- ASA-DC-1
- ASA-IE-1
- ASA-WAN-1
- ASA-WAN-1_IDS
- ASA-WAN-2_IDS
- DMZ-ACE-1
- DMZ-ACE-1_PCI
- DMZ-ACE-2_Admin
- DMZ-ACE-2_PCI
- DMZ-IDS-1
- DMZ-IDSM2
- FW-A2-MSP-1
- FWSM-DMZ-1
- MDS-DC-1-running
- MDS-DC-2-running
- N1kv-1-running
- r-a2-conv-1
- r-a2-lrg-1
- r-a2-lrg-2
- r-a2-med-1
- r-a2-med-2
- r-a2-mini-1
- R-a2-Small
- RAGG-1-running
- RAGG-1-vdc1-running
- RAGG-1-vdc2-running
- RAGG-2-running
- RAGG-2-vdc1-running
- RAGG-2-vdc2-running
- rcore-1
- rcore-2
- rie-1
- rie-2
- RIE-3
- RIE-4
- rserv-1
- rserv-2
- rwan-1
- rwan-2
- S-A2-Conv-1
- S-A2-Lrg-1
- S-A2-Lrg-2
- S-A2-Lrg-3
- S-A2-Lrg-4
- S-A2-Lrg-5
- S-a2-med-1
- S-A2-Med-3
- S-A2-Mini-1
- S-A2-Mini-2
- S-A2-MSP-1
- S-A2-Small
- saccess-1
- saccess-2
- SACCESS-3
- SACCESS-4
- saccess-5
- swan-1
- swan-3
- VSG-Tenant-1-running
Detailed Full Running Configurations
This appendix includes the following device configurations:
•Branch Configurations
–Large Store Router #1, page E-2
–Large Store Router #2, page E-15
–Medium Store Router #1, page E-28
–Medium Store Router #2, page E-41
–Small Store Router #1, page E-52
–Data Center WAN Router #1, page E-65
–Data Center WAN Router #2, page E-70
–Large Store Switch #1, page E-76
–Large Store Switch #2, page E-83
–Large Store Switch #3, page E-90
–Large Store Switch #4, page E-96
–Medium Store Branch Switch #1, page E-103
–Medium Store Switch #2, page E-109
–Large Store Wireless Controller, page E-115
–Medium Store Wireless Controller, page E-132
–Small Store Wireless controller in the Data Center, page E-147
–Large Store Access Point, page E-162
–Medium Store Access Point, page E-163
–Small Store Access Point, page E-164
•Internet Edge Configurations
–Cisco Firewall Service Module, page E-165
–Cisco Catalyst 3750, page E-171
–Cisco Catalyst 6500, page E-176
–Cisco 7200 Edge Router, page E-186
–Cisco Application Control Engine, page E-192
•Data Center Configurations, page E-195
–Cisco Catalyst 3750, page E-195
–Cisco Catalyst 6500, page E-198
–Cisco 7206 VXR Router, page E-200
–Cisco Adaptive Security Appliance, page E-205
ASA-DC-1
: Saved
:
ASA Version 8.4(1) <context>
!
firewall transparent
hostname dca-vc1
domain-name cisco-irn.com
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface outside
nameif north
bridge-group 1
security-level 0
!
interface inside
nameif south
bridge-group 1
security-level 100
!
interface BVI1
ip address 192.168.162.21 255.255.255.0 standby 192.168.162.22
!
dns domain-lookup south
dns server-group DefaultDNS
name-server 192.168.42.130
domain-name cisco-irn.com
object-group network AdminStation
network-object 192.168.41.101 255.255.255.255
object-group network AdminStation2
network-object 192.168.41.102 255.255.255.255
object-group network AdminStation4-bart
network-object 10.19.151.99 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411633
description Generated by CS-Manager from src of FirewallRule# 2 (ASA-DC-1-vdc1_v1/mandatory)
group-object AdminStation
group-object AdminStation2
group-object AdminStation4-bart
object-group network DC-ALL
description All of the Data Center
network-object 192.168.0.0 255.255.0.0
object-group network Stores-ALL
description all store networks
network-object 10.10.0.0 255.255.0.0
object-group network CSM_INLINE_dst_rule_77309411633
description Generated by CS-Manager from dst of FirewallRule# 2 (ASA-DC-1-vdc1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
object-group network EMC-NCM
description EMC Network Configuration Manager
network-object 192.168.42.122 255.255.255.255
object-group network CSManager
description Cisco Security Manager
network-object 192.168.42.133 255.255.255.255
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
network-object 192.168.42.124 255.255.255.255
object-group network AdminStation3
network-object 192.168.42.138 255.255.255.255
object-group network Admin-Systems
group-object EMC-NCM
group-object AdminStation
group-object AdminStation2
group-object CSManager
group-object RSA-enVision
group-object AdminStation3
group-object AdminStation4-bart
object-group network DC-DMZ
description (Optimized by CS-Manager)
network-object 192.168.20.0 255.255.252.0
network-object 192.168.24.0 255.255.255.0
object-group network CSM_INLINE_dst_rule_77309411635
description Generated by CS-Manager from dst of FirewallRule# 3 (ASA-DC-1-vdc1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
group-object DC-DMZ
object-group network CSM_INLINE_src_rule_77309414079
description Generated by CS-Manager from src of FirewallRule# 4 (ASA-DC-1-vdc1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
object-group network CSM_INLINE_src_rule_77309414081
description Generated by CS-Manager from src of FirewallRule# 5 (ASA-DC-1-vdc1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
object-group network ActiveDirectory.cisco-irn.com
network-object 192.168.42.130 255.255.255.255
object-group network vSphere-1
description vSphere server for Lab
network-object 192.168.41.102 255.255.255.255
object-group network WCSManager
description Wireless Manager
network-object 192.168.43.135 255.255.255.255
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
network-object 192.168.43.21 255.255.255.255
network-object 192.168.43.22 255.255.255.255
object-group network DC-Wifi-MSE
description Mobility Service Engines
network-object 192.168.43.31 255.255.255.255
network-object 192.168.43.32 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411641
description Generated by CS-Manager from src of FirewallRule# 9 (ASA-DC-1-vdc1_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
object-group network PAME-DC-1
network-object 192.168.44.111 255.255.255.255
object-group network MSP-DC-1
description Data Center VSOM
network-object 192.168.44.121 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411643
description Generated by CS-Manager from src of FirewallRule# 10 (ASA-DC-1-vdc1_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
object-group network DC-WAAS
description WAE Appliances in Data Center
network-object 192.168.48.10 255.255.255.255
network-object 192.168.49.10 255.255.255.255
network-object 192.168.47.11 255.255.255.255
network-object 192.168.47.12 255.255.255.255
object-group network CSM_INLINE_src_rule_77309414071
description Generated by CS-Manager from src of FirewallRule# 15 (ASA-DC-1-vdc1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
object-group network NTP-Servers
description NTP Servers
network-object 192.168.62.161 255.255.255.255
network-object 162.168.62.162 255.255.255.255
object-group network TACACS
description Cisco Secure ACS server for TACACS and Radius
network-object 192.168.42.131 255.255.255.255
object-group network RSA-AM
description RSA Authentication Manager for SecureID
network-object 192.168.42.137 255.255.255.255
object-group network NAC-2
network-object 192.168.42.112 255.255.255.255
object-group network NAC-1
description ISE server for NAC
network-object 192.168.42.111 255.255.255.255
object-group network CSM_INLINE_dst_rule_77309411663
description Generated by CS-Manager from dst of FirewallRule# 25 (ASA-DC-1-vdc1_v1/mandatory)
group-object TACACS
group-object RSA-AM
group-object NAC-2
group-object NAC-1
object-group network CSM_INLINE_dst_rule_77309411665
description Generated by CS-Manager from dst of FirewallRule# 26 (ASA-DC-1-vdc1_v1/mandatory)
group-object NAC-2
group-object NAC-1
object-group network CSM_INLINE_dst_rule_77309411669
description Generated by CS-Manager from dst of FirewallRule# 28 (ASA-DC-1-vdc1_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
object-group network CSM_INLINE_dst_rule_77309411671
description Generated by CS-Manager from dst of FirewallRule# 29 (ASA-DC-1-vdc1_v1/mandatory)
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
object-group network MS-Update
description Windows Update Server
network-object 192.168.42.150 255.255.255.255
object-group network MSExchange
description Mail Server
network-object 192.168.42.140 255.255.255.255
object-group network POS-Store-Conv
network-object 10.10.160.81 255.255.255.255
object-group network POS-Store-MSP
network-object 10.10.176.81 255.255.255.255
object-group network POS-Store-SMALL-1
description Small Store POS devices
network-object 10.10.128.81 255.255.255.255
network-object 10.10.128.82 255.255.255.255
object-group network POS-Store-Medium
network-object 10.10.112.81 255.255.255.255
network-object 10.10.125.40 255.255.255.255
object-group network POS-Store-Mini
network-object 10.10.144.81 255.255.255.255
object-group network POS-Store-3g
network-object 10.10.192.82 255.255.255.255
object-group network POS-Store-Large
network-object 10.10.96.81 255.255.255.255
network-object 10.10.96.82 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411683
description Generated by CS-Manager from src of FirewallRule# 35 (ASA-DC-1-vdc1_v1/mandatory)
group-object POS-Store-Conv
group-object POS-Store-MSP
group-object POS-Store-SMALL-1
group-object POS-Store-Medium
group-object POS-Store-Mini
group-object POS-Store-3g
group-object POS-Store-Large
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
network-object 192.168.52.96 255.255.255.224
object-group network DC-POS
description POS in the Data Center
network-object 192.168.52.0 255.255.255.0
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
network-object 192.168.52.144 255.255.255.240
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
network-object 192.168.52.128 255.255.255.240
object-group network CSM_INLINE_dst_rule_77309411683
description Generated by CS-Manager from dst of FirewallRule# 35 (ASA-DC-1-vdc1_v1/mandatory)
group-object DC-POS-Tomax
group-object DC-POS
group-object DC-POS-SAP
group-object DC-POS-Oracle
object-group network CSM_INLINE_src_rule_77309414158
description Generated by CS-Manager from src of FirewallRule# 36 (ASA-DC-1-vdc1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309414160
description Generated by CS-Manager from src of FirewallRule# 37 (ASA-DC-1-vdc1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309414162
description Generated by CS-Manager from src of FirewallRule# 38 (ASA-DC-1-vdc1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
network-object 192.168.21.0 255.255.255.0
object-group service HTTPS-8443
service-object tcp destination eq 8443
object-group service CSM_INLINE_svc_rule_77309411635
description Generated by CS-Manager from service of FirewallRule# 3 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq ssh
service-object tcp destination eq https
group-object HTTPS-8443
object-group service CSM_INLINE_svc_rule_77309414079
description Generated by CS-Manager from service of FirewallRule# 4 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq smtp
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group service CSM_INLINE_svc_rule_77309414081
description Generated by CS-Manager from service of FirewallRule# 5 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group service RPC
service-object tcp destination eq 135
object-group service LDAP-GC
service-object tcp destination eq 3268
object-group service LDAP-GC-SSL
service-object tcp destination eq 3269
object-group service DNS-Resolving
description Domain Name Server
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service Kerberos-TCP
service-object tcp destination eq 88
object-group service Microsoft-DS-SMB
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
service-object tcp destination eq 445
object-group service LDAP-UDP
service-object udp destination eq 389
object-group service RPC-HighPorts
service-object tcp destination range 1024 65535
object-group service CSM_INLINE_svc_rule_77309411637
description Generated by CS-Manager from service of FirewallRule# 7 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object udp destination eq 88
service-object udp destination eq ntp
service-object udp destination eq netbios-dgm
group-object RPC
group-object LDAP-GC
group-object LDAP-GC-SSL
group-object DNS-Resolving
group-object Kerberos-TCP
group-object Microsoft-DS-SMB
group-object LDAP-UDP
group-object RPC-HighPorts
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
service-object tcp destination eq 5989
service-object tcp destination eq 8000
service-object tcp destination eq 902
service-object tcp destination eq 903
object-group service CSM_INLINE_svc_rule_77309411639
description Generated by CS-Manager from service of FirewallRule# 8 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq ssh
group-object vCenter-to-ESX4
object-group service IP-Protocol-97
description IP protocol 97
service-object 97
object-group service TFTP
description Trivial File Transfer
service-object tcp destination eq 69
service-object udp destination eq tftp
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
service-object udp destination eq 12222
service-object udp destination eq 12223
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
service-object udp destination eq 5246
service-object udp destination eq 5247
object-group service CSM_INLINE_svc_rule_77309411641
description Generated by CS-Manager from service of FirewallRule# 9 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq www
service-object udp destination eq isakmp
service-object tcp destination eq telnet
service-object tcp destination eq ssh
group-object IP-Protocol-97
group-object TFTP
group-object LWAPP
group-object CAPWAP
object-group service TCP1080
service-object tcp destination eq 1080
object-group service TCP8080
service-object tcp destination eq 8080
object-group service RDP
description Windows Remote Desktop
service-object tcp destination eq 3389
object-group service CSM_INLINE_svc_rule_77309411645
description Generated by CS-Manager from service of FirewallRule# 11 (ASA-DC-1-vdc1_v1/mandatory)
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object tcp destination eq ftp
group-object HTTPS-8443
group-object TCP1080
group-object TCP8080
group-object RDP
object-group service CISCO-WAAS
description Ports for Cisco WAAS
service-object tcp destination eq 4050
object-group service Netbios
description Netbios Servers
service-object udp destination eq netbios-dgm
service-object udp destination eq netbios-ns
service-object tcp destination eq netbios-ssn
object-group service CSM_INLINE_svc_rule_77309411647
description Generated by CS-Manager from service of FirewallRule# 12 (ASA-DC-1-vdc1_v1/mandatory)
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
group-object Netbios
object-group service CSM_INLINE_svc_rule_77309411649
description Generated by CS-Manager from service of FirewallRule# 13 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp-udp destination eq sip
service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_77309414071
description Generated by CS-Manager from service of FirewallRule# 15 (ASA-DC-1-vdc1_v1/mandatory)
service-object icmp echo
service-object icmp echo-reply
service-object icmp unreachable
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ftp
service-object tcp destination eq ssh
group-object TCP1080
group-object TCP8080
group-object RDP
object-group service NTP
description NTP Protocols
service-object tcp destination eq 123
service-object udp destination eq ntp
object-group service CSM_INLINE_svc_rule_77309414073
description Generated by CS-Manager from service of FirewallRule# 16 (ASA-DC-1-vdc1_v1/mandatory)
group-object DNS-Resolving
group-object NTP
object-group service CSM_INLINE_svc_rule_77309414077
description Generated by CS-Manager from service of FirewallRule# 18 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
group-object LDAP-GC
group-object LDAP-GC-SSL
group-object LDAP-UDP
object-group service CSM_INLINE_svc_rule_77309411655
description Generated by CS-Manager from service of FirewallRule# 21 (ASA-DC-1-vdc1_v1/mandatory)
service-object udp destination eq snmptrap
service-object udp destination eq snmp
service-object udp destination eq syslog
object-group service CSM_INLINE_svc_rule_77309411657
description Generated by CS-Manager from service of FirewallRule# 22 (ASA-DC-1-vdc1_v1/mandatory)
service-object udp destination eq domain
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
object-group service CSM_INLINE_svc_rule_77309411663
description Generated by CS-Manager from service of FirewallRule# 25 (ASA-DC-1-vdc1_v1/mandatory)
service-object udp destination eq 1812
service-object udp destination eq 1813
object-group service CSM_INLINE_svc_rule_77309411665
description Generated by CS-Manager from service of FirewallRule# 26 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq www
group-object HTTPS-8443
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
service-object udp destination eq 427
service-object tcp destination eq 427
object-group service CSM_INLINE_svc_rule_77309411667
description Generated by CS-Manager from service of FirewallRule# 27 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq ssh
group-object vCenter-to-ESX4
group-object ESX-SLP
object-group service Cisco-Mobility
description Mobility ports for Wireless
service-object udp destination eq 16666
service-object udp destination eq 16667
object-group service CSM_INLINE_svc_rule_77309411671
description Generated by CS-Manager from service of FirewallRule# 29 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq https
service-object udp destination eq isakmp
group-object Cisco-Mobility
group-object IP-Protocol-97
group-object LWAPP
group-object CAPWAP
object-group service CSM_INLINE_svc_rule_77309411673
description Generated by CS-Manager from service of FirewallRule# 30 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp-udp destination eq sip
service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_77309411675
description Generated by CS-Manager from service of FirewallRule# 31 (ASA-DC-1-vdc1_v1/mandatory)
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
group-object Netbios
object-group service CSM_INLINE_svc_rule_77309411677
description Generated by CS-Manager from service of FirewallRule# 32 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object udp destination eq 88
service-object udp destination eq ntp
service-object udp destination eq netbios-dgm
group-object RPC
group-object LDAP-GC
group-object LDAP-GC-SSL
group-object DNS-Resolving
group-object Kerberos-TCP
group-object Microsoft-DS-SMB
group-object LDAP-UDP
group-object RPC-HighPorts
object-group service CSM_INLINE_svc_rule_77309411679
description Generated by CS-Manager from service of FirewallRule# 33 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq www
service-object tcp destination eq https
object-group service CSM_INLINE_svc_rule_77309411681
description Generated by CS-Manager from service of FirewallRule# 34 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
service-object tcp destination eq pop3
service-object tcp destination eq imap4
object-group service CSM_INLINE_svc_rule_77309414166
description Generated by CS-Manager from service of FirewallRule# 40 (ASA-DC-1-vdc1_v1/mandatory)
service-object tcp destination eq smtp
group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_77309414172
description Generated by CS-Manager from service of FirewallRule# 43 (ASA-DC-1-vdc1_v1/mandatory)
service-object udp destination eq 1812
service-object udp destination eq 1813
object-group service CSM_INLINE_svc_rule_77309414176
description Generated by CS-Manager from service of FirewallRule# 45 (ASA-DC-1-vdc1_v1/mandatory)
service-object icmp
service-object tcp destination eq ssh
service-object tcp destination eq telnet
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8880
service-object tcp destination eq 8444
service-object tcp destination eq 5900
service-object tcp destination eq 5800
group-object RDP
group-object TCP1080
group-object TCP8080
group-object TFTP
group-object HTTPS-8443
group-object vCenter-to-ESX4
access-list CSM_FW_ACL_north extended permit ospf 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group EMC-NCM eq ssh
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411655 object-group Stores-ALL object-group RSA-enVision
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411657 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group TACACS eq tacacs
access-list CSM_FW_ACL_north extended permit udp object-group Stores-ALL object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411663 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411663
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411665 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411665
access-list CSM_FW_ACL_north remark VMWare ESX to Data Center
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411667 object-group Stores-ALL object-group vSphere-1
access-list CSM_FW_ACL_north remark Physical security systems
access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411669 eq https
access-list CSM_FW_ACL_north remark Wireless control systems
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411671 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411671
access-list CSM_FW_ACL_north remark Voice calls
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411673 object-group Stores-ALL object-group DC-ALL
access-list CSM_FW_ACL_north remark WAAS systems
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411675 object-group Stores-ALL object-group DC-WAAS
access-list CSM_FW_ACL_north remark Allow Active Directory Domain
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411677 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_north remark Allow Windows Updates
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411679 object-group Stores-ALL object-group MS-Update
access-list CSM_FW_ACL_north remark Allow Mail
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411681 object-group Stores-ALL object-group MSExchange
access-list CSM_FW_ACL_north remark Allow Applications
access-list CSM_FW_ACL_north extended permit tcp object-group CSM_INLINE_src_rule_77309411683 object-group CSM_INLINE_dst_rule_77309411683 eq https
access-list CSM_FW_ACL_north extended permit udp object-group CSM_INLINE_src_rule_77309414158 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_north remark - RIE-2
access-list CSM_FW_ACL_north extended permit udp object-group CSM_INLINE_src_rule_77309414160 object-group RSA-enVision eq syslog
access-list CSM_FW_ACL_north extended permit tcp object-group CSM_INLINE_src_rule_77309414162 object-group TACACS eq tacacs
access-list CSM_FW_ACL_north extended permit udp 192.168.21.0 255.255.255.0 object-group ActiveDirectory.cisco-irn.com eq domain
access-list CSM_FW_ACL_north remark Ironport traffic in from DMZ
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414166 host 192.168.23.68 any
access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group RSA-enVision eq syslog
access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414172 host 192.168.23.68 object-group TACACS
access-list CSM_FW_ACL_north remark Drop all other traffic
access-list CSM_FW_ACL_north extended deny ip any any log
access-list CSM_FW_ACL_south extended permit ospf 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
access-list CSM_FW_ACL_south extended permit ip object-group CSM_INLINE_src_rule_77309411633 object-group CSM_INLINE_dst_rule_77309411633
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411635 object-group Admin-Systems object-group CSM_INLINE_dst_rule_77309411635
access-list CSM_FW_ACL_south remark Allow services for Ironport apps
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414079 object-group CSM_INLINE_src_rule_77309414079 192.168.23.64 255.255.255.224
access-list CSM_FW_ACL_south remark Allow traffic to DMZ
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414081 object-group CSM_INLINE_src_rule_77309414081 host 192.168.20.30
access-list CSM_FW_ACL_south remark Drop unauthorized traffic to DMZ
access-list CSM_FW_ACL_south extended deny ip any 192.168.20.0 255.255.252.0 log
access-list CSM_FW_ACL_south remark Allow Active Directory Domain
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411637 object-group ActiveDirectory.cisco-irn.com object-group Stores-ALL
access-list CSM_FW_ACL_south remark VMWare - ESX systems
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411639 object-group vSphere-1 object-group Stores-ALL
access-list CSM_FW_ACL_south remark Wireless Management to Stores
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411641 object-group CSM_INLINE_src_rule_77309411641 object-group Stores-ALL
access-list CSM_FW_ACL_south remark Physical security systems
access-list CSM_FW_ACL_south extended permit tcp object-group CSM_INLINE_src_rule_77309411643 object-group Stores-ALL eq https
access-list CSM_FW_ACL_south remark Allow Management of store systems
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411645 object-group DC-ALL object-group Stores-ALL
access-list CSM_FW_ACL_south remark WAAS systems
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411647 object-group DC-WAAS object-group Stores-ALL
access-list CSM_FW_ACL_south remark Voice calls
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411649 object-group DC-ALL object-group Stores-ALL
access-list CSM_FW_ACL_south extended deny ip any object-group Stores-ALL
access-list CSM_FW_ACL_south remark Allow outbound services for Internet
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414071 object-group CSM_INLINE_src_rule_77309414071 any
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414073 object-group ActiveDirectory.cisco-irn.com any
access-list CSM_FW_ACL_south extended permit udp object-group NTP-Servers any eq ntp
access-list CSM_FW_ACL_south remark Allow LDAP out LAB test
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414077 object-group PAME-DC-1 any log
access-list CSM_FW_ACL_south remark Drop and Log all other traffic
access-list CSM_FW_ACL_south extended deny ip any any log
pager lines 24
logging host south 192.168.42.124
mtu north 1500
mtu south 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any north
icmp permit any south
asdm history enable
arp timeout 14400
access-group CSM_FW_ACL_north in interface north
access-group CSM_FW_ACL_south in interface south
route north 0.0.0.0 0.0.0.0 192.168.162.1 1
route south 192.168.38.0 255.255.255.0 192.168.162.7 1
route south 192.168.39.0 255.255.255.0 192.168.162.7 1
route south 192.168.40.0 255.255.255.0 192.168.162.7 1
route south 192.168.41.0 255.255.255.0 192.168.162.7 1
route south 192.168.42.0 255.255.255.0 192.168.162.7 1
route south 192.168.43.0 255.255.255.0 192.168.162.7 1
route south 192.168.44.0 255.255.255.0 192.168.162.7 1
route south 192.168.45.0 255.255.255.0 192.168.162.7 1
route south 192.168.46.0 255.255.255.0 192.168.162.7 1
route south 192.168.52.0 255.255.255.0 192.168.162.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (south) host 192.168.42.131
key *****
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 10.19.151.99 255.255.255.255 north
http 192.168.41.101 255.255.255.255 south
http 192.168.41.102 255.255.255.255 south
http 192.168.42.122 255.255.255.255 south
http 192.168.42.124 255.255.255.255 south
http 192.168.42.133 255.255.255.255 south
http 192.168.42.138 255.255.255.255 south
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 north
ssh 192.168.41.101 255.255.255.255 south
ssh 192.168.41.102 255.255.255.255 south
ssh 192.168.42.122 255.255.255.255 south
ssh 192.168.42.124 255.255.255.255 south
ssh 192.168.42.133 255.255.255.255 south
ssh 192.168.42.138 255.255.255.255 south
ssh timeout 15
ssh version 2
no threat-detection statistics tcp-intercept
username csmadmin password <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:70afa3a2a3007db41f3f336aca5cf51d
: end
asdm history enable
ASA-IE-1
: Saved
: Written by retail at 20:28:46.793 PDT Fri Apr 29 2011
!
ASA Version 8.4(1)
!
hostname ASA-IE-1
domain-name cisco-irn.com
enable password <removed> encrypted
passwd <removed> encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.11.60 255.255.255.0 standby 192.168.11.62
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.42.130
domain-name cisco-irn.com
same-security-traffic permit inter-interface
object network AdminStation
host 192.168.41.101
object network AdminStation2
host 192.168.41.102
object network EMC-NCM
host 192.168.42.122
description EMC Network Configuration Manager
object network CSManager
host 192.168.42.133
description Cisco Security Manager
object network RSA-enVision
host 192.168.42.124
description RSA EnVision Syslog collector and SIM
object network AdminStation3
host 192.168.42.138
object network AdminStation4-bart
host 10.19.151.99
object network DC-ALL
subnet 192.168.0.0 255.255.0.0
description All of the Data Center
object network Stores-ALL
subnet 10.10.0.0 255.255.0.0
description all store networks
object network ActiveDirectory.cisco-irn.com
host 192.168.42.130
object network PAME-DC-1
host 192.168.44.111
object network TACACS
host 192.168.42.131
description Cisco Secure ACS server for TACACS and Radius
object service TCP1080
service tcp destination eq 1080
object service TCP8080
service tcp destination eq 8080
object service RDP
service tcp destination eq 3389
description Windows Remote Desktop
object service LDAP-GC
service tcp destination eq 3268
object service LDAP-GC-SSL
service tcp destination eq 3269
object service LDAP-UDP
service udp destination eq 389
object-group network CSM_INLINE_src_rule_77309412132
description Generated by CS-Manager from src of FirewallRule# 3 (ASA-IE-1_v1/mandatory)
network-object object EMC-NCM
network-object object AdminStation
network-object object CSManager
network-object object AdminStation2
network-object object RSA-enVision
network-object object AdminStation3
network-object object AdminStation4-bart
object-group network CSM_INLINE_src_rule_77309412156
description Generated by CS-Manager from src of FirewallRule# 4 (ASA-IE-1_v1/mandatory)
network-object object DC-ALL
network-object object Stores-ALL
object-group network CSM_INLINE_src_rule_77309412168
description Generated by CS-Manager from src of FirewallRule# 5 (ASA-IE-1_v1/mandatory)
network-object object DC-ALL
network-object object Stores-ALL
object-group network CSM_INLINE_src_rule_77309412178
description Generated by CS-Manager from src of FirewallRule# 7 (ASA-IE-1_v1/mandatory)
network-object object DC-ALL
network-object object Stores-ALL
object-group network NTP-Servers
description NTP Servers
network-object 192.168.62.161 255.255.255.255
network-object 162.168.62.162 255.255.255.255
object-group network CSM_INLINE_src_rule_77309412254
description Generated by CS-Manager from src of FirewallRule# 15 (ASA-IE-1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309412258
description Generated by CS-Manager from src of FirewallRule# 16 (ASA-IE-1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309412260
description Generated by CS-Manager from src of FirewallRule# 17 (ASA-IE-1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
network-object 192.168.21.0 255.255.255.0
object-group service CSM_INLINE_svc_rule_77309412132
description Generated by CS-Manager from service of FirewallRule# 3 (ASA-IE-1_v1/mandatory)
service-object tcp destination eq ssh
service-object tcp destination eq https
object-group service CSM_INLINE_svc_rule_77309412156
description Generated by CS-Manager from service of FirewallRule# 4 (ASA-IE-1_v1/mandatory)
service-object tcp destination eq smtp
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group service CSM_INLINE_svc_rule_77309412168
description Generated by CS-Manager from service of FirewallRule# 5 (ASA-IE-1_v1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group service CSM_INLINE_svc_rule_77309412178
description Generated by CS-Manager from service of FirewallRule# 7 (ASA-IE-1_v1/mandatory)
service-object icmp echo
service-object icmp echo-reply
service-object icmp unreachable
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ftp
service-object tcp destination eq ssh
service-object object TCP1080
service-object object TCP8080
service-object object RDP
object-group service DNS-Resolving
description Domain Name Server
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service NTP
description NTP Protocols
service-object tcp destination eq 123
service-object udp destination eq ntp
object-group service CSM_INLINE_svc_rule_77309412202
description Generated by CS-Manager from service of FirewallRule# 8 (ASA-IE-1_v1/mandatory)
group-object DNS-Resolving
group-object NTP
object-group service CSM_INLINE_svc_rule_77309412216
description Generated by CS-Manager from service of FirewallRule# 10 (ASA-IE-1_v1/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object object LDAP-GC
service-object object LDAP-GC-SSL
service-object object LDAP-UDP
object-group service TFTP
description Trivial File Transfer
service-object tcp destination eq 69
service-object udp destination eq tftp
object-group service HTTPS-8443
service-object tcp destination eq 8443
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
service-object tcp destination eq 5989
service-object tcp destination eq 8000
service-object tcp destination eq 902
service-object tcp destination eq 903
object-group service CSM_INLINE_svc_rule_77309412222
description Generated by CS-Manager from service of FirewallRule# 13 (ASA-IE-1_v1/mandatory)
service-object icmp
service-object tcp destination eq ssh
service-object tcp destination eq telnet
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8880
service-object tcp destination eq 8444
service-object tcp destination eq 5900
service-object tcp destination eq 5800
service-object object RDP
service-object object TCP1080
service-object object TCP8080
group-object TFTP
group-object HTTPS-8443
group-object vCenter-to-ESX4
object-group service CSM_INLINE_svc_rule_77309412276
description Generated by CS-Manager from service of FirewallRule# 19 (ASA-IE-1_v1/mandatory)
service-object tcp destination eq smtp
group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_77309412288
description Generated by CS-Manager from service of FirewallRule# 22 (ASA-IE-1_v1/mandatory)
service-object udp destination eq 1812
service-object udp destination eq 1813
access-list all extended permit ip any any
access-list INSIDE extended permit ip object AdminStation any
access-list INSIDE extended permit ip object AdminStation2 any
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412132 object-group CSM_INLINE_src_rule_77309412132 192.168.20.0 255.255.252.0
access-list INSIDE remark Allow services for Ironport apps
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412156 object-group CSM_INLINE_src_rule_77309412156 192.168.23.64 255.255.255.224
access-list INSIDE remark Allow traffic to DMZ
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412168 object-group CSM_INLINE_src_rule_77309412168 host 192.168.20.30
access-list INSIDE remark Drop unauthorized traffic to DMZ
access-list INSIDE extended deny ip any 192.168.20.0 255.255.255.0 log
access-list INSIDE remark Allow outbound services for Internet
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412178 object-group CSM_INLINE_src_rule_77309412178 any
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412202 object ActiveDirectory.cisco-irn.com any
access-list INSIDE extended permit udp object-group NTP-Servers any eq ntp
access-list INSIDE remark Allow LDAP out LAB test
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412216 object PAME-DC-1 any log
access-list INSIDE remark Drop and Log all other traffic
access-list INSIDE extended deny ip any any log
access-list OUTSIDE remark Allow SSL VPN
access-list OUTSIDE extended permit tcp any host 192.168.21.1 eq https log
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_77309412254 object-group NTP-Servers eq ntp
access-list OUTSIDE remark - RIE-2
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_77309412258 object RSA-enVision eq syslog
access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_77309412260 object TACACS eq tacacs
access-list OUTSIDE extended permit udp 192.168.21.0 255.255.255.0 object ActiveDirectory.cisco-irn.com eq domain
access-list OUTSIDE remark Ironport traffic in from DMZ
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_77309412276 host 192.168.23.68 any
access-list OUTSIDE extended permit udp host 192.168.23.68 object RSA-enVision eq syslog
access-list OUTSIDE extended permit udp host 192.168.23.68 object-group NTP-Servers eq ntp
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_77309412288 host 192.168.23.68 object TACACS
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log
access-list all-web webtype permit url any log default
pager lines 24
logging asdm informational
logging host inside 192.168.42.124
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.12.31 255.255.255.0 standby 192.168.12.32
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.21.10 1
route inside 10.10.0.0 255.255.0.0 192.168.11.1 1
route outside 10.10.0.0 255.255.255.0 192.168.21.10 1
route inside 192.168.0.0 255.255.0.0 192.168.11.10 1
route outside 192.168.20.0 255.255.255.0 192.168.21.10 1
route outside 192.168.22.0 255.255.255.0 192.168.21.10 1
route outside 192.168.23.0 255.255.255.0 192.168.21.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl all
webvpn
appl-acl all-web
url-list value page1
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
svc ask enable default webvpn
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.42.137
timeout 5
key *****
radius-common-pw *****
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (inside) host 192.168.42.131
key *****
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 10.19.151.99 255.255.255.255 inside
http 192.168.41.101 255.255.255.255 inside
http 192.168.41.102 255.255.255.255 inside
http 192.168.42.122 255.255.255.255 inside
http 192.168.42.124 255.255.255.255 inside
http 192.168.42.133 255.255.255.255 inside
http 192.168.42.138 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 inside
ssh 192.168.41.101 255.255.255.255 inside
ssh 192.168.41.102 255.255.255.255 inside
ssh 192.168.42.122 255.255.255.255 inside
ssh 192.168.42.124 255.255.255.255 inside
ssh 192.168.42.133 255.255.255.255 inside
ssh 192.168.42.138 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.62.162 source inside
ntp server 192.168.62.161 source inside prefer
webvpn
enable outside
internal-password enable
smart-tunnel list AllExternalApplications All-Applications * platform windows
group-policy DfltGrpPolicy attributes
webvpn
url-list value page1
smart-tunnel enable AllExternalApplications
group-policy Retail-PCI internal
group-policy Retail-PCI attributes
vpn-tunnel-protocol ssl-clientless
username csmadmin password <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group partnerauth
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group partnerauth
tunnel-group Retail-Lab type remote-access
tunnel-group Retail-Lab general-attributes
authentication-server-group partnerauth LOCAL
default-group-policy Retail-PCI
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:7523e3d4b6eac19b34c670de405c3e45
: end
ASA-WAN-1
: Saved
: Written by retail at 18:21:22.920 PDT Fri Apr 29 2011
!
ASA Version 8.4(1)
!
firewall transparent
hostname ASA-WAN-1
domain-name cisco-irn.com
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface GigabitEthernet0/0
nameif outside
bridge-group 1
security-level 0
!
interface GigabitEthernet0/1
nameif inside
bridge-group 1
security-level 100
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
interface BVI1
ip address 192.168.11.20 255.255.255.0 standby 192.168.11.21
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name cisco-irn.com
object network AdminStation
host 192.168.41.101
object network AdminStation2
host 192.168.41.102
object network AdminStation4-bart
host 10.19.151.99
object network EMC-NCM
host 192.168.42.122
description EMC Network Configuration Manager
object network CSManager
host 192.168.42.133
description Cisco Security Manager
object network AdminStation3
host 192.168.42.138
object network ActiveDirectory.cisco-irn.com
host 192.168.42.130
object network Stores-ALL
subnet 10.10.0.0 255.255.0.0
description all store networks
object network vSphere-1
host 192.168.41.102
description vSphere server for Lab
object network WCSManager
host 192.168.43.135
description Wireless Manager
object network PAME-DC-1
host 192.168.44.111
object network MSP-DC-1
host 192.168.44.121
description Data Center VSOM
object network DC-ALL
subnet 192.168.0.0 255.255.0.0
description All of the Data Center
object network RSA-enVision
host 192.168.42.124
description RSA EnVision Syslog collector and SIM
object network TACACS
host 192.168.42.131
description Cisco Secure ACS server for TACACS and Radius
object network RSA-AM
host 192.168.42.137
description RSA Authentication Manager for SecureID
object network NAC-2
host 192.168.42.112
object network NAC-1
host 192.168.42.111
description ISE server for NAC
object network MS-Update
host 192.168.42.150
description Windows Update Server
object network MSExchange
host 192.168.42.140
description Mail Server
object network DC-POS
subnet 192.168.52.0 255.255.255.0
description POS in the Data Center
object service RPC
service tcp destination eq 135
object service LDAP-GC
service tcp destination eq 3268
object service LDAP-GC-SSL
service tcp destination eq 3269
object service Kerberos-TCP
service tcp destination eq 88
object service Microsoft-DS-SMB
service tcp destination eq 445
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
object service LDAP-UDP
service udp destination eq 389
object service RPC-HighPorts
service tcp destination range 1024 65535
object service IP-Protocol-97
service 97
description IP protocol 97
object service TCP1080
service tcp destination eq 1080
object service TCP8080
service tcp destination eq 8080
object service RDP
service tcp destination eq 3389
description Windows Remote Desktop
object-group network CSM_INLINE_src_rule_73014456577
description Generated by CS-Manager from src of FirewallRule# 1 (ASA-WAN_1/mandatory)
network-object object AdminStation
network-object object AdminStation2
network-object object AdminStation4-bart
object-group network STORE-POS
network-object 10.10.0.0 255.255.0.0
object-group network Admin-Systems
network-object object EMC-NCM
network-object object AdminStation
network-object object AdminStation2
network-object object CSManager
network-object object AdminStation3
network-object object AdminStation4-bart
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
network-object 192.168.43.21 255.255.255.255
network-object 192.168.43.22 255.255.255.255
object-group network DC-Wifi-MSE
description Mobility Service Engines
network-object 192.168.43.31 255.255.255.255
network-object 192.168.43.32 255.255.255.255
object-group network CSM_INLINE_src_rule_73014456585
description Generated by CS-Manager from src of FirewallRule# 5 (ASA-WAN_1/mandatory)
network-object object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
object-group network CSM_INLINE_src_rule_73014456587
description Generated by CS-Manager from src of FirewallRule# 6 (ASA-WAN_1/mandatory)
network-object object PAME-DC-1
network-object object MSP-DC-1
object-group network DC-WAAS
description WAE Appliances in Data Center
network-object 192.168.48.10 255.255.255.255
network-object 192.168.49.10 255.255.255.255
network-object 192.168.47.11 255.255.255.255
network-object 192.168.47.12 255.255.255.255
object-group network NTP-Servers
description NTP Servers
network-object 192.168.62.161 255.255.255.255
network-object 162.168.62.162 255.255.255.255
object-group network CSM_INLINE_dst_rule_73014456607
description Generated by CS-Manager from dst of FirewallRule# 16 (ASA-WAN_1/mandatory)
network-object object TACACS
network-object object RSA-AM
network-object object NAC-2
network-object object NAC-1
object-group network CSM_INLINE_dst_rule_73014456609
description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-WAN_1/mandatory)
network-object object NAC-2
network-object object NAC-1
object-group network CSM_INLINE_dst_rule_73014456613
description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-WAN_1/mandatory)
network-object object PAME-DC-1
network-object object MSP-DC-1
object-group network CSM_INLINE_dst_rule_73014456615
description Generated by CS-Manager from dst of FirewallRule# 20 (ASA-WAN_1/mandatory)
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
network-object 192.168.52.96 255.255.255.224
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
network-object 192.168.52.144 255.255.255.240
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
network-object 192.168.52.128 255.255.255.240
object-group network CSM_INLINE_dst_rule_73014456627
description Generated by CS-Manager from dst of FirewallRule# 26 (ASA-WAN_1/mandatory)
group-object DC-POS-Tomax
network-object object DC-POS
group-object DC-POS-SAP
group-object DC-POS-Oracle
object-group service HTTPS-8443
service-object tcp destination eq 8443
object-group service CSM_INLINE_svc_rule_73014456579
description Generated by CS-Manager from service of FirewallRule# 2 (ASA-WAN_1/mandatory)
service-object tcp destination eq ssh
service-object tcp destination eq https
group-object HTTPS-8443
object-group service DNS-Resolving
description Domain Name Server
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service CSM_INLINE_svc_rule_73014456581
description Generated by CS-Manager from service of FirewallRule# 3 (ASA-WAN_1/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object udp destination eq 88
service-object udp destination eq ntp
service-object udp destination eq netbios-dgm
service-object object RPC
service-object object LDAP-GC
service-object object LDAP-GC-SSL
service-object object Kerberos-TCP
service-object object Microsoft-DS-SMB
service-object object LDAP-UDP
service-object object RPC-HighPorts
group-object DNS-Resolving
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
service-object tcp destination eq 5989
service-object tcp destination eq 8000
service-object tcp destination eq 902
service-object tcp destination eq 903
object-group service CSM_INLINE_svc_rule_73014456583
description Generated by CS-Manager from service of FirewallRule# 4 (ASA-WAN_1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq ssh
group-object vCenter-to-ESX4
object-group service TFTP
description Trivial File Transfer
service-object tcp destination eq 69
service-object udp destination eq tftp
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
service-object udp destination eq 12222
service-object udp destination eq 12223
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
service-object udp destination eq 5246
service-object udp destination eq 5247
object-group service CSM_INLINE_svc_rule_73014456585
description Generated by CS-Manager from service of FirewallRule# 5 (ASA-WAN_1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq www
service-object udp destination eq isakmp
service-object tcp destination eq telnet
service-object tcp destination eq ssh
service-object object IP-Protocol-97
group-object TFTP
group-object LWAPP
group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014456589
description Generated by CS-Manager from service of FirewallRule# 7 (ASA-WAN_1/mandatory)
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object tcp destination eq ftp
service-object object TCP1080
service-object object TCP8080
service-object object RDP
group-object HTTPS-8443
object-group service CISCO-WAAS
description Ports for Cisco WAAS
service-object tcp destination eq 4050
object-group service Netbios
description Netbios Servers
service-object udp destination eq netbios-dgm
service-object udp destination eq netbios-ns
service-object tcp destination eq netbios-ssn
object-group service CSM_INLINE_svc_rule_73014456591
description Generated by CS-Manager from service of FirewallRule# 8 (ASA-WAN_1/mandatory)
service-object object Microsoft-DS-SMB
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Netbios
object-group service CSM_INLINE_svc_rule_73014456593
description Generated by CS-Manager from service of FirewallRule# 9 (ASA-WAN_1/mandatory)
service-object tcp-udp destination eq sip
service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_73014456599
description Generated by CS-Manager from service of FirewallRule# 12 (ASA-WAN_1/mandatory)
service-object udp destination eq snmptrap
service-object udp destination eq snmp
service-object udp destination eq syslog
object-group service CSM_INLINE_svc_rule_73014456601
description Generated by CS-Manager from service of FirewallRule# 13 (ASA-WAN_1/mandatory)
service-object udp destination eq domain
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
object-group service CSM_INLINE_svc_rule_73014456607
description Generated by CS-Manager from service of FirewallRule# 16 (ASA-WAN_1/mandatory)
service-object udp destination eq 1812
service-object udp destination eq 1813
object-group service CSM_INLINE_svc_rule_73014456609
description Generated by CS-Manager from service of FirewallRule# 17 (ASA-WAN_1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq www
group-object HTTPS-8443
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
service-object udp destination eq 427
service-object tcp destination eq 427
object-group service CSM_INLINE_svc_rule_73014456611
description Generated by CS-Manager from service of FirewallRule# 18 (ASA-WAN_1/mandatory)
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq ssh
group-object vCenter-to-ESX4
group-object ESX-SLP
object-group service Cisco-Mobility
description Mobility ports for Wireless
service-object udp destination eq 16666
service-object udp destination eq 16667
object-group service CSM_INLINE_svc_rule_73014456615
description Generated by CS-Manager from service of FirewallRule# 20 (ASA-WAN_1/mandatory)
service-object tcp destination eq https
service-object udp destination eq isakmp
service-object object IP-Protocol-97
group-object Cisco-Mobility
group-object LWAPP
group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014456617
description Generated by CS-Manager from service of FirewallRule# 21 (ASA-WAN_1/mandatory)
service-object tcp-udp destination eq sip
service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_73014456619
description Generated by CS-Manager from service of FirewallRule# 22 (ASA-WAN_1/mandatory)
service-object object Microsoft-DS-SMB
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Netbios
object-group service CSM_INLINE_svc_rule_73014456621
description Generated by CS-Manager from service of FirewallRule# 23 (ASA-WAN_1/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object udp destination eq 88
service-object udp destination eq ntp
service-object udp destination eq netbios-dgm
service-object object RPC
service-object object LDAP-GC
service-object object LDAP-GC-SSL
service-object object Kerberos-TCP
service-object object Microsoft-DS-SMB
service-object object LDAP-UDP
service-object object RPC-HighPorts
group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_73014456623
description Generated by CS-Manager from service of FirewallRule# 24 (ASA-WAN_1/mandatory)
service-object tcp destination eq www
service-object tcp destination eq https
object-group service CSM_INLINE_svc_rule_73014456625
description Generated by CS-Manager from service of FirewallRule# 25 (ASA-WAN_1/mandatory)
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
service-object tcp destination eq pop3
service-object tcp destination eq imap4
object-group network DM_INLINE_NETWORK_1
network-object 10.10.0.0 255.255.0.0
network-object object Stores-ALL
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq ssh
service-object udp destination eq tftp
access-list INSIDE extended permit ip object-group CSM_INLINE_src_rule_73014456577 object-group STORE-POS
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456579 object-group Admin-Systems object-group STORE-POS
access-list INSIDE remark Allow Active Directory Domain
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456581 object ActiveDirectory.cisco-irn.com object Stores-ALL
access-list INSIDE remark VMWare - ESX systems
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456583 object vSphere-1 object Stores-ALL
access-list INSIDE remark Wireless Management to Stores
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456585 object-group CSM_INLINE_src_rule_73014456585 object Stores-ALL
access-list INSIDE remark Physical security systems
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014456587 object Stores-ALL eq https
access-list INSIDE remark Allow Management of store systems
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456589 object DC-ALL object Stores-ALL
access-list INSIDE remark WAAS systems
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456591 object-group DC-WAAS object Stores-ALL
access-list INSIDE remark Voice calls
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456593 object DC-ALL object Stores-ALL
access-list INSIDE remark Drop and Log all other traffic
access-list INSIDE extended deny ip any any log
access-list OUTSIDE extended permit tcp object Stores-ALL object EMC-NCM eq ssh
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456599 object Stores-ALL object RSA-enVision
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456601 object Stores-ALL object ActiveDirectory.cisco-irn.com
access-list OUTSIDE extended permit tcp object Stores-ALL object TACACS eq tacacs
access-list OUTSIDE extended permit udp object Stores-ALL object-group NTP-Servers eq ntp
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456607 object Stores-ALL object-group CSM_INLINE_dst_rule_73014456607
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456609 object Stores-ALL object-group CSM_INLINE_dst_rule_73014456609
access-list OUTSIDE remark VMWare ESX to Data Center
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456611 object Stores-ALL object vSphere-1
access-list OUTSIDE remark Physical security systems
access-list OUTSIDE extended permit tcp object Stores-ALL object-group CSM_INLINE_dst_rule_73014456613 eq https
access-list OUTSIDE remark Wireless control systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456615 object Stores-ALL object-group CSM_INLINE_dst_rule_73014456615
access-list OUTSIDE remark Voice calls
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456617 object Stores-ALL object DC-ALL
access-list OUTSIDE remark WAAS systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456619 object Stores-ALL object-group DC-WAAS
access-list OUTSIDE remark Allow Active Directory Domain
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456621 object Stores-ALL object ActiveDirectory.cisco-irn.com
access-list OUTSIDE remark Allow Windows Updates
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456623 object Stores-ALL object MS-Update
access-list OUTSIDE remark Allow Mail
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456625 object Stores-ALL object MSExchange
access-list OUTSIDE remark Allow Applications
access-list OUTSIDE extended permit tcp object Stores-ALL object-group CSM_INLINE_dst_rule_73014456627 eq https
access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 object AdminStation2 log disable
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log
pager lines 24
logging host inside 192.168.42.124
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.12.20 255.255.255.0 standby 192.168.12.21
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.11.60 1
route outside 10.10.0.0 255.255.0.0 192.168.11.1 1
route inside 10.10.0.0 255.255.255.0 192.168.11.60 1
route outside 10.10.1.0 255.255.255.0 192.168.11.2 1
route outside 10.10.2.0 255.255.255.0 192.168.11.3 1
route inside 10.10.3.0 255.255.255.0 192.168.11.60 1
route inside 10.10.4.0 255.255.255.0 192.168.11.60 1
route outside 10.10.254.0 255.255.255.0 192.168.11.3 1
route outside 10.10.255.0 255.255.255.0 192.168.11.2 1
route inside 192.168.0.0 255.255.0.0 192.168.11.10 1
route outside 192.168.1.111 255.255.255.255 192.168.11.2 1
route outside 192.168.1.112 255.255.255.255 192.168.11.3 1
route inside 192.168.20.0 255.255.252.0 192.168.11.60 1
route inside 192.168.24.0 255.255.255.0 192.168.11.60 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (inside) host 192.168.42.131
key *****
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 192.168.41.102 255.255.255.255 inside
http 10.19.151.99 255.255.255.255 inside
http 192.168.41.101 255.255.255.255 inside
http 192.168.42.122 255.255.255.255 inside
http 192.168.42.124 255.255.255.255 inside
http 192.168.42.133 255.255.255.255 inside
http 192.168.42.138 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
telnet timeout 1
ssh scopy enable
ssh 10.19.151.99 255.255.255.255 inside
ssh 192.168.41.101 255.255.255.255 inside
ssh 192.168.41.102 255.255.255.255 inside
ssh 192.168.42.122 255.255.255.255 inside
ssh 192.168.42.124 255.255.255.255 inside
ssh 192.168.42.133 255.255.255.255 inside
ssh 192.168.42.138 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.62.162 source inside
ntp server 192.168.62.161 source inside prefer
username csmadmin password <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
class-map global-class-PCI
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description IPS inspection policy for Cisco PCI LAB
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class-PCI
ips promiscuous fail-open
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:6711019c0f0a6b2f849474306a18ba82
: end
ASA-WAN-1_IDS
! ------------------------------
! Current configuration last modified Thu Apr 28 23:24:09 2011
! ------------------------------
! Version 7.0(4)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S500.0 2010-07-09
! ------------------------------
service interface
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.11.23/24,192.168.11.10
host-name ASA-WAN-1_IPS
telnet-option disabled
access-list 10.19.151.99/32
access-list 192.168.41.101/32
access-list 192.168.41.102/32
access-list 192.168.42.122/32
access-list 192.168.42.124/32
access-list 192.168.42.133/32
access-list 192.168.42.138/32
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit
ASA-WAN-2_IDS
! ------------------------------
! Current configuration last modified Thu Apr 28 23:26:43 2011
! ------------------------------
! Version 7.0(4)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S500.0 2010-07-09
! ------------------------------
service interface
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.11.24/24,192.168.11.10
host-name ASA-WAN-2_IPS
telnet-option disabled
access-list 10.19.151.99/32
access-list 192.168.41.101/32
access-list 192.168.41.102/32
access-list 192.168.42.122/32
access-list 192.168.42.124/32
access-list 192.168.42.133/32
access-list 192.168.42.138/32
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit
DMZ-ACE-1
logging enable
logging timestamp
logging trap 6
logging buffered 6
logging device-id context-name
logging host 192.168.42.124 udp/514
logging rate-limit 1 120 message 302027
login timeout 15
hostname ACE1
boot system image:c6ace-t1k9-mz.3.0.0_A1_4a.bin
resource-class Gold
limit-resource all minimum 0.00 maximum unlimited
limit-resource conc-connections minimum 10.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum unlimited
tacacs-server host 192.168.42.131 key 7 "<removed>"
aaa group server tacacs+ RETAIL
server 192.168.42.131
clock timezone standard PST
clock summer-time standard PDT
aaa authentication login default group RETAIL local
aaa authentication login console group RETAIL local
aaa accounting default group RETAIL local
class-map type management match-any remote-mgmt
9 match protocol ssh source-address 192.168.41.102 255.255.255.255
10 match protocol ssh source-address 192.168.42.131 255.255.255.255
30 match protocol icmp any
31 match protocol ssh source-address 10.19.151.99 255.255.255.255
32 match protocol ssh source-address 192.168.41.101 255.255.255.255
33 match protocol ssh source-address 192.168.42.111 255.255.255.255
34 match protocol ssh source-address 192.168.42.122 255.255.255.255
35 match protocol ssh source-address 192.168.42.124 255.255.255.255
36 match protocol ssh source-address 192.168.42.133 255.255.255.255
37 match protocol ssh source-address 192.168.42.138 255.255.255.255
policy-map type management first-match remote-access
class remote-mgmt
permit
interface vlan 21
ip address 192.168.21.95 255.255.255.0
service-policy input remote-access
no shutdown
ft interface vlan 85
ip address 192.168.20.9 255.255.255.252
peer ip address 192.168.20.10 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 85
ft group 11
peer 1
priority 110
peer priority 105
associate-context Admin
inservice
domain cisco-irn.com
ip route 0.0.0.0 0.0.0.0 192.168.21.1
context PCI
allocate-interface vlan 82-83
allocate-interface vlan 95
ft group 10
peer 1
priority 110
peer priority 105
associate-context PCI
inservice
username admin password 5 <removed> role Admin domain default-domain
username www password 5 <removed> role Admin domain default-domain
username retail password 5 <removed> role Admin domain default-domain
username csmadmin password 5 <removed> role Admin domain default-domain
ssh key rsa 1024 force
DMZ-ACE-1_PCI
ACE1/PCI# sh run
Generating configuration....
logging enable
logging timestamp
logging buffered 7
logging monitor 7
logging device-id context-name
logging host 192.168.42.124 udp/514
logging rate-limit 1 120 message 302027
login timeout 15
tacacs-server host 192.168.42.131 key 7 "<removed>"
aaa group server tacacs+ RETAIL
server 192.168.42.131
aaa authentication login default group RETAIL local
aaa authentication login console group RETAIL local
aaa accounting default group RETAIL local
access-list allow2server line 20 extended permit ip any host 192.168.20.3
access-list allow2server line 21 extended permit tcp host 192.168.20.44 host 192.168.42.130 eq ldap
access-list allow2server line 22 extended deny ip any any
access-list in2out line 10 extended permit ip host 192.168.20.3 any
access-list in2out line 15 extended deny ip any any
access-list out2in line 10 extended permit tcp any host 192.168.20.1 eq www
access-list out2in line 15 extended deny ip any any
probe icmp ICMP
interval 2
faildetect 2
passdetect interval 60
passdetect count 2
rserver host ECOM
ip address 192.168.20.44
inservice
serverfarm host PCI-ECOM
predictor leastconns
probe ICMP
rserver ECOM
inservice
class-map match-any ECOMVIP
11 match virtual-address 192.168.20.1 any
class-map type management match-any remote-mgmt
30 match protocol icmp any
31 match protocol ssh source-address 10.19.151.99 255.255.255.255
32 match protocol ssh source-address 192.168.41.101 255.255.255.255
33 match protocol ssh source-address 192.168.41.102 255.255.255.255
34 match protocol ssh source-address 192.168.42.111 255.255.255.255
35 match protocol ssh source-address 192.168.42.122 255.255.255.255
36 match protocol ssh source-address 192.168.42.124 255.255.255.255
37 match protocol ssh source-address 192.168.42.131 255.255.255.255
38 match protocol ssh source-address 192.168.42.133 255.255.255.255
39 match protocol ssh source-address 192.168.42.138 255.255.255.255
policy-map type management first-match remote-access
class remote-mgmt
permit
policy-map type loadbalance first-match ECOMPOLICY
class class-default
serverfarm PCI-ECOM
policy-map multi-match ECOM_MATCH
class ECOMVIP
loadbalance vip inservice
loadbalance policy ECOMPOLICY
service-policy input remote-access
interface vlan 82
description ACE_outside
ip address 192.168.20.28 255.255.255.248
ip verify reverse-path
alias 192.168.20.30 255.255.255.248
peer ip address 192.168.20.29 255.255.255.248
access-group input out2in
service-policy input ECOM_MATCH
no shutdown
interface vlan 83
description ACE_inside
ip address 192.168.20.4 255.255.255.248
ip verify reverse-path
alias 192.168.20.6 255.255.255.248
peer ip address 192.168.20.5 255.255.255.248
access-group input in2out
no shutdown
domain cisco-irn.com
ip route 0.0.0.0 0.0.0.0 192.168.20.25
username csmadmin password 5 <removed> role Admin domain default-domain
username retail password 5 <removed> role Admin domain default-domain
username bmcgloth password 5 <removed> role Admin domain default-domain
DMZ-ACE-2_Admin
ACE2/Admin# sh run
Generating configuration....
logging enable
logging timestamp
logging trap 6
logging buffered 6
logging device-id context-name
logging host 192.168.42.124 udp/514
logging rate-limit 1 120 message 302027
login timeout 15
hostname ACE2
boot system image:c6ace-t1k9-mz.3.0.0_A1_4a.bin
resource-class Gold
limit-resource all minimum 0.00 maximum unlimited
limit-resource conc-connections minimum 10.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum unlimited
tacacs-server host 192.168.42.131 key 7 "<removed>"
aaa group server tacacs+ RETAIL
server 192.168.42.131
clock timezone standard PST
clock summer-time standard PDT
aaa authentication login default group RETAIL local
aaa authentication login console group RETAIL local
aaa accounting default group RETAIL local
class-map type management match-any remote-mgmt
9 match protocol ssh source-address 192.168.41.102 255.255.255.255
10 match protocol ssh source-address 192.168.42.131 255.255.255.255
30 match protocol icmp any
31 match protocol ssh source-address 10.19.151.99 255.255.255.255
32 match protocol ssh source-address 192.168.41.101 255.255.255.255
33 match protocol ssh source-address 192.168.42.111 255.255.255.255
34 match protocol ssh source-address 192.168.42.122 255.255.255.255
35 match protocol ssh source-address 192.168.42.124 255.255.255.255
36 match protocol ssh source-address 192.168.42.133 255.255.255.255
37 match protocol ssh source-address 192.168.42.138 255.255.255.255
policy-map type management first-match remote-access
class remote-mgmt
permit
interface vlan 21
peer ip address 192.168.21.95 255.255.255.0
service-policy input remote-access
no shutdown
ft interface vlan 85
ip address 192.168.20.10 255.255.255.252
peer ip address 192.168.20.9 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 85
ft group 11
peer 1
priority 105
peer priority 110
associate-context Admin
inservice
domain cisco-irn.com
ip route 0.0.0.0 0.0.0.0 192.168.21.1
context PCI
allocate-interface vlan 82-83
allocate-interface vlan 95
ft group 10
peer 1
priority 105
peer priority 110
associate-context PCI
inservice
username admin password 5 <removed> role Admin domain default-domain
username www password 5 <removed> role Admin domain default-domain
username retail password 5 <removed> role Admin domain default-domain
username csmadmin password 5 <removed> role Admin domain default-domain
ssh key rsa 1024 force
ACE2/Admin#
DMZ-ACE-2_PCI
ACE2/PCI# sh run
Generating configuration....
logging enable
logging timestamp
logging buffered 7
logging monitor 7
logging device-id context-name
logging host 192.168.42.124 udp/514
logging rate-limit 1 120 message 302027
login timeout 15
tacacs-server host 192.168.42.131 key 7 "<removed>"
aaa group server tacacs+ RETAIL
server 192.168.42.131
aaa authentication login default group RETAIL local
aaa authentication login console group RETAIL local
aaa accounting default group RETAIL local
access-list allow2server line 20 extended permit ip any host 192.168.20.3
access-list allow2server line 21 extended permit tcp host 192.168.20.44 host 192.168.42.130 eq ldap
access-list allow2server line 22 extended deny ip any any
access-list in2out line 10 extended permit ip host 192.168.20.3 any
access-list in2out line 15 extended deny ip any any
access-list out2in line 10 extended permit tcp any host 192.168.20.1 eq www
access-list out2in line 15 extended deny ip any any
probe icmp ICMP
interval 2
faildetect 2
passdetect interval 60
passdetect count 2
rserver host ECOM
ip address 192.168.20.44
inservice
serverfarm host PCI-ECOM
predictor leastconns
probe ICMP
rserver ECOM
inservice
class-map match-any ECOMVIP
11 match virtual-address 192.168.20.1 any
class-map type management match-any remote-mgmt
30 match protocol icmp any
31 match protocol ssh source-address 10.19.151.99 255.255.255.255
32 match protocol ssh source-address 192.168.41.101 255.255.255.255
33 match protocol ssh source-address 192.168.41.102 255.255.255.255
34 match protocol ssh source-address 192.168.42.111 255.255.255.255
35 match protocol ssh source-address 192.168.42.122 255.255.255.255
36 match protocol ssh source-address 192.168.42.124 255.255.255.255
37 match protocol ssh source-address 192.168.42.131 255.255.255.255
38 match protocol ssh source-address 192.168.42.133 255.255.255.255
39 match protocol ssh source-address 192.168.42.138 255.255.255.255
policy-map type management first-match remote-access
class remote-mgmt
permit
policy-map type loadbalance first-match ECOMPOLICY
class class-default
serverfarm PCI-ECOM
policy-map multi-match ECOM_MATCH
class ECOMVIP
loadbalance vip inservice
loadbalance policy ECOMPOLICY
service-policy input remote-access
interface vlan 82
description ACE_outside
ip address 192.168.20.29 255.255.255.248
ip verify reverse-path
alias 192.168.20.30 255.255.255.248
peer ip address 192.168.20.28 255.255.255.248
access-group input out2in
service-policy input ECOM_MATCH
no shutdown
interface vlan 83
description ACE_inside
ip address 192.168.20.5 255.255.255.248
ip verify reverse-path
alias 192.168.20.6 255.255.255.248
peer ip address 192.168.20.4 255.255.255.248
access-group input in2out
no shutdown
domain cisco-irn.com
ip route 0.0.0.0 0.0.0.0 192.168.20.25
username csmadmin password 5 <removed> role Admin domain default-domain
username retail password 5 <removed> role Admin domain default-domain
username bmcgloth password 5 <removed> role Admin domain default-domain
ACE2/PCI#
DMZ-IDS-1
! ------------------------------
! Current configuration last modified Thu Apr 28 21:34:42 2011
! ------------------------------
! Version 7.0(4)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S500.0 2010-07-09
! ------------------------------
service interface
physical-interfaces GigabitEthernet0/7
subinterface-type inline-vlan-pair
subinterface 1
description INT1 vlans 83 and 84
vlan1 83
vlan2 84
exit
exit
exit
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.21.93/24,192.168.21.1
host-name DMZ-IDS1
telnet-option disabled
access-list 10.19.151.99/32
access-list 192.168.41.101/32
access-list 192.168.41.102/32
access-list 192.168.42.122/32
access-list 192.168.42.124/32
access-list 192.168.42.133/32
access-list 192.168.42.138/32
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit
DMZ-IDSM2
! ------------------------------
! Current configuration last modified Thu Apr 28 22:06:38 2011
! ------------------------------
! Version 7.0(4)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S500.0 2010-07-09
! ------------------------------
service interface
physical-interfaces GigabitEthernet0/7
subinterface-type inline-vlan-pair
subinterface 1
description INT1 vlans 83 and 84
vlan1 83
vlan2 84
exit
exit
exit
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.21.94/24,192.168.21.1
host-name DMZ-IDS2
telnet-option disabled
access-list 10.19.151.99/32
access-list 192.168.41.101/32
access-list 192.168.41.102/32
access-list 192.168.42.122/32
access-list 192.168.42.124/32
access-list 192.168.42.133/32
access-list 192.168.42.138/32
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit
FW-A2-MSP-1
: Saved
: Written by retail at 18:15:18.945 PDT Fri Apr 29 2011
!
ASA Version 8.4(1)
!
hostname FW-A2-MSP-1
domain-name cisco-irn.com
enable password <removed> encrypted
passwd <removed> encrypted
names
dns-guard
!
interface Ethernet0/0
nameif MSP-WAN
security-level 0
ip address 10.10.255.176 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.11
vlan 11
nameif POS
security-level 95
ip address 10.10.176.1 255.255.255.0
!
interface Ethernet0/1.12
vlan 12
nameif DATA
security-level 85
ip address 10.10.177.1 255.255.255.0
!
interface Ethernet0/1.13
vlan 13
nameif VOICE
security-level 80
ip address 10.10.178.1 255.255.255.0
!
interface Ethernet0/1.14
vlan 14
nameif WIRELESS
security-level 70
ip address 10.10.179.1 255.255.255.0
!
interface Ethernet0/1.15
vlan 15
nameif WIRELESS-POS
security-level 90
ip address 10.10.180.1 255.255.255.0
!
interface Ethernet0/1.16
vlan 16
nameif PARTNER
security-level 65
ip address 10.10.181.1 255.255.255.0
!
interface Ethernet0/1.17
vlan 17
nameif WIRELESS-GUEST
security-level 10
ip address 10.10.182.1 255.255.255.0
!
interface Ethernet0/1.18
vlan 18
nameif WIRELESS-CONTROL
security-level 75
ip address 10.10.183.1 255.255.255.0
!
interface Ethernet0/1.19
vlan 19
nameif WAAS
security-level 100
ip address 10.10.184.1 255.255.255.0
!
interface Ethernet0/1.1000
vlan 1000
nameif MANAGEMENT
security-level 100
ip address 10.10.191.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name cisco-irn.com
same-security-traffic permit inter-interface
object network AdminStation
host 192.168.41.101
object network AdminStation2
host 192.168.41.102
object network AdminStation4-bart
host 10.19.151.99
object network EMC-NCM
host 192.168.42.122
description EMC Network Configuration Manager
object network CSManager
host 192.168.42.133
description Cisco Security Manager
object network AdminStation3
host 192.168.42.138
object network ActiveDirectory.cisco-irn.com
host 192.168.42.130
object network DC-POS
subnet 192.168.52.0 255.255.255.0
description POS in the Data Center
object network WCSManager
host 192.168.43.135
description Wireless Manager
object network PAME-DC-1
host 192.168.44.111
object network MSP-DC-1
host 192.168.44.121
description Data Center VSOM
object network DC-ALL
subnet 192.168.0.0 255.255.0.0
description All of the Data Center
object network RSA-enVision
host 192.168.42.124
description RSA EnVision Syslog collector and SIM
object network TACACS
host 192.168.42.131
description Csico Secure ACS server for TACACS and Radius
object network RSA-AM
host 192.168.42.137
description RSA Authentication Manager for SecureID
object network NAC-2
host 192.168.42.112
object network NAC-1
host 192.168.42.111
description ISE server for NAC
object network MS-Update
host 192.168.42.150
description Windows Update Server
object network MSExchange
host 192.168.42.140
description Mail Server
object service RPC
service tcp destination eq 135
object service LDAP-GC
service tcp destination eq 3268
object service LDAP-GC-SSL
service tcp destination eq 3269
object service Kerberos-TCP
service tcp destination eq 88
object service Microsoft-DS-SMB
service tcp destination eq 445
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
object service LDAP-UDP
service udp destination eq 389
object service RPC-HighPorts
service tcp destination range 1024 65535
object service ORACLE-OAS
service tcp destination eq 12601
description OAS uses one port for HTTP and RMI - 12601.
object service TOMAX-8990
service tcp destination eq 8990
description Tomax Application Port
object service IP-Protocol-97
service 97
description IP protocol 97
object service TCP1080
service tcp destination eq 1080
object service TCP8080
service tcp destination eq 8080
object service RDP
service tcp destination eq 3389
description Windows Remote Desktop
object-group network CSM_INLINE_src_rule_73014461090
description Generated by CS-Manager from src of FirewallRule# 1 (ASA-Store_V2/mandatory)
network-object object AdminStation
network-object object AdminStation2
network-object object AdminStation4-bart
object-group network Admin-Systems
network-object object EMC-NCM
network-object object AdminStation
network-object object AdminStation2
network-object object CSManager
network-object object AdminStation3
network-object object AdminStation4-bart
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
network-object 192.168.52.96 255.255.255.224
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
network-object 192.168.52.144 255.255.255.240
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
network-object 192.168.52.128 255.255.255.240
object-group network CSM_INLINE_src_rule_73014461184
description Generated by CS-Manager from src of FirewallRule# 4 (ASA-Store_V2/mandatory)
group-object DC-POS-Tomax
network-object object DC-POS
group-object DC-POS-SAP
group-object DC-POS-Oracle
object-group network POS-Store-MSP
network-object 10.10.176.81 255.255.255.255
object-group network CSM_INLINE_dst_rule_73014461438
description Generated by CS-Manager from dst of FirewallRule# 5 (ASA-Store_V2/mandatory)
group-object DC-POS-Tomax
network-object object DC-POS
group-object DC-POS-SAP
group-object DC-POS-Oracle
object-group network Store-MSP-POS-net
network-object 10.10.176.0 255.255.255.0
network-object 10.10.180.0 255.255.255.0
object-group network CSM_INLINE_dst_rule_73014461436
description Generated by CS-Manager from dst of FirewallRule# 7 (ASA-Store_V2/mandatory)
group-object DC-POS-Tomax
network-object object DC-POS
group-object DC-POS-SAP
group-object DC-POS-Oracle
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
network-object 192.168.43.21 255.255.255.255
network-object 192.168.43.22 255.255.255.255
object-group network DC-Wifi-MSE
description Mobility Service Engines
network-object 192.168.43.31 255.255.255.255
network-object 192.168.43.32 255.255.255.255
object-group network CSM_INLINE_src_rule_73014461098
description Generated by CS-Manager from src of FirewallRule# 8 (ASA-Store_V2/mandatory)
network-object object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
object-group network CSM_INLINE_src_rule_73014461100
description Generated by CS-Manager from src of FirewallRule# 9 (ASA-Store_V2/mandatory)
network-object object PAME-DC-1
network-object object MSP-DC-1
object-group network DC-WAAS
description WAE Appliances in Data Center
network-object 192.168.48.10 255.255.255.255
network-object 192.168.49.10 255.255.255.255
network-object 192.168.47.11 255.255.255.255
network-object 192.168.47.12 255.255.255.255
object-group network NTP-Servers
description NTP Servers
network-object 192.168.62.161 255.255.255.255
network-object 192.168.62.162 255.255.255.255
object-group network CSM_INLINE_dst_rule_73014461120
description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-Store_V2/mandatory)
network-object object TACACS
network-object object RSA-AM
network-object object NAC-2
network-object object NAC-1
object-group network CSM_INLINE_dst_rule_73014461126
description Generated by CS-Manager from dst of FirewallRule# 18 (ASA-Store_V2/mandatory)
network-object object PAME-DC-1
network-object object MSP-DC-1
object-group network CSM_INLINE_dst_rule_73014461128
description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-Store_V2/mandatory)
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
object-group service HTTPS-8443
service-object tcp destination eq 8443
object-group service CSM_INLINE_svc_rule_73014461092
description Generated by CS-Manager from service of FirewallRule# 2 (ASA-Store_V2/mandatory)
service-object tcp destination eq ssh
service-object tcp destination eq https
group-object HTTPS-8443
object-group service DNS-Resolving
description Domain Name Server
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service CSM_INLINE_svc_rule_73014461094
description Generated by CS-Manager from service of FirewallRule# 3 (ASA-Store_V2/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object udp destination eq 88
service-object udp destination eq ntp
service-object udp destination eq netbios-dgm
service-object object RPC
service-object object LDAP-GC
service-object object LDAP-GC-SSL
service-object object Kerberos-TCP
service-object object Microsoft-DS-SMB
service-object object LDAP-UDP
service-object object RPC-HighPorts
group-object DNS-Resolving
object-group service ORACLE-RMI
description RMI TCP ports 1300-1319.
service-object tcp destination range 1300 1319
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
service-object tcp destination eq 7001
service-object tcp destination eq 7002
service-object tcp destination eq sqlnet
object-group service ORACLE-WAS
description RMI/IIOP over 2809, HTTP over 9443, IBM-MQ over 1414
service-object tcp destination eq 2809
service-object tcp destination eq 9443
service-object tcp destination eq 1414
object-group service CSM_INLINE_svc_rule_73014461184
description Generated by CS-Manager from service of FirewallRule# 4 (ASA-Store_V2/mandatory)
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object object ORACLE-OAS
service-object object TOMAX-8990
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object HTTPS-8443
object-group service TFTP
description Trivial File Transfer
service-object tcp destination eq 69
service-object udp destination eq tftp
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
service-object udp destination eq 12222
service-object udp destination eq 12223
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
service-object udp destination eq 5246
service-object udp destination eq 5247
object-group service CSM_INLINE_svc_rule_73014461098
description Generated by CS-Manager from service of FirewallRule# 8 (ASA-Store_V2/mandatory)
service-object tcp destination eq https
service-object tcp destination eq www
service-object udp destination eq isakmp
service-object tcp destination eq telnet
service-object tcp destination eq ssh
service-object object IP-Protocol-97
group-object TFTP
group-object LWAPP
group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014461102
description Generated by CS-Manager from service of FirewallRule# 10 (ASA-Store_V2/mandatory)
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object tcp destination eq ftp
service-object object TCP1080
service-object object TCP8080
service-object object RDP
group-object HTTPS-8443
object-group service CISCO-WAAS
description Ports for Cisco WAAS
service-object tcp destination eq 4050
object-group service Netbios
description NetBIOS name, datagram and session services
service-object udp destination eq netbios-dgm
service-object udp destination eq netbios-ns
service-object tcp destination eq netbios-ssn
object-group service CSM_INLINE_svc_rule_73014461104
description Generated by CS-Manager from service of FirewallRule# 11 (ASA-Store_V2/mandatory)
service-object object Microsoft-DS-SMB
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Netbios
object-group service CSM_INLINE_svc_rule_73014461106
description Generated by CS-Manager from service of FirewallRule# 12 (ASA-Store_V2/mandatory)
service-object tcp-udp destination eq sip
service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_73014461112
description Generated by CS-Manager from service of FirewallRule# 14 (ASA-Store_V2/mandatory)
service-object udp destination eq snmptrap
service-object udp destination eq snmp
service-object udp destination eq syslog
object-group service CSM_INLINE_svc_rule_73014461120
description Generated by CS-Manager from service of FirewallRule# 17 (ASA-Store_V2/mandatory)
service-object udp destination eq 1812
service-object udp destination eq 1813
service-object tcp destination eq https
service-object tcp destination eq www
group-object HTTPS-8443
object-group service Cisco-Mobility
description Mobility ports for Wireless
service-object udp destination eq 16666
service-object udp destination eq 16667
object-group service CSM_INLINE_svc_rule_73014461128
description Generated by CS-Manager from service of FirewallRule# 19 (ASA-Store_V2/mandatory)
service-object tcp destination eq https
service-object udp destination eq isakmp
service-object object IP-Protocol-97
group-object Cisco-Mobility
group-object LWAPP
group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014461130
description Generated by CS-Manager from service of FirewallRule# 20 (ASA-Store_V2/mandatory)
service-object tcp-udp destination eq sip
service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_73014461132
description Generated by CS-Manager from service of FirewallRule# 21 (ASA-Store_V2/mandatory)
service-object object Microsoft-DS-SMB
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Netbios
object-group service CSM_INLINE_svc_rule_73014461134
description Generated by CS-Manager from service of FirewallRule# 22 (ASA-Store_V2/mandatory)
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object udp destination eq 88
service-object udp destination eq ntp
service-object udp destination eq netbios-dgm
service-object object RPC
service-object object LDAP-GC
service-object object LDAP-GC-SSL
service-object object Kerberos-TCP
service-object object Microsoft-DS-SMB
service-object object LDAP-UDP
service-object object RPC-HighPorts
group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_73014461136
description Generated by CS-Manager from service of FirewallRule# 23 (ASA-Store_V2/mandatory)
service-object tcp destination eq www
service-object tcp destination eq https
object-group service CSM_INLINE_svc_rule_73014461138
description Generated by CS-Manager from service of FirewallRule# 24 (ASA-Store_V2/mandatory)
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
service-object tcp destination eq pop3
service-object tcp destination eq imap4
access-list OUTSIDE remark LAB Testing
access-list OUTSIDE extended permit ip object-group CSM_INLINE_src_rule_73014461090 10.10.176.0 255.255.248.0
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 object-group Admin-Systems 10.10.176.0 255.255.248.0
access-list OUTSIDE remark Allow Active Directory Domain
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461094 object ActiveDirectory.cisco-irn.com 10.10.176.0 255.255.248.0
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461184 object-group CSM_INLINE_src_rule_73014461184 object-group POS-Store-MSP
access-list OUTSIDE extended deny ip any object-group Store-MSP-POS-net
access-list OUTSIDE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list OUTSIDE remark Wireless Management to Stores
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461098 object-group CSM_INLINE_src_rule_73014461098 10.10.183.0 255.255.255.0
access-list OUTSIDE remark Physical security systems
access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014461100 10.10.191.0 255.255.255.0 eq https
access-list OUTSIDE remark Allow Management of store systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461102 object DC-ALL 10.10.176.0 255.255.248.0
access-list OUTSIDE remark WAAS systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461104 object-group DC-WAAS 10.10.184.0 255.255.255.0
access-list OUTSIDE remark Voice calls
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461106 object DC-ALL 10.10.178.0 255.255.255.0
access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list OUTSIDE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log
access-list CSM_FW_ACL_POS remark Allow Applications
access-list CSM_FW_ACL_POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https
access-list CSM_FW_ACL_POS extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_POS remark Allow Active Directory Domain
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_POS remark Allow Windows Updates
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_POS remark Allow Mail
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_POS remark Drop all other traffic
access-list CSM_FW_ACL_POS extended deny ip any any log
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Applications
access-list CSM_FW_ACL_WIRELESS-POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https
access-list CSM_FW_ACL_WIRELESS-POS extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_WIRELESS-POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS-POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Active Directory Domain
access-list CSM_FW_ACL_WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Windows Updates
access-list CSM_FW_ACL_WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Mail
access-list CSM_FW_ACL_WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_WIRELESS-POS remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS-POS extended deny ip any any log
access-list CSM_FW_ACL_DATA extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_DATA extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_DATA extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_DATA remark Allow Active Directory Domain
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_DATA remark Allow Windows Updates
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_DATA remark Allow Mail
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_DATA remark Drop all other traffic
access-list CSM_FW_ACL_DATA extended deny ip any any log
access-list CSM_FW_ACL_MANAGEMENT extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_MANAGEMENT extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_MANAGEMENT extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_MANAGEMENT remark Physical security systems
access-list CSM_FW_ACL_MANAGEMENT extended permit tcp 10.10.191.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461126 eq https
access-list CSM_FW_ACL_MANAGEMENT remark Allow Mail
access-list CSM_FW_ACL_MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_MANAGEMENT remark Drop all other traffic
access-list CSM_FW_ACL_MANAGEMENT extended deny ip any any log
access-list CSM_FW_ACL_PARTNER extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_PARTNER extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_PARTNER extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_PARTNER remark Allow Mail
access-list CSM_FW_ACL_PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_PARTNER remark Drop all other traffic
access-list CSM_FW_ACL_PARTNER extended deny ip any any log
access-list CSM_FW_ACL_VOICE extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_VOICE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_VOICE extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_VOICE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_VOICE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_VOICE remark Voice calls
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461130 10.10.178.0 255.255.255.0 object DC-ALL
access-list CSM_FW_ACL_VOICE remark Allow Mail
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_VOICE remark Drop all other traffic
access-list CSM_FW_ACL_VOICE extended deny ip any any log
access-list CSM_FW_ACL_WAAS extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_WAAS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WAAS extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_WAAS extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_WAAS extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_WAAS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WAAS remark WAAS systems
access-list CSM_FW_ACL_WAAS extended permit object-group CSM_INLINE_svc_rule_73014461132 10.10.184.0 255.255.255.0 object-group DC-WAAS
access-list CSM_FW_ACL_WAAS remark Allow Active Directory Domain
access-list CSM_FW_ACL_WAAS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_WAAS remark Drop all other traffic
access-list CSM_FW_ACL_WAAS extended deny ip any any log
access-list CSM_FW_ACL_WIRELESS extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_WIRELESS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS remark Allow Active Directory Domain
access-list CSM_FW_ACL_WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_WIRELESS remark Allow Windows Updates
access-list CSM_FW_ACL_WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_WIRELESS remark Allow Mail
access-list CSM_FW_ACL_WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_WIRELESS remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS extended deny ip any any log
access-list CSM_FW_ACL_WIRELESS-CONTROL extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_WIRELESS-CONTROL extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_WIRELESS-CONTROL remark Wireless control systems
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461128 10.10.183.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461128
access-list CSM_FW_ACL_WIRELESS-CONTROL remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS-CONTROL extended deny ip any any log
access-list CSM_FW_ACL_WIRELESS-GUEST extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_WIRELESS-GUEST extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS-GUEST extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS-GUEST remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS-GUEST extended deny ip any any log
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging host MSP-WAN 192.168.42.124
mtu MSP-WAN 1500
mtu POS 1500
mtu DATA 1500
mtu VOICE 1500
mtu WIRELESS 1500
mtu WIRELESS-POS 1500
mtu PARTNER 1500
mtu WIRELESS-GUEST 1500
mtu WIRELESS-CONTROL 1500
mtu WAAS 1500
mtu MANAGEMENT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MSP-WAN
icmp permit any POS
icmp permit any DATA
icmp permit any VOICE
icmp permit any WIRELESS
icmp permit any WIRELESS-POS
icmp permit any PARTNER
icmp permit any WIRELESS-GUEST
icmp permit any WIRELESS-CONTROL
icmp permit any WAAS
icmp permit any MANAGEMENT
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE in interface MSP-WAN
access-group CSM_FW_ACL_POS in interface POS
access-group CSM_FW_ACL_DATA in interface DATA
access-group CSM_FW_ACL_VOICE in interface VOICE
access-group CSM_FW_ACL_WIRELESS in interface WIRELESS
access-group CSM_FW_ACL_WIRELESS-POS in interface WIRELESS-POS
access-group CSM_FW_ACL_PARTNER in interface PARTNER
access-group CSM_FW_ACL_WIRELESS-GUEST in interface WIRELESS-GUEST
access-group CSM_FW_ACL_WIRELESS-CONTROL in interface WIRELESS-CONTROL
access-group CSM_FW_ACL_WAAS in interface WAAS
access-group CSM_FW_ACL_MANAGEMENT in interface MANAGEMENT
route MSP-WAN 0.0.0.0 0.0.0.0 10.10.255.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (MANAGEMENT) host 192.168.42.131
key ******
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa authentication ssh console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 10.19.151.99 255.255.255.255 MSP-WAN
http 192.168.41.101 255.255.255.255 MSP-WAN
http 192.168.41.102 255.255.255.255 MSP-WAN
http 192.168.42.122 255.255.255.255 MSP-WAN
http 192.168.42.124 255.255.255.255 MSP-WAN
http 192.168.42.133 255.255.255.255 MSP-WAN
http 192.168.42.138 255.255.255.255 MSP-WAN
no snmp-server location
no snmp-server contact
snmp-server community RetailCMOprivate
no snmp-server enable
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 MSP-WAN
ssh 192.168.41.101 255.255.255.255 MSP-WAN
ssh 192.168.41.102 255.255.255.255 MSP-WAN
ssh 192.168.42.122 255.255.255.255 MSP-WAN
ssh 192.168.42.124 255.255.255.255 MSP-WAN
ssh 192.168.42.133 255.255.255.255 MSP-WAN
ssh 192.168.42.138 255.255.255.255 MSP-WAN
ssh timeout 15
ssh version 2
console timeout 15
dhcprelay server 192.168.42.130 MSP-WAN
dhcprelay enable POS
dhcprelay enable DATA
dhcprelay enable VOICE
dhcprelay enable WIRELESS
dhcprelay enable WIRELESS-POS
dhcprelay enable PARTNER
dhcprelay enable WIRELESS-GUEST
dhcprelay enable WIRELESS-CONTROL
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.62.162 source MSP-WAN
ntp server 192.168.62.161 source MSP-WAN prefer
webvpn
username csmadmin password <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:0b5ca833caa61d445ed02aeee4bbf096
: end
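The policy above is built from nested object-groups and per-interface ACLs that all follow the same shape: the POS address groups are denied before any permit, and each ACL closes with a logged `deny ip any any`. The following is an added example, not part of the running configuration and not a Cisco tool: a small Python audit helper that parses the ASA `object`, `object-group`, `access-list` and `access-group` syntax used on ASA-Store, expands nested groups to any depth, evaluates a flow against an ACL the way the ASA does (first matching entry wins, implicit deny if nothing matches), and checks the two properties the policy depends on: every interface-bound ACL ends with `deny ip any any log`, and no ACL bound to a non-POS interface permits traffic into `Store-MSP-POS-net` or `CSM_INLINE_dst_rule_73014461436`. The embedded SAMPLE is a constructed excerpt in the same syntax: it keeps the DATA ACL as written above but gives PARTNER a single permit that has lost both the preceding POS denies and the cleanup rule, so the audit should report exactly those two defects. The source address 10.10.177.5, the use of tcp/443 as the probe service, and the port-name table are assumptions of the example; every other name is taken from the configuration.

```python
import ipaddress
# ASA prints well-known ports by name; this subset covers the names used in the policy above.
PORTS = {"ssh": 22, "www": 80, "https": 443, "domain": 53, "ntp": 123, "smtp": 25, "pop3": 110, "imap4": 143,
         "tacacs": 49, "ldap": 389, "ldaps": 636, "telnet": 23, "ftp": 21, "sip": 5060, "tftp": 69, "isakmp": 500}
port = lambda tok: PORTS.get(tok) or int(tok)

def parse_ace(t):
    # t = tokens after 'extended': ACTION (proto | object[-group] NAME) SRC DST [eq PORT] [log]
    svc, i = ((t[1], t[2]), 3) if t[1] in ("object", "object-group") else (("proto", t[1]), 2)
    ends = []                                   # src then dst: any | object N | object-group G | A MASK
    for _ in range(2):
        step = 1 if t[i] == "any" else 2
        ends.append(("any",) if step == 1 else (t[i], t[i + 1])); i += step
    if i < len(t) and t[i] == "eq":             # trailing 'eq PORT' narrows a plain tcp/udp ACE
        svc, i = ("proto", svc[1], port(t[i + 1])), i + 2
    return {"action": t[0], "svc": svc, "src": ends[0], "dst": ends[1], "log": "log" in t[i:]}

def parse_config(text):
    cfg, cur = {"network": {}, "service": {}, "acl": {}, "bind": {}}, None
    for line in text.splitlines():
        t = line.split() or ["!"]               # blank lines behave like '!' comment lines
        if t[0] in ("object", "object-group") and t[1] in ("network", "service"):
            cur, cfg[t[1]][t[2]] = (t[1], t[2]), []
        elif cur and t[0] in ("host", "network-object", "group-object", "service-object", "service"):
            cfg[cur[0]][cur[1]].append(t)       # member line of the object/group opened above
        elif t[0] == "access-list" and t[2] == "extended":
            cfg["acl"].setdefault(t[1], []).append(parse_ace(t[3:]))
        elif t[0] == "access-group":            # access-group ACL in interface IFACE
            cfg["bind"][t[1]] = t[4]
    return cfg

def networks(cfg, spec):
    # Expand any | host A | A MASK | object N | object-group G to IPv4 networks, following nested groups.
    if spec[0] not in ("object", "object-group"):
        return [ipaddress.ip_network({"any": "0.0.0.0/0", "host": spec[-1]}.get(spec[0], f"{spec[0]}/{spec[-1]}"))]
    out = []
    for m in cfg["network"][spec[1]]:           # host A | network-object A M | network-object object N | group-object G
        if m[0] == "group-object" or m[1] == "object":
            out += networks(cfg, ("object-group", m[1]) if m[0] == "group-object" else ("object", m[2]))
        else:
            out += networks(cfg, ("host", m[1]) if m[0] == "host" else (m[1], m[2]))
    return out

def services(cfg, spec):
    # Expand a service spec to (proto, lo, hi) triples; lo/hi None means any port.
    if spec[0] == "proto":
        return [(spec[1], spec[2], spec[2]) if len(spec) > 2 else (spec[1], None, None)]
    out = []
    for m in cfg["service"][spec[1]]:           # service[-object] PROTO [destination eq P | destination range A B]
        if m[0] == "group-object" or m[1] == "object":
            out += services(cfg, ("object-group", m[1]) if m[0] == "group-object" else ("object", m[2]))
        else:                                   # no port tokens ('service 97', 'service-object icmp echo') = protocol only
            ports = [port(x) for x in m[3:] if x not in ("eq", "range")] or [None, None]
            out.append((m[1], ports[0], ports[-1]))
    return out

def first_match(cfg, acl, src, dst, proto, dport=None):   # first matching ACE wins; None is the implicit deny
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg["acl"].get(acl, []):
        if any(s in n for n in networks(cfg, ace["src"])) and any(d in n for n in networks(cfg, ace["dst"])):
            for p, lo, hi in services(cfg, ace["svc"]):
                if ((p in ("ip", proto) or p == "tcp-udp" and proto in ("tcp", "udp"))
                        and (lo is None or dport is not None and lo <= dport <= hi)):
                    return ace
    return None

def audit(cfg, protected=("Store-MSP-POS-net", "CSM_INLINE_dst_rule_73014461436"), pos_ifaces=("POS", "WIRELESS-POS")):
    out, src = [], "10.10.177.5"                # src is a constructed store-LAN address, not one from the config
    for acl, iface in cfg["bind"].items():
        last = (cfg["acl"].get(acl) or [None])[-1]
        if not (last and last["action"] == "deny" and last["src"] == last["dst"] == ("any",) and last["log"]):
            out.append(f"{acl} ({iface}): does not end with 'deny ip any any log'")
        for grp in (protected if iface not in pos_ifaces else ()):
            for net in networks(cfg, ("object-group", grp)):
                hit = first_match(cfg, acl, src, str(net.network_address), "tcp", 443)
                if hit and hit["action"] == "permit":
                    out.append(f"{acl} ({iface}): permits {src} -> {net} tcp/443 into {grp}")
    return out

# Constructed excerpt in the syntax above: DATA keeps deny-before-permit; PARTNER has lost its POS denies and cleanup.
SAMPLE = """\
object network MSExchange
host 192.168.42.140
object-group network DC-POS-Tomax
network-object 192.168.52.96 255.255.255.224
object-group network CSM_INLINE_dst_rule_73014461436
group-object DC-POS-Tomax
object-group network Store-MSP-POS-net
network-object 10.10.176.0 255.255.255.0
object-group service CSM_INLINE_svc_rule_73014461138
service-object tcp destination eq smtp
access-list CSM_FW_ACL_DATA extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_DATA extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_DATA extended deny ip any any log
access-list CSM_FW_ACL_PARTNER extended permit tcp 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461436 eq https
access-group CSM_FW_ACL_DATA in interface DATA
access-group CSM_FW_ACL_PARTNER in interface PARTNER
"""
```

Run `audit(parse_config(open("asa-store.cfg").read()))` against a saved `show running-config`, or ask single what-if questions with `first_match`, for example whether the DATA VLAN can reach MSExchange on tcp/25 (it can: the permit for `CSM_INLINE_svc_rule_73014461138` matches) or on tcp/443 (it cannot: the flow falls through to the logged cleanup deny). Two limits worth knowing: an entry that matches nothing returns `None`, which is the ASA's implicit, unlogged deny, so a missing cleanup rule silently loses the log evidence this policy otherwise produces; and the FWSM syntax further down (`object-group service NAME tcp` with `port-object` members, `object-group icmp-type`) is registered as an empty group, so any ACE that references it never matches here and must be read by hand.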
FWSM-DMZ-1
FWSM-RIE-3# sh run
: Saved
:
FWSM Version 4.1(5)
!
hostname FWSM-RIE-3
domain-name cisco-irn.com
enable password <removed> encrypted
names
dns-guard
!
interface Vlan21
nameif inside
security-level 100
ip address 192.168.21.10 255.255.255.0
!
interface Vlan22
nameif outside
security-level 0
ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2
!
interface Vlan82
nameif DMZ
security-level 20
ip address 192.168.20.25 255.255.255.248 standby 192.168.20.26
!
interface Vlan91
description LAN Failover Interface
!
interface Vlan92
description STATE Failover Interface
!
interface Vlan2305
nameif EmailSecurityAppliance
security-level 50
ip address 192.168.23.65 255.255.255.240 standby 192.168.23.66
!
interface Vlan2306
nameif EmailSecurityMgrAppliance
security-level 60
ip address 192.168.23.81 255.255.255.240 standby 192.168.23.82
!
passwd <removed> encrypted
ftp mode passive
dns domain-lookup inside
dns name-server 192.168.42.130
same-security-traffic permit inter-interface
object-group icmp-type CSM_INLINE_svc_rule_81604379602.icmp
description Generated by CS-Manager from service of FirewallRule# 10 (FWSM-DMZ-1_v1/mandatory)
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
object-group network CSM_INLINE_src_rule_81604379520
description Generated by CS-Manager from src of FirewallRule# 1 (FWSM-DMZ-1_v1/mandatory)
network-object 192.168.23.68 255.255.255.255
network-object 192.168.23.84 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379526
description Generated by CS-Manager from src of FirewallRule# 2 (FWSM-DMZ-1_v1/mandatory)
network-object 192.168.23.68 255.255.255.255
network-object 192.168.23.84 255.255.255.255
object-group network RSA-enVision_1
description RSA EnVision Syslog collector and SIM
network-object 192.168.42.124 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379528
description Generated by CS-Manager from src of FirewallRule# 3 (FWSM-DMZ-1_v1/mandatory)
network-object 192.168.23.68 255.255.255.255
network-object 192.168.23.84 255.255.255.255
object-group network NTP-Servers
description NTP Servers
network-object 192.168.62.161 255.255.255.255
network-object 192.168.62.162 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379532
description Generated by CS-Manager from src of FirewallRule# 4 (FWSM-DMZ-1_v1/mandatory)
network-object 192.168.23.68 255.255.255.255
network-object 192.168.23.84 255.255.255.255
object-group network TACACS_1
description Cisco Secure ACS server for TACACS+ and RADIUS
network-object 192.168.42.131 255.255.255.255
object-group network AdminStation
network-object 192.168.41.101 255.255.255.255
object-group network AdminStation2
network-object 192.168.41.102 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379552
description Generated by CS-Manager from src of FirewallRule# 5 (FWSM-DMZ-1_v1/mandatory)
group-object AdminStation
group-object AdminStation2
object-group network EMC-NCM
description EMC Network Configuration Manager
network-object 192.168.42.122 255.255.255.255
object-group network CSManager
description Cisco Security Manager
network-object 192.168.42.133 255.255.255.255
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
network-object 192.168.42.124 255.255.255.255
object-group network AdminStation3
network-object 192.168.42.138 255.255.255.255
object-group network AdminStation4-bart
network-object 10.19.151.99 255.255.255.255
object-group network Admin-Systems
group-object EMC-NCM
group-object AdminStation
group-object AdminStation2
group-object CSManager
group-object RSA-enVision
group-object AdminStation3
group-object AdminStation4-bart
object-group network DC-ALL
description All of the Data Center
network-object 192.168.0.0 255.255.0.0
object-group network Stores-ALL
description all store networks
network-object 10.10.0.0 255.255.0.0
object-group network CSM_INLINE_src_rule_81604379580
description Generated by CS-Manager from src of FirewallRule# 7 (FWSM-DMZ-1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
object-group network CSM_INLINE_src_rule_81604379592
description Generated by CS-Manager from src of FirewallRule# 8 (FWSM-DMZ-1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
object-group network CSM_INLINE_src_rule_81604379602
description Generated by CS-Manager from src of FirewallRule# 10 (FWSM-DMZ-1_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
object-group network ActiveDirectory.cisco-irn.com
network-object 192.168.42.130 255.255.255.255
object-group network PAME-DC-1
network-object 192.168.44.111 255.255.255.255
object-group network TACACS
description Cisco Secure ACS server for TACACS+ and RADIUS
network-object 192.168.42.131 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379688
description Generated by CS-Manager from src of FirewallRule# 21 (FWSM-DMZ-1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379690
description Generated by CS-Manager from src of FirewallRule# 22 (FWSM-DMZ-1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379692
description Generated by CS-Manager from src of FirewallRule# 23 (FWSM-DMZ-1_v1/mandatory)
network-object 192.168.22.11 255.255.255.255
network-object 192.168.22.12 255.255.255.255
object-group service CSM_INLINE_svc_rule_81604379520.tcp tcp
description Generated by CS-Manager from service of FirewallRule# 1 (FWSM-DMZ-1_v1/mandatory)
port-object eq smtp
port-object eq domain
object-group service CSM_INLINE_svc_rule_81604379532 udp
description Generated by CS-Manager from service of FirewallRule# 4 (FWSM-DMZ-1_v1/mandatory)
port-object eq 1812
port-object eq 1813
object-group service CSM_INLINE_svc_rule_81604379556 tcp
description Generated by CS-Manager from service of FirewallRule# 6 (FWSM-DMZ-1_v1/mandatory)
port-object eq ssh
port-object eq https
object-group service CSM_INLINE_svc_rule_81604379580 tcp
description Generated by CS-Manager from service of FirewallRule# 7 (FWSM-DMZ-1_v1/mandatory)
port-object eq smtp
port-object eq https
port-object eq ssh
object-group service CSM_INLINE_svc_rule_81604379592 tcp
description Generated by CS-Manager from service of FirewallRule# 8 (FWSM-DMZ-1_v1/mandatory)
port-object eq https
port-object eq ssh
object-group service CSM_INLINE_svc_rule_81604379602.tcp tcp
description Generated by CS-Manager from service of FirewallRule# 10 (FWSM-DMZ-1_v1/mandatory)
port-object eq www
port-object eq ftp
port-object eq https
port-object eq 8443
port-object eq 1080
port-object eq 8080
port-object eq telnet
port-object eq ssh
object-group service CSM_INLINE_svc_rule_81604379626.tcp tcp
description Generated by CS-Manager from service of FirewallRule# 11 (FWSM-DMZ-1_v1/mandatory)
port-object eq domain
port-object eq 123
object-group service CSM_INLINE_svc_rule_81604379626.udp udp
description Generated by CS-Manager from service of FirewallRule# 11 (FWSM-DMZ-1_v1/mandatory)
port-object eq domain
port-object eq ntp
object-group service CSM_INLINE_svc_rule_81604379640.tcp tcp
description Generated by CS-Manager from service of FirewallRule# 13 (FWSM-DMZ-1_v1/mandatory)
port-object eq ldap
port-object eq 3268
port-object eq 3269
port-object eq ldaps
object-group service CSM_INLINE_svc_rule_81604379680 tcp
description Generated by CS-Manager from service of FirewallRule# 18 (FWSM-DMZ-1_v1/mandatory)
port-object eq https
port-object eq ssh
object-group service vCenter-to-ESX4 tcp
description Communication from vCetner to ESX hosts
port-object eq 5989
port-object eq 8000
port-object eq 902
port-object eq 903
object-group service CSM_INLINE_svc_rule_81604380215.tcp tcp
description Generated by CS-Manager from service of FirewallRule# 25 (FWSM-DMZ-1_v1/mandatory)
port-object eq 8880
port-object eq 8444
port-object eq 5900
port-object eq 5800
port-object eq ssh
port-object eq 3389
port-object eq 1080
port-object eq 8080
port-object eq telnet
port-object eq 69
port-object eq www
port-object eq https
port-object eq 8443
group-object vCenter-to-ESX4
access-list Ironport1-in remark Allow main and DNZ
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379520 any eq domain
access-list Ironport1-in extended permit tcp object-group CSM_INLINE_src_rule_81604379520 any object-group CSM_INLINE_svc_rule_81604379520.tcp
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379526 object-group RSA-enVision_1 eq syslog
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379528 object-group NTP-Servers eq ntp
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379532 object-group TACACS_1 object-group CSM_INLINE_svc_rule_81604379532
access-list From-DMZ extended permit udp 192.168.20.0 255.255.255.0 object-group RSA-enVision eq syslog
access-list From-DMZ extended permit tcp 192.168.20.0 255.255.255.0 object-group TACACS eq tacacs
access-list From-DMZ extended permit udp 192.168.20.0 255.255.255.0 object-group NTP-Servers eq ntp
access-list Ironport2-in remark Allow main and DNZ
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379520 any eq domain
access-list Ironport2-in extended permit tcp object-group CSM_INLINE_src_rule_81604379520 any object-group CSM_INLINE_svc_rule_81604379520.tcp
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379526 object-group RSA-enVision_1 eq syslog
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379528 object-group NTP-Servers eq ntp
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379532 object-group TACACS_1 object-group CSM_INLINE_svc_rule_81604379532
access-list INSIDE extended permit tcp object-group Admin-Systems 192.168.20.0 255.255.252.0 object-group CSM_INLINE_svc_rule_81604379556
access-list INSIDE remark Allow services for Ironport apps
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379580 192.168.23.64 255.255.255.224 object-group CSM_INLINE_svc_rule_81604379580
access-list INSIDE remark Allow traffic to DMZ
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379592 host 192.168.20.30 object-group CSM_INLINE_svc_rule_81604379592
access-list INSIDE remark - Drop unauthorized traffic to DMZ
access-list INSIDE extended deny ip any 192.168.20.0 255.255.252.0 log
access-list INSIDE remark Allow outbound services for Internet
access-list INSIDE extended permit icmp object-group CSM_INLINE_src_rule_81604379602 any object-group CSM_INLINE_svc_rule_81604379602.icmp
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379602 any object-group CSM_INLINE_svc_rule_81604379602.tcp
access-list INSIDE extended permit tcp object-group ActiveDirectory.cisco-irn.com any object-group CSM_INLINE_svc_rule_81604379626.tcp
access-list INSIDE extended permit udp object-group ActiveDirectory.cisco-irn.com any object-group CSM_INLINE_svc_rule_81604379626.udp
access-list INSIDE extended permit udp object-group NTP-Servers any eq ntp
access-list INSIDE remark Allow LDAP out LAB test
access-list INSIDE extended permit udp object-group PAME-DC-1 any eq 389 log
access-list INSIDE extended permit tcp object-group PAME-DC-1 any object-group CSM_INLINE_svc_rule_81604379640.tcp log
access-list INSIDE remark Drop and Log all other traffic - END-OF-LINE
access-list INSIDE extended deny ip any any log
access-list OUTSIDE remark Allow traffic to DMZ e-commerce Server
access-list OUTSIDE extended permit tcp any host 192.168.20.30 object-group CSM_INLINE_svc_rule_81604379680
access-list OUTSIDE remark Mail to Ironport
access-list OUTSIDE extended permit tcp any host 192.168.23.68 eq smtp
access-list OUTSIDE remark Remote Access SSL VPN
access-list OUTSIDE extended permit tcp any host 192.168.21.1 eq https
access-list OUTSIDE remark Allow traffic from edge routers - RIE-1
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_81604379688 object-group RSA-enVision eq syslog
access-list OUTSIDE remark Allow traffic from edge routers - RIE-1
access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379690 object-group TACACS eq tacacs
access-list OUTSIDE remark Allow traffic from edge routers - RIE-1
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_81604379692 object-group NTP-Servers eq ntp
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log
pager lines 24
logging host inside 192.168.42.124
mtu inside 1500
mtu outside 1500
mtu EmailSecurityAppliance 1500
mtu EmailSecurityMgrAppliance 1500
mtu DMZ 1500
failover
failover lan unit primary
failover lan interface failover Vlan91
failover link statelink Vlan92
failover interface ip failover 192.168.20.13 255.255.255.252 standby 192.168.20.14
failover interface ip statelink 192.168.20.33 255.255.255.252 standby 192.168.20.34
icmp permit any inside
icmp permit any outside
icmp permit any EmailSecurityAppliance
icmp permit any EmailSecurityMgrAppliance
asdm history enable
arp timeout 14400
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group Ironport1-in in interface EmailSecurityAppliance
access-group Ironport2-in in interface EmailSecurityMgrAppliance
access-group From-DMZ in interface DMZ
route inside 192.168.0.0 255.255.0.0 192.168.21.1 1
route inside 10.10.0.0 255.255.0.0 192.168.21.1 1
route outside 10.10.0.0 255.255.255.0 192.168.22.10 1
route outside 0.0.0.0 0.0.0.0 192.168.22.10 1
route outside 10.10.3.0 255.255.255.0 192.168.22.11 1
route outside 10.10.4.0 255.255.255.0 192.168.22.12 1
route DMZ 192.168.20.0 255.255.255.248 192.168.20.28 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL host 192.168.42.131
key ******
username csmadmin password <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
http server enable
http 10.19.151.99 255.255.255.255 inside
http 192.168.41.101 255.255.255.255 inside
http 192.168.41.102 255.255.255.255 inside
http 192.168.42.122 255.255.255.255 inside
http 192.168.42.124 255.255.255.255 inside
http 192.168.42.133 255.255.255.255 inside
http 192.168.42.138 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
service reset no-connection
no service reset connection marked-for-deletion
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 inside
ssh 192.168.41.101 255.255.255.255 inside
ssh 192.168.41.102 255.255.255.255 inside
ssh 192.168.42.122 255.255.255.255 inside
ssh 192.168.42.124 255.255.255.255 inside
ssh 192.168.42.133 255.255.255.255 inside
ssh 192.168.42.138 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0ce5577c4093206d7ce2fc0f65139d9d
: end
FWSM-RIE-3#
MDS-DC-1-running
!Command: show running-config
!Time: Sun Apr 24 16:47:39 2011
version 5.0(1a)
system default switchport mode F
feature npiv
feature privilege
feature tacacs+
role name default-role
description This is a system defined role and applies to all users.
rule 5 permit show feature environment
rule 4 permit show feature hardware
rule 3 permit show feature module
rule 2 permit show feature snmp
rule 1 permit show feature system
username admin password 5 <removed> role network-admin
username retail password 5 <removed> role network-admin
username emc-ncm password 5 <removed> role network-admin
username bart password 5 <removed> role network-admin
enable secret 5 <removed>
banner motd #WARNING: **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.#
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip host MDS-DC-1 192.168.41.51
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
aaa group server radius radius
snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server host 192.168.41.101 traps version 2c public udp-port 2162
snmp-server host 192.168.42.121 traps version 3 auth public
no snmp-server enable traps entity entity_mib_change
no snmp-server enable traps entity entity_module_status_change
no snmp-server enable traps entity entity_power_status_change
no snmp-server enable traps entity entity_module_inserted
no snmp-server enable traps entity entity_module_removed
no snmp-server enable traps entity entity_unrecognised_module
no snmp-server enable traps entity entity_fan_status_change
no snmp-server enable traps entity entity_power_out_change
no snmp-server enable traps rf redundancy_framework
ntp server 192.168.62.161
ntp server 192.168.62.162
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 deny ip any any log-deny
vsan database
vsan 2 name "Promise-2"
vsan 10 name "UIM_VSAN_A_10"
fcdomain fcid database
vsan 1 wwn 50:00:40:20:03:fc:44:6a fcid 0x020000 dynamic
vsan 1 wwn 50:00:40:21:03:fc:44:6a fcid 0x020001 dynamic
vsan 1 wwn 21:00:00:e0:8b:19:70:09 fcid 0x020100 area dynamic
vsan 1 wwn 20:89:00:05:30:00:99:de fcid 0x020200 area dynamic
vsan 1 wwn 20:8a:00:05:30:00:99:de fcid 0x020300 area dynamic
vsan 1 wwn 23:00:00:05:30:00:99:e0 fcid 0x020002 dynamic
vsan 1 wwn 23:01:00:05:30:00:99:e0 fcid 0x020003 dynamic
vsan 1 wwn 23:02:00:05:30:00:99:e0 fcid 0x020004 dynamic
vsan 1 wwn 23:03:00:05:30:00:99:e0 fcid 0x020005 dynamic
vsan 1 wwn 23:04:00:05:30:00:99:e0 fcid 0x020006 dynamic
vsan 1 wwn 23:05:00:05:30:00:99:e0 fcid 0x020007 dynamic
vsan 1 wwn 23:06:00:05:30:00:99:e0 fcid 0x020008 dynamic
vsan 1 wwn 23:07:00:05:30:00:99:e0 fcid 0x020009 dynamic
vsan 1 wwn 23:08:00:05:30:00:99:e0 fcid 0x02000a dynamic
vsan 1 wwn 22:02:00:05:30:00:99:e0 fcid 0x02000b dynamic
vsan 1 wwn 22:04:00:05:30:00:99:e0 fcid 0x02000c dynamic
vsan 1 wwn 22:06:00:05:30:00:99:e0 fcid 0x02000d dynamic
vsan 1 wwn 22:08:00:05:30:00:99:e0 fcid 0x02000e dynamic
vsan 1 wwn 22:0a:00:05:30:00:99:e0 fcid 0x02000f dynamic
vsan 1 wwn 22:0c:00:05:30:00:99:e0 fcid 0x020010 dynamic
vsan 1 wwn 10:00:00:00:c9:60:df:80 fcid 0x020011 dynamic
vsan 1 wwn 23:12:00:05:30:00:99:e0 fcid 0x020012 dynamic
vsan 1 wwn 23:13:00:05:30:00:99:e0 fcid 0x020013 dynamic
vsan 1 wwn 23:14:00:05:30:00:99:e0 fcid 0x020014 dynamic
vsan 1 wwn 23:15:00:05:30:00:99:e0 fcid 0x020015 dynamic
vsan 1 wwn 23:17:00:05:30:00:99:e0 fcid 0x020016 dynamic
vsan 1 wwn 23:16:00:05:30:00:99:e0 fcid 0x020017 dynamic
vsan 1 wwn 23:18:00:05:30:00:99:e0 fcid 0x020018 dynamic
vsan 1 wwn 23:19:00:05:30:00:99:e0 fcid 0x020019 dynamic
vsan 1 wwn 11:00:00:00:00:00:00:01 fcid 0x02001a dynamic
vsan 1 wwn 20:00:00:00:00:00:00:01 fcid 0x02001b dynamic
vsan 1 wwn 10:00:00:00:c9:77:94:21 fcid 0x02001c dynamic
vsan 1 wwn 10:00:00:00:c9:77:92:e9 fcid 0x02001d dynamic
vsan 1 wwn 10:00:00:00:c9:77:dd:bc fcid 0x02001e dynamic
vsan 1 wwn 20:41:00:05:9b:73:10:c0 fcid 0x02001f dynamic
vsan 1 wwn 20:41:00:05:9b:73:17:40 fcid 0x020020 dynamic
vsan 1 wwn 10:00:00:00:c9:77:dc:c3 fcid 0x020021 dynamic
vsan 1 wwn 10:00:00:00:c9:75:68:c3 fcid 0x020022 dynamic
vsan 1 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0x020400 area dynamic
vsan 1 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0x020500 area dynamic
vsan 1 wwn 10:00:00:00:c9:77:db:c3 fcid 0x020023 dynamic
vsan 2 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0xef0000 area dynamic
vsan 2 wwn 10:00:00:00:c9:75:68:c3 fcid 0xef0100 dynamic
vsan 2 wwn 10:00:00:00:c9:77:dc:c3 fcid 0xef0101 dynamic
vsan 2 wwn 10:00:00:00:c9:77:dd:bc fcid 0xef0102 dynamic
vsan 2 wwn 10:00:00:00:c9:77:db:c3 fcid 0xef0103 dynamic
vsan 2 wwn 10:00:00:00:c9:77:92:e9 fcid 0xef0104 dynamic
vsan 2 wwn 50:06:01:60:46:e0:33:aa fcid 0xef01ef dynamic
vsan 2 wwn 20:41:00:05:9b:73:10:c0 fcid 0xef0105 dynamic
vsan 1 wwn 50:06:01:68:46:e0:33:aa fcid 0x0200ef dynamic
vsan 1 wwn 50:06:01:60:46:e0:33:aa fcid 0x0206ef dynamic
vsan 2 wwn 20:41:00:05:9b:73:17:40 fcid 0xef0106 dynamic
vsan 2 wwn 10:00:00:00:c9:77:94:21 fcid 0xef0107 dynamic
vsan 2 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0xef0200 area dynamic
vsan 2 wwn 50:06:01:68:46:e0:33:aa fcid 0xef03ef dynamic
vsan 10 wwn 50:06:01:60:46:e0:33:aa fcid 0xd800ef dynamic
vsan 10 wwn 20:41:00:05:9b:73:10:c0 fcid 0xd80000 dynamic
vsan 10 wwn 20:41:00:05:9b:73:17:40 fcid 0xd80001 dynamic
vsan 10 wwn 10:00:00:00:c9:77:94:21 fcid 0xd80002 dynamic
vsan 10 wwn 50:06:01:61:46:e0:33:aa fcid 0xd801ef dynamic
vsan 10 wwn 50:06:01:69:46:e0:33:aa fcid 0xd802ef dynamic
vsan 10 wwn 20:42:00:05:9b:73:10:c0 fcid 0xd80003 dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:0f fcid 0xd80004 dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:18 fcid 0xd80005 dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:12 fcid 0xd80006 dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:15 fcid 0xd80007 dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:19 fcid 0xd80008 dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:10 fcid 0xd80009 dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:1c fcid 0xd8000a dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:25 fcid 0xd8000b dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:22 fcid 0xd8000c dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:1f fcid 0xd8000d dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:2b fcid 0xd8000e dynamic
vsan 10 wwn 20:00:00:25:b5:01:11:28 fcid 0xd8000f dynamic
vsan database
vsan 2 interface fc2/1
vsan 2 interface fc2/2
vsan 2 interface fc2/3
vsan 2 interface fc2/4
vsan 2 interface fc2/5
vsan 2 interface fc2/6
vsan 2 interface fc2/7
vsan 2 interface fc2/8
vsan 2 interface fc2/9
vsan 2 interface fc2/10
vsan 2 interface fc2/11
vsan 2 interface fc2/12
vsan 2 interface fc2/13
vsan 2 interface fc2/14
vsan 2 interface fc2/15
vsan 2 interface fc2/16
vsan 2 interface fc2/17
vsan 2 interface fc2/18
vsan 2 interface fc2/19
vsan 2 interface fc2/20
vsan 2 interface fc2/21
vsan 2 interface fc2/22
vsan 2 interface fc2/23
vsan 10 interface fc2/24
vsan 10 interface fc2/25
vsan 10 interface fc2/26
vsan 2 interface fc2/27
vsan 2 interface fc2/28
vsan 2 interface fc2/29
vsan 2 interface fc2/30
vsan 2 interface fc2/31
vsan 2 interface fc2/32
vsan 2 interface fc2/33
vsan 2 interface fc2/34
vsan 2 interface fc2/35
vsan 2 interface fc2/36
vsan 2 interface fc2/37
vsan 2 interface fc2/38
vsan 2 interface fc2/39
vsan 2 interface fc2/40
vsan 2 interface fc2/41
vsan 2 interface fc2/42
vsan 2 interface fc2/43
vsan 2 interface fc2/44
vsan 2 interface fc2/45
vsan 2 interface fc2/46
vsan 2 interface fc2/47
vsan 10 interface fc2/48
vsan 2 interface fc4/1
vsan 2 interface fc4/2
vsan 2 interface fc4/3
vsan 2 interface fc4/4
vsan 2 interface fc4/5
vsan 2 interface fc4/6
vsan 2 interface fc4/7
vsan 2 interface fc4/8
vsan 2 interface fc4/9
vsan 2 interface fc4/10
vsan 2 interface fc4/11
vsan 2 interface fc4/12
vsan 2 interface fc4/13
vsan 2 interface fc4/14
vsan 2 interface fc4/15
vsan 2 interface fc4/16
vsan 2 interface fc4/17
vsan 2 interface fc4/18
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
ip default-gateway 192.168.41.1
switchname MDS-DC-1
line vty
exec-timeout 15
line console
exec-timeout 15
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-1
boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-1
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-2
boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-2
interface fc2/12
switchport speed 4000
switchport rate-mode shared
interface fc2/11
switchport rate-mode dedicated
interface fc2/36
switchport rate-mode dedicated
interface fc2/1
interface fc2/2
interface fc2/3
interface fc2/4
interface fc2/5
interface fc2/6
interface fc2/7
interface fc2/8
interface fc2/9
interface fc2/10
interface fc2/12
switchport mode FL
interface fc2/13
interface fc2/14
interface fc2/15
interface fc2/16
interface fc2/17
interface fc2/18
interface fc2/19
interface fc2/20
interface fc2/21
interface fc2/22
interface fc2/23
interface fc2/24
interface fc2/25
interface fc2/26
interface fc2/27
interface fc2/28
interface fc2/29
interface fc2/30
interface fc2/31
interface fc2/32
interface fc2/33
interface fc2/34
interface fc2/35
interface fc2/37
interface fc2/38
interface fc2/39
interface fc2/40
interface fc2/41
interface fc2/42
interface fc2/43
interface fc2/44
interface fc2/45
interface fc2/46
interface fc2/47
interface fc2/48
interface fc2/11
switchport mode auto
interface fc2/36
switchport mode auto
interface fc4/1
interface fc4/2
interface fc4/3
interface fc4/4
interface fc4/5
interface fc4/6
interface fc4/7
interface fc4/8
interface fc4/9
interface fc4/10
interface fc4/11
interface fc4/12
interface fc4/13
interface fc4/14
interface fc4/15
interface fc4/16
interface fc4/17
interface fc4/18
logging server 192.168.42.121
logging server 192.168.42.124 6
system default zone default-zone permit
system default zone distribute full
zone default-zone permit vsan 2
zone default-zone permit vsan 10
zoneset distribute full vsan 1-2
zoneset distribute full vsan 10
!Full Zone Database Section for vsan 2
zone name global_zone vsan 2
member pwwn 26:00:00:01:55:35:7e:44
member pwwn 26:02:00:01:55:35:7e:44
member pwwn 10:00:00:00:c9:75:68:c3
member pwwn 10:00:00:00:c9:77:92:e9
member pwwn 10:00:00:00:c9:77:db:c3
member pwwn 10:00:00:00:c9:77:dc:c3
member pwwn 10:00:00:00:c9:77:dd:bc
member pwwn 21:00:00:1b:32:00:33:0c
member pwwn 21:00:00:1b:32:00:3a:0c
member pwwn 21:00:00:1b:32:00:5d:0d
member pwwn 21:00:00:1b:32:00:5e:0d
member pwwn 21:00:00:1b:32:00:70:0d
member pwwn 21:00:00:1b:32:00:ab:0d
member pwwn 21:00:00:1b:32:80:0b:10
member pwwn 21:00:00:1b:32:80:52:10
member pwwn 21:00:00:1b:32:80:da:0f
member pwwn 21:00:00:1b:32:80:f1:0f
zoneset name promise-2_zs vsan 2
member global_zone
zoneset activate name promise-2_zs vsan 2
!Full Zone Database Section for vsan 10
zone name UIM_20000025B5011112_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011110_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011112_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011110_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011112_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011110_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011112_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011110_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011115_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011116_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011115_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011116_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011115_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011116_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011115_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011116_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501111A_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011119_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111A_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011119_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111A_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011119_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111A_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011119_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501111D_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111C_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111D_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111C_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111D_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111C_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111D_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501111C_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501111F_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011120_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111F_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011120_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111F_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011120_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111F_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011120_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011123_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011122_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011123_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011122_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011123_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011122_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011123_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011122_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011125_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011126_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011125_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011126_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011125_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011126_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011125_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011126_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011129_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011128_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011129_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011128_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011129_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011128_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011129_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011128_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501112B_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501112C_5006016946E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501112B_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501112C_5006016846E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501112B_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501112C_5006016046E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501112B_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501112C_5006016146E033AA vsan 10
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:61:46:e0:33:aa
zoneset name UIM_ZONESET_A vsan 10
member UIM_20000025B5011112_5006016046E033AA
member UIM_20000025B5011110_5006016046E033AA
member UIM_20000025B5011112_5006016946E033AA
member UIM_20000025B5011110_5006016946E033AA
member UIM_20000025B5011112_5006016846E033AA
member UIM_20000025B5011110_5006016846E033AA
member UIM_20000025B5011112_5006016146E033AA
member UIM_20000025B5011110_5006016146E033AA
member UIM_20000025B5011115_5006016846E033AA
member UIM_20000025B5011116_5006016846E033AA
member UIM_20000025B5011115_5006016146E033AA
member UIM_20000025B5011116_5006016146E033AA
member UIM_20000025B5011115_5006016946E033AA
member UIM_20000025B5011116_5006016946E033AA
member UIM_20000025B5011115_5006016046E033AA
member UIM_20000025B5011116_5006016046E033AA
member UIM_20000025B501111A_5006016946E033AA
member UIM_20000025B5011119_5006016946E033AA
member UIM_20000025B501111A_5006016146E033AA
member UIM_20000025B5011119_5006016146E033AA
member UIM_20000025B501111A_5006016846E033AA
member UIM_20000025B5011119_5006016846E033AA
member UIM_20000025B501111A_5006016046E033AA
member UIM_20000025B5011119_5006016046E033AA
member UIM_20000025B501111D_5006016146E033AA
member UIM_20000025B501111C_5006016146E033AA
member UIM_20000025B501111D_5006016846E033AA
member UIM_20000025B501111C_5006016846E033AA
member UIM_20000025B501111D_5006016946E033AA
member UIM_20000025B501111C_5006016946E033AA
member UIM_20000025B501111D_5006016046E033AA
member UIM_20000025B501111C_5006016046E033AA
member UIM_20000025B501111F_5006016146E033AA
member UIM_20000025B5011120_5006016146E033AA
member UIM_20000025B501111F_5006016946E033AA
member UIM_20000025B5011120_5006016946E033AA
member UIM_20000025B501111F_5006016846E033AA
member UIM_20000025B5011120_5006016846E033AA
member UIM_20000025B501111F_5006016046E033AA
member UIM_20000025B5011120_5006016046E033AA
member UIM_20000025B5011123_5006016946E033AA
member UIM_20000025B5011122_5006016946E033AA
member UIM_20000025B5011123_5006016146E033AA
member UIM_20000025B5011122_5006016146E033AA
member UIM_20000025B5011123_5006016846E033AA
member UIM_20000025B5011122_5006016846E033AA
member UIM_20000025B5011123_5006016046E033AA
member UIM_20000025B5011122_5006016046E033AA
member UIM_20000025B5011125_5006016146E033AA
member UIM_20000025B5011126_5006016146E033AA
member UIM_20000025B5011125_5006016946E033AA
member UIM_20000025B5011126_5006016946E033AA
member UIM_20000025B5011125_5006016846E033AA
member UIM_20000025B5011126_5006016846E033AA
member UIM_20000025B5011125_5006016046E033AA
member UIM_20000025B5011126_5006016046E033AA
member UIM_20000025B5011129_5006016846E033AA
member UIM_20000025B5011128_5006016846E033AA
member UIM_20000025B5011129_5006016046E033AA
member UIM_20000025B5011128_5006016046E033AA
member UIM_20000025B5011129_5006016146E033AA
member UIM_20000025B5011128_5006016146E033AA
member UIM_20000025B5011129_5006016946E033AA
member UIM_20000025B5011128_5006016946E033AA
member UIM_20000025B501112B_5006016946E033AA
member UIM_20000025B501112C_5006016946E033AA
member UIM_20000025B501112B_5006016846E033AA
member UIM_20000025B501112C_5006016846E033AA
member UIM_20000025B501112B_5006016046E033AA
member UIM_20000025B501112C_5006016046E033AA
member UIM_20000025B501112B_5006016146E033AA
member UIM_20000025B501112C_5006016146E033AA
zoneset activate name UIM_ZONESET_A vsan 10
interface fc2/1
interface fc2/2
interface fc2/3
interface fc2/4
interface fc2/5
interface fc2/6
interface fc2/7
interface fc2/8
interface fc2/9
interface fc2/10
interface fc2/11
no shutdown
interface fc2/12
no shutdown
interface fc2/13
interface fc2/14
interface fc2/15
interface fc2/16
interface fc2/17
interface fc2/18
interface fc2/19
interface fc2/20
interface fc2/21
interface fc2/22
interface fc2/23
interface fc2/24
no shutdown
interface fc2/25
no shutdown
interface fc2/26
no shutdown
interface fc2/27
interface fc2/28
interface fc2/29
interface fc2/30
interface fc2/31
interface fc2/32
interface fc2/33
interface fc2/34
interface fc2/35
interface fc2/36
no shutdown
interface fc2/37
shutdown
interface fc2/38
interface fc2/39
interface fc2/40
interface fc2/41
interface fc2/42
interface fc2/43
interface fc2/44
interface fc2/45
interface fc2/46
interface fc2/47
interface fc2/48
no shutdown
interface fc4/1
interface fc4/2
interface fc4/3
interface fc4/4
interface fc4/5
interface fc4/6
interface fc4/7
interface fc4/8
interface fc4/9
interface fc4/10
interface fc4/11
interface fc4/12
interface fc4/13
interface fc4/14
interface fc4/15
interface fc4/16
interface fc4/17
interface fc4/18
interface GigabitEthernet4/1
interface GigabitEthernet4/2
interface GigabitEthernet4/3
interface GigabitEthernet4/4
interface mgmt0
ip address 192.168.41.51 255.255.255.0
ip access-group 23 in
no system default switchport shutdown
MDS-DC-2-running
!Command: show running-config
!Time: Sun Apr 24 16:48:05 2011
version 5.0(4)
system default switchport mode F
feature npiv
feature privilege
feature tacacs+
role name default-role
description This is a system defined role and applies to all users.
rule 5 permit show feature environment
rule 4 permit show feature hardware
rule 3 permit show feature module
rule 2 permit show feature snmp
rule 1 permit show feature system
username admin password 5 <removed> role network-admin
username retail password 5 <removed> role network-admin
username emc-ncm password 5 <removed> role network-admin
username bart password 5 <removed> role network-admin
enable secret 5 <removed>
banner motd #
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
#
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip host MDS-DC-2 192.168.41.52
ip host MDS-DC-2 192.168.41.52
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
aaa group server radius radius
snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user admin network-admin auth md5 <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server host 192.168.41.101 traps version 2c public udp-port 2162
snmp-server host 192.168.42.121 traps version 3 auth public
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
ntp server 192.168.62.161
ntp server 192.168.62.162
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 deny ip any any log-deny
vsan database
vsan 2 name "Promise-2"
vsan 11 name "UIM_VSAN_B_11"
fcdomain fcid database
vsan 1 wwn 21:01:00:e0:8b:39:35:58 fcid 0x010000 area dynamic
vsan 1 wwn 22:03:00:0d:ec:20:2b:40 fcid 0x010100 area dynamic
vsan 11 wwn 20:41:00:05:9b:73:17:40 fcid 0xd40000 dynamic
vsan 11 wwn 20:42:00:05:9b:73:17:40 fcid 0xd40001 dynamic
vsan 1 wwn 21:00:00:e0:8b:19:35:58 fcid 0x010200 area dynamic
vsan 11 wwn 50:06:01:69:46:e0:33:aa fcid 0xd400ef dynamic
vsan 11 wwn 50:06:01:68:46:e0:33:aa fcid 0xd401ef dynamic
vsan 1 wwn 26:01:00:01:55:35:7e:44 fcid 0x010300 dynamic
vsan 2 wwn 26:01:00:01:55:35:7e:44 fcid 0x890000 dynamic
vsan 2 wwn 20:64:00:0d:ec:38:76:00 fcid 0x890100 area dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:10 fcid 0xd40002 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:19 fcid 0xd40003 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:13 fcid 0xd40004 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:16 fcid 0xd40005 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:1a fcid 0xd40006 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:12 fcid 0xd40007 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:1d fcid 0xd40008 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:26 fcid 0xd40009 dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:23 fcid 0xd4000a dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:20 fcid 0xd4000b dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:2c fcid 0xd4000c dynamic
vsan 11 wwn 20:00:00:25:b5:01:11:29 fcid 0xd4000d dynamic
vsan database
vsan 11 interface fc2/24
vsan 11 interface fc2/25
vsan 11 interface fc2/26
vsan 11 interface fc2/48
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
ip default-gateway 192.168.41.1
switchname MDS-DC-2
line vty
session-limit 32
exec-timeout 15
line console
exec-timeout 15
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-1
boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-1
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-2
boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-2
interface fc2/1
interface fc2/2
interface fc2/3
interface fc2/4
interface fc2/5
interface fc2/6
interface fc2/7
interface fc2/8
interface fc2/9
interface fc2/10
interface fc2/11
interface fc2/12
interface fc2/13
interface fc2/14
interface fc2/15
interface fc2/16
interface fc2/17
interface fc2/18
interface fc2/19
interface fc2/20
interface fc2/21
interface fc2/22
interface fc2/23
interface fc2/24
interface fc2/25
interface fc2/26
interface fc2/27
interface fc2/28
interface fc2/29
interface fc2/30
interface fc2/31
interface fc2/32
interface fc2/33
interface fc2/34
interface fc2/35
interface fc2/36
interface fc2/37
interface fc2/38
interface fc2/39
interface fc2/40
interface fc2/41
interface fc2/42
interface fc2/43
interface fc2/44
interface fc2/45
interface fc2/46
interface fc2/47
interface fc2/48
logging server 192.168.42.121
logging server 192.168.42.124 6
system default zone default-zone permit
system default zone distribute full
zone default-zone permit vsan 2
zone default-zone permit vsan 11
zoneset distribute full vsan 1-2
zoneset distribute full vsan 11
!Full Zone Database Section for vsan 2
zone name global_zone vsan 2
zoneset name promise-2_zs vsan 2
member global_zone
!Full Zone Database Section for vsan 11
zone name UIM_20000025B5011110_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011112_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011110_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011112_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011110_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011112_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011110_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:10
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011112_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:12
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011116_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011115_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011116_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011115_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011116_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011115_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011116_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:16
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011115_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:15
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011119_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111A_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011119_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501111A_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011119_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111A_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011119_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:19
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111A_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1a
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111D_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111C_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111D_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111C_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111D_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111C_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111D_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1d
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501111C_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1c
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011120_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501111F_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011120_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501111F_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011120_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501111F_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011120_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:20
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501111F_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:1f
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011122_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011123_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011122_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011123_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011122_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011123_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011122_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:22
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011123_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:23
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011126_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011125_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011126_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011125_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011126_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011125_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011126_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:26
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011125_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:25
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011128_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011129_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B5011128_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011129_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B5011128_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011129_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B5011128_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:28
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B5011129_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:29
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501112C_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501112B_5006016046E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:60:46:e0:33:aa
zone name UIM_20000025B501112C_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501112B_5006016946E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:69:46:e0:33:aa
zone name UIM_20000025B501112C_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501112B_5006016846E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:68:46:e0:33:aa
zone name UIM_20000025B501112C_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2c
member pwwn 50:06:01:61:46:e0:33:aa
zone name UIM_20000025B501112B_5006016146E033AA vsan 11
member pwwn 20:00:00:25:b5:01:11:2b
member pwwn 50:06:01:61:46:e0:33:aa
zoneset name UIM_ZONESET_B vsan 11
member UIM_20000025B5011110_5006016946E033AA
member UIM_20000025B5011112_5006016946E033AA
member UIM_20000025B5011110_5006016046E033AA
member UIM_20000025B5011112_5006016046E033AA
member UIM_20000025B5011110_5006016146E033AA
member UIM_20000025B5011112_5006016146E033AA
member UIM_20000025B5011110_5006016846E033AA
member UIM_20000025B5011112_5006016846E033AA
member UIM_20000025B5011116_5006016046E033AA
member UIM_20000025B5011115_5006016046E033AA
member UIM_20000025B5011116_5006016946E033AA
member UIM_20000025B5011115_5006016946E033AA
member UIM_20000025B5011116_5006016846E033AA
member UIM_20000025B5011115_5006016846E033AA
member UIM_20000025B5011116_5006016146E033AA
member UIM_20000025B5011115_5006016146E033AA
member UIM_20000025B5011119_5006016146E033AA
member UIM_20000025B501111A_5006016146E033AA
member UIM_20000025B5011119_5006016046E033AA
member UIM_20000025B501111A_5006016046E033AA
member UIM_20000025B5011119_5006016946E033AA
member UIM_20000025B501111A_5006016946E033AA
member UIM_20000025B5011119_5006016846E033AA
member UIM_20000025B501111A_5006016846E033AA
member UIM_20000025B501111D_5006016146E033AA
member UIM_20000025B501111C_5006016146E033AA
member UIM_20000025B501111D_5006016846E033AA
member UIM_20000025B501111C_5006016846E033AA
member UIM_20000025B501111D_5006016946E033AA
member UIM_20000025B501111C_5006016946E033AA
member UIM_20000025B501111D_5006016046E033AA
member UIM_20000025B501111C_5006016046E033AA
member UIM_20000025B5011120_5006016846E033AA
member UIM_20000025B501111F_5006016846E033AA
member UIM_20000025B5011120_5006016146E033AA
member UIM_20000025B501111F_5006016146E033AA
member UIM_20000025B5011120_5006016046E033AA
member UIM_20000025B501111F_5006016046E033AA
member UIM_20000025B5011120_5006016946E033AA
member UIM_20000025B501111F_5006016946E033AA
member UIM_20000025B5011122_5006016946E033AA
member UIM_20000025B5011123_5006016946E033AA
member UIM_20000025B5011122_5006016146E033AA
member UIM_20000025B5011123_5006016146E033AA
member UIM_20000025B5011122_5006016046E033AA
member UIM_20000025B5011123_5006016046E033AA
member UIM_20000025B5011122_5006016846E033AA
member UIM_20000025B5011123_5006016846E033AA
member UIM_20000025B5011126_5006016846E033AA
member UIM_20000025B5011125_5006016846E033AA
member UIM_20000025B5011126_5006016946E033AA
member UIM_20000025B5011125_5006016946E033AA
member UIM_20000025B5011126_5006016146E033AA
member UIM_20000025B5011125_5006016146E033AA
member UIM_20000025B5011126_5006016046E033AA
member UIM_20000025B5011125_5006016046E033AA
member UIM_20000025B5011128_5006016946E033AA
member UIM_20000025B5011129_5006016946E033AA
member UIM_20000025B5011128_5006016046E033AA
member UIM_20000025B5011129_5006016046E033AA
member UIM_20000025B5011128_5006016146E033AA
member UIM_20000025B5011129_5006016146E033AA
member UIM_20000025B5011128_5006016846E033AA
member UIM_20000025B5011129_5006016846E033AA
member UIM_20000025B501112C_5006016046E033AA
member UIM_20000025B501112B_5006016046E033AA
member UIM_20000025B501112C_5006016946E033AA
member UIM_20000025B501112B_5006016946E033AA
member UIM_20000025B501112C_5006016846E033AA
member UIM_20000025B501112B_5006016846E033AA
member UIM_20000025B501112C_5006016146E033AA
member UIM_20000025B501112B_5006016146E033AA
zoneset activate name UIM_ZONESET_B vsan 11
interface fc2/1
interface fc2/2
interface fc2/3
interface fc2/4
interface fc2/5
interface fc2/6
interface fc2/7
interface fc2/8
interface fc2/9
interface fc2/10
interface fc2/11
interface fc2/12
interface fc2/13
interface fc2/14
interface fc2/15
interface fc2/16
interface fc2/17
interface fc2/18
interface fc2/19
interface fc2/20
interface fc2/21
interface fc2/22
interface fc2/23
interface fc2/24
interface fc2/25
interface fc2/26
interface fc2/27
interface fc2/28
interface fc2/29
interface fc2/30
interface fc2/31
interface fc2/32
interface fc2/33
interface fc2/34
interface fc2/35
interface fc2/36
interface fc2/37
interface fc2/38
interface fc2/39
interface fc2/40
interface fc2/41
interface fc2/42
interface fc2/43
interface fc2/44
interface fc2/45
interface fc2/46
interface fc2/47
interface fc2/48
interface mgmt0
ip address 192.168.41.52 255.255.255.0
ip access-group 23 in
no system default switchport shutdown
N1kv-1-running
!Command: show running-config
!Time: Sat Apr 30 03:02:54 2011
version 4.2(1)SV1(4)
no feature telnet
feature tacacs+
username admin password 5 <removed> role network-admin
username retail password 5 <removed> role network-admin
banner motd #
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
#
ssh key rsa 2048
ip domain-lookup
ip domain-lookup
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
use-vrf management
source-interface mgmt0
aaa group server tacacs+ tacacs
hostname N1kv-1
ip access-list 23
10 permit ip 192.168.42.0/24 any
20 permit ip any any
30 deny ip any any
ip access-list 88
10 permit ip 192.168.42.0/24 any
20 permit ip any any
30 deny ip any any
vem 3
host vmware id 414e3537-3441-3255-5838-34353034544b
vem 4
host vmware id 414e3537-3441-3255-5838-34353034544d
vem 5
host vmware id 414e3537-3441-3255-5838-333930345046
vem 6
host vmware id 414e3537-3441-3255-5838-34353034544c
vem 7
host vmware id 414e3537-3441-3255-5838-333930344e59
vem 8
host vmware id 414e3537-3441-3255-5838-333830333330
vem 9
host vmware id 414e3537-3441-3255-5838-333930345057
vem 10
host vmware id 414e3537-3441-3255-5838-343530345630
vem 11
host vmware id 414e3537-3441-3255-5838-343530345448
vem 12
host vmware id 414e3537-3441-3255-5838-333930345048
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
ntp server 192.168.62.161 use-vrf management
ntp server 192.168.62.162 use-vrf management
ntp source 192.168.41.61
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
vrf context management
ip route 0.0.0.0/0 192.168.41.1
vlan 1
vlan 36
name VLAN36
vlan 37
name VLAN37
vlan 38
name VLAN38
vlan 39
name VLAN39
vlan 40
name VLAN40
vlan 41
name VLAN41
vlan 42
name VLAN42
vlan 43
name VLAN43
vlan 44
name VLAN44
vlan 45
name VLAN45
vlan 46
name VLAN46
vlan 52
name VLAN52
vlan 64
name VLAN64
vlan 72
name VLAN72
vlan 80
name VLAN80
vlan 81
name VLAN81
vlan 82
name VLAN82
vlan 83
name VLAN83
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type vethernet VLAN38
vmware port-group
switchport mode access
switchport access vlan 38
no shutdown
state enabled
port-profile type vethernet VLAN36
vmware port-group
switchport mode access
switchport access vlan 36
no shutdown
state enabled
port-profile type vethernet VLAN37
vmware port-group
switchport mode access
switchport access vlan 37
no shutdown
state enabled
port-profile type vethernet VLAN39
vmware port-group
switchport mode access
switchport access vlan 39
no shutdown
state enabled
port-profile type vethernet VLAN40
vmware port-group
switchport mode access
switchport access vlan 40
no shutdown
state enabled
port-profile type vethernet VLAN41
vmware port-group
switchport mode access
switchport access vlan 41
no shutdown
system vlan 41
state enabled
port-profile type vethernet VLAN42
vmware port-group
switchport mode access
switchport access vlan 42
no shutdown
state enabled
port-profile type vethernet VLAN43
vmware port-group
switchport mode access
switchport access vlan 43
no shutdown
state enabled
port-profile type vethernet VLAN44
vmware port-group
switchport mode access
switchport access vlan 44
no shutdown
state enabled
port-profile type vethernet VLAN45
vmware port-group
switchport mode access
switchport access vlan 45
no shutdown
state enabled
port-profile type vethernet VLAN46
vmware port-group
switchport mode access
switchport access vlan 46
no shutdown
state enabled
port-profile type vethernet VLAN52
vmware port-group
switchport mode access
switchport access vlan 52
no shutdown
state enabled
port-profile type vethernet VLAN64
vmware port-group
switchport mode access
switchport access vlan 64
no shutdown
state enabled
port-profile type vethernet VLAN72
vmware port-group
switchport mode access
switchport access vlan 72
no shutdown
state enabled
port-profile type vethernet VLAN80
vmware port-group
switchport mode access
switchport access vlan 80
no shutdown
state enabled
port-profile type vethernet VLAN81
vmware port-group
switchport mode access
switchport access vlan 81
no shutdown
state enabled
port-profile type vethernet VLAN82
vmware port-group
switchport mode access
switchport access vlan 82
no shutdown
state enabled
port-profile type vethernet VLAN83
vmware port-group
switchport mode access
switchport access vlan 83
no shutdown
state enabled
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type ethernet sysuplink
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 36-83
no shutdown
system vlan 41
state enabled
port-profile type vethernet VSG-DADA-HA
vmware port-group
switchport access vlan 41
no shutdown
state enabled
port-profile type vethernet Tenant-1
vmware port-group
org root/Tenant-1
vn-service ip-address 192.168.52.11 vlan 52 security-profile SecurityProfile-1
switchport mode access
switchport access vlan 41
no shutdown
state enabled
vdc N1kv-1 id 1
limit-resource vlan minimum 16 maximum 2049
limit-resource monitor-session minimum 0 maximum 2
limit-resource vrf minimum 16 maximum 8192
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 32 maximum 32
limit-resource u6route-mem minimum 16 maximum 16
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
interface mgmt0
ip address 192.168.41.61/24
interface Vethernet3
inherit port-profile VLAN42
description RSA-Archer,Network Adapter 1
vmware dvport 207 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
vmware vm mac 0050.56BB.001E
interface Vethernet5
inherit port-profile VSG-DADA-HA
description Nexus1000VSG,Network Adapter 3
vmware dvport 1057 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
vmware vm mac 0050.56BB.0004
interface Vethernet6
inherit port-profile VSG-DADA-HA
description Nexus1000VSG,Network Adapter 1
vmware dvport 1056 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
vmware vm mac 0050.56BB.0002
interface Vethernet7
inherit port-profile VLAN52
description POS Terminal,Network Adapter 1
vmware dvport 352 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
vmware vm mac 0050.56BB.0005
interface control0
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
line vty
exec-timeout 15
line console
exec-timeout 15
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-1
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-2
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-2
svs-domain
domain id 2
control vlan 41
packet vlan 41
svs mode L2
svs connection vc
protocol vmware-vim
remote ip address 192.168.41.102 port 80
vmware dvs uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" datacenter-name Retail Lab-CMO
connect
vnm-policy-agent
registration-ip 192.168.41.65
shared-secret **********
policy-agent-image bootflash:/vnmc-vsmpa.1.0.1j.bin
log-level
logging server 192.168.42.124 7 facility syslog
logging timestamp milliseconds
r-a2-conv-1
!
! Last configuration change at 00:53:21 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 00:53:22 PST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname R-A2-Conv-1
!
boot-start-marker
boot system flash c890-universalk9-mz.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-479252603
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-479252603
revocation-check none
rsakeypair TP-self-signed-479252603
!
!
crypto pki certificate chain TP-self-signed-479252603
certificate self-signed 01
<removed>
quit
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip multicast-routing
ip port-map user-8443 port tcp 8443
ip ips config location flash: retries 1 timeout 1
ip ips name Store-IPS
!
ip ips signature-category
category all
retired true
category ios_ips default
retired false
!
ip inspect log drop-pkt
ip inspect audit-trail
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type inspect Inspect-1
audit-trail on
parameter-map type inspect global
WAAS enable
parameter-map type trend-global trend-glob-map
password encryption aes
license udi pid CISCO891W-AGN-N-K9 sn <removed>
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network ActiveDirectory.cisco-irn.com
host 192.168.42.130
!
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
udp eq 5246
udp eq 5247
!
object-group service CISCO-WAAS
description Ports for Cisco WAAS
tcp eq 4050
!
object-group network DC-ALL
description All of the Data Center
192.168.0.0 255.255.0.0
!
object-group network Stores-ALL
description all store networks
10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_68719541425
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network WCSManager
description Wireless Manager
host 192.168.43.135
!
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
host 192.168.43.21
host 192.168.43.22
!
object-group network DC-Wifi-MSE
description Mobility Service Engines
host 192.168.43.31
host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_68719541431
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network PAME-DC-1
host 192.168.44.111
!
object-group network MSP-DC-1
description Data Center VSOM
host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_68719541435
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_68719541457
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541461
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541465
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network EMC-NCM
description EMC Network Configuration Manager
host 192.168.42.122
!
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_73014451187
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object EMC-NCM
group-object RSA-enVision
!
object-group network TACACS
description Cisco Secure ACS server for TACACS and Radius
host 192.168.42.131
!
object-group network RSA-AM
description RSA Authentication Manager for SecureID
host 192.168.42.137
!
object-group network NAC-1
description ISE server for NAC
host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_73014451193
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object ActiveDirectory.cisco-irn.com
group-object TACACS
group-object RSA-AM
group-object NAC-1
!
object-group network NAC-2
host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_73014451223
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object NAC-2
group-object NAC-1
!
object-group network DC-Admin
description DC Admin Systems
host 192.168.41.101
host 192.168.41.102
!
object-group network CSManager
description Cisco Security Manager
host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_68719541409
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object EMC-NCM
group-object CSManager
!
object-group network CSM_INLINE_src_rule_68719541427
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_68719541429
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_68719541433
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network DC-WAAS
description WAE Appliances in Data Center
host 192.168.48.10
host 192.168.49.10
host 192.168.47.11
host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_68719541437
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-WAAS
!
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_73014451215
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_73014451217
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group service CSM_INLINE_svc_rule_68719541409
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
!
object-group service CSM_INLINE_svc_rule_68719541425
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service CSM_INLINE_svc_rule_68719541427
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
udp eq 12222
udp eq 12223
!
object-group service TFTP
description Trivial File Transfer
tcp eq 69
udp eq tftp
!
object-group service IP-Protocol-97
description IP protocol 97
97
!
object-group service CSM_INLINE_svc_rule_68719541429
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq www
tcp eq 22
tcp eq telnet
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object TFTP
group-object IP-Protocol-97
!
object-group service Cisco-Mobility
description Mobility ports for Wireless
udp eq 16666
udp eq 16667
!
object-group service CSM_INLINE_svc_rule_68719541431
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object Cisco-Mobility
group-object IP-Protocol-97
!
object-group service HTTPS-8443
tcp eq 8443
!
object-group service Microsoft-DS-SMB
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
tcp eq 445
!
object-group service CSM_INLINE_svc_rule_68719541437
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541439
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541455
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp
tcp-udp eq 5060
tcp eq 2000
tcp eq www
tcp eq 443
group-object TFTP
!
object-group service CSM_INLINE_svc_rule_68719541457
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp-udp eq 5060
tcp eq 2000
!
object-group service Netbios
description Netbios Servers
udp eq netbios-dgm
udp eq netbios-ns
tcp eq 139
!
object-group service ORACLE-SIM
description Oracle Store Inventory Management
tcp eq 7777
tcp eq 6003
tcp range 12401 12500
!
object-group service RDP
description Windows Remote Desktop
tcp eq 3389
!
object-group service Workbrain
tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_68719541459
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq ftp
tcp eq www
tcp eq 443
udp eq 88
tcp-udp eq 42
group-object Microsoft-DS-SMB
group-object Netbios
group-object ORACLE-SIM
group-object RDP
group-object Workbrain
!
object-group service CSM_INLINE_svc_rule_73014451187
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq syslog
udp eq snmp
udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_73014451193
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq tacacs
udp eq 1812
udp eq 1813
tcp eq 389
tcp eq 636
!
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
tcp eq 5989
tcp eq 8000
tcp eq 902
tcp eq 903
!
object-group service CSM_INLINE_svc_rule_73014451195
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq 22
group-object vCenter-to-ESX4
!
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
udp eq 427
tcp eq 427
!
object-group service CSM_INLINE_svc_rule_73014451197
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object vCenter-to-ESX4
group-object ESX-SLP
!
object-group service ORACLE-RMI
description RMI TCP ports 1300 and 1301-1319.
tcp range 1300 1319
!
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
tcp eq 7001
tcp eq 7002
tcp eq 1521
!
object-group service ORACLE-WAS
description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414
tcp eq 2809
tcp eq 9443
tcp eq 1414
!
object-group service ORACLE-OAS
description OAS uses one port for HTTP and RMI - 12601.
tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_73014451203
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451205
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451207
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451209
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service TOMAX-8990
description Tomax Application Port
tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_73014451211
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_73014451213
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service ICMP-Requests
description ICMP requests
icmp information-request
icmp mask-request
icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_73014451215
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_73014451217
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service DNS-Resolving
description Domain Name Server
tcp eq domain
udp eq domain
!
object-group service CSM_INLINE_svc_rule_73014451221
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq bootps
group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_73014451223
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451388
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_73014451393
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service CSM_INLINE_svc_rule_73014451395
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451397
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
udp
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451404
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451406
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group network DC-Applications
description Applications in the Data Center that are non-PCI related (Optimized by CS-Manager)
192.168.180.0 255.255.254.0
!
object-group network DC-Voice
description Data Center Voice
192.168.45.0 255.255.255.0
!
object-group network MS-Update
description Windows Update Server
host 192.168.42.150
!
object-group network MSExchange
description Mail Server
host 192.168.42.140
!
object-group service NTP
description NTP Protocols
tcp eq 123
udp eq ntp
!
object-group network NTP-Servers
description NTP Servers
host 192.168.62.161
host 162.168.62.162
!
object-group network STORE-POS
10.10.0.0 255.255.0.0
!
object-group network vSphere-1
description vSphere server for Lab
host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol netbios-dgm
match protocol netbios-ns
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
match access-group name CSM_ZBF_CMAP_ACL_10
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
match protocol http
match protocol https
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
match access-group name CSM_ZBF_CMAP_ACL_23
match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
match access-group name CSM_ZBF_CMAP_ACL_32
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
match access-group name CSM_ZBF_CMAP_ACL_11
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
match access-group name CSM_ZBF_CMAP_ACL_22
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
match protocol http
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
match access-group name CSM_ZBF_CMAP_ACL_33
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tftp
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
match access-group name CSM_ZBF_CMAP_ACL_12
match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
match protocol http
match protocol https
match protocol netbios-ns
match protocol netbios-dgm
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
match access-group name CSM_ZBF_CMAP_ACL_21
match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
match protocol http
match protocol https
match protocol imap3
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
match access-group name CSM_ZBF_CMAP_ACL_30
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
match protocol syslog
match protocol syslog-conn
match protocol snmp
match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
match access-group name CSM_ZBF_CMAP_ACL_13
match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
match access-group name CSM_ZBF_CMAP_ACL_20
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ftp
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
match access-group name CSM_ZBF_CMAP_ACL_31
match class-map CSM_ZBF_CMAP_PLMAP_20
class-map match-all BRANCH-BULK-DATA
match protocol tftp
match protocol nfs
match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
match protocol ldaps
match protocol ldap
match protocol ldap-admin
match protocol radius
match protocol tacacs
match protocol tacacs-ds
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
match access-group name CSM_ZBF_CMAP_ACL_14
match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
match protocol http
match protocol https
match protocol udp
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
match access-group name CSM_ZBF_CMAP_ACL_27
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
match access-group name CSM_ZBF_CMAP_ACL_36
match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
match protocol ntp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
match access-group name CSM_ZBF_CMAP_ACL_15
match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
match access-group name CSM_ZBF_CMAP_ACL_26
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
match protocol bootpc
match protocol bootps
match protocol udp
match protocol tcp
match protocol dns
match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
match access-group name CSM_ZBF_CMAP_ACL_16
match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
match access-group name CSM_ZBF_CMAP_ACL_25
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
match access-group name CSM_ZBF_CMAP_ACL_17
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
match access-group name CSM_ZBF_CMAP_ACL_24
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
match protocol tcp
match protocol udp
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
match access-group name CSM_ZBF_CMAP_ACL_35
match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
match protocol https
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
match access-group name CSM_ZBF_CMAP_ACL_18
match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
match protocol http
match protocol https
match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
match access-group name CSM_ZBF_CMAP_ACL_19
match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
match access-group name CSM_ZBF_CMAP_ACL_29
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
match access-group name CSM_ZBF_CMAP_ACL_28
match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol https
match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
match access-group name CSM_ZBF_CMAP_ACL_3
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
match protocol https
match protocol http
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
match access-group name CSM_ZBF_CMAP_ACL_5
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
match protocol http
match protocol https
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name CSM_ZBF_CMAP_ACL_4
match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
match access-group name CSM_ZBF_CMAP_ACL_7
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
match access-group name CSM_ZBF_CMAP_ACL_6
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
match access-group name CSM_ZBF_CMAP_ACL_9
match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
match protocol http
match protocol https
match protocol ssh
match protocol telnet
match protocol tftp
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
match access-group name CSM_ZBF_CMAP_ACL_8
match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol citrix
match protocol ldap
match protocol telnet
match protocol sqlnet
match protocol http url "*SalesReport*"
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol snmp
match protocol syslog
match protocol dns
match protocol icmp
match protocol ssh
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
!
policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Guest
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W
class class-default
drop log
policy-map BRANCH-LAN-EDGE-OUT
class class-default
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS
class class-default
drop log
policy-map BRANCH-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 12
random-detect dscp-based
class BULK-DATA
bandwidth percent 4
random-detect dscp-based
class SCAVENGER
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_18
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_31
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
class type inspect CSM_ZBF_CLASS_MAP_24
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_15
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_23
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_21
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_34
drop log
class type inspect CSM_ZBF_CLASS_MAP_35
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_13
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_21
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_20
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
drop log
class type inspect CSM_ZBF_CLASS_MAP_33
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_36
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_9
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_12
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
class type inspect CSM_ZBF_CLASS_MAP_9
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_10
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_11
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_8
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_7
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_5
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_4
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_2
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_S_Partners_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS
class class-default
drop log
policy-map BRANCH-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W
class class-default
drop log
!
zone security S_WAN
description Store WAN Link
zone security LOOPBACK
description Loopback interface
zone security S_MGMT
description VLAN1000 Management
zone security S_Security
description VLAN20 Physical Security Systems
zone security S_WAAS
description VLAN19 WAAS optimization
zone security S_WLC-AP
description VLAN18 Wireless Systems
zone security S_Data
description VLAN12 Store Data
zone security S_Data-W
description VLAN14 Store Wireless Data
zone security S_Guest
description VLAN17 Guest/Public Wireless
zone security S_Voice
description VLAN13 Store Voice
zone security S_Partners
description VLAN16 Partner network
zone security S_POS
description VLAN 11 POS Data
zone security S_POS-W
description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Guest
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS-W
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS-W
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Partners_S_POS
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_22
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.174.1 255.255.255.255
ip pim sparse-dense-mode
zone-member security LOOPBACK
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
switchport access vlan 17
switchport protected
!
interface FastEthernet2
switchport access vlan 17
switchport protected
!
interface FastEthernet3
switchport access vlan 17
switchport protected
!
interface FastEthernet4
switchport access vlan 17
switchport protected
!
interface FastEthernet5
switchport access vlan 17
switchport protected
!
interface FastEthernet6
switchport access vlan 17
switchport protected
!
interface FastEthernet7
switchport access vlan 17
switchport protected
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface FastEthernet8.1
!
interface GigabitEthernet0
ip address 10.10.255.160 255.255.255.0
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.10.174.33 255.255.255.252
zone-member security S_WLC-AP
service-module ip address 10.10.174.34 255.255.255.252
service-module ip default-gateway 10.10.174.33
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
zone-member security S_WLC-AP
service-module ip address 10.10.174.34 255.255.255.252
service-module ip default-gateway 10.10.174.33
!
interface Vlan1
no ip address
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS
!
interface Vlan11
description POS
ip address 10.10.160.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS
standby 11 ip 10.10.160.1
standby 11 priority 101
standby 11 preempt
ip igmp query-interval 125
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan12
description DATA
ip address 10.10.161.2 255.255.255.0
ip helper-address 192.168.42.130
ip wccp 61 redirect in
ip pim sparse-dense-mode
zone-member security S_Data
standby 12 ip 10.10.161.1
standby 12 priority 101
standby 12 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan13
description VOICE
ip address 10.10.162.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Voice
standby 13 ip 10.10.162.1
standby 13 priority 101
standby 13 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan14
description WIRELESS
ip address 10.10.163.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Data-W
standby 14 ip 10.10.163.1
standby 14 priority 101
standby 14 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan15
description WIRELESS-POS
ip address 10.10.164.2 255.255.255.0
ip helper-address 192.168.42.130
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS-W
standby 15 ip 10.10.164.1
standby 15 priority 101
standby 15 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan16
description PARTNER
ip address 10.10.165.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Partners
standby 16 ip 10.10.165.1
standby 16 priority 101
standby 16 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan17
description WIRELESS-GUEST
ip address 10.10.166.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Guest
standby 17 ip 10.10.166.1
standby 17 priority 101
standby 17 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan18
description WIRELESS-CONTROL
ip address 10.10.167.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WLC-AP
standby 18 ip 10.10.167.1
standby 18 priority 101
standby 18 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan19
description WAAS
ip address 10.10.168.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WAAS
standby 19 ip 10.10.168.1
standby 19 priority 101
standby 19 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan20
description SECURITY
ip address 10.10.169.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Security
standby 20 ip 10.10.169.1
standby 20 priority 101
standby 20 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan1000
description MANAGEMENT
ip address 10.10.175.2 255.255.255.0
zone-member security S_MGMT
standby 100 ip 10.10.175.1
standby 100 priority 101
standby 100 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Async1
no ip address
encapsulation slip
!
interface Group-Async0
physical-layer async
no ip address
encapsulation slip
no group-range
!
router ospf 5
router-id 10.10.174.1
passive-interface default
!
no ip forward-protocol nd
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 10.10.255.11
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
remark Data Center Mgmt to Devices
permit object-group CSM_INLINE_svc_rule_68719541409 object-group CSM_INLINE_src_rule_68719541409 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451215 object-group CSM_INLINE_src_rule_73014451215 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
remark Data Center VOICE (wired and Wireless)
permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
remark Syslog and SNMP Alerts
permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451187
ip access-list extended CSM_ZBF_CMAP_ACL_14
remark Store to Data Center Authentications
permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451193
ip access-list extended CSM_ZBF_CMAP_ACL_15
remark Store to Data Center for NTP
permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_16
remark Store to Data Center for DHCP and DNS
permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_17
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541425
ip access-list extended CSM_ZBF_CMAP_ACL_18
remark Store UCS Express to Data Center vShphere
permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_19
remark Store NAC
permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451223
ip access-list extended CSM_ZBF_CMAP_ACL_2
remark Data Center subscribe to IPS SDEE events
permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
remark Store to Data Center Physical Security
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435
ip access-list extended CSM_ZBF_CMAP_ACL_21
remark Store WAAS (WAAS Devices need their own zone)
permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_22
remark Store WAAS to Clients and Servers
permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_23
remark Store to Data Center wireless controller traffic
permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541431
ip access-list extended CSM_ZBF_CMAP_ACL_24
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group DC-POS-Oracle
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group DC-POS-SAP
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_25
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451217 object-group CSM_INLINE_src_rule_73014451217 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_26
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_27
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_28
remark Permit POS clients to talk to store POS server
permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_29
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_68719541427 object-group CSM_INLINE_src_rule_68719541427 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_31
remark Store DATA (wired and Wireless - Access to DC Other applications)
permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_32
remark Store GUEST - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465
ip access-list extended CSM_ZBF_CMAP_ACL_33
remark Store GUEST (access to internet/DMZ web servers)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_34
remark Store PARTNERS - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461
ip access-list extended CSM_ZBF_CMAP_ACL_35
remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
remark Store VOICE (wired and Wireless - Acess to corporate wide voice)
permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541457
ip access-list extended CSM_ZBF_CMAP_ACL_4
remark Data Center vSphere to UCS Express
permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
remark Data Center to Store Physical Security
permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
remark Data Center WAAS to Store
permit object-group CSM_INLINE_svc_rule_68719541437 object-group CSM_INLINE_src_rule_68719541437 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
remark Data Center Wireless Control to AP's and Controllers in stores
permit object-group CSM_INLINE_svc_rule_68719541429 object-group CSM_INLINE_src_rule_68719541429 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
remark --Large store Clock Server to CUAE
permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
remark ---LiteScape Application---
permit ip any host 192.168.46.82
permit ip any 239.192.0.0 0.0.0.255
permit ip any host 239.255.255.250
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp any 192.168.46.0 0.0.0.255 eq 7777
permit tcp any 192.168.46.0 0.0.0.255 eq 6003
permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group causer v3 priv
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input ssh
transport output none
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
login authentication RETAIL
no exec
transport preferred none
transport output none
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler max-task-time 5000
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
r-a2-lrg-1
!
! Last configuration change at 00:54:49 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 00:54:49 PST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R-A2-Lrg-1
!
boot-start-marker
boot system flash0 c3900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-72006796
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-72006796
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-72006796
certificate self-signed 03
<removed>
quit
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip port-map user-8443 port tcp 8443
ip inspect log drop-pkt
ip inspect audit-trail
ip ips config location flash0: retries 1 timeout 1
ip ips name Store-IPS
!
ip ips signature-category
category all
retired true
category ios_ips default
retired false
!
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect global
WAAS enable
parameter-map type inspect Inspect-1
audit-trail on
parameter-map type trend-global trend-glob-map
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
license udi pid C3900-SPE150/K9 sn <removed>
hw-module pvdm 0/0
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network ActiveDirectory.cisco-irn.com
host 192.168.42.130
!
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
udp eq 5246
udp eq 5247
!
object-group service CISCO-WAAS
description Ports for Cisco WAAS
tcp eq 4050
!
object-group network EMC-NCM
description EMC Network Configuration Manager
host 192.168.42.122
!
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_81604380995
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object EMC-NCM
group-object RSA-enVision
!
object-group network TACACS
description Cisco Secure ACS server for TACACS and Radius
host 192.168.42.131
!
object-group network RSA-AM
description RSA Authentication Manager for SecureID
host 192.168.42.137
!
object-group network NAC-1
description ISE server for NAC
host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_81604381001
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object ActiveDirectory.cisco-irn.com
group-object TACACS
group-object RSA-AM
group-object NAC-1
!
object-group network NAC-2
host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_81604381037
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object NAC-2
group-object NAC-1
!
object-group network DC-ALL
description All of the Data Center
192.168.0.0 255.255.0.0
!
object-group network Stores-ALL
description all store networks
10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_81604381039
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network WCSManager
description Wireless Manager
host 192.168.43.135
!
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
host 192.168.43.21
host 192.168.43.22
!
object-group network DC-Wifi-MSE
description Mobility Service Engines
host 192.168.43.31
host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_81604381045
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network PAME-DC-1
host 192.168.44.111
!
object-group network MSP-DC-1
description Data Center VSOM
host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_81604381049
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_81604381059
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381067
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381071
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381150
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_dst_rule_81604381152
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network DC-Admin
description DC Admin Systems
host 192.168.41.101
host 192.168.41.102
!
object-group network CSManager
description Cisco Security Manager
host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_81604380993
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object EMC-NCM
group-object CSManager
!
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_81604381021
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381023
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381041
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_81604381043
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_81604381047
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network DC-WAAS
description WAE Appliances in Data Center
host 192.168.48.10
host 192.168.49.10
host 192.168.47.11
host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_81604381051
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-WAAS
!
object-group network CSM_INLINE_src_rule_81604381150
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_src_rule_81604381152
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group service CSM_INLINE_svc_rule_81604380993
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
!
object-group service CSM_INLINE_svc_rule_81604380995
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq syslog
udp eq snmp
udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_81604381001
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq tacacs
udp eq 1812
udp eq 1813
tcp eq 389
tcp eq 636
!
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
tcp eq 5989
tcp eq 8000
tcp eq 902
tcp eq 903
!
object-group service CSM_INLINE_svc_rule_81604381003
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq 22
group-object vCenter-to-ESX4
!
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
udp eq 427
tcp eq 427
!
object-group service CSM_INLINE_svc_rule_81604381005
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object vCenter-to-ESX4
group-object ESX-SLP
!
object-group service ORACLE-RMI
description RMI TCP ports 1300 and 1301-1319.
tcp range 1300 1319
!
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
tcp eq 7001
tcp eq 7002
tcp eq 1521
!
object-group service ORACLE-WAS
description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414
tcp eq 2809
tcp eq 9443
tcp eq 1414
!
object-group service ORACLE-OAS
description OAS uses one port for HTTP and RMI - 12601.
tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_81604381009
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_81604381011
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service HTTPS-8443
tcp eq 8443
!
object-group service CSM_INLINE_svc_rule_81604381013
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381015
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service TOMAX-8990
description Tomax Application Port
tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_81604381017
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_81604381019
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service ICMP-Requests
description ICMP requests
icmp information-request
icmp mask-request
icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_81604381021
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381023
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381025
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service CSM_INLINE_svc_rule_81604381027
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381029
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
udp
tcp eq 443
!
object-group service DNS-Resolving
description Domain Name Server
tcp eq domain
udp eq domain
!
object-group service CSM_INLINE_svc_rule_81604381035
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq bootps
group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_81604381037
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381039
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service CSM_INLINE_svc_rule_81604381041
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
udp eq 12222
udp eq 12223
!
object-group service TFTP
description Trivial File Transfer
tcp eq 69
udp eq tftp
!
object-group service IP-Protocol-97
description IP protocol 97
97
!
object-group service CSM_INLINE_svc_rule_81604381043
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq www
tcp eq 22
tcp eq telnet
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object TFTP
group-object IP-Protocol-97
!
object-group service Cisco-Mobility
description Mobility ports for Wireless
udp eq 16666
udp eq 16667
!
object-group service CSM_INLINE_svc_rule_81604381045
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object Cisco-Mobility
group-object IP-Protocol-97
!
object-group service Microsoft-DS-SMB
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
tcp eq 445
!
object-group service CSM_INLINE_svc_rule_81604381051
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381053
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381055
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381057
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp
tcp-udp eq 5060
tcp eq 2000
tcp eq www
tcp eq 443
group-object TFTP
!
object-group service CSM_INLINE_svc_rule_81604381059
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp-udp eq 5060
tcp eq 2000
!
object-group service CSM_INLINE_svc_rule_81604381061
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381063
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service Netbios
description Netbios Servers
udp eq netbios-dgm
udp eq netbios-ns
tcp eq 139
!
object-group service ORACLE-SIM
description Oracle Store Inventory Management
tcp eq 7777
tcp eq 6003
tcp range 12401 12500
!
object-group service RDP
description Windows Remote Desktop
tcp eq 3389
!
object-group service Workbrain
tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_81604381065
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq ftp
tcp eq www
tcp eq 443
udp eq 88
tcp-udp eq 42
group-object Microsoft-DS-SMB
group-object Netbios
group-object ORACLE-SIM
group-object RDP
group-object Workbrain
!
object-group network DC-Applications
description Applications in the Data Center that are non-PCI related (Optimized by CS-Manager)
192.168.180.0 255.255.254.0
!
object-group network DC-Voice
description Data Center Voice
192.168.45.0 255.255.255.0
!
object-group network MS-Update
description Windows Update Server
host 192.168.42.150
!
object-group network MSExchange
description Mail Server
host 192.168.42.140
!
object-group service NTP
description NTP Protocols
tcp eq 123
udp eq ntp
!
object-group network NTP-Servers
description NTP Servers
host 192.168.62.161
host 162.168.62.162
!
object-group network STORE-POS
10.10.0.0 255.255.0.0
!
object-group network vSphere-1
description vSphere server for Lab
host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
redundancy
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol netbios-dgm
match protocol netbios-ns
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
match access-group name CSM_ZBF_CMAP_ACL_10
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
match protocol http
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
match access-group name CSM_ZBF_CMAP_ACL_23
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
match protocol http
match protocol https
match protocol imap3
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
match access-group name CSM_ZBF_CMAP_ACL_32
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
match access-group name CSM_ZBF_CMAP_ACL_11
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
match protocol http
match protocol https
match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
match access-group name CSM_ZBF_CMAP_ACL_22
match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ftp
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
match access-group name CSM_ZBF_CMAP_ACL_33
match class-map CSM_ZBF_CMAP_PLMAP_20
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tftp
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
match access-group name CSM_ZBF_CMAP_ACL_12
match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
match protocol https
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
match access-group name CSM_ZBF_CMAP_ACL_21
match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
match access-group name CSM_ZBF_CMAP_ACL_30
match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
match access-group name CSM_ZBF_CMAP_ACL_13
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
match access-group name CSM_ZBF_CMAP_ACL_20
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
match protocol http
match protocol https
match protocol udp
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
match access-group name CSM_ZBF_CMAP_ACL_31
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map match-all BRANCH-BULK-DATA
match protocol tftp
match protocol nfs
match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
match access-group name CSM_ZBF_CMAP_ACL_14
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
match access-group name CSM_ZBF_CMAP_ACL_27
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
match access-group name CSM_ZBF_CMAP_ACL_36
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
match access-group name CSM_ZBF_CMAP_ACL_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
match access-group name CSM_ZBF_CMAP_ACL_26
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
match protocol tcp
match protocol udp
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_37
match access-group name CSM_ZBF_CMAP_ACL_37
match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
match protocol syslog
match protocol syslog-conn
match protocol snmp
match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
match access-group name CSM_ZBF_CMAP_ACL_16
match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
match protocol http
match protocol https
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
match access-group name CSM_ZBF_CMAP_ACL_25
match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
match protocol ldaps
match protocol ldap
match protocol ldap-admin
match protocol radius
match protocol tacacs
match protocol tacacs-ds
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
match access-group name CSM_ZBF_CMAP_ACL_17
match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
match protocol http
match protocol https
match protocol netbios-ns
match protocol netbios-dgm
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
match access-group name CSM_ZBF_CMAP_ACL_24
match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
match access-group name CSM_ZBF_CMAP_ACL_35
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
match protocol ntp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
match access-group name CSM_ZBF_CMAP_ACL_18
match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
match protocol bootpc
match protocol bootps
match protocol udp
match protocol tcp
match protocol dns
match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
match access-group name CSM_ZBF_CMAP_ACL_19
match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
match access-group name CSM_ZBF_CMAP_ACL_29
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_38
match access-group name CSM_ZBF_CMAP_ACL_38
match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
match access-group name CSM_ZBF_CMAP_ACL_28
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol https
match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
match access-group name CSM_ZBF_CMAP_ACL_3
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
match protocol https
match protocol http
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
match access-group name CSM_ZBF_CMAP_ACL_5
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
match protocol http
match protocol https
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name CSM_ZBF_CMAP_ACL_4
match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
match access-group name CSM_ZBF_CMAP_ACL_7
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
match access-group name CSM_ZBF_CMAP_ACL_6
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
match access-group name CSM_ZBF_CMAP_ACL_9
match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
match protocol http
match protocol https
match protocol ssh
match protocol telnet
match protocol tftp
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
match access-group name CSM_ZBF_CMAP_ACL_8
match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol citrix
match protocol ldap
match protocol telnet
match protocol sqlnet
match protocol http url "*SalesReport*"
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol snmp
match protocol syslog
match protocol dns
match protocol icmp
match protocol ssh
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
!
policy-map BRANCH-LAN-EDGE-OUT
class class-default
policy-map BRANCH-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 12
random-detect dscp-based
class BULK-DATA
bandwidth percent 4
random-detect dscp-based
class SCAVENGER
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
policy-map type inspect CSM_ZBF_POLICY_MAP_18
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_23
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_25
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_36
drop log
class type inspect CSM_ZBF_CLASS_MAP_37
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_24
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_24
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_34
drop log
class type inspect CSM_ZBF_CLASS_MAP_35
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_27
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_15
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_21
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_26
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_38
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
class type inspect CSM_ZBF_CLASS_MAP_15
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_21
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_13
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_20
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_23
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_31
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_33
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_9
class type inspect CSM_ZBF_CLASS_MAP_13
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_12
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
class type inspect CSM_ZBF_CLASS_MAP_9
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_10
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_11
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_8
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_7
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_5
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_4
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_2
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop
policy-map BRANCH-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
!
zone security S_WAN
description Store WAN Link
zone security S_R-2-R
description Bridge link between routers
zone security LOOPBACK
description Loopback interface
zone security S_MGMT
description VLAN1000 Management
zone security S_Security
description VLAN20 Physical Security Systems
zone security S_WAAS
description VLAN19 WAAS optimization
zone security S_WLC-AP
description VLAN18 Wireless Systems
zone security S_Data
description VLAN12 Store Data
zone security S_Data-W
description VLAN14 Store Wireless Data
zone security S_Guest
description VLAN17 Guest/Public Wireless
zone security S_Voice
description VLAN13 Store Voice
zone security S_Partners
description VLAN16 Partner network
zone security S_POS
description VLAN 11 POS Data
zone security S_POS-W
description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self
service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_22
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_26
zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_27
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.110.1 255.255.255.255
ip pim sparse-dense-mode
zone-member security LOOPBACK
!
interface GigabitEthernet0/0
description ROUTER LINK TO SWITCH
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.11
description POS
encapsulation dot1Q 11
ip address 10.10.96.2 255.255.255.0
ip helper-address 192.168.42.130
ip helper-address 192.168.42.111
ip pim sparse-dense-mode
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS
standby 11 ip 10.10.96.1
standby 11 priority 101
standby 11 preempt
ip igmp query-interval 125
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.12
description DATA
encapsulation dot1Q 12
ip address 10.10.97.2 255.255.255.0
ip helper-address 192.168.42.130
ip wccp 61 redirect in
ip pim sparse-dense-mode
zone-member security S_Data
standby 12 ip 10.10.97.1
standby 12 priority 101
standby 12 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.13
description VOICE
encapsulation dot1Q 13
ip address 10.10.98.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Voice
standby 13 ip 10.10.98.1
standby 13 priority 101
standby 13 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.14
description WIRELESS
encapsulation dot1Q 14
ip address 10.10.99.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Data-W
standby 14 ip 10.10.99.1
standby 14 priority 101
standby 14 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.15
description WIRELESS-POS
encapsulation dot1Q 15
ip address 10.10.100.2 255.255.255.0
ip helper-address 192.168.42.130
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS-W
standby 15 ip 10.10.100.1
standby 15 priority 101
standby 15 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.16
description PARTNER
encapsulation dot1Q 16
ip address 10.10.101.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Partners
standby 16 ip 10.10.101.1
standby 16 priority 101
standby 16 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.17
description WIRELESS-GUEST
encapsulation dot1Q 17
ip address 10.10.102.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Guest
standby 17 ip 10.10.102.1
standby 17 priority 101
standby 17 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.18
description WIRELESS-CONTROL
encapsulation dot1Q 18
ip address 10.10.103.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WLC-AP
standby 18 ip 10.10.103.1
standby 18 priority 101
standby 18 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.19
description WAAS
encapsulation dot1Q 19
ip address 10.10.104.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WAAS
standby 19 ip 10.10.104.1
standby 19 priority 101
standby 19 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.20
description SECURITY-SYSTEMS
encapsulation dot1Q 20
ip address 10.10.105.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Security
standby 20 ip 10.10.105.1
standby 20 priority 101
standby 20 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.102
description ROUTER LINK TO
encapsulation dot1Q 102
ip address 10.10.110.29 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
service-policy input BRANCH-LAN-EDGE-IN
!
interface GigabitEthernet0/0.1000
description MANAGEMENT
encapsulation dot1Q 1000
ip address 10.10.111.2 255.255.255.0
zone-member security S_MGMT
standby 100 ip 10.10.111.1
standby 100 priority 101
standby 100 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.101
description ROUTER LINK TO
encapsulation dot1Q 101
ip address 10.10.110.25 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
service-policy input BRANCH-LAN-EDGE-IN
!
interface GigabitEthernet0/2
ip address 10.10.255.96 255.255.255.0
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
!
router ospf 5
router-id 10.10.110.1
redistribute connected subnets
passive-interface default
no passive-interface GigabitEthernet0/0.102
no passive-interface GigabitEthernet0/1.101
network 10.10.0.0 0.0.255.255 area 10
default-information originate
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.10.255.11
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
remark Data Center Mgmt to Devices
permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
remark Data Center VOICE (wired and Wireless)
permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150
ip access-list extended CSM_ZBF_CMAP_ACL_14
remark Store WAAS to Clients and Servers
permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_15
permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152
ip access-list extended CSM_ZBF_CMAP_ACL_16
remark Syslog and SNMP Alerts
permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995
ip access-list extended CSM_ZBF_CMAP_ACL_17
remark Store to Data Center Authentications
permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001
ip access-list extended CSM_ZBF_CMAP_ACL_18
remark Store to Data Center for NTP
permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_19
remark Store to Data Center for DHCP and DNS
permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_2
remark Data Center subscribe to IPS SDEE events
permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039
ip access-list extended CSM_ZBF_CMAP_ACL_21
remark Store UCS Express to Data Center vSphere
permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_22
remark Store NAC
permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037
ip access-list extended CSM_ZBF_CMAP_ACL_23
remark Store to Data Center Physical Security
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049
ip access-list extended CSM_ZBF_CMAP_ACL_24
remark Store WAAS (WAAS Devices need their own zone)
permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_25
remark Store to Data Center wireless controller traffic
permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045
ip access-list extended CSM_ZBF_CMAP_ACL_26
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_27
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_28
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_29
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
remark Permit POS clients to talk to store POS server
permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_31
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_32
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_33
remark Store DATA (wired and Wireless - Access to DC Other applications)
permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_34
remark Store GUEST - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071
ip access-list extended CSM_ZBF_CMAP_ACL_35
remark Store GUEST (access to internet/DMZ web servers)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
remark Store PARTNERS - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067
ip access-list extended CSM_ZBF_CMAP_ACL_37
remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_38
remark Store VOICE (wired and Wireless - Access to corporate wide voice)
permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059
ip access-list extended CSM_ZBF_CMAP_ACL_4
remark Data Center vSphere to UCS Express
permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
remark Data Center to Store Physical Security
permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
remark Data Center WAAS to Store
permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
remark Data Center Wireless Control to AP's and Controllers in stores
permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
remark --Large store Clock Server to CUAE
permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
remark ---LiteScape Application---
permit ip any host 192.168.46.82
permit ip any 239.192.0.0 0.0.0.255
permit ip any host 239.255.255.250
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp any 192.168.46.0 0.0.0.255 eq 7777
permit tcp any 192.168.46.0 0.0.0.255 eq 6003
permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps flash insertion removal
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
login authentication RETAIL
no exec
transport preferred none
transport output none
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
r-a2-lrg-2
!
! Last configuration change at 00:59:26 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:00:56 PST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R-A2-Lrg-2
!
boot-start-marker
boot system flash0 c3900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-660084654
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-660084654
revocation-check none
rsakeypair TP-self-signed-660084654
!
!
crypto pki certificate chain TP-self-signed-660084654
certificate self-signed 01
<removed>
quit
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip port-map user-8443 port tcp 8443
ip inspect log drop-pkt
ip inspect audit-trail
ip ips config location flash0: retries 1 timeout 1
ip ips name Store-IPS
!
ip ips signature-category
category all
retired true
category ios_ips default
retired false
!
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect global
WAAS enable
parameter-map type inspect Inspect-1
audit-trail on
parameter-map type trend-global trend-glob-map
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
license udi pid C3900-SPE150/K9 sn <removed>
hw-module pvdm 0/0
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network ActiveDirectory.cisco-irn.com
host 192.168.42.130
!
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
udp eq 5246
udp eq 5247
!
object-group service CISCO-WAAS
description Ports for Cisco WAAS
tcp eq 4050
!
object-group network EMC-NCM
description EMC Network Configuration Manager
host 192.168.42.122
!
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_81604380995
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object EMC-NCM
group-object RSA-enVision
!
object-group network TACACS
description Cisco Secure ACS server for TACACS and Radius
host 192.168.42.131
!
object-group network RSA-AM
description RSA Authentication Manager for SecureID
host 192.168.42.137
!
object-group network NAC-1
description ISE server for NAC
host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_81604381001
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object ActiveDirectory.cisco-irn.com
group-object TACACS
group-object RSA-AM
group-object NAC-1
!
object-group network NAC-2
host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_81604381037
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object NAC-2
group-object NAC-1
!
object-group network DC-ALL
description All of the Data Center
192.168.0.0 255.255.0.0
!
object-group network Stores-ALL
description all store networks
10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_81604381039
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network WCSManager
description Wireless Manager
host 192.168.43.135
!
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
host 192.168.43.21
host 192.168.43.22
!
object-group network DC-Wifi-MSE
description Mobility Service Engines
host 192.168.43.31
host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_81604381045
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network PAME-DC-1
host 192.168.44.111
!
object-group network MSP-DC-1
description Data Center VSOM
host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_81604381049
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_81604381059
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381067
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381071
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381150
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_dst_rule_81604381152
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network DC-Admin
description DC Admin Systems
host 192.168.41.101
host 192.168.41.102
!
object-group network CSManager
description Cisco Security Manager
host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_81604380993
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object EMC-NCM
group-object CSManager
!
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_81604381021
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381023
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381041
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_81604381043
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_81604381047
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network DC-WAAS
description WAE Appliances in Data Center
host 192.168.48.10
host 192.168.49.10
host 192.168.47.11
host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_81604381051
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-WAAS
!
object-group network CSM_INLINE_src_rule_81604381150
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_src_rule_81604381152
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group service CSM_INLINE_svc_rule_81604380993
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
!
object-group service CSM_INLINE_svc_rule_81604380995
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq syslog
udp eq snmp
udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_81604381001
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq tacacs
udp eq 1812
udp eq 1813
tcp eq 389
tcp eq 636
!
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
tcp eq 5989
tcp eq 8000
tcp eq 902
tcp eq 903
!
object-group service CSM_INLINE_svc_rule_81604381003
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq 22
group-object vCenter-to-ESX4
!
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
udp eq 427
tcp eq 427
!
object-group service CSM_INLINE_svc_rule_81604381005
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object vCenter-to-ESX4
group-object ESX-SLP
!
object-group service ORACLE-RMI
description RMI TCP ports 1300 and 1301-1319.
tcp range 1300 1319
!
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
tcp eq 7001
tcp eq 7002
tcp eq 1521
!
object-group service ORACLE-WAS
description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414
tcp eq 2809
tcp eq 9443
tcp eq 1414
!
object-group service ORACLE-OAS
description OAS uses one port for HTTP and RMI - 12601.
tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_81604381009
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_81604381011
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service HTTPS-8443
tcp eq 8443
!
object-group service CSM_INLINE_svc_rule_81604381013
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381015
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service TOMAX-8990
description Tomax Application Port
tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_81604381017
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_81604381019
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service ICMP-Requests
description ICMP requests
icmp information-request
icmp mask-request
icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_81604381021
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381023
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381025
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service CSM_INLINE_svc_rule_81604381027
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381029
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
udp
tcp eq 443
!
object-group service DNS-Resolving
description Domain Name Server
tcp eq domain
udp eq domain
!
object-group service CSM_INLINE_svc_rule_81604381035
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq bootps
group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_81604381037
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381039
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service CSM_INLINE_svc_rule_81604381041
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
udp eq 12222
udp eq 12223
!
object-group service TFTP
description Trivial File Transfer
tcp eq 69
udp eq tftp
!
object-group service IP-Protocol-97
description IP protocol 97
97
!
object-group service CSM_INLINE_svc_rule_81604381043
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq www
tcp eq 22
tcp eq telnet
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object TFTP
group-object IP-Protocol-97
!
object-group service Cisco-Mobility
description Mobility ports for Wireless
udp eq 16666
udp eq 16667
!
object-group service CSM_INLINE_svc_rule_81604381045
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object Cisco-Mobility
group-object IP-Protocol-97
!
object-group service Microsoft-DS-SMB
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
tcp eq 445
!
object-group service CSM_INLINE_svc_rule_81604381051
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381053
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381055
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381057
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp
tcp-udp eq 5060
tcp eq 2000
tcp eq www
tcp eq 443
group-object TFTP
!
object-group service CSM_INLINE_svc_rule_81604381059
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp-udp eq 5060
tcp eq 2000
!
object-group service CSM_INLINE_svc_rule_81604381061
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381063
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service Netbios
description Netbios Servers
udp eq netbios-dgm
udp eq netbios-ns
tcp eq 139
!
object-group service ORACLE-SIM
description Oracle Store Inventory Management
tcp eq 7777
tcp eq 6003
tcp range 12401 12500
!
object-group service RDP
description Windows Remote Desktop
tcp eq 3389
!
object-group service Workbrain
tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_81604381065
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq ftp
tcp eq www
tcp eq 443
udp eq 88
tcp-udp eq 42
group-object Microsoft-DS-SMB
group-object Netbios
group-object ORACLE-SIM
group-object RDP
group-object Workbrain
!
object-group network DC-Applications
description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager)
192.168.180.0 255.255.254.0
!
object-group network DC-Voice
description Data Center Voice
192.168.45.0 255.255.255.0
!
object-group network MS-Update
description Windows Update Server
host 192.168.42.150
!
object-group network MSExchange
description Mail Server
host 192.168.42.140
!
object-group service NTP
description NTP Protocols
tcp eq 123
udp eq ntp
!
object-group network NTP-Servers
description NTP Servers
host 192.168.62.161
host 162.168.62.162
!
object-group network STORE-POS
10.10.0.0 255.255.0.0
!
object-group network vSphere-1
description vSphere server for Lab
host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
redundancy
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol netbios-dgm
match protocol netbios-ns
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
match access-group name CSM_ZBF_CMAP_ACL_10
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
match protocol http
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
match access-group name CSM_ZBF_CMAP_ACL_23
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
match protocol http
match protocol https
match protocol imap3
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
match access-group name CSM_ZBF_CMAP_ACL_32
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
match access-group name CSM_ZBF_CMAP_ACL_11
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
match protocol http
match protocol https
match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
match access-group name CSM_ZBF_CMAP_ACL_22
match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ftp
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
match access-group name CSM_ZBF_CMAP_ACL_33
match class-map CSM_ZBF_CMAP_PLMAP_20
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tftp
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
match access-group name CSM_ZBF_CMAP_ACL_12
match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
match protocol https
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
match access-group name CSM_ZBF_CMAP_ACL_21
match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
match access-group name CSM_ZBF_CMAP_ACL_30
match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
match access-group name CSM_ZBF_CMAP_ACL_13
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
match access-group name CSM_ZBF_CMAP_ACL_20
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
match protocol http
match protocol https
match protocol udp
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
match access-group name CSM_ZBF_CMAP_ACL_31
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map match-all BRANCH-BULK-DATA
match protocol tftp
match protocol nfs
match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
match access-group name CSM_ZBF_CMAP_ACL_14
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
match access-group name CSM_ZBF_CMAP_ACL_27
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
match access-group name CSM_ZBF_CMAP_ACL_36
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
match access-group name CSM_ZBF_CMAP_ACL_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
match access-group name CSM_ZBF_CMAP_ACL_26
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
match protocol tcp
match protocol udp
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_37
match access-group name CSM_ZBF_CMAP_ACL_37
match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
match protocol syslog
match protocol syslog-conn
match protocol snmp
match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
match access-group name CSM_ZBF_CMAP_ACL_16
match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
match protocol http
match protocol https
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
match access-group name CSM_ZBF_CMAP_ACL_25
match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
match protocol ldaps
match protocol ldap
match protocol ldap-admin
match protocol radius
match protocol tacacs
match protocol tacacs-ds
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
match access-group name CSM_ZBF_CMAP_ACL_17
match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
match protocol http
match protocol https
match protocol netbios-ns
match protocol netbios-dgm
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
match access-group name CSM_ZBF_CMAP_ACL_24
match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
match access-group name CSM_ZBF_CMAP_ACL_35
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
match protocol ntp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
match access-group name CSM_ZBF_CMAP_ACL_18
match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
match protocol bootpc
match protocol bootps
match protocol udp
match protocol tcp
match protocol dns
match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
match access-group name CSM_ZBF_CMAP_ACL_19
match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
match access-group name CSM_ZBF_CMAP_ACL_29
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_38
match access-group name CSM_ZBF_CMAP_ACL_38
match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
match access-group name CSM_ZBF_CMAP_ACL_28
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol https
match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
match access-group name CSM_ZBF_CMAP_ACL_3
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
match protocol https
match protocol http
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
match access-group name CSM_ZBF_CMAP_ACL_5
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
match protocol http
match protocol https
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name CSM_ZBF_CMAP_ACL_4
match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
match access-group name CSM_ZBF_CMAP_ACL_7
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
match access-group name CSM_ZBF_CMAP_ACL_6
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
match access-group name CSM_ZBF_CMAP_ACL_9
match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
match protocol http
match protocol https
match protocol ssh
match protocol telnet
match protocol tftp
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
match access-group name CSM_ZBF_CMAP_ACL_8
match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol citrix
match protocol ldap
match protocol telnet
match protocol sqlnet
match protocol http url "*SalesReport*"
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol snmp
match protocol syslog
match protocol dns
match protocol icmp
match protocol ssh
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
!
policy-map BRANCH-LAN-EDGE-OUT
class class-default
policy-map BRANCH-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 12
random-detect dscp-based
class BULK-DATA
bandwidth percent 4
random-detect dscp-based
class SCAVENGER
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
policy-map type inspect CSM_ZBF_POLICY_MAP_18
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_23
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_25
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_36
drop log
class type inspect CSM_ZBF_CLASS_MAP_37
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_24
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_24
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_34
drop log
class type inspect CSM_ZBF_CLASS_MAP_35
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_27
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_15
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_21
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_26
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_38
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
class type inspect CSM_ZBF_CLASS_MAP_15
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_21
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_13
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_20
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_23
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_31
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_33
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_9
class type inspect CSM_ZBF_CLASS_MAP_13
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_12
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
class type inspect CSM_ZBF_CLASS_MAP_9
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_10
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_11
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_8
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_7
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_5
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_4
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_2
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop
policy-map BRANCH-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
!
zone security S_WAN
description Store WAN Link
zone security S_R-2-R
description Bridge link between routers
zone security LOOPBACK
description Loopback interface
zone security S_MGMT
description VLAN1000 Management
zone security S_Security
description VLAN20 Physical Security Systems
zone security S_WAAS
description VLAN19 WAAS optimization
zone security S_WLC-AP
description VLAN18 Wireless Systems
zone security S_Data
description VLAN12 Store Data
zone security S_Data-W
description VLAN14 Store Wireless Data
zone security S_Guest
description VLAN17 Guest/Public Wireless
zone security S_Voice
description VLAN13 Store Voice
zone security S_Partners
description VLAN16 Partner network
zone security S_POS
description VLAN 11 POS Data
zone security S_POS-W
description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self
service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_22
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_26
zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_27
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.110.2 255.255.255.255
ip pim sparse-dense-mode
zone-member security LOOPBACK
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.102
description ROUTER LINK TO
encapsulation dot1Q 102
ip address 10.10.110.30 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
!
interface GigabitEthernet0/1
description ROUTER LINK TO SWITCH
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.11
description POS
encapsulation dot1Q 11
ip address 10.10.96.3 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS
standby 11 ip 10.10.96.1
standby 11 priority 99
standby 11 preempt
ip igmp query-interval 125
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.12
description DATA
encapsulation dot1Q 12
ip address 10.10.97.3 255.255.255.0
ip helper-address 192.168.42.130
ip wccp 61 redirect in
ip pim sparse-dense-mode
zone-member security S_Data
standby 12 ip 10.10.97.1
standby 12 priority 99
standby 12 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.13
description VOICE
encapsulation dot1Q 13
ip address 10.10.98.3 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Voice
standby 13 ip 10.10.98.1
standby 13 priority 99
standby 13 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.14
description WIRELESS
encapsulation dot1Q 14
ip address 10.10.99.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Data-W
standby 14 ip 10.10.99.1
standby 14 priority 99
standby 14 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.15
description WIRELESS-POS
encapsulation dot1Q 15
ip address 10.10.100.3 255.255.255.0
ip helper-address 192.168.42.130
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS-W
standby 15 ip 10.10.100.1
standby 15 priority 99
standby 15 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.16
description PARTNER
encapsulation dot1Q 16
ip address 10.10.101.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Partners
standby 16 ip 10.10.101.1
standby 16 priority 99
standby 16 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.17
description WIRELESS-GUEST
encapsulation dot1Q 17
ip address 10.10.102.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Guest
standby 17 ip 10.10.102.1
standby 17 priority 99
standby 17 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.18
description WIRELESS-CONTROL
encapsulation dot1Q 18
ip address 10.10.103.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WLC-AP
standby 18 ip 10.10.103.1
standby 18 priority 99
standby 18 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.19
description WAAS
encapsulation dot1Q 19
ip address 10.10.104.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WAAS
standby 19 ip 10.10.104.1
standby 19 priority 99
standby 19 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.20
description SECURITY-SYSTEMS
encapsulation dot1Q 20
ip address 10.10.105.3 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Security
standby 20 ip 10.10.105.1
standby 20 priority 99
standby 20 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.101
description ROUTER LINK TO
encapsulation dot1Q 101
ip address 10.10.110.26 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
!
interface GigabitEthernet0/1.1000
description MANAGEMENT
encapsulation dot1Q 1000
ip address 10.10.111.3 255.255.255.0
zone-member security S_MGMT
standby 100 ip 10.10.111.1
standby 100 priority 99
standby 100 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/2
ip address 10.10.254.96 255.255.255.0
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
!
router ospf 5
router-id 10.10.110.2
redistribute connected subnets
passive-interface default
no passive-interface GigabitEthernet0/0.102
no passive-interface GigabitEthernet0/1.101
network 10.10.0.0 0.0.255.255 area 10
default-information originate
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.10.254.11
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
remark Data Center Mgmt to Devices
permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
remark Data Center VOICE (wired and Wireless)
permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150
ip access-list extended CSM_ZBF_CMAP_ACL_14
remark Store WAAS to Clients and Servers
permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_15
permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152
ip access-list extended CSM_ZBF_CMAP_ACL_16
remark Syslog and SNMP Alerts
permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995
ip access-list extended CSM_ZBF_CMAP_ACL_17
remark Store to Data Center Authentications
permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001
ip access-list extended CSM_ZBF_CMAP_ACL_18
remark Store to Data Center for NTP
permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_19
remark Store to Data Center for DHCP and DNS
permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_2
remark Data Center subscribe to IPS SDEE events
permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039
ip access-list extended CSM_ZBF_CMAP_ACL_21
remark Store UCS Express to Data Center vSphere
permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_22
remark Store NAC
permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037
ip access-list extended CSM_ZBF_CMAP_ACL_23
remark Store to Data Center Physical Security
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049
ip access-list extended CSM_ZBF_CMAP_ACL_24
remark Store WAAS (WAAS Devices need their own zone)
permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_25
remark Store to Data Center wireless controller traffic
permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045
ip access-list extended CSM_ZBF_CMAP_ACL_26
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_27
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_28
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_29
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
remark Permit POS clients to talk to store POS server
permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_31
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_32
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_33
remark Store DATA (wired and Wireless - Access to DC Other applications)
permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_34
remark Store GUEST - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071
ip access-list extended CSM_ZBF_CMAP_ACL_35
remark Store GUEST (access to internet/DMZ web servers)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
remark Store PARTNERS - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067
ip access-list extended CSM_ZBF_CMAP_ACL_37
remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_38
remark Store VOICE (wired and Wireless - Access to corporate wide voice)
permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059
ip access-list extended CSM_ZBF_CMAP_ACL_4
remark Data Center vSphere to UCS Express
permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
remark Data Center to Store Physical Security
permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
remark Data Center WAAS to Store
permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
remark Data Center Wireless Control to AP's and Controllers in stores
permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
remark --Large store Clock Server to CUAE
permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
remark ---LiteScape Application---
permit ip any host 192.168.46.82
permit ip any 239.192.0.0 0.0.0.255
permit ip any host 239.255.255.250
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp any 192.168.46.0 0.0.0.255 eq 7777
permit tcp any 192.168.46.0 0.0.0.255 eq 6003
permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps flash insertion removal
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
login authentication RETAIL
no exec
transport preferred none
transport output none
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
r-a2-med-1
!
! Last configuration change at 00:29:32 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 00:29:32 PSTDST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R-A2-Med-1
!
boot-start-marker
boot system flash0 c2951-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
memory-size iomem 25
clock timezone PST -8 0
clock summer-time PSTDST recurring
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1670063162
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1670063162
revocation-check none
rsakeypair TP-self-signed-1670063162
!
!
crypto pki certificate chain TP-self-signed-1670063162
certificate self-signed 01
<removed>
quit
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip inspect audit-trail
ip ips config location ipstest retries 1 timeout 1
ip ips notify SDEE
ip ips name Retail-PCI
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect global
WAAS enable
parameter-map type inspect Inspect-1
audit-trail on
parameter-map type trend-global trend-glob-map
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
license udi pid STARSCREAM sn <removed>
hw-module pvdm 0/2
!
hw-module sm 1
!
hw-module sm 2
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network ActiveDirectory.cisco-irn.com
host 192.168.42.130
!
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
udp eq 5246
udp eq 5247
!
object-group service CISCO-WAAS
description Ports for Cisco WAAS
tcp eq 4050
!
object-group network EMC-NCM
description EMC Network Configuration Manager
host 192.168.42.122
!
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_81604380995
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object EMC-NCM
group-object RSA-enVision
!
object-group network TACACS
description Csico Secure ACS server for TACACS and Radius
host 192.168.42.131
!
object-group network RSA-AM
description RSA Authentication Manager for SecureID
host 192.168.42.137
!
object-group network NAC-1
description ISE server for NAC
host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_81604381001
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object ActiveDirectory.cisco-irn.com
group-object TACACS
group-object RSA-AM
group-object NAC-1
!
object-group network NAC-2
host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_81604381037
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object NAC-2
group-object NAC-1
!
object-group network DC-ALL
description All of the Data Center
192.168.0.0 255.255.0.0
!
object-group network Stores-ALL
description all store networks
10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_81604381039
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network WCSManager
description Wireless Manager
host 192.168.43.135
!
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
host 192.168.43.21
host 192.168.43.22
!
object-group network DC-Wifi-MSE
description Mobility Service Engines
host 192.168.43.31
host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_81604381045
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network PAME-DC-1
host 192.168.44.111
!
object-group network MSP-DC-1
description Data Center VSOM
host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_81604381049
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_81604381059
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381067
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381071
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381150
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_dst_rule_81604381152
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network DC-Admin
description DC Admin Systems
host 192.168.41.101
host 192.168.41.102
!
object-group network CSManager
description Cisco Security Manager
host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_81604380993
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object EMC-NCM
group-object CSManager
!
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_81604381021
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381023
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381041
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_81604381043
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_81604381047
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network DC-WAAS
description WAE Appliances in Data Center
host 192.168.48.10
host 192.168.49.10
host 192.168.47.11
host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_81604381051
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-WAAS
!
object-group network CSM_INLINE_src_rule_81604381150
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_src_rule_81604381152
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group service CSM_INLINE_svc_rule_81604380993
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
!
object-group service CSM_INLINE_svc_rule_81604380995
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq syslog
udp eq snmp
udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_81604381001
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq tacacs
udp eq 1812
udp eq 1813
tcp eq 389
tcp eq 636
!
object-group service vCenter-to-ESX4
description Communication from vCetner to ESX hosts
tcp eq 5989
tcp eq 8000
tcp eq 902
tcp eq 903
!
object-group service CSM_INLINE_svc_rule_81604381003
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq 22
group-object vCenter-to-ESX4
!
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
udp eq 427
tcp eq 427
!
object-group service CSM_INLINE_svc_rule_81604381005
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object vCenter-to-ESX4
group-object ESX-SLP
!
object-group service ORACLE-RMI
description RMI TCP ports 1300 and 1301-1319.
tcp range 1300 1319
!
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
tcp eq 7001
tcp eq 7002
tcp eq 1521
!
object-group service ORACLE-WAS
description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414
tcp eq 2809
tcp eq 9443
tcp eq 1414
!
object-group service ORACLE-OAS
description OAS uses one port for HTTP and RMI - 12601.
tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_81604381009
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_81604381011
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service HTTPS-8443
tcp eq 8443
!
object-group service CSM_INLINE_svc_rule_81604381013
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381015
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service TOMAX-8990
description Tomax Application Port
tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_81604381017
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_81604381019
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service ICMP-Requests
description ICMP requests
icmp information-request
icmp mask-request
icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_81604381021
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381023
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381025
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service CSM_INLINE_svc_rule_81604381027
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381029
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
udp
tcp eq 443
!
object-group service DNS-Resolving
description Domain Name Server
tcp eq domain
udp eq domain
!
object-group service CSM_INLINE_svc_rule_81604381035
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq bootps
group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_81604381037
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381039
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service CSM_INLINE_svc_rule_81604381041
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
udp eq 12222
udp eq 12223
!
object-group service TFTP
description Trivial File Transfer
tcp eq 69
udp eq tftp
!
object-group service IP-Protocol-97
description IP protocol 97
97
!
object-group service CSM_INLINE_svc_rule_81604381043
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq www
tcp eq 22
tcp eq telnet
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object TFTP
group-object IP-Protocol-97
!
object-group service Cisco-Mobility
description Mobility ports for Wireless
udp eq 16666
udp eq 16667
!
object-group service CSM_INLINE_svc_rule_81604381045
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object Cisco-Mobility
group-object IP-Protocol-97
!
object-group service Microsoft-DS-SMB
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
tcp eq 445
!
object-group service CSM_INLINE_svc_rule_81604381051
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381053
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381055
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381057
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp
tcp-udp eq 5060
tcp eq 2000
tcp eq www
tcp eq 443
group-object TFTP
!
object-group service CSM_INLINE_svc_rule_81604381059
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp-udp eq 5060
tcp eq 2000
!
object-group service CSM_INLINE_svc_rule_81604381061
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381063
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service Netbios
description Netbios Servers
udp eq netbios-dgm
udp eq netbios-ns
tcp eq 139
!
object-group service ORACLE-SIM
description Oracle Store Inventory Management
tcp eq 7777
tcp eq 6003
tcp range 12401 12500
!
object-group service RDP
description Windows Remote Desktop
tcp eq 3389
!
object-group service Workbrain
tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_81604381065
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq ftp
tcp eq www
tcp eq 443
udp eq 88
tcp-udp eq 42
group-object Microsoft-DS-SMB
group-object Netbios
group-object ORACLE-SIM
group-object RDP
group-object Workbrain
!
object-group network DC-Applications
description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager)
192.168.180.0 255.255.254.0
!
object-group network DC-Voice
description Data Center Voice
192.168.45.0 255.255.255.0
!
object-group network MS-Update
description Windows Update Server
host 192.168.42.150
!
object-group network MSExchange
description Mail Server
host 192.168.42.140
!
object-group service NTP
description NTP Protocols
tcp eq 123
udp eq ntp
!
object-group network NTP-Servers
description NTP Servers
host 192.168.62.161
host 162.168.62.162
!
object-group network STORE-POS
10.10.0.0 255.255.0.0
!
object-group network vSphere-1
description vSphere server for Lab
host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
!
redundancy
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol netbios-dgm
match protocol netbios-ns
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
match access-group name CSM_ZBF_CMAP_ACL_10
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
match protocol http
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
match access-group name CSM_ZBF_CMAP_ACL_23
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
match protocol http
match protocol https
match protocol imap3
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
match access-group name CSM_ZBF_CMAP_ACL_32
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
match access-group name CSM_ZBF_CMAP_ACL_11
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
match access-group name CSM_ZBF_CMAP_ACL_22
match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ftp
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
match access-group name CSM_ZBF_CMAP_ACL_33
match class-map CSM_ZBF_CMAP_PLMAP_20
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tftp
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
match access-group name CSM_ZBF_CMAP_ACL_12
match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
match protocol https
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
match access-group name CSM_ZBF_CMAP_ACL_21
match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
match access-group name CSM_ZBF_CMAP_ACL_30
match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
match access-group name CSM_ZBF_CMAP_ACL_13
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
match access-group name CSM_ZBF_CMAP_ACL_20
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
match protocol http
match protocol https
match protocol udp
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
match access-group name CSM_ZBF_CMAP_ACL_31
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map match-all BRANCH-BULK-DATA
match protocol tftp
match protocol nfs
match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
match access-group name CSM_ZBF_CMAP_ACL_14
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
match access-group name CSM_ZBF_CMAP_ACL_27
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
match access-group name CSM_ZBF_CMAP_ACL_36
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
match access-group name CSM_ZBF_CMAP_ACL_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
match access-group name CSM_ZBF_CMAP_ACL_26
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
match protocol tcp
match protocol udp
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_37
match access-group name CSM_ZBF_CMAP_ACL_37
match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
match protocol syslog
match protocol syslog-conn
match protocol snmp
match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
match access-group name CSM_ZBF_CMAP_ACL_16
match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
match protocol http
match protocol https
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
match access-group name CSM_ZBF_CMAP_ACL_25
match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
match protocol ldaps
match protocol ldap
match protocol ldap-admin
match protocol radius
match protocol tacacs
match protocol tacacs-ds
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
match access-group name CSM_ZBF_CMAP_ACL_17
match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
match protocol http
match protocol https
match protocol netbios-ns
match protocol netbios-dgm
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
match access-group name CSM_ZBF_CMAP_ACL_24
match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
match access-group name CSM_ZBF_CMAP_ACL_35
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
match protocol ntp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
match access-group name CSM_ZBF_CMAP_ACL_18
match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
match protocol bootpc
match protocol bootps
match protocol udp
match protocol tcp
match protocol dns
match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
match access-group name CSM_ZBF_CMAP_ACL_19
match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
match access-group name CSM_ZBF_CMAP_ACL_29
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_38
match access-group name CSM_ZBF_CMAP_ACL_38
match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
match access-group name CSM_ZBF_CMAP_ACL_28
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol https
match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
match access-group name CSM_ZBF_CMAP_ACL_3
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
match protocol https
match protocol http
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
match access-group name CSM_ZBF_CMAP_ACL_5
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
match protocol http
match protocol https
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name CSM_ZBF_CMAP_ACL_4
match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
match access-group name CSM_ZBF_CMAP_ACL_7
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
match access-group name CSM_ZBF_CMAP_ACL_6
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
match access-group name CSM_ZBF_CMAP_ACL_9
match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
match protocol http
match protocol https
match protocol ssh
match protocol telnet
match protocol tftp
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
match access-group name CSM_ZBF_CMAP_ACL_8
match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol citrix
match protocol ldap
match protocol telnet
match protocol sqlnet
match protocol http url "*SalesReport*"
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol snmp
match protocol syslog
match protocol dns
match protocol icmp
match protocol ssh
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
!
policy-map BRANCH-LAN-EDGE-OUT
class class-default
policy-map BRANCH-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 12
random-detect dscp-based
class BULK-DATA
bandwidth percent 4
random-detect dscp-based
class SCAVENGER
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
policy-map type inspect CSM_ZBF_POLICY_MAP_18
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_23
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_25
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_36
drop log
class type inspect CSM_ZBF_CLASS_MAP_37
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_24
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_24
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_34
drop log
class type inspect CSM_ZBF_CLASS_MAP_35
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_27
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_15
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_21
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_26
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_38
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
class type inspect CSM_ZBF_CLASS_MAP_15
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_21
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_13
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_20
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_23
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_31
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_33
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_9
class type inspect CSM_ZBF_CLASS_MAP_13
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_12
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
class type inspect CSM_ZBF_CLASS_MAP_9
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_10
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_11
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_8
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_7
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_5
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_4
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_2
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop
policy-map BRANCH-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
!
zone security S_WAN
description Store WAN Link
zone security S_R-2-R
description Bridge link between routers
zone security LOOPBACK
description Loopback interface
zone security S_MGMT
description VLAN1000 Management
zone security S_Security
description VLAN20 Physical Security Systems
zone security S_WAAS
description VLAN19 WAAS optimization
zone security S_WLC-AP
description VLAN18 Wireless Systems
zone security S_Data
description VLAN12 Store Data
zone security S_Data-W
description VLAN14 Store Wireless Data
zone security S_Guest
description VLAN17 Guest/Public Wireless
zone security S_Voice
description VLAN13 Store Voice
zone security S_Partners
description VLAN16 Partner network
zone security S_POS
description VLAN 11 POS Data
zone security S_POS-W
description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self
service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_22
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_26
zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_27
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.126.1 255.255.255.255
ip pim sparse-dense-mode
zone-member security LOOPBACK
!
interface GigabitEthernet0/0
ip address 10.10.255.112 255.255.255.0
ip ips Retail-PCI in
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
interface GigabitEthernet0/1
description ROUTER LINK TO SWITCH
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.11
description POS
encapsulation dot1Q 11
ip address 10.10.112.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_POS
standby 11 ip 10.10.112.1
standby 11 priority 101
standby 11 preempt
ip igmp query-interval 125
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.12
description DATA
encapsulation dot1Q 12
ip address 10.10.113.2 255.255.255.0
ip helper-address 192.168.42.130
ip wccp 61 redirect in
ip pim sparse-dense-mode
zone-member security S_Data
standby 12 ip 10.10.113.1
standby 12 priority 101
standby 12 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.13
description VOICE
encapsulation dot1Q 13
ip address 10.10.114.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Voice
standby 13 ip 10.10.114.1
standby 13 priority 101
standby 13 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.14
description WIRELESS
encapsulation dot1Q 14
ip address 10.10.115.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Data-W
standby 14 ip 10.10.115.1
standby 14 priority 101
standby 14 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.15
description WIRELESS-POS
encapsulation dot1Q 15
ip address 10.10.116.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_POS-W
standby 15 ip 10.10.116.1
standby 15 priority 101
standby 15 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.16
description PARTNER
encapsulation dot1Q 16
ip address 10.10.117.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Partners
standby 16 ip 10.10.117.1
standby 16 priority 101
standby 16 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.17
description WIRELESS-GUEST
encapsulation dot1Q 17
ip address 10.10.118.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Guest
standby 17 ip 10.10.118.1
standby 17 priority 101
standby 17 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.18
description WIRELESS-CONTROL
encapsulation dot1Q 18
ip address 10.10.119.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WLC-AP
standby 18 ip 10.10.119.1
standby 18 priority 101
standby 18 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.19
description WAAS
encapsulation dot1Q 19
ip address 10.10.120.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WAAS
standby 19 ip 10.10.120.1
standby 19 priority 101
standby 19 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.20
description SECURITY-SYSTEMS
encapsulation dot1Q 20
ip address 10.10.121.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Security
standby 20 ip 10.10.121.1
standby 20 priority 101
standby 20 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.102
description ROUTER LINK TO
encapsulation dot1Q 102
ip address 10.10.126.29 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
service-policy input BRANCH-LAN-EDGE-IN
!
interface GigabitEthernet0/1.1000
description MANAGEMENT
encapsulation dot1Q 1000
ip address 10.10.127.2 255.255.255.0
zone-member security S_MGMT
standby 100 ip 10.10.127.1
standby 100 priority 101
standby 100 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.101
description ROUTER LINK TO
encapsulation dot1Q 101
ip address 10.10.126.25 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
service-policy input BRANCH-LAN-EDGE-IN
!
interface SM1/0
ip address 10.10.126.41 255.255.255.252
zone-member security S_WAAS
service-module fail-open
service-module ip address 10.10.126.42 255.255.255.252
service-module ip default-gateway 10.10.126.41
hold-queue 60 out
!
interface SM1/1
description Internal switch interface connected to Service Module
!
interface Vlan1
no ip address
!
!
router ospf 5
router-id 10.10.126.1
redistribute connected subnets
passive-interface default
no passive-interface GigabitEthernet0/1.102
no passive-interface GigabitEthernet0/2.101
network 10.10.0.0 0.0.255.255 area 10
default-information originate
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.10.255.11
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
remark Data Center Mgmt to Devices
permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
remark Data Center VOICE (wired and Wireless)
permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150
ip access-list extended CSM_ZBF_CMAP_ACL_14
remark Store WAAS to Clients and Servers
permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_15
permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152
ip access-list extended CSM_ZBF_CMAP_ACL_16
remark Syslog and SNMP Alerts
permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995
ip access-list extended CSM_ZBF_CMAP_ACL_17
remark Store to Data Center Authentications
permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001
ip access-list extended CSM_ZBF_CMAP_ACL_18
remark Store to Data Center for NTP
permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_19
remark Store to Data Center for DHCP and DNS
permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_2
remark Data Center subscribe to IPS SDEE events
permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039
ip access-list extended CSM_ZBF_CMAP_ACL_21
remark Store UCS Express to Data Center vShphere
permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_22
remark Store NAC
permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037
ip access-list extended CSM_ZBF_CMAP_ACL_23
remark Store to Data Center Physical Security
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049
ip access-list extended CSM_ZBF_CMAP_ACL_24
remark Store WAAS (WAAS Devices need their own zone)
permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_25
remark Store to Data Center wireless controller traffic
permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045
ip access-list extended CSM_ZBF_CMAP_ACL_26
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_27
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_28
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_29
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
remark Permit POS clients to talk to store POS server
permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_31
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_32
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_33
remark Store DATA (wired and Wireless - Access to DC Other applications)
permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_34
remark Store GUEST - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071
ip access-list extended CSM_ZBF_CMAP_ACL_35
remark Store GUEST (access to internet/DMZ web servers)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
remark Store PARTNERS - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067
ip access-list extended CSM_ZBF_CMAP_ACL_37
remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_38
remark Store VOICE (wired and Wireless - Acess to corporate wide voice)
permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059
ip access-list extended CSM_ZBF_CMAP_ACL_4
remark Data Center vSphere to UCS Express
permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
remark Data Center to Store Physical Security
permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
remark Data Center WAAS to Store
permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
remark Data Center Wireless Control to AP's and Controllers in stores
permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
remark --Large store Clock Server to CUAE
permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
remark ---LiteScape Application---
permit ip any host 192.168.46.82
permit ip any 239.192.0.0 0.0.0.255
permit ip any host 239.255.255.250
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp any 192.168.46.0 0.0.0.255 eq 7777
permit tcp any 192.168.46.0 0.0.0.255 eq 6003
permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps flash insertion removal
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
login authentication RETAIL
no exec
transport preferred none
transport output none
line 67
no activation-character
no exec
transport preferred none
transport input ssh
transport output none
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
ntp source Loopback0
ntp update-calendar
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
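Both store routers on this page apply the same management-plane controls: TACACS+ login with local fallback, vty lines restricted to SSH behind access-list 23 with a 15-minute exec timeout, an aux line with `no exec`, `login block-for`, and `no ip source-route`. Two settings deserve a second look. The SNMPv3 group `remoteuser` is created with `noauth` and its users carry no `auth`/`priv` keywords, so the RSA enVision collector polls the router at the noAuthNoPriv security level (neither authenticated nor encrypted; only the `access 88` ACL limits who can query). `logging trap debugging` also sends level-7 output to the collector. The audit script below is an added example, not part of the Cisco appendix or of Cisco Security Manager: it parses a constructed excerpt copied from the lines above (and from the R-A2-MED-2 config that follows) and reports those findings, then shows that an illustrative SNMPv3 `priv` group and user (assumed; passphrases are placeholders) clear them.

```python
"""Audit management-plane settings in an IOS running-config excerpt.
Added example, not from the Cisco appendix. SAMPLE_CONFIG is a constructed
excerpt of lines copied from this page; HARDENED_SNMP is an illustrative
replacement with placeholder passphrases."""
import re

SAMPLE_CONFIG = """\
aaa authentication login RETAIL group tacacs+ local
no ip source-route
ip ssh version 2
login block-for 1800 attempts 6 within 1800
logging trap debugging
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
line aux 0
 exec-timeout 0 1
 no exec
line vty 0 4
 access-class 23 in
 exec-timeout 15 0
 transport input ssh
line vty 5 15
 access-class 23 in
 exec-timeout 15 0
 transport input ssh
"""

# Assumed hardened form: authPriv security level, SHA auth, AES-128 privacy.
HARDENED_SNMP = """\
snmp-server group remoteuser v3 priv
snmp-server user remoteuser remoteuser v3 auth sha <authpass> priv aes 128 <privpass>
"""

# A v3 user line that ends right after "v3" (or "v3 access <acl>") carries no auth/priv keywords.
USER_NOAUTH = re.compile(r"snmp-server user (\S+) (\S+) (?:remote \S+ )?v3(?: access \S+)?$")
GROUP_NOAUTH = re.compile(r"snmp-server group (\S+) v3 noauth")
AAA_LOCAL = re.compile(r"aaa authentication login \S+ .*\blocal\b")


def parse_blocks(text):
    """Return [(top-level line, [indented child lines])]; IOS indents children by one space."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def replace_snmp(text, snmp_block):
    """Drop every snmp-server line from text and append snmp_block instead."""
    kept = [l for l in text.splitlines() if not l.startswith("snmp-server")]
    return "\n".join(kept) + "\n" + snmp_block


def audit(text):
    """Return sorted finding identifiers for the config text."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings = set()
    for h in headers:
        m = GROUP_NOAUTH.match(h)           # group accepts unauthenticated requests
        if m:
            findings.add(f"snmp-v3-noauth:{m.group(1)}")
        m = USER_NOAUTH.match(h)            # no auth/priv keywords -> noAuthNoPriv user
        if m:
            findings.add(f"snmp-v3-user-noauth:{m.group(1)}")
    if "logging trap debugging" in headers:  # level-7 messages forwarded to the collector
        findings.add("logging-trap-debugging")
    if "ip ssh version 2" not in headers:
        findings.add("ssh-v2-missing")
    if "no ip source-route" not in headers:
        findings.add("source-route-enabled")
    if not any(h.startswith("login block-for") for h in headers):
        findings.add("login-block-for-missing")
    if not any(AAA_LOCAL.match(h) for h in headers):
        findings.add("aaa-no-local-fallback")
    for h, kids in blocks:
        if h.startswith("line vty"):
            if not any(k.startswith("access-class") and k.endswith(" in") for k in kids):
                findings.add(f"vty-no-access-class:{h}")
            if "transport input ssh" not in kids:
                findings.add(f"vty-transport-not-ssh-only:{h}")
            if not any(k.startswith("exec-timeout") and k != "exec-timeout 0 0" for k in kids):
                findings.add(f"vty-no-exec-timeout:{h}")
        elif h.startswith("line aux") and "no exec" not in kids:
            findings.add("aux-exec-enabled")
    return sorted(findings)


if __name__ == "__main__":
    print("as configured:", audit(SAMPLE_CONFIG))
    print("with hardened SNMPv3:", audit(replace_snmp(SAMPLE_CONFIG, HARDENED_SNMP)))
```

Run against the excerpt, the audit reports only the SNMPv3 group and user at noAuthNoPriv and the debugging trap level; the vty, aux, SSH, login and AAA checks pass. Swapping in the `priv` group and an `auth sha ... priv aes 128 ...` user removes the SNMP findings while `access 88` continues to limit the source of queries.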
r-a2-med-2
!
! Last configuration change at 23:30:34 PCTime Fri Apr 29 2011 by retail
! NVRAM config last updated at 23:30:35 PCTime Fri Apr 29 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R-A2-MED-2
!
boot-start-marker
boot system flash:c2951-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 500000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-104836678
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-104836678
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-104836678
certificate self-signed 02
<removed>
quit
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
ip multicast-routing
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip port-map user-8443 port tcp 8443
ip ips notify SDEE
ip ips name Retail-PCI
!
ip ips signature-category
category all
retired true
category ios_ips default
retired false
!
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect global
WAAS enable
parameter-map type inspect Inspect-1
audit-trail on
parameter-map type trend-global trend-glob-map
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2951/K9 sn <removed>
hw-module sm 1
!
hw-module sm 2
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network ActiveDirectory.cisco-irn.com
host 192.168.42.130
!
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
udp eq 5246
udp eq 5247
!
object-group service CISCO-WAAS
description Ports for Cisco WAAS
tcp eq 4050
!
object-group network EMC-NCM
description EMC Network Configuration Manager
host 192.168.42.122
!
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_81604380995
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object EMC-NCM
group-object RSA-enVision
!
object-group network TACACS
description Cisco Secure ACS server for TACACS and Radius
host 192.168.42.131
!
object-group network RSA-AM
description RSA Authentication Manager for SecurID
host 192.168.42.137
!
object-group network NAC-1
description ISE server for NAC
host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_81604381001
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object ActiveDirectory.cisco-irn.com
group-object TACACS
group-object RSA-AM
group-object NAC-1
!
object-group network NAC-2
host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_81604381037
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object NAC-2
group-object NAC-1
!
object-group network DC-ALL
description All of the Data Center
192.168.0.0 255.255.0.0
!
object-group network Stores-ALL
description all store networks
10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_81604381039
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network WCSManager
description Wireless Manager
host 192.168.43.135
!
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
host 192.168.43.21
host 192.168.43.22
!
object-group network DC-Wifi-MSE
description Mobility Service Engines
host 192.168.43.31
host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_81604381045
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network PAME-DC-1
host 192.168.44.111
!
object-group network MSP-DC-1
description Data Center VSOM
host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_81604381049
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_81604381059
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381067
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381071
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381150
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_dst_rule_81604381152
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network DC-Admin
description DC Admin Systems
host 192.168.41.101
host 192.168.41.102
!
object-group network CSManager
description Cisco Security Manager
host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_81604380993
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object EMC-NCM
group-object CSManager
!
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_81604381021
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381023
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381041
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_81604381043
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_81604381047
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network DC-WAAS
description WAE Appliances in Data Center
host 192.168.48.10
host 192.168.49.10
host 192.168.47.11
host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_81604381051
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
group-object DC-Admin
group-object DC-WAAS
!
object-group network CSM_INLINE_src_rule_81604381150
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_src_rule_81604381152
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
10.10.126.0 255.255.255.0
10.10.110.0 255.255.255.0
!
object-group service CSM_INLINE_svc_rule_81604380993
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
!
object-group service CSM_INLINE_svc_rule_81604380995
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq syslog
udp eq snmp
udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_81604381001
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq tacacs
udp eq 1812
udp eq 1813
tcp eq 389
tcp eq 636
!
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
tcp eq 5989
tcp eq 8000
tcp eq 902
tcp eq 903
!
object-group service CSM_INLINE_svc_rule_81604381003
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq 22
group-object vCenter-to-ESX4
!
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
udp eq 427
tcp eq 427
!
object-group service CSM_INLINE_svc_rule_81604381005
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object vCenter-to-ESX4
group-object ESX-SLP
!
object-group service ORACLE-RMI
description RMI TCP ports 1300 and 1301-1319.
tcp range 1300 1319
!
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
tcp eq 7001
tcp eq 7002
tcp eq 1521
!
object-group service ORACLE-WAS
description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414
tcp eq 2809
tcp eq 9443
tcp eq 1414
!
object-group service ORACLE-OAS
description OAS uses one port for HTTP and RMI - 12601.
tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_81604381009
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_81604381011
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service HTTPS-8443
tcp eq 8443
!
object-group service CSM_INLINE_svc_rule_81604381013
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381015
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service TOMAX-8990
description Tomax Application Port
tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_81604381017
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_81604381019
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service ICMP-Requests
description ICMP requests
icmp information-request
icmp mask-request
icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_81604381021
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381023
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381025
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service CSM_INLINE_svc_rule_81604381027
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381029
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
udp
tcp eq 443
!
object-group service DNS-Resolving
description Domain Name Server
tcp eq domain
udp eq domain
!
object-group service CSM_INLINE_svc_rule_81604381035
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq bootps
group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_81604381037
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381039
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service CSM_INLINE_svc_rule_81604381041
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
udp eq 12222
udp eq 12223
!
object-group service TFTP
description Trivial File Transfer
tcp eq 69
udp eq tftp
!
object-group service IP-Protocol-97
description IP protocol 97
97
!
object-group service CSM_INLINE_svc_rule_81604381043
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq 443
tcp eq www
tcp eq 22
tcp eq telnet
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object TFTP
group-object IP-Protocol-97
!
object-group service Cisco-Mobility
description Mobility ports for Wireless
udp eq 16666
udp eq 16667
!
object-group service CSM_INLINE_svc_rule_81604381045
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object Cisco-Mobility
group-object IP-Protocol-97
!
object-group service Microsoft-DS-SMB
description Microsoft-DS: Active Directory, Windows shares, SMB file sharing
tcp eq 445
!
object-group service CSM_INLINE_svc_rule_81604381051
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381053
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381055
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp
tcp eq 139
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381057
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
icmp
tcp-udp eq 5060
tcp eq 2000
tcp eq www
tcp eq 443
group-object TFTP
!
object-group service CSM_INLINE_svc_rule_81604381059
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp-udp eq 5060
tcp eq 2000
!
object-group service CSM_INLINE_svc_rule_81604381061
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381063
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service Netbios
description Netbios Servers
udp eq netbios-dgm
udp eq netbios-ns
tcp eq 139
!
object-group service ORACLE-SIM
description Oracle Store Inventory Management
tcp eq 7777
tcp eq 6003
tcp range 12401 12500
!
object-group service RDP
description Windows Remote Desktop
tcp eq 3389
!
object-group service Workbrain
tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_81604381065
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
tcp eq ftp
tcp eq www
tcp eq 443
udp eq 88
tcp-udp eq 42
group-object Microsoft-DS-SMB
group-object Netbios
group-object ORACLE-SIM
group-object RDP
group-object Workbrain
!
object-group network DC-Applications
description Applications in the Data Center that are non-PCI related (Optimized by CS-Manager)
192.168.180.0 255.255.254.0
!
object-group network DC-Voice
description Data Center Voice
192.168.45.0 255.255.255.0
!
object-group network MS-Update
description Windows Update Server
host 192.168.42.150
!
object-group network MSExchange
description Mail Server
host 192.168.42.140
!
object-group service NTP
description NTP Protocols
tcp eq 123
udp eq ntp
!
object-group network NTP-Servers
description NTP Servers
host 192.168.62.161
host 192.168.62.162
!
object-group network STORE-POS
10.10.0.0 255.255.0.0
!
object-group network vSphere-1
description vSphere server for Lab
host 192.168.41.102
!
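Cisco Security Manager builds each `CSM_INLINE_*` group by nesting the hand-made groups above it, so the real scope of a zone-based-firewall rule is only visible once the nesting is flattened. One point worth checking: `CSM_INLINE_svc_rule_81604381051` (likewise `_81604381053`, `_81604381055` and `_81604381029`) contains a bare `tcp` entry, which matches every TCP port, and the class-maps that use these ACLs are `match-all` of the ACL and a `match-any` protocol map that itself lists `match protocol tcp` and `match protocol udp`; the service group in the ACL is therefore the only port restriction that applies. The script below is an added example, not part of the appendix or of CSM: it flattens a constructed excerpt copied from this page (the `CSM_ZBF_CMAP_ACL_6`/`_7` entries are the ones shown for r-a2-med-1 earlier on the page) and flags ACL permits whose service group allows any port of a protocol, reporting how many source and destination addresses each such entry covers.

```python
"""Flatten CSM object-groups and flag ZBF ACL entries that permit any port.
Added example, not from the Cisco appendix. SAMPLE is a constructed excerpt
copied from the object-group and ACL lines on this page."""
import ipaddress
import re

SAMPLE = """\
object-group network DC-Admin
 host 192.168.41.101
 host 192.168.41.102
object-group network DC-WAAS
 host 192.168.48.10
 host 192.168.49.10
 host 192.168.47.11
 host 192.168.47.12
object-group network Stores-ALL
 10.10.0.0 255.255.0.0
object-group network CSM_INLINE_src_rule_81604381051
 group-object DC-Admin
 group-object DC-WAAS
object-group service CISCO-WAAS
 tcp eq 4050
object-group service Microsoft-DS-SMB
 tcp eq 445
object-group service RDP
 tcp eq 3389
object-group service CSM_INLINE_svc_rule_81604381051
 tcp
 tcp eq 139
 group-object CISCO-WAAS
 group-object Microsoft-DS-SMB
ip access-list extended CSM_ZBF_CMAP_ACL_6
 permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
 permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL
"""

PERMIT = re.compile(r"permit object-group (\S+) object-group (\S+) object-group (\S+)")


def parse(text):
    """Split the excerpt into network groups, service groups and ACLs (name -> child lines)."""
    nets, svcs, acls = {}, {}, {}
    current = None
    for raw in text.splitlines():
        if raw.startswith(" "):            # IOS indents members by one space
            if current is not None:
                current.append(raw.strip())
            continue
        m = re.match(r"object-group (network|service) (\S+)", raw)
        if m:
            current = (nets if m.group(1) == "network" else svcs).setdefault(m.group(2), [])
            continue
        m = re.match(r"ip access-list extended (\S+)", raw)
        current = acls.setdefault(m.group(1), []) if m else None
    return nets, svcs, acls


def expand(name, groups, seen=None):
    """Recursively replace group-object references with the leaf lines they name."""
    seen = set() if seen is None else seen
    if name in seen:                       # CSM does not emit cycles, but guard anyway
        return []
    seen.add(name)
    leaves = []
    for line in groups[name]:
        parts = line.split()
        if parts[0] == "group-object":
            leaves += expand(parts[1], groups, seen)
        elif parts[0] != "description":
            leaves.append(parts)
    return leaves


def networks(name, nets):
    """Leaf lines of a network group as ipaddress networks ('host a.b.c.d' or 'net mask')."""
    return {ipaddress.ip_network(f"{p[1]}/32" if p[0] == "host" else f"{p[0]}/{p[1]}")
            for p in expand(name, nets)}


def services(name, svcs):
    """Leaf lines of a service group as (protocol, ports); a bare protocol means any port."""
    return {(p[0], " ".join(p[2:]) if len(p) > 1 else "any") for p in expand(name, svcs)}


def wide_open(nets, svcs, acls):
    """Return {acl: reason} for permits whose service group allows every port of a protocol."""
    found = {}
    for acl, lines in acls.items():
        for line in lines:
            m = PERMIT.match(line)
            if not m:
                continue
            svc, src, dst = m.groups()
            protos = sorted(p for p, ports in services(svc, svcs) if ports == "any")
            if protos:
                n_src = sum(n.num_addresses for n in networks(src, nets))
                n_dst = sum(n.num_addresses for n in networks(dst, nets))
                found[acl] = f"{'/'.join(protos)} any port, {n_src} -> {n_dst} addresses"
    return found


if __name__ == "__main__":
    n, s, a = parse(SAMPLE)
    for acl, why in wide_open(n, s, a).items():
        print(acl, why)
```

On the excerpt, `CSM_ZBF_CMAP_ACL_6` resolves to RDP only and is not reported, while `CSM_ZBF_CMAP_ACL_7` is reported as `tcp any port, 6 -> 65536 addresses`: the two DC admin hosts and the four WAE appliances may open any TCP port on every address in the 10.10.0.0/16 store range, with the `tcp eq 139`, WAAS, 8443 and SMB entries in the same group adding nothing the bare `tcp` does not already cover. Whether that is intended for WAAS is a design decision; the point of the check is that the generated group hides it.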
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
redundancy
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol netbios-dgm
match protocol netbios-ns
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
match access-group name CSM_ZBF_CMAP_ACL_10
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
match protocol http
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
match access-group name CSM_ZBF_CMAP_ACL_23
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
match protocol http
match protocol https
match protocol imap3
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
match access-group name CSM_ZBF_CMAP_ACL_32
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
match access-group name CSM_ZBF_CMAP_ACL_11
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
match protocol http
match protocol https
match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
match access-group name CSM_ZBF_CMAP_ACL_22
match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ftp
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
match access-group name CSM_ZBF_CMAP_ACL_33
match class-map CSM_ZBF_CMAP_PLMAP_20
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tftp
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
match access-group name CSM_ZBF_CMAP_ACL_12
match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
match protocol https
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
match access-group name CSM_ZBF_CMAP_ACL_21
match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
match access-group name CSM_ZBF_CMAP_ACL_30
match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
match access-group name CSM_ZBF_CMAP_ACL_13
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
match access-group name CSM_ZBF_CMAP_ACL_20
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
match protocol http
match protocol https
match protocol udp
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
match access-group name CSM_ZBF_CMAP_ACL_31
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map match-all BRANCH-BULK-DATA
match protocol tftp
match protocol nfs
match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
match access-group name CSM_ZBF_CMAP_ACL_14
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
match access-group name CSM_ZBF_CMAP_ACL_27
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
match access-group name CSM_ZBF_CMAP_ACL_36
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
match access-group name CSM_ZBF_CMAP_ACL_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
match access-group name CSM_ZBF_CMAP_ACL_26
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
match protocol tcp
match protocol udp
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_37
match access-group name CSM_ZBF_CMAP_ACL_37
match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
match protocol syslog
match protocol syslog-conn
match protocol snmp
match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
match access-group name CSM_ZBF_CMAP_ACL_16
match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
match protocol http
match protocol https
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
match access-group name CSM_ZBF_CMAP_ACL_25
match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
match protocol ldaps
match protocol ldap
match protocol ldap-admin
match protocol radius
match protocol tacacs
match protocol tacacs-ds
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
match access-group name CSM_ZBF_CMAP_ACL_17
match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
match protocol http
match protocol https
match protocol netbios-ns
match protocol netbios-dgm
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
match access-group name CSM_ZBF_CMAP_ACL_24
match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
match access-group name CSM_ZBF_CMAP_ACL_35
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
match protocol ntp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
match access-group name CSM_ZBF_CMAP_ACL_18
match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
match protocol bootpc
match protocol bootps
match protocol udp
match protocol tcp
match protocol dns
match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
match access-group name CSM_ZBF_CMAP_ACL_19
match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
match access-group name CSM_ZBF_CMAP_ACL_29
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_38
match access-group name CSM_ZBF_CMAP_ACL_38
match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
match access-group name CSM_ZBF_CMAP_ACL_28
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol https
match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
match access-group name CSM_ZBF_CMAP_ACL_3
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
match protocol https
match protocol http
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
match access-group name CSM_ZBF_CMAP_ACL_5
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
match protocol http
match protocol https
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name CSM_ZBF_CMAP_ACL_4
match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
match access-group name CSM_ZBF_CMAP_ACL_7
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
match access-group name CSM_ZBF_CMAP_ACL_6
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
match access-group name CSM_ZBF_CMAP_ACL_9
match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
match protocol http
match protocol https
match protocol ssh
match protocol telnet
match protocol tftp
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
match access-group name CSM_ZBF_CMAP_ACL_8
match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol citrix
match protocol ldap
match protocol telnet
match protocol sqlnet
match protocol http url "*SalesReport*"
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol snmp
match protocol syslog
match protocol dns
match protocol icmp
match protocol ssh
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
!
policy-map BRANCH-LAN-EDGE-OUT
class class-default
policy-map BRANCH-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 12
random-detect dscp-based
class BULK-DATA
bandwidth percent 4
random-detect dscp-based
class SCAVENGER
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
policy-map type inspect CSM_ZBF_POLICY_MAP_18
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_23
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_25
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_36
drop log
class type inspect CSM_ZBF_CLASS_MAP_37
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_24
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_24
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_34
drop log
class type inspect CSM_ZBF_CLASS_MAP_35
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_27
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_15
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_21
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_26
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_38
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
class type inspect CSM_ZBF_CLASS_MAP_15
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_21
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_13
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_20
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_23
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_31
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_33
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_9
class type inspect CSM_ZBF_CLASS_MAP_13
pass
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_12
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
class type inspect CSM_ZBF_CLASS_MAP_9
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_10
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_11
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_8
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_7
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_5
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_4
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_2
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop
policy-map BRANCH-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
!
zone security S_WAN
description Store WAN Link
zone security S_R-2-R
description Bridge link between routers
zone security LOOPBACK
description Loopback interface
zone security S_MGMT
description VLAN1000 Management
zone security S_Security
description VLAN20 Physical Security Systems
zone security S_WAAS
description VLAN19 WAAS optimization
zone security S_WLC-AP
description VLAN18 Wireless Systems
zone security S_Data
description VLAN12 Store Data
zone security S_Data-W
description VLAN14 Store Wireless Data
zone security S_Guest
description VLAN17 Guest/Public Wireless
zone security S_Voice
description VLAN13 Store Voice
zone security S_Partners
description VLAN16 Partner network
zone security S_POS
description VLAN 11 POS Data
zone security S_POS-W
description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_S_R-2-R-LOOPBACK_1 source S_R-2-R destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_R-2-R-S_MGMT_1 source S_R-2-R destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_R-2-R-S_Security_1 source S_R-2-R destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_R-2-R-S_WAAS_1 source S_R-2-R destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_R-2-R-S_WLC-AP_1 source S_R-2-R destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_R-2-R-self_1 source S_R-2-R destination self
service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_S_R-2-R-S_Data_1 source S_R-2-R destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Data-W_1 source S_R-2-R destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_Guest_1 source S_R-2-R destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_R-2-R-S_Partners_1 source S_R-2-R destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_R-2-R-S_POS_1 source S_R-2-R destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_POS-W_1 source S_R-2-R destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_R-2-R-S_Voice_1 source S_R-2-R destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_self-S_R-2-R_1 source self destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_R-2-R_1 source LOOPBACK destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_R-2-R_1 source S_MGMT destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_R-2-R_1 source S_Security destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_R-2-R_1 source S_WAAS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_R-2-R_1 source S_WLC-AP destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-S_R-2-R_1 source S_POS destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_R-2-R_1 source S_POS-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_22
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-S_R-2-R_1 source S_Data destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Data-W-S_R-2-R_1 source S_Data-W destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_23
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Guest-S_R-2-R_1 source S_Guest destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_24
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Partners-S_R-2-R_1 source S_Partners destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_25
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_26
zone-pair security CSM_S_Voice-S_R-2-R_1 source S_Voice destination S_R-2-R
service-policy type inspect CSM_ZBF_POLICY_MAP_27
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.126.2 255.255.255.255
ip pim sparse-dense-mode
zone-member security LOOPBACK
!
interface GigabitEthernet0/0
ip address 10.10.254.112 255.255.255.0
ip ips Retail-PCI in
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
interface GigabitEthernet0/1
description ROUTER LINK TO SWITCH
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.11
description POS
encapsulation dot1Q 11
ip address 10.10.112.3 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_POS
standby 11 ip 10.10.112.1
standby 11 priority 99
standby 11 preempt
ip igmp query-interval 125
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.12
description DATA
encapsulation dot1Q 12
ip address 10.10.113.3 255.255.255.0
ip helper-address 192.168.42.130
ip wccp 61 redirect in
ip pim sparse-dense-mode
zone-member security S_Data
standby 12 ip 10.10.113.1
standby 12 priority 99
standby 12 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.13
description VOICE
encapsulation dot1Q 13
ip address 10.10.114.3 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Voice
standby 13 ip 10.10.114.1
standby 13 priority 99
standby 13 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.14
description WIRELESS
encapsulation dot1Q 14
ip address 10.10.115.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Data-W
standby 14 ip 10.10.115.1
standby 14 priority 99
standby 14 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.15
description WIRELESS-POS
encapsulation dot1Q 15
ip address 10.10.116.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_POS-W
standby 15 ip 10.10.116.1
standby 15 priority 99
standby 15 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.16
description PARTNER
encapsulation dot1Q 16
ip address 10.10.117.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Partners
standby 16 ip 10.10.117.1
standby 16 priority 99
standby 16 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.17
description WIRELESS-GUEST
encapsulation dot1Q 17
ip address 10.10.118.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Guest
standby 17 ip 10.10.118.1
standby 17 priority 99
standby 17 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.18
description WIRELESS-CONTROL
encapsulation dot1Q 18
ip address 10.10.119.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WLC-AP
standby 18 ip 10.10.119.1
standby 18 priority 99
standby 18 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.19
description WAAS
encapsulation dot1Q 19
ip address 10.10.120.3 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WAAS
standby 19 ip 10.10.120.1
standby 19 priority 99
standby 19 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.20
description SECURITY-SYSTEMS
encapsulation dot1Q 20
ip address 10.10.121.3 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Security
standby 20 ip 10.10.121.1
standby 20 priority 99
standby 20 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.101
description ROUTER LINK TO
encapsulation dot1Q 101
ip address 10.10.126.26 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
service-policy input BRANCH-LAN-EDGE-IN
!
interface GigabitEthernet0/1.1000
description MANAGEMENT
encapsulation dot1Q 1000
ip address 10.10.127.3 255.255.255.0
zone-member security S_MGMT
standby 100 ip 10.10.127.1
standby 100 priority 99
standby 100 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.102
description ROUTER LINK TO
encapsulation dot1Q 102
ip address 10.10.126.30 255.255.255.252
ip pim sparse-dense-mode
zone-member security S_R-2-R
service-policy input BRANCH-LAN-EDGE-IN
!
interface SM1/0
description Video Surveillance VMSS Module
ip address 10.10.126.45 255.255.255.252
zone-member security S_Security
service-module ip address 10.10.126.46 255.255.255.252
!Application: FNDN Running on SM
service-module ip default-gateway 10.10.126.45
hold-queue 60 out
!
interface SM1/1
description Internal switch interface connected to Service Module
!
interface SM2/0
ip address 10.10.126.50 255.255.255.252
zone-member security S_MGMT
service-module ip address 10.10.126.49 255.255.255.252
!Application: SRE-V Running on SMV
service-module ip default-gateway 10.10.126.50
service-module mgf ip address 10.10.125.49 255.255.255.0
hold-queue 60 out
!
interface SM2/1
description Internal switch interface connected to Service Module
!
interface Vlan1
description ESXi Host and Virtual Machines$ES_LAN$
ip address 10.10.125.50 255.255.255.0
zone-member security S_POS
!
!
router ospf 5
router-id 10.10.126.2
redistribute connected subnets
passive-interface default
no passive-interface GigabitEthernet0/1.101
no passive-interface GigabitEthernet0/2.102
network 10.10.0.0 0.0.255.255 area 10
default-information originate
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.10.254.11
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
remark Data Center Mgmt to Devices
permit object-group CSM_INLINE_svc_rule_81604380993 object-group CSM_INLINE_src_rule_81604380993 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381011 object-group DC-POS-Oracle object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381015 object-group DC-POS-SAP object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381019 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381021 object-group CSM_INLINE_src_rule_81604381021 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
remark Data Center VOICE (wired and Wireless)
permit object-group CSM_INLINE_svc_rule_81604381057 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
permit ospf object-group CSM_INLINE_src_rule_81604381150 object-group CSM_INLINE_dst_rule_81604381150
ip access-list extended CSM_ZBF_CMAP_ACL_14
remark Store WAAS to Clients and Servers
permit object-group CSM_INLINE_svc_rule_81604381055 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_15
permit ospf object-group CSM_INLINE_src_rule_81604381152 object-group CSM_INLINE_dst_rule_81604381152
ip access-list extended CSM_ZBF_CMAP_ACL_16
remark Syslog and SNMP Alerts
permit object-group CSM_INLINE_svc_rule_81604380995 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604380995
ip access-list extended CSM_ZBF_CMAP_ACL_17
remark Store to Data Center Authentications
permit object-group CSM_INLINE_svc_rule_81604381001 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381001
ip access-list extended CSM_ZBF_CMAP_ACL_18
remark Store to Data Center for NTP
permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_19
remark Store to Data Center for DHCP and DNS
permit object-group CSM_INLINE_svc_rule_81604381035 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_2
remark Data Center subscribe to IPS SDEE events
permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381039 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381039
ip access-list extended CSM_ZBF_CMAP_ACL_21
remark Store UCS Express to Data Center vSphere
permit object-group CSM_INLINE_svc_rule_81604381005 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_22
remark Store NAC
permit object-group CSM_INLINE_svc_rule_81604381037 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381037
ip access-list extended CSM_ZBF_CMAP_ACL_23
remark Store to Data Center Physical Security
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381049
ip access-list extended CSM_ZBF_CMAP_ACL_24
remark Store WAAS (WAAS Devices need their own zone)
permit object-group CSM_INLINE_svc_rule_81604381053 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_25
remark Store to Data Center wireless controller traffic
permit object-group CSM_INLINE_svc_rule_81604381045 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381045
ip access-list extended CSM_ZBF_CMAP_ACL_26
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381009 object-group STORE-POS object-group DC-POS-Oracle
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381013 object-group STORE-POS object-group DC-POS-SAP
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381017 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_27
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_81604381023 object-group CSM_INLINE_src_rule_81604381023 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_28
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381025 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_29
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381027 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_81604381041 object-group CSM_INLINE_src_rule_81604381041 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
remark Permit POS clients to talk to store POS server
permit object-group CSM_INLINE_svc_rule_81604381029 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_31
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_81604381061 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_32
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_81604381063 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_33
remark Store DATA (wired and Wireless - Access to DC Other applications)
permit object-group CSM_INLINE_svc_rule_81604381065 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_34
remark Store GUEST - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381071
ip access-list extended CSM_ZBF_CMAP_ACL_35
remark Store GUEST (access to internet/DMZ web servers)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
remark Store PARTNERS - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381067
ip access-list extended CSM_ZBF_CMAP_ACL_37
remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_38
remark Store VOICE (wired and Wireless - Access to corporate wide voice)
permit object-group CSM_INLINE_svc_rule_81604381059 object-group Stores-ALL object-group CSM_INLINE_dst_rule_81604381059
ip access-list extended CSM_ZBF_CMAP_ACL_4
remark Data Center vSphere to UCS Express
permit object-group CSM_INLINE_svc_rule_81604381003 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
remark Data Center to Store Physical Security
permit ip object-group CSM_INLINE_src_rule_81604381047 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
remark Data Center WAAS to Store
permit object-group CSM_INLINE_svc_rule_81604381051 object-group CSM_INLINE_src_rule_81604381051 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
remark Data Center Wireless Control to AP's and Controllers in stores
permit object-group CSM_INLINE_svc_rule_81604381043 object-group CSM_INLINE_src_rule_81604381043 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
remark --Large store Clock Server to CUAE
permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
remark ---LiteScape Application---
permit ip any host 192.168.46.82
permit ip any 239.192.0.0 0.0.0.255
permit ip any host 239.255.255.250
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp any 192.168.46.0 0.0.0.255 eq 7777
permit tcp any 192.168.46.0 0.0.0.255 eq 6003
permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps flash insertion removal
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner incoming
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
login authentication RETAIL
no exec
transport preferred none
transport output none
line 67
no activation-character
no exec
transport preferred none
transport input ssh
transport output none
stopbits 1
line 131
no activation-character
no exec
transport preferred none
transport input ssh
transport output none
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler allocate 20000 1000
scheduler interval 500
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
r-a2-mini-1
!
! Last configuration change at 00:50:32 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 00:50:35 PST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R-A2-Mini-1
!
boot-start-marker
boot system flash0 c1900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip port-map user-8443 port tcp 8443
ip inspect log drop-pkt
ip inspect audit-trail
ip ips config location flash0: retries 1 timeout 1
ip ips notify SDEE
ip ips name Store-IPS
!
ip ips signature-category
category all
retired true
category ios_ips default
retired false
!
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect Inspect-1
audit-trail on
parameter-map type inspect global
WAAS enable
parameter-map type trend-global trend-glob-map
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1721465088
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1721465088
revocation-check none
rsakeypair TP-self-signed-1721465088
!
!
crypto pki certificate chain TP-self-signed-1721465088
certificate self-signed 01
<removed>
quit
license udi pid CISCO1941W-A/K9 sn <removed>
hw-module ism 0
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network ActiveDirectory.cisco-irn.com
host 192.168.42.130
!
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
udp eq 5246
udp eq 5247
!
object-group service CISCO-WAAS
description Ports for Cisco WAAS
tcp eq 4050
!
object-group network DC-ALL
description All of the Data Center
192.168.0.0 255.255.0.0
!
object-group network Stores-ALL
description all store networks
10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_68719541425
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network WCSManager
description Wireless Manager
host 192.168.43.135
!
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
host 192.168.43.21
host 192.168.43.22
!
object-group network DC-Wifi-MSE
description Mobility Service Engines
host 192.168.43.31
host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_68719541431
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network PAME-DC-1
host 192.168.44.111
!
object-group network MSP-DC-1
description Data Center VSOM
host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_68719541435
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_68719541457
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541461
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541465
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network EMC-NCM
description EMC Network Configuration Manager
host 192.168.42.122
!
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_73014451187
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object EMC-NCM
group-object RSA-enVision
!
object-group network TACACS
description Cisco Secure ACS server for TACACS and Radius
host 192.168.42.131
!
object-group network RSA-AM
description RSA Authentication Manager for SecureID
host 192.168.42.137
!
object-group network NAC-1
description ISE server for NAC
host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_73014451193
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object ActiveDirectory.cisco-irn.com
group-object TACACS
group-object RSA-AM
group-object NAC-1
!
object-group network NAC-2
host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_73014451223
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object NAC-2
group-object NAC-1
!
object-group network DC-Admin
description DC Admin Systems
host 192.168.41.101
host 192.168.41.102
!
object-group network CSManager
description Cisco Security Manager
host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_68719541409
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object EMC-NCM
group-object CSManager
!
object-group network CSM_INLINE_src_rule_68719541427
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_68719541429
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_68719541433
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network DC-WAAS
description WAE Appliances in Data Center
host 192.168.48.10
host 192.168.49.10
host 192.168.47.11
host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_68719541437
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-WAAS
!
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_73014451215
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_73014451217
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group service CSM_INLINE_svc_rule_68719541409
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
!
object-group service CSM_INLINE_svc_rule_68719541425
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service CSM_INLINE_svc_rule_68719541427
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
udp eq 12222
udp eq 12223
!
object-group service TFTP
description Trivial File Transfer
tcp eq 69
udp eq tftp
!
object-group service IP-Protocol-97
description IP protocol 97
97
!
object-group service CSM_INLINE_svc_rule_68719541429
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq www
tcp eq 22
tcp eq telnet
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object TFTP
group-object IP-Protocol-97
!
object-group service Cisco-Mobility
description Mobility ports for Wireless
udp eq 16666
udp eq 16667
!
object-group service CSM_INLINE_svc_rule_68719541431
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object Cisco-Mobility
group-object IP-Protocol-97
!
object-group service HTTPS-8443
tcp eq 8443
!
object-group service Microsoft-DS-SMB
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
tcp eq 445
!
object-group service CSM_INLINE_svc_rule_68719541437
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541439
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541455
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp
tcp-udp eq 5060
tcp eq 2000
tcp eq www
tcp eq 443
group-object TFTP
!
object-group service CSM_INLINE_svc_rule_68719541457
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp-udp eq 5060
tcp eq 2000
!
object-group service Netbios
description Netbios Servers
udp eq netbios-dgm
udp eq netbios-ns
tcp eq 139
!
object-group service ORACLE-SIM
description Oracle Store Inventory Management
tcp eq 7777
tcp eq 6003
tcp range 12401 12500
!
object-group service RDP
description Windows Remote Desktop
tcp eq 3389
!
object-group service Workbrain
tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_68719541459
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq ftp
tcp eq www
tcp eq 443
udp eq 88
tcp-udp eq 42
group-object Microsoft-DS-SMB
group-object Netbios
group-object ORACLE-SIM
group-object RDP
group-object Workbrain
!
object-group service CSM_INLINE_svc_rule_73014451187
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq syslog
udp eq snmp
udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_73014451193
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq tacacs
udp eq 1812
udp eq 1813
tcp eq 389
tcp eq 636
!
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
tcp eq 5989
tcp eq 8000
tcp eq 902
tcp eq 903
!
object-group service CSM_INLINE_svc_rule_73014451195
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq 22
group-object vCenter-to-ESX4
!
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
udp eq 427
tcp eq 427
!
object-group service CSM_INLINE_svc_rule_73014451197
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object vCenter-to-ESX4
group-object ESX-SLP
!
object-group service ORACLE-RMI
description RMI TCP ports 1300 and 1301-1319.
tcp range 1300 1319
!
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
tcp eq 7001
tcp eq 7002
tcp eq 1521
!
object-group service ORACLE-WAS
description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414
tcp eq 2809
tcp eq 9443
tcp eq 1414
!
object-group service ORACLE-OAS
description OAS uses one port for HTTP and RMI - 12601.
tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_73014451203
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451205
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451207
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451209
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service TOMAX-8990
description Tomax Application Port
tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_73014451211
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_73014451213
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service ICMP-Requests
description ICMP requests
icmp information-request
icmp mask-request
icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_73014451215
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_73014451217
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service DNS-Resolving
description Domain Name Server
tcp eq domain
udp eq domain
!
object-group service CSM_INLINE_svc_rule_73014451221
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq bootps
group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_73014451223
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451388
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_73014451393
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service CSM_INLINE_svc_rule_73014451395
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451397
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
udp
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451404
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451406
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group network DC-Applications
description Applications in the Data Center that are non-PCI related (Optimized by CS-Manager)
192.168.180.0 255.255.254.0
!
object-group network DC-Voice
description Data Center Voice
192.168.45.0 255.255.255.0
!
object-group network MS-Update
description Windows Update Server
host 192.168.42.150
!
object-group network MSExchange
description Mail Server
host 192.168.42.140
!
object-group service NTP
description NTP Protocols
tcp eq 123
udp eq ntp
!
object-group network NTP-Servers
description NTP Servers
host 192.168.62.161
host 162.168.62.162
!
object-group network STORE-POS
10.10.0.0 255.255.0.0
!
object-group network vSphere-1
description vSphere server for Lab
host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
!
redundancy
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol netbios-dgm
match protocol netbios-ns
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
match access-group name CSM_ZBF_CMAP_ACL_10
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
match protocol http
match protocol https
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
match access-group name CSM_ZBF_CMAP_ACL_23
match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
match access-group name CSM_ZBF_CMAP_ACL_32
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
match access-group name CSM_ZBF_CMAP_ACL_11
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
match access-group name CSM_ZBF_CMAP_ACL_22
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
match protocol http
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
match access-group name CSM_ZBF_CMAP_ACL_33
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tftp
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
match access-group name CSM_ZBF_CMAP_ACL_12
match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
match protocol http
match protocol https
match protocol netbios-ns
match protocol netbios-dgm
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
match access-group name CSM_ZBF_CMAP_ACL_21
match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
match protocol http
match protocol https
match protocol imap3
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
match access-group name CSM_ZBF_CMAP_ACL_30
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
match protocol syslog
match protocol syslog-conn
match protocol snmp
match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
match access-group name CSM_ZBF_CMAP_ACL_13
match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
match access-group name CSM_ZBF_CMAP_ACL_20
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ftp
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
match access-group name CSM_ZBF_CMAP_ACL_31
match class-map CSM_ZBF_CMAP_PLMAP_20
class-map match-all BRANCH-BULK-DATA
match protocol tftp
match protocol nfs
match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
match protocol ldaps
match protocol ldap
match protocol ldap-admin
match protocol radius
match protocol tacacs
match protocol tacacs-ds
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
match access-group name CSM_ZBF_CMAP_ACL_14
match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
match protocol http
match protocol https
match protocol udp
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
match access-group name CSM_ZBF_CMAP_ACL_27
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
match access-group name CSM_ZBF_CMAP_ACL_36
match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
match protocol ntp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
match access-group name CSM_ZBF_CMAP_ACL_15
match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
match access-group name CSM_ZBF_CMAP_ACL_26
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
match protocol bootpc
match protocol bootps
match protocol udp
match protocol tcp
match protocol dns
match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
match access-group name CSM_ZBF_CMAP_ACL_16
match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
match access-group name CSM_ZBF_CMAP_ACL_25
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
match access-group name CSM_ZBF_CMAP_ACL_17
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
match access-group name CSM_ZBF_CMAP_ACL_24
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
match protocol tcp
match protocol udp
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
match access-group name CSM_ZBF_CMAP_ACL_35
match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
match protocol https
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
match access-group name CSM_ZBF_CMAP_ACL_18
match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
match protocol http
match protocol https
match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
match access-group name CSM_ZBF_CMAP_ACL_19
match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
match access-group name CSM_ZBF_CMAP_ACL_29
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
match access-group name CSM_ZBF_CMAP_ACL_28
match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol https
match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
match access-group name CSM_ZBF_CMAP_ACL_3
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
match protocol https
match protocol http
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
match access-group name CSM_ZBF_CMAP_ACL_5
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
match protocol http
match protocol https
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name CSM_ZBF_CMAP_ACL_4
match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
match access-group name CSM_ZBF_CMAP_ACL_7
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
match access-group name CSM_ZBF_CMAP_ACL_6
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
match access-group name CSM_ZBF_CMAP_ACL_9
match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
match protocol http
match protocol https
match protocol ssh
match protocol telnet
match protocol tftp
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
match access-group name CSM_ZBF_CMAP_ACL_8
match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol citrix
match protocol ldap
match protocol telnet
match protocol sqlnet
match protocol http url "*SalesReport*"
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol snmp
match protocol syslog
match protocol dns
match protocol icmp
match protocol ssh
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
!
policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Guest
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W
class class-default
drop log
policy-map BRANCH-LAN-EDGE-OUT
class class-default
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS
class class-default
drop log
policy-map BRANCH-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 12
random-detect dscp-based
class BULK-DATA
bandwidth percent 4
random-detect dscp-based
class SCAVENGER
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_18
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_31
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
class type inspect CSM_ZBF_CLASS_MAP_24
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_15
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_23
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_21
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_34
drop log
class type inspect CSM_ZBF_CLASS_MAP_35
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_13
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_21
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_20
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
drop log
class type inspect CSM_ZBF_CLASS_MAP_33
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_36
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_9
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_12
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
class type inspect CSM_ZBF_CLASS_MAP_9
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_10
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_11
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_8
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_7
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_5
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_4
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_2
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_S_Partners_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS
class class-default
drop log
policy-map BRANCH-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W
class class-default
drop log
!
zone security S_WAN
description Store WAN Link
zone security LOOPBACK
description Loopback interface
zone security S_MGMT
description VLAN1000 Management
zone security S_Security
description VLAN20 Physical Security Systems
zone security S_WAAS
description VLAN19 WAAS optimization
zone security S_WLC-AP
description VLAN18 Wireless Systems
zone security S_Data
description VLAN12 Store Data
zone security S_Data-W
description VLAN14 Store Wireless Data
zone security S_Guest
description VLAN17 Guest/Public Wireless
zone security S_Voice
description VLAN13 Store Voice
zone security S_Partners
description VLAN16 Partner network
zone security S_POS
description VLAN 11 POS Data
zone security S_POS-W
description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Guest
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS-W
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS-W
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Partners_S_POS
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_22
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.158.1 255.255.255.255
ip pim sparse-dense-mode
zone-member security LOOPBACK
!
interface GigabitEthernet0/0
ip address 10.10.255.144 255.255.255.0
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.10.158.33 255.255.255.252
zone-member security S_WLC-AP
service-module ip address 10.10.158.34 255.255.255.252
service-module ip default-gateway 10.10.158.33
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description ROUTER LINK TO SWITCH
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.11
description POS
encapsulation dot1Q 11
ip address 10.10.144.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS
standby 11 ip 10.10.144.1
standby 11 priority 101
standby 11 preempt
ip igmp query-interval 125
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.12
description DATA
encapsulation dot1Q 12
ip address 10.10.145.2 255.255.255.0
ip helper-address 192.168.42.130
ip wccp 61 redirect in
ip pim sparse-dense-mode
zone-member security S_Data
standby 12 ip 10.10.145.1
standby 12 priority 101
standby 12 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.13
description VOICE
encapsulation dot1Q 13
ip address 10.10.146.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Voice
standby 13 ip 10.10.146.1
standby 13 priority 101
standby 13 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.14
description WIRELESS
encapsulation dot1Q 14
ip address 10.10.147.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Data-W
standby 14 ip 10.10.147.1
standby 14 priority 101
standby 14 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.15
description WIRELESS-POS
encapsulation dot1Q 15
ip address 10.10.148.2 255.255.255.0
ip helper-address 192.168.42.130
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS-W
standby 15 ip 10.10.148.1
standby 15 priority 101
standby 15 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.16
description PARTNER
encapsulation dot1Q 16
ip address 10.10.149.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Partners
standby 16 ip 10.10.149.1
standby 16 priority 101
standby 16 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.17
description WIRELESS-GUEST
encapsulation dot1Q 17
ip address 10.10.150.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Guest
standby 17 ip 10.10.150.1
standby 17 priority 101
standby 17 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.18
description WIRELESS-CONTROL
encapsulation dot1Q 18
ip address 10.10.151.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WLC-AP
standby 18 ip 10.10.151.1
standby 18 priority 101
standby 18 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.19
description WAAS
encapsulation dot1Q 19
ip address 10.10.152.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WAAS
standby 19 ip 10.10.152.1
standby 19 priority 101
standby 19 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.20
zone-member security S_Security
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/1.1000
description MANAGEMENT
encapsulation dot1Q 1000
ip address 10.10.159.2 255.255.255.0
zone-member security S_MGMT
standby 100 ip 10.10.159.1
standby 100 priority 101
standby 100 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
zone-member security S_WLC-AP
service-module ip address 10.10.158.34 255.255.255.252
service-module ip default-gateway 10.10.158.33
!
interface Vlan1
no ip address
ip ips Store-IPS in
ip ips Store-IPS out
zone-member security S_POS
!
interface Vlan15
no ip address
zone-member security S_POS-W
!
interface Vlan1000
no ip address
zone-member security S_MGMT
!
router ospf 5
router-id 10.10.158.1
passive-interface default
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.10.255.11
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
remark Data Center Mgmt to Devices
permit object-group CSM_INLINE_svc_rule_68719541409 object-group CSM_INLINE_src_rule_68719541409 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451215 object-group CSM_INLINE_src_rule_73014451215 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
remark Data Center VOICE (wired and Wireless)
permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
remark Syslog and SNMP Alerts
permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451187
ip access-list extended CSM_ZBF_CMAP_ACL_14
remark Store to Data Center Authentications
permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451193
ip access-list extended CSM_ZBF_CMAP_ACL_15
remark Store to Data Center for NTP
permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_16
remark Store to Data Center for DHCP and DNS
permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_17
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541425
ip access-list extended CSM_ZBF_CMAP_ACL_18
remark Store UCS Express to Data Center vSphere
permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_19
remark Store NAC
permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451223
ip access-list extended CSM_ZBF_CMAP_ACL_2
remark Data Center subscribe to IPS SDEE events
permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
remark Store to Data Center Physical Security
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435
ip access-list extended CSM_ZBF_CMAP_ACL_21
remark Store WAAS (WAAS Devices need their own zone)
permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_22
remark Store WAAS to Clients and Servers
permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_23
remark Store to Data Center wireless controller traffic
permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541431
ip access-list extended CSM_ZBF_CMAP_ACL_24
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group DC-POS-Oracle
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group DC-POS-SAP
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_25
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451217 object-group CSM_INLINE_src_rule_73014451217 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_26
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_27
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_28
remark Permit POS clients to talk to store POS server
permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_29
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_68719541427 object-group CSM_INLINE_src_rule_68719541427 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_31
remark Store DATA (wired and Wireless - Access to DC Other applications)
permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_32
remark Store GUEST - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465
ip access-list extended CSM_ZBF_CMAP_ACL_33
remark Store GUEST (access to internet/DMZ web servers)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_34
remark Store PARTNERS - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461
ip access-list extended CSM_ZBF_CMAP_ACL_35
remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
remark Store VOICE (wired and Wireless - Access to corporate wide voice)
permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541457
ip access-list extended CSM_ZBF_CMAP_ACL_4
remark Data Center vSphere to UCS Express
permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
remark Data Center to Store Physical Security
permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
remark Data Center WAAS to Store
permit object-group CSM_INLINE_svc_rule_68719541437 object-group CSM_INLINE_src_rule_68719541437 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
remark Data Center Wireless Control to AP's and Controllers in stores
permit object-group CSM_INLINE_svc_rule_68719541429 object-group CSM_INLINE_src_rule_68719541429 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
remark --Large store Clock Server to CUAE
permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
remark ---LiteScape Application---
permit ip any host 192.168.46.82
permit ip any 239.192.0.0 0.0.0.255
permit ip any host 239.255.255.250
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp any 192.168.46.0 0.0.0.255 eq 7777
permit tcp any 192.168.46.0 0.0.0.255 eq 6003
permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group causer v3 priv
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps flash insertion removal
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
login authentication RETAIL
no exec
transport preferred none
transport output none
line 67
no activation-character
no exec
transport preferred none
transport output none
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
R-a2-Small
!
! Last configuration change at 00:44:15 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 00:44:16 PSTDST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R-A2-Small-1
!
boot-start-marker
boot system flash0 c2900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PSTDST recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip port-map user-8443 port tcp 8443
ip ips notify SDEE
ip ips name Retail-PCI
!
ip ips signature-category
category all
retired true
category ios_ips default
retired false
!
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect global
WAAS enable
parameter-map type inspect Inspect-1
audit-trail on
parameter-map type trend-global trend-glob-map
!
!
!
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-503450500
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-503450500
revocation-check none
rsakeypair TP-self-signed-503450500
!
!
crypto pki certificate chain TP-self-signed-503450500
certificate self-signed 01
<removed>
quit
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn <removed>
hw-module ism 0
!
hw-module sm 1
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network ActiveDirectory.cisco-irn.com
host 192.168.42.130
!
object-group service CAPWAP
description CAPWAP UDP ports 5246 and 5247
udp eq 5246
udp eq 5247
!
object-group service CISCO-WAAS
description Ports for Cisco WAAS
tcp eq 4050
!
object-group network DC-ALL
description All of the Data Center
192.168.0.0 255.255.0.0
!
object-group network Stores-ALL
description all store networks
10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_68719541425
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network WCSManager
description Wireless Manager
host 192.168.43.135
!
object-group network DC-Wifi-Controllers
description Central Wireless Controllers for stores
host 192.168.43.21
host 192.168.43.22
!
object-group network DC-Wifi-MSE
description Mobility Service Engines
host 192.168.43.31
host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_68719541431
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network PAME-DC-1
host 192.168.44.111
!
object-group network MSP-DC-1
description Data Center VSOM
host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_68719541435
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_68719541457
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541461
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541465
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network EMC-NCM
description EMC Network Configuration Manager
host 192.168.42.122
!
object-group network RSA-enVision
description RSA EnVision Syslog collector and SIM
host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_73014451187
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object EMC-NCM
group-object RSA-enVision
!
object-group network TACACS
description Cisco Secure ACS server for TACACS and Radius
host 192.168.42.131
!
object-group network RSA-AM
description RSA Authentication Manager for SecureID
host 192.168.42.137
!
object-group network NAC-1
description ISE server for NAC
host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_73014451193
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object ActiveDirectory.cisco-irn.com
group-object TACACS
group-object RSA-AM
group-object NAC-1
!
object-group network NAC-2
host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_73014451223
description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object NAC-2
group-object NAC-1
!
object-group network DC-Admin
description DC Admin Systems
host 192.168.41.101
host 192.168.41.102
!
object-group network CSManager
description Cisco Security Manager
host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_68719541409
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object EMC-NCM
group-object CSManager
!
object-group network CSM_INLINE_src_rule_68719541427
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-ALL
group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_68719541429
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object WCSManager
group-object DC-Wifi-Controllers
group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_68719541433
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object PAME-DC-1
group-object MSP-DC-1
!
object-group network DC-WAAS
description WAE Appliances in Data Center
host 192.168.48.10
host 192.168.49.10
host 192.168.47.11
host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_68719541437
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-WAAS
!
object-group network DC-POS-Tomax
description Tomax POS Communication from Store to Data Center
192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP
description SAP POS Communication from Store to Data Center
192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle
description Oracle POS Communication from Store to Data Center
192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_73014451215
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_73014451217
description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
group-object DC-Admin
group-object DC-POS-Tomax
group-object DC-POS-SAP
group-object DC-POS-Oracle
!
object-group service CSM_INLINE_svc_rule_68719541409
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
!
object-group service CSM_INLINE_svc_rule_68719541425
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service CSM_INLINE_svc_rule_68719541427
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
!
object-group service LWAPP
description LWAPP UDP ports 12222 and 12223
udp eq 12222
udp eq 12223
!
object-group service TFTP
description Trivial File Transfer
tcp eq 69
udp eq tftp
!
object-group service IP-Protocol-97
description IP protocol 97
97
!
object-group service CSM_INLINE_svc_rule_68719541429
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq www
tcp eq 22
tcp eq telnet
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object TFTP
group-object IP-Protocol-97
!
object-group service Cisco-Mobility
description Mobility ports for Wireless
udp eq 16666
udp eq 16667
!
object-group service CSM_INLINE_svc_rule_68719541431
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq isakmp
group-object CAPWAP
group-object LWAPP
group-object Cisco-Mobility
group-object IP-Protocol-97
!
object-group service HTTPS-8443
tcp eq 8443
!
object-group service Microsoft-DS-SMB
description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
tcp eq 445
!
object-group service CSM_INLINE_svc_rule_68719541437
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541439
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object CISCO-WAAS
group-object HTTPS-8443
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541455
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp
tcp-udp eq 5060
tcp eq 2000
tcp eq www
tcp eq 443
group-object TFTP
!
object-group service CSM_INLINE_svc_rule_68719541457
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp-udp eq 5060
tcp eq 2000
!
object-group service Netbios
description Netbios Servers
udp eq netbios-dgm
udp eq netbios-ns
tcp eq 139
!
object-group service ORACLE-SIM
description Oracle Store Inventory Management
tcp eq 7777
tcp eq 6003
tcp range 12401 12500
!
object-group service RDP
description Windows Remote Desktop
tcp eq 3389
!
object-group service Workbrain
tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_68719541459
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq ftp
tcp eq www
tcp eq 443
udp eq 88
tcp-udp eq 42
group-object Microsoft-DS-SMB
group-object Netbios
group-object ORACLE-SIM
group-object RDP
group-object Workbrain
!
object-group service CSM_INLINE_svc_rule_73014451187
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq syslog
udp eq snmp
udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_73014451193
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq tacacs
udp eq 1812
udp eq 1813
tcp eq 389
tcp eq 636
!
object-group service vCenter-to-ESX4
description Communication from vCenter to ESX hosts
tcp eq 5989
tcp eq 8000
tcp eq 902
tcp eq 903
!
object-group service CSM_INLINE_svc_rule_73014451195
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq 22
group-object vCenter-to-ESX4
!
object-group service ESX-SLP
description CIM Service Location Protocol (SLP) for VMware systems
udp eq 427
tcp eq 427
!
object-group service CSM_INLINE_svc_rule_73014451197
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object vCenter-to-ESX4
group-object ESX-SLP
!
object-group service ORACLE-RMI
description RMI TCP ports 1300 and 1301-1319.
tcp range 1300 1319
!
object-group service ORACLE-Weblogic
description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
tcp eq 7001
tcp eq 7002
tcp eq 1521
!
object-group service ORACLE-WAS
description RMI/IIOP over 2809 HTTP over 9443 IBM-MQ 1414
tcp eq 2809
tcp eq 9443
tcp eq 1414
!
object-group service ORACLE-OAS
description OAS uses one port for HTTP and RMI - 12601.
tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_73014451203
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451205
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object ORACLE-RMI
group-object ORACLE-Weblogic
group-object ORACLE-WAS
group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451207
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451209
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
tcp eq 22
group-object HTTPS-8443
!
object-group service TOMAX-8990
description Tomax Application Port
tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_73014451211
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_73014451213
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq 443
group-object TOMAX-8990
!
object-group service ICMP-Requests
description ICMP requests
icmp information-request
icmp mask-request
icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_73014451215
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_73014451217
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
icmp echo
icmp echo-reply
icmp traceroute
icmp unreachable
icmp redirect
icmp alternate-address
group-object ICMP-Requests
!
object-group service DNS-Resolving
description Domain Name Server
tcp eq domain
udp eq domain
!
object-group service CSM_INLINE_svc_rule_73014451221
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
udp eq bootps
group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_73014451223
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451388
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
tcp eq 139
group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_73014451393
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group service CSM_INLINE_svc_rule_73014451395
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451397
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp
udp
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451404
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451406
description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
tcp eq www
tcp eq 443
tcp eq smtp
tcp eq pop3
tcp eq 143
!
object-group network DC-Applications
description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager)
192.168.180.0 255.255.254.0
!
object-group network DC-Voice
description Data Center Voice
192.168.45.0 255.255.255.0
!
object-group network MS-Update
description Windows Update Server
host 192.168.42.150
!
object-group network MSExchange
description Mail Server
host 192.168.42.140
!
object-group service NTP
description NTP Protocols
tcp eq 123
udp eq ntp
!
object-group network NTP-Servers
description NTP Servers
host 192.168.62.161
host 162.168.62.162
!
object-group network POS-Store-SMALL-1
description Small Store POS devices
host 10.10.128.81
host 10.10.128.82
!
object-group network STORE-POS
group-object POS-Store-SMALL-1
!
object-group network vSphere-1
description vSphere server for Lab
host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
redundancy
!
!
!
!
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol netbios-dgm
match protocol netbios-ns
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
match access-group name CSM_ZBF_CMAP_ACL_10
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
match protocol http
match protocol https
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
match access-group name CSM_ZBF_CMAP_ACL_23
match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
match access-group name CSM_ZBF_CMAP_ACL_32
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
match access-group name CSM_ZBF_CMAP_ACL_11
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
match access-group name CSM_ZBF_CMAP_ACL_22
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
match protocol http
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
match access-group name CSM_ZBF_CMAP_ACL_33
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tftp
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
match access-group name CSM_ZBF_CMAP_ACL_12
match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
match protocol http
match protocol https
match protocol netbios-ns
match protocol netbios-dgm
match protocol netbios-ssn
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
match access-group name CSM_ZBF_CMAP_ACL_21
match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
match protocol http
match protocol https
match protocol imap3
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
match access-group name CSM_ZBF_CMAP_ACL_30
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
match protocol syslog
match protocol syslog-conn
match protocol snmp
match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
match access-group name CSM_ZBF_CMAP_ACL_13
match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
match access-group name CSM_ZBF_CMAP_ACL_20
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
match protocol http
match protocol https
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ftp
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
match access-group name CSM_ZBF_CMAP_ACL_31
match class-map CSM_ZBF_CMAP_PLMAP_20
class-map match-all BRANCH-BULK-DATA
match protocol tftp
match protocol nfs
match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
match protocol ldaps
match protocol ldap
match protocol ldap-admin
match protocol radius
match protocol tacacs
match protocol tacacs-ds
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
match access-group name CSM_ZBF_CMAP_ACL_14
match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
match protocol http
match protocol https
match protocol udp
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
match access-group name CSM_ZBF_CMAP_ACL_27
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
match access-group name CSM_ZBF_CMAP_ACL_36
match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
match protocol ntp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
match access-group name CSM_ZBF_CMAP_ACL_15
match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
match access-group name CSM_ZBF_CMAP_ACL_26
match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
match protocol bootpc
match protocol bootps
match protocol udp
match protocol tcp
match protocol dns
match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
match access-group name CSM_ZBF_CMAP_ACL_16
match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
match access-group name CSM_ZBF_CMAP_ACL_25
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
match access-group name CSM_ZBF_CMAP_ACL_17
match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
match access-group name CSM_ZBF_CMAP_ACL_24
match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
match protocol tcp
match protocol udp
match protocol http
match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
match access-group name CSM_ZBF_CMAP_ACL_35
match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
match protocol https
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
match access-group name CSM_ZBF_CMAP_ACL_18
match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
match protocol http
match protocol https
match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
match access-group name CSM_ZBF_CMAP_ACL_19
match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
match access-group name CSM_ZBF_CMAP_ACL_29
match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
match access-group name CSM_ZBF_CMAP_ACL_28
match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol https
match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
match access-group name CSM_ZBF_CMAP_ACL_3
match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
match protocol https
match protocol http
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
match access-group name CSM_ZBF_CMAP_ACL_5
match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
match protocol http
match protocol https
match protocol ssh
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name CSM_ZBF_CMAP_ACL_4
match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
match access-group name CSM_ZBF_CMAP_ACL_7
match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
match access-group name CSM_ZBF_CMAP_ACL_6
match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
match access-group name CSM_ZBF_CMAP_ACL_9
match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
match protocol http
match protocol https
match protocol ssh
match protocol telnet
match protocol tftp
match protocol isakmp
match protocol tcp
match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
match access-group name CSM_ZBF_CMAP_ACL_8
match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol citrix
match protocol ldap
match protocol telnet
match protocol sqlnet
match protocol http url "*SalesReport*"
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol snmp
match protocol syslog
match protocol dns
match protocol icmp
match protocol ssh
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
!
policy-map BRANCH-LAN-EDGE-OUT
class class-default
policy-map BRANCH-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 12
random-detect dscp-based
class BULK-DATA
bandwidth percent 4
random-detect dscp-based
class SCAVENGER
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
policy-map type inspect CSM_ZBF_POLICY_MAP_18
class type inspect CSM_ZBF_CLASS_MAP_28
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_29
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_31
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
class type inspect CSM_ZBF_CLASS_MAP_24
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
class type inspect CSM_ZBF_CLASS_MAP_25
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_26
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_27
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
class type inspect CSM_ZBF_CLASS_MAP_22
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_15
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_23
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_20
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_21
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_30
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_34
drop log
class type inspect CSM_ZBF_CLASS_MAP_35
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_13
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_21
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_20
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_32
drop log
class type inspect CSM_ZBF_CLASS_MAP_33
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_18
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_19
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_36
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_9
class type inspect CSM_ZBF_CLASS_MAP_13
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_14
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_15
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_16
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_17
inspect Inspect-1
class class-default
drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_12
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
class type inspect CSM_ZBF_CLASS_MAP_9
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_10
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_11
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_8
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_6
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_7
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_5
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_4
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_2
inspect Inspect-1
class type inspect CSM_ZBF_CLASS_MAP_3
inspect Inspect-1
class class-default
drop
policy-map BRANCH-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
!
zone security S_WAN
description Store WAN Link
zone security LOOPBACK
description Loopback interface
zone security S_MGMT
description VLAN1000 Management
zone security S_Security
description VLAN20 Physical Security Systems
zone security S_WAAS
description VLAN19 WAAS optimization
zone security S_WLC-AP
description VLAN18 Wireless Systems
zone security S_Data
description VLAN12 Store Data
zone security S_Data-W
description VLAN14 Store Wireless Data
zone security S_Guest
description VLAN17 Guest/Public Wireless
zone security S_Voice
description VLAN13 Store Voice
zone security S_Partners
description VLAN16 Partner network
zone security S_POS
description VLAN 11 POS Data
zone security S_POS-W
description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
service-policy type inspect CSM_ZBF_POLICY_MAP_22
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.142.1 255.255.255.255
ip pim sparse-dense-mode
zone-member security LOOPBACK
!
interface GigabitEthernet0/0
description ROUTER LINK TO SWITCH
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.11
description POS
encapsulation dot1Q 11
ip address 10.10.128.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_POS
standby 11 ip 10.10.128.1
standby 11 priority 101
standby 11 preempt
ip igmp query-interval 125
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.12
description DATA
encapsulation dot1Q 12
ip address 10.10.129.2 255.255.255.0
ip helper-address 192.168.42.130
ip wccp 61 redirect in
ip pim sparse-dense-mode
zone-member security S_Data
standby 12 ip 10.10.129.1
standby 12 priority 101
standby 12 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.13
description VOICE
encapsulation dot1Q 13
ip address 10.10.130.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Voice
standby 13 ip 10.10.130.1
standby 13 priority 101
standby 13 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.14
description WIRELESS
encapsulation dot1Q 14
ip address 10.10.131.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Data-W
standby 14 ip 10.10.131.1
standby 14 priority 101
standby 14 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.15
description WIRELESS-POS
encapsulation dot1Q 15
ip address 10.10.132.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_POS-W
standby 15 ip 10.10.132.1
standby 15 priority 101
standby 15 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.16
description PARTNER
encapsulation dot1Q 16
ip address 10.10.133.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Partners
standby 16 ip 10.10.133.1
standby 16 priority 101
standby 16 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.17
description WIRELESS-GUEST
encapsulation dot1Q 17
ip address 10.10.134.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_Guest
standby 17 ip 10.10.134.1
standby 17 priority 101
standby 17 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.18
description WIRELESS-CONTROL
encapsulation dot1Q 18
ip address 10.10.135.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WLC-AP
standby 18 ip 10.10.135.1
standby 18 priority 101
standby 18 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.19
description WAAS
encapsulation dot1Q 19
ip address 10.10.136.2 255.255.255.0
ip helper-address 192.168.42.130
zone-member security S_WAAS
standby 19 ip 10.10.136.1
standby 19 priority 101
standby 19 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.20
description SECURITY-SYSTEMS
encapsulation dot1Q 20
ip address 10.10.137.2 255.255.255.0
ip helper-address 192.168.42.130
ip pim sparse-dense-mode
zone-member security S_Security
standby 20 ip 10.10.137.1
standby 20 priority 101
standby 20 preempt
service-policy output BRANCH-LAN-EDGE-OUT
!
interface GigabitEthernet0/0.1000
description MANAGEMENT
encapsulation dot1Q 1000
ip address 10.10.143.2 255.255.255.0
zone-member security S_MGMT
standby 100 ip 10.10.143.1
standby 100 priority 101
standby 100 preempt
service-policy input BRANCH-LAN-EDGE-IN
service-policy output BRANCH-LAN-EDGE-OUT
!
interface ISM0/0
no ip address
shutdown
!Application: Online on SME
hold-queue 60 out
!
interface GigabitEthernet0/1
ip address 10.10.255.128 255.255.255.0
ip ips Retail-PCI in
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
interface GigabitEthernet0/2
ip address 10.10.254.128 255.255.255.0
ip ips Retail-PCI in
zone-member security S_WAN
duplex auto
speed auto
service-policy output BRANCH-WAN-EDGE
!
interface ISM0/1
description Internal switch interface connected to Internal Service Module
shutdown
!
interface SM1/0
no ip address
zone-member security S_Security
shutdown
service-module fail-open
hold-queue 60 out
!
interface SM1/1
description Internal switch interface connected to Service Module
!
interface Vlan1
no ip address
zone-member security S_POS
!
!
router ospf 5
router-id 10.10.142.1
passive-interface default
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.10.255.11
ip route 0.0.0.0 0.0.0.0 10.10.254.11 50
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
remark Data Center Mgmt to Devices
permit object-group CSM_INLINE_svc_rule_68719541409 object-group CSM_INLINE_src_rule_68719541409 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group STORE-POS
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451215 object-group CSM_INLINE_src_rule_73014451215 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
remark Data Center VOICE (wired and Wireless)
permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
remark Syslog and SNMP Alerts
permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451187
ip access-list extended CSM_ZBF_CMAP_ACL_14
remark Store to Data Center Authentications
permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451193
ip access-list extended CSM_ZBF_CMAP_ACL_15
remark Store to Data Center for NTP
permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_16
remark Store to Data Center for DHCP and DNS
permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_17
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541425
ip access-list extended CSM_ZBF_CMAP_ACL_18
remark Store UCS Express to Data Center vSphere
permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_19
remark Store NAC
permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451223
ip access-list extended CSM_ZBF_CMAP_ACL_2
remark Data Center subscribe to IPS SDEE events
permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
remark Store to Data Center Physical Security
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435
ip access-list extended CSM_ZBF_CMAP_ACL_21
remark Store WAAS (WAAS Devices need their own zone)
permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_22
remark Store WAAS to Clients and Servers
permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_23
remark Store to Data Center wireless controller traffic
permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541431
ip access-list extended CSM_ZBF_CMAP_ACL_24
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group DC-POS-Oracle
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group DC-POS-SAP
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_25
remark Permit POS systems to talk to Data Center Servers
permit object-group CSM_INLINE_svc_rule_73014451217 object-group CSM_INLINE_src_rule_73014451217 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_26
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_27
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_28
remark Permit POS clients to talk to store POS server
permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_29
remark Store to Data Center for Windows Updates
permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
remark Permit ICMP traffic
permit object-group CSM_INLINE_svc_rule_68719541427 object-group CSM_INLINE_src_rule_68719541427 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
remark Store to Data Center for E-mail
permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_31
remark Store DATA (wired and Wireless - Access to DC Other applications)
permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_32
remark Store GUEST - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465
ip access-list extended CSM_ZBF_CMAP_ACL_33
remark Store GUEST (access to internet/DMZ web servers)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_34
remark Store PARTNERS - Drop Traffic to Enterprise
permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461
ip access-list extended CSM_ZBF_CMAP_ACL_35
remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
remark Store VOICE (wired and Wireless - Access to corporate wide voice)
permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541457
ip access-list extended CSM_ZBF_CMAP_ACL_4
remark Data Center vSphere to UCS Express
permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
remark Data Center to Store Physical Security
permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
remark Data Center WAAS to Store
permit object-group CSM_INLINE_svc_rule_68719541437 object-group CSM_INLINE_src_rule_68719541437 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
remark Data Center Wireless Control to AP's and Controllers in stores
permit object-group CSM_INLINE_svc_rule_68719541429 object-group CSM_INLINE_src_rule_68719541429 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
remark Data Center Mgmt to Devices
permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
remark --Large store Clock Server to CUAE
permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
remark ---LiteScape Application---
permit ip any host 192.168.46.82
permit ip any 239.192.0.0 0.0.0.255
permit ip any host 239.255.255.250
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp any 192.168.46.0 0.0.0.255 eq 7777
permit tcp any 192.168.46.0 0.0.0.255 eq 6003
permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps flash insertion removal
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
no exec
transport preferred none
transport output none
line 67
no activation-character
no exec
transport preferred none
transport input ssh
transport output none
stopbits 1
flowcontrol software
line 131
no activation-character
no exec
transport preferred none
transport input ssh
transport output none
stopbits 1
flowcontrol software
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
RAGG-1-running
!Command: show running-config
!Time: Sun Apr 24 16:49:11 2011
version 5.1(2)
hostname RAGG-1
vdc RAGG-1 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource monitor-session minimum 0 maximum 2
limit-resource monitor-session-erspan-dst minimum 0 maximum 23
limit-resource vrf minimum 2 maximum 1000
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 32 maximum 32
limit-resource u6route-mem minimum 16 maximum 16
limit-resource m4route-mem minimum 48 maximum 48
limit-resource m6route-mem minimum 8 maximum 8
vdc vdc1 id 2
allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/25-32
allocate interface Ethernet2/1-12
boot-order 1
limit-resource vlan minimum 16 maximum 4094
limit-resource monitor-session minimum 0 maximum 2
limit-resource monitor-session-erspan-dst minimum 0 maximum 23
limit-resource vrf minimum 2 maximum 1000
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 8 maximum 8
limit-resource u6route-mem minimum 4 maximum 4
limit-resource m4route-mem minimum 8 maximum 8
limit-resource m6route-mem minimum 5 maximum 5
vdc vdc2 id 3
allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8-24
allocate interface Ethernet2/13-48
boot-order 1
limit-resource vlan minimum 16 maximum 4094
limit-resource monitor-session minimum 0 maximum 2
limit-resource monitor-session-erspan-dst minimum 0 maximum 23
limit-resource vrf minimum 2 maximum 1000
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 8 maximum 8
limit-resource u6route-mem minimum 4 maximum 4
limit-resource m4route-mem minimum 8 maximum 8
limit-resource m6route-mem minimum 5 maximum 5
feature privilege
feature tacacs+
username admin password 5 <removed> role network-admin
username retail password 5 <removed> role network-admin
username bart password 5 <removed> role network-admin
username emc-ncm password 5 <removed> role network-admin
enable secret 5 <removed>
banner motd @
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
@
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip host RAGG-1 192.168.42.36
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
use-vrf management
ip access-list 23
statistics per-entry
10 permit ip 127.0.0.1/32 192.168.42.36/32
20 permit ip 192.168.41.101/32 192.168.42.36/32
30 permit ip 192.168.41.102/32 192.168.42.36/32
40 permit ip 192.168.42.111/32 192.168.42.36/32
50 permit ip 192.168.42.122/32 192.168.42.36/32
60 permit ip 192.168.42.131/32 192.168.42.36/32
70 permit ip 192.168.42.133/32 192.168.42.36/32
80 permit ip 192.168.42.138/32 192.168.42.36/32
90 permit ip 10.19.151.99/32 192.168.42.36/32
100 deny ip any any
ip access-list 88
statistics per-entry
10 permit ip 192.168.42.122/32 192.168.42.36/32
20 deny ip any any
ip access-list copp-system-acl-bgp
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-acl-bgp6
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
ip access-list copp-system-acl-eigrp
10 permit eigrp any any
ip access-list copp-system-acl-ftp
10 permit tcp any any eq ftp-data
20 permit tcp any any eq ftp
30 permit tcp any eq ftp-data any
40 permit tcp any eq ftp any
ip access-list copp-system-acl-glbp
10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-acl-hsrp
10 permit udp any 224.0.0.0/24 eq 1985
ip access-list copp-system-acl-icmp
10 permit icmp any any echo
20 permit icmp any any echo-reply
ipv6 access-list copp-system-acl-icmp6
10 permit icmp any any echo-request
20 permit icmp any any echo-reply
ipv6 access-list copp-system-acl-icmp6-msgs
10 permit icmp any any router-advertisement
20 permit icmp any any router-solicitation
30 permit icmp any any nd-na
40 permit icmp any any nd-ns
50 permit icmp any any mld-query
60 permit icmp any any mld-report
70 permit icmp any any mld-reduction
ip access-list copp-system-acl-igmp
10 permit igmp any 224.0.0.0/3
ip access-list copp-system-acl-msdp
10 permit tcp any gt 1024 any eq 639
20 permit tcp any eq 639 any gt 1024
ip access-list copp-system-acl-ntp
10 permit udp any any eq ntp
20 permit udp any eq ntp any
ipv6 access-list copp-system-acl-ntp6
10 permit udp any any eq ntp
20 permit udp any eq ntp any
ip access-list copp-system-acl-ospf
10 permit ospf any any
ipv6 access-list copp-system-acl-ospf6
10 permit 89 any any
ip access-list copp-system-acl-pim
10 permit pim any 224.0.0.0/24
20 permit udp any any eq pim-auto-rp
ip access-list copp-system-acl-pim-reg
10 permit pim any any
ipv6 access-list copp-system-acl-pim6
10 permit 103 any ff02::d/128
20 permit udp any any eq pim-auto-rp
ip access-list copp-system-acl-radius
10 permit udp any any eq 1812
20 permit udp any any eq 1813
30 permit udp any any eq 1645
40 permit udp any any eq 1646
50 permit udp any eq 1812 any
60 permit udp any eq 1813 any
70 permit udp any eq 1645 any
80 permit udp any eq 1646 any
ipv6 access-list copp-system-acl-radius6
10 permit udp any any eq 1812
20 permit udp any any eq 1813
30 permit udp any any eq 1645
40 permit udp any any eq 1646
50 permit udp any eq 1812 any
60 permit udp any eq 1813 any
70 permit udp any eq 1645 any
80 permit udp any eq 1646 any
ip access-list copp-system-acl-rip
10 permit udp any 224.0.0.0/24 eq rip
ip access-list copp-system-acl-sftp
10 permit tcp any any eq 115
20 permit tcp any eq 115 any
ip access-list copp-system-acl-snmp
10 permit udp any any eq snmp
20 permit udp any any eq snmptrap
ip access-list copp-system-acl-ssh
10 permit tcp any any eq 22
20 permit tcp any eq 22 any
ipv6 access-list copp-system-acl-ssh6
10 permit tcp any any eq 22
20 permit tcp any eq 22 any
ip access-list copp-system-acl-tacacs
10 permit tcp any any eq tacacs
20 permit tcp any eq tacacs any
ipv6 access-list copp-system-acl-tacacs6
10 permit tcp any any eq tacacs
20 permit tcp any eq tacacs any
ip access-list copp-system-acl-telnet
10 permit tcp any any eq telnet
20 permit tcp any any eq 107
30 permit tcp any eq telnet any
40 permit tcp any eq 107 any
ipv6 access-list copp-system-acl-telnet6
10 permit tcp any any eq telnet
20 permit tcp any any eq 107
30 permit tcp any eq telnet any
40 permit tcp any eq 107 any
ip access-list copp-system-acl-tftp
10 permit udp any any eq tftp
20 permit udp any any eq 1758
30 permit udp any eq tftp any
40 permit udp any eq 1758 any
ipv6 access-list copp-system-acl-tftp6
10 permit udp any any eq tftp
20 permit udp any any eq 1758
30 permit udp any eq tftp any
40 permit udp any eq 1758 any
ip access-list copp-system-acl-traceroute
10 permit icmp any any ttl-exceeded
20 permit icmp any any port-unreachable
ip access-list copp-system-acl-undesirable
10 permit udp any any eq 1434
ip access-list copp-system-acl-vpc
10 permit udp any any eq 3200
ip access-list copp-system-acl-vrrp
10 permit 112 any 224.0.0.0/24
class-map type control-plane match-any copp-system-class-critical
match access-group name copp-system-acl-bgp
match access-group name copp-system-acl-bgp6
match access-group name copp-system-acl-eigrp
match access-group name copp-system-acl-igmp
match access-group name copp-system-acl-msdp
match access-group name copp-system-acl-ospf
match access-group name copp-system-acl-ospf6
match access-group name copp-system-acl-pim
match access-group name copp-system-acl-pim6
match access-group name copp-system-acl-rip
match access-group name copp-system-acl-vpc
class-map type control-plane match-any copp-system-class-exception
match exception ip option
match exception ip icmp unreachable
match exception ipv6 option
match exception ipv6 icmp unreachable
class-map type control-plane match-any copp-system-class-important
match access-group name copp-system-acl-glbp
match access-group name copp-system-acl-hsrp
match access-group name copp-system-acl-vrrp
match access-group name copp-system-acl-icmp6-msgs
match access-group name copp-system-acl-pim-reg
class-map type control-plane match-any copp-system-class-management
match access-group name copp-system-acl-ftp
match access-group name copp-system-acl-ntp
match access-group name copp-system-acl-ntp6
match access-group name copp-system-acl-radius
match access-group name copp-system-acl-sftp
match access-group name copp-system-acl-snmp
match access-group name copp-system-acl-ssh
match access-group name copp-system-acl-ssh6
match access-group name copp-system-acl-tacacs
match access-group name copp-system-acl-telnet
match access-group name copp-system-acl-tftp
match access-group name copp-system-acl-tftp6
match access-group name copp-system-acl-radius6
match access-group name copp-system-acl-tacacs6
match access-group name copp-system-acl-telnet6
class-map type control-plane match-any copp-system-class-monitoring
match access-group name copp-system-acl-icmp
match access-group name copp-system-acl-icmp6
match access-group name copp-system-acl-traceroute
class-map type control-plane match-any copp-system-class-normal
match protocol arp
class-map type control-plane match-any copp-system-class-redirect
match redirect dhcp-snoop
match redirect arp-inspect
class-map type control-plane match-any copp-system-class-undesirable
match access-group name copp-system-acl-undesirable
policy-map type control-plane copp-system-policy
class copp-system-class-critical
police cir 39600 kbps bc 250 ms conform transmit violate drop
class copp-system-class-important
police cir 1060 kbps bc 1000 ms conform transmit violate drop
class copp-system-class-management
police cir 10000 kbps bc 250 ms conform transmit violate drop
class copp-system-class-normal
police cir 680 kbps bc 250 ms conform transmit violate drop
class copp-system-class-redirect
police cir 280 kbps bc 250 ms conform transmit violate drop
class copp-system-class-monitoring
police cir 130 kbps bc 1000 ms conform transmit violate drop
class copp-system-class-exception
police cir 360 kbps bc 250 ms conform transmit violate drop
class copp-system-class-undesirable
police cir 32 kbps bc 250 ms conform drop violate drop
class class-default
police cir 100 kbps bc 250 ms conform transmit violate drop
control-plane
service-policy input copp-system-policy
snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey
ntp server 192.168.62.161 use-vrf management
ntp server 192.168.62.162 use-vrf management
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context management
ip route 0.0.0.0/0 192.168.42.1
vlan 1
interface mgmt0
ip address 192.168.42.36/24
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
logout-warning 20
line console
exec-timeout 15
line vty
exec-timeout 15
access-class 23 in
boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-1
boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-1
boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-2
boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-2
logging server 192.168.42.124 6 use-vrf management
RAGG-1-vdc1-running
!Command: show running-config
!Time: Sun Apr 24 16:50:08 2011
version 5.1(2)
hostname vdc1
feature privilege
feature tacacs+
cfs eth distribute
feature ospf
feature pim
feature udld
feature interface-vlan
feature hsrp
feature lacp
feature glbp
feature vpc
username admin password 5 <removed> role vdc-admin
username retail password 5 <removed> role vdc-admin
username emc-ncm password 5 <removed> role vdc-admin
username bart password 5 <removed> role vdc-admin
enable secret 5 <removed>
banner motd @
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
@
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
source-interface loopback0
ip access-list 23
statistics per-entry
10 permit ip 127.0.0.1/32 192.168.1.11/32
20 permit ip 192.168.41.101/32 192.168.1.11/32
30 permit ip 192.168.41.102/32 192.168.1.11/32
40 permit ip 192.168.42.111/32 192.168.1.11/32
50 permit ip 192.168.42.122/32 192.168.1.11/32
60 permit ip 192.168.42.131/32 192.168.1.11/32
70 permit ip 192.168.42.133/32 192.168.1.11/32
80 permit ip 192.168.42.138/32 192.168.1.11/32
90 permit ip 10.19.151.99/32 192.168.1.11/32
100 deny ip any any
ip access-list 88
statistics per-entry
10 permit ip 192.168.42.122/32 192.168.1.11/32
20 deny ip any any
snmp-server source-interface trap loopback0
snmp-server source-interface inform loopback0
snmp-server user bart vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm vdc-admin auth md5 <removed> priv <removed> localizedkey
no snmp-server enable traps entity entity_mib_change
no snmp-server enable traps entity entity_module_status_change
no snmp-server enable traps entity entity_power_status_change
no snmp-server enable traps entity entity_module_inserted
no snmp-server enable traps entity entity_module_removed
no snmp-server enable traps entity entity_unrecognised_module
no snmp-server enable traps entity entity_fan_status_change
no snmp-server enable traps entity entity_power_out_change
no snmp-server enable traps link linkDown
no snmp-server enable traps link linkUp
no snmp-server enable traps link IETF-extended-linkDown
no snmp-server enable traps link IETF-extended-linkUp
no snmp-server enable traps link cisco-extended-linkDown
no snmp-server enable traps link cisco-extended-linkUp
snmp-server enable traps callhome event-notify
snmp-server enable traps callhome smtp-send-fail
snmp-server enable traps cfs state-change-notif
snmp-server enable traps cfs merge-failure
no snmp-server enable traps rf redundancy_framework
snmp-server enable traps aaa server-state-change
no snmp-server enable traps license notify-license-expiry
no snmp-server enable traps license notify-no-license-for-feature
no snmp-server enable traps license notify-licensefile-missing
no snmp-server enable traps license notify-license-expiry-warning
snmp-server enable traps hsrp state-change
no snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion
no snmp-server enable traps upgrade UpgradeJobStatusNotify
snmp-server enable traps feature-control FeatureOpStatusChange
snmp-server enable traps link cisco-xcvr-mon-status-chg
snmp-server enable traps vtp notifs
snmp-server enable traps vtp vlancreate
snmp-server enable traps vtp vlandelete
snmp-server enable traps bridge newroot
snmp-server enable traps bridge topologychange
snmp-server enable traps stpx inconsistency
snmp-server enable traps stpx root-inconsistency
snmp-server enable traps stpx loop-inconsistency
aaa authentication login default group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context management
vlan 1,3,151,161
interface Vlan1
interface Vlan3
no shutdown
ip address 192.168.10.61/30
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 <removed>
ip ospf dead-interval 3
ip ospf hello-interval 1
ip router ospf 5 area 0.0.0.0
interface Vlan151
no shutdown
ip address 192.168.152.3/24
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 <removed>
ip ospf priority 3
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 1
authentication text c1sc0
preempt delay minimum 180
priority 10 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.152.1
interface Vlan161
no shutdown
ip address 192.168.162.3/24
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 <removed>
ip ospf priority 5
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 1
authentication text c1sc0
preempt delay minimum 180
priority 10 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.162.1
interface port-channel99
switchport
switchport mode trunk
spanning-tree port type network
interface Ethernet1/1
description 10Gig LINK to RCORE-1 T2/1
no switchport
logging event port link-status
no ip redirects
ip address 192.168.10.14/30
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 <removed>
ip ospf dead-interval 6
ip ospf hello-interval 2
ip ospf network point-to-point
ip router ospf 5 area 0.0.0.0
ip pim sparse-mode
ip igmp version 3
no shutdown
interface Ethernet1/3
description 10Gig LINK to RCORE-2 T2/1
no switchport
logging event port link-status
no ip redirects
ip address 192.168.10.22/30
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 <removed>
ip ospf dead-interval 6
ip ospf hello-interval 2
ip ospf network point-to-point
ip router ospf 5 area 0.0.0.0
ip pim sparse-mode
ip igmp version 3
no shutdown
interface Ethernet1/5
description to DC-ASA-1 vc1 T0/6
switchport
switchport mode trunk
switchport trunk allowed vlan 161
spanning-tree port type normal
no shutdown
interface Ethernet1/7
description to DC-ASA-1 vc2 T0/8
switchport
switchport mode trunk
switchport trunk allowed vlan 151
spanning-tree port type normal
no shutdown
interface Ethernet1/25
no switchport
interface Ethernet1/26
no switchport
interface Ethernet1/27
no switchport
interface Ethernet1/28
no switchport
interface Ethernet1/29
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
channel-group 99 mode active
no shutdown
interface Ethernet1/30
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
channel-group 99 mode active
no shutdown
interface Ethernet1/31
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
channel-group 99 mode active
no shutdown
interface Ethernet1/32
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
channel-group 99 mode active
no shutdown
interface Ethernet2/1
no switchport
interface Ethernet2/2
no switchport
interface Ethernet2/3
no switchport
interface Ethernet2/4
no switchport
interface Ethernet2/5
no switchport
interface Ethernet2/6
no switchport
interface Ethernet2/7
no switchport
interface Ethernet2/8
no switchport
interface Ethernet2/9
no switchport
interface Ethernet2/10
no switchport
interface Ethernet2/11
no switchport
interface Ethernet2/12
no switchport
interface loopback0
ip address 192.168.1.11/32
ip router ospf 5 area 0.0.0.0
logging server 192.168.42.124 6
logging source-interface loopback 0
logout-warning 20
line console
exec-timeout 15
line vty
exec-timeout 15
access-class 23 in
router ospf 5
router-id 192.168.1.11
area 0.0.0.81 nssa
area 0.0.0.0 range 192.168.1.11/32
area 0.0.0.0 range 192.168.10.12/30
area 0.0.0.0 range 192.168.10.20/30
area 0.0.0.0 range 192.168.10.60/30
area 0.0.0.81 range 192.168.152.0/24
area 0.0.0.81 range 192.168.162.0/24
area 0.0.0.0 authentication message-digest
area 0.0.0.81 authentication message-digest
timers throttle spf 10 100 5000
auto-cost reference-bandwidth 10000
ip pim ssm range 232.0.0.0/8
RAGG-1-vdc2-running
!Command: show running-config
!Time: Sun Apr 24 16:50:48 2011
version 5.1(2)
hostname vdc2
feature privilege
feature tacacs+
cfs eth distribute
feature ospf
feature pim
feature udld
feature interface-vlan
feature hsrp
feature lacp
feature vpc
username admin password 5 <removed> role vdc-admin
username retail password 5 <removed> role vdc-admin
username bart password 5 <removed> role vdc-admin
username emc-ncm password 5 <removed> role vdc-admin
enable secret 5 <removed>
banner motd @
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
@
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
use-vrf servers1
source-interface loopback0
ip access-list 23
statistics per-entry
10 permit ip 127.0.0.1/32 192.168.1.31/32
20 permit ip 192.168.41.101/32 192.168.1.31/32
30 permit ip 192.168.41.102/32 192.168.1.31/32
40 permit ip 192.168.42.111/32 192.168.1.31/32
50 permit ip 192.168.42.122/32 192.168.1.31/32
60 permit ip 192.168.42.131/32 192.168.1.31/32
70 permit ip 192.168.42.133/32 192.168.1.31/32
80 permit ip 192.168.42.138/32 192.168.1.31/32
90 permit ip 10.19.151.99/32 192.168.1.31/32
100 deny ip any any
ip access-list 88
statistics per-entry
10 permit ip 192.168.42.122/32 192.168.1.31/32
20 deny ip any any
snmp-server source-interface trap loopback0
snmp-server source-interface inform loopback0
snmp-server user bart vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm vdc-admin auth md5 <removed> priv <removed> localizedkey
no snmp-server enable traps entity entity_mib_change
no snmp-server enable traps entity entity_module_status_change
no snmp-server enable traps entity entity_power_status_change
no snmp-server enable traps entity entity_module_inserted
no snmp-server enable traps entity entity_module_removed
no snmp-server enable traps entity entity_unrecognised_module
no snmp-server enable traps entity entity_fan_status_change
no snmp-server enable traps entity entity_power_out_change
no snmp-server enable traps link linkDown
no snmp-server enable traps link linkUp
no snmp-server enable traps link IETF-extended-linkDown
no snmp-server enable traps link IETF-extended-linkUp
no snmp-server enable traps link cisco-extended-linkDown
no snmp-server enable traps link cisco-extended-linkUp
snmp-server enable traps callhome event-notify
snmp-server enable traps callhome smtp-send-fail
snmp-server enable traps cfs state-change-notif
snmp-server enable traps cfs merge-failure
no snmp-server enable traps rf redundancy_framework
snmp-server enable traps aaa server-state-change
no snmp-server enable traps license notify-license-expiry
no snmp-server enable traps license notify-no-license-for-feature
no snmp-server enable traps license notify-licensefile-missing
no snmp-server enable traps license notify-license-expiry-warning
snmp-server enable traps hsrp state-change
no snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion
no snmp-server enable traps upgrade UpgradeJobStatusNotify
snmp-server enable traps feature-control FeatureOpStatusChange
snmp-server enable traps link cisco-xcvr-mon-status-chg
snmp-server enable traps vtp notifs
snmp-server enable traps vtp vlancreate
snmp-server enable traps vtp vlandelete
snmp-server enable traps bridge newroot
snmp-server enable traps bridge topologychange
snmp-server enable traps stpx inconsistency
snmp-server enable traps stpx root-inconsistency
snmp-server enable traps stpx loop-inconsistency
aaa authentication login default group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context VPC
vrf context servers1
ip route 0.0.0.0/0 192.168.162.1
ip route 192.168.41.0/24 192.168.42.135
ip pim ssm range 232.0.0.0/8
vrf context servers2
ip pim ssm range 232.0.0.0/8
vrf context management
vlan 1
vlan 36
name DeviceMgmtHigh
vlan 37
name DeviceMgmtLow
vlan 38
name UIM-OS-INSTALL
vlan 40-41
vlan 42
name CoreManagement
vlan 43
name WirelessSystems
vlan 44
name PhysicalSec
vlan 45
name VOICE
vlan 52
name POS
vlan 151-152,154,161-162,164,180-181
spanning-tree domain 777
spanning-tree vlan 1 priority 4096
ip prefix-list VLAN41 seq 5 permit 192.168.41.0/24
route-map VLAN41 permit 20
match ip address prefix-list VLAN41
vpc domain 99
peer-switch
peer-keepalive destination 192.168.10.66 source 192.168.10.65 vrf VPC
peer-gateway
interface Vlan1
no shutdown
no ip redirects
interface Vlan36
no shutdown
description DeviceMgmtHigh
vrf member servers1
no ip redirects
ip address 192.168.36.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 110 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.36.1
interface Vlan37
no shutdown
description DeviceMgmtLow
vrf member servers1
no ip redirects
ip address 192.168.37.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 110 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.37.1
interface Vlan38
no shutdown
description UIM OS Install only
vrf member servers1
no ip redirects
ip address 192.168.38.201/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
interface Vlan40
no shutdown
vrf member servers1
no ip redirects
ip address 192.168.40.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 120 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.40.1
interface Vlan41
shutdown
description SHUTDOWN - NOW ROUTE VIA HyTrust
vrf member servers1
no ip redirects
ip address 192.168.41.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 120 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.41.1
interface Vlan42
no shutdown
vrf member servers1
no ip redirects
ip address 192.168.42.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 120 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.42.1
interface Vlan43
no shutdown
description Wireless Systems
vrf member servers1
no ip redirects
ip address 192.168.43.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 110 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.43.1
interface Vlan44
no shutdown
description Wireless Systems
vrf member servers1
no ip redirects
ip address 192.168.44.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 110 forwarding-threshold lower 0 upper 0
timers 1 3
ip 192.168.44.1
interface Vlan45
no shutdown
description VOICE
vrf member servers1
no ip redirects
ip address 192.168.45.3/24
ip ospf passive-interface
ip router ospf 5 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 110 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.45.1
interface Vlan52
  no shutdown
  description POS
  vrf member servers1
  no ip redirects
  ip address 192.168.52.3/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 110 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.52.1
interface Vlan154
  no shutdown
  vrf member servers2
  no ip redirects
  ip address 192.168.152.5/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 110 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.152.7
interface Vlan164
  no shutdown
  vrf member servers1
  no ip redirects
  ip address 192.168.162.5/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 120 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.162.7
interface Vlan180
  no shutdown
  vrf member servers1
  no ip redirects
  ip address 192.168.180.3/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 120 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.180.1
interface Vlan181
  no shutdown
  vrf member servers2
  no ip redirects
  ip address 192.168.181.3/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 110 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.181.1
interface port-channel1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-42,44
  vpc 1
interface port-channel2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-42,44
  vpc 2
interface port-channel3
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  vpc 3
interface port-channel4
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  vpc 4
interface port-channel11
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  spanning-tree port type edge trunk
  vpc 11
interface port-channel12
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  spanning-tree port type edge trunk
  vpc 12
interface port-channel99
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 36-52
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link
interface Ethernet1/2
  description F-UCS-1_E2/1 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  channel-group 11 mode active
  no shutdown
interface Ethernet1/4
  description F-UCS-1_E2/2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  channel-group 11 mode active
  no shutdown
interface Ethernet1/6
  description F-UCS-2_E2/1 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  channel-group 12 mode active
  no shutdown
interface Ethernet1/8
  description F-UCS-2_E2/2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  channel-group 12 mode active
  no shutdown
interface Ethernet1/9
  description SACCESS-3 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  channel-group 3 mode active
  no shutdown
interface Ethernet1/10
  description SACCESS-3 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  channel-group 3 mode active
  no shutdown
interface Ethernet1/11
  description SACCESS-4 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  channel-group 4 mode active
  no shutdown
interface Ethernet1/12
  description SACCESS-4 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  channel-group 4 mode active
  no shutdown
interface Ethernet1/13
  description SACCESS-1 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-42,44
  channel-group 1 mode active
  no shutdown
interface Ethernet1/14
  description SACCESS-2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-42,44
  channel-group 2 mode active
  no shutdown
interface Ethernet1/15
  description to RSERV-1 T2/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 162
  spanning-tree port type normal
  no shutdown
interface Ethernet1/16
  description to RSERV-1 T2/2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 152
  spanning-tree port type normal
  no shutdown
interface Ethernet1/17
  description to RSERV-1 T2/5
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 41-44,164
  spanning-tree port type normal
  no shutdown
interface Ethernet1/18
  description to RSERV-1 T2/6
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 154
  spanning-tree port type normal
  no shutdown
interface Ethernet1/19
  description to DC-ASA-1 vc1 T5/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 162
  spanning-tree port type normal
  no shutdown
interface Ethernet1/20
  description to DC-ASA-1 vc2 T7/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 152
  spanning-tree port type normal
  no shutdown
interface Ethernet1/21
  description RAGG-2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 36-52
  udld aggressive
  channel-group 99 mode active
  no shutdown
interface Ethernet1/22
  description RAGG-2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 36-52
  udld aggressive
  channel-group 99 mode active
  no shutdown
interface Ethernet1/23
  description RAGG-2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 36-52
  udld aggressive
  channel-group 99 mode active
  no shutdown
interface Ethernet1/24
  description RAGG-2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 36-52
  udld aggressive
  channel-group 99 mode active
  no shutdown
interface Ethernet2/13
  description SACCESS-5
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 36-52
  no shutdown
interface Ethernet2/14
  description linkstate for vpc
  no switchport
  vrf member VPC
  ip address 192.168.10.65/30
  no shutdown
interface Ethernet2/15
  no switchport
interface Ethernet2/16
  no switchport
interface Ethernet2/17
  no switchport
interface Ethernet2/18
  no switchport
interface Ethernet2/19
  no switchport
interface Ethernet2/20
  no switchport
interface Ethernet2/21
  no switchport
interface Ethernet2/22
  no switchport
interface Ethernet2/23
  no switchport
interface Ethernet2/24
  no switchport
interface Ethernet2/25
  no switchport
interface Ethernet2/26
  no switchport
interface Ethernet2/27
  no switchport
interface Ethernet2/28
  no switchport
interface Ethernet2/29
  no switchport
interface Ethernet2/30
  no switchport
interface Ethernet2/31
  no switchport
interface Ethernet2/32
  no switchport
interface Ethernet2/33
  no switchport
interface Ethernet2/34
  no switchport
interface Ethernet2/35
  no switchport
interface Ethernet2/36
  no switchport
interface Ethernet2/37
  no switchport
interface Ethernet2/38
  no switchport
interface Ethernet2/39
  no switchport
interface Ethernet2/40
  no switchport
interface Ethernet2/41
  no switchport
interface Ethernet2/42
  no switchport
interface Ethernet2/43
  no switchport
interface Ethernet2/44
  no switchport
interface Ethernet2/45
  no switchport
interface Ethernet2/46
  no switchport
interface Ethernet2/47
  no switchport
interface Ethernet2/48
  no switchport
interface loopback0
  vrf member servers1
  ip address 192.168.1.31/32
  ip router ospf 5 area 0.0.0.81
logging server 192.168.42.124 6 use-vrf servers1
logging source-interface loopback 0
logout-warning 20
line console
  exec-timeout 15
line vty
  exec-timeout 15
  access-class 23 in
router ospf 5
  vrf servers1
    router-id 4.4.4.1
    area 0.0.0.81 nssa
    redistribute static route-map VLAN41
    area 0.0.0.81 range 192.168.0.0/16
    area 0.0.0.81 range 192.168.162.0/24
    area 0.0.0.81 authentication message-digest
    timers throttle spf 10 100 5000
  vrf servers2
    router-id 5.5.5.1
    area 0.0.0.81 nssa
    area 0.0.0.81 range 192.168.0.0/16
    area 0.0.0.81 range 192.168.152.0/24
    area 0.0.0.81 authentication message-digest
    timers throttle spf 10 100 5000
ip pim ssm range 232.0.0.0/8

RAGG-2-running
!Command: show running-config
!Time: Sun Apr 24 16:52:03 2011
version 5.1(2)
hostname RAGG-2
vdc RAGG-2 id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource monitor-session-erspan-dst minimum 0 maximum 23
  limit-resource vrf minimum 2 maximum 1000
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 32 maximum 32
  limit-resource u6route-mem minimum 16 maximum 16
  limit-resource m4route-mem minimum 48 maximum 48
  limit-resource m6route-mem minimum 8 maximum 8
vdc vdc1 id 2
  allocate interface Ethernet1/1,Ethernet1/3,Ethernet1/5,Ethernet1/7,Ethernet1/25-32
  allocate interface Ethernet2/1-12
  boot-order 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource monitor-session-erspan-dst minimum 0 maximum 23
  limit-resource vrf minimum 2 maximum 1000
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 8 maximum 8
  limit-resource u6route-mem minimum 4 maximum 4
  limit-resource m4route-mem minimum 8 maximum 8
  limit-resource m6route-mem minimum 5 maximum 5
vdc vdc2 id 3
  allocate interface Ethernet1/2,Ethernet1/4,Ethernet1/6,Ethernet1/8-24
  allocate interface Ethernet2/13-48
  boot-order 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource monitor-session-erspan-dst minimum 0 maximum 23
  limit-resource vrf minimum 2 maximum 1000
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 8 maximum 8
  limit-resource u6route-mem minimum 4 maximum 4
  limit-resource m4route-mem minimum 8 maximum 8
  limit-resource m6route-mem minimum 5 maximum 5
feature privilege
feature tacacs+
username admin password 5 <removed> role network-admin
username retail password 5 <removed> role network-admin
username bart password 5 <removed> role network-admin
username emc-ncm password 5 <removed> role network-admin
enable secret 5 <removed>
banner motd @
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
@
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip host RAGG-2 192.168.42.37
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
  server 192.168.42.131
  use-vrf management
ip access-list 23
  statistics per-entry
  10 permit ip 127.0.0.1/32 192.168.42.37/32
  20 permit ip 192.168.41.101/32 192.168.42.37/32
  30 permit ip 192.168.41.102/32 192.168.42.37/32
  40 permit ip 192.168.42.111/32 192.168.42.37/32
  50 permit ip 192.168.42.122/32 192.168.42.37/32
  60 permit ip 192.168.42.131/32 192.168.42.37/32
  70 permit ip 192.168.42.133/32 192.168.42.37/32
  80 permit ip 192.168.42.138/32 192.168.42.37/32
  90 permit ip 10.19.151.99/32 192.168.42.37/32
  100 deny ip any any
ip access-list 88
  statistics per-entry
  10 permit ip 192.168.42.122/32 192.168.42.37/32
  20 deny ip any any
ip access-list copp-system-acl-bgp
  10 permit tcp any gt 1024 any eq bgp
  20 permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-acl-bgp6
  10 permit tcp any gt 1024 any eq bgp
  20 permit tcp any eq bgp any gt 1024
ip access-list copp-system-acl-eigrp
  10 permit eigrp any any
ip access-list copp-system-acl-ftp
  10 permit tcp any any eq ftp-data
  20 permit tcp any any eq ftp
  30 permit tcp any eq ftp-data any
  40 permit tcp any eq ftp any
ip access-list copp-system-acl-glbp
  10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-acl-hsrp
  10 permit udp any 224.0.0.0/24 eq 1985
ip access-list copp-system-acl-icmp
  10 permit icmp any any echo
  20 permit icmp any any echo-reply
ipv6 access-list copp-system-acl-icmp6
  10 permit icmp any any echo-request
  20 permit icmp any any echo-reply
ipv6 access-list copp-system-acl-icmp6-msgs
  10 permit icmp any any router-advertisement
  20 permit icmp any any router-solicitation
  30 permit icmp any any nd-na
  40 permit icmp any any nd-ns
  50 permit icmp any any mld-query
  60 permit icmp any any mld-report
  70 permit icmp any any mld-reduction
ip access-list copp-system-acl-igmp
  10 permit igmp any 224.0.0.0/3
ip access-list copp-system-acl-msdp
  10 permit tcp any gt 1024 any eq 639
  20 permit tcp any eq 639 any gt 1024
ip access-list copp-system-acl-ntp
  10 permit udp any any eq ntp
  20 permit udp any eq ntp any
ipv6 access-list copp-system-acl-ntp6
  10 permit udp any any eq ntp
  20 permit udp any eq ntp any
ip access-list copp-system-acl-ospf
  10 permit ospf any any
ipv6 access-list copp-system-acl-ospf6
  10 permit 89 any any
ip access-list copp-system-acl-pim
  10 permit pim any 224.0.0.0/24
  20 permit udp any any eq pim-auto-rp
ip access-list copp-system-acl-pim-reg
  10 permit pim any any
ipv6 access-list copp-system-acl-pim6
  10 permit 103 any ff02::d/128
  20 permit udp any any eq pim-auto-rp
ip access-list copp-system-acl-radius
  10 permit udp any any eq 1812
  20 permit udp any any eq 1813
  30 permit udp any any eq 1645
  40 permit udp any any eq 1646
  50 permit udp any eq 1812 any
  60 permit udp any eq 1813 any
  70 permit udp any eq 1645 any
  80 permit udp any eq 1646 any
ipv6 access-list copp-system-acl-radius6
  10 permit udp any any eq 1812
  20 permit udp any any eq 1813
  30 permit udp any any eq 1645
  40 permit udp any any eq 1646
  50 permit udp any eq 1812 any
  60 permit udp any eq 1813 any
  70 permit udp any eq 1645 any
  80 permit udp any eq 1646 any
ip access-list copp-system-acl-rip
  10 permit udp any 224.0.0.0/24 eq rip
ip access-list copp-system-acl-sftp
  10 permit tcp any any eq 115
  20 permit tcp any eq 115 any
ip access-list copp-system-acl-snmp
  10 permit udp any any eq snmp
  20 permit udp any any eq snmptrap
ip access-list copp-system-acl-ssh
  10 permit tcp any any eq 22
  20 permit tcp any eq 22 any
ipv6 access-list copp-system-acl-ssh6
  10 permit tcp any any eq 22
  20 permit tcp any eq 22 any
ip access-list copp-system-acl-tacacs
  10 permit tcp any any eq tacacs
  20 permit tcp any eq tacacs any
ipv6 access-list copp-system-acl-tacacs6
  10 permit tcp any any eq tacacs
  20 permit tcp any eq tacacs any
ip access-list copp-system-acl-telnet
  10 permit tcp any any eq telnet
  20 permit tcp any any eq 107
  30 permit tcp any eq telnet any
  40 permit tcp any eq 107 any
ipv6 access-list copp-system-acl-telnet6
  10 permit tcp any any eq telnet
  20 permit tcp any any eq 107
  30 permit tcp any eq telnet any
  40 permit tcp any eq 107 any
ip access-list copp-system-acl-tftp
  10 permit udp any any eq tftp
  20 permit udp any any eq 1758
  30 permit udp any eq tftp any
  40 permit udp any eq 1758 any
ipv6 access-list copp-system-acl-tftp6
  10 permit udp any any eq tftp
  20 permit udp any any eq 1758
  30 permit udp any eq tftp any
  40 permit udp any eq 1758 any
ip access-list copp-system-acl-traceroute
  10 permit icmp any any ttl-exceeded
  20 permit icmp any any port-unreachable
ip access-list copp-system-acl-undesirable
  10 permit udp any any eq 1434
ip access-list copp-system-acl-vpc
  10 permit udp any any eq 3200
ip access-list copp-system-acl-vrrp
  10 permit 112 any 224.0.0.0/24
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-bgp
  match access-group name copp-system-acl-bgp6
  match access-group name copp-system-acl-eigrp
  match access-group name copp-system-acl-igmp
  match access-group name copp-system-acl-msdp
  match access-group name copp-system-acl-ospf
  match access-group name copp-system-acl-ospf6
  match access-group name copp-system-acl-pim
  match access-group name copp-system-acl-pim6
  match access-group name copp-system-acl-rip
  match access-group name copp-system-acl-vpc
class-map type control-plane match-any copp-system-class-exception
  match exception ip option
  match exception ip icmp unreachable
  match exception ipv6 option
  match exception ipv6 icmp unreachable
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-glbp
  match access-group name copp-system-acl-hsrp
  match access-group name copp-system-acl-vrrp
  match access-group name copp-system-acl-icmp6-msgs
  match access-group name copp-system-acl-pim-reg
class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ftp
  match access-group name copp-system-acl-ntp
  match access-group name copp-system-acl-ntp6
  match access-group name copp-system-acl-radius
  match access-group name copp-system-acl-sftp
  match access-group name copp-system-acl-snmp
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-ssh6
  match access-group name copp-system-acl-tacacs
  match access-group name copp-system-acl-telnet
  match access-group name copp-system-acl-tftp
  match access-group name copp-system-acl-tftp6
  match access-group name copp-system-acl-radius6
  match access-group name copp-system-acl-tacacs6
  match access-group name copp-system-acl-telnet6
class-map type control-plane match-any copp-system-class-monitoring
  match access-group name copp-system-acl-icmp
  match access-group name copp-system-acl-icmp6
  match access-group name copp-system-acl-traceroute
class-map type control-plane match-any copp-system-class-normal
  match protocol arp
class-map type control-plane match-any copp-system-class-redirect
  match redirect dhcp-snoop
  match redirect arp-inspect
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-undesirable
policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 39600 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-important
    police cir 1060 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-management
    police cir 10000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-normal
    police cir 680 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-redirect
    police cir 280 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-monitoring
    police cir 130 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-exception
    police cir 360 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 250 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 250 ms conform transmit violate drop
control-plane
  service-policy input copp-system-policy
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
ntp server 192.168.62.161 use-vrf management
ntp server 192.168.62.162 use-vrf management
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context management
  ip route 0.0.0.0/0 192.168.42.1
vlan 1
interface mgmt0
  ip address 192.168.42.37/24
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
logout-warning 20
line console
  exec-timeout 15
line vty
  exec-timeout 15
  access-class 23 in
boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-1
boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-1
boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-2
boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-2
logging server 192.168.42.124 6 use-vrf management

RAGG-2-vdc1-running
!Command: show running-config
!Time: Sun Apr 24 16:52:35 2011
version 5.1(2)
hostname vdc1
feature privilege
feature tacacs+
cfs eth distribute
feature ospf
feature pim
feature udld
feature interface-vlan
feature hsrp
feature lacp
feature glbp
feature vpc
username admin password 5 <removed> role vdc-admin
username retail password 5 <removed> role vdc-admin
username emc-ncm password 5 <removed> role vdc-admin
username bart password 5 <removed> role vdc-admin
enable secret 5 <removed>
banner motd @
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
@
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
  server 192.168.42.131
  source-interface loopback0
ip access-list 23
  statistics per-entry
  10 permit ip 127.0.0.1/32 192.168.1.12/32
  20 permit ip 192.168.41.101/32 192.168.1.12/32
  30 permit ip 192.168.41.102/32 192.168.1.12/32
  40 permit ip 192.168.42.111/32 192.168.1.12/32
  50 permit ip 192.168.42.122/32 192.168.1.12/32
  60 permit ip 192.168.42.131/32 192.168.1.12/32
  70 permit ip 192.168.42.133/32 192.168.1.12/32
  80 permit ip 192.168.42.138/32 192.168.1.12/32
  90 permit ip 10.19.151.99/32 192.168.1.12/32
  100 deny ip any any
ip access-list 88
  statistics per-entry
  10 permit ip 192.168.42.122/32 192.168.1.12/32
  20 deny ip any any
snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey
aaa authentication login default group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context management
vlan 1,3,151,161
interface Vlan1
interface Vlan3
  no shutdown
  ip address 192.168.10.62/30
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip ospf dead-interval 3
  ip ospf hello-interval 1
  ip router ospf 5 area 0.0.0.0
interface Vlan151
  no shutdown
  ip address 192.168.152.4/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 10 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.152.1
interface Vlan161
  no shutdown
  ip address 192.168.162.4/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 10 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.162.1
interface port-channel99
  switchport
  switchport mode trunk
  spanning-tree port type network
interface Ethernet1/1
  description 10Gig LINK to RCORE-1 T2/2
  no switchport
  logging event port link-status
  no ip redirects
  ip address 192.168.10.18/30
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip ospf dead-interval 6
  ip ospf hello-interval 2
  ip ospf network point-to-point
  ip router ospf 5 area 0.0.0.0
  ip pim sparse-mode
  ip igmp version 3
  no shutdown
interface Ethernet1/3
  description 10Gig LINK to RCORE-2 T2/2
  no switchport
  logging event port link-status
  no ip redirects
  ip address 192.168.10.26/30
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip ospf dead-interval 6
  ip ospf hello-interval 2
  ip ospf network point-to-point
  ip router ospf 5 area 0.0.0.0
  ip pim sparse-mode
  ip igmp version 3
  no shutdown
interface Ethernet1/5
  description to DC-ASA-2 vc1 T0/6
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 161
  spanning-tree port type normal
  no shutdown
interface Ethernet1/7
  description to DC-ASA-2 vc2 T0/8
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 151
  spanning-tree port type normal
  no shutdown
interface Ethernet1/25
  no switchport
interface Ethernet1/26
  no switchport
interface Ethernet1/27
  no switchport
interface Ethernet1/28
  no switchport
interface Ethernet1/29
  description RAGG-1 vPC Channel link
  switchport
  switchport mode trunk
  channel-group 99 mode active
  no shutdown
interface Ethernet1/30
  description RAGG-1 vPC Channel link
  switchport
  switchport mode trunk
  channel-group 99 mode active
  no shutdown
interface Ethernet1/31
  description RAGG-1 vPC Channel link
  switchport
  switchport mode trunk
  channel-group 99 mode active
  no shutdown
interface Ethernet1/32
  description RAGG-1 vPC Channel link
  switchport
  switchport mode trunk
  channel-group 99 mode active
  no shutdown
interface Ethernet2/1
  no switchport
interface Ethernet2/2
  no switchport
interface Ethernet2/3
  no switchport
interface Ethernet2/4
  no switchport
interface Ethernet2/5
  no switchport
interface Ethernet2/6
  no switchport
interface Ethernet2/7
  no switchport
interface Ethernet2/8
  no switchport
interface Ethernet2/9
  no switchport
interface Ethernet2/10
  no switchport
interface Ethernet2/11
  no switchport
interface Ethernet2/12
  no switchport
interface loopback0
  ip address 192.168.1.12/32
  ip router ospf 5 area 0.0.0.0
logging server 192.168.42.124 6
logging source-interface loopback 0
logout-warning 20
line console
  exec-timeout 15
line vty
  exec-timeout 15
  access-class 23 in
router ospf 5
  router-id 192.168.1.12
  area 0.0.0.81 nssa
  area 0.0.0.0 range 192.168.1.12/32
  area 0.0.0.0 range 192.168.10.12/30
  area 0.0.0.0 range 192.168.10.20/30
  area 0.0.0.0 range 192.168.10.60/30
  area 0.0.0.81 range 192.168.152.0/24
  area 0.0.0.81 range 192.168.162.0/24
  area 0.0.0.0 authentication message-digest
  area 0.0.0.81 authentication message-digest
  timers throttle spf 10 100 5000
  auto-cost reference-bandwidth 10000
ip pim ssm range 232.0.0.0/8

RAGG-2-vdc2-running
!Command: show running-config
!Time: Sun Apr 24 16:53:03 2011
version 5.1(2)
hostname vdc2
feature privilege
feature tacacs+
cfs eth distribute
feature ospf
feature pim
feature udld
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature vpc
username admin password 5 <removed> role vdc-admin
username retail password 5 <removed> role vdc-admin
username bart password 5 <removed> role vdc-admin
username emc-ncm password 5 <removed> role vdc-admin
enable secret 5 <removed>
banner motd @
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
@
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
  server 192.168.42.131
  use-vrf servers1
  source-interface loopback0
ip access-list 23
  statistics per-entry
  10 permit ip 127.0.0.1/32 192.168.1.32/32
  20 permit ip 192.168.41.101/32 192.168.1.32/32
  30 permit ip 192.168.41.102/32 192.168.1.32/32
  40 permit ip 192.168.42.111/32 192.168.1.32/32
  50 permit ip 192.168.42.122/32 192.168.1.32/32
  60 permit ip 192.168.42.131/32 192.168.1.32/32
  70 permit ip 192.168.42.133/32 192.168.1.32/32
  80 permit ip 192.168.42.138/32 192.168.1.32/32
  90 permit ip 10.19.151.99/32 192.168.1.32/32
  100 deny ip any any
ip access-list 88
  statistics per-entry
  10 permit ip 192.168.42.122/32 192.168.1.32/32
  20 deny ip any any
snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail vdc-admin auth md5 <removed> priv <removed> localizedkey
aaa authentication login default group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context VPC
vrf context servers1
  ip route 0.0.0.0/0 192.168.36.3
  ip pim ssm range 232.0.0.0/8
vrf context servers2
  ip pim ssm range 232.0.0.0/8
vrf context management
vlan 1
vlan 36
  name DeviceMgmtHigh
vlan 37
  name DeviceMgmtLow
vlan 38
  name UIM-OS-INSTALL
vlan 40-41
vlan 42
  name CoreManagement
vlan 43
  name WirelessSystems
vlan 44
  name PhysicalSec
vlan 45
  name VOICE
vlan 52
  name POS
vlan 151-152,154,161-162,164,180-181
spanning-tree domain 777
ip prefix-list VLAN41 seq 5 permit 192.168.41.0/24
route-map VLAN41 permit 20
  match ip address prefix-list VLAN41
service dhcp
ip dhcp relay
vpc domain 99
  peer-keepalive destination 192.168.10.65 source 192.168.10.66 vrf VPC
interface Vlan1
  no ip redirects
  no shutdown
interface Vlan36
  vrf member servers1
  no ip redirects
  ip address 192.168.36.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.36.1
  no shutdown
  description DeviceMgmtHigh
interface Vlan37
  vrf member servers1
  no ip redirects
  ip address 192.168.37.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.37.1
  no shutdown
  description DeviceMgmtLow
interface Vlan38
  vrf member servers1
  no ip redirects
  ip address 192.168.38.202/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  no shutdown
  description UIM OS Install only
interface Vlan40
  vrf member servers1
  no ip redirects
  ip address 192.168.40.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.40.1
  no shutdown
interface Vlan41
  vrf member servers1
  ip address 192.168.41.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 90 forwarding-threshold lower 1 upper 1
    timers 1 3
    ip 192.168.41.1
  shutdown
  description SHUTDOWN - NOW ROUTE VIA HyTrust
interface Vlan42
  vrf member servers1
  no ip redirects
  ip address 192.168.42.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.42.1
  no shutdown
interface Vlan43
  vrf member servers1
  no ip redirects
  ip address 192.168.43.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.43.1
  no shutdown
  description Wireless Systems
interface Vlan44
  vrf member servers1
  no ip redirects
  ip address 192.168.44.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.44.1
  no shutdown
  description Wireless Systems
interface Vlan45
  vrf member servers1
  no ip redirects
  ip address 192.168.45.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.45.1
  no shutdown
  description VOICE
interface Vlan52
  vrf member servers1
  no ip redirects
  ip address 192.168.52.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 105 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.52.1
  no shutdown
  description POS
interface Vlan154
  vrf member servers2
  no ip redirects
  ip address 192.168.152.6/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 120 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.152.7
  no shutdown
interface Vlan164
  vrf member servers1
  no ip redirects
  ip address 192.168.162.6/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 <removed>
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 2
    authentication text c1sc0
    preempt delay minimum 180
    priority 110 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.162.7
  no shutdown
interface Vlan180
  vrf member servers1
  no ip redirects
  ip address 192.168.180.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 110 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.180.1
  no shutdown
interface Vlan181
  vrf member servers2
  no ip redirects
  ip address 192.168.181.4/24
  ip ospf passive-interface
  ip router ospf 5 area 0.0.0.81
  ip pim sparse-mode
  ip igmp version 3
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 120 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.181.1
  no shutdown
interface port-channel1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-42,44
  vpc 1
interface port-channel2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-42,44
  vpc 2
interface port-channel3
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  vpc 3
interface port-channel4
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41-45,52
  vpc 4
interface port-channel11
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  spanning-tree port type edge trunk
  vpc 11
interface port-channel12
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  spanning-tree port type edge trunk
  vpc 12
interface port-channel99
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 36-52
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link
interface Ethernet1/2
  description F-UCS-1_E2/1 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  channel-group 11 mode active
  no shutdown
interface Ethernet1/4
  description F-UCS-1_E2/2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  spanning-tree port type normal
  channel-group 11 mode active
  no shutdown
interface Ethernet1/6
  description F-UCS-2_E2/1 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  channel-group 12 mode active
  no shutdown
interface Ethernet1/8
  description F-UCS-2_E2/2 vPC Channel link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 38,41,45-46
  channel-group 12 mode active
no shutdown
interface Ethernet1/9
description SACCESS-3 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
channel-group 3 mode active
no shutdown
interface Ethernet1/10
description SACCESS-3 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
channel-group 3 mode active
no shutdown
interface Ethernet1/11
description SACCESS-4 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
channel-group 4 mode active
no shutdown
interface Ethernet1/12
description SACCESS-4 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
channel-group 4 mode active
no shutdown
interface Ethernet1/13
description SACCESS-1 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 38,41-42,44
channel-group 1 mode active
no shutdown
interface Ethernet1/14
description SACCESS-2 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 38,41-42,44
channel-group 2 mode active
no shutdown
interface Ethernet1/15
no switchport
interface Ethernet1/16
no switchport
interface Ethernet1/17
description to RSERV-2 T2/6
switchport
switchport mode trunk
spanning-tree port type normal
no shutdown
interface Ethernet1/18
description to RSERV-2 T2/5
switchport
switchport mode trunk
switchport trunk allowed vlan 42,164
no shutdown
interface Ethernet1/19
description to DC-ASA-2 vc1 T5/1
switchport
switchport mode trunk
switchport trunk allowed vlan 152
spanning-tree port type normal
no shutdown
interface Ethernet1/20
description to DC-ASA-2 vc2 T7/1
switchport
switchport mode trunk
switchport trunk allowed vlan 152
spanning-tree port type normal
no shutdown
interface Ethernet1/21
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 36-52
udld aggressive
channel-group 99 mode active
no shutdown
interface Ethernet1/22
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 36-52
udld aggressive
channel-group 99 mode active
no shutdown
interface Ethernet1/23
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 36-52
udld aggressive
channel-group 99 mode active
no shutdown
interface Ethernet1/24
description RAGG-2 vPC Channel link
switchport
switchport mode trunk
switchport trunk allowed vlan 36-52
udld aggressive
channel-group 99 mode active
no shutdown
interface Ethernet2/13
description SACCESS-5 vPC Channel link
switchport
switchport mode trunk
interface Ethernet2/14
description linkstate for vpc
no switchport
vrf member VPC
ip address 192.168.10.66/30
no shutdown
interface Ethernet2/15
no switchport
interface Ethernet2/16
no switchport
interface Ethernet2/17
no switchport
interface Ethernet2/18
no switchport
interface Ethernet2/19
no switchport
interface Ethernet2/20
no switchport
interface Ethernet2/21
no switchport
interface Ethernet2/22
no switchport
interface Ethernet2/23
no switchport
interface Ethernet2/24
no switchport
interface Ethernet2/25
no switchport
interface Ethernet2/26
no switchport
interface Ethernet2/27
no switchport
interface Ethernet2/28
no switchport
interface Ethernet2/29
no switchport
interface Ethernet2/30
no switchport
interface Ethernet2/31
no switchport
interface Ethernet2/32
no switchport
interface Ethernet2/33
no switchport
interface Ethernet2/34
no switchport
interface Ethernet2/35
no switchport
interface Ethernet2/36
no switchport
interface Ethernet2/37
no switchport
interface Ethernet2/38
no switchport
interface Ethernet2/39
no switchport
interface Ethernet2/40
no switchport
interface Ethernet2/41
no switchport
interface Ethernet2/42
no switchport
interface Ethernet2/43
no switchport
interface Ethernet2/44
no switchport
interface Ethernet2/45
no switchport
interface Ethernet2/46
no switchport
interface Ethernet2/47
no switchport
interface Ethernet2/48
no switchport
interface loopback0
vrf member servers1
ip address 192.168.1.32/32
ip router ospf 5 area 0.0.0.81
logging server 192.168.42.124 6 use-vrf servers1
logging source-interface loopback 0
logout-warning 20
line console
exec-timeout 15
line vty
exec-timeout 15
access-class 23 in
router ospf 5
vrf servers1
router-id 4.4.4.2
area 0.0.0.81 nssa
area 0.0.0.81 range 192.168.0.0/16
area 0.0.0.81 range 192.168.162.0/24
area 0.0.0.81 authentication message-digest
timers throttle spf 10 100 5000
vrf servers2
router-id 5.5.5.2
area 0.0.0.81 nssa
area 0.0.0.81 range 192.168.0.0/16
area 0.0.0.81 range 192.168.152.0/24
area 0.0.0.81 authentication message-digest
timers throttle spf 10 100 5000
ip pim ssm range 232.0.0.0/8
rcore-1
!
! Last configuration change at 01:37:46 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:37:47 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname RCORE-1
!
boot-start-marker
boot system flash disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ.bin
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
ip wccp 61
ip wccp 62
!
!
!
no ip bootp server
ip multicast-routing
ip ssh version 2
ip scp server enable
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
ipv6 mfib hardware-switching replication-mode ingress
vtp domain CiscoRetail
vtp mode transparent
mls ip cef load-sharing full simple
no mls acl tcam share-global
mls netflow interface
mls cef error action freeze
password encryption aes
!
crypto pki trustpoint TP-self-signed-1104
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1104
revocation-check none
rsakeypair TP-self-signed-1104
!
!
crypto pki certificate chain TP-self-signed-1104
certificate self-signed 01
<removed>
quit
!
!
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
environment temperature-controlled
diagnostic bootup level minimal
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Port-channel99
ip address 192.168.10.29 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface GigabitEthernet1/1
description to DC WAN_SWAN-3
ip address 192.168.11.11 255.255.255.0
standby 0 ip 192.168.11.10
standby 0 priority 101
standby 0 preempt
!
interface GigabitEthernet1/2
no ip address
shutdown
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
no ip address
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface GigabitEthernet1/9
no ip address
shutdown
!
interface GigabitEthernet1/10
no ip address
shutdown
!
interface GigabitEthernet1/11
no ip address
shutdown
!
interface GigabitEthernet1/12
no ip address
shutdown
!
interface GigabitEthernet1/13
no ip address
shutdown
!
interface GigabitEthernet1/14
no ip address
shutdown
!
interface GigabitEthernet1/15
no ip address
shutdown
!
interface GigabitEthernet1/16
no ip address
shutdown
!
interface GigabitEthernet1/17
no ip address
shutdown
!
interface GigabitEthernet1/18
no ip address
shutdown
!
interface GigabitEthernet1/19
no ip address
shutdown
!
interface GigabitEthernet1/20
no ip address
shutdown
!
interface GigabitEthernet1/21
no ip address
shutdown
!
interface GigabitEthernet1/22
no ip address
shutdown
!
interface GigabitEthernet1/23
no ip address
shutdown
!
interface GigabitEthernet1/24
no ip address
shutdown
!
interface GigabitEthernet1/25
no ip address
shutdown
!
interface GigabitEthernet1/26
no ip address
shutdown
!
interface GigabitEthernet1/27
no ip address
shutdown
!
interface GigabitEthernet1/28
no ip address
shutdown
!
interface GigabitEthernet1/29
no ip address
shutdown
!
interface GigabitEthernet1/30
no ip address
shutdown
!
interface GigabitEthernet1/31
no ip address
shutdown
!
interface GigabitEthernet1/32
no ip address
shutdown
!
interface GigabitEthernet1/33
no ip address
shutdown
!
interface GigabitEthernet1/34
no ip address
shutdown
!
interface GigabitEthernet1/35
no ip address
shutdown
!
interface GigabitEthernet1/36
no ip address
shutdown
!
interface GigabitEthernet1/37
no ip address
shutdown
!
interface GigabitEthernet1/38
no ip address
shutdown
!
interface GigabitEthernet1/39
no ip address
shutdown
!
interface GigabitEthernet1/40
no ip address
shutdown
!
interface GigabitEthernet1/41
no ip address
shutdown
!
interface GigabitEthernet1/42
no ip address
shutdown
!
interface GigabitEthernet1/43
no ip address
shutdown
!
interface GigabitEthernet1/44
no ip address
shutdown
!
interface GigabitEthernet1/45
no ip address
shutdown
!
interface GigabitEthernet1/46
no ip address
shutdown
!
interface GigabitEthernet1/47
no ip address
shutdown
!
interface GigabitEthernet1/48
no ip address
shutdown
!
interface TenGigabitEthernet2/1
description 10Gig LINK to RAGG-1 T1/3
ip address 192.168.10.13 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip igmp query-interval 125
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet2/2
description 10Gig LINK to RAGG-2 T1/3
ip address 192.168.10.17 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip igmp query-interval 125
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet2/3
description 10Gig LINK to RCORE-2
no ip address
channel-group 99 mode active
!
interface TenGigabitEthernet2/4
description 10Gig LINK to RCORE-2
no ip address
channel-group 99 mode active
!
interface TenGigabitEthernet2/5
no ip address
shutdown
!
interface TenGigabitEthernet2/6
no ip address
shutdown
!
interface TenGigabitEthernet2/7
no ip address
shutdown
!
interface TenGigabitEthernet2/8
no ip address
shutdown
!
interface GigabitEthernet5/1
no ip address
shutdown
!
interface GigabitEthernet5/2
no ip address
shutdown
!
interface GigabitEthernet6/1
no ip address
shutdown
!
interface GigabitEthernet6/2
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 5
router-id 192.168.1.1
log-adjacency-changes
auto-cost reference-bandwidth 10000
nsf
redistribute static subnets
passive-interface default
no passive-interface TenGigabitEthernet2/1
no passive-interface TenGigabitEthernet2/2
no passive-interface Port-channel99
network 192.168.0.0 0.0.255.255 area 0
default-information originate metric 20 metric-type 1
!
ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.11.60 name default-to-internet
ip route 10.10.0.0 255.255.0.0 192.168.11.1 name route-to-stores
ip route 10.10.0.0 255.255.255.0 192.168.11.60 name route-to-SP
ip route 10.10.1.0 255.255.255.0 192.168.11.2
ip route 10.10.2.0 255.255.255.0 192.168.11.3
ip route 10.10.110.1 255.255.255.255 192.168.11.2
ip route 10.10.110.2 255.255.255.255 192.168.11.3
ip route 10.10.126.1 255.255.255.255 192.168.11.2
ip route 10.10.126.2 255.255.255.255 192.168.11.3
ip route 10.10.254.0 255.255.255.0 192.168.11.3
ip route 10.10.255.0 255.255.255.0 192.168.11.2
ip route 192.168.1.111 255.255.255.255 192.168.11.2
ip route 192.168.1.112 255.255.255.255 192.168.11.3
ip route 192.168.20.0 255.255.255.0 192.168.11.60 name route-to-DMZ
ip route 192.168.21.0 255.255.255.0 192.168.11.60 name route-to-DMZ
ip route 192.168.22.0 255.255.255.0 192.168.11.60 name route-to-DMZ
ip route 192.168.23.0 255.255.255.0 192.168.11.60 name route-to-DMZ
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip pim send-rp-discovery scope 2
ip tacacs source-interface Loopback0
!
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps MAC-Notification change move threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
!
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
mac-address-table aging-time 480
!
end
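Reading the RAGG and RCORE configurations above as a reviewer, the settings that stand out are the HSRP groups authenticated with the cleartext string `c1sc0` (`authentication text` on NX-OS carries the key in the clear in every hello), the IOS `standby 0` group on GigabitEthernet1/1 that has no authentication at all, the SNMPv3 group `remoteuser` configured `noauth`, and HTTPS management pinned to `3des-ede-cbc-sha`. The checker below is an added example, not part of the design guide or of any Cisco tooling; it parses an indented `show running-config` and reports those four conditions with the corrected statement beside each. The `SAMPLE_CONFIG` inside it is constructed from lines on this page with indentation restored, plus one hypothetical hardened interface (`Vlan999`, not from the page) to show the MD5 form the check accepts.

```python
"""Audit a Cisco IOS / NX-OS running-config for weak control-plane settings.
Added example, not part of the design guide or any Cisco tool. Checks: HSRP
cleartext authentication, HSRP group with no authentication, SNMPv3 group at
noauth/auth, HTTPS pinned to a legacy (3DES) cipher suite."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    section: str  # config section holding the problem ("global" for top level)
    line: str     # offending line, or "" when the problem is an absence
    issue: str
    fix: str      # corrected statement an operator would apply

def parse_sections(config: str) -> list[tuple[str, list[str]]]:
    """Split an indented running-config into (header, child_lines) blocks.
    Unindented lines open a section; indented lines belong to the current one
    (NX-OS sub-modes such as 'hsrp 2' are flattened into the interface)."""
    sections: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw[0] not in " \t":
            sections.append((text, []))
        elif sections:
            sections[-1][1].append(text)
    return sections

HSRP_GROUP = re.compile(r"^(standby \d+ ip\b|hsrp \d+$)")
HSRP_AUTH = re.compile(r"^(standby \d+ )?authentication\b")  # IOS and NX-OS forms
SNMP_GROUP = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth)$")
HTTP_CIPHERS = re.compile(r"^ip http secure-ciphersuite (.+)$")
LEGACY_CIPHER = re.compile(r"3des|rc4|des-cbc|null", re.IGNORECASE)

def audit(config: str) -> list[Finding]:
    findings: list[Finding] = []
    for header, body in parse_sections(config):
        if header.startswith("interface "):
            has_group = any(HSRP_GROUP.match(ln) for ln in body)
            auth_lines = [ln for ln in body if HSRP_AUTH.match(ln)]
            for ln in auth_lines:
                if not re.search(r"\bmd5\b", ln):  # 'text' form or legacy bare string
                    findings.append(Finding(header, ln,
                        "HSRP authentication string is sent in cleartext in every hello; "
                        "any host on the VLAN can read it and inject a higher-priority hello",
                        "authentication md5 key-string <key>"))
            if has_group and not auth_lines:
                findings.append(Finding(header, "",
                    "HSRP group has no authentication; any host on the segment can claim the VIP",
                    "standby <group> authentication md5 key-string <key>"))
            continue
        m = SNMP_GROUP.match(header)
        if m:
            group, level = m.groups()
            detail = ("neither authenticated nor encrypted" if level == "noauth"
                      else "authenticated but not encrypted")
            findings.append(Finding("global", header,
                f"SNMPv3 group '{group}' is '{level}': requests are {detail}",
                f"snmp-server group {group} v3 priv"))
        m = HTTP_CIPHERS.match(header)
        if m and LEGACY_CIPHER.search(m.group(1)):
            findings.append(Finding("global", header,
                "HTTPS management is pinned to a legacy cipher suite",
                "ip http secure-ciphersuite aes-128-cbc-sha aes-256-cbc-sha "
                "(if the release offers AES; otherwise 'no ip http secure-server')"))
    return findings

# Constructed sample: lines from the RAGG-1 and RCORE-1 configurations on this
# page with indentation restored, plus a hypothetical hardened interface
# (Vlan999) showing the MD5 form the check accepts.
SAMPLE_CONFIG = """\
interface Vlan44
  vrf member servers1
  ip address 192.168.44.4/24
  hsrp 2
    authentication text c1sc0
    ip 192.168.44.1
! hypothetical hardened variant, not from the page
interface Vlan999
  ip address 192.168.99.4/24
  hsrp 2
    authentication md5 key-string 7 <removed>
    ip 192.168.99.1
interface GigabitEthernet1/1
 ip address 192.168.11.11 255.255.255.0
 standby 0 ip 192.168.11.10
 standby 0 priority 101
!
ip http secure-ciphersuite 3des-ede-cbc-sha
snmp-server group remoteuser v3 noauth
snmp-server group netops v3 priv
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.section}] {f.line or '(missing)'}\n  issue: {f.issue}\n  fix:   {f.fix}")
```

Run against the sample it reports four findings: the cleartext `authentication text c1sc0` under Vlan44, the unauthenticated `standby 0` group on GigabitEthernet1/1, the 3DES cipher suite, and the `noauth` SNMPv3 group; the MD5-protected Vlan999 and the `priv` group `netops` pass. The parser relies on indentation, so feed it real `show running-config` output rather than the flattened text of this appendix; the NX-OS `hsrp` sub-mode is folded into its interface, which is sufficient because the regexes anchor on the `authentication` keyword rather than on nesting depth.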
rcore-2
!
! Last configuration change at 01:42:02 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:42:02 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname RCORE-2
!
boot-start-marker
boot system flash disk1:s72033-adventerprisek9_wan-mz.122-33.SXJ.bin
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
call-home
no alert-group configuration
no alert-group diagnostic
no alert-group environment
no alert-group inventory
no alert-group syslog
ip wccp 61
ip wccp 62
!
!
!
no ip bootp server
ip multicast-routing
ip ssh version 2
ip scp server enable
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
ipv6 mfib hardware-switching replication-mode ingress
vtp domain CiscoRetail
vtp mode transparent
mls ip cef load-sharing full simple
no mls acl tcam share-global
mls netflow interface
mls cef error action freeze
password encryption aes
!
crypto pki trustpoint TP-self-signed-1051
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1051
revocation-check none
rsakeypair TP-self-signed-1051
!
!
crypto pki certificate chain TP-self-signed-1051
certificate self-signed 01
<removed>
quit
!
!
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
environment temperature-controlled
diagnostic bootup level minimal
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
!
!
!
!
interface Loopback0
ip address 192.168.1.2 255.255.255.255
!
interface Port-channel99
description link between CORE's
ip address 192.168.10.30 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface GigabitEthernet1/1
description to DC WAN_SWAN-3/4
ip address 192.168.11.12 255.255.255.0
standby 0 ip 192.168.11.10
standby 0 priority 99
standby 0 preempt
!
interface GigabitEthernet1/2
no ip address
shutdown
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
no ip address
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface GigabitEthernet1/9
no ip address
shutdown
!
interface GigabitEthernet1/10
no ip address
shutdown
!
interface GigabitEthernet1/11
no ip address
shutdown
!
interface GigabitEthernet1/12
no ip address
shutdown
!
interface GigabitEthernet1/13
no ip address
shutdown
!
interface GigabitEthernet1/14
no ip address
shutdown
!
interface GigabitEthernet1/15
no ip address
shutdown
!
interface GigabitEthernet1/16
no ip address
shutdown
!
interface GigabitEthernet1/17
no ip address
shutdown
!
interface GigabitEthernet1/18
no ip address
shutdown
!
interface GigabitEthernet1/19
no ip address
shutdown
!
interface GigabitEthernet1/20
no ip address
shutdown
!
interface GigabitEthernet1/21
no ip address
shutdown
!
interface GigabitEthernet1/22
no ip address
shutdown
!
interface GigabitEthernet1/23
no ip address
shutdown
!
interface GigabitEthernet1/24
no ip address
shutdown
!
interface GigabitEthernet1/25
no ip address
shutdown
!
interface GigabitEthernet1/26
no ip address
shutdown
!
interface GigabitEthernet1/27
no ip address
shutdown
!
interface GigabitEthernet1/28
no ip address
shutdown
!
interface GigabitEthernet1/29
no ip address
shutdown
!
interface GigabitEthernet1/30
no ip address
shutdown
!
interface GigabitEthernet1/31
no ip address
shutdown
!
interface GigabitEthernet1/32
no ip address
shutdown
!
interface GigabitEthernet1/33
no ip address
shutdown
!
interface GigabitEthernet1/34
no ip address
shutdown
!
interface GigabitEthernet1/35
no ip address
shutdown
!
interface GigabitEthernet1/36
no ip address
shutdown
!
interface GigabitEthernet1/37
no ip address
shutdown
!
interface GigabitEthernet1/38
no ip address
shutdown
!
interface GigabitEthernet1/39
no ip address
shutdown
!
interface GigabitEthernet1/40
no ip address
shutdown
!
interface GigabitEthernet1/41
no ip address
shutdown
!
interface GigabitEthernet1/42
no ip address
shutdown
!
interface GigabitEthernet1/43
no ip address
shutdown
!
interface GigabitEthernet1/44
no ip address
shutdown
!
interface GigabitEthernet1/45
no ip address
shutdown
!
interface GigabitEthernet1/46
no ip address
shutdown
!
interface GigabitEthernet1/47
no ip address
shutdown
!
interface GigabitEthernet1/48
no ip address
shutdown
!
interface TenGigabitEthernet2/1
description 10Gig LINK to RAGG-1 T1/4
ip address 192.168.10.21 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip igmp query-interval 125
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet2/2
description 10Gig LINK to RAGG-2 T1/4
ip address 192.168.10.25 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip igmp query-interval 125
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet2/3
description 10Gig LINK to RCORE-1
no ip address
channel-group 99 mode active
!
interface TenGigabitEthernet2/4
description 10Gig LINK to RCORE-1
no ip address
channel-group 99 mode active
!
interface TenGigabitEthernet2/5
no ip address
shutdown
!
interface TenGigabitEthernet2/6
no ip address
shutdown
!
interface TenGigabitEthernet2/7
no ip address
shutdown
!
interface TenGigabitEthernet2/8
no ip address
shutdown
!
interface GigabitEthernet5/1
no ip address
shutdown
!
interface GigabitEthernet5/2
no ip address
shutdown
!
interface GigabitEthernet6/1
no ip address
shutdown
!
interface GigabitEthernet6/2
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 5
router-id 192.168.1.2
log-adjacency-changes
auto-cost reference-bandwidth 10000
nsf
redistribute static subnets
passive-interface default
no passive-interface TenGigabitEthernet2/1
no passive-interface TenGigabitEthernet2/2
no passive-interface Port-channel99
network 192.168.0.0 0.0.255.255 area 0
default-information originate metric 22 metric-type 1
!
ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.11.60 name default-to-internet
ip route 10.10.0.0 255.255.0.0 192.168.11.1 name route-to-stores
ip route 10.10.0.0 255.255.255.0 192.168.11.60 name route-to-SP
ip route 10.10.1.0 255.255.255.0 192.168.11.2
ip route 10.10.2.0 255.255.255.0 192.168.11.3
ip route 10.10.110.1 255.255.255.255 192.168.11.2
ip route 10.10.110.2 255.255.255.255 192.168.11.3
ip route 10.10.126.1 255.255.255.255 192.168.11.2
ip route 10.10.126.2 255.255.255.255 192.168.11.3
ip route 10.10.254.0 255.255.255.0 192.168.11.3
ip route 10.10.255.0 255.255.255.0 192.168.11.2
ip route 192.168.20.0 255.255.255.0 192.168.11.60 name route-to-DMZ
ip route 192.168.21.0 255.255.255.0 192.168.11.60 name route-to-DMZ
ip route 192.168.22.0 255.255.255.0 192.168.11.60 name route-to-DMZ
ip route 192.168.23.0 255.255.255.0 192.168.11.60 name route-to-DMZ
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip pim send-rp-discovery scope 2
ip tacacs source-interface Loopback0
!
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps MAC-Notification change move threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131 timeout 5
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
mac-address-table aging-time 480
!
end
rie-1
!
! Last configuration change at 01:06:14 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:06:15 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:06:15 PST Sat Apr 30 2011 by retail
upgrade fpd auto
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname RIE-1
!
boot-start-marker
boot system flash disk2:/c7200-advipservicesk9-mz.151-4.M.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip inspect audit-trail
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-26793975
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-26793975
revocation-check none
rsakeypair TP-self-signed-26793975
!
!
crypto pki certificate chain TP-self-signed-26793975
certificate self-signed 01
<removed>
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
redundancy
!
!
ip ssh version 2
ip scp server enable
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
description link to RIE-3 G1/1
ip address 192.168.22.11 255.255.255.0
standby 1 ip 192.168.22.10
standby 1 priority 105
standby 1 preempt
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
description link to RIE-4 G1/1
no ip address
shutdown
duplex full
speed 1000
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/3
description Link to RSP-3 G0/2
ip address 10.10.3.6 255.255.255.0
ip access-group COARSE-FILTER-INTERNET-IN in
ip access-group COARSE-FILTER-INTERNET-OUT out
duplex auto
speed auto
media-type rj45
no negotiation auto
!
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 10.10.3.1
ip route 10.10.0.0 255.255.0.0 192.168.22.1
ip route 10.10.0.0 255.255.255.0 10.10.3.1
ip route 10.10.4.0 255.255.255.0 192.168.22.12
ip route 192.168.0.0 255.255.0.0 192.168.22.1
ip tacacs source-interface GigabitEthernet0/1
!
ip access-list extended COARSE-FILTER-INTERNET-IN
remark -------------------------------------------------------
remark ---Block Private Networks---
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark -
remark ---Block Autoconfiguration Networks---
deny ip 169.254.0.0 0.0.255.255 any log
remark -
remark ---Block Loopback Networks---
deny ip 127.0.0.0 0.0.255.255 any log
remark -
remark ---Block Multicast Networks---
deny ip 224.0.0.0 15.255.255.255 any log
remark -
remark ---Block Traffic targeted at DMZ Network Edge Devices---
deny ip any 192.168.22.0 0.0.0.255 log
remark -
remark ---Allow remaining public internet traffic---
permit ip any any
ip access-list extended COARSE-FILTER-INTERNET-OUT
remark ---Block private networks from reaching Internet---
remark -------------------------------------------------------
remark ---Block Private Networks---
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark -
remark ---Block Autoconfiguration Networks---
deny ip 169.254.0.0 0.0.255.255 any log
remark -
remark ---Block Loopback Networks---
deny ip 127.0.0.0 0.0.255.255 any log
remark -
remark ---Block Multicast Networks---
deny ip 224.0.0.0 15.255.255.255 any log
remark -
remark ---Block Traffic targeted at DMZ Network Edge Devices---
deny ip any 192.168.22.0 0.0.0.255 log
remark -
remark ---Allow remaining traffic to Internet---
remark The source address should be your ISP-assigned IPs
permit ip <your ISP Public Block> any
!
logging esm config
logging trap debugging
logging source-interface GigabitEthernet0/1
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source GigabitEthernet0/1
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server host 192.168.42.124 remoteuser
!
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
no exec
transport preferred none
transport output none
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler allocate 4000 200
ntp source GigabitEthernet0/1
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
rie-2
!
! Last configuration change at 01:07:38 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:07:38 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:07:38 PST Sat Apr 30 2011 by retail
upgrade fpd auto
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname RIE-2
!
boot-start-marker
boot system flash bootflash:/c7200p-advipservicesk9-mz.151-4.M.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 65535
login quiet-mode access-class 23
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-26800067
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-26800067
revocation-check none
rsakeypair TP-self-signed-26800067
!
!
crypto pki certificate chain TP-self-signed-26800067
certificate self-signed 01
<removed>
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
redundancy
!
!
ip ssh version 2
ip scp server enable
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
description RIE-3 port G1/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface FastEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
description RIE-4 port G1/2
ip address 192.168.22.12 255.255.255.0
standby 1 ip 192.168.22.10
standby 1 priority 95
standby 1 preempt
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
description Link to RSP-4 G0/2
ip address 10.10.4.6 255.255.255.0
ip access-group COARSE-FILTER-INTERNET-IN in
ip access-group COARSE-FILTER-INTERNET-OUT out
duplex auto
speed auto
media-type rj45
negotiation auto
!
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 10.10.4.1
ip route 10.10.0.0 255.255.0.0 192.168.22.1
ip route 10.10.0.0 255.255.255.0 10.10.4.1
ip route 10.10.3.0 255.255.255.0 192.168.22.11
ip route 192.168.0.0 255.255.0.0 192.168.22.1
ip tacacs source-interface GigabitEthernet0/2
!
ip access-list extended COARSE-FILTER-INTERNET-IN
remark ---Block Private Networks---
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark -
remark ---Block Autoconfiguration Networks---
deny ip 169.254.0.0 0.0.255.255 any log
remark -
remark ---Block Loopback Networks---
deny ip 127.0.0.0 0.0.255.255 any log
remark -
remark ---Block Multicast Networks---
deny ip 224.0.0.0 15.255.255.255 any log
remark -
remark ---Block Traffic targeted at DMZ Network Edge Devices---
deny ip any 192.168.22.0 0.0.0.255 log
remark -
remark ---Allow remaining public internet traffic---
permit ip any any
ip access-list extended COARSE-FILTER-INTERNET-OUT
remark ---Block private networks from reaching Internet---
remark -------------------------------------------------------
remark ---Block Private Networks---
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark -
remark ---Block Autoconfiguration Networks---
deny ip 169.254.0.0 0.0.255.255 any log
remark -
remark ---Block Loopback Networks---
deny ip 127.0.0.0 0.0.255.255 any log
remark -
remark ---Block Multicast Networks---
deny ip 224.0.0.0 15.255.255.255 any log
remark -
remark ---Block Traffic targeted at DMZ Network Edge Devices---
deny ip any 192.168.22.0 0.0.0.255 log
remark -
remark ---Allow remaining traffic to Internet---
remark The source address should be your ISP-assigned IPs
permit ip <your ISP Public Block> any
!
logging esm config
logging alarm informational
logging trap debugging
logging source-interface GigabitEthernet0/2
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
!
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source GigabitEthernet0/2
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server host 192.168.42.124 remoteuser
!
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
no exec
transport preferred none
transport output none
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler allocate 4000 200
ntp source GigabitEthernet0/2
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
RIE-3
!
! Last configuration change at 08:36:26 PSTDST Thu Apr 28 2011 by retail
! NVRAM config last updated at 22:33:54 PSTDST Wed Apr 27 2011 by retail
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname RIE-3
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 51200
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 21,82,83,85
svclc vlan-group 21 21
svclc vlan-group 82 82
svclc vlan-group 83 83
svclc vlan-group 85 85
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 21,82,200,250,300
firewall vlan-group 200 22,2305-2307
firewall vlan-group 300 91,92
intrusion-detection module 2 management-port access-vlan 21
intrusion-detection module 2 data-port 1 trunk allowed-vlan 83,84
!
!
!
no ip bootp server
ip ssh version 2
ip scp server enable
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
vtp mode transparent
no mls acl tcam share-global
mls netflow interface
mls cef error action freeze
password encryption aes
!
crypto pki trustpoint TP-self-signed-1014
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1014
revocation-check none
rsakeypair TP-self-signed-1014
!
!
crypto pki certificate chain TP-self-signed-1014
certificate self-signed 01
<removed>
quit
!
!
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic bootup level minimal
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.122 log
access-list 88 deny any log
access-list 101 permit gre host 192.168.21.91 host 128.107.147.109
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 21
name fwsm_inside
!
vlan 22
name fwsm_outside
!
vlan 82
name fwsm_ace_outside
!
vlan 83
name ace_IDSM
!
vlan 84
name IDSM_DMZ-inside
!
vlan 85
name ft_ace
!
vlan 91
name fwsm_failover
!
vlan 92
name fwsm_statelink
!
vlan 993
name Management
!
vlan 995
name DMZ_Management
!
vlan 2305
name fwsm_EmailSecurityAppliance
!
vlan 2306
name fwsm_EmailSecurityMgrAppliance
!
vlan 2307
name fwsm_WebSecApp
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 128.107.147.109
!
!
crypto ipsec transform-set to_fred esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 128.107.147.109
set transform-set to_fred
match address 101
!
!
!
interface Tunnel0
ip address 172.26.0.1 255.255.255.0
tunnel source Vlan21
tunnel destination 128.107.147.109
!
interface Port-channel99
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1
description RIE-1 G0/1
switchport
switchport access vlan 22
!
interface GigabitEthernet1/2
description RIE-2 G0/1
switchport
switchport access vlan 22
!
interface GigabitEthernet1/3
no ip address
!
interface GigabitEthernet1/4
no ip address
!
interface GigabitEthernet1/5
description ASA-IE-1 G0
switchport
switchport access vlan 21
!
interface GigabitEthernet1/6
no ip address
!
interface GigabitEthernet1/7
no ip address
!
interface GigabitEthernet1/8
no ip address
!
interface GigabitEthernet1/9
no ip address
!
interface GigabitEthernet1/10
no ip address
!
interface GigabitEthernet1/11
no ip address
!
interface GigabitEthernet1/12
no ip address
!
interface GigabitEthernet1/13
description ESA-IE-1 port M
switchport
switchport access vlan 2306
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/14
description ESA-IE-1 port D1
switchport
switchport access vlan 2306
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/15
description ESA-IE-1 port D2
switchport
switchport access vlan 2306
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/16
description ESA-IE-1 port D3
switchport
switchport access vlan 2306
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/17
description WSA-IE-1 port P1
no ip address
!
interface GigabitEthernet1/18
description WSA-IE-1 port P2
no ip address
!
interface GigabitEthernet1/19
description WSA-IE-1 port T1
no ip address
!
interface GigabitEthernet1/20
description WSA-IE-1 port T2
no ip address
!
interface GigabitEthernet1/21
description ESA-IE-1 port M
switchport
switchport access vlan 2305
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/22
description ESA-IE-1 port D1
switchport
switchport access vlan 2305
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/23
description ESA-IE-1 port D2
switchport
switchport access vlan 2305
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/24
description ESA-IE-1 port D3
switchport
switchport access vlan 2305
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/25
description WSA-IE-1 port M
switchport
switchport access vlan 2307
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/26
no ip address
!
interface GigabitEthernet1/27
no ip address
!
interface GigabitEthernet1/28
no ip address
!
interface GigabitEthernet1/29
no ip address
!
interface GigabitEthernet1/30
no ip address
!
interface GigabitEthernet1/31
no ip address
!
interface GigabitEthernet1/32
no ip address
!
interface GigabitEthernet1/33
no ip address
!
interface GigabitEthernet1/34
no ip address
!
interface GigabitEthernet1/35
no ip address
!
interface GigabitEthernet1/36
no ip address
!
interface GigabitEthernet1/37
no ip address
!
interface GigabitEthernet1/38
no ip address
!
interface GigabitEthernet1/39
no ip address
!
interface GigabitEthernet1/40
no ip address
!
interface GigabitEthernet1/41
no ip address
!
interface GigabitEthernet1/42
no ip address
!
interface GigabitEthernet1/43
no ip address
!
interface GigabitEthernet1/44
no ip address
!
interface GigabitEthernet1/45
no ip address
!
interface GigabitEthernet1/46
no ip address
!
interface GigabitEthernet1/47
no ip address
!
interface GigabitEthernet1/48
no ip address
!
interface GigabitEthernet5/1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 99 mode active
!
interface GigabitEthernet5/2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 99 mode active
!
interface Vlan1
no ip address
!
interface Vlan21
description RIE-3 Management
ip address 192.168.21.91 255.255.255.0
crypto map myvpn
!
ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.21.10
ip route 10.10.0.0 255.255.0.0 192.168.21.1
ip route 10.10.0.0 255.255.252.0 192.168.21.10
ip route 10.10.192.0 255.255.240.0 172.26.0.2
ip route 192.168.0.0 255.255.0.0 192.168.21.1
ip route 192.168.23.0 255.255.255.0 192.168.21.10
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan21
!
logging trap debugging
logging source-interface Vlan21
logging 192.168.42.124
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 23
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps MAC-Notification change move threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
!
scheduler allocate 20000 1000
ntp clock-period 17180154
ntp source Vlan21
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
!
end
RIE-4
!
! Last configuration change at 23:18:02 PSTDST Wed Apr 27 2011 by retail
! NVRAM config last updated at 23:18:04 PSTDST Wed Apr 27 2011 by retail
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log uptime
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname RIE-4
!
boot-start-marker
boot system flash disk0:s72033-adventerprisek9_wan-mz.122-33.SXI5.bin
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 51200
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 82,83,85
svclc vlan-group 82 82
svclc vlan-group 83 83
svclc vlan-group 85 85
firewall multiple-vlan-interfaces
firewall vlan-group 200 21,22,2305-2307
firewall vlan-group 300 91,92
intrusion-detection module 2 management-port access-vlan 21
intrusion-detection module 2 data-port 1 trunk allowed-vlan 83,84
!
!
!
no ip bootp server
ip ssh version 2
ip scp server enable
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
ipv6 mfib hardware-switching replication-mode ingress
vtp mode transparent
no mls acl tcam share-global
mls netflow interface
mls cef error action freeze
password encryption aes
!
crypto pki trustpoint TP-self-signed-1112
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1112
revocation-check none
rsakeypair TP-self-signed-1112
!
!
crypto pki certificate chain TP-self-signed-1112
certificate self-signed 01
<removed>
quit
!
!
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic bootup level minimal
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.122 log
access-list 88 deny any log
access-list 101 permit gre host 192.168.21.91 host 128.107.147.109
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 21
name fwsm_inside
!
vlan 22
name fwsm_outside
!
vlan 82
name fwsm_ace_outside
!
vlan 83
name ace_IDSM
!
vlan 84
name IDSM_DMZ-inside
!
vlan 85
name ft_ace
!
vlan 91
name fwsm_failover
!
vlan 92
name fwsm_statelink
!
vlan 993
name Management
!
vlan 995
name DMZ_Management
!
vlan 2305
name fwsm_EmailSecurityAppliance
!
vlan 2306
name fwsm_EmailSecurityMgrAppliance
!
vlan 2307
name fwsm_WebSecApp
!
!
!
!
!
interface Port-channel99
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1
description RIE-1 G0/2
switchport
switchport access vlan 22
shutdown
!
interface GigabitEthernet1/2
description RIE-2 G0/2
switchport
switchport access vlan 22
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
description ASA-IE-2 G0
switchport
switchport access vlan 21
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface GigabitEthernet1/9
no ip address
shutdown
!
interface GigabitEthernet1/10
no ip address
shutdown
!
interface GigabitEthernet1/11
no ip address
shutdown
!
interface GigabitEthernet1/12
no ip address
shutdown
!
interface GigabitEthernet1/13
description ESA-IE-2 port M
switchport
switchport access vlan 2306
switchport mode access
shutdown
!
interface GigabitEthernet1/14
description ESA-IE-2 port D1
switchport
switchport access vlan 2306
switchport mode access
shutdown
!
interface GigabitEthernet1/15
description ESA-IE-2 port D2
switchport
switchport access vlan 2306
switchport mode access
shutdown
!
interface GigabitEthernet1/16
description ESA-IE-2 port D3
switchport
switchport access vlan 2306
switchport mode access
shutdown
!
interface GigabitEthernet1/17
description WSA-IE-2 port P1
no ip address
shutdown
!
interface GigabitEthernet1/18
description WSA-IE-2 port P2
no ip address
shutdown
!
interface GigabitEthernet1/19
description WSA-IE-2 port T1
no ip address
shutdown
!
interface GigabitEthernet1/20
description WSA-IE-2 port T2
no ip address
shutdown
!
interface GigabitEthernet1/21
description ESA-IE-2 port M
switchport
switchport access vlan 2305
switchport mode access
shutdown
!
interface GigabitEthernet1/22
description ESA-IE-2 port D1
switchport
switchport access vlan 2305
switchport mode access
shutdown
!
interface GigabitEthernet1/23
description ESA-IE-2 port D2
switchport
switchport access vlan 2305
switchport mode access
shutdown
!
interface GigabitEthernet1/24
description ESA-IE-2 port D3
switchport
switchport access vlan 2305
switchport mode access
shutdown
!
interface GigabitEthernet1/25
description WSA-IE-2 port M
switchport
switchport access vlan 2307
switchport mode access
!
interface GigabitEthernet1/26
no ip address
shutdown
!
interface GigabitEthernet1/27
no ip address
shutdown
!
interface GigabitEthernet1/28
no ip address
shutdown
!
interface GigabitEthernet1/29
no ip address
shutdown
!
interface GigabitEthernet1/30
no ip address
shutdown
!
interface GigabitEthernet1/31
no ip address
shutdown
!
interface GigabitEthernet1/32
no ip address
shutdown
!
interface GigabitEthernet1/33
no ip address
shutdown
!
interface GigabitEthernet1/34
no ip address
shutdown
!
interface GigabitEthernet1/35
no ip address
shutdown
!
interface GigabitEthernet1/36
no ip address
shutdown
!
interface GigabitEthernet1/37
no ip address
shutdown
!
interface GigabitEthernet1/38
no ip address
shutdown
!
interface GigabitEthernet1/39
no ip address
shutdown
!
interface GigabitEthernet1/40
no ip address
shutdown
!
interface GigabitEthernet1/41
no ip address
shutdown
!
interface GigabitEthernet1/42
no ip address
shutdown
!
interface GigabitEthernet1/43
no ip address
shutdown
!
interface GigabitEthernet1/44
no ip address
shutdown
!
interface GigabitEthernet1/45
no ip address
shutdown
!
interface GigabitEthernet1/46
no ip address
shutdown
!
interface GigabitEthernet1/47
no ip address
shutdown
!
interface GigabitEthernet1/48
no ip address
shutdown
!
interface GigabitEthernet5/1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 99 mode active
!
interface GigabitEthernet5/2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 99 mode active
!
interface Vlan1
no ip address
!
interface Vlan21
description RIE-3 Management
ip address 192.168.21.92 255.255.255.0
!
ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.21.10
ip route 10.10.0.0 255.255.0.0 192.168.21.1
ip route 10.10.0.0 255.255.252.0 192.168.21.10
ip route 10.10.192.0 255.255.240.0 172.26.0.2
ip route 192.168.0.0 255.255.0.0 192.168.21.1
ip route 192.168.23.0 255.255.255.0 192.168.21.10
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
logging source-interface Vlan21
logging 192.168.42.124
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 23
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps MAC-Notification change move threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner exec
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
!
ntp clock-period 17179993
ntp source Vlan21
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
!
end
rserv-1
!
! Last configuration change at 01:53:06 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:53:07 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname RSERV-1
!
boot-start-marker
boot system flash sup-bootdisk:/s72033-adventerprisek9_wan-mz.122-33.SXJ.bin
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
svclc module 4 vlan-group 162,163
svclc vlan-group 162 152,162
svclc vlan-group 163 153,163
intrusion-detection module 9 management-port access-vlan 42
intrusion-detection module 9 data-port 1 trunk allowed-vlan 153,154
intrusion-detection module 9 data-port 2 trunk allowed-vlan 163,164
ip wccp 61
ip wccp 62
!
!
!
no ip bootp server
ip multicast-routing
ip ssh version 2
ip scp server enable
no ip domain-lookup
ip domain-name cisco-irn.com
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
ipv6 mfib hardware-switching replication-mode ingress
vtp domain datacenter
vtp mode transparent
no mls acl tcam share-global
mls netflow interface
mls cef error action freeze
password encryption aes
!
crypto pki trustpoint TP-self-signed-1027
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1027
revocation-check none
rsakeypair TP-self-signed-1027
!
!
crypto pki certificate chain TP-self-signed-1027
certificate self-signed 01
<removed>
quit
!
!
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
spanning-tree mode pvst
!
no power enable module 8
diagnostic bootup level minimal
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 41
name DeviceManagementHTA
!
vlan 42
name DeviceManagement
!
vlan 43
name WIRELESS-CONTROL
!
vlan 44
name PhysicalSec
!
vlan 47
name WAAS_Central_Manager
!
vlan 49
name WAAS_DC
!
vlan 152
name NorthSide_facing_ASA_Servers2
!
vlan 153
name ACE_to_IDS_Servers2
!
vlan 154
name SouthSide_facing_Servers2
!
vlan 162
name NorthSide_facing_ASA_Servers1
!
vlan 163
name ACE_to_IDS_Servers1
!
vlan 164
name SouthSide_facing_Servers1
!
vlan 803
name RSERV-1_to_RAGG-1-VDC-2
!
vlan 1000
!
!
!
!
!
interface Loopback0
ip address 192.168.1.21 255.255.255.255
!
interface Loopback62
ip address 192.168.62.161 255.255.255.255
!
interface GigabitEthernet1/1
no ip address
shutdown
!
interface GigabitEthernet1/2
no ip address
shutdown
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
no ip address
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface GigabitEthernet1/9
no ip address
shutdown
!
interface GigabitEthernet1/10
no ip address
shutdown
!
interface GigabitEthernet1/11
no ip address
shutdown
!
interface GigabitEthernet1/12
no ip address
shutdown
!
interface GigabitEthernet1/13
no ip address
shutdown
!
interface GigabitEthernet1/14
no ip address
shutdown
!
interface GigabitEthernet1/15
no ip address
shutdown
!
interface GigabitEthernet1/16
no ip address
shutdown
!
interface TenGigabitEthernet2/1
description to RAGG-1 vdc2 T1/15
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 162
switchport mode trunk
!
interface TenGigabitEthernet2/2
description to RAGG-1 vdc2 T1/16
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 152
switchport mode trunk
!
interface TenGigabitEthernet2/3
no ip address
shutdown
!
interface TenGigabitEthernet2/4
no ip address
shutdown
!
interface TenGigabitEthernet2/5
description to RAGG-1 vdc2 T1/17
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 41-44,164,803
switchport mode trunk
!
interface TenGigabitEthernet2/6
description to RAGG-1 vdc2 T1/18
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 154
switchport mode trunk
!
interface TenGigabitEthernet2/7
no ip address
shutdown
!
interface TenGigabitEthernet2/8
no ip address
shutdown
!
interface GigabitEthernet5/1
no ip address
shutdown
!
interface GigabitEthernet5/2
no ip address
shutdown
!
interface GigabitEthernet6/1
no ip address
shutdown
!
interface GigabitEthernet6/2
no ip address
shutdown
!
interface GigabitEthernet7/1
no ip address
shutdown
!
interface GigabitEthernet7/2
no ip address
shutdown
!
interface GigabitEthernet7/3
no ip address
!
interface GigabitEthernet7/4
no ip address
!
interface GigabitEthernet7/5
no ip address
!
interface GigabitEthernet7/6
no ip address
!
interface GigabitEthernet7/7
no ip address
!
interface GigabitEthernet7/8
no ip address
!
interface GigabitEthernet7/9
no ip address
!
interface GigabitEthernet7/10
no ip address
!
interface GigabitEthernet7/11
no ip address
!
interface GigabitEthernet7/12
no ip address
!
interface GigabitEthernet7/13
no ip address
!
interface GigabitEthernet7/14
no ip address
!
interface GigabitEthernet7/15
no ip address
!
interface GigabitEthernet7/16
no ip address
!
interface GigabitEthernet7/17
description WAAS Central Manager
switchport
switchport access vlan 47
switchport mode access
!
interface GigabitEthernet7/18
no ip address
!
interface GigabitEthernet7/19
no ip address
!
interface GigabitEthernet7/20
no ip address
!
interface GigabitEthernet7/21
description AW-DC-1_G1
switchport
switchport access vlan 43
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/22
description AW-DC-2_G1
switchport
switchport access vlan 43
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/23
description MDS Management PAME-DC-1
switchport
switchport access vlan 44
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/24
description MDS Management MDS-DC-1_M0
switchport
switchport access vlan 41
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/25
description MDS Management MDS-DC-2_M0
switchport
switchport access vlan 41
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/26
no ip address
!
interface GigabitEthernet7/27
description ASA-WAN-1_M0
switchport
switchport access vlan 42
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/28
no ip address
!
interface GigabitEthernet7/29
description MSE-DC-1_G1
switchport
switchport access vlan 43
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/30
description MSE-DC-2_G1
switchport
switchport access vlan 43
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/31
no ip address
!
interface GigabitEthernet7/32
no ip address
!
interface GigabitEthernet7/33
description RSA enVision
switchport
switchport access vlan 42
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/34
no ip address
!
interface GigabitEthernet7/35
description WAE-DC-1
switchport
switchport access vlan 49
switchport mode access
!
interface GigabitEthernet7/36
no ip address
!
interface GigabitEthernet7/37
no ip address
!
interface GigabitEthernet7/38
no ip address
!
interface GigabitEthernet7/39
no ip address
!
interface GigabitEthernet7/40
no ip address
!
interface GigabitEthernet7/41
no ip address
!
interface GigabitEthernet7/42
no ip address
!
interface GigabitEthernet7/43
no ip address
!
interface GigabitEthernet7/44
no ip address
!
interface GigabitEthernet7/45
description hard crossover bridge
no ip address
shutdown
!
interface GigabitEthernet7/46
no ip address
!
interface GigabitEthernet7/47
no ip address
shutdown
!
interface GigabitEthernet7/48
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan803
description ** South Side facing Servers1 **
ip address 192.168.130.10 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf priority 0
!
router ospf 5
router-id 192.168.1.21
log-adjacency-changes
area 81 authentication message-digest
area 81 nssa
area 81 range 192.168.0.0 255.255.0.0
timers throttle spf 10 100 5000
passive-interface default
no passive-interface Vlan803
network 192.168.0.0 0.0.255.255 area 81
!
ip classless
no ip forward-protocol nd
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
!
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps MAC-Notification change move threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
!
ntp source Loopback0
ntp master 5
ntp update-calendar
ntp server 171.68.10.150
ntp server 171.68.10.80 prefer
mac-address-table aging-time 480
!
end
rserv-2
!
! Last configuration change at 01:50:12 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:50:13 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname RSERV-2
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
svclc module 4 vlan-group 162,163
svclc vlan-group 162 152,162
svclc vlan-group 163 153,163
intrusion-detection module 9 management-port access-vlan 42
intrusion-detection module 9 data-port 1 trunk allowed-vlan 153,154
intrusion-detection module 9 data-port 2 trunk allowed-vlan 163,164
ip wccp 61
ip wccp 62
!
!
!
no ip bootp server
ip multicast-routing
ip ssh version 2
ip scp server enable
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
ipv6 mfib hardware-switching replication-mode ingress
vtp domain CiscoRetail
vtp mode transparent
no mls acl tcam share-global
mls netflow interface
mls cef error action freeze
password encryption aes
!
crypto pki trustpoint TP-self-signed-1027
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1027
revocation-check none
rsakeypair TP-self-signed-1027
!
!
crypto pki certificate chain TP-self-signed-1027
certificate self-signed 01
<removed>
quit
!
!
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
spanning-tree mode pvst
!
no power enable module 8
diagnostic bootup level minimal
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 41
name DeviceManagementHTA
!
vlan 42
name DeviceManagement
!
vlan 43
name WIRELESS-CONTROL
!
vlan 44
name PhysicalSec
!
vlan 47
name WAAS_Central_Manager
!
vlan 49
name WAAS_DC
!
vlan 152
name NorthSide_facing_ASA_Servers2
!
vlan 153
name ACE_to_IDS_Servers2
!
vlan 154
name SouthSide_facing_Servers2
!
vlan 162
name NorthSide_facing_ASA_Servers1
!
vlan 163
name ACE_to_IDS_Servers1
!
vlan 164
name SouthSide_facing_Servers1
!
vlan 804
name RSERV-2_to_RAGG-2-VDC-2
!
vlan 1000
!
!
!
!
!
interface Loopback0
ip address 192.168.1.22 255.255.255.255
!
interface Loopback62
ip address 192.168.62.162 255.255.255.255
!
interface GigabitEthernet1/1
no ip address
shutdown
!
interface GigabitEthernet1/2
no ip address
shutdown
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
no ip address
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface GigabitEthernet1/9
no ip address
shutdown
!
interface GigabitEthernet1/10
no ip address
shutdown
!
interface GigabitEthernet1/11
no ip address
shutdown
!
interface GigabitEthernet1/12
no ip address
shutdown
!
interface GigabitEthernet1/13
no ip address
shutdown
!
interface GigabitEthernet1/14
no ip address
shutdown
!
interface GigabitEthernet1/15
no ip address
shutdown
!
interface GigabitEthernet1/16
no ip address
shutdown
!
interface TenGigabitEthernet2/1
description to RAGG-2 vdc2 T1/15
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 162
switchport mode trunk
!
interface TenGigabitEthernet2/2
description to RAGG-2 vdc2 T1/16
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 152
switchport mode trunk
!
interface TenGigabitEthernet2/3
no ip address
shutdown
!
interface TenGigabitEthernet2/4
no ip address
shutdown
!
interface TenGigabitEthernet2/5
description to RAGG-2 vdc2 T1/18
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 41-44,164,804
switchport mode trunk
!
interface TenGigabitEthernet2/6
description to RAGG-2 vdc2 T1/17
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 154
switchport mode trunk
!
interface TenGigabitEthernet2/7
no ip address
shutdown
!
interface TenGigabitEthernet2/8
no ip address
shutdown
!
interface GigabitEthernet5/1
no ip address
shutdown
!
interface GigabitEthernet5/2
no ip address
shutdown
!
interface GigabitEthernet6/1
no ip address
shutdown
!
interface GigabitEthernet6/2
no ip address
shutdown
!
interface GigabitEthernet7/1
switchport
switchport access vlan 42
!
interface GigabitEthernet7/2
no ip address
!
interface GigabitEthernet7/3
no ip address
!
interface GigabitEthernet7/4
no ip address
!
interface GigabitEthernet7/5
description WAE-DC-2
switchport
switchport access vlan 48
switchport mode access
!
interface GigabitEthernet7/6
no ip address
!
interface GigabitEthernet7/7
no ip address
!
interface GigabitEthernet7/8
no ip address
!
interface GigabitEthernet7/9
no ip address
!
interface GigabitEthernet7/10
no ip address
!
interface GigabitEthernet7/11
no ip address
!
interface GigabitEthernet7/12
no ip address
!
interface GigabitEthernet7/13
no ip address
!
interface GigabitEthernet7/14
no ip address
!
interface GigabitEthernet7/15
no ip address
!
interface GigabitEthernet7/16
no ip address
!
interface GigabitEthernet7/17
no ip address
!
interface GigabitEthernet7/18
no ip address
!
interface GigabitEthernet7/19
no ip address
!
interface GigabitEthernet7/20
no ip address
!
interface GigabitEthernet7/21
no ip address
!
interface GigabitEthernet7/22
no ip address
!
interface GigabitEthernet7/23
description PAME-DC-1
switchport
switchport access vlan 44
switchport mode access
!
interface GigabitEthernet7/24
no ip address
!
interface GigabitEthernet7/25
no ip address
!
interface GigabitEthernet7/26
no ip address
!
interface GigabitEthernet7/27
description ASA-WAN-2_M0
switchport
switchport access vlan 42
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet7/28
no ip address
!
interface GigabitEthernet7/29
no ip address
!
interface GigabitEthernet7/30
no ip address
!
interface GigabitEthernet7/31
no ip address
!
interface GigabitEthernet7/32
no ip address
!
interface GigabitEthernet7/33
no ip address
!
interface GigabitEthernet7/34
no ip address
!
interface GigabitEthernet7/35
no ip address
!
interface GigabitEthernet7/36
no ip address
!
interface GigabitEthernet7/37
no ip address
!
interface GigabitEthernet7/38
no ip address
!
interface GigabitEthernet7/39
no ip address
!
interface GigabitEthernet7/40
no ip address
!
interface GigabitEthernet7/41
no ip address
!
interface GigabitEthernet7/42
no ip address
!
interface GigabitEthernet7/43
no ip address
!
interface GigabitEthernet7/44
no ip address
!
interface GigabitEthernet7/45
no ip address
!
interface GigabitEthernet7/46
no ip address
!
interface GigabitEthernet7/47
no ip address
!
interface GigabitEthernet7/48
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan42
ip address 192.168.42.47 255.255.255.0
!
interface Vlan804
description ** South Side facing Servers1 **
ip address 192.168.130.14 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 <removed>
ip ospf priority 0
!
router ospf 5
router-id 192.168.1.22
log-adjacency-changes
area 81 authentication message-digest
area 81 nssa
area 81 range 192.168.0.0 255.255.0.0
timers throttle spf 10 100 5000
passive-interface default
no passive-interface Vlan804
network 192.168.0.0 0.0.255.255 area 81
!
ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.42.1 255 name backup_default
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
!
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps MAC-Notification change move threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
!
ntp source Loopback0
ntp master 5
ntp update-calendar
ntp server 171.68.10.150
ntp server 171.68.10.80 prefer
mac-address-table aging-time 480
!
end
rwan-1
!
! Last configuration change at 01:17:13 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:17:14 PSTDST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname RWAN-1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 4 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8 0
clock summer-time PSTDST recurring
ip source-route
!
!
!
no ip bootp server
no ip domain lookup
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip multicast-routing distributed
!
!
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
!
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1264044905
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1264044905
revocation-check none
rsakeypair TP-self-signed-1264044905
!
!
crypto pki certificate chain TP-self-signed-1264044905
certificate self-signed 01
<removed>
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
username retail privilege 15 secret 4 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 4 <removed>
username bmcgloth privilege 15 secret 4 <removed>
username csmadmin privilege 15 secret 4 <removed>
!
redundancy
mode none
!
!
!
ip ssh version 2
ip scp server enable
!
class-map match-all BRANCH-BULK-DATA
match access-group name BULK-DATA-APPS
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-any BRANCH-TRANSACTIONAL-DATA
match protocol telnet
match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
match ip dscp ef
class-map match-all MISSION-CRITICAL-DATA
match ip dscp 25
class-map match-any BRANCH-NET-MGMT
match protocol dns
match access-group name NET-MGMT-APPS
class-map match-all ROUTING
match ip dscp cs6
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-all NET-MGMT
match ip dscp cs2
class-map match-any BRANCH-SCAVENGER
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
!
policy-map DataCenter-LAN-EDGE-OUT
class class-default
policy-map DataCenter-LAN-EDGE-IN
class BRANCH-MISSION-CRITICAL
set ip dscp 25
class BRANCH-TRANSACTIONAL-DATA
set ip dscp af21
class BRANCH-NET-MGMT
set ip dscp cs2
class BRANCH-BULK-DATA
set ip dscp af11
class BRANCH-SCAVENGER
set ip dscp cs1
policy-map DataCenter-WAN-EDGE
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class ROUTING
bandwidth percent 3
class NET-MGMT
bandwidth percent 2
class MISSION-CRITICAL-DATA
bandwidth percent 15
random-detect
class TRANSACTIONAL-DATA
bandwidth percent 1
random-detect dscp-based
class class-default
bandwidth percent 25
random-detect
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.111 255.255.255.255
!
interface GigabitEthernet0/0/0
description SWAN-1
ip address 192.168.11.2 255.255.255.0
standby 1 ip 192.168.11.1
standby 1 priority 105
standby 1 preempt
no negotiation auto
service-policy input DataCenter-LAN-EDGE-IN
service-policy output DataCenter-LAN-EDGE-OUT
!
interface GigabitEthernet0/0/1
no ip address
no negotiation auto
!
interface GigabitEthernet0/0/2
description RSP-1 G0/1
ip address 10.10.1.6 255.255.255.0
no negotiation auto
service-policy output DataCenter-WAN-EDGE
!
interface GigabitEthernet0/0/3
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 192.168.11.60
ip route 10.10.0.0 255.255.0.0 10.10.1.1
ip route 10.10.0.0 255.255.0.0 192.168.11.3 50
ip route 10.10.0.0 255.255.255.0 192.168.11.60
ip route 10.10.2.0 255.255.255.0 192.168.11.3
ip route 10.10.3.0 255.255.255.0 192.168.11.60
ip route 10.10.4.0 255.255.255.0 192.168.11.60
ip route 10.10.110.2 255.255.255.255 192.168.11.3
ip route 10.10.126.2 255.255.255.255 192.168.11.3
ip route 10.10.254.0 255.255.255.0 192.168.11.3
ip route 192.168.0.0 255.255.0.0 192.168.11.10
ip route 192.168.1.112 255.255.255.255 192.168.11.3
ip route 192.168.20.0 255.255.252.0 192.168.11.60
ip route 192.168.24.0 255.255.255.0 192.168.11.60
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
remark ---File Transfer---
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark ---E-mail traffic---
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
remark ---other EDM app protocols---
permit tcp any any range 3460 3466
permit tcp any range 3460 3466 any
remark ---messaging services---
permit tcp any any eq 2980
permit tcp any eq 2980 any
remark ---Microsoft file services---
permit tcp any any range 137 139
permit tcp any range 137 139 any
ip access-list extended MISSION-CRITICAL-SERVERS
remark ---POS Applications---
permit ip 192.168.52.0 0.0.0.255 any
ip access-list extended NET-MGMT-APPS
remark - Router user Authentication - Identifies TACACS Control traffic
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
remark ---Workbrain Application---
remark --Large Store Clock Server to Central Clock Application
permit tcp host 192.168.46.72 eq 8444 host 10.10.49.94
remark --Large store Clock Server to CUAE
permit tcp host 192.168.45.185 eq 8000 host 10.10.49.94
remark ---LiteScape Application---
permit ip host 192.168.46.82 any
permit ip 239.192.0.0 0.0.0.255 any
permit ip host 239.255.255.250 any
remark ---Remote Desktop---
permit tcp any any eq 3389
permit tcp any eq 3389 any
remark ---Oracle SIM---
permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
cdp run
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps flash insertion removal
snmp-server host 192.168.42.124 remoteuser
!
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
no exec
transport preferred none
transport output none
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 17186047
ntp source Loopback0
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
rwan-2
!
! Last configuration change at 01:31:03 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:31:04 PST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname RWAN-2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8 0
clock summer-time PST recurring
ip source-route
!
!
!
no ip bootp server
no ip domain lookup
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip multicast-routing distributed
!
!
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
!
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1414178861
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1414178861
revocation-check none
rsakeypair TP-self-signed-1414178861
!
!
crypto pki certificate chain TP-self-signed-1414178861
certificate self-signed 01
<removed>
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
username retail privilege 15 secret 4 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 4 <removed>
username bmcgloth privilege 15 secret 4 <removed>
username csmadmin privilege 15 secret 4 <removed>
!
redundancy
mode none
!
!
!
ip ssh version 2
ip scp server enable
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.112 255.255.255.255
ip pim sparse-dense-mode
!
interface GigabitEthernet0/0/0
description SWAN-2
ip address 192.168.11.3 255.255.255.0
standby 1 ip 192.168.11.1
standby 1 priority 95
no negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
no negotiation auto
!
interface GigabitEthernet0/0/2
description RSP-2 G0/1
ip address 10.10.2.6 255.255.255.0
no negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 192.168.11.60
ip route 10.10.0.0 255.255.0.0 10.10.2.1
ip route 10.10.0.0 255.255.0.0 192.168.11.2 50
ip route 10.10.0.0 255.255.255.0 192.168.11.60
ip route 10.10.1.0 255.255.255.0 192.168.11.2
ip route 10.10.3.0 255.255.255.0 192.168.11.60
ip route 10.10.4.0 255.255.255.0 192.168.11.60
ip route 10.10.110.1 255.255.255.255 192.168.11.2
ip route 10.10.126.1 255.255.255.255 192.168.11.2
ip route 10.10.255.0 255.255.255.0 192.168.11.2
ip route 192.168.0.0 255.255.0.0 192.168.11.10
ip route 192.168.1.111 255.255.255.255 192.168.11.2
ip route 192.168.20.0 255.255.252.0 192.168.11.60
ip route 192.168.24.0 255.255.255.0 192.168.11.60
ip tacacs source-interface Loopback0
!
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps flash insertion removal
snmp-server host 192.168.42.124 remoteuser
!
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
!
control-plane
!
!
!
!
banner exec C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line aux 0
session-timeout 1 output
exec-timeout 0 1
privilege level 0
login authentication RETAIL
no exec
transport preferred none
transport output none
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 17219603
ntp source Loopback0
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-Conv-1
Building configuration...
Current configuration : 8808 bytes
!
! Last configuration change at 02:11:23 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:11:23 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname S-A2-Conv-1
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-3179870208
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3179870208
revocation-check none
rsakeypair TP-self-signed-3179870208
!
!
crypto pki certificate chain TP-self-signed-3179870208
certificate self-signed 01
<removed>
quit
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
description AIR-CAP1042N
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.175.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.175.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131 timeout 5
tacacs-server directed-request
tacacs-server key 7 <removed>
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36028799
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-Lrg-1
S-A2-LRG-1#sh run
Building configuration...
Current configuration : 21232 bytes
!
! Last configuration change at 02:39:20 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:39:22 PSTDST Sat Apr 30 2011 by retail
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service compress-config
service sequence-numbers
!
hostname S-A2-LRG-1
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.01.00.SG.150-1.XO.bin
boot-end-marker
!
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
ip subnet-zero
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
!
!
no ip bootp server
ip vrf Mgmt-vrf
!
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
vtp mode transparent
!
password encryption aes
!
crypto pki trustpoint CISCO_IDEVID_SUDI
revocation-check none
rsakeypair CISCO_IDEVID_SUDI
!
crypto pki trustpoint CISCO_IDEVID_SUDI0
revocation-check none
!
crypto pki trustpoint TP-self-signed-145264
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-145264
revocation-check none
rsakeypair TP-self-signed-145264
!
!
crypto pki certificate chain CISCO_IDEVID_SUDI
certificate 686CBFDE00000015EFB1
<removed>
quit
certificate ca 6A6967B3000000000003
<removed>
quit
crypto pki certificate chain CISCO_IDEVID_SUDI0
certificate ca 5FF87B282B54DC8D42A315B568C9ADFF
<removed>
quit
crypto pki certificate chain TP-self-signed-145264
certificate self-signed 01
<removed>
quit
power redundancy-mode redundant
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode rpr
!
vlan internal allocation policy ascending
!
vlan 11
name POS
!
vlan 12
name DATA
!
vlan 13
name VOICE
!
vlan 14
name WIRELESS
!
vlan 15
name WIRELESS-POS
!
vlan 16
name PARTNER
!
vlan 17
name WIRELESS-GUEST
!
vlan 18
name WIRELESS-CONTROL
!
vlan 19
name WAAS
!
vlan 20
name SECURITY-SYSTEMS
!
vlan 101
name RouterLink101
!
vlan 102
name RouterLink102
!
vlan 1000
name MANAGEMENT
!
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet1
ip vrf forwarding Mgmt-vrf
no ip address
shutdown
speed auto
duplex auto
!
interface TenGigabitEthernet3/1
shutdown
!
interface TenGigabitEthernet3/2
shutdown
!
interface TenGigabitEthernet3/3
shutdown
!
interface TenGigabitEthernet3/4
shutdown
!
interface GigabitEthernet5/1
shutdown
!
interface GigabitEthernet5/2
shutdown
!
interface GigabitEthernet5/3
shutdown
!
interface GigabitEthernet5/4
shutdown
!
interface GigabitEthernet5/5
shutdown
!
interface GigabitEthernet5/6
shutdown
!
interface GigabitEthernet5/7
shutdown
!
interface GigabitEthernet5/8
shutdown
!
interface GigabitEthernet5/9
shutdown
!
interface GigabitEthernet5/10
shutdown
!
interface GigabitEthernet5/11
shutdown
!
interface GigabitEthernet5/12
shutdown
!
interface GigabitEthernet5/13
shutdown
!
interface GigabitEthernet5/14
shutdown
!
interface GigabitEthernet5/15
shutdown
!
interface GigabitEthernet5/16
shutdown
!
interface GigabitEthernet5/17
shutdown
!
interface GigabitEthernet5/18
shutdown
!
interface GigabitEthernet5/19
shutdown
!
interface GigabitEthernet5/20
shutdown
!
interface GigabitEthernet5/21
shutdown
!
interface GigabitEthernet5/22
shutdown
!
interface GigabitEthernet5/23
shutdown
!
interface GigabitEthernet5/24
shutdown
!
interface GigabitEthernet5/25
shutdown
!
interface GigabitEthernet5/26
shutdown
!
interface GigabitEthernet5/27
shutdown
!
interface GigabitEthernet5/28
shutdown
!
interface GigabitEthernet5/29
shutdown
!
interface GigabitEthernet5/30
shutdown
!
interface GigabitEthernet5/31
shutdown
!
interface GigabitEthernet5/32
shutdown
!
interface GigabitEthernet5/33
shutdown
!
interface GigabitEthernet5/34
shutdown
!
interface GigabitEthernet5/35
shutdown
!
interface GigabitEthernet5/36
shutdown
!
interface GigabitEthernet5/37
shutdown
!
interface GigabitEthernet5/38
shutdown
!
interface GigabitEthernet5/39
shutdown
!
interface GigabitEthernet5/40
shutdown
!
interface GigabitEthernet5/41
shutdown
!
interface GigabitEthernet5/42
shutdown
!
interface GigabitEthernet5/43
shutdown
!
interface GigabitEthernet5/44
shutdown
!
interface GigabitEthernet5/45
shutdown
!
interface GigabitEthernet5/46
shutdown
!
interface GigabitEthernet5/47
shutdown
!
interface GigabitEthernet5/48
shutdown
!
interface GigabitEthernet6/1
!
interface GigabitEthernet6/2
shutdown
!
interface GigabitEthernet6/3
shutdown
!
interface GigabitEthernet6/4
shutdown
!
interface GigabitEthernet6/5
shutdown
!
interface GigabitEthernet6/6
shutdown
!
interface GigabitEthernet6/7
shutdown
!
interface GigabitEthernet6/8
shutdown
!
interface GigabitEthernet6/9
shutdown
!
interface GigabitEthernet6/10
description MSP-A2-LRG-1
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/11
shutdown
!
interface GigabitEthernet6/12
shutdown
!
interface GigabitEthernet6/13
shutdown
!
interface GigabitEthernet6/14
shutdown
!
interface GigabitEthernet6/15
shutdown
!
interface GigabitEthernet6/16
shutdown
!
interface GigabitEthernet6/17
description WLC-A2-LRG-1_G1
switchport access vlan 18
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/18
description WLC-A2-LRG-1_G2
switchport trunk allowed vlan 14-17
switchport mode trunk
!
interface GigabitEthernet6/19
shutdown
!
interface GigabitEthernet6/20
shutdown
!
interface GigabitEthernet6/21
shutdown
!
interface GigabitEthernet6/22
shutdown
!
interface GigabitEthernet6/23
shutdown
!
interface GigabitEthernet6/24
shutdown
!
interface GigabitEthernet6/25
shutdown
!
interface GigabitEthernet6/26
shutdown
!
interface GigabitEthernet6/27
shutdown
!
interface GigabitEthernet6/28
shutdown
!
interface GigabitEthernet6/29
shutdown
!
interface GigabitEthernet6/30
shutdown
!
interface GigabitEthernet6/31
shutdown
!
interface GigabitEthernet6/32
shutdown
!
interface GigabitEthernet6/33
shutdown
!
interface GigabitEthernet6/34
shutdown
!
interface GigabitEthernet6/35
shutdown
!
interface GigabitEthernet6/36
shutdown
!
interface GigabitEthernet6/37
shutdown
!
interface GigabitEthernet6/38
shutdown
!
interface GigabitEthernet6/39
shutdown
!
interface GigabitEthernet6/40
shutdown
!
interface GigabitEthernet6/41
switchport mode trunk
!
interface GigabitEthernet6/42
shutdown
!
interface GigabitEthernet6/43
switchport mode trunk
!
interface GigabitEthernet6/44
shutdown
!
interface GigabitEthernet6/45
switchport mode trunk
!
interface GigabitEthernet6/46
!
interface GigabitEthernet6/47
switchport mode trunk
!
interface GigabitEthernet6/48
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.111.11 255.255.255.0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.111.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
!
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
no snmp-server enable traps license
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps errdisable
snmp-server enable traps vlan-membership
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
banner exec ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^CC
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 17202862
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-LRG-1#
S-A2-Lrg-2
S-A2-LRG-2#sh run
Building configuration...
Current configuration : 20118 bytes
!
! Last configuration change at 02:45:12 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:45:13 PSTDST Sat Apr 30 2011 by retail
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service compress-config
service sequence-numbers
!
hostname S-A2-LRG-2
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.01.00.SG.150-1.XO.bin
boot-end-marker
!
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
ip subnet-zero
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
!
!
no ip bootp server
ip vrf Mgmt-vrf
!
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
vtp mode transparent
!
password encryption aes
!
crypto pki trustpoint CISCO_IDEVID_SUDI
revocation-check none
rsakeypair CISCO_IDEVID_SUDI
!
crypto pki trustpoint CISCO_IDEVID_SUDI0
revocation-check none
!
crypto pki trustpoint TP-self-signed-145261
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-145261
revocation-check none
rsakeypair TP-self-signed-145261
!
!
crypto pki certificate chain CISCO_IDEVID_SUDI
certificate 6B46CD9B00000015F50E
<removed>
quit
certificate ca 6A6967B3000000000003
<removed>
quit
crypto pki certificate chain CISCO_IDEVID_SUDI0
certificate ca 5FF87B282B54DC8D42A315B568C9ADFF
<removed>
quit
crypto pki certificate chain TP-self-signed-145261
certificate self-signed 01
<removed>
quit
power redundancy-mode redundant
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode rpr
!
vlan internal allocation policy ascending
!
vlan 11
name POS
!
vlan 12
name DATA
!
vlan 13
name VOICE
!
vlan 14
name WIRELESS
!
vlan 15
name WIRELESS-POS
!
vlan 16
name PARTNER
!
vlan 17
name WIRELESS-GUEST
!
vlan 18
name WIRELESS-CONTROL
!
vlan 19
name WAAS
!
vlan 20
name SECURITY-SYSTEMS
!
vlan 101
name RouterLink101
!
vlan 102
name RouterLink102
!
vlan 1000
name MANAGEMENT
!
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet1
ip vrf forwarding Mgmt-vrf
no ip address
shutdown
speed auto
duplex auto
!
interface TenGigabitEthernet3/1
shutdown
!
interface TenGigabitEthernet3/2
shutdown
!
interface TenGigabitEthernet3/3
shutdown
!
interface TenGigabitEthernet3/4
shutdown
!
interface GigabitEthernet6/1
!
interface GigabitEthernet6/2
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/3
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/4
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/5
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/6
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/7
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/8
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/9
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/10
description MSP-A2-LRG-1
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/11
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/12
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/13
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/14
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/15
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/16
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/17
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/18
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/19
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/20
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/21
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/22
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/23
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/24
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/25
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/26
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/27
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/28
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/29
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/30
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/31
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/32
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/33
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/34
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/35
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/36
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/37
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/38
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/39
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/40
switchport access vlan 17
shutdown
!
interface GigabitEthernet6/41
switchport mode trunk
!
interface GigabitEthernet6/42
!
interface GigabitEthernet6/43
switchport mode trunk
!
interface GigabitEthernet6/44
!
interface GigabitEthernet6/45
switchport mode trunk
!
interface GigabitEthernet6/46
!
interface GigabitEthernet6/47
switchport mode trunk
!
interface GigabitEthernet6/48
!
interface Vlan1
no ip address
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.111.12 255.255.255.0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.111.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
!
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
no snmp-server enable traps license
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps errdisable
snmp-server enable traps vlan-membership
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
banner exec ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^CC
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 17211501
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
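The two Cisco Catalyst 4500 configurations above (S-A2-LRG-1 and S-A2-LRG-2) share one management-plane baseline: AAA with TACACS+ fallback to local, SSHv2-only vty lines fenced by access-list 23 with a 15-minute exec-timeout, login throttling via login block-for, SNMPv3 restricted to a single trap receiver by access-list 88, and HTTPS with a pinned cipher suite. A practitioner reviewing a fleet of such switches wants that baseline checked mechanically rather than by eye, and also wants the deviations the eye misses: S-A2-LRG-2 leaves interface Vlan1 up where S-A2-LRG-1 shuts it, both switches have enabled ports with no configuration at all (GigabitEthernet6/1 and 6/46 on S-A2-LRG-1; 6/42, 6/44, 6/46 and 6/48 on S-A2-LRG-2), the SNMPv3 group is noauth (acceptable only because it is trap-only and ACL-bound, but worth a finding), and ip http secure-ciphersuite is limited to 3DES. The following audit script is an added example and is not part of the Cisco design guide or its configurations. It assumes the one-space sub-command indentation that show run actually prints (the copy on this page has that indentation stripped), and the sample configs embedded in it are constructed excerpts modelled on the two switches, not the full dumps.

```python
"""Audit an IOS show-run dump against the branch-switch management-plane
baseline.  Added example: not Cisco code, not from the design guide."""
import re


def parse_ios(text):
    """Split a show-run dump into (command, [sub-commands]) blocks.

    IOS prints sub-commands indented by one space; that indent is the only
    structure this parser needs.  Banner text and certificate blobs become
    spurious top-level entries, which none of the checks below match."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(text):
    """Return a sorted list of findings; an empty list means the baseline holds."""
    blocks = parse_ios(text)
    top = {cmd for cmd, _ in blocks}
    findings = []
    # AAA, SSH and brute-force throttling must be present globally.
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing")
    if "ip ssh version 2" not in top:
        findings.append("ssh v2 not enforced")
    if not any(c.startswith("login block-for") for c in top):
        findings.append("no login block-for (brute-force throttling)")
    # Every vty line: SSH only, inbound access-class, non-zero exec-timeout.
    for cmd, sub in blocks:
        if not cmd.startswith("line vty"):
            continue
        if "transport input ssh" not in sub:
            findings.append(f"{cmd}: transport input is not ssh-only")
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in sub):
            findings.append(f"{cmd}: no inbound access-class")
        if not any(s.startswith("exec-timeout ") and s != "exec-timeout 0 0" for s in sub):
            findings.append(f"{cmd}: no exec-timeout")
    # SNMP and HTTPS: no v1/v2c communities, flag noauth v3 groups and 3DES.
    for cmd in top:
        if cmd.startswith("snmp-server community"):
            findings.append("SNMPv1/v2c community configured")
        if cmd.startswith("snmp-server group") and " v3 noauth" in cmd:
            findings.append(f"SNMPv3 group without authentication: {cmd.split()[2]}")
        if cmd.startswith("ip http secure-ciphersuite") and "3des" in cmd:
            findings.append("HTTPS limited to 3DES cipher suite")
    # Interfaces: Vlan1 must be shut; an enabled port with neither a
    # description nor any switchport command is an unmanaged attack surface.
    for cmd, sub in blocks:
        if not cmd.startswith("interface "):
            continue
        name = cmd.split(None, 1)[1]
        if name == "Vlan1" and "shutdown" not in sub:
            findings.append("interface Vlan1 not shut down")
        physical = re.match(r"(Ten)?GigabitEthernet\d", name)
        if physical and "shutdown" not in sub and not any(
                s.startswith(("description", "switchport")) for s in sub):
            findings.append(f"{name}: enabled with default (unconfigured) port settings")
    return sorted(findings)


# Constructed excerpt modelled on S-A2-LRG-1, with the one-space indent
# restored.  Only the lines the checks look at are included.
BASE = """\
aaa new-model
ip ssh version 2
login block-for 1800 attempts 6 within 1800
ip http secure-ciphersuite 3des-ede-cbc-sha
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
interface GigabitEthernet6/1
interface GigabitEthernet6/10
 description MSP-A2-LRG-1
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet6/11
 shutdown
line vty 0 4
 access-class 23 in
 exec-timeout 15 0
 transport input ssh
"""
LRG1 = BASE + "interface Vlan1\n no ip address\n shutdown\n"   # Vlan1 shut
LRG2 = BASE + "interface Vlan1\n no ip address\n"              # Vlan1 left up

if __name__ == "__main__":
    for label, cfg in (("S-A2-LRG-1", LRG1), ("S-A2-LRG-2", LRG2)):
        print(label)
        for finding in audit(cfg):
            print("  -", finding)
```

Run it against real dumps by reading the file into audit(); the checks deliberately key on exact IOS command spellings so that a typo in a pasted baseline (for example exec-timeout 0 0, which disables the timeout) is reported rather than silently accepted.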
S-A2-Lrg-3
S-A2-LRG-3#sh run
Building configuration...
Current configuration : 20730 bytes
!
! Last configuration change at 02:52:21 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:52:23 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname S-A2-LRG-3
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
logging monitor informational
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
macro name dot1x
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
@
!
macro global description dot1x
macro auto sticky
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa authorization configuration default group radius
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa server radius dynamic-author
client 192.168.42.111
server-key 7 <removed>
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
authentication mac-move permit
!
!
ip dhcp snooping vlan 1,11
no ip dhcp snooping information option
ip dhcp snooping
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
ip device tracking
ip admission name ise proxy http inactivity-time 60
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
vtp mode transparent
!
cts sxp enable
cts sxp default source-ip 10.10.111.13
password encryption aes
!
crypto pki trustpoint TP-self-signed-4268543232
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4268543232
revocation-check none
rsakeypair TP-self-signed-4268543232
!
!
crypto pki certificate chain TP-self-signed-4268543232
certificate self-signed 01
<removed>
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
dot1x system-auth-control
!
fallback profile ise
ip access-group ACL-DEFAULT in
ip admission ise
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 11
name POS
!
vlan 12
name DATA
!
vlan 13
name VOICE
!
vlan 14
name WIRELESS
!
vlan 15
name WIRELESS-POS
!
vlan 16
name PARTNER
!
vlan 17
name WIRELESS-GUEST
!
vlan 18
name WIRELESS-CONTROL
!
vlan 19
name WAAS
!
vlan 20
name SECURITY-SYSTEMS
!
vlan 101
name RouterLink101
!
vlan 102
name RouterLink102
!
vlan 1000
name MANAGEMENT
!
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet0/1
description uplink
!
interface GigabitEthernet0/2
description uplink
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
description Cisco9971 IP phone
switchport access vlan 11
switchport voice vlan 13
spanning-tree portfast
!
interface GigabitEthernet0/5
description IP Camera - 4300
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/6
description CIAC-GW
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/7
shutdown
!
interface GigabitEthernet0/8
shutdown
!
interface GigabitEthernet0/9
shutdown
!
interface GigabitEthernet0/10
shutdown
!
interface GigabitEthernet0/11
shutdown
!
interface GigabitEthernet0/12
shutdown
!
interface GigabitEthernet0/13
shutdown
!
interface GigabitEthernet0/14
shutdown
!
interface GigabitEthernet0/15
shutdown
!
interface GigabitEthernet0/16
shutdown
!
interface GigabitEthernet0/17
shutdown
!
interface GigabitEthernet0/18
shutdown
!
interface GigabitEthernet0/19
shutdown
!
interface GigabitEthernet0/20
shutdown
!
interface GigabitEthernet0/21
shutdown
!
interface GigabitEthernet0/22
shutdown
!
interface GigabitEthernet0/23
shutdown
!
interface GigabitEthernet0/24
shutdown
!
interface GigabitEthernet0/25
description open-mode 802.1x+mab+mda+acl
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/26
description mobile worker
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/27
shutdown
!
interface GigabitEthernet0/28
shutdown
!
interface GigabitEthernet0/29
shutdown
!
interface GigabitEthernet0/30
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/31
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/32
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/33
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/34
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/35
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/36
switchport access vlan 11
switchport mode access
switchport voice vlan 13
ip arp inspection limit rate 1000
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
authentication fallback ise
mab
snmp trap mac-notification change added
macro description dot1x
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/37
shutdown
!
interface GigabitEthernet0/38
shutdown
!
interface GigabitEthernet0/39
shutdown
!
interface GigabitEthernet0/40
shutdown
!
interface GigabitEthernet0/41
shutdown
!
interface GigabitEthernet0/42
shutdown
!
interface GigabitEthernet0/43
shutdown
!
interface GigabitEthernet0/44
shutdown
!
interface GigabitEthernet0/45
shutdown
!
interface GigabitEthernet0/46
shutdown
!
interface GigabitEthernet0/47
shutdown
!
interface GigabitEthernet0/48
shutdown
!
interface GigabitEthernet1/1
shutdown
!
interface GigabitEthernet1/2
shutdown
!
interface GigabitEthernet1/3
shutdown
!
interface GigabitEthernet1/4
shutdown
!
interface TenGigabitEthernet1/1
shutdown
!
interface TenGigabitEthernet1/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.111.13 255.255.255.0
!
ip default-gateway 10.10.111.1
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark ICMP Ping
permit icmp any any
remark PXE Boot
permit udp any any eq tftp
remark URL Redirect
permit tcp any host 192.168.42.111 eq www
permit tcp any host 192.168.42.111 eq 443
permit tcp any host 192.168.42.112 eq www
permit tcp any host 192.168.42.112 eq 443
remark Guest Portal
permit tcp any host 192.168.42.111 eq 8443
permit tcp any host 192.168.42.112 eq 8443
deny ip any any
ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 192.168.42.111
deny ip any host 192.168.42.130
permit ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
remark Don't match traffic sent to ISE PDP Nodes
deny ip any host 192.168.42.111
deny ip any host 192.168.42.112
deny ip any host 10.35.48.242
deny ip any host 171.71.169.207
permit ip any any
!
ip sla enable reaction-alerts
logging trap debugging
logging origin-id ip
logging source-interface Vlan1000
logging 192.168.42.124
logging host 192.168.42.111 transport udp port 20514
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
snmp-server host 192.168.42.111 version 2c retaillabISE dot1x mac-notification snmp
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.42.111 auth-port 1812 acct-port 1813 key 7 <removed>
radius-server vsa send accounting
radius-server vsa send authentication
!
banner exec ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^CC
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36027134
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
mac address-table notification change interval 0
mac address-table notification change
end
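The two access-switch configurations on this page use two different 802.1X port templates: the ports of the switch whose configuration ends above carry `authentication violation restrict`, `spanning-tree bpduguard enable` and `ip dhcp snooping limit rate` alongside `ip access-group ACL-DEFAULT in`, while the `open-mode 802.1x+mab+mda+acl` ports of S-A2-LRG-4 below carry only the pre-authentication ACL. The Python script below is an added example, not part of the design guide or of the switch configurations; it parses `show run` text into interface blocks and reports every 802.1X/MAB port missing a line from a hardening baseline, plus any SNMPv3 group configured `noauth`. The baseline list (`REQUIRED_PORT_LINES`) is this editor's choice, taken from the fully hardened ports above, and the sample configuration embedded in the script is constructed to mirror the two port styles on this page.

```python
"""Audit Cisco IOS access-port hardening from show-run text (added example).

The baseline below is modelled on the fully hardened 802.1X/MAB ports in the
configuration above; it is an assumption of this example, not a Cisco default.
"""
import re

# Commands every 802.1X/MAB access port is expected to carry (assumed baseline).
# Each entry is matched as a prefix so arguments such as "limit rate 200" pass.
REQUIRED_PORT_LINES = (
    "authentication violation restrict",
    "spanning-tree bpduguard enable",
    "ip dhcp snooping limit rate",
    "ip access-group ACL-DEFAULT in",
)

# Constructed sample input: one hardened port, one shut port, one minimal
# "open-mode" port and one SNMPv3 group, in the style of the configs on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/26
 description mobile worker
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 13
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab webauth
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/27
 shutdown
!
interface GigabitEthernet0/28
 description open-mode 802.1x+mab+mda+acl
 switchport mode access
 switchport voice vlan 13
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 spanning-tree portfast
!
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]}.

    IOS terminates each interface block with a lone '!', so the parser keys on
    that rather than on indentation (which copy/paste often strips).
    """
    interfaces: dict = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def is_dot1x_access_port(lines: list) -> bool:
    """In scope: a port that authenticates hosts and is not administratively down."""
    return "authentication port-control auto" in lines and "shutdown" not in lines


def audit_port(lines: list) -> list:
    """Return the baseline commands absent from one interface block, in baseline order."""
    return [req for req in REQUIRED_PORT_LINES
            if not any(l.startswith(req) for l in lines)]


def audit_config(config: str) -> dict:
    """Return {interface: [missing commands]} for 802.1X ports; empty dict means clean."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if is_dot1x_access_port(lines):
            missing = audit_port(lines)
            if missing:
                findings[name] = missing
    return findings


def snmpv3_noauth_groups(config: str) -> list:
    """Names of SNMPv3 groups using the noauth level: no message authentication
    and no encryption, so only the (cleartext) username gates access."""
    return re.findall(r"^snmp-server group (\S+) v3 noauth\b", config, re.M)


if __name__ == "__main__":
    for port, missing in audit_config(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
    for group in snmpv3_noauth_groups(SAMPLE_CONFIG):
        print(f"SNMPv3 group '{group}' runs without authentication or privacy")
```

Run against a saved `show run`, the script reports the `open-mode` ports as lacking the violation, BPDU-guard and DHCP-snooping rate-limit lines; whether that is intentional for a given store tier is a design decision, but the check makes the difference between the two templates explicit instead of leaving it to a visual diff of several thousand lines.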
S-A2-Lrg-4
S-A2-LRG-4#sh run
Building configuration...
Current configuration : 26605 bytes
!
! Last configuration change at 02:56:42 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:56:45 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname S-A2-LRG-4
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
macro auto device media-player ACCESS_VLAN=12
macro auto device ip-camera ACCESS_VLAN=20
macro auto device phone ACCESS_VLAN=17 VOICE_VLAN=13
macro auto device access-point ACCESS_VLAN=18
macro auto device lightweight-ap ACCESS_VLAN=18
!
macro auto global processing fallback cdp
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
no ip source-route
!
!
ip domain-name cisco-irn.com
ip host nac-2 192.168.42.112
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
password encryption aes
!
crypto pki trustpoint TP-self-signed-4268542976
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4268542976
revocation-check none
rsakeypair TP-self-signed-4268542976
!
!
crypto pki certificate chain TP-self-signed-4268542976
certificate self-signed 01
<removed> 1
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
macro description CISCO_SWITCH_EVENT
auto qos voip trust
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
macro description CISCO_SWITCH_EVENT
auto qos voip trust
!
interface GigabitEthernet0/3
description AIR-CAP3502E
switchport trunk encapsulation dot1q
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode access
switchport block unicast
switchport port-security aging time 1
switchport port-security violation protect
switchport port-security aging type inactivity
load-interval 30
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust dscp
macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
!
interface GigabitEthernet0/4
description AIR-CAP3502I
switchport trunk encapsulation dot1q
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode access
switchport block unicast
switchport port-security aging time 1
switchport port-security violation protect
switchport port-security aging type inactivity
load-interval 30
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust dscp
macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
macro description CISCO_SWITCH_EVENT
auto qos voip trust
!
interface GigabitEthernet0/8
shutdown
!
interface GigabitEthernet0/9
shutdown
!
interface GigabitEthernet0/10
shutdown
!
interface GigabitEthernet0/11
description Cisco7975 IP phone
switchport mode access
switchport block unicast
switchport voice vlan 2
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
load-interval 30
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description CISCO_PHONE_EVENT
auto qos voip cisco-phone
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
ip dhcp snooping limit rate 15
!
interface GigabitEthernet0/12
shutdown
!
interface GigabitEthernet0/13
shutdown
!
interface GigabitEthernet0/14
shutdown
!
interface GigabitEthernet0/15
shutdown
!
interface GigabitEthernet0/16
shutdown
!
interface GigabitEthernet0/17
shutdown
!
interface GigabitEthernet0/18
shutdown
!
interface GigabitEthernet0/19
shutdown
!
interface GigabitEthernet0/20
shutdown
!
interface GigabitEthernet0/21
shutdown
!
interface GigabitEthernet0/22
shutdown
!
interface GigabitEthernet0/23
shutdown
!
interface GigabitEthernet0/24
shutdown
!
interface GigabitEthernet0/25
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/26
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/27
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/28
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/29
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/30
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/31
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/32
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/33
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/34
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/35
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/36
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/37
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/38
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/39
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/40
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/41
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/42
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/43
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/44
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/45
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/46
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/47
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet0/48
description open-mode 802.1x+mab+mda+acl
switchport mode access
switchport voice vlan 13
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
spanning-tree portfast
!
interface GigabitEthernet1/1
shutdown
!
interface GigabitEthernet1/2
shutdown
!
interface GigabitEthernet1/3
shutdown
!
interface GigabitEthernet1/4
shutdown
!
interface TenGigabitEthernet1/1
shutdown
!
interface TenGigabitEthernet1/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.111.14 255.255.255.0
!
ip default-gateway 10.10.111.1
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark ICMP Ping
permit icmp any any
remark PXE Boot
permit udp any any eq tftp
remark URL Redirect
permit tcp any host 192.168.42.111 eq www
permit tcp any host 192.168.42.111 eq 443
permit tcp any host 192.168.42.112 eq www
permit tcp any host 192.168.42.112 eq 443
remark Guest Portal
permit tcp any host 192.168.42.111 eq 8443
permit tcp any host 192.168.42.112 eq 8443
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
remark Don't match traffic sent to ISE PDP Nodes
deny ip any host 192.168.42.111
deny ip any host 192.168.42.112
deny ip any host 10.35.48.242
remark Don't match traffic sent to remediation services (wwwin-download.cisco.com)
deny ip any host 171.71.169.207
remark Match all other traffic for redirection
permit ip any any
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
snmp-server host 192.168.42.111 version 2c retaillabISE dot1x mac-notification snmp
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.42.111 auth-port 1812 acct-port 1813 key 7 <removed>
!
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36027569
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-Lrg-5
S-A2-LRG-5#sh run
Building configuration...
Current configuration : 10739 bytes
!
! Last configuration change at 03:00:15 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 03:00:17 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname S-A2-LRG-5
!
boot-start-marker
boot-end-marker
!
shell trigger POS-Systems POS-Systems
logging buffered 51200
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
macro global description cisco-desktop
macro auto execute CISCO_LAST_RESORT_EVENT builtin CISCO_AP_AUTO_SMARTPORT ACCESS_VLAN=17
macro auto execute Retail-POS builtin CISCO_PHONE_AUTO_SMARTPORT ACCESS_VLAN=11 VOICE_VLAN=13
macro auto execute POS-Systems remote scp://SMARTPORT@192.168.42.122/POS-Systems.txt ACCESS_VLAN=11 VOICE_VLAN=13
!
macro auto mac-address-group Retail-POS
oui list 001C26
oui list 001C25
mac-address list 0021.5C02.1DEF
mac-address list 001C.25BE.99C2
macro auto device media-player ACCESS_VLAN=12
macro auto device ip-camera ACCESS_VLAN=20
macro auto device phone ACCESS_VLAN=17 VOICE_VLAN=13
macro auto device access-point ACCESS_VLAN=18
macro auto device lightweight-ap ACCESS_VLAN=18
!
macro auto global processing fallback cdp
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
password encryption aes
!
crypto pki trustpoint TP-self-signed-3964801920
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3964801920
revocation-check none
rsakeypair TP-self-signed-3964801920
!
!
crypto pki certificate chain TP-self-signed-3964801920
certificate self-signed 01
<removed>
quit
spanning-tree mode pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
ip scp server enable
!
!
interface GigabitEthernet0/1
switchport access vlan 17
!
interface GigabitEthernet0/2
switchport access vlan 17
!
interface GigabitEthernet0/3
switchport access vlan 17
!
interface GigabitEthernet0/4
switchport access vlan 17
!
interface GigabitEthernet0/5
switchport access vlan 17
!
interface GigabitEthernet0/6
switchport access vlan 17
!
interface GigabitEthernet0/7
switchport access vlan 17
!
interface GigabitEthernet0/8
switchport access vlan 17
!
interface GigabitEthernet0/9
description Uplink to S-A2-LRG-4 G0/7
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
macro description CISCO_SWITCH_EVENT
auto qos trust
!
interface GigabitEthernet0/10
!
interface Vlan1
no ip address
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.111.15 255.255.255.0
!
ip default-gateway 10.10.111.1
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131 timeout 5
tacacs-server directed-request
tacacs-server key 7 <removed>
!
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
speed 115200
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 22518292
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
!
end
S-a2-med-1
S-A2-MED-1/2#sh run
Building configuration...
Current configuration : 16629 bytes
!
! Last configuration change at 02:28:28 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:28:32 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname S-A2-MED-1/2
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-4271428864
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4271428864
revocation-check none
rsakeypair TP-self-signed-4271428864
!
!
crypto pki certificate chain TP-self-signed-4271428864
certificate self-signed 01
<removed>
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 10
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/3
description Cisco9971 IP phone
switchport access vlan 11
switchport trunk encapsulation dot1q
switchport voice vlan 13
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description Cisco7975 IP phone
switchport access vlan 11
switchport trunk encapsulation dot1q
switchport voice vlan 13
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 20
!
interface GigabitEthernet1/0/6
description CPAM Gateway
switchport access vlan 20
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/9
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/10
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/11
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/12
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/13
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/14
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/15
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/16
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/17
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/18
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/19
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/20
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/21
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/22
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/23
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/24
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/25
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/26
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/27
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/28
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/29
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/30
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/31
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/32
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/33
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/34
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/35
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/36
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/37
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/38
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/39
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/40
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/41
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/42
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/43
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/44
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/45
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/46
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/47
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/48
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/1/1
shutdown
!
interface GigabitEthernet1/1/2
shutdown
!
interface GigabitEthernet1/1/3
shutdown
!
interface GigabitEthernet1/1/4
shutdown
!
interface TenGigabitEthernet1/1/1
shutdown
!
interface TenGigabitEthernet1/1/2
shutdown
!
interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/5
description AIR-CAP3502E
switchport trunk encapsulation dot1q
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode trunk
!
interface GigabitEthernet2/0/6
description AIR-LAP1262N
switchport trunk encapsulation dot1q
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode trunk
!
interface GigabitEthernet2/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/8
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/9
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/10
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/11
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/12
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/13
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/14
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/15
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/16
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/17
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/18
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/19
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/20
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/21
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/22
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/23
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/24
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/25
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/26
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/27
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/28
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/29
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/30
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/31
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/32
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/33
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/34
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/35
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/36
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/37
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/38
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/39
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/40
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/41
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/42
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/43
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/44
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/45
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/46
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/47
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/48
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/1/1
shutdown
!
interface GigabitEthernet2/1/2
shutdown
!
interface GigabitEthernet2/1/3
shutdown
!
interface GigabitEthernet2/1/4
shutdown
!
interface TenGigabitEthernet2/1/1
shutdown
!
interface TenGigabitEthernet2/1/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.127.11 255.255.255.0
!
ip default-gateway 10.10.127.1
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps power-ethernet group 1-4
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
speed 115200
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
scheduler interval 500
ntp clock-period 36027426
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-Med-3
S-A2-MED-3#sh run
Building configuration...
Current configuration : 8650 bytes
!
! Last configuration change at 02:34:20 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:34:21 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname S-A2-MED-3
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
no ip source-route
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1308417408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1308417408
revocation-check none
rsakeypair TP-self-signed-1308417408
!
!
crypto pki certificate chain TP-self-signed-1308417408
certificate self-signed 01
<removed>
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet0/1
switchport access vlan 17
shutdown
!
interface FastEthernet0/2
switchport access vlan 17
shutdown
!
interface FastEthernet0/3
switchport access vlan 17
shutdown
!
interface FastEthernet0/4
switchport access vlan 17
shutdown
!
interface FastEthernet0/5
switchport access vlan 17
shutdown
!
interface FastEthernet0/6
switchport access vlan 17
shutdown
!
interface FastEthernet0/7
switchport access vlan 17
shutdown
!
interface FastEthernet0/8
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.127.13 255.255.255.0
!
ip default-gateway 10.10.127.1
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
speed 115200
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36028775
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-Mini-1
S-A2-Mini-1#sh run
Building configuration...
Current configuration : 9017 bytes
!
! Last configuration change at 02:15:02 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:15:04 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname S-A2-Mini-1
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
ip subnet-zero
no ip source-route
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1919348736
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1919348736
revocation-check none
rsakeypair TP-self-signed-1919348736
!
!
crypto pki certificate chain TP-self-signed-1919348736
certificate self-signed 01
<removed>
quit
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
interface GigabitEthernet0/1
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/3
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/4
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/5
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/6
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/7
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/8
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.159.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.159.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
control-plane
!
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36028654
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-Mini-2
S-A2-Mini-2#sh run
Building configuration...
Current configuration : 9094 bytes
!
! Last configuration change at 02:19:10 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:19:11 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname S-A2-Mini-2
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
ip subnet-zero
no ip source-route
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1919334912
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1919334912
revocation-check none
rsakeypair TP-self-signed-1919334912
!
!
crypto pki certificate chain TP-self-signed-1919334912
certificate self-signed 01
<removed>
quit
!
!
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
interface GigabitEthernet0/1
description AIR-CAP3502E
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/3
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/4
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/5
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/6
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/7
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/8
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.159.12 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.159.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
control-plane
!
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36028680
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
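The store-switch configurations above all follow one hardening pattern: the vty lines accept SSH only and are gated by access-list 23, every unused access port is parked in VLAN 17 and shut down, and the trunk toward the access point (GigabitEthernet0/1 on S-A2-Mini-2) is pruned to VLANs 14-18 with a non-default native VLAN, while the other trunk (GigabitEthernet0/8) is left open to all VLANs. Two settings in the same configs deserve a caveat: the SNMPv3 group is defined with the noauth security level (snmp-server group remoteuser v3 noauth), so the traps sent to 192.168.42.124 are neither authenticated nor encrypted, and the only compensating control is access-list 88 bound to the remote user; and the HTTPS management server is pinned to the 3des-ede-cbc-sha cipher suite. The Python script below is an added example for this appendix, not part of the design guide and not a Cisco tool. It parses a running-config in the form shown here (sub-command indentation may be stripped, as it is in this text) and reports lines that depart from that pattern. The policy rules are this example's assumptions; SAMPLE_CONFIG is a constructed excerpt modelled on S-A2-Mini-2 with a deliberately weakened "line vty 5 15" added so that the vty checks have something to report.

```python
"""Hardening checks for Cisco IOS switch configs (added example, not a Cisco tool)."""
import re

# Constructed excerpt modelled on S-A2-Mini-2 above, with a deliberately weakened
# 'line vty 5 15' (no access-class, telnet allowed) so the vty checks fire.
SAMPLE_CONFIG = """\
service password-encryption
ip ssh version 2
no ip http server
ip http secure-ciphersuite 3des-ede-cbc-sha
!
interface GigabitEthernet0/1
 switchport trunk native vlan 18
 switchport trunk allowed vlan 14-18
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 17
 shutdown
!
interface GigabitEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet0/8
 switchport mode trunk
!
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
line vty 0 4
 access-class 23 in
 exec-timeout 15 0
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 transport input telnet ssh
!
end
"""


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Map each 'interface ...'/'line ...' header to its sub-commands; a stanza ends at
    '!', 'end' or the next header, so stripped indentation (as in this appendix) is fine."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!", "end"):
            current = None
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(config: str) -> list[str]:
    """Return one finding per weak line; an empty list means every check passed."""
    findings: list[str] = []
    lines = [raw.strip() for raw in config.splitlines()]
    # Global controls that every store switch in the appendix sets (assumed policy).
    required = {"service password-encryption": "local passwords stored in clear text",
                "ip ssh version 2": "SSH not pinned to version 2",
                "no ip http server": "plaintext HTTP management left enabled"}
    for cmd, why in required.items():
        if cmd not in lines:
            findings.append(f"global: {why} ('{cmd}' missing)")
    for line in lines:
        if line.startswith("ip http secure-ciphersuite") and "3des" in line:
            findings.append(f"global: HTTPS pinned to a legacy 3DES suite ({line})")
        m = re.match(r"snmp-server group (\S+) v3 noauth", line)
        if m:
            findings.append(f"global: SNMPv3 group {m.group(1)} uses noauth "
                            "(traps are neither authenticated nor encrypted)")
    for header, body in parse_blocks(config).items():
        if header.startswith("line vty"):
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no access-class, reachable from any source")
            inputs = [set(b.split()[2:]) for b in body if b.startswith("transport input")]
            if not inputs or any(t not in ({"ssh"}, {"none"}) for t in inputs):
                findings.append(f"{header}: transport input is not SSH-only")
        elif header.startswith("interface") and "shutdown" not in body:
            # Ports that are up: trunks must be pruned, access ports must not speak DTP.
            if "switchport mode trunk" in body:
                if not any(b.startswith("switchport trunk allowed vlan") for b in body):
                    findings.append(f"{header}: trunk carries every VLAN (no allowed list)")
                if not any(b.startswith("switchport trunk native vlan") for b in body):
                    findings.append(f"{header}: native VLAN left at the default (1)")
            elif (any(b.startswith("switchport access vlan") for b in body)
                  and "switchport mode access" not in body):
                findings.append(f"{header}: access port without 'switchport mode access' "
                                "(DTP can still negotiate a trunk)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(" -", finding)
```

Run it against a saved "show running-config". On the constructed sample it reports seven findings; on the S-A2-Mini-2 configuration above it should report four: the 3DES cipher suite, the noauth SNMPv3 group, and two lines for the unpruned GigabitEthernet0/8 trunk (no allowed-VLAN list, default native VLAN). Its vty lines pass because access-class 23 and transport input ssh are present on both ranges.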
S-A2-MSP-1
Building configuration...
Current configuration : 10554 bytes
!
! Last configuration change at 02:08:19 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:08:21 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname S-A2-MSP-1
!
logging buffered 50000 debugging
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
system mtu routing 1500
ip subnet-zero
no ip source-route
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-4189032704
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4189032704
revocation-check none
rsakeypair TP-self-signed-4189032704
!
!
crypto pki certificate chain TP-self-signed-4189032704
certificate self-signed 01
<removed>
quit
!
!
archive
log config
logging enable
hidekeys
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description AIR-CAP3502I
switchport trunk encapsulation dot1q
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode trunk
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/5
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/6
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/7
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/8
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/9
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/10
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/11
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/12
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/13
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/14
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/15
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/16
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/17
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/18
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/19
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/20
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/21
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/22
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/23
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/24
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/25
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/26
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/27
switchport access vlan 17
shutdown
!
interface GigabitEthernet0/28
switchport access vlan 17
shutdown
!
interface TenGigabitEthernet0/1
shutdown
!
interface TenGigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.191.11 255.255.255.0
!
ip default-gateway 10.10.191.1
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
!
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
radius-server source-ports 1645-1646
!
control-plane
!
banner exec ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^C
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36026372
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
S-A2-Small
S-A2-Small-1#sh run
Building configuration...
Current configuration : 16143 bytes
!
! Last configuration change at 02:23:14 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:23:18 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname S-A2-Small-1
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
switch 1 provision ws-c2960s-48fps-l
switch 2 provision ws-c2960s-48fps-l
authentication mac-move permit
ip subnet-zero
no ip source-route
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1383908352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1383908352
revocation-check none
rsakeypair TP-self-signed-1383908352
!
!
crypto pki certificate chain TP-self-signed-1383908352
certificate self-signed 01
30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333833 39303833 3532301E 170D3131 30343232 30333331
35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33383339
30383335 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD50 C6915FE3 A1789C0E 11A0BABD EC2528DB 3F8FBCF6 64D90C72 AD2D2A13
A012AB72 F5F9EEDE 4E77EDA9 D3CE6985 BA2246A1 21FF6D61 B8FFC558 331CD608
DB59F546 838396C6 29266AF9 6B968127 75A7CE55 6D0B3734 0454EA42 24E9C995
1AC5D0C3 0850D703 F58A2E82 6FB13D8D 372F03D8 A5B2B577 CDB7A9D5 7AFC40B6
B26B0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
551D1104 1E301C82 1A532D41 322D536D 616C6C2D 312E6369 73636F2D 69726E2E
636F6D30 1F060355 1D230418 30168014 107F4DD8 762989FE 887F813D 62A1D871
C9A4D3D4 301D0603 551D0E04 16041410 7F4DD876 2989FE88 7F813D62 A1D871C9
A4D3D430 0D06092A 864886F7 0D010104 05000381 810045BF 884709EE FA837D06
262E65C8 865912B1 44D5DE7F 459A7DEF DAEB3D94 B2D5A978 5CCF425E 1FED41CE
2046BA9D 130DE1BD 4A7F3F99 B6AD32CA 3857A088 01083AAB 24557476 73F8AAC6
634964A5 455F4DB2 AC36D64E EA2C71AD 296D82B6 CE1EDCCB 0724DB5D 0D332C10
A17D5B1F E8926DC9 137519A1 521C9155 AF9AF52B 00BD
quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport mode trunk
!
interface GigabitEthernet1/0/3
description IP Cameras - 4300
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/4
description CPAM Gateway
switchport access vlan 20
!
interface GigabitEthernet1/0/5
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/7
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/8
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/9
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/10
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/11
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/12
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/13
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/14
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/15
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/16
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/17
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/18
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/19
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/20
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/21
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/22
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/23
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/24
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/25
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/26
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/27
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/28
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/29
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/30
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/31
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/32
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/33
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/34
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/35
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/36
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/37
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/38
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/39
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/40
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/41
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/42
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/43
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/44
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/45
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/46
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/47
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/48
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/49
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/50
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/51
switchport access vlan 17
shutdown
!
interface GigabitEthernet1/0/52
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/1
shutdown
!
interface GigabitEthernet2/0/2
shutdown
!
interface GigabitEthernet2/0/3
description Cisco7975 IP phone
switchport access vlan 11
switchport voice vlan 13
spanning-tree portfast
!
interface GigabitEthernet2/0/4
description AIR-CAP3502I
switchport trunk native vlan 18
switchport trunk allowed vlan 14-18
switchport mode trunk
!
interface GigabitEthernet2/0/5
description Cisco9971 IP phone
switchport access vlan 11
switchport voice vlan 13
spanning-tree portfast
!
interface GigabitEthernet2/0/6
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/7
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/8
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/9
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/10
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/11
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/12
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/13
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/14
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/15
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/16
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/17
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/18
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/19
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/20
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/21
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/22
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/23
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/24
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/25
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/26
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/27
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/28
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/29
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/30
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/31
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/32
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/33
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/34
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/35
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/36
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/37
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/38
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/39
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/40
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/41
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/42
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/43
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/44
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/45
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/46
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/47
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/48
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/49
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/50
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/51
switchport access vlan 17
shutdown
!
interface GigabitEthernet2/0/52
switchport access vlan 17
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan1000
description Management VLAN for Switch
ip address 10.10.143.11 255.255.255.0
!
ip default-gateway 10.10.143.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan1000
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan1000
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan1000
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps power-ethernet group 1-4
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
banner exec ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner incoming ^CC
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
^C
banner login ^CC
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
^C
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 22518357
ntp source Vlan1000
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
saccess-1
!
! Last configuration change at 01:58:36 PSTDST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:58:36 PSTDST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname SACCESS-1
!
boot-start-marker
boot-end-marker
!
logging snmp-authfail
logging buffered 51200 debugging
enable secret 5 <removed>
!
username emc-ncm privilege 15 secret 5 <removed>
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
aaa new-model
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone PST -8
clock summer-time PSTDST recurring
ip subnet-zero
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
!
no ip bootp server
ip ssh version 2
ip scp server enable
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
vtp mode transparent
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-112603
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-112603
revocation-check none
rsakeypair TP-self-signed-112603
!
!
crypto pki certificate chain TP-self-signed-112603
certificate self-signed 01
<removed>
quit
!
!
power redundancy-mode redundant
archive
log config
logging enable
hidekeys
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,41-43
!
vlan 44
name PhysicalSec
!
vlan 45-50,52,62
!
vlan 64
name Databases
!
vlan 72,146,164,256,666,1000
!
interface Loopback0
no ip address
!
interface Port-channel1
description to Aggregation Switches
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 38,41,42,44
switchport mode trunk
logging event link-status
flowcontrol receive on
!
interface GigabitEthernet1/1
description SRV-DC-1
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/2
description SRV-DC-2
switchport trunk encapsulation dot1q
switchport trunk native vlan 41
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/3
description SRV-DC-3
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/4
description SRV-DC-4
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/5
description SRV-DC-5
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/6
description SRV-DC-6=CUAE
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/7
description SRV-DC-7=CCM511
switchport access vlan 45
spanning-tree portfast
!
interface GigabitEthernet1/8
description SRV-DC-8 - Oracle RDBMS 10g
switchport access vlan 64
switchport trunk encapsulation dot1q
switchport trunk native vlan 64
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/9
description MSP-DC-1
switchport access vlan 44
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/10
description SRV-DC-10
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/11
description SRV-DC-11
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/12
description SRV-DC-12
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/13
description SRV-DC-13
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/14
description SRV-DC-14
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/15
description SRV-DC-15
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/16
description SRV-DC-16
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/17
description SRV-DC-17
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/18
description SRV-DC-18
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/19
description SRV-DC-19
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/20
description SRV-DC-20
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/21
description SRV-DC-21
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/22
description SRV-DC-22
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/23
description SRV-DC-23
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/24
description SRV-DC-24
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/25
description SRV-DC-25
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/26
description server 14 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/27
description server 15 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/28
description server 16 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/29
description server 18 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/30
description server 19 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/31
description server 20 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/32
description server 21 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/33
description VXML Rouer VEM
switchport access vlan 45
spanning-tree portfast
!
interface GigabitEthernet1/34
description SPAN to SRV-DC-28-NICE VoiceRecorder
switchport trunk encapsulation dot1q
spanning-tree portfast
!
interface GigabitEthernet1/35
description Small store 1800 server e1
switchport access vlan 42
switchport trunk encapsulation dot1q
spanning-tree portfast
!
interface GigabitEthernet1/36
description small store 1800 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/37
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/38
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/39
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/40
description IPcelerate Server
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/41
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/42
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/43
description EMC SAN Mgt-A
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/44
description PRomise SAN M1
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/45
switchport access vlan 42
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/46
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/47
description Uplink to RSERV-1 Management G7/1
switchport access vlan 42
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/48
description Uplink to RSERV-2 Management G7/1
switchport access vlan 42
switchport mode access
spanning-tree portfast
!
interface TenGigabitEthernet1/49
description Uplink to RAGG-1-VDC2 T1/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 38,41,42,44
switchport mode trunk
channel-group 1 mode active
spanning-tree portfast trunk
!
interface TenGigabitEthernet1/50
description Uplink to RAGG-2-VDC2 T1/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 38,41,42,44
switchport mode trunk
channel-group 1 mode active
spanning-tree portfast trunk
!
interface Vlan1
no ip address
!
interface Vlan42
ip address 192.168.42.33 255.255.255.0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.42.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip tacacs source-interface Vlan42
!
!
logging source-interface Vlan42
logging 192.168.42.121
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan42
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
no tacacs-server directed-request
tacacs-server key 7 <removed>
radius-server source-ports 1645-1646
!
control-plane
!
banner exec
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
!
monitor session 1 source interface Gi1/33
monitor session 1 destination interface Gi1/34
ntp clock-period 17181001
ntp server 192.168.0.1
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
saccess-2
!
! Last configuration change at 01:59:33 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:59:33 PST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname SACCESS-2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
aaa new-model
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
vtp mode transparent
ip subnet-zero
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
!
no ip bootp server
ip ssh version 2
ip scp server enable
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
vlan 20,40-43
!
vlan 44
name PhysicalSec
!
vlan 45-49,52,62,64,72,146,164,256,666,1000
!
interface Port-channel2
description to Aggregation Switches
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 38,41,42,44
switchport mode trunk
logging event link-status
flowcontrol receive on
!
interface GigabitEthernet1/1
description SRV-DC-1
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/2
description SRV-DC-2
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/3
description SRV-DC-3
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/4
description SRV-DC-4
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/5
description SRV-DC-5
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/6
description SRV-DC-6=CUAE
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/7
description SRV-DC-7=CCM511
switchport access vlan 45
spanning-tree portfast
!
interface GigabitEthernet1/8
description SRV-DC-8
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/9
description MSP-DC-1
switchport access vlan 44
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/10
description SRV-DC-10
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/11
description SRV-DC-11
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/12
description SRV-DC-12
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/13
description SRV-DC-13
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/14
description SRV-DC-14
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/15
description SRV-DC-15
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/16
description SRV-DC-16
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/17
description SRV-DC-17
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/18
description SRV-DC-18
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/19
description SRV-DC-19
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/20
description SRV-DC-20
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/21
description SRV-DC-21
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/22
description SRV-DC-22
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/23
description SRV-DC-23
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/24
description SRV-DC-24
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/25
description SRV-DC-25
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/26
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/27
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/28
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/29
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/30
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/31
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/32
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/33
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/34
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/35
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/36
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/37
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/38
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/39
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/40
description IPcelerate Server
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/41
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/42
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/43
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/44
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/45
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/46
switchport access vlan 42
switchport trunk encapsulation dot1q
switchport trunk native vlan 42
switchport mode trunk
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet1/47
description TEMP Uplink to RSERV-1 Management G7/2
switchport access vlan 42
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/48
description TEMP Uplink to RSERV-2 Management G7/2
switchport access vlan 42
switchport mode access
spanning-tree portfast
!
interface TenGigabitEthernet1/49
description Uplink to RAGG-1-VDC2 T1/14
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 38,41,42,44
switchport mode trunk
spanning-tree portfast trunk
channel-group 2 mode active
!
interface TenGigabitEthernet1/50
description Uplink to RAGG-2-VDC2 T1/14
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 38,41,42,44
switchport mode trunk
spanning-tree portfast trunk
channel-group 2 mode active
!
interface Vlan1
no ip address
!
interface Vlan42
ip address 192.168.42.34 255.255.255.0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.42.1
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan42
!
!
!
logging trap debugging
logging source-interface Vlan42
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan42
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps flash insertion removal
snmp-server enable traps syslog
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
radius-server source-ports 1645-1646
banner exec
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 17181029
ntp source Vlan42
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
!
end
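A reviewer reading the access-switch configuration above would check a handful of management-plane and VLAN settings: the server-facing ports (GigabitEthernet1/11 through 1/27 and 1/38 through 1/46) are trunks with no allowed-VLAN list, most of them carry VLAN 42 as the native VLAN while the switch's own management SVI (interface Vlan42, 192.168.42.34) sits in that VLAN, the vty lines are SSH-only and filtered by access-list 23, the HTTPS server is pinned to the 3DES cipher suite, and the SNMPv3 group remoteuser is defined with noauth. The following Python audit is an added example, not part of the original appendix and not a Cisco tool; it runs the same checks over a constructed excerpt modelled on that configuration. The excerpt's second vty stanza is deliberately weakened (no access-class, telnet permitted) so that the vty checks have a positive case; the page's configuration is SSH-only. The finding wording and the assumption that the IOS default native VLAN is 1 are this example's own.

```python
"""Audit an IOS switch running-config for management-plane and VLAN settings.
Constructed sample only; the findings wording is this example's own."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the access-switch config above. The
# 'line vty 5 15' stanza is deliberately weakened (no access-class, telnet
# allowed) to give the checks a positive case; the page's config is SSH-only.
SAMPLE_IOS = """\
interface GigabitEthernet1/11
 switchport access vlan 42
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 42
 switchport mode trunk
!
interface GigabitEthernet1/17
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4094
 switchport mode trunk
!
interface TenGigabitEthernet1/49
 switchport trunk allowed vlan 38,41,42,44
 switchport mode trunk
!
interface Vlan42
 ip address 192.168.42.34 255.255.255.0
!
ip http secure-ciphersuite 3des-ede-cbc-sha
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF
line vty 0 4
 access-class 23 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

SECTION_RE = re.compile(r"^(interface|line)\s+")


def parse_sections(cfg):
    """Split a config into (global_lines, {section header: [sub-lines]}).
    Works on indented output and on flattened dumps like the ones on this
    page: a section ends at '!' or at the next interface/line header."""
    global_lines, sections, current = [], OrderedDict(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif SECTION_RE.match(line):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, sections


def management_vlans(sections):
    """VLANs whose SVI has an IP address: an untagged frame on a trunk whose
    native VLAN is one of these reaches the switch's own management plane."""
    vlans = set()
    for name, lines in sections.items():
        m = re.match(r"interface Vlan(\d+)$", name)
        if m and any(l.startswith("ip address ") for l in lines):
            vlans.add(int(m.group(1)))
    return vlans


def audit_ios(cfg):
    """Return sorted (object, finding) tuples for the checks below."""
    global_lines, sections = parse_sections(cfg)
    mgmt = management_vlans(sections)
    findings = []
    for name, lines in sections.items():
        obj = name.split(" ", 1)[1] if name.startswith("interface ") else name
        if name.startswith("interface ") and "switchport mode trunk" in lines:
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((obj, "trunk carries all VLANs (no allowed-vlan list)"))
            native = 1  # assumption: IOS default native VLAN when none is configured
            for l in lines:
                m = re.match(r"switchport trunk native vlan (\d+)$", l)
                if m:
                    native = int(m.group(1))
            if native in mgmt:
                findings.append((obj, f"native VLAN {native} is a management SVI VLAN"))
        elif name.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in lines):
                findings.append((obj, "no access-class on vty"))
            for l in lines:
                if l.startswith("transport input ") and l.split()[2:] != ["ssh"]:
                    findings.append((obj, f"non-SSH transport: {l}"))
    for l in global_lines:
        if l.startswith("ip http secure-ciphersuite") and "3des" in l:
            findings.append(("http", "3DES cipher suite configured for HTTPS"))
        if l.startswith("snmp-server group") and " v3 noauth" in l:
            findings.append(("snmp", f"SNMPv3 group {l.split()[2]} requires no authentication"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, finding in audit_ios(SAMPLE_IOS):
        print(f"{obj}: {finding}")
```

Feed it the text of `show running-config` and it reports, per interface or line, the trunks with no allowed-VLAN list, the trunks whose native VLAN is a management SVI VLAN, vty lines without an access-class or with a non-SSH transport, the 3DES HTTPS cipher suite and any SNMPv3 group configured noauth. On the constructed sample the uplink TenGigabitEthernet1/49 and the SSH-only vty 0 4 produce no findings; the ports using native VLAN 4094 are flagged only for the missing allowed-VLAN list.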
SACCESS-3
!Command: show running-config
!Time: Sat Apr 30 01:56:18 2011
version 5.0(3)N1(1b)
feature fcoe
feature privilege
no feature telnet
no telnet server enable
feature tacacs+
cfs eth distribute
feature lacp
feature vpc
feature lldp
feature fex
username admin password 5 <removed> role network-admin
username retail password 5 <removed> role network-admin
username bart password 5 <removed> role network-admin
username emc-ncm password 5 <removed> role network-admin
enable secret 5 <removed>
banner motd #
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
#
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip host SACCESS-3 192.168.41.33
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
use-vrf management
source-interface mgmt0
hostname SACCESS-3
ip access-list 23
statistics per-entry
10 permit ip 127.0.0.1/32 192.168.41.33/32
20 permit ip 192.168.41.101/32 192.168.41.33/32
30 permit ip 192.168.41.102/32 192.168.41.33/32
40 permit ip 192.168.42.111/32 192.168.41.33/32
50 permit ip 192.168.42.122/32 192.168.41.33/32
60 permit ip 192.168.42.131/32 192.168.41.33/32
70 permit ip 192.168.42.133/32 192.168.41.33/32
80 permit ip 192.168.42.138/32 192.168.41.33/32
90 permit ip 10.19.151.99/32 192.168.41.33/32
100 deny ip any any
ip access-list 88
statistics per-entry
10 permit ip 192.168.42.122/32 192.168.41.33/32
20 deny ip any any
class-map type qos class-fcoe
class-map type queuing class-all-flood
match qos-group 2
class-map type queuing class-ip-multicast
match qos-group 2
class-map type network-qos class-all-flood
match qos-group 2
class-map type network-qos class-ip-multicast
match qos-group 2
snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server host 192.168.41.101 traps version 2c public udp-port 2162
no snmp-server enable traps entity entity_mib_change
no snmp-server enable traps entity entity_module_status_change
no snmp-server enable traps entity entity_power_status_change
no snmp-server enable traps entity entity_module_inserted
no snmp-server enable traps entity entity_module_removed
no snmp-server enable traps entity entity_unrecognised_module
no snmp-server enable traps entity entity_fan_status_change
no snmp-server enable traps rf redundancy_framework
snmp-server enable traps entity fru
ntp server 192.168.62.161 use-vrf management
ntp server 192.168.62.162 use-vrf management
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context management
ip route 0.0.0.0/0 192.168.41.1
vlan 1
vlan 36
name DeviceMgmtHigh
vlan 37
name DeviceMgmtLow
vlan 38
name HyTrust
vlan 40
name Server_iLO
vlan 41
name ESX_Server
vlan 42
name CoreManagement
vlan 43
name WirelessSystems
vlan 45
vlan 52
name POS
vlan 80-82,140-141
vlan 302
fcoe vsan 2
vsan database
vsan 2 name "Promise-2"
fcdomain fcid database
vsan 2 wwn 21:00:00:1b:32:00:ab:0d fcid 0xee0000 area dynamic
vsan 2 wwn 21:00:00:1b:32:00:70:0d fcid 0xee0100 area dynamic
vsan 2 wwn 21:00:00:1b:32:00:33:0c fcid 0xee0200 area dynamic
vsan 2 wwn 21:00:00:1b:32:00:5d:0d fcid 0xee0300 area dynamic
vsan 2 wwn 21:00:00:1b:32:80:0b:10 fcid 0xee0400 area dynamic
vsan 2 wwn 21:00:00:1b:32:80:52:10 fcid 0xee0500 area dynamic
vsan 2 wwn 21:00:00:1b:32:80:da:0f fcid 0xee0600 area dynamic
vsan 2 wwn 21:00:00:1b:32:00:3a:0c fcid 0xee0700 area dynamic
vsan 2 wwn 21:00:00:1b:32:80:f1:0f fcid 0xee0800 area dynamic
vsan 1 wwn 26:01:00:01:55:35:7e:44 fcid 0xee0000 dynamic
vsan 2 wwn 21:00:00:1b:32:00:5e:0d fcid 0xee0900 area dynamic
interface port-channel3
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
interface vfc513
bind interface Ethernet1/13
no shutdown
interface vfc514
bind interface Ethernet1/14
no shutdown
interface vfc515
bind interface Ethernet1/15
no shutdown
interface vfc516
bind interface Ethernet1/16
no shutdown
interface vfc517
bind interface Ethernet1/17
no shutdown
interface vfc518
bind interface Ethernet1/18
no shutdown
interface vfc519
bind interface Ethernet1/19
no shutdown
interface vfc520
bind interface Ethernet1/20
no shutdown
interface vfc521
bind interface Ethernet1/21
no shutdown
interface vfc522
bind interface Ethernet1/22
no shutdown
interface vfc523
bind interface Ethernet1/23
no shutdown
interface vfc524
bind interface Ethernet1/24
no shutdown
interface vfc525
bind interface Ethernet1/25
no shutdown
interface vfc526
bind interface Ethernet1/26
no shutdown
interface vfc527
bind interface Ethernet1/27
no shutdown
interface vfc528
bind interface Ethernet1/28
no shutdown
interface vfc529
bind interface Ethernet1/29
no shutdown
interface vfc530
bind interface Ethernet1/30
no shutdown
interface vfc531
bind interface Ethernet1/31
no shutdown
interface vfc532
bind interface Ethernet1/32
no shutdown
interface vfc505
bind interface Ethernet1/5
no shutdown
interface vfc506
bind interface Ethernet1/6
no shutdown
interface vfc507
bind interface Ethernet1/7
no shutdown
interface vfc508
bind interface Ethernet1/8
no shutdown
interface vfc509
bind interface Ethernet1/9
no shutdown
interface vfc510
bind interface Ethernet1/10
no shutdown
interface vfc511
bind interface Ethernet1/11
no shutdown
interface vfc512
bind interface Ethernet1/12
no shutdown
vsan database
vsan 2 interface vfc513
vsan 2 interface vfc514
vsan 2 interface vfc515
vsan 2 interface vfc516
vsan 2 interface vfc517
vsan 2 interface vfc518
vsan 2 interface vfc519
vsan 2 interface vfc520
vsan 2 interface vfc521
vsan 2 interface vfc522
vsan 2 interface vfc523
vsan 2 interface vfc524
vsan 2 interface vfc525
vsan 2 interface vfc526
vsan 2 interface vfc527
vsan 2 interface vfc528
vsan 2 interface vfc529
vsan 2 interface vfc530
vsan 2 interface vfc531
vsan 2 interface vfc532
vsan 4094 interface vfc505
vsan 4094 interface vfc506
vsan 4094 interface vfc507
vsan 4094 interface vfc508
vsan 4094 interface vfc509
vsan 4094 interface vfc510
vsan 2 interface vfc511
vsan 2 interface vfc512
vsan 2 interface fc2/1
vsan 2 interface fc2/2
vsan 2 interface fc2/3
vsan 2 interface fc2/4
vsan 2 interface fc3/1
vsan 2 interface fc3/2
vsan 2 interface fc3/3
vsan 2 interface fc3/4
interface fc2/1
switchport description Connection to MDS-DC-1
no shutdown
interface fc2/2
interface fc2/3
interface fc2/4
interface fc3/1
switchport description Connection to Promise 600 san
no shutdown
interface fc3/2
interface fc3/3
interface fc3/4
interface Ethernet1/1
description to DC-F-UCS-1 TG0/1
switchport mode trunk
spanning-tree port type network
interface Ethernet1/2
description to DC-F-UCS-1 TG0/2
switchport mode trunk
spanning-tree port type network
interface Ethernet1/3
description to DC-F-UCS-2 TG0/3
switchport mode trunk
spanning-tree port type network
interface Ethernet1/4
description to DC-F-UCS-2 TG0/4
switchport mode trunk
spanning-tree port type network
interface Ethernet1/5
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/6
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/7
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/8
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/9
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/10
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/11
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/12
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/13
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/14
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/15
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/16
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/17
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/18
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/19
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/20
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/21
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/22
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/23
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/24
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/25
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/26
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/27
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/28
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/29
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/30
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/31
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/32
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/33
description to RAGG-1-VDC2 TG1/9
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 3 mode active
interface Ethernet1/34
description to RAGG-1-VDC2 TG1/10
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 3 mode active
interface Ethernet1/35
description to RAGG-2-VDC2 TG1/11
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 3 mode active
interface Ethernet1/36
description to RAGG-2-VDC2 TG1/12
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 3 mode active
interface Ethernet1/37
shutdown
interface Ethernet1/38
shutdown
interface Ethernet1/39
description to SACCESS-4
shutdown
interface Ethernet1/40
description to SACCESS-4
shutdown
interface Ethernet2/1
interface Ethernet2/2
interface Ethernet2/3
interface Ethernet2/4
interface Ethernet3/1
interface Ethernet3/2
interface Ethernet3/3
interface Ethernet3/4
interface mgmt0
ip address 192.168.41.33/24
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
system default zone default-zone permit
system default zone distribute full
line console
exec-timeout 15
line vty
exec-timeout 15
access-class 23 in
boot kickstart bootflash:/n5000-uk9-kickstart.5.0.3.N1.1b.bin
boot system bootflash:/n5000-uk9.5.0.3.N1.1b.bin
interface fc2/2
interface fc2/3
interface fc2/4
interface fc2/1
switchport fcrxbbcredit 1
switchport fcrxbbcredit 2 mode E
interface fc3/1
interface fc3/2
interface fc3/3
interface fc3/4
logging server 192.168.42.124 6
zone default-zone permit vsan 2
zoneset distribute full vsan 2
!Full Zone Database Section for vsan 2
zone name global_zone vsan 2
member pwwn 26:00:00:01:55:35:7e:44
member pwwn 26:02:00:01:55:35:7e:44
member pwwn 10:00:00:00:c9:75:68:c3
member pwwn 10:00:00:00:c9:77:92:e9
member pwwn 10:00:00:00:c9:77:db:c3
member pwwn 10:00:00:00:c9:77:dc:c3
member pwwn 10:00:00:00:c9:77:dd:bc
member pwwn 21:00:00:1b:32:00:33:0c
member pwwn 21:00:00:1b:32:00:3a:0c
member pwwn 21:00:00:1b:32:00:5d:0d
member pwwn 21:00:00:1b:32:00:5e:0d
member pwwn 21:00:00:1b:32:00:70:0d
member pwwn 21:00:00:1b:32:00:ab:0d
member pwwn 21:00:00:1b:32:80:0b:10
member pwwn 21:00:00:1b:32:80:52:10
member pwwn 21:00:00:1b:32:80:da:0f
member pwwn 21:00:00:1b:32:80:f1:0f
zoneset name promise-2_zs vsan 2
member global_zone
zoneset activate name promise-2_zs vsan 2
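The SACCESS-3 configuration above carries several storage-side settings a reviewer would want to see called out: `zone default-zone permit vsan 2` (and `system default zone default-zone permit`) lets any device in VSAN 2 that is not in the active zoneset reach every other unzoned device, the only zone in VSAN 2 is a single global_zone listing every pWWN in the fabric rather than one initiator per zone, vfc505 through vfc510 sit in VSAN 4094 (the isolated VSAN, so those virtual FC ports are not operational), and SNMP traps go to 192.168.41.101 as SNMPv2c with the community string public. The SACCESS-4 configuration that follows defines global_zone and promise-2_zs for VSAN 2 but contains no `zoneset activate` line. The Python audit below is an added example, not part of the original appendix and not a Cisco tool; it extracts those facts from a constructed excerpt modelled on SACCESS-3. The threshold of three members per zone (one initiator plus one or two target ports) and the finding wording are this example's assumptions.

```python
"""Audit an NX-OS (Nexus 5000) running-config for FC zoning and SNMP trap
settings. Constructed sample only; thresholds are this example's own."""
import re

# Constructed excerpt modelled on the SACCESS-3 config above (not a verbatim
# copy). The vsan 3 zone is added to show a VSAN with no activated zoneset.
SAMPLE_NXOS = """\
snmp-server host 192.168.41.101 traps version 2c public udp-port 2162
vsan database
  vsan 2 name "Promise-2"
  vsan 2 interface vfc513
  vsan 4094 interface vfc505
  vsan 4094 interface vfc506
zone default-zone permit vsan 2
zoneset distribute full vsan 2
!Full Zone Database Section for vsan 2
zone name global_zone vsan 2
    member pwwn 26:00:00:01:55:35:7e:44
    member pwwn 26:02:00:01:55:35:7e:44
    member pwwn 10:00:00:00:c9:75:68:c3
    member pwwn 21:00:00:1b:32:00:33:0c
zone name host_a vsan 3
    member pwwn 10:00:00:00:c9:77:92:e9
    member pwwn 26:00:00:01:55:35:7e:44
zoneset name promise-2_zs vsan 2
    member global_zone
zoneset activate name promise-2_zs vsan 2
"""

ZONE_HDR = re.compile(r"^zone name (\S+) vsan (\d+)$")
MEMBER = re.compile(r"^member pwwn (\S+)$")
DEFAULT_ZONE = re.compile(r"^zone default-zone permit vsan (\d+)$")
ZONESET_ACT = re.compile(r"^zoneset activate name (\S+) vsan (\d+)$")
ISOLATED = re.compile(r"^vsan 4094 interface (\S+)$")  # 4094 is the isolated VSAN
SNMP_HOST = re.compile(r"^snmp-server host (\S+) (?:traps|informs) version (1|2c) (\S+)")
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_zones(cfg):
    """Map (zone name, vsan) -> list of member pWWNs from the full zone database."""
    zones, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = ZONE_HDR.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            zones[current] = []
            continue
        m = MEMBER.match(line)
        if m and current is not None:
            zones[current].append(m.group(1))
        elif not line.startswith("member"):
            current = None  # any other statement ends the zone block
    return zones


def audit_nxos(cfg, max_zone_members=3):
    """Return sorted (object, finding) tuples. max_zone_members is an assumed
    threshold: one initiator plus one or two target ports per zone."""
    findings, zoned_vsans, active_vsans = [], set(), set()
    for raw in cfg.splitlines():
        line = raw.strip()
        if (m := DEFAULT_ZONE.match(line)):
            findings.append((f"vsan {m.group(1)}",
                             "default zone permits any-to-any access among unzoned devices"))
        elif (m := ZONESET_ACT.match(line)):
            active_vsans.add(int(m.group(2)))
        elif (m := ISOLATED.match(line)):
            findings.append((m.group(1), "assigned to isolated VSAN 4094; port is not operational"))
        elif (m := SNMP_HOST.match(line)):
            host, ver, community = m.groups()
            note = " (well-known default)" if community in DEFAULT_COMMUNITIES else ""
            findings.append(("snmp", f"SNMPv{ver} traps to {host} use cleartext community '{community}'{note}"))
    for (name, vsan), members in parse_zones(cfg).items():
        zoned_vsans.add(vsan)
        if len(members) > max_zone_members:
            findings.append((f"zone {name}",
                             f"flat zone with {len(members)} members in vsan {vsan}; "
                             f"single-initiator zoning expects at most {max_zone_members}"))
    for vsan in sorted(zoned_vsans - active_vsans):
        findings.append((f"vsan {vsan}", "zones defined but no zoneset activated"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, finding in audit_nxos(SAMPLE_NXOS):
        print(f"{obj}: {finding}")
```

The zone parser treats any statement other than `member pwwn` as the end of a zone block, so `zoneset name` and its `member global_zone` line are not mistaken for zone members. Run against the real SACCESS-3 output it reports the default-zone permit, the 16-member global_zone, the six vfc interfaces in VSAN 4094 and the SNMPv2c trap host; against SACCESS-4 it additionally reports that VSAN 2 has zones defined but no zoneset activated.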
SACCESS-4
!Command: show running-config
!Time: Sat Apr 30 01:57:14 2011
version 5.0(3)N1(1b)
feature fcoe
feature privilege
no feature telnet
no telnet server enable
feature tacacs+
cfs eth distribute
feature lacp
feature vpc
feature lldp
feature fex
username admin password 5 <removed> role network-admin
username retail password 5 <removed> role network-admin
username emc-ncm password 5 <removed> role network-admin
username bart password 5 <removed> role network-admin
enable secret 5 <removed>
banner motd #
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
#
ssh login-attempts 6
ip domain-lookup
ip domain-name cisco-irn.com
ip host SACCESS-4 192.168.41.34
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
use-vrf management
source-interface mgmt0
switchname SACCESS-4
ip access-list 23
statistics per-entry
10 permit ip 127.0.0.1/32 192.168.41.34/32
20 permit ip 192.168.41.101/32 192.168.41.34/32
30 permit ip 192.168.41.102/32 192.168.41.34/32
40 permit ip 192.168.42.111/32 192.168.41.34/32
50 permit ip 192.168.42.122/32 192.168.41.34/32
60 permit ip 192.168.42.131/32 192.168.41.34/32
70 permit ip 192.168.42.133/32 192.168.41.34/32
80 permit ip 192.168.42.138/32 192.168.41.34/32
90 permit ip 10.19.151.99/32 192.168.41.34/32
100 deny ip any any
ip access-list 88
statistics per-entry
10 permit ip 192.168.42.122/32 192.168.41.34/32
20 deny ip any any
class-map type qos class-fcoe
class-map type queuing class-all-flood
match qos-group 2
class-map type queuing class-ip-multicast
match qos-group 2
class-map type network-qos class-all-flood
match qos-group 2
class-map type network-qos class-ip-multicast
match qos-group 2
snmp-server user bart network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server enable traps entity fru
no snmp-server enable traps entity entity_mib_change
no snmp-server enable traps entity entity_module_status_change
no snmp-server enable traps entity entity_power_status_change
no snmp-server enable traps entity entity_module_inserted
no snmp-server enable traps entity entity_module_removed
no snmp-server enable traps entity entity_unrecognised_module
no snmp-server enable traps entity entity_fan_status_change
no snmp-server enable traps rf redundancy_framework
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
aaa authorization ssh-certificate default group CiscoACS
aaa accounting default group CiscoACS
aaa authentication login error-enable
vrf context management
ip route 0.0.0.0/0 192.168.41.1
vlan 1
vlan 36
name DeviceMgmtHigh
vlan 37
name DeviceMgmtLow
vlan 38
name HyTrust
vlan 40
name Server_iLO
vlan 41
name ESX_Server
vlan 42
name CoreManagement
vlan 45,80-82,141-142
vlan 402
fcoe vsan 2
vsan database
vsan 2
fcdomain fcid database
vsan 2 wwn 21:01:00:1b:32:20:5e:0d fcid 0xa20000 area dynamic
vsan 2 wwn 21:01:00:1b:32:20:ab:0d fcid 0xa20100 area dynamic
vsan 2 wwn 21:01:00:1b:32:20:70:0d fcid 0xa20200 area dynamic
vsan 2 wwn 21:01:00:1b:32:20:33:0c fcid 0xa20300 area dynamic
vsan 2 wwn 21:01:00:1b:32:20:5d:0d fcid 0xa20400 area dynamic
vsan 2 wwn 21:01:00:1b:32:a0:0b:10 fcid 0xa20500 area dynamic
vsan 2 wwn 21:01:00:1b:32:a0:52:10 fcid 0xa20600 area dynamic
vsan 2 wwn 21:01:00:1b:32:a0:da:0f fcid 0xa20700 area dynamic
vsan 2 wwn 21:01:00:1b:32:a0:f1:0f fcid 0xa20800 area dynamic
vsan 2 wwn 21:01:00:1b:32:20:3a:0c fcid 0xa20900 area dynamic
interface port-channel4
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
interface vfc513
bind interface Ethernet1/13
no shutdown
interface vfc514
bind interface Ethernet1/14
no shutdown
interface vfc515
bind interface Ethernet1/15
no shutdown
interface vfc516
bind interface Ethernet1/16
no shutdown
interface vfc517
bind interface Ethernet1/17
no shutdown
interface vfc518
bind interface Ethernet1/18
no shutdown
interface vfc519
bind interface Ethernet1/19
no shutdown
interface vfc520
bind interface Ethernet1/20
no shutdown
interface vfc521
bind interface Ethernet1/21
no shutdown
interface vfc522
bind interface Ethernet1/22
no shutdown
interface vfc523
bind interface Ethernet1/23
no shutdown
interface vfc524
bind interface Ethernet1/24
no shutdown
interface vfc525
bind interface Ethernet1/25
no shutdown
interface vfc526
bind interface Ethernet1/26
no shutdown
interface vfc527
bind interface Ethernet1/27
no shutdown
interface vfc528
bind interface Ethernet1/28
no shutdown
interface vfc529
bind interface Ethernet1/29
no shutdown
interface vfc530
bind interface Ethernet1/30
no shutdown
interface vfc531
bind interface Ethernet1/31
no shutdown
interface vfc532
bind interface Ethernet1/32
no shutdown
interface vfc505
bind interface Ethernet1/5
no shutdown
interface vfc506
bind interface Ethernet1/6
no shutdown
interface vfc507
bind interface Ethernet1/7
no shutdown
interface vfc508
bind interface Ethernet1/8
no shutdown
interface vfc509
bind interface Ethernet1/9
no shutdown
interface vfc510
bind interface Ethernet1/10
no shutdown
interface vfc511
bind interface Ethernet1/11
no shutdown
interface vfc512
bind interface Ethernet1/12
no shutdown
vsan database
vsan 2 interface vfc513
vsan 2 interface vfc514
vsan 2 interface vfc515
vsan 2 interface vfc516
vsan 2 interface vfc517
vsan 2 interface vfc518
vsan 2 interface vfc519
vsan 2 interface vfc520
vsan 2 interface vfc521
vsan 2 interface vfc522
vsan 2 interface vfc523
vsan 2 interface vfc524
vsan 2 interface vfc525
vsan 2 interface vfc526
vsan 2 interface vfc527
vsan 2 interface vfc528
vsan 2 interface vfc529
vsan 2 interface vfc530
vsan 2 interface vfc531
vsan 2 interface vfc532
vsan 2 interface vfc505
vsan 2 interface vfc506
vsan 2 interface vfc507
vsan 2 interface vfc508
vsan 2 interface vfc509
vsan 2 interface vfc510
vsan 2 interface vfc511
vsan 2 interface vfc512
vsan 2 interface fc3/1
interface fc2/1
switchport description Connection to MDS-DC-1
no shutdown
interface fc2/2
interface fc2/3
interface fc2/4
interface fc3/1
switchport description Connection to Promise 600 san
no shutdown
interface fc3/2
interface fc3/3
interface fc3/4
interface Ethernet1/1
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/2
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/3
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/4
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/5
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/6
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/7
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/8
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/9
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/10
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/11
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/12
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/13
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/14
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/15
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/16
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/17
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/18
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/19
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/20
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/21
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/22
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/23
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/24
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/25
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/26
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/27
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/28
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/29
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/30
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/31
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/32
switchport mode trunk
spanning-tree port type edge trunk
interface Ethernet1/33
description to RAGG-2-VDC2 TG1/9
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 4 mode active
interface Ethernet1/34
description to RAGG-2-VDC2 TG1/10
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 4 mode active
interface Ethernet1/35
description to RAGG-1-VDC2 TG1/11
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 4 mode active
interface Ethernet1/36
description to RAGG-1-VDC2 TG1/12
switchport mode trunk
switchport trunk allowed vlan 38,41-45,52
spanning-tree port type network
channel-group 4 mode active
interface Ethernet1/37
shutdown
interface Ethernet1/38
shutdown
interface Ethernet1/39
description link to SACCESS-3
shutdown
interface Ethernet1/40
description link to SACCESS-3
shutdown
interface Ethernet2/1
interface Ethernet2/2
interface Ethernet2/3
interface Ethernet2/4
interface Ethernet3/1
interface Ethernet3/2
interface Ethernet3/3
interface Ethernet3/4
interface mgmt0
ip address 192.168.41.34/24
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
line console
exec-timeout 15
line vty
exec-timeout 15
access-class 23 in
boot kickstart bootflash:/n5000-uk9-kickstart.5.0.3.N1.1b.bin
boot system bootflash:/n5000-uk9.5.0.3.N1.1b.bin
interface fc2/1
interface fc2/2
interface fc2/3
interface fc2/4
interface fc3/1
interface fc3/2
interface fc3/3
interface fc3/4
logging server 192.168.42.124 6
zone default-zone permit vsan 2
!Full Zone Database Section for vsan 2
zone name global_zone vsan 2
zoneset name promise-2_zs vsan 2
member global_zone
saccess-5
!
! Last configuration change at 02:02:07 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 02:02:10 PST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname SACCESS-5
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
switch 1 provision ws-c3750e-48td
system mtu routing 1500
!
!
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
login block-for 1800 attempts 6 within 65535
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-2654502656
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2654502656
revocation-check none
rsakeypair TP-self-signed-2654502656
!
!
crypto pki certificate chain TP-self-signed-2654502656
certificate self-signed 01
<removed> quit
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
ip ssh version 2
ip scp server enable
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
description SRV-DC-22 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description SRV-DC-23 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description SRV-DC-24 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description SRV-DC-25 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/5
description SRV-DC-26 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/6
description SRV-DC-27 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/7
description SRV-DC-28 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/8
description SRV-DC-29 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/9
description SRV-DC-30 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/10
description SRV-DC-31 iLO
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/11
description DC-UCSFabric-1-A Mgmt0
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/12
description DC-UCSFabric-1-B Mgmt0
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description DC-ASA-1 Mgmt0
switchport access vlan 42
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description DC-ASA-2 Mgmt0
switchport access vlan 42
spanning-tree portfast
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
description SRV-DC-22 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/23
description SRV-DC-23 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/24
description SRV-DC-24 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/25
description SRV-DC-25 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/26
description SRV-DC-26 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/27
description SRV-DC-27 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/28
description SRV-DC-28 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/29
description SRV-DC-29 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/30
description SRV-DC-30 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/31
description SRV-DC-31 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/32
description SRV-DC-32 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/33
description SRV-DC-33 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/34
description SRV-DC-34 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/35
description SRV-DC-35 ESXi
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
description SACCESS-3 Mgmt
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/38
description SACCESS-4 Mgmt
switchport access vlan 41
spanning-tree portfast
!
interface GigabitEthernet1/0/39
description RCORE-1 Mgmt-a
switchport access vlan 42
spanning-tree portfast
!
interface GigabitEthernet1/0/40
description RCORE-1 Mgmt-b
switchport access vlan 42
spanning-tree portfast
!
interface GigabitEthernet1/0/41
description RCORE-2 Mgmt-a
switchport access vlan 42
spanning-tree portfast
!
interface GigabitEthernet1/0/42
description RCORE-2 Mgmt-b
switchport access vlan 42
spanning-tree portfast
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
description Uplink to RAGG-2-vdc2 T2/13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/48
description Uplink to RAGG-1-vdc2 T2/13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan41
ip address 192.168.41.222 255.255.255.0
!
interface Vlan42
ip address 192.168.42.30 255.255.255.0
!
interface Vlan1000
no ip address
!
ip default-gateway 192.168.42.1
ip classless
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Vlan42
!
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan42
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
!
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server trap-source Vlan42
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps power-ethernet group 1-4
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131 timeout 5
tacacs-server directed-request
tacacs-server key 7 <removed>
!
banner exec
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
ntp clock-period 36029147
ntp source Vlan42
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
swan-1
!
! Last configuration change at 01:33:45 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 01:33:48 PST Sat Apr 30 2011 by retail
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname SWAN-1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
switch 1 provision ws-c3750-48p
switch 2 provision ws-c3750-48p
system mtu routing 1500
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
!
!
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-722491520
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-722491520
revocation-check none
rsakeypair TP-self-signed-722491520
!
!
crypto pki certificate chain TP-self-signed-722491520
certificate self-signed 01
<removed> quit
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
ip scp server enable
!
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
description SNiffer Uplink to Server10_fe2
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface FastEthernet2/0/1
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
!
interface FastEthernet2/0/4
!
interface FastEthernet2/0/5
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
!
interface FastEthernet2/0/48
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
ip address 192.168.11.14 255.255.255.0
!
ip default-gateway 192.168.11.10
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip sla enable reaction-alerts
logging trap debugging
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1-4
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps energywise
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server key 7 <removed>
!
banner exec
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
!
monitor session 1 source interface Fa1/0/1
monitor session 1 destination interface Fa1/0/48
ntp clock-period 36029297
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
end
swan-3
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname SWAN-3
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
switch 1 provision ws-c3750-48p
switch 2 provision ws-c3750-48p
system mtu routing 1500
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
!
!
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1834566784
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1834566784
revocation-check none
rsakeypair TP-self-signed-1834566784
!
!
crypto pki certificate chain TP-self-signed-1834566784
certificate self-signed 01
<removed> quit
!
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
ip scp server enable
!
!
interface Loopback0
no ip address
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
description Link to ASA-WAN-1_1 SSM Port
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
!
interface GigabitEthernet1/0/1
description link to RCORE-1 port G1/1
!
interface GigabitEthernet1/0/2
description link to ASA-WAN-1_1 Port G0/1
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface FastEthernet2/0/1
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
!
interface FastEthernet2/0/4
!
interface FastEthernet2/0/5
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
description Link to ASA-WAN-1_2 SSM Port
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
!
interface FastEthernet2/0/48
!
interface GigabitEthernet2/0/1
description link to RCORE-2 port G1/1
!
interface GigabitEthernet2/0/2
description link to ASA-WAN-1_2 Port G0/1
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
ip address 192.168.11.13 255.255.255.0
!
interface Vlan40
no ip address
!
ip default-gateway 192.168.11.10
ip classless
no ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip sla enable reaction-alerts
logging trap debugging
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny any log
snmp-server engineID remote 192.168.42.124 0000000000
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access 88
snmp-server user remoteuser remoteuser v3
snmp-server group remoteuser v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1-4
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps energywise
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 192.168.42.124 remoteuser
tacacs-server host 192.168.42.131 timeout 5
tacacs-server directed-request
tacacs-server key 7 <removed>
!
banner exec
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner incoming
WARNING:
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
banner login
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
!
line con 0
session-timeout 15 output
exec-timeout 15 0
login authentication RETAIL
line vty 0 4
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
line vty 5 15
session-timeout 15 output
access-class 23 in
exec-timeout 15 0
logging synchronous
login authentication RETAIL
transport preferred none
transport input ssh
transport output none
!
end
VSG-Tenant-1-running
!Command: show running-config
!Time: Sat Apr 30 03:09:08 2011
version 4.2(1)VSG1(1)
no feature telnet
feature tacacs+
username admin password 5 <removed> role network-admin
banner motd # WARNING: **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail **** **** AUTHORIZED USERS ONLY! **** ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. #
ssh key rsa 2048
ip domain-lookup
ip domain-lookup
tacacs-server key 7 " <removed> "
tacacs-server host 192.168.42.131
aaa group server tacacs+ CiscoACS
server 192.168.42.131
use-vrf management
source-interface mgmt0
aaa group server tacacs+ tacacs
hostname VSG-Tenant-1
no snmp-server protocol enable
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
ntp source 192.168.41.63
aaa authentication login default group CiscoACS
aaa authentication login console group CiscoACS
vrf context management
ip domain-name cisco-irn.com
ip name-server 192.168.42.130
ip route 0.0.0.0/0 192.168.41.1
vlan 1
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
vdc VSG-Tenant-1 id 1
limit-resource vlan minimum 16 maximum 2049
limit-resource monitor-session minimum 0 maximum 2
limit-resource vrf minimum 16 maximum 8192
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 32 maximum 32
limit-resource u6route-mem minimum 16 maximum 16
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
interface mgmt0
ip address 192.168.41.63/24
interface data0
ip address 192.168.52.11/24
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
line vty
exec-timeout 15
line console
exec-timeout 15
boot kickstart bootflash:/nexus-1000v-kickstart-mz.VSG1.1.bin sup-1
boot system bootflash:/nexus-1000v-mz.VSG1.1.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart-mz.VSG1.1.bin sup-2
boot system bootflash:/nexus-1000v-mz.VSG1.1.bin sup-2
ip access-list match-local-traffic
ha-pair id 41
security-profile SecurityProfile-1@root/Tenant-1
policy PolicySet-A@root/Tenant-1
custom-attribute vnsporg "root/tenant-1"
security-profile default@root
policy default@root
custom-attribute vnsporg "root"
rule default/default-rule@root
action 10 drop
rule PolicyA/allow_ICMP@root/Tenant-1
condition 10 dst.net.ip-address eq 192.168.1.1
condition 11 net.protocol eq 1
action 10 log
action 11 permit
policy default@root
rule default/default-rule@root order 2
policy PolicySet-A@root/Tenant-1
rule PolicyA/allow_ICMP@root/Tenant-1 order 101
vnm-policy-agent
registration-ip 192.168.41.65
shared-secret **********
policy-agent-image bootflash:/vnmc-vsgpa.1.0.1j.bin
log-level
logging logfile messages 2
logging server 192.168.42.124 6 facility local0
logging monitor 2