LOL
You know some security teams at my place do exactly this. I was shocked when I asked for the configs of the old firewalls to compare notes... the old Checkpoints had permit ip any any.
The problem, or excuse, is "oh well, build a policy from logs", but it never happens; nobody knows where teams are accessing from, hence too scared to block genuine access!
-- BR Tony
Sent from my iPhone on 3

On 31 Mar 2013, at 08:07, "Joseph L. Brunner" <joe_at_affirmedsystems.com> wrote:

> Easy!
>
> Just put a permit ip any any statement on any intermediary firewalls in all ACLs as the first line, that are applied to all fw interfaces or on all routers...
>
> Then asymmetric packets are bound to make it through!
>
> Problem Solved, Design Validated
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of aaron1_at_gvtc.com
> Sent: Saturday, March 30, 2013 11:03 PM
> To: Tony Singh
> Cc: Cisco Fanatic; ccielab_at_groupstudy.com
> Subject: Re: Network Design
>
> How do you run dual L3 WAN links with LAN-side FHRP and maintain routing symmetry?
>
> ....and routing symmetry during FHRP failover...?
>
> Aaron
>
> ----- Original Message -----
> From: Tony Singh <mothafungla_at_gmail.com>
> To: Cisco Fanatic <ebay_products_at_hotmail.com>
> Cc: ccielab_at_groupstudy.com
> Sent: Sat, 30 Mar 2013 22:54:24 -0400 (EDT)
> Subject: Re: Network Design
>
> Is there a WAN that the 3945 connects to? Does it run BGP?
>
> A good design IMO is something that has dual links & is meshed to account for single link/device failure scenarios, but is engineered enough to ensure no asymmetric routing / routing blackholes and routing loops. Run FHRP; consider that your inbound/outbound routing or east to west is tested prior to production. If you have the 3750-X then get two; this makes them stackable and one less problem should the single device fail.
>
> BR Tony
>
> On 31 March 2013 03:44, Cisco Fanatic <ebay_products_at_hotmail.com> wrote:
>
>> My company hired a contractor who is a CCIE and I have learned some good things from him. But still, one question which I am not able to understand and can't get an answer for - What is considered a good network design? The answer I always get is "it depends". I understand that, so let me simplify in layman's terms so that I can grasp the concept ...
>>
>> What is recommended if, say, you have a router (say 3945), a switch (say 6509) and access switches (3750X)? How does this fit in "The Cisco Three-Layered Hierarchical Model"?
>> Should I consider the 3945 as Core and the 6509 as Distribution and configure InterVLAN routing on the 6509, OR is it the other way around?
>>
>> -yuri
>>
>> Blogs and organic groups at http://www.ccie.net
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Mar 31 2013 - 14:13:46 ART
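Joe's suggestion above is sarcasm: a `permit ip any any` placed first in an ACL matches every packet, so every line after it is dead and the ACL no longer enforces anything, which is exactly what Tony found on the old firewalls. The following Python check is added here and is not part of the thread; it parses Cisco-style numbered ACL lines from a constructed sample and reports the entries shadowed by such a catch-all permit.

```python
import re

# Constructed sample of Cisco-style numbered ACL lines (not from the thread):
# the catch-all permit sits first, followed by the rules the author intended.
SAMPLE_ACL = """\
access-list 101 permit ip any any
access-list 101 permit tcp host 10.1.1.10 host 10.2.2.20 eq 443
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 permit udp any host 10.2.2.53 eq 53
access-list 102 deny ip any any log
"""

# ACL name, action, protocol and the remainder of each access control entry (ACE)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def parse_acl(text: str) -> dict[str, list[dict]]:
    """Group ACEs by ACL name, keeping their order; non-ACE lines are ignored."""
    acls: dict[str, list[dict]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "rest": rest.split()})
    return acls

def is_catch_all_permit(ace: dict) -> bool:
    """'permit ip any any' matches every packet, so nothing after it is evaluated."""
    return ace["action"] == "permit" and ace["proto"] == "ip" and ace["rest"] == ["any", "any"]

def audit(acls: dict[str, list[dict]]) -> dict[str, list[int]]:
    """For each ACL containing a catch-all permit, return the 1-based positions
    of the ACEs that follow it and can therefore never match (shadowed rules).
    ACLs without a catch-all permit are not reported."""
    findings: dict[str, list[int]] = {}
    for name, aces in acls.items():
        for pos, ace in enumerate(aces, start=1):
            if is_catch_all_permit(ace):
                findings[name] = list(range(pos + 1, len(aces) + 1))
                break
    return findings

if __name__ == "__main__":
    for name, shadowed in audit(parse_acl(SAMPLE_ACL)).items():
        print(f"ACL {name}: catch-all permit found; shadowed ACE positions {shadowed}")
```

Running it against a real `show running-config` export instead of the sample gives the same report per ACL; an ACL that appears with an empty shadowed list has the catch-all as its last line, which still defeats the implicit deny.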
This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART