1 | hostname "HOSTNAME" | |
2 | ||
3 | # Protect against rogue DHCP | |
4 | dhcp-snooping | |
5 | no dhcp-snooping option 82 | |
6 | no dhcp-snooping verify mac | |
7 | dhcp-snooping vlan 1-4094 | |
8 | ||
9 | trunk 47-48 trk1 lacp | |
10 | logging SYSLOGSERVER | |
11 | max-vlans 16 | |
12 | ||
13 | # AAA Servers | |
14 | radius-server host RADIUSSERVER1 | |
15 | radius-server host RADIUSSERVER2 | |
16 | radius-server key "RADIUSKEY" | |
17 | ||
18 | # NTP so that messages to AAA are accurate | |
19 | timesync sntp | |
20 | sntp unicast | |
21 | sntp server priority 1 NTPSERVER1 | |
22 | sntp server priority 2 NTPSERVER2 | |
23 | time daylight-time-rule western-europe | |
24 | ||
25 | no web-management | |
26 | ip default-gateway GATEWAY | |
27 | ||
28 | # Specify which interface to trust | |
29 | interface Trk1 | |
30 | dhcp-snooping trust | |
31 | exit | |
32 | ||
33 | # Monitoring | |
34 | snmp-server community "ROCOMMUNITY" operator | |
35 | snmp-server community "RWCOMMUNITY" manager unrestricted | |
36 | snmp-server contact "CONTACT" location "LOCATION" | |
37 | ||
38 | # Configuration for AAA, includes management logins and client login | |
39 | aaa accounting update periodic 10 | |
40 | aaa accounting commands stop-only radius | |
41 | aaa accounting exec start-stop radius | |
42 | aaa accounting network start-stop radius | |
43 | aaa accounting system start-stop radius | |
44 | aaa authentication login privilege-mode | |
45 | aaa authentication console login radius local | |
46 | aaa authentication console enable radius local | |
47 | aaa authentication telnet login radius local | |
48 | aaa authentication telnet enable radius local | |
49 | aaa authentication ssh login radius local | |
50 | aaa authentication ssh enable radius local | |
51 | ||
52 | # Use MAC based authentication | |
53 | aaa port-access mac-based 1-46 | |
54 | aaa port-access mac-based 1-46 addr-limit 32 | |
55 | aaa port-access mac-based 1-46 logoff-period 600 | |
56 | ||
57 | - | # Specify which VLAN to use if RADIUS is down |
57 | + | # Specify which VLAN to use if RADIUS is down or sends ACCESS-REJECT, our RADIUS ALWAYS sends ACCESS-ACCEPT and puts unknown clients on the unvalidated VLAN. |
58 | aaa port-access mac-based 1-46 unauth-vid 200 | |
59 | aaa port-access mac-based addr-format multi-colon | |
60 | ||
61 | # Allow traffic from "default" VLAN to flow when client is unauthenticated (allows WOL) | |
62 | aaa port-access 1-46 controlled-direction in | |
63 | ||
64 | # Stop the slow start and prevent STP TC's | |
65 | spanning-tree 1-46 admin-edge-port | |
66 | ||
67 | vlan 1 | |
68 | name "DEFAULT_VLAN" | |
69 | no untagged 1-48 | |
70 | untagged Trk1 | |
71 | no ip address | |
72 | exit | |
73 | vlan 10 | |
74 | name "mgmt" | |
75 | tagged Trk1 | |
76 | ip address IPADDRESS NETMASK | |
77 | exit | |
78 | vlan 100 | |
79 | name "validated" | |
80 | tagged Trk1 | |
81 | no ip address | |
82 | ip igmp | |
83 | exit | |
84 | vlan 200 | |
85 | name "unvalidated" | |
86 | # "default" VLAN, this is the VLAN the port sits on when unauthenticated (allows WOL) | |
87 | untagged 1-48 | |
88 | tagged Trk1 | |
89 | no ip address | |
90 | ip igmp | |
91 | exit | |
92 | vlan 300 | |
93 | name "suspended" | |
94 | tagged Trk1 | |
95 | no ip address | |
96 | ip igmp | |
97 | exit | |
98 | no autorun | |
99 | password manager | |
100 | password operator |
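Review bot: The rewritten comment at line 57 states a property of the RADIUS server policy ("our RADIUS ALWAYS sends ACCESS-ACCEPT") that nothing in this switch config can enforce, so if that policy ever changes a rejected client still lands on VLAN 200 and the comment reads as though that were intentional. I would keep the switch-side fact and the server-side expectation on separate lines, e.g. `# unauth-vid 200: VLAN used when RADIUS is unreachable or returns ACCESS-REJECT` followed by `# Expectation (server policy, not enforced here): RADIUS accepts unknown clients and assigns the "unvalidated" VLAN 200, so both paths end on the same VLAN`. It is also worth noting once that VLAN 200 is the untagged VLAN on ports 1-48 with `controlled-direction in` (line 62, WOL), so the RADIUS-down fallback, the unknown-client assignment and the pre-authentication state all share one VLAN and a later change to any of them should be checked against the other two.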