Configuration Cisco Catalyst 2960X

Fat Configuration

Configuration Cisco Catalyst 2960X

Au ResEl, nous fournissons Internet à plus de 700 chambres réparties entre Brest et Rennes.

La plupart de nos switchs de distribution sont des Switchs Cisco 2960/2960X. Du 802.1x est réalisé en Ethernet (Dot1x, puis MacBypass, puis fallback sur portail captif).

Voici une des configurations en production, réalisée conjointement avec Benjamin Somers, qui a réalisé toute la configuration radius et développé une API en backend de Freeradius (ouais, il gère de ouf ._.)

Ce switch a la particularité de fournir le réseau et le PoE sur les bornes Wi-Fi du bâtiment, en plus de desservir des résidents.

Building configuration…
 Current configuration : 14919 bytes
 !
 ! Last configuration change at 12:43:03 GMT Wed Oct 28 2020
 !
 version 15.2
 no service pad
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname swbr-i12-02
 !
 boot-start-marker
 boot-end-marker
 !
 !
 username admin privilege 15 password 7 SECRET_HERE
 aaa new-model
 !
 !
 aaa group server radius user-radius
  server-private 10.3.12.1 auth-port 1812 acct-port 1813 key SECRET_HERE
  server-private 10.3.12.101 auth-port 1812 acct-port 1813 key SECRET_HERE
 !
 aaa group server radius admin-radius
  server-private 10.3.12.2 auth-port 1812 acct-port 1813 key SECRET_HERE
  server-private 10.3.12.102 auth-port 1812 acct-port 1813 key SECRET_HERE
 !
 aaa authentication login default group admin-radius local
 aaa authentication login console local
 aaa authentication enable default none
 aaa authentication dot1x default group user-radius
 aaa authorization console
 aaa authorization exec default group admin-radius local if-authenticated
 aaa authorization network default group radius
 !
 !
 !
 !
 !
 !
 aaa session-id common
 clock timezone GMT 1 0
 clock summer-time GMT+2 recurring last Sun Mar 3:00 last Sun Oct 2:00
 switch 1 provision ws-c2960x-24pd-l
 !
 !
 !
 !
 !
 !
 vtp domain ResEl
 vtp mode transparent
 !
 !
 !
 !
 !
 !
 !
 crypto pki trustpoint TP-self-signed-1569061504
  enrollment selfsigned
  serial-number
  ip-address Vlan998
  revocation-check crl
  rsakeypair swbr-12-02
 !
 !
 crypto pki certificate chain TP-self-signed-1569061504
  certificate self-signed 01
   CERT_HERE
         quit
 dot1x system-auth-control
 !
 spanning-tree mode pvst
 spanning-tree extend system-id
 no spanning-tree vlan 2117-2700,2750-2950
 !
 !
 !
 !
 vlan internal allocation policy ascending
 !
 vlan 1101
  name system_switch
 !
 vlan 1201
  name ap_wifi
 !
 vlan 1301
  name public_captive_wlan
 !
 vlan 1302
  name public_captive_lan
 !
 vlan 1310
  name public_registration
 !
 vlan 1311
  name public_register_tag
 !
 vlan 1412
  name user_lan_i12
 !
 vlan 1451
  name user_wifi
 !
 vlan 1452
  name user_wifi_free
 !
 vlan 1481
  name user_bde
 !
 vlan 2000-2700,2750-2950
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface FastEthernet0
  no ip address
 !
 interface GigabitEthernet1/0/1
  description "I12 24"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/2
  description "I12 26"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/3
  description "I12 27"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/4
  description "I12 28"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/5
  description "I12 29"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/6
  description "I12 30"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/7
  description "I12 31"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/8
  description "I12 32"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/9
  description "I12 33"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/10
  description "Dispo User 1"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/11
  description "Dispo User 2"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/12
  description "Dispo User 3"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/13
  description "Dispo User 4"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/14
  description "ap-12-01-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/15
  description "ap-12-02-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/16
  description "ap-12-03-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/17
  description "ap-12-04-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/18
  description "ap-12-05-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/19
  description "ap-12-06-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/20
  description "ap-12-07-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/21
  description "ap-12-08-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/22
  description "ap-12-09-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/23
  description "ap-12-10-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/24
  description "ap-12-11-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/25
  description Uplink vers swbr-12-01
  switchport mode trunk
  ip dhcp snooping trust
 !
 interface GigabitEthernet1/0/26
  switchport mode trunk
  ip dhcp snooping trust
 !
 interface TenGigabitEthernet1/0/1
  switchport mode trunk
  ip dhcp snooping trust
 !
 interface TenGigabitEthernet1/0/2
  switchport mode trunk
  ip dhcp snooping trust
 !
 interface Vlan1
  no ip address
 !
 interface Vlan995
  no ip address
 !
 interface Vlan998
  ip address 172.22.0.121 255.255.254.0
  no ip route-cache
 !
 interface Vlan999
  no ip address
 !
 interface Vlan1101
  description system_switch
  ip address 10.0.88.2 255.255.128.0
  ip accounting mac-address input
  ip accounting mac-address output
  no ip route-cache
 !
 ip default-gateway 10.0.127.254
 no ip http server
 ip http secure-server
 !
 !
 !
 snmp-server community public RO ACL_SNMP
 snmp-server queue-length 100
 snmp-server location BR-I12 [48.35809,-4.57231]
 snmp-server contact Association ResEl
 snmp-server system-shutdown
 snmp-server enable traps storm-control trap-rate 5
 snmp-server enable traps mac-notification change move threshold
 snmp-server host 172.22.1.212 version 2c public
 !
 radius-server dead-criteria tries 2
 radius-server deadtime 1
 !
 no vstack
 !
 line con 0
 line vty 0 4
  privilege level 15
 line vty 5 15
  privilege level 15
 !
 ntp server 172.22.1.254
 !
 end

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *