文稿說(shuō)明案例switch configuration guide for gpns v1.03march

SwitchConfigurationGuideForGPNSRevisionAugustBasicAugustUpdatednetworkAugustAddednoticesandupdatedMarchHaydonUpdatedBasic、Vlan、Interfaceand HPSWITCH Basic Hostnameand Vlan Office Room SNMP SNMP SNMP AAA Radius Syslog 802.1X CISCOSWITCH Basic Hostnameand SNMP SNMP SNMP AAA Radius Authentication& Syslog 802.1X APPEDIXA:HPSWITCHCONFIGURATION APPEDIXB:CISCOSWITCHCONFIGURATION 在HSIA項(xiàng)目中，交換機(jī)的每個(gè)端口所屬VLAN都是靜態(tài)指定的，而在GPNS項(xiàng)目中，用戶接入到交換機(jī)某個(gè)端口時(shí)的所屬VLAN是根據(jù)SLIM系統(tǒng)的設(shè)置動(dòng)態(tài)分配的，這需要交換機(jī)開啟802.1X認(rèn)證功能，跟SLIM系統(tǒng)進(jìn)行交互。且為了對(duì)交換機(jī)設(shè)備進(jìn)行統(tǒng)一管理，交換機(jī)上會(huì)開啟AAA認(rèn)證，登陸交換機(jī)的賬號(hào)、對(duì)應(yīng)的權(quán)限都由SLIM系統(tǒng)定義。交換機(jī)會(huì)將用戶登陸、退出的動(dòng)作發(fā)送給SLIM以做配置變更的審計(jì)及配置存檔。因此GPNS項(xiàng)目換機(jī)的配置跟普通HSIA項(xiàng)目的交換機(jī)配置有所區(qū)別。在GPNS項(xiàng)目中，SLIM服務(wù)器接入到不交換機(jī)VLAN相同的VLAN100中，并配置跟VLAN同一網(wǎng)段的IP地址，網(wǎng)絡(luò)拓?fù)浯笾驴梢院?jiǎn)化如下在交換機(jī)的配置過程中一般先進(jìn)行一些初步的配置，如根據(jù)GPNS標(biāo)準(zhǔn)對(duì)交換機(jī)進(jìn)行規(guī)范化命配置VLAN的IP地址及SSH登錄，能用本地用戶登配置交換機(jī)跟SLIM之間的AAA認(rèn)證，通過SLIM的賬號(hào)登錄交換機(jī)并能正常配置802.1X認(rèn)證，實(shí)現(xiàn)勱態(tài)VLAN分配。而在GPNS文檔中，對(duì)網(wǎng)絡(luò)設(shè)備名規(guī)則有嚴(yán)格的標(biāo)準(zhǔn)“Marsha_Code”+“Device_Code”+“Device_Sequence_Number”+“-”+“Floor_Number”+“-”+ 本文檔主要通過CISCO和HP兩個(gè)品牌交換機(jī)的配置結(jié)合SLIMHP交換機(jī)使用ProCurveSwitch2510-24J9019B，固件版本為CISCO交換機(jī)使用CatalystWS-C2960-24TT-L，固件版本為SLIM使用的版本HPSwitchBasicHostnameand首先對(duì)交換機(jī)的名字進(jìn)行規(guī)范化命名，比如酒店的Marsha_code為TSNLVHP#為了保證交換機(jī)時(shí)間的準(zhǔn)確性，需要設(shè)置NTP與萬(wàn)豪的NTP服務(wù)器（24）TSNLVSW01-02(config)#sntpserver24TSNLVSW01-02(config)#timesyncsntp然后配置交換機(jī)的VLAN與應(yīng)用VLAN，及相應(yīng)的IP地址TSNLVSW01-02(vlan-100)#nameNetwork_LAN_Switch_managementTSNLVSW01-02(vlan-100)#ipaddress40TSNLVSW01-02(vlan-100)#exit開啟SSH允許通過登錄到交換機(jī)，關(guān) net服務(wù)提高安全性TSNLVSW01-02(config)#passwordmanageruser-nameamttNewpasswordformanager:********Pleaseretypenewpasswordformanager:********TSNLVSW01-02(config)#aaaauthenticationsshenablelocalTSNLVSW01-02(config)#aaaauthenticationsshloginlocalTSNLVSW01-02(config)#no <MARSHA>adminaccess，根據(jù)不同酒店替換MARSHACode，如MARSHACode為Defaultgateway、配置默認(rèn)網(wǎng)關(guān)指向JuniperVLAN100的接口地址（29，以便能跟其他配置LoginBanner警告交換機(jī)的用戶，輸入bannermotd^然后 !!Thissystem,whichincludesthedatastoredherein, !!proprietaryandtoMarriottInternational,Inc.!!(Marriott).ThissystemisforMarriottauthorizednel!!only.Unauthorizedaccessisprohibitedandwill !!prosecutedtothefullextentofapplicable ^Spanning-VlanOffice在對(duì)應(yīng)的交換機(jī)上配置標(biāo)準(zhǔn)要求的辦公TSNLVSW01-02(config)#vlan101nameWireless_Access_Points_101TSNLVSW01-02(config)#vlan100nameNetwork_LAN_Switch_managementTSNLVSW01-02(config)#vlan200nameMI_SERVERS_PCITSNLVSW01-02(config)#vlan201nameServers_Trusted_non-credit_cardTSNLVSW01-02(config)#vlan203nameMicros_TerminalsTSNLVSW01-02(config)#vlan300nameAssociate_PCs_Laptops_WiredTSNLVSW01-02(config)#vlan301nameAssociate_Client_DevicesTSNLVSW01-02(config)#vlan450nameAssociate_Laptops_WirelessTSNLVSW01-02(config)#vlan451nameAssociate_PDAs_Micros_iPadsTSNLVSW01-02(config)#vlan699nameVoIP_ManagementTSNLVSW01-02(config)#vlan801nameBack_ground_musicTSNLVSW01-02(config)#vlan805nameBusiness_CenterTSNLVSW01-02(config)#vlan810nameDigital_SignageTSNLVSW01-02(config)#vlan812nameExt_TSNLVSW01-02(config)#vlan820nameKey_Card_LockTSNLVSW01-02(config)#vlan1016nameGuest_Free_Wireless在對(duì)應(yīng)的交換機(jī)上配置標(biāo)準(zhǔn)要求的客房vlan，例如TSNLVSW01-02(config)#vlan1067nameRoom1501InterfaceInterfaceTSNLVSW01-02(config)#interfaceethernet1TSNLVSW01-02(eth-1)#nameRoom1501POEAPtrunkvlantrunkTSNLVSW01-02(configvlan101untagged23-28SNMPSNMP交換機(jī)需要配置SNMP團(tuán)體名，從而實(shí)現(xiàn)SLIM和HiBOS能夠到交換機(jī)的相應(yīng)信TSNLVSW01-02(config)#snmp-servercommunityTSNLV4GPNSoperatorunrestrictedTSNLVSW01-02(config)#snmp-servercommunityTSNLV3GPNSoperator另外萬(wàn)豪的設(shè)備掃描器MAARK1也需要獲取交換機(jī)的相應(yīng)信息，因此需要針對(duì)MARRK1額外設(shè)置相應(yīng)的SNMPTSNLVSW01-02(config)#snmp-servercommunityFZQ6cmROoperatorTSNLVSW01-02(config)#snmp-servercommunityPD6TE9RWoperatorunrestrictedTSNLVSW02-02(config)#snmp-serverlocation"Locatedat2ndfloor SNMPSNMP團(tuán)體名配置好之后交換機(jī)會(huì)響應(yīng)相應(yīng)的SNMPQuery，但有些緊急信息需要交換機(jī)即時(shí)主動(dòng)發(fā)送給SLIM服務(wù)器(36)及萬(wàn)豪服務(wù)器（6，因此需要配置SNMPTSNLVSW01-02(config)#snmp-serverenabletrapsauthenticationTSNLVSW01-02(config)#snmp-servertrap-source40TSNLVSW01-02(config)#snmp-serverresponse-source40TSNLVSW01-02(config)#snmp-serverhost36criticalTSNLV3GPNSAAARadiusSLIM使用的是RADIUS協(xié)議，配置AAA需要指定RADIUS服務(wù)器（SLIM）定義為 端TSNLVSW01-02(config)#radius-serverhost36keyTSNLV321showradius配置登陸交換機(jī)時(shí)候使用的用戶名為Radius服務(wù)器（SLIM）優(yōu)先，當(dāng)Radius服務(wù)器不可達(dá)TSNLVSW01-02(config)#aaaauthenticationloginprivilege-modeTSNLVSW01-02(config)#aaaauthenticationsshloginradiuslocalTSNLVSW01-02(config)#aaaauthenticationsshenableradiuslocal配置完成后通過showauthentication查看相應(yīng)信息，確保SSH的LoginPrimary為Radius，LoginSecondary為配置Accounting的作用是在管理用戶登陸及退出、802.1X用戶上線及下線時(shí)通知RADIUS（SLIM，果發(fā)現(xiàn)登陸了交換機(jī)后SLIM的登陸日志中沒有審計(jì)或SLIM系統(tǒng)中的用戶表較少（用戶上線幾分鐘后下線）等情況，需要確定交換機(jī)的AccountingTSNLVSW01-02(config)#aaaaccountingexecstart-stopradiusTSNLVSW01-02(config)#aaaaccountingcommandsstop-onlyradiusTSNLVSW01-02(config)#aaaaccountingsystemstart-stopradius配置完成后通過showaccountingSyslogSYSLOG到外部SYSLOG服務(wù)器(SLIM)及萬(wàn)豪的SYSLOG服務(wù)器，以便信息的記錄及后期的問題排查TSNLVSW01-02(config)#loggingfacilitysyslog802.1X要實(shí)現(xiàn)客戶電腦接到交換機(jī)的某個(gè)端口時(shí)根據(jù)SLIM系統(tǒng)的設(shè)置動(dòng)態(tài)劃分到不同的VLAN，交換機(jī)必須開啟802.1X認(rèn)證，在配置802.1X時(shí)需要注意以下幾點(diǎn)：SLIM系統(tǒng)指派的VLAN必須存在交換機(jī)的VLAN表中交換機(jī)互聯(lián)的端口不要開啟802.1X認(rèn)證配置時(shí)需要將端口認(rèn)證設(shè)置為基亍RADIUS的EAP（ExtendAuthenticationProtocol），下列配置將1-10端口開啟802.1X認(rèn)證，且如果接入的設(shè)備不支持802.1X認(rèn)證時(shí)使用MAC地址進(jìn)行認(rèn)證，注意需要定義802.1X端口最大允許接入的用戶數(shù)，否則可能導(dǎo)致啟用了802.1x的端口接入不支持802.1x認(rèn)證的主機(jī)（如）時(shí)不發(fā)起Mac認(rèn)證請(qǐng)求TSNLVSW01-02(config)#aaaauthenticationport-accesseap-radiusTSNLVSW01-02(config)#aaaport-accessauthenticatoractiveTSNLVSW01-02(config)#aaaport-accessauthenticator1-10client-limit32TSNLVSW01-02(config)#aaaport-accessmac-based1-10addr-limit32 Guestvlan配置完成后將終端接入到交換機(jī)的相應(yīng)端口，輸入showport-accessauthenticator查看802.1X輸入showport-accessmac-based 查看Mac認(rèn)證結(jié)果，如下圖顯示端口5已成功認(rèn)證，到VLAN10CISCOSwitchBasicHostnameand首先對(duì)交換機(jī)的名字進(jìn)行規(guī)范化命名，比如酒店的Marsha_code為TSNLVSwitch#conf為了保證交換機(jī)時(shí)間的準(zhǔn)確性，需要設(shè)置NTP與萬(wàn)豪的NTP服務(wù)器（24）TSNLVSW02-02(config)#clocktimezoneGMT+8TSNLVSW02-02(config)#ntpserver24然后配置交換機(jī)的VLAN與應(yīng)用VLAN，及相應(yīng)的IP地址TSNLVSW02-02(config-vlan)#exitTSNLVSW02-02(config)#intvlan100設(shè)置本地用戶名，開啟SSHv2允許通過登錄到交換機(jī)，關(guān) net服務(wù)提高安性，生成key時(shí)選擇1024TSNLVSW02-02(config)#noiphttpTSNLVSW02-02(config)#usernameamttpasswordamtt@402TSNLVSW02-02(config)#ipnameTSNLVSW02-02(config)#cryptokeygeneratersageneral-keysTSNLVSW02-02(config)#ipsshtime-out120TSNLVSW02-02(config)#linevty04TSNLVSW02-02(config-line)#loginlocalTSNLVSW02-02(config-line)#transportinputsshTSNLVSW02-02(config-line)#transportoutputssh<MARSHA>adminaccess，根據(jù)不同酒店替換MARSHACode，并且enable統(tǒng)一設(shè)置為c2Tx45AZSW，嚴(yán)格區(qū)分大小寫，如MARSHACode為TSNLV，則用戶名、TSNLVSW02-02(config)#enablesecretc2Tx45AZSWDefaultgateway、配置默認(rèn)網(wǎng)關(guān)指向JuniperVLAN100的接口地址（29，以便能跟其他配置LoginBanner警告交換機(jī)的用戶，輸入bannermotd^然后 !!Thissystem,whichincludesthedatastoredherein, !!proprietaryandtoMarriottInternational,Inc.!!(Marriott).ThissystemisforMarriottauthorizednel!!only.Unauthorizedaccessisprohibitedandwill !!prosecutedtothefullextentofapplicable ^Spanning-Interfacename，例如接入層交換機(jī)接入房間的POEAPSNMPSNMP交換機(jī)需要配置SNMP團(tuán)體名，從而實(shí)現(xiàn)SLIM和HiBOS能夠到交換機(jī)的相應(yīng)信TSNLVSW02-02(config)#snmp-servercommunityTSNLV4GPNSrw另外萬(wàn)豪的設(shè)備掃描器MAARK1也需要獲取交換機(jī)的相應(yīng)信息，因此需要針對(duì)MARRK1額外設(shè)置相應(yīng)的SNMPTSNLVSW02-02(config)#snmp-servercommunityFZQ6cmROroTSNLVSW02-02(config)#snmp-serverlocation"Locatedat2ndfloor SNMPSNMP團(tuán)體名配置好之后交換機(jī)會(huì)響應(yīng)相應(yīng)的SNMPQuery，但有些緊急信息需要交換機(jī)即時(shí)主動(dòng)發(fā)送給SLIM服務(wù)器(36)及萬(wàn)豪服務(wù)器（6，因此需要配置SNMPTSNLVSW02-02(config)#snmp-serverhost6trapsFZQ6cmROttyauth-InterfaceInterfaceTSNLVSW01-02(config)#interfaceethernet1TSNLVSW01-02(eth-1)#nameRoom1501POEAPtrunkTSNLVSW02-02(config)#interfacerangef0/23-28TSNLVSW02-02(config-if-range)#switchporttrunkdelvlan1vlantrunkTSNLVSW02-02(config)#interfacerangef0/23-28TSNLVSW02-02(config-if-range)#switchportmodetrunkTSNLVSW02-02(config-if-range)#switchporttrunkallowedvlanAAARadiusAAA有RADIUS和TACAS兩種，SLIM使用的是RADIUS協(xié)議，配置AAA需要指定RADIUS服務(wù)器（SLIM）的地址，秘鑰定義為 口TSNLVSW02-02(config)#radius-serverhost36auth-port1812acct-portkeyTSNLVSW02-02(config)#ipradiussource-interfacevlan因?yàn)樵贒ot1x中會(huì)定義當(dāng)Radius-server時(shí)將終端臨時(shí)到某個(gè)VLAN，所以需要設(shè)定判定Radius-Server的標(biāo)準(zhǔn)及時(shí)間TSNLVSW02-02(config)#radius-serverdead-criteriatime15tries1TSNLVSW02-02(config)#radius-serverdeadtime2CISCO設(shè)備發(fā)送AccessRequest報(bào)文給Radius服務(wù)器時(shí)默認(rèn)不封裝NAS-Identifier屬性，導(dǎo)致在SLIM的用戶表中用戶的NAS-ID一欄為空，因此需設(shè)置交換機(jī)發(fā)送AccessRequest、AccountingRequest報(bào)文時(shí)額外封裝NAS-Identifier屬性TSNLVSW02-02(config)#radius-serverattribute32include-in-access-reqTSNLVSW02-02(configradius-serverattribute32include-in-accounting-reqAuthentication&配置登陸交換機(jī)時(shí)候使用的用戶名為Radius服務(wù)器（SLIM）優(yōu)先，直接進(jìn)入模式，RadiusTSNLVSW02-02(config)#aaaauthenticationlogindefaultgroupradiuslocalTSNLVSW02-02(config)#aaaauthorizationexecdefaultgroupradiuslocalTSNLVSW02-02(config)#linevty04配置Accounting的作用是在管理用戶登陸及退出、802.1X用戶上線及下線時(shí)通知RADIUS（SLIM，果發(fā)現(xiàn)登陸了交換機(jī)后SLIM的登陸日志中沒有審計(jì)或SLIM系統(tǒng)中的用戶表較少（用戶上線幾分鐘后下線）等情況，需要確定交換機(jī)的Accounting部分是否正確配置TSNLVSW02-02(config)#aaaaccountingdot1xdefaultstart-stopgroupradiusTSNLVSW02-02(config)#aaaaccountingexecdefaultstart-stopgroupradiusTSNLVSW02-02(config)#aaaaccountingnetworkdefaultstart-stopgroupradiusTSNLVSW02-02(config)#aaaaccountingconnectiondefaultstart-stopgroupSyslog配置SYSLOG可以將交換機(jī)產(chǎn)生的系統(tǒng)日志消息、系統(tǒng)錯(cuò)誤消息網(wǎng)絡(luò)事件等一系列日志文件發(fā)送到外部SYSLOG服務(wù)器(SLIM)及萬(wàn)豪的服務(wù)器（34），以便信息的記錄及后TSNLVSW02-02(config)#servicetimestampslogdatetimeTSNLVSW02-02(config)#loggingtrapcriticalTSNLVSW02-02(config)#loggingsource-interfaceVlan100TSNLVSW02-02(config)#logging36TSNLVSW02-02(config)#logging34TSNLVSW02-02(config)#loggingfacilitylocal7TSNLVSW02-02(config)#loginon-failurelogTSNLVSW02-02(config)#loginon-successlog802.1X要實(shí)現(xiàn)客戶電腦接到交換機(jī)的某個(gè)端口時(shí)根據(jù)SLIM系統(tǒng)的設(shè)置勱態(tài)劃分到不同的VLAN，交換機(jī)必須開啟802.1X認(rèn)證，在配置802.1X時(shí)需要注意以下幾點(diǎn)：SLIM系統(tǒng)指派的VLAN必須存在交換機(jī)的VLAN表中交換機(jī)互聯(lián)的端口不要開啟802.1X認(rèn)證配置時(shí)需要將端口認(rèn)證設(shè)置為基于RADIUS的EAP（ExtendAuthenticationProtocol），下列配置將1-10端口開啟802.1X認(rèn)證，且如果接入的設(shè)備不支持802.1X認(rèn)證時(shí)使用MACTSNLVSW02-02(config)#dot1xguest-vlansupplicant （支持guestvlan推送）TSNLVSW02-02(config)#aaaauthnticationdot1xdefaultgroupradiuslocalTSNLVSW02-02(config)#aaaauthorizationnetworkdefaultgroupradiuslocalTSNLVSW02-02(config)#interfacerangef0/1-10TSNLVSW02-02(config-if-range)#switchportmodeaccessTSNLVSW02-02(config-if-range)#dot1xpaeauthenticatorTSNLVSW02-02(config-if-range)#mabTSNLVSW02-02(config-if-range)#authenticationport-controlautoTSNLVSW02-02(config-if-range)#authenticationeventfailretry0actionnext-注意注意：aaaauthorizationnetworkdefaultgroupradiuslocal到指定的由于CISCO交換機(jī)優(yōu)先使用Dot1x認(rèn)證，且等待客戶端回應(yīng)EAPResponse的響應(yīng)超時(shí)時(shí)間、EAPRequst超時(shí)重傳時(shí)間較長(zhǎng)，因此為了加快不支持Dot1x認(rèn)證的客戶端快速轉(zhuǎn)入到MAB認(rèn)證（Mac Bypass，整TSNLVSW02-02(config-if-range)#dot1xtimeoutserver-timeout10TSNLVSW02-02(config-if-range)#dot1xtimeoutsupp-timeout5TSNLVSW02-02(config-if-range)#dot1xtimeouttx-period1TSNLVSW02-02(config-if-range)#dot1xtimeouttx-period1TSNLVSW02-02(config-if-range)#dot1xguest-vlan1016當(dāng)Radius服務(wù)器宕機(jī)或者因網(wǎng)絡(luò)原因無(wú)響應(yīng)時(shí)，臨時(shí)將改端口劃分到默認(rèn)GuestVLAN（如果該端口對(duì)應(yīng)房間有線網(wǎng)絡(luò)端口，則將該端口劃分到房間對(duì)應(yīng)的VLAN，如1號(hào)端口接888房間TSNLVSW02-02(config-if)#authenticationeventfailretry0actionnext-methodTSNLVSW02-02(config-if)#authenticationeventserverdeadactionauthorizevlan888TSNLVSW02-02(config-if)#authenticationeventno-responseactionauthorizevlan888如果在Radius-Server宕機(jī)時(shí)802.1X的客戶端無(wú)法到事先定義的相應(yīng)VLAN，注意檢查是criteria，Server配置部分。?可通過命令showdot1xallsummary 查看端口Dot1x認(rèn)證的結(jié)果，如下圖顯示F0/1端口的Status為Unauthorized，表明客戶未成功通過認(rèn)證。?可通過命令showmaball 查看端口Mac認(rèn)證的結(jié)果，如下圖顯示F0/1端口Status為Authorized或者可以通過showauthenticationsession命令查看相應(yīng)通過何種方式是否成AppedixA:HPSwitchConfiguration;;J9776AConfigurationEditor;Createdonrelease;Verhostname"CANSMSW03-21"bannermotd"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!system,whichincludesthedatastoredherein,is !!\n!!proprietary toMarriottInternational,Inc.!!\n!!(Marriott).ThissystemisforMarriottauthorized nel!!\n!!only.Unauthorizedaccessisprohibitedandwillbe !!\n!!prosecutedtothefullextentofapplicablelaw. logginglogging34loggingfacilityradius-serverhost50timesyncsntpsntpsntpserverpriority1timetimezoneipdefault-gatewayinterfacename"Room2201"interfacename"Room2202"interfacename"Room2205"interfacename"Room2206"interfacename"Room2207"interfacename"Room2208"interfacename"Room2210"interfacename"Room2212"interfacename"Room2216"interfacename"Room2218"interfacename"Room2220"interfacename"Room2222"interfacename"Room2223"interfacename"Room2225"interfacename"Room2226"interfacename"Room2227"interfacename"Room2228"interfacename"Room2229"interface interface interface name"CANSMSW02-interface26 interface interface snmp-servercommunity"CANSM4GPNS"operatorunrestrictedsnmp-servercommunity"CANSM3GPNS"operatorsnmp-servercommunity"FZQ6cmRO"snmp-servercommunity"PD6TE9RW"operatorsnmp-serverhost50community"CANSM3GPNS"trap-levelcriticalsnmp-serverhost6community"FZQ6cmRO"trap-levelcriticalsnmp-servertrap-source70snmp-servercontact"AMTTSupportCenter v2.9"location"locatedat21FloorIDF,FromtoptobottomThe03."aaaaccountingcommandsinterim-updateradiusaaaaccountingexecstart-stopradiusaaaaccountingnetworkstart-stopradiusaaaaccountingsystemstart-stopradiusaaaauthenticationloginprivilege-modeaaaauthentication netloginradiuslocalaaaauthentication netenableradiuslocalaaaauthenticationwebloginradiuslocalaaaauthenticationwebenableradiuslocalaaaauthenticationsshloginradiuslocalaaaauthenticationsshenableradiuslocalaaaauthenticationport-accesseap-radiusaaaport-accessauthenticator1-22aaaport-accessauthenticator1client-limitaaaport-accessauthenticator2client-limitaaaport-accessauthenticator3client-limitaaaport-accessauthenticator4client-limitaaaport-accessauthenticator5client-limitaaaport-accessauthenticator6client-limitaaaport-accessauthenticator7client-limitaaaport-accessauthenticator8client-limitaaaport-accessauthenticator9client-limitport-port-port-port-port-port-port-port-port-port-port-port-port-aaaport-accessauthenticatoractiveaaaport-accessmac-based1-22port-1addr-port-1unauth-port-2addr-port-2unauth-port-3addr-port-3unauth-port-4addr-port-4unauth-port-5addr-port-5unauth-port-6addr-port-6unauth-port-7addr-port-7unauth-port-8addr-port-8unauth-port-9addr-port-9unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-unauth-port-unauth-port-unauth-port-unauth-vlannamenountagged23-untagged1-ipaddressdhcp-bootpvlanname"Network_LAN_Switch_management"tagged23-28ipaddress70vlanname"Wireless_Access_Points_101"tagged23-28noipaddressvlanname"MI_SERVERS_PCI"tagged23-28noipaddressvlanname"Servers_Trusted_non-credit_card"tagged23-28noipaddressvlanname"Micros_Terminals"tagged23-28noipvlanname"Associate_PCs_Laptops_Wired"tagged23-28noipaddressvlanname"Associate_Client_Devices"tagged23-28noipaddressvlanname"Associate_Laptops_Wireless"tagged23-28noipaddressvlanname"Associate_PDAs_Micros_iPads"tagged23-28noipaddressvlanname"VoIP_Management"tagged23-28noipaddressvlanname"Back_ground_music"tagged23-28noipaddressvlanname"Business_Center"tagged23-28noipaddressvlanname"Room_Controls"tagged23-28noipaddressvlanname"Digital_Signage"tagged23-28noipaddressvlanname"Ext_ tagged23-28noipaddressvlanname"Key_Card_Lock"tagged23-28noipaddressvlanname"Guest_Wireless"tagged23-28noipaddressvlanname"Conference_Wireless"tagged23-28noipaddressvlanname"Guest_Free_Wireless"tagged23-28noipaddressvlanname"Room2102"tagged23-28noipaddressvlanname"Room2106"tagged23-28noipaddressvlanname"Room2108"tagged23-28noipaddressvlanname"Room2110"tagged23-28noipaddressvlanname"Room2112"tagged23-28noipaddressvlanname"Room2116"tagged23-28noipaddressvlanname"Room2118"tagged23-28noipaddressvlanname"Room2120"tagged23-28noipaddressvlanname"Room2122"tagged23-28noipaddressvlanname"Room2126"tagged23-28noipaddressvlanname"Room2128"tagged23-28noipaddressvlanname"Room2129"tagged23-28noipaddressvlan1170name"Room2127"tagged23-28noipaddressvlanname"Room2125"tagged23-28noipaddressvlanname"Room2123"tagged23-28noipaddressvlanname"Room2107"tagged23-28noipaddressvlanname"Room2105"tagged23-28noipaddressvlanname"Room2101"tagged23-28noipaddressvlanname"Room2202"tagged23-28noipaddressvlanname"Room2206"tagged23-28noipaddressvlannametagged23-28noipaddressvlanname"Room2210"tagged23-28noipaddressvlanname"Room2212"tagged23-28noipaddressvlanname"Room2216"tagged23-28noipaddressvlanname"Room2218"tagged23-28noipaddressvlanname"Room2220"tagged23-28noipaddressvlanname"Room2222"tagged23-28noipaddressvlanname"Room2226"tagged23-28noipaddressvlanname"Room2228"tagged23-28noipaddressvlanname"Room2229"tagged23-28noipaddressvlanname"Room2227"tagged23-28noipaddressvlanname"Room2225"tagged23-28noipaddressvlanname"Room2223"tagged23-28noipaddressvlanname"Room2207"tagged23-28noipaddressvlanname"Room2205"tagged23-28noipaddressvlanname"Room2201"tagged23-28noipaddressspanning-spanning-tree23admin-edge-spanning-tree24admin-edge-spanning-tree25admin-edge-spanning-tree26admin-edge-spanning-tree27admin-edge-spanning-tree28admin-edge-spanning-treevlan1000-1001,1158-1175,1185-1188notftpserverloop-protectnotftpserverloop-protect1-28nodhcpconfig-file-updatepasswordmanagerAppedixB:CISCOSwitchConfiguration!!!Lastconfigurationchangeat19:12:51CSTFriJan32014by!NVRAMconfiglastupdatedat19:12:52CSTFriJan32014by!version12.2serviceconfignoservicepadservicetimestampsdebugservicetimestampslogdatetimelocaltimeservicepassword-encryption!!!enablesecret5!usernameamttpassword usernameSHAPHadminpassword7 aaanew-model!!aaaauthenticationlogindefaultgroupradiuslocalaaaauthenticationdot1xdefaultgroupradiusaaaauthorizationexecdefaultgroupradiusif-authenticatedaaaauthorizationnetworkdefaultgroupradiusaaaaccountingdot1xdefaultstart-stopgroupradiusaaaaccountingexecdefaultstart-stopgroupradiusaaaaccountingnetworkdefaultstart-stopgroupradius!!!aaasession-idcommonclocktimezoneCST8systemmturouting1500vtpmodetransparentipsubnet-no - -name!!loginon-failurelogloginon-successlog!!cryptopkitrustpointTP-self-signed-enrollmentselfsignedsubject-namecn=IOS-Self-Signed- revocation-checknone!!crypto chainTP-self-self-signed01nvram:IOS-Self-Sig#3636.cerdot1xsystem-auth-control!!!errdisablerecoverycauseudlderrdisablerecoverycausebpduguarderrdisablerecoverycausesecurity-violationerrdisablerecoverycausechannel-misconfigerrdisablerecoverycausepagp-flaperrdisablerecoverycausedtp-flaperrdisablerecoverycauselink-errdisablerecoverycausesfp-config-mismatcherrdisablerecoverycausegbic-invaliderrdisablerecoverycausel2ptguarderrdisablerecoverycausepsecure-violationerrdisablerecoverycauseport-mode-failureerrdisablerecoverycausedhcp-rate-limiterrdisablerecoverycausemac-limiterrdisablerecoverycausevmpserrdisablerecoverycausestorm-controlerrdisablerecoverycauseinline-powererrdisablerecoverycausearp-inspectionerrdisablerecoverycauseloopbackerrdisablerecoverycausesmall-frameerrdisablerecoveryinterval60!!!spanning-treemodespanning-treeetherchannelguardmisconfigspanning-treeex