| 1 | hostname "HOSTNAME" | |
| 2 | ||
| 3 | # Protect against rogue DHCP | |
| 4 | dhcp-snooping | |
| 5 | no dhcp-snooping option 82 | |
| 6 | no dhcp-snooping verify mac | |
| 7 | dhcp-snooping vlan 1-4094 | |
| 8 | ||
| 9 | trunk 47-48 trk1 lacp | |
| 10 | logging SYSLOGSERVER | |
| 11 | max-vlans 16 | |
| 12 | ||
| 13 | # AAA Servers | |
| 14 | radius-server host RADIUSSERVER1 | |
| 15 | radius-server host RADIUSSERVER2 | |
| 16 | radius-server key "RADIUSKEY" | |
| 17 | ||
| 18 | # NTP so that messages to AAA are accurate | |
| 19 | timesync sntp | |
| 20 | sntp unicast | |
| 21 | sntp server priority 1 NTPSERVER1 | |
| 22 | sntp server priority 2 NTPSERVER2 | |
| 23 | time daylight-time-rule western-europe | |
| 24 | ||
| 25 | no web-management | |
| 26 | ip default-gateway GATEWAY | |
| 27 | ||
| 28 | # Specify which interface to trust | |
| 29 | interface Trk1 | |
| 30 | dhcp-snooping trust | |
| 31 | exit | |
| 32 | ||
| 33 | # Monitoring | |
| 34 | snmp-server community "ROCOMMUNITY" operator | |
| 35 | snmp-server community "RWCOMMUNITY" manager unrestricted | |
| 36 | snmp-server contact "CONTACT" location "LOCATION" | |
| 37 | ||
| 38 | # Configuration for AAA, includes management logins and client login | |
| 39 | aaa accounting update periodic 10 | |
| 40 | aaa accounting commands stop-only radius | |
| 41 | aaa accounting exec start-stop radius | |
| 42 | aaa accounting network start-stop radius | |
| 43 | aaa accounting system start-stop radius | |
| 44 | aaa authentication login privilege-mode | |
| 45 | aaa authentication console login radius local | |
| 46 | aaa authentication console enable radius local | |
| 47 | aaa authentication telnet login radius local | |
| 48 | aaa authentication telnet enable radius local | |
| 49 | aaa authentication ssh login radius local | |
| 50 | aaa authentication ssh enable radius local | |
| 51 | ||
| 52 | # Use MAC based authentication | |
| 53 | aaa port-access mac-based 1-46 | |
| 54 | aaa port-access mac-based 1-46 addr-limit 32 | |
| 55 | aaa port-access mac-based 1-46 logoff-period 600 | |
| 56 | ||
| 57 | - | # Specify which VLAN to use if RADIUS is down |
| 57 | + | # Specify which VLAN to use if RADIUS is down or sends ACCESS-REJECT, our RADIUS ALWAYS sends ACCESS-ACCEPT and puts unknown clients on the unvalidated VLAN. |
| 58 | aaa port-access mac-based 1-46 unauth-vid 200 | |
| 59 | aaa port-access mac-based addr-format multi-colon | |
| 60 | ||
| 61 | # Allow traffic from "default" VLAN to flow when client is unauthenticated (allows WOL) | |
| 62 | aaa port-access 1-46 controlled-direction in | |
| 63 | ||
| 64 | # Stop the slow start and prevent STP TC's | |
| 65 | spanning-tree 1-46 admin-edge-port | |
| 66 | ||
| 67 | vlan 1 | |
| 68 | name "DEFAULT_VLAN" | |
| 69 | no untagged 1-48 | |
| 70 | untagged Trk1 | |
| 71 | no ip address | |
| 72 | exit | |
| 73 | vlan 10 | |
| 74 | name "mgmt" | |
| 75 | tagged Trk1 | |
| 76 | ip address IPADDRESS NETMASK | |
| 77 | exit | |
| 78 | vlan 100 | |
| 79 | name "validated" | |
| 80 | tagged Trk1 | |
| 81 | no ip address | |
| 82 | ip igmp | |
| 83 | exit | |
| 84 | vlan 200 | |
| 85 | name "unvalidated" | |
| 86 | # "default" VLAN, this is the VLAN the port sits on when unauthenticated (allows WOL) | |
| 87 | untagged 1-48 | |
| 88 | tagged Trk1 | |
| 89 | no ip address | |
| 90 | ip igmp | |
| 91 | exit | |
| 92 | vlan 300 | |
| 93 | name "suspended" | |
| 94 | tagged Trk1 | |
| 95 | no ip address | |
| 96 | ip igmp | |
| 97 | exit | |
| 98 | no autorun | |
| 99 | password manager | |
| 100 | password operator |
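Review bot: The new comment on line 57 states a guarantee about the RADIUS server ("ALWAYS sends ACCESS-ACCEPT") that nothing in this switch config can enforce, so a reader may take the server-side policy as a property of `unauth-vid 200`, which only governs the unreachable/ACCESS-REJECT case. Separate the switch rule from the server assumption, e.g. `# unauth-vid: VLAN used when RADIUS is unreachable or returns ACCESS-REJECT` followed by `# NOTE: our RADIUS is expected to always ACCESS-ACCEPT and place unknown clients on the unvalidated VLAN; keep that policy in sync with this fallback`. Splitting it into two lines also keeps the comment at the width used elsewhere in the file. Since VLAN 200 is also the untagged VLAN for ports 1-48 (line 87), an ACCESS-ACCEPT that carries no VLAN attribute would presumably leave the client on VLAN 200 as well; that is worth confirming and stating so the fallback and the accept path are known to coincide rather than assumed to.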