!Software Version V600R022C01SPC500
#
# Saved configuration of the switch named ASW-C-2-IDF2.PEK3-G (board type
# S5735-S24P4XE-V2, see "device board" below).
# NOTE(review): this file carries live-looking secrets -- two $1d$ password
# hashes, an SNMP community ciphertext and a HWTACACS shared key. Treat all of
# them as disclosed once the file leaves the device: rotate them, and redact
# the values before the configuration is shared or archived.
pki realm default
#
clock timezone Beijing add 08:00:00
#
sysname ASW-C-2-IDF2.PEK3-G
#
# Removes the all-interface source binding of the FTP server (IPv4 and IPv6).
undo ftp server source all-interface
undo ftp ipv6 server source all-interface
#
# Default SSL policy: TLS 1.2 minimum; RSA key exchange, CBC-mode ciphers and
# HMAC-SHA1 suites are excluded; DH modulus is 3072 bits.
ssl policy default
 pki-domain default
 ssl minimum version tls1.2
 cipher-suite exclude key-exchange rsa
 cipher-suite exclude cipher mode cbc
 cipher-suite exclude hmac sha1
 diffie-hellman modulus 3072
 ecdh group curve brainpool
 signature algorithm-list ed25519 ed448 rsa-pss-pss-sha256 rsa-pss-pss-sha384 rsa-pss-pss-sha512 rsa-pss-rsae-sha256 rsa-pss-rsae-sha384 rsa-pss-rsae-sha512
#
device board 1 board-type S5735-S24P4XE-V2
#
dhcp enable
#
# Four authentication profiles are declared, but no interface on this page
# references one.
# NOTE(review): if 802.1X or MAC authentication is expected on the edge ports,
# confirm where these profiles are actually bound.
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name mac_authen_profile
#
access-user dot1x-identity speed-limit 80
#
# DHCP snooping is enabled globally; the only other DHCP snooping line on this
# page marks Eth-Trunk25 as trusted.
# NOTE(review): no per-VLAN or per-interface snooping enable is visible --
# confirm that snooping is really active for VLAN 128/254 and the GE ports.
dhcp snooping enable
#
drop-profile default
#
# NTP: the server role is disabled on all interfaces; the switch is a client
# of 203.107.6.88, sourced from Vlanif254.
# NOTE(review): no NTP authentication settings appear on this page, so time
# (and therefore log timestamps) is accepted unauthenticated from that
# address -- confirm this is intended.
ntp server source-interface all disable
ntp ipv6 server source-interface all disable
ntp unicast-server 203.107.6.88
ntp source-interface Vlanif254
#
arp anti-attack check user-bind alarm threshold 200
#
vlan batch 128 254
#
# Global BPDU protection; it pairs with "stp edged-port enable" on GE1/0/1-10.
stp bpdu-protection
#
# ARP hardening: gateway-duplicate detection, rate limit of 100, strict
# learning and fixed-MAC entry checking.
arp anti-attack gateway-duplicate enable
arp anti-attack rate-limit 100
arp learning strict
arp anti-attack entry-check fixed-mac enable
#
# NOTE(review): only link-flap is auto-recovered (interval 60). A port put
# into error-down by BPDU protection presumably stays down until an operator
# restores it -- confirm that is the intended response.
error-down auto-recovery cause link-flap interval 60
#
# Removes the all-interface source binding of the Telnet server (IPv4 and
# IPv6); the VTY lines at the end of the file accept SSH only.
undo telnet server-source all-interface
undo telnet ipv6 server-source all-interface
#
mac-address update arp enable
#
qos schedule-profile default
#
diffserv domain default
#
ip vpn-instance _management_vpn_
 ipv4-family
#
vlan 128
 name ap-mgt
#
vlan 254
 name sw-mgt
#
# AAA. Scheme sets defined here: "default" (local), "radius", and
# tacacs1/tacacs2/tacacs3, which domain cainiao.com uses; a later line
# ("domain cainiao.com admin") makes that the admin domain.
# NOTE(review): tacacs1 and tacacs2 list "local" after hwtacacs, so the local
# account cnadmin remains a fallback login path -- presumably only when the
# servers do not answer; confirm the fallback condition on this version.
# NOTE(review): accounting-scheme default is "none", so sessions in domains
# default and default_admin leave no accounting record. tacacs3 sets
# "accounting start-fail online", which keeps the user online when the
# accounting start fails.
# NOTE(review): the cnadmin irreversible-cipher hash is published with this
# file and can be guessed against offline. The account has privilege level 3
# for terminal and SSH, and password-force-change is disabled. Rotate it.
aaa
 authentication-scheme default
  authentication-mode local
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme tacacs1
  authentication-mode hwtacacs local
 authorization-scheme default
  authorization-mode local
 authorization-scheme tacacs2
  authorization-mode hwtacacs local
  authorization-cmd 3 hwtacacs local
 accounting-scheme default
  accounting-mode none
 accounting-scheme tacacs3
  accounting-mode hwtacacs
  accounting start-fail online
 recording-scheme tacacs0
  recording-mode hwtacacs cainiao
 cmd recording-scheme tacacs0
 local-aaa-user password policy administrator
 domain default
  authentication-scheme default
  accounting-scheme default
 domain default_admin
  authentication-scheme default
  accounting-scheme default
 domain cainiao.com
  authentication-scheme tacacs1
  accounting-scheme tacacs3
  authorization-scheme tacacs2
  hwtacacs-server cainiao
 local-user cnadmin password irreversible-cipher $1d$%!:I%g(SSS*84GQt$TKy=FEoGj:|Uf]5Z2~$!|QR>Kd1Vh:Pr{8,E)9}.$
 local-user cnadmin password-force-change disable
 local-user cnadmin privilege level 3
 local-user cnadmin service-type terminal ssh
#
free-rule-template name default_free_rule
#
# HWTACACS template used by domain cainiao.com. Both servers are public IP
# addresses, so authentication, authorization and accounting traffic leaves
# the 10.0.0.128/25 management subnet.
# NOTE(review): the shared-key value lacks the $1d$...$ or %@%#...%@%#
# wrapping that the other secrets on this page carry; it may be cleartext or a
# sanitised placeholder -- TODO confirm. Rotate it either way, since this key
# is what protects the exchange with those servers.
hwtacacs-server template cainiao
 hwtacacs-server authentication 101.200.147.225
 hwtacacs-server authentication 47.107.62.135 secondary
 hwtacacs-server authorization 101.200.147.225
 hwtacacs-server authorization 47.107.62.135 secondary
 hwtacacs-server accounting 101.200.147.225
 hwtacacs-server accounting 47.107.62.135 secondary
 hwtacacs-server shared-key cipher Q9JAFKegkGNE4wHX
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
domain cainiao.com admin
#
stack
#
license
#
# Management SVI: the only IP interface on this page (10.0.0.131/25).
interface Vlanif254
 description sw-mgt
 ip address 10.0.0.131 255.255.255.128
#
# Uplink (per its description, to CSW-C-1.PEK3-G): static-LACP trunk carrying
# VLANs 128 and 254, DHCP snooping trusted.
# NOTE(review): VLAN 1 is not explicitly removed from this trunk or from the
# GE trunks below. If this platform passes VLAN 1 on trunks by default, remove
# it where it is not needed -- confirm against the running state.
interface Eth-Trunk25
 description link_to_CSW-C-1.PEK3-G_Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 128 254
 mode lacp-static
 dhcp snooping trusted
#
interface Stack-Port1/1
#
interface Stack-Port1/2
#
# GE1/0/1-10 share one template: "AP-MGT" trunks with VLAN 128 as PVID and as
# the only explicitly allowed VLAN, marked as STP edged ports.
# NOTE(review): no authentication profile or other port-level access control
# is visible on these ports, so untagged traffic from whatever is plugged in
# lands in ap-mgt -- confirm that is acceptable for these locations.
interface GE1/0/1
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/2
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/3
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/4
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/5
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/6
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/7
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/8
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/9
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
interface GE1/0/10
 description AP-MGT
 port link-type trunk
 port trunk pvid vlan 128
 port trunk allow-pass vlan 128
 stp edged-port enable
#
# GE1/0/11-24 carry no configuration at all: no description, no shutdown, no
# VLAN assignment.
# NOTE(review): shut down unused ports or park them in an unused VLAN so that
# a spare socket is not a working network port.
interface GE1/0/11
#
interface GE1/0/12
#
interface GE1/0/13
#
interface GE1/0/14
#
interface GE1/0/15
#
interface GE1/0/16
#
interface GE1/0/17
#
interface GE1/0/18
#
interface GE1/0/19
#
interface GE1/0/20
#
interface GE1/0/21
#
interface GE1/0/22
#
interface GE1/0/23
#
interface GE1/0/24
#
# 10GE1/0/1 and 10GE1/0/2 are the members of Eth-Trunk25; 10GE1/0/3-6 are
# unconfigured, like the spare GE ports above.
interface 10GE1/0/1
 description link_to_CSW-C-1.PEK3-G_GigabitEthernet0/0/2
 eth-trunk 25
#
interface 10GE1/0/2
 description link_to_CSW-C-1.PEK3-G_GigabitEthernet1/0/2
 eth-trunk 25
#
interface 10GE1/0/3
#
interface 10GE1/0/4
#
interface 10GE1/0/5
#
interface 10GE1/0/6
#
interface NULL0
#
# Default route via 10.0.0.129, inside the Vlanif254 subnet.
ip route-static 0.0.0.0 0.0.0.0 10.0.0.129
#
# SNMP agent with one read community, restricted by "acl 2099".
# NOTE(review): no ACL 2099 is defined anywhere on this page. Confirm it
# exists on the device, and what the agent does when a referenced ACL is
# missing or empty. The community ciphertext is published with this file;
# rotate the community.
snmp-agent
snmp-agent community read cipher %@%##!!!!!!!!!"!!!!"!!!!*!!!!m6!=C+/b]95/lP7]`HLDK=w2Sb!cu#|d#]V!!!!!2jp5!!!!!!U!!!!=4Z."cLeuEk8FTA~`(a"o_&.28exa$Bx;b%%&JR/$x/lGI,W%F7^cWT9TPG$"fh)0!!!!!!!!!!!!!!!%@%# acl 2099 alias cmn
#
# NOTE(review): SNMPv2c is enabled alongside v3, and community complexity
# checking is switched off. v2c carries the community string unencrypted;
# prefer v3 only, with authentication and privacy, if the monitoring system
# supports it.
snmp-agent sys-info version v2c v3
snmp-agent community complexity-check disable
#
# SNMP is bound to Vlanif254; the all-interface source status is removed for
# IPv4 and IPv6.
snmp-agent protocol source-interface Vlanif254
undo snmp-agent protocol source-status all-interface
undo snmp-agent protocol source-status ipv6 all-interface
#
undo snmp-agent proxy protocol source-status all-interface
undo snmp-agent proxy protocol source-status ipv6 all-interface
#
#
# SSH (STelnet) server. The SSH user cnadmin authenticates by password only.
# NOTE(review): "ssh server-source all-interface" accepts SSH on every IPv4
# interface, whereas NTP and SNMP above are pinned to Vlanif254 -- consider
# binding SSH to the management interface as well.
stelnet server enable
ssh user cnadmin
ssh user cnadmin authentication-type password
ssh user cnadmin service-type stelnet
ssh server-source all-interface
undo ssh ipv6 server-source all-interface
ssh authorization-type default aaa
#
# Server algorithms: AES-GCM/CTR ciphers, SHA-2 HMACs and SHA-2 based key
# exchange only.
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512 curve25519_sha256
#
# NOTE(review): the list still contains plain "rsa", presumably the SHA-1
# based RSA signature; drop it if every client supports rsa_sha2_256 or
# rsa_sha2_512 -- confirm.
ssh server publickey rsa rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
# NOTE(review): first-time enable lets the SSH client on this switch accept an
# unknown server's host key on first connection instead of requiring a
# pre-configured key. Disable it if the switch is not used as an SSH client or
# if host keys can be provisioned in advance.
ssh client first-time enable
#
# NOTE(review): same remark as for the server list -- plain "rsa" is still
# offered by the client.
ssh client publickey rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512 curve25519_sha256
#
# Console: a single shared password (authentication-mode password) rather than
# AAA, so console sessions are not tied to a named user. Idle timeout is
# 10 minutes.
# NOTE(review): the $1d$ console password hash is published with this file --
# rotate it, and consider AAA on the console for per-user accountability.
user-interface con 0
 authentication-mode password
 set authentication password cipher $1d$l:hWOoUtPLA/[3O,$dhJ.TyAMM0#Su3*Zq@IS9oG}>`b,|YV30$(S8BA($
 idle-timeout 10 0
#
# VTY 0-4: AAA authentication, SSH as the only inbound protocol, privilege
# level 3.
# NOTE(review): no inbound ACL is configured on the VTY lines, so any host
# that can reach the switch can attempt a login; restrict the source
# addresses to the management stations.
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
# Web management is enabled on port 8443, with "http forward" on (presumably
# redirecting HTTP to HTTPS -- confirm).
# NOTE(review): no source restriction for the web service is visible on this
# page; disable web management if it is not used.
web-manager enable port 8443
web-manager http forward enable
#
warranty
#
return