From: Darby Weaver (darbyweaver@yahoo.com)
Date: Sat Feb 09 2008 - 08:37:59 ARST
PCI Compliance is the driver on this one.
No Sales Manager
Designed by some very technical engineer types and
tight on the budget.
Every "U" of space and watt/amp is accounted for.
Seriously, there is not much waste if any.
In fact the reason this is kind of a pretzel is that
the interfaces were simply not there to take advantage
of...
Ever had two OSPF processes both being Area 0 on the
same device and talking to two other devices each
in Area 0... kind of looks like a triangle.
Another inter-area being brought in for
"summarization"...
And then we still needed the VRF to get traffic to
properly route those pesky IPSec S2S and end-users
back to where they came from and away from the "other"
zones...
Yep, we looked at the 12.4.6 feature called Zone-Based
Firewalls and we are using private VLANs to make even
more efficient usage out of a given switch (stack)...
This ain't the average cage.
--- Joseph Brunner <joe@affirmedsystems.com> wrote:
> This is what happens when you let Cisco sales
> managers design a colo.
>
> I have worked at colos many times, at Level 3,
> Exodus, Globix, ATT, PSI.net, from installing a 2924XL
> to dual PIX 535s and lately ASA 5520s, 3750 stacks,
> etc., to bigger cages with 6509s, 7300s with OC-3s,
> etc...
>
> So I have been in many "chicken wire" types colos, I
> even have eyeball shots
> of the old cnbc and wsj.com cages at Weehawken
> exodus '00 in my head (from
> many hours of working in the cage next door).
>
> I'm pretty sure you guys over-engineered, or you let
> the customer over-engineer. I can't see a cage being
> this complex. Again, my argument back to your post is
> K.I.S.S. is the best way to design everything. Your
> sales manager may not make his little quota, or the
> customer engineer might not complete his resume, but
> oh, it's right after raise time, so perhaps those
> goodies will get him a new gig.
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Darby Weaver
> Sent: Saturday, February 09, 2008 3:48 AM
> To: ccielab@groupstudy.com
> Subject: Anyone else up past 3:00am on this Saturday
> Morning... and gotta be
> ready for 9:00am the next day in a few hours?
>
> As I sit here at 3:14am on a "lab" that I've been
> working on from physical to layer 2, to layer 3,
> and now I'm finally on to the upper layer issues...
>
> Nope, not even a CCIE lab. Though if this guy who
> designed it ever becomes one, I suspect the pace of
> CCIEs would slow tremendously - the funny thing is
> that his name is "Proctor".
>
> There were three "issues" in this project that I just
> do not think I have seen in anyone's CCIE labs so far.
> Concepts... yes... but they work and they are
> eloquent and I'd really hate to be the person coming
> in having to play catch-up... it can hurt the head a
> little.
>
> Anyway, I'm working out the logic of what I have to do
> tomorrow starting at or about 9:00am sharp at a
> Co-Lo...
>
> So I brought my gear in and in a manner similar to
> Caslow's opening "scenario" in Bridges, Routers, and
> Switches...
>
> I had to build this monstrosity to spec. Then figure
> out where the hardware I am using to build my rules
> from comes up short with the actual design
> specifications (limitations - new gear costs more than
> my pod of ebay rejects). Funny, I actually have more
> physical interfaces to work with (but mine are 100mb
> versus the gig links in production).
>
> So after working literally to about 6 pm and only
> getting the devices put together and physically
> cabled... Here I sit.
>
> I finally got it all under control at about 2:42am -
> that is, all my physical cabling, vlans, trunking, vtp,
> passwords, misc commands were in place. The routing
> was in place. The firewalls (I used PIX 520s to
> simulate the ASA 5540s and a 501 to simulate the
> Border Firewall Failover pair) - I had to upgrade the
> code on everything and it had to be the same version
> of code, except for the firewalls - I'm only running
> 6.3.5 in my test pod. Then there are the routing
> protocols with authentication. The VRRP was
> straightforward and so was the Radius, syslog, a
> plethora of security tools - remember to use Cisco's
> configuration validation tool and verify the deltas
> that somehow always show up.
>
> The VRFs gave me a little issue since I nearly forgot
> them but the IPsec VPN came up easy enough, and I mean
> both the Site-to-Site and the client VPN. I had a
> question early in the day about WebVPN and sure enough
> the 7206s have a default option of using SSL VPNs
> too. But there is a tricky little gotcha when you
> disable http and enable http secure-server, which by
> the way had to be authenticated using the AAA list
> and... Radius like everything else. We are religious
> about SSH and so everything is SSH not telnet, so
> those restrictions coupled with access-lists are
> employed on every item... in the pod.
>
> The pod I used from my gear for this "little" project
> was:
>
> 2 3745s with 12.4.16 code - Yes - I found out the hard
> way I should have upgraded the CF. I wanted to fully
> simulate the 7206 VXRs in production. I did suffer
> one command not present in my crypto maps. But it was
> a reverse tag and probably not a deal breaker.
>
> 2 PIX 520s (to simulate the ASA 5540s) - they do a
> pretty good job and all of the interfaces come in
> handy as well. In production there is a lot of
> vlan tagging going on... On the 520s I have more real
> interfaces (they max out at 12). I bought them to
> emulate this project and as such got the appropriate
> number of interfaces.
>
> 1 PIX 501 - To simulate the rules coming from the
> Internet and generally outside of the test environment
> I'm building.
>
> 3 3550s - each represents a stack and they support
> VRFs as well as the 3750s - well, VRF-Lite really.
>
> Only one needed it for this equation.
>
> Whew!
>
> Ok, I got to move on I still have to get all of the
> object-groups validated and work out all of the NAT
> and hope I do not make too many mistakes before
> tomorrow morning - well this morning.
>
> I had a little time to write this and get my nerves
> back together before I get started on the downslope.
>
> Remember, I could have just gone out to the DC and done
> all of this in that cold shell of a Hell... but... I
> wanted to make sure I had a firm first-hand
> implementor's point-of-view on this little project
> before it goes prime-time and I am asked to support
> it.
>
> No better way than building it by hand and getting
> one's hands dirty a bit.
>
> I guess some might call this the "trenches"... I'm
> cold at the moment, thirsty but my throat hurts, a
> little sore from sitting for the last nearly 10 hours
> straight with only RR breaks... My head is throbbing
> (I could not sleep at all the night before) and so I'm
> generally working under less than the best physical
> conditions at the moment.
>
> But this is where all the fun, action, and toys
> are...
>
> Back to the coal mine...
>
> :)
>
>
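The management-plane hardening Darby's original post describes (SSH only on the vty lines, restricted by access-lists; AAA login against RADIUS; plain HTTP disabled and HTTPS authenticated through the same AAA list; routing protocols with authentication) sketched as a single IOS 12.4-style configuration. This is an added example for readers of the archive, not configuration from the post or from the production design it talks about. Every hostname, address, key string, ACL number and AAA list name is a constructed placeholder, and the angle-bracket values have to be replaced before the config will parse.

```cisco
! Added example, not from the original thread. All names, addresses and
! key material below are constructed placeholders.
hostname R1-lab
!
! AAA: authenticate logins against RADIUS and fall back to the local
! user database only when every RADIUS server is unreachable. Create the
! local user from the console BEFORE "aaa new-model", which immediately
! applies the default login list to every vty.
username admin privilege 15 secret <strong-local-fallback-password>
aaa new-model
aaa authentication login MGMT-AUTH group radius local
aaa authorization exec MGMT-AUTHZ group radius local
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key <radius-shared-secret>
!
! SSH needs a domain name and an RSA key pair before "transport input ssh"
! will accept a session. The key is generated in exec mode, not config:
!   crypto key generate rsa modulus 2048
ip domain-name lab.example
ip ssh version 2
!
! Only the management subnet may open a vty session; denied attempts are
! logged so a scan from a server VLAN shows up in syslog.
access-list 10 remark management hosts allowed to SSH in
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 transport input ssh
 login authentication MGMT-AUTH
 authorization exec MGMT-AUTHZ
 exec-timeout 10 0
!
! Web management: plain HTTP off, HTTPS on, authenticated by the same
! named AAA list. Without "login-authentication MGMT-AUTH" the HTTPS
! server uses the default login list, which need not match the vty lines.
no ip http server
ip http secure-server
ip http authentication aaa login-authentication MGMT-AUTH
ip http access-class 10
!
! Routing-protocol authentication: MD5 on the OSPF neighbour interface
! so an unauthenticated speaker on the segment cannot form an adjacency
! and inject routes. The area-level command turns MD5 on for every
! interface in area 0; each such interface needs a key.
interface GigabitEthernet0/0
 description link to core switch stack
 ip address 10.20.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 <ospf-key>
!
router ospf 1
 router-id 10.20.0.1
 area 0 authentication message-digest
 network 10.20.0.0 0.0.0.3 area 0
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
! Ship the access-class denies and the AAA failures somewhere off-box.
logging host 10.10.10.6
logging trap informational
```

Two checks worth doing after pasting something like this: open a second SSH session with the new AAA list before closing the console, so a RADIUS or ACL mistake cannot lock the box, and confirm with "show ip ospf neighbor" that adjacencies come back up after the MD5 key is applied on both ends of each link.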
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:48 ARST