returnspace 2020-06-10
Device Standard Configuration Document
Section 1. Document Description
This document covers the basic configuration of production-system devices. A device configured according to this document can be deployed directly into the production environment.
Section 2. Device Classification
1. Network devices
1.1 Network firewall
1.2 Router
1.3 Core switch
2. Server devices
Section 3. Detailed Configuration Notes
I. Network device configuration
1. Firewall configuration
a. Firewall username and password login configuration
The firewall needs SSH and AAA authentication enabled:
aaa-server AAA5525 protocol tacacs+
aaa-server AAA5525 (inside) host 192.168.103.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console AAA5525
aaa accounting ssh console AAA5525
aaa accounting command AAA5525
b. Naming the internal network address ranges
name 192.168.100.0 Run_net
name 192.168.103.0 Watch_net
name 192.168.101.0 BAK_net
name 192.168.90.0 DB_net
c. Firewall interface bonding (redundant interface) configuration
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
d. Dual-firewall hot standby (failover) configuration
failover
failover lan unit primary
failover lan interface fover Redundant2
failover link fover Redundant2
failover interface ip fover 1.1.1.1 255.255.255.252 standby 1.1.1.2
e. Firewall ACL configuration
access-list SDH_ACL extended permit tcp any host 192.168.100.11 eq ssh
access-list SDH_ACL extended permit tcp any host 192.168.100.10 eq ssh
f. Firewall NAT configuration
object network LT_192.168.100.11-static
host 192.168.100.11
nat (inside,LToutside) static 210.12.98.231
g. Firewall IPS configuration
class-map sfr
match access-list sfr-redirect
h. Enable firewall monitoring using SNMP version 2c
snmp-server host inside 192.168.103.12 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
i. Relax the limits on long-lived port 1521 connections
policy-map conns1521
class conns1521
set connection conn-max 1000 embryonic-conn-max 3000
set connection timeout idle 12:00:00
!
service-policy global_policy global
service-policy conns1521 interface inside
prompt hostname context
no call-home reporting anonymous
2. Switch configuration
a. Switch username and password login configuration
aaa new-model
aaa authentication login AAA3750 group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec AAA3750 group tacacs+
aaa accounting commands 0 AAA3750 start-stop group tacacs+
aaa accounting commands 15 AAA3750 start-stop group tacacs+
tacacs server AUTH
address ipv4 192.168.103.101
key hxt96299
line vty 0 4
accounting commands 0 AAA3750
accounting commands 15 AAA3750
login authentication AAA3750
transport input ssh
b. Dual-switch link aggregation configuration
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
c. Use SSH login and enable version 2
ip ssh version 2
d. Enable inter-VLAN routing
ip routing
e. Configure each port in use
interface GigabitEthernet1/0/4
description IBM_192.168.100.11_master
switchport access vlan 100
f. Shut down ports that are not needed
interface GigabitEthernet1/0/5
shutdown
g. Configure VLANs on the switch
interface Vlan100
description RUN_net
ip address 192.168.100.2 255.255.255.0
standby 100 ip 192.168.100.1
standby 100 priority 150
standby 100 preempt
h. Configure static routes on the switch
ip route 0.0.0.0 0.0.0.0 10.0.0.1
i. Configure monitoring on the switch
snmp-server community hxtsd RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps cluster
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.103.12 hxtsd
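As an added example (not part of the original document or its device configurations), a small Python checker that audits a switch running-config excerpt against the baseline in section 2 above: AAA and SSH version 2 enabled, vty lines limited to SSH with an AAA login method, unused ports shut down, and no read-write or well-known SNMP community. The sample config text and the `parse_blocks`/`audit` functions are constructed for this example.

```python
import re
# Constructed sample running-config excerpt (not captured from a real device).
# It follows the switch baseline except for two deliberate deviations: an
# unused port left up and a well-known read-write SNMP community.
SAMPLE_CONFIG = """\
aaa new-model
ip ssh version 2
interface GigabitEthernet1/0/4
 description IBM_192.168.100.11_master
 switchport access vlan 100
interface GigabitEthernet1/0/5
 shutdown
interface GigabitEthernet1/0/6
snmp-server community public RW
snmp-server host 192.168.103.12 hxtsd
line vty 0 4
 login authentication AAA3750
 transport input ssh
"""
# Child commands that mark a switch port as intentionally in use.
IN_USE = ("description", "switchport access vlan", "switchport mode trunk", "channel-group")

def parse_blocks(config: str) -> dict:
    """Group indented child lines under their parent command (interface, line ...)."""
    blocks, current = {}, ""
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" "):
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config: str) -> list:
    """Return baseline deviations as strings; an empty list means compliant."""
    blocks, findings = parse_blocks(config), []
    for required in ("aaa new-model", "ip ssh version 2"):
        if required not in blocks:
            findings.append(f"missing required command: {required}")
    for name, children in blocks.items():
        if name.startswith("interface GigabitEthernet"):
            if not any(c.startswith(IN_USE) for c in children) and "shutdown" not in children:
                findings.append(f"{name}: unused port not shut down")
        elif name.startswith("line vty"):
            if "transport input ssh" not in children or not any(c.startswith("login authentication") for c in children):
                findings.append(f"{name}: vty not restricted to SSH with AAA login")
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?$", name)
        if m and (m.group(2) == "RW" or m.group(1).lower() in ("public", "private")):
            findings.append(f"weak SNMP community: {name}")
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to list the deviations for a device; the two planted deviations in the sample are reported and a corrected copy returns an empty list.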
3. Router configuration
a. Router login username and password configuration
aaa new-model
aaa session-id common
tacacs-server host 149.100.100.12
tacacs-server directed-request
tacacs-server key cisco
line vty 0 4
transport input ssh
b. Interface configuration
interface GigabitEthernet0/0
ip address 149.100.100.31 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 30 ip 149.100.100.30
standby 30 timers 5 15
standby 30 priority 150
standby 30 preempt
duplex auto
speed auto
c. Static route configuration
ip route 145.96.29.31 255.255.255.255 145.96.129.77
ip route 145.96.29.52 255.255.255.255 145.96.129.77
d. NAT configuration
ip nat inside source list 1 pool DianLi overload
ip nat inside source static 149.100.100.11 144.96.65.77