- # Edge-switch template (HP ProCurve-style CLI). UPPERCASE tokens such as HOSTNAME,
- # RADIUSSERVER1, RADIUSKEY, NTPSERVER1, GATEWAY and IPADDRESS are placeholders to
- # substitute per site; do not paste the real RADIUS key or SNMP communities anywhere.
- # Command order matters (the trunk must exist before VLANs reference Trk1), so keep it.
- hostname "HOSTNAME"
- # Protect against rogue DHCP
- dhcp-snooping
- no dhcp-snooping option 82
- # NOTE(review): disabling MAC verification weakens snooping (client hardware address is
- # no longer checked against the frame's source MAC) — confirm this is intentional.
- no dhcp-snooping verify mac
- dhcp-snooping vlan 1-4094
- # Uplink LAG: ports 47-48 bundled as Trk1 via LACP; this is the only trusted DHCP path (see interface Trk1 below).
- trunk 47-48 trk1 lacp
- # Ship logs off-box so AAA/port-access events survive a reboot or tampering.
- logging SYSLOGSERVER
- max-vlans 16
- # AAA Servers
- radius-server host RADIUSSERVER1
- radius-server host RADIUSSERVER2
- # Shared secret for both servers; treat as a credential.
- radius-server key "RADIUSKEY"
- # NTP so that messages to AAA are accurate
- timesync sntp
- sntp unicast
- sntp server priority 1 NTPSERVER1
- sntp server priority 2 NTPSERVER2
- # NOTE(review): only the DST rule is set here; confirm the base timezone offset is set
- # elsewhere, otherwise syslog/accounting timestamps will be offset.
- time daylight-time-rule western-europe
- # HTTP(S) management off. Telnet is still authenticated below; NOTE(review): consider
- # SSH-only management so RADIUS/local passwords are not sent in cleartext.
- no web-management
- ip default-gateway GATEWAY
- # Specify which interface to trust
- interface Trk1
- dhcp-snooping trust
- exit
- # Monitoring
- # Read-only community mapped to the operator role.
- snmp-server community "ROCOMMUNITY" operator
- # NOTE(review): "manager unrestricted" is full write access over SNMPv2c (cleartext
- # community); restrict to what the NMS needs, or prefer SNMPv3 if supported.
- snmp-server community "RWCOMMUNITY" manager unrestricted
- snmp-server contact "CONTACT" location "LOCATION"
- # Configuration for AAA, includes management logins and client login
- # Accounting: interim updates every 10 minutes; command, exec, network and system records to RADIUS.
- aaa accounting update periodic 10
- aaa accounting commands stop-only radius
- aaa accounting exec start-stop radius
- aaa accounting network start-stop radius
- aaa accounting system start-stop radius
- aaa authentication login privilege-mode
- # Login and enable on console/telnet/ssh: RADIUS first, local passwords only as fallback
- # (e.g. when both RADIUS servers are unreachable), so the local passwords below must be set.
- aaa authentication console login radius local
- aaa authentication console enable radius local
- aaa authentication telnet login radius local
- aaa authentication telnet enable radius local
- aaa authentication ssh login radius local
- aaa authentication ssh enable radius local
- # Use MAC based authentication
- # Access ports 1-46 only (47-48 are the Trk1 uplink members).
- aaa port-access mac-based 1-46
- # Up to 32 authenticated addresses per port (presumably for hubs/VoIP phone passthrough — confirm).
- aaa port-access mac-based 1-46 addr-limit 32
- # Idle client is logged off after 600 (assumed seconds — confirm against platform docs).
- aaa port-access mac-based 1-46 logoff-period 600
- # Specify which VLAN to use if RADIUS is down or sends ACCESS-REJECT, our RADIUS ALWAYS sends ACCESS-ACCEPT and puts unknown clients on the unvalidated VLAN.
- aaa port-access mac-based 1-46 unauth-vid 200
- # Username format the RADIUS server expects for the MAC (colon-separated octets).
- aaa port-access mac-based addr-format multi-colon
- # Allow traffic from "default" VLAN to flow when client is unauthenticated (allows WOL)
- # Only ingress from the client is blocked before authentication; egress toward it is permitted.
- aaa port-access 1-46 controlled-direction in
- # Stop the slow start and prevent STP TC's
- spanning-tree 1-46 admin-edge-port
- # VLAN 1 is removed from every access port and carried untagged only on the uplink.
- vlan 1
- name "DEFAULT_VLAN"
- no untagged 1-48
- untagged Trk1
- no ip address
- exit
- # Management VLAN; the only VLAN with an IP on this switch.
- vlan 10
- name "mgmt"
- tagged Trk1
- ip address IPADDRESS NETMASK
- exit
- # VLAN assigned by RADIUS to validated clients.
- vlan 100
- name "validated"
- tagged Trk1
- no ip address
- ip igmp
- exit
- vlan 200
- name "unvalidated"
- # "default" VLAN, this is the VLAN the port sits on when unauthenticated (allows WOL)
- # Matches unauth-vid 200 above. "untagged 1-48" also names the trunk member ports 47-48;
- # NOTE(review): on this platform trunk membership is expected to take precedence — verify.
- untagged 1-48
- tagged Trk1
- no ip address
- ip igmp
- exit
- # VLAN RADIUS can assign to quarantined clients.
- vlan 300
- name "suspended"
- tagged Trk1
- no ip address
- ip igmp
- exit
- # Disable automatic execution of commands from removable media.
- no autorun
- # Interactive prompts: set both local passwords, they are the AAA fallback above.
- password manager
- password operator