
Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

 
Spork_Schivago
Occasional Advisor

Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

Hi!

I have some experience with rackmount servers, managed switches, etc.   But my experience is a bit dated.   We have a 5900AF-48G-4XG-2QSFP+ 48-port gigabit switch.   I had some questions.   I apologize if they sound dumb.

How do people generally hook these switches to a router? Do we buy a transceiver and hook the router to one of the 40 Gbps ports? Do we plug an ethernet cable from the router to one of the ports?

We're trying to set up a VLAN. Right now, we want 8 ports on one network (something like 192.168.2.0 network), and the other 40 on another network (something like 192.168.3.0 network). We want them both to be able to access the outside world through the router. We've hooked the router to the management port on the switch, we can access the outside world from the switch. We set up our VLANs. We set up the DHCP server for the vlan2 (192.168.3.0 network), it never hands out an IP address to the clients for some reason.

We're thinking we should maybe be using one of those fiber transceivers and hooking that to the router, via fiber. Any suggestions?

-- Never stop learning.
parnassus
Honored Contributor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

Spork_Schivago wrote: We have a 5900AF-48G-4XG-2QSFP+ 48-port gigabit switch.

Pretty powerful, the HPE FlexFabric 5900AF 48G 4XG 2QSFP+ Switch (HPE SKU: JG510A) you have belongs to the Layer 3 fixed port managed Switch family used in datacenters as ToR (Top of Rack); it has 48 Gigabit Ethernet ports, 4 10-Gigabit Ethernet ports plus 2 QSFP+ ports.


Spork_Schivago wrote: How do people generally hook these switches to a router? Do we buy a transceiver and hook the router to one of the 40 Gbps ports? Do we plug an ethernet cable from the router to one of the ports?

Well, considering the tasks these units are engineered for, these Switches are generally used in ToR configurations (read, as example, here and here).

Environmentally speaking they are designed to work into a cold and ventilated Data Center (DC) so - it's a matter of managing/permitting typical ToR switching/routing performances - they're for sure noisy (Acoustic noise level with Fan at Low-speed: 65.7 dB, at High-speed: 70.6 dB) and they drain a good amount of power even at idle (200W).

A Router (I think you mean as a gateway to Internet or other networks) can be directly connected using any Gigabit Ethernet port of your 5900AF (avoiding to use the Management port which is used to connect the Switch to a management separated network, if any...just for that purpose)...the port to be used depends on the port you have on the Router side (e.g. Gigabit Ethernet as LAN interface).


Spork_Schivago wrote: We're trying to set up a VLAN. Right now, we want 8 ports on one network (something like 192.168.2.0 network), and the other 40 on another network (something like 192.168.3.0 network). We want them both to be able to access the outside world through the router. We've hooked the router to the management port on the switch, we can access the outside world from the switch. We set up our VLANs. We set up the DHCP server for the vlan2 (192.168.3.0 network), it never hands out an IP address to the clients for some reason.

Do not use Management port for your experiments.

You should be able to just use Port based VLANs (let's say using two free VLAN IDs, as example 100 and 101, and assigning 8 ports on the first and remaining 40 on the second...remember you also need to connect the Router)...with Port based VLANs no IP Routing is enabled between them at switch level...so you eventually need an external device to do the routing task between VLAN IDs you defined...this if the IP Routing between VLANs is really required (since your Switch isn't configured to do so...the Router needs to do so)...you then just need to configure the Router to understand, accept and manage traffic from/to VLAN IDs and the Internet (WAN side)...to do that you need to permit VLAN IDs 100 and 100 on the port connected to the Router and the Router must be configured accordingly to manage VLAN IDs you have defined on the Switch.

That's a way. Others may suggest doing the inter-VLAN routing on the Switch, leaving the Router out of the picture (so the Router will do only the NAT-to-the-Internet part).


I'm not an HPE Employee
Spork_Schivago
Occasional Advisor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

I'm interested in the inter-VLAN routing on the switch, but we're having a bit of a hard time setting it up. When I say router, I do mean gateway to other LANs and the internet (cloud). Even if I remove the router from the equation altogether, I don't understand why the VLAN ports aren't handing out an IP address. I believe I've successfully configured the DHCP server for that VLAN, but no IPv4 address is ever handed out to the client hooked to one of those ports. This is how I thought I configured the inter-VLAN routing on the router. I want two separate VLANs that have no access to each other, one for the residential devices, one for the business. 8 ports dedicated to the business, the rest to the house. I thought, with the routing capabilities of this switch, something like this was possible. I'm having trouble figuring out how to configure it to do that though.

It does work at the switch level. With a cable plugged into ethernet port 48, the router we're currently using is handing out IP addresses to clients on the VLANs, but this isn't what we want right now. We want the switch to hand out those IP addresses. Something like 192.168.3.0/24 network for VLAN1, 192.168.4.0/24 network for VLAN2.

I can share my configuration file if it'd help in trying to figure out what's going on.

Also, those SFP / QSFP+ ports, the ones that you hook a transceiver to....from what I've been reading, they're generally used to hook more than one switch together. But if we bought a Cisco router which had a transceiver, could we provide internet to the switch directly from one of those SFP / QSFP+ ports? Essentially, just hook a fiber line directly from the router to the switch. Would that work? Also, if the switch provides layer 3 routing, why can't we just hook fiber directly to the switch? I don't know how our local fiber companies will bring fiber into the house, but do we actually need a router?

Thanks and I'm sorry for all these questions, especially if they seem real simple.   Like I've said, it's been a while since I played with technology like this and a bit has changed in the last 12 years.   We have the rack ordered.   It should be here in a few weeks.   We have the CAT 6 patch panel, the DL380 Gen 9 server, the HP 5900AF switch.    We still need a router and the fiber line, but once we get the switch properly configured, I think we'll be good to go.

Thanks!

-- Never stop learning.
Spork_Schivago
Occasional Advisor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

I am soooo close!!!!!!

I have three vlans, 1 (the default), 2 (the business), and 3 (the residential).

I assigned GigabitEthernet ports 1/0/1 to 1/0/8 for vlan 2.    I assigned GigabitEthernet ports 1/0/9 to 1/0/47 to the residential.

I created two vlan interfaces, 2 and 3.   2 is for the business, 3 is for residential.

GigabitEthernet port 1/0/48 is our uplink to the router.   I've configured the port for route mode and enabled RIPv2 on it.   I've assigned a static IP of 192.168.2.9 to this port.   My router is on the 192.168.2.0/24 network.

I've configured a static route 0.0.0.0 0.0.0.0 192.168.2.9
I've configured my DNS servers.

At this point, I could ping the outside world from the switch.

Now, I setup the DHCP server to use the two pools to hand out IP addresses for the two virtual LAN interfaces, and that works.   If I plug an ethernet cable from my workstation into ports 1-8, I'm assigned an address on the 192.168.3.0 network.   If I plug it into ports 9-47, I'm assigned an IP address from the 192.168.4.0 network.

But now, I cannot ping the outside world, from the workstation, or from the switch.   In the vlan interface configuration, I tried setting the DHCP gateway-list to 192.168.2.9 and I even tried setting it to 192.168.2.1, but I still cannot access the outside world.

Any ideas what I'm doing wrong? I figure I need to set a static route or two somewheres, but not sure exactly how to set it. I've tried various things. I'm going to save the configuration so I can at least get back to where I am before I mess anything up!

Any ideas on how to fix it so I can get to the outside world?   Tomorrow, I'll post my startup.cfg file for you to look at.

-- Never stop learning.
parnassus
Honored Contributor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

Supposing you own and control a Firewall (Your Default Gateway to Internet) and that Firewall has a LAN1 interface, suppose your Firewall lets you configure and assign to LAN1 various sub-interfaces (Layer 3 VLANs), each one with a specific IP Subnet and each one with DHCP service enabled.

That way you have a Firewall with one physical interface (LAN1) that has:

  • Its default subnet (on VLAN ID = 1, Default/Primary VLAN) with its particular default IP Subnet (with/without DHCP service enabled).
  • Various LAN1 sub-Interfaces (Virtual interfaces), each one is a VLAN and each VLAN so defined has its specific non overlapping IP Subnet (with/without DHCP service enabled).
  • Firewall/NAT rules to permit (or deny) inter-VLANs IP Routing (or customized rules)...and rule that permit outgoing traffic from those VLANs to WAN (Internet).

With the Firewall so configured and in place, connect its LAN1 port to a port on the Switch (let me say you will use the GE 1/0/48)...well that port will be the uplink port between the Switch and the Firewall (Gigabit Ethernet port on both sides, clearly), at this point on the Switch tag that port - which will switch from being an Access Mode port to be a Trunk Mode port - (you have previously configured the same VLAN IDs defined on the above Firewall) this to permit VLAN IDs defined above (let me say VLAN ID = 2 and VLAN ID = 3) and leave the PVID = 1 for that port (on the Firewall Default VLAN is 1 too for LAN1 so no mismatch for untagged VLAN ID)...this way port GE 1/0/48 will be untagged member of VLAN 1 and, concurrently, tagged member of (permitting traffic of) VLAN 2 and VLAN 3:

# Setting the port to allow VLAN 2 (Business) and VLAN 3 (Residential)

[GigabitEthernet 1/0/48] port trunk permit vlan 2  3

At this point, if you have tagged the ports on the Switch that you wanted to be members of VLAN 2 or 3, as you already did (no IP routing is enabled on the Switch, no static routes are needed since VLANs are - at this level - still a Layer 2 construct)...now connecting a Host to a port member of, as example, VLAN 2 should let the host connected on that port receive IP Addressing governed by the Firewall's DHCP as set for its VLAN ID = 2 sub-interface (that will happen via the uplink port Firewall/Switch)...and so on.

All the routing is done at Firewall level...which is an external device...this can be considered a bad design in some scenarios (Firewall can be a bottleneck in terms of inter-VLAN throughput and is a SPoF).

If you don't want the Firewall doing the IP Routing job...you need to use VLAN Interfaces (which are virtual interfaces used for Layer 3 communication between different VLANs) and configure the Switch to do the IP Routing jobs between those VLAN Interfaces (with the help of a third VLAN Interface that will act as the Default Gateway for all your other VLAN Interfaces at Switch level...then this third VLAN Interface will communicate to its defined Default Gateway - which will be the Firewall as it is normally for just a subnet (without any sub-interface VLAN, as usual)).


I'm not an HPE Employee
Spork_Schivago
Occasional Advisor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

Sorry for the delay in getting back to you.

We do not want the gateway device's DHCP server handing out IP addresses though.   We want the switch to hand out IP addresses, based on what port the device is hooked to.   For example, if the device (workstation) is hooked to ports 1-8, we want the switch to hand out an IP address on the 192.168.3.0/24 network.   If it's hooked to ports 9-47, we want it to hand out addresses on the 192.168.4.0/24 network, for now at least.

This is because our cable modem is very limited.   We have graphical access to a web interface, but with extremely limited options.   For example, for Firewall options, we have Off, Medium, High.   It doesn't say what the difference is.   We plan on switching to a real router and doing away with the cable modem, but in order for us to get business grade service, we need to setup a corporation.   This is taking a bit longer than we expected.   The Small Business Development Center in our area is going through some sort of transformation and they said it'll take a bit before we can get a meeting with them.

parnassus wrote: If you don't want the Firewall doing the IP Routing job...you need to use VLAN Interfaces (which is a virtual interface used for Layer 3 communication between different VLANs) and configure the Switch to do the IP Routing jobs between those VLAN Interfaces (with the help of a third VLAN Interface that will act as the Default Gateway for all your other VLAN Interfaces at Switch level...then this third VLAN Interface will communicate to its defined Default Gateway - which will be the Firewall as it is normally for just a subnet (without any sub-interface VLAN, as usual).

This is what we've been attempting to do, but we're having some issues implementing it correctly.

We have three VLANs, the first default one, that we cannot remove. Then the second business one, then the third residential one. Do we tag Gigabit ethernet ports 1 - 8 for the business, 1-47 for the residential, and put port 48 in access mode? If so, we cannot access the outside internet. We can access the 192.168.4.0/24 network (if we're plugged into the residential vlan (#3)). We can access the cable modem's network (192.168.2.0/24). The switch itself can ping the outside world, but the devices connected to the VLANs cannot ping the outside world.

If we put Gigabit ethernet port 48 in trunk mode, then the cable modem's DHCP server hands out IP addresses, which is not what we want.

I appreciate you taking the time to help me.   I have experience with Cisco equipment and I'm slowly adjusting to the HPE equipment.

Thank you.

-- Never stop learning.
Spork_Schivago
Occasional Advisor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

I wonder if this should be moved to the Comware-based forum.   I believe this switch is a Comware-based switch, isn't it?  I didn't realize that when I originally posted.

-- Never stop learning.
parnassus
Honored Contributor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.


@Spork_Schivago wrote:

I wonder if this should be moved to the Comware-based forum.   I believe this switch is a Comware-based switch, isn't it?  I didn't realize that when I originally posted.


Yes, it should.

Regarding your scenario: basically you need to create some VLAN L3 Interfaces (Business VLAN, Residential VLAN, Guest VLAN, etc.) and a specific Transit VLAN L3 Interface through which all other VLANs are routed to the Internet.

The Transit VLAN L3 Interface will have the LAN IP Address of your residential Firewall/Router as Default Gateway IP Address (so the LAN Interface of your residential Firewall/Router needs to be in the same Subnet as the transit VLAN L3 Interface since both interfaces need to communicate with each other). A physical port on the Switch needs to be connected (it's the Trunk link) to the LAN Interface of your residential Firewall/Router cited above...then you should enable and configure DHCP Server services for each VLAN ID you care about (so hosts on Business VLAN and Residential VLAN will receive the correct addressing from the Switch), disabling any DHCP Server in the Firewall (if not necessary) since it will continue to release (on the VLAN it belongs to) IP Addresses...and you don't want that (at least you can leave it as-is and you know its DHCP Server services will be isolated to the Transit VLAN it is connected to).

On the Firewall/Router you should create Firewall Rules to get back to your individual VLANs.


I'm not an HPE Employee
Spork_Schivago
Occasional Advisor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

I'll post my configuration, because I believe I've done just that, but it's still not working correctly.

I now have three VLANs (plus the default one).   I have Gigabit port 1/0/48 setup as a trunk line.   I have the third VLAN getting an IP address from the gateway's DHCP server (which is okay, for now).   It's assigned an IP address of 192.168.2.29.   The gateway has an IP address of 192.168.2.1.    From the switch, I can ping 192.168.2.1.   I can ping google.

I have the residential VLAN set up to hand out IP addresses on a different network. And I have the business VLAN set up to hand out IP addresses on a different network. I have the ports that connect to those two VLANs configured as hybrid ports. Let's say gigabit port 1/0/1 belongs to the business VLAN. And let's say if I plug a device into that port, it's assigned an IP address of 192.168.3.11. Let's say the business VLAN is VLAN 2. With that 192.168.3.11 IP address, I can now ping 192.168.2.29, I can ping 192.168.2.1, but I still cannot ping the internet from that port.

I'll post my current running configuration and maybe you'll see where I'm going wrong?

How do I move the post to the current forum?

Thanks!

-- Never stop learning.
Spork_Schivago
Occasional Advisor

Re: Hooking up the 5900AF-48G-4XG-2QSFP+ to a router.

Here is a copy of my current configuration. Do you see anything wrong with it? I've tried enabling rip on the various VLAN interfaces, hoping that perhaps because the 4th "gateway" VLAN could reach the outside world, that it would spread its routing table with the other VLANs and show them how to reach it.

I've removed things like my password and contact info. I've replaced them with words like <my password hash> and <my contact info>. I hope that's okay.

I'd like to add, if I tag any of the ports in any of the VLANs, then it stops working. For example, in VLAN 2, if I tag gigabit port 1/0/1, then all of a sudden, the DHCP server that's running on that port never hands out an IP address and I can never reach anything. I thought the purpose of tagging was so each packet would be marked with what VLAN they came from, so when the packet traverses to another network device (such as the gateway device), it'll know where to send it when the destination replies.


Thanks.

#
 version 7.1.045, Release 2432P03-US
#
 sysname switch1
#
 clock timezone EasternTime minus 05:00:00
 clock protocol ntp
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
 irf mode normal
#
rip 1
 network 0.0.0.0
#
 dhcp enable
 dhcp server forbidden-ip 192.168.3.2 192.168.3.10
 dhcp server forbidden-ip 192.168.4.2 192.168.4.10
#
 dns server 209.18.47.61
 dns server 209.18.47.62
#
 system-working-mode standard
 fan prefer-direction slot 1 port-to-power 
 password-recovery enable
#
vlan 1
 name default
 description Default Virtual LAN
#
vlan 2
 name vlan - business
 description Virtual LAN for the Business (ports 1-8)
 protocol-vlan 0 ipv4
 protocol-vlan 1 ipv6
#
vlan 3
 name vlan - residential
 description Virtual LAN for Residential (ports 9-47)
 protocol-vlan 0 ipv4
 protocol-vlan 1 ipv6
#
vlan 4
 name vlan - gateway
 description Virtual LAN that bridges our VLANs to our Gateway
 protocol-vlan 0 ipv4
 protocol-vlan 1 ipv6
#
dhcp server ip-pool business
 gateway-list 192.168.3.1
 network 192.168.3.0 mask 255.255.255.0
 address range 192.168.3.11 192.168.3.254
 dns-list 209.18.47.61 209.18.47.62
 expired day 0 hour 0 minute 30
#
dhcp server ip-pool residential
 gateway-list 192.168.4.1
 network 192.168.4.0 mask 255.255.255.0
 address range 192.168.4.11 192.168.4.254
 dns-list 209.18.47.61 209.18.47.62
 expired day 0 hour 0 minute 30
#
interface NULL0
#
interface Vlan-interface2
 description Virtual LAN interface for Business Devices
 ip address 192.168.3.1 255.255.255.0
 ipv6 address dhcp-alloc
 rip 1 enable
 rip version 2 multicast
 dhcp server apply ip-pool business
#
interface Vlan-interface3
 description Virtual LAN interface for Residential Devices
 ip address 192.168.4.1 255.255.255.0
 ipv6 address dhcp-alloc
 rip 1 enable
 rip version 2 multicast
 dhcp server apply ip-pool residential
#
interface Vlan-interface4
 description Virtual LAN interface that bridges our VLANs to our Gateway
 ip address dhcp-alloc
 ipv6 address dhcp-alloc
 rip 1 enable
 rip version 2 multicast
 dhcp select relay
#
interface FortyGigE1/0/53
 port link-mode bridge
#
interface FortyGigE1/0/54
 port link-mode bridge
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/8
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/9
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/10
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/11
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/12
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/13
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/14
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/15
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/18
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/19
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/20
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/21
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/22
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/23
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/25
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/26
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/27
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/28
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/29
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/30
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/31
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/32
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/33
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/34
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/35
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/36
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/37
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/38
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/39
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/40
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/41
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/42
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/43
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/44
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/45
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/46
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/47
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 3 4 untagged
 port hybrid pvid vlan 3
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/48
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 4 
 port trunk pvid vlan 4
#
interface M-GigabitEthernet0/0/0
 ip address 192.168.1.7 255.255.255.0
 undo dhcp select server
#
interface Ten-GigabitEthernet1/0/49
 port link-mode bridge
#
interface Ten-GigabitEthernet1/0/50
 port link-mode bridge
#
interface Ten-GigabitEthernet1/0/51
 port link-mode bridge
#
interface Ten-GigabitEthernet1/0/52
 port link-mode bridge
#
igmp
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 authentication-mode password
 user-role network-admin
 set authentication password hash <hashed password>
#
line vty 0 15
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 set authentication password hash <hashed password>
#
line vty 16 63
 user-role network-operator
#
 snmp-agent
 snmp-agent local-engineid 800063A280BCEAFA7343E400000001
 snmp-agent sys-info contact <my contact info>
 snmp-agent sys-info location <my address>
 snmp-agent sys-info version v3 
#
 ssh server enable
 sftp server enable
 ssh user admin service-type all authentication-type password
#
 ntp-service enable
#
radius scheme system
 user-name-format without-domain
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash <hashed password>
 access-limit 3
 service-type ssh telnet https
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 ip https enable
 web idle-timeout 720
#
return

 

-- Never stop learning.
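
Added example, not part of the original thread and not HPE's code: a short Python audit of a Comware-style configuration like the one posted above. It flags settings that work against the goal stated earlier in the thread (business and residential VLANs with no access to each other): host ports that are untagged members of several VLANs, "dhcp snooping trust" on host-facing ports, routed VLAN interfaces with no "packet-filter" applied, and Telnet management. SAMPLE_CONFIG is a constructed excerpt modeled on the post; parse_sections and audit are hypothetical names.

```python
import re

# Constructed excerpt modeled on the configuration posted above (not the full file).
SAMPLE_CONFIG = """\
#
 telnet server enable
#
vlan 2
 name vlan - business
#
interface Vlan-interface2
 ip address 192.168.3.1 255.255.255.0
 dhcp server apply ip-pool business
#
interface Vlan-interface3
 ip address 192.168.4.1 255.255.255.0
 dhcp server apply ip-pool residential
#
interface Vlan-interface4
 ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 2 4 untagged
 port hybrid pvid vlan 2
 stp edged-port
 dhcp snooping trust
#
interface GigabitEthernet1/0/48
 port link-type trunk
 port trunk permit vlan 4
 port trunk pvid vlan 4
#
 ssh server enable
#
return
"""


def parse_sections(text):
    """Split a Comware config on '#' separator lines into lists of commands."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(text):
    """Return (location, finding) tuples for settings that weaken VLAN separation."""
    findings = []
    for sec in parse_sections(text):
        head, body = sec[0], sec[1:]
        if not head.startswith("interface "):
            # Global block: every line is a system-view command.
            if "telnet server enable" in sec:
                findings.append(("global", "telnet management enabled (cleartext)"))
            continue
        name = head.split(None, 1)[1]
        if name.startswith("Vlan-interface"):
            # A Layer 3 VLAN interface is routed to every other one unless an
            # ACL is applied to it (Comware applies ACLs with packet-filter).
            routed = any(c.startswith("ip address ") for c in body)
            filtered = any(c.startswith("packet-filter ") for c in body)
            if routed and not filtered:
                findings.append((name, "routed VLAN interface without packet-filter"))
            continue
        # Physical port: a hybrid port sends frames of every VLAN in its
        # untagged list out to the attached host, not only its PVID.
        for cmd in body:
            m = re.fullmatch(r"port hybrid vlan ([\d\s]+?) untagged", cmd)
            if m and len(m.group(1).split()) > 1:
                vlans = ",".join(m.group(1).split())
                findings.append((name, "untagged member of VLANs " + vlans))
        # 'stp edged-port' marks a host-facing port; such a port should not
        # be trusted as a source of DHCP server replies.
        if "stp edged-port" in body and "dhcp snooping trust" in body:
            findings.append((name, "DHCP snooping trust on a host-facing port"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```

Run against the full configuration in the post, every GigabitEthernet1/0/1 to 1/0/47 block would produce the same two port findings, since each carries the same hybrid and snooping lines.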