Various Network Design using Routers, Layer-3 Switches, and more Cisco Forum FAQ

			Search:
	login · register

FAQs

how-to block ads

	Search for: in all FAQs
All FAQs » Cisco Forum FAQ » 30.2 Between Router and Layer-3 Switch » 16332

Various Network Design using Routers, Layer-3 Switches, and more (#16332)

Prerequisite reading
»Cisco Forum FAQ »Should I use Layer-3 switch or router?

The above FAQ link shows some basic network setup using routers and switches. Following is more network design samples that are also common in many organizations.

Sample 1:


                                           Internet
                                              |
                                              |
                                            Router
                                              |
                                              |
                                           Firewall
                                              |
                                              |
                                        Layer-3 Switch
                                         |    |     |
                                         |    |     |
                                      Layer-2 |  Layer-2
                                      Switch  |  Switch
                                              |
                                        Layer-2 Switch

Background

* This sample configuration assumes the Router to do NAT/PAT, firewall to do statefull firewall, and Layer-3 Switch to act as both switch and router to route internal traffic. To learn more about NAT/PAT, check out the following FAQ for detail »Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Sample 1 Configuration

Router

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.0.0.0 255.0.0.0 10.10.10.2
no ip http server
!
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.3.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end

PIX Firewall

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network WEB
network-object host 10.10.11.2
object-group network FTP
network-object host 10.10.11.3
object-group network MAIL
network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
port-object eq smtp
port-object eq pop3
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
access-list nonat permit ip any any
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.0.0.0 255.0.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Switch

vlan 1,7,11-13
!
ip routing
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/5
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/6
description Management port
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/7
description Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/8
description Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/9
description Layer-2 Switch 1 
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/12
description To Firewall
switchport access vlan 7
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan7
description Management
ip address 10.10.11.2 255.255.255.0
!
interface Vlan11
description LAN 1
ip address 10.0.1.1 255.255.255.0
!
interface Vlan12
description LAN 2
ip address 10.0.2.1 255.255.255.0
!
interface Vlan13
description LAN 3
ip address 10.0.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.11.1

Sample 2:


                                           Internet
                                              |
                                              |
                                            Router
                                              |
                                              |
                                            Switch
                                            |    |
                           DMZ ----- Firewall - Firewall  (two redundant firewalls)
                                         1         2
                                         |         |
                                    Layer-3 ---- Layer-3  (two redundant Layer-3 switches)
                                   Switch 1      Switch 2
                                    |  |  |      |  |  |
                                    |  |  |      |  |  |
                                    |  |  Layer-2   |  |
                                    |  |   Switch   |  |
                                    |  |            |  |
                                    |  Layer-2 Switch  |
                                    |                  |
                                    |                  |
                                    +- Layer-2 Switch -+

Background

Switch
* The Layer-3 switches act as Spanning-Tree Root Bridges of all switches and as HSRP service providers. For preliminary info on Root Bridge, check out the following link: Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches. For preliminary info on HSRP, check out the following link: Hot Standby Router Protocol Features and Functionality
* Rapid Spanning Tree protocol is used to provide faster convergence yet stable network. For more info on Rapid Spanning Tree, check out the following link: Understanding Rapid Spanning Tree Protocol (802.1w)
* For some VLAN, the Layer-3 Switch 1 is the Root Bridge primary while the Layer-3 Switch 2 is the backup. For other VLAN, the Layer-3 Switch 2 is the Root Bridge primary while the Layer-3 Switch 1 is the backup.
* Similarly; for some VLAN, the Layer-3 Switch 1 is the HSRP primary while the Layer-3 Switch 2 is the backup. For other VLAN, the Layer-3 Switch 2 is the HSRP primary while the Layer-3 Switch 1 is the backup.
* For VLAN connection reliability, the same Layer-3 switch should be for both Root Bridge and HSRP primary
* In this sample configuration; VLAN 5, 7, 100 Root Bridge and HSRP primaries are at Layer-3 Switch 1 while VLAN 1, 20, 200 Root Bridge and HSRP primaries are at Layer-3 Switch 2
* To avoid unnecessary traffic flow, only some VLAN is allowed to pass through on some trunks between switches
* There is IP routing in place between Layer-3 switches and the firewalls

Firewall
* The firewall could be either PIX Firewall or ASA, running OS 7.x or later
* Firewall setup is LAN-based Active/Standby failover, which in a sense is similar to HSRP/VRRP mechanism where the firewall primary interface IP address is the "virtual" gateway for the interface subnet to reach other network. For more info on PIX/ASA Active/Standby failover, check out the following link: How Failover Works on the Cisco Secure PIX Firewall
* The firewall acts as both Internet firewall and IPSec VPN Concentrator. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

(The Internet or Outside) Router/Switch
* There is a basic Internet firewall at the router to filter absolute questionable inbound traffic from the Internet to the network. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature
* There is no need for the router to do stateful firewall since there is already the firewall appliance (PIX/ASA) to do the stateful firewall functionality

AAA Command Set
* All Cisco devices on this sample configuration uses proper AAA command set for security reason. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level

Sample 2 Configuration

Router

version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 *****
!
username **** secret 5 *****
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-list ****
ip domain-list ****
no ip domain-lookup
ip domain-name ****
!
!
interface FastEthernet0/0
 description To Internet Switch
 ip address 1.0.0.2 255.255.255.248
 speed 100
 duplex full
!
interface Serial0/0
 description To ISP
 ip address 1.1.1.2 255.255.255.252
 ip access-group SecureRouter in
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 1.0.0.112 255.255.255.240 1.0.0.6
ip route 10.0.0.0 255.0.0.0 1.0.0.6
ip route 172.16.0.0 255.240.0.0 1.0.0.6
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface FastEthernet0/0
!
ip access-list extended SecureRouter
 remark Access List used to Secure Perimeter Router
 remark Deny Special Use IP Address Sources (RFC 3330)
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 0.15.255.255 any
 remark Deny Private IP Address Space (RFC 1918)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Permit SSH Traffic
 permit tcp any 1.0.0.104 0.0.0.7 eq 22
 remark Permit Necessary ICMP traffic
 permit icmp any host 1.0.0.2 echo-reply
 permit icmp any host 1.0.0.6 echo-reply
 permit icmp any 1.0.0.104 0.0.0.7 echo-reply
 permit icmp any 1.0.0.112 0.0.0.15 echo-reply
 permit icmp any host 1.0.0.2 unreachable
 permit icmp any host 1.0.0.6 unreachable
 permit icmp any 1.0.0.104 0.0.0.7 unreachable
 permit icmp any 1.0.0.112 0.0.0.15 unreachable
 permit icmp any host 1.0.0.2 time-exceeded
 permit icmp any host 1.0.0.6 time-exceeded
 permit icmp any 1.0.0.104 0.0.0.7 time-exceeded
 permit icmp any 1.0.0.112 0.0.0.15 time-exceeded
 deny   icmp any any
 remark Permit VPN Access
 permit esp any host 1.0.0.106
 permit ahp any host 1.0.0.106
 permit udp any host 1.0.0.106 eq isakmp
 permit udp any host 1.0.0.106 eq non500-isakmp
 remark Permit Internet Firewall to control Global IP Address
 permit ip any host 1.0.0.108
 remark Permit Internet Firewall to control DMZ
 permit ip any 1.0.0.112 0.0.0.15
 remark Permit Established TCP session
 permit tcp any host 1.0.0.2 established
 permit tcp any host 1.0.0.6 established
 permit tcp any 1.0.0.104 0.0.0.7 established
 deny   ip any any
!
logging source-interface FastEthernet0/0
logging 172.17.200.232
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.4.5.0 0.0.0.255
access-list 85 permit 1.169.31.226
access-list 85 permit 1.148.0.138
access-list 85 permit 1.43.53.170
access-list 85 permit 1.87.201.10
access-list 85 permit 1.109.89.198
access-list 85 permit 1.194.74.26
access-list 85 permit 1.194.74.22
access-list 85 permit 1.169.195.194
access-list 85 permit 1.169.198.96 0.0.0.7
access-list 85 permit 172.17.100.0 0.0.0.255
access-list 85 permit 172.17.190.0 0.0.0.255
access-list 85 permit 172.17.200.0 0.0.0.255
access-list 85 permit 10.13.100.0 0.0.0.255
access-list 85 permit 10.13.190.0 0.0.0.255
access-list 85 permit 10.13.200.0 0.0.0.255
access-list 85 permit 12.14.179.64 0.0.0.31
access-list 85 permit 1.117.15.128 0.0.0.31
access-list 85 permit 1.148.22.96 0.0.0.15
access-list 85 permit 1.252.30.96 0.0.0.31
access-list 85 permit 1.128.17.64 0.0.0.15
access-list 85 permit 1.169.34.0 0.0.0.7
access-list 85 permit 1.162.70.192 0.0.0.15
!
snmp-server community ***** RO 52
snmp-server enable traps tty
snmp-server enable traps syslog
tacacs-server host 172.17.200.231
tacacs-server directed-request
tacacs-server key 7 ******
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
line vty 5 15
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
!
ntp clock-period 36028978
ntp source FastEthernet0/0
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end

Switch (Layer-3 capable)

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 *****
!
username **** secret 5 *****
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-list ****
ip domain-list ****
no ip domain-lookup
ip domain-name ****
!
!
!         
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
 description To Internet Router
 no switchport
 ip address 1.0.0.6 255.255.255.248
 speed 100
 duplex full
!
interface FastEthernet0/2
 no switchport
 no ip address
 speed 100
 duplex full
!
interface FastEthernet0/3
 description ASA Internet Active
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/4
 description ASA Internet Standby
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Outside Network
 ip address 1.0.0.105 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 1.0.0.1
ip route 1.0.0.112 255.255.255.240 1.0.0.106
ip route 10.0.0.0 255.0.0.0 1.0.0.106
ip route 172.16.0.0 255.240.0.0 1.0.0.106
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan2
!
!
logging source-interface Vlan2
logging 172.17.200.232
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.4.5.0 0.0.0.255
access-list 85 permit 1.169.31.226
access-list 85 permit 1.148.0.138
access-list 85 permit 1.43.53.170
access-list 85 permit 1.87.201.10
access-list 85 permit 1.109.89.198
access-list 85 permit 1.194.74.26
access-list 85 permit 1.194.74.22
access-list 85 permit 1.169.195.194
access-list 85 permit 1.169.198.96 0.0.0.7
access-list 85 permit 172.17.100.0 0.0.0.255
access-list 85 permit 172.17.190.0 0.0.0.255
access-list 85 permit 172.17.200.0 0.0.0.255
access-list 85 permit 10.13.100.0 0.0.0.255
access-list 85 permit 10.13.190.0 0.0.0.255
access-list 85 permit 10.13.200.0 0.0.0.255
access-list 85 permit 12.14.179.64 0.0.0.31
access-list 85 permit 1.117.15.128 0.0.0.31
access-list 85 permit 1.148.22.96 0.0.0.15
access-list 85 permit 1.252.30.96 0.0.0.31
access-list 85 permit 1.128.17.64 0.0.0.15
access-list 85 permit 1.169.34.0 0.0.0.7
access-list 85 permit 1.162.70.192 0.0.0.15
!
snmp-server community ***** RO 52
snmp-server enable traps tty
snmp-server enable traps syslog
tacacs-server host 172.17.200.231
tacacs-server directed-request
tacacs-server key 7 ******
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
line vty 5 15
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
!
ntp clock-period 36028978
ntp source Vlan2
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end

Firewall 1 (Active)

ASA Version 7.2(3) 
!
hostname ****
domain-name ****
enable password ***** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Switch
 nameif outside
 security-level 0
 ip address 1.0.0.106 255.255.255.248 standby 1.0.0.107 
!
interface GigabitEthernet0/1
 description Core Switches
 nameif inside
 security-level 100
 ip address 10.7.0.4 255.255.255.0 standby 10.7.0.5 
!
interface GigabitEthernet0/2
 description DMZ Switches
 nameif dmz
 security-level 50
 ip address 1.0.0.113 255.255.255.240 standby 1.0.0.114 
!
interface GigabitEthernet0/3
!
interface Management0/0
!
interface Management0/0.254
 description STATE Failover Interface
 vlan 254
!
interface Management0/0.255
 description LAN Failover Interface
 vlan 255
!
passwd **** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded. 
banner motd Use of this system is your express consent to such monitoring and recording. 
banner motd 
banner motd ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULTIN CRIMINAL AND/OR CIVIL PENALTIES.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ****
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service Nachi_Worm tcp-udp
 port-object eq 707
object-group service Kerberos tcp-udp
 port-object eq 4444
object-group service MS_Ports tcp-udp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object eq 593
object-group service IM_Virus tcp-udp
 port-object eq 5001
object-group service Zincite_Virus tcp-udp
 port-object eq 1034
object-group service Sasser_Worm tcp
 port-object eq 5554
 port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
 port-object eq 81
object-group network gotomypc.com
 network-object host 66.151.158.177
object-group service Dameware tcp-udp
 port-object eq 6129
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
object-group network INSIDE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network IT
 network-object 172.17.190.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
object-group network Net_Monitor
 network-object host 172.17.200.126
 network-object host 172.17.200.130
 network-object host 172.17.200.131
 network-object host 172.17.200.132
 network-object host 172.17.200.127
object-group network DC
 network-object host 10.13.200.161
 network-object host 172.17.200.161
 network-object host 172.17.200.162
object-group network NTP
 network-object host 172.16.0.5
 network-object host 10.4.5.5
object-group network Internet_Routers
 network-object host 1.0.0.2
 network-object host 1.0.0.6
object-group network Internet_Switches
 network-object host 1.0.0.105
object-group network MARS
 network-object host 172.17.200.232
object-group service SYSLOG udp
 port-object eq syslog
object-group network ACS
 network-object host 172.17.200.231
object-group service TACACS tcp
 port-object eq tacacs
object-group service MARS_UDP udp
 port-object eq syslog
 port-object eq 2055
object-group network CISCOOUTSIDE
 group-object Internet_Routers
 group-object Internet_Switches
object-group network DMZ_NET
 network-object 1.0.0.112 255.255.255.240
object-group network OUTSIDE
 group-object DMZ_NET
object-group network Blocked_Subnet
 network-object 168.95.5.0 255.255.255.192
object-group network Vendor_Subnet
 network-object 10.7.180.0 255.255.255.0
object-group network Special_Subnets
 group-object IT
 group-object Vendor_Subnet
object-group network MXtremes
 network-object host 1.0.0.117
object-group network WWW
 network-object host 1.0.0.118
 network-object host 1.0.0.110
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
object-group network DMZ_SWITCH
 network-object host 1.0.0.115
 network-object host 1.0.0.116
object-group service LDAP tcp
 port-object eq ldap
object-group network XBH
 network-object host 10.13.100.13
 network-object host 172.16.0.10
 network-object host 172.17.100.50
 network-object host 172.17.100.60
 network-object host 172.17.100.61
 network-object host 172.17.100.62
object-group network MXtremes-FTP-Inside
 network-object host 172.17.200.102
object-group network Outside_Network
 network-object 1.252.30.96 255.255.255.224
 network-object 1.162.70.192 255.255.255.240
 network-object 1.14.179.64 255.255.255.224
object-group network Outside
 network-object 1.0.0.0 255.255.255.248
 network-object 1.0.0.104 255.255.255.248
object-group network Borderware
 network-object host 207.236.65.226
object-group service MXtremes_TCP tcp
 port-object eq https
 port-object eq 10101
object-group network CTXCAG
 network-object host 1.0.0.120
object-group network CTXCAGMGMT
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.190.0 255.255.255.0
object-group service CITRIXCAG tcp
 port-object range 9001 9002
 port-object eq 9005
object-group network CTXFARM
 network-object host 172.17.200.170
 network-object host 172.17.200.173
 network-object host 172.17.200.174
 network-object host 172.17.200.175
 network-object host 172.17.200.176
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.50.0 255.255.255.0
 network-object 172.17.60.0 255.255.255.0
 network-object 10.13.50.0 255.255.255.0
 network-object 10.13.60.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
object-group service CITRIXPROD tcp
 port-object eq www
 port-object eq citrix-ica
 port-object eq 2598
object-group service VNC_TCP tcp
 port-object eq 5900
object-group service backup tcp-udp
 description ports for backupexec
 port-object range 1025 1030
 port-object eq 10000
object-group network VPN_Group2
 network-object 192.168.185.0 255.255.255.0
object-group network VPN_Group1
 network-object 192.168.189.0 255.255.255.0
access-list nonat remark No NAT for Special Subnets
access-list nonat extended permit ip object-group INSIDE object-group CISCOOUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group OUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group1 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group2
access-list inside remark Allow Mail Server to Send Mail to anyone
access-list inside extended permit tcp object-group XBH any eq smtp 
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services 
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi_Worm 
access-list inside remark Deny Kerberos Authentication
access-list inside extended deny object-group TCP-UDP any any object-group Kerberos 
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports 
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Virus 
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zincite_Virus 
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm 
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagle.O_Virus 
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com 
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Dameware 
access-list inside remark Allow SNMP Monitoring to DMZ from Inside
access-list inside extended permit udp object-group Net_Monitor object-group DMZ_NET range snmp snmptrap 
access-list inside remark Allow GTO to do ICMP management to DMZ
access-list inside extended permit icmp object-group IT object-group DMZ_NET 
access-list inside remark Allow GTO to telnet and SSH to DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET range ssh telnet 
access-list inside remark Allow GTO to open http and https on DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group WEB_SERVICES 
access-list inside remark Allow Remote Control of servers by GTO
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group VNC_TCP 
access-list inside remark Allow backupexec to dmz
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group backup 
access-list inside remark Allow CAG Management into the DMZ
access-list inside extended permit tcp object-group CTXCAGMGMT object-group CTXCAG object-group CITRIXCAG 
access-list inside remark Deny other access to DMZ
access-list inside extended deny ip any object-group DMZ_NET 
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any 
access-list nonat_dmz remark No NAT for DMZ Subnets
access-list nonat_dmz extended permit ip object-group DMZ_NET any 
access-list outside remark Permitted Inbound Traffic
access-list outside remark deny this IP to anywhere
access-list outside extended deny ip object-group Blocked_Subnet any 
access-list outside remark TACACS Traffic
access-list outside extended permit tcp object-group CISCOOUTSIDE object-group ACS object-group TACACS 
access-list outside remark MARS Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group MARS object-group MARS_UDP 
access-list outside remark NTP Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group NTP eq ntp 
access-list outside remark allow all ping traffic
access-list outside extended permit icmp any any 
access-list outside remark allow anyone to smtp to Mail Firewalls in DMZ
access-list outside extended permit tcp any object-group MXtremes eq smtp 
access-list outside remark allow Outside network to manage MXtremes
access-list outside extended permit tcp object-group Outside_Network object-group MXtremes eq https 
access-list outside remark allow Borderware support access to MXtreme
access-list outside extended permit tcp object-group Borderware object-group MXtremes object-group MXtremes_TCP 
access-list outside remark allow traffic to access WWW server
access-list outside extended permit tcp any object-group WWW object-group WEB_SERVICES 
access-list outside remark allow SSL to the CAGs from anyone
access-list outside extended permit tcp any object-group CTXCAG object-group WEB_SERVICES 
access-list dmz remark Permitted Inbound Traffic
access-list dmz remark allow TACACS traffic from DMZ Switches to ACS
access-list dmz extended permit tcp object-group DMZ_SWITCH object-group ACS eq tacacs 
access-list dmz remark MARS Traffic
access-list dmz extended permit udp object-group DMZ_SWITCH object-group MARS object-group MARS_UDP 
access-list dmz remark allow DMZ network to get internal time
access-list dmz extended permit udp object-group DMZ_NET object-group NTP eq ntp 
access-list dmz remark allow ping
access-list dmz extended permit icmp any any 
access-list dmz remark allow MXtremes to do LDAP against inside
access-list dmz extended permit tcp object-group MXtremes object-group DC object-group LDAP 
access-list dmz remark allow MXtremes to do DNS lookups inside
access-list dmz extended permit udp object-group MXtremes object-group DC eq domain 
access-list dmz remark deny MXtremes to source WWW and SSL on their own to INSIDE
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow MXtremes WWW and SSL to ANY
access-list dmz extended permit tcp object-group MXtremes any object-group WEB_SERVICES 
access-list dmz remark allow MXtremes to forward mail to Mail servers and Internet
access-list dmz extended permit tcp object-group MXtremes object-group XBH eq smtp 
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE eq smtp 
access-list dmz extended permit tcp object-group MXtremes any eq smtp 
access-list dmz remark Allow MXtremes to upload mail logs to nycsrvmxl1
access-list dmz extended permit tcp object-group MXtremes object-group MXtremes-FTP-Inside range ftp-data ftp 
access-list dmz remark deny Web server to source www and SSL on its own to INSIDE
access-list dmz extended deny tcp object-group WWW object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow Web server WWW and SSL to Anyone
access-list dmz extended permit tcp object-group WWW any object-group WEB_SERVICES 
access-list dmz remark allow Citrix CAGs to Citrix Farm
access-list dmz extended permit tcp object-group CTXCAG object-group CTXFARM object-group CITRIXPROD 
access-list dmz remark deny Citrix CAGs to SSL on its own to INSIDE
access-list dmz extended deny tcp object-group CTXCAG object-group INSIDE eq https 
access-list dmz remark allow Citrix CAGs to SSL on its own to others
access-list dmz extended permit tcp object-group CTXCAG any eq https 
access-list IPS_Inspection remark ASA IPS Inspect following traffic flow
access-list IPS_Inspection extended permit ip object-group INSIDE object-group Outside_Network
access-list IPS_Inspection extended permit ip object-group INSIDE object-group DMZ_NET 
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group1
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group2
access-list IPS_Inspection extended permit ip object-group INSIDE any 
access-list IPS_Inspection extended permit ip object-group DMZ_NET any 
access-list IPS_Inspection extended permit ip object-group Outside_Network any 
access-list IPS_Inspection extended permit ip any object-group Outside 
access-list IPS_Inspection extended permit ip any object-group DMZ_NET 
access-list IPS_Inspection extended permit ip any object-group INSIDE 
access-list IPS_Inspection extended permit ip any any log 
access-list nonat-VPN_Group1 remark No NAT for VPN Group 1
access-list nonat-VPN_Group1 extended permit ip object-group INSIDE object-group VPN_Group1
access-list nonat-VPN_Group2 remark No NAT for VPN Group 2
access-list nonat-VPN_Group2 extended permit ip object-group INSIDE object-group VPN_Group2
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging mail debugging
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool group2 192.168.185.1-192.168.185.254
ip local pool group1 192.168.189.1-192.168.189.254
failover
failover lan unit primary
failover lan interface failover Management0/0.255
failover link state Management0/0.254
failover interface ip failover 192.168.0.249 255.255.255.252 standby 192.168.0.250
failover interface ip state 192.168.0.253 255.255.255.252 standby 192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.0.0.108
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
!
route outside 0.0.0.0 0.0.0.0 1.0.0.105
route inside 10.0.0.0 255.0.0.0 10.7.0.1
route inside 172.16.0.0 255.240.0.0 10.7.0.1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 10.7.200.161
 nt-auth-domain-controller *****
aaa-server TACACS protocol tacacs+
 reactivation-mode depletion deadtime 3
 max-failed-attempts 4
aaa-server TACACS host 172.17.200.231
 key *****
aaa authentication http console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting serial console TACACS
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting command privilege 15 TACACS
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community ****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetoutside
crypto ipsec transform-set set10 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set set20 esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set set10
crypto dynamic-map dynmap 20 set transform-set set20
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 1.252.30.96 255.255.255.224 outside
ssh 1.14.179.64 255.255.255.224 outside
ssh 10.13.100.0 255.255.255.0 inside
ssh 10.13.200.0 255.255.255.0 inside
ssh 10.13.190.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh 172.17.190.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map IPS_Class
 match access-list IPS_Inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
 class IPS_Class
  ips promiscuous fail-open
!
service-policy global_policy global
ntp server 10.4.5.5 source inside
ntp server 172.16.0.5 source inside prefer
group-policy Group1 internal
group-policy Group1 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group1
 default-domain value *****
group-policy Group2 internal
group-policy Group2 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group2
 default-domain value *****
username ***** password ****** encrypted privilege 15
username ***** attributes
 vpn-group-policy Group1
 group-lock value Group1
username ***** password ****** encrypted privilege 15
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 address-pool group2
 authentication-server-group NT_DOMAIN
 default-group-policy Group2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 address-pool group1
 authentication-server-group NT_DOMAIN LOCAL
 default-group-policy Group1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end

Firewall 2 (Standby)

ASA Version 7.2(3) 
!
hostname ****
domain-name ****
enable password ***** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Switch
 nameif outside
 security-level 0
 ip address 1.0.0.106 255.255.255.248 standby 1.0.0.107 
!
interface GigabitEthernet0/1
 description Core Switches
 nameif inside
 security-level 100
 ip address 10.7.0.4 255.255.255.0 standby 10.7.0.5 
!
interface GigabitEthernet0/2
 description DMZ Switches
 nameif dmz
 security-level 50
 ip address 1.0.0.113 255.255.255.240 standby 1.0.0.114 
!
interface GigabitEthernet0/3
!
interface Management0/0
!
interface Management0/0.254
 description STATE Failover Interface
 vlan 254
!
interface Management0/0.255
 description LAN Failover Interface
 vlan 255
!
passwd **** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded. 
banner motd Use of this system is your express consent to such monitoring and recording. 
banner motd 
banner motd ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULTIN CRIMINAL AND/OR CIVIL PENALTIES.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ****
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service Nachi_Worm tcp-udp
 port-object eq 707
object-group service Kerberos tcp-udp
 port-object eq 4444
object-group service MS_Ports tcp-udp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object eq 593
object-group service IM_Virus tcp-udp
 port-object eq 5001
object-group service Zincite_Virus tcp-udp
 port-object eq 1034
object-group service Sasser_Worm tcp
 port-object eq 5554
 port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
 port-object eq 81
object-group network gotomypc.com
 network-object host 66.151.158.177
object-group service Dameware tcp-udp
 port-object eq 6129
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
object-group network INSIDE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network IT
 network-object 172.17.190.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
object-group network Net_Monitor
 network-object host 172.17.200.126
 network-object host 172.17.200.130
 network-object host 172.17.200.131
 network-object host 172.17.200.132
 network-object host 172.17.200.127
object-group network DC
 network-object host 10.13.200.161
 network-object host 172.17.200.161
 network-object host 172.17.200.162
object-group network NTP
 network-object host 172.16.0.5
 network-object host 10.4.5.5
object-group network Internet_Routers
 network-object host 1.0.0.2
 network-object host 1.0.0.6
object-group network Internet_Switches
 network-object host 1.0.0.105
object-group network MARS
 network-object host 172.17.200.232
object-group service SYSLOG udp
 port-object eq syslog
object-group network ACS
 network-object host 172.17.200.231
object-group service TACACS tcp
 port-object eq tacacs
object-group service MARS_UDP udp
 port-object eq syslog
 port-object eq 2055
object-group network CISCOOUTSIDE
 group-object Internet_Routers
 group-object Internet_Switches
object-group network DMZ_NET
 network-object 1.0.0.112 255.255.255.240
object-group network OUTSIDE
 group-object DMZ_NET
object-group network Blocked_Subnet
 network-object 168.95.5.0 255.255.255.192
object-group network Vendor_Subnet
 network-object 10.7.180.0 255.255.255.0
object-group network Special_Subnets
 group-object IT
 group-object Vendor_Subnet
object-group network MXtremes
 network-object host 1.0.0.117
object-group network WWW
 network-object host 1.0.0.118
 network-object host 1.0.0.110
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
object-group network DMZ_SWITCH
 network-object host 1.0.0.115
 network-object host 1.0.0.116
object-group service LDAP tcp
 port-object eq ldap
object-group network XBH
 network-object host 10.13.100.13
 network-object host 172.16.0.10
 network-object host 172.17.100.50
 network-object host 172.17.100.60
 network-object host 172.17.100.61
 network-object host 172.17.100.62
object-group network MXtremes-FTP-Inside
 network-object host 172.17.200.102
object-group network Outside_Network
 network-object 1.252.30.96 255.255.255.224
 network-object 1.162.70.192 255.255.255.240
 network-object 1.14.179.64 255.255.255.224
object-group network Outside
 network-object 1.0.0.0 255.255.255.248
 network-object 1.0.0.104 255.255.255.248
object-group network Borderware
 network-object host 207.236.65.226
object-group service MXtremes_TCP tcp
 port-object eq https
 port-object eq 10101
object-group network CTXCAG
 network-object host 1.0.0.120
object-group network CTXCAGMGMT
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.190.0 255.255.255.0
object-group service CITRIXCAG tcp
 port-object range 9001 9002
 port-object eq 9005
object-group network CTXFARM
 network-object host 172.17.200.170
 network-object host 172.17.200.173
 network-object host 172.17.200.174
 network-object host 172.17.200.175
 network-object host 172.17.200.176
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.50.0 255.255.255.0
 network-object 172.17.60.0 255.255.255.0
 network-object 10.13.50.0 255.255.255.0
 network-object 10.13.60.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
object-group service CITRIXPROD tcp
 port-object eq www
 port-object eq citrix-ica
 port-object eq 2598
object-group service VNC_TCP tcp
 port-object eq 5900
object-group service backup tcp-udp
 description ports for backupexec
 port-object range 1025 1030
 port-object eq 10000
object-group network VPN_Group2
 network-object 192.168.185.0 255.255.255.0
object-group network VPN_Group1
 network-object 192.168.189.0 255.255.255.0
access-list nonat remark No NAT for Special Subnets
access-list nonat extended permit ip object-group INSIDE object-group CISCOOUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group OUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group1 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group2
access-list inside remark Allow Mail Server to Send Mail to anyone
access-list inside extended permit tcp object-group XBH any eq smtp 
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services 
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi_Worm 
access-list inside remark Deny Kerberos Authentication
access-list inside extended deny object-group TCP-UDP any any object-group Kerberos 
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports 
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Virus 
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zincite_Virus 
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm 
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagle.O_Virus 
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com 
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Dameware 
access-list inside remark Allow SNMP Monitoring to DMZ from Inside
access-list inside extended permit udp object-group Net_Monitor object-group DMZ_NET range snmp snmptrap 
access-list inside remark Allow GTO to do ICMP management to DMZ
access-list inside extended permit icmp object-group IT object-group DMZ_NET 
access-list inside remark Allow GTO to telnet and SSH to DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET range ssh telnet 
access-list inside remark Allow GTO to open http and https on DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group WEB_SERVICES 
access-list inside remark Allow Remote Control of servers by GTO
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group VNC_TCP 
access-list inside remark Allow backupexec to dmz
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group backup 
access-list inside remark Allow CAG Management into the DMZ
access-list inside extended permit tcp object-group CTXCAGMGMT object-group CTXCAG object-group CITRIXCAG 
access-list inside remark Deny other access to DMZ
access-list inside extended deny ip any object-group DMZ_NET 
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any 
access-list nonat_dmz remark No NAT for DMZ Subnets
access-list nonat_dmz extended permit ip object-group DMZ_NET any 
access-list outside remark Permitted Inbound Traffic
access-list outside remark deny this IP to anywhere
access-list outside extended deny ip object-group Blocked_Subnet any 
access-list outside remark TACACS Traffic
access-list outside extended permit tcp object-group CISCOOUTSIDE object-group ACS object-group TACACS 
access-list outside remark MARS Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group MARS object-group MARS_UDP 
access-list outside remark NTP Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group NTP eq ntp 
access-list outside remark allow all ping traffic
access-list outside extended permit icmp any any 
access-list outside remark allow anyone to smtp to Mail Firewalls in DMZ
access-list outside extended permit tcp any object-group MXtremes eq smtp 
access-list outside remark allow Outside network to manage MXtremes
access-list outside extended permit tcp object-group Outside_Network object-group MXtremes eq https 
access-list outside remark allow Borderware support access to MXtreme
access-list outside extended permit tcp object-group Borderware object-group MXtremes object-group MXtremes_TCP 
access-list outside remark allow traffic to access WWW server
access-list outside extended permit tcp any object-group WWW object-group WEB_SERVICES 
access-list outside remark allow SSL to the CAGs from anyone
access-list outside extended permit tcp any object-group CTXCAG object-group WEB_SERVICES 
access-list dmz remark Permitted Inbound Traffic
access-list dmz remark allow TACACS traffic from DMZ Switches to ACS
access-list dmz extended permit tcp object-group DMZ_SWITCH object-group ACS eq tacacs 
access-list dmz remark MARS Traffic
access-list dmz extended permit udp object-group DMZ_SWITCH object-group MARS object-group MARS_UDP 
access-list dmz remark allow DMZ network to get internal time
access-list dmz extended permit udp object-group DMZ_NET object-group NTP eq ntp 
access-list dmz remark allow ping
access-list dmz extended permit icmp any any 
access-list dmz remark allow MXtremes to do LDAP against inside
access-list dmz extended permit tcp object-group MXtremes object-group DC object-group LDAP 
access-list dmz remark allow MXtremes to do DNS lookups inside
access-list dmz extended permit udp object-group MXtremes object-group DC eq domain 
access-list dmz remark deny MXtremes to source WWW and SSL on their own to INSIDE
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow MXtremes WWW and SSL to ANY
access-list dmz extended permit tcp object-group MXtremes any object-group WEB_SERVICES 
access-list dmz remark allow MXtremes to forward mail to Mail servers and Internet
access-list dmz extended permit tcp object-group MXtremes object-group XBH eq smtp 
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE eq smtp 
access-list dmz extended permit tcp object-group MXtremes any eq smtp 
access-list dmz remark Allow MXtremes to upload mail logs to nycsrvmxl1
access-list dmz extended permit tcp object-group MXtremes object-group MXtremes-FTP-Inside range ftp-data ftp 
access-list dmz remark deny Web server to source www and SSL on its own to INSIDE
access-list dmz extended deny tcp object-group WWW object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow Web server WWW and SSL to Anyone
access-list dmz extended permit tcp object-group WWW any object-group WEB_SERVICES 
access-list dmz remark allow Citrix CAGs to Citrix Farm
access-list dmz extended permit tcp object-group CTXCAG object-group CTXFARM object-group CITRIXPROD 
access-list dmz remark deny Citrix CAGs to SSL on its own to INSIDE
access-list dmz extended deny tcp object-group CTXCAG object-group INSIDE eq https 
access-list dmz remark allow Citrix CAGs to SSL on its own to others
access-list dmz extended permit tcp object-group CTXCAG any eq https 
access-list IPS_Inspection remark ASA IPS Inspect following traffic flow
access-list IPS_Inspection extended permit ip object-group INSIDE object-group Outside_Network
access-list IPS_Inspection extended permit ip object-group INSIDE object-group DMZ_NET 
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group1
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group2
access-list IPS_Inspection extended permit ip object-group INSIDE any 
access-list IPS_Inspection extended permit ip object-group DMZ_NET any 
access-list IPS_Inspection extended permit ip object-group Outside_Network any 
access-list IPS_Inspection extended permit ip any object-group Outside 
access-list IPS_Inspection extended permit ip any object-group DMZ_NET 
access-list IPS_Inspection extended permit ip any object-group INSIDE 
access-list IPS_Inspection extended permit ip any any log 
access-list nonat-VPN_Group1 remark No NAT for VPN Group 1
access-list nonat-VPN_Group1 extended permit ip object-group INSIDE object-group VPN_Group1
access-list nonat-VPN_Group2 remark No NAT for VPN Group 2
access-list nonat-VPN_Group2 extended permit ip object-group INSIDE object-group VPN_Group2
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging mail debugging
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool group2 192.168.185.1-192.168.185.254
ip local pool group1 192.168.189.1-192.168.189.254
failover
failover lan interface failover Management0/0.255
failover link state Management0/0.254
failover interface ip failover 192.168.0.249 255.255.255.252 standby 192.168.0.250
failover interface ip state 192.168.0.253 255.255.255.252 standby 192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.0.0.108
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
!
route outside 0.0.0.0 0.0.0.0 1.0.0.105
route inside 10.0.0.0 255.0.0.0 10.7.0.1
route inside 172.16.0.0 255.240.0.0 10.7.0.1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 10.7.200.161
 nt-auth-domain-controller *****
aaa-server TACACS protocol tacacs+
 reactivation-mode depletion deadtime 3
 max-failed-attempts 4
aaa-server TACACS host 172.17.200.231
 key *****
aaa authentication http console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting serial console TACACS
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting command privilege 15 TACACS
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community ****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetoutside
crypto ipsec transform-set set10 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set set20 esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set set10
crypto dynamic-map dynmap 20 set transform-set set20
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 1.252.30.96 255.255.255.224 outside
ssh 1.14.179.64 255.255.255.224 outside
ssh 10.13.100.0 255.255.255.0 inside
ssh 10.13.200.0 255.255.255.0 inside
ssh 10.13.190.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh 172.17.190.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map IPS_Class
 match access-list IPS_Inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
 class IPS_Class
  ips promiscuous fail-open
!
service-policy global_policy global
ntp server 10.4.5.5 source inside
ntp server 172.16.0.5 source inside prefer
group-policy Group1 internal
group-policy Group1 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group1
 default-domain value *****
group-policy Group2 internal
group-policy Group2 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group2
 default-domain value *****
username ***** password ****** encrypted privilege 15
username ***** attributes
 vpn-group-policy Group1
 group-lock value Group1
username ***** password ****** encrypted privilege 15
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 address-pool group2
 authentication-server-group NT_DOMAIN
 default-group-policy Group2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 address-pool group1
 authentication-server-group NT_DOMAIN LOCAL
 default-group-policy Group1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end

Layer 3 Switch 1

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
logging buffered 16384 debugging
enable secret 5 ********
!
username ****** secret 5 ******
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
udld enable
 
ip subnet-zero
ip routing
ip domain-list *****
ip domain-list *****
no ip domain-lookup
ip domain-name *****
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,20,200 priority 16384
spanning-tree vlan 5,7,100 priority 8192
!
vlan internal allocation policy ascending
!
!
!         
!
interface Port-channel1
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/1
 description To Firewall 1
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/7
 description To Layer-2 Private Switch port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,20
 switchport mode trunk
!
interface GigabitEthernet0/8
 description To Layer-2 Switch 3 port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/9
 description To Layer-2 Switch 2 port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,100
 switchport mode trunk
!
interface GigabitEthernet0/10
 description To Layer-2 Switch 1 port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,200
 switchport mode trunk
!
interface GigabitEthernet0/11
 description To Layer-3 Switch 2 port 11
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/12
 description To Layer-3 Switch 2 port 11
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan5
 description Production (Active)
 ip address 10.0.7.2 255.255.255.0
 ip directed-broadcast 30
 standby 5 ip 10.0.7.1
 standby 5 priority 105
 standby 5 preempt
!
interface Vlan7
 description Management (Active)
 ip address 10.7.0.2 255.255.255.0
 standby 7 ip 10.7.0.1
 standby 7 priority 105
 standby 7 preempt
!
interface Vlan20
 description Private Network (Standby)
 ip address 172.20.6.2 255.255.255.0
 standby 20 ip 172.20.6.1
 standby 20 preempt
!
interface Vlan100
 description Server 1 (Active)
 ip address 10.7.100.2 255.255.255.0
 standby 100 ip 10.7.100.1
 standby 100 priority 105
 standby 100 preempt
!
interface Vlan200
 description Server 2 (Standby)
 ip address 10.7.200.2 255.255.255.0
 standby 200 ip 10.7.200.1
!
ip route 0.0.0.0 0.0.0.0 10.7.0.4
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan7
!
logging source-interface Vlan7
logging 172.17.200.232
access-list 30 remark Wake-On LAN
access-list 30 permit 172.17.200.125
access-list 50 permit 10.7.0.0 0.0.0.7
access-list 50 permit 172.17.100.0 0.0.0.255
access-list 50 permit 172.17.190.0 0.0.0.255
access-list 50 permit 172.17.200.0 0.0.0.255
access-list 50 permit 10.13.100.0 0.0.0.255
access-list 50 permit 10.13.190.0 0.0.0.255
access-list 50 permit 10.13.200.0 0.0.0.255
access-list 50 permit 192.168.189.0 0.0.0.255
access-list 50 permit 192.168.190.0 0.0.0.255
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.13.100.0 0.0.0.255
access-list 52 permit 10.13.200.0 0.0.0.255
access-list 115 remark Private Network
access-list 115 deny   icmp any any
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.2
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.10
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.102
access-list 115 permit ip 172.20.6.0 0.0.0.255 172.20.0.0 0.0.255.255
snmp-server community ***** RO 52
tacacs-server host 172.17.200.231 key 7 *******
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!         
line con 0
 logging synchronous
line vty 0 4
 access-class 50 in
 logging synchronous
 transport input ssh
line vty 5 15
 access-class 50 in
 transport input ssh
!
ntp clock-period 36028537
ntp source Vlan7
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end

Layer 3 Switch 2

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
logging buffered 16384 debugging
enable secret 5 *****
!
username ***** secret 5 *****
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
udld enable
 
ip subnet-zero
ip routing
ip domain-list *****
ip domain-list *****
no ip domain-lookup
ip domain-name *****
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,20,200 priority 8192
spanning-tree vlan 5,7,100 priority 16384
!
vlan internal allocation policy ascending
!
!
!         
!
interface Port-channel1
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/1
 description To Firewall 2
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/7
 description To Layer-2 Private Switch port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,20
 switchport mode trunk
!
interface GigabitEthernet0/8
 description To Layer-2 Switch 3 port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/9
 description To Layer-2 Switch 2 port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,200
 switchport mode trunk
!
interface GigabitEthernet0/10
 description To Layer-2 Switch 1 port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,100
 switchport mode trunk
!
interface GigabitEthernet0/11
 description To Layer-3 Switch 1 port 12
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/12
 description To Layer-3 Switch 1 port 12
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan5
 description Production (Standby)
 ip address 10.0.7.3 255.255.255.0
 ip directed-broadcast 30
 standby 5 ip 10.0.7.1
!
interface Vlan7
 description Management (Standby)
 ip address 10.7.0.3 255.255.255.0
 standby 7 ip 10.7.0.1
!
interface Vlan20
 description Private Network (Active)
 ip address 172.20.6.3 255.255.255.0
 standby 20 ip 172.20.6.1
 standby 20 priority 105
 standby 20 preempt
!
interface Vlan100
 description Server 1 (Standby)
 ip address 10.7.100.3 255.255.255.0
 standby 100 ip 10.7.100.1
!
interface Vlan200
 description Server 2 (Active)
 ip address 10.7.200.3 255.255.255.0
 standby 200 ip 10.7.200.1
 standby 200 priority 105
 standby 200 preempt
!
ip route 0.0.0.0 0.0.0.0 10.7.0.4
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan7
!
logging source-interface Vlan7
logging 172.17.200.232
access-list 30 remark Wake-On LAN
access-list 30 permit 172.17.200.125
access-list 50 permit 10.7.0.0 0.0.0.7
access-list 50 permit 172.17.100.0 0.0.0.255
access-list 50 permit 172.17.190.0 0.0.0.255
access-list 50 permit 172.17.200.0 0.0.0.255
access-list 50 permit 10.13.100.0 0.0.0.255
access-list 50 permit 10.13.190.0 0.0.0.255
access-list 50 permit 10.13.200.0 0.0.0.255
access-list 50 permit 192.168.189.0 0.0.0.255
access-list 50 permit 192.168.190.0 0.0.0.255
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.13.100.0 0.0.0.255
access-list 52 permit 10.13.200.0 0.0.0.255
access-list 115 remark Private Network
access-list 115 deny   icmp any any
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.2
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.10
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.102
access-list 115 permit ip 172.20.6.0 0.0.0.255 172.20.0.0 0.0.255.255
snmp-server community ****** RO 52
tacacs-server host 172.17.200.231 key 7 ******
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
 logging synchronous
line vty 0 4
 access-class 50 in
 logging synchronous
 transport input ssh
line vty 5 15
 access-class 50 in
 transport input ssh
!
ntp clock-period 36029003
ntp source Vlan7
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end

Sample 3:


                                          Internet
                                           |    | 
                                           |    | 
                                    Internet    Internet
                                    Router 1    Router 2
                                        |          |
                                        |          |
                           DMZ ----- Firewall   Firewall  (two redundant firewalls)
                                         1         2
                                         |         |
                                         |         |
        Bluecoat ProxySG1 int 0:0 --- Router 1  Router 2 --- Bluecoat ProxySG1 int 1:0
                                         | \     / |
                                         |   \ /   |
                                    Layer-3 ---- Layer-3  (two redundant Layer-3 switches)
                                   Switch 1      Switch 2
                                    |  |  |      |  |  |
                                    |  |  |      |  |  |
                                    |  |  Layer-2   |  |
                                    |  |   Switch   |  |
                                    |  |            |  |
                                    |  Layer-2 Switch  |
                                    |                  |
                                    |                  |
                                    +-- WAN Router 1 --+
                                              |
                                              |
                                        WAN Router 2
                                              |
                                              |
        Bluecoat ProxySG2 int 0:0 ---- Layer-3 Switch --- Firewall --- Internet Router ---   Internet
                                        |    |     |
                                        |    |     |
                                     Layer-2 |  Layer-2
                                     Switch  |  Switch
                                             |
                                       Layer-2 Switch

Background

* The Bluecoat ProxySG appliances do WCCP with routers and switch that support WCCP version 2 "redirect out" command. More detail on WCCP can be found here: »Cisco Forum FAQ »WCCP with Router/MSFC and Blue Coat ProxySG
* Site that has two Internet connections (the HQ) does Internet traffic load share which some subnets take ISP 1 as primary and other subnets take ISP 2 as primary
* The ProxySG appliances intercept outbound traffic from Inside machines out to the Internet and initiate outbound connection using the appliances IP address on behalf of Inside machines as part of the proxy mechanism
* Note that the proxy mechanism could screw up the BGP load share mechanism. Therefore any BGP load share mechanism must occur before the traffic is intercepted or proxied. This is the reason why the HQ has Routers 1 and 2 to do the WCCP for the interception, redirection, and proxy mechanism and let the Layer-3 Switches 1 and 2 do the BGP load share mechanism.
* Similar Routers 1 and 2 are not needed in Branch site since the site only has single Internet connection and no Internet load share.
* All Outbound BGP load share mechanism at HQ site can be seen as "too complex" from Branch site perspective, hence the reason of HQ site has BGP Confederation in place. For more info on BGP Confederation, check out the following link: BGP Case Studies: BGP Confederation

Sample 3 Configuration

Internet Router 1:

interface FastEthernet0
description Internet
ip address dhcp
ip nat outside
no cdp enable
!
interface FastEthernet1
description Firewall 1
ip address 10.0.0.1 255.255.255.252
ip nat inside
!
router bgp 64748
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.0.0.0 mask 255.255.255.252
neighbor 10.0.1.1 remote-as 64750
neighbor 10.0.1.1 description Router 1
neighbor 10.0.1.1 ebgp-multihop 3
neighbor 10.0.1.1 prefix-list NON-IN in
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 10.0.0.0 255.0.0.0 10.0.0.2
ip route 172.16.0.0 255.240.0.0 10.0.0.2
ip route 192.168.0.0 255.255.0.0 10.0.0.2
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.50 80 interface FastEthernet0 80
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255

Internet Router 2:

interface FastEthernet0
description Physical xDSL Interface
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Firewall 2
ip address 10.0.0.5 255.255.255.252
ip nat inside
!
interface Dialer1
description Logical xDSL Interface
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp pap sent-username password
ppp ipcp route default
ppp ipcp dns request
ppp ipcp address accept
!
router bgp 64749
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.0.0.4 mask 255.255.255.252
neighbor 10.0.1.5 remote-as 64750
neighbor 10.0.1.5 description Router 2
neighbor 10.0.1.5 ebgp-multihop 3
neighbor 10.0.1.5 prefix-list NON-IN in
no auto-summary
!
ip route 10.0.0.0 255.0.0.0 10.0.0.6
ip route 172.16.0.0 255.240.0.0 10.0.0.6
ip route 192.168.0.0 255.255.0.0 10.0.0.6
ip nat inside source list 1 interface Dialer1 overload
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
!
dialer-list 1 protocol ip permit

Firewall 1

Firewall 2

Router 1

ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 1
ip address 192.168.66.1 255.255.255.255
!
interface FastEthernet0
description Firewall 1
ip address 10.0.1.1 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Layer-3 Switch 1
ip address 10.0.1.9 255.255.255.252
!
interface FastEthernet2
description Layer-3 Switch 2
ip address 10.0.1.13 255.255.255.252
!
interface FastEthernet3
description Blue Coat ProxySG int 0:0
ip address 10.0.2.1 255.255.255.0
!
router rip
version 2
redistribute bgp 65002 route-map BGP-to-RIP
passive-interface FastEthernet0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65003 65004
network 10.0.1.0 mask 255.255.255.252
network 10.0.2.0 mask 255.255.255.0
neighbor 10.0.0.1 remote-as 64748
neighbor 10.0.0.1 description Internet Router 1
neighbor 10.0.0.1 ebgp-multihop 3
neighbor 10.0.0.1 soft-reconfiguration inbound
neighbor 10.0.1.10 remote-as 65001
neighbor 10.0.1.10 description Layer-3 Switch 1
neighbor 10.0.1.10 soft-reconfiguration inbound
neighbor 10.0.1.14 remote-as 65001
neighbor 10.0.1.14 description Layer-3 Switch 2
neighbor 10.0.1.14 soft-reconfiguration inbound
no auto-summary
!
ip route 10.0.0.1 255.255.255.255 10.0.1.2
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.0 0.0.0.3
access-list 10 deny 10.0.1.8 0.0.0.7
access-list 10 deny 10.0.2.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64748

Router 2

ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 2
ip address 192.168.66.2 255.255.255.255
!
interface FastEthernet0
description Firewall 2
ip address 10.0.1.5 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Layer-3 Switch 1
ip address 10.0.1.17 255.255.255.252
!
interface FastEthernet2
description Layer-3 Switch 2
ip address 10.0.1.21 255.255.255.252
!
interface FastEthernet3
description Blue Coat ProxySG int 1:0
ip address 10.0.3.1 255.255.255.0
!
router rip
version 2
redistribute bgp 65003 route-map BGP-to-RIP
passive-interface FastEthernet0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65003
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65002 65004
network 10.0.1.4 mask 255.255.255.252
network 10.0.3.0 mask 255.255.255.0
neighbor 10.0.0.5 remote-as 64749
neighbor 10.0.0.5 description Internet Router 2
neighbor 10.0.0.5 ebgp-multihop 3
neighbor 10.0.0.5 soft-reconfiguration inbound
neighbor 10.0.1.18 remote-as 65001
neighbor 10.0.1.18 description Layer-3 Switch 1
neighbor 10.0.1.18 soft-reconfiguration inbound
neighbor 10.0.1.22 remote-as 65001
neighbor 10.0.1.22 description Layer-3 Switch 2
neighbor 10.0.1.22 soft-reconfiguration inbound
no auto-summary
!
ip route 10.0.0.5 255.255.255.255 10.0.1.6
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.4 0.0.0.3
access-list 10 deny 10.0.1.16 0.0.0.7
access-list 10 deny 10.0.3.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64749

Blue Coat ProxySG1 configuration

1. Interface


interface 0:0
IP Address     : 10.0.2.6
Subnet Mask    : 255.255.255.0
Default Gateway: 10.0.2.1
 
interface 1:0
IP Address     : 10.0.3.6
Subnet Mask    : 255.255.255.0
Default Gateway: 10.0.3.1

2. WCCP


wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end

3. Static Routes for Home Router IP Address Reachability


192.168.66.1 255.255.255.255 10.0.2.1
192.168.66.2 255.255.255.255 10.0.3.1

Layer-3 Switch 1

vlan 1,11-13,100
!
ip routing
!
interface FastEthernet0/1
description WAN Router 1
no switchport
ip address 10.0.1.25 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Router 1
no switchport
ip address 10.0.1.10 255.255.255.252
!
interface FastEthernet0/11
description To Router 2
no switchport
ip address 10.0.1.14 255.255.255.252
!
interface FastEthernet0/12
description To Layer-3 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description Network Management (Active)
ip address 10.0.11.2 255.255.255.0
standby 11 ip 10.0.11.1
standby 11 priority 105
standby 11 preempt
!
interface Vlan12
description Administration (Standby)
ip address 10.0.12.2 255.255.255.0
standby 12 ip 10.0.12.1
!
interface Vlan13
description Sales (Active)
ip address 10.0.13.2 255.255.255.0
standby 13 ip 10.0.13.1
standby 13 priority 105
standby 13 preempt
!
interface Vlan100
description Server (Standby)
ip address 10.0.100.2 255.255.255.0
standby 100 ip 10.0.100.1
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65002 65003 65004
network 10.0.1.8 mask 255.255.255.252
network 10.0.1.12 mask 255.255.255.252
network 10.0.11.0 mask 255.255.255.0
network 10.0.12.0 mask 255.255.255.0
network 10.0.13.0 mask 255.255.255.0
network 10.0.100.0 mask 255.255.255.0
neighbor 10.0.1.9 remote-as 65002
neighbor 10.0.1.9 description Router 1
neighbor 10.0.1.9 soft-reconfiguration inbound
neighbor 10.0.1.9 route-map ISP1 out
neighbor 10.0.1.13 remote-as 65003
neighbor 10.0.1.13 description Router 2
neighbor 10.0.1.13 soft-reconfiguration inbound
neighbor 10.0.1.13 route-map ISP2 out
neighbor 10.0.1.26 remote-as 65004
neighbor 10.0.1.26 description WAN Router 1
neighbor 10.0.1.26 soft-reconfiguration inbound
neighbor 10.0.11.3 remote-as 65001
neighbor 10.0.11.3 description Layer-3 Switch 2
neighbor 10.0.11.3 soft-reconfiguration inbound
no auto-summary
!
access-list 20 remark Subnets to use ISP1 as Primary
access-list 20 permit 10.0.11.0 0.0.0.255
access-list 20 permit 10.0.100.0 0.0.0.255
access-list 20 permit 10.1.11.0 0.0.0.255
!
access-list 21 remark Subnets to use ISP2 as Primary
access-list 21 permit 10.0.12.0 0.0.0.255
access-list 21 permit 10.0.13.0 0.0.0.255
access-list 21 permit 10.1.12.0 0.0.0.255
access-list 21 permit 10.1.13.0 0.0.0.255
!
route-map ISP1 permit 10
match ip address 20
set local-preference 105
!
route-map ISP1 permit 20
match ip address 21
set local-preference 100
!
route-map ISP2 permit 10
match ip address 20
set local-preference 100
!
route-map ISP2 permit 20
match ip address 21
set local-preference 105

Layer-3 Switch 2

vlan 1,11-13,100
!
ip routing
!
interface FastEthernet0/1
description WAN Router 1
no switchport
ip address 10.0.1.29 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Router 1
no switchport
ip address 10.0.1.18 255.255.255.252
!
interface FastEthernet0/11
description To Router 2
no switchport
ip address 10.0.1.22 255.255.255.252
!
interface FastEthernet0/12
description To Layer-3 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description Network Management (Standby)
ip address 10.0.11.3 255.255.255.0
standby 11 ip 10.0.11.1
!
interface Vlan12
description Administration (Active)
ip address 10.0.12.3 255.255.255.0
standby 12 ip 10.0.12.1
standby 12 priority 105
standby 12 preempt
!
interface Vlan13
description Sales (Standby)
ip address 10.0.13.3 255.255.255.0
standby 13 ip 10.0.13.1
!
interface Vlan100
description Server (Active)
ip address 10.0.100.3 255.255.255.0
standby 100 ip 10.0.100.1
standby 100 priority 105
standby 100 preempt
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65002 65003 65004
network 10.0.1.16 mask 255.255.255.252
network 10.0.1.20 mask 255.255.255.252
network 10.0.11.0 mask 255.255.255.0
network 10.0.12.0 mask 255.255.255.0
network 10.0.13.0 mask 255.255.255.0
network 10.0.100.0 mask 255.255.255.0
neighbor 10.0.1.17 remote-as 65002
neighbor 10.0.1.17 description Router 1
neighbor 10.0.1.17 soft-reconfiguration inbound
neighbor 10.0.1.17 route-map ISP1 out
neighbor 10.0.1.21 remote-as 65003
neighbor 10.0.1.21 description Router 2
neighbor 10.0.1.21 soft-reconfiguration inbound
neighbor 10.0.1.23 route-map ISP2 out
neighbor 10.0.1.30 remote-as 65004
neighbor 10.0.1.30 description WAN Router 1
neighbor 10.0.1.30 soft-reconfiguration inbound
neighbor 10.0.11.2 remote-as 65001
neighbor 10.0.11.2 description Layer-3 Switch 1
neighbor 10.0.11.2 soft-reconfiguration inbound
no auto-summary
!
access-list 20 remark Subnets to use ISP1 as Primary
access-list 20 permit 10.0.11.0 0.0.0.255
access-list 20 permit 10.0.100.0 0.0.0.255
access-list 20 permit 10.1.11.0 0.0.0.255
!
access-list 21 remark Subnets to use ISP2 as Primary
access-list 21 permit 10.0.12.0 0.0.0.255
access-list 21 permit 10.0.13.0 0.0.0.255
access-list 21 permit 10.1.12.0 0.0.0.255
access-list 21 permit 10.1.13.0 0.0.0.255
!
route-map ISP1 permit 10
match ip address 20
set local-preference 105
!
route-map ISP1 permit 20
match ip address 21
set local-preference 100
!
route-map ISP2 permit 10
match ip address 20
set local-preference 100
!
route-map ISP2 permit 20
match ip address 21
set local-preference 105

WAN 1 Router

interface FastEthernet0
description Layer-3 Switch 1
ip address 10.0.1.26 255.255.255.252
!
interface FastEthernet1
description Layer-3 Switch 2
ip address 10.0.1.30 255.255.255.252
!
interface Serial0
description WAN Router 2
ip address 10.250.0.1 255.255.255.252
!
router rip
version 2
redistribute bgp 65004 route-map BGP-to-RIP
passive-interface Serial0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65004
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65002 65003
network 10.0.1.24 mask 255.255.255.252
network 10.0.1.28 mask 255.255.255.252
aggregate-address 10.0.0.0 255.255.0.0
neighbor 10.0.1.25 remote as 65001
neighbor 10.0.1.25 description Layer-3 Switch 1
neighbor 10.0.1.25 soft-reconfiguration inbound
neighbor 10.0.1.29 remote-as 65001
neighbor 10.0.1.29 description Layer-3 Switch 2
neighbor 10.0.1.29 soft-reconfiguration inbound
neighbor 10.250.0.2 remote-as 64751
neighbor 10.250.0.2 description Remote Office
neighbor 10.250.0.2 soft-reconfiguration inbound
neighbor 10.250.0.2 prefix-list HQ out
no auto-summary
!
ip prefix-list HQ description Permitted BGP Subnet Announcement
ip prefix-list HQ seq 10 permit 0.0.0.0/0
ip prefix-list HQ seq 20 permit 10.0.0.0/16
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.24 0.0.0.7
access-list 10 deny 10.250.0.0 0.0.0.3
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64751

WAN 2 Router

interface FastEthernet0
description Layer-3 Switch
ip address 10.1.1.26 255.255.255.252
!
interface Serial0
description WAN Router 1
ip address 10.250.0.2 255.255.255.252
!
router rip
version 2
redistribute bgp 64751 route-map BGP-to-RIP
passive-interface Serial0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 64751
no synchronization
bgp log-neighbor-changes
network 10.1.1.24 mask 255.255.255.252
aggregate-address 10.1.0.0 255.255.0.0
neighbor 10.1.1.25 remote as 64751
neighbor 10.1.1.25 description Internet Router
neighbor 10.1.1.25 soft-reconfiguration inbound
neighbor 10.250.0.1 remote-as 64750
neighbor 10.250.0.1 description HQ
neighbor 10.250.0.1 soft-reconfiguration inbound
neighbor 10.250.0.1 prefix-list Branch out
no auto-summary
!
ip prefix-list Branch description Permitted BGP Subnet Announcement
ip prefix-list Branch seq 10 permit 0.0.0.0/0
ip prefix-list Branch seq 20 permit 10.1.0.0/16
!
access-list 10 remark Permitted Subnets to redistribute
access-list 10 deny 10.250.0.0 0.0.0.3
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
!

Layer-3 Switch

vlan 1,11-13,100
!
ip routing
!
ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
ip address 192.168.67.1 255.255.255.255
!
interface FastEthernet0/1
description WAN Router 2
no switchport
ip address 10.1.1.25 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
description Bluecoat ProxySG2 int 0:0
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Firewall
no switchport
ip address 10.1.1.5 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description Bluecoat ProxySG 2 int 0:0
ip address 10.1.2.1 255.255.255.0
!
interface Vlan11
description Network Management
ip address 10.1.11.1 255.255.255.0
!
interface Vlan12
description Administration
ip address 10.1.12.1 255.255.255.0
!
interface Vlan13
description Sales
ip address 10.1.13.1 255.255.255.0
!
interface Vlan100
description Server
ip address 10.1.100.1 255.255.255.0
!
router rip
version 2
redistribute bgp 64751 route-map BGP-to-RIP
passive-interface FastEthernet0/10
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 64751
no synchronization
bgp log-neighbor-changes
network 10.1.1.4 mask 255.255.255.252
network 10.1.11.0 mask 255.255.255.0
network 10.1.12.0 mask 255.255.255.0
network 10.1.13.0 mask 255.255.255.0
network 10.1.100.0 mask 255.255.255.0
neighbor 10.1.0.1 remote-as 64752
neighbor 10.1.0.1 description Internet Router
neighbor 10.1.0.1 ebgp-multihop 3
neighbor 10.1.0.1 soft-reconfiguration inbound
neighbor 10.1.1.26 remote-as 64751
neighbor 10.1.1.26 description WAN Router 2
neighbor 10.1.1.26 soft-reconfiguration inbound
no auto-summary
!
ip route 10.1.0.1 255.255.255.255 10.1.1.6
!
access-list 10 remark Permitted Subnets to redistribute
access-list 10 deny 10.0.1.16 0.0.0.7
access-list 10 deny 10.0.11.0 0.0.0.255
access-list 10 deny 10.0.12.0 0.0.0.255
access-list 10 deny 10.0.13.0 0.0.0.255
access-list 10 deny 10.0.100.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1

Blue Coat ProxySG2 configuration

1. Interface


interface 0:0
IP Address     : 10.1.2.6
Subnet Mask    : 255.255.255.0
Default Gateway: 10.1.2.1

2. WCCP


wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end

3. Static Routes for Home Router IP Address Reachability


192.168.67.1 255.255.255.255 10.1.2.1

Firewall

Internet Router:

interface FastEthernet0
description Internet
ip address dhcp
ip nat outside
no cdp enable
!
interface FastEthernet1
description Firewall
ip address 10.1.0.1 255.255.255.252
ip nat inside
!
router bgp 64752
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.1.0.0 mask 255.255.255.252
neighbor 10.1.1.5 remote-as 64751
neighbor 10.1.1.5 description Layer-3 Switch
neighbor 10.1.1.5 ebgp-multihop 3
neighbor 10.1.1.5 prefix-list NON-IN in
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 10.0.0.0 255.0.0.0 10.1.0.2
ip route 172.16.0.0 255.240.0.0 10.1.0.2
ip route 192.168.0.0 255.255.0.0 10.1.0.2
!
ip nat inside source list 1 interface FastEthernet0 overload
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255

feedback form

by aryoba
last modified: 2009-08-01 06:49:37


Saturday, 05-Dec 15:08:39	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com.republican-creole

All FAQs » Cisco Forum FAQ » 30.2 Between Router and Layer-3 Switch » 16332

Various Network Design using Routers, Layer-3 Switches, and more (#16332)