Configuration Reference

Table Of Contents

Configuration Reference

Integrated Services Design Configurations

Core Switch 1

Aggregation Switch 1

Core Switch 2

Aggregation Switch 2

Access Switch 4948-7

Access Switch 4948-8

Access Switch 6500-1

FWSM 1-Aggregation Switch 1 and 2

Services Switch Design Configurations

Core Switch 1

Core Switch 2

Distribution Switch 1

Distribution Switch 2

Service Switch 1

Service Switch 2

Access Switch 6500

ACE and FWSM

FWSM Baseline

ACE Baseline

FWSM Failover

ACE Failover

Additional References

Configuration Reference

---

This chapter provides the test bed diagram and configurations used in tests to support this guide. The chapter is broken down into two main sections,Integrated Services Design Configurations and Services Switch Design Configurations.

Integrated Services Design Configurations

The following configurations were used in testing the integrated services design:

•Core Switch 1

•Aggregation Switch 1

•Core Switch 2

•Aggregation Switch 2

•Access Switch 4948-7

•Access Switch 4948-8

•Access Switch 6500-1

•FWSM 1-Aggregation Switch 1 and 2

Figure 8-1 shows the test bed used without services switches.

Figure 8-1 Integrated Services Configuration Test Bed

Core Switch 1

version 12.2

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

no service password-encryption

service counters max age 10

!

hostname CORE1

!

boot system sup-bootflash:s720_18SXD3.bin

logging snmp-authfail

enable secret 5 $1$3OjN$l/80W4JIQJf7l7fRlS7A2.

!

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

vtp domain datacenter

vtp mode transparent

udld enable

ip subnet-zero

no ip source-route

!

!

no ip ftp passive

no ip domain-lookup

ip domain-name cisco.com

!

no ip bootp server

ip multicast-routing 

mls ip cef load-sharing full simple

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 2 

!

vlan 15

 name testgear

!

vlan 16 

 name testgear2

!

vlan 20

 name DNS-CA

!

vlan 802

 name mgmt_vlan

!

!

interface Loopback0

 ip address 10.10.3.3 255.255.255.0

!

interface Port-channel1

 description to 4948-1 testgear

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface Port-channel2

 description to 4948-4 testgear

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface GigabitEthernet3/33

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface GigabitEthernet3/34

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface GigabitEthernet3/41

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 2 mode active

!

interface GigabitEthernet3/42

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 2 mode active

!

interface TenGigabitEthernet4/1

 description to Agg1

 ip address 10.10.20.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet4/2

 description to Agg2

 ip address 10.10.30.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet4/3

 description to core2

 ip address 10.10.55.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface GigabitEthernet6/1

 no ip address

 shutdown

!

interface GigabitEthernet6/2

********************

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan15

 description test_client_subnet

 ip address 10.20.15.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

!

interface Vlan16

 description test_client_ subnet2

 ip address 10.20.16.2 255.255.255.0

no ip redirects

 no ip proxy-arp

!

router ospf 10

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 10 authentication message-digest

 area 10 nssa default-information-originate

timers throttle spf 1000 1000 1000

 passive-interface default

no passive-interface TenGigabitEthernet4/1

 no passive-interface TenGigabitEthernet4/2

 no passive-interface TenGigabitEthernet4/3

 network 10.10.3.0 0.0.0.255 area 10

 network 10.10.20.0 0.0.0.255 area 10

 network 10.10.30.0 0.0.0.255 area 10

 network 10.10.55.0 0.0.0.255 area 10

 network 10.20.15.0 0.0.0.255 area 0

 network 10.20.16.0 0.0.0.255 area 0

!

ip classless

no ip http server

ip pim send-rp-discovery scope 2

!

!

control-plane

!

!

line con 0

 exec-timeout 0 0

line vty 0 4

 exec-timeout 60 0

 password 7 05080F1C2243

 login local

 transport input telnet ssh

!

ntp authentication-key 1 md5 02050D480809 7

ntp trusted-key 1

ntp clock-period 17180053

ntp master 1

ntp update-calendar

end

Aggregation Switch 1

Current configuration : 22460 bytes

!

! No configuration change since last restart

!

upgrade fpd auto

version 12.2

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

no service password-encryption

service counters max age 10

!

hostname Aggregation-1

!

boot system disk0:s720_18SXD3.bin

logging snmp-authfail

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

clock calendar-valid

firewall multiple-vlan-interfaces

firewall module 4 vlan-group 1

firewall vlan-group 1  5-6,20,100,101,105-106

analysis module 9 management-port access-vlan 20

analysis module 9 data-port 1 capture allowed-vlan 5,6,105,106

analysis module 9 data-port 2 capture allowed-vlan 106

ip subnet-zero

no ip source-route

ip icmp rate-limit unreachable 2000

!

!

!

ip multicast-routing 

udld enable

udld message time 7

vtp domain datacenter

vtp mode transparent

mls ip cef load-sharing full

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

mls acl tcam default-result permit

no mls acl tcam share-global

mls cef error action freeze

!

redundancy

 mode sso

 main-cpu

  auto-sync running-config

  auto-sync standard

!

spanning-tree mode rapid-pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

spanning-tree vlan 1-4094 priority 24576

module ContentSwitchingModule 3 

 ft group 1 vlan 102 

  priority 20

  heartbeat-time 1 

  failover 3 

  preempt 

!

 vlan 44 server

  ip address 10.20.44.42 255.255.255.0

  gateway 10.20.44.1

  alias 10.20.44.44 255.255.255.0

!

 probe RHI icmp

  interval 3

  failed 10

!

 serverfarm SERVER200

  nat server

  no nat client

  real 10.20.6.56

   inservice

  probe RHI

!

 serverfarm SERVER201

  nat server

  no nat client

  real 10.20.6.25

   inservice

  probe RHI

!

 vserver SERVER200

  virtual 10.20.6.200 any

  vlan 44

  serverfarm SERVER200

  advertise active

  sticky 10

  replicate csrp sticky

  replicate csrp connection

  persistent rebalance

  inservice

!

 vserver SERVER201

  virtual 10.20.6.201 any

  vlan 44

  serverfarm SERVER201

  advertise active

  sticky 10

  replicate csrp sticky

  replicate csrp connection

  persistent rebalance

  inservice

!

port-channel load-balance src-dst-port

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 3

 name AGG1_to_AGG2_L3-OSPF

!

vlan 5 

!

vlan 6

 Webapp Inside

!

vlan 7 

!

vlan 10

 name Database Inside

!

vlan 20 

!

vlan 44

 name CSM_Onearm_Server_VLAN

!

vlan 45

 name Service_switch_CSM_Onearm

!

vlan 46

 name SERV-CSM2-onearm

!

vlan 100

 name AGG_FWSM_failover_interface

!

vlan 101

 name AGG_FWSM_failover_state

!

vlan 102

 name AGG_CSM_FT_Vlan

!

vlan 106

 name WebappOutside 

!

vlan 110

 name DatabaseOutside

!

interface Loopback0

 ip address 10.10.1.1 255.255.255.0

!

interface Null0

 no ip unreachables

!

interface Port-channel1

 description ETHERCHANNEL_TO_AGG2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 1-19,21-4094

 switchport mode trunk

 no ip address

 logging event link-status

 arp timeout 200

 spanning-tree guard loop

!

interface Port-channel10

 description to SERVICE_SWITCH1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 no ip address

 logging event link-status

spanning-tree guard loop

!

interface Port-channel12

 description to SERVICE_SWITCH2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport mode trunk

 no ip address

 logging event link-status

spanning-tree guard loop

!

!

interface GigabitEthernet1/13

 description to Service_1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 no ip address

 channel-protocol lacp

 channel-group 10 mode active

!

interface GigabitEthernet1/14

 description to Service_1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 no ip address

 channel-protocol lacp

 channel-group 10 mode active

!

interface GigabitEthernet1/19

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 1-5,7-105,107-300,1010-1110

 switchport mode trunk

 no ip address

 channel-protocol lacp

 channel-group 12 mode active

!

!

interface GigabitEthernet5/1

***************

!

interface GigabitEthernet5/2

****************

!

interface GigabitEthernet6/1

 no ip address

 shutdown

!

interface GigabitEthernet6/2

 no ip address

 shutdown

 media-type rj45

!

interface TenGigabitEthernet7/2

 description to Core2

 ip address 10.10.40.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 112A481634424A

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet7/3

 description to Core1 

 ip address 10.10.20.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 7 15315A1F277A6A

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet7/4

 description TO_ACCESS1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 105

 switchport mode trunk

 no ip address

 logging event link-status

!

interface TenGigabitEthernet8/1

 description TO_AGG2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 1-19,21-4094

 switchport mode trunk

 no ip address

 logging event link-status

 channel-protocol lacp

 channel-group 1 mode active

!

interface TenGigabitEthernet8/2

 description TO_4948-7

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 106

 switchport mode trunk

 no ip address

 logging event link-status

spanning-tree guard root

!

interface TenGigabitEthernet8/3

 description TO_4948-8

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 106

 switchport mode trunk

 no ip address

 logging event link-status

 spanning-tree guard root

!

interface TenGigabitEthernet8/4

 description TO_AGG2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 1-19,21-4094

 switchport mode trunk

 no ip address

 logging event link-status

 channel-protocol lacp

 channel-group 1 mode active

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan3

 description AGG1_to_AGG2_L3-RP

 bandwidth 10000000

 ip address 10.10.110.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface Vlan6

 description Outside_Webapp_Tier

 ip address 10.20.6.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip policy route-map csmpbr

 ntp disable

 standby 1 ip 10.20.6.1

 standby 1 timers 1 3

 standby 1 priority 120

 standby 1 preempt delay minimum 60

!

!

interface Vlan44

 description AGG_CSM_Onearm

 ip address 10.20.44.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 standby 1 ip 10.20.44.1

 standby 1 timers 1 3

 standby 1 priority 120

 standby 1 preempt delay minimum 60

!

router ospf 10

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 10 authentication message-digest

 area 10 nssa

 timers throttle spf 1000 1000 1000

 redistribute static subnets route-map rhi

 passive-interface default

 no passive-interface Vlan3

 no passive-interface TenGigabitEthernet7/2

 no passive-interface TenGigabitEthernet7/3

 network 10.10.1.0 0.0.0.255 area 10

 network 10.10.20.0 0.0.0.255 area 10

 network 10.10.40.0 0.0.0.255 area 10

 network 10.10.110.0 0.0.0.255 area 10

 distribute-list 1 in TenGigabitEthernet7/2 (for PBR testing purposes)

 distribute-list 1 in TenGigabitEthernet7/3 (for PBR testing purposes)

!

ip classless

ip pim accept-rp auto-rp

!

access-list 1 deny   10.20.16.0

access-list 1 deny   10.20.15.0

access-list 1 permit any

access-list 44 permit 10.20.6.200 log

access-list 44 permit 10.20.6.201 log

!

route-map csmpbr permit 10

 set ip default next-hop 10.20.44.44

!

route-map rhi permit 10

 match ip address 44

 set metric-type type-1

!

privilege exec level 1 show

!

line con 0

 exec-timeout 0 0

 password 7 110D1A16021F060510

 login local

line vty 0 4

 no motd-banner

 exec-timeout 0 0

 password 7 110D1A16021F060510

 login local

 transport input telnet ssh

!

!

no monitor session servicemodule

ntp authentication-key 1 md5 104D000A0618 7

ntp authenticate

ntp trusted-key 1

ntp clock-period 17179928

ntp update-calendar

ntp server *********.42 key 1

end

Core Switch 2

Current configuration : 10867 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

no service password-encryption

service counters max age 10

!

hostname CORE2

!

boot system sup-bootflash:s720_18SXD3.bin

enable secret 5 $1$k2Df$vfhT/CMz0IqFqluRCENw//

!

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

vtp domain datacenter

vtp mode transparent

udld enable

!

ip subnet-zero

no ip source-route

!

!

no ip domain-lookup

ip domain-name cisco.com

!

no ip bootp server

ip multicast-routing 

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

mls cef error action freeze

!

power redundancy-mode combined

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 2,15-16 

!

!

interface Loopback0

 ip address 10.10.4.4 255.255.255.0

!

interface Port-channel1

 description to 4948-1

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface Port-channel2

 description to 4948-4

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface GigabitEthernet2/9

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface GigabitEthernet2/10

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface GigabitEthernet2/13

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 2 mode active

!

interface GigabitEthernet2/14

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 2 mode active

!

interface TenGigabitEthernet4/1

 description to Agg1

 ip address 10.10.40.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet4/2

 description to Agg2

 ip address 10.10.50.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet4/3

 description to core1

 ip address 10.10.55.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface GigabitEthernet6/1

 no ip address

 shutdown

!

interface GigabitEthernet6/2

*****************

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan15

 ip address 10.20.15.2 255.255.255.0

!

interface Vlan16

 description test_client_subnet

 ip address 10.20.16.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

!

router ospf 10

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 10 authentication message-digest

 area 10 nssa default-information-originate

timers throttle spf 1000 1000 1000

 passive-interface default

 no passive-interface TenGigabitEthernet4/1

 no passive-interface TenGigabitEthernet4/2

 no passive-interface TenGigabitEthernet4/3

 no passive-interface TenGigabitEthernet4/4

 network 10.10.4.0 0.0.0.255 area 10

 network 10.10.40.0 0.0.0.255 area 10

 network 10.10.50.0 0.0.0.255 area 10

 network 10.10.55.0 0.0.0.255 area 10

 network 10.20.15.0 0.0.0.255 area 0

 network 10.20.16.0 0.0.0.255 area 0

!

ip classless

no ip http server

ip pim send-rp-discovery scope 2

!

!

line con 0

 exec-timeout 0 0

line vty 0 4

 exec-timeout 60 0

 password cisco

 login local

 transport input telnet ssh

!

ntp authentication-key 1 md5 104D000A0618 7

ntp authenticate

ntp trusted-key 1

ntp clock-period 17179940

ntp update-calendar

ntp server ********* key 1

end

Aggregation Switch 2

Current configuration : 18200 bytes

version 12.2

service timestamps debug datetime msec localtime

service timestamps log datetime msec

no service password-encryption

service counters max age 10

!

hostname Aggregation-2

!

boot system disk0:s720_18SXD3.bin

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

clock calendar-valid

firewall multiple-vlan-interfaces

firewall module 4 vlan-group 1

firewall vlan-group 1  5,6,20,100,101,105,106

vtp domain datacenter

vtp mode transparent

udld enable

!

udld message time 7

!

ip subnet-zero

no ip source-route

ip icmp rate-limit unreachable 2000

!

!

ip multicast-routing 

no ip igmp snooping

mls ip cef load-sharing full

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

mls acl tcam default-result permit 

mls cef error action freeze

!

!

spanning-tree mode rapid-pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

spanning-tree vlan 1-4094 priority 28672

port-channel load-balance src-dst-port

module ContentSwitchingModule 3 

 ft group 1 vlan 102 

  priority 10

  heartbeat-time 1 

  failover 3 

  preempt 

!

 vlan 44 server

  ip address 10.20.44.43 255.255.255.0

  gateway 10.20.44.1

  alias 10.20.44.44 255.255.255.0

!

 probe RHI icmp

  interval 3 

  failed 10 

!

 serverfarm SERVER200

  nat server

  no nat client

  real 10.20.6.56

   inservice

  probe RHI

!

 serverfarm SERVER201

  nat server

  no nat client

  real 10.20.6.25

   inservice

  probe RHI

!

 vserver SERVER200

  virtual 10.20.6.200 any

  vlan 44

  serverfarm SERVER200

  advertise active

  sticky 10

  replicate csrp sticky

  replicate csrp connection

  persistent rebalance

  inservice

!

 vserver SERVER201

  virtual 10.20.6.201 any

  vlan 44

  serverfarm SERVER201

  advertise active

  sticky 10

  replicate csrp sticky

  replicate csrp connection

  persistent rebalance

  inservice

!

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 3

 name AGG1_to_AGG2_L3-RP

!

vlan 5

 name Outside_Webapp

!

vlan 6

 name Outside_Webapp

!

!

vlan 10

 name Outside_Database_Tier

!

vlan 20 

!

vlan 44

 name AGG_CSM_Onearm

!

vlan 45

 name Service_switch_CSM_Onearm

!

vlan 46

 name SERV-CSM2-onearm

!

vlan 100

 name AGG_FWSM_failover_interface

!

vlan 101

 name AGG_FWSM_failover_state

!

vlan 102

 name AGG_CSM_FT_Vlan

!

vlan 105

 name Inside_Webapp_Tier

!

vlan 106

 name Inside_Webapp

!

vlan 110

 name Inside_Database_Tier

!

!

interface Loopback0

 ip address 10.10.2.2 255.255.255.0

!

interface Null0

 no ip unreachables

!

interface Port-channel1

 description ETHERCHANNEL_TO_AGG1

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 1-19,21-299,301-4094

 switchport mode trunk

 arp timeout 200

 spanning-tree guard loop

!

interface Port-channel11

 description to SERVICE_SWITCH1

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface Port-channel13

 description to SERVICE_SWITCH2

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface GigabitEthernet1/13

 description to Service_2

 no ip address

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 13 mode active

!

interface GigabitEthernet1/14

 description to Service_2

 no ip address

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 13 mode active

!

interface GigabitEthernet1/19

 description to Service_1

 no ip address

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 11 mode active

!

interface GigabitEthernet1/20

 description to Service_1

 no ip address

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 11 mode active

!

interface GigabitEthernet5/1

!

interface GigabitEthernet5/2

************

!

interface TenGigabitEthernet7/2

 description to Core2 

 ip address 10.10.50.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet7/3

 description to Core1 

 ip address 10.10.30.1 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet7/4

 description TO_ACCESS1

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 5,6

 switchport mode trunk

 channel-protocol lacp

!

interface TenGigabitEthernet8/1

 description TO_AGG1

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 1-19,21-299,301-4094

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode passive

!

!

interface TenGigabitEthernet8/3

 description TO_4948-8

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 106

 switchport mode trunk

 spanning-tree guard root

!

interface TenGigabitEthernet8/4

 description TO_AGG1

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 1-19,21-299,301-4094

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode passive

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan3

 description AGG1_to_AGG2_L3-RP

 bandwidth 10000000

 ip address 10.10.110.2 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface Vlan5

 description Outside_Webapp_Tier

 no ip address

 no ip redirects

 ntp disable

 standby 1 ip 10.20.5.1

 standby 1 timers 1 3

 standby 1 priority 115

 standby 1 preempt delay minimum 60

!

interface Vlan6

 ip address 10.20.6.3 255.255.255.0

 no ip redirects

 no ip proxy-arp

 ip policy route-map csmpbr

 ntp disable

 standby 1 ip 10.20.6.1

 standby 1 timers 1 3

 standby 1 priority 115

 standby 1 preempt delay minimum 60

!

interface Vlan44

 description AGG_CSM_Onearm

 ip address 10.20.44.3 255.255.255.0

 no ip redirects

 no ip proxy-arp

 standby 1 ip 10.20.44.1

 standby 1 timers 1 3

 standby 1 priority 115

 standby 1 preempt delay minimum 60

!

!

router ospf 10

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 10 authentication message-digest

 area 10 nssa

 timers throttle spf 1000 1000 1000

 redistribute static subnets route-map rhi

 passive-interface default

 no passive-interface Vlan3

 no passive-interface TenGigabitEthernet7/2

 no passive-interface TenGigabitEthernet7/3

 network 10.10.2.0 0.0.0.255 area 10

 network 10.10.30.0 0.0.0.255 area 10

 network 10.10.50.0 0.0.0.255 area 10

 network 10.10.110.0 0.0.0.255 area 10

 distribute-list 1 in TenGigabitEthernet7/2

 distribute-list 1 in TenGigabitEthernet7/3

!

ip classless

ip pim accept-rp auto-rp

!

access-list 1 deny   10.20.16.0

access-list 1 deny   10.20.15.0

access-list 1 permit any

access-list 44 permit 10.20.6.200 log

access-list 44 permit 10.20.6.201 log

!

route-map csmpbr permit 10

 set ip default next-hop 10.20.44.44

!

route-map rhi permit 10

 match ip address 44

 set metric +40

 set metric-type type-1

!

line con 0

 exec-timeout 0 0

 password dcsummit

 login local

line vty 0 4

 exec-timeout 0 0

 password dcsummit

 login local

 transport input telnet ssh

 transport output pad telnet ssh acercon

!

no monitor session servicemodule

ntp authentication-key 1 md5 08701C1A2D495547335B5A5572 7

ntp authenticate

ntp clock-period 17179998

ntp update-calendar

ntp server ***********key 1

end

Access Switch 4948-7

Current configuration : 4612 bytes

version 12.2

no service pad

service timestamps debug datetime localtime

service timestamps log datetime localtime

no service password-encryption

service compress-config

!

hostname 4948-7

!

boot-start-marker

boot system bootflash:cat4000-i5k91s-mz.122-25.EWA2.bin

boot-end-marker

!

logging snmp-authfail

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

clock calendar-valid

vtp domain datacenter

vtp mode transparent

udld enable

ip subnet-zero

no ip source-route

no ip domain-lookup

ip domain-name cisco.com

!

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree portfast bpduguard default

spanning-tree extend system-id

spanning-tree pathcost method long

port-channel load-balance src-dst-port

power redundancy-mode redundant

!

!

!

vlan internal allocation policy descending

vlan dot1q tag native 

!

vlan 5-6 

!

vlan 105

 name Outside_Webapp

!

vlan 106

name Outside Webapp

!

vlan 110

 name Outside_Database_Tier

!

interface Port-channel1

 description inter_4948

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 logging event link-status

!

interface GigabitEthernet1/1  (all ports)

 switchport access vlan 106

 switchport mode access

 no cdp enable

 spanning-tree portfast

!

interface GigabitEthernet1/45

 description to 4948-8

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface GigabitEthernet1/46

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface GigabitEthernet1/47

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface GigabitEthernet1/48

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode active

!

interface TenGigabitEthernet1/49

 description to_AGG1

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface TenGigabitEthernet1/50

shutdown

!

interface Vlan1

 no ip address

 shutdown

!

!

line con 0

 exec-timeout 0 0

 stopbits 1

line vty 0 4

 exec-timeout 0 0

 password dcsummit

 login local

!

ntp authenticate

ntp trusted-key 1

ntp update-calendar

ntp server *********** key 1

!

end

Access Switch 4948-8

Current configuration : 4646 bytes

!

version 12.2

no service pad

service timestamps debug datetime localtime

service timestamps log datetime localtime

no service password-encryption

service compress-config

!

hostname 4948-8

!

boot-start-marker

boot system bootflash:cat4000-i5k91s-mz.122-25.EWA2.bin

boot-end-marker

!

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

clock calendar-valid

vtp domain datacenter

vtp mode transparent

udld enable

!

ip subnet-zero

no ip source-route

no ip domain-lookup

ip domain-name cisco.com

!

no ip bootp server

!

no file verify auto

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree portfast bpduguard default

spanning-tree extend system-id

spanning-tree pathcost method long

port-channel load-balance src-dst-port

power redundancy-mode redundant

!

!

vlan internal allocation policy descending

vlan dot1q tag native 

!

vlan 2,5-6 

!

vlan 105

 name Outside_Webapp_Tier

!

vlan 106 

 name Outside_Webapp_Tier

!

vlan 110

 name Outside_Database_Tier

!

interface Port-channel1

 description inter_4948

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 logging event link-status

!

interface GigabitEthernet1/1 (all ports)

 switchport access vlan 106

 switchport trunk encapsulation dot1q

 switchport mode access

 no cdp enable

 spanning-tree portfast

!

interface GigabitEthernet1/45

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode passive

!

interface GigabitEthernet1/46

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode passive

!

interface GigabitEthernet1/47

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode passive

!

interface GigabitEthernet1/48

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 channel-protocol lacp

 channel-group 1 mode passive

!

interface TenGigabitEthernet1/49

shutdown

!

interface TenGigabitEthernet1/50

 description to_AGG2

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

!

interface Vlan1

 no ip address

 shutdown

!

line con 0

 exec-timeout 0 0

 stopbits 1

line vty 0 4

 exec-timeout 0 0

 password dcsummit

 login local

!

ntp authenticate

ntp trusted-key 1

ntp update-calendar

ntp server ********* key 1

!

end

Access Switch 6500-1

ACCESS1-6500#

Building configuration...

Current configuration : 11074 bytes

!

! Last configuration change at 13:33:08 PST Thu Feb 9 2006

! NVRAM config last updated at 16:58:39 PST Thu Nov 17 2005

!

upgrade fpd auto

version 12.2

no service pad

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

service counters max age 10

!

hostname ACCESS1-6500

!

boot system sup-bootflash:s720_18SXD3.bin

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

clock calendar-valid

ip subnet-zero

no ip source-route

!

!

!

no ip bootp server

ip domain-list cisco.com

no ip domain-lookup

ip domain-name cisco.com

udld enable

!

udld message time 7

!

vtp domain datacenter

vtp mode transparent

no mls acl tcam share-global

mls cef error action freeze

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree portfast bpduguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

!

power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

fabric buffer-reserve queue

port-channel load-balance src-dst-port

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 5

 name Outside_Webapp_Tier

!

vlan 105

name Outside_Webapp_Tier

!

vlan 110

 name Outside_Database_Tier

!

interface TenGigabitEthernet1/1

 description to_AGG1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 no ip address

 logging event link-status

!

interface TenGigabitEthernet1/2

 description to_AGG2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 no ip address

 logging event link-status

 logging event spanning-tree status

!!

interface GigabitEthernet2/1  (all test ports)

 description webapp_penguin_kvm5

 switchport

 switchport access vlan 5

 switchport mode access

 no ip address

 no cdp enable

 spanning-tree portfast

!

!

interface Vlan1

 no ip address

 shutdown

!

no ip http server

!

line con 0

 exec-timeout 0 0

line vty 0 4

 exec-timeout 0 0

 password 7 05080F1C2243

 login local

 transport input telnet ssh

!

no monitor event-trace timestamps

ntp authentication-key 1 md5 110A1016141D 7

ntp authenticate

ntp trusted-key 1

ntp clock-period 17179938

ntp update-calendar

ntp server ***********key 1

no cns aaa enable

end

FWSM 1-Aggregation Switch 1 and 2

FWSM Version 2.3(2) <system>

firewall transparent

resource acl-partition 12

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname FWSM1-AGG1and2

ftp mode passive

pager lines 24

logging buffer-size 4096

logging console debugging

class default

  limit-resource PDM 5

  limit-resource All 0

  limit-resource IPSec 5

  limit-resource Mac-addresses 65535

  limit-resource SSH 5

  limit-resource Telnet 5

!

failover

failover lan unit primary

failover lan interface failover vlan 100

failover polltime unit msec 500 holdtime 3

failover polltime interface 3

failover interface-policy 100%

failover replication http

failover link state vlan 101

failover interface ip failover 10.20.100.1 255.255.255.0 standby 10.20.100.2

failover interface ip state 10.20.101.1 255.255.255.0 standby 10.20.101.2

arp timeout 14400

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00

 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

sysopt nodnsalias inbound

sysopt nodnsalias outbound

terminal width 511

admin-context admin

context admin

  allocate-interface vlan20 outside

  config-url disk:/admin.cfg

!             

context vlan6-106

  description vlan6-106 context

  allocate-interface vlan6 outside

  allocate-interface vlan106 inside

  config-url disk:/vlan6-106.cfg

!

Cryptochecksum:a73fe039e4dbeb45a9c6730bc2a55201

: end

[OK]

FWSM1-AGG1and2# ch co vlan6-106

FWSM1-AGG1and2/vlan6-106# wr t

Building configuration...

: Saved

:

FWSM Version 2.3(2) <context>

firewall transparent

nameif outside vlan6 security0

nameif inside vlan106 security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname vlan6-106

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 H225 1720

fixup protocol h323 ras 1718-1719

fixup protocol rsh 514

fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list deny-flow-max 4096

access-list alert-interval 300

access-list IP extended permit ip any any 

access-list IP extended permit icmp any any 

access-list BPDU ethertype permit bpdu 

pager lines 24

logging on

logging timestamp

logging buffer-size 4096

logging trap informational

logging device-id hostname

mtu vlan6 1500

mtu vlan106 1500

ip address  10.20.6.104 255.255.255.0 standby 10.20.6.105

icmp permit any vlan6

icmp permit any vlan106

no pdm history enable

arp timeout 14400

access-group BPDU in interface vlan6

access-group IP in interface vlan6

access-group BPDU in interface vlan106

access-group IP in interface vlan106

!

interface vlan6

!

!

interface vlan106

!

!

route vlan6 0.0.0.0 0.0.0.0 10.20.6.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00

 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+ 

aaa-server TACACS+ max-failed-attempts 3 

aaa-server TACACS+ deadtime 10 

aaa-server RADIUS protocol radius 

aaa-server RADIUS max-failed-attempts 3 

aaa-server RADIUS deadtime 10 

aaa-server LOCAL protocol local 

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp

floodguard enable

fragment size 200 vlan6

fragment chain 24 vlan6

fragment size 200 vlan106

fragment chain 24 vlan106

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 vlan6

ssh timeout 60

terminal width 511

Cryptochecksum:00000000000000000000000000000000

: end

[OK]

FWSM1-AGG1and2/vlan6-106# ch co admin

FWSM1-AGG1and2/admin# wr t

Building configuration...

: Saved

:

FWSM Version 2.3(2) <context>

firewall transparent

nameif outside vlan20 security0

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname admin

domain-name example.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 H225 1720

fixup protocol h323 ras 1718-1719

fixup protocol rsh 514

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list deny-flow-max 4096

access-list alert-interval 300

access-list IP extended permit ip any any 

access-list IP extended permit icmp any any 

access-list IP extended permit udp any any 

access-list BPDU ethertype permit bpdu 

pager lines 24

logging on

logging timestamp

logging buffer-size 4096

logging trap informational

logging device-id hostname

mtu vlan20 1500

ip address  *********.34 255.255.255.0 standby *********.35

icmp permit any vlan20

no pdm history enable

arp timeout 14400

access-group IP in interface vlan20

!

interface vlan20

!

!

route vlan20 0.0.0.0 0.0.0.0 *********.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00

 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username mshinn password fgXai3fBCmTT1r2e encrypted privilege 15

aaa-server TACACS+ protocol tacacs+ 

aaa-server TACACS+ max-failed-attempts 3 

aaa-server TACACS+ deadtime 10 

aaa-server RADIUS protocol radius 

aaa-server RADIUS max-failed-attempts 3 

aaa-server RADIUS deadtime 10 

aaa-server LOCAL protocol local 

http server enable

http 0.0.0.0 0.0.0.0 vlan20

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp

floodguard enable

fragment size 200 vlan20

fragment chain 24 vlan20

sysopt nodnsalias inbound

sysopt nodnsalias outbound

telnet timeout 5

ssh 0.0.0.

Services Switch Design Configurations

The following configurations were used in support of the service chassis testing:

•Core Switch 1

•Core Switch 2

•Distribution Switch 1

•Distribution Switch 2

•Service Switch 1

•Service Switch 2

•Access Switch 6500

•ACE and FWSM

Figure 8-2 shows the test bed used with services switches.

Figure 8-2 Service Switches Configuration Test Bed

Core Switch 1

hostname dcb-core-1

!

boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF9.bin

!

no aaa new-model

clock timezone EDT -5

clock summer-time EDT recurring

ip subnet-zero

no ip source-route

!

no ip bootp server

ip multicast-routing 

no ip domain-lookup

ip domain-name ese.cisco.com

udld enable

vtp domain datacenter

vtp mode transparent

mls ip cef load-sharing full simple

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

!

redundancy

 mode sso

 main-cpu

  auto-sync running-config

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

!

fabric buffer-reserve queue

port-channel per-module load-balance

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

! 

interface Loopback0

 ip address 10.151.1.10 255.255.255.255

!

interface TenGigabitEthernet1/2

 description To DCb-Dist-1 - Ten 1/8

 ip address 10.160.1.1 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet1/3

 description to DCB-Dist-2 Ten 1/8

 ip address 10.160.1.5 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface TenGigabitEthernet1/4

 description TO DCB-Core-2 - Ten 1/4

 ip address 10.199.0.5 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface GigabitEthernet6/1

 description flashnet

 ip address 10.150.1.3 255.255.255.0

no mop enabled 

 media-type rj45

!

interface GigabitEthernet6/2

 no ip address 

 shutdown

!

interface Vlan1

 no ip address

 shutdown

!

router ospf 2

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 0 authentication message-digest

 area 0 nssa default-information-originate

 area 0 range 10.199.0.0 255.255.0.0

 area 2 authentication message-digest

 area 2 nssa default-information-originate

 area 2 range 10.160.0.0 255.255.255.0

 area 2 range 10.161.0.0 255.255.0.0

 area 2 range 10.151.1.0 255.255.255.0

 timers throttle spf 1000 1000 1000

 passive-interface default

 no passive-interface TenGigabitEthernet1/1

 no passive-interface TenGigabitEthernet1/2

 no passive-interface TenGigabitEthernet1/3

 no passive-interface TenGigabitEthernet1/4

 network 10.160.1.0 0.0.0.3 area 2

 network 10.161.0.0 0.0.0.3 area 2

 network 10.199.0.0 0.0.0.3 area 0

!

ip classless

!

no ip http server

!

snmp-server community public RO

snmp-server community cisco RW

!

control-plane

!

dial-peer cor custom

!

line con 0

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

line vty 5 15

 exec-timeout 0 0

 password cisco

 login

!

no cns aaa enable

end

Core Switch 2

hostname dcb-core-2

!

no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

ip subnet-zero

no ip source-route

!

boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF9.bin

!

no ip ftp passive

no ip bootp server

ip multicast-routing 

no ip domain-lookup

ip domain-name cisco.com

udld enable

!

vtp domain datacenter

vtp mode transparent

mls ip cef load-sharing full simple

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

!

redundancy

 mode sso

 main-cpu

  auto-sync running-config

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

!

fabric buffer-reserve queue

port-channel per-module load-balance

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

! 

interface Loopback0

 ip address 10.151.1.11 255.255.255.255

!

interface TenGigabitEthernet1/2

 description To DCb-Dist-1 - Ten 1/7

 ip address 10.160.1.9 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

 load-interval 30

!

interface TenGigabitEthernet1/3

 description To DCb-Dist-2 - Ten 1/7

 ip address 10.160.1.13 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

 load-interval 30

!

interface TenGigabitEthernet1/4

 description DCB-Core-1 - Ten 1/4

 ip address 10.199.0.6 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf network point-to-point

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

!

interface GigabitEthernet6/1

 description flashnet 

 ip address 10.150.1.4 255.255.255.0

 media-type rj45

!

interface GigabitEthernet6/2

 no ip address 

 shutdown

!

interface Vlan1

 no ip address

 shutdown

!

router ospf 2

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 0 authentication message-digest

 area 0 nssa default-information-originate

 area 0 range 10.199.0.0 255.255.0.0

 area 2 authentication message-digest

 area 2 nssa default-information-originate

 area 2 range 10.160.0.0 255.255.0.0

 area 2 range 10.161.0.0 255.255.0.0

 area 2 range 10.151.1.0 255.255.255.0

 timers throttle spf 1000 1000 1000

 passive-interface default

 no passive-interface TenGigabitEthernet1/1

 no passive-interface TenGigabitEthernet1/2

 no passive-interface TenGigabitEthernet1/4

 no passive-interface TenGigabitEthernet1/3

 network 10.160.1.0 0.0.0.3 area 2

 network 10.161.0.0 0.0.0.3 area 2

 network 10.199.0.0 0.0.0.3 area 0

!

ip classless

!

no ip http server

!

snmp-server community public RO

snmp-server community cisco RW

!

control-plane

!

dial-peer cor custom

!

line con 0

line vty 0 4

 exec-timeout 0 0

 password cisco

 login

line vty 5 15

 exec-timeout 0 0

 password cisco

 login

!

no cns aaa enable

end

Distribution Switch 1

upgrade fpd auto

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

service counters max age 5

!

hostname dcb-Dist-1

!

boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin

enable secret 5 $1$wVQ/$8nsaKkBneJbHVrph5VnS41

enable password cisco

!

no aaa new-model

clock timezone EDT -5

clock summer-time EDT recurring

vtp domain datacenter

vtp mode transparent

ip subnet-zero

no ip source-route

ip icmp rate-limit unreachable 2000

!

no ip domain-lookup

ip domain-name cisco.com

ip multicast-routing 

no ip igmp snooping

!

udld enable

udld message time 7

no mls flow ip

mls acl tcam default-result permit

no mls acl tcam share-global

mls ip cef load-sharing full simple

mls ip multicast flow-stat-timer 9

mls cef error action freeze

!

fabric switching-mode force bus-mode

fabric buffer-reserve queue

port-channel per-module load-balance

port-channel load-balance src-dst-port

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

!

redundancy

 mode sso

 main-cpu

  auto-sync running-config

!

power redundancy-mode combined

!

spanning-tree mode rapid-pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

spanning-tree vlan 1-4094 priority 24576

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 2-7,106,107,206,207

!

no crypto ipsec nat-transparency udp-encaps

!

interface Loopback0

 ip address 10.151.1.12 255.255.255.255

!

interface TenGigabitEthernet1/1

 description to_dcb-Acc-1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport trunk allowed vlan 2,3,106,107,206,207

 switchport mode trunk

 no ip address

 logging event link-status

spanning-tree guard loop

!

interface TenGigabitEthernet1/2

 description dcb-dist2-6k Te1/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 2,3,7,106,107,206,207

 switchport mode trunk

 no ip address

 logging event link-status

 spanning-tree guard loop

!

interface TenGigabitEthernet1/5

 description dcb-svc1-6k Te9/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 2,3,7,106,107,206,207

 switchport mode trunk

 no ip address

 logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet1/6

 description dcb-svc2-6k Te9/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 2,3,7,106,107,206,207

 switchport mode trunk

no ip address

 logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet1/7

 description dcb-core-2 Te1/2

 ip address 10.160.1.10 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

 load-interval 30

!

interface TenGigabitEthernet1/8

 description dcb-core-1 Te1/2

 ip address 10.160.1.2 255.255.255.252

 no ip redirects

 no ip proxy-arp

ip pim sparse-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

 load-interval 30

!

interface Vlan7

 ip address 10.80.1.2 255.255.0.0

 no ip redirects

 no ip proxy-arp

 ip flow ingress

 ip route-cache flow

 logging event link-status

 load-interval 30

 standby 1 ip 10.80.1.1

 standby 1 timers 1 3

 standby 1 priority 51

 standby 1 preempt delay minimum 120

 !

router ospf 2

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 2 authentication message-digest

 area 2 nssa default-information-originate

 area 2 range 10.151.1.0 255.255.255.0

 area 2 range 10.151.0.0 255.255.0.0

 area 2 range 10.160.0.0 255.255.255.0

 area 2 range 10.161.0.0 255.255.0.0

 timers throttle spf 1000 1000 1000

 redistribute static subnets route-map rhi

 passive-interface default

 no passive-interface TenGigabitEthernet1/7

 no passive-interface TenGigabitEthernet1/8

no passive-interface GigabitEthernet3/24

 network 10.74.0.0 0.0.255.255 area 2

 network 10.80.0.0 0.0.255.255 area 2

 network 10.81.0.0 0.0.255.255 area 2

 network 10.151.1.0 0.0.0.0 area 2

 network 10.151.0.0 0.0.255.255 area 2

 network 10.160.1.0 0.0.0.255 area 2

 network 10.161.0.0 0.0.0.0 area 2

!

ip classless

!

no ip http server

!

snmp-server community public RO

snmp-server community cisco RW

!

control-plane

!

dial-peer cor custom

!

line con 0

line vty 0 4

 password cisco

 login

!

exception core-file 

no cns aaa enable

end

Distribution Switch 2

upgrade fpd auto

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

service counters max age 5

!

hostname dcb-Dist-2

!

boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin

enable secret 5 $1$VUjJ$onovPQGW3pDtcxU2GlqY5.

enable password cisco

!

no aaa new-model

clock timezone EDT -5

clock summer-time EDT recurring

vtp domain datacenter

vtp mode transparent

ip subnet-zero

no ip source-route

ip icmp rate-limit unreachable 2000

!

no ip domain-lookup

ip domain-name cisco.com

ip multicast-routing 

no ip igmp snooping

!

udld enable

udld message time 7

no mls flow ip

mls acl tcam default-result permit

no mls acl tcam share-global

mls ip cef load-sharing full

mls ip multicast flow-stat-timer 9

mls cef error action freeze

!

fabric switching-mode force bus-mode

fabric buffer-reserve queue

port-channel per-module load-balance

port-channel load-balance src-dst-port

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

!

redundancy

 mode sso

 main-cpu

  auto-sync running-config

!

power redundancy-mode combined

!

spanning-tree mode rapid-pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

spanning-tree vlan 1-4094 priority 28672

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 2-7,106,107,206,207 

! 

no crypto ipsec nat-transparency udp-encaps

!

interface Loopback0

 ip address 10.151.1.13 255.255.255.255

!

!

interface TenGigabitEthernet1/1

 description to_dcb-Acc-1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport trunk allowed vlan 2,3,106,107,206,207

 switchport mode trunk

 no ip address

 logging event link-status

spanning-tree guard loop

!

interface TenGigabitEthernet1/2

 description dcb-dist1-6k Te1/2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport trunk allowed vlan 2,3,7,106,107,206,207

switchport mode trunk

 no ip address

 logging event link-status

 spanning-tree guard loop

!

!

interface TenGigabitEthernet1/4

 no ip address

!

interface TenGigabitEthernet1/5

 description dcb-svc1-6k Te9/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 2,3,7,106,107,206,207

 switchport mode trunk

 no ip address

logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet1/6

 description dcb-svc2-6k Te9/1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 2,3,7,106,107,206,207

 switchport mode trunk

 no ip address

 logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet1/7

 description dcb-core-2 Te1/2

 ip address 10.160.1.14 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

 load-interval 30

!

interface TenGigabitEthernet1/8

 description dcb-core-1 Te1/2

 ip address 10.160.1.6 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip pim sparse-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 C1sC0!

 ip ospf hello-interval 2

 ip ospf dead-interval 6

 logging event link-status

 load-interval 30

!

!

interface Vlan7

ip address 10.80.1.3 255.255.0.0

 no ip redirects

 no ip proxy-arp

 ip flow ingress

 logging event link-status

 load-interval 30

 standby 1 ip 10.80.1.1

 standby 1 timers 1 3

 standby 1 priority 50

 standby 1 preempt

!

router ospf 2

 log-adjacency-changes

 auto-cost reference-bandwidth 1000000

 nsf

 area 2 authentication message-digest

 area 2 nssa default-information-originate

 area 2 range 10.151.0.0 255.255.0.0

 area 2 range 10.160.0.0 255.255.255.0

 area 2 range 10.161.0.0 255.255.0.0

 timers throttle spf 1000 1000 1000

 redistribute static subnets route-map rhi

 passive-interface default

 no passive-interface TenGigabitEthernet1/7

 no passive-interface TenGigabitEthernet1/8

 no passive-interface GigabitEthernet3/24

 network 10.80.0.0 0.0.255.255 area 2

 network 10.81.0.0 0.0.255.255 area 2

network 10.151.0.0 0.0.255.255 area 2

 network 10.160.1.0 0.0.0.0 area 2

 network 10.160.1.0 0.0.0.255 area 2

 network 10.161.0.0 0.0.0.0 area 2

 network 10.161.0.0 0.0.255.255 area 2

!

ip classless

!

no ip http server

!

snmp-server community public RO

snmp-server community cisco RW

!

control-plane

!

dial-peer cor custom

!

line con 0

line vty 0 4

 password cisco

 login

!

exception core-file 

no cns aaa enable

end

Service Switch 1

upgrade fpd auto

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

service counters max age 5

!

hostname Svc-1

boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin

!

enable secret 5 $1$rPXa$F4EKAVs1cCaD.X5WG68iK0

enable password cisco

!

no aaa new-model

ip subnet-zero

!

ipv6 mfib hardware-switching replication-mode ingress

vtp domain datacenter

vtp mode transparent

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

!

redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric buffer-reserve queue

port-channel per-module load-balance

!

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

!

vlan 2-7,106,107,206,207

!

svclc autostate

svclc multiple-vlan-interfaces

svclc module 3 vlan-group 1,2

svclc vlan-group 1 6,206,207

svclc vlan-group 2 106,107

svclc vlan-group 3 3,4,5,7,

firewall multiple-vlan-interfaces

firewall module 2 vlan-group 2,3

!

interface Loopback0

 ip address 10.151.1.17 255.255.255.255

!

!

interface TenGigabitEthernet9/1

 description conx to dist1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport trunk allowed vlan 2,3,7,106,107,206,207 

switchport mode trunk

 no ip address

 logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet9/2

 description conx to dist2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport trunk allowed vlan 2,3,7,106,107,206,207

switchport mode trunk

no ip address

 logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet9/3

description connx to svc2 switch

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport trunk allowed vlan 4,5,6

 switchport mode trunk

no ip address

 logging event link-status

 logging event bundle-status

!

no ip http server

!

snmp-server community public RO

!

control-plane

!

dial-peer cor custom

!

line con 0

line vty 0 4

 password cisco

 login

!

no cns aaa enable

end

Service Switch 2

upgrade fpd auto

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

service counters max age 5

!

hostname Svc-2

boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin

!

enable secret 5 $1$lB0P$HAIQrXSPQjLQtTDklRg2V.

enable password cisco

!

no aaa new-model

ip subnet-zero

!

ipv6 mfib hardware-switching replication-mode ingress

vtp domain datacenter

vtp mode transparent

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

!

redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric buffer-reserve queue

port-channel per-module load-balance

!

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

!

vlan 2-7,106,107,206,207

!

svclc autostate

svclc multiple-vlan-interfaces

svclc module 3 vlan-group 1,2

svclc vlan-group 1 6,206,207

svclc vlan-group 2 106,107

svclc vlan-group 3 3,4,5,7

firewall multiple-vlan-interfaces

firewall module 2 vlan-group 2,3

!

interface Loopback0

 ip address 10.151.1.18 255.255.255.255

!

!

interface TenGigabitEthernet9/1

 description connection to 6500 dist1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 2,3,7,106,107,206,207

 switchport mode trunk

 no ip address

 logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet9/2

 description connection to 6500 dist 2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport trunk allowed vlan 2,3,7,106,107,206,207

switchport mode trunk

 no ip address

 logging event link-status

 logging event bundle-status

 spanning-tree guard root

!

interface TenGigabitEthernet9/3

description connx to svc1 switch

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

switchport trunk allowed vlan 4,5,6

switchport mode trunk

no ip address

 logging event link-status

 logging event bundle-status

!

no ip http server

!

snmp-server community public RO

!

control-plane

!

dial-peer cor custom

!

line con 0

line vty 0 4

 password cisco

 login

!

!

no cns aaa enable

end

Access Switch 6500

upgrade fpd auto

version 12.2

no service pad

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

service counters max age 10

!

hostname DCB-Access-1

!

boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF9.bin

no aaa new-model

clock timezone PST -8

clock summer-time PDT recurring

clock calendar-valid

ip subnet-zero

no ip source-route

!

no ip bootp server

ip domain-list cisco.com

no ip domain-lookup

ip domain-name cisco.com

udld enable

!

udld message time 7

!

vtp domain datacenter

vtp mode transparent

no mls acl tcam share-global

mls cef error action freeze

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree portfast bpduguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree pathcost method long

!

power redundancy-mode combined

no diagnostic cns publish

no diagnostic cns subscribe

fabric buffer-reserve queue

port-channel load-balance src-dst-port

!

vlan internal allocation policy descending

vlan dot1q tag native 

vlan access-log ratelimit 2000

!

vlan 207

 name  server Tier

!

interface TenGigabitEthernet1/1

 description to_dcb-Dist-1

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 no ip address

 logging event link-status

!

interface TenGigabitEthernet1/2

 description to_dcb-Dist-2

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 2

 switchport mode trunk

 no ip address

 logging event link-status

 logging event spanning-tree status

!!

interface GigabitEthernet2/1  (all test ports)

  switchport

 switchport access vlan 207

 switchport mode access

 no ip address

 no cdp enable

 spanning-tree portfast

!

!

interface Vlan1

 no ip address

 shutdown

!

no ip http server

!

line con 0

 exec-timeout 0 0

line vty 0 4

 exec-timeout 0 0

 password 7 05080F1C2243

 login local

 transport input telnet ssh

!

no monitor event-trace timestamps

ntp authentication-key 1 md5 110A1016141D 7

ntp authenticate

ntp trusted-key 1

ntp clock-period 17179938

ntp update-calendar

ntp server ***********key 1

no cns aaa enable

end

ACE and FWSM

FWSM Baseline

firewall transparent

!

interface Vlan107

 nameif inside

 bridge-group 1

 security-level 100

!

interface Vlan7

 nameif outside

 bridge-group 1

 security-level 0

!

interface BVI1

 ip address 10.80.1.12 255.255.255.0 standby 10.80.1.13

!

access-list outside extended permit ip any any log

access-list inside extended permit ip any any log

access-list BPDU ethertype permit bpdu 

!

access-group BPDU in interface inside

access-group inside in interface inside

access-group BPDU in interface outside

access-group outside in interface outside

route outside 0.0.0.0  0.0.0.0 10.80.1.1

ACE Baseline

access-list BPDU ethertype permit bpdu

access-list anyone line 10 extended permit ip any any

 class-map type management match-any PING

 description Allowed Admin Traffic

 10 match protocol icmp any

 11 match protocol telnet any

policy-map type management first-match PING-POLICY

 class PING

 permit

interface vlan 107 

description "Client-side Interface"

 bridge-group 1

 access-group input BPDU

 access-group input anyone

 service-policy input PING-POLICY

interface vlan 207 

description "Server-side Interface" 

bridge-group 1

 access-group input BPDU 

access-group input anyone

interface bvi 1

 ip address 10.80.1.14 255.255.255.0

 alias 10.80.1.16 255.255.255.0

 peer ip address 10.80.1.13 255.255.255.0

 no shutdown

ip route 0.0.0.0 0.0.0.0 10.80.1.1

FWSM Failover

Table 8-1 FWSM Failover Configuration

Primary FWSM Failover Configuration

Secondary FWSM Failover Configuration

interface VLAN4 description LAN Failover Interface ! Interface VLAN5 description STATE Failover Interface ! failover failover lan unit primary failover lan interface failover VLAN4 failover polltime unit msec 500 holdtime 3 failover polltime interface 3 failover replication http failover link state VLAN5 failover interface ip failover 10.81.4.1 255.255.255.0 standby 10.81.4.2 failover interface ip state 10.81.5.1 255.255.255.0 standby 10.81.5.2 failover group 1 preempt failover group 2 secondary preempt 5 context V107 allocate-interface VLAN107 allocate-interface VLAN7 config-url disk:/V107.cfg join-failover group 1

Interface VLAN4 description LAN Failover Interface ! Interface VLAN5 description STATE Failover Interface ! Failover failover lan unit secondary failover lan interface failover VLAN4 failover polltime unit msec 500 holdtime 3 failover polltime interface 3 failover replication http failover link state VLAN5 failover interface ip failover 10.81.4.1 255.255.255.0 standby 10.81.4.2 failover interface ip state 10.81.5.1 255.255.255.0 standby 10.81.5.2 failover group 1 preempt failover group 2 secondary preempt 5 context V107 allocate-interface VLAN107 allocate-interface VLAN7 config-url disk:/V107.cfg join-failover group 1

ACE Failover

ft interface vlan 6

  ip address 10.81.6.6.1 255.255.255.0

  peer ip address 10.81.6.2 255.255.255.0

  no shutdown

ft peer 1

  heartbeat interval 100

  heartbeat count 10

  ft-interface vlan 6

ft group 2

  peer 1

  no preempt

  priority 210

  peer priority 200

  associate-context Admin

  inservice

context v107

 allocate-interface vlan107

 allocate-interface vlan207

ft group 3

peer 1

priority 220

peer priority 200

associate-context vlan107

inservice

Most of the configuration is done on the primary (primary on the admin context) ACE module. Only a few items need to be defined on the secondary ACE module: the FT interface is defined with the addresses reversed, the FT peer is configured the same, and the FT group for the admin context is configured with the priorities reversed. With the FT VLAN up, this is enough for the ACE modules to synch up correctly and all of the rest of the configuration is copied over and the priority values are reversed.

Additional References

See the following URL for more information:

•Cisco Catalyst 6500—http://www.cisco.com/en/US/products/hw/switches/ps708/index.html