15. Những file cấu hình ví dụ
15.1 Cisco Catalyst 6500 Switch
!=======================================================================
! 6500 - Distribution/Core Policy Layer
!=======================================================================
! Global settings for the distribution/core 6500 (hostname Cat121).
version 12.1
! No PAD; TCP keepalives so dead vty/SSH sessions are torn down instead of
! lingering.  Millisecond, timezone-tagged, sequence-numbered timestamps make
! syslog correlation across devices possible.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 obfuscation of line passwords / keys in the stored config.  It is
! reversible, so it does not replace keeping the config file confidential.
service password-encryption
service sequence-numbers
!
hostname Cat121
!
boot system flash sup-bootflash:c6k222-jk9sv-mz.122-14.SY.bin
! Log SNMP authentication failures; the local buffer keeps notifications+.
logging snmp-authfail
logging buffered 64000 notifications
! AAA: one TACACS+ group (single server 10.1.6.88) backs login, exec and
! level-15 command authorization, and start-stop accounting.  Because there
! is only one server, the "aaa-fallback" and "aaa-config" lists below are
! what keep the console usable when it is unreachable.
aaa new-model
aaa group server tacacs+ aaa-admin-servers
server 10.1.6.88
!
! NOTE: "^C" is how show running-config renders the 0x03 delimiter.  When
! re-entering these two lines from this text, type a printable delimiter
! instead of the two characters "^" and "C".
aaa authentication banner ^CAccessing AAA-Servers^C
aaa authentication fail-message ^CAAA Authentication FAILED.^C
aaa authentication login default group aaa-admin-servers
! aaa-fallback: TACACS+ first, then the enable secret (bound to line con 0).
aaa authentication login aaa-fallback group aaa-admin-servers enable
aaa authorization exec default group aaa-admin-servers
aaa authorization commands 15 default group aaa-admin-servers
! aaa-config: command authorization that still succeeds when TACACS+ is
! unreachable (if-authenticated); used only on the console.
aaa authorization commands 15 aaa-config group aaa-admin-servers if-authenticated
aaa authorization network default if-authenticated
aaa authorization configuration default group aaa-admin-servers
aaa accounting suppress null-username
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 1440
aaa accounting exec default start-stop group aaa-admin-servers
aaa accounting commands 15 default start-stop group aaa-admin-servers
aaa accounting network default start-stop group aaa-admin-servers
aaa accounting connection default start-stop group aaa-admin-servers
aaa accounting system default start-stop group aaa-admin-servers
! <password> / <key> are placeholders throughout this example.
enable secret <password>
!
clock timezone EST -5
clock summer-time EDT recurring
clock calendar-valid
vtp domain test.lab
! Transparent: this switch neither learns nor advertises VLANs over VTP.
vtp mode transparent
ip subnet-zero
! Drop source-routed packets and gratuitous ARPs; rate-limit ICMP unreachables.
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip flow-cache feature-accelerate
!
!
ip tcp synwait-time 10
ip domain-name test.lab
ip name-server 10.1.200.97
ip dhcp relay information option
!
no ip bootp server
! SSH: 10 s negotiation timeout, two authentication attempts.  The SSH
! protocol version is not pinned; restrict it to version 2 where this image
! supports it (not verified for this 12.1 release).
ip ssh time-out 10
ip ssh authentication-retries 2
mpls ldp logging neighbor-changes
mls flow ip destination
mls flow ipx destination
mls qos
!
!
! STP hardening: loop guard on all ports by default; PortFast edge ports get
! BPDU guard and BPDU filter by default (the trunks below switch these off).
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
! STP runs only for VLANs 6,10,20,101, with this switch as a root candidate
! (priority 24576) and short timers.  VLANs 200, 201 and 996 are in the
! disabled range yet are carried on the Gi1/1 trunk -- this assumes there
! is no redundant L2 path for them; confirm.
no spanning-tree vlan 1-5,7-9,11-19,21-100,102-1001
spanning-tree vlan 6,10,20,101 priority 24576
spanning-tree vlan 6,10,20,101 forward-time 7
spanning-tree vlan 6,10,20,101 max-age 10
!
! Supervisor redundancy: RPR+ with running and standard config synced.
redundancy
mode rpr-plus
main-cpu
auto-sync running-config
auto-sync standard
!
! Catch-all MAC ACL: used as the final "drop" entry of every VACL below so
! that non-IP frames not covered by the IP/IPX entries are dropped too.
mac access-list extended mac-any-any
permit any any
!
!
! VACL for the IP phone VLAN (bound to VLAN 101 by "vlan filter" below).
! Entries are evaluated in sequence order:
!  10: whitelist of phone <-> CallManager flows (ACL ipphone-permits)
!  20: known phone-to-phone SCCP (tcp/2000) dropped without logging
!  30: any other IP traffic dropped and logged (ip-any-any)
!  40/50: remaining MAC / IPX frames dropped.
! NOTE: ipx-any-any is referenced here but not defined in this excerpt.
vlan access-map ipphone-vacl-map 10
match ip address ipphone-permits
action forward
vlan access-map ipphone-vacl-map 20
match ip address ipphone-no-log
action drop
vlan access-map ipphone-vacl-map 30
match ip address ip-any-any
action drop log
vlan access-map ipphone-vacl-map 40
match mac address mac-any-any
action drop
vlan access-map ipphone-vacl-map 50
match ipx address ipx-any-any
action drop
!
! VACL for the private server VLAN (bound to VLAN 200).
!  10/20: inside VLAN 200 only NTP with 10.1.200.94 is allowed; any other
!         server-to-server traffic is dropped and logged.  This backs up the
!         isolated private VLAN 201 on the server ports.
!  30/40: explicit client->server and server->client whitelists.
!  50-70: everything else (IP, MAC, IPX) dropped; IP drops are logged.
! NOTE: ipx-any-any is not defined in this excerpt.
vlan access-map server-vacl-map 10
match ip address intraserver-permits
action forward
vlan access-map server-vacl-map 20
match ip address intraserver-any-any
action drop log
vlan access-map server-vacl-map 30
match ip address server-permits-in
action forward
vlan access-map server-vacl-map 40
match ip address server-permits-out
action forward
vlan access-map server-vacl-map 50
match ip address ip-any-any
action drop log
vlan access-map server-vacl-map 60
match mac address mac-any-any
action drop
vlan access-map server-vacl-map 70
match ipx address ipx-any-any
action drop
!
! VACL for the management VLAN (bound to VLAN 6): only traffic with both
! source and destination in 10.1.6.0/24 is forwarded; everything else is
! dropped and, for IP, logged.  The syslog (10.1.6.89) and TACACS+
! (10.1.6.88) servers and the 3550 (10.1.6.141) all live inside that
! subnet, so management traffic never has to leave it.
vlan access-map management-vacl-map 10
match ip address management-permits
action forward
vlan access-map management-vacl-map 20
match ip address ip-any-any
action drop log
vlan access-map management-vacl-map 30
match mac address mac-any-any
action drop
vlan access-map management-vacl-map 40
match ipx address ipx-any-any
action drop
!
! Bind each VACL to its VLAN.  The user VLANs 10 and 20 carry no VACL of
! their own in this excerpt; their traffic is filtered where it enters
! VLAN 101 or 200.
vlan filter management-vacl-map vlan-list 6
vlan filter ipphone-vacl-map vlan-list 101
vlan filter server-vacl-map vlan-list 200
!
! VLAN definitions (local, since VTP is transparent).
! 200/201 form a private-VLAN pair: 201 is isolated, so ports in it can only
! reach promiscuous ports (the NTP server on Gi6/6) and the Vlan200 SVI.
! 996 is the routed core /30 toward Cat122.  997-999 are "bit-bucket" VLANs:
! used as trunk native VLANs and as the access VLAN of unused ports, and
! their SVIs are shut down.
vlan 6
name MANAGEMENT-SUBNET
!
vlan 10
name NET10-SUBNET
!
vlan 20
name NET20-SUBNET
!
vlan 101
name IP-PHONE-SUBNET
!
vlan 200
name SERVERS-PRIVATE-PRIMARY
private-vlan primary
private-vlan association 201
!
vlan 201
name SERVERS-PRIVATE-SECONDARY
private-vlan isolated
!
vlan 996
name CORE-LAYER-SUBNET
!
vlan 997
name ***BIT-BUCKET-for-2nd-Trunk***
!
vlan 998
name ***BIT-BUCKET-for-1st-Trunk***
!
vlan 999
name ***BIT-BUCKET-for-unused-ports**
!
!
! Loopback0: /32 host address.  It is not referenced elsewhere in this
! excerpt (no "logging source-interface" / "ntp source" pins management
! traffic to it), so its role is presumably documentation or routing ID only.
! ICMP redirects/unreachables and proxy ARP are disabled on every L3
! interface in this config.
interface Loopback0
ip address 10.0.0.121 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!
! Null0: do not answer traffic sent to a black-hole route with ICMP
! unreachables (keeps the switch from acting as an unreachable generator).
interface Null0
no ip unreachables
!
! Trunk to the peer core switch Cat122.  The allowed list is pruned to the
! VLANs that span both switches; DTP (nonegotiate) and CDP are off.  The
! "access vlan 999" is inert in trunk mode but parks the port in a
! bit-bucket VLAN should it ever fall back to access mode.
! NOTE: unlike the other trunks (native 997/998, unused VLANs) the native,
! i.e. untagged, VLAN here is 996 -- the routed core /30.  A dedicated
! unused native VLAN with 996 tagged would match the rest of the design.
! NOTE: "spanning-tree guard none" also removes the global loop-guard default
! from this inter-switch link; confirm that is intended.
interface GigabitEthernet1/1
description TRUNK to Cat122
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 996
switchport trunk allowed vlan 6,10,20,101,200,201,996
switchport mode trunk
switchport nonegotiate
no cdp enable
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
! Template for an unused port (repeated for Gi6/7, 6/8, 6/13, 6/14):
! administratively down, access VLAN 999 (a shut-down bit-bucket VLAN), no
! trunking/DTP, port security on, all broadcast/multicast/unicast storms
! suppressed (level 0.00 = drop everything), 802.1X forced unauthorized,
! CDP off, and PortFast + BPDU guard + root guard so a device plugged in
! later cannot influence STP.
interface GigabitEthernet1/2
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! CallManager (CCM; 10.1.200.99 in the ACLs below) as an isolated
! private-VLAN host: it can reach promiscuous ports and the Vlan200 SVI but
! not the other isolated servers.  DSCP from the server is trusted (call
! signalling is matched on af31 in the ACLs).
! NOTE: no "switchport port-security" here, unlike the management ports
! Gi6/9-6/12; consider adding it for the server ports as well.
interface GigabitEthernet6/1
description SERVER CallManager
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Internal SMTP, DNS, FTP and HTTP servers, each an isolated private-VLAN
! host in 200/201 (same pattern as Gi6/1, without DSCP trust).  They can
! only talk to promiscuous ports and the Vlan200 SVI; the server VACL then
! restricts which client subnets may reach each service.
! NOTE: no port-security on these server ports (cf. Gi6/9-6/12).
interface GigabitEthernet6/2
description SERVER Internal E-Mail (SMTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/3
description SERVER Internal Domain Name (DNS)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/4
description SERVER Internal File (FTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/5
description SERVER Internal Web (HTTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Primary NTP server (10.1.200.94 in the ACLs) on a promiscuous private-VLAN
! port, so every isolated server can reach it; server-vacl-map seq 10 then
! limits that intra-VLAN traffic to NTP only.  The switch itself syncs to
! this host (see "ntp server" at the end of the config).
interface GigabitEthernet6/6
description SERVER Network Time Source-Primary (NTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan promiscuous
switchport nonegotiate
switchport private-vlan mapping 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Unused ports Gi6/7 and Gi6/8: identical to the Gi1/2 template (shut down,
! bit-bucket VLAN, port security, storm suppression, 802.1X force-unauthorized,
! CDP off, BPDU guard + root guard).
interface GigabitEthernet6/7
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/8
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Syslog server (10.1.6.89) on an access port in the management VLAN 6.
! Port security with the default maximum (one MAC); no trunking/DTP; CDP
! off; BPDU guard + root guard.  PortFast comes from the global default.
interface GigabitEthernet6/9
description SERVER Management Logs (SysLog)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! AAA server port (10.1.6.88 serves both TACACS+ and, for the 3550, RADIUS).
! Same pattern as Gi6/9, except port security allows up to 5 MAC addresses
! -- the only management port with a raised limit; confirm why (e.g. a
! multi-homed/virtualised host) or reduce it to the default of 1.
interface GigabitEthernet6/10
description SERVER Management Authentication (RADIUS)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security maximum 5
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Management workstations (SNMPv3 and SSL/SSH) in VLAN 6: same hardened
! access-port pattern as Gi6/9 (port security, default max 1 MAC).
! These are presumably the two admin hosts 10.1.6.1/.2 permitted by
! access-list 1 for vty access -- not confirmed by the descriptions.
interface GigabitEthernet6/11
description HOST Management (SNMPv3)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/12
description HOST Management (SSL, SSH, etc.)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Unused ports Gi6/13 and Gi6/14: identical to the Gi1/2 template.
interface GigabitEthernet6/13
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/14
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Downlinks to the access switches Cat142 / Cat141.  Only the user, management
! and phone VLANs are allowed; the native VLANs 997/998 are dedicated unused
! VLANs, so no user VLAN travels untagged (998 matches Fa0/24 on Cat141).
! DTP and CDP are off; DSCP from the access layer is trusted.
! NOTE: "spanning-tree guard none" also removes loop guard (global default)
! from these uplinks -- confirm that is intended.
interface GigabitEthernet6/15
description TRUNK to Cat142
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 997
switchport trunk allowed vlan 6,10,20,101
switchport mode trunk
switchport nonegotiate
no cdp enable
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
interface GigabitEthernet6/16
description TRUNK to Cat141
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 6,10,20,101
switchport mode trunk
switchport nonegotiate
no cdp enable
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
! Default VLAN 1: no address, shut down, NTP not served on it.  No port in
! this config uses VLAN 1 (unused ports sit in 999).
interface Vlan1
description *** DEFAULT VLAN - Do NOT Use! ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
! Management SVI (10.1.6.121); also the default gateway of the 3550.
! NTP is deliberately left enabled here (every other SVI except Vlan200
! has "ntp disable"): the 3550 at 10.1.6.141 is allowed to query this
! switch by "ntp access-group serve-only 3".
interface Vlan6
description Layer 3 Interface to Management Subnet
ip address 10.1.6.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!
! User subnet SVIs.  Redirects/unreachables/proxy ARP off; NTP not served.
interface Vlan10
description Layer 3 Interface to Net10 Subnet
ip address 10.1.10.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
interface Vlan20
description Layer 3 Interface to Net20 Subnet
ip address 10.1.20.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
! Phone subnet SVI.  "ip helper-address" relays the phones' DHCP to the
! CallManager (10.1.200.99); the matching relay flows are whitelisted in
! ipphone-permits and server-permits-in/out (see the port-number note there).
interface Vlan101
description Layer 3 Interface to IP Phone Subnet
ip address 10.1.101.121 255.255.255.0
ip helper-address 10.1.200.99
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
! Server subnet SVI.  "private-vlan mapping 201" lets the SVI route for the
! isolated servers in 201.  NTP stays enabled on this SVI because the switch
! peers with 10.1.200.94 here (ACL 2 / "ntp server ... key 123").
interface Vlan200
description Layer 3 Interface to Internal Servers
ip address 10.1.200.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
private-vlan mapping 201
!
! Core /30 toward Cat122 (10.1.250.122 is the default-route next hop).
! Note this VLAN is the untagged native VLAN of the Gi1/1 trunk.
interface Vlan996
description Layer 3 Interface to Core Subnet
ip address 10.1.250.121 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
! Bit-bucket SVIs: no address, shut down, NTP disabled.  Their VLANs exist
! only to be trunk native VLANs / the parking VLAN for unused ports.
interface Vlan997
description *** BIT BUCKET for 2nd Trunk ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan998
description *** BIT BUCKET for 1st Trunk ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan999
description *** BIT BUCKET for unused ports ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
ip classless
! Two default routes: one via the next hop 10.1.250.122 and one via the
! Vlan996 interface.  An interface-only static route on a multi-access SVI
! makes the switch ARP for every destination and relies on the neighbour
! proxy-ARPing, which this design disables ("no ip proxy-arp") -- verify
! which form is intended; the next-hop route is sufficient on its own.
ip route 0.0.0.0 0.0.0.0 10.1.250.122
ip route 0.0.0.0 0.0.0.0 Vlan996
! HTTP and HTTPS management are disabled.  The access-class (ACL 1, admin
! hosts only) and AAA binding are kept so that enabling the server later
! does not expose it to every host.
no ip http server
ip http access-class 1
ip http authentication aaa
no ip http secure-server
! Match-all for traffic that both originates and terminates in the server
! VLAN; server-vacl-map seq 20 drops and logs it, so only the flows in
! intraserver-permits (seq 10) survive between servers.
ip access-list extended intraserver-any-any
remark Everything with Source AND Destination in VLAN200
permit ip 10.1.200.0 0.0.0.255 10.1.200.0 0.0.0.255
remark .
! The only server-to-server traffic allowed: NTP (udp/123 both ends) between
! the promiscuous NTP server 10.1.200.94 and the rest of the server subnet.
ip access-list extended intraserver-permits
remark Allow NTP to the VLAN200 Servers
permit udp host 10.1.200.94 eq ntp 10.1.200.0 0.0.0.255 eq ntp
remark Allow NTP from the VLAN200 Servers
permit udp 10.1.200.0 0.0.0.255 eq ntp host 10.1.200.94 eq ntp
remark .
! Catch-all used as the explicit, logged IP drop entry in each VACL.
ip access-list extended ip-any-any
remark Everything IP
permit ip any any
remark .
! Phone-to-phone SCCP (tcp/2000) inside the phone subnet: expected noise that
! ipphone-vacl-map seq 20 drops without logging, keeping the seq-30 drop log
! meaningful.
ip access-list extended ipphone-no-log
remark Known IPPhone packets to drop without logging
permit tcp 10.1.101.0 0.0.0.255 10.1.101.0 0.0.0.255 eq 2000
remark .
! Phone VLAN whitelist (ipphone-vacl-map seq 10).  Every flow is written per
! direction because a VACL is stateless.  Points to be aware of:
!  - the relayed-DHCP entries model the relay agents (this switch's Vlan101,
!    .121, and presumably the peer switch's, .122) as sourcing from bootps;
!  - Skinny is matched only with DSCP af31 (or an RST with default DSCP), so
!    signalling marked otherwise falls through to the logged drop at seq 30;
!  - the "too many ports" TFTP entries (author's own remark) permit any UDP
!    between the CCM and phone high ports in both directions.
ip access-list extended ipphone-permits
remark -Allow DHCP BOOTP from IPPhones
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
remark -Allow DHCP BOOTP to IPPhone subnets (through ip helper-address)
permit udp host 10.1.101.121 eq bootps host 255.255.255.255 eq bootpc
permit udp host 10.1.101.122 eq bootps host 255.255.255.255 eq bootpc
remark -Allow DNS lookup requests from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq domain
remark -Allow DNS lookup replies from CCM to IPPhones
permit udp host 10.1.200.99 eq domain 10.1.101.0 0.0.0.255 gt 32767
remark -Allow TFTP request from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq tftp
remark -Open (too many) ports for TFTP transfer from CCM to IPPhones
permit udp host 10.1.200.99 10.1.101.0 0.0.0.255 gt 32767
remark -Open (too many) ports for TFTP Acks from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99
remark -Allow Skinny from IPPhones to CCM
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 dscp af31
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 rst dscp default
remark -Allow Skinny from CCM to IPPhones
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 dscp af31
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 rst dscp default
remark -Allow RTP Voice between IPPhones
permit udp 10.1.101.0 0.0.0.255 range 16384 32767 10.1.101.0 0.0.0.255 range 16384 32767 dscp ef
remark -Allow HTTP management of IPPhones from CCM
permit tcp host 10.1.200.99 10.1.101.0 0.0.0.255 eq www
remark -Allow HTTP management replies from IPPhones to CCM
permit tcp 10.1.101.0 0.0.0.255 eq www host 10.1.200.99 established
remark -Allow ICMPs to IPPhones from CCM
permit icmp host 10.1.200.99 10.1.101.0 0.0.0.255
remark -Allow ICMPs from IPPhones to CCM
permit icmp 10.1.101.0 0.0.0.255 host 10.1.200.99
remark .
! Management VLAN whitelist: anything that stays inside 10.1.6.0/24.
ip access-list extended management-permits
remark Allowable MANAGEMENT Subnet Permits
permit ip 10.1.6.0 0.0.0.255 10.1.6.0 0.0.0.255
remark .
! Traffic allowed INTO the server VLAN (server-vacl-map seq 30), one service
! per host: HTTP/HTTPS to .95, FTP to .96, DNS (udp and tcp) to .97, SMTP to
! .98 from the user subnets 10.1.10/24 and 10.1.20/24, plus the phone -> CCM
! (.99) flows mirrored from ipphone-permits.
! NOTE: the relayed-DHCP entries below give the relay agents .121/.122 a
! source port of bootpc (68), while the other two DHCP directions
! (ipphone-permits and server-permits-out) model the relay as sourcing from
! bootps (67).  The two models are inconsistent; if phones fail to obtain
! leases, check the seq-50 drop log for 10.1.101.121 -> 10.1.200.99 udp.
ip access-list extended server-permits-in
remark HTTP Server Permits
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.95 eq www
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.95 eq 443
remark FTP Server Permits
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.96 eq ftp-data
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.96 eq ftp
remark DNS Server Permits
permit udp 10.1.10.0 0.0.0.255 host 10.1.200.97 eq domain
permit udp 10.1.20.0 0.0.0.255 host 10.1.200.97 eq domain
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.97 eq domain
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.97 eq domain
remark SMTP Server Permits
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.98 eq smtp
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.98 eq smtp
remark -Allow DHCP BOOTP from IPPhone subnets (through ip helper-address)
permit udp host 10.1.101.121 eq bootpc host 10.1.200.99 eq bootps
permit udp host 10.1.101.122 eq bootpc host 10.1.200.99 eq bootps
remark -Allow DNS lookup requests to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq domain
remark -Allow TFTP request from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq tftp
remark -Open (too many) ports for TFTP Acks from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99
remark -Allow Skinny from IPPhones to CCM
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 dscp af31
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 rst dscp default
remark -Allow HTTP management replies from IPPhones to CCM
permit tcp 10.1.101.0 0.0.0.255 eq www host 10.1.200.99 established
remark -Allow ICMPs from IPPhones to CCM
permit icmp 10.1.101.0 0.0.0.255 host 10.1.200.99
remark .
! Traffic allowed OUT of the server VLAN (server-vacl-map seq 40): the
! return direction of server-permits-in plus CCM -> phone flows.
! NOTE: the TCP reply entries (HTTP/HTTPS, FTP, DNS, SMTP) match on the
! server's source port only.  Adding "established" to them -- as already
! done for the phone HTTP replies in ipphone-permits -- would stop a server
! from opening new connections to user hosts from those source ports.
ip access-list extended server-permits-out
remark HTTP Server Permits
permit tcp host 10.1.200.95 eq www 10.1.20.0 0.0.0.255
permit tcp host 10.1.200.95 eq 443 10.1.20.0 0.0.0.255
remark FTP Server Permits
permit tcp host 10.1.200.96 eq ftp-data 10.1.10.0 0.0.0.255
permit tcp host 10.1.200.96 eq ftp 10.1.10.0 0.0.0.255
remark DNS Server Permits
permit udp host 10.1.200.97 eq domain 10.1.10.0 0.0.0.255
permit udp host 10.1.200.97 eq domain 10.1.20.0 0.0.0.255
permit tcp host 10.1.200.97 eq domain 10.1.10.0 0.0.0.255
permit tcp host 10.1.200.97 eq domain 10.1.20.0 0.0.0.255
remark SMTP Server Permits
permit tcp host 10.1.200.98 eq smtp 10.1.10.0 0.0.0.255
permit tcp host 10.1.200.98 eq smtp 10.1.20.0 0.0.0.255
remark -Allow DHCP BOOTP to IPPhone subnets (through ip helper-address)
permit udp host 10.1.200.99 eq bootps host 10.1.101.121 eq bootps
permit udp host 10.1.200.99 eq bootps host 10.1.101.122 eq bootps
remark -Allow DNS lookup replies to IPPhone subnets
permit udp host 10.1.200.99 eq domain 10.1.101.0 0.0.0.255 gt 32767
remark -Open (too many) ports for TFTP transfer from CCM to IPPhones
permit udp host 10.1.200.99 10.1.101.0 0.0.0.255 gt 32767
remark -Allow Skinny from CCM to IPPhones
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 dscp af31
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 rst dscp default
remark -Allow HTTP management of IPPhones from CCM
permit tcp host 10.1.200.99 10.1.101.0 0.0.0.255 eq www
remark -Allow ICMPs from CCM to IPPhones
permit icmp host 10.1.200.99 10.1.101.0 0.0.0.255
remark .
! Syslog: informational and above to 10.1.6.89 (facility local0); the
! history table keeps notifications for SNMP traps.  No "logging
! source-interface" is set, so the source address follows the egress SVI.
logging history notifications
logging trap informational
logging facility local0
logging 10.1.6.89
! Standard ACLs.  Each is removed first so a paste replaces rather than
! appends to an existing list.
!  1: admin sources for vty/HTTP (two hosts; every hit, including denies,
!     is logged)
!  2: the NTP server allowed to peer with this switch
!  3: NTP clients allowed to query this switch (the 3550)
!  4: deny-all, bound to the parked vty lines
no access-list 1
access-list 1 remark Permit access from ADMINISTRATION addresses
access-list 1 permit 10.1.6.1 log
access-list 1 permit 10.1.6.2 log
access-list 1 deny any log
no access-list 2
access-list 2 remark Permit access from Master NTP Server addresses
access-list 2 permit 10.1.200.94
access-list 2 deny any log
no access-list 3
access-list 3 remark Permit access from Client NTP Server addresses
access-list 3 permit 10.1.6.141
access-list 3 deny any log
no access-list 4
access-list 4 remark Deny access from any address
access-list 4 deny any log
! CDP off globally (in addition to per-port "no cdp enable").
no cdp run
! NOTE: the TACACS+ key is the only secret in this example that was not
! replaced by a <key> placeholder; in a live config "service
! password-encryption" would show it type-7 encoded.  Treat it as a
! placeholder and do not reuse it.
tacacs-server host 10.1.6.88 key lablablab
tacacs-server directed-request
! Banners.  The exec banner uses IOS's $(hostname)/$(domain)/$(line-desc)/
! $(line) tokens.  Everything between the "#" delimiters is banner text, so
! no "!" comment may be placed inside a banner.
banner exec #
Connected to $(hostname).$(domain) on $(line-desc) $(line).
Use of this system constitutes your consent to monitoring.
#
banner login #
Session established with AUTHENTICATION Servers.
Provide the following tokens for User Access Verification
#
banner motd #
NOTICE TO USERS
=============================================================================
This is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be subject to one or more of the following actions: interception, monitoring, recording, auditing, inspection and disclosing to security personnel and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By accessing this system you indicate your awareness of and consent to these terms and conditions of use. Discontinue access immediately if you do not agree to the conditions stated in this notice.
=============================================================================
Contacting AUTHENTICATION Servers...#
banner prompt-timeout #
Session timed-out with AUTHENTICATION Servers. Goodbye!#
! Console: 9-minute idle timeout, starts at privilege 0, logs in with the
! aaa-fallback list (TACACS+, then the enable secret) and authorizes commands
! with aaa-config (if-authenticated when TACACS+ is down), so the console
! stays usable without the AAA server.  The line password is not consulted
! while "aaa new-model" login lists are in effect; it is a placeholder here.
! Only SSH may be started outbound from the console.
line con 0
exec-timeout 9 0
privilege level 0
password <password>
authorization commands 15 aaa-config
logging synchronous
login authentication aaa-fallback
length 50
notify
transport preferred none
transport output ssh
! Management vtys: only the two admin hosts in ACL 1 may connect (every
! attempt logged), SSH is the only inbound transport, no outbound sessions
! can be opened from the switch, 9-minute idle timeout, privilege 0 until
! TACACS+ exec authorization raises it.
line vty 0 4
access-class 1 in
exec-timeout 9 0
privilege level 0
password <password>
transport input ssh
transport output none
! Remaining vtys are parked: deny-all ACL 4 (logged), no exec, no inbound or
! outbound transport, 10-second timeout -- so no vty line is left
! unconfigured.
line vty 5 15
access-class 4 in
exec-timeout 0 10
privilege level 0
password <password>
no exec
transport input none
transport output none
scheduler allocate 4000 400
! NTP: authentication required; key 123 is trusted and used toward
! 10.1.200.94.  Key 124 is defined but neither trusted nor referenced in this
! excerpt.  Access groups: only 10.1.200.94 may peer (ACL 2) and only
! 10.1.6.141, the 3550, may query (ACL 3).  "ntp master 2" lets the switch
! keep serving time as a stratum-2 source if the upstream server is lost
! -- confirm that is intended rather than going unsynchronised.
ntp authentication-key 123 md5 <key>
ntp authentication-key 124 md5 <key>
ntp authenticate
ntp trusted-key 123
ntp access-group peer 2
ntp access-group serve-only 3
ntp master 2
ntp server 10.1.200.94 key 123 prefer
end
15.2 Cisco Catalyst 3550
!=======================================================================
! 3550 - Access Layer
!=======================================================================
! Global settings for the access-layer 3550 (hostname Cat141), mirroring the
! 6500 where the platform allows.
version 12.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cat141
!
logging buffered 64000 notifications
! AAA: TACACS+ (aaa-admin-servers) for administrators and RADIUS
! (aaa-host-servers) for 802.1X host authentication -- both on 10.1.6.88.
aaa new-model
aaa group server tacacs+ aaa-admin-servers
server 10.1.6.88
!
aaa group server radius aaa-host-servers
server 10.1.6.88 auth-port 1812 acct-port 1813
!
! "^C" renders the 0x03 delimiter; use a printable delimiter when retyping.
aaa authentication banner ^CAccessing AAA-Servers^C
aaa authentication fail-message ^CAAA Authentication FAILED.^C
aaa authentication login default group aaa-admin-servers
aaa authentication login aaa-fallback group aaa-admin-servers enable
aaa authentication dot1x default group aaa-host-servers
aaa authorization exec default group aaa-admin-servers
aaa authorization commands 15 default group aaa-admin-servers
aaa authorization commands 15 aaa-config group aaa-admin-servers if-authenticated
aaa authorization network default if-authenticated
aaa authorization configuration default group aaa-admin-servers
aaa accounting suppress null-username
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 1440
aaa accounting exec default start-stop group aaa-admin-servers
aaa accounting commands 15 default start-stop group aaa-admin-servers
aaa accounting network default start-stop group aaa-admin-servers
aaa accounting connection default start-stop group aaa-admin-servers
aaa accounting system default start-stop group aaa-admin-servers
enable secret <password>
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip dhcp relay information option
!
ip tcp synwait-time 10
! No DNS resolution from the switch (no name-server is configured either).
no ip domain-lookup
ip domain-name test.lab
ip flow-cache feature-accelerate
! SSH: 3 authentication attempts here versus 2 on the 6500 -- harmless, but
! the two templates differ.
ip ssh time-out 10
ip ssh authentication-retries 3
vtp domain test.lab
vtp mode transparent
mls qos
!
!
! Per-VLAN STP with loop guard and PortFast/BPDU-guard defaults as on the
! 6500.  STP is disabled only for VLAN 1 and the bit-bucket VLANs, all of
! which are shut down and carried on no trunk.
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
no spanning-tree vlan 1
no spanning-tree vlan 995
no spanning-tree vlan 998
no spanning-tree vlan 999
!
!
! MAC whitelist applied inbound on every access port ("mac access-group").
! The six entries apparently correspond to the four phones and the two hosts
! in the port descriptions below.  Because the same list is bound to every
! port, it bounds which MACs may appear on the switch, not which one sits on
! which port; the per-port binding comes from port security (max 1-3 per
! port) and from 802.1X.
mac access-list extended mac-device-list
permit host 0000.0101.0011 any
permit host 0000.0101.0012 any
permit host 0000.0101.0013 any
permit host 0000.0101.0014 any
permit host 0000.0010.0003 any
permit host 0000.0020.0005 any
!
!
!
! Local VLAN definitions.  VLAN 5 has no name and is used by no port or SVI
! in this excerpt -- presumably stale.  995/998 are the native VLANs of the
! two uplinks, 999 parks unused ports and is the 802.1X guest VLAN.
vlan 5
!
vlan 6
name ADMINISTRATION-VLAN
!
vlan 10
name NET10-VLAN
!
vlan 20
name NET20-VLAN
!
vlan 101
name IP-PHONE-SUBNET
!
vlan 995
name **BIT-BUCKET-trunk-with-Cat122**
!
vlan 998
name **BIT-BUCKET-trunk-with-Cat121**
!
vlan 999
name ***BIT-BUCKET-for-unused-ports**
!
!
! Null0: no ICMP unreachables for black-holed traffic.
interface Null0
no ip unreachables
!
! Single user host (10.1.10.3) in VLAN 10.  Edge hardening: no trunking/DTP,
! unknown-unicast and multicast flooding blocked toward the host, port
! security (default max 1) with 10-minute inactivity aging, IP and MAC
! whitelists inbound, 802.1X required (the guest VLAN 999 is shut down and
! on no trunk, so an unauthenticated host reaches nothing), incoming CoS
! overridden so the host cannot mark its own traffic, CDP off, PortFast +
! BPDU guard + root guard.
! NOTE: "dot1x host-mode multi-host" authenticates the first host and then
! admits any further MAC on the port.  For a single-host port the default
! single-host mode is tighter; multi-host is what the phone+PC port (Fa0/5)
! would need, yet that port does not set it -- the two look swapped; verify.
interface FastEthernet0/1
description Host 10.1.10.3
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
mls qos cos override
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Phone-only ports (x1011-x1013).  The access VLAN is the bit-bucket 999 and
! the voice VLAN is 101, so the phone can only use the voice VLAN; port
! security allows 2 MACs (the phone appears on both VLANs).  DSCP is trusted
! only when a Cisco phone is detected ("trust device cisco-phone"), which
! relies on CDP -- hence CDP stays enabled on these ports, unlike Fa0/1.
! 802.1X is required with the same guest VLAN / multi-host settings as Fa0/1.
interface FastEthernet0/2
description IP PHONE x1011
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
mls qos trust device cisco-phone
mls qos trust dscp
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/3
description IP PHONE x1012
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
mls qos trust device cisco-phone
mls qos trust dscp
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/4
description IP PHONE x1013
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
mls qos trust device cisco-phone
mls qos trust dscp
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Phone (x1014) with a PC behind it (10.1.20.5): access VLAN 20 for the host,
! voice VLAN 101 for the phone, port security raised to 3 MACs.  Unlike the
! other 802.1X ports this one enables periodic reauthentication and does not
! set "dot1x host-mode multi-host" -- see the note on Fa0/1; confirm which
! host mode the phone+PC arrangement is meant to use on this release.
interface FastEthernet0/5
description IP PHONE x1014 & HOST 10.1.20.5
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
mls qos trust device cisco-phone
mls qos trust dscp
dot1x port-control auto
dot1x guest-vlan 999
dot1x reauthentication
mac access-group mac-device-list in
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! Unused-port template for the 3550: shut down, parked in VLAN 999, no
! trunking, flooding blocked, port security, IP/MAC whitelists, all storms
! suppressed, 802.1X force-unauthorized (the guest VLAN line is inert in that
! state), CDP off, PortFast + BPDU guard + root guard.
interface FastEthernet0/6
description *** UNUSED Port ***
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
shutdown
mls qos cos override
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/23
! Uplink to Cat122. Native VLAN 995 is a dedicated shut-down bit-bucket VLAN, so
! untagged frames arriving on the trunk go nowhere; only the production VLANs
! are carried.
description TRUNK to Cat122
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 995
switchport trunk allowed vlan 6,10,20,101
switchport mode trunk
! Trunk is hard-coded and DTP is off, so the far end cannot negotiate anything.
switchport nonegotiate
no ip address
mls qos trust dscp
no cdp enable
! Unlike the access ports, the uplink keeps full STP processing so loop
! protection across the trunk works.
spanning-tree portfast disable
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
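interface FastEthernet0/24
! Uplink to the 6500 (Cat121). Native VLAN 998 is a dedicated shut-down
! bit-bucket VLAN, so untagged frames arriving on the trunk go nowhere; only
! the production VLANs are carried.
description TRUNK to Cat121
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 6,10,20,101
switchport mode trunk
! Trunk is hard-coded and DTP is off, so the far end cannot negotiate anything.
switchport nonegotiate
no ip address
mls qos trust dscp
! CDP disabled to match the other uplink (Fa0/23) and the far end, which runs
! "no cdp run"; an infrastructure trunk has no need to advertise the device.
no cdp enable
! Unlike the access ports, the uplink keeps full STP processing so loop
! protection across the trunk works.
spanning-tree portfast disable
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!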
interface Vlan1
! The default VLAN is kept shut and unaddressed; no port is placed in it.
description *** DEFAULT VLAN - Do NOT Use! ***
no ip address
! Standard SVI hardening used throughout: no ICMP redirects/unreachables, no
! proxy ARP, no route caching.
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan6
! Management address of this access switch: the only SVI with an IP, and the
! only one that leaves NTP enabled (the default gateway 10.1.6.121 is also the
! configured NTP server).
description ADMINISTRATION VLAN
ip address 10.1.6.141 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!
interface Vlan995
! Native VLAN of the Fa0/23 trunk: shut and unaddressed so untagged frames on
! that trunk are black-holed.
description **BIT-BUCKET-trunk-with-Cat122**
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan998
! Native VLAN of the Fa0/24 trunk: shut and unaddressed so untagged frames on
! that trunk are black-holed.
description **BIT-BUCKET-trunk-with-Cat121**
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan999
! Parking VLAN for unused ports and the 802.1X guest VLAN: shut and
! unaddressed, so anything placed here cannot talk to anything.
description **BIT BUCKET for unused ports**
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
! Layer-2 switch: a single default gateway (the 6500's VLAN 6 address) is all
! the routing it needs. The HTTP management server is disabled.
ip default-gateway 10.1.6.121
ip classless
no ip http server
!
! Port ACL applied inbound on every access port ("ip access-group ip-device-list in").
! Only the addresses of the known end devices may source IP traffic, which stops
! a swapped or spoofing host at the port; everything else is logged and dropped.
ip access-list extended ip-device-list
permit ip host 10.1.101.11 any
permit ip host 10.1.101.12 any
permit ip host 10.1.101.13 any
permit ip host 10.1.101.14 any
permit ip host 10.1.10.3 any
permit ip host 10.1.20.5 any
! The explicit TCP/UDP denies only add protocol-specific log lines; "deny ip any
! any" already covers them. "log-input" records the ingress interface and source
! MAC, which is what you want when tracing a rogue device.
deny tcp any range 0 65535 any range 0 65535 log-input
deny udp any range 0 65535 any range 0 65535 log-input
deny ip any any log-input
!
!
! Syslog: warnings+ to the syslog history table, informational+ shipped to the
! collector on the management VLAN (facility local0).
logging history warnings
logging trap informational
logging facility local0
logging 10.1.6.89
! ACL 1: administration hosts allowed to reach the management vty lines.
no access-list 1
access-list 1 remark Permit access from ADMINISTRATION addresses
access-list 1 permit 10.1.6.1 log
access-list 1 permit 10.1.6.2 log
access-list 1 deny any log
! ACL 2: the NTP source this switch accepts time from ("ntp access-group peer 2").
no access-list 2
access-list 2 remark Permit access from NTP Server addresses
access-list 2 permit 10.1.6.121
access-list 2 deny any log
!
! ACL 3: deny-all, bound to the spare vty lines.
no access-list 3
access-list 3 remark Deny access from any address
access-list 3 deny any log
! AAA servers: TACACS+ for device administration, RADIUS for the 802.1X method
! list. The shared secrets are placeholders; a real key must never be left in a
! published configuration.
tacacs-server host 10.1.6.88 key <key>
radius-server host 10.1.6.88 auth-port 1812 acct-port 1813
radius-server key <key>
! Session banners. The exec banner (IOS tokens such as $(hostname)) is only shown
! after successful authentication; the motd and login banners are shown to
! everyone before authentication, so they carry the monitoring/consent notice and
! no device details.
banner exec #
Connected to $(hostname).$(domain) on $(line-desc) $(line).
Use of this system constitutes your consent to monitoring.
#
banner login #
Session established with AUTHENTICATION Servers.
Provide the following tokens for User Access Verification
#
banner motd #
NOTICE TO USERS
================================================== ===========================
This is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be subject to one or more of the following actions: interception, monitoring, recording, auditing, inspection and disclosing to security personnel and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By accessing this system you indicate your awareness of and consent to these terms and conditions of use. Discontinue access immediately if you do not agree to the conditions stated in this notice.
================================================== ===========================
Contacting AUTHENTICATION Servers...#
banner prompt-timeout #
Session timed-out with AUTHENTICATION Servers. Goodbye!#
!
line con 0
! Console: 9-minute idle timeout, lands at privilege 0, TACACS+ authentication
! with the enable secret as fallback (the "aaa-fallback" list), so the console
! still works when the AAA server is unreachable.
exec-timeout 9 0
privilege level 0
password <password>
! Level-15 commands go through the "aaa-config" list, which permits them
! if-authenticated when the server cannot be reached.
authorization commands 15 aaa-config
logging synchronous
login authentication aaa-fallback
length 50
notify
transport preferred none
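line vty 0 4
! Remote management: only the administration hosts in ACL 1 may connect.
access-class 1 in
exec-timeout 9 0
privilege level 0
password <password>
! Accept SSH only (the 6500 in this document does the same); without this line
! Telnet is accepted by default. Needs an SSH-capable image and an RSA key pair
! ("crypto key generate rsa") on the switch.
transport input ssh
transport output none
line vty 5 15
! Spare VTYs: ACL 3 denies every source, "no exec" refuses a shell, and no
! transport is accepted or originated, so they cannot be used at all.
access-class 3 in
exec-timeout 0 10
privilege level 0
password <password>
no exec
transport input none
transport output none
!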
scheduler interval 500
! Authenticated NTP: only key 124 is trusted and only the source in ACL 2 (the
! 6500's management address) may act as peer/server.
ntp authentication-key 124 md5 <key>
ntp authenticate
ntp trusted-key 124
ntp access-group peer 2
ntp server 10.1.6.121 key 124 prefer
end
15.1 Cisco Catalyst 6500 Switch
!================================================= ======================
! 6500 - Distribution/Core Policy Layer
!================================================= ======================
version 12.1
! Baseline service hardening: no PAD, TCP keepalives to reap dead sessions,
! timestamped logs/debugs, type-7 obfuscation of line passwords (the real
! protection is the "enable secret" below), sequence numbers for log correlation.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cat121
!
boot system flash sup-bootflash:c6k222-jk9sv-mz.122-14.SY.bin
! Log SNMP authentication failures; keep notifications+ in a 64 KB local buffer.
logging snmp-authfail
logging buffered 64000 notifications
! AAA: one TACACS+ server group for administrators.
aaa new-model
aaa group server tacacs+ aaa-admin-servers
server 10.1.6.88
!
aaa authentication banner ^CAccessing AAA-Servers^C
aaa authentication fail-message ^CAAA Authentication FAILED.^C
! The default login list has no fallback method, so vty logins are expected to
! fail closed while the TACACS+ server is unreachable; "aaa-fallback" (used on
! the console) falls back to the enable secret.
aaa authentication login default group aaa-admin-servers
aaa authentication login aaa-fallback group aaa-admin-servers enable
aaa authorization exec default group aaa-admin-servers
aaa authorization commands 15 default group aaa-admin-servers
! "aaa-config" permits level-15 commands if-authenticated when the server cannot
! be reached, instead of locking the operator out of configuration.
aaa authorization commands 15 aaa-config group aaa-admin-servers if-authenticated
aaa authorization network default if-authenticated
aaa authorization configuration default group aaa-admin-servers
! Accounting of exec sessions, level-15 commands, network/connection and system
! events, with periodic updates every 1440 minutes (24 h).
aaa accounting suppress null-username
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 1440
aaa accounting exec default start-stop group aaa-admin-servers
aaa accounting commands 15 default start-stop group aaa-admin-servers
aaa accounting network default start-stop group aaa-admin-servers
aaa accounting connection default start-stop group aaa-admin-servers
aaa accounting system default start-stop group aaa-admin-servers
enable secret <password>
!
clock timezone EST -5
clock summer-time EDT recurring
clock calendar-valid
! VTP transparent: this switch never accepts VLAN database changes from the network.
vtp domain test.lab
vtp mode transparent
ip subnet-zero
! Drop source-routed packets and gratuitous ARPs; rate-limit ICMP unreachables.
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip flow-cache feature-accelerate
!
!
ip tcp synwait-time 10
ip domain-name test.lab
ip name-server 10.1.200.97
! DHCP relay inserts option 82 when forwarding client requests to the server.
ip dhcp relay information option
!
no ip bootp server
! SSH: 10 s negotiation timeout, two authentication attempts per connection.
ip ssh time-out 10
ip ssh authentication-retries 2
mpls ldp logging neighbor-changes
mls flow ip destination
mls flow ipx destination
mls qos
!
!
! STP: loop guard everywhere; portfast with BPDU guard/filter is the default
! for access ports (the trunks switch it off explicitly); this box is root
! (priority 24576) for the production VLANs, with tightened timers.
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
! NOTE(review): the ranges below also cover 200, 201 and 996-999, so STP is
! disabled on the server, private and core VLANs even though 200/201/996 are
! carried on the Gi1/1 trunk; confirm that is intended, since a disabled
! instance gives those VLANs no loop protection.
no spanning-tree vlan 1-5,7-9,11-19,21-100,102-1001
spanning-tree vlan 6,10,20,101 priority 24576
spanning-tree vlan 6,10,20,101 forward-time 7
spanning-tree vlan 6,10,20,101 max-age 10
!
! Dual-supervisor redundancy (RPR+) with the running and startup configuration
! kept in sync to the standby.
redundancy
mode rpr-plus
main-cpu
auto-sync running-config
auto-sync standard
!
! Catch-all MAC ACL used by the VACLs below as their final "drop the rest" match.
mac access-list extended mac-any-any
permit any any
!
!
! VACL for the IP-phone VLAN (bound to VLAN 101 by "vlan filter"). Sequences
! are evaluated in order, first match wins: 10 forwards the known phone flows,
! 20 silently drops known noise, 30 drops and logs any other IP, 40/50 drop
! whatever non-IP (MAC/IPX) frames remain.
vlan access-map ipphone-vacl-map 10
match ip address ipphone-permits
action forward
vlan access-map ipphone-vacl-map 20
match ip address ipphone-no-log
action drop
vlan access-map ipphone-vacl-map 30
match ip address ip-any-any
action drop log
vlan access-map ipphone-vacl-map 40
match mac address mac-any-any
action drop
vlan access-map ipphone-vacl-map 50
match ipx address ipx-any-any
action drop
!
! VACL for the server VLAN (bound to VLAN 200). Order matters: 10 forwards the
! permitted server-to-server flows (NTP), 20 then drops and logs everything
! else that stays inside 10.1.200.0/24, 30/40 forward the published inbound and
! outbound service flows, 50 drops and logs all other IP, 60/70 drop remaining
! non-IP frames.
vlan access-map server-vacl-map 10
match ip address intraserver-permits
action forward
vlan access-map server-vacl-map 20
match ip address intraserver-any-any
action drop log
vlan access-map server-vacl-map 30
match ip address server-permits-in
action forward
vlan access-map server-vacl-map 40
match ip address server-permits-out
action forward
vlan access-map server-vacl-map 50
match ip address ip-any-any
action drop log
vlan access-map server-vacl-map 60
match mac address mac-any-any
action drop
vlan access-map server-vacl-map 70
match ipx address ipx-any-any
action drop
!
! VACL for the management VLAN (bound to VLAN 6): only traffic that stays
! within 10.1.6.0/24 is forwarded; other IP is dropped and logged, non-IP dropped.
vlan access-map management-vacl-map 10
match ip address management-permits
action forward
vlan access-map management-vacl-map 20
match ip address ip-any-any
action drop log
vlan access-map management-vacl-map 30
match mac address mac-any-any
action drop
vlan access-map management-vacl-map 40
match ipx address ipx-any-any
action drop
!
! Bind the VACLs. VLANs 10 and 20 (the user subnets) carry no VACL at all, and
! the private-VLAN filter is applied to the primary VLAN 200 only.
! NOTE(review): confirm on this platform/release how a VACL on the primary
! applies to frames entering on the isolated secondary VLAN 201.
vlan filter management-vacl-map vlan-list 6
vlan filter ipphone-vacl-map vlan-list 101
vlan filter server-vacl-map vlan-list 200
!
! VLAN database. 200/201 form a private-VLAN pair: 201 is isolated, so server
! ports associated with it cannot reach each other at layer 2, only the
! promiscuous port(s) and the VLAN 200 SVI. 996 is the routed core link;
! 997-999 are bit-bucket VLANs used as trunk native VLANs / parking for unused ports.
vlan 6
name MANAGEMENT-SUBNET
!
vlan 10
name NET10-SUBNET
!
vlan 20
name NET20-SUBNET
!
vlan 101
name IP-PHONE-SUBNET
!
vlan 200
name SERVERS-PRIVATE-PRIMARY
private-vlan primary
private-vlan association 201
!
vlan 201
name SERVERS-PRIVATE-SECONDARY
private-vlan isolated
!
vlan 996
name CORE-LAYER-SUBNET
!
vlan 997
name ***BIT-BUCKET-for-2nd-Trunk***
!
vlan 998
name ***BIT-BUCKET-for-1st-Trunk***
!
vlan 999
name ***BIT-BUCKET-for-unused-ports**
!
!
interface Loopback0
! Stable /32 identity address for the switch, hardened like every other L3 interface.
ip address 10.0.0.121 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!
interface Null0
! Traffic routed to Null0 is discarded silently instead of generating ICMP unreachables.
no ip unreachables
!
interface GigabitEthernet1/1
! Trunk to the peer 6500 (Cat122), carrying the production, private and core VLANs.
description TRUNK to Cat122
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
! NOTE(review): the native VLAN here is 996, the routed core subnet that is
! also allowed on the trunk, so untagged frames land in a live L3 VLAN. Every
! other trunk in this document uses a shut-down bit-bucket native VLAN; confirm
! this is intended.
switchport trunk native vlan 996
switchport trunk allowed vlan 6,10,20,101,200,201,996
switchport mode trunk
switchport nonegotiate
no cdp enable
! Trunks keep full STP processing: the global portfast bpduguard/bpdufilter
! defaults are switched off here.
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
interface GigabitEthernet1/2
! Unused-port template: shut, parked in bit-bucket VLAN 999, 802.1X forced
! unauthorized, all traffic classes storm-controlled to zero, CDP off.
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
! NOTE(review): interface-level bpdufilter is expected to leave bpduguard on the
! same port with nothing to act on; the pairing recurs on all access ports here.
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/1
! Private-VLAN isolated host port (primary 200 / secondary 201): the server can
! reach the promiscuous port and the VLAN 200 SVI but no other server at layer 2.
! The access/trunk lines are defence in depth; "switchport mode private-vlan host"
! is what actually governs the port.
description SERVER CallManager
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/2
! Private-VLAN isolated host port (200/201); same template as Gi6/1 without DSCP trust.
description SERVER Internal E-Mail (SMTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/3
! Private-VLAN isolated host port (200/201) for the internal DNS server.
description SERVER Internal Domain Name (DNS)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/4
! Private-VLAN isolated host port (200/201) for the internal FTP server.
description SERVER Internal File (FTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/5
! Private-VLAN isolated host port (200/201) for the internal web server.
description SERVER Internal Web (HTTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan host
switchport nonegotiate
switchport private-vlan host-association 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/6
! Private-VLAN promiscuous port: the NTP server is the one host every isolated
! server in 201 may talk to at layer 2 (the intraserver-permits ACL allows only
! NTP between servers).
description SERVER Network Time Source-Primary (NTP)
no ip address
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode private-vlan promiscuous
switchport nonegotiate
switchport private-vlan mapping 200 201
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/7
! Unused-port template: shut, parked in bit-bucket VLAN 999, 802.1X forced
! unauthorized, all traffic classes storm-controlled to zero, CDP off.
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/8
! Unused-port template: shut, parked in bit-bucket VLAN 999, 802.1X forced
! unauthorized, all traffic classes storm-controlled to zero, CDP off.
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/9
! Management-VLAN access port for the syslog collector (presumably the
! 10.1.6.89 logging target). Port security at its default of one secure MAC.
description SERVER Management Logs (SysLog)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/10
! Management-VLAN access port for the AAA server (10.1.6.88 serves both
! TACACS+ and RADIUS in this document).
description SERVER Management Authentication (RADIUS)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
! NOTE(review): this is the only server port allowing 5 secure MACs; presumably
! the host presents several addresses -- confirm and keep the limit as tight as possible.
switchport port-security maximum 5
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/11
! Management-VLAN access port for the SNMPv3 management host.
description HOST Management (SNMPv3)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/12
! Management-VLAN access port for the administrator workstation (SSH/SSL).
description HOST Management (SSL, SSH, etc.)
no ip address
switchport
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/13
! Unused-port template: shut, parked in bit-bucket VLAN 999, 802.1X forced
! unauthorized, all traffic classes storm-controlled to zero, CDP off.
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/14
! Unused-port template: shut, parked in bit-bucket VLAN 999, 802.1X forced
! unauthorized, all traffic classes storm-controlled to zero, CDP off.
description *** UNUSED Port ***
no ip address
shutdown
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport port-security
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet6/15
! Downlink trunk to access switch Cat142. Native VLAN 997 is a shut-down
! bit-bucket VLAN, so untagged frames are black-holed; only production VLANs
! are carried and DTP/CDP are off.
description TRUNK to Cat142
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 997
switchport trunk allowed vlan 6,10,20,101
switchport mode trunk
switchport nonegotiate
no cdp enable
! Trunks keep full STP processing (global portfast defaults switched off).
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
interface GigabitEthernet6/16
! Downlink trunk to access switch Cat141. Native VLAN 998 matches the native
! VLAN configured on Cat141's Fa0/24 end of this link, so neither side can
! inject untagged frames into a live VLAN.
description TRUNK to Cat141
no ip address
mls qos trust dscp
switchport
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 6,10,20,101
switchport mode trunk
switchport nonegotiate
no cdp enable
! Trunks keep full STP processing (global portfast defaults switched off).
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
interface Vlan1
! The default VLAN is kept shut and unaddressed; no port is placed in it.
description *** DEFAULT VLAN - Do NOT Use! ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan6
! Management SVI. NTP is deliberately left enabled here: this is the address
! the access switch syncs from, and ACL 3 (serve-only) restricts who may ask.
description Layer 3 Interface to Management Subnet
ip address 10.1.6.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!
interface Vlan10
! User subnet gateway; NTP is not offered to end hosts.
description Layer 3 Interface to Net10 Subnet
ip address 10.1.10.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
interface Vlan20
! User subnet gateway; NTP is not offered to end hosts.
description Layer 3 Interface to Net20 Subnet
ip address 10.1.20.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
interface Vlan101
! Phone subnet gateway. Broadcasts such as DHCP are relayed to 10.1.200.99
! (CallManager), which the ipphone-permits / server-permits ACLs treat as the
! phones' DHCP, TFTP and Skinny server.
description Layer 3 Interface to IP Phone Subnet
ip address 10.1.101.121 255.255.255.0
ip helper-address 10.1.200.99
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
interface Vlan200
! Server subnet gateway. The secondary VLAN 201 is mapped to this SVI so the
! isolated servers can be routed; NTP stays enabled because the NTP master
! source (10.1.200.94) lives here.
description Layer 3 Interface to Internal Servers
ip address 10.1.200.121 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
private-vlan mapping 201
!
interface Vlan996
! /30 point-to-point core link towards Cat122 (next hop 10.1.250.122 in the default route).
description Layer 3 Interface to Core Subnet
ip address 10.1.250.121 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
ntp disable
!
interface Vlan997
! Native VLAN of the Gi6/15 trunk: shut and unaddressed so untagged frames are black-holed.
description *** BIT BUCKET for 2nd Trunk ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan998
! Native VLAN of the Gi6/16 trunk: shut and unaddressed so untagged frames are black-holed.
description *** BIT BUCKET for 1st Trunk ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
interface Vlan999
! Parking VLAN for unused ports: shut and unaddressed, so nothing placed here can communicate.
description *** BIT BUCKET for unused ports ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
ip classless
! Default route towards the core peer on the /30 in VLAN 996.
ip route 0.0.0.0 0.0.0.0 10.1.250.122
! NOTE(review): the second default route points at the multi-access SVI with no
! next hop; that form depends on the peer answering proxy-ARP for every
! destination, which the hardening used on these SVIs ("no ip proxy-arp") is
! meant to prevent -- confirm it is wanted as a backup, otherwise drop it.
ip route 0.0.0.0 0.0.0.0 Vlan996
! HTTP management is off; should it ever be enabled it is already limited to
! ACL 1 sources and AAA authentication.
no ip http server
ip http access-class 1
ip http authentication aaa
no ip http secure-server
! Matches any server-to-server traffic inside VLAN 200; used by the server VACL
! (sequence 20) to drop and log lateral traffic that sequence 10 did not permit.
ip access-list extended intraserver-any-any
remark Everything with Source AND Destination in VLAN200
permit ip 10.1.200.0 0.0.0.255 10.1.200.0 0.0.0.255
remark .
! The only lateral traffic allowed between servers: NTP to and from the
! internal time source 10.1.200.94 (the promiscuous-port host).
ip access-list extended intraserver-permits
remark Allow NTP to the VLAN200 Servers
permit udp host 10.1.200.94 eq ntp 10.1.200.0 0.0.0.255 eq ntp
remark Allow NTP from the VLAN200 Servers
permit udp 10.1.200.0 0.0.0.255 eq ntp host 10.1.200.94 eq ntp
remark .
! Catch-all IP match used by every VACL as its "drop and log the rest" sequence.
ip access-list extended ip-any-any
remark Everything IP
permit ip any any
remark .
! Known phone-to-phone Skinny noise (TCP 2000 within VLAN 101): dropped by the
! VACL without logging so it does not drown the syslog collector.
ip access-list extended ipphone-no-log
remark Known IPPhone packets to drop without logging
permit tcp 10.1.101.0 0.0.0.255 10.1.101.0 0.0.0.255 eq 2000
remark .
! Whitelist of phone-VLAN traffic (VACL sequence 10 on VLAN 101): DHCP via the
! relay agents 10.1.101.121/.122, DNS/TFTP/Skinny/HTTP/ICMP with CallManager
! (10.1.200.99) and RTP between phones. The author flags the TFTP entries as
! wider than ideal; everything else uses "gt 32767" ephemeral-port matches.
ip access-list extended ipphone-permits
remark -Allow DHCP BOOTP from IPPhones
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
remark -Allow DHCP BOOTP to IPPhone subnets (through ip helper-address)
permit udp host 10.1.101.121 eq bootps host 255.255.255.255 eq bootpc
permit udp host 10.1.101.122 eq bootps host 255.255.255.255 eq bootpc
remark -Allow DNS lookup requests from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq domain
remark -Allow DNS lookup replies from CCM to IPPhones
permit udp host 10.1.200.99 eq domain 10.1.101.0 0.0.0.255 gt 32767
remark -Allow TFTP request from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq tftp
remark -Open (too many) ports for TFTP transfer from CCM to IPPhones
permit udp host 10.1.200.99 10.1.101.0 0.0.0.255 gt 32767
remark -Open (too many) ports for TFTP Acks from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99
remark -Allow Skinny from IPPhones to CCM
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 dscp af31
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 rst dscp default
remark -Allow Skinny from CCM to IPPhones
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 dscp af31
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 rst dscp default
remark -Allow RTP Voice between IPPhones
permit udp 10.1.101.0 0.0.0.255 range 16384 32767 10.1.101.0 0.0.0.255 range 16384 32767 dscp ef
remark -Allow HTTP management of IPPhones from CCM
permit tcp host 10.1.200.99 10.1.101.0 0.0.0.255 eq www
remark -Allow HTTP management replies from IPPhones to CCM
! "established" keeps this to the reply direction of CCM-initiated sessions.
permit tcp 10.1.101.0 0.0.0.255 eq www host 10.1.200.99 established
remark -Allow ICMPs to IPPhones from CCM
permit icmp host 10.1.200.99 10.1.101.0 0.0.0.255
remark -Allow ICMPs from IPPhones to CCM
permit icmp 10.1.101.0 0.0.0.255 host 10.1.200.99
remark .
! Management VACL whitelist: only traffic that stays inside 10.1.6.0/24.
ip access-list extended management-permits
remark Allowable MANAGEMENT Subnet Permits
permit ip 10.1.6.0 0.0.0.255 10.1.6.0 0.0.0.255
remark .
! Traffic allowed INTO the server VLAN (VACL sequence 30): the user subnets to
! the published web/FTP/DNS/SMTP services, and the phone-side flows towards
! CallManager (10.1.200.99).
ip access-list extended server-permits-in
remark HTTP Server Permits
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.95 eq www
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.95 eq 443
remark FTP Server Permits
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.96 eq ftp-data
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.96 eq ftp
remark DNS Server Permits
permit udp 10.1.10.0 0.0.0.255 host 10.1.200.97 eq domain
permit udp 10.1.20.0 0.0.0.255 host 10.1.200.97 eq domain
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.97 eq domain
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.97 eq domain
remark SMTP Server Permits
permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.98 eq smtp
permit tcp 10.1.20.0 0.0.0.255 host 10.1.200.98 eq smtp
remark -Allow DHCP BOOTP from IPPhone subnets (through ip helper-address)
! NOTE(review): the relay-to-server direction matches source port bootpc (68),
! whereas the reverse entries in server-permits-out expect the relay on bootps
! (67) and RFC 1542 relay agents normally source from 67 -- verify against a
! capture that relayed DHCP actually hits this entry.
permit udp host 10.1.101.121 eq bootpc host 10.1.200.99 eq bootps
permit udp host 10.1.101.122 eq bootpc host 10.1.200.99 eq bootps
remark -Allow DNS lookup requests to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq domain
remark -Allow TFTP request from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 eq tftp
remark -Open (too many) ports for TFTP Acks from IPPhones to CCM
permit udp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99
remark -Allow Skinny from IPPhones to CCM
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 dscp af31
permit tcp 10.1.101.0 0.0.0.255 gt 32767 host 10.1.200.99 range 2000 2002 rst dscp default
remark -Allow HTTP management replies from IPPhones to CCM
permit tcp 10.1.101.0 0.0.0.255 eq www host 10.1.200.99 established
remark -Allow ICMPs from IPPhones to CCM
permit icmp 10.1.101.0 0.0.0.255 host 10.1.200.99
remark .
! Traffic allowed OUT of the server VLAN (VACL sequence 40): the mirror image of
! server-permits-in -- service replies to the user subnets and CallManager's
! flows towards the phones and the DHCP relay agents.
ip access-list extended server-permits-out
remark HTTP Server Permits
permit tcp host 10.1.200.95 eq www 10.1.20.0 0.0.0.255
permit tcp host 10.1.200.95 eq 443 10.1.20.0 0.0.0.255
remark FTP Server Permits
permit tcp host 10.1.200.96 eq ftp-data 10.1.10.0 0.0.0.255
permit tcp host 10.1.200.96 eq ftp 10.1.10.0 0.0.0.255
remark DNS Server Permits
permit udp host 10.1.200.97 eq domain 10.1.10.0 0.0.0.255
permit udp host 10.1.200.97 eq domain 10.1.20.0 0.0.0.255
permit tcp host 10.1.200.97 eq domain 10.1.10.0 0.0.0.255
permit tcp host 10.1.200.97 eq domain 10.1.20.0 0.0.0.255
remark SMTP Server Permits
permit tcp host 10.1.200.98 eq smtp 10.1.10.0 0.0.0.255
permit tcp host 10.1.200.98 eq smtp 10.1.20.0 0.0.0.255
remark -Allow DHCP BOOTP to IPPhone subnets (through ip helper-address)
permit udp host 10.1.200.99 eq bootps host 10.1.101.121 eq bootps
permit udp host 10.1.200.99 eq bootps host 10.1.101.122 eq bootps
remark -Allow DNS lookup replies to IPPhone subnets
permit udp host 10.1.200.99 eq domain 10.1.101.0 0.0.0.255 gt 32767
remark -Open (too many) ports for TFTP transfer from CCM to IPPhones
permit udp host 10.1.200.99 10.1.101.0 0.0.0.255 gt 32767
remark -Allow Skinny from CCM to IPPhones
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 dscp af31
permit tcp host 10.1.200.99 range 2000 2002 10.1.101.0 0.0.0.255 gt 32767 rst dscp default
remark -Allow HTTP management of IPPhones from CCM
permit tcp host 10.1.200.99 10.1.101.0 0.0.0.255 eq www
remark -Allow ICMPs from CCM to IPPhones
permit icmp host 10.1.200.99 10.1.101.0 0.0.0.255
remark .
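! Syslog: notifications+ to the syslog history table, informational+ shipped to
! the collector on the management VLAN (facility local0).
logging history notifications
logging trap informational
logging facility local0
logging 10.1.6.89
! ACL 1: sources allowed to open management sessions (vty access-class and
! "ip http access-class").
no access-list 1
access-list 1 remark Permit access from ADMINISTRATION addresses
access-list 1 permit 10.1.6.1 log
access-list 1 permit 10.1.6.2 log
access-list 1 deny any log
! ACL 2: the only NTP source this box will sync from ("ntp access-group peer 2").
no access-list 2
access-list 2 remark Permit access from Master NTP Server addresses
access-list 2 permit 10.1.200.94
access-list 2 deny any log
! ACL 3: NTP clients this box will serve ("ntp access-group serve-only 3").
no access-list 3
access-list 3 remark Permit access from Client NTP Server addresses
access-list 3 permit 10.1.6.141
access-list 3 deny any log
! ACL 4: deny-all, bound to the spare vty lines.
no access-list 4
access-list 4 remark Deny access from any address
access-list 4 deny any log
no cdp run
! The TACACS+ shared secret protects every authentication and accounting
! exchange with 10.1.6.88. The original example left a real-looking value here
! in clear text; it is replaced with the <key> placeholder used everywhere else
! in this document. Rotate any key that has ever been published.
tacacs-server host 10.1.6.88 key <key>
tacacs-server directed-request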
! Session banners. The exec banner (IOS tokens such as $(hostname)) is only shown
! after successful authentication; the motd and login banners are shown to
! everyone before authentication, so they carry the monitoring/consent notice and
! no device details.
banner exec #
Connected to $(hostname).$(domain) on $(line-desc) $(line).
Use of this system constitutes your consent to monitoring.
#
banner login #
Session established with AUTHENTICATION Servers.
Provide the following tokens for User Access Verification
#
banner motd #
NOTICE TO USERS
================================================== ===========================
This is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be subject to one or more of the following actions: interception, monitoring, recording, auditing, inspection and disclosing to security personnel and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By accessing this system you indicate your awareness of and consent to these terms and conditions of use. Discontinue access immediately if you do not agree to the conditions stated in this notice.
================================================== ===========================
Contacting AUTHENTICATION Servers...#
banner prompt-timeout #
Session timed-out with AUTHENTICATION Servers. Goodbye!#
line con 0
! Console: 9-minute idle timeout, lands at privilege 0, TACACS+ authentication
! with the enable secret as fallback (the "aaa-fallback" list). Outbound
! connections from the console are limited to SSH.
exec-timeout 9 0
privilege level 0
password <password>
! Level-15 commands go through the "aaa-config" list, which permits them
! if-authenticated when the server cannot be reached.
authorization commands 15 aaa-config
logging synchronous
login authentication aaa-fallback
length 50
notify
transport preferred none
transport output ssh
line vty 0 4
! Remote management: only ACL 1 sources, SSH only (no Telnet), no outbound
! sessions from the switch. Authentication uses the default AAA login list.
access-class 1 in
exec-timeout 9 0
privilege level 0
password <password>
transport input ssh
transport output none
line vty 5 15
! Spare VTYs: ACL 4 denies every source, "no exec" refuses a shell, and no
! transport is accepted or originated, so they cannot be used at all.
access-class 4 in
exec-timeout 0 10
privilege level 0
password <password>
no exec
transport input none
transport output none
scheduler allocate 4000 400
! Authenticated NTP. This box syncs from the internal master 10.1.200.94 with
! key 123 (ACL 2 limits who may peer) and serves time to the ACL 3 clients
! only; "ntp master 2" keeps it authoritative if the upstream source is lost.
! NOTE(review): key 124 is defined but not trusted; the access switch in this
! document syncs from this box with key 124 -- confirm that responses are
! authenticated as intended on this release.
ntp authentication-key 123 md5 <key>
ntp authentication-key 124 md5 <key>
ntp authenticate
ntp trusted-key 123
ntp access-group peer 2
ntp access-group serve-only 3
ntp master 2
ntp server 10.1.200.94 key 123 prefer
end
15.2 Cisco Catalyst 3550
!================================================= ======================
! 3550 - Access Layer
!================================================= ======================
version 12.1
! Baseline service hardening: no PAD, TCP keepalives, timestamped logs, type-7
! obfuscation of line passwords (the real protection is "enable secret"),
! sequence numbers for log correlation.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cat141
!
logging buffered 64000 notifications
! AAA: TACACS+ group for administrator access, RADIUS group for 802.1X
! (both on the same server, 10.1.6.88).
aaa new-model
aaa group server tacacs+ aaa-admin-servers
server 10.1.6.88
!
aaa group server radius aaa-host-servers
server 10.1.6.88 auth-port 1812 acct-port 1813
!
aaa authentication banner ^CAccessing AAA-Servers^C
aaa authentication fail-message ^CAAA Authentication FAILED.^C
! Default login list has no fallback method (vty logins are expected to fail
! closed when TACACS+ is unreachable); "aaa-fallback" adds the enable secret
! for the console.
aaa authentication login default group aaa-admin-servers
aaa authentication login aaa-fallback group aaa-admin-servers enable
! 802.1X supplicants on the access ports are authenticated against RADIUS.
aaa authentication dot1x default group aaa-host-servers
aaa authorization exec default group aaa-admin-servers
aaa authorization commands 15 default group aaa-admin-servers
! "aaa-config" permits level-15 commands if-authenticated when the server
! cannot be reached.
aaa authorization commands 15 aaa-config group aaa-admin-servers if-authenticated
aaa authorization network default if-authenticated
aaa authorization configuration default group aaa-admin-servers
! Accounting of exec sessions, level-15 commands, network/connection and system
! events, with periodic updates every 1440 minutes (24 h).
aaa accounting suppress null-username
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 1440
aaa accounting exec default start-stop group aaa-admin-servers
aaa accounting commands 15 default start-stop group aaa-admin-servers
aaa accounting network default start-stop group aaa-admin-servers
aaa accounting connection default start-stop group aaa-admin-servers
aaa accounting system default start-stop group aaa-admin-servers
enable secret <password>
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
! Drop source-routed packets and gratuitous ARPs; rate-limit ICMP unreachables.
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip dhcp relay information option
!
ip tcp synwait-time 10
! No DNS lookups from the switch itself (also stops mistyped commands from
! hanging on a name resolution).
no ip domain-lookup
ip domain-name test.lab
ip flow-cache feature-accelerate
! SSH: 10 s negotiation timeout. NOTE(review): three authentication attempts
! here versus two on the 6500 -- align the two devices.
ip ssh time-out 10
ip ssh authentication-retries 3
! VTP transparent: VLAN database changes are never accepted from the network.
vtp domain test.lab
vtp mode transparent
mls qos
!
!
! STP: per-VLAN spanning tree with loop guard; portfast + BPDU guard/filter is
! the default for access ports (the trunks switch it off explicitly). STP is
! only disabled on the default VLAN and the bit-bucket VLANs, which carry no
! real traffic.
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
no spanning-tree vlan 1
no spanning-tree vlan 995
no spanning-tree vlan 998
no spanning-tree vlan 999
!
! MAC port ACL applied inbound on every access port ("mac access-group
! mac-device-list in"): one entry per known end device (apparently four phones
! and the two hosts), implicit deny for every other source MAC. Pairs with
! ip-device-list, which pins the same devices by IP address.
! NOTE(review): confirm on this platform which frame types a MAC port ACL
! filters (IP traffic may be covered by the IP ACL only).
mac access-list extended mac-device-list
permit host 0000.0101.0011 any
permit host 0000.0101.0012 any
permit host 0000.0101.0013 any
permit host 0000.0101.0014 any
permit host 0000.0010.0003 any
permit host 0000.0020.0005 any
!
!
! VLAN database. 995/998 are the bit-bucket native VLANs of the two uplinks,
! 999 parks unused ports and receives failed 802.1X hosts.
! NOTE(review): VLAN 5 is defined without a name and is not referenced by any
! port or trunk allowed-list shown here; remove it if it is unused.
vlan 5
!
vlan 6
name ADMINISTRATION-VLAN
!
vlan 10
name NET10-VLAN
!
vlan 20
name NET20-VLAN
!
vlan 101
name IP-PHONE-SUBNET
!
vlan 995
name **BIT-BUCKET-trunk-with-Cat122**
!
vlan 998
name **BIT-BUCKET-trunk-with-Cat121**
!
vlan 999
name ***BIT-BUCKET-for-unused-ports**
!
!
! Do not generate ICMP unreachables for traffic black-holed via Null0.
interface Null0
no ip unreachables
!
! --- Data-only host port: static access, 802.1X, port security, IP and MAC port ACLs ---
interface FastEthernet0/1
description Host 10.1.10.3
switchport access vlan 10
! Trunk parameters are set defensively although the port is a static access port: native VLAN
! = access VLAN and an empty allowed list mean nothing would be carried if the port ever became
! a trunk, and "nonegotiate" switches DTP off.
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
! Do not flood unknown unicast/multicast out of this port.
switchport block multicast
switchport block unicast
! Port security with the default limit of one MAC and the default violation action (shutdown);
! the learned address ages out after 10 minutes of inactivity.
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
! Port ACL; the list is defined further down ("ip access-list extended ip-device-list").
ip access-group ip-device-list in
! Rewrite the CoS of incoming frames to the port's default CoS (0, no "mls qos cos" is set).
mls qos cos override
! 802.1X: unauthenticated clients land in guest VLAN 999, whose SVI is shut down.
! multi-host mode admits every MAC once one supplicant has authenticated; here the one-MAC
! port-security limit confines that to a single device.
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
no cdp enable
! NOTE(review): per-interface "bpdufilter enable" discards all received BPDUs, so the
! "bpduguard enable" and "guard root" lines below can never trigger. Removing the bpdufilter
! line (the global "portfast bpdufilter default" still applies) lets BPDU guard err-disable
! the port if a switch is ever connected here.
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! --- IP-phone port: data VLAN is the bit bucket (999), voice VLAN 101 ---
interface FastEthernet0/2
description IP PHONE x1011
! A device plugged into the phone's PC port would land in VLAN 999 (SVI shut down).
switchport access vlan 999
! Defensive trunk settings: native = access VLAN, nothing allowed, DTP off.
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
! Maximum of 2 secure MACs -- presumably to let the phone's MAC be learned in both the access
! and the voice VLAN (confirm); default violation action is shutdown.
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
! Port ACL defined further down ("ip access-list extended ip-device-list").
ip access-group ip-device-list in
! Trust DSCP only while CDP has detected a Cisco phone on the port; this is why CDP stays
! enabled here, unlike on the data-only and unused ports.
mls qos trust device cisco-phone
mls qos trust dscp
! 802.1X with guest VLAN 999; multi-host admits all MACs after one authentication, bounded by the
! 2-MAC port-security limit.
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
! NOTE(review): per-interface "bpdufilter enable" discards received BPDUs, so "bpduguard enable"
! and "guard root" on this port never trigger; the same applies to Fa0/1 and Fa0/3-0/6.
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! --- IP-phone port (same template as Fa0/2): data VLAN 999 (bit bucket), voice VLAN 101 ---
interface FastEthernet0/3
description IP PHONE x1012
switchport access vlan 999
! Defensive trunk settings: native = access VLAN, nothing allowed, DTP off.
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
! Up to 2 secure MACs (phone in access and voice VLAN, presumably -- confirm); violation = shutdown.
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
! DSCP is trusted only while CDP sees a Cisco phone, hence CDP is left on.
mls qos trust device cisco-phone
mls qos trust dscp
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
! NOTE(review): per-interface "bpdufilter enable" makes the bpduguard/guard-root lines inert.
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! --- IP-phone port (same template as Fa0/2): data VLAN 999 (bit bucket), voice VLAN 101 ---
interface FastEthernet0/4
description IP PHONE x1013
switchport access vlan 999
! Defensive trunk settings: native = access VLAN, nothing allowed, DTP off.
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
! Up to 2 secure MACs (phone in access and voice VLAN, presumably -- confirm); violation = shutdown.
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
! DSCP is trusted only while CDP sees a Cisco phone, hence CDP is left on.
mls qos trust device cisco-phone
mls qos trust dscp
dot1x port-control auto
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
! NOTE(review): per-interface "bpdufilter enable" makes the bpduguard/guard-root lines inert.
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! --- Phone + PC port: data VLAN 20 behind the phone, voice VLAN 101 ---
interface FastEthernet0/5
description IP PHONE x1014 & HOST 10.1.20.5
switchport access vlan 20
! Defensive trunk settings: native = access VLAN, nothing allowed, DTP off.
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
! Up to 3 secure MACs -- presumably phone (voice and access VLAN) plus the host (confirm);
! violation action is the default shutdown.
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
! DSCP is trusted only while CDP sees a Cisco phone, hence CDP is left on.
mls qos trust device cisco-phone
mls qos trust dscp
! 802.1X with periodic re-authentication. NOTE(review): unlike the other ports this one has no
! "dot1x host-mode" line (so the default single-host mode applies) -- confirm that is intended
! for a port with a phone and a PC behind it.
dot1x port-control auto
dot1x guest-vlan 999
dot1x reauthentication
mac access-group mac-device-list in
! NOTE(review): per-interface "bpdufilter enable" makes the bpduguard/guard-root lines inert.
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! --- Unused-port template: shut down, parked in VLAN 999, 802.1X forced unauthorized ---
interface FastEthernet0/6
description *** UNUSED Port ***
switchport access vlan 999
! Defensive trunk settings: native = access VLAN, nothing allowed, DTP off.
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
! Administratively down; the remaining lines only matter if someone enables the port without
! reapplying a proper template.
shutdown
mls qos cos override
! Suppress all broadcast/multicast/unknown-unicast flooding (threshold 0%).
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
! force-unauthorized: no client can authenticate on this port at all.
dot1x port-control force-unauthorized
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
no cdp enable
! NOTE(review): per-interface "bpdufilter enable" makes the bpduguard/guard-root lines inert.
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
! --- Uplink trunk ---
interface FastEthernet0/23
description TRUNK to Cat122
! If the port ever fell back to access mode it would land in the bit bucket.
switchport access vlan 999
switchport trunk encapsulation dot1q
! Native VLAN 995 is not in the allowed list, so untagged frames on this trunk are dropped
! (mitigates native-VLAN / double-tagging abuse).
switchport trunk native vlan 995
switchport trunk allowed vlan 6,10,20,101
! Unconditional trunk with DTP disabled.
switchport mode trunk
switchport nonegotiate
no ip address
! DSCP from the peer switch is trusted.
mls qos trust dscp
no cdp enable
! A trunk to another switch must exchange BPDUs, so the PortFast/BPDU guard defaults are turned
! off here explicitly.
spanning-tree portfast disable
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
! --- Uplink trunk (same template as Fa0/23) ---
interface FastEthernet0/24
description TRUNK to Cat121
switchport access vlan 999
switchport trunk encapsulation dot1q
! Native VLAN 998 is excluded from the allowed list, so untagged frames are dropped.
switchport trunk native vlan 998
switchport trunk allowed vlan 6,10,20,101
switchport mode trunk
switchport nonegotiate
no ip address
mls qos trust dscp
! NOTE(review): Fa0/23 has "no cdp enable" and this port does not -- confirm whether CDP is
! wanted on this uplink or the line was simply left out.
! BPDUs must flow on an inter-switch trunk, so the PortFast-related defaults are disabled.
spanning-tree portfast disable
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard none
!
! --- Default VLAN SVI: no address, shut down, no NTP on it ---
interface Vlan1
description *** DEFAULT VLAN - Do NOT Use! ***
no ip address
! No ICMP redirects/unreachables and no proxy ARP on this SVI.
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
! Do not accept NTP on this interface.
ntp disable
!
! --- Management SVI: the switch's only IP address ---
interface Vlan6
description ADMINISTRATION VLAN
ip address 10.1.6.141 255.255.255.0
! No ICMP redirects/unreachables and no proxy ARP on the management interface.
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
! NTP is intentionally left enabled here: the NTP server 10.1.6.121 is on this subnet and
! "ntp access-group peer 2" below limits NTP peers to that address.
! NOTE(review): management-plane access is filtered only at the vty lines (access-class 1);
! there is no ACL on the SVI itself -- confirm that is acceptable for this design.
!
! --- Bit-bucket SVI for the Fa0/23 native VLAN: unaddressed, shut down, no NTP ---
interface Vlan995
description **BIT-BUCKET-trunk-with-Cat122**
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
! --- Bit-bucket SVI for the Fa0/24 native VLAN: unaddressed, shut down, no NTP ---
interface Vlan998
description **BIT-BUCKET-trunk-with-Cat121**
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
! --- Bit-bucket / guest-VLAN SVI: shut down, so unused ports and unauthenticated 802.1X clients
! have no layer-3 reachability ---
interface Vlan999
description **BIT BUCKET for unused ports**
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
ntp disable
!
! Gateway for management traffic (this command only takes effect while IP routing is disabled,
! i.e. the box acts as a layer-2 switch with a management SVI).
ip default-gateway 10.1.6.121
ip classless
! Web management off. NOTE(review): no "no ip http secure-server" is present -- confirm whether this
! IOS release has an HTTPS server that also needs disabling.
no ip http server
!
! Port ACL applied inbound on the access ports ("ip access-group ip-device-list in"): only the
! listed source hosts may send. Order matters -- the permits come first, then everything else is
! denied and logged. The explicit TCP/UDP denies (full port ranges) exist so that TCP/UDP hits are
! logged with port detail; the final "deny ip" catches all other protocols. "log-input" records
! the ingress interface and source MAC in the syslog entry.
ip access-list extended ip-device-list
permit ip host 10.1.101.11 any
permit ip host 10.1.101.12 any
permit ip host 10.1.101.13 any
permit ip host 10.1.101.14 any
permit ip host 10.1.10.3 any
permit ip host 10.1.20.5 any
deny tcp any range 0 65535 any range 0 65535 log-input
deny udp any range 0 65535 any range 0 65535 log-input
deny ip any any log-input
!
!
! --- Syslog export ---
! Keep warnings and above in the history table (used for SNMP syslog traps).
logging history warnings
! Send informational and above to the syslog host 10.1.6.89 with facility local0.
logging trap informational
logging facility local0
logging 10.1.6.89
! --- Standard ACLs used by the vty lines and NTP ---
! Each list is cleared before being (re)defined so stale entries cannot survive a re-paste.
! ACL 1: vty 0-4 access-class -- only the two admin hosts; every hit is logged.
no access-list 1
access-list 1 remark Permit access from ADMINISTRATION addresses
access-list 1 permit 10.1.6.1 log
access-list 1 permit 10.1.6.2 log
access-list 1 deny any log
! ACL 2: NTP peer access-group -- only the configured NTP server.
no access-list 2
access-list 2 remark Permit access from NTP Server addresses
access-list 2 permit 10.1.6.121
access-list 2 deny any log
!
! ACL 3: deny-everything list for the vty 5-15 lines.
no access-list 3
access-list 3 remark Deny access from any address
access-list 3 deny any log
! --- AAA servers; <key> is a placeholder. Use distinct shared secrets for TACACS+ and RADIUS. ---
! TACACS+ host used for device administration (AAA group defined outside this section).
tacacs-server host 10.1.6.88 key <key>
! RADIUS on the same host -- presumably the 802.1X authentication server for the access ports;
! no RADIUS server group or "aaa authentication dot1x" list is visible here (confirm).
radius-server host 10.1.6.88 auth-port 1812 acct-port 1813
radius-server key <key>
! --- Banners (delimiter is "#"; $(...) tokens are expanded by IOS) ---
! Shown after a successful login.
banner exec #
Connected to $(hostname).$(domain) on $(line-desc) $(line).
Use of this system constitutes your consent to monitoring.
#
! Shown before the username/password prompt.
banner login #
Session established with AUTHENTICATION Servers.
Provide the following tokens for User Access Verification
#
! Shown on connection, before the login banner: consent-to-monitoring / authorized-use notice.
banner motd #
NOTICE TO USERS
================================================== ===========================
This is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be subject to one or more of the following actions: interception, monitoring, recording, auditing, inspection and disclosing to security personnel and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By accessing this system you indicate your awareness of and consent to these terms and conditions of use. Discontinue access immediately if you do not agree to the conditions stated in this notice.
================================================== ===========================
Contacting AUTHENTICATION Servers...#
! Shown when the login prompt times out.
banner prompt-timeout #
Session timed-out with AUTHENTICATION Servers. Goodbye!#
!
! --- Console ---
line con 0
! Idle timeout 9 minutes; sessions start at privilege 0.
exec-timeout 9 0
privilege level 0
! Placeholder line password; whether it is ever consulted depends on the AAA login method
! list "aaa-fallback", which is defined outside this section.
password <password>
! Command authorization via the "aaa-config" list, which keeps working (if-authenticated) when
! the TACACS+ servers are unreachable -- the console stays usable during an AAA outage.
authorization commands 15 aaa-config
logging synchronous
login authentication aaa-fallback
length 50
notify
! Never auto-open a Telnet session to a mistyped command.
transport preferred none
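! --- Remote management: only the admin hosts in ACL 1, and only over SSH ---
! The SSH server is configured above ("ip ssh ..."), but without "transport input ssh" the
! default vty transport also accepts cleartext Telnet, which would expose the AAA credentials.
line vty 0 4
access-class 1 in
! Idle timeout 9 minutes; sessions start at privilege 0 and are raised by AAA exec authorization.
exec-timeout 9 0
privilege level 0
! Placeholder line password; whether it is consulted depends on the AAA default login list,
! which is defined outside this section.
password <password>
transport input ssh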
! --- Remaining vty lines: effectively disabled ---
line vty 5 15
! ACL 3 denies (and logs) every source.
access-class 3 in
! 10-second idle timeout, and "no exec" means no EXEC shell can be started on these lines.
exec-timeout 0 10
privilege level 0
password <password>
no exec
!
! Guarantee low-priority processes CPU time every 500 ms even under heavy interrupt load.
scheduler interval 500
! --- Authenticated NTP ---
! Key 124 (<key> is a placeholder) must be trusted explicitly; "ntp authenticate" rejects
! unauthenticated time from any source.
ntp authentication-key 124 md5 <key>
ntp authenticate
ntp trusted-key 124
! Only the address in ACL 2 (the NTP server) may exchange time with this switch.
ntp access-group peer 2
ntp server 10.1.6.121 key 124 prefer
end