####################### INSTRUCTIONS #######################
#Remove these instructions before uploading the file to the#
#device. Every line that starts with a "#" is commented and#
#the device will not accept it. This means the line must be#
#reviewed and edited according to configuration needs.     #
#Edit this configuration and remove the "#" comment sign   #
#before saving the new configuration file.                 #
############################################################
!
service timestamps debug datetime msec
service timestamps log datetime msec show-timezone
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname ISR-IPE
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
no logging console
no logging monitor
# enable secret YOUR-PASSWORD-HERE
!
no aaa new-model
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 source-interface GigabitEthernet0/0/0
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
no ip source-route
!
ip nbar http-services
!
ip name-server 1.1.1.1 8.8.8.8
no ip domain lookup
ip domain name lighting.com
ip dhcp excluded-address 10.0.100.0
ip dhcp excluded-address 10.0.100.255
# NOTE: the gateway 10.0.100.254 is not excluded above; add
# "ip dhcp excluded-address 10.0.100.254" if the pool must never hand it out.
!
ip dhcp pool LightingDHCP
 network 10.0.100.0 255.255.255.0
 default-router 10.0.100.254
 #dns-server
!
login on-success log
ipv6 unicast-routing
!
subscriber templating
!
vtp mode off
!
multilink bundle-name authenticated
!
object-group network Allow-Cisco-Call-Home_dst_net
 host 72.163.4.38
 host 173.37.145.8
!
object-group network Allow-Interact-Internet_src_net
 10.0.100.0 255.255.255.0
!
object-group network Allow-from-tools-cisco_src_net
 host 173.37.145.8
 host 72.163.4.38
!
object-group service Allow-from-tools-cisco_svc
 tcp eq www
 tcp eq 443
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
et-analytics
!
# username admin privilege 15 secret YOUR-PASSWORD-HERE
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
vlan 100
 name lighting
!
vlan 999
 name not_in_use
no cdp run
!
class-map type inspect match-any Allow-Cisco-Call-Home_app
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol dns
class-map match-all ICMP
 match access-group name ICMP
class-map type inspect match-any Allow-DHCP-WAN_app
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any Allow-from-tools-cisco_app
 match protocol tcp
 match protocol udp
class-map type inspect match-any Allow-DHCP-WAN-Out_app
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any Allow-telnet_app
 match protocol telnet
 match protocol https
 match protocol http
class-map match-all SSH
 match access-group name SSH
class-map type inspect match-any Allow-Interact-Internet_app
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ntp
 match access-group name Allow-MQTT
class-map type inspect match-all Allow-DHCP-WAN
 description Allow-DHCP-WAN
 match class-map Allow-DHCP-WAN_app
 match access-group name Allow-DHCP-WAN_acl
class-map type inspect match-all Allow-Cisco-Call-Home
 description Allow-Cisco-Call-Home
 match access-group name Allow-Cisco-Call-Home_acl
 match class-map Allow-Cisco-Call-Home_app
class-map type inspect match-all Allow-Interact-Internet
 description Allow-Interact-Internet
 match class-map Allow-Interact-Internet_app
 match access-group name Allow-Interact-Internet_acl
class-map type inspect match-all Allow-telnet
 description Allow-telnet-test
 match class-map Allow-telnet_app
 match access-group name Allow-telnet_acl
class-map type inspect match-all Allow-from-tools-cisco
 description Allow-from-tools-cisco
 match class-map Allow-from-tools-cisco_app
 match access-group name Allow-from-tools-cisco_acl
class-map type inspect match-all Allow-DHCP-WAN-Out
 description Allow-DHCP-WAN-Out
 match class-map Allow-DHCP-WAN-Out_app
 match access-group name Allow-DHCP-WAN-Out_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect Allow-DHCP-WAN
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Allow-Interact-Internet
  inspect
 class class-default
  drop log
policy-map COPP
 class ICMP
  police 8000 conform-action transmit exceed-action drop
 class SSH
  police 8000 conform-action transmit exceed-action drop
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect Allow-DHCP-WAN-Out
  pass
 class type inspect Allow-telnet
  inspect
 class type inspect Allow-Cisco-Call-Home
  inspect
 class class-default
  drop log
!
zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
!
##### ACCESS INTERFACE TEMPLATE #####
# description ACCESS PORTS
# switchport access vlan 100
# switchport mode access
# spanning-tree portfast
# spanning-tree bpdufilter enable
# spanning-tree bpduguard enable
# NOTE: interface-level "bpdufilter enable" makes the port ignore received BPDUs,
# so "bpduguard enable" on the same port never triggers; keep only bpduguard if
# the port should be err-disabled when a switch is plugged in.
!
##### TRUNK INTERFACE TEMPLATE #####
# description TRUNK PORT
# switchport mode trunk
# switchport trunk allowed vlan 100
# switchport nonegotiate
# no cdp enable
!
##### NOT-IN-USE INTERFACE TEMPLATE #####
# description NOT-IN-USE
# switchport mode access
# switchport access vlan 999
# switchport nonegotiate
# no cdp enable
# spanning-tree bpduguard enable
# shutdown
!
interface GigabitEthernet0/0/0
 description GE_WAN_OUTSIDE
 # ip address /
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 zone-member security OUTSIDE
 media-type rj45
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description NOT-IN-USE
 no ip address
 ip nbar protocol-discovery
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface GigabitEthernet0/1/1
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface GigabitEthernet0/1/2
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface GigabitEthernet0/1/3
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface GigabitEthernet0/1/4
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface GigabitEthernet0/1/5
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface GigabitEthernet0/1/6
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface GigabitEthernet0/1/7
 #
 # PASTE ACCESS/TRUNK INTERFACE TEMPLATE
 #
!
interface Vlan1
 no ip address
 zone-member security INSIDE
!
interface Vlan100
 ip address 10.0.100.254 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 zone-member security INSIDE
 ipv6 address FD2E:0:100::/64 eui-64
 ipv6 address autoconfig
 ipv6 enable
 ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http max-connections 2
ip http timeout-policy idle 600 life 2400 requests 2
ip http client source-interface GigabitEthernet0/0/0
ip nat inside source list nat-list interface GigabitEthernet0/0/0 overload
ip ssh version 2
!
#ip route 0.0.0.0 0.0.0.0 # ONLY WITH FIXED IP
!
ip access-list standard nat-list
 permit 10.0.100.0 0.0.0.255
!
ip access-list extended Allow-Cisco-Call-Home_acl
 10 permit ip any object-group Allow-Cisco-Call-Home_dst_net
ip access-list extended Allow-DHCP-WAN-Out_acl
 10 permit ip any any
ip access-list extended Allow-DHCP-WAN_acl
 10 permit ip any any
ip access-list extended Allow-Interact-Internet_acl
 10 permit ip object-group Allow-Interact-Internet_src_net any
ip access-list extended Allow-MQTT
 permit tcp any any eq 8883
ip access-list extended Allow-from-tools-cisco_acl
 10 permit ip object-group Allow-from-tools-cisco_src_net any
 20 permit object-group Allow-from-tools-cisco_svc object-group Allow-from-tools-cisco_src_net any
ip access-list extended Allow-telnet_acl
 10 permit ip any any
ip access-list extended ICMP
 10 permit icmp any any
ip access-list extended SSH
 10 permit tcp any any eq 22
!
ip access-list extended 197
!
route-map track-primary-if permit 1
 match ip address 197
 set interface GigabitEthernet0/0/0
!
control-plane
 service-policy input COPP
!
banner motd ^
WARNING: Signify Authorized personnel only. UNAUTHORIZED ACCESS IS PROHIBITED!
^
!
line con 0
 logging synchronous
 login local
 transport input none
 stopbits 1
line vty 0 4
 login local
 length 0
 transport input none
line vty 5 868
 login local
 transport input none
line vty 869 962
 login
# NOTE: "transport input none" on every vty line disables SSH and Telnet to the
# router; with this template, management is through the console or HTTPS only.
!
ntp server ip time.google.com prefer source GigabitEthernet0/0/0
# NOTE: "no ip domain lookup" above disables DNS resolution on the router, so
# this NTP hostname will not resolve; use an IP address or enable domain lookup.
!
end
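The template's instructions ask the operator to review every `#` line before upload, and the zone-based firewall only works if every zone-pair, policy-map, class-map and ACL in the chain actually exists. The checker below is an added example, not part of the Signify/ISR template above: it parses a constructed excerpt of the configuration (with two definitions deliberately left out so there is something to report), lists lines that still carry the `#` marker or a placeholder such as `YOUR-PASSWORD-HERE`, and walks the zone-pair -> policy-map -> class-map -> ACL chain to find dangling references. It also follows the plain `class NAME` entries of non-inspect policy-maps such as COPP, so it generalises slightly beyond the inspect policies. All function names are the example's own.

```python
"""Pre-upload consistency check for an IOS-XE zone-based firewall template.

Added example, not part of the template it accompanies. Reports (1) lines
still carrying the '#' marker or an unresolved placeholder, which the device
would reject, and (2) dangling references in the ZBF chain:
zone-pair -> policy-map -> class-map -> ACL / nested class-map.
"""
import re

CLASS_MAP_RE = re.compile(r"^class-map(?: type inspect)?(?: match-(?:any|all))? (\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map(?: type inspect)? (\S+)$")
ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source \S+ destination \S+$")
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
PLACEHOLDERS = ("YOUR-PASSWORD-HERE", "PASTE ", "ip address /")

# Constructed excerpt of the template, trimmed to the ZBF chain. Two objects are
# deliberately referenced but never defined (Allow-DHCP-WAN_acl and
# SELF-OUTSIDE-POLICY) so the checker has something to report.
SAMPLE_CONFIG = """\
# enable secret YOUR-PASSWORD-HERE
ip access-list extended Allow-Interact-Internet_acl
 10 permit ip any any
ip access-list extended Allow-MQTT
 permit tcp any any eq 8883
class-map type inspect match-any Allow-Interact-Internet_app
 match protocol https
 match access-group name Allow-MQTT
class-map type inspect match-all Allow-Interact-Internet
 match class-map Allow-Interact-Internet_app
 match access-group name Allow-Interact-Internet_acl
class-map type inspect match-all Allow-DHCP-WAN
 match access-group name Allow-DHCP-WAN_acl
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Allow-Interact-Internet
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect Allow-DHCP-WAN
  pass
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
"""


def pending_edits(text):
    """(line number, text) of lines the template still expects you to edit:
    '#'-commented lines, which the device rejects, and unresolved placeholders."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or any(p in line for p in PLACEHOLDERS):
            hits.append((n, line))
    return hits


def parse_zbf(text):
    """Collect ACL names and, per class-map, policy-map and zone-pair, what it references."""
    cfg = {"acls": set(), "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    block = None  # (table, name) of the top-level stanza the indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith(" "):  # unindented line: a new top-level stanza
            block = None
            if m := ACL_RE.match(line):
                cfg["acls"].add(m.group(1))
            elif m := CLASS_MAP_RE.match(line):
                block = ("class_maps", m.group(1))
                cfg["class_maps"][m.group(1)] = []
            elif m := POLICY_MAP_RE.match(line):
                block = ("policy_maps", m.group(1))
                cfg["policy_maps"][m.group(1)] = []
            elif m := ZONE_PAIR_RE.match(line):
                block = ("zone_pairs", m.group(1))
                cfg["zone_pairs"][m.group(1)] = None
            continue
        if block is None:
            continue
        table, name = block
        parts = line.split()
        if table == "class_maps" and line.startswith("match access-group name "):
            cfg["class_maps"][name].append(("acl", parts[-1]))
        elif table == "class_maps" and line.startswith("match class-map "):
            cfg["class_maps"][name].append(("class-map", parts[-1]))
        elif table == "policy_maps" and parts[0] == "class" and parts[-1] != "class-default":
            cfg["policy_maps"][name].append(parts[-1])  # "class type inspect X" or "class X"
        elif table == "zone_pairs" and line.startswith("service-policy type inspect "):
            cfg["zone_pairs"][name] = parts[-1]
    return cfg


def dangling_references(text):
    """Every reference in the ZBF chain that points at something the config never defines."""
    cfg = parse_zbf(text)
    problems = []
    for zp, pm in cfg["zone_pairs"].items():
        if pm is None:
            problems.append(f"zone-pair {zp}: no service-policy attached")
        elif pm not in cfg["policy_maps"]:
            problems.append(f"zone-pair {zp} -> policy-map {pm} (undefined)")
    for pm, classes in cfg["policy_maps"].items():
        for c in classes:
            if c not in cfg["class_maps"]:
                problems.append(f"policy-map {pm} -> class-map {c} (undefined)")
    for cm, refs in cfg["class_maps"].items():
        for kind, target in refs:
            defined = cfg["acls"] if kind == "acl" else cfg["class_maps"]
            if target not in defined:
                problems.append(f"class-map {cm} -> {kind} {target} (undefined)")
    return sorted(problems)


if __name__ == "__main__":
    for n, line in pending_edits(SAMPLE_CONFIG):
        print(f"line {n}: still needs editing: {line}")
    for problem in dangling_references(SAMPLE_CONFIG):
        print("dangling:", problem)
```

Run it against the full template (read the file into `text` instead of `SAMPLE_CONFIG`) before upload: an empty result from `dangling_references` means every zone-pair resolves to a real policy, and an empty result from `pending_edits` means no `#` line or placeholder is left for the device to reject. A `class-default` with `drop log` still needs to be read by eye; the checker only verifies that names resolve, not that the policy is the one you intended.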