Configuration of the EttF Cell/Area Zone
Layer 2 Configuration
Following is a sample configuration of one of the Layer 2 devices in the ring topology:
Current configuration : 3447 bytes
!
! Sample Layer 2 access switch (Catalyst 2955, IOS 12.1) in the Cell/Area
! Zone ring.  Ring and device traffic is carried in VLAN 20; VLAN 100 exists
! only on this switch.  Credentials in this listing are sample values and are
! stored in clear text (no service password-encryption).
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): `service password-encryption` is off, so every password below
! is readable in `show run`; `enable secret` (hashed) is preferred to
! `enable password` regardless.
no service password-encryption
!
hostname cell-c2955-9
!
enable password factory0
!
ip subnet-zero
!
!
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
! Hello-time 1s is set for every VLAN except 10 and 20, yet VLAN 20 is the
! only VLAN used on the ports below, so the ring VLAN keeps the default
! hello-time -- presumably intentional; verify against the HA test results.
spanning-tree vlan 1-9,11-19,21-1024 hello-time 1
!
!
!
! Industrial alarm handling: the primary temperature alarm drives the major
! relay output and is also sent to syslog and flagged for notification.
alarm profile defaultPort
!
alarm facility temperature primary relay major
alarm facility temperature primary syslog
alarm facility temperature primary notifies
!
!
! Fa0/1-Fa0/11: device-facing access ports in VLAN 20, same template on each.
! NOTE(review): interface-level `bpdufilter enable` stops the port from
! sending or processing BPDUs, so `bpduguard enable` on the same port has no
! BPDU left to act on and the loop-protection intent of bpduguard is lost;
! keep bpduguard and drop bpdufilter.
! NOTE(review): `ip dhcp snooping limit rate 10` is inert until DHCP snooping
! is enabled globally and for VLAN 20 -- neither appears in this config.
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
! Temporary isolation link: configured as a VLAN 20-only trunk but left
! administratively down (the `switchport access vlan 20` line is unused
! while the port is in trunk mode).
interface FastEthernet0/2
description temp_L2_isolation_link
switchport access vlan 20
switchport trunk native vlan 20
switchport trunk allowed vlan 20
switchport mode trunk
shutdown
!
! Same access template as Fa0/1, but administratively down.
interface FastEthernet0/3
switchport access vlan 20
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/4
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/5
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/6
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/7
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/8
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/9
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
interface FastEthernet0/11
switchport access vlan 20
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
!
! Fa0/12: VLAN 100, which the uplinks do not carry, so it is local to this
! switch; it is the SPAN source referenced at the end of this config.  No
! bpduguard here, unlike the other access ports.
interface FastEthernet0/12
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
! Gi0/1-Gi0/2: ring uplinks.  Only VLAN 20 is allowed and it is also the
! native VLAN, so ring traffic travels untagged.  DTP is not disabled
! (`switchport nonegotiate` absent) -- presumably acceptable on a fixed trunk
! to a known neighbor; confirm.
interface GigabitEthernet0/1
switchport trunk native vlan 20
switchport trunk allowed vlan 20
switchport mode trunk
!
interface GigabitEthernet0/2
switchport trunk native vlan 20
switchport trunk allowed vlan 20
switchport mode trunk
!
! Vlan1 and Vlan2 SVIs are shut; in-band management lives on Vlan20.
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan2
no ip address
no ip route-cache
shutdown
!
interface Vlan20
ip address 10.17.20.50 255.255.255.0
no ip route-cache
!
! Gateway is the Vlan20 SVI of the distribution switch (CZ-C3750-1).
ip default-gateway 10.17.20.1
! NOTE(review): clear-text HTTP management is enabled with no authentication
! method or access restriction shown here; disable it (`no ip http server`)
! if web management is not needed on the ring switches.
ip http server
!
! Console has no password and no exec-timeout configured here.
line con 0
! NOTE(review): vty 0-4 use a clear-text line password with no
! `transport input` or `access-class` restriction in this listing.
line vty 0 4
password factory0
login
! vty 5-15 require login but have no password set, so IOS refuses sessions
! on these lines.
line vty 5 15
login
!
!
!
! SPAN session 1 has a source (Fa0/12) but no destination in this listing,
! so the session is incomplete as shown.
monitor session 1 source interface Fa0/12
end
Layer 3 Configuration
Following is a sample configuration of the distribution/aggregation switch:
Current configuration : 10758 bytes
!
! Sample distribution/aggregation switch: a two-member Catalyst 3750G stack
! (IOS 12.2) that terminates the cell VLANs (10, 20, 30), routes toward the
! CZ-C4500 pair over Port-channels and hosts the management VLAN 250.
version 12.2
no service pad
! Log/debug timestamps are uptime-based, and only a timezone (no NTP
! source) appears in this listing; `service timestamps log datetime` plus
! NTP would make events correlatable with other hosts.
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): credentials below are stored in clear text.
no service password-encryption
!
hostname CZ-C3750-1
!
! NOTE(review): `enable password` and `username ... password 0` are clear
! text; `enable secret` / `username ... secret` are the hashed forms.
enable password factory0
!
username root privilege 15 password 0 factory0
! AAA: login, exec and network authorization all use the local user
! database (the single privilege-15 user above).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone pst -8
switch 1 provision ws-c3750g-24ps
switch 2 provision ws-c3750g-24ps
! VTP transparent: the VLAN database is local and cannot be overwritten by
! a VTP server elsewhere in the domain.
vtp mode transparent
ip subnet-zero
! Source-routed IP packets are dropped.
no ip source-route
ip routing
ip cef load-sharing algorithm universal F9C26989
no ip domain-lookup
! A domain name is required to generate the RSA keys used by SSH/HTTPS.
ip domain-name cisco.com
!
! DHCP snooping is enabled for VLAN 10 only; VLANs 20 and 30 are not
! covered, and no interface in this listing is marked `ip dhcp snooping
! trust` -- verify where the DHCP server sits, since offers arriving on an
! untrusted port are dropped.
ip dhcp snooping vlan 10
ip dhcp snooping
ip multicast-routing distributed
! SSH negotiation timeout and retry limit; SCP server for config/image copy.
! No `ip ssh version 2` is pinned here -- confirm SSHv1 is not negotiable.
ip ssh time-out 60
ip ssh authentication-retries 2
ip scp server enable
!
! NOTE(review): `mls qos` enables QoS globally; on this platform ports
! without a trust setting then re-mark ingress traffic to 0 by default, and
! no `service-policy` applying cip-policy appears anywhere in this listing.
mls qos
!
! Self-signed certificate generated by the switch for its HTTPS server
! (`ip http secure-server`).  Clients cannot validate it against a CA and
! must trust it explicitly; in production replace it with a certificate
! from the plant PKI.  `revocation-check none` is expected for a
! self-signed trustpoint.
crypto pki trustpoint TP-self-signed-1835000704
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1835000704
revocation-check none
rsakeypair TP-self-signed-1835000704
!
!
! Certificate body (DER, hex) as written back by the device; not hand-edited.
crypto ca certificate chain TP-self-signed-1835000704
certificate self-signed 01
30820290 308201F9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
54312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383335 30303037 30343121 301F0609 2A864886 F70D0109
02161244 4D5A2D53 572D412E 63697363 6F2E636F 6D301E17 0D393330 33303130
30303931 305A170D 32303031 30313030 30303030 5A305431 2F302D06 03550403
1326494F 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3138
33353030 30373034 3121301F 06092A86 4886F70D 01090216 12444D5A 2D53572D
412E6369 73636F2E 636F6D30 819F300D 06092A86 4886F70D 01010105 0003818D
00308189 02818100 B86E69EB 3AD7C959 9F2CD10B BDFAB40D 6BF1DD24 06AB79E6
4A27520F 5896ACE0 B9BE5788 A63AD836 2FD31A48 5C646E3D 2E1E19FE 2858CB63
DB826F7E 09149DBD C5AE578E C859059A C6A4727F CD1BDB06 C24632C3 E7D7A082
C00FCAD9 F84166F5 8D1E5202 742398FF D55D5323 1AAA7050 9880BE4C 08C363E3
2E46C259 6BF053E5 02030100 01A37230 70300F06 03551D13 0101FF04 05300301
01FF301D 0603551D 11041630 14821244 4D5A2D53 572D412E 63697363 6F2E636F
6D301F06 03551D23 04183016 80140689 AC22B76B 6ED2E37D 87E03F3E 0ED65D3F
C313301D 0603551D 0E041604 140689AC 22B76B6E D2E37D87 E03F3E0E D65D3FC3
13300D06 092A8648 86F70D01 01040500 03818100 73C19D50 C99E2764 95C874E7
84B1302F 5A0DDD98 E197BBEE 494B4C34 F1A30F05 55E1773D 957D3F05 69DAF284
648E4AB9 62F3716A 612AEE09 A35D122D B67644C4 84836AD5 DB17AFE2 CDC9781A
8A54FBD0 CAF9763D E32C4C8E 07D4BB89 8699E62E 9CABE244 FE93A53C FF48CF4F
C50EF6E1 4D522967 6C3020A5 9D80D5FF 66E6C1AD
quit
!
!
! NOTE(review): `no file verify auto` turns off automatic integrity
! verification of images/files on copy; leave verification enabled unless
! there is a measured reason not to.
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
! Priority 4096 on every VLAN makes this stack the root bridge for the cell
! VLANs it aggregates unless another bridge is configured lower (the L2 ring
! switch sample keeps the default priority).
spanning-tree vlan 1-1024 priority 4096
!
vlan internal allocation policy ascending
!
! Local VLAN database (VTP transparent): 2-100 and 200 created; 250 is the
! management VLAN.
vlan 2-100,200
!
vlan 250
name management
!
! QoS classification for CIP/EtherNet-IP traffic, matching the named ACLs
! defined later in this configuration (cip-priority, cip-consumer,
! cip-producer).
class-map match-all cip-priority-class
match access-group name cip-priority
class-map match-all cip-consumer-class
match access-group name cip-consumer
class-map match-all cip-producer-class
match access-group name cip-producer
!
!
! cip-policy marks producer and consumer traffic with IP precedence 4.
! NOTE(review): cip-priority-class is defined but not referenced by any
! policy-map, cip-egress-policy is empty, and neither policy-map is attached
! with `service-policy` anywhere in this listing.
policy-map cip-policy
class cip-producer-class
set ip precedence 4
class cip-consumer-class
set ip precedence 4
policy-map cip-egress-policy
!
!
!
! Port-channel1/3: routed (Layer 3) EtherChannels to the CZ-C4500 pair
! (members Gi1/0/9-10 and Gi1/0/25-26 for Po1, Gi1/0/27-28 for Po3).
! Port-channel2: Layer 2 trunk carrying VLAN 10 only (members Gi2/0/11-12);
! it has no description, unlike Po1/Po3.
interface Port-channel1
description CZ-C4500-1
no switchport
ip address 10.18.3.100 255.255.255.0
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
switchport mode trunk
!
interface Port-channel3
description CZ-C4500-2
no switchport
ip address 10.18.4.100 255.255.255.0
!
! Stack member 1 front ports.  Ports with `switchport mode access` but no
! access VLAN sit in VLAN 1, whose SVI is not shut down on this switch; if
! unused they should be shut or moved to an unused VLAN.
interface GigabitEthernet1/0/1
switchport mode access
spanning-tree portfast
!
! Routed port on 172.28.212.0/24; the static default route at the end of
! this configuration points to 172.28.212.1 through this subnet.
interface GigabitEthernet1/0/2
no switchport
ip address 172.28.212.12 255.255.255.0
!
interface GigabitEthernet1/0/3
switchport mode access
spanning-tree portfast
!
! Access port in cell VLAN 10 (the only VLAN covered by DHCP snooping).
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport mode access
spanning-tree portfast
!
! Gi1/0/9-1/0/10: Port-channel1 members (routed, LACP active).
! `spanning-tree portfast` has no effect on a routed port.
interface GigabitEthernet1/0/9
no switchport
no ip address
channel-group 1 mode active
spanning-tree portfast
!
interface GigabitEthernet1/0/10
no switchport
no ip address
channel-group 1 mode active
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport mode access
spanning-tree portfast
!
! Gi1/0/13: trunk toward the VLAN 10 ring; native = allowed = VLAN 10, so
! ring traffic is untagged.  UDLD aggressive catches unidirectional links,
! root guard keeps a ring switch from becoming root, and port-priority 0
! makes this the preferred ring port for VLAN 10 (Gi2/0/13 uses 16).
interface GigabitEthernet1/0/13
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport mode trunk
udld port aggressive
spanning-tree guard root
spanning-tree vlan 10 port-priority 0
!
! Gi1/0/14: trunk toward the VLAN 20 ring (matches the Gi0/1-0/2 uplinks of
! cell-c2955-9).  NOTE(review): unlike Gi1/0/13, no `spanning-tree guard
! root` is applied here -- confirm whether that is intended.
interface GigabitEthernet1/0/14
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan 20
switchport mode trunk
udld port aggressive
!
! Gi1/0/15, 1/0/23, 1/0/24: VLAN 30 access ports, no portfast.
interface GigabitEthernet1/0/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
! Gi1/0/17-1/0/20 and 1/0/22: management VLAN 250 access ports.
interface GigabitEthernet1/0/17
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
! NOTE(review): Gi1/0/21 is a trunk with no `allowed vlan` list, so every
! VLAN -- including management VLAN 250 -- is carried, with VLAN 1 as the
! native VLAN.  `spanning-tree portfast` takes effect only on non-trunking
! ports unless the `trunk` keyword is used.  Confirm what connects here and
! prune the allowed list.
interface GigabitEthernet1/0/21
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 30
switchport mode access
!
! Gi1/0/25-1/0/26: further Port-channel1 members; Gi1/0/27-1/0/28:
! Port-channel3 members (all routed, LACP active).
interface GigabitEthernet1/0/25
no switchport
no ip address
channel-group 1 mode active
!
interface GigabitEthernet1/0/26
no switchport
no ip address
channel-group 1 mode active
!
interface GigabitEthernet1/0/27
no switchport
no ip address
channel-group 3 mode active
!
interface GigabitEthernet1/0/28
no switchport
no ip address
channel-group 3 mode active
!
! Stack member 2 front ports.  Gi2/0/1 and 2/0/3-2/0/10: VLAN 2 access
! ports (portfast).
interface GigabitEthernet2/0/1
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
! Gi2/0/2: routed port with no address assigned; `spanning-tree portfast`
! has no effect on a routed port.
interface GigabitEthernet2/0/2
no switchport
no ip address
spanning-tree portfast
!
interface GigabitEthernet2/0/3
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/4
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/5
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/6
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/7
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/8
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/9
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/10
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
! Gi2/0/11-2/0/12: Port-channel2 members (VLAN 10 trunk, LACP active).
! `spanning-tree portfast` takes effect only on non-trunking ports unless
! the `trunk` keyword is used.
interface GigabitEthernet2/0/11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
switchport mode trunk
channel-group 2 mode active
spanning-tree portfast
!
interface GigabitEthernet2/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
switchport mode trunk
channel-group 2 mode active
spanning-tree portfast
!
! Gi2/0/13: second trunk into the VLAN 10 ring; same protections as
! Gi1/0/13, with port-priority 16 so Gi1/0/13 is preferred.
interface GigabitEthernet2/0/13
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport mode trunk
udld port aggressive
spanning-tree guard root
spanning-tree vlan 10 port-priority 16
!
! Gi2/0/14: second trunk into the VLAN 20 ring; no root guard, as on
! Gi1/0/14.
interface GigabitEthernet2/0/14
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan 20
switchport mode trunk
udld port aggressive
!
interface GigabitEthernet2/0/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet2/0/16
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
! Gi2/0/17-2/0/20 and 2/0/22: management VLAN 250 access ports.
interface GigabitEthernet2/0/17
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/18
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/19
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/20
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
! NOTE(review): Gi2/0/21, like Gi1/0/21, is a trunk with no `allowed vlan`
! list (all VLANs including 250 carried, native VLAN 1) -- prune it.
interface GigabitEthernet2/0/21
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet2/0/22
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
! Gi2/0/23-2/0/24: VLAN 200 access ports.
interface GigabitEthernet2/0/23
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet2/0/24
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
! Gi2/0/25-2/0/28 carry no configuration at all, so they keep platform
! defaults (VLAN 1, presumably DTP-negotiable -- confirm); shut them down if
! unused.
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
!
! SVIs.  Vlan1 and Vlan2 have no address but are not shut down (the L2 ring
! switch sample shuts its Vlan1/Vlan2).
interface Vlan1
no ip address
no ip mroute-cache
!
interface Vlan2
no ip address
!
! Cell VLAN gateways (x.x.x.1 on 10.17.10/20/30) with PIM sparse-dense for
! CIP multicast traffic; RIP below advertises these subnets.
interface Vlan10
ip address 10.17.10.1 255.255.255.0
ip pim sparse-dense-mode
!
interface Vlan20
ip address 10.17.20.1 255.255.255.0
ip pim sparse-dense-mode
!
interface Vlan30
ip address 10.17.30.1 255.255.255.0
ip pim sparse-dense-mode
!
! Management SVI on 172.16.250.0/24: no PIM, and not covered by the RIP
! `network 10.0.0.0` statement (advertised only via redistribute connected).
interface Vlan250
ip address 172.16.250.3 255.255.255.0
!
! RIPv2 on every interface in 10.0.0.0/8 (the cell SVIs and the
! Port-channels toward the C4500s); connected routes, including
! 172.16.250.0/24 and 172.28.212.0/24, are redistributed.
! NOTE(review): there is no `passive-interface` and no authentication, so
! RIP updates are sent into -- and accepted from -- the cell VLANs 10/20/30,
! where presumably no peer router exists.  `passive-interface default` with
! `no passive-interface` on the Port-channels, plus key-chain (MD5)
! authentication, would confine RIP to the intended neighbors.
router rip
version 2
redistribute connected metric 1
network 10.0.0.0
!
! `ip default-gateway` is only honoured when `ip routing` is disabled; with
! `ip routing` enabled above, the static default route below is what is
! used.
ip default-gateway 172.28.212.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.28.212.1
! HTTP management: clear-text HTTP on TCP 2222 *and* HTTPS are both enabled,
! authenticating against the local user database.  NOTE(review): consider
! `no ip http server` so only the HTTPS server remains.  Port 2222 is also
! the CIP UDP port matched in the ACLs below (different protocol, so no
! overlap, but easy to confuse when reading captures or ACLs).
ip http server
ip http port 2222
ip http authentication local
ip http secure-server
!
!
! CIP (EtherNet/IP) classification ACLs referenced by the class-maps:
! consumer = UDP source port 2222, producer = UDP destination port 2222,
! priority = any IP packet with ToS max-throughput.
ip access-list extended cip-consumer
permit udp any eq 2222 any
ip access-list extended cip-priority
permit ip any any tos max-throughput
ip access-list extended cip-producer
permit udp any any eq 2222
!
! Syslog to 10.18.2.201, sourced from the Vlan10 address.
logging source-interface Vlan10
logging 10.18.2.201
! NOTE(review): SNMPv1/v2c with the well-known communities `public` (RO)
! and `private` (RW), and no access-list restricting any community; the RW
! community permits configuration changes.  Remove `private`, restrict the
! remaining communities with an ACL, or move to SNMPv3.  `marstring` is the
! community used for the 10.18.2.201 trap host.
snmp-server community public RO
snmp-server community private RW
snmp-server community marstring RO
snmp-server host 10.18.2.201 marstring
! RADIUS source ports are set, but no `radius-server host` is defined and
! AAA uses local only, so this line is inert as shown.
radius-server source-ports 1645-1646
!
control-plane
!
!
! Console session never times out (`exec-timeout 0 0`).
line con 0
exec-timeout 0 0
! vty 0-4: SSH only; authentication comes from AAA (local user `root`).
! `rotary 1` places the lines in rotary group 1.
line vty 0 4
rotary 1
transport input ssh
! NOTE(review): vty 5-15 have no `transport input ssh`, so non-SSH
! transports are presumably accepted on these lines -- confirm.  The line
! password is not used under `aaa new-model` with `login default local`.
! No `access-class` limits the source of management sessions on either vty
! range.
line vty 5 15
password factory0
rotary 1
!
!
end