IPS design review

Hello,
Could you review my IPS design (the topology picture is in the attachment)? Can I have one IPS with three or four ports attached to the same switch in an etherchannel? I am talking about one IPS with multiple interfaces. For example, two IPS with four interfaces in the switch's etherchannel group with eight ports. (The IPS's interfaces are in VLAN pair mode.)
Kind Regards.

Sorry, I have forgotten to attach the topology picture.

Similar Messages

  • VSphere 5.5 Design Review Checklist

    In my new assignment, I am doing a design review of a vSphere 5.5 environment.
    Is there a brief checklist that mentions all the best practices, to get me started?
    Thank You !

    Hi,
    Usually companies like IBM, VMware, HP, etc. have their own Reference Architectures.
    A lot of Reference Architectures are posted publicly by VMware. Try to search, if you can find the one which suits your needs.
    If you work in one of the BIG companies, try to check your internal documentations.
    Good Luck

  • BI Technical Design Review Criteria/Best Practice Assessments

    Dear Experts,
    I am currently involved in conducting a pre-build BI Technical Design Review, i.e. Data Model structure/Extractor/Transformation Logic/Data Flow Diagrams.
    Are there any tangible criteria/review template/methods out there to ensure all components are included in a BI design and that they conform to the SAP Best Practices?
    Thanks,
    Jony

    Hi Jonathan,
    The BW project guidelines can be as follows.
    Stages in a BW project:
    1 Project Preparation / Requirement Gathering
    2 Business Blueprint
    3 Realization
    4 Final Preparation
    5 Go Live & Support
    1 Project Preparation / Requirement Gathering
    Collect requirements through interviews with business teams / core users / information leaders.
    Study & analyze KPIs (key figures) of the business process.
    Identify the measurement criteria (characteristics).
    Understand the drill-down requirements, if any.
    Understand the business process data flow, if any.
    Identify the needs for data staging layers in BW (i.e. the need for ODS, if any).
    Understand the system landscape.
    Prepare final requirements documents in the form of functional specifications containing:
    Report owners,
    Data flow,
    KPIs,
    Measurement criteria,
    Report format along with drill-down requirements.
    2 Business Blueprint
    Check Business Content against the requirements.
    Check for appropriate Info Objects - key figures & characters.
    Check for Info Cubes / ODS.
    Check for data sources & identify fields in the source system.
    Identify master data.
    Document all the information in a file – follow standard templates.
    Prepare the final solution.
    Identify differences (gaps) between Business Content & the functional specification. Propose new solutions/developments & changes if required at different levels such as Info Objects, Info Cube, data source etc. Document the gaps & respective solutions proposed – follow standard templates.
    Design & Documentation
    Design the ERD & MDM diagrams for each cube & related objects.
    Design the primary keys/data fields for intermediate storage in ODS.
    Design the data flow charts right from the data source up to the cube.
    Consider the performance parameters while designing data models.
    Prepare high-level / low-level design documents for each data model – follow standard templates.
    Identify the roles & authorizations required and document them – follow standard templates.
    Final review of the design with core BW users.
    Sign off the BBP documents.
    3 Realization
    Check & apply the latest patches/packages in the BW & R/3 systems.
    Activate/build & enhance the cubes/ODS as per the data model designs; maintain the version documents.
    Identify & activate Info Objects / master data info sources / attributes; prepare update rules.
    Assign data sources. Prepare transfer rules, prepare multi providers. Prepare Info Packages.
    Perform the unit testing for data loads, both for master data & transaction data.
    Develop & test the end user queries.
    Design the process chains, schedule & test.
    Create authorizations / roles, assign to users, and test.
    Apply necessary patches & Notes, if any.
    Freeze & release the final objects to quality systems.
    Perform quality tests.
    Redesign if required (document changes, maintain versions).
    4 Final Preparation
    Prepare the final checklist of objects to be released. Identify the dependencies & sequence of release.
    Perform Go Live checks as recommended by SAP in the production system.
    Keep patch levels up to date in the production system.
    Test for production scenarios in a pre-production system which is a replica of the production system.
    Do not encourage changes at this stage.
    Freeze the objects.
    5 Go Live & Support
    Keep patch levels up to date.
    Release the objects to the production system.
    Run the setups in the R/3 source system & initialize loads in BW.
    Schedule batch jobs in the R/3 system (delta loads).
    Schedule the process chains in BW.
    Performance tuning – ongoing activity.
    Enhancements – if any.
    You can get some detailed information in the following link.
    http://sap.ittoolbox.com/documents/document.asp?i=3581
    Try to go to the ASAP implementation roadmap.
    https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000420636&_SCENARIO=01100035870000000202
    Check the links below, which give you a brief overview of the above steps.
    ASAP:
    https://websmp201.sap-ag.de/asap
    http://www.geocities.com/santosh_karkhanis/ASAP/
    https://service.sap.com/roadmaps
    https://websmp104.sap-ag.de/bi
    Please reward if useful.
    Blueprint:
    http://www.sap.com/services/servsuptech/bestpractices/index.epx --- look for blueprint
    http://iris.tennessee.edu/Blueprint/BW/BW-Blue%20Print-Final.doc
    http://help.sap.com/bp_biv335/BI_EN/html/Business_Blueprint.htm
    Also please check out
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/2e8e5288-0b01-0010-2ea8-bcd4df5084a7
    a how-to on the BI7.0 upgrade. Also, as suggested, check out the BW upgrade roadmap on the support portal.
    Hope it helps.
    CSM Reddy
    Assign points if helpful

  • IPS Design Help

    Hi All,
    There are two ASAs with failover and two switches, one internal switch and one DMZ switch. Both ASAs are connected to the two switches. Now we want to implement IPS here. We are using the 4240 model. I want to use two inline interface pairs, one for DMZ and one for internal. But the problem is that there are two ASAs. If you could show me a high-level design and how to connect the ASA to the IPS and then to the switch, that would be very much appreciated.
    Thanks
    Al

    Thanks for your reply,
    The ASA has three interfaces: one is outside, one is inside and the other one is DMZ. The inside and DMZ interfaces are trunk ports with a bunch of VLANs each, and they are connected to two switches with trunk ports. These two switches are not connected to each other and they are connected to separate networks.
    Sorry for the incomplete description. Any suggestion would be very much appreciated.
    Thanks

  • HA IPS Design

    Hi,
    I'm designing a security system that involves:
    2 x inside firewalls (ASA5520)
    2 x switches connected together (for failover)
    2 x IPS (4240IPS)
    2 x switches connected together (for failover)
    2 x outside firewalls (Juniper SSG)
    I'm looking at active/standby or active/active for the firewalls but am not sure if the IPS supports the same with stateful failover? My concern is with asymmetric routing if both IPSs are active and independent. Can I guarantee that a session will use the same IPS for inbound/outbound flows and not get separated across two IPSs?
    Any guidance is appreciated.
    Thanks, Wayne

    IPSec Stateful Failover (VPN High Availability) is a feature that enables a router to continue processing and forwarding packets after a planned or unplanned outage. You can employ a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to users and to remote IPSec peers. The time that it takes for the standby router to take over depends on HSRP timers.
    IPSec Stateful Failover (VPN High Availability) is designed to work in conjunction with Reverse Route Injection (RRI) and Hot Standby Router Protocol (HSRP) with IPSec. When used together, RRI and HSRP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.
    RRI and HSRP are supported together with the restriction that the HSRP configuration on the outside interface uses equal priorities on both routers. As an option, when not using RRI, you can use an HSRP configuration on the LAN side of the network (equal HSRP priority restriction still applies).

  • IDP IPS Design

    Where is the best place to put an IDS/IPS device? For example, outside/inside of the firewall?
    Does Cisco have any recommendation?
    Does anybody have a good design to share?
    Thanks,

    There's probably not a "1 size fits all" answer here. If you have unlimited $$$ then you could sprinkle sensors all over your network, but I'm guessing that's not the case.
    As such you're going to need to take a few steps that will help you design your IDS/P deployment.
    First you'll need to map out your network and then decide what assets are the most critical. One place where most people will deploy some IDS/P is in a DMZ. This is an obvious choice as the assets there are accessed by untrusted sources.
    Another good spot is behind the firewall. Assuming that the sensor can handle the bandwidth, this will let you see traffic coming in from the DMZ(s) and going out from the trusted networks. You'll be able to see things like traffic from PCs infected with Zombies and the like on this sensor.
    Next, if you have your "critical" assets (say like DB servers and the like) segmented off on their own internal network, then putting a sensor where it can see traffic going to/from them makes good sense too. This will again give you a good look into what, if any, attacks are being directed at them. If it's a server in the DMZ you'll already pick that up on the DMZ sensor, but the one near your critical assets will also show any infected PCs or hosts on the inside trying to hit them.
    I don't normally put a sensor on the "outside" as there's not much value in that. There's way too much data there to handle, and if 90% of the traffic is being dropped by your firewall rules why bother worrying about that anyway? Putting sensors in the firewall like the AIP-SSMs, or putting external sensors where they can see the other firewall interfaces, will show you the same traffic minus all the junk that gets dropped by not matching a rule.
    Hope this helps. I know it's very general, but you really need a detailed map of your network topology and traffic flows to make the best choices where sensors should be.

  • Network Design Review - Best Practices

    Looking to start a discussion around best practices for inbound network design at the core.
    The planned devices are as follows:
    Edge Routing / DMVPN - Cisco 2951
    Cisco UCM / IP Phone VPN Concentrator - Cisco ASA 5512-X
    Cisco AnyConnect SSL Client Concentrator - Cisco ASA 5515-X
    Cisco FirePower / IPS Device - Cisco ASA 5515-X
    The plan is as follows:
    All traffic enters through the 2951.
    DMVPN traffic will go directly to the FirePower device and then to the core network.
    IP Phones will pass through the 2951, enter the 5512-X for VPN, go to FirePower and then to the core network.
    AnyConnect clients will pass through the 2951, enter the 5515-X for VPN, go to FirePower and then to the core network.
    Wondering if anyone else has completed a similar setup and any issues you may have run into.
    Basic diagram attached.
    Thanks!

    There really isn't a true two factor authentication you can just do with radius unless it's ISE and you're doing EAP Chaining. One way that is a workaround and works with ACS or ISE is to use "Was machine authenticated". This again only works for Domain Computers. How Microsoft works :) is you have a setting for user or computer... this does not mean user AND computer. So when a Windows machine boots up, it will send its system name first and then the user credentials. System name or machine authentication only happens once and that is during the boot up. User happens every time there is a full authentication that has to happen.
    Check out these threads; they explain it pretty well.
    https://supportforums.cisco.com/message/3525085#3525085
    https://supportforums.cisco.com/thread/2166573
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • IPS design

    I have 2 units of ASA 5520 with AIP-SSM-20 for the front end and 2 units of ASA 5520 with AIP-SSM-20 for the back end. I also have 2 units of Catalyst 6509. What should my design look like?

    It all depends on what you are trying to accomplish and what features you are using in each ASA. The outside ASA, as a firewall, can host several inside networks (limited by the number of interfaces in the ASA), and each network can have a different firewall policy assigned. If that meets your firewall needs, then you might not require a second set of ASAs.
    You have not provided enough network requirements detail to even make a guess of what you need.

  • IPS design question

    Hi All,
    I have two ASAs as active/standby failover. These two are connected to a 3750 switch through a trunk port that carries VLANs 10, 20 and 30. I want to deploy IPS in between in inline mode. I am a little confused about how to connect the IPS here. Should it be connected with both ports to the switch, or should it be connected to the ASA on one end and then connected to the switch on the other end?
    If you could show me how to connect the IPS here, that would be very much appreciated.
    Thanks
    Alex

    With inline VLAN pair only one IPS interface is utilized (it has to be a trunk). Have a look at:
    http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
    Regards
    Farrukh

  • Technical Design Review Question: mySAP Execution Architecture.

    I got my hands on technical design documentation for a project on COPA budget. I came up with a few questions but I will post them separately for fast closing and awards:
    1. In the Requirements discussion, I came across something
    “Job naming conventions apply… and completion of Autosys Job Schedule request form is required….Forward this form to the mySAP Execution Architecture team for processing”
    Is this an internal team or does it refer to some group at the SAP company?
    Is the Autosys Job Schedule request form a standard form, or do you think the environment had just come up with a form for their internal processes? What may this include?
    Thanks.

    Hi,
    If I understood correctly, the organization wants to maintain a document on jobs to be maintained regularly in the production system. It will be used as a reference in the support of BW production activities.
    I hope the mySAP Execution Architecture team for processing is the internal team from your client.
    With rgds,
    Anil Kumar Sharma .P

  • Multiple WAN site redundancy design review (dark fiber, p2p, DMVPN)

    I'm re-designing a couple of WAN sites. I'm using EIGRP over both some leased dark fiber and p2p provider connections. The attached (pdf) physical topology says it all. I'm thinking of using IP SLA to track and inject routes over preferred connections, but really just looking for feedback if someone is interested in taking a look.
    I've bought 2 2951's with es3g-16-p modules so I can build SVIs and do HSRP between the paths, building redundancy between the 3 available paths back to our enterprise core (1Gbps, 40Mbps, 50Mbps).
    Multiple VLANs at both sites...
    e.g.: (wan site1 (vlan 10-15), wan site2 (vlan 16-20))
    Thoughts and thanks?

    Hi there,
    Not sure why you need to use DMVPN if it is all the same internal network, unless you need to have all the traffic between sites encrypted.
    Anyway, in general I would say use the direct link to reach the directly connected networks per site.
    For example, use the site one 100M link to reach DC and WAN,
    and use the site2 50M local link to reach WAN as the primary path and use the site1-site2 fibre to reach DC as the primary path for site2. This could achieve good load sharing and reduce the load on the link between site1 and site2.
    IP SLA in a topology like yours can for sure be very helpful to improve failover time and make the routing more topology aware.
    Hope this helps

  • DMZ layer design review

    Hello,
    I would appreciate it if someone could share their experience/problems with the below design for a Core-Firewall-DMZ-Aggregation setup.
    1. There is a Layer-3 connectivity between core and firewall segments with L3 point-to-point links running OSPF. The active firewall(FW-A) forms ospf neighborship with Core-A and similarly FW-B forms ospf neighborship with Core-B and Core-A / Core-B form ospf neighborship.
    2. Aggregation switch and Firewall are connected over L2 trunks and OSPF is running over SVIs (VLAN 13 / bcast segment), Aggregation switch-A is elected as DR and Aggregation switch-B is BDR, both firewalls have configured ospf priority to zero. FW-A(active) forms ospf adjacency with Aggregation-A and Aggregation-B, and each Aggregation switch forms ospf neighborship with the active firewall only.
    Is there any chance that the broadcast network b/w the Aggregation switch and Firewall can cause any problem when any of the aggregation switches reloads?
    I have attached a rough sketch for better understanding.
    Regards,
    Akhtar


  • Flash Design Review

    Hi
    I have designed a hanging Flash menu for my web design web site.
    Hope this is compatible with all web browsers.
    Please give your comment on this unique Flash design.
    kushan

    It's cute but Flash for navigation is pure poison because many browsers don't support it. Most notably Apple iPad, iPhone & iTouch do not support Flash. How will those users navigate your site?
    For all practical purposes, Flash is dead as a web technology except for gaming sites and special device apps.
    I think a better choice is CSS styled menus to support the majority of users. If you want to add some animation to your site, look at HTML5, CSS3 transitions and JavaScript.
    See Adobe Edge
    http://labs.adobe.com/technologies/edge/
    Nancy O.
    Alt-Web Design & Publishing
    Web | Graphics | Print | Media  Specialists 
    http://alt-web.com/

  • Technical Design Review Question: Key Figures

    I got my hands on technical design documentation for a project on COPA budget. I came up with a few questions but I will post them separately for fast closing and awards:
    In the discussions of Key Figures, a table was provided showing Name, description, source field, data type and Unit. With the exception of 5 of them, all the key figures had data type as Curr(17,2).
    My confusion is why all their equivalent Units were 0Currency while the 4 exceptions which had Data Type QUAN(17,2) had Units  of the form zvv90_ME, zvv094_ME, etc.
    I will appreciate your thoughts on these.
    Thanks

    All the key figures which are curr(17,2) are meant to be used as amounts which can be tied to different currencies.
    For example, the key figure might have a number 1,000 and the corresponding entry in 0currency might be USD, which means it's $1000.
    You can find all the valid currency keys in the TCURC table.
    On similar lines, for key figures which specify quantity, a few examples will be:
    100 pc
    30 Hr
    where the unit is stored in 0UNIT.
    Ashish

  • Technical Design Review Question: Requirements.

    I got my hands on technical design documentation for a project on COPA budget. I came up with a few questions but I will post them separately for fast closing and awards:
    1. In the Requirements, I saw a reference to some terms and I am wondering whether they are standard BW terms that I missed or, whether they are some abbreviations related to the particular project.
    “Product Contribution, Gross Margin, etc. reports from SAID, RAPID, and SMRS must be enabled from the BW COPA design”
    Any clarification on the above quote and are SAID, RAPID, and SMRS some terms in BW or some abbreviations in the project.
    Thanks.

    Hi Caud,
    I think it's better to directly ask your client!
    Probably it's something related to a reporting system...
    ??? SMRS = (Study Management and Reporting System from PercipEnz Technologies, Inc) or (Standard Mortality Ratios)
    RAPID = http://www.microwavenews.com/rapidereport.html
    ...but are you working on a health and science project ?!?
