Drag to reposition cover

Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

ProZak512

New Member
Oct 5, 2022
5
1
3
Plugged in a Ubiquiti WiFi AP and it powers right up:
Code:
SSH@ICX6610-48P Router(config)#show inline power 

Power Capacity:        Total is 748000 mWatts. Current Free is 732600 mWatts.

Power Allocations:     Requests Honored 26 times

 Port    Admin     Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
         State     State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
  1/1/1    On     Off            0          0  n/a      n/a         3  n/a
  1/1/2    On     Off            0          0  n/a      n/a         3  n/a
  1/1/3    On     Off            0          0  n/a      n/a         3  n/a
  1/1/4    On     Off            0          0  n/a      n/a         3  n/a
  1/1/5    On     Off            0          0  n/a      n/a         3  n/a
  1/1/6    On     Off            0          0  n/a      n/a         3  n/a
  1/1/7    On     Off            0          0  n/a      n/a         3  n/a
  1/1/8    On     Off            0          0  n/a      n/a         3  n/a
  1/1/9    On     Off            0          0  n/a      n/a         3  n/a
 1/1/10    On     Off            0          0  n/a      n/a         3  n/a
 1/1/11    On     On          3000      15400  802.3af  n/a         3  n/a
 1/1/12    On     Off            0          0  n/a      n/a         3  n/a
So! That's progress. I'll keep messing with the camera(s) and trouble shoot from there. Thanks for your attention, sorry for the waste of everyone's time.

-Zak-
 
  • Like
Reactions: fohdeesha

simbo

New Member
Feb 24, 2022
10
2
3
I'm having a problem with L3 features on a 6610. I can't add an IP to an ethernet interface. Not sure if it's a licensing problem. Do I need a ICX6610-PREM-LIC-SW?

I followed Fohdeesha guides when I originally set this up. Apologies if the ICX6610-PREM-LIC-SW license is mentioned in the docs, but I couldn't see a reference to it.

Here's me adding an IP to an interface and failing:
Code:
SSH@sw-core#conf t
SSH@sw-core(config)#int ethe 1/1/3
SSH@sw-core(config-if-e1000-1/1/3)#ip address 10.0.0.6/30
Invalid input -> address 10.0.0.6/30
Type ? for a list
SSH@sw-core(config-if-e1000-1/1/3)#
Here's my license:
Code:
#show lic
Index    Lic Mode        Lic Name               Lid/Serial No  Lic Type    Status     Lic Period    Lic Capacity
Stack unit 1:
2        Node Lock       ICX6610-10G-LIC-POD    H4CKTH3PLN8    Normal      Active     Unlimited         8
3        Node Lock       ICX-MACSEC-LIC         H4CKTH3PLN8    Normal      Active     Unlimited         1
4        Node Lock       ICX6610-ADV-LIC-SW     H4CKTH3PLN8    Normal      Active     Unlimited         1
Here's the firmware:
Code:
show flash
Stack unit 1:
  Compressed Pri Code size = 10545591, Version:08.0.30uT7f3 (FCXR08030u.bin)
  Compressed Sec Code size = 10543944, Version:08.0.30hT7f3 (FCXR08030h.bin)
  Compressed Boot-Monitor Image size = 370695, Version:10.1.00T7f5
  Code Flash Free Space = 43646976
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,839
3,280
113
33
fohdeesha.com
I'm having a problem with L3 features on a 6610. I can't add an IP to an ethernet interface. Not sure if it's a licensing problem. Do I need a ICX6610-PREM-LIC-SW?

I followed Fohdeesha guides when I originally set this up. Apologies if the ICX6610-PREM-LIC-SW license is mentioned in the docs, but I couldn't see a reference to it.

Here's me adding an IP to an interface and failing:
Code:
SSH@sw-core#conf t
SSH@sw-core(config)#int ethe 1/1/3
SSH@sw-core(config-if-e1000-1/1/3)#ip address 10.0.0.6/30
Invalid input -> address 10.0.0.6/30
Type ? for a list
SSH@sw-core(config-if-e1000-1/1/3)#
Here's my license:
Code:
#show lic
Index    Lic Mode        Lic Name               Lid/Serial No  Lic Type    Status     Lic Period    Lic Capacity
Stack unit 1:
2        Node Lock       ICX6610-10G-LIC-POD    H4CKTH3PLN8    Normal      Active     Unlimited         8
3        Node Lock       ICX-MACSEC-LIC         H4CKTH3PLN8    Normal      Active     Unlimited         1
4        Node Lock       ICX6610-ADV-LIC-SW     H4CKTH3PLN8    Normal      Active     Unlimited         1
Here's the firmware:
Code:
show flash
Stack unit 1:
  Compressed Pri Code size = 10545591, Version:08.0.30uT7f3 (FCXR08030u.bin)
  Compressed Sec Code size = 10543944, Version:08.0.30hT7f3 (FCXR08030h.bin)
  Compressed Boot-Monitor Image size = 370695, Version:10.1.00T7f5
  Code Flash Free Space = 43646976
the "ICX6610-ADV-LIC-SW" license from the guide is the PREM license with even more features, it's not a license issue. you probably have that port in a vlan with a virtual interface assigned to it. when a port is in a vlan, and the vlan has a VE assigned to it, that's where l3 stuff like IP is handled. if you want an IP directly on a port, take the port out of any vlans with l3 VEs on them
 

simbo

New Member
Feb 24, 2022
10
2
3
the "ICX6610-ADV-LIC-SW" license from the guide is the PREM license with even more features, it's not a license issue. you probably have that port in a vlan with a virtual interface assigned to it. when a port is in a vlan, and the vlan has a VE assigned to it, that's where l3 stuff like IP is handled. if you want an IP directly on a port, take the port out of any vlans with l3 VEs on them
Thanks for the info re the Advanced license.

Hmm.....No VLAN on the port (other than VLAN 1). Here's the interface info:
Code:
#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
  Port up for 2 hour(s) 24 minute(s) 13 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror enabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is SRV-FIREWALL
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 1432 bits/sec, 2 packets/sec, 0.00% utilization
  604 packets input, 156541 bytes, 0 no buffer
  Received 0 broadcasts, 603 multicasts, 1 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  16586 packets output, 1281589 bytes, 0 underruns
  Transmitted 10856 broadcasts, 5722 multicasts, 8 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0                8881                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                3606                   0
    6                   0                   0
    7                4099                   0
Its also weird that I don't get offered an option for 'address' when I tab complete on 'ip':
Code:
SSH@sw-core(config-if-e1000-1/1/19)#ip
  access-list                   Configure named access list
  add-host-route-first          Add host route before sending buffered packets
  arp                           Set ARP option
  arp-age                       Set ARP aging period
  as-path                       Set BGP AS Path filter
  bootp-use-intf-ip             Use incoming interface IP as source IP
  broadcast-zero                Enable directed broadcast forwarding
  community-list                Set BGP Community filter
  default-network               Configure default network route
  dhcp                          Set DHCP option
  dhcp-client                   DHCP client options
  dhcp-server                   DHCP Server
  dhcp-valid-check              Check DHCP offer packet for NULL client addr
  directed-broadcast            Enable directed broadcast forwarding
  dns                           Set DNS properties
  dscp-remark                   Mark IP packets with DSCP parameters
  follow-ingress-vrf            Follow ingress VRF for replying to SNMP request
  forward-protocol              Select protocols to be included in broadcast
                                forwarding
  helper-use-responder-ip       Retain Responder's Source IP In Reply
  hitless-route-purge-timer     Time after switchover, to start IPv4 route purge
  icmp                          Control ICMP attacks
  igmp                          Set IGMP properties
  igmp-report-control           Rate limit forwarding IGMP reports to upstream
                                Router
  irdp                          Enable IRDP for dynamic route learning
  load-sharing                  Enable IP load sharing
  max-mroute                    Configure maximum multicast route (mroute)
  mroute                        Configure static multicast route
  multicast                     Set IGMP snooping globally
  multicast-debug-mode          Enable global multicast debug mode for all vrf
  multicast-nonstop-routing     Enable global multicast nonstop-routing support
                                for all vrf
  multicast-routing             Enable global support for Multicast routing and
                                IGMP
  pcp-remark                    Mark tagged packets with PCP parameters
  pimsm-snooping                Set PIMSM snooping globally
  policy                        Enable policy routing
  prefix-list                   Build a IPv4 prefix list
  preserve-acl-user-input-format
  proxy-arp                     Enable router to act as ARP proxy for its
                                subnets
  radius                        Configure RADIUS authentication
  rarp                          Enable RARP protocol on this router
  route                         Define static route
  router-id                     Change the router ID already in use
  show-acl-service-number       Use TCP/UDP service number to display ACL clause
  show-portname                 Display port name for the interface on log
                                messages
  show-service-number-in-log    Use App service number in log display
  show-subnet-length            Change subnet mask display to prefix format
  source                        Set source guard option
  source-route                  Process packets with source routing option
  ssh                           Configure Secure Shell
  ssl                           Configure Secure Socket
  syslog                        Specify syslog options
  tacacs                        Configure TACACS authentication
  tcp                           Control TCP SYN attacks
  telnet                        Specify telnet options
  tftp                          Specify tftp options
  ttl                           Set time-to-live for packets on the network
  <cr>
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,839
3,280
113
33
fohdeesha.com
Thanks for the info re the Advanced license.

Hmm.....No VLAN on the port (other than VLAN 1). Here's the interface info:
Code:
#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
  Port up for 2 hour(s) 24 minute(s) 13 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror enabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is SRV-FIREWALL
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 1432 bits/sec, 2 packets/sec, 0.00% utilization
  604 packets input, 156541 bytes, 0 no buffer
  Received 0 broadcasts, 603 multicasts, 1 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  16586 packets output, 1281589 bytes, 0 underruns
  Transmitted 10856 broadcasts, 5722 multicasts, 8 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0                8881                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                3606                   0
    6                   0                   0
    7                4099                   0
did you assign vlan 1 a ve interface? what does "show ip int" and "show int ve 1" show? alternatively you can just paste your whole config here
 

simbo

New Member
Feb 24, 2022
10
2
3
did you assign vlan 1 a ve interface? what does "show ip int" and "show int ve 1" show? alternatively you can just paste your whole config here
Code:
SSH@switch-garage-rack-2>show ip int
Interface           IP-Address      OK?  Method    Status             Protocol   VRF
Eth mgmt1           172.16.0.13     YES  NVRAM     up                 up         default-vrf
SSH@switch-garage-rack-2>show int ve 1
Error - ve 1 was not configured

There's a bit in here. Sorry in advance!

Code:
SSH@sw-core#show config
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
stack disable
!
global-stp
!
!
lag LAG-SW-R2-TOR dynamic id 2
ports ethernet 1/3/5 to 1/3/6
primary-port 1/3/5
deploy
sflow forwarding ethernet 1/3/5
port-name SW-R2-TOR ethernet 1/3/5
sflow forwarding ethernet 1/3/6
port-name SW-R2-TOR ethernet 1/3/6
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree 802-1w
!
vlan 2 name VLAN-VIDEO by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/41 to 1/1/48
router-interface ve 2
!
vlan 3 name VLAN-VOIP by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 3
spanning-tree 802-1w
!
vlan 4 name VLAN-CORP-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 4
spanning-tree 802-1w
!
vlan 5 name VLAN-GUEST by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10
router-interface ve 5
spanning-tree 802-1w
!
vlan 6 name VLAN-CORPORATE by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 6
spanning-tree 802-1w
!
vlan 7 name VLAN-DMZ-1 by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 7
spanning-tree 802-1w
!
vlan 8 name VLAN-IOT by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/35
router-interface ve 8
spanning-tree 802-1w
!
vlan 9 name VLAN-KIDS-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 9
spanning-tree 802-1w
!
vlan 10 name VLAN-NET-SVC by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/4
router-interface ve 10
spanning-tree 802-1w
!
vlan 11 name VLAN-APT-CACHE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 11
spanning-tree 802-1w
!
vlan 20 name VLAN-APPS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 20
spanning-tree 802-1w
!
vlan 30 name VLAN-DEV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 30
spanning-tree 802-1w
!
vlan 71 name VLAN-ALEXA by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 71
spanning-tree 802-1w
!
vlan 72 name VLAN-SONOS by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 72
spanning-tree 802-1w
!
vlan 73 name VLAN-MAILBOX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 73
spanning-tree 802-1w
!
vlan 74 name VLAN-TV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 74
spanning-tree 802-1w
!
vlan 75 name VLAN-PLEX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 75
spanning-tree 802-1w
!
vlan 76 name VLAN-SYNCTHING by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 76
spanning-tree 802-1w
!
vlan 77 name VLAN-GAMING by port
tagged ethe 1/1/1 ethe 1/2/2 ethe 1/2/4 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/10
router-interface ve 77
spanning-tree 802-1w
!
vlan 78 name VLAN-LOGGING by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 78
spanning-tree 802-1w
!
vlan 81 name VLAN-NEST by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 81
spanning-tree 802-1w
!
vlan 82 name VLAN-ESP-HOME by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 82
spanning-tree 802-1w
!
vlan 83 name VLAN-XIAOMI by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 83
spanning-tree 802-1w
!
vlan 88 name VLAN-MIKROTIK by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 88
spanning-tree 802-1w
!
vlan 95 name VLAN-BASTION by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/8
router-interface ve 95
spanning-tree 802-1w
!
vlan 96 name VLAN-BACKUP by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/6 ethe 1/1/12 ethe 1/1/16
router-interface ve 96
spanning-tree 802-1w
!
vlan 97 name VLAN-TRUENAS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 97
spanning-tree 802-1w
!
vlan 98 name VLAN-PROXMOX by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/8
router-interface ve 98
spanning-tree 802-1w
!
vlan 99 name VLAN-IPMI by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/2 ethe 1/3/8
untagged ethe 1/1/9 ethe 1/1/11 ethe 1/1/15
router-interface ve 99
spanning-tree 802-1w
!
vlan 100 name VLAN-STORAGE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 100
spanning-tree 802-1w
!
vlan 202 name VLAN-HIKVISION by port
tagged ethe 1/3/1 to 1/3/8
spanning-tree 802-1w
!
!
!
!
!
system-max l3-vlan 64
system-max ip-route 4096
system-max ip-route-default-vrf 1024
system-max ip6-route-default-vrf 100
system-max ip-route-vrf 128
system-max ip6-route-vrf 64
system-max max-dhcp-snoop-entries 2048
!
aaa authentication web-server default local
aaa authentication login default local
jumbo
enable password-display
enable telnet authentication
enable aaa console
enable user password-masking
hostname sw-core
ip dhcp-client disable
ip dns domain-list kellgari.local
ip dns domain-list kellgari
ip dns server-address 10.0.1.1 10.0.10.10 10.0.10.20 1.1.1.1
ip forward-protocol udp 5353
ip forward-protocol udp bootps
ip proxy-arp
ip route 0.0.0.0/0 172.16.0.1
ip router-id 172.16.0.14
ip multicast query-interval 120
!
logging host 10.0.78.10
logging console
mirror-port ethernet 1/1/3
!
username root password 8 XXXXXXX
radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 default key 2 XXXXXXX
cdp run
fdp run
snmp-server community 2 $JiYmJiY= ro
snmp-server community 2 $U2kyXj1k ro
!
!
clock timezone gmt GMT+10
!
!
ntp
disable serve
server 10.0.1.1
!
!
web-management https
ssh access-group 90
ip multicast-routing
!
router ospf
area 0
redistribute connected
!
!
!
!
!
!
router pim
bsr-candidate ethernet 1/1/1 30 255
!
!
interface ethernet 1/1/1
port-name ROUTER
dual-mode
sflow forwarding
!
interface ethernet 1/1/2
port-name AP-GARAGE
dual-mode
inline power
sflow forwarding
!
interface ethernet 1/1/3
port-name SRV-FIREWALL
sflow forwarding
!
interface ethernet 1/1/4
port-name PI-DHCP-1
dhcp snooping trust
inline power priority 1 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/5
port-name PI-MONITORING-1
inline power
sflow forwarding
!
interface ethernet 1/1/6
port-name SW-R1-TOR-MANAGEMENT
sflow forwarding
!
interface ethernet 1/1/7
sflow forwarding
!
interface ethernet 1/1/8
port-name PI-BASTION-1
inline power
sflow forwarding
!
interface ethernet 1/1/9
port-name SRV-FIREWALL-IPMI
sflow forwarding
!
interface ethernet 1/1/10
port-name PC-GAMING
sflow forwarding
!
interface ethernet 1/1/11
port-name SRV-BACKUP-1-IPMI
sflow forwarding
!
interface ethernet 1/1/12
port-name SRV-BACKUP-1
sflow forwarding
!
interface ethernet 1/1/13
port-name PC-LOCAL-MGMT
sflow forwarding
!
interface ethernet 1/1/14
port-name PI-KVM-1
inline power priority 2 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/15
port-name SRV-BACKUP-2-IPMI
sflow forwarding
!
interface ethernet 1/1/16
port-name SRV-BACKUP-2
sflow forwarding
!
interface ethernet 1/1/17
sflow forwarding
!
interface ethernet 1/1/18
sflow forwarding
!
interface ethernet 1/1/19
sflow forwarding
!
interface ethernet 1/1/20
sflow forwarding
!
interface ethernet 1/1/21
sflow forwarding
!
interface ethernet 1/1/22
sflow forwarding
!
interface ethernet 1/1/23
sflow forwarding
!
interface ethernet 1/1/24
sflow forwarding
!
interface ethernet 1/1/25
sflow forwarding
!
interface ethernet 1/1/26
sflow forwarding
!
interface ethernet 1/1/27
sflow forwarding
!
interface ethernet 1/1/28
sflow forwarding
!
interface ethernet 1/1/29
sflow forwarding
!
interface ethernet 1/1/30
sflow forwarding
!
interface ethernet 1/1/31
sflow forwarding
!
interface ethernet 1/1/32
sflow forwarding
!
interface ethernet 1/1/33
sflow forwarding
!
interface ethernet 1/1/34
sflow forwarding
!
interface ethernet 1/1/35
port-name TRADFRI
sflow forwarding
!
interface ethernet 1/1/36
sflow forwarding
!
interface ethernet 1/1/37
sflow forwarding
!
interface ethernet 1/1/38
sflow forwarding
!
interface ethernet 1/1/39
sflow forwarding
!
interface ethernet 1/1/40
sflow forwarding
!
interface ethernet 1/1/41
port-name CAM-1
inline power
sflow forwarding
!
interface ethernet 1/1/42
port-name CAM-2
inline power
sflow forwarding
!
interface ethernet 1/1/43
port-name CAM-3
inline power
sflow forwarding
!
interface ethernet 1/1/44
port-name CAM-4
inline power
sflow forwarding
!
interface ethernet 1/1/45
port-name CAM-5
inline power
sflow forwarding
!
interface ethernet 1/1/46
port-name CAM-6
inline power
sflow forwarding
!
interface ethernet 1/1/47
inline power
sflow forwarding
!
interface ethernet 1/1/48
inline power
sflow forwarding
!
interface ethernet 1/2/1
dual-mode
sflow forwarding
!
interface ethernet 1/2/2
sflow forwarding
!
interface ethernet 1/2/3
dual-mode
sflow forwarding
!
interface ethernet 1/2/4
sflow forwarding
!
interface ethernet 1/2/5
sflow forwarding
!
interface ethernet 1/2/6
sflow forwarding
!
interface ethernet 1/2/7
dual-mode
sflow forwarding
!
interface ethernet 1/2/8
port-name SW-LOUNGE
dual-mode
sflow forwarding
!
interface ethernet 1/2/9
port-name SW-OFFICE
dual-mode
sflow forwarding
!
interface ethernet 1/2/10
port-name SW-MASTER
dual-mode
sflow forwarding
!
interface ethernet 1/3/1
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/2
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/3
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/4
dual-mode
disable
speed-duplex 10G-full
!
interface ethernet 1/3/5
port-name SW-R2-TOR
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/7
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/8
dual-mode
speed-duplex 10G-full
!
interface ve 1
ip address 172.16.0.14 255.255.255.0
ip helper-address 1 10.0.10.34
ip ospf area 0
!
interface ve 2
port-name VLAN-VIDEO
ip access-group VIDEO-IN in
ip address 192.168.1.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 3
port-name VLAN-VOIP
ip address 172.16.3.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 4
port-name CORP-WIRELESS
acl-logging
ip access-group CORP-IN in
ip address 172.16.4.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 5
port-name VLAN-GUEST
ip access-group GUEST-IN in
ip address 172.16.5.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 6
port-name CORP-WIRED
ip access-group CORP-IN in
ip address 172.16.6.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 7
port-name VLAN-DMZ-1
ip address 10.0.7.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 8
port-name VLAN-IOT
ip address 10.0.8.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 9
port-name "VLAN-KIDS"
ip access-group KIDS-IN in
ip address 10.0.9.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 10
port-name VLAN-NET-SVC
ip address 10.0.10.250 255.255.255.0
!
interface ve 11
port-name VLAN-APT-CACHE
ip access-group APT-CACHE-IN in
ip address 10.0.11.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 20
port-name VLAN-APPS
ip address 10.0.20.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 30
port-name VLAN-DEV
ip address 10.0.30.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 71
port-name VLAN-ALEXA
ip access-group ALEXA-IN in
ip address 10.0.71.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 72
port-name VLAN-SONOS
ip address 10.0.72.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 73
port-name VLAN-MAILBOX
ip address 10.0.73.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 74
port-name VLAN-TV
ip address 10.0.74.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 75
port-name VLAN-PLEX
ip address 10.0.75.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 76
port-name VLAN-SYNCTHING
ip access-group ALL-IN in
ip address 10.0.76.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 77
port-name VLAN-GAMING
ip access-group GAMING-IN in
ip address 10.0.77.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 78
port-name VLAN-LOGGING
ip access-group LOGGING-IN in
ip address 10.0.78.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 81
port-name VLAN-NEST
ip access-group IOT-NEST-IN in
ip address 10.0.81.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 82
port-name VLAN-ESP-HOME
ip helper-address 1 10.0.10.34
!
interface ve 83
port-name VLAN-XIAOMI
ip access-group IOT-XAIOMI-IN in
ip address 10.0.83.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 88
port-name VLAN-MIKROTIK
ip address 192.168.88.1 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 95
port-name VLAN-BASTION
ip address 172.16.95.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 96
port-name VLAN-BACKUP
ip access-group BACKUP-IN in
ip address 172.16.96.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 97
port-name VLAN-TRUENAS
ip access-group ALL-IN in
ip address 172.16.97.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 98
port-name VLAN-PROXMOX
ip address 172.16.98.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 99
port-name VLAN-IPMI
ip address 172.16.99.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 100
port-name VLAN-STORAGE
ip address 10.0.100.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
!
!
ip access-list extended ALEXA-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended ALL-IN
permit ip any any
!
ip access-list extended APPS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended APT-CACHE-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended BACKUP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended CORP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit plex tcp ingress
permit tcp any host 10.0.20.41 eq 32400
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark permit corp tcp in
permit tcp any 172.16.4.0 0.0.0.255
permit tcp any 172.16.6.0 0.0.0.255
remark permit corp udp in
permit udp any 172.16.4.0 0.0.0.255
permit udp any 172.16.6.0 0.0.0.255
remark permit smb tcp ingress
permit tcp any host 10.0.100.20 range 137 netbios-ssn
permit tcp any host 10.0.100.20 eq microsoft-ds
remark permit smb tcp ingress
permit udp any host 10.0.100.20 range netbios-ns netbios-ssn
permit udp any host 10.0.100.20 eq microsoft-ds
remark permit management-workstations tcp ingress
permit tcp host 172.16.6.103 any
remark permit management-workstations udp ingress
permit udp host 172.16.6.103 any
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit gaming tcp in
permit tcp any 10.0.77.0 0.0.0.255
remark permit gaming udp in
permit udp any 10.0.77.0 0.0.0.255
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended GAMING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit virtualhere USB access to desktop PC
permit udp any host 172.16.6.103 eq 7575
remark permit virtualhere USB access to desktop PC
permit tcp any host 172.16.6.103 eq 7575
remark permit Parsec access to corp network
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
remark permit Parsec access to corp network
permit udp any range 8000 8010 172.16.4.0 0.0.0.255
permit udp any range 8000 8010 172.16.6.0 0.0.0.255
remark permit RDP udp access to corp network
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark permit steamlink access to corp network
permit udp any eq 27031 172.16.4.0 0.0.0.255
permit udp any eq 27036 172.16.4.0 0.0.0.255
permit udp any eq 27031 172.16.6.0 0.0.0.255
permit udp any eq 27036 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 27036 172.16.4.0 0.0.0.255
permit tcp any eq 27037 172.16.4.0 0.0.0.255
permit tcp any eq 27036 172.16.6.0 0.0.0.255
permit tcp any eq 27037 172.16.6.0 0.0.0.255
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
remark deny all networks
deny ip any any
!
ip access-list extended GUEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-NEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-XAIOMI-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended KIDS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit kids dns udp access
permit udp any host 10.0.10.30 eq dns
remark permit kids dns tcp access
permit tcp any host 10.0.10.30 eq dns
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended LOGGING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended NET-SVC-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended SONOS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit sonos device tcp in
permit tcp any host 10.0.20.35 eq 3400
permit tcp any host 10.0.20.35 eq 3401
permit tcp any host 10.0.20.35 eq 3500
permit tcp any 172.16.4.0 0.0.0.255 eq 3400
permit tcp any 172.16.4.0 0.0.0.255 eq 3401
permit tcp any 172.16.4.0 0.0.0.255 eq 3500
permit tcp any 172.16.6.0 0.0.0.255 eq 3400
permit tcp any 172.16.6.0 0.0.0.255 eq 3401
permit tcp any 172.16.6.0 0.0.0.255 eq 3500
remark permit airplay device udp in
permit udp any host 10.0.20.35 eq ptp-event
permit udp any host 10.0.20.35 eq ptp-gen
permit udp any 172.16.4.0 0.0.0.255 eq ptp-event
permit udp any 172.16.4.0 0.0.0.255 eq ptp-gen
permit udp any 172.16.6.0 0.0.0.255 eq ptp-event
permit udp any 172.16.6.0 0.0.0.255 eq ptp-gen
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TRUENAS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TV-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
ip access-list extended VIDEO-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit rtsp udp access to blue iris servers
permit udp any host 10.0.20.28 eq rtsp
remark permit rtsp tcp access to blue iris servers
permit tcp any host 10.0.20.28 eq rtsp
remark deny all networks
deny ip any any
!
ip access-list extended XBOX-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark allow parsec ports
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
!
sflow destination 10.0.1.1
!
lldp run
!
!
!
!
end

SSH@sw-core#
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,839
3,280
113
33
fohdeesha.com
Code:
SSH@switch-garage-rack-2>show ip int
Interface           IP-Address      OK?  Method    Status             Protocol   VRF
Eth mgmt1           172.16.0.13     YES  NVRAM     up                 up         default-vrf
SSH@switch-garage-rack-2>show int ve 1
Error - ve 1 was not configured

There's a bit in here. Sorry in advance!

Code:
SSH@sw-core#show config
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
stack disable
!
global-stp
!
!
lag LAG-SW-R2-TOR dynamic id 2
ports ethernet 1/3/5 to 1/3/6
primary-port 1/3/5
deploy
sflow forwarding ethernet 1/3/5
port-name SW-R2-TOR ethernet 1/3/5
sflow forwarding ethernet 1/3/6
port-name SW-R2-TOR ethernet 1/3/6
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree 802-1w
!
vlan 2 name VLAN-VIDEO by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/41 to 1/1/48
router-interface ve 2
!
vlan 3 name VLAN-VOIP by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 3
spanning-tree 802-1w
!
vlan 4 name VLAN-CORP-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 4
spanning-tree 802-1w
!
vlan 5 name VLAN-GUEST by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10
router-interface ve 5
spanning-tree 802-1w
!
vlan 6 name VLAN-CORPORATE by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 6
spanning-tree 802-1w
!
vlan 7 name VLAN-DMZ-1 by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 7
spanning-tree 802-1w
!
vlan 8 name VLAN-IOT by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/35
router-interface ve 8
spanning-tree 802-1w
!
vlan 9 name VLAN-KIDS-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 9
spanning-tree 802-1w
!
vlan 10 name VLAN-NET-SVC by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/4
router-interface ve 10
spanning-tree 802-1w
!
vlan 11 name VLAN-APT-CACHE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 11
spanning-tree 802-1w
!
vlan 20 name VLAN-APPS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 20
spanning-tree 802-1w
!
vlan 30 name VLAN-DEV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 30
spanning-tree 802-1w
!
vlan 71 name VLAN-ALEXA by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 71
spanning-tree 802-1w
!
vlan 72 name VLAN-SONOS by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 72
spanning-tree 802-1w
!
vlan 73 name VLAN-MAILBOX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 73
spanning-tree 802-1w
!
vlan 74 name VLAN-TV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 74
spanning-tree 802-1w
!
vlan 75 name VLAN-PLEX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 75
spanning-tree 802-1w
!
vlan 76 name VLAN-SYNCTHING by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 76
spanning-tree 802-1w
!
vlan 77 name VLAN-GAMING by port
tagged ethe 1/1/1 ethe 1/2/2 ethe 1/2/4 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/10
router-interface ve 77
spanning-tree 802-1w
!
vlan 78 name VLAN-LOGGING by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 78
spanning-tree 802-1w
!
vlan 81 name VLAN-NEST by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 81
spanning-tree 802-1w
!
vlan 82 name VLAN-ESP-HOME by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 82
spanning-tree 802-1w
!
vlan 83 name VLAN-XIAOMI by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 83
spanning-tree 802-1w
!
vlan 88 name VLAN-MIKROTIK by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 88
spanning-tree 802-1w
!
vlan 95 name VLAN-BASTION by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/8
router-interface ve 95
spanning-tree 802-1w
!
vlan 96 name VLAN-BACKUP by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/6 ethe 1/1/12 ethe 1/1/16
router-interface ve 96
spanning-tree 802-1w
!
vlan 97 name VLAN-TRUENAS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 97
spanning-tree 802-1w
!
vlan 98 name VLAN-PROXMOX by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/8
router-interface ve 98
spanning-tree 802-1w
!
vlan 99 name VLAN-IPMI by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/2 ethe 1/3/8
untagged ethe 1/1/9 ethe 1/1/11 ethe 1/1/15
router-interface ve 99
spanning-tree 802-1w
!
vlan 100 name VLAN-STORAGE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 100
spanning-tree 802-1w
!
vlan 202 name VLAN-HIKVISION by port
tagged ethe 1/3/1 to 1/3/8
spanning-tree 802-1w
!
!
!
!
!
system-max l3-vlan 64
system-max ip-route 4096
system-max ip-route-default-vrf 1024
system-max ip6-route-default-vrf 100
system-max ip-route-vrf 128
system-max ip6-route-vrf 64
system-max max-dhcp-snoop-entries 2048
!
aaa authentication web-server default local
aaa authentication login default local
jumbo
enable password-display
enable telnet authentication
enable aaa console
enable user password-masking
hostname sw-core
ip dhcp-client disable
ip dns domain-list kellgari.local
ip dns domain-list kellgari
ip dns server-address 10.0.1.1 10.0.10.10 10.0.10.20 1.1.1.1
ip forward-protocol udp 5353
ip forward-protocol udp bootps
ip proxy-arp
ip route 0.0.0.0/0 172.16.0.1
ip router-id 172.16.0.14
ip multicast query-interval 120
!
logging host 10.0.78.10
logging console
mirror-port ethernet 1/1/3
!
username root password 8 XXXXXXX
radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 default key 2 XXXXXXX
cdp run
fdp run
snmp-server community 2 $JiYmJiY= ro
snmp-server community 2 $U2kyXj1k ro
!
!
clock timezone gmt GMT+10
!
!
ntp
disable serve
server 10.0.1.1
!
!
web-management https
ssh access-group 90
ip multicast-routing
!
router ospf
area 0
redistribute connected
!
!
!
!
!
!
router pim
bsr-candidate ethernet 1/1/1 30 255
!
!
interface ethernet 1/1/1
port-name ROUTER
dual-mode
sflow forwarding
!
interface ethernet 1/1/2
port-name AP-GARAGE
dual-mode
inline power
sflow forwarding
!
interface ethernet 1/1/3
port-name SRV-FIREWALL
sflow forwarding
!
interface ethernet 1/1/4
port-name PI-DHCP-1
dhcp snooping trust
inline power priority 1 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/5
port-name PI-MONITORING-1
inline power
sflow forwarding
!
interface ethernet 1/1/6
port-name SW-R1-TOR-MANAGEMENT
sflow forwarding
!
interface ethernet 1/1/7
sflow forwarding
!
interface ethernet 1/1/8
port-name PI-BASTION-1
inline power
sflow forwarding
!
interface ethernet 1/1/9
port-name SRV-FIREWALL-IPMI
sflow forwarding
!
interface ethernet 1/1/10
port-name PC-GAMING
sflow forwarding
!
interface ethernet 1/1/11
port-name SRV-BACKUP-1-IPMI
sflow forwarding
!
interface ethernet 1/1/12
port-name SRV-BACKUP-1
sflow forwarding
!
interface ethernet 1/1/13
port-name PC-LOCAL-MGMT
sflow forwarding
!
interface ethernet 1/1/14
port-name PI-KVM-1
inline power priority 2 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/15
port-name SRV-BACKUP-2-IPMI
sflow forwarding
!
interface ethernet 1/1/16
port-name SRV-BACKUP-2
sflow forwarding
!
interface ethernet 1/1/17
sflow forwarding
!
interface ethernet 1/1/18
sflow forwarding
!
interface ethernet 1/1/19
sflow forwarding
!
interface ethernet 1/1/20
sflow forwarding
!
interface ethernet 1/1/21
sflow forwarding
!
interface ethernet 1/1/22
sflow forwarding
!
interface ethernet 1/1/23
sflow forwarding
!
interface ethernet 1/1/24
sflow forwarding
!
interface ethernet 1/1/25
sflow forwarding
!
interface ethernet 1/1/26
sflow forwarding
!
interface ethernet 1/1/27
sflow forwarding
!
interface ethernet 1/1/28
sflow forwarding
!
interface ethernet 1/1/29
sflow forwarding
!
interface ethernet 1/1/30
sflow forwarding
!
interface ethernet 1/1/31
sflow forwarding
!
interface ethernet 1/1/32
sflow forwarding
!
interface ethernet 1/1/33
sflow forwarding
!
interface ethernet 1/1/34
sflow forwarding
!
interface ethernet 1/1/35
port-name TRADFRI
sflow forwarding
!
interface ethernet 1/1/36
sflow forwarding
!
interface ethernet 1/1/37
sflow forwarding
!
interface ethernet 1/1/38
sflow forwarding
!
interface ethernet 1/1/39
sflow forwarding
!
interface ethernet 1/1/40
sflow forwarding
!
interface ethernet 1/1/41
port-name CAM-1
inline power
sflow forwarding
!
interface ethernet 1/1/42
port-name CAM-2
inline power
sflow forwarding
!
interface ethernet 1/1/43
port-name CAM-3
inline power
sflow forwarding
!
interface ethernet 1/1/44
port-name CAM-4
inline power
sflow forwarding
!
interface ethernet 1/1/45
port-name CAM-5
inline power
sflow forwarding
!
interface ethernet 1/1/46
port-name CAM-6
inline power
sflow forwarding
!
interface ethernet 1/1/47
inline power
sflow forwarding
!
interface ethernet 1/1/48
inline power
sflow forwarding
!
interface ethernet 1/2/1
dual-mode
sflow forwarding
!
interface ethernet 1/2/2
sflow forwarding
!
interface ethernet 1/2/3
dual-mode
sflow forwarding
!
interface ethernet 1/2/4
sflow forwarding
!
interface ethernet 1/2/5
sflow forwarding
!
interface ethernet 1/2/6
sflow forwarding
!
interface ethernet 1/2/7
dual-mode
sflow forwarding
!
interface ethernet 1/2/8
port-name SW-LOUNGE
dual-mode
sflow forwarding
!
interface ethernet 1/2/9
port-name SW-OFFICE
dual-mode
sflow forwarding
!
interface ethernet 1/2/10
port-name SW-MASTER
dual-mode
sflow forwarding
!
interface ethernet 1/3/1
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/2
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/3
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/4
dual-mode
disable
speed-duplex 10G-full
!
interface ethernet 1/3/5
port-name SW-R2-TOR
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/7
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/8
dual-mode
speed-duplex 10G-full
!
interface ve 1
ip address 172.16.0.14 255.255.255.0
ip helper-address 1 10.0.10.34
ip ospf area 0
!
interface ve 2
port-name VLAN-VIDEO
ip access-group VIDEO-IN in
ip address 192.168.1.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 3
port-name VLAN-VOIP
ip address 172.16.3.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 4
port-name CORP-WIRELESS
acl-logging
ip access-group CORP-IN in
ip address 172.16.4.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 5
port-name VLAN-GUEST
ip access-group GUEST-IN in
ip address 172.16.5.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 6
port-name CORP-WIRED
ip access-group CORP-IN in
ip address 172.16.6.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 7
port-name VLAN-DMZ-1
ip address 10.0.7.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 8
port-name VLAN-IOT
ip address 10.0.8.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 9
port-name "VLAN-KIDS"
ip access-group KIDS-IN in
ip address 10.0.9.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 10
port-name VLAN-NET-SVC
ip address 10.0.10.250 255.255.255.0
!
interface ve 11
port-name VLAN-APT-CACHE
ip access-group APT-CACHE-IN in
ip address 10.0.11.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 20
port-name VLAN-APPS
ip address 10.0.20.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 30
port-name VLAN-DEV
ip address 10.0.30.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 71
port-name VLAN-ALEXA
ip access-group ALEXA-IN in
ip address 10.0.71.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 72
port-name VLAN-SONOS
ip address 10.0.72.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 73
port-name VLAN-MAILBOX
ip address 10.0.73.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 74
port-name VLAN-TV
ip address 10.0.74.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 75
port-name VLAN-PLEX
ip address 10.0.75.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 76
port-name VLAN-SYNCTHING
ip access-group ALL-IN in
ip address 10.0.76.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 77
port-name VLAN-GAMING
ip access-group GAMING-IN in
ip address 10.0.77.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 78
port-name VLAN-LOGGING
ip access-group LOGGING-IN in
ip address 10.0.78.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 81
port-name VLAN-NEST
ip access-group IOT-NEST-IN in
ip address 10.0.81.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 82
port-name VLAN-ESP-HOME
ip helper-address 1 10.0.10.34
!
interface ve 83
port-name VLAN-XIAOMI
ip access-group IOT-XAIOMI-IN in
ip address 10.0.83.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 88
port-name VLAN-MIKROTIK
ip address 192.168.88.1 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 95
port-name VLAN-BASTION
ip address 172.16.95.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 96
port-name VLAN-BACKUP
ip access-group BACKUP-IN in
ip address 172.16.96.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 97
port-name VLAN-TRUENAS
ip access-group ALL-IN in
ip address 172.16.97.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 98
port-name VLAN-PROXMOX
ip address 172.16.98.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 99
port-name VLAN-IPMI
ip address 172.16.99.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 100
port-name VLAN-STORAGE
ip address 10.0.100.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
!
!
ip access-list extended ALEXA-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended ALL-IN
permit ip any any
!
ip access-list extended APPS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended APT-CACHE-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended BACKUP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended CORP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit plex tcp ingress
permit tcp any host 10.0.20.41 eq 32400
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark permit corp tcp in
permit tcp any 172.16.4.0 0.0.0.255
permit tcp any 172.16.6.0 0.0.0.255
remark permit corp udp in
permit udp any 172.16.4.0 0.0.0.255
permit udp any 172.16.6.0 0.0.0.255
remark permit smb tcp ingress
permit tcp any host 10.0.100.20 range 137 netbios-ssn
permit tcp any host 10.0.100.20 eq microsoft-ds
remark permit smb tcp ingress
permit udp any host 10.0.100.20 range netbios-ns netbios-ssn
permit udp any host 10.0.100.20 eq microsoft-ds
remark permit management-workstations tcp ingress
permit tcp host 172.16.6.103 any
remark permit management-workstations udp ingress
permit udp host 172.16.6.103 any
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit gaming tcp in
permit tcp any 10.0.77.0 0.0.0.255
remark permit gaming udp in
permit udp any 10.0.77.0 0.0.0.255
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended GAMING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit virtualhere USB access to desktop PC
permit udp any host 172.16.6.103 eq 7575
remark permit virtualhere USB access to desktop PC
permit tcp any host 172.16.6.103 eq 7575
remark permit Parsec access to corp network
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
remark permit Parsec access to corp network
permit udp any range 8000 8010 172.16.4.0 0.0.0.255
permit udp any range 8000 8010 172.16.6.0 0.0.0.255
remark permit RDP udp access to corp network
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark permit steamlink access to corp network
permit udp any eq 27031 172.16.4.0 0.0.0.255
permit udp any eq 27036 172.16.4.0 0.0.0.255
permit udp any eq 27031 172.16.6.0 0.0.0.255
permit udp any eq 27036 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 27036 172.16.4.0 0.0.0.255
permit tcp any eq 27037 172.16.4.0 0.0.0.255
permit tcp any eq 27036 172.16.6.0 0.0.0.255
permit tcp any eq 27037 172.16.6.0 0.0.0.255
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
remark deny all networks
deny ip any any
!
ip access-list extended GUEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-NEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-XAIOMI-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended KIDS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit kids dns udp access
permit udp any host 10.0.10.30 eq dns
remark permit kids dns tcp access
permit tcp any host 10.0.10.30 eq dns
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended LOGGING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended NET-SVC-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended SONOS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit sonos device tcp in
permit tcp any host 10.0.20.35 eq 3400
permit tcp any host 10.0.20.35 eq 3401
permit tcp any host 10.0.20.35 eq 3500
permit tcp any 172.16.4.0 0.0.0.255 eq 3400
permit tcp any 172.16.4.0 0.0.0.255 eq 3401
permit tcp any 172.16.4.0 0.0.0.255 eq 3500
permit tcp any 172.16.6.0 0.0.0.255 eq 3400
permit tcp any 172.16.6.0 0.0.0.255 eq 3401
permit tcp any 172.16.6.0 0.0.0.255 eq 3500
remark permit airplay device udp in
permit udp any host 10.0.20.35 eq ptp-event
permit udp any host 10.0.20.35 eq ptp-gen
permit udp any 172.16.4.0 0.0.0.255 eq ptp-event
permit udp any 172.16.4.0 0.0.0.255 eq ptp-gen
permit udp any 172.16.6.0 0.0.0.255 eq ptp-event
permit udp any 172.16.6.0 0.0.0.255 eq ptp-gen
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TRUENAS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TV-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
ip access-list extended VIDEO-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit rtsp udp access to blue iris servers
permit udp any host 10.0.20.28 eq rtsp
remark permit rtsp tcp access to blue iris servers
permit tcp any host 10.0.20.28 eq rtsp
remark deny all networks
deny ip any any
!
ip access-list extended XBOX-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark allow parsec ports
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
!
sflow destination 10.0.1.1
!
lldp run
!
!
!
!
end

SSH@sw-core#
right off the bat I see you have that port (1/1/3) configured as a mirror port, which obviously can't have an IP
 

simbo

New Member
Feb 24, 2022
10
2
3
right off the bat I see you have that port (1/1/3) configured as a mirror port, which obviously can't have an IP
Thanks that was stupid of me. I've removed the mirror port and it's still not allowing me to add an IP addr. For the sake of testing, here's another port 1/1/19 that's unused.

Code:
SSH@sw-core(config)#show int ethe 1/1/19
GigabitEthernet1/1/19 is down, line protocol is down
  Port down for 9 day(s) 23 hour(s) 4 minute(s) 24 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c15a)
  Configured speed auto, actual unknown, configured duplex fdx, actual unknown
  Configured mdi mode AUTO, actual unknown
  Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper disabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 multicasts, 0 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  0 packets output, 0 bytes, 0 underruns
  Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0                   0                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                   0                   0
    6                   0                   0
    7                   0                   0
Here's trying to add the IP
Code:
SSH@sw-core(config)#int ethe 1/1/19
SSH@sw-core(config-if-e1000-1/1/19)#ip add
  add-host-route-first          Add host route before sending buffered packets
SSH@sw-core(config-if-e1000-1/1/19)#ip address 10.0.0.6/30
Invalid input -> address 10.0.0.6/30
Type ? for a list
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,839
3,280
113
33
fohdeesha.com
Thanks that was stupid of me. I've removed the mirror port and it's still not allowing me to add an IP addr. For the sake of testing, here's another port 1/1/19 that's unused.

Code:
SSH@sw-core(config)#show int ethe 1/1/19
GigabitEthernet1/1/19 is down, line protocol is down
  Port down for 9 day(s) 23 hour(s) 4 minute(s) 24 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c15a)
  Configured speed auto, actual unknown, configured duplex fdx, actual unknown
  Configured mdi mode AUTO, actual unknown
  Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper disabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 multicasts, 0 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  0 packets output, 0 bytes, 0 underruns
  Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0                   0                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                   0                   0
    6                   0                   0
    7                   0                   0
Here's trying to add the IP
Code:
SSH@sw-core(config)#int ethe 1/1/19
SSH@sw-core(config-if-e1000-1/1/19)#ip add
  add-host-route-first          Add host route before sending buffered packets
SSH@sw-core(config-if-e1000-1/1/19)#ip address 10.0.0.6/30
Invalid input -> address 10.0.0.6/30
Type ? for a list
can you create a new vlan with nothing in it, no other ports or VEs, and put 1/1/3 in it? then try to add an ip? I don't remember shit about adding IPs directly to ports as I almost never do it (use VEs)
 

simbo

New Member
Feb 24, 2022
10
2
3
can you create a new vlan with nothing in it, no other ports or VEs, and put 1/1/3 in it? then try to add an ip? I don't remember shit about adding IPs directly to ports as I almost never do it (use VEs)
Code:
SSH@sw-core(config)#vlan 250 name VLAN-CORE-FW by port
SSH@sw-core(config-vlan-250)# untagged ethe 1/1/3
Added untagged port(s) ethe 1/1/3 to port-vlan 250.
SSH@sw-core(config-vlan-250)# router-interface ve 250
SSH@sw-core(config-vlan-250)#!
SSH@sw-core(config-vlan-250)#
SSH@sw-core(config-vlan-250)#interface ve 250
SSH@sw-core(config-vif-250)# port-name VLAN-CORE-FW
SSH@sw-core(config-vif-250)# ip address 10.0.0.6 255.255.255.252
SSH@sw-core(config-vif-250)#!
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#exit
SSH@sw-core(config)#write mem
........Write startup-config done.
SSH@sw-core(config)#Flash Memory Write (8192 bytes per dot) .....
Copy Done.
SSH@sw-core(config)#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
  Port up for 2 hour(s) 46 minute(s) 42 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 250, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is SRV-FIREWALL
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 3408 bits/sec, 6 packets/sec, 0.00% utilization
  698 packets input, 180887 bytes, 0 no buffer
  Received 0 broadcasts, 697 multicasts, 1 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  22372 packets output, 1690568 bytes, 0 underruns
  Transmitted 15290 broadcasts, 7068 multicasts, 14 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0               13296                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                4250                   0
    6                   0                   0
    7                4826                   0

SSH@sw-core(config)#show vlan br

System-max vlan Params: Max(4095) Default(64) Current(64)
Default vlan Id :1
Total Number of Vlan Configured :33
VLANs Configured :1 to 11 20 30 71 to 78 81 to 83 88 95 to 100 202 250
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,839
3,280
113
33
fohdeesha.com
Code:
SSH@sw-core(config)#vlan 250 name VLAN-CORE-FW by port
SSH@sw-core(config-vlan-250)# untagged ethe 1/1/3
Added untagged port(s) ethe 1/1/3 to port-vlan 250.
SSH@sw-core(config-vlan-250)# router-interface ve 250
SSH@sw-core(config-vlan-250)#!
SSH@sw-core(config-vlan-250)#
SSH@sw-core(config-vlan-250)#interface ve 250
SSH@sw-core(config-vif-250)# port-name VLAN-CORE-FW
SSH@sw-core(config-vif-250)# ip address 10.0.0.6 255.255.255.252
SSH@sw-core(config-vif-250)#!
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#exit
SSH@sw-core(config)#write mem
........Write startup-config done.
SSH@sw-core(config)#Flash Memory Write (8192 bytes per dot) .....
Copy Done.
SSH@sw-core(config)#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
  Port up for 2 hour(s) 46 minute(s) 42 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 250, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is SRV-FIREWALL
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 3408 bits/sec, 6 packets/sec, 0.00% utilization
  698 packets input, 180887 bytes, 0 no buffer
  Received 0 broadcasts, 697 multicasts, 1 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  22372 packets output, 1690568 bytes, 0 underruns
  Transmitted 15290 broadcasts, 7068 multicasts, 14 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0               13296                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                4250                   0
    6                   0                   0
    7                4826                   0

SSH@sw-core(config)#show vlan br

System-max vlan Params: Max(4095) Default(64) Current(64)
Default vlan Id :1
Total Number of Vlan Configured :33
VLANs Configured :1 to 11 20 30 71 to 78 81 to 83 88 95 to 100 202 250
well I meant put it in a new empty vlan *without* a VE to see if you could assign an IP directly to the port then, but that works too lol
 

Craig Curtin

Member
Jun 18, 2017
103
20
18
59
Code:
SSH@sw-core(config)#vlan 250 name VLAN-CORE-FW by port
SSH@sw-core(config-vlan-250)# untagged ethe 1/1/3
Added untagged port(s) ethe 1/1/3 to port-vlan 250.
SSH@sw-core(config-vlan-250)# router-interface ve 250
SSH@sw-core(config-vlan-250)#!
SSH@sw-core(config-vlan-250)#
SSH@sw-core(config-vlan-250)#interface ve 250
SSH@sw-core(config-vif-250)# port-name VLAN-CORE-FW
SSH@sw-core(config-vif-250)# ip address 10.0.0.6 255.255.255.252
SSH@sw-core(config-vif-250)#!
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#exit
SSH@sw-core(config)#write mem
........Write startup-config done.
SSH@sw-core(config)#Flash Memory Write (8192 bytes per dot) .....
Copy Done.
SSH@sw-core(config)#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
  Port up for 2 hour(s) 46 minute(s) 42 second(s)
  Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 250, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is SRV-FIREWALL
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 10200 bytes, encapsulation ethernet
  300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 3408 bits/sec, 6 packets/sec, 0.00% utilization
  698 packets input, 180887 bytes, 0 no buffer
  Received 0 broadcasts, 697 multicasts, 1 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  22372 packets output, 1690568 bytes, 0 underruns
  Transmitted 15290 broadcasts, 7068 multicasts, 14 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0               13296                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                4250                   0
    6                   0                   0
    7                4826                   0

SSH@sw-core(config)#show vlan br

System-max vlan Params: Max(4095) Default(64) Current(64)
Default vlan Id :1
Total Number of Vlan Configured :33
VLANs Configured :1 to 11 20 30 71 to 78 81 to 83 88 95 to 100 202 250
I think @fohdeesha meant to create a VLAN without adding a VE to it and then adding an IP address to the port.

i.e. it is a member of a L2 VLAN and you give it an IP address.

Craig
 

simbo

New Member
Feb 24, 2022
10
2
3
well I meant put it in a new empty vlan *without* a VE to see if you could assign an IP directly to the port then, but that works too lol
Yeah that works. I can ping the VE 10.0.0.6 ok. But I can't ping the firewall that's sitting on the other side of 1/1/3 on 10.0.0.5 when using a VE

Code:
SSH@sw-core#show ip route
Total number of IP routes: 32
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.0.1      ve 1          1/1           S    9d23h
2       10.0.0.4/30        DIRECT          ve 250        0/0           D    8m29s
3       10.0.7.0/24        DIRECT          ve 7          0/0           D    9d23h
4       10.0.8.0/24        DIRECT          ve 8          0/0           D    9d23h
5       10.0.9.0/24        DIRECT          ve 9          0/0           D    9d23h
6       10.0.10.0/24       DIRECT          ve 10         0/0           D    9d23h
7       10.0.11.0/24       DIRECT          ve 11         0/0           D    9d23h
8       10.0.20.0/24       DIRECT          ve 20         0/0           D    9d23h
9       10.0.30.0/24       DIRECT          ve 30         0/0           D    9d23h
10      10.0.71.0/24       DIRECT          ve 71         0/0           D    9d23h
11      10.0.72.0/24       DIRECT          ve 72         0/0           D    9d23h
12      10.0.73.0/24       DIRECT          ve 73         0/0           D    9d23h
13      10.0.74.0/24       DIRECT          ve 74         0/0           D    9d23h
14      10.0.75.0/24       DIRECT          ve 75         0/0           D    9d23h
15      10.0.76.0/24       DIRECT          ve 76         0/0           D    9d23h
16      10.0.77.0/24       DIRECT          ve 77         0/0           D    9d23h
17      10.0.78.0/24       DIRECT          ve 78         0/0           D    9d23h
18      10.0.81.0/24       DIRECT          ve 81         0/0           D    9d23h
19      10.0.83.0/24       DIRECT          ve 83         0/0           D    9d23h
20      10.0.100.0/24      DIRECT          ve 100        0/0           D    9d23h
21      172.16.0.0/24      DIRECT          ve 1          0/0           D    9d23h
22      172.16.3.0/24      DIRECT          ve 3          0/0           D    9d23h
23      172.16.4.0/24      DIRECT          ve 4          0/0           D    9d23h
24      172.16.5.0/24      DIRECT          ve 5          0/0           D    9d23h
25      172.16.6.0/24      DIRECT          ve 6          0/0           D    9d23h
26      172.16.95.0/24     DIRECT          ve 95         0/0           D    9d23h
27      172.16.96.0/24     DIRECT          ve 96         0/0           D    9d23h
28      172.16.97.0/24     DIRECT          ve 97         0/0           D    9d23h
29      172.16.98.0/24     DIRECT          ve 98         0/0           D    9d23h
30      172.16.99.0/24     DIRECT          ve 99         0/0           D    9d23h
31      192.168.1.0/24     DIRECT          ve 2          0/0           D    9d23h
32      192.168.88.0/24    DIRECT          ve 88         0/0           D    9d23h
 

simbo

New Member
Feb 24, 2022
10
2
3
Ok...by creating a VLAN with no VE and then putting the port in the VLAN I can now assign an IP to that interface.

Code:
SH@sw-core(config-if-e1000-1/1/3)#no vlan 250
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#no ve 250
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#vlan 250 name VLAN-CORE-FW by port
SSH@sw-core(config-vlan-250)# untagged ethe 1/1/3
Added untagged port(s) ethe 1/1/3 to port-vlan 250.
SSH@sw-core(config-vlan-250)#!
SSH@sw-core(config-vlan-250)#int ethe 1/1/3
SSH@sw-core(config-if-e1000-1/1/3)#ip address 10.0.0.6/30
SSH@sw-core(config-if-e1000-1/1/3)#exit
SSH@sw-core(config)#

SSH@sw-core#sho ip route
Total number of IP routes: 32
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.0.1      ve 1          1/1           S    9d23h
2       10.0.0.4/30        DIRECT          e 1/1/3       0/0           D    0m47s
3       10.0.7.0/24        DIRECT          ve 7          0/0           D    9d23h
4       10.0.8.0/24        DIRECT          ve 8          0/0           D    9d23h
5       10.0.9.0/24        DIRECT          ve 9          0/0           D    9d23h
6       10.0.10.0/24       DIRECT          ve 10         0/0           D    9d23h
7       10.0.11.0/24       DIRECT          ve 11         0/0           D    9d23h
8       10.0.20.0/24       DIRECT          ve 20         0/0           D    9d23h
9       10.0.30.0/24       DIRECT          ve 30         0/0           D    9d23h
10      10.0.71.0/24       DIRECT          ve 71         0/0           D    9d23h
11      10.0.72.0/24       DIRECT          ve 72         0/0           D    9d23h
12      10.0.73.0/24       DIRECT          ve 73         0/0           D    9d23h
13      10.0.74.0/24       DIRECT          ve 74         0/0           D    9d23h
14      10.0.75.0/24       DIRECT          ve 75         0/0           D    9d23h
15      10.0.76.0/24       DIRECT          ve 76         0/0           D    9d23h
16      10.0.77.0/24       DIRECT          ve 77         0/0           D    9d23h
17      10.0.78.0/24       DIRECT          ve 78         0/0           D    9d23h
18      10.0.81.0/24       DIRECT          ve 81         0/0           D    9d23h
19      10.0.83.0/24       DIRECT          ve 83         0/0           D    9d23h
20      10.0.100.0/24      DIRECT          ve 100        0/0           D    9d23h
21      172.16.0.0/24      DIRECT          ve 1          0/0           D    9d23h
22      172.16.3.0/24      DIRECT          ve 3          0/0           D    9d23h
23      172.16.4.0/24      DIRECT          ve 4          0/0           D    9d23h
24      172.16.5.0/24      DIRECT          ve 5          0/0           D    9d23h
25      172.16.6.0/24      DIRECT          ve 6          0/0           D    9d23h
26      172.16.95.0/24     DIRECT          ve 95         0/0           D    9d23h
27      172.16.96.0/24     DIRECT          ve 96         0/0           D    9d23h
28      172.16.97.0/24     DIRECT          ve 97         0/0           D    9d23h
29      172.16.98.0/24     DIRECT          ve 98         0/0           D    9d23h
30      172.16.99.0/24     DIRECT          ve 99         0/0           D    9d23h
31      192.168.1.0/24     DIRECT          ve 2          0/0           D    9d23h
32      192.168.88.0/24    DIRECT          ve 88         0/0           D    9d23h
 
  • Like
Reactions: fohdeesha

LodeRunner

Active Member
Apr 27, 2019
553
235
43
Camera is an Amcrest IP8M-2693EW-AI, works fine (though a different switch) using a Ubiquiti POE injector I had laying around.

Code:
1/1/41    Off    Off            0          0  n/a      n/a         3  n/a
1/1/42    On     Off            0          0  n/a      n/a         3  n/a
1/1/43    Off    Off            0          0  n/a      n/a         3  n/a
Maybe I should nuke the switch from orbit and start over? Could I have missed something in the firmware / licensing / etc from the instructions? (I'm still in testing mode, this isn't a production switch yet)
The manual and product page for that camera do not specify which PoE version the camera supports other than (HD IP POE). No listing of if it's 802.3af, at, or bt. The 6610 supports af and at modes. I would remove the power limits from the inline-power statements in case this camera is trying to negotiate for 30W. You're capping all your ports at 15.

At a guess, the injector you were using before is a 802.3at unit supporting 30W. I see lower models of Amcrest cameras saying 802.3at is required in the manual.
 
  • Like
Reactions: itronin

NablaSquaredG

Bringing 100G switches to homelabs
Aug 17, 2020
1,618
1,072
113
RIP 7250-48P...

Bought as "fully functional"
Code:
PoE Severe Error: Hardware Fault with ports 1/1/33 to 1/1/40. Remove PDs and then configure "no inline power" on these ports.
..
show inline power detail
...
Hardware
Version
----------------
UNKNOWN

Device HW version         : 0:V1R3      1:V1R3      2:V1R3      3:V1R3      4:UNKNOWN   5:V1R3     
Device Temperature(deg-C) : 0:37        1:39        2:37        3:37        4:n/a       5:31       
Device Status             : 0:Good      1:Good      2:VOP-Sev1  3:Good      4:Failed    5:Good     



Cumulative Port State Data:
+++++++++++++++++++++++++++

#Ports    #Ports     #Ports   #Ports    #Ports       #Ports     #Ports
Admin-On  Admin-Off  Oper-On  Oper-Off  Off-Denied   Off-No-PD  Off-Fault
-------------------------------------------------------------------------
48        0          0        48        24           24         0
 
  • Sad
Reactions: Silly Valley Serf

Sea Monkey

New Member
Jan 7, 2023
2
1
3
For anyone struggling setting up key-based SSH authentication, as I did, use
Code:
ssh-keygen -t ssh-rsa -b 2048
when generating keys. The default on my system was greater than 2048. Also, add the following to /etc/ssh/ssh_config client-side, replacing values where appropriate.

Code:
Host sens-o-matic sens-o-matic.thegalaxy 192.168.0.100
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa
    KexAlgorithms +diffie-hellman-group1-sha1
    IdentityFile /home/seamonkey/.ssh/brocade
 
Last edited:
  • Like
Reactions: Silly Valley Serf

kpfleming

Active Member
Dec 28, 2021
419
217
43
Pelham NY USA
For anyone struggling setting up key-based SSH authentication, as I did, use
Code:
ssh-keygen -t ssh-rsa 2048
when generating keys. The default on my system was greater than 2048. Also, add the following to /etc/ssh/ssh_config client-side, replacing values where appropriate.

Code:
Host sens-o-matic sens-o-matic.thegalaxy 192.168.0.100
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa
    KexAlgorithms +diffie-hellman-group1-sha1
    IdentityFile /home/seamonkey/.ssh/brocade
Also note that various Linux distributions are putting new security policies in place which disallow usage of SHA1 for various purposes, and that might mean that even a configuration like this won't work unless the system-wide security policy is relaxed. If you try to follow these instructions and your SSH client still won't accept the switch's host key, that may be the reason why.