Cisco PCI Solution for Retail Design and Implementation Guide
Device Configurations


This appendix includes the following device configurations:

Branch Configurations

Large Store Router #1

Large Store Router #2

Medium Store Router #1

Medium Store Router #2

Small Store Router #1

Data Center WAN Router #1

Data Center WAN Router #2

Large Store Switch #1

Large Store Switch #2

Large Store Switch #3

Large Store Switch #4

Medium Store Branch Switch #1

Medium Store Switch #2

Large Store Wireless Controller

Medium Store Wireless Controller

Small Store Wireless Controller in the Data Center

Large Store Access Point

Medium Store Access Point

Small Store Access Point

Internet Edge Configurations

Cisco Firewall Service Module

Cisco Catalyst 3750

Cisco Catalyst 6500

Cisco 7200 Edge Router

Cisco Application Control Engine

Data Center Configurations

Cisco Catalyst 3750

Cisco Catalyst 6500

Cisco 7206 VXR Router

Cisco Adaptive Security Appliance

Branch Configurations

Large Store Router #1

------------------ show version ------------------

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

RLRG-1 uptime is 11 weeks, 4 days, 3 hours, 7 minutes
System returned to ROM by reload at 18:34:08 UTC Mon Sep 25 2006
System restarted at 11:32:41 PSTDST Mon Sep 25 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 484352K/39936K bytes of memory.
Processor board ID FTX1027A34V
2 Gigabit Ethernet interfaces
2 Serial interfaces
1 terminal line
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
4 Voice FXO interfaces
4 Voice FXS interfaces
1 cisco service engine(s)
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
250880K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration : 28349 bytes
!
! Last configuration change at 15:59:42 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:27:43 PST Wed Dec 13 2006 by csm-user
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
!
hostname RLRG-1
!
boot-start-marker
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
boot-end-marker
!
card type t1 0 0
logging buffered 8000000 informational
no logging rate-limit
no logging console
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated 
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PSTDST recurring
no network-clock-participate wic 0 
!
!
ip cef
!
!
no ip bootp server
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/11/sdf-complete.xml
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2307965259
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2307965259
 revocation-check none
 rsakeypair TP-self-signed-2307965259
!
crypto pki trustpoint IDSMDC_CSMANAGER
 enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2307965259
 certificate self-signed 01
  quit
crypto pki certificate chain IDSMDC_CSMANAGER
 certificate ca 00CE88ED0F069AE8F5
  quit
username cisco privilege 15 secret 5 <removed>
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
! 
!
!
!
!
!
interface Tunnel1
 no ip address
 ip access-group CSM_FW_ACL_Group-Async0 in
!
interface Loopback0
 ip address 10.10.62.1 255.255.255.255
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description ROUTER LINK TO SLRG-1
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.11
 description POS
 encapsulation dot1Q 11
 ip address 10.10.48.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.11 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 11 ip 10.10.48.1
 standby 11 priority 101
 standby 11 preempt
!
interface GigabitEthernet0/0.12
 description DATA
 encapsulation dot1Q 12
 ip address 10.10.49.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.12 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 12 ip 10.10.49.1
 standby 12 priority 101
 standby 12 preempt
!
interface GigabitEthernet0/0.13
 description VOICE
 encapsulation dot1Q 13
 ip address 10.10.50.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.13 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 13 ip 10.10.50.1
 standby 13 priority 101
 standby 13 preempt
!
interface GigabitEthernet0/0.14
 description WIRELESS
 encapsulation dot1Q 14
 ip address 10.10.51.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.14 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 14 ip 10.10.51.1
 standby 14 priority 101
 standby 14 preempt
!
interface GigabitEthernet0/0.15
 description WIRELESS POS
 encapsulation dot1Q 15
 ip address 10.10.52.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.15 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 15 ip 10.10.52.1
 standby 15 priority 101
 standby 15 preempt
!
interface GigabitEthernet0/0.16
 description PARTNER
 encapsulation dot1Q 16
 ip address 10.10.53.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.16 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 16 ip 10.10.53.1
 standby 16 priority 101
 standby 16 preempt
!
interface GigabitEthernet0/0.17
 description WIRELESS GUEST
 encapsulation dot1Q 17
 ip address 10.10.54.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.17 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 17 ip 10.10.54.1
 standby 17 priority 101
 standby 17 preempt
!
interface GigabitEthernet0/0.18
 description LWAP CONTROL
 encapsulation dot1Q 18
 ip address 10.10.55.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.18 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 18 ip 10.10.55.1
 standby 18 priority 101
 standby 18 preempt
!
interface GigabitEthernet0/0.102
 description ROUTER LINK TO RLRG-2 VIA SLRG-2
 encapsulation dot1Q 102
 ip address 10.10.62.29 255.255.255.252
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface GigabitEthernet0/0.1000
 description MANAGEMENT
 encapsulation dot1Q 1000
 ip address 10.10.63.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.1000 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 100 ip 10.10.63.1
 standby 100 priority 101
 standby 100 preempt
!
interface Service-Engine0/1
 no ip address
 ip access-group CSM_FW_ACL_Group-Async0 in
 ip verify unicast source reachable-via rx
 ip virtual-reassembly
 shutdown
!
interface GigabitEthernet0/1
 description ROUTER LINK TO SLRG-2
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.101
 description ROUTER LINK TO RLRG-2 VIA SLRG-2
 encapsulation dot1Q 101
 ip address 10.10.62.25 255.255.255.252
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface Serial0/0/0:0
 description RLRG-1 to RSP-1
 no ip address
 ip access-group CSM_FW_ACL_Group-Async0 in
 ip verify unicast source reachable-via rx
 ip virtual-reassembly
 encapsulation frame-relay IETF
!
interface Serial0/0/0:0.1 point-to-point
 ip address 10.10.62.17 255.255.255.252
 ip access-group CSM_FW_ACL_Serial0/0/0:0.1 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 frame-relay interface-dlci 103   
!
interface Group-Async0
 physical-layer async
 no ip address
 ip access-group CSM_FW_ACL_Group-Async0 in
 ip verify unicast source reachable-via rx
 ip virtual-reassembly
 encapsulation slip
 no group-range
!
router ospf 5
 router-id 10.10.62.1
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet0/0.102
 no passive-interface GigabitEthernet0/1.101
 no passive-interface Serial0/0/0:0.1
 network 10.10.48.0 0.0.15.255 area 3
!
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
!
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.1000
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
 permit tcp any host 192.168.42.134 eq 69 log
 permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
 remark ---- Ciscoworks so Managed Devices ----
 permit tcp host 192.168.42.134 any eq 22 telnet www 443 log
 permit udp host 192.168.42.134 any eq snmp snmptrap syslog log
 remark ---- System messages to MARS ----
 permit tcp any host 192.168.42.121 eq 2055 log
 permit udp any host 192.168.42.121 eq snmp syslog log
 remark ---- Allow network devices to use the ACS server ----
 permit tcp any host 192.168.42.131 eq tacacs log
 permit udp any host 192.168.42.131 eq 1812 log
 remark ---- ping to Datacenter ----
 permit icmp any 192.168.42.0 0.0.0.255 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.63.0 0.0.0.255 10.10.63.0 0.0.0.255 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.102
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- Trusted ports for passing traffic in failure scenarios ----
 permit ip any any log
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark Drop anything not explicitly allowed
 deny   ip any any log
 remark ---- permit ntp ----
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.11
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.48.0 0.0.0.255 10.10.48.0 0.0.0.255 log
 remark ---- Clients to ActiveDirectory Server ----
 permit icmp any host 192.168.42.130 log
 permit tcp any host 192.168.42.130 range 1024 65535 log
 permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
 permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
 remark ---- POS Devices talking to Wincor ----
 permit icmp any host 192.168.52.98 log
 permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
 permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
 remark ---- POS to MSRMS Server ----
 permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
 permit udp any host 192.168.52.99 eq 1433 1434 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.12
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.49.0 0.0.0.255 10.10.49.0 0.0.0.255 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.13
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.50.0 0.0.0.255 10.10.50.0 0.0.0.255 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.14
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.51.0 0.0.0.255 10.10.51.0 0.0.0.255 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.15
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.52.0 0.0.0.255 10.10.52.0 0.0.0.255 log
 remark ---- Clients to ActiveDirectory Server ----
 permit icmp any host 192.168.42.130 log
 permit tcp any host 192.168.42.130 range 1024 65535 log
 permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
 permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
 remark ---- POS Devices talking to Wincor ----
 permit icmp any host 192.168.52.98 log
 permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
 permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
 remark ---- POS to MSRMS Server ----
 permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
 permit udp any host 192.168.52.99 eq 1433 1434 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.16
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.53.0 0.0.0.255 10.10.53.0 0.0.0.255 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.17
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.54.0 0.0.0.255 10.10.54.0 0.0.0.255 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.18
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
 permit tcp any host 192.168.42.134 eq 69 log
 permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
 remark ---- System messages to MARS ----
 permit tcp any host 192.168.42.121 eq 2055 log
 permit udp any host 192.168.42.121 eq snmp syslog log
 remark ---- Authenticate Wireless users ----
 permit udp host 10.10.55.5 host 192.168.42.131 eq 1812 log
 permit udp host 10.10.55.6 host 192.168.42.131 eq 1812 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 log
 remark ---- Ping Gateway ----
 remark ---- Allow controllers to talk to AP's ----
 permit udp 10.10.55.0 0.0.0.255 eq 12222 12223 10.10.55.0 0.0.0.255 log
 remark ----  Allow Wireless APs to talk to Controllers -----
 permit udp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 eq 12222 12223 log
 remark ---- Controllers to WCS Server ----
 permit icmp host 10.10.55.5 host 192.168.42.135 log
 permit tcp host 10.10.55.5 host 192.168.42.135 eq 69 log
 permit udp host 10.10.55.5 host 192.168.42.135 eq tftp snmp snmptrap log
 permit icmp host 10.10.55.6 host 192.168.42.135 log
 permit tcp host 10.10.55.6 host 192.168.42.135 eq 69 log
 permit udp host 10.10.55.6 host 192.168.42.135 eq tftp snmp snmptrap log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_Group-Async0
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_Serial0/0/0:0.1
 remark ---- All ACLs for DC to Remote will be handled at the Data Center *before* it gets put into the WAN
 permit ip any any log
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
!
logging source-interface Loopback0
logging 192.168.42.134
logging 192.168.42.121
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.42.0 0.0.0.255
access-list 23 deny   any log
access-list 88 permit 192.168.42.0 0.0.0.255
access-list 88 deny   any log
snmp-server group causer v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F 
snmp-server group casuser v3 auth access 88
snmp-server community <removed> RO 88
snmp-server community <removed> RW 88
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact bob
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server host 192.168.42.134 version 3 priv <removed> 
snmp-server host 192.168.42.134 <removed> 
!
!
!
!
!
tacacs-server host 192.168.42.131
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
!
!
!
!
!
!
!
banner exec ^C
WARNING:
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.        

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:  
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.        

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
 session-timeout 15  output
 exec-timeout 15 0
 privilege level 15
 login authentication RLOCAL
 stopbits 1
line aux 0
 session-timeout 15  output
 no exec
 stopbits 1
line 386
 session-timeout 15  output
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120
line vty 0 4
 session-timeout 15  output
 access-class 23 in
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport input ssh
line vty 5 15
 session-timeout 15  output
 access-class 23 in
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179470
ntp source Loopback0
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
!
End

Large Store Router #2

------------------ show version ------------------

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

RLRG-2 uptime is 4 weeks, 2 days, 20 hours, 34 minutes
System returned to ROM by error - a Software forced crash, PC 0x60D718F0 at 17:04:41 PST Tue Nov 14 2006
System restarted at 17:12:53 PST Tue Nov 14 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 484352K/39936K bytes of memory.
Processor board ID FTX1027A34T
2 Gigabit Ethernet interfaces
2 Serial interfaces
1 ATM interface
1 terminal line
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
1 cisco service engine(s)
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
250880K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration : 27883 bytes
!
! Last configuration change at 16:06:29 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:34:40 PST Wed Dec 13 2006 by csm-user
!
version 12.4
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
!
hostname RLRG-2
!
boot-start-marker
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
boot-end-marker
!
card type t1 0 0
logging buffered 8000000 informational
no logging rate-limit
no logging console
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated 
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PSTDST recurring
no network-clock-participate wic 0 
!
!
ip cef
!
!
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/12/sdf-complete.xml
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2860673641
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2860673641
 revocation-check none
 rsakeypair TP-self-signed-2860673641
!
crypto pki trustpoint IDSMDC_CSMANAGER
 enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2860673641
 certificate self-signed 01
  quit
crypto pki certificate chain IDSMDC_CSMANAGER
 certificate ca 00CE88ED0F069AE8F5
  quit
username cisco privilege 15 secret 5 <removed>
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
! 
!
!
!
!
!
interface Loopback0
 ip address 10.10.62.2 255.255.255.255
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description ROUTER LINK TO SLRG-1
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.102
 description ROUTER LINK TO RLRG-1 VIA SLRG-1
 encapsulation dot1Q 102
 ip address 10.10.62.30 255.255.255.252
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface Service-Engine0/1
 no ip address
 ip access-group CSM_FW_ACL_Serial0/0/0:0 in
 ip verify unicast source reachable-via rx
 ip virtual-reassembly
 shutdown
!
interface GigabitEthernet0/1
 description ROUTER LINK TO SLRG-2
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.11
 description POS
 encapsulation dot1Q 11
 ip address 10.10.48.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.11 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 11 ip 10.10.48.1
 standby 11 priority 95
 standby 11 preempt
!
interface GigabitEthernet0/1.12
 description DATA
 encapsulation dot1Q 12
 ip address 10.10.49.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.12 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 12 ip 10.10.49.1
 standby 12 priority 95
 standby 12 preempt
!
interface GigabitEthernet0/1.13
 description VOICE
 encapsulation dot1Q 13
 ip address 10.10.50.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.13 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 13 ip 10.10.50.1
 standby 13 priority 95
 standby 13 preempt
!
interface GigabitEthernet0/1.14
 description WIRELESS
 encapsulation dot1Q 14
 ip address 10.10.51.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.14 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 14 ip 10.10.51.1
 standby 14 priority 95
 standby 14 preempt
!
interface GigabitEthernet0/1.15
 description WIRELESS POS
 encapsulation dot1Q 15
 ip address 10.10.52.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.15 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 15 ip 10.10.52.1
 standby 15 priority 95
 standby 15 preempt
!
interface GigabitEthernet0/1.16
 description PARTNER
 encapsulation dot1Q 16
 ip address 10.10.53.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.16 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 16 ip 10.10.53.1
 standby 16 priority 95
 standby 16 preempt
!
interface GigabitEthernet0/1.17
 description WIRELESS GUEST
 encapsulation dot1Q 17
 ip address 10.10.54.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.17 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 17 ip 10.10.54.1
 standby 17 priority 95
 standby 17 preempt
!
interface GigabitEthernet0/1.18
 description LWAP CONTROL
 encapsulation dot1Q 18
 ip address 10.10.55.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.18 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 18 ip 10.10.55.1
 standby 18 priority 95
 standby 18 preempt
!
interface GigabitEthernet0/1.101
 description ROUTER LINK TO RLRG-1 VIA SLRG-1
 encapsulation dot1Q 101
 ip address 10.10.62.26 255.255.255.252
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface GigabitEthernet0/1.1000
 description MANAGEMENT
 encapsulation dot1Q 1000
 ip address 10.10.63.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.1000 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 100 ip 10.10.63.1
 standby 100 priority 95
 standby 100 preempt
!
interface Serial0/0/0:0
 description RLRG-2 to RSP-2
 no ip address
 ip access-group CSM_FW_ACL_Serial0/0/0:0 in
 ip verify unicast source reachable-via rx
 ip virtual-reassembly
 encapsulation frame-relay IETF
!
interface Serial0/0/0:0.1 point-to-point
 ip address 10.10.62.21 255.255.255.252
 ip access-group CSM_FW_ACL_Serial0/0/0:0.1 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip ospf cost 5000
 frame-relay interface-dlci 203   
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
router ospf 5
 router-id 10.10.62.2
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet0/0.102
 no passive-interface GigabitEthernet0/1.101
 no passive-interface Serial0/0/0:0.1
 network 10.10.48.0 0.0.15.255 area 3
!
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
!
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.102
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- Trusted ports for passing traffic in failure scenarios ----
 permit ip any any log
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark Drop anything not explicitly allowed
 deny   ip any any log
 remark ---- permit ntp ----
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.1000
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
 permit tcp any host 192.168.42.134 eq 69 log
 permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
 remark ---- Ciscoworks so Managed Devices ----
 permit tcp host 192.168.42.134 any eq 22 telnet www 443 log
 permit udp host 192.168.42.134 any eq snmp snmptrap syslog log
 remark ---- System messages to MARS ----
 permit tcp any host 192.168.42.121 eq 2055 log
 permit udp any host 192.168.42.121 eq snmp syslog log
 remark ---- Allow network devices to use the ACS server ----
 permit tcp any host 192.168.42.131 eq tacacs log
 permit udp any host 192.168.42.131 eq 1812 log
 remark ---- ping to Datacenter ----
 permit icmp any 192.168.42.0 0.0.0.255 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.63.0 0.0.0.255 10.10.63.0 0.0.0.255 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.11
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.48.0 0.0.0.255 10.10.48.0 0.0.0.255 log
 remark ---- Clients to ActiveDirectory Server ----
 permit icmp any host 192.168.42.130 log
 permit tcp any host 192.168.42.130 range 1024 65535 log
 permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
 permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
 remark ---- POS Devices talking to Wincor ----
 permit icmp any host 192.168.52.98 log
 permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
 permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
 remark ---- POS to MSRMS Server ----
 permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
 permit udp any host 192.168.52.99 eq 1433 1434 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.12
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.49.0 0.0.0.255 10.10.49.0 0.0.0.255 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.13
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.50.0 0.0.0.255 10.10.50.0 0.0.0.255 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.14
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.51.0 0.0.0.255 10.10.51.0 0.0.0.255 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.15
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.52.0 0.0.0.255 10.10.52.0 0.0.0.255 log
 remark ---- Clients to ActiveDirectory Server ----
 permit icmp any host 192.168.42.130 log
 permit tcp any host 192.168.42.130 range 1024 65535 log
 permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
 permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
 remark ---- POS Devices talking to Wincor ----
 permit icmp any host 192.168.52.98 log
 permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
 permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
 remark ---- POS to MSRMS Server ----
 permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
 permit udp any host 192.168.52.99 eq 1433 1434 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.16
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.53.0 0.0.0.255 10.10.53.0 0.0.0.255 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.17
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.54.0 0.0.0.255 10.10.54.0 0.0.0.255 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.18
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
 permit tcp any host 192.168.42.134 eq 69 log
 permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
 remark ---- System messages to MARS ----
 permit tcp any host 192.168.42.121 eq 2055 log
 permit udp any host 192.168.42.121 eq snmp syslog log
 remark ---- Authenticate Wireless users ----
 permit udp host 10.10.55.5 host 192.168.42.131 eq 1812 log
 permit udp host 10.10.55.6 host 192.168.42.131 eq 1812 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 log
 remark ---- Ping Gateway ----
 remark ---- Allow controllers to talk to AP's ----
 permit udp 10.10.55.0 0.0.0.255 eq 12222 12223 10.10.55.0 0.0.0.255 log
 remark ----  Allow Wireless APs to talk to Controllers -----
 permit udp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 eq 12222 12223 log
 remark ---- Controllers to WCS Server ----
 permit icmp host 10.10.55.5 host 192.168.42.135 log
 permit tcp host 10.10.55.5 host 192.168.42.135 eq 69 log
 permit udp host 10.10.55.5 host 192.168.42.135 eq tftp snmp snmptrap log
 permit icmp host 10.10.55.6 host 192.168.42.135 log
 permit tcp host 10.10.55.6 host 192.168.42.135 eq 69 log
 permit udp host 10.10.55.6 host 192.168.42.135 eq tftp snmp snmptrap log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_Serial0/0/0:0
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_Serial0/0/0:0.1
 remark ---- All ACLs for DC to Remote will be handled at the Data Center *before* it gets put into the WAN
 permit ip any any log
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.2 log
 permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
!
logging source-interface Loopback0
logging 192.168.42.134
logging 192.168.42.121
access-list 88 permit 192.168.42.0 0.0.0.255
access-list 88 deny   any log
snmp-server group causer v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F 
snmp-server group casuser v3 auth access 88
snmp-server community <removed> RO 88
snmp-server community <removed> RW 88
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server host 192.168.42.134 version 3 priv <removed> 
snmp-server host 192.168.42.134 <removed> 
!
!
!
!
!
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
control-plane
!
!
!
!
!
!
!
!
!
!
banner exec ^C
WARNING:
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.        

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:  
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.        

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
 session-timeout 15  output
 exec-timeout 15 0
 privilege level 15
 login authentication RLOCAL
 stopbits 1
line aux 0
 session-timeout 15  output
 no exec
 stopbits 1
line 386
 session-timeout 15  output
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120
line vty 0 4
 session-timeout 15  output
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport input ssh
line vty 5 15
 session-timeout 15  output
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179777
ntp source Loopback0
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
!
End

Medium Store Router #1

------------------ show version ------------------

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

RMED-1 uptime is 1 week, 3 days, 21 hours, 17 minutes
System returned to ROM by reload at 16:25:12 PST Mon Dec 4 2006
System restarted at 16:25:54 PST Mon Dec 4 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 485376K/38912K bytes of memory.
Processor board ID FTX1027A08Q
2 Gigabit Ethernet interfaces
4 Serial interfaces
2 terminal lines
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
4 Voice FXO interfaces
2 Voice FXS interfaces
1 cisco content engine(s)
1 cisco Wireless LAN Controller(s)
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration : 29725 bytes
!
! Last configuration change at 16:06:34 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:34:35 PST Wed Dec 13 2006 by csm-user
!
version 12.4
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
!
hostname RMED-1
!
boot-start-marker
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
boot-end-marker
!
logging buffered 8000000 informational
no logging rate-limit
no logging console
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated 
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PSTDST recurring
no network-clock-participate wic 0 
!
!
ip cef
!
!
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/7/sdf-complete.xml
ip ips notify SDEE
ip ips name MediumStore list 23
ip ips name sdm_ips_rule
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3152768543
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3152768543
 revocation-check none
 rsakeypair TP-self-signed-3152768543
!
crypto pki trustpoint IDSMDC_CSMANAGER
 enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3152768543
 certificate self-signed 01
  quit
crypto pki certificate chain IDSMDC_CSMANAGER
 certificate ca 00CE88ED0F069AE8F5
  quit
username cisco privilege 15 secret 5 <removed>
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
! 
!
!
!
!
!
interface Tunnel1
 no ip address
 ip access-group CSM_FW_ACL_Content-Engine3/0 in
!
interface Loopback0
 ip address 10.10.46.1 255.255.255.255
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.11
 description POS
 encapsulation dot1Q 11
 ip address 10.10.32.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.11 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 standby 11 ip 10.10.32.1
 standby 11 priority 101
 standby 11 preempt
!
interface GigabitEthernet0/0.12
 description DATA
 encapsulation dot1Q 12
 ip address 10.10.33.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.12 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 12 ip 10.10.33.1
 standby 12 priority 101
 standby 12 preempt
!
interface GigabitEthernet0/0.13
 description VOICE
 encapsulation dot1Q 13
 ip address 10.10.34.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.13 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 13 ip 10.10.34.1
 standby 13 priority 101
 standby 13 preempt
!
interface GigabitEthernet0/0.14
 description WIRELESS
 ip address 10.10.35.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.14 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 shutdown
!
interface GigabitEthernet0/0.15
 description WIRELESS POS
 ip address 10.10.36.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.15 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 shutdown
!
interface GigabitEthernet0/0.16
 description PARTNER
 encapsulation dot1Q 16
 ip address 10.10.37.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.16 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 16 ip 10.10.37.1
 standby 16 priority 101
 standby 16 preempt
!
interface GigabitEthernet0/0.17
 description WIRELESS GUEST
 ip address 10.10.38.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.17 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 shutdown
!
interface GigabitEthernet0/0.18
 description LWAP CONTROL
 encapsulation dot1Q 18
 ip address 10.10.39.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.18 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 18 ip 10.10.39.1
 standby 18 priority 101
 standby 18 preempt
!
interface GigabitEthernet0/0.102
 description ROUTER LINK TO RMED2 VIA SMED2
 encapsulation dot1Q 102
 ip address 10.10.46.29 255.255.255.252
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface GigabitEthernet0/0.1000
 description MANAGEMENT
 encapsulation dot1Q 1000
 ip address 10.10.47.2 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.1000 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 100 ip 10.10.47.1
 standby 100 priority 101
 standby 100 preempt
!
interface GigabitEthernet0/1
 description ROUTER LINK TO SMED-2
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.101
 description ROUTER LINK TO RMED-2
 encapsulation dot1Q 101
 ip address 10.10.46.25 255.255.255.252
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 ip ospf cost 200
!
interface Serial0/0/0:0
 description RMED-1 to RSP-1
 no ip address
 ip access-group CSM_FW_ACL_Content-Engine3/0 in
 ip verify unicast source reachable-via rx
 encapsulation frame-relay IETF
!
interface Serial0/0/0:0.1 point-to-point
 description CONNECTION TO RWAN-1
 ip address 10.10.46.17 255.255.255.252
 ip access-group CSM_FW_ACL_Serial0/0/0:0.1 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 frame-relay interface-dlci 102   
!
interface Serial0/0/1:0
 no ip address
 ip access-group CSM_FW_ACL_Content-Engine3/0 in
 ip verify unicast source reachable-via rx
 ip virtual-reassembly
 encapsulation frame-relay IETF
!
interface wlan-controller1/0
 ip address 10.10.46.33 255.255.255.248
 ip access-group CSM_FW_ACL_wlan-controller1/0 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface wlan-controller1/0.14
 encapsulation dot1Q 14
 ip address 10.10.35.1 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.14 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface wlan-controller1/0.15
 encapsulation dot1Q 15
 ip address 10.10.36.1 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.15 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface wlan-controller1/0.17
 encapsulation dot1Q 17
 ip address 10.10.38.1 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.17 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface Content-Engine3/0
 no ip address
 ip access-group CSM_FW_ACL_Content-Engine3/0 in
 ip verify unicast source reachable-via rx
 shutdown
!
interface Group-Async0
 physical-layer async
 no ip address
 ip access-group CSM_FW_ACL_Content-Engine3/0 in
 ip verify unicast source reachable-via rx
 ip virtual-reassembly
 encapsulation slip
 no group-range
!
router ospf 5
 router-id 10.10.46.1
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet0/0.102
 no passive-interface GigabitEthernet0/1.101
 no passive-interface Serial0/0/0:0.1
 network 10.10.32.0 0.0.15.255 area 2
!
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
!
ip access-list extended CSM_FW_ACL_Content-Engine3/0
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.1000
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
 permit tcp any host 192.168.42.134 eq 69 log
 permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
 remark ---- Ciscoworks so Managed Devices ----
 permit tcp host 192.168.42.134 any eq 22 telnet www 443 log
 permit udp host 192.168.42.134 any eq snmp snmptrap syslog log
 remark ---- System messages to MARS ----
 permit tcp any host 192.168.42.121 eq 2055 log
 permit udp any host 192.168.42.121 eq snmp syslog log
 remark ---- Allow network devices to use the ACS server ----
 permit tcp any host 192.168.42.131 eq tacacs log
 permit udp any host 192.168.42.131 eq 1812 log
 remark ---- ping to Datacenter ----
 permit icmp any 192.168.42.0 0.0.0.255 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.47.0 0.0.0.255 10.10.47.0 0.0.0.255 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.102
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- Trusted ports for passing traffic in failure scenarios ----
 permit ip any any log
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark Drop anything not explicitly allowed
 deny   ip any any log
 remark ---- permit ntp ----
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.11
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.32.0 0.0.0.255 10.10.32.0 0.0.0.255 log
 remark ---- Clients to ActiveDirectory Server ----
 permit icmp any host 192.168.42.130 log
 permit tcp any host 192.168.42.130 range 1024 65535 log
 permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
 permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
 remark ---- POS Devices talking to Wincor ----
 permit icmp any host 192.168.52.98 log
 permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
 permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
 remark ---- POS to MSRMS Server ----
 permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
 permit udp any host 192.168.52.99 eq 1433 1434 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.12
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.33.0 0.0.0.255 10.10.33.0 0.0.0.255 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.13
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.34.0 0.0.0.255 10.10.34.0 0.0.0.255 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.14
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.35.0 0.0.0.255 10.10.35.0 0.0.0.255 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.15
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- E-mail ----
 permit tcp any host 192.168.42.140 eq smtp www 443 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.36.0 0.0.0.255 10.10.36.0 0.0.0.255 log
 remark ---- Clients to ActiveDirectory Server ----
 permit icmp any host 192.168.42.130 log
 permit tcp any host 192.168.42.130 range 1024 65535 log
 permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
 permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
 remark ---- POS Devices talking to Wincor ----
 permit icmp any host 192.168.52.98 log
 permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
 permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
 remark ---- POS to MSRMS Server ----
 permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
 permit udp any host 192.168.52.99 eq 1433 1434 log
 remark ---- Clients to CSA Manager ----
 permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
 remark ---- Required for devices to perform windows updates ----
 permit tcp any host 192.168.42.150 eq www 443 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.16
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.37.0 0.0.0.255 10.10.37.0 0.0.0.255 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.17
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.38.0 0.0.0.255 10.10.38.0 0.0.0.255 log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.18
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
 permit tcp any host 192.168.42.134 eq 69 log
 permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
 remark ---- System messages to MARS ----
 permit tcp any host 192.168.42.121 eq 2055 log
 permit udp any host 192.168.42.121 eq snmp syslog log
 remark ---- Authenticate Wireless users ----
 permit udp host 10.10.46.34 host 192.168.42.131 eq 1812 log
 permit udp host 10.10.46.35 host 192.168.42.131 eq 1812 log
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.39.0 0.0.0.255 10.10.39.0 0.0.0.255 log
 remark ----  Allow Wireless APs to talk to Controllers -----
 permit icmp 10.10.39.0 0.0.0.255 10.10.46.32 0.0.0.7 log
 permit udp 10.10.39.0 0.0.0.255 10.10.46.32 0.0.0.7 eq 12222 12223 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_Serial0/0/0:0.1
 remark ---- All ACLs for DC to Remote will be handled at the Data Center *before* it gets put into the WAN
 permit ip any any log
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_wlan-controller1/0
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 remark ---- permit ntp ----
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark ---- HSRP health information ----
 permit udp any host 224.0.0.2 eq 1985 log
 remark ---- Ping Gateway ----
 permit icmp 10.10.46.32 0.0.0.7 10.10.46.32 0.0.0.7 log
 remark ---- Allow controllers to talk to AP's ----
 permit icmp 10.10.46.32 0.0.0.7 10.10.39.0 0.0.0.255 log
 permit udp 10.10.46.32 0.0.0.7 eq 12222 12223 10.10.39.0 0.0.0.255 log
 remark ---- Controllers to WCS Server ----
 permit icmp host 10.10.46.34 host 192.168.42.135 log
 permit tcp host 10.10.46.34 host 192.168.42.135 eq 69 log
 permit udp host 10.10.46.34 host 192.168.42.135 eq tftp snmp snmptrap log
 permit icmp host 10.10.46.35 host 192.168.42.135 log
 permit tcp host 10.10.46.35 host 192.168.42.135 eq 69 log
 permit udp host 10.10.46.35 host 192.168.42.135 eq tftp snmp snmptrap log
 remark ---- Allow DHCP to work ----
 permit udp any host 255.255.255.255 eq bootps log
 permit udp any host 192.168.42.130 eq bootps log
 remark Drop anything not explicitly allowed
 deny   ip any any log
!
logging source-interface Loopback0
logging 192.168.42.134
logging 192.168.42.121
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.42.0 0.0.0.255
access-list 88 permit 192.168.42.0 0.0.0.255
access-list 88 deny   any log
snmp-server group causer v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F 
snmp-server group casuser v3 auth access 88
snmp-server community <removed> RO 88
snmp-server community <removed> RW 88
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server host 192.168.42.134 version 3 priv <removed> 
snmp-server host 192.168.42.134 <removed> 
!
!
!
!
!
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
control-plane
!
!
!
!
!
!
!
!
!
!
banner exec ^C
WARNING:
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.        

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:  
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.        

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
 session-timeout 15  output
 exec-timeout 15 0
 privilege level 15
 login authentication RLOCAL
 stopbits 1
line aux 0
 session-timeout 15  output
 stopbits 1
line 66
 session-timeout 15  output
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line 194
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 session-timeout 15  output
 access-class 23 in
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport input ssh
line vty 5 15
 session-timeout 15  output
 access-class 23 in
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179777
ntp source Loopback0
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
!
End
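
In the RMED-1 listing above, `CSM_FW_ACL_GigabitEthernet0/0.102` and `CSM_FW_ACL_Serial0/0/0:0.1` place `permit ip any any log` ahead of other entries, so IOS first-match evaluation never reaches the entries after it, including the closing `deny ip any any log`. The Python audit below is an added example, not part of the Cisco guide, that flags such shadowed entries in a saved running-config. It assumes IPv4 extended ACLs, treats a port qualifier as covering only an identical qualifier, and does not model ICMP type keywords or `established`.

```python
import ipaddress
from collections import namedtuple

# ACLs excerpted from the RMED-1 running-config above (some entries and remarks omitted).
SAMPLE_CONFIG = """\
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.102
 permit udp any host 192.168.62.161 eq ntp
 remark ---- Trusted ports for passing traffic in failure scenarios ----
 permit ip any any log
 permit udp any host 192.168.62.162 eq ntp
 permit udp any host 192.168.42.130 eq ntp
 remark Drop anything not explicitly allowed
 deny   ip any any log
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.13
 permit udp any host 192.168.62.161 eq ntp
 permit udp any host 224.0.0.2 eq 1985 log
 permit icmp 10.10.34.0 0.0.0.255 10.10.34.0 0.0.0.255 log
 deny   ip any any log
ip access-list extended CSM_FW_ACL_Serial0/0/0:0.1
 permit ip any any log
 permit icmp host 192.168.42.133 host 10.10.46.1 log
 permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
 deny   ip any any log
"""

Ace = namedtuple("Ace", "line_no text action proto src sport dst dport")
ANY = (0, 0xFFFFFFFF)                      # (base address, wildcard mask)
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def _take_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (base & ~wild & 0xFFFFFFFF, wild), i + 2


def _take_ports(tok, i):
    """Parse an optional port qualifier such as 'eq 22 443'; return (tuple or None, next index)."""
    if i >= len(tok) or tok[i] not in PORT_OPS:
        return None, i
    j = i + 1
    while j < len(tok) and tok[j] not in ("any", "host", "log") and tok[j].count(".") != 3:
        j += 1
    return tuple(tok[i:j]), j


def parse_acls(config):
    """Return {acl_name: [Ace, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for line_no, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tok[3], [])
        elif not raw.startswith(" "):
            current = None                 # any other top-level command ends the block
        elif current is not None and tok and tok[0] in ("permit", "deny"):
            src, i = _take_addr(tok, 2)
            sport, i = _take_ports(tok, i)
            dst, i = _take_addr(tok, i)
            dport, i = _take_ports(tok, i)
            current.append(Ace(line_no, raw.strip(), tok[0], tok[1], src, sport, dst, dport))
    return acls


def _addr_covers(a, b):
    """True when wildcard spec a matches every address that spec b matches."""
    return (a[1] | b[1]) == a[1] and ((a[0] ^ b[0]) & ~a[1] & 0xFFFFFFFF) == 0


def covers(earlier, later):
    """Conservative cover test: a port qualifier only covers an identical qualifier."""
    return (earlier.proto in ("ip", later.proto)
            and _addr_covers(earlier.src, later.src)
            and _addr_covers(earlier.dst, later.dst)
            and earlier.sport in (None, later.sport)
            and earlier.dport in (None, later.dport))


def find_shadowed(acls):
    """Return (acl, shadowed Ace, covering Ace, kind) for entries that can never match."""
    findings = []
    for name, aces in acls.items():
        for idx, later in enumerate(aces):
            for earlier in aces[:idx]:
                if covers(earlier, later):
                    kind = "redundant" if earlier.action == later.action else "conflict"
                    findings.append((name, later, earlier, kind))
                    break
    return findings


if __name__ == "__main__":
    for name, later, earlier, kind in find_shadowed(parse_acls(SAMPLE_CONFIG)):
        print(f"{name}: line {later.line_no} shadowed ({kind}) by line {earlier.line_no}: {later.text}")
```

A `conflict` finding marks an entry whose action differs from the entry that covers it, which is the case to review first: here it is the final `deny ip any any log` in both flagged ACLs.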

Medium Store Router #2

------------------ show version ------------------

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

RMED-2 uptime is 4 weeks, 1 day, 3 hours, 30 minutes
System returned to ROM by reload at 10:06:01 PST Thu Nov 16 2006
System restarted at 10:14:14 PST Thu Nov 16 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 484352K/39936K bytes of memory.
Processor board ID FTX1027A08S
2 Gigabit Ethernet interfaces
2 Serial interfaces
1 ATM interface
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration : 23490 bytes
!
! Last configuration change at 16:06:27 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:34:32 PST Wed Dec 13 2006 by csm-user
!
version 12.4
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
!
hostname RMED-2
!
boot-start-marker
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
boot-end-marker
!
logging buffered 8000000 informational
no logging rate-limit
no logging console
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated 
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PSTDST recurring
no network-clock-participate wic 0 
!
!
ip cef
!
!
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/13/sdf-complete.xml
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2566505789
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2566505789
 revocation-check none
 rsakeypair TP-self-signed-2566505789
!
crypto pki trustpoint IDSMDC_CSMANAGER
 enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2566505789
 certificate self-signed 01
  quit
crypto pki certificate chain IDSMDC_CSMANAGER
 certificate ca 00CE88ED0F069AE8F5
  quit
username cisco privilege 15 secret 5 <removed>
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
! 
!
!
!
!
!
interface Tunnel1
 no ip address
 ip access-group CSM_FW_ACL_ATM0/1/0 in
!
interface Loopback0
 ip address 10.10.46.2 255.255.255.255
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.102
 description ROUTER LINK TO RMED1 VIA SMED1
 encapsulation dot1Q 102
 ip address 10.10.46.30 255.255.255.252
 ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
 ip verify unicast source reachable-via rx
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 no ip address
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.11
 description POS
 encapsulation dot1Q 11
 ip address 10.10.32.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.11 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 11 ip 10.10.32.1
 standby 11 priority 95
 standby 11 preempt
!
interface GigabitEthernet0/1.12
 description DATA
 encapsulation dot1Q 12
 ip address 10.10.33.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.12 in
 ip verify unicast source reachable-via rx
 ip helper-address 192.168.42.130
 ip inspect CSM_INSPECT_1 in
 ip virtual-reassembly
 standby 12 ip 10.10.33.1
 standby 12 priority 95
 standby 12 preempt
!
interface GigabitEthernet0/1.13
 description VOICE
 encapsulation dot1Q 13
 ip address 10.10.34.3 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1.13 in
 ip verify unicast source reachable-via rx