Current configuration:
!
! Running configuration of psla-mdf-a8360-sw2, the VSX secondary (see `role secondary`
! in the vsx block). The capture was collapsed onto a few long lines; it is restored
! here one statement per line, with review notes added as `!` comment lines only.
!Version ArubaOS-CX LL.10.13.1010
!export-password: default
! NOTE(review): the export password is still the default, so the ciphertext values
! below (admin password, TACACS and RADIUS keys) appear to be protected only by the
! platform default key. Treat them as disclosed wherever this file has been shared:
! rotate them and set a site-specific export password before the next export.
hostname psla-mdf-a8360-sw2
banner motd !
!
user admin group administrators password ciphertext AQBapTPmGSHtfPJXn2CVuJZ2uUzcGagld6EnYJY5AEzN9rA0YgAAAM23XjxTNFrsRkomrucEPrYTFIoqdfEhPlQE7rDnU1V7jUkfiPDpK7GX5ZCAnaqewhlRQcuo+gfpZyZlWqvr7iUq8wje7vD1BOQO98q+8OBI+8nf/fpVPQ5czAWebMfAbjt4
clock timezone america/new_york
profile aggregation-leaf
! NOTE(review): no NTP authentication is configured in this file, and these servers
! differ from the ntp-servers object group defined further down - confirm which is current.
ntp server 10.1.1.2 iburst
ntp server 10.1.1.3 iburst
ntp enable
!
!
!
!
tacacs-server host 10.1.40.115 key ciphertext AQBapUUtCq/xWbK/f3it9PkAWvhYMSlMwkGld6VJOWXln9okCQAAAK4R/Zj6rq2IVA==
tacacs-server host 10.1.40.116 key ciphertext AQBapWNp5APdywm/VoPXvkDiU9umbMqsBIQpLIBkdMs1noPXCQAAAPD1u2lGo96dsw==
tacacs-server host 10.1.40.117 key ciphertext AQBapWFSl8mW8d/nZ/CqP3OzniNvD483T9aQH0kIOjxndLwGCQAAABR9OoKpBnN9zA==
!
radius-server host 10.1.40.115 key ciphertext AQBapdoLW52iGXtsYbUuI2zE3SyUfbsNnzU9unosFNXydMDjCQAAAAhA4VcBPV8FxQ==
radius-server host 10.1.40.116 key ciphertext AQBapS4W92PuGedlqf2eAAgpStk/QEAUJu6LmHuSZuHMl/BZCQAAALlo22Tc9RVSxw==
radius-server host 10.1.40.117 key ciphertext AQBapSoAqXmb27EIaq50AjLZoKQ/TP7rJ7f++FB/f/IDNeV9CQAAABbui+nLzObDKQ==
! NOTE(review): allow-fail-through lets a login rejected by one method continue to the
! next. With `group tacacs local` below, a TACACS reject is presumably followed by a
! try against the local `admin` account, so that password stays a live login path even
! while TACACS is reachable. Confirm this is intended; without fail-through, local is
! only a fallback for unreachable servers.
aaa authentication allow-fail-through
!
!
! Login is TACACS then local. Accounting is split: console and ssh go to TACACS,
! default and https-server go to RADIUS.
aaa authentication login default group tacacs local
aaa accounting all-mgmt console start-stop group tacacs
aaa accounting all-mgmt default start-stop group radius
aaa accounting all-mgmt https-server start-stop group radius
aaa accounting all-mgmt ssh start-stop group tacacs
!
logging 10.1.40.78
! NOTE(review): SSH listens on the default (data) VRF as well as mgmt, and no
! control-plane access-list is applied anywhere in this file. Consider restricting
! management access on the default VRF to the netadmin_hosts group defined below.
ssh server vrf default
ssh server vrf mgmt
object-group ip address clearpass_servers
    10 10.1.40.115
    20 10.1.40.116
    30 10.1.40.117
object-group ip address day-enterprise-servers
    10 10.1.230.11
    20 10.1.40.108
object-group ip address dns-servers
    10 10.1.40.10
    20 10.1.48.11
object-group ip address dom_cont
    10 10.1.40.10
    20 10.1.40.95
    30 10.1.48.120
    40 10.21.48.10
    50 10.1.203.21
    60 10.1.48.10
object-group ip address netadmin_hosts
    10 10.1.6.0/255.255.255.0
object-group ip address ntp-servers
    10 10.1.40.154
    20 10.1.48.103
object-group ip address rfc_1918
    10 10.0.0.0/255.0.0.0
    20 192.168.0.0/255.255.0.0
    30 172.16.0.0/255.240.0.0
object-group ip address sbhc_external
    10 10.107.49.0/255.255.255.0
    20 10.107.50.0/255.255.255.0
    30 10.107.100.0/255.255.255.0
    40 209.217.202.160/255.255.255.240
object-group ip address sbhc_internal
    10 10.3.107.0/255.255.255.0
object-group ip address sccm_servers
    10 10.1.48.53
    20 10.1.48.189
object-group port clearpass_tcp_ports
    10 eq dce-rpc
    20 eq rdp
object-group port dc_tcp_ports
    10 eq dce-rpc
    20 eq ldap
    30 eq 3268
    40 eq dns
    50 eq 88
    70 eq microsoft-ds
    80 range 49666 49679
object-group port dc_udp_ports
    10 eq ntp
    20 eq ldap
    30 eq dns
    40 eq isakmp
object-group port sccm_tcp_ports
    10 eq 8530
    20 eq 10123
object-group port sccm_udp_ports
    10 eq dce-rpc
    20 eq ldap
    50 eq dns
    60 eq 88
    70 eq microsoft-ds
    90 eq isakmp
    140 gt 1022
object-group port tcp_ports
    10 eq dns
    20 eq http
    30 eq https
    40 eq 5061
object-group port udp_ports
    10 eq dns
    20 eq ntp
    30 eq 5091
    40 eq 5061
! Image-acl is applied inbound on VLAN 168 (Default and Imaging) and nowhere else in
! this file.
! NOTE(review): the "_IN" entries are written as stateless return-traffic rules.
! Entries 90, 100 and 140 match on source port only with `any` addresses, so on an
! inbound VLAN ACL they permit any TCP/UDP traffic from the VLAN that uses source
! port http/https/tftp, whatever the destination. Entry 50 similarly permits UDP
! source ports 137-138 to any destination. Entries 10, 20, 30, 40 and 154 name server
! groups as the source, which traffic entering from VLAN 168 would presumably never
! match. Consider removing the source-port permits or moving return-traffic rules to
! an outbound ACL.
access-list ip Image-acl
    10 comment DC_UDP_PORTS_IN
    10 permit udp dom_cont group dc_udp_ports any
    15 comment DC_UDP_PORTS_OUT
    15 permit udp any dom_cont group dc_udp_ports
    20 comment DC_TCP PORTS_IN
    20 permit tcp dom_cont group dc_tcp_ports any
    25 comment DC_TCP_PORTS_OUT
    25 permit tcp any dom_cont group dc_tcp_ports
    30 comment SCCM_UDP_PORTS_IN
    30 permit udp sccm_servers group sccm_udp_ports any
    35 comment SCCM_UDP_PORTS_OUT
    35 permit udp any sccm_servers group sccm_udp_ports
    40 comment SCCM_TCP_PORTS_IN
    40 permit tcp sccm_servers group sccm_tcp_ports any
    45 comment SCCM_TCP_PORTS_OUT
    45 permit tcp any sccm_servers group sccm_tcp_ports
    50 comment UDP_137-138
    50 permit udp any range 137 138 any
    90 comment HTTP_IN
    90 permit tcp any eq http any
    95 comment HTTP_OUT
    95 permit tcp any any eq http
    100 comment HTTPS_IN
    100 permit tcp any eq https any
    105 comment HTTPS_OUT
    105 permit tcp any any eq https
    110 permit udp any eq dhcp-client any eq dhcp-server
    120 permit udp any eq dhcp-server any eq dhcp-client
    130 comment TFTP_IN
    130 permit udp any any eq tftp
    140 comment TFTP_OUT
    140 permit udp any eq tftp any
    150 comment PXE_BOOT
    150 permit udp any eq 4011 any eq 4011
    154 comment ClearPass_TCP_PORTS_IN
    154 permit tcp clearpass_servers group clearpass_tcp_ports any
    158 comment ClearPass_TCP_PORTS_OUT
    158 permit tcp any clearpass_servers group clearpass_tcp_ports
    160 deny any any any
! NOTE(review): hvac-acl is defined but no `apply access-list ip hvac-acl` appears in
! this file. VLAN 230 (HVAC) has no ACL applied, so these rules are not enforced by
! this configuration as shown. Verify whether it is applied elsewhere or was missed.
! Entries 40 and 50 use a /30 mask (255.255.255.252) against the VLAN's /27 - confirm.
access-list ip hvac-acl
    10 permit any 10.3.230.0/255.255.255.224 day-enterprise-servers
    20 permit udp 10.3.230.0/255.255.255.224 dns-servers eq dns
    30 permit udp 10.3.230.0/255.255.255.224 ntp-servers eq ntp
    40 permit icmp 10.3.230.0/255.255.255.252 10.3.230.0/255.255.255.224
    50 permit icmp 10.3.230.0/255.255.255.224 10.3.230.0/255.255.255.252
    60 deny any any 10.0.0.0/255.0.0.0
    70 deny any any 192.168.0.0/255.255.0.0
    80 deny any any 172.16.0.0/255.240.0.0
    90 permit tcp 10.3.230.0/255.255.255.224 any eq 587 log count
! sbhc-acl is applied inbound on VLAN 107. Entry order matters: 10 and 20 permit the
! partner subnets and ICMP to netadmin hosts before 30 denies (and logs) any other
! RFC 1918 destination; 40 and 50 then allow the listed ports to non-RFC 1918 addresses.
access-list ip sbhc-acl
    10 comment SBHC_Out
    10 permit any sbhc_internal sbhc_external
    20 comment NETADMIN_Ping
    20 permit icmp sbhc_internal netadmin_hosts
    30 comment block access to SCSD Network
    30 deny any sbhc_internal rfc_1918 log count
    40 comment TCP_OUT
    40 permit tcp any any group tcp_ports
    50 comment UDP_OUT
    50 permit udp any any group udp_ports
    80 deny any any any
! NOTE(review): users-acl (blocks 192.168.0.0/16, which includes the 192.168.3.0/24
! management subnet) is defined but not applied to any VLAN or interface in this file.
access-list ip users-acl
    10 deny any any 192.168.0.0/255.255.0.0
    20 permit any any any
access-list log-timer 5
! IPFIX flow export to 10.1.48.37 over UDP 2055. The monitor is attached inbound on
! interface 1/1/16 only.
flow exporter ipfix-to-orion
    destination 10.1.48.37 vrf default
    template data timeout 60
    transport udp 2055
flow record ipfix-record
    match ipv4 destination address
    match ipv4 protocol
    match ipv4 source address
    match ipv4 version
    match transport destination port
    match transport source port
    collect counter bytes
    collect counter packets
    collect timestamp absolute first
    collect timestamp absolute last
flow monitor ipfix-monitor
    cache timeout active 60
    exporter ipfix-to-orion
    record ipfix-record
! DHCP snooping is enabled globally and per VLAN below. VLANs 1, 10 (mgmt) and 699
! (native) carry no per-VLAN dhcpv4-snooping statement.
dhcpv4-snooping
dhcpv4-snooping option 82 untrusted-policy keep
vlan 1
vlan 10
    name mgmt
vlan 20
    name Data
    dhcpv4-snooping
    ip igmp snooping enable
vlan 30
    name IoT
    description IoT VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 35
    name Wireless
    description Wireless VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 40
    name Server40
    description Server 40 Vlan
    dhcpv4-snooping
    ip igmp snooping enable
vlan 50
    name Voice
    voice
    description Voice VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 70
    name Security
    description Security VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 72
    name AccessControl
    description Access Control VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 107
    name SCHC
    description SCHC VLAN
    dhcpv4-snooping
    ip igmp snooping enable
    apply access-list ip sbhc-acl in
vlan 168
    name Default
    description Default and Imaging VLAN
    dhcpv4-snooping
    ip igmp snooping enable
    apply access-list ip Image-acl in
vlan 203
    name CyberLab
    description CyberLab VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 230
    name HVAC
    description HVAC VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 254
    name transit
    description Transit VLAN
    dhcpv4-snooping
vlan 503
    name CT-A
    dhcpv4-snooping
vlan 513
    name ring3_ct-b
    dhcpv4-snooping
vlan 523
    name SH-A
    dhcpv4-snooping
vlan 533
    name ring3_sh-b
    dhcpv4-snooping
vlan 699
    name NativeVLAN
spanning-tree mode rpvst
spanning-tree
spanning-tree priority 2
spanning-tree trap topology-change instance 0
spanning-tree ignore-pvid-inconsistency
spanning-tree vlan 10,20,30,35,40,50,70,72,107,168,203,230,254,503,513,523,533,699
spanning-tree vlan 503 priority 15
spanning-tree vlan 513 priority 15
spanning-tree vlan 523 priority 15
spanning-tree vlan 533 priority 15
! NOTE(review): the mgmt port and interface vlan 10 are both configured as
! 192.168.3.3/24, while the VSX keepalive further down sources from 192.168.3.2 in
! vrf mgmt. Verify the addressing.
interface mgmt
    no shutdown
    ip static 192.168.3.3/24
qos queue-profile switchports
    map queue 0 local-priority 0
    map queue 1 local-priority 1
    map queue 2 local-priority 2
    map queue 3 local-priority 3
    map queue 4 local-priority 4
    map queue 5 local-priority 6
    map queue 6 local-priority 7
    map queue 7 local-priority 5
qos schedule-profile voip
    dwrr queue 0 weight 1
    dwrr queue 1 weight 1
    dwrr queue 2 weight 1
    dwrr queue 3 weight 1
    dwrr queue 4 weight 1
    dwrr queue 5 weight 1
    dwrr queue 6 weight 1
    strict queue 7
apply qos queue-profile switchports schedule-profile voip
qos trust dscp
qos dscp-map 40 local-priority 6 color green name CS5
qos dscp-map 41 local-priority 6 color green name CS5
qos dscp-map 42 local-priority 6 color green name CS5
qos dscp-map 43 local-priority 6 color green name CS5
qos dscp-map 44 local-priority 6 color green name CS5
qos dscp-map 45 local-priority 6 color green name CS5
qos dscp-map 47 local-priority 6 color green name CS5
! Multi-chassis (VSX) LAG uplinks. All use native VLAN 699 and an explicit allowed
! list, which includes the management VLAN 10.
interface lag 5 multi-chassis
    description Uplink to psla-mdf-a6300-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
interface lag 6 multi-chassis
    description Uplink to psla-mdf-a6300-sw2
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
interface lag 11 multi-chassis
    description Uplink to psla-idf1-a6300-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
interface lag 21 multi-chassis
    description Uplink to psla-idf2-a6300-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
interface lag 31 multi-chassis
    description Uplink to psla-idf3-a6300-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
interface lag 41 multi-chassis
    description Uplink to psla-idf4-a6300-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
! NOTE(review): the CyberLab uplink carries the management VLAN 10 alongside lab
! VLAN 203, and VLAN 203 has no ACL applied in this file. Confirm that the lab
! switch's management belongs on the production management VLAN.
interface lag 42 multi-chassis
    description Uplink to psla-idf4-a6300-sw2 CyberLab
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,203
    lacp mode active
interface lag 51 multi-chassis
    description Uplink to psla-idf5-a6300-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
interface lag 61 multi-chassis
    description Uplink to psla-idf6-a6300-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20,30,35,50,70,72,107,168,203,230,254,503,513,523,533
    lacp mode active
! VSX inter-switch link: native VLAN is tagged, all VLANs are allowed, and the port
! is trusted for DHCP snooping.
interface lag 256
    description ISL link
    no shutdown
    no routing
    vlan trunk native 699 tag
    vlan trunk allowed all
    lacp mode active
    dhcpv4-snooping trust
interface 1/1/1
    no shutdown
    lag 5
interface 1/1/2
    no shutdown
    lag 11
interface 1/1/3
    no shutdown
    lag 21
interface 1/1/4
    no shutdown
    lag 31
interface 1/1/5
    no shutdown
    lag 41
interface 1/1/6
    no shutdown
    lag 42
interface 1/1/7
    no shutdown
    lag 51
interface 1/1/8
    no shutdown
    lag 61
interface 1/1/9
    no shutdown
    lag 6
! NOTE(review): unlike every other trunk here, this "temporary" link uses the
! management VLAN 10 as its native (untagged) VLAN and allows all VLANs. Untagged
! frames from the attached switch land in the management VLAN. Restrict the allowed
! list to what that switch needs, use native 699 like the other trunks, and shut the
! port when the temporary switch is retired.
interface 1/1/12
    description To Temp Cisco Switch
    no shutdown
    no routing
    vlan trunk native 10
    vlan trunk allowed all
interface 1/1/13
    description Connected to NVR
    no shutdown
    no routing
    vlan access 70
interface 1/1/14
    description Connected to NVR
    no shutdown
    no routing
    vlan access 70
interface 1/1/15
    description Connected to Voice Gateway
    no shutdown
    no routing
    vlan access 50
! Ring 3 link: carries only the ring VLANs, is trusted for DHCP snooping, and is the
! one interface with the IPFIX monitor attached.
interface 1/1/16
    description Primary Link Connected to Ring_3
    no shutdown
    flow-control rxtx
    !actual flow-control none
    no routing
    vlan trunk native 699
    vlan trunk allowed 503,513,523,533
    dhcpv4-snooping trust
    ip flow monitor ipfix-monitor in
interface 1/1/17
    description ISL LAG
    no shutdown
    lag 256
interface 1/1/18
    description ISL LAG
    no shutdown
    lag 256
interface loopback 0
    ip address 10.3.254.254/32
    ip ospf 1 area 0.0.0.203
interface vlan 1
    shutdown
interface vlan 10
    description NetworkManagement
    ip address 192.168.3.3/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 192.168.3.1
    ip ospf 1 area 0.0.0.203
interface vlan 20
    ip address 10.3.1.3/21
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.1.1
    ip helper-address 10.1.40.20
    ip helper-address 10.1.40.115
    ip helper-address 10.1.40.116
    ip helper-address 10.1.40.117
    ip helper-address 10.1.48.189
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 30
    ip address 10.3.30.3/23
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.30.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
    ip proxy-arp
interface vlan 35
    ip address 10.3.35.3/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.35.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
! VLAN 40 is the only user-facing SVI without an active-gateway, and it is absent
! from every uplink allowed list above.
interface vlan 40
    ip address 10.3.40.3/24
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 50
    ip address 10.3.50.3/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.50.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 70
    ip address 10.3.70.3/23
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.70.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 72
    ip address 10.3.72.3/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.72.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 107
    ip address 10.3.107.3/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.107.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
interface vlan 168
    ip address 10.3.168.3/22
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.168.1
    ip helper-address 10.1.40.20
    ip helper-address 10.1.40.115
    ip helper-address 10.1.40.116
    ip helper-address 10.1.40.117
    ip helper-address 10.1.48.189
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 203
    ip address 10.3.203.3/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.203.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
interface vlan 230
    ip address 10.3.230.3/27
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.3.230.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
! NOTE(review): VLANs 254, 513 and 533 are the only non-passive OSPF interfaces, and
! none carries an `ip ospf authentication` statement. Adjacencies on the transit and
! ring segments are unauthenticated as configured here; consider enabling OSPF
! authentication on all three.
interface vlan 254
    description transit-vlan
    ip address 10.254.3.2/24
    ip ospf 1 area 0.0.0.0
    no ip ospf passive
    ip ospf network point-to-point
    ip pim-sparse enable
interface vlan 513
    description ring3_ct-b
    ip address 10.254.213.3/24
    ip ospf 1 area 0.0.0.0
    no ip ospf passive
    ip ospf cost 4000
    ip pim-sparse enable
interface vlan 533
    description ring3_sh-b
    ip address 10.254.233.3/24
    ip ospf 1 area 0.0.0.0
    no ip ospf passive
    ip ospf cost 2000
    ip pim-sparse enable
! NOTE(review): the SNMP community string is stored in cleartext and is now disclosed
! wherever this file has been shared. SNMPv1/v2c also sends it in cleartext on the
! wire. The agent listens on the default VRF, and no SNMP access-list or SNMPv3 user
! is configured in this file. Replace the community, limit it to the monitoring
! hosts, and prefer SNMPv3 with authentication and privacy.
snmp-server vrf default
snmp-server system-description psla-mdf-a8360-sw2
snmp-server system-location psla
snmp-server system-contact Tim Marris
snmp-server community mickey03
vsx
    system-mac 02:01:00:00:01:03
    inter-switch-link lag 256
    role secondary
    keepalive peer 192.168.3.1 source 192.168.3.2 vrf mgmt
ip route 10.3.254.253/32 10.254.3.1
ip dns domain-name scsd.ad
ip dns server-address 10.1.40.10
ip dns server-address 10.21.48.10
!
!
!
!
!
! NOTE(review): router-id 10.3.254.253 is not this switch's loopback 0 address
! (10.3.254.254/32), and the static route above sends 10.3.254.253/32 to 10.254.3.1.
! This suggests the address belongs to another router (presumably the VSX primary).
! Duplicate OSPF router-ids cause adjacency and LSA problems - verify.
router ospf 1
    router-id 10.3.254.253
    passive-interface default
    area 0.0.0.0
    area 0.0.0.203 nssa
    area 0.0.0.203 range 10.3.0.0/16 type inter-area
router pim
    enable
    rp-address 10.1.0.1
ip source-interface all interface loopback0
! NOTE(review): the HTTPS server (web UI / REST) is enabled on the default VRF as well
! as mgmt, with no control-plane access-list in this file - the same exposure noted
! for SSH above.
https-server vrf default
https-server vrf mgmt
configuration-lockout central managed