Cisco Compliance Solution for PCI DSS 2.0 Design and Implementation Guide - Detailed Full Running Configurations [Design Zone for Security]

Detailed Full Running Configurations

Data Center

WAN

Converged Core/Aggregation

Managed Service Provider

FW-A2-MSP-1

S-A2-MSP-1

Detailed Full Running Configurations

Data Center

WAN

ASA-WAN-1

ASA Version 9.1(1)

firewall transparent

terminal width 511

hostname ASA-WAN-1

domain-name cisco-irn.com

enable password <removed>

passwd <removed>

names

interface GigabitEthernet0/0

 nameif outside

 bridge-group 1

 security-level 0

interface GigabitEthernet0/1

 nameif inside

 bridge-group 1

 security-level 100

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

interface GigabitEthernet0/3

 description LAN/STATE Failover Interface

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

interface GigabitEthernet0/6

 shutdown

 no nameif

 no security-level

interface GigabitEthernet0/7

 shutdown

 no nameif

 no security-level

interface Management0/0

 management-only

 no nameif

 no security-level

interface BVI1

 ip address 192.168.11.20 255.255.255.0 standby 192.168.11.21

boot system disk0:/asa911-smp-k8.bin

boot system disk0:/asa900-129-smp-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

 domain-name cisco-irn.com

object network AdminStation

 host 192.168.41.101

object network AdminStation2

 host 192.168.41.102

object network AdminStation4-bart

 host 10.19.151.99

object network EMC-NCM

 host 192.168.42.122

 description EMC Network Configuration Manager

object network CSManager

 host 192.168.42.133

 description Cisco Security Manager

object network AdminStation3

 host 192.168.42.138

object network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object network Stores-ALL

 subnet 10.10.0.0 255.255.0.0

 description all store networks

object network vSphere-1

 host 192.168.41.102

 description vSphere server for Lab

object network WCSManager

 host 192.168.43.135

 description Wireless Manager

object network PAME-DC-1

 host 192.168.44.111

object network MSP-DC-1

 host 192.168.44.121

 description Data Center VSOM

object network DC-ALL

 subnet 192.168.0.0 255.255.0.0

 description All of the Data Center

object network RSA-enVision

 host 192.168.42.124

 description RSA EnVision Syslog collector and SIM

object network TACACS

 host 192.168.42.131

 description Csico Secure ACS server for TACACS and Radius

object network RSA-AM

 host 192.168.42.137

 description RSA Authentication Manager for SecureID

object network ISE-2

 host 192.168.42.112

 description HA ISE Server

object network ISE-1

 host 192.168.42.111

 description ISE server for NAC

object network MS-Update

 host 192.168.42.150

 description Windows Update Server

object network MSExchange

 host 192.168.42.140

 description Mail Server

object network DC-POS

 subnet 192.168.52.0 255.255.255.0

 description POS in the Data Center

object service RPC

 service tcp destination eq 135

object service LDAP-GC

 service tcp destination eq 3268

object service LDAP-GC-SSL

 service tcp destination eq 3269

object service Kerberos-TCP

 service tcp destination eq 88

object service Microsoft-DS-SMB

 service tcp destination eq 445

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

object service LDAP-UDP

 service udp destination eq 389

object service RPC-HighPorts

 service tcp destination range 1024 65535

object service IP-Protocol-97

 service 97

 description IP protocol 97

object service TCP1080

 service tcp destination eq 1080

object service TCP8080

 service tcp destination eq 8080

object service RDP

 service tcp destination eq 3389

 description Windows Remote Desktop

object network LMS

 host 192.168.42.139

 description Cisco Prime LMS

object-group network STORE-POS

 network-object 10.10.0.0 255.255.0.0

object-group network Admin-Systems

 network-object object EMC-NCM

 network-object object AdminStation

 network-object object AdminStation2

 network-object object CSManager

 network-object object AdminStation3

 network-object object ISE-1

 network-object object ISE-2

 network-object object LMS

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 network-object 192.168.43.21 255.255.255.255

 network-object 192.168.43.22 255.255.255.255

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 network-object 192.168.43.31 255.255.255.255

 network-object 192.168.43.32 255.255.255.255

object-group network DM_INLINE_NETWORK_5

 network-object object ISE-1

 network-object object ISE-2

 network-object object RSA-AM

 network-object object TACACS

object-group network DM_INLINE_NETWORK_6

 network-object object ISE-1

 network-object object ISE-2

object-group network DC-WAAS

 description WAE Appliances in Data Center

 network-object 192.168.48.10 255.255.255.255

 network-object 192.168.49.10 255.255.255.255

 network-object 192.168.47.11 255.255.255.255

 network-object 192.168.47.12 255.255.255.255

object-group network NTP-Servers

 description NTP Servers

 network-object 192.168.62.161 255.255.255.255

 network-object 162.168.62.162 255.255.255.255

object-group icmp-type DM_INLINE_ICMP_1

 icmp-object echo

 icmp-object echo-reply

 icmp-object time-exceeded

 icmp-object traceroute

 icmp-object unreachable

object-group service DM_INLINE_TCP_3 tcp

 port-object eq www

 port-object eq https

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 network-object 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 network-object 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 network-object 192.168.52.128 255.255.255.240

object-group service HTTPS-8443

 service-object tcp destination eq 8443

object-group network DM_INLINE_NETWORK_7

 network-object object MSP-DC-1

 network-object object PAME-DC-1

object-group service DNS-Resolving

 description Domain Name Server

 service-object tcp destination eq domain

 service-object udp destination eq domain

object-group network DM_INLINE_NETWORK_8

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 service-object tcp destination eq 5989

 service-object tcp destination eq 8000

 service-object tcp destination eq 902

 service-object tcp destination eq 903

object-group network DM_INLINE_NETWORK_9

 network-object object DC-POS

 group-object DC-POS-Oracle

 group-object DC-POS-SAP

 group-object DC-POS-Tomax

object-group service TFTP

 description Trivial File Transfer

 service-object tcp destination eq 69

 service-object udp destination eq tftp

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 service-object udp destination eq 12222

 service-object udp destination eq 12223

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 service-object udp destination eq 5246

 service-object udp destination eq 5247

object-group service DM_INLINE_SERVICE_10

 group-object HTTPS-8443

 service-object tcp destination eq www

 service-object tcp destination eq https

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 service-object udp destination eq 427

 service-object tcp destination eq 427

object-group service DM_INLINE_SERVICE_11

 group-object ESX-SLP

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 group-object vCenter-to-ESX4

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 service-object tcp destination eq 4050

object-group service Netbios

 description Netbios Servers

 service-object udp destination eq netbios-dgm

 service-object udp destination eq netbios-ns

 service-object tcp destination eq netbios-ssn

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 service-object udp destination eq 16666

 service-object udp destination eq 16667

object-group service DM_INLINE_SERVICE_12

 group-object CAPWAP

 group-object Cisco-Mobility

 service-object object IP-Protocol-97

 group-object LWAPP

 service-object tcp destination eq https

 service-object udp destination eq isakmp

object-group service DM_INLINE_SERVICE_13

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group network DM_INLINE_NETWORK_2

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

 network-object object WCSManager

object-group network DM_INLINE_NETWORK_3

 network-object object DC-ALL

 group-object STORE-POS

object-group network DM_INLINE_NETWORK_4

 network-object object MSP-DC-1

 network-object object PAME-DC-1

object-group service DM_INLINE_SERVICE_2

 service-object icmp

 group-object HTTPS-8443

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 service-object udp destination eq snmp

object-group service DM_INLINE_SERVICE_3

 group-object DNS-Resolving

 service-object object Kerberos-TCP

 service-object object LDAP-GC

 service-object object LDAP-GC-SSL

 service-object object LDAP-UDP

 service-object object Microsoft-DS-SMB

 service-object object RPC

 service-object object RPC-HighPorts

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq netbios-dgm

 service-object udp destination eq ntp

object-group service DM_INLINE_SERVICE_4

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 group-object vCenter-to-ESX4

object-group service DM_INLINE_SERVICE_5

 group-object CAPWAP

 service-object object IP-Protocol-97

 group-object LWAPP

 group-object TFTP

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 service-object tcp destination eq telnet

 service-object udp destination eq isakmp

object-group service DM_INLINE_SERVICE_6

 group-object HTTPS-8443

 service-object object RDP

 service-object object TCP1080

 service-object object TCP8080

 service-object icmp echo

 service-object icmp echo-reply

 service-object tcp destination eq ftp

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq ssh

object-group service DM_INLINE_SERVICE_7

 group-object CISCO-WAAS

 group-object HTTPS-8443

 service-object object Microsoft-DS-SMB

 group-object Netbios

object-group service DM_INLINE_SERVICE_8

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group service DM_INLINE_SERVICE_14

 group-object CISCO-WAAS

 group-object HTTPS-8443

 service-object object Microsoft-DS-SMB

 group-object Netbios

object-group service DM_INLINE_SERVICE_15

 group-object DNS-Resolving

 service-object object Kerberos-TCP

 service-object object LDAP-GC

 service-object object LDAP-GC-SSL

 service-object object LDAP-UDP

 service-object object Microsoft-DS-SMB

 service-object object RPC

 service-object object RPC-HighPorts

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq netbios-dgm

 service-object udp destination eq ntp

object-group service DM_INLINE_SERVICE_9

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq domain

object-group service DM_INLINE_TCP_1 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_2 tcp

 port-object eq www

 port-object eq https

 port-object eq imap4

 port-object eq pop3

 port-object eq smtp

object-group service DM_INLINE_UDP_1 udp

 port-object eq snmp

 port-object eq snmptrap

 port-object eq syslog

object-group service DM_INLINE_UDP_2 udp

 port-object eq 1812

 port-object eq 1813

access-list INSIDE extended permit ip any any

access-list INSIDE extended permit object-group DM_INLINE_SERVICE_2 object-group 
Admin-Systems object-group DM_INLINE_NETWORK_3

access-list INSIDE remark Allow Active Directory Domain

access-list INSIDE extended permit object-group DM_INLINE_SERVICE_3 object 
ActiveDirectory.cisco-irn.com object Stores-ALL

access-list INSIDE remark VMWare - ESX systems

access-list INSIDE extended permit object-group DM_INLINE_SERVICE_4 object vSphere-1 
object Stores-ALL

access-list INSIDE remark Wireless Management to Stores

access-list INSIDE extended permit object-group DM_INLINE_SERVICE_5 object-group 
DM_INLINE_NETWORK_2 object Stores-ALL

access-list INSIDE remark Physical security systems

access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_4 object Stores-ALL 
eq https

access-list INSIDE remark Allow Management of store systems

access-list INSIDE extended permit object-group DM_INLINE_SERVICE_6 object DC-ALL object 
Stores-ALL

access-list INSIDE remark WAAS systems

access-list INSIDE extended permit object-group DM_INLINE_SERVICE_7 object-group DC-WAAS 
object Stores-ALL

access-list INSIDE remark Voice calls

access-list INSIDE extended permit object-group DM_INLINE_SERVICE_8 object DC-ALL object 
Stores-ALL

access-list INSIDE remark Drop and Log all other traffic

access-list INSIDE extended deny ip any any log

access-list OUTSIDE extended permit ip any any

access-list OUTSIDE remark Connectivity validation

access-list OUTSIDE extended permit icmp object Stores-ALL any object-group 
DM_INLINE_ICMP_1

access-list OUTSIDE remark Internet Browsing

access-list OUTSIDE extended permit tcp object Stores-ALL any object-group DM_INLINE_TCP_3

access-list OUTSIDE remark Config uploading

access-list OUTSIDE extended permit tcp object Stores-ALL object EMC-NCM eq ssh

access-list OUTSIDE remark Log reporting

access-list OUTSIDE extended permit udp object Stores-ALL object RSA-enVision object-group 
DM_INLINE_UDP_1

access-list OUTSIDE remark Authentication and DNS lookup

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_9 object Stores-ALL 
object ActiveDirectory.cisco-irn.com

access-list OUTSIDE remark Authentication and authorization

access-list OUTSIDE extended permit tcp object Stores-ALL object TACACS eq tacacs

access-list OUTSIDE remark Time Sync

access-list OUTSIDE extended permit udp object Stores-ALL object-group NTP-Servers eq ntp

access-list OUTSIDE remark Authentication

access-list OUTSIDE extended permit udp object Stores-ALL object-group DM_INLINE_NETWORK_5 
object-group DM_INLINE_UDP_2

access-list OUTSIDE remark Authentication web portal

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_10 object Stores-ALL 
object-group DM_INLINE_NETWORK_6

access-list OUTSIDE remark VMWare ESX to Data Center

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_11 object Stores-ALL 
object vSphere-1

access-list OUTSIDE remark Physical security systems

access-list OUTSIDE extended permit tcp object Stores-ALL object-group DM_INLINE_NETWORK_7 
eq https

access-list OUTSIDE remark Wireless control systems

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_12 object Stores-ALL 
object-group DM_INLINE_NETWORK_8

access-list OUTSIDE remark Voice calls

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_13 object Stores-ALL 
object DC-ALL

access-list OUTSIDE remark WAAS systems

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_14 object Stores-ALL 
object-group DC-WAAS

access-list OUTSIDE remark Allow Active Directory Domain

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_15 object Stores-ALL 
object ActiveDirectory.cisco-irn.com

access-list OUTSIDE remark Allow Windows Updates

access-list OUTSIDE extended permit tcp object Stores-ALL object MS-Update object-group 
DM_INLINE_TCP_1

access-list OUTSIDE remark Allow Mail

access-list OUTSIDE extended permit tcp object Stores-ALL object MSExchange object-group 
DM_INLINE_TCP_2

access-list OUTSIDE remark Allow Applications

access-list OUTSIDE extended permit tcp object Stores-ALL object-group DM_INLINE_NETWORK_9 
eq https

access-list OUTSIDE remark Drop all other traffic

access-list OUTSIDE extended deny ip any any log

pager lines 24

logging enable

logging host inside 192.168.42.124

logging host inside 192.168.42.139

mtu outside 1500

mtu inside 1500

failover

failover lan unit primary

failover lan interface folink GigabitEthernet0/3

failover link folink GigabitEthernet0/3

failover interface ip folink 192.168.12.20 255.255.255.0 standby 192.168.12.21

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-711.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group OUTSIDE in interface outside

access-group INSIDE in interface inside

route inside 0.0.0.0 0.0.0.0 192.168.11.60 1

route outside 10.10.0.0 255.255.0.0 192.168.11.1 1

route inside 10.10.0.0 255.255.255.0 192.168.11.60 1

route outside 10.10.1.0 255.255.255.0 192.168.11.2 1

route outside 10.10.2.0 255.255.255.0 192.168.11.3 1

route inside 10.10.3.0 255.255.255.0 192.168.11.60 1

route inside 10.10.4.0 255.255.255.0 192.168.11.60 1

route outside 10.10.254.0 255.255.255.0 192.168.11.3 1

route outside 10.10.255.0 255.255.255.0 192.168.11.2 1

route inside 192.168.0.0 255.255.0.0 192.168.11.10 1

route outside 192.168.1.111 255.255.255.255 192.168.11.2 1

route outside 192.168.1.112 255.255.255.255 192.168.11.3 1

route inside 192.168.20.0 255.255.252.0 192.168.11.60 1

route inside 192.168.24.0 255.255.255.0 192.168.11.60 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RETAIL protocol tacacs+

aaa-server RETAIL (inside) host 192.168.42.131

 key *****

user-identity default-domain LOCAL

aaa authentication ssh console RETAIL LOCAL

aaa authentication enable console RETAIL LOCAL

aaa authentication http console RETAIL LOCAL

aaa accounting ssh console RETAIL

aaa accounting enable console RETAIL

aaa accounting command privilege 15 RETAIL

aaa authentication secure-http-client

aaa local authentication attempts max-fail 6

aaa authorization exec authentication-server

http server enable

http server idle-timeout 15

http server session-timeout 60

http 192.168.41.102 255.255.255.255 inside

http 192.168.41.101 255.255.255.255 inside

http 192.168.42.122 255.255.255.255 inside

http 192.168.42.124 255.255.255.255 inside

http 192.168.42.133 255.255.255.255 inside

http 192.168.42.138 255.255.255.255 inside

http 192.168.42.139 255.255.255.255 inside

http 192.168.42.134 255.255.255.255 inside

snmp-server group V3Group v3 priv

snmp-server user csmadmin V3Group v3 encrypted auth sha 
9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8 priv aes 256 
9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8:bb:47:d1:68:d7:39:58:f4:62:f7:
38:36

snmp-server user ciscolms V3Group v3 encrypted auth sha 
9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8 priv aes 256 
9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8:bb:47:d1:68:d7:39:58:f4:62:f7:
38:36

snmp-server host inside 192.168.42.134 version 3 ciscolms

snmp-server host inside 192.168.42.139 version 3 ciscolms

snmp-server host inside 192.168.42.133 version 3 csmadmin

snmp-server location Building SJC-17-1 Aisle 1 Rack 3

snmp-server contact EmployeeA

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 1

ssh scopy enable

ssh 192.168.41.101 255.255.255.255 inside

ssh 192.168.41.102 255.255.255.255 inside

ssh 192.168.42.122 255.255.255.255 inside

ssh 192.168.42.124 255.255.255.255 inside

ssh 192.168.42.133 255.255.255.255 inside

ssh 192.168.42.138 255.255.255.255 inside

ssh 192.168.42.139 255.255.255.255 inside

ssh 192.168.42.134 255.255.255.255 inside

ssh timeout 15

ssh version 2

console timeout 15

tls-proxy maximum-session 1000

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.62.162 source inside

ntp server 192.168.62.161 source inside prefer

ssl encryption aes256-sha1 3des-sha1

username csmadmin password <removed> privilege 15

username retail password <removed> privilege 15

username ciscolms password <removed> privilege 15

username bmcgloth password <removed> privilege 15

class-map inspection_default

 match default-inspection-traffic

class-map global-class-PCI

 match any

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 description IPS inspection policy for Cisco PCI LAB

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

 class global-class-PCI

  ips promiscuous fail-open

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:74ca008c5477bc602c2080c680584775

: end

ASA-WAN-1_IDS

! ------------------------------

! Current configuration last modified Fri Dec 07 09:38:41 2012

! ------------------------------

! Version 7.1(6)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S648.0   2012-05-30

! ------------------------------

service interface

exit

! ------------------------------

service authentication

attemptLimit 6

password-strength

size 7-64

digits-min 1

lowercase-min 1

other-min 1

number-old-passwords 4

exit

cli-inactivity-timeout 15

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 192.168.11.23/24,192.168.11.10

host-name IPS-WAN-1

telnet-option disabled

access-list 192.168.41.101/32

access-list 192.168.41.102/32

access-list 192.168.42.122/32

access-list 192.168.42.124/32

access-list 192.168.42.133/32

access-list 192.168.42.134/32

access-list 192.168.42.138/32

access-list 192.168.42.139/32

login-banner-text WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS 
ONLY!

dns-primary-server enabled

address 192.168.42.130

exit

dns-secondary-server disabled

dns-tertiary-server disabled

exit

time-zone-settings

offset -480

standard-time-zone-name PST

exit

ntp-option enabled-ntp-unauthenticated

ntp-server 192.168.62.161

exit

summertime-option recurring

summertime-zone-name PDT

start-summertime

month march

week-of-month second

day-of-week sunday

time-of-day 02:00:00

exit

end-summertime

month november

week-of-month first

day-of-week sunday

time-of-day 02:00:00

exit

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

trap-destinations 192.168.42.124

trap-community-name RSAenvision

exit

enable-notifications true

trap-community-name RSAenvision

system-location Building SJC-17-1 Row 1 Rack 1

system-contact EmployeeA

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

enable-tls true

port 443

server-id IPS-WAN-1

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

aaa radius

primary-server

server-address 192.168.42.131

shared-secret retailpci

exit

nas-id IPS-WAN-1

local-fallback enabled

console-authentication radius-and-local

default-user-role administrator

exit

exit

! ------------------------------

service analysis-engine

exit

IPS-WAN-1#

RWAN-1

! Last configuration change at 01:17:13 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:17:14 PSTDST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

no platform punt-keepalive disable-kernel-core

hostname RWAN-1

boot-start-marker

boot-end-marker

vrf definition Mgmt-intf

 address-family ipv4

 exit-address-family

 address-family ipv6

 exit-address-family

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 4 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PSTDST recurring

ip source-route

no ip bootp server

no ip domain lookup

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip multicast-routing distributed

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

password encryption aes

crypto pki trustpoint TP-self-signed-1264044905

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1264044905

 revocation-check none

 rsakeypair TP-self-signed-1264044905

crypto pki certificate chain TP-self-signed-1264044905

 certificate self-signed 01

  <removed>   	quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

username retail privilege 15 secret 4 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 4 <removed>

username bmcgloth privilege 15 secret 4 <removed>

username csmadmin privilege 15 secret 4 <removed>

redundancy

 mode none

ip ssh version 2

ip scp server enable

class-map match-all BRANCH-BULK-DATA

 match access-group name BULK-DATA-APPS

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol telnet

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol dns

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map DataCenter-LAN-EDGE-OUT

 class class-default

policy-map DataCenter-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

policy-map DataCenter-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 1

  random-detect dscp-based

 class class-default

  bandwidth percent 25

  random-detect

interface Loopback0

 ip address 192.168.1.111 255.255.255.255

interface GigabitEthernet0/0/0

 description SWAN-1

 ip address 192.168.11.2 255.255.255.0

 standby 1 ip 192.168.11.1

 standby 1 priority 105

 standby 1 preempt

 no negotiation auto

 service-policy input DataCenter-LAN-EDGE-IN

 service-policy output DataCenter-LAN-EDGE-OUT

interface GigabitEthernet0/0/1

 no ip address

 no negotiation auto

interface GigabitEthernet0/0/2

 description RSP-1 G0/1

 ip address 10.10.1.6 255.255.255.0

 no negotiation auto

 service-policy output DataCenter-WAN-EDGE

interface GigabitEthernet0/0/3

 no ip address

 shutdown

 no negotiation auto

interface GigabitEthernet0

 vrf forwarding Mgmt-intf

 no ip address

 shutdown

 negotiation auto

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 192.168.11.60

ip route 10.10.0.0 255.255.0.0 10.10.1.1

ip route 10.10.0.0 255.255.0.0 192.168.11.3 50

ip route 10.10.0.0 255.255.255.0 192.168.11.60

ip route 10.10.2.0 255.255.255.0 192.168.11.3

ip route 10.10.3.0 255.255.255.0 192.168.11.60

ip route 10.10.4.0 255.255.255.0 192.168.11.60

ip route 10.10.110.2 255.255.255.255 192.168.11.3

ip route 10.10.126.2 255.255.255.255 192.168.11.3

ip route 10.10.254.0 255.255.255.0 192.168.11.3

ip route 192.168.0.0 255.255.0.0 192.168.11.10

ip route 192.168.1.112 255.255.255.255 192.168.11.3

ip route 192.168.20.0 255.255.252.0 192.168.11.60

ip route 192.168.24.0 255.255.255.0 192.168.11.60

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip 192.168.52.0 0.0.0.255 any

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 192.168.46.72 eq 8444 host 10.10.49.94

 remark --Large store Clock Server to CUAE

 permit tcp host 192.168.45.185 eq 8000 host 10.10.49.94

 remark ---LiteScape Application---

 permit ip host 192.168.46.82 any

 permit ip 239.192.0.0 0.0.0.255 any

 permit ip host 239.255.255.250 any

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

cdp run

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps ipsla

snmp-server enable traps syslog

snmp-server enable traps flash insertion removal

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

banner exec C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 stopbits 1

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 no exec

 transport preferred none

 transport output none

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 17186047

ntp source Loopback0

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

RWAN-2

! Last configuration change at 01:31:03 PST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:31:04 PST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

no platform punt-keepalive disable-kernel-core

hostname RWAN-2

boot-start-marker

boot-end-marker

vrf definition Mgmt-intf

 address-family ipv4

 exit-address-family

 address-family ipv6

 exit-address-family

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

ip source-route

no ip bootp server

no ip domain lookup

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip multicast-routing distributed

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

password encryption aes

crypto pki trustpoint TP-self-signed-1414178861

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1414178861

 revocation-check none

 rsakeypair TP-self-signed-1414178861

crypto pki certificate chain TP-self-signed-1414178861

 certificate self-signed 01

  <removed>

  	quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

username retail privilege 15 secret 4 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 4 <removed>

username bmcgloth privilege 15 secret 4 <removed>

username csmadmin privilege 15 secret 4 <removed>

redundancy

 mode none

ip ssh version 2

ip scp server enable

interface Loopback0

 ip address 192.168.1.112 255.255.255.255

 ip pim sparse-dense-mode

interface GigabitEthernet0/0/0

 description SWAN-2

 ip address 192.168.11.3 255.255.255.0

 standby 1 ip 192.168.11.1

 standby 1 priority 95

 no negotiation auto

interface GigabitEthernet0/0/1

 no ip address

 no negotiation auto

interface GigabitEthernet0/0/2

 description RSP-2 G0/1

 ip address 10.10.2.6 255.255.255.0

 no negotiation auto

interface GigabitEthernet0/0/3

 no ip address

 no negotiation auto

interface GigabitEthernet0

 vrf forwarding Mgmt-intf

 no ip address

 shutdown

 negotiation auto

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 192.168.11.60

ip route 10.10.0.0 255.255.0.0 10.10.2.1

ip route 10.10.0.0 255.255.0.0 192.168.11.2 50

ip route 10.10.0.0 255.255.255.0 192.168.11.60

ip route 10.10.1.0 255.255.255.0 192.168.11.2

ip route 10.10.3.0 255.255.255.0 192.168.11.60

ip route 10.10.4.0 255.255.255.0 192.168.11.60

ip route 10.10.110.1 255.255.255.255 192.168.11.2

ip route 10.10.126.1 255.255.255.255 192.168.11.2

ip route 10.10.255.0 255.255.255.0 192.168.11.2

ip route 192.168.0.0 255.255.0.0 192.168.11.10

ip route 192.168.1.111 255.255.255.255 192.168.11.2

ip route 192.168.20.0 255.255.252.0 192.168.11.60

ip route 192.168.24.0 255.255.255.0 192.168.11.60

ip tacacs source-interface Loopback0

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps ipsla

snmp-server enable traps syslog

snmp-server enable traps flash insertion removal

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

banner exec C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 stopbits 1

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 login authentication RETAIL

 no exec

 transport preferred none

 transport output none

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 17219603

ntp source Loopback0

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

SWAN-1

Current configuration : 12174 bytes

! Last configuration change at 14:08:38 PST Fri Dec 21 2012 by bmcgloth

! NVRAM config last updated at 13:54:15 PST Fri Dec 21 2012 by bmcgloth

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname SWAN-1

boot-start-marker

boot-end-marker

logging buffered 51200

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

username ciscolms privilege 15 secret 5 <removed>

aaa new-model

aaa group server tacacs+ PRIMARY1

aaa authentication login RETAIL group tacacs+ local

aaa authentication login COMPLIANCE group PRIMARY1 local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PST recurring

switch 1 provision ws-c3750x-48p

switch 2 provision ws-c3750x-48p

system mtu routing 1500

authentication mac-move permit

ip subnet-zero

no ip source-route

no ip gratuitous-arps

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-722491520

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-722491520

 revocation-check none

 rsakeypair TP-self-signed-722491520

crypto pki certificate chain TP-self-signed-722491520

 certificate self-signed 01

<removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

vlan internal allocation policy ascending

ip tcp synwait-time 10

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

interface GigabitEthernet1/0/1

 description Link to RWAN-1 G0-0-0

interface GigabitEthernet1/0/2

description Link to ASA-WAN-1 G0-0

!    |

!<removed for brevity>

!    |

interface GigabitEthernet1/0/48

shutdown

interface GigabitEthernet1/1/1

shutdown

interface GigabitEthernet1/1/2

shutdown

interface GigabitEthernet1/1/3

shutdown

interface GigabitEthernet1/1/4

shutdown

interface TenGigabitEthernet1/1/1

shutdown

interface TenGigabitEthernet1/1/2

shutdown

interface GigabitEthernet2/0/1

 description Link to RWAN-2 G0-0-0

interface GigabitEthernet2/0/2

description Link to ASA-WAN-2 G0-0

! <removed for brevity>

interface GigabitEthernet2/0/48

shutdown

interface GigabitEthernet2/1/1

shutdown

interface GigabitEthernet2/1/2

shutdown

interface GigabitEthernet2/1/3

shutdown

interface GigabitEthernet2/1/4

shutdown

interface TenGigabitEthernet2/1/1

shutdown

interface TenGigabitEthernet2/1/2

shutdown

interface Vlan1

 ip address 192.168.11.14 255.255.255.0

ip default-gateway 192.168.11.10

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip sla enable reaction-alerts

logging trap debugging

logging 192.168.42.124

logging 192.168.42.139

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 192.168.42.139 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 permit 192.168.42.139 log

access-list 88 deny   any log

snmp-server group V3Group v3 priv read V3Read write V3Write notify 
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server view V3Read iso included

snmp-server view V3Write iso included

snmp-server packetsize 8192

snmp-server location Building SJC-17-1 Aisle 2 Rack 3

snmp-server contact Bart McGlothin

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps power-ethernet group 1-4

snmp-server enable traps power-ethernet police

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps hsrp

snmp-server enable traps energywise

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps rtr

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server enable traps errdisable

snmp-server host 192.168.42.134 version 3 priv ciscolms

snmp-server host 192.168.42.139 version 3 priv ciscolms

snmp-server host 192.168.42.133 version 3 priv csmadmin

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

monitor session 1 source interface Fa1/0/1

monitor session 1 destination interface Fa1/0/48

ntp clock-period 36029318

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

SWAN-3

Current configuration : 12174 bytes

! Last configuration change at 14:08:38 PST Fri Dec 21 2012 by bmcgloth

! NVRAM config last updated at 13:54:15 PST Fri Dec 21 2012 by bmcgloth

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname SWAN-3

boot-start-marker

boot-end-marker

logging buffered 51200

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

username ciscolms privilege 15 secret 5 <removed>

aaa new-model

aaa group server tacacs+ PRIMARY1

aaa authentication login RETAIL group tacacs+ local

aaa authentication login COMPLIANCE group PRIMARY1 local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PST recurring

switch 1 provision ws-c3750x-48p

switch 2 provision ws-c3750x-48p

system mtu routing 1500

authentication mac-move permit

ip subnet-zero

no ip source-route

no ip gratuitous-arps

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-722491520

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-722491520

 revocation-check none

 rsakeypair TP-self-signed-722491520

crypto pki certificate chain TP-self-signed-722491520

 certificate self-signed 01

<removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

vlan internal allocation policy ascending

ip tcp synwait-time 10

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

interface GigabitEthernet1/0/1

 description Link to RCORE-2 G1-1

interface GigabitEthernet1/0/2

description Link to ASA-WAN-1 G0-1

!    |

!<removed for brevity>

!    |

interface GigabitEthernet1/0/48

shutdown

interface GigabitEthernet1/1/1

shutdown

interface GigabitEthernet1/1/2

shutdown

interface GigabitEthernet1/1/3

shutdown

interface GigabitEthernet1/1/4

shutdown

interface TenGigabitEthernet1/1/1

shutdown

interface TenGigabitEthernet1/1/2

shutdown

interface GigabitEthernet2/0/1

 description Link to RCORE-1 G1-1

interface GigabitEthernet2/0/2

description Link to ASA-WAN-2 G0-1

! <removed for brevity>

interface GigabitEthernet2/0/48

shutdown

interface GigabitEthernet2/1/1

shutdown

interface GigabitEthernet2/1/2

shutdown

interface GigabitEthernet2/1/3

shutdown

interface GigabitEthernet2/1/4

shutdown

interface TenGigabitEthernet2/1/1

shutdown

interface TenGigabitEthernet2/1/2

shutdown

interface Vlan1

 ip address 192.168.11.14 255.255.255.0

ip default-gateway 192.168.11.10

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip sla enable reaction-alerts

logging trap debugging

logging 192.168.42.124

logging 192.168.42.139

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 192.168.42.139 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 permit 192.168.42.139 log

access-list 88 deny   any log

snmp-server group V3Group v3 priv read V3Read write V3Write notify 
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server view V3Read iso included

snmp-server view V3Write iso included

snmp-server packetsize 8192

snmp-server location Building SJC-17-1 Aisle 2 Rack 3

snmp-server contact Bart McGlothin

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps power-ethernet group 1-4

snmp-server enable traps power-ethernet police

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps hsrp

snmp-server enable traps energywise

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps rtr

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server enable traps errdisable

snmp-server host 192.168.42.134 version 3 priv ciscolms

snmp-server host 192.168.42.139 version 3 priv ciscolms

snmp-server host 192.168.42.133 version 3 priv csmadmin

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

monitor session 1 source interface Fa1/0/1

monitor session 1 destination interface Fa1/0/48

ntp clock-period 36029318

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

Core

RCORE-1

! Last configuration change at 01:37:46 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:37:47 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

service counters max age 5

hostname RCORE-1

boot-start-marker

boot system flash disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

ip wccp 61

ip wccp 62

no ip bootp server

ip multicast-routing

ip ssh version 2

ip scp server enable

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

ipv6 mfib hardware-switching replication-mode ingress

vtp domain CiscoRetail

vtp mode transparent

mls ip cef load-sharing full simple

no mls acl tcam share-global

mls netflow interface

mls cef error action freeze

password encryption aes

crypto pki trustpoint TP-self-signed-1104

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1104

 revocation-check none

 rsakeypair TP-self-signed-1104

crypto pki certificate chain TP-self-signed-1104

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode rapid-pvst

spanning-tree loopguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

environment temperature-controlled

diagnostic bootup level minimal

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

redundancy

 main-cpu

  auto-sync running-config

 mode sso

vlan internal allocation policy descending

vlan dot1q tag native

vlan access-log ratelimit 2000

interface Loopback0

 ip address 192.168.1.1 255.255.255.255

interface Port-channel99

 ip address 192.168.10.29 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

interface GigabitEthernet1/1

 description to DC WAN_SWAN-3

 ip address 192.168.11.11 255.255.255.0

 standby 0 ip 192.168.11.10

 standby 0 priority 101

 standby 0 preempt

interface GigabitEthernet1/2

 no ip address

 shutdown

interface GigabitEthernet1/3

 no ip address

 shutdown

interface GigabitEthernet1/4

 no ip address

 shutdown

interface GigabitEthernet1/5

 no ip address

 shutdown

interface GigabitEthernet1/6

 no ip address

 shutdown

interface GigabitEthernet1/7

 no ip address

 shutdown

interface GigabitEthernet1/8

 no ip address

 shutdown

interface GigabitEthernet1/9

 no ip address

 shutdown

interface GigabitEthernet1/10

 no ip address

 shutdown

interface GigabitEthernet1/11

 no ip address

 shutdown

interface GigabitEthernet1/12

 no ip address

 shutdown

interface GigabitEthernet1/13

 no ip address

 shutdown

interface GigabitEthernet1/14

 no ip address

 shutdown

interface GigabitEthernet1/15

 no ip address

 shutdown

interface GigabitEthernet1/16

 no ip address

 shutdown

interface GigabitEthernet1/17

 no ip address

 shutdown

interface GigabitEthernet1/18

 no ip address

 shutdown

interface GigabitEthernet1/19

 no ip address

 shutdown

interface GigabitEthernet1/20

 no ip address

 shutdown

interface GigabitEthernet1/21

 no ip address

 shutdown

interface GigabitEthernet1/22

 no ip address

 shutdown

interface GigabitEthernet1/23

 no ip address

 shutdown

interface GigabitEthernet1/24

 no ip address

 shutdown

interface GigabitEthernet1/25

 no ip address

 shutdown

interface GigabitEthernet1/26

 no ip address

 shutdown

interface GigabitEthernet1/27

 no ip address

 shutdown

interface GigabitEthernet1/28

 no ip address

 shutdown

interface GigabitEthernet1/29

 no ip address

 shutdown

interface GigabitEthernet1/30

 no ip address

 shutdown

interface GigabitEthernet1/31

 no ip address

 shutdown

interface GigabitEthernet1/32

 no ip address

 shutdown

interface GigabitEthernet1/33

 no ip address

 shutdown

interface GigabitEthernet1/34

 no ip address

 shutdown

interface GigabitEthernet1/35

 no ip address

 shutdown

interface GigabitEthernet1/36

 no ip address

 shutdown

interface GigabitEthernet1/37

 no ip address

 shutdown

interface GigabitEthernet1/38

 no ip address

 shutdown

interface GigabitEthernet1/39

 no ip address

 shutdown

interface GigabitEthernet1/40

 no ip address

 shutdown

interface GigabitEthernet1/41

 no ip address

 shutdown

interface GigabitEthernet1/42

 no ip address

 shutdown

interface GigabitEthernet1/43

 no ip address

 shutdown

interface GigabitEthernet1/44

 no ip address

 shutdown

interface GigabitEthernet1/45

 no ip address

 shutdown

interface GigabitEthernet1/46

 no ip address

 shutdown

interface GigabitEthernet1/47

 no ip address

 shutdown

interface GigabitEthernet1/48

 no ip address

 shutdown

interface TenGigabitEthernet2/1

 description 10Gig LINK to RAGG-1 T1/3

 ip address 192.168.10.13 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip igmp query-interval 125

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

interface TenGigabitEthernet2/2

 description 10Gig LINK to RAGG-2 T1/3

 ip address 192.168.10.17 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip igmp query-interval 125

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

interface TenGigabitEthernet2/3

 description 10Gig LINK to RCORE-2

 no ip address

 channel-group 99 mode active

interface TenGigabitEthernet2/4

 description 10Gig LINK to RCORE-2

 no ip address

 channel-group 99 mode active

interface TenGigabitEthernet2/5

 no ip address

 shutdown

interface TenGigabitEthernet2/6

 no ip address

 shutdown

interface TenGigabitEthernet2/7

 no ip address

 shutdown

interface TenGigabitEthernet2/8

 no ip address

 shutdown

interface GigabitEthernet5/1

 no ip address

 shutdown

interface GigabitEthernet5/2

 no ip address

 shutdown

interface GigabitEthernet6/1

 no ip address

 shutdown

interface GigabitEthernet6/2

 no ip address

 shutdown

interface Vlan1

 no ip address

 shutdown

router ospf 5

 router-id 192.168.1.1

 log-adjacency-changes

 auto-cost reference-bandwidth 10000

nsf

 redistribute static subnets

 passive-interface default

 no passive-interface TenGigabitEthernet2/1

 no passive-interface TenGigabitEthernet2/2

 no passive-interface Port-channel99

 network 192.168.0.0 0.0.255.255 area 0

 default-information originate metric 20 metric-type 1

ip classless

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.11.60 name default-to-internet

ip route 10.10.0.0 255.255.0.0 192.168.11.1 name route-to-stores

ip route 10.10.0.0 255.255.255.0 192.168.11.60 name route-to-SP

ip route 10.10.1.0 255.255.255.0 192.168.11.2

ip route 10.10.2.0 255.255.255.0 192.168.11.3

ip route 10.10.110.1 255.255.255.255 192.168.11.2

ip route 10.10.110.2 255.255.255.255 192.168.11.3

ip route 10.10.126.1 255.255.255.255 192.168.11.2

ip route 10.10.126.2 255.255.255.255 192.168.11.3

ip route 10.10.254.0 255.255.255.0 192.168.11.3

ip route 10.10.255.0 255.255.255.0 192.168.11.2

ip route 192.168.1.111 255.255.255.255 192.168.11.2

ip route 192.168.1.112 255.255.255.255 192.168.11.3

ip route 192.168.20.0 255.255.255.0 192.168.11.60 name route-to-DMZ

ip route 192.168.21.0 255.255.255.0 192.168.11.60 name route-to-DMZ

ip route 192.168.22.0 255.255.255.0 192.168.11.60 name route-to-DMZ

ip route 192.168.23.0 255.255.255.0 192.168.11.60 name route-to-DMZ

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip pim send-rp-discovery scope 2

ip tacacs source-interface Loopback0

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps hsrp

snmp-server enable traps MAC-Notification change move threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

dial-peer cor custom

banner exec C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

mac-address-table aging-time 480

end

RCORE-2

! Last configuration change at 01:42:02 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:42:02 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

service counters max age 5

hostname RCORE-2

boot-start-marker

boot system flash disk1:s72033-adventerprisek9_wan-mz.122-33.SXJ.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 
<removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

call-home

 no alert-group configuration

 no alert-group diagnostic

 no alert-group environment

 no alert-group inventory

 no alert-group syslog

ip wccp 61

ip wccp 62

no ip bootp server

ip multicast-routing

ip ssh version 2

ip scp server enable

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

ipv6 mfib hardware-switching replication-mode ingress

vtp domain CiscoRetail

vtp mode transparent

mls ip cef load-sharing full simple

no mls acl tcam share-global

mls netflow interface

mls cef error action freeze

password encryption aes

crypto pki trustpoint TP-self-signed-1051

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1051

 revocation-check none

 rsakeypair TP-self-signed-1051

crypto pki certificate chain TP-self-signed-1051

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode rapid-pvst

spanning-tree loopguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

environment temperature-controlled

diagnostic bootup level minimal

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

redundancy

 main-cpu

  auto-sync running-config

 mode sso

vlan internal allocation policy descending

vlan dot1q tag native

vlan access-log ratelimit 2000

interface Loopback0

 ip address 192.168.1.2 255.255.255.255

interface Port-channel99

 description link between CORE's

 ip address 192.168.10.30 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

interface GigabitEthernet1/1

 description to DC WAN_SWAN-3/4

 ip address 192.168.11.12 255.255.255.0

 standby 0 ip 192.168.11.10

 standby 0 priority 99

 standby 0 preempt

interface GigabitEthernet1/2

 no ip address

 shutdown

interface GigabitEthernet1/3

 no ip address

 shutdown

interface GigabitEthernet1/4

 no ip address

 shutdown

interface GigabitEthernet1/5

 no ip address

 shutdown

interface GigabitEthernet1/6

 no ip address

 shutdown

interface GigabitEthernet1/7

 no ip address

 shutdown

interface GigabitEthernet1/8

 no ip address

 shutdown

interface GigabitEthernet1/9

 no ip address

 shutdown

interface GigabitEthernet1/10

 no ip address

 shutdown

interface GigabitEthernet1/11

 no ip address

 shutdown

interface GigabitEthernet1/12

 no ip address

 shutdown

interface GigabitEthernet1/13

 no ip address

 shutdown

interface GigabitEthernet1/14

 no ip address

 shutdown

interface GigabitEthernet1/15

 no ip address

 shutdown

interface GigabitEthernet1/16

 no ip address

 shutdown

interface GigabitEthernet1/17

 no ip address

 shutdown

interface GigabitEthernet1/18

 no ip address

 shutdown

interface GigabitEthernet1/19

 no ip address

 shutdown

interface GigabitEthernet1/20

 no ip address

 shutdown

interface GigabitEthernet1/21

 no ip address

 shutdown

interface GigabitEthernet1/22

 no ip address

 shutdown

interface GigabitEthernet1/23

 no ip address

 shutdown

interface GigabitEthernet1/24

 no ip address

 shutdown

interface GigabitEthernet1/25

 no ip address

 shutdown

interface GigabitEthernet1/26

 no ip address

 shutdown

interface GigabitEthernet1/27

 no ip address

 shutdown

interface GigabitEthernet1/28

 no ip address

 shutdown

interface GigabitEthernet1/29

 no ip address

 shutdown

interface GigabitEthernet1/30

 no ip address

 shutdown

interface GigabitEthernet1/31

 no ip address

 shutdown

interface GigabitEthernet1/32

 no ip address

 shutdown

interface GigabitEthernet1/33

 no ip address

 shutdown

interface GigabitEthernet1/34

 no ip address

 shutdown

interface GigabitEthernet1/35

 no ip address

 shutdown

interface GigabitEthernet1/36

 no ip address

 shutdown

interface GigabitEthernet1/37

 no ip address

 shutdown

interface GigabitEthernet1/38

 no ip address

 shutdown

interface GigabitEthernet1/39

 no ip address

 shutdown

interface GigabitEthernet1/40

 no ip address

 shutdown

interface GigabitEthernet1/41

 no ip address

 shutdown

interface GigabitEthernet1/42

 no ip address

 shutdown

interface GigabitEthernet1/43

 no ip address

 shutdown

interface GigabitEthernet1/44

 no ip address

 shutdown

interface GigabitEthernet1/45

 no ip address

 shutdown

interface GigabitEthernet1/46

 no ip address

 shutdown

interface GigabitEthernet1/47

 no ip address

 shutdown

interface GigabitEthernet1/48

 no ip address

 shutdown

interface TenGigabitEthernet2/1

 description 10Gig LINK to RAGG-1 T1/4

 ip address 192.168.10.21 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip igmp query-interval 125

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

interface TenGigabitEthernet2/2

 description 10Gig LINK to RAGG-2 T1/4

 ip address 192.168.10.25 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip igmp query-interval 125

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

interface TenGigabitEthernet2/3

 description 10Gig LINK to RCORE-1

 no ip address

 channel-group 99 mode active

interface TenGigabitEthernet2/4

 description 10Gig LINK to RCORE-1

 no ip address

 channel-group 99 mode active

interface TenGigabitEthernet2/5

 no ip address

 shutdown

interface TenGigabitEthernet2/6

 no ip address

 shutdown

interface TenGigabitEthernet2/7

 no ip address

 shutdown

interface TenGigabitEthernet2/8

 no ip address

 shutdown

interface GigabitEthernet5/1

 no ip address

 shutdown

interface GigabitEthernet5/2

 no ip address

 shutdown

interface GigabitEthernet6/1

 no ip address

 shutdown

interface GigabitEthernet6/2

 no ip address

 shutdown

interface Vlan1

 no ip address

 shutdown

router ospf 5

 router-id 192.168.1.2

 log-adjacency-changes

 auto-cost reference-bandwidth 10000

nsf

 redistribute static subnets

 passive-interface default

 no passive-interface TenGigabitEthernet2/1

 no passive-interface TenGigabitEthernet2/2

 no passive-interface Port-channel99

 network 192.168.0.0 0.0.255.255 area 0

 default-information originate metric 22 metric-type 1

ip classless

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.11.60 name default-to-internet

ip route 10.10.0.0 255.255.0.0 192.168.11.1 name route-to-stores

ip route 10.10.0.0 255.255.255.0 192.168.11.60 name route-to-SP

ip route 10.10.1.0 255.255.255.0 192.168.11.2

ip route 10.10.2.0 255.255.255.0 192.168.11.3

ip route 10.10.110.1 255.255.255.255 192.168.11.2

ip route 10.10.110.2 255.255.255.255 192.168.11.3

ip route 10.10.126.1 255.255.255.255 192.168.11.2

ip route 10.10.126.2 255.255.255.255 192.168.11.3

ip route 10.10.254.0 255.255.255.0 192.168.11.3

ip route 10.10.255.0 255.255.255.0 192.168.11.2

ip route 192.168.20.0 255.255.255.0 192.168.11.60 name route-to-DMZ

ip route 192.168.21.0 255.255.255.0 192.168.11.60 name route-to-DMZ

ip route 192.168.22.0 255.255.255.0 192.168.11.60 name route-to-DMZ

ip route 192.168.23.0 255.255.255.0 192.168.11.60 name route-to-DMZ

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip pim send-rp-discovery scope 2

ip tacacs source-interface Loopback0

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps hsrp

snmp-server enable traps MAC-Notification change move threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131 timeout 5

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

dial-peer cor custom

banner exec C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

mac-address-table aging-time 480

end

Aggregation

ASA-DC-1

: Saved

ASA Version 8.4(1) <context>

firewall transparent

hostname dca-vc1

domain-name cisco-irn.com

enable password <removed> encrypted

passwd <removed> encrypted

names

interface outside

 nameif north

 bridge-group 1

 security-level 0

interface inside

 nameif south

 bridge-group 1

 security-level 100

interface BVI1

 ip address 192.168.162.21 255.255.255.0 standby 192.168.162.22

dns domain-lookup south

dns server-group DefaultDNS

 name-server 192.168.42.130

 domain-name cisco-irn.com

object-group network AdminStation

 network-object 192.168.41.101 255.255.255.255

object-group network AdminStation2

 network-object 192.168.41.102 255.255.255.255

object-group network AdminStation4-bart

 network-object 10.19.151.99 255.255.255.255

object-group network CSM_INLINE_src_rule_77309411633

 description Generated by CS-Manager from src of FirewallRule# 2 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object AdminStation

 group-object AdminStation2

 group-object AdminStation4-bart

object-group network DC-ALL

 description All of the Data Center

 network-object 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 network-object 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_77309411633

 description Generated by CS-Manager from dst of FirewallRule# 2 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network EMC-NCM

 description EMC Network Configuration Manager

 network-object 192.168.42.122 255.255.255.255

object-group network CSManager

 description Cisco Security Manager

 network-object 192.168.42.133 255.255.255.255

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 network-object 192.168.42.124 255.255.255.255

object-group network AdminStation3

 network-object 192.168.42.138 255.255.255.255

object-group network Admin-Systems

 group-object EMC-NCM

 group-object AdminStation

 group-object AdminStation2

 group-object CSManager

 group-object RSA-enVision

 group-object AdminStation3

 group-object AdminStation4-bart

object-group network DC-DMZ

 description (Optimized by CS-Manager)

 network-object 192.168.20.0 255.255.252.0

 network-object 192.168.24.0 255.255.255.0

object-group network CSM_INLINE_dst_rule_77309411635

 description Generated by CS-Manager from dst of FirewallRule# 3 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

 group-object DC-DMZ

object-group network CSM_INLINE_src_rule_77309414079

 description Generated by CS-Manager from src of FirewallRule# 4 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_77309414081

 description Generated by CS-Manager from src of FirewallRule# 5 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network ActiveDirectory.cisco-irn.com

 network-object 192.168.42.130 255.255.255.255

object-group network vSphere-1

 description vSphere server for Lab

 network-object 192.168.41.102 255.255.255.255

object-group network WCSManager

 description Wireless Manager

 network-object 192.168.43.135 255.255.255.255

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 network-object 192.168.43.21 255.255.255.255

 network-object 192.168.43.22 255.255.255.255

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 network-object 192.168.43.31 255.255.255.255

 network-object 192.168.43.32 255.255.255.255

object-group network CSM_INLINE_src_rule_77309411641

 description Generated by CS-Manager from src of FirewallRule# 9 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 network-object 192.168.44.111 255.255.255.255

object-group network MSP-DC-1

 description Data Center VSOM

 network-object 192.168.44.121 255.255.255.255

object-group network CSM_INLINE_src_rule_77309411643

 description Generated by CS-Manager from src of FirewallRule# 10 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 network-object 192.168.48.10 255.255.255.255

 network-object 192.168.49.10 255.255.255.255

 network-object 192.168.47.11 255.255.255.255

 network-object 192.168.47.12 255.255.255.255

object-group network CSM_INLINE_src_rule_77309414071

 description Generated by CS-Manager from src of FirewallRule# 15 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network NTP-Servers

 description NTP Servers

 network-object 192.168.62.161 255.255.255.255

 network-object 162.168.62.162 255.255.255.255

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 network-object 192.168.42.131 255.255.255.255

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 network-object 192.168.42.137 255.255.255.255

object-group network NAC-2

 network-object 192.168.42.112 255.255.255.255

object-group network NAC-1

 description ISE server for NAC

 network-object 192.168.42.111 255.255.255.255

object-group network CSM_INLINE_dst_rule_77309411663

 description Generated by CS-Manager from dst of FirewallRule# 25 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object TACACS

 group-object RSA-AM

 group-object NAC-2

 group-object NAC-1

object-group network CSM_INLINE_dst_rule_77309411665

 description Generated by CS-Manager from dst of FirewallRule# 26 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network CSM_INLINE_dst_rule_77309411669

 description Generated by CS-Manager from dst of FirewallRule# 28 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_77309411671

 description Generated by CS-Manager from dst of FirewallRule# 29 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network MS-Update

 description Windows Update Server

 network-object 192.168.42.150 255.255.255.255

object-group network MSExchange

 description Mail Server

 network-object 192.168.42.140 255.255.255.255

object-group network POS-Store-Conv

 network-object 10.10.160.81 255.255.255.255

object-group network POS-Store-MSP

 network-object 10.10.176.81 255.255.255.255

object-group network POS-Store-SMALL-1

 description Small Store POS devices

 network-object 10.10.128.81 255.255.255.255

 network-object 10.10.128.82 255.255.255.255

object-group network POS-Store-Medium

 network-object 10.10.112.81 255.255.255.255

 network-object 10.10.125.40 255.255.255.255

object-group network POS-Store-Mini

 network-object 10.10.144.81 255.255.255.255

object-group network POS-Store-3g

 network-object 10.10.192.82 255.255.255.255

object-group network POS-Store-Large

 network-object 10.10.96.81 255.255.255.255

 network-object 10.10.96.82 255.255.255.255

object-group network CSM_INLINE_src_rule_77309411683

 description Generated by CS-Manager from src of FirewallRule# 35 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object POS-Store-Conv

 group-object POS-Store-MSP

 group-object POS-Store-SMALL-1

 group-object POS-Store-Medium

 group-object POS-Store-Mini

 group-object POS-Store-3g

 group-object POS-Store-Large

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 network-object 192.168.52.96 255.255.255.224

object-group network DC-POS

 description POS in the Data Center

 network-object 192.168.52.0 255.255.255.0

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 network-object 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 network-object 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_dst_rule_77309411683

 description Generated by CS-Manager from dst of FirewallRule# 35 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DC-POS-Tomax

 group-object DC-POS

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_77309414158

 description Generated by CS-Manager from src of FirewallRule# 36 
(ASA-DC-1-vdc1_v1/mandatory)

 network-object 192.168.22.11 255.255.255.255

 network-object 192.168.22.12 255.255.255.255

 network-object 192.168.21.0 255.255.255.0

object-group network CSM_INLINE_src_rule_77309414160

 description Generated by CS-Manager from src of FirewallRule# 37 
(ASA-DC-1-vdc1_v1/mandatory)

 network-object 192.168.22.11 255.255.255.255

 network-object 192.168.22.12 255.255.255.255

 network-object 192.168.21.0 255.255.255.0

object-group network CSM_INLINE_src_rule_77309414162

 description Generated by CS-Manager from src of FirewallRule# 38 
(ASA-DC-1-vdc1_v1/mandatory)

 network-object 192.168.22.11 255.255.255.255

 network-object 192.168.22.12 255.255.255.255

 network-object 192.168.21.0 255.255.255.0

object-group service HTTPS-8443

 service-object tcp destination eq 8443

object-group service CSM_INLINE_svc_rule_77309411635

 description Generated by CS-Manager from service of FirewallRule# 3 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq ssh

 service-object tcp destination eq https

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_77309414079

 description Generated by CS-Manager from service of FirewallRule# 4 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq smtp

 service-object tcp destination eq https

 service-object tcp destination eq ssh

object-group service CSM_INLINE_svc_rule_77309414081

 description Generated by CS-Manager from service of FirewallRule# 5 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq ssh

object-group service RPC

 service-object tcp destination eq 135

object-group service LDAP-GC

 service-object tcp destination eq 3268

object-group service LDAP-GC-SSL

 service-object tcp destination eq 3269

object-group service DNS-Resolving

 description Domain Name Server

 service-object tcp destination eq domain

 service-object udp destination eq domain

object-group service Kerberos-TCP

 service-object tcp destination eq 88

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 service-object tcp destination eq 445

object-group service LDAP-UDP

 service-object udp destination eq 389

object-group service RPC-HighPorts

 service-object tcp destination range 1024 65535

object-group service CSM_INLINE_svc_rule_77309411637

 description Generated by CS-Manager from service of FirewallRule# 7 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq ntp

 service-object udp destination eq netbios-dgm

 group-object RPC

 group-object LDAP-GC

 group-object LDAP-GC-SSL

 group-object DNS-Resolving

 group-object Kerberos-TCP

 group-object Microsoft-DS-SMB

 group-object LDAP-UDP

 group-object RPC-HighPorts

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 service-object tcp destination eq 5989

 service-object tcp destination eq 8000

 service-object tcp destination eq 902

 service-object tcp destination eq 903

object-group service CSM_INLINE_svc_rule_77309411639

 description Generated by CS-Manager from service of FirewallRule# 8 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 group-object vCenter-to-ESX4

object-group service IP-Protocol-97

 description IP protocol 97

 service-object 97

object-group service TFTP

 description Trivial File Transfer

 service-object tcp destination eq 69

 service-object udp destination eq tftp

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 service-object udp destination eq 12222

 service-object udp destination eq 12223

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 service-object udp destination eq 5246

 service-object udp destination eq 5247

object-group service CSM_INLINE_svc_rule_77309411641

 description Generated by CS-Manager from service of FirewallRule# 9 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq www

 service-object udp destination eq isakmp

 service-object tcp destination eq telnet

 service-object tcp destination eq ssh

 group-object IP-Protocol-97

 group-object TFTP

 group-object LWAPP

 group-object CAPWAP

object-group service TCP1080

 service-object tcp destination eq 1080

object-group service TCP8080

 service-object tcp destination eq 8080

object-group service RDP

 description Windows Remote Desktop

 service-object tcp destination eq 3389

object-group service CSM_INLINE_svc_rule_77309411645

 description Generated by CS-Manager from service of FirewallRule# 11 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object icmp echo

 service-object icmp echo-reply

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 service-object tcp destination eq ftp

 group-object HTTPS-8443

 group-object TCP1080

 group-object TCP8080

 group-object RDP

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 service-object tcp destination eq 4050

object-group service Netbios

 description Netbios Servers

 service-object udp destination eq netbios-dgm

 service-object udp destination eq netbios-ns

 service-object tcp destination eq netbios-ssn

object-group service CSM_INLINE_svc_rule_77309411647

 description Generated by CS-Manager from service of FirewallRule# 12 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

 group-object Netbios

object-group service CSM_INLINE_svc_rule_77309411649

 description Generated by CS-Manager from service of FirewallRule# 13 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group service CSM_INLINE_svc_rule_77309414071

 description Generated by CS-Manager from service of FirewallRule# 15 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object icmp echo

 service-object icmp echo-reply

 service-object icmp unreachable

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq ftp

 service-object tcp destination eq ssh

 group-object TCP1080

 group-object TCP8080

 group-object RDP

object-group service NTP

 description NTP Protocols

 service-object tcp destination eq 123

 service-object udp destination eq ntp

object-group service CSM_INLINE_svc_rule_77309414073

 description Generated by CS-Manager from service of FirewallRule# 16 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object DNS-Resolving

 group-object NTP

object-group service CSM_INLINE_svc_rule_77309414077

 description Generated by CS-Manager from service of FirewallRule# 18 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 group-object LDAP-GC

 group-object LDAP-GC-SSL

 group-object LDAP-UDP

object-group service CSM_INLINE_svc_rule_77309411655

 description Generated by CS-Manager from service of FirewallRule# 21 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object udp destination eq snmptrap

 service-object udp destination eq snmp

 service-object udp destination eq syslog

object-group service CSM_INLINE_svc_rule_77309411657

 description Generated by CS-Manager from service of FirewallRule# 22 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object udp destination eq domain

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

object-group service CSM_INLINE_svc_rule_77309411663

 description Generated by CS-Manager from service of FirewallRule# 25 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object udp destination eq 1812

 service-object udp destination eq 1813

object-group service CSM_INLINE_svc_rule_77309411665

 description Generated by CS-Manager from service of FirewallRule# 26 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq www

 group-object HTTPS-8443

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 service-object udp destination eq 427

 service-object tcp destination eq 427

object-group service CSM_INLINE_svc_rule_77309411667

 description Generated by CS-Manager from service of FirewallRule# 27 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq www

 service-object tcp destination eq ssh

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 service-object udp destination eq 16666

 service-object udp destination eq 16667

object-group service CSM_INLINE_svc_rule_77309411671

 description Generated by CS-Manager from service of FirewallRule# 29 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq https

 service-object udp destination eq isakmp

 group-object Cisco-Mobility

 group-object IP-Protocol-97

 group-object LWAPP

 group-object CAPWAP

object-group service CSM_INLINE_svc_rule_77309411673

 description Generated by CS-Manager from service of FirewallRule# 30 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group service CSM_INLINE_svc_rule_77309411675

 description Generated by CS-Manager from service of FirewallRule# 31 
(ASA-DC-1-vdc1_v1/mandatory)

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

 group-object Netbios

object-group service CSM_INLINE_svc_rule_77309411677

 description Generated by CS-Manager from service of FirewallRule# 32 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq ntp

 service-object udp destination eq netbios-dgm

 group-object RPC

 group-object LDAP-GC

 group-object LDAP-GC-SSL

 group-object DNS-Resolving

 group-object Kerberos-TCP

 group-object Microsoft-DS-SMB

 group-object LDAP-UDP

 group-object RPC-HighPorts

object-group service CSM_INLINE_svc_rule_77309411679

 description Generated by CS-Manager from service of FirewallRule# 33 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq www

 service-object tcp destination eq https

object-group service CSM_INLINE_svc_rule_77309411681

 description Generated by CS-Manager from service of FirewallRule# 34 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq smtp

 service-object tcp destination eq pop3

 service-object tcp destination eq imap4

object-group service CSM_INLINE_svc_rule_77309414166

 description Generated by CS-Manager from service of FirewallRule# 40 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object tcp destination eq smtp

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_77309414172

 description Generated by CS-Manager from service of FirewallRule# 43 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object udp destination eq 1812

 service-object udp destination eq 1813

object-group service CSM_INLINE_svc_rule_77309414176

 description Generated by CS-Manager from service of FirewallRule# 45 
(ASA-DC-1-vdc1_v1/mandatory)

 service-object icmp

 service-object tcp destination eq ssh

 service-object tcp destination eq telnet

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq 8880

 service-object tcp destination eq 8444

 service-object tcp destination eq 5900

 service-object tcp destination eq 5800

 group-object RDP

 group-object TCP1080

 group-object TCP8080

 group-object TFTP

 group-object HTTPS-8443

 group-object vCenter-to-ESX4

access-list CSM_FW_ACL_north extended permit ospf 192.168.162.0 255.255.255.0 
192.168.162.0 255.255.255.0

access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group 
EMC-NCM eq ssh

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411655 
object-group Stores-ALL object-group RSA-enVision

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411657 
object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com

access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group 
TACACS eq tacacs

access-list CSM_FW_ACL_north extended permit udp object-group Stores-ALL object-group 
NTP-Servers eq ntp

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411663 
object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411663

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411665 
object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411665

access-list CSM_FW_ACL_north remark VMWare ESX to Data Center

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411667 
object-group Stores-ALL object-group vSphere-1

access-list CSM_FW_ACL_north remark Physical security systems

access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_77309411669 eq https

access-list CSM_FW_ACL_north remark Wireless control systems

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411671 
object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411671

access-list CSM_FW_ACL_north remark Voice calls

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411673 
object-group Stores-ALL object-group DC-ALL

access-list CSM_FW_ACL_north remark WAAS systems

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411675 
object-group Stores-ALL object-group DC-WAAS

access-list CSM_FW_ACL_north remark Allow Active Directory Domain

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411677 
object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com

access-list CSM_FW_ACL_north remark Allow Windows Updates

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411679 
object-group Stores-ALL object-group MS-Update

access-list CSM_FW_ACL_north remark Allow Mail

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411681 
object-group Stores-ALL object-group MSExchange

access-list CSM_FW_ACL_north remark Allow Applications

access-list CSM_FW_ACL_north extended permit tcp object-group 
CSM_INLINE_src_rule_77309411683 object-group CSM_INLINE_dst_rule_77309411683 eq https

access-list CSM_FW_ACL_north extended permit udp object-group 
CSM_INLINE_src_rule_77309414158 object-group NTP-Servers eq ntp

access-list CSM_FW_ACL_north remark - RIE-2

access-list CSM_FW_ACL_north extended permit udp object-group 
CSM_INLINE_src_rule_77309414160 object-group RSA-enVision eq syslog

access-list CSM_FW_ACL_north extended permit tcp object-group 
CSM_INLINE_src_rule_77309414162 object-group TACACS eq tacacs

access-list CSM_FW_ACL_north extended permit udp 192.168.21.0 255.255.255.0 object-group 
ActiveDirectory.cisco-irn.com eq domain

access-list CSM_FW_ACL_north remark Ironport traffic in from DNZ

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414166 
host 192.168.23.68 any

access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group 
RSA-enVision eq syslog

access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group 
NTP-Servers eq ntp

access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414172 
host 192.168.23.68 object-group TACACS

access-list CSM_FW_ACL_north remark Drop all other traffic

access-list CSM_FW_ACL_north extended deny ip any any log

access-list CSM_FW_ACL_south extended permit ospf 192.168.162.0 255.255.255.0 
192.168.162.0 255.255.255.0

access-list CSM_FW_ACL_south extended permit ip object-group 
CSM_INLINE_src_rule_77309411633 object-group CSM_INLINE_dst_rule_77309411633

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411635 
object-group Admin-Systems object-group CSM_INLINE_dst_rule_77309411635

access-list CSM_FW_ACL_south remark Allow services for Ironport apps

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414079 
object-group CSM_INLINE_src_rule_77309414079 192.168.23.64 255.255.255.224

access-list CSM_FW_ACL_south remark Allow traffic to DMZ

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414081 
object-group CSM_INLINE_src_rule_77309414081 host 192.168.20.30

access-list CSM_FW_ACL_south remark Drop unauthorized traffic to DMZ

access-list CSM_FW_ACL_south extended deny ip any 192.168.20.0 255.255.252.0 log

access-list CSM_FW_ACL_south remark Allow Active Directory Domain

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411637 
object-group ActiveDirectory.cisco-irn.com object-group Stores-ALL

access-list CSM_FW_ACL_south remark VMWare - ESX systems

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411639 
object-group vSphere-1 object-group Stores-ALL

access-list CSM_FW_ACL_south remark Wireless Management to Stores

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411641 
object-group CSM_INLINE_src_rule_77309411641 object-group Stores-ALL

access-list CSM_FW_ACL_south remark Physical security systems

access-list CSM_FW_ACL_south extended permit tcp object-group 
CSM_INLINE_src_rule_77309411643 object-group Stores-ALL eq https

access-list CSM_FW_ACL_south remark Allow Management of store systems

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411645 
object-group DC-ALL object-group Stores-ALL

access-list CSM_FW_ACL_south remark WAAS systems

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411647 
object-group DC-WAAS object-group Stores-ALL

access-list CSM_FW_ACL_south remark Voice calls

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411649 
object-group DC-ALL object-group Stores-ALL

access-list CSM_FW_ACL_south extended deny ip any object-group Stores-ALL

access-list CSM_FW_ACL_south remark Allow outbound services for Internet

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414071 
object-group CSM_INLINE_src_rule_77309414071 any

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414073 
object-group ActiveDirectory.cisco-irn.com any

access-list CSM_FW_ACL_south extended permit udp object-group NTP-Servers any eq ntp

access-list CSM_FW_ACL_south remark Allow LDAP out LAB test

access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414077 
object-group PAME-DC-1 any log

access-list CSM_FW_ACL_south remark Drop and Log all other traffic

access-list CSM_FW_ACL_south extended deny ip any any log

pager lines 24

logging host south 192.168.42.124

mtu north 1500

mtu south 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any north

icmp permit any south

asdm history enable

arp timeout 14400

access-group CSM_FW_ACL_north in interface north

access-group CSM_FW_ACL_south in interface south

route north 0.0.0.0 0.0.0.0 192.168.162.1 1

route south 192.168.38.0 255.255.255.0 192.168.162.7 1

route south 192.168.39.0 255.255.255.0 192.168.162.7 1

route south 192.168.40.0 255.255.255.0 192.168.162.7 1

route south 192.168.41.0 255.255.255.0 192.168.162.7 1

route south 192.168.42.0 255.255.255.0 192.168.162.7 1

route south 192.168.43.0 255.255.255.0 192.168.162.7 1

route south 192.168.44.0 255.255.255.0 192.168.162.7 1

route south 192.168.45.0 255.255.255.0 192.168.162.7 1

route south 192.168.46.0 255.255.255.0 192.168.162.7 1

route south 192.168.52.0 255.255.255.0 192.168.162.7 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

aaa-server RETAIL protocol tacacs+

aaa-server RETAIL (south) host 192.168.42.131

 key *****

aaa authentication ssh console RETAIL LOCAL

aaa authentication enable console RETAIL LOCAL

aaa authentication http console RETAIL LOCAL

aaa accounting ssh console RETAIL

aaa accounting enable console RETAIL

aaa accounting command privilege 15 RETAIL

aaa authentication secure-http-client

aaa local authentication attempts max-fail 6

aaa authorization exec authentication-server

http server enable

http server idle-timeout 15

http server session-timeout 60

http 10.19.151.99 255.255.255.255 north

http 192.168.41.101 255.255.255.255 south

http 192.168.41.102 255.255.255.255 south

http 192.168.42.122 255.255.255.255 south

http 192.168.42.124 255.255.255.255 south

http 192.168.42.133 255.255.255.255 south

http 192.168.42.138 255.255.255.255 south

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 10.19.151.99 255.255.255.255 north

ssh 192.168.41.101 255.255.255.255 south

ssh 192.168.41.102 255.255.255.255 south

ssh 192.168.42.122 255.255.255.255 south

ssh 192.168.42.124 255.255.255.255 south

ssh 192.168.42.133 255.255.255.255 south

ssh 192.168.42.138 255.255.255.255 south

ssh timeout 15

ssh version 2

no threat-detection statistics tcp-intercept

username csmadmin password  <removed> encrypted privilege 15

username retail password <removed> encrypted privilege 15

username bmcgloth password <removed> encrypted privilege 15

class-map inspection_default

 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

service-policy global_policy global

Cryptochecksum:70afa3a2a3007db41f3f336aca5cf51d

: end

asdm history enable

RAGG-1-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:49:11 2011

version 5.1(2)

hostname RAGG-1

vdc RAGG-1 id 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource monitor-session-erspan-dst minimum 0 maximum 23

  limit-resource vrf minimum 2 maximum 1000

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 32 maximum 32

  limit-resource u6route-mem minimum 16 maximum 16

  limit-resource m4route-mem minimum 48 maximum 48

  limit-resource m6route-mem minimum 8 maximum 8

vdc vdc1 id 2

  allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/25-32

  allocate interface Ethernet2/1-12

  boot-order 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource monitor-session-erspan-dst minimum 0 maximum 23

  limit-resource vrf minimum 2 maximum 1000

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 5 maximum 5

vdc vdc2 id 3

  allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8-24

  allocate interface Ethernet2/13-48

  boot-order 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource monitor-session-erspan-dst minimum 0 maximum 23

  limit-resource vrf minimum 2 maximum 1000

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 5 maximum 5

feature privilege

feature tacacs+

username admin password 5 <removed>   role network-admin

username retail password 5 <removed> role network-admin

username bart password 5 <removed> role network-admin

username emc-ncm password 5 <removed>  role network-admin

enable secret 5 <removed>

banner motd @

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip host RAGG-1 192.168.42.36

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf management

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.42.36/32

  20 permit ip 192.168.41.101/32 192.168.42.36/32

  30 permit ip 192.168.41.102/32 192.168.42.36/32

  40 permit ip 192.168.42.111/32 192.168.42.36/32

  50 permit ip 192.168.42.122/32 192.168.42.36/32

  60 permit ip 192.168.42.131/32 192.168.42.36/32

  70 permit ip 192.168.42.133/32 192.168.42.36/32

  80 permit ip 192.168.42.138/32 192.168.42.36/32

  90 permit ip 10.19.151.99/32 192.168.42.36/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.42.36/32

  20 deny ip any any

ip access-list copp-system-acl-bgp

  10 permit tcp any gt 1024 any eq bgp

  20 permit tcp any eq bgp any gt 1024

ipv6 access-list copp-system-acl-bgp6

  10 permit tcp any gt 1024 any eq bgp

  20 permit tcp any eq bgp any gt 1024

ip access-list copp-system-acl-eigrp

  10 permit eigrp any any

ip access-list copp-system-acl-ftp

  10 permit tcp any any eq ftp-data

  20 permit tcp any any eq ftp

  30 permit tcp any eq ftp-data any

  40 permit tcp any eq ftp any

ip access-list copp-system-acl-glbp

  10 permit udp any eq 3222 224.0.0.0/24 eq 3222

ip access-list copp-system-acl-hsrp

  10 permit udp any 224.0.0.0/24 eq 1985

ip access-list copp-system-acl-icmp

  10 permit icmp any any echo

  20 permit icmp any any echo-reply

ipv6 access-list copp-system-acl-icmp6

  10 permit icmp any any echo-request

  20 permit icmp any any echo-reply

ipv6 access-list copp-system-acl-icmp6-msgs

  10 permit icmp any any router-advertisement

  20 permit icmp any any router-solicitation

  30 permit icmp any any nd-na

  40 permit icmp any any nd-ns

  50 permit icmp any any mld-query

  60 permit icmp any any mld-report

  70 permit icmp any any mld-reduction

ip access-list copp-system-acl-igmp

  10 permit igmp any 224.0.0.0/3

ip access-list copp-system-acl-msdp

  10 permit tcp any gt 1024 any eq 639

  20 permit tcp any eq 639 any gt 1024

ip access-list copp-system-acl-ntp

  10 permit udp any any eq ntp

  20 permit udp any eq ntp any

ipv6 access-list copp-system-acl-ntp6

  10 permit udp any any eq ntp

  20 permit udp any eq ntp any

ip access-list copp-system-acl-ospf

  10 permit ospf any any

ipv6 access-list copp-system-acl-ospf6

  10 permit 89 any any

ip access-list copp-system-acl-pim

  10 permit pim any 224.0.0.0/24

  20 permit udp any any eq pim-auto-rp

ip access-list copp-system-acl-pim-reg

  10 permit pim any any

ipv6 access-list copp-system-acl-pim6

  10 permit 103 any ff02::d/128

  20 permit udp any any eq pim-auto-rp

ip access-list copp-system-acl-radius

  10 permit udp any any eq 1812

  20 permit udp any any eq 1813

  30 permit udp any any eq 1645

  40 permit udp any any eq 1646

  50 permit udp any eq 1812 any

  60 permit udp any eq 1813 any

  70 permit udp any eq 1645 any

  80 permit udp any eq 1646 any

ipv6 access-list copp-system-acl-radius6

  10 permit udp any any eq 1812

  20 permit udp any any eq 1813

  30 permit udp any any eq 1645

  40 permit udp any any eq 1646

  50 permit udp any eq 1812 any

  60 permit udp any eq 1813 any

  70 permit udp any eq 1645 any

  80 permit udp any eq 1646 any

ip access-list copp-system-acl-rip

  10 permit udp any 224.0.0.0/24 eq rip

ip access-list copp-system-acl-sftp

  10 permit tcp any any eq 115

  20 permit tcp any eq 115 any

ip access-list copp-system-acl-snmp

  10 permit udp any any eq snmp

  20 permit udp any any eq snmptrap

ip access-list copp-system-acl-ssh

  10 permit tcp any any eq 22

  20 permit tcp any eq 22 any

ipv6 access-list copp-system-acl-ssh6

  10 permit tcp any any eq 22

  20 permit tcp any eq 22 any

ip access-list copp-system-acl-tacacs

  10 permit tcp any any eq tacacs

  20 permit tcp any eq tacacs any

ipv6 access-list copp-system-acl-tacacs6

  10 permit tcp any any eq tacacs

  20 permit tcp any eq tacacs any

ip access-list copp-system-acl-telnet

  10 permit tcp any any eq telnet

  20 permit tcp any any eq 107

  30 permit tcp any eq telnet any

  40 permit tcp any eq 107 any

ipv6 access-list copp-system-acl-telnet6

  10 permit tcp any any eq telnet

  20 permit tcp any any eq 107

  30 permit tcp any eq telnet any

  40 permit tcp any eq 107 any

ip access-list copp-system-acl-tftp

  10 permit udp any any eq tftp

  20 permit udp any any eq 1758

  30 permit udp any eq tftp any

  40 permit udp any eq 1758 any

ipv6 access-list copp-system-acl-tftp6

  10 permit udp any any eq tftp

  20 permit udp any any eq 1758

  30 permit udp any eq tftp any

  40 permit udp any eq 1758 any

ip access-list copp-system-acl-traceroute

  10 permit icmp any any ttl-exceeded

  20 permit icmp any any port-unreachable

ip access-list copp-system-acl-undesirable

  10 permit udp any any eq 1434

ip access-list copp-system-acl-vpc

  10 permit udp any any eq 3200

ip access-list copp-system-acl-vrrp

  10 permit 112 any 224.0.0.0/24

class-map type control-plane match-any copp-system-class-critical

  match access-group name copp-system-acl-bgp

  match access-group name copp-system-acl-bgp6

  match access-group name copp-system-acl-eigrp

  match access-group name copp-system-acl-igmp

  match access-group name copp-system-acl-msdp

  match access-group name copp-system-acl-ospf

  match access-group name copp-system-acl-ospf6

  match access-group name copp-system-acl-pim

  match access-group name copp-system-acl-pim6

  match access-group name copp-system-acl-rip

  match access-group name copp-system-acl-vpc

class-map type control-plane match-any copp-system-class-exception

  match exception ip option

  match exception ip icmp unreachable

  match exception ipv6 option

  match exception ipv6 icmp unreachable

class-map type control-plane match-any copp-system-class-important

  match access-group name copp-system-acl-glbp

  match access-group name copp-system-acl-hsrp

  match access-group name copp-system-acl-vrrp

  match access-group name copp-system-acl-icmp6-msgs

  match access-group name copp-system-acl-pim-reg

class-map type control-plane match-any copp-system-class-management

  match access-group name copp-system-acl-ftp

  match access-group name copp-system-acl-ntp

  match access-group name copp-system-acl-ntp6

  match access-group name copp-system-acl-radius

  match access-group name copp-system-acl-sftp

  match access-group name copp-system-acl-snmp

  match access-group name copp-system-acl-ssh

  match access-group name copp-system-acl-ssh6

  match access-group name copp-system-acl-tacacs

  match access-group name copp-system-acl-telnet

  match access-group name copp-system-acl-tftp

  match access-group name copp-system-acl-tftp6

  match access-group name copp-system-acl-radius6

  match access-group name copp-system-acl-tacacs6

  match access-group name copp-system-acl-telnet6

class-map type control-plane match-any copp-system-class-monitoring

  match access-group name copp-system-acl-icmp

  match access-group name copp-system-acl-icmp6

  match access-group name copp-system-acl-traceroute

class-map type control-plane match-any copp-system-class-normal

  match protocol arp

class-map type control-plane match-any copp-system-class-redirect

  match redirect dhcp-snoop

  match redirect arp-inspect

class-map type control-plane match-any copp-system-class-undesirable

  match access-group name copp-system-acl-undesirable

policy-map type control-plane copp-system-policy

  class copp-system-class-critical

    police cir 39600 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-important

    police cir 1060 kbps bc 1000 ms conform transmit violate drop

  class copp-system-class-management

    police cir 10000 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-normal

    police cir 680 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-redirect

    police cir 280 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-monitoring

    police cir 130 kbps bc 1000 ms conform transmit violate drop

  class copp-system-class-exception

    police cir 360 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-undesirable

    police cir 32 kbps bc 250 ms conform drop violate drop

  class class-default

    police cir 100 kbps bc 250 ms conform transmit violate drop

control-plane

  service-policy input copp-system-policy

snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey

ntp server 192.168.62.161 use-vrf management

ntp server 192.168.62.162 use-vrf management

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context management

  ip route 0.0.0.0/0 192.168.42.1

vlan 1

interface mgmt0

  ip address 192.168.42.36/24

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

  logout-warning 20

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-1

boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-1

boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-2

boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-2

logging server 192.168.42.124 6 use-vrf management

RAGG-1-VDC1-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:50:08 2011

version 5.1(2)

hostname vdc1

feature privilege

feature tacacs+

cfs eth distribute

feature ospf

feature pim

feature udld

feature interface-vlan

feature hsrp

feature lacp

feature glbp

feature vpc

username admin password 5 <removed> role vdc-admin

username retail password 5 <removed> role vdc-admin

username emc-ncm password 5 <removed> role vdc-admin

username bart password 5 <removed>  role vdc-admin

enable secret 5 <removed>

banner motd @

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    source-interface loopback0

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.1.11/32

  20 permit ip 192.168.41.101/32 192.168.1.11/32

  30 permit ip 192.168.41.102/32 192.168.1.11/32

  40 permit ip 192.168.42.111/32 192.168.1.11/32

  50 permit ip 192.168.42.122/32 192.168.1.11/32

  60 permit ip 192.168.42.131/32 192.168.1.11/32

  70 permit ip 192.168.42.133/32 192.168.1.11/32

  80 permit ip 192.168.42.138/32 192.168.1.11/32

  90 permit ip 10.19.151.99/32 192.168.1.11/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.1.11/32

  20 deny ip any any

snmp-server source-interface trap loopback0

snmp-server source-interface inform loopback0

snmp-server user bart vdc-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user emc-ncm vdc-admin auth md5 <removed> priv <removed> localizedkey

no snmp-server enable traps entity entity_mib_change

no snmp-server enable traps entity entity_module_status_change

no snmp-server enable traps entity entity_power_status_change

no snmp-server enable traps entity entity_module_inserted

no snmp-server enable traps entity entity_module_removed

no snmp-server enable traps entity entity_unrecognised_module

no snmp-server enable traps entity entity_fan_status_change

no snmp-server enable traps entity entity_power_out_change

no snmp-server enable traps link linkDown

no snmp-server enable traps link linkUp

no snmp-server enable traps link IETF-extended-linkDown

no snmp-server enable traps link IETF-extended-linkUp

no snmp-server enable traps link cisco-extended-linkDown

no snmp-server enable traps link cisco-extended-linkUp

snmp-server enable traps callhome event-notify

snmp-server enable traps callhome smtp-send-fail

snmp-server enable traps cfs state-change-notif

snmp-server enable traps cfs merge-failure

no snmp-server enable traps rf redundancy_framework

snmp-server enable traps aaa server-state-change

no snmp-server enable traps license notify-license-expiry

no snmp-server enable traps license notify-no-license-for-feature

no snmp-server enable traps license notify-licensefile-missing

no snmp-server enable traps license notify-license-expiry-warning

snmp-server enable traps hsrp state-change

no snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion

no snmp-server enable traps upgrade UpgradeJobStatusNotify

snmp-server enable traps feature-control FeatureOpStatusChange

snmp-server enable traps link cisco-xcvr-mon-status-chg

snmp-server enable traps vtp notifs

snmp-server enable traps vtp vlancreate

snmp-server enable traps vtp vlandelete

snmp-server enable traps bridge newroot

snmp-server enable traps bridge topologychange

snmp-server enable traps stpx inconsistency

snmp-server enable traps stpx root-inconsistency

snmp-server enable traps stpx loop-inconsistency

aaa authentication login default group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context management

vlan 1,3,151,161

interface Vlan1

interface Vlan3

  no shutdown

  ip address 192.168.10.61/30

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf dead-interval 3

  ip ospf hello-interval 1

  ip router ospf 5 area 0.0.0.0

interface Vlan151

  no shutdown

  ip address 192.168.152.3/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf priority 3

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.152.1

interface Vlan161

  no shutdown

  ip address 192.168.162.3/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf priority 5

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.162.1

interface port-channel99

  switchport

  switchport mode trunk

  spanning-tree port type network

interface Ethernet1/1

  description 10Gig LINK to RCORE-1 T2/1

  no switchport

  logging event port link-status

  no ip redirects

  ip address 192.168.10.14/30

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf dead-interval 6

  ip ospf hello-interval 2

  ip ospf network point-to-point

  ip router ospf 5 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

  no shutdown

interface Ethernet1/3

  description 10Gig LINK to RCORE-2 T2/1

  no switchport

  logging event port link-status

  no ip redirects

  ip address 192.168.10.22/30

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf dead-interval 6

  ip ospf hello-interval 2

  ip ospf network point-to-point

  ip router ospf 5 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

  no shutdown

interface Ethernet1/5

  description to DC-ASA-1 vc1 T0/6

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 161

  spanning-tree port type normal

  no shutdown

interface Ethernet1/7

  description to DC-ASA-1 vc2 T0/8

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 151

  spanning-tree port type normal

  no shutdown

interface Ethernet1/25

  no switchport

interface Ethernet1/26

  no switchport

interface Ethernet1/27

  no switchport

interface Ethernet1/28

  no switchport

interface Ethernet1/29

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet1/30

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet1/31

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet1/32

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet2/1

  no switchport

interface Ethernet2/2

  no switchport

interface Ethernet2/3

  no switchport

interface Ethernet2/4

  no switchport

interface Ethernet2/5

  no switchport

interface Ethernet2/6

  no switchport

interface Ethernet2/7

  no switchport

interface Ethernet2/8

  no switchport

interface Ethernet2/9

  no switchport

interface Ethernet2/10

  no switchport

interface Ethernet2/11

  no switchport

interface Ethernet2/12

  no switchport

interface loopback0

  ip address 192.168.1.11/32

  ip router ospf 5 area 0.0.0.0

logging server 192.168.42.124 6

logging source-interface loopback 0

  logout-warning 20

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

router ospf 5

  router-id 192.168.1.11

  area 0.0.0.81 nssa

  area 0.0.0.0 range 192.168.1.11/32

  area 0.0.0.0 range 192.168.10.12/30

  area 0.0.0.0 range 192.168.10.20/30

  area 0.0.0.0 range 192.168.10.60/30

  area 0.0.0.81 range 192.168.152.0/24

  area 0.0.0.81 range 192.168.162.0/24

  area 0.0.0.0 authentication message-digest

  area 0.0.0.81 authentication message-digest

  timers throttle spf 10 100 5000

  auto-cost reference-bandwidth 10000

ip pim ssm range 232.0.0.0/8

RAGG-1-VDC2-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:50:48 2011

version 5.1(2)

hostname vdc2

feature privilege

feature tacacs+

cfs eth distribute

feature ospf

feature pim

feature udld

feature interface-vlan

feature hsrp

feature lacp

feature vpc

username admin password 5 <removed>   role vdc-admin

username retail password 5 <removed>   role vdc-admin

username bart password 5 <removed>   role vdc-admin

username emc-ncm password 5 <removed> role vdc-admin

enable secret 5 <removed>

banner motd @

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf servers1

    source-interface loopback0

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.1.31/32

  20 permit ip 192.168.41.101/32 192.168.1.31/32

  30 permit ip 192.168.41.102/32 192.168.1.31/32

  40 permit ip 192.168.42.111/32 192.168.1.31/32

  50 permit ip 192.168.42.122/32 192.168.1.31/32

  60 permit ip 192.168.42.131/32 192.168.1.31/32

  70 permit ip 192.168.42.133/32 192.168.1.31/32

  80 permit ip 192.168.42.138/32 192.168.1.31/32

  90 permit ip 10.19.151.99/32 192.168.1.31/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.1.31/32

  20 deny ip any any

snmp-server source-interface trap loopback0

snmp-server source-interface inform loopback0

snmp-server user bart vdc-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user emc-ncm vdc-admin auth md5 <removed> priv <removed> localizedkey

no snmp-server enable traps entity entity_mib_change

no snmp-server enable traps entity entity_module_status_change

no snmp-server enable traps entity entity_power_status_change

no snmp-server enable traps entity entity_module_inserted

no snmp-server enable traps entity entity_module_removed

no snmp-server enable traps entity entity_unrecognised_module

no snmp-server enable traps entity entity_fan_status_change

no snmp-server enable traps entity entity_power_out_change

no snmp-server enable traps link linkDown

no snmp-server enable traps link linkUp

no snmp-server enable traps link IETF-extended-linkDown

no snmp-server enable traps link IETF-extended-linkUp

no snmp-server enable traps link cisco-extended-linkDown

no snmp-server enable traps link cisco-extended-linkUp

snmp-server enable traps callhome event-notify

snmp-server enable traps callhome smtp-send-fail

snmp-server enable traps cfs state-change-notif

snmp-server enable traps cfs merge-failure

no snmp-server enable traps rf redundancy_framework

snmp-server enable traps aaa server-state-change

no snmp-server enable traps license notify-license-expiry

no snmp-server enable traps license notify-no-license-for-feature

no snmp-server enable traps license notify-licensefile-missing

no snmp-server enable traps license notify-license-expiry-warning

snmp-server enable traps hsrp state-change

no snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion

no snmp-server enable traps upgrade UpgradeJobStatusNotify

snmp-server enable traps feature-control FeatureOpStatusChange

snmp-server enable traps link cisco-xcvr-mon-status-chg

snmp-server enable traps vtp notifs

snmp-server enable traps vtp vlancreate

snmp-server enable traps vtp vlandelete

snmp-server enable traps bridge newroot

snmp-server enable traps bridge topologychange

snmp-server enable traps stpx inconsistency

snmp-server enable traps stpx root-inconsistency

snmp-server enable traps stpx loop-inconsistency

aaa authentication login default group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context VPC

vrf context servers1

  ip route 0.0.0.0/0 192.168.162.1

  ip route 192.168.41.0/24 192.168.42.135

  ip pim ssm range 232.0.0.0/8

vrf context servers2

  ip pim ssm range 232.0.0.0/8

vrf context management

vlan 1

vlan 36

  name DeviceMgmtHigh

vlan 37

  name DeviceMgmtLow

vlan 38

  name UIM-OS-INSTALL

vlan 40-41

vlan 42

  name CoreManagement

vlan 43

  name WirelessSystems

vlan 44

  name PhysicalSec

vlan 45

  name VOICE

vlan 52

  name POS

vlan 151-152,154,161-162,164,180-181

spanning-tree domain 777

spanning-tree vlan 1 priority 4096

ip prefix-list VLAN41 seq 5 permit 192.168.41.0/24

route-map VLAN41 permit 20

  match ip address prefix-list VLAN41

vpc domain 99

  peer-switch

  peer-keepalive destination 192.168.10.66 source 192.168.10.65 vrf VPC

  peer-gateway

interface Vlan1

  no shutdown

  no ip redirects

interface Vlan36

  no shutdown

  description DeviceMgmtHigh

  vrf member servers1

  no ip redirects

  ip address 192.168.36.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.36.1

interface Vlan37

  no shutdown

  description DeviceMgmtLow

  vrf member servers1

  no ip redirects

  ip address 192.168.37.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.37.1

interface Vlan38

  no shutdown

  description UIM OS Install only

  vrf member servers1

  no ip redirects

  ip address 192.168.38.201/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

interface Vlan40

  no shutdown

  vrf member servers1

  no ip redirects

  ip address 192.168.40.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 120 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.40.1

interface Vlan41

  shutdown

  description SHUTDOWN - NOW ROUTE VIA HyTrust

  vrf member servers1

  no ip redirects

  ip address 192.168.41.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 120 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.41.1

interface Vlan42

  no shutdown

  vrf member servers1

  no ip redirects

  ip address 192.168.42.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 120 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.42.1

interface Vlan43

  no shutdown

  description Wireless Systems

  vrf member servers1

  no ip redirects

  ip address 192.168.43.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.43.1

interface Vlan44

  no shutdown

  description Wireless Systems

  vrf member servers1

  no ip redirects

  ip address 192.168.44.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.44.1

interface Vlan45

  no shutdown

  description VOICE

  vrf member servers1

  no ip redirects

  ip address 192.168.45.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.45.1

interface Vlan52

  no shutdown

  description POS

  vrf member servers1

  no ip redirects

  ip address 192.168.52.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.52.1

interface Vlan154

  no shutdown

  vrf member servers2

  no ip redirects

  ip address 192.168.152.5/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.152.7

interface Vlan164

  no shutdown

  vrf member servers1

  no ip redirects

  ip address 192.168.162.5/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 120 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.162.7

interface Vlan180

  no shutdown

  vrf member servers1

  no ip redirects

  ip address 192.168.180.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 120 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.180.1

interface Vlan181

  no shutdown

  vrf member servers2

  no ip redirects

  ip address 192.168.181.3/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.181.1

interface port-channel1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  vpc 1

interface port-channel2

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  vpc 2

interface port-channel3

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  vpc 3

interface port-channel4

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  vpc 4

interface port-channel11

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  spanning-tree port type edge trunk

  vpc 11

interface port-channel12

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  spanning-tree port type edge trunk

  vpc 12

interface port-channel99

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  spanning-tree port type network

  spanning-tree guard loop

  vpc peer-link

interface Ethernet1/2

  description F-UCS-1_E2/1 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  channel-group 11 mode active

  no shutdown

interface Ethernet1/4

  description F-UCS-1_E2/2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  channel-group 11 mode active

  no shutdown

interface Ethernet1/6

  description F-UCS-2_E2/1 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  channel-group 12 mode active

  no shutdown

interface Ethernet1/8

  description F-UCS-2_E2/2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  channel-group 12 mode active

  no shutdown

interface Ethernet1/9

  description SACCESS-3 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 3 mode active

  no shutdown

interface Ethernet1/10

  description SACCESS-3 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 3 mode active

  no shutdown

interface Ethernet1/11

  description SACCESS-4 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 4 mode active

  no shutdown

interface Ethernet1/12

  description SACCESS-4 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 4 mode active

  no shutdown

interface Ethernet1/13

  description SACCESS-1 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  channel-group 1 mode active

  no shutdown

interface Ethernet1/14

  description SACCESS-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  channel-group 2 mode active

  no shutdown

interface Ethernet1/15

  description to RSERV-1 T2/1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 162

  spanning-tree port type normal

  no shutdown

interface Ethernet1/16

  description to RSERV-1 T2/2

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 152

  spanning-tree port type normal

  no shutdown

interface Ethernet1/17

  description to RSERV-1 T2/5

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 41-44,164

  spanning-tree port type normal

  no shutdown

interface Ethernet1/18

  description to RSERV-1 T2/6

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 154

  spanning-tree port type normal

  no shutdown

interface Ethernet1/19

  description to DC-ASA-1 vc1 T5/1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 162

  spanning-tree port type normal

  no shutdown

interface Ethernet1/20

  description to DC-ASA-1 vc2 T7/1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 152

  spanning-tree port type normal

  no shutdown

interface Ethernet1/21

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet1/22

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet1/23

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet1/24

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet2/13

  description SACCESS-5

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  no shutdown

interface Ethernet2/14

  description linkstate for vpc

  no switchport

  vrf member VPC

  ip address 192.168.10.65/30

  no shutdown

interface Ethernet2/15

  no switchport

interface Ethernet2/16

  no switchport

interface Ethernet2/17

  no switchport

interface Ethernet2/18

  no switchport

interface Ethernet2/19

  no switchport

interface Ethernet2/20

  no switchport

interface Ethernet2/21

  no switchport

interface Ethernet2/22

  no switchport

interface Ethernet2/23

  no switchport

interface Ethernet2/24

  no switchport

interface Ethernet2/25

  no switchport

interface Ethernet2/26

  no switchport

interface Ethernet2/27

  no switchport

interface Ethernet2/28

  no switchport

interface Ethernet2/29

  no switchport

interface Ethernet2/30

  no switchport

interface Ethernet2/31

  no switchport

interface Ethernet2/32

  no switchport

interface Ethernet2/33

  no switchport

interface Ethernet2/34

  no switchport

interface Ethernet2/35

  no switchport

interface Ethernet2/36

  no switchport

interface Ethernet2/37

  no switchport

interface Ethernet2/38

  no switchport

interface Ethernet2/39

  no switchport

interface Ethernet2/40

  no switchport

interface Ethernet2/41

  no switchport

interface Ethernet2/42

  no switchport

interface Ethernet2/43

  no switchport

interface Ethernet2/44

  no switchport

interface Ethernet2/45

  no switchport

interface Ethernet2/46

  no switchport

interface Ethernet2/47

  no switchport

interface Ethernet2/48

  no switchport

interface loopback0

  vrf member servers1

  ip address 192.168.1.31/32

  ip router ospf 5 area 0.0.0.81

logging server 192.168.42.124 6 use-vrf servers1

logging source-interface loopback 0

  logout-warning 20

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

router ospf 5

  vrf servers1

    router-id 4.4.4.1

    area 0.0.0.81 nssa

    redistribute static route-map VLAN41

    area 0.0.0.81 range 192.168.0.0/16

    area 0.0.0.81 range 192.168.162.0/24

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

  vrf servers2

    router-id 5.5.5.1

    area 0.0.0.81 nssa

    area 0.0.0.81 range 192.168.0.0/16

    area 0.0.0.81 range 192.168.152.0/24

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

ip pim ssm range 232.0.0.0/8

RAGG-2-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:52:03 2011

version 5.1(2)

hostname RAGG-2

vdc RAGG-2 id 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource monitor-session-erspan-dst minimum 0 maximum 23

  limit-resource vrf minimum 2 maximum 1000

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 32 maximum 32

  limit-resource u6route-mem minimum 16 maximum 16

  limit-resource m4route-mem minimum 48 maximum 48

  limit-resource m6route-mem minimum 8 maximum 8

vdc vdc1 id 2

  allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/25-32

  allocate interface Ethernet2/1-12

  boot-order 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource monitor-session-erspan-dst minimum 0 maximum 23

  limit-resource vrf minimum 2 maximum 1000

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 5 maximum 5

vdc vdc2 id 3

  allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8-24

  allocate interface Ethernet2/13-48

  boot-order 1

  limit-resource vlan minimum 16 maximum 4094

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource monitor-session-erspan-dst minimum 0 maximum 23

  limit-resource vrf minimum 2 maximum 1000

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 8 maximum 8

  limit-resource u6route-mem minimum 4 maximum 4

  limit-resource m4route-mem minimum 8 maximum 8

  limit-resource m6route-mem minimum 5 maximum 5

feature privilege

feature tacacs+

username admin password 5 <removed> role network-admin

username retail password 5 <removed> role network-admin

username bart password 5 <removed> role network-admin

username emc-ncm password 5 <removed> role network-admin

enable secret 5 <removed>

banner motd @

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip host RAGG-2 192.168.42.37

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf management

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.42.37/32

  20 permit ip 192.168.41.101/32 192.168.42.37/32

  30 permit ip 192.168.41.102/32 192.168.42.37/32

  40 permit ip 192.168.42.111/32 192.168.42.37/32

  50 permit ip 192.168.42.122/32 192.168.42.37/32

  60 permit ip 192.168.42.131/32 192.168.42.37/32

  70 permit ip 192.168.42.133/32 192.168.42.37/32

  80 permit ip 192.168.42.138/32 192.168.42.37/32

  90 permit ip 10.19.151.99/32 192.168.42.37/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.42.37/32

  20 deny ip any any

ip access-list copp-system-acl-bgp

  10 permit tcp any gt 1024 any eq bgp

  20 permit tcp any eq bgp any gt 1024

ipv6 access-list copp-system-acl-bgp6

  10 permit tcp any gt 1024 any eq bgp

  20 permit tcp any eq bgp any gt 1024

ip access-list copp-system-acl-eigrp

  10 permit eigrp any any

ip access-list copp-system-acl-ftp

  10 permit tcp any any eq ftp-data

  20 permit tcp any any eq ftp

  30 permit tcp any eq ftp-data any

  40 permit tcp any eq ftp any

ip access-list copp-system-acl-glbp

  10 permit udp any eq 3222 224.0.0.0/24 eq 3222

ip access-list copp-system-acl-hsrp

  10 permit udp any 224.0.0.0/24 eq 1985

ip access-list copp-system-acl-icmp

  10 permit icmp any any echo

  20 permit icmp any any echo-reply

ipv6 access-list copp-system-acl-icmp6

  10 permit icmp any any echo-request

  20 permit icmp any any echo-reply

ipv6 access-list copp-system-acl-icmp6-msgs

  10 permit icmp any any router-advertisement

  20 permit icmp any any router-solicitation

  30 permit icmp any any nd-na

  40 permit icmp any any nd-ns

  50 permit icmp any any mld-query

  60 permit icmp any any mld-report

  70 permit icmp any any mld-reduction

ip access-list copp-system-acl-igmp

  10 permit igmp any 224.0.0.0/3

ip access-list copp-system-acl-msdp

  10 permit tcp any gt 1024 any eq 639

  20 permit tcp any eq 639 any gt 1024

ip access-list copp-system-acl-ntp

  10 permit udp any any eq ntp

  20 permit udp any eq ntp any

ipv6 access-list copp-system-acl-ntp6

  10 permit udp any any eq ntp

  20 permit udp any eq ntp any

ip access-list copp-system-acl-ospf

  10 permit ospf any any

ipv6 access-list copp-system-acl-ospf6

  10 permit 89 any any

ip access-list copp-system-acl-pim

  10 permit pim any 224.0.0.0/24

  20 permit udp any any eq pim-auto-rp

ip access-list copp-system-acl-pim-reg

  10 permit pim any any

ipv6 access-list copp-system-acl-pim6

  10 permit 103 any ff02::d/128

  20 permit udp any any eq pim-auto-rp

ip access-list copp-system-acl-radius

  10 permit udp any any eq 1812

  20 permit udp any any eq 1813

  30 permit udp any any eq 1645

  40 permit udp any any eq 1646

  50 permit udp any eq 1812 any

  60 permit udp any eq 1813 any

  70 permit udp any eq 1645 any

  80 permit udp any eq 1646 any

ipv6 access-list copp-system-acl-radius6

  10 permit udp any any eq 1812

  20 permit udp any any eq 1813

  30 permit udp any any eq 1645

  40 permit udp any any eq 1646

  50 permit udp any eq 1812 any

  60 permit udp any eq 1813 any

  70 permit udp any eq 1645 any

  80 permit udp any eq 1646 any

ip access-list copp-system-acl-rip

  10 permit udp any 224.0.0.0/24 eq rip

ip access-list copp-system-acl-sftp

  10 permit tcp any any eq 115

  20 permit tcp any eq 115 any

ip access-list copp-system-acl-snmp

  10 permit udp any any eq snmp

  20 permit udp any any eq snmptrap

ip access-list copp-system-acl-ssh

  10 permit tcp any any eq 22

  20 permit tcp any eq 22 any

ipv6 access-list copp-system-acl-ssh6

  10 permit tcp any any eq 22

  20 permit tcp any eq 22 any

ip access-list copp-system-acl-tacacs

  10 permit tcp any any eq tacacs

  20 permit tcp any eq tacacs any

ipv6 access-list copp-system-acl-tacacs6

  10 permit tcp any any eq tacacs

  20 permit tcp any eq tacacs any

ip access-list copp-system-acl-telnet

  10 permit tcp any any eq telnet

  20 permit tcp any any eq 107

  30 permit tcp any eq telnet any

  40 permit tcp any eq 107 any

ipv6 access-list copp-system-acl-telnet6

  10 permit tcp any any eq telnet

  20 permit tcp any any eq 107

  30 permit tcp any eq telnet any

  40 permit tcp any eq 107 any

ip access-list copp-system-acl-tftp

  10 permit udp any any eq tftp

  20 permit udp any any eq 1758

  30 permit udp any eq tftp any

  40 permit udp any eq 1758 any

ipv6 access-list copp-system-acl-tftp6

  10 permit udp any any eq tftp

  20 permit udp any any eq 1758

  30 permit udp any eq tftp any

  40 permit udp any eq 1758 any

ip access-list copp-system-acl-traceroute

  10 permit icmp any any ttl-exceeded

  20 permit icmp any any port-unreachable

ip access-list copp-system-acl-undesirable

  10 permit udp any any eq 1434

ip access-list copp-system-acl-vpc

  10 permit udp any any eq 3200

ip access-list copp-system-acl-vrrp

  10 permit 112 any 224.0.0.0/24

class-map type control-plane match-any copp-system-class-critical

  match access-group name copp-system-acl-bgp

  match access-group name copp-system-acl-bgp6

  match access-group name copp-system-acl-eigrp

  match access-group name copp-system-acl-igmp

  match access-group name copp-system-acl-msdp

  match access-group name copp-system-acl-ospf

  match access-group name copp-system-acl-ospf6

  match access-group name copp-system-acl-pim

  match access-group name copp-system-acl-pim6

  match access-group name copp-system-acl-rip

  match access-group name copp-system-acl-vpc

class-map type control-plane match-any copp-system-class-exception

  match exception ip option

  match exception ip icmp unreachable

  match exception ipv6 option

  match exception ipv6 icmp unreachable

class-map type control-plane match-any copp-system-class-important

  match access-group name copp-system-acl-glbp

  match access-group name copp-system-acl-hsrp

  match access-group name copp-system-acl-vrrp

  match access-group name copp-system-acl-icmp6-msgs

  match access-group name copp-system-acl-pim-reg

class-map type control-plane match-any copp-system-class-management

  match access-group name copp-system-acl-ftp

  match access-group name copp-system-acl-ntp

  match access-group name copp-system-acl-ntp6

  match access-group name copp-system-acl-radius

  match access-group name copp-system-acl-sftp

  match access-group name copp-system-acl-snmp

  match access-group name copp-system-acl-ssh

  match access-group name copp-system-acl-ssh6

  match access-group name copp-system-acl-tacacs

  match access-group name copp-system-acl-telnet

  match access-group name copp-system-acl-tftp

  match access-group name copp-system-acl-tftp6

  match access-group name copp-system-acl-radius6

  match access-group name copp-system-acl-tacacs6

  match access-group name copp-system-acl-telnet6

class-map type control-plane match-any copp-system-class-monitoring

  match access-group name copp-system-acl-icmp

  match access-group name copp-system-acl-icmp6

  match access-group name copp-system-acl-traceroute

class-map type control-plane match-any copp-system-class-normal

  match protocol arp

class-map type control-plane match-any copp-system-class-redirect

  match redirect dhcp-snoop

  match redirect arp-inspect

class-map type control-plane match-any copp-system-class-undesirable

  match access-group name copp-system-acl-undesirable

policy-map type control-plane copp-system-policy

  class copp-system-class-critical

    police cir 39600 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-important

    police cir 1060 kbps bc 1000 ms conform transmit violate drop

  class copp-system-class-management

    police cir 10000 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-normal

    police cir 680 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-redirect

    police cir 280 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-monitoring

    police cir 130 kbps bc 1000 ms conform transmit violate drop

  class copp-system-class-exception

    police cir 360 kbps bc 250 ms conform transmit violate drop

  class copp-system-class-undesirable

    police cir 32 kbps bc 250 ms conform drop violate drop

  class class-default

    police cir 100 kbps bc 250 ms conform transmit violate drop

control-plane

  service-policy input copp-system-policy

snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey

ntp server 192.168.62.161 use-vrf management

ntp server 192.168.62.162 use-vrf management

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context management

  ip route 0.0.0.0/0 192.168.42.1

vlan 1

interface mgmt0

  ip address 192.168.42.37/24

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

  logout-warning 20

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-1

boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-1

boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-2

boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-2

logging server 192.168.42.124 6 use-vrf management

RAGG-2-VDC1-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:52:35 2011

version 5.1(2)

hostname vdc1

feature privilege

feature tacacs+

cfs eth distribute

feature ospf

feature pim

feature udld

feature interface-vlan

feature hsrp

feature lacp

feature glbp

feature vpc

username admin password 5 <removed>   role vdc-admin

username retail password 5 <removed>   role vdc-admin

username emc-ncm password 5 <removed>   role vdc-admin

username bart password 5 <removed>   role vdc-admin

enable secret 5 <removed>

banner motd @

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    source-interface loopback0

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.1.12/32

  20 permit ip 192.168.41.101/32 192.168.1.12/32

  30 permit ip 192.168.41.102/32 192.168.1.12/32

  40 permit ip 192.168.42.111/32 192.168.1.12/32

  50 permit ip 192.168.42.122/32 192.168.1.12/32

  60 permit ip 192.168.42.131/32 192.168.1.12/32

  70 permit ip 192.168.42.133/32 192.168.1.12/32

  80 permit ip 192.168.42.138/32 192.168.1.12/32

  90 permit ip 10.19.151.99/32 192.168.1.12/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.1.12/32

  20 deny ip any any

snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey

aaa authentication login default group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context management

vlan 1,3,151,161

interface Vlan1

interface Vlan3

  no shutdown

  ip address 192.168.10.62/30

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf dead-interval 3

  ip ospf hello-interval 1

  ip router ospf 5 area 0.0.0.0

interface Vlan151

  no shutdown

  ip address 192.168.152.4/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.152.1

interface Vlan161

  no shutdown

  ip address 192.168.162.4/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 10 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.162.1

interface port-channel99

  switchport

  switchport mode trunk

  spanning-tree port type network

interface Ethernet1/1

  description 10Gig LINK to RCORE-1 T2/2

  no switchport

  logging event port link-status

  no ip redirects

  ip address 192.168.10.18/30

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf dead-interval 6

  ip ospf hello-interval 2

  ip ospf network point-to-point

  ip router ospf 5 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

  no shutdown

interface Ethernet1/3

  description 10Gig LINK to RCORE-2 T2/2

  no switchport

  logging event port link-status

  no ip redirects

  ip address 192.168.10.26/30

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip ospf dead-interval 6

  ip ospf hello-interval 2

  ip ospf network point-to-point

  ip router ospf 5 area 0.0.0.0

  ip pim sparse-mode

  ip igmp version 3

  no shutdown

interface Ethernet1/5

  description to DC-ASA-2 vc1 T0/6

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 161

  spanning-tree port type normal

  no shutdown

interface Ethernet1/7

  description to DC-ASA-2 vc2 T0/8

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 151

  spanning-tree port type normal

  no shutdown

interface Ethernet1/25

  no switchport

interface Ethernet1/26

  no switchport

interface Ethernet1/27

  no switchport

interface Ethernet1/28

  no switchport

interface Ethernet1/29

  description RAGG-1 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet1/30

  description RAGG-1 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet1/31

  description RAGG-1 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet1/32

  description RAGG-1 vPC Channel link

  switchport

  switchport mode trunk

  channel-group 99 mode active

  no shutdown

interface Ethernet2/1

  no switchport

interface Ethernet2/2

  no switchport

interface Ethernet2/3

  no switchport

interface Ethernet2/4

  no switchport

interface Ethernet2/5

  no switchport

interface Ethernet2/6

  no switchport

interface Ethernet2/7

  no switchport

interface Ethernet2/8

  no switchport

interface Ethernet2/9

  no switchport

interface Ethernet2/10

  no switchport

interface Ethernet2/11

  no switchport

interface Ethernet2/12

  no switchport

interface loopback0

  ip address 192.168.1.12/32

  ip router ospf 5 area 0.0.0.0

logging server 192.168.42.124 6

logging source-interface loopback 0

  logout-warning 20

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

router ospf 5

  router-id 192.168.1.12

  area 0.0.0.81 nssa

  area 0.0.0.0 range 192.168.1.12/32

  area 0.0.0.0 range 192.168.10.12/30

  area 0.0.0.0 range 192.168.10.20/30

  area 0.0.0.0 range 192.168.10.60/30

  area 0.0.0.81 range 192.168.152.0/24

  area 0.0.0.81 range 192.168.162.0/24

  area 0.0.0.0 authentication message-digest

  area 0.0.0.81 authentication message-digest

  timers throttle spf 10 100 5000

  auto-cost reference-bandwidth 10000

ip pim ssm range 232.0.0.0/8

RAGG-2-VDC2-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:53:03 2011

version 5.1(2)

hostname vdc2

feature privilege

feature tacacs+

cfs eth distribute

feature ospf

feature pim

feature udld

feature interface-vlan

feature hsrp

feature lacp

feature dhcp

feature vpc

username admin password 5 <removed>   role vdc-admin

username retail password 5 <removed>   role vdc-admin

username bart password 5 <removed>   role vdc-admin

username emc-ncm password 5 <removed>   role vdc-admin

enable secret 5 <removed>

banner motd @

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf servers1

    source-interface loopback0

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.1.32/32

  20 permit ip 192.168.41.101/32 192.168.1.32/32

  30 permit ip 192.168.41.102/32 192.168.1.32/32

  40 permit ip 192.168.42.111/32 192.168.1.32/32

  50 permit ip 192.168.42.122/32 192.168.1.32/32

  60 permit ip 192.168.42.131/32 192.168.1.32/32

  70 permit ip 192.168.42.133/32 192.168.1.32/32

  80 permit ip 192.168.42.138/32 192.168.1.32/32

  90 permit ip 10.19.151.99/32 192.168.1.32/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.1.32/32

  20 deny ip any any

snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey

aaa authentication login default group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context VPC

vrf context servers1

  ip route 0.0.0.0/0 192.168.36.3

  ip pim ssm range 232.0.0.0/8

vrf context servers2

  ip pim ssm range 232.0.0.0/8

vrf context management

vlan 1

vlan 36

  name DeviceMgmtHigh

vlan 37

  name DeviceMgmtLow

vlan 38

  name UIM-OS-INSTALL

vlan 40-41

vlan 42

  name CoreManagement

vlan 43

  name WirelessSystems

vlan 44

  name PhysicalSec

vlan 45

  name VOICE

vlan 52

  name POS

vlan 151-152,154,161-162,164,180-181

spanning-tree domain 777

ip prefix-list VLAN41 seq 5 permit 192.168.41.0/24

route-map VLAN41 permit 20

  match ip address prefix-list VLAN41

service dhcp

ip dhcp relay

vpc domain 99

  peer-keepalive destination 192.168.10.65 source 192.168.10.66 vrf VPC

interface Vlan1

  no ip redirects

  no shutdown

interface Vlan36

  vrf member servers1

  no ip redirects

  ip address 192.168.36.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.36.1

  no shutdown

  description DeviceMgmtHigh

interface Vlan37

  vrf member servers1

  no ip redirects

  ip address 192.168.37.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.37.1

  no shutdown

  description DeviceMgmtLow

interface Vlan38

  vrf member servers1

  no ip redirects

  ip address 192.168.38.202/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  no shutdown

  description UIM OS Install only

interface Vlan40

  vrf member servers1

  no ip redirects

  ip address 192.168.40.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.40.1

  no shutdown

interface Vlan41

  vrf member servers1

  ip address 192.168.41.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 90 forwarding-threshold lower 1 upper 1

    timers  1  3

    ip 192.168.41.1

  shutdown

  description SHUTDOWN - NOW ROUTE VIA HyTrust

interface Vlan42

  vrf member servers1

  no ip redirects

  ip address 192.168.42.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.42.1

  no shutdown

interface Vlan43

  vrf member servers1

  no ip redirects

  ip address 192.168.43.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.43.1

  no shutdown

  description Wireless Systems

interface Vlan44

  vrf member servers1

  no ip redirects

  ip address 192.168.44.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.44.1

  no shutdown

  description Wireless Systems

interface Vlan45

  vrf member servers1

  no ip redirects

  ip address 192.168.45.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.45.1

  no shutdown

  description VOICE

interface Vlan52

  vrf member servers1

  no ip redirects

  ip address 192.168.52.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 105 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.52.1

  no shutdown

  description POS

interface Vlan154

  vrf member servers2

  no ip redirects

  ip address 192.168.152.6/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 120 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.152.7

  no shutdown

interface Vlan164

  vrf member servers1

  no ip redirects

  ip address 192.168.162.6/24

  ip ospf authentication message-digest

  ip ospf message-digest-key 1 md5 3 <removed>

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 2

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.162.7

  no shutdown

interface Vlan180

  vrf member servers1

  no ip redirects

  ip address 192.168.180.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 110 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.180.1

  no shutdown

interface Vlan181

  vrf member servers2

  no ip redirects

  ip address 192.168.181.4/24

  ip ospf passive-interface

  ip router ospf 5 area 0.0.0.81

  ip pim sparse-mode

  ip igmp version 3

  hsrp 1

    authentication text c1sc0

    preempt delay minimum 180

    priority 120 forwarding-threshold lower 0 upper 0

    timers  1  3

    ip 192.168.181.1

  no shutdown

interface port-channel1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  vpc 1

interface port-channel2

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  vpc 2

interface port-channel3

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  vpc 3

interface port-channel4

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  vpc 4

interface port-channel11

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  spanning-tree port type edge trunk

  vpc 11

interface port-channel12

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  spanning-tree port type edge trunk

  vpc 12

interface port-channel99

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  spanning-tree port type network

  spanning-tree guard loop

  vpc peer-link

interface Ethernet1/2

  description F-UCS-1_E2/1 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  channel-group 11 mode active

  no shutdown

interface Ethernet1/4

  description F-UCS-1_E2/2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  spanning-tree port type normal

  channel-group 11 mode active

  no shutdown

interface Ethernet1/6

  description F-UCS-2_E2/1 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  channel-group 12 mode active

  no shutdown

interface Ethernet1/8

  description F-UCS-2_E2/2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41,45-46

  channel-group 12 mode active

  no shutdown

interface Ethernet1/9

  description SACCESS-3 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 3 mode active

  no shutdown

interface Ethernet1/10

  description SACCESS-3 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 3 mode active

  no shutdown

interface Ethernet1/11

  description SACCESS-4 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 4 mode active

  no shutdown

interface Ethernet1/12

  description SACCESS-4 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  channel-group 4 mode active

  no shutdown

interface Ethernet1/13

  description SACCESS-1 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  channel-group 1 mode active

  no shutdown

interface Ethernet1/14

  description SACCESS-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 38,41-42,44

  channel-group 2 mode active

  no shutdown

interface Ethernet1/15

  no switchport

interface Ethernet1/16

  no switchport

interface Ethernet1/17

  description to RSERV-2 T2/6

  switchport

  switchport mode trunk

  spanning-tree port type normal

  no shutdown

interface Ethernet1/18

  description to RSERV-2 T2/5

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 42,164

  no shutdown

interface Ethernet1/19

  description to DC-ASA-2 vc1 T5/1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 152

  spanning-tree port type normal

  no shutdown

interface Ethernet1/20

  description to DC-ASA-2 vc2 T7/1

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 152

  spanning-tree port type normal

  no shutdown

interface Ethernet1/21

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet1/22

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet1/23

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet1/24

  description RAGG-2 vPC Channel link

  switchport

  switchport mode trunk

  switchport trunk allowed vlan 36-52

  udld aggressive

  channel-group 99 mode active

  no shutdown

interface Ethernet2/13

  description SACCESS-5 vPC Channel link

  switchport

  switchport mode trunk

interface Ethernet2/14

  description linkstate for vpc

  no switchport

  vrf member VPC

  ip address 192.168.10.66/30

  no shutdown

interface Ethernet2/15

  no switchport

interface Ethernet2/16

  no switchport

interface Ethernet2/17

  no switchport

interface Ethernet2/18

  no switchport

interface Ethernet2/19

  no switchport

interface Ethernet2/20

  no switchport

interface Ethernet2/21

  no switchport

interface Ethernet2/22

  no switchport

interface Ethernet2/23

  no switchport

interface Ethernet2/24

  no switchport

interface Ethernet2/25

  no switchport

interface Ethernet2/26

  no switchport

interface Ethernet2/27

  no switchport

interface Ethernet2/28

  no switchport

interface Ethernet2/29

  no switchport

interface Ethernet2/30

  no switchport

interface Ethernet2/31

  no switchport

interface Ethernet2/32

  no switchport

interface Ethernet2/33

  no switchport

interface Ethernet2/34

  no switchport

interface Ethernet2/35

  no switchport

interface Ethernet2/36

  no switchport

interface Ethernet2/37

  no switchport

interface Ethernet2/38

  no switchport

interface Ethernet2/39

  no switchport

interface Ethernet2/40

  no switchport

interface Ethernet2/41

  no switchport

interface Ethernet2/42

  no switchport

interface Ethernet2/43

  no switchport

interface Ethernet2/44

  no switchport

interface Ethernet2/45

  no switchport

interface Ethernet2/46

  no switchport

interface Ethernet2/47

  no switchport

interface Ethernet2/48

  no switchport

interface loopback0

  vrf member servers1

  ip address 192.168.1.32/32

  ip router ospf 5 area 0.0.0.81

logging server 192.168.42.124 6 use-vrf servers1

logging source-interface loopback 0

  logout-warning 20

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

router ospf 5

  vrf servers1

    router-id 4.4.4.2

    area 0.0.0.81 nssa

    area 0.0.0.81 range 192.168.0.0/16

    area 0.0.0.81 range 192.168.162.0/24

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

  vrf servers2

    router-id 5.5.5.2

    area 0.0.0.81 nssa

    area 0.0.0.81 range 192.168.0.0/16

    area 0.0.0.81 range 192.168.152.0/24

    area 0.0.0.81 authentication message-digest

    timers throttle spf 10 100 5000

ip pim ssm range 232.0.0.0/8

N1KV-1-RUNNING

!Command: show running-config

!Time: Sat Apr 30 03:02:54 2011

version 4.2(1)SV1(4)

no feature telnet

feature tacacs+

username admin password 5 <removed>   role network-admin

username retail password 5 <removed>   role network-admin

banner motd # 
WARNING: 
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail **** 
                    **** AUTHORIZED USERS ONLY! **** 
 
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY 
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT 
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. 
 
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. 
#

ssh key rsa 2048

ip domain-lookup

ip domain-lookup

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf management

    source-interface mgmt0

aaa group server tacacs+ tacacs

hostname N1kv-1

ip access-list 23

  10 permit ip 192.168.42.0/24 any

  20 permit ip any any

  30 deny ip any any

ip access-list 88

  10 permit ip 192.168.42.0/24 any

  20 permit ip any any

  30 deny ip any any

vem 3

  host vmware id 414e3537-3441-3255-5838-34353034544b

vem 4

  host vmware id 414e3537-3441-3255-5838-34353034544d

vem 5

  host vmware id 414e3537-3441-3255-5838-333930345046

vem 6

  host vmware id 414e3537-3441-3255-5838-34353034544c

vem 7

  host vmware id 414e3537-3441-3255-5838-333930344e59

vem 8

  host vmware id 414e3537-3441-3255-5838-333830333330

vem 9

  host vmware id 414e3537-3441-3255-5838-333930345057

vem 10

  host vmware id 414e3537-3441-3255-5838-343530345630

vem 11

  host vmware id 414e3537-3441-3255-5838-343530345448

vem 12

  host vmware id 414e3537-3441-3255-5838-333930345048

snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey

ntp server 192.168.62.161 use-vrf management

ntp server 192.168.62.162 use-vrf management

ntp source 192.168.41.61

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

vrf context management

  ip route 0.0.0.0/0 192.168.41.1

vlan 1

vlan 36

  name VLAN36

vlan 37

  name VLAN37

vlan 38

  name VLAN38

vlan 39

  name VLAN39

vlan 40

  name VLAN40

vlan 41

  name VLAN41

vlan 42

  name VLAN42

vlan 43

  name VLAN43

vlan 44

  name VLAN44

vlan 45

  name VLAN45

vlan 46

  name VLAN46

vlan 52

  name VLAN52

vlan 64

  name VLAN64

vlan 72

  name VLAN72

vlan 80

  name VLAN80

vlan 81

  name VLAN81

vlan 82

  name VLAN82

vlan 83

  name VLAN83

port-channel load-balance ethernet source-mac

port-profile default max-ports 32

port-profile type vethernet VLAN38

  vmware port-group

  switchport mode access

  switchport access vlan 38

  no shutdown

  state enabled

port-profile type vethernet VLAN36

  vmware port-group

  switchport mode access

  switchport access vlan 36

  no shutdown

  state enabled

port-profile type vethernet VLAN37

  vmware port-group

  switchport mode access

  switchport access vlan 37

  no shutdown

  state enabled

port-profile type vethernet VLAN39

  vmware port-group

  switchport mode access

  switchport access vlan 39

  no shutdown

  state enabled

port-profile type vethernet VLAN40

  vmware port-group

  switchport mode access

  switchport access vlan 40

  no shutdown

  state enabled

port-profile type vethernet VLAN41

  vmware port-group

  switchport mode access

  switchport access vlan 41

  no shutdown

  system vlan 41

  state enabled

port-profile type vethernet VLAN42

  vmware port-group

  switchport mode access

  switchport access vlan 42

  no shutdown

  state enabled

port-profile type vethernet VLAN43

  vmware port-group

  switchport mode access

  switchport access vlan 43

  no shutdown

  state enabled

port-profile type vethernet VLAN44

  vmware port-group

  switchport mode access

  switchport access vlan 44

  no shutdown

  state enabled

port-profile type vethernet VLAN45

  vmware port-group

  switchport mode access

  switchport access vlan 45

  no shutdown

  state enabled

port-profile type vethernet VLAN46

  vmware port-group

  switchport mode access

  switchport access vlan 46

  no shutdown

  state enabled

port-profile type vethernet VLAN52

  vmware port-group

  switchport mode access

  switchport access vlan 52

  no shutdown

  state enabled

port-profile type vethernet VLAN64

  vmware port-group

  switchport mode access

  switchport access vlan 64

  no shutdown

  state enabled

port-profile type vethernet VLAN72

  vmware port-group

  switchport mode access

  switchport access vlan 72

  no shutdown

  state enabled

port-profile type vethernet VLAN80

  vmware port-group

  switchport mode access

  switchport access vlan 80

  no shutdown

  state enabled

port-profile type vethernet VLAN81

  vmware port-group

  switchport mode access

  switchport access vlan 81

  no shutdown

  state enabled

port-profile type vethernet VLAN82

  vmware port-group

  switchport mode access

  switchport access vlan 82

  no shutdown

  state enabled

port-profile type vethernet VLAN83

  vmware port-group

  switchport mode access

  switchport access vlan 83

  no shutdown

  state enabled

port-profile type ethernet Unused_Or_Quarantine_Uplink

  vmware port-group

  shutdown

  description Port-group created for Nexus1000V internal usage. Do not use.

  state enabled

port-profile type vethernet Unused_Or_Quarantine_Veth

  vmware port-group

  shutdown

  description Port-group created for Nexus1000V internal usage. Do not use.

  state enabled

port-profile type ethernet sysuplink

  vmware port-group

  switchport mode trunk

  switchport trunk allowed vlan 36-83

  no shutdown

  system vlan 41

  state enabled

port-profile type vethernet VSG-DADA-HA

  vmware port-group

  switchport access vlan 41

  no shutdown

  state enabled

port-profile type vethernet Tenant-1

  vmware port-group

  org root/Tenant-1

  vn-service ip-address 192.168.52.11 vlan 52 security-profile SecurityProfile-1

  switchport mode access

  switchport access vlan 41

  no shutdown

  state enabled

vdc N1kv-1 id 1

  limit-resource vlan minimum 16 maximum 2049

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 32 maximum 32

  limit-resource u6route-mem minimum 16 maximum 16

  limit-resource m4route-mem minimum 58 maximum 58

  limit-resource m6route-mem minimum 8 maximum 8

interface mgmt0

  ip address 192.168.41.61/24

interface Vethernet3

  inherit port-profile VLAN42

  description RSA-Archer,Network Adapter 1

  vmware dvport 207 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"

  vmware vm mac 0050.56BB.001E

interface Vethernet5

  inherit port-profile VSG-DADA-HA

  description Nexus1000VSG,Network Adapter 3

  vmware dvport 1057 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"

  vmware vm mac 0050.56BB.0004

interface Vethernet6

  inherit port-profile VSG-DADA-HA

  description Nexus1000VSG,Network Adapter 1

  vmware dvport 1056 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"

  vmware vm mac 0050.56BB.0002

interface Vethernet7

  inherit port-profile VLAN52

  description POS Terminal,Network Adapter 1

  vmware dvport 352 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"

  vmware vm mac 0050.56BB.0005

interface control0

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

line vty

  exec-timeout 15

line console

  exec-timeout 15

boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-1

boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-1

boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-2

boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-2

svs-domain

  domain id 2

  control vlan 41

  packet vlan 41

  svs mode L2

svs connection vc

  protocol vmware-vim

  remote ip address 192.168.41.102 port 80

  vmware dvs uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" datacenter-name Retail 
Lab-CMO

  connect

vnm-policy-agent

  registration-ip 192.168.41.65

  shared-secret **********

  policy-agent-image bootflash:/vnmc-vsmpa.1.0.1j.bin

  log-level

logging server 192.168.42.124 7 facility syslog

logging timestamp milliseconds

VSG-TENANT-1-RUNNING

!Command: show running-config

!Time: Sat Apr 30 03:09:08 2011

version 4.2(1)VSG1(1)

no feature telnet

feature tacacs+

username admin password 5 <removed> role network-admin

banner motd # 
WARNING: 
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail **** 
                    **** AUTHORIZED USERS ONLY! **** 
 
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY 
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT 
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. 
 
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. 
#

ssh key rsa 2048

ip domain-lookup

ip domain-lookup

tacacs-server key 7 " <removed> "

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf management

    source-interface mgmt0

aaa group server tacacs+ tacacs

hostname VSG-Tenant-1

no snmp-server protocol enable

snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey

ntp source 192.168.41.63

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

vrf context management

  ip domain-name cisco-irn.com

  ip name-server 192.168.42.130

  ip route 0.0.0.0/0 192.168.41.1

vlan 1

port-channel load-balance ethernet source-mac

port-profile default max-ports 32

vdc VSG-Tenant-1 id 1

  limit-resource vlan minimum 16 maximum 2049

  limit-resource monitor-session minimum 0 maximum 2

  limit-resource vrf minimum 16 maximum 8192

  limit-resource port-channel minimum 0 maximum 768

  limit-resource u4route-mem minimum 32 maximum 32

  limit-resource u6route-mem minimum 16 maximum 16

  limit-resource m4route-mem minimum 58 maximum 58

  limit-resource m6route-mem minimum 8 maximum 8

interface mgmt0

  ip address 192.168.41.63/24

interface data0

  ip address 192.168.52.11/24

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

line vty

  exec-timeout 15

line console

  exec-timeout 15

boot kickstart bootflash:/nexus-1000v-kickstart-mz.VSG1.1.bin sup-1

boot system bootflash:/nexus-1000v-mz.VSG1.1.bin sup-1

boot kickstart bootflash:/nexus-1000v-kickstart-mz.VSG1.1.bin sup-2

boot system bootflash:/nexus-1000v-mz.VSG1.1.bin sup-2

ip access-list match-local-traffic

  ha-pair id 41

security-profile SecurityProfile-1@root/Tenant-1

  policy PolicySet-A@root/Tenant-1

  custom-attribute vnsporg "root/tenant-1"

security-profile default@root

  policy default@root

  custom-attribute vnsporg "root"

rule default/default-rule@root

  action 10 drop

rule PolicyA/allow_ICMP@root/Tenant-1

  condition 10 dst.net.ip-address eq 192.168.1.1

  condition 11 net.protocol eq 1

  action 10 log

  action 11 permit

policy default@root

  rule default/default-rule@root order 2

policy PolicySet-A@root/Tenant-1

  rule PolicyA/allow_ICMP@root/Tenant-1 order 101

vnm-policy-agent

  registration-ip 192.168.41.65

  shared-secret **********

  policy-agent-image bootflash:/vnmc-vsgpa.1.0.1j.bin

  log-level

logging logfile messages 2

logging server 192.168.42.124 6 facility local0

logging monitor 2

RSERV-1

! Last configuration change at 01:53:06 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:53:07 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

service counters max age 5

hostname RSERV-1

boot-start-marker

boot system flash sup-bootdisk:/s72033-adventerprisek9_wan-mz.122-33.SXJ.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

svclc module 4 vlan-group 162,163

svclc vlan-group 162  152,162

svclc vlan-group 163  153,163

intrusion-detection module 9 management-port access-vlan 42

intrusion-detection module 9 data-port 1 trunk allowed-vlan 153,154

intrusion-detection module 9 data-port 2 trunk allowed-vlan 163,164

ip wccp 61

ip wccp 62

no ip bootp server

ip multicast-routing

ip ssh version 2

ip scp server enable

no ip domain-lookup

ip domain-name cisco-irn.com

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

ipv6 mfib hardware-switching replication-mode ingress

vtp domain datacenter

vtp mode transparent

no mls acl tcam share-global

mls netflow interface

mls cef error action freeze

password encryption aes

crypto pki trustpoint TP-self-signed-1027

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1027

 revocation-check none

 rsakeypair TP-self-signed-1027

crypto pki certificate chain TP-self-signed-1027

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

no power enable module 8

diagnostic bootup level minimal

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

redundancy

 main-cpu

  auto-sync running-config

 mode sso

vlan internal allocation policy descending

vlan dot1q tag native

vlan access-log ratelimit 2000

vlan 41

 name DeviceManagementHTA

vlan 42

 name DeviceManagement

vlan 43

 name WIRELESS-CONTROL

vlan 44

 name PhysicalSec

vlan 47

 name WAAS_Central_Manager

vlan 49

 name WAAS_DC

vlan 152

 name NorthSide_facing_ASA_Servers2

vlan 153

 name ACE_to_IDS_Servers2

vlan 154

 name SouthSide_facing_Servers2

vlan 162

 name NorthSide_facing_ASA_Servers1

vlan 163

 name ACE_to_IDS_Servers1

vlan 164

 name SouthSide_facing_Servers1

vlan 803

 name RSERV-1_to_RAGG-1-VDC-2

vlan 1000

interface Loopback0

 ip address 192.168.1.21 255.255.255.255

interface Loopback62

 ip address 192.168.62.161 255.255.255.255

interface GigabitEthernet1/1

 no ip address

 shutdown

interface GigabitEthernet1/2

 no ip address

 shutdown

interface GigabitEthernet1/3

 no ip address

 shutdown

interface GigabitEthernet1/4

 no ip address

 shutdown

interface GigabitEthernet1/5

 no ip address

 shutdown

interface GigabitEthernet1/6

 no ip address

 shutdown

interface GigabitEthernet1/7

 no ip address

 shutdown

interface GigabitEthernet1/8

 no ip address

 shutdown

interface GigabitEthernet1/9

 no ip address

 shutdown

interface GigabitEthernet1/10

 no ip address

 shutdown

interface GigabitEthernet1/11

 no ip address

 shutdown

interface GigabitEthernet1/12

 no ip address

 shutdown

interface GigabitEthernet1/13

 no ip address

 shutdown

interface GigabitEthernet1/14

 no ip address

 shutdown

interface GigabitEthernet1/15

 no ip address

 shutdown

interface GigabitEthernet1/16

 no ip address

 shutdown

interface TenGigabitEthernet2/1

 description to RAGG-1 vdc2 T1/15

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 162

 switchport mode trunk

interface TenGigabitEthernet2/2

 description to RAGG-1 vdc2 T1/16

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 152

 switchport mode trunk

interface TenGigabitEthernet2/3

 no ip address

 shutdown

interface TenGigabitEthernet2/4

 no ip address

 shutdown

interface TenGigabitEthernet2/5

 description to RAGG-1 vdc2 T1/17

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 41-44,164,803

 switchport mode trunk

interface TenGigabitEthernet2/6

 description to RAGG-1 vdc2 T1/18

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 154

 switchport mode trunk

interface TenGigabitEthernet2/7

 no ip address

 shutdown

interface TenGigabitEthernet2/8

 no ip address

 shutdown

interface GigabitEthernet5/1

 no ip address

 shutdown

interface GigabitEthernet5/2

 no ip address

 shutdown

interface GigabitEthernet6/1

 no ip address

 shutdown

interface GigabitEthernet6/2

 no ip address

 shutdown

interface GigabitEthernet7/1

 no ip address

 shutdown

interface GigabitEthernet7/2

 no ip address

 shutdown

interface GigabitEthernet7/3

 no ip address

interface GigabitEthernet7/4

 no ip address

interface GigabitEthernet7/5

 no ip address

interface GigabitEthernet7/6

 no ip address

interface GigabitEthernet7/7

 no ip address

interface GigabitEthernet7/8

 no ip address

interface GigabitEthernet7/9

 no ip address

interface GigabitEthernet7/10

 no ip address

interface GigabitEthernet7/11

 no ip address

interface GigabitEthernet7/12

 no ip address

interface GigabitEthernet7/13

 no ip address

interface GigabitEthernet7/14

 no ip address

interface GigabitEthernet7/15

 no ip address

interface GigabitEthernet7/16

 no ip address

interface GigabitEthernet7/17

 description WAAS Central Manager

 switchport

 switchport access vlan 47

 switchport mode access

interface GigabitEthernet7/18

 no ip address

interface GigabitEthernet7/19

 no ip address

interface GigabitEthernet7/20

 no ip address

interface GigabitEthernet7/21

 description AW-DC-1_G1

 switchport

 switchport access vlan 43

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/22

 description AW-DC-2_G1

 switchport

 switchport access vlan 43

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/23

 description MDS Management PAME-DC-1

 switchport

 switchport access vlan 44

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/24

 description MDS Management MDS-DC-1_M0

 switchport

 switchport access vlan 41

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/25

 description MDS Management MDS-DC-2_M0

 switchport

 switchport access vlan 41

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/26

 no ip address

interface GigabitEthernet7/27

 description ASA-WAN-1_M0

 switchport

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/28

 no ip address

interface GigabitEthernet7/29

 description MSE-DC-1_G1

 switchport

 switchport access vlan 43

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/30

 description MSE-DC-2_G1

 switchport

 switchport access vlan 43

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/31

 no ip address

interface GigabitEthernet7/32

 no ip address

interface GigabitEthernet7/33

 description RSA enVision

 switchport

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/34

 no ip address

interface GigabitEthernet7/35

 description WAE-DC-1

 switchport

 switchport access vlan 49

 switchport mode access

interface GigabitEthernet7/36

 no ip address

interface GigabitEthernet7/37

 no ip address

interface GigabitEthernet7/38

 no ip address

interface GigabitEthernet7/39

 no ip address

interface GigabitEthernet7/40

 no ip address

interface GigabitEthernet7/41

 no ip address

interface GigabitEthernet7/42

 no ip address

interface GigabitEthernet7/43

 no ip address

interface GigabitEthernet7/44

 no ip address

interface GigabitEthernet7/45

 description hard crossover bridge

 no ip address

 shutdown

interface GigabitEthernet7/46

 no ip address

interface GigabitEthernet7/47

 no ip address

 shutdown

interface GigabitEthernet7/48

 no ip address

 shutdown

interface Vlan1

 no ip address

 shutdown

interface Vlan803

 description ** South Side facing Servers1 **

 ip address 192.168.130.10 255.255.255.252

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf priority 0

router ospf 5

 router-id 192.168.1.21

 log-adjacency-changes

 area 81 authentication message-digest

 area 81 nssa

 area 81 range 192.168.0.0 255.255.0.0

 timers throttle spf 10 100 5000

 passive-interface default

 no passive-interface Vlan803

 network 192.168.0.0 0.0.255.255 area 81

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Loopback0

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps hsrp

snmp-server enable traps MAC-Notification change move threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

dial-peer cor custom

banner exec C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp source Loopback0

ntp master 5

ntp update-calendar

ntp server 171.68.10.150

ntp server 171.68.10.80 prefer

mac-address-table aging-time 480

end

RSERV-2

! Last configuration change at 01:50:12 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:50:13 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

service counters max age 5

hostname RSERV-2

boot-start-marker

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

svclc module 4 vlan-group 162,163

svclc vlan-group 162  152,162

svclc vlan-group 163  153,163

intrusion-detection module 9 management-port access-vlan 42

intrusion-detection module 9 data-port 1 trunk allowed-vlan 153,154

intrusion-detection module 9 data-port 2 trunk allowed-vlan 163,164

ip wccp 61

ip wccp 62

no ip bootp server

ip multicast-routing

ip ssh version 2

ip scp server enable

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

ipv6 mfib hardware-switching replication-mode ingress

vtp domain CiscoRetail

vtp mode transparent

no mls acl tcam share-global

mls netflow interface

mls cef error action freeze

password encryption aes

crypto pki trustpoint TP-self-signed-1027

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1027

 revocation-check none

 rsakeypair TP-self-signed-1027

crypto pki certificate chain TP-self-signed-1027

 certificate self-signed 01

  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  2B312930 27060355 04031320 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31303237 301E170D 31313034 32313030 30353139 5A170D32

  30303130 31303030 3030305A 302B3129 30270603 55040313 20494F53 2D53656C

  662D5369 676E6564 2D436572 74696669 63617465 2D313032 3730819F 300D0609

  2A864886 F70D0101 01050003 818D0030 81890281 8100A365 80CA486A 1FCC3F72

  4B6DDFE1 AA57CE0A 4726554C B0D6B6F3 BC9F3F3A 84AAD96D 0C8D4E07 3E5C42FD

  2AB0BA8A 1E5E28AE BDA4FE3A F1A425A6 2D2F09E0 3DC30109 F4561A9B EADC4896

  87FD5133 4FEAFA2F C214CB35 11B7AEB6 F0C3DE4F 4453DA89 6177A6D3 9FDA59BA

  EE11414E 008C40A8 FF768B0D 0CE97204 82FB71C6 10C30203 010001A3 75307330

  0F060355 1D130101 FF040530 030101FF 30200603 551D1104 19301782 15525345

  52562D32 2E636973 636F2D69 726E2E63 6F6D301F 0603551D 23041830 16801425

  E9402754 9D8FF072 B2B9284C D1157536 23A79C30 1D060355 1D0E0416 041425E9

  4027549D 8FF072B2 B9284CD1 15753623 A79C300D 06092A86 4886F70D 01010405

  00038181 003EACB3 84C4E98F 65FE3BE2 F4984B3D 908DCF32 E89B4217 6F3444EB

  E844C491 A50B817E 508BE874 E4C1FE1E 9A92EDC5 8566CC69 AB760674 E802086B

  DDD7DF6A 3964355C 0F88B1AB 52E69373 D25A2877 3379ECAF A8D3DAE8 239C2708

  8B1C24DF 4210091C 8C3DF041 7B10147C E399480E 6A7D00DD 64D8AD86 528815E4

  7FAECE3C 2B

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

no power enable module 8

diagnostic bootup level minimal

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

redundancy

 main-cpu

  auto-sync running-config

 mode sso

vlan internal allocation policy descending

vlan dot1q tag native

vlan access-log ratelimit 2000

vlan 41

 name DeviceManagementHTA

vlan 42

 name DeviceManagement

vlan 43

 name WIRELESS-CONTROL

vlan 44

 name PhysicalSec

vlan 47

 name WAAS_Central_Manager

vlan 49

 name WAAS_DC

vlan 152

 name NorthSide_facing_ASA_Servers2

vlan 153

 name ACE_to_IDS_Servers2

vlan 154

 name SouthSide_facing_Servers2

vlan 162

 name NorthSide_facing_ASA_Servers1

vlan 163

 name ACE_to_IDS_Servers1

vlan 164

 name SouthSide_facing_Servers1

vlan 804

 name RSERV-2_to_RAGG-2-VDC-2

vlan 1000

interface Loopback0

 ip address 192.168.1.22 255.255.255.255

interface Loopback62

 ip address 192.168.62.162 255.255.255.255

interface GigabitEthernet1/1

 no ip address

 shutdown

interface GigabitEthernet1/2

 no ip address

 shutdown

interface GigabitEthernet1/3

 no ip address

 shutdown

interface GigabitEthernet1/4

 no ip address

 shutdown

interface GigabitEthernet1/5

 no ip address

 shutdown

interface GigabitEthernet1/6

 no ip address

 shutdown

interface GigabitEthernet1/7

 no ip address

 shutdown

interface GigabitEthernet1/8

 no ip address

 shutdown

interface GigabitEthernet1/9

 no ip address

 shutdown

interface GigabitEthernet1/10

 no ip address

 shutdown

interface GigabitEthernet1/11

 no ip address

 shutdown

interface GigabitEthernet1/12

 no ip address

 shutdown

interface GigabitEthernet1/13

 no ip address

 shutdown

interface GigabitEthernet1/14

 no ip address

 shutdown

interface GigabitEthernet1/15

 no ip address

 shutdown

interface GigabitEthernet1/16

 no ip address

 shutdown

interface TenGigabitEthernet2/1

 description to RAGG-2 vdc2 T1/15

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 162

 switchport mode trunk

interface TenGigabitEthernet2/2

 description to RAGG-2 vdc2 T1/16

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 152

 switchport mode trunk

interface TenGigabitEthernet2/3

 no ip address

 shutdown

interface TenGigabitEthernet2/4

 no ip address

 shutdown

interface TenGigabitEthernet2/5

 description to RAGG-2 vdc2 T1/18

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 41-44,164,804

 switchport mode trunk

interface TenGigabitEthernet2/6

 description to RAGG-2 vdc2 T1/17

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 154

 switchport mode trunk

interface TenGigabitEthernet2/7

 no ip address

 shutdown

interface TenGigabitEthernet2/8

 no ip address

 shutdown

interface GigabitEthernet5/1

 no ip address

 shutdown

interface GigabitEthernet5/2

 no ip address

 shutdown

interface GigabitEthernet6/1

 no ip address

 shutdown

interface GigabitEthernet6/2

 no ip address

 shutdown

interface GigabitEthernet7/1

 switchport

 switchport access vlan 42

interface GigabitEthernet7/2

 no ip address

interface GigabitEthernet7/3

 no ip address

interface GigabitEthernet7/4

 no ip address

interface GigabitEthernet7/5

 description WAE-DC-2

 switchport

 switchport access vlan 48

 switchport mode access

interface GigabitEthernet7/6

 no ip address

interface GigabitEthernet7/7

 no ip address

interface GigabitEthernet7/8

 no ip address

interface GigabitEthernet7/9

 no ip address

interface GigabitEthernet7/10

 no ip address

interface GigabitEthernet7/11

 no ip address

interface GigabitEthernet7/12

 no ip address

interface GigabitEthernet7/13

 no ip address

interface GigabitEthernet7/14

 no ip address

interface GigabitEthernet7/15

 no ip address

interface GigabitEthernet7/16

 no ip address

interface GigabitEthernet7/17

 no ip address

interface GigabitEthernet7/18

 no ip address

interface GigabitEthernet7/19

 no ip address

interface GigabitEthernet7/20

 no ip address

interface GigabitEthernet7/21

 no ip address

interface GigabitEthernet7/22

 no ip address

interface GigabitEthernet7/23

 description PAME-DC-1

 switchport

 switchport access vlan 44

 switchport mode access

interface GigabitEthernet7/24

 no ip address

interface GigabitEthernet7/25

 no ip address

interface GigabitEthernet7/26

 no ip address

interface GigabitEthernet7/27

 description ASA-WAN-2_M0

 switchport

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet7/28

 no ip address

interface GigabitEthernet7/29

 no ip address

interface GigabitEthernet7/30

 no ip address

interface GigabitEthernet7/31

 no ip address

interface GigabitEthernet7/32

 no ip address

interface GigabitEthernet7/33

 no ip address

interface GigabitEthernet7/34

 no ip address

interface GigabitEthernet7/35

 no ip address

interface GigabitEthernet7/36

 no ip address

interface GigabitEthernet7/37

 no ip address

interface GigabitEthernet7/38

 no ip address

interface GigabitEthernet7/39

 no ip address

interface GigabitEthernet7/40

 no ip address

interface GigabitEthernet7/41

 no ip address

interface GigabitEthernet7/42

 no ip address

interface GigabitEthernet7/43

 no ip address

interface GigabitEthernet7/44

 no ip address

interface GigabitEthernet7/45

 no ip address

interface GigabitEthernet7/46

 no ip address

interface GigabitEthernet7/47

 no ip address

interface GigabitEthernet7/48

 no ip address

interface Vlan1

 no ip address

 shutdown

interface Vlan42

 ip address 192.168.42.47 255.255.255.0

interface Vlan804

 description ** South Side facing Servers1 **

 ip address 192.168.130.14 255.255.255.252

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 <removed>

 ip ospf priority 0

router ospf 5

 router-id 192.168.1.22

 log-adjacency-changes

 area 81 authentication message-digest

 area 81 nssa

 area 81 range 192.168.0.0 255.255.0.0

 timers throttle spf 10 100 5000

 passive-interface default

 no passive-interface Vlan804

 network 192.168.0.0 0.0.255.255 area 81

ip classless

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.42.1 255 name backup_default

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Loopback0

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps hsrp

snmp-server enable traps MAC-Notification change move threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

dial-peer cor custom

banner exec C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp source Loopback0

ntp master 5

ntp update-calendar

ntp server 171.68.10.150

ntp server 171.68.10.80 prefer

mac-address-table aging-time 480

end

Access

SACCESS-1

! Last configuration change at 01:58:36 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:58:36 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

service compress-config

service sequence-numbers

hostname SACCESS-1

boot-start-marker

boot-end-marker

logging snmp-authfail

logging buffered 51200 debugging

enable secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 
<removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

ip subnet-zero

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

no ip bootp server

ip ssh version 2

ip scp server enable

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

vtp mode transparent

password encryption aes

crypto pki trustpoint TP-self-signed-112603

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-112603

 revocation-check none

 rsakeypair TP-self-signed-112603

crypto pki certificate chain TP-self-signed-112603

 certificate self-signed 01

  <removed>

  quit

power redundancy-mode redundant

archive

 log config

  logging enable

  hidekeys

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

vlan 20,41-43

vlan 44

 name PhysicalSec

vlan 45-50,52,62

vlan 64

 name Databases

vlan 72,146,164,256,666,1000

interface Loopback0

 no ip address

interface Port-channel1

 description to Aggregation Switches

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 38,41,42,44

 switchport mode trunk

 logging event link-status

 flowcontrol receive on

interface GigabitEthernet1/1

 description SRV-DC-1

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/2

 description SRV-DC-2

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 41

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/3

 description SRV-DC-3

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/4

 description SRV-DC-4

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/5

 description SRV-DC-5

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/6

 description SRV-DC-6=CUAE

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/7

 description SRV-DC-7=CCM511

 switchport access vlan 45

 spanning-tree portfast

interface GigabitEthernet1/8

 description SRV-DC-8 - Oracle RDBMS 10g

 switchport access vlan 64

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 64

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/9

 description MSP-DC-1

 switchport access vlan 44

 switchport trunk encapsulation dot1q

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet1/10

 description SRV-DC-10

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/11

 description SRV-DC-11

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/12

 description SRV-DC-12

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/13

 description SRV-DC-13

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/14

 description SRV-DC-14

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/15

 description SRV-DC-15

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/16

 description SRV-DC-16

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/17

 description SRV-DC-17

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/18

 description SRV-DC-18

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/19

 description SRV-DC-19

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/20

 description SRV-DC-20

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/21

 description SRV-DC-21

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/22

 description SRV-DC-22

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/23

 description SRV-DC-23

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/24

 description SRV-DC-24

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/25

 description SRV-DC-25

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/26

 description server 14 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/27

 description server 15 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/28

 description server 16 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/29

 description server 18 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/30

 description server 19 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/31

 description server 20 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/32

 description server 21 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/33

 description VXML Rouer VEM

 switchport access vlan 45

 spanning-tree portfast

interface GigabitEthernet1/34

 description SPAN to SRV-DC-28-NICE VoiceRecorder

 switchport trunk encapsulation dot1q

 spanning-tree portfast

interface GigabitEthernet1/35

 description Small store 1800 server e1

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 spanning-tree portfast

interface GigabitEthernet1/36

 description small store 1800 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/37

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/38

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/39

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/40

 description IPcelerate Server

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/41

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/42

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/43

 description EMC SAN Mgt-A

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/44

 description PRomise SAN M1

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/45

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet1/46

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/47

 description Uplink to RSERV-1 Management G7/1

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet1/48

 description Uplink to RSERV-2 Management G7/1

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast

interface TenGigabitEthernet1/49

 description Uplink to RAGG-1-VDC2 T1/13

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 38,41,42,44

 switchport mode trunk

 channel-group 1 mode active

 spanning-tree portfast trunk

interface TenGigabitEthernet1/50

 description Uplink to RAGG-2-VDC2 T1/13

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 38,41,42,44

 switchport mode trunk

 channel-group 1 mode active

 spanning-tree portfast trunk

interface Vlan1

 no ip address

interface Vlan42

 ip address 192.168.42.33 255.255.255.0

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.42.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan42

logging source-interface Vlan42

logging 192.168.42.121

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan42

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps entity

snmp-server enable traps flash insertion removal

snmp-server enable traps cpu threshold

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps hsrp

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

no tacacs-server directed-request

tacacs-server key 7 <removed>

radius-server source-ports 1645-1646

control-plane

banner exec

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

monitor session 1 source interface Gi1/33

monitor session 1 destination interface Gi1/34

ntp clock-period 17181001

ntp server 192.168.0.1

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

SACCESS-2

! Last configuration change at 01:59:33 PST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:59:33 PST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service compress-config

service sequence-numbers

hostname SACCESS-2

boot-start-marker

boot-end-marker

logging buffered 51200 debugging

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PST recurring

vtp mode transparent

ip subnet-zero

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

no ip bootp server

ip ssh version 2

ip scp server enable

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

power redundancy-mode redundant

vlan internal allocation policy ascending

vlan 20,40-43

vlan 44

 name PhysicalSec

vlan 45-49,52,62,64,72,146,164,256,666,1000

interface Port-channel2

 description to Aggregation Switches

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 38,41,42,44

 switchport mode trunk

 logging event link-status

 flowcontrol receive on

interface GigabitEthernet1/1

 description SRV-DC-1

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/2

 description SRV-DC-2

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/3

 description SRV-DC-3

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/4

 description SRV-DC-4

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/5

 description SRV-DC-5

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/6

 description SRV-DC-6=CUAE

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/7

 description SRV-DC-7=CCM511

 switchport access vlan 45

 spanning-tree portfast

interface GigabitEthernet1/8

 description SRV-DC-8

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/9

 description MSP-DC-1

 switchport access vlan 44

 switchport trunk encapsulation dot1q

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet1/10

 description SRV-DC-10

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/11

 description SRV-DC-11

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/12

 description SRV-DC-12

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/13

 description SRV-DC-13

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/14

 description SRV-DC-14

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/15

 description SRV-DC-15

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/16

 description SRV-DC-16

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/17

 description SRV-DC-17

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/18

 description SRV-DC-18

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/19

 description SRV-DC-19

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/20

 description SRV-DC-20

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/21

 description SRV-DC-21

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/22

 description SRV-DC-22

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 4094

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/23

 description SRV-DC-23

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/24

 description SRV-DC-24

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/25

 description SRV-DC-25

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/26

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/27

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/28

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/29

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/30

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/31

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/32

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/33

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/34

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/35

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/36

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/37

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/38

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/39

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/40

 description IPcelerate Server

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/41

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/42

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/43

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/44

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/45

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 spanning-tree portfast trunk

interface GigabitEthernet1/46

 switchport access vlan 42

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 42

 switchport mode trunk

 shutdown

 spanning-tree portfast trunk

interface GigabitEthernet1/47

 description TEMP Uplink to RSERV-1 Management G7/2

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet1/48

 description TEMP Uplink to RSERV-2 Management G7/2

 switchport access vlan 42

 switchport mode access

 spanning-tree portfast

interface TenGigabitEthernet1/49

 description Uplink to RAGG-1-VDC2 T1/14

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 38,41,42,44

 switchport mode trunk

 spanning-tree portfast trunk

 channel-group 2 mode active

interface TenGigabitEthernet1/50

 description Uplink to RAGG-2-VDC2 T1/14

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 38,41,42,44

 switchport mode trunk

 spanning-tree portfast trunk

 channel-group 2 mode active

interface Vlan1

 no ip address

interface Vlan42

 ip address 192.168.42.34 255.255.255.0

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.42.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan42

logging trap debugging

logging source-interface Vlan42

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan42

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps port-security

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps flash insertion removal

snmp-server enable traps syslog

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps hsrp

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

radius-server source-ports 1645-1646

banner exec

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 17181029

ntp source Vlan42

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

SACCESS-3

!Command: show running-config

!Time: Sat Apr 30 01:56:18 2011

version 5.0(3)N1(1b)

feature fcoe

feature privilege

no feature telnet

no telnet server enable

feature tacacs+

cfs eth distribute

feature lacp

feature vpc

feature lldp

feature fex

username admin password 5 <removed>   role network-admin

username retail password 5 <removed>   role network-admin

username bart password 5 <removed>  role network-admin

username emc-ncm password 5 <removed>  role network-admin

enable secret 5 <removed>

banner motd #

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip host SACCESS-3 192.168.41.33

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf management

    source-interface mgmt0

hostname SACCESS-3

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.41.33/32

  20 permit ip 192.168.41.101/32 192.168.41.33/32

  30 permit ip 192.168.41.102/32 192.168.41.33/32

  40 permit ip 192.168.42.111/32 192.168.41.33/32

  50 permit ip 192.168.42.122/32 192.168.41.33/32

  60 permit ip 192.168.42.131/32 192.168.41.33/32

  70 permit ip 192.168.42.133/32 192.168.41.33/32

  80 permit ip 192.168.42.138/32 192.168.41.33/32

  90 permit ip 10.19.151.99/32 192.168.41.33/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.41.33/32

  20 deny ip any any

class-map type qos class-fcoe

class-map type queuing class-all-flood

  match qos-group 2

class-map type queuing class-ip-multicast

  match qos-group 2

class-map type network-qos class-all-flood

  match qos-group 2

class-map type network-qos class-ip-multicast

  match qos-group 2

snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server host 192.168.41.101 traps version 2c public  udp-port 2162

no snmp-server enable traps entity entity_mib_change

no snmp-server enable traps entity entity_module_status_change

no snmp-server enable traps entity entity_power_status_change

no snmp-server enable traps entity entity_module_inserted

no snmp-server enable traps entity entity_module_removed

no snmp-server enable traps entity entity_unrecognised_module

no snmp-server enable traps entity entity_fan_status_change

no snmp-server enable traps rf redundancy_framework

snmp-server enable traps entity fru

ntp server 192.168.62.161 use-vrf management

ntp server 192.168.62.162 use-vrf management

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context management

  ip route 0.0.0.0/0 192.168.41.1

vlan 1

vlan 36

  name DeviceMgmtHigh

vlan 37

  name DeviceMgmtLow

vlan 38

  name HyTrust

vlan 40

  name Server_iLO

vlan 41

  name ESX_Server

vlan 42

  name CoreManagement

vlan 43

  name WirelessSystems

vlan 45

vlan 52

  name POS

vlan 80-82,140-141

vlan 302

  fcoe vsan 2

vsan database

  vsan 2 name "Promise-2"

fcdomain fcid database

  vsan 2 wwn 21:00:00:1b:32:00:ab:0d fcid 0xee0000 area dynamic

  vsan 2 wwn 21:00:00:1b:32:00:70:0d fcid 0xee0100 area dynamic

  vsan 2 wwn 21:00:00:1b:32:00:33:0c fcid 0xee0200 area dynamic

  vsan 2 wwn 21:00:00:1b:32:00:5d:0d fcid 0xee0300 area dynamic

  vsan 2 wwn 21:00:00:1b:32:80:0b:10 fcid 0xee0400 area dynamic

  vsan 2 wwn 21:00:00:1b:32:80:52:10 fcid 0xee0500 area dynamic

  vsan 2 wwn 21:00:00:1b:32:80:da:0f fcid 0xee0600 area dynamic

  vsan 2 wwn 21:00:00:1b:32:00:3a:0c fcid 0xee0700 area dynamic

  vsan 2 wwn 21:00:00:1b:32:80:f1:0f fcid 0xee0800 area dynamic

  vsan 1 wwn 26:01:00:01:55:35:7e:44 fcid 0xee0000 dynamic

  vsan 2 wwn 21:00:00:1b:32:00:5e:0d fcid 0xee0900 area dynamic

interface port-channel3

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

interface vfc513

  bind interface Ethernet1/13

  no shutdown

interface vfc514

  bind interface Ethernet1/14

  no shutdown

interface vfc515

  bind interface Ethernet1/15

  no shutdown

interface vfc516

  bind interface Ethernet1/16

  no shutdown

interface vfc517

  bind interface Ethernet1/17

  no shutdown

interface vfc518

  bind interface Ethernet1/18

  no shutdown

interface vfc519

  bind interface Ethernet1/19

  no shutdown

interface vfc520

  bind interface Ethernet1/20

  no shutdown

interface vfc521

  bind interface Ethernet1/21

  no shutdown

interface vfc522

  bind interface Ethernet1/22

  no shutdown

interface vfc523

  bind interface Ethernet1/23

  no shutdown

interface vfc524

  bind interface Ethernet1/24

  no shutdown

interface vfc525

  bind interface Ethernet1/25

  no shutdown

interface vfc526

  bind interface Ethernet1/26

  no shutdown

interface vfc527

  bind interface Ethernet1/27

  no shutdown

interface vfc528

  bind interface Ethernet1/28

  no shutdown

interface vfc529

  bind interface Ethernet1/29

  no shutdown

interface vfc530

  bind interface Ethernet1/30

  no shutdown

interface vfc531

  bind interface Ethernet1/31

  no shutdown

interface vfc532

  bind interface Ethernet1/32

  no shutdown

interface vfc505

  bind interface Ethernet1/5

  no shutdown

interface vfc506

  bind interface Ethernet1/6

  no shutdown

interface vfc507

  bind interface Ethernet1/7

  no shutdown

interface vfc508

  bind interface Ethernet1/8

  no shutdown

interface vfc509

  bind interface Ethernet1/9

  no shutdown

interface vfc510

  bind interface Ethernet1/10

  no shutdown

interface vfc511

  bind interface Ethernet1/11

  no shutdown

interface vfc512

  bind interface Ethernet1/12

  no shutdown

vsan database

  vsan 2 interface vfc513

  vsan 2 interface vfc514

  vsan 2 interface vfc515

  vsan 2 interface vfc516

  vsan 2 interface vfc517

  vsan 2 interface vfc518

  vsan 2 interface vfc519

  vsan 2 interface vfc520

  vsan 2 interface vfc521

  vsan 2 interface vfc522

  vsan 2 interface vfc523

  vsan 2 interface vfc524

  vsan 2 interface vfc525

  vsan 2 interface vfc526

  vsan 2 interface vfc527

  vsan 2 interface vfc528

  vsan 2 interface vfc529

  vsan 2 interface vfc530

  vsan 2 interface vfc531

  vsan 2 interface vfc532

  vsan 4094 interface vfc505

  vsan 4094 interface vfc506

  vsan 4094 interface vfc507

  vsan 4094 interface vfc508

  vsan 4094 interface vfc509

  vsan 4094 interface vfc510

  vsan 2 interface vfc511

  vsan 2 interface vfc512

  vsan 2 interface fc2/1

  vsan 2 interface fc2/2

  vsan 2 interface fc2/3

  vsan 2 interface fc2/4

  vsan 2 interface fc3/1

  vsan 2 interface fc3/2

  vsan 2 interface fc3/3

  vsan 2 interface fc3/4

interface fc2/1

  switchport description Connection to MDS-DC-1

  no shutdown

interface fc2/2

interface fc2/3

interface fc2/4

interface fc3/1

  switchport description Connection to Promise 600 san

  no shutdown

interface fc3/2

interface fc3/3

interface fc3/4

interface Ethernet1/1

  description to DC-F-UCS-1 TG0/1

  switchport mode trunk

  spanning-tree port type network

interface Ethernet1/2

  description to DC-F-UCS-1 TG0/2

  switchport mode trunk

  spanning-tree port type network

interface Ethernet1/3

  description to DC-F-UCS-2 TG0/3

  switchport mode trunk

  spanning-tree port type network

interface Ethernet1/4

  description to DC-F-UCS-2 TG0/4

  switchport mode trunk

  spanning-tree port type network

interface Ethernet1/5

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/6

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/7

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/8

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/9

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/10

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/11

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/12

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/13

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/14

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/15

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/16

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/17

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/18

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/19

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/20

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/21

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/22

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/23

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/24

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/25

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/26

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/27

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/28

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/29

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/30

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/31

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/32

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/33

  description to RAGG-1-VDC2 TG1/9

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 3 mode active

interface Ethernet1/34

  description to RAGG-1-VDC2 TG1/10

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 3 mode active

interface Ethernet1/35

  description to RAGG-2-VDC2 TG1/11

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 3 mode active

interface Ethernet1/36

  description to RAGG-2-VDC2 TG1/12

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 3 mode active

interface Ethernet1/37

  shutdown

interface Ethernet1/38

  shutdown

interface Ethernet1/39

  description to SACCESS-4

  shutdown

interface Ethernet1/40

  description to SACCESS-4

  shutdown

interface Ethernet2/1

interface Ethernet2/2

interface Ethernet2/3

interface Ethernet2/4

interface Ethernet3/1

interface Ethernet3/2

interface Ethernet3/3

interface Ethernet3/4

interface mgmt0

  ip address 192.168.41.33/24

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

system default zone default-zone permit

system default zone distribute full

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

boot kickstart bootflash:/n5000-uk9-kickstart.5.0.3.N1.1b.bin

boot system bootflash:/n5000-uk9.5.0.3.N1.1b.bin

interface fc2/2

interface fc2/3

interface fc2/4

interface fc2/1

  switchport fcrxbbcredit 1

  switchport fcrxbbcredit 2 mode E

interface fc3/1

interface fc3/2

interface fc3/3

interface fc3/4

logging server 192.168.42.124 6

zone default-zone permit vsan 2

zoneset distribute full vsan 2

!Full Zone Database Section for vsan 2

zone name global_zone vsan 2

    member pwwn 26:00:00:01:55:35:7e:44

    member pwwn 26:02:00:01:55:35:7e:44

    member pwwn 10:00:00:00:c9:75:68:c3

    member pwwn 10:00:00:00:c9:77:92:e9

    member pwwn 10:00:00:00:c9:77:db:c3

    member pwwn 10:00:00:00:c9:77:dc:c3

    member pwwn 10:00:00:00:c9:77:dd:bc

    member pwwn 21:00:00:1b:32:00:33:0c

    member pwwn 21:00:00:1b:32:00:3a:0c

    member pwwn 21:00:00:1b:32:00:5d:0d

    member pwwn 21:00:00:1b:32:00:5e:0d

    member pwwn 21:00:00:1b:32:00:70:0d

    member pwwn 21:00:00:1b:32:00:ab:0d

    member pwwn 21:00:00:1b:32:80:0b:10

    member pwwn 21:00:00:1b:32:80:52:10

    member pwwn 21:00:00:1b:32:80:da:0f

    member pwwn 21:00:00:1b:32:80:f1:0f

zoneset name promise-2_zs vsan 2

    member global_zone

zoneset activate name promise-2_zs vsan 2

SACCESS-4

!Command: show running-config

!Time: Sat Apr 30 01:57:14 2011

version 5.0(3)N1(1b)

feature fcoe

feature privilege

no feature telnet

no telnet server enable

feature tacacs+

cfs eth distribute

feature lacp

feature vpc

feature lldp

feature fex

username admin password 5 <removed> role network-admin

username retail password 5 <removed> role network-admin

username emc-ncm password 5 <removed> role network-admin

username bart password 5 <removed> role network-admin

enable secret 5 <removed>

banner motd #

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip host SACCESS-4 192.168.41.34

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

    use-vrf management

    source-interface mgmt0

switchname SACCESS-4

ip access-list 23

  statistics per-entry

  10 permit ip 127.0.0.1/32 192.168.41.34/32

  20 permit ip 192.168.41.101/32 192.168.41.34/32

  30 permit ip 192.168.41.102/32 192.168.41.34/32

  40 permit ip 192.168.42.111/32 192.168.41.34/32

  50 permit ip 192.168.42.122/32 192.168.41.34/32

  60 permit ip 192.168.42.131/32 192.168.41.34/32

  70 permit ip 192.168.42.133/32 192.168.41.34/32

  80 permit ip 192.168.42.138/32 192.168.41.34/32

  90 permit ip 10.19.151.99/32 192.168.41.34/32

  100 deny ip any any

ip access-list 88

  statistics per-entry

  10 permit ip 192.168.42.122/32 192.168.41.34/32

  20 deny ip any any

class-map type qos class-fcoe

class-map type queuing class-all-flood

  match qos-group 2

class-map type queuing class-ip-multicast

  match qos-group 2

class-map type network-qos class-all-flood

  match qos-group 2

class-map type network-qos class-ip-multicast

  match qos-group 2

snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server enable traps entity fru

no snmp-server enable traps entity entity_mib_change

no snmp-server enable traps entity entity_module_status_change

no snmp-server enable traps entity entity_power_status_change

no snmp-server enable traps entity entity_module_inserted

no snmp-server enable traps entity entity_module_removed

no snmp-server enable traps entity entity_unrecognised_module

no snmp-server enable traps entity entity_fan_status_change

no snmp-server enable traps rf redundancy_framework

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

vrf context management

  ip route 0.0.0.0/0 192.168.41.1

vlan 1

vlan 36

  name DeviceMgmtHigh

vlan 37

  name DeviceMgmtLow

vlan 38

  name HyTrust

vlan 40

  name Server_iLO

vlan 41

  name ESX_Server

vlan 42

  name CoreManagement

vlan 45,80-82,141-142

vlan 402

  fcoe vsan 2

vsan database

  vsan 2

fcdomain fcid database

  vsan 2 wwn 21:01:00:1b:32:20:5e:0d fcid 0xa20000 area dynamic

  vsan 2 wwn 21:01:00:1b:32:20:ab:0d fcid 0xa20100 area dynamic

  vsan 2 wwn 21:01:00:1b:32:20:70:0d fcid 0xa20200 area dynamic

  vsan 2 wwn 21:01:00:1b:32:20:33:0c fcid 0xa20300 area dynamic

  vsan 2 wwn 21:01:00:1b:32:20:5d:0d fcid 0xa20400 area dynamic

  vsan 2 wwn 21:01:00:1b:32:a0:0b:10 fcid 0xa20500 area dynamic

  vsan 2 wwn 21:01:00:1b:32:a0:52:10 fcid 0xa20600 area dynamic

  vsan 2 wwn 21:01:00:1b:32:a0:da:0f fcid 0xa20700 area dynamic

  vsan 2 wwn 21:01:00:1b:32:a0:f1:0f fcid 0xa20800 area dynamic

  vsan 2 wwn 21:01:00:1b:32:20:3a:0c fcid 0xa20900 area dynamic

interface port-channel4

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

interface vfc513

  bind interface Ethernet1/13

  no shutdown

interface vfc514

  bind interface Ethernet1/14

  no shutdown

interface vfc515

  bind interface Ethernet1/15

  no shutdown

interface vfc516

  bind interface Ethernet1/16

  no shutdown

interface vfc517

  bind interface Ethernet1/17

  no shutdown

interface vfc518

  bind interface Ethernet1/18

  no shutdown

interface vfc519

  bind interface Ethernet1/19

  no shutdown

interface vfc520

  bind interface Ethernet1/20

  no shutdown

interface vfc521

  bind interface Ethernet1/21

  no shutdown

interface vfc522

  bind interface Ethernet1/22

  no shutdown

interface vfc523

  bind interface Ethernet1/23

  no shutdown

interface vfc524

  bind interface Ethernet1/24

  no shutdown

interface vfc525

  bind interface Ethernet1/25

  no shutdown

interface vfc526

  bind interface Ethernet1/26

  no shutdown

interface vfc527

  bind interface Ethernet1/27

  no shutdown

interface vfc528

  bind interface Ethernet1/28

  no shutdown

interface vfc529

  bind interface Ethernet1/29

  no shutdown

interface vfc530

  bind interface Ethernet1/30

  no shutdown

interface vfc531

  bind interface Ethernet1/31

  no shutdown

interface vfc532

  bind interface Ethernet1/32

  no shutdown

interface vfc505

  bind interface Ethernet1/5

  no shutdown

interface vfc506

  bind interface Ethernet1/6

  no shutdown

interface vfc507

  bind interface Ethernet1/7

  no shutdown

interface vfc508

  bind interface Ethernet1/8

  no shutdown

interface vfc509

  bind interface Ethernet1/9

  no shutdown

interface vfc510

  bind interface Ethernet1/10

  no shutdown

interface vfc511

  bind interface Ethernet1/11

  no shutdown

interface vfc512

  bind interface Ethernet1/12

  no shutdown

vsan database

  vsan 2 interface vfc513

  vsan 2 interface vfc514

  vsan 2 interface vfc515

  vsan 2 interface vfc516

  vsan 2 interface vfc517

  vsan 2 interface vfc518

  vsan 2 interface vfc519

  vsan 2 interface vfc520

  vsan 2 interface vfc521

  vsan 2 interface vfc522

  vsan 2 interface vfc523

  vsan 2 interface vfc524

  vsan 2 interface vfc525

  vsan 2 interface vfc526

  vsan 2 interface vfc527

  vsan 2 interface vfc528

  vsan 2 interface vfc529

  vsan 2 interface vfc530

  vsan 2 interface vfc531

  vsan 2 interface vfc532

  vsan 2 interface vfc505

  vsan 2 interface vfc506

  vsan 2 interface vfc507

  vsan 2 interface vfc508

  vsan 2 interface vfc509

  vsan 2 interface vfc510

  vsan 2 interface vfc511

  vsan 2 interface vfc512

  vsan 2 interface fc3/1

interface fc2/1

  switchport description Connection to MDS-DC-1

  no shutdown

interface fc2/2

interface fc2/3

interface fc2/4

interface fc3/1

  switchport description Connection to Promise 600 san

  no shutdown

interface fc3/2

interface fc3/3

interface fc3/4

interface Ethernet1/1

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/2

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/3

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/4

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/5

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/6

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/7

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/8

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/9

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/10

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/11

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/12

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/13

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/14

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/15

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/16

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/17

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/18

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/19

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/20

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/21

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/22

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/23

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/24

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/25

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/26

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/27

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/28

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/29

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/30

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/31

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/32

  switchport mode trunk

  spanning-tree port type edge trunk

interface Ethernet1/33

  description to RAGG-2-VDC2 TG1/9

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 4 mode active

interface Ethernet1/34

  description to RAGG-2-VDC2 TG1/10

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 4 mode active

interface Ethernet1/35

  description to RAGG-1-VDC2 TG1/11

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 4 mode active

interface Ethernet1/36

  description to RAGG-1-VDC2 TG1/12

  switchport mode trunk

  switchport trunk allowed vlan 38,41-45,52

  spanning-tree port type network

  channel-group 4 mode active

interface Ethernet1/37

  shutdown

interface Ethernet1/38

  shutdown

interface Ethernet1/39

  description link to SACCESS-3

  shutdown

interface Ethernet1/40

  description link to SACCESS-3

  shutdown

interface Ethernet2/1

interface Ethernet2/2

interface Ethernet2/3

interface Ethernet2/4

interface Ethernet3/1

interface Ethernet3/2

interface Ethernet3/3

interface Ethernet3/4

interface mgmt0

  ip address 192.168.41.34/24

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

line console

  exec-timeout 15

line vty

  exec-timeout 15

  access-class 23 in

boot kickstart bootflash:/n5000-uk9-kickstart.5.0.3.N1.1b.bin

boot system bootflash:/n5000-uk9.5.0.3.N1.1b.bin

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc3/1

interface fc3/2

interface fc3/3

interface fc3/4

logging server 192.168.42.124 6

zone default-zone permit vsan 2

!Full Zone Database Section for vsan 2

zone name global_zone vsan 2

zoneset name promise-2_zs vsan 2

    member global_zone

SACCESS-5

! Last configuration change at 02:02:07 PST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:02:10 PST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname SACCESS-5

boot-start-marker

boot-end-marker

logging buffered 51200

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PST recurring

switch 1 provision ws-c3750e-48td

system mtu routing 1500

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 65535

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-2654502656

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-2654502656

 revocation-check none

 rsakeypair TP-self-signed-2654502656

crypto pki certificate chain TP-self-signed-2654502656

 certificate self-signed 01

  <removed>   quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

vlan dot1q tag native

ip ssh version 2

ip scp server enable

interface FastEthernet0

 no ip address

 shutdown

interface GigabitEthernet1/0/1

 description SRV-DC-22 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/2

 description SRV-DC-23 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/3

 description SRV-DC-24 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/4

 description SRV-DC-25 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/5

 description SRV-DC-26 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/6

 description SRV-DC-27 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/7

 description SRV-DC-28 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/8

 description SRV-DC-29 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/9

 description SRV-DC-30 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/10

 description SRV-DC-31 iLO

 switchport access vlan 40

 spanning-tree portfast

interface GigabitEthernet1/0/11

 description DC-UCSFabric-1-A Mgmt0

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/12

 description DC-UCSFabric-1-B Mgmt0

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/13

 description DC-ASA-1 Mgmt0

 switchport access vlan 42

 spanning-tree portfast

interface GigabitEthernet1/0/14

 description DC-ASA-2 Mgmt0

 switchport access vlan 42

 spanning-tree portfast

interface GigabitEthernet1/0/15

interface GigabitEthernet1/0/16

interface GigabitEthernet1/0/17

interface GigabitEthernet1/0/18

interface GigabitEthernet1/0/19

interface GigabitEthernet1/0/20

interface GigabitEthernet1/0/21

interface GigabitEthernet1/0/22

 description SRV-DC-22 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/23

 description SRV-DC-23 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/24

 description SRV-DC-24 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/25

 description SRV-DC-25 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/26

 description SRV-DC-26 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/27

 description SRV-DC-27 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/28

 description SRV-DC-28 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/29

 description SRV-DC-29 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/30

 description SRV-DC-30 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/31

 description SRV-DC-31 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/32

 description SRV-DC-32 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/33

 description SRV-DC-33 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/34

 description SRV-DC-34 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/35

 description SRV-DC-35 ESXi

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/36

interface GigabitEthernet1/0/37

 description SACCESS-3 Mgmt

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/38

 description SACCESS-4 Mgmt

 switchport access vlan 41

 spanning-tree portfast

interface GigabitEthernet1/0/39

 description RCORE-1 Mgmt-a

 switchport access vlan 42

 spanning-tree portfast

interface GigabitEthernet1/0/40

 description RCORE-1 Mgmt-b

 switchport access vlan 42

 spanning-tree portfast

interface GigabitEthernet1/0/41

 description RCORE-2 Mgmt-a

 switchport access vlan 42

 spanning-tree portfast

interface GigabitEthernet1/0/42

 description RCORE-2 Mgmt-b

 switchport access vlan 42

 spanning-tree portfast

interface GigabitEthernet1/0/43

interface GigabitEthernet1/0/44

interface GigabitEthernet1/0/45

interface GigabitEthernet1/0/46

interface GigabitEthernet1/0/47

 description Uplink to RAGG-2-vdc2 T2/13

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet1/0/48

 description Uplink to RAGG-1-vdc2 T2/13

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet1/0/49

interface GigabitEthernet1/0/50

interface GigabitEthernet1/0/51

interface GigabitEthernet1/0/52

interface TenGigabitEthernet1/0/1

interface TenGigabitEthernet1/0/2

interface Vlan1

 no ip address

 shutdown

interface Vlan41

 ip address 192.168.41.222 255.255.255.0

interface Vlan42

 ip address 192.168.42.30 255.255.255.0

interface Vlan1000

 no ip address

ip default-gateway 192.168.42.1

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan42

ip sla enable reaction-alerts

logging trap debugging

logging source-interface Vlan42

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan42

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps power-ethernet group 1-4

snmp-server enable traps power-ethernet police

snmp-server enable traps cpu threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps errdisable

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131 timeout 5

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36029147

ntp source Vlan42

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

Storage

MDS-DC-1-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:47:39 2011

version 5.0(1a)

system default switchport mode F

feature npiv

feature privilege

feature tacacs+

role name default-role

  description This is a system defined role and applies to all users.

  rule 5 permit show feature environment

  rule 4 permit show feature hardware

  rule 3 permit show feature module

  rule 2 permit show feature snmp

  rule 1 permit show feature system

username admin password 5 <removed> role network-admin

username retail password 5 <removed>   role network-admin

username emc-ncm password 5 <removed>   role network-admin

username bart password 5 <removed>   role network-admin

enable secret 5 <removed>

banner motd #WARNING:    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail 
****                    **** AUTHORIZED USERS ONLY! ****ANY USE OF THIS COMPUTER NETWORK 
SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENTTO MONITORING OF SUCH USE AND TO SUCH 
ADDITIONAL MONITORING AS MAY BE NECESSARYTO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM 
ADMINISTRATOR OR OTHERREPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY 
TIME WITHOUTFURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY 
OTHERCRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAWENFORCEMENT 
OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.UNAUTHORIZED ACCESS IS A VIOLATION 
OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.#

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip host MDS-DC-1 192.168.41.51

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

aaa group server radius radius

snmp-server user bart network-admin auth md5 <removed>  priv <removed>  localizedkey

snmp-server user admin network-admin auth md5 <removed>  priv <removed>  localizedkey

snmp-server user retail network-admin auth md5 <removed>  priv <removed>  localizedkey

snmp-server user emc-ncm network-admin auth md5 <removed>  priv <removed>  localizedkey

snmp-server host 192.168.41.101 traps version 2c public  udp-port 2162

snmp-server host 192.168.42.121 traps version 3 auth public

no snmp-server enable traps entity entity_mib_change

no snmp-server enable traps entity entity_module_status_change

no snmp-server enable traps entity entity_power_status_change

no snmp-server enable traps entity entity_module_inserted

no snmp-server enable traps entity entity_module_removed

no snmp-server enable traps entity entity_unrecognised_module

no snmp-server enable traps entity entity_fan_status_change

no snmp-server enable traps entity entity_power_out_change

no snmp-server enable traps rf redundancy_framework

ntp server 192.168.62.161

ntp server 192.168.62.162

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.51 0.0.0.0

ip access-list 23 deny ip any any log-deny

vsan database

  vsan 2 name "Promise-2"

  vsan 10 name "UIM_VSAN_A_10"

fcdomain fcid database

  vsan 1 wwn 50:00:40:20:03:fc:44:6a fcid 0x020000 dynamic

  vsan 1 wwn 50:00:40:21:03:fc:44:6a fcid 0x020001 dynamic

  vsan 1 wwn 21:00:00:e0:8b:19:70:09 fcid 0x020100 area dynamic

  vsan 1 wwn 20:89:00:05:30:00:99:de fcid 0x020200 area dynamic

  vsan 1 wwn 20:8a:00:05:30:00:99:de fcid 0x020300 area dynamic

  vsan 1 wwn 23:00:00:05:30:00:99:e0 fcid 0x020002 dynamic

  vsan 1 wwn 23:01:00:05:30:00:99:e0 fcid 0x020003 dynamic

  vsan 1 wwn 23:02:00:05:30:00:99:e0 fcid 0x020004 dynamic

  vsan 1 wwn 23:03:00:05:30:00:99:e0 fcid 0x020005 dynamic

  vsan 1 wwn 23:04:00:05:30:00:99:e0 fcid 0x020006 dynamic

  vsan 1 wwn 23:05:00:05:30:00:99:e0 fcid 0x020007 dynamic

  vsan 1 wwn 23:06:00:05:30:00:99:e0 fcid 0x020008 dynamic

  vsan 1 wwn 23:07:00:05:30:00:99:e0 fcid 0x020009 dynamic

  vsan 1 wwn 23:08:00:05:30:00:99:e0 fcid 0x02000a dynamic

  vsan 1 wwn 22:02:00:05:30:00:99:e0 fcid 0x02000b dynamic

  vsan 1 wwn 22:04:00:05:30:00:99:e0 fcid 0x02000c dynamic

  vsan 1 wwn 22:06:00:05:30:00:99:e0 fcid 0x02000d dynamic

  vsan 1 wwn 22:08:00:05:30:00:99:e0 fcid 0x02000e dynamic

  vsan 1 wwn 22:0a:00:05:30:00:99:e0 fcid 0x02000f dynamic

  vsan 1 wwn 22:0c:00:05:30:00:99:e0 fcid 0x020010 dynamic

  vsan 1 wwn 10:00:00:00:c9:60:df:80 fcid 0x020011 dynamic

  vsan 1 wwn 23:12:00:05:30:00:99:e0 fcid 0x020012 dynamic

  vsan 1 wwn 23:13:00:05:30:00:99:e0 fcid 0x020013 dynamic

  vsan 1 wwn 23:14:00:05:30:00:99:e0 fcid 0x020014 dynamic

  vsan 1 wwn 23:15:00:05:30:00:99:e0 fcid 0x020015 dynamic

  vsan 1 wwn 23:17:00:05:30:00:99:e0 fcid 0x020016 dynamic

  vsan 1 wwn 23:16:00:05:30:00:99:e0 fcid 0x020017 dynamic

  vsan 1 wwn 23:18:00:05:30:00:99:e0 fcid 0x020018 dynamic

  vsan 1 wwn 23:19:00:05:30:00:99:e0 fcid 0x020019 dynamic

  vsan 1 wwn 11:00:00:00:00:00:00:01 fcid 0x02001a dynamic

  vsan 1 wwn 20:00:00:00:00:00:00:01 fcid 0x02001b dynamic

  vsan 1 wwn 10:00:00:00:c9:77:94:21 fcid 0x02001c dynamic

  vsan 1 wwn 10:00:00:00:c9:77:92:e9 fcid 0x02001d dynamic

  vsan 1 wwn 10:00:00:00:c9:77:dd:bc fcid 0x02001e dynamic

  vsan 1 wwn 20:41:00:05:9b:73:10:c0 fcid 0x02001f dynamic

  vsan 1 wwn 20:41:00:05:9b:73:17:40 fcid 0x020020 dynamic

  vsan 1 wwn 10:00:00:00:c9:77:dc:c3 fcid 0x020021 dynamic

  vsan 1 wwn 10:00:00:00:c9:75:68:c3 fcid 0x020022 dynamic

  vsan 1 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0x020400 area dynamic

  vsan 1 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0x020500 area dynamic

  vsan 1 wwn 10:00:00:00:c9:77:db:c3 fcid 0x020023 dynamic

  vsan 2 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0xef0000 area dynamic

  vsan 2 wwn 10:00:00:00:c9:75:68:c3 fcid 0xef0100 dynamic

  vsan 2 wwn 10:00:00:00:c9:77:dc:c3 fcid 0xef0101 dynamic

  vsan 2 wwn 10:00:00:00:c9:77:dd:bc fcid 0xef0102 dynamic

  vsan 2 wwn 10:00:00:00:c9:77:db:c3 fcid 0xef0103 dynamic

  vsan 2 wwn 10:00:00:00:c9:77:92:e9 fcid 0xef0104 dynamic

  vsan 2 wwn 50:06:01:60:46:e0:33:aa fcid 0xef01ef dynamic

  vsan 2 wwn 20:41:00:05:9b:73:10:c0 fcid 0xef0105 dynamic

  vsan 1 wwn 50:06:01:68:46:e0:33:aa fcid 0x0200ef dynamic

  vsan 1 wwn 50:06:01:60:46:e0:33:aa fcid 0x0206ef dynamic

  vsan 2 wwn 20:41:00:05:9b:73:17:40 fcid 0xef0106 dynamic

  vsan 2 wwn 10:00:00:00:c9:77:94:21 fcid 0xef0107 dynamic

  vsan 2 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0xef0200 area dynamic

  vsan 2 wwn 50:06:01:68:46:e0:33:aa fcid 0xef03ef dynamic

  vsan 10 wwn 50:06:01:60:46:e0:33:aa fcid 0xd800ef dynamic

  vsan 10 wwn 20:41:00:05:9b:73:10:c0 fcid 0xd80000 dynamic

  vsan 10 wwn 20:41:00:05:9b:73:17:40 fcid 0xd80001 dynamic

  vsan 10 wwn 10:00:00:00:c9:77:94:21 fcid 0xd80002 dynamic

  vsan 10 wwn 50:06:01:61:46:e0:33:aa fcid 0xd801ef dynamic

  vsan 10 wwn 50:06:01:69:46:e0:33:aa fcid 0xd802ef dynamic

  vsan 10 wwn 20:42:00:05:9b:73:10:c0 fcid 0xd80003 dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:0f fcid 0xd80004 dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:18 fcid 0xd80005 dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:12 fcid 0xd80006 dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:15 fcid 0xd80007 dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:19 fcid 0xd80008 dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:10 fcid 0xd80009 dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:1c fcid 0xd8000a dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:25 fcid 0xd8000b dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:22 fcid 0xd8000c dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:1f fcid 0xd8000d dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:2b fcid 0xd8000e dynamic

  vsan 10 wwn 20:00:00:25:b5:01:11:28 fcid 0xd8000f dynamic

vsan database

  vsan 2 interface fc2/1

  vsan 2 interface fc2/2

  vsan 2 interface fc2/3

  vsan 2 interface fc2/4

  vsan 2 interface fc2/5

  vsan 2 interface fc2/6

  vsan 2 interface fc2/7

  vsan 2 interface fc2/8

  vsan 2 interface fc2/9

  vsan 2 interface fc2/10

  vsan 2 interface fc2/11

  vsan 2 interface fc2/12

  vsan 2 interface fc2/13

  vsan 2 interface fc2/14

  vsan 2 interface fc2/15

  vsan 2 interface fc2/16

  vsan 2 interface fc2/17

  vsan 2 interface fc2/18

  vsan 2 interface fc2/19

  vsan 2 interface fc2/20

  vsan 2 interface fc2/21

  vsan 2 interface fc2/22

  vsan 2 interface fc2/23

  vsan 10 interface fc2/24

  vsan 10 interface fc2/25

  vsan 10 interface fc2/26

  vsan 2 interface fc2/27

  vsan 2 interface fc2/28

  vsan 2 interface fc2/29

  vsan 2 interface fc2/30

  vsan 2 interface fc2/31

  vsan 2 interface fc2/32

  vsan 2 interface fc2/33

  vsan 2 interface fc2/34

  vsan 2 interface fc2/35

  vsan 2 interface fc2/36

  vsan 2 interface fc2/37

  vsan 2 interface fc2/38

  vsan 2 interface fc2/39

  vsan 2 interface fc2/40

  vsan 2 interface fc2/41

  vsan 2 interface fc2/42

  vsan 2 interface fc2/43

  vsan 2 interface fc2/44

  vsan 2 interface fc2/45

  vsan 2 interface fc2/46

  vsan 2 interface fc2/47

  vsan 10 interface fc2/48

  vsan 2 interface fc4/1

  vsan 2 interface fc4/2

  vsan 2 interface fc4/3

  vsan 2 interface fc4/4

  vsan 2 interface fc4/5

  vsan 2 interface fc4/6

  vsan 2 interface fc4/7

  vsan 2 interface fc4/8

  vsan 2 interface fc4/9

  vsan 2 interface fc4/10

  vsan 2 interface fc4/11

  vsan 2 interface fc4/12

  vsan 2 interface fc4/13

  vsan 2 interface fc4/14

  vsan 2 interface fc4/15

  vsan 2 interface fc4/16

  vsan 2 interface fc4/17

  vsan 2 interface fc4/18

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

ip default-gateway 192.168.41.1

switchname MDS-DC-1

line vty

  exec-timeout 15

line console

  exec-timeout 15

boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-1

boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-1

boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-2

boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-2

interface fc2/12

  switchport speed 4000

  switchport rate-mode shared

interface fc2/11

  switchport rate-mode dedicated

interface fc2/36

  switchport rate-mode dedicated

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc2/5

interface fc2/6

interface fc2/7

interface fc2/8

interface fc2/9

interface fc2/10

interface fc2/12

  switchport mode FL

interface fc2/13

interface fc2/14

interface fc2/15

interface fc2/16

interface fc2/17

interface fc2/18

interface fc2/19

interface fc2/20

interface fc2/21

interface fc2/22

interface fc2/23

interface fc2/24

interface fc2/25

interface fc2/26

interface fc2/27

interface fc2/28

interface fc2/29

interface fc2/30

interface fc2/31

interface fc2/32

interface fc2/33

interface fc2/34

interface fc2/35

interface fc2/37

interface fc2/38

interface fc2/39

interface fc2/40

interface fc2/41

interface fc2/42

interface fc2/43

interface fc2/44

interface fc2/45

interface fc2/46

interface fc2/47

interface fc2/48

interface fc2/11

  switchport mode auto

interface fc2/36

  switchport mode auto

interface fc4/1

interface fc4/2

interface fc4/3

interface fc4/4

interface fc4/5

interface fc4/6

interface fc4/7

interface fc4/8

interface fc4/9

interface fc4/10

interface fc4/11

interface fc4/12

interface fc4/13

interface fc4/14

interface fc4/15

interface fc4/16

interface fc4/17

interface fc4/18

logging server 192.168.42.121

logging server 192.168.42.124 6

system default zone default-zone permit

system default zone distribute full

zone default-zone permit vsan 2

zone default-zone permit vsan 10

zoneset distribute full vsan 1-2

zoneset distribute full vsan 10

!Full Zone Database Section for vsan 2

zone name global_zone vsan 2

    member pwwn 26:00:00:01:55:35:7e:44

    member pwwn 26:02:00:01:55:35:7e:44

    member pwwn 10:00:00:00:c9:75:68:c3

    member pwwn 10:00:00:00:c9:77:92:e9

    member pwwn 10:00:00:00:c9:77:db:c3

    member pwwn 10:00:00:00:c9:77:dc:c3

    member pwwn 10:00:00:00:c9:77:dd:bc

    member pwwn 21:00:00:1b:32:00:33:0c

    member pwwn 21:00:00:1b:32:00:3a:0c

    member pwwn 21:00:00:1b:32:00:5d:0d

    member pwwn 21:00:00:1b:32:00:5e:0d

    member pwwn 21:00:00:1b:32:00:70:0d

    member pwwn 21:00:00:1b:32:00:ab:0d

    member pwwn 21:00:00:1b:32:80:0b:10

    member pwwn 21:00:00:1b:32:80:52:10

    member pwwn 21:00:00:1b:32:80:da:0f

    member pwwn 21:00:00:1b:32:80:f1:0f

zoneset name promise-2_zs vsan 2

    member global_zone

zoneset activate name promise-2_zs vsan 2

!Full Zone Database Section for vsan 10

zone name UIM_20000025B5011112_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011110_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011112_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011110_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011112_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011110_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011112_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011110_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011115_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011116_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011115_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011116_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011115_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011116_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011115_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011116_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501111A_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011119_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111A_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011119_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111A_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011119_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111A_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011119_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501111D_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111C_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111D_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111C_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111D_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111C_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111D_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501111C_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501111F_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011120_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111F_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011120_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111F_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011120_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111F_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011120_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011123_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011122_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011123_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011122_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011123_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011122_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011123_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011122_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011125_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011126_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011125_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011126_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011125_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011126_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011125_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011126_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011129_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011128_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011129_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011128_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011129_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011128_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011129_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011128_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501112B_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501112C_5006016946E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501112B_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501112C_5006016846E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501112B_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501112C_5006016046E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501112B_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501112C_5006016146E033AA vsan 10

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:61:46:e0:33:aa

zoneset name UIM_ZONESET_A vsan 10

    member UIM_20000025B5011112_5006016046E033AA

    member UIM_20000025B5011110_5006016046E033AA

    member UIM_20000025B5011112_5006016946E033AA

    member UIM_20000025B5011110_5006016946E033AA

    member UIM_20000025B5011112_5006016846E033AA

    member UIM_20000025B5011110_5006016846E033AA

    member UIM_20000025B5011112_5006016146E033AA

    member UIM_20000025B5011110_5006016146E033AA

    member UIM_20000025B5011115_5006016846E033AA

    member UIM_20000025B5011116_5006016846E033AA

    member UIM_20000025B5011115_5006016146E033AA

    member UIM_20000025B5011116_5006016146E033AA

    member UIM_20000025B5011115_5006016946E033AA

    member UIM_20000025B5011116_5006016946E033AA

    member UIM_20000025B5011115_5006016046E033AA

    member UIM_20000025B5011116_5006016046E033AA

    member UIM_20000025B501111A_5006016946E033AA

    member UIM_20000025B5011119_5006016946E033AA

    member UIM_20000025B501111A_5006016146E033AA

    member UIM_20000025B5011119_5006016146E033AA

    member UIM_20000025B501111A_5006016846E033AA

    member UIM_20000025B5011119_5006016846E033AA

    member UIM_20000025B501111A_5006016046E033AA

    member UIM_20000025B5011119_5006016046E033AA

    member UIM_20000025B501111D_5006016146E033AA

    member UIM_20000025B501111C_5006016146E033AA

    member UIM_20000025B501111D_5006016846E033AA

    member UIM_20000025B501111C_5006016846E033AA

    member UIM_20000025B501111D_5006016946E033AA

    member UIM_20000025B501111C_5006016946E033AA

    member UIM_20000025B501111D_5006016046E033AA

    member UIM_20000025B501111C_5006016046E033AA

    member UIM_20000025B501111F_5006016146E033AA

    member UIM_20000025B5011120_5006016146E033AA

    member UIM_20000025B501111F_5006016946E033AA

    member UIM_20000025B5011120_5006016946E033AA

    member UIM_20000025B501111F_5006016846E033AA

    member UIM_20000025B5011120_5006016846E033AA

    member UIM_20000025B501111F_5006016046E033AA

    member UIM_20000025B5011120_5006016046E033AA

    member UIM_20000025B5011123_5006016946E033AA

    member UIM_20000025B5011122_5006016946E033AA

    member UIM_20000025B5011123_5006016146E033AA

    member UIM_20000025B5011122_5006016146E033AA

    member UIM_20000025B5011123_5006016846E033AA

    member UIM_20000025B5011122_5006016846E033AA

    member UIM_20000025B5011123_5006016046E033AA

    member UIM_20000025B5011122_5006016046E033AA

    member UIM_20000025B5011125_5006016146E033AA

    member UIM_20000025B5011126_5006016146E033AA

    member UIM_20000025B5011125_5006016946E033AA

    member UIM_20000025B5011126_5006016946E033AA

    member UIM_20000025B5011125_5006016846E033AA

    member UIM_20000025B5011126_5006016846E033AA

    member UIM_20000025B5011125_5006016046E033AA

    member UIM_20000025B5011126_5006016046E033AA

    member UIM_20000025B5011129_5006016846E033AA

    member UIM_20000025B5011128_5006016846E033AA

    member UIM_20000025B5011129_5006016046E033AA

    member UIM_20000025B5011128_5006016046E033AA

    member UIM_20000025B5011129_5006016146E033AA

    member UIM_20000025B5011128_5006016146E033AA

    member UIM_20000025B5011129_5006016946E033AA

    member UIM_20000025B5011128_5006016946E033AA

    member UIM_20000025B501112B_5006016946E033AA

    member UIM_20000025B501112C_5006016946E033AA

    member UIM_20000025B501112B_5006016846E033AA

    member UIM_20000025B501112C_5006016846E033AA

    member UIM_20000025B501112B_5006016046E033AA

    member UIM_20000025B501112C_5006016046E033AA

    member UIM_20000025B501112B_5006016146E033AA

    member UIM_20000025B501112C_5006016146E033AA

zoneset activate name UIM_ZONESET_A vsan 10

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc2/5

interface fc2/6

interface fc2/7

interface fc2/8

interface fc2/9

interface fc2/10

interface fc2/11

  no shutdown

interface fc2/12

  no shutdown

interface fc2/13

interface fc2/14

interface fc2/15

interface fc2/16

interface fc2/17

interface fc2/18

interface fc2/19

interface fc2/20

interface fc2/21

interface fc2/22

interface fc2/23

interface fc2/24

  no shutdown

interface fc2/25

  no shutdown

interface fc2/26

  no shutdown

interface fc2/27

interface fc2/28

interface fc2/29

interface fc2/30

interface fc2/31

interface fc2/32

interface fc2/33

interface fc2/34

interface fc2/35

interface fc2/36

  no shutdown

interface fc2/37

  shutdown

interface fc2/38

interface fc2/39

interface fc2/40

interface fc2/41

interface fc2/42

interface fc2/43

interface fc2/44

interface fc2/45

interface fc2/46

interface fc2/47

interface fc2/48

  no shutdown

interface fc4/1

interface fc4/2

interface fc4/3

interface fc4/4

interface fc4/5

interface fc4/6

interface fc4/7

interface fc4/8

interface fc4/9

interface fc4/10

interface fc4/11

interface fc4/12

interface fc4/13

interface fc4/14

interface fc4/15

interface fc4/16

interface fc4/17

interface fc4/18

interface GigabitEthernet4/1

interface GigabitEthernet4/2

interface GigabitEthernet4/3

interface GigabitEthernet4/4

interface mgmt0

  ip address 192.168.41.51 255.255.255.0

  ip access-group 23 in

no system default switchport shutdown

MDS-DC-2-RUNNING

!Command: show running-config

!Time: Sun Apr 24 16:48:05 2011

version 5.0(4)

system default switchport mode F

feature npiv

feature privilege

feature tacacs+

role name default-role

  description This is a system defined role and applies to all users.

  rule 5 permit show feature environment

  rule 4 permit show feature hardware

  rule 3 permit show feature module

  rule 2 permit show feature snmp

  rule 1 permit show feature system

username admin password 5 <removed>   role network-admin

username retail password 5 <removed>   role network-admin

username emc-ncm password 5 <removed>   role network-admin

username bart password 5 <removed>   role network-admin

enable secret 5 <removed>

banner motd #

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

ssh login-attempts 6

ip domain-lookup

ip domain-name cisco-irn.com

ip host MDS-DC-2 192.168.41.52

ip host MDS-DC-2 192.168.41.52

tacacs-server key 7 "<removed>"

tacacs-server host 192.168.42.131

aaa group server tacacs+ CiscoACS

    server 192.168.42.131

aaa group server radius radius

snmp-server user bart network-admin auth md5 <removed>  priv <removed> localizedkey

snmp-server user admin network-admin auth md5 <removed> localizedkey

snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey

snmp-server host 192.168.41.101 traps version 2c public  udp-port 2162

snmp-server host 192.168.42.121 traps version 3 auth public

rmon event 1 log trap public description FATAL(1) owner PMON@FATAL

rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL

rmon event 3 log trap public description ERROR(3) owner PMON@ERROR

rmon event 4 log trap public description WARNING(4) owner PMON@WARNING

rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO

ntp server 192.168.62.161

ntp server 192.168.62.162

aaa authentication login default group CiscoACS

aaa authentication login console group CiscoACS

aaa authorization ssh-certificate default group CiscoACS

aaa accounting default group CiscoACS

aaa authentication login error-enable

ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.52 0.0.0.0

ip access-list 23 deny ip any any log-deny

vsan database

  vsan 2 name "Promise-2"

  vsan 11 name "UIM_VSAN_B_11"

fcdomain fcid database

  vsan 1 wwn 21:01:00:e0:8b:39:35:58 fcid 0x010000 area dynamic

  vsan 1 wwn 22:03:00:0d:ec:20:2b:40 fcid 0x010100 area dynamic

  vsan 11 wwn 20:41:00:05:9b:73:17:40 fcid 0xd40000 dynamic

  vsan 11 wwn 20:42:00:05:9b:73:17:40 fcid 0xd40001 dynamic

  vsan 1 wwn 21:00:00:e0:8b:19:35:58 fcid 0x010200 area dynamic

  vsan 11 wwn 50:06:01:69:46:e0:33:aa fcid 0xd400ef dynamic

  vsan 11 wwn 50:06:01:68:46:e0:33:aa fcid 0xd401ef dynamic

  vsan 1 wwn 26:01:00:01:55:35:7e:44 fcid 0x010300 dynamic

  vsan 2 wwn 26:01:00:01:55:35:7e:44 fcid 0x890000 dynamic

  vsan 2 wwn 20:64:00:0d:ec:38:76:00 fcid 0x890100 area dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:10 fcid 0xd40002 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:19 fcid 0xd40003 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:13 fcid 0xd40004 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:16 fcid 0xd40005 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:1a fcid 0xd40006 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:12 fcid 0xd40007 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:1d fcid 0xd40008 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:26 fcid 0xd40009 dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:23 fcid 0xd4000a dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:20 fcid 0xd4000b dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:2c fcid 0xd4000c dynamic

  vsan 11 wwn 20:00:00:25:b5:01:11:29 fcid 0xd4000d dynamic

vsan database

  vsan 11 interface fc2/24

  vsan 11 interface fc2/25

  vsan 11 interface fc2/26

  vsan 11 interface fc2/48

clock timezone PST -8 0

clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60

ip default-gateway 192.168.41.1

switchname MDS-DC-2

line vty

  session-limit 32

  exec-timeout 15

line console

  exec-timeout 15

boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-1

boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-1

boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-2

boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-2

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc2/5

interface fc2/6

interface fc2/7

interface fc2/8

interface fc2/9

interface fc2/10

interface fc2/11

interface fc2/12

interface fc2/13

interface fc2/14

interface fc2/15

interface fc2/16

interface fc2/17

interface fc2/18

interface fc2/19

interface fc2/20

interface fc2/21

interface fc2/22

interface fc2/23

interface fc2/24

interface fc2/25

interface fc2/26

interface fc2/27

interface fc2/28

interface fc2/29

interface fc2/30

interface fc2/31

interface fc2/32

interface fc2/33

interface fc2/34

interface fc2/35

interface fc2/36

interface fc2/37

interface fc2/38

interface fc2/39

interface fc2/40

interface fc2/41

interface fc2/42

interface fc2/43

interface fc2/44

interface fc2/45

interface fc2/46

interface fc2/47

interface fc2/48

logging server 192.168.42.121

logging server 192.168.42.124 6

system default zone default-zone permit

system default zone distribute full

zone default-zone permit vsan 2

zone default-zone permit vsan 11

zoneset distribute full vsan 1-2

zoneset distribute full vsan 11

!Full Zone Database Section for vsan 2

zone name global_zone vsan 2

zoneset name promise-2_zs vsan 2

    member global_zone

!Full Zone Database Section for vsan 11

zone name UIM_20000025B5011110_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011112_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011110_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011112_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011110_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011112_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011110_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:10

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011112_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:12

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011116_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011115_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011116_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011115_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011116_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011115_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011116_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:16

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011115_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:15

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011119_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111A_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011119_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501111A_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011119_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111A_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011119_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:19

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111A_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1a

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111D_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111C_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111D_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111C_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111D_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111C_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111D_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1d

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501111C_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1c

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011120_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501111F_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011120_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501111F_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011120_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501111F_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011120_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:20

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501111F_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:1f

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011122_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011123_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011122_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011123_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011122_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011123_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011122_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:22

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011123_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:23

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011126_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011125_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011126_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011125_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011126_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011125_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011126_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:26

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011125_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:25

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011128_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011129_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B5011128_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011129_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B5011128_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011129_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B5011128_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:28

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B5011129_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:29

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501112C_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501112B_5006016046E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:60:46:e0:33:aa

zone name UIM_20000025B501112C_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501112B_5006016946E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:69:46:e0:33:aa

zone name UIM_20000025B501112C_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501112B_5006016846E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:68:46:e0:33:aa

zone name UIM_20000025B501112C_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2c

    member pwwn 50:06:01:61:46:e0:33:aa

zone name UIM_20000025B501112B_5006016146E033AA vsan 11

    member pwwn 20:00:00:25:b5:01:11:2b

    member pwwn 50:06:01:61:46:e0:33:aa

zoneset name UIM_ZONESET_B vsan 11

    member UIM_20000025B5011110_5006016946E033AA

    member UIM_20000025B5011112_5006016946E033AA

    member UIM_20000025B5011110_5006016046E033AA

    member UIM_20000025B5011112_5006016046E033AA

    member UIM_20000025B5011110_5006016146E033AA

    member UIM_20000025B5011112_5006016146E033AA

    member UIM_20000025B5011110_5006016846E033AA

    member UIM_20000025B5011112_5006016846E033AA

    member UIM_20000025B5011116_5006016046E033AA

    member UIM_20000025B5011115_5006016046E033AA

    member UIM_20000025B5011116_5006016946E033AA

    member UIM_20000025B5011115_5006016946E033AA

    member UIM_20000025B5011116_5006016846E033AA

    member UIM_20000025B5011115_5006016846E033AA

    member UIM_20000025B5011116_5006016146E033AA

    member UIM_20000025B5011115_5006016146E033AA

    member UIM_20000025B5011119_5006016146E033AA

    member UIM_20000025B501111A_5006016146E033AA

    member UIM_20000025B5011119_5006016046E033AA

    member UIM_20000025B501111A_5006016046E033AA

    member UIM_20000025B5011119_5006016946E033AA

    member UIM_20000025B501111A_5006016946E033AA

    member UIM_20000025B5011119_5006016846E033AA

    member UIM_20000025B501111A_5006016846E033AA

    member UIM_20000025B501111D_5006016146E033AA

    member UIM_20000025B501111C_5006016146E033AA

    member UIM_20000025B501111D_5006016846E033AA

    member UIM_20000025B501111C_5006016846E033AA

    member UIM_20000025B501111D_5006016946E033AA

    member UIM_20000025B501111C_5006016946E033AA

    member UIM_20000025B501111D_5006016046E033AA

    member UIM_20000025B501111C_5006016046E033AA

    member UIM_20000025B5011120_5006016846E033AA

    member UIM_20000025B501111F_5006016846E033AA

    member UIM_20000025B5011120_5006016146E033AA

    member UIM_20000025B501111F_5006016146E033AA

    member UIM_20000025B5011120_5006016046E033AA

    member UIM_20000025B501111F_5006016046E033AA

    member UIM_20000025B5011120_5006016946E033AA

    member UIM_20000025B501111F_5006016946E033AA

    member UIM_20000025B5011122_5006016946E033AA

    member UIM_20000025B5011123_5006016946E033AA

    member UIM_20000025B5011122_5006016146E033AA

    member UIM_20000025B5011123_5006016146E033AA

    member UIM_20000025B5011122_5006016046E033AA

    member UIM_20000025B5011123_5006016046E033AA

    member UIM_20000025B5011122_5006016846E033AA

    member UIM_20000025B5011123_5006016846E033AA

    member UIM_20000025B5011126_5006016846E033AA

    member UIM_20000025B5011125_5006016846E033AA

    member UIM_20000025B5011126_5006016946E033AA

    member UIM_20000025B5011125_5006016946E033AA

    member UIM_20000025B5011126_5006016146E033AA

    member UIM_20000025B5011125_5006016146E033AA

    member UIM_20000025B5011126_5006016046E033AA

    member UIM_20000025B5011125_5006016046E033AA

    member UIM_20000025B5011128_5006016946E033AA

    member UIM_20000025B5011129_5006016946E033AA

    member UIM_20000025B5011128_5006016046E033AA

    member UIM_20000025B5011129_5006016046E033AA

    member UIM_20000025B5011128_5006016146E033AA

    member UIM_20000025B5011129_5006016146E033AA

    member UIM_20000025B5011128_5006016846E033AA

    member UIM_20000025B5011129_5006016846E033AA

    member UIM_20000025B501112C_5006016046E033AA

    member UIM_20000025B501112B_5006016046E033AA

    member UIM_20000025B501112C_5006016946E033AA

    member UIM_20000025B501112B_5006016946E033AA

    member UIM_20000025B501112C_5006016846E033AA

    member UIM_20000025B501112B_5006016846E033AA

    member UIM_20000025B501112C_5006016146E033AA

    member UIM_20000025B501112B_5006016146E033AA

zoneset activate name UIM_ZONESET_B vsan 11

interface fc2/1

interface fc2/2

interface fc2/3

interface fc2/4

interface fc2/5

interface fc2/6

interface fc2/7

interface fc2/8

interface fc2/9

interface fc2/10

interface fc2/11

interface fc2/12

interface fc2/13

interface fc2/14

interface fc2/15

interface fc2/16

interface fc2/17

interface fc2/18

interface fc2/19

interface fc2/20

interface fc2/21

interface fc2/22

interface fc2/23

interface fc2/24

interface fc2/25

interface fc2/26

interface fc2/27

interface fc2/28

interface fc2/29

interface fc2/30

interface fc2/31

interface fc2/32

interface fc2/33

interface fc2/34

interface fc2/35

interface fc2/36

interface fc2/37

interface fc2/38

interface fc2/39

interface fc2/40

interface fc2/41

interface fc2/42

interface fc2/43

interface fc2/44

interface fc2/45

interface fc2/46

interface fc2/47

interface fc2/48

interface mgmt0

  ip address 192.168.41.52 255.255.255.0

  ip access-group 23 in

no system default switchport shutdown

Internet Edge

WAN

RIE-1

Building configuration...

No l4r_shim subsystem is included in this platform.

Current configuration : 16789 bytes

! Last configuration change at 16:43:41 PST Thu Dec 6 2012 by bmcgloth

! NVRAM config last updated at 16:45:21 PST Thu Dec 6 2012 by bmcgloth

version 15.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

no platform punt-keepalive disable-kernel-core

hostname RIE-1

boot-start-marker

boot-end-marker

vrf definition Mgmt-intf

 address-family ipv4

 exit-address-family

 address-family ipv6

 exit-address-family

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk

aaa new-model

aaa group server tacacs+ PRIMARY1

 server name PRIMARY

 ip tacacs source-interface GigabitEthernet0/0/1

aaa authentication login COMPLIANCE group PRIMARY1 local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

no ipv6 source-route

ipv6 unicast-routing

ipv6 multicast rpf use-bgp

multilink bundle-name authenticated

password encryption aes

crypto pki trustpoint TP-self-signed-2651906707

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-2651906707

 revocation-check none

 rsakeypair TP-self-signed-2651906707

crypto pki certificate chain TP-self-signed-2651906707

 certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32363531 39303637 3037301E 170D3132 31313036 31323232

  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36353139

  30363730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100AECB 6BFA1E96 248A2BFB E7B5D97E 9E9F99B1 4A2A7548 89CBC154 14CA1328

  5625CD4E 0E7F9D0F 8B0A76D7 48B1A6EB 264E67FE 70BBC476 B21A22C7 6431842D

  E5C6FBD1 3E0BBBDF 73A3088C BA6B8172 C32D446F 406F1269 0C4638D5 A422A709

  7AF6DCCE 8ACE5CD8 D686075C 46E44292 308E3E34 EFA13429 E198C0CA E8FE7300

  2A130203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 14EB092C 62224E75 39C28FA2 B39CD19D 58235B24 FB301D06

  03551D0E 04160414 EB092C62 224E7539 C28FA2B3 9CD19D58 235B24FB 300D0609

  2A864886 F70D0101 05050003 81810077 4AF3549B 69563163 6AB2398F 3068F49F

  48284235 25D42BF2 A4C45F09 17AF8EFF 5C92A80E 50AD61C8 C309E328 AE7EA370

  02CCC23E 31F1034D 69A35747 C954DFA1 0F08DB33 081F69B4 43D00153 33F03918

  68B2FD17 7070FA3C 344CB4D9 AFFE2671 3B7087F0 177F7AF2 DF3F9B1D 08144FC0

  1F42863C 4948E425 DFF1C657 1B37D6

        quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

username retail privilege 15 secret 4 <removed>

username bart privilege 15 secret 4 <removed>

username emc-ncm privilege 15 secret 4 <removed>

username bmcgloth privilege 15 secret 4 <removed>

username csmadmin privilege 15 secret 4 <removed>

username ciscolms privilege 15 secret 4 <removed>

redundancy

 mode none

ip ssh version 2

ip scp server enable

policy-map COPPr

 class class-default

  police 8000

interface GigabitEthernet0/0/0

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0/0/1

 description link to RIE-3 G1/1

 ip address 192.168.22.11 255.255.255.0

 ip access-group INTERNAL-FILTER-IN in

 standby version 2

 standby 1 ip 192.168.22.10

 standby 1 priority 105

 standby 1 preempt

 standby 1 authentication TheCure

 standby 2 ipv6 2001:DB8:192:22::10/64

 standby 2 priority 105

 standby 2 preempt

 standby 2 authentication TheCure

 speed 1000

 no negotiation auto

 ipv6 address 2001:DB8:192:22::11/64

 ipv6 verify unicast source reachable-via rx

 ipv6 traffic-filter IPv6-INTERNAL-FILTER-IN in

interface GigabitEthernet0/0/2

 description link to RIE-4 G1/1

 no ip address

 shutdown

 speed 1000

 no negotiation auto

interface GigabitEthernet0/0/3

 description Link to RSP-3 G0/2

 ip address 10.10.3.6 255.255.255.0

 ip access-group COARSE-FILTER-INTERNET-IN in

 ip access-group COARSE-FILTER-INTERNET-OUT out

 speed 1000

 no negotiation auto

 ipv6 address 2001:DB8:1010:3::6/64

 no ipv6 redirects

 ipv6 verify unicast source reachable-via rx allow-default

 ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-IN in

 ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-OUT out

interface GigabitEthernet0/0/4

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0/0/5

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0

 vrf forwarding Mgmt-intf

 no ip address

 shutdown

 negotiation auto

no ip forward-protocol nd

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 10.10.3.1

ip route 10.10.0.0 255.255.0.0 192.168.22.1

ip route 10.10.0.0 255.255.255.0 10.10.3.1

ip route 10.10.4.0 255.255.255.0 192.168.22.12

ip route 192.168.0.0 255.255.0.0 192.168.22.1

ip tacacs source-interface GigabitEthernet0/0/1

ip access-list extended COARSE-FILTER-INTERNET-IN

 remark ---Temporary LAB permit - will remove from PCI GUIDE---

 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255

 permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255

 remark -------------------------------------------------------

 remark ---Block Private Networks---

 deny   ip 10.0.0.0 0.255.255.255 any log

 deny   ip 172.16.0.0 0.15.255.255 any log

 deny   ip 192.168.0.0 0.0.255.255 any

 remark -

 remark ---Block Autoconfiguration Networks---

 deny   ip 169.254.0.0 0.0.255.255 any log

 remark -

 remark ---Block Loopback Networks---

 deny   ip 127.0.0.0 0.0.255.255 any log

 remark -

 remark ---Block Multicast Networks---

 deny   ip 224.0.0.0 15.255.255.255 any log

 remark -

 remark ---Block Traffic targeted at DMZ Network Edge Devices---

 deny   ip any 192.168.22.0 0.0.0.255 log

 remark -

 remark ---Block Spoofing of your networks---

 remark enter your IP block here

 remark ---Permit all other traffic---

 permit ip any any

ip access-list extended COARSE-FILTER-INTERNET-OUT

 remark ---Block private networks from reaching Internet---

 remark ---Temporary LAB permit - will remove from PCI GUIDE---

 permit ip any any

 remark -------------------------------------------------------

 remark ---Block Private Networks---

 deny   ip 10.0.0.0 0.255.255.255 any log

 deny   ip 172.16.0.0 0.15.255.255 any log

 deny   ip 192.168.0.0 0.0.255.255 any log

 remark -

 remark ---Block Autoconfiguration Networks---

 deny   ip 169.254.0.0 0.0.255.255 any log

 remark -

 remark ---Block Loopback Networks---

 deny   ip 127.0.0.0 0.0.255.255 any log

 remark -

 remark ---Block Multicast Networks---

 deny   ip 224.0.0.0 15.255.255.255 any log

 remark -

 remark ---Block Traffic targeted at DMZ Network Edge Devices---

 deny   ip any 192.168.22.0 0.0.0.255 log

 remark -

 remark ---Permit all other traffic---

 permit tcp any any

 permit udp any any

 permit icmp any any

ip access-list extended INTERNAL-FILTER-IN

 remark -------------------------------------------------------

 remark ---Permit Admin Management---

 permit icmp any any

 permit tcp host 192.168.41.101 host 192.168.22.11 eq 22 log

 permit tcp host 192.168.41.102 host 192.168.22.11 eq 22 log

 permit tcp host 192.168.42.122 host 192.168.22.11 eq 22 log

 permit tcp host 192.168.42.124 host 192.168.22.11 eq 22 log

 permit tcp host 192.168.42.131 eq tacacs host 192.168.22.11

 permit tcp host 192.168.42.133 host 192.168.22.11 eq 22 log

 permit tcp host 192.168.42.139 host 192.168.22.11 eq 22 log

 permit tcp host 10.19.151.104 host 192.168.22.11 eq 22 log

 permit tcp host 10.19.151.102 host 192.168.22.11 eq 22 log

 permit tcp host 10.19.151.103 host 192.168.22.11 eq 22 log

 permit tcp host 10.19.151.100 host 192.168.22.11 eq 22 log

 permit tcp host 10.19.151.101 host 192.168.22.11 eq 22 log

 permit tcp host 10.19.151.98 host 192.168.22.11 eq 22 log

 permit tcp host 10.19.151.99 host 192.168.22.11 eq 22 log

 permit udp host 192.168.42.122 host 192.168.22.11 eq snmp

 permit udp host 192.168.42.124 host 192.168.22.11 eq snmp

 permit udp host 192.168.42.133 host 192.168.22.11 eq snmp

 permit udp host 192.168.42.139 host 192.168.22.11 eq snmp

 remark -

 remark ---Permit HSRP V2 packets---

 permit udp host 192.168.22.12 host 224.0.0.102 eq 1985

 remark -

 remark ---Deny other connections to Edge Router---

 deny   ip any host 192.168.22.11 log

 deny   ip any host 192.168.22.10 log

 deny   ip any host 10.10.0.3 log

 remark -

 remark ---Permit all other traffic to Internet---

 permit ip any any

logging trap debugging

logging source-interface GigabitEthernet0/0/1

logging host 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 192.168.42.139 log

access-list 23 permit 10.19.151.104 log

access-list 23 permit 10.19.151.102 log

access-list 23 permit 10.19.151.103 log

access-list 23 permit 10.19.151.100 log

access-list 23 permit 10.19.151.101 log

access-list 23 permit 10.19.151.98 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

ipv6 route 2001:DB8:192::/48 2001:DB8:192:22::1

ipv6 route ::/0 2001:DB8:1010:3::1

snmp-server group V3Group v3 priv read V3Read write V3Write

snmp-server view V3Read iso included

snmp-server view V3Write iso included

snmp-server trap-source GigabitEthernet0/0/1

snmp-server packetsize 8192

snmp-server location Building SJC-17-1 Aisle 1 Rack 1

snmp-server contact Bart McGlothin

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps ipsla

snmp-server enable traps flash insertion removal

snmp-server host 192.168.42.134 version 3 priv <removed>

snmp-server host 192.168.42.139 version 3 priv <removed>

snmp-server host 192.168.42.133 version 3 priv <removed>

tacacs server PRIMARY

 address ipv4 192.168.42.131

 key 7 <removed>

ipv6 access-list BLOCKALL-IPv6

 deny ipv6 any any log

ipv6 access-list IPv6-COARSE-FILTER-INTERNET-IN

 remark ---Temporary LAB permit for use of documentation IPv6 space---

 permit ipv6 2001:DB8::/32 2001:DB8::/32

 remark --------------------------------------------------------------

 remark ---Block all traffic DHCP server -> client---

 deny udp any eq 547 any eq 546

 remark ---Block all traffic DHCP client -> server---

 deny udp any eq 546 any eq 547

 remark ---Block all traffic Routing Header Type 0---

 deny ipv6 any any routing-type 0

 remark -

 remark ---Accept all ICMPv6 packets for Neighbor Discovery and Path MTU Discovery ---

 permit icmp any any nd-na

 permit icmp any any nd-ns

 permit icmp any any router-advertisement

 permit icmp any any router-solicitation

 permit icmp any any packet-too-big

 permit icmp any any destination-unreachable

 permit icmp any any unreachable

 permit icmp any any no-route

 permit icmp any any echo-reply

 permit icmp any any echo-request

 permit icmp any any time-exceeded

 permit icmp any any parameter-problem

 permit icmp any any mld-query

 permit icmp any any mld-reduction

 permit icmp any any mld-report

 permit icmp any any port-unreachable

 remark --

 remark ---Block IETF Documentation Network---

 deny ipv6 2001:DB8::/32 any

 remark ---

 remark ---Block Spoofing of Your Networks---

 deny ipv6 2001:DB8:192::/48 any

 remark ----

 remark ---Block Traffic targeted at DMZ Network Edge Devices---

 deny ipv6 any 2001:DB8:192:22::/64 log

 remark ------

 remark ---Permit Only Assigned Networks to Your Network---

 permit ipv6 2000::/3 2001:DB8:192::/48

ipv6 access-list IPv6-COARSE-FILTER-INTERNET-OUT

 remark ---Temporary LAB permit for use of documentation IPv6 space---

 permit ipv6 2001:DB8::/32 2001:DB8::/32

 remark -------------------------------------------------------

 remark ---Block private networks from reaching Internet---

 remark ---Block IETF reserved Networks---

 deny ipv6 FEC0::/10 any log

 deny ipv6 FC00::/7 any log

 deny ipv6 host :: any log

 deny ipv6 ::/96 any log

 deny ipv6 ::/8 any log

 deny ipv6 ::FFFF:0.0.0.0/96 any log

 deny ipv6 2001:DB8::/32 any log

 remark -

 remark ---Block Loopback Address---

 deny ipv6 host ::1 any log

 remark --

 remark ---Block Multicast Networks---

 deny ipv6 FE00::/7 any log

 remark ---

 remark ---Alternate is to Permit Traffic From My Network to Assigned Networks---

 remark ----

 permit ipv6 2001:DB8:192::/48 2000::/3

 remark -----

 remark ---Explicit Deny for All Other Networks and Log---

 deny ipv6 any any log

ipv6 access-list IPv6-INTERNAL-FILTER-IN

 remark -------------------------------------------------------

 permit icmp any any

 remark -

 remark ---Permit HSRP V2 packets---

 permit udp host 2001:DB8:192:22::12 eq 2029 host FF02::66 eq 2029

 permit udp host FE80::E6D3:F1FF:FE77:A202 eq 2029 host FF02::66 eq 2029

 remark ---Deny other connections to Edge Router---

 deny ipv6 any 2001:DB8:192:22::/64 log

 remark ---Permit My Network Traffic to Assigned Networks---

 permit ipv6 2001:DB8:192::/48 2000::/3

control-plane

banner exec ^CCC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^CCC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^CCC

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication COMPLIANCE

 stopbits 1

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 no exec

 transport preferred none

 transport output none

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 ipv6 access-class BLOCKALL-IPv6 in

 logging synchronous

 login authentication COMPLIANCE

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 ipv6 access-class BLOCKALL-IPv6 in

 logging synchronous

 login authentication COMPLIANCE

 transport preferred none

 transport input ssh

 transport output none

ntp source GigabitEthernet0/0/3

ntp server 171.68.10.80 prefer

ntp server 171.68.10.150

end

RIE-2

Building configuration...

No l4r_shim subsystem is included in this platform.

Current configuration : 15119 bytes

! Last configuration change at 14:30:46 PST Fri Nov 30 2012 by bmcgloth

version 15.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

no platform punt-keepalive disable-kernel-core

hostname RIE-2

boot-start-marker

boot-end-marker

vrf definition Mgmt-intf

 address-family ipv4

 exit-address-family

 address-family ipv6

 exit-address-family

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk

aaa new-model

aaa group server tacacs+ PRIMARY1

 server name PRIMARY

 ip tacacs source-interface GigabitEthernet0/0/2

aaa authentication login COMPLIANCE group PRIMARY1 local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

no ipv6 source-route

ipv6 unicast-routing

ipv6 multicast rpf use-bgp

multilink bundle-name authenticated

password encryption aes

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

username retail privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk

username bart privilege 15 secret 4 y.Hu5omquu3STdi3Z65rJiGArfomMTMWv75ITNG12f2

username emc-ncm privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk

username bmcgloth privilege 15 secret 4 y.Hu5omquu3STdi3Z65rJiGArfomMTMWv75ITNG12f2

username csmadmin privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk

username ciscolms privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk

redundancy

 mode none

ip ssh version 2

ip scp server enable

policy-map COPPr

 class class-default

  police 8000

interface GigabitEthernet0/0/0

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0/0/1

 description link to RIE-3 G1/2

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0/0/2

 description link to RIE-4 G1/2

 ip address 192.168.22.12 255.255.255.0

 ip access-group INTERNAL-FILTER-IN in

 standby version 2

 standby 1 ip 192.168.22.10

 standby 1 authentication TheCure

 standby 2 ipv6 2001:DB8:192:22::10/64

 standby 2 authentication TheCure

 negotiation auto

 ipv6 address 2001:DB8:192:22::12/64

 ipv6 verify unicast source reachable-via rx

 ipv6 traffic-filter IPv6-INTERNAL-FILTER-IN in

interface GigabitEthernet0/0/3

 description Link to RSP-4 G0/2

RIE-2#

RIE-2#

RIE-2#

RIE-2#

RIE-2#sh tech

RIE-2#sh tech-support ?

  cef          CEF related information

  ipc          IPC related information

  ipmulticast  IP multicast related information

  isis         CLNS and ISIS related information

  mfib         MFIB related information

  ospf         OSPF related information

  page         Page through output

  password     Include passwords

  rsvp         IP RSVP related information

  vrrp         VRRP related information

  wccp         WCCP related information

  |            Output modifiers

  <cr>

RIE-2#sh tech-support page

RIE-2#sh tech-support page

------------------ show clock ------------------

*14:03:13.372 PST Wed Jan 30 2013

------------------ show version ------------------

Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(1)S, 
RELEASE SOFTWARE (fc4)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Tue 27-Nov-12 11:16 by mcpre

IOS XE Version: 03.08.00.S

Cisco IOS-XE software, Copyright (c) 2005-2012 by cisco Systems, Inc.

All rights reserved.  Certain components of Cisco IOS-XE software are

licensed under the GNU General Public License ("GPL") Version 2.0.  The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0.  For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

ROM: IOS-XE ROMMON

RIE-2 uptime is 8 weeks, 5 days, 2 hours, 32 minutes

Uptime for this control processor is 8 weeks, 5 days, 2 hours, 34 minutes

System returned to ROM by reload at 11:27:32 PST Fri Nov 30 2012

System image file is "bootflash:/asr1002x-universalk9.03.08.00.S.153-1.S.SPA.bin"

Last reload reason: Reload Command

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

License Level: ipbase

License Type: Default. No valid license found.

Next reload license Level: ipbase

cisco ASR1002-X (2RU-X) processor with 1140957K/6147K bytes of memory.

Processor board ID SSI16150DLD

6 Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

4194304K bytes of physical memory.

6684671K bytes of eUSB flash at bootflash:.

Configuration register is 0x2102

------------------ show running-config ------------------

Building configuration...

No l4r_shim subsystem is included in this platform.

Current configuration : 14907 bytes

! Last configuration change at 14:30:46 PST Fri Nov 30 2012 by bmcgloth

version 15.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

no platform punt-keepalive disable-kernel-core

hostname RIE-2

boot-start-marker

boot-end-marker

vrf definition Mgmt-intf

 address-family ipv4

 exit-address-family

 address-family ipv6

 exit-address-family

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk

aaa new-model

aaa group server tacacs+ PRIMARY1

 server name PRIMARY

 ip tacacs source-interface GigabitEthernet0/0/2

aaa authentication login COMPLIANCE group PRIMARY1 local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

no ipv6 source-route

ipv6 unicast-routing

ipv6 multicast rpf use-bgp

multilink bundle-name authenticated

password encryption aes

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

username retail privilege 15 secret 4 <removed>

username bart privilege 15 secret 4 <removed>

username emc-ncm privilege 15 secret 4 <removed>

username bmcgloth privilege 15 secret 4 <removed>

username csmadmin privilege 15 secret 4 <removed>

username ciscolms privilege 15 secret 4 <removed>

redundancy

 mode none

ip ssh version 2

ip scp server enable

policy-map COPPr

 class class-default

  police 8000

interface GigabitEthernet0/0/0

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0/0/1

 description link to RIE-3 G1/2

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0/0/2

 description link to RIE-4 G1/2

 ip address 192.168.22.12 255.255.255.0

 ip access-group INTERNAL-FILTER-IN in

 standby version 2

 standby 1 ip 192.168.22.10

 standby 1 authentication TheCure

 standby 2 ipv6 2001:DB8:192:22::10/64

 standby 2 authentication TheCure

 negotiation auto

 ipv6 address 2001:DB8:192:22::12/64

 ipv6 verify unicast source reachable-via rx

 ipv6 traffic-filter IPv6-INTERNAL-FILTER-IN in

interface GigabitEthernet0/0/3

 description Link to RSP-4 G0/2

 ip address 10.10.4.6 255.255.255.0

 ip access-group COARSE-FILTER-INTERNET-IN in

 ip access-group COARSE-FILTER-INTERNET-OUT out

 negotiation auto

 ipv6 address 2001:DB8:1010:4::6/64

 no ipv6 redirects

 ipv6 verify unicast source reachable-via rx

 ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-IN in

 ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-OUT out

interface GigabitEthernet0/0/4

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0/0/5

 no ip address

 shutdown

 negotiation auto

interface GigabitEthernet0

 vrf forwarding Mgmt-intf

 no ip address

 shutdown

 negotiation auto

no ip forward-protocol nd

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 10.10.4.1

ip route 10.10.0.0 255.255.0.0 192.168.22.1

ip route 10.10.0.0 255.255.255.0 10.10.4.1

ip route 10.10.3.0 255.255.255.0 192.168.22.11

ip route 192.168.0.0 255.255.0.0 192.168.22.1

ip access-list extended COARSE-FILTER-INTERNET-IN

 remark ---Temporary LAB permit - will remove from PCI GUIDE---

 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255

 permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255

 remark -------------------------------------------------------

 remark ---Block Private Networks---

 deny   ip 10.0.0.0 0.255.255.255 any log

 deny   ip 172.16.0.0 0.15.255.255 any log

 deny   ip 192.168.0.0 0.0.255.255 any log

 remark -

 remark ---Block Autoconfiguration Networks---

 deny   ip 169.254.0.0 0.0.255.255 any log

 remark -

 remark ---Block Loopback Networks---

 deny   ip 127.0.0.0 0.0.255.255 any log

 remark -

 remark ---Block Multicast Networks---

 deny   ip 224.0.0.0 15.255.255.255 any log

 remark -

 remark ---Block Traffic targeted at DMZ Network Edge Devices---

 deny   ip any 192.168.22.0 0.0.0.255 log

 remark -

 remark ---Block Spoofing of your networks---

 remark enter your IP block here

 deny   ip 192.168.20.0 0.0.0.255 any

 remark --

 remark ---Permit all other traffic---

 permit ip any any

ip access-list extended COARSE-FILTER-INTERNET-OUT

 remark ---Block private networks from reaching Internet---

 remark ---Temporary LAB permit - will remove from PCI GUIDE---

 permit ip any any

 remark -------------------------------------------------------

 remark ---Block Private Networks---

 deny   ip 10.0.0.0 0.255.255.255 any log

 deny   ip 172.16.0.0 0.15.255.255 any log

 deny   ip 192.168.0.0 0.0.255.255 any log

 remark -

 remark ---Block Autoconfiguration Networks---

 deny   ip 169.254.0.0 0.0.255.255 any log

 remark -

 remark ---Block Loopback Networks---

 deny   ip 127.0.0.0 0.0.255.255 any log

 remark -

 remark ---Block Multicast Networks---

 deny   ip 224.0.0.0 15.255.255.255 any log

 remark -

 remark ---Block Traffic targeted at DMZ Network Edge Devices---

 deny   ip any 192.168.22.0 0.0.0.255 log

 remark -

 remark ---Permit all other traffic---

 permit tcp any any

 permit udp any any

 permit icmp any any

ip access-list extended INTERNAL-FILTER-IN

 remark -------------------------------------------------------

 remark ---Permit Admin Management---

 permit icmp any any

 permit tcp host 192.168.41.101 host 192.168.22.12 eq 22 log

 permit tcp host 192.168.41.102 host 192.168.22.12 eq 22 log

 permit tcp host 192.168.42.122 host 192.168.22.12 eq 22 log

 permit tcp host 192.168.42.124 host 192.168.22.12 eq 22 log

 permit tcp host 192.168.42.131 eq tacacs host 192.168.22.12

 permit tcp host 192.168.42.133 host 192.168.22.12 eq 22 log

 permit tcp host 192.168.42.139 host 192.168.22.12 eq 22 log

 permit tcp host 10.19.151.104 host 192.168.22.12 eq 22 log

 permit tcp host 10.19.151.102 host 192.168.22.12 eq 22 log

 permit tcp host 10.19.151.103 host 192.168.22.12 eq 22 log

 permit tcp host 10.19.151.100 host 192.168.22.12 eq 22 log

 permit tcp host 10.19.151.101 host 192.168.22.12 eq 22 log

 permit tcp host 10.19.151.98 host 192.168.22.12 eq 22 log

 permit tcp host 10.19.151.99 host 192.168.22.12 eq 22 log

 permit udp host 192.168.42.122 host 192.168.22.12 eq snmp

 permit udp host 192.168.42.124 host 192.168.22.12 eq snmp

 permit udp host 192.168.42.133 host 192.168.22.12 eq snmp

 permit udp host 192.168.42.139 host 192.168.22.12 eq snmp

 remark -

 remark ---Permit HSRP V2 packets---

 permit udp host 192.168.22.11 host 224.0.0.102 eq 1985

 remark -

 remark ---Deny other connections to Edge Router---

 deny   ip any host 192.168.22.12 log

 deny   ip any host 192.168.22.10 log

 deny   ip any host 10.10.0.3 log

 remark -

 remark ---Permit all other traffic to Internet---

 permit ip any any

logging trap debugging

logging source-interface GigabitEthernet0/0/2

logging host 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 192.168.42.139 log

access-list 23 permit 10.19.151.104 log

access-list 23 permit 10.19.151.102 log

access-list 23 permit 10.19.151.103 log

access-list 23 permit 10.19.151.100 log

access-list 23 permit 10.19.151.101 log

access-list 23 permit 10.19.151.98 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

ipv6 route 2001:DB8:192::/48 2001:DB8:192:22::1

ipv6 route ::/0 2001:DB8:1010:4::1

snmp-server group V3Group v3 priv read V3Read write V3Write

snmp-server view V3Read iso included

snmp-server view V3Write iso included

snmp-server trap-source GigabitEthernet0/0/2

snmp-server packetsize 8192

snmp-server location Building SJC-17-1 Aisle 1 Rack 1

snmp-server contact Bart McGlothin

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps ipsla

snmp-server enable traps flash insertion removal

snmp-server host 192.168.42.134 version 3 priv <removed>

snmp-server host 192.168.42.139 version 3 priv <removed>

snmp-server host 192.168.42.133 version 3 priv <removed>

tacacs server PRIMARY

 address ipv4 192.168.42.131

 key 7 <removed>

ipv6 access-list BLOCKALL-IPv6

 deny ipv6 any any log

ipv6 access-list IPv6-COARSE-FILTER-INTERNET-IN

 remark --------------------------------------------------------------

 remark ---Block all traffic DHCP server -> client---

 deny udp any eq 547 any eq 546

 remark ---Block all traffic DHCP client -> server---

 deny udp any eq 546 any eq 547

 remark ---Block all traffic Routing Header Type 0---

 deny ipv6 any any routing-type 0

 remark -

 remark ---Accept all ICMPv6 packets for Neighbor Discovery and Path MTU Discovery ---

 permit icmp any any nd-na

 permit icmp any any nd-ns

 permit icmp any any router-advertisement

 permit icmp any any router-solicitation

 permit icmp any any packet-too-big

 permit icmp any any destination-unreachable

 permit icmp any any unreachable

 permit icmp any any no-route

 permit icmp any any echo-reply

 permit icmp any any echo-request

 permit icmp any any time-exceeded

 permit icmp any any parameter-problem

 permit icmp any any mld-query

 permit icmp any any mld-reduction

 permit icmp any any mld-report

 permit icmp any any port-unreachable

 remark --

 remark ---Block IETF Documentation Network---

 remark - deny ipv6 2001:DB8::/32 any - need for Lab validation

 remark ---

 remark ---Block Spoofing of Your Networks---

 deny ipv6 2001:DB8:192::/48 any

 remark ----

 remark ---Block Traffic targeted at DMZ Network Edge Devices---

 deny ipv6 any 2001:DB8:192:22::/64 log

 remark ------

 remark ---Permit Only Assigned Networks to Your Network---

 permit ipv6 2000::/3 2001:DB8:192::/48

ipv6 access-list IPv6-COARSE-FILTER-INTERNET-OUT

 remark ---Temporary LAB permit for use of documentation IPv6 space---

 permit ipv6 2001:DB8::/32 2001:DB8::/32

 remark -------------------------------------------------------

 remark ---Block private networks from reaching Internet---

 remark ---Block IETF reserved Networks---

 deny ipv6 FEC0::/10 any log

 deny ipv6 FC00::/7 any log

 deny ipv6 host :: any log

 deny ipv6 ::/96 any log

 deny ipv6 ::/8 any log

 deny ipv6 ::FFFF:0.0.0.0/96 any log

 deny ipv6 2001:DB8::/32 any log

 remark -

 remark ---Block Loopback Address---

 deny ipv6 host ::1 any log

 remark --

 remark ---Block Multicast Networks---

 deny ipv6 FE00::/7 any log

 remark ---

 remark ---Alternate is to Permit Traffic From My Network to Assigned Networks---

 remark ----

 permit ipv6 2001:DB8:192::/48 2000::/3

 remark -----

 remark ---Explicit Deny for All Other Networks and Log---

 deny ipv6 any any log

ipv6 access-list IPv6-INTERNAL-FILTER-IN

 remark -------------------------------------------------------

 permit icmp any any

 remark -

 remark ---Permit HSRP V2 packets---

 permit udp host 2001:DB8:192:22::11 eq 2029 host FF02::66 eq 2029

 permit udp host FE80::E6D3:F1FF:FE77:D901 eq 2029 host FF02::66 eq 2029

 remark ---Deny other connections to Edge Router---

 deny ipv6 any 2001:DB8:192:22::/64 log

 remark ---Permit My Network Traffic to Assigned Networks---

 permit ipv6 2001:DB8:192::/48 2000::/3

control-plane

banner exec ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^CC

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication COMPLIANCE

 stopbits 1

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 no exec

 transport preferred none

 transport output none

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 ipv6 access-class BLOCKALL-IPv6 in

 logging synchronous

 login authentication COMPLIANCE

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 ipv6 access-class BLOCKALL-IPv6 in

 logging synchronous

 login authentication COMPLIANCE

 transport preferred none

 transport input ssh

 transport output none

ntp source GigabitEthernet0/0/3

ntp server 171.68.10.80 prefer

ntp server 171.68.10.150

end

Converged Core/Aggregation

ASA-IE-1

ASA-IE-1# sh run

: Saved

ASA Version 9.1(1)

hostname ASA-IE-1

domain-name cisco-irn.com

enable password WKlYt0jXwtQLFcz7 encrypted

passwd WKlYt0jXwtQLFcz7 encrypted

names

dns-guard

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2

 ipv6 address 2001:db8:192:21::1/64 standby 2001:db8:192:21::2

 ipv6 enable

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.11.60 255.255.255.0 standby 192.168.11.62

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/3

 description LAN/STATE Failover Interface

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/6

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/7

 shutdown

 no nameif

 no security-level

 no ip address

interface Management0/0

 management-only

 nameif management

 security-level 0

 no ip address

banner exec WARNING:

banner exec **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner exec                              **** AUTHORIZED USERS ONLY! ****

banner exec

banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE 
NECESSARY

banner exec TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

banner exec REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME 
WITHOUT

banner exec FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

banner exec

banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS.

banner login WARNING:

banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

banner asdm WARNING:

banner asdm   **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner asdm                   **** AUTHORIZED USERS ONLY! ****

banner asdm

banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO 
IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE 
SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT.  
UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS 
SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE F

banner asdm

banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

 name-server 192.168.42.130

 domain-name cisco-irn.com

same-security-traffic permit inter-interface

object network PrimeLMS

 host 192.168.42.139

 description Cisco Prime LMS

object network RIE-1_G0-0-1

 host 192.168.22.11

 description ASA1002-X

object network RIE-1_G0-0-1_ipv6

 host 2001:db8:192:22::11

object network RIE-2_G0-0-2

 host 192.168.22.12

 description ASR1002-x

object network RIE-2_G0-0-2_ipv6

 host 2001:db8:192:22::12

object network RIE1+2_HSRP_ipv6

 host 2001:db8:192:22::10

object network RIE1+2_HSRP

 host 192.168.22.10

object network ASA-IE-1-outside.cisco-irn.com

 host 192.168.21.1

object network Bart-Admin99

 host 10.19.151.99

object network DMZ-Network-4

 subnet 192.168.20.24 255.255.255.248

object network DMZ-Networks

 subnet 192.168.20.0 255.255.252.0

object network DMZ-VIP-30

 host 192.168.20.30

object network DataCenter-Networks

 subnet 192.168.0.0 255.255.0.0

 description Private 1918 block

object network EMC-NCM.cisco-irn.com

 host 192.168.42.122

object network ESA-IE-1.cisco-irn.com

 host 192.168.23.68

object network ESMA-IE-1.cisco-irn.com

 host 192.168.23.84

object network EmailSecurityAppliance-Network

 subnet 192.168.23.64 255.255.255.240

object network EmailSecurityManager-Network

 subnet 192.168.23.80 255.255.255.240

object network FSU.cisco-irn.com

 host 192.168.42.138

object network InSide-Network

 subnet 192.168.21.0 255.255.255.0

object network InternetEdge-Networks

 subnet 192.168.20.0 255.255.252.0

object network NTP1.cisco-irn.com

 host 192.168.62.161

object network NTP2.cisco-irn.com

 host 192.168.62.162

object network OutSide-Network

 subnet 192.168.22.0 255.255.255.0

object network PAME-DC-1.cisco-irn.com

 host 192.168.44.111

object network RSA-enVision.cisco-irn.com

 host 192.168.42.124

object network SRV-DC-1.cisco-irn.com

 host 192.168.41.101

object network SRV-DC-2.cisco-irn.com

 host 192.168.41.102

object network Branch-Networks

 subnet 10.10.0.0 255.255.0.0

object network WebSecurityAppliance-Network

 subnet 192.168.23.96 255.255.255.240

object network csmanager.cisco-irn.com

 host 192.168.42.133

object network tacacs.cisco-irn.com

 host 192.168.42.131

object network ActiveDirectory

 host 192.168.42.130

object network LABNTP-1.cisco.com

 host 171.68.10.150

object network LABNTP-2.cisco.com

 host 171.68.10.80

object network nist-chicago-NoDNS-

 host 38.106.177.10

 description Chicago, Illinois

object network nist-time-server.eoni.com

 host 216.228.192.69

 description La Grande, Oregon

object network nist.expertsmi.com

 host 50.77.217.185

 description Monroe, Michigan

object network nist.netservicesgroup.com

 host 64.113.32.5

 description Southfield, Michigan

object network nist.time.nosc.us

 host 96.226.123.117

 description Carrollton, Texas

object network nist1-atl.ustiming.org

 host 64.250.177.145

 description Atlanta, Georgia

object network nist1-chi.ustiming.org

 host 216.171.120.36

 description Chicago, Illinois

object network nist1-la.ustiming.org

 host 64.147.116.229

 description Los Angeles, California

object network nist1-lnk.binary.net

 host 216.229.0.179

 description Lincoln, Nebraska

object network nist1-lv.ustiming.org

 host 64.250.229.100

 description Las Vegas, Nevada

object network nist1-nj.ustiming.org

 host 96.47.67.105

 description Bridgewater, NJ

object network nist1-nj2.ustiming.org

 host 165.193.126.229

 description Weehawken, NJ

object network nist1-ny.ustiming.org

 host 64.90.182.55

 description New York City, NY

object network nist1-pa.ustiming.org

 host 206.246.122.250

 description Hatfield, PA

object network nist1-sj.ustiming.org

 host 216.171.124.36

 description San Jose, California

object network nist1.aol-ca.symmetricom.com

 host 207.200.81.113

 description Mountain View, California

object network nist1.aol-va.symmetricom.com

 host 64.236.96.53

 description Reston, Virginia

object network nist1.columbiacountyga.gov

 host 216.119.63.113

 description Columbia County, Georgia

object network nist1.symmetricom.com

 host 69.25.96.13

 description San Jose, California

object network nist2-nj2.ustiming.org

 host 165.193.126.232

 description Weehawken, NJ

object network nisttime.carsoncity.k12.mi.us

 host 66.219.116.140

 description Carson City, Michigan

object network ntp-nist.ldsbc.edu

 host 198.60.73.8

 description LDSBC, Salt Lake City, Utah

object network time-a.nist.gov

 host 129.6.15.28

 description NIST, Gaithersburg, Maryland

object network time-a.timefreq.bldrdoc.gov

 host 132.163.4.101

 description NIST, Boulder, Colorado

object network time-b.nist.gov

 host 129.6.15.29

 description NIST, Gaithersburg, Maryland

object network time-b.timefreq.bldrdoc.gov

 host 132.163.4.102

 description NIST, Boulder, Colorado

object network time-c.timefreq.bldrdoc.gov

 host 132.163.4.103

 description NIST, Boulder, Colorado

object network time-d.nist.gov

 host 2610:20:6f15:15::27

 description NIST, Gaithersburg, Maryland

object network time-nw.nist.gov

 host 131.107.13.100

 description Microsoft, Redmond, Washington

object network utcnist.colorado.edu

 host 128.138.140.44

 description University of Colorado, Boulder

object network utcnist2.colorado.edu

 host 128.138.141.172

 description University of Colorado, Boulder

object network wwv.nist.gov

 host 24.56.178.140

 description WWV, Fort Collins, Colorado

object network ASA-IE-1-outside_ipv6.cisco-irn.com

 host 2001:db8:192:21::1

object network DMZ-VIP-30_ipv6

 host 2001:db8:192:20a4::30

object network CiscoLAB10-Network

 subnet 10.0.0.0 255.0.0.0

 description Private 1918 block

object network CiscoLAB171-Network

 subnet 171.68.0.0 255.255.0.0

 description ARIN Block

object network CiscoLAB172-Network

 subnet 172.16.0.0 255.240.0.0

 description Private 1918 block

object network DMZ-Network-4v6

 subnet 2001:db8:192:20a4::/64

object network EmailSecurityAppliance-Networkv6

 subnet 2001:db8:192:23a5::/64

object network EmailSecurityManager-Networkv6

 subnet 2001:db8:192:23a6::/64

object network InSide-Networkv6

 subnet 2001:db8:192:21::/64

object network OutSide-Networkv6

 subnet 2001:db8:192:22::/64

object network WebSecurityAppliance-Networkv6

 subnet 2001:db8:192:23a7::/64

object network ESA-IE-1.cisco-irn.com_ipv6

 host 2001:db8:192:23a5::68

object network ESMA-IE-1.cisco-irn.com_ipv6

 host 2001:db8:192:23a6::84

object network WSA-IE-1.cisco-irn.com

 host 192.168.23.100

object network WSA-IE-1.cisco-irn.com_ipv6

 host 2001:db8:192:23a7::100

object network ASASM-DMZ-1.cisco-irn.com

 host 192.168.21.10

object network ASASM-DMZ-2.cicso-irn.com

 host 192.168.21.12

object network ASASM-DMZ-1.cisco-irn.com_ipv6

 host 2001:db8:192:21::10

object-group service RDP tcp

 port-object eq 3389

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service vCenter-to-ESX4 tcp

 description Communication from vCetner to ESX hosts

 port-object eq 5989

 port-object eq 8000

 port-object eq 902

 port-object eq 903

object-group network NTP-Servers

 description NTP Servers

 network-object object NTP1.cisco-irn.com

 network-object object NTP2.cisco-irn.com

 network-object object ActiveDirectory

object-group network NTP-PublicServers

 description Public time.nist.gov servers

 network-object object nist-chicago-NoDNS-

 network-object object nist-time-server.eoni.com

 network-object object nist.expertsmi.com

 network-object object nist.netservicesgroup.com

 network-object object nist.time.nosc.us

 network-object object nist1-atl.ustiming.org

 network-object object nist1-chi.ustiming.org

 network-object object nist1-la.ustiming.org

 network-object object nist1-lnk.binary.net

 network-object object nist1-lv.ustiming.org

 network-object object nist1-nj.ustiming.org

 network-object object nist1-nj2.ustiming.org

 network-object object nist1-ny.ustiming.org

 network-object object nist1-pa.ustiming.org

 network-object object nist1-sj.ustiming.org

 network-object object nist1.aol-ca.symmetricom.com

 network-object object nist1.aol-va.symmetricom.com

 network-object object nist1.columbiacountyga.gov

 network-object object nist1.symmetricom.com

 network-object object nist2-nj2.ustiming.org

 network-object object nisttime.carsoncity.k12.mi.us

 network-object object ntp-nist.ldsbc.edu

 network-object object time-a.nist.gov

 network-object object time-a.timefreq.bldrdoc.gov

 network-object object time-b.nist.gov

 network-object object time-b.timefreq.bldrdoc.gov

 network-object object time-c.timefreq.bldrdoc.gov

 network-object object time-d.nist.gov

 network-object object time-nw.nist.gov

 network-object object utcnist.colorado.edu

 network-object object utcnist2.colorado.edu

 network-object object wwv.nist.gov

 network-object object LABNTP-1.cisco.com

 network-object object LABNTP-2.cisco.com

object-group network Admin-Systems

 network-object object PrimeLMS

 network-object object Bart-Admin99

 network-object object EMC-NCM.cisco-irn.com

 network-object object RSA-enVision.cisco-irn.com

 network-object object SRV-DC-1.cisco-irn.com

 network-object object SRV-DC-2.cisco-irn.com

 network-object object csmanager.cisco-irn.com

object-group network DM_INLINE_NETWORK_1

 network-object object EMC-NCM.cisco-irn.com

 network-object object PrimeLMS

 network-object object csmanager.cisco-irn.com

object-group network DM_INLINE_NETWORK_2

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group network DM_INLINE_NETWORK_3

 network-object object EmailSecurityAppliance-Network

 network-object object EmailSecurityManager-Network

 network-object object WebSecurityAppliance-Network

object-group network DM_INLINE_NETWORK_4

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group network DM_INLINE_NETWORK_5

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group network DM_INLINE_NETWORK_6

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group icmp-type DM_INLINE_ICMP_1

 icmp-object echo

 icmp-object echo-reply

 icmp-object information-reply

 icmp-object information-request

 icmp-object redirect

 icmp-object time-exceeded

 icmp-object traceroute

object-group service DM_INLINE_TCP_1 tcp

 group-object RDP

 port-object eq https

 port-object eq ssh

 group-object vCenter-to-ESX4

object-group service DM_INLINE_TCP_2 tcp

 port-object eq https

 port-object eq smtp

 port-object eq ssh

object-group service DM_INLINE_TCP_3 tcp

 port-object eq https

 port-object eq ssh

object-group service DM_INLINE_TCP_4 tcp

 port-object eq 1080

 port-object eq 8080

 port-object eq 8443

 port-object eq www

 port-object eq https

 port-object eq ssh

object-group network DM_INLINE_NETWORK_10

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group network DM_INLINE_NETWORK_11

 network-object object CiscoLAB10-Network

 network-object object CiscoLAB171-Network

 network-object object CiscoLAB172-Network

object-group network DM_INLINE_NETWORK_12

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group network DM_INLINE_NETWORK_7

 network-object object RIE-1_G0-0-1

 network-object object RIE-2_G0-0-2

 network-object object DMZ-Networks

object-group network DM_INLINE_NETWORK_8

 network-object object RIE-1_G0-0-1

 network-object object RIE-2_G0-0-2

 network-object object DMZ-Networks

 network-object object ASASM-DMZ-1.cisco-irn.com

 network-object object ASASM-DMZ-2.cicso-irn.com

object-group network DM_INLINE_NETWORK_9

 network-object object CiscoLAB10-Network

 network-object object CiscoLAB171-Network

 network-object object CiscoLAB172-Network

object-group service DM_INLINE_TCP_5 tcp

 group-object RDP

 port-object eq 1080

 port-object eq 8080

 port-object eq 8443

 port-object eq 8444

 port-object eq 8880

 port-object eq www

 port-object eq https

 port-object eq ssh

 group-object vCenter-to-ESX4

object-group network DM_INLINE_NETWORK_13

 network-object object RIE-1_G0-0-1

 network-object object RIE-2_G0-0-2

 network-object object DMZ-Networks

access-list all extended permit ip any any

access-list OUTSIDE_IN extended permit icmp6 any6 any6

access-list OUTSIDE_IN remark Clientless VPN for IPv6

access-list OUTSIDE_IN extended permit tcp any6 object ASASM-DMZ-1.cisco-irn.com_ipv6 eq 
https

access-list OUTSIDE_IN remark Clientless VPN

access-list OUTSIDE_IN extended permit tcp any object ASA-IE-1-outside_ipv6.cisco-irn.com 
eq https

access-list OUTSIDE_IN remark DMZ Systems send Syslog messages

access-list OUTSIDE_IN extended permit udp object-group DM_INLINE_NETWORK_7 object 
RSA-enVision.cisco-irn.com eq syslog

access-list OUTSIDE_IN remark DMZ Systems Authenticate access

access-list OUTSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_8 object 
tacacs.cisco-irn.com eq tacacs

access-list OUTSIDE_IN remark DMZ Systems Authenticate access

access-list OUTSIDE_IN extended permit object-group TCPUDP object-group 
DM_INLINE_NETWORK_13 object ActiveDirectory eq domain

access-list OUTSIDE_IN remark ====LAB ACCESS to TEST===REMOVE===

access-list OUTSIDE_IN extended permit icmp object-group DM_INLINE_NETWORK_9 object-group 
DM_INLINE_NETWORK_10

access-list OUTSIDE_IN remark ====LAB ACCESS to TEST===REMOVE===

access-list OUTSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_11 object-group 
DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_5

access-list OUTSIDE_IN remark Drop all other traffic

access-list OUTSIDE_IN extended deny ip any any log

access-list DROP-ALL extended deny ip any any

access-list INSIDE_IN remark Admin Access to DMZ

access-list INSIDE_IN extended permit tcp object-group Admin-Systems object DMZ-Networks 
object-group DM_INLINE_TCP_1

access-list INSIDE_IN remark Manage DMZ Devices

access-list INSIDE_IN extended permit udp object-group DM_INLINE_NETWORK_1 object 
DMZ-Networks eq snmp

access-list INSIDE_IN remark Network Time

access-list INSIDE_IN extended permit udp object-group NTP-Servers object-group 
NTP-PublicServers eq ntp

access-list INSIDE_IN remark Allow Access to services for Ironport Apps

access-list INSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_2 object-group 
DM_INLINE_NETWORK_3 object-group DM_INLINE_TCP_2

access-list INSIDE_IN remark Allow Secure traffic to DMZ

access-list INSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_4 object 
DMZ-VIP-30 object-group DM_INLINE_TCP_3

access-list INSIDE_IN remark - Block non-secure traffic to DMZ

access-list INSIDE_IN extended deny ip any object DMZ-Networks

access-list INSIDE_IN remark Allow outbound services for Internet

access-list INSIDE_IN extended permit icmp object-group DM_INLINE_NETWORK_5 any 
object-group DM_INLINE_ICMP_1

access-list INSIDE_IN remark General Internet Browsing

access-list INSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_6 any 
object-group DM_INLINE_TCP_4

access-list INSIDE_IN remark DNS Services

access-list INSIDE_IN extended permit object-group TCPUDP object ActiveDirectory any eq 
domain

access-list INSIDE_IN remark Drop and Log all other traffic - END-OF-LINE

access-list INSIDE_IN extended deny ip any any log

access-list all-web webtype permit url any log default

pager lines 24

logging enable

logging timestamp

logging standby

logging buffer-size 1048576

logging asdm-buffer-size 512

logging trap informational

logging asdm informational

logging host inside 192.168.42.124

mtu outside 1500

mtu inside 1500

mtu management 1500

failover

failover lan unit primary

failover lan interface folink GigabitEthernet0/3

failover link folink GigabitEthernet0/3

failover interface ip folink 192.168.12.31 255.255.255.0 standby 192.168.12.32

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-711.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group OUTSIDE_IN in interface outside

access-group INSIDE_IN in interface inside

access-group DROP-ALL in interface management

ipv6 icmp permit any echo outside

ipv6 icmp permit any echo-reply outside

ipv6 icmp permit any membership-query inside

ipv6 icmp permit any membership-reduction inside

ipv6 icmp permit any membership-report inside

ipv6 icmp permit any neighbor-advertisement inside

ipv6 icmp permit any neighbor-redirect inside

ipv6 icmp permit any neighbor-solicitation inside

ipv6 icmp permit any packet-too-big inside

ipv6 icmp permit any parameter-problem inside

ipv6 icmp permit any router-advertisement inside

ipv6 icmp permit any router-solicitation inside

ipv6 icmp permit any time-exceeded inside

ipv6 icmp permit any unreachable inside

ipv6 route outside ::/0 2001:db8:192:21::10

route outside 0.0.0.0 0.0.0.0 192.168.21.10 1

route inside 10.10.0.0 255.255.0.0 192.168.11.1 1

route outside 10.10.0.0 255.255.255.0 192.168.21.10 1

route inside 192.168.0.0 255.255.0.0 192.168.11.10 10

route outside 192.168.20.0 255.255.255.0 192.168.21.10 1

route outside 192.168.22.0 255.255.255.0 192.168.21.10 1

route outside 192.168.23.0 255.255.255.0 192.168.21.10 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

 network-acl all

 webvpn

  appl-acl all-web

  file-browsing enable

  file-entry enable

  http-proxy enable

  url-entry enable

  svc ask enable default webvpn

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host 192.168.42.137

 timeout 5

 key *****

 radius-common-pw *****

aaa-server COMPLIANCE protocol tacacs+

 reactivation-mode depletion deadtime 15

 max-failed-attempts 5

aaa-server COMPLIANCE (inside) host 192.168.42.131

 key *****

user-identity default-domain LOCAL

aaa authentication enable console COMPLIANCE LOCAL

aaa authentication http console COMPLIANCE LOCAL

aaa authentication serial console COMPLIANCE LOCAL

aaa authentication ssh console COMPLIANCE LOCAL

aaa authorization command COMPLIANCE LOCAL

aaa accounting enable console COMPLIANCE

aaa accounting serial console COMPLIANCE

aaa accounting ssh console COMPLIANCE

aaa accounting command COMPLIANCE

aaa authentication secure-http-client

aaa local authentication attempts max-fail 6

aaa authorization exec authentication-server

http server enable

http server idle-timeout 15

http server session-timeout 15

http 192.168.41.101 255.255.255.255 inside

http 192.168.41.102 255.255.255.255 inside

http 192.168.42.122 255.255.255.255 inside

http 192.168.42.124 255.255.255.255 inside

http 192.168.42.133 255.255.255.255 inside

http 192.168.42.138 255.255.255.255 inside

http 192.168.42.139 255.255.255.255 inside

snmp-server group V3Group v3 priv

snmp-server user ciscolms V3Group v3 encrypted auth sha 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14:
98:e5

snmp-server user csmadmin V3Group v3 encrypted auth sha 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14:
98:e5

snmp-server host inside 192.168.42.134 version 3 ciscolms

snmp-server host inside 192.168.42.139 version 3 ciscolms

snmp-server host inside 192.168.42.133 version 3 csmadmin

snmp-server location Building SJC-17-1 Aisle 2 Rack 3

snmp-server contact EmployeeA

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh scopy enable

ssh 192.168.41.101 255.255.255.255 inside

ssh 192.168.41.102 255.255.255.255 inside

ssh 192.168.42.122 255.255.255.255 inside

ssh 192.168.42.124 255.255.255.255 inside

ssh 192.168.42.133 255.255.255.255 inside

ssh 192.168.42.138 255.255.255.255 inside

ssh 192.168.42.139 255.255.255.255 inside

ssh timeout 15

ssh version 2

console timeout 15

management-access inside

tls-proxy maximum-session 1000

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.62.162 source inside

ntp server 192.168.62.161 source inside prefer

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

webvpn

 enable outside

 anyconnect-essentials

 internal-password enable

 smart-tunnel list AllExternalApplications All-Applications * platform windows

group-policy DfltGrpPolicy attributes

 webvpn

  smart-tunnel enable AllExternalApplications

group-policy Retail-PCI internal

group-policy Retail-PCI attributes

 vpn-tunnel-protocol ssl-clientless

username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15

username retail password XgJyMnijuEPQSGoY encrypted privilege 15

username emc-ncm password 4gFPrpXqWo/ncR1h encrypted privilege 15

username ciscolms password huo2PmvTsMk6Cv1L encrypted privilege 15

username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

 authentication-server-group partnerauth

tunnel-group DefaultWEBVPNGroup general-attributes

 authentication-server-group partnerauth

tunnel-group Retail-Lab type remote-access

tunnel-group Retail-Lab general-attributes

 authentication-server-group partnerauth LOCAL

 default-group-policy Retail-PCI

class-map inspection_default

 match default-inspection-traffic

class-map global-class-PCI

 match any

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 description IPS inspection policy for Cisco PCI LAB

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

 class global-class-PCI

  ips inline fail-close

policy-map type inspect dns migrated_dns_map_1

 parameters

  message-length maximum client auto

  message-length maximum 512

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:d01b4c45ee6507fcc152f2f9e01983b1

: end

ASA-IE-1# $

DMZ-IDS-1

! ------------------------------

! Current configuration last modified Thu Apr 28 21:34:42 2011

! ------------------------------

! Version 7.0(4)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S500.0   2010-07-09

! ------------------------------

service interface

physical-interfaces GigabitEthernet0/7

subinterface-type inline-vlan-pair

subinterface 1

description INT1 vlans 83 and 84

vlan1 83

vlan2 84

exit

exit

exit

exit

! ------------------------------

service authentication

attemptLimit 6

password-strength

size 7-64

digits-min 1

lowercase-min 1

other-min 1

number-old-passwords 4

exit

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 192.168.21.93/24,192.168.21.1

host-name DMZ-IDS1

telnet-option disabled

access-list 10.19.151.99/32

access-list 192.168.41.101/32

access-list 192.168.41.102/32

access-list 192.168.42.122/32

access-list 192.168.42.124/32

access-list 192.168.42.133/32

access-list 192.168.42.138/32

dns-primary-server enabled

address 192.168.42.130

exit

dns-secondary-server disabled

dns-tertiary-server disabled

http-proxy proxy-server

address 128.107.241.169

port 80

exit

exit

time-zone-settings

offset -8

standard-time-zone-name PST

exit

ntp-option enabled-ntp-unauthenticated

ntp-server 192.168.62.161

exit

summertime-option recurring

summertime-zone-name PDT

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

trap-destinations 192.168.42.124

trap-community-name <removed>

exit

enable-notifications true

trap-community-name <removed>

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

aaa radius

primary-server

server-address 192.168.42.131

shared-secret <removed>

exit

nas-id DMZ-IDS1

local-fallback enabled

console-authentication radius-and-local

default-user-role administrator

exit

exit

! ------------------------------

service analysis-engine

exit

DMZ-ASASM

ASASM-RIE-3#                sh run

: Saved

ASA Version 9.1(1)

hostname ASASM-RIE-3

domain-name cisco-irn.com

enable password WKlYt0jXwtQLFcz7 encrypted

passwd WKlYt0jXwtQLFcz7 encrypted

names

dns-guard

interface Vlan21

 nameif inside

 security-level 100

 ip address 192.168.21.10 255.255.255.0 standby 192.168.21.12

 ipv6 address 2001:db8:192:21::10/64 standby 2001:db8:192:21::12

 ipv6 enable

interface Vlan22

 nameif outside

 security-level 0

 ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2

 ipv6 address 2001:db8:192:22::1/64 standby 2001:db8:192:22::3

 ipv6 enable

interface Vlan82

 nameif DMZ

 security-level 20

 ip address 192.168.20.25 255.255.255.248 standby 192.168.20.26

 ipv6 address 2001:db8:192:20a4::25/64 standby 2001:db8:192:20a4::26

 ipv6 enable

interface Vlan91

 description LAN Failover Interface

interface Vlan92

 description STATE Failover Interface

interface Vlan2305

 nameif EmailSecurityAppliance

 security-level 50

 ip address 192.168.23.65 255.255.255.240 standby 192.168.23.66

 ipv6 address 2001:db8:192:23a5::65/64 standby 2001:db8:192:23a5::66

 ipv6 enable

interface Vlan2306

 nameif EmailSecurityMgrAppliance

 security-level 60

 ip address 192.168.23.81 255.255.255.240 standby 192.168.23.82

 ipv6 address 2001:db8:192:23a6::81/64 standby 2001:db8:192:23a6::82

 ipv6 enable

interface Vlan2307

 shutdown

 nameif WebSecurityAppliance

 security-level 40

 ip address 192.168.23.97 255.255.255.240 standby 192.168.23.98

 ipv6 address 2001:db8:192:23a7::97/64 standby 2001:db8:192:23a7::98

 ipv6 enable

banner exec WARNING:

banner exec     **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner exec                     **** AUTHORIZED USERS ONLY! ****

banner exec

banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE 
NECESSARY

banner exec TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

banner exec REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME 
WITHOUT

banner exec FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

banner exec

banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS.

banner login WARNING:

banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

banner asdm WARNING:

banner asdm     **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner asdm                     **** AUTHORIZED USERS ONLY! ****

banner asdm

banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

banner asdm TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE 
NECESSARY

banner asdm TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

banner asdm REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME 
WITHOUT

banner asdm FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

banner asdm CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

banner asdm ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

banner asdm

banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS

boot system disk0:/asa911-smp-k8.bin

boot system disk0:/asa901-smp-k8.bin

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

 name-server 192.168.42.130

 domain-name cisco-irn.com

same-security-traffic permit inter-interface

object network PrimeLMS

 host 192.168.42.139

 description Cisco Prime LMS

object network RIE-1_G0-0-1

 host 192.168.22.11

 description ASA1002-X

object network RIE-1_G0-0-1_ipv6

 host 2001:db8:192:22::11

object network RIE-2_G0-0-2

 host 192.168.22.12

 description ASR1002-x

object network RIE-2_G0-0-2_ipv6

 host 2001:db8:192:22::12

object network RIE1+2_HSRP_ipv6

 host 2001:db8:192:22::10

object network RIE1+2_HSRP

 host 192.168.22.10

object network ASA-IE-1-outside.cisco-irn.com

 host 192.168.21.1

object network Bart-Admin99

 host 10.19.151.99

object network DMZ-Network-4

 subnet 192.168.20.24 255.255.255.248

object network DMZ-Networks

 subnet 192.168.20.0 255.255.255.0

object network DMZ-VIP-30

 host 192.168.20.30

object network DataCenter-Networks

 subnet 192.168.0.0 255.255.0.0

 description Private 1918 block

object network EMC-NCM.cisco-irn.com

 host 192.168.42.122

object network ESA-IE-1.cisco-irn.com

 host 192.168.23.68

object network ESMA-IE-1.cisco-irn.com

 host 192.168.23.84

object network EmailSecurityAppliance-Network

 subnet 192.168.23.64 255.255.255.240

object network EmailSecurityManager-Network

 subnet 192.168.23.80 255.255.255.240

object network FSU.cisco-irn.com

 host 192.168.42.138

object network InSide-Network

 subnet 192.168.21.0 255.255.255.0

object network InternetEdge-Networks

 subnet 192.168.20.0 255.255.252.0

object network NTP1.cisco-irn.com

 host 192.168.62.161

object network NTP2.cisco-irn.com

 host 192.168.62.162

object network OutSide-Network

 subnet 192.168.22.0 255.255.255.0

object network PAME-DC-1.cisco-irn.com

 host 192.168.44.111

object network RSA-enVision.cisco-irn.com

 host 192.168.42.124

object network SRV-DC-1.cisco-irn.com

 host 192.168.41.101

object network SRV-DC-2.cisco-irn.com

 host 192.168.41.102

object network Branch-Networks

 subnet 10.10.0.0 255.255.0.0

object network WebSecurityAppliance-Network

 subnet 192.168.23.96 255.255.255.240

object network csmanager.cisco-irn.com

 host 192.168.42.133

object network tacacs.cisco-irn.com

 host 192.168.42.131

object network ActiveDirectory

 host 192.168.42.130

object network LABNTP-1.cisco.com

 host 172.26.129.252

object network LABNTP-2.cisco.com

 host 172.28.189.1

object network nist-chicago-NoDNS-

 host 38.106.177.10

 description Chicago, Illinois

object network nist-time-server.eoni.com

 host 216.228.192.69

 description La Grande, Oregon

object network nist.expertsmi.com

 host 50.77.217.185

 description Monroe, Michigan

object network nist.netservicesgroup.com

 host 64.113.32.5

 description Southfield, Michigan

object network nist.time.nosc.us

 host 96.226.123.117

 description Carrollton, Texas

object network nist1-atl.ustiming.org

 host 64.250.177.145

 description Atlanta, Georgia

object network nist1-chi.ustiming.org

 host 216.171.120.36

 description Chicago, Illinois

object network nist1-la.ustiming.org

 host 64.147.116.229

 description Los Angeles, California

object network nist1-lnk.binary.net

 host 216.229.0.179

 description Lincoln, Nebraska

object network nist1-lv.ustiming.org

 host 64.250.229.100

 description Las Vegas, Nevada

object network nist1-nj.ustiming.org

 host 96.47.67.105

 description Bridgewater, NJ

object network nist1-nj2.ustiming.org

 host 165.193.126.229

 description Weehawken, NJ

object network nist1-ny.ustiming.org

 host 64.90.182.55

 description New York City, NY

object network nist1-pa.ustiming.org

 host 206.246.122.250

 description Hatfield, PA

object network nist1-sj.ustiming.org

 host 216.171.124.36

 description San Jose, California

object network nist1.aol-ca.symmetricom.com

 host 207.200.81.113

 description Mountain View, California

object network nist1.aol-va.symmetricom.com

 host 64.236.96.53

 description Reston, Virginia

object network nist1.columbiacountyga.gov

 host 216.119.63.113

 description Columbia County, Georgia

object network nist1.symmetricom.com

 host 69.25.96.13

 description San Jose, California

object network nist2-nj2.ustiming.org

 host 165.193.126.232

 description Weehawken, NJ

object network nisttime.carsoncity.k12.mi.us

 host 66.219.116.140

 description Carson City, Michigan

object network ntp-nist.ldsbc.edu

 host 198.60.73.8

 description LDSBC, Salt Lake City, Utah

object network time-a.nist.gov

 host 129.6.15.28

 description NIST, Gaithersburg, Maryland

object network time-a.timefreq.bldrdoc.gov

 host 132.163.4.101

 description NIST, Boulder, Colorado

object network time-b.nist.gov

 host 129.6.15.29

 description NIST, Gaithersburg, Maryland

object network time-b.timefreq.bldrdoc.gov

 host 132.163.4.102

 description NIST, Boulder, Colorado

object network time-c.timefreq.bldrdoc.gov

 host 132.163.4.103

 description NIST, Boulder, Colorado

object network time-d.nist.gov

 host 2610:20:6f15:15::27

 description NIST, Gaithersburg, Maryland

object network time-nw.nist.gov

 host 131.107.13.100

 description Microsoft, Redmond, Washington

object network utcnist.colorado.edu

 host 128.138.140.44

 description University of Colorado, Boulder

object network utcnist2.colorado.edu

 host 128.138.141.172

 description University of Colorado, Boulder

object network wwv.nist.gov

 host 24.56.178.140

 description WWV, Fort Collins, Colorado

object network ASA-IE-1-outside_ipv6.cisco-irn.com

 host 2001:db8:192:21::1

object network DMZ-VIP-30_ipv6

 host 2001:db8:192:20a4::30

object network CiscoLAB10-Network

 subnet 10.0.0.0 255.0.0.0

 description Private 1918 block

object network CiscoLAB171-Network

 subnet 171.68.0.0 255.255.0.0

 description ARIN Block

object network CiscoLAB172-Network

 subnet 172.16.0.0 255.240.0.0

 description Private 1918 block

object network DMZ-Network-4v6

 subnet 2001:db8:192:20a4::/64

object network EmailSecurityAppliance-Networkv6

 subnet 2001:db8:192:23a5::/64

object network EmailSecurityManager-Networkv6

 subnet 2001:db8:192:23a6::/64

object network InSide-Networkv6

 subnet 2001:db8:192:21::/64

object network OutSide-Networkv6

 subnet 2001:db8:192:22::/64

object network WebSecurityAppliance-Networkv6

 subnet 2001:db8:192:23a7::/64

object network ESA-IE-1.cisco-irn.com_ipv6

 host 2001:db8:192:23a5::68

object network ESMA-IE-1.cisco-irn.com_ipv6

 host 2001:db8:192:23a6::84

object network WSA-IE-1.cisco-irn.com

 host 192.168.23.100

object network WSA-IE-1.cisco-irn.com_ipv6

 host 2001:db8:192:23a7::100

object-group icmp-type DM_INLINE_ICMP_1

 icmp-object echo

 icmp-object echo-reply

 icmp-object information-reply

 icmp-object redirect

 icmp-object time-exceeded

 icmp-object traceroute

object-group network DM_INLINE_NETWORK_27

 network-object object ESA-IE-1.cisco-irn.com

 network-object object ESA-IE-1.cisco-irn.com_ipv6

object-group protocol ICMP-v6

 protocol-object icmp6

object-group network DM_INLINE_NETWORK_20

 network-object object ESA-IE-1.cisco-irn.com

 network-object object ESA-IE-1.cisco-irn.com_ipv6

object-group service DM_INLINE_SERVICE_1

 service-object tcp destination eq https

 service-object tcp destination eq ssh

object-group network NTP-Servers

 description NTP Servers

 network-object object NTP1.cisco-irn.com

 network-object object NTP2.cisco-irn.com

 network-object object ActiveDirectory

object-group network DM_INLINE_NETWORK_6

 network-object object EmailSecurityAppliance-Network

 network-object object EmailSecurityManager-Network

 network-object object WebSecurityAppliance-Network

object-group service RDP tcp

 port-object eq 3389

object-group service vCenter-to-ESX4 tcp

 description Communication from vCetner to ESX hosts

 port-object eq 5989

 port-object eq 8000

 port-object eq 902

 port-object eq 903

object-group service DM_INLINE_TCP_2 tcp

 group-object RDP

 port-object eq https

 port-object eq ssh

 group-object vCenter-to-ESX4

object-group service DM_INLINE_UDP_1 udp

 port-object eq 1812

 port-object eq 1813

object-group service DM_INLINE_UDP_2 udp

 port-object eq 1812

 port-object eq 1813

object-group network DM_INLINE_NETWORK_2

 network-object object EMC-NCM.cisco-irn.com

 network-object object PrimeLMS

 network-object object csmanager.cisco-irn.com

object-group service DM_INLINE_UDP_3 udp

 port-object eq 1812

 port-object eq 1813

object-group network DM_INLINE_NETWORK_21

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group service DM_INLINE_TCP_3 tcp

 port-object eq https

 port-object eq smtp

 port-object eq ssh

object-group network DM_INLINE_NETWORK_22

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group network DM_INLINE_NETWORK_23

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group network Admin-Systems

 network-object object PrimeLMS

 network-object object Bart-Admin99

 network-object object EMC-NCM.cisco-irn.com

 network-object object RSA-enVision.cisco-irn.com

 network-object object SRV-DC-1.cisco-irn.com

 network-object object SRV-DC-2.cisco-irn.com

 network-object object csmanager.cisco-irn.com

object-group network DM_INLINE_NETWORK_24

 network-object object Branch-Networks

 network-object object DataCenter-Networks

object-group service DM_INLINE_TCP_4 tcp

 port-object eq https

 port-object eq ssh

object-group service DM_INLINE_TCP_5 tcp

 port-object eq 1080

 port-object eq 8080

 port-object eq 8443

 port-object eq www

 port-object eq https

 port-object eq ssh

object-group network DM_INLINE_NETWORK_25

 network-object object RIE-1_G0-0-1

 network-object object RIE-2_G0-0-2

object-group network DM_INLINE_NETWORK_26

 network-object object RIE-1_G0-0-1

 network-object object RIE-2_G0-0-2

object-group network DM_INLINE_NETWORK_3

 network-object object DataCenter-Networks

 network-object object Branch-Networks

object-group network NTP-PublicServers

 description Public time.nist.gov servers

 network-object object LABNTP-1.cisco.com

 network-object object LABNTP-2.cisco.com

 network-object object nist-chicago-NoDNS-

 network-object object nist-time-server.eoni.com

 network-object object nist.expertsmi.com

 network-object object nist.netservicesgroup.com

 network-object object nist.time.nosc.us

 network-object object nist1-atl.ustiming.org

 network-object object nist1-chi.ustiming.org

 network-object object nist1-la.ustiming.org

 network-object object nist1-lnk.binary.net

 network-object object nist1-lv.ustiming.org

 network-object object nist1-nj.ustiming.org

 network-object object nist1-nj2.ustiming.org

 network-object object nist1-ny.ustiming.org

 network-object object nist1-pa.ustiming.org

 network-object object nist1-sj.ustiming.org

 network-object object nist1.aol-ca.symmetricom.com

 network-object object nist1.aol-va.symmetricom.com

 network-object object nist1.columbiacountyga.gov

 network-object object nist1.symmetricom.com

 network-object object nist2-nj2.ustiming.org

 network-object object nisttime.carsoncity.k12.mi.us

 network-object object ntp-nist.ldsbc.edu

 network-object object time-a.nist.gov

 network-object object time-a.timefreq.bldrdoc.gov

 network-object object time-b.nist.gov

 network-object object time-b.timefreq.bldrdoc.gov

 network-object object time-c.timefreq.bldrdoc.gov

 network-object object time-d.nist.gov

 network-object object time-nw.nist.gov

 network-object object utcnist.colorado.edu

 network-object object utcnist2.colorado.edu

 network-object object wwv.nist.gov

object-group network DM_INLINE_NETWORK_4

 network-object object DMZ-VIP-30

 network-object object DMZ-VIP-30_ipv6

object-group network DM_INLINE_NETWORK_5

 network-object object ASA-IE-1-outside.cisco-irn.com

 network-object object ASA-IE-1-outside_ipv6.cisco-irn.com

object-group network DM_INLINE_NETWORK_7

 network-object object DataCenter-Networks

 network-object object Branch-Networks

object-group service DM_INLINE_TCP_1 tcp

 group-object RDP

 port-object eq www

 port-object eq https

 port-object eq ssh

 group-object vCenter-to-ESX4

 port-object eq 1080

 port-object eq 8080

 port-object eq 8443

 port-object eq 8444

 port-object eq 8880

object-group network DM_INLINE_NETWORK_8

 network-object object CiscoLAB10-Network

 network-object object CiscoLAB171-Network

 network-object object CiscoLAB172-Network

object-group network DM_INLINE_NETWORK_9

 network-object object CiscoLAB10-Network

 network-object object CiscoLAB171-Network

 network-object object CiscoLAB172-Network

object-group network DM_INLINE_NETWORK_1

 network-object object WSA-IE-1.cisco-irn.com

 network-object object WSA-IE-1.cisco-irn.com_ipv6

object-group network DM_INLINE_NETWORK_10

 network-object object ESMA-IE-1.cisco-irn.com

 network-object object ESMA-IE-1.cisco-irn.com_ipv6

object-group network DM_INLINE_NETWORK_11

 network-object object WSA-IE-1.cisco-irn.com

 network-object object WSA-IE-1.cisco-irn.com_ipv6

object-group network DM_INLINE_NETWORK_12

 network-object object ESMA-IE-1.cisco-irn.com

 network-object object ESMA-IE-1.cisco-irn.com_ipv6

object-group network DM_INLINE_NETWORK_13

 network-object object ESA-IE-1.cisco-irn.com

 network-object object ESA-IE-1.cisco-irn.com_ipv6

object-group network DM_INLINE_NETWORK_14

 network-object object WebSecurityAppliance-Network

 network-object object WebSecurityAppliance-Networkv6

object-group network DM_INLINE_NETWORK_15

 network-object object DataCenter-Networks

 network-object object Branch-Networks

object-group network DM_INLINE_NETWORK_16

 network-object object EmailSecurityManager-Network

 network-object object EmailSecurityManager-Networkv6

object-group network DM_INLINE_NETWORK_17

 network-object object DataCenter-Networks

 network-object object Branch-Networks

object-group network DM_INLINE_NETWORK_18

 network-object object EmailSecurityAppliance-Network

 network-object object EmailSecurityAppliance-Networkv6

object-group network DM_INLINE_NETWORK_19

 network-object object DataCenter-Networks

 network-object object Branch-Networks

object-group service DM_INLINE_SERVICE_2

 service-object tcp-udp destination eq domain

 service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_3

 service-object tcp-udp destination eq domain

 service-object tcp destination eq www

 service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_4

 service-object tcp-udp destination eq domain

 service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_5

 service-object tcp-udp destination eq domain

 service-object tcp destination eq www

 service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_6

 service-object tcp-udp destination eq domain

 service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_7

 service-object tcp-udp destination eq domain

 service-object tcp destination eq smtp

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

access-list Ironport-ESA_IN remark IPv6 Discovery-opperation

access-list Ironport-ESA_IN extended permit object-group ICMP-v6 any6 any6

access-list Ironport-ESA_IN remark Block traffic from DMZ to Internal networks

access-list Ironport-ESA_IN extended deny object-group DM_INLINE_SERVICE_7 object-group 
DM_INLINE_NETWORK_18 object-group DM_INLINE_NETWORK_19

access-list Ironport-ESA_IN remark DNS lookup and Mail to Internet

access-list Ironport-ESA_IN extended permit object-group DM_INLINE_SERVICE_4 object-group 
DM_INLINE_NETWORK_27 any

access-list Ironport-ESA_IN remark Network Time

access-list Ironport-ESA_IN extended permit udp object-group DM_INLINE_NETWORK_13 
object-group NTP-PublicServers eq ntp

access-list Ironport-ESA_IN remark Logging

access-list Ironport-ESA_IN extended permit udp object ESA-IE-1.cisco-irn.com object 
RSA-enVision.cisco-irn.com eq syslog

access-list Ironport-ESA_IN remark Authentication

access-list Ironport-ESA_IN extended permit udp object ESA-IE-1.cisco-irn.com object 
tacacs.cisco-irn.com object-group DM_INLINE_UDP_1

access-list DMZ-WebServers_IN remark IPv6 Discovery-opperation

access-list DMZ-WebServers_IN extended permit object-group ICMP-v6 any6 any6

access-list DMZ-WebServers_IN remark Logging

access-list DMZ-WebServers_IN extended permit udp object DMZ-Networks object 
RSA-enVision.cisco-irn.com eq syslog

access-list DMZ-WebServers_IN remark Authentication

access-list DMZ-WebServers_IN extended permit tcp object DMZ-Networks object 
tacacs.cisco-irn.com eq tacacs

access-list DMZ-WebServers_IN remark Network Time

access-list DMZ-WebServers_IN extended permit udp object DMZ-Networks object-group 
NTP-PublicServers eq ntp

access-list Ironport-ESMA_IN remark IPv6 Discovery-opperation

access-list Ironport-ESMA_IN extended permit object-group ICMP-v6 any6 any6

access-list Ironport-ESMA_IN remark Block traffic from DMZ to Internal networks

access-list Ironport-ESMA_IN extended deny object-group DM_INLINE_SERVICE_6 object-group 
DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_17

access-list Ironport-ESMA_IN remark DNS Lookup and Mail relay

access-list Ironport-ESMA_IN extended permit object-group DM_INLINE_SERVICE_2 object-group 
DM_INLINE_NETWORK_10 any

access-list Ironport-ESMA_IN remark Network Time

access-list Ironport-ESMA_IN extended permit udp object-group DM_INLINE_NETWORK_12 
object-group NTP-PublicServers eq ntp

access-list Ironport-ESMA_IN remark Logging

access-list Ironport-ESMA_IN extended permit udp object ESMA-IE-1.cisco-irn.com object 
RSA-enVision.cisco-irn.com eq syslog

access-list Ironport-ESMA_IN remark Authentication

access-list Ironport-ESMA_IN extended permit udp object ESMA-IE-1.cisco-irn.com object 
tacacs.cisco-irn.com object-group DM_INLINE_UDP_2

access-list INSIDE remark Admin Access to DMZ

access-list INSIDE extended permit tcp object-group Admin-Systems object 
InternetEdge-Networks object-group DM_INLINE_TCP_2

access-list INSIDE remark Manage DMZ Devices

access-list INSIDE extended permit udp object-group DM_INLINE_NETWORK_2 object 
InternetEdge-Networks eq snmp

access-list INSIDE remark Network Time

access-list INSIDE extended permit udp object-group NTP-Servers object-group 
NTP-PublicServers eq ntp

access-list INSIDE remark Allow Access to services for Ironport Apps

access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_22 object-group 
DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_3

access-list INSIDE remark Allow Secure traffic to DMZ

access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_21 object DMZ-VIP-30 
object-group DM_INLINE_TCP_4

access-list INSIDE remark - Block non-secure traffic to DMZ

access-list INSIDE extended deny ip any object InternetEdge-Networks log

access-list INSIDE remark Allow outbound services for Internet

access-list INSIDE extended permit icmp object-group DM_INLINE_NETWORK_23 any object-group 
DM_INLINE_ICMP_1

access-list INSIDE remark General Internet Browsing

access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_24 any object-group 
DM_INLINE_TCP_5

access-list INSIDE remark DNS Services

access-list INSIDE extended permit object-group TCPUDP object ActiveDirectory any eq 
domain

access-list INSIDE remark Drop and Log all other traffic - END-OF-LINE

access-list INSIDE extended deny ip any any log

access-list OUTSIDE remark IPv6 Discovery-opperation

access-list OUTSIDE extended permit object-group ICMP-v6 any6 any6

access-list OUTSIDE remark Allow traffic to DMZ e-commerce Server

access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_1 any object-group 
DM_INLINE_NETWORK_4

access-list OUTSIDE remark Mail to Ironport

access-list OUTSIDE extended permit tcp any object-group DM_INLINE_NETWORK_20 eq smtp

access-list OUTSIDE remark Remote Access SSL VPN

access-list OUTSIDE extended permit tcp any object-group DM_INLINE_NETWORK_5 eq https

access-list OUTSIDE remark Allow traffic from edge routers - RIE-1

access-list OUTSIDE extended permit udp object-group DM_INLINE_NETWORK_25 object 
RSA-enVision.cisco-irn.com eq syslog

access-list OUTSIDE remark Allow traffic from edge routers - RIE-1

access-list OUTSIDE extended permit tcp object-group DM_INLINE_NETWORK_26 object 
tacacs.cisco-irn.com eq tacacs

access-list OUTSIDE remark ====LAB ACCESS to TEST===REMOVE===

access-list OUTSIDE extended permit icmp object-group DM_INLINE_NETWORK_9 object-group 
DM_INLINE_NETWORK_7

access-list OUTSIDE remark ====LAB ACCESS TO TEST===REMOVE====

access-list OUTSIDE extended permit tcp object-group DM_INLINE_NETWORK_8 object-group 
DM_INLINE_NETWORK_3 object-group DM_INLINE_TCP_1

access-list OUTSIDE remark Drop all other traffic

access-list OUTSIDE extended deny ip any any log

access-list Ironport-WSA_IN remark IPv6 Discovery-opperation

access-list Ironport-WSA_IN extended permit object-group ICMP-v6 any6 any6

access-list Ironport-WSA_IN remark Block traffic from DMZ to Internal networks

access-list Ironport-WSA_IN extended deny object-group DM_INLINE_SERVICE_5 object-group 
DM_INLINE_NETWORK_14 object-group DM_INLINE_NETWORK_15

access-list Ironport-WSA_IN remark DNS Lookup, Web Surfing

access-list Ironport-WSA_IN extended permit object-group DM_INLINE_SERVICE_3 object-group 
DM_INLINE_NETWORK_11 any

access-list Ironport-WSA_IN remark Network Time

access-list Ironport-WSA_IN extended permit udp object-group DM_INLINE_NETWORK_1 
object-group NTP-PublicServers eq ntp

access-list Ironport-WSA_IN remark Logging

access-list Ironport-WSA_IN extended permit udp object WSA-IE-1.cisco-irn.com object 
RSA-enVision.cisco-irn.com eq syslog

access-list Ironport-WSA_IN remark Authentication

access-list Ironport-WSA_IN extended permit udp object WSA-IE-1.cisco-irn.com object 
tacacs.cisco-irn.com object-group DM_INLINE_UDP_3

pager lines 24

logging enable

logging standby

logging buffer-size 1048576

logging asdm-buffer-size 512

logging asdm informational

logging host inside 192.168.42.124

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

mtu EmailSecurityAppliance 1500

mtu EmailSecurityMgrAppliance 1500

mtu WebSecurityAppliance 1500

failover

failover lan unit primary

failover lan interface failover Vlan91

failover link statelink Vlan92

failover interface ip failover 192.168.20.13 255.255.255.252 standby 192.168.20.14

failover interface ip statelink 192.168.20.33 255.255.255.252 standby 192.168.20.34

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any DMZ

icmp permit any EmailSecurityAppliance

icmp permit any EmailSecurityMgrAppliance

icmp permit any WebSecurityAppliance

asdm image disk0:/asdm-711.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group INSIDE in interface inside

access-group OUTSIDE in interface outside

access-group DMZ-WebServers_IN in interface DMZ

access-group Ironport-ESA_IN in interface EmailSecurityAppliance

access-group Ironport-ESMA_IN in interface EmailSecurityMgrAppliance

access-group Ironport-WSA_IN in interface WebSecurityAppliance

ipv6 route DMZ 2001:db8:192:20a1::/64 2001:db8:192:20a4::28

ipv6 route outside ::/0 2001:db8:192:22::10

route outside 0.0.0.0 0.0.0.0 192.168.22.10 1

route inside 10.10.0.0 255.255.0.0 192.168.21.1 1

route outside 10.10.0.0 255.255.255.0 192.168.22.10 1

route outside 10.10.3.0 255.255.255.0 192.168.22.11 1

route outside 10.10.4.0 255.255.255.0 192.168.22.12 1

route inside 192.168.0.0 255.255.0.0 192.168.21.1 1

route DMZ 192.168.20.0 255.255.255.248 192.168.20.28 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server COMPLIANCE protocol tacacs+

 reactivation-mode depletion deadtime 15

 max-failed-attempts 5

aaa-server COMPLIANCE (inside) host 192.168.42.131

 key *****

user-identity default-domain LOCAL

aaa authentication enable console COMPLIANCE LOCAL

aaa authentication http console COMPLIANCE LOCAL

aaa authentication ssh console COMPLIANCE LOCAL

aaa authentication serial console COMPLIANCE LOCAL

aaa authorization command COMPLIANCE LOCAL

aaa accounting enable console COMPLIANCE

aaa accounting serial console COMPLIANCE

aaa accounting ssh console COMPLIANCE

aaa accounting command privilege 15 COMPLIANCE

aaa authentication secure-http-client

aaa local authentication attempts max-fail 6

aaa authorization exec authentication-server

http server enable

http server idle-timeout 15

http server session-timeout 15

http 192.168.41.101 255.255.255.255 inside

http 192.168.41.102 255.255.255.255 inside

http 192.168.42.122 255.255.255.255 inside

http 192.168.42.124 255.255.255.255 inside

http 192.168.42.133 255.255.255.255 inside

http 192.168.42.138 255.255.255.255 inside

http 192.168.42.139 255.255.255.255 inside

snmp-server group Authentication&Encryption v3 priv

snmp-server user ciscolms Authentication&Encryption v3 encrypted auth sha 
22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17 priv aes 256 
22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17:14:95:f7:2f:f8:6a:ee:62:d6:03:
7f:db

snmp-server user csmadmin Authentication&Encryption v3 encrypted auth sha 
22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17 priv aes 256 
22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17:14:95:f7:2f:f8:6a:ee:62:d6:03:
7f:db

snmp-server host inside 192.168.42.134 version 3 ciscolms

snmp-server host inside 192.168.42.139 version 3 ciscolms

snmp-server host inside 192.168.42.133 version 3 csmadmin

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

no snmp-server enable

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh scopy enable

ssh 192.168.41.101 255.255.255.255 inside

ssh 192.168.41.102 255.255.255.255 inside

ssh 192.168.42.122 255.255.255.255 inside

ssh 192.168.42.124 255.255.255.255 inside

ssh 192.168.42.133 255.255.255.255 inside

ssh 192.168.42.138 255.255.255.255 inside

ssh 192.168.42.139 255.255.255.255 inside

ssh timeout 15

ssh version 2

console timeout 15

tls-proxy maximum-session 1000

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15

username retail password XgJyMnijuEPQSGoY encrypted privilege 15

username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15

class-map inspection_default

 match default-inspection-traffic

policy-map global_policy

 class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 8

  subscribe-to-alert-group configuration periodic monthly 8

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:3461835c1b952f647c39ea90dc41d8b4

: end

DMZ-ACE-1

ACE1/Admin# sh run

Generating configuration....

logging enable

logging timestamp

logging trap 6

logging buffered 6

logging device-id context-name

logging host 192.168.42.124 udp/514

logging rate-limit 1 120 message 302027

login timeout 15

hostname ACE1

boot system image:c6ace-t1k9-mz.A5_1_2.bin

resource-class Gold

  limit-resource all minimum 0.00 maximum unlimited

  limit-resource conc-connections minimum 10.00 maximum unlimited

  limit-resource sticky minimum 10.00 maximum unlimited

tacacs-server host 192.168.42.131 key 7 "uaxfalkha"

aaa group server tacacs+ COMPLIANCE

  server 192.168.42.131

clock timezone standard PST

clock summer-time standard PDT

aaa authentication login default group COMPLIANCE local

aaa authentication login console group COMPLIANCE local

aaa accounting default group COMPLIANCE local

class-map type management match-any remote-mgmt

  9 match protocol ssh source-address 192.168.41.102 255.255.255.255

  10 match protocol ssh source-address 192.168.42.131 255.255.255.255

  30 match protocol icmp any

  32 match protocol ssh source-address 192.168.41.101 255.255.255.255

  33 match protocol ssh source-address 192.168.42.111 255.255.255.255

  34 match protocol ssh source-address 192.168.42.122 255.255.255.255

  35 match protocol ssh source-address 192.168.42.124 255.255.255.255

  36 match protocol ssh source-address 192.168.42.133 255.255.255.255

  37 match protocol ssh source-address 192.168.42.138 255.255.255.255

policy-map type management first-match remote-access

  class remote-mgmt

    permit

interface vlan 21

  ip address 192.168.21.95 255.255.255.0

  service-policy input remote-access

  no shutdown

ft interface vlan 85

  ip address 192.168.20.9 255.255.255.252

  peer ip address 192.168.20.10 255.255.255.252

  no shutdown

ft peer 1

  heartbeat interval 300

  heartbeat count 10

  ft-interface vlan 85

ft group 11

  peer 1

  priority 110

  peer priority 105

  associate-context Admin

  inservice

domain cisco-irn.com

ip route 0.0.0.0 0.0.0.0 192.168.21.1

context PCI

  allocate-interface vlan 82-83

  allocate-interface vlan 95

ft group 10

  peer 1

  priority 110

  peer priority 105

  associate-context PCI

  inservice

username admin password 5 $1$nCzsvkY0$QKCSN2jtbE8nsgxxeHMKe1  role Admin domain 
default-domain

username www password 5 $1$.4drq4sB$qBpfZsTgtJufI865poqTr1  role Admin domain 
default-domain

username csmadmin password 5 $1$1VYOv92B$VMTmZoUY0NNcYV1paA1eo0  role Admin domain 
default-domain cisco-irn.com

username bmcgloth password 5 $1$IVI7Dovp$tGZ11k6CUpxTAfuI.pAax/  role Admin domain 
default-domain cisco-irn.com

username lmsadmin password 5 $1$vnpXp4FR$KrnWUl8lwQYbyxmcKOGc5.  role Admin domain 
default-domain cisco-irn.com

ssh key rsa 2048 force

ACE1/Admin#

DMZ-ACE-1_PCI

ACE1/PCI# sh run

Generating configuration....

logging enable

logging timestamp

logging buffered 7

logging monitor 7

logging device-id context-name

logging host 192.168.42.124 udp/514

logging rate-limit 1 120 message 302027

login timeout 15

tacacs-server host 192.168.42.131 key 7 "uaxfalkha"

aaa group server tacacs+ COMPLIANCE

  server 192.168.42.131

aaa authentication login default group COMPLIANCE local

aaa authentication login console group COMPLIANCE local

aaa accounting default group COMPLIANCE local

access-list in2out line 10 extended permit ip host 192.168.20.2 any

access-list in2out line 12 extended permit ip host 192.168.20.1 any

access-list in2out line 15 extended deny ip any any

access-list out2in line 10 extended permit tcp any host 192.168.20.1 eq ssh

access-list out2in line 11 extended permit tcp any host 192.168.20.2 eq ssh

access-list out2in line 12 extended permit tcp any host 192.168.20.1 eq https

access-list out2in line 13 extended permit tcp any host 192.168.20.2 eq https

access-list out2in line 14 extended permit icmp any host 192.168.20.1

access-list out2in line 15 extended permit icmp any host 192.168.20.2

access-list out2in line 16 extended deny ip any any

access-list out2in_ipv6 line 8 extended permit icmpv6 anyv6 host 2001:db8:192:20a1::1

access-list out2in_ipv6 line 16 extended permit tcp anyv6 host 2001:db8:192:20a1::1 eq ssh

access-list out2in_ipv6 line 24 extended permit tcp anyv6 host 2001:db8:192:20a1::1 eq 
https

probe icmp ICMP

  interval 2

  faildetect 2

  passdetect count 2

rserver host ECOM

  ip address 192.168.20.2

  inservice

serverfarm host PCI-ECOM

  predictor leastconns

  probe ICMP

  rserver ECOM

    inservice

class-map match-any ECOMVIP

  5 match virtual-address 2001:db8:192:20a1::1 tcp eq 22

  6 match virtual-address 2001:db8:192:20a1::1 tcp eq https

class-map match-any ECOMVIP_v4

  3 match virtual-address 192.168.20.1 tcp eq 22

  4 match virtual-address 192.168.20.1 tcp eq https

class-map type management match-any MANAGEMENT

  7 match protocol icmp any

  8 match protocol ssh source-address 192.168.41.101 255.255.255.255

  9 match protocol ssh source-address 192.168.41.102 255.255.255.255

  10 match protocol ssh source-address 192.168.42.111 255.255.255.255

  11 match protocol ssh source-address 192.168.42.122 255.255.255.255

  12 match protocol ssh source-address 192.168.42.124 255.255.255.255

  13 match protocol ssh source-address 192.168.42.131 255.255.255.255

  14 match protocol ssh source-address 192.168.42.133 255.255.255.255

  15 match protocol ssh source-address 192.168.42.138 255.255.255.255

  16 match protocol ssh source-address 192.168.42.139 255.255.255.255

class-map type management match-all V6-MGMT

  2 match protocol icmpv6 anyv6

policy-map type management first-match MGMT

  class MANAGEMENT

    permit

  class V6-MGMT

    permit

policy-map type loadbalance first-match ECOMPOLICY

  class class-default

    serverfarm PCI-ECOM

    nat dynamic 2 vlan 83 serverfarm primary

    insert-http x-forward-for header-value "%is"

policy-map type loadbalance first-match ECOMPOLICY_v4

  class class-default

    serverfarm PCI-ECOM

policy-map multi-match ECOM_MATCH

  class ECOMVIP

    loadbalance vip inservice

    loadbalance policy ECOMPOLICY

    loadbalance vip icmp-reply active

  class ECOMVIP_v4

    loadbalance vip inservice

    loadbalance policy ECOMPOLICY_v4

    loadbalance vip icmp-reply active

interface vlan 82

  description ACE_outside

  ipv6 enable

  ip address 2001:db8:192:20a4::28/64

  ip address 192.168.20.28 255.255.255.248

  alias 192.168.20.30 255.255.255.248

  peer ip address 192.168.20.29 255.255.255.248

  access-group input out2in

  access-group input out2in_ipv6

  service-policy input ECOM_MATCH

  service-policy input MGMT

  no shutdown

interface vlan 83

  description ACE_inside

  ip address 192.168.20.4 255.255.255.248

  alias 192.168.20.6 255.255.255.248

  peer ip address 192.168.20.5 255.255.255.248

  access-group input in2out

  nat-pool 2 192.168.20.3 192.168.20.3 netmask 255.255.255.248

  no shutdown

domain cisco-irn.com

ip route 0.0.0.0 0.0.0.0 192.168.20.25

ip route ::/0 2001:db8:192:20a4::25

username csmadmin password 5 $1$1VYOv92B$VMTmZoUY0NNcYV1paA1eo0  role Admin domain 
default-domain cisco-irn.com

username bmcgloth password 5 $1$IVI7Dovp$tGZ11k6CUpxTAfuI.pAax/  role Admin domain 
default-domain cisco-irn.com

username lmsadmin password 5 $1$vnpXp4FR$KrnWUl8lwQYbyxmcKOGc5.  role Admin domain 
default-domain cisco-irn.com

ACE1/PCI#

RIE-3

Building configuration...

Current configuration : 14480 bytes

! Last configuration change at 08:57:09 PST Thu Dec 6 2012 by bmcgloth

! NVRAM config last updated at 08:57:11 PST Thu Dec 6 2012 by bmcgloth

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

service counters max age 5

hostname RIE-3

boot-start-marker

boot system flash disk0:/s72033-adventerprisek9-mz.151-1.SY.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 51200

logging cns-events

enable secret 5 <removed>

enable password 7 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

svclc multiple-vlan-interfaces

svclc module 3 vlan-group 21,82,83,85

svclc vlan-group 21  21

svclc vlan-group 82  82

svclc vlan-group 83  83

svclc vlan-group 85  85

firewall multiple-vlan-interfaces

firewall module 7 vlan-group 21,82,200,300

firewall vlan-group 200  22,2305-2307

firewall vlan-group 300  91,92

intrusion-detection module 2 management-port access-vlan 21

intrusion-detection module 2 data-port 1 trunk allowed-vlan 21,83,84,421

clock timezone PST -8

clock summer-time PSTDST recurring

vtp mode transparent

no ip bootp server

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

ipv6 multicast rpf use-bgp

mls netflow interface

no mls acl tcam share-global

mls cef error action freeze

password encryption aes

crypto pki trustpoint TP-self-signed-1014

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1014

 revocation-check none

 rsakeypair TP-self-signed-1014

crypto pki certificate chain TP-self-signed-1014

 certificate self-signed 01

  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  2B312930 27060355 04031320 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31303134 301E170D 31313032 31323030 35393332 5A170D32

  30303130 31303030 3030305A 302B3129 30270603 55040313 20494F53 2D53656C

  662D5369 676E6564 2D436572 74696669 63617465 2D313031 3430819F 300D0609

  2A864886 F70D0101 01050003 818D0030 81890281 8100BD3E 21BA6626 B7F82E4E

  6B794439 27C36926 27B198DA D92E879D A437284D 4076D650 F671EA49 CC7A9DA4

  BC96B207 7807450D A55F5A9B 85CACE8E E9B85199 B84525E5 FBC82F1D 733A1942

  C47E1F87 87E1026B CD22859C 52307096 B3A6EEEB BCCB3C20 7F39EBCF 6729C4FC

  A13306CF 90815A20 CFA00678 E0856486 3BC8BB88 D51D0203 010001A3 73307130

  0F060355 1D130101 FF040530 030101FF 301E0603 551D1104 17301582 13524945

  2D332E63 6973636F 2D69726E 2E636F6D 301F0603 551D2304 18301680 14E7FF36

  6947643E 752F921F 7674D7DE F1370E50 C6301D06 03551D0E 04160414 E7FF3669

  47643E75 2F921F76 74D7DEF1 370E50C6 300D0609 2A864886 F70D0101 04050003

  81810080 3C7C2250 36EB62DD 12772E91 E3A2CB7D 3D175E31 611404A1 947D97EA

  37E4A5B5 8E888072 B765C977 08C0108C 34FD4AE5 D642F10D 839BE779 F6F2E03F

  581EC8E1 012FA710 583A0E9E B97CCFC0 16AB39CE B8E7A5AB E42C38EB 33CD9F4C

  1D9D5666 1EF8DC52 22C084B1 1C33DB38 0C9E2045 6EBD8BCD B779B172 0B5BE8F5 E5D9DB

        quit

no power enable module 4

diagnostic bootup level minimal

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

redundancy

 main-cpu

  auto-sync running-config

 mode sso

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

vlan 21

 name asasm_inside

vlan 22

 name asasm_outside

vlan 82

 name asasm_Loadbalance_top

vlan 83

 name Loadbalance_bottom

vlan 84

 name Servers

vlan 85

 name Loadbalance_sync

vlan 91

 name asasm_failover

vlan 92

 name asasm_statelink

vlan 421

 name ASASM-to-IDSM

vlan 993

 name Management

vlan 995

 name DMZ_Management

vlan 2305

 name asasm_EmailSecurityAppliance

vlan 2306

 name asasm_EmailSecurityMgrAppliance

vlan 2307

 name asasm_WebSecApp

ip ssh version 2

ip scp server enable

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key <removed> address 128.107.147.109

crypto ipsec transform-set to_fred esp-des esp-md5-hmac

 mode tunnel

crypto map myvpn 10 ipsec-isakmp

 set peer 128.107.147.109

 set transform-set to_fred

 match address 101

interface Port-channel99

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface Tunnel0

 ip address 172.26.0.1 255.255.255.0

 tunnel source Vlan21

 tunnel destination 128.107.147.109

interface GigabitEthernet1/1

 description RIE-1 G0/1

 switchport

 switchport access vlan 22

interface GigabitEthernet1/2

 description RIE-2 G0/1

 switchport

 switchport access vlan 22

interface GigabitEthernet1/3

 no ip address

interface GigabitEthernet1/4

 no ip address

interface GigabitEthernet1/5

 description ASA-IE-1 G0

 switchport

 switchport access vlan 21

interface GigabitEthernet1/6

 no ip address

interface GigabitEthernet1/7

 no ip address

interface GigabitEthernet1/8

 no ip address

interface GigabitEthernet1/9

 no ip address

interface GigabitEthernet1/10

 no ip address

interface GigabitEthernet1/11

 no ip address

interface GigabitEthernet1/12

 no ip address

interface GigabitEthernet1/13

 description ESA-IE-1 port M

 switchport

 switchport access vlan 2306

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/14

 description ESA-IE-1 port D1

 switchport

 switchport access vlan 2306

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/15

 description ESA-IE-1 port D2

 switchport

 switchport access vlan 2306

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/16

 description ESA-IE-1 port D3

 switchport

 switchport access vlan 2306

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/17

 description WSA-IE-1 port P1

 no ip address

interface GigabitEthernet1/18

 description WSA-IE-1 port P2

 no ip address

interface GigabitEthernet1/19

 description WSA-IE-1 port T1

 no ip address

interface GigabitEthernet1/20

 description WSA-IE-1 port T2

 no ip address

interface GigabitEthernet1/21

 description ESA-IE-1 port M

 switchport

 switchport access vlan 2305

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/22

 description ESA-IE-1 port D1

 switchport

 switchport access vlan 2305

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/23

 description ESA-IE-1 port D2

 switchport

 switchport access vlan 2305

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/24

 description ESA-IE-1 port D3

 switchport

 switchport access vlan 2305

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/25

 description WSA-IE-1 port M

 switchport

 switchport access vlan 2307

 switchport mode access

 spanning-tree portfast edge

interface GigabitEthernet1/26

 no ip address

interface GigabitEthernet1/27

 no ip address

interface GigabitEthernet1/28

 no ip address

interface GigabitEthernet1/29

 no ip address

interface GigabitEthernet1/30

 no ip address

interface GigabitEthernet1/31

 no ip address

interface GigabitEthernet1/32

 no ip address

interface GigabitEthernet1/33

 no ip address

interface GigabitEthernet1/34

 no ip address

interface GigabitEthernet1/35

 no ip address

interface GigabitEthernet1/36

 no ip address

interface GigabitEthernet1/37

 no ip address

interface GigabitEthernet1/38

 no ip address

interface GigabitEthernet1/39

 no ip address

interface GigabitEthernet1/40

 no ip address

interface GigabitEthernet1/41

 no ip address

interface GigabitEthernet1/42

 no ip address

interface GigabitEthernet1/43

 no ip address

interface GigabitEthernet1/44

 no ip address

interface GigabitEthernet1/45

 no ip address

interface GigabitEthernet1/46

 no ip address

interface GigabitEthernet1/47

 description UPLINK from SIE-1

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet1/48

 description UPLINK from SIE-2

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet5/1

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 channel-group 99 mode active

interface GigabitEthernet5/2

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 channel-group 99 mode active

interface Vlan1

 no ip address

interface Vlan21

 description RIE-3 Management

 ip address 192.168.21.91 255.255.255.0

 crypto map myvpn

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 192.168.21.10

ip route 10.10.0.0 255.255.0.0 192.168.21.1

ip route 10.10.0.0 255.255.252.0 192.168.21.10

ip route 10.10.192.0 255.255.240.0 172.26.0.2

ip route 192.168.0.0 255.255.0.0 192.168.21.1

ip route 192.168.23.0 255.255.255.0 192.168.21.10

ip tacacs source-interface Vlan21

logging trap debugging

logging source-interface Vlan21

logging host 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 192.168.42.139 log

access-list 23 permit 10.19.151.104 log

access-list 23 permit 10.19.151.102 log

access-list 23 permit 10.19.151.103 log

access-list 23 permit 10.19.151.100 log

access-list 23 permit 10.19.151.101 log

access-list 23 permit 10.19.151.98 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.122 log

access-list 88 deny   any log

access-list 101 permit gre host 192.168.21.91 host 128.107.147.109

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  23

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps hsrp

snmp-server enable traps mac-notification move threshold change

snmp-server enable traps ipsla

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 <removed>

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

dial-peer cor custom

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

scheduler allocate 20000 1000

ntp source Vlan21

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

Branch

Large Branch

R-A2-LRG-1

! Last configuration change at 00:54:49 PST Sat Apr 30 2011 by retail

! NVRAM config last updated at 00:54:49 PST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname R-A2-Lrg-1

boot-start-marker

boot system flash0 c3900-universalk9-mz.SPA.151-3.T.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-72006796

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-72006796

 revocation-check none

crypto pki certificate chain TP-self-signed-72006796

 certificate self-signed 03

  <removed>

  	quit

no ipv6 cef

no ip source-route

ip cef

ip multicast-routing

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip port-map user-8443 port tcp 8443

ip inspect log drop-pkt

ip inspect audit-trail

ip ips config location flash0: retries 1 timeout 1

ip ips name Store-IPS

ip ips signature-category

  category all

   retired true

  category ios_ips default

   retired false

ip wccp 61

ip wccp 62

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

parameter-map type inspect global

 WAAS enable

parameter-map type inspect Inspect-1

 audit-trail on

parameter-map type trend-global trend-glob-map

password encryption aes

voice-card 0

license udi pid C3900-SPE150/K9 sn <removed>

hw-module pvdm 0/0

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

object-group network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 udp eq 5246

 udp eq 5247

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 tcp eq 4050

object-group network EMC-NCM

 description EMC Network Configuration Manager

 host 192.168.42.122

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 host 192.168.42.124

object-group network CSM_INLINE_dst_rule_81604380995

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object EMC-NCM

 group-object RSA-enVision

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 host 192.168.42.131

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 host 192.168.42.137

object-group network NAC-1

 description ISE server for NAC

 host 192.168.42.111

object-group network CSM_INLINE_dst_rule_81604381001

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object ActiveDirectory.cisco-irn.com

 group-object TACACS

 group-object RSA-AM

 group-object NAC-1

object-group network NAC-2

 host 192.168.42.112

object-group network CSM_INLINE_dst_rule_81604381037

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network DC-ALL

 description All of the Data Center

 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_81604381039

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network WCSManager

 description Wireless Manager

 host 192.168.43.135

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 host 192.168.43.21

 host 192.168.43.22

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 host 192.168.43.31

 host 192.168.43.32

object-group network CSM_INLINE_dst_rule_81604381045

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 host 192.168.44.111

object-group network MSP-DC-1

 description Data Center VSOM

 host 192.168.44.121

object-group network CSM_INLINE_dst_rule_81604381049

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_81604381059

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381067

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381071

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381150

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_dst_rule_81604381152

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network DC-Admin

 description DC Admin Systems

 host 192.168.41.101

 host 192.168.41.102

object-group network CSManager

 description Cisco Security Manager

 host 192.168.42.133

object-group network CSM_INLINE_src_rule_81604380993

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object EMC-NCM

 group-object CSManager

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_81604381021

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381023

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381041

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_81604381043

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_81604381047

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 host 192.168.48.10

 host 192.168.49.10

 host 192.168.47.11

 host 192.168.47.12

object-group network CSM_INLINE_src_rule_81604381051

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-WAAS

object-group network CSM_INLINE_src_rule_81604381150

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_src_rule_81604381152

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group service CSM_INLINE_svc_rule_81604380993

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

object-group service CSM_INLINE_svc_rule_81604380995

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq syslog

 udp eq snmp

 udp eq snmptrap

object-group service CSM_INLINE_svc_rule_81604381001

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq tacacs

 udp eq 1812

 udp eq 1813

 tcp eq 389

 tcp eq 636

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 tcp eq 5989

 tcp eq 8000

 tcp eq 902

 tcp eq 903

object-group service CSM_INLINE_svc_rule_81604381003

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq 22

 group-object vCenter-to-ESX4

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 udp eq 427

 tcp eq 427

object-group service CSM_INLINE_svc_rule_81604381005

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 tcp range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 tcp eq 7001

 tcp eq 7002

 tcp eq 1521

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 tcp eq 2809

 tcp eq 9443

 tcp eq 1414

object-group service ORACLE-OAS

 description OAS uses one port for HTTP and RMI - 12601.

 tcp eq 12601

object-group service CSM_INLINE_svc_rule_81604381009

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_81604381011

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service HTTPS-8443

 tcp eq 8443

object-group service CSM_INLINE_svc_rule_81604381013

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381015

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service TOMAX-8990

 description Tomax Application Port

 tcp eq 8990

object-group service CSM_INLINE_svc_rule_81604381017

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service CSM_INLINE_svc_rule_81604381019

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service ICMP-Requests

 description ICMP requests

 icmp information-request

 icmp mask-request

 icmp timestamp-request

object-group service CSM_INLINE_svc_rule_81604381021

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381023

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381025

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service CSM_INLINE_svc_rule_81604381027

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381029

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

udp

 tcp eq 443

object-group service DNS-Resolving

 description Domain Name Server

 tcp eq domain

 udp eq domain

object-group service CSM_INLINE_svc_rule_81604381035

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq bootps

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_81604381037

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381039

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service CSM_INLINE_svc_rule_81604381041

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 udp eq 12222

 udp eq 12223

object-group service TFTP

 description Trivial File Transfer

 tcp eq 69

 udp eq tftp

object-group service IP-Protocol-97

 description IP protocol 97

object-group service CSM_INLINE_svc_rule_81604381043

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq www

 tcp eq 22

 tcp eq telnet

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object TFTP

 group-object IP-Protocol-97

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 udp eq 16666

 udp eq 16667

object-group service CSM_INLINE_svc_rule_81604381045

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object Cisco-Mobility

 group-object IP-Protocol-97

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 tcp eq 445

object-group service CSM_INLINE_svc_rule_81604381051

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381053

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381055

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381057

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp

 tcp-udp eq 5060

 tcp eq 2000

 tcp eq www

 tcp eq 443

 group-object TFTP

object-group service CSM_INLINE_svc_rule_81604381059

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp-udp eq 5060

 tcp eq 2000

object-group service CSM_INLINE_svc_rule_81604381061

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381063

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service Netbios

 description Netbios Servers

 udp eq netbios-dgm

 udp eq netbios-ns

 tcp eq 139

object-group service ORACLE-SIM

 description Oracle Store Inventory Management

 tcp eq 7777

 tcp eq 6003

 tcp range 12401 12500

object-group service RDP

 description Windows Remote Desktop

 tcp eq 3389

object-group service Workbrain

 tcp eq 8444

object-group service CSM_INLINE_svc_rule_81604381065

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq ftp

 tcp eq www

 tcp eq 443

 udp eq 88

 tcp-udp eq 42

 group-object Microsoft-DS-SMB

 group-object Netbios

 group-object ORACLE-SIM

 group-object RDP

 group-object Workbrain

object-group network DC-Applications

 description Applications in the Data Center that are non-PCI related(Optimized by 
CS-Manager)

 192.168.180.0 255.255.254.0

object-group network DC-Voice

 description Data Center Voice

 192.168.45.0 255.255.255.0

object-group network MS-Update

 description Windows Update Server

 host 192.168.42.150

object-group network MSExchange

 description Mail Server

 host 192.168.42.140

object-group service NTP

 description NTP Protocols

 tcp eq 123

 udp eq ntp

object-group network NTP-Servers

 description NTP Servers

 host 192.168.62.161

 host 162.168.62.162

object-group network STORE-POS

 10.10.0.0 255.255.0.0

object-group network vSphere-1

 description vSphere server for Lab

 host 192.168.41.102

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

redundancy

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7

 match protocol http

 match protocol https

 match protocol microsoft-ds

 match protocol ms-sql

 match protocol ms-sql-m

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol oracle

 match protocol oracle-em-vp

 match protocol oraclenames

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_10

 match access-group name CSM_ZBF_CMAP_ACL_10

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4

 match protocol http

 match protocol https

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_23

 match access-group name CSM_ZBF_CMAP_ACL_23

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17

 match protocol http

 match protocol https

 match protocol imap3

 match protocol pop3

 match protocol pop3s

 match protocol smtp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_32

 match access-group name CSM_ZBF_CMAP_ACL_32

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-all CSM_ZBF_CLASS_MAP_11

 match access-group name CSM_ZBF_CMAP_ACL_11

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14

 match protocol http

 match protocol https

 match protocol user-8443

class-map type inspect match-all CSM_ZBF_CLASS_MAP_22

 match access-group name CSM_ZBF_CMAP_ACL_22

 match class-map CSM_ZBF_CMAP_PLMAP_14

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol ftp

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_33

 match access-group name CSM_ZBF_CMAP_ACL_33

 match class-map CSM_ZBF_CMAP_PLMAP_20

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tftp

 match protocol http

 match protocol https

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_12

 match access-group name CSM_ZBF_CMAP_ACL_12

 match class-map CSM_ZBF_CMAP_PLMAP_8

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13

 match protocol https

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_21

 match access-group name CSM_ZBF_CMAP_ACL_21

 match class-map CSM_ZBF_CMAP_PLMAP_13

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19

 match protocol http

 match protocol https

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_30

 match access-group name CSM_ZBF_CMAP_ACL_30

 match class-map CSM_ZBF_CMAP_PLMAP_19

class-map type inspect match-all CSM_ZBF_CLASS_MAP_13

 match access-group name CSM_ZBF_CMAP_ACL_13

class-map type inspect match-all CSM_ZBF_CLASS_MAP_20

 match access-group name CSM_ZBF_CMAP_ACL_20

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18

 match protocol http

 match protocol https

 match protocol udp

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_31

 match access-group name CSM_ZBF_CMAP_ACL_31

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map match-all BRANCH-BULK-DATA

 match protocol tftp

 match protocol nfs

 match access-group name BULK-DATA-APPS

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_14

 match access-group name CSM_ZBF_CMAP_ACL_14

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_27

 match access-group name CSM_ZBF_CMAP_ACL_27

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_36

 match access-group name CSM_ZBF_CMAP_ACL_36

class-map type inspect match-all CSM_ZBF_CLASS_MAP_15

 match access-group name CSM_ZBF_CMAP_ACL_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_26

 match access-group name CSM_ZBF_CMAP_ACL_26

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21

 match protocol tcp

 match protocol udp

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_37

 match access-group name CSM_ZBF_CMAP_ACL_37

 match class-map CSM_ZBF_CMAP_PLMAP_21

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9

 match protocol syslog

 match protocol syslog-conn

 match protocol snmp

 match protocol snmptrap

class-map type inspect match-all CSM_ZBF_CLASS_MAP_16

 match access-group name CSM_ZBF_CMAP_ACL_16

 match class-map CSM_ZBF_CMAP_PLMAP_9

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16

 match protocol http

 match protocol https

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_25

 match access-group name CSM_ZBF_CMAP_ACL_25

 match class-map CSM_ZBF_CMAP_PLMAP_16

class-map type inspect match-all CSM_ZBF_CLASS_MAP_34

 match access-group name CSM_ZBF_CMAP_ACL_34

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10

 match protocol ldaps

 match protocol ldap

 match protocol ldap-admin

 match protocol radius

 match protocol tacacs

 match protocol tacacs-ds

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_17

 match access-group name CSM_ZBF_CMAP_ACL_17

 match class-map CSM_ZBF_CMAP_PLMAP_10

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15

 match protocol http

 match protocol https

 match protocol netbios-ns

 match protocol netbios-dgm

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_24

 match access-group name CSM_ZBF_CMAP_ACL_24

 match class-map CSM_ZBF_CMAP_PLMAP_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_35

 match access-group name CSM_ZBF_CMAP_ACL_35

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11

 match protocol ntp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_18

 match access-group name CSM_ZBF_CMAP_ACL_18

 match class-map CSM_ZBF_CMAP_PLMAP_11

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12

 match protocol bootpc

 match protocol bootps

 match protocol udp

 match protocol tcp

 match protocol dns

 match protocol dhcp-failover

class-map type inspect match-all CSM_ZBF_CLASS_MAP_19

 match access-group name CSM_ZBF_CMAP_ACL_19

 match class-map CSM_ZBF_CMAP_PLMAP_12

class-map type inspect match-all CSM_ZBF_CLASS_MAP_29

 match access-group name CSM_ZBF_CMAP_ACL_29

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_38

 match access-group name CSM_ZBF_CMAP_ACL_38

 match class-map CSM_ZBF_CMAP_PLMAP_22

class-map type inspect match-all CSM_ZBF_CLASS_MAP_28

 match access-group name CSM_ZBF_CMAP_ACL_28

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1

 match protocol https

 match protocol ssh

class-map type inspect match-all CSM_ZBF_CLASS_MAP_1

 match access-group name CSM_ZBF_CMAP_ACL_1

 match class-map CSM_ZBF_CMAP_PLMAP_1

class-map type inspect match-all CSM_ZBF_CLASS_MAP_3

 match access-group name CSM_ZBF_CMAP_ACL_3

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2

 match protocol https

 match protocol http

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_2

 match access-group name CSM_ZBF_CMAP_ACL_2

 match class-map CSM_ZBF_CMAP_PLMAP_2

class-map type inspect match-all CSM_ZBF_CLASS_MAP_5

 match access-group name CSM_ZBF_CMAP_ACL_5

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3

 match protocol http

 match protocol https

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

 match access-group name CSM_ZBF_CMAP_ACL_4

 match class-map CSM_ZBF_CMAP_PLMAP_3

class-map type inspect match-all CSM_ZBF_CLASS_MAP_7

 match access-group name CSM_ZBF_CMAP_ACL_7

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_6

 match access-group name CSM_ZBF_CMAP_ACL_6

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_9

 match access-group name CSM_ZBF_CMAP_ACL_9

 match protocol tcp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6

 match protocol http

 match protocol https

 match protocol ssh

 match protocol telnet

 match protocol tftp

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_8

 match access-group name CSM_ZBF_CMAP_ACL_8

 match class-map CSM_ZBF_CMAP_PLMAP_6

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol citrix

 match protocol ldap

 match protocol telnet

 match protocol sqlnet

 match protocol http url "*SalesReport*"

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol snmp

 match protocol syslog

 match protocol dns

 match protocol icmp

 match protocol ssh

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

 match protocol gnutella

 match protocol fasttrack

 match protocol kazaa2

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map BRANCH-LAN-EDGE-OUT

 class class-default

policy-map BRANCH-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 12

  random-detect dscp-based

 class BULK-DATA

  bandwidth percent 4

  random-detect dscp-based

 class SCAVENGER

  bandwidth percent 1

 class class-default

  bandwidth percent 25

  random-detect

policy-map type inspect CSM_ZBF_POLICY_MAP_18

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_19

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_16

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_23

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_25

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_36

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_37

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_17

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_24

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_24

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_34

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_35

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_14

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_27

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_15

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_21

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_26

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_38

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_12

 class type inspect CSM_ZBF_CLASS_MAP_15

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_21

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_13

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_20

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_10

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_23

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_31

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_33

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_11

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_22

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_9

 class type inspect CSM_ZBF_CLASS_MAP_13

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_8

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_12

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_7

 class type inspect CSM_ZBF_CLASS_MAP_9

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_10

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_11

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_6

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_5

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_8

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_4

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_7

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_3

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_5

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_2

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_4

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_1

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_2

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop

policy-map BRANCH-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

zone security S_WAN

 description Store WAN Link

zone security S_R-2-R

 description Bridge link between routers

zone security LOOPBACK

 description Loopback interface

zone security S_MGMT

 description VLAN1000 Management

zone security S_Security

 description VLAN20 Physical Security Systems

zone security S_WAAS

 description VLAN19 WAAS optimization

zone security S_WLC-AP

 description VLAN18 Wireless Systems

zone security S_Data

 description VLAN12 Store Data

zone security S_Data-W

 description VLAN14 Store Wireless Data

zone security S_Guest

 description VLAN17 Guest/Public Wireless

zone security S_Voice

 description VLAN13 Store Voice

zone security S_Partners

 description VLAN16 Partner network

zone security S_POS

 description VLAN 11 POS Data

zone security S_POS-W

 description VLAN15 Store Wireless POS

zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_8

zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self

 service-policy type inspect CSM_ZBF_POLICY_MAP_9

zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_11

zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_12

zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_22

zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_26

zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_27

interface Loopback0

 ip address 10.10.110.1 255.255.255.255

 ip pim sparse-dense-mode

 zone-member security LOOPBACK

interface GigabitEthernet0/0

 description ROUTER LINK TO SWITCH

 no ip address

 duplex auto

 speed auto

interface GigabitEthernet0/0.11

 description POS

 encapsulation dot1Q 11

 ip address 10.10.96.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip helper-address 192.168.42.111

 ip pim sparse-dense-mode

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS

 standby 11 ip 10.10.96.1

 standby 11 priority 101

 standby 11 preempt

 ip igmp query-interval 125

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.12

 description DATA

 encapsulation dot1Q 12

 ip address 10.10.97.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip wccp 61 redirect in

 ip pim sparse-dense-mode

 zone-member security S_Data

 standby 12 ip 10.10.97.1

 standby 12 priority 101

 standby 12 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.13

 description VOICE

 encapsulation dot1Q 13

 ip address 10.10.98.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Voice

 standby 13 ip 10.10.98.1

 standby 13 priority 101

 standby 13 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.14

 description WIRELESS

 encapsulation dot1Q 14

 ip address 10.10.99.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Data-W

 standby 14 ip 10.10.99.1

 standby 14 priority 101

 standby 14 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.15

 description WIRELESS-POS

 encapsulation dot1Q 15

 ip address 10.10.100.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS-W

 standby 15 ip 10.10.100.1

 standby 15 priority 101

 standby 15 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.16

 description PARTNER

 encapsulation dot1Q 16

 ip address 10.10.101.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Partners

 standby 16 ip 10.10.101.1

 standby 16 priority 101

 standby 16 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.17

 description WIRELESS-GUEST

 encapsulation dot1Q 17

 ip address 10.10.102.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Guest

 standby 17 ip 10.10.102.1

 standby 17 priority 101

 standby 17 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.18

 description WIRELESS-CONTROL

 encapsulation dot1Q 18

 ip address 10.10.103.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WLC-AP

 standby 18 ip 10.10.103.1

 standby 18 priority 101

 standby 18 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.19

 description WAAS

 encapsulation dot1Q 19

 ip address 10.10.104.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WAAS

 standby 19 ip 10.10.104.1

 standby 19 priority 101

 standby 19 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.20

 description SECURITY-SYSTEMS

 encapsulation dot1Q 20

 ip address 10.10.105.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Security

 standby 20 ip 10.10.105.1

 standby 20 priority 101

 standby 20 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.102

 description ROUTER LINK TO

 encapsulation dot1Q 102

 ip address 10.10.110.29 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

 service-policy input BRANCH-LAN-EDGE-IN

interface GigabitEthernet0/0.1000

 description MANAGEMENT

 encapsulation dot1Q 1000

 ip address 10.10.111.2 255.255.255.0

 zone-member security S_MGMT

 standby 100 ip 10.10.111.1

 standby 100 priority 101

 standby 100 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1

 no ip address

 duplex auto

 speed auto

interface GigabitEthernet0/1.101

 description ROUTER LINK TO

 encapsulation dot1Q 101

 ip address 10.10.110.25 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

 service-policy input BRANCH-LAN-EDGE-IN

interface GigabitEthernet0/2

 ip address 10.10.255.96 255.255.255.0

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

router ospf 5

 router-id 10.10.110.1

 redistribute connected subnets

 passive-interface default

 no passive-interface GigabitEthernet0/0.102

 no passive-interface GigabitEthernet0/1.101

 network 10.10.0.0 0.0.255.255 area 10

 default-information originate

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 10.10.255.11

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended CSM_ZBF_CMAP_ACL_1

 remark Data Center Mgmt to Devices

 permit object-group CSM_INLINE_svc_rule_81604380993 object-group 
CSM_INLINE_src_rule_81604380993 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_10

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle 
object-group STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group 
STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax 
object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_11

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381021 object-group 
CSM_INLINE_src_rule_81604381021 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_12

 remark Data Center VOICE (wired and Wireless)

 permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_13

 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group 
CSM_INLINE_dst_rule_81604381150

ip access-list extended CSM_ZBF_CMAP_ACL_14

 remark Store WAAS to Clients and Servers

 permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_15

 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group 
CSM_INLINE_dst_rule_81604381152

ip access-list extended CSM_ZBF_CMAP_ACL_16

 remark Syslog and SNMP Alerts

 permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604380995

ip access-list extended CSM_ZBF_CMAP_ACL_17

 remark Store to Data Center Authentications

 permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381001

ip access-list extended CSM_ZBF_CMAP_ACL_18

 remark Store to Data Center for NTP

 permit object-group NTP object-group Stores-ALL object-group NTP-Servers

ip access-list extended CSM_ZBF_CMAP_ACL_19

 remark Store to Data Center for DHCP and DNS

 permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group 
ActiveDirectory.cisco-irn.com

ip access-list extended CSM_ZBF_CMAP_ACL_2

 remark Data Center subscribe to IPS SDEE events

 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443

ip access-list extended CSM_ZBF_CMAP_ACL_20

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381039

ip access-list extended CSM_ZBF_CMAP_ACL_21

 remark Store UCS E-series server to Data Center vShphere

 permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group 
vSphere-1

ip access-list extended CSM_ZBF_CMAP_ACL_22

 remark Store NAC

 permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381037

ip access-list extended CSM_ZBF_CMAP_ACL_23

 remark Store to Data Center Physical Security

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049

ip access-list extended CSM_ZBF_CMAP_ACL_24

 remark Store WAAS (WAAS Devices need their own zone)

 permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group 
DC-WAAS

ip access-list extended CSM_ZBF_CMAP_ACL_25

 remark Store to Data Center wireless controller traffic

 permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381045

ip access-list extended CSM_ZBF_CMAP_ACL_26

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group 
DC-POS-Oracle

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group 
DC-POS-SAP

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group 
DC-POS-Tomax

ip access-list extended CSM_ZBF_CMAP_ACL_27

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381023 object-group 
CSM_INLINE_src_rule_81604381023 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_28

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_29

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_3

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381041 object-group 
CSM_INLINE_src_rule_81604381041 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_30

 remark Permit POS clients to talk to store POS server

 permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group 
STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_31

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_32

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_33

 remark Store DATA (wired and Wireless - Access to DC Other applications)

 permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group 
DC-Applications

ip access-list extended CSM_ZBF_CMAP_ACL_34

 remark Store GUEST - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071

ip access-list extended CSM_ZBF_CMAP_ACL_35

 remark Store GUEST (access to internet/DMZ web servers)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_36

 remark Store PARTNERS - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067

ip access-list extended CSM_ZBF_CMAP_ACL_37

 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_38

 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)

 permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381059

ip access-list extended CSM_ZBF_CMAP_ACL_4

 remark Data Center vSphere to UCS E-series server

 permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_5

 remark Data Center to Store Physical Security

 permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_6

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_7

 remark Data Center WAAS to Store

 permit object-group CSM_INLINE_svc_rule_81604381051 object-group 
CSM_INLINE_src_rule_81604381051 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_8

 remark Data Center Wireless Control to AP's and Controllers in stores

 permit object-group CSM_INLINE_svc_rule_81604381043 object-group 
CSM_INLINE_src_rule_81604381043 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_9

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group STORE-POS

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip any 192.168.52.0 0.0.0.255

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444

 remark --Large store Clock Server to CUAE

 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000

 remark ---LiteScape Application---

 permit ip any host 192.168.46.82

 permit ip any 239.192.0.0 0.0.0.255

 permit ip any host 239.255.255.250

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp any 192.168.46.0 0.0.0.255 eq 7777

 permit tcp any 192.168.46.0 0.0.0.255 eq 6003

 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

nls resp-timeout 1

cpd cr-id 1

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps flash insertion removal

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps ipsla

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server domain-stripping

tacacs-server key 7 <removed>

control-plane

mgcp profile default

gatekeeper

 shutdown

banner exec C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 login authentication RETAIL

 no exec

 transport preferred none

 transport output none

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

scheduler allocate 20000 1000

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

R-A2-LRG-2

! Last configuration change at 00:59:26 PST Sat Apr 30 2011 by retail

! NVRAM config last updated at 01:00:56 PST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname R-A2-Lrg-2

boot-start-marker

boot system flash0 c3900-universalk9-mz.SPA.151-3.T.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-660084654

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-660084654

 revocation-check none

 rsakeypair TP-self-signed-660084654

crypto pki certificate chain TP-self-signed-660084654

 certificate self-signed 01

  <removed>

  	quit

no ipv6 cef

no ip source-route

ip cef

ip multicast-routing

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip port-map user-8443 port tcp 8443

ip inspect log drop-pkt

ip inspect audit-trail

ip ips config location flash0: retries 1 timeout 1

ip ips name Store-IPS

ip ips signature-category

  category all

   retired true

  category ios_ips default

   retired false

ip wccp 61

ip wccp 62

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

parameter-map type inspect global

 WAAS enable

parameter-map type inspect Inspect-1

 audit-trail on

parameter-map type trend-global trend-glob-map

password encryption aes

voice-card 0

license udi pid C3900-SPE150/K9 sn <removed>

hw-module pvdm 0/0

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

object-group network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 udp eq 5246

 udp eq 5247

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 tcp eq 4050

object-group network EMC-NCM

 description EMC Network Configuration Manager

 host 192.168.42.122

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 host 192.168.42.124

object-group network CSM_INLINE_dst_rule_81604380995

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object EMC-NCM

 group-object RSA-enVision

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 host 192.168.42.131

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 host 192.168.42.137

object-group network NAC-1

 description ISE server for NAC

 host 192.168.42.111

object-group network CSM_INLINE_dst_rule_81604381001

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object ActiveDirectory.cisco-irn.com

 group-object TACACS

 group-object RSA-AM

 group-object NAC-1

object-group network NAC-2

 host 192.168.42.112

object-group network CSM_INLINE_dst_rule_81604381037

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network DC-ALL

 description All of the Data Center

 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_81604381039

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network WCSManager

 description Wireless Manager

 host 192.168.43.135

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 host 192.168.43.21

 host 192.168.43.22

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 host 192.168.43.31

 host 192.168.43.32

object-group network CSM_INLINE_dst_rule_81604381045

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 host 192.168.44.111

object-group network MSP-DC-1

 description Data Center VSOM

 host 192.168.44.121

object-group network CSM_INLINE_dst_rule_81604381049

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_81604381059

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381067

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381071

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381150

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_dst_rule_81604381152

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network DC-Admin

 description DC Admin Systems

 host 192.168.41.101

 host 192.168.41.102

object-group network CSManager

 description Cisco Security Manager

 host 192.168.42.133

object-group network CSM_INLINE_src_rule_81604380993

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object EMC-NCM

 group-object CSManager

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_81604381021

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381023

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381041

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_81604381043

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_81604381047

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 host 192.168.48.10

 host 192.168.49.10

 host 192.168.47.11

 host 192.168.47.12

object-group network CSM_INLINE_src_rule_81604381051

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-WAAS

object-group network CSM_INLINE_src_rule_81604381150

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_src_rule_81604381152

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group service CSM_INLINE_svc_rule_81604380993

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

object-group service CSM_INLINE_svc_rule_81604380995

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq syslog

 udp eq snmp

 udp eq snmptrap

object-group service CSM_INLINE_svc_rule_81604381001

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq tacacs

 udp eq 1812

 udp eq 1813

 tcp eq 389

 tcp eq 636

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 tcp eq 5989

 tcp eq 8000

 tcp eq 902

 tcp eq 903

object-group service CSM_INLINE_svc_rule_81604381003

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq 22

 group-object vCenter-to-ESX4

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 udp eq 427

 tcp eq 427

object-group service CSM_INLINE_svc_rule_81604381005

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 tcp range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 tcp eq 7001

 tcp eq 7002

 tcp eq 1521

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 tcp eq 2809

 tcp eq 9443

 tcp eq 1414

object-group service ORACLE-OAS

 description OAS uses one port for HTTP and RMI - 12601.

 tcp eq 12601

object-group service CSM_INLINE_svc_rule_81604381009

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_81604381011

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service HTTPS-8443

 tcp eq 8443

object-group service CSM_INLINE_svc_rule_81604381013

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381015

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service TOMAX-8990

 description Tomax Application Port

 tcp eq 8990

object-group service CSM_INLINE_svc_rule_81604381017

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service CSM_INLINE_svc_rule_81604381019

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service ICMP-Requests

 description ICMP requests

 icmp information-request

 icmp mask-request

 icmp timestamp-request

object-group service CSM_INLINE_svc_rule_81604381021

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381023

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381025

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service CSM_INLINE_svc_rule_81604381027

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381029

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

udp

 tcp eq 443

object-group service DNS-Resolving

 description Domain Name Server

 tcp eq domain

 udp eq domain

object-group service CSM_INLINE_svc_rule_81604381035

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq bootps

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_81604381037

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381039

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service CSM_INLINE_svc_rule_81604381041

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 udp eq 12222

 udp eq 12223

object-group service TFTP

 description Trivial File Transfer

 tcp eq 69

 udp eq tftp

object-group service IP-Protocol-97

 description IP protocol 97

object-group service CSM_INLINE_svc_rule_81604381043

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq www

 tcp eq 22

 tcp eq telnet

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object TFTP

 group-object IP-Protocol-97

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 udp eq 16666

 udp eq 16667

object-group service CSM_INLINE_svc_rule_81604381045

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object Cisco-Mobility

 group-object IP-Protocol-97

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 tcp eq 445

object-group service CSM_INLINE_svc_rule_81604381051

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381053

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381055

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381057

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp

 tcp-udp eq 5060

 tcp eq 2000

 tcp eq www

 tcp eq 443

 group-object TFTP

object-group service CSM_INLINE_svc_rule_81604381059

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp-udp eq 5060

 tcp eq 2000

object-group service CSM_INLINE_svc_rule_81604381061

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381063

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service Netbios

 description Netbios Servers

 udp eq netbios-dgm

 udp eq netbios-ns

 tcp eq 139

object-group service ORACLE-SIM

 description Oracle Store Inventory Management

 tcp eq 7777

 tcp eq 6003

 tcp range 12401 12500

object-group service RDP

 description Windows Remote Desktop

 tcp eq 3389

object-group service Workbrain

 tcp eq 8444

object-group service CSM_INLINE_svc_rule_81604381065

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq ftp

 tcp eq www

 tcp eq 443

 udp eq 88

 tcp-udp eq 42

 group-object Microsoft-DS-SMB

 group-object Netbios

 group-object ORACLE-SIM

 group-object RDP

 group-object Workbrain

object-group network DC-Applications

 description Applications in the Data Center that are non-PCI related(Optimized by 
CS-Manager)

 192.168.180.0 255.255.254.0

object-group network DC-Voice

 description Data Center Voice

 192.168.45.0 255.255.255.0

object-group network MS-Update

 description Windows Update Server

 host 192.168.42.150

object-group network MSExchange

 description Mail Server

 host 192.168.42.140

object-group service NTP

 description NTP Protocols

 tcp eq 123

 udp eq ntp

object-group network NTP-Servers

 description NTP Servers

 host 192.168.62.161

 host 162.168.62.162

object-group network STORE-POS

 10.10.0.0 255.255.0.0

object-group network vSphere-1

 description vSphere server for Lab

 host 192.168.41.102

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

redundancy

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7

 match protocol http

 match protocol https

 match protocol microsoft-ds

 match protocol ms-sql

 match protocol ms-sql-m

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol oracle

 match protocol oracle-em-vp

 match protocol oraclenames

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_10

 match access-group name CSM_ZBF_CMAP_ACL_10

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4

 match protocol http

 match protocol https

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_23

 match access-group name CSM_ZBF_CMAP_ACL_23

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17

 match protocol http

 match protocol https

 match protocol imap3

 match protocol pop3

 match protocol pop3s

 match protocol smtp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_32

 match access-group name CSM_ZBF_CMAP_ACL_32

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-all CSM_ZBF_CLASS_MAP_11

 match access-group name CSM_ZBF_CMAP_ACL_11

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14

 match protocol http

 match protocol https

 match protocol user-8443

class-map type inspect match-all CSM_ZBF_CLASS_MAP_22

 match access-group name CSM_ZBF_CMAP_ACL_22

 match class-map CSM_ZBF_CMAP_PLMAP_14

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol ftp

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_33

 match access-group name CSM_ZBF_CMAP_ACL_33

 match class-map CSM_ZBF_CMAP_PLMAP_20

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tftp

 match protocol http

 match protocol https

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_12

 match access-group name CSM_ZBF_CMAP_ACL_12

 match class-map CSM_ZBF_CMAP_PLMAP_8

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13

 match protocol https

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_21

 match access-group name CSM_ZBF_CMAP_ACL_21

 match class-map CSM_ZBF_CMAP_PLMAP_13

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19

 match protocol http

 match protocol https

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_30

 match access-group name CSM_ZBF_CMAP_ACL_30

 match class-map CSM_ZBF_CMAP_PLMAP_19

class-map type inspect match-all CSM_ZBF_CLASS_MAP_13

 match access-group name CSM_ZBF_CMAP_ACL_13

class-map type inspect match-all CSM_ZBF_CLASS_MAP_20

 match access-group name CSM_ZBF_CMAP_ACL_20

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18

 match protocol http

 match protocol https

 match protocol udp

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_31

 match access-group name CSM_ZBF_CMAP_ACL_31

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map match-all BRANCH-BULK-DATA

 match protocol tftp

 match protocol nfs

 match access-group name BULK-DATA-APPS

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_14

 match access-group name CSM_ZBF_CMAP_ACL_14

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_27

 match access-group name CSM_ZBF_CMAP_ACL_27

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_36

 match access-group name CSM_ZBF_CMAP_ACL_36

class-map type inspect match-all CSM_ZBF_CLASS_MAP_15

 match access-group name CSM_ZBF_CMAP_ACL_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_26

 match access-group name CSM_ZBF_CMAP_ACL_26

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21

 match protocol tcp

 match protocol udp

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_37

 match access-group name CSM_ZBF_CMAP_ACL_37

 match class-map CSM_ZBF_CMAP_PLMAP_21

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9

 match protocol syslog

 match protocol syslog-conn

 match protocol snmp

 match protocol snmptrap

class-map type inspect match-all CSM_ZBF_CLASS_MAP_16

 match access-group name CSM_ZBF_CMAP_ACL_16

 match class-map CSM_ZBF_CMAP_PLMAP_9

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16

 match protocol http

 match protocol https

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_25

 match access-group name CSM_ZBF_CMAP_ACL_25

 match class-map CSM_ZBF_CMAP_PLMAP_16

class-map type inspect match-all CSM_ZBF_CLASS_MAP_34

 match access-group name CSM_ZBF_CMAP_ACL_34

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10

 match protocol ldaps

 match protocol ldap

 match protocol ldap-admin

 match protocol radius

 match protocol tacacs

 match protocol tacacs-ds

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_17

 match access-group name CSM_ZBF_CMAP_ACL_17

 match class-map CSM_ZBF_CMAP_PLMAP_10

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15

 match protocol http

 match protocol https

 match protocol netbios-ns

 match protocol netbios-dgm

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_24

 match access-group name CSM_ZBF_CMAP_ACL_24

 match class-map CSM_ZBF_CMAP_PLMAP_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_35

 match access-group name CSM_ZBF_CMAP_ACL_35

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11

 match protocol ntp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_18

 match access-group name CSM_ZBF_CMAP_ACL_18

 match class-map CSM_ZBF_CMAP_PLMAP_11

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12

 match protocol bootpc

 match protocol bootps

 match protocol udp

 match protocol tcp

 match protocol dns

 match protocol dhcp-failover

class-map type inspect match-all CSM_ZBF_CLASS_MAP_19

 match access-group name CSM_ZBF_CMAP_ACL_19

 match class-map CSM_ZBF_CMAP_PLMAP_12

class-map type inspect match-all CSM_ZBF_CLASS_MAP_29

 match access-group name CSM_ZBF_CMAP_ACL_29

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_38

 match access-group name CSM_ZBF_CMAP_ACL_38

 match class-map CSM_ZBF_CMAP_PLMAP_22

class-map type inspect match-all CSM_ZBF_CLASS_MAP_28

 match access-group name CSM_ZBF_CMAP_ACL_28

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1

 match protocol https

 match protocol ssh

class-map type inspect match-all CSM_ZBF_CLASS_MAP_1

 match access-group name CSM_ZBF_CMAP_ACL_1

 match class-map CSM_ZBF_CMAP_PLMAP_1

class-map type inspect match-all CSM_ZBF_CLASS_MAP_3

 match access-group name CSM_ZBF_CMAP_ACL_3

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2

 match protocol https

 match protocol http

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_2

 match access-group name CSM_ZBF_CMAP_ACL_2

 match class-map CSM_ZBF_CMAP_PLMAP_2

class-map type inspect match-all CSM_ZBF_CLASS_MAP_5

 match access-group name CSM_ZBF_CMAP_ACL_5

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3

 match protocol http

 match protocol https

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

 match access-group name CSM_ZBF_CMAP_ACL_4

 match class-map CSM_ZBF_CMAP_PLMAP_3

class-map type inspect match-all CSM_ZBF_CLASS_MAP_7

 match access-group name CSM_ZBF_CMAP_ACL_7

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_6

 match access-group name CSM_ZBF_CMAP_ACL_6

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_9

 match access-group name CSM_ZBF_CMAP_ACL_9

 match protocol tcp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6

 match protocol http

 match protocol https

 match protocol ssh

 match protocol telnet

 match protocol tftp

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_8

 match access-group name CSM_ZBF_CMAP_ACL_8

 match class-map CSM_ZBF_CMAP_PLMAP_6

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol citrix

 match protocol ldap

 match protocol telnet

 match protocol sqlnet

 match protocol http url "*SalesReport*"

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol snmp

 match protocol syslog

 match protocol dns

 match protocol icmp

 match protocol ssh

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

 match protocol gnutella

 match protocol fasttrack

 match protocol kazaa2

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map BRANCH-LAN-EDGE-OUT

 class class-default

policy-map BRANCH-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 12

  random-detect dscp-based

 class BULK-DATA

  bandwidth percent 4

  random-detect dscp-based

 class SCAVENGER

  bandwidth percent 1

 class class-default

  bandwidth percent 25

  random-detect

policy-map type inspect CSM_ZBF_POLICY_MAP_18

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_19

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_16

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_23

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_25

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_36

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_37

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_17

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_24

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_24

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_34

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_35

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_14

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_27

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_15

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_21

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_26

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_38

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_12

 class type inspect CSM_ZBF_CLASS_MAP_15

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_21

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_13

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_20

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_10

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_23

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_31

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_33

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_11

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_22

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_9

 class type inspect CSM_ZBF_CLASS_MAP_13

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_8

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_12

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_7

 class type inspect CSM_ZBF_CLASS_MAP_9

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_10

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_11

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_6

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_5

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_8

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_4

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_7

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_3

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_5

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_2

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_4

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_1

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_2

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop

policy-map BRANCH-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

zone security S_WAN

 description Store WAN Link

zone security S_R-2-R

 description Bridge link between routers

zone security LOOPBACK

 description Loopback interface

zone security S_MGMT

 description VLAN1000 Management

zone security S_Security

 description VLAN20 Physical Security Systems

zone security S_WAAS

 description VLAN19 WAAS optimization

zone security S_WLC-AP

 description VLAN18 Wireless Systems

zone security S_Data

 description VLAN12 Store Data

zone security S_Data-W

 description VLAN14 Store Wireless Data

zone security S_Guest

 description VLAN17 Guest/Public Wireless

zone security S_Voice

 description VLAN13 Store Voice

zone security S_Partners

 description VLAN16 Partner network

zone security S_POS

 description VLAN 11 POS Data

zone security S_POS-W

 description VLAN15 Store Wireless POS

zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_8

zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self

 service-policy type inspect CSM_ZBF_POLICY_MAP_9

zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_11

zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_12

zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_22

zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_26

zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_27

interface Loopback0

 ip address 10.10.110.2 255.255.255.255

 ip pim sparse-dense-mode

 zone-member security LOOPBACK

interface GigabitEthernet0/0

 no ip address

 duplex auto

 speed auto

interface GigabitEthernet0/0.102

 description ROUTER LINK TO

 encapsulation dot1Q 102

 ip address 10.10.110.30 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

interface GigabitEthernet0/1

 description ROUTER LINK TO SWITCH

 no ip address

 duplex auto

 speed auto

 media-type rj45

interface GigabitEthernet0/1.11

 description POS

 encapsulation dot1Q 11

 ip address 10.10.96.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS

 standby 11 ip 10.10.96.1

 standby 11 priority 99

 standby 11 preempt

 ip igmp query-interval 125

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.12

 description DATA

 encapsulation dot1Q 12

 ip address 10.10.97.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip wccp 61 redirect in

 ip pim sparse-dense-mode

 zone-member security S_Data

 standby 12 ip 10.10.97.1

 standby 12 priority 99

 standby 12 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.13

 description VOICE

 encapsulation dot1Q 13

 ip address 10.10.98.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Voice

 standby 13 ip 10.10.98.1

 standby 13 priority 99

 standby 13 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.14

 description WIRELESS

 encapsulation dot1Q 14

 ip address 10.10.99.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Data-W

 standby 14 ip 10.10.99.1

 standby 14 priority 99

 standby 14 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.15

 description WIRELESS-POS

 encapsulation dot1Q 15

 ip address 10.10.100.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS-W

 standby 15 ip 10.10.100.1

 standby 15 priority 99

 standby 15 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.16

 description PARTNER

 encapsulation dot1Q 16

 ip address 10.10.101.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Partners

 standby 16 ip 10.10.101.1

 standby 16 priority 99

 standby 16 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.17

 description WIRELESS-GUEST

 encapsulation dot1Q 17

 ip address 10.10.102.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Guest

 standby 17 ip 10.10.102.1

 standby 17 priority 99

 standby 17 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.18

 description WIRELESS-CONTROL

 encapsulation dot1Q 18

 ip address 10.10.103.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WLC-AP

 standby 18 ip 10.10.103.1

 standby 18 priority 99

 standby 18 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.19

 description WAAS

 encapsulation dot1Q 19

 ip address 10.10.104.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WAAS

 standby 19 ip 10.10.104.1

 standby 19 priority 99

 standby 19 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.20

 description SECURITY-SYSTEMS

 encapsulation dot1Q 20

 ip address 10.10.105.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Security

 standby 20 ip 10.10.105.1

 standby 20 priority 99

 standby 20 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.101

 description ROUTER LINK TO

 encapsulation dot1Q 101

 ip address 10.10.110.26 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

interface GigabitEthernet0/1.1000

 description MANAGEMENT

 encapsulation dot1Q 1000

 ip address 10.10.111.3 255.255.255.0

 zone-member security S_MGMT

 standby 100 ip 10.10.111.1

 standby 100 priority 99

 standby 100 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/2

 ip address 10.10.254.96 255.255.255.0

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

router ospf 5

 router-id 10.10.110.2

 redistribute connected subnets

 passive-interface default

 no passive-interface GigabitEthernet0/0.102

 no passive-interface GigabitEthernet0/1.101

 network 10.10.0.0 0.0.255.255 area 10

 default-information originate

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 10.10.254.11

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended CSM_ZBF_CMAP_ACL_1

 remark Data Center Mgmt to Devices

 permit object-group CSM_INLINE_svc_rule_81604380993 object-group 
CSM_INLINE_src_rule_81604380993 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_10

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle 
object-group STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group 
STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax 
object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_11

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381021 object-group 
CSM_INLINE_src_rule_81604381021 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_12

 remark Data Center VOICE (wired and Wireless)

 permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_13

 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group 
CSM_INLINE_dst_rule_81604381150

ip access-list extended CSM_ZBF_CMAP_ACL_14

 remark Store WAAS to Clients and Servers

 permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_15

 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group 
CSM_INLINE_dst_rule_81604381152

ip access-list extended CSM_ZBF_CMAP_ACL_16

 remark Syslog and SNMP Alerts

 permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604380995

ip access-list extended CSM_ZBF_CMAP_ACL_17

 remark Store to Data Center Authentications

 permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381001

ip access-list extended CSM_ZBF_CMAP_ACL_18

 remark Store to Data Center for NTP

 permit object-group NTP object-group Stores-ALL object-group NTP-Servers

ip access-list extended CSM_ZBF_CMAP_ACL_19

 remark Store to Data Center for DHCP and DNS

 permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group 
ActiveDirectory.cisco-irn.com

ip access-list extended CSM_ZBF_CMAP_ACL_2

 remark Data Center subscribe to IPS SDEE events

 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443

ip access-list extended CSM_ZBF_CMAP_ACL_20

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381039

ip access-list extended CSM_ZBF_CMAP_ACL_21

 remark Store UCS E-series server to Data Center vShphere

 permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group 
vSphere-1

ip access-list extended CSM_ZBF_CMAP_ACL_22

 remark Store NAC

 permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381037

ip access-list extended CSM_ZBF_CMAP_ACL_23

 remark Store to Data Center Physical Security

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049

ip access-list extended CSM_ZBF_CMAP_ACL_24

 remark Store WAAS (WAAS Devices need their own zone)

 permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group 
DC-WAAS

ip access-list extended CSM_ZBF_CMAP_ACL_25

 remark Store to Data Center wireless controller traffic

 permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381045

ip access-list extended CSM_ZBF_CMAP_ACL_26

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group 
DC-POS-Oracle

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group 
DC-POS-SAP

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group 
DC-POS-Tomax

ip access-list extended CSM_ZBF_CMAP_ACL_27

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381023 object-group 
CSM_INLINE_src_rule_81604381023 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_28

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_29

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_3

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381041 object-group 
CSM_INLINE_src_rule_81604381041 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_30

 remark Permit POS clients to talk to store POS server

 permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group 
STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_31

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_32

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_33

 remark Store DATA (wired and Wireless - Access to DC Other applications)

 permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group 
DC-Applications

ip access-list extended CSM_ZBF_CMAP_ACL_34

 remark Store GUEST - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071

ip access-list extended CSM_ZBF_CMAP_ACL_35

 remark Store GUEST (access to internet/DMZ web servers)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_36

 remark Store PARTNERS - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067

ip access-list extended CSM_ZBF_CMAP_ACL_37

 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_38

 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)

 permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381059

ip access-list extended CSM_ZBF_CMAP_ACL_4

 remark Data Center vSphere to UCS E-series server

 permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_5

 remark Data Center to Store Physical Security

 permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_6

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_7

 remark Data Center WAAS to Store

 permit object-group CSM_INLINE_svc_rule_81604381051 object-group 
CSM_INLINE_src_rule_81604381051 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_8

 remark Data Center Wireless Control to AP's and Controllers in stores

 permit object-group CSM_INLINE_svc_rule_81604381043 object-group 
CSM_INLINE_src_rule_81604381043 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_9

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group STORE-POS

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip any 192.168.52.0 0.0.0.255

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444

 remark --Large store Clock Server to CUAE

 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000

 remark ---LiteScape Application---

 permit ip any host 192.168.46.82

 permit ip any 239.192.0.0 0.0.0.255

 permit ip any host 239.255.255.250

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp any 192.168.46.0 0.0.0.255 eq 7777

 permit tcp any 192.168.46.0 0.0.0.255 eq 6003

 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

nls resp-timeout 1

cpd cr-id 1

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps flash insertion removal

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps ipsla

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server domain-stripping

tacacs-server key 7 <removed>

control-plane

mgcp profile default

gatekeeper

 shutdown

banner exec C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 login authentication RETAIL

 no exec

 transport preferred none

 transport output none

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

scheduler allocate 20000 1000

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

S-A2-LRG-1

S-A2-LRG-1#sh run

Building configuration...

Current configuration : 21232 bytes

! Last configuration change at 02:39:20 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:39:22 PSTDST Sat Apr 30 2011 by retail

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service compress-config

service sequence-numbers

hostname S-A2-LRG-1

boot-start-marker

boot system flash bootflash:cat4500e-universalk9.SPA.03.01.00.SG.150-1.XO.bin

boot-end-marker

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

ip subnet-zero

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

no ip bootp server

ip vrf Mgmt-vrf

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

vtp mode transparent

password encryption aes

crypto pki trustpoint CISCO_IDEVID_SUDI

 revocation-check none

 rsakeypair CISCO_IDEVID_SUDI

crypto pki trustpoint CISCO_IDEVID_SUDI0

 revocation-check none

crypto pki trustpoint TP-self-signed-145264

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-145264

 revocation-check none

 rsakeypair TP-self-signed-145264

crypto pki certificate chain CISCO_IDEVID_SUDI

 certificate 686CBFDE00000015EFB1

  <removed>

  quit

 certificate ca 6A6967B3000000000003

  <removed>

  quit

crypto pki certificate chain CISCO_IDEVID_SUDI0

 certificate ca 5FF87B282B54DC8D42A315B568C9ADFF

  <removed>

  quit

crypto pki certificate chain TP-self-signed-145264

 certificate self-signed 01

  <removed>

  quit

power redundancy-mode redundant

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

redundancy

 mode rpr

vlan internal allocation policy ascending

vlan 11

 name POS

vlan 12

 name DATA

vlan 13

 name VOICE

vlan 14

 name WIRELESS

vlan 15

 name WIRELESS-POS

vlan 16

 name PARTNER

vlan 17

 name WIRELESS-GUEST

vlan 18

 name WIRELESS-CONTROL

vlan 19

 name WAAS

vlan 20

 name SECURITY-SYSTEMS

vlan 101

 name RouterLink101

vlan 102

 name RouterLink102

vlan 1000

 name MANAGEMENT

ip ssh version 2

ip scp server enable

interface FastEthernet1

 ip vrf forwarding Mgmt-vrf

 no ip address

 shutdown

 speed auto

 duplex auto

interface TenGigabitEthernet3/1

 shutdown

interface TenGigabitEthernet3/2

 shutdown

interface TenGigabitEthernet3/3

 shutdown

interface TenGigabitEthernet3/4

 shutdown

interface GigabitEthernet5/1

 shutdown

interface GigabitEthernet5/2

 shutdown

interface GigabitEthernet5/3

 shutdown

interface GigabitEthernet5/4

 shutdown

interface GigabitEthernet5/5

 shutdown

interface GigabitEthernet5/6

 shutdown

interface GigabitEthernet5/7

 shutdown

interface GigabitEthernet5/8

 shutdown

interface GigabitEthernet5/9

 shutdown

interface GigabitEthernet5/10

 shutdown

interface GigabitEthernet5/11

 shutdown

interface GigabitEthernet5/12

 shutdown

interface GigabitEthernet5/13

 shutdown

interface GigabitEthernet5/14

 shutdown

interface GigabitEthernet5/15

 shutdown

interface GigabitEthernet5/16

 shutdown

interface GigabitEthernet5/17

 shutdown

interface GigabitEthernet5/18

 shutdown

interface GigabitEthernet5/19

 shutdown

interface GigabitEthernet5/20

 shutdown

interface GigabitEthernet5/21

 shutdown

interface GigabitEthernet5/22

 shutdown

interface GigabitEthernet5/23

 shutdown

interface GigabitEthernet5/24

 shutdown

interface GigabitEthernet5/25

 shutdown

interface GigabitEthernet5/26

 shutdown

interface GigabitEthernet5/27

 shutdown

interface GigabitEthernet5/28

 shutdown

interface GigabitEthernet5/29

 shutdown

interface GigabitEthernet5/30

 shutdown

interface GigabitEthernet5/31

 shutdown

interface GigabitEthernet5/32

 shutdown

interface GigabitEthernet5/33

 shutdown

interface GigabitEthernet5/34

 shutdown

interface GigabitEthernet5/35

 shutdown

interface GigabitEthernet5/36

 shutdown

interface GigabitEthernet5/37

 shutdown

interface GigabitEthernet5/38

 shutdown

interface GigabitEthernet5/39

 shutdown

interface GigabitEthernet5/40

 shutdown

interface GigabitEthernet5/41

 shutdown

interface GigabitEthernet5/42

 shutdown

interface GigabitEthernet5/43

 shutdown

interface GigabitEthernet5/44

 shutdown

interface GigabitEthernet5/45

 shutdown

interface GigabitEthernet5/46

 shutdown

interface GigabitEthernet5/47

 shutdown

interface GigabitEthernet5/48

 shutdown

interface GigabitEthernet6/1

interface GigabitEthernet6/2

 shutdown

interface GigabitEthernet6/3

 shutdown

interface GigabitEthernet6/4

 shutdown

interface GigabitEthernet6/5

 shutdown

interface GigabitEthernet6/6

 shutdown

interface GigabitEthernet6/7

 shutdown

interface GigabitEthernet6/8

 shutdown

interface GigabitEthernet6/9

 shutdown

interface GigabitEthernet6/10

 description MSP-A2-LRG-1

 switchport access vlan 20

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet6/11

 shutdown

interface GigabitEthernet6/12

 shutdown

interface GigabitEthernet6/13

 shutdown

interface GigabitEthernet6/14

 shutdown

interface GigabitEthernet6/15

 shutdown

interface GigabitEthernet6/16

 shutdown

interface GigabitEthernet6/17

 description WLC-A2-LRG-1_G1

 switchport access vlan 18

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet6/18

 description WLC-A2-LRG-1_G2

 switchport trunk allowed vlan 14-17

 switchport mode trunk

interface GigabitEthernet6/19

 shutdown

interface GigabitEthernet6/20

 shutdown

interface GigabitEthernet6/21

 shutdown

interface GigabitEthernet6/22

 shutdown

interface GigabitEthernet6/23

 shutdown

interface GigabitEthernet6/24

 shutdown

interface GigabitEthernet6/25

 shutdown

interface GigabitEthernet6/26

 shutdown

interface GigabitEthernet6/27

 shutdown

interface GigabitEthernet6/28

 shutdown

interface GigabitEthernet6/29

 shutdown

interface GigabitEthernet6/30

 shutdown

interface GigabitEthernet6/31

 shutdown

interface GigabitEthernet6/32

 shutdown

interface GigabitEthernet6/33

 shutdown

interface GigabitEthernet6/34

 shutdown

interface GigabitEthernet6/35

 shutdown

interface GigabitEthernet6/36

 shutdown

interface GigabitEthernet6/37

 shutdown

interface GigabitEthernet6/38

 shutdown

interface GigabitEthernet6/39

 shutdown

interface GigabitEthernet6/40

 shutdown

interface GigabitEthernet6/41

 switchport mode trunk

interface GigabitEthernet6/42

 shutdown

interface GigabitEthernet6/43

 switchport mode trunk

interface GigabitEthernet6/44

 shutdown

interface GigabitEthernet6/45

 switchport mode trunk

interface GigabitEthernet6/46

interface GigabitEthernet6/47

 switchport mode trunk

interface GigabitEthernet6/48

 shutdown

interface Vlan1

 no ip address

 shutdown

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.111.11 255.255.255.0

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.10.111.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

no snmp-server enable traps license

snmp-server enable traps entity

snmp-server enable traps flash insertion removal

snmp-server enable traps power-ethernet police

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps errdisable

snmp-server enable traps vlan-membership

snmp-server enable traps mac-notification change move threshold

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^CC

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 17202862

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

S-A2-LRG-1#

S-A2-LRG-2

S-A2-LRG-2#sh run

Building configuration...

Current configuration : 20118 bytes

! Last configuration change at 02:45:12 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:45:13 PSTDST Sat Apr 30 2011 by retail

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service compress-config

service sequence-numbers

hostname S-A2-LRG-2

boot-start-marker

boot system flash bootflash:cat4500e-universalk9.SPA.03.01.00.SG.150-1.XO.bin

boot-end-marker

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

ip subnet-zero

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

no ip bootp server

ip vrf Mgmt-vrf

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

vtp mode transparent

password encryption aes

crypto pki trustpoint CISCO_IDEVID_SUDI

 revocation-check none

 rsakeypair CISCO_IDEVID_SUDI

crypto pki trustpoint CISCO_IDEVID_SUDI0

 revocation-check none

crypto pki trustpoint TP-self-signed-145261

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-145261

 revocation-check none

 rsakeypair TP-self-signed-145261

crypto pki certificate chain CISCO_IDEVID_SUDI

 certificate 6B46CD9B00000015F50E

  <removed>

  quit

 certificate ca 6A6967B3000000000003

  <removed>

  quit

crypto pki certificate chain CISCO_IDEVID_SUDI0

 certificate ca 5FF87B282B54DC8D42A315B568C9ADFF

  <removed>

  quit

crypto pki certificate chain TP-self-signed-145261

 certificate self-signed 01

  <removed>

  quit

power redundancy-mode redundant

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

redundancy

 mode rpr

vlan internal allocation policy ascending

vlan 11

 name POS

vlan 12

 name DATA

vlan 13

 name VOICE

vlan 14

 name WIRELESS

vlan 15

 name WIRELESS-POS

vlan 16

 name PARTNER

vlan 17

 name WIRELESS-GUEST

vlan 18

 name WIRELESS-CONTROL

vlan 19

 name WAAS

vlan 20

 name SECURITY-SYSTEMS

vlan 101

 name RouterLink101

vlan 102

 name RouterLink102

vlan 1000

 name MANAGEMENT

ip ssh version 2

ip scp server enable

interface FastEthernet1

 ip vrf forwarding Mgmt-vrf

 no ip address

 shutdown

 speed auto

 duplex auto

interface TenGigabitEthernet3/1

 shutdown

interface TenGigabitEthernet3/2

 shutdown

interface TenGigabitEthernet3/3

 shutdown

interface TenGigabitEthernet3/4

 shutdown

interface GigabitEthernet6/1

interface GigabitEthernet6/2

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/3

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/4

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/5

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/6

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/7

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/8

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/9

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/10

 description MSP-A2-LRG-1

 switchport access vlan 20

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet6/11

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/12

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/13

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/14

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/15

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/16

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/17

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/18

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/19

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/20

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/21

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/22

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/23

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/24

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/25

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/26

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/27

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/28

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/29

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/30

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/31

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/32

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/33

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/34

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/35

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/36

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/37

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/38

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/39

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/40

 switchport access vlan 17

 shutdown

interface GigabitEthernet6/41

 switchport mode trunk

interface GigabitEthernet6/42

interface GigabitEthernet6/43

 switchport mode trunk

interface GigabitEthernet6/44

interface GigabitEthernet6/45

 switchport mode trunk

interface GigabitEthernet6/46

interface GigabitEthernet6/47

 switchport mode trunk

interface GigabitEthernet6/48

interface Vlan1

 no ip address

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.111.12 255.255.255.0

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.10.111.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

no snmp-server enable traps license

snmp-server enable traps entity

snmp-server enable traps flash insertion removal

snmp-server enable traps power-ethernet police

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps port-security

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps errdisable

snmp-server enable traps vlan-membership

snmp-server enable traps mac-notification change move threshold

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^CC

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 17211501

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

S-A2-LRG-3

S-A2-LRG-3#sh run

Building configuration...

Current configuration : 20730 bytes

! Last configuration change at 02:52:21 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:52:23 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname S-A2-LRG-3

boot-start-marker

boot-end-marker

logging buffered 50000

logging monitor informational

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

macro name dot1x

switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

macro global description dot1x

macro auto sticky

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication dot1x default group radius local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization network default group radius

aaa authorization auth-proxy default group radius

aaa authorization configuration default group radius

aaa accounting update newinfo

aaa accounting auth-proxy default start-stop group radius

aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa server radius dynamic-author

 client 192.168.42.111

 server-key 7 <removed>

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

authentication mac-move permit

ip dhcp snooping vlan 1,11

no ip dhcp snooping information option

ip dhcp snooping

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

ip device tracking

ip admission name ise proxy http inactivity-time 60

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

vtp mode transparent

cts sxp enable

cts sxp default source-ip 10.10.111.13

password encryption aes

crypto pki trustpoint TP-self-signed-4268543232

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-4268543232

 revocation-check none

 rsakeypair TP-self-signed-4268543232

crypto pki certificate chain TP-self-signed-4268543232

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

dot1x system-auth-control

fallback profile ise

 ip access-group ACL-DEFAULT in

 ip admission ise

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

vlan 11

 name POS

vlan 12

 name DATA

vlan 13

 name VOICE

vlan 14

 name WIRELESS

vlan 15

 name WIRELESS-POS

vlan 16

 name PARTNER

vlan 17

 name WIRELESS-GUEST

vlan 18

 name WIRELESS-CONTROL

vlan 19

 name WAAS

vlan 20

 name SECURITY-SYSTEMS

vlan 101

 name RouterLink101

vlan 102

 name RouterLink102

vlan 1000

 name MANAGEMENT

ip ssh version 2

ip scp server enable

interface FastEthernet0

 no ip address

 shutdown

interface GigabitEthernet0/1

 description uplink

interface GigabitEthernet0/2

 description uplink

interface GigabitEthernet0/3

 shutdown

interface GigabitEthernet0/4

 description Cisco9971 IP phone

 switchport access vlan 11

 switchport voice vlan 13

 spanning-tree portfast

interface GigabitEthernet0/5

 description IP Camera - 4300

 switchport access vlan 20

 switchport mode access

interface GigabitEthernet0/6

 description CIAC-GW

 switchport access vlan 20

 switchport mode access

interface GigabitEthernet0/7

 shutdown

interface GigabitEthernet0/8

 shutdown

interface GigabitEthernet0/9

 shutdown

interface GigabitEthernet0/10

 shutdown

interface GigabitEthernet0/11

 shutdown

interface GigabitEthernet0/12

 shutdown

interface GigabitEthernet0/13

 shutdown

interface GigabitEthernet0/14

 shutdown

interface GigabitEthernet0/15

 shutdown

interface GigabitEthernet0/16

 shutdown

interface GigabitEthernet0/17

 shutdown

interface GigabitEthernet0/18

 shutdown

interface GigabitEthernet0/19

 shutdown

interface GigabitEthernet0/20

 shutdown

interface GigabitEthernet0/21

 shutdown

interface GigabitEthernet0/22

 shutdown

interface GigabitEthernet0/23

 shutdown

interface GigabitEthernet0/24

 shutdown

interface GigabitEthernet0/25

 description open-mode 802.1x+mab+mda+acl

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/26

 description mobile worker

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/27

 shutdown

interface GigabitEthernet0/28

 shutdown

interface GigabitEthernet0/29

 shutdown

interface GigabitEthernet0/30

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/31

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/32

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/33

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/34

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/35

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/36

 switchport access vlan 11

 switchport mode access

 switchport voice vlan 13

 ip arp inspection limit rate 1000

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab webauth

 authentication priority dot1x mab

 authentication port-control auto

 authentication timer reauthenticate server

 authentication timer inactivity server

 authentication violation restrict

 authentication fallback ise

mab

 snmp trap mac-notification change added

 macro description dot1x

 dot1x pae authenticator

 dot1x timeout tx-period 5

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 200

interface GigabitEthernet0/37

 shutdown

interface GigabitEthernet0/38

 shutdown

interface GigabitEthernet0/39

 shutdown

interface GigabitEthernet0/40

 shutdown

interface GigabitEthernet0/41

 shutdown

interface GigabitEthernet0/42

 shutdown

interface GigabitEthernet0/43

 shutdown

interface GigabitEthernet0/44

 shutdown

interface GigabitEthernet0/45

 shutdown

interface GigabitEthernet0/46

 shutdown

interface GigabitEthernet0/47

 shutdown

interface GigabitEthernet0/48

 shutdown

interface GigabitEthernet1/1

 shutdown

interface GigabitEthernet1/2

 shutdown

interface GigabitEthernet1/3

 shutdown

interface GigabitEthernet1/4

 shutdown

interface TenGigabitEthernet1/1

 shutdown

interface TenGigabitEthernet1/2

 shutdown

interface Vlan1

 no ip address

 shutdown

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.111.13 255.255.255.0

ip default-gateway 10.10.111.1

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

ip access-list extended ACL-ALLOW

 permit ip any any

ip access-list extended ACL-DEFAULT

 remark DHCP

 permit udp any eq bootpc any eq bootps

 remark DNS

 permit udp any any eq domain

 remark ICMP Ping

 permit icmp any any

 remark PXE Boot

 permit udp any any eq tftp

 remark URL Redirect

 permit tcp any host 192.168.42.111 eq www

 permit tcp any host 192.168.42.111 eq 443

 permit tcp any host 192.168.42.112 eq www

 permit tcp any host 192.168.42.112 eq 443

 remark Guest Portal

 permit tcp any host 192.168.42.111 eq 8443

 permit tcp any host 192.168.42.112 eq 8443

 deny   ip any any

ip access-list extended ACL-POSTURE-REDIRECT

 deny   ip any host 192.168.42.111

 deny   ip any host 192.168.42.130

 permit ip any any

ip access-list extended ACL-WEBAUTH-REDIRECT

 remark Don't match traffic sent to ISE PDP Nodes

 deny   ip any host 192.168.42.111

 deny   ip any host 192.168.42.112

 deny   ip any host 10.35.48.242

 deny   ip any host 171.71.169.207

 permit ip any any

ip sla enable reaction-alerts

logging trap debugging

logging origin-id ip

logging source-interface Vlan1000

logging 192.168.42.124

logging host 192.168.42.111 transport udp port 20514

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps power-ethernet group 1

snmp-server enable traps power-ethernet police

snmp-server enable traps cpu threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps errdisable

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

snmp-server host 192.168.42.111 version 2c retaillabISE  dot1x mac-notification snmp

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server dead-criteria time 5 tries 3

radius-server host 192.168.42.111 auth-port 1812 acct-port 1813 key 7 <removed>

radius-server vsa send accounting

radius-server vsa send authentication

banner exec ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^CC

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36027134

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

mac address-table notification change interval 0

mac address-table notification change

end

S-A2-LRG-4

S-A2-LRG-4#sh run

Building configuration...

Current configuration : 26605 bytes

! Last configuration change at 02:56:42 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:56:45 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname S-A2-LRG-4

boot-start-marker

boot-end-marker

logging buffered 50000

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 
<removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

macro auto device media-player ACCESS_VLAN=12

macro auto device ip-camera ACCESS_VLAN=20

macro auto device phone ACCESS_VLAN=17 VOICE_VLAN=13

macro auto device access-point ACCESS_VLAN=18

macro auto device lightweight-ap ACCESS_VLAN=18

macro auto global processing fallback cdp

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication dot1x default group radius local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization network default group radius

aaa authorization auth-proxy default group radius

aaa accounting update newinfo

aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

authentication mac-move permit

ip subnet-zero

no ip source-route

ip domain-name cisco-irn.com

ip host nac-2 192.168.42.112

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

mls qos map policed-dscp  24 26 46 to 0

mls qos map cos-dscp 0 8 16 24 32 46 48 56

mls qos srr-queue input bandwidth 90 10

mls qos srr-queue input threshold 1 8 16

mls qos srr-queue input threshold 2 34 66

mls qos srr-queue input buffers 67 33

mls qos srr-queue input cos-map queue 1 threshold 2 1

mls qos srr-queue input cos-map queue 1 threshold 3 0

mls qos srr-queue input cos-map queue 2 threshold 1 2

mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7

mls qos srr-queue input cos-map queue 2 threshold 3 3 5

mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15

mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7

mls qos srr-queue input dscp-map queue 1 threshold 3 32

mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23

mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48

mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56

mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63

mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31

mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47

mls qos srr-queue output cos-map queue 1 threshold 3 5

mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7

mls qos srr-queue output cos-map queue 3 threshold 3 2 4

mls qos srr-queue output cos-map queue 4 threshold 2 1

mls qos srr-queue output cos-map queue 4 threshold 3 0

mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47

mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31

mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55

mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63

mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23

mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39

mls qos srr-queue output dscp-map queue 4 threshold 1 8

mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15

mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7

mls qos queue-set output 1 threshold 1 138 138 92 138

mls qos queue-set output 1 threshold 2 138 138 92 400

mls qos queue-set output 1 threshold 3 36 77 100 318

mls qos queue-set output 1 threshold 4 20 50 67 400

mls qos queue-set output 2 threshold 1 149 149 100 149

mls qos queue-set output 2 threshold 2 118 118 100 235

mls qos queue-set output 2 threshold 3 41 68 100 272

mls qos queue-set output 2 threshold 4 42 72 100 242

mls qos queue-set output 1 buffers 10 10 26 54

mls qos queue-set output 2 buffers 16 6 17 61

mls qos

password encryption aes

crypto pki trustpoint TP-self-signed-4268542976

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-4268542976

 revocation-check none

 rsakeypair TP-self-signed-4268542976

crypto pki certificate chain TP-self-signed-4268542976

 certificate self-signed 01

  <removed> 1

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

dot1x system-auth-control

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

vlan internal allocation policy ascending

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

class-map match-all AutoQoS-VoIP-RTP-Trust

 match ip dscp ef

class-map match-all AutoQoS-VoIP-Control-Trust

 match ip dscp cs3  af31

policy-map AutoQoS-Police-CiscoPhone

 class AutoQoS-VoIP-RTP-Trust

  set dscp ef

  police 320000 8000 exceed-action policed-dscp-transmit

 class AutoQoS-VoIP-Control-Trust

  set dscp cs3

  police 32000 8000 exceed-action policed-dscp-transmit

interface FastEthernet0

 no ip address

 shutdown

interface GigabitEthernet0/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

 srr-queue bandwidth share 10 10 60 20

 queue-set 2

 priority-queue out

 mls qos trust cos

 macro description CISCO_SWITCH_EVENT

 auto qos voip trust

interface GigabitEthernet0/2

 switchport trunk encapsulation dot1q

 switchport mode trunk

 srr-queue bandwidth share 10 10 60 20

 queue-set 2

 priority-queue out

 mls qos trust cos

 macro description CISCO_SWITCH_EVENT

 auto qos voip trust

interface GigabitEthernet0/3

 description AIR-CAP3502E

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode access

 switchport block unicast

 switchport port-security aging time 1

 switchport port-security violation protect

 switchport port-security aging type inactivity

 load-interval 30

 srr-queue bandwidth share 10 10 60 20

 priority-queue out

 mls qos trust dscp

 macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT

 storm-control broadcast level pps 1k

 storm-control multicast level pps 2k

 storm-control action trap

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 15

interface GigabitEthernet0/4

 description AIR-CAP3502I

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode access

 switchport block unicast

 switchport port-security aging time 1

 switchport port-security violation protect

 switchport port-security aging type inactivity

 load-interval 30

 srr-queue bandwidth share 10 10 60 20

 priority-queue out

 mls qos trust dscp

 macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT

 storm-control broadcast level pps 1k

 storm-control multicast level pps 2k

 storm-control action trap

 spanning-tree portfast

 spanning-tree bpduguard enable

 ip dhcp snooping limit rate 15

interface GigabitEthernet0/5

 shutdown

interface GigabitEthernet0/6

 shutdown

interface GigabitEthernet0/7

 switchport trunk encapsulation dot1q

 switchport mode trunk

 srr-queue bandwidth share 10 10 60 20

 queue-set 2

 priority-queue out

 mls qos trust cos

 macro description CISCO_SWITCH_EVENT

 auto qos voip trust

interface GigabitEthernet0/8

 shutdown

interface GigabitEthernet0/9

 shutdown

interface GigabitEthernet0/10

 shutdown

interface GigabitEthernet0/11

 description Cisco7975 IP phone

 switchport mode access

 switchport block unicast

 switchport voice vlan 2

 switchport port-security maximum 3

 switchport port-security maximum 2 vlan access

 switchport port-security

 switchport port-security aging time 1

 switchport port-security violation restrict

 switchport port-security aging type inactivity

 load-interval 30

 srr-queue bandwidth share 10 10 60 20

 queue-set 2

 priority-queue out

 mls qos trust device cisco-phone

 mls qos trust cos

 macro description CISCO_PHONE_EVENT

 auto qos voip cisco-phone

 storm-control broadcast level pps 1k

 storm-control multicast level pps 2k

 storm-control action trap

 spanning-tree portfast

 spanning-tree bpduguard enable

 service-policy input AutoQoS-Police-CiscoPhone

 ip dhcp snooping limit rate 15

interface GigabitEthernet0/12

 shutdown

interface GigabitEthernet0/13

 shutdown

interface GigabitEthernet0/14

 shutdown

interface GigabitEthernet0/15

 shutdown

interface GigabitEthernet0/16

 shutdown

interface GigabitEthernet0/17

 shutdown

interface GigabitEthernet0/18

 shutdown

interface GigabitEthernet0/19

 shutdown

interface GigabitEthernet0/20

 shutdown

interface GigabitEthernet0/21

 shutdown

interface GigabitEthernet0/22

 shutdown

interface GigabitEthernet0/23

 shutdown

interface GigabitEthernet0/24

 shutdown

interface GigabitEthernet0/25

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/26

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/27

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/28

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/29

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/30

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/31

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/32

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/33

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/34

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/35

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/36

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/37

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/38

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/39

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/40

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/41

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/42

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/43

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/44

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/45

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/46

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/47

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet0/48

 description open-mode 802.1x+mab+mda+acl

 switchport mode access

 switchport voice vlan 13

 ip access-group ACL-DEFAULT in

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

mab

 spanning-tree portfast

interface GigabitEthernet1/1

 shutdown

interface GigabitEthernet1/2

 shutdown

interface GigabitEthernet1/3

 shutdown

interface GigabitEthernet1/4

 shutdown

interface TenGigabitEthernet1/1

 shutdown

interface TenGigabitEthernet1/2

 shutdown

interface Vlan1

 no ip address

 shutdown

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.111.14 255.255.255.0

ip default-gateway 10.10.111.1

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

ip access-list extended ACL-DEFAULT

 remark DHCP

 permit udp any eq bootpc any eq bootps

 remark DNS

 permit udp any any eq domain

 remark ICMP Ping

 permit icmp any any

 remark PXE Boot

 permit udp any any eq tftp

 remark URL Redirect

 permit tcp any host 192.168.42.111 eq www

 permit tcp any host 192.168.42.111 eq 443

 permit tcp any host 192.168.42.112 eq www

 permit tcp any host 192.168.42.112 eq 443

 remark Guest Portal

 permit tcp any host 192.168.42.111 eq 8443

 permit tcp any host 192.168.42.112 eq 8443

 deny   ip any any

ip access-list extended ACL-WEBAUTH-REDIRECT

 remark Don't match traffic sent to ISE PDP Nodes

 deny   ip any host 192.168.42.111

 deny   ip any host 192.168.42.112

 deny   ip any host 10.35.48.242

 remark Don't match traffic sent to remediation services (wwwin-download.cisco.com)

 deny   ip any host 171.71.169.207

 remark Match all other traffic for redirection

 permit ip any any

ip sla enable reaction-alerts

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps power-ethernet group 1

snmp-server enable traps power-ethernet police

snmp-server enable traps cpu threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps errdisable

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

snmp-server host 192.168.42.111 version 2c retaillabISE  dot1x mac-notification snmp

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

radius-server dead-criteria time 5 tries 3

radius-server host 192.168.42.111 auth-port 1812 acct-port 1813 key 7 <removed>

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36027569

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

S-A2-LRG-5

S-A2-LRG-5#sh run

Building configuration...

Current configuration : 10739 bytes

! Last configuration change at 03:00:15 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 03:00:17 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname S-A2-LRG-5

boot-start-marker

boot-end-marker

shell trigger POS-Systems POS-Systems

logging buffered 51200

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

macro global description cisco-desktop

macro auto execute CISCO_LAST_RESORT_EVENT builtin CISCO_AP_AUTO_SMARTPORT ACCESS_VLAN=17

macro auto execute Retail-POS builtin CISCO_PHONE_AUTO_SMARTPORT ACCESS_VLAN=11 
VOICE_VLAN=13

macro auto execute POS-Systems remote scp://SMARTPORT@192.168.42.122/POS-Systems.txt 
ACCESS_VLAN=11 VOICE_VLAN=13

macro auto mac-address-group Retail-POS

 oui list 001C26

 oui list 001C25

 mac-address list 0021.5C02.1DEF

 mac-address list 001C.25BE.99C2

macro auto device media-player ACCESS_VLAN=12

macro auto device ip-camera ACCESS_VLAN=20

macro auto device phone ACCESS_VLAN=17 VOICE_VLAN=13

macro auto device access-point ACCESS_VLAN=18

macro auto device lightweight-ap ACCESS_VLAN=18

macro auto global processing fallback cdp

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

mls qos map cos-dscp 0 8 16 24 32 46 48 56

mls qos srr-queue output cos-map queue 1 threshold 3 4 5

mls qos srr-queue output cos-map queue 2 threshold 1 2

mls qos srr-queue output cos-map queue 2 threshold 2 3

mls qos srr-queue output cos-map queue 2 threshold 3 6 7

mls qos srr-queue output cos-map queue 3 threshold 3 0

mls qos srr-queue output cos-map queue 4 threshold 3 1

mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45

mls qos srr-queue output dscp-map queue 1 threshold 3 46 47

mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23

mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35

mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39

mls qos srr-queue output dscp-map queue 2 threshold 2 24

mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55

mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63

mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7

mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15

mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14

mls qos queue-set output 1 threshold 1 100 100 50 200

mls qos queue-set output 1 threshold 2 125 125 100 400

mls qos queue-set output 1 threshold 3 100 100 100 400

mls qos queue-set output 1 threshold 4 60 150 50 200

mls qos queue-set output 1 buffers 15 25 40 20

mls qos

password encryption aes

crypto pki trustpoint TP-self-signed-3964801920

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3964801920

 revocation-check none

 rsakeypair TP-self-signed-3964801920

crypto pki certificate chain TP-self-signed-3964801920

 certificate self-signed 01

  <removed>

  quit

spanning-tree mode pvst

spanning-tree extend system-id

auto qos srnd4

vlan internal allocation policy ascending

ip ssh version 2

ip scp server enable

interface GigabitEthernet0/1

 switchport access vlan 17

interface GigabitEthernet0/2

 switchport access vlan 17

interface GigabitEthernet0/3

 switchport access vlan 17

interface GigabitEthernet0/4

 switchport access vlan 17

interface GigabitEthernet0/5

 switchport access vlan 17

interface GigabitEthernet0/6

 switchport access vlan 17

interface GigabitEthernet0/7

 switchport access vlan 17

interface GigabitEthernet0/8

 switchport access vlan 17

interface GigabitEthernet0/9

 description Uplink to S-A2-LRG-4 G0/7

 switchport trunk encapsulation dot1q

 switchport mode trunk

 srr-queue bandwidth share 1 30 35 5

 queue-set 2

 priority-queue out

 mls qos trust cos

 macro description CISCO_SWITCH_EVENT

 auto qos trust

interface GigabitEthernet0/10

interface Vlan1

 no ip address

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.111.15 255.255.255.0

ip default-gateway 10.10.111.1

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

ip sla enable reaction-alerts

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131 timeout 5

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 speed 115200

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 22518292

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

Medium Branch

R-A2-MED-1

! Last configuration change at 00:29:32 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 00:29:32 PSTDST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname R-A2-Med-1

boot-start-marker

boot system flash0 c2951-universalk9-mz.SPA.151-3.T.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

memory-size iomem 25

clock timezone PST -8 0

clock summer-time PSTDST recurring

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-1670063162

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1670063162

 revocation-check none

 rsakeypair TP-self-signed-1670063162

crypto pki certificate chain TP-self-signed-1670063162

 certificate self-signed 01

  <removed>

  	quit

no ipv6 cef

no ip source-route

ip cef

ip multicast-routing

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip inspect audit-trail

ip ips config location ipstest retries 1 timeout 1

ip ips notify SDEE

ip ips name Retail-PCI

ip ips signature-category

  category all

   retired true

  category ios_ips basic

   retired false

ip wccp 61

ip wccp 62

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

parameter-map type inspect global

 WAAS enable

parameter-map type inspect Inspect-1

 audit-trail on

parameter-map type trend-global trend-glob-map

password encryption aes

voice-card 0

license udi pid STARSCREAM sn <removed>

hw-module pvdm 0/2

hw-module sm 1

hw-module sm 2

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

object-group network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 udp eq 5246

 udp eq 5247

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 tcp eq 4050

object-group network EMC-NCM

 description EMC Network Configuration Manager

 host 192.168.42.122

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 host 192.168.42.124

object-group network CSM_INLINE_dst_rule_81604380995

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object EMC-NCM

 group-object RSA-enVision

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 host 192.168.42.131

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 host 192.168.42.137

object-group network NAC-1

 description ISE server for NAC

 host 192.168.42.111

object-group network CSM_INLINE_dst_rule_81604381001

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object ActiveDirectory.cisco-irn.com

 group-object TACACS

 group-object RSA-AM

 group-object NAC-1

object-group network NAC-2

 host 192.168.42.112

object-group network CSM_INLINE_dst_rule_81604381037

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network DC-ALL

 description All of the Data Center

 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_81604381039

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network WCSManager

 description Wireless Manager

 host 192.168.43.135

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 host 192.168.43.21

 host 192.168.43.22

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 host 192.168.43.31

 host 192.168.43.32

object-group network CSM_INLINE_dst_rule_81604381045

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 host 192.168.44.111

object-group network MSP-DC-1

 description Data Center VSOM

 host 192.168.44.121

object-group network CSM_INLINE_dst_rule_81604381049

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_81604381059

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381067

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381071

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381150

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_dst_rule_81604381152

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network DC-Admin

 description DC Admin Systems

 host 192.168.41.101

 host 192.168.41.102

object-group network CSManager

 description Cisco Security Manager

 host 192.168.42.133

object-group network CSM_INLINE_src_rule_81604380993

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object EMC-NCM

 group-object CSManager

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_81604381021

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381023

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381041

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_81604381043

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_81604381047

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 host 192.168.48.10

 host 192.168.49.10

 host 192.168.47.11

 host 192.168.47.12

object-group network CSM_INLINE_src_rule_81604381051

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-WAAS

object-group network CSM_INLINE_src_rule_81604381150

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_src_rule_81604381152

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group service CSM_INLINE_svc_rule_81604380993

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

object-group service CSM_INLINE_svc_rule_81604380995

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq syslog

 udp eq snmp

 udp eq snmptrap

object-group service CSM_INLINE_svc_rule_81604381001

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq tacacs

 udp eq 1812

 udp eq 1813

 tcp eq 389

 tcp eq 636

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 tcp eq 5989

 tcp eq 8000

 tcp eq 902

 tcp eq 903

object-group service CSM_INLINE_svc_rule_81604381003

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq 22

 group-object vCenter-to-ESX4

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 udp eq 427

 tcp eq 427

object-group service CSM_INLINE_svc_rule_81604381005

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 tcp range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 tcp eq 7001

 tcp eq 7002

 tcp eq 1521

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 tcp eq 2809

 tcp eq 9443

 tcp eq 1414

object-group service ORACLE-OAS

 description OAS uses one port for HTTP and RMI - 12601.

 tcp eq 12601

object-group service CSM_INLINE_svc_rule_81604381009

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_81604381011

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service HTTPS-8443

 tcp eq 8443

object-group service CSM_INLINE_svc_rule_81604381013

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381015

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service TOMAX-8990

 description Tomax Application Port

 tcp eq 8990

object-group service CSM_INLINE_svc_rule_81604381017

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service CSM_INLINE_svc_rule_81604381019

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service ICMP-Requests

 description ICMP requests

 icmp information-request

 icmp mask-request

 icmp timestamp-request

object-group service CSM_INLINE_svc_rule_81604381021

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381023

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381025

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service CSM_INLINE_svc_rule_81604381027

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381029

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

udp

 tcp eq 443

object-group service DNS-Resolving

 description Domain Name Server

 tcp eq domain

 udp eq domain

object-group service CSM_INLINE_svc_rule_81604381035

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq bootps

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_81604381037

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381039

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service CSM_INLINE_svc_rule_81604381041

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 udp eq 12222

 udp eq 12223

object-group service TFTP

 description Trivial File Transfer

 tcp eq 69

 udp eq tftp

object-group service IP-Protocol-97

 description IP protocol 97

object-group service CSM_INLINE_svc_rule_81604381043

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq www

 tcp eq 22

 tcp eq telnet

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object TFTP

 group-object IP-Protocol-97

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 udp eq 16666

 udp eq 16667

object-group service CSM_INLINE_svc_rule_81604381045

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object Cisco-Mobility

 group-object IP-Protocol-97

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 tcp eq 445

object-group service CSM_INLINE_svc_rule_81604381051

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381053

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381055

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381057

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp

 tcp-udp eq 5060

 tcp eq 2000

 tcp eq www

 tcp eq 443

 group-object TFTP

object-group service CSM_INLINE_svc_rule_81604381059

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp-udp eq 5060

 tcp eq 2000

object-group service CSM_INLINE_svc_rule_81604381061

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381063

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service Netbios

 description Netbios Servers

 udp eq netbios-dgm

 udp eq netbios-ns

 tcp eq 139

object-group service ORACLE-SIM

 description Oracle Store Inventory Management

 tcp eq 7777

 tcp eq 6003

 tcp range 12401 12500

object-group service RDP

 description Windows Remote Desktop

 tcp eq 3389

object-group service Workbrain

 tcp eq 8444

object-group service CSM_INLINE_svc_rule_81604381065

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq ftp

 tcp eq www

 tcp eq 443

 udp eq 88

 tcp-udp eq 42

 group-object Microsoft-DS-SMB

 group-object Netbios

 group-object ORACLE-SIM

 group-object RDP

 group-object Workbrain

object-group network DC-Applications

 description Applications in the Data Center that are non-PCI related(Optimized by 
CS-Manager)

 192.168.180.0 255.255.254.0

object-group network DC-Voice

 description Data Center Voice

 192.168.45.0 255.255.255.0

object-group network MS-Update

 description Windows Update Server

 host 192.168.42.150

object-group network MSExchange

 description Mail Server

 host 192.168.42.140

object-group service NTP

 description NTP Protocols

 tcp eq 123

 udp eq ntp

object-group network NTP-Servers

 description NTP Servers

 host 192.168.62.161

 host 162.168.62.162

object-group network STORE-POS

 10.10.0.0 255.255.0.0

object-group network vSphere-1

 description vSphere server for Lab

 host 192.168.41.102

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

redundancy

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7

 match protocol http

 match protocol https

 match protocol microsoft-ds

 match protocol ms-sql

 match protocol ms-sql-m

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol oracle

 match protocol oracle-em-vp

 match protocol oraclenames

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_10

 match access-group name CSM_ZBF_CMAP_ACL_10

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4

 match protocol http

 match protocol https

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_23

 match access-group name CSM_ZBF_CMAP_ACL_23

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17

 match protocol http

 match protocol https

 match protocol imap3

 match protocol pop3

 match protocol pop3s

 match protocol smtp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_32

 match access-group name CSM_ZBF_CMAP_ACL_32

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-all CSM_ZBF_CLASS_MAP_11

 match access-group name CSM_ZBF_CMAP_ACL_11

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_22

 match access-group name CSM_ZBF_CMAP_ACL_22

 match class-map CSM_ZBF_CMAP_PLMAP_14

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol ftp

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_33

 match access-group name CSM_ZBF_CMAP_ACL_33

 match class-map CSM_ZBF_CMAP_PLMAP_20

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tftp

 match protocol http

 match protocol https

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_12

 match access-group name CSM_ZBF_CMAP_ACL_12

 match class-map CSM_ZBF_CMAP_PLMAP_8

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13

 match protocol https

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_21

 match access-group name CSM_ZBF_CMAP_ACL_21

 match class-map CSM_ZBF_CMAP_PLMAP_13

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19

 match protocol http

 match protocol https

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_30

 match access-group name CSM_ZBF_CMAP_ACL_30

 match class-map CSM_ZBF_CMAP_PLMAP_19

class-map type inspect match-all CSM_ZBF_CLASS_MAP_13

 match access-group name CSM_ZBF_CMAP_ACL_13

class-map type inspect match-all CSM_ZBF_CLASS_MAP_20

 match access-group name CSM_ZBF_CMAP_ACL_20

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18

 match protocol http

 match protocol https

 match protocol udp

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_31

 match access-group name CSM_ZBF_CMAP_ACL_31

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map match-all BRANCH-BULK-DATA

 match protocol tftp

 match protocol nfs

 match access-group name BULK-DATA-APPS

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_14

 match access-group name CSM_ZBF_CMAP_ACL_14

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_27

 match access-group name CSM_ZBF_CMAP_ACL_27

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_36

 match access-group name CSM_ZBF_CMAP_ACL_36

class-map type inspect match-all CSM_ZBF_CLASS_MAP_15

 match access-group name CSM_ZBF_CMAP_ACL_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_26

 match access-group name CSM_ZBF_CMAP_ACL_26

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21

 match protocol tcp

 match protocol udp

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_37

 match access-group name CSM_ZBF_CMAP_ACL_37

 match class-map CSM_ZBF_CMAP_PLMAP_21

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9

 match protocol syslog

 match protocol syslog-conn

 match protocol snmp

 match protocol snmptrap

class-map type inspect match-all CSM_ZBF_CLASS_MAP_16

 match access-group name CSM_ZBF_CMAP_ACL_16

 match class-map CSM_ZBF_CMAP_PLMAP_9

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16

 match protocol http

 match protocol https

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_25

 match access-group name CSM_ZBF_CMAP_ACL_25

 match class-map CSM_ZBF_CMAP_PLMAP_16

class-map type inspect match-all CSM_ZBF_CLASS_MAP_34

 match access-group name CSM_ZBF_CMAP_ACL_34

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10

 match protocol ldaps

 match protocol ldap

 match protocol ldap-admin

 match protocol radius

 match protocol tacacs

 match protocol tacacs-ds

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_17

 match access-group name CSM_ZBF_CMAP_ACL_17

 match class-map CSM_ZBF_CMAP_PLMAP_10

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15

 match protocol http

 match protocol https

 match protocol netbios-ns

 match protocol netbios-dgm

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_24

 match access-group name CSM_ZBF_CMAP_ACL_24

 match class-map CSM_ZBF_CMAP_PLMAP_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_35

 match access-group name CSM_ZBF_CMAP_ACL_35

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11

 match protocol ntp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_18

 match access-group name CSM_ZBF_CMAP_ACL_18

 match class-map CSM_ZBF_CMAP_PLMAP_11

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12

 match protocol bootpc

 match protocol bootps

 match protocol udp

 match protocol tcp

 match protocol dns

 match protocol dhcp-failover

class-map type inspect match-all CSM_ZBF_CLASS_MAP_19

 match access-group name CSM_ZBF_CMAP_ACL_19

 match class-map CSM_ZBF_CMAP_PLMAP_12

class-map type inspect match-all CSM_ZBF_CLASS_MAP_29

 match access-group name CSM_ZBF_CMAP_ACL_29

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_38

 match access-group name CSM_ZBF_CMAP_ACL_38

 match class-map CSM_ZBF_CMAP_PLMAP_22

class-map type inspect match-all CSM_ZBF_CLASS_MAP_28

 match access-group name CSM_ZBF_CMAP_ACL_28

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1

 match protocol https

 match protocol ssh

class-map type inspect match-all CSM_ZBF_CLASS_MAP_1

 match access-group name CSM_ZBF_CMAP_ACL_1

 match class-map CSM_ZBF_CMAP_PLMAP_1

class-map type inspect match-all CSM_ZBF_CLASS_MAP_3

 match access-group name CSM_ZBF_CMAP_ACL_3

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2

 match protocol https

 match protocol http

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_2

 match access-group name CSM_ZBF_CMAP_ACL_2

 match class-map CSM_ZBF_CMAP_PLMAP_2

class-map type inspect match-all CSM_ZBF_CLASS_MAP_5

 match access-group name CSM_ZBF_CMAP_ACL_5

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3

 match protocol http

 match protocol https

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

 match access-group name CSM_ZBF_CMAP_ACL_4

 match class-map CSM_ZBF_CMAP_PLMAP_3

class-map type inspect match-all CSM_ZBF_CLASS_MAP_7

 match access-group name CSM_ZBF_CMAP_ACL_7

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_6

 match access-group name CSM_ZBF_CMAP_ACL_6

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_9

 match access-group name CSM_ZBF_CMAP_ACL_9

 match protocol tcp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6

 match protocol http

 match protocol https

 match protocol ssh

 match protocol telnet

 match protocol tftp

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_8

 match access-group name CSM_ZBF_CMAP_ACL_8

 match class-map CSM_ZBF_CMAP_PLMAP_6

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol citrix

 match protocol ldap

 match protocol telnet

 match protocol sqlnet

 match protocol http url "*SalesReport*"

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol snmp

 match protocol syslog

 match protocol dns

 match protocol icmp

 match protocol ssh

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

 match protocol gnutella

 match protocol fasttrack

 match protocol kazaa2

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map BRANCH-LAN-EDGE-OUT

 class class-default

policy-map BRANCH-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 12

  random-detect dscp-based

 class BULK-DATA

  bandwidth percent 4

  random-detect dscp-based

 class SCAVENGER

  bandwidth percent 1

 class class-default

  bandwidth percent 25

  random-detect

policy-map type inspect CSM_ZBF_POLICY_MAP_18

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_19

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_16

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_23

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_25

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_36

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_37

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_17

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_24

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_24

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_34

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_35

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_14

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_27

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_15

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_21

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_26

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_38

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_12

 class type inspect CSM_ZBF_CLASS_MAP_15

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_21

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_13

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_20

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_10

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_23

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_31

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_33

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_11

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_22

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_9

 class type inspect CSM_ZBF_CLASS_MAP_13

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_8

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_12

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_7

 class type inspect CSM_ZBF_CLASS_MAP_9

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_10

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_11

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_6

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_5

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_8

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_4

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_7

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_3

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_5

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_2

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_4

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_1

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_2

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop

policy-map BRANCH-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

zone security S_WAN

 description Store WAN Link

zone security S_R-2-R

 description Bridge link between routers

zone security LOOPBACK

 description Loopback interface

zone security S_MGMT

 description VLAN1000 Management

zone security S_Security

 description VLAN20 Physical Security Systems

zone security S_WAAS

 description VLAN19 WAAS optimization

zone security S_WLC-AP

 description VLAN18 Wireless Systems

zone security S_Data

 description VLAN12 Store Data

zone security S_Data-W

 description VLAN14 Store Wireless Data

zone security S_Guest

 description VLAN17 Guest/Public Wireless

zone security S_Voice

 description VLAN13 Store Voice

zone security S_Partners

 description VLAN16 Partner network

zone security S_POS

 description VLAN 11 POS Data

zone security S_POS-W

 description VLAN15 Store Wireless POS

zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_8

zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self

 service-policy type inspect CSM_ZBF_POLICY_MAP_9

zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_11

zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_12

zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_22

zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_26

zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_27

interface Loopback0

 ip address 10.10.126.1 255.255.255.255

 ip pim sparse-dense-mode

 zone-member security LOOPBACK

interface GigabitEthernet0/0

 ip address 10.10.255.112 255.255.255.0

 ip ips Retail-PCI in

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

interface GigabitEthernet0/1

 description ROUTER LINK TO SWITCH

 no ip address

 duplex auto

 speed auto

 media-type rj45

interface GigabitEthernet0/1.11

 description POS

 encapsulation dot1Q 11

 ip address 10.10.112.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_POS

 standby 11 ip 10.10.112.1

 standby 11 priority 101

 standby 11 preempt

 ip igmp query-interval 125

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.12

 description DATA

 encapsulation dot1Q 12

 ip address 10.10.113.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip wccp 61 redirect in

 ip pim sparse-dense-mode

 zone-member security S_Data

 standby 12 ip 10.10.113.1

 standby 12 priority 101

 standby 12 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.13

 description VOICE

 encapsulation dot1Q 13

 ip address 10.10.114.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Voice

 standby 13 ip 10.10.114.1

 standby 13 priority 101

 standby 13 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.14

 description WIRELESS

 encapsulation dot1Q 14

 ip address 10.10.115.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Data-W

 standby 14 ip 10.10.115.1

 standby 14 priority 101

 standby 14 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.15

 description WIRELESS-POS

 encapsulation dot1Q 15

 ip address 10.10.116.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_POS-W

 standby 15 ip 10.10.116.1

 standby 15 priority 101

 standby 15 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.16

 description PARTNER

 encapsulation dot1Q 16

 ip address 10.10.117.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Partners

 standby 16 ip 10.10.117.1

 standby 16 priority 101

 standby 16 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.17

 description WIRELESS-GUEST

 encapsulation dot1Q 17

 ip address 10.10.118.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Guest

 standby 17 ip 10.10.118.1

 standby 17 priority 101

 standby 17 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.18

 description WIRELESS-CONTROL

 encapsulation dot1Q 18

 ip address 10.10.119.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WLC-AP

 standby 18 ip 10.10.119.1

 standby 18 priority 101

 standby 18 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.19

 description WAAS

 encapsulation dot1Q 19

 ip address 10.10.120.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WAAS

 standby 19 ip 10.10.120.1

 standby 19 priority 101

 standby 19 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.20

 description SECURITY-SYSTEMS

 encapsulation dot1Q 20

 ip address 10.10.121.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Security

 standby 20 ip 10.10.121.1

 standby 20 priority 101

 standby 20 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.102

 description ROUTER LINK TO

 encapsulation dot1Q 102

 ip address 10.10.126.29 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

 service-policy input BRANCH-LAN-EDGE-IN

interface GigabitEthernet0/1.1000

 description MANAGEMENT

 encapsulation dot1Q 1000

 ip address 10.10.127.2 255.255.255.0

 zone-member security S_MGMT

 standby 100 ip 10.10.127.1

 standby 100 priority 101

 standby 100 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/2

 no ip address

 duplex auto

 speed auto

interface GigabitEthernet0/2.101

 description ROUTER LINK TO

 encapsulation dot1Q 101

 ip address 10.10.126.25 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

 service-policy input BRANCH-LAN-EDGE-IN

interface SM1/0

 ip address 10.10.126.41 255.255.255.252

 zone-member security S_WAAS

 service-module fail-open

 service-module ip address 10.10.126.42 255.255.255.252

 service-module ip default-gateway 10.10.126.41

 hold-queue 60 out

interface SM1/1

 description Internal switch interface connected to Service Module

interface Vlan1

 no ip address

router ospf 5

 router-id 10.10.126.1

 redistribute connected subnets

 passive-interface default

 no passive-interface GigabitEthernet0/1.102

 no passive-interface GigabitEthernet0/2.101

 network 10.10.0.0 0.0.255.255 area 10

 default-information originate

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 10.10.255.11

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended CSM_ZBF_CMAP_ACL_1

 remark Data Center Mgmt to Devices

 permit object-group CSM_INLINE_svc_rule_81604380993 object-group 
CSM_INLINE_src_rule_81604380993 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_10

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle 
object-group STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group 
STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax 
object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_11

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381021 object-group 
CSM_INLINE_src_rule_81604381021 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_12

 remark Data Center VOICE (wired and Wireless)

 permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_13

 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group 
CSM_INLINE_dst_rule_81604381150

ip access-list extended CSM_ZBF_CMAP_ACL_14

 remark Store WAAS to Clients and Servers

 permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_15

 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group 
CSM_INLINE_dst_rule_81604381152

ip access-list extended CSM_ZBF_CMAP_ACL_16

 remark Syslog and SNMP Alerts

 permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604380995

ip access-list extended CSM_ZBF_CMAP_ACL_17

 remark Store to Data Center Authentications

 permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381001

ip access-list extended CSM_ZBF_CMAP_ACL_18

 remark Store to Data Center for NTP

 permit object-group NTP object-group Stores-ALL object-group NTP-Servers

ip access-list extended CSM_ZBF_CMAP_ACL_19

 remark Store to Data Center for DHCP and DNS

 permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group 
ActiveDirectory.cisco-irn.com

ip access-list extended CSM_ZBF_CMAP_ACL_2

 remark Data Center subscribe to IPS SDEE events

 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443

ip access-list extended CSM_ZBF_CMAP_ACL_20

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381039

ip access-list extended CSM_ZBF_CMAP_ACL_21

 remark Store UCS E-series server to Data Center vShphere

 permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group 
vSphere-1

ip access-list extended CSM_ZBF_CMAP_ACL_22

 remark Store NAC

 permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381037

ip access-list extended CSM_ZBF_CMAP_ACL_23

 remark Store to Data Center Physical Security

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049

ip access-list extended CSM_ZBF_CMAP_ACL_24

 remark Store WAAS (WAAS Devices need their own zone)

 permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group 
DC-WAAS

ip access-list extended CSM_ZBF_CMAP_ACL_25

 remark Store to Data Center wireless controller traffic

 permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381045

ip access-list extended CSM_ZBF_CMAP_ACL_26

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group 
DC-POS-Oracle

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group 
DC-POS-SAP

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group 
DC-POS-Tomax

ip access-list extended CSM_ZBF_CMAP_ACL_27

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381023 object-group 
CSM_INLINE_src_rule_81604381023 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_28

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_29

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_3

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381041 object-group 
CSM_INLINE_src_rule_81604381041 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_30

 remark Permit POS clients to talk to store POS server

 permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group 
STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_31

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_32

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_33

 remark Store DATA (wired and Wireless - Access to DC Other applications)

 permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group 
DC-Applications

ip access-list extended CSM_ZBF_CMAP_ACL_34

 remark Store GUEST - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071

ip access-list extended CSM_ZBF_CMAP_ACL_35

 remark Store GUEST (access to internet/DMZ web servers)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_36

 remark Store PARTNERS - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067

ip access-list extended CSM_ZBF_CMAP_ACL_37

 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_38

 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)

 permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381059

ip access-list extended CSM_ZBF_CMAP_ACL_4

 remark Data Center vSphere to UCS E-series server

 permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_5

 remark Data Center to Store Physical Security

 permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_6

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_7

 remark Data Center WAAS to Store

 permit object-group CSM_INLINE_svc_rule_81604381051 object-group 
CSM_INLINE_src_rule_81604381051 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_8

 remark Data Center Wireless Control to AP's and Controllers in stores

 permit object-group CSM_INLINE_svc_rule_81604381043 object-group 
CSM_INLINE_src_rule_81604381043 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_9

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group STORE-POS

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip any 192.168.52.0 0.0.0.255

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444

 remark --Large store Clock Server to CUAE

 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000

 remark ---LiteScape Application---

 permit ip any host 192.168.46.82

 permit ip any 239.192.0.0 0.0.0.255

 permit ip any host 239.255.255.250

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp any 192.168.46.0 0.0.0.255 eq 7777

 permit tcp any 192.168.46.0 0.0.0.255 eq 6003

 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

nls resp-timeout 1

cpd cr-id 1

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps flash insertion removal

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps ipsla

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server domain-stripping

tacacs-server key 7 <removed>

control-plane

mgcp fax t38 ecm

mgcp profile default

gatekeeper

 shutdown

banner exec C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 login authentication RETAIL

 no exec

 transport preferred none

 transport output none

line 67

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output none

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

exception data-corruption buffer truncate

scheduler allocate 20000 1000

ntp source Loopback0

ntp update-calendar

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

R-A2-MED-2

! Last configuration change at 23:30:34 PCTime Fri Apr 29 2011 by retail

! NVRAM config last updated at 23:30:35 PCTime Fri Apr 29 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

hostname R-A2-MED-2

boot-start-marker

boot system flash:c2951-universalk9-mz.SPA.151-3.T.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 500000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PCTime -8 0

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-104836678

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-104836678

 revocation-check none

crypto pki certificate chain TP-self-signed-104836678

 certificate self-signed 02

  <removed>

  	quit

no ipv6 cef

no ip source-route

no ip gratuitous-arps

ip cef

ip multicast-routing

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip port-map user-8443 port tcp 8443

ip ips notify SDEE

ip ips name Retail-PCI

ip ips signature-category

  category all

   retired true

  category ios_ips default

   retired false

ip wccp 61

ip wccp 62

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

parameter-map type inspect global

 WAAS enable

parameter-map type inspect Inspect-1

 audit-trail on

parameter-map type trend-global trend-glob-map

password encryption aes

voice-card 0

license udi pid CISCO2951/K9 sn <removed>

hw-module sm 1

hw-module sm 2

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

object-group network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 udp eq 5246

 udp eq 5247

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 tcp eq 4050

object-group network EMC-NCM

 description EMC Network Configuration Manager

 host 192.168.42.122

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 host 192.168.42.124

object-group network CSM_INLINE_dst_rule_81604380995

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object EMC-NCM

 group-object RSA-enVision

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 host 192.168.42.131

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 host 192.168.42.137

object-group network NAC-1

 description ISE server for NAC

 host 192.168.42.111

object-group network CSM_INLINE_dst_rule_81604381001

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object ActiveDirectory.cisco-irn.com

 group-object TACACS

 group-object RSA-AM

 group-object NAC-1

object-group network NAC-2

 host 192.168.42.112

object-group network CSM_INLINE_dst_rule_81604381037

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network DC-ALL

 description All of the Data Center

 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_81604381039

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network WCSManager

 description Wireless Manager

 host 192.168.43.135

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 host 192.168.43.21

 host 192.168.43.22

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 host 192.168.43.31

 host 192.168.43.32

object-group network CSM_INLINE_dst_rule_81604381045

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 host 192.168.44.111

object-group network MSP-DC-1

 description Data Center VSOM

 host 192.168.44.121

object-group network CSM_INLINE_dst_rule_81604381049

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_81604381059

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381067

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381071

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_81604381150

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_dst_rule_81604381152

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network DC-Admin

 description DC Admin Systems

 host 192.168.41.101

 host 192.168.41.102

object-group network CSManager

 description Cisco Security Manager

 host 192.168.42.133

object-group network CSM_INLINE_src_rule_81604380993

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object EMC-NCM

 group-object CSManager

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_81604381021

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381023

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_81604381041

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_81604381043

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_81604381047

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 host 192.168.48.10

 host 192.168.49.10

 host 192.168.47.11

 host 192.168.47.12

object-group network CSM_INLINE_src_rule_81604381051

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 group-object DC-Admin

 group-object DC-WAAS

object-group network CSM_INLINE_src_rule_81604381150

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group network CSM_INLINE_src_rule_81604381152

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)

 10.10.126.0 255.255.255.0

 10.10.110.0 255.255.255.0

object-group service CSM_INLINE_svc_rule_81604380993

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

object-group service CSM_INLINE_svc_rule_81604380995

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq syslog

 udp eq snmp

 udp eq snmptrap

object-group service CSM_INLINE_svc_rule_81604381001

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq tacacs

 udp eq 1812

 udp eq 1813

 tcp eq 389

 tcp eq 636

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 tcp eq 5989

 tcp eq 8000

 tcp eq 902

 tcp eq 903

object-group service CSM_INLINE_svc_rule_81604381003

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq 22

 group-object vCenter-to-ESX4

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 udp eq 427

 tcp eq 427

object-group service CSM_INLINE_svc_rule_81604381005

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 tcp range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 tcp eq 7001

 tcp eq 7002

 tcp eq 1521

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 tcp eq 2809

 tcp eq 9443

 tcp eq 1414

object-group service ORACLE-OAS

 description OAS uses one port for HTTP and RMI - 12601.

 tcp eq 12601

object-group service CSM_INLINE_svc_rule_81604381009

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_81604381011

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service HTTPS-8443

 tcp eq 8443

object-group service CSM_INLINE_svc_rule_81604381013

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381015

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service TOMAX-8990

 description Tomax Application Port

 tcp eq 8990

object-group service CSM_INLINE_svc_rule_81604381017

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service CSM_INLINE_svc_rule_81604381019

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service ICMP-Requests

 description ICMP requests

 icmp information-request

 icmp mask-request

 icmp timestamp-request

object-group service CSM_INLINE_svc_rule_81604381021

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381023

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_81604381025

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service CSM_INLINE_svc_rule_81604381027

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381029

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

udp

 tcp eq 443

object-group service DNS-Resolving

 description Domain Name Server

 tcp eq domain

 udp eq domain

object-group service CSM_INLINE_svc_rule_81604381035

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq bootps

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_81604381037

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_81604381039

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service CSM_INLINE_svc_rule_81604381041

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 udp eq 12222

 udp eq 12223

object-group service TFTP

 description Trivial File Transfer

 tcp eq 69

 udp eq tftp

object-group service IP-Protocol-97

 description IP protocol 97

object-group service CSM_INLINE_svc_rule_81604381043

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq 443

 tcp eq www

 tcp eq 22

 tcp eq telnet

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object TFTP

 group-object IP-Protocol-97

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 udp eq 16666

 udp eq 16667

object-group service CSM_INLINE_svc_rule_81604381045

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object Cisco-Mobility

 group-object IP-Protocol-97

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 tcp eq 445

object-group service CSM_INLINE_svc_rule_81604381051

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381053

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381055

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

tcp

 tcp eq 139

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_81604381057

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 icmp

 tcp-udp eq 5060

 tcp eq 2000

 tcp eq www

 tcp eq 443

 group-object TFTP

object-group service CSM_INLINE_svc_rule_81604381059

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp-udp eq 5060

 tcp eq 2000

object-group service CSM_INLINE_svc_rule_81604381061

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_81604381063

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service Netbios

 description Netbios Servers

 udp eq netbios-dgm

 udp eq netbios-ns

 tcp eq 139

object-group service ORACLE-SIM

 description Oracle Store Inventory Management

 tcp eq 7777

 tcp eq 6003

 tcp range 12401 12500

object-group service RDP

 description Windows Remote Desktop

 tcp eq 3389

object-group service Workbrain

 tcp eq 8444

object-group service CSM_INLINE_svc_rule_81604381065

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-HA_v1/mandatory)

 tcp eq ftp

 tcp eq www

 tcp eq 443

 udp eq 88

 tcp-udp eq 42

 group-object Microsoft-DS-SMB

 group-object Netbios

 group-object ORACLE-SIM

 group-object RDP

 group-object Workbrain

object-group network DC-Applications

 description Applications in the Data Center that are non-PCI related(Optimized by 
CS-Manager)

 192.168.180.0 255.255.254.0

object-group network DC-Voice

 description Data Center Voice

 192.168.45.0 255.255.255.0

object-group network MS-Update

 description Windows Update Server

 host 192.168.42.150

object-group network MSExchange

 description Mail Server

 host 192.168.42.140

object-group service NTP

 description NTP Protocols

 tcp eq 123

 udp eq ntp

object-group network NTP-Servers

 description NTP Servers

 host 192.168.62.161

 host 162.168.62.162

object-group network STORE-POS

 10.10.0.0 255.255.0.0

object-group network vSphere-1

 description vSphere server for Lab

 host 192.168.41.102

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

redundancy

ip tcp synwait-time 10

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7

 match protocol http

 match protocol https

 match protocol microsoft-ds

 match protocol ms-sql

 match protocol ms-sql-m

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol oracle

 match protocol oracle-em-vp

 match protocol oraclenames

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_10

 match access-group name CSM_ZBF_CMAP_ACL_10

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4

 match protocol http

 match protocol https

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_23

 match access-group name CSM_ZBF_CMAP_ACL_23

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17

 match protocol http

 match protocol https

 match protocol imap3

 match protocol pop3

 match protocol pop3s

 match protocol smtp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_32

 match access-group name CSM_ZBF_CMAP_ACL_32

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-all CSM_ZBF_CLASS_MAP_11

 match access-group name CSM_ZBF_CMAP_ACL_11

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14

 match protocol http

 match protocol https

 match protocol user-8443

class-map type inspect match-all CSM_ZBF_CLASS_MAP_22

 match access-group name CSM_ZBF_CMAP_ACL_22

 match class-map CSM_ZBF_CMAP_PLMAP_14

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol ftp

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_33

 match access-group name CSM_ZBF_CMAP_ACL_33

 match class-map CSM_ZBF_CMAP_PLMAP_20

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tftp

 match protocol http

 match protocol https

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_12

 match access-group name CSM_ZBF_CMAP_ACL_12

 match class-map CSM_ZBF_CMAP_PLMAP_8

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13

 match protocol https

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_21

 match access-group name CSM_ZBF_CMAP_ACL_21

 match class-map CSM_ZBF_CMAP_PLMAP_13

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19

 match protocol http

 match protocol https

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_30

 match access-group name CSM_ZBF_CMAP_ACL_30

 match class-map CSM_ZBF_CMAP_PLMAP_19

class-map type inspect match-all CSM_ZBF_CLASS_MAP_13

 match access-group name CSM_ZBF_CMAP_ACL_13

class-map type inspect match-all CSM_ZBF_CLASS_MAP_20

 match access-group name CSM_ZBF_CMAP_ACL_20

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18

 match protocol http

 match protocol https

 match protocol udp

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_31

 match access-group name CSM_ZBF_CMAP_ACL_31

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map match-all BRANCH-BULK-DATA

 match protocol tftp

 match protocol nfs

 match access-group name BULK-DATA-APPS

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_14

 match access-group name CSM_ZBF_CMAP_ACL_14

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_27

 match access-group name CSM_ZBF_CMAP_ACL_27

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_36

 match access-group name CSM_ZBF_CMAP_ACL_36

class-map type inspect match-all CSM_ZBF_CLASS_MAP_15

 match access-group name CSM_ZBF_CMAP_ACL_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_26

 match access-group name CSM_ZBF_CMAP_ACL_26

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21

 match protocol tcp

 match protocol udp

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_37

 match access-group name CSM_ZBF_CMAP_ACL_37

 match class-map CSM_ZBF_CMAP_PLMAP_21

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9

 match protocol syslog

 match protocol syslog-conn

 match protocol snmp

 match protocol snmptrap

class-map type inspect match-all CSM_ZBF_CLASS_MAP_16

 match access-group name CSM_ZBF_CMAP_ACL_16

 match class-map CSM_ZBF_CMAP_PLMAP_9

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16

 match protocol http

 match protocol https

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_25

 match access-group name CSM_ZBF_CMAP_ACL_25

 match class-map CSM_ZBF_CMAP_PLMAP_16

class-map type inspect match-all CSM_ZBF_CLASS_MAP_34

 match access-group name CSM_ZBF_CMAP_ACL_34

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10

 match protocol ldaps

 match protocol ldap

 match protocol ldap-admin

 match protocol radius

 match protocol tacacs

 match protocol tacacs-ds

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_17

 match access-group name CSM_ZBF_CMAP_ACL_17

 match class-map CSM_ZBF_CMAP_PLMAP_10

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15

 match protocol http

 match protocol https

 match protocol netbios-ns

 match protocol netbios-dgm

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_24

 match access-group name CSM_ZBF_CMAP_ACL_24

 match class-map CSM_ZBF_CMAP_PLMAP_15

class-map type inspect match-all CSM_ZBF_CLASS_MAP_35

 match access-group name CSM_ZBF_CMAP_ACL_35

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11

 match protocol ntp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_18

 match access-group name CSM_ZBF_CMAP_ACL_18

 match class-map CSM_ZBF_CMAP_PLMAP_11

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12

 match protocol bootpc

 match protocol bootps

 match protocol udp

 match protocol tcp

 match protocol dns

 match protocol dhcp-failover

class-map type inspect match-all CSM_ZBF_CLASS_MAP_19

 match access-group name CSM_ZBF_CMAP_ACL_19

 match class-map CSM_ZBF_CMAP_PLMAP_12

class-map type inspect match-all CSM_ZBF_CLASS_MAP_29

 match access-group name CSM_ZBF_CMAP_ACL_29

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_38

 match access-group name CSM_ZBF_CMAP_ACL_38

 match class-map CSM_ZBF_CMAP_PLMAP_22

class-map type inspect match-all CSM_ZBF_CLASS_MAP_28

 match access-group name CSM_ZBF_CMAP_ACL_28

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1

 match protocol https

 match protocol ssh

class-map type inspect match-all CSM_ZBF_CLASS_MAP_1

 match access-group name CSM_ZBF_CMAP_ACL_1

 match class-map CSM_ZBF_CMAP_PLMAP_1

class-map type inspect match-all CSM_ZBF_CLASS_MAP_3

 match access-group name CSM_ZBF_CMAP_ACL_3

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2

 match protocol https

 match protocol http

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_2

 match access-group name CSM_ZBF_CMAP_ACL_2

 match class-map CSM_ZBF_CMAP_PLMAP_2

class-map type inspect match-all CSM_ZBF_CLASS_MAP_5

 match access-group name CSM_ZBF_CMAP_ACL_5

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3

 match protocol http

 match protocol https

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

 match access-group name CSM_ZBF_CMAP_ACL_4

 match class-map CSM_ZBF_CMAP_PLMAP_3

class-map type inspect match-all CSM_ZBF_CLASS_MAP_7

 match access-group name CSM_ZBF_CMAP_ACL_7

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_6

 match access-group name CSM_ZBF_CMAP_ACL_6

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_9

 match access-group name CSM_ZBF_CMAP_ACL_9

 match protocol tcp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6

 match protocol http

 match protocol https

 match protocol ssh

 match protocol telnet

 match protocol tftp

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_8

 match access-group name CSM_ZBF_CMAP_ACL_8

 match class-map CSM_ZBF_CMAP_PLMAP_6

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol citrix

 match protocol ldap

 match protocol telnet

 match protocol sqlnet

 match protocol http url "*SalesReport*"

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol snmp

 match protocol syslog

 match protocol dns

 match protocol icmp

 match protocol ssh

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

 match protocol gnutella

 match protocol fasttrack

 match protocol kazaa2

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map BRANCH-LAN-EDGE-OUT

 class class-default

policy-map BRANCH-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 12

  random-detect dscp-based

 class BULK-DATA

  bandwidth percent 4

  random-detect dscp-based

 class SCAVENGER

  bandwidth percent 1

 class class-default

  bandwidth percent 25

  random-detect

policy-map type inspect CSM_ZBF_POLICY_MAP_18

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_19

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_16

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_23

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_25

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_36

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_37

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_17

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_24

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_24

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_34

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_35

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_14

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_27

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_15

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_21

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_26

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_38

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_12

 class type inspect CSM_ZBF_CLASS_MAP_15

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_21

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_13

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_20

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_10

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_23

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_31

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_33

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_11

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_22

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_9

 class type inspect CSM_ZBF_CLASS_MAP_13

  pass

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_8

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_12

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_7

 class type inspect CSM_ZBF_CLASS_MAP_9

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_10

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_11

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_6

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_5

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_8

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_4

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_7

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_3

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_5

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_2

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_4

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_1

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_2

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop

policy-map BRANCH-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

zone security S_WAN

 description Store WAN Link

zone security S_R-2-R

 description Bridge link between routers

zone security LOOPBACK

 description Loopback interface

zone security S_MGMT

 description VLAN1000 Management

zone security S_Security

 description VLAN20 Physical Security Systems

zone security S_WAAS

 description VLAN19 WAAS optimization

zone security S_WLC-AP

 description VLAN18 Wireless Systems

zone security S_Data

 description VLAN12 Store Data

zone security S_Data-W

 description VLAN14 Store Wireless Data

zone security S_Guest

 description VLAN17 Guest/Public Wireless

zone security S_Voice

 description VLAN13 Store Voice

zone security S_Partners

 description VLAN16 Partner network

zone security S_POS

 description VLAN 11 POS Data

zone security S_POS-W

 description VLAN15 Store Wireless POS

zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_8

zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self

 service-policy type inspect CSM_ZBF_POLICY_MAP_9

zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_11

zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_12

zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_22

zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_23

zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_24

zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_25

zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_26

zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R

 service-policy type inspect CSM_ZBF_POLICY_MAP_27

interface Loopback0

 ip address 10.10.126.2 255.255.255.255

 ip pim sparse-dense-mode

 zone-member security LOOPBACK

interface GigabitEthernet0/0

 ip address 10.10.254.112 255.255.255.0

 ip ips Retail-PCI in

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

interface GigabitEthernet0/1

 description ROUTER LINK TO SWITCH

 no ip address

 duplex auto

 speed auto

 media-type rj45

interface GigabitEthernet0/1.11

 description POS

 encapsulation dot1Q 11

 ip address 10.10.112.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_POS

 standby 11 ip 10.10.112.1

 standby 11 priority 99

 standby 11 preempt

 ip igmp query-interval 125

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.12

 description DATA

 encapsulation dot1Q 12

 ip address 10.10.113.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip wccp 61 redirect in

 ip pim sparse-dense-mode

 zone-member security S_Data

 standby 12 ip 10.10.113.1

 standby 12 priority 99

 standby 12 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.13

 description VOICE

 encapsulation dot1Q 13

 ip address 10.10.114.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Voice

 standby 13 ip 10.10.114.1

 standby 13 priority 99

 standby 13 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.14

 description WIRELESS

 encapsulation dot1Q 14

 ip address 10.10.115.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Data-W

 standby 14 ip 10.10.115.1

 standby 14 priority 99

 standby 14 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.15

 description WIRELESS-POS

 encapsulation dot1Q 15

 ip address 10.10.116.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_POS-W

 standby 15 ip 10.10.116.1

 standby 15 priority 99

 standby 15 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.16

 description PARTNER

 encapsulation dot1Q 16

 ip address 10.10.117.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Partners

 standby 16 ip 10.10.117.1

 standby 16 priority 99

 standby 16 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.17

 description WIRELESS-GUEST

 encapsulation dot1Q 17

 ip address 10.10.118.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Guest

 standby 17 ip 10.10.118.1

 standby 17 priority 99

 standby 17 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.18

 description WIRELESS-CONTROL

 encapsulation dot1Q 18

 ip address 10.10.119.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WLC-AP

 standby 18 ip 10.10.119.1

 standby 18 priority 99

 standby 18 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.19

 description WAAS

 encapsulation dot1Q 19

 ip address 10.10.120.3 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WAAS

 standby 19 ip 10.10.120.1

 standby 19 priority 99

 standby 19 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.20

 description SECURITY-SYSTEMS

 encapsulation dot1Q 20

 ip address 10.10.121.3 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Security

 standby 20 ip 10.10.121.1

 standby 20 priority 99

 standby 20 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.101

 description ROUTER LINK TO

 encapsulation dot1Q 101

 ip address 10.10.126.26 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

 service-policy input BRANCH-LAN-EDGE-IN

interface GigabitEthernet0/1.1000

 description MANAGEMENT

 encapsulation dot1Q 1000

 ip address 10.10.127.3 255.255.255.0

 zone-member security S_MGMT

 standby 100 ip 10.10.127.1

 standby 100 priority 99

 standby 100 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/2

 no ip address

 duplex auto

 speed auto

interface GigabitEthernet0/2.102

 description ROUTER LINK TO

 encapsulation dot1Q 102

 ip address 10.10.126.30 255.255.255.252

 ip pim sparse-dense-mode

 zone-member security S_R-2-R

 service-policy input BRANCH-LAN-EDGE-IN

interface SM1/0

 description Video Survillance VMSS Module

 ip address 10.10.126.45 255.255.255.252

 zone-member security S_Security

 service-module ip address 10.10.126.46 255.255.255.252

 !Application: FNDN Running on SM

 service-module ip default-gateway 10.10.126.45

 hold-queue 60 out

interface SM1/1

 description Internal switch interface connected to Service Module

interface SM2/0

 ip address 10.10.126.50 255.255.255.252

 zone-member security S_MGMT

 service-module ip address 10.10.126.49 255.255.255.252

 !Application: SRE-V Running on SMV

 service-module ip default-gateway 10.10.126.50

 service-module mgf ip address 10.10.125.49 255.255.255.0

 hold-queue 60 out

interface SM2/1

 description Internal switch interface connected to Service Module

interface Vlan1

 description ESXi Host and Virtual Machines$ES_LAN$

 ip address 10.10.125.50 255.255.255.0

 zone-member security S_POS

router ospf 5

 router-id 10.10.126.2

 redistribute connected subnets

 passive-interface default

 no passive-interface GigabitEthernet0/1.101

 no passive-interface GigabitEthernet0/2.102

 network 10.10.0.0 0.0.255.255 area 10

 default-information originate

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 10.10.254.11

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended CSM_ZBF_CMAP_ACL_1

 remark Data Center Mgmt to Devices

 permit object-group CSM_INLINE_svc_rule_81604380993 object-group 
CSM_INLINE_src_rule_81604380993 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_10

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle 
object-group STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group 
STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax 
object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_11

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381021 object-group 
CSM_INLINE_src_rule_81604381021 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_12

 remark Data Center VOICE (wired and Wireless)

 permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_13

 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group 
CSM_INLINE_dst_rule_81604381150

ip access-list extended CSM_ZBF_CMAP_ACL_14

 remark Store WAAS to Clients and Servers

 permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_15

 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group 
CSM_INLINE_dst_rule_81604381152

ip access-list extended CSM_ZBF_CMAP_ACL_16

 remark Syslog and SNMP Alerts

 permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604380995

ip access-list extended CSM_ZBF_CMAP_ACL_17

 remark Store to Data Center Authentications

 permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381001

ip access-list extended CSM_ZBF_CMAP_ACL_18

 remark Store to Data Center for NTP

 permit object-group NTP object-group Stores-ALL object-group NTP-Servers

ip access-list extended CSM_ZBF_CMAP_ACL_19

 remark Store to Data Center for DHCP and DNS

 permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group 
ActiveDirectory.cisco-irn.com

ip access-list extended CSM_ZBF_CMAP_ACL_2

 remark Data Center subscribe to IPS SDEE events

 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443

ip access-list extended CSM_ZBF_CMAP_ACL_20

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381039

ip access-list extended CSM_ZBF_CMAP_ACL_21

 remark Store UCS E-series server to Data Center vShphere

 permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group 
vSphere-1

ip access-list extended CSM_ZBF_CMAP_ACL_22

 remark Store NAC

 permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381037

ip access-list extended CSM_ZBF_CMAP_ACL_23

 remark Store to Data Center Physical Security

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049

ip access-list extended CSM_ZBF_CMAP_ACL_24

 remark Store WAAS (WAAS Devices need their own zone)

 permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group 
DC-WAAS

ip access-list extended CSM_ZBF_CMAP_ACL_25

 remark Store to Data Center wireless controller traffic

 permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381045

ip access-list extended CSM_ZBF_CMAP_ACL_26

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group 
DC-POS-Oracle

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group 
DC-POS-SAP

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group 
DC-POS-Tomax

ip access-list extended CSM_ZBF_CMAP_ACL_27

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_81604381023 object-group 
CSM_INLINE_src_rule_81604381023 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_28

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_29

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_3

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_81604381041 object-group 
CSM_INLINE_src_rule_81604381041 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_30

 remark Permit POS clients to talk to store POS server

 permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group 
STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_31

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_32

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_33

 remark Store DATA (wired and Wireless - Access to DC Other applications)

 permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group 
DC-Applications

ip access-list extended CSM_ZBF_CMAP_ACL_34

 remark Store GUEST - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071

ip access-list extended CSM_ZBF_CMAP_ACL_35

 remark Store GUEST (access to internet/DMZ web servers)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_36

 remark Store PARTNERS - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067

ip access-list extended CSM_ZBF_CMAP_ACL_37

 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_38

 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)

 permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_81604381059

ip access-list extended CSM_ZBF_CMAP_ACL_4

 remark Data Center vSphere to UCS E-series server

 permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_5

 remark Data Center to Store Physical Security

 permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_6

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_7

 remark Data Center WAAS to Store

 permit object-group CSM_INLINE_svc_rule_81604381051 object-group 
CSM_INLINE_src_rule_81604381051 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_8

 remark Data Center Wireless Control to AP's and Controllers in stores

 permit object-group CSM_INLINE_svc_rule_81604381043 object-group 
CSM_INLINE_src_rule_81604381043 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_9

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group STORE-POS

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip any 192.168.52.0 0.0.0.255

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444

 remark --Large store Clock Server to CUAE

 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000

 remark ---LiteScape Application---

 permit ip any host 192.168.46.82

 permit ip any 239.192.0.0 0.0.0.255

 permit ip any host 239.255.255.250

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp any 192.168.46.0 0.0.0.255 eq 7777

 permit tcp any 192.168.46.0 0.0.0.255 eq 6003

 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

nls resp-timeout 1

cpd cr-id 1

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps flash insertion removal

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps ipsla

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server domain-stripping

tacacs-server key 7 <removed>

control-plane

mgcp profile default

gatekeeper

 shutdown

banner exec

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 login authentication RETAIL

 no exec

 transport preferred none

 transport output none

line 67

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output none

 stopbits 1

line 131

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output none

 stopbits 1

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

scheduler allocate 20000 1000

scheduler interval 500

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

S-A2-MED-1

S-A2-MED-1/2#sh run

Building configuration...

Current configuration : 16629 bytes

! Last configuration change at 02:28:28 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:28:32 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

hostname S-A2-MED-1/2

boot-start-marker

boot-end-marker

logging buffered 50000

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

switch 1 provision ws-c3750x-48p

switch 2 provision ws-c3750x-48p

system mtu routing 1500

authentication mac-move permit

ip subnet-zero

no ip source-route

no ip gratuitous-arps

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-4271428864

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-4271428864

 revocation-check none

 rsakeypair TP-self-signed-4271428864

crypto pki certificate chain TP-self-signed-4271428864

 certificate self-signed 01

  <removed>  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

vlan internal allocation policy ascending

ip tcp synwait-time 10

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

interface FastEthernet0

 no ip address

 shutdown

interface GigabitEthernet1/0/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet1/0/2

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet1/0/3

 description Cisco9971 IP phone

 switchport access vlan 11

 switchport trunk encapsulation dot1q

 switchport voice vlan 13

 spanning-tree portfast

interface GigabitEthernet1/0/4

 description Cisco7975 IP phone

 switchport access vlan 11

 switchport trunk encapsulation dot1q

 switchport voice vlan 13

 spanning-tree portfast

interface GigabitEthernet1/0/5

 switchport access vlan 20

interface GigabitEthernet1/0/6

 description CPAM Gateway

 switchport access vlan 20

interface GigabitEthernet1/0/7

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet1/0/8

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/9

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/10

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/11

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/12

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/13

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/14

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/15

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/16

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/17

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/18

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/19

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/20

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/21

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/22

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/23

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/24

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/25

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/26

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/27

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/28

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/29

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/30

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/31

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/32

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/33

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/34

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/35

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/36

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/37

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/38

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/39

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/40

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/41

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/42

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/43

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/44

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/45

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/46

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/47

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/48

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/1/1

 shutdown

interface GigabitEthernet1/1/2

 shutdown

interface GigabitEthernet1/1/3

 shutdown

interface GigabitEthernet1/1/4

 shutdown

interface TenGigabitEthernet1/1/1

 shutdown

interface TenGigabitEthernet1/1/2

 shutdown

interface GigabitEthernet2/0/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet2/0/2

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet2/0/3

interface GigabitEthernet2/0/4

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet2/0/5

 description AIR-CAP3502E

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode trunk

interface GigabitEthernet2/0/6

 description AIR-LAP1262N

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode trunk

interface GigabitEthernet2/0/7

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet2/0/8

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/9

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/10

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/11

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/12

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/13

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/14

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/15

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/16

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/17

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/18

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/19

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/20

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/21

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/22

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/23

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/24

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/25

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/26

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/27

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/28

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/29

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/30

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/31

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/32

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/33

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/34

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/35

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/36

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/37

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/38

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/39

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/40

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/41

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/42

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/43

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/44

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/45

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/46

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/47

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/48

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/1/1

 shutdown

interface GigabitEthernet2/1/2

 shutdown

interface GigabitEthernet2/1/3

 shutdown

interface GigabitEthernet2/1/4

 shutdown

interface TenGigabitEthernet2/1/1

 shutdown

interface TenGigabitEthernet2/1/2

 shutdown

interface Vlan1

 no ip address

 shutdown

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.127.11 255.255.255.0

ip default-gateway 10.10.127.1

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

ip sla enable reaction-alerts

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps power-ethernet group 1-4

snmp-server enable traps power-ethernet police

snmp-server enable traps cpu threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps errdisable

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 speed 115200

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

scheduler interval 500

ntp clock-period 36027426

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

S-A2-MED-1/2#

S-A2-MED-3

S-A2-MED-3#sh run

Building configuration...

Current configuration : 8650 bytes

! Last configuration change at 02:34:20 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:34:21 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname S-A2-MED-3

boot-start-marker

boot-end-marker

logging buffered 50000

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

no ip source-route

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-1308417408

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1308417408

 revocation-check none

 rsakeypair TP-self-signed-1308417408

crypto pki certificate chain TP-self-signed-1308417408

 certificate self-signed 01

  <removed>  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

interface FastEthernet0/1

 switchport access vlan 17

 shutdown

interface FastEthernet0/2

 switchport access vlan 17

 shutdown

interface FastEthernet0/3

 switchport access vlan 17

 shutdown

interface FastEthernet0/4

 switchport access vlan 17

 shutdown

interface FastEthernet0/5

 switchport access vlan 17

 shutdown

interface FastEthernet0/6

 switchport access vlan 17

 shutdown

interface FastEthernet0/7

 switchport access vlan 17

 shutdown

interface FastEthernet0/8

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/1

 shutdown

interface GigabitEthernet0/2

interface Vlan1

 no ip address

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.127.13 255.255.255.0

ip default-gateway 10.10.127.1

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

ip sla enable reaction-alerts

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps power-ethernet group 1

snmp-server enable traps power-ethernet police

snmp-server enable traps cpu threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps errdisable

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    *                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO ADMINISTRATOR OR OTHEMIME WITHOUT

FU L

NFORCEMENT OFFCIAL NDPRSETHO OF STATEAND FEER^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

 speed 115200

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36028775

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

Small Branch

R-A2-SMALL

! Last configuration change at 00:44:15 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 00:44:16 PSTDST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname R-A2-Small-1

boot-start-marker

boot system flash0 c2900-universalk9-mz.SPA.151-3.T.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PSTDST recurring

no ipv6 cef

ip source-route

ip cef

ip multicast-routing

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip port-map user-8443 port tcp 8443

ip ips notify SDEE

ip ips name Retail-PCI

ip ips signature-category

  category all

   retired true

  category ios_ips default

   retired false

ip wccp 61

ip wccp 62

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

parameter-map type inspect global

 WAAS enable

parameter-map type inspect Inspect-1

 audit-trail on

parameter-map type trend-global trend-glob-map

password encryption aes

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-503450500

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-503450500

 revocation-check none

 rsakeypair TP-self-signed-503450500

crypto pki certificate chain TP-self-signed-503450500

 certificate self-signed 01

  <removed>

  	quit

voice-card 0

license udi pid CISCO2921/K9 sn <removed>

hw-module ism 0

hw-module sm 1

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

object-group network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 udp eq 5246

 udp eq 5247

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 tcp eq 4050

object-group network DC-ALL

 description All of the Data Center

 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_68719541425

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network WCSManager

 description Wireless Manager

 host 192.168.43.135

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 host 192.168.43.21

 host 192.168.43.22

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 host 192.168.43.31

 host 192.168.43.32

object-group network CSM_INLINE_dst_rule_68719541431

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 host 192.168.44.111

object-group network MSP-DC-1

 description Data Center VSOM

 host 192.168.44.121

object-group network CSM_INLINE_dst_rule_68719541435

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_68719541457

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_68719541461

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_68719541465

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network EMC-NCM

 description EMC Network Configuration Manager

 host 192.168.42.122

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 host 192.168.42.124

object-group network CSM_INLINE_dst_rule_73014451187

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object EMC-NCM

 group-object RSA-enVision

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 host 192.168.42.131

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 host 192.168.42.137

object-group network NAC-1

 description ISE server for NAC

 host 192.168.42.111

object-group network CSM_INLINE_dst_rule_73014451193

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object ActiveDirectory.cisco-irn.com

 group-object TACACS

 group-object RSA-AM

 group-object NAC-1

object-group network NAC-2

 host 192.168.42.112

object-group network CSM_INLINE_dst_rule_73014451223

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network DC-Admin

 description DC Admin Systems

 host 192.168.41.101

 host 192.168.41.102

object-group network CSManager

 description Cisco Security Manager

 host 192.168.42.133

object-group network CSM_INLINE_src_rule_68719541409

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object EMC-NCM

 group-object CSManager

object-group network CSM_INLINE_src_rule_68719541427

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_68719541429

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_68719541433

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 host 192.168.48.10

 host 192.168.49.10

 host 192.168.47.11

 host 192.168.47.12

object-group network CSM_INLINE_src_rule_68719541437

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-WAAS

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_73014451215

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_73014451217

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group service CSM_INLINE_svc_rule_68719541409

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

object-group service CSM_INLINE_svc_rule_68719541425

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service CSM_INLINE_svc_rule_68719541427

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 udp eq 12222

 udp eq 12223

object-group service TFTP

 description Trivial File Transfer

 tcp eq 69

 udp eq tftp

object-group service IP-Protocol-97

 description IP protocol 97

object-group service CSM_INLINE_svc_rule_68719541429

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq www

 tcp eq 22

 tcp eq telnet

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object TFTP

 group-object IP-Protocol-97

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 udp eq 16666

 udp eq 16667

object-group service CSM_INLINE_svc_rule_68719541431

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object Cisco-Mobility

 group-object IP-Protocol-97

object-group service HTTPS-8443

 tcp eq 8443

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 tcp eq 445

object-group service CSM_INLINE_svc_rule_68719541437

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_68719541439

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_68719541455

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp

 tcp-udp eq 5060

 tcp eq 2000

 tcp eq www

 tcp eq 443

 group-object TFTP

object-group service CSM_INLINE_svc_rule_68719541457

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp-udp eq 5060

 tcp eq 2000

object-group service Netbios

 description Netbios Servers

 udp eq netbios-dgm

 udp eq netbios-ns

 tcp eq 139

object-group service ORACLE-SIM

 description Oracle Store Inventory Management

 tcp eq 7777

 tcp eq 6003

 tcp range 12401 12500

object-group service RDP

 description Windows Remote Desktop

 tcp eq 3389

object-group service Workbrain

 tcp eq 8444

object-group service CSM_INLINE_svc_rule_68719541459

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq ftp

 tcp eq www

 tcp eq 443

 udp eq 88

 tcp-udp eq 42

 group-object Microsoft-DS-SMB

 group-object Netbios

 group-object ORACLE-SIM

 group-object RDP

 group-object Workbrain

object-group service CSM_INLINE_svc_rule_73014451187

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq syslog

 udp eq snmp

 udp eq snmptrap

object-group service CSM_INLINE_svc_rule_73014451193

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq tacacs

 udp eq 1812

 udp eq 1813

 tcp eq 389

 tcp eq 636

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 tcp eq 5989

 tcp eq 8000

 tcp eq 902

 tcp eq 903

object-group service CSM_INLINE_svc_rule_73014451195

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq 22

 group-object vCenter-to-ESX4

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 udp eq 427

 tcp eq 427

object-group service CSM_INLINE_svc_rule_73014451197

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 tcp range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 tcp eq 7001

 tcp eq 7002

 tcp eq 1521

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 tcp eq 2809

 tcp eq 9443

 tcp eq 1414

object-group service ORACLE-OAS

 description OAS uses one port for HTTP and RMI - 12601.

 tcp eq 12601

object-group service CSM_INLINE_svc_rule_73014451203

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_73014451205

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_73014451207

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_73014451209

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service TOMAX-8990

 description Tomax Application Port

 tcp eq 8990

object-group service CSM_INLINE_svc_rule_73014451211

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service CSM_INLINE_svc_rule_73014451213

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service ICMP-Requests

 description ICMP requests

 icmp information-request

 icmp mask-request

 icmp timestamp-request

object-group service CSM_INLINE_svc_rule_73014451215

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_73014451217

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service DNS-Resolving

 description Domain Name Server

 tcp eq domain

 udp eq domain

object-group service CSM_INLINE_svc_rule_73014451221

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq bootps

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_73014451223

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_73014451388

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_73014451393

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service CSM_INLINE_svc_rule_73014451395

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451397

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

udp

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451404

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451406

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group network DC-Applications

 description Applications in the Data Center that are non-PCI related(Optimized by 
CS-Manager)

 192.168.180.0 255.255.254.0

object-group network DC-Voice

 description Data Center Voice

 192.168.45.0 255.255.255.0

object-group network MS-Update

 description Windows Update Server

 host 192.168.42.150

object-group network MSExchange

 description Mail Server

 host 192.168.42.140

object-group service NTP

 description NTP Protocols

 tcp eq 123

 udp eq ntp

object-group network NTP-Servers

 description NTP Servers

 host 192.168.62.161

 host 162.168.62.162

object-group network POS-Store-SMALL-1

 description Small Store POS devices

 host 10.10.128.81

 host 10.10.128.82

object-group network STORE-POS

 group-object POS-Store-SMALL-1

object-group network vSphere-1

 description vSphere server for Lab

 host 192.168.41.102

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 
<removed>

username csmadmin privilege 15 secret 5 <removed>

redundancy

ip ssh version 2

ip scp server enable

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7

 match protocol http

 match protocol https

 match protocol microsoft-ds

 match protocol ms-sql

 match protocol ms-sql-m

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol oracle

 match protocol oracle-em-vp

 match protocol oraclenames

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_10

 match access-group name CSM_ZBF_CMAP_ACL_10

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16

 match protocol http

 match protocol https

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_23

 match access-group name CSM_ZBF_CMAP_ACL_23

 match class-map CSM_ZBF_CMAP_PLMAP_16

class-map type inspect match-all CSM_ZBF_CLASS_MAP_32

 match access-group name CSM_ZBF_CMAP_ACL_32

class-map type inspect match-all CSM_ZBF_CLASS_MAP_11

 match access-group name CSM_ZBF_CMAP_ACL_11

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_22

 match access-group name CSM_ZBF_CMAP_ACL_22

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4

 match protocol http

 match protocol https

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_33

 match access-group name CSM_ZBF_CMAP_ACL_33

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tftp

 match protocol http

 match protocol https

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_12

 match access-group name CSM_ZBF_CMAP_ACL_12

 match class-map CSM_ZBF_CMAP_PLMAP_8

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15

 match protocol http

 match protocol https

 match protocol netbios-ns

 match protocol netbios-dgm

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_21

 match access-group name CSM_ZBF_CMAP_ACL_21

 match class-map CSM_ZBF_CMAP_PLMAP_15

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17

 match protocol http

 match protocol https

 match protocol imap3

 match protocol pop3

 match protocol pop3s

 match protocol smtp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_30

 match access-group name CSM_ZBF_CMAP_ACL_30

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9

 match protocol syslog

 match protocol syslog-conn

 match protocol snmp

 match protocol snmptrap

class-map type inspect match-all CSM_ZBF_CLASS_MAP_13

 match access-group name CSM_ZBF_CMAP_ACL_13

 match class-map CSM_ZBF_CMAP_PLMAP_9

class-map type inspect match-all CSM_ZBF_CLASS_MAP_20

 match access-group name CSM_ZBF_CMAP_ACL_20

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol ftp

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_31

 match access-group name CSM_ZBF_CMAP_ACL_31

 match class-map CSM_ZBF_CMAP_PLMAP_20

class-map match-all BRANCH-BULK-DATA

 match protocol tftp

 match protocol nfs

 match access-group name BULK-DATA-APPS

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10

 match protocol ldaps

 match protocol ldap

 match protocol ldap-admin

 match protocol radius

 match protocol tacacs

 match protocol tacacs-ds

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_14

 match access-group name CSM_ZBF_CMAP_ACL_14

 match class-map CSM_ZBF_CMAP_PLMAP_10

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18

 match protocol http

 match protocol https

 match protocol udp

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_27

 match access-group name CSM_ZBF_CMAP_ACL_27

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_36

 match access-group name CSM_ZBF_CMAP_ACL_36

 match class-map CSM_ZBF_CMAP_PLMAP_22

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11

 match protocol ntp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_15

 match access-group name CSM_ZBF_CMAP_ACL_15

 match class-map CSM_ZBF_CMAP_PLMAP_11

class-map type inspect match-all CSM_ZBF_CLASS_MAP_26

 match access-group name CSM_ZBF_CMAP_ACL_26

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12

 match protocol bootpc

 match protocol bootps

 match protocol udp

 match protocol tcp

 match protocol dns

 match protocol dhcp-failover

class-map type inspect match-all CSM_ZBF_CLASS_MAP_16

 match access-group name CSM_ZBF_CMAP_ACL_16

 match class-map CSM_ZBF_CMAP_PLMAP_12

class-map type inspect match-all CSM_ZBF_CLASS_MAP_25

 match access-group name CSM_ZBF_CMAP_ACL_25

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_34

 match access-group name CSM_ZBF_CMAP_ACL_34

class-map type inspect match-all CSM_ZBF_CLASS_MAP_17

 match access-group name CSM_ZBF_CMAP_ACL_17

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_24

 match access-group name CSM_ZBF_CMAP_ACL_24

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21

 match protocol tcp

 match protocol udp

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_35

 match access-group name CSM_ZBF_CMAP_ACL_35

 match class-map CSM_ZBF_CMAP_PLMAP_21

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13

 match protocol https

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_18

 match access-group name CSM_ZBF_CMAP_ACL_18

 match class-map CSM_ZBF_CMAP_PLMAP_13

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14

 match protocol http

 match protocol https

 match protocol user-8443

class-map type inspect match-all CSM_ZBF_CLASS_MAP_19

 match access-group name CSM_ZBF_CMAP_ACL_19

 match class-map CSM_ZBF_CMAP_PLMAP_14

class-map type inspect match-all CSM_ZBF_CLASS_MAP_29

 match access-group name CSM_ZBF_CMAP_ACL_29

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19

 match protocol http

 match protocol https

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_28

 match access-group name CSM_ZBF_CMAP_ACL_28

 match class-map CSM_ZBF_CMAP_PLMAP_19

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1

 match protocol https

 match protocol ssh

class-map type inspect match-all CSM_ZBF_CLASS_MAP_1

 match access-group name CSM_ZBF_CMAP_ACL_1

 match class-map CSM_ZBF_CMAP_PLMAP_1

class-map type inspect match-all CSM_ZBF_CLASS_MAP_3

 match access-group name CSM_ZBF_CMAP_ACL_3

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2

 match protocol https

 match protocol http

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_2

 match access-group name CSM_ZBF_CMAP_ACL_2

 match class-map CSM_ZBF_CMAP_PLMAP_2

class-map type inspect match-all CSM_ZBF_CLASS_MAP_5

 match access-group name CSM_ZBF_CMAP_ACL_5

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3

 match protocol http

 match protocol https

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

 match access-group name CSM_ZBF_CMAP_ACL_4

 match class-map CSM_ZBF_CMAP_PLMAP_3

class-map type inspect match-all CSM_ZBF_CLASS_MAP_7

 match access-group name CSM_ZBF_CMAP_ACL_7

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_6

 match access-group name CSM_ZBF_CMAP_ACL_6

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_9

 match access-group name CSM_ZBF_CMAP_ACL_9

 match protocol tcp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6

 match protocol http

 match protocol https

 match protocol ssh

 match protocol telnet

 match protocol tftp

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_8

 match access-group name CSM_ZBF_CMAP_ACL_8

 match class-map CSM_ZBF_CMAP_PLMAP_6

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol citrix

 match protocol ldap

 match protocol telnet

 match protocol sqlnet

 match protocol http url "*SalesReport*"

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol snmp

 match protocol syslog

 match protocol dns

 match protocol icmp

 match protocol ssh

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

 match protocol gnutella

 match protocol fasttrack

 match protocol kazaa2

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map BRANCH-LAN-EDGE-OUT

 class class-default

policy-map BRANCH-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 12

  random-detect dscp-based

 class BULK-DATA

  bandwidth percent 4

  random-detect dscp-based

 class SCAVENGER

  bandwidth percent 1

 class class-default

  bandwidth percent 25

  random-detect

policy-map type inspect CSM_ZBF_POLICY_MAP_18

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_19

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_31

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_16

 class type inspect CSM_ZBF_CLASS_MAP_24

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_17

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_14

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_15

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_23

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_12

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_21

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_34

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_35

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_13

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_21

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_20

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_33

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_10

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_11

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_22

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_36

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_9

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_8

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_12

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_7

 class type inspect CSM_ZBF_CLASS_MAP_9

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_10

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_11

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_6

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_5

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_8

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_4

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_7

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_3

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_5

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_2

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_4

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_1

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_2

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop

policy-map BRANCH-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

zone security S_WAN

 description Store WAN Link

zone security LOOPBACK

 description Loopback interface

zone security S_MGMT

 description VLAN1000 Management

zone security S_Security

 description VLAN20 Physical Security Systems

zone security S_WAAS

 description VLAN19 WAAS optimization

zone security S_WLC-AP

 description VLAN18 Wireless Systems

zone security S_Data

 description VLAN12 Store Data

zone security S_Data-W

 description VLAN14 Store Wireless Data

zone security S_Guest

 description VLAN17 Guest/Public Wireless

zone security S_Voice

 description VLAN13 Store Voice

zone security S_Partners

 description VLAN16 Partner network

zone security S_POS

 description VLAN 11 POS Data

zone security S_POS-W

 description VLAN15 Store Wireless POS

zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_8

zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_9

zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_11

zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_12

zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_22

interface Loopback0

 ip address 10.10.142.1 255.255.255.255

 ip pim sparse-dense-mode

 zone-member security LOOPBACK

interface GigabitEthernet0/0

 description ROUTER LINK TO SWITCH

 no ip address

 duplex auto

 speed auto

interface GigabitEthernet0/0.11

 description POS

 encapsulation dot1Q 11

 ip address 10.10.128.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_POS

 standby 11 ip 10.10.128.1

 standby 11 priority 101

 standby 11 preempt

 ip igmp query-interval 125

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.12

 description DATA

 encapsulation dot1Q 12

 ip address 10.10.129.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip wccp 61 redirect in

 ip pim sparse-dense-mode

 zone-member security S_Data

 standby 12 ip 10.10.129.1

 standby 12 priority 101

 standby 12 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.13

 description VOICE

 encapsulation dot1Q 13

 ip address 10.10.130.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Voice

 standby 13 ip 10.10.130.1

 standby 13 priority 101

 standby 13 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.14

 description WIRELESS

 encapsulation dot1Q 14

 ip address 10.10.131.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Data-W

 standby 14 ip 10.10.131.1

 standby 14 priority 101

 standby 14 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.15

 description WIRELESS-POS

 encapsulation dot1Q 15

 ip address 10.10.132.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_POS-W

 standby 15 ip 10.10.132.1

 standby 15 priority 101

 standby 15 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.16

 description PARTNER

 encapsulation dot1Q 16

 ip address 10.10.133.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Partners

 standby 16 ip 10.10.133.1

 standby 16 priority 101

 standby 16 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.17

 description WIRELESS-GUEST

 encapsulation dot1Q 17

 ip address 10.10.134.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Guest

 standby 17 ip 10.10.134.1

 standby 17 priority 101

 standby 17 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.18

 description WIRELESS-CONTROL

 encapsulation dot1Q 18

 ip address 10.10.135.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WLC-AP

 standby 18 ip 10.10.135.1

 standby 18 priority 101

 standby 18 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.19

 description WAAS

 encapsulation dot1Q 19

 ip address 10.10.136.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WAAS

 standby 19 ip 10.10.136.1

 standby 19 priority 101

 standby 19 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.20

 description SECURITY-SYSTEMS

 encapsulation dot1Q 20

 ip address 10.10.137.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Security

 standby 20 ip 10.10.137.1

 standby 20 priority 101

 standby 20 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/0.1000

 description MANAGEMENT

 encapsulation dot1Q 1000

 ip address 10.10.143.2 255.255.255.0

 zone-member security S_MGMT

 standby 100 ip 10.10.143.1

 standby 100 priority 101

 standby 100 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface ISM0/0

 no ip address

 shutdown

 !Application: Online on SME

 hold-queue 60 out

interface GigabitEthernet0/1

 ip address 10.10.255.128 255.255.255.0

 ip ips Retail-PCI in

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

interface GigabitEthernet0/2

 ip address 10.10.254.128 255.255.255.0

 ip ips Retail-PCI in

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

interface ISM0/1

 description Internal switch interface connected to Internal Service Module

 shutdown

interface SM1/0

 no ip address

 zone-member security S_Security

 shutdown

 service-module fail-open

 hold-queue 60 out

interface SM1/1

 description Internal switch interface connected to Service Module

interface Vlan1

 no ip address

 zone-member security S_POS

router ospf 5

 router-id 10.10.142.1

 passive-interface default

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 10.10.255.11

ip route 0.0.0.0 0.0.0.0 10.10.254.11 50

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended CSM_ZBF_CMAP_ACL_1

 remark Data Center Mgmt to Devices

 permit object-group CSM_INLINE_svc_rule_68719541409 object-group 
CSM_INLINE_src_rule_68719541409 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_10

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle 
object-group STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group 
STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax 
object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_11

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451215 object-group 
CSM_INLINE_src_rule_73014451215 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_12

 remark Data Center VOICE (wired and Wireless)

 permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_13

 remark Syslog and SNMP Alerts

 permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451187

ip access-list extended CSM_ZBF_CMAP_ACL_14

 remark Store to Data Center Authentications

 permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451193

ip access-list extended CSM_ZBF_CMAP_ACL_15

 remark Store to Data Center for NTP

 permit object-group NTP object-group Stores-ALL object-group NTP-Servers

ip access-list extended CSM_ZBF_CMAP_ACL_16

 remark Store to Data Center for DHCP and DNS

 permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group 
ActiveDirectory.cisco-irn.com

ip access-list extended CSM_ZBF_CMAP_ACL_17

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541425

ip access-list extended CSM_ZBF_CMAP_ACL_18

 remark Store UCS E-series server to Data Center vShphere

 permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group 
vSphere-1

ip access-list extended CSM_ZBF_CMAP_ACL_19

 remark Store NAC

 permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451223

ip access-list extended CSM_ZBF_CMAP_ACL_2

 remark Data Center subscribe to IPS SDEE events

 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443

ip access-list extended CSM_ZBF_CMAP_ACL_20

 remark Store to Data Center Physical Security

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435

ip access-list extended CSM_ZBF_CMAP_ACL_21

 remark Store WAAS (WAAS Devices need their own zone)

 permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group 
DC-WAAS

ip access-list extended CSM_ZBF_CMAP_ACL_22

 remark Store WAAS to Clients and Servers

 permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_23

 remark Store to Data Center wireless controller traffic

 permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541431

ip access-list extended CSM_ZBF_CMAP_ACL_24

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group 
DC-POS-Oracle

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group 
DC-POS-SAP

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group 
DC-POS-Tomax

ip access-list extended CSM_ZBF_CMAP_ACL_25

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451217 object-group 
CSM_INLINE_src_rule_73014451217 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_26

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_27

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_28

 remark Permit POS clients to talk to store POS server

 permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group 
STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_29

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_3

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_68719541427 object-group 
CSM_INLINE_src_rule_68719541427 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_30

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_31

 remark Store DATA (wired and Wireless - Access to DC Other applications)

 permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group 
DC-Applications

ip access-list extended CSM_ZBF_CMAP_ACL_32

 remark Store GUEST - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465

ip access-list extended CSM_ZBF_CMAP_ACL_33

 remark Store GUEST (access to internet/DMZ web servers)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_34

 remark Store PARTNERS - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461

ip access-list extended CSM_ZBF_CMAP_ACL_35

 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_36

 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)

 permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541457

ip access-list extended CSM_ZBF_CMAP_ACL_4

 remark Data Center vSphere to UCS E-series server

 permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_5

 remark Data Center to Store Physical Security

 permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_6

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_7

 remark Data Center WAAS to Store

 permit object-group CSM_INLINE_svc_rule_68719541437 object-group 
CSM_INLINE_src_rule_68719541437 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_8

 remark Data Center Wireless Control to AP's and Controllers in stores

 permit object-group CSM_INLINE_svc_rule_68719541429 object-group 
CSM_INLINE_src_rule_68719541429 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_9

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group STORE-POS

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip any 192.168.52.0 0.0.0.255

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444

 remark --Large store Clock Server to CUAE

 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000

 remark ---LiteScape Application---

 permit ip any host 192.168.46.82

 permit ip any 239.192.0.0 0.0.0.255

 permit ip any host 239.255.255.250

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp any 192.168.46.0 0.0.0.255 eq 7777

 permit tcp any 192.168.46.0 0.0.0.255 eq 6003

 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps flash insertion removal

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps ipsla

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server domain-stripping

tacacs-server key 7 <removed>

control-plane

mgcp profile default

gatekeeper

 shutdown

banner exec C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 no exec

 transport preferred none

 transport output none

line 67

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output none

 stopbits 1

 flowcontrol software

line 131

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output none

 stopbits 1

 flowcontrol software

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

scheduler allocate 20000 1000

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

S-A2-SMALL

S-A2-Small-1#sh run

Building configuration...

Current configuration : 16143 bytes

! Last configuration change at 02:23:14 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:23:18 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname S-A2-Small-1

boot-start-marker

boot-end-marker

logging buffered 50000

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 
<removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

switch 1 provision ws-c2960s-48fps-l

switch 2 provision ws-c2960s-48fps-l

authentication mac-move permit

ip subnet-zero

no ip source-route

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-1383908352

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1383908352

 revocation-check none

 rsakeypair TP-self-signed-1383908352

crypto pki certificate chain TP-self-signed-1383908352

 certificate self-signed 01

  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31333833 39303833 3532301E 170D3131 30343232 30333331

  35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33383339

  30383335 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100BD50 C6915FE3 A1789C0E 11A0BABD EC2528DB 3F8FBCF6 64D90C72 AD2D2A13

  A012AB72 F5F9EEDE 4E77EDA9 D3CE6985 BA2246A1 21FF6D61 B8FFC558 331CD608

  DB59F546 838396C6 29266AF9 6B968127 75A7CE55 6D0B3734 0454EA42 24E9C995

  1AC5D0C3 0850D703 F58A2E82 6FB13D8D 372F03D8 A5B2B577 CDB7A9D5 7AFC40B6

  B26B0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603

  551D1104 1E301C82 1A532D41 322D536D 616C6C2D 312E6369 73636F2D 69726E2E

  636F6D30 1F060355 1D230418 30168014 107F4DD8 762989FE 887F813D 62A1D871

  C9A4D3D4 301D0603 551D0E04 16041410 7F4DD876 2989FE88 7F813D62 A1D871C9

  A4D3D430 0D06092A 864886F7 0D010104 05000381 810045BF 884709EE FA837D06

  262E65C8 865912B1 44D5DE7F 459A7DEF DAEB3D94 B2D5A978 5CCF425E 1FED41CE

  2046BA9D 130DE1BD 4A7F3F99 B6AD32CA 3857A088 01083AAB 24557476 73F8AAC6

  634964A5 455F4DB2 AC36D64E EA2C71AD 296D82B6 CE1EDCCB 0724DB5D 0D332C10

  A17D5B1F E8926DC9 137519A1 521C9155 AF9AF52B 00BD

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

vlan internal allocation policy ascending

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

interface FastEthernet0

 no ip address

interface GigabitEthernet1/0/1

 switchport mode trunk

interface GigabitEthernet1/0/2

 switchport mode trunk

interface GigabitEthernet1/0/3

 description IP Cameras - 4300

 switchport access vlan 20

 switchport mode access

interface GigabitEthernet1/0/4

 description CPAM Gateway

 switchport access vlan 20

interface GigabitEthernet1/0/5

 switchport mode trunk

interface GigabitEthernet1/0/6

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/7

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/8

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/9

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/10

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/11

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/12

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/13

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/14

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/15

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/16

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/17

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/18

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/19

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/20

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/21

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/22

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/23

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/24

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/25

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/26

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/27

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/28

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/29

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/30

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/31

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/32

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/33

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/34

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/35

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/36

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/37

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/38

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/39

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/40

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/41

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/42

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/43

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/44

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/45

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/46

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/47

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/48

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/49

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/50

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/51

 switchport access vlan 17

 shutdown

interface GigabitEthernet1/0/52

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/1

 shutdown

interface GigabitEthernet2/0/2

 shutdown

interface GigabitEthernet2/0/3

 description Cisco7975 IP phone

 switchport access vlan 11

 switchport voice vlan 13

 spanning-tree portfast

interface GigabitEthernet2/0/4

 description AIR-CAP3502I

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode trunk

interface GigabitEthernet2/0/5

 description Cisco9971 IP phone

 switchport access vlan 11

 switchport voice vlan 13

 spanning-tree portfast

interface GigabitEthernet2/0/6

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/7

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/8

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/9

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/10

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/11

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/12

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/13

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/14

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/15

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/16

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/17

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/18

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/19

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/20

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/21

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/22

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/23

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/24

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/25

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/26

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/27

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/28

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/29

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/30

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/31

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/32

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/33

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/34

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/35

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/36

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/37

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/38

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/39

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/40

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/41

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/42

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/43

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/44

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/45

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/46

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/47

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/48

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/49

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/50

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/51

 switchport access vlan 17

 shutdown

interface GigabitEthernet2/0/52

 switchport access vlan 17

 shutdown

interface Vlan1

 no ip address

 shutdown

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.143.11 255.255.255.0

ip default-gateway 10.10.143.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

ip sla enable reaction-alerts

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps energywise

snmp-server enable traps entity

snmp-server enable traps power-ethernet group 1-4

snmp-server enable traps power-ethernet police

snmp-server enable traps cpu threshold

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps errdisable

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^CC

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^CC

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 22518357

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

Mini Branch

R-A2-MINI-1

! Last configuration change at 00:50:32 PST Sat Apr 30 2011 by retail

! NVRAM config last updated at 00:50:35 PST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

hostname R-A2-Mini-1

boot-start-marker

boot system flash0 c1900-universalk9-mz.SPA.151-3.T.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

service-module wlan-ap 0 bootimage autonomous

no ipv6 cef

no ip source-route

ip cef

ip multicast-routing

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip port-map user-8443 port tcp 8443

ip inspect log drop-pkt

ip inspect audit-trail

ip ips config location flash0: retries 1 timeout 1

ip ips notify SDEE

ip ips name Store-IPS

ip ips signature-category

  category all

   retired true

  category ios_ips default

   retired false

ip wccp 61

ip wccp 62

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

multilink bundle-name authenticated

parameter-map type inspect Inspect-1

 audit-trail on

parameter-map type inspect global

 WAAS enable

parameter-map type trend-global trend-glob-map

password encryption aes

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-1721465088

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1721465088

 revocation-check none

 rsakeypair TP-self-signed-1721465088

crypto pki certificate chain TP-self-signed-1721465088

 certificate self-signed 01

  <removed>

  	quit

license udi pid CISCO1941W-A/K9 sn <removed>

hw-module ism 0

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

object-group network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 udp eq 5246

 udp eq 5247

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 tcp eq 4050

object-group network DC-ALL

 description All of the Data Center

 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_68719541425

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network WCSManager

 description Wireless Manager

 host 192.168.43.135

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 host 192.168.43.21

 host 192.168.43.22

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 host 192.168.43.31

 host 192.168.43.32

object-group network CSM_INLINE_dst_rule_68719541431

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 host 192.168.44.111

object-group network MSP-DC-1

 description Data Center VSOM

 host 192.168.44.121

object-group network CSM_INLINE_dst_rule_68719541435

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_68719541457

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_68719541461

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_68719541465

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network EMC-NCM

 description EMC Network Configuration Manager

 host 192.168.42.122

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 host 192.168.42.124

object-group network CSM_INLINE_dst_rule_73014451187

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object EMC-NCM

 group-object RSA-enVision

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 host 192.168.42.131

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 host 192.168.42.137

object-group network NAC-1

 description ISE server for NAC

 host 192.168.42.111

object-group network CSM_INLINE_dst_rule_73014451193

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object ActiveDirectory.cisco-irn.com

 group-object TACACS

 group-object RSA-AM

 group-object NAC-1

object-group network NAC-2

 host 192.168.42.112

object-group network CSM_INLINE_dst_rule_73014451223

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network DC-Admin

 description DC Admin Systems

 host 192.168.41.101

 host 192.168.41.102

object-group network CSManager

 description Cisco Security Manager

 host 192.168.42.133

object-group network CSM_INLINE_src_rule_68719541409

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object EMC-NCM

 group-object CSManager

object-group network CSM_INLINE_src_rule_68719541427

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_68719541429

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_68719541433

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 host 192.168.48.10

 host 192.168.49.10

 host 192.168.47.11

 host 192.168.47.12

object-group network CSM_INLINE_src_rule_68719541437

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-WAAS

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_73014451215

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_73014451217

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group service CSM_INLINE_svc_rule_68719541409

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

object-group service CSM_INLINE_svc_rule_68719541425

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service CSM_INLINE_svc_rule_68719541427

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 udp eq 12222

 udp eq 12223

object-group service TFTP

 description Trivial File Transfer

 tcp eq 69

 udp eq tftp

object-group service IP-Protocol-97

 description IP protocol 97

object-group service CSM_INLINE_svc_rule_68719541429

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq www

 tcp eq 22

 tcp eq telnet

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object TFTP

 group-object IP-Protocol-97

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 udp eq 16666

 udp eq 16667

object-group service CSM_INLINE_svc_rule_68719541431

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object Cisco-Mobility

 group-object IP-Protocol-97

object-group service HTTPS-8443

 tcp eq 8443

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 tcp eq 445

object-group service CSM_INLINE_svc_rule_68719541437

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_68719541439

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_68719541455

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp

 tcp-udp eq 5060

 tcp eq 2000

 tcp eq www

 tcp eq 443

 group-object TFTP

object-group service CSM_INLINE_svc_rule_68719541457

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp-udp eq 5060

 tcp eq 2000

object-group service Netbios

 description Netbios Servers

 udp eq netbios-dgm

 udp eq netbios-ns

 tcp eq 139

object-group service ORACLE-SIM

 description Oracle Store Inventory Management

 tcp eq 7777

 tcp eq 6003

 tcp range 12401 12500

object-group service RDP

 description Windows Remote Desktop

 tcp eq 3389

object-group service Workbrain

 tcp eq 8444

object-group service CSM_INLINE_svc_rule_68719541459

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq ftp

 tcp eq www

 tcp eq 443

 udp eq 88

 tcp-udp eq 42

 group-object Microsoft-DS-SMB

 group-object Netbios

 group-object ORACLE-SIM

 group-object RDP

 group-object Workbrain

object-group service CSM_INLINE_svc_rule_73014451187

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq syslog

 udp eq snmp

 udp eq snmptrap

object-group service CSM_INLINE_svc_rule_73014451193

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq tacacs

 udp eq 1812

 udp eq 1813

 tcp eq 389

 tcp eq 636

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 tcp eq 5989

 tcp eq 8000

 tcp eq 902

 tcp eq 903

object-group service CSM_INLINE_svc_rule_73014451195

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq 22

 group-object vCenter-to-ESX4

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 udp eq 427

 tcp eq 427

object-group service CSM_INLINE_svc_rule_73014451197

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 tcp range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 tcp eq 7001

 tcp eq 7002

 tcp eq 1521

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 tcp eq 2809

 tcp eq 9443

 tcp eq 1414

object-group service ORACLE-OAS

 description OAS uses one port for HTTP and RMI - 12601.

 tcp eq 12601

object-group service CSM_INLINE_svc_rule_73014451203

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_73014451205

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_73014451207

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_73014451209

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service TOMAX-8990

 description Tomax Application Port

 tcp eq 8990

object-group service CSM_INLINE_svc_rule_73014451211

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service CSM_INLINE_svc_rule_73014451213

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service ICMP-Requests

 description ICMP requests

 icmp information-request

 icmp mask-request

 icmp timestamp-request

object-group service CSM_INLINE_svc_rule_73014451215

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_73014451217

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service DNS-Resolving

 description Domain Name Server

 tcp eq domain

 udp eq domain

object-group service CSM_INLINE_svc_rule_73014451221

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq bootps

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_73014451223

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_73014451388

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_73014451393

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service CSM_INLINE_svc_rule_73014451395

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451397

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

udp

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451404

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451406

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group network DC-Applications

 description Applications in the Data Center that are non-PCI related(Optimized by 
CS-Manager)

 192.168.180.0 255.255.254.0

object-group network DC-Voice

 description Data Center Voice

 192.168.45.0 255.255.255.0

object-group network MS-Update

 description Windows Update Server

 host 192.168.42.150

object-group network MSExchange

 description Mail Server

 host 192.168.42.140

object-group service NTP

 description NTP Protocols

 tcp eq 123

 udp eq ntp

object-group network NTP-Servers

 description NTP Servers

 host 192.168.62.161

 host 162.168.62.162

object-group network STORE-POS

 10.10.0.0 255.255.0.0

object-group network vSphere-1

 description vSphere server for Lab

 host 192.168.41.102

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

redundancy

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7

 match protocol http

 match protocol https

 match protocol microsoft-ds

 match protocol ms-sql

 match protocol ms-sql-m

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol oracle

 match protocol oracle-em-vp

 match protocol oraclenames

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_10

 match access-group name CSM_ZBF_CMAP_ACL_10

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16

 match protocol http

 match protocol https

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_23

 match access-group name CSM_ZBF_CMAP_ACL_23

 match class-map CSM_ZBF_CMAP_PLMAP_16

class-map type inspect match-all CSM_ZBF_CLASS_MAP_32

 match access-group name CSM_ZBF_CMAP_ACL_32

class-map type inspect match-all CSM_ZBF_CLASS_MAP_11

 match access-group name CSM_ZBF_CMAP_ACL_11

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_22

 match access-group name CSM_ZBF_CMAP_ACL_22

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4

 match protocol http

 match protocol https

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_33

 match access-group name CSM_ZBF_CMAP_ACL_33

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tftp

 match protocol http

 match protocol https

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_12

 match access-group name CSM_ZBF_CMAP_ACL_12

 match class-map CSM_ZBF_CMAP_PLMAP_8

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15

 match protocol http

 match protocol https

 match protocol netbios-ns

 match protocol netbios-dgm

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_21

 match access-group name CSM_ZBF_CMAP_ACL_21

 match class-map CSM_ZBF_CMAP_PLMAP_15

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17

 match protocol http

 match protocol https

 match protocol imap3

 match protocol pop3

 match protocol pop3s

 match protocol smtp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_30

 match access-group name CSM_ZBF_CMAP_ACL_30

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9

 match protocol syslog

 match protocol syslog-conn

 match protocol snmp

 match protocol snmptrap

class-map type inspect match-all CSM_ZBF_CLASS_MAP_13

 match access-group name CSM_ZBF_CMAP_ACL_13

 match class-map CSM_ZBF_CMAP_PLMAP_9

class-map type inspect match-all CSM_ZBF_CLASS_MAP_20

 match access-group name CSM_ZBF_CMAP_ACL_20

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol ftp

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_31

 match access-group name CSM_ZBF_CMAP_ACL_31

 match class-map CSM_ZBF_CMAP_PLMAP_20

class-map match-all BRANCH-BULK-DATA

 match protocol tftp

 match protocol nfs

 match access-group name BULK-DATA-APPS

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10

 match protocol ldaps

 match protocol ldap

 match protocol ldap-admin

 match protocol radius

 match protocol tacacs

 match protocol tacacs-ds

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_14

 match access-group name CSM_ZBF_CMAP_ACL_14

 match class-map CSM_ZBF_CMAP_PLMAP_10

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18

 match protocol http

 match protocol https

 match protocol udp

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_27

 match access-group name CSM_ZBF_CMAP_ACL_27

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_36

 match access-group name CSM_ZBF_CMAP_ACL_36

 match class-map CSM_ZBF_CMAP_PLMAP_22

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11

 match protocol ntp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_15

 match access-group name CSM_ZBF_CMAP_ACL_15

 match class-map CSM_ZBF_CMAP_PLMAP_11

class-map type inspect match-all CSM_ZBF_CLASS_MAP_26

 match access-group name CSM_ZBF_CMAP_ACL_26

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12

 match protocol bootpc

 match protocol bootps

 match protocol udp

 match protocol tcp

 match protocol dns

 match protocol dhcp-failover

class-map type inspect match-all CSM_ZBF_CLASS_MAP_16

 match access-group name CSM_ZBF_CMAP_ACL_16

 match class-map CSM_ZBF_CMAP_PLMAP_12

class-map type inspect match-all CSM_ZBF_CLASS_MAP_25

 match access-group name CSM_ZBF_CMAP_ACL_25

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_34

 match access-group name CSM_ZBF_CMAP_ACL_34

class-map type inspect match-all CSM_ZBF_CLASS_MAP_17

 match access-group name CSM_ZBF_CMAP_ACL_17

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_24

 match access-group name CSM_ZBF_CMAP_ACL_24

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21

 match protocol tcp

 match protocol udp

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_35

 match access-group name CSM_ZBF_CMAP_ACL_35

 match class-map CSM_ZBF_CMAP_PLMAP_21

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13

 match protocol https

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_18

 match access-group name CSM_ZBF_CMAP_ACL_18

 match class-map CSM_ZBF_CMAP_PLMAP_13

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14

 match protocol http

 match protocol https

 match protocol user-8443

class-map type inspect match-all CSM_ZBF_CLASS_MAP_19

 match access-group name CSM_ZBF_CMAP_ACL_19

 match class-map CSM_ZBF_CMAP_PLMAP_14

class-map type inspect match-all CSM_ZBF_CLASS_MAP_29

 match access-group name CSM_ZBF_CMAP_ACL_29

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19

 match protocol http

 match protocol https

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_28

 match access-group name CSM_ZBF_CMAP_ACL_28

 match class-map CSM_ZBF_CMAP_PLMAP_19

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1

 match protocol https

 match protocol ssh

class-map type inspect match-all CSM_ZBF_CLASS_MAP_1

 match access-group name CSM_ZBF_CMAP_ACL_1

 match class-map CSM_ZBF_CMAP_PLMAP_1

class-map type inspect match-all CSM_ZBF_CLASS_MAP_3

 match access-group name CSM_ZBF_CMAP_ACL_3

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2

 match protocol https

 match protocol http

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_2

 match access-group name CSM_ZBF_CMAP_ACL_2

 match class-map CSM_ZBF_CMAP_PLMAP_2

class-map type inspect match-all CSM_ZBF_CLASS_MAP_5

 match access-group name CSM_ZBF_CMAP_ACL_5

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3

 match protocol http

 match protocol https

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

 match access-group name CSM_ZBF_CMAP_ACL_4

 match class-map CSM_ZBF_CMAP_PLMAP_3

class-map type inspect match-all CSM_ZBF_CLASS_MAP_7

 match access-group name CSM_ZBF_CMAP_ACL_7

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_6

 match access-group name CSM_ZBF_CMAP_ACL_6

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_9

 match access-group name CSM_ZBF_CMAP_ACL_9

 match protocol tcp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6

 match protocol http

 match protocol https

 match protocol ssh

 match protocol telnet

 match protocol tftp

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_8

 match access-group name CSM_ZBF_CMAP_ACL_8

 match class-map CSM_ZBF_CMAP_PLMAP_6

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol citrix

 match protocol ldap

 match protocol telnet

 match protocol sqlnet

 match protocol http url "*SalesReport*"

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol snmp

 match protocol syslog

 match protocol dns

 match protocol icmp

 match protocol ssh

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

 match protocol gnutella

 match protocol fasttrack

 match protocol kazaa2

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Guest

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W

 class class-default

  drop log

policy-map BRANCH-LAN-EDGE-OUT

 class class-default

policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS

 class class-default

  drop log

policy-map BRANCH-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 12

  random-detect dscp-based

 class BULK-DATA

  bandwidth percent 4

  random-detect dscp-based

 class SCAVENGER

  bandwidth percent 1

 class class-default

  bandwidth percent 25

  random-detect

policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_18

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_19

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_31

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_16

 class type inspect CSM_ZBF_CLASS_MAP_24

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_17

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_14

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_15

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_23

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_12

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_21

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_34

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_35

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_13

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_21

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_20

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_33

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_10

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_11

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_22

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_36

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_9

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_8

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_12

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_7

 class type inspect CSM_ZBF_CLASS_MAP_9

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_10

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_11

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_6

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_5

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_8

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_4

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_7

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_3

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_5

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_2

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_4

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_1

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_2

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_S_Partners_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS

 class class-default

  drop log

policy-map BRANCH-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W

 class class-default

  drop log

zone security S_WAN

 description Store WAN Link

zone security LOOPBACK

 description Loopback interface

zone security S_MGMT

 description VLAN1000 Management

zone security S_Security

 description VLAN20 Physical Security Systems

zone security S_WAAS

 description VLAN19 WAAS optimization

zone security S_WLC-AP

 description VLAN18 Wireless Systems

zone security S_Data

 description VLAN12 Store Data

zone security S_Data-W

 description VLAN14 Store Wireless Data

zone security S_Guest

 description VLAN17 Guest/Public Wireless

zone security S_Voice

 description VLAN13 Store Voice

zone security S_Partners

 description VLAN16 Partner network

zone security S_POS

 description VLAN 11 POS Data

zone security S_POS-W

 description VLAN15 Store Wireless POS

zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W

zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Guest

zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_8

zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_9

zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W

zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_11

zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS

zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W

zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_12

zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS

zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS-W

zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS

zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W

zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners

zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS

zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W

zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS

zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS-W

zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS

zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W

zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS

zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W

zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Partners_S_POS

zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS

zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W

zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_22

interface Loopback0

 ip address 10.10.158.1 255.255.255.255

 ip pim sparse-dense-mode

 zone-member security LOOPBACK

interface GigabitEthernet0/0

 ip address 10.10.255.144 255.255.255.0

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

interface wlan-ap0

 description Service module interface to manage the embedded AP

 ip address 10.10.158.33 255.255.255.252

 zone-member security S_WLC-AP

 service-module ip address 10.10.158.34 255.255.255.252

 service-module ip default-gateway 10.10.158.33

 arp timeout 0

 no mop enabled

 no mop sysid

interface GigabitEthernet0/1

 description ROUTER LINK TO SWITCH

 no ip address

 duplex auto

 speed auto

interface GigabitEthernet0/1.11

 description POS

 encapsulation dot1Q 11

 ip address 10.10.144.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS

 standby 11 ip 10.10.144.1

 standby 11 priority 101

 standby 11 preempt

 ip igmp query-interval 125

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.12

 description DATA

 encapsulation dot1Q 12

 ip address 10.10.145.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip wccp 61 redirect in

 ip pim sparse-dense-mode

 zone-member security S_Data

 standby 12 ip 10.10.145.1

 standby 12 priority 101

 standby 12 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.13

 description VOICE

 encapsulation dot1Q 13

 ip address 10.10.146.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Voice

 standby 13 ip 10.10.146.1

 standby 13 priority 101

 standby 13 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.14

 description WIRELESS

 encapsulation dot1Q 14

 ip address 10.10.147.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Data-W

 standby 14 ip 10.10.147.1

 standby 14 priority 101

 standby 14 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.15

 description WIRELESS-POS

 encapsulation dot1Q 15

 ip address 10.10.148.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS-W

 standby 15 ip 10.10.148.1

 standby 15 priority 101

 standby 15 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.16

 description PARTNER

 encapsulation dot1Q 16

 ip address 10.10.149.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Partners

 standby 16 ip 10.10.149.1

 standby 16 priority 101

 standby 16 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.17

 description WIRELESS-GUEST

 encapsulation dot1Q 17

 ip address 10.10.150.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Guest

 standby 17 ip 10.10.150.1

 standby 17 priority 101

 standby 17 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.18

 description WIRELESS-CONTROL

 encapsulation dot1Q 18

 ip address 10.10.151.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WLC-AP

 standby 18 ip 10.10.151.1

 standby 18 priority 101

 standby 18 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.19

 description WAAS

 encapsulation dot1Q 19

 ip address 10.10.152.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WAAS

 standby 19 ip 10.10.152.1

 standby 19 priority 101

 standby 19 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.20

 zone-member security S_Security

 service-policy output BRANCH-LAN-EDGE-OUT

interface GigabitEthernet0/1.1000

 description MANAGEMENT

 encapsulation dot1Q 1000

 ip address 10.10.159.2 255.255.255.0

 zone-member security S_MGMT

 standby 100 ip 10.10.159.1

 standby 100 priority 101

 standby 100 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Wlan-GigabitEthernet0/0

 description Internal switch interface connecting to the embedded AP

 zone-member security S_WLC-AP

 service-module ip address 10.10.158.34 255.255.255.252

 service-module ip default-gateway 10.10.158.33

interface Vlan1

 no ip address

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS

interface Vlan15

 no ip address

 zone-member security S_POS-W

interface Vlan1000

 no ip address

 zone-member security S_MGMT

router ospf 5

 router-id 10.10.158.1

 passive-interface default

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 10.10.255.11

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended CSM_ZBF_CMAP_ACL_1

 remark Data Center Mgmt to Devices

 permit object-group CSM_INLINE_svc_rule_68719541409 object-group 
CSM_INLINE_src_rule_68719541409 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_10

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle 
object-group STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group 
STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax 
object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_11

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451215 object-group 
CSM_INLINE_src_rule_73014451215 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_12

 remark Data Center VOICE (wired and Wireless)

 permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_13

 remark Syslog and SNMP Alerts

 permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451187

ip access-list extended CSM_ZBF_CMAP_ACL_14

 remark Store to Data Center Authentications

 permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451193

ip access-list extended CSM_ZBF_CMAP_ACL_15

 remark Store to Data Center for NTP

 permit object-group NTP object-group Stores-ALL object-group NTP-Servers

ip access-list extended CSM_ZBF_CMAP_ACL_16

 remark Store to Data Center for DHCP and DNS

 permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group 
ActiveDirectory.cisco-irn.com

ip access-list extended CSM_ZBF_CMAP_ACL_17

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541425

ip access-list extended CSM_ZBF_CMAP_ACL_18

 remark Store UCS E-series server to Data Center vShphere

 permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group 
vSphere-1

ip access-list extended CSM_ZBF_CMAP_ACL_19

 remark Store NAC

 permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451223

ip access-list extended CSM_ZBF_CMAP_ACL_2

 remark Data Center subscribe to IPS SDEE events

 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443

ip access-list extended CSM_ZBF_CMAP_ACL_20

 remark Store to Data Center Physical Security

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435

ip access-list extended CSM_ZBF_CMAP_ACL_21

 remark Store WAAS (WAAS Devices need their own zone)

 permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group 
DC-WAAS

ip access-list extended CSM_ZBF_CMAP_ACL_22

 remark Store WAAS to Clients and Servers

 permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_23

 remark Store to Data Center wireless controller traffic

 permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541431

ip access-list extended CSM_ZBF_CMAP_ACL_24

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group 
DC-POS-Oracle

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group 
DC-POS-SAP

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group 
DC-POS-Tomax

ip access-list extended CSM_ZBF_CMAP_ACL_25

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451217 object-group 
CSM_INLINE_src_rule_73014451217 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_26

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_27

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_28

 remark Permit POS clients to talk to store POS server

 permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group 
STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_29

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_3

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_68719541427 object-group 
CSM_INLINE_src_rule_68719541427 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_30

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_31

 remark Store DATA (wired and Wireless - Access to DC Other applications)

 permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group 
DC-Applications

ip access-list extended CSM_ZBF_CMAP_ACL_32

 remark Store GUEST - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465

ip access-list extended CSM_ZBF_CMAP_ACL_33

 remark Store GUEST (access to internet/DMZ web servers)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_34

 remark Store PARTNERS - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461

ip access-list extended CSM_ZBF_CMAP_ACL_35

 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_36

 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)

 permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541457

ip access-list extended CSM_ZBF_CMAP_ACL_4

 remark Data Center vSphere to UCS E-series server

 permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_5

 remark Data Center to Store Physical Security

 permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_6

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_7

 remark Data Center WAAS to Store

 permit object-group CSM_INLINE_svc_rule_68719541437 object-group 
CSM_INLINE_src_rule_68719541437 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_8

 remark Data Center Wireless Control to AP's and Controllers in stores

 permit object-group CSM_INLINE_svc_rule_68719541429 object-group 
CSM_INLINE_src_rule_68719541429 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_9

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group STORE-POS

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip any 192.168.52.0 0.0.0.255

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444

 remark --Large store Clock Server to CUAE

 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000

 remark ---LiteScape Application---

 permit ip any host 192.168.46.82

 permit ip any 239.192.0.0 0.0.0.255

 permit ip any host 239.255.255.250

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp any 192.168.46.0 0.0.0.255 eq 7777

 permit tcp any 192.168.46.0 0.0.0.255 eq 6003

 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group causer v3 priv

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps flash insertion removal

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps ipsla

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server domain-stripping

tacacs-server key 7 <removed>

control-plane

banner exec C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

**** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITACCESS IS A 
VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 login authentication RETAIL

 no exec

 transport preferred none

 transport output none

line 67

 no activation-character

 no exec

 transport preferred none

 transport output none

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

exception data-corruption buffer truncate

scheduler allocate 20000 1000

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

S-A2-MINI-1

S-A2-Mini-1#sh run

Building configuration...

Current configuration : 9017 bytes

! Last configuration change at 02:15:02 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:15:04 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

hostname S-A2-Mini-1

boot-start-marker

boot-end-marker

logging buffered 50000

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

ip subnet-zero

no ip source-route

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-1919348736

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1919348736

 revocation-check none

 rsakeypair TP-self-signed-1919348736

crypto pki certificate chain TP-self-signed-1919348736

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

interface GigabitEthernet0/1

 switchport mode trunk

interface GigabitEthernet0/2

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/3

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/4

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/5

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/6

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/7

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/8

 switchport mode trunk

interface Vlan1

 no ip address

 no ip route-cache

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.159.11 255.255.255.0

 no ip route-cache

ip default-gateway 10.10.159.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps power-ethernet group 1

snmp-server enable traps power-ethernet police

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps energywise

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36028654

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

S-A2-MINI-2

S-A2-Mini-2#sh run

Building configuration...

Current configuration : 9094 bytes

! Last configuration change at 02:19:10 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:19:11 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

hostname S-A2-Mini-2

boot-start-marker

boot-end-marker

logging buffered 50000

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

ip subnet-zero

no ip source-route

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-1919334912

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1919334912

 revocation-check none

 rsakeypair TP-self-signed-1919334912

crypto pki certificate chain TP-self-signed-1919334912

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

interface GigabitEthernet0/1

 description AIR-CAP3502E

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode trunk

interface GigabitEthernet0/2

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/3

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/4

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/5

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/6

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/7

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/8

 switchport mode trunk

interface Vlan1

 no ip address

 no ip route-cache

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.159.12 255.255.255.0

 no ip route-cache

ip default-gateway 10.10.159.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps power-ethernet group 1

snmp-server enable traps power-ethernet police

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps energywise

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

control-plane

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36028680

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

Convenience

R-A2-CONV-1

! Last configuration change at 00:53:21 PST Sat Apr 30 2011 by retail

! NVRAM config last updated at 00:53:22 PST Sat Apr 30 2011 by retail

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

no service password-recovery

hostname R-A2-Conv-1

boot-start-marker

boot system flash c890-universalk9-mz.151-3.T.bin

boot-end-marker

security authentication failure rate 2 log

security passwords min-length 7

logging buffered 50000

no logging rate-limit

enable secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default

 action-type start-stop

 group tacacs+

aaa accounting commands 15 default

 action-type start-stop

 group tacacs+

aaa accounting system default

 action-type start-stop

 group tacacs+

aaa session-id common

clock timezone PST -8 0

clock summer-time PST recurring

service-module wlan-ap 0 bootimage autonomous

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-479252603

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-479252603

 revocation-check none

 rsakeypair TP-self-signed-479252603

crypto pki certificate chain TP-self-signed-479252603

 certificate self-signed 01

  <removed>

  	quit

no ip source-route

ip cef

no ip bootp server

ip domain name cisco-irn.com

ip name-server 192.168.42.130

ip multicast-routing

ip port-map user-8443 port tcp 8443

ip ips config location flash: retries 1 timeout 1

ip ips name Store-IPS

ip ips signature-category

  category all

   retired true

  category ios_ips default

   retired false

ip inspect log drop-pkt

ip inspect audit-trail

ip wccp 61

ip wccp 62

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

no ipv6 cef

multilink bundle-name authenticated

parameter-map type inspect Inspect-1

 audit-trail on

parameter-map type inspect global

 WAAS enable

parameter-map type trend-global trend-glob-map

password encryption aes

license udi pid CISCO891W-AGN-N-K9 sn <removed>

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

object-group network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 udp eq 5246

 udp eq 5247

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 tcp eq 4050

object-group network DC-ALL

 description All of the Data Center

 192.168.0.0 255.255.0.0

object-group network Stores-ALL

 description all store networks

 10.10.0.0 255.255.0.0

object-group network CSM_INLINE_dst_rule_68719541425

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network WCSManager

 description Wireless Manager

 host 192.168.43.135

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 host 192.168.43.21

 host 192.168.43.22

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 host 192.168.43.31

 host 192.168.43.32

object-group network CSM_INLINE_dst_rule_68719541431

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network PAME-DC-1

 host 192.168.44.111

object-group network MSP-DC-1

 description Data Center VSOM

 host 192.168.44.121

object-group network CSM_INLINE_dst_rule_68719541435

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network CSM_INLINE_dst_rule_68719541457

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_68719541461

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_dst_rule_68719541465

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network EMC-NCM

 description EMC Network Configuration Manager

 host 192.168.42.122

object-group network RSA-enVision

 description RSA EnVision Syslog collector and SIM

 host 192.168.42.124

object-group network CSM_INLINE_dst_rule_73014451187

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object EMC-NCM

 group-object RSA-enVision

object-group network TACACS

 description Csico Secure ACS server for TACACS and Radius

 host 192.168.42.131

object-group network RSA-AM

 description RSA Authentication Manager for SecureID

 host 192.168.42.137

object-group network NAC-1

 description ISE server for NAC

 host 192.168.42.111

object-group network CSM_INLINE_dst_rule_73014451193

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object ActiveDirectory.cisco-irn.com

 group-object TACACS

 group-object RSA-AM

 group-object NAC-1

object-group network NAC-2

 host 192.168.42.112

object-group network CSM_INLINE_dst_rule_73014451223

 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object NAC-2

 group-object NAC-1

object-group network DC-Admin

 description DC Admin Systems

 host 192.168.41.101

 host 192.168.41.102

object-group network CSManager

 description Cisco Security Manager

 host 192.168.42.133

object-group network CSM_INLINE_src_rule_68719541409

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object EMC-NCM

 group-object CSManager

object-group network CSM_INLINE_src_rule_68719541427

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-ALL

 group-object Stores-ALL

object-group network CSM_INLINE_src_rule_68719541429

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_68719541433

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object PAME-DC-1

 group-object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 host 192.168.48.10

 host 192.168.49.10

 host 192.168.47.11

 host 192.168.47.12

object-group network CSM_INLINE_src_rule_68719541437

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-WAAS

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_73014451215

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network CSM_INLINE_src_rule_73014451217

 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)

 group-object DC-Admin

 group-object DC-POS-Tomax

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group service CSM_INLINE_svc_rule_68719541409

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

object-group service CSM_INLINE_svc_rule_68719541425

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service CSM_INLINE_svc_rule_68719541427

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 udp eq 12222

 udp eq 12223

object-group service TFTP

 description Trivial File Transfer

 tcp eq 69

 udp eq tftp

object-group service IP-Protocol-97

 description IP protocol 97

object-group service CSM_INLINE_svc_rule_68719541429

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq www

 tcp eq 22

 tcp eq telnet

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object TFTP

 group-object IP-Protocol-97

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 udp eq 16666

 udp eq 16667

object-group service CSM_INLINE_svc_rule_68719541431

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq isakmp

 group-object CAPWAP

 group-object LWAPP

 group-object Cisco-Mobility

 group-object IP-Protocol-97

object-group service HTTPS-8443

 tcp eq 8443

object-group service Microsoft-DS-SMB

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

 tcp eq 445

object-group service CSM_INLINE_svc_rule_68719541437

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_68719541439

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_68719541455

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp

 tcp-udp eq 5060

 tcp eq 2000

 tcp eq www

 tcp eq 443

 group-object TFTP

object-group service CSM_INLINE_svc_rule_68719541457

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp-udp eq 5060

 tcp eq 2000

object-group service Netbios

 description Netbios Servers

 udp eq netbios-dgm

 udp eq netbios-ns

 tcp eq 139

object-group service ORACLE-SIM

 description Oracle Store Inventory Management

 tcp eq 7777

 tcp eq 6003

 tcp range 12401 12500

object-group service RDP

 description Windows Remote Desktop

 tcp eq 3389

object-group service Workbrain

 tcp eq 8444

object-group service CSM_INLINE_svc_rule_68719541459

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq ftp

 tcp eq www

 tcp eq 443

 udp eq 88

 tcp-udp eq 42

 group-object Microsoft-DS-SMB

 group-object Netbios

 group-object ORACLE-SIM

 group-object RDP

 group-object Workbrain

object-group service CSM_INLINE_svc_rule_73014451187

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq syslog

 udp eq snmp

 udp eq snmptrap

object-group service CSM_INLINE_svc_rule_73014451193

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq tacacs

 udp eq 1812

 udp eq 1813

 tcp eq 389

 tcp eq 636

object-group service vCenter-to-ESX4

 description Communication from vCetner to ESX hosts

 tcp eq 5989

 tcp eq 8000

 tcp eq 902

 tcp eq 903

object-group service CSM_INLINE_svc_rule_73014451195

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq 22

 group-object vCenter-to-ESX4

object-group service ESX-SLP

 description CIM Service Location Protocol (SLP) for VMware systems

 udp eq 427

 tcp eq 427

object-group service CSM_INLINE_svc_rule_73014451197

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object vCenter-to-ESX4

 group-object ESX-SLP

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 tcp range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 tcp eq 7001

 tcp eq 7002

 tcp eq 1521

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 tcp eq 2809

 tcp eq 9443

 tcp eq 1414

object-group service ORACLE-OAS

 description OAS uses one port for HTTP and RMI - 12601.

 tcp eq 12601

object-group service CSM_INLINE_svc_rule_73014451203

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_73014451205

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object ORACLE-OAS

object-group service CSM_INLINE_svc_rule_73014451207

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_73014451209

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 tcp eq 22

 group-object HTTPS-8443

object-group service TOMAX-8990

 description Tomax Application Port

 tcp eq 8990

object-group service CSM_INLINE_svc_rule_73014451211

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service CSM_INLINE_svc_rule_73014451213

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq 443

 group-object TOMAX-8990

object-group service ICMP-Requests

 description ICMP requests

 icmp information-request

 icmp mask-request

 icmp timestamp-request

object-group service CSM_INLINE_svc_rule_73014451215

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service CSM_INLINE_svc_rule_73014451217

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 icmp echo

 icmp echo-reply

 icmp traceroute

 icmp unreachable

 icmp redirect

 icmp alternate-address

 group-object ICMP-Requests

object-group service DNS-Resolving

 description Domain Name Server

 tcp eq domain

 udp eq domain

object-group service CSM_INLINE_svc_rule_73014451221

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 udp eq bootps

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_73014451223

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 group-object HTTPS-8443

object-group service CSM_INLINE_svc_rule_73014451388

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

 tcp eq 139

 group-object Microsoft-DS-SMB

object-group service CSM_INLINE_svc_rule_73014451393

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group service CSM_INLINE_svc_rule_73014451395

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451397

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

tcp

udp

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451404

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

object-group service CSM_INLINE_svc_rule_73014451406

 description Generated by CS-Manager from service of ZbfInspectRule# 0 
(Store-Small/mandatory)

 tcp eq www

 tcp eq 443

 tcp eq smtp

 tcp eq pop3

 tcp eq 143

object-group network DC-Applications

 description Applications in the Data Center that are non-PCI related(Optimized by 
CS-Manager)

 192.168.180.0 255.255.254.0

object-group network DC-Voice

 description Data Center Voice

 192.168.45.0 255.255.255.0

object-group network MS-Update

 description Windows Update Server

 host 192.168.42.150

object-group network MSExchange

 description Mail Server

 host 192.168.42.140

object-group service NTP

 description NTP Protocols

 tcp eq 123

 udp eq ntp

object-group network NTP-Servers

 description NTP Servers

 host 192.168.62.161

 host 162.168.62.162

object-group network STORE-POS

 10.10.0.0 255.255.0.0

object-group network vSphere-1

 description vSphere server for Lab

 host 192.168.41.102

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7

 match protocol http

 match protocol https

 match protocol microsoft-ds

 match protocol ms-sql

 match protocol ms-sql-m

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol oracle

 match protocol oracle-em-vp

 match protocol oraclenames

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_10

 match access-group name CSM_ZBF_CMAP_ACL_10

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16

 match protocol http

 match protocol https

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_23

 match access-group name CSM_ZBF_CMAP_ACL_23

 match class-map CSM_ZBF_CMAP_PLMAP_16

class-map type inspect match-all CSM_ZBF_CLASS_MAP_32

 match access-group name CSM_ZBF_CMAP_ACL_32

class-map type inspect match-all CSM_ZBF_CLASS_MAP_11

 match access-group name CSM_ZBF_CMAP_ACL_11

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_22

 match access-group name CSM_ZBF_CMAP_ACL_22

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4

 match protocol http

 match protocol https

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_33

 match access-group name CSM_ZBF_CMAP_ACL_33

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tftp

 match protocol http

 match protocol https

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_12

 match access-group name CSM_ZBF_CMAP_ACL_12

 match class-map CSM_ZBF_CMAP_PLMAP_8

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15

 match protocol http

 match protocol https

 match protocol netbios-ns

 match protocol netbios-dgm

 match protocol netbios-ssn

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_21

 match access-group name CSM_ZBF_CMAP_ACL_21

 match class-map CSM_ZBF_CMAP_PLMAP_15

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17

 match protocol http

 match protocol https

 match protocol imap3

 match protocol pop3

 match protocol pop3s

 match protocol smtp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_30

 match access-group name CSM_ZBF_CMAP_ACL_30

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9

 match protocol syslog

 match protocol syslog-conn

 match protocol snmp

 match protocol snmptrap

class-map type inspect match-all CSM_ZBF_CLASS_MAP_13

 match access-group name CSM_ZBF_CMAP_ACL_13

 match class-map CSM_ZBF_CMAP_PLMAP_9

class-map type inspect match-all CSM_ZBF_CLASS_MAP_20

 match access-group name CSM_ZBF_CMAP_ACL_20

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20

 match protocol http

 match protocol https

 match protocol netbios-dgm

 match protocol netbios-ns

 match protocol netbios-ssn

 match protocol ftp

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_31

 match access-group name CSM_ZBF_CMAP_ACL_31

 match class-map CSM_ZBF_CMAP_PLMAP_20

class-map match-all BRANCH-BULK-DATA

 match protocol tftp

 match protocol nfs

 match access-group name BULK-DATA-APPS

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10

 match protocol ldaps

 match protocol ldap

 match protocol ldap-admin

 match protocol radius

 match protocol tacacs

 match protocol tacacs-ds

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_14

 match access-group name CSM_ZBF_CMAP_ACL_14

 match class-map CSM_ZBF_CMAP_PLMAP_10

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18

 match protocol http

 match protocol https

 match protocol udp

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_27

 match access-group name CSM_ZBF_CMAP_ACL_27

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22

 match protocol sip

 match protocol sip-tls

 match protocol skinny

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_36

 match access-group name CSM_ZBF_CMAP_ACL_36

 match class-map CSM_ZBF_CMAP_PLMAP_22

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11

 match protocol ntp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_15

 match access-group name CSM_ZBF_CMAP_ACL_15

 match class-map CSM_ZBF_CMAP_PLMAP_11

class-map type inspect match-all CSM_ZBF_CLASS_MAP_26

 match access-group name CSM_ZBF_CMAP_ACL_26

 match class-map CSM_ZBF_CMAP_PLMAP_17

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12

 match protocol bootpc

 match protocol bootps

 match protocol udp

 match protocol tcp

 match protocol dns

 match protocol dhcp-failover

class-map type inspect match-all CSM_ZBF_CLASS_MAP_16

 match access-group name CSM_ZBF_CMAP_ACL_16

 match class-map CSM_ZBF_CMAP_PLMAP_12

class-map type inspect match-all CSM_ZBF_CLASS_MAP_25

 match access-group name CSM_ZBF_CMAP_ACL_25

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_34

 match access-group name CSM_ZBF_CMAP_ACL_34

class-map type inspect match-all CSM_ZBF_CLASS_MAP_17

 match access-group name CSM_ZBF_CMAP_ACL_17

 match protocol icmp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_24

 match access-group name CSM_ZBF_CMAP_ACL_24

 match class-map CSM_ZBF_CMAP_PLMAP_7

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21

 match protocol tcp

 match protocol udp

 match protocol http

 match protocol https

class-map type inspect match-all CSM_ZBF_CLASS_MAP_35

 match access-group name CSM_ZBF_CMAP_ACL_35

 match class-map CSM_ZBF_CMAP_PLMAP_21

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13

 match protocol https

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_18

 match access-group name CSM_ZBF_CMAP_ACL_18

 match class-map CSM_ZBF_CMAP_PLMAP_13

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14

 match protocol http

 match protocol https

 match protocol user-8443

class-map type inspect match-all CSM_ZBF_CLASS_MAP_19

 match access-group name CSM_ZBF_CMAP_ACL_19

 match class-map CSM_ZBF_CMAP_PLMAP_14

class-map type inspect match-all CSM_ZBF_CLASS_MAP_29

 match access-group name CSM_ZBF_CMAP_ACL_29

 match class-map CSM_ZBF_CMAP_PLMAP_18

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19

 match protocol http

 match protocol https

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_28

 match access-group name CSM_ZBF_CMAP_ACL_28

 match class-map CSM_ZBF_CMAP_PLMAP_19

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1

 match protocol https

 match protocol ssh

class-map type inspect match-all CSM_ZBF_CLASS_MAP_1

 match access-group name CSM_ZBF_CMAP_ACL_1

 match class-map CSM_ZBF_CMAP_PLMAP_1

class-map type inspect match-all CSM_ZBF_CLASS_MAP_3

 match access-group name CSM_ZBF_CMAP_ACL_3

 match protocol icmp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2

 match protocol https

 match protocol http

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_2

 match access-group name CSM_ZBF_CMAP_ACL_2

 match class-map CSM_ZBF_CMAP_PLMAP_2

class-map type inspect match-all CSM_ZBF_CLASS_MAP_5

 match access-group name CSM_ZBF_CMAP_ACL_5

 match class-map CSM_ZBF_CMAP_PLMAP_4

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3

 match protocol http

 match protocol https

 match protocol ssh

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

 match access-group name CSM_ZBF_CMAP_ACL_4

 match class-map CSM_ZBF_CMAP_PLMAP_3

class-map type inspect match-all CSM_ZBF_CLASS_MAP_7

 match access-group name CSM_ZBF_CMAP_ACL_7

 match class-map CSM_ZBF_CMAP_PLMAP_5

class-map type inspect match-all CSM_ZBF_CLASS_MAP_6

 match access-group name CSM_ZBF_CMAP_ACL_6

 match protocol tcp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_9

 match access-group name CSM_ZBF_CMAP_ACL_9

 match protocol tcp

class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6

 match protocol http

 match protocol https

 match protocol ssh

 match protocol telnet

 match protocol tftp

 match protocol isakmp

 match protocol tcp

 match protocol udp

class-map type inspect match-all CSM_ZBF_CLASS_MAP_8

 match access-group name CSM_ZBF_CMAP_ACL_8

 match class-map CSM_ZBF_CMAP_PLMAP_6

class-map match-all BULK-DATA

 match ip dscp af11  af12

class-map match-all INTERACTIVE-VIDEO

 match ip dscp af41  af42

class-map match-any BRANCH-TRANSACTIONAL-DATA

 match protocol citrix

 match protocol ldap

 match protocol telnet

 match protocol sqlnet

 match protocol http url "*SalesReport*"

 match access-group name TRANSACTIONAL-DATA-APPS

class-map match-all BRANCH-MISSION-CRITICAL

 match access-group name MISSION-CRITICAL-SERVERS

class-map match-all VOICE

 match ip dscp ef

class-map match-all MISSION-CRITICAL-DATA

 match ip dscp 25

class-map match-any BRANCH-NET-MGMT

 match protocol snmp

 match protocol syslog

 match protocol dns

 match protocol icmp

 match protocol ssh

 match access-group name NET-MGMT-APPS

class-map match-all ROUTING

 match ip dscp cs6

class-map match-all SCAVENGER

 match ip dscp cs1

class-map match-all NET-MGMT

 match ip dscp cs2

class-map match-any BRANCH-SCAVENGER

 match protocol gnutella

 match protocol fasttrack

 match protocol kazaa2

class-map match-any CALL-SIGNALING

 match ip dscp cs3

class-map match-all TRANSACTIONAL-DATA

 match ip dscp af21  af22

policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Guest

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W

 class class-default

  drop log

policy-map BRANCH-LAN-EDGE-OUT

 class class-default

policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS

 class class-default

  drop log

policy-map BRANCH-WAN-EDGE

 class VOICE

  priority percent 18

 class INTERACTIVE-VIDEO

  priority percent 15

 class CALL-SIGNALING

  bandwidth percent 5

 class ROUTING

  bandwidth percent 3

 class NET-MGMT

  bandwidth percent 2

 class MISSION-CRITICAL-DATA

  bandwidth percent 15

  random-detect

 class TRANSACTIONAL-DATA

  bandwidth percent 12

  random-detect dscp-based

 class BULK-DATA

  bandwidth percent 4

  random-detect dscp-based

 class SCAVENGER

  bandwidth percent 1

 class class-default

  bandwidth percent 25

  random-detect

policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_18

 class type inspect CSM_ZBF_CLASS_MAP_28

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_19

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_29

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_31

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_16

 class type inspect CSM_ZBF_CLASS_MAP_24

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_17

 class type inspect CSM_ZBF_CLASS_MAP_25

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_26

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_27

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_14

 class type inspect CSM_ZBF_CLASS_MAP_22

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_15

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_23

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_12

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_20

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_21

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_30

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_34

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_35

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_13

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_21

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_20

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_32

  drop log

 class type inspect CSM_ZBF_CLASS_MAP_33

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_10

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_11

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_18

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_22

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_19

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_36

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_9

 class type inspect CSM_ZBF_CLASS_MAP_13

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_14

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_15

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_16

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_17

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_MAP_8

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_12

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_7

 class type inspect CSM_ZBF_CLASS_MAP_9

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_10

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_11

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_6

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_5

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_8

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_4

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_6

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_7

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_3

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_5

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_2

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_4

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_MAP_1

 class type inspect CSM_ZBF_CLASS_MAP_1

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_2

  inspect Inspect-1

 class type inspect CSM_ZBF_CLASS_MAP_3

  inspect Inspect-1

 class class-default

  drop

policy-map type inspect CSM_ZBF_POLICY_S_Partners_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS

 class class-default

  drop log

policy-map BRANCH-LAN-EDGE-IN

 class BRANCH-MISSION-CRITICAL

  set ip dscp 25

 class BRANCH-TRANSACTIONAL-DATA

  set ip dscp af21

 class BRANCH-NET-MGMT

  set ip dscp cs2

 class BRANCH-BULK-DATA

  set ip dscp af11

 class BRANCH-SCAVENGER

  set ip dscp cs1

policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS

 class class-default

  drop log

policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W

 class class-default

  drop log

zone security S_WAN

 description Store WAN Link

zone security LOOPBACK

 description Loopback interface

zone security S_MGMT

 description VLAN1000 Management

zone security S_Security

 description VLAN20 Physical Security Systems

zone security S_WAAS

 description VLAN19 WAAS optimization

zone security S_WLC-AP

 description VLAN18 Wireless Systems

zone security S_Data

 description VLAN12 Store Data

zone security S_Data-W

 description VLAN14 Store Wireless Data

zone security S_Guest

 description VLAN17 Guest/Public Wireless

zone security S_Voice

 description VLAN13 Store Voice

zone security S_Partners

 description VLAN16 Partner network

zone security S_POS

 description VLAN 11 POS Data

zone security S_POS-W

 description VLAN15 Store Wireless POS

zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK

 service-policy type inspect CSM_ZBF_POLICY_MAP_1

zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT

 service-policy type inspect CSM_ZBF_POLICY_MAP_2

zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security

 service-policy type inspect CSM_ZBF_POLICY_MAP_3

zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS

 service-policy type inspect CSM_ZBF_POLICY_MAP_4

zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP

 service-policy type inspect CSM_ZBF_POLICY_MAP_5

zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W

zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest

 service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Guest

zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_MAP_6

zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_7

zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice

 service-policy type inspect CSM_ZBF_POLICY_MAP_8

zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_9

zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W

zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_11

zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS

zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W

zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_12

zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS

zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS-W

zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_13

zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS

zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W

zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_14

zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners

 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners

zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_15

zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS

zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W

zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_16

zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_17

zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_MAP_18

zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS

zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS-W

zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS

zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W

zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_19

zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS

zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W

zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_20

zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Partners_S_POS

zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_MAP_10

zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_21

zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS

 service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS

zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W

 service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W

zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN

 service-policy type inspect CSM_ZBF_POLICY_MAP_22

interface Loopback0

 ip address 10.10.174.1 255.255.255.255

 ip pim sparse-dense-mode

 zone-member security LOOPBACK

interface FastEthernet0

 switchport mode trunk

interface FastEthernet1

 switchport access vlan 17

 switchport protected

interface FastEthernet2

 switchport access vlan 17

 switchport protected

interface FastEthernet3

 switchport access vlan 17

 switchport protected

interface FastEthernet4

 switchport access vlan 17

 switchport protected

interface FastEthernet5

 switchport access vlan 17

 switchport protected

interface FastEthernet6

 switchport access vlan 17

 switchport protected

interface FastEthernet7

 switchport access vlan 17

 switchport protected

interface FastEthernet8

 no ip address

 duplex auto

 speed auto

interface FastEthernet8.1

interface GigabitEthernet0

 ip address 10.10.255.160 255.255.255.0

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_WAN

 duplex auto

 speed auto

 service-policy output BRANCH-WAN-EDGE

interface wlan-ap0

 description Service module interface to manage the embedded AP

 ip address 10.10.174.33 255.255.255.252

 zone-member security S_WLC-AP

 service-module ip address 10.10.174.34 255.255.255.252

 service-module ip default-gateway 10.10.174.33

 arp timeout 0

interface Wlan-GigabitEthernet0

 description Internal switch interface connecting to the embedded AP

 switchport mode trunk

 zone-member security S_WLC-AP

 service-module ip address 10.10.174.34 255.255.255.252

 service-module ip default-gateway 10.10.174.33

interface Vlan1

 no ip address

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS

interface Vlan11

 description POS

 ip address 10.10.160.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS

 standby 11 ip 10.10.160.1

 standby 11 priority 101

 standby 11 preempt

 ip igmp query-interval 125

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan12

 description DATA

 ip address 10.10.161.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip wccp 61 redirect in

 ip pim sparse-dense-mode

 zone-member security S_Data

 standby 12 ip 10.10.161.1

 standby 12 priority 101

 standby 12 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan13

 description VOICE

 ip address 10.10.162.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip pim sparse-dense-mode

 zone-member security S_Voice

 standby 13 ip 10.10.162.1

 standby 13 priority 101

 standby 13 preempt

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan14

 description WIRELESS

 ip address 10.10.163.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Data-W

 standby 14 ip 10.10.163.1

 standby 14 priority 101

 standby 14 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan15

 description WIRELESS-POS

 ip address 10.10.164.2 255.255.255.0

 ip helper-address 192.168.42.130

 ip ips Store-IPS in

 ip ips Store-IPS out

 zone-member security S_POS-W

 standby 15 ip 10.10.164.1

 standby 15 priority 101

 standby 15 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan16

 description PARTNER

 ip address 10.10.165.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Partners

 standby 16 ip 10.10.165.1

 standby 16 priority 101

 standby 16 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan17

 description WIRELESS-GUEST

 ip address 10.10.166.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Guest

 standby 17 ip 10.10.166.1

 standby 17 priority 101

 standby 17 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan18

 description WIRELESS-CONTROL

 ip address 10.10.167.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WLC-AP

 standby 18 ip 10.10.167.1

 standby 18 priority 101

 standby 18 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan19

 description WAAS

 ip address 10.10.168.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_WAAS

 standby 19 ip 10.10.168.1

 standby 19 priority 101

 standby 19 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan20

 description SECURITY

 ip address 10.10.169.2 255.255.255.0

 ip helper-address 192.168.42.130

 zone-member security S_Security

 standby 20 ip 10.10.169.1

 standby 20 priority 101

 standby 20 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Vlan1000

 description MANAGEMENT

 ip address 10.10.175.2 255.255.255.0

 zone-member security S_MGMT

 standby 100 ip 10.10.175.1

 standby 100 priority 101

 standby 100 preempt

 service-policy input BRANCH-LAN-EDGE-IN

 service-policy output BRANCH-LAN-EDGE-OUT

interface Async1

 no ip address

 encapsulation slip

interface Group-Async0

 physical-layer async

 no ip address

 encapsulation slip

 no group-range

router ospf 5

 router-id 10.10.174.1

 passive-interface default

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip route 0.0.0.0 0.0.0.0 10.10.255.11

ip tacacs source-interface Loopback0

ip access-list extended BULK-DATA-APPS

 remark ---File Transfer---

 permit tcp any any eq ftp

 permit tcp any any eq ftp-data

 remark ---E-mail traffic---

 permit tcp any any eq smtp

 permit tcp any any eq pop3

 permit tcp any any eq 143

 remark ---other EDM app protocols---

 permit tcp any any range 3460 3466

 permit tcp any range 3460 3466 any

 remark ---messaging services---

 permit tcp any any eq 2980

 permit tcp any eq 2980 any

 remark ---Microsoft file services---

 permit tcp any any range 137 139

 permit tcp any range 137 139 any

ip access-list extended CSM_ZBF_CMAP_ACL_1

 remark Data Center Mgmt to Devices

 permit object-group CSM_INLINE_svc_rule_68719541409 object-group 
CSM_INLINE_src_rule_68719541409 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_10

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle 
object-group STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group 
STORE-POS

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax 
object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_11

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451215 object-group 
CSM_INLINE_src_rule_73014451215 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_12

 remark Data Center VOICE (wired and Wireless)

 permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_13

 remark Syslog and SNMP Alerts

 permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451187

ip access-list extended CSM_ZBF_CMAP_ACL_14

 remark Store to Data Center Authentications

 permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451193

ip access-list extended CSM_ZBF_CMAP_ACL_15

 remark Store to Data Center for NTP

 permit object-group NTP object-group Stores-ALL object-group NTP-Servers

ip access-list extended CSM_ZBF_CMAP_ACL_16

 remark Store to Data Center for DHCP and DNS

 permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group 
ActiveDirectory.cisco-irn.com

ip access-list extended CSM_ZBF_CMAP_ACL_17

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541425

ip access-list extended CSM_ZBF_CMAP_ACL_18

 remark Store UCS E-series server to Data Center vShphere

 permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group 
vSphere-1

ip access-list extended CSM_ZBF_CMAP_ACL_19

 remark Store NAC

 permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_73014451223

ip access-list extended CSM_ZBF_CMAP_ACL_2

 remark Data Center subscribe to IPS SDEE events

 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443

ip access-list extended CSM_ZBF_CMAP_ACL_20

 remark Store to Data Center Physical Security

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435

ip access-list extended CSM_ZBF_CMAP_ACL_21

 remark Store WAAS (WAAS Devices need their own zone)

 permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group 
DC-WAAS

ip access-list extended CSM_ZBF_CMAP_ACL_22

 remark Store WAAS to Clients and Servers

 permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_23

 remark Store to Data Center wireless controller traffic

 permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541431

ip access-list extended CSM_ZBF_CMAP_ACL_24

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group 
DC-POS-Oracle

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group 
DC-POS-SAP

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group 
DC-POS-Tomax

ip access-list extended CSM_ZBF_CMAP_ACL_25

 remark Permit POS systems to talk to Data Center Servers

 permit object-group CSM_INLINE_svc_rule_73014451217 object-group 
CSM_INLINE_src_rule_73014451217 object-group STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_26

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_27

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_28

 remark Permit POS clients to talk to store POS server

 permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group 
STORE-POS

ip access-list extended CSM_ZBF_CMAP_ACL_29

 remark Store to Data Center for Windows Updates

 permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group 
MS-Update

ip access-list extended CSM_ZBF_CMAP_ACL_3

 remark Permit ICMP traffic

 permit object-group CSM_INLINE_svc_rule_68719541427 object-group 
CSM_INLINE_src_rule_68719541427 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_30

 remark Store to Data Center for E-mail

 permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group 
MSExchange

ip access-list extended CSM_ZBF_CMAP_ACL_31

 remark Store DATA (wired and Wireless - Access to DC Other applications)

 permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group 
DC-Applications

ip access-list extended CSM_ZBF_CMAP_ACL_32

 remark Store GUEST - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465

ip access-list extended CSM_ZBF_CMAP_ACL_33

 remark Store GUEST (access to internet/DMZ web servers)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_34

 remark Store PARTNERS - Drop Traffic to Enterprise

 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461

ip access-list extended CSM_ZBF_CMAP_ACL_35

 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)

 permit ip object-group Stores-ALL any

ip access-list extended CSM_ZBF_CMAP_ACL_36

 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)

 permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group 
CSM_INLINE_dst_rule_68719541457

ip access-list extended CSM_ZBF_CMAP_ACL_4

 remark Data Center vSphere to UCS E-series server

 permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group 
Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_5

 remark Data Center to Store Physical Security

 permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_6

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_7

 remark Data Center WAAS to Store

 permit object-group CSM_INLINE_svc_rule_68719541437 object-group 
CSM_INLINE_src_rule_68719541437 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_8

 remark Data Center Wireless Control to AP's and Controllers in stores

 permit object-group CSM_INLINE_svc_rule_68719541429 object-group 
CSM_INLINE_src_rule_68719541429 object-group Stores-ALL

ip access-list extended CSM_ZBF_CMAP_ACL_9

 remark Data Center Mgmt to Devices

 permit object-group RDP object-group DC-Admin object-group STORE-POS

ip access-list extended MISSION-CRITICAL-SERVERS

 remark ---POS Applications---

 permit ip any 192.168.52.0 0.0.0.255

ip access-list extended NET-MGMT-APPS

 remark - Router user Authentication - Identifies TACACS Control traffic

 permit tcp any any eq tacacs

 permit tcp any eq tacacs any

ip access-list extended TRANSACTIONAL-DATA-APPS

 remark ---Workbrain Application---

 remark --Large Store Clock Server to Central Clock Application

 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444

 remark --Large store Clock Server to CUAE

 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000

 remark ---LiteScape Application---

 permit ip any host 192.168.46.82

 permit ip any 239.192.0.0 0.0.0.255

 permit ip any host 239.255.255.250

 remark ---Remote Desktop---

 permit tcp any any eq 3389

 permit tcp any eq 3389 any

 remark ---Oracle SIM---

 permit tcp any 192.168.46.0 0.0.0.255 eq 7777

 permit tcp any 192.168.46.0 0.0.0.255 eq 6003

 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500

 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any

 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any

 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any

logging esm config

logging trap debugging

logging source-interface Loopback0

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group causer v3 priv

snmp-server group remoteuser v3 noauth

snmp-server trap-source Loopback0

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps flash insertion removal

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps energywise

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps hsrp

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps ipsla

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server domain-stripping

tacacs-server key 7 <removed>

control-plane

banner exec C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner incoming C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

banner login C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line 1

 modem InOut

 stopbits 1

 speed 115200

 flowcontrol hardware

line 2

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output none

line aux 0

 session-timeout 1  output

 exec-timeout 0 1

 privilege level 0

 login authentication RETAIL

 no exec

 transport preferred none

 transport output none

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

scheduler max-task-time 5000

ntp source Loopback0

ntp server 192.168.62.161 prefer

ntp server 192.168.62.162

end

S-A2-CONV-1

Building configuration...

Current configuration : 8808 bytes

! Last configuration change at 02:11:23 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:11:23 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

service sequence-numbers

hostname S-A2-Conv-1

boot-start-marker

boot-end-marker

logging buffered 50000

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-3179870208

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3179870208

 revocation-check none

 rsakeypair TP-self-signed-3179870208

crypto pki certificate chain TP-self-signed-3179870208

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  notify syslog contenttype plaintext

  hidekeys

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

ip ssh version 2

ip scp server enable

interface FastEthernet0/1

 switchport mode trunk

interface FastEthernet0/2

 description AIR-CAP1042N

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode trunk

interface FastEthernet0/3

interface FastEthernet0/4

interface FastEthernet0/5

interface FastEthernet0/6

interface FastEthernet0/7

interface FastEthernet0/8

interface GigabitEthernet0/1

 switchport mode trunk

interface Vlan1

 no ip address

 no ip route-cache

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.175.11 255.255.255.0

 no ip route-cache

ip default-gateway 10.10.175.1

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

ip sla enable reaction-alerts

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps power-ethernet group 1

snmp-server enable traps power-ethernet police

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps energywise

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server enable traps errdisable

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131 timeout 5

tacacs-server directed-request

tacacs-server key 7 <removed>

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36028799

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

Managed Service Provider

FW-A2-MSP-1

FW-A2-MSP-1# sh ver

Cisco Adaptive Security Appliance Software Version 9.0(0)129

Device Manager Version 7.0(0)40

Compiled on Wed 03-Oct-12 14:19 PDT by builders

System image file is "disk0:/asa900-129-smp-k8.bin"

Config file at boot was "startup-config"

FW-A2-MSP-1 up 97 days 23 hours

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)

            ASA: 4096 MB RAM, 1 CPU (1 core)

Internal ATA Compact Flash, 8192MB

BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)

                             Boot microcode        : CNPx-MC-BOOT-2.00

                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020

                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0022

                             Number of accelerators: 1

Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is d48c.b54d.9520, irq 11

 1: Ext: GigabitEthernet0/0  : address is d48c.b54d.9524, irq 10

 2: Ext: GigabitEthernet0/1  : address is d48c.b54d.9521, irq 10

 3: Ext: GigabitEthernet0/2  : address is d48c.b54d.9525, irq 5

 4: Ext: GigabitEthernet0/3  : address is d48c.b54d.9522, irq 5

 5: Ext: GigabitEthernet0/4  : address is d48c.b54d.9526, irq 10

 6: Ext: GigabitEthernet0/5  : address is d48c.b54d.9523, irq 10

 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0

 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0

 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0

10: Ext: Management0/0       : address is d48c.b54d.9520, irq 0

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 5              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 10             perpetual

AnyConnect Essentials             : 250            perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Enabled        perpetual

AnyConnect for Cisco VPN Phone    : Enabled        perpetual

Advanced Endpoint Assessment      : Enabled        perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Enabled        perpetual

IPS Module                        : Enabled        perpetual

Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH162771K6

Running Permanent Activation Key: 0xbb3ac554 0x607ed951 0x5d428d70 0xcec038dc 0x0d09f584

Configuration register is 0x1

Configuration last modified by bmcgloth at 13:15:34.337 PST Fri Dec 21 2012

FW-A2-MSP-1#

FW-A2-MSP-1#

FW-A2-MSP-1#

FW-A2-MSP-1#

FW-A2-MSP-1# sh run

: Saved

ASA Version 9.0(0)129

terminal width 511

hostname FW-A2-MSP-1

domain-name cisco-irn.com

enable password WKlYt0jXwtQLFcz7 encrypted

passwd WKlYt0jXwtQLFcz7 encrypted

names

dns-guard

interface GigabitEthernet0/0

 nameif MSP-WAN

 security-level 0

 ip address 10.10.255.176 255.255.255.0

interface GigabitEthernet0/1

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/1.11

 vlan 11

 nameif POS

 security-level 95

 ip address 10.10.176.1 255.255.255.0

interface GigabitEthernet0/1.12

 vlan 12

 nameif DATA

 security-level 85

 ip address 10.10.177.1 255.255.255.0

interface GigabitEthernet0/1.13

 vlan 13

 nameif VOICE

 security-level 80

 ip address 10.10.178.1 255.255.255.0

interface GigabitEthernet0/1.14

 vlan 14

 nameif WIRELESS

 security-level 70

 ip address 10.10.179.1 255.255.255.0

interface GigabitEthernet0/1.15

 vlan 15

 nameif WIRELESS-POS

 security-level 90

 ip address 10.10.180.1 255.255.255.0

interface GigabitEthernet0/1.16

 vlan 16

 nameif PARTNER

 security-level 65

 ip address 10.10.181.1 255.255.255.0

interface GigabitEthernet0/1.17

 vlan 17

 nameif WIRELESS-GUEST

 security-level 10

 ip address 10.10.182.1 255.255.255.0

interface GigabitEthernet0/1.18

 vlan 18

 nameif WIRELESS-CONTROL

 security-level 75

 ip address 10.10.183.1 255.255.255.0

interface GigabitEthernet0/1.19

 vlan 19

 nameif WAAS

 security-level 100

 ip address 10.10.184.1 255.255.255.0

interface GigabitEthernet0/1.1000

 vlan 1000

 nameif MANAGEMENT

 security-level 100

 ip address 10.10.191.1 255.255.255.0

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

interface Management0/0

 description IPS management connection

 management-only

 nameif IPS-Mgmt

 security-level 1

 no ip address

banner exec WARNING:

banner exec **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner exec                              **** AUTHORIZED USERS ONLY! ****

banner exec

banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE 
NECESSARY

banner exec TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

banner exec REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME 
WITHOUT

banner exec FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

banner exec

banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS.

banner login WARNING:

banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

banner asdm WARNING:

banner asdm   **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner asdm                   **** AUTHORIZED USERS ONLY! ****

banner asdm

banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH AD                                                       
DITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM 
ADMINISTRATOR OR OTHER REPRESENTATIVES OF T                                                       
HE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT.  
UNAUTHORIZED USE OF  THIS SYSTEM AND ANY O                                                       
THER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT 
OFFICIALS AND PROSECUTION TO THE F

banner asdm

banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS

boot system disk0:/asa900-129-smp-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup MSP-WAN

dns server-group DefaultDNS

 name-server 192.168.42.130

 domain-name cisco-irn.com

same-security-traffic permit inter-interface

object network AdminStation

 host 192.168.41.101

object network AdminStation2

 host 192.168.41.102

object network AdminStation4-bart

 host 10.19.151.99

object network LMS

 host 192.168.42.139

object network CSManager

 host 192.168.42.133

 description Cisco Security Manager

object network AdminStation3

 host 192.168.42.139

object network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object network DC-POS

 subnet 192.168.52.0 255.255.255.0

 description POS in the Data Center

object network WCSManager

 host 192.168.43.135

 description Wireless Manager

object network PAME-DC-1

 host 192.168.44.111

object network MSP-DC-1

 host 192.168.44.121

 description Data Center VSOM

object network DC-ALL

 subnet 192.168.0.0 255.255.0.0

 description All of the Data Center

object network RSA-enVision

 host 192.168.42.124

 description RSA EnVision Syslog collector and SIM

object network TACACS

 host 192.168.42.131

 description Csico Secure ACS server for TACACS and Radius

object network RSA-AM

 host 192.168.42.137

 description RSA Authentication Manager for SecureID

object network NAC-2

 host 192.168.42.112

object network NAC-1

 host 192.168.42.111

 description ISE server for NAC

object network MS-Update

 host 192.168.42.150

 description Windows Update Server

object network MSExchange

 host 192.168.42.140

 description Mail Server

object service RPC

 service tcp destination eq 135

object service LDAP-GC

 service tcp destination eq 3268

object service LDAP-GC-SSL

 service tcp destination eq 3269

object service Kerberos-TCP

 service tcp destination eq 88

object service Microsoft-DS-SMB

 service tcp destination eq 445

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

object service LDAP-UDP

 service udp destination eq 389

object service RPC-HighPorts

 service tcp destination range 1024 65535

object service ORACLE-OAS

 service tcp destination eq 12601

 description OAS uses one port for HTTP and RMI - 12601.

object service TOMAX-8990

 service tcp destination eq 8990

 description Tomax Application Port

object service IP-Protocol-97

 service 97

 description IP protocol 97

object service TCP1080

 service tcp destination eq 1080

object service TCP8080

 service tcp destination eq 8080

object service RDP

 service tcp destination eq 3389

 description Windows Remote Desktop

object-group network CSM_INLINE_src_rule_73014461090

 description Generated by CS-Manager from src of FirewallRule# 1 (ASA-Store_V2/mandatory)

 network-object object AdminStation

 network-object object AdminStation2

 network-object object AdminStation4-bart

object-group network Admin-Systems

 network-object object AdminStation

 network-object object AdminStation2

 network-object object CSManager

 network-object object AdminStation4-bart

 network-object object LMS

 network-object object AdminStation3

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 network-object 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 network-object 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 network-object 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_73014461184

 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-Store_V2/mandatory)

 group-object DC-POS-Tomax

 network-object object DC-POS

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network POS-Store-MSP

 network-object 10.10.176.81 255.255.255.255

object-group network CSM_INLINE_dst_rule_73014461438

 description Generated by CS-Manager from dst of FirewallRule# 5 (ASA-Store_V2/mandatory)

 group-object DC-POS-Tomax

 network-object object DC-POS

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network Store-MSP-POS-net

 network-object 10.10.176.0 255.255.255.0

 network-object 10.10.180.0 255.255.255.0

object-group network CSM_INLINE_dst_rule_73014461436

 description Generated by CS-Manager from dst of FirewallRule# 7 (ASA-Store_V2/mandatory)

 group-object DC-POS-Tomax

 network-object object DC-POS

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 network-object 192.168.43.21 255.255.255.255

 network-object 192.168.43.22 255.255.255.255

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 network-object 192.168.43.31 255.255.255.255

 network-object 192.168.43.32 255.255.255.255

object-group network CSM_INLINE_src_rule_73014461098

 description Generated by CS-Manager from src of FirewallRule# 8 (ASA-Store_V2/mandatory)

 network-object object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_73014461100

 description Generated by CS-Manager from src of FirewallRule# 9 (ASA-Store_V2/mandatory)

 network-object object PAME-DC-1

 network-object object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 network-object 192.168.48.10 255.255.255.255

 network-object 192.168.49.10 255.255.255.255

 network-object 192.168.47.11 255.255.255.255

 network-object 192.168.47.12 255.255.255.255

object-group network NTP-Servers

 description NTP Servers

 network-object 192.168.62.161 255.255.255.255

 network-object 162.168.62.162 255.255.255.255

object-group network CSM_INLINE_dst_rule_73014461120

 description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-Store_V2/mandatory)

 network-object object TACACS

 network-object object RSA-AM

 network-object object NAC-2

 network-object object NAC-1

object-group network CSM_INLINE_dst_rule_73014461126

 description Generated by CS-Manager from dst of FirewallRule# 18 (ASA-Store_V2/mandatory)

 network-object object PAME-DC-1

 network-object object MSP-DC-1

object-group network CSM_INLINE_dst_rule_73014461128

 description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-Store_V2/mandatory)

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group service HTTPS-8443

 service-object tcp destination eq 8443

object-group service CSM_INLINE_svc_rule_73014461092

 description Generated by CS-Manager from service of FirewallRule# 2 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq ssh

 service-object tcp destination eq https

 group-object HTTPS-8443

 service-object udp destination eq snmp

object-group service DNS-Resolving

 description Domain Name Server

 service-object tcp destination eq domain

 service-object udp destination eq domain

object-group service CSM_INLINE_svc_rule_73014461094

 description Generated by CS-Manager from service of FirewallRule# 3 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq ntp

 service-object udp destination eq netbios-dgm

 service-object object RPC

 service-object object LDAP-GC

 service-object object LDAP-GC-SSL

 service-object object Kerberos-TCP

 service-object object Microsoft-DS-SMB

 service-object object LDAP-UDP

 service-object object RPC-HighPorts

 group-object DNS-Resolving

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 service-object tcp destination range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 service-object tcp destination eq 7001

 service-object tcp destination eq 7002

 service-object tcp destination eq sqlnet

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 service-object tcp destination eq 2809

 service-object tcp destination eq 9443

 service-object tcp destination eq 1414

object-group service CSM_INLINE_svc_rule_73014461184

 description Generated by CS-Manager from service of FirewallRule# 4 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 service-object object ORACLE-OAS

 service-object object TOMAX-8990

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object HTTPS-8443

object-group service TFTP

 description Trivial File Transfer

 service-object tcp destination eq 69

 service-object udp destination eq tftp

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 service-object udp destination eq 12222

 service-object udp destination eq 12223

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 service-object udp destination eq 5246

 service-object udp destination eq 5247

object-group service CSM_INLINE_svc_rule_73014461098

 description Generated by CS-Manager from service of FirewallRule# 8 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq www

 service-object udp destination eq isakmp

 service-object tcp destination eq telnet

 service-object tcp destination eq ssh

 service-object object IP-Protocol-97

 group-object TFTP

 group-object LWAPP

 group-object CAPWAP

object-group service CSM_INLINE_svc_rule_73014461102

 description Generated by CS-Manager from service of FirewallRule# 10 
(ASA-Store_V2/mandatory)

 service-object icmp echo

 service-object icmp echo-reply

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 service-object tcp destination eq ftp

 service-object object TCP1080

 service-object object TCP8080

 service-object object RDP

 group-object HTTPS-8443

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 service-object tcp destination eq 4050

object-group service Netbios

 description Netbios Servers

 service-object udp destination eq netbios-dgm

 service-object udp destination eq netbios-ns

 service-object tcp destination eq netbios-ssn

object-group service CSM_INLINE_svc_rule_73014461104

 description Generated by CS-Manager from service of FirewallRule# 11 
(ASA-Store_V2/mandatory)

 service-object object Microsoft-DS-SMB

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Netbios

object-group service CSM_INLINE_svc_rule_73014461106

 description Generated by CS-Manager from service of FirewallRule# 12 
(ASA-Store_V2/mandatory)

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group service CSM_INLINE_svc_rule_73014461112

 description Generated by CS-Manager from service of FirewallRule# 14 
(ASA-Store_V2/mandatory)

 service-object udp destination eq snmptrap

 service-object udp destination eq snmp

 service-object udp destination eq syslog

object-group service CSM_INLINE_svc_rule_73014461120

 description Generated by CS-Manager from service of FirewallRule# 17 
(ASA-Store_V2/mandatory)

 service-object udp destination eq 1812

 service-object udp destination eq 1813

 service-object tcp destination eq https

 service-object tcp destination eq www

 group-object HTTPS-8443

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 service-object udp destination eq 16666

 service-object udp destination eq 16667

object-group service CSM_INLINE_svc_rule_73014461128

 description Generated by CS-Manager from service of FirewallRule# 19 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq https

 service-object udp destination eq isakmp

 service-object object IP-Protocol-97

 group-object Cisco-Mobility

 group-object LWAPP

 group-object CAPWAP

object-group service CSM_INLINE_svc_rule_73014461130

 description Generated by CS-Manager from service of FirewallRule# 20 
(ASA-Store_V2/mandatory)

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group service CSM_INLINE_svc_rule_73014461132

 description Generated by CS-Manager from service of FirewallRule# 21 
(ASA-Store_V2/mandatory)

 service-object object Microsoft-DS-SMB

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Netbios

object-group service CSM_INLINE_svc_rule_73014461134

 description Generated by CS-Manager from service of FirewallRule# 22 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq ntp

 service-object udp destination eq netbios-dgm

 service-object object RPC

 service-object object LDAP-GC

 service-object object LDAP-GC-SSL

 service-object object Kerberos-TCP

 service-object object Microsoft-DS-SMB

 service-object object LDAP-UDP

 service-object object RPC-HighPorts

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_73014461136

 description Generated by CS-Manager from service of FirewallRule# 23 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq www

 service-object tcp destination eq https

object-group service CSM_INLINE_svc_rule_73014461138

 description Generated by CS-Manager from service of FirewallRule# 24 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq smtp

 service-object tcp destination eq pop3

 service-object tcp destination eq imap4

object-group network DM_INLINE_NETWORK_2

 network-object object NAC-1

 network-object object NAC-2

 network-object object TACACS

object-group service DM_INLINE_SERVICE_1

 service-object icmp6 echo

 service-object udp destination eq ntp

object-group service DM_INLINE_SERVICE_2

 service-object icmp echo

 service-object tcp destination eq tacacs

object-group service DM_INLINE_SERVICE_3

 service-object icmp echo

 service-object udp destination eq radius

 service-object udp destination eq radius-acct

object-group service DM_INLINE_SERVICE_4

 service-object icmp echo

 service-object udp destination eq snmp

 service-object udp destination eq snmptrap

 service-object udp destination eq syslog

object-group network DM_INLINE_NETWORK_3

 network-object object LMS

 network-object object RSA-enVision

access-list OUTSIDE remark LAB Testing

access-list OUTSIDE extended permit ip object-group CSM_INLINE_src_rule_73014461090 
10.10.176.0 255.255.248.0

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 
object-group Admin-Systems 10.10.176.0 255.255.24                                                       
8.0

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 
object-group Admin-Systems host 10.10.255.176

access-list OUTSIDE remark Allow Active Directory Domain

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461094 object 
ActiveDirectory.cisco-irn.com 10.10.176.0                                                        
255.255.248.0

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461184 
object-group CSM_INLINE_src_rule_73014461184 obje                                                       
ct-group POS-Store-MSP

access-list OUTSIDE extended deny ip any object-group Store-MSP-POS-net

access-list OUTSIDE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list OUTSIDE remark Wireless Management to Stores

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461098 
object-group CSM_INLINE_src_rule_73014461098 10.1                                                       
0.183.0 255.255.255.0

access-list OUTSIDE remark Physical security systems

access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014461100 
10.10.191.0 255.255.255.0 eq https

access-list OUTSIDE remark Allow Management of store systems

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461102 object 
DC-ALL 10.10.176.0 255.255.248.0

access-list OUTSIDE remark WAAS systems

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461104 
object-group DC-WAAS 10.10.184.0 255.255.255.0

access-list OUTSIDE remark Voice calls

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461106 object 
DC-ALL 10.10.178.0 255.255.255.0

access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461112 
10.10.176.0 255.255.248.0 object RSA-enVision

access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs

access-list OUTSIDE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers 
eq ntp

access-list OUTSIDE remark Drop all other traffic

access-list OUTSIDE extended deny ip any any log

access-list POS remark Allow Applications

access-list POS extended permit tcp object-group POS-Store-MSP object-group 
CSM_INLINE_dst_rule_73014461438 eq https

access-list POS extended deny ip any object-group Store-MSP-POS-net

access-list POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq 
ntp

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 
255.255.248.0 object-group CSM_INLINE_dst                                                       
_rule_73014461120

access-list POS remark Allow Active Directory Domain

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 
255.255.248.0 object ActiveDirectory.cisc                                                       
o-irn.com

access-list POS remark Allow Windows Updates

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 
255.255.248.0 object MS-Update

access-list POS remark Allow Mail

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 
255.255.248.0 object MSExchange

access-list POS remark Drop all other traffic

access-list POS extended deny ip any any log

access-list WIRELESS-POS remark Allow Applications

access-list WIRELESS-POS extended permit tcp object-group POS-Store-MSP object-group 
CSM_INLINE_dst_rule_73014461438 eq https

access-list WIRELESS-POS extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS-POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list WIRELESS-POS extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS-POS remark Allow Active Directory Domain

access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461134 
10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list WIRELESS-POS remark Allow Windows Updates

access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461136 
10.10.176.0 255.255.248.0 object MS-Update

access-list WIRELESS-POS remark Allow Mail

access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list WIRELESS-POS remark Drop all other traffic

access-list WIRELESS-POS extended deny ip any any log

access-list DATA extended deny ip any object-group Store-MSP-POS-net

access-list DATA extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list DATA extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq 
ntp

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 
255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list DATA remark Allow Active Directory Domain

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 
255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list DATA remark Allow Windows Updates

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 
255.255.248.0 object MS-Update

access-list DATA remark Allow Mail

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 
255.255.248.0 object MSExchange

access-list DATA remark Drop all other traffic

access-list DATA extended deny ip any any log

access-list MANAGEMENT extended deny ip any object-group Store-MSP-POS-net

access-list MANAGEMENT extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461112 
10.10.176.0 255.255.248.0 object RSA-enVision

access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq 
tacacs

access-list MANAGEMENT extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list MANAGEMENT extended permit icmp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers

access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461120 
10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list MANAGEMENT remark Physical security systems

access-list MANAGEMENT extended permit tcp 10.10.191.0 255.255.255.0 object-group 
CSM_INLINE_dst_rule_73014461126 eq https

access-list MANAGEMENT remark Allow Mail

access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list MANAGEMENT remark Drop all other traffic

access-list MANAGEMENT extended deny ip any any log

access-list PARTNER extended deny ip any object-group Store-MSP-POS-net

access-list PARTNER extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list PARTNER extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers 
eq ntp

access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461120 
10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list PARTNER remark Allow Mail

access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list PARTNER remark Drop all other traffic

access-list PARTNER extended deny ip any any log

access-list VOICE extended deny ip any object-group Store-MSP-POS-net

access-list VOICE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 
255.255.248.0 object RSA-enVision

access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs

access-list VOICE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers 
eq ntp

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 
255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list VOICE remark Voice calls

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461130 10.10.178.0 
255.255.255.0 object DC-ALL

access-list VOICE remark Allow Mail

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 
255.255.248.0 object MSExchange

access-list VOICE remark Drop all other traffic

access-list VOICE extended deny ip any any log

access-list WAAS extended deny ip any object-group Store-MSP-POS-net

access-list WAAS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 
255.255.248.0 object RSA-enVision

access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs

access-list WAAS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq 
ntp

access-list WAAS remark WAAS systems

access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461132 10.10.184.0 
255.255.255.0 object-group DC-WAAS

access-list WAAS remark Allow Active Directory Domain

access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 
255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list WAAS remark Drop all other traffic

access-list WAAS extended deny ip any any log

access-list WIRELESS extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list WIRELESS extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS remark Allow Active Directory Domain

access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461134 
10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list WIRELESS remark Allow Windows Updates

access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461136 
10.10.176.0 255.255.248.0 object MS-Update

access-list WIRELESS remark Allow Mail

access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list WIRELESS remark Drop all other traffic

access-list WIRELESS extended deny ip any any log

access-list WIRELESS-CONTROL extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS-CONTROL extended deny ip any object-group 
CSM_INLINE_dst_rule_73014461436

access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq 
ssh

access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461112 
10.10.176.0 255.255.248.0 object RSA-enVision

access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object TACACS 
eq tacacs

access-list WIRELESS-CONTROL extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461120 
10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list WIRELESS-CONTROL remark Wireless control systems

access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461128 
10.10.183.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461128

access-list WIRELESS-CONTROL remark Drop all other traffic

access-list WIRELESS-CONTROL extended deny ip any any log

access-list WIRELESS-GUEST extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS-GUEST extended deny ip any object-group 
CSM_INLINE_dst_rule_73014461436

access-list WIRELESS-GUEST extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS-GUEST remark Drop all other traffic

access-list WIRELESS-GUEST extended deny ip any any log

access-list DROP-ALL extended deny ip any any log disable

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_1 
10.10.191.0 255.255.255.0 object-group NTP-Servers log disable

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_2 
10.10.191.0 255.255.255.0 object TACACS

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_3 
10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 log disable

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_4 
10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 log disable

access-list MANAGEMENT_access_in extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging buffer-size 100000

logging trap informational

logging asdm informational

logging host MSP-WAN 192.168.42.124

mtu MSP-WAN 1500

mtu POS 1500

mtu DATA 1500

mtu VOICE 1500

mtu WIRELESS 1500

mtu WIRELESS-POS 1500

mtu PARTNER 1500

mtu WIRELESS-GUEST 1500

mtu WIRELESS-CONTROL 1500

mtu WAAS 1500

mtu MANAGEMENT 1500

mtu IPS-Mgmt 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any MSP-WAN

icmp permit any POS

icmp permit any DATA

icmp permit any VOICE

icmp permit any WIRELESS

icmp permit any WIRELESS-POS

icmp permit any PARTNER

icmp permit any WIRELESS-GUEST

icmp permit any WIRELESS-CONTROL

icmp permit any WAAS

icmp permit any MANAGEMENT

asdm image disk0:/asdm-70040.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group OUTSIDE in interface MSP-WAN

access-group POS in interface POS

access-group DATA in interface DATA

access-group VOICE in interface VOICE

access-group WIRELESS in interface WIRELESS

access-group WIRELESS-POS in interface WIRELESS-POS

access-group PARTNER in interface PARTNER

access-group WIRELESS-GUEST in interface WIRELESS-GUEST

access-group WIRELESS-CONTROL in interface WIRELESS-CONTROL

access-group WAAS in interface WAAS

access-group MANAGEMENT_access_in in interface MANAGEMENT

access-group DROP-ALL in interface IPS-Mgmt

route MSP-WAN 0.0.0.0 0.0.0.0 10.10.255.11 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RETAIL protocol tacacs+

aaa-server RETAIL (MANAGEMENT) host 192.168.42.131

 key *****

aaa-server COMPLIANCE protocol tacacs+

aaa-server COMPLIANCE (MSP-WAN) host 192.168.42.131

 key *****

user-identity default-domain LOCAL

aaa authentication enable console COMPLIANCE LOCAL

aaa authentication http console COMPLIANCE LOCAL

aaa authentication ssh console COMPLIANCE LOCAL

aaa authorization command COMPLIANCE LOCAL

aaa accounting enable console COMPLIANCE

aaa accounting ssh console COMPLIANCE

aaa accounting command privilege 15 COMPLIANCE

aaa authentication secure-http-client

aaa local authentication attempts max-fail 6

aaa authorization exec authentication-server

http server enable

http server idle-timeout 15

http server session-timeout 15

http 192.168.41.101 255.255.255.255 MSP-WAN

http 192.168.41.102 255.255.255.255 MSP-WAN

http 192.168.42.122 255.255.255.255 MSP-WAN

http 192.168.42.124 255.255.255.255 MSP-WAN

http 192.168.42.133 255.255.255.255 MSP-WAN

http 192.168.42.138 255.255.255.255 MSP-WAN

http 192.168.42.139 255.255.255.255 MSP-WAN

http 192.168.42.134 255.255.255.255 MSP-WAN

snmp-server group V3Group v3 priv

snmp-server user ciscolms V3Group v3 encrypted auth sha 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14:
98:e5

snmp-server user csmadmin V3Group v3 encrypted auth sha 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14:
98:e5

snmp-server host MSP-WAN 192.168.42.134 version 3 ciscolms

snmp-server host MSP-WAN 192.168.42.139 version 3 ciscolms

snmp-server host MSP-WAN 192.168.42.133 version 3 csmadmin

snmp-server location Building SJC-17-1 Aisle 2 Rack 3

snmp-server contact Bart McGlothin

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh scopy enable

ssh 192.168.41.101 255.255.255.255 MSP-WAN

ssh 192.168.41.102 255.255.255.255 MSP-WAN

ssh 192.168.42.122 255.255.255.255 MSP-WAN

ssh 192.168.42.124 255.255.255.255 MSP-WAN

ssh 192.168.42.133 255.255.255.255 MSP-WAN

ssh 192.168.42.138 255.255.255.255 MSP-WAN

ssh 192.168.42.139 255.255.255.255 MSP-WAN

ssh 192.168.42.134 255.255.255.255 MSP-WAN

ssh timeout 15

ssh version 2

console timeout 15

dhcprelay server 192.168.42.130 MSP-WAN

dhcprelay enable POS

dhcprelay enable DATA

dhcprelay enable VOICE

dhcprelay enable WIRELESS

dhcprelay enable WIRELESS-POS

dhcprelay enable PARTNER

dhcprelay enable WIRELESS-GUEST

dhcprelay enable WIRELESS-CONTROL

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.62.162 source MSP-WAN

ntp server 192.168.62.161 source MSP-WAN prefer

ssl encryption aes128-sha1 aes256-sha1 3des-sha1

webvpn

 anyconnect-essentials

username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15

username retail password XgJyMnijuEPQSGoY encrypted privilege 15

username jchambers password zkGq5ojduHyZK1bA encrypted privilege 15

username ciscolms password huo2PmvTsMk6Cv1L encrypted privilege 15

username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15

class-map inspection_default

 match default-inspection-traffic

class-map global-class-PCI

 match any

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 description IPS inspection policy for Cisco PCI LAB

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

 class global-class-PCI

  ips inline fail-close

 class class-default

  ips promiscuous fail-open

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:0c17bedaf99e8d7c1ce43105b2a7d2c5

: end

FW-A2-FW-A2-MSP-1# sh ver

Cisco Adaptive Security Appliance Software Version 9.0(0)129

Device Manager Version 7.0(0)40

Compiled on Wed 03-Oct-12 14:19 PDT by builders

System image file is "disk0:/asa900-129-smp-k8.bin"

Config file at boot was "startup-config"

FW-A2-MSP-1 up 97 days 23 hours

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)

            ASA: 4096 MB RAM, 1 CPU (1 core)

Internal ATA Compact Flash, 8192MB

BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)

                             Boot microcode        : CNPx-MC-BOOT-2.00

                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020

                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0022

                             Number of accelerators: 1

Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is d48c.b54d.9520, irq 11

 1: Ext: GigabitEthernet0/0  : address is d48c.b54d.9524, irq 10

 2: Ext: GigabitEthernet0/1  : address is d48c.b54d.9521, irq 10

 3: Ext: GigabitEthernet0/2  : address is d48c.b54d.9525, irq 5

 4: Ext: GigabitEthernet0/3  : address is d48c.b54d.9522, irq 5

 5: Ext: GigabitEthernet0/4  : address is d48c.b54d.9526, irq 10

 6: Ext: GigabitEthernet0/5  : address is d48c.b54d.9523, irq 10

 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0

 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0

 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0

10: Ext: Management0/0       : address is d48c.b54d.9520, irq 0

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 5              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 10             perpetual

AnyConnect Essentials             : 250            perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Enabled        perpetual

AnyConnect for Cisco VPN Phone    : Enabled        perpetual

Advanced Endpoint Assessment      : Enabled        perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Enabled        perpetual

IPS Module                        : Enabled        perpetual

Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH162771K6

Running Permanent Activation Key: 0xbb3ac554 0x607ed951 0x5d428d70 0xcec038dc 0x0d09f584

Configuration register is 0x1

Configuration last modified by bmcgloth at 13:15:34.337 PST Fri Dec 21 2012

FW-A2-MSP-1#

FW-A2-MSP-1#

FW-A2-MSP-1#

FW-A2-MSP-1#

FW-A2-MSP-1# sh run

: Saved

ASA Version 9.0(0)129

terminal width 511

hostname FW-A2-MSP-1

domain-name cisco-irn.com

enable password WKlYt0jXwtQLFcz7 encrypted

passwd WKlYt0jXwtQLFcz7 encrypted

names

dns-guard

interface GigabitEthernet0/0

 nameif MSP-WAN

 security-level 0

 ip address 10.10.255.176 255.255.255.0

interface GigabitEthernet0/1

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/1.11

 vlan 11

 nameif POS

 security-level 95

 ip address 10.10.176.1 255.255.255.0

interface GigabitEthernet0/1.12

 vlan 12

 nameif DATA

 security-level 85

 ip address 10.10.177.1 255.255.255.0

interface GigabitEthernet0/1.13

 vlan 13

 nameif VOICE

 security-level 80

 ip address 10.10.178.1 255.255.255.0

interface GigabitEthernet0/1.14

 vlan 14

 nameif WIRELESS

 security-level 70

 ip address 10.10.179.1 255.255.255.0

interface GigabitEthernet0/1.15

 vlan 15

 nameif WIRELESS-POS

 security-level 90

 ip address 10.10.180.1 255.255.255.0

interface GigabitEthernet0/1.16

 vlan 16

 nameif PARTNER

 security-level 65

 ip address 10.10.181.1 255.255.255.0

interface GigabitEthernet0/1.17

 vlan 17

 nameif WIRELESS-GUEST

 security-level 10

 ip address 10.10.182.1 255.255.255.0

interface GigabitEthernet0/1.18

 vlan 18

 nameif WIRELESS-CONTROL

 security-level 75

 ip address 10.10.183.1 255.255.255.0

interface GigabitEthernet0/1.19

 vlan 19

 nameif WAAS

 security-level 100

 ip address 10.10.184.1 255.255.255.0

interface GigabitEthernet0/1.1000

 vlan 1000

 nameif MANAGEMENT

 security-level 100

 ip address 10.10.191.1 255.255.255.0

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

interface Management0/0

 description IPS management connection

 management-only

 nameif IPS-Mgmt

 security-level 1

 no ip address

banner exec WARNING:

banner exec **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner exec                              **** AUTHORIZED USERS ONLY! ****

banner exec

banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE 
NECESSARY

banner exec TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

banner exec REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME 
WITHOUT

banner exec FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

banner exec

banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS.

banner login WARNING:

banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

banner asdm WARNING:

banner asdm   **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE ****

banner asdm                   **** AUTHORIZED USERS ONLY! ****

banner asdm

banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH AD                                                       
DITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM 
ADMINISTRATOR OR OTHER REPRESENTATIVES OF T                                                       
HE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT.  
UNAUTHORIZED USE OF  THIS SYSTEM AND ANY O                                                       
THER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT 
OFFICIALS AND PROSECUTION TO THE F

banner asdm

banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL 
LAWS

boot system disk0:/asa900-129-smp-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup MSP-WAN

dns server-group DefaultDNS

 name-server 192.168.42.130

 domain-name cisco-irn.com

same-security-traffic permit inter-interface

object network AdminStation

 host 192.168.41.101

object network AdminStation2

 host 192.168.41.102

object network AdminStation4-bart

 host 10.19.151.99

object network LMS

 host 192.168.42.139

object network CSManager

 host 192.168.42.133

 description Cisco Security Manager

object network AdminStation3

 host 192.168.42.139

object network ActiveDirectory.cisco-irn.com

 host 192.168.42.130

object network DC-POS

 subnet 192.168.52.0 255.255.255.0

 description POS in the Data Center

object network WCSManager

 host 192.168.43.135

 description Wireless Manager

object network PAME-DC-1

 host 192.168.44.111

object network MSP-DC-1

 host 192.168.44.121

 description Data Center VSOM

object network DC-ALL

 subnet 192.168.0.0 255.255.0.0

 description All of the Data Center

object network RSA-enVision

 host 192.168.42.124

 description RSA EnVision Syslog collector and SIM

object network TACACS

 host 192.168.42.131

 description Csico Secure ACS server for TACACS and Radius

object network RSA-AM

 host 192.168.42.137

 description RSA Authentication Manager for SecureID

object network NAC-2

 host 192.168.42.112

object network NAC-1

 host 192.168.42.111

 description ISE server for NAC

object network MS-Update

 host 192.168.42.150

 description Windows Update Server

object network MSExchange

 host 192.168.42.140

 description Mail Server

object service RPC

 service tcp destination eq 135

object service LDAP-GC

 service tcp destination eq 3268

object service LDAP-GC-SSL

 service tcp destination eq 3269

object service Kerberos-TCP

 service tcp destination eq 88

object service Microsoft-DS-SMB

 service tcp destination eq 445

 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing

object service LDAP-UDP

 service udp destination eq 389

object service RPC-HighPorts

 service tcp destination range 1024 65535

object service ORACLE-OAS

 service tcp destination eq 12601

 description OAS uses one port for HTTP and RMI - 12601.

object service TOMAX-8990

 service tcp destination eq 8990

 description Tomax Application Port

object service IP-Protocol-97

 service 97

 description IP protocol 97

object service TCP1080

 service tcp destination eq 1080

object service TCP8080

 service tcp destination eq 8080

object service RDP

 service tcp destination eq 3389

 description Windows Remote Desktop

object-group network CSM_INLINE_src_rule_73014461090

 description Generated by CS-Manager from src of FirewallRule# 1 (ASA-Store_V2/mandatory)

 network-object object AdminStation

 network-object object AdminStation2

 network-object object AdminStation4-bart

object-group network Admin-Systems

 network-object object AdminStation

 network-object object AdminStation2

 network-object object CSManager

 network-object object AdminStation4-bart

 network-object object LMS

 network-object object AdminStation3

object-group network DC-POS-Tomax

 description Tomax POS Communication from Store to Data Center

 network-object 192.168.52.96 255.255.255.224

object-group network DC-POS-SAP

 description SAP POS Communication from Store to Data Center

 network-object 192.168.52.144 255.255.255.240

object-group network DC-POS-Oracle

 description Oracle POS Communication from Store to Data Center

 network-object 192.168.52.128 255.255.255.240

object-group network CSM_INLINE_src_rule_73014461184

 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-Store_V2/mandatory)

 group-object DC-POS-Tomax

 network-object object DC-POS

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network POS-Store-MSP

 network-object 10.10.176.81 255.255.255.255

object-group network CSM_INLINE_dst_rule_73014461438

 description Generated by CS-Manager from dst of FirewallRule# 5 (ASA-Store_V2/mandatory)

 group-object DC-POS-Tomax

 network-object object DC-POS

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network Store-MSP-POS-net

 network-object 10.10.176.0 255.255.255.0

 network-object 10.10.180.0 255.255.255.0

object-group network CSM_INLINE_dst_rule_73014461436

 description Generated by CS-Manager from dst of FirewallRule# 7 (ASA-Store_V2/mandatory)

 group-object DC-POS-Tomax

 network-object object DC-POS

 group-object DC-POS-SAP

 group-object DC-POS-Oracle

object-group network DC-Wifi-Controllers

 description Central Wireless Controllers for stores

 network-object 192.168.43.21 255.255.255.255

 network-object 192.168.43.22 255.255.255.255

object-group network DC-Wifi-MSE

 description Mobility Service Engines

 network-object 192.168.43.31 255.255.255.255

 network-object 192.168.43.32 255.255.255.255

object-group network CSM_INLINE_src_rule_73014461098

 description Generated by CS-Manager from src of FirewallRule# 8 (ASA-Store_V2/mandatory)

 network-object object WCSManager

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group network CSM_INLINE_src_rule_73014461100

 description Generated by CS-Manager from src of FirewallRule# 9 (ASA-Store_V2/mandatory)

 network-object object PAME-DC-1

 network-object object MSP-DC-1

object-group network DC-WAAS

 description WAE Appliances in Data Center

 network-object 192.168.48.10 255.255.255.255

 network-object 192.168.49.10 255.255.255.255

 network-object 192.168.47.11 255.255.255.255

 network-object 192.168.47.12 255.255.255.255

object-group network NTP-Servers

 description NTP Servers

 network-object 192.168.62.161 255.255.255.255

 network-object 162.168.62.162 255.255.255.255

object-group network CSM_INLINE_dst_rule_73014461120

 description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-Store_V2/mandatory)

 network-object object TACACS

 network-object object RSA-AM

 network-object object NAC-2

 network-object object NAC-1

object-group network CSM_INLINE_dst_rule_73014461126

 description Generated by CS-Manager from dst of FirewallRule# 18 (ASA-Store_V2/mandatory)

 network-object object PAME-DC-1

 network-object object MSP-DC-1

object-group network CSM_INLINE_dst_rule_73014461128

 description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-Store_V2/mandatory)

 group-object DC-Wifi-Controllers

 group-object DC-Wifi-MSE

object-group service HTTPS-8443

 service-object tcp destination eq 8443

object-group service CSM_INLINE_svc_rule_73014461092

 description Generated by CS-Manager from service of FirewallRule# 2 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq ssh

 service-object tcp destination eq https

 group-object HTTPS-8443

 service-object udp destination eq snmp

object-group service DNS-Resolving

 description Domain Name Server

 service-object tcp destination eq domain

 service-object udp destination eq domain

object-group service CSM_INLINE_svc_rule_73014461094

 description Generated by CS-Manager from service of FirewallRule# 3 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq ntp

 service-object udp destination eq netbios-dgm

 service-object object RPC

 service-object object LDAP-GC

 service-object object LDAP-GC-SSL

 service-object object Kerberos-TCP

 service-object object Microsoft-DS-SMB

 service-object object LDAP-UDP

 service-object object RPC-HighPorts

 group-object DNS-Resolving

object-group service ORACLE-RMI

 description RMI TCP ports 1300 and 1301-1319.

 service-object tcp destination range 1300 1319

object-group service ORACLE-Weblogic

 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.

 service-object tcp destination eq 7001

 service-object tcp destination eq 7002

 service-object tcp destination eq sqlnet

object-group service ORACLE-WAS

 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414

 service-object tcp destination eq 2809

 service-object tcp destination eq 9443

 service-object tcp destination eq 1414

object-group service CSM_INLINE_svc_rule_73014461184

 description Generated by CS-Manager from service of FirewallRule# 4 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 service-object object ORACLE-OAS

 service-object object TOMAX-8990

 group-object ORACLE-RMI

 group-object ORACLE-Weblogic

 group-object ORACLE-WAS

 group-object HTTPS-8443

object-group service TFTP

 description Trivial File Transfer

 service-object tcp destination eq 69

 service-object udp destination eq tftp

object-group service LWAPP

 description LWAPP UDP ports 12222 and 12223

 service-object udp destination eq 12222

 service-object udp destination eq 12223

object-group service CAPWAP

 description CAPWAP UDP ports 5246 and 5247

 service-object udp destination eq 5246

 service-object udp destination eq 5247

object-group service CSM_INLINE_svc_rule_73014461098

 description Generated by CS-Manager from service of FirewallRule# 8 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq https

 service-object tcp destination eq www

 service-object udp destination eq isakmp

 service-object tcp destination eq telnet

 service-object tcp destination eq ssh

 service-object object IP-Protocol-97

 group-object TFTP

 group-object LWAPP

 group-object CAPWAP

object-group service CSM_INLINE_svc_rule_73014461102

 description Generated by CS-Manager from service of FirewallRule# 10 
(ASA-Store_V2/mandatory)

 service-object icmp echo

 service-object icmp echo-reply

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq ssh

 service-object tcp destination eq ftp

 service-object object TCP1080

 service-object object TCP8080

 service-object object RDP

 group-object HTTPS-8443

object-group service CISCO-WAAS

 description Ports for Cisco WAAS

 service-object tcp destination eq 4050

object-group service Netbios

 description Netbios Servers

 service-object udp destination eq netbios-dgm

 service-object udp destination eq netbios-ns

 service-object tcp destination eq netbios-ssn

object-group service CSM_INLINE_svc_rule_73014461104

 description Generated by CS-Manager from service of FirewallRule# 11 
(ASA-Store_V2/mandatory)

 service-object object Microsoft-DS-SMB

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Netbios

object-group service CSM_INLINE_svc_rule_73014461106

 description Generated by CS-Manager from service of FirewallRule# 12 
(ASA-Store_V2/mandatory)

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group service CSM_INLINE_svc_rule_73014461112

 description Generated by CS-Manager from service of FirewallRule# 14 
(ASA-Store_V2/mandatory)

 service-object udp destination eq snmptrap

 service-object udp destination eq snmp

 service-object udp destination eq syslog

object-group service CSM_INLINE_svc_rule_73014461120

 description Generated by CS-Manager from service of FirewallRule# 17 
(ASA-Store_V2/mandatory)

 service-object udp destination eq 1812

 service-object udp destination eq 1813

 service-object tcp destination eq https

 service-object tcp destination eq www

 group-object HTTPS-8443

object-group service Cisco-Mobility

 description Mobility ports for Wireless

 service-object udp destination eq 16666

 service-object udp destination eq 16667

object-group service CSM_INLINE_svc_rule_73014461128

 description Generated by CS-Manager from service of FirewallRule# 19 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq https

 service-object udp destination eq isakmp

 service-object object IP-Protocol-97

 group-object Cisco-Mobility

 group-object LWAPP

 group-object CAPWAP

object-group service CSM_INLINE_svc_rule_73014461130

 description Generated by CS-Manager from service of FirewallRule# 20 
(ASA-Store_V2/mandatory)

 service-object tcp-udp destination eq sip

 service-object tcp destination eq 2000

object-group service CSM_INLINE_svc_rule_73014461132

 description Generated by CS-Manager from service of FirewallRule# 21 
(ASA-Store_V2/mandatory)

 service-object object Microsoft-DS-SMB

 group-object CISCO-WAAS

 group-object HTTPS-8443

 group-object Netbios

object-group service CSM_INLINE_svc_rule_73014461134

 description Generated by CS-Manager from service of FirewallRule# 22 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq ldap

 service-object tcp destination eq ldaps

 service-object udp destination eq 88

 service-object udp destination eq ntp

 service-object udp destination eq netbios-dgm

 service-object object RPC

 service-object object LDAP-GC

 service-object object LDAP-GC-SSL

 service-object object Kerberos-TCP

 service-object object Microsoft-DS-SMB

 service-object object LDAP-UDP

 service-object object RPC-HighPorts

 group-object DNS-Resolving

object-group service CSM_INLINE_svc_rule_73014461136

 description Generated by CS-Manager from service of FirewallRule# 23 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq www

 service-object tcp destination eq https

object-group service CSM_INLINE_svc_rule_73014461138

 description Generated by CS-Manager from service of FirewallRule# 24 
(ASA-Store_V2/mandatory)

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq smtp

 service-object tcp destination eq pop3

 service-object tcp destination eq imap4

object-group network DM_INLINE_NETWORK_2

 network-object object NAC-1

 network-object object NAC-2

 network-object object TACACS

object-group service DM_INLINE_SERVICE_1

 service-object icmp6 echo

 service-object udp destination eq ntp

object-group service DM_INLINE_SERVICE_2

 service-object icmp echo

 service-object tcp destination eq tacacs

object-group service DM_INLINE_SERVICE_3

 service-object icmp echo

 service-object udp destination eq radius

 service-object udp destination eq radius-acct

object-group service DM_INLINE_SERVICE_4

 service-object icmp echo

 service-object udp destination eq snmp

 service-object udp destination eq snmptrap

 service-object udp destination eq syslog

object-group network DM_INLINE_NETWORK_3

 network-object object LMS

 network-object object RSA-enVision

access-list OUTSIDE remark LAB Testing

access-list OUTSIDE extended permit ip object-group CSM_INLINE_src_rule_73014461090 
10.10.176.0 255.255.248.0

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 
object-group Admin-Systems 10.10.176.0 255.255.24                                                       
8.0

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 
object-group Admin-Systems host 10.10.255.176

access-list OUTSIDE remark Allow Active Directory Domain

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461094 object 
ActiveDirectory.cisco-irn.com 10.10.176.0                                                        
255.255.248.0

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461184 
object-group CSM_INLINE_src_rule_73014461184 obje                                                       
ct-group POS-Store-MSP

access-list OUTSIDE extended deny ip any object-group Store-MSP-POS-net

access-list OUTSIDE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list OUTSIDE remark Wireless Management to Stores

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461098 
object-group CSM_INLINE_src_rule_73014461098 10.1                                                       
0.183.0 255.255.255.0

access-list OUTSIDE remark Physical security systems

access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014461100 
10.10.191.0 255.255.255.0 eq https

access-list OUTSIDE remark Allow Management of store systems

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461102 object 
DC-ALL 10.10.176.0 255.255.248.0

access-list OUTSIDE remark WAAS systems

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461104 
object-group DC-WAAS 10.10.184.0 255.255.255.0

access-list OUTSIDE remark Voice calls

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461106 object 
DC-ALL 10.10.178.0 255.255.255.0

access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461112 
10.10.176.0 255.255.248.0 object RSA-enVision

access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs

access-list OUTSIDE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers 
eq ntp

access-list OUTSIDE remark Drop all other traffic

access-list OUTSIDE extended deny ip any any log

access-list POS remark Allow Applications

access-list POS extended permit tcp object-group POS-Store-MSP object-group 
CSM_INLINE_dst_rule_73014461438 eq https

access-list POS extended deny ip any object-group Store-MSP-POS-net

access-list POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq 
ntp

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 
255.255.248.0 object-group CSM_INLINE_dst                                                       
_rule_73014461120

access-list POS remark Allow Active Directory Domain

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 
255.255.248.0 object ActiveDirectory.cisc                                                       
o-irn.com

access-list POS remark Allow Windows Updates

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 
255.255.248.0 object MS-Update

access-list POS remark Allow Mail

access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 
255.255.248.0 object MSExchange

access-list POS remark Drop all other traffic

access-list POS extended deny ip any any log

access-list WIRELESS-POS remark Allow Applications

access-list WIRELESS-POS extended permit tcp object-group POS-Store-MSP object-group 
CSM_INLINE_dst_rule_73014461438 eq https

access-list WIRELESS-POS extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS-POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list WIRELESS-POS extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS-POS remark Allow Active Directory Domain

access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461134 
10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list WIRELESS-POS remark Allow Windows Updates

access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461136 
10.10.176.0 255.255.248.0 object MS-Update

access-list WIRELESS-POS remark Allow Mail

access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list WIRELESS-POS remark Drop all other traffic

access-list WIRELESS-POS extended deny ip any any log

access-list DATA extended deny ip any object-group Store-MSP-POS-net

access-list DATA extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list DATA extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq 
ntp

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 
255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list DATA remark Allow Active Directory Domain

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 
255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list DATA remark Allow Windows Updates

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 
255.255.248.0 object MS-Update

access-list DATA remark Allow Mail

access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 
255.255.248.0 object MSExchange

access-list DATA remark Drop all other traffic

access-list DATA extended deny ip any any log

access-list MANAGEMENT extended deny ip any object-group Store-MSP-POS-net

access-list MANAGEMENT extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461112 
10.10.176.0 255.255.248.0 object RSA-enVision

access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq 
tacacs

access-list MANAGEMENT extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list MANAGEMENT extended permit icmp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers

access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461120 
10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list MANAGEMENT remark Physical security systems

access-list MANAGEMENT extended permit tcp 10.10.191.0 255.255.255.0 object-group 
CSM_INLINE_dst_rule_73014461126 eq https

access-list MANAGEMENT remark Allow Mail

access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list MANAGEMENT remark Drop all other traffic

access-list MANAGEMENT extended deny ip any any log

access-list PARTNER extended deny ip any object-group Store-MSP-POS-net

access-list PARTNER extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list PARTNER extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers 
eq ntp

access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461120 
10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list PARTNER remark Allow Mail

access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list PARTNER remark Drop all other traffic

access-list PARTNER extended deny ip any any log

access-list VOICE extended deny ip any object-group Store-MSP-POS-net

access-list VOICE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 
255.255.248.0 object RSA-enVision

access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs

access-list VOICE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers 
eq ntp

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 
255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list VOICE remark Voice calls

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461130 10.10.178.0 
255.255.255.0 object DC-ALL

access-list VOICE remark Allow Mail

access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 
255.255.248.0 object MSExchange

access-list VOICE remark Drop all other traffic

access-list VOICE extended deny ip any any log

access-list WAAS extended deny ip any object-group Store-MSP-POS-net

access-list WAAS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh

access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 
255.255.248.0 object RSA-enVision

access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs

access-list WAAS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq 
ntp

access-list WAAS remark WAAS systems

access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461132 10.10.184.0 
255.255.255.0 object-group DC-WAAS

access-list WAAS remark Allow Active Directory Domain

access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 
255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list WAAS remark Drop all other traffic

access-list WAAS extended deny ip any any log

access-list WIRELESS extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436

access-list WIRELESS extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS remark Allow Active Directory Domain

access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461134 
10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com

access-list WIRELESS remark Allow Windows Updates

access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461136 
10.10.176.0 255.255.248.0 object MS-Update

access-list WIRELESS remark Allow Mail

access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461138 
10.10.176.0 255.255.248.0 object MSExchange

access-list WIRELESS remark Drop all other traffic

access-list WIRELESS extended deny ip any any log

access-list WIRELESS-CONTROL extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS-CONTROL extended deny ip any object-group 
CSM_INLINE_dst_rule_73014461436

access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq 
ssh

access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461112 
10.10.176.0 255.255.248.0 object RSA-enVision

access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object TACACS 
eq tacacs

access-list WIRELESS-CONTROL extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461120 
10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120

access-list WIRELESS-CONTROL remark Wireless control systems

access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461128 
10.10.183.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461128

access-list WIRELESS-CONTROL remark Drop all other traffic

access-list WIRELESS-CONTROL extended deny ip any any log

access-list WIRELESS-GUEST extended deny ip any object-group Store-MSP-POS-net

access-list WIRELESS-GUEST extended deny ip any object-group 
CSM_INLINE_dst_rule_73014461436

access-list WIRELESS-GUEST extended permit udp 10.10.176.0 255.255.248.0 object-group 
NTP-Servers eq ntp

access-list WIRELESS-GUEST remark Drop all other traffic

access-list WIRELESS-GUEST extended deny ip any any log

access-list DROP-ALL extended deny ip any any log disable

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_1 
10.10.191.0 255.255.255.0 object-group NTP-Servers log disable

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_2 
10.10.191.0 255.255.255.0 object TACACS

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_3 
10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 log disable

access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_4 
10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 log disable

access-list MANAGEMENT_access_in extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging buffer-size 100000

logging trap informational

logging asdm informational

logging host MSP-WAN 192.168.42.124

mtu MSP-WAN 1500

mtu POS 1500

mtu DATA 1500

mtu VOICE 1500

mtu WIRELESS 1500

mtu WIRELESS-POS 1500

mtu PARTNER 1500

mtu WIRELESS-GUEST 1500

mtu WIRELESS-CONTROL 1500

mtu WAAS 1500

mtu MANAGEMENT 1500

mtu IPS-Mgmt 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any MSP-WAN

icmp permit any POS

icmp permit any DATA

icmp permit any VOICE

icmp permit any WIRELESS

icmp permit any WIRELESS-POS

icmp permit any PARTNER

icmp permit any WIRELESS-GUEST

icmp permit any WIRELESS-CONTROL

icmp permit any WAAS

icmp permit any MANAGEMENT

asdm image disk0:/asdm-70040.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group OUTSIDE in interface MSP-WAN

access-group POS in interface POS

access-group DATA in interface DATA

access-group VOICE in interface VOICE

access-group WIRELESS in interface WIRELESS

access-group WIRELESS-POS in interface WIRELESS-POS

access-group PARTNER in interface PARTNER

access-group WIRELESS-GUEST in interface WIRELESS-GUEST

access-group WIRELESS-CONTROL in interface WIRELESS-CONTROL

access-group WAAS in interface WAAS

access-group MANAGEMENT_access_in in interface MANAGEMENT

access-group DROP-ALL in interface IPS-Mgmt

route MSP-WAN 0.0.0.0 0.0.0.0 10.10.255.11 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RETAIL protocol tacacs+

aaa-server RETAIL (MANAGEMENT) host 192.168.42.131

 key *****

aaa-server COMPLIANCE protocol tacacs+

aaa-server COMPLIANCE (MSP-WAN) host 192.168.42.131

 key *****

user-identity default-domain LOCAL

aaa authentication enable console COMPLIANCE LOCAL

aaa authentication http console COMPLIANCE LOCAL

aaa authentication ssh console COMPLIANCE LOCAL

aaa authorization command COMPLIANCE LOCAL

aaa accounting enable console COMPLIANCE

aaa accounting ssh console COMPLIANCE

aaa accounting command privilege 15 COMPLIANCE

aaa authentication secure-http-client

aaa local authentication attempts max-fail 6

aaa authorization exec authentication-server

http server enable

http server idle-timeout 15

http server session-timeout 15

http 192.168.41.101 255.255.255.255 MSP-WAN

http 192.168.41.102 255.255.255.255 MSP-WAN

http 192.168.42.122 255.255.255.255 MSP-WAN

http 192.168.42.124 255.255.255.255 MSP-WAN

http 192.168.42.133 255.255.255.255 MSP-WAN

http 192.168.42.138 255.255.255.255 MSP-WAN

http 192.168.42.139 255.255.255.255 MSP-WAN

http 192.168.42.134 255.255.255.255 MSP-WAN

snmp-server group V3Group v3 priv

snmp-server user ciscolms V3Group v3 encrypted auth sha 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14:
98:e5

snmp-server user csmadmin V3Group v3 encrypted auth sha 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 
56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14:
98:e5

snmp-server host MSP-WAN 192.168.42.134 version 3 ciscolms

snmp-server host MSP-WAN 192.168.42.139 version 3 ciscolms

snmp-server host MSP-WAN 192.168.42.133 version 3 csmadmin

snmp-server location Building SJC-17-1 Aisle 2 Rack 3

snmp-server contact Bart McGlothin

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh scopy enable

ssh 192.168.41.101 255.255.255.255 MSP-WAN

ssh 192.168.41.102 255.255.255.255 MSP-WAN

ssh 192.168.42.122 255.255.255.255 MSP-WAN

ssh 192.168.42.124 255.255.255.255 MSP-WAN

ssh 192.168.42.133 255.255.255.255 MSP-WAN

ssh 192.168.42.138 255.255.255.255 MSP-WAN

ssh 192.168.42.139 255.255.255.255 MSP-WAN

ssh 192.168.42.134 255.255.255.255 MSP-WAN

ssh timeout 15

ssh version 2

console timeout 15

dhcprelay server 192.168.42.130 MSP-WAN

dhcprelay enable POS

dhcprelay enable DATA

dhcprelay enable VOICE

dhcprelay enable WIRELESS

dhcprelay enable WIRELESS-POS

dhcprelay enable PARTNER

dhcprelay enable WIRELESS-GUEST

dhcprelay enable WIRELESS-CONTROL

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.62.162 source MSP-WAN

ntp server 192.168.62.161 source MSP-WAN prefer

ssl encryption aes128-sha1 aes256-sha1 3des-sha1

webvpn

 anyconnect-essentials

username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15

username retail password XgJyMnijuEPQSGoY encrypted privilege 15

username jchambers password zkGq5ojduHyZK1bA encrypted privilege 15

username ciscolms password huo2PmvTsMk6Cv1L encrypted privilege 15

username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15

class-map inspection_default

 match default-inspection-traffic

class-map global-class-PCI

 match any

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 description IPS inspection policy for Cisco PCI LAB

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

 class global-class-PCI

  ips inline fail-close

 class class-default

  ips promiscuous fail-open

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:0c17bedaf99e8d7c1ce43105b2a7d2c5

: end

FW-A2-MSP-1#

IPS-A2-MSP-1# show configuration

! ------------------------------

! Current configuration last modified Fri Dec 21 12:24:05 2012

! ------------------------------

! Version 7.1(6)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S648.0   2012-05-30

! ------------------------------

service interface

exit

! ------------------------------

service authentication

attemptLimit 6

password-strength

size 7-64

digits-min 1

lowercase-min 1

other-min 1

number-old-passwords 4

exit

cli-inactivity-timeout 15

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 10.10.191.21/24,10.10.191.1

host-name IPS-A2-MSP-1

telnet-option disabled

access-list 192.168.41.101/32

access-list 192.168.41.102/32

access-list 192.168.42.122/32

access-list 192.168.42.124/32

access-list 192.168.42.133/32

access-list 192.168.42.134/32

access-list 192.168.42.138/32

access-list 192.168.42.139/32

login-banner-text WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS 
ONLY!

dns-primary-server enabled

address 192.168.42.130

exit

dns-secondary-server disabled

dns-tertiary-server disabled

exit

time-zone-settings

offset -480

standard-time-zone-name PST

exit

ntp-option enabled-ntp-unauthenticated

ntp-server 192.168.62.161

exit

summertime-option recurring

summertime-zone-name PDT

start-summertime

month march

week-of-month second

day-of-week sunday

time-of-day 02:00:00

exit

end-summertime

month november

week-of-month first

day-of-week sunday

time-of-day 02:00:00

exit

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

trap-destinations 192.168.42.124

trap-community-name RSAenvision

exit

enable-notifications true

trap-community-name RSAenvision

system-location Building SJC-17-1 Row 1 Rack 1

system-contact EmployeeA

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

enable-tls true

port 443

server-id IPS-A2-MSP-1

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

aaa radius

primary-server

server-address 192.168.42.131

shared-secret retailpci

exit

nas-id IPS-A2-MSP-1

local-fallback enabled

console-authentication radius-and-local

default-user-role administrator

exit

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface PortChannel0/0

exit

exit

IPS-A2-MSP-1#

S-A2-MSP-1

Building configuration...

Current configuration : 10554 bytes

! Last configuration change at 02:08:19 PSTDST Sat Apr 30 2011 by retail

! NVRAM config last updated at 02:08:21 PSTDST Sat Apr 30 2011 by retail

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

service sequence-numbers

hostname S-A2-MSP-1

logging buffered 50000 debugging

enable secret 5 <removed>

username retail privilege 15 secret 5 <removed>

username bart privilege 15 secret 5 <removed>

username emc-ncm privilege 15 secret 5 <removed>

username bmcgloth privilege 15 secret 5 <removed>

username csmadmin privilege 15 secret 5 <removed>

aaa new-model

aaa authentication login RETAIL group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

clock timezone PST -8

clock summer-time PSTDST recurring

system mtu routing 1500

ip subnet-zero

no ip source-route

ip domain-name cisco-irn.com

ip name-server 192.168.42.130

ip ssh time-out 30

ip ssh authentication-retries 2

ip ssh version 2

ip scp server enable

login block-for 1800 attempts 6 within 1800

login quiet-mode access-class 23

login on-failure log

login on-success log

password encryption aes

crypto pki trustpoint TP-self-signed-4189032704

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-4189032704

 revocation-check none

 rsakeypair TP-self-signed-4189032704

crypto pki certificate chain TP-self-signed-4189032704

 certificate self-signed 01

  <removed>

  quit

archive

 log config

  logging enable

  hidekeys

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

interface FastEthernet0

 no ip address

 shutdown

interface GigabitEthernet0/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

interface GigabitEthernet0/2

 description AIR-CAP3502I

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 18

 switchport trunk allowed vlan 14-18

 switchport mode trunk

interface GigabitEthernet0/3

interface GigabitEthernet0/4

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/5

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/6

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/7

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/8

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/9

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/10

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/11

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/12

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/13

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/14

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/15

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/16

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/17

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/18

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/19

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/20

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/21

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/22

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/23

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/24

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/25

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/26

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/27

 switchport access vlan 17

 shutdown

interface GigabitEthernet0/28

 switchport access vlan 17

 shutdown

interface TenGigabitEthernet0/1

 shutdown

interface TenGigabitEthernet0/2

 shutdown

interface Vlan1

 no ip address

 shutdown

interface Vlan1000

 description Management VLAN for Switch

 ip address 10.10.191.11 255.255.255.0

ip default-gateway 10.10.191.1

ip classless

no ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication aaa login-authentication RETAIL

ip http secure-server

ip http secure-ciphersuite 3des-ede-cbc-sha

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface Vlan1000

logging trap debugging

logging source-interface Vlan1000

logging 192.168.42.124

access-list 23 permit 192.168.41.101 log

access-list 23 permit 192.168.41.102 log

access-list 23 permit 192.168.42.111 log

access-list 23 permit 192.168.42.122 log

access-list 23 permit 192.168.42.124 log

access-list 23 permit 127.0.0.1 log

access-list 23 permit 192.168.42.131 log

access-list 23 permit 192.168.42.133 log

access-list 23 permit 192.168.42.138 log

access-list 23 permit 10.19.151.99 log

access-list 23 deny   any log

access-list 88 permit 192.168.42.124 log

access-list 88 deny   any log

snmp-server engineID remote 192.168.42.124 0000000000

snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88

snmp-server user remoteuser remoteuser v3

snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server trap-source Vlan1000

snmp-server packetsize 8192

snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps power-ethernet group 1

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps hsrp

snmp-server enable traps rtr

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps syslog

snmp-server enable traps vlan-membership

snmp-server host 192.168.42.124 remoteuser

tacacs-server host 192.168.42.131

tacacs-server directed-request

tacacs-server key 7 <removed>

radius-server source-ports 1645-1646

control-plane

banner exec ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner incoming ^C

WARNING:

    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****

                    **** AUTHORIZED USERS ONLY! ****

ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT

TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY

TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER

REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT

FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER

CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW

ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.

UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.

^C

banner login ^C

WARNING:

THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!

^C

line con 0

 session-timeout 15  output

 exec-timeout 15 0

 login authentication RETAIL

line vty 0 4

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

line vty 5 15

 session-timeout 15  output

 access-class 23 in

 exec-timeout 15 0

 logging synchronous

 login authentication RETAIL

 transport preferred none

 transport input ssh

 transport output none

ntp clock-period 36026372

ntp source Vlan1000

ntp server 192.168.62.162

ntp server 192.168.62.161 prefer

end

	Cisco Compliance Solution for PCI DSS 2.0 Design and Implementation Guide
	Detailed Full Running Configurations
Cisco Compliance Solution for PCI DSS 2.0 Design and Implementation Guide Authors Preface Solution Overview PCI and the Solution Framework Solution Architecture Solution Implementation Component Assessment Summary Bill of Materials Cisco Products and Software Versions Verizon Business Architecture Report The Art of Compliance Detailed Full Running Configurations	Download this chapter Detailed Full Running Configurations Download the complete book PCI_20_DIG.pdf (PDF - 36 MB) Table Of Contents Detailed Full Running Configurations Data Center WAN ASA-WAN-1 ASA-WAN-1_IDS RWAN-1 RWAN-2 SWAN-1 SWAN-3 Core RCORE-1 RCORE-2 Aggregation ASA-DC-1 RAGG-1-RUNNING RAGG-1-VDC1-RUNNING RAGG-1-VDC2-RUNNING RAGG-2-RUNNING RAGG-2-VDC1-RUNNING RAGG-2-VDC2-RUNNING N1KV-1-RUNNING VSG-TENANT-1-RUNNING RSERV-1 RSERV-2 Access SACCESS-1 SACCESS-2 SACCESS-3 SACCESS-4 SACCESS-5 Storage MDS-DC-1-RUNNING MDS-DC-2-RUNNING Internet Edge WAN RIE-1 RIE-2 Converged Core/Aggregation ASA-IE-1 DMZ-IDS-1 DMZ-ASASM DMZ-ACE-1 DMZ-ACE-1_PCI RIE-3 Branch Large Branch R-A2-LRG-1 R-A2-LRG-2 S-A2-LRG-1 S-A2-LRG-2 S-A2-LRG-3 S-A2-LRG-4 S-A2-LRG-5 Medium Branch R-A2-MED-1 R-A2-MED-2 S-A2-MED-1 S-A2-MED-3 Small Branch R-A2-SMALL S-A2-SMALL Mini Branch R-A2-MINI-1 S-A2-MINI-1 S-A2-MINI-2 Convenience R-A2-CONV-1 S-A2-CONV-1 Managed Service Provider FW-A2-MSP-1 S-A2-MSP-1 Detailed Full Running Configurations Data Center WAN ASA-WAN-1 ASA Version 9.1(1) ! firewall transparent terminal width 511 hostname ASA-WAN-1 domain-name cisco-irn.com enable password <removed> passwd <removed> names ! interface GigabitEthernet0/0 nameif outside bridge-group 1 security-level 0 ! interface GigabitEthernet0/1 nameif inside bridge-group 1 security-level 100 ! interface GigabitEthernet0/2 shutdown no nameif no security-level ! interface GigabitEthernet0/3 description LAN/STATE Failover Interface ! interface GigabitEthernet0/4 shutdown no nameif no security-level ! interface GigabitEthernet0/5 shutdown no nameif no security-level ! interface GigabitEthernet0/6 shutdown no nameif no security-level ! interface GigabitEthernet0/7 shutdown no nameif no security-level ! interface Management0/0 management-only no nameif no security-level ! interface BVI1 ip address 192.168.11.20 255.255.255.0 standby 192.168.11.21 ! boot system disk0:/asa911-smp-k8.bin boot system disk0:/asa900-129-smp-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns server-group DefaultDNS domain-name cisco-irn.com object network AdminStation host 192.168.41.101 object network AdminStation2 host 192.168.41.102 object network AdminStation4-bart host 10.19.151.99 object network EMC-NCM host 192.168.42.122 description EMC Network Configuration Manager object network CSManager host 192.168.42.133 description Cisco Security Manager object network AdminStation3 host 192.168.42.138 object network ActiveDirectory.cisco-irn.com host 192.168.42.130 object network Stores-ALL subnet 10.10.0.0 255.255.0.0 description all store networks object network vSphere-1 host 192.168.41.102 description vSphere server for Lab object network WCSManager host 192.168.43.135 description Wireless Manager object network PAME-DC-1 host 192.168.44.111 object network MSP-DC-1 host 192.168.44.121 description Data Center VSOM object network DC-ALL subnet 192.168.0.0 255.255.0.0 description All of the Data Center object network RSA-enVision host 192.168.42.124 description RSA EnVision Syslog collector and SIM object network TACACS host 192.168.42.131 description Csico Secure ACS server for TACACS and Radius object network RSA-AM host 192.168.42.137 description RSA Authentication Manager for SecureID object network ISE-2 host 192.168.42.112 description HA ISE Server object network ISE-1 host 192.168.42.111 description ISE server for NAC object network MS-Update host 192.168.42.150 description Windows Update Server object network MSExchange host 192.168.42.140 description Mail Server object network DC-POS subnet 192.168.52.0 255.255.255.0 description POS in the Data Center object service RPC service tcp destination eq 135 object service LDAP-GC service tcp destination eq 3268 object service LDAP-GC-SSL service tcp destination eq 3269 object service Kerberos-TCP service tcp destination eq 88 object service Microsoft-DS-SMB service tcp destination eq 445 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing object service LDAP-UDP service udp destination eq 389 object service RPC-HighPorts service tcp destination range 1024 65535 object service IP-Protocol-97 service 97 description IP protocol 97 object service TCP1080 service tcp destination eq 1080 object service TCP8080 service tcp destination eq 8080 object service RDP service tcp destination eq 3389 description Windows Remote Desktop object network LMS host 192.168.42.139 description Cisco Prime LMS object-group network STORE-POS network-object 10.10.0.0 255.255.0.0 object-group network Admin-Systems network-object object EMC-NCM network-object object AdminStation network-object object AdminStation2 network-object object CSManager network-object object AdminStation3 network-object object ISE-1 network-object object ISE-2 network-object object LMS object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores network-object 192.168.43.21 255.255.255.255 network-object 192.168.43.22 255.255.255.255 object-group network DC-Wifi-MSE description Mobility Service Engines network-object 192.168.43.31 255.255.255.255 network-object 192.168.43.32 255.255.255.255 object-group network DM_INLINE_NETWORK_5 network-object object ISE-1 network-object object ISE-2 network-object object RSA-AM network-object object TACACS object-group network DM_INLINE_NETWORK_6 network-object object ISE-1 network-object object ISE-2 object-group network DC-WAAS description WAE Appliances in Data Center network-object 192.168.48.10 255.255.255.255 network-object 192.168.49.10 255.255.255.255 network-object 192.168.47.11 255.255.255.255 network-object 192.168.47.12 255.255.255.255 object-group network NTP-Servers description NTP Servers network-object 192.168.62.161 255.255.255.255 network-object 162.168.62.162 255.255.255.255 object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply icmp-object time-exceeded icmp-object traceroute icmp-object unreachable object-group service DM_INLINE_TCP_3 tcp port-object eq www port-object eq https object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center network-object 192.168.52.96 255.255.255.224 object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center network-object 192.168.52.144 255.255.255.240 object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center network-object 192.168.52.128 255.255.255.240 object-group service HTTPS-8443 service-object tcp destination eq 8443 object-group network DM_INLINE_NETWORK_7 network-object object MSP-DC-1 network-object object PAME-DC-1 object-group service DNS-Resolving description Domain Name Server service-object tcp destination eq domain service-object udp destination eq domain object-group network DM_INLINE_NETWORK_8 group-object DC-Wifi-Controllers group-object DC-Wifi-MSE object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts service-object tcp destination eq 5989 service-object tcp destination eq 8000 service-object tcp destination eq 902 service-object tcp destination eq 903 object-group network DM_INLINE_NETWORK_9 network-object object DC-POS group-object DC-POS-Oracle group-object DC-POS-SAP group-object DC-POS-Tomax object-group service TFTP description Trivial File Transfer service-object tcp destination eq 69 service-object udp destination eq tftp object-group service LWAPP description LWAPP UDP ports 12222 and 12223 service-object udp destination eq 12222 service-object udp destination eq 12223 object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 service-object udp destination eq 5246 service-object udp destination eq 5247 object-group service DM_INLINE_SERVICE_10 group-object HTTPS-8443 service-object tcp destination eq www service-object tcp destination eq https object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems service-object udp destination eq 427 service-object tcp destination eq 427 object-group service DM_INLINE_SERVICE_11 group-object ESX-SLP service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq ssh group-object vCenter-to-ESX4 object-group service CISCO-WAAS description Ports for Cisco WAAS service-object tcp destination eq 4050 object-group service Netbios description Netbios Servers service-object udp destination eq netbios-dgm service-object udp destination eq netbios-ns service-object tcp destination eq netbios-ssn object-group service Cisco-Mobility description Mobility ports for Wireless service-object udp destination eq 16666 service-object udp destination eq 16667 object-group service DM_INLINE_SERVICE_12 group-object CAPWAP group-object Cisco-Mobility service-object object IP-Protocol-97 group-object LWAPP service-object tcp destination eq https service-object udp destination eq isakmp object-group service DM_INLINE_SERVICE_13 service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group network DM_INLINE_NETWORK_2 group-object DC-Wifi-Controllers group-object DC-Wifi-MSE network-object object WCSManager object-group network DM_INLINE_NETWORK_3 network-object object DC-ALL group-object STORE-POS object-group network DM_INLINE_NETWORK_4 network-object object MSP-DC-1 network-object object PAME-DC-1 object-group service DM_INLINE_SERVICE_2 service-object icmp group-object HTTPS-8443 service-object tcp destination eq https service-object tcp destination eq ssh service-object udp destination eq snmp object-group service DM_INLINE_SERVICE_3 group-object DNS-Resolving service-object object Kerberos-TCP service-object object LDAP-GC service-object object LDAP-GC-SSL service-object object LDAP-UDP service-object object Microsoft-DS-SMB service-object object RPC service-object object RPC-HighPorts service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq netbios-dgm service-object udp destination eq ntp object-group service DM_INLINE_SERVICE_4 service-object tcp destination eq https service-object tcp destination eq ssh group-object vCenter-to-ESX4 object-group service DM_INLINE_SERVICE_5 group-object CAPWAP service-object object IP-Protocol-97 group-object LWAPP group-object TFTP service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq ssh service-object tcp destination eq telnet service-object udp destination eq isakmp object-group service DM_INLINE_SERVICE_6 group-object HTTPS-8443 service-object object RDP service-object object TCP1080 service-object object TCP8080 service-object icmp echo service-object icmp echo-reply service-object tcp destination eq ftp service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq ssh object-group service DM_INLINE_SERVICE_7 group-object CISCO-WAAS group-object HTTPS-8443 service-object object Microsoft-DS-SMB group-object Netbios object-group service DM_INLINE_SERVICE_8 service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group service DM_INLINE_SERVICE_14 group-object CISCO-WAAS group-object HTTPS-8443 service-object object Microsoft-DS-SMB group-object Netbios object-group service DM_INLINE_SERVICE_15 group-object DNS-Resolving service-object object Kerberos-TCP service-object object LDAP-GC service-object object LDAP-GC-SSL service-object object LDAP-UDP service-object object Microsoft-DS-SMB service-object object RPC service-object object RPC-HighPorts service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq netbios-dgm service-object udp destination eq ntp object-group service DM_INLINE_SERVICE_9 service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq domain object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_2 tcp port-object eq www port-object eq https port-object eq imap4 port-object eq pop3 port-object eq smtp object-group service DM_INLINE_UDP_1 udp port-object eq snmp port-object eq snmptrap port-object eq syslog object-group service DM_INLINE_UDP_2 udp port-object eq 1812 port-object eq 1813 access-list INSIDE extended permit ip any any access-list INSIDE extended permit object-group DM_INLINE_SERVICE_2 object-group Admin-Systems object-group DM_INLINE_NETWORK_3 access-list INSIDE remark Allow Active Directory Domain access-list INSIDE extended permit object-group DM_INLINE_SERVICE_3 object ActiveDirectory.cisco-irn.com object Stores-ALL access-list INSIDE remark VMWare - ESX systems access-list INSIDE extended permit object-group DM_INLINE_SERVICE_4 object vSphere-1 object Stores-ALL access-list INSIDE remark Wireless Management to Stores access-list INSIDE extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_2 object Stores-ALL access-list INSIDE remark Physical security systems access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_4 object Stores-ALL eq https access-list INSIDE remark Allow Management of store systems access-list INSIDE extended permit object-group DM_INLINE_SERVICE_6 object DC-ALL object Stores-ALL access-list INSIDE remark WAAS systems access-list INSIDE extended permit object-group DM_INLINE_SERVICE_7 object-group DC-WAAS object Stores-ALL access-list INSIDE remark Voice calls access-list INSIDE extended permit object-group DM_INLINE_SERVICE_8 object DC-ALL object Stores-ALL access-list INSIDE remark Drop and Log all other traffic access-list INSIDE extended deny ip any any log access-list OUTSIDE extended permit ip any any access-list OUTSIDE remark Connectivity validation access-list OUTSIDE extended permit icmp object Stores-ALL any object-group DM_INLINE_ICMP_1 access-list OUTSIDE remark Internet Browsing access-list OUTSIDE extended permit tcp object Stores-ALL any object-group DM_INLINE_TCP_3 access-list OUTSIDE remark Config uploading access-list OUTSIDE extended permit tcp object Stores-ALL object EMC-NCM eq ssh access-list OUTSIDE remark Log reporting access-list OUTSIDE extended permit udp object Stores-ALL object RSA-enVision object-group DM_INLINE_UDP_1 access-list OUTSIDE remark Authentication and DNS lookup access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_9 object Stores-ALL object ActiveDirectory.cisco-irn.com access-list OUTSIDE remark Authentication and authorization access-list OUTSIDE extended permit tcp object Stores-ALL object TACACS eq tacacs access-list OUTSIDE remark Time Sync access-list OUTSIDE extended permit udp object Stores-ALL object-group NTP-Servers eq ntp access-list OUTSIDE remark Authentication access-list OUTSIDE extended permit udp object Stores-ALL object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_UDP_2 access-list OUTSIDE remark Authentication web portal access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_10 object Stores-ALL object-group DM_INLINE_NETWORK_6 access-list OUTSIDE remark VMWare ESX to Data Center access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_11 object Stores-ALL object vSphere-1 access-list OUTSIDE remark Physical security systems access-list OUTSIDE extended permit tcp object Stores-ALL object-group DM_INLINE_NETWORK_7 eq https access-list OUTSIDE remark Wireless control systems access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_12 object Stores-ALL object-group DM_INLINE_NETWORK_8 access-list OUTSIDE remark Voice calls access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_13 object Stores-ALL object DC-ALL access-list OUTSIDE remark WAAS systems access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_14 object Stores-ALL object-group DC-WAAS access-list OUTSIDE remark Allow Active Directory Domain access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_15 object Stores-ALL object ActiveDirectory.cisco-irn.com access-list OUTSIDE remark Allow Windows Updates access-list OUTSIDE extended permit tcp object Stores-ALL object MS-Update object-group DM_INLINE_TCP_1 access-list OUTSIDE remark Allow Mail access-list OUTSIDE extended permit tcp object Stores-ALL object MSExchange object-group DM_INLINE_TCP_2 access-list OUTSIDE remark Allow Applications access-list OUTSIDE extended permit tcp object Stores-ALL object-group DM_INLINE_NETWORK_9 eq https access-list OUTSIDE remark Drop all other traffic access-list OUTSIDE extended deny ip any any log pager lines 24 logging enable logging host inside 192.168.42.124 logging host inside 192.168.42.139 mtu outside 1500 mtu inside 1500 failover failover lan unit primary failover lan interface folink GigabitEthernet0/3 failover link folink GigabitEthernet0/3 failover interface ip folink 192.168.12.20 255.255.255.0 standby 192.168.12.21 icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside icmp permit any inside asdm image disk0:/asdm-711.bin asdm history enable arp timeout 14400 no arp permit-nonconnected access-group OUTSIDE in interface outside access-group INSIDE in interface inside route inside 0.0.0.0 0.0.0.0 192.168.11.60 1 route outside 10.10.0.0 255.255.0.0 192.168.11.1 1 route inside 10.10.0.0 255.255.255.0 192.168.11.60 1 route outside 10.10.1.0 255.255.255.0 192.168.11.2 1 route outside 10.10.2.0 255.255.255.0 192.168.11.3 1 route inside 10.10.3.0 255.255.255.0 192.168.11.60 1 route inside 10.10.4.0 255.255.255.0 192.168.11.60 1 route outside 10.10.254.0 255.255.255.0 192.168.11.3 1 route outside 10.10.255.0 255.255.255.0 192.168.11.2 1 route inside 192.168.0.0 255.255.0.0 192.168.11.10 1 route outside 192.168.1.111 255.255.255.255 192.168.11.2 1 route outside 192.168.1.112 255.255.255.255 192.168.11.3 1 route inside 192.168.20.0 255.255.252.0 192.168.11.60 1 route inside 192.168.24.0 255.255.255.0 192.168.11.60 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server RETAIL protocol tacacs+ aaa-server RETAIL (inside) host 192.168.42.131 key *** user-identity default-domain LOCAL aaa authentication ssh console RETAIL LOCAL aaa authentication enable console RETAIL LOCAL aaa authentication http console RETAIL LOCAL aaa accounting ssh console RETAIL aaa accounting enable console RETAIL aaa accounting command privilege 15 RETAIL aaa authentication secure-http-client aaa local authentication attempts max-fail 6 aaa authorization exec authentication-server http server enable http server idle-timeout 15 http server session-timeout 60 http 192.168.41.102 255.255.255.255 inside http 192.168.41.101 255.255.255.255 inside http 192.168.42.122 255.255.255.255 inside http 192.168.42.124 255.255.255.255 inside http 192.168.42.133 255.255.255.255 inside http 192.168.42.138 255.255.255.255 inside http 192.168.42.139 255.255.255.255 inside http 192.168.42.134 255.255.255.255 inside snmp-server group V3Group v3 priv snmp-server user csmadmin V3Group v3 encrypted auth sha 9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8 priv aes 256 9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8:bb:47:d1:68:d7:39:58:f4:62:f7: 38:36 snmp-server user ciscolms V3Group v3 encrypted auth sha 9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8 priv aes 256 9e:72:6a:fa:06:f5:29:f9:8a:87:ce:fa:46:19:a5:80:6c:2d:2e:b8:bb:47:d1:68:d7:39:58:f4:62:f7: 38:36 snmp-server host inside 192.168.42.134 version 3 ciscolms snmp-server host inside 192.168.42.139 version 3 ciscolms snmp-server host inside 192.168.42.133 version 3 csmadmin snmp-server location Building SJC-17-1 Aisle 1 Rack 3 snmp-server contact EmployeeA snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps memory-threshold snmp-server enable traps interface-threshold snmp-server enable traps remote-access session-threshold-exceeded snmp-server enable traps connection-limit-reached snmp-server enable traps cpu threshold rising snmp-server enable traps ikev2 start stop snmp-server enable traps nat packet-discard crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 1 ssh scopy enable ssh 192.168.41.101 255.255.255.255 inside ssh 192.168.41.102 255.255.255.255 inside ssh 192.168.42.122 255.255.255.255 inside ssh 192.168.42.124 255.255.255.255 inside ssh 192.168.42.133 255.255.255.255 inside ssh 192.168.42.138 255.255.255.255 inside ssh 192.168.42.139 255.255.255.255 inside ssh 192.168.42.134 255.255.255.255 inside ssh timeout 15 ssh version 2 console timeout 15 ! tls-proxy maximum-session 1000 ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 192.168.62.162 source inside ntp server 192.168.62.161 source inside prefer ssl encryption aes256-sha1 3des-sha1 username csmadmin password <removed> privilege 15 username retail password <removed> privilege 15 username ciscolms password <removed> privilege 15 username bmcgloth password <removed> privilege 15 ! class-map inspection_default match default-inspection-traffic class-map global-class-PCI match any ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy description IPS inspection policy for Cisco PCI LAB class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options class global-class-PCI ips promiscuous fail-open ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily password encryption aes Cryptochecksum:74ca008c5477bc602c2080c680584775 : end ASA-WAN-1_IDS ! ------------------------------ ! Current configuration last modified Fri Dec 07 09:38:41 2012 ! ------------------------------ ! Version 7.1(6) ! Host: ! Realm Keys key1.0 ! Signature Definition: ! Signature Update S648.0 2012-05-30 ! ------------------------------ service interface exit ! ------------------------------ service authentication attemptLimit 6 password-strength size 7-64 digits-min 1 lowercase-min 1 other-min 1 number-old-passwords 4 exit cli-inactivity-timeout 15 exit ! ------------------------------ service event-action-rules rules0 exit ! ------------------------------ service host network-settings host-ip 192.168.11.23/24,192.168.11.10 host-name IPS-WAN-1 telnet-option disabled access-list 192.168.41.101/32 access-list 192.168.41.102/32 access-list 192.168.42.122/32 access-list 192.168.42.124/32 access-list 192.168.42.133/32 access-list 192.168.42.134/32 access-list 192.168.42.138/32 access-list 192.168.42.139/32 login-banner-text WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! dns-primary-server enabled address 192.168.42.130 exit dns-secondary-server disabled dns-tertiary-server disabled exit time-zone-settings offset -480 standard-time-zone-name PST exit ntp-option enabled-ntp-unauthenticated ntp-server 192.168.62.161 exit summertime-option recurring summertime-zone-name PDT start-summertime month march week-of-month second day-of-week sunday time-of-day 02:00:00 exit end-summertime month november week-of-month first day-of-week sunday time-of-day 02:00:00 exit exit exit ! ------------------------------ service logger exit ! ------------------------------ service network-access exit ! ------------------------------ service notification trap-destinations 192.168.42.124 trap-community-name RSAenvision exit enable-notifications true trap-community-name RSAenvision system-location Building SJC-17-1 Row 1 Rack 1 system-contact EmployeeA exit ! ------------------------------ service signature-definition sig0 exit ! ------------------------------ service ssh-known-hosts exit ! ------------------------------ service trusted-certificates exit ! ------------------------------ service web-server enable-tls true port 443 server-id IPS-WAN-1 exit ! ------------------------------ service anomaly-detection ad0 exit ! ------------------------------ service external-product-interface exit ! ------------------------------ service health-monitor exit ! ------------------------------ service global-correlation exit ! ------------------------------ service aaa aaa radius primary-server server-address 192.168.42.131 shared-secret retailpci exit nas-id IPS-WAN-1 local-fallback enabled console-authentication radius-and-local default-user-role administrator exit exit ! ------------------------------ service analysis-engine exit IPS-WAN-1# RWAN-1 ! ! Last configuration change at 01:17:13 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:17:14 PSTDST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers no platform punt-keepalive disable-kernel-core ! hostname RWAN-1 ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 4 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! ! ! aaa session-id common ! ! ! clock timezone PST -8 0 clock summer-time PSTDST recurring ip source-route ! ! ! no ip bootp server no ip domain lookup ip domain name cisco-irn.com ip name-server 192.168.42.130 ip multicast-routing distributed ! ! login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! ! ! multilink bundle-name authenticated ! password encryption aes ! ! ! ! ! ! ! crypto pki trustpoint TP-self-signed-1264044905 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1264044905 revocation-check none rsakeypair TP-self-signed-1264044905 ! ! crypto pki certificate chain TP-self-signed-1264044905 certificate self-signed 01 <removed> quit archive log config logging enable notify syslog contenttype plaintext hidekeys ! username retail privilege 15 secret 4 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 4 <removed> username bmcgloth privilege 15 secret 4 <removed> username csmadmin privilege 15 secret 4 <removed> ! redundancy mode none ! ! ! ip ssh version 2 ip scp server enable ! class-map match-all BRANCH-BULK-DATA match access-group name BULK-DATA-APPS class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol telnet match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol dns match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! policy-map DataCenter-LAN-EDGE-OUT class class-default policy-map DataCenter-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 policy-map DataCenter-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 1 random-detect dscp-based class class-default bandwidth percent 25 random-detect ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.1.111 255.255.255.255 ! interface GigabitEthernet0/0/0 description SWAN-1 ip address 192.168.11.2 255.255.255.0 standby 1 ip 192.168.11.1 standby 1 priority 105 standby 1 preempt no negotiation auto service-policy input DataCenter-LAN-EDGE-IN service-policy output DataCenter-LAN-EDGE-OUT ! interface GigabitEthernet0/0/1 no ip address no negotiation auto ! interface GigabitEthernet0/0/2 description RSP-1 G0/1 ip address 10.10.1.6 255.255.255.0 no negotiation auto service-policy output DataCenter-WAN-EDGE ! interface GigabitEthernet0/0/3 no ip address shutdown no negotiation auto ! interface GigabitEthernet0 vrf forwarding Mgmt-intf no ip address shutdown negotiation auto ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip route 0.0.0.0 0.0.0.0 192.168.11.60 ip route 10.10.0.0 255.255.0.0 10.10.1.1 ip route 10.10.0.0 255.255.0.0 192.168.11.3 50 ip route 10.10.0.0 255.255.255.0 192.168.11.60 ip route 10.10.2.0 255.255.255.0 192.168.11.3 ip route 10.10.3.0 255.255.255.0 192.168.11.60 ip route 10.10.4.0 255.255.255.0 192.168.11.60 ip route 10.10.110.2 255.255.255.255 192.168.11.3 ip route 10.10.126.2 255.255.255.255 192.168.11.3 ip route 10.10.254.0 255.255.255.0 192.168.11.3 ip route 192.168.0.0 255.255.0.0 192.168.11.10 ip route 192.168.1.112 255.255.255.255 192.168.11.3 ip route 192.168.20.0 255.255.252.0 192.168.11.60 ip route 192.168.24.0 255.255.255.0 192.168.11.60 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip 192.168.52.0 0.0.0.255 any ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 192.168.46.72 eq 8444 host 10.10.49.94 remark --Large store Clock Server to CUAE permit tcp host 192.168.45.185 eq 8000 host 10.10.49.94 remark ---LiteScape Application--- permit ip host 192.168.46.82 any permit ip 239.192.0.0 0.0.0.255 any permit ip host 239.255.255.250 any remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log cdp run ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps ipsla snmp-server enable traps syslog snmp-server enable traps flash insertion removal snmp-server host 192.168.42.124 remoteuser ! tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! ! control-plane ! ! ! ! banner exec C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL stopbits 1 line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 no exec transport preferred none transport output none stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 17186047 ntp source Loopback0 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end RWAN-2 ! ! Last configuration change at 01:31:03 PST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:31:04 PST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers no platform punt-keepalive disable-kernel-core ! hostname RWAN-2 ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! ! ! aaa session-id common ! ! ! clock timezone PST -8 0 clock summer-time PST recurring ip source-route ! ! ! no ip bootp server no ip domain lookup ip domain name cisco-irn.com ip name-server 192.168.42.130 ip multicast-routing distributed ! ! login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! ! ! multilink bundle-name authenticated ! password encryption aes ! ! ! ! ! ! ! crypto pki trustpoint TP-self-signed-1414178861 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1414178861 revocation-check none rsakeypair TP-self-signed-1414178861 ! ! crypto pki certificate chain TP-self-signed-1414178861 certificate self-signed 01 <removed> quit archive log config logging enable notify syslog contenttype plaintext hidekeys ! username retail privilege 15 secret 4 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 4 <removed> username bmcgloth privilege 15 secret 4 <removed> username csmadmin privilege 15 secret 4 <removed> ! redundancy mode none ! ! ! ip ssh version 2 ip scp server enable ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.1.112 255.255.255.255 ip pim sparse-dense-mode ! interface GigabitEthernet0/0/0 description SWAN-2 ip address 192.168.11.3 255.255.255.0 standby 1 ip 192.168.11.1 standby 1 priority 95 no negotiation auto ! interface GigabitEthernet0/0/1 no ip address no negotiation auto ! interface GigabitEthernet0/0/2 description RSP-2 G0/1 ip address 10.10.2.6 255.255.255.0 no negotiation auto ! interface GigabitEthernet0/0/3 no ip address no negotiation auto ! interface GigabitEthernet0 vrf forwarding Mgmt-intf no ip address shutdown negotiation auto ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip route 0.0.0.0 0.0.0.0 192.168.11.60 ip route 10.10.0.0 255.255.0.0 10.10.2.1 ip route 10.10.0.0 255.255.0.0 192.168.11.2 50 ip route 10.10.0.0 255.255.255.0 192.168.11.60 ip route 10.10.1.0 255.255.255.0 192.168.11.2 ip route 10.10.3.0 255.255.255.0 192.168.11.60 ip route 10.10.4.0 255.255.255.0 192.168.11.60 ip route 10.10.110.1 255.255.255.255 192.168.11.2 ip route 10.10.126.1 255.255.255.255 192.168.11.2 ip route 10.10.255.0 255.255.255.0 192.168.11.2 ip route 192.168.0.0 255.255.0.0 192.168.11.10 ip route 192.168.1.111 255.255.255.255 192.168.11.2 ip route 192.168.20.0 255.255.252.0 192.168.11.60 ip route 192.168.24.0 255.255.255.0 192.168.11.60 ip tacacs source-interface Loopback0 ! ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps ipsla snmp-server enable traps syslog snmp-server enable traps flash insertion removal snmp-server host 192.168.42.124 remoteuser ! tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! ! control-plane ! ! ! ! banner exec C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL stopbits 1 line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 login authentication RETAIL no exec transport preferred none transport output none stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 17219603 ntp source Loopback0 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end SWAN-1 Current configuration : 12174 bytes ! ! Last configuration change at 14:08:38 PST Fri Dec 21 2012 by bmcgloth ! NVRAM config last updated at 13:54:15 PST Fri Dec 21 2012 by bmcgloth ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname SWAN-1 ! boot-start-marker boot-end-marker ! logging buffered 51200 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> username ciscolms privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa group server tacacs+ PRIMARY1 ! aaa authentication login RETAIL group tacacs+ local aaa authentication login COMPLIANCE group PRIMARY1 local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PST recurring switch 1 provision ws-c3750x-48p switch 2 provision ws-c3750x-48p system mtu routing 1500 authentication mac-move permit ip subnet-zero no ip source-route no ip gratuitous-arps ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-722491520 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-722491520 revocation-check none rsakeypair TP-self-signed-722491520 ! ! crypto pki certificate chain TP-self-signed-722491520 certificate self-signed 01 <removed> quit ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree etherchannel guard misconfig spanning-tree extend system-id ! vlan internal allocation policy ascending ! ip tcp synwait-time 10 ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! ! interface GigabitEthernet1/0/1 description Link to RWAN-1 G0-0-0 ! interface GigabitEthernet1/0/2 description Link to ASA-WAN-1 G0-0 ! \| !<removed for brevity> ! \| interface GigabitEthernet1/0/48 shutdown ! interface GigabitEthernet1/1/1 shutdown ! interface GigabitEthernet1/1/2 shutdown ! interface GigabitEthernet1/1/3 shutdown ! interface GigabitEthernet1/1/4 shutdown ! interface TenGigabitEthernet1/1/1 shutdown ! interface TenGigabitEthernet1/1/2 shutdown ! ! interface GigabitEthernet2/0/1 description Link to RWAN-2 G0-0-0 ! interface GigabitEthernet2/0/2 description Link to ASA-WAN-2 G0-0 ! ! <removed for brevity> ! interface GigabitEthernet2/0/48 shutdown ! interface GigabitEthernet2/1/1 shutdown ! interface GigabitEthernet2/1/2 shutdown ! interface GigabitEthernet2/1/3 shutdown ! interface GigabitEthernet2/1/4 shutdown ! interface TenGigabitEthernet2/1/1 shutdown ! interface TenGigabitEthernet2/1/2 shutdown ! ! interface Vlan1 ip address 192.168.11.14 255.255.255.0 ! ip default-gateway 192.168.11.10 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ip sla enable reaction-alerts logging trap debugging logging 192.168.42.124 logging 192.168.42.139 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 192.168.42.139 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 permit 192.168.42.139 log access-list 88 deny any log snmp-server group V3Group v3 priv read V3Read write V3Write notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server view V3Read iso included snmp-server view V3Write iso included snmp-server packetsize 8192 snmp-server location Building SJC-17-1 Aisle 2 Rack 3 snmp-server contact Bart McGlothin snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps power-ethernet group 1-4 snmp-server enable traps power-ethernet police snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps hsrp snmp-server enable traps energywise snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps rtr snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server enable traps errdisable snmp-server host 192.168.42.134 version 3 priv ciscolms snmp-server host 192.168.42.139 version 3 priv ciscolms snmp-server host 192.168.42.133 version 3 priv csmadmin tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ! monitor session 1 source interface Fa1/0/1 monitor session 1 destination interface Fa1/0/48 ntp clock-period 36029318 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end SWAN-3 Current configuration : 12174 bytes ! ! Last configuration change at 14:08:38 PST Fri Dec 21 2012 by bmcgloth ! NVRAM config last updated at 13:54:15 PST Fri Dec 21 2012 by bmcgloth ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname SWAN-3 ! boot-start-marker boot-end-marker ! logging buffered 51200 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> username ciscolms privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa group server tacacs+ PRIMARY1 ! aaa authentication login RETAIL group tacacs+ local aaa authentication login COMPLIANCE group PRIMARY1 local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PST recurring switch 1 provision ws-c3750x-48p switch 2 provision ws-c3750x-48p system mtu routing 1500 authentication mac-move permit ip subnet-zero no ip source-route no ip gratuitous-arps ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-722491520 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-722491520 revocation-check none rsakeypair TP-self-signed-722491520 ! ! crypto pki certificate chain TP-self-signed-722491520 certificate self-signed 01 <removed> quit ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree etherchannel guard misconfig spanning-tree extend system-id ! vlan internal allocation policy ascending ! ip tcp synwait-time 10 ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! ! interface GigabitEthernet1/0/1 description Link to RCORE-2 G1-1 ! interface GigabitEthernet1/0/2 description Link to ASA-WAN-1 G0-1 ! \| !<removed for brevity> ! \| interface GigabitEthernet1/0/48 shutdown ! interface GigabitEthernet1/1/1 shutdown ! interface GigabitEthernet1/1/2 shutdown ! interface GigabitEthernet1/1/3 shutdown ! interface GigabitEthernet1/1/4 shutdown ! interface TenGigabitEthernet1/1/1 shutdown ! interface TenGigabitEthernet1/1/2 shutdown ! ! interface GigabitEthernet2/0/1 description Link to RCORE-1 G1-1 ! interface GigabitEthernet2/0/2 description Link to ASA-WAN-2 G0-1 ! ! <removed for brevity> ! interface GigabitEthernet2/0/48 shutdown ! interface GigabitEthernet2/1/1 shutdown ! interface GigabitEthernet2/1/2 shutdown ! interface GigabitEthernet2/1/3 shutdown ! interface GigabitEthernet2/1/4 shutdown ! interface TenGigabitEthernet2/1/1 shutdown ! interface TenGigabitEthernet2/1/2 shutdown ! ! interface Vlan1 ip address 192.168.11.14 255.255.255.0 ! ip default-gateway 192.168.11.10 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ip sla enable reaction-alerts logging trap debugging logging 192.168.42.124 logging 192.168.42.139 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 192.168.42.139 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 permit 192.168.42.139 log access-list 88 deny any log snmp-server group V3Group v3 priv read V3Read write V3Write notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server view V3Read iso included snmp-server view V3Write iso included snmp-server packetsize 8192 snmp-server location Building SJC-17-1 Aisle 2 Rack 3 snmp-server contact Bart McGlothin snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps power-ethernet group 1-4 snmp-server enable traps power-ethernet police snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps hsrp snmp-server enable traps energywise snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps rtr snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server enable traps errdisable snmp-server host 192.168.42.134 version 3 priv ciscolms snmp-server host 192.168.42.139 version 3 priv ciscolms snmp-server host 192.168.42.133 version 3 priv csmadmin tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ! monitor session 1 source interface Fa1/0/1 monitor session 1 destination interface Fa1/0/48 ntp clock-period 36029318 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end Core RCORE-1 ! ! Last configuration change at 01:37:46 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:37:47 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers service counters max age 5 ! hostname RCORE-1 ! boot-start-marker boot system flash disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ.bin boot-end-marker ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring ip wccp 61 ip wccp 62 ! ! ! no ip bootp server ip multicast-routing ip ssh version 2 ip scp server enable ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ipv6 mfib hardware-switching replication-mode ingress vtp domain CiscoRetail vtp mode transparent mls ip cef load-sharing full simple no mls acl tcam share-global mls netflow interface mls cef error action freeze password encryption aes ! crypto pki trustpoint TP-self-signed-1104 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1104 revocation-check none rsakeypair TP-self-signed-1104 ! ! crypto pki certificate chain TP-self-signed-1104 certificate self-signed 01 <removed> quit ! ! ! ! ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys ! spanning-tree mode rapid-pvst spanning-tree loopguard default no spanning-tree optimize bpdu transmission spanning-tree extend system-id spanning-tree pathcost method long environment temperature-controlled diagnostic bootup level minimal access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! redundancy main-cpu auto-sync running-config mode sso ! ! vlan internal allocation policy descending vlan dot1q tag native vlan access-log ratelimit 2000 ! ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.255 ! interface Port-channel99 ip address 192.168.10.29 255.255.255.252 no ip redirects no ip proxy-arp ip pim sparse-dense-mode ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf network point-to-point ip ospf hello-interval 2 ip ospf dead-interval 6 logging event link-status ! interface GigabitEthernet1/1 description to DC WAN_SWAN-3 ip address 192.168.11.11 255.255.255.0 standby 0 ip 192.168.11.10 standby 0 priority 101 standby 0 preempt ! interface GigabitEthernet1/2 no ip address shutdown ! interface GigabitEthernet1/3 no ip address shutdown ! interface GigabitEthernet1/4 no ip address shutdown ! interface GigabitEthernet1/5 no ip address shutdown ! interface GigabitEthernet1/6 no ip address shutdown ! interface GigabitEthernet1/7 no ip address shutdown ! interface GigabitEthernet1/8 no ip address shutdown ! interface GigabitEthernet1/9 no ip address shutdown ! interface GigabitEthernet1/10 no ip address shutdown ! interface GigabitEthernet1/11 no ip address shutdown ! interface GigabitEthernet1/12 no ip address shutdown ! interface GigabitEthernet1/13 no ip address shutdown ! interface GigabitEthernet1/14 no ip address shutdown ! interface GigabitEthernet1/15 no ip address shutdown ! interface GigabitEthernet1/16 no ip address shutdown ! interface GigabitEthernet1/17 no ip address shutdown ! interface GigabitEthernet1/18 no ip address shutdown ! interface GigabitEthernet1/19 no ip address shutdown ! interface GigabitEthernet1/20 no ip address shutdown ! interface GigabitEthernet1/21 no ip address shutdown ! interface GigabitEthernet1/22 no ip address shutdown ! interface GigabitEthernet1/23 no ip address shutdown ! interface GigabitEthernet1/24 no ip address shutdown ! interface GigabitEthernet1/25 no ip address shutdown ! interface GigabitEthernet1/26 no ip address shutdown ! interface GigabitEthernet1/27 no ip address shutdown ! interface GigabitEthernet1/28 no ip address shutdown ! interface GigabitEthernet1/29 no ip address shutdown ! interface GigabitEthernet1/30 no ip address shutdown ! interface GigabitEthernet1/31 no ip address shutdown ! interface GigabitEthernet1/32 no ip address shutdown ! interface GigabitEthernet1/33 no ip address shutdown ! interface GigabitEthernet1/34 no ip address shutdown ! interface GigabitEthernet1/35 no ip address shutdown ! interface GigabitEthernet1/36 no ip address shutdown ! interface GigabitEthernet1/37 no ip address shutdown ! interface GigabitEthernet1/38 no ip address shutdown ! interface GigabitEthernet1/39 no ip address shutdown ! interface GigabitEthernet1/40 no ip address shutdown ! interface GigabitEthernet1/41 no ip address shutdown ! interface GigabitEthernet1/42 no ip address shutdown ! interface GigabitEthernet1/43 no ip address shutdown ! interface GigabitEthernet1/44 no ip address shutdown ! interface GigabitEthernet1/45 no ip address shutdown ! interface GigabitEthernet1/46 no ip address shutdown ! interface GigabitEthernet1/47 no ip address shutdown ! interface GigabitEthernet1/48 no ip address shutdown ! interface TenGigabitEthernet2/1 description 10Gig LINK to RAGG-1 T1/3 ip address 192.168.10.13 255.255.255.252 no ip redirects no ip proxy-arp ip pim sparse-dense-mode ip igmp query-interval 125 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf network point-to-point ip ospf hello-interval 2 ip ospf dead-interval 6 logging event link-status ! interface TenGigabitEthernet2/2 description 10Gig LINK to RAGG-2 T1/3 ip address 192.168.10.17 255.255.255.252 no ip redirects no ip proxy-arp ip pim sparse-dense-mode ip igmp query-interval 125 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf network point-to-point ip ospf hello-interval 2 ip ospf dead-interval 6 logging event link-status ! interface TenGigabitEthernet2/3 description 10Gig LINK to RCORE-2 no ip address channel-group 99 mode active ! interface TenGigabitEthernet2/4 description 10Gig LINK to RCORE-2 no ip address channel-group 99 mode active ! interface TenGigabitEthernet2/5 no ip address shutdown ! interface TenGigabitEthernet2/6 no ip address shutdown ! interface TenGigabitEthernet2/7 no ip address shutdown ! interface TenGigabitEthernet2/8 no ip address shutdown ! interface GigabitEthernet5/1 no ip address shutdown ! interface GigabitEthernet5/2 no ip address shutdown ! interface GigabitEthernet6/1 no ip address shutdown ! interface GigabitEthernet6/2 no ip address shutdown ! interface Vlan1 no ip address shutdown ! router ospf 5 router-id 192.168.1.1 log-adjacency-changes auto-cost reference-bandwidth 10000 nsf redistribute static subnets passive-interface default no passive-interface TenGigabitEthernet2/1 no passive-interface TenGigabitEthernet2/2 no passive-interface Port-channel99 network 192.168.0.0 0.0.255.255 area 0 default-information originate metric 20 metric-type 1 ! ip classless no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.11.60 name default-to-internet ip route 10.10.0.0 255.255.0.0 192.168.11.1 name route-to-stores ip route 10.10.0.0 255.255.255.0 192.168.11.60 name route-to-SP ip route 10.10.1.0 255.255.255.0 192.168.11.2 ip route 10.10.2.0 255.255.255.0 192.168.11.3 ip route 10.10.110.1 255.255.255.255 192.168.11.2 ip route 10.10.110.2 255.255.255.255 192.168.11.3 ip route 10.10.126.1 255.255.255.255 192.168.11.2 ip route 10.10.126.2 255.255.255.255 192.168.11.3 ip route 10.10.254.0 255.255.255.0 192.168.11.3 ip route 10.10.255.0 255.255.255.0 192.168.11.2 ip route 192.168.1.111 255.255.255.255 192.168.11.2 ip route 192.168.1.112 255.255.255.255 192.168.11.3 ip route 192.168.20.0 255.255.255.0 192.168.11.60 name route-to-DMZ ip route 192.168.21.0 255.255.255.0 192.168.11.60 name route-to-DMZ ip route 192.168.22.0 255.255.255.0 192.168.11.60 name route-to-DMZ ip route 192.168.23.0 255.255.255.0 192.168.11.60 name route-to-DMZ ! ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip pim send-rp-discovery scope 2 ip tacacs source-interface Loopback0 ! logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps hsrp snmp-server enable traps MAC-Notification change move threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps errdisable snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! ! control-plane ! ! dial-peer cor custom ! ! ! banner exec C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ! ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 mac-address-table aging-time 480 ! end RCORE-2 ! ! Last configuration change at 01:42:02 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:42:02 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers service counters max age 5 ! hostname RCORE-2 ! boot-start-marker boot system flash disk1:s72033-adventerprisek9_wan-mz.122-33.SXJ.bin boot-end-marker ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring call-home no alert-group configuration no alert-group diagnostic no alert-group environment no alert-group inventory no alert-group syslog ip wccp 61 ip wccp 62 ! ! ! no ip bootp server ip multicast-routing ip ssh version 2 ip scp server enable ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ipv6 mfib hardware-switching replication-mode ingress vtp domain CiscoRetail vtp mode transparent mls ip cef load-sharing full simple no mls acl tcam share-global mls netflow interface mls cef error action freeze password encryption aes ! crypto pki trustpoint TP-self-signed-1051 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1051 revocation-check none rsakeypair TP-self-signed-1051 ! ! crypto pki certificate chain TP-self-signed-1051 certificate self-signed 01 <removed> quit ! ! ! ! ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys ! spanning-tree mode rapid-pvst spanning-tree loopguard default no spanning-tree optimize bpdu transmission spanning-tree extend system-id spanning-tree pathcost method long environment temperature-controlled diagnostic bootup level minimal access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! redundancy main-cpu auto-sync running-config mode sso ! ! vlan internal allocation policy descending vlan dot1q tag native vlan access-log ratelimit 2000 ! ! ! ! ! interface Loopback0 ip address 192.168.1.2 255.255.255.255 ! interface Port-channel99 description link between CORE's ip address 192.168.10.30 255.255.255.252 no ip redirects no ip proxy-arp ip pim sparse-dense-mode ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf network point-to-point ip ospf hello-interval 2 ip ospf dead-interval 6 logging event link-status ! interface GigabitEthernet1/1 description to DC WAN_SWAN-3/4 ip address 192.168.11.12 255.255.255.0 standby 0 ip 192.168.11.10 standby 0 priority 99 standby 0 preempt ! interface GigabitEthernet1/2 no ip address shutdown ! interface GigabitEthernet1/3 no ip address shutdown ! interface GigabitEthernet1/4 no ip address shutdown ! interface GigabitEthernet1/5 no ip address shutdown ! interface GigabitEthernet1/6 no ip address shutdown ! interface GigabitEthernet1/7 no ip address shutdown ! interface GigabitEthernet1/8 no ip address shutdown ! interface GigabitEthernet1/9 no ip address shutdown ! interface GigabitEthernet1/10 no ip address shutdown ! interface GigabitEthernet1/11 no ip address shutdown ! interface GigabitEthernet1/12 no ip address shutdown ! interface GigabitEthernet1/13 no ip address shutdown ! interface GigabitEthernet1/14 no ip address shutdown ! interface GigabitEthernet1/15 no ip address shutdown ! interface GigabitEthernet1/16 no ip address shutdown ! interface GigabitEthernet1/17 no ip address shutdown ! interface GigabitEthernet1/18 no ip address shutdown ! interface GigabitEthernet1/19 no ip address shutdown ! interface GigabitEthernet1/20 no ip address shutdown ! interface GigabitEthernet1/21 no ip address shutdown ! interface GigabitEthernet1/22 no ip address shutdown ! interface GigabitEthernet1/23 no ip address shutdown ! interface GigabitEthernet1/24 no ip address shutdown ! interface GigabitEthernet1/25 no ip address shutdown ! interface GigabitEthernet1/26 no ip address shutdown ! interface GigabitEthernet1/27 no ip address shutdown ! interface GigabitEthernet1/28 no ip address shutdown ! interface GigabitEthernet1/29 no ip address shutdown ! interface GigabitEthernet1/30 no ip address shutdown ! interface GigabitEthernet1/31 no ip address shutdown ! interface GigabitEthernet1/32 no ip address shutdown ! interface GigabitEthernet1/33 no ip address shutdown ! interface GigabitEthernet1/34 no ip address shutdown ! interface GigabitEthernet1/35 no ip address shutdown ! interface GigabitEthernet1/36 no ip address shutdown ! interface GigabitEthernet1/37 no ip address shutdown ! interface GigabitEthernet1/38 no ip address shutdown ! interface GigabitEthernet1/39 no ip address shutdown ! interface GigabitEthernet1/40 no ip address shutdown ! interface GigabitEthernet1/41 no ip address shutdown ! interface GigabitEthernet1/42 no ip address shutdown ! interface GigabitEthernet1/43 no ip address shutdown ! interface GigabitEthernet1/44 no ip address shutdown ! interface GigabitEthernet1/45 no ip address shutdown ! interface GigabitEthernet1/46 no ip address shutdown ! interface GigabitEthernet1/47 no ip address shutdown ! interface GigabitEthernet1/48 no ip address shutdown ! interface TenGigabitEthernet2/1 description 10Gig LINK to RAGG-1 T1/4 ip address 192.168.10.21 255.255.255.252 no ip redirects no ip proxy-arp ip pim sparse-dense-mode ip igmp query-interval 125 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf network point-to-point ip ospf hello-interval 2 ip ospf dead-interval 6 logging event link-status ! interface TenGigabitEthernet2/2 description 10Gig LINK to RAGG-2 T1/4 ip address 192.168.10.25 255.255.255.252 no ip redirects no ip proxy-arp ip pim sparse-dense-mode ip igmp query-interval 125 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf network point-to-point ip ospf hello-interval 2 ip ospf dead-interval 6 logging event link-status ! interface TenGigabitEthernet2/3 description 10Gig LINK to RCORE-1 no ip address channel-group 99 mode active ! interface TenGigabitEthernet2/4 description 10Gig LINK to RCORE-1 no ip address channel-group 99 mode active ! interface TenGigabitEthernet2/5 no ip address shutdown ! interface TenGigabitEthernet2/6 no ip address shutdown ! interface TenGigabitEthernet2/7 no ip address shutdown ! interface TenGigabitEthernet2/8 no ip address shutdown ! interface GigabitEthernet5/1 no ip address shutdown ! interface GigabitEthernet5/2 no ip address shutdown ! interface GigabitEthernet6/1 no ip address shutdown ! interface GigabitEthernet6/2 no ip address shutdown ! interface Vlan1 no ip address shutdown ! router ospf 5 router-id 192.168.1.2 log-adjacency-changes auto-cost reference-bandwidth 10000 nsf redistribute static subnets passive-interface default no passive-interface TenGigabitEthernet2/1 no passive-interface TenGigabitEthernet2/2 no passive-interface Port-channel99 network 192.168.0.0 0.0.255.255 area 0 default-information originate metric 22 metric-type 1 ! ip classless no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.11.60 name default-to-internet ip route 10.10.0.0 255.255.0.0 192.168.11.1 name route-to-stores ip route 10.10.0.0 255.255.255.0 192.168.11.60 name route-to-SP ip route 10.10.1.0 255.255.255.0 192.168.11.2 ip route 10.10.2.0 255.255.255.0 192.168.11.3 ip route 10.10.110.1 255.255.255.255 192.168.11.2 ip route 10.10.110.2 255.255.255.255 192.168.11.3 ip route 10.10.126.1 255.255.255.255 192.168.11.2 ip route 10.10.126.2 255.255.255.255 192.168.11.3 ip route 10.10.254.0 255.255.255.0 192.168.11.3 ip route 10.10.255.0 255.255.255.0 192.168.11.2 ip route 192.168.20.0 255.255.255.0 192.168.11.60 name route-to-DMZ ip route 192.168.21.0 255.255.255.0 192.168.11.60 name route-to-DMZ ip route 192.168.22.0 255.255.255.0 192.168.11.60 name route-to-DMZ ip route 192.168.23.0 255.255.255.0 192.168.11.60 name route-to-DMZ ! ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip pim send-rp-discovery scope 2 ip tacacs source-interface Loopback0 ! logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps hsrp snmp-server enable traps MAC-Notification change move threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps errdisable snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 timeout 5 tacacs-server directed-request tacacs-server key 7 <removed> ! ! control-plane ! ! dial-peer cor custom ! ! ! banner exec C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 mac-address-table aging-time 480 ! end Aggregation ASA-DC-1 : Saved : ASA Version 8.4(1) <context> ! firewall transparent hostname dca-vc1 domain-name cisco-irn.com enable password <removed> encrypted passwd <removed> encrypted names ! interface outside nameif north bridge-group 1 security-level 0 ! interface inside nameif south bridge-group 1 security-level 100 ! interface BVI1 ip address 192.168.162.21 255.255.255.0 standby 192.168.162.22 ! dns domain-lookup south dns server-group DefaultDNS name-server 192.168.42.130 domain-name cisco-irn.com object-group network AdminStation network-object 192.168.41.101 255.255.255.255 object-group network AdminStation2 network-object 192.168.41.102 255.255.255.255 object-group network AdminStation4-bart network-object 10.19.151.99 255.255.255.255 object-group network CSM_INLINE_src_rule_77309411633 description Generated by CS-Manager from src of FirewallRule# 2 (ASA-DC-1-vdc1_v1/mandatory) group-object AdminStation group-object AdminStation2 group-object AdminStation4-bart object-group network DC-ALL description All of the Data Center network-object 192.168.0.0 255.255.0.0 object-group network Stores-ALL description all store networks network-object 10.10.0.0 255.255.0.0 object-group network CSM_INLINE_dst_rule_77309411633 description Generated by CS-Manager from dst of FirewallRule# 2 (ASA-DC-1-vdc1_v1/mandatory) group-object DC-ALL group-object Stores-ALL object-group network EMC-NCM description EMC Network Configuration Manager network-object 192.168.42.122 255.255.255.255 object-group network CSManager description Cisco Security Manager network-object 192.168.42.133 255.255.255.255 object-group network RSA-enVision description RSA EnVision Syslog collector and SIM network-object 192.168.42.124 255.255.255.255 object-group network AdminStation3 network-object 192.168.42.138 255.255.255.255 object-group network Admin-Systems group-object EMC-NCM group-object AdminStation group-object AdminStation2 group-object CSManager group-object RSA-enVision group-object AdminStation3 group-object AdminStation4-bart object-group network DC-DMZ description (Optimized by CS-Manager) network-object 192.168.20.0 255.255.252.0 network-object 192.168.24.0 255.255.255.0 object-group network CSM_INLINE_dst_rule_77309411635 description Generated by CS-Manager from dst of FirewallRule# 3 (ASA-DC-1-vdc1_v1/mandatory) group-object DC-ALL group-object Stores-ALL group-object DC-DMZ object-group network CSM_INLINE_src_rule_77309414079 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-DC-1-vdc1_v1/mandatory) group-object DC-ALL group-object Stores-ALL object-group network CSM_INLINE_src_rule_77309414081 description Generated by CS-Manager from src of FirewallRule# 5 (ASA-DC-1-vdc1_v1/mandatory) group-object DC-ALL group-object Stores-ALL object-group network ActiveDirectory.cisco-irn.com network-object 192.168.42.130 255.255.255.255 object-group network vSphere-1 description vSphere server for Lab network-object 192.168.41.102 255.255.255.255 object-group network WCSManager description Wireless Manager network-object 192.168.43.135 255.255.255.255 object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores network-object 192.168.43.21 255.255.255.255 network-object 192.168.43.22 255.255.255.255 object-group network DC-Wifi-MSE description Mobility Service Engines network-object 192.168.43.31 255.255.255.255 network-object 192.168.43.32 255.255.255.255 object-group network CSM_INLINE_src_rule_77309411641 description Generated by CS-Manager from src of FirewallRule# 9 (ASA-DC-1-vdc1_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE object-group network PAME-DC-1 network-object 192.168.44.111 255.255.255.255 object-group network MSP-DC-1 description Data Center VSOM network-object 192.168.44.121 255.255.255.255 object-group network CSM_INLINE_src_rule_77309411643 description Generated by CS-Manager from src of FirewallRule# 10 (ASA-DC-1-vdc1_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 object-group network DC-WAAS description WAE Appliances in Data Center network-object 192.168.48.10 255.255.255.255 network-object 192.168.49.10 255.255.255.255 network-object 192.168.47.11 255.255.255.255 network-object 192.168.47.12 255.255.255.255 object-group network CSM_INLINE_src_rule_77309414071 description Generated by CS-Manager from src of FirewallRule# 15 (ASA-DC-1-vdc1_v1/mandatory) group-object DC-ALL group-object Stores-ALL object-group network NTP-Servers description NTP Servers network-object 192.168.62.161 255.255.255.255 network-object 162.168.62.162 255.255.255.255 object-group network TACACS description Csico Secure ACS server for TACACS and Radius network-object 192.168.42.131 255.255.255.255 object-group network RSA-AM description RSA Authentication Manager for SecureID network-object 192.168.42.137 255.255.255.255 object-group network NAC-2 network-object 192.168.42.112 255.255.255.255 object-group network NAC-1 description ISE server for NAC network-object 192.168.42.111 255.255.255.255 object-group network CSM_INLINE_dst_rule_77309411663 description Generated by CS-Manager from dst of FirewallRule# 25 (ASA-DC-1-vdc1_v1/mandatory) group-object TACACS group-object RSA-AM group-object NAC-2 group-object NAC-1 object-group network CSM_INLINE_dst_rule_77309411665 description Generated by CS-Manager from dst of FirewallRule# 26 (ASA-DC-1-vdc1_v1/mandatory) group-object NAC-2 group-object NAC-1 object-group network CSM_INLINE_dst_rule_77309411669 description Generated by CS-Manager from dst of FirewallRule# 28 (ASA-DC-1-vdc1_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 object-group network CSM_INLINE_dst_rule_77309411671 description Generated by CS-Manager from dst of FirewallRule# 29 (ASA-DC-1-vdc1_v1/mandatory) group-object DC-Wifi-Controllers group-object DC-Wifi-MSE object-group network MS-Update description Windows Update Server network-object 192.168.42.150 255.255.255.255 object-group network MSExchange description Mail Server network-object 192.168.42.140 255.255.255.255 object-group network POS-Store-Conv network-object 10.10.160.81 255.255.255.255 object-group network POS-Store-MSP network-object 10.10.176.81 255.255.255.255 object-group network POS-Store-SMALL-1 description Small Store POS devices network-object 10.10.128.81 255.255.255.255 network-object 10.10.128.82 255.255.255.255 object-group network POS-Store-Medium network-object 10.10.112.81 255.255.255.255 network-object 10.10.125.40 255.255.255.255 object-group network POS-Store-Mini network-object 10.10.144.81 255.255.255.255 object-group network POS-Store-3g network-object 10.10.192.82 255.255.255.255 object-group network POS-Store-Large network-object 10.10.96.81 255.255.255.255 network-object 10.10.96.82 255.255.255.255 object-group network CSM_INLINE_src_rule_77309411683 description Generated by CS-Manager from src of FirewallRule# 35 (ASA-DC-1-vdc1_v1/mandatory) group-object POS-Store-Conv group-object POS-Store-MSP group-object POS-Store-SMALL-1 group-object POS-Store-Medium group-object POS-Store-Mini group-object POS-Store-3g group-object POS-Store-Large object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center network-object 192.168.52.96 255.255.255.224 object-group network DC-POS description POS in the Data Center network-object 192.168.52.0 255.255.255.0 object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center network-object 192.168.52.144 255.255.255.240 object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center network-object 192.168.52.128 255.255.255.240 object-group network CSM_INLINE_dst_rule_77309411683 description Generated by CS-Manager from dst of FirewallRule# 35 (ASA-DC-1-vdc1_v1/mandatory) group-object DC-POS-Tomax group-object DC-POS group-object DC-POS-SAP group-object DC-POS-Oracle object-group network CSM_INLINE_src_rule_77309414158 description Generated by CS-Manager from src of FirewallRule# 36 (ASA-DC-1-vdc1_v1/mandatory) network-object 192.168.22.11 255.255.255.255 network-object 192.168.22.12 255.255.255.255 network-object 192.168.21.0 255.255.255.0 object-group network CSM_INLINE_src_rule_77309414160 description Generated by CS-Manager from src of FirewallRule# 37 (ASA-DC-1-vdc1_v1/mandatory) network-object 192.168.22.11 255.255.255.255 network-object 192.168.22.12 255.255.255.255 network-object 192.168.21.0 255.255.255.0 object-group network CSM_INLINE_src_rule_77309414162 description Generated by CS-Manager from src of FirewallRule# 38 (ASA-DC-1-vdc1_v1/mandatory) network-object 192.168.22.11 255.255.255.255 network-object 192.168.22.12 255.255.255.255 network-object 192.168.21.0 255.255.255.0 object-group service HTTPS-8443 service-object tcp destination eq 8443 object-group service CSM_INLINE_svc_rule_77309411635 description Generated by CS-Manager from service of FirewallRule# 3 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq ssh service-object tcp destination eq https group-object HTTPS-8443 object-group service CSM_INLINE_svc_rule_77309414079 description Generated by CS-Manager from service of FirewallRule# 4 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq smtp service-object tcp destination eq https service-object tcp destination eq ssh object-group service CSM_INLINE_svc_rule_77309414081 description Generated by CS-Manager from service of FirewallRule# 5 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq https service-object tcp destination eq ssh object-group service RPC service-object tcp destination eq 135 object-group service LDAP-GC service-object tcp destination eq 3268 object-group service LDAP-GC-SSL service-object tcp destination eq 3269 object-group service DNS-Resolving description Domain Name Server service-object tcp destination eq domain service-object udp destination eq domain object-group service Kerberos-TCP service-object tcp destination eq 88 object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing service-object tcp destination eq 445 object-group service LDAP-UDP service-object udp destination eq 389 object-group service RPC-HighPorts service-object tcp destination range 1024 65535 object-group service CSM_INLINE_svc_rule_77309411637 description Generated by CS-Manager from service of FirewallRule# 7 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq ntp service-object udp destination eq netbios-dgm group-object RPC group-object LDAP-GC group-object LDAP-GC-SSL group-object DNS-Resolving group-object Kerberos-TCP group-object Microsoft-DS-SMB group-object LDAP-UDP group-object RPC-HighPorts object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts service-object tcp destination eq 5989 service-object tcp destination eq 8000 service-object tcp destination eq 902 service-object tcp destination eq 903 object-group service CSM_INLINE_svc_rule_77309411639 description Generated by CS-Manager from service of FirewallRule# 8 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq https service-object tcp destination eq ssh group-object vCenter-to-ESX4 object-group service IP-Protocol-97 description IP protocol 97 service-object 97 object-group service TFTP description Trivial File Transfer service-object tcp destination eq 69 service-object udp destination eq tftp object-group service LWAPP description LWAPP UDP ports 12222 and 12223 service-object udp destination eq 12222 service-object udp destination eq 12223 object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 service-object udp destination eq 5246 service-object udp destination eq 5247 object-group service CSM_INLINE_svc_rule_77309411641 description Generated by CS-Manager from service of FirewallRule# 9 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq https service-object tcp destination eq www service-object udp destination eq isakmp service-object tcp destination eq telnet service-object tcp destination eq ssh group-object IP-Protocol-97 group-object TFTP group-object LWAPP group-object CAPWAP object-group service TCP1080 service-object tcp destination eq 1080 object-group service TCP8080 service-object tcp destination eq 8080 object-group service RDP description Windows Remote Desktop service-object tcp destination eq 3389 object-group service CSM_INLINE_svc_rule_77309411645 description Generated by CS-Manager from service of FirewallRule# 11 (ASA-DC-1-vdc1_v1/mandatory) service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq ssh service-object tcp destination eq ftp group-object HTTPS-8443 group-object TCP1080 group-object TCP8080 group-object RDP object-group service CISCO-WAAS description Ports for Cisco WAAS service-object tcp destination eq 4050 object-group service Netbios description Netbios Servers service-object udp destination eq netbios-dgm service-object udp destination eq netbios-ns service-object tcp destination eq netbios-ssn object-group service CSM_INLINE_svc_rule_77309411647 description Generated by CS-Manager from service of FirewallRule# 12 (ASA-DC-1-vdc1_v1/mandatory) group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB group-object Netbios object-group service CSM_INLINE_svc_rule_77309411649 description Generated by CS-Manager from service of FirewallRule# 13 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group service CSM_INLINE_svc_rule_77309414071 description Generated by CS-Manager from service of FirewallRule# 15 (ASA-DC-1-vdc1_v1/mandatory) service-object icmp echo service-object icmp echo-reply service-object icmp unreachable service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq ftp service-object tcp destination eq ssh group-object TCP1080 group-object TCP8080 group-object RDP object-group service NTP description NTP Protocols service-object tcp destination eq 123 service-object udp destination eq ntp object-group service CSM_INLINE_svc_rule_77309414073 description Generated by CS-Manager from service of FirewallRule# 16 (ASA-DC-1-vdc1_v1/mandatory) group-object DNS-Resolving group-object NTP object-group service CSM_INLINE_svc_rule_77309414077 description Generated by CS-Manager from service of FirewallRule# 18 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq ldap service-object tcp destination eq ldaps group-object LDAP-GC group-object LDAP-GC-SSL group-object LDAP-UDP object-group service CSM_INLINE_svc_rule_77309411655 description Generated by CS-Manager from service of FirewallRule# 21 (ASA-DC-1-vdc1_v1/mandatory) service-object udp destination eq snmptrap service-object udp destination eq snmp service-object udp destination eq syslog object-group service CSM_INLINE_svc_rule_77309411657 description Generated by CS-Manager from service of FirewallRule# 22 (ASA-DC-1-vdc1_v1/mandatory) service-object udp destination eq domain service-object tcp destination eq ldap service-object tcp destination eq ldaps object-group service CSM_INLINE_svc_rule_77309411663 description Generated by CS-Manager from service of FirewallRule# 25 (ASA-DC-1-vdc1_v1/mandatory) service-object udp destination eq 1812 service-object udp destination eq 1813 object-group service CSM_INLINE_svc_rule_77309411665 description Generated by CS-Manager from service of FirewallRule# 26 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq https service-object tcp destination eq www group-object HTTPS-8443 object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems service-object udp destination eq 427 service-object tcp destination eq 427 object-group service CSM_INLINE_svc_rule_77309411667 description Generated by CS-Manager from service of FirewallRule# 27 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq https service-object tcp destination eq www service-object tcp destination eq ssh group-object vCenter-to-ESX4 group-object ESX-SLP object-group service Cisco-Mobility description Mobility ports for Wireless service-object udp destination eq 16666 service-object udp destination eq 16667 object-group service CSM_INLINE_svc_rule_77309411671 description Generated by CS-Manager from service of FirewallRule# 29 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq https service-object udp destination eq isakmp group-object Cisco-Mobility group-object IP-Protocol-97 group-object LWAPP group-object CAPWAP object-group service CSM_INLINE_svc_rule_77309411673 description Generated by CS-Manager from service of FirewallRule# 30 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group service CSM_INLINE_svc_rule_77309411675 description Generated by CS-Manager from service of FirewallRule# 31 (ASA-DC-1-vdc1_v1/mandatory) group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB group-object Netbios object-group service CSM_INLINE_svc_rule_77309411677 description Generated by CS-Manager from service of FirewallRule# 32 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq ntp service-object udp destination eq netbios-dgm group-object RPC group-object LDAP-GC group-object LDAP-GC-SSL group-object DNS-Resolving group-object Kerberos-TCP group-object Microsoft-DS-SMB group-object LDAP-UDP group-object RPC-HighPorts object-group service CSM_INLINE_svc_rule_77309411679 description Generated by CS-Manager from service of FirewallRule# 33 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq www service-object tcp destination eq https object-group service CSM_INLINE_svc_rule_77309411681 description Generated by CS-Manager from service of FirewallRule# 34 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp service-object tcp destination eq pop3 service-object tcp destination eq imap4 object-group service CSM_INLINE_svc_rule_77309414166 description Generated by CS-Manager from service of FirewallRule# 40 (ASA-DC-1-vdc1_v1/mandatory) service-object tcp destination eq smtp group-object DNS-Resolving object-group service CSM_INLINE_svc_rule_77309414172 description Generated by CS-Manager from service of FirewallRule# 43 (ASA-DC-1-vdc1_v1/mandatory) service-object udp destination eq 1812 service-object udp destination eq 1813 object-group service CSM_INLINE_svc_rule_77309414176 description Generated by CS-Manager from service of FirewallRule# 45 (ASA-DC-1-vdc1_v1/mandatory) service-object icmp service-object tcp destination eq ssh service-object tcp destination eq telnet service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq 8880 service-object tcp destination eq 8444 service-object tcp destination eq 5900 service-object tcp destination eq 5800 group-object RDP group-object TCP1080 group-object TCP8080 group-object TFTP group-object HTTPS-8443 group-object vCenter-to-ESX4 access-list CSM_FW_ACL_north extended permit ospf 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0 access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group EMC-NCM eq ssh access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411655 object-group Stores-ALL object-group RSA-enVision access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411657 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group TACACS eq tacacs access-list CSM_FW_ACL_north extended permit udp object-group Stores-ALL object-group NTP-Servers eq ntp access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411663 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411663 access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411665 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411665 access-list CSM_FW_ACL_north remark VMWare ESX to Data Center access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411667 object-group Stores-ALL object-group vSphere-1 access-list CSM_FW_ACL_north remark Physical security systems access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411669 eq https access-list CSM_FW_ACL_north remark Wireless control systems access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411671 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411671 access-list CSM_FW_ACL_north remark Voice calls access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411673 object-group Stores-ALL object-group DC-ALL access-list CSM_FW_ACL_north remark WAAS systems access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411675 object-group Stores-ALL object-group DC-WAAS access-list CSM_FW_ACL_north remark Allow Active Directory Domain access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411677 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com access-list CSM_FW_ACL_north remark Allow Windows Updates access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411679 object-group Stores-ALL object-group MS-Update access-list CSM_FW_ACL_north remark Allow Mail access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411681 object-group Stores-ALL object-group MSExchange access-list CSM_FW_ACL_north remark Allow Applications access-list CSM_FW_ACL_north extended permit tcp object-group CSM_INLINE_src_rule_77309411683 object-group CSM_INLINE_dst_rule_77309411683 eq https access-list CSM_FW_ACL_north extended permit udp object-group CSM_INLINE_src_rule_77309414158 object-group NTP-Servers eq ntp access-list CSM_FW_ACL_north remark - RIE-2 access-list CSM_FW_ACL_north extended permit udp object-group CSM_INLINE_src_rule_77309414160 object-group RSA-enVision eq syslog access-list CSM_FW_ACL_north extended permit tcp object-group CSM_INLINE_src_rule_77309414162 object-group TACACS eq tacacs access-list CSM_FW_ACL_north extended permit udp 192.168.21.0 255.255.255.0 object-group ActiveDirectory.cisco-irn.com eq domain access-list CSM_FW_ACL_north remark Ironport traffic in from DNZ access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414166 host 192.168.23.68 any access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group RSA-enVision eq syslog access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group NTP-Servers eq ntp access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414172 host 192.168.23.68 object-group TACACS access-list CSM_FW_ACL_north remark Drop all other traffic access-list CSM_FW_ACL_north extended deny ip any any log access-list CSM_FW_ACL_south extended permit ospf 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0 access-list CSM_FW_ACL_south extended permit ip object-group CSM_INLINE_src_rule_77309411633 object-group CSM_INLINE_dst_rule_77309411633 access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411635 object-group Admin-Systems object-group CSM_INLINE_dst_rule_77309411635 access-list CSM_FW_ACL_south remark Allow services for Ironport apps access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414079 object-group CSM_INLINE_src_rule_77309414079 192.168.23.64 255.255.255.224 access-list CSM_FW_ACL_south remark Allow traffic to DMZ access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414081 object-group CSM_INLINE_src_rule_77309414081 host 192.168.20.30 access-list CSM_FW_ACL_south remark Drop unauthorized traffic to DMZ access-list CSM_FW_ACL_south extended deny ip any 192.168.20.0 255.255.252.0 log access-list CSM_FW_ACL_south remark Allow Active Directory Domain access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411637 object-group ActiveDirectory.cisco-irn.com object-group Stores-ALL access-list CSM_FW_ACL_south remark VMWare - ESX systems access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411639 object-group vSphere-1 object-group Stores-ALL access-list CSM_FW_ACL_south remark Wireless Management to Stores access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411641 object-group CSM_INLINE_src_rule_77309411641 object-group Stores-ALL access-list CSM_FW_ACL_south remark Physical security systems access-list CSM_FW_ACL_south extended permit tcp object-group CSM_INLINE_src_rule_77309411643 object-group Stores-ALL eq https access-list CSM_FW_ACL_south remark Allow Management of store systems access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411645 object-group DC-ALL object-group Stores-ALL access-list CSM_FW_ACL_south remark WAAS systems access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411647 object-group DC-WAAS object-group Stores-ALL access-list CSM_FW_ACL_south remark Voice calls access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411649 object-group DC-ALL object-group Stores-ALL access-list CSM_FW_ACL_south extended deny ip any object-group Stores-ALL access-list CSM_FW_ACL_south remark Allow outbound services for Internet access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414071 object-group CSM_INLINE_src_rule_77309414071 any access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414073 object-group ActiveDirectory.cisco-irn.com any access-list CSM_FW_ACL_south extended permit udp object-group NTP-Servers any eq ntp access-list CSM_FW_ACL_south remark Allow LDAP out LAB test access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414077 object-group PAME-DC-1 any log access-list CSM_FW_ACL_south remark Drop and Log all other traffic access-list CSM_FW_ACL_south extended deny ip any any log pager lines 24 logging host south 192.168.42.124 mtu north 1500 mtu south 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any north icmp permit any south asdm history enable arp timeout 14400 access-group CSM_FW_ACL_north in interface north access-group CSM_FW_ACL_south in interface south route north 0.0.0.0 0.0.0.0 192.168.162.1 1 route south 192.168.38.0 255.255.255.0 192.168.162.7 1 route south 192.168.39.0 255.255.255.0 192.168.162.7 1 route south 192.168.40.0 255.255.255.0 192.168.162.7 1 route south 192.168.41.0 255.255.255.0 192.168.162.7 1 route south 192.168.42.0 255.255.255.0 192.168.162.7 1 route south 192.168.43.0 255.255.255.0 192.168.162.7 1 route south 192.168.44.0 255.255.255.0 192.168.162.7 1 route south 192.168.45.0 255.255.255.0 192.168.162.7 1 route south 192.168.46.0 255.255.255.0 192.168.162.7 1 route south 192.168.52.0 255.255.255.0 192.168.162.7 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 aaa-server RETAIL protocol tacacs+ aaa-server RETAIL (south) host 192.168.42.131 key * aaa authentication ssh console RETAIL LOCAL aaa authentication enable console RETAIL LOCAL aaa authentication http console RETAIL LOCAL aaa accounting ssh console RETAIL aaa accounting enable console RETAIL aaa accounting command privilege 15 RETAIL aaa authentication secure-http-client aaa local authentication attempts max-fail 6 aaa authorization exec authentication-server http server enable http server idle-timeout 15 http server session-timeout 60 http 10.19.151.99 255.255.255.255 north http 192.168.41.101 255.255.255.255 south http 192.168.41.102 255.255.255.255 south http 192.168.42.122 255.255.255.255 south http 192.168.42.124 255.255.255.255 south http 192.168.42.133 255.255.255.255 south http 192.168.42.138 255.255.255.255 south no snmp-server location no snmp-server contact telnet timeout 5 ssh 10.19.151.99 255.255.255.255 north ssh 192.168.41.101 255.255.255.255 south ssh 192.168.41.102 255.255.255.255 south ssh 192.168.42.122 255.255.255.255 south ssh 192.168.42.124 255.255.255.255 south ssh 192.168.42.133 255.255.255.255 south ssh 192.168.42.138 255.255.255.255 south ssh timeout 15 ssh version 2 no threat-detection statistics tcp-intercept username csmadmin password <removed> encrypted privilege 15 username retail password <removed> encrypted privilege 15 username bmcgloth password <removed> encrypted privilege 15 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global Cryptochecksum:70afa3a2a3007db41f3f336aca5cf51d : end asdm history enable RAGG-1-RUNNING !Command: show running-config !Time: Sun Apr 24 16:49:11 2011 version 5.1(2) hostname RAGG-1 vdc RAGG-1 id 1 limit-resource vlan minimum 16 maximum 4094 limit-resource monitor-session minimum 0 maximum 2 limit-resource monitor-session-erspan-dst minimum 0 maximum 23 limit-resource vrf minimum 2 maximum 1000 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 32 maximum 32 limit-resource u6route-mem minimum 16 maximum 16 limit-resource m4route-mem minimum 48 maximum 48 limit-resource m6route-mem minimum 8 maximum 8 vdc vdc1 id 2 allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/25-32 allocate interface Ethernet2/1-12 boot-order 1 limit-resource vlan minimum 16 maximum 4094 limit-resource monitor-session minimum 0 maximum 2 limit-resource monitor-session-erspan-dst minimum 0 maximum 23 limit-resource vrf minimum 2 maximum 1000 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 8 maximum 8 limit-resource u6route-mem minimum 4 maximum 4 limit-resource m4route-mem minimum 8 maximum 8 limit-resource m6route-mem minimum 5 maximum 5 vdc vdc2 id 3 allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8-24 allocate interface Ethernet2/13-48 boot-order 1 limit-resource vlan minimum 16 maximum 4094 limit-resource monitor-session minimum 0 maximum 2 limit-resource monitor-session-erspan-dst minimum 0 maximum 23 limit-resource vrf minimum 2 maximum 1000 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 8 maximum 8 limit-resource u6route-mem minimum 4 maximum 4 limit-resource m4route-mem minimum 8 maximum 8 limit-resource m6route-mem minimum 5 maximum 5 feature privilege feature tacacs+ username admin password 5 <removed> role network-admin username retail password 5 <removed> role network-admin username bart password 5 <removed> role network-admin username emc-ncm password 5 <removed> role network-admin enable secret 5 <removed> banner motd @ WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. @ ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip host RAGG-1 192.168.42.36 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf management ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.42.36/32 20 permit ip 192.168.41.101/32 192.168.42.36/32 30 permit ip 192.168.41.102/32 192.168.42.36/32 40 permit ip 192.168.42.111/32 192.168.42.36/32 50 permit ip 192.168.42.122/32 192.168.42.36/32 60 permit ip 192.168.42.131/32 192.168.42.36/32 70 permit ip 192.168.42.133/32 192.168.42.36/32 80 permit ip 192.168.42.138/32 192.168.42.36/32 90 permit ip 10.19.151.99/32 192.168.42.36/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.42.36/32 20 deny ip any any ip access-list copp-system-acl-bgp 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ipv6 access-list copp-system-acl-bgp6 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ip access-list copp-system-acl-eigrp 10 permit eigrp any any ip access-list copp-system-acl-ftp 10 permit tcp any any eq ftp-data 20 permit tcp any any eq ftp 30 permit tcp any eq ftp-data any 40 permit tcp any eq ftp any ip access-list copp-system-acl-glbp 10 permit udp any eq 3222 224.0.0.0/24 eq 3222 ip access-list copp-system-acl-hsrp 10 permit udp any 224.0.0.0/24 eq 1985 ip access-list copp-system-acl-icmp 10 permit icmp any any echo 20 permit icmp any any echo-reply ipv6 access-list copp-system-acl-icmp6 10 permit icmp any any echo-request 20 permit icmp any any echo-reply ipv6 access-list copp-system-acl-icmp6-msgs 10 permit icmp any any router-advertisement 20 permit icmp any any router-solicitation 30 permit icmp any any nd-na 40 permit icmp any any nd-ns 50 permit icmp any any mld-query 60 permit icmp any any mld-report 70 permit icmp any any mld-reduction ip access-list copp-system-acl-igmp 10 permit igmp any 224.0.0.0/3 ip access-list copp-system-acl-msdp 10 permit tcp any gt 1024 any eq 639 20 permit tcp any eq 639 any gt 1024 ip access-list copp-system-acl-ntp 10 permit udp any any eq ntp 20 permit udp any eq ntp any ipv6 access-list copp-system-acl-ntp6 10 permit udp any any eq ntp 20 permit udp any eq ntp any ip access-list copp-system-acl-ospf 10 permit ospf any any ipv6 access-list copp-system-acl-ospf6 10 permit 89 any any ip access-list copp-system-acl-pim 10 permit pim any 224.0.0.0/24 20 permit udp any any eq pim-auto-rp ip access-list copp-system-acl-pim-reg 10 permit pim any any ipv6 access-list copp-system-acl-pim6 10 permit 103 any ff02::d/128 20 permit udp any any eq pim-auto-rp ip access-list copp-system-acl-radius 10 permit udp any any eq 1812 20 permit udp any any eq 1813 30 permit udp any any eq 1645 40 permit udp any any eq 1646 50 permit udp any eq 1812 any 60 permit udp any eq 1813 any 70 permit udp any eq 1645 any 80 permit udp any eq 1646 any ipv6 access-list copp-system-acl-radius6 10 permit udp any any eq 1812 20 permit udp any any eq 1813 30 permit udp any any eq 1645 40 permit udp any any eq 1646 50 permit udp any eq 1812 any 60 permit udp any eq 1813 any 70 permit udp any eq 1645 any 80 permit udp any eq 1646 any ip access-list copp-system-acl-rip 10 permit udp any 224.0.0.0/24 eq rip ip access-list copp-system-acl-sftp 10 permit tcp any any eq 115 20 permit tcp any eq 115 any ip access-list copp-system-acl-snmp 10 permit udp any any eq snmp 20 permit udp any any eq snmptrap ip access-list copp-system-acl-ssh 10 permit tcp any any eq 22 20 permit tcp any eq 22 any ipv6 access-list copp-system-acl-ssh6 10 permit tcp any any eq 22 20 permit tcp any eq 22 any ip access-list copp-system-acl-tacacs 10 permit tcp any any eq tacacs 20 permit tcp any eq tacacs any ipv6 access-list copp-system-acl-tacacs6 10 permit tcp any any eq tacacs 20 permit tcp any eq tacacs any ip access-list copp-system-acl-telnet 10 permit tcp any any eq telnet 20 permit tcp any any eq 107 30 permit tcp any eq telnet any 40 permit tcp any eq 107 any ipv6 access-list copp-system-acl-telnet6 10 permit tcp any any eq telnet 20 permit tcp any any eq 107 30 permit tcp any eq telnet any 40 permit tcp any eq 107 any ip access-list copp-system-acl-tftp 10 permit udp any any eq tftp 20 permit udp any any eq 1758 30 permit udp any eq tftp any 40 permit udp any eq 1758 any ipv6 access-list copp-system-acl-tftp6 10 permit udp any any eq tftp 20 permit udp any any eq 1758 30 permit udp any eq tftp any 40 permit udp any eq 1758 any ip access-list copp-system-acl-traceroute 10 permit icmp any any ttl-exceeded 20 permit icmp any any port-unreachable ip access-list copp-system-acl-undesirable 10 permit udp any any eq 1434 ip access-list copp-system-acl-vpc 10 permit udp any any eq 3200 ip access-list copp-system-acl-vrrp 10 permit 112 any 224.0.0.0/24 class-map type control-plane match-any copp-system-class-critical match access-group name copp-system-acl-bgp match access-group name copp-system-acl-bgp6 match access-group name copp-system-acl-eigrp match access-group name copp-system-acl-igmp match access-group name copp-system-acl-msdp match access-group name copp-system-acl-ospf match access-group name copp-system-acl-ospf6 match access-group name copp-system-acl-pim match access-group name copp-system-acl-pim6 match access-group name copp-system-acl-rip match access-group name copp-system-acl-vpc class-map type control-plane match-any copp-system-class-exception match exception ip option match exception ip icmp unreachable match exception ipv6 option match exception ipv6 icmp unreachable class-map type control-plane match-any copp-system-class-important match access-group name copp-system-acl-glbp match access-group name copp-system-acl-hsrp match access-group name copp-system-acl-vrrp match access-group name copp-system-acl-icmp6-msgs match access-group name copp-system-acl-pim-reg class-map type control-plane match-any copp-system-class-management match access-group name copp-system-acl-ftp match access-group name copp-system-acl-ntp match access-group name copp-system-acl-ntp6 match access-group name copp-system-acl-radius match access-group name copp-system-acl-sftp match access-group name copp-system-acl-snmp match access-group name copp-system-acl-ssh match access-group name copp-system-acl-ssh6 match access-group name copp-system-acl-tacacs match access-group name copp-system-acl-telnet match access-group name copp-system-acl-tftp match access-group name copp-system-acl-tftp6 match access-group name copp-system-acl-radius6 match access-group name copp-system-acl-tacacs6 match access-group name copp-system-acl-telnet6 class-map type control-plane match-any copp-system-class-monitoring match access-group name copp-system-acl-icmp match access-group name copp-system-acl-icmp6 match access-group name copp-system-acl-traceroute class-map type control-plane match-any copp-system-class-normal match protocol arp class-map type control-plane match-any copp-system-class-redirect match redirect dhcp-snoop match redirect arp-inspect class-map type control-plane match-any copp-system-class-undesirable match access-group name copp-system-acl-undesirable policy-map type control-plane copp-system-policy class copp-system-class-critical police cir 39600 kbps bc 250 ms conform transmit violate drop class copp-system-class-important police cir 1060 kbps bc 1000 ms conform transmit violate drop class copp-system-class-management police cir 10000 kbps bc 250 ms conform transmit violate drop class copp-system-class-normal police cir 680 kbps bc 250 ms conform transmit violate drop class copp-system-class-redirect police cir 280 kbps bc 250 ms conform transmit violate drop class copp-system-class-monitoring police cir 130 kbps bc 1000 ms conform transmit violate drop class copp-system-class-exception police cir 360 kbps bc 250 ms conform transmit violate drop class copp-system-class-undesirable police cir 32 kbps bc 250 ms conform drop violate drop class class-default police cir 100 kbps bc 250 ms conform transmit violate drop control-plane service-policy input copp-system-policy snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey ntp server 192.168.62.161 use-vrf management ntp server 192.168.62.162 use-vrf management aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context management ip route 0.0.0.0/0 192.168.42.1 vlan 1 interface mgmt0 ip address 192.168.42.36/24 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 logout-warning 20 line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-1 boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-1 boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-2 boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-2 logging server 192.168.42.124 6 use-vrf management RAGG-1-VDC1-RUNNING !Command: show running-config !Time: Sun Apr 24 16:50:08 2011 version 5.1(2) hostname vdc1 feature privilege feature tacacs+ cfs eth distribute feature ospf feature pim feature udld feature interface-vlan feature hsrp feature lacp feature glbp feature vpc username admin password 5 <removed> role vdc-admin username retail password 5 <removed> role vdc-admin username emc-ncm password 5 <removed> role vdc-admin username bart password 5 <removed> role vdc-admin enable secret 5 <removed> banner motd @ WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. @ ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip name-server 192.168.42.130 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 source-interface loopback0 ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.1.11/32 20 permit ip 192.168.41.101/32 192.168.1.11/32 30 permit ip 192.168.41.102/32 192.168.1.11/32 40 permit ip 192.168.42.111/32 192.168.1.11/32 50 permit ip 192.168.42.122/32 192.168.1.11/32 60 permit ip 192.168.42.131/32 192.168.1.11/32 70 permit ip 192.168.42.133/32 192.168.1.11/32 80 permit ip 192.168.42.138/32 192.168.1.11/32 90 permit ip 10.19.151.99/32 192.168.1.11/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.1.11/32 20 deny ip any any snmp-server source-interface trap loopback0 snmp-server source-interface inform loopback0 snmp-server user bart vdc-admin auth md5 <removed> priv <removed> localizedkey snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey snmp-server user emc-ncm vdc-admin auth md5 <removed> priv <removed> localizedkey no snmp-server enable traps entity entity_mib_change no snmp-server enable traps entity entity_module_status_change no snmp-server enable traps entity entity_power_status_change no snmp-server enable traps entity entity_module_inserted no snmp-server enable traps entity entity_module_removed no snmp-server enable traps entity entity_unrecognised_module no snmp-server enable traps entity entity_fan_status_change no snmp-server enable traps entity entity_power_out_change no snmp-server enable traps link linkDown no snmp-server enable traps link linkUp no snmp-server enable traps link IETF-extended-linkDown no snmp-server enable traps link IETF-extended-linkUp no snmp-server enable traps link cisco-extended-linkDown no snmp-server enable traps link cisco-extended-linkUp snmp-server enable traps callhome event-notify snmp-server enable traps callhome smtp-send-fail snmp-server enable traps cfs state-change-notif snmp-server enable traps cfs merge-failure no snmp-server enable traps rf redundancy_framework snmp-server enable traps aaa server-state-change no snmp-server enable traps license notify-license-expiry no snmp-server enable traps license notify-no-license-for-feature no snmp-server enable traps license notify-licensefile-missing no snmp-server enable traps license notify-license-expiry-warning snmp-server enable traps hsrp state-change no snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion no snmp-server enable traps upgrade UpgradeJobStatusNotify snmp-server enable traps feature-control FeatureOpStatusChange snmp-server enable traps link cisco-xcvr-mon-status-chg snmp-server enable traps vtp notifs snmp-server enable traps vtp vlancreate snmp-server enable traps vtp vlandelete snmp-server enable traps bridge newroot snmp-server enable traps bridge topologychange snmp-server enable traps stpx inconsistency snmp-server enable traps stpx root-inconsistency snmp-server enable traps stpx loop-inconsistency aaa authentication login default group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context management vlan 1,3,151,161 interface Vlan1 interface Vlan3 no shutdown ip address 192.168.10.61/30 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf dead-interval 3 ip ospf hello-interval 1 ip router ospf 5 area 0.0.0.0 interface Vlan151 no shutdown ip address 192.168.152.3/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf priority 3 ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 10 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.152.1 interface Vlan161 no shutdown ip address 192.168.162.3/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf priority 5 ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 10 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.162.1 interface port-channel99 switchport switchport mode trunk spanning-tree port type network interface Ethernet1/1 description 10Gig LINK to RCORE-1 T2/1 no switchport logging event port link-status no ip redirects ip address 192.168.10.14/30 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf dead-interval 6 ip ospf hello-interval 2 ip ospf network point-to-point ip router ospf 5 area 0.0.0.0 ip pim sparse-mode ip igmp version 3 no shutdown interface Ethernet1/3 description 10Gig LINK to RCORE-2 T2/1 no switchport logging event port link-status no ip redirects ip address 192.168.10.22/30 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf dead-interval 6 ip ospf hello-interval 2 ip ospf network point-to-point ip router ospf 5 area 0.0.0.0 ip pim sparse-mode ip igmp version 3 no shutdown interface Ethernet1/5 description to DC-ASA-1 vc1 T0/6 switchport switchport mode trunk switchport trunk allowed vlan 161 spanning-tree port type normal no shutdown interface Ethernet1/7 description to DC-ASA-1 vc2 T0/8 switchport switchport mode trunk switchport trunk allowed vlan 151 spanning-tree port type normal no shutdown interface Ethernet1/25 no switchport interface Ethernet1/26 no switchport interface Ethernet1/27 no switchport interface Ethernet1/28 no switchport interface Ethernet1/29 description RAGG-2 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet1/30 description RAGG-2 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet1/31 description RAGG-2 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet1/32 description RAGG-2 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet2/1 no switchport interface Ethernet2/2 no switchport interface Ethernet2/3 no switchport interface Ethernet2/4 no switchport interface Ethernet2/5 no switchport interface Ethernet2/6 no switchport interface Ethernet2/7 no switchport interface Ethernet2/8 no switchport interface Ethernet2/9 no switchport interface Ethernet2/10 no switchport interface Ethernet2/11 no switchport interface Ethernet2/12 no switchport interface loopback0 ip address 192.168.1.11/32 ip router ospf 5 area 0.0.0.0 logging server 192.168.42.124 6 logging source-interface loopback 0 logout-warning 20 line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in router ospf 5 router-id 192.168.1.11 area 0.0.0.81 nssa area 0.0.0.0 range 192.168.1.11/32 area 0.0.0.0 range 192.168.10.12/30 area 0.0.0.0 range 192.168.10.20/30 area 0.0.0.0 range 192.168.10.60/30 area 0.0.0.81 range 192.168.152.0/24 area 0.0.0.81 range 192.168.162.0/24 area 0.0.0.0 authentication message-digest area 0.0.0.81 authentication message-digest timers throttle spf 10 100 5000 auto-cost reference-bandwidth 10000 ip pim ssm range 232.0.0.0/8 RAGG-1-VDC2-RUNNING !Command: show running-config !Time: Sun Apr 24 16:50:48 2011 version 5.1(2) hostname vdc2 feature privilege feature tacacs+ cfs eth distribute feature ospf feature pim feature udld feature interface-vlan feature hsrp feature lacp feature vpc username admin password 5 <removed> role vdc-admin username retail password 5 <removed> role vdc-admin username bart password 5 <removed> role vdc-admin username emc-ncm password 5 <removed> role vdc-admin enable secret 5 <removed> banner motd @ WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. @ ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf servers1 source-interface loopback0 ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.1.31/32 20 permit ip 192.168.41.101/32 192.168.1.31/32 30 permit ip 192.168.41.102/32 192.168.1.31/32 40 permit ip 192.168.42.111/32 192.168.1.31/32 50 permit ip 192.168.42.122/32 192.168.1.31/32 60 permit ip 192.168.42.131/32 192.168.1.31/32 70 permit ip 192.168.42.133/32 192.168.1.31/32 80 permit ip 192.168.42.138/32 192.168.1.31/32 90 permit ip 10.19.151.99/32 192.168.1.31/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.1.31/32 20 deny ip any any snmp-server source-interface trap loopback0 snmp-server source-interface inform loopback0 snmp-server user bart vdc-admin auth md5 <removed> priv <removed> localizedkey snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey snmp-server user emc-ncm vdc-admin auth md5 <removed> priv <removed> localizedkey no snmp-server enable traps entity entity_mib_change no snmp-server enable traps entity entity_module_status_change no snmp-server enable traps entity entity_power_status_change no snmp-server enable traps entity entity_module_inserted no snmp-server enable traps entity entity_module_removed no snmp-server enable traps entity entity_unrecognised_module no snmp-server enable traps entity entity_fan_status_change no snmp-server enable traps entity entity_power_out_change no snmp-server enable traps link linkDown no snmp-server enable traps link linkUp no snmp-server enable traps link IETF-extended-linkDown no snmp-server enable traps link IETF-extended-linkUp no snmp-server enable traps link cisco-extended-linkDown no snmp-server enable traps link cisco-extended-linkUp snmp-server enable traps callhome event-notify snmp-server enable traps callhome smtp-send-fail snmp-server enable traps cfs state-change-notif snmp-server enable traps cfs merge-failure no snmp-server enable traps rf redundancy_framework snmp-server enable traps aaa server-state-change no snmp-server enable traps license notify-license-expiry no snmp-server enable traps license notify-no-license-for-feature no snmp-server enable traps license notify-licensefile-missing no snmp-server enable traps license notify-license-expiry-warning snmp-server enable traps hsrp state-change no snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion no snmp-server enable traps upgrade UpgradeJobStatusNotify snmp-server enable traps feature-control FeatureOpStatusChange snmp-server enable traps link cisco-xcvr-mon-status-chg snmp-server enable traps vtp notifs snmp-server enable traps vtp vlancreate snmp-server enable traps vtp vlandelete snmp-server enable traps bridge newroot snmp-server enable traps bridge topologychange snmp-server enable traps stpx inconsistency snmp-server enable traps stpx root-inconsistency snmp-server enable traps stpx loop-inconsistency aaa authentication login default group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context VPC vrf context servers1 ip route 0.0.0.0/0 192.168.162.1 ip route 192.168.41.0/24 192.168.42.135 ip pim ssm range 232.0.0.0/8 vrf context servers2 ip pim ssm range 232.0.0.0/8 vrf context management vlan 1 vlan 36 name DeviceMgmtHigh vlan 37 name DeviceMgmtLow vlan 38 name UIM-OS-INSTALL vlan 40-41 vlan 42 name CoreManagement vlan 43 name WirelessSystems vlan 44 name PhysicalSec vlan 45 name VOICE vlan 52 name POS vlan 151-152,154,161-162,164,180-181 spanning-tree domain 777 spanning-tree vlan 1 priority 4096 ip prefix-list VLAN41 seq 5 permit 192.168.41.0/24 route-map VLAN41 permit 20 match ip address prefix-list VLAN41 vpc domain 99 peer-switch peer-keepalive destination 192.168.10.66 source 192.168.10.65 vrf VPC peer-gateway interface Vlan1 no shutdown no ip redirects interface Vlan36 no shutdown description DeviceMgmtHigh vrf member servers1 no ip redirects ip address 192.168.36.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.36.1 interface Vlan37 no shutdown description DeviceMgmtLow vrf member servers1 no ip redirects ip address 192.168.37.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.37.1 interface Vlan38 no shutdown description UIM OS Install only vrf member servers1 no ip redirects ip address 192.168.38.201/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 interface Vlan40 no shutdown vrf member servers1 no ip redirects ip address 192.168.40.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 120 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.40.1 interface Vlan41 shutdown description SHUTDOWN - NOW ROUTE VIA HyTrust vrf member servers1 no ip redirects ip address 192.168.41.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 120 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.41.1 interface Vlan42 no shutdown vrf member servers1 no ip redirects ip address 192.168.42.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 120 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.42.1 interface Vlan43 no shutdown description Wireless Systems vrf member servers1 no ip redirects ip address 192.168.43.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.43.1 interface Vlan44 no shutdown description Wireless Systems vrf member servers1 no ip redirects ip address 192.168.44.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.44.1 interface Vlan45 no shutdown description VOICE vrf member servers1 no ip redirects ip address 192.168.45.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.45.1 interface Vlan52 no shutdown description POS vrf member servers1 no ip redirects ip address 192.168.52.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.52.1 interface Vlan154 no shutdown vrf member servers2 no ip redirects ip address 192.168.152.5/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.152.7 interface Vlan164 no shutdown vrf member servers1 no ip redirects ip address 192.168.162.5/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 120 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.162.7 interface Vlan180 no shutdown vrf member servers1 no ip redirects ip address 192.168.180.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 120 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.180.1 interface Vlan181 no shutdown vrf member servers2 no ip redirects ip address 192.168.181.3/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.181.1 interface port-channel1 switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 vpc 1 interface port-channel2 switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 vpc 2 interface port-channel3 switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 vpc 3 interface port-channel4 switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 vpc 4 interface port-channel11 switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 spanning-tree port type edge trunk vpc 11 interface port-channel12 switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 spanning-tree port type edge trunk vpc 12 interface port-channel99 switchport switchport mode trunk switchport trunk allowed vlan 36-52 spanning-tree port type network spanning-tree guard loop vpc peer-link interface Ethernet1/2 description F-UCS-1_E2/1 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 channel-group 11 mode active no shutdown interface Ethernet1/4 description F-UCS-1_E2/2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 channel-group 11 mode active no shutdown interface Ethernet1/6 description F-UCS-2_E2/1 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 channel-group 12 mode active no shutdown interface Ethernet1/8 description F-UCS-2_E2/2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 channel-group 12 mode active no shutdown interface Ethernet1/9 description SACCESS-3 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 3 mode active no shutdown interface Ethernet1/10 description SACCESS-3 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 3 mode active no shutdown interface Ethernet1/11 description SACCESS-4 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 4 mode active no shutdown interface Ethernet1/12 description SACCESS-4 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 4 mode active no shutdown interface Ethernet1/13 description SACCESS-1 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 channel-group 1 mode active no shutdown interface Ethernet1/14 description SACCESS-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 channel-group 2 mode active no shutdown interface Ethernet1/15 description to RSERV-1 T2/1 switchport switchport mode trunk switchport trunk allowed vlan 162 spanning-tree port type normal no shutdown interface Ethernet1/16 description to RSERV-1 T2/2 switchport switchport mode trunk switchport trunk allowed vlan 152 spanning-tree port type normal no shutdown interface Ethernet1/17 description to RSERV-1 T2/5 switchport switchport mode trunk switchport trunk allowed vlan 41-44,164 spanning-tree port type normal no shutdown interface Ethernet1/18 description to RSERV-1 T2/6 switchport switchport mode trunk switchport trunk allowed vlan 154 spanning-tree port type normal no shutdown interface Ethernet1/19 description to DC-ASA-1 vc1 T5/1 switchport switchport mode trunk switchport trunk allowed vlan 162 spanning-tree port type normal no shutdown interface Ethernet1/20 description to DC-ASA-1 vc2 T7/1 switchport switchport mode trunk switchport trunk allowed vlan 152 spanning-tree port type normal no shutdown interface Ethernet1/21 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet1/22 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet1/23 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet1/24 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet2/13 description SACCESS-5 switchport switchport mode trunk switchport trunk allowed vlan 36-52 no shutdown interface Ethernet2/14 description linkstate for vpc no switchport vrf member VPC ip address 192.168.10.65/30 no shutdown interface Ethernet2/15 no switchport interface Ethernet2/16 no switchport interface Ethernet2/17 no switchport interface Ethernet2/18 no switchport interface Ethernet2/19 no switchport interface Ethernet2/20 no switchport interface Ethernet2/21 no switchport interface Ethernet2/22 no switchport interface Ethernet2/23 no switchport interface Ethernet2/24 no switchport interface Ethernet2/25 no switchport interface Ethernet2/26 no switchport interface Ethernet2/27 no switchport interface Ethernet2/28 no switchport interface Ethernet2/29 no switchport interface Ethernet2/30 no switchport interface Ethernet2/31 no switchport interface Ethernet2/32 no switchport interface Ethernet2/33 no switchport interface Ethernet2/34 no switchport interface Ethernet2/35 no switchport interface Ethernet2/36 no switchport interface Ethernet2/37 no switchport interface Ethernet2/38 no switchport interface Ethernet2/39 no switchport interface Ethernet2/40 no switchport interface Ethernet2/41 no switchport interface Ethernet2/42 no switchport interface Ethernet2/43 no switchport interface Ethernet2/44 no switchport interface Ethernet2/45 no switchport interface Ethernet2/46 no switchport interface Ethernet2/47 no switchport interface Ethernet2/48 no switchport interface loopback0 vrf member servers1 ip address 192.168.1.31/32 ip router ospf 5 area 0.0.0.81 logging server 192.168.42.124 6 use-vrf servers1 logging source-interface loopback 0 logout-warning 20 line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in router ospf 5 vrf servers1 router-id 4.4.4.1 area 0.0.0.81 nssa redistribute static route-map VLAN41 area 0.0.0.81 range 192.168.0.0/16 area 0.0.0.81 range 192.168.162.0/24 area 0.0.0.81 authentication message-digest timers throttle spf 10 100 5000 vrf servers2 router-id 5.5.5.1 area 0.0.0.81 nssa area 0.0.0.81 range 192.168.0.0/16 area 0.0.0.81 range 192.168.152.0/24 area 0.0.0.81 authentication message-digest timers throttle spf 10 100 5000 ip pim ssm range 232.0.0.0/8 RAGG-2-RUNNING !Command: show running-config !Time: Sun Apr 24 16:52:03 2011 version 5.1(2) hostname RAGG-2 vdc RAGG-2 id 1 limit-resource vlan minimum 16 maximum 4094 limit-resource monitor-session minimum 0 maximum 2 limit-resource monitor-session-erspan-dst minimum 0 maximum 23 limit-resource vrf minimum 2 maximum 1000 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 32 maximum 32 limit-resource u6route-mem minimum 16 maximum 16 limit-resource m4route-mem minimum 48 maximum 48 limit-resource m6route-mem minimum 8 maximum 8 vdc vdc1 id 2 allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/25-32 allocate interface Ethernet2/1-12 boot-order 1 limit-resource vlan minimum 16 maximum 4094 limit-resource monitor-session minimum 0 maximum 2 limit-resource monitor-session-erspan-dst minimum 0 maximum 23 limit-resource vrf minimum 2 maximum 1000 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 8 maximum 8 limit-resource u6route-mem minimum 4 maximum 4 limit-resource m4route-mem minimum 8 maximum 8 limit-resource m6route-mem minimum 5 maximum 5 vdc vdc2 id 3 allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8-24 allocate interface Ethernet2/13-48 boot-order 1 limit-resource vlan minimum 16 maximum 4094 limit-resource monitor-session minimum 0 maximum 2 limit-resource monitor-session-erspan-dst minimum 0 maximum 23 limit-resource vrf minimum 2 maximum 1000 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 8 maximum 8 limit-resource u6route-mem minimum 4 maximum 4 limit-resource m4route-mem minimum 8 maximum 8 limit-resource m6route-mem minimum 5 maximum 5 feature privilege feature tacacs+ username admin password 5 <removed> role network-admin username retail password 5 <removed> role network-admin username bart password 5 <removed> role network-admin username emc-ncm password 5 <removed> role network-admin enable secret 5 <removed> banner motd @ WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. @ ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip host RAGG-2 192.168.42.37 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf management ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.42.37/32 20 permit ip 192.168.41.101/32 192.168.42.37/32 30 permit ip 192.168.41.102/32 192.168.42.37/32 40 permit ip 192.168.42.111/32 192.168.42.37/32 50 permit ip 192.168.42.122/32 192.168.42.37/32 60 permit ip 192.168.42.131/32 192.168.42.37/32 70 permit ip 192.168.42.133/32 192.168.42.37/32 80 permit ip 192.168.42.138/32 192.168.42.37/32 90 permit ip 10.19.151.99/32 192.168.42.37/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.42.37/32 20 deny ip any any ip access-list copp-system-acl-bgp 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ipv6 access-list copp-system-acl-bgp6 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ip access-list copp-system-acl-eigrp 10 permit eigrp any any ip access-list copp-system-acl-ftp 10 permit tcp any any eq ftp-data 20 permit tcp any any eq ftp 30 permit tcp any eq ftp-data any 40 permit tcp any eq ftp any ip access-list copp-system-acl-glbp 10 permit udp any eq 3222 224.0.0.0/24 eq 3222 ip access-list copp-system-acl-hsrp 10 permit udp any 224.0.0.0/24 eq 1985 ip access-list copp-system-acl-icmp 10 permit icmp any any echo 20 permit icmp any any echo-reply ipv6 access-list copp-system-acl-icmp6 10 permit icmp any any echo-request 20 permit icmp any any echo-reply ipv6 access-list copp-system-acl-icmp6-msgs 10 permit icmp any any router-advertisement 20 permit icmp any any router-solicitation 30 permit icmp any any nd-na 40 permit icmp any any nd-ns 50 permit icmp any any mld-query 60 permit icmp any any mld-report 70 permit icmp any any mld-reduction ip access-list copp-system-acl-igmp 10 permit igmp any 224.0.0.0/3 ip access-list copp-system-acl-msdp 10 permit tcp any gt 1024 any eq 639 20 permit tcp any eq 639 any gt 1024 ip access-list copp-system-acl-ntp 10 permit udp any any eq ntp 20 permit udp any eq ntp any ipv6 access-list copp-system-acl-ntp6 10 permit udp any any eq ntp 20 permit udp any eq ntp any ip access-list copp-system-acl-ospf 10 permit ospf any any ipv6 access-list copp-system-acl-ospf6 10 permit 89 any any ip access-list copp-system-acl-pim 10 permit pim any 224.0.0.0/24 20 permit udp any any eq pim-auto-rp ip access-list copp-system-acl-pim-reg 10 permit pim any any ipv6 access-list copp-system-acl-pim6 10 permit 103 any ff02::d/128 20 permit udp any any eq pim-auto-rp ip access-list copp-system-acl-radius 10 permit udp any any eq 1812 20 permit udp any any eq 1813 30 permit udp any any eq 1645 40 permit udp any any eq 1646 50 permit udp any eq 1812 any 60 permit udp any eq 1813 any 70 permit udp any eq 1645 any 80 permit udp any eq 1646 any ipv6 access-list copp-system-acl-radius6 10 permit udp any any eq 1812 20 permit udp any any eq 1813 30 permit udp any any eq 1645 40 permit udp any any eq 1646 50 permit udp any eq 1812 any 60 permit udp any eq 1813 any 70 permit udp any eq 1645 any 80 permit udp any eq 1646 any ip access-list copp-system-acl-rip 10 permit udp any 224.0.0.0/24 eq rip ip access-list copp-system-acl-sftp 10 permit tcp any any eq 115 20 permit tcp any eq 115 any ip access-list copp-system-acl-snmp 10 permit udp any any eq snmp 20 permit udp any any eq snmptrap ip access-list copp-system-acl-ssh 10 permit tcp any any eq 22 20 permit tcp any eq 22 any ipv6 access-list copp-system-acl-ssh6 10 permit tcp any any eq 22 20 permit tcp any eq 22 any ip access-list copp-system-acl-tacacs 10 permit tcp any any eq tacacs 20 permit tcp any eq tacacs any ipv6 access-list copp-system-acl-tacacs6 10 permit tcp any any eq tacacs 20 permit tcp any eq tacacs any ip access-list copp-system-acl-telnet 10 permit tcp any any eq telnet 20 permit tcp any any eq 107 30 permit tcp any eq telnet any 40 permit tcp any eq 107 any ipv6 access-list copp-system-acl-telnet6 10 permit tcp any any eq telnet 20 permit tcp any any eq 107 30 permit tcp any eq telnet any 40 permit tcp any eq 107 any ip access-list copp-system-acl-tftp 10 permit udp any any eq tftp 20 permit udp any any eq 1758 30 permit udp any eq tftp any 40 permit udp any eq 1758 any ipv6 access-list copp-system-acl-tftp6 10 permit udp any any eq tftp 20 permit udp any any eq 1758 30 permit udp any eq tftp any 40 permit udp any eq 1758 any ip access-list copp-system-acl-traceroute 10 permit icmp any any ttl-exceeded 20 permit icmp any any port-unreachable ip access-list copp-system-acl-undesirable 10 permit udp any any eq 1434 ip access-list copp-system-acl-vpc 10 permit udp any any eq 3200 ip access-list copp-system-acl-vrrp 10 permit 112 any 224.0.0.0/24 class-map type control-plane match-any copp-system-class-critical match access-group name copp-system-acl-bgp match access-group name copp-system-acl-bgp6 match access-group name copp-system-acl-eigrp match access-group name copp-system-acl-igmp match access-group name copp-system-acl-msdp match access-group name copp-system-acl-ospf match access-group name copp-system-acl-ospf6 match access-group name copp-system-acl-pim match access-group name copp-system-acl-pim6 match access-group name copp-system-acl-rip match access-group name copp-system-acl-vpc class-map type control-plane match-any copp-system-class-exception match exception ip option match exception ip icmp unreachable match exception ipv6 option match exception ipv6 icmp unreachable class-map type control-plane match-any copp-system-class-important match access-group name copp-system-acl-glbp match access-group name copp-system-acl-hsrp match access-group name copp-system-acl-vrrp match access-group name copp-system-acl-icmp6-msgs match access-group name copp-system-acl-pim-reg class-map type control-plane match-any copp-system-class-management match access-group name copp-system-acl-ftp match access-group name copp-system-acl-ntp match access-group name copp-system-acl-ntp6 match access-group name copp-system-acl-radius match access-group name copp-system-acl-sftp match access-group name copp-system-acl-snmp match access-group name copp-system-acl-ssh match access-group name copp-system-acl-ssh6 match access-group name copp-system-acl-tacacs match access-group name copp-system-acl-telnet match access-group name copp-system-acl-tftp match access-group name copp-system-acl-tftp6 match access-group name copp-system-acl-radius6 match access-group name copp-system-acl-tacacs6 match access-group name copp-system-acl-telnet6 class-map type control-plane match-any copp-system-class-monitoring match access-group name copp-system-acl-icmp match access-group name copp-system-acl-icmp6 match access-group name copp-system-acl-traceroute class-map type control-plane match-any copp-system-class-normal match protocol arp class-map type control-plane match-any copp-system-class-redirect match redirect dhcp-snoop match redirect arp-inspect class-map type control-plane match-any copp-system-class-undesirable match access-group name copp-system-acl-undesirable policy-map type control-plane copp-system-policy class copp-system-class-critical police cir 39600 kbps bc 250 ms conform transmit violate drop class copp-system-class-important police cir 1060 kbps bc 1000 ms conform transmit violate drop class copp-system-class-management police cir 10000 kbps bc 250 ms conform transmit violate drop class copp-system-class-normal police cir 680 kbps bc 250 ms conform transmit violate drop class copp-system-class-redirect police cir 280 kbps bc 250 ms conform transmit violate drop class copp-system-class-monitoring police cir 130 kbps bc 1000 ms conform transmit violate drop class copp-system-class-exception police cir 360 kbps bc 250 ms conform transmit violate drop class copp-system-class-undesirable police cir 32 kbps bc 250 ms conform drop violate drop class class-default police cir 100 kbps bc 250 ms conform transmit violate drop control-plane service-policy input copp-system-policy snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey ntp server 192.168.62.161 use-vrf management ntp server 192.168.62.162 use-vrf management aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context management ip route 0.0.0.0/0 192.168.42.1 vlan 1 interface mgmt0 ip address 192.168.42.37/24 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 logout-warning 20 line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-1 boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-1 boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-2 boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-2 logging server 192.168.42.124 6 use-vrf management RAGG-2-VDC1-RUNNING !Command: show running-config !Time: Sun Apr 24 16:52:35 2011 version 5.1(2) hostname vdc1 feature privilege feature tacacs+ cfs eth distribute feature ospf feature pim feature udld feature interface-vlan feature hsrp feature lacp feature glbp feature vpc username admin password 5 <removed> role vdc-admin username retail password 5 <removed> role vdc-admin username emc-ncm password 5 <removed> role vdc-admin username bart password 5 <removed> role vdc-admin enable secret 5 <removed> banner motd @ WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. @ ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip name-server 192.168.42.130 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 source-interface loopback0 ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.1.12/32 20 permit ip 192.168.41.101/32 192.168.1.12/32 30 permit ip 192.168.41.102/32 192.168.1.12/32 40 permit ip 192.168.42.111/32 192.168.1.12/32 50 permit ip 192.168.42.122/32 192.168.1.12/32 60 permit ip 192.168.42.131/32 192.168.1.12/32 70 permit ip 192.168.42.133/32 192.168.1.12/32 80 permit ip 192.168.42.138/32 192.168.1.12/32 90 permit ip 10.19.151.99/32 192.168.1.12/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.1.12/32 20 deny ip any any snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey aaa authentication login default group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context management vlan 1,3,151,161 interface Vlan1 interface Vlan3 no shutdown ip address 192.168.10.62/30 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf dead-interval 3 ip ospf hello-interval 1 ip router ospf 5 area 0.0.0.0 interface Vlan151 no shutdown ip address 192.168.152.4/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 10 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.152.1 interface Vlan161 no shutdown ip address 192.168.162.4/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 10 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.162.1 interface port-channel99 switchport switchport mode trunk spanning-tree port type network interface Ethernet1/1 description 10Gig LINK to RCORE-1 T2/2 no switchport logging event port link-status no ip redirects ip address 192.168.10.18/30 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf dead-interval 6 ip ospf hello-interval 2 ip ospf network point-to-point ip router ospf 5 area 0.0.0.0 ip pim sparse-mode ip igmp version 3 no shutdown interface Ethernet1/3 description 10Gig LINK to RCORE-2 T2/2 no switchport logging event port link-status no ip redirects ip address 192.168.10.26/30 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip ospf dead-interval 6 ip ospf hello-interval 2 ip ospf network point-to-point ip router ospf 5 area 0.0.0.0 ip pim sparse-mode ip igmp version 3 no shutdown interface Ethernet1/5 description to DC-ASA-2 vc1 T0/6 switchport switchport mode trunk switchport trunk allowed vlan 161 spanning-tree port type normal no shutdown interface Ethernet1/7 description to DC-ASA-2 vc2 T0/8 switchport switchport mode trunk switchport trunk allowed vlan 151 spanning-tree port type normal no shutdown interface Ethernet1/25 no switchport interface Ethernet1/26 no switchport interface Ethernet1/27 no switchport interface Ethernet1/28 no switchport interface Ethernet1/29 description RAGG-1 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet1/30 description RAGG-1 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet1/31 description RAGG-1 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet1/32 description RAGG-1 vPC Channel link switchport switchport mode trunk channel-group 99 mode active no shutdown interface Ethernet2/1 no switchport interface Ethernet2/2 no switchport interface Ethernet2/3 no switchport interface Ethernet2/4 no switchport interface Ethernet2/5 no switchport interface Ethernet2/6 no switchport interface Ethernet2/7 no switchport interface Ethernet2/8 no switchport interface Ethernet2/9 no switchport interface Ethernet2/10 no switchport interface Ethernet2/11 no switchport interface Ethernet2/12 no switchport interface loopback0 ip address 192.168.1.12/32 ip router ospf 5 area 0.0.0.0 logging server 192.168.42.124 6 logging source-interface loopback 0 logout-warning 20 line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in router ospf 5 router-id 192.168.1.12 area 0.0.0.81 nssa area 0.0.0.0 range 192.168.1.12/32 area 0.0.0.0 range 192.168.10.12/30 area 0.0.0.0 range 192.168.10.20/30 area 0.0.0.0 range 192.168.10.60/30 area 0.0.0.81 range 192.168.152.0/24 area 0.0.0.81 range 192.168.162.0/24 area 0.0.0.0 authentication message-digest area 0.0.0.81 authentication message-digest timers throttle spf 10 100 5000 auto-cost reference-bandwidth 10000 ip pim ssm range 232.0.0.0/8 RAGG-2-VDC2-RUNNING !Command: show running-config !Time: Sun Apr 24 16:53:03 2011 version 5.1(2) hostname vdc2 feature privilege feature tacacs+ cfs eth distribute feature ospf feature pim feature udld feature interface-vlan feature hsrp feature lacp feature dhcp feature vpc username admin password 5 <removed> role vdc-admin username retail password 5 <removed> role vdc-admin username bart password 5 <removed> role vdc-admin username emc-ncm password 5 <removed> role vdc-admin enable secret 5 <removed> banner motd @ WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. @ ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf servers1 source-interface loopback0 ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.1.32/32 20 permit ip 192.168.41.101/32 192.168.1.32/32 30 permit ip 192.168.41.102/32 192.168.1.32/32 40 permit ip 192.168.42.111/32 192.168.1.32/32 50 permit ip 192.168.42.122/32 192.168.1.32/32 60 permit ip 192.168.42.131/32 192.168.1.32/32 70 permit ip 192.168.42.133/32 192.168.1.32/32 80 permit ip 192.168.42.138/32 192.168.1.32/32 90 permit ip 10.19.151.99/32 192.168.1.32/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.1.32/32 20 deny ip any any snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey aaa authentication login default group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context VPC vrf context servers1 ip route 0.0.0.0/0 192.168.36.3 ip pim ssm range 232.0.0.0/8 vrf context servers2 ip pim ssm range 232.0.0.0/8 vrf context management vlan 1 vlan 36 name DeviceMgmtHigh vlan 37 name DeviceMgmtLow vlan 38 name UIM-OS-INSTALL vlan 40-41 vlan 42 name CoreManagement vlan 43 name WirelessSystems vlan 44 name PhysicalSec vlan 45 name VOICE vlan 52 name POS vlan 151-152,154,161-162,164,180-181 spanning-tree domain 777 ip prefix-list VLAN41 seq 5 permit 192.168.41.0/24 route-map VLAN41 permit 20 match ip address prefix-list VLAN41 service dhcp ip dhcp relay vpc domain 99 peer-keepalive destination 192.168.10.65 source 192.168.10.66 vrf VPC interface Vlan1 no ip redirects no shutdown interface Vlan36 vrf member servers1 no ip redirects ip address 192.168.36.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.36.1 no shutdown description DeviceMgmtHigh interface Vlan37 vrf member servers1 no ip redirects ip address 192.168.37.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.37.1 no shutdown description DeviceMgmtLow interface Vlan38 vrf member servers1 no ip redirects ip address 192.168.38.202/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 no shutdown description UIM OS Install only interface Vlan40 vrf member servers1 no ip redirects ip address 192.168.40.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.40.1 no shutdown interface Vlan41 vrf member servers1 ip address 192.168.41.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 90 forwarding-threshold lower 1 upper 1 timers 1 3 ip 192.168.41.1 shutdown description SHUTDOWN - NOW ROUTE VIA HyTrust interface Vlan42 vrf member servers1 no ip redirects ip address 192.168.42.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.42.1 no shutdown interface Vlan43 vrf member servers1 no ip redirects ip address 192.168.43.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.43.1 no shutdown description Wireless Systems interface Vlan44 vrf member servers1 no ip redirects ip address 192.168.44.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.44.1 no shutdown description Wireless Systems interface Vlan45 vrf member servers1 no ip redirects ip address 192.168.45.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.45.1 no shutdown description VOICE interface Vlan52 vrf member servers1 no ip redirects ip address 192.168.52.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 105 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.52.1 no shutdown description POS interface Vlan154 vrf member servers2 no ip redirects ip address 192.168.152.6/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 120 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.152.7 no shutdown interface Vlan164 vrf member servers1 no ip redirects ip address 192.168.162.6/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 <removed> ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 2 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.162.7 no shutdown interface Vlan180 vrf member servers1 no ip redirects ip address 192.168.180.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 110 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.180.1 no shutdown interface Vlan181 vrf member servers2 no ip redirects ip address 192.168.181.4/24 ip ospf passive-interface ip router ospf 5 area 0.0.0.81 ip pim sparse-mode ip igmp version 3 hsrp 1 authentication text c1sc0 preempt delay minimum 180 priority 120 forwarding-threshold lower 0 upper 0 timers 1 3 ip 192.168.181.1 no shutdown interface port-channel1 switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 vpc 1 interface port-channel2 switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 vpc 2 interface port-channel3 switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 vpc 3 interface port-channel4 switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 vpc 4 interface port-channel11 switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 spanning-tree port type edge trunk vpc 11 interface port-channel12 switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 spanning-tree port type edge trunk vpc 12 interface port-channel99 switchport switchport mode trunk switchport trunk allowed vlan 36-52 spanning-tree port type network spanning-tree guard loop vpc peer-link interface Ethernet1/2 description F-UCS-1_E2/1 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 channel-group 11 mode active no shutdown interface Ethernet1/4 description F-UCS-1_E2/2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 spanning-tree port type normal channel-group 11 mode active no shutdown interface Ethernet1/6 description F-UCS-2_E2/1 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 channel-group 12 mode active no shutdown interface Ethernet1/8 description F-UCS-2_E2/2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41,45-46 channel-group 12 mode active no shutdown interface Ethernet1/9 description SACCESS-3 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 3 mode active no shutdown interface Ethernet1/10 description SACCESS-3 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 3 mode active no shutdown interface Ethernet1/11 description SACCESS-4 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 4 mode active no shutdown interface Ethernet1/12 description SACCESS-4 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-45,52 channel-group 4 mode active no shutdown interface Ethernet1/13 description SACCESS-1 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 channel-group 1 mode active no shutdown interface Ethernet1/14 description SACCESS-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 38,41-42,44 channel-group 2 mode active no shutdown interface Ethernet1/15 no switchport interface Ethernet1/16 no switchport interface Ethernet1/17 description to RSERV-2 T2/6 switchport switchport mode trunk spanning-tree port type normal no shutdown interface Ethernet1/18 description to RSERV-2 T2/5 switchport switchport mode trunk switchport trunk allowed vlan 42,164 no shutdown interface Ethernet1/19 description to DC-ASA-2 vc1 T5/1 switchport switchport mode trunk switchport trunk allowed vlan 152 spanning-tree port type normal no shutdown interface Ethernet1/20 description to DC-ASA-2 vc2 T7/1 switchport switchport mode trunk switchport trunk allowed vlan 152 spanning-tree port type normal no shutdown interface Ethernet1/21 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet1/22 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet1/23 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet1/24 description RAGG-2 vPC Channel link switchport switchport mode trunk switchport trunk allowed vlan 36-52 udld aggressive channel-group 99 mode active no shutdown interface Ethernet2/13 description SACCESS-5 vPC Channel link switchport switchport mode trunk interface Ethernet2/14 description linkstate for vpc no switchport vrf member VPC ip address 192.168.10.66/30 no shutdown interface Ethernet2/15 no switchport interface Ethernet2/16 no switchport interface Ethernet2/17 no switchport interface Ethernet2/18 no switchport interface Ethernet2/19 no switchport interface Ethernet2/20 no switchport interface Ethernet2/21 no switchport interface Ethernet2/22 no switchport interface Ethernet2/23 no switchport interface Ethernet2/24 no switchport interface Ethernet2/25 no switchport interface Ethernet2/26 no switchport interface Ethernet2/27 no switchport interface Ethernet2/28 no switchport interface Ethernet2/29 no switchport interface Ethernet2/30 no switchport interface Ethernet2/31 no switchport interface Ethernet2/32 no switchport interface Ethernet2/33 no switchport interface Ethernet2/34 no switchport interface Ethernet2/35 no switchport interface Ethernet2/36 no switchport interface Ethernet2/37 no switchport interface Ethernet2/38 no switchport interface Ethernet2/39 no switchport interface Ethernet2/40 no switchport interface Ethernet2/41 no switchport interface Ethernet2/42 no switchport interface Ethernet2/43 no switchport interface Ethernet2/44 no switchport interface Ethernet2/45 no switchport interface Ethernet2/46 no switchport interface Ethernet2/47 no switchport interface Ethernet2/48 no switchport interface loopback0 vrf member servers1 ip address 192.168.1.32/32 ip router ospf 5 area 0.0.0.81 logging server 192.168.42.124 6 use-vrf servers1 logging source-interface loopback 0 logout-warning 20 line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in router ospf 5 vrf servers1 router-id 4.4.4.2 area 0.0.0.81 nssa area 0.0.0.81 range 192.168.0.0/16 area 0.0.0.81 range 192.168.162.0/24 area 0.0.0.81 authentication message-digest timers throttle spf 10 100 5000 vrf servers2 router-id 5.5.5.2 area 0.0.0.81 nssa area 0.0.0.81 range 192.168.0.0/16 area 0.0.0.81 range 192.168.152.0/24 area 0.0.0.81 authentication message-digest timers throttle spf 10 100 5000 ip pim ssm range 232.0.0.0/8 N1KV-1-RUNNING !Command: show running-config !Time: Sat Apr 30 03:02:54 2011 version 4.2(1)SV1(4) no feature telnet feature tacacs+ username admin password 5 <removed> role network-admin username retail password 5 <removed> role network-admin banner motd # WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. # ssh key rsa 2048 ip domain-lookup ip domain-lookup tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf management source-interface mgmt0 aaa group server tacacs+ tacacs hostname N1kv-1 ip access-list 23 10 permit ip 192.168.42.0/24 any 20 permit ip any any 30 deny ip any any ip access-list 88 10 permit ip 192.168.42.0/24 any 20 permit ip any any 30 deny ip any any vem 3 host vmware id 414e3537-3441-3255-5838-34353034544b vem 4 host vmware id 414e3537-3441-3255-5838-34353034544d vem 5 host vmware id 414e3537-3441-3255-5838-333930345046 vem 6 host vmware id 414e3537-3441-3255-5838-34353034544c vem 7 host vmware id 414e3537-3441-3255-5838-333930344e59 vem 8 host vmware id 414e3537-3441-3255-5838-333830333330 vem 9 host vmware id 414e3537-3441-3255-5838-333930345057 vem 10 host vmware id 414e3537-3441-3255-5838-343530345630 vem 11 host vmware id 414e3537-3441-3255-5838-343530345448 vem 12 host vmware id 414e3537-3441-3255-5838-333930345048 snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey ntp server 192.168.62.161 use-vrf management ntp server 192.168.62.162 use-vrf management ntp source 192.168.41.61 aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS vrf context management ip route 0.0.0.0/0 192.168.41.1 vlan 1 vlan 36 name VLAN36 vlan 37 name VLAN37 vlan 38 name VLAN38 vlan 39 name VLAN39 vlan 40 name VLAN40 vlan 41 name VLAN41 vlan 42 name VLAN42 vlan 43 name VLAN43 vlan 44 name VLAN44 vlan 45 name VLAN45 vlan 46 name VLAN46 vlan 52 name VLAN52 vlan 64 name VLAN64 vlan 72 name VLAN72 vlan 80 name VLAN80 vlan 81 name VLAN81 vlan 82 name VLAN82 vlan 83 name VLAN83 port-channel load-balance ethernet source-mac port-profile default max-ports 32 port-profile type vethernet VLAN38 vmware port-group switchport mode access switchport access vlan 38 no shutdown state enabled port-profile type vethernet VLAN36 vmware port-group switchport mode access switchport access vlan 36 no shutdown state enabled port-profile type vethernet VLAN37 vmware port-group switchport mode access switchport access vlan 37 no shutdown state enabled port-profile type vethernet VLAN39 vmware port-group switchport mode access switchport access vlan 39 no shutdown state enabled port-profile type vethernet VLAN40 vmware port-group switchport mode access switchport access vlan 40 no shutdown state enabled port-profile type vethernet VLAN41 vmware port-group switchport mode access switchport access vlan 41 no shutdown system vlan 41 state enabled port-profile type vethernet VLAN42 vmware port-group switchport mode access switchport access vlan 42 no shutdown state enabled port-profile type vethernet VLAN43 vmware port-group switchport mode access switchport access vlan 43 no shutdown state enabled port-profile type vethernet VLAN44 vmware port-group switchport mode access switchport access vlan 44 no shutdown state enabled port-profile type vethernet VLAN45 vmware port-group switchport mode access switchport access vlan 45 no shutdown state enabled port-profile type vethernet VLAN46 vmware port-group switchport mode access switchport access vlan 46 no shutdown state enabled port-profile type vethernet VLAN52 vmware port-group switchport mode access switchport access vlan 52 no shutdown state enabled port-profile type vethernet VLAN64 vmware port-group switchport mode access switchport access vlan 64 no shutdown state enabled port-profile type vethernet VLAN72 vmware port-group switchport mode access switchport access vlan 72 no shutdown state enabled port-profile type vethernet VLAN80 vmware port-group switchport mode access switchport access vlan 80 no shutdown state enabled port-profile type vethernet VLAN81 vmware port-group switchport mode access switchport access vlan 81 no shutdown state enabled port-profile type vethernet VLAN82 vmware port-group switchport mode access switchport access vlan 82 no shutdown state enabled port-profile type vethernet VLAN83 vmware port-group switchport mode access switchport access vlan 83 no shutdown state enabled port-profile type ethernet Unused_Or_Quarantine_Uplink vmware port-group shutdown description Port-group created for Nexus1000V internal usage. Do not use. state enabled port-profile type vethernet Unused_Or_Quarantine_Veth vmware port-group shutdown description Port-group created for Nexus1000V internal usage. Do not use. state enabled port-profile type ethernet sysuplink vmware port-group switchport mode trunk switchport trunk allowed vlan 36-83 no shutdown system vlan 41 state enabled port-profile type vethernet VSG-DADA-HA vmware port-group switchport access vlan 41 no shutdown state enabled port-profile type vethernet Tenant-1 vmware port-group org root/Tenant-1 vn-service ip-address 192.168.52.11 vlan 52 security-profile SecurityProfile-1 switchport mode access switchport access vlan 41 no shutdown state enabled vdc N1kv-1 id 1 limit-resource vlan minimum 16 maximum 2049 limit-resource monitor-session minimum 0 maximum 2 limit-resource vrf minimum 16 maximum 8192 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 32 maximum 32 limit-resource u6route-mem minimum 16 maximum 16 limit-resource m4route-mem minimum 58 maximum 58 limit-resource m6route-mem minimum 8 maximum 8 interface mgmt0 ip address 192.168.41.61/24 interface Vethernet3 inherit port-profile VLAN42 description RSA-Archer,Network Adapter 1 vmware dvport 207 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" vmware vm mac 0050.56BB.001E interface Vethernet5 inherit port-profile VSG-DADA-HA description Nexus1000VSG,Network Adapter 3 vmware dvport 1057 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" vmware vm mac 0050.56BB.0004 interface Vethernet6 inherit port-profile VSG-DADA-HA description Nexus1000VSG,Network Adapter 1 vmware dvport 1056 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" vmware vm mac 0050.56BB.0002 interface Vethernet7 inherit port-profile VLAN52 description POS Terminal,Network Adapter 1 vmware dvport 352 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" vmware vm mac 0050.56BB.0005 interface control0 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 line vty exec-timeout 15 line console exec-timeout 15 boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-1 boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-1 boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-2 boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-2 svs-domain domain id 2 control vlan 41 packet vlan 41 svs mode L2 svs connection vc protocol vmware-vim remote ip address 192.168.41.102 port 80 vmware dvs uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" datacenter-name Retail Lab-CMO connect vnm-policy-agent registration-ip 192.168.41.65 shared-secret ****** policy-agent-image bootflash:/vnmc-vsmpa.1.0.1j.bin log-level logging server 192.168.42.124 7 facility syslog logging timestamp milliseconds VSG-TENANT-1-RUNNING !Command: show running-config !Time: Sat Apr 30 03:09:08 2011 version 4.2(1)VSG1(1) no feature telnet feature tacacs+ username admin password 5 <removed> role network-admin banner motd # WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. # ssh key rsa 2048 ip domain-lookup ip domain-lookup tacacs-server key 7 " <removed> " tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf management source-interface mgmt0 aaa group server tacacs+ tacacs hostname VSG-Tenant-1 no snmp-server protocol enable snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey ntp source 192.168.41.63 aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS vrf context management ip domain-name cisco-irn.com ip name-server 192.168.42.130 ip route 0.0.0.0/0 192.168.41.1 vlan 1 port-channel load-balance ethernet source-mac port-profile default max-ports 32 vdc VSG-Tenant-1 id 1 limit-resource vlan minimum 16 maximum 2049 limit-resource monitor-session minimum 0 maximum 2 limit-resource vrf minimum 16 maximum 8192 limit-resource port-channel minimum 0 maximum 768 limit-resource u4route-mem minimum 32 maximum 32 limit-resource u6route-mem minimum 16 maximum 16 limit-resource m4route-mem minimum 58 maximum 58 limit-resource m6route-mem minimum 8 maximum 8 interface mgmt0 ip address 192.168.41.63/24 interface data0 ip address 192.168.52.11/24 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 line vty exec-timeout 15 line console exec-timeout 15 boot kickstart bootflash:/nexus-1000v-kickstart-mz.VSG1.1.bin sup-1 boot system bootflash:/nexus-1000v-mz.VSG1.1.bin sup-1 boot kickstart bootflash:/nexus-1000v-kickstart-mz.VSG1.1.bin sup-2 boot system bootflash:/nexus-1000v-mz.VSG1.1.bin sup-2 ip access-list match-local-traffic ha-pair id 41 security-profile SecurityProfile-1@root/Tenant-1 policy PolicySet-A@root/Tenant-1 custom-attribute vnsporg "root/tenant-1" security-profile default@root policy default@root custom-attribute vnsporg "root" rule default/default-rule@root action 10 drop rule PolicyA/allow_ICMP@root/Tenant-1 condition 10 dst.net.ip-address eq 192.168.1.1 condition 11 net.protocol eq 1 action 10 log action 11 permit policy default@root rule default/default-rule@root order 2 policy PolicySet-A@root/Tenant-1 rule PolicyA/allow_ICMP@root/Tenant-1 order 101 vnm-policy-agent registration-ip 192.168.41.65 shared-secret ****** policy-agent-image bootflash:/vnmc-vsgpa.1.0.1j.bin log-level logging logfile messages 2 logging server 192.168.42.124 6 facility local0 logging monitor 2 RSERV-1 ! ! Last configuration change at 01:53:06 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:53:07 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers service counters max age 5 ! hostname RSERV-1 ! boot-start-marker boot system flash sup-bootdisk:/s72033-adventerprisek9_wan-mz.122-33.SXJ.bin boot-end-marker ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring svclc module 4 vlan-group 162,163 svclc vlan-group 162 152,162 svclc vlan-group 163 153,163 intrusion-detection module 9 management-port access-vlan 42 intrusion-detection module 9 data-port 1 trunk allowed-vlan 153,154 intrusion-detection module 9 data-port 2 trunk allowed-vlan 163,164 ip wccp 61 ip wccp 62 ! ! ! no ip bootp server ip multicast-routing ip ssh version 2 ip scp server enable no ip domain-lookup ip domain-name cisco-irn.com login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ipv6 mfib hardware-switching replication-mode ingress vtp domain datacenter vtp mode transparent no mls acl tcam share-global mls netflow interface mls cef error action freeze password encryption aes ! crypto pki trustpoint TP-self-signed-1027 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1027 revocation-check none rsakeypair TP-self-signed-1027 ! ! crypto pki certificate chain TP-self-signed-1027 certificate self-signed 01 <removed> quit ! ! ! ! ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys ! spanning-tree mode pvst ! no power enable module 8 diagnostic bootup level minimal access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! redundancy main-cpu auto-sync running-config mode sso ! ! vlan internal allocation policy descending vlan dot1q tag native vlan access-log ratelimit 2000 ! vlan 41 name DeviceManagementHTA ! vlan 42 name DeviceManagement ! vlan 43 name WIRELESS-CONTROL ! vlan 44 name PhysicalSec ! vlan 47 name WAAS_Central_Manager ! vlan 49 name WAAS_DC ! vlan 152 name NorthSide_facing_ASA_Servers2 ! vlan 153 name ACE_to_IDS_Servers2 ! vlan 154 name SouthSide_facing_Servers2 ! vlan 162 name NorthSide_facing_ASA_Servers1 ! vlan 163 name ACE_to_IDS_Servers1 ! vlan 164 name SouthSide_facing_Servers1 ! vlan 803 name RSERV-1_to_RAGG-1-VDC-2 ! vlan 1000 ! ! ! ! ! interface Loopback0 ip address 192.168.1.21 255.255.255.255 ! interface Loopback62 ip address 192.168.62.161 255.255.255.255 ! interface GigabitEthernet1/1 no ip address shutdown ! interface GigabitEthernet1/2 no ip address shutdown ! interface GigabitEthernet1/3 no ip address shutdown ! interface GigabitEthernet1/4 no ip address shutdown ! interface GigabitEthernet1/5 no ip address shutdown ! interface GigabitEthernet1/6 no ip address shutdown ! interface GigabitEthernet1/7 no ip address shutdown ! interface GigabitEthernet1/8 no ip address shutdown ! interface GigabitEthernet1/9 no ip address shutdown ! interface GigabitEthernet1/10 no ip address shutdown ! interface GigabitEthernet1/11 no ip address shutdown ! interface GigabitEthernet1/12 no ip address shutdown ! interface GigabitEthernet1/13 no ip address shutdown ! interface GigabitEthernet1/14 no ip address shutdown ! interface GigabitEthernet1/15 no ip address shutdown ! interface GigabitEthernet1/16 no ip address shutdown ! interface TenGigabitEthernet2/1 description to RAGG-1 vdc2 T1/15 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 162 switchport mode trunk ! interface TenGigabitEthernet2/2 description to RAGG-1 vdc2 T1/16 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 152 switchport mode trunk ! interface TenGigabitEthernet2/3 no ip address shutdown ! interface TenGigabitEthernet2/4 no ip address shutdown ! interface TenGigabitEthernet2/5 description to RAGG-1 vdc2 T1/17 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 41-44,164,803 switchport mode trunk ! interface TenGigabitEthernet2/6 description to RAGG-1 vdc2 T1/18 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 154 switchport mode trunk ! interface TenGigabitEthernet2/7 no ip address shutdown ! interface TenGigabitEthernet2/8 no ip address shutdown ! interface GigabitEthernet5/1 no ip address shutdown ! interface GigabitEthernet5/2 no ip address shutdown ! interface GigabitEthernet6/1 no ip address shutdown ! interface GigabitEthernet6/2 no ip address shutdown ! interface GigabitEthernet7/1 no ip address shutdown ! interface GigabitEthernet7/2 no ip address shutdown ! interface GigabitEthernet7/3 no ip address ! interface GigabitEthernet7/4 no ip address ! interface GigabitEthernet7/5 no ip address ! interface GigabitEthernet7/6 no ip address ! interface GigabitEthernet7/7 no ip address ! interface GigabitEthernet7/8 no ip address ! interface GigabitEthernet7/9 no ip address ! interface GigabitEthernet7/10 no ip address ! interface GigabitEthernet7/11 no ip address ! interface GigabitEthernet7/12 no ip address ! interface GigabitEthernet7/13 no ip address ! interface GigabitEthernet7/14 no ip address ! interface GigabitEthernet7/15 no ip address ! interface GigabitEthernet7/16 no ip address ! interface GigabitEthernet7/17 description WAAS Central Manager switchport switchport access vlan 47 switchport mode access ! interface GigabitEthernet7/18 no ip address ! interface GigabitEthernet7/19 no ip address ! interface GigabitEthernet7/20 no ip address ! interface GigabitEthernet7/21 description AW-DC-1_G1 switchport switchport access vlan 43 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/22 description AW-DC-2_G1 switchport switchport access vlan 43 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/23 description MDS Management PAME-DC-1 switchport switchport access vlan 44 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/24 description MDS Management MDS-DC-1_M0 switchport switchport access vlan 41 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/25 description MDS Management MDS-DC-2_M0 switchport switchport access vlan 41 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/26 no ip address ! interface GigabitEthernet7/27 description ASA-WAN-1_M0 switchport switchport access vlan 42 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/28 no ip address ! interface GigabitEthernet7/29 description MSE-DC-1_G1 switchport switchport access vlan 43 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/30 description MSE-DC-2_G1 switchport switchport access vlan 43 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/31 no ip address ! interface GigabitEthernet7/32 no ip address ! interface GigabitEthernet7/33 description RSA enVision switchport switchport access vlan 42 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/34 no ip address ! interface GigabitEthernet7/35 description WAE-DC-1 switchport switchport access vlan 49 switchport mode access ! interface GigabitEthernet7/36 no ip address ! interface GigabitEthernet7/37 no ip address ! interface GigabitEthernet7/38 no ip address ! interface GigabitEthernet7/39 no ip address ! interface GigabitEthernet7/40 no ip address ! interface GigabitEthernet7/41 no ip address ! interface GigabitEthernet7/42 no ip address ! interface GigabitEthernet7/43 no ip address ! interface GigabitEthernet7/44 no ip address ! interface GigabitEthernet7/45 description hard crossover bridge no ip address shutdown ! interface GigabitEthernet7/46 no ip address ! interface GigabitEthernet7/47 no ip address shutdown ! interface GigabitEthernet7/48 no ip address shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan803 description South Side facing Servers1 ip address 192.168.130.10 255.255.255.252 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf priority 0 ! router ospf 5 router-id 192.168.1.21 log-adjacency-changes area 81 authentication message-digest area 81 nssa area 81 range 192.168.0.0 255.255.0.0 timers throttle spf 10 100 5000 passive-interface default no passive-interface Vlan803 network 192.168.0.0 0.0.255.255 area 81 ! ip classless no ip forward-protocol nd ! ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Loopback0 ! logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps hsrp snmp-server enable traps MAC-Notification change move threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps errdisable snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! ! control-plane ! ! dial-peer cor custom ! ! ! banner exec C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ! ntp source Loopback0 ntp master 5 ntp update-calendar ntp server 171.68.10.150 ntp server 171.68.10.80 prefer mac-address-table aging-time 480 ! end RSERV-2 ! ! Last configuration change at 01:50:12 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:50:13 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers service counters max age 5 ! hostname RSERV-2 ! boot-start-marker boot-end-marker ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring svclc module 4 vlan-group 162,163 svclc vlan-group 162 152,162 svclc vlan-group 163 153,163 intrusion-detection module 9 management-port access-vlan 42 intrusion-detection module 9 data-port 1 trunk allowed-vlan 153,154 intrusion-detection module 9 data-port 2 trunk allowed-vlan 163,164 ip wccp 61 ip wccp 62 ! ! ! no ip bootp server ip multicast-routing ip ssh version 2 ip scp server enable ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ipv6 mfib hardware-switching replication-mode ingress vtp domain CiscoRetail vtp mode transparent no mls acl tcam share-global mls netflow interface mls cef error action freeze password encryption aes ! crypto pki trustpoint TP-self-signed-1027 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1027 revocation-check none rsakeypair TP-self-signed-1027 ! ! crypto pki certificate chain TP-self-signed-1027 certificate self-signed 01 30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030 2B312930 27060355 04031320 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31303237 301E170D 31313034 32313030 30353139 5A170D32 30303130 31303030 3030305A 302B3129 30270603 55040313 20494F53 2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D313032 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100A365 80CA486A 1FCC3F72 4B6DDFE1 AA57CE0A 4726554C B0D6B6F3 BC9F3F3A 84AAD96D 0C8D4E07 3E5C42FD 2AB0BA8A 1E5E28AE BDA4FE3A F1A425A6 2D2F09E0 3DC30109 F4561A9B EADC4896 87FD5133 4FEAFA2F C214CB35 11B7AEB6 F0C3DE4F 4453DA89 6177A6D3 9FDA59BA EE11414E 008C40A8 FF768B0D 0CE97204 82FB71C6 10C30203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603 551D1104 19301782 15525345 52562D32 2E636973 636F2D69 726E2E63 6F6D301F 0603551D 23041830 16801425 E9402754 9D8FF072 B2B9284C D1157536 23A79C30 1D060355 1D0E0416 041425E9 4027549D 8FF072B2 B9284CD1 15753623 A79C300D 06092A86 4886F70D 01010405 00038181 003EACB3 84C4E98F 65FE3BE2 F4984B3D 908DCF32 E89B4217 6F3444EB E844C491 A50B817E 508BE874 E4C1FE1E 9A92EDC5 8566CC69 AB760674 E802086B DDD7DF6A 3964355C 0F88B1AB 52E69373 D25A2877 3379ECAF A8D3DAE8 239C2708 8B1C24DF 4210091C 8C3DF041 7B10147C E399480E 6A7D00DD 64D8AD86 528815E4 7FAECE3C 2B quit ! ! ! ! ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys ! spanning-tree mode pvst ! no power enable module 8 diagnostic bootup level minimal access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! redundancy main-cpu auto-sync running-config mode sso ! ! vlan internal allocation policy descending vlan dot1q tag native vlan access-log ratelimit 2000 ! vlan 41 name DeviceManagementHTA ! vlan 42 name DeviceManagement ! vlan 43 name WIRELESS-CONTROL ! vlan 44 name PhysicalSec ! vlan 47 name WAAS_Central_Manager ! vlan 49 name WAAS_DC ! vlan 152 name NorthSide_facing_ASA_Servers2 ! vlan 153 name ACE_to_IDS_Servers2 ! vlan 154 name SouthSide_facing_Servers2 ! vlan 162 name NorthSide_facing_ASA_Servers1 ! vlan 163 name ACE_to_IDS_Servers1 ! vlan 164 name SouthSide_facing_Servers1 ! vlan 804 name RSERV-2_to_RAGG-2-VDC-2 ! vlan 1000 ! ! ! ! ! interface Loopback0 ip address 192.168.1.22 255.255.255.255 ! interface Loopback62 ip address 192.168.62.162 255.255.255.255 ! interface GigabitEthernet1/1 no ip address shutdown ! interface GigabitEthernet1/2 no ip address shutdown ! interface GigabitEthernet1/3 no ip address shutdown ! interface GigabitEthernet1/4 no ip address shutdown ! interface GigabitEthernet1/5 no ip address shutdown ! interface GigabitEthernet1/6 no ip address shutdown ! interface GigabitEthernet1/7 no ip address shutdown ! interface GigabitEthernet1/8 no ip address shutdown ! interface GigabitEthernet1/9 no ip address shutdown ! interface GigabitEthernet1/10 no ip address shutdown ! interface GigabitEthernet1/11 no ip address shutdown ! interface GigabitEthernet1/12 no ip address shutdown ! interface GigabitEthernet1/13 no ip address shutdown ! interface GigabitEthernet1/14 no ip address shutdown ! interface GigabitEthernet1/15 no ip address shutdown ! interface GigabitEthernet1/16 no ip address shutdown ! interface TenGigabitEthernet2/1 description to RAGG-2 vdc2 T1/15 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 162 switchport mode trunk ! interface TenGigabitEthernet2/2 description to RAGG-2 vdc2 T1/16 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 152 switchport mode trunk ! interface TenGigabitEthernet2/3 no ip address shutdown ! interface TenGigabitEthernet2/4 no ip address shutdown ! interface TenGigabitEthernet2/5 description to RAGG-2 vdc2 T1/18 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 41-44,164,804 switchport mode trunk ! interface TenGigabitEthernet2/6 description to RAGG-2 vdc2 T1/17 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 154 switchport mode trunk ! interface TenGigabitEthernet2/7 no ip address shutdown ! interface TenGigabitEthernet2/8 no ip address shutdown ! interface GigabitEthernet5/1 no ip address shutdown ! interface GigabitEthernet5/2 no ip address shutdown ! interface GigabitEthernet6/1 no ip address shutdown ! interface GigabitEthernet6/2 no ip address shutdown ! interface GigabitEthernet7/1 switchport switchport access vlan 42 ! interface GigabitEthernet7/2 no ip address ! interface GigabitEthernet7/3 no ip address ! interface GigabitEthernet7/4 no ip address ! interface GigabitEthernet7/5 description WAE-DC-2 switchport switchport access vlan 48 switchport mode access ! interface GigabitEthernet7/6 no ip address ! interface GigabitEthernet7/7 no ip address ! interface GigabitEthernet7/8 no ip address ! interface GigabitEthernet7/9 no ip address ! interface GigabitEthernet7/10 no ip address ! interface GigabitEthernet7/11 no ip address ! interface GigabitEthernet7/12 no ip address ! interface GigabitEthernet7/13 no ip address ! interface GigabitEthernet7/14 no ip address ! interface GigabitEthernet7/15 no ip address ! interface GigabitEthernet7/16 no ip address ! interface GigabitEthernet7/17 no ip address ! interface GigabitEthernet7/18 no ip address ! interface GigabitEthernet7/19 no ip address ! interface GigabitEthernet7/20 no ip address ! interface GigabitEthernet7/21 no ip address ! interface GigabitEthernet7/22 no ip address ! interface GigabitEthernet7/23 description PAME-DC-1 switchport switchport access vlan 44 switchport mode access ! interface GigabitEthernet7/24 no ip address ! interface GigabitEthernet7/25 no ip address ! interface GigabitEthernet7/26 no ip address ! interface GigabitEthernet7/27 description ASA-WAN-2_M0 switchport switchport access vlan 42 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet7/28 no ip address ! interface GigabitEthernet7/29 no ip address ! interface GigabitEthernet7/30 no ip address ! interface GigabitEthernet7/31 no ip address ! interface GigabitEthernet7/32 no ip address ! interface GigabitEthernet7/33 no ip address ! interface GigabitEthernet7/34 no ip address ! interface GigabitEthernet7/35 no ip address ! interface GigabitEthernet7/36 no ip address ! interface GigabitEthernet7/37 no ip address ! interface GigabitEthernet7/38 no ip address ! interface GigabitEthernet7/39 no ip address ! interface GigabitEthernet7/40 no ip address ! interface GigabitEthernet7/41 no ip address ! interface GigabitEthernet7/42 no ip address ! interface GigabitEthernet7/43 no ip address ! interface GigabitEthernet7/44 no ip address ! interface GigabitEthernet7/45 no ip address ! interface GigabitEthernet7/46 no ip address ! interface GigabitEthernet7/47 no ip address ! interface GigabitEthernet7/48 no ip address ! interface Vlan1 no ip address shutdown ! interface Vlan42 ip address 192.168.42.47 255.255.255.0 ! interface Vlan804 description South Side facing Servers1 ip address 192.168.130.14 255.255.255.252 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 <removed> ip ospf priority 0 ! router ospf 5 router-id 192.168.1.22 log-adjacency-changes area 81 authentication message-digest area 81 nssa area 81 range 192.168.0.0 255.255.0.0 timers throttle spf 10 100 5000 passive-interface default no passive-interface Vlan804 network 192.168.0.0 0.0.255.255 area 81 ! ip classless no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.42.1 255 name backup_default ! ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Loopback0 ! logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps hsrp snmp-server enable traps MAC-Notification change move threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps errdisable snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! ! control-plane ! ! dial-peer cor custom ! ! ! banner exec C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ! ntp source Loopback0 ntp master 5 ntp update-calendar ntp server 171.68.10.150 ntp server 171.68.10.80 prefer mac-address-table aging-time 480 ! end Access SACCESS-1 ! ! Last configuration change at 01:58:36 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:58:36 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime localtime show-timezone service password-encryption service compress-config service sequence-numbers ! hostname SACCESS-1 ! boot-start-marker boot-end-marker ! logging snmp-authfail logging buffered 51200 debugging enable secret 5 <removed> ! username emc-ncm privilege 15 secret 5 <removed> username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring ip subnet-zero ip domain-name cisco-irn.com ip name-server 192.168.42.130 ! no ip bootp server ip ssh version 2 ip scp server enable login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log vtp mode transparent ! password encryption aes ! crypto pki trustpoint TP-self-signed-112603 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-112603 revocation-check none rsakeypair TP-self-signed-112603 ! ! crypto pki certificate chain TP-self-signed-112603 certificate self-signed 01 <removed> quit ! ! power redundancy-mode redundant archive log config logging enable hidekeys no file verify auto spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 20,41-43 ! vlan 44 name PhysicalSec ! vlan 45-50,52,62 ! vlan 64 name Databases ! vlan 72,146,164,256,666,1000 ! interface Loopback0 no ip address ! interface Port-channel1 description to Aggregation Switches switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 38,41,42,44 switchport mode trunk logging event link-status flowcontrol receive on ! interface GigabitEthernet1/1 description SRV-DC-1 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/2 description SRV-DC-2 switchport trunk encapsulation dot1q switchport trunk native vlan 41 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/3 description SRV-DC-3 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/4 description SRV-DC-4 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/5 description SRV-DC-5 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/6 description SRV-DC-6=CUAE switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/7 description SRV-DC-7=CCM511 switchport access vlan 45 spanning-tree portfast ! interface GigabitEthernet1/8 description SRV-DC-8 - Oracle RDBMS 10g switchport access vlan 64 switchport trunk encapsulation dot1q switchport trunk native vlan 64 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/9 description MSP-DC-1 switchport access vlan 44 switchport trunk encapsulation dot1q switchport mode access spanning-tree portfast ! interface GigabitEthernet1/10 description SRV-DC-10 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/11 description SRV-DC-11 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/12 description SRV-DC-12 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/13 description SRV-DC-13 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/14 description SRV-DC-14 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/15 description SRV-DC-15 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/16 description SRV-DC-16 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/17 description SRV-DC-17 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/18 description SRV-DC-18 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/19 description SRV-DC-19 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/20 description SRV-DC-20 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/21 description SRV-DC-21 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/22 description SRV-DC-22 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/23 description SRV-DC-23 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/24 description SRV-DC-24 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/25 description SRV-DC-25 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/26 description server 14 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/27 description server 15 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/28 description server 16 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/29 description server 18 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/30 description server 19 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/31 description server 20 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/32 description server 21 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/33 description VXML Rouer VEM switchport access vlan 45 spanning-tree portfast ! interface GigabitEthernet1/34 description SPAN to SRV-DC-28-NICE VoiceRecorder switchport trunk encapsulation dot1q spanning-tree portfast ! interface GigabitEthernet1/35 description Small store 1800 server e1 switchport access vlan 42 switchport trunk encapsulation dot1q spanning-tree portfast ! interface GigabitEthernet1/36 description small store 1800 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/37 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/38 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/39 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/40 description IPcelerate Server switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/41 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/42 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/43 description EMC SAN Mgt-A switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/44 description PRomise SAN M1 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/45 switchport access vlan 42 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/46 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/47 description Uplink to RSERV-1 Management G7/1 switchport access vlan 42 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/48 description Uplink to RSERV-2 Management G7/1 switchport access vlan 42 switchport mode access spanning-tree portfast ! interface TenGigabitEthernet1/49 description Uplink to RAGG-1-VDC2 T1/13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 38,41,42,44 switchport mode trunk channel-group 1 mode active spanning-tree portfast trunk ! interface TenGigabitEthernet1/50 description Uplink to RAGG-2-VDC2 T1/13 switchport trunk encapsulation dot1q switchport trunk allowed vlan 38,41,42,44 switchport mode trunk channel-group 1 mode active spanning-tree portfast trunk ! interface Vlan1 no ip address ! interface Vlan42 ip address 192.168.42.33 255.255.255.0 ! no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.42.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ip tacacs source-interface Vlan42 ! ! logging source-interface Vlan42 logging 192.168.42.121 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan42 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps entity snmp-server enable traps flash insertion removal snmp-server enable traps cpu threshold snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps hsrp snmp-server enable traps mac-notification change move threshold snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 no tacacs-server directed-request tacacs-server key 7 <removed> radius-server source-ports 1645-1646 ! control-plane ! banner exec WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ! monitor session 1 source interface Gi1/33 monitor session 1 destination interface Gi1/34 ntp clock-period 17181001 ntp server 192.168.0.1 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end SACCESS-2 ! ! Last configuration change at 01:59:33 PST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:59:33 PST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service compress-config service sequence-numbers ! hostname SACCESS-2 ! boot-start-marker boot-end-marker ! logging buffered 51200 debugging enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! aaa new-model aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! aaa session-id common clock timezone PST -8 clock summer-time PST recurring vtp mode transparent ip subnet-zero ip domain-name cisco-irn.com ip name-server 192.168.42.130 ! no ip bootp server ip ssh version 2 ip scp server enable login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! ! no file verify auto spanning-tree mode pvst spanning-tree extend system-id power redundancy-mode redundant ! ! ! vlan internal allocation policy ascending ! vlan 20,40-43 ! vlan 44 name PhysicalSec ! vlan 45-49,52,62,64,72,146,164,256,666,1000 ! interface Port-channel2 description to Aggregation Switches switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 38,41,42,44 switchport mode trunk logging event link-status flowcontrol receive on ! interface GigabitEthernet1/1 description SRV-DC-1 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/2 description SRV-DC-2 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/3 description SRV-DC-3 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/4 description SRV-DC-4 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/5 description SRV-DC-5 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/6 description SRV-DC-6=CUAE switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/7 description SRV-DC-7=CCM511 switchport access vlan 45 spanning-tree portfast ! interface GigabitEthernet1/8 description SRV-DC-8 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/9 description MSP-DC-1 switchport access vlan 44 switchport trunk encapsulation dot1q switchport mode access spanning-tree portfast ! interface GigabitEthernet1/10 description SRV-DC-10 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/11 description SRV-DC-11 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/12 description SRV-DC-12 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/13 description SRV-DC-13 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/14 description SRV-DC-14 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/15 description SRV-DC-15 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/16 description SRV-DC-16 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/17 description SRV-DC-17 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/18 description SRV-DC-18 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/19 description SRV-DC-19 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/20 description SRV-DC-20 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/21 description SRV-DC-21 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/22 description SRV-DC-22 switchport trunk encapsulation dot1q switchport trunk native vlan 4094 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/23 description SRV-DC-23 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/24 description SRV-DC-24 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/25 description SRV-DC-25 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/26 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/27 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/28 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/29 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/30 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/31 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/32 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/33 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/34 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/35 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/36 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/37 switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/38 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/39 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/40 description IPcelerate Server switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/41 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/42 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/43 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/44 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/45 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk spanning-tree portfast trunk ! interface GigabitEthernet1/46 switchport access vlan 42 switchport trunk encapsulation dot1q switchport trunk native vlan 42 switchport mode trunk shutdown spanning-tree portfast trunk ! interface GigabitEthernet1/47 description TEMP Uplink to RSERV-1 Management G7/2 switchport access vlan 42 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/48 description TEMP Uplink to RSERV-2 Management G7/2 switchport access vlan 42 switchport mode access spanning-tree portfast ! interface TenGigabitEthernet1/49 description Uplink to RAGG-1-VDC2 T1/14 switchport trunk encapsulation dot1q switchport trunk allowed vlan 38,41,42,44 switchport mode trunk spanning-tree portfast trunk channel-group 2 mode active ! interface TenGigabitEthernet1/50 description Uplink to RAGG-2-VDC2 T1/14 switchport trunk encapsulation dot1q switchport trunk allowed vlan 38,41,42,44 switchport mode trunk spanning-tree portfast trunk channel-group 2 mode active ! interface Vlan1 no ip address ! interface Vlan42 ip address 192.168.42.34 255.255.255.0 ! no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.42.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan42 ! ! ! logging trap debugging logging source-interface Vlan42 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan42 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps port-security snmp-server enable traps config snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps flash insertion removal snmp-server enable traps syslog snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps hsrp snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> radius-server source-ports 1645-1646 banner exec WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 17181029 ntp source Vlan42 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer ! end SACCESS-3 !Command: show running-config !Time: Sat Apr 30 01:56:18 2011 version 5.0(3)N1(1b) feature fcoe feature privilege no feature telnet no telnet server enable feature tacacs+ cfs eth distribute feature lacp feature vpc feature lldp feature fex username admin password 5 <removed> role network-admin username retail password 5 <removed> role network-admin username bart password 5 <removed> role network-admin username emc-ncm password 5 <removed> role network-admin enable secret 5 <removed> banner motd # WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. # ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip host SACCESS-3 192.168.41.33 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf management source-interface mgmt0 hostname SACCESS-3 ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.41.33/32 20 permit ip 192.168.41.101/32 192.168.41.33/32 30 permit ip 192.168.41.102/32 192.168.41.33/32 40 permit ip 192.168.42.111/32 192.168.41.33/32 50 permit ip 192.168.42.122/32 192.168.41.33/32 60 permit ip 192.168.42.131/32 192.168.41.33/32 70 permit ip 192.168.42.133/32 192.168.41.33/32 80 permit ip 192.168.42.138/32 192.168.41.33/32 90 permit ip 10.19.151.99/32 192.168.41.33/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.41.33/32 20 deny ip any any class-map type qos class-fcoe class-map type queuing class-all-flood match qos-group 2 class-map type queuing class-ip-multicast match qos-group 2 class-map type network-qos class-all-flood match qos-group 2 class-map type network-qos class-ip-multicast match qos-group 2 snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey snmp-server host 192.168.41.101 traps version 2c public udp-port 2162 no snmp-server enable traps entity entity_mib_change no snmp-server enable traps entity entity_module_status_change no snmp-server enable traps entity entity_power_status_change no snmp-server enable traps entity entity_module_inserted no snmp-server enable traps entity entity_module_removed no snmp-server enable traps entity entity_unrecognised_module no snmp-server enable traps entity entity_fan_status_change no snmp-server enable traps rf redundancy_framework snmp-server enable traps entity fru ntp server 192.168.62.161 use-vrf management ntp server 192.168.62.162 use-vrf management aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context management ip route 0.0.0.0/0 192.168.41.1 vlan 1 vlan 36 name DeviceMgmtHigh vlan 37 name DeviceMgmtLow vlan 38 name HyTrust vlan 40 name Server_iLO vlan 41 name ESX_Server vlan 42 name CoreManagement vlan 43 name WirelessSystems vlan 45 vlan 52 name POS vlan 80-82,140-141 vlan 302 fcoe vsan 2 vsan database vsan 2 name "Promise-2" fcdomain fcid database vsan 2 wwn 21:00:00:1b:32:00:ab:0d fcid 0xee0000 area dynamic vsan 2 wwn 21:00:00:1b:32:00:70:0d fcid 0xee0100 area dynamic vsan 2 wwn 21:00:00:1b:32:00:33:0c fcid 0xee0200 area dynamic vsan 2 wwn 21:00:00:1b:32:00:5d:0d fcid 0xee0300 area dynamic vsan 2 wwn 21:00:00:1b:32:80:0b:10 fcid 0xee0400 area dynamic vsan 2 wwn 21:00:00:1b:32:80:52:10 fcid 0xee0500 area dynamic vsan 2 wwn 21:00:00:1b:32:80:da:0f fcid 0xee0600 area dynamic vsan 2 wwn 21:00:00:1b:32:00:3a:0c fcid 0xee0700 area dynamic vsan 2 wwn 21:00:00:1b:32:80:f1:0f fcid 0xee0800 area dynamic vsan 1 wwn 26:01:00:01:55:35:7e:44 fcid 0xee0000 dynamic vsan 2 wwn 21:00:00:1b:32:00:5e:0d fcid 0xee0900 area dynamic interface port-channel3 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 interface vfc513 bind interface Ethernet1/13 no shutdown interface vfc514 bind interface Ethernet1/14 no shutdown interface vfc515 bind interface Ethernet1/15 no shutdown interface vfc516 bind interface Ethernet1/16 no shutdown interface vfc517 bind interface Ethernet1/17 no shutdown interface vfc518 bind interface Ethernet1/18 no shutdown interface vfc519 bind interface Ethernet1/19 no shutdown interface vfc520 bind interface Ethernet1/20 no shutdown interface vfc521 bind interface Ethernet1/21 no shutdown interface vfc522 bind interface Ethernet1/22 no shutdown interface vfc523 bind interface Ethernet1/23 no shutdown interface vfc524 bind interface Ethernet1/24 no shutdown interface vfc525 bind interface Ethernet1/25 no shutdown interface vfc526 bind interface Ethernet1/26 no shutdown interface vfc527 bind interface Ethernet1/27 no shutdown interface vfc528 bind interface Ethernet1/28 no shutdown interface vfc529 bind interface Ethernet1/29 no shutdown interface vfc530 bind interface Ethernet1/30 no shutdown interface vfc531 bind interface Ethernet1/31 no shutdown interface vfc532 bind interface Ethernet1/32 no shutdown interface vfc505 bind interface Ethernet1/5 no shutdown interface vfc506 bind interface Ethernet1/6 no shutdown interface vfc507 bind interface Ethernet1/7 no shutdown interface vfc508 bind interface Ethernet1/8 no shutdown interface vfc509 bind interface Ethernet1/9 no shutdown interface vfc510 bind interface Ethernet1/10 no shutdown interface vfc511 bind interface Ethernet1/11 no shutdown interface vfc512 bind interface Ethernet1/12 no shutdown vsan database vsan 2 interface vfc513 vsan 2 interface vfc514 vsan 2 interface vfc515 vsan 2 interface vfc516 vsan 2 interface vfc517 vsan 2 interface vfc518 vsan 2 interface vfc519 vsan 2 interface vfc520 vsan 2 interface vfc521 vsan 2 interface vfc522 vsan 2 interface vfc523 vsan 2 interface vfc524 vsan 2 interface vfc525 vsan 2 interface vfc526 vsan 2 interface vfc527 vsan 2 interface vfc528 vsan 2 interface vfc529 vsan 2 interface vfc530 vsan 2 interface vfc531 vsan 2 interface vfc532 vsan 4094 interface vfc505 vsan 4094 interface vfc506 vsan 4094 interface vfc507 vsan 4094 interface vfc508 vsan 4094 interface vfc509 vsan 4094 interface vfc510 vsan 2 interface vfc511 vsan 2 interface vfc512 vsan 2 interface fc2/1 vsan 2 interface fc2/2 vsan 2 interface fc2/3 vsan 2 interface fc2/4 vsan 2 interface fc3/1 vsan 2 interface fc3/2 vsan 2 interface fc3/3 vsan 2 interface fc3/4 interface fc2/1 switchport description Connection to MDS-DC-1 no shutdown interface fc2/2 interface fc2/3 interface fc2/4 interface fc3/1 switchport description Connection to Promise 600 san no shutdown interface fc3/2 interface fc3/3 interface fc3/4 interface Ethernet1/1 description to DC-F-UCS-1 TG0/1 switchport mode trunk spanning-tree port type network interface Ethernet1/2 description to DC-F-UCS-1 TG0/2 switchport mode trunk spanning-tree port type network interface Ethernet1/3 description to DC-F-UCS-2 TG0/3 switchport mode trunk spanning-tree port type network interface Ethernet1/4 description to DC-F-UCS-2 TG0/4 switchport mode trunk spanning-tree port type network interface Ethernet1/5 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/6 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/7 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/8 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/9 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/10 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/11 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/12 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/13 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/14 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/15 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/16 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/17 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/18 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/19 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/20 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/21 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/22 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/23 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/24 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/25 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/26 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/27 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/28 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/29 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/30 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/31 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/32 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/33 description to RAGG-1-VDC2 TG1/9 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 3 mode active interface Ethernet1/34 description to RAGG-1-VDC2 TG1/10 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 3 mode active interface Ethernet1/35 description to RAGG-2-VDC2 TG1/11 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 3 mode active interface Ethernet1/36 description to RAGG-2-VDC2 TG1/12 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 3 mode active interface Ethernet1/37 shutdown interface Ethernet1/38 shutdown interface Ethernet1/39 description to SACCESS-4 shutdown interface Ethernet1/40 description to SACCESS-4 shutdown interface Ethernet2/1 interface Ethernet2/2 interface Ethernet2/3 interface Ethernet2/4 interface Ethernet3/1 interface Ethernet3/2 interface Ethernet3/3 interface Ethernet3/4 interface mgmt0 ip address 192.168.41.33/24 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 system default zone default-zone permit system default zone distribute full line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in boot kickstart bootflash:/n5000-uk9-kickstart.5.0.3.N1.1b.bin boot system bootflash:/n5000-uk9.5.0.3.N1.1b.bin interface fc2/2 interface fc2/3 interface fc2/4 interface fc2/1 switchport fcrxbbcredit 1 switchport fcrxbbcredit 2 mode E interface fc3/1 interface fc3/2 interface fc3/3 interface fc3/4 logging server 192.168.42.124 6 zone default-zone permit vsan 2 zoneset distribute full vsan 2 !Full Zone Database Section for vsan 2 zone name global_zone vsan 2 member pwwn 26:00:00:01:55:35:7e:44 member pwwn 26:02:00:01:55:35:7e:44 member pwwn 10:00:00:00:c9:75:68:c3 member pwwn 10:00:00:00:c9:77:92:e9 member pwwn 10:00:00:00:c9:77:db:c3 member pwwn 10:00:00:00:c9:77:dc:c3 member pwwn 10:00:00:00:c9:77:dd:bc member pwwn 21:00:00:1b:32:00:33:0c member pwwn 21:00:00:1b:32:00:3a:0c member pwwn 21:00:00:1b:32:00:5d:0d member pwwn 21:00:00:1b:32:00:5e:0d member pwwn 21:00:00:1b:32:00:70:0d member pwwn 21:00:00:1b:32:00:ab:0d member pwwn 21:00:00:1b:32:80:0b:10 member pwwn 21:00:00:1b:32:80:52:10 member pwwn 21:00:00:1b:32:80:da:0f member pwwn 21:00:00:1b:32:80:f1:0f zoneset name promise-2_zs vsan 2 member global_zone zoneset activate name promise-2_zs vsan 2 SACCESS-4 !Command: show running-config !Time: Sat Apr 30 01:57:14 2011 version 5.0(3)N1(1b) feature fcoe feature privilege no feature telnet no telnet server enable feature tacacs+ cfs eth distribute feature lacp feature vpc feature lldp feature fex username admin password 5 <removed> role network-admin username retail password 5 <removed> role network-admin username emc-ncm password 5 <removed> role network-admin username bart password 5 <removed> role network-admin enable secret 5 <removed> banner motd # WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. # ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip host SACCESS-4 192.168.41.34 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 use-vrf management source-interface mgmt0 switchname SACCESS-4 ip access-list 23 statistics per-entry 10 permit ip 127.0.0.1/32 192.168.41.34/32 20 permit ip 192.168.41.101/32 192.168.41.34/32 30 permit ip 192.168.41.102/32 192.168.41.34/32 40 permit ip 192.168.42.111/32 192.168.41.34/32 50 permit ip 192.168.42.122/32 192.168.41.34/32 60 permit ip 192.168.42.131/32 192.168.41.34/32 70 permit ip 192.168.42.133/32 192.168.41.34/32 80 permit ip 192.168.42.138/32 192.168.41.34/32 90 permit ip 10.19.151.99/32 192.168.41.34/32 100 deny ip any any ip access-list 88 statistics per-entry 10 permit ip 192.168.42.122/32 192.168.41.34/32 20 deny ip any any class-map type qos class-fcoe class-map type queuing class-all-flood match qos-group 2 class-map type queuing class-ip-multicast match qos-group 2 class-map type network-qos class-all-flood match qos-group 2 class-map type network-qos class-ip-multicast match qos-group 2 snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey snmp-server enable traps entity fru no snmp-server enable traps entity entity_mib_change no snmp-server enable traps entity entity_module_status_change no snmp-server enable traps entity entity_power_status_change no snmp-server enable traps entity entity_module_inserted no snmp-server enable traps entity entity_module_removed no snmp-server enable traps entity entity_unrecognised_module no snmp-server enable traps entity entity_fan_status_change no snmp-server enable traps rf redundancy_framework aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable vrf context management ip route 0.0.0.0/0 192.168.41.1 vlan 1 vlan 36 name DeviceMgmtHigh vlan 37 name DeviceMgmtLow vlan 38 name HyTrust vlan 40 name Server_iLO vlan 41 name ESX_Server vlan 42 name CoreManagement vlan 45,80-82,141-142 vlan 402 fcoe vsan 2 vsan database vsan 2 fcdomain fcid database vsan 2 wwn 21:01:00:1b:32:20:5e:0d fcid 0xa20000 area dynamic vsan 2 wwn 21:01:00:1b:32:20:ab:0d fcid 0xa20100 area dynamic vsan 2 wwn 21:01:00:1b:32:20:70:0d fcid 0xa20200 area dynamic vsan 2 wwn 21:01:00:1b:32:20:33:0c fcid 0xa20300 area dynamic vsan 2 wwn 21:01:00:1b:32:20:5d:0d fcid 0xa20400 area dynamic vsan 2 wwn 21:01:00:1b:32:a0:0b:10 fcid 0xa20500 area dynamic vsan 2 wwn 21:01:00:1b:32:a0:52:10 fcid 0xa20600 area dynamic vsan 2 wwn 21:01:00:1b:32:a0:da:0f fcid 0xa20700 area dynamic vsan 2 wwn 21:01:00:1b:32:a0:f1:0f fcid 0xa20800 area dynamic vsan 2 wwn 21:01:00:1b:32:20:3a:0c fcid 0xa20900 area dynamic interface port-channel4 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 interface vfc513 bind interface Ethernet1/13 no shutdown interface vfc514 bind interface Ethernet1/14 no shutdown interface vfc515 bind interface Ethernet1/15 no shutdown interface vfc516 bind interface Ethernet1/16 no shutdown interface vfc517 bind interface Ethernet1/17 no shutdown interface vfc518 bind interface Ethernet1/18 no shutdown interface vfc519 bind interface Ethernet1/19 no shutdown interface vfc520 bind interface Ethernet1/20 no shutdown interface vfc521 bind interface Ethernet1/21 no shutdown interface vfc522 bind interface Ethernet1/22 no shutdown interface vfc523 bind interface Ethernet1/23 no shutdown interface vfc524 bind interface Ethernet1/24 no shutdown interface vfc525 bind interface Ethernet1/25 no shutdown interface vfc526 bind interface Ethernet1/26 no shutdown interface vfc527 bind interface Ethernet1/27 no shutdown interface vfc528 bind interface Ethernet1/28 no shutdown interface vfc529 bind interface Ethernet1/29 no shutdown interface vfc530 bind interface Ethernet1/30 no shutdown interface vfc531 bind interface Ethernet1/31 no shutdown interface vfc532 bind interface Ethernet1/32 no shutdown interface vfc505 bind interface Ethernet1/5 no shutdown interface vfc506 bind interface Ethernet1/6 no shutdown interface vfc507 bind interface Ethernet1/7 no shutdown interface vfc508 bind interface Ethernet1/8 no shutdown interface vfc509 bind interface Ethernet1/9 no shutdown interface vfc510 bind interface Ethernet1/10 no shutdown interface vfc511 bind interface Ethernet1/11 no shutdown interface vfc512 bind interface Ethernet1/12 no shutdown vsan database vsan 2 interface vfc513 vsan 2 interface vfc514 vsan 2 interface vfc515 vsan 2 interface vfc516 vsan 2 interface vfc517 vsan 2 interface vfc518 vsan 2 interface vfc519 vsan 2 interface vfc520 vsan 2 interface vfc521 vsan 2 interface vfc522 vsan 2 interface vfc523 vsan 2 interface vfc524 vsan 2 interface vfc525 vsan 2 interface vfc526 vsan 2 interface vfc527 vsan 2 interface vfc528 vsan 2 interface vfc529 vsan 2 interface vfc530 vsan 2 interface vfc531 vsan 2 interface vfc532 vsan 2 interface vfc505 vsan 2 interface vfc506 vsan 2 interface vfc507 vsan 2 interface vfc508 vsan 2 interface vfc509 vsan 2 interface vfc510 vsan 2 interface vfc511 vsan 2 interface vfc512 vsan 2 interface fc3/1 interface fc2/1 switchport description Connection to MDS-DC-1 no shutdown interface fc2/2 interface fc2/3 interface fc2/4 interface fc3/1 switchport description Connection to Promise 600 san no shutdown interface fc3/2 interface fc3/3 interface fc3/4 interface Ethernet1/1 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/2 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/3 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/4 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/5 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/6 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/7 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/8 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/9 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/10 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/11 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/12 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/13 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/14 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/15 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/16 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/17 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/18 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/19 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/20 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/21 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/22 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/23 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/24 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/25 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/26 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/27 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/28 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/29 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/30 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/31 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/32 switchport mode trunk spanning-tree port type edge trunk interface Ethernet1/33 description to RAGG-2-VDC2 TG1/9 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 4 mode active interface Ethernet1/34 description to RAGG-2-VDC2 TG1/10 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 4 mode active interface Ethernet1/35 description to RAGG-1-VDC2 TG1/11 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 4 mode active interface Ethernet1/36 description to RAGG-1-VDC2 TG1/12 switchport mode trunk switchport trunk allowed vlan 38,41-45,52 spanning-tree port type network channel-group 4 mode active interface Ethernet1/37 shutdown interface Ethernet1/38 shutdown interface Ethernet1/39 description link to SACCESS-3 shutdown interface Ethernet1/40 description link to SACCESS-3 shutdown interface Ethernet2/1 interface Ethernet2/2 interface Ethernet2/3 interface Ethernet2/4 interface Ethernet3/1 interface Ethernet3/2 interface Ethernet3/3 interface Ethernet3/4 interface mgmt0 ip address 192.168.41.34/24 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 line console exec-timeout 15 line vty exec-timeout 15 access-class 23 in boot kickstart bootflash:/n5000-uk9-kickstart.5.0.3.N1.1b.bin boot system bootflash:/n5000-uk9.5.0.3.N1.1b.bin interface fc2/1 interface fc2/2 interface fc2/3 interface fc2/4 interface fc3/1 interface fc3/2 interface fc3/3 interface fc3/4 logging server 192.168.42.124 6 zone default-zone permit vsan 2 !Full Zone Database Section for vsan 2 zone name global_zone vsan 2 zoneset name promise-2_zs vsan 2 member global_zone SACCESS-5 ! ! Last configuration change at 02:02:07 PST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:02:10 PST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname SACCESS-5 ! boot-start-marker boot-end-marker ! logging buffered 51200 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PST recurring switch 1 provision ws-c3750e-48td system mtu routing 1500 ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 65535 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-2654502656 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2654502656 revocation-check none rsakeypair TP-self-signed-2654502656 ! ! crypto pki certificate chain TP-self-signed-2654502656 certificate self-signed 01 <removed> quit archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending vlan dot1q tag native ! ip ssh version 2 ip scp server enable ! ! ! interface FastEthernet0 no ip address shutdown ! interface GigabitEthernet1/0/1 description SRV-DC-22 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/2 description SRV-DC-23 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/3 description SRV-DC-24 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/4 description SRV-DC-25 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/5 description SRV-DC-26 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/6 description SRV-DC-27 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/7 description SRV-DC-28 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/8 description SRV-DC-29 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/9 description SRV-DC-30 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/10 description SRV-DC-31 iLO switchport access vlan 40 spanning-tree portfast ! interface GigabitEthernet1/0/11 description DC-UCSFabric-1-A Mgmt0 switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/12 description DC-UCSFabric-1-B Mgmt0 switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/13 description DC-ASA-1 Mgmt0 switchport access vlan 42 spanning-tree portfast ! interface GigabitEthernet1/0/14 description DC-ASA-2 Mgmt0 switchport access vlan 42 spanning-tree portfast ! interface GigabitEthernet1/0/15 ! interface GigabitEthernet1/0/16 ! interface GigabitEthernet1/0/17 ! interface GigabitEthernet1/0/18 ! interface GigabitEthernet1/0/19 ! interface GigabitEthernet1/0/20 ! interface GigabitEthernet1/0/21 ! interface GigabitEthernet1/0/22 description SRV-DC-22 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/23 description SRV-DC-23 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/24 description SRV-DC-24 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/25 description SRV-DC-25 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/26 description SRV-DC-26 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/27 description SRV-DC-27 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/28 description SRV-DC-28 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/29 description SRV-DC-29 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/30 description SRV-DC-30 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/31 description SRV-DC-31 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/32 description SRV-DC-32 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/33 description SRV-DC-33 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/34 description SRV-DC-34 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/35 description SRV-DC-35 ESXi switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/36 ! interface GigabitEthernet1/0/37 description SACCESS-3 Mgmt switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/38 description SACCESS-4 Mgmt switchport access vlan 41 spanning-tree portfast ! interface GigabitEthernet1/0/39 description RCORE-1 Mgmt-a switchport access vlan 42 spanning-tree portfast ! interface GigabitEthernet1/0/40 description RCORE-1 Mgmt-b switchport access vlan 42 spanning-tree portfast ! interface GigabitEthernet1/0/41 description RCORE-2 Mgmt-a switchport access vlan 42 spanning-tree portfast ! interface GigabitEthernet1/0/42 description RCORE-2 Mgmt-b switchport access vlan 42 spanning-tree portfast ! interface GigabitEthernet1/0/43 ! interface GigabitEthernet1/0/44 ! interface GigabitEthernet1/0/45 ! interface GigabitEthernet1/0/46 ! interface GigabitEthernet1/0/47 description Uplink to RAGG-2-vdc2 T2/13 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/48 description Uplink to RAGG-1-vdc2 T2/13 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/49 ! interface GigabitEthernet1/0/50 ! interface GigabitEthernet1/0/51 ! interface GigabitEthernet1/0/52 ! interface TenGigabitEthernet1/0/1 ! interface TenGigabitEthernet1/0/2 ! interface Vlan1 no ip address shutdown ! interface Vlan41 ip address 192.168.41.222 255.255.255.0 ! interface Vlan42 ip address 192.168.42.30 255.255.255.0 ! interface Vlan1000 no ip address ! ip default-gateway 192.168.42.1 ip classless no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan42 ! ! ip sla enable reaction-alerts logging trap debugging logging source-interface Vlan42 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan42 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps power-ethernet group 1-4 snmp-server enable traps power-ethernet police snmp-server enable traps cpu threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps errdisable snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 timeout 5 tacacs-server directed-request tacacs-server key 7 <removed> ! banner exec WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36029147 ntp source Vlan42 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end Storage MDS-DC-1-RUNNING !Command: show running-config !Time: Sun Apr 24 16:47:39 2011 version 5.0(1a) system default switchport mode F feature npiv feature privilege feature tacacs+ role name default-role description This is a system defined role and applies to all users. rule 5 permit show feature environment rule 4 permit show feature hardware rule 3 permit show feature module rule 2 permit show feature snmp rule 1 permit show feature system username admin password 5 <removed> role network-admin username retail password 5 <removed> role network-admin username emc-ncm password 5 <removed> role network-admin username bart password 5 <removed> role network-admin enable secret 5 <removed> banner motd #WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENTTO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARYTO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHERREPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUTFURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHERCRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAWENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.# ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip host MDS-DC-1 192.168.41.51 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 aaa group server radius radius snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey snmp-server host 192.168.41.101 traps version 2c public udp-port 2162 snmp-server host 192.168.42.121 traps version 3 auth public no snmp-server enable traps entity entity_mib_change no snmp-server enable traps entity entity_module_status_change no snmp-server enable traps entity entity_power_status_change no snmp-server enable traps entity entity_module_inserted no snmp-server enable traps entity entity_module_removed no snmp-server enable traps entity entity_unrecognised_module no snmp-server enable traps entity entity_fan_status_change no snmp-server enable traps entity entity_power_out_change no snmp-server enable traps rf redundancy_framework ntp server 192.168.62.161 ntp server 192.168.62.162 aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.51 0.0.0.0 ip access-list 23 deny ip any any log-deny vsan database vsan 2 name "Promise-2" vsan 10 name "UIM_VSAN_A_10" fcdomain fcid database vsan 1 wwn 50:00:40:20:03:fc:44:6a fcid 0x020000 dynamic vsan 1 wwn 50:00:40:21:03:fc:44:6a fcid 0x020001 dynamic vsan 1 wwn 21:00:00:e0:8b:19:70:09 fcid 0x020100 area dynamic vsan 1 wwn 20:89:00:05:30:00:99:de fcid 0x020200 area dynamic vsan 1 wwn 20:8a:00:05:30:00:99:de fcid 0x020300 area dynamic vsan 1 wwn 23:00:00:05:30:00:99:e0 fcid 0x020002 dynamic vsan 1 wwn 23:01:00:05:30:00:99:e0 fcid 0x020003 dynamic vsan 1 wwn 23:02:00:05:30:00:99:e0 fcid 0x020004 dynamic vsan 1 wwn 23:03:00:05:30:00:99:e0 fcid 0x020005 dynamic vsan 1 wwn 23:04:00:05:30:00:99:e0 fcid 0x020006 dynamic vsan 1 wwn 23:05:00:05:30:00:99:e0 fcid 0x020007 dynamic vsan 1 wwn 23:06:00:05:30:00:99:e0 fcid 0x020008 dynamic vsan 1 wwn 23:07:00:05:30:00:99:e0 fcid 0x020009 dynamic vsan 1 wwn 23:08:00:05:30:00:99:e0 fcid 0x02000a dynamic vsan 1 wwn 22:02:00:05:30:00:99:e0 fcid 0x02000b dynamic vsan 1 wwn 22:04:00:05:30:00:99:e0 fcid 0x02000c dynamic vsan 1 wwn 22:06:00:05:30:00:99:e0 fcid 0x02000d dynamic vsan 1 wwn 22:08:00:05:30:00:99:e0 fcid 0x02000e dynamic vsan 1 wwn 22:0a:00:05:30:00:99:e0 fcid 0x02000f dynamic vsan 1 wwn 22:0c:00:05:30:00:99:e0 fcid 0x020010 dynamic vsan 1 wwn 10:00:00:00:c9:60:df:80 fcid 0x020011 dynamic vsan 1 wwn 23:12:00:05:30:00:99:e0 fcid 0x020012 dynamic vsan 1 wwn 23:13:00:05:30:00:99:e0 fcid 0x020013 dynamic vsan 1 wwn 23:14:00:05:30:00:99:e0 fcid 0x020014 dynamic vsan 1 wwn 23:15:00:05:30:00:99:e0 fcid 0x020015 dynamic vsan 1 wwn 23:17:00:05:30:00:99:e0 fcid 0x020016 dynamic vsan 1 wwn 23:16:00:05:30:00:99:e0 fcid 0x020017 dynamic vsan 1 wwn 23:18:00:05:30:00:99:e0 fcid 0x020018 dynamic vsan 1 wwn 23:19:00:05:30:00:99:e0 fcid 0x020019 dynamic vsan 1 wwn 11:00:00:00:00:00:00:01 fcid 0x02001a dynamic vsan 1 wwn 20:00:00:00:00:00:00:01 fcid 0x02001b dynamic vsan 1 wwn 10:00:00:00:c9:77:94:21 fcid 0x02001c dynamic vsan 1 wwn 10:00:00:00:c9:77:92:e9 fcid 0x02001d dynamic vsan 1 wwn 10:00:00:00:c9:77:dd:bc fcid 0x02001e dynamic vsan 1 wwn 20:41:00:05:9b:73:10:c0 fcid 0x02001f dynamic vsan 1 wwn 20:41:00:05:9b:73:17:40 fcid 0x020020 dynamic vsan 1 wwn 10:00:00:00:c9:77:dc:c3 fcid 0x020021 dynamic vsan 1 wwn 10:00:00:00:c9:75:68:c3 fcid 0x020022 dynamic vsan 1 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0x020400 area dynamic vsan 1 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0x020500 area dynamic vsan 1 wwn 10:00:00:00:c9:77:db:c3 fcid 0x020023 dynamic vsan 2 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0xef0000 area dynamic vsan 2 wwn 10:00:00:00:c9:75:68:c3 fcid 0xef0100 dynamic vsan 2 wwn 10:00:00:00:c9:77:dc:c3 fcid 0xef0101 dynamic vsan 2 wwn 10:00:00:00:c9:77:dd:bc fcid 0xef0102 dynamic vsan 2 wwn 10:00:00:00:c9:77:db:c3 fcid 0xef0103 dynamic vsan 2 wwn 10:00:00:00:c9:77:92:e9 fcid 0xef0104 dynamic vsan 2 wwn 50:06:01:60:46:e0:33:aa fcid 0xef01ef dynamic vsan 2 wwn 20:41:00:05:9b:73:10:c0 fcid 0xef0105 dynamic vsan 1 wwn 50:06:01:68:46:e0:33:aa fcid 0x0200ef dynamic vsan 1 wwn 50:06:01:60:46:e0:33:aa fcid 0x0206ef dynamic vsan 2 wwn 20:41:00:05:9b:73:17:40 fcid 0xef0106 dynamic vsan 2 wwn 10:00:00:00:c9:77:94:21 fcid 0xef0107 dynamic vsan 2 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0xef0200 area dynamic vsan 2 wwn 50:06:01:68:46:e0:33:aa fcid 0xef03ef dynamic vsan 10 wwn 50:06:01:60:46:e0:33:aa fcid 0xd800ef dynamic vsan 10 wwn 20:41:00:05:9b:73:10:c0 fcid 0xd80000 dynamic vsan 10 wwn 20:41:00:05:9b:73:17:40 fcid 0xd80001 dynamic vsan 10 wwn 10:00:00:00:c9:77:94:21 fcid 0xd80002 dynamic vsan 10 wwn 50:06:01:61:46:e0:33:aa fcid 0xd801ef dynamic vsan 10 wwn 50:06:01:69:46:e0:33:aa fcid 0xd802ef dynamic vsan 10 wwn 20:42:00:05:9b:73:10:c0 fcid 0xd80003 dynamic vsan 10 wwn 20:00:00:25:b5:01:11:0f fcid 0xd80004 dynamic vsan 10 wwn 20:00:00:25:b5:01:11:18 fcid 0xd80005 dynamic vsan 10 wwn 20:00:00:25:b5:01:11:12 fcid 0xd80006 dynamic vsan 10 wwn 20:00:00:25:b5:01:11:15 fcid 0xd80007 dynamic vsan 10 wwn 20:00:00:25:b5:01:11:19 fcid 0xd80008 dynamic vsan 10 wwn 20:00:00:25:b5:01:11:10 fcid 0xd80009 dynamic vsan 10 wwn 20:00:00:25:b5:01:11:1c fcid 0xd8000a dynamic vsan 10 wwn 20:00:00:25:b5:01:11:25 fcid 0xd8000b dynamic vsan 10 wwn 20:00:00:25:b5:01:11:22 fcid 0xd8000c dynamic vsan 10 wwn 20:00:00:25:b5:01:11:1f fcid 0xd8000d dynamic vsan 10 wwn 20:00:00:25:b5:01:11:2b fcid 0xd8000e dynamic vsan 10 wwn 20:00:00:25:b5:01:11:28 fcid 0xd8000f dynamic vsan database vsan 2 interface fc2/1 vsan 2 interface fc2/2 vsan 2 interface fc2/3 vsan 2 interface fc2/4 vsan 2 interface fc2/5 vsan 2 interface fc2/6 vsan 2 interface fc2/7 vsan 2 interface fc2/8 vsan 2 interface fc2/9 vsan 2 interface fc2/10 vsan 2 interface fc2/11 vsan 2 interface fc2/12 vsan 2 interface fc2/13 vsan 2 interface fc2/14 vsan 2 interface fc2/15 vsan 2 interface fc2/16 vsan 2 interface fc2/17 vsan 2 interface fc2/18 vsan 2 interface fc2/19 vsan 2 interface fc2/20 vsan 2 interface fc2/21 vsan 2 interface fc2/22 vsan 2 interface fc2/23 vsan 10 interface fc2/24 vsan 10 interface fc2/25 vsan 10 interface fc2/26 vsan 2 interface fc2/27 vsan 2 interface fc2/28 vsan 2 interface fc2/29 vsan 2 interface fc2/30 vsan 2 interface fc2/31 vsan 2 interface fc2/32 vsan 2 interface fc2/33 vsan 2 interface fc2/34 vsan 2 interface fc2/35 vsan 2 interface fc2/36 vsan 2 interface fc2/37 vsan 2 interface fc2/38 vsan 2 interface fc2/39 vsan 2 interface fc2/40 vsan 2 interface fc2/41 vsan 2 interface fc2/42 vsan 2 interface fc2/43 vsan 2 interface fc2/44 vsan 2 interface fc2/45 vsan 2 interface fc2/46 vsan 2 interface fc2/47 vsan 10 interface fc2/48 vsan 2 interface fc4/1 vsan 2 interface fc4/2 vsan 2 interface fc4/3 vsan 2 interface fc4/4 vsan 2 interface fc4/5 vsan 2 interface fc4/6 vsan 2 interface fc4/7 vsan 2 interface fc4/8 vsan 2 interface fc4/9 vsan 2 interface fc4/10 vsan 2 interface fc4/11 vsan 2 interface fc4/12 vsan 2 interface fc4/13 vsan 2 interface fc4/14 vsan 2 interface fc4/15 vsan 2 interface fc4/16 vsan 2 interface fc4/17 vsan 2 interface fc4/18 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 ip default-gateway 192.168.41.1 switchname MDS-DC-1 line vty exec-timeout 15 line console exec-timeout 15 boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-1 boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-1 boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-2 boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-2 interface fc2/12 switchport speed 4000 switchport rate-mode shared interface fc2/11 switchport rate-mode dedicated interface fc2/36 switchport rate-mode dedicated interface fc2/1 interface fc2/2 interface fc2/3 interface fc2/4 interface fc2/5 interface fc2/6 interface fc2/7 interface fc2/8 interface fc2/9 interface fc2/10 interface fc2/12 switchport mode FL interface fc2/13 interface fc2/14 interface fc2/15 interface fc2/16 interface fc2/17 interface fc2/18 interface fc2/19 interface fc2/20 interface fc2/21 interface fc2/22 interface fc2/23 interface fc2/24 interface fc2/25 interface fc2/26 interface fc2/27 interface fc2/28 interface fc2/29 interface fc2/30 interface fc2/31 interface fc2/32 interface fc2/33 interface fc2/34 interface fc2/35 interface fc2/37 interface fc2/38 interface fc2/39 interface fc2/40 interface fc2/41 interface fc2/42 interface fc2/43 interface fc2/44 interface fc2/45 interface fc2/46 interface fc2/47 interface fc2/48 interface fc2/11 switchport mode auto interface fc2/36 switchport mode auto interface fc4/1 interface fc4/2 interface fc4/3 interface fc4/4 interface fc4/5 interface fc4/6 interface fc4/7 interface fc4/8 interface fc4/9 interface fc4/10 interface fc4/11 interface fc4/12 interface fc4/13 interface fc4/14 interface fc4/15 interface fc4/16 interface fc4/17 interface fc4/18 logging server 192.168.42.121 logging server 192.168.42.124 6 system default zone default-zone permit system default zone distribute full zone default-zone permit vsan 2 zone default-zone permit vsan 10 zoneset distribute full vsan 1-2 zoneset distribute full vsan 10 !Full Zone Database Section for vsan 2 zone name global_zone vsan 2 member pwwn 26:00:00:01:55:35:7e:44 member pwwn 26:02:00:01:55:35:7e:44 member pwwn 10:00:00:00:c9:75:68:c3 member pwwn 10:00:00:00:c9:77:92:e9 member pwwn 10:00:00:00:c9:77:db:c3 member pwwn 10:00:00:00:c9:77:dc:c3 member pwwn 10:00:00:00:c9:77:dd:bc member pwwn 21:00:00:1b:32:00:33:0c member pwwn 21:00:00:1b:32:00:3a:0c member pwwn 21:00:00:1b:32:00:5d:0d member pwwn 21:00:00:1b:32:00:5e:0d member pwwn 21:00:00:1b:32:00:70:0d member pwwn 21:00:00:1b:32:00:ab:0d member pwwn 21:00:00:1b:32:80:0b:10 member pwwn 21:00:00:1b:32:80:52:10 member pwwn 21:00:00:1b:32:80:da:0f member pwwn 21:00:00:1b:32:80:f1:0f zoneset name promise-2_zs vsan 2 member global_zone zoneset activate name promise-2_zs vsan 2 !Full Zone Database Section for vsan 10 zone name UIM_20000025B5011112_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011110_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011112_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011110_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011112_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011110_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011112_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011110_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011115_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011116_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011115_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011116_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011115_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011116_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011115_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011116_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501111A_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011119_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111A_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011119_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111A_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011119_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111A_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011119_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501111D_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111C_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111D_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111C_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111D_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111C_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111D_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501111C_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501111F_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011120_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111F_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011120_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111F_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011120_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111F_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011120_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011123_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011122_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011123_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011122_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011123_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011122_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011123_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011122_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011125_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011126_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011125_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011126_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011125_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011126_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011125_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011126_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011129_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011128_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011129_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011128_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011129_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011128_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011129_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011128_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501112B_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501112C_5006016946E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501112B_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501112C_5006016846E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501112B_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501112C_5006016046E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501112B_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501112C_5006016146E033AA vsan 10 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:61:46:e0:33:aa zoneset name UIM_ZONESET_A vsan 10 member UIM_20000025B5011112_5006016046E033AA member UIM_20000025B5011110_5006016046E033AA member UIM_20000025B5011112_5006016946E033AA member UIM_20000025B5011110_5006016946E033AA member UIM_20000025B5011112_5006016846E033AA member UIM_20000025B5011110_5006016846E033AA member UIM_20000025B5011112_5006016146E033AA member UIM_20000025B5011110_5006016146E033AA member UIM_20000025B5011115_5006016846E033AA member UIM_20000025B5011116_5006016846E033AA member UIM_20000025B5011115_5006016146E033AA member UIM_20000025B5011116_5006016146E033AA member UIM_20000025B5011115_5006016946E033AA member UIM_20000025B5011116_5006016946E033AA member UIM_20000025B5011115_5006016046E033AA member UIM_20000025B5011116_5006016046E033AA member UIM_20000025B501111A_5006016946E033AA member UIM_20000025B5011119_5006016946E033AA member UIM_20000025B501111A_5006016146E033AA member UIM_20000025B5011119_5006016146E033AA member UIM_20000025B501111A_5006016846E033AA member UIM_20000025B5011119_5006016846E033AA member UIM_20000025B501111A_5006016046E033AA member UIM_20000025B5011119_5006016046E033AA member UIM_20000025B501111D_5006016146E033AA member UIM_20000025B501111C_5006016146E033AA member UIM_20000025B501111D_5006016846E033AA member UIM_20000025B501111C_5006016846E033AA member UIM_20000025B501111D_5006016946E033AA member UIM_20000025B501111C_5006016946E033AA member UIM_20000025B501111D_5006016046E033AA member UIM_20000025B501111C_5006016046E033AA member UIM_20000025B501111F_5006016146E033AA member UIM_20000025B5011120_5006016146E033AA member UIM_20000025B501111F_5006016946E033AA member UIM_20000025B5011120_5006016946E033AA member UIM_20000025B501111F_5006016846E033AA member UIM_20000025B5011120_5006016846E033AA member UIM_20000025B501111F_5006016046E033AA member UIM_20000025B5011120_5006016046E033AA member UIM_20000025B5011123_5006016946E033AA member UIM_20000025B5011122_5006016946E033AA member UIM_20000025B5011123_5006016146E033AA member UIM_20000025B5011122_5006016146E033AA member UIM_20000025B5011123_5006016846E033AA member UIM_20000025B5011122_5006016846E033AA member UIM_20000025B5011123_5006016046E033AA member UIM_20000025B5011122_5006016046E033AA member UIM_20000025B5011125_5006016146E033AA member UIM_20000025B5011126_5006016146E033AA member UIM_20000025B5011125_5006016946E033AA member UIM_20000025B5011126_5006016946E033AA member UIM_20000025B5011125_5006016846E033AA member UIM_20000025B5011126_5006016846E033AA member UIM_20000025B5011125_5006016046E033AA member UIM_20000025B5011126_5006016046E033AA member UIM_20000025B5011129_5006016846E033AA member UIM_20000025B5011128_5006016846E033AA member UIM_20000025B5011129_5006016046E033AA member UIM_20000025B5011128_5006016046E033AA member UIM_20000025B5011129_5006016146E033AA member UIM_20000025B5011128_5006016146E033AA member UIM_20000025B5011129_5006016946E033AA member UIM_20000025B5011128_5006016946E033AA member UIM_20000025B501112B_5006016946E033AA member UIM_20000025B501112C_5006016946E033AA member UIM_20000025B501112B_5006016846E033AA member UIM_20000025B501112C_5006016846E033AA member UIM_20000025B501112B_5006016046E033AA member UIM_20000025B501112C_5006016046E033AA member UIM_20000025B501112B_5006016146E033AA member UIM_20000025B501112C_5006016146E033AA zoneset activate name UIM_ZONESET_A vsan 10 interface fc2/1 interface fc2/2 interface fc2/3 interface fc2/4 interface fc2/5 interface fc2/6 interface fc2/7 interface fc2/8 interface fc2/9 interface fc2/10 interface fc2/11 no shutdown interface fc2/12 no shutdown interface fc2/13 interface fc2/14 interface fc2/15 interface fc2/16 interface fc2/17 interface fc2/18 interface fc2/19 interface fc2/20 interface fc2/21 interface fc2/22 interface fc2/23 interface fc2/24 no shutdown interface fc2/25 no shutdown interface fc2/26 no shutdown interface fc2/27 interface fc2/28 interface fc2/29 interface fc2/30 interface fc2/31 interface fc2/32 interface fc2/33 interface fc2/34 interface fc2/35 interface fc2/36 no shutdown interface fc2/37 shutdown interface fc2/38 interface fc2/39 interface fc2/40 interface fc2/41 interface fc2/42 interface fc2/43 interface fc2/44 interface fc2/45 interface fc2/46 interface fc2/47 interface fc2/48 no shutdown interface fc4/1 interface fc4/2 interface fc4/3 interface fc4/4 interface fc4/5 interface fc4/6 interface fc4/7 interface fc4/8 interface fc4/9 interface fc4/10 interface fc4/11 interface fc4/12 interface fc4/13 interface fc4/14 interface fc4/15 interface fc4/16 interface fc4/17 interface fc4/18 interface GigabitEthernet4/1 interface GigabitEthernet4/2 interface GigabitEthernet4/3 interface GigabitEthernet4/4 interface mgmt0 ip address 192.168.41.51 255.255.255.0 ip access-group 23 in no system default switchport shutdown MDS-DC-2-RUNNING !Command: show running-config !Time: Sun Apr 24 16:48:05 2011 version 5.0(4) system default switchport mode F feature npiv feature privilege feature tacacs+ role name default-role description This is a system defined role and applies to all users. rule 5 permit show feature environment rule 4 permit show feature hardware rule 3 permit show feature module rule 2 permit show feature snmp rule 1 permit show feature system username admin password 5 <removed> role network-admin username retail password 5 <removed> role network-admin username emc-ncm password 5 <removed> role network-admin username bart password 5 <removed> role network-admin enable secret 5 <removed> banner motd # WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. # ssh login-attempts 6 ip domain-lookup ip domain-name cisco-irn.com ip host MDS-DC-2 192.168.41.52 ip host MDS-DC-2 192.168.41.52 tacacs-server key 7 "<removed>" tacacs-server host 192.168.42.131 aaa group server tacacs+ CiscoACS server 192.168.42.131 aaa group server radius radius snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user admin network-admin auth md5 <removed> localizedkey snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey snmp-server host 192.168.41.101 traps version 2c public udp-port 2162 snmp-server host 192.168.42.121 traps version 3 auth public rmon event 1 log trap public description FATAL(1) owner PMON@FATAL rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL rmon event 3 log trap public description ERROR(3) owner PMON@ERROR rmon event 4 log trap public description WARNING(4) owner PMON@WARNING rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO ntp server 192.168.62.161 ntp server 192.168.62.162 aaa authentication login default group CiscoACS aaa authentication login console group CiscoACS aaa authorization ssh-certificate default group CiscoACS aaa accounting default group CiscoACS aaa authentication login error-enable ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.52 0.0.0.0 ip access-list 23 deny ip any any log-deny vsan database vsan 2 name "Promise-2" vsan 11 name "UIM_VSAN_B_11" fcdomain fcid database vsan 1 wwn 21:01:00:e0:8b:39:35:58 fcid 0x010000 area dynamic vsan 1 wwn 22:03:00:0d:ec:20:2b:40 fcid 0x010100 area dynamic vsan 11 wwn 20:41:00:05:9b:73:17:40 fcid 0xd40000 dynamic vsan 11 wwn 20:42:00:05:9b:73:17:40 fcid 0xd40001 dynamic vsan 1 wwn 21:00:00:e0:8b:19:35:58 fcid 0x010200 area dynamic vsan 11 wwn 50:06:01:69:46:e0:33:aa fcid 0xd400ef dynamic vsan 11 wwn 50:06:01:68:46:e0:33:aa fcid 0xd401ef dynamic vsan 1 wwn 26:01:00:01:55:35:7e:44 fcid 0x010300 dynamic vsan 2 wwn 26:01:00:01:55:35:7e:44 fcid 0x890000 dynamic vsan 2 wwn 20:64:00:0d:ec:38:76:00 fcid 0x890100 area dynamic vsan 11 wwn 20:00:00:25:b5:01:11:10 fcid 0xd40002 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:19 fcid 0xd40003 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:13 fcid 0xd40004 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:16 fcid 0xd40005 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:1a fcid 0xd40006 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:12 fcid 0xd40007 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:1d fcid 0xd40008 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:26 fcid 0xd40009 dynamic vsan 11 wwn 20:00:00:25:b5:01:11:23 fcid 0xd4000a dynamic vsan 11 wwn 20:00:00:25:b5:01:11:20 fcid 0xd4000b dynamic vsan 11 wwn 20:00:00:25:b5:01:11:2c fcid 0xd4000c dynamic vsan 11 wwn 20:00:00:25:b5:01:11:29 fcid 0xd4000d dynamic vsan database vsan 11 interface fc2/24 vsan 11 interface fc2/25 vsan 11 interface fc2/26 vsan 11 interface fc2/48 clock timezone PST -8 0 clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60 ip default-gateway 192.168.41.1 switchname MDS-DC-2 line vty session-limit 32 exec-timeout 15 line console exec-timeout 15 boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-1 boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-1 boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-2 boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-2 interface fc2/1 interface fc2/2 interface fc2/3 interface fc2/4 interface fc2/5 interface fc2/6 interface fc2/7 interface fc2/8 interface fc2/9 interface fc2/10 interface fc2/11 interface fc2/12 interface fc2/13 interface fc2/14 interface fc2/15 interface fc2/16 interface fc2/17 interface fc2/18 interface fc2/19 interface fc2/20 interface fc2/21 interface fc2/22 interface fc2/23 interface fc2/24 interface fc2/25 interface fc2/26 interface fc2/27 interface fc2/28 interface fc2/29 interface fc2/30 interface fc2/31 interface fc2/32 interface fc2/33 interface fc2/34 interface fc2/35 interface fc2/36 interface fc2/37 interface fc2/38 interface fc2/39 interface fc2/40 interface fc2/41 interface fc2/42 interface fc2/43 interface fc2/44 interface fc2/45 interface fc2/46 interface fc2/47 interface fc2/48 logging server 192.168.42.121 logging server 192.168.42.124 6 system default zone default-zone permit system default zone distribute full zone default-zone permit vsan 2 zone default-zone permit vsan 11 zoneset distribute full vsan 1-2 zoneset distribute full vsan 11 !Full Zone Database Section for vsan 2 zone name global_zone vsan 2 zoneset name promise-2_zs vsan 2 member global_zone !Full Zone Database Section for vsan 11 zone name UIM_20000025B5011110_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011112_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011110_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011112_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011110_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011112_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011110_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:10 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011112_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:12 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011116_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011115_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011116_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011115_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011116_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011115_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011116_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:16 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011115_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:15 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011119_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111A_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011119_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501111A_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011119_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111A_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011119_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:19 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111A_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1a member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111D_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111C_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111D_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111C_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111D_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111C_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111D_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1d member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501111C_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1c member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011120_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501111F_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011120_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501111F_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011120_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501111F_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011120_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:20 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501111F_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:1f member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011122_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011123_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011122_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011123_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011122_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011123_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011122_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:22 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011123_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:23 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011126_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011125_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011126_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011125_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011126_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011125_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011126_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:26 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011125_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:25 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011128_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011129_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B5011128_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011129_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B5011128_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011129_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B5011128_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:28 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B5011129_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:29 member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501112C_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501112B_5006016046E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:60:46:e0:33:aa zone name UIM_20000025B501112C_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501112B_5006016946E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:69:46:e0:33:aa zone name UIM_20000025B501112C_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501112B_5006016846E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:68:46:e0:33:aa zone name UIM_20000025B501112C_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2c member pwwn 50:06:01:61:46:e0:33:aa zone name UIM_20000025B501112B_5006016146E033AA vsan 11 member pwwn 20:00:00:25:b5:01:11:2b member pwwn 50:06:01:61:46:e0:33:aa zoneset name UIM_ZONESET_B vsan 11 member UIM_20000025B5011110_5006016946E033AA member UIM_20000025B5011112_5006016946E033AA member UIM_20000025B5011110_5006016046E033AA member UIM_20000025B5011112_5006016046E033AA member UIM_20000025B5011110_5006016146E033AA member UIM_20000025B5011112_5006016146E033AA member UIM_20000025B5011110_5006016846E033AA member UIM_20000025B5011112_5006016846E033AA member UIM_20000025B5011116_5006016046E033AA member UIM_20000025B5011115_5006016046E033AA member UIM_20000025B5011116_5006016946E033AA member UIM_20000025B5011115_5006016946E033AA member UIM_20000025B5011116_5006016846E033AA member UIM_20000025B5011115_5006016846E033AA member UIM_20000025B5011116_5006016146E033AA member UIM_20000025B5011115_5006016146E033AA member UIM_20000025B5011119_5006016146E033AA member UIM_20000025B501111A_5006016146E033AA member UIM_20000025B5011119_5006016046E033AA member UIM_20000025B501111A_5006016046E033AA member UIM_20000025B5011119_5006016946E033AA member UIM_20000025B501111A_5006016946E033AA member UIM_20000025B5011119_5006016846E033AA member UIM_20000025B501111A_5006016846E033AA member UIM_20000025B501111D_5006016146E033AA member UIM_20000025B501111C_5006016146E033AA member UIM_20000025B501111D_5006016846E033AA member UIM_20000025B501111C_5006016846E033AA member UIM_20000025B501111D_5006016946E033AA member UIM_20000025B501111C_5006016946E033AA member UIM_20000025B501111D_5006016046E033AA member UIM_20000025B501111C_5006016046E033AA member UIM_20000025B5011120_5006016846E033AA member UIM_20000025B501111F_5006016846E033AA member UIM_20000025B5011120_5006016146E033AA member UIM_20000025B501111F_5006016146E033AA member UIM_20000025B5011120_5006016046E033AA member UIM_20000025B501111F_5006016046E033AA member UIM_20000025B5011120_5006016946E033AA member UIM_20000025B501111F_5006016946E033AA member UIM_20000025B5011122_5006016946E033AA member UIM_20000025B5011123_5006016946E033AA member UIM_20000025B5011122_5006016146E033AA member UIM_20000025B5011123_5006016146E033AA member UIM_20000025B5011122_5006016046E033AA member UIM_20000025B5011123_5006016046E033AA member UIM_20000025B5011122_5006016846E033AA member UIM_20000025B5011123_5006016846E033AA member UIM_20000025B5011126_5006016846E033AA member UIM_20000025B5011125_5006016846E033AA member UIM_20000025B5011126_5006016946E033AA member UIM_20000025B5011125_5006016946E033AA member UIM_20000025B5011126_5006016146E033AA member UIM_20000025B5011125_5006016146E033AA member UIM_20000025B5011126_5006016046E033AA member UIM_20000025B5011125_5006016046E033AA member UIM_20000025B5011128_5006016946E033AA member UIM_20000025B5011129_5006016946E033AA member UIM_20000025B5011128_5006016046E033AA member UIM_20000025B5011129_5006016046E033AA member UIM_20000025B5011128_5006016146E033AA member UIM_20000025B5011129_5006016146E033AA member UIM_20000025B5011128_5006016846E033AA member UIM_20000025B5011129_5006016846E033AA member UIM_20000025B501112C_5006016046E033AA member UIM_20000025B501112B_5006016046E033AA member UIM_20000025B501112C_5006016946E033AA member UIM_20000025B501112B_5006016946E033AA member UIM_20000025B501112C_5006016846E033AA member UIM_20000025B501112B_5006016846E033AA member UIM_20000025B501112C_5006016146E033AA member UIM_20000025B501112B_5006016146E033AA zoneset activate name UIM_ZONESET_B vsan 11 interface fc2/1 interface fc2/2 interface fc2/3 interface fc2/4 interface fc2/5 interface fc2/6 interface fc2/7 interface fc2/8 interface fc2/9 interface fc2/10 interface fc2/11 interface fc2/12 interface fc2/13 interface fc2/14 interface fc2/15 interface fc2/16 interface fc2/17 interface fc2/18 interface fc2/19 interface fc2/20 interface fc2/21 interface fc2/22 interface fc2/23 interface fc2/24 interface fc2/25 interface fc2/26 interface fc2/27 interface fc2/28 interface fc2/29 interface fc2/30 interface fc2/31 interface fc2/32 interface fc2/33 interface fc2/34 interface fc2/35 interface fc2/36 interface fc2/37 interface fc2/38 interface fc2/39 interface fc2/40 interface fc2/41 interface fc2/42 interface fc2/43 interface fc2/44 interface fc2/45 interface fc2/46 interface fc2/47 interface fc2/48 interface mgmt0 ip address 192.168.41.52 255.255.255.0 ip access-group 23 in no system default switchport shutdown Internet Edge WAN RIE-1 Building configuration... No l4r_shim subsystem is included in this platform. Current configuration : 16789 bytes ! ! Last configuration change at 16:43:41 PST Thu Dec 6 2012 by bmcgloth ! NVRAM config last updated at 16:45:21 PST Thu Dec 6 2012 by bmcgloth ! version 15.3 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers no platform punt-keepalive disable-kernel-core ! hostname RIE-1 ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk ! aaa new-model ! ! aaa group server tacacs+ PRIMARY1 server name PRIMARY ip tacacs source-interface GigabitEthernet0/0/1 ! aaa authentication login COMPLIANCE group PRIMARY1 local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common clock timezone PST -8 0 clock summer-time PST recurring ! ! ! ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ! ! ! login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log no ipv6 source-route ipv6 unicast-routing ipv6 multicast rpf use-bgp ! ! multilink bundle-name authenticated password encryption aes ! crypto pki trustpoint TP-self-signed-2651906707 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2651906707 revocation-check none rsakeypair TP-self-signed-2651906707 ! ! crypto pki certificate chain TP-self-signed-2651906707 certificate self-signed 01 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 32363531 39303637 3037301E 170D3132 31313036 31323232 33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36353139 30363730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100AECB 6BFA1E96 248A2BFB E7B5D97E 9E9F99B1 4A2A7548 89CBC154 14CA1328 5625CD4E 0E7F9D0F 8B0A76D7 48B1A6EB 264E67FE 70BBC476 B21A22C7 6431842D E5C6FBD1 3E0BBBDF 73A3088C BA6B8172 C32D446F 406F1269 0C4638D5 A422A709 7AF6DCCE 8ACE5CD8 D686075C 46E44292 308E3E34 EFA13429 E198C0CA E8FE7300 2A130203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304 18301680 14EB092C 62224E75 39C28FA2 B39CD19D 58235B24 FB301D06 03551D0E 04160414 EB092C62 224E7539 C28FA2B3 9CD19D58 235B24FB 300D0609 2A864886 F70D0101 05050003 81810077 4AF3549B 69563163 6AB2398F 3068F49F 48284235 25D42BF2 A4C45F09 17AF8EFF 5C92A80E 50AD61C8 C309E328 AE7EA370 02CCC23E 31F1034D 69A35747 C954DFA1 0F08DB33 081F69B4 43D00153 33F03918 68B2FD17 7070FA3C 344CB4D9 AFFE2671 3B7087F0 177F7AF2 DF3F9B1D 08144FC0 1F42863C 4948E425 DFF1C657 1B37D6 quit archive log config logging enable notify syslog contenttype plaintext hidekeys ! ! ! ! ! ! username retail privilege 15 secret 4 <removed> username bart privilege 15 secret 4 <removed> username emc-ncm privilege 15 secret 4 <removed> username bmcgloth privilege 15 secret 4 <removed> username csmadmin privilege 15 secret 4 <removed> username ciscolms privilege 15 secret 4 <removed> ! redundancy mode none ! ! ! ip ssh version 2 ip scp server enable ! policy-map COPPr class class-default police 8000 ! ! ! ! ! ! ! ! interface GigabitEthernet0/0/0 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/1 description link to RIE-3 G1/1 ip address 192.168.22.11 255.255.255.0 ip access-group INTERNAL-FILTER-IN in standby version 2 standby 1 ip 192.168.22.10 standby 1 priority 105 standby 1 preempt standby 1 authentication TheCure standby 2 ipv6 2001:DB8:192:22::10/64 standby 2 priority 105 standby 2 preempt standby 2 authentication TheCure speed 1000 no negotiation auto ipv6 address 2001:DB8:192:22::11/64 ipv6 verify unicast source reachable-via rx ipv6 traffic-filter IPv6-INTERNAL-FILTER-IN in ! interface GigabitEthernet0/0/2 description link to RIE-4 G1/1 no ip address shutdown speed 1000 no negotiation auto ! interface GigabitEthernet0/0/3 description Link to RSP-3 G0/2 ip address 10.10.3.6 255.255.255.0 ip access-group COARSE-FILTER-INTERNET-IN in ip access-group COARSE-FILTER-INTERNET-OUT out speed 1000 no negotiation auto ipv6 address 2001:DB8:1010:3::6/64 no ipv6 redirects ipv6 verify unicast source reachable-via rx allow-default ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-IN in ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-OUT out ! interface GigabitEthernet0/0/4 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/5 no ip address shutdown negotiation auto ! interface GigabitEthernet0 vrf forwarding Mgmt-intf no ip address shutdown negotiation auto ! no ip forward-protocol nd ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 10.10.3.1 ip route 10.10.0.0 255.255.0.0 192.168.22.1 ip route 10.10.0.0 255.255.255.0 10.10.3.1 ip route 10.10.4.0 255.255.255.0 192.168.22.12 ip route 192.168.0.0 255.255.0.0 192.168.22.1 ip tacacs source-interface GigabitEthernet0/0/1 ! ip access-list extended COARSE-FILTER-INTERNET-IN remark ---Temporary LAB permit - will remove from PCI GUIDE--- permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255 permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255 remark ------------------------------------------------------- remark ---Block Private Networks--- deny ip 10.0.0.0 0.255.255.255 any log deny ip 172.16.0.0 0.15.255.255 any log deny ip 192.168.0.0 0.0.255.255 any remark - remark ---Block Autoconfiguration Networks--- deny ip 169.254.0.0 0.0.255.255 any log remark - remark ---Block Loopback Networks--- deny ip 127.0.0.0 0.0.255.255 any log remark - remark ---Block Multicast Networks--- deny ip 224.0.0.0 15.255.255.255 any log remark - remark ---Block Traffic targeted at DMZ Network Edge Devices--- deny ip any 192.168.22.0 0.0.0.255 log remark - remark ---Block Spoofing of your networks--- remark enter your IP block here remark ---Permit all other traffic--- permit ip any any ip access-list extended COARSE-FILTER-INTERNET-OUT remark ---Block private networks from reaching Internet--- remark ---Temporary LAB permit - will remove from PCI GUIDE--- permit ip any any remark ------------------------------------------------------- remark ---Block Private Networks--- deny ip 10.0.0.0 0.255.255.255 any log deny ip 172.16.0.0 0.15.255.255 any log deny ip 192.168.0.0 0.0.255.255 any log remark - remark ---Block Autoconfiguration Networks--- deny ip 169.254.0.0 0.0.255.255 any log remark - remark ---Block Loopback Networks--- deny ip 127.0.0.0 0.0.255.255 any log remark - remark ---Block Multicast Networks--- deny ip 224.0.0.0 15.255.255.255 any log remark - remark ---Block Traffic targeted at DMZ Network Edge Devices--- deny ip any 192.168.22.0 0.0.0.255 log remark - remark ---Permit all other traffic--- permit tcp any any permit udp any any permit icmp any any ip access-list extended INTERNAL-FILTER-IN remark ------------------------------------------------------- remark ---Permit Admin Management--- permit icmp any any permit tcp host 192.168.41.101 host 192.168.22.11 eq 22 log permit tcp host 192.168.41.102 host 192.168.22.11 eq 22 log permit tcp host 192.168.42.122 host 192.168.22.11 eq 22 log permit tcp host 192.168.42.124 host 192.168.22.11 eq 22 log permit tcp host 192.168.42.131 eq tacacs host 192.168.22.11 permit tcp host 192.168.42.133 host 192.168.22.11 eq 22 log permit tcp host 192.168.42.139 host 192.168.22.11 eq 22 log permit tcp host 10.19.151.104 host 192.168.22.11 eq 22 log permit tcp host 10.19.151.102 host 192.168.22.11 eq 22 log permit tcp host 10.19.151.103 host 192.168.22.11 eq 22 log permit tcp host 10.19.151.100 host 192.168.22.11 eq 22 log permit tcp host 10.19.151.101 host 192.168.22.11 eq 22 log permit tcp host 10.19.151.98 host 192.168.22.11 eq 22 log permit tcp host 10.19.151.99 host 192.168.22.11 eq 22 log permit udp host 192.168.42.122 host 192.168.22.11 eq snmp permit udp host 192.168.42.124 host 192.168.22.11 eq snmp permit udp host 192.168.42.133 host 192.168.22.11 eq snmp permit udp host 192.168.42.139 host 192.168.22.11 eq snmp remark - remark ---Permit HSRP V2 packets--- permit udp host 192.168.22.12 host 224.0.0.102 eq 1985 remark - remark ---Deny other connections to Edge Router--- deny ip any host 192.168.22.11 log deny ip any host 192.168.22.10 log deny ip any host 10.10.0.3 log remark - remark ---Permit all other traffic to Internet--- permit ip any any ! logging trap debugging logging source-interface GigabitEthernet0/0/1 logging host 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 192.168.42.139 log access-list 23 permit 10.19.151.104 log access-list 23 permit 10.19.151.102 log access-list 23 permit 10.19.151.103 log access-list 23 permit 10.19.151.100 log access-list 23 permit 10.19.151.101 log access-list 23 permit 10.19.151.98 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ipv6 route 2001:DB8:192::/48 2001:DB8:192:22::1 ipv6 route ::/0 2001:DB8:1010:3::1 ! snmp-server group V3Group v3 priv read V3Read write V3Write snmp-server view V3Read iso included snmp-server view V3Write iso included snmp-server trap-source GigabitEthernet0/0/1 snmp-server packetsize 8192 snmp-server location Building SJC-17-1 Aisle 1 Rack 1 snmp-server contact Bart McGlothin snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps ipsla snmp-server enable traps flash insertion removal snmp-server host 192.168.42.134 version 3 priv <removed> snmp-server host 192.168.42.139 version 3 priv <removed> snmp-server host 192.168.42.133 version 3 priv <removed> ! tacacs server PRIMARY address ipv4 192.168.42.131 key 7 <removed> ! ! ipv6 access-list BLOCKALL-IPv6 deny ipv6 any any log ! ipv6 access-list IPv6-COARSE-FILTER-INTERNET-IN remark ---Temporary LAB permit for use of documentation IPv6 space--- permit ipv6 2001:DB8::/32 2001:DB8::/32 remark -------------------------------------------------------------- remark ---Block all traffic DHCP server -> client--- deny udp any eq 547 any eq 546 remark ---Block all traffic DHCP client -> server--- deny udp any eq 546 any eq 547 remark ---Block all traffic Routing Header Type 0--- deny ipv6 any any routing-type 0 remark - remark ---Accept all ICMPv6 packets for Neighbor Discovery and Path MTU Discovery --- permit icmp any any nd-na permit icmp any any nd-ns permit icmp any any router-advertisement permit icmp any any router-solicitation permit icmp any any packet-too-big permit icmp any any destination-unreachable permit icmp any any unreachable permit icmp any any no-route permit icmp any any echo-reply permit icmp any any echo-request permit icmp any any time-exceeded permit icmp any any parameter-problem permit icmp any any mld-query permit icmp any any mld-reduction permit icmp any any mld-report permit icmp any any port-unreachable remark -- remark ---Block IETF Documentation Network--- deny ipv6 2001:DB8::/32 any remark --- remark ---Block Spoofing of Your Networks--- deny ipv6 2001:DB8:192::/48 any remark ---- remark ---Block Traffic targeted at DMZ Network Edge Devices--- deny ipv6 any 2001:DB8:192:22::/64 log remark ------ remark ---Permit Only Assigned Networks to Your Network--- permit ipv6 2000::/3 2001:DB8:192::/48 ! ipv6 access-list IPv6-COARSE-FILTER-INTERNET-OUT remark ---Temporary LAB permit for use of documentation IPv6 space--- permit ipv6 2001:DB8::/32 2001:DB8::/32 remark ------------------------------------------------------- remark ---Block private networks from reaching Internet--- remark ---Block IETF reserved Networks--- deny ipv6 FEC0::/10 any log deny ipv6 FC00::/7 any log deny ipv6 host :: any log deny ipv6 ::/96 any log deny ipv6 ::/8 any log deny ipv6 ::FFFF:0.0.0.0/96 any log deny ipv6 2001:DB8::/32 any log remark - remark ---Block Loopback Address--- deny ipv6 host ::1 any log remark -- remark ---Block Multicast Networks--- deny ipv6 FE00::/7 any log remark --- remark ---Alternate is to Permit Traffic From My Network to Assigned Networks--- remark ---- permit ipv6 2001:DB8:192::/48 2000::/3 remark ----- remark ---Explicit Deny for All Other Networks and Log--- deny ipv6 any any log ! ipv6 access-list IPv6-INTERNAL-FILTER-IN remark ------------------------------------------------------- permit icmp any any remark - remark ---Permit HSRP V2 packets--- permit udp host 2001:DB8:192:22::12 eq 2029 host FF02::66 eq 2029 permit udp host FE80::E6D3:F1FF:FE77:A202 eq 2029 host FF02::66 eq 2029 remark ---Deny other connections to Edge Router--- deny ipv6 any 2001:DB8:192:22::/64 log remark ---Permit My Network Traffic to Assigned Networks--- permit ipv6 2001:DB8:192::/48 2000::/3 ! control-plane ! banner exec ^CCC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^CCC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^CCC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication COMPLIANCE stopbits 1 line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 no exec transport preferred none transport output none stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 ipv6 access-class BLOCKALL-IPv6 in logging synchronous login authentication COMPLIANCE transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 ipv6 access-class BLOCKALL-IPv6 in logging synchronous login authentication COMPLIANCE transport preferred none transport input ssh transport output none ! ntp source GigabitEthernet0/0/3 ntp server 171.68.10.80 prefer ntp server 171.68.10.150 ! ! end RIE-2 Building configuration... No l4r_shim subsystem is included in this platform. Current configuration : 15119 bytes ! ! Last configuration change at 14:30:46 PST Fri Nov 30 2012 by bmcgloth ! version 15.3 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers no platform punt-keepalive disable-kernel-core ! hostname RIE-2 ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk ! aaa new-model ! ! aaa group server tacacs+ PRIMARY1 server name PRIMARY ip tacacs source-interface GigabitEthernet0/0/2 ! aaa authentication login COMPLIANCE group PRIMARY1 local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common clock timezone PST -8 0 clock summer-time PST recurring ! ! ! ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ! ! ! login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log no ipv6 source-route ipv6 unicast-routing ipv6 multicast rpf use-bgp ! ! multilink bundle-name authenticated password encryption aes ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys ! ! ! ! ! ! username retail privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk username bart privilege 15 secret 4 y.Hu5omquu3STdi3Z65rJiGArfomMTMWv75ITNG12f2 username emc-ncm privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk username bmcgloth privilege 15 secret 4 y.Hu5omquu3STdi3Z65rJiGArfomMTMWv75ITNG12f2 username csmadmin privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk username ciscolms privilege 15 secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk ! redundancy mode none ! ! ! ip ssh version 2 ip scp server enable ! policy-map COPPr class class-default police 8000 ! ! ! ! ! ! ! ! interface GigabitEthernet0/0/0 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/1 description link to RIE-3 G1/2 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/2 description link to RIE-4 G1/2 ip address 192.168.22.12 255.255.255.0 ip access-group INTERNAL-FILTER-IN in standby version 2 standby 1 ip 192.168.22.10 standby 1 authentication TheCure standby 2 ipv6 2001:DB8:192:22::10/64 standby 2 authentication TheCure negotiation auto ipv6 address 2001:DB8:192:22::12/64 ipv6 verify unicast source reachable-via rx ipv6 traffic-filter IPv6-INTERNAL-FILTER-IN in ! interface GigabitEthernet0/0/3 description Link to RSP-4 G0/2 RIE-2# RIE-2# RIE-2# RIE-2# RIE-2#sh tech RIE-2#sh tech-support ? cef CEF related information ipc IPC related information ipmulticast IP multicast related information isis CLNS and ISIS related information mfib MFIB related information ospf OSPF related information page Page through output password Include passwords rsvp IP RSVP related information vrrp VRRP related information wccp WCCP related information \| Output modifiers <cr> RIE-2#sh tech-support page RIE-2#sh tech-support page ------------------ show clock ------------------ 14:03:13.372 PST Wed Jan 30 2013 ------------------ show version ------------------ Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(1)S, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2012 by Cisco Systems, Inc. Compiled Tue 27-Nov-12 11:16 by mcpre IOS XE Version: 03.08.00.S Cisco IOS-XE software, Copyright (c) 2005-2012 by cisco Systems, Inc. All rights reserved. Certain components of Cisco IOS-XE software are licensed under the GNU General Public License ("GPL") Version 2.0. The software code licensed under GPL Version 2.0 is free software that comes with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such GPL code under the terms of GPL Version 2.0. For more details, see the documentation or "License Notice" file accompanying the IOS-XE software, or the applicable URL provided on the flyer accompanying the IOS-XE software. ROM: IOS-XE ROMMON RIE-2 uptime is 8 weeks, 5 days, 2 hours, 32 minutes Uptime for this control processor is 8 weeks, 5 days, 2 hours, 34 minutes System returned to ROM by reload at 11:27:32 PST Fri Nov 30 2012 System image file is "bootflash:/asr1002x-universalk9.03.08.00.S.153-1.S.SPA.bin" Last reload reason: Reload Command This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com. License Level: ipbase License Type: Default. No valid license found. Next reload license Level: ipbase cisco ASR1002-X (2RU-X) processor with 1140957K/6147K bytes of memory. Processor board ID SSI16150DLD 6 Gigabit Ethernet interfaces 32768K bytes of non-volatile configuration memory. 4194304K bytes of physical memory. 6684671K bytes of eUSB flash at bootflash:. Configuration register is 0x2102 ------------------ show running-config ------------------ Building configuration... No l4r_shim subsystem is included in this platform. Current configuration : 14907 bytes ! ! Last configuration change at 14:30:46 PST Fri Nov 30 2012 by bmcgloth ! version 15.3 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers no platform punt-keepalive disable-kernel-core ! hostname RIE-2 ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 4 4mpXLtxxAt3wHwQSfKdYXXs2NGTp5BcHyPEnpZ9P/Tk ! aaa new-model ! ! aaa group server tacacs+ PRIMARY1 server name PRIMARY ip tacacs source-interface GigabitEthernet0/0/2 ! aaa authentication login COMPLIANCE group PRIMARY1 local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common clock timezone PST -8 0 clock summer-time PST recurring ! ! ! ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ! ! ! login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log no ipv6 source-route ipv6 unicast-routing ipv6 multicast rpf use-bgp ! ! multilink bundle-name authenticated password encryption aes ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys ! ! ! ! ! ! username retail privilege 15 secret 4 <removed> username bart privilege 15 secret 4 <removed> username emc-ncm privilege 15 secret 4 <removed> username bmcgloth privilege 15 secret 4 <removed> username csmadmin privilege 15 secret 4 <removed> username ciscolms privilege 15 secret 4 <removed> ! redundancy mode none ! ! ! ip ssh version 2 ip scp server enable ! policy-map COPPr class class-default police 8000 ! ! ! ! ! ! ! ! interface GigabitEthernet0/0/0 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/1 description link to RIE-3 G1/2 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/2 description link to RIE-4 G1/2 ip address 192.168.22.12 255.255.255.0 ip access-group INTERNAL-FILTER-IN in standby version 2 standby 1 ip 192.168.22.10 standby 1 authentication TheCure standby 2 ipv6 2001:DB8:192:22::10/64 standby 2 authentication TheCure negotiation auto ipv6 address 2001:DB8:192:22::12/64 ipv6 verify unicast source reachable-via rx ipv6 traffic-filter IPv6-INTERNAL-FILTER-IN in ! interface GigabitEthernet0/0/3 description Link to RSP-4 G0/2 ip address 10.10.4.6 255.255.255.0 ip access-group COARSE-FILTER-INTERNET-IN in ip access-group COARSE-FILTER-INTERNET-OUT out negotiation auto ipv6 address 2001:DB8:1010:4::6/64 no ipv6 redirects ipv6 verify unicast source reachable-via rx ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-IN in ipv6 traffic-filter IPv6-COARSE-FILTER-INTERNET-OUT out ! interface GigabitEthernet0/0/4 no ip address shutdown negotiation auto ! interface GigabitEthernet0/0/5 no ip address shutdown negotiation auto ! interface GigabitEthernet0 vrf forwarding Mgmt-intf no ip address shutdown negotiation auto ! no ip forward-protocol nd ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 10.10.4.1 ip route 10.10.0.0 255.255.0.0 192.168.22.1 ip route 10.10.0.0 255.255.255.0 10.10.4.1 ip route 10.10.3.0 255.255.255.0 192.168.22.11 ip route 192.168.0.0 255.255.0.0 192.168.22.1 ! ip access-list extended COARSE-FILTER-INTERNET-IN remark ---Temporary LAB permit - will remove from PCI GUIDE--- permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255 permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255 remark ------------------------------------------------------- remark ---Block Private Networks--- deny ip 10.0.0.0 0.255.255.255 any log deny ip 172.16.0.0 0.15.255.255 any log deny ip 192.168.0.0 0.0.255.255 any log remark - remark ---Block Autoconfiguration Networks--- deny ip 169.254.0.0 0.0.255.255 any log remark - remark ---Block Loopback Networks--- deny ip 127.0.0.0 0.0.255.255 any log remark - remark ---Block Multicast Networks--- deny ip 224.0.0.0 15.255.255.255 any log remark - remark ---Block Traffic targeted at DMZ Network Edge Devices--- deny ip any 192.168.22.0 0.0.0.255 log remark - remark ---Block Spoofing of your networks--- remark enter your IP block here deny ip 192.168.20.0 0.0.0.255 any remark -- remark ---Permit all other traffic--- permit ip any any ip access-list extended COARSE-FILTER-INTERNET-OUT remark ---Block private networks from reaching Internet--- remark ---Temporary LAB permit - will remove from PCI GUIDE--- permit ip any any remark ------------------------------------------------------- remark ---Block Private Networks--- deny ip 10.0.0.0 0.255.255.255 any log deny ip 172.16.0.0 0.15.255.255 any log deny ip 192.168.0.0 0.0.255.255 any log remark - remark ---Block Autoconfiguration Networks--- deny ip 169.254.0.0 0.0.255.255 any log remark - remark ---Block Loopback Networks--- deny ip 127.0.0.0 0.0.255.255 any log remark - remark ---Block Multicast Networks--- deny ip 224.0.0.0 15.255.255.255 any log remark - remark ---Block Traffic targeted at DMZ Network Edge Devices--- deny ip any 192.168.22.0 0.0.0.255 log remark - remark ---Permit all other traffic--- permit tcp any any permit udp any any permit icmp any any ip access-list extended INTERNAL-FILTER-IN remark ------------------------------------------------------- remark ---Permit Admin Management--- permit icmp any any permit tcp host 192.168.41.101 host 192.168.22.12 eq 22 log permit tcp host 192.168.41.102 host 192.168.22.12 eq 22 log permit tcp host 192.168.42.122 host 192.168.22.12 eq 22 log permit tcp host 192.168.42.124 host 192.168.22.12 eq 22 log permit tcp host 192.168.42.131 eq tacacs host 192.168.22.12 permit tcp host 192.168.42.133 host 192.168.22.12 eq 22 log permit tcp host 192.168.42.139 host 192.168.22.12 eq 22 log permit tcp host 10.19.151.104 host 192.168.22.12 eq 22 log permit tcp host 10.19.151.102 host 192.168.22.12 eq 22 log permit tcp host 10.19.151.103 host 192.168.22.12 eq 22 log permit tcp host 10.19.151.100 host 192.168.22.12 eq 22 log permit tcp host 10.19.151.101 host 192.168.22.12 eq 22 log permit tcp host 10.19.151.98 host 192.168.22.12 eq 22 log permit tcp host 10.19.151.99 host 192.168.22.12 eq 22 log permit udp host 192.168.42.122 host 192.168.22.12 eq snmp permit udp host 192.168.42.124 host 192.168.22.12 eq snmp permit udp host 192.168.42.133 host 192.168.22.12 eq snmp permit udp host 192.168.42.139 host 192.168.22.12 eq snmp remark - remark ---Permit HSRP V2 packets--- permit udp host 192.168.22.11 host 224.0.0.102 eq 1985 remark - remark ---Deny other connections to Edge Router--- deny ip any host 192.168.22.12 log deny ip any host 192.168.22.10 log deny ip any host 10.10.0.3 log remark - remark ---Permit all other traffic to Internet--- permit ip any any ! logging trap debugging logging source-interface GigabitEthernet0/0/2 logging host 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 192.168.42.139 log access-list 23 permit 10.19.151.104 log access-list 23 permit 10.19.151.102 log access-list 23 permit 10.19.151.103 log access-list 23 permit 10.19.151.100 log access-list 23 permit 10.19.151.101 log access-list 23 permit 10.19.151.98 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ipv6 route 2001:DB8:192::/48 2001:DB8:192:22::1 ipv6 route ::/0 2001:DB8:1010:4::1 ! snmp-server group V3Group v3 priv read V3Read write V3Write snmp-server view V3Read iso included snmp-server view V3Write iso included snmp-server trap-source GigabitEthernet0/0/2 snmp-server packetsize 8192 snmp-server location Building SJC-17-1 Aisle 1 Rack 1 snmp-server contact Bart McGlothin snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps ipsla snmp-server enable traps flash insertion removal snmp-server host 192.168.42.134 version 3 priv <removed> snmp-server host 192.168.42.139 version 3 priv <removed> snmp-server host 192.168.42.133 version 3 priv <removed> ! tacacs server PRIMARY address ipv4 192.168.42.131 key 7 <removed> ! ! ipv6 access-list BLOCKALL-IPv6 deny ipv6 any any log ! ipv6 access-list IPv6-COARSE-FILTER-INTERNET-IN remark -------------------------------------------------------------- remark ---Block all traffic DHCP server -> client--- deny udp any eq 547 any eq 546 remark ---Block all traffic DHCP client -> server--- deny udp any eq 546 any eq 547 remark ---Block all traffic Routing Header Type 0--- deny ipv6 any any routing-type 0 remark - remark ---Accept all ICMPv6 packets for Neighbor Discovery and Path MTU Discovery --- permit icmp any any nd-na permit icmp any any nd-ns permit icmp any any router-advertisement permit icmp any any router-solicitation permit icmp any any packet-too-big permit icmp any any destination-unreachable permit icmp any any unreachable permit icmp any any no-route permit icmp any any echo-reply permit icmp any any echo-request permit icmp any any time-exceeded permit icmp any any parameter-problem permit icmp any any mld-query permit icmp any any mld-reduction permit icmp any any mld-report permit icmp any any port-unreachable remark -- remark ---Block IETF Documentation Network--- remark - deny ipv6 2001:DB8::/32 any - need for Lab validation remark --- remark ---Block Spoofing of Your Networks--- deny ipv6 2001:DB8:192::/48 any remark ---- remark ---Block Traffic targeted at DMZ Network Edge Devices--- deny ipv6 any 2001:DB8:192:22::/64 log remark ------ remark ---Permit Only Assigned Networks to Your Network--- permit ipv6 2000::/3 2001:DB8:192::/48 ! ipv6 access-list IPv6-COARSE-FILTER-INTERNET-OUT remark ---Temporary LAB permit for use of documentation IPv6 space--- permit ipv6 2001:DB8::/32 2001:DB8::/32 remark ------------------------------------------------------- remark ---Block private networks from reaching Internet--- remark ---Block IETF reserved Networks--- deny ipv6 FEC0::/10 any log deny ipv6 FC00::/7 any log deny ipv6 host :: any log deny ipv6 ::/96 any log deny ipv6 ::/8 any log deny ipv6 ::FFFF:0.0.0.0/96 any log deny ipv6 2001:DB8::/32 any log remark - remark ---Block Loopback Address--- deny ipv6 host ::1 any log remark -- remark ---Block Multicast Networks--- deny ipv6 FE00::/7 any log remark --- remark ---Alternate is to Permit Traffic From My Network to Assigned Networks--- remark ---- permit ipv6 2001:DB8:192::/48 2000::/3 remark ----- remark ---Explicit Deny for All Other Networks and Log--- deny ipv6 any any log ! ipv6 access-list IPv6-INTERNAL-FILTER-IN remark ------------------------------------------------------- permit icmp any any remark - remark ---Permit HSRP V2 packets--- permit udp host 2001:DB8:192:22::11 eq 2029 host FF02::66 eq 2029 permit udp host FE80::E6D3:F1FF:FE77:D901 eq 2029 host FF02::66 eq 2029 remark ---Deny other connections to Edge Router--- deny ipv6 any 2001:DB8:192:22::/64 log remark ---Permit My Network Traffic to Assigned Networks--- permit ipv6 2001:DB8:192::/48 2000::/3 ! control-plane ! banner exec ^CC WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication COMPLIANCE stopbits 1 line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 no exec transport preferred none transport output none stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 ipv6 access-class BLOCKALL-IPv6 in logging synchronous login authentication COMPLIANCE transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 ipv6 access-class BLOCKALL-IPv6 in logging synchronous login authentication COMPLIANCE transport preferred none transport input ssh transport output none ! ntp source GigabitEthernet0/0/3 ntp server 171.68.10.80 prefer ntp server 171.68.10.150 ! ! end Converged Core/Aggregation ASA-IE-1 ASA-IE-1# sh run : Saved : ASA Version 9.1(1) ! hostname ASA-IE-1 domain-name cisco-irn.com enable password WKlYt0jXwtQLFcz7 encrypted passwd WKlYt0jXwtQLFcz7 encrypted names dns-guard ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2 ipv6 address 2001:db8:192:21::1/64 standby 2001:db8:192:21::2 ipv6 enable ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.11.60 255.255.255.0 standby 192.168.11.62 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 description LAN/STATE Failover Interface ! interface GigabitEthernet0/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/7 shutdown no nameif no security-level no ip address ! interface Management0/0 management-only nameif management security-level 0 no ip address ! banner exec WARNING: banner exec THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner exec AUTHORIZED USERS ONLY! banner exec banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY banner exec TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER banner exec REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT banner exec FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. banner exec banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! banner asdm WARNING: banner asdm THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner asdm AUTHORIZED USERS ONLY! banner asdm banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE F banner asdm banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS boot system disk0:/asa911-smp-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns domain-lookup outside dns domain-lookup inside dns server-group DefaultDNS name-server 192.168.42.130 domain-name cisco-irn.com same-security-traffic permit inter-interface object network PrimeLMS host 192.168.42.139 description Cisco Prime LMS object network RIE-1_G0-0-1 host 192.168.22.11 description ASA1002-X object network RIE-1_G0-0-1_ipv6 host 2001:db8:192:22::11 object network RIE-2_G0-0-2 host 192.168.22.12 description ASR1002-x object network RIE-2_G0-0-2_ipv6 host 2001:db8:192:22::12 object network RIE1+2_HSRP_ipv6 host 2001:db8:192:22::10 object network RIE1+2_HSRP host 192.168.22.10 object network ASA-IE-1-outside.cisco-irn.com host 192.168.21.1 object network Bart-Admin99 host 10.19.151.99 object network DMZ-Network-4 subnet 192.168.20.24 255.255.255.248 object network DMZ-Networks subnet 192.168.20.0 255.255.252.0 object network DMZ-VIP-30 host 192.168.20.30 object network DataCenter-Networks subnet 192.168.0.0 255.255.0.0 description Private 1918 block object network EMC-NCM.cisco-irn.com host 192.168.42.122 object network ESA-IE-1.cisco-irn.com host 192.168.23.68 object network ESMA-IE-1.cisco-irn.com host 192.168.23.84 object network EmailSecurityAppliance-Network subnet 192.168.23.64 255.255.255.240 object network EmailSecurityManager-Network subnet 192.168.23.80 255.255.255.240 object network FSU.cisco-irn.com host 192.168.42.138 object network InSide-Network subnet 192.168.21.0 255.255.255.0 object network InternetEdge-Networks subnet 192.168.20.0 255.255.252.0 object network NTP1.cisco-irn.com host 192.168.62.161 object network NTP2.cisco-irn.com host 192.168.62.162 object network OutSide-Network subnet 192.168.22.0 255.255.255.0 object network PAME-DC-1.cisco-irn.com host 192.168.44.111 object network RSA-enVision.cisco-irn.com host 192.168.42.124 object network SRV-DC-1.cisco-irn.com host 192.168.41.101 object network SRV-DC-2.cisco-irn.com host 192.168.41.102 object network Branch-Networks subnet 10.10.0.0 255.255.0.0 object network WebSecurityAppliance-Network subnet 192.168.23.96 255.255.255.240 object network csmanager.cisco-irn.com host 192.168.42.133 object network tacacs.cisco-irn.com host 192.168.42.131 object network ActiveDirectory host 192.168.42.130 object network LABNTP-1.cisco.com host 171.68.10.150 object network LABNTP-2.cisco.com host 171.68.10.80 object network nist-chicago-NoDNS- host 38.106.177.10 description Chicago, Illinois object network nist-time-server.eoni.com host 216.228.192.69 description La Grande, Oregon object network nist.expertsmi.com host 50.77.217.185 description Monroe, Michigan object network nist.netservicesgroup.com host 64.113.32.5 description Southfield, Michigan object network nist.time.nosc.us host 96.226.123.117 description Carrollton, Texas object network nist1-atl.ustiming.org host 64.250.177.145 description Atlanta, Georgia object network nist1-chi.ustiming.org host 216.171.120.36 description Chicago, Illinois object network nist1-la.ustiming.org host 64.147.116.229 description Los Angeles, California object network nist1-lnk.binary.net host 216.229.0.179 description Lincoln, Nebraska object network nist1-lv.ustiming.org host 64.250.229.100 description Las Vegas, Nevada object network nist1-nj.ustiming.org host 96.47.67.105 description Bridgewater, NJ object network nist1-nj2.ustiming.org host 165.193.126.229 description Weehawken, NJ object network nist1-ny.ustiming.org host 64.90.182.55 description New York City, NY object network nist1-pa.ustiming.org host 206.246.122.250 description Hatfield, PA object network nist1-sj.ustiming.org host 216.171.124.36 description San Jose, California object network nist1.aol-ca.symmetricom.com host 207.200.81.113 description Mountain View, California object network nist1.aol-va.symmetricom.com host 64.236.96.53 description Reston, Virginia object network nist1.columbiacountyga.gov host 216.119.63.113 description Columbia County, Georgia object network nist1.symmetricom.com host 69.25.96.13 description San Jose, California object network nist2-nj2.ustiming.org host 165.193.126.232 description Weehawken, NJ object network nisttime.carsoncity.k12.mi.us host 66.219.116.140 description Carson City, Michigan object network ntp-nist.ldsbc.edu host 198.60.73.8 description LDSBC, Salt Lake City, Utah object network time-a.nist.gov host 129.6.15.28 description NIST, Gaithersburg, Maryland object network time-a.timefreq.bldrdoc.gov host 132.163.4.101 description NIST, Boulder, Colorado object network time-b.nist.gov host 129.6.15.29 description NIST, Gaithersburg, Maryland object network time-b.timefreq.bldrdoc.gov host 132.163.4.102 description NIST, Boulder, Colorado object network time-c.timefreq.bldrdoc.gov host 132.163.4.103 description NIST, Boulder, Colorado object network time-d.nist.gov host 2610:20:6f15:15::27 description NIST, Gaithersburg, Maryland object network time-nw.nist.gov host 131.107.13.100 description Microsoft, Redmond, Washington object network utcnist.colorado.edu host 128.138.140.44 description University of Colorado, Boulder object network utcnist2.colorado.edu host 128.138.141.172 description University of Colorado, Boulder object network wwv.nist.gov host 24.56.178.140 description WWV, Fort Collins, Colorado object network ASA-IE-1-outside_ipv6.cisco-irn.com host 2001:db8:192:21::1 object network DMZ-VIP-30_ipv6 host 2001:db8:192:20a4::30 object network CiscoLAB10-Network subnet 10.0.0.0 255.0.0.0 description Private 1918 block object network CiscoLAB171-Network subnet 171.68.0.0 255.255.0.0 description ARIN Block object network CiscoLAB172-Network subnet 172.16.0.0 255.240.0.0 description Private 1918 block object network DMZ-Network-4v6 subnet 2001:db8:192:20a4::/64 object network EmailSecurityAppliance-Networkv6 subnet 2001:db8:192:23a5::/64 object network EmailSecurityManager-Networkv6 subnet 2001:db8:192:23a6::/64 object network InSide-Networkv6 subnet 2001:db8:192:21::/64 object network OutSide-Networkv6 subnet 2001:db8:192:22::/64 object network WebSecurityAppliance-Networkv6 subnet 2001:db8:192:23a7::/64 object network ESA-IE-1.cisco-irn.com_ipv6 host 2001:db8:192:23a5::68 object network ESMA-IE-1.cisco-irn.com_ipv6 host 2001:db8:192:23a6::84 object network WSA-IE-1.cisco-irn.com host 192.168.23.100 object network WSA-IE-1.cisco-irn.com_ipv6 host 2001:db8:192:23a7::100 object network ASASM-DMZ-1.cisco-irn.com host 192.168.21.10 object network ASASM-DMZ-2.cicso-irn.com host 192.168.21.12 object network ASASM-DMZ-1.cisco-irn.com_ipv6 host 2001:db8:192:21::10 object-group service RDP tcp port-object eq 3389 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service vCenter-to-ESX4 tcp description Communication from vCetner to ESX hosts port-object eq 5989 port-object eq 8000 port-object eq 902 port-object eq 903 object-group network NTP-Servers description NTP Servers network-object object NTP1.cisco-irn.com network-object object NTP2.cisco-irn.com network-object object ActiveDirectory object-group network NTP-PublicServers description Public time.nist.gov servers network-object object nist-chicago-NoDNS- network-object object nist-time-server.eoni.com network-object object nist.expertsmi.com network-object object nist.netservicesgroup.com network-object object nist.time.nosc.us network-object object nist1-atl.ustiming.org network-object object nist1-chi.ustiming.org network-object object nist1-la.ustiming.org network-object object nist1-lnk.binary.net network-object object nist1-lv.ustiming.org network-object object nist1-nj.ustiming.org network-object object nist1-nj2.ustiming.org network-object object nist1-ny.ustiming.org network-object object nist1-pa.ustiming.org network-object object nist1-sj.ustiming.org network-object object nist1.aol-ca.symmetricom.com network-object object nist1.aol-va.symmetricom.com network-object object nist1.columbiacountyga.gov network-object object nist1.symmetricom.com network-object object nist2-nj2.ustiming.org network-object object nisttime.carsoncity.k12.mi.us network-object object ntp-nist.ldsbc.edu network-object object time-a.nist.gov network-object object time-a.timefreq.bldrdoc.gov network-object object time-b.nist.gov network-object object time-b.timefreq.bldrdoc.gov network-object object time-c.timefreq.bldrdoc.gov network-object object time-d.nist.gov network-object object time-nw.nist.gov network-object object utcnist.colorado.edu network-object object utcnist2.colorado.edu network-object object wwv.nist.gov network-object object LABNTP-1.cisco.com network-object object LABNTP-2.cisco.com object-group network Admin-Systems network-object object PrimeLMS network-object object Bart-Admin99 network-object object EMC-NCM.cisco-irn.com network-object object RSA-enVision.cisco-irn.com network-object object SRV-DC-1.cisco-irn.com network-object object SRV-DC-2.cisco-irn.com network-object object csmanager.cisco-irn.com object-group network DM_INLINE_NETWORK_1 network-object object EMC-NCM.cisco-irn.com network-object object PrimeLMS network-object object csmanager.cisco-irn.com object-group network DM_INLINE_NETWORK_2 network-object object Branch-Networks network-object object DataCenter-Networks object-group network DM_INLINE_NETWORK_3 network-object object EmailSecurityAppliance-Network network-object object EmailSecurityManager-Network network-object object WebSecurityAppliance-Network object-group network DM_INLINE_NETWORK_4 network-object object Branch-Networks network-object object DataCenter-Networks object-group network DM_INLINE_NETWORK_5 network-object object Branch-Networks network-object object DataCenter-Networks object-group network DM_INLINE_NETWORK_6 network-object object Branch-Networks network-object object DataCenter-Networks object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply icmp-object information-reply icmp-object information-request icmp-object redirect icmp-object time-exceeded icmp-object traceroute object-group service DM_INLINE_TCP_1 tcp group-object RDP port-object eq https port-object eq ssh group-object vCenter-to-ESX4 object-group service DM_INLINE_TCP_2 tcp port-object eq https port-object eq smtp port-object eq ssh object-group service DM_INLINE_TCP_3 tcp port-object eq https port-object eq ssh object-group service DM_INLINE_TCP_4 tcp port-object eq 1080 port-object eq 8080 port-object eq 8443 port-object eq www port-object eq https port-object eq ssh object-group network DM_INLINE_NETWORK_10 network-object object Branch-Networks network-object object DataCenter-Networks object-group network DM_INLINE_NETWORK_11 network-object object CiscoLAB10-Network network-object object CiscoLAB171-Network network-object object CiscoLAB172-Network object-group network DM_INLINE_NETWORK_12 network-object object Branch-Networks network-object object DataCenter-Networks object-group network DM_INLINE_NETWORK_7 network-object object RIE-1_G0-0-1 network-object object RIE-2_G0-0-2 network-object object DMZ-Networks object-group network DM_INLINE_NETWORK_8 network-object object RIE-1_G0-0-1 network-object object RIE-2_G0-0-2 network-object object DMZ-Networks network-object object ASASM-DMZ-1.cisco-irn.com network-object object ASASM-DMZ-2.cicso-irn.com object-group network DM_INLINE_NETWORK_9 network-object object CiscoLAB10-Network network-object object CiscoLAB171-Network network-object object CiscoLAB172-Network object-group service DM_INLINE_TCP_5 tcp group-object RDP port-object eq 1080 port-object eq 8080 port-object eq 8443 port-object eq 8444 port-object eq 8880 port-object eq www port-object eq https port-object eq ssh group-object vCenter-to-ESX4 object-group network DM_INLINE_NETWORK_13 network-object object RIE-1_G0-0-1 network-object object RIE-2_G0-0-2 network-object object DMZ-Networks access-list all extended permit ip any any access-list OUTSIDE_IN extended permit icmp6 any6 any6 access-list OUTSIDE_IN remark Clientless VPN for IPv6 access-list OUTSIDE_IN extended permit tcp any6 object ASASM-DMZ-1.cisco-irn.com_ipv6 eq https access-list OUTSIDE_IN remark Clientless VPN access-list OUTSIDE_IN extended permit tcp any object ASA-IE-1-outside_ipv6.cisco-irn.com eq https access-list OUTSIDE_IN remark DMZ Systems send Syslog messages access-list OUTSIDE_IN extended permit udp object-group DM_INLINE_NETWORK_7 object RSA-enVision.cisco-irn.com eq syslog access-list OUTSIDE_IN remark DMZ Systems Authenticate access access-list OUTSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_8 object tacacs.cisco-irn.com eq tacacs access-list OUTSIDE_IN remark DMZ Systems Authenticate access access-list OUTSIDE_IN extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_13 object ActiveDirectory eq domain access-list OUTSIDE_IN remark ====LAB ACCESS to TEST===REMOVE=== access-list OUTSIDE_IN extended permit icmp object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 access-list OUTSIDE_IN remark ====LAB ACCESS to TEST===REMOVE=== access-list OUTSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_5 access-list OUTSIDE_IN remark Drop all other traffic access-list OUTSIDE_IN extended deny ip any any log access-list DROP-ALL extended deny ip any any access-list INSIDE_IN remark Admin Access to DMZ access-list INSIDE_IN extended permit tcp object-group Admin-Systems object DMZ-Networks object-group DM_INLINE_TCP_1 access-list INSIDE_IN remark Manage DMZ Devices access-list INSIDE_IN extended permit udp object-group DM_INLINE_NETWORK_1 object DMZ-Networks eq snmp access-list INSIDE_IN remark Network Time access-list INSIDE_IN extended permit udp object-group NTP-Servers object-group NTP-PublicServers eq ntp access-list INSIDE_IN remark Allow Access to services for Ironport Apps access-list INSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_TCP_2 access-list INSIDE_IN remark Allow Secure traffic to DMZ access-list INSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_4 object DMZ-VIP-30 object-group DM_INLINE_TCP_3 access-list INSIDE_IN remark - Block non-secure traffic to DMZ access-list INSIDE_IN extended deny ip any object DMZ-Networks access-list INSIDE_IN remark Allow outbound services for Internet access-list INSIDE_IN extended permit icmp object-group DM_INLINE_NETWORK_5 any object-group DM_INLINE_ICMP_1 access-list INSIDE_IN remark General Internet Browsing access-list INSIDE_IN extended permit tcp object-group DM_INLINE_NETWORK_6 any object-group DM_INLINE_TCP_4 access-list INSIDE_IN remark DNS Services access-list INSIDE_IN extended permit object-group TCPUDP object ActiveDirectory any eq domain access-list INSIDE_IN remark Drop and Log all other traffic - END-OF-LINE access-list INSIDE_IN extended deny ip any any log access-list all-web webtype permit url any log default pager lines 24 logging enable logging timestamp logging standby logging buffer-size 1048576 logging asdm-buffer-size 512 logging trap informational logging asdm informational logging host inside 192.168.42.124 mtu outside 1500 mtu inside 1500 mtu management 1500 failover failover lan unit primary failover lan interface folink GigabitEthernet0/3 failover link folink GigabitEthernet0/3 failover interface ip folink 192.168.12.31 255.255.255.0 standby 192.168.12.32 icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside icmp permit any inside asdm image disk0:/asdm-711.bin asdm history enable arp timeout 14400 no arp permit-nonconnected access-group OUTSIDE_IN in interface outside access-group INSIDE_IN in interface inside access-group DROP-ALL in interface management ipv6 icmp permit any echo outside ipv6 icmp permit any echo-reply outside ipv6 icmp permit any membership-query inside ipv6 icmp permit any membership-reduction inside ipv6 icmp permit any membership-report inside ipv6 icmp permit any neighbor-advertisement inside ipv6 icmp permit any neighbor-redirect inside ipv6 icmp permit any neighbor-solicitation inside ipv6 icmp permit any packet-too-big inside ipv6 icmp permit any parameter-problem inside ipv6 icmp permit any router-advertisement inside ipv6 icmp permit any router-solicitation inside ipv6 icmp permit any time-exceeded inside ipv6 icmp permit any unreachable inside ipv6 route outside ::/0 2001:db8:192:21::10 route outside 0.0.0.0 0.0.0.0 192.168.21.10 1 route inside 10.10.0.0 255.255.0.0 192.168.11.1 1 route outside 10.10.0.0 255.255.255.0 192.168.21.10 1 route inside 192.168.0.0 255.255.0.0 192.168.11.10 10 route outside 192.168.20.0 255.255.255.0 192.168.21.10 1 route outside 192.168.22.0 255.255.255.0 192.168.21.10 1 route outside 192.168.23.0 255.255.255.0 192.168.21.10 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy network-acl all webvpn appl-acl all-web file-browsing enable file-entry enable http-proxy enable url-entry enable svc ask enable default webvpn aaa-server partnerauth protocol radius aaa-server partnerauth (inside) host 192.168.42.137 timeout 5 key * radius-common-pw * aaa-server COMPLIANCE protocol tacacs+ reactivation-mode depletion deadtime 15 max-failed-attempts 5 aaa-server COMPLIANCE (inside) host 192.168.42.131 key *** user-identity default-domain LOCAL aaa authentication enable console COMPLIANCE LOCAL aaa authentication http console COMPLIANCE LOCAL aaa authentication serial console COMPLIANCE LOCAL aaa authentication ssh console COMPLIANCE LOCAL aaa authorization command COMPLIANCE LOCAL aaa accounting enable console COMPLIANCE aaa accounting serial console COMPLIANCE aaa accounting ssh console COMPLIANCE aaa accounting command COMPLIANCE aaa authentication secure-http-client aaa local authentication attempts max-fail 6 aaa authorization exec authentication-server http server enable http server idle-timeout 15 http server session-timeout 15 http 192.168.41.101 255.255.255.255 inside http 192.168.41.102 255.255.255.255 inside http 192.168.42.122 255.255.255.255 inside http 192.168.42.124 255.255.255.255 inside http 192.168.42.133 255.255.255.255 inside http 192.168.42.138 255.255.255.255 inside http 192.168.42.139 255.255.255.255 inside snmp-server group V3Group v3 priv snmp-server user ciscolms V3Group v3 encrypted auth sha 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14: 98:e5 snmp-server user csmadmin V3Group v3 encrypted auth sha 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14: 98:e5 snmp-server host inside 192.168.42.134 version 3 ciscolms snmp-server host inside 192.168.42.139 version 3 ciscolms snmp-server host inside 192.168.42.133 version 3 csmadmin snmp-server location Building SJC-17-1 Aisle 2 Rack 3 snmp-server contact EmployeeA snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps memory-threshold snmp-server enable traps interface-threshold snmp-server enable traps remote-access session-threshold-exceeded snmp-server enable traps connection-limit-reached snmp-server enable traps cpu threshold rising snmp-server enable traps ikev2 start stop snmp-server enable traps nat packet-discard crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh scopy enable ssh 192.168.41.101 255.255.255.255 inside ssh 192.168.41.102 255.255.255.255 inside ssh 192.168.42.122 255.255.255.255 inside ssh 192.168.42.124 255.255.255.255 inside ssh 192.168.42.133 255.255.255.255 inside ssh 192.168.42.138 255.255.255.255 inside ssh 192.168.42.139 255.255.255.255 inside ssh timeout 15 ssh version 2 console timeout 15 management-access inside ! tls-proxy maximum-session 1000 ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 192.168.62.162 source inside ntp server 192.168.62.161 source inside prefer ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 webvpn enable outside anyconnect-essentials internal-password enable smart-tunnel list AllExternalApplications All-Applications * platform windows group-policy DfltGrpPolicy attributes webvpn smart-tunnel enable AllExternalApplications group-policy Retail-PCI internal group-policy Retail-PCI attributes vpn-tunnel-protocol ssl-clientless username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15 username retail password XgJyMnijuEPQSGoY encrypted privilege 15 username emc-ncm password 4gFPrpXqWo/ncR1h encrypted privilege 15 username ciscolms password huo2PmvTsMk6Cv1L encrypted privilege 15 username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes authentication-server-group partnerauth tunnel-group DefaultWEBVPNGroup general-attributes authentication-server-group partnerauth tunnel-group Retail-Lab type remote-access tunnel-group Retail-Lab general-attributes authentication-server-group partnerauth LOCAL default-group-policy Retail-PCI ! class-map inspection_default match default-inspection-traffic class-map global-class-PCI match any ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy description IPS inspection policy for Cisco PCI LAB class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options class global-class-PCI ips inline fail-close policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily password encryption aes Cryptochecksum:d01b4c45ee6507fcc152f2f9e01983b1 : end ASA-IE-1# $ DMZ-IDS-1 ! ------------------------------ ! Current configuration last modified Thu Apr 28 21:34:42 2011 ! ------------------------------ ! Version 7.0(4) ! Host: ! Realm Keys key1.0 ! Signature Definition: ! Signature Update S500.0 2010-07-09 ! ------------------------------ service interface physical-interfaces GigabitEthernet0/7 subinterface-type inline-vlan-pair subinterface 1 description INT1 vlans 83 and 84 vlan1 83 vlan2 84 exit exit exit exit ! ------------------------------ service authentication attemptLimit 6 password-strength size 7-64 digits-min 1 lowercase-min 1 other-min 1 number-old-passwords 4 exit exit ! ------------------------------ service event-action-rules rules0 exit ! ------------------------------ service host network-settings host-ip 192.168.21.93/24,192.168.21.1 host-name DMZ-IDS1 telnet-option disabled access-list 10.19.151.99/32 access-list 192.168.41.101/32 access-list 192.168.41.102/32 access-list 192.168.42.122/32 access-list 192.168.42.124/32 access-list 192.168.42.133/32 access-list 192.168.42.138/32 dns-primary-server enabled address 192.168.42.130 exit dns-secondary-server disabled dns-tertiary-server disabled http-proxy proxy-server address 128.107.241.169 port 80 exit exit time-zone-settings offset -8 standard-time-zone-name PST exit ntp-option enabled-ntp-unauthenticated ntp-server 192.168.62.161 exit summertime-option recurring summertime-zone-name PDT exit exit ! ------------------------------ service logger exit ! ------------------------------ service network-access exit ! ------------------------------ service notification trap-destinations 192.168.42.124 trap-community-name <removed> exit enable-notifications true trap-community-name <removed> exit ! ------------------------------ service signature-definition sig0 exit ! ------------------------------ service ssh-known-hosts exit ! ------------------------------ service trusted-certificates exit ! ------------------------------ service web-server exit ! ------------------------------ service anomaly-detection ad0 exit ! ------------------------------ service external-product-interface exit ! ------------------------------ service health-monitor exit ! ------------------------------ service global-correlation exit ! ------------------------------ service aaa aaa radius primary-server server-address 192.168.42.131 shared-secret <removed> exit nas-id DMZ-IDS1 local-fallback enabled console-authentication radius-and-local default-user-role administrator exit exit ! ------------------------------ service analysis-engine exit DMZ-ASASM ASASM-RIE-3# sh run : Saved : ASA Version 9.1(1) ! hostname ASASM-RIE-3 domain-name cisco-irn.com enable password WKlYt0jXwtQLFcz7 encrypted passwd WKlYt0jXwtQLFcz7 encrypted names dns-guard ! interface Vlan21 nameif inside security-level 100 ip address 192.168.21.10 255.255.255.0 standby 192.168.21.12 ipv6 address 2001:db8:192:21::10/64 standby 2001:db8:192:21::12 ipv6 enable ! interface Vlan22 nameif outside security-level 0 ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2 ipv6 address 2001:db8:192:22::1/64 standby 2001:db8:192:22::3 ipv6 enable ! interface Vlan82 nameif DMZ security-level 20 ip address 192.168.20.25 255.255.255.248 standby 192.168.20.26 ipv6 address 2001:db8:192:20a4::25/64 standby 2001:db8:192:20a4::26 ipv6 enable ! interface Vlan91 description LAN Failover Interface ! interface Vlan92 description STATE Failover Interface ! interface Vlan2305 nameif EmailSecurityAppliance security-level 50 ip address 192.168.23.65 255.255.255.240 standby 192.168.23.66 ipv6 address 2001:db8:192:23a5::65/64 standby 2001:db8:192:23a5::66 ipv6 enable ! interface Vlan2306 nameif EmailSecurityMgrAppliance security-level 60 ip address 192.168.23.81 255.255.255.240 standby 192.168.23.82 ipv6 address 2001:db8:192:23a6::81/64 standby 2001:db8:192:23a6::82 ipv6 enable ! interface Vlan2307 shutdown nameif WebSecurityAppliance security-level 40 ip address 192.168.23.97 255.255.255.240 standby 192.168.23.98 ipv6 address 2001:db8:192:23a7::97/64 standby 2001:db8:192:23a7::98 ipv6 enable ! banner exec WARNING: banner exec ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner exec AUTHORIZED USERS ONLY! banner exec banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY banner exec TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER banner exec REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT banner exec FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. banner exec banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! banner asdm WARNING: banner asdm THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner asdm AUTHORIZED USERS ONLY! banner asdm banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT banner asdm TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY banner asdm TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER banner asdm REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT banner asdm FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER banner asdm CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW banner asdm ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. banner asdm banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS boot system disk0:/asa911-smp-k8.bin boot system disk0:/asa901-smp-k8.bin ftp mode passive dns domain-lookup inside dns server-group DefaultDNS name-server 192.168.42.130 domain-name cisco-irn.com same-security-traffic permit inter-interface object network PrimeLMS host 192.168.42.139 description Cisco Prime LMS object network RIE-1_G0-0-1 host 192.168.22.11 description ASA1002-X object network RIE-1_G0-0-1_ipv6 host 2001:db8:192:22::11 object network RIE-2_G0-0-2 host 192.168.22.12 description ASR1002-x object network RIE-2_G0-0-2_ipv6 host 2001:db8:192:22::12 object network RIE1+2_HSRP_ipv6 host 2001:db8:192:22::10 object network RIE1+2_HSRP host 192.168.22.10 object network ASA-IE-1-outside.cisco-irn.com host 192.168.21.1 object network Bart-Admin99 host 10.19.151.99 object network DMZ-Network-4 subnet 192.168.20.24 255.255.255.248 object network DMZ-Networks subnet 192.168.20.0 255.255.255.0 object network DMZ-VIP-30 host 192.168.20.30 object network DataCenter-Networks subnet 192.168.0.0 255.255.0.0 description Private 1918 block object network EMC-NCM.cisco-irn.com host 192.168.42.122 object network ESA-IE-1.cisco-irn.com host 192.168.23.68 object network ESMA-IE-1.cisco-irn.com host 192.168.23.84 object network EmailSecurityAppliance-Network subnet 192.168.23.64 255.255.255.240 object network EmailSecurityManager-Network subnet 192.168.23.80 255.255.255.240 object network FSU.cisco-irn.com host 192.168.42.138 object network InSide-Network subnet 192.168.21.0 255.255.255.0 object network InternetEdge-Networks subnet 192.168.20.0 255.255.252.0 object network NTP1.cisco-irn.com host 192.168.62.161 object network NTP2.cisco-irn.com host 192.168.62.162 object network OutSide-Network subnet 192.168.22.0 255.255.255.0 object network PAME-DC-1.cisco-irn.com host 192.168.44.111 object network RSA-enVision.cisco-irn.com host 192.168.42.124 object network SRV-DC-1.cisco-irn.com host 192.168.41.101 object network SRV-DC-2.cisco-irn.com host 192.168.41.102 object network Branch-Networks subnet 10.10.0.0 255.255.0.0 object network WebSecurityAppliance-Network subnet 192.168.23.96 255.255.255.240 object network csmanager.cisco-irn.com host 192.168.42.133 object network tacacs.cisco-irn.com host 192.168.42.131 object network ActiveDirectory host 192.168.42.130 object network LABNTP-1.cisco.com host 172.26.129.252 object network LABNTP-2.cisco.com host 172.28.189.1 object network nist-chicago-NoDNS- host 38.106.177.10 description Chicago, Illinois object network nist-time-server.eoni.com host 216.228.192.69 description La Grande, Oregon object network nist.expertsmi.com host 50.77.217.185 description Monroe, Michigan object network nist.netservicesgroup.com host 64.113.32.5 description Southfield, Michigan object network nist.time.nosc.us host 96.226.123.117 description Carrollton, Texas object network nist1-atl.ustiming.org host 64.250.177.145 description Atlanta, Georgia object network nist1-chi.ustiming.org host 216.171.120.36 description Chicago, Illinois object network nist1-la.ustiming.org host 64.147.116.229 description Los Angeles, California object network nist1-lnk.binary.net host 216.229.0.179 description Lincoln, Nebraska object network nist1-lv.ustiming.org host 64.250.229.100 description Las Vegas, Nevada object network nist1-nj.ustiming.org host 96.47.67.105 description Bridgewater, NJ object network nist1-nj2.ustiming.org host 165.193.126.229 description Weehawken, NJ object network nist1-ny.ustiming.org host 64.90.182.55 description New York City, NY object network nist1-pa.ustiming.org host 206.246.122.250 description Hatfield, PA object network nist1-sj.ustiming.org host 216.171.124.36 description San Jose, California object network nist1.aol-ca.symmetricom.com host 207.200.81.113 description Mountain View, California object network nist1.aol-va.symmetricom.com host 64.236.96.53 description Reston, Virginia object network nist1.columbiacountyga.gov host 216.119.63.113 description Columbia County, Georgia object network nist1.symmetricom.com host 69.25.96.13 description San Jose, California object network nist2-nj2.ustiming.org host 165.193.126.232 description Weehawken, NJ object network nisttime.carsoncity.k12.mi.us host 66.219.116.140 description Carson City, Michigan object network ntp-nist.ldsbc.edu host 198.60.73.8 description LDSBC, Salt Lake City, Utah object network time-a.nist.gov host 129.6.15.28 description NIST, Gaithersburg, Maryland object network time-a.timefreq.bldrdoc.gov host 132.163.4.101 description NIST, Boulder, Colorado object network time-b.nist.gov host 129.6.15.29 description NIST, Gaithersburg, Maryland object network time-b.timefreq.bldrdoc.gov host 132.163.4.102 description NIST, Boulder, Colorado object network time-c.timefreq.bldrdoc.gov host 132.163.4.103 description NIST, Boulder, Colorado object network time-d.nist.gov host 2610:20:6f15:15::27 description NIST, Gaithersburg, Maryland object network time-nw.nist.gov host 131.107.13.100 description Microsoft, Redmond, Washington object network utcnist.colorado.edu host 128.138.140.44 description University of Colorado, Boulder object network utcnist2.colorado.edu host 128.138.141.172 description University of Colorado, Boulder object network wwv.nist.gov host 24.56.178.140 description WWV, Fort Collins, Colorado object network ASA-IE-1-outside_ipv6.cisco-irn.com host 2001:db8:192:21::1 object network DMZ-VIP-30_ipv6 host 2001:db8:192:20a4::30 object network CiscoLAB10-Network subnet 10.0.0.0 255.0.0.0 description Private 1918 block object network CiscoLAB171-Network subnet 171.68.0.0 255.255.0.0 description ARIN Block object network CiscoLAB172-Network subnet 172.16.0.0 255.240.0.0 description Private 1918 block object network DMZ-Network-4v6 subnet 2001:db8:192:20a4::/64 object network EmailSecurityAppliance-Networkv6 subnet 2001:db8:192:23a5::/64 object network EmailSecurityManager-Networkv6 subnet 2001:db8:192:23a6::/64 object network InSide-Networkv6 subnet 2001:db8:192:21::/64 object network OutSide-Networkv6 subnet 2001:db8:192:22::/64 object network WebSecurityAppliance-Networkv6 subnet 2001:db8:192:23a7::/64 object network ESA-IE-1.cisco-irn.com_ipv6 host 2001:db8:192:23a5::68 object network ESMA-IE-1.cisco-irn.com_ipv6 host 2001:db8:192:23a6::84 object network WSA-IE-1.cisco-irn.com host 192.168.23.100 object network WSA-IE-1.cisco-irn.com_ipv6 host 2001:db8:192:23a7::100 object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply icmp-object information-reply icmp-object redirect icmp-object time-exceeded icmp-object traceroute object-group network DM_INLINE_NETWORK_27 network-object object ESA-IE-1.cisco-irn.com network-object object ESA-IE-1.cisco-irn.com_ipv6 object-group protocol ICMP-v6 protocol-object icmp6 object-group network DM_INLINE_NETWORK_20 network-object object ESA-IE-1.cisco-irn.com network-object object ESA-IE-1.cisco-irn.com_ipv6 object-group service DM_INLINE_SERVICE_1 service-object tcp destination eq https service-object tcp destination eq ssh object-group network NTP-Servers description NTP Servers network-object object NTP1.cisco-irn.com network-object object NTP2.cisco-irn.com network-object object ActiveDirectory object-group network DM_INLINE_NETWORK_6 network-object object EmailSecurityAppliance-Network network-object object EmailSecurityManager-Network network-object object WebSecurityAppliance-Network object-group service RDP tcp port-object eq 3389 object-group service vCenter-to-ESX4 tcp description Communication from vCetner to ESX hosts port-object eq 5989 port-object eq 8000 port-object eq 902 port-object eq 903 object-group service DM_INLINE_TCP_2 tcp group-object RDP port-object eq https port-object eq ssh group-object vCenter-to-ESX4 object-group service DM_INLINE_UDP_1 udp port-object eq 1812 port-object eq 1813 object-group service DM_INLINE_UDP_2 udp port-object eq 1812 port-object eq 1813 object-group network DM_INLINE_NETWORK_2 network-object object EMC-NCM.cisco-irn.com network-object object PrimeLMS network-object object csmanager.cisco-irn.com object-group service DM_INLINE_UDP_3 udp port-object eq 1812 port-object eq 1813 object-group network DM_INLINE_NETWORK_21 network-object object Branch-Networks network-object object DataCenter-Networks object-group service DM_INLINE_TCP_3 tcp port-object eq https port-object eq smtp port-object eq ssh object-group network DM_INLINE_NETWORK_22 network-object object Branch-Networks network-object object DataCenter-Networks object-group network DM_INLINE_NETWORK_23 network-object object Branch-Networks network-object object DataCenter-Networks object-group network Admin-Systems network-object object PrimeLMS network-object object Bart-Admin99 network-object object EMC-NCM.cisco-irn.com network-object object RSA-enVision.cisco-irn.com network-object object SRV-DC-1.cisco-irn.com network-object object SRV-DC-2.cisco-irn.com network-object object csmanager.cisco-irn.com object-group network DM_INLINE_NETWORK_24 network-object object Branch-Networks network-object object DataCenter-Networks object-group service DM_INLINE_TCP_4 tcp port-object eq https port-object eq ssh object-group service DM_INLINE_TCP_5 tcp port-object eq 1080 port-object eq 8080 port-object eq 8443 port-object eq www port-object eq https port-object eq ssh object-group network DM_INLINE_NETWORK_25 network-object object RIE-1_G0-0-1 network-object object RIE-2_G0-0-2 object-group network DM_INLINE_NETWORK_26 network-object object RIE-1_G0-0-1 network-object object RIE-2_G0-0-2 object-group network DM_INLINE_NETWORK_3 network-object object DataCenter-Networks network-object object Branch-Networks object-group network NTP-PublicServers description Public time.nist.gov servers network-object object LABNTP-1.cisco.com network-object object LABNTP-2.cisco.com network-object object nist-chicago-NoDNS- network-object object nist-time-server.eoni.com network-object object nist.expertsmi.com network-object object nist.netservicesgroup.com network-object object nist.time.nosc.us network-object object nist1-atl.ustiming.org network-object object nist1-chi.ustiming.org network-object object nist1-la.ustiming.org network-object object nist1-lnk.binary.net network-object object nist1-lv.ustiming.org network-object object nist1-nj.ustiming.org network-object object nist1-nj2.ustiming.org network-object object nist1-ny.ustiming.org network-object object nist1-pa.ustiming.org network-object object nist1-sj.ustiming.org network-object object nist1.aol-ca.symmetricom.com network-object object nist1.aol-va.symmetricom.com network-object object nist1.columbiacountyga.gov network-object object nist1.symmetricom.com network-object object nist2-nj2.ustiming.org network-object object nisttime.carsoncity.k12.mi.us network-object object ntp-nist.ldsbc.edu network-object object time-a.nist.gov network-object object time-a.timefreq.bldrdoc.gov network-object object time-b.nist.gov network-object object time-b.timefreq.bldrdoc.gov network-object object time-c.timefreq.bldrdoc.gov network-object object time-d.nist.gov network-object object time-nw.nist.gov network-object object utcnist.colorado.edu network-object object utcnist2.colorado.edu network-object object wwv.nist.gov object-group network DM_INLINE_NETWORK_4 network-object object DMZ-VIP-30 network-object object DMZ-VIP-30_ipv6 object-group network DM_INLINE_NETWORK_5 network-object object ASA-IE-1-outside.cisco-irn.com network-object object ASA-IE-1-outside_ipv6.cisco-irn.com object-group network DM_INLINE_NETWORK_7 network-object object DataCenter-Networks network-object object Branch-Networks object-group service DM_INLINE_TCP_1 tcp group-object RDP port-object eq www port-object eq https port-object eq ssh group-object vCenter-to-ESX4 port-object eq 1080 port-object eq 8080 port-object eq 8443 port-object eq 8444 port-object eq 8880 object-group network DM_INLINE_NETWORK_8 network-object object CiscoLAB10-Network network-object object CiscoLAB171-Network network-object object CiscoLAB172-Network object-group network DM_INLINE_NETWORK_9 network-object object CiscoLAB10-Network network-object object CiscoLAB171-Network network-object object CiscoLAB172-Network object-group network DM_INLINE_NETWORK_1 network-object object WSA-IE-1.cisco-irn.com network-object object WSA-IE-1.cisco-irn.com_ipv6 object-group network DM_INLINE_NETWORK_10 network-object object ESMA-IE-1.cisco-irn.com network-object object ESMA-IE-1.cisco-irn.com_ipv6 object-group network DM_INLINE_NETWORK_11 network-object object WSA-IE-1.cisco-irn.com network-object object WSA-IE-1.cisco-irn.com_ipv6 object-group network DM_INLINE_NETWORK_12 network-object object ESMA-IE-1.cisco-irn.com network-object object ESMA-IE-1.cisco-irn.com_ipv6 object-group network DM_INLINE_NETWORK_13 network-object object ESA-IE-1.cisco-irn.com network-object object ESA-IE-1.cisco-irn.com_ipv6 object-group network DM_INLINE_NETWORK_14 network-object object WebSecurityAppliance-Network network-object object WebSecurityAppliance-Networkv6 object-group network DM_INLINE_NETWORK_15 network-object object DataCenter-Networks network-object object Branch-Networks object-group network DM_INLINE_NETWORK_16 network-object object EmailSecurityManager-Network network-object object EmailSecurityManager-Networkv6 object-group network DM_INLINE_NETWORK_17 network-object object DataCenter-Networks network-object object Branch-Networks object-group network DM_INLINE_NETWORK_18 network-object object EmailSecurityAppliance-Network network-object object EmailSecurityAppliance-Networkv6 object-group network DM_INLINE_NETWORK_19 network-object object DataCenter-Networks network-object object Branch-Networks object-group service DM_INLINE_SERVICE_2 service-object tcp-udp destination eq domain service-object tcp destination eq smtp object-group service DM_INLINE_SERVICE_3 service-object tcp-udp destination eq domain service-object tcp destination eq www service-object tcp destination eq https object-group service DM_INLINE_SERVICE_4 service-object tcp-udp destination eq domain service-object tcp destination eq smtp object-group service DM_INLINE_SERVICE_5 service-object tcp-udp destination eq domain service-object tcp destination eq www service-object tcp destination eq https object-group service DM_INLINE_SERVICE_6 service-object tcp-udp destination eq domain service-object tcp destination eq smtp object-group service DM_INLINE_SERVICE_7 service-object tcp-udp destination eq domain service-object tcp destination eq smtp object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list Ironport-ESA_IN remark IPv6 Discovery-opperation access-list Ironport-ESA_IN extended permit object-group ICMP-v6 any6 any6 access-list Ironport-ESA_IN remark Block traffic from DMZ to Internal networks access-list Ironport-ESA_IN extended deny object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_18 object-group DM_INLINE_NETWORK_19 access-list Ironport-ESA_IN remark DNS lookup and Mail to Internet access-list Ironport-ESA_IN extended permit object-group DM_INLINE_SERVICE_4 object-group DM_INLINE_NETWORK_27 any access-list Ironport-ESA_IN remark Network Time access-list Ironport-ESA_IN extended permit udp object-group DM_INLINE_NETWORK_13 object-group NTP-PublicServers eq ntp access-list Ironport-ESA_IN remark Logging access-list Ironport-ESA_IN extended permit udp object ESA-IE-1.cisco-irn.com object RSA-enVision.cisco-irn.com eq syslog access-list Ironport-ESA_IN remark Authentication access-list Ironport-ESA_IN extended permit udp object ESA-IE-1.cisco-irn.com object tacacs.cisco-irn.com object-group DM_INLINE_UDP_1 access-list DMZ-WebServers_IN remark IPv6 Discovery-opperation access-list DMZ-WebServers_IN extended permit object-group ICMP-v6 any6 any6 access-list DMZ-WebServers_IN remark Logging access-list DMZ-WebServers_IN extended permit udp object DMZ-Networks object RSA-enVision.cisco-irn.com eq syslog access-list DMZ-WebServers_IN remark Authentication access-list DMZ-WebServers_IN extended permit tcp object DMZ-Networks object tacacs.cisco-irn.com eq tacacs access-list DMZ-WebServers_IN remark Network Time access-list DMZ-WebServers_IN extended permit udp object DMZ-Networks object-group NTP-PublicServers eq ntp access-list Ironport-ESMA_IN remark IPv6 Discovery-opperation access-list Ironport-ESMA_IN extended permit object-group ICMP-v6 any6 any6 access-list Ironport-ESMA_IN remark Block traffic from DMZ to Internal networks access-list Ironport-ESMA_IN extended deny object-group DM_INLINE_SERVICE_6 object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_17 access-list Ironport-ESMA_IN remark DNS Lookup and Mail relay access-list Ironport-ESMA_IN extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_10 any access-list Ironport-ESMA_IN remark Network Time access-list Ironport-ESMA_IN extended permit udp object-group DM_INLINE_NETWORK_12 object-group NTP-PublicServers eq ntp access-list Ironport-ESMA_IN remark Logging access-list Ironport-ESMA_IN extended permit udp object ESMA-IE-1.cisco-irn.com object RSA-enVision.cisco-irn.com eq syslog access-list Ironport-ESMA_IN remark Authentication access-list Ironport-ESMA_IN extended permit udp object ESMA-IE-1.cisco-irn.com object tacacs.cisco-irn.com object-group DM_INLINE_UDP_2 access-list INSIDE remark Admin Access to DMZ access-list INSIDE extended permit tcp object-group Admin-Systems object InternetEdge-Networks object-group DM_INLINE_TCP_2 access-list INSIDE remark Manage DMZ Devices access-list INSIDE extended permit udp object-group DM_INLINE_NETWORK_2 object InternetEdge-Networks eq snmp access-list INSIDE remark Network Time access-list INSIDE extended permit udp object-group NTP-Servers object-group NTP-PublicServers eq ntp access-list INSIDE remark Allow Access to services for Ironport Apps access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_3 access-list INSIDE remark Allow Secure traffic to DMZ access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_21 object DMZ-VIP-30 object-group DM_INLINE_TCP_4 access-list INSIDE remark - Block non-secure traffic to DMZ access-list INSIDE extended deny ip any object InternetEdge-Networks log access-list INSIDE remark Allow outbound services for Internet access-list INSIDE extended permit icmp object-group DM_INLINE_NETWORK_23 any object-group DM_INLINE_ICMP_1 access-list INSIDE remark General Internet Browsing access-list INSIDE extended permit tcp object-group DM_INLINE_NETWORK_24 any object-group DM_INLINE_TCP_5 access-list INSIDE remark DNS Services access-list INSIDE extended permit object-group TCPUDP object ActiveDirectory any eq domain access-list INSIDE remark Drop and Log all other traffic - END-OF-LINE access-list INSIDE extended deny ip any any log access-list OUTSIDE remark IPv6 Discovery-opperation access-list OUTSIDE extended permit object-group ICMP-v6 any6 any6 access-list OUTSIDE remark Allow traffic to DMZ e-commerce Server access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_4 access-list OUTSIDE remark Mail to Ironport access-list OUTSIDE extended permit tcp any object-group DM_INLINE_NETWORK_20 eq smtp access-list OUTSIDE remark Remote Access SSL VPN access-list OUTSIDE extended permit tcp any object-group DM_INLINE_NETWORK_5 eq https access-list OUTSIDE remark Allow traffic from edge routers - RIE-1 access-list OUTSIDE extended permit udp object-group DM_INLINE_NETWORK_25 object RSA-enVision.cisco-irn.com eq syslog access-list OUTSIDE remark Allow traffic from edge routers - RIE-1 access-list OUTSIDE extended permit tcp object-group DM_INLINE_NETWORK_26 object tacacs.cisco-irn.com eq tacacs access-list OUTSIDE remark ====LAB ACCESS to TEST===REMOVE=== access-list OUTSIDE extended permit icmp object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_7 access-list OUTSIDE remark ====LAB ACCESS TO TEST===REMOVE==== access-list OUTSIDE extended permit tcp object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_TCP_1 access-list OUTSIDE remark Drop all other traffic access-list OUTSIDE extended deny ip any any log access-list Ironport-WSA_IN remark IPv6 Discovery-opperation access-list Ironport-WSA_IN extended permit object-group ICMP-v6 any6 any6 access-list Ironport-WSA_IN remark Block traffic from DMZ to Internal networks access-list Ironport-WSA_IN extended deny object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_14 object-group DM_INLINE_NETWORK_15 access-list Ironport-WSA_IN remark DNS Lookup, Web Surfing access-list Ironport-WSA_IN extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_11 any access-list Ironport-WSA_IN remark Network Time access-list Ironport-WSA_IN extended permit udp object-group DM_INLINE_NETWORK_1 object-group NTP-PublicServers eq ntp access-list Ironport-WSA_IN remark Logging access-list Ironport-WSA_IN extended permit udp object WSA-IE-1.cisco-irn.com object RSA-enVision.cisco-irn.com eq syslog access-list Ironport-WSA_IN remark Authentication access-list Ironport-WSA_IN extended permit udp object WSA-IE-1.cisco-irn.com object tacacs.cisco-irn.com object-group DM_INLINE_UDP_3 pager lines 24 logging enable logging standby logging buffer-size 1048576 logging asdm-buffer-size 512 logging asdm informational logging host inside 192.168.42.124 mtu inside 1500 mtu outside 1500 mtu DMZ 1500 mtu EmailSecurityAppliance 1500 mtu EmailSecurityMgrAppliance 1500 mtu WebSecurityAppliance 1500 failover failover lan unit primary failover lan interface failover Vlan91 failover link statelink Vlan92 failover interface ip failover 192.168.20.13 255.255.255.252 standby 192.168.20.14 failover interface ip statelink 192.168.20.33 255.255.255.252 standby 192.168.20.34 icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any outside icmp permit any DMZ icmp permit any EmailSecurityAppliance icmp permit any EmailSecurityMgrAppliance icmp permit any WebSecurityAppliance asdm image disk0:/asdm-711.bin asdm history enable arp timeout 14400 no arp permit-nonconnected access-group INSIDE in interface inside access-group OUTSIDE in interface outside access-group DMZ-WebServers_IN in interface DMZ access-group Ironport-ESA_IN in interface EmailSecurityAppliance access-group Ironport-ESMA_IN in interface EmailSecurityMgrAppliance access-group Ironport-WSA_IN in interface WebSecurityAppliance ipv6 route DMZ 2001:db8:192:20a1::/64 2001:db8:192:20a4::28 ipv6 route outside ::/0 2001:db8:192:22::10 route outside 0.0.0.0 0.0.0.0 192.168.22.10 1 route inside 10.10.0.0 255.255.0.0 192.168.21.1 1 route outside 10.10.0.0 255.255.255.0 192.168.22.10 1 route outside 10.10.3.0 255.255.255.0 192.168.22.11 1 route outside 10.10.4.0 255.255.255.0 192.168.22.12 1 route inside 192.168.0.0 255.255.0.0 192.168.21.1 1 route DMZ 192.168.20.0 255.255.255.248 192.168.20.28 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server COMPLIANCE protocol tacacs+ reactivation-mode depletion deadtime 15 max-failed-attempts 5 aaa-server COMPLIANCE (inside) host 192.168.42.131 key * user-identity default-domain LOCAL aaa authentication enable console COMPLIANCE LOCAL aaa authentication http console COMPLIANCE LOCAL aaa authentication ssh console COMPLIANCE LOCAL aaa authentication serial console COMPLIANCE LOCAL aaa authorization command COMPLIANCE LOCAL aaa accounting enable console COMPLIANCE aaa accounting serial console COMPLIANCE aaa accounting ssh console COMPLIANCE aaa accounting command privilege 15 COMPLIANCE aaa authentication secure-http-client aaa local authentication attempts max-fail 6 aaa authorization exec authentication-server http server enable http server idle-timeout 15 http server session-timeout 15 http 192.168.41.101 255.255.255.255 inside http 192.168.41.102 255.255.255.255 inside http 192.168.42.122 255.255.255.255 inside http 192.168.42.124 255.255.255.255 inside http 192.168.42.133 255.255.255.255 inside http 192.168.42.138 255.255.255.255 inside http 192.168.42.139 255.255.255.255 inside snmp-server group Authentication&Encryption v3 priv snmp-server user ciscolms Authentication&Encryption v3 encrypted auth sha 22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17 priv aes 256 22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17:14:95:f7:2f:f8:6a:ee:62:d6:03: 7f:db snmp-server user csmadmin Authentication&Encryption v3 encrypted auth sha 22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17 priv aes 256 22:c2:d0:4d:34:22:54:cd:e7:15:55:63:70:0e:b9:49:c6:09:75:17:14:95:f7:2f:f8:6a:ee:62:d6:03: 7f:db snmp-server host inside 192.168.42.134 version 3 ciscolms snmp-server host inside 192.168.42.139 version 3 ciscolms snmp-server host inside 192.168.42.133 version 3 csmadmin no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart no snmp-server enable crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh scopy enable ssh 192.168.41.101 255.255.255.255 inside ssh 192.168.41.102 255.255.255.255 inside ssh 192.168.42.122 255.255.255.255 inside ssh 192.168.42.124 255.255.255.255 inside ssh 192.168.42.133 255.255.255.255 inside ssh 192.168.42.138 255.255.255.255 inside ssh 192.168.42.139 255.255.255.255 inside ssh timeout 15 ssh version 2 console timeout 15 ! tls-proxy maximum-session 1000 ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ssl encryption aes256-sha1 aes128-sha1 3des-sha1 username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15 username retail password XgJyMnijuEPQSGoY encrypted privilege 15 username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15 ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly 8 subscribe-to-alert-group configuration periodic monthly 8 subscribe-to-alert-group telemetry periodic daily Cryptochecksum:3461835c1b952f647c39ea90dc41d8b4 : end DMZ-ACE-1 ACE1/Admin# sh run Generating configuration.... logging enable logging timestamp logging trap 6 logging buffered 6 logging device-id context-name logging host 192.168.42.124 udp/514 logging rate-limit 1 120 message 302027 login timeout 15 hostname ACE1 boot system image:c6ace-t1k9-mz.A5_1_2.bin resource-class Gold limit-resource all minimum 0.00 maximum unlimited limit-resource conc-connections minimum 10.00 maximum unlimited limit-resource sticky minimum 10.00 maximum unlimited tacacs-server host 192.168.42.131 key 7 "uaxfalkha" aaa group server tacacs+ COMPLIANCE server 192.168.42.131 clock timezone standard PST clock summer-time standard PDT aaa authentication login default group COMPLIANCE local aaa authentication login console group COMPLIANCE local aaa accounting default group COMPLIANCE local class-map type management match-any remote-mgmt 9 match protocol ssh source-address 192.168.41.102 255.255.255.255 10 match protocol ssh source-address 192.168.42.131 255.255.255.255 30 match protocol icmp any 32 match protocol ssh source-address 192.168.41.101 255.255.255.255 33 match protocol ssh source-address 192.168.42.111 255.255.255.255 34 match protocol ssh source-address 192.168.42.122 255.255.255.255 35 match protocol ssh source-address 192.168.42.124 255.255.255.255 36 match protocol ssh source-address 192.168.42.133 255.255.255.255 37 match protocol ssh source-address 192.168.42.138 255.255.255.255 policy-map type management first-match remote-access class remote-mgmt permit interface vlan 21 ip address 192.168.21.95 255.255.255.0 service-policy input remote-access no shutdown ft interface vlan 85 ip address 192.168.20.9 255.255.255.252 peer ip address 192.168.20.10 255.255.255.252 no shutdown ft peer 1 heartbeat interval 300 heartbeat count 10 ft-interface vlan 85 ft group 11 peer 1 priority 110 peer priority 105 associate-context Admin inservice domain cisco-irn.com ip route 0.0.0.0 0.0.0.0 192.168.21.1 context PCI allocate-interface vlan 82-83 allocate-interface vlan 95 ft group 10 peer 1 priority 110 peer priority 105 associate-context PCI inservice username admin password 5 $1$nCzsvkY0$QKCSN2jtbE8nsgxxeHMKe1 role Admin domain default-domain username www password 5 $1$.4drq4sB$qBpfZsTgtJufI865poqTr1 role Admin domain default-domain username csmadmin password 5 $1$1VYOv92B$VMTmZoUY0NNcYV1paA1eo0 role Admin domain default-domain cisco-irn.com username bmcgloth password 5 $1$IVI7Dovp$tGZ11k6CUpxTAfuI.pAax/ role Admin domain default-domain cisco-irn.com username lmsadmin password 5 $1$vnpXp4FR$KrnWUl8lwQYbyxmcKOGc5. role Admin domain default-domain cisco-irn.com ssh key rsa 2048 force ACE1/Admin# DMZ-ACE-1_PCI ACE1/PCI# sh run Generating configuration.... logging enable logging timestamp logging buffered 7 logging monitor 7 logging device-id context-name logging host 192.168.42.124 udp/514 logging rate-limit 1 120 message 302027 login timeout 15 tacacs-server host 192.168.42.131 key 7 "uaxfalkha" aaa group server tacacs+ COMPLIANCE server 192.168.42.131 aaa authentication login default group COMPLIANCE local aaa authentication login console group COMPLIANCE local aaa accounting default group COMPLIANCE local access-list in2out line 10 extended permit ip host 192.168.20.2 any access-list in2out line 12 extended permit ip host 192.168.20.1 any access-list in2out line 15 extended deny ip any any access-list out2in line 10 extended permit tcp any host 192.168.20.1 eq ssh access-list out2in line 11 extended permit tcp any host 192.168.20.2 eq ssh access-list out2in line 12 extended permit tcp any host 192.168.20.1 eq https access-list out2in line 13 extended permit tcp any host 192.168.20.2 eq https access-list out2in line 14 extended permit icmp any host 192.168.20.1 access-list out2in line 15 extended permit icmp any host 192.168.20.2 access-list out2in line 16 extended deny ip any any access-list out2in_ipv6 line 8 extended permit icmpv6 anyv6 host 2001:db8:192:20a1::1 access-list out2in_ipv6 line 16 extended permit tcp anyv6 host 2001:db8:192:20a1::1 eq ssh access-list out2in_ipv6 line 24 extended permit tcp anyv6 host 2001:db8:192:20a1::1 eq https probe icmp ICMP interval 2 faildetect 2 passdetect count 2 rserver host ECOM ip address 192.168.20.2 inservice serverfarm host PCI-ECOM predictor leastconns probe ICMP rserver ECOM inservice class-map match-any ECOMVIP 5 match virtual-address 2001:db8:192:20a1::1 tcp eq 22 6 match virtual-address 2001:db8:192:20a1::1 tcp eq https class-map match-any ECOMVIP_v4 3 match virtual-address 192.168.20.1 tcp eq 22 4 match virtual-address 192.168.20.1 tcp eq https class-map type management match-any MANAGEMENT 7 match protocol icmp any 8 match protocol ssh source-address 192.168.41.101 255.255.255.255 9 match protocol ssh source-address 192.168.41.102 255.255.255.255 10 match protocol ssh source-address 192.168.42.111 255.255.255.255 11 match protocol ssh source-address 192.168.42.122 255.255.255.255 12 match protocol ssh source-address 192.168.42.124 255.255.255.255 13 match protocol ssh source-address 192.168.42.131 255.255.255.255 14 match protocol ssh source-address 192.168.42.133 255.255.255.255 15 match protocol ssh source-address 192.168.42.138 255.255.255.255 16 match protocol ssh source-address 192.168.42.139 255.255.255.255 class-map type management match-all V6-MGMT 2 match protocol icmpv6 anyv6 policy-map type management first-match MGMT class MANAGEMENT permit class V6-MGMT permit policy-map type loadbalance first-match ECOMPOLICY class class-default serverfarm PCI-ECOM nat dynamic 2 vlan 83 serverfarm primary insert-http x-forward-for header-value "%is" policy-map type loadbalance first-match ECOMPOLICY_v4 class class-default serverfarm PCI-ECOM policy-map multi-match ECOM_MATCH class ECOMVIP loadbalance vip inservice loadbalance policy ECOMPOLICY loadbalance vip icmp-reply active class ECOMVIP_v4 loadbalance vip inservice loadbalance policy ECOMPOLICY_v4 loadbalance vip icmp-reply active interface vlan 82 description ACE_outside ipv6 enable ip address 2001:db8:192:20a4::28/64 ip address 192.168.20.28 255.255.255.248 alias 192.168.20.30 255.255.255.248 peer ip address 192.168.20.29 255.255.255.248 access-group input out2in access-group input out2in_ipv6 service-policy input ECOM_MATCH service-policy input MGMT no shutdown interface vlan 83 description ACE_inside ip address 192.168.20.4 255.255.255.248 alias 192.168.20.6 255.255.255.248 peer ip address 192.168.20.5 255.255.255.248 access-group input in2out nat-pool 2 192.168.20.3 192.168.20.3 netmask 255.255.255.248 no shutdown domain cisco-irn.com ip route 0.0.0.0 0.0.0.0 192.168.20.25 ip route ::/0 2001:db8:192:20a4::25 username csmadmin password 5 $1$1VYOv92B$VMTmZoUY0NNcYV1paA1eo0 role Admin domain default-domain cisco-irn.com username bmcgloth password 5 $1$IVI7Dovp$tGZ11k6CUpxTAfuI.pAax/ role Admin domain default-domain cisco-irn.com username lmsadmin password 5 $1$vnpXp4FR$KrnWUl8lwQYbyxmcKOGc5. role Admin domain default-domain cisco-irn.com ACE1/PCI# RIE-3 Building configuration... Current configuration : 14480 bytes ! ! Last configuration change at 08:57:09 PST Thu Dec 6 2012 by bmcgloth ! NVRAM config last updated at 08:57:11 PST Thu Dec 6 2012 by bmcgloth ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers service counters max age 5 ! hostname RIE-3 ! boot-start-marker boot system flash disk0:/s72033-adventerprisek9-mz.151-1.SY.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 51200 logging cns-events enable secret 5 <removed> enable password 7 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common svclc multiple-vlan-interfaces svclc module 3 vlan-group 21,82,83,85 svclc vlan-group 21 21 svclc vlan-group 82 82 svclc vlan-group 83 83 svclc vlan-group 85 85 firewall multiple-vlan-interfaces firewall module 7 vlan-group 21,82,200,300 firewall vlan-group 200 22,2305-2307 firewall vlan-group 300 91,92 intrusion-detection module 2 management-port access-vlan 21 intrusion-detection module 2 data-port 1 trunk allowed-vlan 21,83,84,421 clock timezone PST -8 clock summer-time PSTDST recurring vtp mode transparent ! ! no ip bootp server ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ipv6 multicast rpf use-bgp mls netflow interface no mls acl tcam share-global mls cef error action freeze password encryption aes ! crypto pki trustpoint TP-self-signed-1014 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1014 revocation-check none rsakeypair TP-self-signed-1014 ! ! crypto pki certificate chain TP-self-signed-1014 certificate self-signed 01 3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 2B312930 27060355 04031320 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31303134 301E170D 31313032 31323030 35393332 5A170D32 30303130 31303030 3030305A 302B3129 30270603 55040313 20494F53 2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D313031 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100BD3E 21BA6626 B7F82E4E 6B794439 27C36926 27B198DA D92E879D A437284D 4076D650 F671EA49 CC7A9DA4 BC96B207 7807450D A55F5A9B 85CACE8E E9B85199 B84525E5 FBC82F1D 733A1942 C47E1F87 87E1026B CD22859C 52307096 B3A6EEEB BCCB3C20 7F39EBCF 6729C4FC A13306CF 90815A20 CFA00678 E0856486 3BC8BB88 D51D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603 551D1104 17301582 13524945 2D332E63 6973636F 2D69726E 2E636F6D 301F0603 551D2304 18301680 14E7FF36 6947643E 752F921F 7674D7DE F1370E50 C6301D06 03551D0E 04160414 E7FF3669 47643E75 2F921F76 74D7DEF1 370E50C6 300D0609 2A864886 F70D0101 04050003 81810080 3C7C2250 36EB62DD 12772E91 E3A2CB7D 3D175E31 611404A1 947D97EA 37E4A5B5 8E888072 B765C977 08C0108C 34FD4AE5 D642F10D 839BE779 F6F2E03F 581EC8E1 012FA710 583A0E9E B97CCFC0 16AB39CE B8E7A5AB E42C38EB 33CD9F4C 1D9D5666 1EF8DC52 22C084B1 1C33DB38 0C9E2045 6EBD8BCD B779B172 0B5BE8F5 E5D9DB quit ! ! ! ! ! ! ! ! ! no power enable module 4 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! diagnostic bootup level minimal ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys ! spanning-tree mode pvst spanning-tree extend system-id ! redundancy main-cpu auto-sync running-config mode sso ! vlan internal allocation policy ascending vlan access-log ratelimit 2000 ! vlan 21 name asasm_inside ! vlan 22 name asasm_outside ! vlan 82 name asasm_Loadbalance_top ! vlan 83 name Loadbalance_bottom ! vlan 84 name Servers ! vlan 85 name Loadbalance_sync ! vlan 91 name asasm_failover ! vlan 92 name asasm_statelink ! vlan 421 name ASASM-to-IDSM ! vlan 993 name Management ! vlan 995 name DMZ_Management ! vlan 2305 name asasm_EmailSecurityAppliance ! vlan 2306 name asasm_EmailSecurityMgrAppliance ! vlan 2307 name asasm_WebSecApp ! ip ssh version 2 ip scp server enable ! ! ! ! ! crypto isakmp policy 10 authentication pre-share crypto isakmp key <removed> address 128.107.147.109 ! ! crypto ipsec transform-set to_fred esp-des esp-md5-hmac mode tunnel ! ! ! crypto map myvpn 10 ipsec-isakmp set peer 128.107.147.109 set transform-set to_fred match address 101 ! ! ! ! ! interface Port-channel99 switchport switchport trunk encapsulation dot1q switchport mode trunk ! interface Tunnel0 ip address 172.26.0.1 255.255.255.0 tunnel source Vlan21 tunnel destination 128.107.147.109 ! interface GigabitEthernet1/1 description RIE-1 G0/1 switchport switchport access vlan 22 ! interface GigabitEthernet1/2 description RIE-2 G0/1 switchport switchport access vlan 22 ! interface GigabitEthernet1/3 no ip address ! interface GigabitEthernet1/4 no ip address ! interface GigabitEthernet1/5 description ASA-IE-1 G0 switchport switchport access vlan 21 ! interface GigabitEthernet1/6 no ip address ! interface GigabitEthernet1/7 no ip address ! interface GigabitEthernet1/8 no ip address ! interface GigabitEthernet1/9 no ip address ! interface GigabitEthernet1/10 no ip address ! interface GigabitEthernet1/11 no ip address ! interface GigabitEthernet1/12 no ip address ! interface GigabitEthernet1/13 description ESA-IE-1 port M switchport switchport access vlan 2306 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/14 description ESA-IE-1 port D1 switchport switchport access vlan 2306 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/15 description ESA-IE-1 port D2 switchport switchport access vlan 2306 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/16 description ESA-IE-1 port D3 switchport switchport access vlan 2306 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/17 description WSA-IE-1 port P1 no ip address ! interface GigabitEthernet1/18 description WSA-IE-1 port P2 no ip address ! interface GigabitEthernet1/19 description WSA-IE-1 port T1 no ip address ! interface GigabitEthernet1/20 description WSA-IE-1 port T2 no ip address ! interface GigabitEthernet1/21 description ESA-IE-1 port M switchport switchport access vlan 2305 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/22 description ESA-IE-1 port D1 switchport switchport access vlan 2305 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/23 description ESA-IE-1 port D2 switchport switchport access vlan 2305 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/24 description ESA-IE-1 port D3 switchport switchport access vlan 2305 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/25 description WSA-IE-1 port M switchport switchport access vlan 2307 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet1/26 no ip address ! interface GigabitEthernet1/27 no ip address ! interface GigabitEthernet1/28 no ip address ! interface GigabitEthernet1/29 no ip address ! interface GigabitEthernet1/30 no ip address ! interface GigabitEthernet1/31 no ip address ! interface GigabitEthernet1/32 no ip address ! interface GigabitEthernet1/33 no ip address ! interface GigabitEthernet1/34 no ip address ! interface GigabitEthernet1/35 no ip address ! interface GigabitEthernet1/36 no ip address ! interface GigabitEthernet1/37 no ip address ! interface GigabitEthernet1/38 no ip address ! interface GigabitEthernet1/39 no ip address ! interface GigabitEthernet1/40 no ip address ! interface GigabitEthernet1/41 no ip address ! interface GigabitEthernet1/42 no ip address ! interface GigabitEthernet1/43 no ip address ! interface GigabitEthernet1/44 no ip address ! interface GigabitEthernet1/45 no ip address ! interface GigabitEthernet1/46 no ip address ! interface GigabitEthernet1/47 description UPLINK from SIE-1 switchport switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/48 description UPLINK from SIE-2 switchport switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet5/1 switchport switchport trunk encapsulation dot1q switchport mode trunk channel-group 99 mode active ! interface GigabitEthernet5/2 switchport switchport trunk encapsulation dot1q switchport mode trunk channel-group 99 mode active ! interface Vlan1 no ip address ! interface Vlan21 description RIE-3 Management ip address 192.168.21.91 255.255.255.0 crypto map myvpn ! no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ip route 0.0.0.0 0.0.0.0 192.168.21.10 ip route 10.10.0.0 255.255.0.0 192.168.21.1 ip route 10.10.0.0 255.255.252.0 192.168.21.10 ip route 10.10.192.0 255.255.240.0 172.26.0.2 ip route 192.168.0.0 255.255.0.0 192.168.21.1 ip route 192.168.23.0 255.255.255.0 192.168.21.10 ip tacacs source-interface Vlan21 ! ! logging trap debugging logging source-interface Vlan21 logging host 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 192.168.42.139 log access-list 23 permit 10.19.151.104 log access-list 23 permit 10.19.151.102 log access-list 23 permit 10.19.151.103 log access-list 23 permit 10.19.151.100 log access-list 23 permit 10.19.151.101 log access-list 23 permit 10.19.151.98 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.122 log access-list 88 deny any log access-list 101 permit gre host 192.168.21.91 host 128.107.147.109 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 23 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps hsrp snmp-server enable traps mac-notification move threshold change snmp-server enable traps ipsla snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps errdisable snmp-server host 192.168.42.124 <removed> tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! ! control-plane ! ! dial-peer cor custom ! banner exec ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ! scheduler allocate 20000 1000 ntp source Vlan21 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 ! end Branch Large Branch R-A2-LRG-1 ! ! Last configuration change at 00:54:49 PST Sat Apr 30 2011 by retail ! NVRAM config last updated at 00:54:49 PST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname R-A2-Lrg-1 ! boot-start-marker boot system flash0 c3900-universalk9-mz.SPA.151-3.T.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common ! clock timezone PST -8 0 clock summer-time PST recurring ! crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-72006796 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-72006796 revocation-check none ! ! crypto pki certificate chain TP-self-signed-72006796 certificate self-signed 03 <removed> quit no ipv6 cef no ip source-route ip cef ! ! ! ip multicast-routing ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ip port-map user-8443 port tcp 8443 ip inspect log drop-pkt ip inspect audit-trail ip ips config location flash0: retries 1 timeout 1 ip ips name Store-IPS ! ip ips signature-category category all retired true category ios_ips default retired false ! ip wccp 61 ip wccp 62 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! multilink bundle-name authenticated ! parameter-map type inspect global WAAS enable parameter-map type inspect Inspect-1 audit-trail on parameter-map type trend-global trend-glob-map ! ! ! ! password encryption aes voice-card 0 ! ! ! ! ! ! ! license udi pid C3900-SPE150/K9 sn <removed> hw-module pvdm 0/0 ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys object-group network ActiveDirectory.cisco-irn.com host 192.168.42.130 ! object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 udp eq 5246 udp eq 5247 ! object-group service CISCO-WAAS description Ports for Cisco WAAS tcp eq 4050 ! object-group network EMC-NCM description EMC Network Configuration Manager host 192.168.42.122 ! object-group network RSA-enVision description RSA EnVision Syslog collector and SIM host 192.168.42.124 ! object-group network CSM_INLINE_dst_rule_81604380995 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object EMC-NCM group-object RSA-enVision ! object-group network TACACS description Csico Secure ACS server for TACACS and Radius host 192.168.42.131 ! object-group network RSA-AM description RSA Authentication Manager for SecureID host 192.168.42.137 ! object-group network NAC-1 description ISE server for NAC host 192.168.42.111 ! object-group network CSM_INLINE_dst_rule_81604381001 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object ActiveDirectory.cisco-irn.com group-object TACACS group-object RSA-AM group-object NAC-1 ! object-group network NAC-2 host 192.168.42.112 ! object-group network CSM_INLINE_dst_rule_81604381037 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object NAC-2 group-object NAC-1 ! object-group network DC-ALL description All of the Data Center 192.168.0.0 255.255.0.0 ! object-group network Stores-ALL description all store networks 10.10.0.0 255.255.0.0 ! object-group network CSM_INLINE_dst_rule_81604381039 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network WCSManager description Wireless Manager host 192.168.43.135 ! object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores host 192.168.43.21 host 192.168.43.22 ! object-group network DC-Wifi-MSE description Mobility Service Engines host 192.168.43.31 host 192.168.43.32 ! object-group network CSM_INLINE_dst_rule_81604381045 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network PAME-DC-1 host 192.168.44.111 ! object-group network MSP-DC-1 description Data Center VSOM host 192.168.44.121 ! object-group network CSM_INLINE_dst_rule_81604381049 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network CSM_INLINE_dst_rule_81604381059 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381067 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381071 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381150 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_dst_rule_81604381152 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network DC-Admin description DC Admin Systems host 192.168.41.101 host 192.168.41.102 ! object-group network CSManager description Cisco Security Manager host 192.168.42.133 ! object-group network CSM_INLINE_src_rule_81604380993 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object EMC-NCM group-object CSManager ! object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center 192.168.52.96 255.255.255.224 ! object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center 192.168.52.144 255.255.255.240 ! object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center 192.168.52.128 255.255.255.240 ! object-group network CSM_INLINE_src_rule_81604381021 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381023 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381041 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_src_rule_81604381043 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network CSM_INLINE_src_rule_81604381047 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network DC-WAAS description WAE Appliances in Data Center host 192.168.48.10 host 192.168.49.10 host 192.168.47.11 host 192.168.47.12 ! object-group network CSM_INLINE_src_rule_81604381051 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-WAAS ! object-group network CSM_INLINE_src_rule_81604381150 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_src_rule_81604381152 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group service CSM_INLINE_svc_rule_81604380993 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 ! object-group service CSM_INLINE_svc_rule_81604380995 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq syslog udp eq snmp udp eq snmptrap ! object-group service CSM_INLINE_svc_rule_81604381001 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq tacacs udp eq 1812 udp eq 1813 tcp eq 389 tcp eq 636 ! object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts tcp eq 5989 tcp eq 8000 tcp eq 902 tcp eq 903 ! object-group service CSM_INLINE_svc_rule_81604381003 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq 22 group-object vCenter-to-ESX4 ! object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems udp eq 427 tcp eq 427 ! object-group service CSM_INLINE_svc_rule_81604381005 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object vCenter-to-ESX4 group-object ESX-SLP ! object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. tcp range 1300 1319 ! object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. tcp eq 7001 tcp eq 7002 tcp eq 1521 ! object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 tcp eq 2809 tcp eq 9443 tcp eq 1414 ! object-group service ORACLE-OAS description OAS uses one port for HTTP and RMI - 12601. tcp eq 12601 ! object-group service CSM_INLINE_svc_rule_81604381009 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_81604381011 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service HTTPS-8443 tcp eq 8443 ! object-group service CSM_INLINE_svc_rule_81604381013 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381015 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service TOMAX-8990 description Tomax Application Port tcp eq 8990 ! object-group service CSM_INLINE_svc_rule_81604381017 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service CSM_INLINE_svc_rule_81604381019 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service ICMP-Requests description ICMP requests icmp information-request icmp mask-request icmp timestamp-request ! object-group service CSM_INLINE_svc_rule_81604381021 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381023 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381025 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service CSM_INLINE_svc_rule_81604381027 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381029 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp udp tcp eq 443 ! object-group service DNS-Resolving description Domain Name Server tcp eq domain udp eq domain ! object-group service CSM_INLINE_svc_rule_81604381035 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq bootps group-object DNS-Resolving ! object-group service CSM_INLINE_svc_rule_81604381037 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381039 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service CSM_INLINE_svc_rule_81604381041 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service LWAPP description LWAPP UDP ports 12222 and 12223 udp eq 12222 udp eq 12223 ! object-group service TFTP description Trivial File Transfer tcp eq 69 udp eq tftp ! object-group service IP-Protocol-97 description IP protocol 97 97 ! object-group service CSM_INLINE_svc_rule_81604381043 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq www tcp eq 22 tcp eq telnet udp eq isakmp group-object CAPWAP group-object LWAPP group-object TFTP group-object IP-Protocol-97 ! object-group service Cisco-Mobility description Mobility ports for Wireless udp eq 16666 udp eq 16667 ! object-group service CSM_INLINE_svc_rule_81604381045 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq isakmp group-object CAPWAP group-object LWAPP group-object Cisco-Mobility group-object IP-Protocol-97 ! object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing tcp eq 445 ! object-group service CSM_INLINE_svc_rule_81604381051 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381053 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381055 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381057 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp tcp-udp eq 5060 tcp eq 2000 tcp eq www tcp eq 443 group-object TFTP ! object-group service CSM_INLINE_svc_rule_81604381059 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp-udp eq 5060 tcp eq 2000 ! object-group service CSM_INLINE_svc_rule_81604381061 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381063 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service Netbios description Netbios Servers udp eq netbios-dgm udp eq netbios-ns tcp eq 139 ! object-group service ORACLE-SIM description Oracle Store Inventory Management tcp eq 7777 tcp eq 6003 tcp range 12401 12500 ! object-group service RDP description Windows Remote Desktop tcp eq 3389 ! object-group service Workbrain tcp eq 8444 ! object-group service CSM_INLINE_svc_rule_81604381065 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq ftp tcp eq www tcp eq 443 udp eq 88 tcp-udp eq 42 group-object Microsoft-DS-SMB group-object Netbios group-object ORACLE-SIM group-object RDP group-object Workbrain ! object-group network DC-Applications description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager) 192.168.180.0 255.255.254.0 ! object-group network DC-Voice description Data Center Voice 192.168.45.0 255.255.255.0 ! object-group network MS-Update description Windows Update Server host 192.168.42.150 ! object-group network MSExchange description Mail Server host 192.168.42.140 ! object-group service NTP description NTP Protocols tcp eq 123 udp eq ntp ! object-group network NTP-Servers description NTP Servers host 192.168.62.161 host 162.168.62.162 ! object-group network STORE-POS 10.10.0.0 255.255.0.0 ! object-group network vSphere-1 description vSphere server for Lab host 192.168.41.102 ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! redundancy ! ! ! ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7 match protocol http match protocol https match protocol microsoft-ds match protocol ms-sql match protocol ms-sql-m match protocol netbios-dgm match protocol netbios-ns match protocol oracle match protocol oracle-em-vp match protocol oraclenames match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_10 match access-group name CSM_ZBF_CMAP_ACL_10 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4 match protocol http match protocol https match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_23 match access-group name CSM_ZBF_CMAP_ACL_23 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17 match protocol http match protocol https match protocol imap3 match protocol pop3 match protocol pop3s match protocol smtp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_32 match access-group name CSM_ZBF_CMAP_ACL_32 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-all CSM_ZBF_CLASS_MAP_11 match access-group name CSM_ZBF_CMAP_ACL_11 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14 match protocol http match protocol https match protocol user-8443 class-map type inspect match-all CSM_ZBF_CLASS_MAP_22 match access-group name CSM_ZBF_CMAP_ACL_22 match class-map CSM_ZBF_CMAP_PLMAP_14 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol ftp match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_33 match access-group name CSM_ZBF_CMAP_ACL_33 match class-map CSM_ZBF_CMAP_PLMAP_20 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8 match protocol sip match protocol sip-tls match protocol skinny match protocol tftp match protocol http match protocol https match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_12 match access-group name CSM_ZBF_CMAP_ACL_12 match class-map CSM_ZBF_CMAP_PLMAP_8 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13 match protocol https match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_21 match access-group name CSM_ZBF_CMAP_ACL_21 match class-map CSM_ZBF_CMAP_PLMAP_13 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19 match protocol http match protocol https match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_30 match access-group name CSM_ZBF_CMAP_ACL_30 match class-map CSM_ZBF_CMAP_PLMAP_19 class-map type inspect match-all CSM_ZBF_CLASS_MAP_13 match access-group name CSM_ZBF_CMAP_ACL_13 class-map type inspect match-all CSM_ZBF_CLASS_MAP_20 match access-group name CSM_ZBF_CMAP_ACL_20 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18 match protocol http match protocol https match protocol udp match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_31 match access-group name CSM_ZBF_CMAP_ACL_31 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map match-all BRANCH-BULK-DATA match protocol tftp match protocol nfs match access-group name BULK-DATA-APPS class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_14 match access-group name CSM_ZBF_CMAP_ACL_14 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_27 match access-group name CSM_ZBF_CMAP_ACL_27 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_36 match access-group name CSM_ZBF_CMAP_ACL_36 class-map type inspect match-all CSM_ZBF_CLASS_MAP_15 match access-group name CSM_ZBF_CMAP_ACL_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_26 match access-group name CSM_ZBF_CMAP_ACL_26 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21 match protocol tcp match protocol udp match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_37 match access-group name CSM_ZBF_CMAP_ACL_37 match class-map CSM_ZBF_CMAP_PLMAP_21 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9 match protocol syslog match protocol syslog-conn match protocol snmp match protocol snmptrap class-map type inspect match-all CSM_ZBF_CLASS_MAP_16 match access-group name CSM_ZBF_CMAP_ACL_16 match class-map CSM_ZBF_CMAP_PLMAP_9 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16 match protocol http match protocol https match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_25 match access-group name CSM_ZBF_CMAP_ACL_25 match class-map CSM_ZBF_CMAP_PLMAP_16 class-map type inspect match-all CSM_ZBF_CLASS_MAP_34 match access-group name CSM_ZBF_CMAP_ACL_34 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10 match protocol ldaps match protocol ldap match protocol ldap-admin match protocol radius match protocol tacacs match protocol tacacs-ds match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_17 match access-group name CSM_ZBF_CMAP_ACL_17 match class-map CSM_ZBF_CMAP_PLMAP_10 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15 match protocol http match protocol https match protocol netbios-ns match protocol netbios-dgm match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_24 match access-group name CSM_ZBF_CMAP_ACL_24 match class-map CSM_ZBF_CMAP_PLMAP_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_35 match access-group name CSM_ZBF_CMAP_ACL_35 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11 match protocol ntp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_18 match access-group name CSM_ZBF_CMAP_ACL_18 match class-map CSM_ZBF_CMAP_PLMAP_11 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12 match protocol bootpc match protocol bootps match protocol udp match protocol tcp match protocol dns match protocol dhcp-failover class-map type inspect match-all CSM_ZBF_CLASS_MAP_19 match access-group name CSM_ZBF_CMAP_ACL_19 match class-map CSM_ZBF_CMAP_PLMAP_12 class-map type inspect match-all CSM_ZBF_CLASS_MAP_29 match access-group name CSM_ZBF_CMAP_ACL_29 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22 match protocol sip match protocol sip-tls match protocol skinny match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_38 match access-group name CSM_ZBF_CMAP_ACL_38 match class-map CSM_ZBF_CMAP_PLMAP_22 class-map type inspect match-all CSM_ZBF_CLASS_MAP_28 match access-group name CSM_ZBF_CMAP_ACL_28 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1 match protocol https match protocol ssh class-map type inspect match-all CSM_ZBF_CLASS_MAP_1 match access-group name CSM_ZBF_CMAP_ACL_1 match class-map CSM_ZBF_CMAP_PLMAP_1 class-map type inspect match-all CSM_ZBF_CLASS_MAP_3 match access-group name CSM_ZBF_CMAP_ACL_3 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2 match protocol https match protocol http match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_2 match access-group name CSM_ZBF_CMAP_ACL_2 match class-map CSM_ZBF_CMAP_PLMAP_2 class-map type inspect match-all CSM_ZBF_CLASS_MAP_5 match access-group name CSM_ZBF_CMAP_ACL_5 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3 match protocol http match protocol https match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_4 match access-group name CSM_ZBF_CMAP_ACL_4 match class-map CSM_ZBF_CMAP_PLMAP_3 class-map type inspect match-all CSM_ZBF_CLASS_MAP_7 match access-group name CSM_ZBF_CMAP_ACL_7 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_6 match access-group name CSM_ZBF_CMAP_ACL_6 match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_9 match access-group name CSM_ZBF_CMAP_ACL_9 match protocol tcp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6 match protocol http match protocol https match protocol ssh match protocol telnet match protocol tftp match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_8 match access-group name CSM_ZBF_CMAP_ACL_8 match class-map CSM_ZBF_CMAP_PLMAP_6 class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix match protocol ldap match protocol telnet match protocol sqlnet match protocol http url "SalesReport" match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol snmp match protocol syslog match protocol dns match protocol icmp match protocol ssh match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER match protocol gnutella match protocol fasttrack match protocol kazaa2 class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! ! policy-map BRANCH-LAN-EDGE-OUT class class-default policy-map BRANCH-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 12 random-detect dscp-based class BULK-DATA bandwidth percent 4 random-detect dscp-based class SCAVENGER bandwidth percent 1 class class-default bandwidth percent 25 random-detect policy-map type inspect CSM_ZBF_POLICY_MAP_18 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_19 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_16 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_23 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_25 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_36 drop log class type inspect CSM_ZBF_CLASS_MAP_37 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_17 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_24 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_24 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_34 drop log class type inspect CSM_ZBF_CLASS_MAP_35 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_14 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_27 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_15 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_21 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_26 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_38 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_12 class type inspect CSM_ZBF_CLASS_MAP_15 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_21 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_13 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_20 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_10 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_23 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_31 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_33 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_11 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_22 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_9 class type inspect CSM_ZBF_CLASS_MAP_13 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_8 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_12 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_7 class type inspect CSM_ZBF_CLASS_MAP_9 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_10 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_11 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_6 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_5 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_8 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_4 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_7 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_3 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_5 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_2 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_4 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_1 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_2 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop policy-map BRANCH-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 ! zone security S_WAN description Store WAN Link zone security S_R-2-R description Bridge link between routers zone security LOOPBACK description Loopback interface zone security S_MGMT description VLAN1000 Management zone security S_Security description VLAN20 Physical Security Systems zone security S_WAAS description VLAN19 WAAS optimization zone security S_WLC-AP description VLAN18 Wireless Systems zone security S_Data description VLAN12 Store Data zone security S_Data-W description VLAN14 Store Wireless Data zone security S_Guest description VLAN17 Guest/Public Wireless zone security S_Voice description VLAN13 Store Voice zone security S_Partners description VLAN16 Partner network zone security S_POS description VLAN 11 POS Data zone security S_POS-W description VLAN15 Store Wireless POS zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_8 zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self service-policy type inspect CSM_ZBF_POLICY_MAP_9 zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_11 zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_12 zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_22 zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_26 zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_27 ! ! ! ! ! ! ! interface Loopback0 ip address 10.10.110.1 255.255.255.255 ip pim sparse-dense-mode zone-member security LOOPBACK ! interface GigabitEthernet0/0 description ROUTER LINK TO SWITCH no ip address duplex auto speed auto ! interface GigabitEthernet0/0.11 description POS encapsulation dot1Q 11 ip address 10.10.96.2 255.255.255.0 ip helper-address 192.168.42.130 ip helper-address 192.168.42.111 ip pim sparse-dense-mode ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS standby 11 ip 10.10.96.1 standby 11 priority 101 standby 11 preempt ip igmp query-interval 125 service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.12 description DATA encapsulation dot1Q 12 ip address 10.10.97.2 255.255.255.0 ip helper-address 192.168.42.130 ip wccp 61 redirect in ip pim sparse-dense-mode zone-member security S_Data standby 12 ip 10.10.97.1 standby 12 priority 101 standby 12 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.13 description VOICE encapsulation dot1Q 13 ip address 10.10.98.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Voice standby 13 ip 10.10.98.1 standby 13 priority 101 standby 13 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.14 description WIRELESS encapsulation dot1Q 14 ip address 10.10.99.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Data-W standby 14 ip 10.10.99.1 standby 14 priority 101 standby 14 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.15 description WIRELESS-POS encapsulation dot1Q 15 ip address 10.10.100.2 255.255.255.0 ip helper-address 192.168.42.130 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS-W standby 15 ip 10.10.100.1 standby 15 priority 101 standby 15 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.16 description PARTNER encapsulation dot1Q 16 ip address 10.10.101.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Partners standby 16 ip 10.10.101.1 standby 16 priority 101 standby 16 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.17 description WIRELESS-GUEST encapsulation dot1Q 17 ip address 10.10.102.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Guest standby 17 ip 10.10.102.1 standby 17 priority 101 standby 17 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.18 description WIRELESS-CONTROL encapsulation dot1Q 18 ip address 10.10.103.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WLC-AP standby 18 ip 10.10.103.1 standby 18 priority 101 standby 18 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.19 description WAAS encapsulation dot1Q 19 ip address 10.10.104.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WAAS standby 19 ip 10.10.104.1 standby 19 priority 101 standby 19 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.20 description SECURITY-SYSTEMS encapsulation dot1Q 20 ip address 10.10.105.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Security standby 20 ip 10.10.105.1 standby 20 priority 101 standby 20 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.102 description ROUTER LINK TO encapsulation dot1Q 102 ip address 10.10.110.29 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R service-policy input BRANCH-LAN-EDGE-IN ! interface GigabitEthernet0/0.1000 description MANAGEMENT encapsulation dot1Q 1000 ip address 10.10.111.2 255.255.255.0 zone-member security S_MGMT standby 100 ip 10.10.111.1 standby 100 priority 101 standby 100 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1 no ip address duplex auto speed auto ! interface GigabitEthernet0/1.101 description ROUTER LINK TO encapsulation dot1Q 101 ip address 10.10.110.25 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R service-policy input BRANCH-LAN-EDGE-IN ! interface GigabitEthernet0/2 ip address 10.10.255.96 255.255.255.0 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! ! router ospf 5 router-id 10.10.110.1 redistribute connected subnets passive-interface default no passive-interface GigabitEthernet0/0.102 no passive-interface GigabitEthernet0/1.101 network 10.10.0.0 0.0.255.255 area 10 default-information originate ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ip route 0.0.0.0 0.0.0.0 10.10.255.11 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended CSM_ZBF_CMAP_ACL_1 remark Data Center Mgmt to Devices permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_10 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_11 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_12 remark Data Center VOICE (wired and Wireless) permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_13 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150 ip access-list extended CSM_ZBF_CMAP_ACL_14 remark Store WAAS to Clients and Servers permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_15 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152 ip access-list extended CSM_ZBF_CMAP_ACL_16 remark Syslog and SNMP Alerts permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995 ip access-list extended CSM_ZBF_CMAP_ACL_17 remark Store to Data Center Authentications permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001 ip access-list extended CSM_ZBF_CMAP_ACL_18 remark Store to Data Center for NTP permit object-group NTP object-group Stores-ALL object-group NTP-Servers ip access-list extended CSM_ZBF_CMAP_ACL_19 remark Store to Data Center for DHCP and DNS permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com ip access-list extended CSM_ZBF_CMAP_ACL_2 remark Data Center subscribe to IPS SDEE events permit tcp object-group RSA-enVision object-group Stores-ALL eq 443 ip access-list extended CSM_ZBF_CMAP_ACL_20 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039 ip access-list extended CSM_ZBF_CMAP_ACL_21 remark Store UCS E-series server to Data Center vShphere permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1 ip access-list extended CSM_ZBF_CMAP_ACL_22 remark Store NAC permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037 ip access-list extended CSM_ZBF_CMAP_ACL_23 remark Store to Data Center Physical Security permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049 ip access-list extended CSM_ZBF_CMAP_ACL_24 remark Store WAAS (WAAS Devices need their own zone) permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS ip access-list extended CSM_ZBF_CMAP_ACL_25 remark Store to Data Center wireless controller traffic permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045 ip access-list extended CSM_ZBF_CMAP_ACL_26 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax ip access-list extended CSM_ZBF_CMAP_ACL_27 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_28 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_29 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_3 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_30 remark Permit POS clients to talk to store POS server permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_31 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_32 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_33 remark Store DATA (wired and Wireless - Access to DC Other applications) permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications ip access-list extended CSM_ZBF_CMAP_ACL_34 remark Store GUEST - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071 ip access-list extended CSM_ZBF_CMAP_ACL_35 remark Store GUEST (access to internet/DMZ web servers) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_36 remark Store PARTNERS - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067 ip access-list extended CSM_ZBF_CMAP_ACL_37 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_38 remark Store VOICE (wired and Wireless - Acess to corporate wide voice) permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059 ip access-list extended CSM_ZBF_CMAP_ACL_4 remark Data Center vSphere to UCS E-series server permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_5 remark Data Center to Store Physical Security permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_6 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_7 remark Data Center WAAS to Store permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_8 remark Data Center Wireless Control to AP's and Controllers in stores permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_9 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group STORE-POS ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip any 192.168.52.0 0.0.0.255 ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444 remark --Large store Clock Server to CUAE permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000 remark ---LiteScape Application--- permit ip any host 192.168.46.82 permit ip any 239.192.0.0 0.0.0.255 permit ip any host 239.255.255.250 remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp any 192.168.46.0 0.0.0.255 eq 7777 permit tcp any 192.168.46.0 0.0.0.255 eq 6003 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! ! ! nls resp-timeout 1 cpd cr-id 1 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps flash insertion removal snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server domain-stripping tacacs-server key 7 <removed> ! ! control-plane ! ! ! ! mgcp profile default ! ! ! ! ! gatekeeper shutdown ! ! banner exec C WARNING: ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 login authentication RETAIL no exec transport preferred none transport output none line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! scheduler allocate 20000 1000 ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 end R-A2-LRG-2 ! ! Last configuration change at 00:59:26 PST Sat Apr 30 2011 by retail ! NVRAM config last updated at 01:00:56 PST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname R-A2-Lrg-2 ! boot-start-marker boot system flash0 c3900-universalk9-mz.SPA.151-3.T.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common ! clock timezone PST -8 0 clock summer-time PST recurring ! crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-660084654 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-660084654 revocation-check none rsakeypair TP-self-signed-660084654 ! ! crypto pki certificate chain TP-self-signed-660084654 certificate self-signed 01 <removed> quit no ipv6 cef no ip source-route ip cef ! ! ! ip multicast-routing ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ip port-map user-8443 port tcp 8443 ip inspect log drop-pkt ip inspect audit-trail ip ips config location flash0: retries 1 timeout 1 ip ips name Store-IPS ! ip ips signature-category category all retired true category ios_ips default retired false ! ip wccp 61 ip wccp 62 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! multilink bundle-name authenticated ! parameter-map type inspect global WAAS enable parameter-map type inspect Inspect-1 audit-trail on parameter-map type trend-global trend-glob-map ! ! ! ! password encryption aes voice-card 0 ! ! ! ! ! ! ! license udi pid C3900-SPE150/K9 sn <removed> hw-module pvdm 0/0 ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys object-group network ActiveDirectory.cisco-irn.com host 192.168.42.130 ! object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 udp eq 5246 udp eq 5247 ! object-group service CISCO-WAAS description Ports for Cisco WAAS tcp eq 4050 ! object-group network EMC-NCM description EMC Network Configuration Manager host 192.168.42.122 ! object-group network RSA-enVision description RSA EnVision Syslog collector and SIM host 192.168.42.124 ! object-group network CSM_INLINE_dst_rule_81604380995 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object EMC-NCM group-object RSA-enVision ! object-group network TACACS description Csico Secure ACS server for TACACS and Radius host 192.168.42.131 ! object-group network RSA-AM description RSA Authentication Manager for SecureID host 192.168.42.137 ! object-group network NAC-1 description ISE server for NAC host 192.168.42.111 ! object-group network CSM_INLINE_dst_rule_81604381001 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object ActiveDirectory.cisco-irn.com group-object TACACS group-object RSA-AM group-object NAC-1 ! object-group network NAC-2 host 192.168.42.112 ! object-group network CSM_INLINE_dst_rule_81604381037 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object NAC-2 group-object NAC-1 ! object-group network DC-ALL description All of the Data Center 192.168.0.0 255.255.0.0 ! object-group network Stores-ALL description all store networks 10.10.0.0 255.255.0.0 ! object-group network CSM_INLINE_dst_rule_81604381039 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network WCSManager description Wireless Manager host 192.168.43.135 ! object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores host 192.168.43.21 host 192.168.43.22 ! object-group network DC-Wifi-MSE description Mobility Service Engines host 192.168.43.31 host 192.168.43.32 ! object-group network CSM_INLINE_dst_rule_81604381045 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network PAME-DC-1 host 192.168.44.111 ! object-group network MSP-DC-1 description Data Center VSOM host 192.168.44.121 ! object-group network CSM_INLINE_dst_rule_81604381049 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network CSM_INLINE_dst_rule_81604381059 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381067 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381071 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381150 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_dst_rule_81604381152 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network DC-Admin description DC Admin Systems host 192.168.41.101 host 192.168.41.102 ! object-group network CSManager description Cisco Security Manager host 192.168.42.133 ! object-group network CSM_INLINE_src_rule_81604380993 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object EMC-NCM group-object CSManager ! object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center 192.168.52.96 255.255.255.224 ! object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center 192.168.52.144 255.255.255.240 ! object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center 192.168.52.128 255.255.255.240 ! object-group network CSM_INLINE_src_rule_81604381021 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381023 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381041 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_src_rule_81604381043 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network CSM_INLINE_src_rule_81604381047 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network DC-WAAS description WAE Appliances in Data Center host 192.168.48.10 host 192.168.49.10 host 192.168.47.11 host 192.168.47.12 ! object-group network CSM_INLINE_src_rule_81604381051 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-WAAS ! object-group network CSM_INLINE_src_rule_81604381150 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_src_rule_81604381152 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group service CSM_INLINE_svc_rule_81604380993 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 ! object-group service CSM_INLINE_svc_rule_81604380995 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq syslog udp eq snmp udp eq snmptrap ! object-group service CSM_INLINE_svc_rule_81604381001 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq tacacs udp eq 1812 udp eq 1813 tcp eq 389 tcp eq 636 ! object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts tcp eq 5989 tcp eq 8000 tcp eq 902 tcp eq 903 ! object-group service CSM_INLINE_svc_rule_81604381003 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq 22 group-object vCenter-to-ESX4 ! object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems udp eq 427 tcp eq 427 ! object-group service CSM_INLINE_svc_rule_81604381005 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object vCenter-to-ESX4 group-object ESX-SLP ! object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. tcp range 1300 1319 ! object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. tcp eq 7001 tcp eq 7002 tcp eq 1521 ! object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 tcp eq 2809 tcp eq 9443 tcp eq 1414 ! object-group service ORACLE-OAS description OAS uses one port for HTTP and RMI - 12601. tcp eq 12601 ! object-group service CSM_INLINE_svc_rule_81604381009 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_81604381011 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service HTTPS-8443 tcp eq 8443 ! object-group service CSM_INLINE_svc_rule_81604381013 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381015 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service TOMAX-8990 description Tomax Application Port tcp eq 8990 ! object-group service CSM_INLINE_svc_rule_81604381017 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service CSM_INLINE_svc_rule_81604381019 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service ICMP-Requests description ICMP requests icmp information-request icmp mask-request icmp timestamp-request ! object-group service CSM_INLINE_svc_rule_81604381021 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381023 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381025 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service CSM_INLINE_svc_rule_81604381027 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381029 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp udp tcp eq 443 ! object-group service DNS-Resolving description Domain Name Server tcp eq domain udp eq domain ! object-group service CSM_INLINE_svc_rule_81604381035 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq bootps group-object DNS-Resolving ! object-group service CSM_INLINE_svc_rule_81604381037 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381039 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service CSM_INLINE_svc_rule_81604381041 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service LWAPP description LWAPP UDP ports 12222 and 12223 udp eq 12222 udp eq 12223 ! object-group service TFTP description Trivial File Transfer tcp eq 69 udp eq tftp ! object-group service IP-Protocol-97 description IP protocol 97 97 ! object-group service CSM_INLINE_svc_rule_81604381043 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq www tcp eq 22 tcp eq telnet udp eq isakmp group-object CAPWAP group-object LWAPP group-object TFTP group-object IP-Protocol-97 ! object-group service Cisco-Mobility description Mobility ports for Wireless udp eq 16666 udp eq 16667 ! object-group service CSM_INLINE_svc_rule_81604381045 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq isakmp group-object CAPWAP group-object LWAPP group-object Cisco-Mobility group-object IP-Protocol-97 ! object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing tcp eq 445 ! object-group service CSM_INLINE_svc_rule_81604381051 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381053 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381055 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381057 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp tcp-udp eq 5060 tcp eq 2000 tcp eq www tcp eq 443 group-object TFTP ! object-group service CSM_INLINE_svc_rule_81604381059 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp-udp eq 5060 tcp eq 2000 ! object-group service CSM_INLINE_svc_rule_81604381061 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381063 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service Netbios description Netbios Servers udp eq netbios-dgm udp eq netbios-ns tcp eq 139 ! object-group service ORACLE-SIM description Oracle Store Inventory Management tcp eq 7777 tcp eq 6003 tcp range 12401 12500 ! object-group service RDP description Windows Remote Desktop tcp eq 3389 ! object-group service Workbrain tcp eq 8444 ! object-group service CSM_INLINE_svc_rule_81604381065 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq ftp tcp eq www tcp eq 443 udp eq 88 tcp-udp eq 42 group-object Microsoft-DS-SMB group-object Netbios group-object ORACLE-SIM group-object RDP group-object Workbrain ! object-group network DC-Applications description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager) 192.168.180.0 255.255.254.0 ! object-group network DC-Voice description Data Center Voice 192.168.45.0 255.255.255.0 ! object-group network MS-Update description Windows Update Server host 192.168.42.150 ! object-group network MSExchange description Mail Server host 192.168.42.140 ! object-group service NTP description NTP Protocols tcp eq 123 udp eq ntp ! object-group network NTP-Servers description NTP Servers host 192.168.62.161 host 162.168.62.162 ! object-group network STORE-POS 10.10.0.0 255.255.0.0 ! object-group network vSphere-1 description vSphere server for Lab host 192.168.41.102 ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! redundancy ! ! ! ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7 match protocol http match protocol https match protocol microsoft-ds match protocol ms-sql match protocol ms-sql-m match protocol netbios-dgm match protocol netbios-ns match protocol oracle match protocol oracle-em-vp match protocol oraclenames match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_10 match access-group name CSM_ZBF_CMAP_ACL_10 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4 match protocol http match protocol https match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_23 match access-group name CSM_ZBF_CMAP_ACL_23 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17 match protocol http match protocol https match protocol imap3 match protocol pop3 match protocol pop3s match protocol smtp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_32 match access-group name CSM_ZBF_CMAP_ACL_32 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-all CSM_ZBF_CLASS_MAP_11 match access-group name CSM_ZBF_CMAP_ACL_11 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14 match protocol http match protocol https match protocol user-8443 class-map type inspect match-all CSM_ZBF_CLASS_MAP_22 match access-group name CSM_ZBF_CMAP_ACL_22 match class-map CSM_ZBF_CMAP_PLMAP_14 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol ftp match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_33 match access-group name CSM_ZBF_CMAP_ACL_33 match class-map CSM_ZBF_CMAP_PLMAP_20 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8 match protocol sip match protocol sip-tls match protocol skinny match protocol tftp match protocol http match protocol https match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_12 match access-group name CSM_ZBF_CMAP_ACL_12 match class-map CSM_ZBF_CMAP_PLMAP_8 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13 match protocol https match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_21 match access-group name CSM_ZBF_CMAP_ACL_21 match class-map CSM_ZBF_CMAP_PLMAP_13 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19 match protocol http match protocol https match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_30 match access-group name CSM_ZBF_CMAP_ACL_30 match class-map CSM_ZBF_CMAP_PLMAP_19 class-map type inspect match-all CSM_ZBF_CLASS_MAP_13 match access-group name CSM_ZBF_CMAP_ACL_13 class-map type inspect match-all CSM_ZBF_CLASS_MAP_20 match access-group name CSM_ZBF_CMAP_ACL_20 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18 match protocol http match protocol https match protocol udp match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_31 match access-group name CSM_ZBF_CMAP_ACL_31 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map match-all BRANCH-BULK-DATA match protocol tftp match protocol nfs match access-group name BULK-DATA-APPS class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_14 match access-group name CSM_ZBF_CMAP_ACL_14 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_27 match access-group name CSM_ZBF_CMAP_ACL_27 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_36 match access-group name CSM_ZBF_CMAP_ACL_36 class-map type inspect match-all CSM_ZBF_CLASS_MAP_15 match access-group name CSM_ZBF_CMAP_ACL_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_26 match access-group name CSM_ZBF_CMAP_ACL_26 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21 match protocol tcp match protocol udp match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_37 match access-group name CSM_ZBF_CMAP_ACL_37 match class-map CSM_ZBF_CMAP_PLMAP_21 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9 match protocol syslog match protocol syslog-conn match protocol snmp match protocol snmptrap class-map type inspect match-all CSM_ZBF_CLASS_MAP_16 match access-group name CSM_ZBF_CMAP_ACL_16 match class-map CSM_ZBF_CMAP_PLMAP_9 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16 match protocol http match protocol https match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_25 match access-group name CSM_ZBF_CMAP_ACL_25 match class-map CSM_ZBF_CMAP_PLMAP_16 class-map type inspect match-all CSM_ZBF_CLASS_MAP_34 match access-group name CSM_ZBF_CMAP_ACL_34 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10 match protocol ldaps match protocol ldap match protocol ldap-admin match protocol radius match protocol tacacs match protocol tacacs-ds match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_17 match access-group name CSM_ZBF_CMAP_ACL_17 match class-map CSM_ZBF_CMAP_PLMAP_10 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15 match protocol http match protocol https match protocol netbios-ns match protocol netbios-dgm match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_24 match access-group name CSM_ZBF_CMAP_ACL_24 match class-map CSM_ZBF_CMAP_PLMAP_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_35 match access-group name CSM_ZBF_CMAP_ACL_35 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11 match protocol ntp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_18 match access-group name CSM_ZBF_CMAP_ACL_18 match class-map CSM_ZBF_CMAP_PLMAP_11 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12 match protocol bootpc match protocol bootps match protocol udp match protocol tcp match protocol dns match protocol dhcp-failover class-map type inspect match-all CSM_ZBF_CLASS_MAP_19 match access-group name CSM_ZBF_CMAP_ACL_19 match class-map CSM_ZBF_CMAP_PLMAP_12 class-map type inspect match-all CSM_ZBF_CLASS_MAP_29 match access-group name CSM_ZBF_CMAP_ACL_29 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22 match protocol sip match protocol sip-tls match protocol skinny match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_38 match access-group name CSM_ZBF_CMAP_ACL_38 match class-map CSM_ZBF_CMAP_PLMAP_22 class-map type inspect match-all CSM_ZBF_CLASS_MAP_28 match access-group name CSM_ZBF_CMAP_ACL_28 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1 match protocol https match protocol ssh class-map type inspect match-all CSM_ZBF_CLASS_MAP_1 match access-group name CSM_ZBF_CMAP_ACL_1 match class-map CSM_ZBF_CMAP_PLMAP_1 class-map type inspect match-all CSM_ZBF_CLASS_MAP_3 match access-group name CSM_ZBF_CMAP_ACL_3 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2 match protocol https match protocol http match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_2 match access-group name CSM_ZBF_CMAP_ACL_2 match class-map CSM_ZBF_CMAP_PLMAP_2 class-map type inspect match-all CSM_ZBF_CLASS_MAP_5 match access-group name CSM_ZBF_CMAP_ACL_5 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3 match protocol http match protocol https match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_4 match access-group name CSM_ZBF_CMAP_ACL_4 match class-map CSM_ZBF_CMAP_PLMAP_3 class-map type inspect match-all CSM_ZBF_CLASS_MAP_7 match access-group name CSM_ZBF_CMAP_ACL_7 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_6 match access-group name CSM_ZBF_CMAP_ACL_6 match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_9 match access-group name CSM_ZBF_CMAP_ACL_9 match protocol tcp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6 match protocol http match protocol https match protocol ssh match protocol telnet match protocol tftp match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_8 match access-group name CSM_ZBF_CMAP_ACL_8 match class-map CSM_ZBF_CMAP_PLMAP_6 class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix match protocol ldap match protocol telnet match protocol sqlnet match protocol http url "SalesReport" match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol snmp match protocol syslog match protocol dns match protocol icmp match protocol ssh match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER match protocol gnutella match protocol fasttrack match protocol kazaa2 class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! ! policy-map BRANCH-LAN-EDGE-OUT class class-default policy-map BRANCH-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 12 random-detect dscp-based class BULK-DATA bandwidth percent 4 random-detect dscp-based class SCAVENGER bandwidth percent 1 class class-default bandwidth percent 25 random-detect policy-map type inspect CSM_ZBF_POLICY_MAP_18 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_19 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_16 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_23 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_25 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_36 drop log class type inspect CSM_ZBF_CLASS_MAP_37 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_17 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_24 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_24 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_34 drop log class type inspect CSM_ZBF_CLASS_MAP_35 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_14 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_27 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_15 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_21 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_26 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_38 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_12 class type inspect CSM_ZBF_CLASS_MAP_15 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_21 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_13 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_20 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_10 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_23 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_31 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_33 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_11 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_22 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_9 class type inspect CSM_ZBF_CLASS_MAP_13 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_8 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_12 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_7 class type inspect CSM_ZBF_CLASS_MAP_9 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_10 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_11 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_6 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_5 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_8 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_4 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_7 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_3 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_5 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_2 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_4 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_1 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_2 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop policy-map BRANCH-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 ! zone security S_WAN description Store WAN Link zone security S_R-2-R description Bridge link between routers zone security LOOPBACK description Loopback interface zone security S_MGMT description VLAN1000 Management zone security S_Security description VLAN20 Physical Security Systems zone security S_WAAS description VLAN19 WAAS optimization zone security S_WLC-AP description VLAN18 Wireless Systems zone security S_Data description VLAN12 Store Data zone security S_Data-W description VLAN14 Store Wireless Data zone security S_Guest description VLAN17 Guest/Public Wireless zone security S_Voice description VLAN13 Store Voice zone security S_Partners description VLAN16 Partner network zone security S_POS description VLAN 11 POS Data zone security S_POS-W description VLAN15 Store Wireless POS zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_8 zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self service-policy type inspect CSM_ZBF_POLICY_MAP_9 zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_11 zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_12 zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_22 zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_26 zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_27 ! ! ! ! ! ! ! interface Loopback0 ip address 10.10.110.2 255.255.255.255 ip pim sparse-dense-mode zone-member security LOOPBACK ! interface GigabitEthernet0/0 no ip address duplex auto speed auto ! interface GigabitEthernet0/0.102 description ROUTER LINK TO encapsulation dot1Q 102 ip address 10.10.110.30 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R ! interface GigabitEthernet0/1 description ROUTER LINK TO SWITCH no ip address duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1.11 description POS encapsulation dot1Q 11 ip address 10.10.96.3 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS standby 11 ip 10.10.96.1 standby 11 priority 99 standby 11 preempt ip igmp query-interval 125 service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.12 description DATA encapsulation dot1Q 12 ip address 10.10.97.3 255.255.255.0 ip helper-address 192.168.42.130 ip wccp 61 redirect in ip pim sparse-dense-mode zone-member security S_Data standby 12 ip 10.10.97.1 standby 12 priority 99 standby 12 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.13 description VOICE encapsulation dot1Q 13 ip address 10.10.98.3 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Voice standby 13 ip 10.10.98.1 standby 13 priority 99 standby 13 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.14 description WIRELESS encapsulation dot1Q 14 ip address 10.10.99.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Data-W standby 14 ip 10.10.99.1 standby 14 priority 99 standby 14 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.15 description WIRELESS-POS encapsulation dot1Q 15 ip address 10.10.100.3 255.255.255.0 ip helper-address 192.168.42.130 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS-W standby 15 ip 10.10.100.1 standby 15 priority 99 standby 15 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.16 description PARTNER encapsulation dot1Q 16 ip address 10.10.101.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Partners standby 16 ip 10.10.101.1 standby 16 priority 99 standby 16 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.17 description WIRELESS-GUEST encapsulation dot1Q 17 ip address 10.10.102.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Guest standby 17 ip 10.10.102.1 standby 17 priority 99 standby 17 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.18 description WIRELESS-CONTROL encapsulation dot1Q 18 ip address 10.10.103.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WLC-AP standby 18 ip 10.10.103.1 standby 18 priority 99 standby 18 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.19 description WAAS encapsulation dot1Q 19 ip address 10.10.104.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WAAS standby 19 ip 10.10.104.1 standby 19 priority 99 standby 19 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.20 description SECURITY-SYSTEMS encapsulation dot1Q 20 ip address 10.10.105.3 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Security standby 20 ip 10.10.105.1 standby 20 priority 99 standby 20 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.101 description ROUTER LINK TO encapsulation dot1Q 101 ip address 10.10.110.26 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R ! interface GigabitEthernet0/1.1000 description MANAGEMENT encapsulation dot1Q 1000 ip address 10.10.111.3 255.255.255.0 zone-member security S_MGMT standby 100 ip 10.10.111.1 standby 100 priority 99 standby 100 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/2 ip address 10.10.254.96 255.255.255.0 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! ! router ospf 5 router-id 10.10.110.2 redistribute connected subnets passive-interface default no passive-interface GigabitEthernet0/0.102 no passive-interface GigabitEthernet0/1.101 network 10.10.0.0 0.0.255.255 area 10 default-information originate ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ip route 0.0.0.0 0.0.0.0 10.10.254.11 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended CSM_ZBF_CMAP_ACL_1 remark Data Center Mgmt to Devices permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_10 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_11 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_12 remark Data Center VOICE (wired and Wireless) permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_13 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150 ip access-list extended CSM_ZBF_CMAP_ACL_14 remark Store WAAS to Clients and Servers permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_15 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152 ip access-list extended CSM_ZBF_CMAP_ACL_16 remark Syslog and SNMP Alerts permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995 ip access-list extended CSM_ZBF_CMAP_ACL_17 remark Store to Data Center Authentications permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001 ip access-list extended CSM_ZBF_CMAP_ACL_18 remark Store to Data Center for NTP permit object-group NTP object-group Stores-ALL object-group NTP-Servers ip access-list extended CSM_ZBF_CMAP_ACL_19 remark Store to Data Center for DHCP and DNS permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com ip access-list extended CSM_ZBF_CMAP_ACL_2 remark Data Center subscribe to IPS SDEE events permit tcp object-group RSA-enVision object-group Stores-ALL eq 443 ip access-list extended CSM_ZBF_CMAP_ACL_20 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039 ip access-list extended CSM_ZBF_CMAP_ACL_21 remark Store UCS E-series server to Data Center vShphere permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1 ip access-list extended CSM_ZBF_CMAP_ACL_22 remark Store NAC permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037 ip access-list extended CSM_ZBF_CMAP_ACL_23 remark Store to Data Center Physical Security permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049 ip access-list extended CSM_ZBF_CMAP_ACL_24 remark Store WAAS (WAAS Devices need their own zone) permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS ip access-list extended CSM_ZBF_CMAP_ACL_25 remark Store to Data Center wireless controller traffic permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045 ip access-list extended CSM_ZBF_CMAP_ACL_26 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax ip access-list extended CSM_ZBF_CMAP_ACL_27 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_28 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_29 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_3 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_30 remark Permit POS clients to talk to store POS server permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_31 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_32 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_33 remark Store DATA (wired and Wireless - Access to DC Other applications) permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications ip access-list extended CSM_ZBF_CMAP_ACL_34 remark Store GUEST - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071 ip access-list extended CSM_ZBF_CMAP_ACL_35 remark Store GUEST (access to internet/DMZ web servers) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_36 remark Store PARTNERS - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067 ip access-list extended CSM_ZBF_CMAP_ACL_37 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_38 remark Store VOICE (wired and Wireless - Acess to corporate wide voice) permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059 ip access-list extended CSM_ZBF_CMAP_ACL_4 remark Data Center vSphere to UCS E-series server permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_5 remark Data Center to Store Physical Security permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_6 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_7 remark Data Center WAAS to Store permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_8 remark Data Center Wireless Control to AP's and Controllers in stores permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_9 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group STORE-POS ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip any 192.168.52.0 0.0.0.255 ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444 remark --Large store Clock Server to CUAE permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000 remark ---LiteScape Application--- permit ip any host 192.168.46.82 permit ip any 239.192.0.0 0.0.0.255 permit ip any host 239.255.255.250 remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp any 192.168.46.0 0.0.0.255 eq 7777 permit tcp any 192.168.46.0 0.0.0.255 eq 6003 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! ! ! nls resp-timeout 1 cpd cr-id 1 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps flash insertion removal snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server domain-stripping tacacs-server key 7 <removed> ! ! control-plane ! ! ! ! mgcp profile default ! ! ! ! ! gatekeeper shutdown ! ! banner exec C WARNING: ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 login authentication RETAIL no exec transport preferred none transport output none line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! scheduler allocate 20000 1000 ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 end S-A2-LRG-1 S-A2-LRG-1#sh run Building configuration... Current configuration : 21232 bytes ! ! Last configuration change at 02:39:20 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:39:22 PSTDST Sat Apr 30 2011 by retail ! version 15.0 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service compress-config service sequence-numbers ! hostname S-A2-LRG-1 ! boot-start-marker boot system flash bootflash:cat4500e-universalk9.SPA.03.01.00.SG.150-1.XO.bin boot-end-marker ! logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring ip subnet-zero ip domain-name cisco-irn.com ip name-server 192.168.42.130 ! ! no ip bootp server ip vrf Mgmt-vrf ! login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log vtp mode transparent ! password encryption aes ! crypto pki trustpoint CISCO_IDEVID_SUDI revocation-check none rsakeypair CISCO_IDEVID_SUDI ! crypto pki trustpoint CISCO_IDEVID_SUDI0 revocation-check none ! crypto pki trustpoint TP-self-signed-145264 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-145264 revocation-check none rsakeypair TP-self-signed-145264 ! ! crypto pki certificate chain CISCO_IDEVID_SUDI certificate 686CBFDE00000015EFB1 <removed> quit certificate ca 6A6967B3000000000003 <removed> quit crypto pki certificate chain CISCO_IDEVID_SUDI0 certificate ca 5FF87B282B54DC8D42A315B568C9ADFF <removed> quit crypto pki certificate chain TP-self-signed-145264 certificate self-signed 01 <removed> quit power redundancy-mode redundant ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree extend system-id ! redundancy mode rpr ! vlan internal allocation policy ascending ! vlan 11 name POS ! vlan 12 name DATA ! vlan 13 name VOICE ! vlan 14 name WIRELESS ! vlan 15 name WIRELESS-POS ! vlan 16 name PARTNER ! vlan 17 name WIRELESS-GUEST ! vlan 18 name WIRELESS-CONTROL ! vlan 19 name WAAS ! vlan 20 name SECURITY-SYSTEMS ! vlan 101 name RouterLink101 ! vlan 102 name RouterLink102 ! vlan 1000 name MANAGEMENT ! ip ssh version 2 ip scp server enable ! ! interface FastEthernet1 ip vrf forwarding Mgmt-vrf no ip address shutdown speed auto duplex auto ! interface TenGigabitEthernet3/1 shutdown ! interface TenGigabitEthernet3/2 shutdown ! interface TenGigabitEthernet3/3 shutdown ! interface TenGigabitEthernet3/4 shutdown ! interface GigabitEthernet5/1 shutdown ! interface GigabitEthernet5/2 shutdown ! interface GigabitEthernet5/3 shutdown ! interface GigabitEthernet5/4 shutdown ! interface GigabitEthernet5/5 shutdown ! interface GigabitEthernet5/6 shutdown ! interface GigabitEthernet5/7 shutdown ! interface GigabitEthernet5/8 shutdown ! interface GigabitEthernet5/9 shutdown ! interface GigabitEthernet5/10 shutdown ! interface GigabitEthernet5/11 shutdown ! interface GigabitEthernet5/12 shutdown ! interface GigabitEthernet5/13 shutdown ! interface GigabitEthernet5/14 shutdown ! interface GigabitEthernet5/15 shutdown ! interface GigabitEthernet5/16 shutdown ! interface GigabitEthernet5/17 shutdown ! interface GigabitEthernet5/18 shutdown ! interface GigabitEthernet5/19 shutdown ! interface GigabitEthernet5/20 shutdown ! interface GigabitEthernet5/21 shutdown ! interface GigabitEthernet5/22 shutdown ! interface GigabitEthernet5/23 shutdown ! interface GigabitEthernet5/24 shutdown ! interface GigabitEthernet5/25 shutdown ! interface GigabitEthernet5/26 shutdown ! interface GigabitEthernet5/27 shutdown ! interface GigabitEthernet5/28 shutdown ! interface GigabitEthernet5/29 shutdown ! interface GigabitEthernet5/30 shutdown ! interface GigabitEthernet5/31 shutdown ! interface GigabitEthernet5/32 shutdown ! interface GigabitEthernet5/33 shutdown ! interface GigabitEthernet5/34 shutdown ! interface GigabitEthernet5/35 shutdown ! interface GigabitEthernet5/36 shutdown ! interface GigabitEthernet5/37 shutdown ! interface GigabitEthernet5/38 shutdown ! interface GigabitEthernet5/39 shutdown ! interface GigabitEthernet5/40 shutdown ! interface GigabitEthernet5/41 shutdown ! interface GigabitEthernet5/42 shutdown ! interface GigabitEthernet5/43 shutdown ! interface GigabitEthernet5/44 shutdown ! interface GigabitEthernet5/45 shutdown ! interface GigabitEthernet5/46 shutdown ! interface GigabitEthernet5/47 shutdown ! interface GigabitEthernet5/48 shutdown ! interface GigabitEthernet6/1 ! interface GigabitEthernet6/2 shutdown ! interface GigabitEthernet6/3 shutdown ! interface GigabitEthernet6/4 shutdown ! interface GigabitEthernet6/5 shutdown ! interface GigabitEthernet6/6 shutdown ! interface GigabitEthernet6/7 shutdown ! interface GigabitEthernet6/8 shutdown ! interface GigabitEthernet6/9 shutdown ! interface GigabitEthernet6/10 description MSP-A2-LRG-1 switchport access vlan 20 switchport mode access spanning-tree portfast ! interface GigabitEthernet6/11 shutdown ! interface GigabitEthernet6/12 shutdown ! interface GigabitEthernet6/13 shutdown ! interface GigabitEthernet6/14 shutdown ! interface GigabitEthernet6/15 shutdown ! interface GigabitEthernet6/16 shutdown ! interface GigabitEthernet6/17 description WLC-A2-LRG-1_G1 switchport access vlan 18 switchport mode access spanning-tree portfast ! interface GigabitEthernet6/18 description WLC-A2-LRG-1_G2 switchport trunk allowed vlan 14-17 switchport mode trunk ! interface GigabitEthernet6/19 shutdown ! interface GigabitEthernet6/20 shutdown ! interface GigabitEthernet6/21 shutdown ! interface GigabitEthernet6/22 shutdown ! interface GigabitEthernet6/23 shutdown ! interface GigabitEthernet6/24 shutdown ! interface GigabitEthernet6/25 shutdown ! interface GigabitEthernet6/26 shutdown ! interface GigabitEthernet6/27 shutdown ! interface GigabitEthernet6/28 shutdown ! interface GigabitEthernet6/29 shutdown ! interface GigabitEthernet6/30 shutdown ! interface GigabitEthernet6/31 shutdown ! interface GigabitEthernet6/32 shutdown ! interface GigabitEthernet6/33 shutdown ! interface GigabitEthernet6/34 shutdown ! interface GigabitEthernet6/35 shutdown ! interface GigabitEthernet6/36 shutdown ! interface GigabitEthernet6/37 shutdown ! interface GigabitEthernet6/38 shutdown ! interface GigabitEthernet6/39 shutdown ! interface GigabitEthernet6/40 shutdown ! interface GigabitEthernet6/41 switchport mode trunk ! interface GigabitEthernet6/42 shutdown ! interface GigabitEthernet6/43 switchport mode trunk ! interface GigabitEthernet6/44 shutdown ! interface GigabitEthernet6/45 switchport mode trunk ! interface GigabitEthernet6/46 ! interface GigabitEthernet6/47 switchport mode trunk ! interface GigabitEthernet6/48 shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.111.11 255.255.255.0 ! no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 10.10.111.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ! logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart no snmp-server enable traps license snmp-server enable traps entity snmp-server enable traps flash insertion removal snmp-server enable traps power-ethernet police snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps errdisable snmp-server enable traps vlan-membership snmp-server enable traps mac-notification change move threshold snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> banner exec ^CC WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 17202862 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end S-A2-LRG-1# S-A2-LRG-2 S-A2-LRG-2#sh run Building configuration... Current configuration : 20118 bytes ! ! Last configuration change at 02:45:12 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:45:13 PSTDST Sat Apr 30 2011 by retail ! version 15.0 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service compress-config service sequence-numbers ! hostname S-A2-LRG-2 ! boot-start-marker boot system flash bootflash:cat4500e-universalk9.SPA.03.01.00.SG.150-1.XO.bin boot-end-marker ! logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring ip subnet-zero ip domain-name cisco-irn.com ip name-server 192.168.42.130 ! ! no ip bootp server ip vrf Mgmt-vrf ! login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log vtp mode transparent ! password encryption aes ! crypto pki trustpoint CISCO_IDEVID_SUDI revocation-check none rsakeypair CISCO_IDEVID_SUDI ! crypto pki trustpoint CISCO_IDEVID_SUDI0 revocation-check none ! crypto pki trustpoint TP-self-signed-145261 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-145261 revocation-check none rsakeypair TP-self-signed-145261 ! ! crypto pki certificate chain CISCO_IDEVID_SUDI certificate 6B46CD9B00000015F50E <removed> quit certificate ca 6A6967B3000000000003 <removed> quit crypto pki certificate chain CISCO_IDEVID_SUDI0 certificate ca 5FF87B282B54DC8D42A315B568C9ADFF <removed> quit crypto pki certificate chain TP-self-signed-145261 certificate self-signed 01 <removed> quit power redundancy-mode redundant ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree extend system-id ! redundancy mode rpr ! vlan internal allocation policy ascending ! vlan 11 name POS ! vlan 12 name DATA ! vlan 13 name VOICE ! vlan 14 name WIRELESS ! vlan 15 name WIRELESS-POS ! vlan 16 name PARTNER ! vlan 17 name WIRELESS-GUEST ! vlan 18 name WIRELESS-CONTROL ! vlan 19 name WAAS ! vlan 20 name SECURITY-SYSTEMS ! vlan 101 name RouterLink101 ! vlan 102 name RouterLink102 ! vlan 1000 name MANAGEMENT ! ip ssh version 2 ip scp server enable ! ! interface FastEthernet1 ip vrf forwarding Mgmt-vrf no ip address shutdown speed auto duplex auto ! interface TenGigabitEthernet3/1 shutdown ! interface TenGigabitEthernet3/2 shutdown ! interface TenGigabitEthernet3/3 shutdown ! interface TenGigabitEthernet3/4 shutdown ! interface GigabitEthernet6/1 ! interface GigabitEthernet6/2 switchport access vlan 17 shutdown ! interface GigabitEthernet6/3 switchport access vlan 17 shutdown ! interface GigabitEthernet6/4 switchport access vlan 17 shutdown ! interface GigabitEthernet6/5 switchport access vlan 17 shutdown ! interface GigabitEthernet6/6 switchport access vlan 17 shutdown ! interface GigabitEthernet6/7 switchport access vlan 17 shutdown ! interface GigabitEthernet6/8 switchport access vlan 17 shutdown ! interface GigabitEthernet6/9 switchport access vlan 17 shutdown ! interface GigabitEthernet6/10 description MSP-A2-LRG-1 switchport access vlan 20 switchport mode access spanning-tree portfast ! interface GigabitEthernet6/11 switchport access vlan 17 shutdown ! interface GigabitEthernet6/12 switchport access vlan 17 shutdown ! interface GigabitEthernet6/13 switchport access vlan 17 shutdown ! interface GigabitEthernet6/14 switchport access vlan 17 shutdown ! interface GigabitEthernet6/15 switchport access vlan 17 shutdown ! interface GigabitEthernet6/16 switchport access vlan 17 shutdown ! interface GigabitEthernet6/17 switchport access vlan 17 shutdown ! interface GigabitEthernet6/18 switchport access vlan 17 shutdown ! interface GigabitEthernet6/19 switchport access vlan 17 shutdown ! interface GigabitEthernet6/20 switchport access vlan 17 shutdown ! interface GigabitEthernet6/21 switchport access vlan 17 shutdown ! interface GigabitEthernet6/22 switchport access vlan 17 shutdown ! interface GigabitEthernet6/23 switchport access vlan 17 shutdown ! interface GigabitEthernet6/24 switchport access vlan 17 shutdown ! interface GigabitEthernet6/25 switchport access vlan 17 shutdown ! interface GigabitEthernet6/26 switchport access vlan 17 shutdown ! interface GigabitEthernet6/27 switchport access vlan 17 shutdown ! interface GigabitEthernet6/28 switchport access vlan 17 shutdown ! interface GigabitEthernet6/29 switchport access vlan 17 shutdown ! interface GigabitEthernet6/30 switchport access vlan 17 shutdown ! interface GigabitEthernet6/31 switchport access vlan 17 shutdown ! interface GigabitEthernet6/32 switchport access vlan 17 shutdown ! interface GigabitEthernet6/33 switchport access vlan 17 shutdown ! interface GigabitEthernet6/34 switchport access vlan 17 shutdown ! interface GigabitEthernet6/35 switchport access vlan 17 shutdown ! interface GigabitEthernet6/36 switchport access vlan 17 shutdown ! interface GigabitEthernet6/37 switchport access vlan 17 shutdown ! interface GigabitEthernet6/38 switchport access vlan 17 shutdown ! interface GigabitEthernet6/39 switchport access vlan 17 shutdown ! interface GigabitEthernet6/40 switchport access vlan 17 shutdown ! interface GigabitEthernet6/41 switchport mode trunk ! interface GigabitEthernet6/42 ! interface GigabitEthernet6/43 switchport mode trunk ! interface GigabitEthernet6/44 ! interface GigabitEthernet6/45 switchport mode trunk ! interface GigabitEthernet6/46 ! interface GigabitEthernet6/47 switchport mode trunk ! interface GigabitEthernet6/48 ! interface Vlan1 no ip address ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.111.12 255.255.255.0 ! no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 10.10.111.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ! logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart no snmp-server enable traps license snmp-server enable traps entity snmp-server enable traps flash insertion removal snmp-server enable traps power-ethernet police snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps port-security snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps errdisable snmp-server enable traps vlan-membership snmp-server enable traps mac-notification change move threshold snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> banner exec ^CC WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 17211501 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end S-A2-LRG-3 S-A2-LRG-3#sh run Building configuration... Current configuration : 20730 bytes ! ! Last configuration change at 02:52:21 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:52:23 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname S-A2-LRG-3 ! boot-start-marker boot-end-marker ! logging buffered 50000 logging monitor informational enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! macro name dot1x switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 @ ! macro global description dot1x macro auto sticky aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authentication dot1x default group radius local aaa authorization exec default group tacacs+ if-authenticated aaa authorization network default group radius aaa authorization auth-proxy default group radius aaa authorization configuration default group radius aaa accounting update newinfo aaa accounting auth-proxy default start-stop group radius aaa accounting dot1x default start-stop group radius aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! aaa server radius dynamic-author client 192.168.42.111 server-key 7 <removed> ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 authentication mac-move permit ! ! ip dhcp snooping vlan 1,11 no ip dhcp snooping information option ip dhcp snooping ip domain-name cisco-irn.com ip name-server 192.168.42.130 ip device tracking ip admission name ise proxy http inactivity-time 60 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log vtp mode transparent ! cts sxp enable cts sxp default source-ip 10.10.111.13 password encryption aes ! crypto pki trustpoint TP-self-signed-4268543232 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4268543232 revocation-check none rsakeypair TP-self-signed-4268543232 ! ! crypto pki certificate chain TP-self-signed-4268543232 certificate self-signed 01 <removed> quit archive log config logging enable notify syslog contenttype plaintext hidekeys dot1x system-auth-control ! fallback profile ise ip access-group ACL-DEFAULT in ip admission ise ! spanning-tree mode pvst spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! vlan 11 name POS ! vlan 12 name DATA ! vlan 13 name VOICE ! vlan 14 name WIRELESS ! vlan 15 name WIRELESS-POS ! vlan 16 name PARTNER ! vlan 17 name WIRELESS-GUEST ! vlan 18 name WIRELESS-CONTROL ! vlan 19 name WAAS ! vlan 20 name SECURITY-SYSTEMS ! vlan 101 name RouterLink101 ! vlan 102 name RouterLink102 ! vlan 1000 name MANAGEMENT ! ip ssh version 2 ip scp server enable ! ! interface FastEthernet0 no ip address shutdown ! interface GigabitEthernet0/1 description uplink ! interface GigabitEthernet0/2 description uplink ! interface GigabitEthernet0/3 shutdown ! interface GigabitEthernet0/4 description Cisco9971 IP phone switchport access vlan 11 switchport voice vlan 13 spanning-tree portfast ! interface GigabitEthernet0/5 description IP Camera - 4300 switchport access vlan 20 switchport mode access ! interface GigabitEthernet0/6 description CIAC-GW switchport access vlan 20 switchport mode access ! interface GigabitEthernet0/7 shutdown ! interface GigabitEthernet0/8 shutdown ! interface GigabitEthernet0/9 shutdown ! interface GigabitEthernet0/10 shutdown ! interface GigabitEthernet0/11 shutdown ! interface GigabitEthernet0/12 shutdown ! interface GigabitEthernet0/13 shutdown ! interface GigabitEthernet0/14 shutdown ! interface GigabitEthernet0/15 shutdown ! interface GigabitEthernet0/16 shutdown ! interface GigabitEthernet0/17 shutdown ! interface GigabitEthernet0/18 shutdown ! interface GigabitEthernet0/19 shutdown ! interface GigabitEthernet0/20 shutdown ! interface GigabitEthernet0/21 shutdown ! interface GigabitEthernet0/22 shutdown ! interface GigabitEthernet0/23 shutdown ! interface GigabitEthernet0/24 shutdown ! interface GigabitEthernet0/25 description open-mode 802.1x+mab+mda+acl switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/26 description mobile worker switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/27 shutdown ! interface GigabitEthernet0/28 shutdown ! interface GigabitEthernet0/29 shutdown ! interface GigabitEthernet0/30 switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/31 switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/32 switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/33 switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/34 switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/35 switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/36 switchport access vlan 11 switchport mode access switchport voice vlan 13 ip arp inspection limit rate 1000 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate server authentication timer inactivity server authentication violation restrict authentication fallback ise mab snmp trap mac-notification change added macro description dot1x dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 200 ! interface GigabitEthernet0/37 shutdown ! interface GigabitEthernet0/38 shutdown ! interface GigabitEthernet0/39 shutdown ! interface GigabitEthernet0/40 shutdown ! interface GigabitEthernet0/41 shutdown ! interface GigabitEthernet0/42 shutdown ! interface GigabitEthernet0/43 shutdown ! interface GigabitEthernet0/44 shutdown ! interface GigabitEthernet0/45 shutdown ! interface GigabitEthernet0/46 shutdown ! interface GigabitEthernet0/47 shutdown ! interface GigabitEthernet0/48 shutdown ! interface GigabitEthernet1/1 shutdown ! interface GigabitEthernet1/2 shutdown ! interface GigabitEthernet1/3 shutdown ! interface GigabitEthernet1/4 shutdown ! interface TenGigabitEthernet1/1 shutdown ! interface TenGigabitEthernet1/2 shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.111.13 255.255.255.0 ! ip default-gateway 10.10.111.1 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ip access-list extended ACL-ALLOW permit ip any any ip access-list extended ACL-DEFAULT remark DHCP permit udp any eq bootpc any eq bootps remark DNS permit udp any any eq domain remark ICMP Ping permit icmp any any remark PXE Boot permit udp any any eq tftp remark URL Redirect permit tcp any host 192.168.42.111 eq www permit tcp any host 192.168.42.111 eq 443 permit tcp any host 192.168.42.112 eq www permit tcp any host 192.168.42.112 eq 443 remark Guest Portal permit tcp any host 192.168.42.111 eq 8443 permit tcp any host 192.168.42.112 eq 8443 deny ip any any ip access-list extended ACL-POSTURE-REDIRECT deny ip any host 192.168.42.111 deny ip any host 192.168.42.130 permit ip any any ip access-list extended ACL-WEBAUTH-REDIRECT remark Don't match traffic sent to ISE PDP Nodes deny ip any host 192.168.42.111 deny ip any host 192.168.42.112 deny ip any host 10.35.48.242 deny ip any host 171.71.169.207 permit ip any any ! ip sla enable reaction-alerts logging trap debugging logging origin-id ip logging source-interface Vlan1000 logging 192.168.42.124 logging host 192.168.42.111 transport udp port 20514 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps power-ethernet group 1 snmp-server enable traps power-ethernet police snmp-server enable traps cpu threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps errdisable snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser snmp-server host 192.168.42.111 version 2c retaillabISE dot1x mac-notification snmp tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> radius-server attribute 6 on-for-login-auth radius-server attribute 6 support-multiple radius-server attribute 8 include-in-access-req radius-server dead-criteria time 5 tries 3 radius-server host 192.168.42.111 auth-port 1812 acct-port 1813 key 7 <removed> radius-server vsa send accounting radius-server vsa send authentication ! banner exec ^CC WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36027134 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer mac address-table notification change interval 0 mac address-table notification change end S-A2-LRG-4 S-A2-LRG-4#sh run Building configuration... Current configuration : 26605 bytes ! ! Last configuration change at 02:56:42 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:56:45 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname S-A2-LRG-4 ! boot-start-marker boot-end-marker ! logging buffered 50000 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! macro auto device media-player ACCESS_VLAN=12 macro auto device ip-camera ACCESS_VLAN=20 macro auto device phone ACCESS_VLAN=17 VOICE_VLAN=13 macro auto device access-point ACCESS_VLAN=18 macro auto device lightweight-ap ACCESS_VLAN=18 ! macro auto global processing fallback cdp aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authentication dot1x default group radius local aaa authorization exec default group tacacs+ if-authenticated aaa authorization network default group radius aaa authorization auth-proxy default group radius aaa accounting update newinfo aaa accounting dot1x default start-stop group radius aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 authentication mac-move permit ip subnet-zero no ip source-route ! ! ip domain-name cisco-irn.com ip host nac-2 192.168.42.112 ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! mls qos map policed-dscp 24 26 46 to 0 mls qos map cos-dscp 0 8 16 24 32 46 48 56 mls qos srr-queue input bandwidth 90 10 mls qos srr-queue input threshold 1 8 16 mls qos srr-queue input threshold 2 34 66 mls qos srr-queue input buffers 67 33 mls qos srr-queue input cos-map queue 1 threshold 2 1 mls qos srr-queue input cos-map queue 1 threshold 3 0 mls qos srr-queue input cos-map queue 2 threshold 1 2 mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7 mls qos srr-queue input cos-map queue 2 threshold 3 3 5 mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15 mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7 mls qos srr-queue input dscp-map queue 1 threshold 3 32 mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23 mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48 mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56 mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63 mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31 mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47 mls qos srr-queue output cos-map queue 1 threshold 3 5 mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7 mls qos srr-queue output cos-map queue 3 threshold 3 2 4 mls qos srr-queue output cos-map queue 4 threshold 2 1 mls qos srr-queue output cos-map queue 4 threshold 3 0 mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47 mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31 mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55 mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63 mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23 mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39 mls qos srr-queue output dscp-map queue 4 threshold 1 8 mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15 mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7 mls qos queue-set output 1 threshold 1 138 138 92 138 mls qos queue-set output 1 threshold 2 138 138 92 400 mls qos queue-set output 1 threshold 3 36 77 100 318 mls qos queue-set output 1 threshold 4 20 50 67 400 mls qos queue-set output 2 threshold 1 149 149 100 149 mls qos queue-set output 2 threshold 2 118 118 100 235 mls qos queue-set output 2 threshold 3 41 68 100 272 mls qos queue-set output 2 threshold 4 42 72 100 242 mls qos queue-set output 1 buffers 10 10 26 54 mls qos queue-set output 2 buffers 16 6 17 61 mls qos password encryption aes ! crypto pki trustpoint TP-self-signed-4268542976 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4268542976 revocation-check none rsakeypair TP-self-signed-4268542976 ! ! crypto pki certificate chain TP-self-signed-4268542976 certificate self-signed 01 <removed> 1 quit archive log config logging enable notify syslog contenttype plaintext hidekeys dot1x system-auth-control spanning-tree mode pvst spanning-tree etherchannel guard misconfig spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! class-map match-all AutoQoS-VoIP-RTP-Trust match ip dscp ef class-map match-all AutoQoS-VoIP-Control-Trust match ip dscp cs3 af31 ! ! policy-map AutoQoS-Police-CiscoPhone class AutoQoS-VoIP-RTP-Trust set dscp ef police 320000 8000 exceed-action policed-dscp-transmit class AutoQoS-VoIP-Control-Trust set dscp cs3 police 32000 8000 exceed-action policed-dscp-transmit ! ! ! interface FastEthernet0 no ip address shutdown ! interface GigabitEthernet0/1 switchport trunk encapsulation dot1q switchport mode trunk srr-queue bandwidth share 10 10 60 20 queue-set 2 priority-queue out mls qos trust cos macro description CISCO_SWITCH_EVENT auto qos voip trust ! interface GigabitEthernet0/2 switchport trunk encapsulation dot1q switchport mode trunk srr-queue bandwidth share 10 10 60 20 queue-set 2 priority-queue out mls qos trust cos macro description CISCO_SWITCH_EVENT auto qos voip trust ! interface GigabitEthernet0/3 description AIR-CAP3502E switchport trunk encapsulation dot1q switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode access switchport block unicast switchport port-security aging time 1 switchport port-security violation protect switchport port-security aging type inactivity load-interval 30 srr-queue bandwidth share 10 10 60 20 priority-queue out mls qos trust dscp macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT storm-control broadcast level pps 1k storm-control multicast level pps 2k storm-control action trap spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 15 ! interface GigabitEthernet0/4 description AIR-CAP3502I switchport trunk encapsulation dot1q switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode access switchport block unicast switchport port-security aging time 1 switchport port-security violation protect switchport port-security aging type inactivity load-interval 30 srr-queue bandwidth share 10 10 60 20 priority-queue out mls qos trust dscp macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT storm-control broadcast level pps 1k storm-control multicast level pps 2k storm-control action trap spanning-tree portfast spanning-tree bpduguard enable ip dhcp snooping limit rate 15 ! interface GigabitEthernet0/5 shutdown ! interface GigabitEthernet0/6 shutdown ! interface GigabitEthernet0/7 switchport trunk encapsulation dot1q switchport mode trunk srr-queue bandwidth share 10 10 60 20 queue-set 2 priority-queue out mls qos trust cos macro description CISCO_SWITCH_EVENT auto qos voip trust ! interface GigabitEthernet0/8 shutdown ! interface GigabitEthernet0/9 shutdown ! interface GigabitEthernet0/10 shutdown ! interface GigabitEthernet0/11 description Cisco7975 IP phone switchport mode access switchport block unicast switchport voice vlan 2 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security switchport port-security aging time 1 switchport port-security violation restrict switchport port-security aging type inactivity load-interval 30 srr-queue bandwidth share 10 10 60 20 queue-set 2 priority-queue out mls qos trust device cisco-phone mls qos trust cos macro description CISCO_PHONE_EVENT auto qos voip cisco-phone storm-control broadcast level pps 1k storm-control multicast level pps 2k storm-control action trap spanning-tree portfast spanning-tree bpduguard enable service-policy input AutoQoS-Police-CiscoPhone ip dhcp snooping limit rate 15 ! interface GigabitEthernet0/12 shutdown ! interface GigabitEthernet0/13 shutdown ! interface GigabitEthernet0/14 shutdown ! interface GigabitEthernet0/15 shutdown ! interface GigabitEthernet0/16 shutdown ! interface GigabitEthernet0/17 shutdown ! interface GigabitEthernet0/18 shutdown ! interface GigabitEthernet0/19 shutdown ! interface GigabitEthernet0/20 shutdown ! interface GigabitEthernet0/21 shutdown ! interface GigabitEthernet0/22 shutdown ! interface GigabitEthernet0/23 shutdown ! interface GigabitEthernet0/24 shutdown ! interface GigabitEthernet0/25 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/26 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/27 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/28 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/29 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/30 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/31 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/32 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/33 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/34 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/35 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/36 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/37 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/38 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/39 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/40 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/41 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/42 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/43 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/44 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/45 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/46 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/47 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet0/48 description open-mode 802.1x+mab+mda+acl switchport mode access switchport voice vlan 13 ip access-group ACL-DEFAULT in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab spanning-tree portfast ! interface GigabitEthernet1/1 shutdown ! interface GigabitEthernet1/2 shutdown ! interface GigabitEthernet1/3 shutdown ! interface GigabitEthernet1/4 shutdown ! interface TenGigabitEthernet1/1 shutdown ! interface TenGigabitEthernet1/2 shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.111.14 255.255.255.0 ! ip default-gateway 10.10.111.1 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ip access-list extended ACL-DEFAULT remark DHCP permit udp any eq bootpc any eq bootps remark DNS permit udp any any eq domain remark ICMP Ping permit icmp any any remark PXE Boot permit udp any any eq tftp remark URL Redirect permit tcp any host 192.168.42.111 eq www permit tcp any host 192.168.42.111 eq 443 permit tcp any host 192.168.42.112 eq www permit tcp any host 192.168.42.112 eq 443 remark Guest Portal permit tcp any host 192.168.42.111 eq 8443 permit tcp any host 192.168.42.112 eq 8443 deny ip any any ip access-list extended ACL-WEBAUTH-REDIRECT remark Don't match traffic sent to ISE PDP Nodes deny ip any host 192.168.42.111 deny ip any host 192.168.42.112 deny ip any host 10.35.48.242 remark Don't match traffic sent to remediation services (wwwin-download.cisco.com) deny ip any host 171.71.169.207 remark Match all other traffic for redirection permit ip any any ! ip sla enable reaction-alerts logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps power-ethernet group 1 snmp-server enable traps power-ethernet police snmp-server enable traps cpu threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps errdisable snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser snmp-server host 192.168.42.111 version 2c retaillabISE dot1x mac-notification snmp tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> radius-server dead-criteria time 5 tries 3 radius-server host 192.168.42.111 auth-port 1812 acct-port 1813 key 7 <removed> ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36027569 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end S-A2-LRG-5 S-A2-LRG-5#sh run Building configuration... Current configuration : 10739 bytes ! ! Last configuration change at 03:00:15 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 03:00:17 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname S-A2-LRG-5 ! boot-start-marker boot-end-marker ! shell trigger POS-Systems POS-Systems logging buffered 51200 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! macro global description cisco-desktop macro auto execute CISCO_LAST_RESORT_EVENT builtin CISCO_AP_AUTO_SMARTPORT ACCESS_VLAN=17 macro auto execute Retail-POS builtin CISCO_PHONE_AUTO_SMARTPORT ACCESS_VLAN=11 VOICE_VLAN=13 macro auto execute POS-Systems remote scp://SMARTPORT@192.168.42.122/POS-Systems.txt ACCESS_VLAN=11 VOICE_VLAN=13 ! macro auto mac-address-group Retail-POS oui list 001C26 oui list 001C25 mac-address list 0021.5C02.1DEF mac-address list 001C.25BE.99C2 macro auto device media-player ACCESS_VLAN=12 macro auto device ip-camera ACCESS_VLAN=20 macro auto device phone ACCESS_VLAN=17 VOICE_VLAN=13 macro auto device access-point ACCESS_VLAN=18 macro auto device lightweight-ap ACCESS_VLAN=18 ! macro auto global processing fallback cdp aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! mls qos map cos-dscp 0 8 16 24 32 46 48 56 mls qos srr-queue output cos-map queue 1 threshold 3 4 5 mls qos srr-queue output cos-map queue 2 threshold 1 2 mls qos srr-queue output cos-map queue 2 threshold 2 3 mls qos srr-queue output cos-map queue 2 threshold 3 6 7 mls qos srr-queue output cos-map queue 3 threshold 3 0 mls qos srr-queue output cos-map queue 4 threshold 3 1 mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45 mls qos srr-queue output dscp-map queue 1 threshold 3 46 47 mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23 mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35 mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39 mls qos srr-queue output dscp-map queue 2 threshold 2 24 mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55 mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63 mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7 mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15 mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14 mls qos queue-set output 1 threshold 1 100 100 50 200 mls qos queue-set output 1 threshold 2 125 125 100 400 mls qos queue-set output 1 threshold 3 100 100 100 400 mls qos queue-set output 1 threshold 4 60 150 50 200 mls qos queue-set output 1 buffers 15 25 40 20 mls qos password encryption aes ! crypto pki trustpoint TP-self-signed-3964801920 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3964801920 revocation-check none rsakeypair TP-self-signed-3964801920 ! ! crypto pki certificate chain TP-self-signed-3964801920 certificate self-signed 01 <removed> quit spanning-tree mode pvst spanning-tree extend system-id auto qos srnd4 ! ! ! ! vlan internal allocation policy ascending ! ip ssh version 2 ip scp server enable ! ! interface GigabitEthernet0/1 switchport access vlan 17 ! interface GigabitEthernet0/2 switchport access vlan 17 ! interface GigabitEthernet0/3 switchport access vlan 17 ! interface GigabitEthernet0/4 switchport access vlan 17 ! interface GigabitEthernet0/5 switchport access vlan 17 ! interface GigabitEthernet0/6 switchport access vlan 17 ! interface GigabitEthernet0/7 switchport access vlan 17 ! interface GigabitEthernet0/8 switchport access vlan 17 ! interface GigabitEthernet0/9 description Uplink to S-A2-LRG-4 G0/7 switchport trunk encapsulation dot1q switchport mode trunk srr-queue bandwidth share 1 30 35 5 queue-set 2 priority-queue out mls qos trust cos macro description CISCO_SWITCH_EVENT auto qos trust ! interface GigabitEthernet0/10 ! interface Vlan1 no ip address ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.111.15 255.255.255.0 ! ip default-gateway 10.10.111.1 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ! ip sla enable reaction-alerts logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps hsrp snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 timeout 5 tacacs-server directed-request tacacs-server key 7 <removed> ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL speed 115200 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 22518292 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer ! end Medium Branch R-A2-MED-1 ! ! Last configuration change at 00:29:32 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 00:29:32 PSTDST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname R-A2-Med-1 ! boot-start-marker boot system flash0 c2951-universalk9-mz.SPA.151-3.T.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common ! memory-size iomem 25 clock timezone PST -8 0 clock summer-time PSTDST recurring ! crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-1670063162 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1670063162 revocation-check none rsakeypair TP-self-signed-1670063162 ! ! crypto pki certificate chain TP-self-signed-1670063162 certificate self-signed 01 <removed> quit no ipv6 cef no ip source-route ip cef ! ! ! ip multicast-routing ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ip inspect audit-trail ip ips config location ipstest retries 1 timeout 1 ip ips notify SDEE ip ips name Retail-PCI ! ip ips signature-category category all retired true category ios_ips basic retired false ! ip wccp 61 ip wccp 62 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! multilink bundle-name authenticated ! parameter-map type inspect global WAAS enable parameter-map type inspect Inspect-1 audit-trail on parameter-map type trend-global trend-glob-map ! ! ! ! password encryption aes voice-card 0 ! ! ! ! ! ! ! license udi pid STARSCREAM sn <removed> hw-module pvdm 0/2 ! hw-module sm 1 ! hw-module sm 2 ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys object-group network ActiveDirectory.cisco-irn.com host 192.168.42.130 ! object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 udp eq 5246 udp eq 5247 ! object-group service CISCO-WAAS description Ports for Cisco WAAS tcp eq 4050 ! object-group network EMC-NCM description EMC Network Configuration Manager host 192.168.42.122 ! object-group network RSA-enVision description RSA EnVision Syslog collector and SIM host 192.168.42.124 ! object-group network CSM_INLINE_dst_rule_81604380995 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object EMC-NCM group-object RSA-enVision ! object-group network TACACS description Csico Secure ACS server for TACACS and Radius host 192.168.42.131 ! object-group network RSA-AM description RSA Authentication Manager for SecureID host 192.168.42.137 ! object-group network NAC-1 description ISE server for NAC host 192.168.42.111 ! object-group network CSM_INLINE_dst_rule_81604381001 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object ActiveDirectory.cisco-irn.com group-object TACACS group-object RSA-AM group-object NAC-1 ! object-group network NAC-2 host 192.168.42.112 ! object-group network CSM_INLINE_dst_rule_81604381037 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object NAC-2 group-object NAC-1 ! object-group network DC-ALL description All of the Data Center 192.168.0.0 255.255.0.0 ! object-group network Stores-ALL description all store networks 10.10.0.0 255.255.0.0 ! object-group network CSM_INLINE_dst_rule_81604381039 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network WCSManager description Wireless Manager host 192.168.43.135 ! object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores host 192.168.43.21 host 192.168.43.22 ! object-group network DC-Wifi-MSE description Mobility Service Engines host 192.168.43.31 host 192.168.43.32 ! object-group network CSM_INLINE_dst_rule_81604381045 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network PAME-DC-1 host 192.168.44.111 ! object-group network MSP-DC-1 description Data Center VSOM host 192.168.44.121 ! object-group network CSM_INLINE_dst_rule_81604381049 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network CSM_INLINE_dst_rule_81604381059 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381067 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381071 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381150 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_dst_rule_81604381152 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network DC-Admin description DC Admin Systems host 192.168.41.101 host 192.168.41.102 ! object-group network CSManager description Cisco Security Manager host 192.168.42.133 ! object-group network CSM_INLINE_src_rule_81604380993 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object EMC-NCM group-object CSManager ! object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center 192.168.52.96 255.255.255.224 ! object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center 192.168.52.144 255.255.255.240 ! object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center 192.168.52.128 255.255.255.240 ! object-group network CSM_INLINE_src_rule_81604381021 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381023 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381041 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_src_rule_81604381043 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network CSM_INLINE_src_rule_81604381047 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network DC-WAAS description WAE Appliances in Data Center host 192.168.48.10 host 192.168.49.10 host 192.168.47.11 host 192.168.47.12 ! object-group network CSM_INLINE_src_rule_81604381051 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-WAAS ! object-group network CSM_INLINE_src_rule_81604381150 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_src_rule_81604381152 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group service CSM_INLINE_svc_rule_81604380993 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 ! object-group service CSM_INLINE_svc_rule_81604380995 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq syslog udp eq snmp udp eq snmptrap ! object-group service CSM_INLINE_svc_rule_81604381001 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq tacacs udp eq 1812 udp eq 1813 tcp eq 389 tcp eq 636 ! object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts tcp eq 5989 tcp eq 8000 tcp eq 902 tcp eq 903 ! object-group service CSM_INLINE_svc_rule_81604381003 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq 22 group-object vCenter-to-ESX4 ! object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems udp eq 427 tcp eq 427 ! object-group service CSM_INLINE_svc_rule_81604381005 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object vCenter-to-ESX4 group-object ESX-SLP ! object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. tcp range 1300 1319 ! object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. tcp eq 7001 tcp eq 7002 tcp eq 1521 ! object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 tcp eq 2809 tcp eq 9443 tcp eq 1414 ! object-group service ORACLE-OAS description OAS uses one port for HTTP and RMI - 12601. tcp eq 12601 ! object-group service CSM_INLINE_svc_rule_81604381009 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_81604381011 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service HTTPS-8443 tcp eq 8443 ! object-group service CSM_INLINE_svc_rule_81604381013 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381015 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service TOMAX-8990 description Tomax Application Port tcp eq 8990 ! object-group service CSM_INLINE_svc_rule_81604381017 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service CSM_INLINE_svc_rule_81604381019 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service ICMP-Requests description ICMP requests icmp information-request icmp mask-request icmp timestamp-request ! object-group service CSM_INLINE_svc_rule_81604381021 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381023 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381025 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service CSM_INLINE_svc_rule_81604381027 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381029 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp udp tcp eq 443 ! object-group service DNS-Resolving description Domain Name Server tcp eq domain udp eq domain ! object-group service CSM_INLINE_svc_rule_81604381035 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq bootps group-object DNS-Resolving ! object-group service CSM_INLINE_svc_rule_81604381037 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381039 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service CSM_INLINE_svc_rule_81604381041 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service LWAPP description LWAPP UDP ports 12222 and 12223 udp eq 12222 udp eq 12223 ! object-group service TFTP description Trivial File Transfer tcp eq 69 udp eq tftp ! object-group service IP-Protocol-97 description IP protocol 97 97 ! object-group service CSM_INLINE_svc_rule_81604381043 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq www tcp eq 22 tcp eq telnet udp eq isakmp group-object CAPWAP group-object LWAPP group-object TFTP group-object IP-Protocol-97 ! object-group service Cisco-Mobility description Mobility ports for Wireless udp eq 16666 udp eq 16667 ! object-group service CSM_INLINE_svc_rule_81604381045 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq isakmp group-object CAPWAP group-object LWAPP group-object Cisco-Mobility group-object IP-Protocol-97 ! object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing tcp eq 445 ! object-group service CSM_INLINE_svc_rule_81604381051 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381053 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381055 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381057 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp tcp-udp eq 5060 tcp eq 2000 tcp eq www tcp eq 443 group-object TFTP ! object-group service CSM_INLINE_svc_rule_81604381059 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp-udp eq 5060 tcp eq 2000 ! object-group service CSM_INLINE_svc_rule_81604381061 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381063 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service Netbios description Netbios Servers udp eq netbios-dgm udp eq netbios-ns tcp eq 139 ! object-group service ORACLE-SIM description Oracle Store Inventory Management tcp eq 7777 tcp eq 6003 tcp range 12401 12500 ! object-group service RDP description Windows Remote Desktop tcp eq 3389 ! object-group service Workbrain tcp eq 8444 ! object-group service CSM_INLINE_svc_rule_81604381065 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq ftp tcp eq www tcp eq 443 udp eq 88 tcp-udp eq 42 group-object Microsoft-DS-SMB group-object Netbios group-object ORACLE-SIM group-object RDP group-object Workbrain ! object-group network DC-Applications description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager) 192.168.180.0 255.255.254.0 ! object-group network DC-Voice description Data Center Voice 192.168.45.0 255.255.255.0 ! object-group network MS-Update description Windows Update Server host 192.168.42.150 ! object-group network MSExchange description Mail Server host 192.168.42.140 ! object-group service NTP description NTP Protocols tcp eq 123 udp eq ntp ! object-group network NTP-Servers description NTP Servers host 192.168.62.161 host 162.168.62.162 ! object-group network STORE-POS 10.10.0.0 255.255.0.0 ! object-group network vSphere-1 description vSphere server for Lab host 192.168.41.102 ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> ! redundancy ! ! ! ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7 match protocol http match protocol https match protocol microsoft-ds match protocol ms-sql match protocol ms-sql-m match protocol netbios-dgm match protocol netbios-ns match protocol oracle match protocol oracle-em-vp match protocol oraclenames match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_10 match access-group name CSM_ZBF_CMAP_ACL_10 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4 match protocol http match protocol https match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_23 match access-group name CSM_ZBF_CMAP_ACL_23 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17 match protocol http match protocol https match protocol imap3 match protocol pop3 match protocol pop3s match protocol smtp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_32 match access-group name CSM_ZBF_CMAP_ACL_32 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-all CSM_ZBF_CLASS_MAP_11 match access-group name CSM_ZBF_CMAP_ACL_11 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14 match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_22 match access-group name CSM_ZBF_CMAP_ACL_22 match class-map CSM_ZBF_CMAP_PLMAP_14 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol ftp match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_33 match access-group name CSM_ZBF_CMAP_ACL_33 match class-map CSM_ZBF_CMAP_PLMAP_20 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8 match protocol sip match protocol sip-tls match protocol skinny match protocol tftp match protocol http match protocol https match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_12 match access-group name CSM_ZBF_CMAP_ACL_12 match class-map CSM_ZBF_CMAP_PLMAP_8 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13 match protocol https match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_21 match access-group name CSM_ZBF_CMAP_ACL_21 match class-map CSM_ZBF_CMAP_PLMAP_13 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19 match protocol http match protocol https match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_30 match access-group name CSM_ZBF_CMAP_ACL_30 match class-map CSM_ZBF_CMAP_PLMAP_19 class-map type inspect match-all CSM_ZBF_CLASS_MAP_13 match access-group name CSM_ZBF_CMAP_ACL_13 class-map type inspect match-all CSM_ZBF_CLASS_MAP_20 match access-group name CSM_ZBF_CMAP_ACL_20 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18 match protocol http match protocol https match protocol udp match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_31 match access-group name CSM_ZBF_CMAP_ACL_31 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map match-all BRANCH-BULK-DATA match protocol tftp match protocol nfs match access-group name BULK-DATA-APPS class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_14 match access-group name CSM_ZBF_CMAP_ACL_14 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_27 match access-group name CSM_ZBF_CMAP_ACL_27 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_36 match access-group name CSM_ZBF_CMAP_ACL_36 class-map type inspect match-all CSM_ZBF_CLASS_MAP_15 match access-group name CSM_ZBF_CMAP_ACL_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_26 match access-group name CSM_ZBF_CMAP_ACL_26 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21 match protocol tcp match protocol udp match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_37 match access-group name CSM_ZBF_CMAP_ACL_37 match class-map CSM_ZBF_CMAP_PLMAP_21 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9 match protocol syslog match protocol syslog-conn match protocol snmp match protocol snmptrap class-map type inspect match-all CSM_ZBF_CLASS_MAP_16 match access-group name CSM_ZBF_CMAP_ACL_16 match class-map CSM_ZBF_CMAP_PLMAP_9 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16 match protocol http match protocol https match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_25 match access-group name CSM_ZBF_CMAP_ACL_25 match class-map CSM_ZBF_CMAP_PLMAP_16 class-map type inspect match-all CSM_ZBF_CLASS_MAP_34 match access-group name CSM_ZBF_CMAP_ACL_34 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10 match protocol ldaps match protocol ldap match protocol ldap-admin match protocol radius match protocol tacacs match protocol tacacs-ds match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_17 match access-group name CSM_ZBF_CMAP_ACL_17 match class-map CSM_ZBF_CMAP_PLMAP_10 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15 match protocol http match protocol https match protocol netbios-ns match protocol netbios-dgm match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_24 match access-group name CSM_ZBF_CMAP_ACL_24 match class-map CSM_ZBF_CMAP_PLMAP_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_35 match access-group name CSM_ZBF_CMAP_ACL_35 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11 match protocol ntp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_18 match access-group name CSM_ZBF_CMAP_ACL_18 match class-map CSM_ZBF_CMAP_PLMAP_11 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12 match protocol bootpc match protocol bootps match protocol udp match protocol tcp match protocol dns match protocol dhcp-failover class-map type inspect match-all CSM_ZBF_CLASS_MAP_19 match access-group name CSM_ZBF_CMAP_ACL_19 match class-map CSM_ZBF_CMAP_PLMAP_12 class-map type inspect match-all CSM_ZBF_CLASS_MAP_29 match access-group name CSM_ZBF_CMAP_ACL_29 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22 match protocol sip match protocol sip-tls match protocol skinny match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_38 match access-group name CSM_ZBF_CMAP_ACL_38 match class-map CSM_ZBF_CMAP_PLMAP_22 class-map type inspect match-all CSM_ZBF_CLASS_MAP_28 match access-group name CSM_ZBF_CMAP_ACL_28 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1 match protocol https match protocol ssh class-map type inspect match-all CSM_ZBF_CLASS_MAP_1 match access-group name CSM_ZBF_CMAP_ACL_1 match class-map CSM_ZBF_CMAP_PLMAP_1 class-map type inspect match-all CSM_ZBF_CLASS_MAP_3 match access-group name CSM_ZBF_CMAP_ACL_3 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2 match protocol https match protocol http match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_2 match access-group name CSM_ZBF_CMAP_ACL_2 match class-map CSM_ZBF_CMAP_PLMAP_2 class-map type inspect match-all CSM_ZBF_CLASS_MAP_5 match access-group name CSM_ZBF_CMAP_ACL_5 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3 match protocol http match protocol https match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_4 match access-group name CSM_ZBF_CMAP_ACL_4 match class-map CSM_ZBF_CMAP_PLMAP_3 class-map type inspect match-all CSM_ZBF_CLASS_MAP_7 match access-group name CSM_ZBF_CMAP_ACL_7 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_6 match access-group name CSM_ZBF_CMAP_ACL_6 match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_9 match access-group name CSM_ZBF_CMAP_ACL_9 match protocol tcp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6 match protocol http match protocol https match protocol ssh match protocol telnet match protocol tftp match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_8 match access-group name CSM_ZBF_CMAP_ACL_8 match class-map CSM_ZBF_CMAP_PLMAP_6 class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix match protocol ldap match protocol telnet match protocol sqlnet match protocol http url "SalesReport" match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol snmp match protocol syslog match protocol dns match protocol icmp match protocol ssh match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER match protocol gnutella match protocol fasttrack match protocol kazaa2 class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! ! policy-map BRANCH-LAN-EDGE-OUT class class-default policy-map BRANCH-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 12 random-detect dscp-based class BULK-DATA bandwidth percent 4 random-detect dscp-based class SCAVENGER bandwidth percent 1 class class-default bandwidth percent 25 random-detect policy-map type inspect CSM_ZBF_POLICY_MAP_18 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_19 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_16 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_23 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_25 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_36 drop log class type inspect CSM_ZBF_CLASS_MAP_37 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_17 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_24 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_24 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_34 drop log class type inspect CSM_ZBF_CLASS_MAP_35 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_14 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_27 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_15 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_21 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_26 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_38 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_12 class type inspect CSM_ZBF_CLASS_MAP_15 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_21 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_13 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_20 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_10 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_23 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_31 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_33 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_11 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_22 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_9 class type inspect CSM_ZBF_CLASS_MAP_13 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_8 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_12 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_7 class type inspect CSM_ZBF_CLASS_MAP_9 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_10 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_11 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_6 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_5 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_8 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_4 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_7 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_3 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_5 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_2 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_4 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_1 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_2 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop policy-map BRANCH-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 ! zone security S_WAN description Store WAN Link zone security S_R-2-R description Bridge link between routers zone security LOOPBACK description Loopback interface zone security S_MGMT description VLAN1000 Management zone security S_Security description VLAN20 Physical Security Systems zone security S_WAAS description VLAN19 WAAS optimization zone security S_WLC-AP description VLAN18 Wireless Systems zone security S_Data description VLAN12 Store Data zone security S_Data-W description VLAN14 Store Wireless Data zone security S_Guest description VLAN17 Guest/Public Wireless zone security S_Voice description VLAN13 Store Voice zone security S_Partners description VLAN16 Partner network zone security S_POS description VLAN 11 POS Data zone security S_POS-W description VLAN15 Store Wireless POS zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_8 zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self service-policy type inspect CSM_ZBF_POLICY_MAP_9 zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_11 zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_12 zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_22 zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_26 zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_27 ! ! ! ! ! ! ! interface Loopback0 ip address 10.10.126.1 255.255.255.255 ip pim sparse-dense-mode zone-member security LOOPBACK ! interface GigabitEthernet0/0 ip address 10.10.255.112 255.255.255.0 ip ips Retail-PCI in zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! interface GigabitEthernet0/1 description ROUTER LINK TO SWITCH no ip address duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1.11 description POS encapsulation dot1Q 11 ip address 10.10.112.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_POS standby 11 ip 10.10.112.1 standby 11 priority 101 standby 11 preempt ip igmp query-interval 125 service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.12 description DATA encapsulation dot1Q 12 ip address 10.10.113.2 255.255.255.0 ip helper-address 192.168.42.130 ip wccp 61 redirect in ip pim sparse-dense-mode zone-member security S_Data standby 12 ip 10.10.113.1 standby 12 priority 101 standby 12 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.13 description VOICE encapsulation dot1Q 13 ip address 10.10.114.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Voice standby 13 ip 10.10.114.1 standby 13 priority 101 standby 13 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.14 description WIRELESS encapsulation dot1Q 14 ip address 10.10.115.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Data-W standby 14 ip 10.10.115.1 standby 14 priority 101 standby 14 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.15 description WIRELESS-POS encapsulation dot1Q 15 ip address 10.10.116.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_POS-W standby 15 ip 10.10.116.1 standby 15 priority 101 standby 15 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.16 description PARTNER encapsulation dot1Q 16 ip address 10.10.117.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Partners standby 16 ip 10.10.117.1 standby 16 priority 101 standby 16 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.17 description WIRELESS-GUEST encapsulation dot1Q 17 ip address 10.10.118.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Guest standby 17 ip 10.10.118.1 standby 17 priority 101 standby 17 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.18 description WIRELESS-CONTROL encapsulation dot1Q 18 ip address 10.10.119.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WLC-AP standby 18 ip 10.10.119.1 standby 18 priority 101 standby 18 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.19 description WAAS encapsulation dot1Q 19 ip address 10.10.120.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WAAS standby 19 ip 10.10.120.1 standby 19 priority 101 standby 19 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.20 description SECURITY-SYSTEMS encapsulation dot1Q 20 ip address 10.10.121.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Security standby 20 ip 10.10.121.1 standby 20 priority 101 standby 20 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.102 description ROUTER LINK TO encapsulation dot1Q 102 ip address 10.10.126.29 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R service-policy input BRANCH-LAN-EDGE-IN ! interface GigabitEthernet0/1.1000 description MANAGEMENT encapsulation dot1Q 1000 ip address 10.10.127.2 255.255.255.0 zone-member security S_MGMT standby 100 ip 10.10.127.1 standby 100 priority 101 standby 100 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/2 no ip address duplex auto speed auto ! interface GigabitEthernet0/2.101 description ROUTER LINK TO encapsulation dot1Q 101 ip address 10.10.126.25 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R service-policy input BRANCH-LAN-EDGE-IN ! interface SM1/0 ip address 10.10.126.41 255.255.255.252 zone-member security S_WAAS service-module fail-open service-module ip address 10.10.126.42 255.255.255.252 service-module ip default-gateway 10.10.126.41 hold-queue 60 out ! interface SM1/1 description Internal switch interface connected to Service Module ! interface Vlan1 no ip address ! ! router ospf 5 router-id 10.10.126.1 redistribute connected subnets passive-interface default no passive-interface GigabitEthernet0/1.102 no passive-interface GigabitEthernet0/2.101 network 10.10.0.0 0.0.255.255 area 10 default-information originate ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ip route 0.0.0.0 0.0.0.0 10.10.255.11 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended CSM_ZBF_CMAP_ACL_1 remark Data Center Mgmt to Devices permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_10 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_11 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_12 remark Data Center VOICE (wired and Wireless) permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_13 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150 ip access-list extended CSM_ZBF_CMAP_ACL_14 remark Store WAAS to Clients and Servers permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_15 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152 ip access-list extended CSM_ZBF_CMAP_ACL_16 remark Syslog and SNMP Alerts permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995 ip access-list extended CSM_ZBF_CMAP_ACL_17 remark Store to Data Center Authentications permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001 ip access-list extended CSM_ZBF_CMAP_ACL_18 remark Store to Data Center for NTP permit object-group NTP object-group Stores-ALL object-group NTP-Servers ip access-list extended CSM_ZBF_CMAP_ACL_19 remark Store to Data Center for DHCP and DNS permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com ip access-list extended CSM_ZBF_CMAP_ACL_2 remark Data Center subscribe to IPS SDEE events permit tcp object-group RSA-enVision object-group Stores-ALL eq 443 ip access-list extended CSM_ZBF_CMAP_ACL_20 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039 ip access-list extended CSM_ZBF_CMAP_ACL_21 remark Store UCS E-series server to Data Center vShphere permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1 ip access-list extended CSM_ZBF_CMAP_ACL_22 remark Store NAC permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037 ip access-list extended CSM_ZBF_CMAP_ACL_23 remark Store to Data Center Physical Security permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049 ip access-list extended CSM_ZBF_CMAP_ACL_24 remark Store WAAS (WAAS Devices need their own zone) permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS ip access-list extended CSM_ZBF_CMAP_ACL_25 remark Store to Data Center wireless controller traffic permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045 ip access-list extended CSM_ZBF_CMAP_ACL_26 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax ip access-list extended CSM_ZBF_CMAP_ACL_27 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_28 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_29 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_3 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_30 remark Permit POS clients to talk to store POS server permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_31 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_32 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_33 remark Store DATA (wired and Wireless - Access to DC Other applications) permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications ip access-list extended CSM_ZBF_CMAP_ACL_34 remark Store GUEST - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071 ip access-list extended CSM_ZBF_CMAP_ACL_35 remark Store GUEST (access to internet/DMZ web servers) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_36 remark Store PARTNERS - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067 ip access-list extended CSM_ZBF_CMAP_ACL_37 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_38 remark Store VOICE (wired and Wireless - Acess to corporate wide voice) permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059 ip access-list extended CSM_ZBF_CMAP_ACL_4 remark Data Center vSphere to UCS E-series server permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_5 remark Data Center to Store Physical Security permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_6 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_7 remark Data Center WAAS to Store permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_8 remark Data Center Wireless Control to AP's and Controllers in stores permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_9 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group STORE-POS ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip any 192.168.52.0 0.0.0.255 ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444 remark --Large store Clock Server to CUAE permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000 remark ---LiteScape Application--- permit ip any host 192.168.46.82 permit ip any 239.192.0.0 0.0.0.255 permit ip any host 239.255.255.250 remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp any 192.168.46.0 0.0.0.255 eq 7777 permit tcp any 192.168.46.0 0.0.0.255 eq 6003 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! ! ! nls resp-timeout 1 cpd cr-id 1 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps flash insertion removal snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server domain-stripping tacacs-server key 7 <removed> ! ! control-plane ! ! ! mgcp fax t38 ecm ! mgcp profile default ! ! ! ! ! gatekeeper shutdown ! ! banner exec C WARNING: ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 login authentication RETAIL no exec transport preferred none transport output none line 67 no activation-character no exec transport preferred none transport input ssh transport output none stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! exception data-corruption buffer truncate scheduler allocate 20000 1000 ntp source Loopback0 ntp update-calendar ntp server 192.168.62.161 prefer ntp server 192.168.62.162 end R-A2-MED-2 ! ! Last configuration change at 23:30:34 PCTime Fri Apr 29 2011 by retail ! NVRAM config last updated at 23:30:35 PCTime Fri Apr 29 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname R-A2-MED-2 ! boot-start-marker boot system flash:c2951-universalk9-mz.SPA.151-3.T.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 500000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common ! clock timezone PCTime -8 0 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-104836678 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-104836678 revocation-check none ! ! crypto pki certificate chain TP-self-signed-104836678 certificate self-signed 02 <removed> quit no ipv6 cef no ip source-route no ip gratuitous-arps ip cef ! ! ! ip multicast-routing ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ip port-map user-8443 port tcp 8443 ip ips notify SDEE ip ips name Retail-PCI ! ip ips signature-category category all retired true category ios_ips default retired false ! ip wccp 61 ip wccp 62 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! multilink bundle-name authenticated ! parameter-map type inspect global WAAS enable parameter-map type inspect Inspect-1 audit-trail on parameter-map type trend-global trend-glob-map ! ! ! ! password encryption aes voice-card 0 ! ! ! ! ! ! ! license udi pid CISCO2951/K9 sn <removed> hw-module sm 1 ! hw-module sm 2 ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys object-group network ActiveDirectory.cisco-irn.com host 192.168.42.130 ! object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 udp eq 5246 udp eq 5247 ! object-group service CISCO-WAAS description Ports for Cisco WAAS tcp eq 4050 ! object-group network EMC-NCM description EMC Network Configuration Manager host 192.168.42.122 ! object-group network RSA-enVision description RSA EnVision Syslog collector and SIM host 192.168.42.124 ! object-group network CSM_INLINE_dst_rule_81604380995 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object EMC-NCM group-object RSA-enVision ! object-group network TACACS description Csico Secure ACS server for TACACS and Radius host 192.168.42.131 ! object-group network RSA-AM description RSA Authentication Manager for SecureID host 192.168.42.137 ! object-group network NAC-1 description ISE server for NAC host 192.168.42.111 ! object-group network CSM_INLINE_dst_rule_81604381001 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object ActiveDirectory.cisco-irn.com group-object TACACS group-object RSA-AM group-object NAC-1 ! object-group network NAC-2 host 192.168.42.112 ! object-group network CSM_INLINE_dst_rule_81604381037 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object NAC-2 group-object NAC-1 ! object-group network DC-ALL description All of the Data Center 192.168.0.0 255.255.0.0 ! object-group network Stores-ALL description all store networks 10.10.0.0 255.255.0.0 ! object-group network CSM_INLINE_dst_rule_81604381039 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network WCSManager description Wireless Manager host 192.168.43.135 ! object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores host 192.168.43.21 host 192.168.43.22 ! object-group network DC-Wifi-MSE description Mobility Service Engines host 192.168.43.31 host 192.168.43.32 ! object-group network CSM_INLINE_dst_rule_81604381045 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network PAME-DC-1 host 192.168.44.111 ! object-group network MSP-DC-1 description Data Center VSOM host 192.168.44.121 ! object-group network CSM_INLINE_dst_rule_81604381049 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network CSM_INLINE_dst_rule_81604381059 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381067 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381071 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_81604381150 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_dst_rule_81604381152 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network DC-Admin description DC Admin Systems host 192.168.41.101 host 192.168.41.102 ! object-group network CSManager description Cisco Security Manager host 192.168.42.133 ! object-group network CSM_INLINE_src_rule_81604380993 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object EMC-NCM group-object CSManager ! object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center 192.168.52.96 255.255.255.224 ! object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center 192.168.52.144 255.255.255.240 ! object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center 192.168.52.128 255.255.255.240 ! object-group network CSM_INLINE_src_rule_81604381021 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381023 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_81604381041 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_src_rule_81604381043 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network CSM_INLINE_src_rule_81604381047 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network DC-WAAS description WAE Appliances in Data Center host 192.168.48.10 host 192.168.49.10 host 192.168.47.11 host 192.168.47.12 ! object-group network CSM_INLINE_src_rule_81604381051 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) group-object DC-Admin group-object DC-WAAS ! object-group network CSM_INLINE_src_rule_81604381150 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group network CSM_INLINE_src_rule_81604381152 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory) 10.10.126.0 255.255.255.0 10.10.110.0 255.255.255.0 ! object-group service CSM_INLINE_svc_rule_81604380993 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 ! object-group service CSM_INLINE_svc_rule_81604380995 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq syslog udp eq snmp udp eq snmptrap ! object-group service CSM_INLINE_svc_rule_81604381001 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq tacacs udp eq 1812 udp eq 1813 tcp eq 389 tcp eq 636 ! object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts tcp eq 5989 tcp eq 8000 tcp eq 902 tcp eq 903 ! object-group service CSM_INLINE_svc_rule_81604381003 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq 22 group-object vCenter-to-ESX4 ! object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems udp eq 427 tcp eq 427 ! object-group service CSM_INLINE_svc_rule_81604381005 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object vCenter-to-ESX4 group-object ESX-SLP ! object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. tcp range 1300 1319 ! object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. tcp eq 7001 tcp eq 7002 tcp eq 1521 ! object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 tcp eq 2809 tcp eq 9443 tcp eq 1414 ! object-group service ORACLE-OAS description OAS uses one port for HTTP and RMI - 12601. tcp eq 12601 ! object-group service CSM_INLINE_svc_rule_81604381009 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_81604381011 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service HTTPS-8443 tcp eq 8443 ! object-group service CSM_INLINE_svc_rule_81604381013 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381015 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service TOMAX-8990 description Tomax Application Port tcp eq 8990 ! object-group service CSM_INLINE_svc_rule_81604381017 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service CSM_INLINE_svc_rule_81604381019 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service ICMP-Requests description ICMP requests icmp information-request icmp mask-request icmp timestamp-request ! object-group service CSM_INLINE_svc_rule_81604381021 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381023 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_81604381025 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service CSM_INLINE_svc_rule_81604381027 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381029 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp udp tcp eq 443 ! object-group service DNS-Resolving description Domain Name Server tcp eq domain udp eq domain ! object-group service CSM_INLINE_svc_rule_81604381035 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq bootps group-object DNS-Resolving ! object-group service CSM_INLINE_svc_rule_81604381037 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_81604381039 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service CSM_INLINE_svc_rule_81604381041 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service LWAPP description LWAPP UDP ports 12222 and 12223 udp eq 12222 udp eq 12223 ! object-group service TFTP description Trivial File Transfer tcp eq 69 udp eq tftp ! object-group service IP-Protocol-97 description IP protocol 97 97 ! object-group service CSM_INLINE_svc_rule_81604381043 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq 443 tcp eq www tcp eq 22 tcp eq telnet udp eq isakmp group-object CAPWAP group-object LWAPP group-object TFTP group-object IP-Protocol-97 ! object-group service Cisco-Mobility description Mobility ports for Wireless udp eq 16666 udp eq 16667 ! object-group service CSM_INLINE_svc_rule_81604381045 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) udp eq isakmp group-object CAPWAP group-object LWAPP group-object Cisco-Mobility group-object IP-Protocol-97 ! object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing tcp eq 445 ! object-group service CSM_INLINE_svc_rule_81604381051 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381053 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381055 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp tcp eq 139 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_81604381057 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) icmp tcp-udp eq 5060 tcp eq 2000 tcp eq www tcp eq 443 group-object TFTP ! object-group service CSM_INLINE_svc_rule_81604381059 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp-udp eq 5060 tcp eq 2000 ! object-group service CSM_INLINE_svc_rule_81604381061 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_81604381063 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service Netbios description Netbios Servers udp eq netbios-dgm udp eq netbios-ns tcp eq 139 ! object-group service ORACLE-SIM description Oracle Store Inventory Management tcp eq 7777 tcp eq 6003 tcp range 12401 12500 ! object-group service RDP description Windows Remote Desktop tcp eq 3389 ! object-group service Workbrain tcp eq 8444 ! object-group service CSM_INLINE_svc_rule_81604381065 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory) tcp eq ftp tcp eq www tcp eq 443 udp eq 88 tcp-udp eq 42 group-object Microsoft-DS-SMB group-object Netbios group-object ORACLE-SIM group-object RDP group-object Workbrain ! object-group network DC-Applications description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager) 192.168.180.0 255.255.254.0 ! object-group network DC-Voice description Data Center Voice 192.168.45.0 255.255.255.0 ! object-group network MS-Update description Windows Update Server host 192.168.42.150 ! object-group network MSExchange description Mail Server host 192.168.42.140 ! object-group service NTP description NTP Protocols tcp eq 123 udp eq ntp ! object-group network NTP-Servers description NTP Servers host 192.168.62.161 host 162.168.62.162 ! object-group network STORE-POS 10.10.0.0 255.255.0.0 ! object-group network vSphere-1 description vSphere server for Lab host 192.168.41.102 ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! redundancy ! ! ! ! ip tcp synwait-time 10 ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7 match protocol http match protocol https match protocol microsoft-ds match protocol ms-sql match protocol ms-sql-m match protocol netbios-dgm match protocol netbios-ns match protocol oracle match protocol oracle-em-vp match protocol oraclenames match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_10 match access-group name CSM_ZBF_CMAP_ACL_10 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4 match protocol http match protocol https match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_23 match access-group name CSM_ZBF_CMAP_ACL_23 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17 match protocol http match protocol https match protocol imap3 match protocol pop3 match protocol pop3s match protocol smtp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_32 match access-group name CSM_ZBF_CMAP_ACL_32 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-all CSM_ZBF_CLASS_MAP_11 match access-group name CSM_ZBF_CMAP_ACL_11 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14 match protocol http match protocol https match protocol user-8443 class-map type inspect match-all CSM_ZBF_CLASS_MAP_22 match access-group name CSM_ZBF_CMAP_ACL_22 match class-map CSM_ZBF_CMAP_PLMAP_14 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol ftp match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_33 match access-group name CSM_ZBF_CMAP_ACL_33 match class-map CSM_ZBF_CMAP_PLMAP_20 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8 match protocol sip match protocol sip-tls match protocol skinny match protocol tftp match protocol http match protocol https match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_12 match access-group name CSM_ZBF_CMAP_ACL_12 match class-map CSM_ZBF_CMAP_PLMAP_8 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13 match protocol https match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_21 match access-group name CSM_ZBF_CMAP_ACL_21 match class-map CSM_ZBF_CMAP_PLMAP_13 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19 match protocol http match protocol https match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_30 match access-group name CSM_ZBF_CMAP_ACL_30 match class-map CSM_ZBF_CMAP_PLMAP_19 class-map type inspect match-all CSM_ZBF_CLASS_MAP_13 match access-group name CSM_ZBF_CMAP_ACL_13 class-map type inspect match-all CSM_ZBF_CLASS_MAP_20 match access-group name CSM_ZBF_CMAP_ACL_20 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18 match protocol http match protocol https match protocol udp match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_31 match access-group name CSM_ZBF_CMAP_ACL_31 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map match-all BRANCH-BULK-DATA match protocol tftp match protocol nfs match access-group name BULK-DATA-APPS class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_14 match access-group name CSM_ZBF_CMAP_ACL_14 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_27 match access-group name CSM_ZBF_CMAP_ACL_27 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_36 match access-group name CSM_ZBF_CMAP_ACL_36 class-map type inspect match-all CSM_ZBF_CLASS_MAP_15 match access-group name CSM_ZBF_CMAP_ACL_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_26 match access-group name CSM_ZBF_CMAP_ACL_26 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21 match protocol tcp match protocol udp match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_37 match access-group name CSM_ZBF_CMAP_ACL_37 match class-map CSM_ZBF_CMAP_PLMAP_21 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9 match protocol syslog match protocol syslog-conn match protocol snmp match protocol snmptrap class-map type inspect match-all CSM_ZBF_CLASS_MAP_16 match access-group name CSM_ZBF_CMAP_ACL_16 match class-map CSM_ZBF_CMAP_PLMAP_9 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16 match protocol http match protocol https match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_25 match access-group name CSM_ZBF_CMAP_ACL_25 match class-map CSM_ZBF_CMAP_PLMAP_16 class-map type inspect match-all CSM_ZBF_CLASS_MAP_34 match access-group name CSM_ZBF_CMAP_ACL_34 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10 match protocol ldaps match protocol ldap match protocol ldap-admin match protocol radius match protocol tacacs match protocol tacacs-ds match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_17 match access-group name CSM_ZBF_CMAP_ACL_17 match class-map CSM_ZBF_CMAP_PLMAP_10 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15 match protocol http match protocol https match protocol netbios-ns match protocol netbios-dgm match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_24 match access-group name CSM_ZBF_CMAP_ACL_24 match class-map CSM_ZBF_CMAP_PLMAP_15 class-map type inspect match-all CSM_ZBF_CLASS_MAP_35 match access-group name CSM_ZBF_CMAP_ACL_35 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11 match protocol ntp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_18 match access-group name CSM_ZBF_CMAP_ACL_18 match class-map CSM_ZBF_CMAP_PLMAP_11 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12 match protocol bootpc match protocol bootps match protocol udp match protocol tcp match protocol dns match protocol dhcp-failover class-map type inspect match-all CSM_ZBF_CLASS_MAP_19 match access-group name CSM_ZBF_CMAP_ACL_19 match class-map CSM_ZBF_CMAP_PLMAP_12 class-map type inspect match-all CSM_ZBF_CLASS_MAP_29 match access-group name CSM_ZBF_CMAP_ACL_29 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22 match protocol sip match protocol sip-tls match protocol skinny match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_38 match access-group name CSM_ZBF_CMAP_ACL_38 match class-map CSM_ZBF_CMAP_PLMAP_22 class-map type inspect match-all CSM_ZBF_CLASS_MAP_28 match access-group name CSM_ZBF_CMAP_ACL_28 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1 match protocol https match protocol ssh class-map type inspect match-all CSM_ZBF_CLASS_MAP_1 match access-group name CSM_ZBF_CMAP_ACL_1 match class-map CSM_ZBF_CMAP_PLMAP_1 class-map type inspect match-all CSM_ZBF_CLASS_MAP_3 match access-group name CSM_ZBF_CMAP_ACL_3 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2 match protocol https match protocol http match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_2 match access-group name CSM_ZBF_CMAP_ACL_2 match class-map CSM_ZBF_CMAP_PLMAP_2 class-map type inspect match-all CSM_ZBF_CLASS_MAP_5 match access-group name CSM_ZBF_CMAP_ACL_5 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3 match protocol http match protocol https match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_4 match access-group name CSM_ZBF_CMAP_ACL_4 match class-map CSM_ZBF_CMAP_PLMAP_3 class-map type inspect match-all CSM_ZBF_CLASS_MAP_7 match access-group name CSM_ZBF_CMAP_ACL_7 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_6 match access-group name CSM_ZBF_CMAP_ACL_6 match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_9 match access-group name CSM_ZBF_CMAP_ACL_9 match protocol tcp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6 match protocol http match protocol https match protocol ssh match protocol telnet match protocol tftp match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_8 match access-group name CSM_ZBF_CMAP_ACL_8 match class-map CSM_ZBF_CMAP_PLMAP_6 class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix match protocol ldap match protocol telnet match protocol sqlnet match protocol http url "SalesReport" match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol snmp match protocol syslog match protocol dns match protocol icmp match protocol ssh match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER match protocol gnutella match protocol fasttrack match protocol kazaa2 class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! ! policy-map BRANCH-LAN-EDGE-OUT class class-default policy-map BRANCH-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 12 random-detect dscp-based class BULK-DATA bandwidth percent 4 random-detect dscp-based class SCAVENGER bandwidth percent 1 class class-default bandwidth percent 25 random-detect policy-map type inspect CSM_ZBF_POLICY_MAP_18 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_19 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_16 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_23 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_25 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_36 drop log class type inspect CSM_ZBF_CLASS_MAP_37 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_17 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_24 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_24 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_34 drop log class type inspect CSM_ZBF_CLASS_MAP_35 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_14 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_27 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_15 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_21 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_26 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_38 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_12 class type inspect CSM_ZBF_CLASS_MAP_15 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_21 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_13 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_20 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_10 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_23 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_31 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_33 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_11 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_22 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_9 class type inspect CSM_ZBF_CLASS_MAP_13 pass class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_8 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_12 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_7 class type inspect CSM_ZBF_CLASS_MAP_9 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_10 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_11 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_6 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_5 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_8 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_4 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_7 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_3 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_5 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_2 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_4 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_1 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_2 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop policy-map BRANCH-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 ! zone security S_WAN description Store WAN Link zone security S_R-2-R description Bridge link between routers zone security LOOPBACK description Loopback interface zone security S_MGMT description VLAN1000 Management zone security S_Security description VLAN20 Physical Security Systems zone security S_WAAS description VLAN19 WAAS optimization zone security S_WLC-AP description VLAN18 Wireless Systems zone security S_Data description VLAN12 Store Data zone security S_Data-W description VLAN14 Store Wireless Data zone security S_Guest description VLAN17 Guest/Public Wireless zone security S_Voice description VLAN13 Store Voice zone security S_Partners description VLAN16 Partner network zone security S_POS description VLAN 11 POS Data zone security S_POS-W description VLAN15 Store Wireless POS zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_8 zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self service-policy type inspect CSM_ZBF_POLICY_MAP_9 zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_11 zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_12 zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_22 zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_23 zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_24 zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_25 zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_26 zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R service-policy type inspect CSM_ZBF_POLICY_MAP_27 ! ! ! ! ! ! ! interface Loopback0 ip address 10.10.126.2 255.255.255.255 ip pim sparse-dense-mode zone-member security LOOPBACK ! interface GigabitEthernet0/0 ip address 10.10.254.112 255.255.255.0 ip ips Retail-PCI in zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! interface GigabitEthernet0/1 description ROUTER LINK TO SWITCH no ip address duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1.11 description POS encapsulation dot1Q 11 ip address 10.10.112.3 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_POS standby 11 ip 10.10.112.1 standby 11 priority 99 standby 11 preempt ip igmp query-interval 125 service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.12 description DATA encapsulation dot1Q 12 ip address 10.10.113.3 255.255.255.0 ip helper-address 192.168.42.130 ip wccp 61 redirect in ip pim sparse-dense-mode zone-member security S_Data standby 12 ip 10.10.113.1 standby 12 priority 99 standby 12 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.13 description VOICE encapsulation dot1Q 13 ip address 10.10.114.3 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Voice standby 13 ip 10.10.114.1 standby 13 priority 99 standby 13 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.14 description WIRELESS encapsulation dot1Q 14 ip address 10.10.115.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Data-W standby 14 ip 10.10.115.1 standby 14 priority 99 standby 14 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.15 description WIRELESS-POS encapsulation dot1Q 15 ip address 10.10.116.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_POS-W standby 15 ip 10.10.116.1 standby 15 priority 99 standby 15 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.16 description PARTNER encapsulation dot1Q 16 ip address 10.10.117.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Partners standby 16 ip 10.10.117.1 standby 16 priority 99 standby 16 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.17 description WIRELESS-GUEST encapsulation dot1Q 17 ip address 10.10.118.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Guest standby 17 ip 10.10.118.1 standby 17 priority 99 standby 17 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.18 description WIRELESS-CONTROL encapsulation dot1Q 18 ip address 10.10.119.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WLC-AP standby 18 ip 10.10.119.1 standby 18 priority 99 standby 18 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.19 description WAAS encapsulation dot1Q 19 ip address 10.10.120.3 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WAAS standby 19 ip 10.10.120.1 standby 19 priority 99 standby 19 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.20 description SECURITY-SYSTEMS encapsulation dot1Q 20 ip address 10.10.121.3 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Security standby 20 ip 10.10.121.1 standby 20 priority 99 standby 20 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.101 description ROUTER LINK TO encapsulation dot1Q 101 ip address 10.10.126.26 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R service-policy input BRANCH-LAN-EDGE-IN ! interface GigabitEthernet0/1.1000 description MANAGEMENT encapsulation dot1Q 1000 ip address 10.10.127.3 255.255.255.0 zone-member security S_MGMT standby 100 ip 10.10.127.1 standby 100 priority 99 standby 100 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/2 no ip address duplex auto speed auto ! interface GigabitEthernet0/2.102 description ROUTER LINK TO encapsulation dot1Q 102 ip address 10.10.126.30 255.255.255.252 ip pim sparse-dense-mode zone-member security S_R-2-R service-policy input BRANCH-LAN-EDGE-IN ! interface SM1/0 description Video Survillance VMSS Module ip address 10.10.126.45 255.255.255.252 zone-member security S_Security service-module ip address 10.10.126.46 255.255.255.252 !Application: FNDN Running on SM service-module ip default-gateway 10.10.126.45 hold-queue 60 out ! interface SM1/1 description Internal switch interface connected to Service Module ! interface SM2/0 ip address 10.10.126.50 255.255.255.252 zone-member security S_MGMT service-module ip address 10.10.126.49 255.255.255.252 !Application: SRE-V Running on SMV service-module ip default-gateway 10.10.126.50 service-module mgf ip address 10.10.125.49 255.255.255.0 hold-queue 60 out ! interface SM2/1 description Internal switch interface connected to Service Module ! interface Vlan1 description ESXi Host and Virtual Machines$ES_LAN$ ip address 10.10.125.50 255.255.255.0 zone-member security S_POS ! ! router ospf 5 router-id 10.10.126.2 redistribute connected subnets passive-interface default no passive-interface GigabitEthernet0/1.101 no passive-interface GigabitEthernet0/2.102 network 10.10.0.0 0.0.255.255 area 10 default-information originate ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ip route 0.0.0.0 0.0.0.0 10.10.254.11 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended CSM_ZBF_CMAP_ACL_1 remark Data Center Mgmt to Devices permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_10 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_11 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_12 remark Data Center VOICE (wired and Wireless) permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_13 permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150 ip access-list extended CSM_ZBF_CMAP_ACL_14 remark Store WAAS to Clients and Servers permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_15 permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152 ip access-list extended CSM_ZBF_CMAP_ACL_16 remark Syslog and SNMP Alerts permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995 ip access-list extended CSM_ZBF_CMAP_ACL_17 remark Store to Data Center Authentications permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001 ip access-list extended CSM_ZBF_CMAP_ACL_18 remark Store to Data Center for NTP permit object-group NTP object-group Stores-ALL object-group NTP-Servers ip access-list extended CSM_ZBF_CMAP_ACL_19 remark Store to Data Center for DHCP and DNS permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com ip access-list extended CSM_ZBF_CMAP_ACL_2 remark Data Center subscribe to IPS SDEE events permit tcp object-group RSA-enVision object-group Stores-ALL eq 443 ip access-list extended CSM_ZBF_CMAP_ACL_20 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039 ip access-list extended CSM_ZBF_CMAP_ACL_21 remark Store UCS E-series server to Data Center vShphere permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1 ip access-list extended CSM_ZBF_CMAP_ACL_22 remark Store NAC permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037 ip access-list extended CSM_ZBF_CMAP_ACL_23 remark Store to Data Center Physical Security permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049 ip access-list extended CSM_ZBF_CMAP_ACL_24 remark Store WAAS (WAAS Devices need their own zone) permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS ip access-list extended CSM_ZBF_CMAP_ACL_25 remark Store to Data Center wireless controller traffic permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045 ip access-list extended CSM_ZBF_CMAP_ACL_26 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax ip access-list extended CSM_ZBF_CMAP_ACL_27 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_28 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_29 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_3 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_30 remark Permit POS clients to talk to store POS server permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_31 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_32 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_33 remark Store DATA (wired and Wireless - Access to DC Other applications) permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications ip access-list extended CSM_ZBF_CMAP_ACL_34 remark Store GUEST - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071 ip access-list extended CSM_ZBF_CMAP_ACL_35 remark Store GUEST (access to internet/DMZ web servers) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_36 remark Store PARTNERS - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067 ip access-list extended CSM_ZBF_CMAP_ACL_37 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_38 remark Store VOICE (wired and Wireless - Acess to corporate wide voice) permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059 ip access-list extended CSM_ZBF_CMAP_ACL_4 remark Data Center vSphere to UCS E-series server permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_5 remark Data Center to Store Physical Security permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_6 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_7 remark Data Center WAAS to Store permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_8 remark Data Center Wireless Control to AP's and Controllers in stores permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_9 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group STORE-POS ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip any 192.168.52.0 0.0.0.255 ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444 remark --Large store Clock Server to CUAE permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000 remark ---LiteScape Application--- permit ip any host 192.168.46.82 permit ip any 239.192.0.0 0.0.0.255 permit ip any host 239.255.255.250 remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp any 192.168.46.0 0.0.0.255 eq 7777 permit tcp any 192.168.46.0 0.0.0.255 eq 6003 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! ! ! nls resp-timeout 1 cpd cr-id 1 ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps flash insertion removal snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server domain-stripping tacacs-server key 7 <removed> ! ! control-plane ! ! ! ! mgcp profile default ! ! ! ! ! gatekeeper shutdown ! ! banner exec WARNING: ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 login authentication RETAIL no exec transport preferred none transport output none line 67 no activation-character no exec transport preferred none transport input ssh transport output none stopbits 1 line 131 no activation-character no exec transport preferred none transport input ssh transport output none stopbits 1 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! scheduler allocate 20000 1000 scheduler interval 500 ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 end S-A2-MED-1 S-A2-MED-1/2#sh run Building configuration... Current configuration : 16629 bytes ! ! Last configuration change at 02:28:28 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:28:32 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname S-A2-MED-1/2 ! boot-start-marker boot-end-marker ! logging buffered 50000 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring switch 1 provision ws-c3750x-48p switch 2 provision ws-c3750x-48p system mtu routing 1500 authentication mac-move permit ip subnet-zero no ip source-route no ip gratuitous-arps ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-4271428864 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4271428864 revocation-check none rsakeypair TP-self-signed-4271428864 ! ! crypto pki certificate chain TP-self-signed-4271428864 certificate self-signed 01 <removed> quit archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree etherchannel guard misconfig spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ip tcp synwait-time 10 ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! ! interface FastEthernet0 no ip address shutdown ! interface GigabitEthernet1/0/1 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/2 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/3 description Cisco9971 IP phone switchport access vlan 11 switchport trunk encapsulation dot1q switchport voice vlan 13 spanning-tree portfast ! interface GigabitEthernet1/0/4 description Cisco7975 IP phone switchport access vlan 11 switchport trunk encapsulation dot1q switchport voice vlan 13 spanning-tree portfast ! interface GigabitEthernet1/0/5 switchport access vlan 20 ! interface GigabitEthernet1/0/6 description CPAM Gateway switchport access vlan 20 ! interface GigabitEthernet1/0/7 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/8 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/9 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/10 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/11 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/12 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/13 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/14 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/15 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/16 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/17 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/18 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/19 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/20 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/21 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/22 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/23 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/24 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/25 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/26 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/27 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/28 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/29 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/30 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/31 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/32 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/33 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/34 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/35 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/36 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/37 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/38 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/39 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/40 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/41 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/42 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/43 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/44 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/45 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/46 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/47 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/48 switchport access vlan 17 shutdown ! interface GigabitEthernet1/1/1 shutdown ! interface GigabitEthernet1/1/2 shutdown ! interface GigabitEthernet1/1/3 shutdown ! interface GigabitEthernet1/1/4 shutdown ! interface TenGigabitEthernet1/1/1 shutdown ! interface TenGigabitEthernet1/1/2 shutdown ! interface GigabitEthernet2/0/1 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet2/0/2 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet2/0/3 ! interface GigabitEthernet2/0/4 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet2/0/5 description AIR-CAP3502E switchport trunk encapsulation dot1q switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode trunk ! interface GigabitEthernet2/0/6 description AIR-LAP1262N switchport trunk encapsulation dot1q switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode trunk ! interface GigabitEthernet2/0/7 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet2/0/8 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/9 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/10 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/11 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/12 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/13 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/14 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/15 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/16 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/17 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/18 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/19 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/20 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/21 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/22 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/23 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/24 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/25 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/26 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/27 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/28 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/29 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/30 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/31 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/32 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/33 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/34 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/35 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/36 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/37 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/38 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/39 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/40 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/41 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/42 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/43 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/44 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/45 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/46 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/47 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/48 switchport access vlan 17 shutdown ! interface GigabitEthernet2/1/1 shutdown ! interface GigabitEthernet2/1/2 shutdown ! interface GigabitEthernet2/1/3 shutdown ! interface GigabitEthernet2/1/4 shutdown ! interface TenGigabitEthernet2/1/1 shutdown ! interface TenGigabitEthernet2/1/2 shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.127.11 255.255.255.0 ! ip default-gateway 10.10.127.1 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ! ip sla enable reaction-alerts logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps power-ethernet group 1-4 snmp-server enable traps power-ethernet police snmp-server enable traps cpu threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps errdisable snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL speed 115200 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! scheduler interval 500 ntp clock-period 36027426 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end S-A2-MED-1/2# S-A2-MED-3 S-A2-MED-3#sh run Building configuration... Current configuration : 8650 bytes ! ! Last configuration change at 02:34:20 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:34:21 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname S-A2-MED-3 ! boot-start-marker boot-end-marker ! logging buffered 50000 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 no ip source-route ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-1308417408 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1308417408 revocation-check none rsakeypair TP-self-signed-1308417408 ! ! crypto pki certificate chain TP-self-signed-1308417408 certificate self-signed 01 <removed> quit archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! ! interface FastEthernet0/1 switchport access vlan 17 shutdown ! interface FastEthernet0/2 switchport access vlan 17 shutdown ! interface FastEthernet0/3 switchport access vlan 17 shutdown ! interface FastEthernet0/4 switchport access vlan 17 shutdown ! interface FastEthernet0/5 switchport access vlan 17 shutdown ! interface FastEthernet0/6 switchport access vlan 17 shutdown ! interface FastEthernet0/7 switchport access vlan 17 shutdown ! interface FastEthernet0/8 switchport access vlan 17 shutdown ! interface GigabitEthernet0/1 shutdown ! interface GigabitEthernet0/2 ! interface Vlan1 no ip address ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.127.13 255.255.255.0 ! ip default-gateway 10.10.127.1 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ! ip sla enable reaction-alerts logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps power-ethernet group 1 snmp-server enable traps power-ethernet police snmp-server enable traps cpu threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps errdisable snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: * ** AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO ADMINISTRATOR OR OTHEMIME WITHOUT FU L NFORCEMENT OFFCIAL NDPRSETHO OF STATEAND FEER^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL speed 115200 line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36028775 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end Small Branch R-A2-SMALL ! ! Last configuration change at 00:44:15 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 00:44:16 PSTDST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname R-A2-Small-1 ! boot-start-marker boot system flash0 c2900-universalk9-mz.SPA.151-3.T.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! ! ! aaa session-id common ! clock timezone PST -8 0 clock summer-time PSTDST recurring ! no ipv6 cef ip source-route ip cef ! ! ! ip multicast-routing ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ip port-map user-8443 port tcp 8443 ip ips notify SDEE ip ips name Retail-PCI ! ip ips signature-category category all retired true category ios_ips default retired false ! ip wccp 61 ip wccp 62 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! multilink bundle-name authenticated ! parameter-map type inspect global WAAS enable parameter-map type inspect Inspect-1 audit-trail on parameter-map type trend-global trend-glob-map ! ! ! ! password encryption aes crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-503450500 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-503450500 revocation-check none rsakeypair TP-self-signed-503450500 ! ! crypto pki certificate chain TP-self-signed-503450500 certificate self-signed 01 <removed> quit voice-card 0 ! ! ! ! ! ! ! license udi pid CISCO2921/K9 sn <removed> hw-module ism 0 ! hw-module sm 1 ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys object-group network ActiveDirectory.cisco-irn.com host 192.168.42.130 ! object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 udp eq 5246 udp eq 5247 ! object-group service CISCO-WAAS description Ports for Cisco WAAS tcp eq 4050 ! object-group network DC-ALL description All of the Data Center 192.168.0.0 255.255.0.0 ! object-group network Stores-ALL description all store networks 10.10.0.0 255.255.0.0 ! object-group network CSM_INLINE_dst_rule_68719541425 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network WCSManager description Wireless Manager host 192.168.43.135 ! object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores host 192.168.43.21 host 192.168.43.22 ! object-group network DC-Wifi-MSE description Mobility Service Engines host 192.168.43.31 host 192.168.43.32 ! object-group network CSM_INLINE_dst_rule_68719541431 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network PAME-DC-1 host 192.168.44.111 ! object-group network MSP-DC-1 description Data Center VSOM host 192.168.44.121 ! object-group network CSM_INLINE_dst_rule_68719541435 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network CSM_INLINE_dst_rule_68719541457 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_68719541461 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_68719541465 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network EMC-NCM description EMC Network Configuration Manager host 192.168.42.122 ! object-group network RSA-enVision description RSA EnVision Syslog collector and SIM host 192.168.42.124 ! object-group network CSM_INLINE_dst_rule_73014451187 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object EMC-NCM group-object RSA-enVision ! object-group network TACACS description Csico Secure ACS server for TACACS and Radius host 192.168.42.131 ! object-group network RSA-AM description RSA Authentication Manager for SecureID host 192.168.42.137 ! object-group network NAC-1 description ISE server for NAC host 192.168.42.111 ! object-group network CSM_INLINE_dst_rule_73014451193 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object ActiveDirectory.cisco-irn.com group-object TACACS group-object RSA-AM group-object NAC-1 ! object-group network NAC-2 host 192.168.42.112 ! object-group network CSM_INLINE_dst_rule_73014451223 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object NAC-2 group-object NAC-1 ! object-group network DC-Admin description DC Admin Systems host 192.168.41.101 host 192.168.41.102 ! object-group network CSManager description Cisco Security Manager host 192.168.42.133 ! object-group network CSM_INLINE_src_rule_68719541409 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object EMC-NCM group-object CSManager ! object-group network CSM_INLINE_src_rule_68719541427 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_src_rule_68719541429 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network CSM_INLINE_src_rule_68719541433 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network DC-WAAS description WAE Appliances in Data Center host 192.168.48.10 host 192.168.49.10 host 192.168.47.11 host 192.168.47.12 ! object-group network CSM_INLINE_src_rule_68719541437 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-WAAS ! object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center 192.168.52.96 255.255.255.224 ! object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center 192.168.52.144 255.255.255.240 ! object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center 192.168.52.128 255.255.255.240 ! object-group network CSM_INLINE_src_rule_73014451215 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_73014451217 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group service CSM_INLINE_svc_rule_68719541409 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 ! object-group service CSM_INLINE_svc_rule_68719541425 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service CSM_INLINE_svc_rule_68719541427 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service LWAPP description LWAPP UDP ports 12222 and 12223 udp eq 12222 udp eq 12223 ! object-group service TFTP description Trivial File Transfer tcp eq 69 udp eq tftp ! object-group service IP-Protocol-97 description IP protocol 97 97 ! object-group service CSM_INLINE_svc_rule_68719541429 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq www tcp eq 22 tcp eq telnet udp eq isakmp group-object CAPWAP group-object LWAPP group-object TFTP group-object IP-Protocol-97 ! object-group service Cisco-Mobility description Mobility ports for Wireless udp eq 16666 udp eq 16667 ! object-group service CSM_INLINE_svc_rule_68719541431 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq isakmp group-object CAPWAP group-object LWAPP group-object Cisco-Mobility group-object IP-Protocol-97 ! object-group service HTTPS-8443 tcp eq 8443 ! object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing tcp eq 445 ! object-group service CSM_INLINE_svc_rule_68719541437 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_68719541439 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_68719541455 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp tcp-udp eq 5060 tcp eq 2000 tcp eq www tcp eq 443 group-object TFTP ! object-group service CSM_INLINE_svc_rule_68719541457 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp-udp eq 5060 tcp eq 2000 ! object-group service Netbios description Netbios Servers udp eq netbios-dgm udp eq netbios-ns tcp eq 139 ! object-group service ORACLE-SIM description Oracle Store Inventory Management tcp eq 7777 tcp eq 6003 tcp range 12401 12500 ! object-group service RDP description Windows Remote Desktop tcp eq 3389 ! object-group service Workbrain tcp eq 8444 ! object-group service CSM_INLINE_svc_rule_68719541459 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq ftp tcp eq www tcp eq 443 udp eq 88 tcp-udp eq 42 group-object Microsoft-DS-SMB group-object Netbios group-object ORACLE-SIM group-object RDP group-object Workbrain ! object-group service CSM_INLINE_svc_rule_73014451187 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq syslog udp eq snmp udp eq snmptrap ! object-group service CSM_INLINE_svc_rule_73014451193 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq tacacs udp eq 1812 udp eq 1813 tcp eq 389 tcp eq 636 ! object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts tcp eq 5989 tcp eq 8000 tcp eq 902 tcp eq 903 ! object-group service CSM_INLINE_svc_rule_73014451195 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq 22 group-object vCenter-to-ESX4 ! object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems udp eq 427 tcp eq 427 ! object-group service CSM_INLINE_svc_rule_73014451197 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object vCenter-to-ESX4 group-object ESX-SLP ! object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. tcp range 1300 1319 ! object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. tcp eq 7001 tcp eq 7002 tcp eq 1521 ! object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 tcp eq 2809 tcp eq 9443 tcp eq 1414 ! object-group service ORACLE-OAS description OAS uses one port for HTTP and RMI - 12601. tcp eq 12601 ! object-group service CSM_INLINE_svc_rule_73014451203 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_73014451205 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_73014451207 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_73014451209 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service TOMAX-8990 description Tomax Application Port tcp eq 8990 ! object-group service CSM_INLINE_svc_rule_73014451211 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service CSM_INLINE_svc_rule_73014451213 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service ICMP-Requests description ICMP requests icmp information-request icmp mask-request icmp timestamp-request ! object-group service CSM_INLINE_svc_rule_73014451215 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_73014451217 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service DNS-Resolving description Domain Name Server tcp eq domain udp eq domain ! object-group service CSM_INLINE_svc_rule_73014451221 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq bootps group-object DNS-Resolving ! object-group service CSM_INLINE_svc_rule_73014451223 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_73014451388 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_73014451393 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service CSM_INLINE_svc_rule_73014451395 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451397 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp udp tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451404 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451406 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group network DC-Applications description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager) 192.168.180.0 255.255.254.0 ! object-group network DC-Voice description Data Center Voice 192.168.45.0 255.255.255.0 ! object-group network MS-Update description Windows Update Server host 192.168.42.150 ! object-group network MSExchange description Mail Server host 192.168.42.140 ! object-group service NTP description NTP Protocols tcp eq 123 udp eq ntp ! object-group network NTP-Servers description NTP Servers host 192.168.62.161 host 162.168.62.162 ! object-group network POS-Store-SMALL-1 description Small Store POS devices host 10.10.128.81 host 10.10.128.82 ! object-group network STORE-POS group-object POS-Store-SMALL-1 ! object-group network vSphere-1 description vSphere server for Lab host 192.168.41.102 ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! redundancy ! ! ! ! ip ssh version 2 ip scp server enable ! class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7 match protocol http match protocol https match protocol microsoft-ds match protocol ms-sql match protocol ms-sql-m match protocol netbios-dgm match protocol netbios-ns match protocol oracle match protocol oracle-em-vp match protocol oraclenames match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_10 match access-group name CSM_ZBF_CMAP_ACL_10 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16 match protocol http match protocol https match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_23 match access-group name CSM_ZBF_CMAP_ACL_23 match class-map CSM_ZBF_CMAP_PLMAP_16 class-map type inspect match-all CSM_ZBF_CLASS_MAP_32 match access-group name CSM_ZBF_CMAP_ACL_32 class-map type inspect match-all CSM_ZBF_CLASS_MAP_11 match access-group name CSM_ZBF_CMAP_ACL_11 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_22 match access-group name CSM_ZBF_CMAP_ACL_22 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4 match protocol http match protocol https match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_33 match access-group name CSM_ZBF_CMAP_ACL_33 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8 match protocol sip match protocol sip-tls match protocol skinny match protocol tftp match protocol http match protocol https match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_12 match access-group name CSM_ZBF_CMAP_ACL_12 match class-map CSM_ZBF_CMAP_PLMAP_8 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15 match protocol http match protocol https match protocol netbios-ns match protocol netbios-dgm match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_21 match access-group name CSM_ZBF_CMAP_ACL_21 match class-map CSM_ZBF_CMAP_PLMAP_15 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17 match protocol http match protocol https match protocol imap3 match protocol pop3 match protocol pop3s match protocol smtp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_30 match access-group name CSM_ZBF_CMAP_ACL_30 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9 match protocol syslog match protocol syslog-conn match protocol snmp match protocol snmptrap class-map type inspect match-all CSM_ZBF_CLASS_MAP_13 match access-group name CSM_ZBF_CMAP_ACL_13 match class-map CSM_ZBF_CMAP_PLMAP_9 class-map type inspect match-all CSM_ZBF_CLASS_MAP_20 match access-group name CSM_ZBF_CMAP_ACL_20 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol ftp match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_31 match access-group name CSM_ZBF_CMAP_ACL_31 match class-map CSM_ZBF_CMAP_PLMAP_20 class-map match-all BRANCH-BULK-DATA match protocol tftp match protocol nfs match access-group name BULK-DATA-APPS class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10 match protocol ldaps match protocol ldap match protocol ldap-admin match protocol radius match protocol tacacs match protocol tacacs-ds match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_14 match access-group name CSM_ZBF_CMAP_ACL_14 match class-map CSM_ZBF_CMAP_PLMAP_10 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18 match protocol http match protocol https match protocol udp match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_27 match access-group name CSM_ZBF_CMAP_ACL_27 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22 match protocol sip match protocol sip-tls match protocol skinny match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_36 match access-group name CSM_ZBF_CMAP_ACL_36 match class-map CSM_ZBF_CMAP_PLMAP_22 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11 match protocol ntp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_15 match access-group name CSM_ZBF_CMAP_ACL_15 match class-map CSM_ZBF_CMAP_PLMAP_11 class-map type inspect match-all CSM_ZBF_CLASS_MAP_26 match access-group name CSM_ZBF_CMAP_ACL_26 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12 match protocol bootpc match protocol bootps match protocol udp match protocol tcp match protocol dns match protocol dhcp-failover class-map type inspect match-all CSM_ZBF_CLASS_MAP_16 match access-group name CSM_ZBF_CMAP_ACL_16 match class-map CSM_ZBF_CMAP_PLMAP_12 class-map type inspect match-all CSM_ZBF_CLASS_MAP_25 match access-group name CSM_ZBF_CMAP_ACL_25 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_34 match access-group name CSM_ZBF_CMAP_ACL_34 class-map type inspect match-all CSM_ZBF_CLASS_MAP_17 match access-group name CSM_ZBF_CMAP_ACL_17 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_24 match access-group name CSM_ZBF_CMAP_ACL_24 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21 match protocol tcp match protocol udp match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_35 match access-group name CSM_ZBF_CMAP_ACL_35 match class-map CSM_ZBF_CMAP_PLMAP_21 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13 match protocol https match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_18 match access-group name CSM_ZBF_CMAP_ACL_18 match class-map CSM_ZBF_CMAP_PLMAP_13 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14 match protocol http match protocol https match protocol user-8443 class-map type inspect match-all CSM_ZBF_CLASS_MAP_19 match access-group name CSM_ZBF_CMAP_ACL_19 match class-map CSM_ZBF_CMAP_PLMAP_14 class-map type inspect match-all CSM_ZBF_CLASS_MAP_29 match access-group name CSM_ZBF_CMAP_ACL_29 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19 match protocol http match protocol https match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_28 match access-group name CSM_ZBF_CMAP_ACL_28 match class-map CSM_ZBF_CMAP_PLMAP_19 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1 match protocol https match protocol ssh class-map type inspect match-all CSM_ZBF_CLASS_MAP_1 match access-group name CSM_ZBF_CMAP_ACL_1 match class-map CSM_ZBF_CMAP_PLMAP_1 class-map type inspect match-all CSM_ZBF_CLASS_MAP_3 match access-group name CSM_ZBF_CMAP_ACL_3 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2 match protocol https match protocol http match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_2 match access-group name CSM_ZBF_CMAP_ACL_2 match class-map CSM_ZBF_CMAP_PLMAP_2 class-map type inspect match-all CSM_ZBF_CLASS_MAP_5 match access-group name CSM_ZBF_CMAP_ACL_5 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3 match protocol http match protocol https match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_4 match access-group name CSM_ZBF_CMAP_ACL_4 match class-map CSM_ZBF_CMAP_PLMAP_3 class-map type inspect match-all CSM_ZBF_CLASS_MAP_7 match access-group name CSM_ZBF_CMAP_ACL_7 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_6 match access-group name CSM_ZBF_CMAP_ACL_6 match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_9 match access-group name CSM_ZBF_CMAP_ACL_9 match protocol tcp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6 match protocol http match protocol https match protocol ssh match protocol telnet match protocol tftp match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_8 match access-group name CSM_ZBF_CMAP_ACL_8 match class-map CSM_ZBF_CMAP_PLMAP_6 class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix match protocol ldap match protocol telnet match protocol sqlnet match protocol http url "SalesReport" match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol snmp match protocol syslog match protocol dns match protocol icmp match protocol ssh match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER match protocol gnutella match protocol fasttrack match protocol kazaa2 class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! ! policy-map BRANCH-LAN-EDGE-OUT class class-default policy-map BRANCH-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 12 random-detect dscp-based class BULK-DATA bandwidth percent 4 random-detect dscp-based class SCAVENGER bandwidth percent 1 class class-default bandwidth percent 25 random-detect policy-map type inspect CSM_ZBF_POLICY_MAP_18 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_19 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_31 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_16 class type inspect CSM_ZBF_CLASS_MAP_24 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_17 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_14 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_15 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_23 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_12 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_21 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_34 drop log class type inspect CSM_ZBF_CLASS_MAP_35 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_13 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_21 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_20 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 drop log class type inspect CSM_ZBF_CLASS_MAP_33 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_10 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_11 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_22 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_36 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_9 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_8 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_12 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_7 class type inspect CSM_ZBF_CLASS_MAP_9 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_10 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_11 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_6 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_5 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_8 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_4 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_7 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_3 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_5 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_2 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_4 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_1 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_2 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop policy-map BRANCH-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 ! zone security S_WAN description Store WAN Link zone security LOOPBACK description Loopback interface zone security S_MGMT description VLAN1000 Management zone security S_Security description VLAN20 Physical Security Systems zone security S_WAAS description VLAN19 WAAS optimization zone security S_WLC-AP description VLAN18 Wireless Systems zone security S_Data description VLAN12 Store Data zone security S_Data-W description VLAN14 Store Wireless Data zone security S_Guest description VLAN17 Guest/Public Wireless zone security S_Voice description VLAN13 Store Voice zone security S_Partners description VLAN16 Partner network zone security S_POS description VLAN 11 POS Data zone security S_POS-W description VLAN15 Store Wireless POS zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_8 zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_9 zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_11 zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_12 zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_22 ! ! ! ! ! ! ! interface Loopback0 ip address 10.10.142.1 255.255.255.255 ip pim sparse-dense-mode zone-member security LOOPBACK ! interface GigabitEthernet0/0 description ROUTER LINK TO SWITCH no ip address duplex auto speed auto ! interface GigabitEthernet0/0.11 description POS encapsulation dot1Q 11 ip address 10.10.128.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_POS standby 11 ip 10.10.128.1 standby 11 priority 101 standby 11 preempt ip igmp query-interval 125 service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.12 description DATA encapsulation dot1Q 12 ip address 10.10.129.2 255.255.255.0 ip helper-address 192.168.42.130 ip wccp 61 redirect in ip pim sparse-dense-mode zone-member security S_Data standby 12 ip 10.10.129.1 standby 12 priority 101 standby 12 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.13 description VOICE encapsulation dot1Q 13 ip address 10.10.130.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Voice standby 13 ip 10.10.130.1 standby 13 priority 101 standby 13 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.14 description WIRELESS encapsulation dot1Q 14 ip address 10.10.131.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Data-W standby 14 ip 10.10.131.1 standby 14 priority 101 standby 14 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.15 description WIRELESS-POS encapsulation dot1Q 15 ip address 10.10.132.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_POS-W standby 15 ip 10.10.132.1 standby 15 priority 101 standby 15 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.16 description PARTNER encapsulation dot1Q 16 ip address 10.10.133.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Partners standby 16 ip 10.10.133.1 standby 16 priority 101 standby 16 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.17 description WIRELESS-GUEST encapsulation dot1Q 17 ip address 10.10.134.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Guest standby 17 ip 10.10.134.1 standby 17 priority 101 standby 17 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.18 description WIRELESS-CONTROL encapsulation dot1Q 18 ip address 10.10.135.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WLC-AP standby 18 ip 10.10.135.1 standby 18 priority 101 standby 18 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.19 description WAAS encapsulation dot1Q 19 ip address 10.10.136.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WAAS standby 19 ip 10.10.136.1 standby 19 priority 101 standby 19 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.20 description SECURITY-SYSTEMS encapsulation dot1Q 20 ip address 10.10.137.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Security standby 20 ip 10.10.137.1 standby 20 priority 101 standby 20 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/0.1000 description MANAGEMENT encapsulation dot1Q 1000 ip address 10.10.143.2 255.255.255.0 zone-member security S_MGMT standby 100 ip 10.10.143.1 standby 100 priority 101 standby 100 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface ISM0/0 no ip address shutdown !Application: Online on SME hold-queue 60 out ! interface GigabitEthernet0/1 ip address 10.10.255.128 255.255.255.0 ip ips Retail-PCI in zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! interface GigabitEthernet0/2 ip address 10.10.254.128 255.255.255.0 ip ips Retail-PCI in zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! interface ISM0/1 description Internal switch interface connected to Internal Service Module shutdown ! interface SM1/0 no ip address zone-member security S_Security shutdown service-module fail-open hold-queue 60 out ! interface SM1/1 description Internal switch interface connected to Service Module ! interface Vlan1 no ip address zone-member security S_POS ! ! router ospf 5 router-id 10.10.142.1 passive-interface default ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ip route 0.0.0.0 0.0.0.0 10.10.255.11 ip route 0.0.0.0 0.0.0.0 10.10.254.11 50 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended CSM_ZBF_CMAP_ACL_1 remark Data Center Mgmt to Devices permit object-group CSM_INLINE_svc_rule_68719541409 object-group CSM_INLINE_src_rule_68719541409 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_10 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_11 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451215 object-group CSM_INLINE_src_rule_73014451215 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_12 remark Data Center VOICE (wired and Wireless) permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_13 remark Syslog and SNMP Alerts permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451187 ip access-list extended CSM_ZBF_CMAP_ACL_14 remark Store to Data Center Authentications permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451193 ip access-list extended CSM_ZBF_CMAP_ACL_15 remark Store to Data Center for NTP permit object-group NTP object-group Stores-ALL object-group NTP-Servers ip access-list extended CSM_ZBF_CMAP_ACL_16 remark Store to Data Center for DHCP and DNS permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com ip access-list extended CSM_ZBF_CMAP_ACL_17 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541425 ip access-list extended CSM_ZBF_CMAP_ACL_18 remark Store UCS E-series server to Data Center vShphere permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group vSphere-1 ip access-list extended CSM_ZBF_CMAP_ACL_19 remark Store NAC permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451223 ip access-list extended CSM_ZBF_CMAP_ACL_2 remark Data Center subscribe to IPS SDEE events permit tcp object-group RSA-enVision object-group Stores-ALL eq 443 ip access-list extended CSM_ZBF_CMAP_ACL_20 remark Store to Data Center Physical Security permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435 ip access-list extended CSM_ZBF_CMAP_ACL_21 remark Store WAAS (WAAS Devices need their own zone) permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group DC-WAAS ip access-list extended CSM_ZBF_CMAP_ACL_22 remark Store WAAS to Clients and Servers permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_23 remark Store to Data Center wireless controller traffic permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541431 ip access-list extended CSM_ZBF_CMAP_ACL_24 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group DC-POS-Oracle remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group DC-POS-SAP remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group DC-POS-Tomax ip access-list extended CSM_ZBF_CMAP_ACL_25 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451217 object-group CSM_INLINE_src_rule_73014451217 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_26 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_27 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_28 remark Permit POS clients to talk to store POS server permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_29 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_3 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_68719541427 object-group CSM_INLINE_src_rule_68719541427 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_30 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_31 remark Store DATA (wired and Wireless - Access to DC Other applications) permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group DC-Applications ip access-list extended CSM_ZBF_CMAP_ACL_32 remark Store GUEST - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465 ip access-list extended CSM_ZBF_CMAP_ACL_33 remark Store GUEST (access to internet/DMZ web servers) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_34 remark Store PARTNERS - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461 ip access-list extended CSM_ZBF_CMAP_ACL_35 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_36 remark Store VOICE (wired and Wireless - Acess to corporate wide voice) permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541457 ip access-list extended CSM_ZBF_CMAP_ACL_4 remark Data Center vSphere to UCS E-series server permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_5 remark Data Center to Store Physical Security permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_6 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_7 remark Data Center WAAS to Store permit object-group CSM_INLINE_svc_rule_68719541437 object-group CSM_INLINE_src_rule_68719541437 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_8 remark Data Center Wireless Control to AP's and Controllers in stores permit object-group CSM_INLINE_svc_rule_68719541429 object-group CSM_INLINE_src_rule_68719541429 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_9 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group STORE-POS ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip any 192.168.52.0 0.0.0.255 ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444 remark --Large store Clock Server to CUAE permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000 remark ---LiteScape Application--- permit ip any host 192.168.46.82 permit ip any 239.192.0.0 0.0.0.255 permit ip any host 239.255.255.250 remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp any 192.168.46.0 0.0.0.255 eq 7777 permit tcp any 192.168.46.0 0.0.0.255 eq 6003 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! ! ! ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps flash insertion removal snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server domain-stripping tacacs-server key 7 <removed> ! ! control-plane ! ! ! ! mgcp profile default ! ! ! ! ! gatekeeper shutdown ! ! banner exec C WARNING: ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 no exec transport preferred none transport output none line 67 no activation-character no exec transport preferred none transport input ssh transport output none stopbits 1 flowcontrol software line 131 no activation-character no exec transport preferred none transport input ssh transport output none stopbits 1 flowcontrol software line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! scheduler allocate 20000 1000 ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 end S-A2-SMALL S-A2-Small-1#sh run Building configuration... Current configuration : 16143 bytes ! ! Last configuration change at 02:23:14 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:23:18 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname S-A2-Small-1 ! boot-start-marker boot-end-marker ! logging buffered 50000 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring switch 1 provision ws-c2960s-48fps-l switch 2 provision ws-c2960s-48fps-l authentication mac-move permit ip subnet-zero no ip source-route ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-1383908352 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1383908352 revocation-check none rsakeypair TP-self-signed-1383908352 ! ! crypto pki certificate chain TP-self-signed-1383908352 certificate self-signed 01 30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31333833 39303833 3532301E 170D3131 30343232 30333331 35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33383339 30383335 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100BD50 C6915FE3 A1789C0E 11A0BABD EC2528DB 3F8FBCF6 64D90C72 AD2D2A13 A012AB72 F5F9EEDE 4E77EDA9 D3CE6985 BA2246A1 21FF6D61 B8FFC558 331CD608 DB59F546 838396C6 29266AF9 6B968127 75A7CE55 6D0B3734 0454EA42 24E9C995 1AC5D0C3 0850D703 F58A2E82 6FB13D8D 372F03D8 A5B2B577 CDB7A9D5 7AFC40B6 B26B0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603 551D1104 1E301C82 1A532D41 322D536D 616C6C2D 312E6369 73636F2D 69726E2E 636F6D30 1F060355 1D230418 30168014 107F4DD8 762989FE 887F813D 62A1D871 C9A4D3D4 301D0603 551D0E04 16041410 7F4DD876 2989FE88 7F813D62 A1D871C9 A4D3D430 0D06092A 864886F7 0D010104 05000381 810045BF 884709EE FA837D06 262E65C8 865912B1 44D5DE7F 459A7DEF DAEB3D94 B2D5A978 5CCF425E 1FED41CE 2046BA9D 130DE1BD 4A7F3F99 B6AD32CA 3857A088 01083AAB 24557476 73F8AAC6 634964A5 455F4DB2 AC36D64E EA2C71AD 296D82B6 CE1EDCCB 0724DB5D 0D332C10 A17D5B1F E8926DC9 137519A1 521C9155 AF9AF52B 00BD quit archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree etherchannel guard misconfig spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! ! interface FastEthernet0 no ip address ! interface GigabitEthernet1/0/1 switchport mode trunk ! interface GigabitEthernet1/0/2 switchport mode trunk ! interface GigabitEthernet1/0/3 description IP Cameras - 4300 switchport access vlan 20 switchport mode access ! interface GigabitEthernet1/0/4 description CPAM Gateway switchport access vlan 20 ! interface GigabitEthernet1/0/5 switchport mode trunk ! interface GigabitEthernet1/0/6 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/7 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/8 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/9 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/10 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/11 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/12 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/13 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/14 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/15 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/16 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/17 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/18 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/19 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/20 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/21 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/22 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/23 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/24 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/25 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/26 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/27 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/28 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/29 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/30 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/31 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/32 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/33 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/34 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/35 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/36 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/37 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/38 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/39 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/40 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/41 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/42 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/43 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/44 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/45 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/46 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/47 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/48 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/49 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/50 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/51 switchport access vlan 17 shutdown ! interface GigabitEthernet1/0/52 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/1 shutdown ! interface GigabitEthernet2/0/2 shutdown ! interface GigabitEthernet2/0/3 description Cisco7975 IP phone switchport access vlan 11 switchport voice vlan 13 spanning-tree portfast ! interface GigabitEthernet2/0/4 description AIR-CAP3502I switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode trunk ! interface GigabitEthernet2/0/5 description Cisco9971 IP phone switchport access vlan 11 switchport voice vlan 13 spanning-tree portfast ! interface GigabitEthernet2/0/6 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/7 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/8 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/9 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/10 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/11 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/12 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/13 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/14 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/15 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/16 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/17 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/18 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/19 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/20 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/21 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/22 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/23 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/24 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/25 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/26 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/27 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/28 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/29 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/30 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/31 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/32 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/33 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/34 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/35 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/36 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/37 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/38 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/39 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/40 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/41 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/42 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/43 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/44 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/45 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/46 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/47 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/48 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/49 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/50 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/51 switchport access vlan 17 shutdown ! interface GigabitEthernet2/0/52 switchport access vlan 17 shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.143.11 255.255.255.0 ! ip default-gateway 10.10.143.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ip sla enable reaction-alerts logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps energywise snmp-server enable traps entity snmp-server enable traps power-ethernet group 1-4 snmp-server enable traps power-ethernet police snmp-server enable traps cpu threshold snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps errdisable snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! banner exec ^CC WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^CC WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 22518357 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end Mini Branch R-A2-MINI-1 ! ! Last configuration change at 00:50:32 PST Sat Apr 30 2011 by retail ! NVRAM config last updated at 00:50:35 PST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers ! hostname R-A2-Mini-1 ! boot-start-marker boot system flash0 c1900-universalk9-mz.SPA.151-3.T.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common ! clock timezone PST -8 0 clock summer-time PST recurring service-module wlan-ap 0 bootimage autonomous ! no ipv6 cef no ip source-route ip cef ! ! ! ip multicast-routing ! ! no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ip port-map user-8443 port tcp 8443 ip inspect log drop-pkt ip inspect audit-trail ip ips config location flash0: retries 1 timeout 1 ip ips notify SDEE ip ips name Store-IPS ! ip ips signature-category category all retired true category ios_ips default retired false ! ip wccp 61 ip wccp 62 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! multilink bundle-name authenticated ! parameter-map type inspect Inspect-1 audit-trail on parameter-map type inspect global WAAS enable parameter-map type trend-global trend-glob-map password encryption aes crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-1721465088 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1721465088 revocation-check none rsakeypair TP-self-signed-1721465088 ! ! crypto pki certificate chain TP-self-signed-1721465088 certificate self-signed 01 <removed> quit license udi pid CISCO1941W-A/K9 sn <removed> hw-module ism 0 ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys object-group network ActiveDirectory.cisco-irn.com host 192.168.42.130 ! object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 udp eq 5246 udp eq 5247 ! object-group service CISCO-WAAS description Ports for Cisco WAAS tcp eq 4050 ! object-group network DC-ALL description All of the Data Center 192.168.0.0 255.255.0.0 ! object-group network Stores-ALL description all store networks 10.10.0.0 255.255.0.0 ! object-group network CSM_INLINE_dst_rule_68719541425 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network WCSManager description Wireless Manager host 192.168.43.135 ! object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores host 192.168.43.21 host 192.168.43.22 ! object-group network DC-Wifi-MSE description Mobility Service Engines host 192.168.43.31 host 192.168.43.32 ! object-group network CSM_INLINE_dst_rule_68719541431 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network PAME-DC-1 host 192.168.44.111 ! object-group network MSP-DC-1 description Data Center VSOM host 192.168.44.121 ! object-group network CSM_INLINE_dst_rule_68719541435 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network CSM_INLINE_dst_rule_68719541457 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_68719541461 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_68719541465 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network EMC-NCM description EMC Network Configuration Manager host 192.168.42.122 ! object-group network RSA-enVision description RSA EnVision Syslog collector and SIM host 192.168.42.124 ! object-group network CSM_INLINE_dst_rule_73014451187 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object EMC-NCM group-object RSA-enVision ! object-group network TACACS description Csico Secure ACS server for TACACS and Radius host 192.168.42.131 ! object-group network RSA-AM description RSA Authentication Manager for SecureID host 192.168.42.137 ! object-group network NAC-1 description ISE server for NAC host 192.168.42.111 ! object-group network CSM_INLINE_dst_rule_73014451193 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object ActiveDirectory.cisco-irn.com group-object TACACS group-object RSA-AM group-object NAC-1 ! object-group network NAC-2 host 192.168.42.112 ! object-group network CSM_INLINE_dst_rule_73014451223 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object NAC-2 group-object NAC-1 ! object-group network DC-Admin description DC Admin Systems host 192.168.41.101 host 192.168.41.102 ! object-group network CSManager description Cisco Security Manager host 192.168.42.133 ! object-group network CSM_INLINE_src_rule_68719541409 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object EMC-NCM group-object CSManager ! object-group network CSM_INLINE_src_rule_68719541427 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_src_rule_68719541429 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network CSM_INLINE_src_rule_68719541433 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network DC-WAAS description WAE Appliances in Data Center host 192.168.48.10 host 192.168.49.10 host 192.168.47.11 host 192.168.47.12 ! object-group network CSM_INLINE_src_rule_68719541437 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-WAAS ! object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center 192.168.52.96 255.255.255.224 ! object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center 192.168.52.144 255.255.255.240 ! object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center 192.168.52.128 255.255.255.240 ! object-group network CSM_INLINE_src_rule_73014451215 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_73014451217 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group service CSM_INLINE_svc_rule_68719541409 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 ! object-group service CSM_INLINE_svc_rule_68719541425 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service CSM_INLINE_svc_rule_68719541427 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service LWAPP description LWAPP UDP ports 12222 and 12223 udp eq 12222 udp eq 12223 ! object-group service TFTP description Trivial File Transfer tcp eq 69 udp eq tftp ! object-group service IP-Protocol-97 description IP protocol 97 97 ! object-group service CSM_INLINE_svc_rule_68719541429 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq www tcp eq 22 tcp eq telnet udp eq isakmp group-object CAPWAP group-object LWAPP group-object TFTP group-object IP-Protocol-97 ! object-group service Cisco-Mobility description Mobility ports for Wireless udp eq 16666 udp eq 16667 ! object-group service CSM_INLINE_svc_rule_68719541431 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq isakmp group-object CAPWAP group-object LWAPP group-object Cisco-Mobility group-object IP-Protocol-97 ! object-group service HTTPS-8443 tcp eq 8443 ! object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing tcp eq 445 ! object-group service CSM_INLINE_svc_rule_68719541437 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_68719541439 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_68719541455 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp tcp-udp eq 5060 tcp eq 2000 tcp eq www tcp eq 443 group-object TFTP ! object-group service CSM_INLINE_svc_rule_68719541457 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp-udp eq 5060 tcp eq 2000 ! object-group service Netbios description Netbios Servers udp eq netbios-dgm udp eq netbios-ns tcp eq 139 ! object-group service ORACLE-SIM description Oracle Store Inventory Management tcp eq 7777 tcp eq 6003 tcp range 12401 12500 ! object-group service RDP description Windows Remote Desktop tcp eq 3389 ! object-group service Workbrain tcp eq 8444 ! object-group service CSM_INLINE_svc_rule_68719541459 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq ftp tcp eq www tcp eq 443 udp eq 88 tcp-udp eq 42 group-object Microsoft-DS-SMB group-object Netbios group-object ORACLE-SIM group-object RDP group-object Workbrain ! object-group service CSM_INLINE_svc_rule_73014451187 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq syslog udp eq snmp udp eq snmptrap ! object-group service CSM_INLINE_svc_rule_73014451193 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq tacacs udp eq 1812 udp eq 1813 tcp eq 389 tcp eq 636 ! object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts tcp eq 5989 tcp eq 8000 tcp eq 902 tcp eq 903 ! object-group service CSM_INLINE_svc_rule_73014451195 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq 22 group-object vCenter-to-ESX4 ! object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems udp eq 427 tcp eq 427 ! object-group service CSM_INLINE_svc_rule_73014451197 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object vCenter-to-ESX4 group-object ESX-SLP ! object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. tcp range 1300 1319 ! object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. tcp eq 7001 tcp eq 7002 tcp eq 1521 ! object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 tcp eq 2809 tcp eq 9443 tcp eq 1414 ! object-group service ORACLE-OAS description OAS uses one port for HTTP and RMI - 12601. tcp eq 12601 ! object-group service CSM_INLINE_svc_rule_73014451203 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_73014451205 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_73014451207 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_73014451209 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service TOMAX-8990 description Tomax Application Port tcp eq 8990 ! object-group service CSM_INLINE_svc_rule_73014451211 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service CSM_INLINE_svc_rule_73014451213 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service ICMP-Requests description ICMP requests icmp information-request icmp mask-request icmp timestamp-request ! object-group service CSM_INLINE_svc_rule_73014451215 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_73014451217 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service DNS-Resolving description Domain Name Server tcp eq domain udp eq domain ! object-group service CSM_INLINE_svc_rule_73014451221 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq bootps group-object DNS-Resolving ! object-group service CSM_INLINE_svc_rule_73014451223 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_73014451388 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_73014451393 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service CSM_INLINE_svc_rule_73014451395 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451397 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp udp tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451404 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451406 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group network DC-Applications description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager) 192.168.180.0 255.255.254.0 ! object-group network DC-Voice description Data Center Voice 192.168.45.0 255.255.255.0 ! object-group network MS-Update description Windows Update Server host 192.168.42.150 ! object-group network MSExchange description Mail Server host 192.168.42.140 ! object-group service NTP description NTP Protocols tcp eq 123 udp eq ntp ! object-group network NTP-Servers description NTP Servers host 192.168.62.161 host 162.168.62.162 ! object-group network STORE-POS 10.10.0.0 255.255.0.0 ! object-group network vSphere-1 description vSphere server for Lab host 192.168.41.102 ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> ! redundancy ! ! ! ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7 match protocol http match protocol https match protocol microsoft-ds match protocol ms-sql match protocol ms-sql-m match protocol netbios-dgm match protocol netbios-ns match protocol oracle match protocol oracle-em-vp match protocol oraclenames match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_10 match access-group name CSM_ZBF_CMAP_ACL_10 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16 match protocol http match protocol https match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_23 match access-group name CSM_ZBF_CMAP_ACL_23 match class-map CSM_ZBF_CMAP_PLMAP_16 class-map type inspect match-all CSM_ZBF_CLASS_MAP_32 match access-group name CSM_ZBF_CMAP_ACL_32 class-map type inspect match-all CSM_ZBF_CLASS_MAP_11 match access-group name CSM_ZBF_CMAP_ACL_11 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_22 match access-group name CSM_ZBF_CMAP_ACL_22 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4 match protocol http match protocol https match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_33 match access-group name CSM_ZBF_CMAP_ACL_33 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8 match protocol sip match protocol sip-tls match protocol skinny match protocol tftp match protocol http match protocol https match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_12 match access-group name CSM_ZBF_CMAP_ACL_12 match class-map CSM_ZBF_CMAP_PLMAP_8 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15 match protocol http match protocol https match protocol netbios-ns match protocol netbios-dgm match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_21 match access-group name CSM_ZBF_CMAP_ACL_21 match class-map CSM_ZBF_CMAP_PLMAP_15 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17 match protocol http match protocol https match protocol imap3 match protocol pop3 match protocol pop3s match protocol smtp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_30 match access-group name CSM_ZBF_CMAP_ACL_30 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9 match protocol syslog match protocol syslog-conn match protocol snmp match protocol snmptrap class-map type inspect match-all CSM_ZBF_CLASS_MAP_13 match access-group name CSM_ZBF_CMAP_ACL_13 match class-map CSM_ZBF_CMAP_PLMAP_9 class-map type inspect match-all CSM_ZBF_CLASS_MAP_20 match access-group name CSM_ZBF_CMAP_ACL_20 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol ftp match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_31 match access-group name CSM_ZBF_CMAP_ACL_31 match class-map CSM_ZBF_CMAP_PLMAP_20 class-map match-all BRANCH-BULK-DATA match protocol tftp match protocol nfs match access-group name BULK-DATA-APPS class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10 match protocol ldaps match protocol ldap match protocol ldap-admin match protocol radius match protocol tacacs match protocol tacacs-ds match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_14 match access-group name CSM_ZBF_CMAP_ACL_14 match class-map CSM_ZBF_CMAP_PLMAP_10 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18 match protocol http match protocol https match protocol udp match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_27 match access-group name CSM_ZBF_CMAP_ACL_27 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22 match protocol sip match protocol sip-tls match protocol skinny match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_36 match access-group name CSM_ZBF_CMAP_ACL_36 match class-map CSM_ZBF_CMAP_PLMAP_22 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11 match protocol ntp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_15 match access-group name CSM_ZBF_CMAP_ACL_15 match class-map CSM_ZBF_CMAP_PLMAP_11 class-map type inspect match-all CSM_ZBF_CLASS_MAP_26 match access-group name CSM_ZBF_CMAP_ACL_26 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12 match protocol bootpc match protocol bootps match protocol udp match protocol tcp match protocol dns match protocol dhcp-failover class-map type inspect match-all CSM_ZBF_CLASS_MAP_16 match access-group name CSM_ZBF_CMAP_ACL_16 match class-map CSM_ZBF_CMAP_PLMAP_12 class-map type inspect match-all CSM_ZBF_CLASS_MAP_25 match access-group name CSM_ZBF_CMAP_ACL_25 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_34 match access-group name CSM_ZBF_CMAP_ACL_34 class-map type inspect match-all CSM_ZBF_CLASS_MAP_17 match access-group name CSM_ZBF_CMAP_ACL_17 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_24 match access-group name CSM_ZBF_CMAP_ACL_24 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21 match protocol tcp match protocol udp match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_35 match access-group name CSM_ZBF_CMAP_ACL_35 match class-map CSM_ZBF_CMAP_PLMAP_21 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13 match protocol https match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_18 match access-group name CSM_ZBF_CMAP_ACL_18 match class-map CSM_ZBF_CMAP_PLMAP_13 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14 match protocol http match protocol https match protocol user-8443 class-map type inspect match-all CSM_ZBF_CLASS_MAP_19 match access-group name CSM_ZBF_CMAP_ACL_19 match class-map CSM_ZBF_CMAP_PLMAP_14 class-map type inspect match-all CSM_ZBF_CLASS_MAP_29 match access-group name CSM_ZBF_CMAP_ACL_29 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19 match protocol http match protocol https match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_28 match access-group name CSM_ZBF_CMAP_ACL_28 match class-map CSM_ZBF_CMAP_PLMAP_19 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1 match protocol https match protocol ssh class-map type inspect match-all CSM_ZBF_CLASS_MAP_1 match access-group name CSM_ZBF_CMAP_ACL_1 match class-map CSM_ZBF_CMAP_PLMAP_1 class-map type inspect match-all CSM_ZBF_CLASS_MAP_3 match access-group name CSM_ZBF_CMAP_ACL_3 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2 match protocol https match protocol http match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_2 match access-group name CSM_ZBF_CMAP_ACL_2 match class-map CSM_ZBF_CMAP_PLMAP_2 class-map type inspect match-all CSM_ZBF_CLASS_MAP_5 match access-group name CSM_ZBF_CMAP_ACL_5 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3 match protocol http match protocol https match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_4 match access-group name CSM_ZBF_CMAP_ACL_4 match class-map CSM_ZBF_CMAP_PLMAP_3 class-map type inspect match-all CSM_ZBF_CLASS_MAP_7 match access-group name CSM_ZBF_CMAP_ACL_7 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_6 match access-group name CSM_ZBF_CMAP_ACL_6 match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_9 match access-group name CSM_ZBF_CMAP_ACL_9 match protocol tcp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6 match protocol http match protocol https match protocol ssh match protocol telnet match protocol tftp match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_8 match access-group name CSM_ZBF_CMAP_ACL_8 match class-map CSM_ZBF_CMAP_PLMAP_6 class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix match protocol ldap match protocol telnet match protocol sqlnet match protocol http url "SalesReport" match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol snmp match protocol syslog match protocol dns match protocol icmp match protocol ssh match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER match protocol gnutella match protocol fasttrack match protocol kazaa2 class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! ! policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Guest class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W class class-default drop log policy-map BRANCH-LAN-EDGE-OUT class class-default policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS class class-default drop log policy-map BRANCH-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 12 random-detect dscp-based class BULK-DATA bandwidth percent 4 random-detect dscp-based class SCAVENGER bandwidth percent 1 class class-default bandwidth percent 25 random-detect policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_18 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_19 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_31 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_16 class type inspect CSM_ZBF_CLASS_MAP_24 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_17 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_14 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_15 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_23 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_12 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_21 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_34 drop log class type inspect CSM_ZBF_CLASS_MAP_35 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_13 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_21 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_20 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 drop log class type inspect CSM_ZBF_CLASS_MAP_33 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_10 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_11 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_22 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_36 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_9 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_8 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_12 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_7 class type inspect CSM_ZBF_CLASS_MAP_9 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_10 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_11 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_6 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_5 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_8 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_4 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_7 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_3 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_5 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_2 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_4 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_1 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_2 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_S_Partners_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS class class-default drop log policy-map BRANCH-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W class class-default drop log ! zone security S_WAN description Store WAN Link zone security LOOPBACK description Loopback interface zone security S_MGMT description VLAN1000 Management zone security S_Security description VLAN20 Physical Security Systems zone security S_WAAS description VLAN19 WAAS optimization zone security S_WLC-AP description VLAN18 Wireless Systems zone security S_Data description VLAN12 Store Data zone security S_Data-W description VLAN14 Store Wireless Data zone security S_Guest description VLAN17 Guest/Public Wireless zone security S_Voice description VLAN13 Store Voice zone security S_Partners description VLAN16 Partner network zone security S_POS description VLAN 11 POS Data zone security S_POS-W description VLAN15 Store Wireless POS zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Guest zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_8 zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_9 zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_11 zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_12 zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS-W zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS-W zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Partners_S_POS zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_22 ! ! ! ! ! ! ! interface Loopback0 ip address 10.10.158.1 255.255.255.255 ip pim sparse-dense-mode zone-member security LOOPBACK ! interface GigabitEthernet0/0 ip address 10.10.255.144 255.255.255.0 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! interface wlan-ap0 description Service module interface to manage the embedded AP ip address 10.10.158.33 255.255.255.252 zone-member security S_WLC-AP service-module ip address 10.10.158.34 255.255.255.252 service-module ip default-gateway 10.10.158.33 arp timeout 0 no mop enabled no mop sysid ! interface GigabitEthernet0/1 description ROUTER LINK TO SWITCH no ip address duplex auto speed auto ! interface GigabitEthernet0/1.11 description POS encapsulation dot1Q 11 ip address 10.10.144.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS standby 11 ip 10.10.144.1 standby 11 priority 101 standby 11 preempt ip igmp query-interval 125 service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.12 description DATA encapsulation dot1Q 12 ip address 10.10.145.2 255.255.255.0 ip helper-address 192.168.42.130 ip wccp 61 redirect in ip pim sparse-dense-mode zone-member security S_Data standby 12 ip 10.10.145.1 standby 12 priority 101 standby 12 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.13 description VOICE encapsulation dot1Q 13 ip address 10.10.146.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Voice standby 13 ip 10.10.146.1 standby 13 priority 101 standby 13 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.14 description WIRELESS encapsulation dot1Q 14 ip address 10.10.147.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Data-W standby 14 ip 10.10.147.1 standby 14 priority 101 standby 14 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.15 description WIRELESS-POS encapsulation dot1Q 15 ip address 10.10.148.2 255.255.255.0 ip helper-address 192.168.42.130 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS-W standby 15 ip 10.10.148.1 standby 15 priority 101 standby 15 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.16 description PARTNER encapsulation dot1Q 16 ip address 10.10.149.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Partners standby 16 ip 10.10.149.1 standby 16 priority 101 standby 16 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.17 description WIRELESS-GUEST encapsulation dot1Q 17 ip address 10.10.150.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Guest standby 17 ip 10.10.150.1 standby 17 priority 101 standby 17 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.18 description WIRELESS-CONTROL encapsulation dot1Q 18 ip address 10.10.151.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WLC-AP standby 18 ip 10.10.151.1 standby 18 priority 101 standby 18 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.19 description WAAS encapsulation dot1Q 19 ip address 10.10.152.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WAAS standby 19 ip 10.10.152.1 standby 19 priority 101 standby 19 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.20 zone-member security S_Security service-policy output BRANCH-LAN-EDGE-OUT ! interface GigabitEthernet0/1.1000 description MANAGEMENT encapsulation dot1Q 1000 ip address 10.10.159.2 255.255.255.0 zone-member security S_MGMT standby 100 ip 10.10.159.1 standby 100 priority 101 standby 100 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Wlan-GigabitEthernet0/0 description Internal switch interface connecting to the embedded AP zone-member security S_WLC-AP service-module ip address 10.10.158.34 255.255.255.252 service-module ip default-gateway 10.10.158.33 ! interface Vlan1 no ip address ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS ! interface Vlan15 no ip address zone-member security S_POS-W ! interface Vlan1000 no ip address zone-member security S_MGMT ! router ospf 5 router-id 10.10.158.1 passive-interface default ! no ip forward-protocol nd ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ! ip route 0.0.0.0 0.0.0.0 10.10.255.11 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended CSM_ZBF_CMAP_ACL_1 remark Data Center Mgmt to Devices permit object-group CSM_INLINE_svc_rule_68719541409 object-group CSM_INLINE_src_rule_68719541409 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_10 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_11 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451215 object-group CSM_INLINE_src_rule_73014451215 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_12 remark Data Center VOICE (wired and Wireless) permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_13 remark Syslog and SNMP Alerts permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451187 ip access-list extended CSM_ZBF_CMAP_ACL_14 remark Store to Data Center Authentications permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451193 ip access-list extended CSM_ZBF_CMAP_ACL_15 remark Store to Data Center for NTP permit object-group NTP object-group Stores-ALL object-group NTP-Servers ip access-list extended CSM_ZBF_CMAP_ACL_16 remark Store to Data Center for DHCP and DNS permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com ip access-list extended CSM_ZBF_CMAP_ACL_17 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541425 ip access-list extended CSM_ZBF_CMAP_ACL_18 remark Store UCS E-series server to Data Center vShphere permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group vSphere-1 ip access-list extended CSM_ZBF_CMAP_ACL_19 remark Store NAC permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451223 ip access-list extended CSM_ZBF_CMAP_ACL_2 remark Data Center subscribe to IPS SDEE events permit tcp object-group RSA-enVision object-group Stores-ALL eq 443 ip access-list extended CSM_ZBF_CMAP_ACL_20 remark Store to Data Center Physical Security permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435 ip access-list extended CSM_ZBF_CMAP_ACL_21 remark Store WAAS (WAAS Devices need their own zone) permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group DC-WAAS ip access-list extended CSM_ZBF_CMAP_ACL_22 remark Store WAAS to Clients and Servers permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_23 remark Store to Data Center wireless controller traffic permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541431 ip access-list extended CSM_ZBF_CMAP_ACL_24 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group DC-POS-Oracle remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group DC-POS-SAP remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group DC-POS-Tomax ip access-list extended CSM_ZBF_CMAP_ACL_25 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451217 object-group CSM_INLINE_src_rule_73014451217 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_26 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_27 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_28 remark Permit POS clients to talk to store POS server permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_29 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_3 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_68719541427 object-group CSM_INLINE_src_rule_68719541427 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_30 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_31 remark Store DATA (wired and Wireless - Access to DC Other applications) permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group DC-Applications ip access-list extended CSM_ZBF_CMAP_ACL_32 remark Store GUEST - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465 ip access-list extended CSM_ZBF_CMAP_ACL_33 remark Store GUEST (access to internet/DMZ web servers) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_34 remark Store PARTNERS - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461 ip access-list extended CSM_ZBF_CMAP_ACL_35 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_36 remark Store VOICE (wired and Wireless - Acess to corporate wide voice) permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541457 ip access-list extended CSM_ZBF_CMAP_ACL_4 remark Data Center vSphere to UCS E-series server permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_5 remark Data Center to Store Physical Security permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_6 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_7 remark Data Center WAAS to Store permit object-group CSM_INLINE_svc_rule_68719541437 object-group CSM_INLINE_src_rule_68719541437 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_8 remark Data Center Wireless Control to AP's and Controllers in stores permit object-group CSM_INLINE_svc_rule_68719541429 object-group CSM_INLINE_src_rule_68719541429 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_9 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group STORE-POS ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip any 192.168.52.0 0.0.0.255 ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444 remark --Large store Clock Server to CUAE permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000 remark ---LiteScape Application--- permit ip any host 192.168.46.82 permit ip any 239.192.0.0 0.0.0.255 permit ip any host 239.255.255.250 remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp any 192.168.46.0 0.0.0.255 eq 7777 permit tcp any 192.168.46.0 0.0.0.255 eq 6003 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! ! ! ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group causer v3 priv snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps flash insertion removal snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server domain-stripping tacacs-server key 7 <removed> ! ! control-plane ! ! banner exec C WARNING: ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 login authentication RETAIL no exec transport preferred none transport output none line 67 no activation-character no exec transport preferred none transport output none line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! exception data-corruption buffer truncate scheduler allocate 20000 1000 ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 end S-A2-MINI-1 S-A2-Mini-1#sh run Building configuration... Current configuration : 9017 bytes ! ! Last configuration change at 02:15:02 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:15:04 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname S-A2-Mini-1 ! boot-start-marker boot-end-marker ! logging buffered 50000 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 ip subnet-zero no ip source-route ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-1919348736 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1919348736 revocation-check none rsakeypair TP-self-signed-1919348736 ! ! crypto pki certificate chain TP-self-signed-1919348736 certificate self-signed 01 <removed> quit ! ! ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! ! interface GigabitEthernet0/1 switchport mode trunk ! interface GigabitEthernet0/2 switchport access vlan 17 shutdown ! interface GigabitEthernet0/3 switchport access vlan 17 shutdown ! interface GigabitEthernet0/4 switchport access vlan 17 shutdown ! interface GigabitEthernet0/5 switchport access vlan 17 shutdown ! interface GigabitEthernet0/6 switchport access vlan 17 shutdown ! interface GigabitEthernet0/7 switchport access vlan 17 shutdown ! interface GigabitEthernet0/8 switchport mode trunk ! interface Vlan1 no ip address no ip route-cache ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.159.11 255.255.255.0 no ip route-cache ! ip default-gateway 10.10.159.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps power-ethernet group 1 snmp-server enable traps power-ethernet police snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps energywise snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server enable traps errdisable snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! control-plane ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36028654 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end S-A2-MINI-2 S-A2-Mini-2#sh run Building configuration... Current configuration : 9094 bytes ! ! Last configuration change at 02:19:10 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:19:11 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname S-A2-Mini-2 ! boot-start-marker boot-end-marker ! logging buffered 50000 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 ip subnet-zero no ip source-route ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-1919334912 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1919334912 revocation-check none rsakeypair TP-self-signed-1919334912 ! ! crypto pki certificate chain TP-self-signed-1919334912 certificate self-signed 01 <removed> quit ! ! ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! ! interface GigabitEthernet0/1 description AIR-CAP3502E switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode trunk ! interface GigabitEthernet0/2 switchport access vlan 17 shutdown ! interface GigabitEthernet0/3 switchport access vlan 17 shutdown ! interface GigabitEthernet0/4 switchport access vlan 17 shutdown ! interface GigabitEthernet0/5 switchport access vlan 17 shutdown ! interface GigabitEthernet0/6 switchport access vlan 17 shutdown ! interface GigabitEthernet0/7 switchport access vlan 17 shutdown ! interface GigabitEthernet0/8 switchport mode trunk ! interface Vlan1 no ip address no ip route-cache ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.159.12 255.255.255.0 no ip route-cache ! ip default-gateway 10.10.159.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps power-ethernet group 1 snmp-server enable traps power-ethernet police snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps energywise snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server enable traps errdisable snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> ! control-plane ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36028680 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end Convenience R-A2-CONV-1 ! ! Last configuration change at 00:53:21 PST Sat Apr 30 2011 by retail ! NVRAM config last updated at 00:53:22 PST Sat Apr 30 2011 by retail ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime msec localtime show-timezone year service password-encryption service sequence-numbers no service password-recovery ! hostname R-A2-Conv-1 ! boot-start-marker boot system flash c890-universalk9-mz.151-3.T.bin boot-end-marker ! ! security authentication failure rate 2 log security passwords min-length 7 logging buffered 50000 no logging rate-limit enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default action-type start-stop group tacacs+ ! aaa accounting commands 15 default action-type start-stop group tacacs+ ! aaa accounting system default action-type start-stop group tacacs+ ! ! ! ! ! ! aaa session-id common ! clock timezone PST -8 0 clock summer-time PST recurring service-module wlan-ap 0 bootimage autonomous crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-479252603 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-479252603 revocation-check none rsakeypair TP-self-signed-479252603 ! ! crypto pki certificate chain TP-self-signed-479252603 certificate self-signed 01 <removed> quit no ip source-route ! ! ! ! ! ip cef no ip bootp server ip domain name cisco-irn.com ip name-server 192.168.42.130 ip multicast-routing ip port-map user-8443 port tcp 8443 ip ips config location flash: retries 1 timeout 1 ip ips name Store-IPS ! ip ips signature-category category all retired true category ios_ips default retired false ! ip inspect log drop-pkt ip inspect audit-trail ip wccp 61 ip wccp 62 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log no ipv6 cef ! multilink bundle-name authenticated parameter-map type inspect Inspect-1 audit-trail on parameter-map type inspect global WAAS enable parameter-map type trend-global trend-glob-map password encryption aes license udi pid CISCO891W-AGN-N-K9 sn <removed> ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys object-group network ActiveDirectory.cisco-irn.com host 192.168.42.130 ! object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 udp eq 5246 udp eq 5247 ! object-group service CISCO-WAAS description Ports for Cisco WAAS tcp eq 4050 ! object-group network DC-ALL description All of the Data Center 192.168.0.0 255.255.0.0 ! object-group network Stores-ALL description all store networks 10.10.0.0 255.255.0.0 ! object-group network CSM_INLINE_dst_rule_68719541425 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network WCSManager description Wireless Manager host 192.168.43.135 ! object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores host 192.168.43.21 host 192.168.43.22 ! object-group network DC-Wifi-MSE description Mobility Service Engines host 192.168.43.31 host 192.168.43.32 ! object-group network CSM_INLINE_dst_rule_68719541431 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network PAME-DC-1 host 192.168.44.111 ! object-group network MSP-DC-1 description Data Center VSOM host 192.168.44.121 ! object-group network CSM_INLINE_dst_rule_68719541435 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network CSM_INLINE_dst_rule_68719541457 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_68719541461 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_dst_rule_68719541465 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network EMC-NCM description EMC Network Configuration Manager host 192.168.42.122 ! object-group network RSA-enVision description RSA EnVision Syslog collector and SIM host 192.168.42.124 ! object-group network CSM_INLINE_dst_rule_73014451187 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object EMC-NCM group-object RSA-enVision ! object-group network TACACS description Csico Secure ACS server for TACACS and Radius host 192.168.42.131 ! object-group network RSA-AM description RSA Authentication Manager for SecureID host 192.168.42.137 ! object-group network NAC-1 description ISE server for NAC host 192.168.42.111 ! object-group network CSM_INLINE_dst_rule_73014451193 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object ActiveDirectory.cisco-irn.com group-object TACACS group-object RSA-AM group-object NAC-1 ! object-group network NAC-2 host 192.168.42.112 ! object-group network CSM_INLINE_dst_rule_73014451223 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory) group-object NAC-2 group-object NAC-1 ! object-group network DC-Admin description DC Admin Systems host 192.168.41.101 host 192.168.41.102 ! object-group network CSManager description Cisco Security Manager host 192.168.42.133 ! object-group network CSM_INLINE_src_rule_68719541409 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object EMC-NCM group-object CSManager ! object-group network CSM_INLINE_src_rule_68719541427 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-ALL group-object Stores-ALL ! object-group network CSM_INLINE_src_rule_68719541429 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE ! object-group network CSM_INLINE_src_rule_68719541433 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object PAME-DC-1 group-object MSP-DC-1 ! object-group network DC-WAAS description WAE Appliances in Data Center host 192.168.48.10 host 192.168.49.10 host 192.168.47.11 host 192.168.47.12 ! object-group network CSM_INLINE_src_rule_68719541437 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-WAAS ! object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center 192.168.52.96 255.255.255.224 ! object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center 192.168.52.144 255.255.255.240 ! object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center 192.168.52.128 255.255.255.240 ! object-group network CSM_INLINE_src_rule_73014451215 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group network CSM_INLINE_src_rule_73014451217 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory) group-object DC-Admin group-object DC-POS-Tomax group-object DC-POS-SAP group-object DC-POS-Oracle ! object-group service CSM_INLINE_svc_rule_68719541409 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 ! object-group service CSM_INLINE_svc_rule_68719541425 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service CSM_INLINE_svc_rule_68719541427 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable ! object-group service LWAPP description LWAPP UDP ports 12222 and 12223 udp eq 12222 udp eq 12223 ! object-group service TFTP description Trivial File Transfer tcp eq 69 udp eq tftp ! object-group service IP-Protocol-97 description IP protocol 97 97 ! object-group service CSM_INLINE_svc_rule_68719541429 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq www tcp eq 22 tcp eq telnet udp eq isakmp group-object CAPWAP group-object LWAPP group-object TFTP group-object IP-Protocol-97 ! object-group service Cisco-Mobility description Mobility ports for Wireless udp eq 16666 udp eq 16667 ! object-group service CSM_INLINE_svc_rule_68719541431 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq isakmp group-object CAPWAP group-object LWAPP group-object Cisco-Mobility group-object IP-Protocol-97 ! object-group service HTTPS-8443 tcp eq 8443 ! object-group service Microsoft-DS-SMB description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing tcp eq 445 ! object-group service CSM_INLINE_svc_rule_68719541437 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_68719541439 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object CISCO-WAAS group-object HTTPS-8443 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_68719541455 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp tcp-udp eq 5060 tcp eq 2000 tcp eq www tcp eq 443 group-object TFTP ! object-group service CSM_INLINE_svc_rule_68719541457 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp-udp eq 5060 tcp eq 2000 ! object-group service Netbios description Netbios Servers udp eq netbios-dgm udp eq netbios-ns tcp eq 139 ! object-group service ORACLE-SIM description Oracle Store Inventory Management tcp eq 7777 tcp eq 6003 tcp range 12401 12500 ! object-group service RDP description Windows Remote Desktop tcp eq 3389 ! object-group service Workbrain tcp eq 8444 ! object-group service CSM_INLINE_svc_rule_68719541459 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq ftp tcp eq www tcp eq 443 udp eq 88 tcp-udp eq 42 group-object Microsoft-DS-SMB group-object Netbios group-object ORACLE-SIM group-object RDP group-object Workbrain ! object-group service CSM_INLINE_svc_rule_73014451187 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq syslog udp eq snmp udp eq snmptrap ! object-group service CSM_INLINE_svc_rule_73014451193 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq tacacs udp eq 1812 udp eq 1813 tcp eq 389 tcp eq 636 ! object-group service vCenter-to-ESX4 description Communication from vCetner to ESX hosts tcp eq 5989 tcp eq 8000 tcp eq 902 tcp eq 903 ! object-group service CSM_INLINE_svc_rule_73014451195 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq 22 group-object vCenter-to-ESX4 ! object-group service ESX-SLP description CIM Service Location Protocol (SLP) for VMware systems udp eq 427 tcp eq 427 ! object-group service CSM_INLINE_svc_rule_73014451197 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object vCenter-to-ESX4 group-object ESX-SLP ! object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. tcp range 1300 1319 ! object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. tcp eq 7001 tcp eq 7002 tcp eq 1521 ! object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 tcp eq 2809 tcp eq 9443 tcp eq 1414 ! object-group service ORACLE-OAS description OAS uses one port for HTTP and RMI - 12601. tcp eq 12601 ! object-group service CSM_INLINE_svc_rule_73014451203 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_73014451205 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object ORACLE-OAS ! object-group service CSM_INLINE_svc_rule_73014451207 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_73014451209 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 tcp eq 22 group-object HTTPS-8443 ! object-group service TOMAX-8990 description Tomax Application Port tcp eq 8990 ! object-group service CSM_INLINE_svc_rule_73014451211 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service CSM_INLINE_svc_rule_73014451213 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq 443 group-object TOMAX-8990 ! object-group service ICMP-Requests description ICMP requests icmp information-request icmp mask-request icmp timestamp-request ! object-group service CSM_INLINE_svc_rule_73014451215 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service CSM_INLINE_svc_rule_73014451217 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) icmp echo icmp echo-reply icmp traceroute icmp unreachable icmp redirect icmp alternate-address group-object ICMP-Requests ! object-group service DNS-Resolving description Domain Name Server tcp eq domain udp eq domain ! object-group service CSM_INLINE_svc_rule_73014451221 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) udp eq bootps group-object DNS-Resolving ! object-group service CSM_INLINE_svc_rule_73014451223 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 group-object HTTPS-8443 ! object-group service CSM_INLINE_svc_rule_73014451388 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp tcp eq 139 group-object Microsoft-DS-SMB ! object-group service CSM_INLINE_svc_rule_73014451393 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group service CSM_INLINE_svc_rule_73014451395 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451397 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp udp tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451404 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 ! object-group service CSM_INLINE_svc_rule_73014451406 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory) tcp eq www tcp eq 443 tcp eq smtp tcp eq pop3 tcp eq 143 ! object-group network DC-Applications description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager) 192.168.180.0 255.255.254.0 ! object-group network DC-Voice description Data Center Voice 192.168.45.0 255.255.255.0 ! object-group network MS-Update description Windows Update Server host 192.168.42.150 ! object-group network MSExchange description Mail Server host 192.168.42.140 ! object-group service NTP description NTP Protocols tcp eq 123 udp eq ntp ! object-group network NTP-Servers description NTP Servers host 192.168.62.161 host 162.168.62.162 ! object-group network STORE-POS 10.10.0.0 255.255.0.0 ! object-group network vSphere-1 description vSphere server for Lab host 192.168.41.102 ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! ! ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable ! class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7 match protocol http match protocol https match protocol microsoft-ds match protocol ms-sql match protocol ms-sql-m match protocol netbios-dgm match protocol netbios-ns match protocol oracle match protocol oracle-em-vp match protocol oraclenames match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_10 match access-group name CSM_ZBF_CMAP_ACL_10 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16 match protocol http match protocol https match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_23 match access-group name CSM_ZBF_CMAP_ACL_23 match class-map CSM_ZBF_CMAP_PLMAP_16 class-map type inspect match-all CSM_ZBF_CLASS_MAP_32 match access-group name CSM_ZBF_CMAP_ACL_32 class-map type inspect match-all CSM_ZBF_CLASS_MAP_11 match access-group name CSM_ZBF_CMAP_ACL_11 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_22 match access-group name CSM_ZBF_CMAP_ACL_22 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4 match protocol http match protocol https match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_33 match access-group name CSM_ZBF_CMAP_ACL_33 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8 match protocol sip match protocol sip-tls match protocol skinny match protocol tftp match protocol http match protocol https match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_12 match access-group name CSM_ZBF_CMAP_ACL_12 match class-map CSM_ZBF_CMAP_PLMAP_8 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15 match protocol http match protocol https match protocol netbios-ns match protocol netbios-dgm match protocol netbios-ssn match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_21 match access-group name CSM_ZBF_CMAP_ACL_21 match class-map CSM_ZBF_CMAP_PLMAP_15 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17 match protocol http match protocol https match protocol imap3 match protocol pop3 match protocol pop3s match protocol smtp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_30 match access-group name CSM_ZBF_CMAP_ACL_30 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9 match protocol syslog match protocol syslog-conn match protocol snmp match protocol snmptrap class-map type inspect match-all CSM_ZBF_CLASS_MAP_13 match access-group name CSM_ZBF_CMAP_ACL_13 match class-map CSM_ZBF_CMAP_PLMAP_9 class-map type inspect match-all CSM_ZBF_CLASS_MAP_20 match access-group name CSM_ZBF_CMAP_ACL_20 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20 match protocol http match protocol https match protocol netbios-dgm match protocol netbios-ns match protocol netbios-ssn match protocol ftp match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_31 match access-group name CSM_ZBF_CMAP_ACL_31 match class-map CSM_ZBF_CMAP_PLMAP_20 class-map match-all BRANCH-BULK-DATA match protocol tftp match protocol nfs match access-group name BULK-DATA-APPS class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10 match protocol ldaps match protocol ldap match protocol ldap-admin match protocol radius match protocol tacacs match protocol tacacs-ds match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_14 match access-group name CSM_ZBF_CMAP_ACL_14 match class-map CSM_ZBF_CMAP_PLMAP_10 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18 match protocol http match protocol https match protocol udp match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_27 match access-group name CSM_ZBF_CMAP_ACL_27 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22 match protocol sip match protocol sip-tls match protocol skinny match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_36 match access-group name CSM_ZBF_CMAP_ACL_36 match class-map CSM_ZBF_CMAP_PLMAP_22 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11 match protocol ntp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_15 match access-group name CSM_ZBF_CMAP_ACL_15 match class-map CSM_ZBF_CMAP_PLMAP_11 class-map type inspect match-all CSM_ZBF_CLASS_MAP_26 match access-group name CSM_ZBF_CMAP_ACL_26 match class-map CSM_ZBF_CMAP_PLMAP_17 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12 match protocol bootpc match protocol bootps match protocol udp match protocol tcp match protocol dns match protocol dhcp-failover class-map type inspect match-all CSM_ZBF_CLASS_MAP_16 match access-group name CSM_ZBF_CMAP_ACL_16 match class-map CSM_ZBF_CMAP_PLMAP_12 class-map type inspect match-all CSM_ZBF_CLASS_MAP_25 match access-group name CSM_ZBF_CMAP_ACL_25 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_34 match access-group name CSM_ZBF_CMAP_ACL_34 class-map type inspect match-all CSM_ZBF_CLASS_MAP_17 match access-group name CSM_ZBF_CMAP_ACL_17 match protocol icmp class-map type inspect match-all CSM_ZBF_CLASS_MAP_24 match access-group name CSM_ZBF_CMAP_ACL_24 match class-map CSM_ZBF_CMAP_PLMAP_7 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21 match protocol tcp match protocol udp match protocol http match protocol https class-map type inspect match-all CSM_ZBF_CLASS_MAP_35 match access-group name CSM_ZBF_CMAP_ACL_35 match class-map CSM_ZBF_CMAP_PLMAP_21 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13 match protocol https match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_18 match access-group name CSM_ZBF_CMAP_ACL_18 match class-map CSM_ZBF_CMAP_PLMAP_13 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14 match protocol http match protocol https match protocol user-8443 class-map type inspect match-all CSM_ZBF_CLASS_MAP_19 match access-group name CSM_ZBF_CMAP_ACL_19 match class-map CSM_ZBF_CMAP_PLMAP_14 class-map type inspect match-all CSM_ZBF_CLASS_MAP_29 match access-group name CSM_ZBF_CMAP_ACL_29 match class-map CSM_ZBF_CMAP_PLMAP_18 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19 match protocol http match protocol https match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_28 match access-group name CSM_ZBF_CMAP_ACL_28 match class-map CSM_ZBF_CMAP_PLMAP_19 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1 match protocol https match protocol ssh class-map type inspect match-all CSM_ZBF_CLASS_MAP_1 match access-group name CSM_ZBF_CMAP_ACL_1 match class-map CSM_ZBF_CMAP_PLMAP_1 class-map type inspect match-all CSM_ZBF_CLASS_MAP_3 match access-group name CSM_ZBF_CMAP_ACL_3 match protocol icmp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2 match protocol https match protocol http match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_2 match access-group name CSM_ZBF_CMAP_ACL_2 match class-map CSM_ZBF_CMAP_PLMAP_2 class-map type inspect match-all CSM_ZBF_CLASS_MAP_5 match access-group name CSM_ZBF_CMAP_ACL_5 match class-map CSM_ZBF_CMAP_PLMAP_4 class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3 match protocol http match protocol https match protocol ssh match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_4 match access-group name CSM_ZBF_CMAP_ACL_4 match class-map CSM_ZBF_CMAP_PLMAP_3 class-map type inspect match-all CSM_ZBF_CLASS_MAP_7 match access-group name CSM_ZBF_CMAP_ACL_7 match class-map CSM_ZBF_CMAP_PLMAP_5 class-map type inspect match-all CSM_ZBF_CLASS_MAP_6 match access-group name CSM_ZBF_CMAP_ACL_6 match protocol tcp class-map type inspect match-all CSM_ZBF_CLASS_MAP_9 match access-group name CSM_ZBF_CMAP_ACL_9 match protocol tcp class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6 match protocol http match protocol https match protocol ssh match protocol telnet match protocol tftp match protocol isakmp match protocol tcp match protocol udp class-map type inspect match-all CSM_ZBF_CLASS_MAP_8 match access-group name CSM_ZBF_CMAP_ACL_8 match class-map CSM_ZBF_CMAP_PLMAP_6 class-map match-all BULK-DATA match ip dscp af11 af12 class-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix match protocol ldap match protocol telnet match protocol sqlnet match protocol http url "SalesReport" match access-group name TRANSACTIONAL-DATA-APPS class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS class-map match-all VOICE match ip dscp ef class-map match-all MISSION-CRITICAL-DATA match ip dscp 25 class-map match-any BRANCH-NET-MGMT match protocol snmp match protocol syslog match protocol dns match protocol icmp match protocol ssh match access-group name NET-MGMT-APPS class-map match-all ROUTING match ip dscp cs6 class-map match-all SCAVENGER match ip dscp cs1 class-map match-all NET-MGMT match ip dscp cs2 class-map match-any BRANCH-SCAVENGER match protocol gnutella match protocol fasttrack match protocol kazaa2 class-map match-any CALL-SIGNALING match ip dscp cs3 class-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! ! policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Guest class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W class class-default drop log policy-map BRANCH-LAN-EDGE-OUT class class-default policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS class class-default drop log policy-map BRANCH-WAN-EDGE class VOICE priority percent 18 class INTERACTIVE-VIDEO priority percent 15 class CALL-SIGNALING bandwidth percent 5 class ROUTING bandwidth percent 3 class NET-MGMT bandwidth percent 2 class MISSION-CRITICAL-DATA bandwidth percent 15 random-detect class TRANSACTIONAL-DATA bandwidth percent 12 random-detect dscp-based class BULK-DATA bandwidth percent 4 random-detect dscp-based class SCAVENGER bandwidth percent 1 class class-default bandwidth percent 25 random-detect policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_18 class type inspect CSM_ZBF_CLASS_MAP_28 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_19 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_29 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_31 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_16 class type inspect CSM_ZBF_CLASS_MAP_24 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_17 class type inspect CSM_ZBF_CLASS_MAP_25 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_26 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_27 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_14 class type inspect CSM_ZBF_CLASS_MAP_22 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_15 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_23 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_12 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_20 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_21 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_30 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_34 drop log class type inspect CSM_ZBF_CLASS_MAP_35 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_13 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_21 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_20 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_32 drop log class type inspect CSM_ZBF_CLASS_MAP_33 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_10 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_11 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_18 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_22 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_19 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_36 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_9 class type inspect CSM_ZBF_CLASS_MAP_13 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_14 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_15 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_16 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_17 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_MAP_8 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_12 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_7 class type inspect CSM_ZBF_CLASS_MAP_9 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_10 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_11 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_6 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_5 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_8 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_4 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_6 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_7 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_3 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_5 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_2 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_4 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop log policy-map type inspect CSM_ZBF_POLICY_MAP_1 class type inspect CSM_ZBF_CLASS_MAP_1 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_2 inspect Inspect-1 class type inspect CSM_ZBF_CLASS_MAP_3 inspect Inspect-1 class class-default drop policy-map type inspect CSM_ZBF_POLICY_S_Partners_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS class class-default drop log policy-map BRANCH-LAN-EDGE-IN class BRANCH-MISSION-CRITICAL set ip dscp 25 class BRANCH-TRANSACTIONAL-DATA set ip dscp af21 class BRANCH-NET-MGMT set ip dscp cs2 class BRANCH-BULK-DATA set ip dscp af11 class BRANCH-SCAVENGER set ip dscp cs1 policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS class class-default drop log policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W class class-default drop log ! zone security S_WAN description Store WAN Link zone security LOOPBACK description Loopback interface zone security S_MGMT description VLAN1000 Management zone security S_Security description VLAN20 Physical Security Systems zone security S_WAAS description VLAN19 WAAS optimization zone security S_WLC-AP description VLAN18 Wireless Systems zone security S_Data description VLAN12 Store Data zone security S_Data-W description VLAN14 Store Wireless Data zone security S_Guest description VLAN17 Guest/Public Wireless zone security S_Voice description VLAN13 Store Voice zone security S_Partners description VLAN16 Partner network zone security S_POS description VLAN 11 POS Data zone security S_POS-W description VLAN15 Store Wireless POS zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK service-policy type inspect CSM_ZBF_POLICY_MAP_1 zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT service-policy type inspect CSM_ZBF_POLICY_MAP_2 zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security service-policy type inspect CSM_ZBF_POLICY_MAP_3 zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS service-policy type inspect CSM_ZBF_POLICY_MAP_4 zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP service-policy type inspect CSM_ZBF_POLICY_MAP_5 zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Guest zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners service-policy type inspect CSM_ZBF_POLICY_MAP_6 zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_7 zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice service-policy type inspect CSM_ZBF_POLICY_MAP_8 zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_9 zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_11 zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_12 zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS-W zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_13 zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W service-policy type inspect CSM_ZBF_POLICY_MAP_14 zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_15 zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_16 zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_17 zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_MAP_18 zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS-W zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_19 zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_20 zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Partners_S_POS zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_MAP_10 zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_21 zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN service-policy type inspect CSM_ZBF_POLICY_MAP_22 ! ! ! ! ! ! ! interface Loopback0 ip address 10.10.174.1 255.255.255.255 ip pim sparse-dense-mode zone-member security LOOPBACK ! interface FastEthernet0 switchport mode trunk ! interface FastEthernet1 switchport access vlan 17 switchport protected ! interface FastEthernet2 switchport access vlan 17 switchport protected ! interface FastEthernet3 switchport access vlan 17 switchport protected ! interface FastEthernet4 switchport access vlan 17 switchport protected ! interface FastEthernet5 switchport access vlan 17 switchport protected ! interface FastEthernet6 switchport access vlan 17 switchport protected ! interface FastEthernet7 switchport access vlan 17 switchport protected ! interface FastEthernet8 no ip address duplex auto speed auto ! interface FastEthernet8.1 ! interface GigabitEthernet0 ip address 10.10.255.160 255.255.255.0 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_WAN duplex auto speed auto service-policy output BRANCH-WAN-EDGE ! interface wlan-ap0 description Service module interface to manage the embedded AP ip address 10.10.174.33 255.255.255.252 zone-member security S_WLC-AP service-module ip address 10.10.174.34 255.255.255.252 service-module ip default-gateway 10.10.174.33 arp timeout 0 ! interface Wlan-GigabitEthernet0 description Internal switch interface connecting to the embedded AP switchport mode trunk zone-member security S_WLC-AP service-module ip address 10.10.174.34 255.255.255.252 service-module ip default-gateway 10.10.174.33 ! interface Vlan1 no ip address ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS ! interface Vlan11 description POS ip address 10.10.160.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS standby 11 ip 10.10.160.1 standby 11 priority 101 standby 11 preempt ip igmp query-interval 125 service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan12 description DATA ip address 10.10.161.2 255.255.255.0 ip helper-address 192.168.42.130 ip wccp 61 redirect in ip pim sparse-dense-mode zone-member security S_Data standby 12 ip 10.10.161.1 standby 12 priority 101 standby 12 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan13 description VOICE ip address 10.10.162.2 255.255.255.0 ip helper-address 192.168.42.130 ip pim sparse-dense-mode zone-member security S_Voice standby 13 ip 10.10.162.1 standby 13 priority 101 standby 13 preempt service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan14 description WIRELESS ip address 10.10.163.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Data-W standby 14 ip 10.10.163.1 standby 14 priority 101 standby 14 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan15 description WIRELESS-POS ip address 10.10.164.2 255.255.255.0 ip helper-address 192.168.42.130 ip ips Store-IPS in ip ips Store-IPS out zone-member security S_POS-W standby 15 ip 10.10.164.1 standby 15 priority 101 standby 15 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan16 description PARTNER ip address 10.10.165.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Partners standby 16 ip 10.10.165.1 standby 16 priority 101 standby 16 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan17 description WIRELESS-GUEST ip address 10.10.166.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Guest standby 17 ip 10.10.166.1 standby 17 priority 101 standby 17 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan18 description WIRELESS-CONTROL ip address 10.10.167.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WLC-AP standby 18 ip 10.10.167.1 standby 18 priority 101 standby 18 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan19 description WAAS ip address 10.10.168.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_WAAS standby 19 ip 10.10.168.1 standby 19 priority 101 standby 19 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan20 description SECURITY ip address 10.10.169.2 255.255.255.0 ip helper-address 192.168.42.130 zone-member security S_Security standby 20 ip 10.10.169.1 standby 20 priority 101 standby 20 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Vlan1000 description MANAGEMENT ip address 10.10.175.2 255.255.255.0 zone-member security S_MGMT standby 100 ip 10.10.175.1 standby 100 priority 101 standby 100 preempt service-policy input BRANCH-LAN-EDGE-IN service-policy output BRANCH-LAN-EDGE-OUT ! interface Async1 no ip address encapsulation slip ! interface Group-Async0 physical-layer async no ip address encapsulation slip no group-range ! router ospf 5 router-id 10.10.174.1 passive-interface default ! no ip forward-protocol nd ! ! no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip route 0.0.0.0 0.0.0.0 10.10.255.11 ip tacacs source-interface Loopback0 ! ip access-list extended BULK-DATA-APPS remark ---File Transfer--- permit tcp any any eq ftp permit tcp any any eq ftp-data remark ---E-mail traffic--- permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp any any eq 143 remark ---other EDM app protocols--- permit tcp any any range 3460 3466 permit tcp any range 3460 3466 any remark ---messaging services--- permit tcp any any eq 2980 permit tcp any eq 2980 any remark ---Microsoft file services--- permit tcp any any range 137 139 permit tcp any range 137 139 any ip access-list extended CSM_ZBF_CMAP_ACL_1 remark Data Center Mgmt to Devices permit object-group CSM_INLINE_svc_rule_68719541409 object-group CSM_INLINE_src_rule_68719541409 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_10 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group STORE-POS remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_11 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451215 object-group CSM_INLINE_src_rule_73014451215 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_12 remark Data Center VOICE (wired and Wireless) permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_13 remark Syslog and SNMP Alerts permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451187 ip access-list extended CSM_ZBF_CMAP_ACL_14 remark Store to Data Center Authentications permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451193 ip access-list extended CSM_ZBF_CMAP_ACL_15 remark Store to Data Center for NTP permit object-group NTP object-group Stores-ALL object-group NTP-Servers ip access-list extended CSM_ZBF_CMAP_ACL_16 remark Store to Data Center for DHCP and DNS permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com ip access-list extended CSM_ZBF_CMAP_ACL_17 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541425 ip access-list extended CSM_ZBF_CMAP_ACL_18 remark Store UCS E-series server to Data Center vShphere permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group vSphere-1 ip access-list extended CSM_ZBF_CMAP_ACL_19 remark Store NAC permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451223 ip access-list extended CSM_ZBF_CMAP_ACL_2 remark Data Center subscribe to IPS SDEE events permit tcp object-group RSA-enVision object-group Stores-ALL eq 443 ip access-list extended CSM_ZBF_CMAP_ACL_20 remark Store to Data Center Physical Security permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435 ip access-list extended CSM_ZBF_CMAP_ACL_21 remark Store WAAS (WAAS Devices need their own zone) permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group DC-WAAS ip access-list extended CSM_ZBF_CMAP_ACL_22 remark Store WAAS to Clients and Servers permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_23 remark Store to Data Center wireless controller traffic permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541431 ip access-list extended CSM_ZBF_CMAP_ACL_24 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group DC-POS-Oracle remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group DC-POS-SAP remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group DC-POS-Tomax ip access-list extended CSM_ZBF_CMAP_ACL_25 remark Permit POS systems to talk to Data Center Servers permit object-group CSM_INLINE_svc_rule_73014451217 object-group CSM_INLINE_src_rule_73014451217 object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_26 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_27 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_28 remark Permit POS clients to talk to store POS server permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group STORE-POS ip access-list extended CSM_ZBF_CMAP_ACL_29 remark Store to Data Center for Windows Updates permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group MS-Update ip access-list extended CSM_ZBF_CMAP_ACL_3 remark Permit ICMP traffic permit object-group CSM_INLINE_svc_rule_68719541427 object-group CSM_INLINE_src_rule_68719541427 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_30 remark Store to Data Center for E-mail permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group MSExchange ip access-list extended CSM_ZBF_CMAP_ACL_31 remark Store DATA (wired and Wireless - Access to DC Other applications) permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group DC-Applications ip access-list extended CSM_ZBF_CMAP_ACL_32 remark Store GUEST - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465 ip access-list extended CSM_ZBF_CMAP_ACL_33 remark Store GUEST (access to internet/DMZ web servers) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_34 remark Store PARTNERS - Drop Traffic to Enterprise permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461 ip access-list extended CSM_ZBF_CMAP_ACL_35 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN) permit ip object-group Stores-ALL any ip access-list extended CSM_ZBF_CMAP_ACL_36 remark Store VOICE (wired and Wireless - Acess to corporate wide voice) permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541457 ip access-list extended CSM_ZBF_CMAP_ACL_4 remark Data Center vSphere to UCS E-series server permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_5 remark Data Center to Store Physical Security permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_6 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_7 remark Data Center WAAS to Store permit object-group CSM_INLINE_svc_rule_68719541437 object-group CSM_INLINE_src_rule_68719541437 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_8 remark Data Center Wireless Control to AP's and Controllers in stores permit object-group CSM_INLINE_svc_rule_68719541429 object-group CSM_INLINE_src_rule_68719541429 object-group Stores-ALL ip access-list extended CSM_ZBF_CMAP_ACL_9 remark Data Center Mgmt to Devices permit object-group RDP object-group DC-Admin object-group STORE-POS ip access-list extended MISSION-CRITICAL-SERVERS remark ---POS Applications--- permit ip any 192.168.52.0 0.0.0.255 ip access-list extended NET-MGMT-APPS remark - Router user Authentication - Identifies TACACS Control traffic permit tcp any any eq tacacs permit tcp any eq tacacs any ip access-list extended TRANSACTIONAL-DATA-APPS remark ---Workbrain Application--- remark --Large Store Clock Server to Central Clock Application permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444 remark --Large store Clock Server to CUAE permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000 remark ---LiteScape Application--- permit ip any host 192.168.46.82 permit ip any 239.192.0.0 0.0.0.255 permit ip any host 239.255.255.250 remark ---Remote Desktop--- permit tcp any any eq 3389 permit tcp any eq 3389 any remark ---Oracle SIM--- permit tcp any 192.168.46.0 0.0.0.255 eq 7777 permit tcp any 192.168.46.0 0.0.0.255 eq 6003 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any permit tcp 192.168.46.0 0.0.0.255 eq 6003 any permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any ! logging esm config logging trap debugging logging source-interface Loopback0 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log ! ! ! ! ! snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group causer v3 priv snmp-server group remoteuser v3 noauth snmp-server trap-source Loopback0 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps flash insertion removal snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps energywise snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps hsrp snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps ipsla snmp-server enable traps syslog snmp-server enable traps vtp snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server domain-stripping tacacs-server key 7 <removed> ! ! control-plane ! banner exec C WARNING: ** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner incoming C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line 1 modem InOut stopbits 1 speed 115200 flowcontrol hardware line 2 no activation-character no exec transport preferred none transport input ssh transport output none line aux 0 session-timeout 1 output exec-timeout 0 1 privilege level 0 login authentication RETAIL no exec transport preferred none transport output none line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! scheduler max-task-time 5000 ntp source Loopback0 ntp server 192.168.62.161 prefer ntp server 192.168.62.162 end S-A2-CONV-1 Building configuration... Current configuration : 8808 bytes ! ! Last configuration change at 02:11:23 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:11:23 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime localtime show-timezone service password-encryption service sequence-numbers ! hostname S-A2-Conv-1 ! boot-start-marker boot-end-marker ! logging buffered 50000 enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> ! ! aaa new-model ! ! aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 ! ! ip domain-name cisco-irn.com ip name-server 192.168.42.130 login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-3179870208 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3179870208 revocation-check none rsakeypair TP-self-signed-3179870208 ! ! crypto pki certificate chain TP-self-signed-3179870208 certificate self-signed 01 <removed> quit ! ! ! archive log config logging enable notify syslog contenttype plaintext hidekeys spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! ip ssh version 2 ip scp server enable ! ! interface FastEthernet0/1 switchport mode trunk ! interface FastEthernet0/2 description AIR-CAP1042N switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode trunk ! interface FastEthernet0/3 ! interface FastEthernet0/4 ! interface FastEthernet0/5 ! interface FastEthernet0/6 ! interface FastEthernet0/7 ! interface FastEthernet0/8 ! interface GigabitEthernet0/1 switchport mode trunk ! interface Vlan1 no ip address no ip route-cache ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.175.11 255.255.255.0 no ip route-cache ! ip default-gateway 10.10.175.1 no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ip sla enable reaction-alerts logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps power-ethernet group 1 snmp-server enable traps power-ethernet police snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps energywise snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps mac-notification change move threshold snmp-server enable traps vlan-membership snmp-server enable traps errdisable snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 timeout 5 tacacs-server directed-request tacacs-server key 7 <removed> banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36028799 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end Managed Service Provider FW-A2-MSP-1 FW-A2-MSP-1# sh ver Cisco Adaptive Security Appliance Software Version 9.0(0)129 Device Manager Version 7.0(0)40 Compiled on Wed 03-Oct-12 14:19 PDT by builders System image file is "disk0:/asa900-129-smp-k8.bin" Config file at boot was "startup-config" FW-A2-MSP-1 up 97 days 23 hours Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores) ASA: 4096 MB RAM, 1 CPU (1 core) Internal ATA Compact Flash, 8192MB BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1) Boot microcode : CNPx-MC-BOOT-2.00 SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020 IPSec microcode : CNPx-MC-IPSEC-MAIN-0022 Number of accelerators: 1 Baseboard Management Controller (revision 0x1) Firmware Version: 2.4 0: Int: Internal-Data0/0 : address is d48c.b54d.9520, irq 11 1: Ext: GigabitEthernet0/0 : address is d48c.b54d.9524, irq 10 2: Ext: GigabitEthernet0/1 : address is d48c.b54d.9521, irq 10 3: Ext: GigabitEthernet0/2 : address is d48c.b54d.9525, irq 5 4: Ext: GigabitEthernet0/3 : address is d48c.b54d.9522, irq 5 5: Ext: GigabitEthernet0/4 : address is d48c.b54d.9526, irq 10 6: Ext: GigabitEthernet0/5 : address is d48c.b54d.9523, irq 10 7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0 9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0 10: Ext: Management0/0 : address is d48c.b54d.9520, irq 0 Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual Maximum VLANs : 100 perpetual Inside Hosts : Unlimited perpetual Failover : Active/Active perpetual Encryption-DES : Enabled perpetual Encryption-3DES-AES : Enabled perpetual Security Contexts : 5 perpetual GTP/GPRS : Disabled perpetual AnyConnect Premium Peers : 10 perpetual AnyConnect Essentials : 250 perpetual Other VPN Peers : 250 perpetual Total VPN Peers : 250 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Enabled perpetual AnyConnect for Cisco VPN Phone : Enabled perpetual Advanced Endpoint Assessment : Enabled perpetual UC Phone Proxy Sessions : 2 perpetual Total UC Proxy Sessions : 2 perpetual Botnet Traffic Filter : Disabled perpetual Intercompany Media Engine : Enabled perpetual IPS Module : Enabled perpetual Cluster : Disabled perpetual This platform has an ASA 5515 Security Plus license. Serial Number: FCH162771K6 Running Permanent Activation Key: 0xbb3ac554 0x607ed951 0x5d428d70 0xcec038dc 0x0d09f584 Configuration register is 0x1 Configuration last modified by bmcgloth at 13:15:34.337 PST Fri Dec 21 2012 FW-A2-MSP-1# FW-A2-MSP-1# FW-A2-MSP-1# FW-A2-MSP-1# FW-A2-MSP-1# sh run : Saved : ASA Version 9.0(0)129 ! terminal width 511 hostname FW-A2-MSP-1 domain-name cisco-irn.com enable password WKlYt0jXwtQLFcz7 encrypted passwd WKlYt0jXwtQLFcz7 encrypted names dns-guard ! interface GigabitEthernet0/0 nameif MSP-WAN security-level 0 ip address 10.10.255.176 255.255.255.0 ! interface GigabitEthernet0/1 no nameif no security-level no ip address ! interface GigabitEthernet0/1.11 vlan 11 nameif POS security-level 95 ip address 10.10.176.1 255.255.255.0 ! interface GigabitEthernet0/1.12 vlan 12 nameif DATA security-level 85 ip address 10.10.177.1 255.255.255.0 ! interface GigabitEthernet0/1.13 vlan 13 nameif VOICE security-level 80 ip address 10.10.178.1 255.255.255.0 ! interface GigabitEthernet0/1.14 vlan 14 nameif WIRELESS security-level 70 ip address 10.10.179.1 255.255.255.0 ! interface GigabitEthernet0/1.15 vlan 15 nameif WIRELESS-POS security-level 90 ip address 10.10.180.1 255.255.255.0 ! interface GigabitEthernet0/1.16 vlan 16 nameif PARTNER security-level 65 ip address 10.10.181.1 255.255.255.0 ! interface GigabitEthernet0/1.17 vlan 17 nameif WIRELESS-GUEST security-level 10 ip address 10.10.182.1 255.255.255.0 ! interface GigabitEthernet0/1.18 vlan 18 nameif WIRELESS-CONTROL security-level 75 ip address 10.10.183.1 255.255.255.0 ! interface GigabitEthernet0/1.19 vlan 19 nameif WAAS security-level 100 ip address 10.10.184.1 255.255.255.0 ! interface GigabitEthernet0/1.1000 vlan 1000 nameif MANAGEMENT security-level 100 ip address 10.10.191.1 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/5 shutdown no nameif no security-level no ip address ! interface Management0/0 description IPS management connection management-only nameif IPS-Mgmt security-level 1 no ip address ! banner exec WARNING: banner exec THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner exec AUTHORIZED USERS ONLY! banner exec banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY banner exec TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER banner exec REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT banner exec FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. banner exec banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! banner asdm WARNING: banner asdm THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner asdm AUTHORIZED USERS ONLY! banner asdm banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH AD DITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF T HE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY O THER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE F banner asdm banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS boot system disk0:/asa900-129-smp-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns domain-lookup MSP-WAN dns server-group DefaultDNS name-server 192.168.42.130 domain-name cisco-irn.com same-security-traffic permit inter-interface object network AdminStation host 192.168.41.101 object network AdminStation2 host 192.168.41.102 object network AdminStation4-bart host 10.19.151.99 object network LMS host 192.168.42.139 object network CSManager host 192.168.42.133 description Cisco Security Manager object network AdminStation3 host 192.168.42.139 object network ActiveDirectory.cisco-irn.com host 192.168.42.130 object network DC-POS subnet 192.168.52.0 255.255.255.0 description POS in the Data Center object network WCSManager host 192.168.43.135 description Wireless Manager object network PAME-DC-1 host 192.168.44.111 object network MSP-DC-1 host 192.168.44.121 description Data Center VSOM object network DC-ALL subnet 192.168.0.0 255.255.0.0 description All of the Data Center object network RSA-enVision host 192.168.42.124 description RSA EnVision Syslog collector and SIM object network TACACS host 192.168.42.131 description Csico Secure ACS server for TACACS and Radius object network RSA-AM host 192.168.42.137 description RSA Authentication Manager for SecureID object network NAC-2 host 192.168.42.112 object network NAC-1 host 192.168.42.111 description ISE server for NAC object network MS-Update host 192.168.42.150 description Windows Update Server object network MSExchange host 192.168.42.140 description Mail Server object service RPC service tcp destination eq 135 object service LDAP-GC service tcp destination eq 3268 object service LDAP-GC-SSL service tcp destination eq 3269 object service Kerberos-TCP service tcp destination eq 88 object service Microsoft-DS-SMB service tcp destination eq 445 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing object service LDAP-UDP service udp destination eq 389 object service RPC-HighPorts service tcp destination range 1024 65535 object service ORACLE-OAS service tcp destination eq 12601 description OAS uses one port for HTTP and RMI - 12601. object service TOMAX-8990 service tcp destination eq 8990 description Tomax Application Port object service IP-Protocol-97 service 97 description IP protocol 97 object service TCP1080 service tcp destination eq 1080 object service TCP8080 service tcp destination eq 8080 object service RDP service tcp destination eq 3389 description Windows Remote Desktop object-group network CSM_INLINE_src_rule_73014461090 description Generated by CS-Manager from src of FirewallRule# 1 (ASA-Store_V2/mandatory) network-object object AdminStation network-object object AdminStation2 network-object object AdminStation4-bart object-group network Admin-Systems network-object object AdminStation network-object object AdminStation2 network-object object CSManager network-object object AdminStation4-bart network-object object LMS network-object object AdminStation3 object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center network-object 192.168.52.96 255.255.255.224 object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center network-object 192.168.52.144 255.255.255.240 object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center network-object 192.168.52.128 255.255.255.240 object-group network CSM_INLINE_src_rule_73014461184 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-Store_V2/mandatory) group-object DC-POS-Tomax network-object object DC-POS group-object DC-POS-SAP group-object DC-POS-Oracle object-group network POS-Store-MSP network-object 10.10.176.81 255.255.255.255 object-group network CSM_INLINE_dst_rule_73014461438 description Generated by CS-Manager from dst of FirewallRule# 5 (ASA-Store_V2/mandatory) group-object DC-POS-Tomax network-object object DC-POS group-object DC-POS-SAP group-object DC-POS-Oracle object-group network Store-MSP-POS-net network-object 10.10.176.0 255.255.255.0 network-object 10.10.180.0 255.255.255.0 object-group network CSM_INLINE_dst_rule_73014461436 description Generated by CS-Manager from dst of FirewallRule# 7 (ASA-Store_V2/mandatory) group-object DC-POS-Tomax network-object object DC-POS group-object DC-POS-SAP group-object DC-POS-Oracle object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores network-object 192.168.43.21 255.255.255.255 network-object 192.168.43.22 255.255.255.255 object-group network DC-Wifi-MSE description Mobility Service Engines network-object 192.168.43.31 255.255.255.255 network-object 192.168.43.32 255.255.255.255 object-group network CSM_INLINE_src_rule_73014461098 description Generated by CS-Manager from src of FirewallRule# 8 (ASA-Store_V2/mandatory) network-object object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE object-group network CSM_INLINE_src_rule_73014461100 description Generated by CS-Manager from src of FirewallRule# 9 (ASA-Store_V2/mandatory) network-object object PAME-DC-1 network-object object MSP-DC-1 object-group network DC-WAAS description WAE Appliances in Data Center network-object 192.168.48.10 255.255.255.255 network-object 192.168.49.10 255.255.255.255 network-object 192.168.47.11 255.255.255.255 network-object 192.168.47.12 255.255.255.255 object-group network NTP-Servers description NTP Servers network-object 192.168.62.161 255.255.255.255 network-object 162.168.62.162 255.255.255.255 object-group network CSM_INLINE_dst_rule_73014461120 description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-Store_V2/mandatory) network-object object TACACS network-object object RSA-AM network-object object NAC-2 network-object object NAC-1 object-group network CSM_INLINE_dst_rule_73014461126 description Generated by CS-Manager from dst of FirewallRule# 18 (ASA-Store_V2/mandatory) network-object object PAME-DC-1 network-object object MSP-DC-1 object-group network CSM_INLINE_dst_rule_73014461128 description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-Store_V2/mandatory) group-object DC-Wifi-Controllers group-object DC-Wifi-MSE object-group service HTTPS-8443 service-object tcp destination eq 8443 object-group service CSM_INLINE_svc_rule_73014461092 description Generated by CS-Manager from service of FirewallRule# 2 (ASA-Store_V2/mandatory) service-object tcp destination eq ssh service-object tcp destination eq https group-object HTTPS-8443 service-object udp destination eq snmp object-group service DNS-Resolving description Domain Name Server service-object tcp destination eq domain service-object udp destination eq domain object-group service CSM_INLINE_svc_rule_73014461094 description Generated by CS-Manager from service of FirewallRule# 3 (ASA-Store_V2/mandatory) service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq ntp service-object udp destination eq netbios-dgm service-object object RPC service-object object LDAP-GC service-object object LDAP-GC-SSL service-object object Kerberos-TCP service-object object Microsoft-DS-SMB service-object object LDAP-UDP service-object object RPC-HighPorts group-object DNS-Resolving object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. service-object tcp destination range 1300 1319 object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. service-object tcp destination eq 7001 service-object tcp destination eq 7002 service-object tcp destination eq sqlnet object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 service-object tcp destination eq 2809 service-object tcp destination eq 9443 service-object tcp destination eq 1414 object-group service CSM_INLINE_svc_rule_73014461184 description Generated by CS-Manager from service of FirewallRule# 4 (ASA-Store_V2/mandatory) service-object tcp destination eq https service-object tcp destination eq ssh service-object object ORACLE-OAS service-object object TOMAX-8990 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object HTTPS-8443 object-group service TFTP description Trivial File Transfer service-object tcp destination eq 69 service-object udp destination eq tftp object-group service LWAPP description LWAPP UDP ports 12222 and 12223 service-object udp destination eq 12222 service-object udp destination eq 12223 object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 service-object udp destination eq 5246 service-object udp destination eq 5247 object-group service CSM_INLINE_svc_rule_73014461098 description Generated by CS-Manager from service of FirewallRule# 8 (ASA-Store_V2/mandatory) service-object tcp destination eq https service-object tcp destination eq www service-object udp destination eq isakmp service-object tcp destination eq telnet service-object tcp destination eq ssh service-object object IP-Protocol-97 group-object TFTP group-object LWAPP group-object CAPWAP object-group service CSM_INLINE_svc_rule_73014461102 description Generated by CS-Manager from service of FirewallRule# 10 (ASA-Store_V2/mandatory) service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq ssh service-object tcp destination eq ftp service-object object TCP1080 service-object object TCP8080 service-object object RDP group-object HTTPS-8443 object-group service CISCO-WAAS description Ports for Cisco WAAS service-object tcp destination eq 4050 object-group service Netbios description Netbios Servers service-object udp destination eq netbios-dgm service-object udp destination eq netbios-ns service-object tcp destination eq netbios-ssn object-group service CSM_INLINE_svc_rule_73014461104 description Generated by CS-Manager from service of FirewallRule# 11 (ASA-Store_V2/mandatory) service-object object Microsoft-DS-SMB group-object CISCO-WAAS group-object HTTPS-8443 group-object Netbios object-group service CSM_INLINE_svc_rule_73014461106 description Generated by CS-Manager from service of FirewallRule# 12 (ASA-Store_V2/mandatory) service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group service CSM_INLINE_svc_rule_73014461112 description Generated by CS-Manager from service of FirewallRule# 14 (ASA-Store_V2/mandatory) service-object udp destination eq snmptrap service-object udp destination eq snmp service-object udp destination eq syslog object-group service CSM_INLINE_svc_rule_73014461120 description Generated by CS-Manager from service of FirewallRule# 17 (ASA-Store_V2/mandatory) service-object udp destination eq 1812 service-object udp destination eq 1813 service-object tcp destination eq https service-object tcp destination eq www group-object HTTPS-8443 object-group service Cisco-Mobility description Mobility ports for Wireless service-object udp destination eq 16666 service-object udp destination eq 16667 object-group service CSM_INLINE_svc_rule_73014461128 description Generated by CS-Manager from service of FirewallRule# 19 (ASA-Store_V2/mandatory) service-object tcp destination eq https service-object udp destination eq isakmp service-object object IP-Protocol-97 group-object Cisco-Mobility group-object LWAPP group-object CAPWAP object-group service CSM_INLINE_svc_rule_73014461130 description Generated by CS-Manager from service of FirewallRule# 20 (ASA-Store_V2/mandatory) service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group service CSM_INLINE_svc_rule_73014461132 description Generated by CS-Manager from service of FirewallRule# 21 (ASA-Store_V2/mandatory) service-object object Microsoft-DS-SMB group-object CISCO-WAAS group-object HTTPS-8443 group-object Netbios object-group service CSM_INLINE_svc_rule_73014461134 description Generated by CS-Manager from service of FirewallRule# 22 (ASA-Store_V2/mandatory) service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq ntp service-object udp destination eq netbios-dgm service-object object RPC service-object object LDAP-GC service-object object LDAP-GC-SSL service-object object Kerberos-TCP service-object object Microsoft-DS-SMB service-object object LDAP-UDP service-object object RPC-HighPorts group-object DNS-Resolving object-group service CSM_INLINE_svc_rule_73014461136 description Generated by CS-Manager from service of FirewallRule# 23 (ASA-Store_V2/mandatory) service-object tcp destination eq www service-object tcp destination eq https object-group service CSM_INLINE_svc_rule_73014461138 description Generated by CS-Manager from service of FirewallRule# 24 (ASA-Store_V2/mandatory) service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp service-object tcp destination eq pop3 service-object tcp destination eq imap4 object-group network DM_INLINE_NETWORK_2 network-object object NAC-1 network-object object NAC-2 network-object object TACACS object-group service DM_INLINE_SERVICE_1 service-object icmp6 echo service-object udp destination eq ntp object-group service DM_INLINE_SERVICE_2 service-object icmp echo service-object tcp destination eq tacacs object-group service DM_INLINE_SERVICE_3 service-object icmp echo service-object udp destination eq radius service-object udp destination eq radius-acct object-group service DM_INLINE_SERVICE_4 service-object icmp echo service-object udp destination eq snmp service-object udp destination eq snmptrap service-object udp destination eq syslog object-group network DM_INLINE_NETWORK_3 network-object object LMS network-object object RSA-enVision access-list OUTSIDE remark LAB Testing access-list OUTSIDE extended permit ip object-group CSM_INLINE_src_rule_73014461090 10.10.176.0 255.255.248.0 access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 object-group Admin-Systems 10.10.176.0 255.255.24 8.0 access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 object-group Admin-Systems host 10.10.255.176 access-list OUTSIDE remark Allow Active Directory Domain access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461094 object ActiveDirectory.cisco-irn.com 10.10.176.0 255.255.248.0 access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461184 object-group CSM_INLINE_src_rule_73014461184 obje ct-group POS-Store-MSP access-list OUTSIDE extended deny ip any object-group Store-MSP-POS-net access-list OUTSIDE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list OUTSIDE remark Wireless Management to Stores access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461098 object-group CSM_INLINE_src_rule_73014461098 10.1 0.183.0 255.255.255.0 access-list OUTSIDE remark Physical security systems access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014461100 10.10.191.0 255.255.255.0 eq https access-list OUTSIDE remark Allow Management of store systems access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461102 object DC-ALL 10.10.176.0 255.255.248.0 access-list OUTSIDE remark WAAS systems access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461104 object-group DC-WAAS 10.10.184.0 255.255.255.0 access-list OUTSIDE remark Voice calls access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461106 object DC-ALL 10.10.178.0 255.255.255.0 access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list OUTSIDE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list OUTSIDE remark Drop all other traffic access-list OUTSIDE extended deny ip any any log access-list POS remark Allow Applications access-list POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https access-list POS extended deny ip any object-group Store-MSP-POS-net access-list POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst _rule_73014461120 access-list POS remark Allow Active Directory Domain access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisc o-irn.com access-list POS remark Allow Windows Updates access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list POS remark Allow Mail access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list POS remark Drop all other traffic access-list POS extended deny ip any any log access-list WIRELESS-POS remark Allow Applications access-list WIRELESS-POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https access-list WIRELESS-POS extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS-POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS-POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS-POS remark Allow Active Directory Domain access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list WIRELESS-POS remark Allow Windows Updates access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list WIRELESS-POS remark Allow Mail access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list WIRELESS-POS remark Drop all other traffic access-list WIRELESS-POS extended deny ip any any log access-list DATA extended deny ip any object-group Store-MSP-POS-net access-list DATA extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list DATA extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list DATA remark Allow Active Directory Domain access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list DATA remark Allow Windows Updates access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list DATA remark Allow Mail access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list DATA remark Drop all other traffic access-list DATA extended deny ip any any log access-list MANAGEMENT extended deny ip any object-group Store-MSP-POS-net access-list MANAGEMENT extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list MANAGEMENT extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list MANAGEMENT extended permit icmp 10.10.176.0 255.255.248.0 object-group NTP-Servers access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list MANAGEMENT remark Physical security systems access-list MANAGEMENT extended permit tcp 10.10.191.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461126 eq https access-list MANAGEMENT remark Allow Mail access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list MANAGEMENT remark Drop all other traffic access-list MANAGEMENT extended deny ip any any log access-list PARTNER extended deny ip any object-group Store-MSP-POS-net access-list PARTNER extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list PARTNER extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list PARTNER remark Allow Mail access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list PARTNER remark Drop all other traffic access-list PARTNER extended deny ip any any log access-list VOICE extended deny ip any object-group Store-MSP-POS-net access-list VOICE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list VOICE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list VOICE remark Voice calls access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461130 10.10.178.0 255.255.255.0 object DC-ALL access-list VOICE remark Allow Mail access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list VOICE remark Drop all other traffic access-list VOICE extended deny ip any any log access-list WAAS extended deny ip any object-group Store-MSP-POS-net access-list WAAS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list WAAS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WAAS remark WAAS systems access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461132 10.10.184.0 255.255.255.0 object-group DC-WAAS access-list WAAS remark Allow Active Directory Domain access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list WAAS remark Drop all other traffic access-list WAAS extended deny ip any any log access-list WIRELESS extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS remark Allow Active Directory Domain access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list WIRELESS remark Allow Windows Updates access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list WIRELESS remark Allow Mail access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list WIRELESS remark Drop all other traffic access-list WIRELESS extended deny ip any any log access-list WIRELESS-CONTROL extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS-CONTROL extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list WIRELESS-CONTROL extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list WIRELESS-CONTROL remark Wireless control systems access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461128 10.10.183.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461128 access-list WIRELESS-CONTROL remark Drop all other traffic access-list WIRELESS-CONTROL extended deny ip any any log access-list WIRELESS-GUEST extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS-GUEST extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS-GUEST extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS-GUEST remark Drop all other traffic access-list WIRELESS-GUEST extended deny ip any any log access-list DROP-ALL extended deny ip any any log disable access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_1 10.10.191.0 255.255.255.0 object-group NTP-Servers log disable access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_2 10.10.191.0 255.255.255.0 object TACACS access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 log disable access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_4 10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 log disable access-list MANAGEMENT_access_in extended deny ip any any pager lines 24 logging enable logging timestamp logging buffer-size 100000 logging trap informational logging asdm informational logging host MSP-WAN 192.168.42.124 mtu MSP-WAN 1500 mtu POS 1500 mtu DATA 1500 mtu VOICE 1500 mtu WIRELESS 1500 mtu WIRELESS-POS 1500 mtu PARTNER 1500 mtu WIRELESS-GUEST 1500 mtu WIRELESS-CONTROL 1500 mtu WAAS 1500 mtu MANAGEMENT 1500 mtu IPS-Mgmt 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any MSP-WAN icmp permit any POS icmp permit any DATA icmp permit any VOICE icmp permit any WIRELESS icmp permit any WIRELESS-POS icmp permit any PARTNER icmp permit any WIRELESS-GUEST icmp permit any WIRELESS-CONTROL icmp permit any WAAS icmp permit any MANAGEMENT asdm image disk0:/asdm-70040.bin asdm history enable arp timeout 14400 no arp permit-nonconnected access-group OUTSIDE in interface MSP-WAN access-group POS in interface POS access-group DATA in interface DATA access-group VOICE in interface VOICE access-group WIRELESS in interface WIRELESS access-group WIRELESS-POS in interface WIRELESS-POS access-group PARTNER in interface PARTNER access-group WIRELESS-GUEST in interface WIRELESS-GUEST access-group WIRELESS-CONTROL in interface WIRELESS-CONTROL access-group WAAS in interface WAAS access-group MANAGEMENT_access_in in interface MANAGEMENT access-group DROP-ALL in interface IPS-Mgmt route MSP-WAN 0.0.0.0 0.0.0.0 10.10.255.11 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server RETAIL protocol tacacs+ aaa-server RETAIL (MANAGEMENT) host 192.168.42.131 key * aaa-server COMPLIANCE protocol tacacs+ aaa-server COMPLIANCE (MSP-WAN) host 192.168.42.131 key * user-identity default-domain LOCAL aaa authentication enable console COMPLIANCE LOCAL aaa authentication http console COMPLIANCE LOCAL aaa authentication ssh console COMPLIANCE LOCAL aaa authorization command COMPLIANCE LOCAL aaa accounting enable console COMPLIANCE aaa accounting ssh console COMPLIANCE aaa accounting command privilege 15 COMPLIANCE aaa authentication secure-http-client aaa local authentication attempts max-fail 6 aaa authorization exec authentication-server http server enable http server idle-timeout 15 http server session-timeout 15 http 192.168.41.101 255.255.255.255 MSP-WAN http 192.168.41.102 255.255.255.255 MSP-WAN http 192.168.42.122 255.255.255.255 MSP-WAN http 192.168.42.124 255.255.255.255 MSP-WAN http 192.168.42.133 255.255.255.255 MSP-WAN http 192.168.42.138 255.255.255.255 MSP-WAN http 192.168.42.139 255.255.255.255 MSP-WAN http 192.168.42.134 255.255.255.255 MSP-WAN snmp-server group V3Group v3 priv snmp-server user ciscolms V3Group v3 encrypted auth sha 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14: 98:e5 snmp-server user csmadmin V3Group v3 encrypted auth sha 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14: 98:e5 snmp-server host MSP-WAN 192.168.42.134 version 3 ciscolms snmp-server host MSP-WAN 192.168.42.139 version 3 ciscolms snmp-server host MSP-WAN 192.168.42.133 version 3 csmadmin snmp-server location Building SJC-17-1 Aisle 2 Rack 3 snmp-server contact Bart McGlothin snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps memory-threshold snmp-server enable traps interface-threshold snmp-server enable traps remote-access session-threshold-exceeded snmp-server enable traps connection-limit-reached snmp-server enable traps cpu threshold rising snmp-server enable traps ikev2 start stop snmp-server enable traps nat packet-discard crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh scopy enable ssh 192.168.41.101 255.255.255.255 MSP-WAN ssh 192.168.41.102 255.255.255.255 MSP-WAN ssh 192.168.42.122 255.255.255.255 MSP-WAN ssh 192.168.42.124 255.255.255.255 MSP-WAN ssh 192.168.42.133 255.255.255.255 MSP-WAN ssh 192.168.42.138 255.255.255.255 MSP-WAN ssh 192.168.42.139 255.255.255.255 MSP-WAN ssh 192.168.42.134 255.255.255.255 MSP-WAN ssh timeout 15 ssh version 2 console timeout 15 dhcprelay server 192.168.42.130 MSP-WAN dhcprelay enable POS dhcprelay enable DATA dhcprelay enable VOICE dhcprelay enable WIRELESS dhcprelay enable WIRELESS-POS dhcprelay enable PARTNER dhcprelay enable WIRELESS-GUEST dhcprelay enable WIRELESS-CONTROL dhcprelay timeout 60 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 192.168.62.162 source MSP-WAN ntp server 192.168.62.161 source MSP-WAN prefer ssl encryption aes128-sha1 aes256-sha1 3des-sha1 webvpn anyconnect-essentials username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15 username retail password XgJyMnijuEPQSGoY encrypted privilege 15 username jchambers password zkGq5ojduHyZK1bA encrypted privilege 15 username ciscolms password huo2PmvTsMk6Cv1L encrypted privilege 15 username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15 ! class-map inspection_default match default-inspection-traffic class-map global-class-PCI match any ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy description IPS inspection policy for Cisco PCI LAB class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options class global-class-PCI ips inline fail-close class class-default ips promiscuous fail-open ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily password encryption aes Cryptochecksum:0c17bedaf99e8d7c1ce43105b2a7d2c5 : end FW-A2-FW-A2-MSP-1# sh ver Cisco Adaptive Security Appliance Software Version 9.0(0)129 Device Manager Version 7.0(0)40 Compiled on Wed 03-Oct-12 14:19 PDT by builders System image file is "disk0:/asa900-129-smp-k8.bin" Config file at boot was "startup-config" FW-A2-MSP-1 up 97 days 23 hours Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores) ASA: 4096 MB RAM, 1 CPU (1 core) Internal ATA Compact Flash, 8192MB BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1) Boot microcode : CNPx-MC-BOOT-2.00 SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020 IPSec microcode : CNPx-MC-IPSEC-MAIN-0022 Number of accelerators: 1 Baseboard Management Controller (revision 0x1) Firmware Version: 2.4 0: Int: Internal-Data0/0 : address is d48c.b54d.9520, irq 11 1: Ext: GigabitEthernet0/0 : address is d48c.b54d.9524, irq 10 2: Ext: GigabitEthernet0/1 : address is d48c.b54d.9521, irq 10 3: Ext: GigabitEthernet0/2 : address is d48c.b54d.9525, irq 5 4: Ext: GigabitEthernet0/3 : address is d48c.b54d.9522, irq 5 5: Ext: GigabitEthernet0/4 : address is d48c.b54d.9526, irq 10 6: Ext: GigabitEthernet0/5 : address is d48c.b54d.9523, irq 10 7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0 9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0 10: Ext: Management0/0 : address is d48c.b54d.9520, irq 0 Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual Maximum VLANs : 100 perpetual Inside Hosts : Unlimited perpetual Failover : Active/Active perpetual Encryption-DES : Enabled perpetual Encryption-3DES-AES : Enabled perpetual Security Contexts : 5 perpetual GTP/GPRS : Disabled perpetual AnyConnect Premium Peers : 10 perpetual AnyConnect Essentials : 250 perpetual Other VPN Peers : 250 perpetual Total VPN Peers : 250 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Enabled perpetual AnyConnect for Cisco VPN Phone : Enabled perpetual Advanced Endpoint Assessment : Enabled perpetual UC Phone Proxy Sessions : 2 perpetual Total UC Proxy Sessions : 2 perpetual Botnet Traffic Filter : Disabled perpetual Intercompany Media Engine : Enabled perpetual IPS Module : Enabled perpetual Cluster : Disabled perpetual This platform has an ASA 5515 Security Plus license. Serial Number: FCH162771K6 Running Permanent Activation Key: 0xbb3ac554 0x607ed951 0x5d428d70 0xcec038dc 0x0d09f584 Configuration register is 0x1 Configuration last modified by bmcgloth at 13:15:34.337 PST Fri Dec 21 2012 FW-A2-MSP-1# FW-A2-MSP-1# FW-A2-MSP-1# FW-A2-MSP-1# FW-A2-MSP-1# sh run : Saved : ASA Version 9.0(0)129 ! terminal width 511 hostname FW-A2-MSP-1 domain-name cisco-irn.com enable password WKlYt0jXwtQLFcz7 encrypted passwd WKlYt0jXwtQLFcz7 encrypted names dns-guard ! interface GigabitEthernet0/0 nameif MSP-WAN security-level 0 ip address 10.10.255.176 255.255.255.0 ! interface GigabitEthernet0/1 no nameif no security-level no ip address ! interface GigabitEthernet0/1.11 vlan 11 nameif POS security-level 95 ip address 10.10.176.1 255.255.255.0 ! interface GigabitEthernet0/1.12 vlan 12 nameif DATA security-level 85 ip address 10.10.177.1 255.255.255.0 ! interface GigabitEthernet0/1.13 vlan 13 nameif VOICE security-level 80 ip address 10.10.178.1 255.255.255.0 ! interface GigabitEthernet0/1.14 vlan 14 nameif WIRELESS security-level 70 ip address 10.10.179.1 255.255.255.0 ! interface GigabitEthernet0/1.15 vlan 15 nameif WIRELESS-POS security-level 90 ip address 10.10.180.1 255.255.255.0 ! interface GigabitEthernet0/1.16 vlan 16 nameif PARTNER security-level 65 ip address 10.10.181.1 255.255.255.0 ! interface GigabitEthernet0/1.17 vlan 17 nameif WIRELESS-GUEST security-level 10 ip address 10.10.182.1 255.255.255.0 ! interface GigabitEthernet0/1.18 vlan 18 nameif WIRELESS-CONTROL security-level 75 ip address 10.10.183.1 255.255.255.0 ! interface GigabitEthernet0/1.19 vlan 19 nameif WAAS security-level 100 ip address 10.10.184.1 255.255.255.0 ! interface GigabitEthernet0/1.1000 vlan 1000 nameif MANAGEMENT security-level 100 ip address 10.10.191.1 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/5 shutdown no nameif no security-level no ip address ! interface Management0/0 description IPS management connection management-only nameif IPS-Mgmt security-level 1 no ip address ! banner exec WARNING: banner exec THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner exec AUTHORIZED USERS ONLY! banner exec banner exec ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT banner exec TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY banner exec TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER banner exec REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT banner exec FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER banner exec CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW banner exec ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. banner exec banner exec UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. banner login WARNING: banner login THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! banner asdm WARNING: banner asdm THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF COMPLIANCE banner asdm AUTHORIZED USERS ONLY! banner asdm banner asdm ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH AD DITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF T HE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY O THER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE F banner asdm banner asdm UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS boot system disk0:/asa900-129-smp-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns domain-lookup MSP-WAN dns server-group DefaultDNS name-server 192.168.42.130 domain-name cisco-irn.com same-security-traffic permit inter-interface object network AdminStation host 192.168.41.101 object network AdminStation2 host 192.168.41.102 object network AdminStation4-bart host 10.19.151.99 object network LMS host 192.168.42.139 object network CSManager host 192.168.42.133 description Cisco Security Manager object network AdminStation3 host 192.168.42.139 object network ActiveDirectory.cisco-irn.com host 192.168.42.130 object network DC-POS subnet 192.168.52.0 255.255.255.0 description POS in the Data Center object network WCSManager host 192.168.43.135 description Wireless Manager object network PAME-DC-1 host 192.168.44.111 object network MSP-DC-1 host 192.168.44.121 description Data Center VSOM object network DC-ALL subnet 192.168.0.0 255.255.0.0 description All of the Data Center object network RSA-enVision host 192.168.42.124 description RSA EnVision Syslog collector and SIM object network TACACS host 192.168.42.131 description Csico Secure ACS server for TACACS and Radius object network RSA-AM host 192.168.42.137 description RSA Authentication Manager for SecureID object network NAC-2 host 192.168.42.112 object network NAC-1 host 192.168.42.111 description ISE server for NAC object network MS-Update host 192.168.42.150 description Windows Update Server object network MSExchange host 192.168.42.140 description Mail Server object service RPC service tcp destination eq 135 object service LDAP-GC service tcp destination eq 3268 object service LDAP-GC-SSL service tcp destination eq 3269 object service Kerberos-TCP service tcp destination eq 88 object service Microsoft-DS-SMB service tcp destination eq 445 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing object service LDAP-UDP service udp destination eq 389 object service RPC-HighPorts service tcp destination range 1024 65535 object service ORACLE-OAS service tcp destination eq 12601 description OAS uses one port for HTTP and RMI - 12601. object service TOMAX-8990 service tcp destination eq 8990 description Tomax Application Port object service IP-Protocol-97 service 97 description IP protocol 97 object service TCP1080 service tcp destination eq 1080 object service TCP8080 service tcp destination eq 8080 object service RDP service tcp destination eq 3389 description Windows Remote Desktop object-group network CSM_INLINE_src_rule_73014461090 description Generated by CS-Manager from src of FirewallRule# 1 (ASA-Store_V2/mandatory) network-object object AdminStation network-object object AdminStation2 network-object object AdminStation4-bart object-group network Admin-Systems network-object object AdminStation network-object object AdminStation2 network-object object CSManager network-object object AdminStation4-bart network-object object LMS network-object object AdminStation3 object-group network DC-POS-Tomax description Tomax POS Communication from Store to Data Center network-object 192.168.52.96 255.255.255.224 object-group network DC-POS-SAP description SAP POS Communication from Store to Data Center network-object 192.168.52.144 255.255.255.240 object-group network DC-POS-Oracle description Oracle POS Communication from Store to Data Center network-object 192.168.52.128 255.255.255.240 object-group network CSM_INLINE_src_rule_73014461184 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-Store_V2/mandatory) group-object DC-POS-Tomax network-object object DC-POS group-object DC-POS-SAP group-object DC-POS-Oracle object-group network POS-Store-MSP network-object 10.10.176.81 255.255.255.255 object-group network CSM_INLINE_dst_rule_73014461438 description Generated by CS-Manager from dst of FirewallRule# 5 (ASA-Store_V2/mandatory) group-object DC-POS-Tomax network-object object DC-POS group-object DC-POS-SAP group-object DC-POS-Oracle object-group network Store-MSP-POS-net network-object 10.10.176.0 255.255.255.0 network-object 10.10.180.0 255.255.255.0 object-group network CSM_INLINE_dst_rule_73014461436 description Generated by CS-Manager from dst of FirewallRule# 7 (ASA-Store_V2/mandatory) group-object DC-POS-Tomax network-object object DC-POS group-object DC-POS-SAP group-object DC-POS-Oracle object-group network DC-Wifi-Controllers description Central Wireless Controllers for stores network-object 192.168.43.21 255.255.255.255 network-object 192.168.43.22 255.255.255.255 object-group network DC-Wifi-MSE description Mobility Service Engines network-object 192.168.43.31 255.255.255.255 network-object 192.168.43.32 255.255.255.255 object-group network CSM_INLINE_src_rule_73014461098 description Generated by CS-Manager from src of FirewallRule# 8 (ASA-Store_V2/mandatory) network-object object WCSManager group-object DC-Wifi-Controllers group-object DC-Wifi-MSE object-group network CSM_INLINE_src_rule_73014461100 description Generated by CS-Manager from src of FirewallRule# 9 (ASA-Store_V2/mandatory) network-object object PAME-DC-1 network-object object MSP-DC-1 object-group network DC-WAAS description WAE Appliances in Data Center network-object 192.168.48.10 255.255.255.255 network-object 192.168.49.10 255.255.255.255 network-object 192.168.47.11 255.255.255.255 network-object 192.168.47.12 255.255.255.255 object-group network NTP-Servers description NTP Servers network-object 192.168.62.161 255.255.255.255 network-object 162.168.62.162 255.255.255.255 object-group network CSM_INLINE_dst_rule_73014461120 description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-Store_V2/mandatory) network-object object TACACS network-object object RSA-AM network-object object NAC-2 network-object object NAC-1 object-group network CSM_INLINE_dst_rule_73014461126 description Generated by CS-Manager from dst of FirewallRule# 18 (ASA-Store_V2/mandatory) network-object object PAME-DC-1 network-object object MSP-DC-1 object-group network CSM_INLINE_dst_rule_73014461128 description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-Store_V2/mandatory) group-object DC-Wifi-Controllers group-object DC-Wifi-MSE object-group service HTTPS-8443 service-object tcp destination eq 8443 object-group service CSM_INLINE_svc_rule_73014461092 description Generated by CS-Manager from service of FirewallRule# 2 (ASA-Store_V2/mandatory) service-object tcp destination eq ssh service-object tcp destination eq https group-object HTTPS-8443 service-object udp destination eq snmp object-group service DNS-Resolving description Domain Name Server service-object tcp destination eq domain service-object udp destination eq domain object-group service CSM_INLINE_svc_rule_73014461094 description Generated by CS-Manager from service of FirewallRule# 3 (ASA-Store_V2/mandatory) service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq ntp service-object udp destination eq netbios-dgm service-object object RPC service-object object LDAP-GC service-object object LDAP-GC-SSL service-object object Kerberos-TCP service-object object Microsoft-DS-SMB service-object object LDAP-UDP service-object object RPC-HighPorts group-object DNS-Resolving object-group service ORACLE-RMI description RMI TCP ports 1300 and 1301-1319. service-object tcp destination range 1300 1319 object-group service ORACLE-Weblogic description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521. service-object tcp destination eq 7001 service-object tcp destination eq 7002 service-object tcp destination eq sqlnet object-group service ORACLE-WAS description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414 service-object tcp destination eq 2809 service-object tcp destination eq 9443 service-object tcp destination eq 1414 object-group service CSM_INLINE_svc_rule_73014461184 description Generated by CS-Manager from service of FirewallRule# 4 (ASA-Store_V2/mandatory) service-object tcp destination eq https service-object tcp destination eq ssh service-object object ORACLE-OAS service-object object TOMAX-8990 group-object ORACLE-RMI group-object ORACLE-Weblogic group-object ORACLE-WAS group-object HTTPS-8443 object-group service TFTP description Trivial File Transfer service-object tcp destination eq 69 service-object udp destination eq tftp object-group service LWAPP description LWAPP UDP ports 12222 and 12223 service-object udp destination eq 12222 service-object udp destination eq 12223 object-group service CAPWAP description CAPWAP UDP ports 5246 and 5247 service-object udp destination eq 5246 service-object udp destination eq 5247 object-group service CSM_INLINE_svc_rule_73014461098 description Generated by CS-Manager from service of FirewallRule# 8 (ASA-Store_V2/mandatory) service-object tcp destination eq https service-object tcp destination eq www service-object udp destination eq isakmp service-object tcp destination eq telnet service-object tcp destination eq ssh service-object object IP-Protocol-97 group-object TFTP group-object LWAPP group-object CAPWAP object-group service CSM_INLINE_svc_rule_73014461102 description Generated by CS-Manager from service of FirewallRule# 10 (ASA-Store_V2/mandatory) service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq ssh service-object tcp destination eq ftp service-object object TCP1080 service-object object TCP8080 service-object object RDP group-object HTTPS-8443 object-group service CISCO-WAAS description Ports for Cisco WAAS service-object tcp destination eq 4050 object-group service Netbios description Netbios Servers service-object udp destination eq netbios-dgm service-object udp destination eq netbios-ns service-object tcp destination eq netbios-ssn object-group service CSM_INLINE_svc_rule_73014461104 description Generated by CS-Manager from service of FirewallRule# 11 (ASA-Store_V2/mandatory) service-object object Microsoft-DS-SMB group-object CISCO-WAAS group-object HTTPS-8443 group-object Netbios object-group service CSM_INLINE_svc_rule_73014461106 description Generated by CS-Manager from service of FirewallRule# 12 (ASA-Store_V2/mandatory) service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group service CSM_INLINE_svc_rule_73014461112 description Generated by CS-Manager from service of FirewallRule# 14 (ASA-Store_V2/mandatory) service-object udp destination eq snmptrap service-object udp destination eq snmp service-object udp destination eq syslog object-group service CSM_INLINE_svc_rule_73014461120 description Generated by CS-Manager from service of FirewallRule# 17 (ASA-Store_V2/mandatory) service-object udp destination eq 1812 service-object udp destination eq 1813 service-object tcp destination eq https service-object tcp destination eq www group-object HTTPS-8443 object-group service Cisco-Mobility description Mobility ports for Wireless service-object udp destination eq 16666 service-object udp destination eq 16667 object-group service CSM_INLINE_svc_rule_73014461128 description Generated by CS-Manager from service of FirewallRule# 19 (ASA-Store_V2/mandatory) service-object tcp destination eq https service-object udp destination eq isakmp service-object object IP-Protocol-97 group-object Cisco-Mobility group-object LWAPP group-object CAPWAP object-group service CSM_INLINE_svc_rule_73014461130 description Generated by CS-Manager from service of FirewallRule# 20 (ASA-Store_V2/mandatory) service-object tcp-udp destination eq sip service-object tcp destination eq 2000 object-group service CSM_INLINE_svc_rule_73014461132 description Generated by CS-Manager from service of FirewallRule# 21 (ASA-Store_V2/mandatory) service-object object Microsoft-DS-SMB group-object CISCO-WAAS group-object HTTPS-8443 group-object Netbios object-group service CSM_INLINE_svc_rule_73014461134 description Generated by CS-Manager from service of FirewallRule# 22 (ASA-Store_V2/mandatory) service-object tcp destination eq ldap service-object tcp destination eq ldaps service-object udp destination eq 88 service-object udp destination eq ntp service-object udp destination eq netbios-dgm service-object object RPC service-object object LDAP-GC service-object object LDAP-GC-SSL service-object object Kerberos-TCP service-object object Microsoft-DS-SMB service-object object LDAP-UDP service-object object RPC-HighPorts group-object DNS-Resolving object-group service CSM_INLINE_svc_rule_73014461136 description Generated by CS-Manager from service of FirewallRule# 23 (ASA-Store_V2/mandatory) service-object tcp destination eq www service-object tcp destination eq https object-group service CSM_INLINE_svc_rule_73014461138 description Generated by CS-Manager from service of FirewallRule# 24 (ASA-Store_V2/mandatory) service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp service-object tcp destination eq pop3 service-object tcp destination eq imap4 object-group network DM_INLINE_NETWORK_2 network-object object NAC-1 network-object object NAC-2 network-object object TACACS object-group service DM_INLINE_SERVICE_1 service-object icmp6 echo service-object udp destination eq ntp object-group service DM_INLINE_SERVICE_2 service-object icmp echo service-object tcp destination eq tacacs object-group service DM_INLINE_SERVICE_3 service-object icmp echo service-object udp destination eq radius service-object udp destination eq radius-acct object-group service DM_INLINE_SERVICE_4 service-object icmp echo service-object udp destination eq snmp service-object udp destination eq snmptrap service-object udp destination eq syslog object-group network DM_INLINE_NETWORK_3 network-object object LMS network-object object RSA-enVision access-list OUTSIDE remark LAB Testing access-list OUTSIDE extended permit ip object-group CSM_INLINE_src_rule_73014461090 10.10.176.0 255.255.248.0 access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 object-group Admin-Systems 10.10.176.0 255.255.24 8.0 access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 object-group Admin-Systems host 10.10.255.176 access-list OUTSIDE remark Allow Active Directory Domain access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461094 object ActiveDirectory.cisco-irn.com 10.10.176.0 255.255.248.0 access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461184 object-group CSM_INLINE_src_rule_73014461184 obje ct-group POS-Store-MSP access-list OUTSIDE extended deny ip any object-group Store-MSP-POS-net access-list OUTSIDE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list OUTSIDE remark Wireless Management to Stores access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461098 object-group CSM_INLINE_src_rule_73014461098 10.1 0.183.0 255.255.255.0 access-list OUTSIDE remark Physical security systems access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014461100 10.10.191.0 255.255.255.0 eq https access-list OUTSIDE remark Allow Management of store systems access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461102 object DC-ALL 10.10.176.0 255.255.248.0 access-list OUTSIDE remark WAAS systems access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461104 object-group DC-WAAS 10.10.184.0 255.255.255.0 access-list OUTSIDE remark Voice calls access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461106 object DC-ALL 10.10.178.0 255.255.255.0 access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list OUTSIDE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list OUTSIDE remark Drop all other traffic access-list OUTSIDE extended deny ip any any log access-list POS remark Allow Applications access-list POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https access-list POS extended deny ip any object-group Store-MSP-POS-net access-list POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst _rule_73014461120 access-list POS remark Allow Active Directory Domain access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisc o-irn.com access-list POS remark Allow Windows Updates access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list POS remark Allow Mail access-list POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list POS remark Drop all other traffic access-list POS extended deny ip any any log access-list WIRELESS-POS remark Allow Applications access-list WIRELESS-POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https access-list WIRELESS-POS extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS-POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS-POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS-POS remark Allow Active Directory Domain access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list WIRELESS-POS remark Allow Windows Updates access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list WIRELESS-POS remark Allow Mail access-list WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list WIRELESS-POS remark Drop all other traffic access-list WIRELESS-POS extended deny ip any any log access-list DATA extended deny ip any object-group Store-MSP-POS-net access-list DATA extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list DATA extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list DATA remark Allow Active Directory Domain access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list DATA remark Allow Windows Updates access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list DATA remark Allow Mail access-list DATA extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list DATA remark Drop all other traffic access-list DATA extended deny ip any any log access-list MANAGEMENT extended deny ip any object-group Store-MSP-POS-net access-list MANAGEMENT extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list MANAGEMENT extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list MANAGEMENT extended permit icmp 10.10.176.0 255.255.248.0 object-group NTP-Servers access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list MANAGEMENT remark Physical security systems access-list MANAGEMENT extended permit tcp 10.10.191.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461126 eq https access-list MANAGEMENT remark Allow Mail access-list MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list MANAGEMENT remark Drop all other traffic access-list MANAGEMENT extended deny ip any any log access-list PARTNER extended deny ip any object-group Store-MSP-POS-net access-list PARTNER extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list PARTNER extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list PARTNER remark Allow Mail access-list PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list PARTNER remark Drop all other traffic access-list PARTNER extended deny ip any any log access-list VOICE extended deny ip any object-group Store-MSP-POS-net access-list VOICE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list VOICE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list VOICE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list VOICE remark Voice calls access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461130 10.10.178.0 255.255.255.0 object DC-ALL access-list VOICE remark Allow Mail access-list VOICE extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list VOICE remark Drop all other traffic access-list VOICE extended deny ip any any log access-list WAAS extended deny ip any object-group Store-MSP-POS-net access-list WAAS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list WAAS extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list WAAS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WAAS remark WAAS systems access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461132 10.10.184.0 255.255.255.0 object-group DC-WAAS access-list WAAS remark Allow Active Directory Domain access-list WAAS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list WAAS remark Drop all other traffic access-list WAAS extended deny ip any any log access-list WIRELESS extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS remark Allow Active Directory Domain access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com access-list WIRELESS remark Allow Windows Updates access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update access-list WIRELESS remark Allow Mail access-list WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange access-list WIRELESS remark Drop all other traffic access-list WIRELESS extended deny ip any any log access-list WIRELESS-CONTROL extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS-CONTROL extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object LMS eq ssh access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision access-list WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs access-list WIRELESS-CONTROL extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120 access-list WIRELESS-CONTROL remark Wireless control systems access-list WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461128 10.10.183.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461128 access-list WIRELESS-CONTROL remark Drop all other traffic access-list WIRELESS-CONTROL extended deny ip any any log access-list WIRELESS-GUEST extended deny ip any object-group Store-MSP-POS-net access-list WIRELESS-GUEST extended deny ip any object-group CSM_INLINE_dst_rule_73014461436 access-list WIRELESS-GUEST extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp access-list WIRELESS-GUEST remark Drop all other traffic access-list WIRELESS-GUEST extended deny ip any any log access-list DROP-ALL extended deny ip any any log disable access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_1 10.10.191.0 255.255.255.0 object-group NTP-Servers log disable access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_2 10.10.191.0 255.255.255.0 object TACACS access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 log disable access-list MANAGEMENT_access_in extended permit object-group DM_INLINE_SERVICE_4 10.10.191.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 log disable access-list MANAGEMENT_access_in extended deny ip any any pager lines 24 logging enable logging timestamp logging buffer-size 100000 logging trap informational logging asdm informational logging host MSP-WAN 192.168.42.124 mtu MSP-WAN 1500 mtu POS 1500 mtu DATA 1500 mtu VOICE 1500 mtu WIRELESS 1500 mtu WIRELESS-POS 1500 mtu PARTNER 1500 mtu WIRELESS-GUEST 1500 mtu WIRELESS-CONTROL 1500 mtu WAAS 1500 mtu MANAGEMENT 1500 mtu IPS-Mgmt 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any MSP-WAN icmp permit any POS icmp permit any DATA icmp permit any VOICE icmp permit any WIRELESS icmp permit any WIRELESS-POS icmp permit any PARTNER icmp permit any WIRELESS-GUEST icmp permit any WIRELESS-CONTROL icmp permit any WAAS icmp permit any MANAGEMENT asdm image disk0:/asdm-70040.bin asdm history enable arp timeout 14400 no arp permit-nonconnected access-group OUTSIDE in interface MSP-WAN access-group POS in interface POS access-group DATA in interface DATA access-group VOICE in interface VOICE access-group WIRELESS in interface WIRELESS access-group WIRELESS-POS in interface WIRELESS-POS access-group PARTNER in interface PARTNER access-group WIRELESS-GUEST in interface WIRELESS-GUEST access-group WIRELESS-CONTROL in interface WIRELESS-CONTROL access-group WAAS in interface WAAS access-group MANAGEMENT_access_in in interface MANAGEMENT access-group DROP-ALL in interface IPS-Mgmt route MSP-WAN 0.0.0.0 0.0.0.0 10.10.255.11 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server RETAIL protocol tacacs+ aaa-server RETAIL (MANAGEMENT) host 192.168.42.131 key * aaa-server COMPLIANCE protocol tacacs+ aaa-server COMPLIANCE (MSP-WAN) host 192.168.42.131 key *** user-identity default-domain LOCAL aaa authentication enable console COMPLIANCE LOCAL aaa authentication http console COMPLIANCE LOCAL aaa authentication ssh console COMPLIANCE LOCAL aaa authorization command COMPLIANCE LOCAL aaa accounting enable console COMPLIANCE aaa accounting ssh console COMPLIANCE aaa accounting command privilege 15 COMPLIANCE aaa authentication secure-http-client aaa local authentication attempts max-fail 6 aaa authorization exec authentication-server http server enable http server idle-timeout 15 http server session-timeout 15 http 192.168.41.101 255.255.255.255 MSP-WAN http 192.168.41.102 255.255.255.255 MSP-WAN http 192.168.42.122 255.255.255.255 MSP-WAN http 192.168.42.124 255.255.255.255 MSP-WAN http 192.168.42.133 255.255.255.255 MSP-WAN http 192.168.42.138 255.255.255.255 MSP-WAN http 192.168.42.139 255.255.255.255 MSP-WAN http 192.168.42.134 255.255.255.255 MSP-WAN snmp-server group V3Group v3 priv snmp-server user ciscolms V3Group v3 encrypted auth sha 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14: 98:e5 snmp-server user csmadmin V3Group v3 encrypted auth sha 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db priv aes 256 56:bd:0f:20:11:a7:78:6e:08:cc:a9:43:f7:86:0e:ab:04:7c:a7:db:88:e3:53:03:7b:f1:02:30:bc:14: 98:e5 snmp-server host MSP-WAN 192.168.42.134 version 3 ciscolms snmp-server host MSP-WAN 192.168.42.139 version 3 ciscolms snmp-server host MSP-WAN 192.168.42.133 version 3 csmadmin snmp-server location Building SJC-17-1 Aisle 2 Rack 3 snmp-server contact Bart McGlothin snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps memory-threshold snmp-server enable traps interface-threshold snmp-server enable traps remote-access session-threshold-exceeded snmp-server enable traps connection-limit-reached snmp-server enable traps cpu threshold rising snmp-server enable traps ikev2 start stop snmp-server enable traps nat packet-discard crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh scopy enable ssh 192.168.41.101 255.255.255.255 MSP-WAN ssh 192.168.41.102 255.255.255.255 MSP-WAN ssh 192.168.42.122 255.255.255.255 MSP-WAN ssh 192.168.42.124 255.255.255.255 MSP-WAN ssh 192.168.42.133 255.255.255.255 MSP-WAN ssh 192.168.42.138 255.255.255.255 MSP-WAN ssh 192.168.42.139 255.255.255.255 MSP-WAN ssh 192.168.42.134 255.255.255.255 MSP-WAN ssh timeout 15 ssh version 2 console timeout 15 dhcprelay server 192.168.42.130 MSP-WAN dhcprelay enable POS dhcprelay enable DATA dhcprelay enable VOICE dhcprelay enable WIRELESS dhcprelay enable WIRELESS-POS dhcprelay enable PARTNER dhcprelay enable WIRELESS-GUEST dhcprelay enable WIRELESS-CONTROL dhcprelay timeout 60 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 192.168.62.162 source MSP-WAN ntp server 192.168.62.161 source MSP-WAN prefer ssl encryption aes128-sha1 aes256-sha1 3des-sha1 webvpn anyconnect-essentials username csmadmin password 9CmOJ.jq4D54PXDW encrypted privilege 15 username retail password XgJyMnijuEPQSGoY encrypted privilege 15 username jchambers password zkGq5ojduHyZK1bA encrypted privilege 15 username ciscolms password huo2PmvTsMk6Cv1L encrypted privilege 15 username bmcgloth password gITSY3iZ3UnCQoKf encrypted privilege 15 ! class-map inspection_default match default-inspection-traffic class-map global-class-PCI match any ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy description IPS inspection policy for Cisco PCI LAB class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options class global-class-PCI ips inline fail-close class class-default ips promiscuous fail-open ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily password encryption aes Cryptochecksum:0c17bedaf99e8d7c1ce43105b2a7d2c5 : end FW-A2-MSP-1# IPS-A2-MSP-1# show configuration ! ------------------------------ ! Current configuration last modified Fri Dec 21 12:24:05 2012 ! ------------------------------ ! Version 7.1(6) ! Host: ! Realm Keys key1.0 ! Signature Definition: ! Signature Update S648.0 2012-05-30 ! ------------------------------ service interface exit ! ------------------------------ service authentication attemptLimit 6 password-strength size 7-64 digits-min 1 lowercase-min 1 other-min 1 number-old-passwords 4 exit cli-inactivity-timeout 15 exit ! ------------------------------ service event-action-rules rules0 exit ! ------------------------------ service host network-settings host-ip 10.10.191.21/24,10.10.191.1 host-name IPS-A2-MSP-1 telnet-option disabled access-list 192.168.41.101/32 access-list 192.168.41.102/32 access-list 192.168.42.122/32 access-list 192.168.42.124/32 access-list 192.168.42.133/32 access-list 192.168.42.134/32 access-list 192.168.42.138/32 access-list 192.168.42.139/32 login-banner-text WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! dns-primary-server enabled address 192.168.42.130 exit dns-secondary-server disabled dns-tertiary-server disabled exit time-zone-settings offset -480 standard-time-zone-name PST exit ntp-option enabled-ntp-unauthenticated ntp-server 192.168.62.161 exit summertime-option recurring summertime-zone-name PDT start-summertime month march week-of-month second day-of-week sunday time-of-day 02:00:00 exit end-summertime month november week-of-month first day-of-week sunday time-of-day 02:00:00 exit exit exit ! ------------------------------ service logger exit ! ------------------------------ service network-access exit ! ------------------------------ service notification trap-destinations 192.168.42.124 trap-community-name RSAenvision exit enable-notifications true trap-community-name RSAenvision system-location Building SJC-17-1 Row 1 Rack 1 system-contact EmployeeA exit ! ------------------------------ service signature-definition sig0 exit ! ------------------------------ service ssh-known-hosts exit ! ------------------------------ service trusted-certificates exit ! ------------------------------ service web-server enable-tls true port 443 server-id IPS-A2-MSP-1 exit ! ------------------------------ service anomaly-detection ad0 exit ! ------------------------------ service external-product-interface exit ! ------------------------------ service health-monitor exit ! ------------------------------ service global-correlation exit ! ------------------------------ service aaa aaa radius primary-server server-address 192.168.42.131 shared-secret retailpci exit nas-id IPS-A2-MSP-1 local-fallback enabled console-authentication radius-and-local default-user-role administrator exit exit ! ------------------------------ service analysis-engine virtual-sensor vs0 physical-interface PortChannel0/0 exit exit IPS-A2-MSP-1# S-A2-MSP-1 Building configuration... Current configuration : 10554 bytes ! ! Last configuration change at 02:08:19 PSTDST Sat Apr 30 2011 by retail ! NVRAM config last updated at 02:08:21 PSTDST Sat Apr 30 2011 by retail ! version 12.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime show-timezone service timestamps log datetime localtime show-timezone service password-encryption service sequence-numbers ! hostname S-A2-MSP-1 ! logging buffered 50000 debugging enable secret 5 <removed> ! username retail privilege 15 secret 5 <removed> username bart privilege 15 secret 5 <removed> username emc-ncm privilege 15 secret 5 <removed> username bmcgloth privilege 15 secret 5 <removed> username csmadmin privilege 15 secret 5 <removed> aaa new-model aaa authentication login RETAIL group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa accounting update newinfo aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! aaa session-id common clock timezone PST -8 clock summer-time PSTDST recurring system mtu routing 1500 ip subnet-zero no ip source-route ip domain-name cisco-irn.com ip name-server 192.168.42.130 ! ip ssh time-out 30 ip ssh authentication-retries 2 ip ssh version 2 ip scp server enable login block-for 1800 attempts 6 within 1800 login quiet-mode access-class 23 login on-failure log login on-success log ! password encryption aes ! crypto pki trustpoint TP-self-signed-4189032704 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4189032704 revocation-check none rsakeypair TP-self-signed-4189032704 ! ! crypto pki certificate chain TP-self-signed-4189032704 certificate self-signed 01 <removed> quit ! ! archive log config logging enable hidekeys no file verify auto spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface FastEthernet0 no ip address shutdown ! interface GigabitEthernet0/1 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/2 description AIR-CAP3502I switchport trunk encapsulation dot1q switchport trunk native vlan 18 switchport trunk allowed vlan 14-18 switchport mode trunk ! interface GigabitEthernet0/3 ! interface GigabitEthernet0/4 switchport access vlan 17 shutdown ! interface GigabitEthernet0/5 switchport access vlan 17 shutdown ! interface GigabitEthernet0/6 switchport access vlan 17 shutdown ! interface GigabitEthernet0/7 switchport access vlan 17 shutdown ! interface GigabitEthernet0/8 switchport access vlan 17 shutdown ! interface GigabitEthernet0/9 switchport access vlan 17 shutdown ! interface GigabitEthernet0/10 switchport access vlan 17 shutdown ! interface GigabitEthernet0/11 switchport access vlan 17 shutdown ! interface GigabitEthernet0/12 switchport access vlan 17 shutdown ! interface GigabitEthernet0/13 switchport access vlan 17 shutdown ! interface GigabitEthernet0/14 switchport access vlan 17 shutdown ! interface GigabitEthernet0/15 switchport access vlan 17 shutdown ! interface GigabitEthernet0/16 switchport access vlan 17 shutdown ! interface GigabitEthernet0/17 switchport access vlan 17 shutdown ! interface GigabitEthernet0/18 switchport access vlan 17 shutdown ! interface GigabitEthernet0/19 switchport access vlan 17 shutdown ! interface GigabitEthernet0/20 switchport access vlan 17 shutdown ! interface GigabitEthernet0/21 switchport access vlan 17 shutdown ! interface GigabitEthernet0/22 switchport access vlan 17 shutdown ! interface GigabitEthernet0/23 switchport access vlan 17 shutdown ! interface GigabitEthernet0/24 switchport access vlan 17 shutdown ! interface GigabitEthernet0/25 switchport access vlan 17 shutdown ! interface GigabitEthernet0/26 switchport access vlan 17 shutdown ! interface GigabitEthernet0/27 switchport access vlan 17 shutdown ! interface GigabitEthernet0/28 switchport access vlan 17 shutdown ! interface TenGigabitEthernet0/1 shutdown ! interface TenGigabitEthernet0/2 shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan1000 description Management VLAN for Switch ip address 10.10.191.11 255.255.255.0 ! ip default-gateway 10.10.191.1 ip classless no ip forward-protocol nd no ip http server ip http access-class 23 ip http authentication aaa login-authentication RETAIL ip http secure-server ip http secure-ciphersuite 3des-ede-cbc-sha ip http timeout-policy idle 60 life 86400 requests 10000 ip tacacs source-interface Vlan1000 ! ! logging trap debugging logging source-interface Vlan1000 logging 192.168.42.124 access-list 23 permit 192.168.41.101 log access-list 23 permit 192.168.41.102 log access-list 23 permit 192.168.42.111 log access-list 23 permit 192.168.42.122 log access-list 23 permit 192.168.42.124 log access-list 23 permit 127.0.0.1 log access-list 23 permit 192.168.42.131 log access-list 23 permit 192.168.42.133 log access-list 23 permit 192.168.42.138 log access-list 23 permit 10.19.151.99 log access-list 23 deny any log access-list 88 permit 192.168.42.124 log access-list 88 deny any log snmp-server engineID remote 192.168.42.124 0000000000 snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88 snmp-server user remoteuser remoteuser v3 snmp-server group remoteuser v3 noauth notify tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server trap-source Vlan1000 snmp-server packetsize 8192 snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps entity snmp-server enable traps cpu threshold snmp-server enable traps power-ethernet group 1 snmp-server enable traps vtp snmp-server enable traps vlancreate snmp-server enable traps vlandelete snmp-server enable traps flash insertion removal snmp-server enable traps port-security snmp-server enable traps envmon fan shutdown supply temperature status snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps hsrp snmp-server enable traps rtr snmp-server enable traps bridge newroot topologychange snmp-server enable traps syslog snmp-server enable traps vlan-membership snmp-server host 192.168.42.124 remoteuser tacacs-server host 192.168.42.131 tacacs-server directed-request tacacs-server key 7 <removed> radius-server source-ports 1645-1646 ! control-plane ! banner exec ^C WARNING: * THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner incoming ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail AUTHORIZED USERS ONLY! ** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. ^C banner login ^C WARNING: THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY! ^C ! line con 0 session-timeout 15 output exec-timeout 15 0 login authentication RETAIL line vty 0 4 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none line vty 5 15 session-timeout 15 output access-class 23 in exec-timeout 15 0 logging synchronous login authentication RETAIL transport preferred none transport input ssh transport output none ! ntp clock-period 36026372 ntp source Vlan1000 ntp server 192.168.62.162 ntp server 192.168.62.161 prefer end
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks

Table Of Contents

Detailed Full Running Configurations

Data Center

WAN

ASA-WAN-1

ASA-WAN-1_IDS

RWAN-1

RWAN-2

SWAN-1

SWAN-3

Core

RCORE-1

RCORE-2

Aggregation

ASA-DC-1

RAGG-1-RUNNING

RAGG-1-VDC1-RUNNING

RAGG-1-VDC2-RUNNING

RAGG-2-RUNNING

RAGG-2-VDC1-RUNNING

RAGG-2-VDC2-RUNNING

N1KV-1-RUNNING

VSG-TENANT-1-RUNNING

RSERV-1

RSERV-2

Access

SACCESS-1

SACCESS-2

SACCESS-3

SACCESS-4

SACCESS-5

Storage

MDS-DC-1-RUNNING

MDS-DC-2-RUNNING

Internet Edge

WAN

RIE-1

RIE-2

Converged Core/Aggregation

ASA-IE-1

DMZ-IDS-1

DMZ-ASASM

DMZ-ACE-1

DMZ-ACE-1_PCI

RIE-3

Branch

Large Branch

R-A2-LRG-1

R-A2-LRG-2

S-A2-LRG-1

S-A2-LRG-2

S-A2-LRG-3

S-A2-LRG-4

S-A2-LRG-5

Medium Branch

R-A2-MED-1

R-A2-MED-2

S-A2-MED-1

S-A2-MED-3

Small Branch

R-A2-SMALL

S-A2-SMALL

Mini Branch

R-A2-MINI-1

S-A2-MINI-1

S-A2-MINI-2

Convenience

R-A2-CONV-1

S-A2-CONV-1

Managed Service Provider

FW-A2-MSP-1

S-A2-MSP-1