We have a pair of next-gen firewalls (fancy routers) in an Active/Passive stateful HA pair. They have SFP interfaces and we have been provided SC-terminated cables from each of our ISPs. We have the Cisco GLC-SX-MM SFP 1000Base-SX transceivers, but that would only allow us to connect an ISP to one device. How do I configure this for high-availability failover? Is it as simple as getting a pair of these and hooking them up to my firewalls? http://www.acefiber.com/1x2-st-to-lc-splitter-50125-multimode-850-20mm-p-183315.html Basically, how do I create the RED lines?

# Mar 20, 2014 13:02

# Apr 27, 2024 09:20

I'm guessing since there is no enterprise WIRED networking thread, this is as good a place as any to discuss. I have a network architecture issue that's crushing my budget. I have a new pair of datacenters that share an ASN and BGP-routed block. They are connected with a pair of L2 10gig links. The whole IP address scheme and systems architecture in general was designed on a shared layer 2 providing free-floating VM mobility across sites. I want our routers to do all layer 3 traffic manipulation so I can force network firewall ACLs. To do this, I need to license the ASR-1001-X to the tune of 20Gb, which is crushing me. Ultimately I need HSRP or VRRP or similar to allow the .1 gateway address to float properly in a failover situation. Obviously the $180k+ list (take that with the usual grain of salt) for that config is still crushing my budget. BSDRP or pfSense come to mind, but this strikes me as insanely risky in a production enterprise environment without a full-time, dedicated network engineer. Anyone have words of wisdom to share or another strategy to think about for this? I am on my iPad or I would give a drawing. Well, let's try this....

KennyG fucked around with this message at 22:32 on Jun 21, 2015
# Jun 21, 2015 22:17

> 1000101 posted: Could just do L3 on the 5Ks assuming it's a 5600 or you have the L3 module. Are your firewalls running in transparent mode? Do you need stateful inspection between all your VLANs or just security zones?

Stateful? Probably not. Robust ACLs, yes. The issue I run into is the fact that the firewall services provide proxy content filtering, IPS/IDS, site-to-site VPN, DPI and a number of other security services beyond firewalling. I like the SonicWalls we have, but I get the feeling we have outgrown Dell networking products at this point. If I move to an L3 license on the 5600s I have a similar problem, as they are not a single shared logical unit (HSRP). There are four 5596UPs in two sites, two in each DC.

# Jun 24, 2015 02:50

I just got a C-block from Cogent to use for my public BGP implementation after getting so pissed at AT&T that I have asked legal to start the ball rolling on breaking the contract. I have Cogent in all my US sites and AT&T at all sites (including US). We have had massive issues with AT&T and they are 6 months behind schedule, including taking 4 months turning a circuit up in a loving Equinix data center. I have the opportunity to take the C-block from either provider, but once I start using those addresses it's going to be drat hard to move away from them. Which of these two evils would you hitch your corporate wagon to? We use iWAN instead of MPLS and all of our traffic is either VDI/RDP/(s)FTP or, increasingly, HTTPS hosting kCura's Relativity (https://www.kcura.com/relativity/). I would say we are a large-small to a small-mid-size business. Basically, AT&T, Cogent, Other - pick 2.

# Dec 30, 2016 18:04

You never know what you don't know. I didn't know there were auction houses. $4k to have my very own registered space. That sounds like a good deal. April starts the new fiscal year. I didn't say I was going to sue AT&T. I said I was going to break the contract. There is a huge difference.

# Dec 30, 2016 23:53

Looking to improve my setup for a new site. We have previously done failover/interchassis HA on ISRs. This looks like this: The ISPs I've been bitching about above are actually giving me /29s. I was talking with our VAR yesterday and they asked why don't you use both routers and allow OSPF to take care of the HA rather than risking the two fighting over 'active' state talking to the upstream device. Seems like a decent idea. Question: Is it
We are running OSPF inside and it makes the handling of other devices much easier to let the routing take over. code:
KennyG fucked around with this message at 17:58 on Jan 10, 2017

# Jan 10, 2017 17:49

> madsushi posted: What about this:

I was just trying to show you the upstream "provider" router from VIRL. I think everyone else got what's going on. AS1 represented the provider of ISP1 and then AS3 represents my "customer premise equipment". Thank you, Goon wisdom; iBGP seems like a great idea to make sure the routers can effectively do their duty. I'm on chapter 7 of the Cisco book recommended a few pages back - Advanced Routing Architectures, 2nd edition. Bit dated in getting started but plenty of useful info. Kind of wish Cisco would publish a 3rd edition.

"Time will tell how long IPv6 will take but it's still very experimental" - Cisco, 2001
"Most enterprises use serial because dedicated links are too expensive."

# Jan 11, 2017 05:03

> adorai posted: and it looks like list on those is $22k, and I assume I would want two for each chassis.

You know nobody pays that price, right?

Big Business? Volume discount
Small Business? Growth discount
First UCS purchase? Starter discount
Refreshing your obsolete purchase? Loyal customer discount
Considering another vendor? Drop your pants discount.

Cisco quotes are like a mad lib. Since you are ___________ we will give you a special ____________ discount. You can get an 8-blade UCS-Mini starter pack (the (former?) term for having the FIs in with the blade chassis) for less than 10k per blade, even with reasonably high core counts and 256+ GB RAM. If you have a 9504, you can swing UCS. However, as much as I like UCS (we run it in 3 of our 4 data centers), it really doesn't SHINE until you get into the 4-5+ chassis range or are constantly re-configuring servers every day (which you shouldn't be doing). It is a bit more administrative overhead if you are just going with one chassis.

# Jan 15, 2017 07:29

To spine leaf or not to spine leaf

Running a couple of small colo deployments (6-8 racks each). Tons of east-west traffic, lots of software-defined scale-out NAS and block. Total is about 100 physical devices between VMware hosts and storage nodes. I have a moderate ESXi environment of about 30 hosts per site. The new scale-out NAS platform requires 40GigE today and will likely support 25/50/100GbE very shortly. We are currently all Cisco networking and looking at making some changes: either extend the Nexus 9332PQs and reuse them in a spine-leaf, or abandon them and just go with 9504 or even 9508 in our larger centers and just have two single-chassis switches and not have to mess with the S/L madness. Everything today is run in NX-OS mode with no ACI/NSX in play, just ACLs. Thoughts?

# Aug 5, 2017 02:08

I have something that's perplexing me. I am trying to use tunnels that exist on the "internal" default VRF as my site-to-site link for multi-site BGP that lives on my two public VRFs, ISP100 and ISP200. I'm trying to preserve IP space, as I have about 18 sites; if I needed two public sets of IPs for my internal tunnel network, it would consume 64 of my C-block addresses. Pictures are worth 1000 words, so: The left side is up and running well. The traffic is spread across both and I'm moving data efficiently, but I'm trying to add in the right side so that it links up and if someone reaches the left side bound for 9.9.9.9, they ride the tunnels. The tunnels are DMVPN and multi-site connections are working, but linking the VRFs is just throwing my brain for a loop. Obviously numbers have been changed to protect the ignorant. I don't think I want to 'leak' the private routes into the public side... do I?

# Nov 9, 2017 23:10

Thinking about this, I think this is my issue. I need to leak that 9.9.9.9 route across the VRFs. Thanks. The 9.9.9.9 should exist across all of them.

# Nov 10, 2017 16:11

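One way to do what the post above concludes, as an added Cisco IOS example that is not from the thread: a static host route for 9.9.9.9 installed in each public VRF, with the next hop resolved in the global (default) table where the DMVPN tunnels live. The VRF names and 9.9.9.9 are from the post; the tunnel next-hop address 10.255.0.1 is assumed.

```cisco
! Added example (not from the thread). ISP100 / ISP200 are the public VRFs
! named in the post; 9.9.9.9 is the post's placeholder destination.
! 10.255.0.1 is an assumed DMVPN hub tunnel address in the global table.
!
! Host route in each public VRF whose next hop is looked up in the global
! routing table ("global" keyword), so traffic arriving on either ISP VRF
! for 9.9.9.9 is forwarded over the default-VRF tunnels.
ip route vrf ISP100 9.9.9.9 255.255.255.255 10.255.0.1 global
ip route vrf ISP200 9.9.9.9 255.255.255.255 10.255.0.1 global
!
! Check that the leaked route is installed in each VRF and which next hop
! and interface it resolves to.
show ip route vrf ISP100 9.9.9.9
show ip route vrf ISP200 9.9.9.9
```

Return traffic from 9.9.9.9 arrives in the global table, so the source prefixes behind ISP100 and ISP200 still need a path from the global table back into the VRF (a static route pointing at the VRF-facing interface, or route-target import if the VRFs exchange routes via BGP); without it the leak is one-way and this is exactly the "leak the private routes into the public side" question the post raises.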
> Thanks Ants posted: What does the web access even look like on IOS? I presume it's loving terrible like most of Cisco's other attempts at a web UI.

It's basically an ad for their add-on (pay us more money) UI. Does anyone buy that? Here's a screenshot of what happens when you log in with an admin account to a Catalyst 4500...

# Jan 24, 2018 03:59