!
version 16.12
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service pt-vty-logging
service sequence-numbers
no service dhcp
service call-home
no platform punt-keepalive disable-kernel-core
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging count
logging userinfo
logging buffered errors
logging console errors
logging monitor errors
!
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa authentication attempts login 5
aaa authentication login default group radius local
aaa authorization console
aaa accounting exec default start-stop group radius
!
aaa common-criteria policy PassPolicy
 min-length 8
 max-length 20
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 6
 lifetime month 6
!
!
!
!
!
!
aaa session-id common
process cpu threshold type total rising 75 interval 5 falling 20 interval 5
process cpu statistics limit entry-percentage 40 size 300
boot system switch all flash:cat3k_caa-universalk9.16.12.05b.SPA.bin
boot system switch all flash:cat3k_caa-universalk9.16.12.06.SPA.bin
boot system switch all flash:cat3k_caa-universalk9.16.09.05.SPA.bin
clock timezone AST 3 0
switch 1 provision ws-c3850-24t
!
!
!
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
no ip source-route
ip host-routing
ip arp proxy disable
!
!
!
!
!
no ip domain lookup
ip domain name NGPD.com
!
!
!
no ip igmp snooping
login block-for 300 attempts 3 within 30
login on-failure log
login on-success log
!
!
!
!
!
no device-tracking logging theft
!
flow record ARCSIGHT_FLOW_RECORD
 description ARCSIGHT_FLOW_RECORD_ABGOSP6
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow exporter ARCSIGHT_FLOW_EXPORTER
 description ARCSIGHT_FLOW_EXPORTER_ABGOSP6
 destination xxxxx
 source Vlan499
 dscp 10
 ttl 15
 transport udp 9010
 template data timeout 120
 option exporter-stats timeout 120
!
!
flow monitor ARCSIGHT_FLOW_MONITOR
 description ARCSIGHT_FLOW_MONITOR_ABGOSP6
 exporter ARCSIGHT_FLOW_EXPORTER
 record ARCSIGHT_FLOW_RECORD
!
sampler ARCSIGHT_SAMPLER
 description 1%
 mode random 1 out-of 100
!
!
!
license boot level ipbasek9
!
!
diagnostic bootup level minimal
!
spanning-tree mode pvst
no spanning-tree dispute
spanning-tree logging
spanning-tree extend system-id
spanning-tree uplinkfast max-update-rate 0
no spanning-tree vlan 399,499
archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys
 path flash:/backup.cfg
 maximum 2
 write-memory
 time-period 120
memory reserve critical 1000
memory free low-watermark processor 20000
!
redundancy
 mode sso
!
!
!
!
!
transceiver type all
 monitoring
no cdp advertise-v2
no cdp run
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any system-cpp-police-control-low-priority
  description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
  description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
  description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
  description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport access vlan 3
!
interface GigabitEthernet1/0/2
 switchport access vlan 3
!
interface GigabitEthernet1/0/3
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 4
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security shutdown
!
interface GigabitEthernet1/0/4
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 4
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security shutdown
!
interface GigabitEthernet1/0/5
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 4
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security shutdown
!
interface GigabitEthernet1/0/6
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 4
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security shutdown
!
interface GigabitEthernet1/0/7
 switchport access vlan 3
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/8
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/9
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/10
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/11
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/12
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/13
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/14
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/15
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/16
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/17
 switchport access vlan 5
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/18
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/19
 description ***To AB5-MGMT-SW001_DMZ Connectivity***
 switchport mode trunk
!
interface GigabitEthernet1/0/20
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/21
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/22
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/23
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
interface GigabitEthernet1/1/1
 shutdown
!
interface GigabitEthernet1/1/2
 shutdown
!
interface GigabitEthernet1/1/3
 shutdown
!
interface GigabitEthernet1/1/4
 shutdown
!
interface TenGigabitEthernet1/1/1
 shutdown
!
interface TenGigabitEthernet1/1/2
 shutdown
!
interface TenGigabitEthernet1/1/3
 shutdown
!
interface TenGigabitEthernet1/1/4
 shutdown
!
interface Vlan1
 ip address 172.10.0.3 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface Vlan2
 ip address 172.4.0.251 255.255.255.0
!
interface Vlan3
 ip address 172.3.0.250 255.255.255.0
!
interface Vlan4
 ip address 172.2.0.250 255.255.255.0
!
interface Vlan5
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan7
 ip address 172.7.0.100 255.255.255.0
 no ip route-cache
!
interface Vlan8
 ip address 172.8.0.100 255.255.255.0
!
interface Vlan9
 ip address 172.9.0.100 255.255.255.0
!
interface Vlan499
 description ***Integration to DMZ***
 ip address 172.30.4.106 255.255.255.240
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
ip forward-protocol nd
ip tcp selective-ack
ip tcp path-mtu-discovery
no ip http server
no ip http secure-server
ip ssh logging events
ip ssh version 2
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 10 permit tcp any any eq 22
 20 permit tcp any any eq 465
 30 permit tcp any any eq 143
 40 permit tcp any any eq 993
 50 permit tcp any any eq 995
 60 permit tcp any any eq 1914
 70 permit tcp any any eq ftp
 80 permit tcp any any eq ftp-data
 90 permit tcp any any eq smtp
 100 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 10 permit udp any any range 16384 32767
 20 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 10 permit tcp any any range 2300 2400
 20 permit udp any any range 2300 2400
 30 permit tcp any any range 6881 6999
 40 permit tcp any any range 28800 29100
 50 permit tcp any any eq 1214
 60 permit udp any any eq 1214
 70 permit tcp any any eq 3689
 80 permit udp any any eq 3689
 90 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 10 permit tcp any any range 2000 2002
 20 permit tcp any any range 5060 5061
 30 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 10 permit tcp any any eq 443
 20 permit tcp any any eq 1521
 30 permit udp any any eq 1521
 40 permit tcp any any eq 1526
 50 permit udp any any eq 1526
 60 permit tcp any any eq 1575
 70 permit udp any any eq 1575
 80 permit tcp any any eq 1630
 90 permit udp any any eq 1630
 100 permit tcp any any eq 1527
 110 permit tcp any any eq 6200
 120 permit tcp any any eq 3389
 130 permit tcp any any eq 5985
 140 permit tcp any any eq 8080
!
kron occurrence BACKUP-DEC at 9:00 Dec 30 recurring
 policy-list BACKUP-DEC
!
kron occurrence BACKUP-JUNE at 9:00 Jun 30 recurring
 policy-list BACKUP-JUNE
!
kron policy-list BACKUP-DEC
 cli show startup-config | redirect tftp://172.30.200.193/BackupCisco/AB6/DEC/AB6-SCADA-SW001.cfg
!
kron policy-list BACKUP-JUNE
 cli show startup-config | redirect tftp://172.30.200.193/BackupCisco/AB6/JUN/AB6-SCADA-SW001.cfg
!
logging history size 500
logging history errors
logging trap notifications
logging origin-id hostname
logging facility local5
logging source-interface Vlan499
logging host 172.30.200.130 transport udp port 9008
logging host 172.30.200.130 transport udp port 9009
ip access-list standard 10
 10 permit 172.30.200.220
 20 permit 172.30.200.221
 30 permit 172.30.200.203
 40 permit 172.30.200.193
!
!
snmp-server group SEC3 v3 priv notify ReadView-All
snmp-server group SNMPUSER3 v3 priv
snmp-server view ReadView-All iso included
snmp-server view ReadView-All mgmt.4.21 excluded
snmp-server view ReadView-All mgmt.4.22 excluded
snmp-server view ReadView-All snmpUsmMIB excluded
snmp-server view ReadView-All snmpVacmMIB excluded
snmp-server view ReadView-All snmpCommunityMIB excluded
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps cpu threshold
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server host 172.30.200.193 informs version 3 priv SNMPUSER3
snmp-server host 172.30.200.193 version 3 priv SNMPUSER3
!
!
radius server PRPMS-RADIUS-SRV001
 address ipv4 172.30.200.140 auth-port 1645 acct-port 1646
!
radius server PRPMS-RADIUS-BACKUPSRV
 address ipv4 172.30.200.141 auth-port 1812 acct-port 1813
!
!
control-plane
 service-policy input system-cpp-policy
!
line con 0
 session-timeout 5
 exec-timeout 5 0
 media-type rj45 switch 1
 history size 256
 stopbits 1
line aux 0
 exec-timeout 5 0
 no exec
 transport output none
 stopbits 1
line vty 0 4
 session-timeout 5
 access-class 10 in
 exec-timeout 5 0
 length 0
 history size 256
 transport preferred ssh
 transport input ssh
 transport output none
line vty 5 15
 session-timeout 5
 access-class 10 in
 exec-timeout 5 0
 history size 256
 transport preferred ssh
 transport input ssh
 transport output none
!
ntp logging
ntp authenticate
ntp source GigabitEthernet1/0/19
ntp master 1
ntp server 172.30.200.209 source Vlan499
ntp server 172.30.200.219 prefer source GigabitEthernet1/0/19
!
!
!
!
!
!
end