网络设备配置清单

网络设备配置清单核心路由器配置基础配置```hostnameCore-Router-01enablesecret51kH5n$v8XmP9R2qL3sK7mN4wH8jFservicepassword-encryptionclocktimezoneCST8ipdomain-name```接口配置```interfaceGigabitEthernet0/0descriptionUplink-to-ISP-Primaryipaddress52ipnatoutsideduplexautospeedautonoshutdowninterfaceGigabitEthernet0/1descriptionUplink-to-ISP-Secondaryipaddress52ipnatoutsideduplexautospeedautonoshutdowninterfaceGigabitEthernet0/2descriptionDownlink-to-Core-Switchipaddress52ipnatinsideduplexautospeedautonoshutdown```路由配置```iproute10iproute20routerospf1router-idnetworkarea0passive-interfaceGigabitEthernet0/2default-informationoriginatemetric10```安全与优化```ipaccess-listextendedBLOCK-ICMPdenyicmpanyanyfragmentsdenyicmpanyanyechopermiticmpanyanyecho-replypermiticmpanyanytime-exceededpermiticmpanyanyunreachabledenyipanyanyinterfaceGigabitEthernet0/0ipaccess-groupBLOCK-ICMPiniptcpinterceptlist100access-list100permittcpanyanyiptcpinterceptconnection-timeout30iptcpinterceptwatch-timeout15servicetcp-keepalives-inservicetcp-keepalives-out```核心交换机配置VLAN与Trunk配置```vlan10nameServersvlan20nameWorkstationsvlan30nameWirelessvlan40nameVoicevlan99nameManagementinterfacerangeGigabitEthernet1/0/1-2descriptionTrunk-to-Core-Routerswitchportmodetrunkswitchporttrunkallowedvlan10,20,30,40,99switchportnonegotiatespanning-treeportfasttrunkspanning-treebpduguardenableinterfacerangeGigabitEthernet1/0/3-4descriptionTrunk-to-Distribution-Switchesswitchportmodetrunkswitchporttrunkallowedvlan10,20,30,40,99switchportnonegotiatechannel-group1modeactive```SVI接口配置```interfaceVlan10ipaddressiphelper-address0standby10ip54standby10priority110standby10preemptinterfaceVlan20ipaddressiphelper-address0standby20ip54standby20priority100standby20preemptinterfaceVlan99ipaddressstandby99ip54standby99priority110standby99preempt```生成树优化```spanning-treemoderapid-pvstspanning-treevlan10,20,30,40,99priority4096spanning-treeportfastdefaultspanning-treeportfastbpduguarddefaultspanning-treeuplinkfastspanning-treebackbonefastinterfacerangeGigabitEthernet1/0/5-48switchportmodeaccessswitchportaccessvlan20spanning-treeportfastspanning-treebpduguardenable```防火墙配置接口与安全区域```interfaceGigabitEthernet0/0nameifoutsidesecurity-level0ipaddress52interfaceGigabitEthernet0/1nameifdmzsecurity-level50ipaddressinterfaceGigabitEthernet0/2nameifinsidesecurity-level100ipaddress```NAT配置```objectnetworkINSIDE-NETsubnetnat(inside,outside)dynamicinterfaceobjectnetworkDMZ-WEBhost0nat(dmz,outside)static0objectnetworkDMZ-MAILhost0nat(dmz,outside)static0```访问控制列表```access-listOUTSIDE-INextendedpermittcpanyhost0eqwwwaccess-listOUTSIDE-INextendedpermittcpanyhost0eq443access-listOUTSIDE-INextendedpermittcpanyhost0eqsmtpaccess-listOUTSIDE-INextendedpermittcpanyhost0eq993access-listOUTSIDE-INextendeddenyipanyanylogaccess-listINSIDE-OUTextendedpermitipanyaccess-listINSIDE-OUTextendeddenyipanyanylogaccess-groupOUTSIDE-INininterfaceoutsideaccess-groupINSIDE-OUToutinterfaceinside```高级安全特性```threat-detectionbasic-threatthreat-detectionstatisticsthreat-detectionstatisticstcp-interceptrate-interval30burst-rate400average-rate200class-mapinspection_defaultmatchdefault-inspection-trafficpolicy-mapglobal_policyclassinspection_defaultinspectdnsinspectftpinspecth323h225inspecth323rasinspectrshinspectrtspinspectesmtpinspectsqlnetinspectskinnyinspectsunrpcinspectxdmcpinspectsipinspectnetbiosinspecttftpinspectip-optionsservice-policyglobal_policyglobal```无线控制器配置基础设置```configpagingdisableconfigtimentpserverindex1configtimentpserverindex2configtimentpinterval3600configinterfacecreatemanagementconfiginterfacevlanmanagement99configinterfaceportmanagement1configinterfacecreatewireless54configinterfacevlanwireless30configinterfacedhcpwirelessprimary0```WLAN配置```configwlancreate1Corporate-WLANCorporate-WLANconfigwlansecurity1wpa2enableconfigwlansecurity1wpa2ciphersaesconfigwlansecurity1wpa2akmpskenableconfigwlansecurity1wpa2akmpskset-keyasciiMySecureP@ssw0rd123configwlaninterface1wirelessconfigwlanbroadcast-ssidenable1configwlanenable1configwlancreate2Guest-WLANGuest-WLANconfigwlansecurity2noneconfigwlaninterface2guestconfigwlanbroadcast-ssidenable2configwlanwebauthenable2configwlanwebauthauthentication-listlocalconfigwlanenable2```RF优化```config802.11adisablenetworkconfig802.11bdisablenetworkconfig802.11a11nSupportenableconfig802.11b11nSupportenableconfig802.11achannelglobalautoconfig802.11bchannelglobalautoconfig802.11atxPowerglobalautoconfig802.11btxPowerglobalautoconfigadvanced802.11achanneladd36configadvanced802.11achanneladd40configadvanced802.11achanneladd44configadvanced802.11achanneladd48configadvanced802.11achanneladd149configadvanced802.11achanneladd153configadvanced802.11achanneladd157configadvanced802.11achanneladd161configadvanced802.11bchanneladd1configadvanced802.11bchanneladd6configadvanced802.11bchanneladd11config802.11aenablenetworkconfig802.11benablenetwork```接入交换机配置端口安全配置```interfacerangeGigabitEthernet0/1-48switchportmodeaccessswitchportport-securityswitchportport-securitymaximum3switchportport-securityviolationrestrictswitchportport-securityagingtime60switchportport-securityagingtypeinactivityspanning-treeportfastspanning-treebpduguardenable```QoS配置```mlsqosmapcos-dscp08162432464856mlsqosmapdscp-cos9101112131415to0mlsqosmapdscp-cos25262728293031to3mlsqosmapdscp-cos41424344454647to5class-mapmatch-anyVOICEmatchipdscpefclass-mapmatch-anyVIDEOmatchipdscpaf41matchipdscpaf31class-mapmatch-anyCRITICAL-DATAmatchipdscpaf21matchipdscpaf31policy-mapACCESS-EDGEclassVOICEprioritypercent20classVIDEOprioritypercent15classCRITICAL-DATAbandwidthpercent25classclass-defaultbandwidthpercent40interfacerangeGigabitEthernet0/1-48service-policyinputACCESS-EDGE```PoE优化```powerinlineconsumptiondefault15400powerinlinepolicepowerinlineautomax30000interfacerangeGigabitEthernet0/1-24powerinlinestaticmax30000powerinlineportpriorityhighinterfacerangeGigabitEthernet0/25-48powerinlinestaticmax15400powerinlineportprioritylow```服务器接入配置服务器端口聚合```interfacerangeGigabitEthernet1/0/45-46descriptionServer-PortChannelswitchportmodetrunkswitchporttrunkallowedvlan10,99channel-protocollacpchannel-group10modeactivenoshutdowninterfacePort-channel10descriptionServer-Aggregationswitchportmodetrunkswitchporttrunkallowedvlan10,99spanning-treeportfasttrunkspanning-treebpduguardenable```服务器专用VLAN```vlan101private-vlanprimaryprivate-vlanassociation102-103vlan102private-vlanisolatedvlan103private-vlancommunityinterfaceVlan101ipaddressprivate-vlanmapping102-103interfacerangeGigabitEthernet1/0/47-48switchportmodeprivate-vlanhostswitchportprivate-vlanhost-association101102spanning-treeportfast```网络管理配置SNMPv3配置```snmp-servergroupNETWORK-ADMINv3privsnmp-serveruseradminNETWORK-ADMINv3authshaAdminAuthKey123privaes128AdminPrivKey123snmp-serverhost5version3privadminsnmp-serverenabletrapssnmpauthenticationlinkdownlinkupcoldstartwarmstartsnmp-serverenabletrapsconfigsnmp-serverenabletrapsenvmonsnmp-serverenabletrapscputhreshold```Syslog配置```loggingbuffered32768loggingconsolewarningsloggingtrapinformationalloggingfacilitylocal7loggingsource-interfaceVlan99logginghost0transportudpport514logginghost1transporttcpport514archivelogconfigloggingenablehidekeysnotifysyslogcontenttypeplaintext```NetFlow配置```ipflow-exportversion9ipflow-exportdestination09995ipflow-exportsourceVlan99ipflow-cachetimeoutactive1ipflow-cachetimeoutinactive15interfaceVlan10ipflowingressipflowegressinterfaceVlan20ipflowingressipflowegressipflow-top-talkerstop50sort-bybytescache-timeout60```冗余与高可用配置VRRP配置```interfaceVlan10vrrp10ip54vrrp10priority120vrrp10preemptvrrp10authenticationmd5key-stringVRRP@Secure10interfaceVlan20vrrp20ip54vrrp20priority110vrrp20preemptvrrp20authenticationmd5key-stringVRRP@Secure20track10interfaceGigabitEthernet0/0line-protocolinterfaceVlan10vrrp10track10decrement30```链路聚合与冗余```interfacerangeGigabitEthernet0/47-48descriptionRedundant-Uplinkswitchportmodetrunkswitchporttrunkallowedvlan10,20,30,40,99channel-protocollacpchannel-group20modeactivelacpratefastinterfacePort-channel20descriptionRedundant-Uplink-Coreswitchportmodetrunkswitchporttrunkallowedvlan10,20,30,40,99spanning-treelink-typepoint-to-point```安全加固配置控制平面保护```control-planeservice-policyinputCOPP-Policypolicy-mapCOPP-PolicyclassCOPP-CRITICALpolice800015001500conform-actiontransmitexceed-actiondropclassCOPP-IMPORTANTpolice10002000020000conform-actiontransmitexceed-actiondropclassCOPP-NORMALpolice5001000010000conform-actiontransmitexceed-actiondropclassCOPP-UNDESIRABLEpolice815001500conform-actiondropexceed-actiondropclass-mapmatch-allCOPP-CRITICALmatchaccess-groupnameCOPP-CRITICAL-ACLclass-mapmatch-allCOPP-IMPORTANTmatchaccess-groupnameCOPP-IMPORTANT-ACLclass-mapmatch-allCOPP-NORMALmatchaccess-groupnameCOPP-NORMAL-ACLclass-mapmatch-allCOPP-UNDESIRABLEmatchaccess-groupnameCOPP-UNDESIRABLE-ACL```管理访问控制```ipaccess-liststandardMGMT-ACCESSpermit55permit55denyanyloglinevty015access-classMGMT-ACCESSintransportinputsshexec-timeout100loggingsynchronousipsshversion2ipsshtime-out60ipsshauthentication-retries3ipsshsource-interfaceVlan99```性能优化配置缓冲区调优```bufferssmallpermanent600buffersmiddlepermanent600buffersbigpermanent600buffersverybigpermanent300bufferslargepermanent100buffershugepermanent50bufferssmallmax-free900buffersmiddlemax-free900buffersbigmax-free900buffersverybigmax-free450bufferslargemax-free150buffershugemax-free75bufferssmallmin-free300buffersmiddlemin-free300buffersbigmin-free300buffersverybigmin-free150bufferslargemin-free50buffershugemin-free25```硬件加速```platformhardwarethroughputlevel4000000platformhardwareqfputilizationmonitorload80platformhardwareqfputilizationmonitormemory90platformhardwareqfputilizationmonitorbuffer80platformhardwareqfpfeaturewaasenableplatformhardwareqfpfeatureinspectenableplatformhardwareqfpfeaturenatenableplatformhardwareqfpfeaturemplsenable```监控与告警配置IPSLA监控```ipsla1icmp-echosource-ipthreshold500timeout1000frequency10ipslaschedule1lifeforeverstart-timenowipsla2udp-jitter016384source-ipthreshold100timeout1000frequency30ipslaschedule2lifeforeverstart-timenowtrack1ipsla1reachabilitytrack2ipsla2reachability```EEM脚本```eventmanagerappletINTERFACE-FLAPeventtrack1statedownaction1.0syslogmsg"PrimaryISPdownswitchingtosecondary"action2.0clicommand"enable"action3.0clicommand"configureterminal"action4.0clicommand"interfacegigabitethernet0/0"action5.0clicommand"shutdown"action6.0clicommand"interfacegigabitethernet0/1"action7.0clicommand"noshutdown"action8.0clicommand"end"eventmanagerappletMEMORY-ALERTeventsnmpoid...5.1get-typeexactentry-opgeentry-val90exit-opleexit-val80poll-interval300action1.0syslogmsg"Memoryutilizationhighcurrentvalue:$_snmp_oid_val"action2.0mailserver5tonetadmin@fromnoc@subject"MemoryAlerton$_event_pub_sec"action3.0snmp-trapstrdata"Memoryutilizationexceeded90%"```配置备份与恢复自动备份脚本```kronoccurrenceBACKUPat2:00recurringpolicy-listBACKUP-TASKkronpolicy-listBACKUP-TASKclishowrunning-config|redirectt0/backup/(hostname)-(date).cfgclishowstartup-config|redirectt0/backup/(hostname)-startup-(date).cfgarchivepatht0/archive/$(hostname)-config-maximum14time-period1440write-memory```配置版本控制```archivelogconfigloggingenablenotifysyslogcontenttypeplaintexthidekeysrecordrcpathbootflash:archive/maximum20write-memorytime-period10080parserconfigcacheinterfaceparserconfigpartition```文档与变更管理配置标准化```bannermotd^******************ThissystemisforauthorizeduseonlyThissystemisforauthorizeduseonlyAllactivitiesmaybemonitoredandrecordedAllactivitiesmaybemonitoredandrecorded