First of all, this is entirely original. There are a great many deployment modes for integrating the FWSM, ACE and MSFC in a 6509 chassis; in this project we worked with the routed and transparent deployment modes and also set up HA and FT. Because of confidentiality concerns I am pasting only part of the configuration here, to share...
total: 1014624 kB, used: 360960 kB, available: 653664 kB
last boot reason: SUP request
configuration register: 0x1
switch kernel uptime is 0 days 0 hour 49 minute(s) 7 second(s)
switch/Admin#
switch/Admin# show run
Generating configuration....
boot system image:c6ace-t1k9-mz.3.0.0_A1_6_3a.bin
access-list 200 line 8 extended permit icmp any any
access-list 200 line 24 extended permit ip any any
rserver host S1
ip address 192.168.1.222
inservice
rserver host S2
ip address 192.168.1.221
inservice
serverfarm host farm_test
rserver S1
inservice
rserver S2
inservice
class-map match-any VIP
2 match virtual-address 192.168.99.100 tcp eq ftp
class-map type management match-any manage
2 match protocol http any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol telnet any
policy-map type management first-match behavior_manage
class manage
permit
policy-map type loadbalance first-match behavior_loadbalance
class class-default
serverfarm farm_test
policy-map multi-match app_policy
class VIP
loadbalance vip inservice
loadbalance policy behavior_loadbalance
loadbalance vip icmp-reply
loadbalance vip advertise
interface vlan 5
ip address 192.168.99.1 255.255.255.0
access-group input 200
service-policy input app_policy
service-policy input behavior_manage
no shutdown
interface vlan 8
ip address 192.168.1.254 255.255.255.0
access-group input 200
service-policy input behavior_manage
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.99.2
username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
username www password 5 $1$UZIiwUk7$QMVYN1JASaycabrHkhGcS/ role Admin domain default-domain
switch/Admin#
switch/Admin# show ip route
Routing Table for Context Admin (RouteId 0)
Codes: H - host, I - interface
S - static, N - nat
A - need arp resolve, E - ecmp
Destination Gateway Interface Flags
------------------------------------------------------------------------
0.0.0.0 192.168.99.2 vlan5 S
192.168.1.0/24 0.0.0.0 vlan8 IA
192.168.99.0/24 0.0.0.0 vlan5 IA
Total route entries = 3
switch/Admin#
switch/Admin# show had?
% invalid command
switch/Admin# show environment
Temperature:
inlet temperature : 34
outlet temperature : 37
SIBYTE temperature : 55
HYPERION temperature : 53
CDE0 temperature : 48
CDE1 temperature : 47
IXP0 temperature : 38
IXP1 temperature : 38
SSA temperature : 60
switch/Admin#
switch/Admin# exit
[Connection to 127.0.0.90 closed by foreign host]
Router#sess slo 8 pro 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
FWSM> en
Password:
FWSM#
FWSM# show ver
FWSM Firewall Version 3.2(5)
Device Manager Version 5.2(3)F
Compiled on Mon 10-Mar-08 16:03 by fwsmbld
FWSM up 47 mins 44 secs
Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash SMART ATA FLASH DISK @ 0xc321, 20MB
0: Int: Not licensed : irq 5
1: Int: Not licensed : irq 7
2: Int: Not licensed : irq 11
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
BGP Stub : Disabled
VPN Peers : Unlimited
Serial Number: SAD122300KU
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Configuration last modified by enable_15 at 13:06:57.054 UTC Mon Feb 28 2000
FWSM#
FWSM# show run
: Saved
:
FWSM Version 3.2(5)
!
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan2
nameif DMZ
security-level 100
ip address 192.168.88.2 255.255.255.0
!
interface Vlan7
nameif outside
security-level 0
ip address 58.83.131.74 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 100 extended permit ip any any
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-list 200 extended permit icmp any any
access-list 200 extended permit tcp any any eq ftp
pager lines 24
mtu DMZ 1500
mtu outside 1500
no failover
icmp permit any DMZ
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (DMZ) 10 192.168.1.0 255.255.255.0
static (DMZ,outside) 58.83.131.100 192.168.99.100 netmask 255.255.255.255
access-group 100 in interface DMZ
access-group 200 in interface outside
route DMZ 192.168.1.0 255.255.255.0 192.168.88.1 1
route DMZ 192.168.99.0 255.255.255.0 192.168.88.1 1
route outside 0.0.0.0 0.0.0.0 58.83.131.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
FWSM#
FWSM# show route
S 0.0.0.0 0.0.0.0 [1/0] via 58.83.131.73, outside
C 58.83.131.0 255.255.255.0 is directly connected, outside
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.88.1, DMZ
C 192.168.88.0 255.255.255.0 is directly connected, DMZ
S 192.168.99.0 255.255.255.0 [1/0] via 192.168.88.1, DMZ
FWSM#
FWSM# show access
FWSM# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 100; 3 elements
access-list 100 line 1 extended permit ip any any (hitcnt=249) 0xa2f91e1d
access-list 100 line 2 extended permit tcp any any (hitcnt=0) 0x0878ce61
access-list 100 line 3 extended permit udp any any (hitcnt=0) 0xd52c9509
access-list 200; 2 elements
access-list 200 line 1 extended permit icmp any any (hitcnt=233) 0xa7b0be37
access-list 200 line 2 extended permit tcp any any eq ftp (hitcnt=6) 0x6ce98731
FWSM#
FWSM# show hard
FWSM# show hard
^
ERROR: % Invalid input detected at '^' marker.
FWSM#
FWSM# show xl
FWSM# show xlate
3 in use, 3 most used
PAT Global 58.83.131.74(1025) Local 192.168.1.222 ICMP id 512
PAT Global 58.83.131.74(1026) Local 192.168.1.222(3904)
PAT Global 58.83.131.74(1027) Local 192.168.1.222(3905)
FWSM#
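The access lists and the ACE management class are the policy-carrying parts of the two dumps above. On the ACE, ACL 200 ends in `permit ip any any` and is bound inbound on both VLAN 5 (the side facing the MSFC and carrying the VIP) and VLAN 8 (the server side), and the management class `manage` permits telnet, http and snmp on the same interfaces. On the FWSM, ACL 100 on the DMZ interface is `permit ip any any` followed by unrestricted tcp and udp entries, while the outside ACL 200 is narrowed to icmp and tcp/ftp. The script below is an added example, not part of the original post and not a Cisco tool: it parses the FWSM/ASA and ACE extended-ACL syntax (including `host` and network/mask forms the dumps do not use), resolves which interface each list and management policy is bound to, and reports the entries a reviewer would ask to have justified. The two input strings are the relevant lines copied from the dumps; the `CLEARTEXT_MGMT` set and the wording of the findings are my choices.

```python
import re
from collections import namedtuple

# Constructed input: policy-relevant lines copied from the ACE show run above.
ACE_CONFIG = """\
access-list 200 line 8 extended permit icmp any any
access-list 200 line 24 extended permit ip any any
class-map type management match-any manage
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol ssh any
  5 match protocol snmp any
  6 match protocol telnet any
policy-map type management first-match behavior_manage
  class manage
    permit
interface vlan 5
  access-group input 200
  service-policy input behavior_manage
interface vlan 8
  access-group input 200
  service-policy input behavior_manage
"""
# Constructed input: ACL and binding lines copied from the FWSM show run above.
FWSM_CONFIG = """\
access-list 100 extended permit ip any any
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-list 200 extended permit icmp any any
access-list 200 extended permit tcp any any eq ftp
access-group 100 in interface DMZ
access-group 200 in interface outside
"""
CLEARTEXT_MGMT = {"telnet", "http", "snmp"}  # management protocols whose credentials cross the wire in clear

# port is None when the entry carries no "eq <port>" qualifier
AclEntry = namedtuple("AclEntry", "name action proto src dst port")

def _take_addr(tokens: list) -> str:
    # consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'
    tok = tokens.pop(0)
    if tok in ("any", "host"):
        return tok if tok == "any" else tokens.pop(0)
    return tok + "/" + tokens.pop(0)

def parse_acl(text: str) -> list:
    """Parse FWSM/ASA and ACE extended ACL lines (ACE inserts an optional 'line N')."""
    entries = []
    for m in re.finditer(r"^\s*access-list (\S+) (?:line \d+ )?extended (permit|deny) (.+)$", text, re.M):
        name, action, tokens = m.group(1), m.group(2), m.group(3).split()
        proto, src, dst = tokens.pop(0), _take_addr(tokens), _take_addr(tokens)
        port = tokens[1] if tokens[:1] == ["eq"] else None
        entries.append(AclEntry(name, action, proto, src, dst, port))
    return entries

def bindings(text: str) -> dict:
    """Map ACL or service-policy name -> interfaces it is applied on, in either CLI dialect."""
    bound, iface = {}, None
    for s in (ln.strip() for ln in text.splitlines()):
        if s.startswith("interface "):
            iface = s[len("interface "):]
        elif m := re.match(r"access-group (\S+) in interface (\S+)", s):  # FWSM: global statement
            bound.setdefault(m.group(1), []).append(m.group(2))
        elif (m := re.match(r"(?:access-group|service-policy) input (\S+)", s)) and iface:  # ACE: per interface
            bound.setdefault(m.group(1), []).append(iface)
    return bound

def mgmt_protocols(text: str) -> dict:
    """Map ACE management policy-map name -> protocols its management class permits."""
    classes, policies, block = {}, {}, None
    for s in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"class-map type management \S+ (\S+)", s):
            block = classes.setdefault(m.group(1), set())
        elif m := re.match(r"policy-map type management \S+ (\S+)", s):
            block = policies.setdefault(m.group(1), set())
        elif (m := re.match(r"\d+ match protocol (\S+)", s)) and block is not None:
            block.add(m.group(1))
        elif (m := re.match(r"class (\S+)$", s)) and block is not None:
            block |= classes.get(m.group(1), set())
        elif s.startswith(("interface ", "access-list ")):
            block = None
    return policies

def audit(device: str, text: str) -> list:
    """Return findings naming the device, the rule and every interface it is bound to."""
    findings, bound = [], bindings(text)
    for e in parse_acl(text):
        if e.action != "permit" or e.src != "any" or e.dst != "any":
            continue
        where = ",".join(bound.get(e.name, ["<unbound>"]))
        if e.proto == "ip":
            findings.append(f"{device}: acl {e.name} on {where}: permit ip any any (no filtering at all)")
        elif e.proto in ("tcp", "udp") and e.port is None:
            findings.append(f"{device}: acl {e.name} on {where}: permit {e.proto} any any without a port")
    for policy, protos in mgmt_protocols(text).items():
        if clear := sorted(protos & CLEARTEXT_MGMT):
            where = ",".join(bound.get(policy, ["<unbound>"]))
            findings.append(f"{device}: management policy {policy} on {where}: cleartext {','.join(clear)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit("ACE", ACE_CONFIG) + audit("FWSM", FWSM_CONFIG)))
```

Run against the two dumps it reports two findings for the ACE (ACL 200 and the management policy, both on vlan 5 and vlan 8) and three for the FWSM (all on ACL 100 bound to DMZ); the outside ACL 200 passes because its tcp entry is pinned to ftp. The binding lookup matters more than the entry itself: `permit ip any any` on the server-side VLAN 8 is a different risk from the same line on the interface the MSFC hands traffic to.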
Router#
Router#show ver
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Thu 14-Feb-08 04:33 by kellythw
Image text-base: 0x40101040, data-base: 0x42AA0F10
ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)
Router uptime is 49 minutes
Time since Router switched to active is 49 minutes
System returned to ROM by reload at 12:10:04 UTC Fri May 23 2008 (SP by reload)
System image file is "sup-bootdisk:s72033-ipservices_wan-mz.122-18.SXF13.bin"
cisco WS-C6509-E (R7000) processor (revision 1.4) with 458720K/65536K bytes of memory.
Processor board ID SMC120500CP
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
4 Virtual Ethernet/IEEE 802.3 interfaces
56 Gigabit Ethernet/IEEE 802.3 interfaces
1 Ten Gigabit Ethernet/IEEE 802.3 interface
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
Router#
Router#sh ip int brief
Router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES unset administratively down down
Vlan2 192.168.88.1 YES manual up up
Vlan5 192.168.99.2 YES manual up up
Vlan7 unassigned YES manual up up
GigabitEthernet5/1 unassigned YES unset administratively down down
GigabitEthernet5/2 unassigned YES unset administratively down down
GigabitEthernet7/1 unassigned YES unset up up
GigabitEthernet7/2 unassigned YES unset administratively down down
GigabitEthernet7/3 unassigned YES unset administratively down down
GigabitEthernet7/4 unassigned YES unset administratively down down
GigabitEthernet7/5 unassigned YES unset administratively down down
GigabitEthernet7/6 unassigned YES unset administratively down down
GigabitEthernet7/7 unassigned YES unset administratively down down
GigabitEthernet7/8 unassigned YES unset administratively down down
GigabitEthernet7/9 unassigned YES unset administratively down down
GigabitEthernet7/10 unassigned YES unset administratively down down
GigabitEthernet7/11 unassigned YES unset administratively down down
GigabitEthernet7/12 unassigned YES unset administratively down down
GigabitEthernet7/13 unassigned YES unset administratively down down
GigabitEthernet7/14 unassigned YES unset administratively down down
GigabitEthernet7/15 unassigned YES unset administratively down down
GigabitEthernet7/16 unassigned YES unset administratively down down
GigabitEthernet7/17 unassigned YES unset administratively down down
GigabitEthernet7/18 unassigned YES unset administratively down down
GigabitEthernet7/19 unassigned YES unset administratively down down
GigabitEthernet7/20 unassigned YES unset administratively down down
GigabitEthernet7/21 unassigned YES unset administratively down down
GigabitEthernet7/22 unassigned YES unset administratively down down
GigabitEthernet7/23 unassigned YES unset administratively down down
GigabitEthernet7/24 unassigned YES unset administratively down down
GigabitEthernet7/25 unassigned YES unset administratively down down
GigabitEthernet7/26 unassigned YES unset administratively down down
GigabitEthernet7/27 unassigned YES unset administratively down down
GigabitEthernet7/28 unassigned YES unset administratively down down
GigabitEthernet7/29 unassigned YES unset administratively down down
GigabitEthernet7/30 unassigned YES unset administratively down down
GigabitEthernet7/31 unassigned YES unset administratively down down
GigabitEthernet7/32 unassigned YES unset administratively down down
GigabitEthernet7/33 unassigned YES unset administratively down down
GigabitEthernet7/34 unassigned YES unset administratively down down
GigabitEthernet7/35 unassigned YES unset administratively down down
GigabitEthernet7/36 unassigned YES unset administratively down down
GigabitEthernet7/37 unassigned YES unset administratively down down
GigabitEthernet7/38 unassigned YES unset administratively down down
GigabitEthernet7/39 unassigned YES unset administratively down down
GigabitEthernet7/40 unassigned YES unset administratively down down
GigabitEthernet7/41 unassigned YES unset administratively down down
GigabitEthernet7/42 unassigned YES unset administratively down down
GigabitEthernet7/43 unassigned YES unset administratively down down
GigabitEthernet7/44 unassigned YES unset administratively down down
GigabitEthernet7/45 unassigned YES unset administratively down down
GigabitEthernet7/46 unassigned YES unset administratively down down
GigabitEthernet7/47 unassigned YES unset up up
GigabitEthernet7/48 unassigned YES unset administratively down down
Router#
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.88.2 to network 0.0.0.0
C 192.168.88.0/24 is directly connected, Vlan2
192.168.99.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.99.0/24 is directly connected, Vlan5
S 192.168.99.100/32 [77/0] via 192.168.99.1, Vlan5
S 192.168.1.0/24 [1/0] via 192.168.99.1
S* 0.0.0.0/0 [1/0] via 192.168.88.2
Router#
Router#sh run
Building configuration...
Current configuration : 4231 bytes
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 5
!
hostname Router
!
!
no aaa new-model
svclc multiple-vlan-interfaces
svclc module 9 vlan-group 2
svclc vlan-group 2 5,8
firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1 2,7
ip subnet-zero
!
!
!
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
!
!
!
!
!
!
redundancy
mode sso
main-cpu
auto-sync running-config
spanning-tree mode pvst
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface GigabitEthernet5/1
no ip address
shutdown
!
interface GigabitEthernet5/2
no ip address
shutdown
!
interface GigabitEthernet7/1
switchport
switchport access vlan 7
switchport mode access
no ip address
!
interface GigabitEthernet7/2
no ip address
shutdown
!
interface GigabitEthernet7/3
no ip address
shutdown
!
interface GigabitEthernet7/4
no ip address
shutdown
!
interface GigabitEthernet7/5
no ip address
shutdown
!
interface GigabitEthernet7/6
no ip address
shutdown
!
interface GigabitEthernet7/7
no ip address
shutdown
!
interface GigabitEthernet7/8
no ip address
shutdown
!
interface GigabitEthernet7/9
no ip address
shutdown
!
interface GigabitEthernet7/10
no ip address
shutdown
!
interface GigabitEthernet7/11
no ip address
shutdown
!
interface GigabitEthernet7/12
no ip address
shutdown
!
interface GigabitEthernet7/13
no ip address
shutdown
!
interface GigabitEthernet7/14
no ip address
shutdown
!
interface GigabitEthernet7/15
no ip address
shutdown
!
interface GigabitEthernet7/16
no ip address
shutdown
!
interface GigabitEthernet7/17
no ip address
shutdown
!
interface GigabitEthernet7/18
no ip address
shutdown
!
interface GigabitEthernet7/19
no ip address
shutdown
!
interface GigabitEthernet7/20
no ip address
shutdown
!
interface GigabitEthernet7/21
no ip address
shutdown
!
interface GigabitEthernet7/22
no ip address
shutdown
!
interface GigabitEthernet7/23
no ip address
shutdown
!
interface GigabitEthernet7/24
no ip address
shutdown
!
interface GigabitEthernet7/25
no ip address
shutdown
!
interface GigabitEthernet7/26
no ip address
shutdown
!
interface GigabitEthernet7/27
no ip address
shutdown
!
interface GigabitEthernet7/28
no ip address
shutdown
!
interface GigabitEthernet7/29
no ip address
shutdown
!
interface GigabitEthernet7/30
no ip address
shutdown
!
interface GigabitEthernet7/31
no ip address
shutdown
!
interface GigabitEthernet7/32
no ip address
shutdown
!
interface GigabitEthernet7/33
no ip address
shutdown
!
interface GigabitEthernet7/34
no ip address
shutdown
!
interface GigabitEthernet7/35
no ip address
shutdown
!
interface GigabitEthernet7/36
no ip address
shutdown
!
interface GigabitEthernet7/37
no ip address
shutdown
!
interface GigabitEthernet7/38
no ip address
shutdown
!
interface GigabitEthernet7/39
no ip address
shutdown
!
interface GigabitEthernet7/40
no ip address
shutdown
!
interface GigabitEthernet7/41
no ip address
shutdown
!
interface GigabitEthernet7/42
no ip address
shutdown
!
interface GigabitEthernet7/43
no ip address
shutdown
!
interface GigabitEthernet7/44
no ip address
shutdown
!
interface GigabitEthernet7/45
no ip address
shutdown
!
interface GigabitEthernet7/46
no ip address
shutdown
!
interface GigabitEthernet7/47
switchport
switchport access vlan 8
switchport mode access
no ip address
spanning-tree portfast
!
interface GigabitEthernet7/48
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.88.1 255.255.255.0
!
interface Vlan5
ip address 192.168.99.2 255.255.255.0
!
interface Vlan7
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.88.2
ip route 192.168.1.0 255.255.255.0 192.168.99.1
!
no ip http server
!
!
!
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0 4
!
!
no cns aaa enable
end
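Read together, the three routing tables, the FWSM static translation and the ACE VIP fix the forwarding path for an inbound FTP connection: the FWSM untranslates 58.83.131.100 to the VIP 192.168.99.100 and routes it to the MSFC at 192.168.88.1 over DMZ/VLAN 2; the MSFC follows the /32 for the VIP that `loadbalance vip advertise` places in its table (the [77/0] entry) to the ACE at 192.168.99.1 on VLAN 5; the ACE matches class `VIP` and hands the connection to a real server on VLAN 8. The reply leaves the server through its gateway 192.168.1.254 (ACE vlan 8), takes the ACE default route to 192.168.99.2 (MSFC), the MSFC default route to 192.168.88.2 (FWSM DMZ) and the FWSM default route out, so replies cross the same stateful FWSM the request did. The script below is an added example, not part of the original post, that encodes those tables and walks a destination through them with longest-prefix matching. The client address 203.0.113.10 is constructed, the interface on the MSFC static route is the one its next hop resolves to, and the choice of S1 as the first real server is an assumption (the ACE predictor is not shown in the dump).

```python
import ipaddress

# Constructed from the three routing tables above: (prefix, next hop or None if connected, interface).
# The MSFC /32 for the VIP is the route shown as [77/0], the one 'loadbalance vip advertise' injects.
ROUTES = {
    "FWSM": [("0.0.0.0/0", "58.83.131.73", "outside"), ("58.83.131.0/24", None, "outside"),
             ("192.168.1.0/24", "192.168.88.1", "DMZ"), ("192.168.88.0/24", None, "DMZ"),
             ("192.168.99.0/24", "192.168.88.1", "DMZ")],
    "MSFC": [("192.168.88.0/24", None, "Vlan2"), ("192.168.99.0/24", None, "Vlan5"),
             ("192.168.99.100/32", "192.168.99.1", "Vlan5"),
             ("192.168.1.0/24", "192.168.99.1", "Vlan5"),  # static without interface; resolves via Vlan5
             ("0.0.0.0/0", "192.168.88.2", "Vlan2")],
    "ACE":  [("0.0.0.0/0", "192.168.99.2", "vlan5"), ("192.168.1.0/24", None, "vlan8"),
             ("192.168.99.0/24", None, "vlan5")],
}
# Which device answers for each next-hop address, from the interface addresses in the dumps above.
OWNER = {"192.168.88.1": "MSFC", "192.168.99.2": "MSFC", "192.168.88.2": "FWSM",
         "192.168.99.1": "ACE", "192.168.1.254": "ACE"}
STATIC_NAT = {"58.83.131.100": "192.168.99.100"}  # FWSM: static (DMZ,outside) 58.83.131.100 192.168.99.100
VIP = {("192.168.99.100", "tcp", 21): ["192.168.1.222", "192.168.1.221"]}  # ACE: class VIP -> farm_test
SERVERS = {"192.168.1.222": "S1", "192.168.1.221": "S2"}

def lookup(device, dst):
    """Longest-prefix match in one device's table; returns (prefix, next hop, interface) or None."""
    addr, best, best_len = ipaddress.ip_address(dst), None, -1
    for prefix, nh, iface in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, nh, iface), net.prefixlen
    return best

def trace(dst, proto="tcp", port=21, start="FWSM", max_hops=8):
    """Follow a packet from `start` hop by hop, applying the FWSM static NAT on entry from
    outside and the ACE VIP -> rserver selection. Returns (hop descriptions, final destination)."""
    hops, device = [], start
    for _ in range(max_hops):
        if device == "FWSM" and dst in STATIC_NAT:
            hops.append(f"FWSM: static NAT {dst} -> {STATIC_NAT[dst]}")
            dst = STATIC_NAT[dst]
        if device == "ACE" and (dst, proto, port) in VIP:
            real = VIP[(dst, proto, port)][0]  # assumption: first server of the farm is picked
            hops.append(f"ACE: VIP {dst}/{proto}/{port} -> rserver {SERVERS[real]} {real}")
            dst = real
        route = lookup(device, dst)
        if route is None:
            raise LookupError(f"{device} has no route to {dst}")
        prefix, nh, iface = route
        if nh is None:  # connected network: delivered directly
            hops.append(f"{device}: {dst} is connected on {iface} ({prefix})")
            return hops, dst
        if nh not in OWNER:  # next hop is outside the chassis (the ISP side of the FWSM)
            hops.append(f"{device}: {dst} via {nh} on {iface} ({prefix}), leaves the chassis")
            return hops, nh
        hops.append(f"{device}: {dst} via {nh} on {iface} ({prefix})")
        device = OWNER[nh]
    raise RuntimeError("routing loop between the modules")

if __name__ == "__main__":
    # inbound FTP to the public address, then a server reply to a constructed client address
    for h in trace("58.83.131.100")[0] + trace("203.0.113.10", start="ACE")[0]:
        print(h)
```

The inbound trace takes five steps (NAT, FWSM route, MSFC /32, VIP selection, delivery on vlan 8) and the reply takes three (ACE default, MSFC default, FWSM default out). The /32 is what keeps the path correct: without it the MSFC would treat 192.168.99.100 as a host on its own connected Vlan5 and ARP for it instead of forwarding to the ACE, and a VIP reachable only through that injected route disappears from the MSFC table when the ACE withdraws it, which is the health signal `loadbalance vip advertise` is for.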
Router#
Router#show hard