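hostname "HOSTNAME"
# DHCP snooping on every VLAN: DHCP server replies are only accepted on the
# trusted uplink (Trk1, see "dhcp-snooping trust" below); offers arriving on
# access ports 1-46 are dropped.
dhcp-snooping
# Option 82 insertion is off (relay/server may not expect it).
no dhcp-snooping option 82
# NOTE(review): this disables the check that the DHCP client hardware address
# matches the frame's source MAC, so a host can request leases for spoofed
# MACs. Re-enable ("dhcp-snooping verify mac") unless a relay or virtualisation
# setup genuinely needs it.
no dhcp-snooping verify mac
dhcp-snooping vlan 1-4094
# Uplink: ports 47-48 bundled as LACP trunk Trk1.
trunk 47-48 trk1 lacp
logging SYSLOGSERVER
max-vlans 16
# AAA Servers
radius-server host RADIUSSERVER1
radius-server host RADIUSSERVER2
# One shared secret for both servers; it is stored in the config in clear text,
# so treat this file as sensitive.
radius-server key "RADIUSKEY"
# NTP so that messages to AAA are accurate
timesync sntp
sntp unicast
sntp server priority 1 NTPSERVER1
sntp server priority 2 NTPSERVER2
time daylight-time-rule western-europe
# Management plane: web UI off; telnet off as well, since SSH login/enable is
# configured via RADIUS below and telnet would send those credentials in clear.
# (The "aaa authentication telnet ..." lines further down stay harmless.)
no web-management
no telnet-server
ip default-gateway GATEWAY
# Specify which interface to trust
interface Trk1
dhcp-snooping trust
exit
# Monitoring
# Read-only community at operator level.
snmp-server community "ROCOMMUNITY" operator
# NOTE(review): "manager unrestricted" is a read-WRITE community over
# SNMPv1/v2c, i.e. full configuration access protected only by a string that
# travels unencrypted. Remove it, or replace with SNMPv3 (auth+priv) and
# restrict polling to the management VLAN; at minimum use "restricted".
snmp-server community "RWCOMMUNITY" manager unrestricted
snmp-server contact "CONTACT" location "LOCATION"
# Configuration for AAA, includes management logins and client login
# Interim accounting every 10 minutes; command/exec/network/system records to RADIUS.
aaa accounting update periodic 10
aaa accounting commands stop-only radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
# RADIUS may place a session directly at manager level on login (no separate
# enable step), so the RADIUS policy decides who gets write access.
aaa authentication login privilege-mode
# "radius local": the local passwords (set at the end of this file) are the
# fallback when the RADIUS servers cannot be reached, so keep them strong.
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
# Use MAC based authentication
aaa port-access mac-based 1-46
# Up to 32 authenticated MACs per port; idle sessions are logged off after 600 s.
aaa port-access mac-based 1-46 addr-limit 32
aaa port-access mac-based 1-46 logoff-period 600
# Specify which VLAN to use if RADIUS is down or sends ACCESS-REJECT, our RADIUS ALWAYS sends ACCESS-ACCEPT and puts unknown clients on the unvalidated VLAN.
# NOTE(review): because unknown MACs are accepted and only segregated by VLAN,
# the security of VLAN 200 rests entirely on what is reachable from it.
aaa port-access mac-based 1-46 unauth-vid 200
aaa port-access mac-based addr-format multi-colon
# Allow traffic from "default" VLAN to flow when client is unauthenticated (allows WOL)
# Only the inbound direction is controlled: frames towards the port pass before auth.
aaa port-access 1-46 controlled-direction in
# Stop the slow start and prevent STP TC's
spanning-tree 1-46 admin-edge-port
# VLAN 1 carries nothing on access ports; it is only the untagged VLAN on the uplink.
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged Trk1
no ip address
exit
# Management VLAN: the only VLAN with a switch IP, tagged on the uplink only.
vlan 10
name "mgmt"
tagged Trk1
ip address IPADDRESS NETMASK
exit
vlan 100
name "validated"
tagged Trk1
no ip address
ip igmp
exit
vlan 200
name "unvalidated"
# "default" VLAN, this is the VLAN the port sits on when unauthenticated (allows WOL)
# NOTE(review): 47-48 are Trk1 members; their membership here is presumably
# governed by the "tagged Trk1" line instead - confirm on the target platform.
untagged 1-48
tagged Trk1
no ip address
ip igmp
exit
vlan 300
name "suspended"
tagged Trk1
no ip address
ip igmp
exit
# Do not execute scripts from inserted USB media.
no autorun
# Local fallback credentials (prompted); used when RADIUS is unreachable.
password manager
password operator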