• Routing and Switching - An Introduction
• What is the difference between a Layer-3 switch and a router?
• Should I use Layer-3 switch or router?
• Layer-3 Switch recommendation
• Various Network Design using Routers, Layer-3 Switches, and more

Introduction to Routing and Switching

Prerequisite reading
»Cisco Forum FAQ »Quick and Easy Subnetting on Routing, Switching and Network Design Relationship
»Cisco Forum FAQ »Choosing Gateway IP Address for a network
»Cisco Forum FAQ »What is the difference between the different gateways in the routing table?

Brief
Routing
Switching

Industry-Standard RFC
RFC 1180: A TCP/IP Tutorial

Some discussions

»[CCNA] CCNA Help for Test question
»[CCNA] How to show specific mac address in a switch table ?
»[CCNA] Inter VLAN Routing
»UDP Broadcasts across Layer 3 devices
»[CCNA] Load Sharing using static routes

Sample Configuration

Basic DLSw+ Configurations

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2011-12-28 08:23:19

Hopefully this will help settle the long running confusion about Layer-3 switches in this forum...

Some content part of this FAQ is taken out of the CiscoPress book Cisco LAN Switching, pp.451-453; authored by Kennedy Clark CCIE #2175 CCSI, and Kevin Hamilton CCSI Copyright© 1999 Cisco Press

In general, a Layer-3 switch (routing switch) is primarily a switch (a Layer-2 device) that has been enhanced or taught some routing (Layer 3) capabilities. A router is a Layer-3 device that simply do routing only. In the case of a switching router, it is primarily a router that may use switching technology (high-speed ASICs) for speed and performance (as well as also supporting Layer-2 bridging functions).

As illustration, here are some examples

Layer-2 switches
Cisco: Catalyst 2950, 2960 series

Layer-3 switches or routing switches
Cisco: Catalyst 3550, 3560, 3750, 4500, 6500 series
Juniper: EX series

Routers (with some bridging and/or security features) or switching routers
Cisco: 1800, 1900, 2600, 2800, 2900, 3700, 3800, 3900, 7200, 7600, ASR 1000 series
Juniper: MX series, J series, M series

Several factors have created significant confusion surrounding the subject of Layer-3 switch and Layer-3 switching. Some of this bewilderment arises from the recent merging of several technologies. In the past, switches and routers have been separate and distinct devices. The term switch was reserved for hardware-based platforms that generally functioned at Layer-2. For example, ATM switches perform hardware-based forwarding of fixed-length cells whereas Ethernet switches use MAC addresses to make forwarding decisions. Conversely, the term router has been used to refer to a device that runs routing protocols to discover the Layer-3 topology and makes forwarding decisions based on hierarchical Layer-3 addresses. Because of the complexity of these tasks, routers have traditionally been software-based devices. Routers have also performed a wide variety of "high touch" and value added features such as tunneling, data-link switching (DLSw), protocol translation, access lists, and Dynamic Host Configuration Protocol (DHCP) relay.

To understand better of switching router and routing switch differences, following is an illustration. In early Cisco switches (i.e. Catalyst 3500 switches), there are only basic Layer-2 capabilities such as bridging and switching. With newer models (i.e. Catalyst 3550 or 3560 switches), there are also some routing capabilities such as terminating multiple Layer-3 interfaces and running dynamic routing protocol. In router world, early Cisco routers (i.e. 1600 or 2500 model), there are only basic Layer-3 capabilities such as running dynamic routing protocol, terminating Serial ports, and running non-IP protocols such as IPX and SNA. With newer models (i.e. 1700, 1800, 2600 or 2800 models), there are also some Layer-2 capabilities such as bridging and switching. In addition there are some WIC (WAN Interface Cards) and NM (Network Modules) with Ethernet ports supporting bridging and switching in those newer router models even further such as WIC-4ESW Ethernet Switching card for 1700 series, HWIC-4ESW High-Density Ethernet Switching card for 1800 and 2800 series, and NM-16ESW Ethernet Switching module for 2600 and 2800 series.

As a broad category, routing switches use hardware to create shortcut paths through the middle of the network, by bypassing the traditional software-based router. However, unlike traditional routers that utilize general-purpose CPUs for both control-plane and data-plane functions, Layer-3 switches use high-speed application specific integrated circuits (ASICs) in the data plane. By removing CPUs from the data-plane forwarding path, wire-speed performance can be obtained. This results in a much faster version of the traditional router. In Cisco world, this routing switch ASIC technology implementation as example applies to Catalyst 6500 switch series. These kind of switches are typically blade or module based switch which you have to specify which "switch brain" (called Supervisor Engine in Cisco world) and which port modules you like the switch to have.

In the case of a switching router as primarily a router that uses switching technology (high-speed ASICs) for speed and performance (as well as also supporting Layer-2 bridging functions), there are Cisco 7600 series and Juniper MX series routers as examples. These kind of routers are typically blade or module-based router which you have to specify which "router brain" (also called Supervisor Engine in Cisco world) and which port modules you like the router to have.

Further, the Cisco 7600 series router Supervisor Engine modules are compatible with the Cisco Catalyst 6500 series switch due to identical architecture between the router and the switch. In other words, you could use the same Supervisor Engine model on either Cisco 7600 series router or Catalyst 6500 series switch.

Some network topologies as illustrations

1. Single Router

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                         Router
                                            |
                             LAN 1 with Unmanaged Switch (UM)
                                       10.0.1.0/24

2. Single Router with multiple LAN subnets

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                         Router --- LAN 2 with UM 10.0.2.0/24
                                            |
                                      LAN 1 with UM
                                       10.0.1.0/24

3. Single Router with single connection to a switch and with multiple LAN subnets (also known as "Router on A Stick" design)

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                         Router
                                            *
                                            * Single Connection to a Switch using feature  called Trunking
                                            * 
                                  Layer-2 Managed Switch
                                    |       |       |
                                    |     LAN 2     |
                                    |    with UM    |
                                    |  10.0.2.0/24  |
                                    |               |
                                  LAN 1           LAN 3
                                 with UM         with UM
                               10.0.1.0/24     10.0.3.0/24

4. Single Router with Layer-3 Switch and with multiple LAN subnets

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                     Internet Router
                                            |
                                            | 10.0.0.0/24
                                            |
                                      Layer-3 Switch
                                     |     |       |
                                     |   LAN 2     |
                                     |   with UM   |
                                     | 10.0.2.0/24 |
                                     |             |
                                   LAN 1         LAN 3
                                  with UM       with UM
                                10.0.1.0/24   10.0.3.0/24

5. Multiple Routers with multiple unmanaged (dumb) switches and with multiple LAN subnets

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                     Internet Router
                                            |
                                            | 10.0.0.0/24
                                            |
                                   Unmanaged Switch (UM) 
                                     |     |       |
                                     |  Router 2   |
                                     |     |       |
                                     |   LAN 2     |
                                     |   with UM   |
                                     | 10.0.2.0/24 |
                                     |             |
                                  Router 1      Router 3
                                     |             |
                                   LAN 1         LAN 3
                                  with UM       with UM
                                10.0.1.0/24   10.0.3.0/24

Of the variety of other switching devices and terminology released by vendors, Layer-4 and Layer-7 switching have received considerable attention. In general, these approaches refer to the capability of a switch to act on Layer 4 (transport layer) information contained in packets. For example, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers can be used to make decisions affecting issues such as security and Quality of Service (QoS). However, rather than being viewed as a third type of campus switching devices, these should be seen as a logical extension and enhancement to the two types of switches already discussed. In fact, both routing switches and switching routers can perform these upper-layer functions.

For further understanding in differences between the topologies with advantages of one over the other and more, check out the following FAQ
»Cisco Forum FAQ »Should I use Layer-3 switch or router?

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by rolande edited by aryoba
last modified: 2011-08-07 05:45:21

Introduction

In general, you want to use a router when most of the time the device does routing. Likewise, you want to use a switch when when most of the time the device does switching. This statement becomes more apparent when dealing with larger network like an ISP or large corporation.

Example in ISP is that they use routers (at least 7600 series) to have full view of BGP (the edge router). As for their "internal network", they use layer-3 switches (usually Catalyst 6500 series). In smaller environment, companies use something like 800, 1800, or 2800 series router as the Internet router and/or WAN router to their private WAN point-to-point, Frame Relay, or MPLS network while they use Catalyst 3560 series Layer-2/3 switches for local routing between different departments or between servers and hosts, and for some Spanning-Tree with Layer-2 access switches (if any).

The idea of creating Layer-3 switch is basically to efficiently do inter-VLAN routing or to do internal routing between multiple broadcast domains (multiple LAN where each LAN has its own subnet) while keeping Layer-2 features such as spanning tree and trunking. However to deal with "border" or "edge" of the network where there are less spanning tree or trunking (less Layer-2) or where there is a need for Layer-2 network termination (edge network), a router is used since a router is basically designed to handle traffic across the border or the edge network.

For more info, you can check out the following FAQ:
»Cisco Forum FAQ »What is the difference between a Layer-3 switch and a router?

Following is illustration of using Layer-3 switch to do inter-VLAN routing where the LAN 1 is user network, LAN 2 is server network, and LAN 3 is guest network.

                                            Internet
                                               |
                                             Router
                                               |
                                               | 10.0.0.0/24
                                               |
                                         Layer-3 Switch
                                        |      |      |
                                        |    LAN 2    |
                                        | 10.0.2.0/24 |
                                        |             |
                                      LAN 1         LAN 3
                                   10.0.1.0/24   10.0.3.0/24

Sample Configuration of Layer-3 Switch design implementation

Router:

interface FastEthernet0/0
description Internet
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description To Layer-3 Switch
ip address 10.0.0.1 255.255.255.252
ip nat inside
!
ip route 10.0.0.0 255.0.0.0 10.0.0.2
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!

Switch

vlan 1,11-13
!
ip routing
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/5
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/6
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/7
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/8
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/9
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/12
description To Router
no switchport
ip address 10.0.0.2 255.255.255.252
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description LAN 1 - Users
ip address 10.0.1.1 255.255.255.0
!
interface Vlan12
description LAN 2 - Servers
ip address 10.0.2.1 255.255.255.0
!
interface Vlan13
description LAN 3 - Guests
ip address 10.0.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!

Keep in mind that Layer-3 switches' prices in general are not cheap from SOHO users or small businesses' perspective since Layer-3 switches are designed for organizations that need physical hardware separation between router and switch when routing is in need. Therefore should there be cheap Layer-3 switches available, SOHO users or small businesses are more than welcome to use them.

When small businesses need to do inter-VLAN routing (i.e. data interchange between multiple departments) or internal routing between LAN subnets (multiple broadcast domains), there are some "cheap" and might still be reliable solutions beside using layer-3 switches.

One solution is to use a "Router On A Stick" design. Such design consists of a router and a layer-2 switch that are capable of doing trunking. Following is illustration.

                                            Internet
                                               |
                                  Router with Trunking Capability
                                               *
                                               *  Trunk between router and switch
                                               *
                                  Switch with Trunking Capability
                                   |      |       |      |      |
                                   |      |       |      |      |
                                   |    LAN 2     |    LAN 4    |
                                   | 10.0.2.0/24  | 10.0.4.0/24 |
                                   |              |             |
                                 LAN 1          LAN 3         LAN 5
                              10.0.1.0/24    10.0.3.0/24   10.0.5.0/24
 

Sample Configuration of "Router On A Stick" design implementation

Router:

interface FastEthernet0/0
description Internet
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description Trunk to Switch
no ip address
!
interface FastEthernet0/1.2
description Native VLAN
ip address 10.0.0.1 255.255.255.252
encapsulation dot1q 2 native
ip nat inside
!
interface FastEthernet0/1.11
description LAN 1
ip address 10.0.1.1 255.255.255.0
encapsulation dot1q 11
ip nat inside
!
interface FastEthernet0/1.12
description LAN 2
ip address 10.0.2.1 255.255.255.0
encapsulation dot1q 12
ip nat inside
!
interface FastEthernet0/1.13
description LAN 3
ip address 10.0.1.1 255.255.255.0
encapsulation dot1q 13
ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!

Switch

vlan 1-2,11-13
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/3
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/12
description Trunk to Router
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-2,11-13
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description Native VLAN
ip address 10.0.0.2 255.255.255.252
!

Another solution that is probably cheaper is to setup multiple unmanaged (dumb) switches with also multiple routers. While "Router On A Stick" design means single router terminates multiple LAN subnets, this second solution means each router terminates its own LAN subnet. Following is illustration.

                                            Internet
                                               |
                                         Internet Router
                                               |
                                               | 10.0.0.0/24
                                               |
                                        Unmanaged Switch
                                        |      |      |
                                        |   Router 2  |
                                        |      |      |
                                        |    LAN 2    |
                                        | 10.0.2.0/24 |
                                        |             |
                                    Router 1      Router 3
                                        |             |
                                      LAN 1         LAN 3
                                   10.0.1.0/24   10.0.3.0/24

Sample Configuration of multiple router design implementation

1. Static Routing

When there are only few LAN (broadcast domain), then static routing network design should be sufficient.

Internet Router:

interface FastEthernet0/0
description Internet
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description Unmanaged Switch (LAN)
ip address 10.0.0.254 255.255.255.0
ip nat inside
!
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.2
ip route 10.0.3.0 255.255.255.0 10.0.0.3
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!

Router 1

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
description LAN 1
ip address 10.0.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 10.0.2.0 255.255.255.0 10.0.0.2
ip route 10.0.3.0 255.255.255.0 10.0.0.3
!

Router 2

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/1
description LAN 2
ip address 10.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.3.0 255.255.255.0 10.0.0.3
!

Router 3

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.3 255.255.255.0
!
interface FastEthernet0/1
description LAN 3
ip address 10.0.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.2
!

When there are more LAN (broadcast domain) in place or when there are multiple connections to reach the same destination (such as having multiple ISP to connect to the Internet), then network design based on dynamic routing might be more scalable than static route approach. Following is illustration.

                ISP 1                                    ISP 2
                  |                                        |
               Router 1                                 Router 2
                  |                                        |
                  | 10.1.0.0/24                            | 10.2.0.0/24
                  |               10.0.0.0/30              |
           Layer-3 Switch 1 ----------------------- Layer-3 Switch 2
            |      |      | .1                   .2  |      |      |
            |    LAN 2    |                          |    LAN 2    |
            | 10.1.2.0/24 |                          | 10.2.2.0/24 |
            |             |                          |             |
           LAN 1         LAN 3                      LAN 1         LAN 3
        10.1.1.0/24   10.1.3.0/24                10.2.1.0/24   10.2.3.0/24
 
              Building #1                              Building #2

Sample Configuration of multiple router and Layer-3 switch design implementation

2. Dynamic Routing

In this sample configuration, RIP as dynamic routing protocol is used to provide dynamic inter-connectivity between two buildings. You may notice that RIP as the dynamic routing protocol in place decides that machines within Building #1 use ISP 1 to go out to the Internet as default, and will only use ISP #2 through point-to-point link between the two switches when ISP #1 becomes unavailable. Similarly, machines within Building #2 use ISP 2 to go out to the Internet as default, and will only use ISP #1 when ISP #2 becomes unavailable.

Router 1:

interface FastEthernet0/0
description ISP 1
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description Layer-3 Switch 1
ip address 10.1.0.254 255.255.255.0
ip nat inside
!
router rip
version 2
redistribute static route-map STATIC-to-RIP
network 10.0.0.0
no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark Permitted Subnet to access Internet
access-list 1 permit 10.0.0.0 0.3.255.255
access-list 10 remark Permitted Routes to Redistribute
access-list 10 permit 0.0.0.0
!
route-map STATIC-to-RIP permit 10
match ip address 10
set metric 1
!

Switch 1

vlan 1-2,11-13
!
ip routing
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/5
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/6
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/7
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/8
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/9
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/11
description Layer-3 Switch 2 (Building #2)
no switchport
ip address 10.0.0.1 255.255.255.252
ip summary-address rip 10.1.0.0 255.255.0.0
!
interface FastEthernet0/12
description Router 1
switchport access vlan 2
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description Management VLAN
ip address 10.1.0.2 255.255.255.0
!
interface Vlan11
description LAN 1
ip address 10.1.1.1 255.255.255.0
!
interface Vlan12
description LAN 2
ip address 10.1.2.1 255.255.255.0
!
interface Vlan13
description LAN 3
ip address 10.1.3.1 255.255.255.0
!
router rip
version 2
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
network 10.0.0.0
no auto-summary
!

Router 2:

interface FastEthernet0/0
description ISP 2
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description Layer-3 Switch 1
ip address 10.2.0.254 255.255.255.0
ip nat inside
!
router rip
version 2
redistribute static route-map STATIC-to-RIP
network 10.0.0.0
no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark Permitted Subnet to access Internet
access-list 1 permit 10.0.0.0 0.3.255.255
access-list 10 remark Permitted Routes to Redistribute
access-list 10 permit 0.0.0.0
!
route-map STATIC-to-RIP permit 10
match ip address 10
set metric 1
!

Switch 2

vlan 1-2, 11-13
!
ip routing
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/5
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/6
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/7
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/8
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/9
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/11
description Layer-3 Switch 1 (Building #1)
no switchport
ip address 10.0.0.2 255.255.255.252
ip summary-address rip 10.2.0.0 255.255.0.0
!
interface FastEthernet0/12
description Router 2
switchport access vlan 2
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description Management VLAN
ip address 10.2.0.2 255.255.255.0
!
interface Vlan11
description LAN 1
ip address 10.2.1.1 255.255.255.0
!
interface Vlan12
description LAN 2
ip address 10.2.2.1 255.255.255.0
!
interface Vlan13
description LAN 3
ip address 10.2.3.1 255.255.255.0
!
router rip
version 2
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
network 10.0.0.0
no auto-summary
!

Whichever solution to choose, you should always use managed switch instead of unmanaged switch since in general, managed switch is more reliable and has more functionality to tune.

Connectivity to Business Partner's Network

Now let's review the following network topology which is typical datacenter layout or Ethernet-based network topology.

Switch A1 ----- Switch A2
       \        /
         \    /
       Switch A3       External network (business partner)
========================
       Switch B3       Your network
        /     \
      /         \
Switch B1 ----- Switch B2

You have a network consisting of three switches (B1, B2, B3) and there is a business partner's network consisting of also three switches (A1, A2, A3). Each network may or may not run Spanning Tree to avoid Layer-2 network loop. The objective is to interconnect your network and the business partner's network somehow with less equipment in place, less complicated, reliable, and most importantly you still maintain your network control and administration.

One may suggest that you simply run cables between switches A3 and B3 running layer-2 connectivity. By having Layer-2 connectivity, there is a danger of Layer-2 network loop which can bring down network immediately.

From different perspective, you may have to surrender your Layer-2 network control over to your business partner since Layer-2 connectivity requires full control by single network administration and more likely, your business partner is the single network administration rather than yourself. When you have internal Layer-2 network within switches B1, B2, or B3; then you lose control of those internal network administrations as well which is typically unwanted. In other words, permitting your business partner to be the single network administration requires such switches B1, B2, and B3 to be dedicated switches for external connectivity to business partner and no internal Layer-2 network is allowed.

Should there be a need to maintain internal Layer-2 network within switches B1, B2, and B3 while having external connection to your business network, Layer-3 connectivity should be your best bet. Even though there is a thing called Layer-3 network loop, such loop does not bring down network severely as Layer-2 network loop. Further, you still maintain your network integrity while having external connection to your business network with Layer-3 connectivity between your network and business partner's.

At this point, let's consider Layer-3 connectivity between your network and business partner's. For the sake of illustration, assume the following

Your network: 10.10.10.0/24
Your business partner's network: 100.32.10.0/24
Point-to-point WAN between your network and business partner's: 1.1.1.0/30

The internal IP subnet you use within your network is 10.10.10.0/24. For this connectivity, your business network uses 100.32.10.0/24 for your network to reach.

Since there will be Layer-3 connectivity, there must be a device within your network that is able to do routing. One solution is to put a router between Switch A3 and Switch B3 like following

Switch A1 ----- Switch A2
       \        /
         \    /
       Switch A3
           |
         Router
           |
       Switch B3
        /     \
      /         \
Switch B1 ----- Switch B2

Note that the router is on your network edge since the router terminates your Layer-2 network to connect to your business partner's network.

The configurations are the following

Switch B1

vlan 1-2
!
interface FastEthernet0/1
description User 1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
description User 2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
description User 3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
description Switch B2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
description Switch B3
switchport access vlan 2
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description User VLAN
ip address 10.10.10.1 255.255.255.0
!

Switch B2

vlan 1-2
!
interface FastEthernet0/1
description User 4
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
description User 5
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
description User 6
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
description Switch B1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
description Switch B3
switchport access vlan 2
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description User VLAN
ip address 10.10.10.2 255.255.255.0
!

Switch B3

vlan 1-2
!
interface FastEthernet0/1
description User 7
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
description User 8
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
description User 9
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/10
description Router
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
description Switch B1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
description Switch B2
switchport access vlan 2
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description User VLAN
ip address 10.10.10.3 255.255.255.0
!

Router

interface FastEthernet0/0
description Business Partner's Switch A3
ip address 1.1.1.2 255.255.255.252
!
interface FastEthernet0/1
description Switch B3
ip address 10.10.10.254 255.255.255.0
!
ip route 100.32.10.0 255.255.255.0 1.1.1.1
!

When your Switch B3 is a Layer-2/3 switch, then you don't need to put a router between your network and your business partner's since you can utilize the Switch B3 routing functionality to reach the business partner's 100.32.10.0/24 network. No additional router means less equipment to deal with, save physical space, less power consumption, and simplify network topology. The network topology and configuration are as follow

Switch A1 ----- Switch A2
       \        /
         \    /
       Switch A3
           |
           | routing is in place
           |
       Switch B3 (Layer-2/3 switch)
        /     \
      /         \
Switch B1 ----- Switch B2

Switch B1

vlan 1-2
!
interface FastEthernet0/1
description User 1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
description User 2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
description User 3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
description Switch B2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
description Switch B3
switchport access vlan 2
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description User VLAN
ip address 10.10.10.1 255.255.255.0
!

Switch B2

vlan 1-2
!
interface FastEthernet0/1
description User 4
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
description User 5
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
description User 6
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
description Switch B1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
description Switch B3
switchport access vlan 2
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description User VLAN
ip address 10.10.10.2 255.255.255.0
!

Switch B3

vlan 1-2
!
ip routing
!
interface FastEthernet0/1
description User 7
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
description User 8
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
description User 9
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/10
description Switch B1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
description Switch B2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
description Business Partner's Switch A3
no switchport
ip address 1.1.1.2 255.255.255.252
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description User VLAN
ip address 10.10.10.3 255.255.255.0
!
ip route 100.32.10.0 255.255.255.0 1.1.1.1
!

More Sample Design and Configuration
»Cisco Forum FAQ »Various Network Design using Routers, Layer-3 Switches, and more

Some discussions

»Suggestion for cisco 3560 Needed
»HELP...Conguration not working...Cisco 1961
»[Config] What would the switch and router configuration be ???

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2012-01-12 17:02:22

As this FAQ posted, the current Cisco Catalyst layer-3 switches are 3560, 3750, 4500 series, 4900 series, and 6500 series. The following are illustrations of layer-3 switch with examples of Catalyst 3550 and 3560 feature and capabilities. Note that Catalyst 3550 is considered EOL and the current replacement is the 3560.

»RE: can a l3 switch with full dynamic protocol set
»Layer 3 Switches? Recommendations

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2009-06-17 08:54:54

Prerequisite reading
»Cisco Forum FAQ »Should I use Layer-3 switch or router?

The above FAQ link shows some basic network setup using routers and switches. Following is more network design samples that are also common in many organizations.

Sample 1:

                                           Internet
                                              |
                                              |
                                            Router
                                              |
                                              |
                                           Firewall
                                              |
                                              |
                                        Layer-3 Switch
                                         |    |     |
                                         |    |     |
                                      Layer-2 |  Layer-2
                                      Switch  |  Switch
                                              |
                                        Layer-2 Switch

Background

* This sample configuration assumes the Router to do NAT/PAT, firewall to do statefull firewall, and Layer-3 Switch to act as both switch and router to route internal traffic. To learn more about NAT/PAT, check out the following FAQ for detail »Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Sample 1 Configuration

Router

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.0.0.0 255.0.0.0 10.10.10.2
no ip http server
!
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.3.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end
 

PIX Firewall

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network WEB
network-object host 10.10.11.2
object-group network FTP
network-object host 10.10.11.3
object-group network MAIL
network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
port-object eq smtp
port-object eq pop3
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
access-list nonat permit ip any any
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.0.0.0 255.0.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 

Switch

vlan 1,7,11-13
!
ip routing
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/5
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/6
description Management port
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/7
description Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/8
description Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/9
description Layer-2 Switch 1 
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/12
description To Firewall
switchport access vlan 7
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan7
description Management
ip address 10.10.11.2 255.255.255.0
!
interface Vlan11
description LAN 1
ip address 10.0.1.1 255.255.255.0
!
interface Vlan12
description LAN 2
ip address 10.0.2.1 255.255.255.0
!
interface Vlan13
description LAN 3
ip address 10.0.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.11.1
 

Sample 2:

                                           Internet
                                              |
                                              |
                                            Router
                                              |
                                              |
                                            Switch
                                            |    |
                           DMZ ----- Firewall - Firewall  (two redundant firewalls)
                                         1         2
                                         |         |
                                    Layer-3 ---- Layer-3  (two redundant Layer-3 switches)
                                   Switch 1      Switch 2
                                    |  |  |      |  |  |
                                    |  |  |      |  |  |
                                    |  |  Layer-2   |  |
                                    |  |   Switch   |  |
                                    |  |            |  |
                                    |  Layer-2 Switch  |
                                    |                  |
                                    |                  |
                                    +- Layer-2 Switch -+

Background

Switch
* The Layer-3 switches act as Spanning-Tree Root Bridges of all switches and as HSRP service providers. For preliminary info on Root Bridge, check out the following link: Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches. For preliminary info on HSRP, check out the following link: Hot Standby Router Protocol Features and Functionality
* Rapid Spanning Tree protocol is used to provide faster convergence yet stable network. For more info on Rapid Spanning Tree, check out the following link: Understanding Rapid Spanning Tree Protocol (802.1w)
* For some VLAN, the Layer-3 Switch 1 is the Root Bridge primary while the Layer-3 Switch 2 is the backup. For other VLAN, the Layer-3 Switch 2 is the Root Bridge primary while the Layer-3 Switch 1 is the backup.
* Similarly; for some VLAN, the Layer-3 Switch 1 is the HSRP primary while the Layer-3 Switch 2 is the backup. For other VLAN, the Layer-3 Switch 2 is the HSRP primary while the Layer-3 Switch 1 is the backup.
* For VLAN connection reliability, the same Layer-3 switch should be for both Root Bridge and HSRP primary
* In this sample configuration; VLAN 5, 7, 100 Root Bridge and HSRP primaries are at Layer-3 Switch 1 while VLAN 1, 20, 200 Root Bridge and HSRP primaries are at Layer-3 Switch 2
* To avoid unnecessary traffic flow, only some VLAN is allowed to pass through on some trunks between switches
* There is IP routing in place between Layer-3 switches and the firewalls

Firewall
* The firewall could be either PIX Firewall or ASA, running OS 7.x or later
* Firewall setup is LAN-based Active/Standby failover, which in a sense is similar to HSRP/VRRP mechanism where the firewall primary interface IP address is the "virtual" gateway for the interface subnet to reach other network. For more info on PIX/ASA Active/Standby failover, check out the following link: How Failover Works on the Cisco Secure PIX Firewall
* The firewall acts as both Internet firewall and IPSec VPN Concentrator. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

(The Internet or Outside) Router/Switch
* There is a basic Internet firewall at the router to filter absolute questionable inbound traffic from the Internet to the network. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Basic Internet Firewall for Routers without IOS image Firewall feature
* There is no need for the router to do stateful firewall since there is already the firewall appliance (PIX/ASA) to do the stateful firewall functionality

AAA Command Set
* All Cisco devices on this sample configuration uses proper AAA command set for security reason. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level

Sample 2 Configuration

Router

version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 *****
!
username **** secret 5 *****
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-list ****
ip domain-list ****
no ip domain-lookup
ip domain-name ****
!
!
interface FastEthernet0/0
 description To Internet Switch
 ip address 1.0.0.2 255.255.255.248
 speed 100
 duplex full
!
interface Serial0/0
 description To ISP
 ip address 1.1.1.2 255.255.255.252
 ip access-group SecureRouter in
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 1.0.0.112 255.255.255.240 1.0.0.6
ip route 10.0.0.0 255.0.0.0 1.0.0.6
ip route 172.16.0.0 255.240.0.0 1.0.0.6
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface FastEthernet0/0
!
ip access-list extended SecureRouter
 remark Access List used to Secure Perimeter Router
 remark Deny Special Use IP Address Sources (RFC 3330)
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 0.15.255.255 any
 remark Deny Private IP Address Space (RFC 1918)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Permit SSH Traffic
 permit tcp any 1.0.0.104 0.0.0.7 eq 22
 remark Permit Necessary ICMP traffic
 permit icmp any host 1.0.0.2 echo-reply
 permit icmp any host 1.0.0.6 echo-reply
 permit icmp any 1.0.0.104 0.0.0.7 echo-reply
 permit icmp any 1.0.0.112 0.0.0.15 echo-reply
 permit icmp any host 1.0.0.2 unreachable
 permit icmp any host 1.0.0.6 unreachable
 permit icmp any 1.0.0.104 0.0.0.7 unreachable
 permit icmp any 1.0.0.112 0.0.0.15 unreachable
 permit icmp any host 1.0.0.2 time-exceeded
 permit icmp any host 1.0.0.6 time-exceeded
 permit icmp any 1.0.0.104 0.0.0.7 time-exceeded
 permit icmp any 1.0.0.112 0.0.0.15 time-exceeded
 deny   icmp any any
 remark Permit VPN Access
 permit esp any host 1.0.0.106
 permit ahp any host 1.0.0.106
 permit udp any host 1.0.0.106 eq isakmp
 permit udp any host 1.0.0.106 eq non500-isakmp
 remark Permit Internet Firewall to control Global IP Address
 permit ip any host 1.0.0.108
 remark Permit Internet Firewall to control DMZ
 permit ip any 1.0.0.112 0.0.0.15
 remark Permit Established TCP session
 permit tcp any host 1.0.0.2 established
 permit tcp any host 1.0.0.6 established
 permit tcp any 1.0.0.104 0.0.0.7 established
 deny   ip any any
!
logging source-interface FastEthernet0/0
logging 172.17.200.232
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.4.5.0 0.0.0.255
access-list 85 permit 1.169.31.226
access-list 85 permit 1.148.0.138
access-list 85 permit 1.43.53.170
access-list 85 permit 1.87.201.10
access-list 85 permit 1.109.89.198
access-list 85 permit 1.194.74.26
access-list 85 permit 1.194.74.22
access-list 85 permit 1.169.195.194
access-list 85 permit 1.169.198.96 0.0.0.7
access-list 85 permit 172.17.100.0 0.0.0.255
access-list 85 permit 172.17.190.0 0.0.0.255
access-list 85 permit 172.17.200.0 0.0.0.255
access-list 85 permit 10.13.100.0 0.0.0.255
access-list 85 permit 10.13.190.0 0.0.0.255
access-list 85 permit 10.13.200.0 0.0.0.255
access-list 85 permit 12.14.179.64 0.0.0.31
access-list 85 permit 1.117.15.128 0.0.0.31
access-list 85 permit 1.148.22.96 0.0.0.15
access-list 85 permit 1.252.30.96 0.0.0.31
access-list 85 permit 1.128.17.64 0.0.0.15
access-list 85 permit 1.169.34.0 0.0.0.7
access-list 85 permit 1.162.70.192 0.0.0.15
!
snmp-server community ***** RO 52
snmp-server enable traps tty
snmp-server enable traps syslog
tacacs-server host 172.17.200.231
tacacs-server directed-request
tacacs-server key 7 ******
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
line vty 5 15
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
!
ntp clock-period 36028978
ntp source FastEthernet0/0
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
 

Switch (Layer-3 capable)

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 *****
!
username **** secret 5 *****
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-list ****
ip domain-list ****
no ip domain-lookup
ip domain-name ****
!
!
!         
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
 description To Internet Router
 no switchport
 ip address 1.0.0.6 255.255.255.248
 speed 100
 duplex full
!
interface FastEthernet0/2
 no switchport
 no ip address
 speed 100
 duplex full
!
interface FastEthernet0/3
 description ASA Internet Active
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/4
 description ASA Internet Standby
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Outside Network
 ip address 1.0.0.105 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 1.0.0.1
ip route 1.0.0.112 255.255.255.240 1.0.0.106
ip route 10.0.0.0 255.0.0.0 1.0.0.106
ip route 172.16.0.0 255.240.0.0 1.0.0.106
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan2
!
!
logging source-interface Vlan2
logging 172.17.200.232
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.4.5.0 0.0.0.255
access-list 85 permit 1.169.31.226
access-list 85 permit 1.148.0.138
access-list 85 permit 1.43.53.170
access-list 85 permit 1.87.201.10
access-list 85 permit 1.109.89.198
access-list 85 permit 1.194.74.26
access-list 85 permit 1.194.74.22
access-list 85 permit 1.169.195.194
access-list 85 permit 1.169.198.96 0.0.0.7
access-list 85 permit 172.17.100.0 0.0.0.255
access-list 85 permit 172.17.190.0 0.0.0.255
access-list 85 permit 172.17.200.0 0.0.0.255
access-list 85 permit 10.13.100.0 0.0.0.255
access-list 85 permit 10.13.190.0 0.0.0.255
access-list 85 permit 10.13.200.0 0.0.0.255
access-list 85 permit 12.14.179.64 0.0.0.31
access-list 85 permit 1.117.15.128 0.0.0.31
access-list 85 permit 1.148.22.96 0.0.0.15
access-list 85 permit 1.252.30.96 0.0.0.31
access-list 85 permit 1.128.17.64 0.0.0.15
access-list 85 permit 1.169.34.0 0.0.0.7
access-list 85 permit 1.162.70.192 0.0.0.15
!
snmp-server community ***** RO 52
snmp-server enable traps tty
snmp-server enable traps syslog
tacacs-server host 172.17.200.231
tacacs-server directed-request
tacacs-server key 7 ******
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
line vty 5 15
 access-class 85 in
 exec-timeout 30 0
 transport input ssh
!
ntp clock-period 36028978
ntp source Vlan2
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
 

Firewall 1 (Active)

ASA Version 7.2(3) 
!
hostname ****
domain-name ****
enable password ***** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Switch
 nameif outside
 security-level 0
 ip address 1.0.0.106 255.255.255.248 standby 1.0.0.107 
!
interface GigabitEthernet0/1
 description Core Switches
 nameif inside
 security-level 100
 ip address 10.7.0.4 255.255.255.0 standby 10.7.0.5 
!
interface GigabitEthernet0/2
 description DMZ Switches
 nameif dmz
 security-level 50
 ip address 1.0.0.113 255.255.255.240 standby 1.0.0.114 
!
interface GigabitEthernet0/3
!
interface Management0/0
!
interface Management0/0.254
 description STATE Failover Interface
 vlan 254
!
interface Management0/0.255
 description LAN Failover Interface
 vlan 255
!
passwd **** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded. 
banner motd Use of this system is your express consent to such monitoring and recording. 
banner motd 
banner motd ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULTIN CRIMINAL AND/OR CIVIL PENALTIES.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ****
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service Nachi_Worm tcp-udp
 port-object eq 707
object-group service Kerberos tcp-udp
 port-object eq 4444
object-group service MS_Ports tcp-udp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object eq 593
object-group service IM_Virus tcp-udp
 port-object eq 5001
object-group service Zincite_Virus tcp-udp
 port-object eq 1034
object-group service Sasser_Worm tcp
 port-object eq 5554
 port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
 port-object eq 81
object-group network gotomypc.com
 network-object host 66.151.158.177
object-group service Dameware tcp-udp
 port-object eq 6129
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
object-group network INSIDE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network IT
 network-object 172.17.190.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
object-group network Net_Monitor
 network-object host 172.17.200.126
 network-object host 172.17.200.130
 network-object host 172.17.200.131
 network-object host 172.17.200.132
 network-object host 172.17.200.127
object-group network DC
 network-object host 10.13.200.161
 network-object host 172.17.200.161
 network-object host 172.17.200.162
object-group network NTP
 network-object host 172.16.0.5
 network-object host 10.4.5.5
object-group network Internet_Routers
 network-object host 1.0.0.2
 network-object host 1.0.0.6
object-group network Internet_Switches
 network-object host 1.0.0.105
object-group network MARS
 network-object host 172.17.200.232
object-group service SYSLOG udp
 port-object eq syslog
object-group network ACS
 network-object host 172.17.200.231
object-group service TACACS tcp
 port-object eq tacacs
object-group service MARS_UDP udp
 port-object eq syslog
 port-object eq 2055
object-group network CISCOOUTSIDE
 group-object Internet_Routers
 group-object Internet_Switches
object-group network DMZ_NET
 network-object 1.0.0.112 255.255.255.240
object-group network OUTSIDE
 group-object DMZ_NET
object-group network Blocked_Subnet
 network-object 168.95.5.0 255.255.255.192
object-group network Vendor_Subnet
 network-object 10.7.180.0 255.255.255.0
object-group network Special_Subnets
 group-object IT
 group-object Vendor_Subnet
object-group network MXtremes
 network-object host 1.0.0.117
object-group network WWW
 network-object host 1.0.0.118
 network-object host 1.0.0.110
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
object-group network DMZ_SWITCH
 network-object host 1.0.0.115
 network-object host 1.0.0.116
object-group service LDAP tcp
 port-object eq ldap
object-group network XBH
 network-object host 10.13.100.13
 network-object host 172.16.0.10
 network-object host 172.17.100.50
 network-object host 172.17.100.60
 network-object host 172.17.100.61
 network-object host 172.17.100.62
object-group network MXtremes-FTP-Inside
 network-object host 172.17.200.102
object-group network Outside_Network
 network-object 1.252.30.96 255.255.255.224
 network-object 1.162.70.192 255.255.255.240
 network-object 1.14.179.64 255.255.255.224
object-group network Outside
 network-object 1.0.0.0 255.255.255.248
 network-object 1.0.0.104 255.255.255.248
object-group network Borderware
 network-object host 207.236.65.226
object-group service MXtremes_TCP tcp
 port-object eq https
 port-object eq 10101
object-group network CTXCAG
 network-object host 1.0.0.120
object-group network CTXCAGMGMT
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.190.0 255.255.255.0
object-group service CITRIXCAG tcp
 port-object range 9001 9002
 port-object eq 9005
object-group network CTXFARM
 network-object host 172.17.200.170
 network-object host 172.17.200.173
 network-object host 172.17.200.174
 network-object host 172.17.200.175
 network-object host 172.17.200.176
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.50.0 255.255.255.0
 network-object 172.17.60.0 255.255.255.0
 network-object 10.13.50.0 255.255.255.0
 network-object 10.13.60.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
object-group service CITRIXPROD tcp
 port-object eq www
 port-object eq citrix-ica
 port-object eq 2598
object-group service VNC_TCP tcp
 port-object eq 5900
object-group service backup tcp-udp
 description ports for backupexec
 port-object range 1025 1030
 port-object eq 10000
object-group network VPN_Group2
 network-object 192.168.185.0 255.255.255.0
object-group network VPN_Group1
 network-object 192.168.189.0 255.255.255.0
access-list nonat remark No NAT for Special Subnets
access-list nonat extended permit ip object-group INSIDE object-group CISCOOUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group OUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group1 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group2
access-list inside remark Allow Mail Server to Send Mail to anyone
access-list inside extended permit tcp object-group XBH any eq smtp 
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services 
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi_Worm 
access-list inside remark Deny Kerberos Authentication
access-list inside extended deny object-group TCP-UDP any any object-group Kerberos 
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports 
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Virus 
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zincite_Virus 
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm 
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagle.O_Virus 
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com 
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Dameware 
access-list inside remark Allow SNMP Monitoring to DMZ from Inside
access-list inside extended permit udp object-group Net_Monitor object-group DMZ_NET range snmp snmptrap 
access-list inside remark Allow GTO to do ICMP management to DMZ
access-list inside extended permit icmp object-group IT object-group DMZ_NET 
access-list inside remark Allow GTO to telnet and SSH to DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET range ssh telnet 
access-list inside remark Allow GTO to open http and https on DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group WEB_SERVICES 
access-list inside remark Allow Remote Control of servers by GTO
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group VNC_TCP 
access-list inside remark Allow backupexec to dmz
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group backup 
access-list inside remark Allow CAG Management into the DMZ
access-list inside extended permit tcp object-group CTXCAGMGMT object-group CTXCAG object-group CITRIXCAG 
access-list inside remark Deny other access to DMZ
access-list inside extended deny ip any object-group DMZ_NET 
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any 
access-list nonat_dmz remark No NAT for DMZ Subnets
access-list nonat_dmz extended permit ip object-group DMZ_NET any 
access-list outside remark Permitted Inbound Traffic
access-list outside remark deny this IP to anywhere
access-list outside extended deny ip object-group Blocked_Subnet any 
access-list outside remark TACACS Traffic
access-list outside extended permit tcp object-group CISCOOUTSIDE object-group ACS object-group TACACS 
access-list outside remark MARS Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group MARS object-group MARS_UDP 
access-list outside remark NTP Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group NTP eq ntp 
access-list outside remark allow all ping traffic
access-list outside extended permit icmp any any 
access-list outside remark allow anyone to smtp to Mail Firewalls in DMZ
access-list outside extended permit tcp any object-group MXtremes eq smtp 
access-list outside remark allow Outside network to manage MXtremes
access-list outside extended permit tcp object-group Outside_Network object-group MXtremes eq https 
access-list outside remark allow Borderware support access to MXtreme
access-list outside extended permit tcp object-group Borderware object-group MXtremes object-group MXtremes_TCP 
access-list outside remark allow traffic to access WWW server
access-list outside extended permit tcp any object-group WWW object-group WEB_SERVICES 
access-list outside remark allow SSL to the CAGs from anyone
access-list outside extended permit tcp any object-group CTXCAG object-group WEB_SERVICES 
access-list dmz remark Permitted Inbound Traffic
access-list dmz remark allow TACACS traffic from DMZ Switches to ACS
access-list dmz extended permit tcp object-group DMZ_SWITCH object-group ACS eq tacacs 
access-list dmz remark MARS Traffic
access-list dmz extended permit udp object-group DMZ_SWITCH object-group MARS object-group MARS_UDP 
access-list dmz remark allow DMZ network to get internal time
access-list dmz extended permit udp object-group DMZ_NET object-group NTP eq ntp 
access-list dmz remark allow ping
access-list dmz extended permit icmp any any 
access-list dmz remark allow MXtremes to do LDAP against inside
access-list dmz extended permit tcp object-group MXtremes object-group DC object-group LDAP 
access-list dmz remark allow MXtremes to do DNS lookups inside
access-list dmz extended permit udp object-group MXtremes object-group DC eq domain 
access-list dmz remark deny MXtremes to source WWW and SSL on their own to INSIDE
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow MXtremes WWW and SSL to ANY
access-list dmz extended permit tcp object-group MXtremes any object-group WEB_SERVICES 
access-list dmz remark allow MXtremes to forward mail to Mail servers and Internet
access-list dmz extended permit tcp object-group MXtremes object-group XBH eq smtp 
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE eq smtp 
access-list dmz extended permit tcp object-group MXtremes any eq smtp 
access-list dmz remark Allow MXtremes to upload mail logs to nycsrvmxl1
access-list dmz extended permit tcp object-group MXtremes object-group MXtremes-FTP-Inside range ftp-data ftp 
access-list dmz remark deny Web server to source www and SSL on its own to INSIDE
access-list dmz extended deny tcp object-group WWW object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow Web server WWW and SSL to Anyone
access-list dmz extended permit tcp object-group WWW any object-group WEB_SERVICES 
access-list dmz remark allow Citrix CAGs to Citrix Farm
access-list dmz extended permit tcp object-group CTXCAG object-group CTXFARM object-group CITRIXPROD 
access-list dmz remark deny Citrix CAGs to SSL on its own to INSIDE
access-list dmz extended deny tcp object-group CTXCAG object-group INSIDE eq https 
access-list dmz remark allow Citrix CAGs to SSL on its own to others
access-list dmz extended permit tcp object-group CTXCAG any eq https 
access-list IPS_Inspection remark ASA IPS Inspect following traffic flow
access-list IPS_Inspection extended permit ip object-group INSIDE object-group Outside_Network
access-list IPS_Inspection extended permit ip object-group INSIDE object-group DMZ_NET 
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group1
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group2
access-list IPS_Inspection extended permit ip object-group INSIDE any 
access-list IPS_Inspection extended permit ip object-group DMZ_NET any 
access-list IPS_Inspection extended permit ip object-group Outside_Network any 
access-list IPS_Inspection extended permit ip any object-group Outside 
access-list IPS_Inspection extended permit ip any object-group DMZ_NET 
access-list IPS_Inspection extended permit ip any object-group INSIDE 
access-list IPS_Inspection extended permit ip any any log 
access-list nonat-VPN_Group1 remark No NAT for VPN Group 1
access-list nonat-VPN_Group1 extended permit ip object-group INSIDE object-group VPN_Group1
access-list nonat-VPN_Group2 remark No NAT for VPN Group 2
access-list nonat-VPN_Group2 extended permit ip object-group INSIDE object-group VPN_Group2
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging mail debugging
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool group2 192.168.185.1-192.168.185.254
ip local pool group1 192.168.189.1-192.168.189.254
failover
failover lan unit primary
failover lan interface failover Management0/0.255
failover link state Management0/0.254
failover interface ip failover 192.168.0.249 255.255.255.252 standby 192.168.0.250
failover interface ip state 192.168.0.253 255.255.255.252 standby 192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.0.0.108
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
!
route outside 0.0.0.0 0.0.0.0 1.0.0.105
route inside 10.0.0.0 255.0.0.0 10.7.0.1
route inside 172.16.0.0 255.240.0.0 10.7.0.1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 10.7.200.161
 nt-auth-domain-controller *****
aaa-server TACACS protocol tacacs+
 reactivation-mode depletion deadtime 3
 max-failed-attempts 4
aaa-server TACACS host 172.17.200.231
 key *****
aaa authentication http console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting serial console TACACS
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting command privilege 15 TACACS
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community ****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetoutside
crypto ipsec transform-set set10 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set set20 esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set set10
crypto dynamic-map dynmap 20 set transform-set set20
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 1.252.30.96 255.255.255.224 outside
ssh 1.14.179.64 255.255.255.224 outside
ssh 10.13.100.0 255.255.255.0 inside
ssh 10.13.200.0 255.255.255.0 inside
ssh 10.13.190.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh 172.17.190.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map IPS_Class
 match access-list IPS_Inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
 class IPS_Class
  ips promiscuous fail-open
!
service-policy global_policy global
ntp server 10.4.5.5 source inside
ntp server 172.16.0.5 source inside prefer
group-policy Group1 internal
group-policy Group1 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group1
 default-domain value *****
group-policy Group2 internal
group-policy Group2 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group2
 default-domain value *****
username ***** password ****** encrypted privilege 15
username ***** attributes
 vpn-group-policy Group1
 group-lock value Group1
username ***** password ****** encrypted privilege 15
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 address-pool group2
 authentication-server-group NT_DOMAIN
 default-group-policy Group2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 address-pool group1
 authentication-server-group NT_DOMAIN LOCAL
 default-group-policy Group1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end
 

Firewall 2 (Standby)

ASA Version 7.2(3) 
!
hostname ****
domain-name ****
enable password ***** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Switch
 nameif outside
 security-level 0
 ip address 1.0.0.106 255.255.255.248 standby 1.0.0.107 
!
interface GigabitEthernet0/1
 description Core Switches
 nameif inside
 security-level 100
 ip address 10.7.0.4 255.255.255.0 standby 10.7.0.5 
!
interface GigabitEthernet0/2
 description DMZ Switches
 nameif dmz
 security-level 50
 ip address 1.0.0.113 255.255.255.240 standby 1.0.0.114 
!
interface GigabitEthernet0/3
!
interface Management0/0
!
interface Management0/0.254
 description STATE Failover Interface
 vlan 254
!
interface Management0/0.255
 description LAN Failover Interface
 vlan 255
!
passwd **** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded. 
banner motd Use of this system is your express consent to such monitoring and recording. 
banner motd 
banner motd ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULTIN CRIMINAL AND/OR CIVIL PENALTIES.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ****
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service Nachi_Worm tcp-udp
 port-object eq 707
object-group service Kerberos tcp-udp
 port-object eq 4444
object-group service MS_Ports tcp-udp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object eq 593
object-group service IM_Virus tcp-udp
 port-object eq 5001
object-group service Zincite_Virus tcp-udp
 port-object eq 1034
object-group service Sasser_Worm tcp
 port-object eq 5554
 port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
 port-object eq 81
object-group network gotomypc.com
 network-object host 66.151.158.177
object-group service Dameware tcp-udp
 port-object eq 6129
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
object-group network INSIDE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network IT
 network-object 172.17.190.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
object-group network Net_Monitor
 network-object host 172.17.200.126
 network-object host 172.17.200.130
 network-object host 172.17.200.131
 network-object host 172.17.200.132
 network-object host 172.17.200.127
object-group network DC
 network-object host 10.13.200.161
 network-object host 172.17.200.161
 network-object host 172.17.200.162
object-group network NTP
 network-object host 172.16.0.5
 network-object host 10.4.5.5
object-group network Internet_Routers
 network-object host 1.0.0.2
 network-object host 1.0.0.6
object-group network Internet_Switches
 network-object host 1.0.0.105
object-group network MARS
 network-object host 172.17.200.232
object-group service SYSLOG udp
 port-object eq syslog
object-group network ACS
 network-object host 172.17.200.231
object-group service TACACS tcp
 port-object eq tacacs
object-group service MARS_UDP udp
 port-object eq syslog
 port-object eq 2055
object-group network CISCOOUTSIDE
 group-object Internet_Routers
 group-object Internet_Switches
object-group network DMZ_NET
 network-object 1.0.0.112 255.255.255.240
object-group network OUTSIDE
 group-object DMZ_NET
object-group network Blocked_Subnet
 network-object 168.95.5.0 255.255.255.192
object-group network Vendor_Subnet
 network-object 10.7.180.0 255.255.255.0
object-group network Special_Subnets
 group-object IT
 group-object Vendor_Subnet
object-group network MXtremes
 network-object host 1.0.0.117
object-group network WWW
 network-object host 1.0.0.118
 network-object host 1.0.0.110
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
object-group network DMZ_SWITCH
 network-object host 1.0.0.115
 network-object host 1.0.0.116
object-group service LDAP tcp
 port-object eq ldap
object-group network XBH
 network-object host 10.13.100.13
 network-object host 172.16.0.10
 network-object host 172.17.100.50
 network-object host 172.17.100.60
 network-object host 172.17.100.61
 network-object host 172.17.100.62
object-group network MXtremes-FTP-Inside
 network-object host 172.17.200.102
object-group network Outside_Network
 network-object 1.252.30.96 255.255.255.224
 network-object 1.162.70.192 255.255.255.240
 network-object 1.14.179.64 255.255.255.224
object-group network Outside
 network-object 1.0.0.0 255.255.255.248
 network-object 1.0.0.104 255.255.255.248
object-group network Borderware
 network-object host 207.236.65.226
object-group service MXtremes_TCP tcp
 port-object eq https
 port-object eq 10101
object-group network CTXCAG
 network-object host 1.0.0.120
object-group network CTXCAGMGMT
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.190.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.17.200.0 255.255.255.0
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.190.0 255.255.255.0
object-group service CITRIXCAG tcp
 port-object range 9001 9002
 port-object eq 9005
object-group network CTXFARM
 network-object host 172.17.200.170
 network-object host 172.17.200.173
 network-object host 172.17.200.174
 network-object host 172.17.200.175
 network-object host 172.17.200.176
 network-object host 172.17.150.120
 network-object host 172.17.150.121
 network-object host 172.17.150.122
 network-object host 172.17.150.123
 network-object host 172.17.150.124
 network-object 172.17.50.0 255.255.255.0
 network-object 172.17.60.0 255.255.255.0
 network-object 10.13.50.0 255.255.255.0
 network-object 10.13.60.0 255.255.255.0
 network-object 10.13.100.0 255.255.255.0
 network-object 10.13.200.0 255.255.255.0
object-group service CITRIXPROD tcp
 port-object eq www
 port-object eq citrix-ica
 port-object eq 2598
object-group service VNC_TCP tcp
 port-object eq 5900
object-group service backup tcp-udp
 description ports for backupexec
 port-object range 1025 1030
 port-object eq 10000
object-group network VPN_Group2
 network-object 192.168.185.0 255.255.255.0
object-group network VPN_Group1
 network-object 192.168.189.0 255.255.255.0
access-list nonat remark No NAT for Special Subnets
access-list nonat extended permit ip object-group INSIDE object-group CISCOOUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group OUTSIDE 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group1 
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group2
access-list inside remark Allow Mail Server to Send Mail to anyone
access-list inside extended permit tcp object-group XBH any eq smtp 
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services 
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi_Worm 
access-list inside remark Deny Kerberos Authentication
access-list inside extended deny object-group TCP-UDP any any object-group Kerberos 
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports 
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Virus 
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zincite_Virus 
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm 
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagle.O_Virus 
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com 
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Dameware 
access-list inside remark Allow SNMP Monitoring to DMZ from Inside
access-list inside extended permit udp object-group Net_Monitor object-group DMZ_NET range snmp snmptrap 
access-list inside remark Allow GTO to do ICMP management to DMZ
access-list inside extended permit icmp object-group IT object-group DMZ_NET 
access-list inside remark Allow GTO to telnet and SSH to DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET range ssh telnet 
access-list inside remark Allow GTO to open http and https on DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group WEB_SERVICES 
access-list inside remark Allow Remote Control of servers by GTO
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group VNC_TCP 
access-list inside remark Allow backupexec to dmz
access-list inside extended permit tcp object-group IT object-group DMZ_NET object-group backup 
access-list inside remark Allow CAG Management into the DMZ
access-list inside extended permit tcp object-group CTXCAGMGMT object-group CTXCAG object-group CITRIXCAG 
access-list inside remark Deny other access to DMZ
access-list inside extended deny ip any object-group DMZ_NET 
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any 
access-list nonat_dmz remark No NAT for DMZ Subnets
access-list nonat_dmz extended permit ip object-group DMZ_NET any 
access-list outside remark Permitted Inbound Traffic
access-list outside remark deny this IP to anywhere
access-list outside extended deny ip object-group Blocked_Subnet any 
access-list outside remark TACACS Traffic
access-list outside extended permit tcp object-group CISCOOUTSIDE object-group ACS object-group TACACS 
access-list outside remark MARS Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group MARS object-group MARS_UDP 
access-list outside remark NTP Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group NTP eq ntp 
access-list outside remark allow all ping traffic
access-list outside extended permit icmp any any 
access-list outside remark allow anyone to smtp to Mail Firewalls in DMZ
access-list outside extended permit tcp any object-group MXtremes eq smtp 
access-list outside remark allow Outside network to manage MXtremes
access-list outside extended permit tcp object-group Outside_Network object-group MXtremes eq https 
access-list outside remark allow Borderware support access to MXtreme
access-list outside extended permit tcp object-group Borderware object-group MXtremes object-group MXtremes_TCP 
access-list outside remark allow traffic to access WWW server
access-list outside extended permit tcp any object-group WWW object-group WEB_SERVICES 
access-list outside remark allow SSL to the CAGs from anyone
access-list outside extended permit tcp any object-group CTXCAG object-group WEB_SERVICES 
access-list dmz remark Permitted Inbound Traffic
access-list dmz remark allow TACACS traffic from DMZ Switches to ACS
access-list dmz extended permit tcp object-group DMZ_SWITCH object-group ACS eq tacacs 
access-list dmz remark MARS Traffic
access-list dmz extended permit udp object-group DMZ_SWITCH object-group MARS object-group MARS_UDP 
access-list dmz remark allow DMZ network to get internal time
access-list dmz extended permit udp object-group DMZ_NET object-group NTP eq ntp 
access-list dmz remark allow ping
access-list dmz extended permit icmp any any 
access-list dmz remark allow MXtremes to do LDAP against inside
access-list dmz extended permit tcp object-group MXtremes object-group DC object-group LDAP 
access-list dmz remark allow MXtremes to do DNS lookups inside
access-list dmz extended permit udp object-group MXtremes object-group DC eq domain 
access-list dmz remark deny MXtremes to source WWW and SSL on their own to INSIDE
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow MXtremes WWW and SSL to ANY
access-list dmz extended permit tcp object-group MXtremes any object-group WEB_SERVICES 
access-list dmz remark allow MXtremes to forward mail to Mail servers and Internet
access-list dmz extended permit tcp object-group MXtremes object-group XBH eq smtp 
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE eq smtp 
access-list dmz extended permit tcp object-group MXtremes any eq smtp 
access-list dmz remark Allow MXtremes to upload mail logs to nycsrvmxl1
access-list dmz extended permit tcp object-group MXtremes object-group MXtremes-FTP-Inside range ftp-data ftp 
access-list dmz remark deny Web server to source www and SSL on its own to INSIDE
access-list dmz extended deny tcp object-group WWW object-group INSIDE object-group WEB_SERVICES 
access-list dmz remark allow Web server WWW and SSL to Anyone
access-list dmz extended permit tcp object-group WWW any object-group WEB_SERVICES 
access-list dmz remark allow Citrix CAGs to Citrix Farm
access-list dmz extended permit tcp object-group CTXCAG object-group CTXFARM object-group CITRIXPROD 
access-list dmz remark deny Citrix CAGs to SSL on its own to INSIDE
access-list dmz extended deny tcp object-group CTXCAG object-group INSIDE eq https 
access-list dmz remark allow Citrix CAGs to SSL on its own to others
access-list dmz extended permit tcp object-group CTXCAG any eq https 
access-list IPS_Inspection remark ASA IPS Inspect following traffic flow
access-list IPS_Inspection extended permit ip object-group INSIDE object-group Outside_Network
access-list IPS_Inspection extended permit ip object-group INSIDE object-group DMZ_NET 
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group1
access-list IPS_Inspection extended permit ip object-group INSIDE object-group VPN_Group2
access-list IPS_Inspection extended permit ip object-group INSIDE any 
access-list IPS_Inspection extended permit ip object-group DMZ_NET any 
access-list IPS_Inspection extended permit ip object-group Outside_Network any 
access-list IPS_Inspection extended permit ip any object-group Outside 
access-list IPS_Inspection extended permit ip any object-group DMZ_NET 
access-list IPS_Inspection extended permit ip any object-group INSIDE 
access-list IPS_Inspection extended permit ip any any log 
access-list nonat-VPN_Group1 remark No NAT for VPN Group 1
access-list nonat-VPN_Group1 extended permit ip object-group INSIDE object-group VPN_Group1
access-list nonat-VPN_Group2 remark No NAT for VPN Group 2
access-list nonat-VPN_Group2 extended permit ip object-group INSIDE object-group VPN_Group2
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging mail debugging
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool group2 192.168.185.1-192.168.185.254
ip local pool group1 192.168.189.1-192.168.189.254
failover
failover lan interface failover Management0/0.255
failover link state Management0/0.254
failover interface ip failover 192.168.0.249 255.255.255.252 standby 192.168.0.250
failover interface ip state 192.168.0.253 255.255.255.252 standby 192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.0.0.108
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
!
route outside 0.0.0.0 0.0.0.0 1.0.0.105
route inside 10.0.0.0 255.0.0.0 10.7.0.1
route inside 172.16.0.0 255.240.0.0 10.7.0.1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 10.7.200.161
 nt-auth-domain-controller *****
aaa-server TACACS protocol tacacs+
 reactivation-mode depletion deadtime 3
 max-failed-attempts 4
aaa-server TACACS host 172.17.200.231
 key *****
aaa authentication http console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting serial console TACACS
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting command privilege 15 TACACS
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community ****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetoutside
crypto ipsec transform-set set10 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set set20 esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set set10
crypto dynamic-map dynmap 20 set transform-set set20
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 1.252.30.96 255.255.255.224 outside
ssh 1.14.179.64 255.255.255.224 outside
ssh 10.13.100.0 255.255.255.0 inside
ssh 10.13.200.0 255.255.255.0 inside
ssh 10.13.190.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh 172.17.190.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map IPS_Class
 match access-list IPS_Inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
 class IPS_Class
  ips promiscuous fail-open
!
service-policy global_policy global
ntp server 10.4.5.5 source inside
ntp server 172.16.0.5 source inside prefer
group-policy Group1 internal
group-policy Group1 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group1
 default-domain value *****
group-policy Group2 internal
group-policy Group2 attributes
 wins-server value 10.13.100.103
 dns-server value 10.13.100.103
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat-VPN_Group2
 default-domain value *****
username ***** password ****** encrypted privilege 15
username ***** attributes
 vpn-group-policy Group1
 group-lock value Group1
username ***** password ****** encrypted privilege 15
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 address-pool group2
 authentication-server-group NT_DOMAIN
 default-group-policy Group2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 address-pool group1
 authentication-server-group NT_DOMAIN LOCAL
 default-group-policy Group1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end
 

Layer 3 Switch 1

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
logging buffered 16384 debugging
enable secret 5 ********
!
username ****** secret 5 ******
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
udld enable
 
ip subnet-zero
ip routing
ip domain-list *****
ip domain-list *****
no ip domain-lookup
ip domain-name *****
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,20,200 priority 16384
spanning-tree vlan 5,7,100 priority 8192
!
vlan internal allocation policy ascending
!
!
!         
!
interface Port-channel1
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/1
 description To Firewall 1
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/7
 description To Layer-2 Private Switch port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,20
 switchport mode trunk
!
interface GigabitEthernet0/8
 description To Layer-2 Switch 3 port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/9
 description To Layer-2 Switch 2 port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,100
 switchport mode trunk
!
interface GigabitEthernet0/10
 description To Layer-2 Switch 1 port 11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,200
 switchport mode trunk
!
interface GigabitEthernet0/11
 description To Layer-3 Switch 2 port 11
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/12
 description To Layer-3 Switch 2 port 11
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan5
 description Production (Active)
 ip address 10.0.7.2 255.255.255.0
 ip directed-broadcast 30
 standby 5 ip 10.0.7.1
 standby 5 priority 105
 standby 5 preempt
!
interface Vlan7
 description Management (Active)
 ip address 10.7.0.2 255.255.255.0
 standby 7 ip 10.7.0.1
 standby 7 priority 105
 standby 7 preempt
!
interface Vlan20
 description Private Network (Standby)
 ip address 172.20.6.2 255.255.255.0
 standby 20 ip 172.20.6.1
 standby 20 preempt
!
interface Vlan100
 description Server 1 (Active)
 ip address 10.7.100.2 255.255.255.0
 standby 100 ip 10.7.100.1
 standby 100 priority 105
 standby 100 preempt
!
interface Vlan200
 description Server 2 (Standby)
 ip address 10.7.200.2 255.255.255.0
 standby 200 ip 10.7.200.1
!
ip route 0.0.0.0 0.0.0.0 10.7.0.4
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan7
!
logging source-interface Vlan7
logging 172.17.200.232
access-list 30 remark Wake-On LAN
access-list 30 permit 172.17.200.125
access-list 50 permit 10.7.0.0 0.0.0.7
access-list 50 permit 172.17.100.0 0.0.0.255
access-list 50 permit 172.17.190.0 0.0.0.255
access-list 50 permit 172.17.200.0 0.0.0.255
access-list 50 permit 10.13.100.0 0.0.0.255
access-list 50 permit 10.13.190.0 0.0.0.255
access-list 50 permit 10.13.200.0 0.0.0.255
access-list 50 permit 192.168.189.0 0.0.0.255
access-list 50 permit 192.168.190.0 0.0.0.255
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.13.100.0 0.0.0.255
access-list 52 permit 10.13.200.0 0.0.0.255
access-list 115 remark Private Network
access-list 115 deny   icmp any any
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.2
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.10
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.102
access-list 115 permit ip 172.20.6.0 0.0.0.255 172.20.0.0 0.0.255.255
snmp-server community ***** RO 52
tacacs-server host 172.17.200.231 key 7 *******
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!         
line con 0
 logging synchronous
line vty 0 4
 access-class 50 in
 logging synchronous
 transport input ssh
line vty 5 15
 access-class 50 in
 transport input ssh
!
ntp clock-period 36028537
ntp source Vlan7
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
 

Layer 3 Switch 2

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
logging buffered 16384 debugging
enable secret 5 *****
!
username ***** secret 5 *****
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
udld enable
 
ip subnet-zero
ip routing
ip domain-list *****
ip domain-list *****
no ip domain-lookup
ip domain-name *****
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,20,200 priority 8192
spanning-tree vlan 5,7,100 priority 16384
!
vlan internal allocation policy ascending
!
!
!         
!
interface Port-channel1
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/1
 description To Firewall 2
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/7
 description To Layer-2 Private Switch port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,20
 switchport mode trunk
!
interface GigabitEthernet0/8
 description To Layer-2 Switch 3 port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
!
interface GigabitEthernet0/9
 description To Layer-2 Switch 2 port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,200
 switchport mode trunk
!
interface GigabitEthernet0/10
 description To Layer-2 Switch 1 port 12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,100
 switchport mode trunk
!
interface GigabitEthernet0/11
 description To Layer-3 Switch 1 port 12
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/12
 description To Layer-3 Switch 1 port 12
 switchport trunk encapsulation isl
 switchport trunk allowed vlan 1,5,7
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan5
 description Production (Standby)
 ip address 10.0.7.3 255.255.255.0
 ip directed-broadcast 30
 standby 5 ip 10.0.7.1
!
interface Vlan7
 description Management (Standby)
 ip address 10.7.0.3 255.255.255.0
 standby 7 ip 10.7.0.1
!
interface Vlan20
 description Private Network (Active)
 ip address 172.20.6.3 255.255.255.0
 standby 20 ip 172.20.6.1
 standby 20 priority 105
 standby 20 preempt
!
interface Vlan100
 description Server 1 (Standby)
 ip address 10.7.100.3 255.255.255.0
 standby 100 ip 10.7.100.1
!
interface Vlan200
 description Server 2 (Active)
 ip address 10.7.200.3 255.255.255.0
 standby 200 ip 10.7.200.1
 standby 200 priority 105
 standby 200 preempt
!
ip route 0.0.0.0 0.0.0.0 10.7.0.4
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan7
!
logging source-interface Vlan7
logging 172.17.200.232
access-list 30 remark Wake-On LAN
access-list 30 permit 172.17.200.125
access-list 50 permit 10.7.0.0 0.0.0.7
access-list 50 permit 172.17.100.0 0.0.0.255
access-list 50 permit 172.17.190.0 0.0.0.255
access-list 50 permit 172.17.200.0 0.0.0.255
access-list 50 permit 10.13.100.0 0.0.0.255
access-list 50 permit 10.13.190.0 0.0.0.255
access-list 50 permit 10.13.200.0 0.0.0.255
access-list 50 permit 192.168.189.0 0.0.0.255
access-list 50 permit 192.168.190.0 0.0.0.255
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.13.100.0 0.0.0.255
access-list 52 permit 10.13.200.0 0.0.0.255
access-list 115 remark Private Network
access-list 115 deny   icmp any any
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.2
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.10
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.102
access-list 115 permit ip 172.20.6.0 0.0.0.255 172.20.0.0 0.0.255.255
snmp-server community ****** RO 52
tacacs-server host 172.17.200.231 key 7 ******
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.
 
ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
 logging synchronous
line vty 0 4
 access-class 50 in
 logging synchronous
 transport input ssh
line vty 5 15
 access-class 50 in
 transport input ssh
!
ntp clock-period 36029003
ntp source Vlan7
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
 

Sample 3:

                                          Internet
                                           |    | 
                                           |    | 
                                    Internet    Internet
                                    Router 1    Router 2
                                        |          |
                                        |          |
                           DMZ ----- Firewall   Firewall  (two redundant firewalls)
                                         1         2
                                         |         |
                                         |         |
        Bluecoat ProxySG1 int 0:0 --- Router 1  Router 2 --- Bluecoat ProxySG1 int 1:0
                                         | \     / |
                                         |   \ /   |
                                    Layer-3 ---- Layer-3  (two redundant Layer-3 switches)
                                   Switch 1      Switch 2
                                    |  |  |      |  |  |
                                    |  |  |      |  |  |
                                    |  |  Layer-2   |  |
                                    |  |   Switch   |  |
                                    |  |            |  |
                                    |  Layer-2 Switch  |
                                    |                  |
                                    |                  |
                                    +-- WAN Router 1 --+
                                              |
                                              |
                                        WAN Router 2
                                              |
                                              |
        Bluecoat ProxySG2 int 0:0 ---- Layer-3 Switch --- Firewall --- Internet Router ---   Internet
                                        |    |     |
                                        |    |     |
                                     Layer-2 |  Layer-2
                                     Switch  |  Switch
                                             |
                                       Layer-2 Switch

Background

* The Bluecoat ProxySG appliances do WCCP with routers and switch that support WCCP version 2 "redirect out" command. More detail on WCCP can be found here: »Cisco Forum FAQ »WCCP with Router/MSFC and Blue Coat ProxySG
* Site that has two Internet connections (the HQ) does Internet traffic load share which some subnets take ISP 1 as primary and other subnets take ISP 2 as primary
* The ProxySG appliances intercept outbound traffic from Inside machines out to the Internet and initiate outbound connection using the appliances IP address on behalf of Inside machines as part of the proxy mechanism
* Note that the proxy mechanism could screw up the BGP load share mechanism. Therefore any BGP load share mechanism must occur before the traffic is intercepted or proxied. This is the reason why the HQ has Routers 1 and 2 to do the WCCP for the interception, redirection, and proxy mechanism and let the Layer-3 Switches 1 and 2 do the BGP load share mechanism.
* Similar Routers 1 and 2 are not needed in Branch site since the site only has single Internet connection and no Internet load share.
* All Outbound BGP load share mechanism at HQ site can be seen as "too complex" from Branch site perspective, hence the reason of HQ site has BGP Confederation in place. For more info on BGP Confederation, check out the following link: BGP Case Studies: BGP Confederation

Sample 3 Configuration

Internet Router 1:

interface FastEthernet0
description Internet
ip address dhcp
ip nat outside
no cdp enable
!
interface FastEthernet1
description Firewall 1
ip address 10.0.0.1 255.255.255.252
ip nat inside
!
router bgp 64748
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.0.0.0 mask 255.255.255.252
neighbor 10.0.1.1 remote-as 64750
neighbor 10.0.1.1 description Router 1
neighbor 10.0.1.1 ebgp-multihop 3
neighbor 10.0.1.1 prefix-list NON-IN in
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 10.0.0.0 255.0.0.0 10.0.0.2
ip route 172.16.0.0 255.240.0.0 10.0.0.2
ip route 192.168.0.0 255.255.0.0 10.0.0.2
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.50 80 interface FastEthernet0 80
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
 

Internet Router 2:

interface FastEthernet0
description Physical xDSL Interface
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Firewall 2
ip address 10.0.0.5 255.255.255.252
ip nat inside
!
interface Dialer1
description Logical xDSL Interface
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp pap sent-username password
ppp ipcp route default
ppp ipcp dns request
ppp ipcp address accept
!
router bgp 64749
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.0.0.4 mask 255.255.255.252
neighbor 10.0.1.5 remote-as 64750
neighbor 10.0.1.5 description Router 2
neighbor 10.0.1.5 ebgp-multihop 3
neighbor 10.0.1.5 prefix-list NON-IN in
no auto-summary
!
ip route 10.0.0.0 255.0.0.0 10.0.0.6
ip route 172.16.0.0 255.240.0.0 10.0.0.6
ip route 192.168.0.0 255.255.0.0 10.0.0.6
ip nat inside source list 1 interface Dialer1 overload
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
!
dialer-list 1 protocol ip permit
 

Firewall 1

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list outside remark Permitted Inbound Traffic
access-list outside permit icmp any any object-group ICMP-INBOUND
access-list outside permit tcp any host 192.168.0.50 eq 80
ip address outside 10.0.0.2 255.255.255.252
ip address inside 10.0.1.2 255.255.255.252
ip address dmz 192.168.0.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 10.0.0.0 255.0.0.0 10.0.1.1 1
route inside 172.16.0.0 255.240.0.0 10.0.1.1 1
route inside 192.168.0.0 255.255.0.0 10.0.1.1 1
 

Firewall 2

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list outside remark Permitted Inbound Traffic
access-list outside permit icmp any any object-group ICMP-INBOUND
ip address outside 10.0.0.6 255.255.255.252
ip address inside 10.0.1.6 255.255.255.252
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.5 1
route inside 10.0.0.0 255.0.0.0 10.0.1.5 1
route inside 172.16.0.0 255.240.0.0 10.0.1.5 1
route inside 192.168.0.0 255.255.0.0 10.0.1.5 1
 

Router 1

ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 1
ip address 192.168.66.1 255.255.255.255
!
interface FastEthernet0
description Firewall 1
ip address 10.0.1.1 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Layer-3 Switch 1
ip address 10.0.1.9 255.255.255.252
!
interface FastEthernet2
description Layer-3 Switch 2
ip address 10.0.1.13 255.255.255.252
!
interface FastEthernet3
description Blue Coat ProxySG int 0:0
ip address 10.0.2.1 255.255.255.0
!
router rip
version 2
redistribute bgp 65002 route-map BGP-to-RIP
passive-interface FastEthernet0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65003 65004
network 10.0.1.0 mask 255.255.255.252
network 10.0.2.0 mask 255.255.255.0
neighbor 10.0.0.1 remote-as 64748
neighbor 10.0.0.1 description Internet Router 1
neighbor 10.0.0.1 ebgp-multihop 3
neighbor 10.0.0.1 soft-reconfiguration inbound
neighbor 10.0.1.10 remote-as 65001
neighbor 10.0.1.10 description Layer-3 Switch 1
neighbor 10.0.1.10 soft-reconfiguration inbound
neighbor 10.0.1.14 remote-as 65001
neighbor 10.0.1.14 description Layer-3 Switch 2
neighbor 10.0.1.14 soft-reconfiguration inbound
no auto-summary
!
ip route 10.0.0.1 255.255.255.255 10.0.1.2
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.0 0.0.0.3
access-list 10 deny 10.0.1.8 0.0.0.7
access-list 10 deny 10.0.2.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64748
 

Router 2

ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 2
ip address 192.168.66.2 255.255.255.255
!
interface FastEthernet0
description Firewall 2
ip address 10.0.1.5 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Layer-3 Switch 1
ip address 10.0.1.17 255.255.255.252
!
interface FastEthernet2
description Layer-3 Switch 2
ip address 10.0.1.21 255.255.255.252
!
interface FastEthernet3
description Blue Coat ProxySG int 1:0
ip address 10.0.3.1 255.255.255.0
!
router rip
version 2
redistribute bgp 65003 route-map BGP-to-RIP
passive-interface FastEthernet0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65003
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65002 65004
network 10.0.1.4 mask 255.255.255.252
network 10.0.3.0 mask 255.255.255.0
neighbor 10.0.0.5 remote-as 64749
neighbor 10.0.0.5 description Internet Router 2
neighbor 10.0.0.5 ebgp-multihop 3
neighbor 10.0.0.5 soft-reconfiguration inbound
neighbor 10.0.1.18 remote-as 65001
neighbor 10.0.1.18 description Layer-3 Switch 1
neighbor 10.0.1.18 soft-reconfiguration inbound
neighbor 10.0.1.22 remote-as 65001
neighbor 10.0.1.22 description Layer-3 Switch 2
neighbor 10.0.1.22 soft-reconfiguration inbound
no auto-summary
!
ip route 10.0.0.5 255.255.255.255 10.0.1.6
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.4 0.0.0.3
access-list 10 deny 10.0.1.16 0.0.0.7
access-list 10 deny 10.0.3.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64749
 

Blue Coat ProxySG1 configuration

1. Interface

interface 0:0
IP Address     : 10.0.2.6
Subnet Mask    : 255.255.255.0
Default Gateway: 10.0.2.1
 
interface 1:0
IP Address     : 10.0.3.6
Subnet Mask    : 255.255.255.0
Default Gateway: 10.0.3.1

2. WCCP

wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end

3. Static Routes for Home Router IP Address Reachability

192.168.66.1 255.255.255.255 10.0.2.1
192.168.66.2 255.255.255.255 10.0.3.1

Layer-3 Switch 1

vlan 1,11-13,100
!
ip routing
!
interface FastEthernet0/1
description WAN Router 1
no switchport
ip address 10.0.1.25 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Router 1
no switchport
ip address 10.0.1.10 255.255.255.252
!
interface FastEthernet0/11
description To Router 2
no switchport
ip address 10.0.1.14 255.255.255.252
!
interface FastEthernet0/12
description To Layer-3 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description Network Management (Active)
ip address 10.0.11.2 255.255.255.0
standby 11 ip 10.0.11.1
standby 11 priority 105
standby 11 preempt
!
interface Vlan12
description Administration (Standby)
ip address 10.0.12.2 255.255.255.0
standby 12 ip 10.0.12.1
!
interface Vlan13
description Sales (Active)
ip address 10.0.13.2 255.255.255.0
standby 13 ip 10.0.13.1
standby 13 priority 105
standby 13 preempt
!
interface Vlan100
description Server (Standby)
ip address 10.0.100.2 255.255.255.0
standby 100 ip 10.0.100.1
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65002 65003 65004
network 10.0.1.8 mask 255.255.255.252
network 10.0.1.12 mask 255.255.255.252
network 10.0.11.0 mask 255.255.255.0
network 10.0.12.0 mask 255.255.255.0
network 10.0.13.0 mask 255.255.255.0
network 10.0.100.0 mask 255.255.255.0
neighbor 10.0.1.9 remote-as 65002
neighbor 10.0.1.9 description Router 1
neighbor 10.0.1.9 soft-reconfiguration inbound
neighbor 10.0.1.9 route-map ISP1 out
neighbor 10.0.1.13 remote-as 65003
neighbor 10.0.1.13 description Router 2
neighbor 10.0.1.13 soft-reconfiguration inbound
neighbor 10.0.1.13 route-map ISP2 out
neighbor 10.0.1.26 remote-as 65004
neighbor 10.0.1.26 description WAN Router 1
neighbor 10.0.1.26 soft-reconfiguration inbound
neighbor 10.0.11.3 remote-as 65001
neighbor 10.0.11.3 description Layer-3 Switch 2
neighbor 10.0.11.3 soft-reconfiguration inbound
no auto-summary
!
access-list 20 remark Subnets to use ISP1 as Primary
access-list 20 permit 10.0.11.0 0.0.0.255
access-list 20 permit 10.0.100.0 0.0.0.255
access-list 20 permit 10.1.11.0 0.0.0.255
!
access-list 21 remark Subnets to use ISP2 as Primary
access-list 21 permit 10.0.12.0 0.0.0.255
access-list 21 permit 10.0.13.0 0.0.0.255
access-list 21 permit 10.1.12.0 0.0.0.255
access-list 21 permit 10.1.13.0 0.0.0.255
!
route-map ISP1 permit 10
match ip address 20
set local-preference 105
!
route-map ISP1 permit 20
match ip address 21
set local-preference 100
!
route-map ISP2 permit 10
match ip address 20
set local-preference 100
!
route-map ISP2 permit 20
match ip address 21
set local-preference 105
 

Layer-3 Switch 2

vlan 1,11-13,100
!
ip routing
!
interface FastEthernet0/1
description WAN Router 1
no switchport
ip address 10.0.1.29 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Router 1
no switchport
ip address 10.0.1.18 255.255.255.252
!
interface FastEthernet0/11
description To Router 2
no switchport
ip address 10.0.1.22 255.255.255.252
!
interface FastEthernet0/12
description To Layer-3 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description Network Management (Standby)
ip address 10.0.11.3 255.255.255.0
standby 11 ip 10.0.11.1
!
interface Vlan12
description Administration (Active)
ip address 10.0.12.3 255.255.255.0
standby 12 ip 10.0.12.1
standby 12 priority 105
standby 12 preempt
!
interface Vlan13
description Sales (Standby)
ip address 10.0.13.3 255.255.255.0
standby 13 ip 10.0.13.1
!
interface Vlan100
description Server (Active)
ip address 10.0.100.3 255.255.255.0
standby 100 ip 10.0.100.1
standby 100 priority 105
standby 100 preempt
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65002 65003 65004
network 10.0.1.16 mask 255.255.255.252
network 10.0.1.20 mask 255.255.255.252
network 10.0.11.0 mask 255.255.255.0
network 10.0.12.0 mask 255.255.255.0
network 10.0.13.0 mask 255.255.255.0
network 10.0.100.0 mask 255.255.255.0
neighbor 10.0.1.17 remote-as 65002
neighbor 10.0.1.17 description Router 1
neighbor 10.0.1.17 soft-reconfiguration inbound
neighbor 10.0.1.17 route-map ISP1 out
neighbor 10.0.1.21 remote-as 65003
neighbor 10.0.1.21 description Router 2
neighbor 10.0.1.21 soft-reconfiguration inbound
neighbor 10.0.1.23 route-map ISP2 out
neighbor 10.0.1.30 remote-as 65004
neighbor 10.0.1.30 description WAN Router 1
neighbor 10.0.1.30 soft-reconfiguration inbound
neighbor 10.0.11.2 remote-as 65001
neighbor 10.0.11.2 description Layer-3 Switch 1
neighbor 10.0.11.2 soft-reconfiguration inbound
no auto-summary
!
access-list 20 remark Subnets to use ISP1 as Primary
access-list 20 permit 10.0.11.0 0.0.0.255
access-list 20 permit 10.0.100.0 0.0.0.255
access-list 20 permit 10.1.11.0 0.0.0.255
!
access-list 21 remark Subnets to use ISP2 as Primary
access-list 21 permit 10.0.12.0 0.0.0.255
access-list 21 permit 10.0.13.0 0.0.0.255
access-list 21 permit 10.1.12.0 0.0.0.255
access-list 21 permit 10.1.13.0 0.0.0.255
!
route-map ISP1 permit 10
match ip address 20
set local-preference 105
!
route-map ISP1 permit 20
match ip address 21
set local-preference 100
!
route-map ISP2 permit 10
match ip address 20
set local-preference 100
!
route-map ISP2 permit 20
match ip address 21
set local-preference 105
 

WAN 1 Router

interface FastEthernet0
description Layer-3 Switch 1
ip address 10.0.1.26 255.255.255.252
!
interface FastEthernet1
description Layer-3 Switch 2
ip address 10.0.1.30 255.255.255.252
!
interface Serial0
description WAN Router 2
ip address 10.250.0.1 255.255.255.252
!
router rip
version 2
redistribute bgp 65004 route-map BGP-to-RIP
passive-interface Serial0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65004
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65002 65003
network 10.0.1.24 mask 255.255.255.252
network 10.0.1.28 mask 255.255.255.252
aggregate-address 10.0.0.0 255.255.0.0
neighbor 10.0.1.25 remote as 65001
neighbor 10.0.1.25 description Layer-3 Switch 1
neighbor 10.0.1.25 soft-reconfiguration inbound
neighbor 10.0.1.29 remote-as 65001
neighbor 10.0.1.29 description Layer-3 Switch 2
neighbor 10.0.1.29 soft-reconfiguration inbound
neighbor 10.250.0.2 remote-as 64751
neighbor 10.250.0.2 description Remote Office
neighbor 10.250.0.2 soft-reconfiguration inbound
neighbor 10.250.0.2 prefix-list HQ out
no auto-summary
!
ip prefix-list HQ description Permitted BGP Subnet Announcement
ip prefix-list HQ seq 10 permit 0.0.0.0/0
ip prefix-list HQ seq 20 permit 10.0.0.0/16
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.24 0.0.0.7
access-list 10 deny 10.250.0.0 0.0.0.3
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64751
 

WAN 2 Router

interface FastEthernet0
description Layer-3 Switch
ip address 10.1.1.26 255.255.255.252
!
interface Serial0
description WAN Router 1
ip address 10.250.0.2 255.255.255.252
!
router rip
version 2
redistribute bgp 64751 route-map BGP-to-RIP
passive-interface Serial0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 64751
no synchronization
bgp log-neighbor-changes
network 10.1.1.24 mask 255.255.255.252
aggregate-address 10.1.0.0 255.255.0.0
neighbor 10.1.1.25 remote as 64751
neighbor 10.1.1.25 description Internet Router
neighbor 10.1.1.25 soft-reconfiguration inbound
neighbor 10.250.0.1 remote-as 64750
neighbor 10.250.0.1 description HQ
neighbor 10.250.0.1 soft-reconfiguration inbound
neighbor 10.250.0.1 prefix-list Branch out
no auto-summary
!
ip prefix-list Branch description Permitted BGP Subnet Announcement
ip prefix-list Branch seq 10 permit 0.0.0.0/0
ip prefix-list Branch seq 20 permit 10.1.0.0/16
!
access-list 10 remark Permitted Subnets to redistribute
access-list 10 deny 10.250.0.0 0.0.0.3
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
!
 

Layer-3 Switch

vlan 1,11-13,100
!
ip routing
!
ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
ip address 192.168.67.1 255.255.255.255
!
interface FastEthernet0/1
description WAN Router 2
no switchport
ip address 10.1.1.25 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
description Bluecoat ProxySG2 int 0:0
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Firewall
no switchport
ip address 10.1.1.5 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description Bluecoat ProxySG 2 int 0:0
ip address 10.1.2.1 255.255.255.0
!
interface Vlan11
description Network Management
ip address 10.1.11.1 255.255.255.0
!
interface Vlan12
description Administration
ip address 10.1.12.1 255.255.255.0
!
interface Vlan13
description Sales
ip address 10.1.13.1 255.255.255.0
!
interface Vlan100
description Server
ip address 10.1.100.1 255.255.255.0
!
router rip
version 2
redistribute bgp 64751 route-map BGP-to-RIP
passive-interface FastEthernet0/10
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 64751
no synchronization
bgp log-neighbor-changes
network 10.1.1.4 mask 255.255.255.252
network 10.1.11.0 mask 255.255.255.0
network 10.1.12.0 mask 255.255.255.0
network 10.1.13.0 mask 255.255.255.0
network 10.1.100.0 mask 255.255.255.0
neighbor 10.1.0.1 remote-as 64752
neighbor 10.1.0.1 description Internet Router
neighbor 10.1.0.1 ebgp-multihop 3
neighbor 10.1.0.1 soft-reconfiguration inbound
neighbor 10.1.1.26 remote-as 64751
neighbor 10.1.1.26 description WAN Router 2
neighbor 10.1.1.26 soft-reconfiguration inbound
no auto-summary
!
ip route 10.1.0.1 255.255.255.255 10.1.1.6
!
access-list 10 remark Permitted Subnets to redistribute
access-list 10 deny 10.0.1.16 0.0.0.7
access-list 10 deny 10.0.11.0 0.0.0.255
access-list 10 deny 10.0.12.0 0.0.0.255
access-list 10 deny 10.0.13.0 0.0.0.255
access-list 10 deny 10.0.100.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
 

Blue Coat ProxySG2 configuration

1. Interface

interface 0:0
IP Address     : 10.1.2.6
Subnet Mask    : 255.255.255.0
Default Gateway: 10.1.2.1

2. WCCP

wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end

3. Static Routes for Home Router IP Address Reachability

192.168.67.1 255.255.255.255 10.1.2.1

Firewall

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list outside remark Permitted Inbound Traffic
access-list outside permit icmp any any object-group ICMP-INBOUND
ip address outside 10.1.0.2 255.255.255.252
ip address inside 10.1.1.6 255.255.255.252
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.1.0.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.5 1
route inside 172.16.0.0 255.240.0.0 10.1.1.5 1
route inside 192.168.0.0 255.255.0.0 10.1.1.5 1
 

Internet Router:

interface FastEthernet0
description Internet
ip address dhcp
ip nat outside
no cdp enable
!
interface FastEthernet1
description Firewall
ip address 10.1.0.1 255.255.255.252
ip nat inside
!
router bgp 64752
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.1.0.0 mask 255.255.255.252
neighbor 10.1.1.5 remote-as 64751
neighbor 10.1.1.5 description Layer-3 Switch
neighbor 10.1.1.5 ebgp-multihop 3
neighbor 10.1.1.5 prefix-list NON-IN in
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 10.0.0.0 255.0.0.0 10.1.0.2
ip route 172.16.0.0 255.240.0.0 10.1.0.2
ip route 192.168.0.0 255.255.0.0 10.1.0.2
!
ip nat inside source list 1 interface FastEthernet0 overload
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
 

Some discussions

»DHCP Question
»Design concept!

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2010-07-27 12:59:15