LITTLEBLACKDOG.COM
Skookum
Butt Sniffer
Joined: 26 Oct 2001 Posts: 1541
Location: I dunno, I lost my Mommy
Posted: Fri Jul 27, 2007 3:24 pm
Post subject: Network Thoughts Affirmation
I need some advice on a network configuration that I am stuck dealing with.
Right now I have a very strange network configuration at work.
The flow goes like this:
T1 -> Adtran
Adtran -> Cisco 2900
Cisco 2900 -> PIX
PIX -> Cisco 2900
Cisco 2900 -> Compression Server
Compression Server -> Cisco 2900
Cisco 2900 -> Rest of Network
In my mind, just to get to the internet, that is 5 switch hops. Am I correct in this?
We currently have no flow to our network.
I believe it should look like:
T1 -> Adtran
Adtran -> PIX
PIX -> Compression Server
Compression Server -> Cisco 2900
That would cut down on the switch hops.
I have sent this info to the Senior Net Admin but haven't received a response yet.
Sorry for asking about this, but we recently had a big server crash, and I have been doubting some of my knowledge ever since. So I am just looking for affirmation.
Also, this would be a big security hole, as the only security we rely on is VTP.
_________________ "Paranoia is no longer a mental illness it is a way of life" - Me
fear_nothing
Moderator
Joined: 07 Nov 2001 Posts: 2766
Location: The end of the internet
Posted: Fri Jul 27, 2007 6:50 pm
Post subject: Re: Network Thoughts Affirmation
Skookum wrote:
I need some advice on a network configuration that I am stuck dealing with.
Right now I have a very strange network configuration at work.
The flow goes like this:
T1 -> Adtran
Adtran -> Cisco 2900
Cisco 2900 -> PIX
PIX -> Cisco 2900
Cisco 2900 -> Compression Server
Compression Server -> Cisco 2900
Cisco 2900 -> Rest of Network
In my mind, just to get to the internet, that is 5 switch hops. Am I correct in this?
We currently have no flow to our network.
I believe it should look like:
T1 -> Adtran
Adtran -> PIX
PIX -> Compression Server
Compression Server -> Cisco 2900
That would cut down on the switch hops.
I have sent this info to the Senior Net Admin but haven't received a response yet.
Sorry for asking about this, but we recently had a big server crash, and I have been doubting some of my knowledge ever since. So I am just looking for affirmation.
Also, this would be a big security hole, as the only security we rely on is VTP.

Putting a switch or router outside the firewall is commonplace. They are often used to break out the network segment for many reasons:
- Troubleshooting
- Proving the firewall isn't causing issues
- Providing a means to allow for inline tapping [IPS/IDS etc.]
What's the compression server you speak of? Aside from the obvious name, what is its function? QoS? Proxy?
Cisco makes great network gear and that's that; their firewalls are great for static, smaller-type deployments. I'm a Checkpoint bigot, so personally I'd suggest ripping out the PIX just because it's a PIX.
Name dropping aside, they aren't as robust and are a pain in the ass to manage, especially if you have a whole slew of them.
Have the IOSs on both the edge router/switches been updated lately? Cisco has had several published vulnerabilities over the past 6-8 months. I believe both our PIX and 2900 are affected.
Aside from that, what are you really trying to accomplish? Is the network slow? i.e. stuff not working? If I'm the Sr. tech, I'm going to ask those kinds of questions when you come to me indicating you want to remove network devices just to improve the hop count. And you'd better have some kind of proof. And yes, I'm that BOFH.
_________________ -Fear
Remember when it comes to Information Security only the paranoid will survive….
Slashdot poster: I don't use commercial applications. I don't use programs for my security tests. I do the tests myself everyday.
Slashdot reply: You don't use programs? What, you put the cat-5 in your mouth and try to *taste* the intruders?
An infinite number of monkeys pounding away on keyboards will eventually produce a report showing that Windows is more secure and has a lower TCO, than linux.
Skookum
Butt Sniffer
Joined: 26 Oct 2001 Posts: 1541
Location: I dunno, I lost my Mommy
Posted: Fri Jul 27, 2007 8:38 pm
I do not believe that I had explained myself properly.
fear_nothing wrote:
Putting a switch or router outside the firewall is commonplace. They are often used to break out the network segment for many reasons.

I do believe in this too; I normally do a firewall, router, firewall, but that's just me.
What I am stating, and something that I have never seen done before anywhere, is that our Adtran plugs directly into a switch before it goes to the PIX.
Now this is not a stand-alone switch specifically used for segmenting; this is an ACTIVE internal network switch. All someone would have to do is use a DTP master request to bypass the VLAN to connect directly to the network without even going through the PIX.
This switch has users directly connected to it; this is kind of the hub of our network, everything spawns off of this one switch.
The compression server is a SteelHead server, and past that I have no clue because I haven't had time to play with it. I believe it is used for some type of VPN connection compression, as we have our off-site locations run production applications over the WAN on our network.
As for the updates, I would assume they haven't been updated in a little over a year, as no one has the passwords to these to log in. I still need to go through and finish resetting the passwords so that I can figure out the configurations.
I have been wary of doing this, as the last time I did a switch password reset on this network, the VMware servers lost communication, and because of this they kicked on HA. No biggy, except for the fact that once HA was enabled, 12 hours later it powered down ALL our servers, without notification, unless you checked the error logs.
So I have been a little reluctant because I don't know what other bad things may happen.
fear_nothing wrote:
Aside from that, what are you really trying to accomplish? Is the network slow? i.e. stuff not working? If I'm the Sr. tech, I'm going to ask those kinds of questions when you come to me indicating you want to remove network devices just to improve the hop count. And you'd better have some kind of proof. And yes, I'm that BOFH.

Right now I am working to clean up the network, as they have some atrocious practices, some of which are not known to most of the IT staff.
Basically I have a couple of goals in mind.
1. Increase network security by not having the internet directly plugged into an internal network switch.
2. Create a flow to the network, decreasing switch hops. My guesstimate would put an increase in network productivity between sites at around 10%.
3. Remove the 2900 as the main hub of the network, and put the 3560 in its place. Reasons for this are to decrease switch hops between the servers and the internet, and also to create a gigabit backbone for the network. I am figuring on about another 10% network productivity increase.
As for removing devices, I have no desire to remove devices. I actually would like to add a router to the mix, since we have one sitting in the rack that isn't even connected.
I just want to eliminate the switch hops that are adding latency to our WAN and internet traffic needlessly. To create a flow of traffic rather than a car crash.
After that has been up and running for a while, then I would like to swap places with our 2900 and 3560 so that we can have a gigabit backbone in place.
And eventually, if everything goes well, then I would like to create a DMZ and move our websites into that, rather than hosting our websites on our internal network.
I understand your concerns, and I would state the same things. If it works, don't fix it. I can't really give any reasons to go against that statement. If it works, just don't touch it.
But I believe that there is a limit to that. There are some things that work that should be touched.....with a spiked baseball bat. This isn't really one of those things, but it is close, at least in my mind.
I still haven't heard anything back from the Sr. Net Admin on my suggestions, or even on the inconsistencies with the network documentation. But I did have to help them troubleshoot a WAN outage today. No one could figure out what was broken, but one of our WAN links went down. Turned out to be "Bloody Brummies" as the e-mail stated, but troubleshooting anything that leaves our network is a pain just for the fact that no one knows how it is configured, and the fact that it loops back through itself a half dozen times before it goes anywhere.
I feel that this has turned into a giant rant, but that is how most of my posts go, I think.
I am still interested in everyone's thoughts, and if I was incorrect with my assumption, and you understood how the network was set up from the start, then I just need to re-read my job description as the Workstation Analyst and forget networks exist.
_________________ "Paranoia is no longer a mental illness it is a way of life" - Me
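The DTP concern raised above (an untrusted-side port living on the same active switch as internal users, with VTP as the only control) has a standard defender-side answer at the switch level while the topology is being fixed. The following IOS fragment is an added example, not configuration from this thread or either poster; it assumes a Catalyst 3560-class switch, and the interface names, VLAN IDs and password are placeholders.

```cisco
! Added example (not from the thread). Interface names, VLAN IDs and the
! password are placeholders for a 3560-class switch running IOS.
!
! 1. Stop relying on VTP: transparent mode keeps this switch's VLAN
!    database from being rewritten by any VTP advertisement it hears.
vtp mode transparent
vtp password VTP-PASSWORD-PLACEHOLDER
!
! 2. Quarantine the untrusted segment. Only the Adtran-facing port and the
!    PIX outside-interface port belong in VLAN 900; hard access mode and
!    'nonegotiate' mean neither port will ever answer a DTP trunk request.
interface FastEthernet0/1
 description Adtran (untrusted side, pre-firewall)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description PIX outside interface
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree bpduguard enable
!
! 3. User-facing ports: fixed access mode, DTP off, and BPDU guard so a
!    host cannot negotiate itself into a trunk or inject spanning tree.
interface range FastEthernet0/3 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 4. The one real uplink: explicit trunk, VLAN 900 excluded from the
!    allowed list, and an unused native VLAN so untagged frames go nowhere.
interface GigabitEthernet0/1
 description Uplink to 3560 core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! 5. Unused ports stay shut until someone needs them.
interface range FastEthernet0/21 - 24
 shutdown
```

Afterwards, `show interfaces trunk` should list only the uplink, and `show vtp status` should report transparent mode; anything else means a port is still open to negotiation.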
fear_nothing
Moderator
Joined: 07 Nov 2001 Posts: 2766
Location: The end of the internet
Posted: Sat Jul 28, 2007 10:06 am
Sounds like you have it figured out then.....
You stole my suggestion regarding the DMZ.
I would suggest something like this. The level of creativity depends on available ports on your PIX.
_________________ -Fear
Remember when it comes to Information Security only the paranoid will survive….
Slashdot poster: I don't use commercial applications. I don't use programs for my security tests. I do the tests myself everyday.
Slashdot reply: You don't use programs? What, you put the cat-5 in your mouth and try to *taste* the intruders?
An infinite number of monkeys pounding away on keyboards will eventually produce a report showing that Windows is more secure and has a lower TCO, than linux.