DHCP on Layer 3 switch not working for VLANs

shinnemanc

Hey guys,

So, I just got my network reconfigured and inter-VLAN routing set up with 6 different VLANs. The switch has DHCP enabled and configured and WAS issuing IP addresses to the devices. What SEEMS to be happening is that when the lease for a device expires and the device tries to renew, the switch fails to renew or reissue an IP address, so the device loses its IP address and no longer has a connection to the internet.

I have attached the configs of both my router and my switch.

Any help would be amazing.

Configs are below for both the router and the switch.

ROUTER CONFIG:

Using 11174 out of 262136 bytes
!
! Last configuration change at 03:08:15 UTC Sat Nov 25 2017 by administrator
! NVRAM config last updated at 03:08:19 UTC Sat Nov 25 2017 by administrator
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M4.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret HIDDEN
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
clock timezone UTC -8 0
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.211 10.0.255.254
!
ip dhcp pool ARAMISDOMAIN
network 10.0.0.0 255.255.0.0
default-router 10.0.0.1
dns-server 8.8.8.8 10.0.0.5
domain-name Aramis.Local
option 150 ip 10.0.0.6
lease 0 4
!
!
!
no ip bootp server
ip domain name Aramis.Local
ip name-server 8.8.8.8
ip name-server 10.0.1.5
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name CCP_LOW appfw CCP_LOW
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip cef
login block-for 240 attempts 2 within 60
no ipv6 cef
!
appfw policy-name CCP_LOW
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application http
strict-http action allow alarm
port-misuse p2p action reset alarm
port-misuse im action reset alarm
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
multilink bundle-name authenticated
crypto pki certificate
license udi pid CISCO2911/K9 sn FTX1443AHBX
!
!
username HIDDEN
username CCP HIDDEN
!
redundancy
!
!
!
!
no cdp run
!
ip tcp synwait-time 10
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
policy-map sdmappfwp2p_CCP_LOW
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description COMCAST_WAN
ip address dhcp
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 102
duplex auto
speed auto
no mop enabled
service-policy input sdmappfwp2p_CCP_LOW
service-policy output sdmappfwp2p_CCP_LOW
!
interface GigabitEthernet0/1
description Aramis.Local
ip address 10.0.0.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
shutdown
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 99 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.5 443 interface GigabitEthernet0/0 443
ip ssh time-out 60
ip ssh authentication-retries 2
!
ip access-list extended OUTSIDE-IN
remark CCP_ACL Category=16
deny ip 23.32.0.0 0.31.255.255 any
deny ip 23.64.0.0 0.3.255.255 any
deny ip 104.0.0.0 0.0.0.255 any
permit ip any any
ip access-list extended autosec_firewall_acl
remark CCP_ACL Category=17
deny ip 10.0.0.0 0.0.255.255 any log
permit udp any eq bootps any eq bootpc log
permit icmp any any log unreachable
permit tcp any any eq 443 log
remark Auto generated by CCP for NTP (123) 10.0.0.5
permit udp host 10.0.0.5 eq ntp any eq ntp log
permit udp any any eq bootpc log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip any any log
!
logging trap notifications
logging facility local2
logging host 10.0.1.5
!
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.255.255 log
access-list 2 deny 23.32.0.0 0.31.255.255 log
access-list 2 deny 23.64.0.0 0.3.255.255 log
access-list 99 permit 10.0.0.0 0.0.255.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=0
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.0.0.0 0.0.255.255 any log
access-list 102 permit udp any any eq bootpc
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip 10.0.0.0 0.0.255.255 any log
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host 8.8.8.8 eq domain any
access-list 104 permit tcp any any eq 443
access-list 104 deny ip 10.0.0.0 0.0.255.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 permit udp host 8.8.8.8 eq domain any
access-list 105 permit tcp any any eq 443
access-list 105 deny ip 10.0.0.0 0.0.255.255 any
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip any any log
!
!
!
control-plane
!
!
banner exec ^C
^[[36;1m
HOSTNAME: R1.AramisDomain
Administrator: Chris Shinneman ^[[37;1m
+----------------------------------------------------------------------+
| |
| ^[[34;1m| |^[[37;1m |
| ^[[34;1m||| |||^[[37;1m |
| ^[[34;1m.|||||. .|||||.^[[37;1m |
| ^[[34;1m.:|||||||||:..:|||||||||:.^[[37;1m |
| ^[[31;1mC i s c o S y s t e m s^[[37;1m |
| |
| |
| ^[[31;1mSite:^[[37;1m Aramis Domain |
| ^[[31;1mModel:^[[37;1m Cisco 2911 2900 Series |
| ^[[31;1mInstalled:^[[37;1m 01/09/2016 |
| |
+----------------------------------------------------------------------+
^[[37;1m
^C
banner login ^C
!
^[[31;1m
+----------------------------------------------------------------------+
| |
| ^[[32;1mTHIS DEVICE IS MONITORED!^[[31;1m |
| |
| ^[[36;1mThis Device is managed by Aramis Domain^[[31;1m |
| |
| ** Access to this system is PROHIBITED unless AUTHORIZED ** |
| All activities are monitored and recorded. |
| Unauthorized Users will be prosecuted to the fullest |
| extent of the Law. |
| |
+----------------------------------------------------------------------+
^[[37;1m
^C
banner motd ^C
^C
!
line con 0
password
logging synchronous
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 103 in
authorization exec local_author
logging synchronous
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 101 in
authorization exec local_author
logging synchronous
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.0.1.5
!
end


SWITCH CONFIG:

Using 7374 out of 524288 bytes
!
! Last configuration change at 11:54:18 UTC Sat Nov 25 2017
! NVRAM config last updated at 11:54:21 UTC Sat Nov 25 2017
!
version 15.0
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
no aaa new-model
switch 2 provision ws-c3750e-24td
system mtu routing 1500
ip routing
no ip cef optimize neighbor resolution
ip dhcp excluded-address 10.0.1.1 10.0.1.100
ip dhcp excluded-address 10.0.2.1 10.0.2.100
ip dhcp excluded-address 10.0.3.1 10.0.3.100
ip dhcp excluded-address 10.0.4.1 10.0.4.100
ip dhcp excluded-address 10.0.5.1 10.0.5.100
ip dhcp excluded-address 10.0.6.1 10.0.6.100
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.7.1 10.0.7.100
!
ip dhcp pool VLAN21
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN22
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN23
network 10.0.3.0 255.255.255.0
default-router 10.0.3.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN24
network 10.0.4.0 255.255.255.0
default-router 10.0.4.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN25
network 10.0.5.0 255.255.255.0
default-router 10.0.5.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN26
network 10.0.6.0 255.255.255.0
default-router 10.0.6.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
option 150 ip 10.0.1.6
lease 0 4
!
ip dhcp pool VLAN20
network 10.0.7.0 255.255.255.0
default-router 10.0.7.1
dns-server 8.8.8.8 10.0.1.5
domain-name Aramis.Local
!
!
no ip domain-lookup
ip domain-name Aramis.Local
ip name-server 10.0.1.5
ip name-server 8.8.8.8
login block-for 240 attempts 2 within 60
!
!
crypto pki trustpoint TP-self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate
revocation-check none
rsakeypair TP-self-signed
!
!
crypto pki certificate chain TP-self-signed
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
!
errdisable recovery cause bpduguard
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet2/0/1
switchport access vlan 21
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/2
switchport access vlan 21
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/3
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/4
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/5
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/6
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/7
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/8
switchport access vlan 24
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/9
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/10
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/11
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/12
switchport access vlan 21
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/13
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet2/0/14
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet2/0/15
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet2/0/16
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet2/0/17
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/18
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/19
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/20
switchport access vlan 80
switchport mode access
shutdown
!
interface GigabitEthernet2/0/21
description Connection to S2
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/22
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/23
description To Router g0/1
no switchport
ip address 10.0.0.2 255.255.255.0
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/24
switchport access vlan 22
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/25
switchport access vlan 80
description Blackhole VLAN
shutdown
!
interface GigabitEthernet2/0/26
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/27
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/28
switchport access vlan 80
shutdown
!
interface TenGigabitEthernet2/0/1
shutdown
spanning-tree portfast trunk
!
interface TenGigabitEthernet2/0/2
shutdown
spanning-tree portfast trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
description Aramis-LAN
ip address 10.0.7.1 255.255.255.0
!
interface Vlan21
ip address 10.0.1.1 255.255.255.0
!
interface Vlan22
ip address 10.0.2.1 255.255.255.0
!
interface Vlan23
ip address 10.0.3.1 255.255.255.0
!
interface Vlan24
ip address 10.0.4.1 255.255.255.0
!
interface Vlan25
ip address 10.0.5.1 255.255.255.0
!
interface Vlan26
ip address 10.0.6.1 255.255.255.0
!
interface Vlan80
no ip address
!
interface Vlan99
no ip address
shutdown
!
ip default-gateway 10.0.0.1
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
!
logging trap notifications
logging host 10.0.1.5
!
!
banner motd ^C
UNAUTHORIZED ACCESS IS PROHIBITED!^C
!
line con 0
password HIDDEN
logging synchronous
login
speed 115200
line vty 0 4
privilege level 15
password HIDDEN
logging synchronous
login local
transport input telnet ssh
line vty 5 15
password HIDDEN
logging synchronous
login local
transport input ssh
!
ntp server 10.0.1.5
end
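As an added example (not the poster's code and not anything from Cisco), the following Python script pulls the DHCP pool and excluded-address lines out of the two posted configs and cross-checks them: how many addresses each pool can actually hand out once the exclusions are removed, whether a pool on the router overlaps a pool on the switch, whether each default-router sits inside its own network, and where the T1/T2 renewal points fall for the configured lease. The config excerpts are copied from the posts above but trimmed to the DHCP lines (four of the seven switch pools are omitted to keep the sample short); the one-day lease assumed for a pool with no lease line is the IOS default, and the 50% / 87.5% renewal points are the RFC 2131 defaults. The parser only understands the handful of IOS keywords used here and ignores everything else.

```python
"""Cross-check the DHCP pools of the two posted IOS configs (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the posted router config, DHCP lines only.
ROUTER_CFG = """\
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.211 10.0.255.254
!
ip dhcp pool ARAMISDOMAIN
 network 10.0.0.0 255.255.0.0
 default-router 10.0.0.1
 lease 0 4
"""

# Excerpt of the posted switch config, DHCP lines only (pools VLAN23-VLAN26 omitted).
SWITCH_CFG = """\
ip dhcp excluded-address 10.0.1.1 10.0.1.100
ip dhcp excluded-address 10.0.2.1 10.0.2.100
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.7.1 10.0.7.100
!
ip dhcp pool VLAN21
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 lease 0 4
!
ip dhcp pool VLAN22
 network 10.0.2.0 255.255.255.0
 default-router 10.0.2.1
 lease 0 4
!
ip dhcp pool VLAN20
 network 10.0.7.0 255.255.255.0
 default-router 10.0.7.1
"""

IOS_DEFAULT_LEASE = 86400  # IOS hands out a one-day lease when no "lease" line is set


@dataclass
class Pool:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    gateway: Optional[ipaddress.IPv4Address] = None
    lease: Optional[int] = IOS_DEFAULT_LEASE  # seconds; None means "lease infinite"


def parse_lease(arg):
    """'lease days [hours [minutes]]' or 'lease infinite' -> seconds (None for infinite)."""
    if arg.strip() == "infinite":
        return None
    days, hours, minutes = ([int(p) for p in arg.split()] + [0, 0])[:3]
    return (days * 24 + hours) * 3600 + minutes * 60


def parse_dhcp(text):
    """Return ({pool name: Pool}, [(first, last) excluded ranges]) from IOS config text."""
    pools, excluded, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            lo = ipaddress.IPv4Address(m[1])
            excluded.append((lo, ipaddress.IPv4Address(m[2] or m[1])))  # single address = range of one
        elif m := re.match(r"ip dhcp pool (\S+)$", line):
            cur = pools[m[1]] = Pool(m[1])
        elif cur and (m := re.match(r"network (\S+) /?(\S+)$", line)):  # mask or prefix length
            cur.network = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif cur and (m := re.match(r"default-router (\S+)", line)):  # first router only
            cur.gateway = ipaddress.IPv4Address(m[1])
        elif cur and (m := re.match(r"lease (.+)$", line)):
            cur.lease = parse_lease(m[1])
        elif line == "!":  # end of the pool sub-mode
            cur = None
    return pools, excluded


def usable_addresses(pool, excluded):
    """Host addresses the pool can hand out after the excluded ranges are removed."""
    if pool.network is None:
        return 0
    first, last = int(pool.network.network_address) + 1, int(pool.network.broadcast_address) - 1
    # Clip each exclusion to the pool's host range, then merge so overlaps are not double-counted.
    clipped = sorted((max(int(lo), first), min(int(hi), last)) for lo, hi in excluded)
    merged = []
    for lo, hi in clipped:
        if lo > hi:
            continue  # exclusion lies entirely outside this pool
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return (last - first + 1) - sum(hi - lo + 1 for lo, hi in merged)


def overlapping_pools(pools_a, pools_b):
    """(name_a, name_b) for every pool on device A whose network overlaps a pool on device B."""
    return [(a.name, b.name) for a in pools_a.values() for b in pools_b.values()
            if a.network and b.network and a.network.overlaps(b.network)]


def gateway_ok(pool):
    """True when the pool's default-router is an address inside the pool's own network."""
    return pool.network is not None and pool.gateway is not None and pool.gateway in pool.network


def renewal_times(lease_seconds):
    """RFC 2131 defaults: T1 (renew, unicast to the server) at 50%, T2 (rebind) at 87.5%."""
    if lease_seconds is None:
        return None, None
    return lease_seconds // 2, lease_seconds * 7 // 8


def report():
    rpools, rexcl = parse_dhcp(ROUTER_CFG)
    spools, sexcl = parse_dhcp(SWITCH_CFG)
    for pools, excl, dev in ((rpools, rexcl, "R1"), (spools, sexcl, "S1")):
        for p in pools.values():
            t1, t2 = renewal_times(p.lease)
            print(f"{dev} {p.name}: {p.network} usable={usable_addresses(p, excl)} "
                  f"gateway_in_net={gateway_ok(p)} lease={p.lease}s T1={t1}s T2={t2}s")
    for a, b in overlapping_pools(rpools, spools):
        print(f"overlap: R1 pool {a} covers S1 pool {b}")


if __name__ == "__main__":
    report()
```

Run as-is, the report shows the router's ARAMISDOMAIN pool (10.0.0.0/16, 111 usable addresses after the two exclusions) overlapping every switch pool (154 usable addresses each), a 4-hour lease with T1 at 2 h and T2 at 3.5 h on the switch pools that set one, and the one-day default on VLAN20. Two DHCP servers whose scopes overlap are worth reconciling before chasing the renewal behaviour further; the script does not claim that overlap is the cause of the failures described in the post.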