version 6.1 enable secret "******" hostname "Aruba3200" clock timezone PST -8 location "XXXXXXXX" controller config 13 ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0 ip access-list eth validuserethacl permit any ! netservice svc-pcoip2-tcp tcp 4172 netservice svc-netbios-dgm udp 138 netservice svc-snmp-trap udp 162 netservice svc-https tcp 443 netservice svc-dhcp udp 67 68 alg dhcp netservice svc-citrix tcp 2598 netservice svc-syslog udp 514 netservice svc-l2tp udp 1701 netservice svc-ike udp 500 netservice svc-smb-tcp tcp 445 netservice svc-ica tcp 1494 netservice svc-pptp tcp 1723 netservice svc-sec-papi udp 8209 netservice svc-sccp tcp 2000 alg sccp netservice svc-telnet tcp 23 netservice svc-lpd tcp 515 netservice svc-netbios-ssn tcp 139 netservice svc-sip-tcp tcp 5060 netservice svc-kerberos udp 88 netservice svc-tftp udp 69 alg tftp netservice svc-pcoip-udp udp 50002 netservice svc-pcoip-tcp tcp 50002 netservice svc-http-proxy3 tcp 8888 netservice svc-noe udp 32512 alg noe netservice svc-cfgm-tcp tcp 8211 netservice svc-adp udp 8200 netservice svc-pop3 tcp 110 netservice svc-dns udp 53 alg dns netservice svc-rtsp tcp 554 alg rtsp netservice svc-msrpc-tcp tcp 135 139 netservice svc-http tcp 80 netservice svc-h323-udp udp 1718 1719 netservice svc-h323-tcp tcp 1720 netservice svc-vocera udp 5002 alg vocera netservice svc-http-proxy2 tcp 8080 netservice svc-sip-udp udp 5060 netservice svc-nterm tcp 1026 1028 netservice svc-noe-oxo udp 5000 alg noe netservice svc-papi udp 8211 netservice svc-natt udp 4500 netservice svc-ftp tcp 21 alg ftp netservice svc-microsoft-ds tcp 445 netservice svc-svp 119 alg svp netservice svc-smtp tcp 25 netservice svc-gre 47 netservice svc-netbios-ns udp 137 netservice svc-sips tcp 5061 alg sips netservice svc-smb-udp udp 445 netservice svc-ipp-tcp tcp 631 netservice svc-esp 50 netservice svc-pcoip2-udp udp 4172 netservice svc-v6-dhcp udp 546 547 netservice svc-snmp udp 161 netservice svc-bootp udp 67 69 netservice svc-msrpc-udp udp 135 139 netservice svc-ntp udp 123 netservice svc-icmp 1 netservice svc-ipp-udp udp 631 netservice svc-ssh tcp 22 netservice svc-v6-icmp 58 netservice svc-http-proxy1 tcp 3128 netservice svc-vmware-rdp tcp 3389 netdestination Private-Subnets network 10.0.0.0 255.0.0.0 network 192.168.0.0 255.255.0.0 network 172.16.0.0 255.240.0.0 ! netdestination Public-DNS host 8.8.8.8 host 4.2.2.2 ! netexthdr default ! ip access-list session v6-icmp-acl ipv6 any any svc-v6-icmp permit ! ip access-list session control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-papi permit any any svc-sec-papi permit any any svc-cfgm-tcp permit any any svc-adp permit any any svc-tftp permit any any svc-dhcp permit any any svc-natt permit ! ip access-list session allow-diskservices any any svc-netbios-dgm permit any any svc-netbios-ssn permit any any svc-microsoft-ds permit any any svc-netbios-ns permit ! ip access-list session drop-and-log any any any deny log ! ip access-list session validuser network 169.254.0.0 255.255.0.0 any any deny any any any permit ipv6 any any any permit ! ip access-list session v6-https-acl ipv6 any any svc-https permit ! ip access-list session vocera-acl any any svc-vocera permit queue high ! ip access-list session vmware-acl ! ip access-list session icmp-acl any any svc-icmp permit ! ip access-list session v6-dhcp-acl ipv6 any any svc-v6-dhcp permit ! ip access-list session captiveportal user alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 ! ip access-list session auth-guest-access user any svc-http permit user any svc-https permit ! ip access-list session v6-dns-acl ipv6 any any svc-dns permit ! ip access-list session allowall any any any permit ipv6 any any any permit ! ip access-list session https-acl any any svc-https permit ! ip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high ! ip access-list session citrix-acl ! ip access-list session ra-guard ipv6 user any icmpv6 rtr-adv deny ! ip access-list session dns-acl any any svc-dns permit ! ip access-list session v6-allowall ipv6 any any any permit ! ip access-list session tftp-acl any any svc-tftp permit ! ip access-list session skinny-acl any any svc-sccp permit queue high ! ip access-list session srcnat user any any src-nat ! ip access-list session vpnlogon user any svc-ike permit user any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit ! ip access-list session logon-control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit ! ip access-list session allow-printservices any any svc-lpd permit any any svc-ipp-tcp permit any any svc-ipp-udp permit ! ip access-list session cplogout user alias controller svc-https dst-nat 8081 ! ip access-list session v6-http-acl ipv6 any any svc-http permit ! ip access-list session http-acl any any svc-http permit ! ip access-list session dhcp-acl any any svc-dhcp permit ! ip access-list session captiveportal6 ipv6 user alias controller6 svc-https captive ipv6 user any svc-http captive ipv6 user any svc-https captive ipv6 user any svc-http-proxy1 captive ipv6 user any svc-http-proxy2 captive ipv6 user any svc-http-proxy3 captive ! ip access-list session AP-Employee_Access any any any permit ! ip access-list session guest-logon-access user any udp 68 deny any any svc-dhcp permit user alias Public-DNS svc-dns permit ! ip access-list session ap-uplink-acl any any udp 68 permit any any svc-icmp permit any host 224.0.0.251 udp 5353 permit ! ip access-list session noe-acl any any svc-noe permit queue high ! ip access-list session svp-acl any any svc-svp permit queue high user host 224.0.1.116 any permit ! ip access-list session ap-acl any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-snmp-trap permit user any svc-ntp permit user alias controller svc-ftp permit ! ip access-list session block-internal-access user alias Private-Subnets any deny ! ip access-list session v6-logon-control ipv6 user any udp 68 deny ipv6 any any svc-v6-icmp permit ipv6 any any svc-v6-dhcp permit ipv6 any any svc-dns permit ! ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high ! vpn-dialer default-dialer ike authentication PRE-SHARE ****** ! user-role ap-role access-list session control access-list session ap-acl ! user-role denyall ! user-role cpbase ! user-role default-vpn-role access-list session allowall access-list session v6-allowall ! user-role voice access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acl ! user-role auth-guest access-list session cplogout access-list session guest-logon-access access-list session block-internal-access access-list session auth-guest-access access-list session drop-and-log ! user-role default-via-role access-list session allowall ! user-role guest-logon captive-portal "guest-net" access-list session captiveportal access-list session guest-logon-access ! user-role guest access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acl ! user-role stateful-dot1x ! user-role AP-Employee vlan 30 access-list session AP-Employee_Access ! user-role authenticated access-list session allowall access-list session v6-allowall ! user-role logon access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6 ! aaa authentication-server internal use-local-switch ! controller-ip vlan 30 interface mgmt shutdown ! dialer group evdo_us init-string ATQ0V1E0 dial-string ATDT#777 ! dialer group gsm_us init-string AT+CGDCONT=1,"IP","ISP.CINGULAR" dial-string ATD*99# ! dialer group gsm_asia init-string AT+CGDCONT=1,"IP","internet" dial-string ATD*99***1# ! dialer group vivo_br init-string AT+CGDCONT=1,"IP","zap.vivo.com.br" dial-string ATD*99# ! vlan 30 vlan 100 vlan 110 vlan 200 interface gigabitethernet 1/0 description "GE1/0" trusted trusted vlan 1-4094 switchport access vlan 30 ! interface gigabitethernet 1/1 description "GE1/1" trusted trusted vlan 1-4094 ! interface gigabitethernet 1/2 description "GE1/2" trusted trusted vlan 1-4094 ! interface gigabitethernet 1/3 description "GE1/3" trusted trusted vlan 1-4094 ! interface vlan 30 ip address XXX.XXX.30.254 255.255.255.0 ! interface vlan 1 ip address dhcp-client shutdown ! interface vlan 110 ip address XXX.XXX.110.1 255.255.255.0 ip nat inside ! ip default-gateway XXX.XXX.30.1 uplink disable ap mesh-recovery-profile cluster RecoveryHaRJfbuV9vwn9s5j wpa-hexkey ed56331b2debc2748ad762e168748a49998d4de6d9d31c756cc2ea78839429b3d7d26e1f614d399fe9d39aae0dcb7b441c233622a710258a665359a44696b751e329574b22f2f13dbf3bddce2b4bbd1e crypto isakmp policy 20 encryption aes256 ! crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac crypto dynamic-map default-dynamicmap 10000 set transform-set "default-transform" "default-aes" ! crypto isakmp eap-passthrough eap-tls crypto isakmp eap-passthrough eap-peap crypto isakmp eap-passthrough eap-mschapv2 vpdn group l2tp ! ip dhcp pool AP default-router XXX.XXX.30.1 dns-server XXX.XXX.30.2 lease 0 1 0 0 network XXX.XXX.30.0 255.255.255.0 authoritative ! ip dhcp pool Guest network XXX.XXX.110.0 255.255.255.0 authoritative ! service dhcp ! vpdn group pptp ! tunneled-node-address 0.0.0.0 adp discovery enable adp igmp-join enable adp igmp-vlan 0 voice rtcp-inactivity disable voice sip-midcall-req-timeout disable ap ap-blacklist-time 3600 ssh mgmt-auth username/password mgmt-user admin root d8538f5e018426143d89f0ad39e6316f3c37577625af039026 no database synchronize database synchronize rf-plan-data ip mobile domain default ! ip igmp ! ipv6 mld ! no firewall attack-rate cp 1024 ipv6 firewall ext-hdr-parse-len 100 ! firewall cp ! firewall cp packet-capture-defaults tcp disable udp disable sysmsg disable other disable ! ip domain lookup ! country DE aaa authentication mac "default" ! aaa authentication dot1x "AP-EmployeeDot1x" termination enable termination eap-type eap-peap ! aaa authentication dot1x "default" ! aaa authentication dot1x "default-psk" termination enable termination eap-type eap-peap ! aaa server-group "AP-Employee-Internal" auth-server Internal ! aaa server-group "default" auth-server Internal set role condition role value-of ! aaa server-group "guest-internal" ! aaa profile "AP-Employee_AAA" authentication-dot1x "AP-EmployeeDot1x" dot1x-default-role "logon" dot1x-server-group "AP-Employee-Internal" ! aaa profile "default" ! aaa profile "default-dot1x" initial-role "authenticated" mac-server-group "internal" authentication-dot1x "default" dot1x-default-role "authenticated" ! aaa profile "default-dot1x-psk" authentication-dot1x "default" ! aaa authentication captive-portal "default" ! aaa authentication captive-portal "guest-net" default-role "auth-guest" server-group "guest-internal" switchip-in-redirection-url ! aaa authentication wispr "default" ! aaa authentication vpn "default" ! aaa authentication vpn "default-rap" ! aaa authentication mgmt ! aaa authentication stateful-ntlm "default" ! aaa authentication stateful-kerberos "default" ! aaa authentication stateful-dot1x ! aaa authentication wired ! web-server ! papi-security ! guest-access-email ! voice logging ! voice dialplan-profile "default" ! voice real-time-config ! voice sip ! aaa password-policy mgmt ! control-plane-security no cpsec-enable ! ids management-profile ! ids wms-general-profile poll-retries 3 ! ids wms-local-system-profile ! ids ap-rule-matching ! valid-network-oui-profile ! ap system-profile "default" ! ap regulatory-domain-profile "default" country-code DE valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 52 valid-11a-channel 56 valid-11a-channel 60 valid-11a-channel 64 valid-11a-channel 100 valid-11a-channel 104 valid-11a-channel 108 valid-11a-channel 112 valid-11a-channel 116 valid-11a-channel 120 valid-11a-channel 124 valid-11a-channel 128 valid-11a-channel 132 valid-11a-channel 136 valid-11a-channel 140 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 52-56 valid-11a-40mhz-channel-pair 60-64 valid-11a-40mhz-channel-pair 100-104 valid-11a-40mhz-channel-pair 108-112 valid-11a-40mhz-channel-pair 116-120 valid-11a-40mhz-channel-pair 124-128 valid-11a-40mhz-channel-pair 132-136 ! ap wired-ap-profile "default" wired-ap-enable ! ap enet-link-profile "default" ! ap mesh-ht-ssid-profile "default" ! ap mesh-cluster-profile "default" ! ap wired-port-profile "default" ! ap mesh-radio-profile "default" ! ids general-profile "default" ! ids rate-thresholds-profile "default" ! ids signature-profile "default" ! ids impersonation-profile "default" ! ids unauthorized-device-profile "default" ! ids signature-matching-profile "default" signature "Deauth-Broadcast" signature "Disassoc-Broadcast" ! ids dos-profile "default" ! ids profile "default" ! rf arm-profile "arm-maintain" assignment maintain no scanning ! rf arm-profile "arm-scan" ! rf arm-profile "default" ! rf optimization-profile "default" ! rf event-thresholds-profile "default" ! rf am-scan-profile "default" ! rf dot11a-radio-profile "default" ! rf dot11a-radio-profile "rp-maintain-a" arm-profile "arm-maintain" ! rf dot11a-radio-profile "rp-monitor-a" mode am-mode ! rf dot11a-radio-profile "rp-scan-a" arm-profile "arm-scan" ! rf dot11g-radio-profile "default" ! rf dot11g-radio-profile "rp-maintain-g" arm-profile "arm-maintain" ! rf dot11g-radio-profile "rp-monitor-g" mode am-mode ! rf dot11g-radio-profile "rp-scan-g" arm-profile "arm-scan" ! wlan dot11k-profile "default" ! wlan voip-cac-profile "default" ! wlan ht-ssid-profile "default" ! wlan edca-parameters-profile station "default" ! wlan edca-parameters-profile ap "default" ! wlan ssid-profile "AP-Employee_SSID" essid "AP-Corp-test" opmode wpa2-aes ! wlan ssid-profile "default" ! wlan virtual-ap "AP-Employee_VAP" aaa-profile "AP-Employee_AAA" ssid-profile "AP-Employee_SSID" vlan 30 ! wlan virtual-ap "default" no vap-enable vlan 30 ! ap provisioning-profile "default" ! ap spectrum local-override ! ap-group "AP-Employee" virtual-ap "AP-Employee_VAP" ! ap-group "default" virtual-ap "default" ! logging level warnings security subcat ids logging level warnings security subcat ids-ap snmp-server enable trap process monitor log end