! ============================================================
! VantagePoint Networks — Aruba CX 6300 Access Layer Switch
! Hardened Baseline · 802.1X Ready
! AOS-CX 10.12
! ============================================================
! DEPLOYMENT NOTES:
! 1. Replace all placeholders with your site values
! 2. Paste into CLI or upload via REST API / TFTP
! 3. Verify VSX/LAG config matches your distribution tier
! 4. Test 802.1X with a single port before bulk rollout
! ============================================================

! --- System ---
hostname ACCESS-BLDGA-01
banner motd "
===============================================================
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
All activities are monitored and logged.
===============================================================
"

! --- User Accounts ---
user group administrators password plaintext
user group operators password plaintext

! --- SSH Hardening ---
ssh server vrf default
ssh server vrf mgmt
ssh maximum-auth-attempts 3
ssh idle-timeout 600
ssh ciphers aes256-ctr aes256-gcm@openssh.com
ssh macs hmac-sha2-256 hmac-sha2-512
ssh key-exchange diffie-hellman-group14-sha256 ecdh-sha2-nistp521
no telnet-server

! --- Disable HTTP (use HTTPS only) ---
no http-server
https-server vrf default
https-server vrf mgmt
https-server session-idle-timeout 600
https-server rest access-mode read-write

! --- DNS ---
ip dns domain-name
ip dns server-address
ip dns server-address

! --- NTP ---
ntp server prefer
ntp server
ntp enable
ntp authentication enable
ntp authentication-key 1 md5
ntp trusted-key 1

! --- Timezone ---
clock timezone UTC

! --- Logging ---
logging severity warning
logging severity warning
logging facility local7
logging source-interface loopback 0
logging filter auth-log severity info
logging filter config-change severity info
!
! --- SNMP v3 ---
snmp-server system-location ""
snmp-server system-contact ""
snmp-server system-description "Aruba CX 6300 Access - Building A"
snmpv3 user auth sha auth-pass plaintext priv aes priv-pass plaintext
snmpv3 group SNMPV3-RO user sec-model v3
snmpv3 access SNMPV3-RO sec-model v3 exact read all
snmp-server host trap version v3 user

! --- Loopback ---
interface loopback 0
    ip address /32
    no shutdown

! --- VLANs ---
vlan 10
    name MGMT
    description "Management VLAN"
vlan 20
    name USERS
    description "User workstations"
vlan 30
    name SERVERS
    description "Server network"
vlan 40
    name VOICE
    description "VoIP phones"
vlan 50
    name PRINTERS
    description "Printers and MFPs"
vlan 60
    name WIRELESS
    description "Wireless clients"
vlan 70
    name IOT
    description "IoT devices - restricted"
vlan 80
    name GUEST
    description "Guest network - internet only"
vlan 999
    name QUARANTINE
    description "Quarantine - unused ports"
vlan 1000
    name NATIVE-UNUSED
    description "Unused native VLAN"

! --- VLAN Interfaces (SVIs) ---
interface vlan 10
    description "MGMT SVI"
    ip address /24
    no shutdown
interface vlan 20
    description "Users SVI"
    ip address /24
    ip helper-address
    no shutdown
interface vlan 30
    description "Servers SVI"
    ip address /24
    no shutdown
interface vlan 40
    description "Voice SVI"
    ip address /24
    ip helper-address
    no shutdown
interface vlan 50
    description "Printers SVI"
    ip address /24
    ip helper-address
    no shutdown
interface vlan 60
    description "Wireless SVI"
    ip address /24
    ip helper-address
    no shutdown
interface vlan 70
    description "IoT SVI"
    ip address /24
    ip helper-address
    no shutdown
interface vlan 80
    description "Guest SVI - internet only"
    ip address /24
    ip helper-address
    no shutdown
!
! --- Uplinks to Distribution (LAG) ---
interface lag 1 multi-chassis
    description "== LAG TO DIST-01 / DIST-02 =="
    no shutdown
    no routing
    vlan trunk native-vlan 1000
    vlan trunk allowed 10,20,30,40,50,60,70,80
    lacp mode active
    lacp rate fast
    spanning-tree port-type admin-edge disable
    ! Root guard is deliberately NOT applied to the uplink: the distribution
    ! tier is the STP root and its superior BPDUs must be accepted here.
    ! Root guard belongs on downstream edge ports, not on the path to the root.
interface 1/1/49
    description "== UPLINK TO DIST-01 xe-0/0/10 =="
    no shutdown
    lag 1
    speed 10000
interface 1/1/50
    description "== UPLINK TO DIST-02 xe-0/0/10 =="
    no shutdown
    lag 1
    speed 10000

! --- Stacking (if using VSF) ---
! vsf member 1
!     type jl668a
!     priority 200
!     link 1 1/1/51,1/1/52
! vsf member 2
!     type jl668a
!     priority 100
!     link 1 2/1/51,2/1/52
! vsf split-detection mgmt

! ============================================================
! ACCESS PORT TEMPLATES
! Copy and customise per port as needed
! ============================================================

! --- Template: Standard User Port ---
! Features: 802.1X, VLAN 20, voice VLAN, loop-protect, BPDU guard
! Data VLAN 20 is carried untagged (native) and voice VLAN 40 tagged, so the
! port is a trunk; "vlan access" cannot be combined with "vlan trunk".
interface 1/1/1
    description "User - Floor 1 Desk 01"
    no shutdown
    no routing
    vlan trunk native-vlan 20
    vlan trunk allowed 20,40
    voice-vlan 40
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
    loop-protect
    port-access lldp-bypass
    port-access auth-mode client-mode
    port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 86400
        max-retries 3
        quiet-period 30
        eapol-timeout 15
        reauth
        reauth-period 3600
        enable
    port-access mac-auth authenticator
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
    port-access auth-priority dot1x mac-auth
    port-access role EMPLOYEE
    ! User ports stay untrusted: only the uplink LAG is DHCP-snooping trusted
    ! (see SECURITY HARDENING), and IP Source Guard is enforced per port.
    no ip dhcp snooping trust
    ip source-guard enable
interface 1/1/2
    description "User - Floor 1 Desk 02"
    no shutdown
    no routing
    vlan trunk native-vlan 20
    vlan trunk allowed 20,40
    voice-vlan 40
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
    loop-protect
    port-access auth-mode client-mode
    port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 86400
    port-access mac-auth authenticator
        cached-reauth
    port-access auth-priority dot1x mac-auth
    port-access role EMPLOYEE

! --- Template: Printer Port ---
! Features: MAC-auth only, VLAN 50, no 802.1X (most printers don't support it)
interface 1/1/10
    description "Printer - Floor 1 MFP-01"
    no shutdown
    no routing
    vlan access 50
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
    loop-protect
    port-access mac-auth authenticator
        cached-reauth
        cached-reauth-period 86400
    port-access role PRINTER

! --- Template: IoT Device Port ---
! Features: MAC-auth, VLAN 70, rate-limited
interface 1/1/15
    description "IoT - Floor 1 Sensor Hub"
    no shutdown
    no routing
    vlan access 70
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
    loop-protect
    rate-limit broadcast 500 pps
    rate-limit multicast 500 pps
    port-access mac-auth authenticator
        cached-reauth
    port-access role IOT

! --- Template: AP Port (Wireless Access Point) ---
! Features: Trunk for multiple SSIDs, LLDP-MED PoE, no 802.1X
interface 1/1/20
    description "AP - Floor 1 AP-01"
    no shutdown
    no routing
    vlan trunk native-vlan 60
    vlan trunk allowed 60,70,80
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
    lldp transmit
    lldp receive
    poe-allocate-by usage
    port-access lldp-bypass

! --- Template: Server Port ---
! Features: VLAN 30, trunk if needed, no loop-protect
interface 1/1/25
    description "Server - Rack A U22"
    no shutdown
    no routing
    vlan access 30
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
!
! --- Unused Ports (bulk shutdown) ---
interface 1/1/30
    description "== UNUSED - DISABLED =="
    shutdown
    no routing
    vlan access 999
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
interface 1/1/31
    description "== UNUSED - DISABLED =="
    shutdown
    no routing
    vlan access 999
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
interface 1/1/32
    description "== UNUSED - DISABLED =="
    shutdown
    no routing
    vlan access 999
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard enable
! Repeat pattern for all unused ports: 1/1/33 through 1/1/48
! Use CLI range: interface 1/1/33-1/1/48
!     shutdown
!     no routing
!     vlan access 999
!     spanning-tree port-type admin-edge
!     spanning-tree bpdu-guard enable

! ============================================================
! 802.1X / RADIUS CONFIGURATION
! ============================================================

! --- RADIUS Servers ---
radius-server host key plaintext port 1812 acct-port 1813 tracking enable tracking-interval 60
radius-server host key plaintext port 1812 acct-port 1813 tracking enable

! --- AAA ---
aaa authentication port-access dot1x authenticator radius server-group RADIUS-GROUP
aaa authentication port-access mac-auth authenticator radius server-group RADIUS-GROUP
aaa group server radius RADIUS-GROUP
    server port 1812
    server port 1812
aaa accounting all-mgmt default start-stop radius server-group RADIUS-GROUP

! --- Port Access Roles ---
port-access role EMPLOYEE
    vlan access 20
    voice-vlan 40
    description "Authenticated employee - data + voice"
    gateway-zone zone-1
port-access role PRINTER
    vlan access 50
    description "Authenticated printer/MFP"
    gateway-zone zone-1
port-access role IOT
    vlan access 70
    description "Authenticated IoT device - restricted"
    gateway-zone zone-2
port-access role GUEST
    vlan access 80
    description "Guest/fallback - internet only"
    gateway-zone zone-3
port-access role REJECT
    vlan access 999
    description "Auth failed - quarantine"
!
! ============================================================
! SECURITY HARDENING
! ============================================================

! --- Spanning Tree ---
spanning-tree mode rstp
spanning-tree priority 12
spanning-tree bpdu-guard timeout 120

! --- DHCP Snooping ---
ip dhcp snooping
ip dhcp snooping vlan 20,30,40,50,60,70,80
! Trust uplink ports only
interface lag 1
    ip dhcp snooping trust

! --- Dynamic ARP Inspection ---
ip arp inspection vlan 20,30,40,50,60,70,80
interface lag 1
    ip arp inspection trust

! --- IP Source Guard ---
! Enabled per-port in access port templates above

! --- Storm Control ---
! Applied to the whole access range, so this overrides the tighter 500 pps
! limit set earlier on the IoT template (1/1/15); re-apply that limit after
! this block if it is required.
interface 1/1/1-1/1/48
    rate-limit broadcast 2000 pps
    rate-limit multicast 2000 pps
    rate-limit unknown-unicast 2000 pps

! --- Loop Protection (global) ---
loop-protect
loop-protect trap loop-detected
loop-protect vlan 20,30,40,50,60,70,80,999

! --- ACL: Management Plane Protection ---
! Control-plane ACLs are stateless: as written, the final deny also drops
! RADIUS replies (UDP 1812/1813), DNS replies and DHCP-relay replies to the
! switch itself. Add permits for the RADIUS, DNS and DHCP servers before
! applying, or 802.1X / MAC-auth and ip helper-address will stop working.
access-list ip MGMT-ACL
    10 permit tcp /24 any eq ssh
    20 permit tcp /24 any eq https
    30 permit udp /32 any eq 161
    40 permit udp /32 any eq ntp
    50 permit udp /32 any eq ntp
    60 permit udp /32 eq 514 any
    70 permit icmp /24 any
    500 deny any any any count
apply access-list ip MGMT-ACL control-plane vrf default

! ============================================================
! ROUTING
! ============================================================

! --- OSPF (if L3 at access layer) ---
! router ospf 1
!     router-id
!     passive-interface default
!     area 0.0.0.0
! interface loopback 0
!     ip ospf 1 area 0.0.0.0
! interface vlan 10
!     ip ospf 1 area 0.0.0.0
!     ip ospf passive
! interface lag 1
!     ip ospf 1 area 0.0.0.0
!     ip ospf network point-to-point

! --- Static Default Route ---
ip route 0.0.0.0/0

! ============================================================
! MONITORING & MANAGEMENT
! ============================================================

! --- sFlow (traffic visibility) ---
sflow 1 sampling 4096
sflow 1 polling 30
sflow 1 destination 6343
sflow 1 source loopback 0
!
! --- Interface Monitoring ---
interface 1/1/49
    lldp transmit
    lldp receive
interface 1/1/50
    lldp transmit
    lldp receive

! --- Checkpoint (config backup) ---
! checkpoint auto confirm

! ============================================================
! END OF CONFIGURATION
! VantagePoint Networks · vantagepointnetworks.com
! ============================================================
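A pre-rollout audit script, added here as an example and not part of the VantagePoint baseline, that parses a config in the style above and checks the port-level invariants this template states: live edge ports carry BPDU guard and stay DHCP-snooping untrusted, and disabled ports are parked in VLAN 999. The sample fragment is constructed, and the UPLINKS set and the exact command spellings it matches are assumptions taken from the template.

```python
import re

# Constructed sample in the style of the baseline above: lag 1 is the trusted
# uplink, 1/1/1 is compliant, 1/1/2 is wrongly trusted, 1/1/30 is parked.
SAMPLE = """\
interface lag 1
    ip dhcp snooping trust
interface 1/1/1
    spanning-tree bpdu-guard enable
    no ip dhcp snooping trust
interface 1/1/2
    spanning-tree bpdu-guard enable
    ip dhcp snooping trust
interface 1/1/30
    shutdown
    vlan access 999
"""

UPLINKS = {"lag 1", "1/1/49", "1/1/50"}  # assumed: the LAG and its member ports

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its indented command lines."""
    stanzas, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        if raw[0] not in " \t":  # unindented: a new top-level command
            current = line[len("interface "):] if line.startswith("interface ") else None
            if current is not None:
                stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit(cfg):
    """Return (interface, finding) pairs for physical ports that break the baseline."""
    findings = []
    for name, lines in parse_interfaces(cfg).items():
        if name in UPLINKS or not re.fullmatch(r"\d+/\d+/\d+", name):
            continue  # uplinks, SVIs, loopbacks and port ranges are out of scope
        if "shutdown" in lines:  # exact match, so "no shutdown" does not count
            if "vlan access 999" not in lines:
                findings.append((name, "disabled port not parked in VLAN 999"))
            continue
        if "spanning-tree bpdu-guard enable" not in lines:
            findings.append((name, "bpdu-guard missing on edge port"))
        if "ip dhcp snooping trust" in lines:
            findings.append((name, "access port is DHCP-snooping trusted"))
    return findings
```

Run it against the full `show running-config` output before step 4 of the deployment notes; an empty list means every physical port matches the template.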