07-02-2025 02:29 PM
Hello all,
I'm having a very strange issue with a 3rd-party-purchased 3850 WS-C3850-24XS stack. I am using the Mgmt-vrf to manage the switch, and pings work when you source from that vrf. But pinging without sourcing from the vrf doesn't work, NOR does it try to resolve the hostname; the pings literally never show the "...." and it just hangs there for 30 minutes or more.
We have another one of these stacks in another area with almost identical commands, and it DOES resolve the IP to name, but the ping isn't successful, which is expected since you aren't sourcing the mgmt vrf.
I have the config below for the management vrf, with values redacted for privacy.
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
ip name-server <IP redacted> <IP redacted>
ip name-server vrf Mgmt-vrf <IP redacted> <IP redacted>
ip domain list <domain redacted>
ip domain list vrf Mgmt-vrf <domain redacted>
ip domain lookup source-interface GigabitEthernet0/0
ip domain name <domain redacted>
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 <gateway IP>
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address <IP redacted> <mask redacted>
negotiation auto
When you ping a device name on our network without sourcing the vrf, it shows like this and doesn't show the "...." or anything:
public-c3850#ping <hostname>
It's on the same exact code as the other working stack in the other area and has the exact same config, apart from the DNS and interface IPs.
Version of code: 16.12.12
Any idea what I might be missing here? A colleague and I worked on this all day and couldn't figure it out; we think it might be a bug.
07-02-2025 02:40 PM
You need to use
Ping vrf Mgmt-vrf <name server>
See if the ping is successful.
MHM
07-03-2025 11:09 AM
That is successful. However, we have another switch in the org with the same code, same model, and same config (besides interface IPs and DNS server IPs), and theirs actually resolves an FQDN but the pings aren't successful. The switch in question doesn't do this.
We have an archive command set up to write to a TFTP server, and this switch can't seem to access that via FQDN; when write mem is performed, that hangs because of this as well.
07-04-2025 11:50 AM
Sorry, what is not successful:
the ping or the DNS resolution?
MHM
07-04-2025 12:48 PM
Thanks for posting the more complete config. I am puzzled that I see only one interface, G0/0, but not any other interfaces. Are other interfaces in vlans? Is the upstream connection a trunk carrying multiple vlans, or is it an access link for the single subnet?
It is helpful that you told us that this is a layer 2 only switch. So the management vrf has IP processing. Any other connection on the switch needs either to specify IP processing using the management vrf IP, or it needs to be forwarded (at layer 2) to an upstream device which would function as the default gateway for the other connections.
07-07-2025 07:43 AM
Here's a better sanitized config. We use this stack to connect our ISPs to. The Mgmt VRF is connected to our 9606 core on a mgmt vlan, and the SVI lives on the 9606. The biggest problem is the archive command we have: when you write mem, it takes like 30-40 minutes to "complete" because it can't resolve the tftp server name in the archive command. We can't take that archive out easily because we have some automation set up to add the commands back if they're not present with the hostname.
It's just puzzling that other switches we use like this for ISPs are set up exactly the same (different mgmt IPs), same code, and they don't have this problem. I'm actually going to reboot one at a time this afternoon to see if this helps. Traffic is passing; it's just that name resolution doesn't work, and there's no way to source the archive command from the Mgmt. You would think it's already using the Mgmt VRF with the tftp source command.
--- For Cisco community
version 16.12
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service call-home
platform punt-keepalive disable-kernel-core
platform management port rate-limt-enabled
!
hostname public-c3850
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa group server tacacs+ CPPM-TACACS
server name CPPM-TACACS-
server name CPPM-TACACS-
server name CPPM-TACACS-
server name CPPM-TACACS-
server name CPPM-
server name CPPM-
ip vrf forwarding Mgmt-vrf
ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication fail-message ^CCNone Shall Pass^C
aaa authentication login default group CPPM-TACACS local
aaa authorization exec default group CPPM-TACACS local
aaa authorization commands 15 default group CPPM-TACACS if-authenticated
!
!
!
!
!
!
aaa session-id common
boot system switch all flash:packages.conf
clock timezone CDT -6 0
clock summer-time CDT recurring
switch 1 provision ws-c3850-24xs
switch 2 provision ws-c3850-24xs
software auto-upgrade enable
!
!
!
!
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
!
ip name-server infoblox1<IP> infoblox2<IP>
ip name-server vrf Mgmt-vrf infoblox1<IP> infoblox2<IP>
ip domain list domain.local
ip domain list vrf Mgmt-vrf domain.local
ip domain lookup source-interface GigabitEthernet0/0
ip domain name domain.local
!
!
!
login on-success log
!
!
!
!
!
!
!
vtp domain <redacted>
vtp mode transparent
no device-tracking logging theft
!
!
!
license boot level ipservicesk9
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
path tftp://server.domain.local/switches/$h
write-memory
memory free low-watermark processor 79468
!
!
redundancy
mode sso
!
!
!
!
!
transceiver type all
monitoring
!
vlan 910
name Public-Lumen
!
vlan 911
name Public-Uniti
!
vlan 998
name OutsideComcastVPN
!
vlan 999
name EpicCC
!
vlan 1000
name OutsideInternet
!
vlan 1001
name OutsideComcastInet
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any system-cpp-police-control-low-priority
description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
!
policy-map system-cpp-policy
class system-cpp-police-data
police rate 200 pps
class system-cpp-police-sys-data
police rate 100 pps
class system-cpp-police-routing-control
police rate 1800 pps
class system-cpp-police-control-low-priority
class system-cpp-police-wireless-priority1
class system-cpp-police-wireless-priority2
class system-cpp-police-wireless-priority3-4-5
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel5
description LAG to Palo Alto 1 3rd party
switchport trunk allowed vlan 998
switchport mode trunk
!
interface Port-channel6
description LAG to Palo Alto 2 3rd party
switchport trunk allowed vlan 998
switchport mode trunk
!
interface Port-channel9
description LAG to Guest-FG201F-1
switchport trunk allowed vlan 910,911,1000,1001
switchport mode trunk
!
interface Port-channel10
description LAG to Guest-FG201F-2
switchport trunk allowed vlan 910,911,1000,1001
switchport mode trunk
!
interface Port-channel11
description LAG VWIRE EPIC-9K Palo Alto 1 watchme
switchport access vlan 999
switchport mode access
!
interface Port-channel12
description LAG VWIRE EPIC-9K Palo Alto 2 watchme
switchport access vlan 999
switchport mode access
!
interface Port-channel13
description LAG to Inet-1-c8300 watchme
switchport access vlan 1000
switchport mode access
!
interface Port-channel14
description LAG to inet-2-c3850 watchme
switchport access vlan 1001
switchport mode access
!
interface Port-channel24
description LAG to sxs3750-001
switchport trunk allowed vlan 998-1001
switchport mode trunk
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 10.204.100.13 255.255.254.0
negotiation auto
!
interface TenGigabitEthernet1/0/1
description Link to Lumen 10G
switchport access vlan 910
!
interface TenGigabitEthernet1/0/2
!
interface TenGigabitEthernet1/0/3
description Test laptop - Lumen
switchport access vlan 910
!
interface TenGigabitEthernet1/0/4
description Test laptop - Uniti
switchport access vlan 911
!
interface TenGigabitEthernet1/0/5
description LAG to Palo Alto 1 3rd party p9
switchport trunk allowed vlan 998
switchport mode trunk
channel-group 5 mode active
!
interface TenGigabitEthernet1/0/6
description LAG to Palo Alto 2 3rd party p9
switchport trunk allowed vlan 998
switchport mode trunk
channel-group 6 mode active
!
interface TenGigabitEthernet1/0/7
description Link to Comcast modem
switchport access vlan 998
!
interface TenGigabitEthernet1/0/8
!
interface TenGigabitEthernet1/0/9
!
interface TenGigabitEthernet1/0/10
!
interface TenGigabitEthernet1/0/11
description LAG VWIRE EPIC-9K Palo Alto 1 p2 watchme
switchport access vlan 999
switchport mode access
channel-group 11 mode on
!
interface TenGigabitEthernet1/0/12
description LAG VWIRE EPIC-9K Palo Alto 2 p1 watchme
switchport access vlan 999
switchport mode access
channel-group 12 mode on
!
interface TenGigabitEthernet1/0/13
description LAG to Inet-1-c8300 gi0/0/1 watchme
switchport access vlan 1000
switchport mode access
channel-group 13 mode active
!
interface TenGigabitEthernet1/0/14
description LAG to inet-2-c3850 gi0/0/1 watchme
switchport access vlan 1001
switchport mode access
channel-group 14 mode active
!
interface TenGigabitEthernet1/0/15
!
interface TenGigabitEthernet1/0/16
!
interface TenGigabitEthernet1/0/17
!
interface TenGigabitEthernet1/0/18
!
interface TenGigabitEthernet1/0/19
!
interface TenGigabitEthernet1/0/20
!
interface TenGigabitEthernet1/0/21
!
interface TenGigabitEthernet1/0/22
description LAG to sxs3750-001 gi1/0/28
switchport trunk allowed vlan 998-1001
switchport mode trunk
channel-group 24 mode active
!
interface TenGigabitEthernet1/0/23
description LAG to Guest-FG201F-1 Prt x3 watchme
switchport trunk allowed vlan 910,911,1000,1001
switchport mode trunk
channel-group 9 mode active
!
interface TenGigabitEthernet1/0/24
description LAG to Guest-FG201F-2 Prt x3 watchme
switchport trunk allowed vlan 910,911,1000,1001
switchport mode trunk
channel-group 10 mode active
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/5
!
interface TenGigabitEthernet1/1/6
!
interface TenGigabitEthernet1/1/7
!
interface TenGigabitEthernet1/1/8
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!
interface TenGigabitEthernet2/0/1
description Link to Uniti 10G
switchport access vlan 911
!
interface TenGigabitEthernet2/0/2
!
interface TenGigabitEthernet2/0/3
!
interface TenGigabitEthernet2/0/4
!
interface TenGigabitEthernet2/0/5
description LAG to Palo Alto 1 3rd party p10
switchport trunk allowed vlan 998
switchport mode trunk
channel-group 5 mode active
!
interface TenGigabitEthernet2/0/6
description LAG to Palo Alto 2 3rd party p9
switchport trunk allowed vlan 998
switchport mode trunk
channel-group 6 mode active
!
interface TenGigabitEthernet2/0/7
!
interface TenGigabitEthernet2/0/8
!
interface TenGigabitEthernet2/0/9
!
interface TenGigabitEthernet2/0/10
!
interface TenGigabitEthernet2/0/11
description LAG VWIRE EPIC-9K Palo Alto 1 p2 watchme
switchport access vlan 999
switchport mode access
channel-group 11 mode on
!
interface TenGigabitEthernet2/0/12
description LAG VWIRE EPIC-9K Palo Alto 2 p2 watchme
switchport access vlan 999
switchport mode access
channel-group 12 mode on
!
interface TenGigabitEthernet2/0/13
description LAG to Inet-1-c8300 gi0/0/2 watchme
switchport access vlan 1000
switchport mode access
channel-group 13 mode active
!
interface TenGigabitEthernet2/0/14
description LAG to inet-2-c3850 gi0/0/2 watchme
switchport access vlan 1001
switchport mode access
channel-group 14 mode active
!
interface TenGigabitEthernet2/0/15
description Epic Out Of Band Term Server
switchport access vlan 1000
spanning-tree portfast
!
interface TenGigabitEthernet2/0/16
!
interface TenGigabitEthernet2/0/17
!
interface TenGigabitEthernet2/0/18
!
interface TenGigabitEthernet2/0/19
!
interface TenGigabitEthernet2/0/20
!
interface TenGigabitEthernet2/0/21
!
interface TenGigabitEthernet2/0/22
description LAG to wc03-sxs3750-001 gi2/0/28
switchport trunk allowed vlan 998-1001
switchport mode trunk
channel-group 24 mode active
!
interface TenGigabitEthernet2/0/23
description LAG to Guest-FG201F-1 Prt x4 watchme
switchport trunk allowed vlan 910,911,1000,1001
switchport mode trunk
channel-group 9 mode active
!
interface TenGigabitEthernet2/0/24
description LAG to Guest-FG201F-2 Prt x4 watchme
switchport trunk allowed vlan 910,911,1000,1001
switchport mode trunk
channel-group 10 mode active
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface TenGigabitEthernet2/1/3
!
interface TenGigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/5
!
interface TenGigabitEthernet2/1/6
!
interface TenGigabitEthernet2/1/7
!
interface TenGigabitEthernet2/1/8
!
interface FortyGigabitEthernet2/1/1
!
interface FortyGigabitEthernet2/1/2
!
interface Vlan1
no ip address
shutdown
!
ip default-gateway 10.204.100.1
ip forward-protocol nd
no ip http server
ip http access-class 42
ip http authentication aaa
ip http secure-server
ip http client source-interface GigabitEthernet0/0
ip ftp source-interface GigabitEthernet0/0
ip tftp source-interface GigabitEthernet0/0
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.204.100.1
ip tacacs source-interface GigabitEthernet0/0
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
!
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
10 permit tcp any any eq 22
20 permit tcp any any eq 465
30 permit tcp any any eq 143
40 permit tcp any any eq 993
50 permit tcp any any eq 995
60 permit tcp any any eq 1914
70 permit tcp any any eq ftp
80 permit tcp any any eq ftp-data
90 permit tcp any any eq smtp
100 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
10 permit udp any any range 16384 32767
20 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
10 permit tcp any any range 2300 2400
20 permit udp any any range 2300 2400
30 permit tcp any any range 6881 6999
40 permit tcp any any range 28800 29100
50 permit tcp any any eq 1214
60 permit udp any any eq 1214
70 permit tcp any any eq 3689
80 permit udp any any eq 3689
90 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
10 permit tcp any any range 2000 2002
20 permit tcp any any range 5060 5061
30 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
10 permit tcp any any eq 443
20 permit tcp any any eq 1521
30 permit udp any any eq 1521
40 permit tcp any any eq 1526
50 permit udp any any eq 1526
60 permit tcp any any eq 1575
70 permit udp any any eq 1575
80 permit tcp any any eq 1630
90 permit udp any any eq 1630
100 permit tcp any any eq 1527
110 permit tcp any any eq 6200
120 permit tcp any any eq 3389
130 permit tcp any any eq 5985
140 permit tcp any any eq 8080
!
logging trap notifications
logging facility local3
logging source-interface GigabitEthernet0/0 vrf Mgmt-vrf
logging host 10.212.130.160 transport udp port 1515
logging host 10.208.5.190
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
banner exec ^CCC
NO CHANGES ON FRIDAY ^C
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 42 in vrf-also
exec-timeout 30 0
line vty 5 15
!
ntp server vrf Mgmt-vrf 10.204.3.162 prefer
ntp server vrf Mgmt-vrf 10.207.3.162
!
!
!
!
!
!
end
07-07-2025 03:25 PM
Thanks for the much more complete config. There is much there to try to understand, and it will take me a while to work through it. But as a starter I have several comments/observations/questions:
- there are a number of trunks that allow only a single vlan. I am puzzled about why a trunk would be limited to a single vlan. Can you offer any explanation of this? Perhaps the output of show interface trunk, which will show the trunks and what vlans are carried by the trunk, would be helpful.
- you have several things restricting access using access list 42. But there is no access list 42 in the config.
- it appears that some (perhaps many) of the issues involve name resolution. There is mention of the archive command having issues. Can you identify other things that have issues?
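Two of the observations in the reply above (an access-class that names an ACL the config never defines, and an archive path whose hostname depends on name resolution the Mgmt-vrf-only design cannot supply) can be caught mechanically before a change window. The script below is an added example, not from the thread or from Cisco; the config excerpt is constructed from the one posted here with IOS indentation restored, and the two checks are the example's own heuristics.

```python
import re

# Constructed excerpt modelled on the running-config posted in this thread (indentation
# restored as IOS prints it); it is not the poster's full config.
SAMPLE_CONFIG = """\
vrf definition Mgmt-vrf
!
ip name-server 10.204.3.162 10.207.3.162
ip name-server vrf Mgmt-vrf 10.204.3.162 10.207.3.162
archive
 path tftp://server.domain.local/switches/$h
 write-memory
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.204.100.13 255.255.254.0
interface Vlan1
 no ip address
 shutdown
ip http access-class 42
line vty 0 4
 access-class 42 in vrf-also
"""

IFACE_RE = re.compile(r"^interface (\S+)")
# ACL definitions, named ('ip access-list extended NAME') or numbered ('access-list 42 ...').
ACL_DEF_RE = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")
ACL_REF_RE = re.compile(r"^\s*(?:ip http )?access-class (\S+)")  # vty lines and HTTP server
PATH_RE = re.compile(r"^\s*path (?:tftp|ftp|scp|https?)://([^/:\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_interfaces(cfg: str) -> dict:
    """Map interface name -> {'vrf': VRF name or None, 'has_ip': bool}."""
    ifaces: dict = {}
    cur = None
    for line in cfg.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"vrf": None, "has_ip": False})
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # any unindented line ('!', global command) ends the stanza
            continue
        s = line.strip()
        if s.startswith("vrf forwarding "):
            cur["vrf"] = s.split()[-1]
        elif s.startswith("ip address "):
            cur["has_ip"] = True
    return ifaces

def acl_audit(cfg: str) -> list:
    """Flag access-class references whose ACL is never defined (an undefined ACL filters nothing)."""
    defined, referenced = set(), set()
    for line in cfg.splitlines():
        m = ACL_DEF_RE.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
        m = ACL_REF_RE.match(line)
        if m:
            referenced.add(m.group(1))
    return [f"access-class {a} is applied but access-list {a} is not defined; "
            f"management access is effectively unfiltered" for a in sorted(referenced - defined)]

def dns_path_audit(cfg: str) -> list:
    """Flag archive paths that need a DNS lookup the global routing table cannot perform."""
    ifaces = parse_interfaces(cfg)
    global_has_ip = any(i["has_ip"] and i["vrf"] is None for i in ifaces.values())
    findings = []
    for line in cfg.splitlines():
        m = PATH_RE.match(line)
        if m and not IPV4_RE.match(m.group(1)) and not global_has_ip:
            findings.append(f"archive path host '{m.group(1)}' needs DNS, the archive path cannot "
                            f"be bound to a VRF, and no interface outside a VRF has an IP address: "
                            f"write-memory will stall on the lookup; use an IP literal instead")
    return findings

def audit(cfg: str) -> list:
    return acl_audit(cfg) + dns_path_audit(cfg)
```

Run `audit(SAMPLE_CONFIG)` to see both findings; adding `access-list 42 permit ...` and replacing the archive hostname with an IP literal clears them.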
07-03-2025 06:58 AM
You have shown us the configuration of the mgmt vrf and confirmed that routing works for that vrf. You have not shown us anything about the rest of the switch. If routing is not enabled for other vrfs/ports then it would be expected that name resolution/ping would not work. What can you tell us about the rest of the switch?
07-03-2025 11:12 AM
Sorry about that. I was a little busy yesterday and only pasted the vrf-type stuff. Below is a sanitized config of what's on the switch.
This switch is only L2 and the mgmt vrf is used for management purposes.
version 16.12
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service call-home
platform punt-keepalive disable-kernel-core
platform management port rate-limt-enabled
!
hostname public-c3850
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa group server tacacs+ CPPM-TACACS
server name CPPM-TACACS-
server name CPPM-TACACS-
server name CPPM-TACACS-
server name CPPM-TACACS-
server name CPPM-
server name CPPM-
ip vrf forwarding Mgmt-vrf
ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication fail-message ^CCNone Shall Pass^C
aaa authentication login default group CPPM-TACACS local
aaa authorization exec default group CPPM-TACACS local
aaa authorization commands 15 default group CPPM-TACACS if-authenticated
!
!
!
!
!
!
aaa session-id common
boot system switch all flash:packages.conf
clock timezone CDT -6 0
clock summer-time CDT recurring
switch 1 provision ws-c3850-24xs
switch 2 provision ws-c3850-24xs
software auto-upgrade enable
!
!
!
!
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
!
ip name-server 10.204.3.162 10.207.3.162
ip name-server vrf Mgmt-vrf 10.204.3.162 10.207.3.162
ip domain list <our domain>
ip domain list vrf Mgmt-vrf <our domain>
ip domain lookup source-interface GigabitEthernet0/0
ip domain name <our domain>
!
!
login on-success log
!
!
!
!
!
!
!
vtp domain <redacted>
vtp mode transparent
no device-tracking logging theft
!
!
!
license boot level ipservicesk9
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
path tftp://<redacted>/switches/$h
write-memory
memory free low-watermark processor 79468
!
!
redundancy
mode sso
!
!
!
!
!
transceiver type all
monitoring
!
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any system-cpp-police-control-low-priority
description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
!
policy-map system-cpp-policy
class system-cpp-police-data
police rate 200 pps
class system-cpp-police-sys-data
police rate 100 pps
class system-cpp-police-routing-control
police rate 1800 pps
class system-cpp-police-control-low-priority
class system-cpp-police-wireless-priority1
class system-cpp-police-wireless-priority2
class system-cpp-police-wireless-priority3-4-5
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 10.204.100.13 255.255.254.0
negotiation auto
!
!
ip default-gateway 10.204.100.1
ip forward-protocol nd
no ip http server
ip http access-class 42
ip http authentication aaa
ip http secure-server
ip http client source-interface GigabitEthernet0/0
ip ftp source-interface GigabitEthernet0/0
ip tftp source-interface GigabitEthernet0/0
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.204.100.1
ip tacacs source-interface GigabitEthernet0/0
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
!
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
10 permit tcp any any eq 22
20 permit tcp any any eq 465
30 permit tcp any any eq 143
40 permit tcp any any eq 993
50 permit tcp any any eq 995
60 permit tcp any any eq 1914
70 permit tcp any any eq ftp
80 permit tcp any any eq ftp-data
90 permit tcp any any eq smtp
100 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
10 permit udp any any range 16384 32767
20 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
10 permit tcp any any range 2300 2400
20 permit udp any any range 2300 2400
30 permit tcp any any range 6881 6999
40 permit tcp any any range 28800 29100
50 permit tcp any any eq 1214
60 permit udp any any eq 1214
70 permit tcp any any eq 3689
80 permit udp any any eq 3689
90 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
10 permit tcp any any range 2000 2002
20 permit tcp any any range 5060 5061
30 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
10 permit tcp any any eq 443
20 permit tcp any any eq 1521
30 permit udp any any eq 1521
40 permit tcp any any eq 1526
50 permit udp any any eq 1526
60 permit tcp any any eq 1575
70 permit udp any any eq 1575
80 permit tcp any any eq 1630
90 permit udp any any eq 1630
100 permit tcp any any eq 1527
110 permit tcp any any eq 6200
120 permit tcp any any eq 3389
130 permit tcp any any eq 5985
140 permit tcp any any eq 8080
!
logging trap notifications
logging facility local3
logging source-interface GigabitEthernet0/0 vrf Mgmt-vrf
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
banner exec ^CCC
NO CHANGES ON FRIDAY ^C
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 42 in vrf-also
exec-timeout 30 0
line vty 5 15
!
ntp server vrf Mgmt-vrf 10.204.3.162 prefer
ntp server vrf Mgmt-vrf 10.207.3.162
!
!
!
!
!
!
end