Cisco Switching/Routing :: Implement ASA 5510 / 5505 For Existing IP Block
Jun 5, 2012
some recommendations for product selection and overall infrastructure setup for our datacenter: We have an old, legacy setup, and are looking to replace equipment, improve performance, enhance security, and implement hardware redundancy (if cost effective).
1) We now have (2) IP blocks from our provider, and need to support both (because we have mailers on older IPs with a good reputation rating).
2) We have (2) aged Sonicwalls, one for each IP block; each connects to multiple internal subnets (some internal subnets need connectivity to each other, some don't).
3) We have (mostly) public facing web servers (Linux/Apache), as well as database servers (with no external access).
Questions-
1) Should we implement a Cisco ASA 5520 w/ or w/o SSM modules for the new IP block (for webservers)?
1a) Should we implement a Cisco ASA 5510 or 5505 for the existing IP block (for mailers)?
1b) Or, can we have multiple public IP blocks connected to a single ASA 5520 (or 2 ASA's w/ failover)?
2) Can we connect both firewalls (5520 and 5510/5505) to a single Catalyst 3550 (or similar) using VLANs, and have 6 - 10 VLANs for webserver subnets, with ACLs controlling which subnets/servers can connect to each other?
2a) Should we implement a second Catalyst 3550 (or similar) for redundancy (webservers have multiple network cards).
3) From our provider, we only have (1) demarc which both IP blocks connect through. Currently we have a switch connected to the demarc in order to 'splice' the connection, and have both existing firewalls connected. Is there a better approach to this?
4) We would like to implement SSL-VPN, and possibly site-to-site IPsec VPN, but only if there will not be significant performance degradation.
5) Other thoughts/recommendations for new features, enhanced security, or redundancy?
Nov 29, 2012
I've configured an ASA 5510 FW with the asa901-k8 IOS. On its "inside" port there is the 10.90.0.0 network. There is another network (10.190.0.0) in my system that can be reached via another router which has the 10.90.0.253 IP address. When a client in the 10.90 network wants to reach the 10.190 network, the FW redirects the request to the router (10.90.0.253) because the FW is my gateway. There is no problem so far... but... while I can ping and traceroute a 10.190... user from the 10.90... network, I can't use any non-ICMP applications. For example, I can't use RDP programs or the HTTP web interfaces of some devices on the remote network (10.190.0.0). What can cause that? Is there any rule in the ASA that blocks these protocols?
Feb 3, 2013
I am trying to implement an EtherChannel on a Cisco 2901 (IOS 15.1). I have already created the port-channel, but I cannot assign the gig interface to the channel group.
Nov 22, 2011
I have a 3560-48 switch running Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE3, and I need to implement basic QoS commands on the Fast Ethernet interfaces as well as the gig interfaces. Also, I need to create port channels on the switch and need to know what the port channel syntax is for that particular IOS version.
I have only read-only access and I can't see what the QoS and port channel syntax should be for that IOS version.
Oct 29, 2012
I'm trying to implement the UDLD protocol (Cisco-compatible), but face some problems. There is not enough information for implementing this protocol, neither in RFC 5171 [URL] nor on [URL]. How can I get more detailed information regarding the protocol state machines and timers?
Oct 12, 2011
I have attempted to implement DHCP snooping and have been having some strange issues. I have 5 3560s that I use for my edge, and when I attempt to implement it on all five, the VLAN that houses my voice data appears to no longer be able to receive DHCP lease renewals, so after the 24 expiration all of my phones lose their configs. Once I roll back the changes, the voice VLAN comes back. The other VLANs seem to function correctly, as they are able to renew their DHCP addresses.
The 3560s tie into each other using Gig ports 1 & 2, and the top and bottom switches tie into our core switch, a 4507. The config that I use is below, fairly simple and straightforward.
4 of the 5 switches feed our general office vlans for voice and data however the 5th switch is there for expansion and not in use. As such I have left the config changes in place on it and have tied myself and a colleague into it and have been operating fine for over a week now. So the config that I use seems sound in theory and should work on the other 4 switches with no issue.
Feb 26, 2013
I'm in the process of upgrading my 4507R core to a new 4507R-E. The old switch has Sup IV engines (WS-X4515) running IOS 12.2(40)SG and the new switch has Sup 6L-E engines running 15.1(2)SG. I'm trying to "move" my configuration from the old switch to the new. Below shows the commands configured in the old switch. I'm trying to determine how to implement the same configuration on the new switch since these commands are no longer available.
May 1, 2013
Our environment includes 3560 switches and 2800 routers. We have a few remote offices using an application on TCP port 1677 that uses far too much bandwidth. Our WAN provider can throttle and police this for us if I can tag this traffic; for example, all traffic from Florida using the GroupWise app uses TCP port 1677, and I want it tagged with CoS 3.
Nov 14, 2011
I have a 2960 that I need to limit the uplink port to 50Mbps for 3 vlans and 350Mbps for another vlan. Would the following config achieve that or is this even possible for the 2960?
class-map match-any VLAN50-51-52
match vlan 50-52
class-map match-any VLAN53
[Code].....
Aug 14, 2012
I have a VLAN that is used for IP cameras. This VLAN is routed with other VLANs on our Cat 4506-E. How can I implement the multicast feature to improve performance?
Aug 27, 2012
We are in the process of implementing a secondary ISP on our ASA firewall, and we would like to run both ISPs in parallel so we can test until we finally cut over.
Jan 2, 2012
I need to implement the shaping VLAN only on the trunk link between the 6500 and 3560. [code]
Oct 21, 2012
My client is asking whether the Cisco ASA 5505 can implement MAC ACLs while running in router mode. I have tried to search the documentation and also tried the ASDM on the Cisco ASA 5505, but could not see any way to do the ACL by MAC address. At the same time, how can I find out, using the command line, whether the ASA 5505 is able to run MAC ACLs in router mode?
Mar 3, 2013
I need your input on how to appropriately introduce an N5K with jumbo frames enabled to a pre-existing core network (stack of Cisco 3750G switches) without making any major alteration to the core configs (everything is happy). The idea is to move two high-I/O servers to the N5K during a transitional phase. I already have a fair understanding of what jumbo frames are and what they do. Keep jumbo frames within the N5K ONLY.
Conditions:
- Traffic is Data traffic, not storage/iSCSI
- The servers host our ERP applications and MySQL that is accessed heavily by users
- N5K to C3750G connectivity is a Port-Channel consisting of 4x1GB ports
- The servers are to remain on VLAN 2 (Data VLAN)
- The Core Switch is L3 and the boundaries reside here
Dec 4, 2012
I have configured a site-to-site VPN tunnel using my Cisco ISR 891 router. The tunnel connects my network 10.88.10.0 to the remote network 10.210.65.0. When I ping the remote network, my VPN tunnel comes up and all is well.
I have recently connected a second network to my 10.88.... network. The new local network is 192.168.0.0. I have now managed to get the two local networks pinging each other. I can also carry out RDP sessions between systems on both networks. Hence I am happy that both networks are communicating.
I used the FastEthernet port 8 on my ISR 891 to physically connect to the new 192.168 network and then entered the appropriate 'static routes' on the existing 192.168 router (Netgear router). Hence certain traffic arriving at the Netgear will now be forwarded to port FE8 on the Cisco ISR 891. See the FE8 port config at the bottom of this post. I have used tracert to ensure that the traffic does arrive at port FE8 (192.168.0.235).
I cannot seem to ping any device on the remote 10.210.65.0 network from the 192.168 network. However, as stated above, I can successfully ping the same remote device from the local 10.88 network. I must be missing something that allows the 192.168 traffic to use the existing VPN tunnel. I have added the following command to the IPsec rules for the VPN tunnel using the Cisco Configuration Professional tool.
Permit 192.168.0.0/0.0.0.255 10.210.0.0/0.0.255.255 ip
Mar 5, 2012
I have several cabinets with top-of-rack N2Ks attached to N5Ks via FEXs: 9 cabinets with 2 switches each.
Recently I added 3 more cabinets to the mix, for a total of 12 cabinets with 2 switches each.
I can get into the new switches and see the FEXs and configure ports, etc., but no device I attach to the 'new' N2Ks is pingable over the network. I can take the same device, same cable, and attach it to a legacy N2K talking to the same N5Ks, and it immediately joins and is pingable over the network.
Aug 2, 2012
I've a situation where I need to add a new 3750X to an existing stack of 3750s. [code] When I tried to stack them together, I got a version mismatch error. Is this because of the difference in SW image? What are my options next? My ultimate goal is to make the new switch stack correctly with the existing switches.
Jan 10, 2013
We've recently inherited a platform with little handover and also minimal networking experience. We're going 100 miles an hour in learning, but I'm a bit confused with the idea of an L2 switch with no IP assignments to ports, so using VLANs, and an L3 switch with IP assignments, and the combination of both. We have 2 Cisco 3750 switches, along with a whole host of other hardware, so we're starting at this "gateway" to start breaking things down.
Aug 8, 2012
When you use the command switchport trunk allowed vlan add [vlan-id], there should be no drop in service to the existing VLANs, correct? I am trunking from a 7K to a 2960S via a 2G port-channel.
Oct 1, 2012
I need to add two additional 2960S switches to my stack. I saw a diagram that showed how a 4-switch stack can be connected, but I couldn't find much detail on adding a switch to an existing stack (besides master election). The output below shows how the existing stack is connected and its state:
SW#sh switch detail
Switch/Stack Mac Address : 0011.2222.3333
H/W Current
[Code].....
I will need to break one of the stack rings between SW1 and SW2 in order to connect the new switches. Does it really matter which ring I break to connect the additional switches? Does one ring act as primary? If so, I'd rather not break that ring so this process is transparent as possible. Also, is there any benefit to disabling the stack port vs just disconnecting the cable?
Sep 29, 2012
I am a soon-to-be network admin and have never added a network to an existing network. What steps do you need to add a new location to a company's network? For example, if they are using 8 buildings with 7600 routers and 6500s and you need another building, and they are using MPLS, or a private network, or the Internet.
Sep 22, 2012
I have 3 3750 stacking switches with the following configuration:
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
1 Member 442b.0350.9400 1 1 Ready
2 Member 442b.0357.8780 2 1 Ready
3 Master 442b.036f.a800 3 1 Ready
The new switch is installed to be wired to the master switch, switch 3 (* 3 Master Ready 442b.036f.a800). My question is: if I disconnect the wiring from the stack master to connect the new switch, is it possible that the new switch changes the current stacking configuration?
- Can I just add the new switch with a clean configuration without changing the current configuration?
- How is the stack number assigned? I need the new switch to be Gi4/x. Can I assign it manually?
- If I want the new 3750 member with a lower priority, can I change the priority before adding it to the stack?
Jan 7, 2013
We have a requirement to build a datacenter within a datacenter for a new project. The existing core network is 2 x Cisco 6509 in VSS configuration. We would like to connect the new datacenter to the existing core switch from the new low-end core switch. This datacenter would have a SAN network and blade chassis.
Listing the Cisco switch requirements and expansion module requirements:
- What expansion module is required at the existing 6509? Can we have one 10 Gigabit module on each switch and create a port-channel connection from the new datacenter core switch?
- Which model of switch do you recommend for the new datacenter core, which is only going to have one SAN enclosure and two blade chassis? Will it be a good option to use a 3750E? If yes, do we need any additional modules there?
- Which aggregation switch should we use for the blade enclosure?
- Should we have a Cisco embedded switch module on the chassis to create a trunk with the aggregation switch?
- How does the SAN director switch connect to the LAN? Should we have any particular module at the new core switch?
Mar 25, 2012
In our network we were using three 3750-48-S switches in a stack; one of the switches failed due to a hardware/power problem.
Now I want to add a new 3750-48-S switch to the existing two-switch stack. The old two switches' IOS version is 12.2(25r)SEC; the new Catalyst 3750's IOS version is 12.2(35)SE5.
How do I add this switch to the existing two-switch stack? Documentation would be welcome.
Mar 30, 2013
I am not able to add a new 3750G switch into the existing domain, even though the domain name is correct, and it is unable to authenticate with TACACS.
Mar 23, 2012
Is it possible to rename an existing VDC on a Nexus 7000 without deleting it and creating it again with the new name?
Nov 23, 2011
I am looking to add a new 3750 switch to the existing stack shown below:
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3750-24P 12.2(35)SE5 C3750-IPBASE-M
2 26 WS-C3750-24P 12.2(35)SE5 C3750-IPBASE-M
3 26 WS-C3750-24P 12.2(35)SE5 C3750-IPBASE-M
[code]....
I have looked at notes on adding a switch to an existing stack and haven't identified answers on how the IOS will be affected on the new switch: will it downgrade to the current stack version, or will the current stack upgrade to its version? At this moment in time I would prefer it if the new switch's IOS downgraded to the current stack IOS version. The new switch is a 3750V2; will this affect how it joins the stack? The new switch has the IPBASEK9-M image; again, will this affect how it joins the stack?
Feb 27, 2013
I have to add a 2960S PoE switch to an existing stack of two 2960S PoE switches. If the new switch has no configuration on it, and the existing stack is broken by pulling the stack cables, and then new cables are added and everything is re-cabled correctly, will the new switch assume the configuration from the stack without any issues?
Mar 1, 2011
I have a pair of Catalyst 3560 GB switches that are trunked with two of the standard ports, and that have trunk ports connecting to a failover pair of PIX 515e's. We're considering adding a pair of cluster database nodes and an iSCSI SAN, both of which would need a dedicated interconnect VLAN that I'd like to employ Jumbo frames on. I don't necessarily need the VLANs to traverse the firewall trunks since they're private interconnects, but I need each host to traverse the switch trunks.
Since it seems I can only enable jumbo frames on the entire switch (the current standard frame size is 1500 and jumbo is also 1500), when I enable it, what kind of possible negative impact could this have on my trunked ports as well as my host connections? I've read mixed reviews from users with iSCSI SAN devices seeing terrible performance when enabling jumbo frames, so I'm apprehensive about enabling them on an existing network.
Dec 6, 2012
I am having an issue with adding a C3750X switch to an existing switch stack. Currently there are 2 x WS-C3750X-48P and I am trying to add another WS-C3750X-48P to this stack. I have cabled the switch to the stack using the stack cables and added the command to provision the switch on the existing stack. However, when I turn the switch on, it just goes on its own stack.
I noticed the new switch had a later version of IOS, so I have downgraded this to the same version as the other switches, but still no joy. Here is the sh ver from the existing stack:
uptime is 4 weeks, 4 days, 23 hours, 30 minutes
System image file is "flash:/c3750e-universalk9-mz.122-53.SE2/c3750e-universalk9-mz.122-53.SE2.bin"
License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase
cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1448Z0FJ
Last reset from power-on
21 Virtual Ethernet interfaces
1 FastEthernet interface
156 Gigabit Ethernet interfaces
6 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[code]....
Oct 16, 2012
I am attempting to add a Catalyst 3750 12-port Gigabit switch to an existing stack of 3750 48-port switches (non-X fabric). I am not sure how to proceed. These are the two questions/thoughts I have. Is there any additional perspective I should have before proceeding?
What kind of configuration should I apply to the Gig switch before adding it to the stack? I am sure I will need to assign a priority to the new switch; ideally, it will act as master.
Mar 7, 2013
On the first floor, I have two stacks of switches, and each stack has got 4 switches. They are all working fine. Now the client would like to add one more stack on the 2nd floor. But the second-floor switches are different when compared to the 1st-floor switches.
Can you have different IOS versions among different stacks? I know that within a stack all the switches should have the same IOS version. But for two stacks to communicate, do we need the same IOS, or can they be on different IOS versions?
1st-floor switches have version 15.0 and the 2nd-floor new switches have 12.2.58. Is this OK?
1st-floor switches are 3500 series (Note: we are using only one VLAN, VLAN 20, on both stacks, and we would like to add the same VLAN 20 to the new stack).
2nd-floor switches are 2 Catalyst 2960 switches.
Note: on the second floor, one switch is a 24-port switch and the other one is a 48-port switch. So can I stack them?
We have already done cabling from the 1st floor to the second floor. So no problem with that at all.
Apr 2, 2009
I have 1841, 2800 and 3800 routers and need to do an IOS upgrade to all of them. The existing routers do not have enough flash to hold 2 IOS images. If the router has the 12.4.13r ROM IOS, will I be able to boot the ISR router via a Cisco-brand USB? That means, in case something goes wrong while I am uploading the new IOS to the router via the WAN, the router ends up in ROMMON mode. If a local site person has a Cisco USB with an IOS on it, can he just stick it in the router and reboot it, and the router will go out of ROMMON and into normal mode? After it is working, I can then put the running IOS onto the existing CF card, so now I can remove the USB, the CF card has a good IOS, and I reboot the router again. I am just trying to find a safe way to upgrade the site when they don't have big enough flash to hold 2 IOS images at the same time. The local person is not technical, so asking him to set up a TFTP server and put the IOS on the computer so I can do tftpdnld while in ROMMON mode to grab the IOS from his TFTP will be difficult for the local person to set up.
If the ISR can boot off the IOS on USB only, then I assume the requirement is that the ROM IOS needs to be 12.4.13r. Then what is a safe way to upgrade the ROM IOS to this? I have never upgraded the ROM IOS before, so I don't know what kind of problem I may run into, and whether it's higher risk to upgrade this than upgrading the regular IOS. If it is, then all my routers won't have this ROM IOS version, so that means I can't use USB to boot? Will that mean I am down to the TFTP server option? (I heard xmodem won't work, as it will time out before the IOS can load via the slow dial-up link into the router to rescue it from ROMMON mode.)