484 lines
14 KiB
INI
484 lines
14 KiB
INI
Current configuration:
|
|
!
|
|
!Version ArubaOS-CX LL.10.13.1161
|
|
!export-password: default
|
|
hostname elmcrest-mdf-a8360-sw1
|
|
banner motd #
|
|
!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
|
! You are accessing a PRIVATE COMPUTING FACILITY. !
|
|
! Access to this system is restricted to AUTHORIZED PERSONNEL. !
|
|
! !
|
|
! Anyone who accesses this system without authorization, or in !
|
|
! excess of their authorization could be subject to a fine, !
|
|
! imprisonment, or both under Public and Federal Law. By entering !
|
|
! this system, you consent to having your accesses and activities !
|
|
! monitored and recorded. If this monitoring or record reveals !
|
|
! suspected unauthorized or criminal activity, the evidence will !
|
|
! be provided to supervisory personnel and law enforcement officials. !
|
|
! !
|
|
! IF YOU ARE NOT AUTHORIZED TO BE HERE DISCONNECT NOW! !
|
|
!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#
|
|
user admin group administrators password ciphertext AQBapT90QSaSGN24uWDf3sWwVjOrgYaV0+uh2llgdb9+QN9kYgAAAERYonDjD8+K49eZv3u8ZEWrNFeKJD6J3tVGh3DGRZLIc9BdyHWFdusmXolSvASczgi0xZXaGmVFgp6z8wWdYWJvhoI5yegKlFn0J86VgWBH+AIrcqFO5O5mGMsDPSd1RHe6
|
|
clock timezone america/new_york
|
|
profile aggregation-leaf
|
|
ntp server 10.1.1.2 iburst
|
|
ntp server 10.1.1.3 iburst
|
|
ntp enable
|
|
!
|
|
!
|
|
!
|
|
!
|
|
tacacs-server host 10.1.40.115 key ciphertext AQBapQDVCxpubVbx9XdeZ336JGX4HcnWMVJrzBevk8xvjzG3CQAAAG7KGvw4eqT/Iw==
|
|
tacacs-server host 10.1.40.116 key ciphertext AQBapcvhtHh454vfqQlUvkelMCcK1arPsOCtpHd/9dOLAC+GCQAAALEx07U8a9txYg==
|
|
tacacs-server host 10.1.40.117 key ciphertext AQBapawQW9HpZigihZTGUZJaqLckzlnDg8j46QjIQeblvyibCQAAADq/BfYAR8QzLA==
|
|
!
|
|
radius-server host 10.1.40.115 key ciphertext AQBapYzVdy33DA9S4JyHmNK3NswJZ+kGqsVyFnCoDGTxoWigCQAAAMxIEtkzudUXug==
|
|
radius-server host 10.1.40.116 key ciphertext AQBapR38K7VYrM/CBfIgk5BK26klBERiSrsFVNrNAQK1zR9qCQAAAGHQjUkU5hRARA==
|
|
radius-server host 10.1.40.117 key ciphertext AQBapfprw/xjO3ZUPRXaZUAzpm6q9CWCp91tV6lpEvL+u6LXCQAAAIjxn2MmXGwoKA==
|
|
aaa authentication allow-fail-through
|
|
!
|
|
!
|
|
aaa authentication login default group tacacs local
|
|
aaa accounting all-mgmt console start-stop group tacacs
|
|
aaa accounting all-mgmt default start-stop group radius
|
|
aaa accounting all-mgmt https-server start-stop group radius
|
|
aaa accounting all-mgmt ssh start-stop group tacacs
|
|
!
|
|
logging 10.1.40.78
|
|
ssh server vrf default
|
|
ssh server vrf mgmt
|
|
object-group ip address clearpass_servers
|
|
10 10.1.40.115
|
|
20 10.1.40.116
|
|
30 10.1.40.117
|
|
object-group ip address day-enterprise-servers
|
|
10 10.1.230.11
|
|
20 10.1.40.108
|
|
object-group ip address dns-servers
|
|
10 10.1.40.10
|
|
20 10.1.48.11
|
|
object-group ip address dom_cont
|
|
10 10.1.40.10
|
|
20 10.1.40.95
|
|
30 10.1.48.120
|
|
40 10.21.48.10
|
|
50 10.1.203.21
|
|
60 10.1.48.10
|
|
80 10.1.48.11
|
|
object-group ip address ntp-servers
|
|
10 10.1.40.154
|
|
20 10.1.48.103
|
|
object-group ip address sccm_servers
|
|
10 10.1.48.53
|
|
20 10.1.48.189
|
|
object-group port clearpass_tcp_ports
|
|
10 eq dce-rpc
|
|
20 eq rdp
|
|
object-group port dc_tcp_ports
|
|
10 eq dce-rpc
|
|
20 eq ldap
|
|
30 eq 3268
|
|
40 eq dns
|
|
50 eq 88
|
|
70 eq microsoft-ds
|
|
80 range 49666 49679
|
|
object-group port dc_udp_ports
|
|
10 eq ntp
|
|
20 eq ldap
|
|
30 eq dns
|
|
40 eq isakmp
|
|
object-group port sccm_tcp_ports
|
|
10 eq 8530
|
|
20 eq 10123
|
|
object-group port sccm_udp_ports
|
|
10 eq dce-rpc
|
|
20 eq ldap
|
|
50 eq dns
|
|
60 eq 88
|
|
70 eq microsoft-ds
|
|
90 eq isakmp
|
|
140 gt 1022
|
|
access-list ip Image-acl
|
|
10 comment DC_UDP_PORTS_IN
|
|
10 permit udp dom_cont group dc_udp_ports any
|
|
15 comment DC_UDP_PORTS_OUT
|
|
15 permit udp any dom_cont group dc_udp_ports
|
|
20 comment DC_TCP PORTS_IN
|
|
20 permit tcp dom_cont group dc_tcp_ports any
|
|
25 comment DC_TCP_PORTS_OUT
|
|
25 permit tcp any dom_cont group dc_tcp_ports
|
|
30 comment SCCM_UDP_PORTS_IN
|
|
30 permit udp sccm_servers group sccm_udp_ports any
|
|
35 comment SCCM_UDP_PORTS_OUT
|
|
35 permit udp any sccm_servers group sccm_udp_ports
|
|
40 comment SCCM_TCP_PORTS_IN
|
|
40 permit tcp sccm_servers group sccm_tcp_ports any
|
|
45 comment SCCM_TCP_PORTS_OUT
|
|
45 permit tcp any sccm_servers group sccm_tcp_ports
|
|
50 comment UDP_137-138
|
|
50 permit udp any range 137 138 any
|
|
90 comment HTTP_IN
|
|
90 permit tcp any eq http any
|
|
95 comment HTTP_OUT
|
|
95 permit tcp any any eq http
|
|
100 comment HTTPS_IN
|
|
100 permit tcp any eq https any
|
|
105 comment HTTPS_OUT
|
|
105 permit tcp any any eq https
|
|
110 permit udp any eq dhcp-client any eq dhcp-server
|
|
120 permit udp any eq dhcp-server any eq dhcp-client
|
|
130 comment TFTP_IN
|
|
130 permit udp any any eq tftp
|
|
140 comment TFTP_OUT
|
|
140 permit udp any eq tftp any
|
|
150 comment PXE_BOOT
|
|
150 permit udp any eq 4011 any eq 4011
|
|
154 comment ClearPass_TCP_PORTS_IN
|
|
154 permit tcp clearpass_servers group clearpass_tcp_ports any
|
|
158 comment ClearPass_TCP_PORTS_OUT
|
|
158 permit tcp any clearpass_servers group clearpass_tcp_ports
|
|
160 deny any any any
|
|
access-list ip hvac-acl
|
|
10 permit any 10.27.230.0/255.255.255.224 day-enterprise-servers
|
|
20 permit udp 10.27.230.0/255.255.255.224 dns-servers eq dns
|
|
30 permit udp 10.27.230.0/255.255.255.224 ntp-servers eq ntp
|
|
40 permit icmp 10.27.230.0/255.255.255.252 10.27.230.0/255.255.255.224
|
|
50 permit icmp 10.27.230.0/255.255.255.224 10.27.230.0/255.255.255.252
|
|
60 deny any any 10.0.0.0/255.0.0.0
|
|
70 deny any any 192.168.0.0/255.255.0.0
|
|
80 deny any any 172.16.0.0/255.240.0.0
|
|
90 permit tcp 10.27.230.0/255.255.255.224 any eq 587 log count
|
|
access-list ip users-acl
|
|
10 deny any any 192.168.0.0/255.255.0.0
|
|
20 permit any any any
|
|
access-list log-timer 5
|
|
flow exporter ipfix-to-orion
|
|
destination 10.1.48.37 vrf default
|
|
template data timeout 60
|
|
transport udp 2055
|
|
flow record ipfix-record
|
|
match ipv4 destination address
|
|
match ipv4 protocol
|
|
match ipv4 source address
|
|
match ipv4 version
|
|
match transport destination port
|
|
match transport source port
|
|
collect counter bytes
|
|
collect counter packets
|
|
collect timestamp absolute first
|
|
collect timestamp absolute last
|
|
flow monitor ipfix-monitor
|
|
cache timeout active 60
|
|
exporter ipfix-to-orion
|
|
record ipfix-record
|
|
dhcpv4-snooping
|
|
dhcpv4-snooping option 82 untrusted-policy keep
|
|
vlan 1
|
|
vlan 10
|
|
name mgmt
|
|
vlan 20
|
|
name Data
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
vlan 30
|
|
name IoT
|
|
description IoT VLAN
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
vlan 35
|
|
name Wireless
|
|
description Wireless VLAN
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
vlan 50
|
|
name Voice
|
|
voice
|
|
description Voice VLAN
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
vlan 70
|
|
name Security
|
|
description Security VLAN
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
vlan 72
|
|
name AccessControl
|
|
description Access Control VLAN
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
vlan 168
|
|
name Default
|
|
description Default and Imaging VLAN
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
apply access-list ip Image-acl in
|
|
vlan 230
|
|
name HVAC
|
|
description HVAC VLAN
|
|
dhcpv4-snooping
|
|
ip igmp snooping enable
|
|
vlan 254
|
|
name transit
|
|
description Transit VLAN
|
|
dhcpv4-snooping
|
|
vlan 506
|
|
name ring6_ct-a
|
|
dhcpv4-snooping
|
|
vlan 516
|
|
name ring6_ct-b
|
|
dhcpv4-snooping
|
|
vlan 526
|
|
name ring6_sh-a
|
|
dhcpv4-snooping
|
|
vlan 536
|
|
name ring6_sh-b
|
|
dhcpv4-snooping
|
|
vlan 699
|
|
name NativeVLAN
|
|
spanning-tree mode rpvst
|
|
spanning-tree
|
|
spanning-tree priority 2
|
|
spanning-tree trap topology-change instance 0
|
|
spanning-tree ignore-pvid-inconsistency
|
|
spanning-tree vlan 10,20,30,35,50,70,72,168,230,254,506,516,526,536,699
|
|
spanning-tree vlan 506 priority 15
|
|
spanning-tree vlan 516 priority 15
|
|
spanning-tree vlan 526 priority 15
|
|
spanning-tree vlan 536 priority 15
|
|
interface mgmt
|
|
no shutdown
|
|
ip static 192.168.27.1/24
|
|
qos queue-profile switchports
|
|
map queue 0 local-priority 0
|
|
map queue 1 local-priority 1
|
|
map queue 2 local-priority 2
|
|
map queue 3 local-priority 3
|
|
map queue 4 local-priority 4
|
|
map queue 5 local-priority 6
|
|
map queue 6 local-priority 7
|
|
map queue 7 local-priority 5
|
|
qos schedule-profile voip
|
|
dwrr queue 0 weight 1
|
|
dwrr queue 1 weight 1
|
|
dwrr queue 2 weight 1
|
|
dwrr queue 3 weight 1
|
|
dwrr queue 4 weight 1
|
|
dwrr queue 5 weight 1
|
|
dwrr queue 6 weight 1
|
|
strict queue 7
|
|
apply qos queue-profile switchports schedule-profile voip
|
|
qos trust dscp
|
|
qos dscp-map 40 local-priority 6 color green name CS5
|
|
qos dscp-map 41 local-priority 6 color green name CS5
|
|
qos dscp-map 42 local-priority 6 color green name CS5
|
|
qos dscp-map 43 local-priority 6 color green name CS5
|
|
qos dscp-map 44 local-priority 6 color green name CS5
|
|
qos dscp-map 45 local-priority 6 color green name CS5
|
|
qos dscp-map 47 local-priority 6 color green name CS5
|
|
interface lag 5 multi-chassis
|
|
description Uplink to elmcrest-mdf-a6300-sw1
|
|
no shutdown
|
|
no routing
|
|
vlan trunk native 699
|
|
vlan trunk allowed 10,20,30,35,50,70,72,168,230,254,506,516,526,536
|
|
lacp mode active
|
|
interface lag 11 multi-chassis
|
|
description Uplink to elmcrest-idf1-a6300-sw1
|
|
no shutdown
|
|
no routing
|
|
vlan trunk native 699
|
|
vlan trunk allowed 10,20,30,35,50,70,72,168,230,254,506,516,526,536
|
|
lacp mode active
|
|
interface lag 256
|
|
description ISL link
|
|
no shutdown
|
|
no routing
|
|
vlan trunk native 699 tag
|
|
vlan trunk allowed all
|
|
lacp mode active
|
|
dhcpv4-snooping trust
|
|
interface 1/1/1
|
|
no shutdown
|
|
lag 5
|
|
interface 1/1/2
|
|
no shutdown
|
|
lag 11
|
|
interface 1/1/14
|
|
description Connected to NVR
|
|
no shutdown
|
|
no routing
|
|
vlan access 70
|
|
interface 1/1/15
|
|
description Connected to Voice Gateway
|
|
no shutdown
|
|
no routing
|
|
vlan access 50
|
|
interface 1/1/16
|
|
description Primary Link Connected to Ring_6
|
|
no shutdown
|
|
flow-control rxtx
|
|
no routing
|
|
vlan trunk native 699
|
|
vlan trunk allowed 506,516,526,536
|
|
dhcpv4-snooping trust
|
|
ip flow monitor ipfix-monitor in
|
|
interface 1/1/17
|
|
description ISL LAG
|
|
no shutdown
|
|
lag 256
|
|
interface 1/1/18
|
|
description ISL LAG
|
|
no shutdown
|
|
lag 256
|
|
interface loopback 0
|
|
ip address 10.27.254.253/32
|
|
ip ospf 1 area 0.0.0.206
|
|
interface vlan 1
|
|
shutdown
|
|
interface vlan 10
|
|
description NetworkManagement
|
|
ip address 192.168.27.2/24
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 192.168.27.1
|
|
ip ospf 1 area 0.0.0.206
|
|
interface vlan 20
|
|
ip address 10.27.1.2/21
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.1.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.40.115
|
|
ip helper-address 10.1.40.116
|
|
ip helper-address 10.1.40.117
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.1.48.189
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 30
|
|
ip address 10.27.30.2/23
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.30.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 35
|
|
ip address 10.27.35.2/24
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.35.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 50
|
|
ip address 10.27.50.2/24
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.50.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 70
|
|
ip address 10.27.70.2/23
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.70.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 72
|
|
ip address 10.27.72.2/24
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.72.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 168
|
|
ip address 10.27.168.2/22
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.168.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.40.115
|
|
ip helper-address 10.1.40.116
|
|
ip helper-address 10.1.40.117
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.1.48.189
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 230
|
|
ip address 10.27.230.2/27
|
|
active-gateway ip mac 12:01:00:00:01:00
|
|
active-gateway ip 10.27.230.1
|
|
ip helper-address 10.1.40.20
|
|
ip helper-address 10.1.48.11
|
|
ip helper-address 10.21.48.20
|
|
ip ospf 1 area 0.0.0.206
|
|
ip igmp enable
|
|
ip pim-sparse enable
|
|
interface vlan 254
|
|
description transit-vlan
|
|
ip address 10.254.27.1/24
|
|
ip ospf 1 area 0.0.0.0
|
|
no ip ospf passive
|
|
ip ospf network point-to-point
|
|
ip pim-sparse enable
|
|
interface vlan 506
|
|
description ring6_ct-a
|
|
ip address 10.250.206.27/24
|
|
ip ospf 1 area 0.0.0.0
|
|
no ip ospf passive
|
|
ip ospf cost 3000
|
|
ip pim-sparse enable
|
|
interface vlan 526
|
|
description ring6_sh-a
|
|
ip address 10.254.226.27/24
|
|
ip ospf 1 area 0.0.0.0
|
|
no ip ospf passive
|
|
ip ospf cost 1000
|
|
ip pim-sparse enable
|
|
snmp-server vrf default
|
|
snmp-server system-description elmcrest-mdf-a8360-sw1
|
|
snmp-server system-location elmcrest
|
|
snmp-server system-contact Tim Marris
|
|
snmp-server community mickey03
|
|
vsx
|
|
system-mac 02:01:00:00:01:27
|
|
inter-switch-link lag 256
|
|
role primary
|
|
keepalive peer 192.168.27.2 source 192.168.27.1 vrf mgmt
|
|
ip route 10.27.254.254/32 10.254.27.2
|
|
ip dns domain-name scsd.ad
|
|
ip dns server-address 10.1.40.10
|
|
ip dns server-address 10.1.48.11
|
|
!
|
|
!
|
|
!
|
|
!
|
|
!
|
|
router ospf 1
|
|
router-id 10.27.254.254
|
|
passive-interface default
|
|
area 0.0.0.0
|
|
area 0.0.0.206 nssa
|
|
area 0.0.0.206 range 10.27.0.0/16 type inter-area
|
|
router pim
|
|
enable
|
|
rp-address 10.1.0.1
|
|
ip source-interface all interface loopback0
|
|
https-server vrf default
|
|
https-server vrf mgmt
|
|
configuration-lockout central managed |