文稿说明案例switch configuration guide for gpns v1.03march

SwitchConfigurationGuideForGPNSRevisionAugustBasicAugustUpdatednetworkAugustAddednoticesandupdatedMarchHaydonUpdatedBasic、Vlan、Interfaceand HPSWITCH Basic Hostnameand Vlan Office Room SNMP SNMP SNMP AAA Radius Syslog 802.1X CISCOSWITCH Basic Hostnameand SNMP SNMP SNMP AAA Radius Authentication& Syslog 802.1X APPEDIXA:HPSWITCHCONFIGURATION APPEDIXB:CISCOSWITCHCONFIGURATION 在HSIA项目中，交换机的每个端口所属VLAN都是静态指定的，而在GPNS项目中，用户接入到交换机某个端口时的所属VLAN是根据SLIM系统的设置动态分配的，这需要交换机开启802.1X认证功能，跟SLIM系统进行交互。且为了对交换机设备进行统一管理，交换机上会开启AAA认证，登陆交换机的账号、对应的权限都由SLIM系统定义。交换机会将用户登陆、退出的动作发送给SLIM以做配置变更的审计及配置存档。因此GPNS项目换机的配置跟普通HSIA项目的交换机配置有所区别。在GPNS项目中，SLIM服务器接入到不交换机VLAN相同的VLAN100中，并配置跟VLAN同一网段的IP地址，网络拓扑大致可以简化如下在交换机的配置过程中一般先进行一些初步的配置，如根据GPNS标准对交换机进行规范化命配置VLAN的IP地址及SSH登录，能用本地用户登配置交换机跟SLIM之间的AAA认证，通过SLIM的账号登录交换机并能正常配置802.1X认证，实现劢态VLAN分配。而在GPNS文档中，对网络设备名规则有严格的标准“Marsha_Code”+“Device_Code”+“Device_Sequence_Number”+“-”+“Floor_Number”+“-”+ 本文档主要通过CISCO和HP两个品牌交换机的配置结合SLIMHP交换机使用ProCurveSwitch2510-24J9019B，固件版本为CISCO交换机使用CatalystWS-C2960-24TT-L，固件版本为SLIM使用的版本HPSwitchBasicHostnameand首先对交换机的名字进行规范化命名，比如酒店的Marsha_code为TSNLVHP#为了保证交换机时间的准确性，需要设置NTP与万豪的NTP服务器（24）TSNLVSW01-02(config)#sntpserver24TSNLVSW01-02(config)#timesyncsntp然后配置交换机的VLAN与应用VLAN，及相应的IP地址TSNLVSW01-02(vlan-100)#nameNetwork_LAN_Switch_managementTSNLVSW01-02(vlan-100)#ipaddress40TSNLVSW01-02(vlan-100)#exit开启SSH允许通过登录到交换机，关 net服务提高安全性TSNLVSW01-02(config)#passwordmanageruser-nameamttNewpasswordformanager:********Pleaseretypenewpasswordformanager:********TSNLVSW01-02(config)#aaaauthenticationsshenablelocalTSNLVSW01-02(config)#aaaauthenticationsshloginlocalTSNLVSW01-02(config)#no <MARSHA>adminaccess，根据不同酒店替换MARSHACode，如MARSHACode为Defaultgateway、配置默认网关指向JuniperVLAN100的接口地址（29，以便能跟其他配置LoginBanner警告交换机的用户，输入bannermotd^然后 !!Thissystem,whichincludesthedatastoredherein, !!proprietaryandtoMarriottInternational,Inc.!!(Marriott).ThissystemisforMarriottauthorizednel!!only.Unauthorizedaccessisprohibitedandwill !!prosecutedtothefullextentofapplicable ^Spanning-VlanOffice在对应的交换机上配置标准要求的办公TSNLVSW01-02(config)#vlan101nameWireless_Access_Points_101TSNLVSW01-02(config)#vlan100nameNetwork_LAN_Switch_managementTSNLVSW01-02(config)#vlan200nameMI_SERVERS_PCITSNLVSW01-02(config)#vlan201nameServers_Trusted_non-credit_cardTSNLVSW01-02(config)#vlan203nameMicros_TerminalsTSNLVSW01-02(config)#vlan300nameAssociate_PCs_Laptops_WiredTSNLVSW01-02(config)#vlan301nameAssociate_Client_DevicesTSNLVSW01-02(config)#vlan450nameAssociate_Laptops_WirelessTSNLVSW01-02(config)#vlan451nameAssociate_PDAs_Micros_iPadsTSNLVSW01-02(config)#vlan699nameVoIP_ManagementTSNLVSW01-02(config)#vlan801nameBack_ground_musicTSNLVSW01-02(config)#vlan805nameBusiness_CenterTSNLVSW01-02(config)#vlan810nameDigital_SignageTSNLVSW01-02(config)#vlan812nameExt_TSNLVSW01-02(config)#vlan820nameKey_Card_LockTSNLVSW01-02(config)#vlan1016nameGuest_Free_Wireless在对应的交换机上配置标准要求的客房vlan，例如TSNLVSW01-02(config)#vlan1067nameRoom1501InterfaceInterfaceTSNLVSW01-02(config)#interfaceethernet1TSNLVSW01-02(eth-1)#nameRoom1501POEAPtrunkvlantrunkTSNLVSW01-02(configvlan101untagged23-28SNMPSNMP交换机需要配置SNMP团体名，从而实现SLIM和HiBOS能够到交换机的相应信TSNLVSW01-02(config)#snmp-servercommunityTSNLV4GPNSoperatorunrestrictedTSNLVSW01-02(config)#snmp-servercommunityTSNLV3GPNSoperator另外万豪的设备扫描器MAARK1也需要获取交换机的相应信息，因此需要针对MARRK1额外设置相应的SNMPTSNLVSW01-02(config)#snmp-servercommunityFZQ6cmROoperatorTSNLVSW01-02(config)#snmp-servercommunityPD6TE9RWoperatorunrestrictedTSNLVSW02-02(config)#snmp-serverlocation"Locatedat2ndfloor SNMPSNMP团体名配置好之后交换机会响应相应的SNMPQuery，但有些紧急信息需要交换机即时主动发送给SLIM服务器(36)及万豪服务器（6，因此需要配置SNMPTSNLVSW01-02(config)#snmp-serverenabletrapsauthenticationTSNLVSW01-02(config)#snmp-servertrap-source40TSNLVSW01-02(config)#snmp-serverresponse-source40TSNLVSW01-02(config)#snmp-serverhost36criticalTSNLV3GPNSAAARadiusSLIM使用的是RADIUS协议，配置AAA需要指定RADIUS服务器（SLIM）定义为 端TSNLVSW01-02(config)#radius-serverhost36keyTSNLV321showradius配置登陆交换机时候使用的用户名为Radius服务器（SLIM）优先，当Radius服务器不可达TSNLVSW01-02(config)#aaaauthenticationloginprivilege-modeTSNLVSW01-02(config)#aaaauthenticationsshloginradiuslocalTSNLVSW01-02(config)#aaaauthenticationsshenableradiuslocal配置完成后通过showauthentication查看相应信息，确保SSH的LoginPrimary为Radius，LoginSecondary为配置Accounting的作用是在管理用户登陆及退出、802.1X用户上线及下线时通知RADIUS（SLIM，果发现登陆了交换机后SLIM的登陆日志中没有审计或SLIM系统中的用户表较少（用户上线几分钟后下线）等情况，需要确定交换机的AccountingTSNLVSW01-02(config)#aaaaccountingexecstart-stopradiusTSNLVSW01-02(config)#aaaaccountingcommandsstop-onlyradiusTSNLVSW01-02(config)#aaaaccountingsystemstart-stopradius配置完成后通过showaccountingSyslogSYSLOG到外部SYSLOG服务器(SLIM)及万豪的SYSLOG服务器，以便信息的记录及后期的问题排查TSNLVSW01-02(config)#loggingfacilitysyslog802.1X要实现客户电脑接到交换机的某个端口时根据SLIM系统的设置动态划分到不同的VLAN，交换机必须开启802.1X认证，在配置802.1X时需要注意以下几点：SLIM系统指派的VLAN必须存在交换机的VLAN表中交换机互联的端口不要开启802.1X认证配置时需要将端口认证设置为基亍RADIUS的EAP（ExtendAuthenticationProtocol），下列配置将1-10端口开启802.1X认证，且如果接入的设备不支持802.1X认证时使用MAC地址进行认证，注意需要定义802.1X端口最大允许接入的用户数，否则可能导致启用了802.1x的端口接入不支持802.1x认证的主机（如）时不发起Mac认证请求TSNLVSW01-02(config)#aaaauthenticationport-accesseap-radiusTSNLVSW01-02(config)#aaaport-accessauthenticatoractiveTSNLVSW01-02(config)#aaaport-accessauthenticator1-10client-limit32TSNLVSW01-02(config)#aaaport-accessmac-based1-10addr-limit32 Guestvlan配置完成后将终端接入到交换机的相应端口，输入showport-accessauthenticator查看802.1X输入showport-accessmac-based 查看Mac认证结果，如下图显示端口5已成功认证，到VLAN10CISCOSwitchBasicHostnameand首先对交换机的名字进行规范化命名，比如酒店的Marsha_code为TSNLVSwitch#conf为了保证交换机时间的准确性，需要设置NTP与万豪的NTP服务器（24）TSNLVSW02-02(config)#clocktimezoneGMT+8TSNLVSW02-02(config)#ntpserver24然后配置交换机的VLAN与应用VLAN，及相应的IP地址TSNLVSW02-02(config-vlan)#exitTSNLVSW02-02(config)#intvlan100设置本地用户名，开启SSHv2允许通过登录到交换机，关 net服务提高安性，生成key时选择1024TSNLVSW02-02(config)#noiphttpTSNLVSW02-02(config)#usernameamttpasswordamtt@402TSNLVSW02-02(config)#ipnameTSNLVSW02-02(config)#cryptokeygeneratersageneral-keysTSNLVSW02-02(config)#ipsshtime-out120TSNLVSW02-02(config)#linevty04TSNLVSW02-02(config-line)#loginlocalTSNLVSW02-02(config-line)#transportinputsshTSNLVSW02-02(config-line)#transportoutputssh<MARSHA>adminaccess，根据不同酒店替换MARSHACode，并且enable统一设置为c2Tx45AZSW，严格区分大小写，如MARSHACode为TSNLV，则用户名、TSNLVSW02-02(config)#enablesecretc2Tx45AZSWDefaultgateway、配置默认网关指向JuniperVLAN100的接口地址（29，以便能跟其他配置LoginBanner警告交换机的用户，输入bannermotd^然后 !!Thissystem,whichincludesthedatastoredherein, !!proprietaryandtoMarriottInternational,Inc.!!(Marriott).ThissystemisforMarriottauthorizednel!!only.Unauthorizedaccessisprohibitedandwill !!prosecutedtothefullextentofapplicable ^Spanning-Interfacename，例如接入层交换机接入房间的POEAPSNMPSNMP交换机需要配置SNMP团体名，从而实现SLIM和HiBOS能够到交换机的相应信TSNLVSW02-02(config)#snmp-servercommunityTSNLV4GPNSrw另外万豪的设备扫描器MAARK1也需要获取交换机的相应信息，因此需要针对MARRK1额外设置相应的SNMPTSNLVSW02-02(config)#snmp-servercommunityFZQ6cmROroTSNLVSW02-02(config)#snmp-serverlocation"Locatedat2ndfloor SNMPSNMP团体名配置好之后交换机会响应相应的SNMPQuery，但有些紧急信息需要交换机即时主动发送给SLIM服务器(36)及万豪服务器（6，因此需要配置SNMPTSNLVSW02-02(config)#snmp-serverhost6trapsFZQ6cmROttyauth-InterfaceInterfaceTSNLVSW01-02(config)#interfaceethernet1TSNLVSW01-02(eth-1)#nameRoom1501POEAPtrunkTSNLVSW02-02(config)#interfacerangef0/23-28TSNLVSW02-02(config-if-range)#switchporttrunkdelvlan1vlantrunkTSNLVSW02-02(config)#interfacerangef0/23-28TSNLVSW02-02(config-if-range)#switchportmodetrunkTSNLVSW02-02(config-if-range)#switchporttrunkallowedvlanAAARadiusAAA有RADIUS和TACAS两种，SLIM使用的是RADIUS协议，配置AAA需要指定RADIUS服务器（SLIM）的地址，秘钥定义为 口TSNLVSW02-02(config)#radius-serverhost36auth-port1812acct-portkeyTSNLVSW02-02(config)#ipradiussource-interfacevlan因为在Dot1x中会定义当Radius-server时将终端临时到某个VLAN，所以需要设定判定Radius-Server的标准及时间TSNLVSW02-02(config)#radius-serverdead-criteriatime15tries1TSNLVSW02-02(config)#radius-serverdeadtime2CISCO设备发送AccessRequest报文给Radius服务器时默认不封装NAS-Identifier属性，导致在SLIM的用户表中用户的NAS-ID一栏为空，因此需设置交换机发送AccessRequest、AccountingRequest报文时额外封装NAS-Identifier属性TSNLVSW02-02(config)#radius-serverattribute32include-in-access-reqTSNLVSW02-02(configradius-serverattribute32include-in-accounting-reqAuthentication&配置登陆交换机时候使用的用户名为Radius服务器（SLIM）优先，直接进入模式，RadiusTSNLVSW02-02(config)#aaaauthenticationlogindefaultgroupradiuslocalTSNLVSW02-02(config)#aaaauthorizationexecdefaultgroupradiuslocalTSNLVSW02-02(config)#linevty04配置Accounting的作用是在管理用户登陆及退出、802.1X用户上线及下线时通知RADIUS（SLIM，果发现登陆了交换机后SLIM的登陆日志中没有审计或SLIM系统中的用户表较少（用户上线几分钟后下线）等情况，需要确定交换机的Accounting部分是否正确配置TSNLVSW02-02(config)#aaaaccountingdot1xdefaultstart-stopgroupradiusTSNLVSW02-02(config)#aaaaccountingexecdefaultstart-stopgroupradiusTSNLVSW02-02(config)#aaaaccountingnetworkdefaultstart-stopgroupradiusTSNLVSW02-02(config)#aaaaccountingconnectiondefaultstart-stopgroupSyslog配置SYSLOG可以将交换机产生的系统日志消息、系统错误消息网络事件等一系列日志文件发送到外部SYSLOG服务器(SLIM)及万豪的服务器（34），以便信息的记录及后TSNLVSW02-02(config)#servicetimestampslogdatetimeTSNLVSW02-02(config)#loggingtrapcriticalTSNLVSW02-02(config)#loggingsource-interfaceVlan100TSNLVSW02-02(config)#logging36TSNLVSW02-02(config)#logging34TSNLVSW02-02(config)#loggingfacilitylocal7TSNLVSW02-02(config)#loginon-failurelogTSNLVSW02-02(config)#loginon-successlog802.1X要实现客户电脑接到交换机的某个端口时根据SLIM系统的设置劢态划分到不同的VLAN，交换机必须开启802.1X认证，在配置802.1X时需要注意以下几点：SLIM系统指派的VLAN必须存在交换机的VLAN表中交换机互联的端口不要开启802.1X认证配置时需要将端口认证设置为基于RADIUS的EAP（ExtendAuthenticationProtocol），下列配置将1-10端口开启802.1X认证，且如果接入的设备不支持802.1X认证时使用MACTSNLVSW02-02(config)#dot1xguest-vlansupplicant （支持guestvlan推送）TSNLVSW02-02(config)#aaaauthnticationdot1xdefaultgroupradiuslocalTSNLVSW02-02(config)#aaaauthorizationnetworkdefaultgroupradiuslocalTSNLVSW02-02(config)#interfacerangef0/1-10TSNLVSW02-02(config-if-range)#switchportmodeaccessTSNLVSW02-02(config-if-range)#dot1xpaeauthenticatorTSNLVSW02-02(config-if-range)#mabTSNLVSW02-02(config-if-range)#authenticationport-controlautoTSNLVSW02-02(config-if-range)#authenticationeventfailretry0actionnext-注意注意：aaaauthorizationnetworkdefaultgroupradiuslocal到指定的由于CISCO交换机优先使用Dot1x认证，且等待客户端回应EAPResponse的响应超时时间、EAPRequst超时重传时间较长，因此为了加快不支持Dot1x认证的客户端快速转入到MAB认证（Mac Bypass，整TSNLVSW02-02(config-if-range)#dot1xtimeoutserver-timeout10TSNLVSW02-02(config-if-range)#dot1xtimeoutsupp-timeout5TSNLVSW02-02(config-if-range)#dot1xtimeouttx-period1TSNLVSW02-02(config-if-range)#dot1xtimeouttx-period1TSNLVSW02-02(config-if-range)#dot1xguest-vlan1016当Radius服务器宕机或者因网络原因无响应时，临时将改端口划分到默认GuestVLAN（如果该端口对应房间有线网络端口，则将该端口划分到房间对应的VLAN，如1号端口接888房间TSNLVSW02-02(config-if)#authenticationeventfailretry0actionnext-methodTSNLVSW02-02(config-if)#authenticationeventserverdeadactionauthorizevlan888TSNLVSW02-02(config-if)#authenticationeventno-responseactionauthorizevlan888如果在Radius-Server宕机时802.1X的客户端无法到事先定义的相应VLAN，注意检查是criteria，Server配置部分。☒可通过命令showdot1xallsummary 查看端口Dot1x认证的结果，如下图显示F0/1端口的Status为Unauthorized，表明客户未成功通过认证。☐可通过命令showmaball 查看端口Mac认证的结果，如下图显示F0/1端口Status为Authorized或者可以通过showauthenticationsession命令查看相应通过何种方式是否成AppedixA:HPSwitchConfiguration;;J9776AConfigurationEditor;Createdonrelease;Verhostname"CANSMSW03-21"bannermotd"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!system,whichincludesthedatastoredherein,is !!\n!!proprietary toMarriottInternational,Inc.!!\n!!(Marriott).ThissystemisforMarriottauthorized nel!!\n!!only.Unauthorizedaccessisprohibitedandwillbe !!\n!!prosecutedtothefullextentofapplicablelaw. logginglogging34loggingfacilityradius-serverhost50timesyncsntpsntpsntpserverpriority1timetimezoneipdefault-gatewayinterfacename"Room2201"interfacename"Room2202"interfacename"Room2205"interfacename"Room2206"interfacename"Room2207"interfacename"Room2208"interfacename"Room2210"interfacename"Room2212"interfacename"Room2216"interfacename"Room2218"interfacename"Room2220"interfacename"Room2222"interfacename"Room2223"interfacename"Room2225"interfacename"Room2226"interfacename"Room2227"interfacename"Room2228"interfacename"Room2229"interface interface interface name"CANSMSW02-interface26 interface interface snmp-servercommunity"CANSM4GPNS"operatorunrestrictedsnmp-servercommunity"CANSM3GPNS"operatorsnmp-servercommunity"FZQ6cmRO"snmp-servercommunity"PD6TE9RW"operatorsnmp-serverhost50community"CANSM3GPNS"trap-levelcriticalsnmp-serverhost6community"FZQ6cmRO"trap-levelcriticalsnmp-servertrap-source70snmp-servercontact"AMTTSupportCenter v2.9"location"locatedat21FloorIDF,FromtoptobottomThe03."aaaaccountingcommandsinterim-updateradiusaaaaccountingexecstart-stopradiusaaaaccountingnetworkstart-stopradiusaaaaccountingsystemstart-stopradiusaaaauthenticationloginprivilege-modeaaaauthentication netloginradiuslocalaaaauthentication netenableradiuslocalaaaauthenticationwebloginradiuslocalaaaauthenticationwebenableradiuslocalaaaauthenticationsshloginradiuslocalaaaauthenticationsshenableradiuslocalaaaauthenticationport-accesseap-radiusaaaport-accessauthenticator1-22aaaport-accessauthenticator1client-limitaaaport-accessauthenticator2client-limitaaaport-accessauthenticator3client-limitaaaport-accessauthenticator4client-limitaaaport-accessauthenticator5client-limitaaaport-accessauthenticator6client-limitaaaport-accessauthenticator7client-limitaaaport-accessauthenticator8client-limitaaaport-accessauthenticator9client-limitport-port-port-port-port-port-port-port-port-port-port-port-port-aaaport-accessauthenticatoractiveaaaport-accessmac-based1-22port-1addr-port-1unauth-port-2addr-port-2unauth-port-3addr-port-3unauth-port-4addr-port-4unauth-port-5addr-port-5unauth-port-6addr-port-6unauth-port-7addr-port-7unauth-port-8addr-port-8unauth-port-9addr-port-9unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-addr-port-unauth-port-unauth-port-unauth-port-unauth-port-unauth-vlannamenountagged23-untagged1-ipaddressdhcp-bootpvlanname"Network_LAN_Switch_management"tagged23-28ipaddress70vlanname"Wireless_Access_Points_101"tagged23-28noipaddressvlanname"MI_SERVERS_PCI"tagged23-28noipaddressvlanname"Servers_Trusted_non-credit_card"tagged23-28noipaddressvlanname"Micros_Terminals"tagged23-28noipvlanname"Associate_PCs_Laptops_Wired"tagged23-28noipaddressvlanname"Associate_Client_Devices"tagged23-28noipaddressvlanname"Associate_Laptops_Wireless"tagged23-28noipaddressvlanname"Associate_PDAs_Micros_iPads"tagged23-28noipaddressvlanname"VoIP_Management"tagged23-28noipaddressvlanname"Back_ground_music"tagged23-28noipaddressvlanname"Business_Center"tagged23-28noipaddressvlanname"Room_Controls"tagged23-28noipaddressvlanname"Digital_Signage"tagged23-28noipaddressvlanname"Ext_ tagged23-28noipaddressvlanname"Key_Card_Lock"tagged23-28noipaddressvlanname"Guest_Wireless"tagged23-28noipaddressvlanname"Conference_Wireless"tagged23-28noipaddressvlanname"Guest_Free_Wireless"tagged23-28noipaddressvlanname"Room2102"tagged23-28noipaddressvlanname"Room2106"tagged23-28noipaddressvlanname"Room2108"tagged23-28noipaddressvlanname"Room2110"tagged23-28noipaddressvlanname"Room2112"tagged23-28noipaddressvlanname"Room2116"tagged23-28noipaddressvlanname"Room2118"tagged23-28noipaddressvlanname"Room2120"tagged23-28noipaddressvlanname"Room2122"tagged23-28noipaddressvlanname"Room2126"tagged23-28noipaddressvlanname"Room2128"tagged23-28noipaddressvlanname"Room2129"tagged23-28noipaddressvlan1170name"Room2127"tagged23-28noipaddressvlanname"Room2125"tagged23-28noipaddressvlanname"Room2123"tagged23-28noipaddressvlanname"Room2107"tagged23-28noipaddressvlanname"Room2105"tagged23-28noipaddressvlanname"Room2101"tagged23-28noipaddressvlanname"Room2202"tagged23-28noipaddressvlanname"Room2206"tagged23-28noipaddressvlannametagged23-28noipaddressvlanname"Room2210"tagged23-28noipaddressvlanname"Room2212"tagged23-28noipaddressvlanname"Room2216"tagged23-28noipaddressvlanname"Room2218"tagged23-28noipaddressvlanname"Room2220"tagged23-28noipaddressvlanname"Room2222"tagged23-28noipaddressvlanname"Room2226"tagged23-28noipaddressvlanname"Room2228"tagged23-28noipaddressvlanname"Room2229"tagged23-28noipaddressvlanname"Room2227"tagged23-28noipaddressvlanname"Room2225"tagged23-28noipaddressvlanname"Room2223"tagged23-28noipaddressvlanname"Room2207"tagged23-28noipaddressvlanname"Room2205"tagged23-28noipaddressvlanname"Room2201"tagged23-28noipaddressspanning-spanning-tree23admin-edge-spanning-tree24admin-edge-spanning-tree25admin-edge-spanning-tree26admin-edge-spanning-tree27admin-edge-spanning-tree28admin-edge-spanning-treevlan1000-1001,1158-1175,1185-1188notftpserverloop-protectnotftpserverloop-protect1-28nodhcpconfig-file-updatepasswordmanagerAppedixB:CISCOSwitchConfiguration!!!Lastconfigurationchangeat19:12:51CSTFriJan32014by!NVRAMconfiglastupdatedat19:12:52CSTFriJan32014by!version12.2serviceconfignoservicepadservicetimestampsdebugservicetimestampslogdatetimelocaltimeservicepassword-encryption!!!enablesecret5!usernameamttpassword usernameSHAPHadminpassword7 aaanew-model!!aaaauthenticationlogindefaultgroupradiuslocalaaaauthenticationdot1xdefaultgroupradiusaaaauthorizationexecdefaultgroupradiusif-authenticatedaaaauthorizationnetworkdefaultgroupradiusaaaaccountingdot1xdefaultstart-stopgroupradiusaaaaccountingexecdefaultstart-stopgroupradiusaaaaccountingnetworkdefaultstart-stopgroupradius!!!aaasession-idcommonclocktimezoneCST8systemmturouting1500vtpmodetransparentipsubnet-no - -name!!loginon-failurelogloginon-successlog!!cryptopkitrustpointTP-self-signed-enrollmentselfsignedsubject-namecn=IOS-Self-Signed- revocation-checknone!!crypto chainTP-self-self-signed01nvram:IOS-Self-Sig#3636.cerdot1xsystem-auth-control!!!errdisablerecoverycauseudlderrdisablerecoverycausebpduguarderrdisablerecoverycausesecurity-violationerrdisablerecoverycausechannel-misconfigerrdisablerecoverycausepagp-flaperrdisablerecoverycausedtp-flaperrdisablerecoverycauselink-errdisablerecoverycausesfp-config-mismatcherrdisablerecoverycausegbic-invaliderrdisablerecoverycausel2ptguarderrdisablerecoverycausepsecure-violationerrdisablerecoverycauseport-mode-failureerrdisablerecoverycausedhcp-rate-limiterrdisablerecoverycausemac-limiterrdisablerecoverycausevmpserrdisablerecoverycausestorm-controlerrdisablerecoverycauseinline-powererrdisablerecoverycausearp-inspectionerrdisablerecoverycauseloopbackerrdisablerecoverycausesmall-frameerrdisablerecoveryinterval60!!!spanning-treemodespanning-treeetherchannelguardmisconfigspanning-treeex