SAFE 1.0 Release Notes [Design Zone for Security]

This Release Notes provides a list of all platforms and software releases that were validated for the SAFE reference architecture. There are also network diagrams for each module and complete configuration for each platform.

This Release Notes document is associated with the Cisco SAFE Reference Guide available at the following URL:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.htm

The Cisco SAFE consists of design blueprints based on the Cisco Validated Designs (CVDs) and proven security best practices that provide the design guidelines for building secure and reliable network infrastructures. The design blueprint follows a modular design where the overall network infrastructure is divided into functional modules, each one representing a place-in-the network (PIN). Functional modules are then subdivided into more manageable and granular functional blocks, each serving a specific role in the network.

Cisco Platforms and Versions

This section lists the Cisco platforms and releases used for SAFE 1.0 reference architecture.

Enterprise Core


Role	Platforms	Version
Core Switch	Catalyst 6500 Series VS-S720-10G WS-X6716-10GE WS-X6148A-GE-TX	12.2(33)SXH4

Intranet Data Center


Role	Platforms	Version
Core Switch	Catalyst 6500 Series WS-X6724-SFP WS-6704-10GE VS-S720-10G	12.2(33)SXH2
Aggregation Switch	Nexus 7000 Series N7K-M132XP-12 N&K-M148GT-11 N7K-SUP1	4.1(2)
Services Layer Switch	Catalyst 6500 Series VS-S720-10G WS-6708-10GE WS-6748-GE-TX ACE20-MOD-K9 WS-SVC-NAM-2 ASA5580-40 IPS4270-20-k9 ACE-XML-K9	12.2(33)SXI A2(1.3) 4.0(1) 8.1(2) 6.2(1)E3 6.0.2-2008-09-15T22
Access Layer Switch	Catalyst 6500 Series WS-6708-10GE WS-6704-10GE WS-SVC-NAM-2 VS-S720-10G WS-X6748-GE-TX WS-C4900M WS-X4904-10GE WS-X4920-GB-RJ45 N5k-C5020P-BF N5K-M1404 WS-CBS3120G-S WS-CBS3120X-S Nexus 1000V	12.2(33)SXI 4.0(1) 12.2(46)SG 4.0(1a)N1(1) 12.2(40)EX1 12.2(40)EX1 4.0(1a)S1(0.14
Server Environments	HP DL380 G5 HP DL380 G4	VMWare 3.5u2 and 4.0(RC) Windows Server 2003 Oracle Linux 5.2 (Carthage)
Intrusion Prevention System	IPS 4270	6.1(2)E3
Firewall	ASA 5580	8.1(1)
Host-based Intrusion Prevention System	CSA	6

Enterprise Campus


Role	Platforms	Version
Core Switch	Catalyst 6500 Series VS-S720-10G WS-X6716-10GE WS-X6148A-GE-TX	12.2(33)SXH4
Distribution Layer Switch	Catalyst 6500 Series VS-S720-10G WS-X6716-10GE WS-X6148A-GE-TX Catalyst 6500 Series (For IBNS) Catalyst 4500 Series (For IBNS)	12.2(33)SXH4 12.2(33)SXI (For IBNS) 12.2(50)SG (For IBNS)
Services Block Switch	Catalyst 6500 Series WS-SUP720-BASE WS-X6416-GBIC WS-X6748-GE-TX	12.2(33)SXH4
Access Layer Switch	Catalyst 4500 Series WS-X4516-10GE WS-X4548-GB-RJ45V Catalyst 4500 Series (For IBNS) Catalyst 3750 (For IBNS)	12.2(31)SGA8 12.2(50)SG (For IBNS) 12.2(50)SE (For IBNS)
Intrusion Prevention System	IPS 4270	6.1(2)E3
Firewall	ASA 5580	8.1(1)
Host-based Intrusion Prevention System	CSA	6.0
NAC Manager	NAC3310MGR	4.1.6
NAC Server	NAC3350	4.1.6
NAC Profiler	NAC3310	2.1.8
Cisco Unified Communications Manager	MCS-7825-H2-IPC1	7.0.1
Cisco IP Phone	CP-7960	8.0(9.0)

Enterprise Internet Edge


Role	Platforms	Version
Inner Switches	Catalyst 6500 Series Sup32P-10GE WS X6516-GE-TX	12.2(18)ZYA
Outer Switches	Catalyst 6500 Series Sup720-3BXL WS-6704-10GE WS-6516-GE-TX	12.2(33)SXH4
Internet Backup Router	ASR1004	2.3.0 12.2(33)XNC
Intrusion Prevention System	IPS4260	6.1(2)E3
Firewall	ASA5580	8.1(1)
Remote-Access Termination	ASA5520	8.0(4)
Border Router	7200	12.4(20)T1
Ironport web appliance	S650	5.6
Ironport email appliance	C650	6.4
Web Application Firewall	WAF	6.0.2

Enterprise WAN Edge


Role	Platforms	Version
Unified WAN Platform	ASR1004	2.3.0 12.2(33)XNC
Intrusion Prevention System	IPS 4270	6.1(2)E3
Switch	Catalyst 3750	12.2(35)SE5

Enterprise Branch


Role	Platforms	Version
Integrated Services Router	ISR 2821, ISR 3845	12.4(20)T2
Firewall	ASA5520 ISR 2821 (IOS Zone-based Firewall)	8.0(3) 12.4(20)T2
Intrusion Prevention System	IPS-AIM in ISR 2821, AIP-SSM in ASA 5520	6.1(2)E3
Switch	Catalyst 3750	12.2(35)SE5

Management


Role	Platforms	Version
AAA Server	CS-ACS	4.1.4
Security Manager	CSM	3.2.2 SP1
Monitoring, Analysis, and Correlation	CS-MARS	6.0.2
Firewall	ASA 5540	8.0(3)

SAFE Configurations

This section contains a network diagram for each module that was tested in the lab and a copy of the complete configuration for each platform validated in the SAFE system testing (only for platforms with command-line (CLI) configurations; does not include GUI configurations). Note that externally accessible IP addresses and passwords have been replaced with descriptive text.

Enterprise Core

Figure 1 Enterprise Core Network Diagram

Core Switch—Catalyst 6500

sfx14-6504e-1

! Last configuration change at 16:05:10 GMT Mon Apr 13 2009 by mapuebla-ops

! NVRAM config last updated at <tacacs+ server>16:08:04 GMT Mon Apr 13 2009 by 
mapuebla-ops

upgrade fpd auto<CS-MARS>

version 12.2

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service counters max age 5

hostname SFX14-6504E-1

boot-start-marker

boot system flash sup-bootdisk:/s72033-advipservicesk9_wan-mz.122-33.SXH4.bin

boot-end-marker

logging rate-limit 10

no logging console

enable secret 5 <encrypted password>

username admin privilege 15 secret 5 <encrypted password>

username csmars privilege 15 secret 5 <encrypted password>

aaa new-model

aaa group server tacacs+ tacacs-group

 server <tacacs+ server>

aaa authentication login authen-exec-list group tacacs-group local-case

aaa authentication enable default group tacacs-group enable

aaa authorization exec author-exec-list group tacacs-group if-authenticated

aaa authorization commands 15 author-15-list group tacacs-group none

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs-group

aaa accounting commands 15 default start-stop group tacacs-group

aaa accounting system default start-stop group tacacs-group

aaa session-id common

clock timezone GMT 0

call-home

  alert-group configuration

  alert-group diagnostic

  alert-group environment

  alert-group inventory

  alert-group syslog

 profile "CiscoTAC-1"

   no active

   no destination transport-method http

   destination transport-method email

   destination address email callhome@cisco.com

   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

   subscribe-to-alert-group diagnostic severity minor

   subscribe-to-alert-group environment severity minor

   subscribe-to-alert-group syslog severity major pattern ".*"

   subscribe-to-alert-group configuration periodic monthly 3 11:25

   subscribe-to-alert-group inventory periodic monthly 3 11:10

ip subnet-zero

no ip source-route

ip ftp source-interface GigabitEthernet1/3

ip ftp username admin

ip ftp password 7 <encrypted password>

no ip bootp server

ip ssh time-out 60

ip ssh authentication-retries 2

ip scp server enable

no ip domain-lookup

ip domain-name cisco.com

login block-for 100 attempts 5 within 50

login quiet-mode access-class 10

login on-failure log

mls ip slb purge global

mls netflow interface

no mls flow ip

no mls flow ipv6

mls qos

mls cef error action reset

key chain eigrp-chain

 key 10

   key-string 7 <key>

memory reserve critical 1000

memory free low-watermark processor 91490

memory free low-watermark IO 6710

no hw-module slot 3 oversubscription port-group 1

redundancy

 keepalive-enable

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

spanning-tree extend system-id

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

power redundancy-mode combined

fabric timer 15

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

class-map match-all coppclass-igp

  match access-group name coppacl-igp

class-map match-all coppclass-monitoring

  match access-group name coppacl-monitoring

class-map match-all coppclass-filemanagement

  match access-group name coppacl-filemanagement

class-map match-all coppclass-management

  match access-group name coppacl-management

policy-map copp-policy

  class coppclass-igp

   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-filemanagement

   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-management

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-monitoring

   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     
violate-action drop

  class class-default

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

interface Loopback0

 ip address 10.242.10.36 255.255.255.254

interface GigabitEthernet1/1

 description WAN Edge he4-3750-1 Gig 1/0/50

 ip address 10.242.10.2 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet1/2

 description WAN Edge he4-3750-2 Gig 1/0/50

 ip address 10.242.10.4 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet1/3

 description FLASH NET

 ip address <management IP add> 255.255.254.0

 ip access-group 133 in

 ip access-group 134 out

 load-interval 60

interface TenGigabitEthernet1/4

 description DATA CENTER

 ip address 10.242.10.24 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface TenGigabitEthernet1/5

 no ip address

 shutdown

interface TenGigabitEthernet3/1

 no ip address

 shutdown

 no rcv-queue random-detect 1

interface TenGigabitEthernet3/2

 no ip address

 shutdown

interface TenGigabitEthernet3/3

 no ip address

 shutdown

interface TenGigabitEthernet3/4

 no ip address

 shutdown

interface TenGigabitEthernet3/5

 no ip address

 shutdown

interface TenGigabitEthernet3/6

 no ip address

 shutdown

interface TenGigabitEthernet3/7

 no ip address

 shutdown

interface TenGigabitEthernet3/8

 no ip address

 shutdown

interface TenGigabitEthernet3/9

 no ip address

 shutdown

interface TenGigabitEthernet3/10

 no ip address

 shutdown

interface TenGigabitEthernet3/11

 no ip address

 shutdown

interface TenGigabitEthernet3/12

 no ip address

 shutdown

interface TenGigabitEthernet3/13

 no ip address

 shutdown

interface TenGigabitEthernet3/14

 no ip address

 shutdown

interface TenGigabitEthernet3/15

 no ip address

 shutdown

interface TenGigabitEthernet3/16

 no ip address

 shutdown

interface GigabitEthernet4/1

 description Internet Edge IE-6500-3 g2/26

 ip address 10.242.10.10 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/2

 ip address 10.242.10.12 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/3

 description OOB Switch Fe0/23

 ip address 10.242.10.18 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/4

 no ip address

 shutdown

interface GigabitEthernet4/5

 no ip address

 shutdown

interface GigabitEthernet4/6

 no ip address

 shutdown

interface GigabitEthernet4/7

 no ip address

 shutdown

interface GigabitEthernet4/8

 no ip address

 shutdown

interface GigabitEthernet4/9

 no ip address

 shutdown

interface GigabitEthernet4/10

 no ip address

 shutdown

interface GigabitEthernet4/11

 no ip address

 shutdown

interface GigabitEthernet4/12

 no ip address

 shutdown

interface GigabitEthernet4/13

 no ip address

 shutdown

interface GigabitEthernet4/14

 no ip address

 shutdown

interface GigabitEthernet4/15

 no ip address

 shutdown

interface GigabitEthernet4/16

 no ip address

 shutdown

interface GigabitEthernet4/17

 no ip address

 shutdown

interface GigabitEthernet4/18

 no ip address

 shutdown

interface GigabitEthernet4/19

 no ip address

 shutdown

interface GigabitEthernet4/20

 no ip address

 shutdown

interface GigabitEthernet4/21

 no ip address

 shutdown

interface GigabitEthernet4/22

 no ip address

 shutdown

interface GigabitEthernet4/23

 no ip address

 shutdown

interface GigabitEthernet4/24

 no ip address

 shutdown

interface GigabitEthernet4/25

 no ip address

 shutdown

interface GigabitEthernet4/26

 no ip address

 shutdown

interface GigabitEthernet4/27

 no ip address

 shutdown

interface GigabitEthernet4/28

 no ip address

 shutdown

interface GigabitEthernet4/29

 no ip address

 shutdown

interface GigabitEthernet4/30

 no ip address

 shutdown

interface GigabitEthernet4/31

 no ip address

 shutdown

interface GigabitEthernet4/32

 no ip address

 shutdown

interface GigabitEthernet4/33

 no ip address

 shutdown

interface GigabitEthernet4/34

 no ip address

 shutdown

interface GigabitEthernet4/35

 ip address 10.242.150.1 255.255.255.0

interface GigabitEthernet4/36

 no ip address

 shutdown

interface GigabitEthernet4/37

 no ip address

 shutdown

interface GigabitEthernet4/38

 no ip address

 shutdown

interface GigabitEthernet4/39

 no ip address

 shutdown

interface GigabitEthernet4/40

 no ip address

 shutdown

interface GigabitEthernet4/41

 no ip address

 shutdown

interface GigabitEthernet4/42

 no ip address

 shutdown

interface GigabitEthernet4/43

 no ip address

 shutdown

interface GigabitEthernet4/44

 no ip address

 shutdown

interface GigabitEthernet4/45

 no ip address

 shutdown

interface GigabitEthernet4/46

 description CAMPUS SFX13-6504E-2 Gig 4/46

 ip address 10.242.10.32 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/47

 description CAMPUS SFX13-6504E-1 Gig 4/47

 ip address 10.242.10.28 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/48

 description SFX14-6504E-2 Gig 4/48

 ip address 10.242.10.22 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface Vlan1

 no ip address

 shutdown

router eigrp 1

 network 10.0.0.0

 auto-summary

ip classless

ip route 172.26.0.0 255.255.0.0 172.26.170.1

no ip http server

no ip http secure-server

ip tacacs source-interface GigabitEthernet1/3

ip access-list extended coppacl-filemanagement

 remark CoPP File transfer traffic class

 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 established

 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 1023

 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 established

 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023

ip access-list extended coppacl-igp

 remark IGP traffic class

 permit eigrp any host 224.0.0.10

 permit eigrp 10.0.0.0 0.255.255.255 host <management IP add>

ip access-list extended coppacl-management

 remark CoPP management traffic class

 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> established

 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22

 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq telnet

 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq snmp

 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp

 permit udp 10.0.0.0 0.255.255.255 host 10.242.10.36 eq ntp

ip access-list extended coppacl-monitoring

 remark C<tacacs+ server>oPP monitoring traffic class

 permit icmp any any ttl-exceeded

 permit icmp any any port-unreachable

 permit icmp any any echo-reply

 permit icmp any any echo

logging trap critical

logging source-interface GigabitEthernet1/3

logging <CS-MARS>

access-list 10 permit 172.26.191.92

access-list 20 permit <ntp peer>

access-list 20 remark ACL for NTP Servers and Peers

access-list 20 permit <ntp server>

access-list 21 remark ACL for NTP Client

access-list 21 permit 10.0.0.0 0.255.255.255

access-list 21 permit 172.0.0.0 0.255.255.255

access-list 21 deny   any log

access-list 111 remark ACL for SSH

access-list 111 permit tcp 172.26.0.0 0.0.255.255 any eq 22

access-list 111 deny   ip any any log-input

access-list 112 remark ACL for last resort access

access-list 112 permit tcp host 172.26.191.92 any eq 22

access-list 112 deny   ip any any log-input

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> ttl-exceeded

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> 
port-unreachable

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo-reply

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> 
established

access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq tacacs

access-list 133 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp

access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 
established

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 
1023

access-list 133 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 
established

access-list 133 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023

access-list 133 permit ip any any log

access-list 134 permit ip host <management IP add> 172.26.0.0 0.0.255.255

access-list 134 deny   ip any <tacacs+ server>any log

access-list 155 permit ip any any log

snmp-server enable traps cpu threshold

snmp-server host <CS-MARS> csmars  cpu

tacacs-server host <tacacs+ server> single-connection key 7 <key>

no tacacs-server directed-request

radius-server source-ports 1645-1646

control-plane

 service-policy input copp-policy

dial-peer cor custom

banner login

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.

All activities performed on this device are logged and monitored.

line con 0

 session-timeout 3

 exec-timeout 3 0

 login authentication authen-exec-list

line vty 0 3

 session-timeout 3

 access-class 111 in

 exec-timeout 3 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input telnet ssh

 transport output none

line vty 4

 session-timeout 3

 access-class 112 in

 exec-timeout 3 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 no exec

exception protocol ftp

exception dump <ftp-server>

process cpu threshold type total rising 80 interval 5 falling 20 interval 5

process cpu statistics limit entry-percentage 40 size 300

ntp authentication-key 10 md5 <encrypted password> 7

ntp authenticate

ntp trusted-key 10

ntp clock-period 17180041

ntp access-group peer 20

ntp access-group serve-only 21

ntp update-calendar

ntp peer <ntp peer>

ntp server <ntp server>

no event manager policy Mandatory.go_switchbus.tcl type system

end

sfx14-6504e-2

! Last configuration change at 16:05:13 GMT Mon Apr 13 2009 by mapuebla-ops

! NVRAM config last updated at 16:08:03 GMT Mon Apr 13 2009 by mapuebla-ops

upgrade fpd auto<management IP add>

version 12.2

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service counters max age 5

hostname SFX14-6504E-2

boot-start-marker

boot system flash bootflash:s72033-advipservicesk9_wan-mz.122-33.SXH4.bin

boot-end-marker

no logging console

enable secret 5 <encrypted password>

username admin privilege 15 secret 5 <encrypted password>

username csmars privilege 15 secret 5 <encrypted password>

aaa new-model

aaa group server tacacs+ tacacs-group

 server <tacacs+ server>

aaa authentication login authen-exec-list group tacacs-group local-case

aaa authentication enable default group tacacs-group enable

aaa authorization exec author-exec-list group tacacs-group if-authenticated

aaa authorization commands 15 author-15-list group tacacs-group none

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs-group

aaa accounting commands 15 default start-stop group tacacs-group

aaa accounting system default start-stop group tacacs-group

aaa session-id common

clock timezone GMT 0

call-home

  alert-group configuration

  alert-group diagnostic

  alert-group environment

  alert-group inventory

  alert-group syslog

 profile "CiscoTAC-1"

   no active

   no destination transport-method http

   destination transport-method email

   destination address email callhome@cisco.com

   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

   subscribe-to-alert-group diagnostic severity minor

   subscribe-to-alert-group environment severity minor

   subscribe-to-alert-group syslog severity major pattern ".*"

   subscribe-to-alert-group configuration periodic monthly 3 15:57

   subscribe-to-alert-group inventory periodic monthly 3 15:42

ip subnet-zero

no ip source-route

ip ftp source-interface GigabitEthernet4/4

ip ftp username admin

ip ftp password 7 <encrypted password>

no ip bootp server

ip ssh time-out 60

ip ssh authentication-retries 2

ip scp server enable

ip domain-name cisco.com

login block-for 100 attempts 5 within 50

login quiet-mode access-class 10

login on-failure log

mls ip slb purge global

mls netflow interface

no mls flow ip

no mls flow ipv6

mls qos

mls cef error action reset

key chain eigrp-chain

 key 10

   key-string 7 <key>

memory reserve critical 1000

memory free low-watermark processor 91490

memory free low-watermark IO 6710

redundancy

 keepalive-enable

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

spanning-tree extend system-id

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric timer 15

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

class-map match-all coppclass-igp

  match access-group name coppacl-igp

class-map match-all coppclass-monitoring

  match access-group name coppacl-monitoring

class-map match-all coppclass-filemanagement

  match access-group name coppacl-filemanagement

class-map match-all coppclass-management

  match access-group name coppacl-management

policy-map copp-policy

  class coppclass-igp

   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-filemanagement

   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-management

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-monitoring

   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     
violate-action drop

  class class-default

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

interface Loopback0

 ip address 10.242.10.38 255.255.255.254

interface GigabitEthernet1/1

 description Wan Edge he4-3750-1 Gig1/0/52

 ip address 10.242.10.6 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet1/2

 description Wan Edge he4-3750-2 Gig1/0/52

 ip address 10.242.10.8 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet1/3

 no ip address

 shutdown

interface TenGigabitEthernet1/4

 ip address 10.242.10.26 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface TenGigabitEthernet1/5

 no ip address

 shutdown

interface TenGigabitEthernet3/1

 no ip address

 shutdown

interface TenGigabitEthernet3/2

 no ip address

 shutdown

interface TenGigabitEthernet3/3

 no ip address

 shutdown

interface TenGigabitEthernet3/4

 no ip address

 shutdown

interface TenGigabitEthernet3/5

 no ip address

 shutdown

interface TenGigabitEthernet3/6

 no ip address

 shutdown

interface TenGigabitEthernet3/7

 no ip address

 shutdown

interface TenGigabitEthernet3/8

 no ip address

 shutdown

interface TenGigabitEthernet3/9

 no ip address

 shutdown

interface TenGigabitEthernet3/10

 no ip address

 shutdown

interface TenGigabitEthernet3/11

 no ip address

 shutdown

interface TenGigabitEthernet3/12

 no ip address

 shutdown

interface TenGigabitEthernet3/13

 no ip address

 shutdown

interface TenGigabitEthernet3/14

 no ip address

 shutdown

interface TenGigabitEthernet3/15

 no ip address

 shutdown

interface TenGigabitEthernet3/16

 no ip address

 shutdown

interface GigabitEthernet4/1

 description Internet Edge IE-6500-4

 ip address 10.242.10.14 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/2

 ip address 10.242.10.16 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/3

 description OOB Switch Fe0/24

 ip address 10.242.10.20 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/4

 description FLASH NET

 ip address <management IP add> 255.255.254.0

 ip access-group 133 in

 ip access-group 134 out

 load-interval 60

interface GigabitEthernet4/5

 no ip address

 shutdown

interface GigabitEthernet4/6

 no ip address

 shutdown

interface GigabitEthernet4/7

 no ip address

 shutdown

interface GigabitEthernet4/8

 no ip address

 shutdown

interface GigabitEthernet4/9

 no ip address

 shutdown

interface GigabitEthernet4/10

 no ip address

 shutdown

interface GigabitEthernet4/11

 no ip address

 shutdown

interface GigabitEthernet4/12

 no ip address

 shutdown

interface GigabitEthernet4/13

 no ip address

 shutdown

interface GigabitEthernet4/14

 no ip address

 shutdown

interface GigabitEthernet4/15

 no ip address

 shutdown

interface GigabitEthernet4/16

 no ip address

 shutdown

interface GigabitEthernet4/17

 no ip address

 shutdown

interface GigabitEthernet4/18

 no ip address

 shutdown

interface GigabitEthernet4/19

 no ip address

 shutdown

interface GigabitEthernet4/20

 no ip address

 shutdown

interface GigabitEthernet4/21

 no ip address

 shutdown

interface GigabitEthernet4/22

 no ip address

 shutdown

interface GigabitEthernet4/23

 no ip address

 shutdown

interface GigabitEthernet4/24

 no ip address

 shutdown

interface GigabitEthernet4/25

 no ip address

 shutdown

interface GigabitEthernet4/26

 no ip address

 shutdown

interface GigabitEthernet4/27

 no ip address

 shutdown

interface GigabitEthernet4/28

 no ip address

 shutdown

interface GigabitEthernet4/29

 no ip address

 shutdown

interface GigabitEthernet4/30

 no ip address

 shutdown

interface GigabitEthernet4/31

 no ip address

 shutdown

interface GigabitEthernet4/32

 no ip address

 shutdown

interface GigabitEthernet4/33

 no ip address

 shutdown

interface GigabitEthernet4/34

 no ip address

 shutdown

interface GigabitEthernet4/35

 no ip address

 shutdown

interface GigabitEthernet4/36

 no ip address

 shutdown

interface GigabitEthernet4/37

 no ip address

 shutdown

interface GigabitEthernet4/38

 no ip address

 shutdown

interface GigabitEthernet4/39

 no ip address

 shutdown

interface GigabitEthernet4/40

 no ip address

 shutdown

interface GigabitEthernet4/41

 no ip address

 shutdown

interface GigabitEthernet4/42

 no ip address

 shutdown

interface GigabitEthernet4/43

 no ip address

 shutdown

interface GigabitEthernet4/44

 no ip address

 shutdown

interface GigabitEthernet4/45

 no ip address

 shutdown

interface GigabitEthernet4/46

 description CAMPUS SFX13-6504E-1    Gig 4/46

 ip address 10.242.10.30 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/47

 description CAMPUS SFX13-6504E-2    Gig 4/47

 ip address 10.242.10.34 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface GigabitEthernet4/48

 description SFX14-6504E-1    Gig 4/48

 ip address 10.242.10.23 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface Vlan1

 no ip address

 shutdown

router eigrp 1

 network 10.0.0.0

 auto-summary

ip classless

ip route 172.26.0.0 255.255.0.0 172.26.170.1

no ip http server

no ip http secure-server

ip tacacs source-interface GigabitEthernet4/4

ip access-list extended coppacl-filemanagement

 remark CoPP File transfer traffic class

 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 established

 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 1023

 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 established

 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023

ip access-list extended coppacl-igp

 remark IGP traffic class

 permit eigrp any host 224.0.0.10

 permit eigrp 10.0.0.0 0.255.255.255 host <management IP add>

ip access-list extended coppacl-management

 remark CoPP management traffic class

 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> established

 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22

 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq telnet

 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq snmp

 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp

 permit udp 10.0.0.0 0.255.255.255 host 10.242.10.38 eq ntp

ip access-list extended coppacl-monitoring

 remark CoPP monitoring traffic class

 permit icmp any any ttl-exceeded

 permit icmp any any port-unreachable

 permit icmp any any echo-reply

 permit icmp any any echo

logging trap critical

logging source-interface GigabitEthernet4/4<tacacs+ server>

logging <CS-MARS>

access-list 10 permit 172.26.191.92

access-list 20 permit <ntp peer>

access-list 20 remark ACL for NTP Servers and Peers

access-list 20 permit <ntp server>

access-list 21 remark ACL for NTP Client

access-list 21 permit 10.0.0.0 0.255.255.255

access-list 21 permit 172.0.0.0 0.255.255.255

access-list 21 deny   any log

access-list 111 remark ACL for SSH

access-list 111 permit tcp 172.26.0.0 0.0.255.255 any eq 22

access-list 111 deny   ip any any log-input

access-list 112 remark ACL for last resort access

access-list 112 permit tcp host 172.26.191.92 any eq 22

access-list 112 deny   ip any any log-input

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> ttl-exceeded

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> 
port-unreachable

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo-reply

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP add> echo

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP add> 
established

access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq tacacs

access-list 133 permit udp 172.26.0.0 0.0.255.255 host <management IP add> eq ntp

access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP add> eq 22

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP add> gt 1023 
established

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP add> gt 
1023

access-list 133 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023 
established

access-list 133 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP add> gt 1023

access-list 133 permit ip any any log

access-list 134 permit ip host <management IP add><CS-MARS> 172.26.0.0 0.0.255.255

access-list 134 deny   ip any any log

snmp-server enable traps cpu threshold<tacacs+ server>

snmp-server host <CS-MARS> csmars  cpu

tacacs-server host <tacacs+ server> single-connection key 7 <key>

tacacs-server directed-request

radius-server source-ports 1645-1646

control-plane

 service-policy input copp-policy

dial-peer cor custom

banner login

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.

All activities performed on this device are logged and monitored.

line con 0

 session-timeout 3

 exec-timeout 3 0

 login authentication authen-exec-list

line vty 0 3

 session-timeout 3

 access-class 111 in

 exec-timeout 3 0

 password 7 <encrypted password><tacacs+ server>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input ssh

 transport output none

line vty 4

 session-timeout 3

 access-class 112 in

 exec-timeout 3 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 no exec

 transport input lat pad udptn telnet rlogin

exception protocol ftp

exception dump <ftp-server>

process cpu threshold type total rising 80 interval 5 falling 20 interval 5

process cpu statistics limit entry-percentage 40 size 300

ntp authentication-key 10 md5 <encrypted password> 7

ntp authenticate

ntp trusted-key 10

ntp clock-period 17179940

ntp access-group peer 20

ntp access-group serve-only 21

ntp update-calendar

ntp peer <ntp peer>

ntp server <ntp server>

end

Intranet Data Center

Figure 2 Intranet Data Center Network Diagram

Figure 3 Intranet Data Center Security Service Traffic Flow Diagram

Core Switch—Catalyst 6500

DCA-core1

dca-core1#sh run

Building configuration...

.May 14 21:15:44.150 EST: %SEC-6-IPACCESSLOGP: list 133 denied udp x.26.146.86(138) -> 
x.26.147.255(138), 1 packet

Current configuration : 16685 bytes

! Last configuration change at 19:50:45 EST Mon Mar 23 2009 by chris

! NVRAM config last updated at 00:05:54 EST Thu May 14 2009

upgrade fpd auto

version 12.2

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service counters max age 5

hostname dca-core1

boot-start-marker

boot system disk0:s72033-ipservicesk9-mz.122-33.SXH2a.bin

boot-end-marker

enable secret 5 <encrypted password>.

username admin privilege 15 password <encrypted password>

username dma password <encrypted password>

username chris password <encrypted password>

username csmars privilege 15 secret 5 <encrypted password>

aaa new-model

aaa group server tacacs+ tacacs-group

 server x.26.191.94

aaa authentication login authen-exec-list group tacacs-group local-case

aaa authentication enable default group tacacs-group enable

aaa authorization exec author-exec-list group tacacs-group if-authenticated

aaa authorization commands 15 author-15-list group tacacs-group none

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs-group

aaa accounting commands 15 default start-stop group tacacs-group

aaa accounting system default start-stop group tacacs-group

aaa session-id common

clock timezone GMT 0

clock summer-time EST recurring

call-home

  alert-group configuration

  alert-group diagnostic

  alert-group environment

  alert-group inventory

  alert-group syslog

 profile "CiscoTAC-1"

   no active

   no destination transport-method http

   destination transport-method email

   destination address email callhome@cisco.com

   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

   subscribe-to-alert-group diagnostic severity minor

   subscribe-to-alert-group environment severity minor

   subscribe-to-alert-group syslog severity major pattern ".*"

   subscribe-to-alert-group configuration periodic monthly 9 9:39

   subscribe-to-alert-group inventory periodic monthly 9 9:24

ip subnet-zero

no ip source-route

ip ftp source-interface GigabitEthernet6/3

ip ftp username dma1

ip ftp password <encrypted password>

no ip bootp server

ip multicast-routing

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

ip domain-name cisco.com

login block-for 100 attempts 5 within 50

login quiet-mode access-class 10

login on-failure log

udld enable

vtp domain datacenter

vtp mode transparent

switch virtual domain 100

mls ip cef load-sharing full simple

mls netflow interface

mls flow ip interface-full

mls nde sender version 5

mls sampling packet-based 128 16000

mls qos

mls cef error action reset

flow-sampler-map csmars-sample

 mode random one-out-of 100

key chain eigrp

 key 7

   key-string 7 05080F1C2243

key chain eigrp-chain

 key 10

   key-string 7 121A0C0411045D5679

archive

  path ftp://chrobrie:J0eyD0gg2@x.26.129.252/VSSarchives/$h-$t

  write-memory

memory reserve critical 1000

memory free low-watermark processor 91492

memory free low-watermark IO 6710

redundancy

 keepalive-enable

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode rapid-pvst

spanning-tree extend system-id

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric switching-mode allow truncated threshold 1

fabric switching-mode allow truncated

port-channel hash-distribution adaptive

port-channel load-balance src-dst-mixed-ip-port

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

class-map match-all coppclass-igp

  match access-group name coppacl-igp

class-map match-all coppclass-monitoring

  match access-group name coppacl-monitoring

class-map match-all coppclass-filemanagement

  match access-group name coppacl-filemanagement

class-map match-all coppclass-management

  match access-group name coppacl-management

policy-map copp-policy

  class coppclass-igp

   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-filemanagement

   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-management

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-monitoring

   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     
violate-action drop

  class class-default

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

interface Loopback0

 ip address 10.7.20.1 255.255.255.0

 ip pim sparse-mode

 ip igmp version 3

interface Port-channel11

 description <<** to VSS **>>

 ip address 10.7.1.1 255.255.255.0

 ip pim sparse-mode

 ip authentication mode eigrp 7 md5

 ip authentication key-chain eigrp 7 eigrp

 ip igmp version 3

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 load-interval 30

interface GigabitEthernet1/1

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/2

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/3

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/4

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/5

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/6

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/7

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/8

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/9

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/10

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/11

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/12

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/13

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/14

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/15

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/16

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/17

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/18

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/19

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/20

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/21

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/22

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/23

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/24

 description G1/24 -- to NETEM -- ToAbstr1

 ip address 10.7.15.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

interface TenGigabitEthernet4/1

 description <to dc03-agg>

 no ip address

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

 channel-protocol pagp

 channel-group 11 mode desirable

interface TenGigabitEthernet4/2

 description <to dc01-agg>

 no ip address

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

 channel-protocol pagp

 channel-group 11 mode desirable

interface TenGigabitEthernet4/3

 description <to core-2>

 ip address 10.8.0.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 00071A150754

 ip ospf hello-interval 1

 ip ospf dead-interval 3

 logging event link-status

 load-interval 30

interface TenGigabitEthernet4/4

 ip address 10.8.1.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 094F471A1A0A

 ip ospf hello-interval 1

 ip ospf dead-interval 3

 logging event link-status

 load-interval 30

interface TenGigabitEthernet5/1

 description <to abs1>

 ip address 10.7.11.1 255.255.255.0

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

interface TenGigabitEthernet5/2

 description <to abs2>

 ip address 10.7.12.1 255.255.255.0

 ip flow ingress

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

 mls netflow sampling

 flow-sampler csmars-sample

interface TenGigabitEthernet5/3

 no ip address

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

interface TenGigabitEthernet5/4

 ip address 10.242.10.25 255.255.255.254

 ip flow ingress

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 logging event link-status

 load-interval 30

 mls netflow sampling

 flow-sampler csmars-sample

interface GigabitEthernet6/1

 no ip address

 shutdown

interface GigabitEthernet6/2

 no ip address

 shutdown

interface GigabitEthernet6/3

 ip address x.26.146.14 255.255.254.0

 ip access-group 133 in

 ip access-group 134 out

 no ip redirects

 no ip proxy-arp

interface TenGigabitEthernet6/4

 no ip address

 shutdown

interface TenGigabitEthernet6/5

 no ip address

 shutdown

interface Vlan1

 no ip address

 shutdown

router eigrp 7

 redistribute ospf 8

 network 10.7.0.0 0.0.255.255

 default-metric 1000000 100 255 1 1500

 no auto-summary

 eigrp router-id 1.1.1.1

router eigrp 1

 redistribute ospf 8

 network 10.242.0.0 0.0.255.255

 default-metric 1000000 100 255 1 1500

 no auto-summary

router ospf 8

 router-id 8.8.8.1

 log-adjacency-changes

 auto-cost reference-bandwidth 10000

 area 0 authentication message-digest

 timers throttle spf 10 100 5000

 timers throttle lsa all 10 100 5000

 redistribute connected

 redistribute static subnets

 redistribute eigrp 7 subnets

 passive-interface default

 no passive-interface TenGigabitEthernet4/3

 no passive-interface TenGigabitEthernet4/4

 network 10.8.0.0 0.0.0.255 area 0

 network 10.8.1.0 0.0.0.255 area 0

 network 10.8.2.0 0.0.0.255 area 0

 default-information originate

ip classless

ip route 0.0.0.0 0.0.0.0 10.242.10.24

ip route 10.116.132.0 255.255.255.240 x.26.146.1

ip route 64.102.208.0 255.255.254.0 x.26.146.1

ip route x.26.0.0 255.255.0.0 x.26.146.1

ip route x.26.0.0 255.255.0.0 x.26.170.1

ip route x.26.129.252 255.255.255.255 x.26.146.1

ip flow-export source GigabitEthernet6/3

ip flow-export version 5

ip flow-export destination x.26.191.99 2055

no ip http server

no ip http secure-server

ip pim bsr-candidate Loopback0 0

ip pim rp-candidate Loopback0 priority 100

ip tacacs source-interface GigabitEthernet6/3

ip access-list extended coppacl-filemanagement

 remark CoPP File transfer traffic class

 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.14 gt 1023 established

 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.14 gt 1023

 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023 established

 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023

ip access-list extended coppacl-igp

 remark IGP traffic class

 permit eigrp any host 224.0.0.10

 permit eigrp x.26.0.0 0.0.255.255 host x.26.146.14

ip access-list extended coppacl-management

 remark CoPP management traffic class

 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.14 established

 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq 22

 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq telnet

 permit udp x.26.0.0 0.0.255.255 host x.26.146.14 eq snmp

 permit udp x.26.0.0 0.0.255.255 host x.26.146.14 eq ntp

ip access-list extended coppacl-monitoring

 remark CoPP monitoring traffic class

 permit icmp any any ttl-exceeded

 permit icmp any any port-unreachable

 permit icmp any any echo-reply

 permit icmp any any echo

kron occurrence daily-config-backup at 0:05 recurring

 policy-list backup-config

kron policy-list backup-config

 cli write memory

logging trap critical

logging source-interface GigabitEthernet6/3

logging x.26.191.94

access-list 7 permit 10.7.0.0 0.0.255.255

access-list 8 permit 10.8.0.0 0.0.255.255

access-list 10 permit x.26.191.92

access-list 55 remark ACL for SNMP access to device

access-list 55 permit x.26.191.99

access-list 55 deny   any log

access-list 111 remark ACL for SSH

access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22

access-list 111 deny   ip any any log-input

access-list 111 permit tcp x.26.0.0 0.0.255.255 eq telnet any

access-list 111 permit tcp 10.0.0.0 0.255.255.255 eq telnet any

access-list 112 remark ACL for last resort access

access-list 112 permit tcp host x.26.191.92 any eq 22

access-list 112 deny   ip any any log-input

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 ttl-exceeded

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 port-unreachable

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 echo-reply

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.14 echo

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.14 established

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq tacacs

access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.146.14 eq ntp

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.14 eq 22

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.14 gt 1023 
established

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.14 gt 1023

access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023 
established

access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.14 gt 1023

access-list 133 permit udp host x.26.191.99 host x.26.146.14 eq snmp

access-list 133 deny   ip any any log

access-list 134 permit ip host x.26.146.14 x.26.0.0 0.0.255.255

access-list 134 deny   ip any any log

snmp-server community public RO

snmp-server community csmars RO 55

snmp-server chassis-id DCA-agg2

snmp-server enable traps cpu threshold

snmp-server host x.26.191.99 csmars  cpu

snmp ifmib ifindex persist

tacacs-server host x.26.191.94 single-connection key 7 02050D4808095E731F

tacacs-server directed-request

radius-server source-ports 1645-1646

control-plane

 service-policy input copp-policy

dial-peer cor custom

banner login ^C

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED You must have explicit, authorized 
permission to access or configure this device.Unauthorized attempts and actions to access 
or use this system may result in civil and/or criminal penalties.

All activities performed on this device are logged and monitored.

^C

line con 0

 session-timeout 3

 login authentication authen-exec-list

line vty 0 3

 session-timeout 480

 access-class 111 in

 exec-timeout 480 0

 password <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 length 0

 transport preferred none

 transport input ssh

 transport output none

line vty 4

 session-timeout 480

 access-class 112 in

 exec-timeout 480 0

 password <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 length 0

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 no exec

 transport input none

exception protocol ftp

exception dump x.26.129.252

process cpu threshold type total rising 80 interval 5 falling 20 interval 5

process cpu statistics limit entry-percentage 40 size 300

ntp authentication-key 10 md5 110A1016141D5A5E57 7

ntp authenticate

ntp trusted-key 10

ntp clock-period 17238214

ntp source GigabitEthernet6/3

ntp update-calendar

ntp server x.26.170.14

ntp server x.26.170.13

end

DCA-core2

dca-core2#sh run

Building configuration...

Current configuration : 16721 bytes

! Last configuration change at 23:27:03 EST Tue May 12 2009 by chris

! NVRAM config last updated at 00:05:37 EST Thu May 14 2009

upgrade fpd auto

version 12.2

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service counters max age 5

hostname dca-core2

boot-start-marker

boot system disk0:s72033-ipservi

.May 14 21:17:19.448 EST: %SEC-6-IPACCESSLOGP: list 133 denied udp x.26.146.21(137) -> 
x.26.147.255(137), 1 packetcesk9-mz.122-33.SXH2a.bin

boot-end-marker

enable secret 5 $<encrypted password>/

enable password <encrypted password>

username admin privilege 15 password <encrypted password>

username dm

username dma password 7 <encrypted password>

username chris password 7 <encrypted password>

username csmars privilege 15 secret 5 <encrypted password>/

aaa new-model

aaa group server tacacs+ tacacs-group

 server x.26.191.94

aaa authentication login authen-exec-list group tacacs-group local-case

aaa authentication enable default group tacacs-group enable

aaa authorization exec author-exec-list group tacacs-group if-authenticated

aaa authorization commands 15 author-15-list group tacacs-group none

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs-group

aaa accounting commands 15 default start-stop group tacacs-group

aaa accounting system default start-stop group tacacs-group

aaa session-id common

clock timezone GMT 0

clock summer-time EST recurring

call-home

  alert-group configuration

  alert-group diagnostic

  alert-group environment

  alert-group inventory

  alert-group syslog

 profile "CiscoTAC-1"

   no active

   no destination transport-method http

   destination transport-method email

   destination address email callhome@cisco.com

   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

   subscribe-to-alert-group diagnostic severity minor

   subscribe-to-alert-group environment severity minor

   subscribe-to-alert-group syslog severity major pattern ".*"

   subscribe-to-alert-group configuration periodic monthly 16 16:46

   subscribe-to-alert-group inventory periodic monthly 16 16:31

ip subnet-zero

no ip source-route

ip ftp source-interface GigabitEthernet6/3

ip ftp username admin

ip ftp password 7 <encrypted password>

no ip bootp server

ip multicast-routing

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

no ip domain-lookup

ip domain-name cisco.com

login block-for 100 attempts 5 within 50

login quiet-mode access-class 10

login on-failure log

udld enable

vtp domain datacenter

vtp mode transparent

switch virtual domain 100

mls ip cef load-sharing full simple

mls netflow interface

mls flow ip interface-full

mls nde sender version 5

mls sampling packet-based 128 16000

mls qos

mls cef error action reset

flow-sampler-map csmars-sample

 mode random one-out-of 100

key chain eigrp

 key 7

   key-string 7 13061E010803

key chain eigrp-chain

 key 10

   key-string 7 05080F1C22431F5B4A

archive

  path ftp://chrobrie:J0eyD0gg2@x.26.129.252/VSSarchives/$h-$t

  write-memory

memory reserve critical 1000

memory free low-watermark processor 91492

memory free low-watermark IO 6710

redundancy

 keepalive-enable

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode rapid-pvst

spanning-tree extend system-id

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric switching-mode allow truncated threshold 1

fabric switching-mode allow truncated

port-channel hash-distribution adaptive

port-channel load-balance src-dst-mixed-ip-port

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

class-map match-all coppclass-igp

  match access-group name coppacl-igp

class-map match-all coppclass-monitoring

  match access-group name coppacl-monitoring

class-map match-all coppclass-filemanagement

  match access-group name coppacl-filemanagement

class-map match-all coppclass-management

  match access-group name coppacl-management

policy-map copp-policy

  class coppclass-igp

   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-filemanagement

   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-management

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-monitoring

   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     
violate-action drop

  class class-default

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

interface Loopback0

 ip address 10.7.21.1 255.255.255.0

 ip pim sparse-mode

 ip igmp version 3

interface Port-channel12

 ip address 10.7.2.1 255.255.255.0

 ip pim sparse-mode

 ip authentication mode eigrp 7 md5

 ip authentication key-chain eigrp 7 eigrp

 ip igmp version 3

 logging event link-status

 logging event trunk-status

 logging event bundle-status

interface GigabitEthernet1/1

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/2

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/3

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/4

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/5

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/6

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/7

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/8

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/9

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/10

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

  -More--

.May 14 21:17:26.937 EST: %SEC-6-IPACCESSLOGP: list 133 denied udp x.26.146.34(137) -> 
x.26.147.255(137), 3 packets

.May 14 21:17:26.937 EST: %SEC-6-IPACCESSLOGRP: list 133 denied igmp x.26.146.75 -> 
224.0.0.2, 5 packeinterface GigabitEthernet1/11

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/12

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/13

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/14

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/15

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/16

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/17

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/18

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/19

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/20

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/21

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/22

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/23

 no ip address

 no ip redirects

 no ip proxy-arp

 load-interval 30

 shutdown

interface GigabitEthernet1/24

 description G1/24 -- NETEM -- Abstr2

 ip address 10.7.16.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

interface TenGigabitEthernet4/1

 description <** to Agg2 **>

 no ip address

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

 channel-protocol pagp

 channel-group 12 mode desirable

interface TenGigabitEthernet4/2

 description <** to Agg1 **>>

 no ip address

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

 channel-protocol pagp

 channel-group 12 mode desirable

interface TenGigabitEthernet4/3

 description <<** to Core1  **>>

 ip address 10.8.0.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 0822455D0A16

 ip ospf hello-interval 1

 ip ospf dead-interval 3

 logging event link-status

 load-interval 30

interface TenGigabitEthernet4/4

 ip address 10.8.2.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp query-interval 125

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 05080F1C2243

 ip ospf hello-interval 1

 ip ospf dead-interval 3

 logging event link-status

 load-interval 30

interface TenGigabitEthernet5/1

 description <<** to Abstr1 **>>

 ip address 10.7.13.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

interface TenGigabitEthernet5/2

 description <<** to Abstr2 **>>

 ip address 10.7.14.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip flow ingress

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

 mls netflow sampling

 flow-sampler csmars-sample

interface TenGigabitEthernet5/3

 no ip address

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip igmp version 3

 load-interval 30

interface TenGigabitEthernet5/4

 ip address 10.242.10.27 255.255.255.254

 no ip redirects

 no ip proxy-arp

 ip flow ingress

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 logging event link-status

 load-interval 30

 mls netflow sampling

 flow-sampler csmars-sample

interface GigabitEthernet6/1

 no ip address

 shutdown

interface GigabitEthernet6/2

 no ip address

 shutdown

interface GigabitEthernet6/3

 ip address x.26.146.15 255.255.254.0

 ip access-group 133 in

 ip access-group 134 out

 no ip redirects

 no ip proxy-arp

interface TenGigabitEthernet6/4

 no ip address

--

.May 14 21:17:31.964 EST: %SEC-6-IPACCESSLOGP: list 133 denied udp x.26.146.133(137) -> 
x.26.147.255(137), 1 pac shutdown

interface TenGigabitEthernet6/5

 no ip address

interface Vlan1

 no ip address

 shutdown

router eigrp 7

 redistribute ospf 8

 network 10.7.0.0 0.0.255.255

 default-metric 1000000 100 255 1 1500

 no auto-summary

 eigrp router-id 1.1.1.2

router eigrp 1

 redistribute ospf 8

 network 10.242.0.0 0.0.255.255

 default-metric 1000000 100 255 1 1500

 no auto-summary

router ospf 8

 router-id 8.8.8.2

 log-adjacency-changes

 auto-cost reference-bandwidth 10000

 area 0 authentication message-digest

 timers throttle spf 10 100 5000

 timers throttle lsa all 10 100 5000

 redistribute connected

 redistribute static subnets

 redistribute eigrp 7 subnets

 passive-interface default

 no passive-interface TenGigabitEthernet4/3

 no passive-interface TenGigabitEthernet4/4

 network 10.8.0.0 0.0.0.255 area 0

 network 10.8.1.0 0.0.0.255 area 0

 network 10.8.2.0 0.0.0.255 area 0

 default-information originate

ip classless

ip route 0.0.0.0 0.0.0.0 10.242.10.26

ip route 10.116.132.0 255.255.255.240 x.26.146.1

ip route 64.102.208.0 255.255.254.0 x.26.146.1

ip route x.26.0.0 255.255.0.0 x.26.146.1

ip route x.26.129.252 255.255.255.255 x.26.146.1

ip flow-export source GigabitEthernet6/3

ip flow-export destination x.26.191.99 2055

no ip http server

no ip http secure-server

ip pim bsr-candidate Loopback0 0

ip pim rp-candidate Loopback0 priority 90

ip tacacs source-interface GigabitEthernet6/3

ip access-list extended coppacl-filemanagement

 remark CoPP File transfer traffic class

 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.15 gt 1023 established

 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.15 gt 1023

 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023 established

 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023

ip access-list extended coppacl-igp

 remark IGP traffic class

 permit eigrp any host 224.0.0.10

 permit eigrp x.26.0.0 0.0.255.255 host x.26.146.15

ip access-list extended coppacl-management

 remark CoPP management traffic class

 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.15 established

 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq 22

 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq telnet

 permit udp x.26.0.0 0.0.255.255 host x.26.146.15 eq snmp

 permit udp x.26.0.0 0.0.255.255 host x.26.146.15 eq ntp

ip access-list extended coppacl-monitoring

 remark CoPP monitoring traffic class

 permit icmp any any ttl-exceeded

 permit icmp any any port-unreachable

 permit icmp any any echo-reply

 permit icmp any any echo

kron occurrence daily-config-backup at 0:05 recurring

 policy-list backup-config

kron policy-list backup-config

 cli write memory

logging trap critical

logging x.26.191.99

access-list 7 permit 10.7.0.0 0.0.255.255

access-list 8 permit 10.8.0.0 0.0.255.255

access-list 10 permit x.26.191.92

access-list 10 remark

access-list 10 remark Login Delay a 100-second quiet period if 5 failed login attempts is 
exceeded

access-list 55 remark ACL for SNMP access to device

access-list 55 permit x.26.191.99

access-list 55 deny   any log

access-list 111 remark ACL for SSH

access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22

access-list 111 deny   ip any any log-input

access-list 112 remark ACL for last resort access

access-list 112 permit tcp host x.26.191.92 any eq 22

access-list 112 deny   ip any any log-input

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 ttl-exceeded

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 port-unreachable

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 echo-reply

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.146.15 echo

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.15 established

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq tacacs

access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.146.15 eq ntp

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.146.15 eq 22

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.15 gt 1023 
established

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.15 gt 1023

access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023 
established

access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.15 gt 1023

access-list 133 permit udp host x.26.191.99 host x.26.146.15 eq snmp

access-list 133 deny   ip any any log

access-list 134 permit ip host x.26.146.15 x.26.0.0 0.0.255.255

access-list 134 deny   ip any any log

snmp-server community public RO

snmp-server community csmars RO 55

snmp-server chassis-id DCA-agg2

snmp-server enable traps cpu threshold

snmp-server host x.26.191.99 public  cpu

snmp ifmib ifindex persist

tacacs-server host x.26.191.94 single-connection key 7 01100F175804575D72

tacacs-server directed-request

radius-server source-ports 1645-1646

control-plane

 service-policy input copp-policy

dial-peer cor custom

banner login ^C

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.

All activities performed on this device are logged and monitored.

^C

line con 0

 session-timeout 3

 login authentication authen-exec-list

line vty 0 3

 session-timeout 480

 access-class 111 in

 exec-timeout 480 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 length 0

 transport preferred none

 transport input ssh

 transport output none

line vty 4

 session-timeout 480

 access-class 112 in

 exec-timeout 480 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 length 0

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 no exec

 transport input none

exception protocol ftp

exception dump x.26.129.252

process cpu threshold type total rising 80 interval 5 falling 20 interval 5

process cpu statistics limit entry-percentage 40 size 300

ntp authentication-key 10 md5 13061E010803557878 7

ntp authenticate

ntp trusted-key 10

ntp clock-period 17093461

ntp source GigabitEthernet6/3

ntp server x.26.170.14

ntp server x.26.170.13

end

Aggregation Switch - Nexus 7000

Nexus 7000 1

dca-n7k1# sh run vdc-all

!Running config for default vdc: dca-n7k1

version 4.1(2)

power redundancy-mode combined force

feature telnet

feature tacacs+

feature ospf

feature pim

feature private-vlan

feature udld

feature interface-vlan

feature netflow

feature hsrp

feature lacp

role feature-group name network-admin

username admin password 5 <encrypted password>role network-admin

username dma password 5 <encrypted password>role network-admin

username chris password 5 <encrypted password>.  role network-admin

username me password 5 <encrypted password>role network-operator

ntp server x.26.146.1 use-vrf management

ntp source x.26.146.136

ip domain-lookup

ip host dca-n7k1 x.26.146.136

tacacs-server key 7 "<key>"

tacacs-server host x.26.191.94 key 7 "<key>"

aaa group server tacacs+ tacacs-group

    server x.26.191.94

    use-vrf management

switchname dca-n7k1

ip access-list copp-system-acl-ftp

  10 permit tcp any any eq ftp-data

  20 permit tcp any any eq ftp

  30 permit tcp any eq ftp-data any

  40 permit tcp any eq ftp any

ip access-list copp-system-acl-bgp

  10 permit tcp any gt 1024 any eq bgp

  20 permit tcp any eq bgp any gt 1024

ip access-list copp-system-acl-rip

  10 permit udp any 224.0.0.0/24 eq rip

ip access-list copp-system-acl-vrrp

  10 permit 112 any 224.0.0.0/24

ip access-list 134

  10 permit ip x.26.146.136/32 x.26.0.0/16

  20 deny ip any any log

ip access-list copp-system-acl-igmp

  10 permit igmp any 224.0.0.0/24

ip access-list copp-system-acl-pim

  10 permit pim any 224.0.0.0/24

  20 permit udp any any eq pim-auto-rp

ip access-list copp-system-acl-msdp

  10 permit tcp any gt 1024 any eq 639

  20 permit tcp any eq 639 any gt 1024

ip access-list copp-system-acl-telnet

  10 permit tcp any any eq telnet

  20 permit tcp any any eq 107

  30 permit tcp any eq telnet any

  40 permit tcp any eq 107 any

ip access-list copp-system-acl-tftp

  10 permit udp any any eq tftp

  20 permit udp any any eq 1758

  30 permit udp any eq tftp any

  40 permit udp any eq 1758 any

ip access-list copp-system-acl-eigrp

  10 permit eigrp any any

ip access-list copp-system-acl-ssh

  10 permit tcp any any eq 22

  20 permit tcp any eq 22 any

ip access-list copp-system-acl-glbp

  10 permit udp any eq 3222 224.0.0.0/24 eq 3222

ip access-list copp-system-acl-snmp

  10 permit udp any any eq snmp

  20 permit udp any any eq snmptrap

ip access-list copp-system-acl-hsrp

  10 permit udp any 224.0.0.0/24 eq 1985

ip access-list copp-system-acl-ospf

  10 permit ospf any any

ip access-list copp-system-acl-sftp

  10 permit tcp any any eq 115

  20 permit tcp any eq 115 any

ip access-list copp-system-acl-tacacs

  10 permit tcp any any eq tacacs

  20 permit tcp any eq tacacs any

ip access-list 133

  10 permit icmp x.26.0.0/16 x.26.146.136/32 ttl-exceeded

  20 permit icmp x.26.0.0/16 x.26.146.136/32 port-unreachable

  30 permit icmp x.26.0.0/16 x.26.146.136/32 echo-reply

  40 permit icmp x.26.0.0/16 x.26.146.136/32 echo

  50 permit tcp x.26.0.0/16 eq tacacs x.26.146.136/32 established

  60 permit tcp x.26.0.0/16 x.26.146.136/32 eq tacacs

  70 permit udp x.26.0.0/16 x.26.146.136/32 eq ntp

  80 permit tcp x.26.0.0/16 x.26.146.136/32 eq 22

  90 permit tcp x.26.0.0/16 eq ftp x.26.146.136/32 gt 1023 established

  100 permit tcp x.26.0.0/16 eq ftp-data x.26.146.136/32 gt 1023

  110 permit tcp x.26.0.0/16 gt 1023 x.26.146.136/32 gt 1023 established

  120 permit udp x.26.0.0/16 gt 1023 x.26.146.136/32 gt 1023

  130 permit udp x.26.191.99/32 x.26.146.136/32 eq snmp

  140 deny ip any any log

ip access-list copp-system-acl-traceroute

  10 permit icmp any any ttl-exceeded

  20 permit icmp any any port-unreachable

ip access-list copp-system-acl-undesirable

  10 permit udp any any eq 1434

ip access-list copp-system-acl-icmp

  10 permit icmp any any echo

  20 permit icmp any any echo-reply

ip access-list copp-system-acl-radius

  10 permit udp any any eq 1812

  20 permit udp any any eq 1813

  30 permit udp any any eq 1645

  40 permit udp any any eq 1646

  50 permit udp any eq 1812 any

  60 permit udp any eq 1813 any

  70 permit udp any eq 1645 any

  80 permit udp any eq 1646 any

ip access-list copp-system-acl-ntp

  10 permit udp any any eq ntp

  20 permit udp any eq ntp any

class-map type control-plane match-any copp-system-class-critical

  match access-group name copp-system-acl-bgp

  match access-group name copp-system-acl-eigrp

  match access-group name copp-system-acl-igmp

  match access-group name copp-system-acl-msdp

  match access-group name copp-system-acl-ospf

  match access-group name copp-system-acl-pim

  match access-group name copp-system-acl-rip

class-map type control-plane match-any copp-system-class-exception

  match exception ip option

  match exception ip icmp unreachable

class-map type control-plane match-any copp-system-class-important

  match access-group name copp-system-acl-glbp

  match access-group name copp-system-acl-hsrp

  match access-group name copp-system-acl-vrrp

class-map type control-plane match-any copp-system-class-management

  match access-group name copp-system-acl-ftp

  match access-group name copp-system-acl-ntp

  match access-group name copp-system-acl-radius

  match access-group name copp-system-acl-sftp

  match access-group name copp-system-acl-snmp

  match access-group name copp-system-acl-ssh

  match access-group name copp-system-acl-tacacs

  match access-group name copp-system-acl-telnet

  match access-group name copp-system-acl-tftp

class-map type control-plane match-any copp-system-class-monitoring

  match access-group name copp-system-acl-icmp

  match access-group name copp-system-acl-traceroute

class-map type control-plane match-any copp-system-class-normal

  match protocol arp

class-map type control-plane match-any copp-system-class-redirect

  match redirect dhcp-snoop

  match redirect arp-inspect

class-map type control-plane match-any copp-system-class-undesirable

  match access-group name copp-system-acl-undesirable

policy-map type control-plane copp-system-policy

  class copp-system-class-critical

    police cir 40900 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-important

    police cir 1060 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-management

    police cir 10000 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-normal

    police cir 680 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-redirect

    police cir 280 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-monitoring

    police cir 100 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-exception

    police cir 360 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-undesirable

    police cir 32 kbps bc 250 ms conform drop violate drop

  class class-default

    police cir 100 kbps bc 250 ms conform transmit violate drop

control-plane

  service-policy input copp-system-policy

snmp-server user me network-operator auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a

 priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey

snmp-server user dma network-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a p

riv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey

snmp-server user admin network-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a

 priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey

snmp-server user chris network-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a

 priv 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey

snmp-server enable traps entity fru

aaa authentication login console group tacacs-group

aaa accounting default group tacacs-group

aaa authentication login error-enable

aaa authentication login ascii-authentication

vrf context management

  ip route 0.0.0.0/0 10.1.1.1

  ip route 0.0.0.0/0 x.26.146.1

vlan 1

route-map clients permit 1

vdc dca-n7k1 id 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 192

  limit-resource u4route-mem minimum 32 maximum 32

  limit-resource u6route-mem minimum 16 maximum 16

  limit-resource m4route-mem minimum 48 maximum 48

  limit-resource m6route-mem minimum 8 maximum 8

vdc vdc1 id 2

  allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/9

,Ethernet1/11,Ethernet1/13,Ethernet1/15

  allocate interface Ethernet2/2,Ethernet2/4,Ethernet2/6,Ethernet2/8

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 192

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 2 maximum 2

vdc vdc2 id 3

  allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8,Ethernet1/1

0,Ethernet1/12,Ethernet1/14,Ethernet1/16-32

  allocate interface Ethernet2/1,Ethernet2/3,Ethernet2/5,Ethernet2/7,Ethernet2/9

-48

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 192

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 2 maximum 2

interface Vlan1

interface cmp-mgmt module 5

      ip address x.26.146.175 255.255.254.0

      ip default-gateway x.26.146.1

interface cmp-mgmt module 6

      ip address x.26.146.176 255.255.254.0

      ip default-gateway x.26.146.1

interface Ethernet10/1

interface Ethernet10/2

interface Ethernet10/3

interface Ethernet10/4

interface Ethernet10/5

interface Ethernet10/6

interface Ethernet10/7

interface Ethernet10/8

interface Ethernet10/9

interface Ethernet10/10

interface Ethernet10/11

interface Ethernet10/12

interface Ethernet10/13

interface Ethernet10/14

interface Ethernet10/15

interface Ethernet10/16

interface Ethernet10/17

interface Ethernet10/18

interface Ethernet10/19

interface Ethernet10/20

interface Ethernet10/21

interface Ethernet10/22

interface Ethernet10/23

interface Ethernet10/24

interface Ethernet10/25

interface Ethernet10/26

interface Ethernet10/27

interface Ethernet10/28

interface Ethernet10/29

interface Ethernet10/30

interface Ethernet10/31

interface Ethernet10/32

interface Ethernet10/33

interface Ethernet10/34

interface Ethernet10/35

interface Ethernet10/36

interface Ethernet10/37

interface Ethernet10/38

interface Ethernet10/39

interface Ethernet10/40

interface Ethernet10/41

interface Ethernet10/42

interface Ethernet10/43

interface Ethernet10/44

interface Ethernet10/45

interface Ethernet10/46

interface Ethernet10/47

interface Ethernet10/48

interface mgmt0

  ip access-group 133 in

  ip access-group 134 out

  vrf member management

  ip address x.26.146.136/23

  no ip redirects

clock timezone EDT -5 0

clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60

cli alias name save copy runn start vdc

line console

  terminal length 30

boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-1

boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-1

boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-2

boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-2

ip route x.26.0.0/16 x.26.146.1

monitor session 1

!Running config for vdc: vdc1

switchto vdc vdc1

version 4.1(2)

feature tacacs+

feature ospf

feature ospfv3

feature pim

feature udld

feature interface-vlan

feature hsrp

feature lacp

logging level monitor 7

username admin password 5 <encrypted password>role vdc-admin

ip domain-lookup

ip domain-name cisco.com

tacacs-server key 7 "fewhg123"

tacacs-server host x.26.191.94 key 7 "fewhg123"

aaa group server tacacs+ tacacs-group

    server x.26.191.94

service unsupported-transceiver

ip access-list 112

  10 remark ACL for last resort access

  20 permit tcp x.26.191.92/32 any eq 22

  30 deny ip any any log

ip access-list 111

  10 remark ACL for SSH

  20 permit tcp x.26.0.0/16 any eq 22

  30 deny ip any any log

snmp-server user admin vdc-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a pri

v 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey

aaa accounting default group tacacs-group

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

vlan 1,3

vlan 99

  name vmconsole

vlan 128-133

vlan 151

  name asa-vdc2-Outside

vlan 161

  name asa-vdc1-Outside

vlan 770-771

spanning-tree pathcost method long

spanning-tree port type network default

spanning-tree vlan 99,128,130,132,166,770-771 priority 24576

spanning-tree vlan 129,131,133 priority 28672

route-map static permit 10

interface Vlan1

interface Vlan3

  no shutdown

  ip address 10.8.3.1/24

  ip ospf authentication message-digest

  ip ospf authentication-key 3 9125d59c18a9b015

  ip ospf dead-interval 3

  ip ospf hello-interval 1

  ip router ospf 8 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

interface Vlan99

  no shutdown

  ip address 10.8.99.3/24

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20

    timers  1  3

    ip 10.8.99.1

interface Vlan128

  no shutdown

  ip address 10.8.128.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.128.1

interface Vlan129

  no shutdown

  ip address 10.8.129.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.129.1

interface Vlan130

  no shutdown

  ip address 10.8.130.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.130.1

interface Vlan131

  no shutdown

  ip address 10.8.131.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.131.1

interface Vlan132

  no shutdown

  ip address 10.8.132.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.132.1

interface Vlan133

  no shutdown

  ip address 10.8.133.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.133.1

interface Vlan151

  no shutdown

  ip address 10.8.152.3/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.152.1

interface Vlan161

  no shutdown

  ip address 10.8.162.3/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.162.1

interface port-channel99

  description to dca-n7k2-vdc1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771

  spanning-tree port type network

  logging event port link-status

interface Ethernet1/1

  description to dca-core2 Ten4/4

  ip address 10.8.1.2/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 9125d59c18a9b015

  ip ospf dead-interval 3

  ip ospf hello-interval 1

  ip router ospf 8 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

  no shutdown

interface Ethernet1/3

  description to dca-asa2 Ten5/0

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 161

  spanning-tree port type normal

  no shutdown

interface Ethernet1/5

  description to dca-asa2 Ten7/0

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 151

  spanning-tree port type normal

  no shutdown

interface Ethernet1/7

  no shutdown

interface Ethernet1/9

interface Ethernet1/11

interface Ethernet1/13

  description ISL

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771

  channel-group 99 mode active

  no shutdown

interface Ethernet1/15

  description ISL

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771

  channel-group 99 mode active

  no shutdown

interface Ethernet2/2

  description IXIA port 4/1

  switchport

  switchport access vlan 128

  spanning-tree port type edge

  no shutdown

interface Ethernet2/4

  description IXIA port 4/2

  switchport

  switchport access vlan 130

  spanning-tree port type edge

  no shutdown

interface Ethernet2/6

  description IXIA port 4/3

  switchport

  switchport access vlan 132

  spanning-tree port type edge

  no shutdown

interface Ethernet2/8

  description IXIA port 4/4

interface mgmt0

  description <<mgmt interface>>

  ip address x.26.146.137/23

clock timezone EDT -5 0

clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60

no logging console

cli alias name save copy runn start

line console

  terminal length 30

router ospf 8

  router-id 3.3.3.1

  area 81 nssa

  default-information originate

  area 0.0.0.0 range 10.8.0.0/24

  area 0.0.0.0 range 10.8.1.0/24

  area 0.0.0.0 range 10.8.2.0/24

  area 0.0.0.0 range 10.8.3.0/24

  area 0.0.0.81 range 10.8.128.0/18

  area 0.0.0.0 authentication message-digest

  area 0.0.0.81 authentication message-digest

  timers throttle spf 10 100 5000

  timers throttle lsa router 1000

  timers throttle lsa network 1000

  auto-cost reference-bandwidth 10000

no ip source-route

ip pim ssm range 232.0.0.0/8

switchback

!Running config for vdc: vdc2

switchto vdc vdc2

version 4.1(2)

feature ospf

feature ospfv3

feature pim

feature udld

feature interface-vlan

feature hsrp

feature lacp

username admin password 5 <encrypted password>/  role vdc-admin

ip domain-lookup

system default switchport

logging event link-status default

logging event trunk-status default

service unsupported-transceiver

snmp-server user admin vdc-admin auth md5 0xdd0bd06e76f692a1bbaebceac6f6ee1a pri

v 0xdd0bd06e76f692a1bbaebceac6f6ee1a localizedkey

vrf context erspan

vrf context servers1

  ip route 0.0.0.0/0 10.8.162.1

vrf context servers2

  ip route 0.0.0.0/0 10.8.152.1

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

vlan 1

vlan 15

  name vmkernel

vlan 50-51

vlan 98

  name serviceconsole

vlan 141-142,152-153,162-164,166-169

vlan 171

  name failover

vlan 172

  name state

vlan 180-183

vlan 191

  name waas

vlan 200

  name Mike-Server-1

vlan 201

  name Mike-Server-2

vlan 202

  name Mike-Server-3

vlan 300-399

vlan 999

  name ACEquery

vlan 3000

  name erspan

vlan 3001

  name erspan-ss1

vlan 3002

  name vemcontrol

vlan 3003

  name vempacket

spanning-tree pathcost method long

spanning-tree port type network default

spanning-tree vlan 1,15,98,142,166,168,180,182,200-202,300-399,3000,3002-3003 pr

iority 24576

spanning-tree vlan 50-51,167,169,181,183 priority 28672

interface Vlan1

interface Vlan15

  no shutdown

  vrf member servers1

  ip address 10.8.15.3/24

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20

    timers  1  3

    ip 10.8.15.1

interface Vlan50

  no shutdown

  vrf member servers2

  ip address 10.8.50.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.50.1

interface Vlan51

  no shutdown

  vrf member servers2

  ip address 10.8.51.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.51.1

interface Vlan98

  no shutdown

  vrf member servers1

  ip address 10.8.98.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20

    timers  1  3

    ip 10.8.98.1

interface Vlan141

  vrf member servers1

  ip address 10.8.141.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.141.1

interface Vlan142

  no shutdown

  vrf member servers1

  ip address 10.8.141.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.141.1

interface Vlan152

  no shutdown

  vrf member servers2

  ip address 10.8.152.5/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.152.7

interface Vlan153

  vrf member servers2

  ip address 10.8.152.5/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.152.7

interface Vlan164

  no shutdown

  vrf member servers1

  ip address 10.8.162.5/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.162.7

interface Vlan166

  no shutdown

  vrf member servers1

  ip address 10.8.166.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.166.1

interface Vlan167

  no shutdown

  vrf member servers2

  ip address 10.8.167.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.167.1

interface Vlan168

  no shutdown

  vrf member servers1

  ip address 10.8.168.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.168.1

interface Vlan169

  no shutdown

  vrf member servers2

  ip address 10.8.169.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.169.1

interface Vlan180

  no shutdown

  vrf member servers1

  ip address 10.8.180.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.180.1

interface Vlan181

  no shutdown

  vrf member servers2

  ip address 10.8.181.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.181.1

interface Vlan182

  no shutdown

  vrf member servers1

  ip address 10.8.182.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.182.1

interface Vlan183

  no shutdown

  vrf member servers2

  ip address 10.8.183.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.183.1

interface Vlan200

  no shutdown

  vrf member servers2

  ip address 10.8.200.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 600 reload 300

    timers  1  3

    ip 10.8.200.1

interface Vlan201

  no shutdown

  vrf member servers2

  ip address 10.8.201.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 600 reload 300

    timers  1  3

    ip 10.8.201.1

interface Vlan202

  no shutdown

  vrf member servers2

  ip address 10.8.202.3/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 600 reload 300

    timers  1  3

    ip 10.8.202.1

interface Vlan3000

  no shutdown

  ip address 10.8.3.3/24

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.3.1

interface Vlan3001

  no shutdown

  ip address 10.8.33.3/24

interface port-channel7

  description to vbs

  switchport mode trunk

  switchport trunk allowed vlan 180-183

  spanning-tree port type normal

  spanning-tree guard root

  logging event port link-status

  logging event port trunk-status

interface port-channel71

  switchport mode trunk

  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  logging event port link-status

  logging event port trunk-status

interface port-channel72

interface port-channel99

  description ISL to dca-n7k2-vdc1

  switchport mode trunk

  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164

  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202

  switchport trunk allowed vlan add 300-399,999,3000-3003

  spanning-tree cost 500

  spanning-tree port type network

  logging event port link-status

interface port-channel200

  description to dc10-5020-5

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  spanning-tree port type network

  spanning-tree guard loop

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/2

  description E1/2 to dca-newSS2 Ten1/2

  switchport mode trunk

  switchport trunk allowed vlan 152-153,162-164,191,999,3001

  spanning-tree port type network

  spanning-tree guard loop

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/4

  description E1/4 to dca-newSS1 Ten1/1

  switchport mode trunk

  switchport trunk allowed vlan 152-153,162-164,191,999,3001

  spanning-tree port type network

  spanning-tree guard loop

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/6

  description to dc10-5020-5

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  logging event port link-status

  logging event port trunk-status

  udld enable

  channel-group 200 mode active

interface Ethernet1/8

  description to dc10-5020-6

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  spanning-tree port type network

  spanning-tree guard loop

  logging event port link-status

  logging event port trunk-status

  udld enable

interface Ethernet1/10

  description to dca-asa2 Ten5/1

  switchport mode trunk

  switchport trunk allowed vlan 162

  spanning-tree port type normal

interface Ethernet1/12

  description to dca-asa2 Ten7/1

  switchport mode trunk

  switchport trunk allowed vlan 152

  spanning-tree port type normal

interface Ethernet1/14

  description ISL

  switchport mode trunk

  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164

  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202

  switchport trunk allowed vlan add 300-399,999,3000-3003

  channel-group 99 mode active

interface Ethernet1/16

  description ISL

  switchport mode trunk

  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164

  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202

  switchport trunk allowed vlan add 300-399,999,3000-3003

  channel-group 99 mode active

interface Ethernet1/17

  description dc20-4948-1

  switchport mode trunk

  switchport trunk allowed vlan 50-51,142

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/18

  description dc07-3120-vbs Ten4/0/2

  switchport mode trunk

  switchport trunk allowed vlan 180-183

  spanning-tree port type normal

  spanning-tree guard root

  channel-group 7 mode active

interface Ethernet1/19

  description dc20-4948-2

  switchport mode trunk

  switchport trunk allowed vlan 50-51,142

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/20

  description dc07-3120-vbs Ten2/0/1

  switchport mode trunk

  switchport trunk allowed vlan 180-183

  spanning-tree port type normal

  spanning-tree guard root

  channel-group 7 mode active

interface Ethernet1/21

interface Ethernet1/22

  description to dc10-5020-5

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  logging event port link-status

  logging event port trunk-status

  udld enable

  channel-group 200 mode active

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25

  description dca-vss-acc

  switchport mode trunk

  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  logging event port link-status

  logging event port trunk-status

  channel-group 71 mode active

interface Ethernet1/26

  description dc10-5020-1

  switchport mode trunk

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/27

  description dca-vss-acc

  switchport mode trunk

  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  logging event port link-status

  logging event port trunk-status

  channel-group 71 mode active

interface Ethernet1/28

  description dc10.5020-2

  switchport mode trunk

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/29

  description to 6k access

  switchport mode trunk

  switchport trunk allowed vlan 128-133,164-169,180-183,300-399

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/30

  description dc10-5020-1

  switchport mode trunk

  switchport trunk allowed vlan 15,98,180-183

  spanning-tree port type network

interface Ethernet1/31

  description to 6k access

  switchport mode trunk

  switchport trunk allowed vlan 128-133,164-169,180-183,300-399

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/32

  description dc10-5020-1

  switchport mode trunk

  switchport trunk allowed vlan 15,98,180-183

  spanning-tree port type network

interface Ethernet2/1

  switchport access vlan 172

  spanning-tree port type normal

interface Ethernet2/3

  switchport access vlan 171

  spanning-tree port type normal

interface Ethernet2/5

interface Ethernet2/7

interface Ethernet2/9

interface Ethernet2/10

interface Ethernet2/11

interface Ethernet2/12

interface Ethernet2/13

interface Ethernet2/14

interface Ethernet2/15

interface Ethernet2/16

interface Ethernet2/17

interface Ethernet2/18

interface Ethernet2/19

interface Ethernet2/20

interface Ethernet2/21

interface Ethernet2/22

interface Ethernet2/23

interface Ethernet2/24

interface Ethernet2/25

interface Ethernet2/26

interface Ethernet2/27

interface Ethernet2/28

interface Ethernet2/29

interface Ethernet2/30

interface Ethernet2/31

interface Ethernet2/32

interface Ethernet2/33

interface Ethernet2/34

interface Ethernet2/35

interface Ethernet2/36

interface Ethernet2/37

  description ASA1 int g3/3

  switchport mode trunk

  switchport trunk allowed vlan 142

  spanning-tree port type normal

  logging event port link-status

  logging event port trunk-status

interface Ethernet2/38

  description ASA int g3/2

  switchport mode trunk

  switchport trunk allowed vlan 141

  spanning-tree port type normal

  logging event port link-status

  logging event port trunk-status

interface Ethernet2/39

interface Ethernet2/40

interface Ethernet2/41

interface Ethernet2/42

interface Ethernet2/43

interface Ethernet2/44

interface Ethernet2/45

interface Ethernet2/46

interface Ethernet2/47

interface Ethernet2/48

interface mgmt0

  ip address x.26.146.138/23

clock timezone EDT -5 0

clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60

cli alias name save copy runn start

line console

  terminal length 30

router ospf 8

  vrf servers1

    router-id 4.4.4.1

    area 81 nssa

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

    timers throttle lsa router 1000

    timers throttle lsa network 1000

  vrf servers2

    router-id 5.5.5.1

    area 81 nssa

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

    timers throttle lsa router 1000

    timers throttle lsa network 1000

ip pim rp-address 10.8.20.1 group-list 224.0.0.0/4

ip pim ssm range 232.0.0.0/8

no system default switchport shutdown

switchback

dca-n7k1#

Nexus 7000 2

dca-n7k2# sh run vdc-all

!Running config for default vdc: dca-n7k2

version 4.1(2)

power redundancy-mode combined force

feature telnet

feature tacacs+

feature ospf

feature pim

feature private-vlan

feature udld

feature interface-vlan

feature netflow

feature hsrp

feature lacp

username admin password 5 <encrypted password>role network-admin

username dma password 5 <encrypted password>.  role network-admin

username chris password 5 <encrypted password>.  role network-admin

username dma1-ops password 5 <encrypted password>role network-operator

ntp server x.26.146.1 use-vrf management

ip domain-lookup

ip host dca-n7k2 x.26.146.204

ip host dca-n7k2 x.26.146.204

tacacs-server key 7 "<key>"

tacacs-server host x.26.191.94 key 7 "<key>"

aaa group server tacacs+ tacacs-group

    server x.26.191.94

    use-vrf management

hostname dca-n7k2

service unsupported-transceiver

ip access-list copp-system-acl-ftp

  10 permit tcp any any eq ftp-data

  20 permit tcp any any eq ftp

  30 permit tcp any eq ftp-data any

  40 permit tcp any eq ftp any

ip access-list copp-system-acl-bgp

  10 permit tcp any gt 1024 any eq bgp

  20 permit tcp any eq bgp any gt 1024

ip access-list copp-system-acl-rip

  10 permit udp any 224.0.0.0/24 eq rip

ip access-list copp-system-acl-vrrp

  10 permit 112 any 224.0.0.0/24

ip access-list 134

  10 permit ip x.26.146.204/32 x.26.0.0/16

  20 deny ip any any log

ip access-list copp-system-acl-igmp

  10 permit igmp any 224.0.0.0/24

ip access-list copp-system-acl-pim

  10 permit pim any 224.0.0.0/24

  20 permit udp any any eq pim-auto-rp

ip access-list copp-system-acl-msdp

  10 permit tcp any gt 1024 any eq 639

  20 permit tcp any eq 639 any gt 1024

ip access-list copp-system-acl-telnet

  10 permit tcp any any eq telnet

  20 permit tcp any any eq 107

  30 permit tcp any eq telnet any

  40 permit tcp any eq 107 any

ip access-list copp-system-acl-tftp

  10 permit udp any any eq tftp

  20 permit udp any any eq 1758

  30 permit udp any eq tftp any

  40 permit udp any eq 1758 any

ip access-list copp-system-acl-eigrp

  10 permit eigrp any any

ip access-list copp-system-acl-ssh

  10 permit tcp any any eq 22

  20 permit tcp any eq 22 any

ip access-list copp-system-acl-glbp

  10 permit udp any eq 3222 224.0.0.0/24 eq 3222

ip access-list copp-system-acl-snmp

  10 permit udp any any eq snmp

  20 permit udp any any eq snmptrap

ip access-list copp-system-acl-hsrp

  10 permit udp any 224.0.0.0/24 eq 1985

ip access-list copp-system-acl-ospf

  10 permit ospf any any

ip access-list copp-system-acl-sftp

  10 permit tcp any any eq 115

  20 permit tcp any eq 115 any

ip access-list copp-system-acl-tacacs

  10 permit tcp any any eq tacacs

  20 permit tcp any eq tacacs any

ip access-list 133

  10 permit icmp x.26.0.0/16 x.26.146.204/32 ttl-exceeded

  20 permit icmp x.26.0.0/16 x.26.146.204/32 port-unreachable

  30 permit icmp x.26.0.0/16 x.26.146.204/32 echo-reply

  40 permit icmp x.26.0.0/16 x.26.146.204/32 echo

  50 permit tcp x.26.0.0/16 eq tacacs x.26.146.204/32 established

  60 permit tcp x.26.0.0/16 x.26.146.204/32 eq tacacs

  70 permit udp x.26.0.0/16 x.26.146.204/32 eq ntp

  80 permit tcp x.26.0.0/16 x.26.146.204/32 eq 22

  90 permit tcp x.26.0.0/16 eq ftp x.26.146.204/32 gt 1023 established

  100 permit tcp x.26.0.0/16 eq ftp-data x.26.146.204/32 gt 1023

  110 permit tcp x.26.0.0/16 gt 1023 x.26.146.204/32 gt 1023 established

  120 permit udp x.26.0.0/16 gt 1023 x.26.146.204/32 gt 1023

  130 permit udp x.26.191.99/32 x.26.146.204/32 eq snmp

  140 deny ip any any log

ip access-list copp-system-acl-traceroute

  10 permit icmp any any ttl-exceeded

  20 permit icmp any any port-unreachable

ip access-list copp-system-acl-undesirable

  10 permit udp any any eq 1434

ip access-list copp-system-acl-icmp

  10 permit icmp any any echo

  20 permit icmp any any echo-reply

ip access-list copp-system-acl-radius

  10 permit udp any any eq 1812

  20 permit udp any any eq 1813

  30 permit udp any any eq 1645

  40 permit udp any any eq 1646

  50 permit udp any eq 1812 any

  60 permit udp any eq 1813 any

  70 permit udp any eq 1645 any

  80 permit udp any eq 1646 any

ip access-list copp-system-acl-ntp

  10 permit udp any any eq ntp

  20 permit udp any eq ntp any

class-map type control-plane match-any copp-system-class-critical

  match access-group name copp-system-acl-bgp

  match access-group name copp-system-acl-eigrp

  match access-group name copp-system-acl-igmp

  match access-group name copp-system-acl-msdp

  match access-group name copp-system-acl-ospf

  match access-group name copp-system-acl-pim

  match access-group name copp-system-acl-rip

class-map type control-plane match-any copp-system-class-exception

  match exception ip option

  match exception ip icmp unreachable

class-map type control-plane match-any copp-system-class-important

  match access-group name copp-system-acl-glbp

  match access-group name copp-system-acl-hsrp

  match access-group name copp-system-acl-vrrp

class-map type control-plane match-any copp-system-class-management

  match access-group name copp-system-acl-ftp

  match access-group name copp-system-acl-ntp

  match access-group name copp-system-acl-radius

  match access-group name copp-system-acl-sftp

  match access-group name copp-system-acl-snmp

  match access-group name copp-system-acl-ssh

  match access-group name copp-system-acl-tacacs

  match access-group name copp-system-acl-telnet

  match access-group name copp-system-acl-tftp

class-map type control-plane match-any copp-system-class-monitoring

  match access-group name copp-system-acl-icmp

  match access-group name copp-system-acl-traceroute

class-map type control-plane match-any copp-system-class-normal

  match protocol arp

class-map type control-plane match-any copp-system-class-redirect

  match redirect dhcp-snoop

  match redirect arp-inspect

class-map type control-plane match-any copp-system-class-undesirable

  match access-group name copp-system-acl-undesirable

policy-map type control-plane copp-system-policy

  class copp-system-class-critical

    police cir 40900 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-important

    police cir 1060 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-management

    police cir 10000 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-normal

    police cir 680 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-redirect

    police cir 280 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-monitoring

    police cir 100 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-exception

    police cir 360 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-undesirable

    police cir 32 kbps bc 250 ms conform drop violate drop

  class class-default

    police cir 100 kbps bc 250 ms conform transmit violate drop

control-plane

  service-policy input copp-system-policy

snmp-server user dma network-admin auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce priv 
0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey

snmp-server user admin network-admin auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce priv 
0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey

snmp-server user chris network-admin auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce priv 
0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey

snmp-server user dma1-ops network-operator auth md5 0xb1f79b0d0c98a2387bb30043f9c8e5ce 
priv 0xb1f79b0d0c98a2387bb30043f9c8e5ce localizedkey

snmp-server enable traps entity fru

aaa authentication login console group tacacs-group

aaa accounting default group tacacs-group

aaa authentication login error-enable

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

vlan 1

vdc dca-n7k2 id 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 192

  limit-resource u4route-mem minimum 32 maximum 32

  limit-resource u6route-mem minimum 16 maximum 16

  limit-resource m4route-mem minimum 48 maximum 48

  limit-resource m6route-mem minimum 8 maximum 8

vdc vdc1 id 2

  allocate interface 
Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/9,Ethernet1/11,Ethernet1/13,Ethe
rnet1/15

  allocate interface Ethernet2/2,Ethernet2/4,Ethernet2/6,Ethernet2/8

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 192

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 2 maximum 2

vdc vdc2 id 3

  allocate interface 
Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8,Ethernet1/10,Ethernet1/12,Ethernet1/14,Eth
ernet1/16-32

  allocate interface Ethernet2/1,Ethernet2/3,Ethernet2/5,Ethernet2/7,Ethernet2/9-48

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 192

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 2 maximum 2

interface Vlan1

interface cmp-mgmt module 5

      ip address x.26.146.85 255.255.254.0

      ip default-gateway x.26.146.1

interface cmp-mgmt module 6

      ip address x.26.146.86 255.255.254.0

      ip default-gateway x.26.146.1

interface mgmt0

  description <<** Flash address **>>

  ip access-group 133 in

  ip access-group 134 out

  vrf member management

  ip address x.26.146.204/23

  no ip redirects

clock timezone EDT -5 0

clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60

cli alias name save copy runn start vdc

line console

  terminal length 30

boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-1

boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-1

boot kickstart bootflash:/n7000-s1-kickstart.4.1.2.bin sup-2

boot system bootflash:/n7000-s1-dk9.4.1.2.bin sup-2

interface Ethernet10/1

interface Ethernet10/2

interface Ethernet10/3

interface Ethernet10/4

interface Ethernet10/5

interface Ethernet10/6

interface Ethernet10/7

interface Ethernet10/8

interface Ethernet10/9

interface Ethernet10/10

interface Ethernet10/11

interface Ethernet10/12

interface Ethernet10/13

interface Ethernet10/14

interface Ethernet10/15

interface Ethernet10/16

interface Ethernet10/17

interface Ethernet10/18

interface Ethernet10/19

interface Ethernet10/20

interface Ethernet10/21

interface Ethernet10/22

interface Ethernet10/23

interface Ethernet10/24

interface Ethernet10/25

interface Ethernet10/26

interface Ethernet10/27

interface Ethernet10/28

interface Ethernet10/29

interface Ethernet10/30

interface Ethernet10/31

interface Ethernet10/32

interface Ethernet10/33

interface Ethernet10/34

interface Ethernet10/35

interface Ethernet10/36

interface Ethernet10/37

interface Ethernet10/38

interface Ethernet10/39

interface Ethernet10/40

interface Ethernet10/41

interface Ethernet10/42

interface Ethernet10/43

interface Ethernet10/44

interface Ethernet10/45

interface Ethernet10/46

interface Ethernet10/47

interface Ethernet10/48

ip route x.26.0.0/16 x.26.146.1

no ip source-route

logging timestamp milliseconds

!Running config for vdc: vdc1

switchto vdc vdc1

version 4.1(2)

feature telnet

feature ospf

feature pim

feature private-vlan

feature udld

feature interface-vlan

feature hsrp

feature lacp

username admin password 5 <encrypted password>.  role vdc-admin

ip domain-lookup

service unsupported-transceiver

snmp-server user admin vdc-admin auth md5 <encrypted password> priv

<encrypted password> localizedkey

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

vlan 1,3

vlan 99

  name vmconsole

vlan 128-133

vlan 151

  name asa-vdc2-Outside

vlan 161

  name asa-vdc1-Outside

vlan 770-771

spanning-tree pathcost method long

spanning-tree port type network default

spanning-tree vlan 99,128,130,132,166,770-771 priority 28672

spanning-tree vlan 129,131,133 priority 24576

interface Vlan1

interface Vlan3

  no shutdown

  ip address 10.8.3.2/24

  ip ospf authentication message-digest

  ip ospf authentication-key 3 9125d59c18a9b015

  ip ospf dead-interval 3

  ip ospf hello-interval 1

  ip router ospf 8 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

interface Vlan99

  no shutdown

  ip address 10.8.99.2/24

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10

    timers  1  3

    ip 10.8.99.1

interface Vlan128

  no shutdown

  ip address 10.8.128.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.128.1

interface Vlan129

  no shutdown

  ip address 10.8.129.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.129.1

interface Vlan130

  no shutdown

  ip address 10.8.130.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.130.1

interface Vlan131

  no shutdown

  ip address 10.8.131.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.131.1

interface Vlan132

  no shutdown

  ip address 10.8.132.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.132.1

interface Vlan133

  no shutdown

  ip address 10.8.133.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.133.1

interface Vlan151

  no shutdown

  ip address 10.8.152.2/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.152.1

interface Vlan161

  no shutdown

  ip address 10.8.162.2/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.162.1

interface port-channel99

  description to dca-n7k1-vdc1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771

  spanning-tree port type network

  logging event port link-status

interface Ethernet1/1

  description to dca-core2 Ten4/4

  ip address 10.8.2.2/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 9125d59c18a9b015

  ip ospf dead-interval 3

  ip ospf hello-interval 1

  ip router ospf 8 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

  no shutdown

interface Ethernet1/3

  description to dca-asa2 Ten5/0

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 161

  spanning-tree port type normal

  no shutdown

interface Ethernet1/5

  description to dca-asa2 Ten7/0

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 151

  spanning-tree port type normal

  no shutdown

interface Ethernet1/7

  no shutdown

interface Ethernet1/9

interface Ethernet1/11

interface Ethernet1/13

  description ISL

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771

  channel-group 99 mode active

  no shutdown

interface Ethernet1/15

  description ISL

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 3,50-51,99,128-133,151,161,770-771

  channel-group 99 mode active

  no shutdown

interface Ethernet2/2

  description IXIA port 4/5

  switchport

  switchport access vlan 129

  spanning-tree port type edge

  no shutdown

interface Ethernet2/4

  description IXIA port 4/6

  switchport

  switchport access vlan 131

  spanning-tree port type edge

  no shutdown

interface Ethernet2/6

  description IXIA port 4/7

  switchport

  switchport access vlan 133

  spanning-tree port type edge

  no shutdown

interface Ethernet2/8

  description IXIA port 4/8

interface mgmt0

  ip address x.26.146.202/23

clock timezone EDT -5 0

clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60

cli alias name save copy runn start

line console

  terminal length 0

router ospf 8

  router-id 3.3.3.2

  area 81 nssa

  default-information originate

  area 0.0.0.0 range 10.8.0.0/24

  area 0.0.0.0 range 10.8.1.0/24

  area 0.0.0.0 range 10.8.2.0/24

  area 0.0.0.0 range 10.8.3.0/24

  area 0.0.0.81 range 10.8.128.0/18

  area 0.0.0.0 authentication message-digest

  area 0.0.0.81 authentication message-digest

  timers throttle spf 10 100 5000

  timers throttle lsa router 1000

  timers throttle lsa network 1000

  auto-cost reference-bandwidth 10000

no ip source-route

ip pim ssm range 232.0.0.0/8

switchback

!Running config for vdc: vdc2

switchto vdc vdc2

version 4.1(2)

feature ospf

feature pim

feature udld

feature interface-vlan

feature hsrp

feature lacp

logging level monitor 7

username admin password 5 <encrypted password>  role vdc-admin

ssh key rsa 768

ip domain-lookup

switchname vdc2

system default switchport

logging event link-status default

logging event trunk-status default

service unsupported-transceiver

snmp-server user admin vdc-admin auth md5 <encrypted password> priv

<encrypted password> localizedkey

vrf context erspan

vrf context servers1

  ip route 0.0.0.0/0 10.8.162.1

vrf context servers2

  ip route 0.0.0.0/0 10.8.152.1

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

vlan 1

vlan 15

  name vmkernel

vlan 50-51

vlan 98

  name serviceconsole

vlan 141-142,152-153,162-164,166-169

vlan 171

  name failover

vlan 172

  name state

vlan 180-183

vlan 191

  name waas

vlan 200

  name Mike-Server-1

vlan 201

  name Mike-Server-2

vlan 202

  name Mike-Server-3

vlan 300-399,999

vlan 3000

  name erspan

vlan 3001

  name erspan-ss1

vlan 3002

  name vemcontrol

vlan 3003

  name vempacket

spanning-tree pathcost method long

spanning-tree port type network default

spanning-tree vlan 1,15,98,142,166,168,180,182,200-202,300-399,3000,3002-3003 priority 
28672

spanning-tree vlan 50-51,167,169,181,183 priority 24576

interface Vlan1

interface Vlan15

  no shutdown

  vrf member servers1

  ip address 10.8.15.2/24

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10

    timers  1  3

    ip 10.8.15.1

interface Vlan50

  no shutdown

  vrf member servers2

  ip address 10.8.50.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.50.1

interface Vlan51

  no shutdown

  vrf member servers2

  ip address 10.8.51.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.51.1

interface Vlan98

  no shutdown

  vrf member servers1

  ip address 10.8.98.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20

    timers  1  3

    ip 10.8.98.1

interface Vlan141

  vrf member servers1

  ip address 10.8.141.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.141.1

interface Vlan152

  no shutdown

  vrf member servers2

  ip address 10.8.152.6/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.152.7

interface Vlan153

  vrf member servers2

  ip address 10.8.152.6/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.152.7

interface Vlan164

  no shutdown

  vrf member servers1

  ip address 10.8.162.6/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.162.7

interface Vlan166

  no shutdown

  vrf member servers1

  ip address 10.8.166.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.166.1

interface Vlan167

  no shutdown

  vrf member servers2

  ip address 10.8.167.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.167.1

interface Vlan168

  no shutdown

  vrf member servers1

  ip address 10.8.168.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.168.1

interface Vlan169

  no shutdown

  vrf member servers2

  ip address 10.8.169.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.169.1

interface Vlan180

  no shutdown

  vrf member servers1

  ip address 10.8.180.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.180.1

interface Vlan181

  no shutdown

  vrf member servers2

  ip address 10.8.181.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.181.1

interface Vlan182

  no shutdown

  vrf member servers1

  ip address 10.8.182.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.182.1

interface Vlan183

  no shutdown

  vrf member servers2

  ip address 10.8.183.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 20 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.183.1

interface Vlan200

  no shutdown

  vrf member servers2

  ip address 10.8.200.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 600 reload 300

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.200.1

interface Vlan201

  no shutdown

  vrf member servers2

  ip address 10.8.201.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 600 reload 300

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.201.1

interface Vlan202

  no shutdown

  vrf member servers2

  ip address 10.8.202.2/24

  ip ospf passive-interface

  ip router ospf 8 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 600 reload 300

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.202.1

interface Vlan3000

  no shutdown

  ip address 10.8.3.2/24

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 10.8.3.1

interface Vlan3001

  no shutdown

  ip address 10.8.33.2/24

interface port-channel8

  description to vbs

  switchport mode trunk

  switchport trunk allowed vlan 180-183

  spanning-tree port type normal

  spanning-tree guard root

  logging event port link-status

  logging event port trunk-status

interface port-channel72

  switchport mode trunk

  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  logging event port link-status

  logging event port trunk-status

interface port-channel99

  description ISL to dca-n7k1-vdc1

  switchport mode trunk

  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164

  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202

  switchport trunk allowed vlan add 300-399,999,3000-3003

  spanning-tree cost 500

  spanning-tree port type network

  logging event port link-status

interface port-channel201

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  spanning-tree port type network

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/2

  description E1/2 to dca-newSS1 T1/1

  switchport mode trunk

  switchport trunk allowed vlan 152-153,162-164,191,999,3001

  spanning-tree port type network

  spanning-tree guard loop

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/4

  description E1/4 to dca-newSS2 T1/2

  switchport mode trunk

  switchport trunk allowed vlan 152-153,162-164,191,999,3001

  spanning-tree port type network

  spanning-tree guard loop

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/6

  description to dc10-5020-5

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  logging event port link-status

  logging event port trunk-status

  udld enable

  channel-group 201 mode active

interface Ethernet1/8

  description to dc10-5020-6

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  spanning-tree port type network

  spanning-tree guard loop

  logging event port link-status

  logging event port trunk-status

  udld enable

interface Ethernet1/10

  description to dca-asa2 Ten5/1

  switchport mode trunk

  switchport trunk allowed vlan 162

  spanning-tree port type normal

interface Ethernet1/12

  description to dca-asa2 Ten7/1

  switchport mode trunk

  switchport trunk allowed vlan 152

  spanning-tree port type normal

interface Ethernet1/14

  description ISL

  switchport mode trunk

  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164

  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202

  switchport trunk allowed vlan add 300-399,999,3000-3003

  channel-group 99 mode active

interface Ethernet1/16

  description ISL

  switchport mode trunk

  switchport trunk allowed vlan 15,50-51,98,141-142,152-153,162-164

  switchport trunk allowed vlan add 166-169,171-172,180-183,191,200-202

  switchport trunk allowed vlan add 300-399,999,3000-3003

  channel-group 99 mode active

interface Ethernet1/17

  description dc20-4948-1

  switchport mode trunk

  switchport trunk allowed vlan 50-51,142

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/18

  description dc07-3120-vbs Ten4/0/2

  switchport mode trunk

  switchport trunk allowed vlan 180-183

  spanning-tree port type normal

  spanning-tree guard root

  channel-group 8 mode active

interface Ethernet1/19

  description dc20-4948-2

  switchport mode trunk

  switchport trunk allowed vlan 50-51,142

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/20

  description dc07-3120-vbs Ten2/0/2

  switchport mode trunk

  switchport trunk allowed vlan 180-183

  spanning-tree port type normal

  spanning-tree guard root

  channel-group 8 mode active

interface Ethernet1/21

interface Ethernet1/22

  switchport mode trunk

  switchport trunk allowed vlan 200-202

  logging event port link-status

  logging event port trunk-status

  udld enable

  channel-group 201 mode active

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25

  description dca-vss-acc

  switchport mode trunk

  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  channel-group 72 mode active

interface Ethernet1/26

  description dc10-5020-1

  switchport mode trunk

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/27

  description dca-vss-acc

  switchport mode trunk

  switchport trunk allowed vlan 15,142,180-183,300-399,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  channel-group 72 mode active

interface Ethernet1/28

  description dc10-5020-2

  switchport mode trunk

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

  spanning-tree guard root

  mtu 9216

  logging event port link-status

  logging event port trunk-status

interface Ethernet1/29

  description to 6k access

  switchport mode trunk

  switchport trunk allowed vlan 128-133,164-169,180-183,300-399

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/30

  description dc10-5020-3

  switchport mode trunk

  switchport trunk allowed vlan 15,98,180-183

  spanning-tree port type network

interface Ethernet1/31

  description to 6k access

  switchport mode trunk

  switchport trunk allowed vlan 128-133,164-169,180-183,300-399

  spanning-tree port type normal

  spanning-tree guard root

interface Ethernet1/32

  description dc10-5020-4

  switchport mode trunk

  switchport trunk allowed vlan 15,98,180-183

  spanning-tree port type network

interface Ethernet2/1

  switchport access vlan 172

  spanning-tree port type normal

interface Ethernet2/3

  switchport access vlan 171

  spanning-tree port type normal

interface Ethernet2/5

  spanning-tree port type normal

interface Ethernet2/7

interface Ethernet2/9

interface Ethernet2/10

interface Ethernet2/11

interface Ethernet2/12

interface Ethernet2/13

interface Ethernet2/14

interface Ethernet2/15

interface Ethernet2/16

interface Ethernet2/17

interface Ethernet2/18

interface Ethernet2/19

interface Ethernet2/20

interface Ethernet2/21

interface Ethernet2/22

interface Ethernet2/23

interface Ethernet2/24

interface Ethernet2/25

interface Ethernet2/26

interface Ethernet2/27

interface Ethernet2/28

interface Ethernet2/29

interface Ethernet2/30

interface Ethernet2/31

interface Ethernet2/32

interface Ethernet2/33

interface Ethernet2/34

interface Ethernet2/35

interface Ethernet2/36

interface Ethernet2/37

  description ASA1 int g3/3

  switchport mode trunk

  switchport trunk allowed vlan 142

  spanning-tree port type normal

  logging event port link-status

  logging event port trunk-status

interface Ethernet2/38

  description ASA int g3/2

  switchport mode trunk

  switchport trunk allowed vlan 141

  spanning-tree port type normal

  logging event port link-status

  logging event port trunk-status

interface Ethernet2/39

interface Ethernet2/40

interface Ethernet2/41

interface Ethernet2/42

interface Ethernet2/43

interface Ethernet2/44

interface Ethernet2/45

interface Ethernet2/46

interface Ethernet2/47

interface Ethernet2/48

interface mgmt0

  ip address x.26.146.203/23

interface loopback88

  vrf member test

clock timezone EDT -5 0

clock summer-time EDT 3 Sun Mar 00:00 3 Sunday Oct 00:00 60

cli alias name save copy runn start

line console

  terminal length 0

router ospf 8

  vrf servers1

    router-id 4.4.4.2

    area 81 nssa

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

    timers throttle lsa router 1000

    timers throttle lsa network 1000

  vrf servers2

    router-id 5.5.5.2

    area 81 nssa

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

    timers throttle lsa router 1000

    timers throttle lsa network 1000

ip pim rp-address 10.8.20.1 group-list 224.0.0.0/4

ip pim ssm range 232.0.0.0/8

no system default switchport shutdown

switchback

dca-n7k2#

Services Layer Switch—Catalyst 6500

Service Switch 1

dca-newSS1#sh run

Building configuration...

Current configuration : 20243 bytes

! Last configuration change at 03:21:52 EST Fri May 1 2009 by chris

! NVRAM config last updated at 00:05:07 EST Thu May 14 2009

upgrade fpd auto

version 12.2

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service counters max age 5

hostname dca-newSS1

boot-start-marker

boot system flash bootflash:s72033-adventerprisek9_wan-mz.122-33.SXI.bin

boot-end-marker

enable secret 5 <encrypted password>

username admin privilege 15 secret 5 <encrypted password>

username dma-ops password 7 <encrypted password>

username chris-ops password 7 <encrypted password>

username martin password 7 <encrypted password>

aaa new-model

aaa group server tacacs+ tacacs-group

 server x.26.191.94

aaa authentication login authen-exec-list group tacacs-group local-case

aaa authentication enable default group tacacs-group enable

aaa authorization exec author-exec-list group tacacs-group if-authenticated

aaa authorization commands 15 author-15-list group tacacs-group none

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs-group

aaa accounting commands 15 default start-stop group tacacs-group

aaa accounting system default start-stop group tacacs-group

aaa session-id common

clock timezone EST -5

clock summer-time EST recurring

svclc autostate

svclc multiple-vlan-interfaces

svclc module 7 vlan-group 1

svclc module 8 vlan-group 1,2,150,160,190,999

svclc vlan-group 1  146

svclc vlan-group 2  170

svclc vlan-group 150  152,153

svclc vlan-group 160  162,163

svclc vlan-group 190  190,191

svclc vlan-group 999  999

firewall autostate

firewall multiple-vlan-interfaces

firewall module 7 vlan-group 1

analysis module 9 management-port access-vlan 146

ip subnet-zero

no ip source-route

ip ftp source-interface Vlan146

ip ftp username chrobrie

ip ftp password 7 <encrypted password>

no ip bootp server

ip ssh authentication-retries 2

ip ssh logging events

ip ssh version 2

ip scp server enable

ip domain-name cisco.com

ip name-server x.26.129.252

login block-for 100 attempts 5 within 50

login quiet-mode access-class 10

login on-failure log

vtp mode transparent

mls ip slb purge global

mls netflow interface

mls flow ip interface-full

no mls flow ipv6

mls nde sender version 5

mls qos

mls cef error action reset

archive

 path ftp://test:test@x.26.129.252/NexusDCPhase1/$h-$t

 write-memory

memory reserve critical 1000

memory free low-watermark processor 91492

memory free low-watermark IO 6710

spanning-tree mode rapid-pvst

spanning-tree portfast network default

spanning-tree extend system-id

spanning-tree pathcost method long

spanning-tree vlan 163,170-172,191,999,3001 priority 24576

diagnostic bootup level minimal

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric timer 15

fabric switching-mode allow truncated threshold 1

fabric switching-mode allow truncated

port-channel hash-distribution adaptive

redundancy

 main-cpu

  auto-sync running-config

 mode sso

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

vlan 146

 name flash

vlan 152-153,162-164,170-172

vlan 190

 name waflan

vlan 191

 name waas

vlan 999

vlan 3001

 name erspan

class-map match-all coppclass-igp

  match access-group name coppacl-igp

class-map match-all coppclass-monitoring

  match access-group name coppacl-monitoring

class-map match-all coppclass-filemanagement

  match access-group name coppacl-filemanagement

class-map match-all coppclass-management

  match access-group name coppacl-management

policy-map copp-policy

  class coppclass-igp

   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-filemanagement

   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-management

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-monitoring

   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     
violate-action drop

  class class-default

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

interface Port-channel31

 switchport

 switchport access vlan 191

 switchport mode access

 logging event link-status

 spanning-tree portfast edge

interface Port-channel2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 switchport nonegotiate

 mtu 9216

interface Port-channel99

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 170-172

 switchport mode trunk

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 spanning-tree portfast network

interface GigabitEthernet3/21

 description <<** G3/25 to dc-waecm G2/0 **>>

 switchport

 switchport access vlan 191

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode access

 logging event link-status

 spanning-tree portfast edge

interface GigabitEthernet3/23

 description <<** G3/23 to dc-wae2 G2/0 **>>

 switchport

 switchport access vlan 191

 switchport mode access

 logging event link-status

 spanning-tree portfast edge

 channel-group 31 mode on

interface GigabitEthernet3/24

 description <<** G3/23 to dc-wae1 G1/0 **>>

 switchport

 switchport access vlan 191

 switchport mode access

 logging event link-status

 spanning-tree portfast edge

 channel-group 31 mode on

interface GigabitEthernet3/25

 switchport

 switchport access vlan 191

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 logging event link-status

 shutdown

 rmon collection stats 6028 owner monitor

 rmon collection stats 6032 owner monitor

 spanning-tree portfast edge

interface TenGigabitEthernet1/1

 description <<** T1/1 to dca-n7k2-vdc2 **>>

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 152,153,162-164,191,999,3001

 switchport mode trunk

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6000 owner monitor

 spanning-tree portfast network

interface TenGigabitEthernet1/2

 description <<** T1/2 to dca-n7k1-vdc2 **>>

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 152,153,162-164,191,999,3001

 switchport mode trunk

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6001 owner monitor

 spanning-tree portfast network

interface TenGigabitEthernet1/3

 description to ips2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 switchport nonegotiate

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 shutdown

 rmon collection stats 6002 owner monitor

 channel-group 2 mode on

interface TenGigabitEthernet1/4

 description to ips1 7/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 switchport nonegotiate

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6003 owner monitor

 channel-group 2 mode on

interface TenGigabitEthernet1/5

 no ip address

 rmon collection stats 6004 owner monitor

interface TenGigabitEthernet1/6

 no ip address

 rmon collection stats 6005 owner monitor

interface TenGigabitEthernet1/7

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 170-172

 switchport mode trunk

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6006 owner monitor

 channel-protocol lacp

 channel-group 99 mode active

interface TenGigabitEthernet1/8

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 170-172

 switchport mode trunk

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6007 owner monitor

 channel-protocol lacp

 channel-group 99 mode active

interface GigabitEthernet3/1

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6008 owner monitor

interface GigabitEthernet3/2

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6009 owner monitor

interface GigabitEthernet3/3

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6010 owner monitor

interface GigabitEthernet3/4

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6011 owner monitor

interface GigabitEthernet3/5

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6012 owner monitor

interface GigabitEthernet3/6

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6013 owner monitor

interface GigabitEthernet3/7

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6014 owner monitor

interface GigabitEthernet3/8

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6015 owner monitor

interface GigabitEthernet3/9

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6016 owner monitor

interface GigabitEthernet3/10

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6017 owner monitor

interface GigabitEthernet3/11

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6018 owner monitor

interface GigabitEthernet3/12

 description to waf2 eth3

 switchport

 switchport access vlan 190

 switchport mode access

 rmon collection stats 6019 owner monitor

 spanning-tree portfast edge

interface GigabitEthernet3/13

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6020 owner monitor

interface GigabitEthernet3/14

 description to waf1 eth3

 switchport

 switchport access vlan 190

 switchport mode access

 rmon collection stats 6021 owner monitor

 spanning-tree portfast edge

interface GigabitEthernet3/15

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6022 owner monitor

interface GigabitEthernet3/16

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6023 owner monitor

interface GigabitEthernet3/17

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6024 owner monitor

interface GigabitEthernet3/18

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6025 owner monitor

interface GigabitEthernet3/19

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6026 owner monitor

interface GigabitEthernet3/20

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6027 owner monitor

interface GigabitEthernet3/22

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6029 owner monitor

interface GigabitEthernet3/26

 description to IPS1 gig 3/3

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 logging event link-status

 logging event trunk-status

 load-interval 30

 rmon collection stats 6033 owner monitor

 spanning-tree portfast edge trunk

interface GigabitEthernet3/27

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6034 owner monitor

interface GigabitEthernet3/28

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6035 owner monitor

interface GigabitEthernet3/29

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6036 owner monitor

interface GigabitEthernet3/30

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6037 owner monitor

interface GigabitEthernet3/31

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6038 owner monitor

interface GigabitEthernet3/32

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6039 owner monitor

interface GigabitEthernet3/33

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6040 owner monitor

interface GigabitEthernet3/34

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6041 owner monitor

interface GigabitEthernet3/35

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6042 owner monitor

interface GigabitEthernet3/36

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6043 owner monitor

interface GigabitEthernet3/37

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 shutdown

 rmon collection stats 6044 owner monitor

interface GigabitEthernet3/38

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6045 owner monitor

interface GigabitEthernet3/39

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6046 owner monitor

interface GigabitEthernet3/40

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6047 owner monitor

interface GigabitEthernet3/41

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6048 owner monitor

interface GigabitEthernet3/42

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6049 owner monitor

interface GigabitEthernet3/43

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6050 owner monitor

interface GigabitEthernet3/44

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6051 owner monitor

interface GigabitEthernet3/45

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6052 owner monitor

interface GigabitEthernet3/46

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6053 owner monitor

interface GigabitEthernet3/47

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6054 owner monitor

interface GigabitEthernet3/48

 switchport

 switchport access vlan 4000

 switchport mode access

 logging event link-status

 logging event spanning-tree status

 shutdown

 rmon collection stats 6055 owner monitor

 spanning-tree portfast edge trunk

interface GigabitEthernet5/1

 description <<** to mgmt net **>>

 switchport

 switchport access vlan 146

 switchport mode access

 logging event link-status

 logging event spanning-tree status

 udld port

 rmon collection stats 6056 owner monitor

interface GigabitEthernet5/2

 no ip address

 rmon collection stats 6057 owner monitor

interface GigabitEthernet5/3

 description To Mgmt Net

 no ip address

 speed 1000

 duplex full

 rmon collection stats 6058 owner monitor

interface TenGigabitEthernet5/4

 no ip address

 rmon collection stats 6059 owner monitor

interface TenGigabitEthernet5/5

 no ip address

 rmon collection stats 6060 owner monitor

interface Vlan191

 ip address 10.8.191.191 255.255.255.0

 ntp broadcast

interface Vlan1

 no ip address

 shutdown

interface Vlan146

 ip address x.26.147.209 255.255.254.0

 ip access-group 133 in

 ip access-group 134 out

 ip flow ingress

interface Vlan3001

 mtu 9216

 ip address 10.8.33.4 255.255.255.0

 load-interval 30

ip classless

ip route 0.0.0.0 0.0.0.0 x.26.146.1

ip route 10.8.0.0 255.255.0.0 10.8.33.2

ip route 10.8.0.0 255.255.0.0 10.8.33.3

ip flow-export destination x.26.147.230 3000

ip http server

ip http authentication local

no ip http secure-server

ip http path disk0:

ip tacacs source-interface Vlan146

ip access-list extended coppacl-monitoring

 remark CoPP monitoring traffic class

 permit icmp any any ttl-exceeded

 permit icmp any any port-unreachable

 permit icmp any any echo-reply

 permit icmp any any echo

ip access-list extended dma

 permit ip any host 10.8.180.153

kron occurrence daily-config-backup at 0:05 recurring

 policy-list backup-config

kron policy-list backup-config

 cli write memory

logging trap critical

logging source-interface GigabitEthernet5/3

logging x.26.191.94

access-list 10 permit x.26.191.92

access-list 10 remark a 100-second quiet period if 5 failed login attempts is exceeded

access-list 111 remark ACL for SSH

access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22

access-list 111 deny   ip any any log-input

access-list 112 remark ACL for last resort access

access-list 112 permit tcp host x.26.191.92 any eq 22

access-list 112 deny   ip any any log-input

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 ttl-exceeded

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 port-unreachable

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 echo-reply

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.209 echo

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.147.209 established

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.209 eq tacacs

access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.147.209 eq ntp

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.209 eq 22

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.147.209 gt 1023 
established

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.147.209 gt 1023

access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.209 gt 1023 
established

access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.209 gt 1023

access-list 134 permit ip host x.26.147.209 x.26.0.0 0.0.255.255

access-list 134 deny   ip any any log

snmp-server engineID local 8000000903000021D72AC000

snmp-server enable traps cpu threshold

snmp-server host x.26.191.94 public  cpu

tacacs-server host x.26.191.94 single-connection key 7 01100F175804575D72

tacacs-server directed-request

control-plane

 service-policy input copp-policy

dial-peer cor custom

banner login ^C

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.

All activities performed on this device are logged and monitored.

^C

line con 0

 login authentication authen-exec-list

line vty 0 3

 exec-timeout 180 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input all

 transport output none

line vty 4

 exec-timeout 180 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input all

 transport output none

line vty 5 15

 login authentication authen-exec-list

 no exec

 transport input all

exception protocol ftp

exception dump x.26.129.252

monitor session 1 type erspan-source

 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 1 **>>

 source vlan 3001

 destination

  erspan-id 1

  ip address 10.8.33.4

monitor session 2 type erspan-source

 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 2 **>>

 source vlan 3001

 destination

  erspan-id 2

  ip address 10.8.33.4

monitor session 3 type erspan-destination

 description <** N1k ERSPAN to NAM - originating from dcesx4n1  **>>

 destination analysis-module 9 data-port 2

 source

  erspan-id 1

  ip address 10.8.33.4

monitor session 4 type erspan-destination

 description <** N1k ERSPAN to IDS-1 - originating from dcesx4n1  **>>

 destination interface Gi3/26

 source

  erspan-id 2

  ip address 10.8.33.4

process cpu threshold type total rising 80 interval 5 falling 20 interval 5

process cpu statistics limit entry-percentage 40 size 300

ntp clock-period 17179890

ntp server x.26.146.1

mac-address-table aging-time 480

end

dca-newSS1#

Service Switch 2

dca-newSS2>en

Password:

dca-newSS2#sh run

Building configuration...

Current configuration : 18580 bytes

! Last configuration change at 12:08:19 EST Wed Mar 25 2009 by chris

! NVRAM config last updated at 00:05:29 EST Thu May 14 2009

upgrade fpd auto

version 12.2

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service counters max age 5

hostname dca-newSS2

boot-start-marker

boot system flash bootflash:s72033-adventerprisek9_wan-mz.122-33.SXI.bin

boot-end-marker

enable secret 5 <encrypted password>

username admin privilege 15 secret 5 <encrypted password>

aaa new-model

aaa group server tacacs+ tacacs-group

 server x.26.191.94

aaa authentication login authen-exec-list group tacacs-group local-case

aaa authentication enable default group tacacs-group enable

aaa authorization exec author-exec-list group tacacs-group if-authenticated

aaa authorization commands 15 author-15-list group tacacs-group none

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs-group

aaa accounting commands 15 default start-stop group tacacs-group

aaa accounting system default start-stop group tacacs-group

aaa session-id common

clock timezone EST -5

clock summer-time EST recurring

svclc autostate

svclc multiple-vlan-interfaces

svclc module 7 vlan-group 1

svclc module 8 vlan-group 1,2,150,160,190,999

svclc vlan-group 1  146

svclc vlan-group 2  170

svclc vlan-group 150  152,153

svclc vlan-group 160  162,163

svclc vlan-group 190  190,191

svclc vlan-group 999  999

firewall autostate

firewall multiple-vlan-interfaces

firewall module 7 vlan-group 1

analysis module 9 management-port access-vlan 146

ip subnet-zero

no ip source-route

ip ftp source-interface GigabitEthernet5/3

ip ftp username anonymous

ip ftp password 7 <encrypted password>

no ip bootp server

ip ssh authentication-retries 2

ip ssh version 2

no ip domain-lookup

ip domain-name cisco.com

ip name-server x.26.129.252

login block-for 100 attempts 5 within 50

login quiet-mode access-class 10

login on-failure log

vtp mode transparent

mls ip slb purge global

mls netflow interface

no mls flow ip

no mls flow ipv6

mls cef error action reset

archive

 path ftp://test:test@x.26.129.252/NexusDCPhase1/$h-$t

 write-memory

memory reserve critical 1000

memory free low-watermark processor 91492

memory free low-watermark IO 6710

spanning-tree mode rapid-pvst

spanning-tree portfast network default

spanning-tree extend system-id

spanning-tree pathcost method long

spanning-tree vlan 153 priority 24576

spanning-tree vlan 163,170-172,191,999 priority 28672

diagnostic bootup level minimal

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric timer 15

fabric switching-mode allow truncated threshold 1

fabric switching-mode allow truncated

port-channel hash-distribution adaptive

redundancy

 main-cpu

  auto-sync running-config

 mode sso

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

vlan 146

 name flash

vlan 152-153,162-164,170-172

vlan 190

 name waf

vlan 191

 name waas

vlan 999

vlan 3001

 name erspan

interface Port-channel32

 switchport

 switchport access vlan 191

 switchport mode access

 logging event link-status

 spanning-tree portfast edge

interface Port-channel2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 switchport nonegotiate

 mtu 9216

interface Port-channel99

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 170-172

 switchport mode trunk

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 spanning-tree portfast network

interface GigabitEthernet3/23

 description <<** G3/23 to dca-wae2 G1/0 **>>

 switchport

 switchport access vlan 191

 switchport mode access

 logging event link-status

 spanning-tree portfast edge

 channel-group 32 mode on

interface GigabitEthernet3/24

 description <<** G3/24 to dc-wae1 G2/0 **>>

 switchport

 switchport access vlan 191

 switchport mode access

 logging event link-status

 spanning-tree portfast edge

 channel-group 32 mode on

interface TenGigabitEthernet1/1

 description <<** T1/1 to dca-n7k1-vdc2 **>>

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 152,153,162-164,191,999,3001

 switchport mode trunk

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6000 owner monitor

 spanning-tree portfast network

interface TenGigabitEthernet1/2

 description <<** T1/2 to dca-n7k2-vdc2 **>>

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 152,153,162-164,191,999,3001

 switchport mode trunk

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6001 owner monitor

 spanning-tree portfast network

interface TenGigabitEthernet1/3

 description to ips2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 switchport nonegotiate

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6002 owner monitor

 channel-group 2 mode on

interface TenGigabitEthernet1/4

 description to ips1 7/0

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 163,164

 switchport mode trunk

 switchport nonegotiate

 mtu 9216

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 shutdown

 rmon collection stats 6003 owner monitor

 channel-group 2 mode on

interface TenGigabitEthernet1/5

 no ip address

 rmon collection stats 6004 owner monitor

interface TenGigabitEthernet1/6

 no ip address

 rmon collection stats 6005 owner monitor

interface TenGigabitEthernet1/7

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 170-172

 switchport mode trunk

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6006 owner monitor

 spanning-tree portfast network

 channel-protocol lacp

 channel-group 99 mode active

interface TenGigabitEthernet1/8

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 170-172

 switchport mode trunk

 logging event link-status

 logging event trunk-status

 logging event bundle-status

 logging event spanning-tree status

 rmon collection stats 6007 owner monitor

 spanning-tree portfast network

 channel-protocol lacp

 channel-group 99 mode active

interface GigabitEthernet3/1

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6008 owner monitor

interface GigabitEthernet3/2

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6009 owner monitor

interface GigabitEthernet3/3

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6010 owner monitor

interface GigabitEthernet3/4

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6011 owner monitor

interface GigabitEthernet3/5

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6012 owner monitor

interface GigabitEthernet3/6

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6013 owner monitor

interface GigabitEthernet3/7

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6014 owner monitor

interface GigabitEthernet3/8

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6015 owner monitor

interface GigabitEthernet3/9

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6016 owner monitor

interface GigabitEthernet3/10

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6017 owner monitor

interface GigabitEthernet3/11

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6018 owner monitor

interface GigabitEthernet3/12

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6019 owner monitor

interface GigabitEthernet3/13

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6020 owner monitor

interface GigabitEthernet3/14

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6021 owner monitor

interface GigabitEthernet3/15

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6022 owner monitor

interface GigabitEthernet3/16

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6023 owner monitor

interface GigabitEthernet3/17

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6024 owner monitor

interface GigabitEthernet3/18

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6025 owner monitor

interface GigabitEthernet3/19

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6026 owner monitor

interface GigabitEthernet3/20

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6027 owner monitor

interface GigabitEthernet3/21

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6028 owner monitor

interface GigabitEthernet3/22

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6029 owner monitor

interface GigabitEthernet3/25

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6032 owner monitor

interface GigabitEthernet3/26

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6033 owner monitor

interface GigabitEthernet3/27

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6034 owner monitor

interface GigabitEthernet3/28

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6035 owner monitor

interface GigabitEthernet3/29

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6036 owner monitor

interface GigabitEthernet3/30

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6037 owner monitor

interface GigabitEthernet3/31

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6038 owner monitor

interface GigabitEthernet3/32

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6039 owner monitor

interface GigabitEthernet3/33

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6040 owner monitor

interface GigabitEthernet3/34

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6041 owner monitor

interface GigabitEthernet3/35

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6042 owner monitor

interface GigabitEthernet3/36

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6043 owner monitor

interface GigabitEthernet3/37

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6044 owner monitor

interface GigabitEthernet3/38

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6045 owner monitor

interface GigabitEthernet3/39

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6046 owner monitor

interface GigabitEthernet3/40

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6047 owner monitor

interface GigabitEthernet3/41

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6048 owner monitor

interface GigabitEthernet3/42

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6049 owner monitor

interface GigabitEthernet3/43

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6050 owner monitor

interface GigabitEthernet3/44

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6051 owner monitor

interface GigabitEthernet3/45

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6052 owner monitor

interface GigabitEthernet3/46

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6053 owner monitor

interface GigabitEthernet3/47

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6054 owner monitor

interface GigabitEthernet3/48

 no ip address

 no ip redirects

 no ip proxy-arp

 rmon collection stats 6055 owner monitor

interface GigabitEthernet5/1

 no ip address

 shutdown

 rmon collection stats 6056 owner monitor

interface GigabitEthernet5/2

 no ip address

 shutdown

 rmon collection stats 6057 owner monitor

interface GigabitEthernet5/3

 switchport

 switchport access vlan 146

 switchport mode access

 speed 1000

 duplex full

 rmon collection stats 6058 owner monitor

interface TenGigabitEthernet5/4

 no ip address

 shutdown

 rmon collection stats 6059 owner monitor

interface TenGigabitEthernet5/5

 no ip address

 shutdown

 rmon collection stats 6060 owner monitor

interface Vlan1

 no ip address

 shutdown

interface Vlan146

 ip address x.26.147.210 255.255.254.0

 ip access-group 133 in

 ip access-group 134 out

interface Vlan3001

 mtu 9216

 ip address 10.8.33.5 255.255.255.0

ip classless

ip route 0.0.0.0 0.0.0.0 x.26.146.1

ip route 10.8.0.0 255.255.0.0 10.8.33.2

ip route 10.8.0.0 255.255.0.0 10.8.33.3

no ip http server

no ip http secure-server

ip tacacs source-interface GigabitEthernet5/3

ip access-list extended coppacl-filemanagement

 remark CoPP File transfer traffic class

 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.146.210 gt 1023 established

 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.146.210 gt 1023

 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.210 gt 1023 established

 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.146.210 gt 1023

ip access-list extended coppacl-management

 remark CoPP management traffic class

 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.146.210 established

 permit tcp x.26.0.0 0.0.255.255 host x.26.146.210 eq 22

 permit tcp x.26.0.0 0.0.255.255 host x.26.146.210 eq telnet

 permit udp x.26.0.0 0.0.255.255 host x.26.146.210 eq snmp

 permit udp x.26.0.0 0.0.255.255 host x.26.146.210 eq ntp

kron occurrence daily-config-backup at 0:05 recurring

 policy-list backup-config

kron policy-list backup-config

 cli write memory

logging trap critical

logging source-interface GigabitEthernet5/3

logging x.26.191.94

access-list 10 permit x.26.191.92

access-list 10 remark a 100-second quiet period if 5 failed login attempts is exceeded

access-list 111 remark ACL for SSH

access-list 111 permit tcp x.26.0.0 0.0.255.255 any eq 22

access-list 111 deny   ip any any log-input

access-list 112 remark ACL for last resort access

access-list 112 permit tcp host x.26.191.92 any eq 22

access-list 112 deny   ip any any log-input

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 ttl-exceeded

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 port-unreachable

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 echo-reply

access-list 133 permit icmp x.26.0.0 0.0.255.255 host x.26.147.210 echo

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq tacacs host x.26.147.210 established

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.210 eq tacacs

access-list 133 permit udp x.26.0.0 0.0.255.255 host x.26.147.210 eq ntp

access-list 133 permit tcp x.26.0.0 0.0.255.255 host x.26.147.210 eq 22

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp host x.26.147.210 gt 1023 
established

access-list 133 permit tcp x.26.0.0 0.0.255.255 eq ftp-data host x.26.147.210 gt 1023

access-list 133 permit tcp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.210 gt 1023 
established

access-list 133 permit udp x.26.0.0 0.0.255.255 gt 1023 host x.26.147.210 gt 1023

access-list 134 permit ip host x.26.147.210 x.26.0.0 0.0.255.255

access-list 134 deny   ip any any log

snmp-server engineID local 8000000903000021D72C4400

snmp-server enable traps cpu threshold

snmp-server host x.26.191.94 public  cpu

tacacs-server host x.26.191.94 single-connection key 7 104D000A061843595F

tacacs-server directed-request

control-plane

dial-peer cor custom

banner login ^C UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.

All activities performed on this device are logged and monitored.

^C

line con 0

 login authentication authen-exec-list

line vty 0 3

 access-class 111 in

 exec-timeout 0 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input ssh

 transport output none

line vty 4

 access-class 112 in

 exec-timeout 0 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 exec-timeout 0 0

 transport input lat pad udptn telnet rlogin ssh

exception protocol ftp

exception dump x.26.129.252

monitor session 1 type erspan-source

 shutdown

 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 1 **>>

 source vlan 3001

 destination

  erspan-id 1

  ip address 10.8.33.5

  origin ip address 10.8.3.100

monitor session 2 type erspan-source

 shutdown

 description <** N1k ERSPAN - originating from dcesx4n1 monitor session 2 **>>

 source vlan 3001

 destination

  erspan-id 2

  ip address 10.8.33.5

  origin ip address 10.8.3.100

monitor session 3 type erspan-destination

 shutdown

 description <** N1k ERSPAN to NAM - originating from dcesx4n1  **>>

 destination analysis-module 9 data-port 2

 source

  erspan-id 1

  ip address 10.8.33.5

monitor session 4 type erspan-destination

 shutdown

 description <** N1k ERSPAN to IDS-1 - originating from dcesx4n1  **>>

 destination interface Gi3/26

 source

  erspan-id 2

  ip address 10.8.33.5

process cpu threshold type total rising 80 interval 5 falling 20 interval 5

process cpu statistics limit entry-percentage 40 size 300

ntp clock-period 17179808

ntp server x.26.129.252

mac-address-table aging-time 480

end

Services Layer ACE

ACE 1

switch/Admin# sh run

Generating configuration....

logging enable

logging standby

logging timestamp

logging buffered 5

login timeout 0

boot system image:c6ace-t1k9-mz.A2_2_0.bin

resource-class dc-gold

  limit-resource all minimum 0.00 maximum unlimited

  limit-resource sticky minimum 10.00 maximum unlimited

clock timezone standard EST

clock summer-time standard EDT

access-list IPANYANY line 8 extended permit ip any any

access-list IPANYANY line 16 extended permit icmp any any

access-list ipanyany line 8 extended permit ip any any

probe icmp ICMPProbe

  description Ping probe

class-map type management match-any MANAGEMENT

  3 match protocol snmp any

  4 match protocol telnet any

  5 match protocol ssh any

  6 match protocol icmp any

  7 match protocol https any

  8 match protocol http any

class-map type management match-all class-Query

  2 match protocol icmp source-address 10.8.99.0 255.255.255.0

policy-map type management first-match MANAGEMENT

  class MANAGEMENT

    permit

policy-map type management first-match QUERY

  class class-Query

    permit

interface vlan 146

  ip address x.26.146.140 255.255.254.0

  peer ip address x.26.146.141 255.255.254.0

  service-policy input MANAGEMENT

  no shutdown

ft interface vlan 170

  ip address 10.8.170.1 255.255.255.0

  peer ip address 10.8.170.2 255.255.255.0

  no shutdown

ft peer 1

  heartbeat interval 100

  heartbeat count 10

  ft-interface vlan 170

ip route 0.0.0.0 0.0.0.0 x.26.146.1

ip route x.26.129.252 255.255.255.255 x.26.146.1

context dca-ace-one

  description ** ACE Transparent Mode - **

  allocate-interface vlan 146

  allocate-interface vlan 162-163

  allocate-interface vlan 190-191

  member dc-gold

context dca-ace-two

  description ** 2nd ACE Transp. context **

  allocate-interface vlan 146

  allocate-interface vlan 152-153

snmp-server contact "ANM"

snmp-server location "ANM"

snmp-server community public group Network-Monitor

ft group 1

  peer 1

  priority 150

  peer priority 50

ft group 2

  peer 1

  priority 150

  peer priority 50

  associate-context dca-ace-one

  inservice

ft group 3

  peer 1

  priority 50

  peer priority 150

  associate-context dca-ace-two

  inservice

username admin password 5 <encrypted password>.  role Admin domain default-domain

username www password 5 <encrypted password>  role Admin domain default-domain

switch/Admin#

switch/Admin# changeto dca-ace-one

switch/dca-ace-one# sh run

Generating configuration....

logging enable

logging standby

logging timestamp

logging buffered 5

switch-mode

crypto csr-params CSR_PARAMS_1

  country US

  state North Carolina

  locality RTP

  organization-name ESE

  organization-unit BANK VAULT

  common-name crackme.com

crypto csr-params CSR_ORACLE12i

  country US

  state North Carolina

  locality RTP

  organization-name ESE

  organization-unit OracleApps

  common-name oapp.eselab.com

access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any

access-list ALLOW_TRAFFIC line 16 extended permit ospf any any

access-list ALLOW_TRAFFIC line 48 extended permit ip any any

access-list test line 2 extended permit tcp 10.7.53.0 255.255.255.0 any

access-list test line 3 extended permit tcp any 10.7.53.0 255.255.255.0

probe http 12i

  description probes Oracle front end

  port 8000

  interval 5

  passdetect interval 5

  passdetect count 5

  expect status 200 200

probe http CRACKME

  port 81

  interval 2

  passdetect interval 5

  request method get url /Kelev/view/home.php

  expect status 200 200

probe icmp TrackHostProbe

  description this is a ping probe

  interval 2

  faildetect 1

  passdetect interval 2

  passdetect count 1

  receive 1

probe http UBER

  port 8081

  interval 2

  passdetect interval 5

  request method get url /Kelev/view/home.php

  expect status 200 200

parameter-map type http PERSIST

  persistence-rebalance

parameter-map type http cookiesecurity

  case-insensitive

  header modify per-request

  set header-maxparse-length 65535

parameter-map type ssl test

  session-cache timeout 1800

  version TLS1

action-list type modify http HTTPONLY

  header rewrite response Set-Cookie header-value "(.*)*secure*(.*)*" replace "%1secure; 
HTTPOnly;"

rserver redirect OAPP-Redirect

  description Oracle Login Redirection

  webhost-redirection https://oapp.eselab.com/OA_HTML/AppsLocalLogin.jsp

  inservice

rserver host dc-wae1

  ip address 10.8.191.101

  inservice

rserver host dc-wae2

  ip address 10.8.191.102

  inservice

rserver host ix_server800

  ip address 10.8.180.100

  inservice

rserver host ix_server801

  ip address 10.8.180.101

  inservice

rserver host ix_server802

  ip address 10.8.180.102

  inservice

rserver host ix_server803

  ip address 10.8.180.103

  inservice

rserver host ix_server804

  ip address 10.8.180.104

  inservice

rserver host ix_server805

  ip address 10.8.180.105

  inservice

rserver host ix_server806

  ip address 10.8.180.106

  inservice

rserver host ix_server807

  ip address 10.8.180.107

  inservice

rserver host ix_server808

  ip address 10.8.180.108

  inservice

rserver host ix_server809

  ip address 10.8.180.109

  inservice

rserver host oelnode1

  ip address 10.8.180.250

  inservice

rserver host oelnode2

  ip address 10.8.180.252

  inservice

rserver host oelnode3

  ip address 10.8.180.253

  inservice

rserver host tbox1

  ip address 10.8.180.8

  inservice

rserver host uber0

  ip address 10.8.180.230

  inservice

rserver host uber1

  description USING 10.8.141.231 IP ADDRESS

  ip address 10.8.180.231

rserver host uber2

  ip address 10.8.180.232

rserver host uber3

  ip address 10.8.180.233

rserver host uber4

  ip address 10.8.180.234

rserver host uber5

  ip address 10.8.180.235

rserver host waf1

  ip address 10.8.190.210

  inservice

rserver host waf2

  ip address 10.8.190.211

  inservice

rserver host websrv1

  ip address 10.8.180.153

  inservice

ssl-proxy service SSL_OAPP

  key oappkey

  cert oapp-cert.pem

ssl-proxy service SSL_PSERVICE_CRACKME

  key my2048RSAkey.PEM

  cert crackme-cert.pem

serverfarm redirect sf-oapp-redirect

  rserver OAPP-Redirect

    inservice

serverfarm host sf_180

  rserver ix_server800

    inservice

  rserver ix_server801

    inservice

  rserver ix_server802

    inservice

  rserver ix_server803

    inservice

  rserver ix_server804

    inservice

  rserver ix_server805

    inservice

  rserver ix_server806

    inservice

  rserver ix_server807

    inservice

  rserver ix_server808

    inservice

  rserver ix_server809

    inservice

serverfarm host sf_bank

  rserver tbox1 8081

    inservice

  rserver uber0 8081

    inservice

  rserver uber1 8081

  rserver uber2 8081

    inservice

  rserver uber3 8081

    inservice

  rserver uber4 8081

    inservice

  rserver uber5 8081

    inservice

serverfarm host sf_books

  rserver uber0 8989

    inservice

serverfarm host sf_oapp

  predictor leastconns

  rserver oelnode1 8000

    inservice

  rserver oelnode2 8000

    inservice

  rserver oelnode3 8000

    inservice

serverfarm host sf_wae

  transparent

  predictor hash address source 255.255.255.255

  probe TrackHostProbe

  rserver dc-wae1

    inservice

  rserver dc-wae2

    inservice

serverfarm host sf_waf

  rserver waf1 81

    inservice

  rserver waf2 81

    probe TrackHostProbe

    inservice

serverfarm host sf_waf_books

  rserver waf1 82

  rserver waf2 82

    inservice

sticky http-cookie wafcookie wafstkygrp

  cookie insert

  replicate sticky

  serverfarm sf_waf

sticky http-cookie bankcookie bnkstygrp

  cookie insert

  replicate sticky

  serverfarm sf_bank

sticky http-cookie oracookie oapp-stkygrp

  cookie insert

  timeout 720

  replicate sticky

  serverfarm sf_oapp

class-map type management match-any ANMManagement

  201 match protocol snmp any

  202 match protocol http any

  203 match protocol https any

  204 match protocol icmp any

  205 match protocol ssh any

  206 match protocol telnet any

class-map match-all ANY_TCP

  2 match virtual-address 0.0.0.0 0.0.0.0 tcp any

class-map match-all L4_HTTPS_VIP_ADDRESS

  2 match virtual-address 10.8.162.200 tcp eq https

class-map match-all L4_HTTP_VIP_ADDRESS

  2 match virtual-address 10.8.162.200 tcp eq www

class-map match-all L4_OAPP_VIP

  2 match virtual-address 10.8.162.250 tcp any

class-map match-all OELNODES

  2 match source-address 10.8.180.0 255.255.255.0

class-map match-all VIP_180

  description *VIP for VLAN 180*

  2 match virtual-address 10.8.162.100 any

class-map match-all cm-acl-tcp

  2 match access-list test

policy-map type management first-match ANMManagement

  class ANMManagement

    permit

policy-map type loadbalance first-match pm-forward

  class class-default

    forward

policy-map type loadbalance http first-match pm-oapp

  class class-default

    sticky-serverfarm oapp-stkygrp

    action HTTPONLY

    insert-http ACEForwarded header-value "%is"

policy-map type loadbalance first-match pm-slb

  class class-default

    serverfarm sf_180

policy-map type loadbalance first-match pm-waas

  class class-default

    serverfarm sf_wae

policy-map type loadbalance http first-match pm-waf

  class class-default

    sticky-serverfarm wafstkygrp

    insert-http ACEForwarded header-value "%is"

policy-map type loadbalance http first-match pm-waf2

  class class-default

    serverfarm sf_waf_books

policy-map type loadbalance first-match pm-webbank

  class class-default

    sticky-serverfarm bnkstygrp

policy-map type loadbalance first-match pm_books

  class class-default

    serverfarm sf_books

policy-map multi-match L4_LB_VIP_HTTP_POLICY

  class L4_HTTP_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-webbank

    loadbalance vip icmp-reply

policy-map multi-match LB_WAAS_POLICY

  class ANY_TCP

    loadbalance vip inservice

    loadbalance policy pm-waas

    loadbalance vip icmp-reply

  class L4_HTTP_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-waas

  class L4_OAPP_VIP

    loadbalance vip inservice

    loadbalance policy pm-waas

    loadbalance vip icmp-reply

policy-map multi-match aggregate-slb-policy

  class VIP_180

    loadbalance vip inservice

    loadbalance policy pm-slb

    loadbalance vip icmp-reply

    loadbalance vip advertise active

  class L4_HTTP_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-waf

    loadbalance vip icmp-reply

  class L4_HTTPS_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-waf

    loadbalance vip icmp-reply

    ssl-proxy server SSL_PSERVICE_CRACKME

  class L4_OAPP_VIP

    loadbalance vip inservice

    loadbalance policy pm-oapp

    loadbalance vip icmp-reply

    appl-parameter http advanced-options cookiesecurity

    ssl-proxy server SSL_OAPP

  class ANY_TCP

    loadbalance vip inservice

    loadbalance policy pm-forward

interface vlan 146

  ip address x.26.146.142 255.255.254.0

  peer ip address x.26.146.143 255.255.254.0

  service-policy input ANMManagement

  no shutdown

interface vlan 162

  description ** North Side facing FWSM **

  bridge-group 161

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  service-policy input LB_WAAS_POLICY

  no shutdown

interface vlan 163

  description ** South Side facing Servers **

  bridge-group 161

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  no shutdown

interface vlan 190

  ip address 10.8.190.2 255.255.255.0

  alias 10.8.190.1 255.255.255.0

  peer ip address 10.8.190.3 255.255.255.0

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input ALLOW_TRAFFIC

  service-policy input L4_LB_VIP_HTTP_POLICY

  service-policy input LB_WAAS_POLICY

  no shutdown

interface vlan 191

  description waas farm vlan 191

  ip address 10.8.191.2 255.255.255.0

  alias 10.8.191.1 255.255.255.0

  peer ip address 10.8.191.3 255.255.255.0

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input ALLOW_TRAFFIC

  service-policy input aggregate-slb-policy

  no shutdown

interface bvi 161

  ip address 10.8.162.20 255.255.255.0

  alias 10.8.162.22 255.255.255.0

  peer ip address 10.8.162.21 255.255.255.0

  no shutdown

ft track interface  TrackVlan163

  track-interface vlan 163

  peer track-interface vlan 163

  priority 150

  peer priority 50

ip route 0.0.0.0 0.0.0.0 10.8.162.1

ip route 10.8.180.0 255.255.255.0 10.8.162.7

snmp-server contact "ANM"

snmp-server location "ANM"

snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146

switch/dca-ace-two# sh run

Generating configuration....

logging enable

logging standby

logging timestamp

logging buffered 5

access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any

access-list ALLOW_TRAFFIC line 16 extended permit ospf any any

access-list ALLOW_TRAFFIC line 48 extended permit ip any any

probe icmp TrackHostProbe

  description this is a ping probe

  interval 2

  faildetect 1

  passdetect interval 2

  passdetect count 1

  receive 1

rserver host ix_server810

  ip address 10.8.181.100

  inservice

rserver host ix_server811

  ip address 10.8.181.101

  inservice

rserver host ix_server812

  ip address 10.8.181.102

  inservice

rserver host ix_server813

  ip address 10.8.181.103

  inservice

rserver host ix_server814

  ip address 10.8.181.104

  inservice

rserver host ix_server815

  ip address 10.8.181.105

  inservice

rserver host ix_server816

  ip address 10.8.181.106

  inservice

rserver host ix_server817

  ip address 10.8.181.107

  inservice

rserver host ix_server818

  ip address 10.8.181.108

  inservice

rserver host ix_server819

  ip address 10.8.181.109

  inservice

serverfarm host sf_181

  probe TrackHostProbe

  rserver ix_server810

    inservice

  rserver ix_server811

    inservice

  rserver ix_server812

    inservice

  rserver ix_server813

    inservice

  rserver ix_server814

    inservice

  rserver ix_server815

    inservice

  rserver ix_server816

    inservice

  rserver ix_server817

    inservice

  rserver ix_server818

    inservice

  rserver ix_server819

    inservice

class-map type management match-any ANMManagement

  201 match protocol snmp any

  202 match protocol http any

  203 match protocol https any

  204 match protocol icmp any

  205 match protocol ssh any

  206 match protocol telnet any

class-map match-all VIP_181

  description *VIP for VLAN 181*

  2 match virtual-address 10.8.152.100 any

policy-map type management first-match ANMManagement

  class ANMManagement

    permit

policy-map type loadbalance first-match pm-slb1

  class class-default

    serverfarm sf_181

policy-map multi-match aggregate-slb-policy

  class VIP_181

    loadbalance vip inservice

    loadbalance policy pm-slb1

    loadbalance vip icmp-reply

    loadbalance vip advertise active

interface vlan 146

  ip address x.26.146.252 255.255.254.0

  peer ip address x.26.146.253 255.255.254.0

  service-policy input ANMManagement

  no shutdown

interface vlan 152

  description ** North Side facing FWSM2 **

  bridge-group 151

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  service-policy input aggregate-slb-policy

  no shutdown

interface vlan 153

  description ** South Side facing Servers2 **

  bridge-group 151

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  no shutdown

interface bvi 151

  ip address 10.8.152.20 255.255.255.0

  alias 10.8.152.22 255.255.255.0

  peer ip address 10.8.152.21 255.255.255.0

  no shutdown

ft track interface  TrackVlan153

  track-interface vlan 153

  peer track-interface vlan 153

  priority 150

  peer priority 50

ip route 10.8.181.0 255.255.255.0 10.8.152.7

ip route 0.0.0.0 0.0.0.0 10.8.152.1

snmp-server contact "ANM"

snmp-server location "ANM"

snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146

ACE 2

switch/Admin# sh run

Generating configuration....

logging enable

logging standby

logging timestamp

logging buffered 5

boot system image:c6ace-t1k9-mz.A2_2_0.bin

resource-class dc-gold

  limit-resource all minimum 0.00 maximum unlimited

  limit-resource sticky minimum 10.00 maximum unlimited

clock timezone standard EST

clock summer-time standard EDT

access-list IPANYANY line 8 extended permit ip any any

access-list IPANYANY line 16 extended permit icmp any any

access-list ipanyany line 8 extended permit ip any any

probe icmp ICMPProbe

  description Ping probe

class-map type management match-any MANAGEMENT

  3 match protocol snmp any

  4 match protocol telnet any

  5 match protocol ssh any

  6 match protocol icmp any

  7 match protocol https any

  8 match protocol http any

class-map type management match-all class-Query

  2 match protocol icmp source-address 10.8.99.0 255.255.255.0

policy-map type management first-match MANAGEMENT

  class MANAGEMENT

    permit

policy-map type management first-match QUERY

  class class-Query

    permit

interface vlan 146

  ip address x.26.146.141 255.255.254.0

  peer ip address x.26.146.140 255.255.254.0

  service-policy input MANAGEMENT

  no shutdown

ft interface vlan 170

  ip address 10.8.170.2 255.255.255.0

  peer ip address 10.8.170.1 255.255.255.0

  no shutdown

ft peer 1

  heartbeat interval 100

  heartbeat count 10

  ft-interface vlan 170

ft group 1

  peer 1

  priority 50

  peer priority 150

  associate-context Admin

  inservice

ip route 0.0.0.0 0.0.0.0 x.26.146.1

ip route x.26.129.252 255.255.255.255 x.26.146.1

context dca-ace-one

  description ** ACE Transparent Mode - **

  allocate-interface vlan 146

  allocate-interface vlan 162-163

  allocate-interface vlan 190-191

  member dc-gold

context dca-ace-two

  description ** 2nd ACE Transp. context **

  allocate-interface vlan 146

  allocate-interface vlan 152-153

snmp-server contact "ANM"

snmp-server location "ANM"

snmp-server community public group Network-Monitor

ft group 2

  peer 1

  priority 50

  peer priority 150

  associate-context dca-ace-one

  inservice

ft group 3

  peer 1

  priority 150

  peer priority 50

  associate-context dca-ace-two

  inservice

username admin password 5 <encrypted password> .  role Admin domain default-domain

username www password 5 <encrypted password> role Admin domain default-domain

switch/Admin#

switch/dca-ace-one# sh run

Generating configuration....

logging enable

logging standby

logging timestamp

logging buffered 5

switch-mode

crypto csr-params CSR_PARAMS_1

  country US

  state North Carolina

  locality RTP

  organization-name ESE

  organization-unit BANK VAULT

  common-name crackme.com

crypto csr-params CSR_ORACLE12i

  country US

  state North Carolina

  locality RTP

  organization-name ESE

  organization-unit OracleApps

  common-name oapp.eselab.com

access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any

access-list ALLOW_TRAFFIC line 16 extended permit ospf any any

access-list ALLOW_TRAFFIC line 48 extended permit ip any any

access-list test line 2 extended permit tcp 10.7.53.0 255.255.255.0 any

access-list test line 3 extended permit tcp any 10.7.53.0 255.255.255.0

probe http 12i

  description probes Oracle front end

  port 8000

  interval 5

  passdetect interval 5

  passdetect count 5

  expect status 200 200

probe http CRACKME

  port 81

  interval 2

  passdetect interval 5

  request method get url /Kelev/view/home.php

  expect status 200 200

probe icmp TrackHostProbe

  description this is a ping probe

  interval 2

  faildetect 1

  passdetect interval 2

  passdetect count 1

  receive 1

probe http UBER

  port 8081

  interval 2

  passdetect interval 5

  request method get url /Kelev/view/home.php

  expect status 200 200

parameter-map type http PERSIST

  persistence-rebalance

parameter-map type http cookiesecurity

  case-insensitive

  header modify per-request

  set header-maxparse-length 65535

parameter-map type ssl test

  session-cache timeout 1800

  version TLS1

action-list type modify http HTTPONLY

  header rewrite response Set-Cookie header-value "(.*)*secure*(.*)*" replace "%1secure; 
HTTPOnly;"

rserver redirect OAPP-Redirect

  description Oracle Login Redirection

  webhost-redirection https://oapp.eselab.com/OA_HTML/AppsLocalLogin.jsp

  inservice

rserver host dc-wae1

  ip address 10.8.191.101

  inservice

rserver host dc-wae2

  ip address 10.8.191.102

  inservice

rserver host ix_server800

  ip address 10.8.180.100

  inservice

rserver host ix_server801

  ip address 10.8.180.101

  inservice

rserver host ix_server802

  ip address 10.8.180.102

  inservice

rserver host ix_server803

  ip address 10.8.180.103

  inservice

rserver host ix_server804

  ip address 10.8.180.104

  inservice

rserver host ix_server805

  ip address 10.8.180.105

  inservice

rserver host ix_server806

  ip address 10.8.180.106

  inservice

rserver host ix_server807

  ip address 10.8.180.107

  inservice

rserver host ix_server808

  ip address 10.8.180.108

  inservice

rserver host ix_server809

  ip address 10.8.180.109

  inservice

rserver host oelnode1

  ip address 10.8.180.250

  inservice

rserver host oelnode2

  ip address 10.8.180.252

  inservice

rserver host oelnode3

  ip address 10.8.180.253

  inservice

rserver host tbox1

  ip address 10.8.180.8

  inservice

rserver host uber0

  ip address 10.8.180.230

  inservice

rserver host uber1

  description USING 10.8.141.231 IP ADDRESS

  ip address 10.8.180.231

rserver host uber2

  ip address 10.8.180.232

rserver host uber3

  ip address 10.8.180.233

rserver host uber4

  ip address 10.8.180.234

rserver host uber5

  ip address 10.8.180.235

rserver host waf1

  ip address 10.8.190.210

  inservice

rserver host waf2

  ip address 10.8.190.211

  inservice

rserver host websrv1

  ip address 10.8.180.153

  inservice

ssl-proxy service SSL_OAPP

  key oappkey

  cert oapp-cert.pem

ssl-proxy service SSL_PSERVICE_CRACKME

  key my2048RSAkey.PEM

  cert crackme-cert.pem

serverfarm redirect sf-oapp-redirect

  rserver OAPP-Redirect

    inservice

serverfarm host sf_180

  rserver ix_server800

    inservice

  rserver ix_server801

    inservice

  rserver ix_server802

    inservice

  rserver ix_server803

    inservice

  rserver ix_server804

    inservice

  rserver ix_server805

    inservice

  rserver ix_server806

    inservice

  rserver ix_server807

    inservice

  rserver ix_server808

    inservice

  rserver ix_server809

    inservice

serverfarm host sf_bank

  rserver tbox1 8081

    inservice

  rserver uber0 8081

    inservice

  rserver uber1 8081

  rserver uber2 8081

    inservice

  rserver uber3 8081

    inservice

  rserver uber4 8081

    inservice

  rserver uber5 8081

    inservice

serverfarm host sf_books

  rserver uber0 8989

    inservice

serverfarm host sf_oapp

  predictor leastconns

  rserver oelnode1 8000

    inservice

  rserver oelnode2 8000

    inservice

  rserver oelnode3 8000

    inservice

serverfarm host sf_wae

  transparent

  predictor hash address source 255.255.255.255

  probe TrackHostProbe

  rserver dc-wae1

    inservice

  rserver dc-wae2

    inservice

serverfarm host sf_waf

  rserver waf1 81

    inservice

  rserver waf2 81

    probe TrackHostProbe

    inservice

serverfarm host sf_waf_books

  rserver waf1 82

  rserver waf2 82

    inservice

sticky http-cookie wafcookie wafstkygrp

  cookie insert

  replicate sticky

  serverfarm sf_waf

sticky http-cookie bankcookie bnkstygrp

  cookie insert

  replicate sticky

  serverfarm sf_bank

sticky http-cookie oracookie oapp-stkygrp

  cookie insert

  timeout 720

  replicate sticky

  serverfarm sf_oapp

class-map type management match-any ANMManagement

  201 match protocol snmp any

  202 match protocol http any

  203 match protocol https any

  204 match protocol icmp any

  205 match protocol ssh any

  206 match protocol telnet any

class-map match-all ANY_TCP

  2 match virtual-address 0.0.0.0 0.0.0.0 tcp any

class-map match-all L4_HTTPS_VIP_ADDRESS

  2 match virtual-address 10.8.162.200 tcp eq https

class-map match-all L4_HTTP_VIP_ADDRESS

  2 match virtual-address 10.8.162.200 tcp eq www

class-map match-all L4_OAPP_VIP

  2 match virtual-address 10.8.162.250 tcp any

class-map match-all OELNODES

  2 match source-address 10.8.180.0 255.255.255.0

class-map match-all VIP_180

  description *VIP for VLAN 180*

  2 match virtual-address 10.8.162.100 any

class-map match-all cm-acl-tcp

  2 match access-list test

policy-map type management first-match ANMManagement

  class ANMManagement

    permit

policy-map type loadbalance first-match pm-forward

  class class-default

    forward

policy-map type loadbalance http first-match pm-oapp

  class class-default

    sticky-serverfarm oapp-stkygrp

    action HTTPONLY

    insert-http ACEForwarded header-value "%is"

policy-map type loadbalance first-match pm-slb

  class class-default

    serverfarm sf_180

policy-map type loadbalance first-match pm-waas

  class class-default

    serverfarm sf_wae

policy-map type loadbalance http first-match pm-waf

  class class-default

    sticky-serverfarm wafstkygrp

    insert-http ACEForwarded header-value "%is"

policy-map type loadbalance http first-match pm-waf2

  class class-default

    serverfarm sf_waf_books

policy-map type loadbalance first-match pm-webbank

  class class-default

    sticky-serverfarm bnkstygrp

policy-map type loadbalance first-match pm_books

  class class-default

    serverfarm sf_books

policy-map multi-match L4_LB_VIP_HTTP_POLICY

  class L4_HTTP_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-webbank

    loadbalance vip icmp-reply

policy-map multi-match LB_WAAS_POLICY

  class ANY_TCP

    loadbalance vip inservice

    loadbalance policy pm-waas

    loadbalance vip icmp-reply

  class L4_HTTP_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-waas

  class L4_OAPP_VIP

    loadbalance vip inservice

    loadbalance policy pm-waas

    loadbalance vip icmp-reply

policy-map multi-match aggregate-slb-policy

  class VIP_180

    loadbalance vip inservice

    loadbalance policy pm-slb

    loadbalance vip icmp-reply

    loadbalance vip advertise active

  class L4_HTTP_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-waf

    loadbalance vip icmp-reply

  class L4_HTTPS_VIP_ADDRESS

    loadbalance vip inservice

    loadbalance policy pm-waf

    loadbalance vip icmp-reply

    ssl-proxy server SSL_PSERVICE_CRACKME

  class L4_OAPP_VIP

    loadbalance vip inservice

    loadbalance policy pm-oapp

    loadbalance vip icmp-reply

    appl-parameter http advanced-options cookiesecurity

    ssl-proxy server SSL_OAPP

  class ANY_TCP

    loadbalance vip inservice

    loadbalance policy pm-forward

interface vlan 146

  ip address x.26.146.143 255.255.254.0

  peer ip address x.26.146.142 255.255.254.0

  service-policy input ANMManagement

  no shutdown

interface vlan 162

  description ** North Side facing FWSM **

  bridge-group 161

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  service-policy input LB_WAAS_POLICY

  no shutdown

interface vlan 163

  description ** South Side facing Servers **

  bridge-group 161

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  no shutdown

interface vlan 190

  ip address 10.8.190.3 255.255.255.0

  alias 10.8.190.1 255.255.255.0

  peer ip address 10.8.190.2 255.255.255.0

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input ALLOW_TRAFFIC

  service-policy input L4_LB_VIP_HTTP_POLICY

  service-policy input LB_WAAS_POLICY

  no shutdown

interface vlan 191

  description waas farm vlan 191

  ip address 10.8.191.3 255.255.255.0

  alias 10.8.191.1 255.255.255.0

  peer ip address 10.8.191.2 255.255.255.0

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input ALLOW_TRAFFIC

  service-policy input aggregate-slb-policy

  no shutdown

interface bvi 161

  ip address 10.8.162.21 255.255.255.0

  alias 10.8.162.22 255.255.255.0

  peer ip address 10.8.162.20 255.255.255.0

  no shutdown

ft track interface  TrackVlan163

  track-interface vlan 163

  peer track-interface vlan 163

  priority 50

  peer priority 150

ip route 0.0.0.0 0.0.0.0 10.8.162.1

ip route 10.8.180.0 255.255.255.0 10.8.162.7

snmp-server contact "ANM"

snmp-server location "ANM"

snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146

switch/dca-ace-two# sh run

Generating configuration....

logging enable

logging standby

logging timestamp

logging buffered 5

access-list BPDU ethertype permit bpdu

access-list ALLOW_TRAFFIC line 8 extended permit icmp any any

access-list ALLOW_TRAFFIC line 16 extended permit ospf any any

access-list ALLOW_TRAFFIC line 48 extended permit ip any any

probe icmp TrackHostProbe

  description this is a ping probe

  interval 2

  faildetect 1

  passdetect interval 2

  passdetect count 1

  receive 1

rserver host ix_server810

  ip address 10.8.181.100

  inservice

rserver host ix_server811

  ip address 10.8.181.101

  inservice

rserver host ix_server812

  ip address 10.8.181.102

  inservice

rserver host ix_server813

  ip address 10.8.181.103

  inservice

rserver host ix_server814

  ip address 10.8.181.104

  inservice

rserver host ix_server815

  ip address 10.8.181.105

  inservice

rserver host ix_server816

  ip address 10.8.181.106

  inservice

rserver host ix_server817

  ip address 10.8.181.107

  inservice

rserver host ix_server818

  ip address 10.8.181.108

  inservice

rserver host ix_server819

  ip address 10.8.181.109

  inservice

serverfarm host sf_181

  probe TrackHostProbe

  rserver ix_server810

    inservice

  rserver ix_server811

    inservice

  rserver ix_server812

    inservice

  rserver ix_server813

    inservice

  rserver ix_server814

    inservice

  rserver ix_server815

    inservice

  rserver ix_server816

    inservice

  rserver ix_server817

    inservice

  rserver ix_server818

    inservice

  rserver ix_server819

    inservice

class-map type management match-any ANMManagement

  201 match protocol snmp any

  202 match protocol http any

  203 match protocol https any

  204 match protocol icmp any

  205 match protocol ssh any

  206 match protocol telnet any

class-map match-all VIP_181

  description *VIP for VLAN 181*

  2 match virtual-address 10.8.152.100 any

policy-map type management first-match ANMManagement

  class ANMManagement

    permit

policy-map type loadbalance first-match pm-slb1

  class class-default

    serverfarm sf_181

policy-map multi-match aggregate-slb-policy

  class VIP_181

    loadbalance vip inservice

    loadbalance policy pm-slb1

    loadbalance vip icmp-reply

    loadbalance vip advertise active

interface vlan 146

  ip address x.26.146.253 255.255.254.0

  peer ip address x.26.146.252 255.255.254.0

  service-policy input ANMManagement

  no shutdown

interface vlan 152

  description ** North Side facing FWSM2 **

  bridge-group 151

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  service-policy input aggregate-slb-policy

  no shutdown

interface vlan 153

  description ** South Side facing Servers2 **

  bridge-group 151

  no normalization

  mac-sticky enable

  no icmp-guard

  access-group input BPDU

  access-group input ALLOW_TRAFFIC

  no shutdown

interface bvi 151

  ip address 10.8.152.21 255.255.255.0

  alias 10.8.152.22 255.255.255.0

  peer ip address 10.8.152.20 255.255.255.0

  no shutdown

ft track interface  TrackVlan153

  track-interface vlan 153

  peer track-interface vlan 153

  priority 50

  peer priority 150

ip route 10.8.181.0 255.255.255.0 10.8.152.7

ip route 0.0.0.0 0.0.0.0 10.8.152.1

snmp-server contact "ANM"

snmp-server location "ANM"

snmp-server community public group Network-Monitor

snmp-server trap-source vlan 146

switch/dca-ace-two#

Services Layer IPS

IPS 1

dca-ips1# sh configuration

! ------------------------------

! Current configuration last modified Thu Mar 05 14:27:20 2009

! ------------------------------

! Version 6.2(1)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S386.0   2009-03-09

!     Virus Update        V1.4     2007-03-02

! ------------------------------

service interface

physical-interfaces GigabitEthernet3/0

admin-state disabled

subinterface-type none

exit

physical-interfaces GigabitEthernet3/3

description to ss1 gig3/26

admin-state enabled

duplex auto

speed auto

default-vlan 0

alt-tcp-reset-interface none

exit

physical-interfaces TenGigabitEthernet7/0

description to ss2

admin-state disabled

duplex auto

speed auto

default-vlan 0

alt-tcp-reset-interface none

subinterface-type inline-vlan-pair

subinterface 1

description to ss2

vlan1 163

vlan2 164

exit

exit

exit

physical-interfaces TenGigabitEthernet7/1

no description

admin-state enabled

duplex auto

speed auto

default-vlan 1

alt-tcp-reset-interface none

subinterface-type inline-vlan-pair

subinterface 1

description ss1

vlan1 163

vlan2 164

exit

exit

exit

bypass-mode auto

cdp-mode forward-cdp-packets

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

overrides deny-packet-inline

override-item-status Disabled

risk-rating-range 90-100

exit

overrides log-attacker-packets

override-item-status Enabled

risk-rating-range 90-100

exit

overrides log-victim-packets

override-item-status Enabled

risk-rating-range 90-100

exit

overrides log-pair-packets

override-item-status Enabled

risk-rating-range 90-100

exit

overrides produce-alert

override-item-status Enabled

risk-rating-range 90-100

exit

overrides produce-verbose-alert

override-item-status Enabled

risk-rating-range 1-69

exit

filters edit Q00000

signature-id-range 1301

subsignature-id-range 0

attacker-address-range 10.8.162.20

victim-address-range 10.8.180.232

victim-port-range 8081

actions-to-remove log-attacker-packets|produce-alert|produce-verbose-alert

os-relevance relevant|not-relevant|unknown

exit

filters move Q00000 begin

exit

! ------------------------------

service host

network-settings

host-ip x.26.146.87/24,x.26.146.1

host-name dca-ips1

telnet-option disabled

access-list 10.0.0.0/8

access-list 64.0.0.0/8

access-list x.0.0.0/8

exit

time-zone-settings

offset -300

standard-time-zone-name GMT-05:00

exit

ntp-option enabled

ntp-keys 10 md5-key cisco123

ntp-servers x.26.170.13 key-id 10

exit

summertime-option disabled

auto-upgrade

cisco-server enabled

schedule-option calendar-schedule

times-of-day 17:20:00

days-of-week monday

days-of-week tuesday

days-of-week wednesday

days-of-week thursday

days-of-week friday

exit

cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

exit

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

general

block-enable false

exit

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

signatures 1301 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1302 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1303 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1304 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1305 0

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 1

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 2

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 3

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 4

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 5

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 6

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1312 0

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1313 0

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1316 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1330 0

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 1

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 2

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 5

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 6

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 7

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 8

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 9

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 10

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 12

engine normalizer

event-action produce-alert

exit

exit

signatures 1330 17

engine normalizer

event-action produce-alert

exit

exit

signatures 1330 18

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 19

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 20

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 21

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 2000 0

status

enabled false

exit

exit

signatures 2004 0

status

enabled false

exit

exit

signatures 2007 0

status

enabled false

exit

exit

signatures 2008 0

status

enabled false

exit

exit

signatures 2100 0

status

enabled false

exit

exit

signatures 2151 0

status

enabled true

exit

exit

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

trusted-certificates x.26.191.99 certificate 
MIICaDCCAdECBEhdNM4wDQYJKoZIhvcNAQEEBQAwezELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExET
APBgNVBAcTCFNhbiBKb3NlMRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQLEwtTVEcgQ1MtTUFSUzEWMBQG
A1UEAxMNd3d3LmNpc2NvLmNvbTAeFw0wODA2MjExNzA1MThaFw0yMzA2MTgxNzA1MThaMHsxCzAJBgNVBAYTAlVTMR
MwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczEUMBIG
A1UECxMLU1RHIENTLU1BUlMxFjAUBgNVBAMTDXd3dy5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAo
GBAM/IsMmkz4/gg6cuqu2CylSBqc+YlMELHTnU20Rfx05oaYIl4YBFJwgQ9Y9w0G7N7LIjrmWwUCmwnwFsHkn8BwLN
r5+qVCT6Y+5GXzD8zC2kdRud06T4n4l5Oj1dfxb2GuMnYSK+tKO0R1/fYIK5zvhYJ/8AVfRZ4okWdiGfu/EdAgMBAA
EwDQYJKoZIhvcNAQEEBQADgYEAtvqJE5f9XqDrSxTh5bL75A1/taePqpaYgpS4rLvP2OZ7Rf0tU7SCANS6OmykM5OB
xCPsdzoGreHymP7v4exnesJZp3ptCFNAW67COoWA29UfKYrIamXopBh1tTWzI+3igrlyZnHEQVXgsHx9lbyHXGE/GV
7y0LrS4Qhr5OPKjQk=

exit

! ------------------------------

service web-server

port 443

exit

! ------------------------------

service anomaly-detection ad0

ignore

source-ip-address-range 10.7.52.30

dest-ip-address-range 10.8.180.153,10.8.162.200

exit

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface TenGigabitEthernet7/0 subinterface-number 1

physical-interface TenGigabitEthernet7/1 subinterface-number 1

inline-TCP-session-tracking-mode virtual-sensor

inline-TCP-evasion-protection-mode strict

exit

virtual-sensor vs1

signature-definition sig0

event-action-rules rules0

anomaly-detection

anomaly-detection-name ad0

exit

physical-interface GigabitEthernet3/3 subinterface-number 0

exit

exit

IPS 2

dca-ips2# sh configuration

! ------------------------------

! Current configuration last modified Thu Mar 05 14:03:20 2009

! ------------------------------

! Version 6.2(1)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S386.0   2009-03-09

!     Virus Update        V1.4     2007-03-02

! ------------------------------

service interface

physical-interfaces TenGigabitEthernet7/0

admin-state enabled

subinterface-type inline-vlan-pair

subinterface 1

no description

vlan1 163

vlan2 164

exit

exit

exit

physical-interfaces TenGigabitEthernet7/1

description to ss2

admin-state enabled

duplex auto

speed auto

default-vlan 0

alt-tcp-reset-interface none

subinterface-type inline-vlan-pair

subinterface 1

description ss2

vlan1 163

vlan2 164

exit

exit

exit

bypass-mode auto

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

overrides deny-packet-inline

override-item-status Disabled

risk-rating-range 90-100

exit

exit

! ------------------------------

service host

network-settings

host-ip x.26.146.88/24,x.26.146.1

host-name dca-ips2

telnet-option disabled

access-list 10.0.0.0/8

access-list 64.0.0.0/8

access-list x.0.0.0/8

exit

time-zone-settings

offset -300

standard-time-zone-name GMT-05:00

exit

ntp-option enabled

ntp-keys 10 md5-key cisco123

ntp-servers x.26.170.13 key-id 10

exit

summertime-option recurring

summertime-zone-name GMT-05:00

exit

auto-upgrade

cisco-server enabled

schedule-option calendar-schedule

times-of-day 17:20:00

days-of-week monday

days-of-week tuesday

days-of-week wednesday

days-of-week thursday

days-of-week friday

exit

cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

exit

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

signatures 1301 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1302 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1303 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1304 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1305 0

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 1

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 2

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 3

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 4

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 5

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1306 6

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1312 0

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1313 0

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1316 0

engine normalizer

event-action produce-alert

exit

exit

signatures 1330 0

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 1

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 2

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 5

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 6

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 7

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 8

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 9

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 10

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 12

engine normalizer

event-action produce-alert

exit

exit

signatures 1330 17

engine normalizer

event-action produce-alert

exit

exit

signatures 1330 18

engine normalizer

event-action produce-alert|deny-packet-inline

exit

exit

signatures 1330 19

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 20

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

signatures 1330 21

engine normalizer

event-action produce-alert|modify-packet-inline

exit

exit

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

trusted-certificates x.26.191.99 certificate 
MIICaDCCAdECBEhdNM4wDQYJKoZIhvcNAQEEBQAwezELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExET
APBgNVBAcTCFNhbiBKb3NlMRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQLEwtTVEcgQ1MtTUFSUzEWMBQG
A1UEAxMNd3d3LmNpc2NvLmNvbTAeFw0wODA2MjExNzA1MThaFw0yMzA2MTgxNzA1MThaMHsxCzAJBgNVBAYTAlVTMR
MwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczEUMBIG
A1UECxMLU1RHIENTLU1BUlMxFjAUBgNVBAMTDXd3dy5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAo
GBAM/IsMmkz4/gg6cuqu2CylSBqc+YlMELHTnU20Rfx05oaYIl4YBFJwgQ9Y9w0G7N7LIjrmWwUCmwnwFsHkn8BwLN
r5+qVCT6Y+5GXzD8zC2kdRud06T4n4l5Oj1dfxb2GuMnYSK+tKO0R1/fYIK5zvhYJ/8AVfRZ4okWdiGfu/EdAgMBAA
EwDQYJKoZIhvcNAQEEBQADgYEAtvqJE5f9XqDrSxTh5bL75A1/taePqpaYgpS4rLvP2OZ7Rf0tU7SCANS6OmykM5OB
xCPsdzoGreHymP7v4exnesJZp3ptCFNAW67COoWA29UfKYrIamXopBh1tTWzI+3igrlyZnHEQVXgsHx9lbyHXGE/GV
7y0LrS4Qhr5OPKjQk=

exit

! ------------------------------

service web-server

exit

! ------------------------------

service anomaly-detection ad0

ignore

source-ip-address-range 10.7.52.30

dest-ip-address-range 10.8.180.153,10.8.162.200

exit

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface TenGigabitEthernet7/0 subinterface-number 1

physical-interface TenGigabitEthernet7/1 subinterface-number 1

inline-TCP-session-tracking-mode virtual-sensor

inline-TCP-evasion-protection-mode strict

exit

exit

Access Layer Nexus 5000

Nexus 5000 1

dc10-5020-1# sh run

version 4.0(1a)N1(1)

feature tacacs+

feature lacp

feature fcoe

username admin password 5 <encrypted password> role network-admin

username dma password 5 <encrypted password>/  role network-admin

username chris password 5 <encrypted password> role network-admin

ssh key rsa 2048 force

ntp server x.26.146.1 use-vrf management

ip host dc10-5020-1 x.26.146.191

tacacs-server key 7 "<key>"

tacacs-server host x.26.191.94 key 7 "<key>"

aaa group server tacacs+ tacacs-group

    server x.26.191.94

    use-vrf management

aaa group server tacacs+ tacacs

system default switchport

service unsupported-transceiver

ip access-list 134

  10 permit ip x.26.146.191/32 x.26.0.0/16

  20 deny ip any any

ip access-list 133

  10 permit icmp x.26.0.0/16 x.26.146.191/32 ttl-exceeded

  20 permit icmp x.26.0.0/16 x.26.146.191/32 port-unreachable

  30 permit icmp x.26.0.0/16 x.26.146.191/32 echo-reply

  40 permit icmp x.26.0.0/16 x.26.146.191/32 echo

  50 permit tcp x.26.0.0/16 eq tacacs x.26.146.191/32 established

  60 permit tcp x.26.0.0/16 x.26.146.191/32 eq tacacs

  70 permit udp x.26.0.0/16 x.26.146.191/32 eq ntp

  80 permit tcp x.26.0.0/16 x.26.146.191/32 eq 22

  90 permit tcp x.26.0.0/16 eq ftp x.26.146.191/32 gt 1023 established

  100 permit tcp x.26.0.0/16 eq ftp-data x.26.146.191/32 gt 1023

  110 permit tcp x.26.0.0/16 gt 1023 x.26.146.191/32 gt 1023 established

  120 permit udp x.26.0.0/16 gt 1023 x.26.146.191/32 gt 1023

  130 permit udp x.26.191.99/32 x.26.146.191/32 eq snmp

  140 deny ip any any

snmp-server user dma network-admin auth md5 0x9087aa934c0a90dc2e7456b14f13cb31 p

riv 0x9087aa934c0a90dc2e7456b14f13cb31 localizedkey

snmp-server user admin network-admin auth md5 0x9087aa934c0a90dc2e7456b14f13cb31

 priv 0x9087aa934c0a90dc2e7456b14f13cb31 localizedkey

snmp-server user chris network-admin auth md5 0x9087aa934c0a90dc2e7456b14f13cb31

 priv 0x9087aa934c0a90dc2e7456b14f13cb31 localizedkey

snmp-server host 10.116.132.2 version 2c public  udp-port 2162

snmp-server host 192.168.174.131 version 2c public  udp-port 2162

aaa authentication login console group tacacs-group

aaa accounting default group tacacs-group

aaa authentication login error-enable

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

  ip route x.26.0.0/16 x.26.146.1

switchname dc10-5020-1

vlan 1,15

vlan 98

  name serviceconsole

vlan 142

  name dbvlan

vlan 180-183

vlan 3000

  name erspan

vlan 3002

  name vemcontrol

vlan 3003

  name vempacket

spanning-tree pathcost method long

spanning-tree port type network default

vsan database

  vsan 60 name "SAN_VSAN"

class-map iSCSI

  match cos 2

class-map VMotion

  match cos 1

class-map Service-Console

  match cos 4

policy-map VMWare-Classes

  class class-default

  class class-fcoe

  class iSCSI

    pause no-drop

  class VMotion

  class Service-Console

policy-map jumbo

  class class-default

    mtu 9216

system qos

  service-policy jumbo

interface vfc1

  no shutdown

  bind interface Ethernet1/1

interface vfc2

  no shutdown

  bind interface Ethernet1/2

interface vfc3

  no shutdown

  bind interface Ethernet1/3

interface vfc4

  no shutdown

  bind interface Ethernet1/4

interface vfc5

  no shutdown

  bind interface Ethernet1/5

interface vfc6

  no shutdown

  bind interface Ethernet1/6

vsan database

  vsan 60 interface vfc1

  vsan 60 interface vfc2

  vsan 60 interface vfc3

  vsan 60 interface vfc4

  vsan 60 interface vfc5

  vsan 60 interface vfc6

  vsan 60 interface fc2/1

interface fc2/1

  no shutdown

  switchport trunk allowed vsan 60

interface fc2/2

interface fc2/3

interface fc2/4

interface fc3/1

interface fc3/2

interface fc3/3

interface fc3/4

interface Ethernet1/1

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/2

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/3

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/4

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/5

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/6

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/7

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/8

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/9

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/10

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/11

interface Ethernet1/12

interface Ethernet1/13

interface Ethernet1/14

interface Ethernet1/15

interface Ethernet1/16

interface Ethernet1/17

interface Ethernet1/18

interface Ethernet1/19

interface Ethernet1/20

interface Ethernet1/21

interface Ethernet1/22

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25

interface Ethernet1/26

interface Ethernet1/27

interface Ethernet1/28

interface Ethernet1/29

interface Ethernet1/30

interface Ethernet1/31

interface Ethernet1/32

interface Ethernet1/33

interface Ethernet1/34

interface Ethernet1/35

interface Ethernet1/36

interface Ethernet1/37

interface Ethernet1/38

interface Ethernet1/39

interface Ethernet1/40

interface Ethernet2/1

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

interface Ethernet2/2

interface Ethernet2/3

interface Ethernet2/4

interface Ethernet3/1

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

interface Ethernet3/2

interface Ethernet3/3

interface Ethernet3/4

interface mgmt0

  vrf member management

  ip address x.26.146.191/23

  no ip redirects

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc3/1

interface fc3/2

interface fc3/3

interface fc3/4

snmp-server enable traps entity fru

snmp-server enable traps license

boot kickstart bootflash:/n5000-uk9-kickstart.4.0.1a.N1.1.bin

boot system bootflash:/n5000-uk9.4.0.1a.N1.1.bin

device-alias database

  device-alias name Atto1 pwwn 22:00:00:10:86:13:36:48

  device-alias name Atto2 pwwn 22:00:00:10:86:13:36:40

  device-alias name HPBlade1 pwwn 50:05:08:b2:00:b1:68:63

  device-alias name HPBlade2 pwwn 50:05:08:b2:00:b0:d6:83

  device-alias name HPBlade3 pwwn 50:05:08:b2:00:b1:66:93

  device-alias name DellBlade3 pwwn 21:00:00:14:22:73:ce:c2

  device-alias name DellBlade5 pwwn 21:00:00:14:22:73:ce:e4

  device-alias name dc-dl580-1 pwwn 10:00:00:00:c9:57:fa:cc

  device-alias name dc-dl580-2 pwwn 10:00:00:00:c9:57:fc:c6

  device-alias name dc-dl580-3 pwwn 10:00:00:00:c9:57:e8:20

  device-alias name dc-dl580-4 pwwn 10:00:00:00:c9:57:e7:b8

  device-alias name dc-dl580-5 pwwn 10:00:00:00:c9:57:fb:d0

  device-alias name dc-dl580-6 pwwn 10:00:00:00:c9:57:fd:ce

device-alias commit

ip route 0.0.0.0/23 x.26.146.1

ip route x.26.0.0/16 x.26.146.1

no system default switchport shutdown

zoneset activate name RTP-DataCenter1 vsan 1

zoneset activate name RTP-DataCenter1 vsan 60

Nexus 5000 2

dc10-5020-2# sh run

version 4.0(1a)N1(1)

feature tacacs+

feature udld

feature interface-vlan

feature lacp

feature fcoe

username admin password 5 <encrypted password>role network-admin

username chris password 5 <encrypted password>role network-admin

username dma password 5 <encrypted password>.  role network-admin

ssh key rsa 2048 force

ntp server x.26.146.1 use-vrf management

tacacs-server key 7 "<key>"

tacacs-server host x.26.191.94 key 7 "<key>"

aaa group server tacacs+ tacacs-group

    server x.26.191.94

    use-vrf management

aaa group server tacacs+ tacacs

system default switchport

service unsupported-transceiver

snmp-server user dma network-admin auth md5 0x7f5109316dadcd2bd3322c3baa49167e p

riv 0x7f5109316dadcd2bd3322c3baa49167e localizedkey

snmp-server user admin network-admin auth md5 0x7f5109316dadcd2bd3322c3baa49167e

 priv 0x7f5109316dadcd2bd3322c3baa49167e localizedkey

snmp-server user chris network-admin auth md5 0x7f5109316dadcd2bd3322c3baa49167e

 priv 0x7f5109316dadcd2bd3322c3baa49167e localizedkey

snmp-server host 10.116.132.3 version 2c public  udp-port 1163

snmp-server host 192.168.174.131 version 2c public  udp-port 2162

aaa authentication login console group tacacs-group

aaa accounting default group tacacs-group

aaa authentication login error-enable

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

switchname dc10-5020-2

vlan 1

vlan 15

  name vmkernel

vlan 98

  name vmprod

vlan 142

  name db

vlan 180-183

vlan 3000

  name erspan

vlan 3002

  name vemcontrol

vlan 3003

  name vempacket

spanning-tree pathcost method long

spanning-tree port type network default

policy-map jumbo

  class class-default

    mtu 9216

system qos

  service-policy jumbo

interface Vlan1

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc3/1

interface fc3/2

interface fc3/3

interface fc3/4

interface Ethernet1/1

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/2

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/3

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/4

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/5

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/6

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/7

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/8

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/9

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/10

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  spanning-tree port type edge trunk

interface Ethernet1/11

interface Ethernet1/12

interface Ethernet1/13

interface Ethernet1/14

interface Ethernet1/15

interface Ethernet1/16

interface Ethernet1/17

interface Ethernet1/18

interface Ethernet1/19

interface Ethernet1/20

interface Ethernet1/21

interface Ethernet1/22

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25

interface Ethernet1/26

interface Ethernet1/27

interface Ethernet1/28

interface Ethernet1/29

interface Ethernet1/30

interface Ethernet1/31

interface Ethernet1/32

interface Ethernet1/33

interface Ethernet1/34

interface Ethernet1/35

interface Ethernet1/36

interface Ethernet1/37

interface Ethernet1/38

interface Ethernet1/39

interface Ethernet1/40

interface Ethernet2/1

  switchport mode trunk

  description to dca-n7k1-vdc2 port 1/28

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

interface Ethernet2/2

interface Ethernet2/3

interface Ethernet2/4

interface Ethernet3/1

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,142,180-183,3000,3002-3003

  spanning-tree port type network

interface Ethernet3/2

  shutdown

  switchport mode trunk

  logging event port link-status

  logging event port trunk-status

  switchport trunk allowed vlan 15,98,180-183

  spanning-tree port type network

interface Ethernet3/3

interface Ethernet3/4

interface mgmt0

  vrf member management

  ip address x.26.146.192/23

clock timezone EST -5 0

clock summer-time EST 1 Sunday April 00:00 5 Saturday Oct 00:00 60

system default switchport trunk mode auto

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc3/1

interface fc3/2

interface fc3/3

interface fc3/4

snmp-server enable traps entity fru

snmp-server enable traps license

boot kickstart bootflash:/n5000-uk9-kickstart.4.0.1a.N1.1.bin

boot system bootflash:/n5000-uk9.4.0.1a.N1.1.bin

ip route 0.0.0.0/0 x.26.146.0/23

ip route 0.0.0.0/0 x.26.146.1

no system default switchport shutdown

monitor session 1

Access Layer Nexus 1000V

dcvsm# sh run

version 4.0(1)

feature port-security

username admin password 5 $<encrypted password>role network-admin

telnet server enable

ssh key rsa 1024 force

kernel core target 0.0.0.0

kernel core limit 1

system default switchport

mac access-list x.1

vem 3

  host vmware id <encrypted password>

vem 4

  host vmware id <encrypted password>

vem 5

  host vmware id <encrypted password>

vem 6

  host vmware id 4998d511-622d-da10-bd0c-0019bbe97d20

snmp-server user admin network-admin auth md5 <encrypted password> priv

<encrypted password> localizedkey

snmp-server enable traps license

vrf context management

  ip route 0.0.0.0/0 x.26.146.1

switchname dcvsm

flow exporter dc-mgmt

  description Netflow Collector v9

  destination x.26.146.164

  transport udp 3000

  source mgmt0

  version 9

    template data timeout 300

    option exporter-stats timeout 120

flow exporter lnxnf

  description Cisco Netflow Collector

  destination x.26.147.141

  transport udp 3000

  source mgmt0

  version 9

    template data timeout 300

    option exporter-stats timeout 120

flow monitor ESE-flow

  description Flow to Collector

  record netflow-original

  exporter lnxnf

  timeout active 1800

  cache size 4096

flow monitor test

  record ipv4 protocol-port

  exporter lnxnf

  timeout active 1800

  cache size 4096

vlan 15,98

vlan 180

  private-vlan primary

  private-vlan association 500-501

vlan 181-183

vlan 500

  private-vlan isolated

vlan 501

  private-vlan community

vlan 3000

  name erspan

vlan 3002

  name control

vlan 3003

  name packet

vdc dcvsm id 1

  limit-resource vlan minimum 16 maximum 256

  limit-resource monitor-session minimum 0 maximum 64

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 256

  limit-resource u4route-mem minimum 32 maximum 256

  limit-resource u6route-mem minimum 16 maximum 256

port-profile system-mgmt

  capability uplink

  vmware port-group SystemUplinks

  switchport mode trunk

  switchport trunk allowed vlan 15,98,180-183,3000,3002-3003

  switchport private-vlan mapping trunk 180 500-501

  channel-group auto mode on sub-group cdp

  ip flow monitor ESE-flow input

  ip flow monitor ESE-flow output

  no shutdown

  system vlan 3002-3003

  state enabled

port-profile vm180

  vmware port-group pg180

  switchport mode access

  switchport access vlan 180

  ip flow monitor ESE-flow input

  ip flow monitor ESE-flow output

  no shutdown

  state enabled

port-profile vmotion

  description VMOTION

  vmware port-group pgVM15

  switchport access vlan 15

  ip flow monitor ESE-flow input

  ip flow monitor ESE-flow output

  no shutdown

  state enabled

port-profile erspan

  capability l3control

  vmware port-group

  switchport access vlan 3000

  no shutdown

  system vlan 3000

  state enabled

interface port-channel1

  mtu 1500

  inherit port-profile system-mgmt

interface port-channel2

  inherit port-profile system-mgmt

interface port-channel3

  inherit port-profile system-mgmt

interface Ethernet3/3

  mtu 1500

  channel-group 1

  inherit port-profile system-mgmt

interface Ethernet3/4

  mtu 1500

  channel-group 1

  inherit port-profile system-mgmt

interface Ethernet4/3

  channel-group 2

  inherit port-profile system-mgmt

interface Ethernet4/4

  channel-group 2

  inherit port-profile system-mgmt

interface Ethernet5/3

  channel-group 3

  inherit port-profile system-mgmt

interface Ethernet5/4

  channel-group 3

  inherit port-profile system-mgmt

interface mgmt0

  ip address x.26.147.240/23

interface Vethernet1

  inherit port-profile vm180

interface Vethernet2

  inherit port-profile vmotion

interface Vethernet3

  mtu 9216

  inherit port-profile erspan

interface Vethernet4

  inherit port-profile vmotion

interface Vethernet5

  mtu 9216

  inherit port-profile erspan

interface Vethernet6

  inherit port-profile vmotion

interface Vethernet7

  mtu 9216

  inherit port-profile erspan

interface Vethernet8

  switchport private-vlan host-association 180 500

  no shutdown

  inherit port-profile vm180

interface Vethernet9

interface Vethernet10

interface Vethernet11

  inherit port-profile vm180

interface Vethernet12

interface Vethernet13

interface Vethernet14

interface Vethernet15

interface Vethernet16

interface Vethernet17

  inherit port-profile vm180

interface Vethernet18

  inherit port-profile vm180

interface Vethernet19

  inherit port-profile vm180

boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.0.1a.S1.0.149.bin sup-1

boot system bootflash:/nexus-1000v-mz.4.0.1a.S1.0.149.bin sup-1

boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.0.1a.S1.0.149.bin sup-2

boot system bootflash:/nexus-1000v-mz.4.0.1a.S1.0.149.bin sup-2

monitor session 1 type erspan-source

  description - to SS1 NAM via VLAN 3000

  source interface Vethernet1 both

  source interface Vethernet8 both

  source interface Vethernet9 both

  source interface Vethernet10 both

  source interface Vethernet11 both

  source interface Vethernet12 both

  source interface Vethernet13 both

  destination ip 10.8.33.4

  erspan-id 1

  ip ttl 64

  ip prec 0

  ip dscp 0

  mtu 1500

  no shut

monitor session 2 type erspan-source

  description - to SS1 IDS1 via VLAN 3000

  source interface Vethernet1 both

  source interface Vethernet8 both

  source interface Vethernet9 both

  source interface Vethernet10 both

  source interface Vethernet11 both

  source interface Vethernet12 both

  source interface Vethernet13 both

  destination ip 10.8.33.4

  erspan-id 2

  ip ttl 64

  ip prec 0

  ip dscp 0

  mtu 1500

  no shut

svs-domain

  domain id 1

  control vlan 3002

  packet vlan 3003

svs connection VC

  protocol vmware-vim

  remote ip address x.26.146.133

  vmware dvs datacenter-name ESERTP

  connect

dcvsm#

Enterprise Campus

Figure 4 Enterprise Campus Network Diagram

Core Switch—Catalyst 6500

See Enterprise Core, for configurations.

Distribution Layer Switch - Catalyst 6500

Sfx13-Cat6504E-1

! Last configuration change at 20:15:03 GMT Wed Apr 1 2009 by danhamil-ops

! NVRAM config last updated at 20:22:35 GMT Wed Apr 1 2009 by danhamil-ops

upgrade fpd auto

version 12.2

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service counters max age 5

hostname SFX13-6504E-1

boot-start-marker

boot system flash sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH4.bin

boot-end-marker

enable secret 5 <encrypted password>

username admin privilege 15 secret 5 <encrypted password>

aaa new-model

aaa group server tacacs+ tacacs-group

 server <tacacs+-server>

aaa authentication login authen-exec-list group tacacs-group local-case

aaa authentication enable default group tacacs-group enable

aaa authorization exec author-exec-list group tacacs-group if-authenticated

aaa authorization commands 15 author-15-list group tacacs-group none

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs-group

aaa accounting commands 15 default start-stop group tacacs-group

aaa accounting system default start-stop group tacacs-group

aaa session-id common

clock timezone GMT 0

call-home

  alert-group configuration

  alert-group diagnostic

  alert-group environment

  alert-group inventory

  alert-group syslog

 profile "CiscoTAC-1"

   no active

   no destination transport-method http

   destination transport-method email

   destination address email callhome@cisco.com

   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

   subscribe-to-alert-group diagnostic severity minor

   subscribe-to-alert-group environment severity minor

   subscribe-to-alert-group syslog severity major pattern ".*"

   subscribe-to-alert-group configuration periodic monthly 23 11:17

   subscribe-to-alert-group inventory periodic monthly 23 11:02

ip subnet-zero

no ip source-route

ip ftp source-interface GigabitEthernet1/3

ip ftp username admin

ip ftp password 7 <encrypted password>

no ip bootp server

ip vrf access

 rd 13:1

 route-target export 13:1

 route-target import 13:1

ip ssh time-out 60

ip ssh authentication-retries 2

ip scp server enable

no ip domain-lookup

ip domain-name cisco.com

login block-for 100 attempts 5 within 50

login quiet-mode access-class 10

login on-failure log

mls ip slb purge global

mls netflow interface

mls flow ip interface-full

no mls flow ipv6

mls nde sender version 5

mls sampling packet-based 128 16000

mls qos

mls cef error action reset

flow-sampler-map csmars-sample

 mode random one-out-of 100

key chain eigrp-chain

 key 10

   key-string 7 <key>

memory reserve critical 1000

memory free low-watermark processor 91492

memory free low-watermark IO 6710

redundancy

 keepalive-enable

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

spanning-tree extend system-id

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric timer 15

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

class-map match-all coppclass-igp

  match access-group name coppacl-igp

class-map match-all coppclass-monitoring

  match access-group name coppacl-monitoring

class-map match-all coppclass-filemanagement

  match access-group name coppacl-filemanagement

class-map match-all coppclass-management

  match access-group name coppacl-management

policy-map copp-policy

  class coppclass-igp

   police cir 300000 bc 3000 be 3000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-filemanagement

   police cir 6000000 bc 60000 be 60000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-management

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

  class coppclass-monitoring

   police cir 900000 bc 9000 be 9000    conform-action transmit     exceed-action drop     
violate-action drop

  class class-default

   police cir 500000 bc 5000 be 5000    conform-action transmit     exceed-action drop     
violate-action drop

interface Port-channel1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 12,13

 switchport mode trunk

interface GigabitEthernet1/1

 no ip address

interface GigabitEthernet1/2

 no ip address

 shutdown

interface GigabitEthernet1/3

 description FLASH NET

 ip address <management IP> 255.255.254.0

 ip access-group 133 in

 ip access-group 134 out

 load-interval 60

interface TenGigabitEthernet1/4

 description CAMPUS ACCESS SFX13-4500-1 Ten 1/1

 ip vrf forwarding access

 ip address 10.240.10.4 255.255.255.254

 ip hello-interval eigrp 1 1

 ip hold-time eigrp 1 3

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 ip policy route-map nac_redirect

 load-interval 60

interface TenGigabitEthernet1/5

 description CAMPUS ACCESS SFX13-4500-2 Ten 1/2

 ip vrf forwarding access

 ip address 10.240.10.6 255.255.255.254

 ip hello-interval eigrp 1 1

 ip hold-time eigrp 1 3

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 ip policy route-map nac_redirect

 load-interval 60

interface TenGigabitEthernet3/1

 description Connection to SFX13-ASA5580-1 T5/0

 switchport

 switchport access vlan 50

 switchport mode access

 load-interval 30

interface TenGigabitEthernet3/2

 description Connection to SFX13-ASA5580-1 T5/1

 switchport

 switchport access vlan 16

 switchport mode access

 load-interval 30

interface TenGigabitEthernet3/3

 no ip address

 shutdown

interface TenGigabitEthernet3/4

 no ip address

 shutdown

interface TenGigabitEthernet3/5

 no ip address

 shutdown

interface TenGigabitEthernet3/6

 no ip address

 shutdown

interface TenGigabitEthernet3/7

 no ip address

 shutdown

interface TenGigabitEthernet3/8

 no ip address

 shutdown

interface TenGigabitEthernet3/9

 no ip address

 shutdown

interface TenGigabitEthernet3/10

 no ip address

 shutdown

interface TenGigabitEthernet3/11

 no ip address

 shutdown

interface TenGigabitEthernet3/12

 no ip address

 shutdown

interface TenGigabitEthernet3/13

 no ip address

 shutdown

interface TenGigabitEthernet3/14

 no ip address

 shutdown

interface TenGigabitEthernet3/15

 no ip address

 shutdown

interface TenGigabitEthernet3/16

 no ip address

 shutdown

interface GigabitEthernet4/1

 no ip address

 shutdown

interface GigabitEthernet4/2

 no ip address

 shutdown

interface GigabitEthernet4/3

 no ip address

 shutdown

interface GigabitEthernet4/4

 no ip address

 shutdown

interface GigabitEthernet4/5

 no ip address

 shutdown

interface GigabitEthernet4/6

 no ip address

 shutdown

interface GigabitEthernet4/7

 no ip address

 shutdown

interface GigabitEthernet4/8

 no ip address

 shutdown

interface GigabitEthernet4/9

 no ip address

 shutdown

interface GigabitEthernet4/10

 no ip address

 shutdown

interface GigabitEthernet4/11

 no ip address

 shutdown

interface GigabitEthernet4/12

 description IPS bypass

 switchport

 switchport access vlan 12

 switchport mode access

 shutdown

interface GigabitEthernet4/13

 description IPS bypass

 switchport

 switchport access vlan 13

 switchport mode access

 shutdown

interface GigabitEthernet4/14

 no ip address

 shutdown

interface GigabitEthernet4/15

 no ip address

 shutdown

interface GigabitEthernet4/16

 no ip address

 shutdown

interface GigabitEthernet4/17

 no ip address

 shutdown

interface GigabitEthernet4/18

 no ip address

 shutdown

interface GigabitEthernet4/19

 no ip address

 shutdown

interface GigabitEthernet4/20

 no ip address

 shutdown

interface GigabitEthernet4/21

 no ip address

 shutdown

interface GigabitEthernet4/22

 no ip address

 shutdown

interface GigabitEthernet4/23

 description description Connection to SFX13-CAS-1 Trusted port (eth0)

 switchport

 switchport access vlan 400

 switchport mode access

interface GigabitEthernet4/24

 description Connection to SFX13-CAS-1 untrusted port (eth1)

 switchport

 switchport access vlan 300

 switchport mode access

interface GigabitEthernet4/25

 no ip address

 shutdown

interface GigabitEthernet4/26

 no ip address

 shutdown

interface GigabitEthernet4/27

 no ip address

 shutdown

interface GigabitEthernet4/28

 no ip address

 shutdown

interface GigabitEthernet4/29

 description trunk to sfx14-c6506-1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 12,13

 switchport mode trunk

 channel-group 1 mode on

interface GigabitEthernet4/30

 description trunk to sfx14-c6506-1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 12,13

 switchport mode trunk

 channel-group 1 mode on

interface GigabitEthernet4/31

 description trunk to sfx14-c6506-1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 12,13

 switchport mode trunk

 channel-group 1 mode on

interface GigabitEthernet4/32

 description trunk to sfx14-c6506-1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 12,13

 switchport mode trunk

 channel-group 1 mode on

interface GigabitEthernet4/33

 no ip address

 shutdown

interface GigabitEthernet4/34

 no ip address

 shutdown

interface GigabitEthernet4/35

 no ip address

 shutdown

interface GigabitEthernet4/36

 no ip address

 shutdown

interface GigabitEthernet4/37

 description Connection to sfx14-c6506-1 g3/37

 switchport

 switchport access vlan 50

 switchport mode access

 load-interval 30

interface GigabitEthernet4/38

 no ip address

 shutdown

interface GigabitEthernet4/39

 no ip address

 shutdown

interface GigabitEthernet4/40

 no ip address

 shutdown

interface GigabitEthernet4/41

 no ip address

 shutdown

interface GigabitEthernet4/42

 no ip address

 shutdown

interface GigabitEthernet4/43

 description connection to SFX-6504E-2 4/43 for CAS HA

 switchport

 switchport access vlan 300

 switchport mode access

interface GigabitEthernet4/44

 description RSPAN Connection to SFX13-6504E-2 port G4/44

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 500,501

 switchport mode trunk

 load-interval 60

interface GigabitEthernet4/45

 no ip address

interface GigabitEthernet4/46

 description SAFE CORE SFX14-6504E-2 Gig 4/46

 ip address 10.242.10.31 255.255.255.254

 ip flow ingress

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

 mls netflow sampling

 flow-sampler csmars-sample

interface GigabitEthernet4/47

 description SAFE CORE SFX14-6504E-1 Gig 4/47

 ip address 10.242.10.29 255.255.255.254

 ip flow ingress

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

 mls netflow sampling

 flow-sampler csmars-sample

interface GigabitEthernet4/48

 description trunk to SFX13-6504E-2 Gig 4/48

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 2,16,40,400

 switchport mode trunk

 load-interval 60

interface Vlan1

 no ip address

 shutdown

interface Vlan2

 description layer 3 connection to SFX13-6504E-2 Gig 4/48

 ip address 10.240.10.2 255.255.255.254

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 load-interval 60

interface Vlan12

 description Outside IPS

 mac-address 0000.0000.0012

 ip address 10.240.10.12 255.255.255.254

 ip flow ingress

 ip hello-interval eigrp 1 1

 ip hold-time eigrp 1 3

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

 mls netflow sampling

 flow-sampler csmars-sample

interface Vlan13

 description Inside IPS

 mac-address 0000.0000.0013

 ip vrf forwarding access

 ip address 10.240.10.13 255.255.255.254

 ip hello-interval eigrp 1 1

 ip hold-time eigrp 1 3

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

interface Vlan16

 description Layer-3 connection to ASA Outside Interfaces

 ip address 10.240.10.17 255.255.255.248

 ip authentication mode eigrp 1 md5

 ip authentication key-chain eigrp 1 eigrp-chain

interface Vlan40

 description trunk port to SFX13-6504E-1 for access VRF

 mac-address 0000.0000.0040

 ip vrf forwarding access

 ip address 10.240.10.40 255.255.255.254

interface Vlan300

 description Routing interface for NAC CAS untrusted VLAN interface

 mac-address 0000.0000.0300

 ip vrf forwarding access

 ip address 10.240.10.26 255.255.255.248

 standby 1 ip 10.240.10.25

 standby 1 priority 105

 standby 1 preempt

 standby 1 track TenGigabitEthernet1/4

 standby 1 track TenGigabitEthernet1/5

interface Vlan400

 description Routing interface for NAC CAS trusted VLAN interface

 ip address 10.240.10.34 255.255.255.248

router eigrp 1

 passive-interface Vlan300

 passive-interface Vlan400

 network 10.0.0.0

 auto-summary

 address-family ipv4 vrf access

  network 10.0.0.0

  auto-summary

  autonomous-system 1

 exit-address-family

ip classless

ip route 172.26.0.0 255.255.0.0 172.26.170.1

ip flow-export source GigabitEthernet1/3

ip flow-export version 5

ip flow-export destination <CS-MARS> 2055

no ip http server

no ip http secure-server

ip tacacs source-interface GigabitEthernet1/3

ip access-list extended coppacl-filemanagement

 remark CoPP File transfer traffic class

 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP> gt 1023 established

 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP> gt 1023

 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP> gt 1023 established

 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP> gt 1023

ip access-list extended coppacl-igp

 remark IGP traffic class

 permit eigrp any host 224.0.0.10

 permit eigrp 10.0.0.0 0.255.255.255 host <management IP>

ip access-list extended coppacl-management

 remark CoPP management traffic class

 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP> established

 permit tcp 172.26.0.0 0.0.255.255 host <management IP> eq 22

 permit tcp 172.26.0.0 0.0.255.255 host <management IP> eq telnet

 permit udp 172.26.0.0 0.0.255.255 host <management IP> eq snmp

 permit udp 172.26.0.0 0.0.255.255 host <management IP> eq ntp

ip access-list extended coppacl-monitoring

 remark CoPP monitoring traffic class

 permit icmp any any ttl-exceeded

 permit icmp any any port-unreachable

 permit icmp any any echo-reply

 permit icmp any any echo

ip access-list extended nac_redirect_acl

 deny   tcp 10.240.120.0 0.0.0.255 host 10.8.51.10 eq www

 deny   tcp 10.240.220.0 0.0.0.255 host 10.8.51.10 eq www

 deny   tcp 10.240.120.0 0.0.0.255 host 10.8.51.10 eq 443

 deny   tcp 10.240.220.0 0.0.0.255 host 10.8.51.10 eq 443

 permit tcp 10.240.220.0 0.0.0.255 any eq www

 permit tcp 10.240.220.0 0.0.0.255 any eq 443

 permit tcp 10.240.120.0 0.0.0.255 any eq www

 permit tcp 10.240.120.0 0.0.0.255 any eq 443

logging trap critical

logging source-interface GigabitEthernet1/3

logging <CS-MARS>

access-list 10 permit 172.26.191.92

access-list 55 remark ACL for SNMP access to device

access-list 55 permit <CS-MARS>

access-list 55 deny   any log

access-list 111 remark ACL for SSH

access-list 111 permit tcp 172.26.0.0 0.0.255.255 any eq 22

access-list 111 deny   ip any any log-input

access-list 112 remark ACL for last resort access

access-list 112 permit tcp host 172.26.191.92 any eq 22

access-list 112 permit tcp host <CS-MARS> any eq 22

access-list 112 deny   ip any any log-input

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP> ttl-exceeded

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP> port-unreachable

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP> echo-reply

access-list 133 permit icmp 172.26.0.0 0.0.255.255 host <management IP> echo

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq tacacs host <management IP> 
established

access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP> eq tacacs

access-list 133 permit udp 172.26.0.0 0.0.255.255 host <management IP> eq ntp

access-list 133 permit tcp 172.26.0.0 0.0.255.255 host <management IP> eq 22

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp host <management IP> gt 1023 
established

access-list 133 permit tcp 172.26.0.0 0.0.255.255 eq ftp-data host <management IP> gt 1023

access-list 133 permit tcp 172.26.0.0 0.0.255.255 gt 1023 host <management IP> gt 1023 
established

access-list 133 permit udp 172.26.0.0 0.0.255.255 gt 1023 host <management IP> gt 1023

access-list 133 permit udp host <CS-MARS> host <management IP> eq snmp

access-list 133 deny   ip any any log

access-list 134 permit ip host <management IP> 172.26.0.0 0.0.255.255

access-list 134 deny   ip any any log

route-map nac_redirect permit 10

 match ip address nac_redirect_acl

 set ip vrf access next-hop 10.240.10.30

snmp-server community csmars RO 55

snmp-server enable traps cpu threshold

snmp-server host <CS-MARS> csmars  memory cpu

tacacs-server host <tacacs+-server> single-connection key 7 <secret-key>

tacacs-server directed-request

radius-server source-ports 1645-1646

control-plane

 service-policy input copp-policy

dial-peer cor custom

banner login

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.

All activities performed on this device are logged and monitored.

line con 0

 session-timeout 3

 exec-timeout 3 0

 login authentication authen-exec-list

line vty 0 3

 session-timeout 3

 access-class 111 in

 exec-timeout 3 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input ssh

 transport output none

line vty 4

 session-timeout 3

 access-class 112 in

 exec-timeout 3 0

 password 7 <encrypted password>

 authorization commands 15 author-15-list

 authorization exec author-exec-list

 login authentication authen-exec-list

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 no exec

exception protocol ftp

exception dump <core-dump-host>

monitor session 1 source interface Te1/4 - 5

monitor session 1 destination interface Gi4/45

monitor session 2 destination interface Gi4/45

monitor sessi

Design Zone for Security