# ProCurve/Aruba access-switch template: MAC-based 802.1X-style port access
# against RADIUS, DHCP snooping with the LACP uplink (Trk1) as the only trusted
# port, and RADIUS-backed management logins. Placeholders in CAPS are filled in
# per site before deployment.
hostname "HOSTNAME"
# Protect against rogue DHCP servers: only ports marked "dhcp-snooping trust"
# (Trk1 below) may source DHCP server replies.
dhcp-snooping
# No Option 82 insertion (no relay-agent info added to client requests).
no dhcp-snooping option 82
# NOTE(review): this disables the check that the DHCP client hardware address
# matches the frame's source MAC, so a host can request leases for other MACs.
# Presumably disabled for hypervisor/relay compatibility -- confirm, otherwise
# re-enable with `dhcp-snooping verify mac`.
no dhcp-snooping verify mac
dhcp-snooping vlan 1-4094
# Uplink: ports 47-48 bundled as Trk1 with LACP.
trunk 47-48 trk1 lacp
# Remote syslog. Syslog is sent in clear text; keep SYSLOGSERVER on the
# management network, as accounting/auth events land here.
logging SYSLOGSERVER
max-vlans 16
# AAA Servers -- the shared RADIUS key is applied to both hosts.
radius-server host RADIUSSERVER1
radius-server host RADIUSSERVER2
radius-server key "RADIUSKEY"
# NTP so that timestamps in messages to AAA/syslog are accurate.
timesync sntp
sntp unicast
sntp server priority 1 NTPSERVER1
sntp server priority 2 NTPSERVER2
time daylight-time-rule western-europe
# HTTP management UI disabled.
no web-management
ip default-gateway GATEWAY
# Specify which interface to trust: DHCP server traffic is only accepted on the
# uplink trunk, never on the access ports 1-46.
interface Trk1
dhcp-snooping trust
exit
# Monitoring
# NOTE(review): SNMPv2c community strings travel in clear text and carry no
# per-user authentication; the "manager unrestricted" community below gives
# full read-write control of the switch to anyone who learns it. Prefer SNMPv3
# (`snmpv3 enable`, authPriv users) or at minimum restrict the RW community to
# the NMS addresses and keep it on the management VLAN only.
snmp-server community "ROCOMMUNITY" operator
snmp-server community "RWCOMMUNITY" manager unrestricted
snmp-server contact "CONTACT" location "LOCATION"
# Configuration for AAA, includes management logins and client login.
# Accounting: interim updates every 10 minutes; commands are accounted
# stop-only, sessions/network/system start-stop, all to RADIUS.
aaa accounting update periodic 10
aaa accounting commands stop-only radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
# Lets the RADIUS reply select the privilege level at login (no separate
# enable step) -- confirm the server actually sends the attribute.
aaa authentication login privilege-mode
# Management logins: RADIUS first, local passwords (set at the bottom) only as
# fallback when RADIUS is unreachable.
aaa authentication console login radius local
aaa authentication console enable radius local
# NOTE(review): telnet authentication is configured here, which suggests the
# telnet server is left enabled; telnet sends RADIUS-backed credentials in
# clear text. If SSH is in use, prefer `no telnet-server` and make sure `ip ssh`
# and an SSH host key exist (neither is visible in this template).
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
# Use MAC based authentication on the access ports.
aaa port-access mac-based 1-46
# Up to 32 authenticated MACs per port (e.g. unmanaged switches/hubs behind a
# port). Higher limits mean more addresses one port can claim; lower if ports
# are single-host.
aaa port-access mac-based 1-46 addr-limit 32
# Re-authenticate a MAC after 600 s of silence.
aaa port-access mac-based 1-46 logoff-period 600
# Specify which VLAN to use if RADIUS is down or sends ACCESS-REJECT. Our
# RADIUS ALWAYS sends ACCESS-ACCEPT and puts unknown clients on the
# "unvalidated" VLAN, so unauth-vid normally only matters when RADIUS is
# unreachable -- and then every port falls back to VLAN 200.
aaa port-access mac-based 1-46 unauth-vid 200
# MAC format sent as the RADIUS username/password (aa:bb:cc:dd:ee:ff).
aaa port-access mac-based addr-format multi-colon
# Allow traffic from the "default" VLAN (200) to flow TO the port while the
# client is unauthenticated (allows WOL). Only ingress is controlled, so the
# unvalidated VLAN is reachable from unauthenticated ports in the egress
# direction -- keep that VLAN free of anything sensitive.
aaa port-access 1-46 controlled-direction in
# Stop the STP slow start and prevent STP TCs on host ports. NOTE(review):
# edge ports still accept BPDUs; consider `spanning-tree 1-46 bpdu-protection`
# if hosts must never become part of the topology.
spanning-tree 1-46 admin-edge-port
# VLAN 1 is removed from all access ports and only rides untagged (native) on
# the trunk. NOTE(review): carrying VLAN 1 untagged on the uplink is the
# classic native-VLAN setup; if the other end does not need it, consider a
# dedicated unused native VLAN.
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged Trk1
no ip address
exit
# Management VLAN: the switch's only IP address lives here, tagged on the
# trunk and not present on any access port.
vlan 10
name "mgmt"
tagged Trk1
ip address IPADDRESS NETMASK
exit
# Authenticated clients (assigned by RADIUS). L2 only, IGMP snooping on.
vlan 100
name "validated"
tagged Trk1
no ip address
ip igmp
exit
vlan 200
name "unvalidated"
# "default" VLAN: this is the VLAN the port sits on when unauthenticated
# (allows WOL) and the unauth-vid fallback above.
untagged 1-48
tagged Trk1
no ip address
ip igmp
exit
# Quarantine VLAN for clients RADIUS chooses to suspend.
vlan 300
name "suspended"
tagged Trk1
no ip address
ip igmp
exit
# Do not execute config scripts from inserted USB media.
no autorun
# Local fallback passwords used when RADIUS is unreachable; the hashes are not
# part of this template and must be set on the device.
password manager
password operator