11-Mar-25

Access Switch Reference Configuration

! Device identity and the only local management account in this listing.
! The password appears as "******" here; in a real export the ciphertext is
! still a credential artefact and should be handled as sensitive.
hostname HERCP-AG1-AC1
user admin group administrators password ciphertext ******
! Three overlay VRFs (Corporate, Guest, Infrastructure). Each has its own route
! distinguisher and imports/exports only its own EVPN route-target, so these
! stanzas configure no route leaking between the VRFs.
vrf Corporate
    rd 10.10.1.11:20000
    route-target export 65001:20000 evpn
    route-target import 65001:20000 evpn
vrf Guest
    rd 10.10.1.11:30000
    route-target export 65001:30000 evpn
    route-target import 65001:30000 evpn
vrf Infrastructure
    rd 10.10.1.11:10000
    route-target export 65001:10000 evpn
    route-target import 65001:10000 evpn
! Two NTP sources, polled at a fixed 2^4 = 16 s interval, with iburst for fast
! initial sync.
! NOTE(review): no NTP authentication is configured in this listing. Accurate
! time matters for log correlation and certificate validation, so consider
! authenticated NTP or restricting which hosts the switch accepts time from.
ntp server 10.2.120.98 minpoll 4 maxpoll 4 iburst
ntp server 10.2.120.99 minpoll 4 maxpoll 4 iburst
ntp enable
! RADIUS servers used for port access, grouped as clearpass_radius_group.
! Shared secrets appear as "******" here.
! NOTE(review): the host lines show classic shared-secret RADIUS only; no
! RadSec/TLS transport is visible, so the path to these servers should be a
! trusted management network.
radius-server host 10.2.120.192 key ciphertext ******
radius-server host 10.2.120.193 key ciphertext ******
aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193
! Accounting for port-access sessions: start, stop and interim updates.
aaa accounting port-access start-stop interim group clearpass_radius_group
! Dynamic authorization (CoA / disconnect) is accepted from two clients whose
! addresses (.194/.195) differ from the RADIUS server addresses (.192/.193).
! These hosts can change or terminate client sessions on the switch, so their
! secrets deserve the same protection as the server keys.
radius dyn-authorization enable
radius dyn-authorization client 10.2.120.194 secret-key ciphertext ******
radius dyn-authorization client 10.2.120.195 secret-key ciphertext ******
! SSH management is enabled in both the in-band default VRF and the
! out-of-band mgmt VRF.
! NOTE(review): no source restriction for SSH is visible in this listing;
! consider a control-plane ACL limiting SSH to management subnets, especially
! for the default VRF. No "aaa authentication login" line is shown either, so
! CLI logins presumably use the local admin account only (confirm).
ssh server vrf default
ssh server vrf mgmt
! Two-member VSF stack of jl660a switches; member 2 is the secondary.
! Ports x/1/25 and x/1/26 on each member are the stacking links, which is why
! those interfaces carry no access configuration further down.
vsf secondary-member 2
vsf member 1
    type jl660a
    link 1 1/1/25
    link 2 1/1/26
vsf member 2
    type jl660a
    link 1 2/1/25
    link 2 2/1/26
! Group-based policy (GBP): each role name is bound to a numeric role ID.
! The upper-case roles are the ones referenced by the classes, policies and
! port-access roles in this listing; the lower-case roles (intranet, internet,
! infra) are defined but not referenced in the visible part of the config.
gbp enable
gbp role intranet 4
gbp role internet 3
gbp role infra 2
gbp role EMPLOYEE 100
gbp role IT-ADMIN 200
gbp role CONTRACTOR 201
gbp role IT-SUPP 300
gbp role VISITOR 400
gbp role PRINTER 500
gbp role IOT-NO-INET 600
gbp role IOT-INTERNAL 700
gbp role IOT-LMT-INET 800
gbp role REJECT 900
gbp role QUARANTINE 1000
gbp role CRITICAL 1100
gbp role SECURITY 1200
! IPv4 role-to-role classes. Entries read as
!   <seq> match <protocol> <source-role> <destination-role> [count]
! and every class <ROLE>_ALLOW lists the source roles matched for traffic whose
! destination role is <ROLE>. All entries match protocol "any", so the policy
! is role-pair granular, not port or protocol granular.
! Points worth noticing when auditing this matrix:
!   - IT-ADMIN is a source for every destination role except CONTRACTOR and
!     IOT-NO-INET, which makes it the most privileged role by far.
!   - Only CONTRACTOR, IOT-NO-INET and IT-ADMIN list themselves as a source
!     (intra-role traffic); EMPLOYEE, for example, does not.
!   - CONTRACTOR_ALLOW also matches source role "default" with a hit counter;
!     presumably this covers traffic with no role assigned (confirm).
class gbp-ip CONTRACTOR_ALLOW
    1 match any CONTRACTOR CONTRACTOR
    2 match any EMPLOYEE CONTRACTOR
    4 match any IT-SUPP CONTRACTOR
    10000 match any default CONTRACTOR count
class gbp-ip CRITICAL_ALLOW
    1 match any IT-ADMIN CRITICAL
class gbp-ip EMPLOYEE_ALLOW
    2 match any IT-ADMIN EMPLOYEE
    3 match any IT-SUPP EMPLOYEE
    5 match any CONTRACTOR EMPLOYEE
class gbp-ip IOT-INTERNAL_ALLOW
    1 match any IT-ADMIN IOT-INTERNAL
    2 match any IT-SUPP IOT-INTERNAL
class gbp-ip IOT-LMT-INET_ALLOW
    1 match any IT-ADMIN IOT-LMT-INET
    2 match any IT-SUPP IOT-LMT-INET
class gbp-ip IOT-NO-INET_ALLOW
    1 match any IOT-NO-INET IOT-NO-INET
    2 match any IT-SUPP IOT-NO-INET
class gbp-ip IT-ADMIN_ALLOW
    1 match any IT-ADMIN IT-ADMIN
    12 match any IT-SUPP IT-ADMIN
class gbp-ip IT-SUPP_ALLOW
    1 match any IT-ADMIN IT-SUPP
    10 match any CONTRACTOR IT-SUPP
class gbp-ip PRINTER_ALLOW
    1 match any EMPLOYEE PRINTER
    2 match any IT-ADMIN PRINTER
    3 match any IT-SUPP PRINTER
class gbp-ip QUARANTINE_ALLOW
    1 match any IT-ADMIN QUARANTINE
class gbp-ip REJECT_ALLOW
    1 match any IT-ADMIN REJECT
    2 match any IT-SUPP REJECT
class gbp-ip SECURITY_ALLOW
    1 match any IT-ADMIN SECURITY
class gbp-ip VISITOR_ALLOW
    1 match any IT-ADMIN VISITOR
! IPv6 role-to-role classes. They repeat the gbp-ip classes entry for entry,
! which keeps the IPv4 and IPv6 policy matrices identical; any change to one
! family should be mirrored in the other so IPv6 does not become a bypass.
class gbp-ipv6 CONTRACTOR_ALLOW
    1 match any CONTRACTOR CONTRACTOR
    2 match any EMPLOYEE CONTRACTOR
    4 match any IT-SUPP CONTRACTOR
    10000 match any default CONTRACTOR count
class gbp-ipv6 CRITICAL_ALLOW
    1 match any IT-ADMIN CRITICAL
class gbp-ipv6 EMPLOYEE_ALLOW
    2 match any IT-ADMIN EMPLOYEE
    3 match any IT-SUPP EMPLOYEE
    5 match any CONTRACTOR EMPLOYEE
class gbp-ipv6 IOT-INTERNAL_ALLOW
    1 match any IT-ADMIN IOT-INTERNAL
    2 match any IT-SUPP IOT-INTERNAL
class gbp-ipv6 IOT-LMT-INET_ALLOW
    1 match any IT-ADMIN IOT-LMT-INET
    2 match any IT-SUPP IOT-LMT-INET
class gbp-ipv6 IOT-NO-INET_ALLOW
    1 match any IOT-NO-INET IOT-NO-INET
    2 match any IT-SUPP IOT-NO-INET
class gbp-ipv6 IT-ADMIN_ALLOW
    1 match any IT-ADMIN IT-ADMIN
    12 match any IT-SUPP IT-ADMIN
class gbp-ipv6 IT-SUPP_ALLOW
    1 match any IT-ADMIN IT-SUPP
    10 match any CONTRACTOR IT-SUPP
class gbp-ipv6 PRINTER_ALLOW
    1 match any EMPLOYEE PRINTER
    2 match any IT-ADMIN PRINTER
    3 match any IT-SUPP PRINTER
class gbp-ipv6 QUARANTINE_ALLOW
    1 match any IT-ADMIN QUARANTINE
class gbp-ipv6 REJECT_ALLOW
    1 match any IT-ADMIN REJECT
    2 match any IT-SUPP REJECT
class gbp-ipv6 SECURITY_ALLOW
    1 match any IT-ADMIN SECURITY
class gbp-ipv6 VISITOR_ALLOW
    1 match any IT-ADMIN VISITOR
! Layer-2 (MAC) role-to-role classes. The field order differs from the IP
! classes: entries read as
!   <seq> match <source-role> <destination-role> <ethertype> [count]
! The role pairs are the same as in the gbp-ip / gbp-ipv6 classes, with one
! addition: CONTRACTOR_ALLOW entry 10001 matches ARP from any source role
! toward CONTRACTOR and counts hits. No other class has an ARP-specific entry.
class gbp-mac CONTRACTOR_ALLOW
    1 match CONTRACTOR CONTRACTOR any
    2 match EMPLOYEE CONTRACTOR any
    4 match IT-SUPP CONTRACTOR any
    10000 match default CONTRACTOR any count
    10001 match any CONTRACTOR arp count
class gbp-mac CRITICAL_ALLOW
    1 match IT-ADMIN CRITICAL any
class gbp-mac EMPLOYEE_ALLOW
    2 match IT-ADMIN EMPLOYEE any
    3 match IT-SUPP EMPLOYEE any
    5 match CONTRACTOR EMPLOYEE any
class gbp-mac IOT-INTERNAL_ALLOW
    1 match IT-ADMIN IOT-INTERNAL any
    2 match IT-SUPP IOT-INTERNAL any
class gbp-mac IOT-LMT-INET_ALLOW
    1 match IT-ADMIN IOT-LMT-INET any
    2 match IT-SUPP IOT-LMT-INET any
class gbp-mac IOT-NO-INET_ALLOW
    1 match IOT-NO-INET IOT-NO-INET any
    2 match IT-SUPP IOT-NO-INET any
class gbp-mac IT-ADMIN_ALLOW
    1 match IT-ADMIN IT-ADMIN any
    12 match IT-SUPP IT-ADMIN any
class gbp-mac IT-SUPP_ALLOW
    1 match IT-ADMIN IT-SUPP any
    10 match CONTRACTOR IT-SUPP any
class gbp-mac PRINTER_ALLOW
    1 match EMPLOYEE PRINTER any
    2 match IT-ADMIN PRINTER any
    3 match IT-SUPP PRINTER any
class gbp-mac QUARANTINE_ALLOW
    1 match IT-ADMIN QUARANTINE any
class gbp-mac REJECT_ALLOW
    1 match IT-ADMIN REJECT any
    2 match IT-SUPP REJECT any
class gbp-mac SECURITY_ALLOW
    1 match IT-ADMIN SECURITY any
class gbp-mac VISITOR_ALLOW
    1 match IT-ADMIN VISITOR any
! VLANs defined on the switch. VLAN 1 is the untagged VLAN of every access
! port in this listing; VLAN 303 carries AP management. VLAN 200 is defined
! and named but is not referenced by any interface, role or EVPN entry in the
! visible part of the config.
vlan 1
vlan 200
    name Overlay Fabric Wired - Guest
vlan 303
    name AP Management
system vlan-client-presence-detect
virtual-mac 02:00:00:00:00:49
! EVPN overlay: ARP suppression is on, and only VLAN 303 is extended into the
! fabric here, with automatically derived RD / route-targets and host routes
! redistributed.
evpn
    arp-suppression
    vlan 303
        rd auto
        route-target export auto
        route-target import auto
        redistribute host-route
! Spanning tree is enabled globally; the per-port guards are set on the access
! interfaces further down.
spanning-tree
! Out-of-band management port is up and takes its address from DHCP.
! NOTE(review): a DHCP-assigned management address depends on the integrity of
! the DHCP service on the management network; a reservation or static address
! is the usual choice where that cannot be assumed.
interface mgmt
    no shutdown
    ip dhcp
! DHCP relay behaviour: option 82 received from clients is replaced rather
! than forwarded, so downstream devices cannot supply their own relay
! information to the DHCP server.
no dhcp-relay l2vpn-clients
dhcp-relay option 82 replace
dhcp-relay option 82 source-interface
! Role-to-role (r2r) policies. Each policy bundles the IPv4, IPv6 and MAC
! class of the same <ROLE>_ALLOW name, in that order.
! NOTE(review): no action keyword follows the class references, so the result
! for matched traffic is the platform default; the *_ALLOW naming suggests
! permit. Confirm this, and confirm what happens to role pairs that match no
! class, before relying on the matrix as a deny-by-default control.
port-access gbp CONTRACTOR_r2r_policy
    10 class gbp-ip CONTRACTOR_ALLOW
    20 class gbp-ipv6 CONTRACTOR_ALLOW
    30 class gbp-mac CONTRACTOR_ALLOW
port-access gbp CRITICAL_r2r_policy
    10 class gbp-ip CRITICAL_ALLOW
    20 class gbp-ipv6 CRITICAL_ALLOW
    30 class gbp-mac CRITICAL_ALLOW
port-access gbp EMPLOYEE_r2r_policy
    10 class gbp-ip EMPLOYEE_ALLOW
    20 class gbp-ipv6 EMPLOYEE_ALLOW
    30 class gbp-mac EMPLOYEE_ALLOW
port-access gbp IOT-INTERNAL_r2r_policy
    10 class gbp-ip IOT-INTERNAL_ALLOW
    20 class gbp-ipv6 IOT-INTERNAL_ALLOW
    30 class gbp-mac IOT-INTERNAL_ALLOW
port-access gbp IOT-LMT-INET_r2r_policy
    10 class gbp-ip IOT-LMT-INET_ALLOW
    20 class gbp-ipv6 IOT-LMT-INET_ALLOW
    30 class gbp-mac IOT-LMT-INET_ALLOW
port-access gbp IOT-NO-INET_r2r_policy
    10 class gbp-ip IOT-NO-INET_ALLOW
    20 class gbp-ipv6 IOT-NO-INET_ALLOW
    30 class gbp-mac IOT-NO-INET_ALLOW
port-access gbp IT-ADMIN_r2r_policy
    10 class gbp-ip IT-ADMIN_ALLOW
    20 class gbp-ipv6 IT-ADMIN_ALLOW
    30 class gbp-mac IT-ADMIN_ALLOW
port-access gbp IT-SUPP_r2r_policy
    10 class gbp-ip IT-SUPP_ALLOW
    20 class gbp-ipv6 IT-SUPP_ALLOW
    30 class gbp-mac IT-SUPP_ALLOW
port-access gbp PRINTER_r2r_policy
    10 class gbp-ip PRINTER_ALLOW
    20 class gbp-ipv6 PRINTER_ALLOW
    30 class gbp-mac PRINTER_ALLOW
port-access gbp QUARANTINE_r2r_policy
    10 class gbp-ip QUARANTINE_ALLOW
    20 class gbp-ipv6 QUARANTINE_ALLOW
    30 class gbp-mac QUARANTINE_ALLOW
port-access gbp REJECT_r2r_policy
    10 class gbp-ip REJECT_ALLOW
    20 class gbp-ipv6 REJECT_ALLOW
    30 class gbp-mac REJECT_ALLOW
port-access gbp SECURITY_r2r_policy
    10 class gbp-ip SECURITY_ALLOW
    20 class gbp-ipv6 SECURITY_ALLOW
    30 class gbp-mac SECURITY_ALLOW
port-access gbp VISITOR_r2r_policy
    10 class gbp-ip VISITOR_ALLOW
    20 class gbp-ipv6 VISITOR_ALLOW
    30 class gbp-mac VISITOR_ALLOW
! LLDP match group used to recognise access points: four vendor OUIs plus a
! system-description match on "ArubaOS". Presumably any one matching entry is
! sufficient (confirm).
! NOTE(review): LLDP fields are self-reported by the attached device and are
! not authenticated, so this group identifies a device type, it does not prove
! it. Treat anything admitted this way as profiled, not as authenticated.
port-access lldp-group AP-LLDP-GROUP
    seq 10 match vendor-oui 000b86
    seq 20 match vendor-oui D8C7C8
    seq 30 match vendor-oui 6CF37F
    seq 40 match vendor-oui 186472
    seq 50 match sys-desc ArubaOS
! Role given to recognised APs: untagged VLAN 303 (AP Management) in
! device-mode. Unlike the user roles below, this role has no GBP policy
! associated with it.
! NOTE(review): as documented for this platform, device-mode opens the port
! for all traffic behind the device once the device itself is admitted, so
! VLAN 303 should be filtered at its gateway as an untrusted segment, or APs
! should be admitted through RADIUS (802.1X or profiled MAC-auth) instead of
! LLDP matching alone.
port-access role ARUBA-AP
    auth-mode device-mode
    vlan access 303
! User and device roles. Each role only associates the r2r policy of the same
! name; none of them sets a VLAN, ACL or other attribute in this listing, so
! any VLAN placement must come from elsewhere (for example RADIUS attributes)
! or the client stays in the port's access VLAN.
! These are the role names the RADIUS servers are expected to return, plus the
! CRITICAL and REJECT fallbacks referenced on the access ports.
port-access role CONTRACTOR
    associate gbp CONTRACTOR_r2r_policy
port-access role CRITICAL
    associate gbp CRITICAL_r2r_policy
port-access role EMPLOYEE
    associate gbp EMPLOYEE_r2r_policy
port-access role IOT-INTERNAL
    associate gbp IOT-INTERNAL_r2r_policy
port-access role IOT-LMT-INET
    associate gbp IOT-LMT-INET_r2r_policy
port-access role IOT-NO-INET
    associate gbp IOT-NO-INET_r2r_policy
port-access role IT-ADMIN
    associate gbp IT-ADMIN_r2r_policy
port-access role IT-SUPP
    associate gbp IT-SUPP_r2r_policy
port-access role PRINTER
    associate gbp PRINTER_r2r_policy
port-access role QUARANTINE
    associate gbp QUARANTINE_r2r_policy
port-access role REJECT
    associate gbp REJECT_r2r_policy
port-access role SECURITY
    associate gbp SECURITY_r2r_policy
port-access role VISITOR
    associate gbp VISITOR_r2r_policy
! Device profile: a device matching AP-LLDP-GROUP is given role ARUBA-AP.
! No interface restriction is visible here, so the profile presumably applies
! on any port where such a device is seen (confirm). Because the match is on
! unauthenticated LLDP data, limit what VLAN 303 can reach and monitor for
! unexpected devices holding the ARUBA-AP role.
port-access device-profile ARUBA_AP
    enable
    associate role ARUBA-AP
    associate lldp-group AP-LLDP-GROUP
! Global enable for the two port-access methods, both pointed at
! clearpass_radius_group. The per-port stanzas below must also enable each
! method for it to take effect on that port.
aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
! MAC authentication uses the client's MAC address as its identity. A MAC
! address is an identifier, not a secret, so roles returned for MAC-auth
! clients should grant only what the device type needs.
aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable
! Access-port template. The same stanza is repeated on the other ACCESS_PORT
! interfaces in this listing.
interface 1/1/1
    no shutdown
    no routing
    description ACCESS_PORT
    ! Clients land in VLAN 1 untagged; the roles in this listing do not change
    ! the VLAN themselves.
    vlan access 1
    ! Edge-port hardening: the port is treated as an edge port, and BPDUs,
    ! root claims and topology-change notifications from the client side are
    ! guarded against.
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    ! At most five authenticated clients per port.
    aaa authentication port-access client-limit 5
    ! Fallback roles: CRITICAL when the RADIUS servers cannot be reached,
    ! REJECT when RADIUS rejects the client. Both are real roles with r2r
    ! policies, so such clients stay attached with restricted reachability
    ! rather than being blocked at the port.
    ! NOTE(review): the CRITICAL role is what every client gets during a
    ! RADIUS outage, so its policy should be reviewed as a fail-open path.
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    ! 802.1X with periodic reauthentication; a single EAPOL request and a
    ! single retry with a 30 s timeout, so clients without a supplicant are
    ! given up on quickly.
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    ! MAC authentication with cached reauthentication for 86400 s (24 h).
    ! NOTE(review): presumably this lets a previously authenticated MAC keep
    ! its cached result when RADIUS is unreachable (confirm); a change made on
    ! the RADIUS side may then not take effect for that client until the cache
    ! period ends or a CoA is sent.
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/2
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/3
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/4
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/5
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/6
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/7
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/8
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/9
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/10
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/11
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/12
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/13
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/14
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/15
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/16
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/17
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/18
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/19
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/20
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/21
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/22
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/23
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/24
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
! 1/1/25 and 1/1/26 are the VSF stacking links of member 1 (see "vsf member 1"),
! so they carry no access or routing configuration.
interface 1/1/25
    no shutdown
interface 1/1/26
    no shutdown
! NOTE(review): 1/1/27 is an enabled layer-2 port in VLAN 1 with no
! description, no port-access authentication and none of the spanning-tree
! guards used on the ACCESS_PORT interfaces. If it is unused it should be shut
! down; if it has a purpose it should be described and protected like the
! other ports.
interface 1/1/27
    no shutdown
    no routing
    vlan access 1
! Routed point-to-point uplink: /31 addressing, jumbo MTU, OSPF area 0.0.0.0.
! NOTE(review): no OSPF authentication is configured on this interface in the
! listing, and no "router ospf" stanza appears in the visible part of the
! config; confirm that adjacencies on this link are authenticated.
interface 1/1/28
    no shutdown
    mtu 9198
    routing
    description access accessAgg ROP to Peer Switch
    ip mtu 9198
    ip address 10.10.0.65/31
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
    no ip ospf passive
interface 2/1/1
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/2
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/3
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/4
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/5
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/6
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/7
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/8
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/9
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/10
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/11
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/12
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/13
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/14
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/15
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/16
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/17
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/18
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/19
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/20
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/21
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/22
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/23
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 2/1/24
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    spanning-tree tcn-guard
    aaa authentication port-access client-limit 5
    aaa authentication port-access critical-role CRITICAL
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
! 2/1/25 and 2/1/26 are listed as link 1 and link 2 under "vsf member 2" at the top of the
! file, so they are stacking links and carry no VLAN, routing or port-access settings here.
interface 2/1/25
    no shutdown
interface 2/1/26
    no shutdown
! NOTE(review): this port is enabled as a switched port in VLAN 1 but, unlike the ACCESS_PORT
! interfaces, has no description, no spanning-tree guards and no port-access (802.1X /
! MAC-auth) configuration, so whatever is plugged in joins VLAN 1 unauthenticated.
! If the port is spare, shut it down; if it has a purpose, describe it and apply the
! access-port template or an equivalent restriction - TODO confirm intent.
interface 2/1/27
    no shutdown
    no routing
    vlan access 1
! Routed point-to-point uplink (/31) in OSPF area 0.0.0.0 with jumbo MTU (9198) for the
! VXLAN underlay. "no ip ospf passive" overrides "passive-interface default" under
! "router ospf 1", so this is a port on which adjacencies form.
! NOTE(review): no OSPF authentication is configured on this interface or under the OSPF
! process in this file; consider authenticating adjacencies on fabric links so a device
! attached to the segment cannot inject routes into the underlay.
interface 2/1/28
    no shutdown
    mtu 9198
    routing
    description access accessAgg ROP to Peer Switch
    ip mtu 9198
    ip address 10.10.0.41/31
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
    no ip ospf passive
! loopback 0 (10.10.1.11) is reused as the OSPF and BGP router-id, the BGP update-source
! and the RADIUS source interface. loopback 1 (10.10.1.23) is the VXLAN tunnel source and
! the DHCP-relay source interface.
interface loopback 0
    description OSPF Underlay
    ip address 10.10.1.11/32
interface loopback 1
    description VTEP Non-redundant Source
    ip address 10.10.1.23/32
! SVI for VLAN 1 takes its address from DHCP; no "vrf attach" is given in this stanza.
! NOTE(review): VLAN 1 is also the static access VLAN of the edge ports, and SSH and HTTPS
! are enabled on "vrf default" elsewhere in this file. Confirm that client-facing ports
! cannot reach the switch's management services through this SVI (for example with a
! control-plane ACL), or move in-band management to a dedicated VLAN - TODO confirm.
interface vlan 1
    ip dhcp
! Gateway SVI for VLAN 303 in VRF Infrastructure. The active-gateway address equals the
! interface address (10.10.4.1) and uses the virtual MAC 00:00:00:00:00:01.
! DHCP requests are relayed to 10.2.120.98 and 10.2.120.99, reached through "vrf default",
! so relay traffic crosses from the Infrastructure VRF into the default VRF.
interface vlan 303
    vrf attach Infrastructure
    ip mtu 9198
    ip address 10.10.4.1/24
    active-gateway ip mac 00:00:00:00:00:01
    active-gateway ip 10.10.4.1
    ip helper-address 10.2.120.98 vrf default
    ip helper-address 10.2.120.99 vrf default
! VXLAN tunnel endpoint sourced from 10.10.1.23 (loopback 1).
! VNI 303 maps VLAN 303 (layer 2); VNIs 10000, 20000 and 30000 are the routed VNIs of VRFs
! Infrastructure, Corporate and Guest, matching the rd / route-target numbers at the top of
! the file. Each VRF has its own VNI; separation between them also depends on the
! route-target imports and on any route leaking configured on other fabric nodes.
interface vxlan 1
    source ip 10.10.1.23
    no shutdown
    vni 303
        vlan 303
    vni 10000
        vrf Infrastructure
        routing
    vni 20000
        vrf Corporate
        routing
    vni 30000
        vrf Guest
        routing
! DNS resolvers; the same two hosts are also the NTP servers and the DHCP relay targets in
! this file, so their availability and integrity affect several switch services at once.
ip dns server-address 10.2.120.98
ip dns server-address 10.2.120.99
! Underlay OSPF process. "passive-interface default" keeps every interface passive unless it
! is explicitly un-passived (2/1/28 in this section), which limits where adjacencies can form.
! max-metric is advertised for 300 s after startup; local loopbacks are redistributed.
! NOTE(review): no authentication is configured for area 0.0.0.0 here - see the uplink.
router ospf 1
    router-id 10.10.1.11
    max-metric router-lsa include-stub on-startup 300
    passive-interface default
    redistribute local loopback
    area 0.0.0.0
! EVPN control plane: iBGP (remote-as equals the local AS 65001) to 10.10.1.0 and 10.10.1.1
! through peer-group Herndon_Fabric, sourced from loopback 0, with the l2vpn evpn
! address-family activated and extended communities sent to both neighbors.
! NOTE(review): no neighbor authentication is configured on the peer group in this file;
! consider adding it so that only intended fabric nodes can establish sessions.
! NOTE(review): each VRF redistributes all connected routes (IPv4 and IPv6) and local
! loopbacks with no route-map visible here, so any subnet later attached to a VRF is
! advertised fabric-wide - confirm that is intended, especially for Guest.
router bgp 65001
    bgp router-id 10.10.1.11
    neighbor Herndon_Fabric peer-group
    neighbor Herndon_Fabric remote-as 65001
    neighbor Herndon_Fabric fall-over
    neighbor Herndon_Fabric update-source loopback 0
    neighbor 10.10.1.0 peer-group Herndon_Fabric
    neighbor 10.10.1.1 peer-group Herndon_Fabric
    address-family l2vpn evpn
        neighbor 10.10.1.0 activate
        neighbor 10.10.1.0 send-community extended
        neighbor 10.10.1.1 activate
        neighbor 10.10.1.1 send-community extended
    vrf Corporate
        address-family ipv4 unicast
            redistribute connected
            redistribute local loopback
        address-family ipv6 unicast
            redistribute connected
    vrf Guest
        address-family ipv4 unicast
            redistribute connected
            redistribute local loopback
        address-family ipv6 unicast
            redistribute connected
    vrf Infrastructure
        address-family ipv4 unicast
            redistribute connected
            redistribute local loopback
        address-family ipv6 unicast
            redistribute connected
! DHCP relay packets are sourced from loopback1 and RADIUS packets from loopback0; the
! RADIUS servers therefore need 10.10.1.11 registered as this switch's client address.
! NOTE(review): the HTTPS server is enabled on "vrf default" as well as "vrf mgmt", so the
! web/API interface is reachable in-band. If in-band HTTPS is not required, disable it
! there or restrict the permitted source addresses with an ACL - TODO confirm.
! configuration-lockout: presumably local configuration changes are locked because the
! switch is managed centrally - verify against the management platform in use.
ip source-interface dhcp_relay interface loopback1
ip source-interface radius interface loopback0
https-server vrf default
https-server vrf mgmt
configuration-lockout central managed