The purpose of this article is to show technical staff who already have some configuration experience what a production switch configuration should look like in terms of good practice. Since the readers are all experts, there is no need for much descriptive text.
3560A#sh run
Building configuration...
Current configuration : 5756 bytes
!
! Last configuration change at 17:12:04 CST Wed Dec 19 2007 by admin
! NVRAM config last updated at 12:07:45 CST Thu Dec 13 2007 by admin
!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname 3560A
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
! the following line will bring user xxxxx into enable mode after he is authenticated
username xxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxx
no aaa new-model
clock timezone CST 8
ip subnet-zero
ip routing
no ip domain-lookup
! give your other switches convenient names
ip host 2970b 172.17.0.5
ip host 2950a 172.17.0.7
ip host 2960a 172.17.0.6
ip host 2970a 172.17.0.4
ip host 3560b 172.17.0.3
!
login on-failure log
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1,10,59,172,192,900-901,1000 priority 24576
! I configured my other Cisco 3560 (3560b) as the secondary root for those VLANs.
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
! write accurate description for the ports connected to important servers or devices
description connection to IDC c6509
switchport access vlan 59
switchport mode access
ip access-group xx_mini_acl in
!
interface GigabitEthernet0/2
switchport access vlan 59
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/4
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/5
description connection to outside(eth0|OUT) port of pix
switchport access vlan 10
switchport mode access
shutdown
duplex full
!
interface GigabitEthernet0/6
description connection to inside(eth1|IN) port of pix
switchport access vlan 172
switchport mode access
shutdown
duplex full
!
interface GigabitEthernet0/7
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/8
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/9
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/10
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/11
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/12
switchport access vlan 10
switchport mode access
shutdown
!
interface GigabitEthernet0/13
description connection to dlink switch(remote control card)
switchport access vlan 192
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 192
shutdown
!
interface GigabitEthernet0/15
shutdown
!
interface GigabitEthernet0/16
shutdown
!
interface GigabitEthernet0/17
shutdown
!
interface GigabitEthernet0/18
description snort monitor port
switchport access vlan 59
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/19
shutdown
!
interface GigabitEthernet0/20
shutdown
!
interface GigabitEthernet0/21
switchport access vlan 900
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 900
switchport mode access
!
interface GigabitEthernet0/23
description connection to g0/23 of 3560B(trunk)
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
!
interface GigabitEthernet0/24
description connection to g0/24 of 2970A(trunk)
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/25
! sometimes we need to modify the port priority to control the resulting spanning tree
spanning-tree port-priority 112
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
no ip address
!
interface Vlan10
ip address 10.17.17.2 255.255.255.0
standby 10 ip 10.17.17.1
standby 10 priority 20
standby 10 preempt
! I use HSRP port tracking to make sure that if the connection from this switch to
! the IDC Cisco 6509 fails, the active HSRP role fails over to 3560b, which has
! a connection to the other IDC Cisco 6509;
! pay attention to the decrement value 15 (20 - 10 < 15; 10 is the priority
! assigned to VLAN 10 by the Cisco 3560b, the other HSRP member of group 10)
standby 10 track g0/1 15
!
interface Vlan59
ip address 59.151.xx.xx 255.255.255.224
!
interface Vlan172
ip address 172.17.0.2 255.255.0.0
standby 172 ip 172.17.0.1
standby 172 priority 20
standby 172 preempt
standby 172 track g0/1 15
!
interface Vlan192
ip address 192.168.17.2 255.255.255.0
standby 192 ip 192.168.17.1
standby 192 priority 20
standby 192 preempt
standby 192 track g0/1 15
!
interface Vlan901
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 59.151.xx.xx
! sometimes I use CNA, so I keep the HTTP service open, but
! I enforce access control for it
ip http server
ip http access-class 1
!
!
! use named ACLs as much as possible,
! and use consistent nomenclature for your named ACLs
ip access-list standard snmp_acl
permit 172.17.1.252
permit 172.17.1.253
permit 172.17.1.251
permit 61.145.xxx.xxx
permit 172.17.1.1
permit 172.17.1.3
ip access-list standard telnet_acl
permit 218.19.xx.xxx
permit 172.17.1.252
permit 172.17.1.253
permit 172.17.1.251
!
ip access-list extended xx_common_acl
deny tcp any any eq 22
deny tcp any any eq 199
deny udp any any eq 166
permit icmp host 218.19.xx.xxx any
deny icmp any any
permit ip any any
permit gre any any
ip access-list extended xx_mini_acl
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 22
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 62222
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 22
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 62222
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 22
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 62222
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 22
permit tcp host 218.19.xxx.xxx host 59.151.xxx.xxx eq 62222
deny tcp any any eq 22
deny tcp any any eq 62222
permit ip any any
permit ahp any any
permit gre any any
!
! for numbered ACLs, writing a remark for your ACL will make your ACL
! more readable
access-list 1 remark acl for controlling who can access the http port of this switch.
access-list 1 permit 172.17.1.252
access-list 1 permit 172.17.1.253
access-list 1 permit 172.17.1.251
! configure SNMP to make monitoring this switch possible
snmp-server community 3560aro RO snmp_acl
!
control-plane
!
!
line con 0
line vty 0 4
session-timeout 15
! control who can telnet into this switch
access-class telnet_acl in
exec-timeout 0 0
! logging synchronous will make your operations smooth and convenient
logging synchronous
! local authentication will make your switch safer. If you have many devices,
! you should probably use AAA.
login local
line vty 5 15
session-timeout 15
access-class telnet_acl in
exec-timeout 0 0
logging synchronous
login local
!
!
! the following lines configure RSPAN
monitor session 1 destination interface Gi0/18
monitor session 1 source remote vlan 1000
ntp clock-period 36028782
! use NTP to obtain accurate time
ntp server 172.17.9.11
ntp server 172.17.9.12
!
end
3560A#
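As an added example (not part of the original post or the switch's own configuration), a small Python audit that parses a `sh run` dump in the unindented layout shown above and flags points the comments call out: an HSRP track decrement too small to hand the active role to the peer (the page's "20 - 10 < 15" rule, with the peer priority of 10 taken from the comment as an assumption), vty lines without an `access-class`, vty lines whose `exec-timeout 0 0` disables the idle timeout, and SNMP communities not bound to an ACL. The sample configuration is constructed with placeholder values.

```python
import re
# Constructed excerpt shaped like the page's "sh run" dump (placeholder values),
# with one compliant and one non-compliant instance of each check.
SAMPLE_CONFIG = """\
interface Vlan10
standby 10 priority 20
standby 10 track g0/1 15
!
interface Vlan172
standby 172 priority 20
standby 172 track g0/1 5
!
snmp-server community 3560aro RO snmp_acl
snmp-server community public RO
line vty 0 4
access-class telnet_acl in
line vty 5 15
exec-timeout 0 0
"""
def sections(text):
    """Yield (header, sub-commands); a section ends at '!' or at the next header."""
    header, body = None, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == "!" or re.match(r"^(interface|line) ", line):
            if header:
                yield header, body
            header, body = (line, []) if line and line[0] != "!" else (None, [])
        elif header:
            body.append(line)
        else:
            yield line, []  # top-level line outside any section: a global command
    if header:
        yield header, body

def audit(text, peer_priority=10):
    """peer_priority is the other HSRP member's priority (10 on the page, assumed)."""
    findings = []
    for header, body in sections(text):
        joined = "\n".join(body)
        prio = re.search(r"^standby \d+ priority (\d+)$", joined, re.M)
        track = re.search(r"^standby \d+ track \S+ (\d+)$", joined, re.M)
        # after the decrement our priority must fall below the peer's, or no failover
        if prio and track and int(prio[1]) - int(track[1]) >= peer_priority:
            findings.append(f"{header}: decrement {track[1]} too small, no failover")
        if header.startswith("line vty") and "access-class" not in joined:
            findings.append(f"{header}: no access-class on vty line")
        if header.startswith("line vty") and "exec-timeout 0 0" in joined:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        if header.startswith("snmp-server community") and len(header.split()) < 5:
            findings.append(f"{header}: community not restricted by an ACL")
    return findings
```

Paste the real `sh run` output in place of SAMPLE_CONFIG; comment lines beginning with `!` are treated as section separators, as they are in the dump.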