
Cisco and Microsoft E-Commerce Framework Architecture

Topics on this Page

  • Overview
  • Introduction
  • E-Commerce Network Building Blocks
  • E-Commerce Architectures
  • Cisco and Microsoft E-Commerce Lab Implementation
  • Configuration Recommendations
  • E-Commerce Lab Environment
  • E-Commerce Lab Test Results
  • Conclusion
  • Acronym Glossary
  • Appendix – Cisco Configuration
  • Appendix – Microsoft References

Overview

Objective

To compete in today's Internet Economy, companies must provide e-commerce sites that are highly available, scalable, and secure. These sites must also be deployed quickly, which is no easy task. These are the challenges faced by businesses today in deploying their e-commerce architectures.

To address these challenges, Cisco Systems and Microsoft Corporation have teamed up to create this E-Commerce Framework Architecture. The architecture provides customers an end-to-end solution for the development and deployment of their e-commerce sites. The architecture was fully tested in a joint lab and focuses on delivering the three key requirements for an e-commerce site: high availability, scalability, and security.

The goal of this document is to communicate best practices and test results achieved by Cisco and Microsoft engineers in the collaboration effort. The document shares network configuration recommendations and test results using available Microsoft and Cisco products. The intent of this document is for customers to use this information to replicate and facilitate their own e-commerce deployment efforts.

Audience

This document is intended for technical readers, including network managers, e-commerce architects, Web developers, and application developers.

The Solution

A successful e-commerce architecture requires a merged approach combining expertise from both the network and application development camps. Experience has proven that keeping network operations and application development as separate disciplines does not work. Too often, the network architecture deployed has not been designed to maximize the value of the applications. This results in slow response times or system downtime that may directly result in lost sales, lost profits, and lost customers.

Cisco and Microsoft have teamed together to define a framework architecture for building e-commerce sites that combines the best practices from the worlds of network operations and application development into a single solution. The E-Commerce Framework Architecture takes an end-to-end approach to developing an e-commerce site. This document:

  • Provides an overview of high availability, scalability and security service requirements
  • Details the base components, system configuration, and hardware platform used in the architecture
  • Recommends network configuration designs and explains single- and multisite e-commerce architectures
  • Documents laboratory test results

Test Environment

The scope of the joint Cisco and Microsoft collaboration effort was to design an e-commerce framework that was highly available, scalable, and secure, and test it in a lab environment. Technical engineers from both companies, who have helped build and deploy successful e-commerce sites, collaborated on the best ways to combine each company's products to achieve the optimal benefits from an e-commerce site.

The engineers used Duwamish Books (see Appendix – Microsoft References for further information), a sample Microsoft sales and inventory application, to test design concepts and deployed it over a Cisco network architecture. Duwamish Books represents a fictional company that sells its books via an e-commerce site. The Duwamish Books e-commerce site was scaled to simulate thousands of concurrent users.

The entire network configuration was tested on shipping Cisco and Microsoft products. The Cisco products tested included:

  • Cisco DistributedDirector
  • Cisco IOS®-Powered Edge Router
  • Cisco Cache Engine
  • Cisco Catalyst® Multilayer Switch
  • Cisco LocalDirector
  • Cisco Secure PIX™ Firewall

The Microsoft products tested included:

  • Microsoft Windows® 2000 Advanced Server
  • Microsoft Internet Information Services 5.0
  • Microsoft SQL Server™ 7.0

The architecture hardware platform consisted of Compaq ProLiant servers on the front-end and back-end network. Compaq DeskPro PCs were used as test machines. The Compaq servers and PCs included Intel Pentium 500MHz processors.

Results

The E-commerce Framework Architecture laboratory focused on tests targeted specifically at high availability, scalability, and security. Test results were within Cisco and Microsoft service requirements in all areas. Not only did the architecture scale as new hardware was added, but it remained secure and resilient during the battery of tests conducted. This document contains a complete review of the test results.

Conclusion

The E-Commerce Framework Architecture assists customers in expediting their e-business deployment efforts while reducing network and configuration design time. This paper documents for customers the collaborative work of Microsoft and Cisco Systems to integrate and design a highly available, scalable, and secure Internet site combining the technologies and products of both companies. Customers may benefit from this joint learning and best practices of this endeavor.

The E-Commerce Framework Architecture is based on real world customer examples and has been validated in a laboratory environment. The configuration test results are included in the document. The work detailed in this document provides a solid framework for Web site design and, as new technologies and products emerge, the best practices referenced in this document remain sound guidance for designing a powerful e-commerce solution.

As Internet industry leaders, Microsoft and Cisco have extensive experience in building e-commerce infrastructures. Both companies will continue working together to address future e-business and customer requirements.

Introduction

To create the Cisco and Microsoft E-Commerce Framework Architecture, four main criteria were used to provide direction for the design chosen. Design considerations included:

  • Representation of baseline design which can be customized as required
  • Ease of replication and deployment by customers and partners
  • Use of proven products and services from both Cisco and Microsoft
  • Leveraging of e-commerce experiences of Cisco and Microsoft

It was important to provide a baseline solution that could be easily understood and replicated by customers, as well as the Cisco and Microsoft partners and integrators. The products and services that are featured in this e-commerce infrastructure comprise proven products that are readily available and tested, and reference new products that were not available during the testing stage. Although both Cisco and Microsoft constantly release new products, building the baseline design using products and services with a customer-proven track record minimizes risk. The baseline design can readily be upgraded with new technology offerings as they become available. Finally, both Cisco and Microsoft have vast experience in e-commerce design and deployments. The e-commerce infrastructure presented here represents a combination of the best practices from both partners.

E-Commerce Service Requirements

To deploy a successful e-commerce implementation, you must address three key characteristics: high availability, scalability, and security. A solid e-commerce solution can only be achieved through an architecture that meets these requirements across the network, Web applications, database, and server operating system.


Figure 1 E-Commerce Service Requirements

High Availability

High availability is the ability to provide continuous access to e-commerce services for your customers. To deliver these e-commerce services successfully, high availability must be maximized across all layers of an infrastructure, including session and service availability. Session availability is the ability of the infrastructure to maintain the state of a network session in the event of a failure. Service availability is the ongoing ability of users to connect to an e-commerce service in the event of a failure.

A highly available e-commerce infrastructure begins with the right network design. The right network design ensures that failures do not impact the high availability of the overall system. Designing for high availability includes the elimination of any single point of failure by providing redundant network devices and network paths. Then, in the event of a failure, the network must be able to respond quickly by routing around the failed device. In addition, wherever necessary, devices need to provide stateful failover to a standby unit. This ensures that certain application sessions, such as commerce transactions, do not time out and cause user sessions to be lost.

For additional levels of high availability, you can build a geographically remote site that offers e-commerce services and acts as a backup, taking advantage of geographic load balancing. These solutions vary depending on how much transaction processing is desired at the remote location.

High availability can also be achieved at the operating system, system services, and application code layers through a mixture of server redundancy and failover. Within an e-commerce site, server redundancy means that multiple servers are available to process a request. For example, a Web page could be served from any one of the multiple Web servers in the farm. The concept of failover is that a feature is implemented via a specific process; if that process fails then an alternate process automatically steps in and takes over. For example, a database server implements failover to another database server.

Scalability

One of the most common mistakes e-commerce sites make is to underestimate their scaling requirements. This is because scalability is often associated only with performance enhancements such as increased CPU speed, increased network bandwidth, and so forth. However, support for a large number of simultaneous user sessions and commerce transactions must be considered. This means that scalability must be addressed across all facets of an e-commerce infrastructure, including Web applications, databases, server operating systems, and the network.

Estimating scalability requirements can be very difficult. For example, Forrester Research analyzed the growth of 50 e-commerce sites in 1999. The results in their report showed that the growth of these sites varied from 0 to 400 percent. Managing the scalability of an e-commerce site that is growing by 400 percent is not easy. The key is to identify any scalability problems within an e-commerce site and address them as quickly as possible.

Scaling an e-commerce site can be achieved by either scaling up with bigger servers or scaling out with more servers. Scaling up is when a single server is made larger through the addition of processors, memory, disk storage, and so forth. Scaling up requires an operating system, system services, and application code that can use the additional hardware. E-commerce sites can scale up their Web, application, and data servers to increase the number of requests that a site can process. Scaling out is when multiple servers function as a single logical unit or "farm." Scaling out also achieves the desired result of increasing the number of requests that a site can process. As with scaling up, scaling out can be done on any of the logical site layers. E-commerce sites should be positioned to take advantage of both scaling up and scaling out.

When does an e-commerce site scale up versus scale out? In the past, sites typically scaled up their data servers and scaled out their Web servers. The pros and cons of the two approaches are generally mirror images of each other. Scaling up usually costs more than scaling out, and scaling out data servers is more complex than scaling out Web servers, but managing a scaled-out farm is more complex than managing a single server. Finally, scaling up takes advantage of increased hardware capability, while the multiple servers in a scale-out solution provide redundancy, which means higher availability. Today's solutions offer e-commerce sites the ability to mix scaling up and scaling out across their Web, application, and data servers. Sites should engineer for the virtually limitless capabilities of scaling out while maximizing the benefits of scaling up. This supports a "pay as you grow" approach to expanding the technology as opposed to a "grow into what you've bought" approach. The result is smaller initial software and hardware investments, which can be expanded as the business grows, and support for the key e-commerce strategies of speed-to-market and lower initial investment.

And finally, an e-commerce site can achieve infrastructure scalability by taking advantage of certain networking products. For example, a networking infrastructure can scale Web servers through the use of server load-balancing products. Server load-balancing products intelligently distribute user requests among a group of servers to maximize server usage. You can also take advantage of content caching to offload user requests for static content from Web servers. This helps accelerate content delivery to the end user and allows servers to focus on more interactive sessions.

Security

Overall, strong security is a major consideration for the e-commerce network infrastructure. Because the nature of an e-commerce network is to conduct financial transactions, it becomes a likely target for malicious activity originating from the Internet community at large. However, the security solution chosen should be based on the nature of the e-commerce business being conducted, the comfort level of the IT organization, and the understanding of associated risks with each degree of security implementation. The security components of an e-commerce solution include five key elements:

  • Perimeter Security - Protects against malicious activity
  • Identity Security - Provides user authentication services
  • Data Integrity and Privacy - Ensures confidentiality of data through encryption
  • Firewall Security - Provides stateful security services
  • Security Monitoring - Recognizes vulnerabilities and detects and reacts to intruders

Perimeter security provides the first line of defense for an e-commerce network. This security is easily achieved through the use of an edge router or firewall on the network. Security services can be established on the edge router or firewall to protect against malicious activity and only permit valid traffic onto the e-commerce network. For example, an edge router or firewall can be configured to permit only valid Web traffic.

For identity security, authentication is the first task in every request, even if it equates to anonymous or public users. Authentication identifies who is making the request and is the basis of authorization, which controls what content and services a request can gain access to. Authentication can occur at various levels of security, from simple user ID and password combinations to certificate-based authentication over an encrypted connection. Security levels can also be intermixed.

To increase data integrity and privacy, e-commerce sites should support Secure Sockets Layer (SSL) connections. SSL can be implemented in software or on hardware acceleration cards; the latter offload the cryptographic processing from the server CPUs.

Firewall security is used in areas of the e-commerce network where stateful security services are required. This is typically in front of database servers that contain confidential customer information, to ensure that the integrity of the data is not compromised. A stateful firewall tracks the state of every session it permits: a connection is admitted only if the policy allows it to be opened, subsequent packets are passed only if they belong to a session already in the state table (so replies are permitted without opening the return direction to everyone), and the entry is removed when the session ends.

And finally, every e-commerce site should include a certain degree of security monitoring. Security monitoring provides the ability to scan your e-commerce infrastructure routinely, detect any potential security holes, and report them to be corrected. Security monitoring also provides the ability to spot an attack in progress, generate an alert, and stop the attack.

E-Commerce Network Building Blocks

A user executing a transaction creates many network connections within an e-commerce site. These connections pass through a series of devices that define the building blocks of the E-Commerce Framework Architecture, as shown in Figure 2. Each of these devices provides different services that are necessary to make an e-commerce site successful. This section provides an overview of the different devices in an e-commerce architecture and the services they offer.



Figure 2 E-Commerce Services

Geographic Load Balancer

A geographic load balancer is used when an e-commerce site is expanded to include geographically distributed sites. A geographic load balancer directs connection requests from clients to the e-commerce site with the closest proximity based on information about the network topology. This helps improve the response times of e-commerce applications as seen by end users, especially when the geographic e-commerce sites are widely distributed.

The use of a geographic load balancer provides scalability to multiple sites, and delivers a high degree of availability by monitoring the state of each distributed e-commerce site. If a site is rendered inoperable, the geographic load balancer stops directing new client connections to the failed site.

Site architects must be ready to handle the complexities of content replication under a geographically load-balanced solution. There will be a delay between when content is originally modified and when it is consistent across all sites. The solution is relatively simple if the business model allows for the sites to continue running during this inconsistency. However, if the business model requires all sites to function only when all content is consistent then some kind of staging and synchronization solution must be implemented.

Edge Router

Edge routers are located at the perimeter of an e-commerce network and provide several functions. Edge routers connect an e-commerce site to the Internet and advertise the site's reachability. Through the use of exterior routing protocols, such as the Border Gateway Protocol (BGP), edge routers propagate the IP addresses used in the front end of the e-commerce network to the Internet community. If redundant connections to Internet service providers (ISPs) exist, BGP allows for load distribution across multiple Internet connections and failover across such connections.

Edge routers also provide preliminary security services. Through the use of packet filtering or extended access control lists (ACLs), the edge routers can block any unwanted traffic and permit only desired traffic onto the e-commerce network. For example, filters can be applied on edge routers to allow only HTTP Web traffic, SSL traffic, and Domain Name System (DNS) traffic into the network. Filters can also be applied to block inbound packets whose source addresses cannot legitimately arrive from the Internet, such as private (RFC 1918) addresses or the site's own address range; such packets are spoofed and indicative of a possible malicious attack. For additional security services, edge routers can also provide stateful filtering, which tracks the state of every network connection and terminates connections as necessary.
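As an added illustration (not configuration from the Cisco and Microsoft lab, whose files are in the Cisco Configuration appendix), the following Python model evaluates an inbound edge-router ACL the way IOS does: top-down, first match wins, implicit deny at the end. The addresses (192.0.2.0/24 as the site prefix, 192.0.2.10 as the Web virtual address, 192.0.2.53 as the DNS server) are assumed documentation ranges, and the ios string on each rule is the equivalent IOS extended ACL entry, given for reference only. It shows why the anti-spoofing denies have to precede the service permits, and that a port the site does not offer falls through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing for this example (documentation ranges, not the lab's):
# the site's advertised prefix, the LocalDirector virtual address for the Web farm,
# and the authoritative DNS server.
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")
WEB_VIP = "192.0.2.10"
DNS_SERVER = "192.0.2.53"
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port
    ios: str                     # equivalent IOS extended ACL entry, for reference

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


# Inbound ACL for the Internet-facing interface. IOS evaluates an ACL top-down and
# stops at the first match, so the anti-spoofing denies must come before the permits;
# anything that matches no entry falls through to the implicit deny at the end.
INBOUND_ACL: List[Rule] = [
    # Anti-spoofing: an Internet-side packet must never claim a source inside our own
    # prefix or in private or loopback space.
    Rule("deny", "ip", SITE_PREFIX, ANY, None, "deny ip 192.0.2.0 0.0.0.255 any"),
    Rule("deny", "ip", ipaddress.ip_network("10.0.0.0/8"), ANY, None, "deny ip 10.0.0.0 0.255.255.255 any"),
    Rule("deny", "ip", ipaddress.ip_network("172.16.0.0/12"), ANY, None, "deny ip 172.16.0.0 0.15.255.255 any"),
    Rule("deny", "ip", ipaddress.ip_network("192.168.0.0/16"), ANY, None, "deny ip 192.168.0.0 0.0.255.255 any"),
    Rule("deny", "ip", ipaddress.ip_network("127.0.0.0/8"), ANY, None, "deny ip 127.0.0.0 0.255.255.255 any"),
    # Only the services the site actually offers: HTTP and SSL to the Web VIP, DNS to the name server.
    Rule("permit", "tcp", ANY, host(WEB_VIP), 80, "permit tcp any host 192.0.2.10 eq www"),
    Rule("permit", "tcp", ANY, host(WEB_VIP), 443, "permit tcp any host 192.0.2.10 eq 443"),
    Rule("permit", "udp", ANY, host(DNS_SERVER), 53, "permit udp any host 192.0.2.53 eq domain"),
    Rule("permit", "tcp", ANY, host(DNS_SERVER), 53, "permit tcp any host 192.0.2.53 eq domain"),
]


def evaluate(acl: List[Rule], packet: Packet) -> Tuple[str, str]:
    """First-match evaluation as on a Cisco IOS ACL, with the implicit deny at the end."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action, rule.ios
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    for p in [Packet("203.0.113.5", WEB_VIP, "tcp", 80),
              Packet("192.0.2.10", WEB_VIP, "tcp", 80),     # spoofed: our own address from outside
              Packet("203.0.113.5", WEB_VIP, "tcp", 23)]:   # telnet to the VIP
        print(p, "->", evaluate(INBOUND_ACL, p))
```

The model is stateless, like a plain extended ACL: it says nothing about return traffic or connection state, which is the job of the stateful filtering mentioned at the end of the paragraph and of the firewall in front of the back-end network.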

Content Caching

Content caching devices provide accelerated services to e-commerce users by augmenting the capacity of the front-end Web servers to handle client connections. Content caching devices sit in front of Web servers and handle user requests for static content. This solution is very effective in environments that have a high degree of static Web content. The static content includes graphics, text, and toolbars.

In a content caching environment, user Web requests are forwarded to the caching devices. If the content being requested is cacheable, the caching device fills the request and stores a local copy of the content for future requests. Future requests for the same content from the caching device are fulfilled directly. When caching devices fulfill user requests with local content, they offload traffic from the Web servers. This helps improve content download times and increases Web server capacity for more interactive sessions.
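An added example (not code from the page or from the Cisco Cache Engine) of the cache decision above in Python, with a constructed stand-in for the Web farm: a static image is filled from the origin once and then served locally, while a session-bound cart page is marked private by the origin and never stored. The check a practitioner wants is the second half: a shared cache that stores personalized responses will hand one customer's page to the next customer who requests the same URL, so the cache must honor Cache-Control: private and no-store and must not cache responses that set cookies or answer credentialed requests.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


def cacheable(request_headers: Dict[str, str], resp: Response) -> bool:
    """Conservative cacheability rule for a shared cache sitting in front of a Web farm.
    Anything tied to one user's session must never be stored, or it will be served
    to the next user who asks for the same URL."""
    if resp.status != 200:
        return False
    cc = resp.headers.get("Cache-Control", "").lower()
    if "no-store" in cc or "private" in cc:
        return False
    if "Set-Cookie" in resp.headers:        # response establishes or refreshes a session
        return False
    if "Authorization" in request_headers:  # authenticated request
        return False
    return True


class SharedCache:
    def __init__(self, origin: Callable[[str, Dict[str, str]], Response]):
        self.origin = origin       # the Web farm behind the cache
        self.store: Dict[str, Response] = {}
        self.hits = 0
        self.origin_fetches = 0

    def get(self, url: str, request_headers: Optional[Dict[str, str]] = None) -> Tuple[Response, str]:
        request_headers = request_headers or {}
        # Credentialed requests bypass the shared store entirely.
        if "Authorization" not in request_headers and url in self.store:
            self.hits += 1
            return self.store[url], "HIT"
        resp = self.origin(url, request_headers)
        self.origin_fetches += 1
        if cacheable(request_headers, resp):
            self.store[url] = resp
        return resp, "MISS"


def constructed_origin(url: str, request_headers: Dict[str, str]) -> Response:
    """Stand-in for the Web farm (constructed; not the Duwamish Books application)."""
    if url.startswith("/images/"):
        return Response(200, {"Cache-Control": "public, max-age=3600",
                              "Content-Type": "image/gif"}, b"GIF89a...")
    if url == "/cart":
        user = request_headers.get("Cookie", "anonymous")
        return Response(200, {"Cache-Control": "private, no-store",
                              "Set-Cookie": f"session={user}",
                              "Content-Type": "text/html"},
                        f"<html>cart for {user}</html>".encode())
    return Response(404, {"Content-Type": "text/plain"}, b"not found")


def run_cache_demo() -> dict:
    cache = SharedCache(constructed_origin)
    _, s1 = cache.get("/images/logo.gif")              # fills from the origin
    _, s2 = cache.get("/images/logo.gif")              # served locally
    alice, s3 = cache.get("/cart", {"Cookie": "alice"})
    bob, s4 = cache.get("/cart", {"Cookie": "bob"})    # must not get alice's cart
    return {"image": (s1, s2), "cart": (s3, s4),
            "alice_body": alice.body, "bob_body": bob.body,
            "origin_fetches": cache.origin_fetches, "hits": cache.hits}


if __name__ == "__main__":
    print(run_cache_demo())
```

The cacheability rule is only as good as the headers the Web servers send: a personalized page that the application emits without Cache-Control and without a cookie is indistinguishable from static content, so the application side must mark dynamic responses explicitly.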

Multilayer Switch

Multilayer switches provide the core network switching of an e-commerce site, including the connectivity of Web, application, and database servers. Thus they need to deliver high-performance Layer 2 and Layer 3 switching while supporting services that meet the requirements for availability, scalability, and security in an e-commerce environment.

For example, multilayer switches must support high-speed interfaces, redundant power supplies, quality-of-service (QoS) services, virtual local-area networks (VLANs), high port density, and rapid fault recovery. Plus, the switches must be able to carry a large number of user connections while providing Layer 3 forwarding at millions of packets per second (pps). This ensures that the switch is not a performance bottleneck in the e-commerce network architecture.

Server Load Balancer

Server load balancers help increase the scalability of an e-commerce site. Server load balancing works by distributing user requests among a group of servers that appear as a single virtual server to the end user. Its main function is to forward user traffic to the most available or the "best" server that can provide a response to the user. Server load balancers use sophisticated mechanisms to detect the best server. These mechanisms include finding the server with the least connections, the least load, or the fastest response times. They can also detect failed servers and automatically redirect users to the active servers. Ultimately, server load balancing helps maximize the use of servers and improves the response times to end users.
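As an added illustration (not LocalDirector code), a Python model of the virtual server described above: least-connections dispatch weighted by server capacity, existing sessions kept on the server they started on, and a health probe that pulls a failed server out of rotation. The farm, addresses and probe results are constructed. Note what the failure does to sessions: the balancer can stop sending new clients to the dead server, but sessions that were on it are gone, which is the session-availability point made in the High Availability section.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Client = Tuple[str, int]   # (client IP, client source port)


@dataclass
class RealServer:
    addr: str
    weight: int = 1        # relative capacity; a bigger box can take more connections
    active: int = 0        # connections currently dispatched to it
    healthy: bool = True


class VirtualServer:
    """One virtual address fronting a farm of real servers (the LocalDirector role)."""

    def __init__(self, vip: str, servers: List[RealServer], probe: Callable[[str], bool]):
        self.vip = vip
        self.servers: Dict[str, RealServer] = {s.addr: s for s in servers}
        self.probe = probe                       # True if the real server answers its health probe
        self.sessions: Dict[Client, str] = {}    # existing sessions stay on their server

    def health_check(self) -> List[str]:
        """Probe every server; take failures out of rotation and forget their sessions.
        The balancer cannot recreate in-flight state on another server, so those
        clients reconnect and are dispatched afresh."""
        failed = []
        for s in self.servers.values():
            s.healthy = self.probe(s.addr)
            if not s.healthy:
                failed.append(s.addr)
                for c in [c for c, a in self.sessions.items() if a == s.addr]:
                    del self.sessions[c]
                s.active = 0
        return failed

    def dispatch(self, client: Client) -> Optional[str]:
        if client in self.sessions:
            return self.sessions[client]
        candidates = [s for s in self.servers.values() if s.healthy]
        if not candidates:
            return None                          # whole farm down: nothing to send to
        # Least connections, scaled by weight; ties go to the first-listed server.
        best = min(candidates, key=lambda s: s.active / s.weight)
        best.active += 1
        self.sessions[client] = best.addr
        return best.addr

    def close(self, client: Client) -> None:
        addr = self.sessions.pop(client, None)
        if addr is not None and self.servers[addr].active > 0:
            self.servers[addr].active -= 1


def run_farm_demo() -> dict:
    # Constructed farm and probe results; addresses are documentation ranges.
    health = {"192.0.2.11": True, "192.0.2.12": True, "192.0.2.13": True}
    vs = VirtualServer("192.0.2.10",
                       [RealServer(a) for a in health],
                       probe=lambda addr: health[addr])
    first = [vs.dispatch(("203.0.113.5", p)) for p in (40000, 40001, 40002, 40003)]
    health["192.0.2.12"] = False                    # second server stops answering its probe
    failed = vs.health_check()
    after = vs.dispatch(("203.0.113.9", 50000))     # goes to the least-loaded healthy server
    sticky = vs.dispatch(("203.0.113.5", 40000))    # existing session keeps its server
    return {"first": first, "failed": failed, "after": after, "sticky": sticky}


if __name__ == "__main__":
    print(run_farm_demo())
```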

Web Servers

Web servers host the actual site content that clients see on their Web browsers. Web servers generate the presentation services. Whether it is static content, such as graphics, or dynamic content, Web servers are the only systems in direct contact with the end client. In addition, Web servers are the only authorized hosts able to access the back-end database and application services as necessary. The majority of e-commerce sites address their scalability and high availability requirements for presentation services by scaling out their Web servers.

The application servers are responsible for the business logic services. The application servers can be dedicated servers. Alternatively, the services that the application servers provide can be combined with the Web servers or the database servers. The decision is based on how the presentation, business, and database services communicate. If the presentation services make many small requests to the business services then it probably makes sense to move the services closer together. Conversely, if the business services process lots of data into small results then you can move the business services closer to the data. Additionally, the placement of application servers influences scalability, high availability, and security. There is no "golden rule" and each e-commerce site architects server placement to best meet its business needs. However, because of the ease of scaling out and the low cost of Web servers, many e-commerce sites place application services onto Web servers. This means the application services simply and efficiently inherit the scalability, high availability, and security of the Web servers.

Stateful Firewall

Stateful firewalls provide security services through connection control. They are predominantly used when protecting mission-critical or sensitive data is of the utmost importance. This is typically on the back-end databases and application servers. Firewalls secure the communication to application and database servers by providing stateful inspection on all connections and allowing only authorized devices, such as Web servers, to access data on the servers.

Because firewalls protect the most sensitive data, they play an important role in reaching the servers. Thus, firewalls are often implemented in pairs, whereby one is the active unit and the other is the standby unit. In the event of a failure of the active unit, the standby unit becomes operational. To ensure that connections to the application and database servers are maintained in the event of a failure of the firewall, firewalls must be able to perform stateful failover.
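An added example in Python (not PIX code) of the stateful inspection and stateful failover described above. The policy lets only hosts in the front-end Web subnet (assumed 192.0.2.0/27) open TCP connections to the database server (assumed 10.10.10.5, with 1433 assumed as the SQL Server listener port); replies pass because a matching entry exists in the state table, while Internet hosts, the database itself, other ports, and packets that belong to no admitted session are dropped. The second half shows why failover must be stateful: a standby that received a copy of the state table keeps passing an in-flight session, while one that did not drops the same packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed addressing (documentation ranges, not the lab's): the Web tier on the
# front-end network, the SQL Server on the back-end network. Port 1433 is assumed
# here as the SQL Server listener port.
WEB_TIER = ipaddress.ip_network("192.0.2.0/27")
DB_SERVER = ipaddress.ip_address("10.10.10.5")
DB_PORT = 1433

Conn = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True only on the packet that opens a TCP connection


class StatefulFirewall:
    def __init__(self, name: str):
        self.name = name
        self.conns: Set[Conn] = set()   # state table: sessions the policy admitted

    @staticmethod
    def policy_allows_new(p: Pkt) -> bool:
        """Only front-end Web servers may open connections to the database, and only to
        the SQL port. Nothing else, in either direction, may open a session."""
        return (ipaddress.ip_address(p.src) in WEB_TIER
                and ipaddress.ip_address(p.dst) == DB_SERVER
                and p.dport == DB_PORT)

    def filter(self, p: Pkt) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return "PASS established"        # replies ride on the existing entry
        if p.syn and self.policy_allows_new(p):
            self.conns.add(fwd)
            return "PASS new"
        return "DROP"                        # includes stray ACKs with no matching session

    def close(self, p: Pkt) -> None:
        self.conns.discard((p.src, p.sport, p.dst, p.dport))
        self.conns.discard((p.dst, p.dport, p.src, p.sport))

    def sync_state_to(self, standby: "StatefulFirewall") -> None:
        """Stateful failover: the standby unit receives a copy of the state table so
        that sessions survive a failure of the active unit."""
        standby.conns = set(self.conns)


def run_firewall_demo() -> dict:
    active = StatefulFirewall("fw-active")
    warm = StatefulFirewall("fw-standby-synced")
    cold = StatefulFirewall("fw-standby-unsynced")

    open_sql = Pkt("192.0.2.5", 40000, "10.10.10.5", 1433, syn=True)
    reply = Pkt("10.10.10.5", 1433, "192.0.2.5", 40000)
    results = {
        "web_opens_sql": active.filter(open_sql),
        "sql_reply": active.filter(reply),
        "internet_to_sql": active.filter(Pkt("203.0.113.5", 4444, "10.10.10.5", 1433, syn=True)),
        "db_initiates": active.filter(Pkt("10.10.10.5", 5000, "192.0.2.5", 445, syn=True)),
        "web_to_other_port": active.filter(Pkt("192.0.2.5", 40001, "10.10.10.5", 445, syn=True)),
        "stray_ack": active.filter(Pkt("192.0.2.6", 40002, "10.10.10.5", 1433)),
    }
    active.sync_state_to(warm)
    # The active unit fails; the same in-flight reply now reaches each standby.
    results["after_failover_synced"] = warm.filter(reply)
    results["after_failover_unsynced"] = cold.filter(reply)
    return results


if __name__ == "__main__":
    for k, v in run_firewall_demo().items():
        print(f"{k}: {v}")
```

The unsynced case is exactly the failure the paragraph warns about: without state replication a mid-session packet has no matching entry and is dropped, so every open database connection from the Web farm is cut when the active unit fails.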

Database Servers

The database servers reside in the back end of the network and house the data for e-commerce transactions as well as sensitive customer information. This is commonly referred to as the data services. Although Internet-based clients do not directly connect to these servers, the front-end Web servers initiate connections to these servers when a client conducts a series of actions such as logging in, checking inventory, or placing an order. Most e-commerce sites scale up their database servers for scalability and implement failover clustering for high availability. Partitioned databases, where segments of data are stored on separate database servers, are also used to enhance scalability and high availability in a scale-out fashion.

E-Commerce Architectures

E-commerce architectures fall into two basic categories: single-site and multisite architectures. This section describes the basic components of the two architectures. Cisco and Microsoft tested both architectures.

Single-Site E-Commerce Architecture

A single-site e-commerce architecture consists of two main sections: the front-end and the back-end network. The front-end network consists of Web and application servers that are accessible from the Internet by users. The network devices that connect the Web and application servers include edge routers, multilayer switches, content caching devices, load balancers, and intrusion detection systems.

The back-end network consists of database servers, firewalls, and multilayer switches. A firewall typically serves as the delineation point between the front-end and back-end sections of the network.


Figure 3 Functional Representation of a Single-Site Network

Figure 3 is a functional representation of the single-site implementation with a high degree of redundancy across the network and the servers. This solution can be located at an enterprise site or at a co-location service provider facility. To provide access to the e-commerce network within a co-location facility, additional circuits must be installed from the enterprise site to the e-commerce network. These circuits allow for remote management and integration with back-office systems such as Enterprise Resource Planning (ERP) applications.

Multisite E-Commerce Architecture

A multisite architecture can be constructed in several ways. The architecture typically comprises a main e-commerce site and one or more satellite sites that extend the e-commerce service offerings of a company. The satellite sites can contain a portion or the entire architecture of the main site. The key determining factors in the architecture selection are the degrees of database synchronization desired between the e-commerce sites and the amount of traffic that must be backhauled to a main site.

Companies move to multisite architectures when their user bases expand beyond their local geographies, and they have a requirement to improve the e-commerce application response times to these geographically dispersed users. Multisite architectures also provide a certain degree of redundancy and backup to companies should the primary site fail. The satellite e-commerce sites are connected to the main site over a corporate backbone, such as Frame Relay or ATM. Database synchronization and updates, remote management, and integration with a corporation's ERP system are performed over the corporate backbone. Some of the different types of multisite architectures are discussed below using three scenarios:

In Scenario 1, the front end of a main e-commerce site is replicated and geographically distributed. Because the front end consists primarily of Web servers and their associated content, the ability to replicate and distribute the data on these servers allows the remote sites to handle user requests for static content. Using these remote sites alleviates the need to backhaul user requests for static content to the main site. It also improves the response times on user requests for Web content.

Scenario 2 consists of replicating the front-end network of the main site along with a portion of the back-end network. In this scenario, application servers and associated database servers, which are primarily responsible for maintaining and serving relatively static content, are replicated at a remote site. Information such as user account information, product catalog information, and "specials" information (for example, special discounts, pricing, and so forth) can be replicated on remote servers and alleviates the need to backhaul such traffic to the main site. In this scenario, only traffic involving dynamic information such as a commerce transaction is backhauled to the main site. This solution also improves the response time on user requests for content.

A third scenario involves the creation of a completely redundant site that can host the entire set of e-commerce services should the primary site fail. In this scenario, all databases and applications are completely replicated and synchronized in real time, or as close to real time as possible. Scenario 3 can permit the primary site to completely fail without losing the ability to provide e-commerce services to users. This solution provides the ultimate in e-commerce service availability.

For the purposes of the joint testing between Cisco and Microsoft, Scenario 2 was used. Figure 4 is a functional representation of the multisite implementation tested.



Figure 4 Functional Representation of a Multisite Network

Cisco and Microsoft E-Commerce Lab Implementation

The following sections outline the actual lab implementation used for the joint Cisco and Microsoft e-commerce architecture validation. All components used in the lab and their associated functions are detailed below.

The "Configuration Recommendations" section outlines recommendations for each component within the network. This section is followed by the methodologies and results of the actual lab testing. Finally, the specific model numbers and configuration files of the network components are provided in the appendix "Cisco Configuration" for reference.

Base E-Commerce Components

The base e-commerce components tested within the joint Cisco and Microsoft framework architecture are as follows:

  • Cisco DistributedDirector
  • Cisco IOS-Powered Edge Router
  • Cisco Cache Engine
  • Cisco Catalyst Multilayer Switch
  • Cisco LocalDirector
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Internet Information Services 5.0
  • Cisco Secure PIX Firewall
  • Microsoft SQL Server 7

A high-level representation of these products, relative to one another in an e-commerce network, is shown in Figure 5. The following sections outline the primary function of each of the e-commerce components.



Figure 5 Cisco and Microsoft E-Commerce Base Components

Cisco DistributedDirector

The key enabler for a distributed e-commerce network architecture is a geographic load balancer such as Cisco DistributedDirector. DistributedDirector is responsible for making load-balancing decisions on a geographic level. The load-balancing decisions are made based on a series of collected metrics from the networks participating in offering the distributed e-commerce services.

The primary function of the DistributedDirector is to play the role of an authoritative DNS server for the e-commerce domain (for example, www.cisco.com). A client who wants to access an e-commerce site initiates a DNS request for the appropriate URL. DistributedDirector receives the DNS request and responds with the unique IP address of the e-commerce site's data center that will provide the best service to the end client. The decision by DistributedDirector is based on the collected network metrics.

For the lab, the Cisco DistributedDirector 4700M was used at the main site and the DistributedDirector 2501 was used at the remote site.

Cisco IOS-Powered Edge Router

Whether the e-commerce solution is hosted at a co-location service provider, or self-hosted by the enterprise itself, Cisco IOS-powered edge routers provide the ideal interconnect for Internet access. An e-commerce edge router must enable the main services of e-commerce: security, high availability, and scalability.

Cisco IOS security services provide a secure front-door to any e-commerce network through the use of features such as extended ACLs, integrated stateful Firewall Feature Set (FFS), TACACS+/Radius AAA services, and Kerberized device configuration access.

At the top of the Cisco high availability feature set is the Cisco Hot Standby Router Protocol (HSRP). Robust routing protocols such as Open Shortest Path First (OSPF) and BGP provide routing availability and load-balancing capability. Cisco edge routers also provide a rich set of QoS features that improve the availability of user sessions during times of peak load on the network.

Regardless of the implemented network size, Cisco offers a variety of router platforms to meet each need while offering the full Cisco IOS suite of services. Larger implementations can benefit from the performance offered by Cisco 7200, 7500, and 12000 high-capacity router platforms. Smaller network implementations can choose the Cisco 3600 Series Routers.

The Cisco IOS routers tested in the lab included two Cisco 7200 Series Routers for the main site and a Cisco 3660 Series Router for the satellite site.

Cisco Cache Engine

Content caching provides an easy method of increasing the scaling and performance of an e-commerce site. An e-commerce provider can deliver accelerated services to its customers by front-ending Web server farms with cache engine clusters such as the Cisco Cache Engines.

In this solution, Web content requests by users are redirected to a Cisco Cache Engine cluster instead of directly forwarding them to the Web servers. If the content that is requested is cacheable, the Cache Engines fulfill the request. When the cache cluster fulfills these requests, it offloads traffic from the Web servers thereby minimizing content download latency and increasing Web server capacity. After a customer requests a particular piece of cacheable content, it is cached so that successive requests are not directed repeatedly to a Web server. Within an e-commerce environment, the Cache Engine cluster only caches the content that is available on the local Web servers. This arrangement is referred to as the Reverse Proxy Caching function.

At the heart of a Cisco caching solution is the Web Cache Communication Protocol (WCCP) that facilitates the link between Cisco IOS-enabled routers and the Cache Engines themselves. Through WCCP, Cache Engines can be clustered to provide scalability and resiliency. In addition, several Cisco IOS Software-enabled routers can use the cache cluster simultaneously for a robust high-availability solution.

Cisco offers several cache products to address a variety of e-commerce solutions. The Cisco Cache Engine 500 Series supports all the enhancements offered by WCCP version 2 to provide a solid e-commerce solution.

For the purpose of the e-commerce testing lab, multiple Cisco Cache Engine 505 devices were used.

Cisco Catalyst Multilayer Switch

Part of the e-commerce architecture includes Web, application, and database servers. To interconnect these servers, high-speed multilayer network switches are required. Cisco provides the Catalyst 5500 and 6000 Multilayer Switches, which offer a highly resilient and scalable switch platform to interconnect servers. The Catalyst Switches offer a high degree of intelligent network services, such as security, high availability, and scalability. For example, the Catalyst 5500 and 6000 platforms offer dual power supplies, fans, and supervisor engines to provide enhanced high availability. In addition, the Catalyst 6000 Series Switch offers wire-rate intelligent services including ACLs for security, QoS for session high availability, integrated server load balancing, and private VLANs for enhanced security. High availability is further enhanced through several optimized Layer 2 and Layer 3 protocols that offer fault recovery in less than 2 seconds in most failure scenarios.

For the lab tests, the Catalyst 6506 Switches were used at the main site, and the Catalyst 5505 Switch was used at the satellite site.

Because security is of primary importance in an e-commerce environment, the Cisco private VLAN feature is used to further enhance such security. The Cisco private VLAN feature, available on the Catalyst 6000 and 3500 Series Switches, is an advanced Layer 2 feature for providing port-based security between adjacent ports within a VLAN. A private VLAN is a VLAN in which ports designated as access ports are allowed to communicate only with ports designated as promiscuous. This ensures that if an attacker compromises the security integrity of one server on a port, access cannot be gained to other Web servers on the network. This prevents the use of adjacent servers as launch pads for further attacks.

Cisco LocalDirector

A top priority in any server-hosting environment is the high availability of the applications themselves. Server load balancing (SLB) provides the key to IP connection load distribution while simultaneously improving the availability of servers. Through many sophisticated features and algorithms, the server load-balancing solutions from Cisco ensure that connection load is fairly distributed among available servers. This allows for ease of configuration should servers and their applications need to be added or removed from service.

Enhanced high availability is provided by Cisco technology and its ability to provide stateful failover and no loss of connection should an SLB path fail. Cisco offers several solutions for server load balancing including the stand-alone Cisco LocalDirector appliance and the integrated IOS SLB function found on the Cisco Catalyst 6000 Family multilayer Switches and the Catalyst 4840G Switches. Each of these products offers all the required services for extreme application availability and high connection throughput. For the purpose of the e-commerce testing lab, Cisco LocalDirector 430 appliances were used.

Microsoft Windows 2000 Advanced Server

The operating system used on both the Web and database servers within the E-Commerce Framework Architecture is Microsoft Windows 2000 Advanced Server. Windows 2000 Advanced Server provides scale-up capabilities by using the latest server hardware for up to 8-way SMP and up to 8 GB of RAM. Additionally, Windows 2000 Advanced Server increases high availability by supporting two-node, high availability clustering, which ensures that critical e-commerce applications are up and running on demand. Windows 2000 Advanced Server also provides additional services such as component services with COM+ and message queuing with Microsoft Message Queue (MSMQ) to the e-commerce sites.

Microsoft Internet Information Services 5.0

Internet Information Services (IIS) 5.0, which provides Web services, is fully integrated at the Windows 2000 Server operating system level. E-commerce sites use this integration during authentication and authorization. For extreme performance, E-commerce sites can develop Internet Server API (ISAPI) filters and applications. This places the e-commerce solution in the same memory space as IIS for the most intensive tasks. Active Server Pages (ASP) provide a quick and easy way to produce dynamic content. Application high availability can be increased through IIS application isolation.

Cisco Secure PIX Firewall

The most highly sensitive and valuable data within an e-business network is housed on back-end database servers. Information, including customer account histories and profiles, product inventories, and financial transaction details, must all be secured from potential malicious activity at all costs. To address such a security concern, stateful firewall services are used to secure connections from front-end Web servers and application servers to back-end database servers.

Cisco offers a set of high-performance stateful firewalls in the PIX Firewall Series, which accommodates extensive load while maintaining high availability. The PIX Firewall offers stateful session inspection, user authentication and authorization, and stateful failover should the firewall fail. The high availability, performance, and security of the PIX Firewall makes it a perfect fit for any e-commerce environment. For the purpose of the e-commerce lab testing, Cisco Secure PIX 520 Firewalls were used.

Microsoft SQL Server 7

Microsoft SQL Server 7 provides database services in the E-Commerce Framework Architecture for reliable storage of persistent data such as transactions, profiles, and catalogs. E-commerce sites can scale up their database capabilities with SQL Server 7 and Windows Advanced Server to 8 processors and 3 GB of RAM. High availability is increased with clustering. For e-commerce sites with large volumes of data, the database can be partitioned across multiple servers to distribute the processing load.

SQL Server 2000, released in August 2000, delivers a new generation of features and functionality that extend its capabilities as a high performance relational database powering Internet solutions.

Configuration Recommendations

The purpose of the Cisco and Microsoft joint initiative was to discover the best way to combine technologies from both companies in an effort to design a solid e-commerce solution. In doing so, both parties were able to jointly discover and develop a series of best practices that relate to the design and configuration of the joint e-commerce solution.

The following sections of this document relay these best practices and configured options within the joint E-Commerce Framework Architecture. The best practice recommendations are organized under the three main deterministic design criteria of e-commerce: high availability, scalability, and security.

For each design component, three main descriptive characteristics are presented. The characteristics include the following:

  • Service Requirement—Outlines the required service from the specified component in terms of high availability, scalability, or security.
  • Recommendation—Outlines the recommended configuration for the design component.
  • Service Function—Outlines the high-level function of the component.

For each design component, the specific component's classification is presented in addition to the specific model number that was used in the case of specific network devices.

High Availability

When you consider high availability design, the redundancy incorporated within a design needs to be applied strategically. It is one thing to create a redundant design by adding extra network components and links ad hoc, but it is another thing to add the right amount of redundancy and appropriately configure the supporting protocols to optimize its effects.

High availability design incorporates four main requirements for deployment:

  • Elimination of any single point of failure
  • Stateful failover where applicable
  • Predictable failover recovery mechanisms
  • Load-sharing across a redundant design

In creating the joint E-Commerce Framework Architecture, all single points of failure have been removed through the use of redundancy and proper configuration of supporting protocols.

Cisco DistributedDirector
High Availability Service Requirement:

Provide a load-balancing function between e-commerce sites from a global perspective. Within a distributed architecture, one of the most important design issues is load balancing among different data centers. The Cisco DistributedDirector (DD) offers load balancing to geographically dispersed sites.

Recommendations:

· Implement one DistributedDirector at the main e-commerce site.
· Implement a second redundant DD at either the main site or at a backup or satellite e-commerce site.
· Configure Director Response Protocol (DRP) agents within the ISP-facing routers to feed the appropriate metrics back to the DD system.

Service Function:

DD has two functional modes: DNS mode and HTTP redirect mode. DNS mode is mainly used within an e-commerce environment and is the mode chosen in this lab verification exercise. The Cisco Network Registrar (CNR) DNS server services the "duwamishbooks.com" domain. DD acts as the authoritative name server for the www.duwamishbooks.com subdomain.
DD uses DRP to determine how far a client is from a data center. DD queries DRP agents within ISP-facing routers for metrics from the client or client's local DNS to the requested subdomain or servers. It then calculates the metrics, chooses the IP address of the server within a data center with the lowest metric to the client as the best server, and responds to the client's local DNS with the DNS result. Network designers have the choice of using routing table metrics and client-to-server link latency metrics. Depending on where a client is in the Internet, they are potentially directed to a different data center. Therefore, global load balancing and enhanced performance are achieved.
Multiple DDs are implemented in this design for redundancy. Each DD acts as an authoritative DNS source for the e-commerce site domain.
Each DD is aware of both e-commerce sites and directs clients to the site that can provide the best service for a particular client.

Cisco IOS-Powered 7200 Series Internet Router
High Availability Service Requirement:

Connect to redundant Internet service providers and provide rerouting capability and best path selection through provider networks.

Recommendations:

· Implement redundant routers for the headquarter site to eliminate the single point of failure of having only one router. Tie each router into one ISP connection for maximum high availability.
· To fully use ISP routing information, routers with BGP capability are recommended. This might not seem as critical in a single-ISP scenario as in a multiple-ISP scenario, where network load balancing and policy routing are important; however, it is recommended in order to be ready for future growth.
· Default routes are propagated to Catalyst Switches down all available links to provide switches with multiple routes to the default network.

Service Function:

Multiple routers are used, each one to connect to an individual ISP. The routers share Internal BGP (I-BGP) routing information to allow for optimal routes to be chosen through the two ISPs for return traffic. Should one router, uplink, or ISP fail, the remaining router, uplink, or ISP resumes full service for the e-commerce network.

Cisco Cache Engine
High Availability Service Requirement:

Provide a caching function for static Web content thereby offloading the real Web servers from their requirement to successively deliver the same static content for identical client requests.

Recommendations:

· Implement caching on the front-end in those scenarios where heavy amounts of static content are used in the Web pages (for example, graphics, and so forth) and extra front-end capacity is needed. Caching allows for plug-and-play additional capacity for those client requests for static content. The use of caching alleviates the need for additional front-end Web servers. Case-by-case evaluations must be made as to the effectiveness of deploying a caching service. In many cases the current capacity of the front-end Web servers may be sufficient, thereby alleviating the need for caching.
· In scenarios where caching is used, implement cache cluster topology to prevent single points of failure of the Cache Engine. Using multiple cache engines in a cluster topology allows for additional caching capacity and alleviates single points of failure.
· The use of the WCCP version 2 protocol allows multiple routers to bind with the cache engine cluster to increase overall high availability and allow for scaling requirements. When a Cache Engine is brought online, it sends out a WCCP packet to the WCCP-enabled routers to report its existence. Each router builds up its view of the Cache Engines through information exchange. Each router with the view of cache engines can redirect HTTP traffic as appropriate.

Service Function:

The use of caching allows Web servers to be relieved of the tasks associated with repetitively responding to client requests for static content. Cache Engines store copies of the static content and can respond to client requests without involving the Web servers. You must evaluate the effectiveness of cache technology, because it is currently applicable only to static content. If the particular e-commerce site does not possess large amounts of cacheable content, the use of cache engines can pose an unnecessary bottleneck for the overall service.

Cisco Catalyst 6500 Multilayer Switch
High Availability Service Requirement:

Provides redundant interconnectivity for all redundant Internet appliances, Web servers, and ISP-facing routers. Uses VLANs to create separate broadcast domains. Uses Gigabit EtherChannel® to alleviate single points of failure by creating multiple links between adjacent devices.

Recommendations:

· Implement redundant switches to alleviate single points of failure.
· Network components as well as servers are dual homed to both switches to increase the e-commerce site's high availability in case of switch failure.
· Redundant supervisor cards within the Catalyst Switches are optional in this configuration because there is sufficient design redundancy.
· The use of dual power supplies is also optional because of design redundancy but is recommended for Catalyst Switch resiliency.
· Create fully meshed topologies between all network appliances, routers, and switches to provide for Layer 2 and 3 reconvergence if individual links or devices fail.
· Rely more on Layer 3 protocols such as OSPF and Enhanced Interior Gateway Routing Protocol (EIGRP) to provide recovery, rather than on Spanning Tree.
· An EtherChannel is created between the two Catalyst 6500 Family Switches for resiliency.
· Port Aggregation Protocol (PAgP) provides dynamic configuration of port channels between two Catalyst Switches. In this configuration, the ports that are designated to be EtherChannels remain as such and do not require the PAgP function. Setting port channel mode to On disables PAgP.

Service Function:

Multiple Catalyst Switches allow for multiple routes within the Layer 2 and Layer 3 domains as well as server connections. The use of multiple Layer 2 and Layer 3 paths allows for survival after multiple incidence failures in addition to the simple single failure within the network.
The use of multiple VLANs allows connections to be set up as if they were serial point-to-point links. By reducing the span of Spanning Tree, additional resiliency is gained and Layer 3 protocols are relied upon to reconverge after failures. The logical topology and recovery mechanisms become easier to understand after most of the links within the design become Layer 3 links (separate subnet).
EtherChannel bundles multiple Ethernet links into a single channel. It can provide bandwidth up to 1600 Mbps (Fast EtherChannel) or 16 Gbps (Gigabit EtherChannel) between Catalyst 6000 Family Switches. By using EtherChannel, additional bandwidth can be added to an interconnect while also adding high availability.

Cisco LocalDirector
High Availability Service Requirement:

Provide a load-balancing function between mirrored servers adding high availability and capacity to the content delivery systems.
There are many members of the Cisco server load-balancing family. The basis of the family is Cisco LocalDirector. This stand-alone device offering server load balancing can be accelerated through the use of a Catalyst 6500 Switch and the Accelerated Server Load Balancing (ASLB) feature. For a Cisco IOS-only implementation, the Catalyst 6500 offers IOS Server Load Balancing (IOS-SLB). In addition, Cisco offers the new Catalyst 4840G small density/high performance server load balancer. For the purposes of the lab testing, Cisco LocalDirector was used.

Recommendations:

There are two functional modes for load balancing to servers offering the exact same content, namely Directed Mode and Dispatch Mode. These modes define the mechanism that is used to direct TCP connections to an actual real server within the mirrored group of servers. Directed mode is sometimes called Network Address Translation (NAT) mode and incorporates an IP and media access control (MAC) address translation to steer the connection towards a real server. Dispatch mode relies on destination MAC address rewrite functionality only, and thus operates at higher speeds.
· Directed mode is recommended for customers who do not have enough public IP address space and for whom NAT is necessary.
· Dispatch mode is recommended for customers whose emphasis is on higher performance. Dispatch mode is used in this framework in anticipating the migration to accelerated forms of server load balancing including ASLB and IOS-SLB. In their initial forms, both ASLB and IOS-SLB support Directed mode at a much higher performance.
· Multiple virtual IP addresses in the LDs are recommended in this framework to improve high availability of application servers. There are two NIC cards installed on each application server; each belongs to different subnets. Each virtual IP address points to a specific NIC on each server. Neither NIC failure nor a switch failure results in the total loss of a server because connectivity is regained through the redundant switch or NIC and the active LD automatically assigns transactions to functional real servers.
· The Least Connections load distribution (predictor) algorithm is recommended in this framework to successively assign transactions to a Web server that has the least number of connections in progress at a particular moment. This method works well where server performance characteristics are not equal and transactions take different resources in terms of network bandwidth and CPU cycles.
· Sticky connections are implemented in LD to allow for persistence between multiple connections from a particular client. This ensures that a client who has generated "state" on a particular Web server (filled a shopping cart) is directed back to the same server for successive connections within a particular timeframe.
· Sticky functionality provides methods for persistent LD load balancing as described above. However, construct the site architecture to best eliminate stickiness. Implement one centralized database server at the back end to maintain user state for objects that require persistence, such as items placed in a shopping cart, thereby removing state from the front-end Web servers. This architecture alleviates the need to implement any sticky functionality in the Cisco LocalDirectors.
· Use the Content Verification System (CVS) within the e-commerce infrastructure. CVS works with LD. The purpose of CVS is to verify the validity of Web content and remove servers with failed applications or invalid content from service as quickly as possible to avoid packets being sent to an invalid server. The CVS system constantly probes servers managed by an LD, discovers the state of those servers, determines the health condition of the applications, and takes necessary actions against servers through a LD.
· Use the Dynamic Feedback Protocol (DFP) to provide for a more granular load distribution among real servers. DFP is supported in LD and can be used to check the health condition of servers through agents installed on the servers. Metrics such as CPU usage, memory consumption, and storage capacity can be probed and used in the ongoing weight calculations that the LD uses for connection load distribution. The DFP system instructs the LD to treat servers according to the new weight, thereby distributing load among the servers dynamically and fairly according to the environmental metrics retrieved from them.
· To ensure high availability, stateful failover of LD is recommended for the site. Stateful failover requires the installation of a separate Ethernet connection and serial cable between both LocalDirectors to allow for real-time state synchronization. A pair of LDs is set up such that one is active and the other one is in standby mode. All traffic is sent to the active LD for distribution amongst real servers. Only in the event of active LD device or link failure does the standby LD become active. To achieve this effect, a failover serial cable and dedicated Ethernet cable are used to connect the two LDs together. The side with "primary" printed on the cable wins by default and this LD is the initial active LD.

Service Function:

The total collection of front-end Web servers is represented to the user community as a single virtual server. Users from the Internet create connections to the virtual server resulting in a load-balancing directive to one associated real server. Depending on the use of Directed or Dispatch mode, the load-balancing mechanism either uses an IP/MAC address or a MAC-only rewrite. Using CVS, specific content within the Web servers can be tracked for availability and accuracy, increasing the overall service high availability. In addition, DFP allows for environmental metrics retrieved from the real servers to be factored into the load-balancing algorithm, enabling connections to be directed to servers relative to their load snapshots. From a high availability perspective, it takes approximately 30 seconds to switch control from the primary LocalDirector to the backup LocalDirector if the primary unit fails. The failover cable transfers heartbeats between the two LDs. The purpose of the Ethernet cable between the pair is to synchronize the state of transactions in progress.
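The LocalDirector behaviour recommended above (least-connections predictor, DFP weights, sticky clients, CVS removal of failed servers) can be modelled in a few dozen lines. The following is an added illustration, not Cisco code or configuration; the server names, weights, client addresses and the 60-second sticky window are constructed values.

```python
"""Model of the LocalDirector behaviour recommended above: least-connections
predictor, DFP-style weights, sticky clients and CVS-style removal of failed
servers. Added illustration, not Cisco code; server names, weights, client
addresses and the 60-second sticky window are constructed values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RealServer:
    name: str
    weight: int = 1          # DFP feedback raises or lowers this over time
    in_service: bool = True  # CVS takes a server with failed content out of service
    active: int = 0          # connections currently in progress


class VirtualServer:
    """One virtual IP fronting a group of mirrored real servers."""

    def __init__(self, sticky_timeout: float = 60.0):
        self.reals: Dict[str, RealServer] = {}
        # client address -> (real server name, time of last connection)
        self.sticky: Dict[str, Tuple[str, float]] = {}
        self.sticky_timeout = sticky_timeout

    def add_real(self, name: str, weight: int = 1) -> None:
        self.reals[name] = RealServer(name, weight)

    def dfp_weight(self, name: str, weight: int) -> None:
        """DFP agent on the server reports new capacity; the LD adjusts the weight."""
        self.reals[name].weight = max(1, weight)

    def cvs_result(self, name: str, healthy: bool) -> None:
        """CVS probe outcome: an unhealthy server receives no new connections."""
        self.reals[name].in_service = healthy

    def _predict(self) -> Optional[RealServer]:
        """Weighted least connections: fewest in-progress connections per unit of weight."""
        candidates = [s for s in self.reals.values() if s.in_service]
        if not candidates:
            return None
        # Tie-break on name so the choice is deterministic.
        return min(candidates, key=lambda s: (s.active / s.weight, s.name))

    def connect(self, client: str, now: float) -> Optional[str]:
        """Assign a new client connection; returns the chosen real server (or None)."""
        entry = self.sticky.get(client)
        if entry is not None:
            name, last_seen = entry
            server = self.reals.get(name)
            if server and server.in_service and now - last_seen <= self.sticky_timeout:
                server.active += 1
                self.sticky[client] = (name, now)
                return name
            # Sticky entry expired or points at a failed server: use the predictor.
            del self.sticky[client]
        server = self._predict()
        if server is None:
            return None
        server.active += 1
        self.sticky[client] = (server.name, now)
        return server.name

    def disconnect(self, name: str) -> None:
        server = self.reals[name]
        server.active = max(0, server.active - 1)


def run_scenario() -> dict:
    """Constructed sequence of events; returns the assignments made and the final load."""
    vs = VirtualServer(sticky_timeout=60.0)
    vs.add_real("web1", weight=1)
    vs.add_real("web2", weight=1)
    vs.add_real("web3", weight=2)   # twice the capacity of the others
    assignments: List[Optional[str]] = []
    assignments.append(vs.connect("198.51.100.10", now=0))   # web1 (all idle)
    assignments.append(vs.connect("198.51.100.11", now=1))   # web2
    assignments.append(vs.connect("198.51.100.12", now=2))   # web3 (0/2)
    assignments.append(vs.connect("198.51.100.13", now=3))   # web3 (1/2 < 1/1)
    assignments.append(vs.connect("198.51.100.10", now=4))   # sticky: back to web1
    vs.cvs_result("web1", healthy=False)                      # CVS pulls web1
    assignments.append(vs.connect("198.51.100.10", now=10))  # sticky dropped: web2
    vs.dfp_weight("web2", 4)                                  # DFP reports spare capacity
    assignments.append(vs.connect("198.51.100.14", now=11))  # web2 (2/4 < 2/2)
    assignments.append(vs.connect("198.51.100.11", now=100)) # sticky expired: web2 (3/4)
    return {"assignments": assignments,
            "active": {n: s.active for n, s in vs.reals.items()}}


if __name__ == "__main__":
    print(run_scenario())
```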

Microsoft Internet Information Services 5.0 (IIS)
High Availability Service Requirement:

Provide a front-end application driven by HTTP to which clients can connect. The Web servers are the only servers to which the client community will directly connect.

Recommendations:

· Implement a series of front-end Web servers, each with a mirrored copy of the same content.
· Large e-commerce sites should group front-end Web servers by the service provided thus enabling the site to adjust the number of servers performing the service as demand requires.
· Within each Web server, use a redundant NIC configuration to allow for increased overall high availability.
· Employ three NICs in each Web server front end, one to connect to each switch, and one for the management LAN. Connecting a server to multiple switches ensures continued high availability of the server in case of a NIC or switch failure.
· For the redundant NIC configuration, use Layer 2 redundancy services. Layer 2 features are often included in the drivers provided with the NIC. Layer 2 features are transparent to the server and its applications and offer very fast failover (1-2s) without reliance on any Layer 3 mechanisms such as DNS.
· Windows 2000 Reliability and Availability Improvements (see Appendix – Microsoft References for further information).

Service Function:

Front-end Web servers are grouped by the specific service they provide to the overall e-commerce configuration, namely basic Web presence, search facilities, SMTP (e-mail), or File Transfer Protocol (FTP) for download. SSL services are similarly segregated from normal HTTP traffic. Each group of systems (for a particular service or function), called a Web cluster, consists of a set of identical systems called clones. All clones in a Web cluster run the same software and have access, either through content replication or from a highly available file share, to the same Web content, HTML files, ASP files, scripts, and so forth. The front-end systems are made highly available through the use of multiple systems in a Web cluster coupled with the LocalDirector load-balancing system. A single virtual IP address for a Web cluster is advertised to the clients. Client requests are made to each Web cluster using this virtual IP address that all the front-end systems in a Web cluster can respond to. Building failure detection into the load-balancing system increases service availability: a system that no longer offers a service can be automatically removed from the load-balance set while the remaining clones continue to offer the service.
Web applications can be designed to better support high availability and redundancy by not maintaining client state in the front-end systems. Maintaining client state on these front-end systems works against transparent client failover and load balancing because client state is lost if the front-end server fails. A solid way to maintain client state and support failover mechanisms is to store client state in a partitioned back-end server (in this case it is necessary to retrieve this state on each client request). However, some applications and some protocols require a persistent client-to-server connection, which means failure transparency cannot be achieved with such applications or protocols. Using SSL to send encrypted data and authenticate the server is a prime example. In these cases, several sticky mechanisms on the LocalDirector can be used to provide the desired persistence.
It is also important to isolate potential programming errors from different Web applications. Running the application code out of process from the Web server is the best way to avoid causing the Web server to fail because of application errors. When the IIS Web server fails on Windows 2000, it restarts automatically. However, a nonresponsive IIS Web server must be detected using a monitoring tool such as the Microsoft HTTPMon or the Cisco CVS product.

Cisco Secure PIX Firewall
High Availability Service Requirement:

Provide a stateful-aware security function between the front-end Web servers and the back-end database and application servers.

Recommendations:

· Install Cisco Secure PIX Firewalls in a redundant configuration to take full advantage of the stateful failover functionality.
· Install the PIX Firewalls with both the dedicated failover serial cable and a dedicated Ethernet cable between them to facilitate the state synchronization between them.
· Open essential services only through the firewalls. The Web servers are the only devices that need to originate traffic destined through the PIX Firewalls. The only service that is required between front-end Web servers and back-end systems uses TCP port 1433. All other services should be denied.
· Connect the "inside" interfaces of the firewalls to the application and database servers. Configure the Web servers as part of the "outside" domain.

Service Function:

In this e-commerce framework, a pair of PIX Firewalls is set up in the main site such that one is active and the other one is standby. All traffic is sent to the active PIX for checking and handling. Only in the event of the primary PIX device or link failure does the standby PIX become active.

Microsoft SQL Server
High Availability Service Requirement:

Provides resilient database services for the e-commerce applications.

Recommendations:

· Deploy a duplicate database server with fully replicated components. This configuration removes any single point of failure within the database service.
· Partition the data served by the back-end servers or partition the logical services provided by the back-end systems into functionally specialized systems. This configuration allows for a distribution of service loads while providing higher availability by not having one particular server totally responsible for all services.
· Windows Cluster Service (see Appendix – Microsoft Reference for further information)

Service Function:

Back-end systems are more challenging to make highly available, primarily because of the data or state they maintain. They are made highly available by using failover-clustering technology. Microsoft Cluster Services enable multiple servers to share resources such as SQL Server databases and storage subsystems. The servers in a cluster use a dedicated NIC to detect failed applications or servers by sending periodic messages ("heartbeats") over a dedicated LAN. In the event of a failed server, ownership of resources (such as disk drives and IP addresses) is automatically transferred to a surviving server and the failed server's workload is restarted on the new server.
The basis of partitioning can be by object (such as mailboxes, customer accounts, or product lines), temporal (for example, by day or quarter) or random. A replica of the data can also increase the high availability of a site by being available at a remote geographic location.
Partitioning the logical services provided by the back-end systems into functionally specialized systems is another model for high availability. Dedicating specific servers to task-specific services, such as searching or order entry, isolates the services from each other. For example, a failure in the searching service does not result in a failure in the order entry service.
All three partitioning approaches require software that routes the request to the appropriate data partition or specialized server. Typically, the Web server runs this application logic. It is coded to know about the location of the relevant data, and based on the contents of the client request, client ID, or a client-supplied cookie, it routes the request to the appropriate server where the data partition is located. It also knows the location of any functionally specialized servers and sends the request to be processed there. This application software facilitates stateful load balancing. Software also needs to be developed to manage the splitting and merging of partitions so that the load can be evenly spread across all of the partitions, thus avoiding any single partition becoming a hot spot. Microsoft SQL Server 2000 provides enhanced support for partitioned databases. Cloning and partitioning, along with functionally specialized services, enable these systems to have an exceptional degree of scalability by growing each service independently.
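A minimal version of the partition-routing logic described above, written here as an added illustration rather than code from the Cisco/Microsoft framework: the Web server takes the customer ID from a cookie, maps it to the back-end server that owns that ID range, and can split or merge ranges so that no partition becomes a hot spot. The `custid` cookie name, the server names and the ID ranges are constructed for the example. It also serves the stateless front-end point made earlier under IIS, since any front-end server can run this lookup for any request.

```python
import bisect
from dataclasses import dataclass


@dataclass
class Partition:
    low: int            # first customer ID in the range (inclusive)
    high: int           # last customer ID in the range (inclusive)
    server: str         # back-end server that owns this range of customer data
    requests: int = 0   # requests routed here so far; used to spot hot spots


class PartitionMap:
    """Maps a customer ID to the back-end server that owns that customer's data.

    Ranges are kept sorted and non-overlapping so that a lookup is a binary
    search, and split/merge keep the map consistent while load is rebalanced.
    """

    def __init__(self, partitions):
        self.parts = sorted(partitions, key=lambda p: p.low)
        for a, b in zip(self.parts, self.parts[1:]):
            if a.high >= b.low:
                raise ValueError("partition ranges overlap")

    def _index(self, customer_id):
        lows = [p.low for p in self.parts]
        i = bisect.bisect_right(lows, customer_id) - 1
        if i < 0 or customer_id > self.parts[i].high:
            raise KeyError(f"no partition owns customer {customer_id}")
        return i

    def route(self, customer_id):
        """Return the back-end server for customer_id and record the hit."""
        part = self.parts[self._index(customer_id)]
        part.requests += 1
        return part.server

    def split(self, customer_id, new_server):
        """Move the IDs above customer_id out of its partition onto new_server."""
        i = self._index(customer_id)
        part = self.parts[i]
        if customer_id >= part.high:
            raise ValueError("nothing above customer_id to split off")
        upper = Partition(customer_id + 1, part.high, new_server)
        part.high = customer_id
        self.parts.insert(i + 1, upper)
        return upper

    def merge(self, customer_id):
        """Fold the partition that follows the one owning customer_id into it."""
        i = self._index(customer_id)
        if i + 1 >= len(self.parts):
            raise ValueError("no following partition to merge with")
        nxt = self.parts.pop(i + 1)
        part = self.parts[i]
        part.high = nxt.high
        part.requests += nxt.requests
        return part

    def hot_spots(self, share=0.5):
        """Return the servers carrying more than `share` of all routed requests."""
        total = sum(p.requests for p in self.parts)
        return [p.server for p in self.parts if total and p.requests / total > share]


def customer_id_from_cookie(cookie_header):
    """Pull the customer ID out of a Cookie header such as 'custid=1042; lang=en'.

    The cookie name 'custid' is a constructed convention for this example.
    """
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if name == "custid" and value.isdigit():
            return int(value)
    raise ValueError("no custid cookie; the client must be assigned one first")


def build_sample_map():
    """Constructed sample layout: three back-end servers, one customer-ID range each."""
    return PartitionMap([
        Partition(1, 9999, "sql-a"),
        Partition(10000, 19999, "sql-b"),
        Partition(20000, 29999, "sql-c"),
    ])


if __name__ == "__main__":
    pmap = build_sample_map()
    for cookie in ("custid=42", "custid=15000; lang=en", "custid=29999"):
        print(cookie, "->", pmap.route(customer_id_from_cookie(cookie)))
    pmap.split(5000, "sql-d")      # relieve sql-a: customers 5001..9999 now live on sql-d
    print("customer 7500 ->", pmap.route(7500))
    print("hot spots:", pmap.hot_spots())
```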

Scalability

The scalability of an e-commerce solution is another major concern for the enterprise. All too often e-commerce services become vastly popular in a relatively short period of time, driving site load to unexpected levels. When such sites become heavily loaded, it is not feasible to have maintenance windows so that the site can be expanded to handle a larger volume of transactions. For this reason, it is important to provide a scalable infrastructure from the start, allowing incremental updates to site capacity without interrupting the daily transaction volumes.

The Cisco and Microsoft joint e-commerce solution allows for gradual increases in capacity without service disruption. The key to providing a scalable service is the ability to increase capacity while maintaining the functional characteristics of the original design. In addition, capacity cannot be added if it might compromise the high availability of the overall service.

Cisco DistributedDirector
Scalability Service Requirement:

Provide a global load-balancing function as a single site is expanded into multiple distributed sites.

Recommendations:

· Use the DistributedDirector (DD) only when deploying a distributed e-commerce architecture
· Deploy at least two DistributedDirectors. You can deploy both DDs at the main site, but a better solution is to deploy one of the DDs at a distributed site to provide higher availability.

Service Function:

The e-commerce solution has two basic scaling methodologies. One approach is to grow a single site by adding more network components, bandwidth, and servers. Another approach is to scale horizontally by building multiple sites. The latter approach is harder to achieve yet offers the added benefits of disaster recovery and generally higher overall availability. The DistributedDirector helps in the latter scenario by strategically distributing client connection load among geographically dispersed sites through a DNS facility. A client's proximity is compared to the known locations of the distributed sites to determine the closest facility to which to route the request. After this site is determined, the client is directed to that site via a DNS response from the DD containing the address of the virtual IP within that site.

Cisco IOS-Powered 7200 Series Internet Router
Scalability Service Requirement:

Provide a scalable interconnection to one or many different ISPs, as additional bandwidth is required.

Recommendations:

· Create multiple paths through the network infrastructure for higher availability and make use of these paths to allow for load sharing and higher scalability through routing protocol load balancing.
· In this e-commerce framework, External BGP (EBGP) must run on the border routers. EBGP propagates the local IP network routes to the interconnected ISPs, allowing path discovery to the e-commerce site. By exchanging full Internet BGP routes with all ISPs, the border routers can determine the best return path and thereby offer the quickest response to the customer.
· Run internal BGP (IBGP) between both border routers and both Multilayer Switch Feature Cards (MSFCs) within the Catalyst 6500 Switches to allow for optimal return path determination through an optimal ISP.

Service Function:

In order to propagate local IP network routes to the chosen ISPs, you must run EBGP between the e-commerce site and the ISP edge routers. By doing so, the ISP routers learn and propagate the IP network information associated with the e-commerce site. In addition, the border routers within the e-commerce site learn the entire Internet routing table so that they can collectively determine the optimal path for return traffic to a client. This BGP routing table can also be exchanged with the MSFCs within the Catalyst 6500 Switches to allow them to make an optimal decision on which uplink to use to forward traffic back to the clients. With all four routers, namely the two border routers and the two MSFCs, exchanging BGP information, load balancing can be achieved across ISPs in an optimal fashion.

Cisco Cache Engine
Scalability Service Requirement:

Provide additional plug-and-play Web capacity for static content.

Recommendations:

· Evaluate the composition of the Web server content to determine the amount of static content. If the static content is excessive (graphics, and so forth) and the existing Web servers are heavily utilized, install a caching solution to reduce the load on the Web servers.
· If you are installing a caching solution, create a Web cache cluster using WCCP version 2 and continually add additional cache engines as necessary to increase overall capacity.

Service Function:

Cache engines provide an effective way to increase scalability in an e-commerce site and improve the perceived performance to the clients without excessive cost. Cache engines are implemented in front of the Web servers, thereby offloading connections. The use of cache engines front-ending Web servers is known as a reverse-proxy arrangement. The Cisco WCCP protocol is implemented in both Cisco's Cache Engine products and Cisco IOS-based routers. Both routers and Cisco Cache Engines communicate with each other using WCCP. Specifically, when an HTTP connection request arrives at a WCCP-enabled router, the router forwards it to one of the Cisco Cache Engines in the cluster. If the Cisco Cache Engine already has the URL cached, it sends back the objects directly to the client thereby offloading the 'real' Web server. Otherwise, it fetches the object on behalf of the client and then responds back to the client.

Cisco Catalyst 6500 Multilayer Switch
Scalability Service Requirement:

Provide a highly scalable Ethernet interconnect for all servers, network appliances, and routers.

Recommendations:

· Deploy Catalyst 6500 Multilayer Switches. The Catalyst Switches will offer many upgrade options to provide additional capacity in the future as the e-commerce site grows.

Service Function:

The multilayer switching component of the e-commerce solution offers vast performance and bandwidth capacity. The Catalyst 6500 Multilayer Switch in its basic configuration offers 32 Gbps of switching capacity, which translates to approximately 15 million pps. This represents an extraordinary amount of capacity relative to other devices in the configuration and will not need to be considered for additional performance upgrades for quite some time in most cases.

Cisco LocalDirector
Scalability Service Requirement:

Provide scalable server load-balancing services that allow additional servers to be added to the load-balancing function without interruption of service.

Recommendations:

· Use the 'least connections' predictor algorithm on the LocalDirector to ensure that the available 'real' servers are used most efficiently.
· Enable the TCP Slow-Start feature of the LocalDirector to protect newly added servers from being overwhelmed by a large number of initial connections when they are put into service.

Service Function:

For server load balancing, the ability to easily add new servers into the pool is mandatory. Not only must this be an easy process, the configured predictor must incorporate the new servers into the algorithm quickly and efficiently. The LocalDirector distributes traffic to servers offering the same content and applications fairly and efficiently using the preconfigured predictor. It load balances traffic to the real servers and helps to avoid server-overloaded situations. Additional servers can be added without disrupting servers already in service.

Microsoft Internet Information Services 5.0 (IIS)
Scalability Service Requirement:

Provide a scalable architecture for e-commerce application deployment.

Recommendations:

· Deploy specific functions associated with the e-commerce application (browsing, searching, purchasing, and so forth) on function-specific pools of servers. By increasing the number of Web servers within specific groups, you can increase the capacity of a specific function. The concept of pooling together servers providing a common function is referred to as grouping them into Web clusters, and using a load-balancing system is the principal technique for increasing the number of clients supported. Applications designed to support a stateless environment enable scalability, both vertical and horizontal, because successive connections can land on any available server without regard for previously stored state.
· Process asynchronously whenever possible. Most Web requests are synchronous in that they arrive, are processed, and return. Requests that demand extended processing time are difficult to scale because of the limited resources available on a server. If too many of these types of requests are received then the server will become overloaded. Accepting the request and placing it into a queue for later processing allows the work to be throttled and avoids server overloading.

Service Function:

Web servers in the front end of the e-commerce infrastructure are assigned based on the specific e-commerce client task they perform. For each task such as browsing, searching, and ordering, a dedicated group of mirrored servers is assigned to provide the e-commerce function. The LocalDirector load balancer distributes connections among the various mirrored servers. As a particular e-commerce function requires more capacity, more mirrored servers are added to the load-balancing algorithm.

Microsoft SQL Server
Scalability Service Requirement:

Provide scalable and resilient database services that can be expanded with minimal impact to the e-commerce service.

Recommendations:

· Arrange multiple Microsoft SQL Servers in a clustered arrangement. The clustering capabilities of Windows 2000 Advanced Server enable multiple SQL Servers to be configured to represent one virtual address that provides both high availability and scalability for the e-commerce solution.
· Use multiple NICs within the back-end servers and disk storage with RAID technology, which allows for scaling while maintaining the high availability attributes.
· Add more memory and more processors to a multiprocessor system to vertically scale the capacity of back-end systems. The Windows 2000 Advanced Server operating system supports up to 8 CPUs and 8 gigabytes of memory. For even more power, Windows 2000 Datacenter supports up to 32 CPUs and 64 gigabytes of memory. However, at some point it may become undesirable to have so much data dependent on the availability of a single system. At that point, it is necessary to horizontally scale the back-end systems by partitioning the data they serve or partitioning the logical services they provide, as described in the high availability section.
· Separate Online Transaction Processing (OLTP) systems from Online Analytical Processing (OLAP) systems. Although both types of systems are used in the e-commerce solution, supporting both services simultaneously on a common system negatively impacts scalability.
· SQL Server Replication (see Appendix – Microsoft Reference for further information)

Service Function:

The scalability of database services must be designed into the e-commerce site from the beginning. Transactions must efficiently access data while minimizing the level of contention with each other.

Security

Security is one of the most important aspects of an e-commerce solution. Without tight security, confidential customer information such as credit card numbers and complete home addresses can be compromised. Any security breach results in much lower customer confidence in the e-commerce service, followed by a substantial loss of business. However, there is a balance between security and the usability of the site. Too much security can lead to very poor performance and a virtually unusable site. For this reason, the joint e-commerce solution proposes a security solution that is sufficient in most e-commerce cases. There will always be varying degrees of integrated security based on the enterprise's comfort level. However, the site is designed in such a way that additional security can be added if required.

The key components of a security solution are ranked in their order of ease of deployment and relative security strength. Those solutions that are typically easy to deploy might not provide an adequate level of security on their own. The best security solution comprises a combination of security options with the ability to add more in the future. The three main network components of an e-commerce security solution include:

  • Extended Access Control Lists (ACLs) on routers
  • Cisco IOS Firewall Feature Set (FFS)
  • Cisco Secure PIX Firewalls

These three network security components are explained in the next section and are in addition to host-based security within the Microsoft components of the e-commerce solution.

Cisco IOS-Powered 7200 Series Internet Router
Security Service Requirement:

Provide an initial line of defense against extraneous traffic entering the e-commerce site.

Recommendations:

· Apply tight Extended ACLs on the inbound interfaces of the routers. These ACLs need only allow traffic that is relevant to the e-commerce site.
· Using ACLs, deny any traffic destined to the routers themselves, with the exception of BGP traffic (TCP/179), which should be permitted only if sourced from the adjacent ISP routers.
· Do not allow ICMP to transit the router. Support for the ping command and similar capabilities is not really necessary and can lead to potential attacks.
· Install a "spoofing" ACL to prevent traffic from entering the data center that is structured to appear as if it was sourced from the data center.
· Secure the console interface on the routers themselves with logins and passwords. A better solution is to use an AAA server (Tacacs+ or Radius) to authenticate and account for those administrators who log into the router consoles. Use Kerberos or SSH to access the router console.
· Allow only TCP/80 (HTTP), TCP/443 (SSL), and UDP/53 (DNS) to enter the data center. If customized applications are developed that allow the clients to perform additional actions such as FTP, adjust the ACLs.
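The six recommendations above expressed as an ordered filter policy, added here as an example and not taken from the lab configuration in the appendix: `filter_inbound` evaluates constructed packets in the same order an ACL would (anti-spoofing first, then router self-protection with BGP from adjacent peers only, then no ICMP, then the permitted services), and `ios_acl` renders the same policy as the equivalent Cisco IOS named extended ACL. The 192.0.2.0/24 site prefix, the 203.0.113.x router and peer addresses and the ACL name are assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing for this example (not the lab's real addresses).
DATA_CENTER = ip_network("192.0.2.0/24")      # e-commerce site prefix advertised via BGP
ROUTER_IF = ip_address("203.0.113.2")         # the border router's ISP-facing interface
ISP_PEERS = {ip_address("203.0.113.1")}       # adjacent ISP routers allowed to speak BGP
SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # the only client-reachable services
BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # destination port; unused for icmp


def filter_inbound(pkt):
    """Decide the fate of a packet arriving from the ISP, applying the
    recommendations in order: anti-spoofing, protection of the router itself
    (BGP from adjacent peers only), no ICMP, then the permitted services.
    Returns (verdict, reason)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in DATA_CENTER:
        return "deny", "spoofed: source claims to be inside the data center"
    if dst == ROUTER_IF:
        if pkt.proto == "tcp" and pkt.dport == BGP_PORT and src in ISP_PEERS:
            return "permit", "BGP session from an adjacent ISP router"
        return "deny", "traffic addressed to the router itself"
    if pkt.proto == "icmp":
        return "deny", "ICMP may not transit the router"
    if dst in DATA_CENTER and (pkt.proto, pkt.dport) in SERVICES:
        return "permit", f"{pkt.proto}/{pkt.dport} to the e-commerce site"
    return "deny", "not a permitted e-commerce service"


def ios_acl(name="FROM-ISP"):
    """Render the same policy as a Cisco IOS named extended ACL.

    IOS evaluates entries top-down and stops at the first match, so the
    anti-spoof deny must come first and the final explicit deny logs the rest.
    """
    net, wild = DATA_CENTER.network_address, DATA_CENTER.hostmask
    lines = [f"ip access-list extended {name}",
             f" deny   ip {net} {wild} any"]
    for peer in sorted(ISP_PEERS):
        lines.append(f" permit tcp host {peer} host {ROUTER_IF} eq {BGP_PORT}")
    lines.append(f" deny   ip any host {ROUTER_IF}")
    lines.append(" deny   icmp any any")
    for proto, port in sorted(SERVICES):
        lines.append(f" permit {proto} any {net} {wild} eq {port}")
    lines.append(" deny   ip any any log")
    return lines


def sample_packets():
    """Constructed traffic mix seen on the ISP-facing interface."""
    return [
        Packet("tcp", "198.51.100.7", "192.0.2.10", 80),      # shopper browsing: permit
        Packet("tcp", "198.51.100.7", "192.0.2.10", 443),     # checkout over SSL: permit
        Packet("udp", "198.51.100.9", "192.0.2.53", 53),      # DNS to the site: permit
        Packet("tcp", "203.0.113.1", "203.0.113.2", 179),     # BGP from the adjacent ISP: permit
        Packet("tcp", "198.51.100.7", "203.0.113.2", 179),    # BGP from a non-peer: deny
        Packet("tcp", "198.51.100.7", "203.0.113.2", 23),     # Telnet to the router: deny
        Packet("icmp", "198.51.100.7", "192.0.2.10"),         # ping into the site: deny
        Packet("tcp", "192.0.2.50", "192.0.2.10", 80),        # spoofed inside source: deny
        Packet("tcp", "198.51.100.7", "192.0.2.10", 21),      # FTP into the site: deny
    ]


def verdicts(packets):
    """Just the permit/deny decisions, in input order."""
    return [filter_inbound(p)[0] for p in packets]


if __name__ == "__main__":
    for p in sample_packets():
        verdict, why = filter_inbound(p)
        print(f"{verdict:6} {p.proto}/{p.dport or '-'} {p.src} -> {p.dst}: {why}")
    print("\n".join(ios_acl()))
```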

Service Function:

The function of the front-end routers is to filter extraneous traffic. Although you might need to permit several TCP/UDP ports using ACLs, at a minimum you must permit HTTP (TCP/80), SSL (TCP/443), and DNS (UDP/53). Other traffic such as ping, Telnet, and FTP is not required and should be denied. In addition, take special precautions to secure the routers themselves. Do not allow login ability from the "outside" network. Use security technologies such as Tacacs+/Radius, SSL/Kerberos, and others to secure and account for access to the router consoles.

Cisco Catalyst 6500 Multilayer Switch
Security Service Requirement:

Provide a secure environment for interconnection of all network appliances, routers, and servers.

Recommendations:

· In addition to applying ACLs to the router interfaces, apply wire-rate ACLs to the switch as a secondary security measure.
· Use private VLANs as another useful feature to strengthen security. A private VLAN offers additional security by preventing network traffic sourced from one server from reaching another, all while remaining a single VLAN. Put individual Web servers that do not need to communicate with one another into isolated ports within the private VLAN that can still communicate with the router ports. Such segregation is a backup measure if one server is compromised.
· Secure the console access to the switches through the use of an AAA service involving Tacacs+ or Radius.

Service Function:

The Catalyst Multilayer Switches serve as a second line of defense against unwanted traffic. At a minimum, ACLs that provide the same sort of function as those within the routers can be applied within the Catalyst Switch. ACLs applied within the switch do not pose any performance degradation because they run at wire speed. In addition, you must take special precautions to fully secure the console access to the switches themselves through AAA services.

Cisco LocalDirector
Security Service Requirement:

Provide server load-balancing services in a secure manner to the front-end Web servers while assisting in the protection from malicious activity reaching the 'real' servers.

Recommendations:

· Use specific port mapping when creating a virtual IP address, a "real" server designation, and a binding of the two. The object is to allow only TCP port 80 for Web traffic or TCP port 443 for SSL traffic. All other traffic is refused.
· Use the alias command, which enables you to hide the addresses of the real servers from the outside world regardless of whether you are using the dispatched or directed mode of SLB.
· Implement the SynGuard feature, which limits the number of "orphaned" TCP connections that can be present at one time. Excessive orphaned TCP connections indicate malicious activity. An orphaned TCP connection is one where the initial TCP three-way handshake does not fully complete and resources are left hanging open on the server to which the orphaned connection is destined.

Service Function:

The SLB function of the LocalDirector can have a level of security associated with it using some of the inherent features. One of the main functions of the SLB device from a security perspective is to hide the addresses of the 'real' servers from the outside world. This prevents directed attacks to the real servers themselves. In addition, commands that create VIPs and map VIPs to real servers can be specified to allow only specific TCP ports. This is an important filtering feature, which prevents connections to extraneous ports from reaching the 'real' servers.

Microsoft Internet Information Services 5.0 (IIS)
Security Service Requirement:

Provide a secure system environment to host the e-commerce application.

Recommendations:

· Make full use of host-based network security components when building the server. Services like SSL, Web-server-based authentication, and host-based IP filtering offer strong security.
· Fully harden host-based user security: tighten directory and file permissions, and remove unnecessary user accounts and services.
· Deploy the servers using a remote Keyboard/Video/Mouse (KVM) device and remove all local keyboards, monitors, and mice.
· Grant database access to the Web service's account instead of hard coding a login or, worse yet, reading the login from a file or the registry.
· Windows Security Services (see Appendix – Microsoft Reference for further information)

Service Function:

Individual hosts must be fully secured before any application components can be installed. Several Microsoft documents describe best practices to "harden" a server running Windows 2000 and IIS prior to installing applications. The servers themselves also offer many network-based security features, such as address and port filtering, that further augment the network infrastructure security components.

Cisco Secure PIX Firewall
Security Service Requirement:

Provide a high level of stateful-aware security between the front-end Web servers and the back-end database and application servers.

Recommendations:

· Use PIX Firewalls in front of the back-end servers to create a secure zone and protect the most valuable customer data.
· Configure the PIX Firewalls such that the "inside" interface is connected to the database and application servers, and the "outside" interface is connected to the front-end Web servers.
· Translate the inside addresses using NAT to hide them from the outside world.
· Do not allow ICMP (ping) through the firewalls.
· Implement Floodguard on the PIX Firewalls to reduce the effects of orphaned TCP connections (see the LocalDirector configuration above).
· Allow only trusted stations to access the PIX Firewall. Trusted stations must be known by the PIX and authorized through a rule set to access the PIX console.

Service Function:

The PIX Firewalls provide a stateful-aware boundary between the front-end Web servers and the back-end database and application servers. This piece of the design is critical because the most crucial and private data is stored in the back end. Using the PIX Firewalls, specific policies are installed to only allow communication between the front-end Web servers and the back-end database and application servers. Under no circumstances should any rules allow connectivity from the outside world to anything behind the firewalls. Using NAT, the addresses of the back-end servers are hidden from the outside world.

Microsoft SQL Server
Security Service Requirement:

Provide a secure system environment to host Microsoft SQL Server databases.

Recommendations:

· Use Windows-based security instead of SQL Server-based security.
· Limit access into production, especially from development.
· SQL Server Security (see Appendix – Microsoft Reference for further information)

Service Function:

Just like the Web servers, servers configured to host the Microsoft SQL Server database services must be "hardened" prior to any application installation. Documents located on the Microsoft Web site provide more details on hardening a Windows 2000 server and SQL Server.

E-Commerce Lab Environment

The following diagram shows the physical layout of the joint Cisco and Microsoft e-commerce infrastructure. The lab includes one main site and a satellite site. The main site is fully redundant and serves as the repository for all e-commerce transaction data. The purpose of the satellite site is to scale the front end of the e-commerce service to support additional users. Clients of an e-commerce service spend a long time browsing product or service offerings. The browsed Web content is typically static and can be replicated and pushed to remote sites called satellites. With the ability of the distributed client base to access such static content within close proximity, the overall client experience becomes more enjoyable. Any transactions or requests for dynamic data at the satellite site are backhauled through a private network to the main site.

The following sections detail the configuration of the e-commerce infrastructure tested by Cisco and Microsoft in the lab.



Figure 6 E-Commerce Lab Network

Connectivity Analysis

To better understand the network topology used in the lab, a detailed connectivity analysis is provided below.

When a client on the Internet wants to connect to the e-commerce site, it must first resolve the DNS name of the site itself. In this case, the site is named www.duwamishbooks.com. The device that ultimately provides this address resolution is the DistributedDirector (DD1). The DistributedDirector evaluates the proximity of the client to the two data centers (main and satellite) and returns the IP address of the closest center. The IP address that is returned is that of the primary LocalDirector. For the case where the main site is chosen, the returned address is the virtual IP address in the LocalDirector (LD1), which represents the series of "real" front-end Web servers.

After the client has resolved the IP address, it must connect to the virtual IP address on the LocalDirector (LD1) through the Internet. The front-end routers (R1 and R2) advertise the IP address of the e-commerce network to the Internet via BGP. A connection request from the client travels through the Internet towards the front-end routers. The front-end routers verify that the packet is for a valid protocol (HTTP, SSL, or DNS) and pass the packet to the Catalyst Switch (S1 or S2). The Catalyst Switches (S1 and S2) also propagate the IP network of the virtual IP address to the front-end routers via BGP.

The Catalyst Switches run WCCP, which allows Web requests to be redirected to available cache engines. In this case, an HTTP request to TCP port 80 is recognized by the Catalyst Switch and tunneled via a Generic Routing Encapsulation (GRE) tunnel to the Cache Engine (CE1). If the Cache Engine does not have the requested content, the Cache Engine acts on behalf of the client and requests the content from the actual Web servers. To accomplish this, the connection is passed to the primary LocalDirector (LD1) through the Catalyst Switch (S1).

Now that the connection has arrived at the LocalDirector (LD1), the LocalDirector must make a load-balancing decision on which "real" Web server to forward the connection to. After the decision is made, the connection is passed to a Web server running Microsoft IIS and e-commerce applications.

If the Web or application server needs to retrieve data from the database, it makes a call to the database server through the PIX Firewall (PIX1). The PIX Firewall verifies that the connection attempt is to a valid port (SQL defaults to 1433) and a valid source address (Web server) and passes the connection to a Microsoft SQL Server.

After data is returned to the Web or application server, the server must form the Web page and pass the data back to the client. The default route on the Web or application server is set to return data to the default gateway. However, in this scenario, the client has now been masked to look like the Cache Engine (CE1). The data is passed to the Cache Engine through the Catalyst Switch (S1).

The Cache Engine (CE1), now having received the data, caches the data (if possible) and passes the response back to the client through the Catalyst Switch (S1). When the Catalyst Switch (S1) receives the data from the Cache Engine, it uses its BGP routing table to determine the best front-end router to which to pass the data. When the router has been chosen, the data is passed to the front-end router and through the Internet back to the client.

The previous passage describes the typical client request procedure and the function performed by each device. The previous diagram of the lab layout, combined with the device configurations in the appendix, provides the complete picture of the lab configuration and operation.

Configuration Details

The configuration details provided highlight specific aspects of each network device. The entire configuration files of each device are presented in the appendix.

Cisco DistributedDirector

The Domain Name Service (DNS) mode of the DistributedDirector was used in this framework architecture. The DistributedDirector is used to load balance connections between the main site and the satellite site by responding to client DNS requests with specific addresses of the main site or the satellite site.

A primary DNS server for the test domain 'duwamishbooks.com' was set up using the Cisco Network Registrar (CNR) product. This name server refers a recursive DNS request from the client's local DNS server to the DistributedDirector, which serves as the authoritative name server for the www.duwamishbooks.com subdomain. From configured and discovered network metrics, the DistributedDirector resolves the address of www.duwamishbooks.com to the address of a LocalDirector virtual IP address at the main site or the satellite site depending on which one is a better choice for the client. The LocalDirector can then direct the client to one of the Web servers in the Web farm to balance the load on the servers.



Figure 7 DistributedDirector Processing Flow

The desired configuration of the DistributedDirector was achieved using the following steps:

  • Specify main (forwarder) DNS name server for the duwamishbooks.com domain:

    ip name-server <name of CNR server> <IP address of the CNR server for duwamishbooks.com>

  • Define the virtual host name to be used for the site:

    ip director host <www.duwamishbooks.com>

  • Define IP addresses of the remote servers and associate them with the virtual host name:

    ip host <name> <IP address of LD for main site> <IP address of LD for the satellite site>

  • Add a start of authority (SOA) record that gives the director authority for the subdomain:

    ip DNS primary <www.duwamishbooks.com> SOA <primary> <contact> [refresh [retry [expire [ minimum ]]]]

Cisco Cache Engine

The Cache Engines provide content caching services in what is referred to as a reverse-proxy function. This means that the Cache Engines store copies of static Web content that can be served to clients alleviating the need to forward the connection request to the actual real servers. In order to configure the caching service, a relationship must be established between the Cache Engines themselves and routers that are enabled for WCCP. The following commands are configured on the Cache Engines:

  • Create a list of routers that will forward requests to this Cache Engine:

    wccp router-list

  • Apply the router lists to the Web-cache service:

    wccp reverse-proxy router-list-number

  • Set the WCCP version:

    wccp version 2

Cache Engine support must also be enabled on routers:

  • Enable the global command:

    ip wccp 99

  • Enable WCCP on the router interface:

    ip wccp 99 redirect

Cisco LocalDirector

The LocalDirector is used to load balance client connections to servers offering identical content. There are several steps required to configure the LocalDirector. The following list presents the steps and the associated LocalDirector commands:

  • Define a virtual server:

    virtual

  • Define real servers:

    real

  • Put servers in service:

    in-service

  • Associate each virtual server to a real server:

    bind

  • Define algorithm for load balancing:

    predictor

In the stateful failover configuration scenario, the hardware and software configuration of the two LocalDirector units must be exactly the same. This means not only the software version but also the software configuration must be identical. To ensure that the configuration is identical, you only need to configure the primary unit. The secondary unit is synchronized with the primary when the two are connected via the failover cable and the primary unit is rebooted. Forcing updates from the active LD achieves the same result.

Microsoft Internet Information Services

Microsoft Internet Information Services (IIS) processes requests from Web clients.

The Web cluster in the front-end network consisted of six Compaq ProLiant 1850R servers, each with a single Intel Pentium III 500MHz processor; 256MB RAM; a RAID level 0 disk array; and three 100- Mbps NICs. One NIC was connected to the front-end network, the second NIC was connected to the database server on the back end through a firewall on the network, and the third NIC was connected to the isolated management network.

Each of the servers was running Windows 2000 Advanced Server, IIS 5 Web Server, Microsoft Distributed Transaction Coordinator service, the Duwamish Books application's presentation and workflow layers, and Terminal Services to allow remote logins. Norton's Ghost and the Microsoft SysPrep utility were used for cloning server configurations.

The TCP/IP configuration of the network interface connected to the front-end network included the virtual IP address within the LocalDirector as a secondary IP address. This is necessary when the LocalDirector uses the dispatch mode of load balancing in order that the server itself will accept packets that are destined to the IP address associated with the virtual IP address but the MAC address of the server.

The Web servers hosted the Workflow Layer (WFL) layer components of the Duwamish Books application, while the database server on the back-end network hosted the Business Logic Layer (BLL) and the Data Access Layer (DAL).

Cisco Secure PIX Firewall

The PIX Firewalls are used to secure connections between the front-end Web servers and the back-end database and application servers. Several steps are required to configure the PIX Firewalls. The following list presents the steps and the associated PIX commands:

  • Set up a global address pool for inside hosts to access outside hosts using NAT:

    global (outside)

  • Set up internal addresses that can use addresses from the global NAT pool:

    nat (inside) 1 0.0.0.0 0.0.0.0

  • Assign a static address translation to allow the outside Web server to access inside resources:

    static (inside,outside)

  • Permit specific applications to pass through the firewall from the outside Web servers:

    conduit permit

Like LDs, the two PIX Firewalls must have identical hardware and software configurations and versions. You only need to configure the primary unit and synchronize the two firewalls afterwards.

Microsoft SQL Server

Microsoft SQL Server is used to store the e-commerce data.

The back-end network consisted of a single Compaq ProLiant 1850R server with a single Pentium III 500 MHz processor, 512MB RAM, and (3) 100-Mbps NICs. The server ran Windows 2000 Advanced Server with Microsoft SQL Server 7.0 Enterprise Edition (Service Pack 1) and English Query.

Due to hardware constraints, the configuration did not use a SQL cluster with RAID shared disks for failover support as a real world system would typically support.

Also, the Duwamish Books application did not use data partitioning as a real world production system might use to increase scalability.

Test Configuration and Methodology

Test Application

Duwamish Books is a sample sales and inventory system that illustrates many of the features common to three-tier applications designed and built using Windows distributed internet application architecture. It is beyond the scope of this document to go into the details of Duwamish Books application or designing a generic Web application using the Microsoft products and technologies; several references listed in the appendix can be used for that purpose. The purpose of providing the following short description of components of the Duwamish Books sample application is to help you with the interpretation of the test results.


The Duwamish Books Phase 4 application consists of:

  • A Presentation Layer that can be customized to support browser clients with varying levels of HTML conformance. The test environment consisted of clients running the Microsoft Web Application Stress tool using Internet Explorer 5. For this type of client, the Duwamish Books application leverages the built-in XML support in IE5 to reduce server-side processing considerably, thereby increasing Web site performance. At the same time, response time perceived by clients is improved by eliminating unnecessary round trips to the server. The client fetches data from the server into non-visible HTML elements, such as a DIV element or an XML data island. This is reformatted into HTML using an XSL style sheet and rendered in the browser.
  • A stateful Workflow Layer that consists of a component that transforms data from ADO record sets received from the Business Logic Layer into XML, caches static data (such as list of book titles for a particular category) in the Web server memory using a high-performance C++ COM component, and stores user context data for the current session as XML.
  • A stateless Business Logic Layer that handles the transactional work for the Workflow Layer. Because the transactional resources are acquired through the BLL, the number of open transactional resources does not grow directly with the number of simultaneous workflow instances, offering scalability and usability advantages. This component also supports legacy clients from earlier phases of the Duwamish Books application.
  • A Data Access Layer that encapsulates the data access functionality leading to increased flexibility, maintainability, and security as compared to data access code being incorporated throughout the application.

Test Tools

Client Simulation

The Microsoft Web Application Stress (WAS) tool (see Appendix – Microsoft References for further information) was used to simulate multiple clients accessing the Duwamish Books application on the front-end Web farm. The script used for the tests simulated the user activity of browsing for the book titles in a specified category of books. The detailed HTTP calls this translates into are listed in the appendix.

All tests were run on eight clients, four of which were Compaq DeskPro EN with Intel Pentium III 500MHz processors and 256MB RAM running Windows 2000 Professional. The other four clients were Compaq ProLiant 1850R with Intel Pentium III 500 MHz processors and 256MB RAM running Windows 2000 Advanced Server. Each client used 5 threads with 8 sockets per thread (which simulates 320 users) to stress the Web application for 5 minutes using the test script. This configuration was optimal for generating maximum requests from the clients as equipped while not loading the clients beyond the point where the results become invalid as documented in the WAS tool documentation.

Recording Performance Statistics on Servers and Network Devices

Two new Windows NT® PerfMon Counter Logs were created to capture the parameters of interest on the Web servers and the database servers; these parameters are listed in the appendix along with the associated descriptions. The counter log was installed locally on each server and captured data in CSV format to a local file. Such a configuration was used to avoid skewing the test results because of the network and processor overhead of writing data to a central location while a test was in progress. At the end of each test, the data from all servers, the client stress tool, and the network devices was written to a central location.

An MFC application was developed that automated the collection of monitoring measurements from the network appliances. Using the WinSNMP API, the tool was configured to issue SNMP get requests at a specific time interval and log the results into a CSV file. The tool was used to collect router, switch, LocalDirector, and PIX Firewall monitoring measurements.

Traffic Flow

To better understand the design, tracing a traffic flow can be helpful. This diagram illustrates the sequence of traffic flows. An outline of the key steps follows the diagram.


Figure 8 Test Traffic Flow in E-Commerce Lab

  1. Client request for www.duwamishbooks.com is sent to the local DNS.
  2. Local DNS queries duwamishbooks.com's DNS server (the CNR) for the IP address of www.duwamishbooks.com.
  3. CNR refers the local DNS server to the DD, which is the authoritative name server for duwamishbooks.com.
  4. Local DNS queries DD.
  5. DD sends the resolved IP address back to the client's local DNS based on the configuration, which is the weight of each LD's virtual IP addresses in this case.
  6. Local DNS returns the virtual IP address of the LD to the client.
  7. Client connects to the IP address resolved as www.duwamishbooks.com.
  8. LD picks a Web server to forward the client request on to based on the configured predictor, which is least-connections in this case.
  9. If database access is needed, the Web server initiates a database query to the SQL Server using TCP port 1433. Database queries are directed to the active PIX Firewall. PIX Firewall examines each packet and determines whether to pass or drop it. If it is legitimate based on the rules configured, it is passed through the inside interface to the SQL Server for further action.
  10. The Web server, having received the data from the database, builds the page and sends it back to the client's Web browser.

E-Commerce Lab Test Results Back to Top

A series of tests were run to demonstrate the high availability and scalability of the E-Commerce Framework Architecture. The following list shows the tests for high availability. For scalability, the team tested the capability to add Web servers into the site.

  • Router power failover
  • Router uplink failover
  • Switch uplink failover
  • Switch power failover
  • DistributedDirector uplink failover
  • DistributedDirector power failover
  • Main site failover
  • LocalDirector uplink failover
  • LocalDirector power failover
  • PIX Firewall uplink failover
  • PIX Firewall power failover
  • Web server failover
  • Cache engine failover

Several snapshots from the charted results are displayed in the appropriate test results sections to illustrate highlights of the results. The results are not meant to demonstrate the optimum possibilities, but rather to show that the E-Commerce Framework Architecture provides high availability and scalability. Each chart shows the get requests per second for selected Web servers. The monitoring start time of each server was intentionally delayed to better show each server's activity. Without this delay, the graphs for each server generally overlap and blur into a single line.

High Availability Testing

Purpose:

To test the effect of induced network and system failures on overall service availability. High availability is measured in consideration of three perspectives, namely service, client, and network session state availability. Service availability considers the ongoing ability for clients to connect to the service. Client availability considers the ability of an individual client to maintain access to the service. Network session availability considers the ability of the state of an individual session to be maintained during failure.

Process:

The test script used for this test invoked a dynamic page on the Web server that simulates listing all book titles available in a particular category. This translates into six HTTP GET calls (one for the HTML constituting the page that displays a book category, one for the ASP page listing all titles in the category, and the four .gif files in the page). Eight client machines were used to simulate 320 users (5 threads per client sending requests over 8 sockets per thread) with no delay between successive requests. The LocalDirector load balanced the client requests between three Web servers. No caching was done on the cache engines.

Various components along the established data path were individually failed to test recovery and reestablishment of service availability. As each device failover is completed, the baseline traffic pattern must be reestablished. Measurements were taken to record the time for the failover and the network convergence time (including routing convergence and Spanning-Tree Protocol convergence).
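The failover times reported in the results below were read from the per-server "Get Requests/sec" counter logs. The following is an added example (not the lab's tooling) of how that number can be extracted from such a log automatically: it sums the per-server columns into farm-wide throughput, takes the median of the first few samples as the baseline, and reports every span during which throughput fell below half of that baseline. The CSV it parses is constructed inline; the 16-second gap in it is synthetic and only shaped like the router power failover result.

```python
"""Failover-duration analysis over a PerfMon-style counter log.

Added example, not the lab's tooling. The CSV below is constructed to mimic the
"Get Requests/sec" counters the page logged per Web server; the 16-second gap in it
is synthetic and merely shaped like the router power failover result."""
import csv
import io
import statistics
from typing import List, Tuple


def _build_sample_log() -> str:
    # One row per second for three Web servers; rows 10..25 model a device failover.
    rows = ["Time,web1,web2,web3"]
    for t in range(40):
        rates = (0, 0, 0) if 10 <= t < 26 else (81, 79, 80)
        rows.append(f"{t},{rates[0]},{rates[1]},{rates[2]}")
    return "\n".join(rows)


SAMPLE_LOG = _build_sample_log()   # constructed data, not lab measurements


def parse_log(text: str) -> List[Tuple[int, float]]:
    """Return [(second, farm-wide GET/s)] summed over every server column."""
    reader = csv.DictReader(io.StringIO(text))
    series = []
    for row in reader:
        t = int(row["Time"])
        total = sum(float(v) for k, v in row.items() if k != "Time")
        series.append((t, total))
    return series


def failover_windows(series, warmup: int = 5, threshold: float = 0.5):
    """Spans where farm throughput dropped below threshold x baseline.

    The baseline is the median of the first `warmup` samples, so a brief ramp-up
    or a single noisy sample does not define "normal". Returns (start, end, seconds)
    tuples; `end` is the first second at which service was back above the floor.
    """
    baseline = statistics.median(total for _, total in series[:warmup])
    floor = threshold * baseline
    windows, start = [], None
    for t, total in series:
        if total < floor and start is None:
            start = t
        elif total >= floor and start is not None:
            windows.append((start, t, t - start))
            start = None
    if start is not None:                      # log ended while still failed over
        last = series[-1][0] + 1
        windows.append((start, last, last - start))
    return windows


def longest_outage_seconds(text: str) -> int:
    """Headline number for a test run: the longest throughput gap in the log."""
    return max((secs for _, _, secs in failover_windows(parse_log(text))), default=0)


if __name__ == "__main__":
    print(failover_windows(parse_log(SAMPLE_LOG)))   # [(10, 26, 16)]
```

Summing the columns before thresholding is deliberate: during a Web server failover one column goes to zero while the farm total barely moves, which is exactly the "no service disruption" case, whereas a router or switch failover drops every column at once. Reading one server's curve on its own would count the former as an outage.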

Results:

The following diagram identifies the order of devices to be failed.


Figure 9 Availability Testing Steps

(1) Router power failover

With dual routers set up in the main site and both edge routers holding the full routing table, no router was a single point of failure. Loss of power on a router resulted in a failover time of 16 seconds. The HTTP GET requests per second graph on the Web servers showed only a slight impact during the failover, as the servers continued to process ASP requests from the queue while the failover happened. The failover was completely transparent to the clients, as shown by the error counts reported by the clients.



Figure 10 Router Power Failover Test Results

(2) Router uplink failover

The two routers in the main site each had one uplink to the ISP. BGP was running on these routers. When one uplink failed, another uplink carried all traffic to the main site. The resultant failover time was 12 seconds. Again, the impact on Web server performance was minimal and the failover was transparent to the clients.



Figure 11 Router Uplink Failover Test Results

(3) Switch uplink failover

The Catalyst Switches were dual-homed to the border routers in the main site. Neither switch uplink was a single point of failure.

The switch uplink failover time observed was 10 seconds.



Figure 12 Switch Uplink Failover Test Results

(4) Switch power failover

Switches in the main site are Catalyst 6500 Multilayer Switches with Multilayer Switch Feature Cards (MSFC). Multiple network components and servers are dual-homed to these switches. The Hot-Standby Routing Protocol (HSRP) is implemented on the MSFCs. If one switch fails, the other switch processes not only the traffic it carries normally but also the load that would otherwise be carried by the failed switch. The LD plays a role in this failover. It is configured with two virtual IP addresses, each representing the subnet of one server NIC (NIC card A and NIC card B on each server). Under normal circumstances, NIC card A is used. When the switch to which NIC card A connects fails, the LD forwards traffic to NIC card B.

Switch power failover time observed was 14 seconds.

(5) One DistributedDirector uplink failover in the main site

There are several record types in DNS. At the top level of a domain, the name database must contain a Start of Authority (SOA) record, which identifies the current version of the database and who has authoritative responsibility for the domain. In our testing, the DD contains the SOA record for the subdomain www.duwamishbooks.com. Therefore, it is important to maintain high availability for the DD. Dual Ethernet connections at the main site provided the needed failover capability for the DD there.

Failover time for one of the Ethernet uplinks was 14 seconds in our test.



Figure 13 DistributedDirector Uplink Failover Test Results

(6) DistributedDirector power failover

There are two DDs in this design, one at the main site and one at the satellite site. Each DD is the backup for the other, so that no DD is a single point of failure.

The failover time observed for power failure on the DD at the main site was 60 seconds.

(7) Main site failover

DDs at different sites ensure that clients know about geographically dispersed servers, provided that one DD is functioning normally. Director Response Protocol (DRP) queries or administrative weights can be used to determine the best server to serve client requests. The Cisco IOS Software supports DRP. DRP is a protocol for communicating between BGP border routers and the DDs. It provides metrics based on BGP AS path lengths, IGP metrics, Round Trip Time (RTT), and so forth.

It took 64 seconds for the main site to fail over to the satellite site during testing.

Note that Microsoft Internet Explorer 5.0 caches DNS entries with a timeout of approximately 15 minutes. If a client PC running IE 5.0 is closer to the main site, all requests are sent to the main site. In case of a main site failure, the client browser keeps using the cached DNS entry to access the server URL (www.duwamishbooks.com in this case) until it times out. The only way to reestablish a connection from a browser that has cached the DNS address of the DD on the failed main site is to close the browser session and start another one. In this way, the client can reach www.duwamishbooks.com through the satellite site within the routing convergence time frame, which is 64 seconds in this case. In the case of only a DD failure, sessions in progress will continue because the DNS name resolution has been cached in the browser.
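The traffic flow in Figure 8 and the browser DNS cache effect described in this note are easiest to reason about with a small model of the three decision points: the DD choosing a site by administrative weight, the LD choosing a real server with the least-connections predictor, and the client holding on to a cached answer. The following is an added example, not code from the lab or from any Cisco product: the site names, the 192.0.2.x and 198.51.100.x VIPs, the weights, the server names and the 900-second cache lifetime are all constructed (the lifetime mirrors the roughly 15-minute IE 5.0 behaviour stated above). It shows why a browser with a cached VIP keeps failing against a dead main site until its session is restarted, and separately why a server taken out of service by the LD is never selected.

```python
"""Toy model of the lab's request path and of the client-side DNS cache effect
described under "Main site failover". Added example with constructed names,
addresses, weights and TTL; not the lab's code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RealServer:
    name: str
    in_service: bool = True   # LD 'in-service' state
    connections: int = 0      # open client connections tracked by the LD


@dataclass
class Site:
    name: str
    vip: str                  # LD virtual IP the DD hands out for this site
    weight: int               # administrative weight configured on the DD
    up: bool = True
    servers: List[RealServer] = field(default_factory=list)

    def pick_server(self) -> Optional[RealServer]:
        """LD least-connections predictor over in-service real servers only."""
        live = [s for s in self.servers if s.in_service]
        return min(live, key=lambda s: s.connections) if live else None


class DistributedDirector:
    """Authoritative for www.duwamishbooks.com; answers with one site's VIP and a TTL."""
    def __init__(self, sites: List[Site], ttl: int):
        self.sites, self.ttl = sites, ttl

    def resolve(self) -> Optional[Tuple[str, int]]:
        live = [s for s in self.sites if s.up]
        if not live:
            return None
        best = max(live, key=lambda s: s.weight)   # highest administrative weight wins
        return best.vip, self.ttl


class BrowserClient:
    """Keeps the resolved VIP until the cache lifetime passes, whatever happened upstream."""
    def __init__(self, dd: DistributedDirector):
        self.dd, self.cached_vip, self.expires = dd, None, -1

    def lookup(self, now: int) -> Optional[str]:
        if self.cached_vip is not None and now < self.expires:
            return self.cached_vip
        answer = self.dd.resolve()
        if answer is None:
            return None
        self.cached_vip, self.expires = answer[0], now + answer[1]
        return self.cached_vip

    def restart(self) -> None:
        """Closing the browser session drops the cached entry (the page's workaround)."""
        self.cached_vip, self.expires = None, -1


def connect(sites: List[Site], vip: Optional[str]) -> Optional[str]:
    """Client connects to the VIP; returns the real server chosen, or None if nothing answers."""
    if vip is None:
        return None
    site = next(s for s in sites if s.vip == vip)
    if not site.up:
        return None
    server = site.pick_server()
    if server is None:
        return None
    server.connections += 1
    return server.name


def build_lab() -> List[Site]:
    # Constructed: documentation address ranges, not the lab's addressing.
    main = Site("main", "192.0.2.10", weight=10, servers=[
        RealServer("web1", connections=3), RealServer("web2", connections=1), RealServer("web3")])
    satellite = Site("satellite", "198.51.100.10", weight=5, servers=[RealServer("web4")])
    return [main, satellite]


def main_site_failover_demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (server before failure, server with stale cache, server after restart)."""
    sites = build_lab()
    dd = DistributedDirector(sites, ttl=900)        # ~15 minutes, as IE 5.0 behaves
    client = BrowserClient(dd)
    before = connect(sites, client.lookup(now=0))   # main site wins on weight -> web3
    sites[0].up = False                              # main site fails
    stale = connect(sites, client.lookup(now=64))   # cached VIP still points at main -> None
    client.restart()
    fresh = connect(sites, client.lookup(now=64))   # fresh query -> satellite -> web4
    return before, stale, fresh


def web_server_failover_demo() -> Optional[str]:
    """Server shut down and taken out of service by the LD is skipped by the predictor."""
    sites = build_lab()
    sites[0].servers[2].in_service = False
    return connect(sites, sites[0].vip)
```

The model deliberately lets the client fail rather than re-resolve on a connection error, because that is the behaviour the note describes; a client that re-queried DNS on failure would recover within the 64-second routing convergence with no restart.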

(8) LocalDirector uplink failover

LD stateful failover enables the servers to serve clients without interruption in case of a primary LD failure. The failover serial cable between the primary and secondary LDs allows monitoring packets to pass through. When a network failure is detected, the status is communicated through the failover cable.

The LD uplink failover time observed was 22 seconds. During this failover time the clients observed 316 socket-receive errors due to timeout on the open connections.



Figure 14 LocalDirector Uplink Failover Test Results

(9) LocalDirector power failover

If the active LD encounters a power failure, the standby LD assumes the active role immediately.

LD power failover took 24 seconds. During this failover time the clients observed 320 socket-receive errors due to timeout on the open connections.



Figure 15 LocalDirector Power Failover Test Results

(10) PIX Firewall uplink failover

PIX Firewall stateful failover provides clients continuous services in case of primary PIX Firewall failure. The stateful failover feature passes stateful information to the standby PIX unit. Primary and standby units have the same configuration. In the event of primary unit failure, the state information is passed to the standby unit, which in turn becomes the active unit and takes over the function of the primary unit. The stateful information includes address translation information, connection state, and so forth. The failover is transparent to the client. When the uplink of the active PIX fails, it takes 45 seconds by default for the PIX to detect the failure at which time the standby PIX takes over.

PIX uplink failover time observed was 60 seconds. The failover was completely transparent to the clients.



Figure 16 PIX Firewall Uplink Failover Test Results

(11) PIX Firewall power failover

When the active PIX fails, the standby PIX takes charge immediately.

PIX power failover took 18 seconds. The failover was completely transparent to the clients.



Figure 17 PIX Firewall Power Failover Test Results

(12) Web Server failover

LD snoops the TCP handshake between the client and server to the port level to manage server availability. In the event of a server failure, LD takes the server out of service, eliminating the possibility of client traffic being sent to the failed server.

Three servers were used in this test. After shutting down one server, the active LD took it out of service and only sent traffic to the other two. The clients experienced no service disruptions.



Figure 18 Web Server Failover Test Results

(13) Cache engine failover

The cache solution provides both cache and network fault tolerance. If one cache engine fails, traffic is redirected among other cache members in the cluster. If the primary router fails, a standby router automatically takes over, redirecting Web requests to the cache cluster.

The caching service is transparent to the user and, during the failover test, remained transparent to the user.

Scalability

Purpose:

To test the ability to expand the design to meet growth needs. For many customers, making a solution scalable to meet the demand of rapid business growth is a key to success in a competitive market space. The number of requests served by the server per second measures performance. Scalability is measured by how easy it is to expand the network and server farm.

Process:

To demonstrate how the proposed framework can scale linearly, a series of tests was performed starting with one Web server in the Web farm and adding one server to the farm in each new test until the Web farm had six servers. The test script invoked a dynamic page on the Web server that simulates listing all book titles available in a particular category. This translates into six HTTP GET calls (one for the HTML constituting the page that displays a book category, one for the ASP page listing all titles in the category, and the four .gif files in the page). Eight client machines were used to simulate 320 users (5 threads per client sending requests over 8 sockets per thread) with no delay between successive requests. The LocalDirector load balanced the client requests among the available servers in the Web farm, which varied from one to six. No caching was performed by the cache engines during this test.

Results:

The number of Web requests served by the Web farm to the clients scaled nearly linearly from 83 GET requests per second with one server in the farm to 475 GET requests per second with six servers in the farm. The number of Web requests with an intermediate number of servers in the farm fell on this linear trend. All servers in the Web farm were equally loaded in terms of server resource usage (processor, memory, and so forth), served an equal number of requests per second (about 80), had an equal number of ASP requests in the queue (about 28), and had an equal number of open client connections (about 55). This demonstrates that the Web farm can be scaled horizontally in a linear fashion by simply adding new servers to the farm. This test script stressed the Web servers, which created COM+ components to implement the functionality in the workflow, business logic, and data access layers, but did not stress the single database server enough. Therefore, no attempt was made to demonstrate scalability at the back end by partitioning the data or vertically scaling the server.



Figure 19 Scalability Test Results

To demonstrate vertical scaling of the Web farm, the single Web server test was repeated after upgrading the server. A second 500 MHz Pentium III processor was added to the server (because the tests used 100 percent of the CPU); no additional memory was added, since the 256MB available memory was not fully utilized (approximately 119MB remained available throughout the test). The number of Web requests served by the upgraded server was 144 GET requests/sec, which scaled linearly from the 83 requests per second served by the same server with one processor.

In addition to the server scalability demonstrated above, the network equipment is also highly scalable. Below is a brief summary of how to add more Internet appliances to accommodate the needs of a growing network.

  • Add cache engines into the design. Cache engines offer the ability to optimize WAN usage while functioning in default mode. They improve service availability and quality and provide great scalability. Using WCCP version 2 cluster support on cache engines with multiple routers enables network designers to build large-scale, highly reliable server farms without extra server hardware. The task of building a new server is in most cases costly and time consuming. Heavy traffic loads can be easily handled by the clustering cache engines, which work in parallel, resulting in great scalability. Adding and removing cache engines is easy and transparent to users. Reverse proxy of cache engines improves performance and response time and increases scalability. By using cache engines to front-end server farms, you can offload the processing of static content requests from the servers. It was recorded that with cache engines in place, more than 75 percent of traffic previously hitting the servers was handled by the engines themselves. The result is that the servers have more CPU cycles to handle dynamic content generation while the cache engines serve the requests for static content such as the .gif files.
  • DD provides the ability to scale globally. Adding mirrored distributed sites is made easy and transparent to the clients.
  • LD offers a high availability solution that helps scale the server farm. Adding in new servers in existing sites is totally transparent to the client because the VIP address of the LD is the only one known to the clients.
  • LD also provides an easy way to introduce new services on the existing cluster of servers.

Security

Site security is one of the most important requests from customers who are concerned with personal information being revealed on the Internet. Companies risk losing customers and revenue if the security of the solution is compromised. Security includes the ability to protect legitimate transactions, to prevent illegal transactions or packets from intruding into various network components, and to protect the servers.

In this design, various network components provide security functions.

  • Extensive ACLs on the border routers were used to filter RFC 1918 address space and to allow BGP routing updates, Web traffic, DNS lookups, and other needed services such as SSL or FTP to pass. The ACLs denied all other traffic. Be specific about source or destination addresses where needed.
  • Wire rate ACLs were installed on the Catalyst 6500 Switches.
  • LD offers strong server security through two features:

    Bind—Maps a service on a per-port basis to control access to individual servers

    NAT—Allows servers with private addresses to access the Internet

  • Private VLANs within the Catalyst 6500 were used to provide additional security at Layer 2. This feature allows multiple access switch ports to communicate only with a designated switch port while preventing any such access ports from communicating with one another. Though there is traffic flow between the individual access ports and one or more designated ports, no communication is allowed amongst the access ports themselves. It is advantageous to build the server farm with the private VLAN feature. If one server is compromised, other servers cannot be seen from the compromised server.
  • The PIX Firewall provided security for e-commerce sites based on the policy and rule set. It also guarded against various attacks, including denial-of-service attacks.
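The border router policy in the first bullet (drop RFC 1918 sources, allow only the handful of services the site needs, deny everything else) is simple to state but easy to get wrong in ordering. The following is an added example, not the lab's actual ACL, which the page does not reproduce: it models an ordered first-match access list in Python so the policy can be checked against sample packets before it is typed into a router, and renders it as IOS extended access-list lines using the standard syntax. The 192.0.2.0/24 Web farm range, the 192.0.2.53 name server and the 198.51.100.1 BGP peer are constructed documentation addresses, as are the sample packets.

```python
"""Ingress filtering model for the border router policy described above.

Added example, not the lab's ACL: the page says RFC 1918 sources were dropped and only
BGP, Web, DNS and similar services were allowed; the networks, ports and rule order
below are constructed to illustrate that policy and are not the lab's addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, otherwise "tcp" / "udp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None  # None = any destination port


def build_border_acl(web_farm: str, dns_server: str, bgp_peer: str) -> List[Rule]:
    """Ordered list: bogon drops first, then the permitted services, then an explicit deny all."""
    farm, dns, peer = (ipaddress.ip_network(n) for n in (web_farm, dns_server, bgp_peer))
    rules = [Rule("deny", "ip", net, ANY) for net in RFC1918]   # private space must never arrive from the Internet
    rules += [
        Rule("permit", "tcp", peer, ANY, 179),   # BGP session from the ISP peer only
        Rule("permit", "tcp", ANY, farm, 80),    # HTTP to the Web farm VIP range
        Rule("permit", "tcp", ANY, farm, 443),   # SSL to the Web farm VIP range
        Rule("permit", "udp", ANY, dns, 53),     # DNS lookups to the name server
        Rule("permit", "tcp", ANY, dns, 53),
        Rule("deny", "ip", ANY, ANY),            # everything else, stated explicitly
    ]
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First match wins, as on a Cisco ACL; a packet matching nothing is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def _ios_addr(net: IPv4Net) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS wildcard (inverse) mask


def to_ios(rules: List[Rule], number: int = 101) -> List[str]:
    """Render the rule list as IOS extended access-list lines (standard syntax)."""
    lines = []
    for r in rules:
        line = f"access-list {number} {r.action} {r.proto} {_ios_addr(r.src)} {_ios_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


# Constructed documentation addresses, not the lab's addressing.
ACL = build_border_acl("192.0.2.0/24", "192.0.2.53/32", "198.51.100.1/32")

if __name__ == "__main__":
    for line in to_ios(ACL):
        print(line)
    # A database port reached from the Internet must fall through to the final deny.
    print(evaluate(ACL, "tcp", "203.0.113.5", "192.0.2.20", 1433))   # deny
```

Two points this makes visible: the RFC 1918 drops have to precede the permits, otherwise a packet with a spoofed 10.x source aimed at port 80 would be accepted by the Web rule, and nothing reaches TCP 1433 from outside, so the SQL Server path that exists between the Web servers and the database (through the PIX) has no counterpart on the Internet edge.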

Conclusion Back to Top

The purpose of the joint Cisco and Microsoft e-commerce testing lab was to verify that two leading industry players in the e-commerce market can find synergy in the unification of their respective e-commerce solutions. Combined technologies from Cisco and Microsoft provide a comprehensive and powerful solution for the enterprise that is looking for a highly available, scalable, and secure e-commerce solution.

Both Cisco and Microsoft have extensive experience in building e-commerce infrastructures. The work detailed in this document is a result of their combined efforts.

As Cisco and Microsoft continue to build and release new products, the best practices outlined in this document remain a sound guidance for designing a powerful e-commerce solution.

Acronym Glossary Back to Top

The following is a list of acronyms found in the E-Commerce Framework Architecture.
ACL: Access Control Lists
ADO: ActiveX® Data Object
ASLB: Accelerated Server Load Balancing
ASP: Active Server Pages
BGP: Border Gateway Protocol
BLL: Business Logic Layer
CNR: Cisco Network Registrar
COM: Component Object Model
CVS: Content Verification System
DAL: Data Access Layer
DD: DistributedDirector
DFP: Dynamic Feedback Protocol
DNS: Domain Name Service
DoS: Denial of Service
DRP: Director Response Protocol
EBGP: External Border Gateway Protocol
FFS: Firewall Feature Set
GRE: Generic Routing Encapsulation
HSRP: Hot-Standby Routing Protocol
IDS: Intrusion Detection System
ISP: Internet Service Providers
KVM: Keyboard/Video/Mouse
LD: LocalDirector
MFC: Microsoft Foundation Classes
MSFC: Multilayer Switch Feature Card
NAT: Network Address Translation
OLTP: Online Transaction Processing
OSPF: Open Shortest Path First
PAgP: Port Aggregation Protocol
SLB: Server Load Balancing
SOA: Start of Authority
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
VIP: Virtual IP
WAS: Web Application Stress tool
WCCP: Web Cache Communication Protocol
WFL: Workflow Layer
XML: Extensible Markup Language

Appendix – Cisco Configuration Back to Top

Network Devices

The individual Cisco networking devices used in the E-Commerce Lab environment are captured below. Highlighted for each device are the type of device, the interfaces on the device, and the software version used.

The devices are referenced in Figure 6 on page 1 of this document.

Name: Main Site Cisco Router 1 (R1)
Chassis: Cisco 7507
Cards:
  Slot0: VIP2-32M
  PA-2FEISL-TX
  PA-FDDI-DAS-MM
  Slot2: RSP2-32M
  Slot4: VIP2-16M
  PA-1FE-TX
  PA-1FE-TX
  Slot6: VIP2-64M
  PA-ATM-Deluxe-oc3-MM
Software version: IOS-12.0(5) RSP-ISV-M

Name: Main Site Cisco Router 2 (R2)
Chassis: Cisco 7507
Cards:
  Slot0: VIP2-32M
  PA-2FEISL-TX
  PA-FDDI-DAS-MM
  Slot2: RSP2-32M
  Slot4: VIP2-16M
  PA-1FE-TX
  PA-1FE-TX
  Slot6: VIP2-64M
  PA-ATM-Deluxe-oc3-MM
Software version: IOS-12.0(5) RSP-ISV-M

Name: Main Site Cisco Catalyst Switch 1 (S1)
Chassis: Cisco Catalyst 6506
Cards:
  Slot1: WS-X6K-SUP1A-2GE
  Slot2: WS-X6408-GBIC
  Slot3: WS-X6248-RJ-45
  Slot4: WS-X6248-RJ-45
Software version: SW software 5.3(1a)CSX; MSFC software IOS 12.0(3) XE1 C6MSFC-IS-M

Name: Main Site Cisco Catalyst Switch 2 (S2)
Chassis: Cisco Catalyst 6506
Cards:
  Slot1: WS-X6K-SUP1A-2GE
  Slot2: WS-X6408-GBIC
  Slot3: WS-X6248-RJ-45
  Slot4: WS-X6248-RJ-45
Software version: SW software 5.3(1a)CSX; MSFC software IOS 12.0(3) XE1 C6MSFC-IS-M

Name: Main Site Cisco LocalDirector 1 (LD1)
Chassis: Cisco LD430
Software version: 3.2(1)

Name: Main Site Cisco LocalDirector 2 (LD2)
Chassis: Cisco LD430
Software version: 3.2(1)

Name: Main Site Cisco Secure PIX Firewall 1 (PIX1)
Chassis: Cisco PIX FW 520
Software version: 5.0(2)

Name: Main Site Cisco Secure PIX Firewall 2 (PIX2)
Chassis: Cisco PIX FW 520
Software version: 5.0(2)

Name: Main Site Cisco DistributedDirector (DD1)
Chassis: Cisco 4700 DD
Software version: IOS 12.0(7)T C2500-W3-L

Name: Main Site Cisco Cache Engine (CE1)
Chassis: Cisco Cache Engine 550
Software version: 2.03

Name: Main Site Cisco Cache Engine (CE2)
Chassis: Cisco Cache Engine 550
Software version: 2.03

Name: Main Site Cisco Router (R3)
Chassis: Cisco 2503
Software version: IOS-12.0(8) C2500-JS-L

Name: Main Site Cisco Router (R4)
Chassis: Cisco 2503
Software version: IOS-12.0(8) C2500-JS-L

Name: Satellite Site Cisco Router (R5)
Chassis: Cisco 7206, NPE-150
Cards:
  Slot0: c7200-I/O-FE-MII
  Slot4: PA-A1-OC3-MM
  Slot6: PA-4E
Software version: IOS-12.0(8) C7200-JS-M

Name: Satellite Site Cisco Catalyst Switch (S3)
Chassis: Cisco Catalyst 4003
Cards:
  Slot1: WS-X4012
  Slot2: WS-X4148
  Slot3: WS-X4306
Software version: 4.5(1)

Name: Satellite Site Cisco Cache Engine (CE3)
Chassis: Cisco Cache Engine 550
Software version: 2.03

Name: Satellite Site Cisco DistributedDirector (DD2)
Chassis: Cisco 2501 DD
Software version: IOS-12.0(7)T C2500-W3-L

Name: Satellite Site Cisco LocalDirector (LD3)
Chassis: Cisco LD430
Software version: 3.2(1)

Name: Satellite Site Cisco Secure PIX Firewall (PIX3)
Chassis: Cisco PIX FW520
Software version: 5.0(2)

Name: Satellite Site Cisco Router (R6)
Chassis: Cisco 2503
Software version: IOS-12.0(8) C2500-JS-L

Device Configuration

Captured below is the configuration for each of the Cisco devices used in the lab. These examples can be used as a reference when configuring the Cisco devices in your environment. They should only be used as a guide.

Headquarter Site

Vlan assignment on S1 and S2

S1 and S2 (Catalyst 6500)
Vlan 5: port 3/25-36, 4/25-36
Vlan 44: port 3/4, 3/6-12, 4/1-12

Address assignment

Vlan 90: 172.26.184.0/30
Vlan 91: 172.26.230.0/26
Vlan 92: 172.26.184.4/30
Vlan 93: 172.26.184.8/30
Vlan 94: 172.26.184.12/30
Vlan 44: 172.26.230.0/26

BGP border network: 172.26.230.160/29
Loopback address: 172.26.230.225-172.26.230.254
R1 loopback 0: 172.26.230.225
BGP R1 of ISP loopback 0: 172.26.230.226
R2 loopback 0: 172.26.230.227
BGP R2 of ISP loopback: 172.26.230.228

S1: 172.26.230.10/26, default gateway: 172.26.230.1
S1/MSFC/vlan91: 172.26.230.1/26
S1/MSFC/vlan90: 172.26.184.2/30
S1/MSFC/vlan92: 172.26.184.5/30
R1/FE4/0/0: 172.26.184.1/30
R1/FE4/1/0: 172.26.184.10/30
R1/FE0/0/0: 172.26.230.153/29 --- IBGP peer: 172.26.230.154/29, AS#65230
R1/FE0/1/0: 172.26.230.161/29 --- EBGP peer : 172.26.230.162/29
DD1/e0: 172.26.230.7/26
DD1/e1: 172.26.230.129/29
LD1/actual: 172.26.230.11/26
LD1/virtual: 172.26.230.2/26
CE1: 172.26.230.5/26, default gateway: 172.26.230.1
PIX-fw1/outside: 172.26.230.14/26
PIX-fw1/inside: 12.12.1.1/26
PIX-fw1/failover: 12.12.1.129/32
R3/e0: 12.12.1.3/26
R3/s0: 12.12.100.1/30
R3/s1: 12.12.102.2/30

S2: 172.26.230.131/29, default gateway: 172.26.230.12
S2/MSFC/vlan91: 172.26.230.3/26
S2/MSFC/vlan93: 172.26.184.9/30
S2/MSFC/vlan94: 172.26.184.13/30
R2/FE4/0/0: 172.26.184.14/30
R2/FE4/1/0: 172.26.184.6/30

R2/FE0/1/0: 172.26.230.163/29 --- EBGP peer: 172.26.230.164/29
LD2/actual: 172.26.230.11/26
LD2/virtual: 172.26.230.2/26
CE2: 172.26.230.6/26, default gateway: 172.26.230.3
PIX-fw2/outside: 172.26.230.14/26
PIX-fw2/inside: 12.12.1.1/26
PIX-fw2/failover: 12.12.1.130/32
R4/e0: 12.12.1.4/26
R4/s0: 12.12.101.1/30
R4/s1: 12.12.100.2/30

A/B/C servers: 172.26.230.21-60/26
172.26.230.70-100/26
SQL/LDAP servers: 12.12.1.21-60/26
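As an added check that is not part of the original document, the following Python script reads the headquarters router and MSFC interface lines above and verifies three things: each point-to-point /30 link has exactly two listed endpoints, each MSFC VLAN interface lies inside the subnet the address table assigns to that VLAN, and each listed BGP peer shares the interface's subnet. The data lines are copied from the list above; the checks and their output format are this example's own.

```python
"""Consistency checks over the headquarters address plan listed above:
every point-to-point /30 link has exactly two listed endpoints, each MSFC
VLAN interface lies in the subnet the table assigns to that VLAN, and each
listed BGP peer shares the interface's subnet. Added example, not from the
original document; the data lines below are copied from the list above."""
import ipaddress
import re
from collections import defaultdict

# VLAN -> subnet, from the "Address assignment" list above.
VLAN_SUBNETS = {
    90: ipaddress.ip_network("172.26.184.0/30"),
    91: ipaddress.ip_network("172.26.230.0/26"),
    92: ipaddress.ip_network("172.26.184.4/30"),
    93: ipaddress.ip_network("172.26.184.8/30"),
    94: ipaddress.ip_network("172.26.184.12/30"),
}

# Router and MSFC interface lines as listed above (other devices omitted).
PLAN = """\
S1/MSFC/vlan91: 172.26.230.1/26
S1/MSFC/vlan90: 172.26.184.2/30
S1/MSFC/vlan92: 172.26.184.5/30
R1/FE4/0/0: 172.26.184.1/30
R1/FE4/1/0: 172.26.184.10/30
R1/FE0/0/0: 172.26.230.153/29 --- IBGP peer: 172.26.230.154/29, AS#65230
R1/FE0/1/0: 172.26.230.161/29 --- EBGP peer : 172.26.230.162/29
S2/MSFC/vlan91: 172.26.230.3/26
S2/MSFC/vlan93: 172.26.184.9/30
S2/MSFC/vlan94: 172.26.184.13/30
R2/FE4/0/0: 172.26.184.14/30
R2/FE4/1/0: 172.26.184.6/30
"""

# "<name>: <addr>/<len>" with an optional "... peer: <addr>" suffix.
LINE_RE = re.compile(
    r"^(?P<name>\S+):\s*(?P<addr>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:.*?peer\s*:\s*(?P<peer>\d+\.\d+\.\d+\.\d+))?"
)


def parse_plan(text):
    """Return a list of (interface name, ip_interface, peer address or None)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed plan line: {line!r}")
        iface = ipaddress.ip_interface(m["addr"])
        peer = ipaddress.ip_address(m["peer"]) if m["peer"] else None
        entries.append((m["name"], iface, peer))
    return entries


def links(entries):
    """Map each /30 link network to its sorted endpoint names."""
    out = defaultdict(list)
    for name, iface, _ in entries:
        if iface.network.prefixlen == 30:
            out[str(iface.network)].append(name)
    return {net: sorted(names) for net, names in out.items()}


def check_plan(entries):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # A point-to-point /30 has two usable hosts, so exactly two endpoints.
    for net, names in links(entries).items():
        if len(names) != 2:
            findings.append(f"{net}: {len(names)} endpoint(s) listed: {names}")
    for name, iface, peer in entries:
        # MSFC VLAN interfaces must sit in the subnet the table assigns.
        m = re.search(r"vlan(\d+)$", name)
        if m:
            expected = VLAN_SUBNETS.get(int(m.group(1)))
            if expected is None:
                findings.append(f"{name}: VLAN {m.group(1)} not in the table")
            elif iface.network != expected:
                findings.append(f"{name}: {iface} is outside {expected}")
        # A directly connected BGP peer must share the interface subnet.
        if peer is not None and peer not in iface.network:
            findings.append(f"{name}: peer {peer} not in {iface.network}")
    return findings


ENTRIES = parse_plan(PLAN)
```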

Remote Site

VLANS:

Vlan 1: ports 2/1-24
Vlan 5: ports 2/25-48
Vlan 44: ports 2/

Subnets:

Vlan 1: 172.26.231.0/26
Vlan 5: 12.15.1.0/26
BGP network 2: 172.26.231.160/29
User network: 172.26.231.192/27
Loopback address 172.26.231.169-172.26.231.174
R3 loopback address: 172.26.231.169
ISP BGP router R3 loopback address: 172.26.231.170

S3: 172.26.231.2/26, default gateway: 172.26.231.1
R5/FE0/0: 172.26.231.1/26
R5/E6/0: 172.26.231.161/29 (AS# 65231) --- EBGP peer: 172.26.231.162
DD2/e0: 172.26.231.3/26
LD3/actual: 172.26.231.4/26
LD3/virtual: 172.26.231.5/26
CE3: 172.26.231.6/26
PIX-fw3/outside: 172.26.231.7/26
PIX-fw3/inside: 12.15.1.1/26
A/B/C servers: 172.26.231.21-50/26
SQL/LDAP servers: 12.15.1.21-50/26
R6/e0: 12.15.1.3/26
R6/S0: 12.12.102.1/30
R6/S1: 12.12.101.2/30

Network Device Configurations

Main Site Cisco Router 1 (R1)

ecom-hq-rtr-a1#sh config
Using 4024 out of 126968 bytes
!
version 12.0
no service pad
service timestamps debug datetime
service timestamps log uptime

!
hostname ecom-hq-rtr-a1
!
boot system flash slot0:

!
ip subnet-zero
ip cef
ip domain-name esclab.com
ip name-server 172.26.231.202
ip dvmrp route-limit 20000
!
!
process-max-time 200
!
interface Loopback0
ip address 172.26.230.225 255.255.255.255
no ip directed-broadcast
!
interface FastEthernet0/0/0
ip address 172.26.230.153 255.255.255.248
no ip directed-broadcast
no ip route-cache cef
no ip route-cache distributed
full-duplex
!
interface FastEthernet0/0/1
ip address 172.26.231.194 255.255.255.240
no ip directed-broadcast
ip accounting output-packets
ip accounting mac-address input
no ip route-cache cef
no ip route-cache distributed
shutdown
full-duplex
!
interface FastEthernet4/0/0
ip address 172.26.184.1 255.255.255.252
no ip directed-broadcast
ip web-cache redirect
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
no ip route-cache cef
no ip route-cache distributed
full-duplex
!
interface FastEthernet4/1/0
ip address 172.26.184.10 255.255.255.252
no ip directed-broadcast
ip web-cache redirect
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
no ip route-cache cef
no ip route-cache distributed
full-duplex
!
interface ATM6/0/0
no ip address
no ip directed-broadcast
no ip route-cache distributed
no atm ilmi-keepalive
!
interface ATM6/0/0.1 point-to-point
ip address 172.26.230.161 255.255.255.248
ip access-group 101 in
no ip directed-broadcast
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
ip pim dense-mode
atm pvc 166 1 177 aal5snap inarp
!
router eigrp 123
network 172.26.0.0
network 0.0.0.0
no auto-summary
!
router bgp 65230
no synchronization
network 172.26.184.0 mask 255.255.255.252
network 172.26.184.8 mask 255.255.255.252
network 172.26.184.128 mask 255.255.255.248
network 172.26.230.152 mask 255.255.255.248
network 172.26.230.160 mask 255.255.255.248
redistribute connected
neighbor 172.26.184.2 remote-as 65230
neighbor 172.26.184.2 description ibgp link to ecom-hq-msfc-a1
neighbor 172.26.184.9 remote-as 65230
neighbor 172.26.184.9 description ibgp link to ecom-hq-msfc-b1
neighbor 172.26.230.154 remote-as 65230
neighbor 172.26.230.154 description IBGP link to ecom-hq-rtr-b1
neighbor 172.26.230.162 remote-as 1
neighbor 172.26.230.162 description EBGP link ar1
neighbor 172.26.230.162 route-map permit-route in
maximum-paths 3
distance 200 172.26.230.162 0.0.0.0 2
distance 200 172.26.230.154 0.0.0.0 2
!
ip classless
ip default-network 0.0.0.0
ip default-network 131.108.0.0
ip route 0.0.0.0 0.0.0.0 ATM6/0/0.1
ip route 12.0.0.0 255.0.0.0 172.26.230.66
!
logging trap errors
access-list 1 permit 0.0.0.0
access-list 1 deny any
access-list 2 permit 172.26.230.251
access-list 2 deny any
access-list 5 deny 172.26.184.0 0.0.0.3
access-list 5 deny 172.26.184.8 0.0.0.3
access-list 5 deny 172.26.184.128 0.0.0.7
access-list 5 deny 172.26.230.152 0.0.0.7
access-list 5 permit any
access-list 101 deny tcp 192.168.0.0 0.0.255.255 any
access-list 101 deny udp 192.168.0.0 0.0.255.255 any
access-list 101 deny tcp 10.0.0.0 0.255.255.255 any
access-list 101 deny udp 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq bgp
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq 443
access-list 101 deny tcp any any
access-list 101 deny udp any any
route-map permit-route permit 10
match ip address 5
!
snmp-server community public RO
snmp-server community private RW
snmp-server community cisco RO
tftp-server slot0:c2500-w3-l_120-7_T.bin
!
line con 0
transport input none
line aux 0
line vty 0 4
password esc
login
!
end
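As an added example, not code from the original document, the following Python evaluates sample packets against R1's access-list 101 exactly as shown in the configuration above, applying the first-match and end-of-list implicit-deny semantics of an IOS extended ACL, and reports which RFC 1918 source blocks the list leaves unfiltered. The sample packet addresses are constructed (198.51.100.0/24 is documentation space) and the audit helper is this example's own.

```python
"""Evaluate packets against R1's extended access-list 101 from the configuration
above, using IOS first-match semantics plus the implicit deny that ends every
IOS ACL. Added example, not from the original document; packets are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The ACL exactly as it appears in the R1 configuration above.
ACL_101 = """
access-list 101 deny tcp 192.168.0.0 0.0.255.255 any
access-list 101 deny udp 192.168.0.0 0.0.255.255 any
access-list 101 deny tcp 10.0.0.0 0.255.255.255 any
access-list 101 deny udp 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq bgp
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq 443
access-list 101 deny tcp any any
access-list 101 deny udp any any
"""

# IOS port keywords used in this list.
PORT_NAMES = {"bgp": 179, "www": 80, "domain": 53}


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: tuple[int, int]   # (address, wildcard mask) as integers
    sport: Optional[int]   # source port from "eq", else None
    dst: tuple[int, int]
    dport: Optional[int]
    text: str              # original line, kept for reporting

def _addr(toks: list[str]) -> tuple[int, int]:
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = toks.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(toks.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(toks.pop(0)))

def _port(toks: list[str]) -> Optional[int]:
    """Consume an optional 'eq <port|keyword>' qualifier."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        name = toks.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acl(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)$", line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, proto, rest = m.groups()
        toks = rest.split()
        src, sport = _addr(toks), _port(toks)
        dst, dport = _addr(toks), _port(toks)
        rules.append(Rule(action, proto, src, sport, dst, dport, line.strip()))
    return rules

def _matches(spec: tuple[int, int], ip: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & care == 0

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Return (action, rule text) for the first matching rule; when nothing
    matches, IOS applies an implicit deny at the end of the list."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny"

def unfiltered_rfc1918(rules):
    """Audit helper: RFC 1918 blocks from which a TCP/80 packet to a web server
    would be permitted. The list above drops 10/8 and 192.168/16 only; the lab's
    own 172.26.x.x addressing lies inside 172.16/12, so a filter on that block
    would have to exempt the lab's own prefixes."""
    gaps = []
    for block in ("10.0.0.0", "172.16.0.0", "192.168.0.0"):
        action, _ = evaluate(rules, "tcp", block, "172.26.230.30", 40000, 80)
        if action == "permit":
            gaps.append(block)
    return gaps

RULES = parse_acl(ACL_101)
```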

Main Site Cisco Router 2 (R2)

ecom-hq-rtr-b1#sh config
Using 3713 out of 126968 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime

!
hostname ecom-hq-rtr-b1
!
logging buffered warnings

!
ip subnet-zero
ip cef
ip domain-name esclab.com
ip name-server 172.26.231.202
ip dvmrp route-limit 20000
!
!
process-max-time 200
!
interface Loopback0
ip address 172.26.230.227 255.255.255.255
no ip directed-broadcast
!
interface FastEthernet0/0/0
ip address 172.26.230.154 255.255.255.248
no ip directed-broadcast
no ip route-cache distributed
!
interface FastEthernet4/0/0
ip address 172.26.184.14 255.255.255.252
no ip directed-broadcast
ip web-cache redirect
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
no ip route-cache distributed
full-duplex
!
interface FastEthernet4/1/0
ip address 172.26.184.6 255.255.255.252
no ip directed-broadcast
ip web-cache redirect
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
no ip route-cache distributed
full-duplex
!
interface ATM6/0/0
no ip address
no ip directed-broadcast
no ip route-cache distributed
no atm ilmi-keepalive
!
interface ATM6/0/0.1 point-to-point
ip address 172.26.230.169 255.255.255.248
ip access-group 101 in
no ip directed-broadcast
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
ip pim dense-mode
atm pvc 66 1 77 aal5snap inarp
!
router eigrp 123
network 172.26.0.0
network 0.0.0.0
no auto-summary
!
router bgp 65230
no synchronization
network 172.26.184.4 mask 255.255.255.252
network 172.26.184.12 mask 255.255.255.252
network 172.26.184.128 mask 255.255.255.248
network 172.26.230.152 mask 255.255.255.248
network 172.26.230.168 mask 255.255.255.248
redistribute connected
neighbor 172.26.184.5 remote-as 65230
neighbor 172.26.184.5 description ibgp link to ecom-hq-msfc-a1
neighbor 172.26.184.13 remote-as 65230
neighbor 172.26.184.13 description ibgp link to ecom-hq-msfc-b1
neighbor 172.26.230.153 remote-as 65230
neighbor 172.26.230.153 description IBGP link to ecom-hq-rtr-a1
neighbor 172.26.230.170 remote-as 1
neighbor 172.26.230.170 description EBGP link ar2
neighbor 172.26.230.170 route-map permit-route in
maximum-paths 3
distance 200 172.26.230.153 0.0.0.0 2
distance 200 172.26.230.170 0.0.0.0 2
!
ip classless
ip default-network 0.0.0.0
ip default-network 131.108.0.0
ip route 0.0.0.0 0.0.0.0 ATM6/0/0.1
!
access-list 1 permit 0.0.0.0
access-list 1 deny any
access-list 2 permit 172.26.230.251
access-list 2 deny any
access-list 5 deny 172.26.184.4 0.0.0.3
access-list 5 deny 172.26.184.12 0.0.0.3
access-list 5 deny 172.26.184.128 0.0.0.7
access-list 5 deny 172.26.230.152 0.0.0.7
access-list 5 permit any
access-list 101 deny tcp 192.168.0.0 0.0.255.255 any
access-list 101 deny udp 192.168.0.0 0.0.255.255 any
access-list 101 deny tcp 10.0.0.0 0.255.255.255 any
access-list 101 deny udp 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq bgp
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq 443
access-list 101 deny tcp any any
access-list 101 deny udp any any
arp 172.26.230.2 00e0.b600.943b ARPA
route-map permit-route permit 10
match ip address 5
!
snmp-server community cisco RO
snmp-server community public RO
snmp-server community private RW
tftp-server slot0:c2500-w3-l_120-7_T.bin
!
line con 0
transport input none
line aux 0
line vty 0 4
password esc
login
!
end

Main Site Cisco Catalyst Switch 1 (S1)

ecom-hq-sw-a1 (enable) sh config
..........
begin
!
#version 5.3(1a)CSX
!
set prompt ecom-hq-sw-a1
set length 24 default
set logout 20
set banner motd ^C^C
!
#system
set system baud 9600
set system modem disable
set system name
set system location
set system contact
!
#power
set power redundancy enable
!
#frame distribution method
set port channel all distribution ip both
!
#snmp
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
set snmp rmon enable
set snmp trap enable module
set snmp trap enable chassis
set snmp trap enable repeater
set snmp trap enable vtp
set snmp trap enable auth
set snmp trap disable ippermit
set snmp trap disable vmps
set snmp trap disable entity
set snmp trap disable config
set snmp trap disable syslog
set snmp trap disable stpx
!
#tacacs+
set tacacs attempts 3
set tacacs directedrequest disable
!
#radius
set radius deadtime 0
set radius timeout 5
set radius retransmit 2
!
#authentication
set authentication login tacacs disable console
set authentication login tacacs disable telnet
set authentication enable tacacs disable console
set authentication enable tacacs disable telnet
set authentication login radius disable console
set authentication login radius disable telnet
set authentication enable radius disable console
set authentication enable radius disable telnet
set authentication login local enable console
set authentication login local enable telnet
set authentication enable local enable console
set authentication enable local enable telnet
!
#vtp
set vtp domain B2
set vtp mode server
set vtp v2 disable
set vtp pruning disable
set vtp pruneeligible 2-1000
clear vtp pruneeligible 1001-1005
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 2 name VLAN0002 type ethernet mtu 1500 said 100002 state active
set vlan 4 name VLAN0004 type ethernet mtu 1500 said 100004 state active
set vlan 5 name VLAN0005 type ethernet mtu 1500 said 100005 state active
set vlan 11 name VLAN0011 type ethernet mtu 1500 said 100011 state active
set vlan 12 name VLAN0012 type ethernet mtu 1500 said 100012 state active
set vlan 44 name VLAN0044 type ethernet mtu 1500 said 100044 state active
set vlan 50 name VLAN0050 type ethernet mtu 1500 said 100050 state active
set vlan 90 name VLAN0090 type ethernet mtu 1500 said 100090 state active
set vlan 91 name VLAN0091 type ethernet mtu 1500 said 100091 state active
set vlan 92 name VLAN0092 type ethernet mtu 1500 said 100092 state active
set vlan 93 name VLAN0093 type ethernet mtu 1500 said 100093 state active
set vlan 94 name VLAN0094 type ethernet mtu 1500 said 100094 state active
set vlan 99 name VLAN0099 type ethernet mtu 1500 said 100099 state active
set vlan 100 name VLAN0100 type ethernet mtu 1500 said 100100 state active
set vlan 111 name VLAN0111 type ethernet mtu 1500 said 100111 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active bridge 0x0 stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active bridge 0x0 stp ibm
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active parent 0 ring 0x0 mode srb aremaxhop 0 stemaxhop 0
!
#ip
set interface sc0 91 172.26.230.10/255.255.255.192 172.26.230.63

set interface sc0 up
set interface sl0 0.0.0.0 0.0.0.0
set interface sl0 up
set arp agingtime 120
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip route 0.0.0.0/0.0.0.0 172.26.230.1 1
set ip alias default 0.0.0.0
!
#Command alias
!
#vmps
set vmps server retry 3
set vmps server reconfirminterval 60
!
#dns
set ip dns disable
!
#spantree
#uplinkfast groups
set spantree uplinkfast disable
#backbonefast
set spantree backbonefast disable
#vlan 1
set spantree enable 1
set spantree fwddelay 7 1
set spantree hello 1 1
set spantree maxage 10 1
set spantree priority 32768 1
#vlan 2
set spantree enable 2
set spantree fwddelay 15 2
set spantree hello 2 2
set spantree maxage 20 2
set spantree priority 32768 2
#vlan 4
set spantree enable 4
set spantree fwddelay 15 4
set spantree hello 2 4
set spantree maxage 20 4
set spantree priority 32768 4
#vlan 5
set spantree enable 5
set spantree fwddelay 7 5
set spantree hello 1 5
set spantree maxage 10 5
set spantree priority 32768 5
#vlan 11
set spantree enable 11
set spantree fwddelay 15 11
set spantree hello 2 11
set spantree maxage 20 11
set spantree priority 32768 11
#vlan 12
set spantree enable 12
set spantree fwddelay 15 12
set spantree hello 2 12
set spantree maxage 20 12
set spantree priority 32768 12
#vlan 44
set spantree enable 44
set spantree fwddelay 7 44
set spantree hello 1 44
set spantree maxage 10 44
set spantree priority 32768 44
#vlan 50
set spantree enable 50
set spantree fwddelay 15 50
set spantree hello 2 50
set spantree maxage 20 50
set spantree priority 32768 50
#vlan 90
set spantree enable 90
set spantree fwddelay 15 90
set spantree hello 2 90
set spantree maxage 20 90
set spantree priority 32768 90
#vlan 91
set spantree enable 91
set spantree fwddelay 7 91
set spantree hello 1 91
set spantree maxage 10 91
set spantree priority 32768 91
#vlan 92
set spantree enable 92
set spantree fwddelay 15 92
set spantree hello 2 92
set spantree maxage 20 92
set spantree priority 32768 92
#vlan 93
set spantree enable 93
set spantree fwddelay 15 93
set spantree hello 2 93
set spantree maxage 20 93
set spantree priority 32768 93
#vlan 94
set spantree enable 94
set spantree fwddelay 15 94
set spantree hello 2 94
set spantree maxage 20 94
set spantree priority 32768 94
#vlan 99
set spantree enable 99
set spantree fwddelay 15 99
set spantree hello 2 99
set spantree maxage 20 99
set spantree priority 32768 99
#vlan 100
set spantree enable 100
set spantree fwddelay 15 100
set spantree hello 2 100
set spantree maxage 20 100
set spantree priority 32768 100
#vlan 111
set spantree enable 111
set spantree fwddelay 15 111
set spantree hello 2 111
set spantree maxage 20 111
set spantree priority 32768 111
#vlan 1003
set spantree enable 1003
set spantree fwddelay 15 1003
set spantree hello 2 1003
set spantree maxage 20 1003
set spantree priority 32768 1003
#vlan 1005
set spantree disable 1005
set spantree fwddelay 15 1005
set spantree hello 2 1005
set spantree maxage 20 1005
set spantree priority 32768 1005
!
#syslog
set logging console enable
set logging server disable
set logging level cdp 4 default
set logging level mcast 2 default
set logging level dtp 5 default
set logging level dvlan 2 default
set logging level earl 2 default
set logging level ip 2 default
set logging level pruning 2 default
set logging level snmp 2 default
set logging level spantree 2 default
set logging level sys 5 default
set logging level tac 2 default
set logging level tcp 2 default
set logging level telnet 2 default
set logging level tftp 2 default
set logging level vtp 2 default
set logging level kernel 2 default
set logging level filesys 2 default
set logging level pagp 5 default
set logging level mgmt 5 default
set logging level mls 5 default
set logging level protfilt 2 default
set logging level security 2 default
set logging level radius 2 default
set logging level udld 4 default
set logging level gvrp 2 default
set logging level cops 2 default
set logging level qos 2 default
set logging level acl 2 default
set logging server facility LOCAL7
set logging server severity 4
set logging buffer 500
set logging timestamp enable
!
#ntp
set ntp broadcastclient disable
set ntp broadcastdelay 3000
set ntp client disable
clear timezone
set summertime disable
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat6000-sup.5-3-1a-CSX.bin
!
#permit list
set ip permit disable
!
#igmp
set igmp disable
!
#protocolfilter
set protocolfilter disable
!
#mls
set mls agingtime 256
set mls agingtime fast 0 0
set mls flow destination
set mls nde version 7
set mls nde disable
!
#qos
set qos disable
set qos drop-threshold 1q4t rx queue 1 50 60 80 100
set qos map 2q2t tx 1 1 cos 0
set qos map 2q2t tx 1 1 cos 1
set qos map 2q2t tx 1 2 cos 2
set qos map 2q2t tx 1 2 cos 3
set qos map 2q2t tx 2 1 cos 4
set qos map 2q2t tx 2 1 cos 5
set qos map 2q2t tx 2 2 cos 6
set qos map 2q2t tx 2 2 cos 7
set qos drop-threshold 2q2t tx queue 1 80 100
set qos drop-threshold 2q2t tx queue 2 80 100
set qos wrr 2q2t 5 255
set qos txq-ratio 2q2t 80 20
set qos map 1p1q4t rx 1 1 cos 0
set qos map 1p1q4t rx 1 1 cos 1
set qos map 1p1q4t rx 1 2 cos 2
set qos map 1p1q4t rx 1 2 cos 3
set qos map 1p1q4t rx 1 3 cos 4
set qos map 1p1q4t rx 1 3 cos 5
set qos map 1p1q4t rx 2 1 cos 6
set qos map 1p1q4t rx 1 4 cos 7
set qos drop-threshold 1p1q4t rx queue 1 50 60 80 100
set qos map 1p2q2t tx 1 1 cos 0
set qos map 1p2q2t tx 1 1 cos 1
set qos map 1p2q2t tx 1 2 cos 2
set qos map 1p2q2t tx 1 2 cos 3
set qos map 1p2q2t tx 2 1 cos 4
set qos map 1p2q2t tx 2 1 cos 5
set qos map 1p2q2t tx 3 1 cos 6
set qos map 1p2q2t tx 2 2 cos 7
set qos wred 1p2q2t tx queue 1 80 100
set qos wred 1p2q2t tx queue 2 80 100
set qos wrr 1p2q2t 5 255
set qos txq-ratio 1p2q2t 70 15 15
set qos bridged-microflow-policing disable 1-1000
set qos cos-dscp-map 0 8 16 24 32 40 48 56
set qos ipprec-dscp-map 0 8 16 24 32 40 48 56
set qos dscp-cos-map 0-7:0
set qos dscp-cos-map 8-15:1
set qos dscp-cos-map 16-23:2
set qos dscp-cos-map 24-31:3
set qos dscp-cos-map 32-39:4
set qos dscp-cos-map 40-47:5
set qos dscp-cos-map 48-55:6
set qos dscp-cos-map 56-63:7
set qos policed-dscp-map 0:0
set qos policed-dscp-map 1:1
set qos policed-dscp-map 2:2
set qos policed-dscp-map 3:3
set qos policed-dscp-map 4:4
set qos policed-dscp-map 5:5
set qos policed-dscp-map 6:6
set qos policed-dscp-map 7:7
set qos policed-dscp-map 8:8
set qos policed-dscp-map 9:9
set qos policed-dscp-map 10:10
set qos policed-dscp-map 11:11
set qos policed-dscp-map 12:12
set qos policed-dscp-map 13:13
set qos policed-dscp-map 14:14
set qos policed-dscp-map 15:15
set qos policed-dscp-map 16:16
set qos policed-dscp-map 17:17
set qos policed-dscp-map 18:18
set qos policed-dscp-map 19:19
set qos policed-dscp-map 20:20
set qos policed-dscp-map 21:21
set qos policed-dscp-map 22:22
set qos policed-dscp-map 23:23
set qos policed-dscp-map 24:24
set qos policed-dscp-map 25:25
set qos policed-dscp-map 26:26
set qos policed-dscp-map 27:27
set qos policed-dscp-map 28:28
set qos policed-dscp-map 29:29
set qos policed-dscp-map 30:30
set qos policed-dscp-map 31:31
set qos policed-dscp-map 32:32
set qos policed-dscp-map 33:33
set qos policed-dscp-map 34:34
set qos policed-dscp-map 35:35
set qos policed-dscp-map 36:36
set qos policed-dscp-map 37:37
set qos policed-dscp-map 38:38
set qos policed-dscp-map 39:39
set qos policed-dscp-map 40:40
set qos policed-dscp-map 41:41
set qos policed-dscp-map 42:42
set qos policed-dscp-map 43:43
set qos policed-dscp-map 44:44
set qos policed-dscp-map 45:45
set qos policed-dscp-map 46:46
set qos policed-dscp-map 47:47
set qos policed-dscp-map 48:48
set qos policed-dscp-map 49:49
set qos policed-dscp-map 50:50
set qos policed-dscp-map 51:51
set qos policed-dscp-map 52:52
set qos policed-dscp-map 53:53
set qos policed-dscp-map 54:54
set qos policed-dscp-map 55:55
set qos policed-dscp-map 56:56
set qos policed-dscp-map 57:57
set qos policed-dscp-map 58:58
set qos policed-dscp-map 59:59
set qos policed-dscp-map 60:60
set qos policed-dscp-map 61:61
set qos policed-dscp-map 62:62
set qos policed-dscp-map 63:63
set qos acl default-action ip dscp 0
set qos acl default-action ipx dscp 0
set qos acl default-action mac dscp 0
set qos policy-source local
set cops retry-interval 30 30 300
set qos rsvp disable
set qos rsvp policy-timeout 30
set qos rsvp local-policy forward
!
#vlan mapping
!
#gmrp
set gmrp disable
!
#garp
set garp timer join 200
set garp timer leave 600
set garp timer leaveall 10000
!
#CDP
set cdp interval 60
set cdp holdtime 180
set cdp enable
!
#UDLD
set udld disable
!
#Port Channel
set port channel 3/1-4 34
set port channel 3/5-8 35
set port channel 3/9-12 36
set port channel 3/13-16 37
set port channel 3/17-20 38
set port channel 3/21-24 39
set port channel 3/25-28 40
set port channel 3/29-32 41
set port channel 3/33-36 42
set port channel 3/37-40 43
set port channel 3/41-44 44
set port channel 3/45-48 45
set port channel 2/5-8 49
set port channel 4/1-4 71
set port channel 4/5-8 72
set port channel 4/9-12 73
set port channel 4/13-16 74
set port channel 4/17-20 75
set port channel 4/21-24 76
set port channel 4/25-28 77
set port channel 4/29-32 78
set port channel 4/33-36 79
set port channel 4/37-40 80
set port channel 4/41-44 81
set port channel 4/45-48 82
set port channel 2/1-2 83
set port channel 2/3-4 112
set port channel 1/1-2 491
!
#Security ACLs
clear security acl all
commit security acl all
!
#Local Director Acceleration
set lda disable
!
#module 1 : 2-port 1000BaseX Supervisor
set module name 1
set vlan 1 1/1-2
set port enable 1/1-2
set port trap 1/1-2 disable
set port name 1/1-2
set port security 1/1-2 disable
set port broadcast 1/1-2 100%
set port membership 1/1-2 static
set port protocol 1/1-2 ip on
set port protocol 1/1-2 ipx auto
set port protocol 1/1-2 group auto
set port negotiation 1/1-2 enable
set port flowcontrol 1/1-2 send desired
set port flowcontrol 1/1-2 receive off
set cdp enable 1/1-2
set udld disable 1/1-2
set trunk 1/1 auto negotiate 1-1005
set trunk 1/2 auto negotiate 1-1005
set spantree portfast 1/1-2 disable
set spantree portcost 1/1-2 4
set spantree portpri 1/1-2 32
set spantree portvlanpri 1/1 0
set spantree portvlanpri 1/2 0
set spantree portvlancost 1/1 cost 3
set spantree portvlancost 1/2 cost 3
set port qos 1/1-2 cos 0
set port qos 1/1-2 trust untrusted
set port qos 1/1-2 port-based
set port qos 1/1-2 policy-source cops
set port rsvp 1/1-2 dsbm-election disable 128
set port gvrp 1/1-2 disable
set gvrp registration normal 1/1-2
set gvrp applicant normal 1/1-2
set port gmrp 1/1-2 enable
set gmrp registration normal 1/1-2
set gmrp fwdall disable 1/1-2
set port channel 1/1-2 mode auto silent
set port jumbo 1/1 disable
set port jumbo 1/2 disable
!
#module 2 : 8-port 1000BaseX Ethernet
set module name 2
set module enable 2
set vlan 1 2/5-6
set vlan 44 2/8
set vlan 50 2/1-4
set vlan 91 2/7
set port enable 2/3-8
set port disable 2/1-2

set port trap 2/1-8 disable
set port name 2/1-8
set port security 2/1-8 disable
set port broadcast 2/1-8 100%
set port membership 2/1-8 static
set port protocol 2/1-8 ip on
set port protocol 2/1-8 ipx auto
set port protocol 2/1-8 group auto
set port negotiation 2/1-8 enable
set port flowcontrol 2/1-8 send desired
set port flowcontrol 2/1-8 receive off
set cdp enable 2/1-8
set udld enable 2/3-4,2/7-8
set udld disable 2/1-2,2/5-6
set trunk 2/1 auto negotiate 1-1005
set trunk 2/2 auto negotiate 1-1005
set trunk 2/3 desirable dot1q 1-1005
set trunk 2/4 desirable dot1q 1-1005
set trunk 2/5 auto negotiate 1-1005
set trunk 2/6 auto negotiate 1-1005
set trunk 2/7 auto negotiate 1-1005
set trunk 2/8 off isl 1-1005
set spantree portfast 2/7-8 enable
set spantree portfast 2/1-6 disable
set spantree portcost 2/1-8 4
set spantree portpri 2/1-8 32
set spantree portvlanpri 2/1 0
set spantree portvlanpri 2/2 0
set spantree portvlanpri 2/3 0
set spantree portvlanpri 2/4 0
set spantree portvlanpri 2/5 0
set spantree portvlanpri 2/6 0
set spantree portvlanpri 2/7 0
set spantree portvlanpri 2/8 0
set spantree portvlancost 2/1 cost 3
set spantree portvlancost 2/2 cost 3
set spantree portvlancost 2/3 cost 3
set spantree portvlancost 2/4 cost 3
set spantree portvlancost 2/5 cost 3
set spantree portvlancost 2/6 cost 3
set spantree portvlancost 2/7 cost 3
set spantree portvlancost 2/8 cost 3
set port qos 2/1-8 cos 0
set port qos 2/1-8 trust untrusted
set port qos 2/1-8 port-based
set port qos 2/1-8 policy-source cops
set port rsvp 2/1-8 dsbm-election disable 128
set port gvrp 2/1-8 disable
set gvrp registration normal 2/1-8
set gvrp applicant normal 2/1-8
set port gmrp 2/1-8 enable
set gmrp registration normal 2/1-8
set gmrp fwdall disable 2/1-8
set port channel 2/5-8 mode auto silent
set port channel 2/1-4 mode desirable silent
set port jumbo 2/1 disable
set port jumbo 2/2 disable
set port jumbo 2/3 disable
set port jumbo 2/4 disable
set port jumbo 2/5 disable
set port jumbo 2/6 disable
set port jumbo 2/7 disable
set port jumbo 2/8 disable
!
#module 3 : 48-port 10/100BaseTX (RJ-45)
set module name 3
set module enable 3
set vlan 1 3/1
set vlan 2 3/39-40
set vlan 4 3/17-24
set vlan 5 3/25-36
set vlan 11 3/41-43
set vlan 12 3/44-47
set vlan 44 3/7-8,3/11-13
set vlan 90 3/37
set vlan 91 3/2,3/5-6,3/9,3/15,3/48
set vlan 92 3/38
set port enable 3/1-2,3/6-9,3/11-13,3/17-48
set port disable 3/3-5,3/10,3/14-16

set port speed 3/26 10
set port speed 3/1-25,3/27-48 100
set port duplex 3/1-8,3/10-25,3/27-48 full
set port duplex 3/9,3/26 half
set port trap 3/1-48 disable
set port name 3/1 to R1/fa4/0/0
set port name 3/2 to DD1
set port name 3/3 to LD1/e0
set port name 3/4 to LD1/e1
set port name 3/5 to CE1
set port name 3/6 to CVS
set port name 3/13 to PIX-1/e0
set port name 3/15 to-CE-10
set port name 3/16 to-CE-11
set port name 3/25 to PIX-1/e1
set port name 3/7-12,3/14,3/17-24,3/26-48
set port security 3/1-48 disable
set port broadcast 3/1-48 100%
set port membership 3/1-48 static
set port protocol 3/1-48 ip on
set port protocol 3/1-48 ipx auto
set port protocol 3/1-48 group auto
set port flowcontrol 3/1-48 send off
set port flowcontrol 3/1-48 receive off
set cdp enable 3/1-48
set udld disable 3/1-48
set trunk 3/1 off negotiate 1-1005
set trunk 3/2 off negotiate 1-1005
set trunk 3/3 off negotiate 1-1005
set trunk 3/4 off negotiate 1-1005
set trunk 3/5 off negotiate 1-1005
set trunk 3/6 off negotiate 1-1005
set trunk 3/7 off negotiate 1-1005
set trunk 3/8 off negotiate 1-1005
set trunk 3/9 off negotiate 1-1005
set trunk 3/10 off negotiate 1-1005
set trunk 3/11 off negotiate 1-1005
set trunk 3/12 off negotiate 1-1005
set trunk 3/13 off negotiate 1-1005
set trunk 3/14 off negotiate 1-1005
set trunk 3/15 off negotiate 1-1005
set trunk 3/16 off negotiate 1-1005
set trunk 3/17 off negotiate 1-1005
set trunk 3/18 off negotiate 1-1005
set trunk 3/19 off negotiate 1-1005
set trunk 3/20 off negotiate 1-1005
set trunk 3/21 off negotiate 1-1005
set trunk 3/22 off negotiate 1-1005
set trunk 3/23 off negotiate 1-1005
set trunk 3/24 off negotiate 1-1005
set trunk 3/25 off negotiate 1-1005
set trunk 3/26 off negotiate 1-1005
set trunk 3/27 off negotiate 1-1005
set trunk 3/28 off negotiate 1-1005
set trunk 3/29 off negotiate 1-1005
set trunk 3/30 off negotiate 1-1005
set trunk 3/31 off negotiate 1-1005
set trunk 3/32 off negotiate 1-1005
set trunk 3/33 off negotiate 1-1005
set trunk 3/34 off negotiate 1-1005
set trunk 3/35 off negotiate 1-1005
set trunk 3/36 off negotiate 1-1005
set trunk 3/37 off negotiate 1-1005
set trunk 3/38 off negotiate 1-1005
set trunk 3/39 off negotiate 1-1005
set trunk 3/40 off negotiate 1-1005
set trunk 3/41 off negotiate 1-1005
set trunk 3/42 off negotiate 1-1005
set trunk 3/43 off negotiate 1-1005
set trunk 3/44 off negotiate 1-1005
set trunk 3/45 off negotiate 1-1005
set trunk 3/46 off negotiate 1-1005
set trunk 3/47 off negotiate 1-1005
set trunk 3/48 off negotiate 1-1005
set spantree portfast 3/1-48 disable
set spantree portcost 3/1-25,3/27-48 19
set spantree portcost 3/26 100
set spantree portpri 3/1-48 32
set spantree portvlanpri 3/1 0
set spantree portvlanpri 3/2 0
set spantree portvlanpri 3/3 0
set spantree portvlanpri 3/4 0
set spantree portvlanpri 3/5 0
set spantree portvlanpri 3/6 0
set spantree portvlanpri 3/7 0
set spantree portvlanpri 3/8 0
set spantree portvlanpri 3/9 0
set spantree portvlanpri 3/10 0
set spantree portvlanpri 3/11 0
set spantree portvlanpri 3/12 0
set spantree portvlanpri 3/13 0
set spantree portvlanpri 3/14 0
set spantree portvlanpri 3/15 0
set spantree portvlanpri 3/16 0
set spantree portvlanpri 3/17 0
set spantree portvlanpri 3/18 0
set spantree portvlanpri 3/19 0
set spantree portvlanpri 3/20 0
set spantree portvlanpri 3/21 0
set spantree portvlanpri 3/22 0
set spantree portvlanpri 3/23 0
set spantree portvlanpri 3/24 0
set spantree portvlanpri 3/25 0
set spantree portvlanpri 3/26 0
set spantree portvlanpri 3/27 0
set spantree portvlanpri 3/28 0
set spantree portvlanpri 3/29 0
set spantree portvlanpri 3/30 0
set spantree portvlanpri 3/31 0
set spantree portvlanpri 3/32 0
set spantree portvlanpri 3/33 0
set spantree portvlanpri 3/34 0
set spantree portvlanpri 3/35 0
set spantree portvlanpri 3/36 0
set spantree portvlanpri 3/37 0
set spantree portvlanpri 3/38 0
set spantree portvlanpri 3/39 0
set spantree portvlanpri 3/40 0
set spantree portvlanpri 3/41 0
set spantree portvlanpri 3/42 0
set spantree portvlanpri 3/43 0
set spantree portvlanpri 3/44 0
set spantree portvlanpri 3/45 0
set spantree portvlanpri 3/46 0
set spantree portvlanpri 3/47 0
set spantree portvlanpri 3/48 0
set spantree portvlancost 3/1 cost 18
set spantree portvlancost 3/2 cost 18
set spantree portvlancost 3/3 cost 18
set spantree portvlancost 3/4 cost 18
set spantree portvlancost 3/5 cost 18
set spantree portvlancost 3/6 cost 18
set spantree portvlancost 3/7 cost 18
set spantree portvlancost 3/8 cost 18
set spantree portvlancost 3/9 cost 18
set spantree portvlancost 3/10 cost 18
set spantree portvlancost 3/11 cost 18
set spantree portvlancost 3/12 cost 18
set spantree portvlancost 3/13 cost 18
set spantree portvlancost 3/14 cost 18
set spantree portvlancost 3/15 cost 18
set spantree portvlancost 3/16 cost 18
set spantree portvlancost 3/17 cost 18
set spantree portvlancost 3/18 cost 18
set spantree portvlancost 3/19 cost 18
set spantree portvlancost 3/20 cost 18
set spantree portvlancost 3/21 cost 18
set spantree portvlancost 3/22 cost 18
set spantree portvlancost 3/23 cost 18
set spantree portvlancost 3/24 cost 18
set spantree portvlancost 3/25 cost 18
set spantree portvlancost 3/26 cost 99
set spantree portvlancost 3/27 cost 18
set spantree portvlancost 3/28 cost 18
set spantree portvlancost 3/29 cost 18
set spantree portvlancost 3/30 cost 18
set spantree portvlancost 3/31 cost 18
set spantree portvlancost 3/32 cost 18
set spantree portvlancost 3/33 cost 18
set spantree portvlancost 3/34 cost 18
set spantree portvlancost 3/35 cost 18
set spantree portvlancost 3/36 cost 18
set spantree portvlancost 3/37 cost 18
set spantree portvlancost 3/38 cost 18
set spantree portvlancost 3/39 cost 18
set spantree portvlancost 3/40 cost 18
set spantree portvlancost 3/41 cost 18
set spantree portvlancost 3/42 cost 18
set spantree portvlancost 3/43 cost 18
set spantree portvlancost 3/44 cost 18
set spantree portvlancost 3/45 cost 18
set spantree portvlancost 3/46 cost 18
set spantree portvlancost 3/47 cost 18
set spantree portvlancost 3/48 cost 18
set port qos 3/1-48 cos 0
set port qos 3/1-48 trust untrusted
set port qos 3/1-48 port-based
set port qos 3/1-48 policy-source cops
set port rsvp 3/1-48 dsbm-election disable 128
set port gvrp 3/1-48 disable
set gvrp registration normal 3/1-48
set gvrp applicant normal 3/1-48
set port gmrp 3/1-48 enable
set gmrp registration normal 3/1-48
set gmrp fwdall disable 3/1-48
set port channel 3/1-48 mode off
!
#module 4 : 48-port 10/100BaseTX (RJ-45)
set module name 4
set module enable 4
set vlan 2 4/40
set vlan 4 4/13-16,4/18-24
set vlan 5 4/25-36
set vlan 11 4/41-43
set vlan 12 4/44-47
set vlan 44 4/1-12,4/17,4/37-39
set vlan 111 4/48
set port enable 4/1-48
set port speed 4/1-48 100
set port duplex 4/1-48 full
set port trap 4/1-48 disable
set port name 4/1-48
set port security 4/1-48 disable
set port broadcast 4/1-48 100%
set port membership 4/1-48 static
set port protocol 4/1-48 ip on
set port protocol 4/1-48 ipx auto
set port protocol 4/1-48 group auto
set port flowcontrol 4/1-48 send off
set port flowcontrol 4/1-48 receive off
set cdp enable 4/1-48
set udld disable 4/1-48
set trunk 4/1 off negotiate 1-1005
set trunk 4/2 off negotiate 1-1005
set trunk 4/3 off negotiate 1-1005
set trunk 4/4 off negotiate 1-1005
set trunk 4/5 off negotiate 1-1005
set trunk 4/6 off negotiate 1-1005
set trunk 4/7 off negotiate 1-1005
set trunk 4/8 off negotiate 1-1005
set trunk 4/9 off negotiate 1-1005
set trunk 4/10 off negotiate 1-1005
set trunk 4/11 off negotiate 1-1005
set trunk 4/12 off negotiate 1-1005
set trunk 4/13 off negotiate 1-1005
set trunk 4/14 off negotiate 1-1005
set trunk 4/15 off negotiate 1-1005
set trunk 4/16 off negotiate 1-1005
set trunk 4/17 off negotiate 1-1005
set trunk 4/18 off negotiate 1-1005
set trunk 4/19 off negotiate 1-1005
set trunk 4/20 off negotiate 1-1005
set trunk 4/21 off negotiate 1-1005
set trunk 4/22 off negotiate 1-1005
set trunk 4/23 off negotiate 1-1005
set trunk 4/24 off negotiate 1-1005
set trunk 4/25 off negotiate 1-1005
set trunk 4/26 off negotiate 1-1005
set trunk 4/27 off negotiate 1-1005
set trunk 4/28 off negotiate 1-1005
set trunk 4/29 off negotiate 1-1005
set trunk 4/30 off negotiate 1-1005
set trunk 4/31 off negotiate 1-1005
set trunk 4/32 off negotiate 1-1005
set trunk 4/33 off negotiate 1-1005
set trunk 4/34 off negotiate 1-1005
set trunk 4/35 off negotiate 1-1005
set trunk 4/36 off negotiate 1-1005
set trunk 4/37 off negotiate 1-1005
set trunk 4/38 off negotiate 1-1005
set trunk 4/39 off negotiate 1-1005
set trunk 4/40 off negotiate 1-1005
set trunk 4/41 off negotiate 1-1005
set trunk 4/42 off negotiate 1-1005
set trunk 4/43 off negotiate 1-1005
set trunk 4/44 off negotiate 1-1005
set trunk 4/45 off negotiate 1-1005
set trunk 4/46 off negotiate 1-1005
set trunk 4/47 off negotiate 1-1005
set trunk 4/48 off negotiate 1-1005
set spantree portfast 4/1-48 disable
set spantree portcost 4/1-48 19
set spantree portpri 4/1-48 32
set spantree portvlanpri 4/1 0
set spantree portvlanpri 4/2 0
set spantree portvlanpri 4/3 0
set spantree portvlanpri 4/4 0
set spantree portvlanpri 4/5 0
set spantree portvlanpri 4/6 0
set spantree portvlanpri 4/7 0
set spantree portvlanpri 4/8 0
set spantree portvlanpri 4/9 0
set spantree portvlanpri 4/10 0
set spantree portvlanpri 4/11 0
set spantree portvlanpri 4/12 0
set spantree portvlanpri 4/13 0
set spantree portvlanpri 4/14 0
set spantree portvlanpri 4/15 0
set spantree portvlanpri 4/16 0
set spantree portvlanpri 4/17 0
set spantree portvlanpri 4/18 0
set spantree portvlanpri 4/19 0
set spantree portvlanpri 4/20 0
set spantree portvlanpri 4/21 0
set spantree portvlanpri 4/22 0
set spantree portvlanpri 4/23 0
set spantree portvlanpri 4/24 0
set spantree portvlanpri 4/25 0
set spantree portvlanpri 4/26 0
set spantree portvlanpri 4/27 0
set spantree portvlanpri 4/28 0
set spantree portvlanpri 4/29 0
set spantree portvlanpri 4/30 0
set spantree portvlanpri 4/31 0
set spantree portvlanpri 4/32 0
set spantree portvlanpri 4/33 0
set spantree portvlanpri 4/34 0
set spantree portvlanpri 4/35 0
set spantree portvlanpri 4/36 0
set spantree portvlanpri 4/37 0
set spantree portvlanpri 4/38 0
set spantree portvlanpri 4/39 0
set spantree portvlanpri 4/40 0
set spantree portvlanpri 4/41 0
set spantree portvlanpri 4/42 0
set spantree portvlanpri 4/43 0
set spantree portvlanpri 4/44 0
set spantree portvlanpri 4/45 0
set spantree portvlanpri 4/46 0
set spantree portvlanpri 4/47 0
set spantree portvlanpri 4/48 0
set spantree portvlancost 4/1 cost 18
set spantree portvlancost 4/2 cost 18
set spantree portvlancost 4/3 cost 18
set spantree portvlancost 4/4 cost 18
set spantree portvlancost 4/5 cost 18
set spantree portvlancost 4/6 cost 18
set spantree portvlancost 4/7 cost 18
set spantree portvlancost 4/8 cost 18
set spantree portvlancost 4/9 cost 18
set spantree portvlancost 4/10 cost 18
set spantree portvlancost 4/11 cost 18
set spantree portvlancost 4/12 cost 18
set spantree portvlancost 4/13 cost 18
set spantree portvlancost 4/14 cost 18
set spantree portvlancost 4/15 cost 18
set spantree portvlancost 4/16 cost 18
set spantree portvlancost 4/17 cost 18
set spantree portvlancost 4/18 cost 18
set spantree portvlancost 4/19 cost 18
set spantree portvlancost 4/20 cost 18
set spantree portvlancost 4/21 cost 18
set spantree portvlancost 4/22 cost 18
set spantree portvlancost 4/23 cost 18
set spantree portvlancost 4/24 cost 18
set spantree portvlancost 4/25 cost 18
set spantree portvlancost 4/26 cost 18
set spantree portvlancost 4/27 cost 18
set spantree portvlancost 4/28 cost 18
set spantree portvlancost 4/29 cost 18
set spantree portvlancost 4/30 cost 18
set spantree portvlancost 4/31 cost 18
set spantree portvlancost 4/32 cost 18
set spantree portvlancost 4/33 cost 18
set spantree portvlancost 4/34 cost 18
set spantree portvlancost 4/35 cost 18
set spantree portvlancost 4/36 cost 18
set spantree portvlancost 4/37 cost 18
set spantree portvlancost 4/38 cost 18
set spantree portvlancost 4/39 cost 18
set spantree portvlancost 4/40 cost 18
set spantree portvlancost 4/41 cost 18
set spantree portvlancost 4/42 cost 18
set spantree portvlancost 4/43 cost 18
set spantree portvlancost 4/44 cost 18
set spantree portvlancost 4/45 cost 18
set spantree portvlancost 4/46 cost 18
set spantree portvlancost 4/47 cost 18
set spantree portvlancost 4/48 cost 18
set port qos 4/1-48 cos 0
set port qos 4/1-48 trust untrusted
set port qos 4/1-48 port-based
set port qos 4/1-48 policy-source cops
set port rsvp 4/1-48 dsbm-election disable 128
set port gvrp 4/1-48 disable
set gvrp registration normal 4/1-48
set gvrp applicant normal 4/1-48
set port gmrp 4/1-48 enable
set gmrp registration normal 4/1-48
set gmrp fwdall disable 4/1-48
set port channel 4/1-48 mode off
!
#module 5 empty
!
#module 6 empty
!
#module 15 : 1-port Multilayer Switch Feature Card
set module name 15
set module enable 15
set vlan 1 15/1
set port enable 15/1
set port name 15/1
set cdp enable 15/1
set trunk 15/1 nonegotiate isl 1-1005
set spantree portcost 15/1 4
set spantree portpri 15/1 32
set spantree portvlanpri 15/1 0
set spantree portvlancost 15/1 cost 3
set port rsvp 15/1 dsbm-election disable 128
set port gmrp 15/1 enable
set gmrp registration normal 15/1
set gmrp fwdall disable 15/1
!
#module 16 empty
!
#switch port analyzer
set span 2/7 3/11 both inpkts enable multicast enable learning enable create
!
#cam
set cam agingtime 1-2,4-5,11-12,44,50,90-94,99-100,111,1003,1005 300
!
#gvrp
set gvrp dynamic-vlan-creation disable
set gvrp disable
end

Main Site Cisco Catalyst Switch 2 (S2)

ecom-hq-sw-b1 (enable) sh config
.......
..............
..............
.............
.............


............

..

begin
!
#version 5.3(1a)CSX
!
set prompt ecom-hq-sw-b1
set length 24 default
set logout 20
set banner motd ^C^C
!
#system
set system baud 9600
set system modem disable
set system name
set system location
set system contact
!
#power
set power redundancy enable
!
#frame distribution method
set port channel all distribution ip both
!
#snmp
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
set snmp rmon disable
set snmp trap disable module
set snmp trap disable chassis
set snmp trap disable repeater
set snmp trap disable vtp
set snmp trap disable auth
set snmp trap disable ippermit
set snmp trap disable vmps
set snmp trap disable entity
set snmp trap disable config
set snmp trap disable syslog
set snmp trap disable stpx
!
#tacacs+
set tacacs attempts 3
set tacacs directedrequest disable
!
#radius
set radius deadtime 0
set radius timeout 5
set radius retransmit 2
!
#authentication
set authentication login tacacs disable console
set authentication login tacacs disable telnet
set authentication enable tacacs disable console
set authentication enable tacacs disable telnet
set authentication login radius disable console
set authentication login radius disable telnet
set authentication enable radius disable console
set authentication enable radius disable telnet
set authentication login local enable console
set authentication login local enable telnet
set authentication enable local enable console
set authentication enable local enable telnet
!
#vtp
set vtp domain B2
set vtp mode server
set vtp v2 disable
set vtp pruning disable
set vtp pruneeligible 2-1000
clear vtp pruneeligible 1001-1005
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 2 name VLAN0002 type ethernet mtu 1500 said 100002 state active
set vlan 4 name VLAN0004 type ethernet mtu 1500 said 100004 state active
set vlan 5 name VLAN0005 type ethernet mtu 1500 said 100005 state active
set vlan 11 name VLAN0011 type ethernet mtu 1500 said 100011 state active
set vlan 12 name VLAN0012 type ethernet mtu 1500 said 100012 state active
set vlan 44 name VLAN0044 type ethernet mtu 1500 said 100044 state active
set vlan 50 name VLAN0050 type ethernet mtu 1500 said 100050 state active
set vlan 90 name VLAN0090 type ethernet mtu 1500 said 100090 state active
set vlan 91 name VLAN0091 type ethernet mtu 1500 said 100091 state active
set vlan 92 name VLAN0092 type ethernet mtu 1500 said 100092 state active
set vlan 93 name VLAN0093 type ethernet mtu 1500 said 100093 state active
set vlan 94 name VLAN0094 type ethernet mtu 1500 said 100094 state active
set vlan 99 name VLAN0099 type ethernet mtu 1500 said 100099 state active
set vlan 100 name VLAN0100 type ethernet mtu 1500 said 100100 state active
set vlan 111 name VLAN0111 type ethernet mtu 1500 said 100111 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active bridge 0x0 stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active bridge 0x0 stp ibm
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active parent 0 ring 0x0 mode srb aremaxhop 0 stemaxhop 0
!
#ip
set interface sc0 91 172.26.230.12/255.255.255.192 172.26.230.63
set interface sc0 up
set interface sl0 0.0.0.0 0.0.0.0
set interface sl0 up
set arp agingtime 120
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip route 0.0.0.0/0.0.0.0 172.26.230.3 1
set ip alias default 0.0.0.0
!
#Command alias
!
#vmps
set vmps server retry 3
set vmps server reconfirminterval 60
!
#dns
set ip dns disable
!
#spantree
#uplinkfast groups
set spantree uplinkfast disable
#backbonefast
set spantree backbonefast disable
#vlan 1
set spantree enable 1
set spantree fwddelay 7 1
set spantree hello 1 1
set spantree maxage 10 1
set spantree priority 32768 1
#vlan 2
set spantree enable 2
set spantree fwddelay 15 2
set spantree hello 2 2
set spantree maxage 20 2
set spantree priority 32768 2
#vlan 4
set spantree enable 4
set spantree fwddelay 15 4
set spantree hello 2 4
set spantree maxage 20 4
set spantree priority 32768 4
#vlan 5
set spantree enable 5
set spantree fwddelay 7 5
set spantree hello 1 5
set spantree maxage 10 5
set spantree priority 32768 5
#vlan 11
set spantree enable 11
set spantree fwddelay 15 11
set spantree hello 2 11
set spantree maxage 20 11
set spantree priority 32768 11
#vlan 12
set spantree enable 12
set spantree fwddelay 15 12
set spantree hello 2 12
set spantree maxage 20 12
set spantree priority 32768 12
#vlan 44
set spantree enable 44
set spantree fwddelay 7 44
set spantree hello 1 44
set spantree maxage 10 44
set spantree priority 32768 44
#vlan 50
set spantree enable 50
set spantree fwddelay 15 50
set spantree hello 2 50
set spantree maxage 20 50
set spantree priority 32768 50
#vlan 90
set spantree enable 90
set spantree fwddelay 15 90
set spantree hello 2 90
set spantree maxage 20 90
set spantree priority 32768 90
#vlan 91
set spantree enable 91
set spantree fwddelay 7 91
set spantree hello 1 91
set spantree maxage 10 91
set spantree priority 32768 91
#vlan 92
set spantree enable 92
set spantree fwddelay 15 92
set spantree hello 2 92
set spantree maxage 20 92
set spantree priority 32768 92
#vlan 93
set spantree enable 93
set spantree fwddelay 15 93
set spantree hello 2 93
set spantree maxage 20 93
set spantree priority 32768 93
#vlan 94
set spantree enable 94
set spantree fwddelay 15 94
set spantree hello 2 94
set spantree maxage 20 94
set spantree priority 32768 94
#vlan 99
set spantree enable 99
set spantree fwddelay 15 99
set spantree hello 2 99
set spantree maxage 20 99
set spantree priority 32768 99
#vlan 100
set spantree enable 100
set spantree fwddelay 15 100
set spantree hello 2 100
set spantree maxage 20 100
set spantree priority 32768 100
#vlan 111
set spantree enable 111
set spantree fwddelay 15 111
set spantree hello 2 111
set spantree maxage 20 111
set spantree priority 32768 111
#vlan 1003
set spantree enable 1003
set spantree fwddelay 15 1003
set spantree hello 2 1003
set spantree maxage 20 1003
set spantree priority 32768 1003
#vlan 1005
set spantree disable 1005
set spantree fwddelay 15 1005
set spantree hello 2 1005
set spantree maxage 20 1005
set spantree priority 32768 1005
!
#syslog
set logging console enable
set logging server disable
set logging level cdp 4 default
set logging level mcast 2 default
set logging level dtp 5 default
set logging level dvlan 2 default
set logging level earl 2 default
set logging level ip 2 default
set logging level pruning 2 default
set logging level snmp 2 default
set logging level spantree 2 default
set logging level sys 5 default
set logging level tac 2 default
set logging level tcp 2 default
set logging level telnet 2 default
set logging level tftp 2 default
set logging level vtp 2 default
set logging level kernel 2 default
set logging level filesys 2 default
set logging level pagp 5 default
set logging level mgmt 5 default
set logging level mls 5 default
set logging level protfilt 2 default
set logging level security 2 default
set logging level radius 2 default
set logging level udld 4 default
set logging level gvrp 2 default
set logging level cops 2 default
set logging level qos 2 default
set logging level acl 2 default
set logging server facility LOCAL7
set logging server severity 4
set logging buffer 500
set logging timestamp enable
!
#ntp
set ntp broadcastclient disable
set ntp broadcastdelay 3000
set ntp client disable
clear timezone
set summertime disable
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat6000-sup.5-3-1a-CSX.bin
!
#permit list
set ip permit disable
!
#igmp
set igmp disable
!
#protocolfilter
set protocolfilter disable
!
#mls
set mls agingtime 256
set mls agingtime fast 0 0
set mls flow destination
set mls nde version 7
set mls nde disable
!
#qos
set qos disable
set qos drop-threshold 1q4t rx queue 1 50 60 80 100
set qos map 2q2t tx 1 1 cos 0
set qos map 2q2t tx 1 1 cos 1
set qos map 2q2t tx 1 2 cos 2
set qos map 2q2t tx 1 2 cos 3
set qos map 2q2t tx 2 1 cos 4
set qos map 2q2t tx 2 1 cos 5
set qos map 2q2t tx 2 2 cos 6
set qos map 2q2t tx 2 2 cos 7
set qos drop-threshold 2q2t tx queue 1 80 100
set qos drop-threshold 2q2t tx queue 2 80 100
set qos wrr 2q2t 5 255
set qos txq-ratio 2q2t 80 20
set qos map 1p1q4t rx 1 1 cos 0
set qos map 1p1q4t rx 1 1 cos 1
set qos map 1p1q4t rx 1 2 cos 2
set qos map 1p1q4t rx 1 2 cos 3
set qos map 1p1q4t rx 1 3 cos 4
set qos map 1p1q4t rx 1 3 cos 5
set qos map 1p1q4t rx 2 1 cos 6
set qos map 1p1q4t rx 1 4 cos 7
set qos drop-threshold 1p1q4t rx queue 1 50 60 80 100
set qos map 1p2q2t tx 1 1 cos 0
set qos map 1p2q2t tx 1 1 cos 1
set qos map 1p2q2t tx 1 2 cos 2
set qos map 1p2q2t tx 1 2 cos 3
set qos map 1p2q2t tx 2 1 cos 4
set qos map 1p2q2t tx 2 1 cos 5
set qos map 1p2q2t tx 3 1 cos 6
set qos map 1p2q2t tx 2 2 cos 7
set qos wred 1p2q2t tx queue 1 80 100
set qos wred 1p2q2t tx queue 2 80 100
set qos wrr 1p2q2t 5 255
set qos txq-ratio 1p2q2t 70 15 15
set qos bridged-microflow-policing disable 1-1000
set qos cos-dscp-map 0 8 16 24 32 40 48 56
set qos ipprec-dscp-map 0 8 16 24 32 40 48 56
set qos dscp-cos-map 0-7:0
set qos dscp-cos-map 8-15:1
set qos dscp-cos-map 16-23:2
set qos dscp-cos-map 24-31:3
set qos dscp-cos-map 32-39:4
set qos dscp-cos-map 40-47:5
set qos dscp-cos-map 48-55:6
set qos dscp-cos-map 56-63:7
set qos policed-dscp-map 0:0
set qos policed-dscp-map 1:1
set qos policed-dscp-map 2:2
set qos policed-dscp-map 3:3
set qos policed-dscp-map 4:4
set qos policed-dscp-map 5:5
set qos policed-dscp-map 6:6
set qos policed-dscp-map 7:7
set qos policed-dscp-map 8:8
set qos policed-dscp-map 9:9
set qos policed-dscp-map 10:10
set qos policed-dscp-map 11:11
set qos policed-dscp-map 12:12
set qos policed-dscp-map 13:13
set qos policed-dscp-map 14:14
set qos policed-dscp-map 15:15
set qos policed-dscp-map 16:16
set qos policed-dscp-map 17:17
set qos policed-dscp-map 18:18
set qos policed-dscp-map 19:19
set qos policed-dscp-map 20:20
set qos policed-dscp-map 21:21
set qos policed-dscp-map 22:22
set qos policed-dscp-map 23:23
set qos policed-dscp-map 24:24
set qos policed-dscp-map 25:25
set qos policed-dscp-map 26:26
set qos policed-dscp-map 27:27
set qos policed-dscp-map 28:28
set qos policed-dscp-map 29:29
set qos policed-dscp-map 30:30
set qos policed-dscp-map 31:31
set qos policed-dscp-map 32:32
set qos policed-dscp-map 33:33
set qos policed-dscp-map 34:34
set qos policed-dscp-map 35:35
set qos policed-dscp-map 36:36
set qos policed-dscp-map 37:37
set qos policed-dscp-map 38:38
set qos policed-dscp-map 39:39
set qos policed-dscp-map 40:40
set qos policed-dscp-map 41:41
set qos policed-dscp-map 42:42
set qos policed-dscp-map 43:43
set qos policed-dscp-map 44:44
set qos policed-dscp-map 45:45
set qos policed-dscp-map 46:46
set qos policed-dscp-map 47:47
set qos policed-dscp-map 48:48
set qos policed-dscp-map 49:49
set qos policed-dscp-map 50:50
set qos policed-dscp-map 51:51
set qos policed-dscp-map 52:52
set qos policed-dscp-map 53:53
set qos policed-dscp-map 54:54
set qos policed-dscp-map 55:55
set qos policed-dscp-map 56:56
set qos policed-dscp-map 57:57
set qos policed-dscp-map 58:58
set qos policed-dscp-map 59:59
set qos policed-dscp-map 60:60
set qos policed-dscp-map 61:61
set qos policed-dscp-map 62:62
set qos policed-dscp-map 63:63
set qos acl default-action ip dscp 0
set qos acl default-action ipx dscp 0
set qos acl default-action mac dscp 0
set qos policy-source local
set cops retry-interval 30 30 300
set qos rsvp disable
set qos rsvp policy-timeout 30
set qos rsvp local-policy forward
!
#vlan mapping
!
#gmrp
set gmrp disable
!
#garp
set garp timer join 200
set garp timer leave 600
set garp timer leaveall 10000
!
#CDP
set cdp interval 60
set cdp holdtime 180
set cdp enable
!
#UDLD
set udld disable
!
#Port Channel
set port channel 2/5-8 97
set port channel 3/1-4 98
set port channel 3/5-8 99
set port channel 3/9-12 100
set port channel 3/13-16 101
set port channel 3/17-20 102
set port channel 3/21-24 103
set port channel 3/25-28 104
set port channel 3/29-32 105
set port channel 3/33-36 106
set port channel 3/37-40 107
set port channel 3/41-44 108
set port channel 3/45-48 109
set port channel 4/1-4 110
set port channel 4/5-8 111
set port channel 4/9-12 112
set port channel 4/13-16 113
set port channel 4/17-20 114
set port channel 4/21-24 115
set port channel 4/25-28 116
set port channel 4/29-32 117
set port channel 4/33-36 118
set port channel 4/37-40 119
set port channel 4/41-44 120
set port channel 4/45-48 121
set port channel 2/1-2 122
set port channel 2/3-4 160
set port channel 1/1-2 185
!
#Security ACLs
clear security acl all
commit security acl all
!
#Local Director Acceleration
set lda disable
!
#module 1 : 2-port 1000BaseX Supervisor
set module name 1
set vlan 1 1/1-2
set port enable 1/1-2
set port trap 1/1-2 disable
set port name 1/1-2
set port security 1/1-2 disable
set port broadcast 1/1-2 100%
set port membership 1/1-2 static
set port protocol 1/1-2 ip on
set port protocol 1/1-2 ipx auto
set port protocol 1/1-2 group auto
set port negotiation 1/1-2 enable
set port flowcontrol 1/1-2 send desired
set port flowcontrol 1/1-2 receive off
set cdp enable 1/1-2
set udld disable 1/1-2
set trunk 1/1 auto negotiate 1-1005
set trunk 1/2 auto negotiate 1-1005
set spantree portfast 1/1-2 disable
set spantree portcost 1/1-2 4
set spantree portpri 1/1-2 32
set spantree portvlanpri 1/1 0
set spantree portvlanpri 1/2 0
set spantree portvlancost 1/1 cost 3
set spantree portvlancost 1/2 cost 3
set port qos 1/1-2 cos 0
set port qos 1/1-2 trust untrusted
set port qos 1/1-2 port-based
set port qos 1/1-2 policy-source cops
set port rsvp 1/1-2 dsbm-election disable 128
set port gvrp 1/1-2 disable
set gvrp registration normal 1/1-2
set gvrp applicant normal 1/1-2
set port gmrp 1/1-2 enable
set gmrp registration normal 1/1-2
set gmrp fwdall disable 1/1-2
set port channel 1/1-2 mode auto silent
set port jumbo 1/1 disable
set port jumbo 1/2 disable
!
#module 2 : 8-port 1000BaseX Ethernet
set module name 2
set module enable 2
set vlan 1 2/5-6
set vlan 44 2/8
set vlan 50 2/1-4
set vlan 91 2/7
set port enable 2/3-8
set port disable 2/1-2
set port trap 2/1-8 disable
set port name 2/1-8
set port security 2/1-8 disable
set port broadcast 2/1-8 100%
set port membership 2/1-8 static
set port protocol 2/1-8 ip on
set port protocol 2/1-8 ipx auto
set port protocol 2/1-8 group auto
set port negotiation 2/1-8 enable
set port flowcontrol 2/1-8 send desired
set port flowcontrol 2/1-8 receive off
set cdp enable 2/1-8
set udld enable 2/3-4,2/7-8
set udld disable 2/1-2,2/5-6
set trunk 2/1 auto negotiate 1-1005
set trunk 2/2 auto negotiate 1-1005
clear trunk 2/3 2-4,6-43,45-90,92-1000
set trunk 2/3 desirable dot1q 1,5,44,91,1001-1005
clear trunk 2/4 2-4,6-43,45-90,92-1000
set trunk 2/4 desirable dot1q 1,5,44,91,1001-1005
set trunk 2/5 auto negotiate 1-1005
set trunk 2/6 auto negotiate 1-1005
set trunk 2/7 auto negotiate 1-1005
set trunk 2/8 auto negotiate 1-1005
set spantree portfast 2/7-8 enable
set spantree portfast 2/1-6 disable
set spantree portcost 2/1-8 4
set spantree portpri 2/1-8 32
set spantree portvlanpri 2/1 0
set spantree portvlanpri 2/2 0
set spantree portvlanpri 2/3 0
set spantree portvlanpri 2/4 0
set spantree portvlanpri 2/5 0
set spantree portvlanpri 2/6 0
set spantree portvlanpri 2/7 0
set spantree portvlanpri 2/8 0
set spantree portvlancost 2/1 cost 3
set spantree portvlancost 2/2 cost 3
set spantree portvlancost 2/3 cost 3
set spantree portvlancost 2/4 cost 3
set spantree portvlancost 2/5 cost 3
set spantree portvlancost 2/6 cost 3
set spantree portvlancost 2/7 cost 3
set spantree portvlancost 2/8 cost 3
set port qos 2/1-8 cos 0
set port qos 2/1-8 trust untrusted
set port qos 2/1-8 port-based
set port qos 2/1-8 policy-source cops
set port rsvp 2/1-8 dsbm-election disable 128
set port gvrp 2/1-8 disable
set gvrp registration normal 2/1-8
set gvrp applicant normal 2/1-8
set port gmrp 2/1-8 enable
set gmrp registration normal 2/1-8
set gmrp fwdall disable 2/1-8
set port channel 2/3-8 mode auto silent
set port channel 2/1-2 mode desirable silent
set port jumbo 2/1 disable
set port jumbo 2/2 disable
set port jumbo 2/3 disable
set port jumbo 2/4 disable
set port jumbo 2/5 disable
set port jumbo 2/6 disable
set port jumbo 2/7 disable
set port jumbo 2/8 disable
!
#module 3 : 48-port 10/100BaseTX (RJ-45)
set module name 3
set module enable 3
set vlan 1 3/1
set vlan 2 3/39-40
set vlan 4 3/14,3/16-22
set vlan 5 3/25-36
set vlan 11 3/41-43
set vlan 12 3/44-48
set vlan 44 3/4,3/6-13,3/23-24
set vlan 91 3/3,3/5,3/15
set vlan 93 3/38
set vlan 94 3/37
set vlan 100 3/2
set port enable 3/1-4,3/6-14,3/17-48
set port disable 3/5,3/15-16
set port speed 3/26 10
set port speed 3/1-25,3/27-48 100
set port duplex 3/1-25,3/27-48 full
set port duplex 3/26 half
set port trap 3/1-48 disable
set port name 3/3 to LD2 port E0
set port name 3/4 to LD2 port E1
set port name 3/5 to CE-2
set port name 3/13 to PIX-2/e0
set port name 3/15 to-CE-12
set port name 3/25 to PIX-2/e1
set port name 3/1-2,3/6-12,3/14,3/16-24,3/26-48
set port security 3/1-48 disable
set port broadcast 3/1-48 100%
set port membership 3/1-48 static
set port protocol 3/1-48 ip on
set port protocol 3/1-48 ipx auto
set port protocol 3/1-48 group auto
set port flowcontrol 3/1-48 send off
set port flowcontrol 3/1-48 receive off
set cdp enable 3/1-48
set udld disable 3/1-48
set trunk 3/1 off negotiate 1-1005
set trunk 3/2 off negotiate 1-1005
set trunk 3/3 off negotiate 1-1005
set trunk 3/4 off negotiate 1-1005
set trunk 3/5 off negotiate 1-1005
set trunk 3/6 off negotiate 1-1005
set trunk 3/7 off negotiate 1-1005
set trunk 3/8 off negotiate 1-1005
set trunk 3/9 off negotiate 1-1005
set trunk 3/10 off negotiate 1-1005
set trunk 3/11 off negotiate 1-1005
set trunk 3/12 off negotiate 1-1005
set trunk 3/13 off negotiate 1-1005
set trunk 3/14 off negotiate 1-1005
set trunk 3/15 off negotiate 1-1005
set trunk 3/16 off negotiate 1-1005
set trunk 3/17 off negotiate 1-1005
set trunk 3/18 off negotiate 1-1005
set trunk 3/19 off negotiate 1-1005
set trunk 3/20 off negotiate 1-1005
set trunk 3/21 off negotiate 1-1005
set trunk 3/22 off negotiate 1-1005
set trunk 3/23 off negotiate 1-1005
set trunk 3/24 off negotiate 1-1005
set trunk 3/25 off negotiate 1-1005
set trunk 3/26 off negotiate 1-1005
set trunk 3/27 off negotiate 1-1005
set trunk 3/28 off negotiate 1-1005
set trunk 3/29 off negotiate 1-1005
set trunk 3/30 off negotiate 1-1005
set trunk 3/31 off negotiate 1-1005
set trunk 3/32 off negotiate 1-1005
set trunk 3/33 off negotiate 1-1005
set trunk 3/34 off negotiate 1-1005
set trunk 3/35 off negotiate 1-1005
set trunk 3/36 off negotiate 1-1005
set trunk 3/37 off negotiate 1-1005
set trunk 3/38 off negotiate 1-1005
set trunk 3/39 off negotiate 1-1005
set trunk 3/40 off negotiate 1-1005
set trunk 3/41 off negotiate 1-1005
set trunk 3/42 off negotiate 1-1005
set trunk 3/43 off negotiate 1-1005
set trunk 3/44 off negotiate 1-1005
set trunk 3/45 off negotiate 1-1005
set trunk 3/46 off negotiate 1-1005
set trunk 3/47 off negotiate 1-1005
set trunk 3/48 off negotiate 1-1005
set spantree portfast 3/1-48 disable
set spantree portcost 3/1-25,3/27-48 19
set spantree portcost 3/26 100
set spantree portpri 3/1-48 32
set spantree portvlanpri 3/1 0
set spantree portvlanpri 3/2 0
set spantree portvlanpri 3/3 0
set spantree portvlanpri 3/4 0
set spantree portvlanpri 3/5 0
set spantree portvlanpri 3/6 0
set spantree portvlanpri 3/7 0
set spantree portvlanpri 3/8 0
set spantree portvlanpri 3/9 0
set spantree portvlanpri 3/10 0
set spantree portvlanpri 3/11 0
set spantree portvlanpri 3/12 0
set spantree portvlanpri 3/13 0
set spantree portvlanpri 3/14 0
set spantree portvlanpri 3/15 0
set spantree portvlanpri 3/16 0
set spantree portvlanpri 3/17 0
set spantree portvlanpri 3/18 0
set spantree portvlanpri 3/19 0
set spantree portvlanpri 3/20 0
set spantree portvlanpri 3/21 0
set spantree portvlanpri 3/22 0
set spantree portvlanpri 3/23 0
set spantree portvlanpri 3/24 0
set spantree portvlanpri 3/25 0
set spantree portvlanpri 3/26 0
set spantree portvlanpri 3/27 0
set spantree portvlanpri 3/28 0
set spantree portvlanpri 3/29 0
set spantree portvlanpri 3/30 0
set spantree portvlanpri 3/31 0
set spantree portvlanpri 3/32 0
set spantree portvlanpri 3/33 0
set spantree portvlanpri 3/34 0
set spantree portvlanpri 3/35 0
set spantree portvlanpri 3/36 0
set spantree portvlanpri 3/37 0
set spantree portvlanpri 3/38 0
set spantree portvlanpri 3/39 0
set spantree portvlanpri 3/40 0
set spantree portvlanpri 3/41 0
set spantree portvlanpri 3/42 0
set spantree portvlanpri 3/43 0
set spantree portvlanpri 3/44 0
set spantree portvlanpri 3/45 0
set spantree portvlanpri 3/46 0
set spantree portvlanpri 3/47 0
set spantree portvlanpri 3/48 0
set spantree portvlancost 3/1 cost 18
set spantree portvlancost 3/2 cost 18
set spantree portvlancost 3/3 cost 18
set spantree portvlancost 3/4 cost 18
set spantree portvlancost 3/5 cost 18
set spantree portvlancost 3/6 cost 18
set spantree portvlancost 3/7 cost 18
set spantree portvlancost 3/8 cost 18
set spantree portvlancost 3/9 cost 18
set spantree portvlancost 3/10 cost 18
set spantree portvlancost 3/11 cost 18
set spantree portvlancost 3/12 cost 18
set spantree portvlancost 3/13 cost 18
set spantree portvlancost 3/14 cost 18
set spantree portvlancost 3/15 cost 18
set spantree portvlancost 3/16 cost 18
set spantree portvlancost 3/17 cost 18
set spantree portvlancost 3/18 cost 18
set spantree portvlancost 3/19 cost 18
set spantree portvlancost 3/20 cost 18
set spantree portvlancost 3/21 cost 18
set spantree portvlancost 3/22 cost 18
set spantree portvlancost 3/23 cost 18
set spantree portvlancost 3/24 cost 18
set spantree portvlancost 3/25 cost 18
set spantree portvlancost 3/26 cost 99
set spantree portvlancost 3/27 cost 18
set spantree portvlancost 3/28 cost 18
set spantree portvlancost 3/29 cost 18
set spantree portvlancost 3/30 cost 18
set spantree portvlancost 3/31 cost 18
set spantree portvlancost 3/32 cost 18
set spantree portvlancost 3/33 cost 18
set spantree portvlancost 3/34 cost 18
set spantree portvlancost 3/35 cost 18
set spantree portvlancost 3/36 cost 18
set spantree portvlancost 3/37 cost 18
set spantree portvlancost 3/38 cost 18
set spantree portvlancost 3/39 cost 18
set spantree portvlancost 3/40 cost 18
set spantree portvlancost 3/41 cost 18
set spantree portvlancost 3/42 cost 18
set spantree portvlancost 3/43 cost 18
set spantree portvlancost 3/44 cost 18
set spantree portvlancost 3/45 cost 18
set spantree portvlancost 3/46 cost 18
set spantree portvlancost 3/47 cost 18
set spantree portvlancost 3/48 cost 18
set port qos 3/1-48 cos 0
set port qos 3/1-48 trust untrusted
set port qos 3/1-48 port-based
set port qos 3/1-48 policy-source cops
set port rsvp 3/1-48 dsbm-election disable 128
set port gvrp 3/1-48 disable
set gvrp registration normal 3/1-48
set gvrp applicant normal 3/1-48
set port gmrp 3/1-48 enable
set gmrp registration normal 3/1-48
set gmrp fwdall disable 3/1-48
set port channel 3/1-48 mode off
!
#module 4 : 48-port 10/100BaseTX (RJ-45)
set module name 4
set module enable 4
set vlan 2 4/37-40
set vlan 4 4/14-24
set vlan 5 4/13,4/25-36
set vlan 11 4/41-43
set vlan 12 4/44-47
set vlan 44 4/1-12
set vlan 111 4/48
set port enable 4/1-22,4/25-48
set port disable 4/23-24
set port speed 4/1-48 100
set port duplex 4/1-48 full
set port trap 4/1-48 disable
set port name 4/1-48
set port security 4/1-48 disable
set port broadcast 4/1-48 100%
set port membership 4/1-48 static
set port protocol 4/1-48 ip on
set port protocol 4/1-48 ipx auto
set port protocol 4/1-48 group auto
set port flowcontrol 4/1-48 send off
set port flowcontrol 4/1-48 receive off
set cdp enable 4/1-48
set udld disable 4/1-48
set trunk 4/1 off negotiate 1-1005
set trunk 4/2 off negotiate 1-1005
set trunk 4/3 off negotiate 1-1005
set trunk 4/4 off negotiate 1-1005
set trunk 4/5 off negotiate 1-1005
set trunk 4/6 off negotiate 1-1005
set trunk 4/7 off negotiate 1-1005
set trunk 4/8 off negotiate 1-1005
set trunk 4/9 off negotiate 1-1005
set trunk 4/10 off negotiate 1-1005
set trunk 4/11 off negotiate 1-1005
set trunk 4/12 off negotiate 1-1005
set trunk 4/13 off negotiate 1-1005
set trunk 4/14 off negotiate 1-1005
set trunk 4/15 off negotiate 1-1005
set trunk 4/16 off negotiate 1-1005
set trunk 4/17 off negotiate 1-1005
set trunk 4/18 off negotiate 1-1005
set trunk 4/19 off negotiate 1-1005
set trunk 4/20 off negotiate 1-1005
set trunk 4/21 off negotiate 1-1005
set trunk 4/22 off negotiate 1-1005
set trunk 4/23 off negotiate 1-1005
set trunk 4/24 off negotiate 1-1005
set trunk 4/25 off negotiate 1-1005
set trunk 4/26 off negotiate 1-1005
set trunk 4/27 off negotiate 1-1005
set trunk 4/28 off negotiate 1-1005
set trunk 4/29 off negotiate 1-1005
set trunk 4/30 off negotiate 1-1005
set trunk 4/31 off negotiate 1-1005
set trunk 4/32 off negotiate 1-1005
set trunk 4/33 off negotiate 1-1005
set trunk 4/34 off negotiate 1-1005
set trunk 4/35 off negotiate 1-1005
set trunk 4/36 off negotiate 1-1005
set trunk 4/37 off negotiate 1-1005
set trunk 4/38 off negotiate 1-1005
set trunk 4/39 off negotiate 1-1005
set trunk 4/40 off negotiate 1-1005
set trunk 4/41 off negotiate 1-1005
set trunk 4/42 off negotiate 1-1005
set trunk 4/43 off negotiate 1-1005
set trunk 4/44 off negotiate 1-1005
set trunk 4/45 off negotiate 1-1005
set trunk 4/46 off negotiate 1-1005
set trunk 4/47 off negotiate 1-1005
set trunk 4/48 off negotiate 1-1005
set spantree portfast 4/1-48 disable
set spantree portcost 4/1-48 19
set spantree portpri 4/1-48 32
set spantree portvlanpri 4/1 0
set spantree portvlanpri 4/2 0
set spantree portvlanpri 4/3 0
set spantree portvlanpri 4/4 0
set spantree portvlanpri 4/5 0
set spantree portvlanpri 4/6 0
set spantree portvlanpri 4/7 0
set spantree portvlanpri 4/8 0
set spantree portvlanpri 4/9 0
set spantree portvlanpri 4/10 0
set spantree portvlanpri 4/11 0
set spantree portvlanpri 4/12 0
set spantree portvlanpri 4/13 0
set spantree portvlanpri 4/14 0
set spantree portvlanpri 4/15 0
set spantree portvlanpri 4/16 0
set spantree portvlanpri 4/17 0
set spantree portvlanpri 4/18 0
set spantree portvlanpri 4/19 0
set spantree portvlanpri 4/20 0
set spantree portvlanpri 4/21 0
set spantree portvlanpri 4/22 0
set spantree portvlanpri 4/23 0
set spantree portvlanpri 4/24 0
set spantree portvlanpri 4/25 0
set spantree portvlanpri 4/26 0
set spantree portvlanpri 4/27 0
set spantree portvlanpri 4/28 0
set spantree portvlanpri 4/29 0
set spantree portvlanpri 4/30 0
set spantree portvlanpri 4/31 0
set spantree portvlanpri 4/32 0
set spantree portvlanpri 4/33 0
set spantree portvlanpri 4/34 0
set spantree portvlanpri 4/35 0
set spantree portvlanpri 4/36 0
set spantree portvlanpri 4/37 0
set spantree portvlanpri 4/38 0
set spantree portvlanpri 4/39 0
set spantree portvlanpri 4/40 0
set spantree portvlanpri 4/41 0
set spantree portvlanpri 4/42 0
set spantree portvlanpri 4/43 0
set spantree portvlanpri 4/44 0
set spantree portvlanpri 4/45 0
set spantree portvlanpri 4/46 0
set spantree portvlanpri 4/47 0
set spantree portvlanpri 4/48 0
set spantree portvlancost 4/1 cost 18
set spantree portvlancost 4/2 cost 18
set spantree portvlancost 4/3 cost 18
set spantree portvlancost 4/4 cost 18
set spantree portvlancost 4/5 cost 18
set spantree portvlancost 4/6 cost 18
set spantree portvlancost 4/7 cost 18
set spantree portvlancost 4/8 cost 18
set spantree portvlancost 4/9 cost 18
set spantree portvlancost 4/10 cost 18
set spantree portvlancost 4/11 cost 18
set spantree portvlancost 4/12 cost 18
set spantree portvlancost 4/13 cost 18
set spantree portvlancost 4/14 cost 18
set spantree portvlancost 4/15 cost 18
set spantree portvlancost 4/16 cost 18
set spantree portvlancost 4/17 cost 18
set spantree portvlancost 4/18 cost 18
set spantree portvlancost 4/19 cost 18
set spantree portvlancost 4/20 cost 18
set spantree portvlancost 4/21 cost 18
set spantree portvlancost 4/22 cost 18
set spantree portvlancost 4/23 cost 18
set spantree portvlancost 4/24 cost 18
set spantree portvlancost 4/25 cost 18
set spantree portvlancost 4/26 cost 18
set spantree portvlancost 4/27 cost 18
set spantree portvlancost 4/28 cost 18
set spantree portvlancost 4/29 cost 18
set spantree portvlancost 4/30 cost 18
set spantree portvlancost 4/31 cost 18
set spantree portvlancost 4/32 cost 18
set spantree portvlancost 4/33 cost 18
set spantree portvlancost 4/34 cost 18
set spantree portvlancost 4/35 cost 18
set spantree portvlancost 4/36 cost 18
set spantree portvlancost 4/37 cost 18
set spantree portvlancost 4/38 cost 18
set spantree portvlancost 4/39 cost 18
set spantree portvlancost 4/40 cost 18
set spantree portvlancost 4/41 cost 18
set spantree portvlancost 4/42 cost 18
set spantree portvlancost 4/43 cost 18
set spantree portvlancost 4/44 cost 18
set spantree portvlancost 4/45 cost 18
set spantree portvlancost 4/46 cost 18
set spantree portvlancost 4/47 cost 18
set spantree portvlancost 4/48 cost 18
set port qos 4/1-48 cos 0
set port qos 4/1-48 trust untrusted
set port qos 4/1-48 port-based
set port qos 4/1-48 policy-source cops
set port rsvp 4/1-48 dsbm-election disable 128
set port gvrp 4/1-48 disable
set gvrp registration normal 4/1-48
set gvrp applicant normal 4/1-48
set port gmrp 4/1-48 enable
set gmrp registration normal 4/1-48
set gmrp fwdall disable 4/1-48
set port channel 4/1-48 mode off
!
#module 5 empty
!
#module 6 empty
!
#module 15 : 1-port Multilayer Switch Feature Card
set module name 15
set module enable 15
set vlan 1 15/1
set port enable 15/1
set port name 15/1
set cdp enable 15/1
set trunk 15/1 nonegotiate isl 1-1005
set spantree portcost 15/1 4
set spantree portpri 15/1 32
set spantree portvlanpri 15/1 0
set spantree portvlancost 15/1 cost 3
set port rsvp 15/1 dsbm-election disable 128
set port gmrp 15/1 enable
set gmrp registration normal 15/1
set gmrp fwdall disable 15/1
!
#module 16 empty
!
#switch port analyzer
set span 4/7 4/11 both inpkts enable multicast enable learning enable create
!
#cam
set cam agingtime 1-2,4-5,11-12,44,50,90-94,99-100,111,1003,1005 300
!
#gvrp
set gvrp dynamic-vlan-creation disable
set gvrp disable
end

MSFC on Main Site Cisco Catalyst Switch 1 (S1)

ecom-hq-msfc-a1#sh config
Using 2878 out of 126968 bytes
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ecom-hq-msfc-a1
!
boot system flash bootflash:c6msfc-is-mz.120-3.XE1
enable password esc
!
!
!
!
!
ip subnet-zero
ip wccp 99
ip cef
!
!
!
!
interface Loopback0
ip address 172.26.230.224 255.255.255.255
no ip directed-broadcast
!
interface Vlan90
description connection to ecom-hq-rtr-a1
bandwidth 100000
ip address 172.26.184.2 255.255.255.252
no ip directed-broadcast
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
ip route-cache flow
!
interface Vlan91
description connection to ecom-hq-ld-a1
bandwidth 100000
ip address 172.26.230.66 255.255.255.192 secondary
ip address 172.26.230.1 255.255.255.192
no ip redirects
no ip directed-broadcast
ip wccp 99 redirect out
ip wccp 99 group-listen
ip route-cache flow
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
standby 1 timers 2 7
standby 1 priority 100 preempt
standby 1 ip 172.26.230.16
standby 2 timers 2 7
standby 2 priority 50
standby 2 ip 172.26.230.65
!
interface Vlan92
description connection to ecom-hq-rtr-b1
bandwidth 100000
ip address 172.26.184.5 255.255.255.252
no ip directed-broadcast
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
ip route-cache flow
!
interface Vlan111
ip address 172.26.184.17 255.255.255.252
no ip directed-broadcast
ip route-cache flow
!
router eigrp 123
network 172.26.0.0
no auto-summary
!
router bgp 65230
no synchronization
network 172.26.184.0 mask 255.255.255.252
network 172.26.184.4 mask 255.255.255.252
network 172.26.184.8 mask 255.255.255.252
network 172.26.184.16 mask 255.255.255.252
network 172.26.230.0 mask 255.255.255.192
network 172.26.230.64 mask 255.255.255.192
network 172.26.230.251 mask 255.255.255.255
redistribute connected
neighbor 172.26.184.1 remote-as 65230
neighbor 172.26.184.1 description ibgp link to ecom-hq-rtr-a1
neighbor 172.26.184.1 route-map set-loc-pref-ar1-120 in
neighbor 172.26.184.6 remote-as 65230
neighbor 172.26.184.6 description ibgp link to ecom-hq-rtr-b1
neighbor 172.26.184.6 route-map set-loc-pref-ar2-120 in
neighbor 172.26.184.18 remote-as 65230
neighbor 172.26.184.18 description ibgp link to ecom-hq-msfc-b1
maximum-paths 3
!
ip classless
ip route 12.12.1.0 255.255.255.192 172.26.230.14
no ip http server
!
access-list 12 permit 172.26.231.192 0.0.0.15
access-list 13 permit 131.108.211.0 0.0.0.15
arp 172.26.230.68 00e0.b600.943b ARPA
arp 172.26.230.2 00e0.b600.943b ARPA
route-map set-loc-pref-ar2-120 permit 10
match ip address 13
set local-preference 120
!
route-map set-loc-pref-ar1-120 permit 10
match ip address 12
set local-preference 120
!
snmp-server engineID local 000000090200000021000000
snmp-server community cisco RO
snmp-server community public RO
snmp-server community private RW
!
line con 0
transport input none
line vty 0 4
password esc
login
!
end

MSFC on Main Site Cisco Catalyst Switch 2 (S2)

ecom-hq-msfc-b1#sh config
Using 2918 out of 126968 bytes
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname ecom-hq-msfc-b1
!
boot system flash bootflash:c6msfc-is-mz.120-3.XE1
!
!
!
!
!
ip subnet-zero
ip wccp 99
ip cef
!
!
!
!
interface Loopback0
ip address 172.26.230.226 255.255.255.255
no ip directed-broadcast
!
interface Vlan91
bandwidth 100000
ip address 172.26.230.67 255.255.255.192 secondary
ip address 172.26.230.3 255.255.255.192
no ip redirects
no ip directed-broadcast
ip wccp 99 redirect out
ip wccp 99 group-listen
ip route-cache flow
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
standby 1 timers 2 7
standby 1 priority 50
standby 1 ip 172.26.230.16
standby 2 timers 2 7
standby 2 priority 100 preempt
standby 2 ip 172.26.230.65
!
interface Vlan93
bandwidth 100000
ip address 172.26.184.9 255.255.255.252
no ip directed-broadcast
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
ip route-cache flow
!
interface Vlan94
bandwidth 100000
ip address 172.26.184.13 255.255.255.252
no ip directed-broadcast
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
ip route-cache flow
!
interface Vlan100
ip address 172.26.184.129 255.255.255.248
no ip directed-broadcast
ip hello-interval eigrp 123 2
ip hold-time eigrp 123 6
ip route-cache flow
!
interface Vlan111
ip address 172.26.184.18 255.255.255.252
no ip directed-broadcast
ip route-cache flow
!
router eigrp 123
network 172.26.0.0
no default-information out
!
router bgp 65230
no synchronization
network 172.26.184.8 mask 255.255.255.252
network 172.26.184.12 mask 255.255.255.252
network 172.26.184.16 mask 255.255.255.252
network 172.26.230.0 mask 255.255.255.192
network 172.26.230.64 mask 255.255.255.192
network 172.26.230.251 mask 255.255.255.255
redistribute connected
neighbor 172.26.184.10 remote-as 65230
neighbor 172.26.184.10 description ibgp link to ecom-hq-rtr-a1
neighbor 172.26.184.10 route-map set-loc-pref-ar1-120 in
neighbor 172.26.184.14 remote-as 65230
neighbor 172.26.184.14 description ibgp link to ecom-hq-rtr-b1
neighbor 172.26.184.14 route-map set-loc-pref-ar2-120 in
neighbor 172.26.184.17 remote-as 65230
neighbor 172.26.184.17 description ibgp link to ecom-hq-msfc-a1
maximum-paths 3
!
ip classless
ip route 12.0.0.0 255.0.0.0 172.26.230.14
no ip http server
!
access-list 1 permit 0.0.0.0
access-list 12 permit 172.26.231.192 0.0.0.15
access-list 13 permit 131.108.211.0 0.0.0.15
arp 172.26.230.68 00e0.b600.943b ARPA
arp 172.26.230.2 00e0.b600.943b ARPA
route-map set-loc-pref-ar2-120 permit 10
match ip address 13
set local-preference 120
!
route-map set-loc-pref-ar1-120 permit 10
match ip address 12
set local-preference 120
!
snmp-server engineID local 000000090200000021000000
snmp-server community cisco RO
snmp-server community public RO
snmp-server community private RW
!
line con 0
transport input none
line vty 0 4
password esc
login
!
end

Main Site Cisco DistributedDirector (DD1)

ecom-hq-dd-a1#sh config
Using 1837 out of 129016 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ecom-hq-dd-a1
!
!
!
!
!
!
ip subnet-zero
ip host www.esclab.com 172.26.230.2 172.26.230.68 172.26.231.5
ip host smtp.esclab.com 172.26.230.19 172.26.230.20
!
!
!
!
interface Loopback0
ip address 172.26.230.251 255.255.255.255
no ip directed-broadcast
!
interface FastEthernet0
ip address 172.26.230.7 255.255.255.192
no ip directed-broadcast
full-duplex
!
interface FastEthernet1
ip address 172.26.184.130 255.255.255.248
no ip directed-broadcast
full-duplex
!
router eigrp 123
network 172.26.0.0
distribute-list 1 in
no auto-summary
!
no ip classless
ip route 10.26.230.0 255.255.255.192 172.26.230.16
ip route 10.26.230.64 255.255.255.192 172.26.230.16
ip route 172.26.231.0 255.255.255.192 172.26.230.16
ip route 172.26.231.192 255.255.255.240 172.26.230.16
no ip http server
ip dns primary www.esclab.com soa dd.esclab.com admin.esclab.com 10 1 1 10
ip dns primary smtp.esclab.com soa dd.esclab.com admin.esclab.com 10 1 1 10
!
ip director server 172.26.230.2 preference 5
ip director server 172.26.231.5 preference 50
ip director server 172.26.230.68 preference 5
ip director hosts www.esclab.com weights adm 1
ip director hosts www.esclab.com priority adm 1
ip director hosts www.esclab.com connect 80 interval 10
ip director hosts smtp.esclab.com weights adm 1
ip director hosts smtp.esclab.com priority adm 1
access-list 1 deny 0.0.0.0
access-list 1 permit any
snmp-server engineID local 00000009020000E01EB8EAF2
snmp-server community cisco RO
!
line con 0
transport input none
line aux 0
line vty 0 4
password esc
login
!
end

Main Site Cisco LocalDirector 1 (LD1)

Note: the failover peer's configuration is the same as LD1 due to configuration synchronization.

ecom-hq-ld-a1# sh config
: Saved
: LocalDirector 430 Version 3.2.2
syslog output 20.3
no syslog console
hostname ecom-hq-ld-a1
shutdown ethernet 0
shutdown ethernet 1
no shutdown ethernet 2
shutdown ethernet 3
no shutdown ethernet 4
no shutdown ethernet 5
interface ethernet 0 100full
interface ethernet 1 100full
interface ethernet 2 100full
interface ethernet 3 auto
interface ethernet 4 1000full
interface ethernet 5 1000full
mtu 0 1500
mtu 1 1500
mtu 2 1500
mtu 3 1500
mtu 4 1500
mtu 5 1500
multiring all
no secure 0
no secure 1
no secure 2
no secure 3
no secure 4
no secure 5
ping-allow 0
ping-allow 1
ping-allow 2
ping-allow 3
ping-allow 4
ping-allow 5
ip address 172.26.230.11 255.255.255.192
route 0.0.0.0 0.0.0.0 172.26.230.16 1
no rip passive
rip version 1
failover ip address 172.26.230.13
failover
failover hellotime 5
telnet 172.26.230.15 255.255.255.255
telnet 10.26.230.0 255.255.255.192
telnet 172.26.230.7 255.255.255.255
telnet 172.26.230.18 255.255.255.255
snmp-server host 172.26.230.35
snmp-server host 172.26.230.22
snmp-server enable traps
snmp-server community public
no snmp-server contact
no snmp-server location
virtual 172.26.230.2:80:0:tcp is
virtual 172.26.230.68:80:0:tcp is
redirection 172.26.230.2:80:0:tcp dispatched local
real 172.26.230.26:80:0:tcp is
real 172.26.230.27:80:0:tcp is
real 172.26.230.28:80:0:tcp is
real 172.26.230.77:80:0:tcp is
real 172.26.230.76:80:0:tcp is
real 172.26.230.78:80:0:tcp is
replicate interface 2
bind 172.26.230.2:80:0:tcp 172.26.230.26:80:0:tcp
bind 172.26.230.2:80:0:tcp 172.26.230.27:80:0:tcp
bind 172.26.230.2:80:0:tcp 172.26.230.28:80:0:tcp
bind 172.26.230.68:80:0:tcp 172.26.230.77:80:0:tcp
bind 172.26.230.68:80:0:tcp 172.26.230.76:80:0:tcp
bind 172.26.230.68:80:0:tcp 172.26.230.78:80:0:tcp
dynamic-feedback 172.26.230.15:8002 retry 0 attempts 180 timeout 0

Main Site Cisco Secure PIX Firewall 1 (PIX1)

Note: the failover peer's configuration is the same as PIX1 due to configuration synchronization.

ecom-hq-pix-a1# sh config
: Saved
:
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 pix/intf2 security10
nameif ethernet3 pix/intf3 security15
enable password PAhpa04MEmHGyj6L encrypted
passwd PAhpa04MEmHGyj6L encrypted
hostname ecom-hq-pix-a1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sqlnet 1433
names
pager lines 24
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered warnings
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu pix/intf2 1500
mtu pix/intf3 1500
ip address outside 172.26.230.14 255.255.255.192
ip address inside 12.12.1.1 255.255.255.192
ip address pix/intf2 12.12.1.129 255.255.255.252
ip address pix/intf3 12.12.1.133 255.255.255.252
failover
failover timeout 0:00:03
failover ip address outside 172.26.230.17
failover ip address inside 12.12.1.8
failover ip address pix/intf2 12.12.1.130
failover ip address pix/intf3 12.12.1.134
failover link pix/intf2
arp timeout 14400
global (outside) 1 172.26.230.45-172.26.230.55 netmask 255.255.255.192
global (outside) 1 172.26.230.56 netmask 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.12.1.25 12.12.1.25 netmask 255.255.255.255 34464 50
static (inside,outside) 172.26.230.14 12.12.1.1 netmask 255.255.255.255 34464 50
conduit permit icmp any any
conduit permit tcp host 12.12.1.25 eq telnet any
conduit permit tcp host 172.26.230.56 eq telnet any
conduit permit tcp host 12.12.1.25 eq 1433 172.26.230.0 255.255.255.0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip pix/intf2 passive
no rip pix/intf2 default
no rip pix/intf3 passive
no rip pix/intf3 default
route outside 0.0.0.0 0.0.0.0 172.26.230.16 1
route inside 12.12.1.0 255.255.255.192 12.12.1.3 1
timeout xlate 0:05:00 conn 0:05:00 half-closed 0:05:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host outside 172.26.230.22
snmp-server host outside 172.26.230.35
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 12.12.1.3 255.255.255.192 inside
telnet timeout 5
terminal width 80
Cryptochecksum:166d1fa2230dab16c6a7f3966d9b63c1

Main Site Cisco Cache Engine (CE1)

Note: the peer cache engine's configuration is the same as CE1 due to configuration synchronization.

ecom-hq-ce-a1#sh config

Configuration Size 637 bytes
!
!
!
group add admin gid 0
group add everyone gid 1000
group add LocalUsers gid 1004
group add mainsite gid 2001
!
user add admin uid 0 capability admin-access
!
!
!
hostname ecom-hq-ce-a1
!
interface ethernet 0
ip address 172.26.230.5 255.255.255.192
ip broadcast-address 172.26.230.63
bandwidth 100
fullduplex
exit
!
!
interface ethernet 1
exit
!
ip default-gateway 172.26.230.16
ip domain-name esclab.com
ip route 0.0.0.0 0.0.0.0 172.26.230.16
cron file /local/etc/crontab
!
http proxy outgoing exclude enable
wccp router-list 1 172.26.230.1 172.26.230.3
wccp reverse-proxy router-list-num 1 weight 50
wccp version 2

Satellite Site Cisco Router (R5)

ecom-sat-rtr-1#sh config
Using 2644 out of 129016 bytes
!
version 12.0
no service pad
service timestamps debug datetime
service timestamps log uptime
service udp-small-servers
service tcp-small-servers
!
hostname ecom-sat-rtr-1
!
boot system slot0:
boot system flash
boot system flash bootflash:
!
ip subnet-zero
no ip domain-lookup
ip cef
!
!
!
interface FastEthernet0/0
ip address 172.26.231.1 255.255.255.192
no ip directed-broadcast
ip hello-interval eigrp 123 3
ip hold-time eigrp 123 9
no ip mroute-cache
full-duplex
!
interface FastEthernet3/0
no ip address
no ip directed-broadcast
shutdown
!
interface ATM4/0
no ip address
no ip directed-broadcast
no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
ip address 172.26.231.161 255.255.255.248
ip access-group 101 in
no ip directed-broadcast
ip hello-interval eigrp 123 3
ip hold-time eigrp 123 9
atm pvc 3 1 25 aal5snap inarp
!
router eigrp 123
network 172.26.0.0
no auto-summary
!
router bgp 4444
no synchronization
network 172.26.230.251 mask 255.255.255.255
network 172.26.231.0 mask 255.255.255.192
redistribute connected
neighbor 172.26.231.162 remote-as 1
neighbor 172.26.231.162 description EBGP AR3
neighbor 172.26.231.162 route-map DistDir out
distance 200 172.26.230.251 0.0.0.0
!
ip default-gateway 172.26.193.254
ip classless
ip route 0.0.0.0 0.0.0.0 ATM4/0.1
ip as-path access-list 5 permit ^$
!
access-list 10 permit 172.26.230.251
access-list 10 deny any
access-list 101 deny tcp 192.168.0.0 0.0.255.255 any
access-list 101 deny udp 192.168.0.0 0.0.255.255 any
access-list 101 deny tcp 10.0.0.0 0.255.255.255 any
access-list 101 deny udp 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq bgp
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq 443
access-list 101 deny tcp any any
access-list 101 deny udp any any
arp 172.26.231.5 00a0.c9ef.3b53 ARPA
route-map DistDir permit 5
set as-path prepend 4444 4444
!
snmp-server community public RO
snmp-server community private RW
snmp-server community cisco RO
!
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password esc
login
!
end
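The IOS and PIX dumps above (both MSFCs, the DistributedDirector, the satellite router and PIX1) were captured from a lab and carry settings that should not be replicated in production: `no service password-encryption` with a cleartext `enable password` and vty `password`, the well-known SNMP communities `public`, `private` and `cisco` (with `private` read-write), `service tcp-small-servers`/`udp-small-servers` on the satellite router, and PIX conduits that admit ICMP and telnet from any source. The script below is an added example, not part of the original Cisco/Microsoft document, that flags exactly those settings in a saved `sh config` dump and treats a vty block without an `access-class` or an SSH-only `transport input` as a finding. The sample dumps embedded in it are constructed excerpts modelled on the appendix, and the hardened counterpart uses a placeholder `enable secret` hash and an arbitrary community string.

```python
# Audit a saved Cisco IOS / PIX config dump for the management-plane weaknesses
# visible in the lab appendix. Added example; not Cisco or Microsoft code.
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the dump
    text: str      # offending config line (or the 'line vty' header)
    rule: str      # short rule id
    detail: str    # why it matters

# Single-line rules (rule id, regex, explanation); the patterns mirror the
# exact settings that appear in the lab configs.
LINE_RULES = [
    ("cleartext-passwords", re.compile(r"^no service password-encryption$"),
     "line/enable passwords are kept in cleartext in the saved config"),
    ("enable-password", re.compile(r"^enable password\s+(7\s+)?\S+$"),
     "'enable password' is cleartext or reversible type 7; use 'enable secret'"),
    ("small-servers", re.compile(r"^service (tcp|udp)-small-servers$"),
     "echo/chargen/discard listeners add DoS and amplification surface"),
    ("snmp-rw", re.compile(r"^snmp-server community\s+\S+\s+RW\b"),
     "read-write SNMP community: whoever knows it can rewrite the config"),
    ("snmp-default-community", re.compile(r"^snmp-server community\s+(public|private|cisco)\b"),
     "well-known SNMP community string"),
    ("pix-icmp-any", re.compile(r"^conduit permit icmp any any$"),
     "PIX conduit admits all ICMP from any source to any inside host"),
    ("pix-telnet-any", re.compile(r"^conduit permit tcp host \S+ eq telnet any$"),
     "PIX conduit exposes telnet on an inside host to any source"),
]

def _vty_blocks(lines):
    # Collect the lines under each 'line vty' header; a block ends at the next
    # 'line ...' header, a bare '!', 'end' or an empty line.
    blocks, open_block = [], False
    for n, line in lines:
        if line.startswith("line vty"):
            blocks.append((n, line, []))
            open_block = True
        elif open_block and (line.startswith("line ") or line in ("!", "end", "")):
            open_block = False
        elif open_block:
            blocks[-1][2].append(line)
    return blocks

def audit(config_text: str) -> List[Finding]:
    # Indentation is stripped so dumps that lost it (as in the appendix) and
    # pristine 'show running-config' output are handled alike.
    lines = [(n, raw.strip()) for n, raw in enumerate(config_text.splitlines(), 1)]
    findings = [Finding(n, line, rule, detail)
                for n, line in lines
                for rule, pattern, detail in LINE_RULES if pattern.search(line)]
    for n, header, body in _vty_blocks(lines):
        if not any(b.startswith("access-class") for b in body):
            findings.append(Finding(n, header, "vty-no-access-class",
                                    "no access-class: any reachable host may try to log in"))
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not transports or any(t not in (["ssh"], ["none"]) for t in transports):
            findings.append(Finding(n, header, "vty-telnet-allowed",
                                    "telnet accepted on the vty lines: credentials cross the wire in cleartext"))
    return findings

def report(findings: List[Finding]) -> str:
    return "\n".join(f"line {f.line_no:>3} [{f.rule}] {f.text}: {f.detail}" for f in findings)

# Constructed excerpts modelled on the appendix dumps, not the full configs.
SAMPLE_IOS = """\
no service password-encryption
service udp-small-servers
service tcp-small-servers
enable password esc
snmp-server community public RO
snmp-server community private RW
line vty 0 4
password esc
login
end
"""
SAMPLE_PIX = """\
enable password PAhpa04MEmHGyj6L encrypted
conduit permit icmp any any
conduit permit tcp host 12.12.1.25 eq telnet any
snmp-server community public
"""
# Hardened counterpart; the secret hash and community string are placeholders.
HARDENED_IOS = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
enable secret 5 $1$xxxx$placeholderhash000000000000
snmp-server community Xq7vL2p9 RO 10
access-list 10 permit 172.26.230.18
line vty 0 4
access-class 10 in
transport input ssh
login local
end
"""

if __name__ == "__main__":
    for name, cfg in (("IOS", SAMPLE_IOS), ("PIX", SAMPLE_PIX), ("hardened", HARDENED_IOS)):
        print(f"== {name}\n{report(audit(cfg)) or '(no findings)'}")
```

Run it against a `sh config` capture redirected to a file to get a line-numbered list of the weak settings; the hardened excerpt shows the shape of the fix (an `enable secret`, SNMP read-only with an ACL, an `access-class` and SSH-only `transport input` on the vty lines). The same class of issue appears in a different syntax in the CatOS dumps (`set snmp community read-write-all secret`) and on the LocalDirector (`no secure`, `ping-allow`, a single `public` community); those lines are not covered by this script.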

Satellite Site Cisco Catalyst Switch (S3)

ecom-sat-sw-1 (enable) sh config
.....
...........
...........
...........
..

begin
!
#version 4.5(1)
!
set password $1$0o8Z$3gPus6Hz5czogurL6PKJs0
set enablepass $1$CBqb$ZrdgAvcMV4f/d9AlhqlHQ0
set prompt ecom-sat-sw-1
set length 24 default
set logout 20
set banner motd ^C^C
!
#system
set system baud 9600
set system modem disable
set system name
set system location
set system contact
!
#snmp
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
set snmp rmon disable
set snmp trap disable module
set snmp trap disable chassis
set snmp trap disable bridge
set snmp trap disable repeater
set snmp trap disable vtp
set snmp trap disable auth
set snmp trap disable ippermit
set snmp trap disable vmps
set snmp trap disable entity
set snmp trap disable config
set snmp trap disable stpx
set snmp trap disable syslog
!
#ip
set interface sc0 1 172.26.231.2 255.255.255.192 172.26.231.63
set interface sc0 up
set interface sl0 0.0.0.0 0.0.0.0
set interface sl0 down
set interface me1 0.0.0.0 0.0.0.0 0.0.0.0
set interface me1 down
set arp agingtime 1200
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip route 0.0.0.0 172.26.231.1 1
set ip alias default 0.0.0.0
!
#Command alias
!
#dns
set ip dns disable
!
#tacacs+
set tacacs attempts 3
set tacacs directedrequest disable
set tacacs timeout 5
!
#authentication
set authentication login tacacs disable console
set authentication login tacacs disable telnet
set authentication enable tacacs disable console
set authentication enable tacacs disable telnet
set authentication login local enable console
set authentication login local enable telnet
set authentication enable local enable console
set authentication enable local enable telnet
!
#vtp
set vtp domain cisco.com
set vtp mode server
set vtp v2 disable
set vtp pruning disable
set vtp pruneeligible 2-1000
clear vtp pruneeligible 1001-1005
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 5 name VLAN005 type ethernet mtu 1500 said 100005 state active
set vlan 44 name VLAN0044 type ethernet mtu 1500 said 100044 state active
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active bridge 0x0 stp ibm
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active parent 0 ring 0x0 mode srb aremaxhop 7 stemaxhop 7
!
#spantree
#uplinkfast groups
set spantree uplinkfast disable
#backbonefast
set spantree backbonefast disable
#vlan 1
set spantree enable 1
set spantree fwddelay 15 1
set spantree hello 2 1
set spantree maxage 20 1
set spantree priority 32768 1
#vlan 5
set spantree enable 5
set spantree fwddelay 15 5
set spantree hello 2 5
set spantree maxage 20 5
set spantree priority 32768 5
#vlan 44
set spantree enable 44
set spantree fwddelay 15 44
set spantree hello 2 44
set spantree maxage 20 44
set spantree priority 32768 44
#vlan 1003
set spantree enable 1003
set spantree fwddelay 15 1003
set spantree hello 2 1003
set spantree maxage 20 1003
set spantree priority 32768 1003
#vlan 1005
set spantree enable 1005
set spantree fwddelay 15 1005
set spantree hello 2 1005
set spantree maxage 20 1005
set spantree priority 32768 1005
!
#cgmp
set cgmp disable
set cgmp leave disable
!
#syslog
set logging console enable
set logging server disable
set logging level cdp 2 default
set logging level mcast 2 default
set logging level dtp 5 default
set logging level earl 2 default
set logging level fddi 2 default
set logging level ip 2 default
set logging level pruning 2 default
set logging level snmp 2 default
set logging level spantree 2 default
set logging level sys 5 default
set logging level tac 2 default
set logging level tcp 2 default
set logging level telnet 2 default
set logging level tftp 2 default
set logging level vtp 2 default
set logging level kernel 2 default
set logging level filesys 2 default
set logging level drip 2 default
set logging level pagp 5 default
set logging level mgmt 5 default
set logging level mls 5 default
set logging level protfilt 2 default
set logging level security 2 default
set logging server facility LOCAL7
set logging server severity 4
set logging buffer 500
set logging timestamp enable
!
#ntp
set ntp broadcastclient disable
set ntp broadcastdelay 3000
set ntp client disable
clear timezone
set summertime disable
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.4-5-1.bin
!
#permit list
set ip permit disable
!
#protocolfilter
set protocolfilter disable
!
#standby ports
set standbyports disable
!
#module 1 : 0-port Switching Supervisor
set module name 1
!
#module 2 : 48-port 10/100BaseTx Ethernet
set module name 2
set module enable 2
set vlan 1 2/1-3
set vlan 5 2/25-48
set vlan 44 2/4-20,2/22-24
set port channel 2/1-4 off
set port channel 2/5-8 off
set port channel 2/9-12 off
set port channel 2/13-16 off
set port channel 2/17-20 off
set port channel 2/21-24 off
set port channel 2/25-28 off
set port channel 2/29-32 off
set port channel 2/33-36 off
set port channel 2/37-40 off
set port channel 2/41-44 off
set port channel 2/45-48 off
set port channel 2/1-4 auto
set port channel 2/5-8 auto
set port channel 2/9-12 auto
set port channel 2/13-16 auto
set port channel 2/17-20 auto
set port channel 2/21-24 auto
set port channel 2/25-28 auto
set port channel 2/29-32 auto
set port channel 2/33-36 auto
set port channel 2/37-40 auto
set port channel 2/41-44 auto
set port channel 2/45-48 auto
set port enable 2/1-48
set port level 2/1-48 normal
set port speed 2/2 auto
set port speed 2/26 10
set port speed 2/1,2/3-25,2/27-48 100
set port duplex 2/1,2/3-48 full
set port trap 2/1-48 disable
set port name 2/1 to rtr
set port name 2/2 to DD-e0
set port name 2/3 to LD-e0
set port name 2/4 to LD-e1
set port name 2/5 to PIX/e0
set port name 2/25 to PIX/e1
set port name 2/6-24,2/26-48
set port security 2/1-48 disable
set port membership 2/1-48 static
set port protocol 2/1-48 ip on
set port protocol 2/1-48 ipx auto
set cdp enable 2/1-48
set cdp interval 2/1-48 60
set trunk 2/1 auto dot1q 1-1005
set trunk 2/2 auto dot1q 1-1005
set trunk 2/3 auto dot1q 1-1005
set trunk 2/4 auto dot1q 1-1005
set trunk 2/5 auto dot1q 1-1005
set trunk 2/6 auto dot1q 1-1005
set trunk 2/7 auto dot1q 1-1005
set trunk 2/8 auto dot1q 1-1005
set trunk 2/9 auto dot1q 1-1005
set trunk 2/10 auto dot1q 1-1005
set trunk 2/11 auto dot1q 1-1005
set trunk 2/12 auto dot1q 1-1005
set trunk 2/13 auto dot1q 1-1005
set trunk 2/14 auto dot1q 1-1005
set trunk 2/15 auto dot1q 1-1005
set trunk 2/16 auto dot1q 1-1005
set trunk 2/17 auto dot1q 1-1005
set trunk 2/18 auto dot1q 1-1005
set trunk 2/19 auto dot1q 1-1005
set trunk 2/20 auto dot1q 1-1005
set trunk 2/21 auto dot1q 1-1005
set trunk 2/22 auto dot1q 1-1005
set trunk 2/23 auto dot1q 1-1005
set trunk 2/24 auto dot1q 1-1005
set trunk 2/25 auto dot1q 1-1005
set trunk 2/26 auto dot1q 1-1005
set trunk 2/27 auto dot1q 1-1005
set trunk 2/28 auto dot1q 1-1005
set trunk 2/29 auto dot1q 1-1005
set trunk 2/30 auto dot1q 1-1005
set trunk 2/31 auto dot1q 1-1005
set trunk 2/32 auto dot1q 1-1005
set trunk 2/33 auto dot1q 1-1005
set trunk 2/34 auto dot1q 1-1005
set trunk 2/35 auto dot1q 1-1005
set trunk 2/36 auto dot1q 1-1005
set trunk 2/37 auto dot1q 1-1005
set trunk 2/38 auto dot1q 1-1005
set trunk 2/39 auto dot1q 1-1005
set trunk 2/40 auto dot1q 1-1005
set trunk 2/41 auto dot1q 1-1005
set trunk 2/42 auto dot1q 1-1005
set trunk 2/43 auto dot1q 1-1005
set trunk 2/44 auto dot1q 1-1005
set trunk 2/45 auto dot1q 1-1005
set trunk 2/46 auto dot1q 1-1005
set trunk 2/47 auto dot1q 1-1005
set trunk 2/48 auto dot1q 1-1005
set spantree portfast 2/1-48 disable
set spantree portcost 2/1,2/3-25,2/27-48 19
set spantree portcost 2/2,2/26 100
set spantree portpri 2/1-48 32
set spantree portvlanpri 2/1 0
set spantree portvlanpri 2/2 0
set spantree portvlanpri 2/3 0
set spantree portvlanpri 2/4 0
set spantree portvlanpri 2/5 0
set spantree portvlanpri 2/6 0
set spantree portvlanpri 2/7 0
set spantree portvlanpri 2/8 0
set spantree portvlanpri 2/9 0
set spantree portvlanpri 2/10 0
set spantree portvlanpri 2/11 0
set spantree portvlanpri 2/12 0
set spantree portvlanpri 2/13 0
set spantree portvlanpri 2/14 0
set spantree portvlanpri 2/15 0
set spantree portvlanpri 2/16 0
set spantree portvlanpri 2/17 0
set spantree portvlanpri 2/18 0
set spantree portvlanpri 2/19 0
set spantree portvlanpri 2/20 0
set spantree portvlanpri 2/21 0
set spantree portvlanpri 2/22 0
set spantree portvlanpri 2/23 0
set spantree portvlanpri 2/24 0
set spantree portvlanpri 2/25 0
set spantree portvlanpri 2/26 0
set spantree portvlanpri 2/27 0
set spantree portvlanpri 2/28 0
set spantree portvlanpri 2/29 0
set spantree portvlanpri 2/30 0
set spantree portvlanpri 2/31 0
set spantree portvlanpri 2/32 0
set spantree portvlanpri 2/33 0
set spantree portvlanpri 2/34 0
set spantree portvlanpri 2/35 0
set spantree portvlanpri 2/36 0
set spantree portvlanpri 2/37 0
set spantree portvlanpri 2/38 0
set spantree portvlanpri 2/39 0
set spantree portvlanpri 2/40 0
set spantree portvlanpri 2/41 0
set spantree portvlanpri 2/42 0
set spantree portvlanpri 2/43 0
set spantree portvlanpri 2/44 0
set spantree portvlanpri 2/45 0
set spantree portvlanpri 2/46 0
set spantree portvlanpri 2/47 0
set spantree portvlanpri 2/48 0
set spantree portvlancost 2/1 cost 18
set spantree portvlancost 2/2 cost 18
set spantree portvlancost 2/3 cost 18
set spantree portvlancost 2/4 cost 18
set spantree portvlancost 2/5 cost 18
set spantree portvlancost 2/6 cost 18
set spantree portvlancost 2/7 cost 18
set spantree portvlancost 2/8 cost 18
set spantree portvlancost 2/9 cost 18
set spantree portvlancost 2/10 cost 18
set spantree portvlancost 2/11 cost 18
set spantree portvlancost 2/12 cost 18
set spantree portvlancost 2/13 cost 18
set spantree portvlancost 2/14 cost 18
set spantree portvlancost 2/15 cost 18
set spantree portvlancost 2/16 cost 18
set spantree portvlancost 2/17 cost 18
set spantree portvlancost 2/18 cost 18
set spantree portvlancost 2/19 cost 18
set spantree portvlancost 2/20 cost 18
set spantree portvlancost 2/21 cost 18
set spantree portvlancost 2/22 cost 18
set spantree portvlancost 2/23 cost 18
set spantree portvlancost 2/24 cost 18
set spantree portvlancost 2/25 cost 18
set spantree portvlancost 2/26 cost 18
set spantree portvlancost 2/27 cost 18
set spantree portvlancost 2/28 cost 18
set spantree portvlancost 2/29 cost 18
set spantree portvlancost 2/30 cost 18
set spantree portvlancost 2/31 cost 18
set spantree portvlancost 2/32 cost 18
set spantree portvlancost 2/33 cost 18
set spantree portvlancost 2/34 cost 18
set spantree portvlancost 2/35 cost 18
set spantree portvlancost 2/36 cost 18
set spantree portvlancost 2/37 cost 18
set spantree portvlancost 2/38 cost 18
set spantree portvlancost 2/39 cost 18
set spantree portvlancost 2/40 cost 18
set spantree portvlancost 2/41 cost 18
set spantree portvlancost 2/42 cost 18
set spantree portvlancost 2/43 cost 18
set spantree portvlancost 2/44 cost 18
set spantree portvlancost 2/45 cost 18
set spantree portvlancost 2/46 cost 18
set spantree portvlancost 2/47 cost 18
set spantree portvlancost 2/48 cost 18
!
#module 3 : 6-port 1000BaseX Ethernet
set module name 3
set module enable 3
set vlan 44 3/1-6
set port channel 3/1-2 off
set port channel 3/3-6 off
set port channel 3/1-2 auto
set port channel 3/3-6 auto
set port enable 3/1-6
set port level 3/1-6 normal
set port duplex 3/1-6 full
set port trap 3/1-6 disable
set port name 3/1-6
set port security 3/1-6 disable
set port membership 3/1-6 static
set port protocol 3/1-6 ip on
set port protocol 3/1-6 ipx auto
set port negotiation 3/1-6 enable
set port flowcontrol send 3/1-6 desired
set port flowcontrol receive 3/1-6 off
set cdp enable 3/1-6
set cdp interval 3/1-6 60
set trunk 3/1 auto dot1q 1-1005
set trunk 3/2 auto dot1q 1-1005
set trunk 3/3 auto dot1q 1-1005
set trunk 3/4 auto dot1q 1-1005
set trunk 3/5 auto dot1q 1-1005
set trunk 3/6 auto dot1q 1-1005
set spantree portfast 3/1-6 disable
set spantree portcost 3/1-6 4
set spantree portpri 3/1-6 32
set spantree portvlanpri 3/1 0
set spantree portvlanpri 3/2 0
set spantree portvlanpri 3/3 0
set spantree portvlanpri 3/4 0
set spantree portvlanpri 3/5 0
set spantree portvlanpri 3/6 0
set spantree portvlancost 3/1 cost 18
set spantree portvlancost 3/2 cost 18
set spantree portvlancost 3/3 cost 18
set spantree portvlancost 3/4 cost 18
set spantree portvlancost 3/5 cost 18
set spantree portvlancost 3/6 cost 18
!
#switch port analyzer
set span 2/3 2/21 both inpkts enable
!set span enable
!
#cam
set cam agingtime 1,5,44,1003,1005 300
end

Satellite Site Cisco DistributedDirector (DD2)

ecom-sat-dd-1#sh config
Using 1420 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ecom-sat-dd-1
!
boot system flash c2500-w3-l.120-7.T.bin
boot system flash c2500-is56-l_112-13.bin
boot system flash bootflash:
!
!
!
!
ip subnet-zero
no ip domain-lookup
ip host www.esclab.com 172.26.231.5 172.26.230.2 172.26.230.68
!
!
!
!
interface Loopback0
ip address 172.26.230.251 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0
ip address 172.26.231.3 255.255.255.192
no ip directed-broadcast
!
router eigrp 123
network 172.26.0.0
no auto-summary
!
ip default-gateway 172.26.231.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.26.231.1
no ip http server
ip dns primary www.esclab.com soa dd.esclab.com webmaster.esclab.com 10 1 1 10
!
ip director server 172.26.231.5 preference 5
ip director server 172.26.230.2 preference 50
ip director server 172.26.230.68 preference 50
ip director hosts www.esclab.com connect 80 interval 60
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password esc
login
!
end

Satellite Site Cisco LocalDirector (LD3)

ecom-sat-ld-1# sh config
: Saved
: LocalDirector 430 Version 3.1.4
syslog output 20.3
no syslog console
hostname ecom-sat-ld-1
no shutdown ethernet 0
no shutdown ethernet 1
no shutdown ethernet 2
shutdown ethernet 3
interface ethernet 0 100full
interface ethernet 1 100full
interface ethernet 2 100full
interface ethernet 3 auto
mtu 0 1500
mtu 1 1500
mtu 2 1500
mtu 3 1500
multiring all
no secure 0
no secure 1
no secure 2
no secure 3
ping-allow 0
ping-allow 1
ping-allow 2
no ping-allow 3
ip address 172.26.231.4 255.255.255.192
route 0.0.0.0 0.0.0.0 172.26.231.1 1
no rip passive
rip version 1
failover ip address 0.0.0.0
failover
snmp-server enable traps
no snmp-server contact
no snmp-server location
virtual 172.26.231.5:80:0:tcp is
redirection 172.26.231.5:80:0:tcp dispatched local
real 172.26.231.22:80:0:tcp is
real 172.26.231.21:80:0:tcp is
bind 172.26.231.5:80:0:tcp 172.26.231.22:80:0:tcp
bind 172.26.231.5:80:0:tcp 172.26.231.21:80:0:tcp

Satellite Site Cisco Secure PIX Firewall (PIX3)

ecom-sat-pix-1# sh config
: Saved
:
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ecom-sat-pix-1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 172.26.231.7 255.255.255.192
ip address inside 12.15.1.1 255.255.255.192
failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 172.26.231.45-172.26.231.55 netmask 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.15.1.25 12.15.1.25 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.15.1.25 eq 1433 172.26.231.0 255.255.255.0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 172.26.231.1 1
route inside 12.15.1.0 255.255.255.192 12.15.1.3 1
timeout xlate 0:05:00 conn 0:05:00 half-closed 0:05:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host outside 172.26.230.22
snmp-server host outside 172.26.230.35
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
terminal width 80
Cryptochecksum:7b3039c5af0593112c45d58b78c0e0ba
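
The DD2 router and PIX3 firewall dumps above contain several settings a reviewer would flag before production: `no service password-encryption` with a clear-text vty password on the router, logging switched off, an `any any` ICMP conduit, the default `public` SNMP community and `no floodguard enable` on the PIX. The following script is an added example (not part of the original document and not a Cisco or Microsoft tool) that runs a small set of line-based rules over saved configuration text and reports the weak settings together with the corrective change. The rule identifiers and messages are my own; the two sample inputs are excerpts copied from the DD2 and PIX3 configurations printed above.

```python
"""Audit saved Cisco IOS / PIX configuration text for weak settings.

Added example: rule names and messages are the author's own, not Cisco's.
"""
import re

# Excerpt of the DD2 router config shown above (only the lines the rules look at).
IOS_DD2 = """\
version 12.0
no service password-encryption
hostname ecom-sat-dd-1
no ip http server
line vty 0 4
 password esc
 login
"""

# Excerpt of the PIX3 firewall config shown above.
PIX3 = """\
PIX Version 5.0(2)
no logging trap
no logging buffered
conduit permit icmp any any
conduit permit tcp host 12.15.1.25 eq 1433 172.26.231.0 255.255.255.0
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
"""

# (rule id, regex matched against one whole line, finding text with the fix)
RULES = [
    ("ios-pw-plaintext", r"^no service password-encryption$",
     "passwords stored in clear text; enable 'service password-encryption' "
     "and use 'enable secret' / AAA instead of line passwords"),
    ("ios-vty-plain-password", r"^\s*password \S+$",
     "clear-text line password; prefer AAA with per-user credentials and "
     "restrict vty access with an access-class"),
    ("logging-disabled", r"^no logging (trap|buffered)$",
     "syslog/buffered logging disabled; send logs to a collector so "
     "firewall events can be monitored and investigated"),
    ("conduit-any-any", r"^conduit permit \S+ any any$",
     "conduit permits a whole protocol from any source to any host; "
     "narrow it to the specific hosts and types actually required"),
    ("db-port-exposed", r"^conduit permit tcp host \S+ eq 1433\b",
     "SQL Server port opened through the firewall; confirm the source "
     "range is exactly the web tier and nothing wider"),
    ("snmp-default-community", r"^snmp-server community (public|private)$",
     "default SNMP community string; use a unique string (or SNMPv3) and "
     "restrict polling to management hosts"),
    ("floodguard-off", r"^no floodguard enable$",
     "TCP SYN flood protection disabled; re-enable it on an Internet-facing "
     "firewall"),
]
_COMPILED = [(rid, re.compile(pat), msg) for rid, pat, msg in RULES]


def audit(config_text):
    """Return a list of (rule_id, line_number, line, message) findings.

    Findings are reported in line order; a line may match more than one rule.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for rule_id, pattern, message in _COMPILED:
            if pattern.match(line):
                findings.append((rule_id, lineno, line.strip(), message))
    return findings


def rule_ids(config_text):
    """Sorted, de-duplicated rule ids triggered by a config (for summaries)."""
    return sorted({f[0] for f in audit(config_text)})


def report(name, config_text):
    """Print findings for one device in a reviewer-friendly form."""
    print(f"== {name} ==")
    for rule_id, lineno, line, message in audit(config_text):
        print(f"line {lineno}: [{rule_id}] {line}\n    -> {message}")


if __name__ == "__main__":
    report("ecom-sat-dd-1 (DD2)", IOS_DD2)
    report("ecom-sat-pix-1 (PIX3)", PIX3)
```

Running the block lists two findings for the router excerpt and six for the PIX excerpt. The rules are deliberately anchored to whole lines so that a correctly configured device (`service password-encryption`, `logging trap informational`, a non-default community) produces no output; extend `RULES` with the CatOS settings from the switch dumps (for example `set port security ... disable`) if the same audit is wanted there.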

Satellite Site Cisco Cache Engine (CE3)

ecom-sat-ce-1#sh config

Configuration Size 659 bytes
!
!
!
group add admin gid 0
group add everyone gid 1000
group add LocalUsers gid 1004
group add mainsite gid 2001
!
user add admin uid 0 password 1 "b9ccbQcQe9" capability admin-access
!
!
!
hostname ecom-sat-ce-1
!
interface ethernet 0
ip address 172.26.231.6 255.255.255.192
ip broadcast-address 172.26.231.63
bandwidth 100
fullduplex
exit
!
!
interface ethernet 1
exit
!
ip default-gateway 172.26.231.1
ip domain-name esclab.com
ip route 0.0.0.0 0.0.0.0 172.26.231.1
cron file /local/etc/crontab
!
http proxy outgoing exclude enable
wccp router-list 1 172.26.230.1 172.26.230.3 172.26.231.1
wccp web-cache router-list-num 1
wccp version 2

Appendix – Microsoft References

Application Services Technical Overview:
http://www.microsoft.com/windows2000/library/howitworks/application/appsvcs.asp

Internet Information Services 5.0 Technical Overview:
http://www.microsoft.com/windows2000/library/howitworks/iis/iis5techoverview.asp

IIS Tuning:
http://www.microsoft.com/windows2000/library/operations/web/tuning.asp

SQL Server Clustering:
http://support.microsoft.com/support/sql/content/70papers/70clstr.asp

SQL Server Replication:
http://www.microsoft.com/sql/techinfo/replication.htm

SQL Server Security:
http://www.microsoft.com/sql/techinfo/security.htm

Windows Clustering Technologies:
http://www.microsoft.com/windows2000/library/technologies/cluster/default.asp

Windows 2000 Reliability and Availability Improvements:
http://www.microsoft.com/Windows2000/library/howitworks/management/relavail.asp

Windows Security Services:
http://www.microsoft.com/windows2000/library/technologies/security/default.asp

Microsoft Web Application Stress (WAS) tool:
http://homer.rte.microsoft.com/

This document is for informational purposes only. CISCO SYSTEMS AND MICROSOFT MAKE NO WARRANTIES, EXPRESSED OR IMPLIED, IN THIS SUMMARY. The information contained in this document represents the current view of Cisco Systems or Microsoft Corporation on the issues discussed as of the date of publication. Microsoft, ActiveX, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Cisco, Cisco Systems, the Cisco Systems logo, Catalyst, EtherChannel, and PIX are either registered trademarks or trademarks of Cisco Systems, Inc. in the United States and/or other countries. All other product and company names herein may be the trademarks of their respective owners.

Copyright © 2000 Cisco Systems, Inc. and Microsoft Corporation. All rights reserved. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Last updated December 15, 2000
© 2000 Microsoft Corporation. All rights reserved.