Cisco IPS 4520 Sensor White Paper
10
Firewall
August 2012 Series
Reader Tip

This procedure assumes that the distribution switch has already been configured following the guidance in the Cisco SBA—Borderless Networks LAN Deployment Guide. Only the procedures required to support the integration of the firewall into the deployment are included in this guide.
Step 1: Configure the Internet edge VLAN on the LAN distribution switch.

```
vlan 300
 name InternetEdge
!
```
Step 2: Configure Layer 3.

Configure a switched virtual interface (SVI) so devices in the VLAN can communicate with the rest of the network.

```
interface vlan 300
 description Internet Edge SVI
 ip address 10.4.24.1 255.255.255.224
 no shutdown
```
Step 3: Configure the interfaces that are connected to the Internet edge firewall.

An 802.1Q trunk is used for the connection to the Internet edge firewall, which allows the distribution switch to provide the Layer 3 services to all the VLANs defined on the firewall. The VLANs allowed on the trunk are pruned to only the VLANs that are active on the firewall.

```
interface GigabitEthernet1/0/24
 description IE-ASA5545a Gig0/0
!
interface GigabitEthernet2/0/24
 description IE-ASA5545b Gig0/0
!
interface range GigabitEthernet1/0/24, GigabitEthernet2/0/24
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300
 switchport mode trunk
 spanning-tree portfast trunk
 macro apply EgressQoS
 logging event link-status
 logging event trunk-status
 no shutdown
```
The Cisco Catalyst 6500 uses the command `spanning-tree portfast edge trunk` to enable portfast on a trunk port. The Catalyst 4500 does not require the `switchport trunk encapsulation dot1q` command.
Step 4: Summarize the Internet edge network range towards the core.

Summarization of routes only applies to networks that use separate distribution and core layers. If your network has a collapsed core and distribution, proceed to the next step.

```
interface range TenGigabitEthernet1/1/1, TenGigabitEthernet2/1/1
 ip summary-address eigrp 100 10.4.24.0 255.255.248.0
```
Step 5: Configure the routing protocol to form neighbor relationships on the Internet edge VLAN.

```
router eigrp 100
 no passive-interface Vlan300
```
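The following audit script is an added example and is not part of the Cisco SBA guide. It parses an IOS-style configuration like the one built in Steps 2 to 4 and checks the two points the procedure stresses: every trunk towards the firewall carries an explicit `switchport trunk allowed vlan` list rather than the IOS default of all VLANs, and the Internet edge SVI subnet sits inside the EIGRP summary advertised towards the core. The sample configuration is constructed for the example, with the second trunk deliberately left unpruned.

```python
import ipaddress
import re

# Constructed sample mirroring Steps 2 to 4; the second trunk deliberately lacks pruning.
SAMPLE_CONFIG = """\
interface Vlan300
 description Internet Edge SVI
 ip address 10.4.24.1 255.255.255.224
!
interface GigabitEthernet1/0/24
 description IE-ASA5545a Gig0/0
 switchport mode trunk
 switchport trunk allowed vlan 300
!
interface GigabitEthernet2/0/24
 description IE-ASA5545b Gig0/0
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 ip summary-address eigrp 100 10.4.24.0 255.255.248.0
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented command lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # '!' or a non-interface stanza ends the block
    return sections

def unpruned_trunks(sections):
    """Trunk ports with no explicit allowed-VLAN list (IOS default: all VLANs)."""
    return sorted(name for name, cmds in sections.items()
                  if "switchport mode trunk" in cmds
                  and not any(c.startswith("switchport trunk allowed vlan") for c in cmds))

def svi_covered_by_summary(sections, svi="Vlan300"):
    """True if the SVI subnet lies inside every EIGRP summary configured on the uplinks."""
    m = re.search(r"ip address (\S+) (\S+)", "\n".join(sections[svi]))
    svi_net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    summaries = [ipaddress.ip_network(f"{s.group(1)}/{s.group(2)}")
                 for cmds in sections.values() for c in cmds
                 if (s := re.match(r"ip summary-address eigrp \d+ (\S+) (\S+)", c))]
    return bool(summaries) and all(svi_net.subnet_of(n) for n in summaries)
```

Run against a saved `show running-config` to list trunks that still allow every VLAN and to confirm the 10.4.24.0/27 SVI is covered by the 10.4.24.0/21 summary.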
Procedure 2: Apply Cisco ASA initial configuration

This procedure configures connectivity to the appliance from the internal network in order to enable management access.
Step 1: Configure the appliance host name.

```
hostname IE-ASA5545
```
Step 2: Configure the appliance interface that is connected to the internal LAN distribution switch as a subinterface on VLAN 300. The interface is configured as a VLAN trunk port in order to allow flexibility to add additional connectivity.

```
interface GigabitEthernet0/0
 no shutdown
```