What's the exact camera model? Also, try one of the end ports, like 42 (be sure to enable inline power)
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)
- Thread starter fohdeesha
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Camera is an Amcrest IP8M-2693EW-AI, works fine (though a different switch) using a Ubiquiti POE injector I had laying around.
Maybe I should nuke the switch from orbit and start over? Could I have missed something in the firmware / licensing / etc from the instructions? (I'm still in testing mode, this isn't a production switch yet)
Code:
1/1/41 Off Off 0 0 n/a n/a 3 n/a
1/1/42 On Off 0 0 n/a n/a 3 n/a
1/1/43 Off Off 0 0 n/a n/a 3 n/aPost up your config maybe - but as long as you have the inline power options you should be good.
I was reading the manual the other day looking for something and i saw there are different styles of POE that can be enabled - is this an old camera ? May be worth reading up on those and also how much power it needs ?
Craig
Thanks for chiming in, Craig, I appreciate it. This is only about a year old, more specs here.
Config information:
Code:
SSH@ICX6610-48P Router(config)#show config
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
module 1 icx6610-48p-poe-port-management-module
module 2 icx6610-qsfp-10-port-160g-module
module 3 icx6610-8-port-10g-dual-mode-module
no legacy-inline-power
stack disable
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
!
aaa authentication web-server default local
aaa authentication login default local
ip dhcp-client disable
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
!
logging buffered 1000
no telnet server
username USER password .....
!
clock summer-time
clock timezone gmt GMT-06
!
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
!
interface ethernet 1/1/1
inline power power-limit 15400
!
interface ethernet 1/1/2
inline power power-limit 15400
!
interface ethernet 1/1/3
inline power power-limit 15400
!
interface ethernet 1/1/4
inline power power-limit 15400
!
interface ethernet 1/1/5
inline power power-limit 15400
!
interface ethernet 1/1/6
inline power power-limit 15400
!
interface ethernet 1/1/7
inline power power-limit 15400
!
interface ethernet 1/1/8
inline power power-limit 15400
!
interface ethernet 1/1/9
inline power power-limit 15400
!
interface ethernet 1/1/10
inline power power-limit 15400
!
interface ethernet 1/1/11
inline power power-limit 15400
!
interface ethernet 1/1/12
inline power power-limit 15400
!
interface ethernet 1/1/13
inline power power-limit 15400
!
interface ethernet 1/1/14
inline power power-limit 15400
!
interface ethernet 1/1/15
inline power power-limit 15400
!
interface ethernet 1/1/16
inline power power-limit 15400
!
interface ethernet 1/1/17
inline power power-limit 15400
!
interface ethernet 1/1/18
inline power power-limit 15400
!
interface ethernet 1/1/19
inline power power-limit 15400
!
interface ethernet 1/1/20
inline power power-limit 15400
!
interface ethernet 1/1/21
inline power power-limit 15400
!
interface ethernet 1/1/22
inline power power-limit 15400
!
interface ethernet 1/1/23
inline power power-limit 15400
!
interface ethernet 1/1/24
inline power power-limit 15400
!
interface ethernet 1/3/1
speed-duplex 10G-full
!
interface ethernet 1/3/2
speed-duplex 10G-full
!
interface ethernet 1/3/3
speed-duplex 10G-full
!
interface ethernet 1/3/4
speed-duplex 10G-full
!
interface ethernet 1/3/5
speed-duplex 10G-full
!
interface ethernet 1/3/6
speed-duplex 10G-full
!
interface ethernet 1/3/7
speed-duplex 10G-full
!
interface ethernet 1/3/8
speed-duplex 10G-full
!
interface ve 1
ip address 192.168.1.200 255.255.255.0
!
end
Last edited:
Plugged in a Ubiquiti WiFi AP and it powers right up:
So! That's progress. I'll keep messing with the camera(s) and trouble shoot from there. Thanks for your attention, sorry for the waste of everyone's time.
-Zak-
Code:
SSH@ICX6610-48P Router(config)#show inline power
Power Capacity: Total is 748000 mWatts. Current Free is 732600 mWatts.
Power Allocations: Requests Honored 26 times
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
State State Consumed Allocated Error
--------------------------------------------------------------------------
1/1/1 On Off 0 0 n/a n/a 3 n/a
1/1/2 On Off 0 0 n/a n/a 3 n/a
1/1/3 On Off 0 0 n/a n/a 3 n/a
1/1/4 On Off 0 0 n/a n/a 3 n/a
1/1/5 On Off 0 0 n/a n/a 3 n/a
1/1/6 On Off 0 0 n/a n/a 3 n/a
1/1/7 On Off 0 0 n/a n/a 3 n/a
1/1/8 On Off 0 0 n/a n/a 3 n/a
1/1/9 On Off 0 0 n/a n/a 3 n/a
1/1/10 On Off 0 0 n/a n/a 3 n/a
1/1/11 On On 3000 15400 802.3af n/a 3 n/a
1/1/12 On Off 0 0 n/a n/a 3 n/a-Zak-
I'm having a problem with L3 features on a 6610. I can't add an IP to an ethernet interface. Not sure if it's a licensing problem. Do I need a ICX6610-PREM-LIC-SW?
I followed Fohdeesha guides when I originally set this up. Apologies if the ICX6610-PREM-LIC-SW license is mentioned in the docs, but I couldn't see a reference to it.
Here's me adding an IP to an interface and failing:
Here's my license:
Here's the firmware:
I followed Fohdeesha guides when I originally set this up. Apologies if the ICX6610-PREM-LIC-SW license is mentioned in the docs, but I couldn't see a reference to it.
Here's me adding an IP to an interface and failing:
Code:
SSH@sw-core#conf t
SSH@sw-core(config)#int ethe 1/1/3
SSH@sw-core(config-if-e1000-1/1/3)#ip address 10.0.0.6/30
Invalid input -> address 10.0.0.6/30
Type ? for a list
SSH@sw-core(config-if-e1000-1/1/3)#
Code:
#show lic
Index Lic Mode Lic Name Lid/Serial No Lic Type Status Lic Period Lic Capacity
Stack unit 1:
2 Node Lock ICX6610-10G-LIC-POD H4CKTH3PLN8 Normal Active Unlimited 8
3 Node Lock ICX-MACSEC-LIC H4CKTH3PLN8 Normal Active Unlimited 1
4 Node Lock ICX6610-ADV-LIC-SW H4CKTH3PLN8 Normal Active Unlimited 1
Code:
show flash
Stack unit 1:
Compressed Pri Code size = 10545591, Version:08.0.30uT7f3 (FCXR08030u.bin)
Compressed Sec Code size = 10543944, Version:08.0.30hT7f3 (FCXR08030h.bin)
Compressed Boot-Monitor Image size = 370695, Version:10.1.00T7f5
Code Flash Free Space = 43646976the "ICX6610-ADV-LIC-SW" license from the guide is the PREM license with even more features, it's not a license issue. you probably have that port in a vlan with a virtual interface assigned to it. when a port is in a vlan, and the vlan has a VE assigned to it, that's where l3 stuff like IP is handled. if you want an IP directly on a port, take the port out of any vlans with l3 VEs on them
Thanks for the info re the Advanced license.
Hmm.....No VLAN on the port (other than VLAN 1). Here's the interface info:
Code:
#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
Port up for 2 hour(s) 24 minute(s) 13 second(s)
Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDI
Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0, mac-learning is enabled
Openflow is Disabled, Openflow Hybrid mode is Disabled, Flow Control is config enabled, oper enabled, negotiation disabled
Mirror enabled, Monitor disabled
Mac-notification is disabled
Not member of any active trunks
Not member of any configured trunks
Port name is SRV-FIREWALL
Inter-Packet Gap (IPG) is 96 bit times
MTU 10200 bytes, encapsulation ethernet
300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 1432 bits/sec, 2 packets/sec, 0.00% utilization
604 packets input, 156541 bytes, 0 no buffer
Received 0 broadcasts, 603 multicasts, 1 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
16586 packets output, 1281589 bytes, 0 underruns
Transmitted 10856 broadcasts, 5722 multicasts, 8 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
Egress queues:
Queue counters Queued packets Dropped Packets
0 8881 0
1 0 0
2 0 0
3 0 0
4 0 0
5 3606 0
6 0 0
7 4099 0
Code:
SSH@sw-core(config-if-e1000-1/1/19)#ip
access-list Configure named access list
add-host-route-first Add host route before sending buffered packets
arp Set ARP option
arp-age Set ARP aging period
as-path Set BGP AS Path filter
bootp-use-intf-ip Use incoming interface IP as source IP
broadcast-zero Enable directed broadcast forwarding
community-list Set BGP Community filter
default-network Configure default network route
dhcp Set DHCP option
dhcp-client DHCP client options
dhcp-server DHCP Server
dhcp-valid-check Check DHCP offer packet for NULL client addr
directed-broadcast Enable directed broadcast forwarding
dns Set DNS properties
dscp-remark Mark IP packets with DSCP parameters
follow-ingress-vrf Follow ingress VRF for replying to SNMP request
forward-protocol Select protocols to be included in broadcast
forwarding
helper-use-responder-ip Retain Responder's Source IP In Reply
hitless-route-purge-timer Time after switchover, to start IPv4 route purge
icmp Control ICMP attacks
igmp Set IGMP properties
igmp-report-control Rate limit forwarding IGMP reports to upstream
Router
irdp Enable IRDP for dynamic route learning
load-sharing Enable IP load sharing
max-mroute Configure maximum multicast route (mroute)
mroute Configure static multicast route
multicast Set IGMP snooping globally
multicast-debug-mode Enable global multicast debug mode for all vrf
multicast-nonstop-routing Enable global multicast nonstop-routing support
for all vrf
multicast-routing Enable global support for Multicast routing and
IGMP
pcp-remark Mark tagged packets with PCP parameters
pimsm-snooping Set PIMSM snooping globally
policy Enable policy routing
prefix-list Build a IPv4 prefix list
preserve-acl-user-input-format
proxy-arp Enable router to act as ARP proxy for its
subnets
radius Configure RADIUS authentication
rarp Enable RARP protocol on this router
route Define static route
router-id Change the router ID already in use
show-acl-service-number Use TCP/UDP service number to display ACL clause
show-portname Display port name for the interface on log
messages
show-service-number-in-log Use App service number in log display
show-subnet-length Change subnet mask display to prefix format
source Set source guard option
source-route Process packets with source routing option
ssh Configure Secure Shell
ssl Configure Secure Socket
syslog Specify syslog options
tacacs Configure TACACS authentication
tcp Control TCP SYN attacks
telnet Specify telnet options
tftp Specify tftp options
ttl Set time-to-live for packets on the network
<cr>did you assign vlan 1 a ve interface? what does "show ip int" and "show int ve 1" show? alternatively you can just paste your whole config here
think it might also have to be in a vlan by itself (no other ports in the vlan), but I can't remember
Code:
SSH@switch-garage-rack-2>show ip int
Interface IP-Address OK? Method Status Protocol VRF
Eth mgmt1 172.16.0.13 YES NVRAM up up default-vrf
SSH@switch-garage-rack-2>show int ve 1
Error - ve 1 was not configuredThere's a bit in here. Sorry in advance!
Code:
SSH@sw-core#show config
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
module 1 icx6610-48p-poe-port-management-module
module 2 icx6610-qsfp-10-port-160g-module
module 3 icx6610-8-port-10g-dual-mode-module
stack disable
!
global-stp
!
!
lag LAG-SW-R2-TOR dynamic id 2
ports ethernet 1/3/5 to 1/3/6
primary-port 1/3/5
deploy
sflow forwarding ethernet 1/3/5
port-name SW-R2-TOR ethernet 1/3/5
sflow forwarding ethernet 1/3/6
port-name SW-R2-TOR ethernet 1/3/6
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree 802-1w
!
vlan 2 name VLAN-VIDEO by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/41 to 1/1/48
router-interface ve 2
!
vlan 3 name VLAN-VOIP by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 3
spanning-tree 802-1w
!
vlan 4 name VLAN-CORP-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 4
spanning-tree 802-1w
!
vlan 5 name VLAN-GUEST by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10
router-interface ve 5
spanning-tree 802-1w
!
vlan 6 name VLAN-CORPORATE by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 6
spanning-tree 802-1w
!
vlan 7 name VLAN-DMZ-1 by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 7
spanning-tree 802-1w
!
vlan 8 name VLAN-IOT by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/35
router-interface ve 8
spanning-tree 802-1w
!
vlan 9 name VLAN-KIDS-WIFI by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 9
spanning-tree 802-1w
!
vlan 10 name VLAN-NET-SVC by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/4
router-interface ve 10
spanning-tree 802-1w
!
vlan 11 name VLAN-APT-CACHE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 11
spanning-tree 802-1w
!
vlan 20 name VLAN-APPS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 20
spanning-tree 802-1w
!
vlan 30 name VLAN-DEV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 30
spanning-tree 802-1w
!
vlan 71 name VLAN-ALEXA by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 71
spanning-tree 802-1w
!
vlan 72 name VLAN-SONOS by port
tagged ethe 1/1/1 ethe 1/2/7 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 72
spanning-tree 802-1w
!
vlan 73 name VLAN-MAILBOX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 73
spanning-tree 802-1w
!
vlan 74 name VLAN-TV by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 74
spanning-tree 802-1w
!
vlan 75 name VLAN-PLEX by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 75
spanning-tree 802-1w
!
vlan 76 name VLAN-SYNCTHING by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 76
spanning-tree 802-1w
!
vlan 77 name VLAN-GAMING by port
tagged ethe 1/1/1 ethe 1/2/2 ethe 1/2/4 to 1/2/10 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/10
router-interface ve 77
spanning-tree 802-1w
!
vlan 78 name VLAN-LOGGING by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 78
spanning-tree 802-1w
!
vlan 81 name VLAN-NEST by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 81
spanning-tree 802-1w
!
vlan 82 name VLAN-ESP-HOME by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 82
spanning-tree 802-1w
!
vlan 83 name VLAN-XIAOMI by port
tagged ethe 1/1/1 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
router-interface ve 83
spanning-tree 802-1w
!
vlan 88 name VLAN-MIKROTIK by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 88
spanning-tree 802-1w
!
vlan 95 name VLAN-BASTION by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/8
router-interface ve 95
spanning-tree 802-1w
!
vlan 96 name VLAN-BACKUP by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
untagged ethe 1/1/6 ethe 1/1/12 ethe 1/1/16
router-interface ve 96
spanning-tree 802-1w
!
vlan 97 name VLAN-TRUENAS by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 97
spanning-tree 802-1w
!
vlan 98 name VLAN-PROXMOX by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/8
router-interface ve 98
spanning-tree 802-1w
!
vlan 99 name VLAN-IPMI by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/2/3 ethe 1/3/1 to 1/3/2 ethe 1/3/8
untagged ethe 1/1/9 ethe 1/1/11 ethe 1/1/15
router-interface ve 99
spanning-tree 802-1w
!
vlan 100 name VLAN-STORAGE by port
tagged ethe 1/1/1 ethe 1/3/1 to 1/3/8
router-interface ve 100
spanning-tree 802-1w
!
vlan 202 name VLAN-HIKVISION by port
tagged ethe 1/3/1 to 1/3/8
spanning-tree 802-1w
!
!
!
!
!
system-max l3-vlan 64
system-max ip-route 4096
system-max ip-route-default-vrf 1024
system-max ip6-route-default-vrf 100
system-max ip-route-vrf 128
system-max ip6-route-vrf 64
system-max max-dhcp-snoop-entries 2048
!
aaa authentication web-server default local
aaa authentication login default local
jumbo
enable password-display
enable telnet authentication
enable aaa console
enable user password-masking
hostname sw-core
ip dhcp-client disable
ip dns domain-list kellgari.local
ip dns domain-list kellgari
ip dns server-address 10.0.1.1 10.0.10.10 10.0.10.20 1.1.1.1
ip forward-protocol udp 5353
ip forward-protocol udp bootps
ip proxy-arp
ip route 0.0.0.0/0 172.16.0.1
ip router-id 172.16.0.14
ip multicast query-interval 120
!
logging host 10.0.78.10
logging console
mirror-port ethernet 1/1/3
!
username root password 8 XXXXXXX
radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 default key 2 XXXXXXX
cdp run
fdp run
snmp-server community 2 $JiYmJiY= ro
snmp-server community 2 $U2kyXj1k ro
!
!
clock timezone gmt GMT+10
!
!
ntp
disable serve
server 10.0.1.1
!
!
web-management https
ssh access-group 90
ip multicast-routing
!
router ospf
area 0
redistribute connected
!
!
!
!
!
!
router pim
bsr-candidate ethernet 1/1/1 30 255
!
!
interface ethernet 1/1/1
port-name ROUTER
dual-mode
sflow forwarding
!
interface ethernet 1/1/2
port-name AP-GARAGE
dual-mode
inline power
sflow forwarding
!
interface ethernet 1/1/3
port-name SRV-FIREWALL
sflow forwarding
!
interface ethernet 1/1/4
port-name PI-DHCP-1
dhcp snooping trust
inline power priority 1 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/5
port-name PI-MONITORING-1
inline power
sflow forwarding
!
interface ethernet 1/1/6
port-name SW-R1-TOR-MANAGEMENT
sflow forwarding
!
interface ethernet 1/1/7
sflow forwarding
!
interface ethernet 1/1/8
port-name PI-BASTION-1
inline power
sflow forwarding
!
interface ethernet 1/1/9
port-name SRV-FIREWALL-IPMI
sflow forwarding
!
interface ethernet 1/1/10
port-name PC-GAMING
sflow forwarding
!
interface ethernet 1/1/11
port-name SRV-BACKUP-1-IPMI
sflow forwarding
!
interface ethernet 1/1/12
port-name SRV-BACKUP-1
sflow forwarding
!
interface ethernet 1/1/13
port-name PC-LOCAL-MGMT
sflow forwarding
!
interface ethernet 1/1/14
port-name PI-KVM-1
inline power priority 2 power-by-class 4
sflow forwarding
!
interface ethernet 1/1/15
port-name SRV-BACKUP-2-IPMI
sflow forwarding
!
interface ethernet 1/1/16
port-name SRV-BACKUP-2
sflow forwarding
!
interface ethernet 1/1/17
sflow forwarding
!
interface ethernet 1/1/18
sflow forwarding
!
interface ethernet 1/1/19
sflow forwarding
!
interface ethernet 1/1/20
sflow forwarding
!
interface ethernet 1/1/21
sflow forwarding
!
interface ethernet 1/1/22
sflow forwarding
!
interface ethernet 1/1/23
sflow forwarding
!
interface ethernet 1/1/24
sflow forwarding
!
interface ethernet 1/1/25
sflow forwarding
!
interface ethernet 1/1/26
sflow forwarding
!
interface ethernet 1/1/27
sflow forwarding
!
interface ethernet 1/1/28
sflow forwarding
!
interface ethernet 1/1/29
sflow forwarding
!
interface ethernet 1/1/30
sflow forwarding
!
interface ethernet 1/1/31
sflow forwarding
!
interface ethernet 1/1/32
sflow forwarding
!
interface ethernet 1/1/33
sflow forwarding
!
interface ethernet 1/1/34
sflow forwarding
!
interface ethernet 1/1/35
port-name TRADFRI
sflow forwarding
!
interface ethernet 1/1/36
sflow forwarding
!
interface ethernet 1/1/37
sflow forwarding
!
interface ethernet 1/1/38
sflow forwarding
!
interface ethernet 1/1/39
sflow forwarding
!
interface ethernet 1/1/40
sflow forwarding
!
interface ethernet 1/1/41
port-name CAM-1
inline power
sflow forwarding
!
interface ethernet 1/1/42
port-name CAM-2
inline power
sflow forwarding
!
interface ethernet 1/1/43
port-name CAM-3
inline power
sflow forwarding
!
interface ethernet 1/1/44
port-name CAM-4
inline power
sflow forwarding
!
interface ethernet 1/1/45
port-name CAM-5
inline power
sflow forwarding
!
interface ethernet 1/1/46
port-name CAM-6
inline power
sflow forwarding
!
interface ethernet 1/1/47
inline power
sflow forwarding
!
interface ethernet 1/1/48
inline power
sflow forwarding
!
interface ethernet 1/2/1
dual-mode
sflow forwarding
!
interface ethernet 1/2/2
sflow forwarding
!
interface ethernet 1/2/3
dual-mode
sflow forwarding
!
interface ethernet 1/2/4
sflow forwarding
!
interface ethernet 1/2/5
sflow forwarding
!
interface ethernet 1/2/6
sflow forwarding
!
interface ethernet 1/2/7
dual-mode
sflow forwarding
!
interface ethernet 1/2/8
port-name SW-LOUNGE
dual-mode
sflow forwarding
!
interface ethernet 1/2/9
port-name SW-OFFICE
dual-mode
sflow forwarding
!
interface ethernet 1/2/10
port-name SW-MASTER
dual-mode
sflow forwarding
!
interface ethernet 1/3/1
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/2
dual-mode
speed-duplex 10G-full
tag-profile enable
!
interface ethernet 1/3/3
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/4
dual-mode
disable
speed-duplex 10G-full
!
interface ethernet 1/3/5
port-name SW-R2-TOR
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/7
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/8
dual-mode
speed-duplex 10G-full
!
interface ve 1
ip address 172.16.0.14 255.255.255.0
ip helper-address 1 10.0.10.34
ip ospf area 0
!
interface ve 2
port-name VLAN-VIDEO
ip access-group VIDEO-IN in
ip address 192.168.1.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 3
port-name VLAN-VOIP
ip address 172.16.3.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 4
port-name CORP-WIRELESS
acl-logging
ip access-group CORP-IN in
ip address 172.16.4.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 5
port-name VLAN-GUEST
ip access-group GUEST-IN in
ip address 172.16.5.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 6
port-name CORP-WIRED
ip access-group CORP-IN in
ip address 172.16.6.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 7
port-name VLAN-DMZ-1
ip address 10.0.7.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 8
port-name VLAN-IOT
ip address 10.0.8.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 9
port-name "VLAN-KIDS"
ip access-group KIDS-IN in
ip address 10.0.9.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 10
port-name VLAN-NET-SVC
ip address 10.0.10.250 255.255.255.0
!
interface ve 11
port-name VLAN-APT-CACHE
ip access-group APT-CACHE-IN in
ip address 10.0.11.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 20
port-name VLAN-APPS
ip address 10.0.20.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 30
port-name VLAN-DEV
ip address 10.0.30.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 71
port-name VLAN-ALEXA
ip access-group ALEXA-IN in
ip address 10.0.71.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 72
port-name VLAN-SONOS
ip address 10.0.72.250 255.255.255.0
ip pim
ip helper-address 1 10.0.10.34
!
interface ve 73
port-name VLAN-MAILBOX
ip address 10.0.73.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 74
port-name VLAN-TV
ip address 10.0.74.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 75
port-name VLAN-PLEX
ip address 10.0.75.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 76
port-name VLAN-SYNCTHING
ip access-group ALL-IN in
ip address 10.0.76.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 77
port-name VLAN-GAMING
ip access-group GAMING-IN in
ip address 10.0.77.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 78
port-name VLAN-LOGGING
ip access-group LOGGING-IN in
ip address 10.0.78.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 81
port-name VLAN-NEST
ip access-group IOT-NEST-IN in
ip address 10.0.81.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 82
port-name VLAN-ESP-HOME
ip helper-address 1 10.0.10.34
!
interface ve 83
port-name VLAN-XIAOMI
ip access-group IOT-XAIOMI-IN in
ip address 10.0.83.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 88
port-name VLAN-MIKROTIK
ip address 192.168.88.1 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 95
port-name VLAN-BASTION
ip address 172.16.95.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 96
port-name VLAN-BACKUP
ip access-group BACKUP-IN in
ip address 172.16.96.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 97
port-name VLAN-TRUENAS
ip access-group ALL-IN in
ip address 172.16.97.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 98
port-name VLAN-PROXMOX
ip address 172.16.98.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 99
port-name VLAN-IPMI
ip address 172.16.99.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
interface ve 100
port-name VLAN-STORAGE
ip address 10.0.100.250 255.255.255.0
ip helper-address 1 10.0.10.34
!
!
!
ip access-list extended ALEXA-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended ALL-IN
permit ip any any
!
ip access-list extended APPS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended APT-CACHE-IN
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended BACKUP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended CORP-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit plex tcp ingress
permit tcp any host 10.0.20.41 eq 32400
remark permit sonos controller tcp in
permit tcp any 10.0.72.0 0.0.0.255 eq 1400
permit tcp any 10.0.72.0 0.0.0.255 eq 1433
permit tcp any 10.0.72.0 0.0.0.255 eq 1443
permit tcp any 10.0.72.0 0.0.0.255 eq 4444
remark permit airplay controller udp in
permit udp any 10.0.72.0 0.0.0.255 eq ptp-event
permit udp any 10.0.72.0 0.0.0.255 eq ptp-gen
permit udp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit airplay controller udp in
permit tcp any 10.0.72.0 0.0.0.255 eq 7000
permit tcp any 10.0.72.0 0.0.0.255 range 30000 65535
remark permit local app servers
permit tcp any 10.0.20.0 0.0.0.255
remark permit corp tcp in
permit tcp any 172.16.4.0 0.0.0.255
permit tcp any 172.16.6.0 0.0.0.255
remark permit corp udp in
permit udp any 172.16.4.0 0.0.0.255
permit udp any 172.16.6.0 0.0.0.255
remark permit smb tcp ingress
permit tcp any host 10.0.100.20 range 137 netbios-ssn
permit tcp any host 10.0.100.20 eq microsoft-ds
remark permit smb tcp ingress
permit udp any host 10.0.100.20 range netbios-ns netbios-ssn
permit udp any host 10.0.100.20 eq microsoft-ds
remark permit management-workstations tcp ingress
permit tcp host 172.16.6.103 any
remark permit management-workstations udp ingress
permit udp host 172.16.6.103 any
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit gaming tcp in
permit tcp any 10.0.77.0 0.0.0.255
remark permit gaming udp in
permit udp any 10.0.77.0 0.0.0.255
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended GAMING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit virtualhere USB access to desktop PC
permit udp any host 172.16.6.103 eq 7575
remark permit virtualhere USB access to desktop PC
permit tcp any host 172.16.6.103 eq 7575
remark permit Parsec access to corp network
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
remark permit Parsec access to corp network
permit udp any range 8000 8010 172.16.4.0 0.0.0.255
permit udp any range 8000 8010 172.16.6.0 0.0.0.255
remark permit RDP udp access to corp network
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark permit steamlink access to corp network
permit udp any eq 27031 172.16.4.0 0.0.0.255
permit udp any eq 27036 172.16.4.0 0.0.0.255
permit udp any eq 27031 172.16.6.0 0.0.0.255
permit udp any eq 27036 172.16.6.0 0.0.0.255
remark permit RDP tcp access to corp network
permit tcp any eq 27036 172.16.4.0 0.0.0.255
permit tcp any eq 27037 172.16.4.0 0.0.0.255
permit tcp any eq 27036 172.16.6.0 0.0.0.255
permit tcp any eq 27037 172.16.6.0 0.0.0.255
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
remark deny all networks
deny ip any any
!
ip access-list extended GUEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-NEST-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended IOT-XAIOMI-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended KIDS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit kids dns udp access
permit udp any host 10.0.10.30 eq dns
remark permit kids dns tcp access
permit tcp any host 10.0.10.30 eq dns
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark deny local networks
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended LOGGING-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended NET-SVC-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended SONOS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit igmp in
permit igmp any any
remark permit ssdp udp
permit ip any host 239.255.255.250
remark permit sonos device tcp in
permit tcp any host 10.0.20.35 eq 3400
permit tcp any host 10.0.20.35 eq 3401
permit tcp any host 10.0.20.35 eq 3500
permit tcp any 172.16.4.0 0.0.0.255 eq 3400
permit tcp any 172.16.4.0 0.0.0.255 eq 3401
permit tcp any 172.16.4.0 0.0.0.255 eq 3500
permit tcp any 172.16.6.0 0.0.0.255 eq 3400
permit tcp any 172.16.6.0 0.0.0.255 eq 3401
permit tcp any 172.16.6.0 0.0.0.255 eq 3500
remark permit airplay device udp in
permit udp any host 10.0.20.35 eq ptp-event
permit udp any host 10.0.20.35 eq ptp-gen
permit udp any 172.16.4.0 0.0.0.255 eq ptp-event
permit udp any 172.16.4.0 0.0.0.255 eq ptp-gen
permit udp any 172.16.6.0 0.0.0.255 eq ptp-event
permit udp any 172.16.6.0 0.0.0.255 eq ptp-gen
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TRUENAS-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark permit site dns udp access
permit udp any host 10.0.1.1 eq dns
remark permit site dns tcp access
permit tcp any host 10.0.1.1 eq dns
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit ad udp access
permit udp any host 10.0.10.10 eq dns
permit udp any host 10.0.10.10 eq kerberos
permit udp any host 10.0.10.10 eq ntp
permit udp any host 10.0.10.10 eq ldap
permit udp any host 10.0.10.10 eq kpasswd
permit udp any host 10.0.10.20 eq dns
permit udp any host 10.0.10.20 eq kerberos
permit udp any host 10.0.10.20 eq ntp
permit udp any host 10.0.10.20 eq ldap
permit udp any host 10.0.10.20 eq kpasswd
remark permit ad tcp access
permit tcp any host 10.0.10.10 eq dns
permit tcp any host 10.0.10.10 eq kerberos
permit tcp any host 10.0.10.10 eq loc-srv
permit tcp any host 10.0.10.10 eq ldap
permit tcp any host 10.0.10.10 eq microsoft-ds
permit tcp any host 10.0.10.10 eq kpasswd
permit tcp any host 10.0.10.10 eq ldaps
permit tcp any host 10.0.10.10 eq 3268
permit tcp any host 10.0.10.10 eq 3269
permit tcp any host 10.0.10.20 eq dns
permit tcp any host 10.0.10.20 eq kerberos
permit tcp any host 10.0.10.20 eq loc-srv
permit tcp any host 10.0.10.20 eq ldap
permit tcp any host 10.0.10.20 eq microsoft-ds
permit tcp any host 10.0.10.20 eq kpasswd
permit tcp any host 10.0.10.20 eq ldaps
permit tcp any host 10.0.10.20 eq 3268
permit tcp any host 10.0.10.20 eq 3269
remark permit apt proxy tcp in
permit tcp any host 10.0.11.10 eq 3142
remark permit site smtp tcp access
permit tcp any host 10.0.1.1 eq smtp
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit all networks (ie internet)
permit ip any any
!
ip access-list extended TV-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
ip access-list extended VIDEO-IN
remark permit all ICMP from internal networks
permit icmp 10.0.0.0 0.255.255.255 any
permit icmp 172.16.0.0 0.15.255.255 any
permit icmp 192.168.0.0 0.0.255.255 any
remark permit responses to any tcp established sessions
permit tcp any any established
remark permit ntp udp
permit udp any host 10.0.1.1 eq ntp
remark permit ntp tcp
permit tcp any host 10.0.1.1 eq 123
remark deny dns udp access
deny udp any any eq dns log
remark deny dns tcp access
deny tcp any any eq dns log
remark permit local DHCP udp access
permit udp any eq bootps any eq bootpc
remark permit local DHCP udp access
permit udp any eq bootpc any eq bootps
remark permit rtsp udp access to blue iris servers
permit udp any host 10.0.20.28 eq rtsp
remark permit rtsp tcp access to blue iris servers
permit tcp any host 10.0.20.28 eq rtsp
remark deny all networks
deny ip any any
!
ip access-list extended XBOX-IN
permit icmp any any
permit tcp any any established
remark allow multicast
permit ip any 224.0.0.0 15.255.255.255
remark allow DNS
permit udp any host 10.0.1.1 eq dns
remark allow NTP
permit tcp any host 10.0.1.1 eq 123
permit udp any host 10.0.1.1 eq ntp
remark allow parsec ports
permit udp any 172.16.4.0 0.0.0.255 eq 9000
permit udp any 172.16.6.0 0.0.0.255 eq 9000
permit udp any eq 3389 172.16.4.0 0.0.0.255
permit tcp any eq 3389 172.16.4.0 0.0.0.255
permit udp any eq 3389 172.16.6.0 0.0.0.255
permit tcp any eq 3389 172.16.6.0 0.0.0.255
remark deny all local networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 192.16.0.0 0.0.0.255
remark allow internet
permit ip any any
!
!
sflow destination 10.0.1.1
!
lldp run
!
!
!
!
end
SSH@sw-core#right off the bat I see you have that port (1/1/3) configured as a mirror port, which obviously can't have an IP
Thanks that was stupid of me. I've removed the mirror port and it's still not allowing me to add an IP addr. For the sake of testing, here's another port 1/1/19 that's unused.
Code:
SSH@sw-core(config)#show int ethe 1/1/19
GigabitEthernet1/1/19 is down, line protocol is down
Port down for 9 day(s) 23 hour(s) 4 minute(s) 24 second(s)
Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c15a)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Configured mdi mode AUTO, actual unknown
Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0, mac-learning is enabled
Openflow is Disabled, Openflow Hybrid mode is Disabled, Flow Control is config enabled, oper disabled, negotiation disabled
Mirror disabled, Monitor disabled
Mac-notification is disabled
Not member of any active trunks
Not member of any configured trunks
No port name
Inter-Packet Gap (IPG) is 96 bit times
MTU 10200 bytes, encapsulation ethernet
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 multicasts, 0 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
0 packets output, 0 bytes, 0 underruns
Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
Egress queues:
Queue counters Queued packets Dropped Packets
0 0 0
1 0 0
2 0 0
3 0 0
4 0 0
5 0 0
6 0 0
7 0 0
Code:
SSH@sw-core(config)#int ethe 1/1/19
SSH@sw-core(config-if-e1000-1/1/19)#ip add
add-host-route-first Add host route before sending buffered packets
SSH@sw-core(config-if-e1000-1/1/19)#ip address 10.0.0.6/30
Invalid input -> address 10.0.0.6/30
Type ? for a listcan you create a new vlan with nothing in it, no other ports or VEs, and put 1/1/3 in it? then try to add an ip? I don't remember shit about adding IPs directly to ports as I almost never do it (use VEs)
Code:
SSH@sw-core(config)#vlan 250 name VLAN-CORE-FW by port
SSH@sw-core(config-vlan-250)# untagged ethe 1/1/3
Added untagged port(s) ethe 1/1/3 to port-vlan 250.
SSH@sw-core(config-vlan-250)# router-interface ve 250
SSH@sw-core(config-vlan-250)#!
SSH@sw-core(config-vlan-250)#
SSH@sw-core(config-vlan-250)#interface ve 250
SSH@sw-core(config-vif-250)# port-name VLAN-CORE-FW
SSH@sw-core(config-vif-250)# ip address 10.0.0.6 255.255.255.252
SSH@sw-core(config-vif-250)#!
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#
SSH@sw-core(config-vif-250)#exit
SSH@sw-core(config)#write mem
........Write startup-config done.
SSH@sw-core(config)#Flash Memory Write (8192 bytes per dot) .....
Copy Done.
SSH@sw-core(config)#show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
Port up for 2 hour(s) 46 minute(s) 42 second(s)
Hardware is GigabitEthernet, address is 748e.f8fe.c148 (bia 748e.f8fe.c14a)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDI
Member of L2 VLAN ID 250, port is untagged, port state is FORWARDING
BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0, mac-learning is enabled
Openflow is Disabled, Openflow Hybrid mode is Disabled, Flow Control is config enabled, oper enabled, negotiation disabled
Mirror disabled, Monitor disabled
Mac-notification is disabled
Not member of any active trunks
Not member of any configured trunks
Port name is SRV-FIREWALL
Inter-Packet Gap (IPG) is 96 bit times
MTU 10200 bytes, encapsulation ethernet
300 second input rate: 136 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 3408 bits/sec, 6 packets/sec, 0.00% utilization
698 packets input, 180887 bytes, 0 no buffer
Received 0 broadcasts, 697 multicasts, 1 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
22372 packets output, 1690568 bytes, 0 underruns
Transmitted 15290 broadcasts, 7068 multicasts, 14 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
Egress queues:
Queue counters Queued packets Dropped Packets
0 13296 0
1 0 0
2 0 0
3 0 0
4 0 0
5 4250 0
6 0 0
7 4826 0
SSH@sw-core(config)#show vlan br
System-max vlan Params: Max(4095) Default(64) Current(64)
Default vlan Id :1
Total Number of Vlan Configured :33
VLANs Configured :1 to 11 20 30 71 to 78 81 to 83 88 95 to 100 202 250well I meant put it in a new empty vlan *without* a VE to see if you could assign an IP directly to the port then, but that works too lol
I think @fohdeesha meant to create a VLAN without adding a VE to it and then adding an IP address to the port.
i.e. it is a member of a L2 VLAN and you give it an IP address.
Craig
Yeah that works. I can ping the VE 10.0.0.6 ok. But I can't ping the firewall that's sitting on the other side of 1/1/3 on 10.0.0.5 when using a VE
Code:
SSH@sw-core#show ip route
Total number of IP routes: 32
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1 0.0.0.0/0 172.16.0.1 ve 1 1/1 S 9d23h
2 10.0.0.4/30 DIRECT ve 250 0/0 D 8m29s
3 10.0.7.0/24 DIRECT ve 7 0/0 D 9d23h
4 10.0.8.0/24 DIRECT ve 8 0/0 D 9d23h
5 10.0.9.0/24 DIRECT ve 9 0/0 D 9d23h
6 10.0.10.0/24 DIRECT ve 10 0/0 D 9d23h
7 10.0.11.0/24 DIRECT ve 11 0/0 D 9d23h
8 10.0.20.0/24 DIRECT ve 20 0/0 D 9d23h
9 10.0.30.0/24 DIRECT ve 30 0/0 D 9d23h
10 10.0.71.0/24 DIRECT ve 71 0/0 D 9d23h
11 10.0.72.0/24 DIRECT ve 72 0/0 D 9d23h
12 10.0.73.0/24 DIRECT ve 73 0/0 D 9d23h
13 10.0.74.0/24 DIRECT ve 74 0/0 D 9d23h
14 10.0.75.0/24 DIRECT ve 75 0/0 D 9d23h
15 10.0.76.0/24 DIRECT ve 76 0/0 D 9d23h
16 10.0.77.0/24 DIRECT ve 77 0/0 D 9d23h
17 10.0.78.0/24 DIRECT ve 78 0/0 D 9d23h
18 10.0.81.0/24 DIRECT ve 81 0/0 D 9d23h
19 10.0.83.0/24 DIRECT ve 83 0/0 D 9d23h
20 10.0.100.0/24 DIRECT ve 100 0/0 D 9d23h
21 172.16.0.0/24 DIRECT ve 1 0/0 D 9d23h
22 172.16.3.0/24 DIRECT ve 3 0/0 D 9d23h
23 172.16.4.0/24 DIRECT ve 4 0/0 D 9d23h
24 172.16.5.0/24 DIRECT ve 5 0/0 D 9d23h
25 172.16.6.0/24 DIRECT ve 6 0/0 D 9d23h
26 172.16.95.0/24 DIRECT ve 95 0/0 D 9d23h
27 172.16.96.0/24 DIRECT ve 96 0/0 D 9d23h
28 172.16.97.0/24 DIRECT ve 97 0/0 D 9d23h
29 172.16.98.0/24 DIRECT ve 98 0/0 D 9d23h
30 172.16.99.0/24 DIRECT ve 99 0/0 D 9d23h
31 192.168.1.0/24 DIRECT ve 2 0/0 D 9d23h
32 192.168.88.0/24 DIRECT ve 88 0/0 D 9d23hOk...by creating a VLAN with no VE and then putting the port in the VLAN I can now assign an IP to that interface.
Code:
SH@sw-core(config-if-e1000-1/1/3)#no vlan 250
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#no ve 250
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#
SSH@sw-core(config-if-e1000-1/1/3)#vlan 250 name VLAN-CORE-FW by port
SSH@sw-core(config-vlan-250)# untagged ethe 1/1/3
Added untagged port(s) ethe 1/1/3 to port-vlan 250.
SSH@sw-core(config-vlan-250)#!
SSH@sw-core(config-vlan-250)#int ethe 1/1/3
SSH@sw-core(config-if-e1000-1/1/3)#ip address 10.0.0.6/30
SSH@sw-core(config-if-e1000-1/1/3)#exit
SSH@sw-core(config)#
SSH@sw-core#sho ip route
Total number of IP routes: 32
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1 0.0.0.0/0 172.16.0.1 ve 1 1/1 S 9d23h
2 10.0.0.4/30 DIRECT e 1/1/3 0/0 D 0m47s
3 10.0.7.0/24 DIRECT ve 7 0/0 D 9d23h
4 10.0.8.0/24 DIRECT ve 8 0/0 D 9d23h
5 10.0.9.0/24 DIRECT ve 9 0/0 D 9d23h
6 10.0.10.0/24 DIRECT ve 10 0/0 D 9d23h
7 10.0.11.0/24 DIRECT ve 11 0/0 D 9d23h
8 10.0.20.0/24 DIRECT ve 20 0/0 D 9d23h
9 10.0.30.0/24 DIRECT ve 30 0/0 D 9d23h
10 10.0.71.0/24 DIRECT ve 71 0/0 D 9d23h
11 10.0.72.0/24 DIRECT ve 72 0/0 D 9d23h
12 10.0.73.0/24 DIRECT ve 73 0/0 D 9d23h
13 10.0.74.0/24 DIRECT ve 74 0/0 D 9d23h
14 10.0.75.0/24 DIRECT ve 75 0/0 D 9d23h
15 10.0.76.0/24 DIRECT ve 76 0/0 D 9d23h
16 10.0.77.0/24 DIRECT ve 77 0/0 D 9d23h
17 10.0.78.0/24 DIRECT ve 78 0/0 D 9d23h
18 10.0.81.0/24 DIRECT ve 81 0/0 D 9d23h
19 10.0.83.0/24 DIRECT ve 83 0/0 D 9d23h
20 10.0.100.0/24 DIRECT ve 100 0/0 D 9d23h
21 172.16.0.0/24 DIRECT ve 1 0/0 D 9d23h
22 172.16.3.0/24 DIRECT ve 3 0/0 D 9d23h
23 172.16.4.0/24 DIRECT ve 4 0/0 D 9d23h
24 172.16.5.0/24 DIRECT ve 5 0/0 D 9d23h
25 172.16.6.0/24 DIRECT ve 6 0/0 D 9d23h
26 172.16.95.0/24 DIRECT ve 95 0/0 D 9d23h
27 172.16.96.0/24 DIRECT ve 96 0/0 D 9d23h
28 172.16.97.0/24 DIRECT ve 97 0/0 D 9d23h
29 172.16.98.0/24 DIRECT ve 98 0/0 D 9d23h
30 172.16.99.0/24 DIRECT ve 99 0/0 D 9d23h
31 192.168.1.0/24 DIRECT ve 2 0/0 D 9d23h
32 192.168.88.0/24 DIRECT ve 88 0/0 D 9d23h