SAFE 1.0 Release Notes

Created: August 20, 2009, OL

These release notes list all platforms and software releases that were validated for the SAFE reference architecture. They also include a network diagram for each module and the complete configuration for each platform.

This Release Notes document is associated with the Cisco SAFE Reference Guide available at the following URL:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.htm

Cisco SAFE consists of design blueprints based on the Cisco Validated Designs (CVDs) and proven security best practices that provide the design guidelines for building secure and reliable network infrastructures. The design blueprint follows a modular design in which the overall network infrastructure is divided into functional modules, each one representing a place in the network (PIN). Functional modules are then subdivided into more manageable and granular functional blocks, each serving a specific role in the network.

Cisco Platforms and Versions

This section lists the Cisco platforms and releases used for the SAFE 1.0 reference architecture.

Enterprise Core

| Role | Platforms | Version |
|---|---|---|
| Core Switch | Catalyst 6500 Series; VS-S720-10G; WS-X6716-10GE; WS-X6148A-GE-TX | 12.2(33)SXH4 |


Intranet Data Center

| Role | Platforms | Version |
|---|---|---|
| Core Switch | Catalyst 6500 Series; WS-X6724-SFP; WS-6704-10GE; VS-S720-10G | 12.2(33)SXH2 |
| Aggregation Switch | Nexus 7000 Series; N7K-M132XP-12; N7K-M148GT-11; N7K-SUP1 | 4.1(2) |
| Services Layer Switch | Catalyst 6500 Series; VS-S720-10G; WS-6708-10GE; WS-6748-GE-TX; ACE20-MOD-K9; WS-SVC-NAM-2; ASA5580-40; IPS4270-20-k9; ACE-XML-K9 | 12.2(33)SXI; A2(1.3); 4.0(1); 8.1(2); 6.2(1)E3; 6.0.2-2008-09-15T22 |
| Access Layer Switch | Catalyst 6500 Series; WS-6708-10GE; WS-6704-10GE; WS-SVC-NAM-2; VS-S720-10G; WS-X6748-GE-TX; WS-C4900M; WS-X4904-10GE; WS-X4920-GB-RJ45; N5k-C5020P-BF; N5K-M1404; WS-CBS3120G-S; WS-CBS3120X-S; Nexus 1000V | 12.2(33)SXI; 4.0(1); 12.2(46)SG; 4.0(1a)N1(1); 12.2(40)EX1; 12.2(40)EX1; 4.0(1a)S1(0.14 |
| Server Environments | HP DL380 G5; HP DL380 G4 | VMWare 3.5u2 and 4.0(RC); Windows Server 2003; Oracle Linux 5.2 (Carthage) |
| Intrusion Prevention System | IPS 4270 | 6.1(2)E3 |
| Firewall | ASA 5580 | 8.1(1) |
| Host-based Intrusion Prevention System | CSA | 6 |


Enterprise Campus

| Role | Platforms | Version |
|---|---|---|
| Core Switch | Catalyst 6500 Series; VS-S720-10G; WS-X6716-10GE; WS-X6148A-GE-TX | 12.2(33)SXH4 |
| Distribution Layer Switch | Catalyst 6500 Series; VS-S720-10G; WS-X6716-10GE; WS-X6148A-GE-TX; Catalyst 6500 Series (For IBNS); Catalyst 4500 Series (For IBNS) | 12.2(33)SXH4; 12.2(33)SXI (For IBNS); 12.2(50)SG (For IBNS) |
| Services Block Switch | Catalyst 6500 Series; WS-SUP720-BASE; WS-X6416-GBIC; WS-X6748-GE-TX | 12.2(33)SXH4 |
| Access Layer Switch | Catalyst 4500 Series; WS-X4516-10GE; WS-X4548-GB-RJ45V; Catalyst 4500 Series (For IBNS); Catalyst 3750 (For IBNS) | 12.2(31)SGA8; 12.2(50)SG (For IBNS); 12.2(50)SE (For IBNS) |
| Intrusion Prevention System | IPS 4270 | 6.1(2)E3 |
| Firewall | ASA 5580 | 8.1(1) |
| Host-based Intrusion Prevention System | CSA | 6.0 |
| NAC Manager | NAC3310MGR | 4.1.6 |
| NAC Server | NAC3350 | 4.1.6 |
| NAC Profiler | NAC3310 | 2.1.8 |
| Cisco Unified Communications Manager | MCS-7825-H2-IPC1 | 7.0.1 |
| Cisco IP Phone | CP-7960 | 8.0(9.0) |


Enterprise Internet Edge

| Role | Platforms | Version |
|---|---|---|
| Inner Switches | Catalyst 6500 Series; Sup32P-10GE; WS X6516-GE-TX | 12.2(18)ZYA |
| Outer Switches | Catalyst 6500 Series; Sup720-3BXL; WS-6704-10GE; WS-6516-GE-TX | 12.2(33)SXH4 |
| Internet Backup Router | ASR1004 | 2.3.0 12.2(33)XNC |
| Intrusion Prevention System | IPS4260 | 6.1(2)E3 |
| Firewall | ASA5580 | 8.1(1) |
| Remote-Access Termination | ASA5520 | 8.0(4) |
| Border Router | 7200 | 12.4(20)T1 |
| Ironport web appliance | S650 | 5.6 |
| Ironport email appliance | C650 | 6.4 |
| Web Application Firewall | WAF | 6.0.2 |


Enterprise WAN Edge

| Role | Platforms | Version |
|---|---|---|
| Unified WAN Platform | ASR1004 | 2.3.0 12.2(33)XNC |
| Intrusion Prevention System | IPS 4270 | 6.1(2)E3 |
| Switch | Catalyst 3750 | 12.2(35)SE5 |


Enterprise Branch

| Role | Platforms | Version |
|---|---|---|
| Integrated Services Router | ISR 2821, ISR 3845 | 12.4(20)T2 |
| Firewall | ASA5520; ISR 2821 (IOS Zone-based Firewall) | 8.0(3); 12.4(20)T2 |
| Intrusion Prevention System | IPS-AIM in ISR 2821, AIP-SSM in ASA 5520 | 6.1(2)E3 |
| Switch | Catalyst 3750 | 12.2(35)SE5 |


Management

| Role | Platforms | Version |
|---|---|---|
| AAA Server | CS-ACS | 4.1.4 |
| Security Manager | CSM | 3.2.2 SP1 |
| Monitoring, Analysis, and Correlation | CS-MARS | 6.0.2 |
| Firewall | ASA 5540 | 8.0(3) |


SAFE Configurations

This section contains a network diagram for each module that was tested in the lab and a copy of the complete configuration for each platform validated in the SAFE system testing (only for platforms with command-line (CLI) configurations; does not include GUI configurations). Note that externally accessible IP addresses and passwords have been replaced with descriptive text.

Enterprise Core

Figure 1 Enterprise Core Network Diagram

Core Switch—Catalyst 6500

sfx14-6504e-1
!
! Last configuration change at 16:05:10 GMT Mon Apr 13 2009 by mapuebla-ops
! NVRAM config last updated at 16:08:04 GMT Mon Apr 13 2009 by mapuebla-ops
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 5
!
hostname SFX14-6504E-1
!
boot-start-marker
boot system flash sup-bootdisk:/s72033-advipservicesk9_wan-mz.122-33.SXH4.bin
boot-end-marker
!
logging rate-limit 10
no logging console
enable secret 5 <encrypted password>
!
username admin privilege 15 secret 5 <encrypted password>
username csmars privilege 15 secret 5 <encrypted password>
aaa new-model
aaa group server tacacs+ tacacs-group
 server <tacacs+ server>
!
aaa authentication login authen-exec-list group tacacs-group local-case
aaa authentication enable default group tacacs-group enable
aaa authorization exec author-exec-list group tacacs-group if-authenticated 
aaa authorization commands 15 author-15-list group tacacs-group none 
aaa accounting send stop-record authentication failure 
aaa accounting exec default start-stop group tacacs-group
aaa accounting commands 15 default start-stop group tacacs-group
aaa accounting system default start-stop group tacacs-group
!
aaa session-id common
clock timezone GMT 0
call-home
  alert-group configuration
  alert-group diagnostic
  alert-group environment
  alert-group inventory
  alert-group syslog
 profile "CiscoTAC-1"
   no active
   no destination transport-method http
   destination transport-method email
   destination address email callhome@cisco.com
   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
   subscribe-to-alert-group diagnostic severity minor 
   subscribe-to-alert-group environment severity minor 
   subscribe-to-alert-group syslog severity major pattern ".*"
   subscribe-to-alert-group configuration periodic monthly 3 11:25
   subscribe-to-alert-group inventory periodic monthly 3 11:10
ip subnet-zero
no ip source-route
!
!
!
ip ftp source-interface GigabitEthernet1/3
ip ftp username admin
ip ftp password 7 <encrypted password>
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
ip scp server enable
no ip domain-lookup
ip domain-name cisco.com
login block-for 100 attempts 5 within 50
login quiet-mode access-class 10
login on-failure log
mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls qos
mls cef error action reset
!
key chain eigrp-chain
 key 10
   key-string 7 <key>
!
!
!
!
!
!
!
!
!
memory reserve critical 1000
memory free low-watermark processor 91490
memory free low-watermark IO 6710
no hw-module slot 3 oversubscription port-group 1
!
redundancy
 keepalive-enable
 mode sso
 main-cpu
  auto-sync running-config
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
power redundancy-mode combined
fabric timer 15
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all coppclass-igp
  match access-group name coppacl-igp
class-map match-all coppclass-monitoring
  match access-group name coppacl-monitoring
class-map match-all coppclass-filemanagement
  match access-group name coppacl-filemanagement
class-map match-all coppclass-management
  match access-group name coppacl-management
!
!
policy-map copp-policy
  class coppclass-igp
   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     violate-action drop 
  class coppclass-filemanagement
   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     violate-action drop 
  class coppclass-management
   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     violate-action drop 
  class coppclass-monitoring
   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     violate-action drop 
  class class-default
   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     violate-action drop 
!
! 
!
!
!
!
interface Loopback0
 ip address 10.242.10.36 255.255.255.254
!
interface GigabitEthernet1/1
 description WAN Edge he4-3750-1 Gig 1/0/50
 ip address 10.242.10.2 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet1/2
 description WAN Edge he4-3750-2 Gig 1/0/50
 ip address 10.242.10.4 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet1/3
 description FLASH NET
 ip address <management IP add> 255.255.254.0
 ip access-group 133 in
 ip access-group 134 out
 load-interval 60
!
interface TenGigabitEthernet1/4
 description DATA CENTER 
 ip address 10.242.10.24 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface TenGigabitEthernet1/5
 no ip address
 shutdown
!
interface TenGigabitEthernet3/1
 no ip address
 shutdown
 no rcv-queue random-detect 1 
!
interface TenGigabitEthernet3/2
 no ip address
 shutdown
!
interface TenGigabitEthernet3/3
 no ip address
 shutdown
!
interface TenGigabitEthernet3/4
 no ip address
 shutdown
!
interface TenGigabitEthernet3/5
 no ip address
 shutdown
!
interface TenGigabitEthernet3/6
 no ip address
 shutdown
!
interface TenGigabitEthernet3/7
 no ip address
 shutdown
!
interface TenGigabitEthernet3/8
 no ip address
 shutdown
!
interface TenGigabitEthernet3/9
 no ip address
 shutdown
!
interface TenGigabitEthernet3/10
 no ip address
 shutdown
!
interface TenGigabitEthernet3/11
 no ip address
 shutdown
!
interface TenGigabitEthernet3/12
 no ip address
 shutdown
!
interface TenGigabitEthernet3/13
 no ip address
 shutdown
!
interface TenGigabitEthernet3/14
 no ip address
 shutdown
!
interface TenGigabitEthernet3/15
 no ip address
 shutdown
!
interface TenGigabitEthernet3/16
 no ip address
 shutdown
!
interface GigabitEthernet4/1
 description Internet Edge IE-6500-3 g2/26
 ip address 10.242.10.10 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/2
 ip address 10.242.10.12 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/3
 description OOB Switch Fe0/23
 ip address 10.242.10.18 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/4
 no ip address
 shutdown
!
interface GigabitEthernet4/5
 no ip address
 shutdown
!
interface GigabitEthernet4/6
 no ip address
 shutdown
!
interface GigabitEthernet4/7
 no ip address
 shutdown
!
interface GigabitEthernet4/8
 no ip address
 shutdown
!
interface GigabitEthernet4/9
 no ip address
 shutdown
!
interface GigabitEthernet4/10
 no ip address
 shutdown
!
interface GigabitEthernet4/11
 no ip address
 shutdown
!
interface GigabitEthernet4/12
 no ip address
 shutdown
!
interface GigabitEthernet4/13
 no ip address
 shutdown
!
interface GigabitEthernet4/14
 no ip address
 shutdown
!
interface GigabitEthernet4/15
 no ip address
 shutdown
!
interface GigabitEthernet4/16
 no ip address
 shutdown
!
interface GigabitEthernet4/17
 no ip address
 shutdown
!
interface GigabitEthernet4/18
 no ip address
 shutdown
!
interface GigabitEthernet4/19
 no ip address
 shutdown
!
interface GigabitEthernet4/20
 no ip address
 shutdown
!
interface GigabitEthernet4/21
 no ip address
 shutdown
!
interface GigabitEthernet4/22
 no ip address
 shutdown
!
interface GigabitEthernet4/23
 no ip address
 shutdown
!
interface GigabitEthernet4/24
 no ip address
 shutdown
!
interface GigabitEthernet4/25
 no ip address
 shutdown
!
interface GigabitEthernet4/26
 no ip address
 shutdown
!
interface GigabitEthernet4/27
 no ip address
 shutdown
!
interface GigabitEthernet4/28
 no ip address
 shutdown
!
interface GigabitEthernet4/29
 no ip address
 shutdown
!
interface GigabitEthernet4/30
 no ip address
 shutdown
!
interface GigabitEthernet4/31
 no ip address
 shutdown
!
interface GigabitEthernet4/32
 no ip address
 shutdown
!
interface GigabitEthernet4/33
 no ip address
 shutdown
!
interface GigabitEthernet4/34
 no ip address
 shutdown
!
interface GigabitEthernet4/35
 ip address 10.242.150.1 255.255.255.0
!
interface GigabitEthernet4/36
 no ip address
 shutdown
!
interface GigabitEthernet4/37
 no ip address
 shutdown
!
interface GigabitEthernet4/38
 no ip address
 shutdown
!
interface GigabitEthernet4/39
 no ip address
 shutdown
!
interface GigabitEthernet4/40
 no ip address
 shutdown
!
interface GigabitEthernet4/41
 no ip address
 shutdown
!
interface GigabitEthernet4/42
 no ip address
 shutdown
!
interface GigabitEthernet4/43
 no ip address
 shutdown
!
interface GigabitEthernet4/44
 no ip address
 shutdown
!
interface GigabitEthernet4/45
 no ip address
 shutdown
!
interface GigabitEthernet4/46
 description CAMPUS SFX13-6504E-2 Gig 4/46
 ip address 10.242.10.32 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/47
 description CAMPUS SFX13-6504E-1 Gig 4/47
 ip address 10.242.10.28 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/48
 description SFX14-6504E-2 Gig 4/48
 ip address 10.242.10.22 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 1
 network 10.0.0.0
 auto-summary
!
ip classless
ip route 172.26.0.0 255.255.0.0 172.26.170.1
!
!
no ip http server
no ip http secure-server
ip tacacs source-interface GigabitEthernet1/3
!
ip access-list extended coppacl-filemanagement
 remark CoPP File transfer traffic class
 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 established
 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 1023
 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 established
 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023
ip access-list extended coppacl-igp
 remark IGP traffic class
 permit eigrp any host 224.0.0.10
 permit eigrp 10.0.0.0 0.255.255.255 host <management IP add>
ip access-list extended coppacl-management
 remark CoPP management traffic class
 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> established
 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22
 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq telnet
 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq snmp
 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp
 permit udp 10.0.0.0 0.255.255.255 host 10.242.10.36 eq ntp
ip access-list extended coppacl-monitoring
 remark CoPP monitoring traffic class
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
!
logging trap critical
logging source-interface GigabitEthernet1/3
logging <CS-MARS>
access-list 10 permit 172.26.191.92
access-list 20 permit <ntp peer>
access-list 20 remark ACL for NTP Servers and Peers
access-list 20 permit <ntp server>
access-list 21 remark ACL for NTP Client
access-list 21 permit 10.0.0.0 0.255.255.255
access-list 21 permit 172.0.0.0 0.255.255.255
access-list 21 deny   any log
access-list 111 remark ACL for SSH
access-list 111 permit tcp 172.26.0.0 0.0.255.255 any eq 22
access-list 111 deny   ip any any log-input
access-list 112 remark ACL for last resort access
access-list 112 permit tcp host 172.26.191.92 any eq 22
access-list 112 deny   ip any any log-input
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> ttl-exceeded
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> port-unreachable
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo-reply
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo
access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> established
access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq tacacs
access-list 133 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp
access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22
access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 established
access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 1023
access-list 133 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 established
access-list 133 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023
access-list 133 permit ip any any log
access-list 134 permit ip host <management IP add> 172.26.0.0 0.0.255.255
access-list 134 deny   ip any any log
access-list 155 permit ip any any log
!
snmp-server enable traps cpu threshold
snmp-server host <CS-MARS> csmars  cpu
tacacs-server host <tacacs+ server> single-connection key 7 <key>
no tacacs-server directed-request
!
radius-server source-ports 1645-1646
!
control-plane
 service-policy input copp-policy
!
!
dial-peer cor custom
!
!
!
banner login 
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.

!
line con 0
 session-timeout 3 
 exec-timeout 3 0
 login authentication authen-exec-list
line vty 0 3
 session-timeout 3 
 access-class 111 in
 exec-timeout 3 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input telnet ssh
 transport output none
line vty 4
 session-timeout 3 
 access-class 112 in
 exec-timeout 3 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input ssh
 transport output none
line vty 5 15
 no exec
!
exception protocol ftp
exception dump <ftp-server>
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
process cpu statistics limit entry-percentage 40 size 300
ntp authentication-key 10 md5 <encrypted password> 7
ntp authenticate
ntp trusted-key 10
ntp clock-period 17180041
ntp access-group peer 20
ntp access-group serve-only 21
ntp update-calendar
ntp peer <ntp peer>
ntp server <ntp server>
no event manager policy Mandatory.go_switchbus.tcl type system
!
end
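
An added example, not part of the Cisco release notes: a Python check that reads an IOS listing like the one above and reports active interfaces that fall inside an EIGRP `network` statement but lack the `ip authentication mode eigrp ... md5` and `key-chain` lines, as GigabitEthernet4/35 (10.242.150.1) does in the sfx14-6504e-1 listing. The sample text is a constructed excerpt in the style of that listing, and the function names and finding labels are this example's own.

```python
import ipaddress
import re

# Constructed excerpt in the style of the sfx14-6504e-1 listing (not the full config).
SAMPLE_CONFIG = """\
key chain eigrp-chain
 key 10
   key-string 7 <key>
!
interface Loopback0
 ip address 10.242.10.36 255.255.255.254
!
interface GigabitEthernet1/1
 description WAN Edge he4-3750-1 Gig 1/0/50
 ip address 10.242.10.2 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
!
interface GigabitEthernet1/3
 description FLASH NET
 ip address <management IP add> 255.255.254.0
!
interface TenGigabitEthernet1/5
 no ip address
 shutdown
!
interface GigabitEthernet4/35
 ip address 10.242.150.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
 auto-summary
!
"""


def stanzas(config):
    """Yield (header, [stripped body lines]) for each top-level IOS stanza."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith("!") or not line.strip():
            continue  # separators and blank lines carry no settings
        if not line.startswith(" "):
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield header, body


def classful(net):
    """A `network` line without a wildcard covers the whole classful network."""
    first = int(net.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)


def audit_eigrp_auth(config):
    """Return (interface, finding) tuples in config order.

    Assumption of this example: `passive-interface default` is not modelled.
    """
    parsed = list(stanzas(config))
    key_chains = {h.split()[2] for h, _ in parsed if h.startswith("key chain ")}
    processes = {}  # AS number -> (networks, passive interface names)
    for header, body in parsed:
        m = re.fullmatch(r"router eigrp (\d+)", header)
        if not m:
            continue
        nets, passive = [], set()
        for words in (line.split() for line in body):
            if words[0] == "network" and len(words) == 3:
                # address plus wildcard (host) mask
                nets.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
            elif words[0] == "network":
                nets.append(classful(words[1]))
            elif words[0] == "passive-interface":
                passive.add(words[1])
        processes[m.group(1)] = (nets, passive)

    findings = []
    for header, body in parsed:
        if not header.startswith("interface "):
            continue
        name = header.split()[1]
        if "shutdown" in body or name.lower().startswith("loopback"):
            continue  # administratively down, or cannot form an adjacency
        addr_line = next((l for l in body if l.startswith("ip address ")), None)
        if addr_line is None:
            continue
        try:
            addr = ipaddress.ip_address(addr_line.split()[2])
        except ValueError:
            # Redacted placeholder such as <management IP add>: needs a manual check.
            findings.append((name, "address-redacted"))
            continue
        for asn, (nets, passive) in processes.items():
            if name in passive or not any(addr in n for n in nets):
                continue
            prefix = f"ip authentication key-chain eigrp {asn} "
            chain = next((l.split()[-1] for l in body if l.startswith(prefix)), None)
            if f"ip authentication mode eigrp {asn} md5" not in body or chain is None:
                findings.append((name, "eigrp-unauthenticated"))
            elif chain not in key_chains:
                findings.append((name, "key-chain-undefined"))
    return findings
```

Interfaces whose address was replaced with descriptive text are reported separately so that they can be checked against the real configuration.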

sfx14-6504e-2
!
! Last configuration change at 16:05:13 GMT Mon Apr 13 2009 by mapuebla-ops
! NVRAM config last updated at 16:08:03 GMT Mon Apr 13 2009 by mapuebla-ops
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 5
!
hostname SFX14-6504E-2
!
boot-start-marker
boot system flash bootflash:s72033-advipservicesk9_wan-mz.122-33.SXH4.bin
boot-end-marker
!
no logging console
enable secret 5 <encrypted password>
!
username admin privilege 15 secret 5 <encrypted password>
username csmars privilege 15 secret 5 <encrypted password>
aaa new-model
aaa group server tacacs+ tacacs-group
 server <tacacs+ server>
!
aaa authentication login authen-exec-list group tacacs-group local-case
aaa authentication enable default group tacacs-group enable
aaa authorization exec author-exec-list group tacacs-group if-authenticated 
aaa authorization commands 15 author-15-list group tacacs-group none 
aaa accounting send stop-record authentication failure 
aaa accounting exec default start-stop group tacacs-group
aaa accounting commands 15 default start-stop group tacacs-group
aaa accounting system default start-stop group tacacs-group
!
aaa session-id common
clock timezone GMT 0
call-home
  alert-group configuration
  alert-group diagnostic
  alert-group environment
  alert-group inventory
  alert-group syslog
 profile "CiscoTAC-1"
   no active
   no destination transport-method http
   destination transport-method email
   destination address email callhome@cisco.com
   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
   subscribe-to-alert-group diagnostic severity minor 
   subscribe-to-alert-group environment severity minor 
   subscribe-to-alert-group syslog severity major pattern ".*"
   subscribe-to-alert-group configuration periodic monthly 3 15:57
   subscribe-to-alert-group inventory periodic monthly 3 15:42
ip subnet-zero
no ip source-route
!
!
!
ip ftp source-interface GigabitEthernet4/4
ip ftp username admin
ip ftp password 7 <encrypted password>
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
ip scp server enable
ip domain-name cisco.com
login block-for 100 attempts 5 within 50
login quiet-mode access-class 10
login on-failure log
mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls qos
mls cef error action reset
!
key chain eigrp-chain
 key 10
   key-string 7 <key>
!
!
!
!
!
!
!
!
!
memory reserve critical 1000
memory free low-watermark processor 91490
memory free low-watermark IO 6710
!
redundancy
 keepalive-enable
 mode sso
 main-cpu
  auto-sync running-config
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all coppclass-igp
  match access-group name coppacl-igp
class-map match-all coppclass-monitoring
  match access-group name coppacl-monitoring
class-map match-all coppclass-filemanagement
  match access-group name coppacl-filemanagement
class-map match-all coppclass-management
  match access-group name coppacl-management
!
!
policy-map copp-policy
  class coppclass-igp
   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     violate-action drop 
  class coppclass-filemanagement
   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     violate-action drop 
  class coppclass-management
   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     violate-action drop 
  class coppclass-monitoring
   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     violate-action drop 
  class class-default
   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     violate-action drop 
!
! 
!
!
!
!
interface Loopback0
 ip address 10.242.10.38 255.255.255.254
!
interface GigabitEthernet1/1
 description Wan Edge he4-3750-1 Gig1/0/52
 ip address 10.242.10.6 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet1/2
 description Wan Edge he4-3750-2 Gig1/0/52
 ip address 10.242.10.8 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet1/3
 no ip address
 shutdown
!
interface TenGigabitEthernet1/4
 ip address 10.242.10.26 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface TenGigabitEthernet1/5
 no ip address
 shutdown
!
interface TenGigabitEthernet3/1
 no ip address
 shutdown
!
interface TenGigabitEthernet3/2
 no ip address
 shutdown
!
interface TenGigabitEthernet3/3
 no ip address
 shutdown
!
interface TenGigabitEthernet3/4
 no ip address
 shutdown
!
interface TenGigabitEthernet3/5
 no ip address
 shutdown
!
interface TenGigabitEthernet3/6
 no ip address
 shutdown
!
interface TenGigabitEthernet3/7
 no ip address
 shutdown
!
interface TenGigabitEthernet3/8
 no ip address
 shutdown
!
interface TenGigabitEthernet3/9
 no ip address
 shutdown
!
interface TenGigabitEthernet3/10
 no ip address
 shutdown
!
interface TenGigabitEthernet3/11
 no ip address
 shutdown
!
interface TenGigabitEthernet3/12
 no ip address
 shutdown
!
interface TenGigabitEthernet3/13
 no ip address
 shutdown
!
interface TenGigabitEthernet3/14
 no ip address
 shutdown
!
interface TenGigabitEthernet3/15
 no ip address
 shutdown
!
interface TenGigabitEthernet3/16
 no ip address
 shutdown
!
interface GigabitEthernet4/1
 description Internet Edge IE-6500-4
 ip address 10.242.10.14 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/2
 ip address 10.242.10.16 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/3
 description OOB Switch Fe0/24
 ip address 10.242.10.20 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/4
 description FLASH NET
 ip address <management IP add> 255.255.254.0
 ip access-group 133 in
 ip access-group 134 out
 load-interval 60
!
interface GigabitEthernet4/5
 no ip address
 shutdown
!
interface GigabitEthernet4/6
 no ip address
 shutdown
!
interface GigabitEthernet4/7
 no ip address
 shutdown
!
interface GigabitEthernet4/8
 no ip address
 shutdown
!
interface GigabitEthernet4/9
 no ip address
 shutdown
!
interface GigabitEthernet4/10
 no ip address
 shutdown
!
interface GigabitEthernet4/11
 no ip address
 shutdown
!
interface GigabitEthernet4/12
 no ip address
 shutdown
!
interface GigabitEthernet4/13
 no ip address
 shutdown
!
interface GigabitEthernet4/14
 no ip address
 shutdown
!
interface GigabitEthernet4/15
 no ip address
 shutdown
!
interface GigabitEthernet4/16
 no ip address
 shutdown
!
interface GigabitEthernet4/17
 no ip address
 shutdown
!
interface GigabitEthernet4/18
 no ip address
 shutdown
!
interface GigabitEthernet4/19
 no ip address
 shutdown
!
interface GigabitEthernet4/20
 no ip address
 shutdown
!
interface GigabitEthernet4/21
 no ip address
 shutdown
!
interface GigabitEthernet4/22
 no ip address
 shutdown
!
interface GigabitEthernet4/23
 no ip address
 shutdown
!
interface GigabitEthernet4/24
 no ip address
 shutdown
!
interface GigabitEthernet4/25
 no ip address
 shutdown
!
interface GigabitEthernet4/26
 no ip address
 shutdown
!
interface GigabitEthernet4/27
 no ip address
 shutdown
!
interface GigabitEthernet4/28
 no ip address
 shutdown
!
interface GigabitEthernet4/29
 no ip address
 shutdown
!
interface GigabitEthernet4/30
 no ip address
 shutdown
!
interface GigabitEthernet4/31
 no ip address
 shutdown
!
interface GigabitEthernet4/32
 no ip address
 shutdown
!
interface GigabitEthernet4/33
 no ip address
 shutdown
!
interface GigabitEthernet4/34
 no ip address
 shutdown
!
interface GigabitEthernet4/35
 no ip address
 shutdown
!
interface GigabitEthernet4/36
 no ip address
 shutdown
!
interface GigabitEthernet4/37
 no ip address
 shutdown
!
interface GigabitEthernet4/38
 no ip address
 shutdown
!
interface GigabitEthernet4/39
 no ip address
 shutdown
!
interface GigabitEthernet4/40
 no ip address
 shutdown
!
interface GigabitEthernet4/41
 no ip address
 shutdown
!
interface GigabitEthernet4/42
 no ip address
 shutdown
!
interface GigabitEthernet4/43
 no ip address
 shutdown
!
interface GigabitEthernet4/44
 no ip address
 shutdown
!
interface GigabitEthernet4/45
 no ip address
 shutdown
!
interface GigabitEthernet4/46
 description CAMPUS SFX13-6504E-1    Gig 4/46
 ip address 10.242.10.30 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/47
 description CAMPUS SFX13-6504E-2    Gig 4/47
 ip address 10.242.10.34 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface GigabitEthernet4/48
 description SFX14-6504E-1    Gig 4/48
 ip address 10.242.10.23 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 load-interval 60
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 1
 network 10.0.0.0
 auto-summary
!
ip classless
ip route 172.26.0.0 255.255.0.0 172.26.170.1
!
!
no ip http server
no ip http secure-server
ip tacacs source-interface GigabitEthernet4/4
!
ip access-list extended coppacl-filemanagement
 remark CoPP File transfer traffic class
 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 established
 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 1023
 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 established
 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023
ip access-list extended coppacl-igp
 remark IGP traffic class
 permit eigrp any host 224.0.0.10
 permit eigrp 10.0.0.0 0.255.255.255 host <management IP add>
ip access-list extended coppacl-management
 remark CoPP management traffic class
 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> established
 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22
 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq telnet
 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq snmp
 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp
 permit udp 10.0.0.0 0.255.255.255 host 10.242.10.38 eq ntp
ip access-list extended coppacl-monitoring
 remark CoPP monitoring traffic class
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
!
logging trap critical
logging source-interface GigabitEthernet4/4
logging <CS-MARS>
access-list 10 permit 172.26.191.92
access-list 20 permit <ntp peer>
access-list 20 remark ACL for NTP Servers and Peers
access-list 20 permit <ntp server>
access-list 21 remark ACL for NTP Client
access-list 21 permit 10.0.0.0 0.255.255.255
access-list 21 permit 172.0.0.0 0.255.255.255
access-list 21 deny   any log
access-list 111 remark ACL for SSH
access-list 111 permit tcp 172.26.0.0 0.0.255.255 any eq 22
access-list 111 deny   ip any any log-input
access-list 112 remark ACL for last resort access
access-list 112 permit tcp host 172.26.191.92 any eq 22
access-list 112 deny   ip any any log-input
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> ttl-exceeded
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> port-unreachable
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo-reply
access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo
access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> established
access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq tacacs
access-list 133 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp
access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22
access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 established
access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 1023
access-list 133 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 established
access-list 133 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023
access-list 133 permit ip any any log
access-list 134 permit ip host <management IP add> 172.26.0.0 0.0.255.255
access-list 134 deny   ip any any log
!
snmp-server enable traps cpu threshold
snmp-server host <CS-MARS> csmars  cpu
tacacs-server host <tacacs+ server> single-connection key 7 <key>
tacacs-server directed-request
!
radius-server source-ports 1645-1646
!
control-plane
 service-policy input copp-policy
!
!
dial-peer cor custom
!
!
!
banner login ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.

^C
!
line con 0
 session-timeout 3 
 exec-timeout 3 0
 login authentication authen-exec-list
line vty 0 3
 session-timeout 3 
 access-class 111 in
 exec-timeout 3 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input ssh
 transport output none
line vty 4
 session-timeout 3 
 access-class 112 in
 exec-timeout 3 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input ssh
 transport output none
line vty 5 15
 no exec
 transport input lat pad udptn telnet rlogin
!
exception protocol ftp
exception dump <ftp-server>
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
process cpu statistics limit entry-percentage 40 size 300
ntp authentication-key 10 md5 <encrypted password> 7
ntp authenticate
ntp trusted-key 10
ntp clock-period 17179940
ntp access-group peer 20
ntp access-group serve-only 21
ntp update-calendar
ntp peer <ntp peer>
ntp server <ntp server>
!
end

Intranet Data Center

Figure 2 Intranet Data Center Network Diagram

Figure 3 Intranet Data Center Security Service Traffic Flow Diagram

Core Switch—Catalyst 6500

DCA-core1
dca-core1#sh run
Building configuration...

Current configuration : 16685 bytes
!
! Last configuration change at 19:50:45 EST Mon Mar 23 2009 by chris
! NVRAM config last updated at 00:05:54 EST Thu May 14 2009
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 5
!
hostname dca-core1
!
boot-start-marker
boot system disk0:s72033-ipservicesk9-mz.122-33.SXH2a.bin
boot-end-marker
!
enable secret 5 <encrypted password>.
!
username admin privilege 15 password <encrypted password>
username dma password <encrypted password>
username chris password <encrypted password>
username csmars privilege 15 secret 5 <encrypted password>
aaa new-model
aaa group server tacacs+ tacacs-group
 server x.26.191.94
!
aaa authentication login authen-exec-list group tacacs-group local-case
aaa authentication enable default group tacacs-group enable
aaa authorization exec author-exec-list group tacacs-group if-authenticated 
aaa authorization commands 15 author-15-list group tacacs-group none 
aaa accounting send stop-record authentication failure 
aaa accounting exec default start-stop group tacacs-group
aaa accounting commands 15 default start-stop group tacacs-group
aaa accounting system default start-stop group tacacs-group
!
aaa session-id common
clock timezone GMT 0
clock summer-time EST recurring
call-home
  alert-group configuration
  alert-group diagnostic
  alert-group environment
  alert-group inventory
  alert-group syslog
 profile "CiscoTAC-1"
   no active
   no destination transport-method http
   destination transport-method email
   destination address email callhome@cisco.com
   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
   subscribe-to-alert-group diagnostic severity minor 
   subscribe-to-alert-group environment severity minor 
   subscribe-to-alert-group syslog severity major pattern ".*"
   subscribe-to-alert-group configuration periodic monthly 9 9:39
   subscribe-to-alert-group inventory periodic monthly 9 9:24
ip subnet-zero
no ip source-route
!
!
!
ip ftp source-interface GigabitEthernet6/3
ip ftp username dma1
ip ftp password <encrypted password>
no ip bootp server
ip multicast-routing 
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
ip domain-name cisco.com
login block-for 100 attempts 5 within 50
login quiet-mode access-class 10
login on-failure log
udld enable

vtp domain datacenter
vtp mode transparent
!
switch virtual domain 100
!
mls ip cef load-sharing full simple
mls netflow interface
mls flow ip interface-full
mls nde sender version 5
mls sampling packet-based 128 16000
mls qos
mls cef error action reset
!         
flow-sampler-map csmars-sample
 mode random one-out-of 100
!
key chain eigrp
 key 7
   key-string 7 05080F1C2243
key chain eigrp-chain
 key 10
   key-string 7 121A0C0411045D5679
!
!
!
!
!
!
!
!
!
archive
  path ftp://chrobrie:J0eyD0gg2@x.26.129.252/VSSarchives/$h-$t
  write-memory
memory reserve critical 1000
memory free low-watermark processor 91492
memory free low-watermark IO 6710
!
redundancy
 keepalive-enable
 mode sso
 main-cpu
  auto-sync running-config
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric switching-mode allow truncated threshold 1
fabric switching-mode allow truncated
port-channel hash-distribution adaptive
port-channel load-balance src-dst-mixed-ip-port
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all coppclass-igp
  match access-group name coppacl-igp
class-map match-all coppclass-monitoring
  match access-group name coppacl-monitoring
class-map match-all coppclass-filemanagement
  match access-group name coppacl-filemanagement
class-map match-all coppclass-management
  match access-group name coppacl-management
!
!
policy-map copp-policy
  class coppclass-igp
   police cir 300000 bc 3000 be 3000 conform-action transmit exceed-action drop violate-action drop
  class coppclass-filemanagement
   police cir 6000000 bc 60000 be 60000 conform-action transmit exceed-action drop violate-action drop
  class coppclass-management
   police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop violate-action drop
  class coppclass-monitoring
   police cir 900000 bc 9000 be 9000 conform-action transmit exceed-action drop violate-action drop
  class class-default
   police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop violate-action drop
!         
!
!
!
interface Loopback0
 ip address 10.7.20.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
!
interface Port-channel11
 description <<** to VSS **>>
 ip address 10.7.1.1 255.255.255.0
 ip pim sparse-mode
 ip authentication mode eigrp 7 md5
 ip authentication key-chain eigrp 7 eigrp
 ip igmp version 3
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 load-interval 30
!
interface GigabitEthernet1/1
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/2
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/3
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/4
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/5
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/6
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/7
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!         
interface GigabitEthernet1/8
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/9
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/10
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/11
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/12
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/13
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/14
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/15
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/16
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/17
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown 
!
interface GigabitEthernet1/18
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/19
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/20
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/21
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/22
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/23
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/24
 description G1/24 -- to NETEM -- ToAbstr1
 ip address 10.7.15.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
!
interface TenGigabitEthernet4/1
 description <to dc03-agg>
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
 channel-protocol pagp
 channel-group 11 mode desirable
!
interface TenGigabitEthernet4/2
 description <to dc01-agg>
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
 channel-protocol pagp
 channel-group 11 mode desirable
!
interface TenGigabitEthernet4/3
 description <to core-2>
 ip address 10.8.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 00071A150754
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 logging event link-status
 load-interval 30
!
interface TenGigabitEthernet4/4
 ip address 10.8.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 094F471A1A0A
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 logging event link-status
 load-interval 30
!
interface TenGigabitEthernet5/1
 description <to abs1>
 ip address 10.7.11.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
!
interface TenGigabitEthernet5/2
 description <to abs2>
 ip address 10.7.12.1 255.255.255.0
 ip flow ingress
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
 mls netflow sampling
 flow-sampler csmars-sample
!
interface TenGigabitEthernet5/3
 no ip address
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
!
interface TenGigabitEthernet5/4
 ip address 10.242.10.25 255.255.255.254
 ip flow ingress
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 logging event link-status
 load-interval 30
 mls netflow sampling
 flow-sampler csmars-sample
!
interface GigabitEthernet6/1
 no ip address
 shutdown
!         
interface GigabitEthernet6/2
 no ip address
 shutdown
!
interface GigabitEthernet6/3
 ip address x.26.146.14 255.255.254.0
 ip access-group 133 in
 ip access-group 134 out
 no ip redirects
 no ip proxy-arp
!
interface TenGigabitEthernet6/4
 no ip address
 shutdown
!
interface TenGigabitEthernet6/5
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!         
router eigrp 7
 redistribute ospf 8
 network 10.7.0.0 0.0.255.255
 default-metric 1000000 100 255 1 1500
 no auto-summary
 eigrp router-id 1.1.1.1
!
router eigrp 1
 redistribute ospf 8
 network 10.242.0.0 0.0.255.255
 default-metric 1000000 100 255 1 1500
 no auto-summary
!
router ospf 8
 router-id 8.8.8.1
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 area 0 authentication message-digest
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 redistribute connected
 redistribute static subnets
 redistribute eigrp 7 subnets
 passive-interface default
 no passive-interface TenGigabitEthernet4/3
 no passive-interface TenGigabitEthernet4/4
 network 10.8.0.0 0.0.0.255 area 0
 network 10.8.1.0 0.0.0.255 area 0
 network 10.8.2.0 0.0.0.255 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.242.10.24
ip route 10.116.132.0 255.255.255.240 x.26.146.1
ip route 64.102.208.0 255.255.254.0 x.26.146.1
ip route x.26.0.0 255.255.0.0 x.26.146.1
ip route x.26.0.0 255.255.0.0 x.26.170.1
ip route x.26.129.252 255.255.255.255 x.26.146.1
!
ip flow-export source GigabitEthernet6/3
ip flow-export version 5
ip flow-export destination x.26.191.99 2055
!
no ip http server
no ip http secure-server
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0 priority 100
ip tacacs source-interface GigabitEthernet6/3
!
ip access-list extended coppacl-filemanagement
 remark CoPP File transfer traffic class
 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.14 gt 1023 established
 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.14 gt 1023
 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023 established
 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023
ip access-list extended coppacl-igp
 remark IGP traffic class
 permit eigrp any host 224.0.0.10
 permit eigrp x.26.0.0 0.0.255.255 host x.26.146.14
ip access-list extended coppacl-management
 remark CoPP management traffic class
 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.14 established
 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq 22
 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq telnet
 permit udp x.26.0.0 0.0.255.255 host x.26.146.14 eq snmp
 permit udp x.26.0.0 0.0.255.255 host x.26.146.14 eq ntp
ip access-list extended coppacl-monitoring
 remark CoPP monitoring traffic class
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
!
kron occurrence daily-config-backup at 0:05 recurring
 policy-list backup-config
!
kron policy-list backup-config
 cli write memory 
!
logging trap critical
logging source-interface GigabitEthernet6/3
logging x.26.191.94
access-list 7 permit 10.7.0.0 0.0.255.255
access-list 8 permit 10.8.0.0 0.0.255.255
access-list 10 permit x.26.191.92
access-list 55 remark ACL for SNMP access to device
access-list 55 permit x.26.191.99
access-list 55 deny   any log
access-list 111 remark ACL for SSH
access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22
access-list 111 deny   ip any any log-input
access-list 111 permit tcp x.26.0.0 0.0.255.255 eq telnet any
access-list 111 permit tcp 10.0.0.0 0.255.255.255 eq telnet any
access-list 112 remark ACL for last resort access
access-list 112 permit tcp host x.26.191.92 any eq 22
access-list 112 deny   ip any any log-input
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 ttl-exceeded
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 port-unreachable
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 echo-reply
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 echo
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.14 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq tacacs
access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.146.14 eq ntp
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq 22
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.14 gt 1023 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.14 gt 1023
access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023 established
access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023
access-list 133 permit udp host x.26.191.99 host x.26.146.14 eq snmp
access-list 133 deny   ip any any log
access-list 134 permit ip host x.26.146.14 x.26.0.0 0.0.255.255
access-list 134 deny   ip any any log
snmp-server community public RO
snmp-server community csmars RO 55
snmp-server chassis-id DCA-agg2
snmp-server enable traps cpu threshold
snmp-server host x.26.191.99 csmars  cpu
snmp ifmib ifindex persist
tacacs-server host x.26.191.94 single-connection key 7 02050D4808095E731F
tacacs-server directed-request
!
radius-server source-ports 1645-1646
!
control-plane
 service-policy input copp-policy
!
!
dial-peer cor custom
!
!         
!
banner login ^C 
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED You must have explicit, authorized 
permission to access or configure this device.Unauthorized attempts and actions to access 
or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.

^C
!
line con 0
 session-timeout 3 
 login authentication authen-exec-list
line vty 0 3
 session-timeout 480 
 access-class 111 in
 exec-timeout 480 0
 password <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 length 0
 transport preferred none
 transport input ssh
 transport output none
line vty 4
 session-timeout 480 
 access-class 112 in
 exec-timeout 480 0
 password <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 length 0
 transport preferred none
 transport input ssh
 transport output none
line vty 5 15
 no exec
 transport input none
!
exception protocol ftp
exception dump x.26.129.252
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
process cpu statistics limit entry-percentage 40 size 300
ntp authentication-key 10 md5 110A1016141D5A5E57 7
ntp authenticate
ntp trusted-key 10
ntp clock-period 17238214
ntp source GigabitEthernet6/3
ntp update-calendar
ntp server x.26.170.14
ntp server x.26.170.13
!
end
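
IOS evaluates ACL entries top-down and stops at the first match, so the two telnet permits that follow `deny ip any any log-input` in ACL 111 of the dca-core1 listing can never match, and ACL 133 in the listing before the Intranet Data Center section ends in `permit ip any any log` where dca-core1's ends in a deny. The following check is an added example, not part of the Cisco release notes or any Cisco tool; it flags both conditions, and the names `parse_acls`, `audit` and the finding labels are this example's own.

```python
import re

# Constructed sample: entries copied from the listings above
# (addresses are masked on the page and kept as printed).
SAMPLE_CONFIG = """\
access-list 21 remark ACL for NTP Client
access-list 21 permit 10.0.0.0 0.255.255.255
access-list 21 deny   any log
access-list 111 remark ACL for SSH
access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22
access-list 111 deny   ip any any log-input
access-list 111 permit tcp x.26.0.0 0.0.255.255 eq telnet any
access-list 111 permit tcp 10.0.0.0 0.255.255.255 eq telnet any
access-list 133 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp
access-list 133 permit ip any any log
ip access-list extended coppacl-monitoring
 remark CoPP monitoring traffic class
 permit icmp any any echo-reply
 permit icmp any any echo
"""

NUMBERED = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
NAMED_HDR = re.compile(r"^ip access-list\s+(standard|extended)\s+(\S+)")
NAMED_ENTRY = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(.*)$")


def _kind_for_number(num):
    """Standard ACLs use 1-99 and 1300-1999; other numbers here are extended."""
    return "standard" if 1 <= num <= 99 or 1300 <= num <= 1999 else "extended"


def parse_acls(config):
    """Return {acl_name: (kind, [(action, body), ...])} in configuration order."""
    acls = {}
    current = None  # name of the named ACL whose indented entries we are reading
    for raw in config.splitlines():
        line = raw.rstrip()
        m = NUMBERED.match(line)
        if m:
            name = m.group(1)
            kind = _kind_for_number(int(name))
            body = " ".join(m.group(3).split())
            acls.setdefault(name, (kind, []))[1].append((m.group(2), body))
            current = None
            continue
        m = NAMED_HDR.match(line)
        if m:
            current = m.group(2)
            acls.setdefault(current, (m.group(1), []))
            continue
        m = NAMED_ENTRY.match(line)
        if m and current:
            body = " ".join(m.group(2).split())
            acls[current][1].append((m.group(1), body))
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the named ACL
    return acls


def is_catch_all(kind, body):
    """True for 'any' (standard) or 'ip any any' (extended), ignoring log options.

    Only the literal 'any' keyword form is recognised.
    """
    tokens = [t for t in body.split() if t not in ("log", "log-input")]
    return tokens == (["any"] if kind == "standard" else ["ip", "any", "any"])


def audit(config):
    """Return (acl, finding, entry) tuples for catch-all problems."""
    findings = []
    for name, (kind, entries) in parse_acls(config).items():
        catch_all = None
        for action, body in entries:
            text = f"{action} {body}"
            if catch_all is not None:
                # Everything after a catch-all entry is dead configuration.
                findings.append((name, "unreachable", text))
            elif is_catch_all(kind, body):
                catch_all = action
                if action == "permit":
                    # The ACL admits all traffic its earlier entries did not match.
                    findings.append((name, "catch-all-permit", text))
    return findings


if __name__ == "__main__":
    for acl, finding, entry in audit(SAMPLE_CONFIG):
        print(f"ACL {acl}: {finding}: {entry}")
```
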




DCA-core2
dca-core2#sh run
Building configuration...

Current configuration : 16721 bytes
!
! Last configuration change at 23:27:03 EST Tue May 12 2009 by chris
! NVRAM config last updated at 00:05:37 EST Thu May 14 2009
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 5
!
hostname dca-core2
!
boot-start-marker
boot system disk0:s72033-ipservicesk9-mz.122-33.SXH2a.bin
boot-end-marker
!
enable secret 5 $<encrypted password>/
enable password <encrypted password>
!         
username admin privilege 15 password <encrypted password>
username dma password 7 <encrypted password>
username chris password 7 <encrypted password>
username csmars privilege 15 secret 5 <encrypted password>/
aaa new-model
aaa group server tacacs+ tacacs-group
 server x.26.191.94
!
aaa authentication login authen-exec-list group tacacs-group local-case
aaa authentication enable default group tacacs-group enable
aaa authorization exec author-exec-list group tacacs-group if-authenticated 
aaa authorization commands 15 author-15-list group tacacs-group none 
aaa accounting send stop-record authentication failure 
aaa accounting exec default start-stop group tacacs-group
aaa accounting commands 15 default start-stop group tacacs-group
aaa accounting system default start-stop group tacacs-group
!
aaa session-id common
clock timezone GMT 0
clock summer-time EST recurring
call-home
  alert-group configuration
  alert-group diagnostic
  alert-group environment
  alert-group inventory
  alert-group syslog
 profile "CiscoTAC-1"
   no active
   no destination transport-method http
   destination transport-method email
   destination address email callhome@cisco.com
   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
   subscribe-to-alert-group diagnostic severity minor 
   subscribe-to-alert-group environment severity minor 
   subscribe-to-alert-group syslog severity major pattern ".*"
   subscribe-to-alert-group configuration periodic monthly 16 16:46
   subscribe-to-alert-group inventory periodic monthly 16 16:31
ip subnet-zero
no ip source-route
!
!
!
ip ftp source-interface GigabitEthernet6/3
ip ftp username admin
ip ftp password 7 <encrypted password>
no ip bootp server
ip multicast-routing 
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
no ip domain-lookup
ip domain-name cisco.com
login block-for 100 attempts 5 within 50
login quiet-mode access-class 10
login on-failure log
udld enable

vtp domain datacenter
vtp mode transparent
!
switch virtual domain 100
!
mls ip cef load-sharing full simple
mls netflow interface
mls flow ip interface-full
mls nde sender version 5
mls sampling packet-based 128 16000
mls qos
mls cef error action reset
!
flow-sampler-map csmars-sample
 mode random one-out-of 100
!
key chain eigrp
 key 7
   key-string 7 13061E010803
key chain eigrp-chain
 key 10
   key-string 7 05080F1C22431F5B4A
!
!
!
!
!
!
!
!
!
archive
  path ftp://chrobrie:J0eyD0gg2@x.26.129.252/VSSarchives/$h-$t
  write-memory
memory reserve critical 1000
memory free low-watermark processor 91492
memory free low-watermark IO 6710
!
redundancy
 keepalive-enable
 mode sso
 main-cpu
  auto-sync running-config
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric switching-mode allow truncated threshold 1
fabric switching-mode allow truncated
port-channel hash-distribution adaptive
port-channel load-balance src-dst-mixed-ip-port
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!         
class-map match-all coppclass-igp
  match access-group name coppacl-igp
class-map match-all coppclass-monitoring
  match access-group name coppacl-monitoring
class-map match-all coppclass-filemanagement
  match access-group name coppacl-filemanagement
class-map match-all coppclass-management
  match access-group name coppacl-management
!
!
policy-map copp-policy
  class coppclass-igp
   police cir 300000 bc 3000 be 3000 conform-action transmit exceed-action drop violate-action drop
  class coppclass-filemanagement
   police cir 6000000 bc 60000 be 60000 conform-action transmit exceed-action drop violate-action drop
  class coppclass-management
   police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop violate-action drop
  class coppclass-monitoring
   police cir 900000 bc 9000 be 9000 conform-action transmit exceed-action drop violate-action drop
  class class-default
   police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop violate-action drop
!
!
!
!
interface Loopback0
 ip address 10.7.21.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
!
interface Port-channel12
 ip address 10.7.2.1 255.255.255.0
 ip pim sparse-mode
 ip authentication mode eigrp 7 md5
 ip authentication key-chain eigrp 7 eigrp
 ip igmp version 3
 logging event link-status
 logging event trunk-status
 logging event bundle-status
!
interface GigabitEthernet1/1
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/2
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/3
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/4
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/5
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/6
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/7
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown 
!
interface GigabitEthernet1/8
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/9
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/10
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/11
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/12
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/13
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/14
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/15
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/16
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/17
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/18
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/19
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/20
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!         
interface GigabitEthernet1/21
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/22
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/23
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 shutdown
!
interface GigabitEthernet1/24
 description G1/24 -- NETEM -- Abstr2
 ip address 10.7.16.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
!
interface TenGigabitEthernet4/1
 description <** to Agg2 **>
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
 channel-protocol pagp
 channel-group 12 mode desirable
!
interface TenGigabitEthernet4/2
 description <** to Agg1 **>>
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
 channel-protocol pagp
 channel-group 12 mode desirable
!
interface TenGigabitEthernet4/3
 description <<** to Core1  **>>
 ip address 10.8.0.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 0822455D0A16
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 logging event link-status
 load-interval 30
!
interface TenGigabitEthernet4/4
 ip address 10.8.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp query-interval 125
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 05080F1C2243
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 logging event link-status
 load-interval 30
!
interface TenGigabitEthernet5/1
 description <<** to Abstr1 **>>
 ip address 10.7.13.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
!
interface TenGigabitEthernet5/2
 description <<** to Abstr2 **>>
 ip address 10.7.14.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
 mls netflow sampling
 flow-sampler csmars-sample
!
interface TenGigabitEthernet5/3
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 load-interval 30
!
interface TenGigabitEthernet5/4
 ip address 10.242.10.27 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 logging event link-status
 load-interval 30
 mls netflow sampling
 flow-sampler csmars-sample
!
interface GigabitEthernet6/1
 no ip address
 shutdown
!
interface GigabitEthernet6/2
 no ip address
 shutdown
!
interface GigabitEthernet6/3
 ip address x.26.146.15 255.255.254.0
 ip access-group 133 in
 ip access-group 134 out
 no ip redirects
 no ip proxy-arp
!
interface TenGigabitEthernet6/4
 no ip address
 shutdown
!
interface TenGigabitEthernet6/5
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 7
 redistribute ospf 8
 network 10.7.0.0 0.0.255.255
 default-metric 1000000 100 255 1 1500
 no auto-summary
 eigrp router-id 1.1.1.2
!
router eigrp 1
 redistribute ospf 8
 network 10.242.0.0 0.0.255.255
 default-metric 1000000 100 255 1 1500
 no auto-summary
!
router ospf 8
 router-id 8.8.8.2
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 area 0 authentication message-digest
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 redistribute connected
 redistribute static subnets
 redistribute eigrp 7 subnets
 passive-interface default
 no passive-interface TenGigabitEthernet4/3
 no passive-interface TenGigabitEthernet4/4
 network 10.8.0.0 0.0.0.255 area 0
 network 10.8.1.0 0.0.0.255 area 0
 network 10.8.2.0 0.0.0.255 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.242.10.26
ip route 10.116.132.0 255.255.255.240 x.26.146.1
ip route 64.102.208.0 255.255.254.0 x.26.146.1
ip route x.26.0.0 255.255.0.0 x.26.146.1
ip route x.26.129.252 255.255.255.255 x.26.146.1
!         
ip flow-export source GigabitEthernet6/3
ip flow-export destination x.26.191.99 2055
!
no ip http server
no ip http secure-server
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0 priority 90
ip tacacs source-interface GigabitEthernet6/3
!
ip access-list extended coppacl-filemanagement
 remark CoPP File transfer traffic class
 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.15 gt 1023 established
 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.15 gt 1023
 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023 established
 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023
ip access-list extended coppacl-igp
 remark IGP traffic class
 permit eigrp any host 224.0.0.10
 permit eigrp x.26.0.0 0.0.255.255 host x.26.146.15
ip access-list extended coppacl-management
 remark CoPP management traffic class
 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.15 established
 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq 22
 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq telnet
 permit udp x.26.0.0 0.0.255.255 host x.26.146.15 eq snmp
 permit udp x.26.0.0 0.0.255.255 host x.26.146.15 eq ntp
ip access-list extended coppacl-monitoring
 remark CoPP monitoring traffic class
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
!
kron occurrence daily-config-backup at 0:05 recurring
 policy-list backup-config
!
kron policy-list backup-config
 cli write memory 
!
logging trap critical
logging x.26.191.99
access-list 7 permit 10.7.0.0 0.0.255.255
access-list 8 permit 10.8.0.0 0.0.255.255
access-list 10 permit x.26.191.92
access-list 10 remark 
access-list 10 remark Login Delay a 100-second quiet period if 5 failed login attempts is exceeded
access-list 55 remark ACL for SNMP access to device
access-list 55 permit x.26.191.99
access-list 55 deny   any log
access-list 111 remark ACL for SSH
access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22
access-list 111 deny   ip any any log-input
access-list 112 remark ACL for last resort access
access-list 112 permit tcp host x.26.191.92 any eq 22
access-list 112 deny   ip any any log-input
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 ttl-exceeded
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 port-unreachable
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 echo-reply
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 echo
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.15 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq tacacs
access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.146.15 eq ntp
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq 22
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.15 gt 1023 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.15 gt 1023
access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023 established
access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023
access-list 133 permit udp host x.26.191.99 host x.26.146.15 eq snmp
access-list 133 deny   ip any any log
access-list 134 permit ip host x.26.146.15 x.26.0.0 0.0.255.255
access-list 134 deny   ip any any log
snmp-server community public RO
snmp-server community csmars RO 55
snmp-server chassis-id DCA-agg2
snmp-server enable traps cpu threshold
snmp-server host x.26.191.99 public  cpu
snmp ifmib ifindex persist
tacacs-server host x.26.191.94 single-connection key 7 01100F175804575D72
tacacs-server directed-request
!
radius-server source-ports 1645-1646
!
control-plane
 service-policy input copp-policy
!
!
dial-peer cor custom
!
!
!
banner login ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
^C
!
line con 0
 session-timeout 3 
 login authentication authen-exec-list
line vty 0 3
 session-timeout 480 
 access-class 111 in
 exec-timeout 480 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 length 0
 transport preferred none
 transport input ssh
 transport output none
line vty 4
 session-timeout 480 
 access-class 112 in
 exec-timeout 480 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 length 0
 transport preferred none
 transport input ssh
 transport output none
line vty 5 15
 no exec
 transport input none
!
exception protocol ftp
exception dump x.26.129.252
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
process cpu statistics limit entry-percentage 40 size 300
ntp authentication-key 10 md5 13061E010803557878 7
ntp authenticate
ntp trusted-key 10
ntp clock-period 17093461
ntp source GigabitEthernet6/3
ntp server x.26.170.14
ntp server x.26.170.13
!
end

Aggregation Switch - Nexus 7000
Nexus 7000 1
dca-n7k1# sh run vdc-all
!Running config for default vdc: dca-n7k1

version 4.1(2)
power redundancy-mode combined force

feature telnet
feature tacacs+
feature ospf
feature pim
feature private-vlan
feature udld
feature interface-vlan
feature netflow
feature hsrp
feature lacp

role feature-group name network-admin
username admin password 5 <encrypted password> role network-admin
username dma password 5 <encrypted password> role network-admin
username chris password 5 <encrypted password> role network-admin
username me password 5 <encrypted password> role network-operator
ntp server x.26.146.1 use-vrf management
ntp source x.26.146.136
ip domain-lookup
ip host dca-n7k1 x.26.146.136
tacacs-server key 7 "<key>"
tacacs-server host x.26.191.94 key 7 "<key>" 
aaa group server tacacs+ tacacs-group 
    server x.26.191.94 
    use-vrf management
switchname dca-n7k1
ip access-list copp-system-acl-ftp
  10 permit tcp any any eq ftp-data 
  20 permit tcp any any eq ftp 
  30 permit tcp any eq ftp-data any 
  40 permit tcp any eq ftp any 
ip access-list copp-system-acl-bgp
  10 permit tcp any gt 1024 any eq bgp 
  20 permit tcp any eq bgp any gt 1024 
ip access-list copp-system-acl-rip
  10 permit udp any 224.0.0.0/24 eq rip 
ip access-list copp-system-acl-vrrp
  10 permit 112 any 224.0.0.0/24 
ip access-list 134
  10 permit ip x.26.146.136/32 x.26.0.0/16 
  20 deny ip any any log 
ip access-list copp-system-acl-igmp
  10 permit igmp any 224.0.0.0/24 
ip access-list copp-system-acl-pim
  10 permit pim any 224.0.0.0/24 
  20 permit udp any any eq pim-auto-rp 
ip access-list copp-system-acl-msdp
  10 permit tcp any gt 1024 any eq 639 
  20 permit tcp any eq 639 any gt 1024 
ip access-list copp-system-acl-telnet
  10 permit tcp any any eq telnet 
  20 permit tcp any any eq 107 
  30 permit tcp any eq telnet any 
  40 permit tcp any eq 107 any 
ip access-list copp-system-acl-tftp
  10 permit udp any any eq tftp 
  20 permit udp any any eq 1758 
  30 permit udp any eq tftp any 
  40 permit udp any eq 1758 any 
ip access-list copp-system-acl-eigrp
  10 permit eigrp any any 
ip access-list copp-system-acl-ssh
  10 permit tcp any any eq 22 
  20 permit tcp any eq 22 any 
ip access-list copp-system-acl-glbp
  10 permit udp any eq 3222 224.0.0.0/24 eq 3222 
ip access-list copp-system-acl-snmp
  10 permit udp any any eq snmp 
  20 permit udp any any eq snmptrap 
ip access-list copp-system-acl-hsrp
  10 permit udp any 224.0.0.0/24 eq 1985 
ip access-list copp-system-acl-ospf
  10 permit ospf any any 
ip access-list copp-system-acl-sftp
  10 permit tcp any any eq 115 
  20 permit tcp any eq 115 any 
ip access-list copp-system-acl-tacacs
  10 permit tcp any any eq tacacs 
  20 permit tcp any eq tacacs any 
ip access-list 133
  10 permit icmp x.26.0.0/16 x.26.146.136/32 ttl-exceeded 
  20 permit icmp x.26.0.0/16 x.26.146.136/32 port-unreachable 
  30 permit icmp x.26.0.0/16 x.26.146.136/32 echo-reply 
  40 permit icmp x.26.0.0/16 x.26.146.136/32 echo 
  50 permit tcp x.26.0.0/16 eq tacacs x.26.146.136/32 established 
  60 permit tcp x.26.0.0/16 x.26.146.136/32 eq tacacs 
  70 permit udp x.26.0.0/16 x.26.146.136/32 eq ntp 
  80 permit tcp x.26.0.0/16 x.26.146.136/32 eq 22 
  90 permit tcp x.26.0.0/16 eq ftp x.26.146.136/32 gt 1023 established 
  100 permit tcp x.26.0.0/16 eq ftp-data x.26.146.136/32 gt 1023 
  110 permit tcp x.26.0.0/16 gt 1023 x.26.146.136/32 gt 1023 established 
  120 permit udp x.26.0.0/16 gt 1023 x.26.146.136/32 gt 1023 
  130 permit udp x.26.191.99/32 x.26.146.136/32 eq snmp 
  140 deny ip any any log 
ip access-list copp-system-acl-traceroute
  10 permit icmp any any ttl-exceeded 
  20 permit icmp any any port-unreachable 
ip access-list copp-system-acl-undesirable
  10 permit udp any any eq 1434 
ip access-list copp-system-acl-icmp
  10 permit icmp any any echo 
  20 permit icmp any any echo-reply 
ip access-list copp-system-acl-radius
  10 permit udp any any eq 1812 
  20 permit udp any any eq 1813 
  30 permit udp any any eq 1645 
  40 permit udp any any eq 1646 
  50 permit udp any eq 1812 any 
  60 permit udp any eq 1813 any 
  70 permit udp any eq 1645 any 
  80 permit udp any eq 1646 any 
ip access-list copp-system-acl-ntp
  10 permit udp any any eq ntp 
  20 permit udp any eq ntp any 
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-bgp
  match access-group name copp-system-acl-eigrp
  match access-group name copp-system-acl-igmp
  match access-group name copp-system-acl-msdp
  match access-group name copp-system-acl-ospf
  match access-group name copp-system-acl-pim
  match access-group name copp-system-acl-rip
class-map type control-plane match-any copp-system-class-exception
  match exception ip option
  match exception ip icmp unreachable
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-glbp
  match access-group name copp-system-acl-hsrp
  match access-group name copp-system-acl-vrrp
class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ftp
  match access-group name copp-system-acl-ntp
  match access-group name copp-system-acl-radius
  match access-group name copp-system-acl-sftp
  match access-group name copp-system-acl-snmp
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-tacacs
  match access-group name copp-system-acl-telnet
  match access-group name copp-system-acl-tftp
class-map type control-plane match-any copp-system-class-monitoring
  match access-group name copp-system-acl-icmp
  match access-group name copp-system-acl-traceroute
class-map type control-plane match-any copp-system-class-normal
  match protocol arp
class-map type control-plane match-any copp-system-class-redirect
  match redirect dhcp-snoop
  match redirect arp-inspect
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-undesirable
policy-map type control-plane copp-system-policy 
  class copp-system-class-critical
    police cir 40900 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-important
    police cir 1060 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-management
    police cir 10000 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-normal
    police cir 680 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-redirect
    police cir 280 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-monitoring
    police cir 100 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-exception
    police cir 360 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-undesirable
    police cir 32 kbps bc 250 ms conform drop violate drop 
  class class-default
    police cir 100 kbps bc 250 ms conform transmit violate drop 
control-plane
  service-policy input copp-system-policy 
snmp-server user me network-operator auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey
snmp-server user dma network-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey
snmp-server user admin network-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey
snmp-server user chris network-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey
snmp-server enable traps entity fru
aaa authentication login console group tacacs-group 
aaa accounting default group tacacs-group 
aaa authentication login error-enable 
aaa authentication login ascii-authentication 

vrf context management
  ip route 0.0.0.0/0 10.1.1.1
  ip route 0.0.0.0/0 x.26.146.1
vlan 1
route-map clients permit 1

vdc dca-n7k1 id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 192
  limit-resource u4route-mem minimum 32 maximum 32
  limit-resource u6route-mem minimum 16 maximum 16
  limit-resource m4route-mem minimum 48 maximum 48
  limit-resource m6route-mem minimum 8 maximum 8
vdc vdc1 id 2
  allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/9,Ethernet1/11,Ethernet1/13,Ethernet1/15
  allocate interface Ethernet2/2,Ethernet2/4,Ethernet2/6,Ethernet2/8
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 192
  limit-resource u4route-mem minimum 8 maximum 8
  limit-resource u6route-mem minimum 4 maximum 4
  limit-resource m4route-mem minimum 8 maximum 8
  limit-resource m6route-mem minimum 2 maximum 2
vdc vdc2 id 3
  allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8,Ethernet1/10,Ethernet1/12,Ethernet1/14,Ethernet1/16-32
  allocate interface Ethernet2/1,Ethernet2/3,Ethernet2/5,Ethernet2/7,Ethernet2/9-48
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 192
  limit-resource u4route-mem minimum 8 maximum 8
  limit-resource u6route-mem minimum 4 maximum 4
  limit-resource m4route-mem minimum 8 maximum 8
  limit-resource m6route-mem minimum 2 maximum 2

interface Vlan1

interface cmp-mgmt module 5
      ip address x.26.146.175 255.255.254.0
      ip default-gateway x.26.146.1
interface cmp-mgmt module 6
      ip address x.26.146.176 255.255.254.0
      ip default-gateway x.26.146.1


interface Ethernet10/1

interface Ethernet10/2

interface Ethernet10/3

interface Ethernet10/4

interface Ethernet10/5

interface Ethernet10/6

interface Ethernet10/7

interface Ethernet10/8

interface Ethernet10/9

interface Ethernet10/10

interface Ethernet10/11

interface Ethernet10/12

interface Ethernet10/13

interface Ethernet10/14

interface Ethernet10/15

interface Ethernet10/16

interface Ethernet10/17

interface Ethernet10/18

interface Ethernet10/19

interface Ethernet10/20

interface Ethernet10/21

interface Ethernet10/22

interface Ethernet10/23

interface Ethernet10/24

interface Ethernet10/25

interface Ethernet10/26

interface Ethernet10/27

interface Ethernet10/28

interface Ethernet10/29

interface Ethernet10/30

interface Ethernet10/31

interface Ethernet10/32

interface Ethernet10/33

interface Ethernet10/34

interface Ethernet10/35

interface Ethernet10/36

interface Ethernet10/37

interface Ethernet10/38

interface Ethernet10/39

interface Ethernet10/40

interface Ethernet10/41

interface Ethernet10/42

interface Ethernet10/43

interface Ethernet10/44

interface Ethernet10/45

interface Ethernet10/46

interface Ethernet10/47

interface Ethernet10/48

interface mgmt0
  ip access-group 133 in
  ip access-group 134 out
  vrf member management
  ip address x.26.146.136/23
  no ip redirects
clock timezone EDT -5 0
clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60
cli alias name save copy runn start vdc
line console
  terminal length 30
boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-1
boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-1
boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-2
boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-2
ip route x.26.0.0/16 x.26.146.1
monitor session 1 


!Running config for vdc: vdc1


switchto vdc vdc1
version 4.1(2)
feature tacacs+
feature ospf
feature ospfv3
feature pim
feature udld
feature interface-vlan
feature hsrp
feature lacp

logging level monitor 7
username admin password 5 <encrypted password> role vdc-admin
ip domain-lookup
ip domain-name cisco.com
tacacs-server key 7 "fewhg123"
tacacs-server host x.26.191.94 key 7 "fewhg123" 
aaa group server tacacs+ tacacs-group 
    server x.26.191.94 
service unsupported-transceiver
ip access-list 112
  10 remark ACL for last resort access
  20 permit tcp x.26.191.92/32 any eq 22 
  30 deny ip any any log 
ip access-list 111
  10 remark ACL for SSH
  20 permit tcp x.26.0.0/16 any eq 22 
  30 deny ip any any log 
snmp-server user admin vdc-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey
aaa accounting default group tacacs-group 

vrf context management
  ip route 0.0.0.0/0 x.26.146.1
vlan 1,3
vlan 99
  name vmconsole
vlan 128-133
vlan 151
  name asa-vdc2-Outside
vlan 161
  name asa-vdc1-Outside
vlan 770-771
spanning-tree pathcost method long
spanning-tree port type network default
spanning-tree vlan 99,128,130,132,166,770-771 priority 24576
spanning-tree vlan 129,131,133 priority 28672
route-map static permit 10


interface Vlan1

interface Vlan3
  no shutdown
  ip address 10.8.3.1/24
  ip ospf authentication message-digest
  ip ospf authentication-key 3 9125d59c18a9b015
  ip ospf dead-interval 3
  ip ospf hello-interval 1
  ip router ospf 8 area 0.0.0.0
  ip pim sparse-mode
  ip igmp version 3

interface Vlan99
  no shutdown
  ip address 10.8.99.3/24
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20
    timers  1  3
    ip 10.8.99.1 

interface Vlan128
  no shutdown
  ip address 10.8.128.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.128.1 

interface Vlan129
  no shutdown
  ip address 10.8.129.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.129.1 

interface Vlan130
  no shutdown
  ip address 10.8.130.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.130.1 

interface Vlan131
  no shutdown
  ip address 10.8.131.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.131.1 

interface Vlan132
  no shutdown
  ip address 10.8.132.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.132.1 

interface Vlan133
  no shutdown
  ip address 10.8.133.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.133.1 

interface Vlan151
  no shutdown
  ip address 10.8.152.3/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.152.1 

interface Vlan161
  no shutdown
  ip address 10.8.162.3/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.162.1 

interface port-channel99
  description to dca-n7k2-vdc1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771
  spanning-tree port type network
  logging event port link-status

interface Ethernet1/1
  description to dca-core2 Ten4/4
  ip address 10.8.1.2/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 9125d59c18a9b015
  ip ospf dead-interval 3
  ip ospf hello-interval 1
  ip router ospf 8 area 0.0.0.0
  ip pim sparse-mode
  ip igmp version 3
  no shutdown

interface Ethernet1/3
  description to dca-asa2 Ten5/0
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 161
  spanning-tree port type normal
  no shutdown

interface Ethernet1/5
  description to dca-asa2 Ten7/0
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 151
  spanning-tree port type normal
  no shutdown

interface Ethernet1/7
  no shutdown

interface Ethernet1/9

interface Ethernet1/11

interface Ethernet1/13
  description ISL 
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771
  channel-group 99 mode active
  no shutdown

interface Ethernet1/15
  description ISL 
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771
  channel-group 99 mode active
  no shutdown

interface Ethernet2/2
  description IXIA port 4/1
  switchport
  switchport access vlan 128
  spanning-tree port type edge
  no shutdown

interface Ethernet2/4
  description IXIA port 4/2
  switchport
  switchport access vlan 130
  spanning-tree port type edge
  no shutdown

interface Ethernet2/6
  description IXIA port 4/3
  switchport
  switchport access vlan 132
  spanning-tree port type edge
  no shutdown

interface Ethernet2/8
  description IXIA port 4/4

interface mgmt0
  description <<mgmt interface>>
  ip address x.26.146.137/23
clock timezone EDT -5 0
clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60
no logging console
cli alias name save copy runn start
line console
  terminal length 30
router ospf 8
  router-id 3.3.3.1
  area 81 nssa
  default-information originate
  area 0.0.0.0 range 10.8.0.0/24
  area 0.0.0.0 range 10.8.1.0/24
  area 0.0.0.0 range 10.8.2.0/24
  area 0.0.0.0 range 10.8.3.0/24
  area 0.0.0.81 range 10.8.128.0/18
  area 0.0.0.0 authentication message-digest
  area 0.0.0.81 authentication message-digest
  timers throttle spf 10 100 5000
  timers throttle lsa router 1000
  timers throttle lsa network 1000
  auto-cost reference-bandwidth 10000
no ip source-route
ip pim ssm range 232.0.0.0/8


switchback
!Running config for vdc: vdc2


switchto vdc vdc2
version 4.1(2)
feature ospf
feature ospfv3
feature pim
feature udld
feature interface-vlan
feature hsrp
feature lacp

username admin password 5 <encrypted password> role vdc-admin
ip domain-lookup
system default switchport
logging event link-status default
logging event trunk-status default
service unsupported-transceiver
snmp-server user admin vdc-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey

vrf context erspan
vrf context servers1
  ip route 0.0.0.0/0 10.8.162.1
vrf context servers2
  ip route 0.0.0.0/0 10.8.152.1
vrf context management
  ip route 0.0.0.0/0 x.26.146.1
vlan 1
vlan 15
  name vmkernel
vlan 50-51
vlan 98
  name serviceconsole
vlan 141-142,152-153,162-164,166-169
vlan 171
  name failover
vlan 172
  name state
vlan 180-183
vlan 191
  name waas
vlan 200
  name Mike-Server-1
vlan 201
  name Mike-Server-2
vlan 202
  name Mike-Server-3
vlan 300-399
vlan 999
  name ACEquery
vlan 3000
  name erspan
vlan 3001
  name erspan-ss1
vlan 3002
  name vemcontrol
vlan 3003
  name vempacket
spanning-tree pathcost method long
spanning-tree port type network default
spanning-tree vlan 1,15,98,142,166,168,180,182,200-202,300-399,3000,3002-3003 priority 24576
spanning-tree vlan 50-51,167,169,181,183 priority 28672


interface Vlan1

interface Vlan15
  no shutdown
  vrf member servers1
  ip address 10.8.15.3/24
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20
    timers  1  3
    ip 10.8.15.1 

interface Vlan50
  no shutdown
  vrf member servers2
  ip address 10.8.50.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.50.1 

interface Vlan51
  no shutdown
  vrf member servers2
  ip address 10.8.51.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.51.1 

interface Vlan98
  no shutdown
  vrf member servers1
  ip address 10.8.98.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20
    timers  1  3
    ip 10.8.98.1 

interface Vlan141
  vrf member servers1
  ip address 10.8.141.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.141.1 

interface Vlan142
  no shutdown
  vrf member servers1
  ip address 10.8.141.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.141.1 

interface Vlan152
  no shutdown
  vrf member servers2
  ip address 10.8.152.5/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.152.7 

interface Vlan153
  vrf member servers2
  ip address 10.8.152.5/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.152.7 

interface Vlan164
  no shutdown
  vrf member servers1
  ip address 10.8.162.5/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.162.7 

interface Vlan166
  no shutdown
  vrf member servers1
  ip address 10.8.166.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.166.1 

interface Vlan167
  no shutdown
  vrf member servers2
  ip address 10.8.167.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.167.1 

interface Vlan168
  no shutdown
  vrf member servers1
  ip address 10.8.168.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.168.1 

interface Vlan169
  no shutdown
  vrf member servers2
  ip address 10.8.169.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.169.1 

interface Vlan180
  no shutdown
  vrf member servers1
  ip address 10.8.180.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.180.1 

interface Vlan181
  no shutdown
  vrf member servers2
  ip address 10.8.181.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.181.1 

interface Vlan182
  no shutdown
  vrf member servers1
  ip address 10.8.182.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.182.1 

interface Vlan183
  no shutdown
  vrf member servers2
  ip address 10.8.183.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.183.1 

interface Vlan200
  no shutdown
  vrf member servers2
  ip address 10.8.200.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 600 reload 300 
    timers  1  3
    ip 10.8.200.1 

interface Vlan201
  no shutdown
  vrf member servers2
  ip address 10.8.201.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 600 reload 300 
    timers  1  3
    ip 10.8.201.1 

interface Vlan202
  no shutdown
  vrf member servers2
  ip address 10.8.202.3/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 600 reload 300 
    timers  1  3
    ip 10.8.202.1 

interface Vlan3000
  no shutdown
  ip address 10.8.3.3/24
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.3.1 

interface Vlan3001
  no shutdown
  ip address 10.8.33.3/24

interface port-channel7
  description to vbs
  switchport mode trunk
  switchport trunk allowed vlan 180-183
  spanning-tree port type normal
  spanning-tree guard root
  logging event port link-status
  logging event port trunk-status

interface port-channel71
  switchport mode trunk
  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  logging event port link-status
  logging event port trunk-status

interface port-channel72

interface port-channel99
  description ISL to dca-n7k2-vdc1
  switchport mode trunk
  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164
  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202
  switchport trunk allowed vlan add 300-399,999,3000-3003
  spanning-tree cost 500
  spanning-tree port type network
  logging event port link-status

interface port-channel200
  description to dc10-5020-5
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  spanning-tree port type network
  spanning-tree guard loop
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/2
  description E1/2 to dca-newSS2 Ten1/2
  switchport mode trunk
  switchport trunk allowed vlan 152-153,162-164,191,999,3001
  spanning-tree port type network
  spanning-tree guard loop
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/4
  description E1/4 to dca-newSS1 Ten1/1
  switchport mode trunk
  switchport trunk allowed vlan 152-153,162-164,191,999,3001
  spanning-tree port type network
  spanning-tree guard loop
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/6
  description to dc10-5020-5
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  logging event port link-status
  logging event port trunk-status
  udld enable
  channel-group 200 mode active

interface Ethernet1/8
  description to dc10-5020-6
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  spanning-tree port type network
  spanning-tree guard loop
  logging event port link-status
  logging event port trunk-status
  udld enable

interface Ethernet1/10
  description to dca-asa2 Ten5/1
  switchport mode trunk
  switchport trunk allowed vlan 162
  spanning-tree port type normal

interface Ethernet1/12
  description to dca-asa2 Ten7/1
  switchport mode trunk
  switchport trunk allowed vlan 152
  spanning-tree port type normal

interface Ethernet1/14
  description ISL 
  switchport mode trunk
  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164
  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202
  switchport trunk allowed vlan add 300-399,999,3000-3003
  channel-group 99 mode active

interface Ethernet1/16
  description ISL 
  switchport mode trunk
  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164
  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202
  switchport trunk allowed vlan add 300-399,999,3000-3003
  channel-group 99 mode active

interface Ethernet1/17
  description dc20-4948-1 
  switchport mode trunk
  switchport trunk allowed vlan 50-51,142
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/18
  description dc07-3120-vbs Ten4/0/2
  switchport mode trunk
  switchport trunk allowed vlan 180-183
  spanning-tree port type normal
  spanning-tree guard root
  channel-group 7 mode active

interface Ethernet1/19
  description dc20-4948-2 
  switchport mode trunk
  switchport trunk allowed vlan 50-51,142
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/20
  description dc07-3120-vbs Ten2/0/1 
  switchport mode trunk
  switchport trunk allowed vlan 180-183
  spanning-tree port type normal
  spanning-tree guard root
  channel-group 7 mode active

interface Ethernet1/21

interface Ethernet1/22
  description to dc10-5020-5
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  logging event port link-status
  logging event port trunk-status
  udld enable
  channel-group 200 mode active

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25
  description dca-vss-acc
  switchport mode trunk
  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  logging event port link-status
  logging event port trunk-status
  channel-group 71 mode active

interface Ethernet1/26
  description dc10-5020-1 
  switchport mode trunk
  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/27
  description dca-vss-acc
  switchport mode trunk
  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  logging event port link-status
  logging event port trunk-status
  channel-group 71 mode active

interface Ethernet1/28
  description dc10.5020-2
  switchport mode trunk
  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/29
  description to 6k access
  switchport mode trunk
  switchport trunk allowed vlan 128-133,164-169,180-183,300-399
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/30
  description dc10-5020-1 
  switchport mode trunk
  switchport trunk allowed vlan 15,98,180-183
  spanning-tree port type network

interface Ethernet1/31
  description to 6k access
  switchport mode trunk
  switchport trunk allowed vlan 128-133,164-169,180-183,300-399
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/32
  description dc10-5020-1 
  switchport mode trunk
  switchport trunk allowed vlan 15,98,180-183
  spanning-tree port type network

interface Ethernet2/1
  switchport access vlan 172
  spanning-tree port type normal

interface Ethernet2/3
  switchport access vlan 171
  spanning-tree port type normal

interface Ethernet2/5

interface Ethernet2/7

interface Ethernet2/9

interface Ethernet2/10

interface Ethernet2/11

interface Ethernet2/12

interface Ethernet2/13

interface Ethernet2/14

interface Ethernet2/15

interface Ethernet2/16

interface Ethernet2/17

interface Ethernet2/18

interface Ethernet2/19

interface Ethernet2/20

interface Ethernet2/21

interface Ethernet2/22

interface Ethernet2/23

interface Ethernet2/24

interface Ethernet2/25

interface Ethernet2/26

interface Ethernet2/27

interface Ethernet2/28

interface Ethernet2/29

interface Ethernet2/30

interface Ethernet2/31

interface Ethernet2/32

interface Ethernet2/33

interface Ethernet2/34

interface Ethernet2/35

interface Ethernet2/36

interface Ethernet2/37
  description ASA1 int g3/3
  switchport mode trunk
  switchport trunk allowed vlan 142
  spanning-tree port type normal
  logging event port link-status
  logging event port trunk-status

interface Ethernet2/38
  description ASA int g3/2
  switchport mode trunk
  switchport trunk allowed vlan 141
  spanning-tree port type normal
  logging event port link-status
  logging event port trunk-status

interface Ethernet2/39

interface Ethernet2/40

interface Ethernet2/41

interface Ethernet2/42

interface Ethernet2/43

interface Ethernet2/44

interface Ethernet2/45

interface Ethernet2/46

interface Ethernet2/47

interface Ethernet2/48

interface mgmt0
  ip address x.26.146.138/23
clock timezone EDT -5 0
clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60
cli alias name save copy runn start
line console
  terminal length 30
router ospf 8
  vrf servers1
    router-id 4.4.4.1
    area 81 nssa
    area 0.0.0.81 authentication message-digest
    timers throttle spf 10 100 5000
    timers throttle lsa router 1000
    timers throttle lsa network 1000
  vrf servers2
    router-id 5.5.5.1
    area 81 nssa
    area 0.0.0.81 authentication message-digest
    timers throttle spf 10 100 5000
    timers throttle lsa router 1000
    timers throttle lsa network 1000
ip pim rp-address 10.8.20.1 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8
no system default switchport shutdown


switchback
dca-n7k1# 


Nexus 7000 2
dca-n7k2# sh run vdc-all
!Running config for default vdc: dca-n7k2

version 4.1(2)
power redundancy-mode combined force

feature telnet
feature tacacs+
feature ospf
feature pim
feature private-vlan
feature udld
feature interface-vlan
feature netflow
feature hsrp
feature lacp

username admin password 5 <encrypted password>  role network-admin
username dma password 5 <encrypted password>  role network-admin
username chris password 5 <encrypted password>  role network-admin
username dma1-ops password 5 <encrypted password>  role network-operator
ntp server x.26.146.1 use-vrf management
ip domain-lookup
ip host dca-n7k2 x.26.146.204
ip host dca-n7k2 x.26.146.204
tacacs-server key 7 "<key>"
tacacs-server host x.26.191.94 key 7 "<key>" 
aaa group server tacacs+ tacacs-group 
    server x.26.191.94 
    use-vrf management
hostname dca-n7k2
service unsupported-transceiver
ip access-list copp-system-acl-ftp
  10 permit tcp any any eq ftp-data 
  20 permit tcp any any eq ftp 
  30 permit tcp any eq ftp-data any 
  40 permit tcp any eq ftp any 
ip access-list copp-system-acl-bgp
  10 permit tcp any gt 1024 any eq bgp 
  20 permit tcp any eq bgp any gt 1024 
ip access-list copp-system-acl-rip
  10 permit udp any 224.0.0.0/24 eq rip 
ip access-list copp-system-acl-vrrp
  10 permit 112 any 224.0.0.0/24 
ip access-list 134
  10 permit ip x.26.146.204/32 x.26.0.0/16 
  20 deny ip any any log 
ip access-list copp-system-acl-igmp
  10 permit igmp any 224.0.0.0/24 
ip access-list copp-system-acl-pim
  10 permit pim any 224.0.0.0/24 
  20 permit udp any any eq pim-auto-rp 
ip access-list copp-system-acl-msdp
  10 permit tcp any gt 1024 any eq 639 
  20 permit tcp any eq 639 any gt 1024 
ip access-list copp-system-acl-telnet
  10 permit tcp any any eq telnet 
  20 permit tcp any any eq 107 
  30 permit tcp any eq telnet any 
  40 permit tcp any eq 107 any 
ip access-list copp-system-acl-tftp
  10 permit udp any any eq tftp 
  20 permit udp any any eq 1758 
  30 permit udp any eq tftp any 
  40 permit udp any eq 1758 any 
ip access-list copp-system-acl-eigrp
  10 permit eigrp any any 
ip access-list copp-system-acl-ssh
  10 permit tcp any any eq 22 
  20 permit tcp any eq 22 any 
ip access-list copp-system-acl-glbp
  10 permit udp any eq 3222 224.0.0.0/24 eq 3222 
ip access-list copp-system-acl-snmp
  10 permit udp any any eq snmp 
  20 permit udp any any eq snmptrap 
ip access-list copp-system-acl-hsrp
  10 permit udp any 224.0.0.0/24 eq 1985 
ip access-list copp-system-acl-ospf
  10 permit ospf any any 
ip access-list copp-system-acl-sftp
  10 permit tcp any any eq 115 
  20 permit tcp any eq 115 any 
ip access-list copp-system-acl-tacacs
  10 permit tcp any any eq tacacs 
  20 permit tcp any eq tacacs any 
ip access-list 133
  10 permit icmp x.26.0.0/16 x.26.146.204/32 ttl-exceeded 
  20 permit icmp x.26.0.0/16 x.26.146.204/32 port-unreachable 
  30 permit icmp x.26.0.0/16 x.26.146.204/32 echo-reply 
  40 permit icmp x.26.0.0/16 x.26.146.204/32 echo 
  50 permit tcp x.26.0.0/16 eq tacacs x.26.146.204/32 established 
  60 permit tcp x.26.0.0/16 x.26.146.204/32 eq tacacs 
  70 permit udp x.26.0.0/16 x.26.146.204/32 eq ntp 
  80 permit tcp x.26.0.0/16 x.26.146.204/32 eq 22 
  90 permit tcp x.26.0.0/16 eq ftp x.26.146.204/32 gt 1023 established 
  100 permit tcp x.26.0.0/16 eq ftp-data x.26.146.204/32 gt 1023 
  110 permit tcp x.26.0.0/16 gt 1023 x.26.146.204/32 gt 1023 established 
  120 permit udp x.26.0.0/16 gt 1023 x.26.146.204/32 gt 1023 
  130 permit udp x.26.191.99/32 x.26.146.204/32 eq snmp 
  140 deny ip any any log 
ip access-list copp-system-acl-traceroute
  10 permit icmp any any ttl-exceeded 
  20 permit icmp any any port-unreachable 
ip access-list copp-system-acl-undesirable
  10 permit udp any any eq 1434 
ip access-list copp-system-acl-icmp
  10 permit icmp any any echo 
  20 permit icmp any any echo-reply 
ip access-list copp-system-acl-radius
  10 permit udp any any eq 1812 
  20 permit udp any any eq 1813 
  30 permit udp any any eq 1645 
  40 permit udp any any eq 1646 
  50 permit udp any eq 1812 any 
  60 permit udp any eq 1813 any 
  70 permit udp any eq 1645 any 
  80 permit udp any eq 1646 any 
ip access-list copp-system-acl-ntp
  10 permit udp any any eq ntp 
  20 permit udp any eq ntp any 
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-bgp
  match access-group name copp-system-acl-eigrp
  match access-group name copp-system-acl-igmp
  match access-group name copp-system-acl-msdp
  match access-group name copp-system-acl-ospf
  match access-group name copp-system-acl-pim
  match access-group name copp-system-acl-rip
class-map type control-plane match-any copp-system-class-exception
  match exception ip option
  match exception ip icmp unreachable
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-glbp
  match access-group name copp-system-acl-hsrp
  match access-group name copp-system-acl-vrrp
class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ftp
  match access-group name copp-system-acl-ntp
  match access-group name copp-system-acl-radius
  match access-group name copp-system-acl-sftp
  match access-group name copp-system-acl-snmp
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-tacacs
  match access-group name copp-system-acl-telnet
  match access-group name copp-system-acl-tftp
class-map type control-plane match-any copp-system-class-monitoring
  match access-group name copp-system-acl-icmp
  match access-group name copp-system-acl-traceroute
class-map type control-plane match-any copp-system-class-normal
  match protocol arp
class-map type control-plane match-any copp-system-class-redirect
  match redirect dhcp-snoop
  match redirect arp-inspect
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-undesirable
policy-map type control-plane copp-system-policy 
  class copp-system-class-critical
    police cir 40900 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-important
    police cir 1060 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-management
    police cir 10000 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-normal
    police cir 680 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-redirect
    police cir 280 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-monitoring
    police cir 100 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-exception
    police cir 360 kbps bc 250 ms conform transmit violate drop 
  class copp-system-class-undesirable
    police cir 32 kbps bc 250 ms conform drop violate drop 
  class class-default
    police cir 100 kbps bc 250 ms conform transmit violate drop 
control-plane
  service-policy input copp-system-policy 
snmp-server user dma network-admin auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce priv 0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey
snmp-server user admin network-admin auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce priv 0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey
snmp-server user chris network-admin auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce priv 0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey
snmp-server user dma1-ops network-operator auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce priv 0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey
snmp-server enable traps entity fru
aaa authentication login console group tacacs-group 
aaa accounting default group tacacs-group 
aaa authentication login error-enable 

vrf context management
  ip route 0.0.0.0/0 x.26.146.1
vlan 1
vdc dca-n7k2 id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 192
  limit-resource u4route-mem minimum 32 maximum 32
  limit-resource u6route-mem minimum 16 maximum 16
  limit-resource m4route-mem minimum 48 maximum 48
  limit-resource m6route-mem minimum 8 maximum 8
vdc vdc1 id 2
  allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/9,Ethernet1/11,Ethernet1/13,Ethernet1/15
  allocate interface Ethernet2/2,Ethernet2/4,Ethernet2/6,Ethernet2/8
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 192
  limit-resource u4route-mem minimum 8 maximum 8
  limit-resource u6route-mem minimum 4 maximum 4
  limit-resource m4route-mem minimum 8 maximum 8
  limit-resource m6route-mem minimum 2 maximum 2
vdc vdc2 id 3
  allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8,Ethernet1/10,Ethernet1/12,Ethernet1/14,Ethernet1/16-32
  allocate interface Ethernet2/1,Ethernet2/3,Ethernet2/5,Ethernet2/7,Ethernet2/9-48
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 192
  limit-resource u4route-mem minimum 8 maximum 8
  limit-resource u6route-mem minimum 4 maximum 4
  limit-resource m4route-mem minimum 8 maximum 8
  limit-resource m6route-mem minimum 2 maximum 2

interface Vlan1

interface cmp-mgmt module 5
      ip address x.26.146.85 255.255.254.0
      ip default-gateway x.26.146.1
interface cmp-mgmt module 6
      ip address x.26.146.86 255.255.254.0
      ip default-gateway x.26.146.1


interface mgmt0
  description <<** Flash address **>>
  ip access-group 133 in
  ip access-group 134 out
  vrf member management
  ip address x.26.146.204/23
  no ip redirects
clock timezone EDT -5 0
clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60
cli alias name save copy runn start vdc
line console
  terminal length 30
boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-1
boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-1
boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-2
boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-2

interface Ethernet10/1

interface Ethernet10/2

interface Ethernet10/3

interface Ethernet10/4

interface Ethernet10/5

interface Ethernet10/6

interface Ethernet10/7

interface Ethernet10/8

interface Ethernet10/9

interface Ethernet10/10

interface Ethernet10/11

interface Ethernet10/12

interface Ethernet10/13

interface Ethernet10/14

interface Ethernet10/15

interface Ethernet10/16

interface Ethernet10/17

interface Ethernet10/18

interface Ethernet10/19

interface Ethernet10/20

interface Ethernet10/21

interface Ethernet10/22

interface Ethernet10/23

interface Ethernet10/24

interface Ethernet10/25

interface Ethernet10/26

interface Ethernet10/27

interface Ethernet10/28

interface Ethernet10/29

interface Ethernet10/30

interface Ethernet10/31

interface Ethernet10/32

interface Ethernet10/33

interface Ethernet10/34

interface Ethernet10/35

interface Ethernet10/36

interface Ethernet10/37

interface Ethernet10/38

interface Ethernet10/39

interface Ethernet10/40

interface Ethernet10/41

interface Ethernet10/42

interface Ethernet10/43

interface Ethernet10/44

interface Ethernet10/45

interface Ethernet10/46

interface Ethernet10/47

interface Ethernet10/48
ip route x.26.0.0/16 x.26.146.1
no ip source-route
logging timestamp milliseconds


!Running config for vdc: vdc1


switchto vdc vdc1
version 4.1(2)
feature telnet
feature ospf
feature pim
feature private-vlan
feature udld
feature interface-vlan
feature hsrp
feature lacp

username admin password 5 <encrypted password>  role vdc-admin
ip domain-lookup
service unsupported-transceiver
snmp-server user admin vdc-admin auth md5 <encrypted password> priv <encrypted password> localizedkey

vrf context management
  ip route 0.0.0.0/0 x.26.146.1
vlan 1,3
vlan 99
  name vmconsole
vlan 128-133
vlan 151
  name asa-vdc2-Outside
vlan 161
  name asa-vdc1-Outside
vlan 770-771
spanning-tree pathcost method long
spanning-tree port type network default
spanning-tree vlan 99,128,130,132,166,770-771 priority 28672
spanning-tree vlan 129,131,133 priority 24576


interface Vlan1

interface Vlan3
  no shutdown
  ip address 10.8.3.2/24
  ip ospf authentication message-digest
  ip ospf authentication-key 3 9125d59c18a9b015
  ip ospf dead-interval 3
  ip ospf hello-interval 1
  ip router ospf 8 area 0.0.0.0
  ip pim sparse-mode
  ip igmp version 3

interface Vlan99
  no shutdown
  ip address 10.8.99.2/24
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10
    timers  1  3
    ip 10.8.99.1 

interface Vlan128
  no shutdown
  ip address 10.8.128.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.128.1 

interface Vlan129
  no shutdown
  ip address 10.8.129.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.129.1 

interface Vlan130
  no shutdown
  ip address 10.8.130.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.130.1 

interface Vlan131
  no shutdown
  ip address 10.8.131.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.131.1 

interface Vlan132
  no shutdown
  ip address 10.8.132.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.132.1 

interface Vlan133
  no shutdown
  ip address 10.8.133.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.133.1 

interface Vlan151
  no shutdown
  ip address 10.8.152.2/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.152.1 

interface Vlan161
  no shutdown
  ip address 10.8.162.2/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.162.1 

interface port-channel99
  description to dca-n7k1-vdc1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771
  spanning-tree port type network
  logging event port link-status

interface Ethernet1/1
  description to dca-core2 Ten4/4
  ip address 10.8.2.2/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 9125d59c18a9b015
  ip ospf dead-interval 3
  ip ospf hello-interval 1
  ip router ospf 8 area 0.0.0.0
  ip pim sparse-mode
  ip igmp version 3
  no shutdown

interface Ethernet1/3
  description to dca-asa2 Ten5/0
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 161
  spanning-tree port type normal
  no shutdown

interface Ethernet1/5
  description to dca-asa2 Ten7/0
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 151
  spanning-tree port type normal
  no shutdown

interface Ethernet1/7
  no shutdown

interface Ethernet1/9

interface Ethernet1/11

interface Ethernet1/13
  description ISL 
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771
  channel-group 99 mode active
  no shutdown

interface Ethernet1/15
  description ISL 
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771
  channel-group 99 mode active
  no shutdown

interface Ethernet2/2
  description IXIA port 4/5
  switchport
  switchport access vlan 129
  spanning-tree port type edge
  no shutdown

interface Ethernet2/4
  description IXIA port 4/6
  switchport
  switchport access vlan 131
  spanning-tree port type edge
  no shutdown

interface Ethernet2/6
  description IXIA port 4/7
  switchport
  switchport access vlan 133
  spanning-tree port type edge
  no shutdown

interface Ethernet2/8
  description IXIA port 4/8

interface mgmt0
  ip address x.26.146.202/23
clock timezone EDT -5 0
clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60
cli alias name save copy runn start
line console
  terminal length 0
router ospf 8
  router-id 3.3.3.2
  area 81 nssa
  default-information originate
  area 0.0.0.0 range 10.8.0.0/24
  area 0.0.0.0 range 10.8.1.0/24
  area 0.0.0.0 range 10.8.2.0/24
  area 0.0.0.0 range 10.8.3.0/24
  area 0.0.0.81 range 10.8.128.0/18
  area 0.0.0.0 authentication message-digest
  area 0.0.0.81 authentication message-digest
  timers throttle spf 10 100 5000
  timers throttle lsa router 1000
  timers throttle lsa network 1000
  auto-cost reference-bandwidth 10000
no ip source-route
ip pim ssm range 232.0.0.0/8


switchback
!Running config for vdc: vdc2


switchto vdc vdc2
version 4.1(2)
feature ospf
feature pim
feature udld
feature interface-vlan
feature hsrp
feature lacp

logging level monitor 7
username admin password 5 <encrypted password>  role vdc-admin
ssh key rsa 768 
ip domain-lookup
switchname vdc2
system default switchport
logging event link-status default
logging event trunk-status default
service unsupported-transceiver
snmp-server user admin vdc-admin auth md5 <encrypted password> priv <encrypted password> localizedkey

vrf context erspan
vrf context servers1
  ip route 0.0.0.0/0 10.8.162.1
vrf context servers2
  ip route 0.0.0.0/0 10.8.152.1
vrf context management
  ip route 0.0.0.0/0 x.26.146.1
vlan 1
vlan 15
  name vmkernel
vlan 50-51
vlan 98
  name serviceconsole
vlan 141-142,152-153,162-164,166-169
vlan 171
  name failover
vlan 172
  name state
vlan 180-183
vlan 191
  name waas
vlan 200
  name Mike-Server-1
vlan 201
  name Mike-Server-2
vlan 202
  name Mike-Server-3
vlan 300-399,999
vlan 3000
  name erspan
vlan 3001
  name erspan-ss1
vlan 3002
  name vemcontrol
vlan 3003
  name vempacket
spanning-tree pathcost method long
spanning-tree port type network default
spanning-tree vlan 1,15,98,142,166,168,180,182,200-202,300-399,3000,3002-3003 priority 28672
spanning-tree vlan 50-51,167,169,181,183 priority 24576


interface Vlan1

interface Vlan15
  no shutdown
  vrf member servers1
  ip address 10.8.15.2/24
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10
    timers  1  3
    ip 10.8.15.1 

interface Vlan50
  no shutdown
  vrf member servers2
  ip address 10.8.50.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.50.1 

interface Vlan51
  no shutdown
  vrf member servers2
  ip address 10.8.51.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.51.1 

interface Vlan98
  no shutdown
  vrf member servers1
  ip address 10.8.98.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20
    timers  1  3
    ip 10.8.98.1 

interface Vlan141
  vrf member servers1
  ip address 10.8.141.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.141.1 

interface Vlan152
  no shutdown
  vrf member servers2
  ip address 10.8.152.6/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.152.7 

interface Vlan153
  vrf member servers2
  ip address 10.8.152.6/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.152.7 

interface Vlan164
  no shutdown
  vrf member servers1
  ip address 10.8.162.6/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.162.7 

interface Vlan166
  no shutdown
  vrf member servers1
  ip address 10.8.166.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.166.1 

interface Vlan167
  no shutdown
  vrf member servers2
  ip address 10.8.167.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.167.1 

interface Vlan168
  no shutdown
  vrf member servers1
  ip address 10.8.168.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.168.1 

interface Vlan169
  no shutdown
  vrf member servers2
  ip address 10.8.169.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.169.1 

interface Vlan180
  no shutdown
  vrf member servers1
  ip address 10.8.180.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.180.1 

interface Vlan181
  no shutdown
  vrf member servers2
  ip address 10.8.181.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.181.1 

interface Vlan182
  no shutdown
  vrf member servers1
  ip address 10.8.182.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.182.1 

interface Vlan183
  no shutdown
  vrf member servers2
  ip address 10.8.183.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 20 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.183.1 

interface Vlan200
  no shutdown
  vrf member servers2
  ip address 10.8.200.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 600 reload 300 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.200.1 

interface Vlan201
  no shutdown
  vrf member servers2
  ip address 10.8.201.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 600 reload 300 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.201.1 

interface Vlan202
  no shutdown
  vrf member servers2
  ip address 10.8.202.2/24
  ip ospf passive-interface
  ip router ospf 8 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 600 reload 300 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.202.1 

interface Vlan3000
  no shutdown
  ip address 10.8.3.2/24
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180 
    priority 10 forwarding-threshold lower 0 upper 0
    timers  1  3
    ip 10.8.3.1 

interface Vlan3001
  no shutdown
  ip address 10.8.33.2/24

interface port-channel8
  description to vbs
  switchport mode trunk
  switchport trunk allowed vlan 180-183
  spanning-tree port type normal
  spanning-tree guard root
  logging event port link-status
  logging event port trunk-status

interface port-channel72
  switchport mode trunk
  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  logging event port link-status
  logging event port trunk-status

interface port-channel99
  description ISL to dca-n7k1-vdc1
  switchport mode trunk
  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164
  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202
  switchport trunk allowed vlan add 300-399,999,3000-3003
  spanning-tree cost 500
  spanning-tree port type network
  logging event port link-status

interface port-channel201
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  spanning-tree port type network
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/2
  description E1/2 to dca-newSS1 T1/1
  switchport mode trunk
  switchport trunk allowed vlan 152-153,162-164,191,999,3001
  spanning-tree port type network
  spanning-tree guard loop
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/4
  description E1/4 to dca-newSS2 T1/2
  switchport mode trunk
  switchport trunk allowed vlan 152-153,162-164,191,999,3001
  spanning-tree port type network
  spanning-tree guard loop
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/6
  description to dc10-5020-5
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  logging event port link-status
  logging event port trunk-status
  udld enable
  channel-group 201 mode active

interface Ethernet1/8
  description to dc10-5020-6
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  spanning-tree port type network
  spanning-tree guard loop
  logging event port link-status
  logging event port trunk-status
  udld enable

interface Ethernet1/10
  description to dca-asa2 Ten5/1
  switchport mode trunk
  switchport trunk allowed vlan 162
  spanning-tree port type normal

interface Ethernet1/12
  description to dca-asa2 Ten7/1
  switchport mode trunk
  switchport trunk allowed vlan 152
  spanning-tree port type normal

interface Ethernet1/14
  description ISL 
  switchport mode trunk
  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164
  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202
  switchport trunk allowed vlan add 300-399,999,3000-3003
  channel-group 99 mode active

interface Ethernet1/16
  description ISL 
  switchport mode trunk
  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164
  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202
  switchport trunk allowed vlan add 300-399,999,3000-3003
  channel-group 99 mode active

interface Ethernet1/17
  description dc20-4948-1 
  switchport mode trunk
  switchport trunk allowed vlan 50-51,142
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/18
  description dc07-3120-vbs Ten4/0/2
  switchport mode trunk
  switchport trunk allowed vlan 180-183
  spanning-tree port type normal
  spanning-tree guard root
  channel-group 8 mode active

interface Ethernet1/19
  description dc20-4948-2 
  switchport mode trunk
  switchport trunk allowed vlan 50-51,142
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/20
  description dc07-3120-vbs Ten2/0/2 
  switchport mode trunk
  switchport trunk allowed vlan 180-183
  spanning-tree port type normal
  spanning-tree guard root
  channel-group 8 mode active

interface Ethernet1/21

interface Ethernet1/22
  switchport mode trunk
  switchport trunk allowed vlan 200-202
  logging event port link-status
  logging event port trunk-status
  udld enable
  channel-group 201 mode active

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25
  description dca-vss-acc
  switchport mode trunk
  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  channel-group 72 mode active

interface Ethernet1/26
  description dc10-5020-1 
  switchport mode trunk
  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/27
  description dca-vss-acc
  switchport mode trunk
  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  channel-group 72 mode active

interface Ethernet1/28
  description dc10-5020-2 
  switchport mode trunk
  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003
  spanning-tree port type network
  spanning-tree guard root
  mtu 9216
  logging event port link-status
  logging event port trunk-status

interface Ethernet1/29
  description to 6k access
  switchport mode trunk
  switchport trunk allowed vlan 128-133,164-169,180-183,300-399
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/30
  description dc10-5020-3
  switchport mode trunk
  switchport trunk allowed vlan 15,98,180-183
  spanning-tree port type network

interface Ethernet1/31
  description to 6k access
  switchport mode trunk
  switchport trunk allowed vlan 128-133,164-169,180-183,300-399
  spanning-tree port type normal
  spanning-tree guard root

interface Ethernet1/32
  description dc10-5020-4
  switchport mode trunk
  switchport trunk allowed vlan 15,98,180-183
  spanning-tree port type network

interface Ethernet2/1
  switchport access vlan 172
  spanning-tree port type normal

interface Ethernet2/3
  switchport access vlan 171
  spanning-tree port type normal

interface Ethernet2/5
  spanning-tree port type normal

interface Ethernet2/7

interface Ethernet2/9

interface Ethernet2/10

interface Ethernet2/11

interface Ethernet2/12

interface Ethernet2/13

interface Ethernet2/14

interface Ethernet2/15

interface Ethernet2/16

interface Ethernet2/17

interface Ethernet2/18

interface Ethernet2/19

interface Ethernet2/20

interface Ethernet2/21

interface Ethernet2/22

interface Ethernet2/23

interface Ethernet2/24

interface Ethernet2/25

interface Ethernet2/26

interface Ethernet2/27

interface Ethernet2/28

interface Ethernet2/29

interface Ethernet2/30

interface Ethernet2/31

interface Ethernet2/32

interface Ethernet2/33

interface Ethernet2/34

interface Ethernet2/35

interface Ethernet2/36

interface Ethernet2/37
  description ASA1 int g3/3
  switchport mode trunk
  switchport trunk allowed vlan 142
  spanning-tree port type normal
  logging event port link-status
  logging event port trunk-status

interface Ethernet2/38
  description ASA int g3/2
  switchport mode trunk
  switchport trunk allowed vlan 141
  spanning-tree port type normal
  logging event port link-status
  logging event port trunk-status

interface Ethernet2/39

interface Ethernet2/40

interface Ethernet2/41

interface Ethernet2/42

interface Ethernet2/43

interface Ethernet2/44

interface Ethernet2/45

interface Ethernet2/46

interface Ethernet2/47

interface Ethernet2/48

interface mgmt0
  ip address x.26.146.203/23

interface loopback88
  vrf member test
clock timezone EDT -5 0
clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60
cli alias name save copy runn start
line console
  terminal length 0
router ospf 8
  vrf servers1
    router-id 4.4.4.2
    area 81 nssa
    area 0.0.0.81 authentication message-digest
    timers throttle spf 10 100 5000
    timers throttle lsa router 1000
    timers throttle lsa network 1000
  vrf servers2
    router-id 5.5.5.2
    area 81 nssa
    area 0.0.0.81 authentication message-digest
    timers throttle spf 10 100 5000
    timers throttle lsa router 1000
    timers throttle lsa network 1000
ip pim rp-address 10.8.20.1 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8
no system default switchport shutdown


switchback
dca-n7k2# 

Services Layer Switch—Catalyst 6500

Service Switch 1

dca-newSS1#sh run
Building configuration...

Current configuration : 20243 bytes
!
! Last configuration change at 03:21:52 EST Fri May 1 2009 by chris
! NVRAM config last updated at 00:05:07 EST Thu May 14 2009
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 5
!
hostname dca-newSS1
!
boot-start-marker
boot system flash bootflash:s72033-adventerprisek9_wan-mz.122-33.SXI.bin
boot-end-marker
!
enable secret 5 <encrypted password>
!
username admin privilege 15 secret 5 <encrypted password>
username dma-ops password 7 <encrypted password>
username chris-ops password 7 <encrypted password>
username martin password 7 <encrypted password>
aaa new-model
!
!
aaa group server tacacs+ tacacs-group
 server x.26.191.94
!
aaa authentication login authen-exec-list group tacacs-group local-case
aaa authentication enable default group tacacs-group enable
aaa authorization exec author-exec-list group tacacs-group if-authenticated 
aaa authorization commands 15 author-15-list group tacacs-group none 
aaa accounting send stop-record authentication failure 
aaa accounting exec default start-stop group tacacs-group
aaa accounting commands 15 default start-stop group tacacs-group
aaa accounting system default start-stop group tacacs-group
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
svclc autostate
svclc multiple-vlan-interfaces
svclc module 7 vlan-group 1
svclc module 8 vlan-group 1,2,150,160,190,999
svclc vlan-group 1  146
svclc vlan-group 2  170
svclc vlan-group 150  152,153
svclc vlan-group 160  162,163
svclc vlan-group 190  190,191
svclc vlan-group 999  999
firewall autostate
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
analysis module 9 management-port access-vlan 146
ip subnet-zero
no ip source-route
!
!
!
ip ftp source-interface Vlan146
ip ftp username chrobrie
ip ftp password 7 <encrypted password>
no ip bootp server
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
ip scp server enable
ip domain-name cisco.com
ip name-server x.26.129.252
login block-for 100 attempts 5 within 50
login quiet-mode access-class 10
login on-failure log
vtp mode transparent
mls ip slb purge global
mls netflow interface
mls flow ip interface-full
no mls flow ipv6
mls nde sender version 5
mls qos
mls cef error action reset
!
!
!
!
!
!         
!
!
!
archive
 path ftp://test:test@x.26.129.252/NexusDCPhase1/$h-$t
 write-memory
memory reserve critical 1000
memory free low-watermark processor 91492
memory free low-watermark IO 6710
!
spanning-tree mode rapid-pvst
spanning-tree portfast network default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 163,170-172,191,999,3001 priority 24576
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
fabric switching-mode allow truncated threshold 1
fabric switching-mode allow truncated
port-channel hash-distribution adaptive
!         
redundancy
 main-cpu
  auto-sync running-config
 mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 146
 name flash
!
vlan 152-153,162-164,170-172 
!
vlan 190
 name waflan
!
vlan 191
 name waas
!
vlan 999 
!
vlan 3001
 name erspan
!
class-map match-all coppclass-igp
  match access-group name coppacl-igp
class-map match-all coppclass-monitoring
  match access-group name coppacl-monitoring
class-map match-all coppclass-filemanagement
  match access-group name coppacl-filemanagement
class-map match-all coppclass-management
  match access-group name coppacl-management
!
!
policy-map copp-policy
  class coppclass-igp
   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     violate-action drop
  class coppclass-filemanagement
   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     violate-action drop
  class coppclass-management
   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     violate-action drop
  class coppclass-monitoring
   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     violate-action drop
  class class-default
   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     violate-action drop
!
!
! 
!
!
!
interface Port-channel31
 switchport
 switchport access vlan 191
 switchport mode access
 logging event link-status
 spanning-tree portfast edge
!
interface Port-channel2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 switchport nonegotiate
 mtu 9216
!
interface Port-channel99
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 170-172
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 spanning-tree portfast network
!
interface GigabitEthernet3/21
 description <<** G3/25 to dc-waecm G2/0 **>>
 switchport
 switchport access vlan 191
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode access
 logging event link-status
 spanning-tree portfast edge
!         
interface GigabitEthernet3/23
 description <<** G3/23 to dc-wae2 G2/0 **>>
 switchport
 switchport access vlan 191
 switchport mode access
 logging event link-status
 spanning-tree portfast edge
 channel-group 31 mode on
!
interface GigabitEthernet3/24
 description <<** G3/23 to dc-wae1 G1/0 **>>
 switchport
 switchport access vlan 191
 switchport mode access
 logging event link-status
 spanning-tree portfast edge
 channel-group 31 mode on
!
interface GigabitEthernet3/25
 switchport
 switchport access vlan 191
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 logging event link-status
 shutdown
 rmon collection stats 6028 owner monitor
 rmon collection stats 6032 owner monitor
 spanning-tree portfast edge
!
interface TenGigabitEthernet1/1
 description <<** T1/1 to dca-n7k2-vdc2 **>>
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 152,153,162-164,191,999,3001
 switchport mode trunk
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6000 owner monitor
 spanning-tree portfast network
!
interface TenGigabitEthernet1/2
 description <<** T1/2 to dca-n7k1-vdc2 **>>
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 152,153,162-164,191,999,3001
 switchport mode trunk
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6001 owner monitor
 spanning-tree portfast network
!
interface TenGigabitEthernet1/3
 description to ips2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 switchport nonegotiate
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 shutdown
 rmon collection stats 6002 owner monitor
 channel-group 2 mode on
!
interface TenGigabitEthernet1/4
 description to ips1 7/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 switchport nonegotiate
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6003 owner monitor
 channel-group 2 mode on
!
interface TenGigabitEthernet1/5
 no ip address
 rmon collection stats 6004 owner monitor
!
interface TenGigabitEthernet1/6
 no ip address
 rmon collection stats 6005 owner monitor
!
interface TenGigabitEthernet1/7
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 170-172
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6006 owner monitor
 channel-protocol lacp
 channel-group 99 mode active
!
interface TenGigabitEthernet1/8
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 170-172
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6007 owner monitor
 channel-protocol lacp
 channel-group 99 mode active
!
interface GigabitEthernet3/1
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6008 owner monitor
!
interface GigabitEthernet3/2
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6009 owner monitor
!
interface GigabitEthernet3/3
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6010 owner monitor
!
interface GigabitEthernet3/4
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6011 owner monitor
!
interface GigabitEthernet3/5
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6012 owner monitor
!
interface GigabitEthernet3/6
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6013 owner monitor
!
interface GigabitEthernet3/7
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6014 owner monitor
!
interface GigabitEthernet3/8
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6015 owner monitor
!
interface GigabitEthernet3/9
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6016 owner monitor
!
interface GigabitEthernet3/10
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6017 owner monitor
!
interface GigabitEthernet3/11
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6018 owner monitor
!
interface GigabitEthernet3/12
 description to waf2 eth3
 switchport
 switchport access vlan 190
 switchport mode access
 rmon collection stats 6019 owner monitor
 spanning-tree portfast edge
!
interface GigabitEthernet3/13
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6020 owner monitor
!
interface GigabitEthernet3/14
 description to waf1 eth3
 switchport
 switchport access vlan 190
 switchport mode access
 rmon collection stats 6021 owner monitor
 spanning-tree portfast edge
!
interface GigabitEthernet3/15
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6022 owner monitor
!
interface GigabitEthernet3/16
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6023 owner monitor
!
interface GigabitEthernet3/17
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6024 owner monitor
!
interface GigabitEthernet3/18
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6025 owner monitor
!
interface GigabitEthernet3/19
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6026 owner monitor
!
interface GigabitEthernet3/20
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6027 owner monitor
!
interface GigabitEthernet3/22
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6029 owner monitor
!         
interface GigabitEthernet3/26
 description to IPS1 gig 3/3
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 load-interval 30
 rmon collection stats 6033 owner monitor
 spanning-tree portfast edge trunk
!
interface GigabitEthernet3/27
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6034 owner monitor
!
interface GigabitEthernet3/28
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6035 owner monitor
!         
interface GigabitEthernet3/29
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6036 owner monitor
!
interface GigabitEthernet3/30
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6037 owner monitor
!
interface GigabitEthernet3/31
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6038 owner monitor
!
interface GigabitEthernet3/32
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6039 owner monitor
!
interface GigabitEthernet3/33
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6040 owner monitor
!
interface GigabitEthernet3/34
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6041 owner monitor
!
interface GigabitEthernet3/35
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6042 owner monitor
!
interface GigabitEthernet3/36
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6043 owner monitor
!
interface GigabitEthernet3/37
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 shutdown
 rmon collection stats 6044 owner monitor
!
interface GigabitEthernet3/38
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6045 owner monitor
!
interface GigabitEthernet3/39
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6046 owner monitor
!
interface GigabitEthernet3/40
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6047 owner monitor
!
interface GigabitEthernet3/41
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6048 owner monitor
!
interface GigabitEthernet3/42
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6049 owner monitor
!
interface GigabitEthernet3/43
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6050 owner monitor
!         
interface GigabitEthernet3/44
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6051 owner monitor
!
interface GigabitEthernet3/45
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6052 owner monitor
!
interface GigabitEthernet3/46
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6053 owner monitor
!
interface GigabitEthernet3/47
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6054 owner monitor
!
interface GigabitEthernet3/48
 switchport
 switchport access vlan 4000
 switchport mode access
 logging event link-status
 logging event spanning-tree status
 shutdown
 rmon collection stats 6055 owner monitor
 spanning-tree portfast edge trunk
!
interface GigabitEthernet5/1
 description <<** to mgmt net **>>
 switchport
 switchport access vlan 146
 switchport mode access
 logging event link-status
 logging event spanning-tree status
 udld port
 rmon collection stats 6056 owner monitor
!
interface GigabitEthernet5/2
 no ip address
 rmon collection stats 6057 owner monitor
!
interface GigabitEthernet5/3
 description To Mgmt Net
 no ip address
 speed 1000
 duplex full
 rmon collection stats 6058 owner monitor
!
interface TenGigabitEthernet5/4
 no ip address
 rmon collection stats 6059 owner monitor
!
interface TenGigabitEthernet5/5
 no ip address
 rmon collection stats 6060 owner monitor
!
interface Vlan191
 ip address 10.8.191.191 255.255.255.0
 ntp broadcast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan146
 ip address x.26.147.209 255.255.254.0
 ip access-group 133 in
 ip access-group 134 out
 ip flow ingress
!
interface Vlan3001
 mtu 9216
 ip address 10.8.33.4 255.255.255.0
 load-interval 30
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.26.146.1
ip route 10.8.0.0 255.255.0.0 10.8.33.2
ip route 10.8.0.0 255.255.0.0 10.8.33.3
!
ip flow-export destination x.26.147.230 3000
!
ip http server
ip http authentication local
no ip http secure-server
ip http path disk0:
ip tacacs source-interface Vlan146
!
ip access-list extended coppacl-monitoring
 remark CoPP monitoring traffic class
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
ip access-list extended dma
 permit ip any host 10.8.180.153
!
kron occurrence daily-config-backup at 0:05 recurring
 policy-list backup-config
!
kron policy-list backup-config
 cli write memory
!
logging trap critical
logging source-interface GigabitEthernet5/3
logging x.26.191.94
access-list 10 permit x.26.191.92
access-list 10 remark a 100-second quiet period if 5 failed login attempts is exceeded
access-list 111 remark ACL for SSH
access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22
access-list 111 deny   ip any any log-input
access-list 112 remark ACL for last resort access
access-list 112 permit tcp host x.26.191.92 any eq 22
access-list 112 deny   ip any any log-input
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 ttl-exceeded
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 port-unreachable
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 echo-reply
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 echo
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.147.209 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.209 eq tacacs
access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.147.209 eq ntp
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.209 eq 22
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.147.209 gt 1023 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.147.209 gt 1023
access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.209 gt 1023 established
access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.209 gt 1023
access-list 134 permit ip host x.26.147.209 x.26.0.0 0.0.255.255
access-list 134 deny   ip any any log
!
!
!
!
snmp-server engineID local 8000000903000021D72AC000
snmp-server enable traps cpu threshold
snmp-server host x.26.191.94 public  cpu
tacacs-server host x.26.191.94 single-connection key 7 01100F175804575D72
tacacs-server directed-request
!
!
control-plane
 service-policy input copp-policy
!
!
dial-peer cor custom
!
!         
!
banner login ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.
All activities performed on this device are logged and monitored.
^C
!
line con 0
 login authentication authen-exec-list
line vty 0 3
 exec-timeout 180 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input all
 transport output none
line vty 4
 exec-timeout 180 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input all
 transport output none
line vty 5 15
 login authentication authen-exec-list
 no exec
 transport input all
!
exception protocol ftp
exception dump x.26.129.252
!
monitor session 1 type erspan-source
 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 1 **>>
 source vlan 3001
 destination
  erspan-id 1
  ip address 10.8.33.4
!
!         
monitor session 2 type erspan-source
 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 2 **>>
 source vlan 3001
 destination
  erspan-id 2
  ip address 10.8.33.4
!
!
monitor session 3 type erspan-destination
 description <** N1k ERSPAN to NAM - originating from dcesx4n1  **>>
 destination analysis-module 9 data-port 2
 source
  erspan-id 1
  ip address 10.8.33.4
!
!
monitor session 4 type erspan-destination
 description <** N1k ERSPAN to IDS-1 - originating from dcesx4n1  **>>
 destination interface Gi3/26
 source
  erspan-id 2
  ip address 10.8.33.4
!         
!
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
process cpu statistics limit entry-percentage 40 size 300
ntp clock-period 17179890
ntp server x.26.146.1
mac-address-table aging-time 480
!
end

dca-newSS1#


Service Switch 2
dca-newSS2>en
Password: 
dca-newSS2#sh run
Building configuration...

Current configuration : 18580 bytes
!
! Last configuration change at 12:08:19 EST Wed Mar 25 2009 by chris
! NVRAM config last updated at 00:05:29 EST Thu May 14 2009
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 5
!
hostname dca-newSS2
!
boot-start-marker
boot system flash bootflash:s72033-adventerprisek9_wan-mz.122-33.SXI.bin
boot-end-marker
!
enable secret 5 <encrypted password>
!
username admin privilege 15 secret 5 <encrypted password>
aaa new-model
!
!
aaa group server tacacs+ tacacs-group
 server x.26.191.94
!
aaa authentication login authen-exec-list group tacacs-group local-case
aaa authentication enable default group tacacs-group enable
aaa authorization exec author-exec-list group tacacs-group if-authenticated 
aaa authorization commands 15 author-15-list group tacacs-group none 
aaa accounting send stop-record authentication failure 
aaa accounting exec default start-stop group tacacs-group
aaa accounting commands 15 default start-stop group tacacs-group
aaa accounting system default start-stop group tacacs-group
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
svclc autostate
svclc multiple-vlan-interfaces
svclc module 7 vlan-group 1
svclc module 8 vlan-group 1,2,150,160,190,999
svclc vlan-group 1  146
svclc vlan-group 2  170
svclc vlan-group 150  152,153
svclc vlan-group 160  162,163
svclc vlan-group 190  190,191
svclc vlan-group 999  999
firewall autostate
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
analysis module 9 management-port access-vlan 146
ip subnet-zero
no ip source-route
!
!
!
ip ftp source-interface GigabitEthernet5/3
ip ftp username anonymous
ip ftp password 7 <encrypted password>
no ip bootp server
ip ssh authentication-retries 2
ip ssh version 2
no ip domain-lookup
ip domain-name cisco.com
ip name-server x.26.129.252
login block-for 100 attempts 5 within 50
login quiet-mode access-class 10
login on-failure log
vtp mode transparent
mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
!
!
!
!
!
!
!
!
!
archive
 path ftp://test:test@x.26.129.252/NexusDCPhase1/$h-$t
 write-memory
memory reserve critical 1000
memory free low-watermark processor 91492
memory free low-watermark IO 6710
!
spanning-tree mode rapid-pvst
spanning-tree portfast network default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 153 priority 24576
spanning-tree vlan 163,170-172,191,999 priority 28672
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
fabric switching-mode allow truncated threshold 1
fabric switching-mode allow truncated
port-channel hash-distribution adaptive
!
redundancy
 main-cpu
  auto-sync running-config
 mode sso
!         
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 146
 name flash
!
vlan 152-153,162-164,170-172 
!
vlan 190
 name waf
!
vlan 191
 name waas
!
vlan 999 
!
vlan 3001
 name erspan
!
! 
!
!
!         
interface Port-channel32
 switchport
 switchport access vlan 191
 switchport mode access
 logging event link-status
 spanning-tree portfast edge
!
interface Port-channel2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 switchport nonegotiate
 mtu 9216
!
interface Port-channel99
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 170-172
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 spanning-tree portfast network
!
interface GigabitEthernet3/23
 description <<** G3/23 to dca-wae2 G1/0 **>>
 switchport
 switchport access vlan 191
 switchport mode access
 logging event link-status
 spanning-tree portfast edge
 channel-group 32 mode on
!
interface GigabitEthernet3/24
 description <<** G3/24 to dc-wae1 G2/0 **>>
 switchport
 switchport access vlan 191
 switchport mode access
 logging event link-status
 spanning-tree portfast edge
 channel-group 32 mode on
!
interface TenGigabitEthernet1/1
 description <<** T1/1 to dca-n7k1-vdc2 **>>
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 152,153,162-164,191,999,3001
 switchport mode trunk
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6000 owner monitor
 spanning-tree portfast network
!
interface TenGigabitEthernet1/2
 description <<** T1/2 to dca-n7k2-vdc2 **>>
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 152,153,162-164,191,999,3001
 switchport mode trunk
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6001 owner monitor
 spanning-tree portfast network
!
interface TenGigabitEthernet1/3
 description to ips2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 switchport nonegotiate
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6002 owner monitor
 channel-group 2 mode on
!
interface TenGigabitEthernet1/4
 description to ips1 7/0
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 163,164
 switchport mode trunk
 switchport nonegotiate
 mtu 9216
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 shutdown
 rmon collection stats 6003 owner monitor
 channel-group 2 mode on
!
interface TenGigabitEthernet1/5
 no ip address
 rmon collection stats 6004 owner monitor
!
interface TenGigabitEthernet1/6
 no ip address
 rmon collection stats 6005 owner monitor
!
interface TenGigabitEthernet1/7
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 170-172
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6006 owner monitor
 spanning-tree portfast network
 channel-protocol lacp
 channel-group 99 mode active
!
interface TenGigabitEthernet1/8
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 170-172
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree status
 rmon collection stats 6007 owner monitor
 spanning-tree portfast network
 channel-protocol lacp
 channel-group 99 mode active
!
interface GigabitEthernet3/1
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6008 owner monitor
!
interface GigabitEthernet3/2
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6009 owner monitor
!
interface GigabitEthernet3/3
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6010 owner monitor
!
interface GigabitEthernet3/4
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6011 owner monitor
!
interface GigabitEthernet3/5
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6012 owner monitor
!
interface GigabitEthernet3/6
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6013 owner monitor
!
interface GigabitEthernet3/7
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6014 owner monitor
!
interface GigabitEthernet3/8
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6015 owner monitor
!
interface GigabitEthernet3/9
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6016 owner monitor
!
interface GigabitEthernet3/10
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6017 owner monitor
!
interface GigabitEthernet3/11
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6018 owner monitor
!
interface GigabitEthernet3/12
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6019 owner monitor
!
interface GigabitEthernet3/13
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6020 owner monitor
!
interface GigabitEthernet3/14
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6021 owner monitor
!
interface GigabitEthernet3/15
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6022 owner monitor
!
interface GigabitEthernet3/16
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6023 owner monitor
!
interface GigabitEthernet3/17
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6024 owner monitor
!
interface GigabitEthernet3/18
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6025 owner monitor
!
interface GigabitEthernet3/19
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6026 owner monitor
!         
interface GigabitEthernet3/20
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6027 owner monitor
!
interface GigabitEthernet3/21
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6028 owner monitor
!
interface GigabitEthernet3/22
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6029 owner monitor
!
interface GigabitEthernet3/25
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6032 owner monitor
!
interface GigabitEthernet3/26
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6033 owner monitor
!
interface GigabitEthernet3/27
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6034 owner monitor
!
interface GigabitEthernet3/28
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6035 owner monitor
!
interface GigabitEthernet3/29
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6036 owner monitor
!
interface GigabitEthernet3/30
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6037 owner monitor
!
interface GigabitEthernet3/31
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6038 owner monitor
!
interface GigabitEthernet3/32
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6039 owner monitor
!
interface GigabitEthernet3/33
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6040 owner monitor
!
interface GigabitEthernet3/34
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6041 owner monitor
!
interface GigabitEthernet3/35
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6042 owner monitor
!
interface GigabitEthernet3/36
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6043 owner monitor
!
interface GigabitEthernet3/37
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6044 owner monitor
!
interface GigabitEthernet3/38
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6045 owner monitor
!
interface GigabitEthernet3/39
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6046 owner monitor
!
interface GigabitEthernet3/40
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6047 owner monitor
!
interface GigabitEthernet3/41
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6048 owner monitor
!
interface GigabitEthernet3/42
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6049 owner monitor
!
interface GigabitEthernet3/43
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6050 owner monitor
!
interface GigabitEthernet3/44
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6051 owner monitor
!         
interface GigabitEthernet3/45
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6052 owner monitor
!
interface GigabitEthernet3/46
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6053 owner monitor
!
interface GigabitEthernet3/47
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6054 owner monitor
!
interface GigabitEthernet3/48
 no ip address
 no ip redirects
 no ip proxy-arp
 rmon collection stats 6055 owner monitor
!
interface GigabitEthernet5/1
 no ip address
 shutdown
 rmon collection stats 6056 owner monitor
!
interface GigabitEthernet5/2
 no ip address
 shutdown
 rmon collection stats 6057 owner monitor
!
interface GigabitEthernet5/3
 switchport
 switchport access vlan 146
 switchport mode access
 speed 1000
 duplex full
 rmon collection stats 6058 owner monitor
!
interface TenGigabitEthernet5/4
 no ip address
 shutdown
 rmon collection stats 6059 owner monitor
!
interface TenGigabitEthernet5/5
 no ip address
 shutdown
 rmon collection stats 6060 owner monitor
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan146
 ip address x.26.147.210 255.255.254.0
 ip access-group 133 in
 ip access-group 134 out
!
interface Vlan3001
 mtu 9216
 ip address 10.8.33.5 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.26.146.1
ip route 10.8.0.0 255.255.0.0 10.8.33.2
ip route 10.8.0.0 255.255.0.0 10.8.33.3
!
!
no ip http server
no ip http secure-server
ip tacacs source-interface GigabitEthernet5/3
!
ip access-list extended coppacl-filemanagement
 remark CoPP File transfer traffic class
 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.210 gt 1023 established
 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.210 gt 1023
 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.210 gt 1023 established
 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.210 gt 1023
ip access-list extended coppacl-management
 remark CoPP management traffic class
 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.210 established
 permit tcp x.26.0.0 0.0.255.255 host x.26.146.210 eq 22
 permit tcp x.26.0.0 0.0.255.255 host x.26.146.210 eq telnet
 permit udp x.26.0.0 0.0.255.255 host x.26.146.210 eq snmp
 permit udp x.26.0.0 0.0.255.255 host x.26.146.210 eq ntp
!
kron occurrence daily-config-backup at 0:05 recurring
 policy-list backup-config
!
kron policy-list backup-config
 cli write memory
!
logging trap critical
logging source-interface GigabitEthernet5/3
logging x.26.191.94
access-list 10 permit x.26.191.92
access-list 10 remark a 100-second quiet period if 5 failed login attempts is exceeded
access-list 111 remark ACL for SSH
access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22
access-list 111 deny   ip any any log-input
access-list 112 remark ACL for last resort access
access-list 112 permit tcp host x.26.191.92 any eq 22
access-list 112 deny   ip any any log-input
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 ttl-exceeded
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 port-unreachable
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 echo-reply
access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 echo
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.147.210 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.210 eq tacacs
access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.147.210 eq ntp
access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.210 eq 22
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.147.210 gt 1023 established
access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.147.210 gt 1023
access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.210 gt 1023 established
access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.210 gt 1023
access-list 134 permit ip host x.26.147.210 x.26.0.0 0.0.255.255
access-list 134 deny   ip any any log
!
!
!
!
snmp-server engineID local 8000000903000021D72C4400
snmp-server enable traps cpu threshold
snmp-server host x.26.191.94 public  cpu
tacacs-server host x.26.191.94 single-connection key 7 104D000A061843595F
tacacs-server directed-request
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner login ^C UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.
All activities performed on this device are logged and monitored.
^C
!
line con 0
 login authentication authen-exec-list
line vty 0 3
 access-class 111 in
 exec-timeout 0 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input ssh
 transport output none
line vty 4
 access-class 112 in
 exec-timeout 0 0
 password 7 <encrypted password>
 authorization commands 15 author-15-list
 authorization exec author-exec-list
 login authentication authen-exec-list
 transport preferred none
 transport input ssh
 transport output none
line vty 5 15
 exec-timeout 0 0
 transport input lat pad udptn telnet rlogin ssh
!
exception protocol ftp
exception dump x.26.129.252
!
monitor session 1 type erspan-source
 shutdown
 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 1 **>>
 source vlan 3001
 destination
  erspan-id 1
  ip address 10.8.33.5
  origin ip address 10.8.3.100
!
!
monitor session 2 type erspan-source
 shutdown
 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 2 **>>
 source vlan 3001
 destination
  erspan-id 2
  ip address 10.8.33.5
  origin ip address 10.8.3.100
!
!
monitor session 3 type erspan-destination
 shutdown 
 description <** N1k ERSPAN to NAM - originating from dcesx4n1  **>>
 destination analysis-module 9 data-port 2
 source
  erspan-id 1
  ip address 10.8.33.5
!
!
monitor session 4 type erspan-destination
 shutdown
 description <** N1k ERSPAN to IDS-1 - originating from dcesx4n1  **>>
 destination interface Gi3/26
 source
  erspan-id 2
  ip address 10.8.33.5
!
!
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
process cpu statistics limit entry-percentage 40 size 300
ntp clock-period 17179808
ntp server x.26.129.252
mac-address-table aging-time 480
!
end       
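
The vty stanzas in the two Service Switch listings above differ in their transport, access-class, idle-timeout and login settings. The Python sketch below is an added example, not part of the release notes or of any Cisco tool; it parses `line` stanzas and applies four checks, and the function names and the choice of checks are assumptions made for illustration.

```python
import re

# vty stanzas copied from the Service Switch 1 listing above, trimmed to the
# sub-commands the checks below read.
SS1_LINES = """\
line vty 0 3
 exec-timeout 180 0
 login authentication authen-exec-list
 transport input all
line vty 4
 exec-timeout 180 0
 login authentication authen-exec-list
 transport input all
line vty 5 15
 login authentication authen-exec-list
 no exec
 transport input all
"""

# vty stanzas copied from the Service Switch 2 listing above, trimmed the same way.
SS2_LINES = """\
line vty 0 3
 access-class 111 in
 exec-timeout 0 0
 login authentication authen-exec-list
 transport input ssh
line vty 4
 access-class 112 in
 exec-timeout 0 0
 login authentication authen-exec-list
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input lat pad udptn telnet rlogin ssh
"""


def parse_line_stanzas(config):
    """Return {"vty 0 3": [sub-commands, ...]} for every `line ...` stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level command ends the stanza
    return stanzas


def audit_vty(cmds):
    """Apply four hardening checks (hypothetical rule set) to one vty stanza."""
    findings = []
    transport = next(
        (c.split()[2:] for c in cmds if c.startswith("transport input ")), None
    )
    if transport is None:
        findings.append("no 'transport input' set (platform default applies)")
    elif set(transport) - {"ssh", "none"}:
        findings.append("transport input allows non-SSH: " + " ".join(transport))
    if not any(re.match(r"access-class \S+ in$", c) for c in cmds):
        findings.append("no inbound access-class")
    if any(re.match(r"(no exec-timeout|exec-timeout 0( 0)?)$", c) for c in cmds):
        findings.append("idle timeout disabled (exec-timeout 0 0)")
    if not any(c.startswith("login authentication ") for c in cmds):
        findings.append("no named 'login authentication' list (default list applies)")
    return findings


def audit(config):
    """Return {stanza name: [findings]} for every vty stanza in the config text."""
    return {
        name: audit_vty(cmds)
        for name, cmds in parse_line_stanzas(config).items()
        if name.startswith("vty")
    }


if __name__ == "__main__":
    for label, text in (("Service Switch 1", SS1_LINES), ("Service Switch 2", SS2_LINES)):
        print(label)
        for name, findings in audit(text).items():
            print(f"  line {name}: " + ("; ".join(findings) or "no findings"))
```

The parser also accepts a full `show running-config` capture, since any top-level command or `!` separator ends the current stanza.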

Services Layer ACE

ACE 1

switch/Admin# sh run
Generating configuration....


logging enable
logging standby
logging timestamp
logging buffered 5



login timeout 0
boot system image:c6ace-t1k9-mz.A2_2_0.bin

resource-class dc-gold
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited

clock timezone standard EST
clock summer-time standard EDT

access-list IPANYANY line 8 extended permit ip any any 
access-list IPANYANY line 16 extended permit icmp any any 
access-list ipanyany line 8 extended permit ip any any 


probe icmp ICMPProbe
  description Ping probe


class-map type management match-any MANAGEMENT
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol icmp any
  7 match protocol https any
  8 match protocol http any
class-map type management match-all class-Query
  2 match protocol icmp source-address 10.8.99.0 255.255.255.0

policy-map type management first-match MANAGEMENT
  class MANAGEMENT
    permit
policy-map type management first-match QUERY
  class class-Query
    permit

interface vlan 146
  ip address x.26.146.140 255.255.254.0
  peer ip address x.26.146.141 255.255.254.0
  service-policy input MANAGEMENT
  no shutdown

ft interface vlan 170
  ip address 10.8.170.1 255.255.255.0
  peer ip address 10.8.170.2 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 100
  heartbeat count 10
  ft-interface vlan 170

ip route 0.0.0.0 0.0.0.0 x.26.146.1
ip route x.26.129.252 255.255.255.255 x.26.146.1

context dca-ace-one
  description ** ACE Transparent Mode - **
  allocate-interface vlan 146
  allocate-interface vlan 162-163
  allocate-interface vlan 190-191
  member dc-gold
context dca-ace-two
  description ** 2nd ACE Transp. context **
  allocate-interface vlan 146
  allocate-interface vlan 152-153

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor

  
ft group 1
  peer 1
  priority 150
  peer priority 50
ft group 2
  peer 1
  priority 150
  peer priority 50
  associate-context dca-ace-one
  inservice
ft group 3
  peer 1
  priority 50
  peer priority 150
  associate-context dca-ace-two
  inservice
username admin password 5 <encrypted password>  role Admin domain default-domain 
username www password 5 <encrypted password>  role Admin domain default-domain 

switch/Admin# 



switch/Admin# changeto dca-ace-one
switch/dca-ace-one# sh run
Generating configuration....


logging enable
logging standby
logging timestamp
logging buffered 5
switch-mode



crypto csr-params CSR_PARAMS_1
  country US
  state North Carolina
  locality RTP
  organization-name ESE
  organization-unit BANK VAULT
  common-name crackme.com
crypto csr-params CSR_ORACLE12i
  country US
  state North Carolina
  locality RTP
  organization-name ESE
  organization-unit OracleApps
  common-name oapp.eselab.com
access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any 
access-list ALLOW_TRAFFIC line 16 extended permit ospf any any 
access-list ALLOW_TRAFFIC line 48 extended permit ip any any 
access-list test line 2 extended permit tcp 10.7.53.0 255.255.255.0 any 
access-list test line 3 extended permit tcp any 10.7.53.0 255.255.255.0 


probe http 12i
  description probes Oracle front end
  port 8000
  interval 5
  passdetect interval 5
  passdetect count 5
  expect status 200 200
probe http CRACKME
  port 81
  interval 2
  passdetect interval 5
  request method get url /Kelev/view/home.php
  expect status 200 200
probe icmp TrackHostProbe
  description this is a ping probe
  interval 2
  faildetect 1
  passdetect interval 2
  passdetect count 1
  receive 1
probe http UBER
  port 8081
  interval 2
  passdetect interval 5
  request method get url /Kelev/view/home.php
  expect status 200 200


parameter-map type http PERSIST
  persistence-rebalance
parameter-map type http cookiesecurity
  case-insensitive
  header modify per-request
  set header-maxparse-length 65535
parameter-map type ssl test
  session-cache timeout 1800
  version TLS1

action-list type modify http HTTPONLY
  header rewrite response Set-Cookie header-value "(.*)*secure*(.*)*" replace "%1secure; HTTPOnly;"

rserver redirect OAPP-Redirect
  description Oracle Login Redirection
  webhost-redirection https://oapp.eselab.com/OA_HTML/AppsLocalLogin.jsp
  inservice
rserver host dc-wae1
  ip address 10.8.191.101
  inservice
rserver host dc-wae2
  ip address 10.8.191.102
  inservice
rserver host ix_server800
  ip address 10.8.180.100
  inservice
rserver host ix_server801
  ip address 10.8.180.101
  inservice
rserver host ix_server802
  ip address 10.8.180.102
  inservice
rserver host ix_server803
  ip address 10.8.180.103
  inservice
rserver host ix_server804
  ip address 10.8.180.104
  inservice
rserver host ix_server805
  ip address 10.8.180.105
  inservice
rserver host ix_server806
  ip address 10.8.180.106
  inservice
rserver host ix_server807
  ip address 10.8.180.107
  inservice
rserver host ix_server808
  ip address 10.8.180.108
  inservice
rserver host ix_server809
  ip address 10.8.180.109
  inservice
rserver host oelnode1
  ip address 10.8.180.250
  inservice
rserver host oelnode2
  ip address 10.8.180.252
  inservice
rserver host oelnode3
  ip address 10.8.180.253
  inservice
rserver host tbox1
  ip address 10.8.180.8
  inservice
rserver host uber0
  ip address 10.8.180.230
  inservice
rserver host uber1
  description USING 10.8.141.231 IP ADDRESS
  ip address 10.8.180.231
rserver host uber2
  ip address 10.8.180.232
rserver host uber3
  ip address 10.8.180.233
rserver host uber4
  ip address 10.8.180.234
rserver host uber5
  ip address 10.8.180.235
rserver host waf1
  ip address 10.8.190.210
  inservice
rserver host waf2
  ip address 10.8.190.211
  inservice
rserver host websrv1
  ip address 10.8.180.153
  inservice

ssl-proxy service SSL_OAPP
  key oappkey
  cert oapp-cert.pem
ssl-proxy service SSL_PSERVICE_CRACKME
  key my2048RSAkey.PEM
  cert crackme-cert.pem

serverfarm redirect sf-oapp-redirect
  rserver OAPP-Redirect
    inservice
serverfarm host sf_180
  rserver ix_server800
    inservice
  rserver ix_server801
    inservice
  rserver ix_server802
    inservice
  rserver ix_server803
    inservice
  rserver ix_server804
    inservice
  rserver ix_server805
    inservice
  rserver ix_server806
    inservice
  rserver ix_server807
    inservice
  rserver ix_server808
    inservice
  rserver ix_server809
    inservice
serverfarm host sf_bank
  rserver tbox1 8081
    inservice
  rserver uber0 8081
    inservice
  rserver uber1 8081
  rserver uber2 8081
    inservice
  rserver uber3 8081
    inservice
  rserver uber4 8081
    inservice
  rserver uber5 8081
    inservice
serverfarm host sf_books
  rserver uber0 8989
    inservice
serverfarm host sf_oapp
  predictor leastconns
  rserver oelnode1 8000
    inservice
  rserver oelnode2 8000
    inservice
  rserver oelnode3 8000
    inservice
serverfarm host sf_wae
  transparent
  predictor hash address source 255.255.255.255
  probe TrackHostProbe
  rserver dc-wae1
    inservice
  rserver dc-wae2
    inservice
serverfarm host sf_waf
  rserver waf1 81
    inservice
  rserver waf2 81
    probe TrackHostProbe
    inservice
serverfarm host sf_waf_books
  rserver waf1 82
  rserver waf2 82
    inservice

sticky http-cookie wafcookie wafstkygrp
  cookie insert
  replicate sticky
  serverfarm sf_waf
sticky http-cookie bankcookie bnkstygrp
  cookie insert
  replicate sticky
  serverfarm sf_bank
sticky http-cookie oracookie oapp-stkygrp
  cookie insert
  timeout 720
  replicate sticky
  serverfarm sf_oapp

class-map type management match-any ANMManagement
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol telnet any
class-map match-all ANY_TCP
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
class-map match-all L4_HTTPS_VIP_ADDRESS
  2 match virtual-address 10.8.162.200 tcp eq https
class-map match-all L4_HTTP_VIP_ADDRESS
  2 match virtual-address 10.8.162.200 tcp eq www
class-map match-all L4_OAPP_VIP
  2 match virtual-address 10.8.162.250 tcp any
class-map match-all OELNODES
  2 match source-address 10.8.180.0 255.255.255.0
class-map match-all VIP_180
  description *VIP for VLAN 180*
  2 match virtual-address 10.8.162.100 any
class-map match-all cm-acl-tcp
  2 match access-list test

policy-map type management first-match ANMManagement
  class ANMManagement
    permit

policy-map type loadbalance first-match pm-forward
  class class-default
    forward
policy-map type loadbalance http first-match pm-oapp
  class class-default
    sticky-serverfarm oapp-stkygrp
    action HTTPONLY
    insert-http ACEForwarded header-value "%is"
policy-map type loadbalance first-match pm-slb
  class class-default
    serverfarm sf_180
policy-map type loadbalance first-match pm-waas
  class class-default
    serverfarm sf_wae
policy-map type loadbalance http first-match pm-waf
  class class-default
    sticky-serverfarm wafstkygrp
    insert-http ACEForwarded header-value "%is"
policy-map type loadbalance http first-match pm-waf2
  class class-default
    serverfarm sf_waf_books
policy-map type loadbalance first-match pm-webbank
  class class-default
    sticky-serverfarm bnkstygrp
policy-map type loadbalance first-match pm_books
  class class-default
    serverfarm sf_books

policy-map multi-match L4_LB_VIP_HTTP_POLICY
  class L4_HTTP_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-webbank
    loadbalance vip icmp-reply
policy-map multi-match LB_WAAS_POLICY
  class ANY_TCP
    loadbalance vip inservice
    loadbalance policy pm-waas
    loadbalance vip icmp-reply
  class L4_HTTP_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-waas
  class L4_OAPP_VIP
    loadbalance vip inservice
    loadbalance policy pm-waas
    loadbalance vip icmp-reply
policy-map multi-match aggregate-slb-policy
  class VIP_180
    loadbalance vip inservice
    loadbalance policy pm-slb
    loadbalance vip icmp-reply
    loadbalance vip advertise active
  class L4_HTTP_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-waf
    loadbalance vip icmp-reply
  class L4_HTTPS_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-waf
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PSERVICE_CRACKME
  class L4_OAPP_VIP
    loadbalance vip inservice
    loadbalance policy pm-oapp
    loadbalance vip icmp-reply
    appl-parameter http advanced-options cookiesecurity
    ssl-proxy server SSL_OAPP
  class ANY_TCP
    loadbalance vip inservice
    loadbalance policy pm-forward

interface vlan 146
  ip address x.26.146.142 255.255.254.0
  peer ip address x.26.146.143 255.255.254.0
  service-policy input ANMManagement
  no shutdown
interface vlan 162
  description ** North Side facing FWSM **
  bridge-group 161
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  service-policy input LB_WAAS_POLICY
  no shutdown
interface vlan 163
  description ** South Side facing Servers **
  bridge-group 161
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  no shutdown
interface vlan 190
  ip address 10.8.190.2 255.255.255.0
  alias 10.8.190.1 255.255.255.0
  peer ip address 10.8.190.3 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input ALLOW_TRAFFIC
  service-policy input L4_LB_VIP_HTTP_POLICY
  service-policy input LB_WAAS_POLICY
  no shutdown
interface vlan 191
  description waas farm vlan 191
  ip address 10.8.191.2 255.255.255.0
  alias 10.8.191.1 255.255.255.0
  peer ip address 10.8.191.3 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input ALLOW_TRAFFIC
  service-policy input aggregate-slb-policy
  no shutdown

interface bvi 161
  ip address 10.8.162.20 255.255.255.0
  alias 10.8.162.22 255.255.255.0
  peer ip address 10.8.162.21 255.255.255.0
  no shutdown
  
ft track interface  TrackVlan163
  track-interface vlan 163
  peer track-interface vlan 163
  priority 150
  peer priority 50

ip route 0.0.0.0 0.0.0.0 10.8.162.1
ip route 10.8.180.0 255.255.255.0 10.8.162.7

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146

switch/dca-ace-two# sh run
Generating configuration....


logging enable
logging standby
logging timestamp
logging buffered 5


access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any 
access-list ALLOW_TRAFFIC line 16 extended permit ospf any any 
access-list ALLOW_TRAFFIC line 48 extended permit ip any any 


probe icmp TrackHostProbe
  description this is a ping probe
  interval 2
  faildetect 1
  passdetect interval 2
  passdetect count 1
  receive 1


rserver host ix_server810
  ip address 10.8.181.100
  inservice
rserver host ix_server811
  ip address 10.8.181.101
  inservice
rserver host ix_server812
  ip address 10.8.181.102
  inservice
rserver host ix_server813
  ip address 10.8.181.103
  inservice
rserver host ix_server814
  ip address 10.8.181.104
  inservice
rserver host ix_server815
  ip address 10.8.181.105
  inservice
rserver host ix_server816
  ip address 10.8.181.106
  inservice
rserver host ix_server817
  ip address 10.8.181.107
  inservice
rserver host ix_server818
  ip address 10.8.181.108
  inservice
rserver host ix_server819
  ip address 10.8.181.109
  inservice

serverfarm host sf_181
  probe TrackHostProbe
  rserver ix_server810
    inservice
  rserver ix_server811
    inservice
  rserver ix_server812
    inservice
  rserver ix_server813
    inservice
  rserver ix_server814
    inservice
  rserver ix_server815
    inservice
  rserver ix_server816
    inservice
  rserver ix_server817
    inservice
  rserver ix_server818
    inservice
  rserver ix_server819
    inservice

class-map type management match-any ANMManagement
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol telnet any
class-map match-all VIP_181
  description *VIP for VLAN 181*
  2 match virtual-address 10.8.152.100 any

policy-map type management first-match ANMManagement
  class ANMManagement
    permit

policy-map type loadbalance first-match pm-slb1
  class class-default
    serverfarm sf_181

policy-map multi-match aggregate-slb-policy
  class VIP_181
    loadbalance vip inservice
    loadbalance policy pm-slb1
    loadbalance vip icmp-reply
    loadbalance vip advertise active

interface vlan 146
  ip address x.26.146.252 255.255.254.0
  peer ip address x.26.146.253 255.255.254.0
  service-policy input ANMManagement
  no shutdown
interface vlan 152
  description ** North Side facing FWSM2 **
  bridge-group 151
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  service-policy input aggregate-slb-policy
  no shutdown
interface vlan 153
  description ** South Side facing Servers2 **
  bridge-group 151
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  no shutdown

interface bvi 151
  ip address 10.8.152.20 255.255.255.0
  alias 10.8.152.22 255.255.255.0
  peer ip address 10.8.152.21 255.255.255.0
  no shutdown
  
ft track interface  TrackVlan153
  track-interface vlan 153
  peer track-interface vlan 153
  priority 150
  peer priority 50

ip route 10.8.181.0 255.255.255.0 10.8.152.7
ip route 0.0.0.0 0.0.0.0 10.8.152.1

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146


ACE 2

switch/Admin# sh run
Generating configuration....


logging enable
logging standby
logging timestamp
logging buffered 5


boot system image:c6ace-t1k9-mz.A2_2_0.bin

resource-class dc-gold
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited

clock timezone standard EST
clock summer-time standard EDT

access-list IPANYANY line 8 extended permit ip any any 
access-list IPANYANY line 16 extended permit icmp any any 
access-list ipanyany line 8 extended permit ip any any 


probe icmp ICMPProbe
  description Ping probe


class-map type management match-any MANAGEMENT
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol icmp any
  7 match protocol https any
  8 match protocol http any
class-map type management match-all class-Query
  2 match protocol icmp source-address 10.8.99.0 255.255.255.0

policy-map type management first-match MANAGEMENT
  class MANAGEMENT
    permit
policy-map type management first-match QUERY
  class class-Query
    permit

interface vlan 146
  ip address x.26.146.141 255.255.254.0
  peer ip address x.26.146.140 255.255.254.0
  service-policy input MANAGEMENT
  no shutdown

ft interface vlan 170
  ip address 10.8.170.2 255.255.255.0
  peer ip address 10.8.170.1 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 100
  heartbeat count 10
  ft-interface vlan 170
ft group 1
  peer 1
  priority 50
  peer priority 150
  associate-context Admin
  inservice

ip route 0.0.0.0 0.0.0.0 x.26.146.1
ip route x.26.129.252 255.255.255.255 x.26.146.1

context dca-ace-one
  description ** ACE Transparent Mode - **
  allocate-interface vlan 146
  allocate-interface vlan 162-163
  allocate-interface vlan 190-191
  member dc-gold
context dca-ace-two
  description ** 2nd ACE Transp. context **
  allocate-interface vlan 146
  allocate-interface vlan 152-153

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor

  
ft group 2
  peer 1
  priority 50
  peer priority 150
  associate-context dca-ace-one
  inservice
ft group 3
  peer 1
  priority 150
  peer priority 50
  associate-context dca-ace-two
  inservice
username admin password 5 <encrypted password> role Admin domain default-domain
username www password 5 <encrypted password> role Admin domain default-domain 

switch/Admin# 

switch/dca-ace-one# sh run
Generating configuration....


logging enable
logging standby
logging timestamp
logging buffered 5
switch-mode



crypto csr-params CSR_PARAMS_1
  country US
  state North Carolina
  locality RTP
  organization-name ESE
  organization-unit BANK VAULT
  common-name crackme.com
crypto csr-params CSR_ORACLE12i
  country US
  state North Carolina
  locality RTP
  organization-name ESE
  organization-unit OracleApps
  common-name oapp.eselab.com
access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any 
access-list ALLOW_TRAFFIC line 16 extended permit ospf any any 
access-list ALLOW_TRAFFIC line 48 extended permit ip any any 
access-list test line 2 extended permit tcp 10.7.53.0 255.255.255.0 any 
access-list test line 3 extended permit tcp any 10.7.53.0 255.255.255.0 


probe http 12i
  description probes Oracle front end
  port 8000
  interval 5
  passdetect interval 5
  passdetect count 5
  expect status 200 200
probe http CRACKME
  port 81
  interval 2
  passdetect interval 5
  request method get url /Kelev/view/home.php
  expect status 200 200
probe icmp TrackHostProbe
  description this is a ping probe
  interval 2
  faildetect 1
  passdetect interval 2
  passdetect count 1
  receive 1
probe http UBER
  port 8081
  interval 2
  passdetect interval 5
  request method get url /Kelev/view/home.php
  expect status 200 200


parameter-map type http PERSIST
  persistence-rebalance
parameter-map type http cookiesecurity
  case-insensitive
  header modify per-request
  set header-maxparse-length 65535
parameter-map type ssl test
  session-cache timeout 1800
  version TLS1

action-list type modify http HTTPONLY
  header rewrite response Set-Cookie header-value "(.*)*secure*(.*)*" replace "%1secure; HTTPOnly;"

rserver redirect OAPP-Redirect
  description Oracle Login Redirection
  webhost-redirection https://oapp.eselab.com/OA_HTML/AppsLocalLogin.jsp
  inservice
rserver host dc-wae1
  ip address 10.8.191.101
  inservice
rserver host dc-wae2
  ip address 10.8.191.102
  inservice
rserver host ix_server800
  ip address 10.8.180.100
  inservice
rserver host ix_server801
  ip address 10.8.180.101
  inservice
rserver host ix_server802
  ip address 10.8.180.102
  inservice
rserver host ix_server803
  ip address 10.8.180.103
  inservice
rserver host ix_server804
  ip address 10.8.180.104
  inservice
rserver host ix_server805
  ip address 10.8.180.105
  inservice
rserver host ix_server806
  ip address 10.8.180.106
  inservice
rserver host ix_server807
  ip address 10.8.180.107
  inservice
rserver host ix_server808
  ip address 10.8.180.108
  inservice
rserver host ix_server809
  ip address 10.8.180.109
  inservice
rserver host oelnode1
  ip address 10.8.180.250
  inservice
rserver host oelnode2
  ip address 10.8.180.252
  inservice
rserver host oelnode3
  ip address 10.8.180.253
  inservice
rserver host tbox1
  ip address 10.8.180.8
  inservice
rserver host uber0
  ip address 10.8.180.230
  inservice
rserver host uber1
  description USING 10.8.141.231 IP ADDRESS
  ip address 10.8.180.231
rserver host uber2
  ip address 10.8.180.232
rserver host uber3
  ip address 10.8.180.233
rserver host uber4
  ip address 10.8.180.234
rserver host uber5
  ip address 10.8.180.235
rserver host waf1
  ip address 10.8.190.210
  inservice
rserver host waf2
  ip address 10.8.190.211
  inservice
rserver host websrv1
  ip address 10.8.180.153
  inservice

ssl-proxy service SSL_OAPP
  key oappkey
  cert oapp-cert.pem
ssl-proxy service SSL_PSERVICE_CRACKME
  key my2048RSAkey.PEM
  cert crackme-cert.pem

serverfarm redirect sf-oapp-redirect
  rserver OAPP-Redirect
    inservice
serverfarm host sf_180
  rserver ix_server800
    inservice
  rserver ix_server801
    inservice
  rserver ix_server802
    inservice
  rserver ix_server803
    inservice
  rserver ix_server804
    inservice
  rserver ix_server805
    inservice
  rserver ix_server806
    inservice
  rserver ix_server807
    inservice
  rserver ix_server808
    inservice
  rserver ix_server809
    inservice
serverfarm host sf_bank
  rserver tbox1 8081
    inservice
  rserver uber0 8081
    inservice
  rserver uber1 8081
  rserver uber2 8081
    inservice
  rserver uber3 8081
    inservice
  rserver uber4 8081
    inservice
  rserver uber5 8081
    inservice
serverfarm host sf_books
  rserver uber0 8989
    inservice
serverfarm host sf_oapp
  predictor leastconns
  rserver oelnode1 8000
    inservice
  rserver oelnode2 8000
    inservice
  rserver oelnode3 8000
    inservice
serverfarm host sf_wae
  transparent
  predictor hash address source 255.255.255.255
  probe TrackHostProbe
  rserver dc-wae1
    inservice
  rserver dc-wae2
    inservice
serverfarm host sf_waf
  rserver waf1 81
    inservice
  rserver waf2 81
    probe TrackHostProbe
    inservice
serverfarm host sf_waf_books
  rserver waf1 82
  rserver waf2 82
    inservice

sticky http-cookie wafcookie wafstkygrp
  cookie insert
  replicate sticky
  serverfarm sf_waf
sticky http-cookie bankcookie bnkstygrp
  cookie insert
  replicate sticky
  serverfarm sf_bank
sticky http-cookie oracookie oapp-stkygrp
  cookie insert
  timeout 720
  replicate sticky
  serverfarm sf_oapp

class-map type management match-any ANMManagement
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol telnet any
class-map match-all ANY_TCP
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
class-map match-all L4_HTTPS_VIP_ADDRESS
  2 match virtual-address 10.8.162.200 tcp eq https
class-map match-all L4_HTTP_VIP_ADDRESS
  2 match virtual-address 10.8.162.200 tcp eq www
class-map match-all L4_OAPP_VIP
  2 match virtual-address 10.8.162.250 tcp any
class-map match-all OELNODES
  2 match source-address 10.8.180.0 255.255.255.0
class-map match-all VIP_180
  description *VIP for VLAN 180*
  2 match virtual-address 10.8.162.100 any
class-map match-all cm-acl-tcp
  2 match access-list test

policy-map type management first-match ANMManagement
  class ANMManagement
    permit

policy-map type loadbalance first-match pm-forward
  class class-default
    forward
policy-map type loadbalance http first-match pm-oapp
  class class-default
    sticky-serverfarm oapp-stkygrp
    action HTTPONLY
    insert-http ACEForwarded header-value "%is"
policy-map type loadbalance first-match pm-slb
  class class-default
    serverfarm sf_180
policy-map type loadbalance first-match pm-waas
  class class-default
    serverfarm sf_wae
policy-map type loadbalance http first-match pm-waf
  class class-default
    sticky-serverfarm wafstkygrp
    insert-http ACEForwarded header-value "%is"
policy-map type loadbalance http first-match pm-waf2
  class class-default
    serverfarm sf_waf_books
policy-map type loadbalance first-match pm-webbank
  class class-default
    sticky-serverfarm bnkstygrp
policy-map type loadbalance first-match pm_books
  class class-default
    serverfarm sf_books

policy-map multi-match L4_LB_VIP_HTTP_POLICY
  class L4_HTTP_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-webbank
    loadbalance vip icmp-reply
policy-map multi-match LB_WAAS_POLICY
  class ANY_TCP
    loadbalance vip inservice
    loadbalance policy pm-waas
    loadbalance vip icmp-reply
  class L4_HTTP_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-waas
  class L4_OAPP_VIP
    loadbalance vip inservice
    loadbalance policy pm-waas
    loadbalance vip icmp-reply
policy-map multi-match aggregate-slb-policy
  class VIP_180
    loadbalance vip inservice
    loadbalance policy pm-slb
    loadbalance vip icmp-reply
    loadbalance vip advertise active
  class L4_HTTP_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-waf
    loadbalance vip icmp-reply
  class L4_HTTPS_VIP_ADDRESS
    loadbalance vip inservice
    loadbalance policy pm-waf
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PSERVICE_CRACKME
  class L4_OAPP_VIP
    loadbalance vip inservice
    loadbalance policy pm-oapp
    loadbalance vip icmp-reply
    appl-parameter http advanced-options cookiesecurity
    ssl-proxy server SSL_OAPP
  class ANY_TCP
    loadbalance vip inservice
    loadbalance policy pm-forward

interface vlan 146
  ip address x.26.146.143 255.255.254.0
  peer ip address x.26.146.142 255.255.254.0
  service-policy input ANMManagement
  no shutdown
interface vlan 162
  description ** North Side facing FWSM **
  bridge-group 161
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  service-policy input LB_WAAS_POLICY
  no shutdown
interface vlan 163
  description ** South Side facing Servers **
  bridge-group 161
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  no shutdown
interface vlan 190
  ip address 10.8.190.3 255.255.255.0
  alias 10.8.190.1 255.255.255.0
  peer ip address 10.8.190.2 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input ALLOW_TRAFFIC
  service-policy input L4_LB_VIP_HTTP_POLICY
  service-policy input LB_WAAS_POLICY
  no shutdown
interface vlan 191
  description waas farm vlan 191
  ip address 10.8.191.3 255.255.255.0
  alias 10.8.191.1 255.255.255.0
  peer ip address 10.8.191.2 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input ALLOW_TRAFFIC
  service-policy input aggregate-slb-policy
  no shutdown

interface bvi 161
  ip address 10.8.162.21 255.255.255.0
  alias 10.8.162.22 255.255.255.0
  peer ip address 10.8.162.20 255.255.255.0
  no shutdown
  
ft track interface  TrackVlan163
  track-interface vlan 163
  peer track-interface vlan 163
  priority 50
  peer priority 150

ip route 0.0.0.0 0.0.0.0 10.8.162.1
ip route 10.8.180.0 255.255.255.0 10.8.162.7

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146


switch/dca-ace-two# sh run
Generating configuration....


logging enable
logging standby
logging timestamp
logging buffered 5


access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any 
access-list ALLOW_TRAFFIC line 16 extended permit ospf any any 
access-list ALLOW_TRAFFIC line 48 extended permit ip any any 


probe icmp TrackHostProbe
  description this is a ping probe
  interval 2
  faildetect 1
  passdetect interval 2
  passdetect count 1
  receive 1


rserver host ix_server810
  ip address 10.8.181.100
  inservice
rserver host ix_server811
  ip address 10.8.181.101
  inservice
rserver host ix_server812
  ip address 10.8.181.102
  inservice
rserver host ix_server813
  ip address 10.8.181.103
  inservice
rserver host ix_server814
  ip address 10.8.181.104
  inservice
rserver host ix_server815
  ip address 10.8.181.105
  inservice
rserver host ix_server816
  ip address 10.8.181.106
  inservice
rserver host ix_server817
  ip address 10.8.181.107
  inservice
rserver host ix_server818
  ip address 10.8.181.108
  inservice
rserver host ix_server819
  ip address 10.8.181.109
  inservice

serverfarm host sf_181
  probe TrackHostProbe
  rserver ix_server810
    inservice
  rserver ix_server811
    inservice
  rserver ix_server812
    inservice
  rserver ix_server813
    inservice
  rserver ix_server814
    inservice
  rserver ix_server815
    inservice
  rserver ix_server816
    inservice
  rserver ix_server817
    inservice
  rserver ix_server818
    inservice
  rserver ix_server819
    inservice

class-map type management match-any ANMManagement
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol telnet any
class-map match-all VIP_181
  description *VIP for VLAN 181*
  2 match virtual-address 10.8.152.100 any

policy-map type management first-match ANMManagement
  class ANMManagement
    permit

policy-map type loadbalance first-match pm-slb1
  class class-default
    serverfarm sf_181

policy-map multi-match aggregate-slb-policy
  class VIP_181
    loadbalance vip inservice
    loadbalance policy pm-slb1
    loadbalance vip icmp-reply
    loadbalance vip advertise active

interface vlan 146
  ip address x.26.146.253 255.255.254.0
  peer ip address x.26.146.252 255.255.254.0
  service-policy input ANMManagement
  no shutdown
interface vlan 152
  description ** North Side facing FWSM2 **
  bridge-group 151
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  service-policy input aggregate-slb-policy
  no shutdown
interface vlan 153
  description ** South Side facing Servers2 **
  bridge-group 151
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input BPDU
  access-group input ALLOW_TRAFFIC
  no shutdown

interface bvi 151
  ip address 10.8.152.21 255.255.255.0
  alias 10.8.152.22 255.255.255.0
  peer ip address 10.8.152.20 255.255.255.0
  no shutdown
  
ft track interface  TrackVlan153
  track-interface vlan 153
  peer track-interface vlan 153
  priority 50
  peer priority 150

ip route 10.8.181.0 255.255.255.0 10.8.152.7
ip route 0.0.0.0 0.0.0.0 10.8.152.1

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146


switch/dca-ace-two#    


Services Layer IPS

IPS 1

dca-ips1# sh configuration 
! ------------------------------       
! Current configuration last modified Thu Mar 05 14:27:20 2009
! ------------------------------
! Version 6.2(1)
! Host:                                         
!     Realm Keys          key1.0                
! Signature Definition:                         
!     Signature Update    S386.0   2009-03-09   
!     Virus Update        V1.4     2007-03-02   
! ------------------------------
service interface
physical-interfaces GigabitEthernet3/0 
admin-state disabled
subinterface-type none
exit
physical-interfaces GigabitEthernet3/3 
description to ss1 gig3/26
admin-state enabled
duplex auto
speed auto
default-vlan 0
alt-tcp-reset-interface none
exit
physical-interfaces TenGigabitEthernet7/0 
description to ss2
admin-state disabled
duplex auto
speed auto
default-vlan 0
alt-tcp-reset-interface none
subinterface-type inline-vlan-pair
subinterface 1 
description to ss2
vlan1 163
vlan2 164
exit
exit
exit
physical-interfaces TenGigabitEthernet7/1 
no description
admin-state enabled
duplex auto
speed auto
default-vlan 1
alt-tcp-reset-interface none
subinterface-type inline-vlan-pair
subinterface 1 
description ss1
vlan1 163
vlan2 164
exit
exit
exit
bypass-mode auto
cdp-mode forward-cdp-packets
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline 
override-item-status Disabled
risk-rating-range 90-100
exit
overrides log-attacker-packets 
override-item-status Enabled
risk-rating-range 90-100
exit
overrides log-victim-packets 
override-item-status Enabled
risk-rating-range 90-100
exit    
overrides log-pair-packets 
override-item-status Enabled
risk-rating-range 90-100
exit
overrides produce-alert 
override-item-status Enabled
risk-rating-range 90-100
exit
overrides produce-verbose-alert 
override-item-status Enabled
risk-rating-range 1-69
exit
filters edit Q00000 
signature-id-range 1301
subsignature-id-range 0
attacker-address-range 10.8.162.20
victim-address-range 10.8.180.232
victim-port-range 8081
actions-to-remove log-attacker-packets|produce-alert|produce-verbose-alert
os-relevance relevant|not-relevant|unknown
exit
filters move Q00000 begin 
exit
! ------------------------------
service host
network-settings
host-ip x.26.146.87/24,x.26.146.1
host-name dca-ips1
telnet-option disabled
access-list 10.0.0.0/8 
access-list 64.0.0.0/8 
access-list x.0.0.0/8 
exit
time-zone-settings
offset -300
standard-time-zone-name GMT-05:00
exit
ntp-option enabled
ntp-keys 10 md5-key cisco123
ntp-servers x.26.170.13 key-id 10
exit
summertime-option disabled
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 17:20:00 
days-of-week monday 
days-of-week tuesday 
days-of-week wednesday 
days-of-week thursday 
days-of-week friday 
exit
cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
general
block-enable false
exit
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 1301 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1302 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1303 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1304 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1305 0 
engine normalizer
event-action produce-alert|modify-packet-inline
exit    
exit
signatures 1306 1 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 2 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 3 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 4 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 5 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 6 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1312 0 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1313 0 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1316 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1330 0 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 1 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 2 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 5 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 6 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 7 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 8 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 9 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 10 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 12 
engine normalizer
event-action produce-alert
exit
exit    
signatures 1330 17 
engine normalizer
event-action produce-alert
exit
exit
signatures 1330 18 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 19 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 20 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 21 
engine normalizer
event-action produce-alert|modify-packet-inline
exit    
exit
signatures 2000 0 
status
enabled false
exit
exit
signatures 2004 0 
status
enabled false
exit
exit
signatures 2007 0 
status
enabled false
exit
exit
signatures 2008 0 
status
enabled false
exit
exit
signatures 2100 0 
status
enabled false
exit
exit
signatures 2151 0 
status
enabled true
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
trusted-certificates x.26.191.99 certificate 
exit
! ------------------------------
service web-server
port 443
exit
! ------------------------------
service anomaly-detection ad0
ignore
source-ip-address-range 10.7.52.30
dest-ip-address-range 10.8.180.153,10.8.162.200
exit
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0 
physical-interface TenGigabitEthernet7/0 subinterface-number 1 
physical-interface TenGigabitEthernet7/1 subinterface-number 1 
inline-TCP-session-tracking-mode virtual-sensor
inline-TCP-evasion-protection-mode strict
exit
virtual-sensor vs1 
signature-definition sig0
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interface GigabitEthernet3/3 subinterface-number 0 
exit    
exit


IPS 2

dca-ips2# sh configuration
! ------------------------------       
! Current configuration last modified Thu Mar 05 14:03:20 2009
! ------------------------------
! Version 6.2(1)
! Host:                                         
!     Realm Keys          key1.0                
! Signature Definition:                         
!     Signature Update    S386.0   2009-03-09   
!     Virus Update        V1.4     2007-03-02   
! ------------------------------
service interface
physical-interfaces TenGigabitEthernet7/0 
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1 
no description
vlan1 163
vlan2 164
exit
exit
exit
physical-interfaces TenGigabitEthernet7/1 
description to ss2
admin-state enabled
duplex auto
speed auto
default-vlan 0
alt-tcp-reset-interface none
subinterface-type inline-vlan-pair
subinterface 1 
description ss2
vlan1 163
vlan2 164
exit
exit
exit
bypass-mode auto
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline 
override-item-status Disabled
risk-rating-range 90-100
exit
exit
! ------------------------------
service host
network-settings
host-ip x.26.146.88/24,x.26.146.1
host-name dca-ips2
telnet-option disabled
access-list 10.0.0.0/8 
access-list 64.0.0.0/8 
access-list x.0.0.0/8 
exit
time-zone-settings
offset -300
standard-time-zone-name GMT-05:00
exit
ntp-option enabled
ntp-keys 10 md5-key cisco123
ntp-servers x.26.170.13 key-id 10
exit
summertime-option recurring
summertime-zone-name GMT-05:00
exit
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 17:20:00 
days-of-week monday 
days-of-week tuesday 
days-of-week wednesday 
days-of-week thursday 
days-of-week friday 
exit
cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 1301 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1302 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1303 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1304 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1305 0 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit    
signatures 1306 1 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 2 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 3 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 4 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1306 5 
engine normalizer
event-action produce-alert|modify-packet-inline
exit    
exit
signatures 1306 6 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1312 0 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1313 0 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1316 0 
engine normalizer
event-action produce-alert
exit
exit
signatures 1330 0 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 1 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 2 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 5 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 6 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 7 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 8 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 9 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 10 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 12 
engine normalizer
event-action produce-alert
exit
exit
signatures 1330 17 
engine normalizer
event-action produce-alert
exit
exit
signatures 1330 18 
engine normalizer
event-action produce-alert|deny-packet-inline
exit
exit
signatures 1330 19 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 20 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit
signatures 1330 21 
engine normalizer
event-action produce-alert|modify-packet-inline
exit
exit    
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
trusted-certificates x.26.191.99 certificate 
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
ignore
source-ip-address-range 10.7.52.30
dest-ip-address-range 10.8.180.153,10.8.162.200
exit
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit    
! ------------------------------
service analysis-engine
virtual-sensor vs0 
physical-interface TenGigabitEthernet7/0 subinterface-number 1 
physical-interface TenGigabitEthernet7/1 subinterface-number 1 
inline-TCP-session-tracking-mode virtual-sensor
inline-TCP-evasion-protection-mode strict
exit
exit



Access Layer Nexus 5000

Nexus 5000 1

dc10-5020-1# sh run
version 4.0(1a)N1(1)
feature tacacs+
feature lacp
feature fcoe
username admin password 5 <encrypted password> role network-admin
username dma password 5 <encrypted password> role network-admin
username chris password 5 <encrypted password> role network-admin
ssh key rsa 2048 force
ntp server x.26.146.1 use-vrf management
ip host dc10-5020-1 x.26.146.191
tacacs-server key 7 "<key>"
tacacs-server host x.26.191.94 key 7 "<key>" 
aaa group server tacacs+ tacacs-group 
    server x.26.191.94 
    use-vrf management
aaa group server tacacs+ tacacs 
system default switchport
service unsupported-transceiver
ip access-list 134
  10 permit ip x.26.146.191/32 x.26.0.0/16 
  20 deny ip any any 
ip access-list 133
  10 permit icmp x.26.0.0/16 x.26.146.191/32 ttl-exceeded 
  20 permit icmp x.26.0.0/16 x.26.146.191/32 port-unreachable 
  30 permit icmp x.26.0.0/16 x.26.146.191/32 echo-reply 
  40 permit icmp x.26.0.0/16 x.26.146.191/32 echo 
  50 permit tcp x.26.0.0/16 eq tacacs x.26.146.191/32 established 
  60 permit tcp x.26.0.0/16 x.26.146.191/32 eq tacacs 
  70 permit udp x.26.0.0/16 x.26.146.191/32 eq ntp 
  80 permit tcp x.26.0.0/16 x.26.146.191/32 eq 22 
  90 permit tcp x.26.0.0/16 eq ftp x.26.146.191/32 gt 1023 established 
  100 permit tcp x.26.0.0/16 eq ftp-data x.26.146.191/32 gt 1023 
  110 permit tcp x.26.0.0/16 gt 1023 x.26.146.191/32 gt 1023 established 
  120 permit udp x.26.0.0/16 gt 1023 x.26.146.191/32 gt 1023 
  130 permit udp x.26.191.99/32 x.26.146.191/32 eq snmp 
  140 deny ip any any 
snmp-server user dma network-admin auth md5 0x9087aa934c0a90dc2e7456b14f13cb31 priv 0x9087aa934c0a90dc2e7456b14f13cb31 localizedkey
snmp-server user admin network-admin auth md5 0x9087aa934c0a90dc2e7456b14f13cb31 priv 0x9087aa934c0a90dc2e7456b14f13cb31 localizedkey
s