Posted by Andrew Hodgson on August 15, 2006, 5:52 pm

Just wondered what people thought about the idea of a test network being used in a company.

We have such a beast; however, I am just wanting to clarify some things which I am not 100% comfortable with, and just wanted to know: am I being very old fashioned, or is there some basis to it?

We currently have a core switch with several VLANs on it for internal purposes. The people who configured this put an extra VLAN for the test network. Currently all traffic can pass through, but it will be locked down using ACLs on the core switch. The reason for this, apparently, is so we can use the VLAN capabilities on the internal switch to assign ports to the test network.

Is this really a separate network from the "live" environment? Could there be any problems?

The other thing is, we have a small ADSL connection to simulate WAN access; however, for some reason, we have had a few of our existing public IP addresses (on the live system) set aside for the test network, going through our existing PIX through to the test network. The reason for this is that the ADSL connection will act as a loop-through so we can do external tests. I have tested this and it works, but I was thinking we would be able to use a set of public IP addresses (or even just one address on the DSL interface), and use them/it as our external address if required?

I realise I have only scratched the surface, but I just wondered what sort of problems we may come into with this type of setup (if of course there are any)?

Thanks.
Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use <andrew at hodgsonfamily dot org>.
Posted by amigan on August 15, 2006, 7:11 pm

switches. Test networks are vulnerable to experimentation, and a bad experiment with, say, multicast or broadcasting or turning off spanning tree or... could bring down the production VLANs. Get the test network off there!

I don't understand what you mean by using ADSL to simulate WAN access. WAN generally refers to connecting multiple sites together. But you go on to describe wanting to test your Internet-facing services and how the production PIX leads you to the test network. While I don't entirely follow, my gut reaction is: get the production PIX off the test network and use another device to protect egress to the Internet. Likely you are wanting to test your production apps from the perspective of someone outside. IOS firewall should be fine for this purpose, or use another PIX.

Michael

Andrew Hodgson wrote:
> Hi,
>
> Just wondered what people thought about the idea of a test network
> being used in a company.
>
> We have such a beast, however, I am just wanting to clarify some
> things which I am not 100% comfortable with, and just wanted to know
> am I being very old fashioned, or is there some basis to it?
>
> We currently have a core switch with several Vlans on it for internal
> purposes. The people who configured this put an extra Vlan for the
> test network, currently all traffic can pass through, but it will be
> locked down using ACLs on the core switch. The reason for this
> apparently is so we can use the Vlan capabilities on the internal
> switch to assign ports to the test network.
>
> Is this really a separate network from the "live" environment, could
> there be any problems?
>
> The other thing is, we have a small ADSL connection to simulate WAN
> access, however, for some reason, we have had a few of our existing
> public IP addresses (on the live system) set aside for the test
> network, going through our existing Pix through to the test network.
> The reason for this is that the ADSL connection will act as a loop
> through so we can do external tests. I have tested this and it works,
> but I was thinking we would be able to use a set of public IP
> addresses (or even just one address on the DSL interface), and use
> them/it as our external address if required?
>
> I realise I have only scratched the surface, but I just wondered what
> sort of problems we may come into with this type of setup (if of
> course there are any)?
>
> Thanks.
> Andrew.
> --
> Andrew Hodgson in Bromyard, Herefordshire, UK.
> My Email: use <andrew at hodgsonfamily dot org>.
Posted by Walter Roberson on August 16, 2006, 2:56 pm

> I don't understand what you mean by using ADSL to simulate WAN access.
> WAN generally refers to connecting multiple sites together. But you go
> on to describe wanting to test your Internet facing services and how
> the production pix leads you to the test network.

Right. In the past we've done the same thing: used a separate link to test our connectivity and security. The separate link was from a different ISP in a different IP range, so while we were at our desks we could be testing how our equipment interacted with "outside" packets.

> While I don't
> entirely follow - my gut reaction is - get the production Pix off the
> test network and use another device to protect egress to the Internet.
> Likely you are wanting to test your production apps from the
> perspective of someone outside. IOS firewall should be fine for this
> purpose or use another pix.

When we did this, our separate link had a different demarc. We plugged it in to a layer 2 switch, on a different VLAN, and trunked that VLAN around through more layer 2 switches to reach our testbed PIX. This differs from what you are suggesting in that we did not have a *complete* separation of test and production network. Any packets that weren't addressed to the distinct address range weren't going to make it through the ISP to our secondary demarc, and the layer 2 switches were not -themselves- going to act upon packets not addressed to them and not in their management VLAN. We considered the risk of someone managing to inject a successful VLAN hopping attack between the ISP and our demarc to be negligible, particularly as the link was encrypted.
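As an added example (not from the thread or from any of the posters), a small Python audit of an IOS-style switch config for the two concerns raised in the replies above: amigan's point that a test VLAN riding on shared switches is only as isolated as its ACLs and trunk pruning, and Walter's point about VLAN hopping across trunks. The config fragment, interface names, VLAN numbers and ACL name are constructed for illustration.

```python
# Constructed IOS-style config fragment (not from the thread): a core switch
# carrying production VLANs plus test VLAN 50, with two trunk ports.
SAMPLE_CONFIG = """\
interface Vlan50
 description test-network-gateway
 ip address 10.50.0.1 255.255.255.0
!
interface GigabitEthernet1/1
 description trunk-to-access-switch
 switchport mode trunk
 switchport trunk native vlan 50
!
interface GigabitEthernet1/2
 description trunk-to-testbed-pix
 switchport mode trunk
 switchport trunk allowed vlan 50
 switchport trunk native vlan 999
!
"""

def parse_interfaces(config):
    """Group an IOS-style running-config into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return stanzas

def audit_test_vlan(config, test_vlan):
    """Flag ways the test VLAN could reach or disturb production: no ACL on its
    SVI, trunks that carry every VLAN, and trunks whose native VLAN is the test
    VLAN (the precondition for double-tagging VLAN hopping)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == f"vlan{test_vlan}":
            if not any(l.startswith("ip access-group ") for l in lines):
                findings.append(f"{name}: no ACL on test SVI, test traffic routes freely")
        if "switchport mode trunk" not in lines:
            continue
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries all VLANs, prune to what the port needs")
        native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
        if native and int(native[0].split()[-1]) == test_vlan:
            findings.append(f"{name}: native VLAN is the test VLAN, untagged frames land in it")
    return findings

if __name__ == "__main__":
    for finding in audit_test_vlan(SAMPLE_CONFIG, 50):
        print(finding)
```

On the sample above the audit reports three findings: the unprotected test SVI and both problems on the access-switch trunk, while the pruned trunk to the testbed PIX passes.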
Implementing test network