One of the many things that my customer ask why we donot go for layer 3 switch instead of router when ethernet is our only requirement. Cisco 1 port FE card still have GPL of 950 USD. While L3 switches comes with 24/48 port and this is really cheaper when customer require many Ethernet interfaces.
Well although in some cases the customer may opt the option but i still don't encourage them as one obvious answer is router is still intended for routing while L3 switch is still have switching hardware and intended for LAN . It cannot support many necessary features like IPSEC VPN, GRE tunnel and even NAT that are necessary for WAN edge
Well i still remember from my previous job experience that one of my colleague purchase 3560 for site to site vpn with router, only to figure out that IPsec is not supported on it.
To summarize L3 switches were introduced by keeping mind to perform efficient intervlan routing and are best within campus. Routers are destined for edge and will still be used at WAN edges.
Friday, December 25, 2009
Subinterface, SVI and Catalyst Catch!!!
Well there are many who do not know this
You cannot make subinterfaces on Cisco switches. No matter its 2960,3560 or 3750. No matter its LANLITE or LAN base. No matter its standard image or enhanced image. Subinterfaces are simply not supported.
So what the alternative solution? You get it. Use SVI instead. You can do almost every thing that you can do with physical interface
Int vlan 10
ip address x.x.x.x x.x.x.x
Access-group 101
IP ospf cost 10
You cannot make subinterfaces on Cisco switches. No matter its 2960,3560 or 3750. No matter its LANLITE or LAN base. No matter its standard image or enhanced image. Subinterfaces are simply not supported.
So what the alternative solution? You get it. Use SVI instead. You can do almost every thing that you can do with physical interface
Int vlan 10
ip address x.x.x.x x.x.x.x
Access-group 101
IP ospf cost 10
Monday, November 9, 2009
SSL VPN Configuration...Good Resources!!!
On group study i found good links for SSL VPN config. I find it useful to document it for future reference!!!
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml
http://www.cisco.com/E-Learning/bulk/public/celc/Cisco_QLM13_ASA_beta/course_skin.html
http://www.tech21century.com/how-to-configure-anyconnect-ssl-vpn-on-cisco-asa-5500/
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml
http://www.cisco.com/E-Learning/bulk/public/celc/Cisco_QLM13_ASA_beta/course_skin.html
http://www.tech21century.com/how-to-configure-anyconnect-ssl-vpn-on-cisco-asa-5500/
Saturday, October 24, 2009
BGP Support on ASA
Lesson of the Day: BGP is not supported on ASA
Juniper SSG using ScreenOS are featured rich but it can also become internet facing device even if you need dual homing, as it supports BGP
Beside other feaures Cisco ASA with Linux kernell left behinf in routing protocol support. Till now BGP is still unsupported on ASA platform.
SSG support RIPv1/2, OSPF, BGP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP, HDLC and ASA only RIPv1/2, OSPF.
Juniper SSG using ScreenOS are featured rich but it can also become internet facing device even if you need dual homing, as it supports BGP
Beside other feaures Cisco ASA with Linux kernell left behinf in routing protocol support. Till now BGP is still unsupported on ASA platform.
SSG support RIPv1/2, OSPF, BGP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP, HDLC and ASA only RIPv1/2, OSPF.
Thursday, October 22, 2009
Repartition Cisco Flash
Repartition Flash
Well I have 2621XM in my hand; I need to enable IPsec VPN on it. Ooops it shows no option for Cypto isamkp. I need to upgrade to Security IOS. Before that I must figure out the version that fits in my little 32MB Flash. After a while I were able to find it, download it. Now TFTP server is ready to finsh the job and make the router ready tor VPN.
Copy tftp flash …………………
Oh I get error Error : Your flash is 16 MB you cannot copy 24 Mb IOS.
I check flash again
Router# show flash
The repartition process involves erasing Flash memory, so as per a document I found on a forum that
1- Reboot the router to run in ROM mode.
2- Change the config-register to 0x2101 and reload, using the following commands
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config) # config-register 0x2101
Router(config) # exit
Router # reload
Below is excerpting what I found on this document that is originally written for 25XX.
This will bring the router up in boot mode and Flash will be idle. You can not change the partition when the router is running under a full IOS from Flash. You will see a different router prompt, but enable passwords and most commands will remain the same.
3- Now Erase the flash using
Router # erase flash
4- Now repartition it to a single 32 MB flash using command,
Router # configure t
Router(config) # partition flash 1 32
Where 1 in above command denotes number of partition
5- Change the config register value again
Router(config) # config-register 0x2102
Router(config) # exit
Router # reload
Before reloading donot forget to copy new ios to the flash, else you should know how play with Xmodem on Saturday night (:
Work done!!! Now it 2:00 AM …Go to sleep now (:
Well I have 2621XM in my hand; I need to enable IPsec VPN on it. Ooops it shows no option for Cypto isamkp. I need to upgrade to Security IOS. Before that I must figure out the version that fits in my little 32MB Flash. After a while I were able to find it, download it. Now TFTP server is ready to finsh the job and make the router ready tor VPN.
Copy tftp flash …………………
Oh I get error Error : Your flash is 16 MB you cannot copy 24 Mb IOS.
I check flash again
Router# show flash
The repartition process involves erasing Flash memory, so as per a document I found on a forum that
1- Reboot the router to run in ROM mode.
2- Change the config-register to 0x2101 and reload, using the following commands
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config) # config-register 0x2101
Router(config) # exit
Router # reload
Below is excerpting what I found on this document that is originally written for 25XX.
This will bring the router up in boot mode and Flash will be idle. You can not change the partition when the router is running under a full IOS from Flash. You will see a different router prompt, but enable passwords and most commands will remain the same.
3- Now Erase the flash using
Router # erase flash
4- Now repartition it to a single 32 MB flash using command,
Router # configure t
Router(config) # partition flash 1 32
Where 1 in above command denotes number of partition
5- Change the config register value again
Router(config) # config-register 0x2102
Router(config) # exit
Router # reload
Before reloading donot forget to copy new ios to the flash, else you should know how play with Xmodem on Saturday night (:
Work done!!! Now it 2:00 AM …Go to sleep now (:
Saturday, August 8, 2009
Back It Up! By Omair Siddiqui
This article is already published and copied from CIO pakistan March 2009 edition This was also republished in network worldhttp://www.networkworld.com/news/2009/030609-back-it.html
Your business is only as redundant as the integrity of the data that you have stored on your servers. For companies that service customers in the cloud, if you can’t offer 99.9999% uptime and absolutely ensure data backup and restoration, you might as well not be in business.
There are a few issues at hand here. Not only must you ensure that the data is accurately and securely backed up whereby every packet and byte is accounted for, but you must also ensure that when the time comes, the data is “clean” enough to be plugged back into the system without a hiccup. It’s the hiccup that companies need to avoid which is why they look for ways to backup their data to begin with, however they aren’t always as proactive as the results they were expecting.
There has to be a process to acquire backups. Recent advancements in network and backup technologies have improved the performance, making it easier to backup data over the network. The traditional process which involves tape drives at branch servers, where an end-of-day-tape backup is usually taken and physically sent to the head office. This, by the way, is not what they were talking about when the term “data in transit” was discussed.
There are obvious problems with physically moving data – the unavailability of qualified technical resources to take properly handle the backups, verification of the backed up data before shipping it to the head office, risk of damaging the tape, data loss or theft during transportation; the list is quite endless. More importantly, because the backup in the current scenario, at least is done on an ad hoc basis, when the IT Administrator tries to sync the data into the data center, they find that it was not a successful backup to begin with. But most of these issues are usually revealed beyond the point of no return - when the restoration or a DR (Disaster Recovery) drill is performed.
By virtue of the technological advancements, there are solutions available which support a wide variety of operating systems and applications which can take optimized backups over WAN links.
The Solution
The solution in this case is actually a paradigm shift making use of modern data protection technologies to cope up with the ever increasing backup data vis a vis bandwidth. It uses fingerprint technology to distinguish unique file segments and maintain a check on all the redundant data in the remote sites. The solution that addresses these requirement includes a storage pool at each remote locations which then replicate the data over the WAN. These agents are thin software deployed in the remote servers. The software makes sure to send only new unique segments of file to a local storage pool, which automatically reduces the size of the transfer. It then becomes the job of the pool to check the uniqueness of the file across all local agents. It only replicates unique file segments to the main storage located in the centralized Data Center. This minimizes WAN bandwidth requirements and allows scalability because of the reduced storage capacity requirements.
A storage pool on the remote site optimizes the data over all the branch’s clients by identifying unique contents and storing the backup data locally. This shortens backup and restore tasks, and enables synchronization with central locations. Instead the files can be backed up over the WAN to a central storage.
The solution is also able to deal with one of the most important aspect of data security over the WAN by encrypting every file segment that it sends to the storage. The data in transit, as discussed earlier, comes to life in this segment of the solution whereby the data is encrypted before it is sent over the WAN to the storage, ensuring that the data is secure during the communication. This architecture eliminates the risk of accidental loss of tapes and unauthorized access of data, both in transit and at rest.
The solution has a very tangible return on investment. It is cost effective because the alternative would be to deploy separate tape drives, media, backup software, and technical support at each distinct site. There are then additional costs involved in the administration of each site and management of the off-site storage of the tape media. Since the solution removes the need for on-site tapes, the customers who have deployed this, have been able to justify their investment in a relatively short span of time.
Bank Islami – A Case Study
Innovative Integration recently deployed the solution at Bank Islami, ensuring that they had scalable, high performance data protection architecture for the bank’s Linux environment. Their environment includes more than 100 HP servers and a centralized pool of Network Appliance Storage. The problem the bank was having was to consolidate the data from its more than 100 branches across the major cities, located all over Pakistan. The institution was relying on a local data protection solution, built on an Open Source backup software. Almost all of the PCs and servers operated by the bank are running a SuSe Linux environment, which extended to the branch network as well.
Bank-Islami Setup at a Glance
“Each Bank Islami branch contains a file server which holds files from the specific branch users,” says Asad Alim, Head of Information Technology at Bank Islami. “At that time, there was no option other than to place a tape drive in each of the branches and use conventional scripts to perform the requisite backup.”
Using the traditional method, it could take up to a day to manage a recovery. As long as the tape was readable, it could always restore successfully providing the tapes were acquired from the remote location, locating the right tape containing the right block of information and then getting down to the restoration before having to send the tape back to the site. “Now none of this hassle is involved,” explains Asad.
Talking about bandwidth constraints Asad Alim commented that “We were concerned about the pressure the backup would put on the network, but despite of the 256Kbps bandwidth connectivity, the performance has proven to be stable”. Changes in data is first compressed at source and then sent across WAN to the central storage where it is decompressed and then stored in a duplicated fashion. It then employs an intelligent algorithm for data transfer. In case a backup fails during the process due to link failure or connectivity loss, the backup will resume from the point it was interrupted.
“The cost savings are a great endorsement but what is most important is that the branch data is now secure. You have to remember that in the past, we could never be 100% certain that we could restore a lost file. Now we are. With PureDisk, we are reducing our reliance on tapes for Disaster Recovery with secure replication of the data we backup,” says Asad Alim.
Please visit www.innovativeintegration.net for more details.
Tuesday, July 28, 2009
Cisco's Fast Ethernet Support
Well Cisco has huge database of its lively documentation. I guess they seriously require some solution for handling it. I have personally see many contradictory information on there site. They do update on one site but forget to synchronize on other locations. Few months back i have face a situation where a customer need 4 Ethernet port on 2801, to my surprise cisco router 1841 and 28XX do not support 2 port FE card and eventually i end up with giving two 1 port FE cards. Similar requirement arise and i again check website to make sure to cover any change happening. I found following link which saysQ. Is the 2-port HWIC supported on the Cisco 1800 and 2800 Series Integrated Services Routers?
A. No, the 2-port HWIC is supported only on the Cisco 3800 Series Integrated Services Routers. The Cisco 1841 can support only a single additional Fast Ethernet interface. The Cisco 2800 Series can support up to two additional interfaces, but this density must be attained using two 1-port HWICs
After making sure i presented my solution and inform the customer about cisco inabilty to support 2 port FE card. I were told that cisco do support 2 port FE card on 2801. As i had already double check so i were sure. I were surprise when i got the link
Now what to do after searching a bit, i found that the cisco latest IOS start supporting it and eliminate the previous limitation. I were again surprised but can't to any thing about it. Cisco keep it up (:. You Rocks !!!
Subscribe to:
Posts (Atom)