Cisco3750配置(生产环境)

!
! Global settings for the layer-3 switch "beijiao3750" (IOS 12.2 on a WS-C3750G-12S).
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
! NOTE(review): "service password-encryption" only obfuscates the "password 7"
! strings in this file (type 7 is a reversible encoding, not a hash). Anyone who
! obtains this config can recover those line/enable passwords; treat the file as a secret.
service password-encryption
!
hostname beijiao3750
!
boot-start-marker
boot-end-marker
!
no logging console
! Privileged-exec credentials. When both are present IOS uses the hashed "enable secret";
! the type-7 "enable password" below adds nothing except a reversible copy of a
! credential in the config and should be removed.
enable secret 5 $1$asmC$OBSeNMMe6xQdRV6321rvE1
enable password 7 030752180500721B1B59090404011C03162AE
!
!
!
! No AAA: authentication is per-line passwords only (no per-user accounts, no accounting).
no aaa new-model
clock timezone beijing 8
switch 1 provision ws-c3750g-12s
system mtu routing 1500
ip routing
no ip domain-lookup
ip name-server 192.168.100.100
! Address-conflict detection is not logged, so duplicate-IP events in the pool below go unrecorded.
no ip dhcp conflict logging
! Exclusions: the /23 network and broadcast addresses, the 192.168.199.0 boundary, and
! 192.168.198.1-.50 (the static-ARP hosts .1 and .2 further down fall in this range).
ip dhcp excluded-address 192.168.198.0
ip dhcp excluded-address 192.168.198.255
ip dhcp excluded-address 192.168.199.0
ip dhcp excluded-address 192.168.198.1 192.168.198.50
!
! Switch-hosted DHCP pool for VLAN 109 (192.168.198.0/23). The default router is the
! Vlan109 SVI address; clients are handed external resolvers (202.98.0.68/.5.68),
! not the switch's own name-server above.
ip dhcp pool beijiao
network 192.168.198.0 255.255.254.0
default-router 192.168.199.254
dns-server 202.98.0.68 202.98.5.68
! lease <days> <hours>: 1-hour leases.
lease 0 1
!
!
! DHCP snooping and Dynamic ARP Inspection on VLAN 109. No port in this file carries
! "ip dhcp snooping trust"; that is consistent with the switch being the only DHCP
! server, but an external server on VLAN 109 would be blocked. DAI consults the ARP
! ACL "beijiao" (defined below) first and, since "static" is not given, still falls
! back to the snooping binding table for hosts the ACL does not list.
ip dhcp snooping vlan 109
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 109
ip arp inspection filter beijiao vlan 109
ipv6 unicast-routing
!
! QoS must be globally enabled for the "police" action in policy-map policylimitudp.
mls qos
!
! Self-signed certificate backing "ip http secure-server" (below). Browsers cannot
! validate it against a CA, so HTTPS to the switch is encrypted but unauthenticated
! unless the fingerprint is pinned by the operator.
crypto pki trustpoint TP-self-signed-2705099264
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2705099264
revocation-check none
rsakeypair TP-self-signed-2705099264
!
!
! NOTE(review): decoding the DER below, the signature OID is md5WithRSAEncryption,
! the key is 1024-bit, and the UTCTime validity fields read 930301000143Z to
! 200101000000Z, i.e. the certificate was minted while the clock was at its unset
! default and is long expired — confirm with "show crypto pki certificates" and
! regenerate after NTP sync (a fresh key pair, SHA-based signature).
crypto pki certificate chain TP-self-signed-2705099264
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373035 30393932 3634301E 170D3933 30333031 30303031
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37303530
39393236 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CA53 DD5DBB4F 50CE86E1 F9D56795 99B22464 AD20DC15 5C641635 CF1200AD
121033F4 5C833DA4 E2138FB1 C9D38453 B7A60505 E7EB5435 3B3ABD73 87E0DC58
F2A7424A 9D7E1E26 D3A507B7 EBD96FE3 304184F2 367CE517 6524357C 2B4EE5C5
08776685 1A19D201 1B63AA7C 3F360051 43256218 B7517ABF E9C2D94F 93701F97
65950203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
551D1104 10300E82 0C626569 6A69616F 33373530 2E301F06 03551D23 04183016
80147B7A 802DAE52 2C369C7B 53E2E827 86306934 E984301D 0603551D 0E041604
147B7A80 2DAE522C 369C7B53 E2E82786 306934E9 84300D06 092A8648 86F70D01
01040500 03818100 9A64C55E 8FA1357D 42F2BAB3 1D2E14A1 B80EEB47 327B9D7B
E97F2DCA A418B0C6 FE48522A E2F69C86 0D4F25AF 80559994 B8877962 ADC3090B
9CBE026C CAB1212F ACB00DB9 D5585DA5 D037A1B2 C1E468E4 0772BBCC DACFFE4D
33AEDB37 24366AC2 EA7A55A9 DCBEBDBE D53C4154 45A07D4F 840ED964 04996897
7A7AE69A 6EE310BA
quit
!
!
!
! Automatic err-disable recovery for every cause, including the security-driven
! ones (security-violation / psecure-violation / arp-inspection / dhcp-rate-limit /
! bpduguard). A port shut down for a violation therefore comes back on its own after
! the recovery interval (no "errdisable recovery interval" appears here, so the
! platform default applies). Make sure the recovery and the original violation are
! both forwarded to the syslog host, otherwise a repeatedly offending port is easy to miss.
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
!
! Per-VLAN STP. "portfast default" applies to access ports only; every physical port
! in this file is a trunk, so it has no effect on them. Priority 24576 on VLANs
! 1, 109 and 602 makes this switch the intended root (VLAN 602 has no SVI here).
! NOTE(review): bpduguard recovery is enabled above but no "spanning-tree portfast
! bpduguard default" appears in this file — confirm BPDU guard is set elsewhere.
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
spanning-tree vlan 1,109,602 priority 24576
!
vlan internal allocation policy ascending
!
!
! UDP rate limiting. The class matches traffic *permitted* by ACL limitudp (defined
! below); entries that ACL denies are simply exempt from the policer.
class-map match-all classlimitudp
match access-group name limitudp
!
!
! Police matched UDP to 100 kbit/s with an 8000-byte burst, dropping the excess.
! Applied per ingress port on Gi1/0/1-11 (not on Gi1/0/12).
policy-map policylimitudp
class classlimitudp
police 100000 8000 exceed-action drop
!
!
!
!
! Unused tunnel interface (no address, no source/destination); remove if not needed.
interface Tunnel0
no ip address
!
! Trunk port, DAI untrusted but with the ARP rate limit removed ("limit none"), IPv6
! rogue-RA/DHCPv6 filter inbound, UDP policer inbound.
! NOTE(review): plain "spanning-tree portfast" takes effect only on a non-trunking
! port; on this trunk it is inert. Gi1/0/11 uses "spanning-tree portfast trunk" —
! if edge behaviour is wanted here, that is the form that applies to a trunk.
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
ipv6 traffic-filter ACCESS_PORT in
spanning-tree portfast
service-policy input policylimitudp
!
! Gi1/0/2-6: identical trunk ports. DAI still inspects ARP on them (untrusted) but
! "limit none" removes the per-port ARP packet-rate limit, so an ARP flood on these
! ports cannot trigger err-disable and is bounded only by CPU. Compare Gi1/0/7-11,
! which keep the default rate limit.
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
! Gi1/0/7-8: same as the ports above but without "ip arp inspection limit none",
! i.e. the default DAI rate limit on untrusted ports stays in force. Intentional?
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
interface GigabitEthernet1/0/8
switchport trunk encapsulation dot1q
switchport mode trunk
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
! Gi1/0/9: DAI rate limit removed, like Gi1/0/2-6.
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
! Gi1/0/10: default DAI rate limit kept (see Gi1/0/7-8).
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
ipv6 traffic-filter ACCESS_PORT in
service-policy input policylimitudp
!
! Gi1/0/11: edge trunk ("portfast trunk" skips listening/learning on this trunk).
! Without BPDU guard a switch plugged in here can still join the STP domain.
interface GigabitEthernet1/0/11
switchport trunk encapsulation dot1q
switchport mode trunk
ipv6 traffic-filter ACCESS_PORT in
spanning-tree portfast trunk
service-policy input policylimitudp
!
! Gi1/0/12: the only DAI-trusted port (ARP from it is not inspected) and the only
! port without the UDP policer — presumably the uplink; confirm.
! NOTE(review): "bpdufilter enable" drops incoming BPDUs and sends none, so STP cannot
! detect a loop through this port. If it connects to another switch this is a loop
! risk; if a BPDU-free uplink is intended, document why here. Also note there is no
! "ip dhcp snooping trust" on it: a DHCP server reached through this port on VLAN 109
! would have its offers discarded by snooping.
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
ipv6 traffic-filter ACCESS_PORT in
spanning-tree bpdufilter enable
!
! Management SVI (192.168.100.70/25). RAs are suppressed here, so this VLAN's hosts
! do not learn this switch as an IPv6 default router. OSPFv3 area 0.
interface Vlan1
ip address 192.168.100.70 255.255.255.128
ipv6 address 1001:CC0:2020:1::3/64
ipv6 enable
ipv6 nd ra suppress
ipv6 ospf 1 area 0
!
! User SVI for the DHCP pool (192.168.199.254 is the pool's default-router). RAs are
! sent with high router preference so clients prefer this switch; the ACCESS_PORT
! IPv6 ACL on the physical ports is what stops hosts from sending competing RAs.
interface Vlan109
ip address 192.168.199.254 255.255.254.0
ipv6 address 1001:CC0:2020:3001::1/64
ipv6 enable
ipv6 nd router-preference High
ipv6 ospf 1 area 0
!
! OSPFv2: passive everywhere except Vlan1, so adjacencies only form on the
! management VLAN; the /32 network statements place both SVI addresses in area 0.
! No OSPF authentication is configured on either SVI in this file.
router ospf 1
log-adjacency-changes
passive-interface default
no passive-interface Vlan1
network 192.168.199.254 0.0.0.0 area 0
network 192.168.100.70 0.0.0.0 area 0
!
! Plain HTTP off; HTTPS on, reachable only from ACL 10 (192.168.100.0/24) and
! served with the self-signed certificate above.
no ip http server
ip http access-class 10
ip http secure-server
!
!
! Classifier for the UDP policer (class-map classlimitudp). "deny" here means
! *exempt from policing*: DNS/DHCP/SNMP, anything to or from the management
! subnet, all UDP from 192.168.198.10, and all UDP to 192.168.30.71 pass unpoliced;
! every other UDP flow is policed.
ip access-list extended limitudp
deny udp any any eq domain bootpc bootps snmp snmptrap
deny ip 192.168.100.0 0.0.0.255 any
deny ip any 192.168.100.0 0.0.0.255
deny udp host 192.168.198.10 any
deny udp any host 192.168.30.71
permit udp any any
! Not referenced anywhere in this file.
ip access-list extended match_all
permit ip any any
!
ip sla enable reaction-alerts
! Syslog to 192.168.100.45 (also the NTP server). No "logging trap" level is set,
! so the platform default severity applies; confirm DAI/snooping/err-disable
! messages actually arrive there.
logging 192.168.100.45
! ACL 10: management subnet; gates HTTPS, vty and the "rcode" SNMP community.
access-list 10 permit 192.168.100.0 0.0.0.255
! ACL 115: classic worm/RPC/SMB/RDP port block plus all ICMP, with two host pairs
! exempted. NOTE(review): nothing in this file applies ACL 115 to an interface or
! line, so it currently filters nothing — apply it or remove it.
access-list 115 permit ip host 192.168.198.1 host 192.168.30.70
access-list 115 permit ip host 192.168.30.70 host 192.168.198.1
access-list 115 deny udp any any eq 1434
access-list 115 deny udp any any eq 1433
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 3389
access-list 115 deny tcp any any eq 1025
access-list 115 deny tcp any any eq 2745
access-list 115 deny tcp any any eq 3127
access-list 115 deny tcp any any eq 6129
access-list 115 deny tcp any any eq 4444
access-list 115 deny tcp any any eq 5554
access-list 115 deny tcp any any eq 9996
access-list 115 deny tcp any any eq 1068
access-list 115 deny udp any any eq 8000
access-list 115 deny icmp any any
access-list 115 permit ip any any
!
! Static IP-to-MAC bindings that DAI on VLAN 109 accepts without a DHCP lease.
! NOTE(review): the MAC for 192.168.198.2 differs between the ARP ACL
! (00e0.b800.0570) and the static ARP entry below (00e0.b800.0580). One of them is
! a typo: with the ACL value, the host's ARP replies from the 0580 address would be
! dropped by DAI; with the static-ARP value, the switch itself sends frames to a MAC
! the ACL does not trust. Verify the real address and make both lines agree.
arp access-list beijiao
permit ip host 192.168.198.1 mac host 001c.25c9.dfdb
permit ip host 192.168.198.2 mac host 00e0.b800.0570 log
arp 192.168.198.1 001c.25c9.dfdb ARPA
arp 192.168.198.2 00e0.b800.0580 ARPA
! OSPFv3 process used by the two SVIs; no "passive-interface" or authentication here.
ipv6 router ospf 1
log-adjacency-changes
!
!
!
! SNMP. "rcode" is read-only and restricted to ACL 10 (management subnet).
! NOTE(review): "public" is read-only with NO access-list, so any reachable host
! can walk the device with a default community string; remove it or bind it to
! ACL 10 like "rcode". Both are v1/v2c communities sent in cleartext — SNMPv3
! (auth/priv) is the fix if the NMS supports it.
snmp-server community rcode RO 10
snmp-server community public RO
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp ifmib ifindex persist
!
! Applied inbound on all physical ports: blocks DHCPv6 server->client replies
! (547 -> 546) and Router Advertisements from attached hosts, then permits the rest.
! This is the rogue-RA / rogue-DHCPv6 protection for VLAN 109.
ipv6 access-list ACCESS_PORT
remark Block all traffic DHCP server -> client
deny udp any eq 547 any eq 546
remark Block Router Advertisements
deny icmp any any router-advertisement
permit ipv6 any any
!
! IPv6 vty restriction: only the management prefix and 1001:CC0:2020:1001::/64
! may reach the Vlan1 address; everything else hits the implicit deny.
ipv6 access-list vty-v6-acl
permit ipv6 1001:CC0:2020:1::/64 1001:CC0:2020:1::/64
permit ipv6 1001:CC0:2020:1001::/64 1001:CC0:2020:1::/64
!
!
! NOTE(review): the console line has no "login"/"password" here, so physical
! console access gives an exec prompt without authentication — confirm that is
! accepted for this site.
line con 0
! vty 0-15: source-restricted by ACL 10 (IPv4) and vty-v6-acl (IPv6), line-password
! auth (type 7, reversible). No "exec-timeout" and no "transport input ssh" appear
! in this file, so idle sessions persist and telnet is presumably still accepted —
! an RSA key pair already exists, so restricting to SSH is a small change.
line vty 0 4
access-class 10 in
password 7 01100F1758045558741C5E080A16001D19058
ipv6 access-class vty-v6-acl in
login
line vty 5 15
access-class 10 in
password 7 01100F1758045558741C5E080A16001D19058
ipv6 access-class vty-v6-acl in
login
!
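! Time from the syslog host. No "ntp authenticate"/"ntp authentication-key" is
! configured, so the time source is unauthenticated; correct time matters here
! because the HTTPS certificate and log timestamps depend on it.
! "ntp clock-period" is written by IOS itself and should not be entered by hand.
ntp clock-period 36028805
ntp server 192.168.100.45
! Fix: the listing ended with "endreact", which is not an IOS keyword (the trailing
! text looks like page residue); "end" is the correct terminator.
end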