Cisco IPS 4520 Sensor White Paper
Firewall
August 2012 Series
Step 16: Configure the interface that is connected to the ISP router.

  interface GigabitEthernet1/0/23
   description ISP-A
   switchport access vlan 16
   switchport host
   no cdp enable
Step 17: Configure the interfaces that connect to the appliances.

  interface GigabitEthernet1/0/24
   description IE-ASA5545a Gig0/3
  !
  interface GigabitEthernet2/0/24
   description IE-ASA5545b Gig0/3
  !
  interface range GigabitEthernet1/0/24, GigabitEthernet2/0/24
   switchport trunk allowed vlan 16
   switchport mode trunk
   spanning-tree portfast trunk
   macro apply EgressQoS
   logging event link-status
   logging event trunk-status
   no shutdown
Step 18: Configure the switch with an IP address so that it can be managed via out-of-band connectivity.

  interface FastEthernet0
   description to DMZ-3750X Gig1/0/17
   ip address 192.168.23.6 255.255.255.0
   no shutdown
Step 19: Configure the appliance as the DMZ switch's default route.

  ip default-gateway 192.168.23.1
Step 20: On the DMZ switch, configure the interface connected to the outside switch to be in the management DMZ.

  interface GigabitEthernet1/0/17
   description OUT-2960Sa Fas0
  !
  interface GigabitEthernet2/0/17
   description OUT-2960Sb Fas0
  !
  interface range GigabitEthernet1/0/17, GigabitEthernet2/0/17
   switchport access vlan 1123
   switchport host
   no shutdown
Step 21: On the outside switch, configure BPDU Guard globally to protect portfast-enabled interfaces.

  spanning-tree portfast bpduguard default

If you are using a single ISP, you can skip to the next procedure.
Dual ISP design
Step 22: On the outside switch, add the VLAN for the backup ISP.

  vlan 17
   name ISP-B
Step 23: Configure the interface that connects to the ISP router.

  interface GigabitEthernet2/0/23
   description ISP-B
   switchport access vlan 17
   switchport host
   no cdp enable
Step 24: Configure the interfaces that connect to the appliances.

  interface range GigabitEthernet1/0/24, GigabitEthernet2/0/24
   switchport trunk allowed vlan add 17
   no shutdown
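As an added check that is not part of the guide, the following Python script audits a running-config export of the outside switch against the hardening applied in Steps 16 through 24: ISP-facing ports in access mode with PortFast (the form `switchport host` expands to in the running-config) and CDP disabled, appliance trunks limited to an explicit allowed-VLAN list, and BPDU Guard enabled globally. The sample running-config is constructed to mirror the commands above, with two deliberate drift defects so the audit has something to report.

```python
# Constructed sample running-config (not from the guide): one compliant ISP
# port, one that lost `no cdp enable`, and a trunk that allows every VLAN.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/23
 description ISP-A
 switchport access vlan 16
 switchport mode access
 spanning-tree portfast
 no cdp enable
!
interface GigabitEthernet2/0/23
 description ISP-B
 switchport access vlan 17
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/0/24
 description IE-ASA5545b Gig0/3
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza name to its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit(config):
    """Return findings as strings; an empty list means the config complies."""
    findings = []
    if "spanning-tree portfast bpduguard default" not in config.splitlines():
        findings.append("global: 'spanning-tree portfast bpduguard default' missing")
    for name, lines in parse_interfaces(config).items():
        if any(c.startswith("description ISP") for c in lines):
            findings += [f"{name}: missing '{r}'" for r in
                         ("switchport mode access", "spanning-tree portfast",
                          "no cdp enable") if r not in lines]
        if "switchport mode trunk" in lines and not any(
                c.startswith("switchport trunk allowed vlan") for c in lines):
            findings.append(f"{name}: trunk allows every VLAN")
    return findings
```

Run `audit()` over the output of `show running-config` to catch configuration drift on the ISP-facing edge before it becomes a spanning-tree or VLAN-hopping exposure.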