年度奉献:6509HSRP工程实例(原创)

network · 发表于 2007-12-30 07:40:21

年度奉献:6509HSRP工程实例(原创)

刚做的一个医院的工程,网络环境如拓朴图(拓朴只是列出了主要的设备,至于下面接的网管服务器,PC等没有一一列出),电信进线边缘设备是ASA5510------->核心是两台Cat6509------->Cat2950,客户要实现核心冗余备份,同时通过CWSNMS管理软件对整个网络进行管理,在这里我只举出了HSRP.对于ASA5510的配置没有贴出来 .因为本论坛太多的案例了
参考语句:
standby 105 timers 5 10# 定义105组5秒交换一次hello信息，10秒没收到hello信息就开始切换 #
standby 105 priority * # 定义105组的主权值，值越大，为主希望越大 #
standby 105 preempt # 定义105组的hsrp抢占功能 #
standby 105 authentication * # 设置105组身份验证串 #
standby 105 ip *.*.*.* # 定义105组的浮动地址#
standby 105 track * # 定义监控的端口 #

[ 本帖最后由 blake 于 2007-2-10 11:59 PM 编辑 ]

附件
2007-2-10 11:50 PM

HSRP.jpg (43.95 KB)

network · 发表于 2007-12-30 07:40:59

ciscoasa# sh run
: Saved
:
ASA Version 7.0(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 211.143.*.* 255.255.255.0
!
interface Ethernet0/1
nameif inside-1
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside-2
security-level 100
ip address 172.16.2.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside-1_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.0
access-list inside-2_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside-1 1500
mtu inside-2 1500
ip local pool vpn-pool 172.16.1.100-172.16.1.199 mask 255.255.255.0
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
asdm history enable
arp timeout 14400
nat (inside-1) 0 access-list inside-1_nat0_outbound
nat (inside-2) 0 access-list inside-2_nat0_outbound
route outside 0.0.0.0 0.0.0.0 211.143.244.17 1
route inside-1 192.168.0.0 255.255.0.0 172.16.1.1 1
route inside-2 192.168.0.0 255.255.0.0 172.16.2.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server hys protocol radius
group-policy bsoft internal
group-policy hys internal
group-policy ge internal
group-policy ydjt internal
username hys1 password a0/Gs9lUAItoVNZ0 encrypted
username hys1 attributes
vpn-group-policy ydjt
webvpn
username hys01 password WJtuEGYrWtLdYkBL encrypted
username hys01 attributes
vpn-group-policy hys
vpn-tunnel-protocol IPSec
webvpn
username test password P4ttSyrm33SV8TYp encrypted
username gemg password MWfk9mbZNvZYzCXp encrypted
username gemg attributes
vpn-group-policy ge
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
http server enable
http 192.168.8.222 255.255.255.255 inside-1
http 192.168.8.240 255.255.255.255 inside-1
http 192.168.8.34 255.255.255.255 inside-1
http 192.168.8.241 255.255.255.255 inside-1
http 192.168.50.200 255.255.255.255 inside-1
http 192.168.8.150 255.255.255.255 inside-1
http 172.16.1.3 255.255.255.255 inside-1
http 192.168.8.222 255.255.255.255 inside-2
http 192.168.8.240 255.255.255.255 inside-2
http 192.168.8.34 255.255.255.255 inside-2
http 192.168.8.241 255.255.255.255 inside-2
http 192.168.50.200 255.255.255.255 inside-2
http 192.168.8.150 255.255.255.255 inside-2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group bsoft type ipsec-ra
tunnel-group bsoft general-attributes
address-pool vpn-pool
default-group-policy bsoft
tunnel-group bsoft ipsec-attributes
pre-shared-key *
tunnel-group ydjt type ipsec-ra
tunnel-group ydjt general-attributes
address-pool vpn-pool
default-group-policy ydjt
tunnel-group ydjt ipsec-attributes
pre-shared-key *
tunnel-group ge type ipsec-ra
tunnel-group ge general-attributes
address-pool vpn-pool
default-group-policy ge
tunnel-group ge ipsec-attributes
pre-shared-key *
tunnel-group hys type ipsec-ra
tunnel-group hys general-attributes
address-pool vpn-pool
default-group-policy hys
tunnel-group hys ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tftp-server inside-1 192.168.8.150 asdm512.bin
Cryptochecksum:40cdf8978bbbb04b172ed3683fac1d7b
: end
ciscoas

cxyonline · 发表于 2008-1-2 09:48:01

唉，怎么附件不存在呢，管理员请查询一下

network · 发表于 2008-1-2 10:15:28

有啊，是你权限不够

ymynet · 发表于 2008-1-3 08:44:20

高老师正需要这个呢！

账号		自动登录	找回密码
密码			注册