Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

Craig Curtin

Member
Just got a ICX6450-48P that powers on but I can't get anything from either the console port or the management port.
I've used the same RS232 USB RJ45 that works on my ICX7150-C12P

Is there any possibility that the console port or the management port gets disabled? If so how do I reset it or gain access to reconfigure it? Also is there a default IP for the management port?

Thanks!
No there is no default IP applied to the port until you do so through the console cable

I am not aware of any way to (programmatically) disable the ports - someone may have damaged them but seems unlikely - more often than not it is a faulty cable/port on the computer end - personally for $10 or so I would just order another Console cable with USB connector

Craig
 

narapon

New Member
There is no hint of any physical damage on console or management ports, the console cable I used is known to be good and it works with my ICX7150-C12P that I also have. I've also opened up the switch to visually check the console port area, nothing seems off or dusty

A bit lost at what to do besides sending it back via ebay returns
 

narapon

New Member
turns out dust was the culprit! after blowing out the dust, it worked again!
 

Craig Curtin

Member
OK more updates on my attempts to get these switches working reliably with Intel 10Gb adapters and ESXi

So i have a new testbed setup

2 x 6450 standard setup as per fohdeesha's docs - all licensing done etc.
Let's call them switch 1 and switch 2


I have connected the two 6450 via the 1/2/1 port using Dell Coded 10GB-RJ45 transceivers - running over a 50m CAT6 cable and they both come up at 10GB and report all is well - says to me that the switches are happy with the Transceivers and all works OK

Doing a show brief e 1/2/1 on both shows them both up and connected at 10GB and traffic flows across the switches

I can reboot both switches (both hot and cold boots) and they come back up and bring the links up in due course.

Connect a Dell R730 (ESXI 7.01) with an added Intel 540T dual port adapter - connect the 4 onboard 1GB ports to switch 1 port 1/1 to 1/4 - no LAG or other config on the switch - all 4 ports come up and see traffic

I then take one of the 540T ports and connect that to a Linux host with a CAT 6 cable - this linux host has a dual port Intel 520DA adapter with the firmware update done to allow the adapter to accept any transceivers. Both the ESXi host and the Linux host see the direct link between the two machines and bring it up and can transfer traffic across it. I have configured this up as a separate subnet with appropriate addressing

I then take the 2nd port on the Linux host and connect it to 1/2/4 on switch 1 with a DAC cable and it connects straight away and works

I then take the 2nd Port from the R730 540T and connect that to a Dell transceiver in port 1/2/3 on switch 1 - this is recognised and comes up immediately - it has no IP addressing or VLANs at this stage - a simple vSwitch on ESXI with the Physical adapter added to that switch.

I add the jumbo setting to switch 1 and perform a reboot - when it comes back up the 540T port is now showing as disconnected

So i delete the vswitch and create a new one with packet size set to 9000 and attach the Intel 540T to that vswitch - make sure the adapter is set to autoconfigure for speed - and still it will not come back up

Change it from Autoconfigure to set it hardcoded at 10,000 and still it will not come back up.

The only thing i have not done yet is reboot the host

I have then removed the Jumbo setting from the switch and tried it again after a reboot and still no difference regardless of the permutations of settings in ESXi.

I have another Dell R710 here that i am going to run up with ESXI 6.7 shortly and try that and see where i get to.

There seems to be something flakey with ESXI 7 and these switches and 10GB cards

Craig
 

ProZak512

New Member
OK I'm crying Uncle. I can't get either an Amcrest or a Reolink POE IP camera to power on. ICX6610, single PSU but it shows 748000 mw available, POE is enabled, firmwares are all updated based on Fohdeesha's instructions... I have no idea how to troubleshoot this. What useful diagnostic info can I provide? Thanks in advance, y'all. Google has failed me.
 

LodeRunner

Active Member
On the 6610 do you need to add "inline power" statements to ports to enable PoE or are they all powered by default?

'sh inline power' should show the PoE overview and if the port is in an error/fault state. On my 7450 I also have 'sh inline power detail' and 'sh inline power debug' commands.

On my 7150 which is powering an AP, here's the debug output:
Code:
 1/1/12 On      On          4400      15400  2P-IEEE  n/a            3  n/a
 Last 5 HW port status:
        1:Not Read From Hardware                        2:Not Read From Hardware                  
        3:Not Read From Hardware                        4:0x1B Detection in Progress              
        5:0x01 af/at PD Detected                  

Max Power Capability for 2pair PD :30000 mWatts
Highest Power Requested by PD Through LLDP/CDP :n/a
 

ProZak512

New Member
Yep, followed the (superb) documentation and added inline power to the first 24 ports:

Code:
SSH@ICX6610-48P Router#show inline power

Power Capacity:        Total is 748000 mWatts. Current Free is 748000 mWatts.

Power Allocations:     Requests Honored 24 times


 Port    Admin     Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
         State     State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
  1/1/1    On     Off            0          0  n/a      n/a         3  n/a
  1/1/2    On     Off            0          0  n/a      n/a         3  n/a
  1/1/3    On     Off            0          0  n/a      n/a         3  n/a
  1/1/4    On     Off            0          0  n/a      n/a         3  n/a
  1/1/5    On     Off            0          0  n/a      n/a         3  n/a
  1/1/6    On     Off            0          0  n/a      n/a         3  n/a
  1/1/7    On     Off            0          0  n/a      n/a         3  n/a
  1/1/8    On     Off            0          0  n/a      n/a         3  n/a
  1/1/9    On     Off            0          0  n/a      n/a         3  n/a
 1/1/10    On     Off            0          0  n/a      n/a         3  n/a
 1/1/11    On     Off            0          0  n/a      n/a         3  n/a
 1/1/12    On     Off            0          0  n/a      n/a         3  n/a
 1/1/13    On     Off            0          0  n/a      n/a         3  n/a
 1/1/14    On     Off            0          0  n/a      n/a         3  n/a
 1/1/15 On      Off            0          0  n/a      n/a         3  n/a
 1/1/16 On      Off            0          0  n/a      n/a         3  n/a
 1/1/17 On      Off            0          0  n/a      n/a         3  n/a
 1/1/18 On      Off            0          0  n/a      n/a         3  n/a
 1/1/19 On      Off            0          0  n/a      n/a         3  n/a
 1/1/20 On      Off            0          0  n/a      n/a         3  n/a
 1/1/21 On      Off            0          0  n/a      n/a         3  n/a
 1/1/22 On      Off            0          0  n/a      n/a         3  n/a
 1/1/23 On      Off            0          0  n/a      n/a         3  n/a
 1/1/24 On      Off            0          0  n/a      n/a         3  n/a
and

Code:
SSH@ICX6610-48P Router#show inline power detail 

Power Supply Data On stack 1:
++++++++++++++++++
Power Supply Data:
++++++++++++++++++
power supply 1 is not present 

Power Supply #2:
    Max Curr:      13.6 Amps
    Voltage:       55.0 Volts
    Capacity:      748 Watts

POE Details Info. On Stack 1 : 

General PoE Data:
+++++++++++++++++
Firmware                                                          
Version                                                           
----------------                                                  
02.1.0 Build 004

Cumulative Port State Data:                                       
+++++++++++++++++++++++++++                                       
#Ports    #Ports     #Ports   #Ports    #Ports       #Ports     #Ports
Admin-On  Admin-Off  Oper-On  Oper-Off  Off-Denied   Off-No-PD  Off-Fault
-------------------------------------------------------------------------
24        24         0        48        0            24         0        
Cumulative Port Power Data:                                       
+++++++++++++++++++++++++++                                       
#Ports  #Ports  #Ports        Power       Power                   
Pri: 1  Pri: 2  Pri: 3  Consumption  Allocation                   
-----------------------------------------------                   
0       0       24          0.0   W     0.0   W
I have a known working camera plugged into port 15 and it's not showing anything. :/

Where else can I look?

Thanks again y'all. This forum is amazing.

-Zak-
 

fohdeesha

Kaini Industries
What's the exact camera model? Also, try one of the end ports, like 42 (be sure to enable inline power)
 

ProZak512

New Member
Camera is an Amcrest IP8M-2693EW-AI, works fine (though a different switch) using a Ubiquiti POE injector I had laying around.

Code:
 1/1/41    Off    Off            0          0  n/a      n/a         3  n/a
 1/1/42    On     Off            0          0  n/a      n/a         3  n/a
 1/1/43    Off    Off            0          0  n/a      n/a         3  n/a
Maybe I should nuke the switch from orbit and start over? Could I have missed something in the firmware / licensing / etc from the instructions? (I'm still in testing mode, this isn't a production switch yet)
 

Craig Curtin

Member
Post up your config maybe - but as long as you have the inline power options you should be good.

I was reading the manual the other day looking for something and i saw there are different styles of POE that can be enabled - is this an old camera ? May be worth reading up on those and also how much power it needs ?

Craig
 

ProZak512

New Member
Thanks for chiming in, Craig, I appreciate it. This is only about a year old, more specs here.

Config information:
Code:
SSH@ICX6610-48P Router(config)#show config
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
  no legacy-inline-power
stack disable
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!                                                                 
aaa authentication web-server default local
aaa authentication login default local
ip dhcp-client disable
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
!
logging buffered 1000
no telnet server
username USER password .....
!
clock summer-time
clock timezone gmt GMT-06
!
ntp
 disable serve
 server 216.239.35.0
 server 216.239.35.4
!
interface ethernet 1/1/1
 inline power power-limit 15400
!
interface ethernet 1/1/2
 inline power power-limit 15400
!
interface ethernet 1/1/3
 inline power power-limit 15400
!
interface ethernet 1/1/4
 inline power power-limit 15400
!
interface ethernet 1/1/5
 inline power power-limit 15400
!
interface ethernet 1/1/6
 inline power power-limit 15400
!                                                                 
interface ethernet 1/1/7
 inline power power-limit 15400
!
interface ethernet 1/1/8
 inline power power-limit 15400
!
interface ethernet 1/1/9
 inline power power-limit 15400
!
interface ethernet 1/1/10
 inline power power-limit 15400
!
interface ethernet 1/1/11
 inline power power-limit 15400
!
interface ethernet 1/1/12
 inline power power-limit 15400
!
interface ethernet 1/1/13
 inline power power-limit 15400
!
interface ethernet 1/1/14
 inline power power-limit 15400                                   
!
interface ethernet 1/1/15
 inline power power-limit 15400
!
interface ethernet 1/1/16
 inline power power-limit 15400
!
interface ethernet 1/1/17
 inline power power-limit 15400
!
interface ethernet 1/1/18
 inline power power-limit 15400
!
interface ethernet 1/1/19
 inline power power-limit 15400
!
interface ethernet 1/1/20
 inline power power-limit 15400
!
interface ethernet 1/1/21
 inline power power-limit 15400
!
interface ethernet 1/1/22                                         
 inline power power-limit 15400
!
interface ethernet 1/1/23
 inline power power-limit 15400
!
interface ethernet 1/1/24
 inline power power-limit 15400
!
interface ethernet 1/3/1
 speed-duplex 10G-full
!
interface ethernet 1/3/2
 speed-duplex 10G-full
!
interface ethernet 1/3/3
 speed-duplex 10G-full
!
interface ethernet 1/3/4
 speed-duplex 10G-full
!
interface ethernet 1/3/5
 speed-duplex 10G-full
!                                                                 
interface ethernet 1/3/6
 speed-duplex 10G-full
!
interface ethernet 1/3/7
 speed-duplex 10G-full
!
interface ethernet 1/3/8
 speed-duplex 10G-full
!
interface ve 1
 ip address 192.168.1.200 255.255.255.0
!
end
 

ProZak512

New Member
Plugged in a Ubiquiti WiFi AP and it powers right up:
Code:
SSH@ICX6610-48P Router(config)#show inline power 

Power Capacity:        Total is 748000 mWatts. Current Free is 732600 mWatts.

Power Allocations:     Requests Honored 26 times

 Port    Admin     Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
         State     State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
  1/1/1    On     Off            0          0  n/a      n/a         3  n/a
  1/1/2    On     Off            0          0  n/a      n/a         3  n/a
  1/1/3    On     Off            0          0  n/a      n/a         3  n/a
  1/1/4    On     Off            0          0  n/a      n/a         3  n/a
  1/1/5    On     Off            0          0  n/a      n/a         3  n/a
  1/1/6    On     Off            0          0  n/a      n/a         3  n/a
  1/1/7    On     Off            0          0  n/a      n/a         3  n/a
  1/1/8    On     Off            0          0  n/a      n/a         3  n/a
  1/1/9    On     Off            0          0  n/a      n/a         3  n/a
 1/1/10    On     Off            0          0  n/a      n/a         3  n/a
 1/1/11    On     On          3000      15400  802.3af  n/a         3  n/a
 1/1/12    On     Off            0          0  n/a      n/a         3  n/a
So! That's progress. I'll keep messing with the camera(s) and troubleshoot from there. Thanks for your attention, sorry for the waste of everyone's time.

-Zak-
 

simbo

New Member
I'm having a problem with L3 features on a 6610. I can't add an IP to an ethernet interface. Not sure if it's a licensing problem. Do I need a ICX6610-PREM-LIC-SW?

I followed Fohdeesha guides when I originally set this up. Apologies if the ICX6610-PREM-LIC-SW license is mentioned in the docs, but I couldn't see a reference to it.

Here's me adding an IP to an interface and failing:
Code:
SSH@sw-core#conf t
SSH@sw-core(config)#int ethe 1/1/3
SSH@sw-core(config-if-e1000-1/1/3)#ip address 10.0.0.6/30
Invalid input -> address 10.0.0.6/30
Type ? for a list
SSH@sw-core(config-if-e1000-1/1/3)#
Here's my license:
Code:
#show lic
Index    Lic Mode        Lic Name               Lid/Serial No  Lic Type    Status     Lic Period    Lic Capacity
Stack unit 1:
2        Node Lock       ICX6610-10G-LIC-POD    H4CKTH3PLN8    Normal      Active     Unlimited         8
3        Node Lock       ICX-MACSEC-LIC         H4CKTH3PLN8    Normal      Active     Unlimited         1
4        Node Lock       ICX6610-ADV-LIC-SW     H4CKTH3PLN8    Normal      Active     Unlimited         1
Here's the firmware:
Code:
show flash
Stack unit 1:
  Compressed Pri Code size = 10545591, Version:08.0.30uT7f3 (FCXR08030u.bin)
  Compressed Sec Code size = 10543944, Version:08.0.30hT7f3 (FCXR08030h.bin)
  Compressed Boot-Monitor Image size = 370695, Version:10.1.00T7f5
  Code Flash Free Space = 43646976
 

fohdeesha

Kaini Industries
the "ICX6610-ADV-LIC-SW" license from the guide is the PREM license with even more features, it's not a license issue. you probably have that port in a vlan with a virtual interface assigned to it. when a port is in a vlan, and the vlan has a VE assigned to it, that's where l3 stuff like IP is handled. if you want an IP directly on a port, take the port out of any vlans with l3 VEs on them
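
Added example (not part of any post in this thread, and not code from the switch vendor or the guide): a small Python check that reads the `vlan` stanzas of a saved config and reports which VLANs with a `router-interface ve` a given port belongs to, which is the condition described above. The sample config is constructed, modelled on the stanza format shown in this thread; the rule that a port listed in no VLAN stanza is an untagged member of default VLAN 1 is an assumption.

```python
import re

DEFAULT_VLAN = 1  # assumption: the default VLAN ID has not been changed

# Constructed sample, modelled on the "vlan ... by port" stanzas in this thread.
SAMPLE_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
 spanning-tree 802-1w
!
vlan 2 name VLAN-VIDEO by port
 tagged ethe 1/1/1 to 1/1/2 ethe 1/3/1 to 1/3/8
 untagged ethe 1/1/41 to 1/1/48
 router-interface ve 2
!
vlan 3 name VLAN-VOIP by port
 tagged ethe 1/1/1 to 1/1/2
 router-interface ve 3
!
vlan 50 name TRANSIT by port
 untagged ethe 1/1/19
!
"""

PORT_RE = re.compile(r"(\d+)/(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+)/(\d+))?")


def expand_ports(spec):
    """Expand 'ethe 1/1/1 to 1/1/2 ethe 1/2/7' into a set of (unit, module, port)."""
    ports = set()
    for m in PORT_RE.finditer(spec):
        unit, module, first = int(m[1]), int(m[2]), int(m[3])
        if m[4] is None:                      # single port, no "to"
            ports.add((unit, module, first))
            continue
        unit2, module2, last = int(m[4]), int(m[5]), int(m[6])
        if (unit, module) != (unit2, module2) or last < first:
            raise ValueError(f"unsupported port range: {m[0]}")
        ports.update((unit, module, p) for p in range(first, last + 1))
    return ports


def parse_vlans(config):
    """Return {vlan_id: {'name', 'tagged', 'untagged', 've'}} from config text."""
    vlans, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()                    # indentation is often lost in pastes
        if line == "!":
            cur = None                        # '!' closes the current stanza
        elif head := re.match(r"vlan (\d+)(?: name (\S+))?", line):
            cur = vlans.setdefault(int(head[1]), {
                "name": head[2], "tagged": set(), "untagged": set(), "ve": None})
        elif cur is not None:
            if line.startswith(("tagged ", "untagged ")):
                mode, spec = line.split(" ", 1)
                cur[mode] |= expand_ports(spec)
            elif ve := re.match(r"router-interface ve (\d+)", line):
                cur["ve"] = int(ve[1])
    return vlans


def ve_vlans_for_port(vlans, port_str):
    """List (vlan_id, ve_id, membership) for every VE-bearing VLAN the port is in."""
    port = next(iter(expand_ports(port_str)))
    hits, listed = [], False
    for vid, vlan in sorted(vlans.items()):
        for mode in ("untagged", "tagged"):
            if port in vlan[mode]:
                listed = True
                if vlan["ve"] is not None:
                    hits.append((vid, vlan["ve"], mode))
    default = vlans.get(DEFAULT_VLAN)
    # Assumption: a port named in no stanza sits untagged in the default VLAN.
    if not listed and default and default["ve"] is not None:
        hits.append((DEFAULT_VLAN, default["ve"], "untagged (implicit)"))
    return hits


def describe(vlans, port_str):
    """One-line verdict for a port, in the terms used in the reply above."""
    hits = ve_vlans_for_port(vlans, port_str)
    if not hits:
        return f"{port_str}: in no VLAN with a VE"
    where = ", ".join(f"vlan {v} -> ve {ve} ({mode})" for v, ve, mode in hits)
    return f"{port_str}: L3 is handled on the VE: {where}"


if __name__ == "__main__":
    parsed = parse_vlans(SAMPLE_CONFIG)
    for p in ("1/1/3", "1/1/41", "1/1/1", "1/1/19"):
        print(describe(parsed, p))
```
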
 

simbo

New Member
Thanks for the info re the Advanced license.

Hmm.....No VLAN on the port (other than VLAN 1). Here's the interface info:
Code:
#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
  Port up for 2 hour(s) 24 minute(s) 13 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror enabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is SRV-FIREWALL
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 1432 bits/sec, 2 packets/sec, 0.00% utilization
  604 packets input, 156541 bytes, 0 no buffer
  Received 0 broadcasts, 603 multicasts, 1 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  16586 packets output, 1281589 bytes, 0 underruns
  Transmitted 10856 broadcasts, 5722 multicasts, 8 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0                8881                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                3606                   0
    6                   0                   0
    7                4099                   0
It's also weird that I don't get offered an option for 'address' when I tab complete on 'ip':
Code:
SSH@sw-core(config-if-e1000-1/1/19)#ip
  access-list                   Configure named access list
  add-host-route-first          Add host route before sending buffered packets
  arp                           Set ARP option
  arp-age                       Set ARP aging period
  as-path                       Set BGP AS Path filter
  bootp-use-intf-ip             Use incoming interface IP as source IP
  broadcast-zero                Enable directed broadcast forwarding
  community-list                Set BGP Community filter
  default-network               Configure default network route
  dhcp                          Set DHCP option
  dhcp-client                   DHCP client options
  dhcp-server                   DHCP Server
  dhcp-valid-check              Check DHCP offer packet for NULL client addr
  directed-broadcast            Enable directed broadcast forwarding
  dns                           Set DNS properties
  dscp-remark                   Mark IP packets with DSCP parameters
  follow-ingress-vrf            Follow ingress VRF for replying to SNMP request
  forward-protocol              Select protocols to be included in broadcast
                                forwarding
  helper-use-responder-ip       Retain Responder's Source IP In Reply
  hitless-route-purge-timer     Time after switchover, to start IPv4 route purge
  icmp                          Control ICMP attacks
  igmp                          Set IGMP properties
  igmp-report-control           Rate limit forwarding IGMP reports to upstream
                                Router
  irdp                          Enable IRDP for dynamic route learning
  load-sharing                  Enable IP load sharing
  max-mroute                    Configure maximum multicast route (mroute)
  mroute                        Configure static multicast route
  multicast                     Set IGMP snooping globally
  multicast-debug-mode          Enable global multicast debug mode for all vrf
  multicast-nonstop-routing     Enable global multicast nonstop-routing support
                                for all vrf
  multicast-routing             Enable global support for Multicast routing and
                                IGMP
  pcp-remark                    Mark tagged packets with PCP parameters
  pimsm-snooping                Set PIMSM snooping globally
  policy                        Enable policy routing
  prefix-list                   Build a IPv4 prefix list
  preserve-acl-user-input-format
  proxy-arp                     Enable router to act as ARP proxy for its
                                subnets
  radius                        Configure RADIUS authentication
  rarp                          Enable RARP protocol on this router
  route                         Define static route
  router-id                     Change the router ID already in use
  show-acl-service-number       Use TCP/UDP service number to display ACL clause
  show-portname                 Display port name for the interface on log
                                messages
  show-service-number-in-log    Use App service number in log display
  show-subnet-length            Change subnet mask display to prefix format
  source                        Set source guard option
  source-route                  Process packets with source routing option
  ssh                           Configure Secure Shell
  ssl                           Configure Secure Socket
  syslog                        Specify syslog options
  tacacs                        Configure TACACS authentication
  tcp                           Control TCP SYN attacks
  telnet                        Specify telnet options
  tftp                          Specify tftp options
  ttl                           Set time-to-live for packets on the network
  <cr>
 

fohdeesha

Kaini Industries
Did you assign vlan 1 a ve interface? What do "show ip int" and "show int ve 1" show? Alternatively, you can just paste your whole config here.
 

simbo

New Member
Did you assign vlan 1 a ve interface? What do "show ip int" and "show int ve 1" show? Alternatively, you can just paste your whole config here.
Code:
SSH@switch-garage-rack-2>show ip int
Interface           IP-Address      OK?  Method    Status             Protocol   VRF
Eth mgmt1           172.16.0.13     YES  NVRAM     up                 up         default-vrf
SSH@switch-garage-rack-2>show int ve 1
Error - ve 1 was not configured

There's a bit in here. Sorry in advance!

Code:
SSH@sw-core#show config
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
stack disable
!
global-stp
!
!
lag LAG-SW-R2-TOR dynamic id 2
ports ethernet 1/3/5 to 1/3/6
primary-port 1/3/5
deploy
sflow forwarding ethernet 1/3/5
port-name SW-R2-TOR ethernet 1/3/5
sflow forwarding ethernet 1/3/6
port-name SW-R2-TOR ethernet 1/3/6
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree 802-1w
!
vlan 2 name VLAN-VIDEO by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/41 to 1/1/48
router-interface ve 2
!
vlan 3 name VLAN-VOIP by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 3
spanning-tree 802-1w
!
vlan 4 name VLAN-CORP-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 4
spanning-tree 802-1w
!
vlan 5 name VLAN-GUEST by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10
router-interface ve 5
spanning-tree 802-1w
!
vlan 6 name VLAN-CORPORATE by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 6
spanning-tree 802-1w
!
vlan 7 name VLAN-DMZ-1 by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 7
spanning-tree 802-1w
!
vlan 8 name VLAN-IOT by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/35
router-interface ve 8
spanning-tree 802-1w
!
vlan 9 name VLAN-KIDS-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 9
spanning-tree 802-1w
!
vlan 10 name VLAN-NET-SVC by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/4
router-interface ve 10
spanning-tree 802-1w
!
vlan 11 name VLAN-APT-CACHE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 11
spanning-tree 802-1w
!
vlan 20 name VLAN-APPS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 20
spanning-tree 802-1w
!
vlan 30 name VLAN-DEV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 30
spanning-tree 802-1w
!
vlan 71 name VLAN-ALEXA by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 71
spanning-tree 802-1w
!
vlan 72 name VLAN-SONOS by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 72
spanning-tree 802-1w
!
vlan 73 name VLAN-MAILBOX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 73
spanning-tree 802-1w
!
vlan 74 name VLAN-TV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 74
spanning-tree 802-1w
!
vlan 75 name VLAN-PLEX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 75
spanning-tree 802-1w
!
vlan 76 name VLAN-SYNCTHING by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 76
spanning-tree 802-1w
!
vlan 77 name VLAN-GAMING by port
tagged ethe 1/1/1 ethe 1/2/2 ethe 1/2/4 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/10
router-interface ve 77
spanning-tree 802-1w
!
vlan 78 name VLAN-LOGGING by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 78
spanning-tree 802-1w
!
vlan 81 name VLAN-NEST by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 81
spanning-tree 802-1w
!
vlan 82 name VLAN-ESP-HOME by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 82
spanning-tree 802-1w
!
vlan 83 name VLAN-XIAOMI by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 83
spanning-tree 802-1w
!
vlan 88 name VLAN-MIKROTIK by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 88
spanning-tree 802-1w
!
vlan 95 name VLAN-BASTION by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/8
router-interface ve 95
spanning-tree 802-1w
!
vlan 96 name VLAN-BACKUP by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/6 ethe 1/1/12 ethe 1/1/16
router-interface ve 96
spanning-tree 802-1w
!
vlan 97 name VLAN-TRUENAS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 97
spanning-tree 802-1w
!
vlan 98 name VLAN-PROXMOX by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/8
router-interface ve 98
spanning-tree 802-1w
!
vlan 99 name VLAN-IPMI by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/2 ethe 1/3/8
untagged ethe 1/1/9 ethe 1/1/11 ethe 1/1/15
router-interface ve 99
spanning-tree 802-1w
!
vlan 100 name VLAN-STORAGE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 100
spanning-tree 802-1w
!
vlan 202 name VLAN-HIKVISION by port
tagged ethe 1/3/1 to 1/3/8
spanning-tree 802-1w
!
!
!
!
!
system-max l3-vlan 64
system-max ip-route 4096
system-max ip-route-default-vrf 1024
system-max ip6-route-default-vrf 100
system-max ip-route-vrf 128
system-max ip6-route-vrf 64
system-max max-dhcp-snoop-entries 2048
!
aaa authentication web-server default local
aaa authentication login default local
jumbo
enable password-display
enable telnet authentication
enable aaa console
enable user password-masking
hostname sw-core
ip dhcp-client disable
ip dns domain-list kellgari.local
ip dns domain-list kellgari
ip dns server-address 10.0.1.1 10.0.10.10 10.0.10.20 1.1.1.1
ip forward-protocol udp 5353
ip forward-protocol udp bootps
ip proxy-arp
ip route 0.0.0.0/0 172.16.0.1
ip router-id 172.16.0.14
ip multicast query-interval 120
!
logging host 10.0.78.10
logging console
mirror-port ethernet 1/1/3
!
username root password 8 XXXXXXX
radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 default key 2 XXXXXXX
cdp run
fdp run
snmp-server community 2 $JiYmJiY= ro
snmp-server community 2 $U2kyXj1k ro
!
!
clock timezone gmt GMT+10
!
!
ntp
disable serve
server 10.0.1.1
!
!
web-management https
ssh access-group 90
ip multicast-routing
!
router ospf
area 0
redistribute connected
!
!
!
!
!
!
router pim
bsr-candidate ethernet 1/1/1 30 255
!
!
interface ethernet 1/1/1
port-name ROUTER
dual-mode
sflow forwarding
!
interface ethernet 1/1/2
port-name AP-GARAGE
dual-mode
inline power
sflow forwarding
!
interface ethernet 1/1/3
port-name SRV-FIREWALL
sflow forwarding
!
interface ethernet 1/1/4
port-name PI-DHCP-1
dhcp snooping trust
inline power priority 1 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/5
port-name PI-MONITORING-1
inline power
sflow forwarding
!
interface ethernet 1/1/6
port-name SW-R1-TOR-MANAGEMENT
sflow forwarding
!
interface ethernet 1/1/7
sflow forwarding
!
interface ethernet 1/1/8
port-name PI-BASTION-1
inline power
sflow forwarding
!
interface ethernet 1/1/9
port-name SRV-FIREWALL-IPMI
sflow forwarding
!
interface ethernet 1/1/10
port-name PC-GAMING
sflow forwarding
!
interface ethernet 1/1/11
port-name SRV-BACKUP-1-IPMI
sflow forwarding
!
interface ethernet 1/1/12
port-name SRV-BACKUP-1
sflow forwarding
!
interface ethernet 1/1/13
port-name PC-LOCAL-MGMT
sflow forwarding
!
interface ethernet 1/1/14
port-name PI-KVM-1
inline power priority 2 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/15
port-name SRV-BACKUP-2-IPMI
sflow forwarding
!
interface ethernet 1/1/16
port-name SRV-BACKUP-2
sflow forwarding
!
interface ethernet 1/1/17
sflow forwarding
!
interface ethernet 1/1/18
sflow forwarding
!
interface ethernet 1/1/19
sflow forwarding
!
interface ethernet 1/1/20
sflow forwarding
!
interface ethernet 1/1/21
sflow forwarding
!
interface ethernet 1/1/22
sflow forwarding
!
interface ethernet 1/1/23
sflow forwarding
!
interface ethernet 1/1/24
sflow forwarding
!
interface ethernet 1/1/25
sflow forwarding
!
interface ethernet 1/1/26
sflow forwarding
!
interface ethernet 1/1/27
sflow forwarding
!
interface ethernet 1/1/28
sflow forwarding
!
interface ethernet 1/1/29
sflow forwarding
!
interface ethernet 1/1/30
sflow forwarding
!
interface ethernet 1/1/31
sflow forwarding
!
interface ethernet 1/1/32
sflow forwarding
!
interface ethernet 1/1/33
sflow forwarding
!
interface ethernet 1/1/34
sflow forwarding
!
interface ethernet 1/1/35
port-name TRADFRI
sflow forwarding
!
interface ethernet 1/1/36
sflow forwarding
!
interface ethernet 1/1/37
sflow forwarding
!
interface ethernet 1/1/38
sflow forwarding
!
interface ethernet 1/1/39
sflow forwarding
!
interface ethernet 1/1/40
sflow forwarding
!
interface ethernet 1/1/41
port-name CAM-1
inline power
sflow forwarding
!
interface ethernet 1/1/42
port-name CAM-2
inline power
sflow forwarding
!
interface ethernet 1/1/43
port-name CAM-3
inline power
sflow forwarding
!
interface ethernet 1/1/44
port-name CAM-4
inline power
sflow forwarding
!
interface ethernet 1/1/45
port-name CAM-5
inline power
sflow forwarding
!
interface ethernet 1/1/46
port-name CAM-6
inline power
sflow forwarding
!
interface ethernet 1/1/47
inline power
sflow forwarding
!
interface ethernet 1/1/48
inline power
sflow forwarding
!
interface ethernet 1/2/1
dual-mode
sflow forwarding
!
interface ethernet 1/2/2
sflow forwarding
!
interface ethernet 1/2/3
dual-mode
sflow forwarding
!
interface ethernet 1/2/4
sflow forwarding
!
interface ethernet 1/2/5
sflow forwarding
!
interface ethernet 1/2/6
sflow forwarding
!
interface ethernet 1/2/7
dual-mode
sflow forwarding
!
interface ethernet 1/2/8
port-name SW-LOUNGE
dual-mode
sflow forwarding
!
interface ethernet 1/2/9
port-name SW-OFFICE
dual-mode
sflow forwarding
!
interface ethernet 1/2/10
port-name SW-MASTER
dual-mode
sflow forwarding
!
interface ethernet 1/3/1
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/2
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/3
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/4
dual-mode
disable
speed-duplex 10G-full
!
interface ethernet 1/3/5
port-name SW-R2-TOR
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/7
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/8
dual-mode
speed-duplex 10G-full
!
interface ve 1
ip address 172.16.0.14 255.255.255.0
ip helper-address 1 10.0.10.34
ip ospf area 0
!
interface ve 2
port-name VLAN-VIDEO
ip access-group VIDEO-IN in
ip address 192.168.1.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 3
port-name VLAN-VOIP
ip address 172.16.3.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 4
port-name CORP-WIRELESS
acl-logging
ip access-group CORP-IN in
ip address 172.16.4.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 5
port-name VLAN-GUEST
ip access-group GUEST-IN in
ip address 172.16.5.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 6
port-name CORP-WIRED
ip access-group CORP-IN in
ip address 172.16.6.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 7
port-name VLAN-DMZ-1
ip address 10.0.7.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 8
port-name VLAN-IOT
ip address 10.0.8.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 9
port-name "VLAN-KIDS"
ip access-group KIDS-IN in
ip address 10.0.9.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 10
port-name VLAN-NET-SVC
ip address 10.0.10.250 255.255.255.0
!
interface ve 11
port-name VLAN-APT-CACHE
ip access-group APT-CACHE-IN in
ip address 10.0.11.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 20
port-name VLAN-APPS
ip address 10.0.20.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 30
port-name VLAN-DEV
ip address 10.0.30.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 71
port-name VLAN-ALEXA
ip access-group ALEXA-IN in
ip address 10.0.71.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 72
port-name VLAN-SONOS
ip address 10.0.72.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 73
port-name VLAN-MAILBOX
ip address 10.0.73.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 74
port-name VLAN-TV
ip address 10.0.74.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 75
port-name VLAN-PLEX
ip address 10.0.75.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 76
port-name VLAN-SYNCTHING
ip access-group ALL-IN in
ip address 10.0.76.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 77
port-name VLAN-GAMING
ip access-group GAMING-IN in
ip address 10.0.77.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 78
port-name VLAN-LOGGING
ip access-group LOGGING-IN in
ip address 10.0.78.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 81
port-name VLAN-NEST
ip access-group IOT-NEST-IN in
ip address 10.0.81.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 82
port-name VLAN-ESP-HOME
ip helper-address 1 10.0.10.34
!
interface ve 83
port-name VLAN-XIAOMI
ip access-group IOT-XAIOMI-IN in
ip address 10.0.83.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 88
port-name VLAN-MIKROTIK
ip address 192.168.88.1 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 95
port-name VLAN-BASTION
ip address 172.16.95.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 96
port-name VLAN-BACKUP
ip access-group BACKUP-IN in
ip address 172.16.96.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 97
port-name VLAN-TRUENAS
ip access-group ALL-IN in
ip address 172.16.97.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 98
port-name VLAN-PROXMOX
ip address 172.16.98.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 99
port-name VLAN-IPMI
ip address 172.16.99.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 100
port-name VLAN-STORAGE
ip address 10.0.100.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
!
!
ip access-list extended ALEXA-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended ALL-IN
permit ip any any
!
ip access-list extended APPS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended APT-CACHE-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended BACKUP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended CORP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit plex tcp ingress
permit tcp any host 10.0.20.41 eq 32400
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark permit corp tcp in
permit tcp any 172.16.4.0 0.0.0.255
permit tcp any 172.16.6.0 0.0.0.255
remark permit corp udp in
permit udp any 172.16.4.0 0.0.0.255
permit udp any 172.16.6.0 0.0.0.255
remark permit smb tcp ingress
permit tcp any host 10.0.100.20 range 137 netbios-ssn
permit tcp any host 10.0.100.20 eq microsoft-ds
remark permit smb tcp ingress
permit udp any host 10.0.100.20 range netbios-ns netbios-ssn
permit udp any host 10.0.100.20 eq microsoft-ds
remark permit management-workstations tcp ingress
permit tcp host 172.16.6.103 any
remark permit management-workstations udp ingress
permit udp host 172.16.6.103 any
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit gaming tcp in
permit tcp any 10.0.77.0 0.0.0.255
remark permit gaming udp in
permit udp any 10.0.77.0 0.0.0.255
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended GAMING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit virtualhere USB access to desktop PC
permit udp any host 172.16.6.103 eq 7575
remark permit virtualhere USB access to desktop PC
permit tcp any host 172.16.6.103 eq 7575
remark permit Parsec access to corp network
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
remark permit Parsec access to corp network
permit udp any range 8000 8010 172.16.4.0 0.0.0.255
permit udp any range 8000 8010 172.16.6.0 0.0.0.255
remark permit RDP udp access to corp network
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark permit steamlink access to corp network
permit udp any eq 27031 172.16.4.0 0.0.0.255
permit udp any eq 27036 172.16.4.0 0.0.0.255
permit udp any eq 27031 172.16.6.0 0.0.0.255
permit udp any eq 27036 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 27036 172.16.4.0 0.0.0.255
permit tcp any eq 27037 172.16.4.0 0.0.0.255
permit tcp any eq 27036 172.16.6.0 0.0.0.255
permit tcp any eq 27037 172.16.6.0 0.0.0.255
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
remark deny all networks
deny ip any any
!
ip access-list extended GUEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-NEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-XAIOMI-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended KIDS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit kids dns udp access
permit udp any host 10.0.10.30 eq dns
remark permit kids dns tcp access
permit tcp any host 10.0.10.30 eq dns
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended LOGGING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended NET-SVC-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended SONOS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit sonos device tcp in
permit tcp any host 10.0.20.35 eq 3400
permit tcp any host 10.0.20.35 eq 3401
permit tcp any host 10.0.20.35 eq 3500
permit tcp any 172.16.4.0 0.0.0.255 eq 3400
permit tcp any 172.16.4.0 0.0.0.255 eq 3401
permit tcp any 172.16.4.0 0.0.0.255 eq 3500
permit tcp any 172.16.6.0 0.0.0.255 eq 3400
permit tcp any 172.16.6.0 0.0.0.255 eq 3401
permit tcp any 172.16.6.0 0.0.0.255 eq 3500
remark permit airplay device udp in
permit udp any host 10.0.20.35 eq ptp-event
permit udp any host 10.0.20.35 eq ptp-gen
permit udp any 172.16.4.0 0.0.0.255 eq ptp-event
permit udp any 172.16.4.0 0.0.0.255 eq ptp-gen
permit udp any 172.16.6.0 0.0.0.255 eq ptp-event
permit udp any 172.16.6.0 0.0.0.255 eq ptp-gen
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TRUENAS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TV-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
ip access-list extended VIDEO-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit rtsp udp access to blue iris servers
permit udp any host 10.0.20.28 eq rtsp
remark permit rtsp tcp access to blue iris servers
permit tcp any host 10.0.20.28 eq rtsp
remark deny all networks
deny ip any any
!
ip access-list extended XBOX-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark allow parsec ports
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
!
sflow destination 10.0.1.1
!
lldp run
!
!
!
!
end

SSH@sw-core#