# STORM

config traffic control_trap both

config traffic control 1-23 broadcast enable action shutdown threshold 128000 time_interval 5 countdown 5

config traffic control 1-23 multicast enable action shutdown threshold 128000

config traffic control 1 unicast enable threshold 128000

config traffic control 2-3 unicast disable threshold 128000

config traffic control 24 broadcast disable action shutdown threshold 128000 time_interval 5 countdown 0

config traffic control 24 multicast disable action shutdown threshold 128000

config traffic control 4-5 broadcast disable multicast disable unicast disable  action drop threshold 128000


# LOOP_DETECT


enable loopdetect

config loopdetect recover_timer 60

config loopdetect interval 10

config loopdetect mode port-based

config loopdetect ports 1-23 state enabled

config loopdetect ports 24-26 state disabled


# GM


config sim candidate

enable sim

config sim dp_interval 30

config sim hold_time 100


# SYSLOG


enable syslog

config system_severity trap information

config system_severity log information


# QOS


config scheduling 0 max_packet 12 max_latency 15

config scheduling 1 max_packet 9 max_latency 12

config scheduling 2 max_packet 6 max_latency 9

config scheduling 3 max_packet 3 max_latency 6

config 802.1p user_priority 0  1

config 802.1p user_priority 1  0

config 802.1p user_priority 2  0

config 802.1p user_priority 3  1

config 802.1p user_priority 4  2

config 802.1p user_priority 5  2

config 802.1p user_priority 6  3

config 802.1p user_priority 7  3

config 802.1p default_priority 1-18,20-23 5

config 802.1p default_priority 19 3

config 802.1p default_priority 24 0

config 802.1p default_priority 25-26 4

config bandwidth_control 1-18,20-26 rx_rate no_limit tx_rate no_limit

config bandwidth_control 19 rx_rate 1 tx_rate 1


# MIRROR


disable mirror


# TRAF-SEGMENTATION


config traffic_segmentation 1-26 forward_list 1-26


# PORT


config ports 1 speed auto flow_control enable mdix auto learning enable state enable description "dom14_kvartira5_31m" trap enable

config ports 2 speed auto flow_control enable mdix auto learning enable state enable description "dom14_kvartira21" trap enable

config ports 3 speed auto flow_control enable mdix auto learning enable state enable description "dom14_kvartira 2" trap enable

config ports 4 speed auto flow_control enable mdix auto learning enable state enable description "dom14_kvartira 32" trap enable

config ports 5 speed auto flow_control enable mdix auto learning enable state enable description "test" trap enable

config ports 6-18 speed auto flow_control enable mdix auto learning enable state disable trap enable

config ports 19 speed auto flow_control enable mdix auto learning enable state enable description "Administraciya, gheltoe volokno" trap enable

config ports 20,22 speed auto flow_control enable mdix auto learning enable state enable trap enable

config ports 21 speed 100_full flow_control enable mdix auto learning enable state enable description "Link to dom 10, dom 9" trap enable

config ports 23 speed 100_full flow_control enable mdix auto learning enable state enable description "Link to dom 6, dom 5,  11,  12" trap enable

config ports 24 speed 100_full flow_control enable mdix auto learning enable state enable description "Uplink" trap enable

config ports 25 medium_type copper speed auto flow_control enable mdix auto learning enable state enable trap enable

config ports 25 medium_type fiber speed auto flow_control enable learning enable state enable trap enable

config ports 26 medium_type copper speed auto flow_control enable mdix auto learning enable state enable description "Link dom 12, krasn vol siniy SFP" trap enable

config ports 26 medium_type fiber speed auto flow_control enable learning enable state enable description  trap enable


# PORT_LOCK


disable port_security trap_log

config port_security ports 1-26 admin_state disable max_learning_addr 1 lock_address_mode DeleteOnReset


# 8021X


disable 802.1x

config 802.1x auth_protocol radius_eap

config 802.1x capability ports 1-26 none

config 802.1x auth_parameter ports 1-26 direction both port_control auto quiet_period 60 tx_period 30 supp_timeout 30 server_timeout 30 max_req 2 reauth_period 3600 enable_reauth disable


# SNMPv3


delete snmp community public

delete snmp community private

delete snmp user initial

delete snmp group initial

delete snmp view restricted all

delete snmp view CommunityView all

# MANAGEMENT


enable snmp traps

enable snmp authenticate traps

disable rmon


# VLAN


disable asymmetric_vlan

config vlan default delete 1-26

config vlan default add tagged 24-26

config vlan default add untagged 1-18,20-23

config vlan default advertisement enable

create vlan Users tag 2

config vlan Users add tagged 24-26

config vlan Users advertisement disable

create vlan Yur_lica tag 10

config vlan Yur_lica add tagged 24

config vlan Yur_lica add untagged 19

config vlan Yur_lica advertisement disable

disable gvrp

config gvrp 1-18,20-26 state disable ingress_checking enable acceptable_frame admit_all pvid 1

config gvrp 19 state disable ingress_checking enable acceptable_frame admit_all pvid 10


# FDB


config fdb aging_time 300

config multicast port_filtering_mode 1-26 forward_unregistered_groups


# MAC_ADDRESS_TABLE_NOTIFICATION


config mac_notification interval 1 historysize 1

enable mac_notification

config mac_notification ports 1-23 enable

config mac_notification ports 24-26 disable

# STP

# SSH


config ssh server maxsession 8

config ssh server contimeout 300

config ssh server authfail 2

config ssh server rekey never

config ssh server port 22

disable ssh


# SSL


disable ssl

enable ssl ciphersuite RSA_with_RC4_128_MD5

enable ssl ciphersuite RSA_with_3DES_EDE_CBC_SHA

enable ssl ciphersuite DHE_DSS_with_3DES_EDE_CBC_SHA

enable ssl ciphersuite RSA_EXPORT_with_RC4_40_MD5

config ssl cachetimeout timeout 600


# SAFE_GUARD


config safeguard_engine state enable cpu_utilization rising_threshold 100 falling_threshold 20 trap_log disable


# TIMERANGE



# ACL


disable cpu_interface_filtering


# SNTP


enable sntp

config time_zone operator + hour 3 min 0

config sntp primary IP_SNTP_servera secondary 0.0.0.0 poll-interval 720

config dst repeating s_week last s_day sun s_mth 3 s_time 3:0 e_week last e_day sun e_mth 10 e_time 2:0 offset 60


# IPBIND

config address_binding ip_mac ports 19 state enable

create address_binding permit_ip_pool start_ip 172.16.1.2 end_ip 172.16.1.254 ports 19

config address_binding ip_mac ports 19 allow_zeroip enable

enable address_binding acl_mode

enable address_binding trap_log

enable address_binding dhcp_snoop

config address_binding dhcp_snoop max_entry ports 1-18,20-26 limit 5

config address_binding dhcp_snoop max_entry ports 19 limit no_limit



# FILTER



# ARP_Spoofing_Prevention

config arp_spoofing_prevention add gateway_ip 172.16.1.1 gateway_mac 00-0F-8F-8E-F8-E0 ports 19



# ROUTE


create iproute default IP_GATEWAY 1


# SNOOP


disable igmp_snooping

config igmp_snooping default host_timeout 260 router_timeout 260 leave_timer 2 state disable

config igmp_snooping querier default query_interval 125 max_response_time 10 robustness_variable 2

config igmp_snooping querier default last_member_query_interval 1 state disable

config igmp_snooping Users host_timeout 260 router_timeout 260 leave_timer 2 state disable

config igmp_snooping querier Users query_interval 125 max_response_time 10 robustness_variable 2

config igmp_snooping querier Users last_member_query_interval 1 state disable

config igmp_snooping Yur_lica host_timeout 260 router_timeout 260 leave_timer 2 state disable

config igmp_snooping querier Yur_lica query_interval 125 max_response_time 10 robustness_variable 2

config igmp_snooping querier Yur_lica last_member_query_interval 1 state disable

config limited_multicast_addr ports 1-26 access deny state disable


# LACP


config link_aggregation algorithm mac_source

config lacp_port 1-26 mode passive


# GVLAN



# IP


config ipif System vlan default ipaddress IP_switcha/24 state enable

disable autoconfig


# ARP


config arp_aging time 20

config gratuitous_arp send ipif_status_up enable

config gratuitous_arp send dup_ip_detected enable

config gratuitous_arp learning enable

enable gratuitous_arp ipif System trap


# LLDP


disable lldp

config lldp message_tx_interval 30

config lldp tx_delay 2

config lldp message_tx_hold_multiplier 4

config lldp reinit_delay 2

config lldp notification_interval 5

config lldp ports 1-26 notification disable

config lldp ports 1-26 admin_status tx_and_rx


# ACCESS_AUTHENTICATION_CONTROL


config authen_login default method local

config authen_enable default method local_enable

config authen application console login default

config authen application console enable default

config authen application telnet login default

config authen application telnet enable default

config authen application ssh login default

config authen application ssh enable default

config authen application http login default

config authen application http enable default

config authen parameter response_timeout 0

config authen parameter attempt 3

config authen enable_admin all state enable

disable authen_policy


# DHCP_RELAY


enable dhcp_relay

config dhcp_relay hops 4 time 0

config dhcp_relay option_82 state disable

config dhcp_relay option_82 check disable

config dhcp_relay option_82 policy replace

config dhcp_relay option_82 remote_id default

config dhcp_relay option_60 state disable

config dhcp_relay option_60 default mode drop

config dhcp_relay option_61 state disable

config dhcp_relay option_61 default drop

config dhcp_relay add ipif System IP_DHCP_SERVERA


# DHCP_LOCAL_RELAY


enable dhcp_local_relay

config dhcp_local_relay vlan vlanid 10 state enable

config dhcp_local_relay vlan vlanid 10 state enable

config dhcp_relay add ipif System IP_DHCP_SERVERA

disable address_binding acl_mode

config address_binding dhcp_snoop max_entry ports 19 limit 1

# IPBIND

config address_binding ip_mac ports 19 state enable
- включение IMP на 19 порту коммутатора

create address_binding permit_ip_pool start_ip 172.16.1.2 end_ip 172.16.1.254 ports 19
- Пул IP адресов которые может выдать DHCP сервер

config address_binding ip_mac ports 19 allow_zeroip enable
- разрешаем DHCP запросы с клиентского IP 0.0.0.0

disable address_binding acl_mode
- выключаем что ????

enable address_binding trap_log
- посылать SNMP трапы при срабатывании IMP

enable address_binding dhcp_snoop
- включаем связку IMP + DHCP Snooping

config address_binding dhcp_snoop max_entry ports 1-18,20-26 limit 5
 - выставляем максимальное количество клиентских MAC на портах 1-18, 20-26, но т.к. IMP не включено на этих портах, то не обращаем внимание

config address_binding dhcp_snoop max_entry ports 19 limit 1
- выставляем максимальное количество клиентских MAC на порту 19

# DHCP_RELAY


enable dhcp_relay
- включаем пересылку DHCP запросов

config dhcp_relay hops 4 time 0
- не понял что это ???

config dhcp_relay add ipif System X.X.X.X
- включаем пересылку в управляющем VLAN с IP адреса нашего коммутатора на X.X.X.X адрес DHCP сервера, соответственно интерфейс DHCP сервера должен быть в управляющем VLAN и должен пинговаться с коммутатора и коммутатор должен пинговаться с сервера

# DHCP_LOCAL_RELAY


enable dhcp_local_relay
- я так понял эта строчка нужна для перенаправления DHCP запросов внутри коммутатора