AI Prompt

Create a complete, bootable configuration for the Huawei S7712 switch (VRP). The configuration must be structured, contain comments, and strictly adhere to the following detailed requirements:

1. Security and Access Management:

Local Users: Create two local users:
– admin-backup: A backup account with level 15 privileges for console access only.
– netadmin: A primary account with level 1 privileges (read-only) for SSH access.

Access Protocols: Completely disable Telnet and HTTP/HTTPS servers. Enable and configure SSH version 2 (stelnet, sftp) with preferred encryption algorithms (aes128_ctr, aes256_ctr).

Authentication: Configure a password for logging into privileged mode (super password level 15). Configure centralized authentication, authorization, and accounting (AAA) via an external RADIUS server with mandatory local fallback in case of server unavailability. VTY lines (0-4) should initially use the default (local) authentication scheme.

Console and VTY: Authentication on console 0 and vty 0-4 lines should be performed via AAA.

2. Basic network setup:

System: Set the hostname to SW-Core-01.

VLAN: Create and name the following VLANs:
1 – Management
100 – Printers
200 – UsersGroup1
300 – UsersGroup2
400 – Swift
500 – Reuters
600 – Storages
700 – WAN

IP addressing: Assign the IP address 192.168.50.100/24 and the description Management_VLAN to the Vlanif1 interface. Add a default static route to the gateway (ip route-static 0.0.0.0 0.0.0.0).

3. Services and Monitoring:

Time (NTP): Configure time synchronization with two NTP servers, specifying one as preferred. Specify Vlanif1 as the source of NTP packets. Set the time zone to MSK (UTC+3).

Logging (Syslog): Configure sending level 5 logs (notifications) to an external syslog server, using the IP address of Vlanif1 as the source.

4. Port-Security:

Globally enable port-security. Apply the setting to all ports in slots 2 and 3 (presumably GigabitEthernet ranges 2/0/1-48 and 3/0/1-48).

Parameters for these ports:
– Access mode.
– Enable port-security.
– Maximum number of learned MAC addresses: 1.
– Violation action: restrict (log violation, but do not disable the port).
– Sticky the first dynamically learned MAC address.
– Do not configure automatic port recovery (errdisable recovery).
– Enable stp edged-port for these ports.

5. Critical response format requirement:

The response must consist of TWO CLEARLY SEPARATED PARTS:

PART 1: Complete configuration. The full configuration text in Huawei VRP command format, grouped by logical blocks (system, security, VLAN, interfaces, etc.), using comments (!) for clarification.

PART 2: Table of parameters for manual entry. After configuration, present the data in a structured list/table under the heading "Parameters that must be specified manually." For each parameter, specify:
– Location in the configuration (e.g., string or variable).
– Description (what this parameter does).
– Example or format of the value.

Example of parameter entries:
– Password for the backup console account admin-backup. Must be complex.
– IP address or name of the primary NTP server.

PART 3: Brief Summary Notes. Add a short "Important Notes Before Applying" section, listing the key points:
– The configuration is loaded ONLY through the console.
– The need to manually assign a default port VLAN for ports in slots 2 and 3.
– The procedure for activating RADIUS authentication for VTY.
– Warning about checking actual port numbers in the interface range command.
– The command for forcing a save (save force).

Basic configuration for Huawei S7712

! --- Setting the device name ---
sysname SW-Core-01
!
! --- Security and access ---
! Enabling password complexity and lockout on multiple login errors
aaa
 local-aaa-user wrong-password retry-interval 10 retry-time 5
!
! Creating a BACKUP local account for console access (level 15)
 local-user admin-backup password irreversible-cipher
 local-user admin-backup privilege level 15
 local-user admin-backup service-type terminal
!
! Create a device account (level 1, read-only, SSH only)
 local-user netadmin password irreversible-cipher
 local-user netadmin privilege level 1
 local-user netadmin service-type ssh
 quit
!
! Disable insecure services
undo telnet server enable
undo http server enable
undo http secure-server enable
!
! Configure SSH v2
stelnet server enable
ssh user netadmin authentication-type password
ssh user netadmin service-type stelnet
sftp server enable
ssh server cipher aes128_ctr aes256_ctr
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group14_sha1
!
! Configuring access lines
user-interface console 0
 authentication-mode aaa
!
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
!
! Configuring privileged mode login (enable) with password
super password level 15 cipher
!
! --- Management and time ---
! Configuring time zone, date, and NTP
clock timezone MSK add 03:00:00
clock datetime ! Specify the current time during initial setup
ntp-service unicast-server
ntp-service unicast-server prefer
ntp-service source-interface Vlanif1
!
! --- AAA for remote authentication ---
aaa
 authentication-scheme default
 authentication-scheme RADIUS_AUTH
  authentication-mode radius local
 !
 authorization-scheme default
 authorization-scheme RADIUS_AUTH
  authorization-mode radius local
 !
 accounting-scheme default
 accounting-scheme RADIUS_ACCT
  accounting-mode radius
 !
 domain default
 domain radius-domain
  authentication-scheme RADIUS_AUTH
  authorization-scheme RADIUS_AUTH
  accounting-scheme RADIUS_ACCT
  radius-server
 !
 domain default_admin
  authentication-scheme default
  authorization-scheme default
  accounting-scheme default
 !
 quit
!
! Setting up a RADIUS server (template)
radius-server template
 radius-server authentication 1812 weight 80
 radius-server accounting 1813 weight 80
 radius-server shared-key cipher
!
! --- VLAN ---
vlan batch 100 200 300 400 500 600 700
!
vlan 1
 name Management
!
vlan 100
 name Printers
!
vlan 200
 name UsersGroup1
!
vlan 300
 name UsersGroup2
!
vlan 400
 name Swift
!
vlan 500
 name Reuters
!
vlan 600
 name Storages
!
vlan 700
 name WAN
!
! --- Configuring IP addressing for management (VLAN 1) ---
interface Vlanif1
 description Management_VLAN
 ip address 192.168.50.100 255.255.255.0
!
! --- Default Route ---
ip route-static 0.0.0.0 0.0.0.0
!
! --- Logging settings (level 5 = notifications) ---
info-center source default channel logbuffer log level informational trap state off debug state off
info-center source default channel logbuffer log level notification
info-center loghost source Vlanif1
info-center loghost channel logbuffer facility local6 language english
info-center logbuffer size 1024 trapbuffer size 1024
!
! --- Configuring Port Security for Slot 2 and Slot 3 ---
!
! Globally enabling port-security
port-security enable
!
! Configuring for all ports in slots 2 and 3 (example for GE2/0/1)
interface range GigabitEthernet 2/0/1 to 2/0/48, GigabitEthernet 3/0/1 to 3/0/48
 port link-type access
 port-security enable
 port-security max-mac-num 1
 port-security protect-action restrict
 port-security mac-address sticky
 stp edged-port enable
!
! --- General Security Settings ---
user-security-policy enable
undo ip http secure-server enable
!
! Saving configuration
save force

Parameters that must be specified manually for real-world operation

WARNING: Replace all values in angle brackets <...> with the actual information for your network.

Local access passwords (CRITICAL):
— A strong password for the admin-backup backup account (console only).
— A strong password for the netadmin account (for SSH, level 1 - read-only).
— Password for activating super mode (level 15).

Network and NTP parameters:
— The current time and date for initial clock setup (e.g., 14:30:00 2024-05-15).
is the IP address of the primary NTP server.
is the IP address of the backup NTP server. The "prefer" keyword makes it preferred.

RADIUS Server Settings:
is the RADIUS template name (e.g., ISERVE).
is the IP address of your RADIUS server.
is the shared secret negotiated with the RADIUS server.

Logging Settings:
is the IP address of your log collection server.

Network Settings:
is the IP address of the default gateway on your network (e.g., 192.168.50.1).

Port Security Configuration:
Check the port numbers! The interface range command in the configuration assumes that slots 2 and 3 contain ports 1 through 48. Check the actual port numbers on your S7712 device. If necessary, change the range (e.g., GigabitEthernet 2/0/0 to 2/0/23).

VLAN Assignment:
The configuration sets the ports to access mode but does not assign them a default VLAN. This must be done separately for each port group using the port default vlan command, based on your network diagram.

Critical notes before use:

Initial Access: The configuration must be entered strictly through the console port. Remote access (SSH) will only work after an IP address has been assigned, the gateway configured, and routing configured.

AAA Strategy: Hybrid "radius local" authentication is configured. If the RADIUS server is unavailable, authentication falls back to the local user database. This prevents loss of access.

Access Domains: VTY lines (vty 0 4) use the default_admin domain by default, which is configured for local authentication (for the netadmin account). To enable RADIUS authentication for SSH, after verifying RADIUS connectivity, manually execute vty 0 4: authentication-mode aaa domain radius-domain in user-interface mode. This is a deliberate step for security during the deployment phase.

Port Security: Ports will block all new MAC addresses beyond the first, but will not be shut down. The first "sticky" MAC address will be automatically learned and added to the security table. Port recovery (errdisable recovery) is disabled by requirement.

Save: Use the save force command to save without further confirmation.
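
A pre-load check for the manual parameters and notes above, added here as an example; it is not part of the original page and not a Huawei tool. The names preflight, NEEDS_VALUE and REQUIRED and the sample configuration are constructed for illustration, and the check assumes the template's layout, where "!" separates blocks.

```python
import re

# Template commands that stay incomplete until a value is appended by hand.
NEEDS_VALUE = [
    (r"local-user \S+ password irreversible-cipher$", "local user password"),
    (r"radius-server shared-key cipher$", "RADIUS shared key"),
    (r"ip route-static 0\.0\.0\.0 0\.0\.0\.0$", "default gateway"),
]
REQUIRED = ["undo telnet server enable", "undo http server enable", "stelnet server enable"]

def preflight(config):
    findings, blocks, seen, header = [], {}, set(), None
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            header = None  # in the page's layout "!" closes the current view
            continue
        seen.add(line)
        if re.search(r"<[^>]*>", line):
            findings.append(f"line {n}: placeholder not replaced: {line}")
        for pattern, what in NEEDS_VALUE:
            if re.match(pattern, line):
                findings.append(f"line {n}: missing {what}")
        if line.startswith(("interface ", "user-interface ")):
            header, blocks[line] = line, []
        elif header:
            blocks[header].append(line)
    findings += [f"missing hardening command: {c}" for c in REQUIRED if c not in seen]
    for header, body in blocks.items():
        if header.startswith("user-interface vty") and "protocol inbound ssh" not in body:
            findings.append(f"{header}: not restricted to SSH")
        if "port link-type access" in body and not any(b.startswith("port default vlan") for b in body):
            findings.append(f"{header}: access ports without 'port default vlan'")
    return findings

# Constructed sample, deliberately incomplete.
SAMPLE = """\
 local-user admin-backup password irreversible-cipher
 local-user netadmin password irreversible-cipher <NETADMIN_PASSWORD>
undo telnet server enable
user-interface vty 0 4
 authentication-mode aaa
!
interface range GigabitEthernet 2/0/1 to 2/0/48
 port link-type access
"""

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE)))
```

An empty result means none of these checks fired; it does not validate VRP syntax.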
(c) by Valery Shmelev https://t.me/llmsource/ https://oflameron.com https://androidjavaopensource.blogspot.com/ https://github.com/vallshmeleff/oflameron-obfuscation-language