897VAW-E-K9#term len 0
897VAW-E-K9#show run
Building configuration...

Current configuration : 13764 bytes
!
! Last configuration change at 15:57:30 BST Sat Oct 3 2020 by bensley
! NVRAM config last updated at 15:59:17 BST Sat Oct 3 2020 by bensley
!
version 15.9
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service internal
!
hostname 897VAW-E-K9
!
boot-start-marker
boot system flash c800-universalk9-mz.SPA.159-3.M1.bin
boot-end-marker
!
aqm-register-fnf
!
logging queue-limit trap 100000
logging buffered 1000000
logging rate-limit all 10000 except alerts
enable secret 9 xxxxxxxxx
!
aaa new-model
!
!
aaa authentication banner ^C Using AAA authentication ^C
aaa authentication fail-message ^C AAA auth failed ^C
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
aaa authorization commands 15 default local
aaa accounting commands 15 default action-type start-stop broadcast
!
aaa login display last-success
aaa login display last-failure
aaa login display number-failures
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
service-module wlan-ap 0 bootimage autonomous
!
call-home
 profile "CiscoTAC-1"
  destination address http https://192.168.58.1/dummyurl
no ip source-route
no ip gratuitous-arps
!
ip dhcp bootp ignore
!
ip dhcp pool LAN-IPV4
 network 192.168.58.0 255.255.255.224
 default-router 192.168.58.1
 domain-name home.tld
 dns-server 192.168.58.2
 lease 7
!
ip dhcp pool IOT-IPV4
 network 192.168.58.32 255.255.255.224
 default-router 192.168.58.33
 domain-name iot.tld
 dns-server 192.168.58.34
 lease 7
!
ip dhcp pool LAN-STATIC-V4-NAS
 host 192.168.58.3 255.255.255.224
 client-identifier 240a.6450.5a5f
!
ip dhcp pool IOT-STATIC-V4-SMART-TV
 host 192.168.58.35 255.255.255.224
 client-identifier 0c96.e6e7.f3cf
!
ip dhcp pool LAN-STATIC-V4-AP0-BVI1
 host 192.168.58.30 255.255.255.224
!
ip dhcp pool IOT-STATIC-V4-PiHole-Eth0
 host 192.168.58.34 255.255.255.224
 client-identifier ffeb.99dd.ea00.0100.0126.00d2.fbb8.27eb.99dd.ea
!
ip dhcp pool LAN-STATIC-V4-Pi4-WLAN0
 host 192.168.58.4 255.255.255.224
 client-identifier dca6.320d.33a3
!
ip dhcp pool LAN-STATIC-V4-PiHole-Eth0
 host 192.168.58.2 255.255.255.224
 client-identifier ffeb.99dd.ea00.0100.0126.00d4.d1b8.27eb.99dd.ea
!
no ip bootp server
no ip domain lookup
ip domain name home.tld
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip name-server 2606:4700:4700::1001
ip name-server 2606:4700:4700::1111
ip inspect WAAS flush-timeout 10
ip cef
login on-failure log
login on-success log
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool LAN-IPV6
 dns-server FD::1:BA27:EBFF:FE99:DDEA
 dns-server FD:0:0:1::2
 domain-name home.tld
!
ipv6 dhcp pool IOT-IPV6
 dns-server FD::2:BA27:EBFF:FE99:DDEA
 dns-server FD:0:0:2::2
 domain-name iot.tld
!
multilink bundle-name authenticated
!
license feature MEM-8XX-512U1GB
license udi pid C897VAW-E-K9 sn FCZ1751C04E
license accept end user agreement
license boot module c800 level advipservices
!
archive
 log config
  logging enable
  logging persistent auto
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
 path flash:backup-
 write-memory
file privilege 10
!
no spanning-tree vlan 1
no spanning-tree vlan 2
vtp mode transparent
username backup_script privilege 10 secret 9 xxxxxxxxx
username bensley privilege 15 secret 9 xxxxxxxxx
!
redundancy
 notification-timer 120000
!
controller VDSL 0
 training log filename flash:vdsl.log
 firmware filename flash:VA_A_39m_B_38h3_24h.bin
!
vlan 2
 name IoT
no cdp run
!
ip tcp selective-ack
ip tcp window-size 65535
ip tcp path-mtu-discovery
!
class-map match-any le-256b-packets
 match packet length min 1 max 256
class-map match-any 64b-packets
 match packet length max 64
!
policy-map prio-small-packets
 class le-256b-packets
  priority
  queue-limit 256 packets
 class class-default
  queue-limit 256 packets
!
interface Null0
 no ip unreachables
 no ipv6 unreachables
!
interface ATM0
 mac-address xxxxxxxxx ! Sky Hub modem PHY MAC
 no ip address
 no atm ilmi-keepalive
!
interface Ethernet0
 description WAN:VDSL
 mac-address xxxxxxxxx ! Sky Hub VDSL controller MAC
 bandwidth 8900
 bandwidth receive 39000
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 load-interval 30
 tx-ring-limit 64
 tx-queue-limit 64
 ntp disable
 no keepalive
 service-policy output prio-small-packets
!
interface Ethernet0.101
 description WAN:IPoE
 encapsulation dot1Q 101
 ip dhcp client request classless-static-route
 ip dhcp client client-id xxxxxxxxx ! Sky Hub model and firmware version
 ip dhcp client hostname xxxxxxxxx ! "Eth0MAC@skydsl|SDSI number"
 ip address dhcp
 ip access-group WAN-INBOUND-V4 in
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in max-reassemblies 32
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 nd ra suppress all
 ipv6 dhcp client pd SKY-IPV6-PREFIX rapid-commit
 ipv6 traffic-filter WAN-INBOUND-V6 in
 ntp disable
!
interface GigabitEthernet0
 switchport mode access
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet1
 switchport mode access
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet2
 switchport mode access
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet3
 switchport mode access
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet4
 switchport mode access
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet5
 switchport mode access
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet6
 switchport mode access
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet7
 description LAN:Pi-Hole:Eth0
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 switchport nonegotiate
 no ip address
 load-interval 30
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
!
interface Wlan-GigabitEthernet8
 description WLAN Trunk
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description WLAN Management
 ip unnumbered Vlan1
!
interface Vlan1
 description LAN:Home
 ip address 192.168.58.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in max-reassemblies 32
 ip verify unicast source reachable-via rx
 load-interval 30
 ipv6 address FD:0:0:1::1/64
 ipv6 address SKY-IPV6-PREFIX ::1:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 verify unicast source reachable-via rx
 ipv6 dhcp server LAN-IPV6 rapid-commit
 no ipv6 mld router
 ntp disable
!
interface Vlan2
 description LAN:IoT
 ip address 192.168.58.33 255.255.255.224
 ip access-group NO-LAN-ACCESS-V4 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in max-reassemblies 32
 ip verify unicast source reachable-via rx
 load-interval 30
 ipv6 address FD:0:0:2::1/64
 ipv6 address SKY-IPV6-PREFIX ::2:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 verify unicast source reachable-via rx
 ipv6 dhcp server IOT-IPV6 rapid-commit
 no ipv6 mld router
 ipv6 traffic-filter NO-LAN-ACCESS-V6 in
 ntp disable
!
no ip forward-protocol nd
no ip forward-protocol udp
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
no ip http secure-server
!
ip tftp blocksize 8192
ip nat translation timeout 3600
ip nat translation tcp-timeout 300
ip nat translation pptp-timeout 3600
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source list NAT-IPV4 interface Ethernet0.101 overload
ip nat inside source static tcp 192.168.58.3 22 interface Ethernet0.101 55555
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
ip ssh dh min size 4096
ip ssh dscp 56
ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
ip scp server enable
!
ip access-list extended NAT-IPV4
 permit ip 192.168.58.0 0.0.0.31 any
 permit ip 192.168.58.32 0.0.0.31 any
 deny ip any any log
ip access-list extended NO-LAN-ACCESS-V4
 remark Deny IoT to Home LAN
 deny ip any 192.168.58.0 0.0.0.31 log
 permit ip any any
ip access-list extended NTP-INBOUND-ALLOW-V4
 permit udp any eq ntp any log
 deny ip any any log
ip access-list extended NTP-INBOUND-DENY-V4
 deny ip any any log
ip access-list extended VTY-INBOUND-V4
 remark LAN
 permit tcp 192.168.58.0 0.0.0.255 any eq 22 telnet log
 remark 50 Sky UK
 permit tcp 90.192.0.0 0.31.255.255 any eq 22 log
 remark Vostron
 permit tcp 89.21.224.0 0.0.31.255 any eq 22 log
 deny ip any any log
ip access-list extended WAN-INBOUND-V4
 remark TCP:
 remark INBOUND VTY
 permit tcp 90.192.0.0 0.31.255.255 any eq 22 log
 permit tcp 89.21.224.0 0.0.31.255 any eq 22 log
 remark INBOUND NAS
 permit tcp 90.192.0.0 0.31.255.255 any eq 22222 log
 permit tcp 89.21.224.0 0.0.31.255 any eq 22222 log
 remark INBOUD ESTABLISHED
 permit tcp any any established
 deny tcp any any log
 remark ----------
 remark UDP:
 remark WAN DHCP
 permit udp any eq bootps host 255.255.255.255 eq bootpc log
 remark UDP RESPONSES
 permit udp any eq domain any log
 permit udp any eq ntp any log
 permit udp any eq 443 any log
 permit udp any eq isakmp any eq isakmp
 permit udp any eq non500-isakmp any eq non500-isakmp
 permit udp 155.133.224.0 0.0.31.255 any log
 permit udp host 89.21.235.194 eq 1194 any log
 deny udp any any log
 remark ----------
 remark ICMP:
 permit icmp any any log
 deny ip any any log
!
ipv6 ioam timestamp
!
ipv6 access-list NO-LAN-ACCESS-V6
 remark Deny IoT to Home LAN
 deny ipv6 any FD:0:0:1::/64 log
 permit icmp any host FD:0:0:2::1
 deny ipv6 any host FD:0:0:2::1 log
 permit ipv6 any any
!
ipv6 access-list NTP-INBOUND-ALLOW-V6
 permit udp any eq ntp any log
 sequence 1000 deny ipv6 any any log
!
ipv6 access-list NTP-INBOUND-DENY-V6
 sequence 1000 deny ipv6 any any log
!
ipv6 access-list Secure-VTY-v6
 permit ipv6 FD:0:0:1::/64 any log
 sequence 500 deny ipv6 any any log
!
ipv6 access-list VTY-INBOUND-V6
 remark LAN
 permit tcp FD:0:0:1::/64 any eq 22 log
 permit tcp FD:0:0:1::/64 any eq telnet log
 sequence 1000 deny ipv6 any any log
!
ipv6 access-list WAN-INBOUND-V6
 remark TCP:
 sequence 70 remark INBOUND SSH
 permit tcp XXXX::/32 any eq 55555 log
 permit tcp any any established
 sequence 150 deny tcp any any log
 sequence 200 remark ----------
 remark UDP:
 remark WAN DHCP SKY BNG
 permit udp FE80::/10 eq 547 FE80::/10 eq 546
 sequence 250 remark UDP RESPONSES
 permit udp any eq domain 2A02:C78::/29 log
 permit udp any eq ntp 2A02:C78::/29 log
 permit udp any eq 443 2A02:C78::/29 log
 sequence 400 deny udp any any log
 sequence 610 remark ICMP:
 sequence 700 permit icmp any any
 sequence 1000 deny ipv6 any any log
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
privilege exec all level 10 show running-config view full
privilege exec level 10 show running-config view
privilege exec level 10 show running-config
privilege exec level 10 show
banner login ^C Disconnect now - this is a private system! ^C
!
line con 0
 session-timeout 15
 exec-timeout 15 0
 logging synchronous
 no modem enable
line aux 0
 session-timeout 15
 exec-timeout 15 0
 logging synchronous
 transport input all
 transport output none
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 session-timeout 15
 access-class VTY-INBOUND-V4 in
 exec-timeout 15 0
 ipv6 access-class VTY-INBOUND-V6 in
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer NTP-INBOUND-ALLOW-V4
ntp access-group serve NTP-INBOUND-DENY-V4
ntp access-group serve-only NTP-INBOUND-DENY-V4
ntp access-group query-only NTP-INBOUND-DENY-V4
ntp access-group ipv6 peer NTP-INBOUND-ALLOW-V6
ntp access-group ipv6 serve NTP-INBOUND-DENY-V6
ntp access-group ipv6 serve-only NTP-INBOUND-DENY-V6
ntp access-group ipv6 query-only NTP-INBOUND-DENY-V6
ntp update-calendar
ntp server ipv6 2.uk.pool.ntp.org
ntp server ip 1.uk.pool.ntp.org
!
end