admin/scsd-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

lucy/lucy-mdf-a8360-sw1.cfg Mon Feb 24 10:07:12 AM EST 2025

Browse Source
This commit is contained in:
John Poland 2025-02-24 10:07:12 -05:00
parent 915aa995a3
commit 234b61a2a7
1 changed files with 421 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

421
configs/lucy/lucy-mdf-a8360-sw1.cfg Normal file
View File

@ -0,0 +1,421 @@
Current configuration:
!
!Version ArubaOS-CX LL.10.13.1010
!export-password: default
hostname lucy-mdf-a8360-sw1
banner motd #
!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! You are accessing a PRIVATE COMPUTING FACILITY. !
! Access to this system is restricted to AUTHORIZED PERSONNEL. !
! !
! Anyone who accesses this system without authorization, or in !
! excess of their authorization could be subject to a fine, !
! imprisonment, or both under Public and Federal Law. By entering !
! this system, you consent to having your accesses and activities !
! monitored and recorded. If this monitoring or record reveals !
! suspected unauthorized or criminal activity, the evidence will !
! be provided to supervisory personnel and law enforcement officials. !
! !
! IF YOU ARE NOT AUTHORIZED TO BE HERE DISCONNECT NOW! !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#
user admin group administrators password ciphertext AQBapQKgXSSrR7hkCaDnxYfSx/rYJ03Zsf40bTsfDKFdcAIwYgAAAE6TxKsRqi5Ln00HaTU74/tsayaGyIheX/lHEEQkS5bLsH8kpFHdQhLFVb32EfOZu/hHfQKcObFYKp0oQ/a2vRPrwKO2PdU7K4ytmCsNs9bgXR6PgrxuBdaV8E1+bC+YUAeN
clock timezone america/new_york
profile aggregation-leaf
ntp server 10.1.1.2 iburst
ntp server 10.1.1.3 iburst
ntp enable
!
!
!
!
tacacs-server host 10.1.40.115 key ciphertext AQBapUUcaZX1f2C4R7O73L40vLMCrh/CpQ683McH4KGusVMYCQAAAMzimtPtS7ao7g==
tacacs-server host 10.1.40.116 key ciphertext AQBapXSpC/kQgzl1/1Anutdl6p0Dd3oO5fdy4cfIKW71NcepCQAAAChnaH2D8so4yA==
tacacs-server host 10.1.40.117 key ciphertext AQBapaFcVtmZyqjsZBqnKh3vqPU3sAftYZTs+KCjJySEj/V6CQAAAOvBtRg+9lKIzw==
!
radius-server host 10.1.40.115 key ciphertext AQBapaFtw5YVhzDjUBxGH4cj14O4z4NbNWvxjMClXKPDeOKUCQAAAM+eY6kK+4uMEQ==
radius-server host 10.1.40.116 key ciphertext AQBapfw0esLNd4BuXjKdcC9n4hhFUzzKbLZErMbGGk7+iKJ1CQAAAPjBIJiv5pPDrg==
radius-server host 10.1.40.117 key ciphertext AQBapRMFeVJMflM3GirR00Cakyi9/p6zcVFpQJkHcQEGfQRfCQAAANugXHZqyXuwkw==
aaa authentication allow-fail-through
!
!
aaa authentication login default group tacacs local
aaa accounting all-mgmt console start-stop group tacacs
aaa accounting all-mgmt default start-stop group radius
aaa accounting all-mgmt https-server start-stop group radius
aaa accounting all-mgmt ssh start-stop group tacacs
!
logging 10.1.40.78
ssh server vrf default
ssh server vrf mgmt
object-group ip address clearpass_servers
10 10.1.40.115
20 10.1.40.116
30 10.1.40.117
object-group ip address dom_cont
10 10.1.40.10
20 10.1.40.95
30 10.1.48.120
40 10.21.48.10
50 10.1.203.21
60 10.1.48.10
object-group ip address sccm_servers
10 10.1.48.53
20 10.1.48.189
object-group port clearpass_tcp_ports
10 eq dce-rpc
20 eq rdp
object-group port dc_tcp_ports
10 eq dce-rpc
20 eq ldap
30 eq 3268
40 eq dns
50 eq 88
70 eq microsoft-ds
80 range 49666 49679
object-group port dc_udp_ports
10 eq ntp
20 eq ldap
30 eq dns
40 eq isakmp
object-group port sccm_tcp_ports
10 eq 8530
20 eq 10123
object-group port sccm_udp_ports
10 eq dce-rpc
20 eq ldap
50 eq dns
60 eq 88
70 eq microsoft-ds
90 eq isakmp
140 gt 1022
access-list ip Image-acl
10 comment DC_UDP_PORTS_IN
10 permit udp dom_cont group dc_udp_ports any
15 comment DC_UDP_PORTS_OUT
15 permit udp any dom_cont group dc_udp_ports
20 comment DC_TCP PORTS_IN
20 permit tcp dom_cont group dc_tcp_ports any
25 comment DC_TCP_PORTS_OUT
25 permit tcp any dom_cont group dc_tcp_ports
30 comment SCCM_UDP_PORTS_IN
30 permit udp sccm_servers group sccm_udp_ports any
35 comment SCCM_UDP_PORTS_OUT
35 permit udp any sccm_servers group sccm_udp_ports
40 comment SCCM_TCP_PORTS_IN
40 permit tcp sccm_servers group sccm_tcp_ports any
45 comment SCCM_TCP_PORTS_OUT
45 permit tcp any sccm_servers group sccm_tcp_ports
50 comment UDP_137-138
50 permit udp any range 137 138 any
90 comment HTTP_IN
90 permit tcp any eq http any
95 comment HTTP_OUT
95 permit tcp any any eq http
100 comment HTTPS_IN
100 permit tcp any eq https any
105 comment HTTPS_OUT
105 permit tcp any any eq https
110 permit udp any eq dhcp-client any eq dhcp-server
120 permit udp any eq dhcp-server any eq dhcp-client
130 comment TFTP_IN
130 permit udp any any eq tftp
140 comment TFTP_OUT
140 permit udp any eq tftp any
150 comment PXE_BOOT
150 permit udp any eq 4011 any eq 4011
154 comment ClearPass_TCP_PORTS_IN
154 permit tcp clearpass_servers group clearpass_tcp_ports any
158 comment ClearPass_TCP_PORTS_OUT
158 permit tcp any clearpass_servers group clearpass_tcp_ports
160 deny any any any
access-list ip users-acl
10 deny any any 192.168.0.0/255.255.0.0
20 permit any any any
access-list log-timer 5
flow exporter ipfix-to-orion
destination 10.1.48.37 vrf default
template data timeout 60
transport udp 2055
flow record ipfix-record
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 version
match transport destination port
match transport source port
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
flow monitor ipfix-monitor
cache timeout active 60
exporter ipfix-to-orion
record ipfix-record
dhcpv4-snooping
dhcpv4-snooping option 82 untrusted-policy keep
vlan 1
vlan 10
name mgmt
vlan 20
name Data
dhcpv4-snooping
ip igmp snooping enable
vlan 30
name IoT
description IoT VLAN
dhcpv4-snooping
ip igmp snooping enable
vlan 35
name Wireless
description Wireless VLAN
dhcpv4-snooping
ip igmp snooping enable
vlan 50
name Voice
voice
description Voice VLAN
dhcpv4-snooping
ip igmp snooping enable
vlan 70
name Security
description Security VLAN
dhcpv4-snooping
ip igmp snooping enable
vlan 72
name AccessControl
description Access Control VLAN
dhcpv4-snooping
ip igmp snooping enable
vlan 168
name Default
description Default and Imaging VLAN
dhcpv4-snooping
ip igmp snooping enable
apply access-list ip Image-acl in
vlan 203
name CyberLab
description CyberLab VLAN
dhcpv4-snooping
ip igmp snooping enable
vlan 230
name HVAC
description HVAC VLAN
dhcpv4-snooping
ip igmp snooping enable
vlan 254
name transit
description Transit VLAN
dhcpv4-snooping
vlan 505
name CT-A
dhcpv4-snooping
vlan 515
name CT-B
dhcpv4-snooping
vlan 525
name SH-A
dhcpv4-snooping
vlan 535
name SH-B
dhcpv4-snooping
vlan 699
name NativeVLAN
spanning-tree mode rpvst
spanning-tree
spanning-tree priority 2
spanning-tree trap topology-change instance 0
spanning-tree ignore-pvid-inconsistency
spanning-tree vlan 10,20,30,35,50,70,72,168,203,230,254,505,515,525,535,699
interface mgmt
no shutdown
ip static 192.168.86.1/24
qos queue-profile switchports
map queue 0 local-priority 0
map queue 1 local-priority 1
map queue 2 local-priority 2
map queue 3 local-priority 3
map queue 4 local-priority 4
map queue 5 local-priority 6
map queue 6 local-priority 7
map queue 7 local-priority 5
qos schedule-profile voip
dwrr queue 0 weight 1
dwrr queue 1 weight 1
dwrr queue 2 weight 1
dwrr queue 3 weight 1
dwrr queue 4 weight 1
dwrr queue 5 weight 1
dwrr queue 6 weight 1
strict queue 7
apply qos queue-profile switchports schedule-profile voip
qos trust dscp
qos dscp-map 40 local-priority 6 color green name CS5
qos dscp-map 41 local-priority 6 color green name CS5
qos dscp-map 42 local-priority 6 color green name CS5
qos dscp-map 43 local-priority 6 color green name CS5
qos dscp-map 44 local-priority 6 color green name CS5
qos dscp-map 45 local-priority 6 color green name CS5
qos dscp-map 47 local-priority 6 color green name CS5
interface lag 5
description Uplink to lucy-mdf-a6300-sw1
no shutdown
no routing
vlan trunk native 699
vlan trunk allowed 10,20,30,35,50,70,72,168,203,230,254,505,515,525,535
lacp mode active
interface lag 256
description ISL link
no shutdown
no routing
vlan trunk native 699 tag
vlan trunk allowed all
lacp mode active
dhcpv4-snooping trust
interface 1/1/1
no shutdown
lag 5
interface 1/1/2
no shutdown
lag 5
interface 1/1/14
description Connected to NVR
no shutdown
no routing
vlan access 70
interface 1/1/15
description Connected to Voice Gateway
no shutdown
no routing
vlan access 50
interface 1/1/16
description Primary Link Connected to Ring_5
no shutdown
flow-control rxtx
!actual flow-control none
no routing
vlan trunk native 699
vlan trunk allowed 505,515,525,535
dhcpv4-snooping trust
ip flow monitor ipfix-monitor in
interface 1/1/17
description ISL LAG
no shutdown
lag 256
interface 1/1/18
description ISL LAG
no shutdown
lag 256
interface loopback 0
ip address 10.86.254.254/32
ip ospf 1 area 0.0.0.205
interface vlan 1
shutdown
interface vlan 10
description NetworkManagement
ip address 192.168.86.1/24
ip helper-address 10.1.40.115
ip helper-address 10.1.40.116
ip helper-address 10.1.40.117
ip ospf 1 area 0.0.0.205
interface vlan 20
ip address 10.86.1.1/21
ip helper-address 10.1.40.20
ip helper-address 10.1.40.115
ip helper-address 10.1.40.116
ip helper-address 10.1.40.117
ip helper-address 10.1.48.189
ip helper-address 10.21.48.20
ip ospf 1 area 0.0.0.205
ip igmp enable
ip pim-sparse enable
interface vlan 30
ip address 10.86.30.1/23
ip helper-address 10.1.40.20
ip helper-address 10.21.48.20
ip igmp enable
ip pim-sparse enable
interface vlan 35
ip address 10.86.35.1/24
ip helper-address 10.1.40.20
ip helper-address 10.21.48.20
ip igmp enable
ip pim-sparse enable
interface vlan 50
ip address 10.86.50.1/24
ip helper-address 10.1.40.20
ip helper-address 10.21.48.20
ip igmp enable
ip pim-sparse enable
interface vlan 70
ip address 10.86.70.1/23
ip helper-address 10.1.40.20
ip helper-address 10.21.48.20
ip igmp enable
ip pim-sparse enable
interface vlan 72
ip address 10.86.72.1/24
ip helper-address 10.1.40.20
ip helper-address 10.21.48.20
ip ospf 1 area 0.0.0.205
ip igmp enable
ip pim-sparse enable
interface vlan 168
ip address 10.86.168.1/22
ip helper-address 10.1.40.20
ip helper-address 10.1.40.115
ip helper-address 10.1.40.116
ip helper-address 10.1.40.117
ip helper-address 10.1.48.189
ip helper-address 10.21.48.20
ip igmp enable
ip pim-sparse enable
interface vlan 203
ip address 10.86.203.2/24
active-gateway ip mac 12:01:00:00:01:00
active-gateway ip 10.86.203.1
ip helper-address 10.1.40.20
ip helper-address 10.21.48.20
ip ospf 1 area 0.0.0.205
interface vlan 230
ip address 10.86.230.1/27
ip helper-address 10.1.40.20
ip helper-address 10.21.48.20
ip igmp enable
ip pim-sparse enable
interface vlan 505
description to ring 5
ip address 10.250.205.86/24
ip ospf 1 area 0.0.0.0
no ip ospf passive
ip pim-sparse enable
interface vlan 525
description to ring 5
ip address 10.254.225.86/24
ip ospf 1 area 0.0.0.0
ip pim-sparse enable
snmp-server vrf default
snmp-server system-description lucy-mdf-a8360-sw1
snmp-server system-location lucy
snmp-server system-contact Tim Marris
snmp-server community mickey03
ip dns domain-name scsd.ad
ip dns server-address 10.1.40.10
ip dns server-address 10.21.48.10
!
!
!
!
!
router ospf 1
router-id 10.86.254.254
passive-interface default
area 0.0.0.0
area 0.0.0.205 nssa
area 0.0.0.205 range 10.86.0.0/16 type inter-area
router pim
enable
rp-address 10.1.0.1
ip source-interface all interface loopback0
https-server vrf default
https-server vrf mgmt
configuration-lockout central managed