K2000 with VLANS - recommendations?
Firstly, we've got v 3.4 as a VM.
Second, our setup - cisco asa550, allot netenforcer, hp gigabit switches, gigabit everywhere else.
Third, we've got 7 vlans, but only need K2000 and RSA's on 2 of them.
Now, I'm fairly certain the only way I'm going to get this to work properly is via some inter-subnet routing, but that'll cut our interface speed down to 100 Mbits on account of the traffic passing through the allot netenforcer, and in turn will hose the cpu utilization of the netenforcer. I know that the K2000 has a (seemingly unutilized?) second interface, but it appears to be for grabbing an IP on the same subnet as the primary only. It seems to me I've got a few options, outlined below:
Option 1: Define the routes and allow all the traffic to pass through the net enforcer and have the contents of the syncs added to the logs inside the net enforcer.
Problems: High processor utilization, MASSIVE additions to the logs (entire contents of the syncs), really slow synchronizations.
Option 2: Additional hardware within the network to pass only specific traffic between the addresses used by the k2000 and RSAs.
Problems: Additional hardware cost and complexity; annoying for a modern device to lack vlan support, even when it has a second interface (that's incapable of joining another subnet).
Option 3: SSH in and manually define an additional interface (or alternative configuration for the existing secondary interface) to allow membership to a secondary network for the purposes of syncing only.
Problems: Kinda complicated, modifying the k2000 to a state outside its initial operating parameters, it'll probably break whenever there's an update, and I don't know if there's a system integrity check performed, but I'll assume it would fail.
Any input on this would be appreciated; I was actually *really* surprised that this device doesn't have multiple interfaces and/or vlan support, as it seems all other enterprise class devices do these days. If I can assign more interfaces in vmware, I should be able to use them in the k2000. Even the hardware has a second ethernet; is it the same way, as in, unable to assign the second interface to anything other than another IP on the primary subnet? Anywho, any assistance would be greatly appreciated. Thanks!
Answers (5)
Posted by:
jrscribner
12 years ago
shawnt,
We have a physical K2000 which has only two interfaces: one that is used to pass the imaging traffic, and the other one can be configured as a management interface or used for off-board storage traffic. I think the virtual appliance is the same way. Your idea to SSH into the appliance to add additional interfaces won't work because Kace doesn't give you access to the command line; it keeps us from getting in there and screwing it up. Your options are to route your sync traffic thru your asa550 to the RSAs or add the additional hardware to route between the subnets, bypassing your netenforcer. The RSAs only sync the differences between what they have and what items you have told them to sync, so the initial sync is large, and again when you make massive changes to an image or install tasks.
The IP Helper command you're referring to is issued on the cisco router or asa and is used to send broadcast traffic to a specific device. I don't think Kace needs an ip helper address configured because they use DHCP options 66 & 67 to tell the client where the PXE server is (I need to confirm this in our environment, because I have IP helper addresses configured because we used Altiris before switching to Kace and they needed the IP Helper Address configured).
Jeremy
If my posting helped please consider rating it
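The answer above hinges on what a DHCP scope actually hands a PXE client on a routed VLAN: an ip helper only relays the broadcast, while the next-server field or option 66 plus option 67 tell the client where the boot server and file are. The following is an added example, not code from this thread or from Kace: it builds a constructed DHCPOFFER and checks those fields; the K2000 address 10.10.0.5, client address 10.20.0.77 and the boot file name are assumed sample values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2132)


def build_dhcp_offer(yiaddr, siaddr, tftp_server=None, bootfile=None):
    """Build a minimal DHCPOFFER (constructed sample, not a capture).
    siaddr is the BOOTP next-server field; options 66/67 are added only when given."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4,                        # ciaddr
                      socket.inet_aton(yiaddr),         # address offered to the client
                      socket.inet_aton(siaddr),         # next-server (boot server)
                      b"\0" * 4,                        # giaddr, filled in by a relay/ip helper
                      b"\x00\x11\x22\x33\x44\x55".ljust(16, b"\0"),  # sample client MAC
                      b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 2])                            # option 53: message type = OFFER
    if tftp_server is not None:
        t = tftp_server.encode()
        opts += bytes([66, len(t)]) + t                 # option 66: TFTP server name
    if bootfile is not None:
        f = bootfile.encode()
        opts += bytes([67, len(f)]) + f                 # option 67: bootfile name
    return hdr + MAGIC_COOKIE + opts + b"\xff"          # 255 ends the option list


def parse_dhcp_options(packet):
    """Walk the option TLVs after the magic cookie; returns {code: raw bytes}."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end marker
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def check_pxe_offer(packet, expected_server):
    """Report whether the offer steers a PXE client to expected_server.
    Requires next-server or option 66 to name the server and option 67 to name the file."""
    opts = parse_dhcp_options(packet)
    next_server = socket.inet_ntoa(packet[20:24])       # siaddr sits at offset 20
    tftp = opts.get(66, b"").decode() or None
    bootfile = opts.get(67, b"").decode() or None
    return {"next_server": next_server, "tftp_server": tftp, "bootfile": bootfile,
            "points_to_server": expected_server in (next_server, tftp) and bootfile is not None}
```

Feeding a real offer captured on the client VLAN into check_pxe_offer shows whether the scope, not the relay, is what is steering clients to the appliance.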
Posted by:
shawnt
12 years ago
Thanks - I thought so, but I found an hp switch config sample that showed ip-helper; I'm assuming it was wrongly stated as a config from a procurve 2810. If the RSA didn't require a heartbeat, I'd just sync it, then bounce it to the other vlan by changing the VM properties.... :) (for now at least, until I can add an L3 switch).
Thanks again.
Posted by:
ronfalkoff
12 years ago
We have machines connecting and netbooting across subnets working without the bless command. We do have a separate DHCP server; we did add ip igmp to the VLAN and added the ip helper on the switch. Also, the DHCP scope we added for that subnet has options for the appropriate subnet to point back to the K2000.
Hope this helps!!!
Posted by:
shawnt
12 years ago
Sounds like you're running layer 3 switches though, right?
If you're running HP Procurve 2810's you're my new best friend :D
ORIGINAL: ronfalkoff
We have machines connecting and netbooting across subnets working without the bless command. We do have a separate DHCP server; we did add ip igmp to the VLAN and added the ip helper on the switch. Also, the DHCP scope we added for that subnet has options for the appropriate subnet to point back to the K2000.
Hope this helps!!!
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.