Cisco Secure Data Center for Enterprise Single Site Clustering with Cisco TrustSec Technology Implementation Guide Last Updated: March 19, 2014



About the Authors

Tom Hogue, Security Solutions Manager, Security Business Group, Cisco. Tom is the Data Center Security Solutions Manager at Cisco, with over 30 years of experience developing integrated solutions at Cisco and in previous roles in the industry. Tom led the development of industry-leading data center solutions such as FlexPods, Vblocks, and Secure Multi-tenancy.

Bart McGlothin, Security Systems Architect, Security Business Group, Cisco. Bart is a Security Solutions Architect at Cisco with over 16 years of solutions experience. Bart leads Cisco's involvement with the National Retail Federation's Association for Retail Technology Standards Committee (ARTS) as a member of the ARTS board and Executive Committee. Prior to Cisco, Bart worked as the Network Architect at Safeway, Inc.

Matt Kaneko, Security Systems Architect, Security Business Group, Cisco. Matt Kaneko is the solution technical lead for the Secure Data Center Solution team. In this role, Matt and his team work closely with the product marketing teams of various business groups, along with customer feedback, to create solution architectures. Prior to this role, Matt worked as a Technical Marketing Manager for various Cisco security product lines, including Cisco ASA Next Generation Firewall, Cisco Intrusion Protection System, Cisco AnyConnect, and the associated management product lines.


Contents

Introduction 4
  Goal of this Document 4
  Intended Audience 5
  Validated Components 5
Solution Component Implementation 6
  Cisco ASA Firewall Clustering 7
  IPS Protection 15
  Cisco TrustSec 17
Validation Testing 25
  Summary of Tests Performed 25
  Summary of Results 27
Conclusion 28
Appendix A—References 29
Appendix B—Device Configurations 30
  ASA Cluster Configurations 30
  Nexus 7000 Configuration 44
  Nexus 1Kv 55
Appendix C—About the Cisco Validated Design Program 67



Introduction


Goal of this Document

The Single Site Clustering with Cisco TrustSec Technology Solution provides guidance for enterprises that are challenged with the exponential growth of data center resources and associated security policy complexity. Enterprises that want to protect against advanced data security threats can deploy a comprehensive set of security capabilities to address these needs, as shown in Figure 1. Using Cisco’s next-generation firewalls operating as a cluster with IPS and TrustSec, the goals of increased security capacity and simplicity can be jointly achieved.

Figure 1 Single Site Clustering with Cisco TrustSec Technology

This document is specifically focused on providing implementation guidance on the Single Site Clustering with Cisco TrustSec Technology solution, which is part of the Cisco Secure Data Center for the Enterprise portfolio of solutions. These solutions provide the best protection available to address today’s advanced data security threats. They contain design and implementation guidance for enterprises that want to deploy secure physical and virtualized workloads in their data centers.

The solution portfolio contains this solution and two others: Secure Enclaves Architecture and Cyber Threat Defense for the Data Center. Figure 2 illustrates the relationship among these solutions.

For additional content that lies outside the scope of this document, see the following URL: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-secure-data-center-portfolio/index.html.

[Figure 1 diagram; image not recoverable. Labels: TrustSec, Nexus 7k, Environment Data, SXP, Cisco Security Manager, Cisco ASA Cluster with IPS, SEA FlexPod, Policies, Master, Identity Services Engine, Active Directory, User Identity, User On-boarding]


Figure 2 Cisco Secure Data Center for the Enterprise Solution Portfolio

Intended Audience

This document is intended for, but not limited to, security architects, system architects, network design engineers, system engineers, field consultants, advanced services specialists, and customers who want to understand how to deploy a robust security architecture. This document details how specific use cases of the designs were implemented for validation. This implementation guide assumes that the reader is familiar with the basic concepts of IP protocols, quality of service (QoS), high availability (HA), and security technologies. This guide also assumes that the reader is aware of general system requirements and has knowledge of enterprise network and data center architectures.

Validated Components

Table 1 lists the validated components for the solution.

[Figure 2 diagram; image not recoverable. Three solutions: Cisco Secure Enclave Architecture (Integrated Systems: Compute, Storage, Hypervisor; Virtualization; Infrastructure Management; Access Layer; Secure Enclaves); Single-Site Clustering with Cisco TrustSec Technology (Firewall Clustering; Intrusion Prevention; Real-time Updates; Management; Cisco TrustSec Technology: SXP (SGT Exchange Protocol), SGT (Security Group Tags), Policy Enforcement, SGACLs (Security Group ACLs), FWACLs (Firewall ACLs)); Cisco Cyber Threat Defense for the Data Center (Lancope StealthWatch System: NetFlow, NSEL (NetFlow Security Event Logging), Identity)]

Table 1 Validated Components

Component | Role | Hardware | Release
Cisco Adaptive Security Appliance (ASA) | Data center firewall cluster | Cisco ASA 5585-SSP60 | Cisco ASA Software Release 9.1(4)
Cisco Intrusion Prevention Module | Application inspection engines | Cisco ASA 5585-SSP-IPS60 | 7.2(1)
Cisco Nexus 7000 | Aggregation and FlexPod access switch | Cisco 7004 | NX-OS version 6.1(2)
Cisco Identity Services Engine (ISE) | Roles-based policy management | N/A (virtual machine) | Cisco ISE Software Version 1.2



Solution Component Implementation

As stated in the Single Site Clustering with Cisco TrustSec Technology Solution Design Guide, the solution is designed around the following key design principles: provisioning, performance, and protection. Figure 3 portrays an overview of the lab deployment used for validation. The following sections show how each product was configured to match specific use cases desired in the validation.

Figure 3 Lab Overview

Four Cisco ASA 5585-X SSP60 firewalls with IPS modules are deployed as a cluster with a combination of Layer 2 and Layer 3 mode contexts (multi-mode).

The ASA cluster configuration is performed via CLI or Cisco Adaptive Security Device Manager (ASDM)—Cisco Security Manager did not support cluster creation at the time of this validation. Policies for the firewalls and IPS are managed via Cisco Security Manager. User/server device objects are managed in ISE along with TrustSec policy creation for the remaining platforms. User accounts and authentication are linked to Active Directory.

Cisco UCS Director is used to manage the deployment of new virtual machines (VMs) across the infrastructure.

[Figure 3 diagram; image not recoverable. Labels: Enterprise Core, Identity Services Engine, Cisco Security Manager, Active Directory, Cisco ASA Cluster, SEA FlexPod, NetFlow Generation Appliances, Cyber Threat Defense, Storage SAN, Nexus 1kv Virtual Supervisor Module, Data, CCL]


Cisco ASA Firewall Clustering

Initial configuration of the firewalls was performed via the console command line. After the first ASA was configured, additional firewalls were then added to the cluster. For additional information on cluster configuration options, see the following resources:

• Cisco ASA 9.1 CLI configuration guide— http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_cluster.html

• Cisco ASA Clustering within the VMDC Architecture— http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VMDC/ASA_Cluster/ASA_Cluster.html

• Additional Cisco ASA configuration guides— http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

The cluster in this validation consists of four ASAs acting as a single unit. All units in the cluster are the same model with the same DRAM. The units used in the cluster were all running 9.1(4) software.

When deploying the ASA cluster, all of the ASAs must have the exact same configurations for the ASA system to work properly. In addition, they should be deployed in a consistent manner. This applies to using the same type of ports on each unit to connect to the fabric. Use the same ports for the Cluster Control Link (CCL) to the switching fabric and the same with the data links. When the ASA cluster is deployed properly, the master unit of the cluster replicates its configuration to the other units in the cluster, and so the cluster must have a consistent deployment across all the units.

Keep in mind that the following features are applied to each ASA unit, instead of the cluster as a whole:

• QoS—The QoS policy is synced across the cluster as part of configuration replication. However, the policy is enforced on each unit independently. For example, if you configure policing on output, the conform rate and conform burst values are enforced on traffic exiting a particular ASA. In a cluster with eight units and with traffic evenly distributed, the conform rate actually becomes eight times the rate for the cluster. QoS was not implemented in this validation.

• Threat detection—Threat detection works on each unit independently; for example, the top statistics are unit-specific. Port scanning detection, for example, does not work because scanning traffic is load balanced between all units (when using source-dest-ip-port balancing), and one unit does not see all traffic.

• Resource management—Resource management in multiple context mode is enforced separately on each unit based on local usage.

• IPS module—There is no configuration sync or state sharing between IPS modules. More information on this is available in the IPS section below.

ASA Connectivity

The ASA interfaces were configured as a spanned EtherChannel using a single port-channel for both inside and outside VLAN interfaces. These channels connect to a pair of Nexus 7000s using a virtual PortChannel (vPC). The EtherChannel aggregates the traffic across all the available active interfaces in the channel. A spanned EtherChannel accommodates both routed and transparent firewall modes per Cisco’s use case requirements. The EtherChannel inherently provides load balancing as part of basic operation using Cluster Link Aggregation Control Protocol (cLACP). Figure 4 shows the connections and port channels implemented.


Figure 4 Cluster Connections

It is important to point out that the clustered ASAs have the same port channel configuration because of the sync from the cluster, but the Nexus 7000s have different port channels configured because these are local and not spanned across the cluster. EtherChannels configured for the CCL are configured as discrete EtherChannels on the switch.

Note Cisco recommends that the bandwidth of the CCL match at least the highest available bandwidth on the data interfaces. For example, if a 10GE port is used as a data interface, the CCL also needs to support 10 Gbps. The reason is that the load balancing performed by the switches connecting to the cluster can be asymmetric, so it is possible that all traffic hits just one unit in the cluster, resulting in increased traffic on the CCL.

The interface type mode is the first item that must be specified before configuration of the ASAs. You must set the mode separately on each ASA that you want to add to the cluster. If the device is already configured for multiple context mode, configure this setting in the system execution space.

Procedure

Step 1 Configure the cluster interface mode for each unit using the console port:

ciscoasa(config)# cluster interface-mode spanned

The ASA firewall then clears all improper configurations and reboots.

Step 2 Next, configure the CCL interface, which must be enabled before joining the cluster.

interface TenGigabitEthernet0/6
 channel-group 1 mode active
 no shutdown
!
interface TenGigabitEthernet0/7
 channel-group 1 mode active
 no shutdown
!

[Figure 4 diagram; image not recoverable. Labels: N7ka and N7kb joined by a vPC peer-link; vPC-20, vPC-21 through vPC-24, and per-unit PC-1 and PC-2; "Clustering Data Interface" and "Clustering Control Interface"; N7k ports 4/5 through 4/12; ASA-1/IPS-1 through ASA-4/IPS-4 with ports 0/6, 0/7, 0/8, 0/9]


interface Port-channel1
 no shutdown

Step 3 For multi-mode, create or change to the Admin context. Be sure to assign the M0/0 interface.

Step 4 In the Admin context, configure the Cluster IP pool and then assign an IP address to the M0/0 interface, specifying the cluster pool.

ip local pool K02-SEA 172.26.164.157-172.26.164.160 mask 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 172.26.164.194 255.255.255.0 cluster-pool K02-SEA
 no shutdown

Step 5 Now you can either launch the Cluster Wizard in the ASDM, or use the following configuration statements to create the master node of the cluster.

mtu cluster 9000
cluster group K02-SEA
 key *****
 local-unit ASA-1
 cluster-interface Port-channel1 ip 192.168.20.101 255.255.255.0
 priority 1
 console-replicate
 no health-check
 clacp system-mac auto system-priority 1
 enable
 conn-rebalance frequency 3

Once completed, additional security contexts can be created and set as routed or transparent.

Note ASDM has a bug: you cannot add the IP address to the sub-interface (VLAN) of the routed context for a spanned port channel. In this instance, the IP address was configured via the CLI instead. There were no problems creating a bridge interface on the transparent firewall context.

Adding Additional Slave Firewalls

Note Be sure to upgrade ASA software version to match the cluster before adding to the cluster.

Each unit in the cluster requires a bootstrap configuration to join the cluster. Typically, the first unit configured in the cluster will be the master unit. After you enable clustering, the cluster elects a master unit following an election period. With only one unit in the cluster initially, that unit becomes the master unit. Subsequent units added to the cluster will be slave units.

Add additional cluster members via the console; Telnet and SSH are not supported.

First change the cluster interface mode to match the ASA cluster master, clear the configuration, configure the CCL interface, and join the cluster as a slave as follows:

changeto system
cluster interface-mode spanned force
clear configure cluster
mtu cluster 9000


interface TenGigabitEthernet0/6
 channel-group 1 mode active
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 no shutdown
cluster group K02-SEA
 local-unit ASA-4
 priority 3
 cluster-interface Port-channel1 ip 192.168.20.104 255.255.255.0
 key *********
 enable as-slave noconfirm

The MTU command enables jumbo-frame reservation, and should be added to the configuration manually because it is not synced via the cluster.
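The bootstrap configurations above have to agree across units: the same cluster group name, the same CCL port-channel fed by the same physical ports, a unique CCL address per unit in one subnet, and the mtu cluster setting, which is not replicated and is easy to forget on a unit added later. The following Python script is an added example, not code from this guide or from any Cisco tool: it renders a bootstrap snippet per unit in the shape the guide shows, extracts the cluster-relevant fields, and cross-checks them before the units are joined. ASA-1 and ASA-4 use the values from the guide; ASA-2 and ASA-3 are constructed, and ASA-3 is deliberately given no mtu cluster line and a different CCL member port so that the checker has something to report.

```python
import ipaddress
import re
from collections import defaultdict


def bootstrap(unit, ccl_ip, priority,
              ports=("TenGigabitEthernet0/6", "TenGigabitEthernet0/7"), mtu=9000):
    """Render the bootstrap lines the guide shows for one unit (secrets omitted)."""
    lines = [f"mtu cluster {mtu}"] if mtu else []
    for p in ports:
        lines += [f"interface {p}", " channel-group 1 mode active", " no shutdown"]
    lines += ["interface Port-channel1", " no shutdown", "cluster group K02-SEA",
              f" local-unit {unit}",
              f" cluster-interface Port-channel1 ip {ccl_ip} 255.255.255.0",
              f" priority {priority}", " enable"]
    return "\n".join(lines)


# Constructed sample: ASA-1 and ASA-4 follow the guide, ASA-2 and ASA-3 are assumed.
# ASA-3 is deliberately inconsistent: no mtu line and Te0/8 instead of Te0/7 in the CCL.
UNIT_CONFIGS = {
    "ASA-1": bootstrap("ASA-1", "192.168.20.101", 1),
    "ASA-2": bootstrap("ASA-2", "192.168.20.102", 2),
    "ASA-3": bootstrap("ASA-3", "192.168.20.103", 4,
                       ports=("TenGigabitEthernet0/6", "TenGigabitEthernet0/8"), mtu=None),
    "ASA-4": bootstrap("ASA-4", "192.168.20.104", 3),
}


def parse_bootstrap(text):
    """Pull the cluster-relevant settings out of one unit's bootstrap config."""
    cfg = {"mtu": None, "ccl_ports": [], "group": None, "local_unit": None,
           "ccl_intf": None, "ccl_ip": None, "priority": None}
    current_intf = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"mtu cluster (\d+)$", line):
            cfg["mtu"] = int(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            current_intf = m.group(1)
        elif m := re.match(r"channel-group (\d+) mode \S+$", line):
            cfg["ccl_ports"].append((current_intf, int(m.group(1))))
        elif m := re.match(r"cluster group (\S+)$", line):
            cfg["group"] = m.group(1)
        elif m := re.match(r"local-unit (\S+)$", line):
            cfg["local_unit"] = m.group(1)
        elif m := re.match(r"cluster-interface (\S+) ip (\S+) (\S+)$", line):
            cfg["ccl_intf"] = m.group(1)
            cfg["ccl_ip"] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := re.match(r"priority (\d+)$", line):
            cfg["priority"] = int(m.group(1))
    return cfg


def check_cluster(configs):
    """Cross-check all units; return a list of findings (empty means consistent)."""
    parsed = {name: parse_bootstrap(text) for name, text in configs.items()}
    findings = []
    # Group name, CCL port-channel and mtu cluster must be identical everywhere.
    for field, label in (("group", "cluster group name"),
                         ("ccl_intf", "cluster-interface"), ("mtu", "mtu cluster")):
        values = {name: cfg[field] for name, cfg in parsed.items()}
        if len(set(values.values())) != 1:
            findings.append(f"{label} differs across units: {values}")
    # local-unit must name the unit it is configured on.
    for name, cfg in parsed.items():
        if cfg["local_unit"] != name:
            findings.append(f"{name}: local-unit is {cfg['local_unit']}")
    # CCL addresses: unique, and all inside one subnet.
    owners = defaultdict(list)
    for name, cfg in parsed.items():
        if cfg["ccl_ip"]:
            owners[cfg["ccl_ip"].ip].append(name)
    for ip, names in owners.items():
        if len(names) > 1:
            findings.append(f"duplicate CCL address {ip} on {names}")
    nets = {cfg["ccl_ip"].network for cfg in parsed.values() if cfg["ccl_ip"]}
    if len(nets) > 1:
        findings.append(f"CCL addresses span more than one subnet: {sorted(map(str, nets))}")
    # The same physical ports must feed the CCL port-channel on every unit.
    port_sets = {}
    for name, cfg in parsed.items():
        pc_num = int(re.sub(r"\D", "", cfg["ccl_intf"] or "0"))
        port_sets[name] = frozenset(p for p, g in cfg["ccl_ports"] if g == pc_num)
    if len(set(port_sets.values())) > 1:
        detail = {k: sorted(v) for k, v in port_sets.items()}
        findings.append(f"CCL member ports differ across units: {detail}")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(UNIT_CONFIGS) or ["cluster bootstrap is consistent"]:
        print(finding)
```

Run against the four constructed units the checker reports two findings, both on ASA-3; with ASA-3 removed it reports none. In practice the snippets would come from `show running-config` on each unit before `enable` is issued, so a mismatch is caught before the unit is rebooted into the cluster.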

Firewall Contexts

The ASA cluster was partitioned into multiple virtual devices, known as security contexts. Each context acts as an independent device with its own security policy, interfaces, configuration, and administrators. Multiple contexts are similar to having multiple stand-alone devices.

Routed Firewall Mode

In routed firewall mode, the ASA is considered to be a router hop in the network. Routed firewall mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts. The ASA acts as a router between connected networks, and each interface requires an IP address on a different subnet. The ASA supports multiple dynamic routing protocols. However, Cisco recommends using the advanced routing capabilities of the upstream and downstream routers instead of relying on the ASA for extensive routing needs.

Transparent Firewall Mode

A security context can be operated in transparent mode, which acts like a Layer 2 firewall that appears to be a “bump in the wire” or a “stealth firewall”, and is not seen as a router hop to connected devices. The ASA connects to the same network between its interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network. The Management and Data interfaces should not be connected to the same switch because the Data interface receives the MAC address table updates with a minimum of a 30-second delay for security reasons. At least one bridge group is required per context, but each context can support up to eight bridge groups. Each bridge group can include up to four interfaces.

Note The transparent mode ASA does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported.

All ASA 5585-X units within the cluster share a single configuration. When configuration changes are made on the master unit, the changes are automatically replicated to all slave units in the cluster. A configuration change directly made on slave units is prohibited.

Two transparent mode contexts were created and one routed mode context was created. These were labeled as Enclaves 1 through 3 aligning with the Secure Enterprise Enclave (SEA) design guidance. Figure 5 shows the logical segmentation implemented.


Figure 5 Logical Topology

Management Network

All units in the cluster must be connected to a management network that is separate from the CCL. Use the dedicated management interfaces of each ASA as shown in Figure 6.

Each ASA is assigned a unique IP address, and a system IP is assigned to the master unit as its secondary IP address.

For inbound management traffic, an application such as Cisco Security Manager accesses the master ASA by using the system IP address or individual ASAs by their own IP address. For outbound traffic, such as SNMP or syslog, each ASA uses its own IP address to connect to the server. In multi-context mode, the same configuration applies to the admin context and any user contexts that allow remote management.

ip local pool enclave1-pool 10.0.101.101-10.0.101.108 mask 255.255.255.0
!
interface Mgmt101
 description Enclave 1 Management
 management-only
 nameif management
 security-level 0
 ip address 10.0.101.100 255.255.255.0 cluster-pool enclave1-pool

[Figure 5 diagram; image not recoverable. Labels: Cisco ASA Cluster contexts Enclave 1 (L2), Enclave 2 (L2), Enclave 3 (L3); Nexus 7k, Nexus 1k, VMs in Enclaves, Core; VLAN 200 - WAN; Outside/Inside per enclave on VLAN 2001/3001, 2002/3002, 2003/3003; addresses 10.1.1.254, 10.10.0.1, 10.2.1.254, 10.3.0.1; Enclave 3 Outside 10.3.0.254 and Inside 10.3.1.254]


Figure 6 Management Interface Connectivity

NetFlow and Syslog

NetFlow and syslog are valuable tools for accounting, monitoring, and troubleshooting in such a high-throughput environment, and are key aspects of Cisco’s Cyber Threat Defense solution. ASA units in the cluster generate NetFlow and syslogs independently. The syslog HEADER field, which contains a timestamp and device ID, can be customized as required. A syslog collector uses the device ID to identify the syslog generator. The CLI is enhanced so that different ASAs can generate syslog with identical or different device IDs. A per-unit NetFlow stream, however, cannot be consolidated; the NetFlow collector handles each individual ASA separately.

flow-export destination management 172.26.164.240 2055
flow-export template timeout-rate 1

TrustSec and SGT Exchange Protocol

Each context maintains its own configuration, databases, credentials, and environment data. The master unit of the cluster contacts ISE via SGT Exchange Protocol (SXP) connections from each context and obtains the security group-to-IP address mapping data, which is then replicated to all units in the cluster via reliable messaging; therefore, security group-based policies are enforced on the slave units as well. Security group-based policies are replicated as part of the configuration sync. Both routed and transparent firewall modes are supported. In this validation, the management interface was used for SXP communication with peer devices to keep it out of the normal flow of production traffic.

SXP flows from the Nexus 7000 to each of the contexts in the ASA cluster, as shown in Figure 7. The Nexus 7000s act as the “speakers” and send the secure group tag (SGT) and IP address mapping to the “listeners”, which include each of the ASA cluster contexts, via SXP.

[Figure 6 diagram; image not recoverable. Labels: Management Switch ports 0/39 through 0/47 connected to M0/0 on ASA-1 through ASA-4 (with IPS-1 through IPS-4); Cisco ASA Cluster; N7ka and N7kb with vPC peer-link and ports 4/5 through 4/12; ASA ports 0/6, 0/7, 0/8, 0/9]


Figure 7 TrustSec Communication

Configuration of ASA Context (Enclave 1)

cts sxp enable
cts sxp default password *****
cts sxp default source-ip 10.0.101.100
cts sxp connection peer 172.26.164.218 password default mode local listener
cts sxp connection peer 172.26.164.217 password default mode local listener

Configuration of Nexus 7000

cts sxp enable
cts sxp default password 7 <removed>
cts sxp connection peer 10.0.101.100 source 172.26.164.218 password default mode listener
cts sxp connection peer 10.0.102.100 source 172.26.164.218 password default mode listener
cts sxp connection peer 10.0.103.100 source 172.26.164.218 password default mode listener
cts sxp connection peer 172.26.164.18 source 172.26.164.218 password default mode speaker
cts sxp connection peer 172.26.164.186 source 172.26.164.218 password default mode speaker
cts sxp connection peer 192.168.250.22 source 192.168.250.252 password default mode listener
cts role-based enforcement

ASA Security Policy

Cisco ASA Software Release 9.0.1 or later is required for secure group firewall (SGFW) functionality. Policy in the firewall has been expanded to include source and destination security groups, which are downloaded from the ISE in the environment data after the ASA has established a secure connection by importing a proxy auto-configuration (PAC) file from the ISE. The ASA issues a RADIUS request for the TrustSec environment data, which includes the secure group table mapping secure group names to secure group numbers. The ASA receives the secure group number-to-IP address mapping from the Nexus 7000 via SXP. If the PAC file downloaded from the ISE expires on the ASA and the ASA cannot download an updated security group table, the ASA continues to enforce security policies based on the last downloaded security group table until it downloads an updated table.
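The two halves of an SGFW decision described in the last two sections are the SXP binding table (IP prefix to SGT number, learned from the Nexus 7000 speakers) and the environment data (SGT number to group name, used in the access rules). The following Python script is an added example, not code from this guide or from Cisco: it resolves both ends of a flow to a group by longest-prefix match over a constructed binding table, then applies a small first-match rule set written in group names. The prefixes follow the enclave addressing in Figure 5; the SGT numbers, group names and rules are assumptions, as is the use of tag 0 for an address with no binding.

```python
import ipaddress

# Constructed binding table as the Nexus 7000 speakers would advertise it over SXP:
# IP prefix -> SGT number. Numbers and names below are assumptions, not guide values.
SXP_BINDINGS = {
    "10.1.1.0/24": 10,
    "10.2.1.0/24": 20,
    "10.3.1.0/24": 30,
    "10.3.1.254/32": 2,   # enclave 3 inside gateway, more specific than the /24
}
# Environment data: SGT number -> group name. Tag 0 for unbound addresses is an assumption.
SGT_NAMES = {0: "Unknown", 2: "Network_Devices", 10: "Web", 20: "App", 30: "DB"}

# Constructed SGFW rules: (source group, destination group, destination TCP port or
# None for any, action). First match wins; anything unmatched is denied.
POLICY = [
    ("Web", "App", 8443, "permit"),
    ("App", "DB", 1433, "permit"),
    ("Web", "DB", None, "deny"),
]
DEFAULT_ACTION = "deny"


def lookup_sgt(bindings, ip):
    """Longest-prefix match of an address against the binding table; 0 when unbound."""
    addr = ipaddress.ip_address(ip)
    best_net, best_sgt = None, 0
    for prefix, sgt in bindings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_sgt = net, sgt
    return best_sgt


def evaluate(bindings, policy, src_ip, dst_ip, dst_port):
    """Resolve both endpoints to group names and return (action, src_group, dst_group)."""
    src = SGT_NAMES.get(lookup_sgt(bindings, src_ip), "Unknown")
    dst = SGT_NAMES.get(lookup_sgt(bindings, dst_ip), "Unknown")
    for rule_src, rule_dst, rule_port, action in policy:
        if rule_src == src and rule_dst == dst and rule_port in (None, dst_port):
            return action, src, dst
    return DEFAULT_ACTION, src, dst


if __name__ == "__main__":
    # Constructed flows: permitted tier-to-tier traffic, a blocked Web-to-DB attempt,
    # a flow to the gateway address, and a source with no binding at all.
    for flow in [("10.1.1.20", "10.2.1.30", 8443), ("10.1.1.20", "10.3.1.30", 1433),
                 ("10.2.1.5", "10.3.1.30", 1433), ("10.2.1.5", "10.3.1.254", 22),
                 ("192.168.5.5", "10.3.1.30", 1433)]:
        print(flow, "->", evaluate(SXP_BINDINGS, POLICY, *flow))
```

The longest-prefix rule is what makes the /32 gateway binding override the enclave /24, and the unbound source resolving to "Unknown" is the behaviour to watch for when an SXP peer is down or a binding has not yet propagated: the flow does not fall into a permit rule by accident, it falls into the default.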

[Figure 7 diagram; image not recoverable. Labels: Cisco ASA Cluster contexts Enclave 1 (L2) M101 10.0.101.100, Enclave 2 (L2) M102 10.0.102.100, Enclave 3 (L3) M103 10.0.103.100; Nexus 7k 172.26.164.218 and 172.26.164.217 (SXP SG:IP Map); Identity Services Engine 172.26.164.187 and 172.26.164.239 (RADIUS Request, Environment Data)]


As part of configuring the ASA to integrate with Cisco TrustSec, you must configure each context so that it can communicate with the ISE servers via RADIUS. The last line identifies the AAA server group that Cisco TrustSec uses for environment data retrieval.

aaa-server ISE_Radius_Group protocol radius
aaa-server ISE_Radius_Group (management) host 172.26.164.187
 key *****
 radius-common-pw *****
aaa-server ISE_Radius_Group (management) host 172.26.164.239
 key *****
 radius-common-pw *****
!
cts server-group ISE_Radius_Group

When configuring access rules from ASDM and Cisco Security Manager, objects created in the PAC files are available as source and destination criteria. (See Figure 8.)

Figure 8 Configuring Access Rules

For more information on configuring the ASA to integrate with TrustSec, see the following URL: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_trustsec.html


IPS Protection

The Single Site Clustering with Cisco TrustSec Technology Solution leverages the ASA Next Generation Firewall with IPS module to deliver most of the protection capabilities of the solution. Although TrustSec’s security group access control lists (SGACLs) also provide significant protection capabilities in the switching fabric, TrustSec is discussed in the provisioning section because of its ability to consolidate policies from a provisioning perspective. The IPS uses Cisco Security Intelligence Operations (SIO) cloud-based threat intelligence to simplify operations and creates a system that keeps itself updated.

There is no configuration sync or state sharing between IPS modules. Some IPS signatures require the IPS to keep state across multiple connections. For example, the port scanning signature fires when the IPS module detects that someone is opening many connections to one server on different ports. In clustering, those connections are balanced between multiple ASA devices, each of which has its own IPS module. Because these IPS modules do not share state information, the cluster may not be able to detect port scanning as a result. Not all IPS alerts are actionable; if detecting subtle port scanning is required, Cisco recommends that signatures be tuned across all of the IPS modules in the cluster to accommodate these types of detection activities. These changes can be performed using Cisco Security Manager and a common policy for the IPS modules; customizations would include dividing the event count triggers by the number of systems in the cluster for the desired signatures.
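The point made here, and earlier for ASA threat detection, is that a per-unit detector sees only the connections balanced to its own unit, so a cluster-wide threshold is never reached on any one unit; the suggested tuning divides the event-count trigger by the number of units. The following Python script is an added example, not code from this guide or from Cisco, that makes the effect visible on log data. It builds constructed ASA 302013 connection-built messages carrying the per-unit syslog device ID (see the NetFlow and Syslog section above), then compares three views of the same events: each unit with the untuned threshold, each unit with the divided threshold, and a collector that merges all units' messages. The balancing function is a toy stand-in for source-dest-ip-port hashing, and all addresses, ports and timestamps are constructed.

```python
import math
import re
from collections import defaultdict

N_UNITS = 4
CLUSTER_SCAN_THRESHOLD = 10  # distinct destination ports from one source to one host


def owner_unit(src_port, dst_port):
    """Toy stand-in for the cluster's source-dest-ip-port balancing (assumption):
    returns the index of the unit that owns the connection."""
    return (src_port + dst_port) % N_UNITS


def asa_302013(ts, unit, conn, src, sport, dst, dport):
    """Constructed %ASA-6-302013 message with the hostname as syslog device ID."""
    return (f"Mar 19 2014 {ts} {unit} : %ASA-6-302013: Built inbound TCP connection {conn} "
            f"for outside:{src}/{sport} ({src}/{sport}) to inside:{dst}/{dport} ({dst}/{dport})")


def make_sample_syslog():
    """Twelve probes from one source to twelve ports on one host, spread across the
    units by owner_unit(), plus three ordinary connections from an application server."""
    lines, conn = [], 1000
    for i, dport in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443]):
        sport, conn = 40000 + i, conn + 1
        unit = f"ASA-{owner_unit(sport, dport) + 1}"
        lines.append(asa_302013(f"10:00:{i:02d}", unit, conn, "10.10.0.50", sport, "10.3.1.10", dport))
    for i in range(3):
        sport, conn = 50000 + i, conn + 1
        unit = f"ASA-{owner_unit(sport, 1433) + 1}"
        lines.append(asa_302013(f"10:01:{i:02d}", unit, conn, "10.2.1.5", sport, "10.3.1.10", 1433))
    return lines


LINE_RE = re.compile(
    r"^\w{3} \d{1,2} \d{4} [\d:]+ (?P<unit>\S+) : %ASA-6-302013: Built (?:inbound|outbound) "
    r"TCP connection \d+ for \S+:(?P<src>[\d.]+)/\d+ \(\S+\) to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\)$")


def parse(lines):
    """Return (unit, src, dst, dport) for each connection-built message."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((m["unit"], m["src"], m["dst"], int(m["dport"])))
    return out


def detect(lines, threshold=CLUSTER_SCAN_THRESHOLD, n_units=N_UNITS):
    """Count distinct destination ports per (source, destination), once per unit
    and once across the cluster, and apply the untuned and divided thresholds."""
    per_unit, cluster = defaultdict(set), defaultdict(set)
    for unit, src, dst, dport in parse(lines):
        per_unit[(unit, src, dst)].add(dport)
        cluster[(src, dst)].add(dport)
    tuned = math.ceil(threshold / n_units)
    return {
        "per_unit_threshold": tuned,
        "per_unit_untuned": sorted(k for k, p in per_unit.items() if len(p) >= threshold),
        "per_unit_tuned": sorted(k for k, p in per_unit.items() if len(p) >= tuned),
        "cluster_wide": sorted(k for k, p in cluster.items() if len(p) >= threshold),
    }


if __name__ == "__main__":
    for view, hits in detect(make_sample_syslog()).items():
        print(view, hits)
```

With the constructed distribution the twelve probes land as 2, 4, 4 and 2 per unit: no unit reaches the untuned threshold of 10, the divided threshold of 3 fires on two of the four units, and the merged view fires once with the full count. The divided threshold is therefore a partial remedy; the merged per-device-ID view is what a collector can actually reason about.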

For more information on IPS signatures, see the IPS Sensor CLI Configuration Guide at the following URL: http://www.cisco.com/c/en/us/td/docs/security/ips/7-2/configuration/guide/cli/cliguide72/cli_signature_definitions.html

The ASA IPS module runs as a separate application from the ASA. Traffic goes through the firewall before being forwarded to the ASA IPS module. When traffic is identified for IPS inspection on the ASA, traffic flows through the ASA and then the IPS module.

Traffic to the ASA IPS module was configured using inline mode. This mode places the ASA IPS module directly in the traffic flow (see Figure 9). No traffic that is identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the ASA IPS module. This mode is the most secure because every packet identified for inspection is analyzed before being allowed through. Also, the ASA IPS module can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.


Figure 9 Inline Mode

IPS Security Policies

You can create multiple security policies and apply them to individual virtual sensors. A security policy is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy. Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or you can create new policies. The use of multiple security policies lets you create security policies based on different requirements and then apply these customized policies per VLAN or physical interface. You can also apply the same policy instance, for example, sig0, rules0, or ad0, to different virtual sensors. You can assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a virtual sensor.

For this validation, all traffic was designated to pass through the IPS inspection module using the default global policy and no virtual sensor. The following sample commands show the IPS being implemented in inline mode on the ASA context, and the feature of failing open in the event of a module problem.

policy-map global-policy
 class class-default
  ips inline fail-open

On the IPS, the sensor is configured to use the default virtual-sensor in detect mode and use the backplane port-channel interface.

service analysis-engine
 virtual-sensor vs0
  anomaly-detection
   operational-mode detect
   exit
  physical-interface PortChannel0/0

Figure 9 shows the ASA main system (VPN decryption and firewall policy on the path between the outside and inside interfaces) diverting traffic to the IPS module for inspection; packets the IPS blocks are dropped, and the rest are returned to the ASA.


Understanding Global Correlation

Global correlation enables the IPS sensors to be aware of network devices with a reputation for malicious activity and to take action against them. Participating IPS devices receive global correlation updates from a centralized Cisco threat database, the SensorBase Network. The reputation information in these updates is factored into the analysis of network traffic, which increases IPS efficacy because traffic is denied or allowed based on the reputation of the source IP address. Participating IPS devices also send data back to the Cisco SensorBase Network, a feedback loop that keeps the updates current and global.

The sensor can participate in receiving global correlation updates, in sending telemetry data, or both. Events show the reputation score of the attacker, and statistics from the reputation filter are also available.

For enterprise data centers that accept connections from the Internet, the Cisco Security Intelligence Operations (SIO) service supplies the global reputation and correlation information that the IPS inspections use.

To configure global correlation features, follow these steps in the IPS module:

service global-correlation
 global-correlation-inspection on
 global-correlation-inspection-influence standard
 reputation-filtering on
 test-global-correlation on

For more information on Cisco IPS and Global Correlation, see the following URL: http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_collaboration.html

For more information on SIO, see the following URL: http://tools.cisco.com/security/center/home.x

Cisco TrustSec

The Single Site Clustering with Cisco TrustSec Technology Solution uses key technologies provided by Cisco TrustSec to bring typically disparate data center functions together for simplified provisioning and management. This enables the ISE, Cisco Security Manager, Cisco UCS Director, and the Cisco Nexus switching fabric to participate together in securing the data center.

Cisco TrustSec Solution

The Cisco TrustSec solution (see Figure 10) gives the customer the ability to create policies that map end users, or consumers, to data center assets, that is, servers and applications. Typical policies for securing the data center are 5-tuple based or, more recently, context based, and they have been placed at the edge of the data center in a border-based architecture. TrustSec enables you to create policies that go much deeper than a role-based or 5-tuple-based approach alone, while keeping a defense-in-depth architecture with enforcement points integrated throughout the fabric. Using TrustSec SGTs and the advanced policy capability, you can also leverage TrustSec at the data center virtualization layer to enable separation for your secure containers. For further details and comprehensive information about deploying TrustSec solutions, see the following URL: http://www.cisco.com/go/trustsec.


Figure 10 Cisco TrustSec

Cisco Identity Services Engine

Cisco Identity Services Engine (ISE) is an access control system. It provides authentication, authorization, and accounting (AAA) services for a variety of external actors. In the Cisco TrustSec (CTS) architecture, it has the role of authentication and authorization server. As shown in Figure 10, the ISE provides several key roles in the implementation of TrustSec in the data center:

• End-user authentication

• TrustSec device enrollment and authorization (switches, firewalls, management platforms)

• Establishment and central management of SGTs

• Establishment and management of role-based policies

• Propagation of environment data (secure groups, secure group names, SGACLs)

• Management of change of authorization (CoA)

The ISE performs other functions, but these are of most interest and relevance to the Secure Data Center for the Enterprise solution.

ISE installation was accomplished using the Cisco Identity Services Engine Installation and Upgrade Guides available at the following URL: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html.

ISE was deployed as a pair of VMs because laboratory utilization is very low. Typical enterprise deployments should run on dedicated ISE hardware and be scaled to meet enterprise requirements.

Each RADIUS client must be added to the ISE network devices as shown in Figure 11. Within Cisco ISE, navigate to Administration > Network Resources > Network Devices.

Figure 10 components: Identity Services Engine at the center; Active Directory (user identity, user on-boarding); Cisco Security Manager (API, policies, alerts); Nexus 7000 and ASA cluster with IPS (RADIUS request, environment data, SXP); SEA FlexPod environment data. The secure group name-to-tag and tag-to-IP address tables drawn in the figure are reproduced as Table 2 and Table 3.


Figure 11 ISE Network Devices

Add devices as follows:

Procedure

Step 1 Click Add.

Step 2 Enter the device name and an IP address.

Step 3 Under Network Device Group, select the Location and Device Type.

Step 4 Scroll down and check the box for Authentication Settings, and configure the shared secret.

Step 5 Scroll down and check the box for Security Group Access (SGA). Check the box to use the Device ID for SGA Identification, and configure the password to be used by the device during registration.

Step 6 Scroll down and check the box for Device Configuration Deployment. Fill in the exec mode username and password. This step is necessary for deploying the IP/hostname-to-SGT mapping.

Step 7 Click Submit.

Figure 12 shows the configuration of the ASA Enclave 1, and Figure 13 shows the configuration of the Nexus 7000.


Figure 12 ISE ASA Context Device

Figure 13 ISE Nexus 7000 Device


Each of the ASA contexts in the cluster is configured to communicate with the ISE server, as shown previously in the “ASA Security Policy” section on page 13.

The Nexus 1000V and Nexus 7000 are both configured to join the Cisco TrustSec domain and receive their TrustSec PAC (Protected Access Credential) files from ISE.

Procedure

Step 1 First, configure the ISE RADIUS group as follows:

radius-server host 172.26.164.187 key 7 <removed> authentication accounting
radius-server host 172.26.164.239 key 7 <removed> authentication accounting
aaa group server radius ISE-Radius-Grp
  server 172.26.164.187
  server 172.26.164.239
  use-vrf management
  source-interface mgmt0

Step 2 After the ISE RADIUS group is configured, next configure the Authentication and Authorization actions:

aaa authentication dot1x default group ISE-Radius-Grp
aaa accounting dot1x default group ISE-Radius-Grp
aaa authorization cts default group ISE-Radius-Grp

Step 3 Finally, configure the switch to join the Cisco TrustSec domain. This command triggers device registration with Cisco ISE and forces a PAC download. Make sure the device-id matches the name entered in Cisco ISE. Verify the result with show cts pacs (the downloaded PAC) and show cts environment-data (the secure group names and policy received from ISE).

cts device-id k02-fp-sw-a password 7 <removed>

For more information on configuring TrustSec on Nexus devices, see the NX-OS Security Configuration Guide at the following URLs:

• http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-installation-and-configuration-guides-list.html

• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_01101.html

Secure Group Tags

The Cisco ISE enables end-to-end policies enforced on the basis of role-based access control lists (RBACLs). Device and user credentials acquired during authentication are used to classify packets by security group. Every packet entering the Cisco TrustSec domain is tagged with a secure group tag (SGT). The SGT identifies the packet as belonging to either a user or an asset in the data center, so that policy enforcement can be applied to the packet at the appropriate enforcement point or by the advanced processing in the ASA 5585-X. Tagging helps trusted intermediaries identify the source identity of the packet and enforce security policies along the data path. An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB), and is delivered in a RADIUS vendor-specific attribute. An SGT can also be assigned statically to a particular IP address or to a switch interface. An SGT is passed along dynamically to a switch or access point after successful authentication.


Table 2 lists examples of secure group names and their respective SGTs.

SGT Exchange Protocol

SGT Exchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate the IP-to-SGT mapping database from network devices that lack SGT-capable hardware to hardware that supports SGTs and security group access lists. SXP is typically thought of as the protocol between switches that carries the mapping of SGTs to IP addresses. SXP, a control plane protocol, passes IP-to-SGT mappings from authentication points (such as legacy access layer switches) to upstream switches and authenticated devices in the network. SXP connections are point-to-point and use TCP as the underlying transport protocol; SXP uses the well-known TCP port 64999 when initiating a connection.

In Figure 14, SXP flows between the Nexus 7000 and the ASA 5585-X, the Nexus 5000 access switch, and the Nexus 1000V.

Table 2 Secure Group Names and Secure Group Tags

Secure Group Name    Secure Group Tag
HR                   10
Engineering          20
John Doe             30
Web server           40
Email server         50


Figure 14 Cisco TrustSec

The Nexus 5000 and the Nexus 1000V act as "speakers" and send their IP address-to-SGT mappings to the Nexus 7000 via SXP. The Nexus 7000 in turn sends the SGT-to-IP address map to the ASA 5585-X, again via SXP.

Table 3 lists examples of SGTs and their respective IP addresses.

Cisco Security Manager

Cisco Security Manager manages the policies on the ASAs as would be expected in a traditional deployment model. Security group awareness is integrated into several existing firewall rules; there is no unique TrustSec firewall policy. Security groups are downloaded from the ISE in the environment data after the Cisco Security Manager has established a secure connection and imported a PAC file from the ISE.

As described above, Cisco Security Manager issues a request for the TrustSec environment data, which includes the secure group table mapping secure group names to secure group numbers; these are presented as secure group objects. After the environment data is downloaded, creating policies for the firewall is similar to creating extended ACLs.

Table 3 Secure Group Tags and IP Addresses

Secure Group Tag    IP Address
10                  1.1.1.1
20                  2.2.2.2
30                  3.3.3.3

All of the TrustSec and SGT Exchange Protocol configurations described earlier can be managed through common policies in Cisco Security Manager.

For more information for using Cisco Security Manager and TrustSec, see Chapter 14 of the User Guide at the following URL: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-4/user/guide/CSMUserGuide_wrapper.pdf

TrustSec Enforcement

In the Cisco TrustSec solution, enforcement devices use a combination of user attributes and end-point attributes to make role-based and identity-based access control decisions. Security group access transforms a topology-aware network into a role-based network, thus enabling end-to-end policies enforced on the basis of RBACLs. Tagged traffic is blocked by the closest device to the source of the traffic that is able to perform enforcement.
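The following Python script is an added example, not code from this guide or from Cisco; it models the SXP propagation described in the SGT Exchange Protocol section and the security-group enforcement decision described here. Bindings learned at the Nexus 5000 and Nexus 1000V (the speakers) are announced to the Nexus 7000 and from there to the ASA, which classifies a flow by source and destination tag and matches it against security-group rules. The device names, the server addresses, the static subnet mapping on the Nexus 7000 and the policy rows are constructed; the tag numbers and user addresses follow Table 2 and Table 3. It models the control-plane behaviour only, not the SXP wire format, and it generalizes the host bindings in Table 3 to subnet bindings with longest-prefix lookup.

```python
"""Model of SXP binding propagation and security-group policy enforcement.

Added example for the Cisco Secure Data Center guide; not Cisco code. Device
names, server addresses, the Nexus 7000 static mapping and the policy rows are
constructed. Only the control-plane behaviour is modelled, not SXP framing.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SXP_PORT = 64999  # well-known TCP port an SXP speaker connects to (informational)


@dataclass
class Device:
    """A TrustSec device with an IP-to-SGT binding table and its SXP listener peers."""
    name: str
    bindings: Dict[str, int] = field(default_factory=dict)   # prefix -> SGT
    listeners: List["Device"] = field(default_factory=list)  # devices this one speaks to

    def learn(self, prefix: str, sgt: int) -> None:
        """Install a binding (802.1X/MAB result or static mapping) and announce it."""
        self.receive(str(ip_network(prefix, strict=False)), sgt)

    def receive(self, prefix: str, sgt: int) -> None:
        """Listener side of an SXP update; a device that also speaks re-announces it."""
        if self.bindings.get(prefix) == sgt:
            return                      # already known: nothing to propagate
        self.bindings[prefix] = sgt
        for peer in self.listeners:
            peer.receive(prefix, sgt)

    def sgt_for(self, ip: str) -> Optional[int]:
        """Longest-prefix match so a /32 host binding overrides a subnet binding."""
        addr = ip_address(ip)
        best: Optional[Tuple[int, int]] = None
        for prefix, sgt in self.bindings.items():
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, sgt)
        return None if best is None else best[1]


def sxp_peering(speaker: Device, listener: Device) -> None:
    """One-directional SXP connection: the speaker pushes current and future bindings."""
    speaker.listeners.append(listener)
    for prefix, sgt in list(speaker.bindings.items()):
        listener.receive(prefix, sgt)


# Security-group rule: (source SGT, destination SGT, protocol, port or None for any port)
Rule = Tuple[int, int, str, Optional[int]]


def evaluate(enforcer: Device, policy: List[Rule], src_ip: str, dst_ip: str,
             proto: str, port: int) -> str:
    """Classify both endpoints by SGT on the enforcer and apply the first matching
    rule; unknown identities and unmatched flows are denied (default deny)."""
    src_sgt, dst_sgt = enforcer.sgt_for(src_ip), enforcer.sgt_for(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "deny"
    for s, d, p, prt in policy:
        if (s, d, p) == (src_sgt, dst_sgt, proto) and prt in (None, port):
            return "permit"
    return "deny"


def build_topology() -> Dict[str, Device]:
    """Figure 14 topology: Nexus 5000 and Nexus 1000V speak to the Nexus 7000,
    which speaks to the ASA. User bindings follow Table 2 and Table 3; the
    server subnet and host bindings on the Nexus 7000 are constructed."""
    devs = {n: Device(n) for n in ("N5k", "N1kv", "N7k", "ASA")}
    sxp_peering(devs["N5k"], devs["N7k"])
    sxp_peering(devs["N1kv"], devs["N7k"])
    sxp_peering(devs["N7k"], devs["ASA"])
    devs["N5k"].learn("1.1.1.1/32", 10)     # HR user, 802.1X at the access switch
    devs["N5k"].learn("2.2.2.2/32", 20)     # Engineering user
    devs["N1kv"].learn("3.3.3.3/32", 30)    # John Doe, virtual workload
    devs["N7k"].learn("10.1.1.0/24", 40)    # Web server subnet, static IP-to-SGT mapping
    devs["N7k"].learn("10.1.1.25/32", 50)   # Email server host binding overrides the subnet
    return devs


# Constructed policy rows; in the guide these are SG-aware rules built in Cisco Security Manager
POLICY: List[Rule] = [
    (10, 40, "tcp", 80),    # HR -> Web server, HTTP only
    (20, 40, "tcp", None),  # Engineering -> Web server, any TCP port
    (30, 50, "tcp", 25),    # John Doe -> Email server, SMTP
]

if __name__ == "__main__":
    asa = build_topology()["ASA"]
    for flow in (("1.1.1.1", "10.1.1.10", "tcp", 80), ("1.1.1.1", "10.1.1.10", "tcp", 22),
                 ("3.3.3.3", "10.1.1.25", "tcp", 25), ("9.9.9.9", "10.1.1.10", "tcp", 80)):
        print(flow, evaluate(asa, POLICY, *flow))
```

Two properties of the model are worth noticing: the speakers never learn anything back (SXP connections are one-directional), and a source with no binding is denied rather than matched against a default tag, which is the fail-closed behaviour to expect when an SXP peering is down.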


Validation Testing

Summary of Tests Performed

These tests are designed to validate the integration and general functionality of the Secure Data Center design. The common structure of the architecture is based on Cisco's integrated reference architectures.

Table 4 outlines the various tests conducted to validate the deployment.

Table 4 Test Scenarios

Test: Physical Cisco ASA failure and recovery, clustered mode (fail slave)
Methodology: In this failure scenario, Cisco manually removed and restored power on one of the slave ASA nodes in the cluster.

Test: Physical Cisco ASA failure and recovery, clustered mode (fail master)
Methodology: In this failure scenario, Cisco manually removed and restored power on the master ASA node in the cluster.

Test: Physical Cisco ASA failure and recovery, clustered mode (IPS module)
Methodology: In this failure scenario, Cisco manually removed and reinserted an active IPS processor blade from a slave ASA node in the cluster.

Test: ASA cluster data link failures, master and slave
Methodology: Fail and recover the following links:
• Fail a data link to the master
• Fail both data links to the master
• Fail a data link to a slave
• Fail both data links to a slave
• Fail a data link to the master, and verify that SXP communication switches to the newly elected master

Test: ASA cluster control link failures, master and slave
Methodology: Fail and recover the following links:
• Fail a cluster link to the master
• Fail both cluster links to the master
• Fail a cluster link to a slave
• Fail both cluster links to a slave

Test: SXP data propagation
Methodology: Confirm SXP configuration across the infrastructure between the following devices:
• Nexus 1000V and Nexus 7000
• Nexus 7000 and ASA virtual context

Test: SGT integrity
Methodology: Confirm that the SGT is maintained across the enclave infrastructure. This requires data captures at the ingress and egress of the enclave components, including:
• Nexus 1000V and Nexus 7000
• ASA virtual context
• ASAv

Test: Intra-enclave communication
Methodology: Flows within each enclave model are verified point-to-point within the infrastructure. Uniform traffic patterns, and then the security policy, are critical to the SEA for each enclave. Steps include:
• Baseline traffic established
• Connections mapped through the enclave

Test: Management traffic flows
Methodology: Ensure centralized management access via private VLAN and firewall access control rules.

Test: Asymmetric traffic flow validation
Methodology: Asymmetric traffic flows are introduced to the test bed. Ensure that the ASA implementation properly manages these flows.

Test: Validate integrity of IPS-serviced flows
Methodology: Traffic flows are passed through the IPS ASA cluster configuration. Validate the integrity of the flows and the ability to enforce policy based on SIO data.

Test: Cisco Security Manager integration
Methodology: Confirm integration of the Cisco Security Manager:
• ASA cluster and HA pair management
– Virtual context discovery
– Virtual context management
• ISE integration
– Security object learning

Test: Cisco Identity Services Engine (ISE) integration
Methodology: Confirm integration of the ISE with the components listed below:
• ISE authentication and authorization services across the infrastructure
– Nexus switching
– UCS domain
– ASA platforms
– StealthWatch System
• Directory service integration
– Microsoft Active Directory Services
• Security object modeling and security group ACLs


Summary of Results

Table 5 lists the summary of test results.

Table 5 Summary of Results

Test Description: Physical Cisco ASA cluster failure and recovery (fail slave, fail master)
Components: Cisco ASA5585, Cisco Security Manager and Spirent
Result: No traffic interruption; notification syslog output with acceptable packet loss

Test Description: Cisco ASA behavior after IPS module failure and recovery (fail slave, fail master)
Components: Cisco ASA5585 IPS, Cisco Security Manager and Spirent
Result: The ASA unit that contains the failed IPS module leaves the cluster

Test Description: Cisco ASA link failure on data/clustering link
Components: Cisco ASA5585, Cisco Security Manager and Spirent
Result: No traffic interruption; notification syslog output with acceptable packet loss

Test Description: Cisco ASA management link failure
Components: Cisco ASA5585, Cisco Security Manager and Spirent
Result: The ASA unit with the failed management interface leaves the cluster

Test Description: TrustSec SXP recovery after cluster failure
Components: Cisco ASA5585, ISE, Nexus 7000, Cisco Security Manager
Result: SXP communication reestablished with the new master ASA

Test Description: Verify NetFlow activity and collection
Components: Cisco ASA5585, Nexus 7000 and NGA, Lancope
Result: All NetFlow data was transmitted and collected


Conclusion

The Secure Data Center for the Enterprise: Single Site Clustering with Cisco TrustSec Technology Solution is a Cisco Validated Design that enables customers to confidently integrate Cisco's security portfolio to respond to the increasingly sophisticated attacks targeted at the data center. This solution is made even stronger when customers also leverage the Secure Enclaves Architecture for securing the workloads, and the Cyber Threat Defense for Data Center solution for behavioral analysis, which provides zero-day mitigation in the data center.


Appendix A—References

• Access Control Using Security Group Firewall—Aaron Woolan, Cisco.com

• Cisco TrustSec How-To Guide: Server-to-Server Segmentation Using SGA—Aaron Woolan, Cisco.com

• Data Center Security Design Guide—Mike Storm

• Cisco ASA Series CLI Configuration Guides

• Cisco Adaptive Security Appliance Cluster Deployment Guide—Mason Harris, David Anderson, Mike Storm


Appendix B—Device Configurations

ASA Cluster Configurations

System Context ASA-1

ASA Version 9.1(4) <system>
!
hostname K02-ASA-Cluster
domain-name corp.sea9.com
enable password <REMOVED> encrypted
mac-address auto prefix 1
!
interface GigabitEthernet0/0
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface Management0/0
!
interface Management0/0.101
 description ** Enclave 1 Mgmt **
 vlan 101
!
interface Management0/0.102
 vlan 102
!
interface Management0/0.103
 vlan 103
!
interface Management0/0.164
 description ** Flash Interface **
 vlan 164
!
interface Management0/1
!
interface TenGigabitEthernet0/6
 description N7k-a-T4/6 –vPC21
 channel-group 1 mode active
!
interface TenGigabitEthernet0/7
 description N7k-b-T4/6 –vPC21
 channel-group 1 mode active
!
interface TenGigabitEthernet0/8
 channel-group 2 mode active vss-id 1
!
interface TenGigabitEthernet0/9
 channel-group 2 mode active vss-id 2
!
interface GigabitEthernet1/0
 shutdown
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 shutdown
!
interface GigabitEthernet1/3
 shutdown
!
interface GigabitEthernet1/4
 shutdown
!
interface GigabitEthernet1/5
 shutdown
!
interface TenGigabitEthernet1/6
 shutdown
!
interface TenGigabitEthernet1/7
 shutdown
!
interface TenGigabitEthernet1/8
 shutdown
!
interface TenGigabitEthernet1/9
 shutdown
!
interface Port-channel1
 description Clustering Control Interface
!
interface Port-channel2
 description Cluster Spanned Data Link to PC-20
 port-channel span-cluster vss-load-balance
!
interface Port-channel2.200
 description Uplink network
 vlan 200
!
interface Port-channel2.2001
 description Enclave1-outside
 vlan 2001
!
interface Port-channel2.2002
 description Enclave2-outside
 vlan 2002
!
interface Port-channel2.2003
 description Enclave3-outside
 vlan 2003
!
interface Port-channel2.3001
 description Enclave1-inside
 vlan 3001
!
interface Port-channel2.3002
 description Enclave2-inside
 vlan 3002
!
interface Port-channel2.3003
 description Enclave3-inside
 vlan 3003
!
class default
 limit-resource Mac-addresses 65535
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
boot system disk0:/asa914-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
cluster group K02-SEA
 key *****
 local-unit ASA-1
 cluster-interface Port-channel1 ip 192.168.20.101 255.255.255.0
 priority 1
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
 conn-rebalance frequency 3
pager lines 24
mtu cluster 9000
no failover
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
!
tls-proxy maximum-session 11000
!
admin-context admin
context admin
 allocate-interface Management0/0.164
 config-url disk0:/admin.cfg
!
context Enclave1
 description Secure Enclave 1
 allocate-interface Management0/0.101 Mgmt101
 allocate-interface Port-channel2.2001 outside
 allocate-interface Port-channel2.3001 inside
 config-url disk0:/enclave1.cfg
!
context Enclave2
 description Secure Enclave 2
 allocate-interface Management0/0.102 Mgmt102
 allocate-interface Port-channel2.2002 outside
 allocate-interface Port-channel2.3002 inside
 config-url disk0:/enclave2.cfg
!
context Enclave3
 description Secure Enclave 3
 allocate-interface Management0/0.103 mgmt103
 allocate-interface Port-channel2.2003 outside
 allocate-interface Port-channel2.3003 inside
 config-url disk0:/Enclave3.cfg
!
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:6b81be0e4ef0f963efbcb3219464df7f
: end

System Context ASA-3

ASA Version 9.1(4) <system>
!
hostname K02-ASA-Cluster
domain-name corp.sea9.com
enable password <removed> encrypted
mac-address auto prefix 1
!
interface GigabitEthernet0/0
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface Management0/0
!
interface Management0/0.101
 description ** Enclave 1 Mgmt **
 vlan 101
!
interface Management0/0.102
 vlan 102
!
interface Management0/0.103
 vlan 103
!
interface Management0/0.164
 description ** Flash Interface **
 vlan 164
!
interface Management0/1
!
interface TenGigabitEthernet0/6
 description N7k-a-T4/6 -vPC3
 channel-group 1 mode active
!
interface TenGigabitEthernet0/7
 description N7k-b-T4/6 -vPC3
 channel-group 1 mode active
!
interface TenGigabitEthernet0/8
 channel-group 2 mode active vss-id 1
!
interface TenGigabitEthernet0/9
 channel-group 2 mode active vss-id 2
!
interface GigabitEthernet1/0
 shutdown
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 shutdown
!
interface GigabitEthernet1/3
 shutdown
!
interface GigabitEthernet1/4
 shutdown
!
interface GigabitEthernet1/5
 shutdown
!
interface TenGigabitEthernet1/6
 shutdown
!
interface TenGigabitEthernet1/7
 shutdown
!
interface TenGigabitEthernet1/8
 shutdown
!
interface TenGigabitEthernet1/9
 shutdown
!
interface Port-channel1
 description Clustering Interface
!
interface Port-channel2
 description Cluster Spanned Data Link to PC-20
 port-channel span-cluster vss-load-balance
!
interface Port-channel2.200
 description Uplink network
 vlan 200
!
interface Port-channel2.2001
 description Enclave1-outside
 vlan 2001
!
interface Port-channel2.2002
 description Enclave2-outside
 vlan 2002
!
interface Port-channel2.2003
 description Enclave3-outside
 vlan 2003
!
interface Port-channel2.3001
 description Enclave1-inside
 vlan 3001
!
interface Port-channel2.3002
 description Enclave2-inside
 vlan 3002
!
interface Port-channel2.3003
 description Enclave3-inside
 vlan 3003
!
class default
 limit-resource Mac-addresses 65535
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
boot system disk0:/asa914-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
cluster group K02-SEA
 key *****
 local-unit ASA-3
 cluster-interface Port-channel1 ip 192.168.20.103 255.255.255.0
 priority 3
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
 conn-rebalance frequency 3
pager lines 24
mtu cluster 9000
no failover
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
!
tls-proxy maximum-session 11000
!
admin-context admin
context admin
 allocate-interface Management0/0.164
 config-url disk0:/admin.cfg
!
context Enclave1
 description Secure Enclave 1
 allocate-interface Management0/0.101 Mgmt101
 allocate-interface Port-channel2.2001 outside
 allocate-interface Port-channel2.3001 inside
 config-url disk0:/enclave1.cfg
!
context Enclave2
 description Secure Enclave 2
 allocate-interface Management0/0.102 Mgmt102
 allocate-interface Port-channel2.2002 outside
 allocate-interface Port-channel2.3002 inside
 config-url disk0:/enclave2.cfg
!
context Enclave3
 description Secure Enclave 3
 allocate-interface Management0/0.103 mgmt103
 allocate-interface Port-channel2.2003 outside
 allocate-interface Port-channel2.3003 inside
 config-url disk0:/Enclave3.cfg
!
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:faca7e6346ac9c9355f24f0011b0e902
: end
K02-ASA-Cluster#

Admin Context

ASA Version 9.1(4) <context>!hostname adminenable password <removed> encryptednamesip local pool K02-SEA 172.26.164.157-172.26.164.160 mask 255.255.255.0!interface Management0/0.164 management-only nameif management security-level 0 ip address 172.26.164.191 255.255.255.0 cluster-pool K02-SEA!pager lines 21logging enablelogging standbylogging buffer-size 128000logging asdm-buffer-size 512logging console notificationslogging monitor notificationslogging asdm informationallogging facility 16no logging message 106015no logging message 313001no logging message 313008no logging message 106023no logging message 710003no logging message 106100no logging message 302015no logging message 302014no logging message 302013no logging message 302018no logging message 302017no logging message 302016no logging message 302021no logging message 302020flow-export destination management 172.26.164.240 2055

36

Page 37: Cisco Secure Data Center for Enterprise · developing integrated solutions with Cisco and previous roles in the industry. ... Active Directory User Identity User On-boarding Environment

Appendix B—Device Configurations

flow-export template timeout-rate 1
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
no asdm history enable
arp timeout 14400
route management 0.0.0.0 0.0.0.0 172.26.164.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server ISE_Radius_Group protocol radius
aaa-server ISE_Radius_Group (management) host 172.26.164.187
 key *****
 radius-common-pw *****
aaa-server ISE_Radius_Group (management) host 172.26.164.239
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication enable console ISE_Radius_Group LOCAL
aaa authentication ssh console ISE_Radius_Group LOCAL
aaa authentication http console ISE_Radius_Group LOCAL
aaa authentication serial console ISE_Radius_Group LOCAL
aaa accounting enable console ISE_Radius_Group
aaa accounting serial console ISE_Radius_Group
aaa accounting ssh console ISE_Radius_Group
aaa local authentication attempts max-fail 3
aaa authorization exec authentication-server
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
Appendix B—Device Configurations

 class class-default
  user-statistics accounting
  flow-export event-type all destination 172.26.164.240
!
service-policy global_policy global
Cryptochecksum:85251c60c289c64cb8331d05b632c278
: end

Enclave1 Context

K02-ASA-Cluster/Enclave1# sh run
: Saved
:
ASA Version 9.1(4) <context>
!
firewall transparent
hostname Enclave1
domain-name corp.sea9.com
enable password <removed> encrypted
passwd <removed> encrypted
names
ip local pool enclave1-pool 10.0.101.101-10.0.101.108 mask 255.255.255.0
!
interface BVI1
 description Enclave1
 ip address 10.1.1.251 255.255.255.0
!
interface Mgmt101
 description Enclave 1 Management my
 management-only
 nameif management
 security-level 0
 ip address 10.0.101.100 255.255.255.0 cluster-pool enclave1-pool
!
interface outside
 nameif outside
 bridge-group 1
 security-level 0
!
interface inside
 nameif inside
 bridge-group 1
 security-level 100
!
dns domain-lookup management
dns server-group DefaultDNS
 name-server 172.26.164.190
 domain-name corp.sea9.com
object network Management
 subnet 172.26.164.0 255.255.255.0
object network Enclave1-Mgmt-IP
 host 10.0.101.100
 description Enclave 1 Managment IP address
access-list CSM_FW_ACL_ extended permit icmp 10.10.66.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CSM_FW_ACL_ extended permit tcp 10.10.66.0 255.255.255.0 10.1.1.0 255.255.255.0 eq www
access-list CSM_FW_ACL_ extended permit tcp 10.10.66.0 255.255.255.0 10.1.1.0 255.255.255.0 eq ftp
access-list CSM_FW_ACL_ extended permit icmp 10.1.1.0 255.255.255.0 10.10.66.0 255.255.255.0
access-list CSM_FW_ACL_ extended permit tcp 10.1.1.0 255.255.255.0 10.10.66.0 255.255.255.0 eq www
access-list CSM_FW_ACL_ extended permit tcp 10.1.1.0 255.255.255.0 10.10.66.0 255.255.255.0 eq ftp
access-list CSM_FW_ACL_ extended permit ip security-group name SGT_1001_Enclave1 any security-group name enc1_30012_priv any
access-list CSM_TFW_ACL_INBOUND_1 ethertype permit bpdu
pager lines 24
logging enable
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination management 172.26.164.240 2055
flow-export template timeout-rate 1
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group CSM_TFW_ACL_INBOUND_1 in interface outside
access-group CSM_TFW_ACL_INBOUND_1 in interface inside
access-group CSM_FW_ACL_ global
route outside 0.0.0.0 0.0.0.0 10.1.1.254 1
route management 172.26.164.0 255.255.255.0 10.0.101.254 1
route management 192.168.250.18 255.255.255.255 10.0.101.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server ISE_Radius_Group protocol radius
aaa-server ISE_Radius_Group (management) host 172.26.164.187
 key *****
 radius-common-pw *****
aaa-server ISE_Radius_Group (management) host 172.26.164.239
 key *****
 radius-common-pw *****
cts server-group ISE_Radius_Group
cts sxp enable
cts sxp default password *****
cts sxp default source-ip 10.0.101.100
cts sxp connection peer 172.26.164.218 password default mode local listener
cts sxp connection peer 172.26.164.217 password default mode local listener
user-identity default-domain LOCAL
aaa authentication enable console ISE_Radius_Group LOCAL
aaa authentication http console ISE_Radius_Group LOCAL
aaa authentication ssh console ISE_Radius_Group LOCAL
aaa accounting enable console ISE_Radius_Group
aaa accounting ssh console ISE_Radius_Group
aaa local authentication attempts max-fail 3
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh 172.26.164.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
!
!
policy-map global-policy
 class class-default
  flow-export event-type all destination 172.26.164.240
  ips inline fail-open
!
service-policy global-policy global
Cryptochecksum:bf5cfdd35116e819b568aef07919ffa0
: end

Enclave 3 Context

K02-ASA-Cluster/Enclave3# sh run
: Saved
:
ASA Version 9.1(4) <context>
!
hostname Enclave3
enable password <removed> encrypted
names
ip local pool enclave3-pool 10.0.103.101-10.0.103.108 mask 255.255.255.0
!
interface mgmt103
 management-only
 nameif mgmt
 security-level 0
 ip address 10.0.103.100 255.255.255.0 cluster-pool enclave3-pool
!
interface outside
 nameif outside
 security-level 0
 ip address 10.3.0.254 255.255.255.0
!
interface inside
 nameif inside
 security-level 100
 ip address 10.3.1.254 255.255.255.0
!
access-list CSM_FW_ACL_ extended permit icmp 10.10.66.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list CSM_FW_ACL_ extended permit tcp 10.10.66.0 255.255.255.0 10.3.1.0 255.255.255.0 eq ftp
access-list CSM_FW_ACL_ extended permit tcp 10.10.66.0 255.255.255.0 10.3.1.0 255.255.255.0 eq www
access-list CSM_FW_ACL_ extended permit icmp 10.3.1.0 255.255.255.0 10.10.66.0 255.255.255.0
access-list CSM_FW_ACL_ extended permit tcp 10.3.1.0 255.255.255.0 10.10.66.0 255.255.255.0 eq ftp
access-list CSM_FW_ACL_ extended permit tcp 10.3.1.0 255.255.255.0 10.10.66.0 255.255.255.0 eq www
access-list CSM_FW_ACL_ extended permit icmp any any
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any mgmt
no asdm history enable
arp timeout 14400
access-group CSM_FW_ACL_ global
route outside 0.0.0.0 0.0.0.0 10.3.0.1 1
route mgmt 172.26.164.0 255.255.255.0 10.0.103.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server ISE_Radius_Group protocol radius
aaa-server ISE_Radius_Group (inside) host 172.26.164.187
 key *****
 radius-common-pw *****
aaa-server ISE_Radius_Group (inside) host 172.26.164.239
 key *****
 radius-common-pw *****
cts server-group ISE_Radius_Group
cts sxp enable
cts sxp default password *****
cts sxp default source-ip 10.0.103.100
cts sxp connection peer 172.26.164.218 source 10.0.103.100 password default mode local listener
cts sxp connection peer 172.26.164.217 source 10.0.103.100 password default mode local listener
user-identity default-domain LOCAL
aaa authentication enable console ISE_Radius_Group LOCAL
aaa authentication http console ISE_Radius_Group LOCAL
aaa authentication ssh console ISE_Radius_Group LOCAL
aaa accounting enable console ISE_Radius_Group
aaa accounting ssh console ISE_Radius_Group
no snmp-server location
no snmp-server contact
auth-prompt prompt Enclave3 Context
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  ips inline fail-open
!
service-policy global_policy global
Cryptochecksum:02ed5d10127795179b0900f540e80f07
: end
K02-ASA-Cluster/Enclave3#
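The three ASA contexts above each carry a handful of management-plane settings that a reviewer checks by hand: the `ssh`/`http` source restrictions, the SSH key-exchange group, whether `ssh version 2` is pinned, and whether a local lockout (`aaa local authentication attempts max-fail`) is present. The following Python script is an added example, not code from the guide or from Cisco; it audits an ASA running-config excerpt for exactly those items. The sample excerpt is constructed to resemble the contexts shown here (it is not a verbatim copy), and the list of weak key-exchange groups is the script's own assumption: `dh-group1-sha1` is the 1024-bit group, and ASA 9.1 also offers `dh-group14-sha1`.

```python
"""Audit an ASA running-config excerpt for management-plane settings worth reviewing.

Added example for this guide; the findings are advisory observations about the
config text, not a statement of ASA default behaviour.
"""
import re

# Constructed excerpt modelled on the Enclave contexts above (not a verbatim copy).
SAMPLE_CONTEXT = """\
hostname Enclave1
aaa authentication ssh console ISE_Radius_Group LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
"""

# Assumption: groups considered too weak for a 2014-era ASA; dh-group1-sha1 is
# the 1024-bit MODP group, dh-group14-sha1 (2048-bit) is available on ASA 9.1.
WEAK_KEX = {"dh-group1-sha1"}

# "ssh|http|telnet <addr> <mask> <nameif>" lines grant management access.
ACCESS_RE = re.compile(
    r"^(ssh|http|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
KEX_RE = re.compile(r"^ssh key-exchange group (\S+)$")
LOCKOUT_RE = re.compile(r"^aaa local authentication attempts max-fail \d+$")


def audit_asa_config(config):
    """Return a list of human-readable findings for one ASA context config."""
    findings = []
    has_ssh_v2 = False
    has_lockout = False

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = ACCESS_RE.match(line)
        if m:
            proto, addr, mask, ifname = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{proto} access from any source on interface {ifname}")
            if proto == "telnet":
                findings.append(f"telnet management access enabled on interface {ifname}")
            continue

        m = KEX_RE.match(line)
        if m:
            if m.group(1) in WEAK_KEX:
                findings.append(f"weak SSH key exchange group {m.group(1)}")
            continue

        if line == "ssh version 2":
            has_ssh_v2 = True
        elif LOCKOUT_RE.match(line):
            has_lockout = True

    if not has_ssh_v2:
        findings.append("ssh version 2 not explicitly set")
    if not has_lockout:
        findings.append("no local authentication lockout (aaa local authentication attempts max-fail)")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONTEXT):
        print("-", finding)
```

Run against the constructed sample it reports the any-source `http` and `ssh` lines, the `dh-group1-sha1` key exchange, and the missing `ssh version 2`; the lockout check passes because `max-fail 3` is present. Feeding it the Enclave3 context above would additionally report the absent lockout line, which is the kind of per-context drift that is easy to miss when reading a multi-context cluster by eye.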

IPS Configuration

sea-asaips-1# sh configuration
! ------------------------------
! Current configuration last modified Fri Jan 17 19:57:45 2014
! ------------------------------
! Version 7.2(1)
! Host:
!   Realm Keys          key1.0
! Signature Definition:
!   Signature Update    S771.0   2014-02-07
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 172.26.164.195/24,172.26.164.254
host-name sea-asaips-1
telnet-option disabled
sshv1-fallback enabled
access-list 0.0.0.0/0
access-list 0.0.0.0/32
login-banner-text Connected to sea-asaips-1
dns-primary-server enabled
address 172.26.164.190
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 64.102.255.40
port 8080
exit
exit
time-zone-settings
offset -5
standard-time-zone-name EST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 172.26.164.254
exit
summertime-option recurring
summertime-zone-name EDT
exit
auto-upgrade
cisco-server enabled
schedule-option periodic-schedule
start-time 00:00:00
interval 24
exit
user-name bmcgloth
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
variables ALLPORTS web-ports 0-65535
variables WEBPORTS web-ports 80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888,24326-24326
application-policy
http-policy
http-enable true
aic-web-ports 80,3128,8000,8010,8080,8888,24326
exit
exit
signatures 2154 0
status
enabled true
exit
exit
signatures 64001 0
sig-description
sig-name smb_nonstd_prt_1
exit
engine fixed-tcp
direction from-service
max-payload-inspect-length 100
regex-string \xff[Ss][Mm][Bb]
specify-service-ports yes
service-ports 20,21,22,23,53,80,111,123,137,138,139,161,443,514,1433,1434
exit
exit
exit
signatures 64003 0
sig-description
sig-name snmp_nonstd_prt_1
exit
engine fixed-udp
event-action produce-alert
max-payload-inspect-length 64
regex-string \x30[\x1A-\x7F]\x02\x01\[\x00\x01\x03]
specify-service-ports yes
service-ports 20,21,22,23,53,80,111,123,137,138,139,161,514,443,445,1433,1434
exit
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
global-correlation-inspection on
global-correlation-inspection-influence standard
reputation-filtering on
test-global-correlation on
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
anomaly-detection
operational-mode detect
exit
physical-interface PortChannel0/0
exit
exit
sea-asaips-1#

Nexus 7000 Configuration

k02-n7k-a-k02-fp-sw-a# sh run

!Command: show running-config
!Time: Fri Feb 14 00:57:06 2014

version 6.1(2)
switchname k02-fp-sw-a

cfs ipv4 distribute
cfs eth distribute
feature private-vlan
feature udld
feature interface-vlan
feature dot1x
feature hsrp
feature lacp
feature cts
cts device-id k02-fp-sw-a password 7 <removed>
cts role-based counters enable
cts sxp enable
cts sxp default password 7 <removed>
cts sxp connection peer 10.0.101.100 source 172.26.164.218 password default mode listener
cts sxp connection peer 10.0.102.100 source 172.26.164.218 password default mode listener
cts sxp connection peer 10.0.103.100 source 172.26.164.218 password default mode listener
cts sxp connection peer 172.26.164.18 source 172.26.164.218 password default mode speaker
cts sxp connection peer 172.26.164.186 source 172.26.164.218 password default mode speaker
cts sxp connection peer 192.168.250.22 source 192.168.250.252 password default mode listener
cts role-based enforcement
feature vpc
feature pong

logging level cts 6
logging level radius 6
username admin password 5 <removed> role vdc-admin
username ise-user password 5 <removed> role vdc-operator
ip domain-lookup
ip domain-name corp.sea9.com
ip name-server 172.26.164.190 use-vrf management
radius-server key 7 <removed>
radius distribute
radius-server host 172.26.164.187 key 7 <removed> authentication accounting
radius-server host 172.26.164.239 key 7 <removed> authentication accounting
radius commit
aaa group server radius ISE-Radius-Grp
  server 172.26.164.187
  use-vrf management
  source-interface mgmt0
aaa group server radius aaa-private-sg
  server 172.26.164.187
  use-vrf management
  source-interface mgmt0
system default switchport
snmp-server user admin vdc-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user ise-user vdc-operator auth md5 0<removed> localizedkey
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
ntp distribute
ntp server 172.26.164.20 use-vrf management
ntp source-interface Vlan3250
ntp master 8
ntp commit
aaa authentication login default group ISE-Radius-Grp
aaa authentication dot1x default group ISE-Radius-Grp
aaa accounting dot1x default group ISE-Radius-Grp
aaa authorization cts default group ISE-Radius-Grp
aaa accounting default group ISE-Radius-Grp
no aaa user default-role

ip route 10.0.0.0/16 172.26.164.254
ip route 10.3.0.0/16 10.3.0.254 name Enclave3
ip route 10.71.1.186/32 172.26.164.186
vrf context management
  ip route 0.0.0.0/0 172.26.164.254
vlan 1-2,20,98-99,200-219,666,2001-2019,3001-3019,3170-3173,3175-3179,3250-3251,3253-3255
vlan 2
  name Native_VLAN
vlan 20
  name ASA-Cluster-Control
vlan 98
  name vsg-ha
vlan 99
  name vsg-data
vlan 201
  name NFS-Enclave1
vlan 202
  name NFS-Enclave2
vlan 203
  name NFS-Enclave3
vlan 204
  name NFS-Enclave4
vlan 205
  name NFS-Enclave5
vlan 206
  name NFS-Enclave6
vlan 207
  name NFS-Enclave7
vlan 208
  name NFS-Enclave8
vlan 209
  name NFS-Enclave9
vlan 666
  name WAN-on7k
vlan 2001
  name D1-Enclave1
vlan 2002
  name D1-Enclave2
vlan 2003
  name D1-Enclave3
vlan 2004
  name D1-Enclave4
vlan 2005
  name D1-Enclave5
vlan 2006
  name D1-Enclave6
vlan 2007
  name D1-Enclave7
vlan 2008
  name D1-Enclave8
vlan 2009
  name D1-Enclave9
vlan 2010
  name D1-Enclave10
vlan 2011
  name D1-Enclave11
vlan 2012
  name D1-Enclave12
vlan 2013
  name D1-Enclave13
vlan 2014
  name D1-Enclave14
vlan 2015
  name D1-Enclave15
vlan 2016
  name D1-Enclave16
vlan 2017
  name D1-Enclave17
vlan 2018
  name D1-Enclave18
vlan 2019
  name D1-Enclave19
vlan 3001
  name D2-Enclave1
vlan 3002
  name D2-Enclave2
vlan 3003
  name D2-Enclave3
vlan 3004
  name D2-Enclave4
vlan 3005
  name D2-Enclave5
vlan 3006
  name D2-Enclave6
vlan 3007
  name D2-Enclave7
vlan 3008
  name D2-Enclave8
vlan 3009
  name D2-Enclave9
vlan 3010
  name D2-Enclave10
vlan 3011
  name D2-Enclave11
vlan 3012
  name D2-Enclave12
vlan 3013
  name D2-Enclave13
vlan 3014
  name D2-Enclave14
vlan 3015
  name D2-Enclave15
vlan 3016
  name D2-Enclave16
vlan 3017
  name D2-Enclave17
vlan 3018
  name D2-Enclave18
vlan 3019
  name D2-Enclave19
vlan 3170
  name NFS-VLAN
vlan 3171
  name core-services-primary
  private-vlan primary
  private-vlan association 3172
vlan 3172
  name core-services-isolated
  private-vlan isolated
vlan 3173
  name vMotion-VLAN
vlan 3175
  name IB-MGMT-VLAN
vlan 3176
  name Packet-Control-VLAN
vlan 3177
  name infra-vtep-vxlan
vlan 3178
  name monitor-primary
vlan 3179
  name monitor-isolated
vlan 3250
  name sea-prod-mgmt
vlan 3251
  name vMotion
vlan 3253
  name prod-vtep-vxlan
vlan 3254
  name services
vlan 3255
  name services_HA

spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
spanning-tree port type network default
vpc domain 100
  role priority 10
  peer-keepalive destination 172.26.164.183 source 172.26.164.182
  peer-gateway
  auto-recovery
port-profile type port-channel UCS-FI
  switchport
  switchport mode trunk
  switchport trunk native vlan 2
  spanning-tree port type edge trunk
  mtu 9216
  switchport trunk allowed vlan 2,98-99,201-219,666,2001-2019,3001-3019
  switchport trunk allowed vlan add 3170-3173,3175-3179,3250-3251,3253-3255
  description <<**UCS Fabric Interconnect Port Profile **>>
  state enabled
port-profile type ethernet Stand-alone-Management-Servers
  switchport
  spanning-tree port type edge trunk
  switchport trunk allowed vlan 98-99,3170-3173,3175-3179,3250,3254-3255
  switchport trunk native vlan 2
  mtu 9216
  description <<** C-Series Management Server Profile **>>
  state enabled
port-profile type ethernet Cloud-Services-Platforms
  switchport
  switchport mode trunk
  spanning-tree port type edge trunk
  switchport trunk allowed vlan 98-99,3175-3176,3250
  description <<** CSP Port Profile **>>
  state enabled
port-profile type port-channel FAS-Node
  switchport
  switchport mode trunk
  switchport trunk native vlan 2
  spanning-tree port type edge trunk
  mtu 9216
  switchport trunk allowed vlan 201-219,3170
  description <<** NetApp FAS Node Port Profile **>>
  state enabled

vlan 1
  cts role-based enforcement
vlan 2
  cts role-based enforcement
vlan 98
  cts role-based enforcement
vlan 99
  cts role-based enforcement
vlan 3009
  cts role-based enforcement
vlan 3170
  cts role-based enforcement
vlan 3173
  cts role-based enforcement
vlan 3175
  cts role-based enforcement
vlan 3177
  cts role-based enforcement

interface Vlan1
  no ip redirects
  no ipv6 redirects

interface Vlan5
  no ip redirects
  no ipv6 redirects

interface Vlan20
  description <** ASA Cluster control **>
  no shutdown
  no ip redirects
  ip address 192.168.20.201/24
  no ipv6 redirects

interface Vlan200
  description <** Enclave Uplink **>
  no shutdown
  no ip redirects
  ip address 10.10.0.3/24
  no ipv6 redirects
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 25 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 10.10.0.1

interface Vlan666
  no shutdown
  no ip redirects
  ip address 10.10.66.1/24
  no ipv6 redirects

interface Vlan2001
  description <<** Enclave 1-outside**>>
  no shutdown
  no ip redirects
  ip address 10.1.1.252/24
  no ipv6 redirects
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 15 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 10.1.1.254

interface Vlan2002
  description <<** Enclave2-outside DGW **>>
  no shutdown
  no ip redirects
  ip address 10.10.2.201/24
  no ipv6 redirects
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 25 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 10.10.2.1

interface Vlan2003
  description <** Enclave 3-outside **>
  no shutdown
  no ip redirects
  ip address 10.3.0.3/24
  no ipv6 redirects
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 15 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 10.3.0.1

interface Vlan3001
  description <<** Enclave 1 Inside **>>
  no ip redirects
  no ipv6 redirects

interface Vlan3002
  description <<** VLAN 3002 Inside Enclave2 **>>
  no shutdown
  private-vlan mapping 32
  no ip redirects
  no ipv6 redirects

interface Vlan3009
  description <<** Enclave 9 DGW - No ASA **>>
  no shutdown
  no ip redirects
  ip address 10.9.1.252/24
  no ipv6 redirects
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 15 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 10.9.1.254

interface Vlan3171
  private-vlan mapping 3172
  ip address 192.168.0.3/24
  no ipv6 redirects
  ip local-proxy-arp

interface Vlan3175
  no shutdown
  management
  no ip redirects
  ip address 172.26.164.218/24
  no ipv6 redirects

interface Vlan3250
  description <** Production Management SVI **>>
  no shutdown
  no ip redirects
  ip address 192.168.250.252/24
  no ipv6 redirects
  hsrp version 2
  hsrp 1
    authentication text c1sc0
    preempt delay minimum 180
    priority 15 forwarding-threshold lower 0 upper 0
    timers 1 3
    ip 192.168.250.1

interface port-channel8
  description <<** NGA SPAN PORTS **>>
  switchport mode trunk
  switchport monitor

interface port-channel9
  switchport access vlan 3175
  spanning-tree port type normal
  vpc 9

interface port-channel10
  description <<** vPC peer-link **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 10,20,32,71,98-99,200-209,211-219
  switchport trunk allowed vlan add 300-319,400-419,666,2001-2135,3001-3135
  switchport trunk allowed vlan add 3170-3177,3250-3251,3253-3255
  spanning-tree port type network
  vpc peer-link

interface port-channel11
  inherit port-profile FAS-Node
  description <<** fas_node1 **>>
  vpc 11

interface port-channel12
  inherit port-profile FAS-Node
  description <<** fas_node2 **>>
  vpc 12

interface port-channel13
  inherit port-profile UCS-FI
  description <<** k02-ucs-fab-a **>
  switchport mode trunk
  switchport trunk allowed vlan 2, 98-99, 201-219, 666, 2001-2019, 3001-3019
  switchport trunk allowed vlan add 3170-3173, 3175-3179, 3250-3251, 3253-3255
  spanning-tree port type edge trunk
  mtu 9216
  vpc 13

interface port-channel14
  inherit port-profile UCS-FI
  description <<** k02-ucs-fab-b **>>
  switchport mode trunk
  switchport trunk allowed vlan 2, 98-99, 201-219, 666, 2001-2019, 3001-3019
  switchport trunk allowed vlan add 3170-3173, 3175-3179, 3250-3251, 3253-3255
  spanning-tree port type edge trunk
  mtu 9216
  vpc 14

interface port-channel20
  description <<** k02-ASA-Cluster-Data **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 200,666,2001-2135,3001-3135
  spanning-tree port type normal
  vpc 20

interface port-channel21
  description <<** k02-ASA-1-Control **>>
  switchport access vlan 20
  spanning-tree port type normal
  no logging event port link-status
  no logging event port trunk-status
  vpc 21

interface port-channel22
  description <<** k02-ASA-2-Control **>>
  switchport access vlan 20
  spanning-tree port type normal
  vpc 22

interface port-channel23
  description <<** k02-ASA-3-Control **>>
  switchport access vlan 20
  spanning-tree port type normal
  vpc 23

interface port-channel24
  description <<** k02-ASA-4-Control **>>
  switchport access vlan 20
  spanning-tree port type normal
  vpc 24

interface port-channel3250
  shutdown
  switchport mode trunk
  switchport trunk allowed vlan 3250
  vpc 3250

interface Ethernet4/1
  description <<** fas_node1:e3a **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 201-219,3170
  mtu 9216
  channel-group 11 mode active
  no shutdown

interface Ethernet4/2
  description <<** fas_node2:e3a **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 201-219,3170
  mtu 9216
  channel-group 12 mode active
  no shutdown

interface Ethernet4/3
  description <<** SEA Production Management **>>
  switchport mode trunk
  switchport trunk allowed vlan 3250
  channel-group 3250 mode active
  no shutdown

interface Ethernet4/4

interface Ethernet4/5
  description <<** VPC Peer K02-ASA-1:T6 **>>
  switchport access vlan 20
  spanning-tree port type normal
  channel-group 21 mode active
  no shutdown

interface Ethernet4/6
  description <<** VPC Peer K02-ASA-2:T6 **>>
  switchport access vlan 20
  spanning-tree port type normal
  channel-group 22 mode active
  no shutdown

interface Ethernet4/7
  description <<** VPC Peer K02-ASA-3:T6 **>>
  switchport access vlan 20
  spanning-tree port type normal
  channel-group 23 mode active
  no shutdown

interface Ethernet4/8
  description <<** VPC Peer K02-ASA-4:T6 **>>
  switchport access vlan 20
  spanning-tree port type normal
  channel-group 24 mode active
  no shutdown

interface Ethernet4/9
  description <<** VPC Peer K02-ASA-1:T8 **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 200,666,2001-2135,3001-3135
  spanning-tree port type normal
  channel-group 20 mode active
  no shutdown

interface Ethernet4/10
  description <<** VPC Peer K02-ASA-2:T8 **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 200,666,2001-2135,3001-3135
  spanning-tree port type normal
  channel-group 20 mode active
  no shutdown

interface Ethernet4/11
  description <<** VPC Peer K02-ASA-3:T8 **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 200,666,2001-2135,3001-3135
  spanning-tree port type normal
  channel-group 20 mode active
  no shutdown

interface Ethernet4/12
  description <<** VPC Peer K02-ASA-4:T8 **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 200,666,2001-2135,3001-3135
  spanning-tree port type normal
  channel-group 20 mode active
  no shutdown

interface Ethernet4/17
  inherit port-profile Cloud-Services-Platforms
  description <<** k02-n1110-1:Eth1 **>>
  no shutdown

interface Ethernet4/18

interface Ethernet4/19
  inherit port-profile Cloud-Services-Platforms
  description <<** k02-n1110-2:Eth1 **>>
  no shutdown

interface Ethernet4/20

interface Ethernet4/25

interface Ethernet4/26

interface Ethernet4/27
  description <<** k02-ucs-fab-a:1/27
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,98-99,201-219,666,2001-2019,3001-3019
  switchport trunk allowed vlan add 3170-3173,3175-3179,3250-3251,3253-3255
  mtu 9216
  channel-group 13 mode active
  no shutdown

interface Ethernet4/28
  description <<** k02-ucs-fab-b:1/28 **>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,98-99,201-219,666,2001-2019,3001-3019
  switchport trunk allowed vlan add 3170-3173,3175-3179,3250-3251,3253-3255
  mtu 9216
  channel-group 14 mode active
  no shutdown

interface Ethernet4/41
  description <<** VPC Peer k02-fp-sw-b:4/41 **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 10,20,32,71,98-99,200-209,211-219
  switchport trunk allowed vlan add 300-319,400-419,666,2001-2135,3001-3135
  switchport trunk allowed vlan add 3170-3177,3250-3251,3253-3255
  channel-group 10 mode active
  no shutdown

interface Ethernet4/42

interface Ethernet4/43
  description <<** VPC Peer k02-fp-sw-b:4/43 **>>
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 10,20,32,71,98-99,200-209,211-219
  switchport trunk allowed vlan add 300-319,400-419,666,2001-2135,3001-3135
  switchport trunk allowed vlan add 3170-3177,3250-3251,3253-3255
  channel-group 10 mode active
  no shutdown

interface Ethernet4/44
  description <<** IB-Mgmt:mgmt-sw **>>
  switchport access vlan 3175
  channel-group 9 mode active
  no shutdown

interface Ethernet4/45
  description eth 4/45 to r9-5548-b eth 1/17
  switchport mode trunk
  switchport trunk allowed vlan 666
  no shutdown

interface Ethernet4/46

interface Ethernet4/47
  switchport mode trunk
  switchport monitor
  channel-group 8
  no shutdown

interface Ethernet4/48
  switchport mode trunk
  switchport monitor
  channel-group 8
  no shutdown

interface mgmt0
  ip address 172.26.164.182/24
logging monitor 6
line vty
ip radius source-interface mgmt0
monitor session 1 type erspan-source
  erspan-id 1
  vrf default
  destination ip 172.26.164.167
  source interface port-channel20 both
monitor session 2
  description SPAN ASA Data Traffic from Po20
  source interface port-channel20 rx
  destination interface port-channel8
  no shut
monitor session 3 type erspan-source
  erspan-id 3
  vrf default
  destination ip 172.26.164.167
  source vlan 2001 both

Nexus 1Kv

!Command: show running-config
!Time: Tue Feb 18 14:37:46 2014

version 4.2(1)SV2(2.1a)
svs switch edition advanced

no feature telnet
feature private-vlan
feature netflow
feature cts
feature segmentation
segment mode unicast-only
segment distribution mac
feature vtracker

logging level radius 6
username admin password 5 <removed> role network-admin

banner motd #Nexus 1000v Switch#

ssh key rsa 2048
ip domain-lookup
ip domain-name corp.sea9.com
ip domain-name corp.sea9.com use-vrf management
ip name-server 172.26.164.190 use-vrf management
ip host sea-vsm1 172.26.164.186
radius-server key 7 <removed>
ip radius source-interface mgmt0
radius-server host 172.26.164.187 key 7 <removed> authentication accounting
radius-server host 172.26.164.239 key 7 <removed> authentication accounting
aaa group server radius aaa-private-sg
aaa group server radius ISE-Radius-Grp
  server 172.26.164.187
  server 172.26.164.239
  use-vrf management
  source-interface mgmt0
hostname sea-vsm1
errdisable recovery cause failed-port-state
vem 3
  host id 6bd69d26-eeff-8f4d-9127-9d3eccad32d7
vem 4
  host id e1166bcf-4fc8-b34b-bdcc-2f1ded6bb532
vem 9
  host id fb302753-a797-e146-a7cc-6e21df2debc1
vem 10
  host id 7836efbb-6907-2144-b5e5-4e5d009bb234
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server community private group network-admin
ntp server 172.26.164.254 use-vrf management
ntp source 172.26.164.186
aaa authentication login default group ISE-Radius-Grp
aaa authentication cts default group ISE-Radius-Grp
aaa authorization cts default group ISE-Radius-Grp
aaa accounting default group ISE-Radius-Grp
no aaa user default-role
aaa authentication login error-enable

vrf context management
  ip route 0.0.0.0/0 172.26.164.1
flow exporter sea-lancope-fc1
  description <<** SEA Lancope Flow Collector **>>
  destination 172.26.164.240 use-vrf management
  transport udp 2055
  source mgmt0
  version 9
    option exporter-stats timeout 300
    option interface-table timeout 300
flow monitor sea-enclaves
  record netflow-original
  exporter sea-lancope-fc1
  timeout inactive 15
  timeout active 60
vlan 1-2,98-99,666,3170-3173,3175-3177,3250
vlan 2
  name Native-VLAN
vlan 98
  name ServiceHAVlan
vlan 99
  name ServiceVlan
vlan 666
  name WAN-on7k
vlan 3170
  name NFS-VLAN
vlan 3171
  name core-services-primary
  private-vlan primary
  private-vlan association 3172
vlan 3172
  name core-services-isolated
  private-vlan isolated
vlan 3173
  name vMotion-VLAN
vlan 3175
  name IB-MGMT-VLAN
vlan 3177
  name VXLAN_Encapsulation
vlan 3250
  name prod-ib-mgmt

port-channel load-balance ethernet source-dest-ip-port-vlan
port-profile default max-ports 32
port-profile default port-binding static
port-profile type ethernet Unused_Or_Quarantine_Uplink
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type ethernet system-uplink
  vmware port-group
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 98-99,666,3170-3173,3175-3179,3250
  system mtu 9000
  channel-group auto mode on mac-pinning
  no shutdown
  system vlan 3170,3173,3175-3176,3250
  state enabled
port-profile type vethernet NFS-VLAN
  vmware port-group
  switchport mode access
  switchport access vlan 3170
  no shutdown
  system vlan 3170
  state enabled
port-profile type vethernet IB-MGMT-VLAN
  vmware port-group
  switchport mode access
  switchport access vlan 3175
  no shutdown
  system vlan 3175
  state enabled
port-profile type vethernet vMotion-VLAN
  vmware port-group
  switchport mode access
  switchport access vlan 3173
  no shutdown
  system vlan 3173
  state enabled
port-profile type vethernet VM-Trafic-VLAN
  vmware port-group
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet n1kv-L3
  capability l3control
  vmware port-group
  switchport mode access
  switchport access vlan 3175
  no shutdown
  system vlan 3175
  state enabled
port-profile type vethernet WAN-on7k
  vmware port-group
  switchport mode access
  switchport access vlan 666
  no shutdown
  system vlan 666
  state enabled
port-profile type vethernet VXLAN_Encapsulation
  vmware port-group
  switchport mode access
  switchport access vlan 3177
  capability vxlan
  no shutdown
  state enabled
port-profile type vethernet HA-Srvc
  vmware port-group
  switchport mode access
  switchport access vlan 98
  no shutdown
  state enabled
port-profile type vethernet vPath-Srvc
  vmware port-group
  switchport mode access
  switchport access vlan 99
  no shutdown
  state enabled
port-profile type vethernet PROD-IB-MGMT
  vmware port-group
  switchport mode access
  switchport access vlan 3250
  no shutdown
  system vlan 3250
  state enabled
port-profile type vethernet core_services
  vmware port-group
  switchport mode private-vlan promiscuous
  switchport access vlan 3171
  switchport private-vlan mapping 3171 3172
  ip flow monitor sea-enclaves input
  no shutdown
  state enabled

system storage-loss log time 30
vdc sea-vsm1 id 1
  limit-resource vlan minimum 16 maximum 2049
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 1 maximum 1
  limit-resource u6route-mem minimum 1 maximum 1
cts device tracking
cts interface delete-hold 60
cts sxp enable
cts sxp default password 7 <removed>
cts sxp default source-ip 172.26.164.186
cts sxp connection peer 172.26.164.217 password default mode listener vrf management
cts sxp connection peer 172.26.164.218 password default mode listener vrf management

interface port-channel1
  inherit port-profile system-uplink
  vem 3
  mtu 9000

interface port-channel2
  inherit port-profile system-uplink
  vem 4
  mtu 9000

interface port-channel7
  inherit port-profile system-uplink
  vem 9
  mtu 9000

interface port-channel8
  inherit port-profile system-uplink
  vem 10
  mtu 9000

interface mgmt0
  ip address 172.26.164.186/24

interface Vethernet1
  inherit port-profile core_services
  description sea-cs1, Network Adapter 1
  vmware dvport 897 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.7F79

interface Vethernet2
  inherit port-profile PROD-IB-MGMT
  description VMware VMkernel, vmk5
  vmware dvport 866 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5664.103F

interface Vethernet3
  inherit port-profile PROD-IB-MGMT
  description VMware VMkernel, vmk5
  vmware dvport 867 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5665.A497

interface Vethernet4
  inherit port-profile IB-MGMT-VLAN
  description sea-cs1, Network Adapter 2
  vmware dvport 78 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.34A7

interface Vethernet5
  inherit port-profile IB-MGMT-VLAN
  description win2kr2-enterprise, Network Adapter 1
  vmware dvport 79 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.7F34

interface Vethernet6
  inherit port-profile core_services
  description sea-ad1, Network Adapter 3
  vmware dvport 898 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.0ED1

interface Vethernet7
  inherit port-profile IB-MGMT-VLAN
  description sea-ad1, Network Adapter 1
  vmware dvport 64 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 000C.29E6.37E9

interface Vethernet8
  inherit port-profile IB-MGMT-VLAN
  description sea-sql1, Network Adapter 1
  vmware dvport 65 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 000C.29B6.1C11

interface Vethernet9
  inherit port-profile IB-MGMT-VLAN
  description sea-vc1, Network Adapter 1
  vmware dvport 66 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 000C.2997.C690

interface Vethernet10
  inherit port-profile IB-MGMT-VLAN
  description sea-csm1, Network Adapter 1
  vmware dvport 67 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 000C.292E.9471

interface Vethernet11
  inherit port-profile VM-Trafic-VLAN
  description W2K8R2X64GPT-VM, Network Adapter 1
  vmware dvport 130 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.6D3E

interface Vethernet12
  inherit port-profile IB-MGMT-VLAN
  description sea-ise1, Network Adapter 1
  vmware dvport 69 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.6C4D

interface Vethernet13
  inherit port-profile IB-MGMT-VLAN
  description sea-n1kvsg-1, Network Adapter 2
  vmware dvport 75 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.6EE4

interface Vethernet14
  inherit port-profile IB-MGMT-VLAN
  description sea-vsc-oc, Network Adapter 1
  vmware dvport 70 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.050E

interface Vethernet15
  inherit port-profile PROD-IB-MGMT
  description sea-pnsc1, Network Adapter 1
  vmware dvport 871 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.75AA

interface Vethernet16
  inherit port-profile IB-MGMT-VLAN
  description sea-ocb, Network Adapter 1
  vmware dvport 72 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.738B

interface Vethernet17
  inherit port-profile IB-MGMT-VLAN
  description sea-ocb-proxy, Network Adapter 1
  vmware dvport 73 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.04A8

interface Vethernet18
  inherit port-profile HA-Srvc
  description sea-n1kvsg-1, Network Adapter 3
  vmware dvport 416 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.704E

interface Vethernet19
  inherit port-profile IB-MGMT-VLAN
  description sea-lancope-fc1, Network Adapter 1
  vmware dvport 74 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.1DB3

interface Vethernet20
  inherit port-profile IB-MGMT-VLAN
  description sea-ise2, Network Adapter 1
  vmware dvport 76 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.314E

interface Vethernet21
  inherit port-profile IB-MGMT-VLAN
  description sea-splunk1, Network Adapter 1
  vmware dvport 77 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.2DC7

interface Vethernet22
  inherit port-profile n1kv-L3
  description VMware VMkernel, vmk0
  vmware dvport 167 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 5478.1A87.1BA6

interface Vethernet23
  inherit port-profile PROD-IB-MGMT
  description sea-lancope-fc2, Network Adapter 1
  vmware dvport 868 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.5E02

interface Vethernet24
  inherit port-profile core_services
  description sea-app1, Network Adapter 1
  vmware dvport 899 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.18DB

interface Vethernet25
  inherit port-profile core_services
  description sea-client1, Network Adapter 1
  vmware dvport 900 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.55C6

interface Vethernet26
  inherit port-profile IB-MGMT-VLAN
  description sea-inet1, Network Adapter 1
  vmware dvport 85 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.3807

interface Vethernet27
  inherit port-profile IB-MGMT-VLAN
  description app-1, Network Adapter 1
  vmware dvport 82 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.74F1

interface Vethernet28
  inherit port-profile IB-MGMT-VLAN
  description sea-lancope-smc1, Network Adapter 1
  vmware dvport 80 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.4F2A

interface Vethernet29
  inherit port-profile vPath-Srvc
  description sea-n1kvsg-1, Network Adapter 1
  vmware dvport 448 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.6DDC

interface Vethernet30
  inherit port-profile IB-MGMT-VLAN
  description sea-n1kvsg-2, Network Adapter 2
  vmware dvport 81 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.683C

interface Vethernet31
  inherit port-profile HA-Srvc
  description sea-n1kvsg-2, Network Adapter 3
  vmware dvport 417 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.16CF

interface Vethernet32
  inherit port-profile vPath-Srvc
  description sea-n1kvsg-2, Network Adapter 1
  vmware dvport 449 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.4E1C

interface Vethernet33
  inherit port-profile core_services
  description sea-splunk1, Network Adapter 2
  vmware dvport 896 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.15C8

interface Vethernet34
  inherit port-profile IB-MGMT-VLAN
  description sea-SpirentATC1, Network Adapter 1
  vmware dvport 83 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.1EEA

interface Vethernet35
  inherit port-profile WAN-on7k
  description sea-SpirentATC1, Network Adapter 2
  vmware dvport 514 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.5E1F

interface Vethernet36
  inherit port-profile IB-MGMT-VLAN
  description CUCSD-4.1.0.0, Network Adapter 1
  vmware dvport 84 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.6F90

interface Vethernet37
  inherit port-profile IB-MGMT-VLAN
  description sea-lancope-fc2, Network Adapter 2
  vmware dvport 88 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.5E26

interface Vethernet38
  inherit port-profile IB-MGMT-VLAN
  description sea-ucsd-BMA, Network Adapter 1
  vmware dvport 86 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.0975

interface Vethernet39
  inherit port-profile IB-MGMT-VLAN
  description sea-SpirentClient, Network Adapter 1
  vmware dvport 87 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.63FF

interface Vethernet40
  inherit port-profile PROD-IB-MGMT
  description sea-SpirentClient, Network Adapter 2
  vmware dvport 869 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.4AEB

interface Vethernet41
  inherit port-profile IB-MGMT-VLAN
  description sea-ocum, Network Adapter 1
  vmware dvport 89 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.0C5B

interface Vethernet42
  inherit port-profile n1kv-L3
  description VMware VMkernel, vmk0
  vmware dvport 160 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac A80C.0DDC.65D3

interface Vethernet43
  inherit port-profile n1kv-L3
  description VMware VMkernel, vmk0
  vmware dvport 161 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac A80C.0DDC.7609

interface Vethernet44
  inherit port-profile NFS-VLAN
  description VMware VMkernel, vmk1
  vmware dvport 32 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5662.BE8C

interface Vethernet45
  inherit port-profile vMotion-VLAN
  description VMware VMkernel, vmk2
  vmware dvport 100 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5661.361E

interface Vethernet46
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk3
  vmware dvport 288 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5661.12D9

interface Vethernet47
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk4
  vmware dvport 289 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5660.B6DD

interface Vethernet48
  inherit port-profile NFS-VLAN
  description VMware VMkernel, vmk1
  vmware dvport 33 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.566D.DE42

interface Vethernet49
  inherit port-profile vMotion-VLAN
  description VMware VMkernel, vmk2
  vmware dvport 101 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.566D.098D

interface Vethernet50
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk3
  vmware dvport 290 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5665.FEFC

interface Vethernet51
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk4
  vmware dvport 291 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5663.370B

interface Vethernet52
  inherit port-profile n1kv-L3
  description VMware VMkernel, vmk0
  vmware dvport 169 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 5478.1A87.31D7

interface Vethernet53
  inherit port-profile NFS-VLAN
  description VMware VMkernel, vmk1
  vmware dvport 34 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5669.F2F9

interface Vethernet54
  inherit port-profile vMotion-VLAN
  description VMware VMkernel, vmk2
  vmware dvport 102 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5662.7871

interface Vethernet55
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk3
  vmware dvport 292 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.566F.A14D

interface Vethernet56
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk4
  vmware dvport 293 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5663.2EE7

interface Vethernet57
  inherit port-profile NFS-VLAN
  description VMware VMkernel, vmk1
  vmware dvport 35 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5666.5098

interface Vethernet58
  inherit port-profile vMotion-VLAN
  description VMware VMkernel, vmk2
  vmware dvport 103 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.5666.03F8

interface Vethernet59
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk3
  vmware dvport 294 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.566B.4BC1

interface Vethernet60
  inherit port-profile VXLAN_Encapsulation
  description VMware VMkernel, vmk4
  vmware dvport 295 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.566E.41A8

interface Vethernet61
  inherit port-profile PROD-IB-MGMT
  description sea-vc1, Network Adapter 2
  vmware dvport 865 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.6ED1

interface Vethernet62
  inherit port-profile PROD-IB-MGMT
  description sea-ad1, Network Adapter 2
  vmware dvport 864 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.1CEF

interface Vethernet63
  inherit port-profile PROD-IB-MGMT
  description sea-cs1, Network Adapter 3
  vmware dvport 870 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.26AA

interface Vethernet64
  inherit port-profile PROD-IB-MGMT
  description sea-vpxmgr, Network Adapter 2
  vmware dvport 872 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.51BA

interface Vethernet65
  inherit port-profile core_services
  description sea-vpxmgr, Network Adapter 1
  vmware dvport 901 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.5AAB

interface Vethernet66
  inherit port-profile IB-MGMT-VLAN
  description sea-vpxmgr, Network Adapter 3
  vmware dvport 71 dvswitch uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24"
  vmware vm mac 0050.56AD.1566

interface Ethernet3/5
  inherit port-profile system-uplink

interface Ethernet4/5
  inherit port-profile system-uplink

interface Ethernet9/5
  inherit port-profile system-uplink

interface Ethernet10/5
  inherit port-profile system-uplink

interface control0
  ip address 192.168.250.186/24
clock timezone EST -5 0
line console
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.1a.bin sup-1
boot system bootflash:/nexus-1000v.4.2.1.SV2.2.1a.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.1a.bin sup-2
boot system bootflash:/nexus-1000v.4.2.1.SV2.2.1a.bin sup-2
ip route 10.71.1.182/32 172.26.164.218
ip route 10.71.1.183/32 172.26.164.217
monitor session 1 type erspan-source
  source interface Vethernet19 tx
  destination ip 172.26.164.167
  erspan-id 1
  ip ttl 64
  ip prec 0
  ip dscp 0
  mtu 1500
  header-type 2
monitor session 2 type erspan-source
  destination ip 172.26.164.167
  erspan-id 2
  ip ttl 64
  ip prec 0
  ip dscp 0
  mtu 1500
  header-type 2
  no shut
svs-domain
  domain id 101
  control vlan 3176
  packet vlan 3176
  svs mode L3 interface mgmt0
svs connection vCenter
  protocol vmware-vim
  remote ip address 172.26.164.200 port 80
  vmware dvs uuid "ba 86 2d 50 14 7b 59 7a-59 b7 87 d2 f3 59 d8 24" datacenter-name FlexPod_DC_1
  max-ports 8192
  connect
vservice global type vsg
  tcp state-checks invalid-ack
  tcp state-checks seq-past-window
  no tcp state-checks window-variation
  no bypass asa-traffic
vservice node sea-vsg1 type vsg
  ip address 172.26.164.168
  adjacency l2 vlan 99
  fail-mode close
vnm-policy-agent
  registration-ip 192.168.250.250
  shared-secret **********
  policy-agent-image bootflash:/vnmc-vsmpa.2.1.1b.bin
  log-level info

sea-vsm1#

Appendix C—About the Cisco Validated Design Program

The CVD program consists of systems and solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information, visit http://www.cisco.com/go/designzone.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
