Data Center Firewall Deployment (.doc)
Uploaded 2019-10-28. Format: DOC, 33 pages, 671.50 KB.
Hongta Tobacco (Group) 10 Gigabit Ethernet Construction Project
Data Center Firewall Deployment and Retrofit Plan (V1.4)
Beijing Lianxin Yongyi Information Technology Co., Ltd.
February 2010

Contents
1. Overview
2. Personnel and schedule
   2.1 Participants
   2.2 Time of operation
3. Business impact
4. Preparation
5. Network topology
6. Data center device configuration
   6.1 VSS deployment and configuration of the two data center 6509E switches
   6.2 FWSM transparent-mode configuration on the two data center 6509Es
7. Firewall failover test
8. Contingency plan

1. Overview

Current state of the data center network: one data center aggregation switch (6509E) in the 4F equipment room of the commercial building and one in the technology center equipment room each connect to the core 6509E over a single 10GE uplink, and the two aggregation switches are connected to each other by one 10GE trunk. The data center servers in the commercial building and in the technology center are single-homed to the data center switch of their own area, and every server gateway points to the real address of the corresponding VLAN interface on the 4F data center switch. Each data center switch carries one FWSM firewall module; the two modules protect the data center network as a failover pair.

This project moves the data center aggregation 6509E from the technology center to the new 1F equipment room of the commercial building and deploys VSS across the two data center 6509Es. The virtual switch link uses the 10GE uplink ports on the Virtual Switching Supervisor 720-10GE engine cards, with two 10GE links bundled so that the VSS system stays up if one fails. Two bundled 10GE links connect the VSS to the core, and the firewall modules are deployed in transparent mode.

2. Personnel and schedule

2.1 Participants

No. | Name   | Role                                              | Mobile
1   | 卢立杰 | Project manager (overall coordination)            | 13801268202
2   | 何沿平 | Cutover operation (device configuration)          | 13240050633
3   | 扎西   | Cutover operation (assists device configuration)  | 13529149628
4   | 朱洺奇 | Supervision and coordination                      | 13887755679
5   | 代宁   | Vendor technical support                          | 13577025594

2.2 Time of operation

9 February 2010.

3. Business impact

This cutover deploys VSS on the data center 6509Es and moves the FWSM modules to transparent mode, which re-plans and reconfigures the data center network. Access between the data center servers and the group network will be interrupted during the work.

4. Preparation

To be prepared by Lianxin Yongyi:
1. Software versions tested and passed.
2. Device configurations, port types and port states verified.
3. Documents:
   No. | Document      | Quantity
   1   | Cutover plan  | 3 copies
   2   | Test report   | 3 copies
4. Tools:
   No. | Item                                | Quantity
   1   | Anti-static wrist strap             | 1
   2   | Phillips and flat-blade screwdrivers | 2

To be prepared by the Hongta Group Information Network Section:
1. Escort the cutover staff into the equipment rooms.
2. Provide console access and the login passwords.

5. Network topology

Current state: data center FWSM routed-mode topology (figure).
Notes:
1. Interface Vlan411 on HT_SWLDA_4F_6509E_01 and HT_SWLDA_1F_6509E_01 carries the OSPF protocol traffic between the two switches.
2. Vlan402 is the server VLAN (inside interface). Vlan413 and Vlan414 carry the failover protocol between the two firewall modules; the module in HT_SWLDA_4F_6509E_01 is primary and the module in HT_SWLDA_1F_6509E_01 is secondary. Vlan412 connects each 6509E to the outside interface of its firewall module; Interface Vlan412 on both 6509Es runs HSRP, with HT_SWLDA_4F_6509E_01 active and HT_SWLDA_1F_6509E_01 standby.

After the change: data center FWSM transparent-mode topology (figure).
Notes:
1. Gi1/3/48 and Gi2/3/48 are used for BFD (VSS dual-active detection).
2. vlan402 is the server VLAN and the inside interface. Vlan413 and Vlan414 carry the failover protocol between the two firewall modules; the module in the 4F 6509E is primary and the module in the 1F 6509E is secondary. Vlan412 connects the 6509Es to the outside interface of the firewall modules, and the gateway of the vlan402 servers points to the interface address of vlan412. In transparent mode the FWSM bridges vlan402 and vlan412 at layer 2, so vlan402 has no SVI of its own and the Vlan412 SVI on the VSS is the server gateway.

6. Data center device configuration

6.1 VSS deployment and configuration of the two data center 6509E switches

Cutover content: configuration of the two data center 6509Es.
Cutover time: 2010.02.07 (section 2.2 gives 9 February 2010).
Cutover location: commercial building 4F and 1F.
Operators (configuration): Lianxin Yongyi 卢立杰, tel. 13801268202; 何沿平, tel. 13240050633; 扎西, tel. 13529149628.
Counterpart: Information Section 朱洺奇, tel. 13887755679.

Step 1. Back up the device configuration

copy running-config bootflash:
write memory
Step 2. Interconnect link between the two data center 6509Es and VSS conversion

On switch 1 (4F chassis):

switch virtual domain 100
 switch 1
!
interface port-channel 110
 switch virtual link 1
 no shut
!
interface range TenGigabitEthernet 5/4 - 5
 channel-group 110 mode on
 no shut
!
platform hardware vsl pfc mode pfc3c
switch convert mode virtual

On switch 2 (1F chassis):

switch virtual domain 100
 switch 2
!
interface port-channel 120
 switch virtual link 2
 no shut
!
interface range TenGigabitEthernet 5/4 - 5
 channel-group 120 mode on
 no shut
!
platform hardware vsl pfc mode pfc3c
switch convert mode virtual

After both chassis have reloaded and merged, accept the virtual configuration:

switch accept mode virtual

Dual-active detection over BFD, on the direct Gi1/3/48 to Gi2/3/48 link between the chassis (the two interfaces sit in different /30 subnets, as BFD dual-active detection requires):

interface GigabitEthernet1/3/48
 description VSS_FOR_BFD
 no switchport
 ip address 10.96.63.77 255.255.255.252
 bfd interval 100 min_rx 100 multiplier 3
 no shut
!
interface GigabitEthernet2/3/48
 description VSS_FOR_BFD
 no switchport
 ip address 10.96.63.81 255.255.255.252
 bfd interval 100 min_rx 100 multiplier 3
 no shut
!
switch virtual domain 100
 dual-active detection bfd
 dual-active pair interface GigabitEthernet1/3/48 interface GigabitEthernet2/3/48 bfd

Step 3. Basic configuration of the data center VSS (HT_SWLDA_4F_6509E_01)

hostname HT_SWLDA_4F_6509E_01
!
service timestamps debug datetime localtime
service timestamps log datetime localtime
!
clock timezone GMT 8
!
no ip domain-lookup
!
interface Loopback1
 ip address 10.96.60.252 255.255.255.255
 no shut
!
logging facility local6
logging source-interface Loopback1
logging 10.96.47.66
logging 10.96.49.87
!
snmp-server community hongtpublic RO
snmp-server community hongtprivate RW
!
line con 0
 exec-timeout 5 0
 logging synchronous
 password 0 adminht
 login
line vty 0 4
 exec-timeout 5 0
 password 0 adminht
 login
!
ntp server 10.96.60.253

The management settings above deserve review before the cutover, because after VSS this one configuration governs both chassis: the console and vty passwords are stored in cleartext (`password 0`, and the plan configures no `service password-encryption`), the vty lines have neither `transport input ssh` nor an `access-class`, so Telnet is accepted from any source, and a read-write SNMP community is configured without an ACL.

Step 4. Interface and routing configuration

HT_BONE_4F_6509E_01 (core):

interface Port-channel6
 no switchport
 description connect to HT_SWLDA_4F_6509E_01
 ip address 10.96.63.13 255.255.255.252
 no shut
!
interface TenGigabitEthernet1/4/1
 no switchport
 no ip address
 description connect to HT_SWLDA_4F_6509E_01
 channel-group 6 mode on
 no shut
!
interface TenGigabitEthernet2/4/1
 no switchport
 no ip address
 description connect to HT_SWLDA_4F_6509E_01
 channel-group 6 mode on
 no shut
!
router ospf 877
 no passive-interface Port-channel6
 no network 10.96.63.8 0.0.0.3 area 0

Port-channel6 is a multichassis EtherChannel with one member on each chassis at both ends, bundled statically (`mode on`, no LACP), so a member misconfiguration is not negotiated away and should be checked with `show etherchannel summary`. `no network 10.96.63.8 0.0.0.3 area 0` withdraws the /30 of the old single uplink, but the plan adds no `network` statement for the new link 10.96.63.12/30 on the core side; confirm that an existing wider network statement on HT_BONE_4F_6509E_01 covers 10.96.63.13, otherwise the OSPF adjacency over Port-channel6 will not form.
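The addresses and `network` statements in step 4 (the core side above and the HT_SWLDA_4F_6509E_01 side that follows) can be checked offline before the change window. The following is an added example, not code from the plan or its author: it re-implements the IOS wildcard rule for `network <address> <wildcard> area <n>` and the two subnet checks a reviewer would make on the /30 links. Because the page shows only the `no network` line for the core, the script assumes that no other core statement covers 10.96.63.12/30; if the real core has one, replace the `BONE_NETWORKS` list with it.

```python
"""OSPF coverage and link-subnet checks for the step-4 configuration.

Added example, not part of the cutover plan.  An interface joins OSPF when
its address and a `network` statement agree on every bit that is 0 in the
statement's wildcard; the functions below apply that rule to the address
lists copied from the plan.
"""
import ipaddress


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches_network(iface_ip: str, network: str, wildcard: str) -> bool:
    """True when `iface_ip` is selected by `network <network> <wildcard>`."""
    care_bits = ~_as_int(wildcard) & 0xFFFFFFFF   # wildcard 0-bits must match exactly
    return (_as_int(iface_ip) & care_bits) == (_as_int(network) & care_bits)


def uncovered_interfaces(interfaces, networks):
    """Names of interfaces whose address no network statement covers.

    interfaces: [(name, ip, netmask)]; networks: [(address, wildcard, area)].
    """
    return [name for name, ip, _mask in interfaces
            if not any(matches_network(ip, net, wc) for net, wc, _area in networks)]


def same_subnet(ip_a: str, ip_b: str, netmask: str) -> bool:
    """True when both addresses fall in the same subnet under `netmask`."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return net(ip_a) == net(ip_b)


# Addresses and OSPF statements of HT_SWLDA_4F_6509E_01 as given in step 4.
SWLDA_IFACES = [
    ("Loopback1", "10.96.60.252", "255.255.255.255"),
    ("Port-channel6", "10.96.63.14", "255.255.255.252"),
    ("Vlan403", "10.96.45.1", "255.255.255.192"),
    ("Vlan404", "10.96.45.65", "255.255.255.192"),
    ("Vlan405", "10.96.45.129", "255.255.255.192"),
    ("Vlan406", "10.96.45.193", "255.255.255.192"),
    ("Vlan412", "10.96.0.1", "255.255.255.0"),
]
SWLDA_NETWORKS = [
    ("10.96.45.0", "0.0.0.63", 0), ("10.96.45.64", "0.0.0.63", 0),
    ("10.96.45.128", "0.0.0.63", 0), ("10.96.45.192", "0.0.0.63", 0),
    ("10.96.60.252", "0.0.0.0", 0), ("10.96.63.12", "0.0.0.3", 0),
    ("10.96.0.0", "0.0.0.255", 0),
]

# Core side (HT_BONE_4F_6509E_01): the plan shows only the removal of the old
# /30.  The core's other network statements are not on the page, so this
# empty list is an assumption that nothing else covers 10.96.63.12/30.
BONE_IFACES = [("Port-channel6", "10.96.63.13", "255.255.255.252")]
BONE_NETWORKS = []   # state after `no network 10.96.63.8 0.0.0.3 area 0`


def run_checks() -> dict:
    """Run every check and return the results keyed by name."""
    return {
        "swlda_uncovered": uncovered_interfaces(SWLDA_IFACES, SWLDA_NETWORKS),
        "bone_uncovered": uncovered_interfaces(BONE_IFACES, BONE_NETWORKS),
        # Po6 is a /30 link: both ends must sit in 10.96.63.12/30.
        "po6_same_subnet": same_subnet("10.96.63.13", "10.96.63.14", "255.255.255.252"),
        # The BFD dual-active pair (Gi1/3/48, Gi2/3/48) must use two different subnets.
        "bfd_pair_distinct_subnets": not same_subnet("10.96.63.77", "10.96.63.81",
                                                      "255.255.255.252"),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

With the lists as copied from the plan, every SWLDA interface is covered and the two subnet checks pass, while the core's Port-channel6 is reported as uncovered; that finding disappears only once a statement covering 10.96.63.12/30 is added to `BONE_NETWORKS`.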
HT_SWLDA_4F_6509E_01 (data center VSS):

interface Port-channel6
 no switchport
 description connect to HT_BONE_4F_6509E_01
 ip address 10.96.63.14 255.255.255.252
 no shut
!
interface TenGigabitEthernet1/1/1
 no switchport
 description connect to HT_BONE_4F_6509E_01
 channel-group 6 mode on
 no shut
!
interface TenGigabitEthernet2/1/1
 no switchport
 description connect to HT_BONE_4F_6509E_01
 channel-group 6 mode on
 no shut
!
vlan 402
vlan 403
vlan 404
vlan 405
vlan 406
vlan 411
vlan 412
vlan 413
vlan 414
vlan 500
 name sniffer
!
interface Vlan403
 ip address 10.96.45.1 255.255.255.192
 ip flow ingress
 ip flow egress
 no shut
!
interface Vlan404
 ip address 10.96.45.65 255.255.255.192
 ip flow ingress
 ip flow egress
 no shut
!
interface Vlan405
 ip address 10.96.45.129 255.255.255.192
 ip flow ingress
 ip flow egress
 no shut
!
interface Vlan406
 ip address 10.96.45.193 255.255.255.192
 ip flow ingress
 ip flow egress
 no shut
!
interface Vlan412
 ip address 10.96.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 no shut
!
router ospf 877
 router-id 10.96.60.252
 log-adjacency-changes
 passive-interface default
 no passive-interface TenGigabitEthernet1/1/1
 no passive-interface TenGigabitEthernet2/1/1
 no passive-interface Port-channel6
 network 10.96.45.0 0.0.0.63 area 0
 network 10.96.45.64 0.0.0.63 area 0
 network 10.96.45.128 0.0.0.63 area 0
 network 10.96.45.192 0.0.0.63 area 0
 network 10.96.60.252 0.0.0.0 area 0
 network 10.96.63.12 0.0.0.3 area 0
 network 10.96.0.0 0.0.0.255 area 0

`passive-interface default` keeps OSPF hellos off the server SVIs (Vlan403 to Vlan406 and Vlan412), which is the right default for a data center edge. Only Port-channel6 needs `no passive-interface`; the two TenGigabitEthernet members carry no address of their own, so the statements for them have no effect. Vlan402 deliberately has no SVI: the FWSM bridges it to Vlan412, whose address 10.96.0.1 is the server gateway.

Access and trunk ports (ports with identical configuration are grouped with `interface range`):

interface GigabitEthernet1/3/1
 switchport
 switchport access vlan 402
 switchport mode access
 load-interval 30
 no shut
!
interface GigabitEthernet1/3/2
 description connect to HT_SWLDA_1F_3750_01
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
 no shut
!
interface GigabitEthernet1/3/3
 description connect to HT_JSZXDA_2F_3750_01
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
 no shut
!
interface GigabitEthernet1/7/1
 switchport
 switchport access vlan 403
 switchport mode access
 no shut

`spanning-tree portfast` on Gi1/3/2 and Gi1/3/3 has no effect on a trunk port without the `trunk` keyword, and a port toward another switch should not skip the STP listening and learning states in any case; leave normal STP on the 3750 uplinks. The server access ports would benefit from `spanning-tree portfast` with `spanning-tree bpduguard enable`, which the plan does not configure.
!
interface GigabitEthernet1/7/2
 switchport
 switchport access vlan 403
 switchport mode access
 no shut
!
interface range GigabitEthernet1/7/3 - 10
 no shut
!
interface GigabitEthernet1/7/11
 switchport
 switchport access vlan 403
 switchport mode access
 no shut
!
interface GigabitEthernet1/7/12
 switchport
 switchport access vlan 402
 switchport mode access
 load-interval 30
 no shut
!
interface range GigabitEthernet1/7/13 - 15
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/7/16
 switchport
 switchport access vlan 402
 switchport mode access
 load-interval 30
 no shut
!
interface range GigabitEthernet1/7/17 - 22
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut

Gi1/7/2, Gi1/7/11, Gi1/7/12 and Gi1/7/16 (like Gi1/3/1 and Gi1/7/1 above) carry no storm-control while every other server port does; confirm whether this is intended before the cutover.
!
interface GigabitEthernet1/7/23
 switchport
 switchport access vlan 402
 switchport mode access
 load-interval 30
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/7/24
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/7/25
 switchport
 switchport access vlan 406
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/7/26 - 33
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/7/34
 switchport
 switchport access vlan 402
 switchport mode access
 load-interval 30
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/7/35 - 41
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/7/42
 switchport
 switchport access vlan 406
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/7/43
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/7/44 - 45
 switchport
 switchport access vlan 403
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/7/46 - 48
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/8/1 - 9
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/8/10 - 21
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/8/22 - 28
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/8/29
 switchport
 switchport access vlan 406
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface range GigabitEthernet1/8/30 - 32
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
 no shut
!
interface GigabitEthernet1/8/33
 switchport
 switchport access vlan 402
 switchport mode access
 storm

(The plan continues beyond this point; the remainder of section 6.1, section 6.2 on FWSM transparent mode, section 7 on the failover test and section 8 on the contingency plan are not included on this page.)
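The management configuration of step 3 and the port configuration of step 4 can be audited as text before the change window, which is quicker and less error-prone than reading roughly a hundred port blocks by eye. The following is an added example, not code from the plan or its author: a stdlib-only parser for IOS-style configuration (global lines plus `interface`, `interface range` and `line` sections) and the checks a reviewer would run on this plan. `SAMPLE` is a constructed excerpt assembled from lines that appear in the plan; run `audit()` on the full saved configuration to check every port.

```python
"""Offline audit of the cutover configuration text.

Added example, not part of the plan.  Checks: cleartext line passwords, a
read-write SNMP community, vty lines without SSH-only transport or an
access-class, server ports without storm-control, and `spanning-tree
portfast` on trunk ports.
"""
import re

_RANGE = re.compile(r"^(?P<prefix>\S+?/)(?P<start>\d+)\s*-\s*(?P<end>\d+)$")


def expand_range(spec: str) -> list:
    """'GigabitEthernet1/7/13 - 15 , GigabitEthernet1/7/17 - 22' -> member names."""
    names = []
    for part in (p.strip() for p in spec.split(",")):
        m = _RANGE.match(part)
        if m:
            names.extend(f"{m['prefix']}{n}" for n in range(int(m["start"]), int(m["end"]) + 1))
        else:
            names.append(part)
    return names


def parse_config(text: str):
    """Return (global_lines, {section_header: [body lines]}).

    Body lines are the indented lines under an `interface ...` or `line ...`
    header; a range header is expanded so each member port gets its own section.
    """
    global_lines, sections, current = [], {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = []                      # '!' ends a section in IOS output
            continue
        line = raw.strip()
        if raw[0].isspace():                  # body line of the open section(s)
            for body in current:
                body.append(line)
        elif line.startswith("interface range "):
            members = expand_range(line[len("interface range "):])
            current = [sections.setdefault(f"interface {m}", []) for m in members]
        elif line.startswith(("interface ", "line ")):
            current = [sections.setdefault(line, [])]
        else:
            global_lines.append(line)
            current = []
    return global_lines, sections


def audit(text: str, server_vlans=("402",)) -> list:
    """Return human-readable findings, in configuration order."""
    global_lines, sections = parse_config(text)
    findings = []
    for g in global_lines:
        if re.match(r"snmp-server community \S+ RW\b", g):
            findings.append(f"global: read-write SNMP community: {g}")
    for name, body in sections.items():
        if name.startswith("line "):
            # `password 7 ...` is type-7 (reversible); anything else is plain cleartext.
            if any(re.match(r"password (?!7 )", l) for l in body):
                findings.append(f"{name}: cleartext password")
            if name.startswith("line vty"):
                if not any(l.startswith("transport input ssh") for l in body):
                    findings.append(f"{name}: telnet accepted (no 'transport input ssh')")
                if not any(l.startswith("access-class ") for l in body):
                    findings.append(f"{name}: no access-class limiting management sources")
        elif name.startswith("interface "):
            vlan = next((l.split()[-1] for l in body if l.startswith("switchport access vlan ")), None)
            if ("switchport mode access" in body and vlan in server_vlans
                    and not any(l.startswith("storm-control broadcast") for l in body)):
                findings.append(f"{name}: server port in vlan {vlan} without storm-control")
            if "switchport mode trunk" in body and "spanning-tree portfast" in body:
                findings.append(f"{name}: 'spanning-tree portfast' on a trunk port")
    return findings


# Constructed excerpt built from lines in steps 3 and 4 of the plan.
SAMPLE = """\
hostname HT_SWLDA_4F_6509E_01
!
snmp-server community hongtpublic RO
snmp-server community hongtprivate RW
!
interface GigabitEthernet1/3/1
 switchport
 switchport access vlan 402
 switchport mode access
 load-interval 30
!
interface GigabitEthernet1/3/2
 description connect to HT_SWLDA_1F_3750_01
 switchport
 switchport mode trunk
 spanning-tree portfast
!
interface range GigabitEthernet1/7/13 - 15
 switchport
 switchport access vlan 402
 switchport mode access
 storm-control broadcast level 0.10
 storm-control multicast level 0.10
!
line con 0
 exec-timeout 5 0
 password 0 adminht
 login
line vty 0 4
 exec-timeout 5 0
 password 0 adminht
 login
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On `SAMPLE` the audit reports seven findings: the read-write community, Gi1/3/1 without storm-control, portfast on the Gi1/3/2 trunk, the cleartext console password, and three findings on the vty lines (cleartext password, Telnet accepted, no access-class); the three ports in the `interface range` pass because they carry storm-control.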