix-list martians allocated-blocks
!
route-map uAS8359-import permit 100
match ip address prefix-list default-networks
set local-preference 200
set community 626
!
route-map uAS8359-import permit 200
set local-preference 100
set community 626
!
route-map dynamic-nat-yt-TALE permit 10
match ip address 80
!
route-map from_GK_LAN permit 10
match ip address 178
set ip next-hop verify-availability 192.168.211.1 10 track 88
!
route-map uAS58322-import deny 20
description -- filter martians, default and our own prefixes
match ip address prefix-list martians allocated-blocks
!
route-map uAS58322-import permit 100
match ip address prefix-list default-networks
set local-preference 200
set community 626
!
route-map uAS58322-import permit 200
set local-preference 100
set community 626
!
route-map uAS58322-export permit 10
description -- advertise only my AS prefixes
match community type-aggregate
!
route-map static-to-bgp permit 10
match tag 609
set local-preference 1000
set origin igp
set community 609
!
>[оверквотинг удален]
> description -- advertise only my AS prefixes
> match community type-aggregate
> !
> route-map static-to-bgp permit 10
> match tag 609
> set local-preference 1000
> set origin igp
> set community 609
> !
>
А в филиалах IP клиентских VPN прилетают по OSPF?
> А в филиалах IP клиентских VPN прилетают по OSPF?
Да прилетают
>> А в филиалах IP клиентских VPN прилетают по OSPF?
> Да прилетают
Тема закрыта, техподдержка циски ответила: на новых IOS полноценную поддержку PPTP выпилили, поэтому и не работает.
>>> А в филиалах IP клиентских VPN прилетают по OSPF?
>> Да прилетают
> Тема закрыта, техподдержка циски ответила, на новых IOS полноценную поддержку pptp выпилили,
> поэтому и не работает
В смысле "выпилили"? Клиента выпилили?