diff --git a/configs/hughes/hughes-4507-01.cfg b/configs/hughes/hughes-4507-01.cfg
index 190b3bf..e01b439 100644
--- a/configs/hughes/hughes-4507-01.cfg
+++ b/configs/hughes/hughes-4507-01.cfg
@@ -1,8 +1,8 @@
 Building configuration...
-Current configuration : 39870 bytes
+Current configuration : 40648 bytes
 !
-! Last configuration change at 09:24:35 EDT Thu Sep 25 2025 by mloper19.admin
+! Last configuration change at 12:44:55 EDT Tue Mar 10 2026 by estein66.admin
 ! NVRAM config last updated at 09:24:38 EDT Thu Sep 25 2025 by mloper19.admin
 !
 version 15.2
@@ -119,6 +119,8 @@ crypto pki trustpoint TP-self-signed-18273
 !
 !
 crypto pki certificate chain TP-self-signed-18273
+errdisable recovery cause security-violation
+errdisable recovery interval 30
 power redundancy-mode redundant
 archive
  log config
@@ -130,6 +132,20 @@ archive
  maximum 5
  write-memory
 file privilege 10
+object-group network day-enterprise-servers
+ description day-enterprise-servers
+ host 10.1.230.11
+ host 10.1.40.108
+!
+object-group network dns-servers
+ description Internal-DNS-Servers
+ host 10.1.40.10
+ host 10.1.48.11
+!
+object-group network ntp-servers
+ host 10.1.40.154
+ host 10.1.48.103
+!
 !
 spanning-tree mode rapid-pvst
 spanning-tree loopguard default
@@ -580,11 +596,13 @@ interface GigabitEthernet5/2
  spanning-tree portfast edge
 !
 interface GigabitEthernet5/3
- description hvac
+ description HVAC
  switchport access vlan 230
  switchport mode access
+ switchport port-security violation restrict
  switchport port-security mac-address sticky
- ip access-group hvac in
+ switchport port-security mac-address sticky 0050.0618.aa26
+ switchport port-security
 !
 interface GigabitEthernet5/4
  description *** To Voice and Data Endpoints ***
@@ -1226,6 +1244,7 @@ interface Vlan107
 !
 interface Vlan230
  ip address 10.28.230.1 255.255.255.224
+ ip access-group hvac in
 !
 interface Vlan506
  description to Ring #6 CCF Service #S200310
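Review bot: The changes captured here appear to be in the running configuration only. In the first hunk the `Last configuration change` line moves to 12:44:55 EDT Tue Mar 10 2026 by estein66.admin, while the unchanged `NVRAM config last updated` line still reads 09:24:38 EDT Thu Sep 25 2025. If that is still true on the switch, a reload would bring back the earlier `hvac` list and drop the port-security and errdisable settings added further down. Once the change is validated, save it (`copy running-config startup-config`) and recapture so the two timestamps agree.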
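Review bot: In the hunk at line 119, `errdisable recovery cause security-violation` probably does not cover what this commit intends. On Catalyst IOS that cause is the 802.1X security violation, while ports shut down by port-security are recovered with `errdisable recovery cause psecure-violation`. GigabitEthernet5/3 is also set to `violation restrict` later in this diff, which drops and counts offending frames without err-disabling the port, so neither cause would act on it. `errdisable recovery interval 30` is a global timer, so at 30 seconds any err-disabled port covered by an enabled cause comes back almost at once; confirm that is wanted rather than the 300-second default.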
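Review bot: In the hunk at line 130, `object-group network ntp-servers` is the only one of the three new groups without a `description`, and the description on `day-enterprise-servers` only repeats the group name. These groups decide what the `hvac` list permits, so each should say what its hosts are, for example `description Internal-NTP-Servers` on the NTP group. The description on `day-enterprise-servers` should name the service that 10.1.230.11 and 10.1.40.108 provide.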
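Review bot: In the GigabitEthernet5/3 hunk, removing `ip access-group hvac in` leaves the port with no filtering of its own. The list is now applied only on `interface Vlan230` (next hunk), and an ACL on the SVI sees routed traffic only, so frames between hosts inside VLAN 230 are no longer checked. Whether other access ports sit in VLAN 230 is not visible here; if they do, keep a port ACL on 5/3 or isolate the ports with private VLANs. Separately, `switchport port-security violation restrict` never shuts the port, so a violation is noticed only if the resulting syslog message or SNMP trap is collected and alerted on.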
@@ -1337,10 +1356,15 @@ ip access-list extended AutoQos-4.0-ACL-Transactional-Data
  permit tcp any any eq 1630
  permit udp any any eq 1630
 ip access-list extended hvac
- permit tcp host 10.28.230.11 host 10.1.230.11
- permit icmp host 10.28.230.11 host 10.1.230.11 log
- permit tcp host 10.28.230.11 host 10.1.40.108
- permit icmp host 10.28.230.11 host 10.1.40.108 log
+ permit ip 10.28.230.0 0.0.0.31 object-group day-enterprise-servers
+ permit udp 10.28.230.0 0.0.0.31 object-group dns-servers eq domain
+ permit udp 10.28.230.0 0.0.0.31 object-group ntp-servers eq ntp
+ permit icmp 10.28.230.0 0.0.0.31 host 10.28.230.1
+ permit icmp host 10.28.230.1 10.28.230.0 0.0.0.31
+ deny ip any 10.0.0.0 0.255.255.255
+ deny ip any 192.168.0.0 0.0.255.255
+ deny ip any 172.16.0.0 0.15.255.255
+ permit tcp 10.28.230.0 0.0.0.31 any eq 587 log-input
 ip access-list extended users
  deny ip any 192.168.0.0 0.0.255.255
  permit ip any any
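Review bot: The first new entry, `permit ip 10.28.230.0 0.0.0.31 object-group day-enterprise-servers`, is wider than the four lines it replaces. Every address in the /27 may now reach both servers on any protocol and port, where the old list allowed only TCP and ICMP from 10.28.230.11. If the HVAC devices need only particular services, name them; the page does not show which ports those are, so that needs confirming with the system owner. `permit icmp host 10.28.230.1 10.28.230.0 0.0.0.31` cannot match legitimate traffic on a list applied inbound on Vlan230, because 10.28.230.1 is the switch's own address there and only a spoofed packet would arrive with that source, so it can be removed. The three RFC 1918 denies and the implicit final deny carry no `log`, so blocked attempts from the HVAC segment leave no record; consider `log` on those denies and a closing `deny ip any any log`.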