Current configuration:
! review: lines beginning "! review:" are reviewer annotations added to this copy of the
! running-config; they are not device output. Sub-mode indentation was restored by hand
! because the rendered page had flattened it.
!
!
!Version ArubaOS-CX LL.10.13.1161
! review: "export-password: default" means every "ciphertext" value below was encrypted
! under the default export key. Review assumption (confirm against the AOS-CX docs): that
! key gives no confidentiality against anyone who can import this file into another AOS-CX
! switch, so treat this file as holding live credentials (admin password, TACACS/RADIUS
! keys) and rotate them if the file has been shared.
!export-password: default
hostname bova-mdf-a8360-sw1
banner motd #
!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! You are accessing a PRIVATE COMPUTING FACILITY. !
! Access to this system is restricted to AUTHORIZED PERSONNEL. !
! !
! Anyone who accesses this system without authorization, or in !
! excess of their authorization could be subject to a fine, !
! imprisonment, or both under Public and Federal Law. By entering !
! this system, you consent to having your accesses and activities !
! monitored and recorded. If this monitoring or record reveals !
! suspected unauthorized or criminal activity, the evidence will !
! be provided to supervisory personnel and law enforcement officials. !
! !
! IF YOU ARE NOT AUTHORIZED TO BE HERE DISCONNECT NOW! !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#
! review: local administrator account. With "aaa authentication login default group
! tacacs local" below, this account is the fallback path when TACACS is not used, so its
! password strength and rotation matter as much as the TACACS accounts.
user admin group administrators password ciphertext AQBapQQV9uGWgL9Nv60IYbFo9zjMyjFEA0m9js1ozawiyICkYgAAAOy8W69MCyjD1Q9USU46ZJXqP9XbdbWX50nliTq/2C8KUK88TE5mHBg3yGQXTmrnhKrbEB3oKhCZdzC7sAK/QHYW2UMIQHk2pU4vUfV906Dy6ZCnHoOtcESmXFk82lbEReGt
clock timezone america/new_york
profile aggregation-leaf
! review: the switch's own NTP sources are 10.1.1.2/10.1.1.3, but the object-group
! "ntp-servers" used by hvac-acl lists 10.1.40.154/10.1.48.103 — two different NTP
! server sets; confirm both are intended.
ntp server 10.1.1.2 iburst
ntp server 10.1.1.3 iburst
ntp enable
!
!
!
!
! review: the same three hosts (10.1.40.115-117, also object-group clearpass_servers)
! serve as both TACACS and RADIUS servers, each with its own per-host key.
tacacs-server host 10.1.40.115 key ciphertext AQBapSuvkZ42oU63tX2A+AZ8lP8qC0+kYouNLefCIrqt8ZStCQAAAKHES1pt0Vp0Fg==
tacacs-server host 10.1.40.116 key ciphertext AQBapaEs5/SL2J162qOgL4A4eEyKzQEOM9k0LWQ4cJ6UjRDvCQAAAFrjjfLG6NF04Q==
tacacs-server host 10.1.40.117 key ciphertext AQBapVSELn/rkkpvMOd3vACVNbdnz7iC98pSzkCXdH9deBN5CQAAABvZ9joHN8VWWw==
!
radius-server host 10.1.40.115 key ciphertext AQBapbu7Z3RBzVrv1T93L4TizoItEOVefoB4LNz/ns1VCj9gCQAAAG8C9LBBMJgwdQ==
radius-server host 10.1.40.116 key ciphertext AQBapQSSLiUo+iyJmwXu0UThca1UcsVuuUXpy5ugH39hXTsNCQAAAGHPuE/0klTP6A==
radius-server host 10.1.40.117 key ciphertext AQBapcn6h8aHjLAUhpDlhARe02431IAWvzN18DvMp0LR1II8CQAAAPVybLcavSOz9w==
! review: allow-fail-through lets a login that one method REJECTS continue to the next
! method in the list (not only when the server is unreachable). Combined with
! "group tacacs local", a password refused by TACACS can still be tried against the local
! admin account — verify this is intended rather than unreachable-only fallback.
aaa authentication allow-fail-through
!
!
aaa authentication login default group tacacs local
! review: console and SSH accounting go to TACACS, while the default and https-server
! accounting streams go to RADIUS; make sure the RADIUS collector is the one expected to
! hold web-UI session records.
aaa accounting all-mgmt console start-stop group tacacs
aaa accounting all-mgmt default start-stop group radius
aaa accounting all-mgmt https-server start-stop group radius
aaa accounting all-mgmt ssh start-stop group tacacs
!
! review: 10.1.40.144 receives only alert-and-above; everything lower (login failures,
! the "log" hits from hvac-acl entry 90) can only be seen on 10.1.40.78, which is
! configured with no explicit severity — confirm its level covers detection use cases.
logging 10.1.40.78
logging 10.1.40.144 severity alert
! review: SSH (and https-server at the end of the file) is enabled on the default VRF as
! well as mgmt, and no control-plane access-list is applied anywhere in this file, so the
! management services are reachable from any routed data VLAN — confirm source
! restriction is enforced elsewhere.
ssh server vrf default
ssh server vrf mgmt
object-group ip address clearpass_servers
    10 10.1.40.115
    20 10.1.40.116
    30 10.1.40.117
object-group ip address day-enterprise-servers
    10 10.1.230.11
    20 10.1.40.108
! review: this group (10.1.40.10, 10.1.48.11) differs from the switch's own
! "ip dns server-address" entries (10.1.40.10, 10.21.48.10); hvac-acl 20 only permits
! DNS to the addresses listed here.
object-group ip address dns-servers
    10 10.1.40.10
    20 10.1.48.11
! review: entries 40 and 70 are both 10.21.48.10 (duplicate) — harmless, but remove one
! when this group is next edited.
object-group ip address dom_cont
    10 10.1.40.10
    20 10.1.40.95
    30 10.1.48.120
    40 10.21.48.10
    50 10.1.203.21
    60 10.1.48.10
    70 10.21.48.10
object-group ip address ntp-servers
    10 10.1.40.154
    20 10.1.48.103
object-group ip address sccm_servers
    10 10.1.48.53
    20 10.41.21.221
object-group port clearpass_tcp_ports
    10 eq dce-rpc
    20 eq rdp
object-group port dc_tcp_ports
    10 eq dce-rpc
    20 eq ldap
    30 eq 3268
    40 eq dns
    50 eq 88
    70 eq microsoft-ds
    80 range 49666 49679
object-group port dc_udp_ports
    10 eq ntp
    20 eq ldap
    30 eq dns
    40 eq isakmp
object-group port sccm_tcp_ports
    10 eq 8530
    20 eq 10123
! review: entry 140 "gt 1022" matches every UDP port above 1022, so Image-acl entries
! 95/105 effectively permit most UDP between sccm_servers and any host; the named ports
! above it are largely redundant with it.
object-group port sccm_udp_ports
    10 eq dce-rpc
    20 eq ldap
    50 eq dns
    60 eq 88
    70 eq microsoft-ds
    90 eq isakmp
    140 gt 1022
! review: none of the three access-lists in this file (Image-acl, hvac-acl, users-acl)
! has a matching "apply access-list" line anywhere in this file, so as written they are
! inert on this switch unless applied by something outside this file (e.g. a
! ClearPass-pushed role) — confirm where they are applied.
! review: Image-acl entries 145-180 permit HTTP/HTTPS between any source and any
! destination, and 135 permits UDP 137-138 from any source; the "DC_*"/"SCCM_*" scoping
! only applies to the other entries. Entry 80's comment text "DC_TCP PORTS_IN" has a
! space where the other comments use an underscore.
access-list ip Image-acl
    10 permit udp dom_cont group dc_udp_ports any
    15 comment DC_UDP_PORTS_IN
    20 permit udp any eq dhcp-client any eq dhcp-server
    25 permit udp any eq dhcp-server any eq dhcp-client
    30 comment DHCP_CLIENT_SERVER
    35 permit udp any any eq tftp
    40 comment TFTP_IN
    45 permit udp any eq tftp any
    50 comment TFTP_OUT
    55 permit udp any eq 4011 any eq 4011
    60 comment PXE_BOOT
    65 permit udp any dom_cont group dc_udp_ports
    70 comment DC_UDP_PORTS_OUT
    75 permit tcp dom_cont group dc_tcp_ports any
    80 comment DC_TCP PORTS_IN
    85 permit tcp any dom_cont group dc_tcp_ports
    90 comment DC_TCP_PORTS_OUT
    95 permit udp sccm_servers group sccm_udp_ports any
    100 comment SCCM_UDP_PORTS_IN
    105 permit udp any sccm_servers group sccm_udp_ports
    110 comment SCCM_UDP_PORTS_OUT
    115 permit tcp sccm_servers group sccm_tcp_ports any
    120 comment SCCM_TCP_PORTS_IN
    125 permit tcp any sccm_servers group sccm_tcp_ports
    130 comment SCCM_TCP_PORTS_OUT
    135 permit udp any range 137 138 any
    140 comment UDP_137-138
    145 permit tcp any eq http any
    150 comment HTTP_IN
    155 permit tcp any any eq http
    160 comment HTTP_OUT
    165 permit tcp any eq https any
    170 comment HTTPS_IN
    175 permit tcp any any eq https
    180 comment HTTPS_OUT
    185 permit tcp clearpass_servers group clearpass_tcp_ports any
    190 comment ClearPass_TCP_PORTS_IN
    195 permit tcp any clearpass_servers group clearpass_tcp_ports
    200 comment ClearPass_TCP_PORTS_OUT
    205 deny any any any
! review: entry 10 permits any IP protocol from 10.41.230.0/27 to day-enterprise-servers;
! 60-80 then deny all RFC1918 space before 90 permits TCP/587 to anywhere else with
! "log count". Only the /27 is matched as source, while interface vlan 230 is a /24 —
! hosts in the rest of 10.41.230.0/24 fall to the list's implicit deny if this is applied
! inbound on that VLAN (review assumption — confirm the intended source scope).
access-list ip hvac-acl
    10 permit any 10.41.230.0/255.255.255.224 day-enterprise-servers
    20 permit udp 10.41.230.0/255.255.255.224 dns-servers eq dns
    30 permit udp 10.41.230.0/255.255.255.224 ntp-servers eq ntp
    40 permit icmp 10.41.230.0/255.255.255.252 10.41.230.0/255.255.255.224
    50 permit icmp 10.41.230.0/255.255.255.224 10.41.230.0/255.255.255.252
    60 deny any any 10.0.0.0/255.0.0.0
    70 deny any any 192.168.0.0/255.255.0.0
    80 deny any any 172.16.0.0/255.240.0.0
    90 permit tcp 10.41.230.0/255.255.255.224 any eq 587 log count
! review: blocks only 192.168.0.0/16 (the range that holds interface mgmt and the
! in-band management SVI, 192.168.41.0/24) and permits everything else.
access-list ip users-acl
    10 deny any any 192.168.0.0/255.255.0.0
    20 permit any any any
access-list log-timer 5
flow exporter ipfix-to-orion
    destination 10.1.48.37 vrf default
    template data timeout 60
    transport udp 2055
flow record ipfix-record
    match ipv4 destination address
    match ipv4 protocol
    match ipv4 source address
    match ipv4 version
    match transport destination port
    match transport source port
    collect counter bytes
    collect counter packets
    collect timestamp absolute first
    collect timestamp absolute last
flow monitor ipfix-monitor
    cache timeout active 60
    exporter ipfix-to-orion
    record ipfix-record
dhcpv4-snooping
! review: "untrusted-policy keep" retains client-supplied Option 82 on untrusted ports
! instead of dropping or replacing it; any relay or DHCP server decision based on
! Option 82 upstream then rests on client-controlled data — confirm the helper servers
! (10.1.40.20, 10.21.48.20) do not make policy decisions on it.
dhcpv4-snooping option 82 untrusted-policy keep
vlan 1
vlan 10
    name mgmt
vlan 20
    name Data
    dhcpv4-snooping
    ip igmp snooping enable
vlan 21
    name Imaging
    dhcpv4-snooping
    ip igmp snooping enable
vlan 30
    name IoT
    description IoT VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 35
    name Wireless
    description Wireless VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 40
    name Server40
    description Server 40 VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 48
    name Server48
    description Server 48 VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 50
    name Voice
    voice
    description Voice VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 70
    name Security
    description Security VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 72
    name AccessControl
    description Access Control VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 168
    name Default
    description Default and Imaging VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 230
    name HVAC
    description HVAC VLAN
    dhcpv4-snooping
    ip igmp snooping enable
vlan 254
    name transit
    description Transit VLAN
    dhcpv4-snooping
vlan 503
    name ring3_ct-a
    dhcpv4-snooping
vlan 513
    name CT-B
    dhcpv4-snooping
vlan 523
    name ring3_sh-a
    dhcpv4-snooping
vlan 533
    name SH-B
    dhcpv4-snooping
vlan 699
    name NativeVLAN
! review: bridge priority 2 for the campus VLANs but 15 (the lowest preference) for the
! four ring VLANs 503/513/523/533, i.e. this switch is a preferred root for its own VLANs
! and de-prioritized on the ring. "ignore-pvid-inconsistency" suppresses PVID-mismatch
! detection on trunks — check that is intentional on the ring-facing link (1/1/16).
spanning-tree mode rpvst
spanning-tree
spanning-tree priority 2
spanning-tree trap topology-change instance 0
spanning-tree ignore-pvid-inconsistency
spanning-tree vlan 10,20,21,30,35,40,48,50,70,72,168,230,254,503,513,523,533,699
spanning-tree vlan 503 priority 15
spanning-tree vlan 513 priority 15
spanning-tree vlan 523 priority 15
spanning-tree vlan 533 priority 15
! review: 192.168.41.2/24 is also the address of interface vlan 10 in the default VRF
! (below), and the vsx keepalive uses source 192.168.41.1, which is not an address of
! interface mgmt on this device — see the note at "vsx".
interface mgmt
    no shutdown
    ip static 192.168.41.2/24
qos queue-profile switchports
    map queue 0 local-priority 0
    map queue 1 local-priority 1
    map queue 2 local-priority 2
    map queue 3 local-priority 3
    map queue 4 local-priority 4
    map queue 5 local-priority 6
    map queue 6 local-priority 7
    map queue 7 local-priority 5
qos schedule-profile voip
    dwrr queue 0 weight 1
    dwrr queue 1 weight 1
    dwrr queue 2 weight 1
    dwrr queue 3 weight 1
    dwrr queue 4 weight 1
    dwrr queue 5 weight 1
    dwrr queue 6 weight 1
    strict queue 7
apply qos queue-profile switchports schedule-profile voip
qos trust dscp
qos dscp-map 40 local-priority 6 color green name CS5
qos dscp-map 41 local-priority 6 color green name CS5
qos dscp-map 42 local-priority 6 color green name CS5
qos dscp-map 43 local-priority 6 color green name CS5
qos dscp-map 44 local-priority 6 color green name CS5
qos dscp-map 45 local-priority 6 color green name CS5
qos dscp-map 47 local-priority 6 color green name CS5
! review: the five multi-chassis uplink LAGs (5, 11, 21, 31, 41) share one trunk
! definition; none is dhcpv4-snooping trusted, unlike lag 256 (ISL), 1/1/14 and 1/1/16.
interface lag 5 multi-chassis
    description Uplink to bova-mdf-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20-21,30,35,40,48,50,70,72,168,230,254,503,513,523,533
    lacp mode active
interface lag 11 multi-chassis
    description Uplink to bova-idf1-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20-21,30,35,40,48,50,70,72,168,230,254,503,513,523,533
    lacp mode active
interface lag 21 multi-chassis
    description Uplink to bova-idf2-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20-21,30,35,40,48,50,70,72,168,230,254,503,513,523,533
    lacp mode active
interface lag 31 multi-chassis
    description Uplink to bova-idf3-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20-21,30,35,40,48,50,70,72,168,230,254,503,513,523,533
    lacp mode active
interface lag 41 multi-chassis
    description Uplink to bova-idf4-sw1
    no shutdown
    no routing
    vlan trunk native 699
    vlan trunk allowed 10,20-21,30,35,40,48,50,70,72,168,230,254,503,513,523,533
    lacp mode active
! review: VSX inter-switch link; carries all VLANs and is trusted for DHCP snooping.
interface lag 256
    description ISL link
    no shutdown
    no routing
    vlan trunk native 699 tag
    vlan trunk allowed all
    lacp mode active
    dhcpv4-snooping trust
interface 1/1/1
    no shutdown
    lag 5
interface 1/1/2
    no shutdown
    lag 11
interface 1/1/3
    no shutdown
    lag 21
interface 1/1/4
    no shutdown
    lag 31
interface 1/1/5
    no shutdown
    lag 41
! review: the SCCM distribution point port is DHCP-snooping trusted (needed if it serves
! PXE/DHCP); the voice gateway on 1/1/15 is not — fine as long as it never answers DHCP.
interface 1/1/14
    description Connected to SCCM_DP
    no shutdown
    no routing
    vlan access 21
    dhcpv4-snooping trust
interface 1/1/15
    description Connected to Voice Gateway
    no shutdown
    no routing
    vlan access 50
! review: ring-facing trunk; the only interface with the IPFIX monitor attached (ingress
! only), so flow records cover ring traffic but not the uplink LAGs or access ports.
interface 1/1/16
    description Primary Link Connected to Ring_3
    no shutdown
    flow-control rxtx
    no routing
    vlan trunk native 699
    vlan trunk allowed 503,513,523,533
    dhcpv4-snooping trust
    ip flow monitor ipfix-monitor in
interface 1/1/17
    description ISL LAG
    no shutdown
    lag 256
interface 1/1/18
    description ISL LAG
    no shutdown
    lag 256
! review: loopback is 10.41.254.253, whereas "router ospf 1" below uses router-id
! 10.41.254.254 and a static route sends 10.41.254.254/32 toward 10.254.41.2 — see the
! note at "ip route".
interface loopback 0
    ip address 10.41.254.253/32
    ip ospf 1 area 0.0.0.203
interface vlan 1
    shutdown
! review: the in-band management SVI is routed into OSPF area 0.0.0.203 and reuses the
! mgmt-port address 192.168.41.2. users-acl 10 is the only control in this file keeping
! user VLANs out of 192.168.0.0/16, and that list is not applied in this file.
interface vlan 10
    description NetworkManagement
    ip address 192.168.41.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 192.168.41.1
    ip ospf 1 area 0.0.0.203
! review: VLANs 20, 21 and 168 relay DHCP to the three ClearPass hosts (10.1.40.115-117)
! and to 10.41.21.221 (SCCM) in addition to the two DHCP servers; the other user VLANs
! relay only to 10.1.40.20 and 10.21.48.20.
interface vlan 20
    ip address 10.41.1.2/21
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.1.1
    ip helper-address 10.1.40.20
    ip helper-address 10.1.40.115
    ip helper-address 10.1.40.116
    ip helper-address 10.1.40.117
    ip helper-address 10.21.48.20
    ip helper-address 10.41.21.221
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 21
    ip address 10.41.21.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.21.1
    ip helper-address 10.1.40.20
    ip helper-address 10.1.40.115
    ip helper-address 10.21.48.20
    ip helper-address 10.41.21.221
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 30
    ip address 10.41.30.2/23
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.30.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 35
    ip address 10.41.35.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.35.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 40
    ip address 10.41.40.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.40.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 48
    ip address 10.41.48.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.48.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 50
    ip address 10.41.50.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.50.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip igmp static-group 239.1.150.50
    ip pim-sparse enable
interface vlan 70
    ip address 10.41.70.2/23
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.70.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 72
    ip address 10.41.72.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.72.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
interface vlan 168
    ip address 10.41.168.2/22
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.168.1
    ip helper-address 10.1.40.20
    ip helper-address 10.1.40.115
    ip helper-address 10.1.40.116
    ip helper-address 10.1.40.117
    ip helper-address 10.21.48.20
    ip helper-address 10.41.21.221
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
! review: HVAC SVI is a /24 while hvac-acl only matches 10.41.230.0/27 as source.
interface vlan 230
    ip address 10.41.230.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.41.230.1
    ip helper-address 10.1.40.20
    ip helper-address 10.21.48.20
    ip ospf 1 area 0.0.0.203
    ip igmp enable
    ip pim-sparse enable
! review: the three area-0 links (vlan 254, 503, 523) are the only non-passive OSPF
! interfaces, matching "passive-interface default" below.
interface vlan 254
    description transit-vlan
    ip address 10.254.41.1/24
    ip ospf 1 area 0.0.0.0
    no ip ospf passive
    ip ospf network point-to-point
    ip pim-sparse enable
! review: vlan 503 is addressed in 10.250.203.0/24 while vlan 254 and vlan 523 sit in
! 10.254.x.x — verify the second octet is not a typo.
interface vlan 503
    description ring3_ct-a
    ip address 10.250.203.41/24
    ip ospf 1 area 0.0.0.0
    no ip ospf passive
    ip ospf cost 3000
    ip pim-sparse enable
interface vlan 523
    description ring3_sh-a
    ip address 10.254.223.41/24
    ip ospf 1 area 0.0.0.0
    no ip ospf passive
    ip ospf cost 1000
    ip pim-sparse enable
! review: SNMP is served on VRF default using a plaintext community string; no SNMPv3
! user, view or source restriction appears in this file. The community is a credential —
! rotate it if this file has been shared, and prefer SNMPv3 with a restricted view.
snmp-server vrf default
snmp-server system-description bova-A8360-sw1
snmp-server system-location Bova MDF
snmp-server system-contact Tim Marris
snmp-server community mickey03
! review: keepalive "peer 192.168.41.2 source 192.168.41.1" on vrf mgmt, but interface
! mgmt on this device is 192.168.41.2 and 192.168.41.1 is the active-gateway address of
! vlan 10 in the default VRF. Either the peer/source pair is swapped or this file was
! taken from the other VSX member — verify on both switches before relying on VSX
! split-brain detection.
vsx
    system-mac 02:01:00:00:01:40
    inter-switch-link lag 256
    role primary
    keepalive peer 192.168.41.2 source 192.168.41.1 vrf mgmt
! review: 10.41.254.254/32 is routed toward the transit next hop, yet it is also the
! router-id of "router ospf 1" below while this switch's loopback is 10.41.254.253.
! A router-id that is routed off-box is unusual; check which loopback the router-id is
! meant to be.
ip route 10.41.254.254/32 10.254.41.2
! review: mirrors all VLAN 30 (IoT) traffic in both directions to the switch CPU and is
! left enabled. This looks like a troubleshooting setting; mirrored traffic consumes
! control-plane capacity, so disable the session when the capture is not needed.
mirror session 1
    destination cpu
    source vlan 30 both
    enable
ip dns domain-name scsd.ad
ip dns server-address 10.1.40.10
ip dns server-address 10.21.48.10
!
!
!
!
!
router ospf 1
    router-id 10.41.254.254
    passive-interface default
    area 0.0.0.0
    area 0.0.0.203 nssa
    area 0.0.0.203 range 10.41.0.0/16 type inter-area
router pim
    enable
    rp-address 10.1.0.1
! review: all sourced services (TACACS, RADIUS, syslog, NTP, SNMP traps) originate from
! loopback0 (10.41.254.253); the AAA/syslog servers must recognise that address, not the
! SVI addresses, as this client.
ip source-interface all interface loopback0
! review: web UI on both VRFs; same exposure consideration as the "ssh server" note.
https-server vrf default
https-server vrf mgmt