Anyone else up past 3:00am on this Saturday Morning... and

From: Darby Weaver (darbyweaver@yahoo.com)
Date: Sat Feb 09 2008 - 06:48:02 ARST


As I sit here at 3:14am on a "lab" that I've been
working on from physical to layer 2, to layer 3,
and now I'm finally on to the upper layer issues...

Nope, not even a CCIE lab. Though if this guy who
designed it ever becomes one, I suspect the pace of
CCIEs would slow tremendously - the funny thing is
that his name is "Proctor".

There were three "issues" in this project that I just
do not think I have seen in anyone's CCIE labs so far.
Concepts... yes... but they work and they are
eloquent and I'd really hate to be the person coming
in having to play catchup... it can hurt the head a
little.

Anyway, I'm working out the logic of what I have to do
tomorrow starting at or about 9:00am sharp at a
Co-Lo...

So I brought my gear in and in a manner similar to
Caslow's opening "scenario" in Bridges, Routers, and
Switches...

I had to build this monstrosity to spec. Then figure
out where the hardware I am using to build my rules
from comes up short with the actual design
specifications (limitations - new gear costs more than
my pod of ebay rejects). Funny, I actually have more
physical interfaces to work with (but mine are 100mb
versus the gig links in production).

So after working literally to about 6 pm and only
getting the devices put together and physically
cabled... Here I sit.

I finally got it all under control at about 2:42am -
that is, all my physical cabling, vlans, trunking, vtp,
passwords and misc commands were in place. The routing
was in place. The firewalls (I used PIX 520's to
simulate the ASA 5540's and a 501 to simulate the
Border Firewall Failover pair) - I had to upgrade the
code on everything and it had to be the same version
of code, except the firewalls - I'm only running
6.3.5 in my test pod. Then there are the routing
protocols with authentication. The VRRP was straight
forward and so was the Radius, syslog, a plethora of
security tools - remember to use Cisco's
configuration validation tool and verify the deltas
that somehow always show up.

The VRF's gave me a little issue since I nearly forgot
them but the IPsec VPN came up easy enough, and I mean
both the Site-to-Site and the client VPN. I had a
question early in the day about WebVPN and sure enough
the 7206's have a default option of using SSL VPNs
too. But there is a tricky little gotcha when you
disable http and enable http secure-server. Which by
the way had to be authenticated using the AAA list
and... Radius like everything else. We are religious
about SSH and so everything is SSH not telnet, so
those restrictions coupled with access-lists are
employed and on every item... in the pod.

The pod I used from my gear for this "little" project
was:

2 3745s with 12.4.16 code - Yes - I found out the hard
way I should have upgraded the CF. I wanted to fully
simulate the 7206 VXRs in production. I did suffer
one command not present in my crypto maps. But it was
a reverse tag and probably not a deal breaker.

2 PIX 520's (to simulate the ASA 5540's) - they do a
pretty good job and all of the interfaces come in
handy as well. In the production there is a lot of
vlan tagging going on... On the 520's I have more real
interfaces (they max out at 12). I bought them to
emulate this project and as such got the appropriate
number of interfaces.

1 PIX 501 - To simulate the rules coming from the
Internet and generally outside of the test environment
I'm building.

3 3550's - each represents a stack and they support
VRF's as well as the 3750's - well VRF-Lite really.
Only one needed it for this equation.

Whew!

Ok, I've got to move on. I still have to get all of the
object-groups validated and work out all of the NAT
and hope I do not make too many mistakes before
tomorrow morning - well, this morning.

I had a little time to write this and get my nerves
back together before I get started on the downslope.

Remember, I could have just gone out to the DC and done
all of this in that cold shell of a Hell... but... I
wanted to make sure I had a firm first-hand
implementor's point-of-view on this little project
before it goes prime-time and I am asked to support
it.

No better way than building it by hand and getting
one's hands dirty a bit.

I guess some might call this the "trenches"... I'm
cold at the moment, thirsty but my throat hurts, a
little sore from sitting for the last nearly 10 hours
straight with only RR breaks... My head is throbbing
(I could not sleep at all the night before) and so I'm
generally working under less than the best physical
conditions at the moment.

But this is where all the fun, action, and toys are...

Back to the coal mine...

:)
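The management-plane pattern the post describes (SSH only, no telnet, AAA against RADIUS, access-lists on every box, plain HTTP off and HTTPS on with AAA authentication) looks roughly like the fragment below in IOS syntax. This is an added illustration, not configuration from the post or from the project it describes; the hostname, domain name, addresses, ACL number, AAA list name and the RADIUS/local secrets are constructed placeholders, and the post does not spell out what its http/https "gotcha" was, so the fragment only shows the baseline pattern.

```cisco
! Added example, not from the post. All names, addresses and secrets are placeholders.
hostname POD-R1
ip domain-name pod.example.test
!
! AAA first: RADIUS for login and exec authorization, with a local fallback
! so a RADIUS outage in the pod does not lock you out of your own router.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
aaa authentication login MGMT group radius local
aaa authorization exec MGMT group radius local
username admin privilege 15 secret LOCAL-FALLBACK-PLACEHOLDER
!
! SSH only: the RSA key must exist before "transport input ssh" will accept a session.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Management stations allowed to reach the vtys and HTTPS; everything else is dropped and logged.
access-list 10 remark management stations (placeholder range)
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 login authentication MGMT
 authorization exec MGMT
 transport input ssh
 exec-timeout 10 0
!
! Plain HTTP off, HTTPS on, authenticated against the same AAA list as the vtys.
! The vty access-class does not cover HTTPS, so the web server gets its own access-class.
no ip http server
ip http secure-server
ip http authentication aaa login-authentication MGMT
ip http access-class 10
```

After applying it, "show ip ssh" confirms SSH v2 is enabled, "show running-config | include http" confirms only the secure server is on, and a telnet attempt from a permitted host should be refused while SSH from a host outside the ACL range should be dropped and logged. Enabling ip http secure-server on a box with no trustpoint makes IOS generate a self-signed certificate, so the same configuration-validation pass the post recommends is a good place to catch the resulting delta between pod and production.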



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:48 ARST