version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level 20000000
!
hostname RR
!
boot-start-marker
boot system bootflash:asr1001x-universalk9.17.06.05.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging console critical
enable secret 9 xxxxxx
!
aaa new-model
!
aaa group server radius ISG_SRV_GROUP
 server name RAD1
 ip radius source-interface TenGigabitEthernet0/0/0.1200
!
aaa group server radius ISG_SERVICE_SRV_GROUP
 server name RAD2
 ip radius source-interface TenGigabitEthernet0/0/0.1200
!
aaa authentication login default local
aaa authorization network ISG_AUTH_LIST group ISG_SRV_GROUP
aaa authorization subscriber-service default group ISG_SERVICE_SRV_GROUP
aaa accounting delay-start all
aaa accounting jitter maximum 0
aaa accounting update periodic 5
aaa accounting network ISG_ACCT_LIST start-stop group ISG_SRV_GROUP
!
aaa server radius dynamic-author
 client x.x.x.x server-key 7 password
 server-key 7 XXXXXXXXXXXXXXX
 port 3799
 auth-type any
!
aaa session-id common
clock timezone EEST 3 0
!
ip dhcp relay information option
!
login on-success log
!
subscriber templating
subscriber authorization enable
!
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-XXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXXX
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01 nvram:CiscoLicensi#1CA.cer
crypto pki certificate chain TP-self-signed-XXXXXXXXX
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
license udi pid ASR1001-X sn XXXXXXXXXXXXXX
license accept end user agreement
license boot level adventerprise
memory free low-watermark processor 682835
!
spanning-tree extend system-id
no spanning-tree vlan 1-4000
diagnostic bootup level minimal
!
username admin privilege 15 secret 9 xxxxx
!
redundancy
 mode none
!
class-map type control match-all COND_LAST
 match timer 2MIN
 match authen-status unauthenticated
!
class-map match-all TELNET
 match access-group name TELNET
class-map match-all ICMP
 match access-group name ICMP
class-map match-all HSRP
 match access-group name HSRP
class-map match-all EIGRP
 match access-group name EIGRP
policy-map type control IPOE_CUSTOMERS
 class type control COND_LAST event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list ISG_AUTH_LIST password cisco identifier remote-id
  20 set-timer 2MIN 2
 !
 class type control always event account-logoff
  10 service disconnect
 !
 class type control always event session-restart
  10 authorize aaa list ISG_AUTH_LIST password cisco identifier remote-id
  20 set-timer 2MIN 2
 !
!
policy-map COPP
 class ICMP
  police 32000 conform-action transmit exceed-action transmit
 class TELNET
  police 32000 conform-action transmit exceed-action transmit
 class EIGRP
  police 32000 conform-action transmit exceed-action transmit
 class HSRP
  police 32000 conform-action transmit exceed-action transmit
!
interface Loopback1
 ip address x.x.x.x 255.255.255.128
 ip address x.x.x.x 255.255.192.0 secondary
 no ip redirects
 no ip unreachables
!
interface TenGigabitEthernet0/0/0
 description ##Uplink_local_1##
 mtu 9000
 no ip address
!
interface TenGigabitEthernet0/0/0.1200
 encapsulation dot1Q 1200
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 ip nat outside
!
interface TenGigabitEthernet0/0/1
 description ##Uplink_local_2##
 mtu 9000
 no ip address
!
interface TenGigabitEthernet0/0/1.2000
 description ##QINQ##
 encapsulation dot1Q 2000 second-dot1q any
 ip dhcp relay information trusted
 ip dhcp relay information option-insert
 ip unnumbered Loopback1
 ip helper-address x.x.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip verify unicast source reachable-via rx l2-src
 service-policy type control IPOE_CUSTOMERS
 ip subscriber routed
  initiator dhcp
!
interface TenGigabitEthernet0/0/1.2001
 description ##QINQ##
 encapsulation dot1Q 2001 second-dot1q any
 ip dhcp relay information trusted
 ip unnumbered Loopback1
 ip helper-address x.x.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip verify unicast source reachable-via rx l2-src
 service-policy type control IPOE_CUSTOMERS
 ip subscriber routed
  initiator dhcp
no ip http server
no ip http secure-server
ip forward-protocol nd
!
ip nat settings gatekeeper-size 262144
ip nat settings pap limit 30
ip nat translation timeout 1800
ip nat translation tcp-timeout 1600
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 30
ip nat translation max-entries 2000000
ip nat translation max-entries all-host 2500
no ip nat service all-algs
ip nat pool CGNAT1 x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat pool CGNAT2 x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat inside source list list-CGNAT1 pool CGNAT1 overload
ip nat inside source list list-CGNAT2 pool CGNAT2 overload
ip route x.x.x.x 255.0.0.0 Null0 254
ip route x.x.x.x 255.192.0.0 Null0 254
ip ssh maxstartups 2
ip ssh port 2024 rotary 10
ip ssh logging events
ip ssh version 2
!
ip access-list extended EIGRP
 10 permit eigrp any any
ip access-list extended HSRP
 10 permit udp any host x.x.x.x eq 1985
ip access-list extended ICMP
 10 permit icmp any any
ip access-list extended TELNET
 10 permit tcp any any eq telnet
ip access-list extended list-CGNAT1
 10 permit tcp x.x.x.x 0.0.63.255 any
 20 permit udp x.x.x.x 0.0.63.255 any
 30 permit icmp x.x.x.x 0.0.63.255 any
 40 deny ip any any
ip access-list extended list-CGNAT2
 10 permit tcp x.x.x.x 0.0.63.255 any
 20 permit udp x.x.x.x 0.0.63.255 any
 30 permit icmp x.x.x.x 0.0.63.255 any
 40 deny ip any any
!
ip access-list extended 110
 10 permit tcp x.x.x.x 0.0.63.255 any eq www
 20 permit tcp x.x.x.x 0.0.63.255 any eq www
ip access-list extended 130
 10 permit tcp host x.x.x.x any
 20 permit tcp any host x.x.x.x
 30 permit udp host x.x.x.x any
 40 permit udp any host x.x.x.x
!
radius-server attribute 44 include-in-access-req default-vrf
no radius-server attribute 77 include-in-acct-req
no radius-server attribute 77 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format e QQQQQQQQQQQQQQQQVVVVVVVVVVVVVVVV
radius-server attribute 31 mac format unformatted
radius-server unique-ident 73
radius-server key 7 XXXXXXXXXXXXX
radius-server vsa send cisco-nas-port
!
radius server RAD1
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXX
!
radius server RAD2
 address ipv4 x.x.x.x auth-port 1912 acct-port 1913
 key 7 XXXXXXXXXXXXXXXXXX
!
control-plane
 service-policy input COPP
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 20 0
 privilege level 15
 logging synchronous
 rotary 10
 transport input none
line vty 5 15
 transport input none
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
end