Sunday, December 22, 2013

Choosing ASA connectivity with vPC

There always comes a point where a design decision has to be made. When we connect an ASA to a Nexus switch, we have the option of making the connection with a vPC or with a straightforward port-channel.


The above is a free-hand drawing I put up depicting the options we have. I assume AGG1 and AGG2 are in a vPC domain, AGG1 has the higher vPC role priority and is the HSRP active forwarder, and ASA1 is the active firewall with ASA2 in standby state.

The first topology in the drawing shows the ASA connected to the Nexus switches with a vPC. Assuming we have an ASA 5585-X, we assume there are 2x10G links connected to each ASA, one link from each chassis, and the connectivity is established using a vPC. The advantage is that the connection spans both chassis and leverages the vPC: in reality we have a 20G link from the AGG switches to the ASA.

If we lose the AGG1 switch due to some problem, we effectively have only a 10G link connecting the AGG switch and the ASA firewall. Irrespective of which ASA firewall is active, we only have a 10G link.

In the second topology we see ASA1 connected to AGG1 using a port-channel and ASA2 connected to AGG2 using a port-channel. Assuming the same failure condition, if AGG1 fails we can switch over to ASA2 as the active forwarder and still effectively have a 20G link between the ASA and the AGG. The disadvantage is that as long as ASA1 is the active firewall, some traffic will traverse the peer-link.

I always prefer placing the ASA in a vPC with the Nexus switches. I assume the failure rate of a Nexus switch to be negligible and such failures to be very rare. In environments where we must maintain a 20G link between the switch and the firewall under failure, we can go ahead with the port-channel. But when laying out a design I always prefer the vPC connection.
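To make the trade-off above concrete, here is a small failure model of the two attachment options. This is an added example, not code from the original post; it assumes two aggregation switches (AGG1, AGG2) in a vPC domain, two ASA units with 10G links as described, an ASA failover rule that keeps the preferred unit unless it has lost all its uplinks, and the NX-OS vPC behaviour that traffic for a dual-attached device is forwarded over the local vPC member port instead of the peer-link.

```python
"""Failure model for the two ASA-to-Nexus attachment options (constructed example).

Assumptions (not taken from the post): AGG1/AGG2 form a vPC domain, each physical
link is 10G, ASA1 is the preferred active unit, and a vPC-attached device is reached
over the local member port so the peer-link is not traversed for it.
"""
from dataclasses import dataclass

LINK_GBPS = 10          # assumed per-link bandwidth, as in the post
AGGS = ("AGG1", "AGG2") # the two aggregation switches in the vPC domain


@dataclass
class Topology:
    name: str
    # links[asa] -> list of AGG switches that ASA has one physical link to each
    links: dict


# Option 1: each ASA has one link to each AGG, bundled into a vPC.
VPC = Topology("vPC", {"ASA1": ["AGG1", "AGG2"], "ASA2": ["AGG1", "AGG2"]})
# Option 2: each ASA has a 2-link port-channel to a single AGG.
PORT_CHANNEL = Topology("port-channel", {"ASA1": ["AGG1", "AGG1"], "ASA2": ["AGG2", "AGG2"]})


def surviving_links(topo, asa, failed_agg):
    """Physical links of `asa` that remain up after `failed_agg` is lost."""
    return [agg for agg in topo.links[asa] if agg != failed_agg]


def active_asa(topo, failed_agg, preferred="ASA1"):
    """Failover rule: keep the preferred unit unless it has no uplinks left."""
    if surviving_links(topo, preferred, failed_agg):
        return preferred
    for asa in topo.links:
        if surviving_links(topo, asa, failed_agg):
            return asa
    return None


def effective_bandwidth_gbps(topo, failed_agg=None):
    """Bandwidth between the surviving AGG switch(es) and the active firewall."""
    asa = active_asa(topo, failed_agg)
    if asa is None:
        return 0
    return LINK_GBPS * len(surviving_links(topo, asa, failed_agg))


def peer_link_traversal(topo, failed_agg=None):
    """True when some surviving AGG has no local link to the active firewall,
    so traffic arriving there must cross the vPC peer-link to reach it."""
    asa = active_asa(topo, failed_agg)
    if asa is None:
        return False
    surviving_aggs = {agg for agg in AGGS if agg != failed_agg}
    local_aggs = set(surviving_links(topo, asa, failed_agg))
    return bool(surviving_aggs - local_aggs)


def compare(failed_agg=None):
    """Map topology name -> (bandwidth in Gbit/s, peer-link traversed?)."""
    return {
        t.name: (effective_bandwidth_gbps(t, failed_agg), peer_link_traversal(t, failed_agg))
        for t in (VPC, PORT_CHANNEL)
    }


if __name__ == "__main__":
    for failure in (None, "AGG1"):
        label = "no failure" if failure is None else f"{failure} lost"
        for name, (gbps, peer) in compare(failure).items():
            print(f"{label:11} {name:13} {gbps:3}G  peer-link traversed: {peer}")
```

Running it reproduces the post's argument: with everything up the vPC gives 20G without touching the peer-link while the port-channel design crosses it for traffic landing on AGG2; after AGG1 is lost the vPC drops to 10G, whereas the port-channel design keeps 20G once the firewall has failed over to ASA2.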

Saturday, December 14, 2013

ASA - Dynamic Routing in Multiple Context mode

Aye Caramba !! My greatest requirement with the ASA firewall has been implemented !!

Yes, it is enabling dynamic routing protocols when the firewall is in multiple-context mode. It has taken Cisco quite a bit of time, but they have finally done it. Now I can implement virtualised data centers with ease. I no longer have to add static routes on the firewall for every new subnet as the environment grows; it eases my job and lets me have my OSPF area on the firewall. Woohoo.

The official statement snapshot as seen in the release note is shown below.


The actual link with the complete list of features can be found here.


Saturday, July 27, 2013

Why OTV and not Fabricpath for DCI

Cisco has been fast at implementing the near-TRILL standard, calling it Fabricpath, which is an easy and simple way of using all of the available links. It is more of a LAN cloud where all available links are usable and the forwarding of a frame is based on switch-id. IS-IS is the protocol used to calculate the shortest path to the switch to which the destination MAC address is connected.

Now let's remember that to enable Fabricpath you need a license, which is very expensive. If you want to run OTV, again you need a license. Clients often ask me why we don't use Fabricpath for the interconnect as well.

Now let's understand the MAC forwarding topology built by Fabricpath. While it might be very efficient to use within a data center, it is not advisable to use it across data centers. Here's why:


  • If there is any flooding in one data center it is carried to the other data center as well, which is completely undesirable; needless to say, if there are multiple data centers interconnected you have one hell of a problem. OTV has the upper hand as it localizes all of this to a single data center.
  • Both data centers need to run Fabricpath and all VLANs need to be configured, because it becomes one single topology. With OTV we only extend the required VLANs, not all of them.
  • Gateways cannot be local to each data center: there will be a single forwarding HSRP gateway for both data centers, making it inefficient in every way, and the DCI link will be forwarding traffic full time.
  • The ARP optimization that OTV delivers cannot be leveraged when using Fabricpath.
Taking the above important factors into consideration, we definitely can't use Fabricpath as a DCI solution. OTV is the way to go. The use of Fabricpath and OTV, with their differences, advantages and disadvantages, has to be clearly understood before we design the DC.

CCIE DC prep blog 4 - OTV

I love OTV. I have designed multiple data centers with OTV and I simply love the way it works and, most importantly, how simple it is to configure. However, to justify my preparation for the CCIE lab I did go through my favorite documentation on the Cisco site, which can be found here.

I have always implemented the multicast mode of deployment and have never done the unicast mode. I think that is one area I need to practice using the lab setup. Most importantly, it will serve as a POC for my designs and also help me heavily in the CCIE lab preparation. I want to create some labs and do some extensive troubleshooting of the unicast mode. I want to see what update the adjacency server gives to a new client joining OTV as it comes back online. I don't want to get into the details of it here, but nevertheless it will be a good option to try out.

Once I start renting labs for the full-fledged exercises I think I will perform these tests. I am planning to buy the INE workbooks. Unfortunately I don't have the money to buy them right now, so I think I will wait a couple of months, save some money and then purchase them. We can use the INE labs only if we have their workbooks, which makes sense to me. So I think I need to save money for the workbook/racks and then go buy them. Until then it will be preparation using my pod.

I love OTV simply because it maintains the IP boundary of each data center and yet extends L2 to either side. I also love the fact that the L2 issues are localized. The only catch is that OTV is available on the Nexus 7K and it needs a license to function. I have a bit of convincing to do with my clients when I tell them the cost of the license.

Action items to track: practice the unicast mode of operation and create some troubleshooting scenarios for it.

CCIE DC prep blog 3 - UCS

Spent a good deal of time labbing all the LAN and SAN options. They were basic options, good enough to give me a good understanding of UCSM. For the lab, I initialized the FI, made the port assignments, created port-channels and VLANs, performed static pinning, tested some traffic flows and assigned VLANs to certain ports. Most interesting was the implementation of disjoint networks; I was interested in knowing how they are actually used in real-life scenarios. Some useful links for disjoint layer 2 can be found here and here.

On the SAN side I created VSANs and port-channels and performed basic SAN connectivity. I did not go deep on the SAN side yet. I need to work on it further.

I got a fair idea of service profile creation. I explored the various options in the GUI to configure them. However, I have not worked on these topics in detail. I started losing steam on the UCS prep. Whatever I have prepared I learnt well; I will revisit the UCS configuration after a few days.

I will be moving on to some core networking concepts like OTV and Fabricpath, and will revisit UCS again after a few days.

Saturday, July 13, 2013

CCIE DC prep blog 2 - UCS

I have been lucky to work for a Cisco partner, and the PEC is lending a helping hand in many ways. I enjoyed attending the eCamp they have on the PEC for UCS. Also, a friend of mine demonstrated how to initialise the FI and other basics of UCS.

It was interesting to learn the various models of UCS, how the B series and the C series are positioned in the market and where they can be used. Although this information is not required for the CCIE lab exam, my job role of providing solutions will require it.

I will be working with a colleague of mine who is an expert on UCS and has designed multiple V-Blocks. Using the GUI I think I can grasp things quickly, but the vital part will be getting to know how to use UCS for various requirements.

I will be focussing on the following topics for the first half of the week:

  • Implement LAN Connectivity in a Unified Computing Environment
    Configure different Port types
    Implement Ethernet End Host Mode
    Implement VLANs and Port Channels
    Implement Pinning and PIN Groups
    Implement Disjoint Layer 2

Followed by these topics:

  • Implement SAN Connectivity in a Unified Computing Environment
    Implement FC ports for SAN Connectivity
    Implement VSANs
    Implement FC Port Channels
    Implement FC Trunking and SAN pinning

  • Implement Unified Computing Server Resources
    Create and Implement Service Profiles
    Create and Implement Policies
    Create and Implement Server Resource Pools
    Implement Updating and Initial Templates
    Implement Boot From remote storage
    Implement Fabric Failover

If I can get through this information in the next week and get hands-on time with UCS, I think I will be in great shape to get started on my job role for UCS.

Apart from this I think I will be focusing on the Nexus security and OTV parts this week. I know the plan is pretty intense, but this is the only way I can make inroads with the little time I have to prepare.

Tuesday, July 9, 2013

Enter the UCS world - CCIE DC

After 7 years, it is now time to enter the compute part of the data center. It brings back good old memories of aspiring to be an MCSE and striving to become one. Life took a full turn and led me to the network world. It is now inevitable in the data center world for the compute and network worlds to fuse; if I still have it in me I can probably consider putting effort into VMware and Windows 2008 Server stuff. But at the moment I will stick to UCS :-)

The focus of today's study will be knowing the currently available products, the hardware architecture and initializing the UCS.

A couple of links from Cisco for anyone starting up on UCS should include this and this. With Cisco providing the UCS emulator, this will be helpful too.

The documentation roadmap from Cisco can be found here.

This is a monster site for UCS, and his YouTube channel can be found here.

Friday, June 21, 2013

CCIE DC prep blog 1 - Storage

I have started with storage preparation as this is one of the areas where I was not sure whether I was strong or not. Progress was terribly slow at first, but I have progressed well.

From the blueprint I have completed learning and practicing the following topics:

  • Implement Fiber Channel Protocols Features
  • Implement Port Channel, ISL and Trunking
  • Implement VSANs
  • Implement Basic and Enhanced Zoning
  • Implement FC Domain Parameters
  • Implement basic FC in NXOS environment
  • Implement Fiber channel over Ethernet (FCoE)
    (I have not implemented this practically but I did study and practice this in detail)
  • Implement NPV and NPIV features
    (I had to reiterate the concepts as I have practically implemented these in my designs)


The following topics are still pending:

  • Implement Fiber Channel Security Features
  • Implement Proper Oversubscription in an FC environment
  • Implement NXOS Unified Fabric Features
  • Implement Unified Fabric Switch different modes of operation
  • Implement QoS Features
  • Implement FCoE NPV features
  • Implement multihop FCoE
  • Implement SAN Extension tuner
  • Implement FCIP and Security Features
  • Implement iSCSI security features

Hopefully I finish these topics by this weekend and wrap up the SAN part. I am eager to get started with UCS and the 1000v and finish those by the end of July. That means I can start full-fledged labs in August and should be good to go for the lab by September. It is an aggressive plan, but I truly hope to achieve it.

Sunday, June 16, 2013

CCIE datacenter preparation strategy

OK, I love it when it comes to strategy, especially when I need to prepare for an exam. The only problem is keeping up with the execution. I have broken down the CCIE-DC prep into five parts, namely:

Nexus Switches - Switching and features
Storage - MDS and nexus switches implementation of the storage
ACE - The load balancer
1000v - The nexus 1000v switch
UCS - Cisco UCS preparation

So the first task is the Nexus switches, but as I am engaged in some SAN switching activity I will complete the storage first and then start with the Nexus switch preparation. As I have extensive hands-on experience with the Nexus switches, I am hoping to complete them in the shortest possible time frame. My pain points will be the 1000v, ACE and UCS, so I will probably start with ACE, follow with UCS and finally end with the 1000v.

For workbooks I am looking forward to the INE workbooks. There has been a heavy recommendation for the IPExpert workbook as well, but unless IPExpert comes down on the price I don't think I can afford the workbook they offer. It will also be interesting to see the workbook that will come out from Narbik.

I will be using the Cisco documentation and Cisco Live 365 material predominantly. I will have to lab full-scale mock labs once they become available from either of the vendors.

Those of you who are preparing, do comment on my posts and make sure to follow my tweets. It's going to be an interesting road ahead up until September, when I intend to take my lab exam.

Sunday, June 9, 2013

Busy Summer !!

I have been very busy setting up a new office for my organization. It was fun interacting with a variety of vendors, going through quotes and discussing possible options to set up the office. I had the opportunity to facilitate the integration of an Avaya system, and I will go through the process one more time two months down the line. The technical side of things (configuration, testing etc.) took just one day and I am very proud of that fact. It's not every day that you set up something like this and have it working in one go.

Coming back to CCIE Data Center preparation: I have been preparing the SAN connectivity side of things. This is one of the areas I wanted to push aside. I still remember how weak I was in such topics exactly a year ago, and now it's a breeze for me as I push through the technical aspects and the configuration part of it.

I have decided to blog my prep with a count. I will blog both CCIE DC and CCIE Security. I am going for the kill. I can't emphasize enough how much respect a CCIE receives and the kind of tasks we are asked to work through. Life is getting more interesting every day in the technical world. I truly hope it is more rewarding monetarily too.

Sunday, April 7, 2013

CCIE Datacenter - NXOS L2 functionality preparation

For the first phase of preparation, it is going to be NX-OS L2 functionality.

So what am I looking at here? Obviously it's going to be vPC. There are a couple of documents I need to read through to bring myself up to date on this topic. I have designed and implemented 10+ data centers with these technologies, so it should be a straightforward and smooth walk through these topics. However, having been to the R&S lab, I know they use alternate terms and indicators to make you use a certain technology.

I will follow that up with VLAN and PVLAN concepts. They are not different technology-wise, but CLI-wise they are. Port-channels and UDLD are easy stuff. STP and FEX mechanisms are daily ops stuff.

I am looking at 10 days for completion. I want to ensure I read through all the documents and design guides before I mark them as complete. I will implement them and play around as necessary so that the troubleshooting areas of the exam will be well covered.

My approach is going to be reading the design guides, documentation and the NX-OS book, followed by some hands-on lab. I will be making lots of notes as I progress; it will make it easy for me when I create design documents at work.

It's interesting to note that INE is producing only VOD and IPExpert is creating only a workbook; there is no end-to-end solution from either vendor. Also, at the moment I am not going to procure any material from either vendor, purely because (A) I have enough hands-on experience to prepare on my own, (B) I can't afford the materials or the rack-rental cost to perform the labs end-to-end, and (C) I need to save money for the lab, as I will have to travel because the lab is not available in all of the lab locations.

Anyway, a good start this Monday should get me going !!

Sunday, March 24, 2013

CCIE Datacenter Preparation

It's almost 2 years now since I attained my CCIE status, and it's time to re-certify. It was a clinical decision point for me, as I had to decide which track to take to re-certify. I can very well re-certify in R&S or take up a different CCIE.

I am very interested in taking up both Security and Data Center. I am in the midst of designing and deploying data centers, which easily leads to my choice of taking up CCIE Data Center to re-certify my CCIE status.

The written exam to be taken covers the topics given in this link.

I am well versed with the Nexus switches. UCS is a prep area: I am well versed with it, but not from an exam perspective. The ACE is also a complete prep area, followed by the 1000v.

So if any of you are interested in following a blog that leads up to the CCIE DC exam, or are preparing alongside, please do follow this blog.

As far as preparation for CCIE Security is concerned, it will come after I complete my CCIE DC, but the preparation will run alongside DC. WSA and ISE are some of the interesting blog posts that will be coming up.

The timeline for CCIE DC prep would be end of April or start of May for the written, followed by the lab in a matter of 4 to 5 months.

Sunday, March 10, 2013

IPv6 Reading List

We are in a transformation era where the buzzword is 'IPv4 to IPv6 migration'. Everyone everywhere is talking about IPv6 migration. As network engineers, where are we in this transformation? If you are not in the thick of things, don't worry: the transformation is just getting started.

It is important to know the protocol inside out, to learn how the control plane protocols are enabled with IPv6, and to learn how to design IPv6 networks. I thought, why not put up a post with a reading list of must-read books, RFCs, blogs and other materials for IPv6? I have read these and found them to be extremely useful.



  • IPv6 Fundamentals
  • IPv6 for Enterprise Networks
  • Deploying IPv6 Networks
  • IPv6 Security
  • Implementing IPv6 Networks
  • IPv6 RFC
  • Cisco Migration
  • Computer Weekly


This page will be updated regularly as newer and better materials come to light !!

If you have any links to be posted, please share them here. Please let me know your comments.

Thursday, February 7, 2013

CCIE Storage Retired

With the advent of the much-awaited CCIE Data Center certification, the CCIE Storage certification is being retired. The official announcement is on the Cisco site and can be found here.

Now comes the interesting part: some network engineers don't want to be part of the compute side. But here is the thing: Cisco Data Center brings together the requirement to know a fair part of the compute block and the storage block along with the network block.

For those looking at the data center side of things, here is the deal. Cisco has integrated SAN on the Nexus switches; it is not available off the shelf, and we need to purchase a license to enable it. So the need for MDS switches will fade. Network and storage ability is now integrated, and Cisco UCS brings in the compute part. We can't be totally ignorant about the compute side of things, so there is a need to have a holistic view of the data center.

If you are one of those looking to become a data center guru, you can work on and gain knowledge of storage products such as EMC and NetApp, along with VMware and preferably Microsoft server products, so that you have complete end-to-end knowledge of the data center. (I have touched only the high points of the DC, as there is more than what is mentioned.)

For those of you looking at the CCIE Data Center, more information can be found here.
