I Set Up A VLAN But Can't Ping Systems On It

[netnut]

The next step is the first to prepare OpenWRT for wireless bridging of your SSID's. While I'm still unsure why your OpenWRT firewall is doing what it does, I guess we fix that with this step anyway.

You now need to do some CLI stuff on OpenWRT, nothing scary, just follow the steps below

1. SSH into your OpenWRT device from your desktop

Code: [Select]

ssh 10.0.7.2 -l root
2. Backup your current network config

Code: [Select]

cp /etc/config/network /etc/config/network.org
We're now going to rename two sections (3+4) (from your default network config), section 1 is "loopback" (leave as is), section 2 is "globals" (leave as is) section 3 is device (CHANGE) section 4 is interface "lan" (CHANGE)

3. Edit /etc/config/network and edit the third section like this:

Code: [Select]

vi /etc/config/network
Current:

Code: [Select]

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'

New:

Code: [Select]

config device
        option name 'br-vlan1'
        option type 'bridge'
        list ports 'eth0.1'

4. Edit /etc/config/network and edit the fourth section like this:

Code: [Select]

vi /etc/config/network
Current:

Code: [Select]

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

New:

Code: [Select]

config interface 'vlan1'
        option device 'br-vlan1'
        option proto 'static'
        option ipaddr '10.0.7.2/24'
        option gateway '10.0.7.1'
        list dns '10.0.7.1'

As you can see we just renaming some interfaces and devices, preparing for your bridged wireless setup. We're not talking details right now, but this is the naming scheme the OpenWRT hostap daemon likes and give you some nice features which we discuss later if your wireless is working ;-). Just FYI, it's based on this article (which is old) but again, we discuss later https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

Apply the above changes, if you don't know how to use vi (it's no shame) you might want to try nano as text editor which should be more intuitive. After you applied the EXACT changes (CHECK, CHECK, DOUBLE CHECK) in /etc/config/network start a ping on your desktop to 10.0.7.2 and REBOOT the OpenWRT AP and wait until is back. If everything works we're just two steps from working wireless

If you're using windows add the -t to your ping command

Code: [Select]

ping 10.0.7.2 -t
PS, If questions are start to pop up about VLAN1 statements, keep them for now ;-). This VLAN1 configuration of your access point has nothing to do with the: "Don't use VLAN1" design priciples we discussed earlier. That applies to your Cisco switch, but again, I explain later.....

And just one thing: If you change the network configuration for a device which is connected to one of your Cisco switch ports, give it 30-60 seconds to converge. Without the port-fast option on a Cisco switch port, the switch will do some loop/BDPU checks etc before it's actually active, this might corrolate to your "Loss of Connection" experience after changing network properties.

[isaacthekind]

You're certainly right that I have questions about the VLAN1 lines in /etc/config/network. I suspect they'll become clear in time, and I'm reading the article you linked. It's important to me that i understand what I'm doing rather than relying on magic, but I trust your process. :p

No worries about using vi. I'm a 4th year software engineering student, I'm fine with programming, just a novice with networking. My daily driver is Helix.

I've backed up /etc/config/network, made the changes you wanted and rebooted the device. I can't ping it from desktop or OPNsense. I've factory reset and done your steps 3 times now, so I'm sure I'm not making a typo or something, and I waited a few minutes after each reboot. I linked the current /etc/config/network.

[netnut]

Hmmm, I did grap an old TP-Link WDR4300 (which is a slighty older model than yours, but same OpenWRT branch and exact same switch config) and flashed latest OpenWRT to check my own instructions ;-). So I'm a bit surprised you facing issues, but let's go back to the last working situation where you could ping the OpenWRT management interface 10.0.7.2/24 from the Desktop VLAN.

You say that config was working with the following setting active ?!?!:

OpenWRT -> Network -> Interfaces -> lan -> Edit -> Tab: Firewall Settings -> LAN ?

And if you changed that to "unspecified" your loosing connection ?

It's important to me that i understand what I'm doing rather than relying on magic,

That's an excellent (and appreciated) mindset

[isaacthekind]

You say that config was working with the following setting active ?!?!:

OpenWRT -> Network -> Interfaces -> lan -> Edit -> Tab: Firewall Settings -> LAN ?

And if you changed that to "unspecified" your loosing connection ?

Yes, that's exactly right.

[netnut]

I've asked you to change the firewall from the LAN zone to "Unspecified", that's where your problems started, can you try editing the /etc/config/network file again (because we NEED that naming scheme) before we move on. Now keep the interface in the LAN firewall zone, because that worked for the initial IP change to 10.0.7.2/24, we only changing the device naming scheme so that should really work.

In the mean time I'm looking at the default OpenWRT firewall4 rules, which are now nftable based (old firewall used iptables). I normally leave out the OpenWRT firewall packages (using the OpenWRT image builder) because I hate the interface and only bridge my wireless so no need...

Please confirm if you can connect to 10.0.7.2/24 with the new device names and br-vlan1 (renamed from br-lan) in the LAN firewall zone.

[isaacthekind]

Sadly no I can't connect under those conditions. If I do the suggested edit to /etc/config/network, I lose connection. Can't ping from desktop or OPNsense. So it looks like both the edit, and the change of firewall zone will independently cause connection loss. I've confirmed both form factory reset individually.

Yes, I also hope to disabled firewall and DHCP to use dummy AP mode later when everything is working.

[netnut]

Sorry, I guess i made a typo while removing the secondary ip from the list:

Code: [Select]

config interface 'vlan1'
        option device 'br-vlan1'
        option proto 'static'
        option ipaddr '10.0.7.2/24' <--- wrong
        option gateway '10.0.7.1'
        list dns '10.0.7.1'

Should be:

Code: [Select]

config interface 'vlan1'
        option device 'br-vlan1'
        option proto 'static'
        option ipaddr '10.0.7.2'  <--- right
        option netmask '255.255.255.0' <--- right
        option gateway '10.0.7.1'
        list dns '10.0.7.1'

it's hard to configure an infra from far away

Please try again with this RIGHT config and still keep it in firewall zone LAN

[isaacthekind]

Aha, I see, subnet needs its own field rather than CIDR notation.

I factory reset, then applied these settings (did not touch anything else like firewall), and rebooted, still disconnected. Current config attached.

it's hard to configure an infra from far away

I'm happy to go on a call and screenshare (Signal, Discord, etc). Whatever you prefer, I'm fine with text or voice.

[netnut]

I factory reset, then applied these settings (did not touch anything else like firewall), and rebooted, still disconnected. Current config attached.

The strange thing here is that we only change the device & interface naming, the underlying interface (eth0.1) keeps the same. I did the change back and forth here without any issue, the only diference is that I'm using a Juniper switch instead of a Cisco, which handles native VLANs differently depending on the switchport config. I don't have an answer for you yet, it might has to do something with those port profiles (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swvlan.html#92272).

Because you need results (ie WiFi) ;-), you might start to configure your bridges and wireless manualy and forget about renaming the management interface for now. The logic is mapping a Wireless SSID to a VLAN (bridge), so you first need to create one or more VLANs for the different Wireless networks. Now you can bridge to an already existing VLAN like your Desktop VLAN or you can create a new VLAN, for instance the Guest network. If you bridge to an existing VLAN your wireless device becomes litterly part of that specific network. Where for the Guest network you probably like to isolate it completly.

Whatever you configure, remember that the VLANs you configure at OpenWRT do need to exist on OPNsense. You want a "Dumb" Access Point, so OPNsense is the one who provides routing (default gateway), DNS & DHCP and firewalling.

You can use your existing VLAN7 configuration as a template, so for a new VLAN9 you create a VLAN9 interface on OPNsense, give it an address (10.0.9.1/24), configure a DHCP pool and apply a firewall policy.

For OpenWRT:

OpenWRT -> Network -> Switch
You first create the needed VLAN at it's software switch, define a VLAN ID, an optional description and TAG to both CPU (eth0) and LAN 1. So both ports should display TAGGED all other ports OFF. I've added VLAN9 for a new wireless network.

Save & Apply

OpenWRT -> Network -> Interfaces -> TAB: Devices
Add a new device, type: Bridge, Name: br-vlan9, Bridge Ports: eth0.9, check Bring Up Empty Bridge. Leave everything else (other tabs) default for now.

Save & Apply !


OpenWRT -> Network -> Interfaces

Add a new interface, Name: vlan9, Protocol: Unmanaged, Device: br-vlan9. In the advanced settings tab, check force link, uncheck "Use default gateway", Uncheck "Delegate IPv6 prefixes". Firewall settings tab: unspecified, DHCP Server: No DHCP Server configured for this interface . This, of course is done by OPNsense.

Save & Apply


You now can add Wireless SSIDs and point the interface (vlan9 in this example) to the VLAN interfaces you created. You can even map multiple SSID's to a single VLAN (Don't know why you should do that, but you could ;-)).

[isaacthekind]

Ok, so I set this all up just like you suggested, and included photos.

I can connect vlan6 (GUEST, tag: 6, see earlier topology diagram) to a wireless interface and see the network when I look at available networks on a WIFI-capable device like my phone. However I can't connect to it. My phone gets stuck obtaining IP. If I connect lan to wireless interface instead of vlan6, I can connect to it with my phone, and the phone is given an IP on WIRELESS_MANAGEMENT via DHCP.

[netnut]

Well, that sucks 

Let's recap to understand what is happening and where the troubleshooting needs to be done:

You can connect to your WiFi SSID, so far so good, the idea is that you connect each SSID to a specific VLAN (enabled bridge), so packets flowing from the SSID will eventually land in the right VLAN further up your infrastucture (Cisco Switch, OPNsense). Now you didn't succeed with VLAN6 but you did with VLAN7 (which is also the native VLAN of your AP management / switchport). The reason is the same as why you failed to enable the initial VLAN bridge interface (br-vlan1), because there's a (still unknown) issue with the VLAN configuration of your switchport where your AP is connected to.

VLAN6 (tagged) won't go through, so your DHCP packets will stuck somewhere between your Wireless Interface and the bridge, they never reach the switch and from there the OPNsense DHCP service. When you choose VLAN7, packets can go through because this is also your _working_ management interface.

Let's talk about VLAN1 ;-), as you've noticed your default OpenWRT management interface is using device eth0.1, this is (one of) the VLAN interface naming schemes of Linux (which OpenWRT is build on). So the default configuration of this OpenWRT device is by default using VLAN1 (and VLAN2 for your WAN port).
But as you can see in your switch configuration, all the LAN ports are assigned UNTAGGED to VLAN1. In your situation, where LAN 1 is connected to the switchport, the switchport will receive UNTAGGED packets. Because you configured a NATIVE VLAN on your switchport, these untagged packets get tagged with VLAN7., that's the whole purpose of a NATIVE VLAN: "Assign the specified VLAN to UNTAGGED traffic by default". That's why your management interface works even if it's using VLAN1 (eth0.1)
So this has nothing to do with the recommendation "Never use VLAN1 in your switch config; Because we don't use VLAN1 at your switch". 

The reason why you want your OpenWRT configured this way is when you remove your Access Point from this switchport to a "normal" device, you can directly connect to it with a regular interface. If we would send tagged packets by default from the OpenWRT management interface, you have to create a VLAN aware (tagged) device on your PC/Laptop. Now this is not rocket science, but you do need to know the VLAN ID used upfront.

As you can see in the screenshot in one of my latest post, I quickly configured your situation on OpenWRT, as you can see "my" management interface is renamed (br-vlan1) which somehow fails at your site. Remember the "OpenWRT 802.1x" link I posted, this bridge naming is expected by hostapd (the wireless controller daemon of OpenWRT) for vlan aware bridging and optional 802.1x interface creation.

To understand what's happening we really need to see the CLI config of the (port) configuration. If you don't have (FULL) access to the switch, that's something you need to fix first:

https://community.cisco.com/t5/switching/cisco-3750-password-recovery/td-p/2064077

[isaacthekind]

Ok, I appreciate the explanation. I suspect this could turn into a lot of troubleshooting with the Cisco support community due to the default username weirdness I mentioned earlier. I'm not sure if it will turn into a few days of back and forth, but rest assured that I will be back once I've found a way into the switch CLI, whether that's today or takes a few days.

[isaacthekind]

Ok, I think I've got what you want.

It's really hard to get SSH to work on this switch, it's very old, just a device to learn on before I deem myself worthy of better hardware. Normally, on a new system I turn the SSH daemon on then add my public key, but in this case I had to do everything through Telnet, which was a pain because I've never used it before. I gave up for now on SSH and just looked up Telnet commands to get what I think is the info you want. I used this command:

Code: [Select]

show interfaces switchport


Note that there are really 24 ports, but I just showed the output for 1-7 since really only the first 6 are being used (see topology diagram) and 7 has the same config as all the other unused ports:

Code: [Select]

Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi1/0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 3 (VLAN0003)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi1/0/4
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 4 (VLAN0004)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi1/0/5
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 5 (VLAN0005)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi1/0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 7 (VLAN0007)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi1/0/7
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Also note that info on the corresponding smartport types is in the topology diagram. And note that I had nothing plugged in at the time of running this command except OPNsense LAN port feeding into switch port 1, and desktop plugged into one of the many non cofigured ports (number 7 or higher). I can only access the switch this way, not when desktop is on CORE.

[netnut]

Ok, I think I've got what you want.

Almost ;-). I like to see (at least) the raw port config

Code: [Select]

show running-config

It's really hard to get SSH to work on this switch, it's very old, just a device to learn on before I deem myself worthy of better hardware.

Yeah, the OpenSSH project likes to phase out legacy (unsecure) encryption fast, which is a good thing...
Does this option help to SSH into your switch ?

Code: [Select]

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 username@ciscoswitch

Are you running the latest IOS software ? Look for someone with an active Cisco Support contract and ask if he can download it for you if the downloads are not public.


Troubleshoot Tip:

You've practiced OpenWRT factory reset / recovery enough I guess  , so here''s a small tip that would really help debugging network connectivity with OpenWRT. Especially in your case, where you need to configure the primary OpenWRT interface which can (and will ;-)) cause permanent connectivity loss...

You create a temporary wireless SSID (with all the config you would normally do, WPA2/3 etc.) and connect that to a temporary (virtual) interface. Number this interface outside of your current IP plan and select the radio / ssid interface as device for this interface. The Wireless SSID gets configured with this interface in the "Network" setting, like this:

OpenWRT -> Network -> Wireless
- Create a SSID on your 2.4GHz or 5GHz radio, leave the "Network" setting unspecified (you create this interface in the next step)
- Enable Radio and wireless SSID configuration
- Save & Apply


OpenWRT -> Network -> Interfaces -> TAB: Interfaces
- Add new interface
- Name: WIFI_MANAGEMENT or WHATEVER
- Protocol: Static address
- Device: Select your wireless SSID from the dropdown, would translate to radio0.network1 or something. Depends on the radio used and sequence of SSID's on that radio.
- Configure this interface with ONLY IPv4 address and netmask, 192.168.2.1/24 might be a good choice. Won't conflict with default OpenWRT network 192.168.1.0/24
- So IPv4 address: 192.168.2.1 IPv4 netmask: 255.255.255.0
- Save & Apply

Go back to:

OpenWRT -> Network -> Wireless
- Edit the SSID and configure the interface you created in the previous step in "Network" (probably already selected)
- Save & Apply

Connect to the Wireless SSID from your laptop, which is connected via WIRED with your switch and normal LAN (with default gw, DNS etc) and WIRELESS with 192.168.2.0/24.
Configure a static IP on your Laptop wireless adapter, something like 192.168.2.2/24, no gateway, no dns, no nothing.

You now can use this Forum / Internet. open a continuous ping towards 10.0.7.2 and reconfigure your AP with browser and/or SSH at 192.168.2.1 and F*CK UP your primary OpenWRT management interface as many times as you like  , you're always connected via the Management WiFi.

[isaacthekind]

Ok how about this?

Code: [Select]

switch#show running-config
Building configuration...

Current configuration : 5809 bytes
!
! Last configuration change at 13:01:15 UTC Wed Dec 13 2023
! NVRAM config last updated at 16:10:25 UTC Tue Dec 12 2023
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 REDACTED
!
!
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
switch 1 provision ws-c3750x-24
system mtu routing 1500
!
!
ip domain-name home
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
!
spanning-tree mode pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport access vlan 3
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport access vlan 4
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
 switchport access vlan 5
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 7
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
ip default-gateway 10.0.0.1
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
 password REDACTED
 login
 length 0
line vty 5 15
 password REDACTED
 login
 length 0
!
end

As for the wireless backup, that's a good idea, much better than constantly factory resetting, lol, I should try to get my laptop to do that (no WIFI on desktop). Thanks.

Hmm, sorry I made an edit to my comment but I guess it didn't go through, did not mean to miss your other 2 questions:

I'm having trouble re-enabling SSH through Telnet since factory reset. The instructions in the manual are terrible. So I'm not sure I can answer whether that SSH command works. I'll keep trying to get it running again though.

No I'm not on IOS, I use NixOS.