Headend network solution (solução rede HE)
Posted on 25-Jan-2017
Contents
FINAL DIAGRAMS OF THE HEADEND NETWORK SOLUTION
  Figure 1 – Final Headend physical network
  Figure 2 – Final Headend logical network
PHASE I
  Figure 3 – Physical connections, Phase I
  Configuration: Core switch stack
  Connectivity tests
  Rollback plan
PHASE II
  Figure 4 – Physical connections, Phase II
  Figure 5 – Logical diagram, Phase II
  Configuration: TLT-HE-SWIP001, ZAP-RT01-CORE, ZAP-RT02-ACESSOS
  Connectivity tests
  Rollback plan: ZAP-RT02-ACESSOS
PHASE III
  Figure 6 – Physical connections, Phase III
  Figure 7 – Logical diagram, Phase III
  Configuration: TLT-HE-SWIP001
  Connectivity tests
  Rollback plan
PHASE IV
  Figure 8 – Physical connections, Phase IV
  Figure 9 – Logical diagram, Phase IV
  Configuration: TLT-HE-SWIP001, ZAP-RT02-ACESSOS, ZAP-RT01-CORE, TLT-HE-FWIP001
  Connectivity tests
  Rollback plan
PHASE V
  Figure 10 – Physical connections, Phase V
  Figure 11 – Logical diagram, Phase V
  Configuration: TLT-DC-SWIP001, TLT-DC-SWIP002, TLT-HE-SWIP001, ZAP-SW01-PRODUTORA
  Connectivity tests
  Rollback plan
FINAL DIAGRAMS OF THE HEADEND NETWORK SOLUTION
[Figure 1: physical diagram; only the device inventory and link labels are recoverable from the image]
Headend core and edge: TLT-HE-SWIP001 (Catalyst 3850 stack, MNG IP 172.16.0.1); TLT-HE-RTIP001 (ISR 3845, MNG IP 172.16.0.2); TLT-HE-RTIP002 (ISR 3845, MNG IP 172.16.0.15); TLT-HE-FWIP001/PRI (ASA-5515-X as labelled here, MNG IP 172.16.0.11) and TLT-HE-FWIP001/SEC (ASA-5515-X, standby IP 172.16.0.13) joined by FAILOVER::LINK and FAILOVER::STATE; firewall ports G0/0, G0/1, G0/4, G0/5 towards the stack.
Datacenter: TLT-DC-SWIP001 (Nexus 5548UP, MNG IP 10.151.5.10) and TLT-DC-SWIP002 (Nexus 5548UP, MNG IP 10.151.5.11), E1/24 each, uplinked from stack ports G1/1/4 and G2/1/4.
Access switches (Catalyst 2960 family unless noted): ZAP-SW01-HE (172.16.0.19); ZAP-SW02-HE (2960G, 172.16.0.6); ZAP-SW1-P1 (172.16.0.4); ZAP-SW02-P1 (3560v, 172.16.0.9); ZAP-SW1-P2 (172.16.0.3); ZAP-SW2-P2 (2960+, 172.16.0.7); ZAP-SW3-P2 (2960+, 172.16.0.5); ZAP-SW01-NOC (2960+, 172.16.0.52); ZAP-SW01-BELASB (172.16.0.31); ZAP-SW01-BELAS_SHOPING (2960S, 172.16.0.33); ZAP-SW01-PRODUTORA (3850, 172.16.0.37); ZAPC-SW01-L3-P2 (3850, 172.16.0.50); ZAPC-SW02-P2 (2960+, 172.16.0.51); ZAPC-SW03-P2 (2960+, 172.16.0.53); ZAPC-SW01-P1 (2960+, 172.16.0.54); ZAPC-SW02-P1 (2960+, 172.16.0.55).
External links: ZAP FibraNET, ZAP Fibra Túneis, ACS TVCABO Túneis, EMIS LINK TVCABO, VSAT Portugal, ITA, UCALL (addresses shown: 154.66.104.132, 192.168.29.18, 196.216.54.186, 41.63.165.43).
Figure 1 – Final Headend physical network
[Figure 2: logical diagram; only the labels are recoverable from the image]
Core switch stack TLT-HE-SWIP001 acting as Layer 3 gateway, with VRFs TRUSTED_NETS (VLAN 4 Data), SERVER_FARM (VLAN 105), WIRELESS (VLAN 7 Data Wireless), VOZ, BACKOFFICE (VLAN 16), OneContact (VLAN 103), Marketing (VLAN 17), Management (VLAN 550), plus VLANs 153 and 156.
Edge routers TLT-HE-CRIP001 / TLT-HE-CRIP002 with VRFs TUNNELS (VLAN 60; LOJAS, UCALL, Gestão Nagra, VSAT Portugal), INTERNET (VLAN 61; ZAP Fibra, TVCaboACS, ITA) and PARCEIROS (VLAN 62; ZAP-AO-HE-1, TVCABO, EMIS via ZAP-RT03-EMIS).
Firewall pair TLT-HE-FWIP001 (PRIMARY / SECONDARY) with contexts FW-CTX-FE, FW-CTX-MGMT and FW-CTX-VPN (VLAN 206, e0/7.206); interconnect VLANs 50 FW_to_TRUSTED_NETS, 51 FW_to_SERVER_FARM, 52 FW_to_WIRELESS, 53 FW_to_BACKOFFICE, 54 FW_to_VOZ, 55, 59, 550 FW_to_Management; ZAP Fibra on vlan 502 / e0/7.502 (GW 154.66.104.139, addresses 154.66.104.140 and 154.66.104.141).
Routing: OSPF area 0 in the core, OSPF area 1 totally stub for the user VRFs, OSPF area 2 totally stub for the stores (lojas); BGP AS 65535 at the edge.
Addressing: major subnet 172.16.0.0/16; 172.16.0.0/24 Management; 172.16.1.0/24 VRF interlinks; 172.16.1.240/29 Failover (VLAN 40: .241, .242/.243); 172.16.1.232/29 VCS Server (VLAN 70: .233, .234/.235); 192.168.40.0/30 (.1/.2) towards Rede 10.4.0.0/16; 192.168.0.4/30 (.5/.6) towards Gestão Nagra; 10.151.1.64/29 (.65, .69/.70, .57, .62) towards the DATACENTER.
Figure 2 – Final Headend logical network
To implement all the changes shown in the diagrams above, the work has to be done in phases. The phases needed to reach the final configuration are described below.
PHASE I
In this phase the core switches are put into a stack and the following physical changes are made:
- Move the link to the Produtora site (ZAP-SW01-PRODUTORA), currently on core switch (ZAP-SW04-HE) port G1/1/4, to port G2/1/2.
- Move the link to Belas Shopping (ZAP-SW01-BELASSHOP), currently on core switch port G1/1/3, to port G2/1/1.
[Figure 3: physical diagram; only the labels are recoverable from the image] Core stack TLT-HE-SWIP001 (c3850, two stack members, MNG IP 172.16.0.15 as labelled here); ZAP-SW01-BELAS_SHOPING (c2960S, MNG IP 172.16.0.33) on stack port G2/1/1 (remote port G0/25); ZAP-SW01-PRODUTORA (c3850, MNG IP 172.16.0.37) on stack port G2/1/2 (remote port G1/1/1).
Figure 3 – Physical connections, Phase I
Configuration:
Switch Core Stack
hostname TLT-HE-SWIP001
interface GigabitEthernet2/1/1
description ::: LINK to ZAP-SW01-BELASSHOPPING :::
switchport trunk allowed vlan 470,550
switchport mode trunk
interface GigabitEthernet2/1/2
description ::: LINK to ZAP-SW01-PRODUTORA :::
switchport access vlan 501
switchport mode access
Connectivity tests:
ping 172.16.36.254
ping 172.16.37.254
ping 172.16.49.254
ping 192.168.100.230
Rollback plan:
- Move the link to the Produtora site (ZAP-SW01-PRODUTORA) back to port G1/1/4.
- Move the link to Belas Shopping (ZAP-SW01-BELASSHOP) back to port G1/1/3.
PHASE II:
In this phase the core switch stack is turned into a Layer 3 device and becomes the default gateway for all networks. The OSPF dynamic routing protocol is also introduced in this phase between the core switch and the two routers (core and access) so that routes are exchanged between the devices automatically.
The following physical changes are needed:
- Connect the core router to the stack as shown by the dashed line in the figure.
- Connect the access router (ZAP-RT02-ACESSOS) to the stack as shown by the dashed line in the figure.
All other existing links stay as they are.
[Figure 4: physical diagram; only the labels are recoverable from the image] ZAP-RT01-CORE (ISR 3845, MNG IP 172.16.0.1) port G0/0 to stack port G1/0/2; ZAP-RT02-ACESSOS (ISR 3845, MNG IP 172.16.0.2) port G0/0 to stack port G1/0/1; TLT-HE-SWIP001 (c3850 stack, two members, MNG IP 172.16.0.15 as labelled here).
Figure 4 – Physical connections, Phase II
[Figure 5: logical diagram; only the labels are recoverable from the image] Stack ZAP-SW04-HE as Layer 3 gateway, in OSPF area 0 with ZAP-RT02-ACESSOS and ZAP-RT01-CORE over VLAN 70 (172.16.1.248/29: .249 stack, .250 access router, .251 core router); BGP AS 65535 at the edge; ZAP-FW01-FIREWALL; 192.168.3.16/30 (.17/.18) to ZAP Fibra (154.66.104.129, vlan 502 / e0/3 154.66.104.140, e0/3.105); DATACENTER 10.151.1.64/28 (.70/.65, vlan 105) via TLT-DC-SWIP006 (.57/.62); partners and links: UCall, EMIS (ZAP-RT03-EMIS), ZAP-AO-HE-1, TVCABO, TVCaboACS, ITA, VSAT PT, Gestão Nagra, Rede 10.4.0.0/16, LOJAS. Major subnet 172.16.0.0/16; 172.16.0.0/24 Management; 172.16.1.0/24 VRF interlinks.
Figure 5 – Logical diagram, Phase II
Configuration:
TLT-HE-SWIP001 !
ip access-list extended ACESSO_NET_LOJAS
permit udp any any eq bootps
permit udp any any eq bootpc
permit ip 172.16.47.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 172.16.47.0 0.0.0.255 10.151.0.0 0.0.255.255
permit ip host 172.16.47.249 any
permit tcp 172.16.47.0 0.0.0.255 host 109.71.41.113 eq www
permit tcp 172.16.47.0 0.0.0.255 host 212.0.160.234 eq www
permit tcp 172.16.47.0 0.0.0.255 host 212.0.160.234 eq 465
permit tcp 172.16.47.0 0.0.0.255 host 212.0.160.234 eq 143
permit tcp 172.16.47.0 0.0.0.255 host 212.0.160.234 eq 993
permit tcp 172.16.47.0 0.0.0.255 host 212.0.160.234 eq 995
permit tcp 172.16.47.0 0.0.0.255 host 212.0.160.234 eq pop3
permit tcp 172.16.47.0 0.0.0.255 host 212.0.160.234 eq smtp
permit tcp 172.16.47.0 0.0.0.255 any eq smtp
permit tcp 172.16.47.0 0.0.0.255 any eq pop3
permit icmp any any
!
ip access-list extended ACESSO_NET_BO
permit udp any any eq bootps
permit udp any any eq bootpc
permit ip 172.16.16.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip 172.16.16.0 0.0.0.255 172.16.4.0 0.0.0.255
permit ip 172.16.16.0 0.0.0.255 172.16.5.0 0.0.0.255
permit ip 172.16.16.0 0.0.0.255 172.16.21.0 0.0.0.255
permit ip 172.16.16.0 0.0.0.255 172.16.105.0 0.0.0.255
permit ip 172.16.16.0 0.0.0.255 10.151.0.0 0.0.255.255
permit ip 172.16.16.0 0.0.0.255 192.168.60.0 0.0.0.255
permit tcp 172.16.16.0 0.0.0.255 173.194.41.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.45.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.45.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 173.194.34.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.66.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 74.125.24.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 74.125.239.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.67.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.67.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 173.194.66.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 74.125.239.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 host 212.0.160.234 eq 443
permit tcp 172.16.16.0 0.0.0.255 host 109.71.41.113 eq www
permit tcp 172.16.16.0 0.0.0.255 host 212.0.160.234 eq 465
permit tcp 172.16.16.0 0.0.0.255 host 212.0.160.234 eq 143
permit tcp 172.16.16.0 0.0.0.255 host 212.0.160.234 eq 993
permit tcp 172.16.16.0 0.0.0.255 host 212.0.160.234 eq 995
permit tcp 172.16.16.0 0.0.0.255 host 212.0.160.234 eq pop3
permit tcp 172.16.16.0 0.0.0.255 216.58.208.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 216.58.208.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 74.125.136.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.35.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.35.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 173.194.44.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.44.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 173.194.120.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.120.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 173.194.126.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.126.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 74.125.135.0 0.0.0.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 74.125.135.0 0.0.0.255 eq www
permit tcp 172.16.16.0 0.0.0.255 173.194.0.0 0.0.255.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 173.194.0.0 0.0.255.255 eq www
permit tcp 172.16.16.0 0.0.0.255 74.125.0.0 0.0.255.255 eq 443
permit tcp 172.16.16.0 0.0.0.255 74.125.0.0 0.0.255.255 eq www
permit tcp 172.16.16.0 0.0.0.255 any eq smtp
permit tcp 172.16.16.0 0.0.0.255 any eq pop3
permit icmp any any
!
ip access-list extended ACESSO_ZAP-MOBILE
permit ip any host 172.16.17.254
permit ip any host 192.168.3.6
permit ip any host 172.16.0.12
permit ip any host 172.16.5.204
permit tcp any host 172.16.5.1 eq domain
permit udp any host 172.16.5.1 eq domain
permit tcp any host 172.16.5.4 eq domain
permit udp any host 172.16.5.4 eq domain
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 31.255.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip any 192.0.2.0 0.0.0.255
deny ip any 192.88.99.0 0.0.0.255
deny ip any 198.18.0.0 0.1.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
vlan 70
name INTERCONNECT_TEMP
!
interface vlan 70
description :: INTERCONNECT_TEMP ::
ip address 172.16.1.249 255.255.255.248
!
interface vlan 4
description :: Data ::
ip address 172.16.4.254 255.255.255.0
!
interface vlan 5
description :: Servicos – Canais ::
ip address 10.5.1.1 255.255.255.0
!
interface vlan 7
description :: Data_Wireless ::
ip address 172.16.7.254 255.255.255.0
!
interface vlan 8
description :: VCS ::
ip address 172.16.8.254 255.255.255.0
!
interface vlan 16
description :: Back_Office ::
ip address 172.16.16.254 255.255.255.0
ip access-group ACESSO_NET_BO in
!
interface vlan 17
description :: Marketing ::
ip address 172.16.17.254 255.255.255.0
ip access-group ACESSO_ZAP-MOBILE in
!
interface vlan 21
description :: Voice ::
ip address 172.16.21.254 255.255.255.0
!
interface vlan 105
description :: Servers ::
ip address 172.16.5.253 255.255.255.0
!
interface vlan 204
description :: Novo_DC ::
ip address 10.151.1.62 255.255.255.248
!
interface vlan 205
description :: Proxy_NovoDC ::
ip address 192.168.3.37 255.255.255.252
!
interface vlan 420
description :: Data_BBP ::
ip address 172.16.42.254 255.255.255.0
!
interface vlan 430
description :: Data_BBP ::
ip address 172.16.43.254 255.255.255.0
!
interface vlan 440
description :: Data_BBP ::
ip address 172.16.44.254 255.255.255.0
!
interface vlan 470
description :: Data ::
ip address 172.16.47.254 255.255.255.0
ip access-group ACESSO_NET_LOJAS in
!
interface vlan 480
description :: Data ::
ip address 172.16.48.254 255.255.255.0
!
interface vlan 501
description :: Rede Transporte Produtora ::
ip address 192.168.3.30 255.255.255.252
!
interface vlan 550
description :: Rede Gestão ::
ip address 172.16.0.1 255.255.255.0
!
interface vlan 802
description :: Rede Transporte Cinema ::
ip address 192.168.3.42 255.255.255.252
!
default interface g1/0/1
default interface g1/0/2
!
int po1
description :: PORT-CHANNEL to ZAP-RT02-ACESSOS ::
switchport
switchport mode trunk
switchport trunk allowed vlan 70
!
int po2
description :: PORT-CHANNEL to ZAP-RT01-CORE ::
switchport
switchport mode trunk
switchport trunk allowed vlan 70
!
int g1/0/1
description :: LINK to ZAP-RT02-ACESSOS ::
switchport
switchport mode trunk
switchport trunk allowed vlan 70
channel-group 1 mode on
!
int g2/0/1
description :: LINK to ZAP-RT02-ACESSOS ::
switchport
switchport mode trunk
switchport trunk allowed vlan 70
channel-group 1 mode on
!
int g1/0/2
description :: LINK to ZAP-RT01-CORE ::
switchport
switchport mode trunk
switchport trunk allowed vlan 70
channel-group 2 mode on
!
int g2/0/2
description :: LINK to ZAP-RT01-CORE ::
switchport
switchport mode trunk
switchport trunk allowed vlan 70
channel-group 2 mode on
!
ip route 192.168.100.0 255.255.255.0 192.168.3.29 name rota_voz_para_Produtora
ip route 172.30.0.0 255.255.0.0 192.168.3.41 name rota_para__Cinema_Avenida
ip route 172.16.49.0 255.255.255.0 192.168.3.29 name rota_para_Logistica
ip route 172.16.36.0 255.255.255.0 192.168.3.29 name rota_para_Produtora
ip route 172.16.37.0 255.255.255.0 192.168.3.29 name rota_voz_para_Produtora
ip route 172.16.0.39 255.255.255.255 192.168.3.29 name rota_Gestao_sw03_Produtora
ip route 172.16.0.37 255.255.255.255 192.168.3.29 name rota_Gestao_sw01_Produtora
ip route 172.16.0.38 255.255.255.255 192.168.3.29 name rota_Gestao_sw02_Produtora
ip route 10.151.0.0 255.255.0.0 10.151.1.57 name rota_novo_dc
!
router ospf 1
passive-interface default
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0
network 10.0.0.0 0.255.255.255 area 0
no passive-interface vlan70
redistribute static subnets
!
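The three access lists above are the only traffic filtering the stack applies in Phase II, and what they actually admit is easiest to see by running sample flows through them. The following is an added example written for this page, not part of the original plan: a small Python evaluator for the IOS extended-ACL syntax used here (permit/deny; ip, tcp, udp, icmp; any, host and wildcard-mask addresses; eq with named or numeric ports) that applies ACESSO_ZAP-MOBILE, copied from the configuration above, to constructed flows from a VLAN 17 (Marketing) host. It shows the ordering that matters in that list: the explicit permits for the gateway, the DNS servers and a few hosts come before the RFC 1918 and bogon deny lines, so a Marketing host reaches DNS on 172.16.5.1 but nothing else in 172.16.0.0/12 or 10.0.0.0/8, and anything that is not private falls through to the final permit ip any any. The flows and the source host 172.16.17.20 are constructed for the example.

```python
import ipaddress

# IOS port keywords that appear in this page's ACLs, mapped to port numbers.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "bootps": 67, "bootpc": 68}

# ACESSO_ZAP-MOBILE, copied from the TLT-HE-SWIP001 configuration above.
ACESSO_ZAP_MOBILE = """
permit ip any host 172.16.17.254
permit ip any host 192.168.3.6
permit ip any host 172.16.0.12
permit ip any host 172.16.5.204
permit tcp any host 172.16.5.1 eq domain
permit udp any host 172.16.5.1 eq domain
permit tcp any host 172.16.5.4 eq domain
permit udp any host 172.16.5.4 eq domain
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 31.255.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip any 192.0.2.0 0.0.0.255
deny ip any 192.88.99.0 0.0.0.255
deny ip any 198.18.0.0 0.1.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, mask, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    mask = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF  # wildcard bits are don't-care bits
    return net & mask, mask, tokens[2:]


def parse_acl(text):
    """Parse extended-ACL entries, keeping the order IOS evaluates them in (first match wins)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, smask, rest = _parse_addr(tokens[2:])
        dst, dmask, rest = _parse_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append({"action": action, "proto": proto, "src": src, "smask": smask,
                        "dst": dst, "dmask": dmask, "dport": dport, "line": line})
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """Return (action, matching entry) for a flow; a list that matches nothing denies implicitly."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if (s & e["smask"]) != e["src"] or (d & e["dmask"]) != e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny ip any any"


def classify_marketing_flows():
    """Constructed flows from a VLAN 17 host (172.16.17.20), as seen inbound on the VLAN 17 SVI."""
    acl = parse_acl(ACESSO_ZAP_MOBILE)
    flows = {
        "dns_udp_to_172.16.5.1": ("udp", "172.16.17.20", "172.16.5.1", 53),
        "smb_to_server_farm": ("tcp", "172.16.17.20", "172.16.5.10", 445),
        "ssh_to_datacenter": ("tcp", "172.16.17.20", "10.151.5.10", 22),
        "https_to_internet": ("tcp", "172.16.17.20", "93.184.216.34", 443),
        "ping_gateway": ("icmp", "172.16.17.20", "172.16.17.254", None),
    }
    return {name: evaluate(acl, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in classify_marketing_flows().items():
        print(f"{name:28s} {verdict}")
```

The same evaluator can be pointed at ACESSO_NET_LOJAS and ACESSO_NET_BO; doing so makes one entry stand out: permit ip host 172.16.47.249 any exempts that single host from every restriction in the stores list, which is the kind of exception worth documenting next to the change.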
ZAP-RT01-CORE !
interface lo0
description Gestão
ip address 172.16.0.15 255.255.255.255
!
default interface g0/0
!
int po1
int po1.70
encapsulation dot1Q 70
ip address 172.16.1.251 255.255.255.248
!
int g0/0
channel-group 1
!
ip prefix-list DENIED_OSPF_ROUTES seq 10 permit 0.0.0.0/0
!
route-map ROUTES_OSPF_IN deny 10
match ip address prefix-list DENIED_OSPF_ROUTES
route-map ROUTES_OSPF_IN permit 20
!
router ospf 1
passive-interface default
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0
network 10.0.0.0 0.255.255.255 area 0
no passive-interface po1.70
redistribute static subnets
redistribute connected subnets
redistribute bgp 65535 subnets
distribute-list route-map ROUTES_OSPF_IN in
!
ZAP-RT02-ACESSOS
default interface g0/0
!
int po1
int po1.70
encapsulation dot1Q 70
ip address 172.16.1.250 255.255.255.248
ip nat inside
ip policy route-map NAT-INTERNET5
!
int g0/0
channel-group 1
!
router ospf 1
passive-interface default
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0
network 10.0.0.0 0.255.255.255 area 0
no passive-interface po1.70
redistribute static subnets
redistribute connected subnets
redistribute bgp 65535 subnets
default-information originate
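Before the Phase II cutover it is worth checking the stack configuration above mechanically rather than by eye. The following is an added example written for this page, not part of the original plan: a small Python audit that parses IOS interface and router blocks and applies four checks that matter for this design: every host-segment SVI carries an inbound access-group (as VLANs 16, 17 and 470 do above, and VLAN 4 does not); every trunk has an explicit allowed-VLAN list, so the management VLAN 550 is not carried by accident; the members of a port-channel have identical allowed-VLAN lists and sit on different stack members (as Po1 and Po2 above do with g1/0/x and g2/0/x, and as the firewall Po3 does in Phase IV); and OSPF keeps passive-interface default. The sample configuration is constructed from fragments of the TLT-HE-SWIP001 configuration above plus two made-up interfaces (g1/0/10 and g1/0/11) that trigger findings; treating a /24-or-larger SVI as a host segment and a /29 as an interlink is this example's own heuristic.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: fragments of the TLT-HE-SWIP001 Phase II configuration from this page, plus
# two made-up interfaces: g1/0/10 (trunk with no allowed-vlan list) and g1/0/11 (same bundle, same
# stack member, different allowed-vlan list).
SAMPLE_CONFIG = """
interface vlan 16
description :: Back_Office ::
ip address 172.16.16.254 255.255.255.0
ip access-group ACESSO_NET_BO in
!
interface vlan 4
description :: Data ::
ip address 172.16.4.254 255.255.255.0
!
interface vlan 70
ip address 172.16.1.249 255.255.255.248
!
interface GigabitEthernet1/0/1
switchport mode trunk
switchport trunk allowed vlan 70
channel-group 1 mode on
!
interface GigabitEthernet2/0/1
switchport mode trunk
switchport trunk allowed vlan 70
channel-group 1 mode on
!
interface GigabitEthernet1/0/10
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet1/0/11
switchport mode trunk
switchport trunk allowed vlan 50
channel-group 4 mode on
!
router ospf 1
passive-interface default
network 172.16.0.0 0.0.255.255 area 0
no passive-interface vlan70
!
"""


def parse_blocks(text):
    """Split an IOS config into {header: [child lines]}; a block ends at '!' or at the next header."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif line.startswith(("interface ", "router ")):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def _prefix_len(mask):
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def audit(text):
    """Return sorted (check, object) findings for the four checks described in the lead-in."""
    findings, groups = [], defaultdict(list)  # channel-group -> [(member, allowed vlans)]
    for header, lines in parse_blocks(text).items():
        name = header.split(" ", 1)[1]
        if header.lower().startswith("interface vlan"):
            addr = next((l.split() for l in lines if l.startswith("ip address ")), None)
            filtered = any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines)
            # Heuristic: /24 or larger is a host segment and should be filtered; /29 interlinks are skipped.
            if addr and _prefix_len(addr[3]) <= 24 and not filtered:
                findings.append(("svi_without_inbound_acl", name))
        elif header.startswith("interface "):
            allowed = next((l.split("vlan", 1)[1].strip() for l in lines
                            if l.startswith("switchport trunk allowed vlan")), None)
            if "switchport mode trunk" in lines and allowed is None:
                findings.append(("trunk_allows_all_vlans", name))  # would carry management VLAN 550 too
            group = next((l.split()[1] for l in lines if l.startswith("channel-group ")), None)
            if group:
                groups[group].append((name, allowed))
        elif header.startswith("router ospf") and "passive-interface default" not in lines:
            findings.append(("ospf_not_passive_by_default", name))
    for group, members in groups.items():
        if len({allowed for _, allowed in members}) > 1:
            findings.append(("port_channel_members_mismatch", f"Po{group}"))
        slots = {member.split("/")[0] for member, _ in members}  # e.g. GigabitEthernet1 vs GigabitEthernet2
        if len(members) > 1 and len(slots) < 2:
            findings.append(("port_channel_not_cross_stack", f"Po{group}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, obj in audit(SAMPLE_CONFIG):
        print(f"{check:32s} {obj}")
```

Run it as a pre-change gate: feed it the show running-config output of the stack and fail the change window on any finding that is new relative to the previous phase. On the configuration above, VLAN 4 (Data), VLAN 7, VLAN 21 and the Data_BBP VLANs have no inbound access-group and will be reported; each should be either filtered or explicitly accepted in the plan.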
Connectivity tests:
ping 172.16.5.4 (vlan 105)
ping 10.151.52.1 (Datacenter)
ping 172.16.4.254 (vlan 4)
ping 10.5.1.253 (vlan 5)
ping 172.16.7.254 (vlan 7)
ping 172.16.8.10 (vlan 8)
ping 172.16.16.254 (vlan 16)
ping 172.16.17.254 (vlan 17)
ping 172.16.21.254 (vlan 21)
ping 172.16.42.254 (vlan 420)
ping 172.16.43.254 (vlan 430)
ping 172.16.44.254 (vlan 440)
ping 172.16.47.254 (vlan 470)
ping 172.16.48.254 (vlan 480)
ping 172.16.36.254 (Produtora)
ping 172.16.37.254 (Produtora)
ping 172.16.49.254 (Produtora)
ping 192.168.100.230 (Produtora)
Rollback plan:
- Remove the link from the core router to the stack.
- Connect core router port F0/3/0 to access router port G0/0.
- Connect core router port g0/1 to stack port g1/0/23.
- Apply the following configuration:
ZAP-RT02-ACESSOS !
default interface g0/0
!
interface GigabitEthernet0/0
description Ligacao CORE
ip address 192.168.3.6 255.255.255.252
ip accounting output-packets
ip nat inside
ip virtual-reassembly in max-reassemblies 32
ip policy route-map NAT-INTERNET5
duplex auto
speed auto
media-type rj45
end
PHASE III
The following physical changes are made in this phase:
- Remove the link from core router port F0/0/1 and connect it to core switch port g1/0/5, as shown by the dashed line in the figure.
- Remove the link from core router port F0/2/1 and connect it to core switch port G1/0/8, as shown by the dashed line in the figure.
[Figure 6: physical diagram; only the labels are recoverable from the image] TLT-HE-SWIP001 (c3850 stack, two members, MNG IP 172.16.0.1): port G1/0/5 to Rede 10.4.0.0/16, port G1/0/8 to Gestão Nagra; ports G1/0/12 and G1/0/13 also shown.
Figure 6 – Physical connections, Phase III
[Figure 7: logical diagram; only the labels are recoverable from the image] Same topology and labels as Figure 5 (stack ZAP-SW04-HE as Layer 3 gateway in OSPF area 0 with ZAP-RT02-ACESSOS and ZAP-RT01-CORE over VLAN 70 172.16.1.248/29, BGP AS 65535 at the edge, ZAP-FW01-FIREWALL, ZAP Fibra, TVCaboACS, DATACENTER 10.151.1.64/28 via TLT-DC-SWIP006, UCall, EMIS ZAP-RT03-EMIS, ZAP-AO-HE-1, TVCABO, ITA, VSAT PT, LOJAS), with Rede 10.4.0.0/16 and Gestão Nagra now attached directly to the stack.
Figure 7 – Logical diagram, Phase III
Configuration:
TLT-HE-SWIP001 !
vlan 40
exit
!
default interface g1/0/5
default interface g1/0/8
!
int g1/0/5
switchport
switchport mode trunk
switchport trunk allowed vlan 40
!
int vlan 40
ip address 192.168.40.2 255.255.255.252
!
int g1/0/8
no switchport
description ::: Gestao NAGRA :::
ip address 192.168.0.5 255.255.255.252
!
ip route 10.4.1.0 255.255.255.0 192.168.40.1
ip route 10.4.15.0 255.255.255.0 192.168.40.1
ip route 10.4.16.0 255.255.255.0 192.168.40.1
ip route 10.4.32.0 255.255.255.0 192.168.40.1
ip route 10.4.33.0 255.255.255.0 192.168.40.1
ip route 10.4.36.0 255.255.255.0 192.168.40.1
ip route 10.4.48.0 255.255.255.0 192.168.40.1
ip route 10.21.44.0 255.255.255.0 192.168.0.6 name Gestao_Nagra
Connectivity tests:
ping 10.4.1.1
ping 10.4.15.1
ping 10.4.16.1
Rollback plan:
- Remove the link from core switch port g1/0/5 and connect it back to core router port F0/0/1.
- Remove the link from core switch port G1/0/8 and connect it back to core router port F0/2/1.
PHASE IV
In this phase the new firewalls are introduced into the infrastructure, but no traffic will pass through them until the interfaces on which the routing protocols run are brought up.
The firewalls are connected to the stack as shown in the figure below:
[Figure 8: physical diagram; only the labels are recoverable from the image] TLT-HE-SWIP001 (c3850 stack, two members, MNG IP 172.16.0.1) to TLT-HE-FWIP001/PRI (ASA-5525-X as labelled here, MNG IP 172.16.0.11) and TLT-HE-FWIP001/SEC (ASA-5525-X, standby IP 172.16.0.13); firewall ports G0/0, G0/1, G0/4, G0/5 and G0/7 to stack ports G1/0/3, G2/0/3, G1/0/6, G2/0/6, G1/0/9 and G2/0/9; FAILOVER::LINK and FAILOVER::STATE between the two ASAs.
Figure 8 – Physical connections, Phase IV
[Figure 9 image not reproduced. Labels recoverable from the diagram: TLT-HE-SWIP001 stack; TLT-HE-FWIP001 PRIMARY/SECONDARY with contexts FW-CTX-FE and FW-CTX-MGMT; ZAP-RT02-ACESSOS, ZAP-RT01-CORE, ZAP-FW01-FIREWALL, ZAP-RT03-EMIS, ZAP-AO-HE-1; OSPF area 0, BGP AS 65535, OSPF area 2 totally stub towards the LOJAS; major subnet 172.16.0.0/16 (172.16.0.0/24 management, 172.16.1.0/24 VRF interlinks, 172.16.1.240/29 failover); VLAN 50 172.16.1.0/29 (.1 switch, .2/.3 firewalls); VLAN 60 172.16.1.200/29 (.201/.202 firewalls, .203/.204 routers); VLAN 550; Gestão Nagra 192.168.0.4/30 (.5/.6); vlan 40 192.168.40.0/30 (.1/.2) towards network 10.4.0.0/16; VLAN 70 192.168.3.16/30 (.17/.18); 172.16.1.248/29 (.249/.250/.251); e0/3.105 / vlan 105 10.151.1.64/29 (.65/.70); ZAP Fibra vlan 502 154.66.104.129; DATACENTER, ITA, TVCABO, VSAT PT, UCALL, EMIS, ACS.]
Figure 9 – Phase IV logical diagram
Configurations
TLT-HE-SWIP001 !
vlan 60
name INTERCONNECT_FW_RT_VRF_TUNNELS
vlan 50
name INTERCONNECT FW_RT_VRF_TRUSTED_NETS
exit
!
int vlan 50
description INTERCONNECT FW_RT_VRF_TRUSTED_NETS
ip address 172.16.1.1 255.255.255.248
shutdown
!
int po3
description :: PORT-CHANNEL to TLT-HE-FWIP001::PRI ::
switchport
switchport mode trunk
switchport trunk allowed vlan 50,60
int g1/0/3
description :: LINK to TLT-HE-FWIP001::PRI ::
switchport
switchport mode trunk
switchport trunk allowed vlan 50,60
channel-group 3 mode active
!
int g2/0/3
description :: LINK to TLT-HE-FWIP001::PRI ::
switchport
switchport mode trunk
switchport trunk allowed vlan 50,60
channel-group 3 mode active
!
!
int po4
description :: PORT-CHANNEL to TLT-HE-FWIP001::SEC ::
switchport
switchport mode trunk
switchport trunk allowed vlan 50,60
int g1/0/6
description :: LINK to TLT-HE-FWIP001::SEC ::
switchport
switchport mode trunk
switchport trunk allowed vlan 50,60
channel-group 4 mode active
!
int g2/0/6
description :: LINK to TLT-HE-FWIP001::SEC ::
switchport
switchport mode trunk
switchport trunk allowed vlan 50,60
channel-group 4 mode active
!
int po1
switchport trunk allowed vlan add 60
int po2
switchport trunk allowed vlan add 60
int g1/0/1
switchport trunk allowed vlan add 60
int g2/0/1
switchport trunk allowed vlan add 60
int g1/0/2
switchport trunk allowed vlan add 60
int g2/0/2
switchport trunk allowed vlan add 60
ZAP-RT02-ACESSOS
int po1.60
description INTERCONNECT_FW_RT_VRF_TUNNELS
encapsulation dot1Q 60
ip address 172.16.1.203 255.255.255.248
shutdown
!
ZAP-RT01-CORE
int po1.60
description INTERCONNECT_FW_RT_VRF_TUNNELS
encapsulation dot1Q 60
ip address 172.16.1.204 255.255.255.248
shutdown
!
TLT-HE-FWIP001 SYSTEM:
!
hostname TLT-HE-FWIP001
!
enable password FINS782!$
!
interface GigabitEthernet0/0
no shutdown
channel-group 1 mode active
!
interface GigabitEthernet0/1
no shutdown
channel-group 1 mode active
!
interface GigabitEthernet0/4
no shutdown
description LAN Failover Interface
!
interface GigabitEthernet0/5
no shutdown
description STATE Failover Interface
!
interface GigabitEthernet0/7
no shutdown
!
interface GigabitEthernet0/7.206
vlan 206
!
interface GigabitEthernet0/7.502
vlan 502
!
interface Port-channel1
description ** LINK TO TLT-HE-SWIP001 **
lacp max-bundle 8
!
interface Port-channel1.50
description Interconnect_FW-SW
vlan 50
!
interface Port-channel1.60
description Interconnect_FW-RT
vlan 60
!
interface Port-channel1.550
description GESTAO-HEADEND
vlan 550
!
! Sub-interfaces backing the vlan59 and vlan70 allocations of FW-CTX-VPN below
interface Port-channel1.59
description INTERCONNECT SW_FW_CTX-VPN
vlan 59
!
interface Port-channel1.70
description VCS_EXTERNAL
vlan 70
!
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/4
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover key *****
failover replication http
failover link STATEFUL-LINK GigabitEthernet0/5
failover interface ip FAILOVER 172.16.1.241 255.255.255.252 standby 172.16.1.242
failover interface ip STATEFUL-LINK 172.16.1.245 255.255.255.252 standby 172.16.1.246
!
class default
limit-resource All 0
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
class VPN
limit-resource VPN Other 50
limit-resource VPN Burst Other 2
!
admin-context FW-CTX-MGMT
context FW-CTX-MGMT
allocate-interface Port-channel1.550 vlan550
config-url disk0:/FW-CTX-MGMT.cfg
!
context FW-CTX-FE
allocate-interface Port-channel1.50 vlan50
allocate-interface Port-channel1.60 vlan60
config-url disk0:/FW-CTX-FE.cfg
!
context FW-CTX-VPN
member VPN
allocate-interface GigabitEthernet0/7.206 vlan206
allocate-interface GigabitEthernet0/7.502 vlan502
allocate-interface Port-channel1.59 vlan59
allocate-interface Port-channel1.70 vlan70
config-url disk0:/FW-CTX-VPN.cfg
!
prompt hostname context state priority
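A pre-change check of the stack-to-firewall wiring above, added here as an example (it is not part of the migration plan nor a Cisco tool): it cross-references the system context's allocate-interface lines with the sub-interfaces it defines, and the firewall's Port-channel1 VLANs with the VLANs the switch trunk actually allows. Both configurations inside the block are constructed excerpts of the plan's values, with Port-channel1.59 and .70 deliberately left undefined so the check has something to report.

```python
"""Pre-change wiring check for Phase IV (added example, not part of the plan).

Parses an ASA multi-context system config and a Catalyst trunk config, both in
the plain CLI text listed above, and reports (1) allocate-interface lines that
name a sub-interface the system context never defines and (2) Port-channel1
sub-interface VLANs that the firewall-facing switch trunk does not carry.
"""
import re

# Constructed excerpt of the system context; Port-channel1.59 and .70 are
# deliberately left undefined so the check has something to find.
ASA_SYSTEM = """\
interface GigabitEthernet0/7.206
 vlan 206
interface Port-channel1.50
 vlan 50
interface Port-channel1.60
 vlan 60
interface Port-channel1.550
 vlan 550
context FW-CTX-MGMT
 allocate-interface Port-channel1.550 vlan550
context FW-CTX-FE
 allocate-interface Port-channel1.50 vlan50
 allocate-interface Port-channel1.60 vlan60
context FW-CTX-VPN
 allocate-interface GigabitEthernet0/7.206 vlan206
 allocate-interface Port-channel1.59 vlan59
 allocate-interface Port-channel1.70 vlan70
"""

# Constructed excerpt of the stack's port-channels towards the two firewalls.
SWITCH = """\
int po3
 switchport trunk allowed vlan 50,60
int po4
 switchport trunk allowed vlan 50,60
"""


def parse_asa_subinterfaces(text):
    """Map each sub-interface defined with 'interface X.N' to its VLAN id."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+\.\d+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*vlan (\d+)", line)
        if m and current:
            vlans[current] = int(m.group(1))
            current = None
    return vlans

def parse_allocations(text):
    """Map each context name to the sub-interfaces allocated to it."""
    alloc, ctx = {}, None
    for line in text.splitlines():
        m = re.match(r"context (\S+)", line)
        if m:
            ctx = m.group(1)
            alloc[ctx] = []
            continue
        m = re.match(r"\s*allocate-interface (\S+) (\S+)", line)
        if m and ctx:
            alloc[ctx].append(m.group(1))
    return alloc

def parse_trunk_vlans(text, port_channel):
    """Return the VLAN ids allowed on one switch port-channel trunk."""
    allowed, inside = set(), False
    for line in text.splitlines():
        m = re.match(r"int(?:erface)? (\S+)", line)
        if m:
            inside = m.group(1).lower() == port_channel.lower()
            continue
        m = re.match(r"\s*switchport trunk allowed vlan (?:add )?([\d,\-]+)", line)
        if inside and m:
            for item in m.group(1).split(","):   # handles "50,60" and "10-20"
                lo, _, hi = item.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def check_allocations(asa_text):
    """(context, sub-interface) pairs that are allocated but never defined."""
    defined = parse_asa_subinterfaces(asa_text)
    return [(ctx, sub) for ctx, subs in parse_allocations(asa_text).items()
            for sub in subs if sub not in defined]

def check_trunk(asa_text, switch_text, port_channel):
    """Firewall Port-channel1 VLANs missing from the given switch trunk."""
    allowed = parse_trunk_vlans(switch_text, port_channel)
    return sorted(vid for name, vid in parse_asa_subinterfaces(asa_text).items()
                  if name.startswith("Port-channel1.") and vid not in allowed)

if __name__ == "__main__":
    for ctx, sub in check_allocations(ASA_SYSTEM):
        print(f"{ctx}: {sub} is allocated but not defined in the system context")
    for po in ("po3", "po4"):
        for vid in check_trunk(ASA_SYSTEM, SWITCH, po):
            print(f"{po}: VLAN {vid} is used by the firewall but not allowed on the trunk")
```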
CONTEXT FW-CTX-MGMT
!
hostname FW-CTX-MGMT
!
interface vlan550
nameif GESTAO-HEADEND
security-level 100
ip address 172.16.0.11 255.255.255.0 standby 172.16.0.13
!
route GESTAO-HEADEND 0.0.0.0 0.0.0.0 172.16.0.1 1
http server enable
http 0.0.0.0 0.0.0.0 GESTAO-HEADEND
snmp-server community *****
ssh 0.0.0.0 0.0.0.0 GESTAO-HEADEND
username zap password dWCChWtZS3mhEpUz encrypted privilege 15
username finstar password DFWZfOX9qSCtNDJq encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
!
CONTEXT FW-CTX-FE
!
hostname FW-CTX-FE
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface vlan50
nameif TRUSTED_NETS
security-level 100
ip address 172.16.1.2 255.255.255.248 standby 172.16.1.3
!
interface vlan60
nameif TUNNELS
security-level 100
ip address 172.16.1.201 255.255.255.248 standby 172.16.1.202
!
monitor-interface TRUSTED_NETS
monitor-interface TUNNELS
icmp unreachable rate-limit 1 burst-size 1
icmp permit any TRUSTED_NETS
no asdm history enable
arp timeout 14400
router ospf 1
network 172.16.0.0 255.255.0.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
!
service-policy global_policy global
CONTEXT FW-CTX-VPN
!
hostname FW-CTX-VPN
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface vlan206
description INTERCONNECT TO NEXUS 5k DATACENTER
shutdown
nameif ZAP_VPN_FE_to_Nexus5K
security-level 100
ip address 10.151.1.69 255.255.255.248 standby 10.151.1.70
!
interface vlan502
description INTERNET ZAP_FIBRA
shutdown
nameif INTERNET
security-level 0
ip address 154.66.104.140 255.255.255.248 standby 154.66.104.141
!
interface vlan59
description INTERCONNECT SW_FW_CTX-VPN
shutdown
nameif FW-CTX-VPN-NET
security-level 100
ip address 172.16.1.234 255.255.255.248 standby 172.16.1.235
!
interface vlan70
nameif VCS_EXTERNAL
security-level 100
ip address 172.16.1.242 255.255.255.248 standby 172.16.1.243
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network ZAP_NDS_FE_BE_PP
subnet 10.151.38.0 255.255.255.192
object network SMPP_BE
host 10.151.56.1
object network VCS
host 192.168.3.14
description VCS
object network TLT-DC-EMISTR
host 10.151.58.41
object network UNITEL_SMPP
host 41.78.18.15
object network SAPRH
subnet 10.151.12.216 255.255.255.248
object service TCP-9012
service tcp destination eq 9012
object service UDP-9012
service udp destination eq 9012
object service TCP-15000-15499
service tcp destination range 15000 15499
object service TCP-25000-29999
service tcp destination range 25000 29999
object service TCP-2776
service tcp destination eq 2776
object service TCP-7001
service tcp destination eq 7001
object service UDP-6001
service udp destination eq 6001
object service TCP-2777
service tcp destination eq 2777
object service UDP-2776
service udp destination eq 2776
object service UDP-2777
service udp destination eq 2777
object service TCP-5061
service tcp destination eq 5061
object service RTP_port-range
service udp destination range 16384 65535
object service TCP-16968
service tcp destination eq 16968
description Site MZ
object service UDP-SIP
service udp destination eq sip
object service TCP-1194
service tcp destination eq 1194
object service TCP-1195
service tcp destination eq 1195
object service TCP-3299
service tcp destination eq 3299
object service TCP-16969
service tcp destination eq 16969
description SITE AO
object service TCP-9091
service tcp destination eq 9091
object service TCP-8090
service tcp destination eq 8090
object service TCP-8091
service tcp destination eq 8091
object service TCP-9090
service tcp destination eq 9090
object service TCP-SIP
service tcp destination eq sip
object service TCP-h323
service tcp destination eq h323
object service TCP-1719
service tcp destination eq 1719
object service TCP-5005
service tcp destination eq 5005
object service TCP-2775
service tcp destination eq 2775
object network 172.16.5.239
host 172.16.5.239
object network 10.151.81.251-NAT(ZON)
host 10.151.81.13
description Apenas usado para o tunel
object network VPN-Pool
subnet 192.168.251.0 255.255.255.0
object network 172.16.5.193
host 172.16.5.193
object network 172.16.4.0
subnet 172.16.4.0 255.255.255.0
object network 172.16.5.93
host 172.16.5.93
object-group network REDES_ZAP_LX
network-object 172.16.102.0 255.255.255.0
network-object 172.16.104.0 255.255.255.0
network-object 172.16.105.0 255.255.255.0
network-object host 10.0.100.1
object-group network REDES_ZAP_TUNEL_ZON
network-object 10.151.18.0 255.255.254.0
network-object 10.151.24.128 255.255.255.128
network-object 10.151.25.64 255.255.255.192
network-object 10.151.26.0 255.255.255.224
network-object 10.151.26.32 255.255.255.224
network-object 10.151.80.0 255.255.254.0
network-object 172.16.4.0 255.255.254.0
group-object REDES_ZAP_LX
network-object object ZAP_NDS_FE_BE_PP
object-group network REDES_ZON_TUNEL_ZON
network-object 10.144.20.0 255.255.255.0
network-object 10.144.24.0 255.255.255.192
network-object 10.144.27.0 255.255.255.224
network-object 10.144.27.64 255.255.255.224
network-object 10.144.97.128 255.255.255.128
network-object 10.144.174.128 255.255.255.128
object-group network REDES_ZAP_TUNEL_MPESA
network-object host 10.151.12.146
network-object host 172.16.5.70
network-object host 172.16.5.95
network-object host 10.151.12.161
network-object host 10.151.12.162
object-group network REDES_MPESA_TUNEL_MPESA
network-object host 10.201.44.20
network-object host 10.201.44.26
network-object host 10.201.44.28
object-group network REDES_ZAP_TUNEL_TIMWE
network-object object SMPP_BE
object-group network REDES_TIMWE_TUNEL_TIMWE
network-object host 192.168.50.172
object-group network REDES_ZAP_TUNEL_MCEL
network-object 10.151.56.0 255.255.255.224
object-group network REDES_MCEL_TUNEL_MCEL
network-object 10.1.28.32 255.255.255.240
network-object host 192.168.254.57
object-group service Portas_Tunel_ZAP_TIMWE
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq 13033
service-object tcp destination eq 13037
service-object tcp destination eq 13038
service-object tcp destination eq 13039
object-group service Portas_Tunel_ZAP_ZON
service-object icmp
service-object ip
object-group service Portas_Tunel_ZAP_M-Pesa
service-object icmp
service-object ip
object-group service Portas_Tunel_ZAP_Mcel
service-object icmp
service-object ip
object-group network Redes_Emis
network-object 192.168.20.0 255.255.255.0
object-group network Redes_ZAP_Lx
network-object 172.16.102.0 255.255.255.0
network-object 172.16.104.0 255.255.255.0
network-object 172.16.105.0 255.255.255.0
network-object host 10.0.100.1
access-list ZON_CRYPTOMAP extended permit ip object-group REDES_ZAP_TUNEL_ZON object-group REDES_ZON_TUNEL_ZON
access-list MPESA_CRYPTOMAP extended permit ip object-group REDES_ZAP_TUNEL_MPESA object-group REDES_MPESA_TUNEL_MPESA
access-list MCEL_CRYPTOMAP extended permit ip object-group REDES_ZAP_TUNEL_MCEL object-group REDES_MCEL_TUNEL_MCEL
access-list TIMWE_CRYPTOMAP extended permit ip object-group REDES_ZAP_TUNEL_TIMWE object-group REDES_TIMWE_TUNEL_TIMWE
access-list INGRESS-FW-CTX-VPN-NET extended permit ip any any log
access-list INGRESS-FW-CTX-VPN-NET extended permit icmp any any
access-list INGRESS-VCS_EXTERNAL extended permit ip any any log
access-list INGRESS-VCS_EXTERNAL extended permit icmp any any
access-list INGRESS-INTERNET extended permit icmp any any
access-list INGRESS-INTERNET remark Tuneis
access-list INGRESS-INTERNET extended permit gre any host 192.168.3.18
access-list INGRESS-INTERNET extended permit ipinip any host 192.168.3.18
access-list INGRESS-INTERNET extended permit tcp any host 192.168.3.18 eq pptp
access-list INGRESS-INTERNET remark Open VPN
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.93 eq 1194
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.94 eq 1194
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.78 eq 2121
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.14 eq 3298
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.14 eq 3299
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.78 eq 8090
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.78 eq 8091
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.78 eq 9090
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.78 eq 9091
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.70 eq 16968
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.71 eq 16969
access-list INGRESS-INTERNET extended permit tcp any host 172.16.5.239 eq 9012
access-list INGRESS-INTERNET extended permit udp any host 172.16.5.239 eq 9012
access-list INGRESS-INTERNET remark Acesso VCS
access-list INGRESS-INTERNET extended permit udp any object VCS eq sip
access-list INGRESS-INTERNET extended permit tcp any object VCS eq sip
access-list INGRESS-INTERNET extended permit tcp any object VCS eq 5061
access-list INGRESS-INTERNET extended permit tcp any object VCS eq 1719
access-list INGRESS-INTERNET extended permit tcp any object VCS eq h323
access-list INGRESS-INTERNET extended permit udp any object VCS range 16384 65535
access-list INGRESS-INTERNET remark H.245 q931 / H225
access-list INGRESS-INTERNET extended permit tcp any object VCS range 15000 15499
access-list INGRESS-INTERNET remark Turn
access-list INGRESS-INTERNET extended permit tcp any object VCS range 2776 2777
access-list INGRESS-INTERNET remark Turn
access-list INGRESS-INTERNET extended permit udp any object VCS range 2776 2777
access-list INGRESS-INTERNET remark RAS
access-list INGRESS-INTERNET extended permit udp any object VCS eq 6001
access-list INGRESS-INTERNET remark SIP-Signaling
access-list INGRESS-INTERNET extended permit tcp any object VCS range 25000 29999
access-list INGRESS-INTERNET extended permit tcp any object VCS eq 7001
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit icmp any any
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit object-group Portas_Tunel_ZAP_TIMWE object-group REDES_ZAP_TUNEL_TIMWE object-group REDES_TIMWE_TUNEL_TIMWE
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit object-group Portas_Tunel_ZAP_ZON object-group REDES_ZAP_TUNEL_ZON object-group REDES_ZON_TUNEL_ZON
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit ip any object SAPRH
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit object-group Portas_Tunel_ZAP_M-Pesa object-group REDES_ZAP_TUNEL_MPESA object-group REDES_MPESA_TUNEL_MPESA
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit object-group Portas_Tunel_ZAP_Mcel object-group REDES_ZAP_TUNEL_MCEL object-group REDES_MCEL_TUNEL_MCEL
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit ip object SMPP_BE object UNITEL_SMPP
access-list INGRESS-ZAP_VPN_FE_to_Nexus5K extended permit ip object TLT-DC-EMISTR object-group Redes_Emis
pager lines 24
mtu ZAP_VPN_FE_to_Nexus5K 1500
mtu INTERNET 1500
mtu VCS_EXTERNAL 1500
mtu FW-CTX-VPN-NET 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-h323 TCP-h323 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-1719 TCP-1719 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-SIP TCP-SIP unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service UDP-SIP UDP-SIP unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-5061 TCP-5061 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-15000-15499 TCP-15000-15499 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-25000-29999 TCP-25000-29999 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-7001 TCP-7001 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service UDP-6001 UDP-6001 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-2776 TCP-2776 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service TCP-2777 TCP-2777 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service UDP-2776 UDP-2776 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service UDP-2777 UDP-2777 unidirectional
nat (INTERNET,VCS_EXTERNAL) source static any any destination static interface VCS service RTP_port-range RTP_port-range
nat (INTERNET,FW-CTX-VPN-NET) source static any any destination static interface 172.16.5.239 service TCP-9012 TCP-9012 unidirectional
nat (INTERNET,FW-CTX-VPN-NET) source static any any destination static interface 172.16.5.239 service UDP-9012 UDP-9012 unidirectional
nat (FW-CTX-VPN-NET,INTERNET) source static Redes_ZAP_Lx 10.151.81.251-NAT(ZON) destination static REDES_ZON_TUNEL_ZON REDES_ZON_TUNEL_ZON no-proxy-arp description Para permitir as redes de Lisboa, aceder ao Tunel da ZON
nat (ZAP_VPN_FE_to_Nexus5K,INTERNET) source static REDES_ZAP_TUNEL_ZON REDES_ZAP_TUNEL_ZON destination static REDES_ZON_TUNEL_ZON REDES_ZON_TUNEL_ZON no-proxy-arp route-lookup description Necessario para o tunel para a ZON
nat (ZAP_VPN_FE_to_Nexus5K,INTERNET) source static any any destination static VPN-Pool VPN-Pool no-proxy-arp route-lookup description NAT para VPNs
nat (FW-CTX-VPN-NET,INTERNET) source static any any destination static VPN-Pool VPN-Pool no-proxy-arp route-lookup description NAT para VPNs
nat (FW-CTX-VPN-NET,INTERNET) source static REDES_ZAP_TUNEL_MPESA REDES_ZAP_TUNEL_MPESA destination static REDES_MPESA_TUNEL_MPESA REDES_MPESA_TUNEL_MPESA no-proxy-arp route-lookup description Necessario para o tunel para a Vodacom-M-Pesa
nat (ZAP_VPN_FE_to_Nexus5K,INTERNET) source static REDES_ZAP_TUNEL_MPESA REDES_ZAP_TUNEL_MPESA destination static REDES_MPESA_TUNEL_MPESA REDES_MPESA_TUNEL_MPESA no-proxy-arp route-lookup
nat (ZAP_VPN_FE_to_Nexus5K,INTERNET) source static REDES_ZAP_TUNEL_TIMWE REDES_ZAP_TUNEL_TIMWE destination static REDES_TIMWE_TUNEL_TIMWE REDES_TIMWE_TUNEL_TIMWE no-proxy-arp route-lookup
nat (ZAP_VPN_FE_to_Nexus5K,FW-CTX-VPN-NET) source static SMPP_BE 172.16.5.193 destination static UNITEL_SMPP UNITEL_SMPP service TCP-2775 TCP-2775 description IMPORTANTE PARA O JASMIN CHEGAR A SMS CENTER DA UNITEL
nat (FW-CTX-VPN-NET,INTERNET) source static REDES_ZAP_TUNEL_MCEL REDES_ZAP_TUNEL_MCEL destination static REDES_MCEL_TUNEL_MCEL REDES_MCEL_TUNEL_MCEL no-proxy-arp route-lookup
nat (ZAP_VPN_FE_to_Nexus5K,INTERNET) source static REDES_ZAP_TUNEL_MCEL REDES_ZAP_TUNEL_MCEL destination static REDES_MCEL_TUNEL_MCEL REDES_MCEL_TUNEL_MCEL no-proxy-arp route-lookup
nat (FW-CTX-VPN-NET,INTERNET) source static 172.16.4.0 10.151.81.251-NAT(ZON) destination static REDES_ZON_TUNEL_ZON REDES_ZON_TUNEL_ZON description Necessario devido a uma rede sobreposta na ZON
nat (INTERNET,FW-CTX-VPN-NET) source static any any destination static interface 172.16.5.93 service TCP-1194 TCP-1194 unidirectional
!
object network TLT-DC-EMISTR
nat (any,any) static 172.16.5.90
!
nat (any,INTERNET) after-auto source dynamic any interface
access-group INGRESS-ZAP_VPN_FE_to_Nexus5K in interface ZAP_VPN_FE_to_Nexus5K
access-group INGRESS-INTERNET in interface INTERNET
access-group INGRESS-VCS_EXTERNAL in interface VCS_EXTERNAL
access-group INGRESS-FW-CTX-VPN-NET in interface FW-CTX-VPN-NET
!
prefix-list DENIED_OSPF_ROUTES seq 10 permit 0.0.0.0/0
!
prefix-list OSPF_ROUTES_IN seq 10 deny 0.0.0.0/0
!
router ospf 1
network 172.16.0.0 255.255.0.0 area 0
log-adj-changes
redistribute static subnets
!
route INTERNET 0.0.0.0 0.0.0.0 154.66.104.139 1
route INTERNET 10.101.0.1 255.255.255.255 154.66.104.139 1
route ZAP_VPN_FE_to_Nexus5K 10.151.0.0 255.255.0.0 10.151.1.65 1
route ZAP_VPN_FE_to_Nexus5K 10.152.0.0 255.255.0.0 10.151.1.65 1
route INTERNET 10.201.44.0 255.255.255.0 154.66.104.139 1
route INTERNET 10.201.239.0 255.255.255.0 154.66.104.139 1
route INTERNET 10.205.36.0 255.255.255.0 154.66.104.139 1
route INTERNET 10.205.39.0 255.255.255.0 154.66.104.139 1
route INTERNET 41.76.144.61 255.255.255.255 154.66.104.139 1
route INTERNET 95.81.0.0 255.255.0.0 154.66.104.139 1
route INTERNET 154.66.104.0 255.255.252.0 154.66.104.139 1
route INTERNET 154.118.192.0 255.255.224.0 154.66.104.139 1
route INTERNET 212.73.244.0 255.255.255.0 154.66.104.139 1
route INTERNET 212.113.183.81 255.255.255.255 154.66.104.139 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map LAN2LAN 1 match address ZON_CRYPTOMAP
crypto map LAN2LAN 1 set pfs
crypto map LAN2LAN 1 set peer 212.113.183.81
crypto map LAN2LAN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map LAN2LAN 1 set reverse-route
crypto map LAN2LAN 2 match address MPESA_CRYPTOMAP
crypto map LAN2LAN 2 set peer 41.76.144.61
crypto map LAN2LAN 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map LAN2LAN 2 set reverse-route
crypto map LAN2LAN 3 match address TIMWE_CRYPTOMAP
crypto map LAN2LAN 3 set pfs
crypto map LAN2LAN 3 set peer 193.126.233.66
crypto map LAN2LAN 3 set ikev1 transform-set ESP-3DES-SHA
crypto map LAN2LAN 3 set reverse-route
crypto map LAN2LAN 4 match address MCEL_CRYPTOMAP
crypto map LAN2LAN 4 set pfs
crypto map LAN2LAN 4 set peer 41.220.160.19
crypto map LAN2LAN 4 set ikev1 transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-256-SHA
crypto map LAN2LAN 4 set reverse-route
crypto map LAN2LAN interface INTERNET
crypto ikev1 enable INTERNET
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_41.220.160.19 internal
group-policy GroupPolicy_41.220.160.19 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_193.126.233.66 internal
group-policy GroupPolicy_193.126.233.66 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_212.113.183.81 internal
group-policy GroupPolicy_212.113.183.81 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_41.76.144.61 internal
group-policy GroupPolicy_41.76.144.61 attributes
vpn-tunnel-protocol ikev1
tunnel-group 212.113.183.81 type ipsec-l2l
tunnel-group 212.113.183.81 general-attributes
default-group-policy GroupPolicy_212.113.183.81
tunnel-group 212.113.183.81 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 41.76.144.61 type ipsec-l2l
tunnel-group 41.76.144.61 general-attributes
default-group-policy GroupPolicy_41.76.144.61
tunnel-group 41.76.144.61 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 193.126.233.66 type ipsec-l2l
tunnel-group 193.126.233.66 general-attributes
default-group-policy GroupPolicy_193.126.233.66
tunnel-group 193.126.233.66 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 41.220.160.19 type ipsec-l2l
tunnel-group 41.220.160.19 general-attributes
default-group-policy GroupPolicy_41.220.160.19
tunnel-group 41.220.160.19 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
!
service-policy global_policy global
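An audit of the IKEv1, IPsec and SSH key-exchange parameters configured in FW-CTX-VPN, added here as an example (not part of the plan and not a Cisco tool). The baseline it applies (AES only, DH group 14 or higher, no SHA-1-only exchange) is chosen for the example, and the excerpt it parses is constructed from the policies and transform-sets listed above.

```python
"""Crypto parameter audit for FW-CTX-VPN (added example, not part of the plan).

Parses the 'crypto ikev1 policy', 'crypto ipsec ikev1 transform-set',
'crypto map ... set ikev1 transform-set' and 'ssh key-exchange' lines of an
ASA context and lists every setting below a baseline chosen for this example:
AES only, DH group 14 or higher, and no SHA-1-only key exchange.
"""
import re

# Constructed excerpt mirroring the policies and transform-sets listed above.
ASA_VPN_EXCERPT = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map LAN2LAN 3 set ikev1 transform-set ESP-3DES-SHA
crypto map LAN2LAN 4 set ikev1 transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-256-SHA
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
ssh key-exchange group dh-group1-sha1
"""

WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
MIN_DH_GROUP = 14


def parse_ikev1_policies(text):
    """Return {policy number: {attribute: value}} for each IKEv1 policy block."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        m = re.match(r"\s*(authentication|encryption|hash|group|lifetime) (\S+)", line)
        if m and current is not None:
            policies[current][m.group(1)] = m.group(2)
        elif line and not line[0].isspace():
            current = None  # any other top-level command ends the policy block
    return policies


def parse_transform_sets(text):
    """Return {name: (esp cipher, esp integrity)} for each IKEv1 transform-set."""
    pattern = r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)"
    return {m.group(1): (m.group(2), m.group(3)) for m in re.finditer(pattern, text)}


def audit(text):
    """Return human-readable findings in configuration order."""
    findings = []
    for num, p in sorted(parse_ikev1_policies(text).items()):
        where = f"crypto ikev1 policy {num}"
        if p.get("encryption") in WEAK_IKE_ENCRYPTION:
            findings.append(f"{where}: encryption {p['encryption']} is deprecated")
        if p.get("hash") == "sha":
            # ASA IKEv1 policies only offer md5/sha (SHA-1); SHA-2 needs IKEv2
            findings.append(f"{where}: hash sha is SHA-1 (SHA-2 requires IKEv2)")
        if int(p.get("group", "0")) < MIN_DH_GROUP:
            findings.append(f"{where}: DH group {p.get('group')} is below group {MIN_DH_GROUP}")
    sets = parse_transform_sets(text)
    for name, (cipher, _integrity) in sets.items():
        if cipher in WEAK_ESP_CIPHERS:
            findings.append(f"transform-set {name}: {cipher} is deprecated")
    # A map entry that offers a weak set at all lets the peer negotiate down to it.
    for m in re.finditer(r"crypto map (\S+) (\d+) set ikev1 transform-set (.+)", text):
        for ts in m.group(3).split():
            if ts in sets and sets[ts][0] in WEAK_ESP_CIPHERS:
                findings.append(f"crypto map {m.group(1)} {m.group(2)}: offers {ts} ({sets[ts][0]})")
    if re.search(r"^ssh key-exchange group dh-group1-sha1", text, re.M):
        findings.append("ssh key-exchange: dh-group1-sha1 is 1024-bit DH with SHA-1")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_VPN_EXCERPT):
        print(finding)
```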
Connectivity tests: not required
Rollback plan: not required
PHASE V
In this phase the switch TLT-DC-SWIP006 is removed and its connections are moved to the core switch stack as illustrated in the diagram below. The old firewall is also disconnected and the new firewall cluster is activated:
[Figure 10 image not reproduced. Devices shown: two Cisco Nexus N5548P (port E1/24 on each) linked on G1/1/4 and G2/1/4 to TLT-HE-SWIP001, a stack of two Catalyst 3850 24 PoE+ (MNG IP 172.16.0.1); TLT-HE-RTIP001 ISR 3845 (MNG IP 172.16.0.2) linked from F0/0/1 to G1/0/11.]
Figure 10 – Phase V physical connections diagram
[Figure 11 image not reproduced. Labels recoverable from the diagram: TLT-HE-SWIP001 stack; TLT-HE-FWIP001 PRIMARY/SECONDARY with contexts FW-CTX-FE, FW-CTX-MGMT and FW-CTX-VPN; ZAP-RT02-ACESSOS, ZAP-RT01-CORE, ZAP-RT03-EMIS, ZAP-AO-HE-1, VCS SERVER; OSPF area 0, BGP AS 65535, OSPF area 2 totally stub towards the LOJAS; major subnet 172.16.0.0/16 (172.16.0.0/24 management with .1 switch and .11/.13 firewalls, 172.16.1.0/24 VRF interlinks); VLAN 50 172.16.1.0/29 (.2/.3); VLAN 60 172.16.1.200/29 (.201/.202, .203/.204); VLAN 70 172.16.1.240/29 (.241, .242/.243); VLAN 59; VLAN 206 / G0/7.206 10.151.1.64/29 (.65 gateway, .69/.70 firewalls); vlan 502 / G0/7.502 154.66.104.140 with ZAP Fibra GW 154.66.104.139; Gestão Nagra 192.168.0.4/30 (.5/.6); vlan 40 192.168.40.0/30 (.1/.2) towards network 10.4.0.0/16; VLAN 550; DATACENTER, ITA, TVCABO, VSAT PT, UCALL, EMIS, ACS.]
Figure 11 – Phase V logical diagram
Configurations
TLT-DC-SWIP001 !
no vlan dot1Q tag native
interface port-channel34
switchport trunk allowed vlan add 206
switchport trunk native vlan 801
no int vlan105
vlan 206
name ZAP_VPN_FW_HE
interface Vlan206
description ** Connected to ASA5510 : TLT-DC-VPNIP001 **
no shutdown
vrf member dc-routing
no ip redirects
ip address 10.151.1.66/29
hsrp version 2
hsrp 105
authentication text !pass105
preempt delay minimum 120
priority 110
ip 10.151.1.65
!
TLT-DC-SWIP002 !
no vlan dot1Q tag native
interface port-channel34
switchport trunk allowed vlan add 206
switchport trunk native vlan 801
no int vlan105
vlan 206
name ZAP_VPN_FW_HE
!
interface Vlan206
description ** Connected to ASA5510 : TLT-DC-VPNIP001 **
no shutdown
vrf member dc-routing
no ip redirects
ip address 10.151.1.67/29
hsrp version 2
hsrp 105
authentication text !pass105
preempt delay minimum 120
ip 10.151.1.65
TLT-HE-SWIP001 !
vlan 501
name FW-FE-ASR-UPL
!
vlan 502
name OUTSIDE_FW
!
vlan 207
name Transporte_Produtora
!
int po5
switchport
switchport mode trunk
switchport trunk native vlan 105
switchport trunk allowed vlan 206,204,205,1125,550,987,105,501,502
!
int g1/1/4
switchport
switchport mode trunk
switchport trunk native vlan 105
switchport trunk allowed vlan 206,204,205,1125,550,987,105,501,502
channel-group 5 mode active
!
int g2/1/4
switchport
switchport mode trunk
switchport trunk native vlan 105
switchport trunk allowed vlan 206,204,205,1125,550,987,105,501,502
channel-group 5 mode active
!
int g2/1/2
switchport
switchport mode trunk
switchport trunk allowed vlan 207
!
int g1/0/11
switchport
switchport mode access
switchport access vlan 501
!
int g1/0/9
switchport
switchport mode trunk
switchport trunk allowed vlan 502
!
int g2/0/9
switchport
switchport mode trunk
switchport trunk allowed vlan 502
!
no int vlan501
!
int vlan 207
description Transporte_Produtora
ip address 192.168.3.30 255.255.255.252
!
ZAP-SW01-PRODUTORA !
no vlan 501
int g1/1/1
switchport
switchport mode trunk
switchport trunk allowed vlan 207
!
int vlan 207
description Transporte_Produtora
! .29 is assumed here as the far end of the 192.168.3.28/30 point-to-point link towards TLT-HE-SWIP001 (.30)
ip address 192.168.3.29 255.255.255.252
!
Connectivity tests: ping 172.16.5.4
ping 172.16.36.254
ping 172.16.37.254
ping 172.16.49.254
Rollback plan: re-enable the old firewalls.