jwh
Jun 12, 2002

Tremblay posted:

Well if they are planning on using 2100 series switches for top of rack, then it makes sense. If it's only to support the UCS chassis they are looking to install then I'm with you. I don't see the point.

Turns out I misspoke about the 2100 series: I really mean the in-chassis FEXs only. So yeah, I don't see the purpose of a 5000 at all.


Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

Turns out I misspoke about the 2100 series: I really mean the in-chassis FEXs only. So yeah, I don't see the purpose of a 5000 at all.

I think the model number for the in-chassis FEXs is 21XX as well. I meant if they were planning on buying the 2148s or whatever to install in other racks.

jwh
Jun 12, 2002

Tremblay posted:

I think the model number for the in-chassis FEXs is 21XX as well. I meant if they were planning on buying the 2148s or whatever to install in other racks.

Oh, that would make sense. Too many model numbers floating around these days.

Syano
Jul 13, 2005
I've got a question if any of you have messed around any with WCCP. We are going to be putting in a Barracuda filtering appliance for protection/caching purposes and I would love to get away with just using a single appliance rather than having to deploy an appliance at each remote location. My idea was to put the appliance outside my firewall in a DMZ and then have my routers (combination of 1841 and 1941 ISRs) all use WCCP to forward requests to the appliance over the internet. I drew it out on paper and it looks like it works in theory but I just don't do this stuff enough to be certain I know what I am talking about. Does this sort of scenario sound doable? The biggest question really is about the routers. They of course are doing NAT for all the internal hosts at each location. Do they do NAT translation on the requests to the WCCP device?

jwh
Jun 12, 2002

Syano posted:

I've got a question if any of you have messed around any with WCCP. We are going to be putting in a Barracuda filtering appliance for protection/caching purposes and I would love to get away with just using a single appliance rather than having to deploy an appliance at each remote location. My idea was to put the appliance outside my firewall in a DMZ and then have my routers (combination of 1841 and 1941 ISRs) all use WCCP to forward requests to the appliance over the internet. I drew it out on paper and it looks like it works in theory but I just don't do this stuff enough to be certain I know what I am talking about. Does this sort of scenario sound doable? The biggest question really is about the routers. They of course are doing NAT for all the internal hosts at each location. Do they do NAT translation on the requests to the WCCP device?

That doesn't really make any sense... you deploy a caching appliance to prevent HTTP requests from consuming your bandwidth. If you WCCP to something remote, you're still consuming that bandwidth, so it doesn't make much sense.

Syano
Jul 13, 2005
Sorry for being confusing. The site that the appliance will be deployed at has the vast majority of users. The main reason for using WCCP from the remote sites is to try and get the filtering abilities of the Barracuda platform rather than deploying an appliance at each remote site.

jwh
Jun 12, 2002

That makes more sense then. I guess it's worth a shot.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Syano posted:

Sorry for being confusing. The site that the appliance will be deployed at has the vast majority of users. The main reason for using WCCP from the remote sites is to try and get the filtering abilities of the Barracuda platform rather than deploying an appliance at each remote site.

When I've seen this done in the past traffic from remote sites is usually VPN'd back to the hub and WCCP and the proxies were enabled there. Might be easier on your firewall admin... Also gives you more visibility assuming your LAN is 1918 address space.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.

Oven Wrangler

jwh posted:

Our DC systems folks are attempting to move to UCS-based chassis and blades within the next six to ten months, in an attempt to consolidate our VM environment.

To that end, they're proposing FEXs (Nexus 2ks) in the blades, connected to a HA pair of 6140 unified-fabric boxes. They're also proposing a Nexus 5000, to connect the 6140s to.

Thing is, I don't see what the point of the 5000 is, since all the M71KR-E converged network adapters terminate in the 6140s, and the only thing the 5000 would do is sit in between the 6140s and the 6500 L3 cores.

I can understand the 5000s provide cheaper 10gig density, but I don't see why that's important here if all the CNAs sit on the 6140s.

Am I missing something?

Is the 5000 supposed to aggregate links from the 6140s? It seems like if you only have one 5000, then the implication is that you will be connecting several 6140s to it and then using a 10G uplink or two to the 6500s instead of taking up many precious 10G ports on your core switches. That way, you'll have high-bandwidth interconnects between the 6140s and the ability for a particular 6140 or two to get a lot of bandwidth to the core when necessary, or for all to get a fair amount constantly.

Basically, the 5000 seems like a distribution layer switch.

ED: Oh, there are only two 6140s... Well, they may be planning for expansion, I guess.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

jwh posted:

Our DC systems folks are attempting to move to UCS-based chassis and blades within the next six to ten months, in an attempt to consolidate our VM environment.

To that end, they're proposing FEXs (Nexus 2ks) in the blades, connected to a HA pair of 6140 unified-fabric boxes. They're also proposing a Nexus 5000, to connect the 6140s to.

Thing is, I don't see what the point of the 5000 is, since all the M71KR-E converged network adapters terminate in the 6140s, and the only thing the 5000 would do is sit in between the 6140s and the 6500 L3 cores.

I can understand the 5000s provide cheaper 10gig density, but I don't see why that's important here if all the CNAs sit on the 6140s.

Am I missing something?

Are they at least buying two 5k's for redundancy?

jwh
Jun 12, 2002

abigserve posted:

Are they at least buying two 5k's for redundancy?

Hasn't been determined what they're doing yet.

Personally, I don't see the point of the 5ks at all in this architecture. The 6140s are capable of switching locally, and we're not planning on aggregating a significant number of chassis. Layer-3 is being done on a pair of 6509s with a handful of 10gig availability.

I don't even really know what they want here, it sounds a little bit like they're throwing everything at the wall to see what sticks. I'd much rather see us replace the 6509s with 7ks, and approach this with a collapsed core.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
How far are the 6509s located from the 5ks? It could be they just want to have 10Gig ports available in that part of the DC for future expansion and are slapping it into this budget request.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
Is there any way to get a ringing indicator and call pickup ability on a BLF on a 7942G?

BelDin
Jan 29, 2001
I'm currently running into a roadblock, and just want to double check before I have to move everything over an evening.

I have a PIX (running 8.0ish) with three legacy internal networks attached, a DMZ, and an external network connection. All of the legacy internal networks can talk to each other and the DMZ through NAT exemption rules, and it is using PAT for the external connection.

I have a new network established that I am migrating to, and:
- Set a port on the new network's L3 switch with a host IP address on one of the legacy internal networks.
- Added the route for the new networks on a legacy network interface of the PIX.
- Made sure that there were static routes on the new network L3 switch to the legacy interface on the old network, redistributed throughout the new network with EIGRP.
- Made sure there were NAT exemption rules for the new network address block on the interfaces of the legacy PIX.
- Allowed intra- and inter-interface communications on the legacy PIX.

I am trying to allow the migration of one network at a time from the old system to the new network while maintaining connectivity with new networks as well.

The problem that I am running into is that traffic from the two internal networks that require traffic to flow THROUGH interfaces on the PIX works perfectly.

The PIX interface network that is used to cross link the new and old network does not allow traffic to any of the new networks. Traffic is getting from the new networks to hosts on the legacy network, and they are going out to the local default gateway, only to die there instead of getting routed back to the new network.

Disclaimer: At this point, before you explain to me that PIX are not routers, please understand that I realize this and fully agree with you.

I thought that a static identity NAT on the legacy network interface may make it work, but all it did was hose the chicken stick shaking voodoo magic that the predecessor put in the PIX. I know that hairpinning for non VPN was allowed post 7.2 or so, and thought that I did everything that was required. Oh, and no ACL hits on the traffic to use as a guide.

I'm at a loss other than to take the spare interface on the PIX and convert it to a /30 private network range for the network link so that all traffic must travel through the PIX interface. What ticks me off the most is that packet tracer says that it should work, and pings DO work while normal TCP traffic does not.

Wow... that was kind of ranty.

Richard Noggin
Jun 6, 2005
Redneck By Default
CCNA studying question:

640-802 Exam Certification Library + GNS3, or ECL + official Cisco network simulator?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

BelDin posted:

I'm currently running into a roadblock, and just want to double check before I have to move everything over an evening.

I have a PIX (running 8.0ish) with three legacy internal networks attached, a DMZ, and an external network connection. All of the legacy internal networks can talk to each other and the DMZ through NAT exemption rules, and it is using PAT for the external connection.

I have a new network established that I am migrating to, and:
- Set a port on the new network's L3 switch with a host IP address on one of the legacy internal networks.
- Added the route for the new networks on a legacy network interface of the PIX.
- Made sure that there were static routes on the new network L3 switch to the legacy interface on the old network, redistributed throughout the new network with EIGRP.
- Made sure there were NAT exemption rules for the new network address block on the interfaces of the legacy PIX.
- Allowed intra- and inter-interface communications on the legacy PIX.

I am trying to allow the migration of one network at a time from the old system to the new network while maintaining connectivity with new networks as well.

The problem that I am running into is that traffic from the two internal networks that require traffic to flow THROUGH interfaces on the PIX works perfectly.

The PIX interface network that is used to cross link the new and old network does not allow traffic to any of the new networks. Traffic is getting from the new networks to hosts on the legacy network, and they are going out to the local default gateway, only to die there instead of getting routed back to the new network.

Disclaimer: At this point, before you explain to me that PIX are not routers, please understand that I realize this and fully agree with you.

I thought that a static identity NAT on the legacy network interface may make it work, but all it did was hose the chicken stick shaking voodoo magic that the predecessor put in the PIX. I know that hairpinning for non VPN was allowed post 7.2 or so, and thought that I did everything that was required. Oh, and no ACL hits on the traffic to use as a guide.

I'm at a loss other than to take the spare interface on the PIX and convert it to a /30 private network range for the network link so that all traffic must travel through the PIX interface. What ticks me off the most is that packet tracer says that it should work, and pings DO work while normal TCP traffic does not.

Wow... that was kind of ranty.

I'm confused. The internal interface on the PIX is connected to a router or an L3 switch that has connections to legacy and the new network? I'm reading this like it does, but then that doesn't make sense if you are trying to U-turn. Can you post the relevant sections of the PIX config?

inignot
Sep 1, 2003

WWBCD?
'Sup fellas.



abigserve
Sep 13, 2009

this is a better avatar than what I had before

inignot posted:

'Sup fellas.




Did...did you cover your name and number with paper?

ragzilla
Sep 9, 2005
don't ask me, i only work here


inignot posted:

'Sup fellas.




Congrats, R&S ?

BelDin
Jan 29, 2001

Tremblay posted:

I'm confused. The internal interface on the PIX is connected to a router or an L3 switch that has connections to legacy and the new network? I'm reading this like it does, but then that doesn't make sense if you are trying to U-turn. Can you post the relevant sections of the PIX config?

Not until Monday when I'm at work.

Here's a simplified, sanitized diagram to give an idea:



The PIX has one of three interfaces connected to a VLAN that has a L3 switch with a valid IP on that network, and I'm trying to route all the traffic for the other old networks directly connected to the PIX through the .253 IP in question back to the new network.

Right now, according to the diagram above, everything works from the DMZ and Local Area Network back to the New Local Area Network, but traffic from the New Local Area Network destined for the Management Network gets back to the Firewall as the default gateway, and never gets sent back to the L3 switch.

The Management Network has the route to the New Local Area Network on the firewall.

jwh
Jun 12, 2002

inignot posted:

'Sup fellas.




Hey, congrats! That's awesome.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

inignot posted:

'Sup fellas.




Welcome to the club!

Tremblay
Oct 8, 2002
More dog whistles than a Petco

BelDin posted:

Not until Monday when I'm at work.

Here's a simplified, sanitized diagram to give an idea:



The PIX has one of three interfaces connected to a VLAN that has a L3 switch with a valid IP on that network, and I'm trying to route all the traffic for the other old networks directly connected to the PIX through the .253 IP in question back to the new network.

Right now, according to the diagram above, everything works from the DMZ and Local Area Network back to the New Local Area Network, but traffic from the New Local Area Network destined for the Management Network gets back to the Firewall as the default gateway, and never gets sent back to the L3 switch.

The Management Network has the route to the New Local Area Network on the firewall.

Not to be a dink, but if management network hangs off that L3 switch why route up to the FW only to route back down? I'm sure there is a good reason, but I like to ask the dumb questions. :)

ate shit on live tv
Feb 15, 2004

by Azathoth

Tremblay posted:

Not to be a dink, but if management network hangs off that L3 switch why route up to the FW only to route back down? I'm sure there is a good reason, but I like to ask the dumb questions. :)

I assume it's some kind of Firewall on a Stick topology, otherwise how else would you enforce the firewall rules between segments?

Bardlebee
Feb 24, 2009

Im Blind.

inignot posted:

'Sup fellas.




So, is it an actual plaque? I cannot tell from the picture.

BelDin
Jan 29, 2001

Tremblay posted:

Not to be a dink, but if management network hangs off that L3 switch why route up to the FW only to route back down? I'm sure there is a good reason, but I like to ask the dumb questions. :)

Not a dumb question, and if you add a static route on the management network hosts to the new network it works just fine. I'm just being lazy and trying to avoid adding persistent static routes to a couple hundred computers and servers only to remove them once the network is migrated.

Powercrazy posted:

I assume it's some kind of Firewall on a Stick topology, otherwise how else would you enforce the firewall rules between segments?

The person here before me decided that using a PIX as a router was easier than using access lists on a router to do our internal network access control. This involved NAT exemptions for every local network, and access lists allowing all traffic between all local networks except the DMZ.

reborn
Feb 21, 2007

Hey Everyone,

I'm having some trouble wrapping my head around an issue. I've got to put a FWSM in place and create a DMZ out of one of our VLANs. The part where I'm drawing a blank is that bidirectional traffic needs to be firewalled.

All other VLANs < - 6509's - > VLAN 198 External FWSM < - - > VLAN 199 Internal FWSM < - - > Multiple blade chassis with servers on VLAN 199.


Basically VLAN 199 needs to be firewalled off. I have two 6509 switches as the core and I need to route all traffic through VLAN 198 into VLAN 199 to create the firewalled zone.

Am I wrong in thinking that traffic going to VLAN 199 will traverse the firewall, however traffic coming from VLAN 199 will go around the FWSM and logically straight into the switching fabric?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

I assume it's some kind of Firewall on a Stick topology, otherwise how else would you enforce the firewall rules between segments?

Physically on a stick but logically separated makes sense (vlan subints). Otherwise this isn't really a great idea...

Tremblay
Oct 8, 2002
More dog whistles than a Petco

reborn posted:

Hey Everyone,

I'm having some trouble wrapping my head around an issue. I've got to put a FWSM in place and create a DMZ out of one of our VLANs. The part where I'm drawing a blank is that bidirectional traffic needs to be firewalled.

All other VLANs < - 6509's - > VLAN 198 External FWSM < - - > VLAN 199 Internal FWSM < - - > Multiple blade chassis with servers on VLAN 199.


Basically VLAN 199 needs to be firewalled off. I have two 6509 switches as the core and I need to route all traffic through VLAN 198 into VLAN 199 to create the firewalled zone.

Am I wrong in thinking that traffic going to VLAN 199 will traverse the firewall, however traffic coming from VLAN 199 will go around the FWSM and logically straight into the switching fabric?

So 199 is supposed to be the DMZ? The only way you can route "around" the FWSM is if both VLAN 199 and 198 are SVIs on the 6k. So make one your SVI and have the other L3 interface reside on the FWSM. If you need both VLANs to be SVIs then you'll need to move 199 to its own VRF. FWSMs can be used to create logical connections between the two routing instances.
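A worked configuration for the design Tremblay describes (an SVI for VLAN 198 only, with the VLAN 199 layer-3 interface on the FWSM, plus the VRF variant for when both must stay SVIs). This is an added example, not config from the thread; the slot number, addresses, VRF name and ACL names are constructed.

```text
!=== 6509 supervisor (IOS) ===
! Hand both VLANs to the FWSM in slot 3 (slot number is an assumption).
firewall vlan-group 10 198,199
firewall module 3 vlan-group 10
!
! Option A: only VLAN 198 gets an SVI. VLAN 199 has NO SVI on the 6509, so the
! only layer-3 hop into 199 is the FWSM inside interface and there is nothing
! for return traffic to "route around".
interface Vlan198
 description transit to FWSM outside
 ip address 10.198.0.1 255.255.255.0
!
ip route 10.199.0.0 255.255.255.0 10.198.0.2   ! DMZ subnet sits behind the FWSM
!
! Option B: VLAN 199 must keep an SVI (blade chassis want the 6509 as gateway).
! Put that SVI in its own VRF; the FWSM is then the only path between the
! global routing table and the DMZ VRF.
ip vrf DMZ
 rd 65000:199
interface Vlan199
 ip vrf forwarding DMZ
 ip address 10.199.0.1 255.255.255.0
ip route vrf DMZ 0.0.0.0 0.0.0.0 10.199.0.2   ! everything leaves the VRF via the FWSM

!=== FWSM (routed mode, Option A addressing) ===
interface Vlan198
 nameif outside
 security-level 0
 ip address 10.198.0.2 255.255.255.0
!
interface Vlan199
 nameif inside
 security-level 100
 ip address 10.199.0.1 255.255.255.0   ! Option B: use .2 here, the SVI keeps .1
!
route outside 0.0.0.0 0.0.0.0 10.198.0.1
!
! The FWSM enables nat-control by default; turn it off so routed traffic is
! passed without a translation (or add a NAT exemption instead).
no nat-control
!
! Unlike the ASA, the FWSM has no implicit high-to-low permit: each interface
! needs its own ACL, which is exactly what makes the zone firewalled both ways.
access-list OUTSIDE_IN extended permit tcp any 10.199.0.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
access-list INSIDE_OUT extended permit udp 10.199.0.0 255.255.255.0 any eq 53
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

In Option A the servers in VLAN 199 use the FWSM address as their default gateway; in Option B they use the SVI, and the VRF default route carries them to the FWSM.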

BelDin
Jan 29, 2001

Tremblay posted:

Physically on a stick but logically separated makes sense (vlan subints). Otherwise this isn't really a great idea...

My predecessor not only didn't use VLANs (all switches were using VLAN 1), but put each network on an interface all its own. That's why I'm migrating it to a more traditional 3 layer design.

As a side note, I now know what the problem above is, I just need to figure out the best way to fix it. Turns out, even with the NAT exemption, the traffic from the management network to the new LAN was getting to the outside NAT pool. I'm thinking of adding a policy NAT to only pick up the traffic in question and U-turn it, I'm nervous due to the 500+ people this would cut off to our servers while it is occurring.

I think I'm just going to bite the bullet, take a weekend outage hit, and move all the networks to the new L3 switch. I'll just have to recreate the SNATs for the DMZ and internal hosts. I should be able to advance prep everything else.

We should start a thread with all the horrendous poo poo that we've all inherited over the years!
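The U-turn BelDin is describing, as an added PIX 8.0 example (not BelDin's config; the interface name, addresses and ACL names are constructed). It shows the three pieces that must all be bound to the same interface, and why an exemption that does not match this flow lets it fall into the outside pool.

```text
! PIX 8.0, added example with constructed values:
!   mgmt            = legacy management interface, 192.168.30.0/24, PIX is .1
!   192.168.30.253  = L3 switch port that leads into the new network
!   10.50.0.0/16    = new network block behind the L3 switch
!
! 1. Hairpin: allow a flow to enter and leave the *same* interface (7.2+).
same-security-traffic permit intra-interface
!
! 2. Send the new block back out the mgmt interface toward the L3 switch.
route mgmt 10.50.0.0 255.255.0.0 192.168.30.253
!
! 3. NAT exemption is evaluated before dynamic NAT, but it only matches when
!    the ACL bound to *this* interface names the new block as destination.
!    An exemption on the other legacy interfaces does nothing for this flow,
!    which then falls through to the outside PAT below.
access-list MGMT_NONAT extended permit ip 192.168.30.0 255.255.255.0 10.50.0.0 255.255.0.0
nat (mgmt) 0 access-list MGMT_NONAT
!
! 4. The existing outside PAT stays; it now only catches what nat 0 did not.
global (outside) 1 interface
nat (mgmt) 1 0.0.0.0 0.0.0.0
!
! 5. Trace a real TCP flow, not just ICMP, and read the NAT phase of the output.
packet-tracer input mgmt tcp 192.168.30.20 12345 10.50.1.10 443
!
! Caveat (added observation): the L3 switch sits in the same VLAN as the mgmt
! hosts, so replies from 10.50.x.x go switch -> host directly and never cross
! the PIX. The PIX sees the client's SYN and ACK but no SYN-ACK, and its TCP
! state tracking drops the session, while ICMP, with no handshake, survives.
! Giving the link its own /30 (as considered above) keeps both directions on
! the PIX and removes that asymmetry.
```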

Cavepimp
Nov 10, 2006
I have essentially 5 days to brush up on Cisco routing/switching stuff for a job interview and was hoping someone might know of a good "crash course" style reference.

Most of my background is in server admin, but after the first phone interview it appears there are a lot more networking duties than the job listing indicated. I'm not a networking newbie, but haven't touched Cisco stuff in a long time (and never in depth in a large enterprise like this).

Preferably something condensed that covers the main concepts/terminology so I can at least hold a conversation and know what they mean when they throw acronyms at me. I'm a quick learner, so 5 days is a fairly long time.

Not trying to misrepresent my experience, btw. Already had to flat-out say "I don't know" to a phone interview question and don't want a repeat since somehow they managed to call me back. I think my server experience carried me through and just want to focus on that and my ability to learn, not bumbled questions.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Cavepimp posted:

I have essentially 5 days to brush up on Cisco routing/switching stuff for a job interview and was hoping someone might know of a good "crash course" style reference.

Most of my background is in server admin, but after the first phone interview it appears there are a lot more networking duties than the job listing indicated. I'm not a networking newbie, but haven't touched Cisco stuff in a long time (and never in depth in a large enterprise like this).

Preferably something condensed that covers the main concepts/terminology so I can at least hold a conversation and know what they mean when they throw acronyms at me. I'm a quick learner, so 5 days is a fairly long time.

Not trying to misrepresent my experience, btw. Already had to flat-out say "I don't know" to a phone interview question and don't want a repeat since somehow they managed to call me back. I think my server experience carried me through and just want to focus on that and my ability to learn, not bumbled questions.

The Cisco Press CCNA book is decent. This is just the book without the lab sims. Search Amazon for "1587201836".

ate shit on live tv
Feb 15, 2004

by Azathoth
If you are familiar with networking but not IOS, any questions they ask you should be straightforward.

What is EIGRP? (something you should basically know)

Rather than:
How would you implement EIGRP on a Cisco ISR? (Integrated Services Router)

Subnetting and VLANs,
What is the difference between a Frame, a Packet, a Segment, and a Cell?
Classless/Classful Networks
MAC address vs IP Address
What is Spanning Tree Protocol, where do you use it?
ARP, RARP, OSI Model, etc.

I'm sure they aren't going to bust your balls on Cisco specific stuff but general networking stuff you should be familiar with.

Grab a CCNA book and look at the glossary of terms, if you can explain/understand most of those terms at least on a basic level then I bet you'll be fine.

http://www.wildpackets.com/resources/compendium/overview

CrazyLittle
Sep 11, 2001

Clapping Larry
who the hell still uses EIGRP anyways?

Cavepimp
Nov 10, 2006
Cool, thanks. I'm going to assume they're going to dive deeper than the basics, though. 7 of the ten questions the HR monkey lobbed at me in the phone interview were networking related, which caught me off guard considering the job listing barely mentioned networking at all. I might be over-thinking it, but I've been doing server stuff for 10+ years and have the rest of my interview strategy down, so I might as well use the 5 days to work on my weak areas (especially since it's not like it's a waste of time or something, I was planning on heading down this path eventually.)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

CrazyLittle posted:

who the hell still uses EIGRP anyways?

A lot of people/businesses/organizations.

some kinda jackal
Feb 25, 2003


CrazyLittle posted:

who the hell still uses EIGRP anyways?

I'd rather use EIGRP than RIP, for example :corsair:

BelDin
Jan 29, 2001

Martytoof posted:

I'd rather use EIGRP than RIP, for example :corsair:

Back in my day, we only had UUCP and bangpaths for e-mail! :corsair:

Dynamic routing protocols? We just use static routes for everything! :corsair:

I have actually heard both these in the last two years. EIGRP being rolled out is voodoo magic as far as they are concerned.

Cavepimp
Nov 10, 2006

BelDin posted:

Dynamic routing protocols? We just use static routes for everything! :corsair:

Uh oh...maybe I'm rustier than I thought.


Bardlebee
Feb 24, 2009

Im Blind.

BelDin posted:

Back in my day, we only had UUCP and bangpaths for e-mail! :corsair:

Dynamic routing protocols? We just use static routes for everything! :corsair:

I have actually heard both these in the last two years. EIGRP being rolled out is voodoo magic as far as they are concerned.

Does the CCNA even cover OSPF? That is my main fear. I have the ICND1, but if the ICND2 doesn't cover something that you need to know for employment, then... it's kinda silly.
