Cisco ASA Platform Limitations

I have been working on an enterprise-scale Cisco ASA firewall deployment project. In the high-level design I found that there is a big limitation in the platform. The solution requires the appliances to be in true active-active mode. The other main requirement was that it should carry out the VPN feature set as well. I found out that when two ASA units are in Active-Active mode you cannot have VPN. There is no dynamic routing protocol implementation either (there are a few more limitations in the list as well). The Active-Active setup for the ASA platform is not true active-active (no load balancing at all). These limitations are enforced in an indirect manner, making them harder to identify in a quick overview. Mainly, the Active-Active setup requires the ASA units to be in multiple context mode, and multiple context mode has the above limitations.

Note this for your future projects. I was lucky that I did my research in my detailed design, avoiding major disasters. Also note that the ASA platform cannot do any load balancing, and there is no ISP active-active setup either. A big disappointment in Cisco and their ASA platform.

No Comments


VMware Network Blueprint

  • The VMware network blueprint is an outcome of the best-practice recommendations from VMware.
  • The figure below shows a high-level overview of the proposed blueprint. Main points:
  • The best approach is the Virtual Switch VLAN Tagging (VST) model.
  • The recommended network integration uses 5 VLANs:
    • Service Console (SC)
    • Fault Tolerance (FT)
    • VMotion (VM)
    • VM Network (Production)
    • iSCSI (Storage)
  • Trunk ports are used on the connecting physical switch.
  • The vSwitch is set to use “IP HASH” to load balance between the physical NICs in a given port group (IP HASH works on the outgoing traffic from the ESX host).
  • A Layer 3 core switch or external router should be used for inter-VLAN routing.
  • Jumbo Frames should be switched on for the iSCSI and VMotion VLANs to accommodate large file movements.

 

Figure 1: VMware Network High-level Blueprint

On the Physical Switch:

  • Link Aggregation is used to create redundant physical link bundles.
  • Trunk ports are implemented to carry the VLAN traffic from the internal vSwitches to the external network segments.
  • Trunk ports can be limited to carry only the required VLANs, which adds some security on the ports.

 

Configuration

On the ESX Host:

To set the port group properties:

  1. Log into the VMware VI Client and select the server from the inventory panel. (The hardware configuration page for this server appears.)
  2. Click the Configuration tab, and then click Networking.
  3. On the right side of the window, click Properties for a network.
  4. The vSwitch Properties dialog box appears.
  5. Click the Ports tab.
  6. Select the port group and click Edit.
  7. In the Properties dialog box for the port group, click the General tab to change:
    1. Network Label — a name that identifies the port group that you are creating.
    2. VLAN ID — identifies the VLAN that the port group’s network traffic will use.
    3. NIC Teaming – set Load Balancing to “Route based on IP HASH”.
  8. Click OK to exit the vSwitch Properties dialog box.

 

On the External Switch:

Cisco Switch:

On the channel-group <group-id> (port-channel) interface:

  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk native vlan <vlan-id>
  switchport trunk allowed vlan add <vlan-id(s)>
  switchport nonegotiate
  spanning-tree portfast trunk


HP Switch:

  trunk <port-list> <trunk-id> trunk
  vlan <default-vlan-id> untagged <trunk-id>
  vlan <vlan-id(s)> tagged <trunk-id>
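The switch-side hardening points above (restrict the trunk to the required VLANs, move the native VLAN off the default, and disable DTP negotiation with switchport nonegotiate) are easy to drift from across many ports. The following Python script is an added example, not part of the original post or of any VMware or Cisco tool: it parses a constructed IOS-style running-config fragment and reports, per trunk, which of those points are missing. The interface names and VLAN numbers in the sample are made up.

```python
"""Audit Cisco IOS trunk ports for the hardening points in the blueprint.

Added example (not from the original post). Parses a constructed
'show running-config'-style fragment and flags trunks that allow every
VLAN, leave DTP negotiation enabled, carry the native VLAN in the allowed
list, or leave the native VLAN at the IOS default of 1.
"""
import re

# Constructed sample: Port-channel1 follows the blueprint, Port-channel2 does not.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-32
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [command, ...]} for each 'interface' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith('interface '):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(' ') and current:
            interfaces[current].append(line.strip())
        elif line == '!':
            current = None
    return interfaces


def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_trunk(commands):
    """Return a list of findings for one trunk interface (empty list = hardened)."""
    findings = []
    if 'switchport mode trunk' not in commands:
        return findings  # not a trunk port; nothing to audit here
    allowed = None       # None means every VLAN is carried (the IOS default)
    native = 1           # IOS default native VLAN
    for cmd in commands:
        if m := re.match(r'switchport trunk allowed vlan (?:add )?(\S+)$', cmd):
            spec = m.group(1)
            # Only 'all' and explicit lists are handled; 'none'/'except' are not.
            allowed = None if spec == 'all' else (allowed or set()) | expand_vlans(spec)
        elif m := re.match(r'switchport trunk native vlan (\d+)$', cmd):
            native = int(m.group(1))
    if allowed is None:
        findings.append('allows all VLANs (no "switchport trunk allowed vlan")')
    elif native in allowed:
        findings.append(f'native VLAN {native} is also in the allowed list')
    if 'switchport nonegotiate' not in commands:
        findings.append('DTP negotiation still enabled (missing "switchport nonegotiate")')
    if native == 1:
        findings.append('native VLAN left at default 1')
    return findings


def audit_config(config):
    """Audit every interface block; returns {interface_name: [findings]}."""
    return {name: audit_trunk(cmds) for name, cmds in parse_interfaces(config).items()}


if __name__ == '__main__':
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, '-> OK' if not findings else '')
        for f in findings:
            print('   ', f)
```

Run it against a saved running-config instead of the embedded sample by reading the file into audit_config(); only the interface blocks are inspected, so the rest of the config can stay as-is.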

No Comments


Spanning-Tree Proposed Setup for VMware Deployment with Existing Layer 2 Core

Background for the solution design

We deploy quite a few VMware virtualization solutions where there is an existing Layer 2 network core. It is important that this solution design is reviewed to create the required network changes to accommodate the new infrastructure.

The main reason behind the proposed changes is the major change introduced with the new infrastructure by centralizing the core network resources into the virtualized platform. This shift of the network resource core should be followed by a move of the Layer 2 network core to accommodate the change in network traffic.

Diagram: ChangeCore

Solution Deployment

The solution is based on the Spanning Tree Protocol (STP). STP dictates the root, or centre (core), of the Layer 2 network. The root (core) switch is elected by STP, and after the election all other switches in the network create a logical path to the root switch for all network traffic. This makes the switching fabric more efficient, since fewer hops to reach the core network resources lets the network function at its optimum.

Deployment Scenario #1

Existing Core: Netgear GS748TS switch stack with 4 member switches

New Core: HP 2810-48 (Top Switch) and HP 2810-48 (Bottom Switch)

Diagram B: Scenario #1 switch deployment

In the existing network setup the Netgear stack master is the STP root. To move the core to the new switching infrastructure, follow the steps below:

· Change the STP priority on the HP Top Switch to a lower value than the default (32xxxx).

· If required, increase the STP priority to a higher value on the Netgear switch stack master.

· Check that the STP election proceeds as planned.


Network Link setup

In Diagram B the following inter-switch links (trunks) exist, with their STP forwarding/blocked state after the root change:

HP Top Switch:

  Physical Interface   Trunk Group ID   STP State    Description
  Ethernet Port #21    TRK1             Forwarding   Uplink trunk to old Core
  Ethernet Port #22    TRK1             Forwarding   Uplink trunk to old Core
  Ethernet Port #23    TRK2             Forwarding   Uplink trunk to HP Bottom SW
  Ethernet Port #24    TRK2             Forwarding   Uplink trunk to HP Bottom SW

HP Bottom Switch:

  Physical Interface   Trunk Group ID   STP State    Description
  Ethernet Port #21    TRK1             Block        Uplink trunk to old Core
  Ethernet Port #22    TRK1             Block        Uplink trunk to old Core
  Ethernet Port #23    TRK2             Forwarding   Uplink trunk to HP Top SW
  Ethernet Port #24    TRK2             Forwarding   Uplink trunk to HP Top SW

Old Core Switch (Stack):

  Physical Interface   Trunk Group ID   STP State    Description
  Ethernet Port #X1    TRK1             Forwarding   Uplink trunk to HP Top SW
  Ethernet Port #X2    TRK1             Forwarding   Uplink trunk to HP Top SW
  Ethernet Port #X3    TRK2             Block        Uplink trunk to HP Bottom SW
  Ethernet Port #X4    TRK2             Block        Uplink trunk to HP Bottom SW
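To check the root election before touching production switches, the following Python model is an added example (not from the original post and not a vendor tool). It applies the 802.1D rules the steps above rely on: the bridge ID is compared by priority first and MAC address second (lower wins), each switch computes its root path cost, and on every inter-switch trunk one end is designated while the other end is either that switch's root port or blocks to break the loop. The switch names, MAC addresses and the 4096 priority are constructed; 32768 is the 802.1D default priority and 4 the 802.1D path cost of a 1 Gbps link.

```python
"""STP root election and port roles for the three-switch core in Scenario #1.

Added example, not from the original post. Models 802.1D bridge-ID
comparison, root path cost and per-trunk port roles for a triangle of
switches. Names, MACs and the lowered priority are constructed values.
"""


def bridge_id(priority, mac):
    """802.1D bridge ID ordering: (priority, MAC as integer); lower wins."""
    return (priority, int(mac.replace(':', ''), 16))


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the elected root bridge."""
    return min(bridges, key=lambda b: bridge_id(*bridges[b]))


def root_path_costs(bridges, links, root):
    """Dijkstra from the root over links [(a, b, cost)].

    Returns (cost to root per switch, next hop toward the root per switch).
    """
    cost = {b: float('inf') for b in bridges}
    cost[root] = 0
    via = {root: None}
    pending = set(bridges)
    while pending:
        u = min(pending, key=lambda b: cost[b])
        pending.discard(u)
        for a, b, c in links:
            for x, y in ((a, b), (b, a)):
                if x == u and y in pending and cost[u] + c < cost[y]:
                    cost[y] = cost[u] + c
                    via[y] = u
    return cost, via


def port_roles(bridges, links):
    """Return (root, {(switch, neighbour): 'designated' | 'root' | 'blocked'})."""
    root = elect_root(bridges)
    cost, via = root_path_costs(bridges, links, root)
    roles = {}
    for a, b, _ in links:
        # The designated end of a segment has the lower root path cost,
        # tie broken by the lower bridge ID.
        des = min((a, b), key=lambda x: (cost[x], bridge_id(*bridges[x])))
        other = b if des == a else a
        roles[(des, other)] = 'designated'
        # The other end is a root port if this segment is its best path to
        # the root; otherwise it must block to break the Layer 2 loop.
        roles[(other, des)] = 'root' if via.get(other) == des else 'blocked'
    return root, roles


# Constructed topology: TRK1/TRK2 bundles modelled as single 1 Gbps links (cost 4).
LINKS = [('HP-Top', 'Netgear', 4), ('HP-Top', 'HP-Bottom', 4), ('HP-Bottom', 'Netgear', 4)]

# Before the change: all at the default priority, so the lowest MAC becomes root.
BEFORE = {
    'HP-Top':    (32768, '00:1a:4b:00:00:01'),
    'HP-Bottom': (32768, '00:1a:4b:00:00:02'),
    'Netgear':   (32768, '00:09:5b:00:00:01'),
}
# After step 1: HP Top lowered to 4096 (constructed value); the rest unchanged.
AFTER = {
    'HP-Top':    (4096,  '00:1a:4b:00:00:01'),
    'HP-Bottom': (32768, '00:1a:4b:00:00:02'),
    'Netgear':   (32768, '00:09:5b:00:00:01'),
}

if __name__ == '__main__':
    print('root before:', elect_root(BEFORE))
    root, roles = port_roles(AFTER, LINKS)
    print('root after: ', root)
    for (sw, nb), role in sorted(roles.items()):
        print(f'  {sw:10} -> {nb:10} {role}')
```

Raising the Netgear priority (step 2) can be tried by editing AFTER: because the Netgear and HP Bottom switches both reach the root at equal cost, which of the two blocks on the trunk between them is decided purely by their bridge IDs, so changing the Netgear priority moves the blocked end.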

No Comments


Cisco ASA NAT and PAT Configuration

I thought I would put together a NAT and PAT example to assist anyone who is trying to implement NAT and PAT using a Cisco ASA product.

Mainly, NAT (Network Address Translation) means you let an internal network talk to outside networks using a given public/outside IP or a pool of such IPs. The diagram below shows the most common use of NAT: Internet connectivity for a private network.

Let's get to it then… First, how to configure PAT from the ASDM.

Let's look at a scenario to understand the process properly, in steps. My example scenario is to forward traffic which hits the outside interface to my internal FTP server.

First, create an access-list to allow any traffic coming to the outside interface on a given service port to pass through. In my example I am using FTP (21). Apply it using the ASDM.

Next, create a static NAT entry to statically NAT the inside host (the service server) to the outside interface.

First create a named object so it is easier to remember your mapping, and your configuration is easier to read and understand down the track.

Then create the static NAT using the dialog box shown below.

That is all there is to Port Address Translation (PAT) in order to open up an FTP server on your private network to the outside world using an ASA appliance.

Let's do the same using the command line (CLI).

access-list outside_access_in extended permit tcp any interface outside eq ftp
access-group outside_access_in in interface outside
static (inside,outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255


Next, look at Network Address Translation.

This scenario is where the ISP has given you a block of public IPs and you want your network to use them in order to communicate with the public networks.

The first step is to create the pool as below using the “Edit Global Address Pool” dialog box.

After that, add the dynamic NAT as below to use the previously created IP pool to NAT to outside networks.

Now let's do the same using the CLI.

global (outside) 1 10.142.188.50-10.142.188.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

Simple as that.

 

Let me know if you want me to clear any NAT and PAT issues with any specific scenarios.
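A static PAT only exposes an inside host when the access-list bound to the outside interface also permits that port, so it is worth reading the two together. The following Python script is an added example, not part of the original post or of Cisco's tooling: it parses the pre-8.3 ASA command forms used above (access-list, access-group, static, global, nat) from a constructed sample config and lists, for each static PAT, which inside host and port is reachable, through which outside port, and from which sources. The host names, the 203.0.113.7 address and the extra www and 3389 entries in the sample are made up.

```python
"""List services exposed through ASA static PAT plus access-list (added example).

Not from the original post. Parses the pre-8.3 ASA command shapes the post
uses and joins each static PAT with the permit entries of the access-list
bound to its mapped interface. The sample config is constructed.
"""
import re

SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp host 203.0.113.7 interface outside eq www
access-group outside_access_in in interface outside
static (inside,outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255
static (inside,outside) tcp interface www WebServer 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 AdminPC 3389 netmask 255.255.255.255
global (outside) 1 10.142.188.50-10.142.188.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# ACL entries whose destination is the mapped interface itself ("interface outside").
ACL_RE = re.compile(
    r'^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) '
    r'(?P<src>any|host \S+|\S+ \S+) interface (?P<iface>\S+) eq (?P<port>\S+)$')
# Static PAT: real host/port translated to a port on the mapped interface.
STATIC_RE = re.compile(
    r'^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) interface '
    r'(?P<mapped_port>\S+) (?P<real_host>\S+) (?P<real_port>\S+) netmask \S+$')
GROUP_RE = re.compile(r'^access-group (?P<name>\S+) in interface (?P<iface>\S+)$')


def parse(config):
    """Split the config into ACL entries, static PATs and ACL-to-interface bindings."""
    acls, statics, bindings = [], [], {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            acls.append(m.groupdict())
        elif m := STATIC_RE.match(line.strip()):
            statics.append(m.groupdict())
        elif m := GROUP_RE.match(line.strip()):
            bindings[m['iface']] = m['name']
    return acls, statics, bindings


def exposed_services(config):
    """One record per static PAT; 'allowed_from' is empty when no ACL permits it."""
    acls, statics, bindings = parse(config)
    exposed = []
    for s in statics:
        acl = bindings.get(s['mapped_if'])
        permits = [a for a in acls
                   if a['name'] == acl and a['action'] == 'permit'
                   and a['proto'] == s['proto'] and a['iface'] == s['mapped_if']
                   and a['port'] == s['mapped_port']]
        exposed.append({
            'host': s['real_host'],
            'port': s['real_port'],
            'via': f"{s['mapped_if']}:{s['mapped_port']}",
            'allowed_from': [a['src'] for a in permits],  # [] = translated but not reachable
        })
    return exposed


if __name__ == '__main__':
    for rec in exposed_services(SAMPLE_CONFIG):
        print(f"{rec['host']}:{rec['port']} via {rec['via']} <- {rec['allowed_from'] or 'nobody'}")
```

The third static in the sample shows the case to watch for in the other direction: a translation with no matching permit is harmless on its own, but it becomes an open service the moment someone adds a broad "permit tcp any interface outside" line to that ACL.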

No Comments


HSRP Configuration using 4 Cisco 3750 Switches

Hot Standby Router Protocol (HSRP) is a Cisco technology to implement router redundancy using Layer 3 switches or routers.

The basic idea of HSRP is that it lets a virtual IP be hosted and shared by two different hardware units. I deployed a solution using 4 Cisco 3750 StackWise switches for a client. They had two 3750 switches at the core of their network, connected into a single virtual unit using StackWise technology, which increases the resilience of the core network to some extent. My solution added another set of 3750 switches into the cluster, creating a complete HSRP cluster while increasing reliability and extending the number of ports per VLAN.

Below is the solution design diagram I put together for the client.

Diagram: HSRP Solution

How to implement HSRP using the Cisco 3750

To enable HSRP on an interface, use the following command:

(config-if)# standby ip

To use HSRP in an organized manner it is advisable to implement HSRP groups, especially if you are using HSRP clustering.

The client's network consisted of 7 VLANs, and each VLAN's default gateway address was set to one of the 7 HSRP virtual router addresses. Furthermore, HSRP can implement load sharing by using the priority to select which physical unit takes ownership (active router) of each virtual router in normal operation (MHSRP). The HSRP priority is between 1 and 255; the highest-numbered router interface in each HSRP group becomes the active router, which holds the virtual router process.

Don’t forget to set preempt, so that when an active router recovers from a failure it automatically becomes the active router for that HSRP group again, keeping the load sharing in place in normal operation.

Below is a complete interface configuration in order to implement HSRP.

Switch# configure terminal
(config)# interface vlan 1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# standby 1 ip 192.168.0.254
(config-if)# standby 1 priority 110
(config-if)# standby 1 preempt
(config-if)# standby 1 authentication word
(config-if)# standby 1 timers 5 15
(config-if)# standby 1 name VR_VLAN1

The timers set the advertisement (heartbeat) interval between the interfaces participating in the HSRP group, and authentication keeps unauthorized routing interfaces from participating in the HSRP group.

After configuring all of the interfaces in the cluster with the HSRP settings, enable cluster HSRP using the command below.

(config)# cluster standby-group VR_VLAN1 routing-redundancy

I would like to add another note on HSRP which I learned through this project. If you have an ACL applied to a VLAN or any interface on which you are implementing HSRP, make sure you add the following line to your ACL. This allows the HSRP multicast packets between the participating interfaces.

permit udp any eq 1985 host 224.0.0.2 eq 1985

 

All in all it was a good project. Learned a lot, and it is always good to brush up on switch solutions and implementations. Cisco is not just routers and ISRs :) .

1 Comment


Configure an Access Server using Cisco 2500 router

I am starting to set up my lab now. First things first, I want to connect all of my Cisco gear through an Access Server. It is pretty easy to do.

I am using a Cisco 2510 router with IOS 12.2 and an octal cable (8 serial ports).

First of all you need to configure a loopback interface as your internal IP address.

interface lo 0
ip address 10.0.0.1 255.255.255.0


Next is setting up the console and vty connections on the router:

line con 0
line 1 9
session-timeout 20
no exec
exec-timeout 10
transport input all


After you set the lines you can start adding hosts into your configuration.

ip host Router1 2001 10.0.0.1

In the ip host command, port number 2001 maps to cable number 1; the reverse telnet ports start at 2000.

 

Now you are ready to proceed. Save the config, and from the Access Server console you can access any of the mapped hosts.

Just use the host name you gave in the ip host command (e.g. Router1). To move between sessions, press Ctrl+Shift+6, release, then press x.

No Comments


My new consulting firm and new lab.

The past few months have been really busy. As you may already know, I started my own consulting company, NCX Consulting (www.ncx.com.au). It is a lot of work to own and run your own business from the ground up.

The really good news out of all of this is that I was finally able to spend some hard-earned cash on building my own lab. So from now on I am going to put lots of lab projects on here, which I have been doing in my free time as well as in my consulting work.

I am doing lots of lab work for my CCNP studies, so I hope these labs will help anyone out there who is doing the CCNP or would like to know how to do crazy routing protocol stuff.

Stay tuned. :)

No Comments


Netbook is the new best thing in IT

I bought myself a Lenovo S10 netbook the other day and I am loving it. It is perfect for my busy IT life (even though these days it has been a bit quiet with changing my role and all).

Anyway, it is the best tool to blog from… start the movement, get yourself a new netbook and join the frontier.

No Comments


Cloud Computing

Cloud computing is not new tech at all, but my thinking is about a new way of doing it. Can you call a VPN link between the client sites and the ASP datacenter network cloud computing?
I am open to ideas on how to do this with minimal investment and change. It would also be a plus to make it user friendly while making it less complicated to implement.

No Comments


iPhone OS 3.0

Just stumbled across this article on the iPhone OS 3.0 Beta hands-on. The update looks promising; especially, the cut and paste function is there, man, that is a big step for Apple. Also looks like it has MMS; even though I never found it to be a big issue, it is good to have I guess. Besides those main features nothing much has changed. Searching has improved as well, but it's not like you are going to get lost in your phone looking for stuff lol.

The email search function might come in handy though. Let's see, when the final version comes out, what will actually be included in the update.

-Lal Antony

1 Comment


Windows 7 is great

I have been using Windows 7 for the past 3 months and loving it. I feel like it is the OS that should have come instead of Vista; basically Microsoft jumped the gun with Vista.
I should also note that during the time I have been using Windows 7 I have not had any major crashes. Wish I could have said that about the Vista trial I did a while back.
But I must say not a lot has changed from Vista in Windows 7 besides some GUI upgrades, which do add much-needed user friendliness to the OS though.
I will be posting a full review down the track. Stay tuned….

No Comments


Air Show Melbourne 2009

It is great here; the 2009 Air Show is better and much more popular than 2007. I will be putting some crazy pics up on here soon. Keep tuned.

The F18 and C17 were the best out of all that were in the show. The sound, and being able to get so close to a plane, is awesome.

The funniest part was people taking cover under planes when it was raining; you have to see the pics lol.

http://www.airshow.net.au/avalon2009/index.html

– Lal Antony

No Comments


New tool from WordPress

New tool from WordPress for bloggers: http://iphone.wordpress.org/

Now it is as easy as ABC to blog from the iPhone itself. No more third-party tools. :)

Gears of War 2 Xbox gaming night tonight, looking forward to kicking some asses.

No Comments


Working on a product website

It’s Saturday and I’m working on a website for the company. FITPro is our new product, which will launch us into the small-to-medium business IT facilitator role in no time. It is an IT admin platform which can do everything an admin wants to do in a remote and mainly automated manner. Anyway, let’s see how things turn out.

Please check it out in a while. I think the website will be up soon: Http://fitpro.fit.biz/

– Post From My iPhone

No Comments


My first blog post from my iphone

Hi All,

I’m on LinkedIn now. So please come and say hi and join my network.

It has been so busy again, and blogging has again dropped to the bottom of my list of things to do. But now I just got this iPhone app so I can keep up with it more.

Look for many blog posts soon all. Have a good weekend.

– Post From My iPhone

No Comments


Second try from my iphone

Hi all,
To speed things up I am now using my iPhone to blog. Let’s see how that will make things fit into my schedule.

– Post From My iPhone

No Comments


It’s a lovely sunny Monday in Melbourne

Back in the office from a client, Flemington race grounds. My first time there, so it was nice to go around the race course in my car :)

This week is the start back in Melbourne after my 6-month Gold Coast chapter. Did some exciting projects in GC:

  • Disaster Recovery project using the EMC CLARiiON 20c platform.
  • Citrix farm upgrade from 4.0 to 4.5
  • Server consolidation project using virtualization (VI 3)
  • VPN backup link using a Cisco 877
  • Microsoft license renewal

It has been a busy few months. But glad to be back in Melbourne, where all the action is bound to happen in 2009.

 

I am getting into this blogging thing. Will be adding actual technical stuff soon.

No Comments


First Blog Day

Almost 5 o’clock on a Friday… Beer time now :)

Been a busy week. I will try to put up an update over the weekend about my first week back in Melbourne after 6 months on the Gold Coast.

No Comments


Hello world!

Welcome to my personal blog on IT & T in Australia!

This blog covers:

  • Technologies in IT & T
  • Latest in Virtualization Tech
  • Latest in Cisco Tech and CCNP
  • My daily project work as an IT Consultant
  • Latest in Project Management
  • Insight in to IT in Australia: News, Views and Thinking…

No Comments

