Cisco IPS 4360 Sensor White Paper
18
Firewall
August 2012 Series
Step 15: Configure the management VLAN and set the DMZ switch to be the spanning tree root for the management VLAN.
  vlan 1123
   name dmz-mgmt
  spanning-tree vlan 1-4094 root primary
Step 16: Configure the interfaces that connect to the Cisco ASA firewalls.
  interface GigabitEthernet1/0/24
   description IE-ASA5545a Gig0/1
  !
  interface GigabitEthernet2/0/24
   description IE-ASA5545b Gig0/1
  !
  interface range GigabitEthernet1/0/24, GigabitEthernet2/0/24
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 1123
   switchport mode trunk
   spanning-tree portfast trunk
   macro apply EgressQoS
   logging event link-status
   logging event trunk-status
   no shutdown
Step 17: Configure the switch with an IP address so that it can be managed via in-band connectivity.
  interface Vlan1123
   description In-band management
   ip address 192.168.23.5 255.255.255.0
   no shutdown
Step 18: Configure the appliance as the DMZ switch's default route.
  ip default-gateway 192.168.23.1
Step 19: Configure bridge protocol data unit (BPDU) Guard globally to protect portfast-enabled interfaces.
  spanning-tree portfast bpduguard default
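As an added example that is not part of the guide, the following Python audit reads a switch configuration in running-config form and checks the two settings Steps 16 and 19 depend on: that every trunk facing the firewalls is pruned to the management VLAN alone and has portfast enabled, and that BPDU Guard is switched on globally. The sample configuration is constructed for the example and deliberately leaves the pruning line off the second port.

```python
# Constructed sample in running-config form, modelled on Steps 15, 16 and 19;
# GigabitEthernet2/0/24 deliberately lacks the VLAN pruning line (not a real device).
SAMPLE_CONFIG = """\
vlan 1123
 name dmz-mgmt
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 1123
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet2/0/24
 switchport mode trunk
 spanning-tree portfast trunk
"""

def parse_config(text):
    """Split an IOS-style config into top-level commands and per-interface command lists."""
    top_level, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.strip():
            current = None  # any other line ends the interface block
            top_level.append(line.strip())
    return top_level, interfaces

def audit_dmz_switch(text, mgmt_vlan):
    """Return findings where the config departs from the guide; [] means compliant."""
    top_level, interfaces = parse_config(text)
    findings = []
    if "spanning-tree portfast bpduguard default" not in top_level:
        findings.append("global: BPDU Guard is not enabled for portfast ports (Step 19)")
    for name, cmds in interfaces.items():
        if "switchport mode trunk" not in cmds:
            continue  # only the firewall-facing trunks are in scope
        allowed = [c for c in cmds if c.startswith("switchport trunk allowed vlan ")]
        # A trunk with no allowed-vlan list carries every VLAN, not just the management VLAN
        if not allowed or allowed[-1].split()[-1] != str(mgmt_vlan):
            findings.append(f"{name}: trunk not restricted to VLAN {mgmt_vlan} (Step 16)")
        if "spanning-tree portfast trunk" not in cmds:
            findings.append(f"{name}: portfast trunk missing, BPDU Guard will not engage (Step 16)")
    return findings

if __name__ == "__main__":
    for finding in audit_dmz_switch(SAMPLE_CONFIG, 1123):
        print(finding)
```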
Procedure 2
Configure the demilitarized zone interface
Step 1: Connect to Cisco Adaptive Security Device Manager (ASDM) by navigating to https://ie-asa5545.cisco.local/admin, and then logging in with your username and password.
Step 2: Navigate to Configuration > Device Setup > Interfaces.
Step 3: Select the interface that is connected to the DMZ switch, and then click Edit (Example: GigabitEthernet0/1). The Edit Interface dialog box appears.
Step 4: Select Enable Interface, and then click OK.
Step 5: In the Interface pane, click Add and choose Interface. The Add Interface dialog box appears.
Step 6: In the Add Interface window, in the Hardware Port list, select the interface configured in Step 3. (Example: GigabitEthernet0/1)
Step 7: In the VLAN ID box, enter the VLAN number for the DMZ VLAN. (Example: 1123)
Step 8: In the Subinterface ID box, enter the VLAN number for the DMZ VLAN. (Example: 1123)
Step 9: Enter an Interface Name. (Example: dmz-management)
Step 10: In the Security Level box, enter a value of 50.
Step 11: Enter the interface IP Address. (Example: 192.168.23.1)