
Status

LAB tasks
Top todo's:


SmartPorts


Diagram for VMware showing mixed mode and separate hypervisors with VMs - UCS Express and UCS



Configure Cisco VMware firewall - Stargate. Syed Ghayur (gghayur) <gghayur@cisco.com> provided VoD.
Set up VPN client and access to verify SecureID

Test Ironport e-mail Filter

Troubleshoot VBLOCK deployment problem - Applied hotfix1, have seven servers deployed across 2 services

Troubleshoot enVision SDEE event collection problem

Tom Hua to look for IDS appliance and meet with Christian the week of 2/20/2011

Finish setting up AAA to Radius/TACACS for Wireless

Need to add devices to CSM

Need to review UCS Express in Medium store - John Carney installed, researching trunk to server/second subnet best practices

Need to configure generic servers in DMZ
Need to configure more of DMZ switches and segments
Need to set up Servers/PC in Stores (connected VM server to S-LRG-3)

Adding all devices via discovery to NCM; will probably need to update user credentials in many first.
Then configure various Tests, add them to a Standard (to check compliance), and then add that to a Policy to automatically test compliance on changes.

Need to review configurations in Store switches and routers for best practices - update to new SAFE 2 etc.  Harden. Sent initial configs to Verizon

What about E-Commerce?  Should we architect in using Cisco SSL termination blades/appliances on the internet edge and data center? key management?
What are best practice and enterprise scaling design challenges for VMWare?

Add Cisco Data Center Network Manager to product list and collateral


Additional area of expertise we need for the lab setup:

High Priority
Voice: specifically Contact Center
40-100 hours to review Lab, configure/update, Document in Design guide (depending on depth we want to cover contact center)

Lower Priority
Data Center 3.0: Nexus 7k (security)
20-40 hours to review DC 3.0 architecture, adjust configuration and help document.

Store to Data center: WAAS (Jenny and Fernando)
20-40 hours to review WAAS in a DC 3.0 architecture, adjust configuration and minor documentation.



AREA  |  PCI Auditor Status  |  Product  |  Business Contact  |  Technical Contact  |  Notes
Routing  Pull configs-send in e-mail  ISR  Manu Parbhakar (mparbhak) <mparbhak@cisco.com>  ISRs installed and configured;
Fernando working on installing VSOM
2011-02-25 Talked with Manu about getting a template config for the integrated wireless of the 891 and 1941 when configuring for multiple VLANs
   ISR SRE  John Carney  2011-02-17 UCS Express installed and working on SRE blade

got this link for installation
http://www.cisco.com/en/US/prod/collateral/ps10265/ps11273/installation_guide_c07-640002.html

John Carney also had this link from Tony:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/sre_v/1.0/user/guide/sre_v.html

Switching  Pull configs-send in e-mail  Catalyst  Bart  Done
2011-01-27 Upgraded Large store 4507's to Sup7 and R+ chassis.
 Voice  Communications Manager  Stuart Higgins  2011-02-10 Upgrading to 8.5, requesting license
 Voice  NEED TME  Contact Center Enterprise/CVP  NEED

Here’s the link for Contact Center Enterprise 8.5 security BP guide

http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_8_5/reference/guide/icm85securty.pdf

Manisha Gupta (manishag) <manishag@cisco.com> is offering to update the systems.
2011-03-01 Sent Manisha a reply asking about her familiarity with VMware so I can get her going on this.

Wireless  NEED TME Wireless controllers, WIPS PM-Annette Blum (annblum)
Mgr. Suresh Katukam (skatukam)
Sujit Ghosh (4085267638)
Mike Adler
Paul Lysander (lysander)4089028990 <lysander@cisco.com>
2011-01-06 Win2k3 Servers provisioned for WCS and Navigator
2011-01-18 left Sujit a EM/VM asking for status
2011-01-25 Mike brought in Paul to help deploy WCS 
2011-01-27  Paul said he has WCS manager installed and he will work with Mike to configure controllers and APs.  As WCS Navigator does not configure controllers or APs (it is just a dashboard), we will not install it in the solution at this time.
2011-02-14 Mike has finished adding the controllers and access points to WCS.  Worked with Paul today and set up the MSE devices.  He will configure and license later today/tomorrow.  I sent Sujit an e-mail asking for permanent licenses for my controllers.

No license for the module or option, but shows active.  The others were installed, not sure why WCS is not up to date.
He thought AAA was all set up.  Will set meeting up next week.  PSK is 12345678




DLP: for messages received, how and when are they encrypted, and how are the keys managed?

How is the stored data protected? Storage location, encryption/decryption keys.
How are keys protected and managed?

What OS, how is it hardened, what's under the hood?

Auditable events: login failure/activity etc. What specifically is logged for each level (no CC data)?

Need to see about password complexity.

Does the app write data anywhere else?


 IronPort
https://private.ironport.com/pm/docs/product/#esa
http://esawiki.cisco.com/index.php/RSA_Email_DLP

It is not safe to send CC info via e-mail, and it drastically expands the scope of where CC data may be.
The IronPort product helps protect against stolen CC info being sent out of the company via e-mail.

Under network interface:
Need to disable telnet/http and other non-secure protocols that are on by default.

Should turn off FTP for logs and configure off-box logging using SCP to push logs; need one year's worth of logs.




 Amanda Holdan  Raymond Jett (4692556638)  2011-01-06 All IronPort devices cabled
2011-01-18 Left Mike an EM/VM asking for status.
2011-01-19 Received reply asking for more info, answered.  I am having issues sending mail out of the retail LAB to Cisco accounts or Internet mail servers.  Asked Raymond for ideas to test; he suggested Pepin Barrameda may have info on a Lab mail proxy (sent Pepin an e-mail).

NIC Teaming, ESA Active, then set up Clustering for the two devices.
Then set up Manager to talk to the cluster.
Set up Smart hosts on the Exchange host - Relay List.
Add Exchange to ESA server relay list.
May need to set up Outbound relay as well.
Recipient Access Table (RAT) contains the list of domains for e-mail.


2011-02-11 Set up outside exchange server that can receive mail for test

2011-02-18 Sent e-mail to Raymond asking questions from auditor.
Security
 CSM  Tom Hua (4088532718) 2011-01-06 new Win2k3 Server provisioned 
2011-01-18 Left Tom an EM/VM asking for status
2011-01-25 Tom talked to Maria, said he has all he needs and will be done by the end of the week setting up CSM
2011-02-14 Tom has the CSM set up but no devices added yet, he is sending me the info on how to add devices.  login is admin/admin  He will meet with Christian next week to discuss IDS appliance architecture and if we want to add any.


Do we need a license?


 Security   RSA Authentication Manager/SecureID

 Tim Shea tshea@rsa.com

(781) 515-5112

 Danny Dhillon

danny.dhillon@rsa.com

Installed and configured
 Security   RSA Key Manager  Tim Shea tshea@rsa.com

(781) 515-5112

 Danny Dhillon

danny.dhillon@rsa.com

 Danny coming on site Monday 1/31 to help install KM and enVision appliance
2011-01-31 Installed and configured.  set up MDS-DC-1 to use it for key management.

 VBLOCK   EMC SAN and UCS  Vincent Shan  Sheri.Spence@vce.com(8172366165)
Michael.Dugan@vce.com
 2011-01-18 Left Sheri an EM/VM asking for status, exchanged e-mails about helping remotely and possibly on site Feb 7th.  Mike has UIM software update and possible assistance also.
Once UIM is installed it will be used to manage and configure vBlock including UCS and VM servers.  Hope to be done 1/28

2011-02-25 Installed PowerPath on Vblock ESX hosts
C:\Program Files\VMware\VMware vSphere CLI\bin>vihostupdate.pl --server 192.168.41.141 --install --bundle c:\EMCPower.VMWARE.5.4.SP2.b298.zip --username root  --password emcuim


 VBLOCK   EMC Ionix UIM  Brian Kennedy brian.kennedy2@rsa.com

415 250 8839

 Sheri Spence
Sheri.Spence@vce.com(8172366165)

Mike Dugan 914.522.7599
Michael.Dugan@vce.com

 2011-01-27 About 90% complete, have second call tomorrow to finish configuration with Mike.
2011-02-07 UIM provisions and activates the new server but does not add it to vCenter.  Sent Mike and Sheri an e-mail asking for next steps.
2011-02-14 Still having issue with UIM installing ESX on some servers.  Sent Mike an e-mail asking for help.
2011-02-15 Applied hotfix 1

 VBLOCK   HyTrust

 Eric Chiu echiu@hytrust.com

(650) 681-8111


renata budko <rbudko@hytrust.com>
VP of Marketing Office : 650 681 8120

Ken Sigel HyTrust Systems Engineer
ksigel@hytrust.com
office: 650-681-8174
mobile: 650-722-1270
 2011-01-26 Hytrust appliance installed and configured.
2011-02-10 removed Hytrust appliance and suspended temporarily while troubleshooting vlan/routing issues with DC switches.
Compute   Nexus 1kv and Skywalker    Syed Ghayur  2011-01-05 N1kv installed on several servers, need to finish provisioning and VLANs.  Need to start on Skywalker VSG
2011-01-26 Reinstalled N1kv on Servers 22-31 with new version.  Need to start on VSG, Syed provided VoDs.  Syed traveling 1/29-2/7 but may be available via IM

http://bock-bock.cisco.com/wiki/N1KV:Virtual_Security_Gateway


 Storage   MDS    Simone Morellato  2011-01-05 New Supervisor working and basic configuration
2011-01-27 Got second Supervisor for MDS-DC-2 from Repo Depot, upgraded with same version of software as MDS-DC-1; having periodic issue where MDS-DC-2 locks up randomly.  Maybe the card is flaky; Simone may be able to get a replacement on 2/3
 Compliance/Policy   RSA Archer

Eric Herrera Eric.Herrera@archer-tech.com 

(913) 239-1807

 Genarro Scalo gennaro.scalo@rsa.com


John Carney
 2011-01-18 G will provide software and remote installation assistance in the next week.
2011-02-02 Received an e-mail with info on downloading the software and an install guide from Eric (License Key: 04C1B0951B04F048181C8964E)

In regards to the installer, you will need to download it from the Archer Community. Note that this is a large size file, so I can't attach it.
https://community.archer-tech.com/files/folders/installerpackages/entry3748.aspx

If you have not registered with the community, please register first. Once you register, then you will be approved and we will provide you with your access credentials. Once this is done, then please proceed to the Download tab.

2011-02-11 John Completed the Application installation of Archer




 Compliance/Policy   RSA enVision  Brian Kennedy brian.kennedy2@rsa.com

415 250 8839

 Danny Dhillon 617-309-8094/408.326.4580 <danny.dhillon@rsa.com>

david.broeckelmanpost@rsa.com c. 213.321.7740

David.Valiquette@rsa.com
774-230-2208
PO received by RSA 1/25; will ship 1/26 or 1/17; scheduled for installation week of 1/31; alert and report development scheduled for week of 2/14

2011-01-27 Have initial installation scheduled for 1/31 with David and Danny
Expect appliance to arrive Friday or Monday morning.  Did not receive license file for system yet.
2011-01-31 completed install of enVision, need to configure remaining lab devices to point to it, have follow up call 2/2

2011-02-07  Working with RSA Professional Services David.Valiquette@rsa.com
have device pretty much fully configured and playing with reports and activity notifications.  All looks good to go.

 Switching   Sake  Vivian Clark?  Narayanan Krishnamoorthy (narakris) <narakris@cisco.com>  2011-01-03 3560c Sake switch is in ROMMON, sent e-mail trying to get assistance
2011-01-18 Found tech contact Narayanan, sent e-mail asking how to fix 3560c
2011-01-27 Sent NK an e-mail asking for SSH software support.
2011-01-28 Received and configured updated switches with SSH
 Network Management  EMC Ionix NCM   Vikram Prabhakar (cisco)
larry.baird@emc.com

david.marquez@emc.com
 Manuel (Manny) Kamer 917-620-8610 (manuel.kamer@emc.com)

 2011-01-26 Bart, I’m working on your vm now. Can we meet onsite in your offices on Thurs Feb 3 to complete this activity. I have another Cisco customer to visit earlier in week and I can drive from there to your office
2011-02-03  Installed NCM working with Manny.  Product works very well.  Set up most of the devices in the lab for the stores, working on adding Data Center devices.  Sent Manny an e-mail asking how to change the device class that is auto-detected.

2011-04-12 - Still having trouble enabling SNMP  - Manny is opening a trouble ticket.
2011-04-22 got SNMP working, but missing source IP address for clients.
Sent request for permanent license too
Larry replaced David on the team.
 Security  NEED TME  NAC    Jamey Heary 303-619-7122  2011-01-24 Sent Jamey an e-mail asking what he needed provisioned to set up his NAC servers in the Lab
Jamey replied to Maria: Jamey needs 5 servers with 100 GB of space and 8 GB of RAM and a Windows XP or 7 host. He can start as early as next week and it will take him about 3 days to complete the work
2011-01-27 re-scheduled Architecture call
2011-01-31 sent lab info to Jamey, he expects to be done this week.
2011-02-07 Set up Windows 7 system for Jamey connected via Ethernet port on SRV-DC-24.  If that does not function properly I will install a PC with KVM.
2011-02-14 left VM for Jamey asking for status 

Physical Security  Physical Access Control  Craig Cotton  Rekha Krishna
rekkrish@cisco.com

W 408 525 2484

M 408 874 5347   

Access control physically installed; needs configuration; requested 1/5

2011-02-07  Fernando working on setting this up.  
2011-02-16 Set up PAM and GW for small store.  Added Bart's badge to reader.
http://bock-bock.cisco.com/wiki/PSBU
Rekha is looking into the problem getting LDAP authentication working.  It does not look like you can delete the default cpamadmin account or the gwadmin accounts on the gateways.  The CPAM does support password complexity and timeouts.
Physical Security   Video Surveillance      Craig Cotton  Greg Varga 
grvarga@cisco.com
W 408 526 5084
Shailesh Deshmukh
shadeshm@cisco.com
W 408 526 8842
M  5107867030 
Video surveillance physically installed; needs configuration; requested 1/5
2011-02-01 Fernando is installing Video Surveillance.

2011-02-07 IP'd and placed on VLAN for Fernando the MSP systems in the Data center and large store.
 Network Management Cisco LMS    Tejas Shah (LMS) 2011-02-01 Maria to contact Tejas and see what preliminary system information he needs to set up LMS in the lab

2011-02-07 Since NCM seems to be working so well, decision needs to be made whether we install this duplicate system or remove from PCI validation.  No install progress has been started yet.


Worked with Sheri and Mike from VCE all morning to get SAN provisioned and the UIM app installed.  No work on UIM, need a license; got rest of SAN provisioned, need to get second MDS up.

Need to fix second link to MDS (port 2/48) from CX4 B0/2
Need to Change dual link from MDS to Fabrics.
Need Sup2 card for second MDS - getting from Repo-Depot.
   

Send Manuel Kamer @ EMC lab info for him to build the EMC-NCM server.  Include lab diagrams, current design guide, device list, IP addresses, gateway info, DNS, domain name.  He will build a VM server that I will FTP download and put in the lab next week.  Then he will be out Tuesday Feb 2nd to help install and configure.

RSA-AM: installed remaining soft token keys.  Need to set up VPN client/server and point to RADIUS Server on RSA-KM server for user authentication to test.
If I have any problems, call Danny @ RSA.  Build RSA-KM server for him to install trial on for testing.
Working with Danny on Monday 1/31 to install RSA KM and enVision appliance.


RSA and Partner
Send Danny.Dhillon@RSA.com the First Draft of DIG, he will add all of the RSA Product overview info his google ID is ddhillon@rsa.com
Send Danny status on enVision Appliance arrival (Brian Kennedy @ RSA still waiting for the PO with correct NET dates)

RSA Products - received Auth Manager software, SecureID tokens, Token Seed Records, RSA Key Manager trial 2010-12-06

RSA enVision - Working with Brian Kennedy (m 415-250-8839) and Chris Bloom at RSA to get a quote for our own enVision appliance; should have one by 12/15 with lowest $$.  Sent status e-mail 12/15/10 @ 3pm
Talked with Brian 2011-01-18.  There is a problem with the NET60/45 day terms with the PO.  Tracey sent corrections for approval.  Hope to have order issued tomorrow.

RSA Ionix NCM - Sent request e-mail to Vikram Prabhakar (viprabha) <viprabha@cisco.com> on 12/8 and 12/15 asking for download info and design/install guidance.  
Support from EMC will be provided by david.marquez@emc.com(BDM) & manuel.kamer@emc.com (Product Expert focusing on PCI), sent new E-mail on 2011-01-18 asking for software and assistance.

HyTrust Partnership - Working with Ken Crandall (kcrandall@hytrust.com - o650-681-8171/m650-400-9293) to review LAB design and get/install software.
We have downloaded and did initial copy of appliance image, need to perform basic configurations and then advanced policies with Renata (2011-01-28?)
Send Renata @ HyTrust configs for Nexus and MDS switches.

LAB Items Orders
Need to order ASA5585s to replace Chris Jarvis's 5580s that we borrowed - sent BOM to John Carney 2010-12-06, who is working with Tracy to see if we can order these ($50k)
Ordered 4507+R chassis to support new Sup modules
Need additional SUP2 card for second MDS

Need to configure VBLOCK
Need SSH IOS on SAKE switches and 2960's? - Requested 1/27

Need SSH IOS on S-A2-LARGE 1&2 (waiting on new chassis)
Upgrade TACACS server
Need to configure UCS server profiles and add UCS ESXi servers to vCenter
Move management of devices using hytrust to new vlan's
Need to re-IP the UCS Fabrics to the .41.x network for HyTrust
Need to IP Address the EMC SAN
Need to IP Address the MDS Switches to VLAN .41.x
Build Win2k8 R1x64 Server for CSM again
Install ASA-SSM 40 in other FW
change conv store to fa8 to switch 
fix RMED-1&2 int G0/1 to switches
need to cable up PAM and Gateways
Need to connect EMC SAN
Need to connect IronPort Servers (all including management box)
Install N1kv on servers 22-31 - Done
Need to set up 2003 server and install Fabric Manager and Data Center Manager
Need to configure HyTrust Appliance

Add routers and switches to TACACS
Need to cable up VSOM, storage, Cameras
Need to connect additional Phones and provision 
Need to configure WAAS in DC and Stores

Replace large store access layer switch with 3560x
MDS Supervisor and Encryption card (Friday 12/17) (BU provides when SAN arrives, see below): Simone Morellato (smorella) <smorella@cisco.com>
Worked with Sheri, updated FLARE to 4.30, I installed remaining enabler packages.  
Still need to upgrade MDS-DC-2 to a SUP-2 with NXOS code.
Need to configure remaining RAID groups on the primary storage, possibly change the boot RAID group from the FC drives as there is only 286GB free and we need about 320GB free (20GB per VM server x 16 blades).  Maybe we could do just 14 blades and still have it fit and be close to the VBLOCK design.  The remaining 2 servers could use local storage for dedicated servers?

Add all devices RSA-Envision (e.g. configure logging on all routers, switches and servers to point to envision)


NEED TO BUILD SERVERS FOR:

RSA NCM - Win???  Con Call scheduled for Friday 1-21-11
     RSA is building Virtual machine, will provide link on 2011-01-28 to download and be available on Thursday 2011-02-03 to provision.

RSA Archer - Win???

EMC UIM - RHEL5.5 - Have image, need to install server and UIM
RSA Key Manager - Win_2k3_x86 is fine for the trial software version.

RSA Authentication Manager - Win2k3-R2-SP2 32bit 3GB RAM, 80GB disk
Cisco - FSU Mgr (Fabric Manager/Storage Manager/UCS Manager) software - Win2k3-R2 = Copied server, need to add to domain and install management packages
Are they installed and initialized (IPs, hostnames assigned, etc)?
Has the flare code and NXOS been updated to appropriate levels? (.507 flare 30, 4.2.3a nxos)? 
Have the element managers been installed on a host?
  • EMC Unisphere (installed Unisphere Service Manager)
  • Cisco Fabric Manager
  • Cisco Device Manager
  • UCSM
  • NXos 4.2.3a on MDS?




Firewall ports for IronPort ESA

Between the IronPort and the Internet:

- TCP/25 In – Inbound mail
- TCP/25 Out – Outbound mail
- TCP/80 Out – IronPort updates
- TCP/443 Out – SenderBase Network Participation (Optional)
- UDP/53 and TCP/53 Out – DNS queries (if using Internet Root Servers)
- UDP/123 Out – NTP Server (if using public NTP server)

Between the LAN and the IronPort:

- TCP/21 In – FTP Access to logs
- TCP/22 In – IronPort Command Line Interface over SSH
- TCP/25 In – Outbound Mail from Groupware
- TCP/25 Out – Inbound Mail to Groupware
- TCP/80 and/or TCP/443 In – IronPort Administration GUI (can be done over HTTP and/or HTTPS)
- TCP/82 and/or TCP/83 In – IronPort Spam Quarantine over HTTP or HTTPS (optional)
- TCP/389 Out (or TCP/3268) – LDAP queries to Active Directory for Recipient Validation
- UDP/53 and TCP/53 Out – DNS queries to internal DNS servers
- UDP/123 Out – NTP Server


There is a big list of Ports and Protocols for the UIM server to talk to the EMC SAN in the Installation guide page 38



