网络设备标准化配置文档

设备标准化配置文档

第一节、文档说明

此文档用于生产系统设备的基本配置。按照此文档进行设置即可直接部署生产环境。

第二节、设备分类

1、网络设备

1.1、网络防火墙

1.2、路由器

1.3、核心交换机

2、服务器设备

第三节、具体配置说明

一、网络设备配置说明

1、防火墙配置文档

a、防火墙用户名密码登陆配置

防火墙需要开启SSHAAA认证配置

aaa-server AAA5525 protocol tacacs+

aaa-server AAA5525 (inside) host 192.168.103.101

 key *****

user-identity default-domain LOCAL

aaa authentication ssh console AAA5525

aaa accounting ssh console AAA5525

aaa accounting command AAA5525

b、对内网的IP进行标识

name 192.168.100.0 Run_net

name 192.168.103.0 Watch_net

name 192.168.101.0 BAK_net

name 192.168.90.0 DB_net

c、防火墙端口绑定配置

interface Redundant1

  member-interface GigabitEthernet0/0

  member-interface GigabitEthernet0/2

  nameif inside

  security-level 100

  ip address 10.0.0.1 255.255.255.0

d、在防火墙上做双机热备

failover

failover lan unit primary

failover lan interface fover Redundant2

failover link fover Redundant2

failover interface ip fover 1.1.1.1 255.255.255.252 standby 1.1.1.2

e、防火墙ACL配置

access-list SDH_ACL extended permit tcp any host 192.168.100.11 eq ssh

access-list SDH_ACL extended permit tcp any host 192.168.100.10 eq ssh

c、防火墙NAT配置

object network LT_192.168.100.11-static

  host 192.168.100.11

nat (inside,LToutside) static 210.12.98.231

d、防火墙IPS配置

class-map sfr

  match access-list sfr-redirect

e、开启防火墙的监控功能使用vertion2c

snmp-server host inside 192.168.103.12 community ***** version 2c

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

f、放开对1521长连接的限制

policy-map conns1521

  class conns1521

   set connection conn-max 1000 embryonic-conn-max 3000

   set connection timeout idle 12:00:00

!

service-policy global_policy global

service-policy conns1521 interface inside

prompt hostname context

no call-home reporting anonymous

2、交换机配置文档

a、交换机用户名密码登陆配置

aaa new-model

aaa authentication login AAA3750 group tacacs+

aaa authentication enable default group tacacs+ enable

aaa authorization exec AAA3750 group tacacs+

aaa accounting commands 0 AAA3750 start-stop group tacacs+

aaa accounting commands 15 AAA3750 start-stop group tacacs+

tacacs server AUTH

  address ipv4 192.168.103.101

  key hxt96299

line vty 0 4

  accounting commands 0 AAA3750

  accounting commands 15 AAA3750

  login authentication AAA3750

  transport input ssh

b、双机汇聚配置

interface GigabitEthernet1/0/2

  switchport trunk encapsulation dot1q

  switchport mode trunk

  channel-group 1 mode on

c、使用SSH登陆方式并开启version2

ip ssh version 2

d、开启vlan间路由功能

ip routing

e、配置各个端口使用

interface GigabitEthernet1/0/4

  description IBM_192.168.100.11_master

  switchport access vlan 100

f、不需要的端口对其端口关闭

interface GigabitEthernet1/0/5

shutdow

g、给交换机配置vlan

interface Vlan100

  description RUN_net

  ip address 192.168.100.2 255.255.255.0

  standby 100 ip 192.168.100.1

  standby 100 priority 150

  standby 100 preempt

g、给交换机上配置静态路由

ip route 0.0.0.0 0.0.0.0 10.0.0.1

h、给交换机上配置监控

snmp-server community hxtsd RO

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps flowmon

snmp-server enable traps transceiver all

snmp-server enable traps call-home message-send-fail server-fail

snmp-server enable traps tty

snmp-server enable traps license

snmp-server enable traps auth-framework sec-violation

snmp-server enable traps cluster

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps energywise

snmp-server enable traps fru-ctrl

snmp-server enable traps entity

snmp-server enable traps event-manager

snmp-server enable traps power-ethernet police

snmp-server enable traps cpu threshold

snmp-server enable traps vstack

snmp-server enable traps bridge newroot topologychange

snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps flash insertion removal

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps stackwise

snmp-server enable traps bulkstat collection transfer

snmp-server enable traps errdisable

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps vlan-membership

snmp-server host 192.168.103.12 hxtsd

3、路由器配置文档

a、路由器登陆用户名密码配置

aaa new-model

aaa session-id common

tacacs-server host 149.100.100.12

tacacs-server directed-request

tacacs-server key cisco

line vty 0 4

  transport input ssh

b、端口配置

interface GigabitEthernet0/0

  ip address 149.100.100.31 255.255.255.0

  ip nat inside

ip virtual-reassembly in

  standby 30 ip 149.100.100.30

  standby 30 timers 5 15

  standby 30 priority 150

  standby 30 preempt

  duplex auto

  speed auto

c、静态路由配置

ip route 145.96.29.31 255.255.255.255 145.96.129.77

ip route 145.96.29.52 255.255.255.255 145.96.129.77

dnat配置

ip nat inside source list 1 pool DianLi overload

ip nat inside source static 149.100.100.11 144.96.65.77

相关推荐