!
! Last configuration change at 11:07:35 MDT Sat Mar 16 2019 by pingpongguy
! NVRAM config last updated at 11:07:37 MDT Sat Mar 16 2019 by pingpongguy
!
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service compress-config
!
hostname lsmr-0307-swd1
!
boot-start-marker
boot system switch all flash:cat3k_caa-universalk9.SPA.03.07.00.E.152-3.E.bin
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa group server tacacs+ ISE-TACACS
 server name il-chi-eqx-dpsn1
 server name tx-dal-eqx-dpsn1
!
aaa authentication login default group ISE-TACACS enable
aaa authentication enable default group ISE-TACACS enable
aaa authorization console
aaa authorization exec default group ISE-TACACS none
aaa authorization commands 1 default group ISE-TACACS none
aaa authorization commands 15 default group ISE-TACACS none
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
aaa accounting network default start-stop group ISE-TACACS
aaa accounting connection default start-stop group ISE-TACACS
!
!
!
!
!
!
aaa session-id common
clock timezone MNT -7 0
clock summer-time MDT recurring
switch 1 provision ws-c3850-24u
!
!
!
!
!
ip routing
!
ip domain-lookup source-interface Vlan10
ip name-server 172.20.32.10
ip name-server 10.64.134.69
no ip dhcp use vrf connected
ip dhcp excluded-address 10.78.111.1 10.78.111.50
ip dhcp excluded-address 10.74.187.1 10.74.187.50
ip dhcp excluded-address 10.74.186.1 10.74.186.50
!
ip dhcp pool DATA
 network 10.78.111.0 255.255.255.128
 default-router 10.78.111.1
 domain-name corp.dvn.com
 dns-server 172.20.32.10 10.64.134.69
 netbios-node-type h-node
 option 60 ascii "Cisco AP c3500"
 option 43 hex f104.ac14.1711
!
ip dhcp pool VOICE
 network 10.74.187.0 255.255.255.0
 default-router 10.74.187.1
 dns-server 172.20.32.10 10.64.134.69
 domain-name net.dvn
 option 150 ip 172.20.13.112 172.20.12.114
 lease 0 1
!
ip dhcp pool WIRELESS
 network 10.74.186.0 255.255.255.0
 default-router 10.74.186.1
 option 60 ascii "Cisco AP c3500"
 option 43 hex f104.ac14.1711
 dns-server 172.20.32.10 10.64.134.69
 lease 0 1
!
!
ip wccp check services all
ip wccp source-interface Vlan11
ip wccp 61 redirect-list WCCP_LAN
vtp mode transparent
!
!
diagnostic bootup level minimal
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
vlan 2
 name SCADA
!
vlan 3
 name Admin
!
vlan 10
 name Management
!
vlan 11
 name WCCP11
!
vlan 20
 name Data
!
vlan 30
 name Voice
!
vlan 50
 name Wireless
!
vlan 60
 name PIN
!
vlan 65
 name PCN
!
vlan 973
 name security
!
ip tftp source-interface Vlan10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 description lsmr-0307-fo1-rte1
 switchport trunk allowed vlan 11
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description lsmr-0307-swa1
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description lsmr-fo1-sw2-AP
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description ##scadapc.154
 switchport access vlan 2
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 description lsmr-fo1-sw2 fa0/1
 switchport access vlan 3
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 speed 100
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 description lsmr-0307-vg1
 switchport access vlan 30
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 description UPS 2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 description ## lsmr-fo1-sh1 : AUX
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 description RB-PRI
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 description lsmr-0307-sh1
 switchport access vlan 11
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 switchport access vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description ## Scada VLAN
 ip address 10.78.111.129 255.255.255.128
 ip access-group scada_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan10
 description Management
 ip address 10.74.188.1 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp redirect exclude in
!
interface Vlan11
 description WCCP
 ip address 10.74.185.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp redirect exclude in
!
interface Vlan20
 description DATA
 ip address 10.78.111.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp 61 redirect in
!
interface Vlan30
 description VOICE
 ip address 10.74.187.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan50
 description WIRELESS
 ip address 10.74.186.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp 61 redirect in
!
interface Vlan60
 description PIN
 ip address 10.74.188.129 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan65
 description PCN
 ip address 10.74.188.193 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan973
 description Security
 ip address 10.74.188.65 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
router ospf 100
 router-id 10.74.185.201
 passive-interface default
 no passive-interface Vlan11
 network 10.74.185.0 0.0.0.7 area 0
 network 10.74.186.0 0.0.0.255 area 0
 network 10.74.187.0 0.0.0.255 area 0
 network 10.74.188.0 0.0.0.63 area 0
 network 10.74.188.64 0.0.0.63 area 0
 network 10.74.188.128 0.0.0.63 area 0
 network 10.74.188.192 0.0.0.63 area 0
 network 10.78.111.0 0.0.0.127 area 0
 network 10.78.111.128 0.0.0.127 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan10
!
ip access-list extended AccessControl
 permit ip host 10.52.5.69 any
 permit ip host 10.64.132.69 any
 permit ip 172.16.5.0 0.0.0.255 any
 permit ip 172.20.5.0 0.0.0.255 any
 permit ip 172.24.225.0 0.0.0.255 any
 permit ip 172.25.225.0 0.0.0.255 any
 permit tcp host 63.99.29.18 any eq 22
 permit tcp host 63.99.29.40 any eq 22
 permit tcp host 206.47.24.18 any eq 22
 permit tcp host 206.47.24.169 any eq 22
ip access-list extended WCCP_LAN
 permit tcp any any
ip access-list extended scada_in
 permit ip host 10.78.111.152 host 10.77.110.97
 permit ip host 10.78.111.152 host 10.74.16.110
 permit ip host 10.78.111.150 host 10.74.16.87
 remark Permit Scada to Admin Printer
 permit tcp any 10.78.111.0 0.0.0.127 eq 9100
 remark Permit Scada to admin PC for file sharing
 permit tcp any 10.78.111.0 0.0.0.127 range 137 139
 permit udp any 10.78.111.0 0.0.0.127 eq netbios-ns
 permit tcp any 10.78.111.0 0.0.0.127 eq 445
 remark *****************************************
 remark Allow Trusted Host established connection
 permit tcp any host 10.72.15.63 established
 permit tcp any host 10.72.15.68 established
 permit tcp any host 10.72.15.69 established
 permit udp any range 5631 5632 host 10.72.15.63
 permit udp any range 5631 5632 host 10.72.15.68
 permit udp any range 5631 5632 host 10.72.15.69
 permit tcp any host 172.20.192.100 established
 permit tcp any host 172.20.192.104 established
 permit tcp any host 172.20.192.105 established
 permit tcp any host 172.20.192.106 established
 permit tcp any host 172.20.192.107 established
 permit tcp any host 172.20.192.108 established
 permit tcp any host 172.16.192.106 established
 permit tcp any host 172.16.192.107 established
 permit udp any range 5631 5632 host 172.16.192.106
 permit udp any range 5631 5632 host 10.74.16.87
 permit tcp host 10.78.111.150 range 5631 5632 host 10.74.16.87
 permit udp any range 5631 5632 host 10.74.16.76
 permit tcp host 10.78.111.150 range 5631 5632 host 10.74.16.76
 remark *******************************************************
 remark Permit echo replys to mgmt networks and to trusted host
 permit icmp any 216.208.7.0 0.0.0.255 echo-reply
 permit udp any range 5631 5632 host 172.16.192.107
 permit icmp any 172.16.5.0 0.0.0.255 echo-reply
 permit icmp any 172.20.5.0 0.0.0.255 echo-reply
 remark ********************************
 remark Deny Scada to all other networks
 deny   ip any any log
!
logging facility local1
logging source-interface Vlan10
logging host 172.25.20.61
access-list 96 permit 172.18.2.37
access-list 96 permit 172.18.18.21
access-list 97 permit 10.66.37.101
access-list 97 permit 10.52.12.12
access-list 97 permit 172.16.32.30
access-list 97 permit 172.16.32.31
access-list 97 permit 172.20.32.30
access-list 97 permit 172.20.32.31
access-list 97 permit 172.16.12.104
access-list 97 permit 172.16.32.116
access-list 97 permit 10.64.146.32
access-list 97 permit 172.16.5.0 0.0.0.255
access-list 97 permit 172.20.5.0 0.0.0.255
access-list 97 permit 172.24.225.0 0.0.0.255
access-list 97 permit 172.25.225.0 0.0.0.255
access-list 98 permit 172.25.36.129
access-list 98 permit 172.25.17.190
access-list 98 permit 172.22.136.17
access-list 98 permit 172.18.200.80
access-list 98 permit 172.18.136.27
access-list 98 permit 172.18.2.121
access-list 98 permit 172.18.66.57
access-list 98 permit 172.18.2.122
access-list 98 permit 172.25.40.78
!
snmp-server group HPpriv v3 priv read HPmib-exclude access 98
snmp-server group DevonPriv v3 priv access 97
snmp-server view HPmib-exclude iso included
snmp-server view HPmib-exclude lldpMIB excluded
snmp-server view HPmib-exclude at excluded
snmp-server view HPmib-exclude snmpUsmMIB excluded
snmp-server view HPmib-exclude snmpVacmMIB excluded
snmp-server view HPmib-exclude snmpCommunityMIB excluded
snmp-server view HPmib-exclude ip.21 excluded
snmp-server view HPmib-exclude ip.22 excluded
snmp-server trap-source Vlan10
snmp-server location Leismer, AB
snmp-server contact Infrastructure
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps rf
snmp-server enable traps memory
snmp-server enable traps cpu threshold
snmp-server enable traps wireless bsnMobileStation bsnAccessPoint bsnRogue bsn80211Security bsnAutoRF bsnGeneral SI mobility mfp RRM AP rogue client
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps flash insertion removal
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps energywise
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps license
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps local-auth
snmp-server enable traps port-security
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down binding-expn-fail oper-nodeid-change binding-conflict
snmp-server enable traps trustsec-server radius-server provision-secret
snmp-server enable traps trustsec authz-file-error cache-file-error keystore-file-error keystore-sync-fail random-number-fail src-entropy-fail
snmp-server enable traps trustsec-interface unauthorized sap-fail authc-fail supplicant-fail authz-fail
snmp-server enable traps bgp cbgp2
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps ipsla
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 172.16.5.60 version 3 priv SNMPninja
snmp-server host 172.20.5.82 version 3 priv SNMPninja
snmp ifmib ifindex persist
!
tacacs-server timeout 6
tacacs-server directed-request
tacacs server il-chi-eqx-dpsn1
 address ipv4 172.25.243.22
tacacs server tx-dal-eqx-dpsn1
 address ipv4 172.24.243.22
!
!
!
no vstack
banner exec ^C
***********************SYSTEM DESCRIPTION************************
*                                                               *
* NAME:         lsmr-0307-swd1                                  *
* LOCATION:     Leismer A Plant                                 *
* CORPORATION:  Devon Canada Corporation                        *
* SITE CONTACT: Enterprise Network Services                     *
* MODEL:        Cisco WS-C3850-24U                              *
* ASSET #:                                                      *
*****************************************************************
^C
banner motd ^CCC
*****************************SECURITY NOTICE************************
*
* ACCESS TO THIS SYSTEM IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY
* USAGE OF THIS SYSTEM MAY BE LOGGED AND/OR MONITORED WITHOUT NOTICE.
* DISCONNECT IMMEDIATELY IF YOU ARE NOT AN AUTHORIZED USER!
*
********************************************************************
^C
!
line con 0
 exec-timeout 15 0
 stopbits 1
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
 stopbits 1
line vty 0 4
 access-class AccessControl in
 exec-timeout 5 0
 timeout login response 90
 privilege level 15
 transport input ssh
line vty 5 15
 access-class AccessControl in
 exec-timeout 5 0
 timeout login response 90
 privilege level 15
 transport input ssh
!
ntp source Vlan10
ntp server 172.20.2.33 prefer
ntp server 172.20.2.34
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end