AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related development topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

28 October 2007

road to ccie with dynamips

Filed under: dynamips — ocsic @ 13:48

I came across some topics that do not work with Dynamips and that have to be covered with other devices for training. The only problem is with 3560-specific features that are not available on the NM-16ESW:

  • some optional available STP features, like bpduguard, bpdufilter
  • MSTP
  • layer 3 port-channel
  • different etherchannel protocols: a channel-group can only be turned on, no lacp/pagp
  • private-vlans
  • sdm modes
  • udld
  • port security
  • port protected
  • qos specific configuration of hardware queues like srr-queue
  • port configurations like dynamic, desirable
  • some configurations are similar but do not look the same as on the 3560, for example the vlan config: on the NM-16ESW only the old vlan database mode is available
  • vtp transparent mode with vlan numbers from 1006 to 4094. Dynamips only knows vlan numbers up to 1005, also in transparent mode; some workbooks ask for vlan numbers greater than 1005, which indicates that you have to use vtp transparent mode

Other features, not only switching-related:

  • clocking feature for serial lines (no need to set up "clock 64000")

There are probably other features to add here. I will keep completing this list.

10 October 2007

asa 5510 active/active

Filed under: Security — ocsic @ 21:59

I am currently doing a failover installation with two 5510s on each side, so there will be four devices altogether. It seems that things were not planned well enough.

The customer situation: there are two leased lines that are direct connections from one site to the other. So the idea was to make a failover config with both firewalls in an active/active failover configuration.

But the pitfall was that the traffic has to be encrypted over a site-to-site VPN tunnel. Active/active has to be configured in multiple context mode, and multiple context mode does not have IPsec available. So in multiple context mode you cannot configure any VPNs.

So then you only have active/standby. There is a catch here as well. If you configure active/standby and both ends are active, everything is OK. But if one side goes standby while the other side stays active because its "monitored" interface is working fine, this is a deadlock: neither side will match and the tunnel will not come up again.

It would be a great advantage if you could track or monitor the tunnel interface. Then you could switch from active to standby when the tunnel is no longer available.

Small diagram:

fw1(active) — leased line(vpn) — fw3(active)

fw2(standby) — leased line(vpn) — fw4(standby)
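To make the deadlock concrete, here is an added Python model of the two failover pairs (not the author's configuration and not ASA code; the only ASA behaviour it assumes is the interface-monitoring rule described above). fw1 to fw4 and the wiring follow the diagram, the fault on fw1 is constructed, and the tunnel-tracking rule is the hypothetical policy the post wishes for.

```python
from dataclasses import dataclass


@dataclass
class Pair:
    units: tuple     # (primary, secondary), e.g. ("fw1", "fw2")
    active: str      # unit currently holding the active role
    healthy: dict    # unit -> are its monitored interfaces up?

    def standby(self):
        return self.units[1] if self.active == self.units[0] else self.units[0]


# Constructed wiring from the diagram: each leased line joins exactly two units.
WIRING = {"fw1": "fw3", "fw3": "fw1", "fw2": "fw4", "fw4": "fw2"}


def tunnel_up(site_a, site_b):
    # The site-to-site peer only forms when both active units share a leased line.
    return WIRING[site_a.active] == site_b.active


def failover(pair, peer, track_tunnel):
    # Standard rule: switch roles only when the active unit's monitored interfaces fail.
    if not pair.healthy[pair.active] and pair.healthy[pair.standby()]:
        pair.active = pair.standby()
    # Hypothetical extra rule (what the post asks for): also switch when the tunnel is
    # down and the standby unit is the one wired to the peer site's active unit.
    if track_tunnel and not tunnel_up(pair, peer):
        sb = pair.standby()
        if pair.healthy[sb] and WIRING[sb] == peer.active:
            pair.active = sb


def simulate(track_tunnel, rounds=3):
    """Return the tunnel state before the fault and after each failover round."""
    site_a = Pair(("fw1", "fw2"), "fw1", {"fw1": True, "fw2": True})
    site_b = Pair(("fw3", "fw4"), "fw3", {"fw3": True, "fw4": True})
    history = [tunnel_up(site_a, site_b)]
    site_a.healthy["fw1"] = False   # constructed fault: fw1's monitored inside interface dies
    for _ in range(rounds):
        failover(site_a, site_b, track_tunnel)
        failover(site_b, site_a, track_tunnel)
        history.append(tunnel_up(site_a, site_b))
    return history


if __name__ == "__main__":
    print("interface monitoring only:", simulate(False))  # [True, False, False, False]
    print("tunnel state tracked too: ", simulate(True))   # [True, True, True, True]
```

With interface monitoring alone, site A fails over to fw2 while fw3 keeps its active role, so the tunnel stays down in every later round; once site B also reacts to the tunnel state, fw4 takes over and the tunnel comes back.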

Active/active does not do real load balancing either. You can split the different VLANs over both leased lines, so that the amount of traffic on each is about the same.

The better solution for such a scenario is, if possible, two routers with VPN and VRRP/HSRP and OSPF/EIGRP. Then you can do real load balancing and also have both lines active.
