11-23-2017 12:21 AM - edited 03-08-2019 12:51 PM
Hey guys,
So, I took some Cisco classes in college, however, I am more of a server guy. I have a Cisco router and Cisco switches and I cannot for the life of me get anything to work right.
I have attached a Packet Tracer layout for visual reference and typed up how I would like my network to be. Both switches I have are Layer 2/3, but I do not know how to turn on Layer 3 or even get it configured. The actual VLAN Numbers (1-6) are just an example. I do remember its not good to use VLAN1. So maybe VLAN 15-21? And what about the black hole VLAN? Do I need one of those too?
Any help at all with the configuration commands would be awesome to me. I still have all my books from my Cisco classes and I have followed them in order to attempt setting up inter-VLAN routing, DHCP server on the router, etc., but nothing works right. I will get one part working and another part stops working. I have fought this for a good month and a half now. I cannot seem to get it configured and secured.
Also see the attached document that explains the breakdown of my network.
Again, please help with the correct configuration so I can get this up and running.
Thanks for all help given.
11-23-2017 06:56 AM
Hi,
You can enable L3 on the 3560 easy enough. The 2960 needs to have the right IOS image and also change the SDM for it to work so you probably want to have the 3560 as your routing switch.
https://learningnetwork.cisco.com/thread/34739
To enable routing on the 3560 switch, just enter the command:
ip routing
You then need to give it a default route, which you would seem to want to direct towards R1:
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Then you can configure your other VLANs and VLAN interfaces also on the 3560, which can route between them. I.e.:
vlan 2
name Entertainment
interface vlan 2
ip address 10.0.2.1 255.255.255.0
no shut
vlan 3
name Apple
interface vlan 3
ip address 10.0.3.1 255.255.255.0
no shut
HTH, if not be more specific on what is not working. Paste your configs.
11-23-2017 07:07 AM
Also, there is no real reason to have a black hole VLAN in your small setup. You would only do it for a security reason where you are trying to route some kind of malicious packet to nowhere, i.e. drop it.
Use whichever VLANs you want in a small home office type of setup. In a company most people don't use VLAN 1 very often because it's the default VLAN, so all traffic goes in it by default from any unconfigured port which is up, but it's still fine. I have worked on several networks in the past using only VLAN 1. Not great practice, but it still works.
11-23-2017 10:37 AM
Here is my new design with new subnets and the new VLANs that do not use VLAN1. Will this work?
Cisco 2911 Gigabit Router
Cisco WS-3750E Gigabit Layer 2/3 Switch (S1)
Cisco ws-c3560 8-port Layer 2/3 Switch (S2)
Cisco WAP371 Access Point
IP Range 10.0.0.1-10.0.0.4 are reserved for Router and Switches/WAP Management Access (Network Hardware)
VLAN21: 10.0.1.1/24
VLAN22: 10.0.2.1/24
VLAN23: 10.0.3.1/24
VLAN24: 10.0.4.1/24
VLAN25: 10.0.5.1/24
VLAN26: 10.0.6.1/24
Cable Modem: DHCP IP Assigned by Comcast
Router (R1): G0/1 10.0.0.1/24
Switch (S1): IP 10.0.0.2/24
Switch (S2): IP 10.0.0.3/24
WAP (WAP1): IP 10.0.0.4/24
VLAN21 (Admin) 10.0.1.1/24
Aramis Server: Static IP 10.0.0.5 (S1 port 1)
Elisia Server: Static IP 10.0.0.6 (S1 Port 2)
Arwin-Laptop: Static IP 10.0.0.10 (S1 Port 12)
S1 Ports 20-24 are all Network Devices such as switches, router connection, WAP Connection, Etc.
Sapphira-Laptop: DHCP IP (Wireless VLAN1 connection to WIFI SSID Admin)
VLAN22 (Entertainment) 10.0.2.1/24
S1 Ports 13-15 are Entertainment DHCP Devices
S2 Ports 1-3 to S1 Port 21 are Entertainment DHCP VLAN2
WIFI SSID: Aramis-Ent is VLAN2 Entertainment Devices that do not allow Ethernet Connections
VLAN23 (Apple Media Network) 10.0.3.1/24
S1 Port 16 to AppleTV is VLAN3 DHCP
S2 Port 4 to AppleTV is VLAN3 DHCP
VLAN24 (Printers) 10.0.4.1/24
S1 Ports 4-8 to Printers is VLAN4 DHCP
VLAN25 (General Use) 10.0.5.1/24
No Hardwire Ports are assigned to VLAN5. Only WIFI Traffic is Assigned to VLAN5
VLAN26 (Guest) 10.0.6.1/24
No Hardwire Ports are assigned to VLAN6. Only WIFI Traffic is Assigned to VLAN6
Switchports NOT in use:
S1 Ports 3, 9-11, 17-19
S2 Ports 5-8
VLAN DESCRIPTIONS
VLAN21 (Admin): This VLAN is reserved for the two servers and my two laptops. No other device should be assigned to this VLAN, however, any computer on VLAN 3, VLAN4 and VLAN5 can communicate with the Servers and laptops. Only 4 devices assigned to this VLAN.
VLAN22 (Entertainment): This VLAN is for Entertainment Devices such as TVs, HD Devices, Streaming Devices, BluRay Players, etc. No computers or phones should access this VLAN and this VLAN does NOT have access to internal network resources such as servers or printers. Only internet access is allowed.
VLAN23 (Apple Media Network): This is reserved for AppleTVs and any other Apple device requiring the Apple Network. This VLAN should have access to other VLANs on the network (excluding VLAN2 and VLAN6) so that iPhones and computers can stream to AppleTVs and AppleTV can access the Apple Network and iTunes Server on VLAN1.
VLAN24 (Printers): This is a DHCP VLAN for the 4 Printers. The printers are hardwired and any device on the network, whether wireless or hardwired, should be able to communicate to this VLAN and print to the Printers when needed. This excludes VLAN2 as Entertainment Devices do NOT need access to printers. This also excludes VLAN6 as no guests will be allowed to print on the network.
VLAN25 (WIFI-General Access): This VLAN is for all other network traffic. VLAN5 should be able to access network resources such as printers and servers. All WiFi SSIDs and devices are DHCP.
VLAN26 (Guest)-Internet Access ONLY. No Access to Network Resources or any device on the network. Cannot see other devices connected to WiFi. Completely restricted to Internet Only. LOCKED DOWN. All Devices are DHCP
11-23-2017 10:44 AM
Hello,
on a side note, if possible post the .pkt file (rename it to .jpg otherwise the system will not let you upload it).
Also indicate which version of Packet Tracer you are using...
11-23-2017 10:50 AM
Chrisgray1,
After doing research on Cisco's website, the ws-c3560-8pt-s switch is a layer 3 switch, activated by the command "ip routing". To make it layer 2, Cisco says to type "no ip routing".
11-23-2017 10:54 AM
11-24-2017 02:57 AM
Then your switches and design should work. What is the remaining issue, that you need to have secure VLANs?
If so, you can create ACLs specifically for your needs, applied to the SVI inbound.
So if you know how to enable routing and default routing on the switch, the rest is just to create the VLANs, create the SVIs and apply an ACL inbound to each one specifying which other subnets can access it.
Just check out some resources for how to create the ACL:
https://learningnetwork.cisco.com/docs/DOC-7514
Also, for your AP, it will need to be in autonomous mode unless you're running a WLC, so you need a trunk port to it because you want a few SSIDs.
11-24-2017 01:24 PM
This is my current configuration of my router. Would it be easier to reset to default and start fresh and new?
R1#show config
Using 11154 out of 262136 bytes
!
! Last configuration change at 00:14:59 UTC Fri Mar 24 2017 by administrator
! NVRAM config last updated at 00:15:03 UTC Fri Mar 24 2017 by administrator
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M4.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$aaoO$tBn4OvFzUeOsDMPJrbc.n0
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
clock timezone UTC -8 0
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.211 10.0.255.254
!
ip dhcp pool ARAMISDOMAIN
network 10.0.0.0 255.255.0.0
default-router 10.0.0.1
dns-server 8.8.8.8 10.0.0.5
domain-name Aramis.Local
option 150 ip 10.0.0.6
lease 0 4
!
!
!
no ip bootp server
ip domain name Aramis.local
ip name-server 10.0.0.5
ip name-server 8.8.8.8
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name CCP_LOW appfw CCP_LOW
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip cef
login block-for 240 attempts 2 within 60
no ipv6 cef
!
appfw policy-name CCP_LOW
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application http
strict-http action allow alarm
port-misuse p2p action reset alarm
port-misuse im action reset alarm
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-924340807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-924340807
revocation-check none
rsakeypair TP-self-signed-924340807
!
!
crypto pki certificate chain TP-self-signed-924340807
license udi pid CISCO2911/K9 sn FTX1443AHBX
!
!
username administrator privilege 15 secret 5 $1$vnvs$ZDKnAu4VgsIzZOK7FI6eB/
username CCP privilege 15 secret 5 $1$KUo1$d3p8mEqXtBtjrWWptPc14/
!
redundancy
!
!
!
!
no cdp run
!
ip tcp synwait-time 10
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
policy-map sdmappfwp2p_CCP_LOW
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description WAN$FW_OUTSIDE$
ip address dhcp
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 102
duplex auto
speed auto
no mop enabled
service-policy input sdmappfwp2p_CCP_LOW
service-policy output sdmappfwp2p_CCP_LOW
!
interface GigabitEthernet0/1
description LAN$FW_INSIDE$
ip address 10.0.0.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 99 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.5 443 interface GigabitEthernet0/0 443
ip ssh time-out 60
ip ssh authentication-retries 2
!
ip access-list extended OUTSIDE-IN
remark CCP_ACL Category=16
deny ip 23.32.0.0 0.31.255.255 any
deny ip 23.64.0.0 0.3.255.255 any
deny ip 104.0.0.0 0.0.0.255 any
permit ip any any
ip access-list extended autosec_firewall_acl
remark CCP_ACL Category=17
deny ip 10.0.0.0 0.0.255.255 any log
permit udp any eq bootps any eq bootpc log
permit icmp any any log unreachable
permit tcp any any eq 443 log
remark Auto generated by CCP for NTP (123) 10.0.0.5
permit udp host 10.0.0.5 eq ntp any eq ntp log
permit udp any any eq bootpc log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip any any log
!
logging trap notifications
logging facility local2
logging host 10.0.0.5
!
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.255.255 log
access-list 2 deny 23.32.0.0 0.31.255.255 log
access-list 2 deny 23.64.0.0 0.3.255.255 log
access-list 99 permit 10.0.0.0 0.0.255.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=0
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.0.0.0 0.0.255.255 any log
access-list 102 permit udp any any eq bootpc
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip 10.0.0.0 0.0.255.255 any log
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host 8.8.8.8 eq domain any
access-list 104 permit tcp any any eq 443
access-list 104 deny ip 10.0.0.0 0.0.255.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 permit udp host 8.8.8.8 eq domain any
access-list 105 permit tcp any any eq 443
access-list 105 deny ip 10.0.0.0 0.0.255.255 any
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip any any log
!
!
!
control-plane
!
!
banner exec ^C
^[[36;1m
HOSTNAME: R1.AramisDomain
Administrator: Chris Shinneman ^[[37;1m
+----------------------------------------------------------------------+
| |
| ^[[34;1m| |^[[37;1m |
| ^[[34;1m||| |||^[[37;1m |
| ^[[34;1m.|||||. .|||||.^[[37;1m |
| ^[[34;1m.:|||||||||:..:|||||||||:.^[[37;1m |
| ^[[31;1mC i s c o S y s t e m s^[[37;1m |
| |
| |
| ^[[31;1mSite:^[[37;1m Aramis Domain |
| ^[[31;1mModel:^[[37;1m Cisco 2911 2900 Series |
| ^[[31;1mInstalled:^[[37;1m 01/09/2016 |
| |
+----------------------------------------------------------------------+
^[[37;1m
^C
banner login ^C
!
^[[31;1m
+----------------------------------------------------------------------+
| |
| ^[[32;1mTHIS DEVICE IS MONITORED!^[[31;1m |
| |
| ^[[36;1mThis Device is managed by Aramis Domain^[[31;1m |
| |
| ** Access to this system is PROHIBITED unless AUTHORIZED ** |
| All activities are monitored and recorded. |
| Unauthorized Users will be prosecuted to the fullest |
| extent of the Law. |
| |
+----------------------------------------------------------------------+
^[[37;1m
^C
banner motd ^C
^C
11-24-2017 02:30 PM
Here is the configuration of Switch2 so far. It's NOT complete. I just want to make sure I am on the right track with configuring Switch2 to access Switch1 and have ports 1-4 access the correct VLANs.
Any insight, advice?
S2#show config
Using 1708 out of 524288 bytes
!
! Last configuration change at 00:31:16 UTC Mon Mar 1 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$XMcE$eD.hXyE4zaThN63JybKif0
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain-lookup
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
description Entertainment VLAN
no switchport
no ip address
!
interface FastEthernet0/2
description Entertainment VLAN
no switchport
no ip address
!
interface FastEthernet0/3
description Entertainment VLAN
no switchport
no ip address
!
interface FastEthernet0/4
description Apple Network VLAN
switchport access vlan 23
switchport mode access
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
switchport access vlan 21
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan21
ip address 10.0.1.1 255.255.255.0
!
interface Vlan22
ip address 10.0.2.1 255.255.255.0
!
interface Vlan23
ip address 10.0.3.1 255.255.255.0
!
interface Vlan24
ip address 10.0.4.1 255.255.255.0
!
interface Vlan25
ip address 10.0.5.1 255.255.255.0
!
interface Vlan26
ip address 10.0.6.1 255.255.255.0
!
ip default-gateway 10.0.0.1
ip http server
ip http secure-server
!
!
!
!
!
!
line con 0
password 7 1511030325297E723D706470
login
line vty 0 4
password 7 1511030325297E723D706470
login
line vty 5 15
password 7 1511030325297E723D706470
login
!
end
11-25-2017 11:16 AM
I finally got everything working. I have IP routing enabled on the switch and all VLANs up and running with IPs being issued by the switch.
Now I need help writing ACLs since I have never written ACLs. I have always used the Cisco Configuration Professional software.
Would someone please help me write some ACLs? I need to BLOCK VLAN 22 and 26 from accessing any other VLAN (Internet only) but still allow the other VLANs to access VLAN 22 and 26 for management purposes.
Here is my switch config...
S1#show config
Using 7374 out of 524288 bytes
!
! Last configuration change at 11:54:18 UTC Sat Nov 25 2017
! NVRAM config last updated at 11:54:21 UTC Sat Nov 25 2017
!
version 15.0
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fXM5$QeXpmeXipHpYaExFlLOU/.
!
username administrator privilege 15 secret 5 $1$CpEQ$OvKGorrxJdg2WeT0psild/
no aaa new-model
switch 2 provision ws-c3750e-24td
system mtu routing 1500
ip routing
no ip cef optimize neighbor resolution
ip dhcp excluded-address 10.0.1.1 10.0.1.100
ip dhcp excluded-address 10.0.2.1 10.0.2.100
ip dhcp excluded-address 10.0.3.1 10.0.3.100
ip dhcp excluded-address 10.0.4.1 10.0.4.100
ip dhcp excluded-address 10.0.5.1 10.0.5.100
ip dhcp excluded-address 10.0.6.1 10.0.6.100
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.7.1 10.0.7.100
!
ip dhcp pool VLAN21
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN22
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN23
network 10.0.3.0 255.255.255.0
default-router 10.0.3.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN24
network 10.0.4.0 255.255.255.0
default-router 10.0.4.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN25
network 10.0.5.0 255.255.255.0
default-router 10.0.5.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN26
network 10.0.6.0 255.255.255.0
default-router 10.0.6.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN20
network 10.0.7.0 255.255.255.0
default-router 10.0.7.1
dns-server 8.8.8.8 10.0.1.5
!
!
no ip domain-lookup
ip domain-name Aramis.Local
ip name-server 10.0.1.5
ip name-server 8.8.8.8
login block-for 240 attempts 2 within 60
!
!
crypto pki trustpoint TP-self-signed-1337076096
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1337076096
revocation-check none
rsakeypair TP-self-signed-1337076096
!
!
crypto pki certificate chain TP-self-signed-1337076096
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
!
errdisable recovery cause bpduguard
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet2/0/1
switchport access vlan 21
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/2
switchport access vlan 21
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/3
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/4
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/5
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/6
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/7
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/8
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/9
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/10
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/11
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/12
switchport access vlan 21
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/13
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet2/0/14
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet2/0/15
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet2/0/16
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet2/0/17
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/18
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/19
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/20
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/21
description Connection to S2
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/22
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/23
description To Router g0/1
no switchport
ip address 10.0.0.2 255.255.255.0
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/24
switchport access vlan 20
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/25
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/26
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/27
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/28
switchport access vlan 80
shutdown
!
interface TenGigabitEthernet2/0/1
shutdown
spanning-tree portfast trunk
!
interface TenGigabitEthernet2/0/2
shutdown
spanning-tree portfast trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
description Aramis-LAN
ip address 10.0.7.1 255.255.255.0
!
interface Vlan21
ip address 10.0.1.1 255.255.255.0
!
interface Vlan22
ip address 10.0.2.1 255.255.255.0
!
interface Vlan23
ip address 10.0.3.1 255.255.255.0
!
interface Vlan24
ip address 10.0.4.1 255.255.255.0
!
interface Vlan25
ip address 10.0.5.1 255.255.255.0
!
interface Vlan26
ip address 10.0.6.1 255.255.255.0
!
interface Vlan80
no ip address
!
interface Vlan99
no ip address
shutdown
!
ip default-gateway 10.0.0.1
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
!
logging trap notifications
logging host 10.0.0.5
logging host 10.0.1.5
!
!
banner motd ^C
UNAUTHORIZED ACCESS IS PROHIBITED!^C
!
line con 0
password 7 02050C542A055A77590D584B
logging synchronous
login
speed 115200
line vty 0 4
privilege level 15
password 7 104D01162414475D19477B79
logging synchronous
login local
transport input telnet ssh
line vty 5 15
password 7 104D01162414475D19477B79
logging synchronous
login local
transport input ssh
!
ntp server 10.0.1.5
end
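An added example, not from any poster in this thread, of the "ACL inbound on each SVI" approach suggested earlier, applied to the VLAN 22/26 request in this post. It assumes the addressing from the S1 config above (VLAN22 10.0.2.0/24, VLAN26 10.0.6.0/24, internal DNS at 10.0.1.5, the whole site inside 10.0.0.0/16), a switch whose router ACLs accept the `established` keyword, and ACL names of my choosing.

```cisco
! Added example (not from the thread): stateless router ACLs on S1 so that
! VLAN 22 and VLAN 26 can only START traffic towards the Internet, while hosts
! on the other VLANs can still open sessions INTO them for management.
! Assumed from the S1 config posted above: VLAN22 = 10.0.2.0/24,
! VLAN26 = 10.0.6.0/24, internal DNS = 10.0.1.5, whole site = 10.0.0.0/16.
ip access-list extended VLAN22-IN
 remark DHCP discover/request to the switch's own pool (source 0.0.0.0, broadcast)
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver that the VLAN22 DHCP pool hands out
 permit udp 10.0.2.0 0.0.0.255 host 10.0.1.5 eq domain
 remark switch ACLs are stateless: allow only REPLIES to sessions another VLAN
 remark opened into VLAN 22 (TCP with ACK/RST set, and ping echo-replies)
 permit tcp 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 established
 permit icmp 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 echo-reply
 remark block VLAN 22 from initiating anything else towards the site; log hits
 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 remark whatever remains is Internet-bound via the default route to R1
 permit ip 10.0.2.0 0.0.0.255 any
 remark implicit deny at the end: any packet with a source outside 10.0.2.0/24 is dropped
!
ip access-list extended VLAN26-IN
 remark guest VLAN: same pattern, but no access to the internal DNS server;
 remark guests resolve via the public DNS server the pool also hands out
 permit udp any eq bootpc any eq bootps
 permit tcp 10.0.6.0 0.0.0.255 10.0.0.0 0.0.255.255 established
 permit icmp 10.0.6.0 0.0.0.255 10.0.0.0 0.0.255.255 echo-reply
 deny ip 10.0.6.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 permit ip 10.0.6.0 0.0.0.255 any
!
interface Vlan22
 ip access-group VLAN22-IN in
!
interface Vlan26
 ip access-group VLAN26-IN in
!
! Quick checks after applying:
!   show ip access-lists VLAN22-IN                 (per-line match counters)
!   show ip interface Vlan22 | include access list (confirms the ACL is bound)
```

Traffic between two wireless clients on the same SSID never crosses the SVI, so the "cannot see other devices connected to WiFi" requirement for the guest VLAN has to be enforced on the access point (client isolation on that SSID), not by these ACLs.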