Configuration Reference
This chapter provides the test bed diagram and the device configurations used in the tests that support this guide. The chapter is broken down into two main sections, Integrated Services Design Configurations and Services Switch Design Configurations.
Integrated Services Design Configurations
The following configurations were used in testing the integrated services design:
• Core Switch 1
• Aggregation Switch 1
• Core Switch 2
• Aggregation Switch 2
• Access Switch 4948-7
• Access Switch 4948-8
• Access Switch 6500-1
• FWSM 1 - Aggregation Switch 1 and 2
Figure 8-1 shows the test bed used without services switches.
Figure 8-1 Integrated Services Configuration Test Bed
Core Switch 1
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service counters max age 10
!
hostname CORE1
!
boot system sup-bootflash:s720_18SXD3.bin
logging snmp-authfail
enable secret 5 $1$3OjN$l/80W4JIQJf7l7fRlS7A2.
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
vtp domain datacenter
vtp mode transparent
udld enable
ip subnet-zero
no ip source-route
!
!
no ip ftp passive
no ip domain-lookup
ip domain-name cisco.com
!
no ip bootp server
ip multicast-routing
mls ip cef load-sharing full simple
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 2
!
vlan 15
name testgear
!
vlan 16
name testgear2
!
vlan 20
name DNS-CA
!
vlan 802
name mgmt_vlan
!
!
interface Loopback0
ip address 10.10.3.3 255.255.255.0
!
interface Port-channel1
description to 4948-1 testgear
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface Port-channel2
description to 4948-4 testgear
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface GigabitEthernet3/33
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet3/34
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet3/41
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet3/42
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
!
interface TenGigabitEthernet4/1
description to Agg1
ip address 10.10.20.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet4/2
description to Agg2
ip address 10.10.30.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet4/3
description to core2
ip address 10.10.55.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface GigabitEthernet6/1
no ip address
shutdown
!
interface GigabitEthernet6/2
********************
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
description test_client_subnet
ip address 10.20.15.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan16
description test_client_subnet2
ip address 10.20.16.2 255.255.255.0
no ip redirects
no ip proxy-arp
!
router ospf 10
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 10 authentication message-digest
area 10 nssa default-information-originate
timers throttle spf 1000 1000 1000
passive-interface default
no passive-interface TenGigabitEthernet4/1
no passive-interface TenGigabitEthernet4/2
no passive-interface TenGigabitEthernet4/3
network 10.10.3.0 0.0.0.255 area 10
network 10.10.20.0 0.0.0.255 area 10
network 10.10.30.0 0.0.0.255 area 10
network 10.10.55.0 0.0.0.255 area 10
network 10.20.15.0 0.0.0.255 area 0
network 10.20.16.0 0.0.0.255 area 0
!
ip classless
no ip http server
ip pim send-rp-discovery scope 2
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 60 0
password 7 05080F1C2243
login local
transport input telnet ssh
!
ntp authentication-key 1 md5 02050D480809 7
ntp trusted-key 1
ntp clock-period 17180053
ntp master 1
ntp update-calendar
end
Aggregation Switch 1
Current configuration : 22460 bytes
!
! No configuration change since last restart
!
upgrade fpd auto
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service counters max age 10
!
hostname Aggregation-1
!
boot system disk0:s720_18SXD3.bin
logging snmp-authfail
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1
firewall vlan-group 1 5-6,20,100,101,105-106
analysis module 9 management-port access-vlan 20
analysis module 9 data-port 1 capture allowed-vlan 5,6,105,106
analysis module 9 data-port 2 capture allowed-vlan 106
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
!
!
!
ip multicast-routing
udld enable
udld message time 7
vtp domain datacenter
vtp mode transparent
mls ip cef load-sharing full
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls acl tcam default-result permit
no mls acl tcam share-global
mls cef error action freeze
!
redundancy
mode sso
main-cpu
auto-sync running-config
auto-sync standard
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 24576
module ContentSwitchingModule 3
ft group 1 vlan 102
priority 20
heartbeat-time 1
failover 3
preempt
!
vlan 44 server
ip address 10.20.44.42 255.255.255.0
gateway 10.20.44.1
alias 10.20.44.44 255.255.255.0
!
probe RHI icmp
interval 3
failed 10
!
serverfarm SERVER200
nat server
no nat client
real 10.20.6.56
inservice
probe RHI
!
serverfarm SERVER201
nat server
no nat client
real 10.20.6.25
inservice
probe RHI
!
vserver SERVER200
virtual 10.20.6.200 any
vlan 44
serverfarm SERVER200
advertise active
sticky 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
!
vserver SERVER201
virtual 10.20.6.201 any
vlan 44
serverfarm SERVER201
advertise active
sticky 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
!
port-channel load-balance src-dst-port
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 3
name AGG1_to_AGG2_L3-OSPF
!
vlan 5
!
vlan 6
name Webapp_Inside
!
vlan 7
!
vlan 10
name Database_Inside
!
vlan 20
!
vlan 44
name CSM_Onearm_Server_VLAN
!
vlan 45
name Service_switch_CSM_Onearm
!
vlan 46
name SERV-CSM2-onearm
!
vlan 100
name AGG_FWSM_failover_interface
!
vlan 101
name AGG_FWSM_failover_state
!
vlan 102
name AGG_CSM_FT_Vlan
!
vlan 106
name WebappOutside
!
vlan 110
name DatabaseOutside
!
interface Loopback0
ip address 10.10.1.1 255.255.255.0
!
interface Null0
no ip unreachables
!
interface Port-channel1
description ETHERCHANNEL_TO_AGG2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-4094
switchport mode trunk
no ip address
logging event link-status
arp timeout 200
spanning-tree guard loop
!
interface Port-channel10
description to SERVICE_SWITCH1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard loop
!
interface Port-channel12
description to SERVICE_SWITCH2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard loop
!
!
interface GigabitEthernet1/13
description to Service_1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
channel-protocol lacp
channel-group 10 mode active
!
interface GigabitEthernet1/14
description to Service_1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
channel-protocol lacp
channel-group 10 mode active
!
interface GigabitEthernet1/19
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-5,7-105,107-300,1010-1110
switchport mode trunk
no ip address
channel-protocol lacp
channel-group 12 mode active
!
!
interface GigabitEthernet5/1
***************
!
interface GigabitEthernet5/2
****************
!
interface GigabitEthernet6/1
no ip address
shutdown
!
interface GigabitEthernet6/2
no ip address
shutdown
media-type rj45
!
interface TenGigabitEthernet7/2
description to Core2
ip address 10.10.40.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 112A481634424A
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet7/3
description to Core1
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 15315A1F277A6A
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet7/4
description TO_ACCESS1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 105
switchport mode trunk
no ip address
logging event link-status
!
interface TenGigabitEthernet8/1
description TO_AGG2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-4094
switchport mode trunk
no ip address
logging event link-status
channel-protocol lacp
channel-group 1 mode active
!
interface TenGigabitEthernet8/2
description TO_4948-7
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 106
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard root
!
interface TenGigabitEthernet8/3
description TO_4948-8
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 106
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard root
!
interface TenGigabitEthernet8/4
description TO_AGG2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-4094
switchport mode trunk
no ip address
logging event link-status
channel-protocol lacp
channel-group 1 mode active
!
interface Vlan1
no ip address
shutdown
!
interface Vlan3
description AGG1_to_AGG2_L3-RP
bandwidth 10000000
ip address 10.10.110.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface Vlan6
description Outside_Webapp_Tier
ip address 10.20.6.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map csmpbr
ntp disable
standby 1 ip 10.20.6.1
standby 1 timers 1 3
standby 1 priority 120
standby 1 preempt delay minimum 60
!
!
interface Vlan44
description AGG_CSM_Onearm
ip address 10.20.44.2 255.255.255.0
no ip redirects
no ip proxy-arp
standby 1 ip 10.20.44.1
standby 1 timers 1 3
standby 1 priority 120
standby 1 preempt delay minimum 60
!
router ospf 10
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 10 authentication message-digest
area 10 nssa
timers throttle spf 1000 1000 1000
redistribute static subnets route-map rhi
passive-interface default
no passive-interface Vlan3
no passive-interface TenGigabitEthernet7/2
no passive-interface TenGigabitEthernet7/3
network 10.10.1.0 0.0.0.255 area 10
network 10.10.20.0 0.0.0.255 area 10
network 10.10.40.0 0.0.0.255 area 10
network 10.10.110.0 0.0.0.255 area 10
! distribute-lists applied for PBR testing purposes
distribute-list 1 in TenGigabitEthernet7/2
distribute-list 1 in TenGigabitEthernet7/3
!
ip classless
ip pim accept-rp auto-rp
!
access-list 1 deny 10.20.16.0
access-list 1 deny 10.20.15.0
access-list 1 permit any
access-list 44 permit 10.20.6.200 log
access-list 44 permit 10.20.6.201 log
!
route-map csmpbr permit 10
set ip default next-hop 10.20.44.44
!
route-map rhi permit 10
match ip address 44
set metric-type type-1
!
privilege exec level 1 show
!
line con 0
exec-timeout 0 0
password 7 110D1A16021F060510
login local
line vty 0 4
no motd-banner
exec-timeout 0 0
password 7 110D1A16021F060510
login local
transport input telnet ssh
!
!
no monitor session servicemodule
ntp authentication-key 1 md5 104D000A0618 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179928
ntp update-calendar
ntp server *********.42 key 1
end
Core Switch 2
Current configuration : 10867 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service counters max age 10
!
hostname CORE2
!
boot system sup-bootflash:s720_18SXD3.bin
enable secret 5 $1$k2Df$vfhT/CMz0IqFqluRCENw//
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
vtp domain datacenter
vtp mode transparent
udld enable
!
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
ip domain-name cisco.com
!
no ip bootp server
ip multicast-routing
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
power redundancy-mode combined
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 2,15-16
!
!
interface Loopback0
ip address 10.10.4.4 255.255.255.0
!
interface Port-channel1
description to 4948-1
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface Port-channel2
description to 4948-4
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface GigabitEthernet2/9
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet2/10
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet2/13
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet2/14
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
!
interface TenGigabitEthernet4/1
description to Agg1
ip address 10.10.40.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet4/2
description to Agg2
ip address 10.10.50.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet4/3
description to core1
ip address 10.10.55.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface GigabitEthernet6/1
no ip address
shutdown
!
interface GigabitEthernet6/2
*****************
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
ip address 10.20.15.2 255.255.255.0
!
interface Vlan16
description test_client_subnet
ip address 10.20.16.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
router ospf 10
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 10 authentication message-digest
area 10 nssa default-information-originate
timers throttle spf 1000 1000 1000
passive-interface default
no passive-interface TenGigabitEthernet4/1
no passive-interface TenGigabitEthernet4/2
no passive-interface TenGigabitEthernet4/3
no passive-interface TenGigabitEthernet4/4
network 10.10.4.0 0.0.0.255 area 10
network 10.10.40.0 0.0.0.255 area 10
network 10.10.50.0 0.0.0.255 area 10
network 10.10.55.0 0.0.0.255 area 10
network 10.20.15.0 0.0.0.255 area 0
network 10.20.16.0 0.0.0.255 area 0
!
ip classless
no ip http server
ip pim send-rp-discovery scope 2
!
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 60 0
password cisco
login local
transport input telnet ssh
!
ntp authentication-key 1 md5 104D000A0618 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179940
ntp update-calendar
ntp server ********* key 1
end
Aggregation Switch 2
Current configuration : 18200 bytes
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec
no service password-encryption
service counters max age 10
!
hostname Aggregation-2
!
boot system disk0:s720_18SXD3.bin
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1
firewall vlan-group 1 5,6,20,100,101,105,106
vtp domain datacenter
vtp mode transparent
udld enable
!
udld message time 7
!
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
!
!
ip multicast-routing
no ip igmp snooping
mls ip cef load-sharing full
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls acl tcam default-result permit
mls cef error action freeze
!
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 28672
port-channel load-balance src-dst-port
module ContentSwitchingModule 3
ft group 1 vlan 102
priority 10
heartbeat-time 1
failover 3
preempt
!
vlan 44 server
ip address 10.20.44.43 255.255.255.0
gateway 10.20.44.1
alias 10.20.44.44 255.255.255.0
!
probe RHI icmp
interval 3
failed 10
!
serverfarm SERVER200
nat server
no nat client
real 10.20.6.56
inservice
probe RHI
!
serverfarm SERVER201
nat server
no nat client
real 10.20.6.25
inservice
probe RHI
!
vserver SERVER200
virtual 10.20.6.200 any
vlan 44
serverfarm SERVER200
advertise active
sticky 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
!
vserver SERVER201
virtual 10.20.6.201 any
vlan 44
serverfarm SERVER201
advertise active
sticky 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
!
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 3
name AGG1_to_AGG2_L3-RP
!
vlan 5
name Outside_Webapp
!
vlan 6
name Outside_Webapp
!
!
vlan 10
name Outside_Database_Tier
!
vlan 20
!
vlan 44
name AGG_CSM_Onearm
!
vlan 45
name Service_switch_CSM_Onearm
!
vlan 46
name SERV-CSM2-onearm
!
vlan 100
name AGG_FWSM_failover_interface
!
vlan 101
name AGG_FWSM_failover_state
!
vlan 102
name AGG_CSM_FT_Vlan
!
vlan 105
name Inside_Webapp_Tier
!
vlan 106
name Inside_Webapp
!
vlan 110
name Inside_Database_Tier
!
!
interface Loopback0
ip address 10.10.2.2 255.255.255.0
!
interface Null0
no ip unreachables
!
interface Port-channel1
description ETHERCHANNEL_TO_AGG1
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-299,301-4094
switchport mode trunk
arp timeout 200
spanning-tree guard loop
!
interface Port-channel11
description to SERVICE_SWITCH1
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface Port-channel13
description to SERVICE_SWITCH2
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface GigabitEthernet1/13
description to Service_2
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 13 mode active
!
interface GigabitEthernet1/14
description to Service_2
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 13 mode active
!
interface GigabitEthernet1/19
description to Service_1
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 11 mode active
!
interface GigabitEthernet1/20
description to Service_1
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 11 mode active
!
interface GigabitEthernet5/1
!
interface GigabitEthernet5/2
************
!
interface TenGigabitEthernet7/2
description to Core2
ip address 10.10.50.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet7/3
description to Core1
ip address 10.10.30.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet7/4
description TO_ACCESS1
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 5,6
switchport mode trunk
channel-protocol lacp
!
interface TenGigabitEthernet8/1
description TO_AGG1
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-299,301-4094
switchport mode trunk
channel-protocol lacp
channel-group 1 mode passive
!
!
interface TenGigabitEthernet8/3
description TO_4948-8
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 106
switchport mode trunk
spanning-tree guard root
!
interface TenGigabitEthernet8/4
description TO_AGG1
no ip address
logging event link-status
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-299,301-4094
switchport mode trunk
channel-protocol lacp
channel-group 1 mode passive
!
interface Vlan1
no ip address
shutdown
!
interface Vlan3
description AGG1_to_AGG2_L3-RP
bandwidth 10000000
ip address 10.10.110.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface Vlan5
description Outside_Webapp_Tier
no ip address
no ip redirects
ntp disable
standby 1 ip 10.20.5.1
standby 1 timers 1 3
standby 1 priority 115
standby 1 preempt delay minimum 60
!
interface Vlan6
ip address 10.20.6.3 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map csmpbr
ntp disable
standby 1 ip 10.20.6.1
standby 1 timers 1 3
standby 1 priority 115
standby 1 preempt delay minimum 60
!
interface Vlan44
description AGG_CSM_Onearm
ip address 10.20.44.3 255.255.255.0
no ip redirects
no ip proxy-arp
standby 1 ip 10.20.44.1
standby 1 timers 1 3
standby 1 priority 115
standby 1 preempt delay minimum 60
!
!
router ospf 10
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 10 authentication message-digest
area 10 nssa
timers throttle spf 1000 1000 1000
redistribute static subnets route-map rhi
passive-interface default
no passive-interface Vlan3
no passive-interface TenGigabitEthernet7/2
no passive-interface TenGigabitEthernet7/3
network 10.10.2.0 0.0.0.255 area 10
network 10.10.30.0 0.0.0.255 area 10
network 10.10.50.0 0.0.0.255 area 10
network 10.10.110.0 0.0.0.255 area 10
distribute-list 1 in TenGigabitEthernet7/2
distribute-list 1 in TenGigabitEthernet7/3
!
ip classless
ip pim accept-rp auto-rp
!
access-list 1 deny 10.20.16.0
access-list 1 deny 10.20.15.0
access-list 1 permit any
access-list 44 permit 10.20.6.200 log
access-list 44 permit 10.20.6.201 log
!
route-map csmpbr permit 10
set ip default next-hop 10.20.44.44
!
route-map rhi permit 10
match ip address 44
set metric +40
set metric-type type-1
!
line con 0
exec-timeout 0 0
password dcsummit
login local
line vty 0 4
exec-timeout 0 0
password dcsummit
login local
transport input telnet ssh
transport output pad telnet ssh acercon
!
no monitor session servicemodule
ntp authentication-key 1 md5 08701C1A2D495547335B5A5572 7
ntp authenticate
ntp clock-period 17179998
ntp update-calendar
ntp server *********** key 1
end
Access Switch 4948-7
Current configuration : 4612 bytes
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
service compress-config
!
hostname 4948-7
!
boot-start-marker
boot system bootflash:cat4000-i5k91s-mz.122-25.EWA2.bin
boot-end-marker
!
logging snmp-authfail
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
vtp domain datacenter
vtp mode transparent
udld enable
ip subnet-zero
no ip source-route
no ip domain-lookup
ip domain-name cisco.com
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
port-channel load-balance src-dst-port
power redundancy-mode redundant
!
!
!
vlan internal allocation policy descending
vlan dot1q tag native
!
vlan 5-6
!
vlan 105
name Outside_Webapp
!
vlan 106
name Outside_Webapp
!
vlan 110
name Outside_Database_Tier
!
interface Port-channel1
description inter_4948
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
logging event link-status
!
! same configuration applied to all server-facing access ports
interface GigabitEthernet1/1
switchport access vlan 106
switchport mode access
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/45
description to 4948-8
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet1/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet1/47
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet1/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!
interface TenGigabitEthernet1/49
description to_AGG1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface TenGigabitEthernet1/50
shutdown
!
interface Vlan1
no ip address
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0 4
exec-timeout 0 0
password dcsummit
login local
!
ntp authenticate
ntp trusted-key 1
ntp update-calendar
ntp server *********** key 1
!
end
Access Switch 4948-8
Current configuration : 4646 bytes
!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
service compress-config
!
hostname 4948-8
!
boot-start-marker
boot system bootflash:cat4000-i5k91s-mz.122-25.EWA2.bin
boot-end-marker
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
vtp domain datacenter
vtp mode transparent
udld enable
!
ip subnet-zero
no ip source-route
no ip domain-lookup
ip domain-name cisco.com
!
no ip bootp server
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
port-channel load-balance src-dst-port
power redundancy-mode redundant
!
!
vlan internal allocation policy descending
vlan dot1q tag native
!
vlan 2,5-6
!
vlan 105
name Outside_Webapp_Tier
!
vlan 106
name Outside_Webapp_Tier
!
vlan 110
name Outside_Database_Tier
!
interface Port-channel1
description inter_4948
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
logging event link-status
!
! same configuration applied to all server-facing access ports
interface GigabitEthernet1/1
switchport access vlan 106
switchport trunk encapsulation dot1q
switchport mode access
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/45
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode passive
!
interface GigabitEthernet1/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode passive
!
interface GigabitEthernet1/47
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode passive
!
interface GigabitEthernet1/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
channel-protocol lacp
channel-group 1 mode passive
!
interface TenGigabitEthernet1/49
shutdown
!
interface TenGigabitEthernet1/50
description to_AGG2
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0 4
exec-timeout 0 0
password dcsummit
login local
!
ntp authenticate
ntp trusted-key 1
ntp update-calendar
ntp server ********* key 1
!
end
Access Switch 6500-1
Current configuration : 11074 bytes
!
! Last configuration change at 13:33:08 PST Thu Feb 9 2006
! NVRAM config last updated at 16:58:39 PST Thu Nov 17 2005
!
upgrade fpd auto
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service counters max age 10
!
hostname ACCESS1-6500
!
boot system sup-bootflash:s720_18SXD3.bin
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
ip subnet-zero
no ip source-route
!
!
!
no ip bootp server
ip domain-list cisco.com
no ip domain-lookup
ip domain-name cisco.com
udld enable
!
udld message time 7
!
vtp domain datacenter
vtp mode transparent
no mls acl tcam share-global
mls cef error action freeze
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
!
power redundancy-mode combined
no diagnostic cns publish
no diagnostic cns subscribe
fabric buffer-reserve queue
port-channel load-balance src-dst-port
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 5
name Outside_Webapp_Tier
!
vlan 105
name Outside_Webapp_Tier
!
vlan 110
name Outside_Database_Tier
!
interface TenGigabitEthernet1/1
description to_AGG1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
logging event link-status
!
interface TenGigabitEthernet1/2
description to_AGG2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
logging event link-status
logging event spanning-tree status
!
interface GigabitEthernet2/1 (all test ports)
description webapp_penguin_kvm5
switchport
switchport access vlan 5
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
!
interface Vlan1
no ip address
shutdown
!
no ip http server
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password 7 05080F1C2243
login local
transport input telnet ssh
!
no monitor event-trace timestamps
ntp authentication-key 1 md5 110A1016141D 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179938
ntp update-calendar
ntp server *********** key 1
no cns aaa enable
end
FWSM 1-Aggregation Switch 1 and 2
FWSM Version 2.3(2) <system>
firewall transparent
resource acl-partition 12
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FWSM1-AGG1and2
ftp mode passive
pager lines 24
logging buffer-size 4096
logging console debugging
class default
limit-resource PDM 5
limit-resource All 0
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource SSH 5
limit-resource Telnet 5
!
failover
failover lan unit primary
failover lan interface failover vlan 100
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover interface-policy 100%
failover replication http
failover link state vlan 101
failover interface ip failover 10.20.100.1 255.255.255.0 standby 10.20.100.2
failover interface ip state 10.20.101.1 255.255.255.0 standby 10.20.101.2
arp timeout 14400
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00
h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
sysopt nodnsalias inbound
sysopt nodnsalias outbound
terminal width 511
admin-context admin
context admin
allocate-interface vlan20 outside
config-url disk:/admin.cfg
!
context vlan6-106
description vlan6-106 context
allocate-interface vlan6 outside
allocate-interface vlan106 inside
config-url disk:/vlan6-106.cfg
!
Cryptochecksum:a73fe039e4dbeb45a9c6730bc2a55201
: end
[OK]
FWSM1-AGG1and2# ch co vlan6-106
FWSM1-AGG1and2/vlan6-106# wr t
Building configuration...
: Saved
:
FWSM Version 2.3(2) <context>
firewall transparent
nameif outside vlan6 security0
nameif inside vlan106 security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname vlan6-106
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list IP extended permit ip any any
access-list IP extended permit icmp any any
access-list BPDU ethertype permit bpdu
pager lines 24
logging on
logging timestamp
logging buffer-size 4096
logging trap informational
logging device-id hostname
mtu vlan6 1500
mtu vlan106 1500
ip address 10.20.6.104 255.255.255.0 standby 10.20.6.105
icmp permit any vlan6
icmp permit any vlan106
no pdm history enable
arp timeout 14400
access-group BPDU in interface vlan6
access-group IP in interface vlan6
access-group BPDU in interface vlan106
access-group IP in interface vlan106
!
interface vlan6
!
!
interface vlan106
!
!
route vlan6 0.0.0.0 0.0.0.0 10.20.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00
h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 vlan6
fragment chain 24 vlan6
fragment size 200 vlan106
fragment chain 24 vlan106
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 vlan6
ssh timeout 60
terminal width 511
Cryptochecksum:00000000000000000000000000000000
: end
[OK]
FWSM1-AGG1and2/vlan6-106# ch co admin
FWSM1-AGG1and2/admin# wr t
Building configuration...
: Saved
:
FWSM Version 2.3(2) <context>
firewall transparent
nameif outside vlan20 security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname admin
domain-name example.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list IP extended permit ip any any
access-list IP extended permit icmp any any
access-list IP extended permit udp any any
access-list BPDU ethertype permit bpdu
pager lines 24
logging on
logging timestamp
logging buffer-size 4096
logging trap informational
logging device-id hostname
mtu vlan20 1500
ip address *********.34 255.255.255.0 standby *********.35
icmp permit any vlan20
no pdm history enable
arp timeout 14400
access-group IP in interface vlan20
!
interface vlan20
!
!
route vlan20 0.0.0.0 0.0.0.0 *********.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00
h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username mshinn password fgXai3fBCmTT1r2e encrypted privilege 15
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 vlan20
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 vlan20
fragment chain 24 vlan20
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh 0.0.0.
Services Switch Design Configurations
The following configurations were used in support of the service chassis testing:
•Core Switch 1
•Core Switch 2
•Distribution Switch 1
•Distribution Switch 2
•Service Switch 1
•Service Switch 2
•Access Switch 6500
•ACE and FWSM
Figure 8-2 shows the test bed used with services switches.
Figure 8-2 Service Switches Configuration Test Bed
Core Switch 1
hostname dcb-core-1
!
boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF9.bin
!
no aaa new-model
clock timezone EDT -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
!
no ip bootp server
ip multicast-routing
no ip domain-lookup
ip domain-name ese.cisco.com
udld enable
vtp domain datacenter
vtp mode transparent
mls ip cef load-sharing full simple
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
!
redundancy
mode sso
main-cpu
auto-sync running-config
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
!
fabric buffer-reserve queue
port-channel per-module load-balance
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
interface Loopback0
ip address 10.151.1.10 255.255.255.255
!
interface TenGigabitEthernet1/2
description To DCb-Dist-1 - Ten 1/8
ip address 10.160.1.1 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet1/3
description to DCB-Dist-2 Ten 1/8
ip address 10.160.1.5 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface TenGigabitEthernet1/4
description TO DCB-Core-2 - Ten 1/4
ip address 10.199.0.5 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface GigabitEthernet6/1
description flashnet
ip address 10.150.1.3 255.255.255.0
no mop enabled
media-type rj45
!
interface GigabitEthernet6/2
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 2
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 0 authentication message-digest
area 0 nssa default-information-originate
area 0 range 10.199.0.0 255.255.0.0
area 2 authentication message-digest
area 2 nssa default-information-originate
area 2 range 10.160.0.0 255.255.255.0
area 2 range 10.161.0.0 255.255.0.0
area 2 range 10.151.1.0 255.255.255.0
timers throttle spf 1000 1000 1000
passive-interface default
no passive-interface TenGigabitEthernet1/1
no passive-interface TenGigabitEthernet1/2
no passive-interface TenGigabitEthernet1/3
no passive-interface TenGigabitEthernet1/4
network 10.160.1.0 0.0.0.3 area 2
network 10.161.0.0 0.0.0.3 area 2
network 10.199.0.0 0.0.0.3 area 0
!
ip classless
!
no ip http server
!
snmp-server community public RO
snmp-server community cisco RW
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
exec-timeout 0 0
password cisco
login
line vty 5 15
exec-timeout 0 0
password cisco
login
!
no cns aaa enable
end
Core Switch 2
hostname dcb-core-2
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
!
boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF9.bin
!
no ip ftp passive
no ip bootp server
ip multicast-routing
no ip domain-lookup
ip domain-name cisco.com
udld enable
!
vtp domain datacenter
vtp mode transparent
mls ip cef load-sharing full simple
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
!
redundancy
mode sso
main-cpu
auto-sync running-config
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
!
fabric buffer-reserve queue
port-channel per-module load-balance
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
interface Loopback0
ip address 10.151.1.11 255.255.255.255
!
interface TenGigabitEthernet1/2
description To DCb-Dist-1 - Ten 1/7
ip address 10.160.1.9 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
load-interval 30
!
interface TenGigabitEthernet1/3
description To DCb-Dist-2 - Ten 1/7
ip address 10.160.1.13 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
load-interval 30
!
interface TenGigabitEthernet1/4
description DCB-Core-1 - Ten 1/4
ip address 10.199.0.6 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
!
interface GigabitEthernet6/1
description flashnet
ip address 10.150.1.4 255.255.255.0
media-type rj45
!
interface GigabitEthernet6/2
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 2
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 0 authentication message-digest
area 0 nssa default-information-originate
area 0 range 10.199.0.0 255.255.0.0
area 2 authentication message-digest
area 2 nssa default-information-originate
area 2 range 10.160.0.0 255.255.0.0
area 2 range 10.161.0.0 255.255.0.0
area 2 range 10.151.1.0 255.255.255.0
timers throttle spf 1000 1000 1000
passive-interface default
no passive-interface TenGigabitEthernet1/1
no passive-interface TenGigabitEthernet1/2
no passive-interface TenGigabitEthernet1/4
no passive-interface TenGigabitEthernet1/3
network 10.160.1.0 0.0.0.3 area 2
network 10.161.0.0 0.0.0.3 area 2
network 10.199.0.0 0.0.0.3 area 0
!
ip classless
!
no ip http server
!
snmp-server community public RO
snmp-server community cisco RW
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
exec-timeout 0 0
password cisco
login
line vty 5 15
exec-timeout 0 0
password cisco
login
!
no cns aaa enable
end
Distribution Switch 1
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 5
!
hostname dcb-Dist-1
!
boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin
enable secret 5 $1$wVQ/$8nsaKkBneJbHVrph5VnS41
enable password cisco
!
no aaa new-model
clock timezone EDT -5
clock summer-time EDT recurring
vtp domain datacenter
vtp mode transparent
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
!
no ip domain-lookup
ip domain-name cisco.com
ip multicast-routing
no ip igmp snooping
!
udld enable
udld message time 7
no mls flow ip
mls acl tcam default-result permit
no mls acl tcam share-global
mls ip cef load-sharing full simple
mls ip multicast flow-stat-timer 9
mls cef error action freeze
!
fabric switching-mode force bus-mode
fabric buffer-reserve queue
port-channel per-module load-balance
port-channel load-balance src-dst-port
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
mode sso
main-cpu
auto-sync running-config
!
power redundancy-mode combined
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 24576
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 2-7,106,107,206,207
!
no crypto ipsec nat-transparency udp-encaps
!
interface Loopback0
ip address 10.151.1.12 255.255.255.255
!
interface TenGigabitEthernet1/1
description to_dcb-Acc-1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard loop
!
interface TenGigabitEthernet1/2
description dcb-dist2-6k Te1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard loop
!
interface TenGigabitEthernet1/5
description dcb-svc1-6k Te9/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet1/6
description dcb-svc2-6k Te9/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet1/7
description dcb-core-2 Te1/2
ip address 10.160.1.10 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
load-interval 30
!
interface TenGigabitEthernet1/8
description dcb-core-1 Te1/2
ip address 10.160.1.2 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
load-interval 30
!
interface Vlan7
ip address 10.80.1.2 255.255.0.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip route-cache flow
logging event link-status
load-interval 30
standby 1 ip 10.80.1.1
standby 1 timers 1 3
standby 1 priority 51
standby 1 preempt delay minimum 120
!
router ospf 2
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 2 authentication message-digest
area 2 nssa default-information-originate
area 2 range 10.151.1.0 255.255.255.0
area 2 range 10.151.0.0 255.255.0.0
area 2 range 10.160.0.0 255.255.255.0
area 2 range 10.161.0.0 255.255.0.0
timers throttle spf 1000 1000 1000
redistribute static subnets route-map rhi
passive-interface default
no passive-interface TenGigabitEthernet1/7
no passive-interface TenGigabitEthernet1/8
no passive-interface GigabitEthernet3/24
network 10.74.0.0 0.0.255.255 area 2
network 10.80.0.0 0.0.255.255 area 2
network 10.81.0.0 0.0.255.255 area 2
network 10.151.1.0 0.0.0.0 area 2
network 10.151.0.0 0.0.255.255 area 2
network 10.160.1.0 0.0.0.255 area 2
network 10.161.0.0 0.0.0.0 area 2
!
ip classless
!
no ip http server
!
snmp-server community public RO
snmp-server community cisco RW
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
password cisco
login
!
exception core-file
no cns aaa enable
end
Distribution Switch 2
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 5
!
hostname dcb-Dist-2
!
boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin
enable secret 5 $1$VUjJ$onovPQGW3pDtcxU2GlqY5.
enable password cisco
!
no aaa new-model
clock timezone EDT -5
clock summer-time EDT recurring
vtp domain datacenter
vtp mode transparent
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
!
no ip domain-lookup
ip domain-name cisco.com
ip multicast-routing
no ip igmp snooping
!
udld enable
udld message time 7
no mls flow ip
mls acl tcam default-result permit
no mls acl tcam share-global
mls ip cef load-sharing full
mls ip multicast flow-stat-timer 9
mls cef error action freeze
!
fabric switching-mode force bus-mode
fabric buffer-reserve queue
port-channel per-module load-balance
port-channel load-balance src-dst-port
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
mode sso
main-cpu
auto-sync running-config
!
power redundancy-mode combined
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 28672
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 2-7,106,107,206,207
!
no crypto ipsec nat-transparency udp-encaps
!
interface Loopback0
ip address 10.151.1.13 255.255.255.255
!
!
interface TenGigabitEthernet1/1
description to_dcb-Acc-1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard loop
!
interface TenGigabitEthernet1/2
description dcb-dist1-6k Te1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
spanning-tree guard loop
!
!
interface TenGigabitEthernet1/4
no ip address
!
interface TenGigabitEthernet1/5
description dcb-svc1-6k Te9/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet1/6
description dcb-svc2-6k Te9/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet1/7
description dcb-core-2 Te1/2
ip address 10.160.1.14 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
load-interval 30
!
interface TenGigabitEthernet1/8
description dcb-core-1 Te1/2
ip address 10.160.1.6 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 C1sC0!
ip ospf hello-interval 2
ip ospf dead-interval 6
logging event link-status
load-interval 30
!
!
interface Vlan7
ip address 10.80.1.3 255.255.0.0
no ip redirects
no ip proxy-arp
ip flow ingress
logging event link-status
load-interval 30
standby 1 ip 10.80.1.1
standby 1 timers 1 3
standby 1 priority 50
standby 1 preempt
!
router ospf 2
log-adjacency-changes
auto-cost reference-bandwidth 1000000
nsf
area 2 authentication message-digest
area 2 nssa default-information-originate
area 2 range 10.151.0.0 255.255.0.0
area 2 range 10.160.0.0 255.255.255.0
area 2 range 10.161.0.0 255.255.0.0
timers throttle spf 1000 1000 1000
redistribute static subnets route-map rhi
passive-interface default
no passive-interface TenGigabitEthernet1/7
no passive-interface TenGigabitEthernet1/8
no passive-interface GigabitEthernet3/24
network 10.80.0.0 0.0.255.255 area 2
network 10.81.0.0 0.0.255.255 area 2
network 10.151.0.0 0.0.255.255 area 2
network 10.160.1.0 0.0.0.0 area 2
network 10.160.1.0 0.0.0.255 area 2
network 10.161.0.0 0.0.0.0 area 2
network 10.161.0.0 0.0.255.255 area 2
!
ip classless
!
no ip http server
!
snmp-server community public RO
snmp-server community cisco RW
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
password cisco
login
!
exception core-file
no cns aaa enable
end
Service Switch 1
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 5
!
hostname Svc-1
boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin
!
enable secret 5 $1$rPXa$F4EKAVs1cCaD.X5WG68iK0
enable password cisco
!
no aaa new-model
ip subnet-zero
!
ipv6 mfib hardware-switching replication-mode ingress
vtp domain datacenter
vtp mode transparent
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
!
redundancy
mode sso
main-cpu
auto-sync running-config
spanning-tree mode pvst
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric buffer-reserve queue
port-channel per-module load-balance
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 2-7,106,107,206,207
!
svclc autostate
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 1,2
svclc vlan-group 1 6,206,207
svclc vlan-group 2 106,107
svclc vlan-group 3 3,4,5,7
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 2,3
!
interface Loopback0
ip address 10.151.1.17 255.255.255.255
!
!
interface TenGigabitEthernet9/1
description conx to dist1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet9/2
description conx to dist2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet9/3
description connx to svc2 switch
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 4,5,6
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
!
no ip http server
!
snmp-server community public RO
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
password cisco
login
!
no cns aaa enable
end
Service Switch 2
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 5
!
hostname Svc-2
boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF10.bin
!
enable secret 5 $1$lB0P$HAIQrXSPQjLQtTDklRg2V.
enable password cisco
!
no aaa new-model
ip subnet-zero
!
ipv6 mfib hardware-switching replication-mode ingress
vtp domain datacenter
vtp mode transparent
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
!
redundancy
mode sso
main-cpu
auto-sync running-config
spanning-tree mode pvst
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric buffer-reserve queue
port-channel per-module load-balance
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 2-7,106,107,206,207
!
svclc autostate
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 1,2
svclc vlan-group 1 6,206,207
svclc vlan-group 2 106,107
svclc vlan-group 3 3,4,5,7
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 2,3
!
interface Loopback0
ip address 10.151.1.18 255.255.255.255
!
!
interface TenGigabitEthernet9/1
description connection to 6500 dist1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet9/2
description connection to 6500 dist 2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3,7,106,107,206,207
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
spanning-tree guard root
!
interface TenGigabitEthernet9/3
description connx to svc1 switch
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 4,5,6
switchport mode trunk
no ip address
logging event link-status
logging event bundle-status
!
no ip http server
!
snmp-server community public RO
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
password cisco
login
!
!
no cns aaa enable
end
Access Switch 6500
upgrade fpd auto
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service counters max age 10
!
hostname DCB-Access-1
!
boot system flash disk0:s72033-adventerprisek9_wan-vz.122-18.SXF9.bin
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
ip subnet-zero
no ip source-route
!
no ip bootp server
ip domain-list cisco.com
no ip domain-lookup
ip domain-name cisco.com
udld enable
!
udld message time 7
!
vtp domain datacenter
vtp mode transparent
no mls acl tcam share-global
mls cef error action freeze
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree pathcost method long
!
power redundancy-mode combined
no diagnostic cns publish
no diagnostic cns subscribe
fabric buffer-reserve queue
port-channel load-balance src-dst-port
!
vlan internal allocation policy descending
vlan dot1q tag native
vlan access-log ratelimit 2000
!
vlan 207
name server Tier
!
interface TenGigabitEthernet1/1
description to_dcb-Dist-1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
logging event link-status
!
interface TenGigabitEthernet1/2
description to_dcb-Dist-2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
no ip address
logging event link-status
logging event spanning-tree status
!
interface GigabitEthernet2/1 (all test ports)
switchport
switchport access vlan 207
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
!
interface Vlan1
no ip address
shutdown
!
no ip http server
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password 7 05080F1C2243
login local
transport input telnet ssh
!
no monitor event-trace timestamps
ntp authentication-key 1 md5 110A1016141D 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179938
ntp update-calendar
ntp server *********** key 1
no cns aaa enable
end
ACE and FWSM
FWSM Baseline
firewall transparent
!
interface Vlan107
nameif inside
bridge-group 1
security-level 100
!
interface Vlan7
nameif outside
bridge-group 1
security-level 0
!
interface BVI1
ip address 10.80.1.12 255.255.255.0 standby 10.80.1.13
!
access-list outside extended permit ip any any log
access-list inside extended permit ip any any log
access-list BPDU ethertype permit bpdu
!
access-group BPDU in interface inside
access-group inside in interface inside
access-group BPDU in interface outside
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.80.1.1
ACE Baseline
access-list BPDU ethertype permit bpdu
access-list anyone line 10 extended permit ip any any
class-map type management match-any PING
description Allowed Admin Traffic
10 match protocol icmp any
11 match protocol telnet any
policy-map type management first-match PING-POLICY
class PING
permit
interface vlan 107
description "Client-side Interface"
bridge-group 1
access-group input BPDU
access-group input anyone
service-policy input PING-POLICY
interface vlan 207
description "Server-side Interface"
bridge-group 1
access-group input BPDU
access-group input anyone
interface bvi 1
ip address 10.80.1.14 255.255.255.0
alias 10.80.1.16 255.255.255.0
peer ip address 10.80.1.13 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.80.1.1
FWSM Failover
Primary FWSM:
interface VLAN4
description LAN Failover Interface
!
interface VLAN5
description STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface failover VLAN4
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover replication http
failover link state VLAN5
failover interface ip failover 10.81.4.1 255.255.255.0 standby 10.81.4.2
failover interface ip state 10.81.5.1 255.255.255.0 standby 10.81.5.2
failover group 1
preempt
failover group 2
secondary
preempt 5
context V107
allocate-interface VLAN107
allocate-interface VLAN7
config-url disk:/V107.cfg
join-failover-group 1
!
Secondary FWSM:
interface VLAN4
description LAN Failover Interface
!
interface VLAN5
description STATE Failover Interface
!
failover
failover lan unit secondary
failover lan interface failover VLAN4
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover replication http
failover link state VLAN5
failover interface ip failover 10.81.4.1 255.255.255.0 standby 10.81.4.2
failover interface ip state 10.81.5.1 255.255.255.0 standby 10.81.5.2
failover group 1
preempt
failover group 2
secondary
preempt 5
context V107
allocate-interface VLAN107
allocate-interface VLAN7
config-url disk:/V107.cfg
join-failover-group 1
ACE Failover
ft interface vlan 6
ip address 10.81.6.1 255.255.255.0
peer ip address 10.81.6.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 100
heartbeat count 10
ft-interface vlan 6
ft group 2
peer 1
no preempt
priority 210
peer priority 200
associate-context Admin
inservice
context v107
allocate-interface vlan107
allocate-interface vlan207
ft group 3
peer 1
priority 220
peer priority 200
associate-context v107
inservice
Most of the configuration is done on the primary ACE module (the one that is active for the Admin context). Only a few items need to be defined on the secondary ACE module: the FT interface is defined with the addresses reversed, the FT peer is configured the same, and the FT group for the Admin context is configured with the priorities reversed. With the FT VLAN up, this is enough for the ACE modules to sync correctly; all of the rest of the configuration is copied over, with the priority values reversed.
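One way to produce the secondary module's minimal FT configuration from the primary's and to check that a pair really mirrors each other, as an added example (Python; not Cisco's code and not part of this guide). The sample config text is constructed from the FT listing above; the two-space indentation of child commands is an assumption about how the config is saved:

```python
"""Derive and check the secondary ACE module's FT configuration.

Added example, not Cisco's code and not part of the design guide. It encodes
the rule stated in the text: on the secondary, the FT interface carries the
same two addresses reversed, the FT peer is identical, and the FT group for
the Admin context carries the priorities reversed.
"""

# Constructed sample: the three FT blocks that must exist on the secondary,
# as they appear on the primary (addresses and priorities from the listing).
PRIMARY_FT_CONFIG = """\
ft interface vlan 6
  ip address 10.81.6.1 255.255.255.0
  peer ip address 10.81.6.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 100
  heartbeat count 10
  ft-interface vlan 6
ft group 2
  peer 1
  no preempt
  priority 210
  peer priority 200
  associate-context Admin
  inservice
"""


def parse_blocks(cfg):
    """Split ACE config text into (header, [child commands]) pairs, in order."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def _swap(children, key_a, key_b):
    """Exchange the arguments of two child commands, e.g. 'priority' and 'peer priority'."""
    vals = {}
    for cmd in children:
        for key in (key_a, key_b):
            if cmd.startswith(key + " "):
                vals[key] = cmd[len(key) + 1:]
    if len(vals) != 2:
        raise ValueError(f"block needs both '{key_a}' and '{key_b}' to mirror it")
    out = []
    for cmd in children:
        if cmd.startswith(key_a + " "):
            out.append(f"{key_a} {vals[key_b]}")
        elif cmd.startswith(key_b + " "):
            out.append(f"{key_b} {vals[key_a]}")
        else:
            out.append(cmd)
    return out


def _is_admin_group(header, children, admin_context):
    return header.startswith("ft group ") and f"associate-context {admin_context}" in children


def derive_secondary(primary_cfg, admin_context="Admin"):
    """Return the minimal FT config for the secondary ACE, mirrored from the primary."""
    out = []
    for header, children in parse_blocks(primary_cfg):
        if header.startswith("ft interface "):
            children = _swap(children, "ip address", "peer ip address")
        elif header.startswith("ft peer "):
            pass  # identical on both modules
        elif _is_admin_group(header, children, admin_context):
            children = _swap(children, "priority", "peer priority")
        else:
            continue  # everything else is synced from the primary once FT is up
        out.append(header)
        out.extend("  " + cmd for cmd in children)
    return "\n".join(out) + "\n"


def ft_values(cfg, admin_context="Admin"):
    """Pull the FT interface addresses and the Admin group's priorities out of a config."""
    vals = {}
    for header, children in parse_blocks(cfg):
        if header.startswith("ft interface "):
            for cmd in children:
                if cmd.startswith("peer ip address "):
                    vals["peer_ip"] = cmd.split()[3]
                elif cmd.startswith("ip address "):
                    vals["ip"] = cmd.split()[2]
        elif _is_admin_group(header, children, admin_context):
            for cmd in children:
                if cmd.startswith("peer priority "):
                    vals["peer_priority"] = int(cmd.split()[2])
                elif cmd.startswith("priority "):
                    vals["priority"] = int(cmd.split()[1])
    return vals


def check_pair(primary_cfg, secondary_cfg):
    """List the ways two modules' FT settings fail to mirror each other (empty = consistent)."""
    p, s = ft_values(primary_cfg), ft_values(secondary_cfg)
    problems = []
    if p.get("ip") != s.get("peer_ip") or p.get("peer_ip") != s.get("ip"):
        problems.append("FT interface addresses are not mirror images")
    if p.get("priority") != s.get("peer_priority") or p.get("peer_priority") != s.get("priority"):
        problems.append("Admin FT group priorities are not mirror images")
    if p.get("priority") == p.get("peer_priority"):
        problems.append("priority equals peer priority; the active election is ambiguous")
    return problems


if __name__ == "__main__":
    secondary = derive_secondary(PRIMARY_FT_CONFIG)
    print(secondary)
    print("problems:", check_pair(PRIMARY_FT_CONFIG, secondary))
```

Running check_pair against a primary and a copy of itself reports both mirror-image failures, which is exactly the mistake of pasting the primary's FT blocks onto the secondary unchanged.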
Additional References
See the following URL for more information:
•Cisco Catalyst 6500—http://www.cisco.com/en/US/products/hw/switches/ps708/index.html
Let's go over, for future reference, an outage in which CEF failed on a Cisco 6500
An SMS arrived saying that such-and-such router (a Cisco 6500) is UP. To explain: the monitoring system simply pings the router and reports when its state changes, DOWN/UP. This is a very dangerous SMS, because each such router is like a city district, or half of one (this is an ISP network). And even an SMS saying the router is UP is not normal.
Part one
My colleague and I log in to the router; it seems reachable. We look at the logs: OSPF and LDP adjacencies did not flap, which is already good.
We assume the RP (Route Processor) has gone to 100%, and so it has.
show processes cpu sorted shows something like 95%/85%; since the two figures nearly match, the RP is loaded not by processes but by interrupts, i.e. a lot of traffic is being handled by the CPU.
We run debug netdr: there are a great many packets tagged VLAN 1044. Moreover, they are multicast packets, both those going in the global table towards the router and those in a VRF going from it to customers.
In the logs we see a heap of errors: Traceback, blah-blah-blah, memory error and so on. There was no time right then to google in detail what these errors were.
VLAN 1044 cannot be found on the switch; only show vlan id 1044 internal usage shows that it has been allocated to interface Po1, and Po1 is actually an L3 interface! Why VLAN 1044 ended up like this I don't know; we didn't investigate.
In short, we thought the problem was related to multicast forwarding. We tried shutting down interface Po1, through which IPTV comes in, but all the traffic moved to the other interface and RP load stayed at 100%.
As for customer services, I decided IPTV was definitely affected. At the same time, from the router itself, customers in the business VRF and in the residential VRF were pingable, and I concluded that Internet traffic was not affected. I did see a sharp drop in traffic on the graphs, but not to zero. I probably should have checked the customer-services question more carefully: ping customers from the outside, estimate how much traffic had disappeared and how much of it was IPTV.
At that point we ran out of ideas; an hour had passed and we hadn't fixed the outage, so we escalated to the network development department and notified the boss. We opened a ticket with the highest priority and described the symptoms and our actions. I wrote to technical support so they would take this outage into account when handling customer calls and tell us by voice if there were mass complaints from customers connected through this router.
That is the end of part one.
Part two
So, we handed the problem over to the network development department. But neither my colleague nor I dropped out of the work on the ticket.
Everything was complicated by the fact that it was evening, 21:00 to 22:00, the busy hour.
I had to get distracted by load balancing on the external links and by opening tickets for switches going down/up, TV channels not working, etc. I did the balancing in 5 minutes from experience, and luckily there were no major outages; the minor ones I handled or left for later.
My colleague ran show commands on the Cisco 6500 for diagnostics while I googled the error messages from the logs.
I'll add that from the very start of the outage the Cisco 6500 was sluggish on the console and occasionally dropped the connection.
Then word came from technical support that they could not log in to the switches connected through this router and that customers were complaining en masse about slow websites and were pinging with huge losses; at that point it became clear that all services were affected.
From experience I already figured that the network development department would debug for a while and then it would all end in a reload anyway. :) So I phoned the head of the installation crew to have him take a console with a GSM modem and drive to the site. There he would connect the console to the Cisco 6500, we would get onto that console over GSM and then reload the Cisco 6500. This is in case the switch doesn't come up after the reload and has to be revived.
The head of the installation crew had few people, some of whom had night work ahead, so he went himself.
I also kept all the information up to date in the ticket promptly, rather than waiting to write it up after the outage was fixed. And that is right: everyone should see what stage the outage recovery is at right now.
In short, I googled the error message on cisco.com and found some Cisco 7600 bug which said it was a "glitch" that makes the switch stop adding new routes to CEF. The "glitch" can happen out of the blue, i.e. it isn't necessarily caused by any particular circumstances. A router reload should help (ha-ha!).
Our IOS version was not exactly the one in the bug description, but the numbers were the same; only the letters differed.
Here is that log message:
%MLSCEF-SP-2-FREEZE: hardware switching disabled on card
http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRcavs5.html says this is bug CSCsg40573.
And I noticed on the graphs that the number of packets handled by the PFC had dropped to zero. From this I concluded that all services were affected. I was agitated by the major outage and did not know the subject well, so I did not calmly ask myself: "What does the PFC actually handle?" And the PFC is exactly what forwards packets with CEF.
That router has no DFCs, so all switching is done by the PFC.
I was also confused by the fact that in the output of show ip cef the routes were present.
Based on his diagnostics, my colleague concluded that the problem was with CEF.
At that point my boss phoned and said that he and the network development department had concluded that CEF simply wasn't switching packets and the router had to be reloaded.
They saw this with the command
#show mls cef hardware
CEF TCAM v2: (FROZEN)
Size: 262144 entries
65536 rows/device, 4 device(s)
32 entries/mask-block
8192 total blocks (32b wide)
1212416 s/w table memory
Options:
sanity check: off
sanity interval: 301 seconds
consistency check: off
consistency interval: 31 seconds
redistribution: off
redistribution interval: 120 seconds
redistribution threshold: 10
compression: off
compression interval: 31 seconds
tcam/ssram shadowing: on
Operation Statistics:
Entries inserted: 0000000026486227
Entries deleted: 0000000026473952
Entries compressed: 0000000002044646
Blocks inserted: 0000000000476132
Blocks deleted: 0000000000475614
Blocks compressed: 0000000000311462
Blocks shuffled: 0000000000007388
Blocks deleted for exception: 0000000000000000
Direct h/w modifications(TCAM): 0000000000000000
Direct h/w modifications(SSRAM):0000000000000000
Background Task Statistics:
Consistency Check count: 0000000001845943
Consistency Errors: 0000000000000000
SSRAM Consistency Errors: 0000000000000000
Sanity Check count: 0000000000191853
Sanity Check Errors: 0000000000000001
Compression count: 0000000000263706
Exception Handling status: on
L3 Hardware switching status: off
Fatal Error Handling Status: Freeze
Fatal Errors: 0000000000000001
Fatal Error Recovery Count: 0000000000000000
SSRAM ECC error summary:
Uncorrectable ecc entries: 0
Correctable ecc entries: 0
Packets dropped: 0
Packets software switched: 0
FIB SSRAM Entry status
-- Key: UC - Uncorrectable error, C - Correctable error
SSRAM banks: Bank0 Bank1
No ECC errors reported in FIB SSRAM.
ADJACENCY SSRAM Application errors:
-- The logger for the ADJ sanity checker is disabled
Double Allocation Attempts :0
Double Freeing Attempts :0
Freeing Others’ Entries Attempts :0
Writing Others’ Entries Attempts :0
Writing To Un-Allocated Entries :0
Suspicious Application Calls :0
Note the CEF status, FROZEN, and the fact that a Fatal Error is present.
We did not wait for the head of the installation crew to arrive, although he was already close; we saved the config and reloaded the router.
Ten minutes later it had booted and it worked normally from then on.
We checked that all customer services had recovered.
Two or three days have passed and there are no error messages in the logs.
So it was a one-off software failure.
My conclusions
1. I need to learn the fundamentals better: how CEF works and which commands show its state. Then I would have concluded earlier from the graphs that packets had disappeared from the PFC, meaning the router was not switching packets at all!
For the future we set a threshold on the graph: when the PFC packet count drops below 5000 for 3 minutes, an SMS and an e-mail will be sent.
2. Escalation to the network development department could have been done earlier rather than after an hour; after all, many customers' services were affected. In future I'll do it this way: if I have confirmed that at least one service, for example IPTV, is affected on a mass scale and we can't fix it ourselves within 30 minutes, we escalate to the network development department and the boss. The main thing here is to fix it as quickly as possible.
> Post the whole config.
There isn't much to look at there;
the box has only just been reflashed.
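The checks this write-up arrives at, as an added example (Python; not the author's code and not a Cisco tool): matching the %MLSCEF-SP-2-FREEZE syslog message, parsing the show mls cef hardware fields that decide whether the PFC is forwarding, and the graph threshold adopted afterwards (PFC packet rate below 5000 for 3 minutes). The syslog timestamps, the healthy variant of the show output and the rate series are constructed; the field names are those of the output quoted above.

```python
"""Catch a frozen CEF TCAM on a Catalyst 6500 before the phones ring.

Added example, not from the post above and not a Cisco tool. Three checks:
flag the %MLSCEF-SP-2-FREEZE syslog message; read 'show mls cef hardware'
for the FROZEN marker, 'L3 Hardware switching status: off' and a non-zero
fatal error count; apply the alarm rule the author adopted afterwards
(PFC packet rate below 5000 pps for 3 minutes).
"""
import re

# Constructed sample, trimmed from the output quoted in the post.
SAMPLE_FROZEN = """\
CEF TCAM v2: (FROZEN)
Size: 262144 entries
Exception Handling status: on
L3 Hardware switching status: off
Fatal Error Handling Status: Freeze
Fatal Errors: 0000000000000001
Fatal Error Recovery Count: 0000000000000000
Packets software switched: 0
"""

# Constructed healthy variant (assumption: a healthy TCAM shows no FROZEN
# marker, hardware switching on and a zero fatal error count).
SAMPLE_HEALTHY = """\
CEF TCAM v2:
Size: 262144 entries
Exception Handling status: on
L3 Hardware switching status: on
Fatal Error Handling Status: Freeze
Fatal Errors: 0000000000000000
Fatal Error Recovery Count: 0000000000000000
"""

# Constructed syslog lines (timestamps and the OSPF neighbour are made up);
# the FREEZE message text is the one from the post.
SAMPLE_SYSLOG = [
    "Jan 30 21:02:11.501: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Vlan12 from LOADING to FULL, Loading Done",
    "Jan 30 21:07:45.331: %MLSCEF-SP-2-FREEZE: hardware switching disabled on card",
]

FREEZE_MSG = re.compile(r"%MLSCEF-SP-2-FREEZE")


def freeze_syslog_lines(lines):
    """Return the syslog lines announcing that hardware switching was disabled."""
    return [ln for ln in lines if FREEZE_MSG.search(ln)]


def parse_cef_hardware(text):
    """Extract the fields of 'show mls cef hardware' that decide whether the PFC forwards."""
    state = {"frozen": "(FROZEN)" in text, "l3_hw_switching": None,
             "fatal_errors": 0, "fatal_error_action": None}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "L3 Hardware switching status":
            state["l3_hw_switching"] = (value == "on")
        elif key == "Fatal Errors":
            state["fatal_errors"] = int(value)   # counters are zero-padded decimals
        elif key == "Fatal Error Handling Status":
            state["fatal_error_action"] = value  # 'Freeze' matches 'mls cef error action freeze'
    return state


def cef_alarms(text):
    """Human-readable alarms from the show output; an empty list means the PFC is forwarding."""
    s = parse_cef_hardware(text)
    alarms = []
    if s["frozen"]:
        alarms.append("CEF TCAM is FROZEN")
    if s["l3_hw_switching"] is False:
        alarms.append("L3 hardware switching is off: every packet is punted to the RP")
    if s["fatal_errors"] > 0:
        alarms.append(f"{s['fatal_errors']} fatal error(s), handling={s['fatal_error_action']}")
    return alarms


def pfc_rate_alarm(samples, threshold_pps=5000, window_s=180):
    """The author's graph threshold: PFC rate below threshold_pps for window_s seconds.

    samples: (epoch_seconds, packets_per_second) pairs in time order.
    Returns the timestamp at which the alarm fires, or None.
    """
    low_since = None
    for ts, pps in samples:
        if pps >= threshold_pps:
            low_since = None       # any sample back above the line restarts the window
            continue
        if low_since is None:
            low_since = ts
        if ts - low_since >= window_s:
            return ts
    return None


# Constructed 60-second samples: normal load, then the PFC stops counting.
SAMPLE_RATES = [(0, 812000), (60, 805000), (120, 0), (180, 0), (240, 0), (300, 0)]
# A short dip that must not alarm.
SAMPLE_BLIP = [(0, 812000), (60, 0), (120, 0), (180, 790000), (240, 0)]

if __name__ == "__main__":
    print(freeze_syslog_lines(SAMPLE_SYSLOG))
    print(cef_alarms(SAMPLE_FROZEN))
    print(cef_alarms(SAMPLE_HEALTHY))
    print(pfc_rate_alarm(SAMPLE_RATES), pfc_rate_alarm(SAMPLE_BLIP))
```

The two sources complement each other: the syslog match and the show-output parse say what broke, while the rate threshold fires even when the box is too sluggish to answer show commands, which is the situation described above.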
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 5
!
hostname Router
!
boot system flash sup-bootdisk:s3223-adventerprisek9_wan-vz.122-18.SXF5.bin
enable password XXXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
!
!
!
ipv6 mfib hardware-switching replication-mode ingress
mls qos marking ignore port-trust
mls qos
mls flow ip source
no mls flow ipv6
mls acl tcam share-global
mls ip multicast flow-stat-timer 9
mls cef error action freeze
!
!
!
!
no crypto ipsec nat-transparency udp-encaps
!
!
!
!
!
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
environment temperature-controlled
!
redundancy
mode sso
main-cpu
auto-sync running-config
system flowcontrol bus auto
spanning-tree mode pvst
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all noc-shaper
match access-group name noc
!
!
policy-map noc-shaper
class noc-shaper
police flow mask dest-only 64000 2000 conform-action transmit exceed-action drop
!
!
!
interface Loopback1
no ip address
!
interface GigabitEthernet1/1
no ip address
!
interface GigabitEthernet1/2
no ip address
shutdown
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
no ip address
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface GigabitEthernet1/9
no ip address
shutdown
!
interface GigabitEthernet1/10
no ip address
shutdown
!
interface GigabitEthernet1/11
no ip address
shutdown
!
interface GigabitEthernet1/12
no ip address
shutdown
!
interface GigabitEthernet1/13
no ip address
shutdown
!
interface GigabitEthernet1/14
no ip address
shutdown
!
interface GigabitEthernet1/15
no ip address
shutdown
!
interface GigabitEthernet1/16
no ip address
shutdown
!
interface GigabitEthernet2/1
no ip address
!
interface FastEthernet2/2
no ip address
!
interface FastEthernet2/3
no ip address
!
interface FastEthernet2/4
no ip address
!
interface FastEthernet2/5
no ip address
!
interface GigabitEthernet5/1
ip address XXXXXXXXXXXXXXX 255.255.255.252
service-policy input noc-shaper
!
interface GigabitEthernet5/2
switchport
switchport access vlan 3
switchport mode access
no ip address
mls qos vlan-based
!
interface GigabitEthernet5/3
switchport
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet5/4
switchport
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet5/5
no ip address
shutdown
!
interface GigabitEthernet5/6
no ip address
shutdown
!
interface GigabitEthernet5/7
no ip address
shutdown
!
interface GigabitEthernet5/8
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
!
interface GigabitEthernet5/9
no ip address
!
interface Vlan1
description CORE-DEVICES
ip address XXXXXXXXXXXXXXXX 255.255.255.128
no ip route-cache cef
ip route-cache flow
!
interface Vlan2
description NOC
ip address XXXXXXXXXXXXXXXXX 255.255.255.240
no ip redirects
ip route-cache flow
!
interface Vlan3
ip address XXXXXXXXXXXXXX 255.255.255.192 secondary
ip address XXXXXXXXXXXXXX 255.255.255.240
no ip redirects
ip route-cache flow
!
interface Vlan4
ip address XXXXXXXXXX 255.255.192.0
!
interface Vlan12
ip address XXXXXXXXXXXXXXX 255.255.255.0
no ip redirects
!
interface Vlan101
ip address XXXXXXXXXXXXX 255.255.224.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXXXXXXXXXXX
!
no ip http server
!
!
ip access-list extended noc
permit ip XXXXXXXX 0.0.0.15 any
permit ip any XXXXXXXXXX 0.0.0.15
ip access-list extended nov
!
!
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0 4
login
!
exception core-file
no cns aaa enable
end
> And also sh module
Router#sh module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516A-GBIC     SAL1021NTVT
  2    5  Communication Media Module             WS-SVC-CMM         SAD1005057L
  5    9  Supervisor Engine 32 8GE (Active)      WS-SUP32-GE-3B     SAD102700NH

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0017.e025.c630 to 0017.e025.c63f   4.2   7.2(1)       8.5(0.46)RFW Ok
  2  0016.c738.2d22 to 0016.c738.2d2b   2.8   12.4(9)T1,   12.4(9)T1,   Ok
  5  0017.948c.e478 to 0017.948c.e483   4.4   12.2(18r)SX2 12.2(18)SXF7 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ------------ ------ -------
  5  Policy Feature Card 3       WS-F6K-PFC3B       SAD102705CG  2.3    Ok
  5  Cat6k MSFC 2A daughterboard WS-F6K-MSFC2A      SAD102606DP  3.1    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  5  Pass
Edited February 7, 2007 by KRoM