!Software Version V600R022C01SPC500
#
pki realm default
#
clock timezone Beijing add 08:00:00
#
sysname ASW-C-2-IDF2.PEK3-G
#
undo ftp server source all-interface
undo ftp ipv6 server source all-interface
#
ssl policy default
 pki-domain default
 ssl minimum version tls1.2
 cipher-suite exclude key-exchange rsa
 cipher-suite exclude cipher mode cbc
 cipher-suite exclude hmac sha1
 diffie-hellman modulus 3072
 ecdh group curve brainpool
 signature algorithm-list ed25519 ed448 rsa-pss-pss-sha256 rsa-pss-pss-sha384 rsa-pss-pss-sha512 rsa-pss-rsae-sha256 rsa-pss-rsae-sha384 rsa-pss-rsae-sha512
#
device board 1 board-type S5735-S24P4XE-V2
#
dhcp enable
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name mac_authen_profile
#
access-user dot1x-identity speed-limit 80
#
dhcp snooping enable
#
drop-profile default
#
ntp server source-interface all disable
ntp ipv6 server source-interface all disable
ntp unicast-server 203.107.6.88
ntp source-interface Vlanif254
#
arp anti-attack check user-bind alarm threshold 200
#
vlan batch 128 254
#
stp bpdu-protection
#
arp anti-attack gateway-duplicate enable
arp anti-attack rate-limit 100
arp learning strict
arp anti-attack entry-check fixed-mac enable
#
error-down auto-recovery cause link-flap interval 60
#
undo telnet server-source all-interface
undo telnet ipv6 server-source all-interface
#
mac-address update arp enable
#
qos schedule-profile default
#
diffserv domain default
#
ip vpn-instance _management_vpn_
 ipv4-family
#
vlan 128
 name ap-mgt
#
vlan 254
 name sw-mgt
#
aaa
 authentication-scheme default
  authentication-mode local
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme tacacs1
  authentication-mode hwtacacs local
 authorization-scheme default
  authorization-mode local
 authorization-scheme tacacs2
  authorization-mode hwtacacs local
  authorization-cmd 3 hwtacacs local
 accounting-scheme default
  accounting-mode none
 accounting-scheme tacacs3
  accounting-mode hwtacacs
  accounting start-fail online
 recording-scheme tacacs0
  recording-mode hwtacacs cainiao
 cmd recording-scheme tacacs0
 local-aaa-user password policy administrator
 domain default
  authentication-scheme default
  accounting-scheme default
 domain default_admin
  authentication-scheme default
  accounting-scheme default
 domain cainiao.com
  authentication-scheme tacacs1
  accounting-scheme tacacs3
  authorization-scheme tacacs2
  hwtacacs-server cainiao
 local-user cnadmin password irreversible-cipher $1d$%!:I%g(SSS*84GQt$TKy=FEoGj:|Uf]5Z2~$!|QR>Kd1Vh:Pr{8,E)9}.$
 local-user cnadmin password-force-change disable
 local-user cnadmin privilege level 3
 local-user cnadmin service-type terminal ssh
#
free-rule-template name default_free_rule
#
hwtacacs-server template cainiao
 hwtacacs-server authentication 101.200.147.225
 hwtacacs-server authentication 47.107.62.135 secondary
 hwtacacs-server authorization 101.200.147.225
 hwtacacs-server authorization 47.107.62.135 secondary
 hwtacacs-server accounting 101.200.147.225
 hwtacacs-server accounting 47.107.62.135 secondary
 hwtacacs-server shared-key cipher Q9JAFKegkGNE4wHX
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
domain cainiao.com admin
#
stack
#
license
#
interface Vlanif254
 description sw-mgt
 ip address 10.0.0.131 255.255.255.128
#
interface Eth-Trunk25
 description link_to_CSW-C-1.PEK3-G_Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 128 254
 mode lacp-static
 dhcp snooping trusted
#
interface Stack-Port1/1
#
interface Stack-Port1/2
#
interface GE1/0/1
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/2
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/3
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/4
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/5
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/6
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/7
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/8
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/9
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/10
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/11
#
interface GE1/0/12
#
interface GE1/0/13
#
interface GE1/0/14
#
interface GE1/0/15
#
interface GE1/0/16
#
interface GE1/0/17
#
interface GE1/0/18
#
interface GE1/0/19
#
interface GE1/0/20
#
interface GE1/0/21
#
interface GE1/0/22
#
interface GE1/0/23
#
interface GE1/0/24
#
interface 10GE1/0/1
 description link_to_CSW-C-1.PEK3-G_GigabitEthernet0/0/2
 eth-trunk 25
#
interface 10GE1/0/2
 description link_to_CSW-C-1.PEK3-G_GigabitEthernet1/0/2
 eth-trunk 25
#
interface 10GE1/0/3
#
interface 10GE1/0/4
#
interface 10GE1/0/5
#
interface 10GE1/0/6
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.129
#
snmp-agent
snmp-agent community read cipher %@%##!!!!!!!!!"!!!!"!!!!*!!!!m6!=C+/b]95/lP7]`HLDK=w2Sb!cu#|d#]V!!!!!2jp5!!!!!!U!!!!=4Z."cLeuEk8FTA~`(a"o_&.28exa$Bx;b%%&JR/$x/lGI,W%F7^cWT9TPG$"fh)0!!!!!!!!!!!!!!!%@%# acl 2099 alias cmn
#
snmp-agent sys-info version v2c v3
snmp-agent community complexity-check disable
#
snmp-agent protocol source-interface Vlanif254
undo snmp-agent protocol source-status all-interface
undo snmp-agent protocol source-status ipv6 all-interface
#
undo snmp-agent proxy protocol source-status all-interface
undo snmp-agent proxy protocol source-status ipv6 all-interface
#
#
stelnet server enable
ssh user cnadmin
ssh user cnadmin authentication-type password
ssh user cnadmin service-type stelnet
ssh server-source all-interface
undo ssh ipv6 server-source all-interface
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512 curve25519_sha256
#
ssh server publickey rsa rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client first-time enable
#
ssh client publickey rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512 curve25519_sha256
#
user-interface con 0
 authentication-mode password
 set authentication password cipher $1d$l:hWOoUtPLA/[3O,$dhJ.TyAMM0#Su3*Zq@IS9oG}>`b,|YV30$(S8BA($
 idle-timeout 10 0
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
web-manager enable port 8443
web-manager http forward enable
#
warranty
#
return