Configuration Cisco Catalyst 2960X

Au ResEl, nous fournissons Internet à plus de 700 chambres réparties entre Brest et Rennes.

La plupart de nos switchs de distribution sont des switchs Cisco 2960/2960X. Sur les ports Ethernet, l'authentification 802.1X est réalisée en cascade (Dot1x, puis MAC Authentication Bypass, puis repli sur le portail captif).

Voici une des configurations en production, réalisée conjointement avec Benjamin Somers, qui a réalisé toute la configuration radius et développé une API en backend de Freeradius (ouais, il gère de ouf ._.)

Ce switch a la particularité de fournir le réseau et le PoE sur les bornes Wi-Fi du bâtiment, en plus de desservir des résidents.

Building configuration…
 Current configuration : 14919 bytes
 !
 ! Last configuration change at 12:43:03 GMT Wed Oct 28 2020
 !
 version 15.2
 no service pad
 service timestamps debug datetime msec
 service timestamps log datetime msec
 ! Only controls how passwords are displayed; type 7 is reversible anyway,
 ! so the real protection is using 'secret' (hashed) for local users.
 no service password-encryption
 !
 hostname swbr-i12-02
 !
 boot-start-marker
 boot-end-marker
 !
 !
 ! Local fallback administrator, used when admin-radius does not answer (see login default).
 ! 'password 7' is reversible; prefer 'username admin privilege 15 secret <...>'.
 username admin privilege 15 password 7 SECRET_HERE
 aaa new-model
 !
 !
 ! RADIUS group for end-user 802.1X/MAB. server-private scopes these servers to this group only.
 aaa group server radius user-radius
  server-private 10.3.12.1 auth-port 1812 acct-port 1813 key SECRET_HERE
  server-private 10.3.12.101 auth-port 1812 acct-port 1813 key SECRET_HERE
 !
 ! Separate RADIUS group for administrator login / exec authorization.
 aaa group server radius admin-radius
  server-private 10.3.12.2 auth-port 1812 acct-port 1813 key SECRET_HERE
  server-private 10.3.12.102 auth-port 1812 acct-port 1813 key SECRET_HERE
 !
 ! Remote logins: admin-radius first, local user only if the whole group is unreachable.
 aaa authentication login default group admin-radius local
 ! Console never consults RADIUS.
 aaa authentication login console local
 ! 'enable' is not challenged at all; tolerable only because every vty already lands at privilege 15.
 aaa authentication enable default none
 ! 802.1X/MAB requests go to user-radius; there is no local fallback for end users.
 aaa authentication dot1x default group user-radius
 aaa authorization console
 aaa authorization exec default group admin-radius local if-authenticated
 ! NOTE(review): this references the global 'radius' group, not 'user-radius'. Since the
 ! servers above are server-private, the global group may contain no servers — confirm that
 ! dynamic VLAN/ACL attributes returned by FreeRADIUS are actually applied, or use
 ! 'group user-radius' here.
 aaa authorization network default group radius
 !
 !
 !
 !
 !
 !
 aaa session-id common
 clock timezone GMT 1 0
 clock summer-time GMT+2 recurring last Sun Mar 3:00 last Sun Oct 2:00
 switch 1 provision ws-c2960x-24pd-l
 !
 !
 !
 !
 !
 !
 ! Transparent mode: the VLAN database is local and VTP advertisements from peers are not applied.
 vtp domain ResEl
 vtp mode transparent
 !
 !
 !
 !
 !
 !
 !
 ! Self-signed certificate backing 'ip http secure-server', bound to the management SVI (Vlan998).
 crypto pki trustpoint TP-self-signed-1569061504
  enrollment selfsigned
  serial-number
  ip-address Vlan998
  revocation-check crl
  rsakeypair swbr-12-02
 !
 !
 crypto pki certificate chain TP-self-signed-1569061504
  certificate self-signed 01
   CERT_HERE
         quit
 ! Global 802.1X switch: without it the per-port 'authentication port-control auto' lines are inert.
 dot1x system-auth-control
 !
 spanning-tree mode pvst
 spanning-tree extend system-id
 ! NOTE(review): STP is disabled on 2117-2700,2750-2950 while 2000-2116 still run PVST, and all
 ! of 2000-2700,2750-2950 is trunked to the APs below. Confirm the 2117 cut-off is intentional
 ! and that the AP side cannot form a loop on the STP-disabled VLANs.
 no spanning-tree vlan 2117-2700,2750-2950
 !
 !
 !
 !
 vlan internal allocation policy ascending
 !
 ! Switch management / infrastructure VLAN; has an SVI (10.0.88.2) below.
 vlan 1101
  name system_switch
 !
 ! Native (untagged) VLAN on the AP trunks: AP management traffic.
 vlan 1201
  name ap_wifi
 !
 vlan 1301
  name public_captive_wlan
 !
 ! Captive-portal VLAN: the 802.1X/MAB no-response fallback on every resident port.
 vlan 1302
  name public_captive_lan
 !
 vlan 1310
  name public_registration
 !
 vlan 1311
  name public_register_tag
 !
 vlan 1412
  name user_lan_i12
 !
 vlan 1451
  name user_wifi
 !
 vlan 1452
  name user_wifi_free
 !
 vlan 1481
  name user_bde
 !
 ! Bulk range carried to the APs. NOTE(review): VLAN 1103 is allowed on the AP trunks but is
 ! not defined here; in VTP transparent mode it therefore does not exist on this switch — confirm.
 vlan 2000-2700,2750-2950
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ! Out-of-band management port, unaddressed but not shut down; add 'shutdown' if it is unused.
 interface FastEthernet0
  no ip address
 !
 ! Resident port template (Gi1/0/1 to Gi1/0/13 are identical apart from the description).
 ! Flow: 802.1X -> MAB -> no response -> authorized into the captive-portal VLAN 1302.
 interface GigabitEthernet1/0/1
  description "I12 24"
  switchport access vlan 1302
  switchport mode access
  ! Port ACL also applies to pre-authentication traffic. ACL 101 is not in this listing;
  ! NOTE(review): presumably stripped from the post — verify it is present on the device.
  ip access-group 101 in
  ! No PoE on resident ports.
  power inline never
  ! No supplicant and no MAB match -> captive VLAN. No 'event fail' / 'event server dead' action
  ! is configured here, so check what happens to new sessions when user-radius is marked dead.
  authentication event no-response action authorize vlan 1302
  ! Every MAC behind the port is authenticated individually.
  authentication host-mode multi-auth
  authentication port-control auto
  ! Re-authentication interval comes from the RADIUS Session-Timeout attribute.
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  ! Short timers so that a client without a supplicant reaches MAB/captive within seconds.
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  ! LLDP is silenced toward residents; CDP is left at its default on this port, so add
  ! 'no cdp enable' if the intent is to hide the switch identity entirely.
  no lldp transmit
  no lldp receive
  ! Any BPDU received from a resident device err-disables the port.
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/2
  description "I12 26"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/3
  description "I12 27"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/4
  description "I12 28"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/5
  description "I12 29"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/6
  description "I12 30"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/7
  description "I12 31"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/8
  description "I12 32"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/9
  description "I12 33"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ! Spare resident ports ("Dispo"): same template, so an unpatched port still cannot bypass 802.1X.
 interface GigabitEthernet1/0/10
  description "Dispo User 1"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/11
  description "Dispo User 2"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/12
  description "Dispo User 3"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 interface GigabitEthernet1/0/13
  description "Dispo User 4"
  switchport access vlan 1302
  switchport mode access
  ip access-group 101 in
  power inline never
  authentication event no-response action authorize vlan 1302
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 5
  dot1x max-req 1
  no lldp transmit
  no lldp receive
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ! Wi-Fi access-point ports (Gi1/0/14 to Gi1/0/24): PoE is left at its default (auto), the trunk
 ! is restricted to the SSID VLANs, and AP management rides untagged on native VLAN 1201.
 interface GigabitEthernet1/0/14
  description "ap-12-01-iw"
  ! NOTE(review): 1103 is not defined in the local VLAN database (VTP transparent), so it is
  ! not actually carried — drop it from the list or define it.
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  ! 'mode trunk' still emits DTP; 'switchport nonegotiate' would stop negotiation frames reaching the AP.
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/15
  description "ap-12-02-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/16
  description "ap-12-03-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/17
  description "ap-12-04-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/18
  description "ap-12-05-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/19
  description "ap-12-06-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/20
  description "ap-12-07-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/21
  description "ap-12-08-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/22
  description "ap-12-09-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/23
  description "ap-12-10-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 interface GigabitEthernet1/0/24
  description "ap-12-11-iw"
  switchport trunk allowed vlan 1103,1201,1301,1302,1310,1311,1451,1452
  switchport trunk allowed vlan add 2000-2700,2750-2950
  switchport trunk native vlan 1201
  switchport mode trunk
  no lldp transmit
  no lldp receive
 !
 ! Uplinks. All VLANs are allowed (no pruning) and DHCP offers are trusted from this side.
 ! NOTE(review): no global 'ip dhcp snooping' / 'ip dhcp snooping vlan' line appears in this
 ! listing; without it the trust statements are inert and rogue DHCP servers on resident
 ! ports are not filtered — confirm snooping is enabled on the device.
 interface GigabitEthernet1/0/25
  description Uplink vers swbr-12-01
  switchport mode trunk
  ip dhcp snooping trust
 !
 ! Remaining trunk ports carry no description; document them or shut down the ones not patched.
 interface GigabitEthernet1/0/26
  switchport mode trunk
  ip dhcp snooping trust
 !
 interface TenGigabitEthernet1/0/1
  switchport mode trunk
  ip dhcp snooping trust
 !
 interface TenGigabitEthernet1/0/2
  switchport mode trunk
  ip dhcp snooping trust
 !
 ! Unused SVIs. 'no ip address' alone leaves them administratively up; 'shutdown' is the usual hardening.
 interface Vlan1
  no ip address
 !
 interface Vlan995
  no ip address
 !
 ! Management SVI: address used by the HTTPS trustpoint and reachable for SSH/SNMP/NTP.
 interface Vlan998
  ip address 172.22.0.121 255.255.254.0
  no ip route-cache
 !
 interface Vlan999
  no ip address
 !
 ! Second addressed SVI (infrastructure VLAN) with per-MAC accounting of in/out traffic.
 interface Vlan1101
  description system_switch
  ip address 10.0.88.2 255.255.128.0
  ip accounting mac-address input
  ip accounting mac-address output
  no ip route-cache
 !
 ip default-gateway 10.0.127.254
 ! Plain HTTP off, HTTPS on with the self-signed trustpoint. No 'ip http access-class' is set,
 ! so the web UI answers to anything that can reach an SVI address.
 no ip http server
 ip http secure-server
 !
 !
 !
 ! SNMPv2c, read-only, gated by ACL_SNMP (the ACL is not in this listing). The community name
 ! 'public' is a well-known default; SNMPv3 authPriv, or at least a non-default name, is preferable.
 snmp-server community public RO ACL_SNMP
 snmp-server queue-length 100
 snmp-server location BR-I12 [48.35809,-4.57231]
 snmp-server contact Association ResEl
 ! Permits reload via an SNMP set. Harmless while only RO communities exist, but becomes a
 ! remote-reload vector the day an RW community is added.
 snmp-server system-shutdown
 snmp-server enable traps storm-control trap-rate 5
 snmp-server enable traps mac-notification change move threshold
 ! Traps are sent with the same community, in clear text, to the monitoring host.
 snmp-server host 172.22.1.212 version 2c public
 !
 ! Fast server failover: a server is marked dead after 2 unanswered tries and skipped for 1 minute.
 radius-server dead-criteria tries 2
 radius-server deadtime 1
 !
 ! Smart Install client disabled.
 no vstack
 !
 ! NOTE(review): no 'exec-timeout', 'access-class' or 'transport input ssh' is visible on the
 ! vty lines, so the platform default transport applies — confirm telnet is not accepted and
 ! that idle sessions expire.
 line con 0
 line vty 0 4
  privilege level 15
 line vty 5 15
  privilege level 15
 !
 ! Unauthenticated NTP; 'ntp authenticate' with a keyed server would protect the log timestamps above.
 ntp server 172.22.1.254
 !
 end
