Cisco3560配置（生产环境）

version 12.2 no service pad service timestamps debug uptime service timestamps log datetime localtime service password-encryption service sequence-numbers ! hostname qngy-zx-3560 ! no logging exception no logging buffered logging rate-limit all 2 except debugging no logging console enable secret 5 $1$ozUD$Qw/SVu16l6mVvXY82mtwV12 ! no aaa new-model clock timezone beijing 8 system mtu routing 1500 ip subnet-zero no ip source-route ip routing ip domain-list 192.168.100.100 ip name-server 192.168.100.100 ip dhcp smart-relay ! ip dhcp snooping vlan 53-55 no ip dhcp snooping information option ip dhcp snooping ip arp inspection vlan 53-55 ip arp inspection filter kefu vlan 5,505 ip arp inspection filter vlan54 vlan 54 ip arp inspection filter vlan55 vlan 55 no ip igmp snooping ipv6 unicast-routing ! mls qos ! ! ! ! ! no errdisable detect cause arp-inspection errdisable recovery cause dhcp-rate-limit errdisable recovery cause arp-inspection errdisable recovery interval 30 port-channel load-balance dst-mac ! ! ! spanning-tree mode pvst spanning-tree extend system-id spanning-tree vlan 1,5,53-55,602 priority 24576 ! ! vlan access-map buildD 10 action drop match ip address bad_port vlan access-map buildD 20 action forward match ip address match_all ! vlan filter buildD vlan-list 54-55 vlan internal allocation policy ascending ! ! class-map match-all classlimitudp match access-group name limitudp ! ! policy-map policylimitudp class classlimitudp police 100000 8000 exceed-action drop ! ! ! ! interface Port-channel1 description link to build D switchport trunk encapsulation dot1q switchport trunk allowed vlan 55,602 switchport mode trunk ip arp inspection limit none ! interface Port-channel2 description link to build 123 switchport trunk encapsulation isl switchport mode trunk ip arp inspection limit none ! interface Port-channel3 description Link To QngyBungalow switchport trunk encapsulation dot1q switchport trunk allowed vlan 1-252,254-4094 switchport mode trunk ip arp inspection limit none ! interface GigabitEthernet0/1 switchport trunk encapsulation dot1q switchport trunk allowed vlan 55,602 switchport mode trunk ipv6 traffic-filter ACCESS_PORT in channel-group 1 mode on service-policy input policylimitudp ! interface GigabitEthernet0/2 switchport trunk encapsulation dot1q switchport trunk allowed vlan 55,602 switchport mode trunk ipv6 traffic-filter ACCESS_PORT in channel-group 1 mode on service-policy input policylimitudp ! interface GigabitEthernet0/3 description link to build A switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit none ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/4 description link to build C switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit none ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/5 switchport trunk encapsulation isl switchport mode trunk ipv6 traffic-filter ACCESS_PORT in channel-group 2 mode on service-policy input policylimitudp ! interface GigabitEthernet0/6 switchport trunk encapsulation isl switchport mode trunk ipv6 traffic-filter ACCESS_PORT in channel-group 2 mode on service-policy input policylimitudp ! interface GigabitEthernet0/7 description link to B4 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/8 description link to B4 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/9 description link to B4 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/10 description link to B4 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/11 description link to B7 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/12 description link to B7 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/13 description link to B7 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/14 description link to B7 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/15 description link to B7 switchport trunk encapsulation dot1q switchport trunk allowed vlan 53-55 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 shutdown ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/16 description link to B10 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/17 description link to B10 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/18 description link to B10 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/19 description link to B10 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/20 description link to B10 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/21 description link to B13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/22 description link to B13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/23 description link to B13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/24 description link to B13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/25 description link to B13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/26 description link to B13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/27 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/28 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/29 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/30 switchport trunk encapsulation dot1q switchport trunk allowed vlan 54,602 switchport mode trunk ip arp inspection limit rate 500 burst interval 15 ipv6 traffic-filter ACCESS_PORT in service-policy input policylimitudp ! interface GigabitEthernet0/31 switchport trunk encapsulation dot1q switchport trunk allowed vlan 1-252,254-4094 switchport mode trunk ip arp inspection limit none ipv6 traffic-filter ACCESS_PORT in channel-group 3 mode on ! interface GigabitEthernet0/32 switchport trunk encapsulation dot1q switchport trunk allowed vlan 1-252,254-4094 switchport mode trunk ip arp inspection limit none ipv6 traffic-filter ACCESS_PORT in channel-group 3 mode on ! interface GigabitEthernet0/33 switchport trunk encapsulation dot1q ip arp inspection trust shutdown spanning-tree portfast ! interface GigabitEthernet0/34 switchport access vlan 253 switchport mode access ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/35 switchport trunk allowed vlan 1-252,254-4094 shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/36 switchport trunk allowed vlan 1-252,254-4094 shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/37 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/38 switchport trunk allowed vlan 1-252,254-4094 shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/39 switchport trunk allowed vlan 1-252,254-4094 shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/40 switchport trunk allowed vlan 1-252,254-4094 shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/41 switchport trunk allowed vlan 1-252,254-4094 shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/42 switchport trunk allowed vlan 1-252,254-4094 shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/43 switchport trunk allowed vlan 1-252,254-4094 switchport mode access shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/44 switchport trunk encapsulation dot1q switchport trunk allowed vlan 1-252,254-4094 switchport mode trunk shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/45 switchport trunk allowed vlan 1-252,254-4094 switchport mode access shutdown ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/46 switchport access vlan 54 switchport mode access ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/47 switchport trunk encapsulation dot1q switchport trunk allowed vlan 1-252,254-4094 switchport mode trunk ip arp inspection trust ipv6 traffic-filter ACCESS_PORT in spanning-tree bpdufilter enable ! interface GigabitEthernet0/48 switchport access vlan 54 switchport mode access ipv6 traffic-filter ACCESS_PORT in ! interface GigabitEthernet0/49 description link to Build F (6506) switchport trunk encapsulation dot1q switchport mode trunk ip arp inspection trust spanning-tree bpdufilter enable ip dhcp snooping trust ! interface GigabitEthernet0/50 shutdown flowcontrol receive on service-policy input policylimitudp ! interface GigabitEthernet0/51 shutdown ! interface GigabitEthernet0/52 shutdown ! interface Vlan1 ip address 192.168.100.78 255.255.255.128 no ip proxy-arp ipv6 address 1001:CC0:2020:1::7/64 ipv6 enable ipv6 nd ra suppress ipv6 ospf 1 area 0 ! interface Vlan5 no ip address ip helper-address 192.168.100.77 no ip redirects no ip unreachables no ip proxy-arp ! interface Vlan53 ip address 192.168.31.254 255.255.255.0 secondary ip address 192.168.15.254 255.255.255.0 ip helper-address 192.168.100.77 no ip proxy-arp ipv6 address 1001:CC0:2020:2020::1/64 ipv6 enable ipv6 nd router-preference High ipv6 ospf 1 area 0 ! interface Vlan54 ip address 192.168.209.254 255.255.255.0 secondary ip address 192.168.11.254 255.255.252.0 ip helper-address 192.168.100.77 no ip redirects no ip unreachables no ip proxy-arp ipv6 address 1001:CC0:2020:2021::1/64 ipv6 enable ipv6 nd router-preference High ipv6 ospf 1 area 0 ! interface Vlan55 ip address 192.168.14.254 255.255.255.0 ip helper-address 192.168.100.77 no ip redirects no ip unreachables no ip proxy-arp ipv6 address 1001:CC0:2020:2022::1/64 ipv6 enable ipv6 nd router-preference High ipv6 ospf 1 area 0 ! interface Vlan501 no ip address ! interface Vlan602 no ip address ! no ip http server ip http access-class 10 ip http secure-server ! ! ip access-list extended bad_port deny ip host 192.168.8.2 host 192.168.0.10 deny ip host 192.168.0.10 host 192.168.8.2 deny ip host 192.168.8.3 host 192.168.0.10 deny ip host 192.168.0.10 host 192.168.8.3 deny ip host 192.168.8.1 host 192.168.0.10 deny ip host 192.168.0.10 host 192.168.8.1 permit tcp any any eq 445 permit tcp any any eq 139 permit tcp any any eq 135 permit udp any any eq netbios-dgm permit udp any any eq 445 permit udp any any eq 135 permit udp any any eq netbios-ns ip access-list extended limitudp deny udp 192.168.100.0 0.0.0.255 any deny udp 192.168.10.0 0.0.0.255 any deny udp 192.168.1.0 0.0.0.255 any deny udp any any eq domain bootpc bootps deny udp 192.168.200.0 0.0.0.255 any ip access-list extended match_all permit ip any any ! ip source binding 0050.C225.99B1 vlan 54 192.168.8.2 interface Gi0/48 logging 192.168.100.45 access-list 2 permit 10.0.0.2 access-list 2 permit 192.168.203.36 access-list 2 permit 192.168.100.0 0.0.0.255 access-list 10 permit 192.168.100.0 0.0.0.255 ! arp access-list vlan54 permit ip host 192.168.11.250 mac host 0014.970f.5a08 permit ip host 192.168.11.249 mac host 0014.970f.5a07 permit ip host 192.168.11.248 mac host 0014.970f.5a36 permit ip host 192.168.1.245 mac any permit ip host 192.168.1.246 mac any arp access-list vlan55 permit ip host 192.168.14.200 mac host 0010.5cb2.3a8c permit ip host 192.168.14.249 mac host 0014.970f.5a04 permit ip host 192.168.14.1 mac host 0050.c225.99b5 arp 192.168.10.139 00bc.5c1d.4820 ARPA arp 192.168.11.244 8080.d24d.0bf4 ARPA arp 192.168.14.253 0040.63f7.62ef ARPA arp 192.168.14.1 0050.c225.99b5 ARPA arp 192.168.8.3 0050.c225.9a07 ARPA arp 192.168.8.2 0050.c225.99b1 ARPA arp 192.168.8.1 0050.c225.998f ARPA ipv6 router ospf 1 log-adjacency-changes ! ! snmp-server community rcode RO 2 snmp-server community public RO snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps tty snmp-server enable traps cluster snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps hsrp snmp-server enable traps bridge newroot topologychange snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency snmp-server enable traps syslog snmp-server enable traps vlan-membership ! ipv6 access-list ACCESS_PORT remark Block all traffic DHCP server -> client deny udp any eq 547 any eq 546 remark Block Router Advertisements deny icmp any any router-advertisement permit ipv6 any any ! ipv6 access-list vty permit ipv6 1001:CC0:2020:1::/64 1001:CC0:2020:1::/64 permit ipv6 1001:CC0:2020:1001::/64 1001:CC0:2020:1::/64 ! control-plane ! ! line con 0 password 7 060506324F415A4C5347020A1F173D24362C1 login line vty 0 4 access-class 10 in password 7 104D000A0618415E5A543A2A373B243A30172 ipv6 access-class vty in login line vty 5 15 access-class 10 in password 7 104D000A0618415E5A543A2A373B243A30174 ipv6 access-class vty in login ! ! monitor session 1 source vlan 54 monitor session 1 destination interface Gi0/47 mac-address-table static 14cf.9274.00eb vlan 53 drop ntp clock-period 36029575 ntp server 192.168.100.45 prefer end