KT Internet Segment Migration

Internet Segment Migration VSS to N7706


Change Control Form
Allied Bank
ITG-Network Planning, Head office, Lahore

COPYRIGHT NOTICE

This work is copyright © 2017, Allied Bank Network Planning team (Information Technology Group), all rights
reserved. Only the Network Planning & Development (ITG) team can reproduce, circulate, use and create derivative
works from this, provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed
to the Allied Bank Network Planning and O&M teams (Information Technology Group), and (c) derivative works
are shared under the same terms as this.

Document Control

Project: Internet Segment Migration Plan
Document Name: Inter Segment Migration VSS to NEXUS Core
Document Class: For Internal Use of Network P&D (ITG) Team
Prepared by: Asif Jahangir
Document Type: Confidential
Created on: 03/24/2017
Last Updated: 03/24/2017
Enclosure: None
Reference Documents: ABL Design Diagram and best practice Documents

Revision History

Change Control # | Date | Verified By | Change Description | Revised by

Introduction

This document explains the design and configuration changes that will be used to migrate the existing KT internet
segment from the VSS-6513 to the Nexus 7706.

Current Design Diagram

Proposed Design Diagram


Prerequisite Steps:

1. Physical cabling between the Nexus 7706 and the Internet firewall (installed, but not yet plugged into the firewall)

2. Create VLANs 215, 232-235, 248, 251-254, 256-261, 503 and 755 on Nexus Core vDC1 & 2

3. Allow the VLANs on the trunk between the Nexus 7706 and the N5K

4. Redistribute the static subnets that we have on VSS using an ACL

5. Inform all stakeholders of the services that might be affected during the activity

o Push and Pull model

o Internet banking

o Call center Services

o SMS banking/mobile banking

o Remote VPN

o All external B2B peers

o Home Remittance service

o Swift

o Proxy services

o Exchange/external Email

Migration Steps:

1. SHUT the BGP neighborships on the Internet routers at both KT & KR.

2. SHUT the inside SVI (VLAN 503) at VSS.

3. Plug the cables into the Internet ASA as per the cabling plan (we will use the existing Gi0/5 & Gi0/7 on
the ASA).

4. Remove the static routes that point to the Internet ASA from VSS.

5. Add the static routes that we removed from VSS on the Nexus 7706.

6. Redistribute the static routes into OSPF using the access-list STATIC, which is created before the
activity.

7. NO SHUT the already created SVI (VLAN 503) at Core VDC-1 and Core VDC-2.

8. NO SHUT the BGP neighbors at the Kalma Tower routers, and then at Kashmir Road after verification.

Revert Plan:

1. SHUT inside SVI (VLAN 503) at Core VDC-1 and Core VDC-2.

2. Revert all 4 cables on the ASA and plug the cable coming from VSS back in.

3. Remove the redistribution of static routes from OSPF process 20.

4. Remove the routes from Core vDC-1 and Core vDC-2.

5. Add the routes on VSS.

6. NO SHUT Inside SVI (vlan 503) at VSS.

7. Services verification after complete revert.

Approvals:

________________________ ________________________

Manager Network Planning & Projects DH Networks & Communication

_________________________________

Group Head IT Operations

1. Create Vlans on core VDC’s.

Core-VDC-01/Core-VDC-02

vlan 215
name eocean-BLB
vlan 232
name DMZ-50
vlan 233
name mobile-banking
vlan 234
name PBRP
vlan 235
name SIP-CC
vlan 248
name FCDB-Prod
vlan 251
name DMZ-1
vlan 252
name DMZ-2
vlan 253
name DMZ-3
vlan 254
name CallCentre
vlan 256
name TestServices
vlan 257
name AT-PBRP
vlan 258
name UAT-PBRS
vlan 259
name remit-prod
vlan 260
name FalconPay-Web
vlan 261
name Oracle-Platinum
vlan 503
name Inside-MSFC
vlan 755
name ikv2

Nexus Core vDC 1 and 2

interface port-channel41
switchport trunk allowed vlan add 215,232-235,248,251-254,256-261,755

N5k1 & 2

interface port-channel29
switchport trunk allowed vlan add 215,232-235,248,251-254,256-261,755

Creating ACL STATIC For Redistribution

ip access-list STATIC
permit ip 10.30.99.38/32 any
permit ip 10.42.244.2/32 any
permit ip 10.98.244.2/32 any
permit ip 10.110.110.0/24 any
permit ip 10.110.110.13/32 any
permit ip 10.110.110.15/32 any
permit ip 10.110.110.16/32 any
permit ip 10.110.110.21/32 any
permit ip 10.110.110.44/32 any
permit ip 10.110.110.45/32 any
permit ip 10.110.110.46/32 any
permit ip 10.110.110.47/32 any
permit ip 10.110.110.48/32 any
permit ip 10.110.110.49/32 any
permit ip 10.110.110.50/32 any
permit ip 10.110.110.51/32 any
permit ip 10.110.110.99/32 any
permit ip 10.110.110.216/32 any
permit ip 10.134.1.0/24 any
permit ip 10.134.1.9/32 any
permit ip 10.134.1.10/32 any
permit ip 10.134.1.12/32 any
permit ip 10.134.1.16/32 any
permit ip 10.134.1.17/32 any
permit ip 10.134.1.18/32 any
permit ip 10.134.1.19/32 any
permit ip 10.134.1.20/32 any
permit ip 10.134.1.22/32 any
permit ip 10.134.1.23/32 any
permit ip 10.134.1.24/32 any
permit ip 10.134.1.25/32 any
permit ip 10.134.1.28/32 any
permit ip 10.134.1.30/32 any
permit ip 10.134.1.31/32 any
permit ip 10.134.1.35/32 any
permit ip 10.134.1.36/32 any
permit ip 10.134.1.37/32 any
permit ip 10.134.1.40/32 any
permit ip 10.134.1.60/32 any
permit ip 10.134.1.65/32 any
permit ip 10.134.1.68/32 any
permit ip 10.134.2.1/32 any
permit ip 10.134.2.4/32 any
permit ip 10.134.2.5/32 any
permit ip 10.134.2.6/32 any
permit ip 10.134.2.15/32 any
permit ip 10.134.10.0/24 any
permit ip 10.135.1.0/24 any
permit ip 10.193.223.0/24 any
permit ip 10.227.22.72/32 any
permit ip 10.227.22.73/32 any
permit ip 10.227.22.74/32 any
permit ip 192.168.10.12/32 any
permit ip 192.168.10.201/32 any
permit ip 192.168.10.249/32 any
permit ip 192.168.10.251/32 any
permit ip 192.168.30.237/32 any
permit ip 192.168.50.0/24 any
permit ip 192.168.51.0/28 any
permit ip 192.168.51.16/28 any
permit ip 192.168.51.32/28 any
permit ip 192.168.80.0/28 any
permit ip 192.168.100.101/32 any
permit ip 192.168.250.192/28 any
permit ip 192.168.251.4/32 any
permit ip 192.168.251.20/32 any
permit ip 192.168.251.48/28 any
permit ip 192.168.251.64/28 any
permit ip 192.168.251.80/28 any
permit ip 192.168.251.96/28 any
permit ip 192.168.255.10/32 any

2. Configure VPC (Port-channel) at Nexus Core VDC’s

Core-VDC-01 ( INSIDE )

NEXUS CORE VDC 1


interface port-channel47
description *** INT-ASA-Pri ***
shutdown
switchport
switchport mode trunk
vpc 47

interface Ethernet2/47
description *** INT-ASA-Pri-GI-0/7 ***
switchport
shutdown
switchport mode trunk
channel-group 47 mode active

interface port-channel48
description *** INT-ASA-Sec ***
shutdown
switchport
switchport mode trunk
vpc 48

interface Ethernet2/48
description *** INT-ASA-Sec-GI-0/7 ***
switchport
switchport mode trunk
channel-group 48 mode active

NEXUS CORE VDC 2


interface port-channel47
description *** INT-ASA-Pri ***
shutdown
switchport
switchport mode trunk
vpc 47

interface Ethernet2/47
description *** INT-ASA-Pri-GI-0/5 ***
switchport
shutdown
switchport mode trunk
channel-group 47 mode active

interface port-channel48
description *** INT-ASA-Sec ***
shutdown
switchport
switchport mode trunk
vpc 48

interface Ethernet2/48
shutdown
switchport
switchport mode trunk
channel-group 48 mode active

3. Configure HSRP between Core VDC’s for layer 3 connectivity with Internet Firewalls.

NEXUS CORE VDC 1

interface Vlan503
description *** MSFC-INT-Inside ***
shutdown
no ip redirects
ip address 10.21.254.21/29
no ipv6 redirects
hsrp version 2
hsrp 503
preempt delay minimum 180 reload 360
priority 150
ip 10.21.254.17

NEXUS CORE VDC 2

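interface Vlan503
description *** MSFC-INT-Inside ***
shutdown
no ip redirects
! NOTE: this is the same interface address as on Core VDC 1 above; each HSRP peer
! needs its own unique address in 10.21.254.16/29
ip address 10.21.254.21/29
no ipv6 redirects
hsrp version 2
hsrp 503
preempt delay minimum 180 reload 360
priority 100
ip 10.21.254.17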

4. Disable the eBGP neighborships on the Internet routers

AT-INT-RTR-2951-1
router bgp 58515
neighbor 110.93.219.69 shutdown

AT-INT-RTR-2951-2
router bgp 58515
neighbor 221.120.209.129 shutdown

KR-RTR-INT-PRI
router bgp 58515
neighbor 221.120.216.229 shutdown
KR-RTR-INT-Sec
router bgp 58515
neighbor 110.93.205.165 shutdown

5. Disable the vlan 503 on VSS

interface Vlan503
shutdown

6. Remove the routes from VSS

no ip route 0.0.0.0 0.0.0.0 10.21.254.18


no ip route 10.30.99.38 255.255.255.255 10.21.254.18
no ip route 10.42.244.2 255.255.255.255 10.21.254.18
no ip route 10.98.244.2 255.255.255.255 10.21.254.18
no ip route 10.110.110.0 255.255.255.0 10.21.254.18
no ip route 10.110.110.13 255.255.255.255 10.21.254.18
no ip route 10.110.110.15 255.255.255.255 10.21.254.18
no ip route 10.110.110.16 255.255.255.255 10.21.254.18
no ip route 10.110.110.21 255.255.255.255 10.21.254.18
no ip route 10.110.110.44 255.255.255.255 10.21.254.18
no ip route 10.110.110.45 255.255.255.255 10.21.254.18
no ip route 10.110.110.46 255.255.255.255 10.21.254.18
no ip route 10.110.110.47 255.255.255.255 10.21.254.18
no ip route 10.110.110.48 255.255.255.255 10.21.254.18
no ip route 10.110.110.49 255.255.255.255 10.21.254.18
no ip route 10.110.110.50 255.255.255.255 10.21.254.18
no ip route 10.110.110.51 255.255.255.255 10.21.254.18
no ip route 10.110.110.99 255.255.255.255 10.21.254.18
no ip route 10.110.110.216 255.255.255.255 10.21.254.18
no ip route 10.134.1.0 255.255.255.0 10.21.254.18
no ip route 10.134.1.9 255.255.255.255 10.21.254.18 name VPN-SajjadA
no ip route 10.134.1.10 255.255.255.255 10.21.254.18 name VPN-IAjmal
no ip route 10.134.1.12 255.255.255.255 10.21.254.18
no ip route 10.134.1.16 255.255.255.255 10.21.254.18 name VPN-Jery
no ip route 10.134.1.17 255.255.255.255 10.21.254.18 name VPN-AliOmer
no ip route 10.134.1.18 255.255.255.255 10.21.254.18 name VPN-Rashid-Dubai
no ip route 10.134.1.19 255.255.255.255 10.21.254.18 name VPN-GC-CRBG
no ip route 10.134.1.20 255.255.255.255 10.21.254.18 name VPN-Umer-Dubai
no ip route 10.134.1.22 255.255.255.255 10.21.254.18 name thassan04
no ip route 10.134.1.23 255.255.255.255 10.21.254.18 name HassanJafri
no ip route 10.134.1.24 255.255.255.255 10.21.254.18 name VPN-Myahya
no ip route 10.134.1.25 255.255.255.255 10.21.254.18 name VPN-AurangZaib
no ip route 10.134.1.28 255.255.255.255 10.21.254.18 name VPN-GH-AUDIT-MOIN-KHALID
no ip route 10.134.1.30 255.255.255.255 10.21.254.18 name VPN-EugeneP
no ip route 10.134.1.31 255.255.255.255 10.21.254.18 name VPN-GC-CIBG
no ip route 10.134.1.35 255.255.255.255 10.21.254.18
no ip route 10.134.1.36 255.255.255.255 10.21.254.18 name VPN-Aliomer
no ip route 10.134.1.37 255.255.255.255 10.21.254.18 name VPN-Chief-CAG
no ip route 10.134.1.40 255.255.255.255 10.21.254.18 name VPN-GC-CIBG
no ip route 10.134.1.60 255.255.255.255 10.21.254.18 name Test-Networks
no ip route 10.134.1.65 255.255.255.255 10.21.254.18 name Test-Networks
no ip route 10.134.1.68 255.255.255.255 10.21.254.18
no ip route 10.134.2.1 255.255.255.255 10.21.254.18
no ip route 10.134.2.4 255.255.255.255 10.21.254.18
no ip route 10.134.2.5 255.255.255.255 10.21.254.18
no ip route 10.134.2.6 255.255.255.255 10.21.254.18
no ip route 10.134.2.15 255.255.255.255 10.21.254.18
no ip route 10.134.10.0 255.255.255.0 10.21.254.18
no ip route 10.135.1.0 255.255.255.0 10.21.254.18 name ANYCONNECT-VPN
no ip route 10.193.223.0 255.255.255.0 10.21.254.18 name Bahrain
no ip route 10.227.22.72 255.255.255.255 10.21.254.18
no ip route 10.227.22.73 255.255.255.255 10.21.254.18
no ip route 10.227.22.74 255.255.255.255 10.21.254.18
no ip route 192.168.10.12 255.255.255.255 10.21.254.18 name eocean
no ip route 192.168.10.201 255.255.255.255 10.21.254.18
no ip route 192.168.10.249 255.255.255.255 10.21.254.18
no ip route 192.168.10.251 255.255.255.255 10.21.254.18
no ip route 192.168.30.237 255.255.255.255 10.21.254.18
no ip route 192.168.50.0 255.255.255.0 10.21.254.18
no ip route 192.168.51.0 255.255.255.240 10.21.254.18
no ip route 192.168.51.16 255.255.255.240 10.21.254.18
no ip route 192.168.51.32 255.255.255.240 10.21.254.18
no ip route 192.168.80.0 255.255.255.240 10.21.254.18
no ip route 192.168.100.101 255.255.255.255 10.21.254.18 name AMC
no ip route 192.168.250.192 255.255.255.240 10.21.254.18
no ip route 192.168.251.4 255.255.255.255 10.21.254.18
no ip route 192.168.251.20 255.255.255.255 10.21.254.18
no ip route 192.168.251.48 255.255.255.240 10.21.254.18
no ip route 192.168.251.64 255.255.255.240 10.21.254.18 name FCDB-Prod-Internet
no ip route 192.168.251.80 255.255.255.240 10.21.254.18 name Falcon-Pay-Web
no ip route 192.168.251.96 255.255.255.240 10.21.254.18 name Oracle-Platinum
no ip route 192.168.255.10 255.255.255.255 10.21.254.18 name Engro

7. Add the routes on Nexus Core vDC 1 and vDC 2

ip route 0.0.0.0 0.0.0.0 10.21.254.18


ip route 10.30.99.38 255.255.255.255 10.21.254.18
ip route 10.42.244.2 255.255.255.255 10.21.254.18
ip route 10.98.244.2 255.255.255.255 10.21.254.18
ip route 10.110.110.0 255.255.255.0 10.21.254.18
ip route 10.110.110.13 255.255.255.255 10.21.254.18
ip route 10.110.110.15 255.255.255.255 10.21.254.18
ip route 10.110.110.16 255.255.255.255 10.21.254.18
ip route 10.110.110.21 255.255.255.255 10.21.254.18
ip route 10.110.110.44 255.255.255.255 10.21.254.18
ip route 10.110.110.45 255.255.255.255 10.21.254.18
ip route 10.110.110.46 255.255.255.255 10.21.254.18
ip route 10.110.110.47 255.255.255.255 10.21.254.18
ip route 10.110.110.48 255.255.255.255 10.21.254.18
ip route 10.110.110.49 255.255.255.255 10.21.254.18
ip route 10.110.110.50 255.255.255.255 10.21.254.18
ip route 10.110.110.51 255.255.255.255 10.21.254.18
ip route 10.110.110.99 255.255.255.255 10.21.254.18
ip route 10.110.110.216 255.255.255.255 10.21.254.18
ip route 10.134.1.0 255.255.255.0 10.21.254.18
ip route 10.134.1.9 255.255.255.255 10.21.254.18 name VPN-SajjadA
ip route 10.134.1.10 255.255.255.255 10.21.254.18 name VPN-IAjmal
ip route 10.134.1.12 255.255.255.255 10.21.254.18
ip route 10.134.1.16 255.255.255.255 10.21.254.18 name VPN-Jery
ip route 10.134.1.17 255.255.255.255 10.21.254.18 name VPN-AliOmer
ip route 10.134.1.18 255.255.255.255 10.21.254.18 name VPN-Rashid-Dubai
ip route 10.134.1.19 255.255.255.255 10.21.254.18 name VPN-GC-CRBG
ip route 10.134.1.20 255.255.255.255 10.21.254.18 name VPN-Umer-Dubai
ip route 10.134.1.22 255.255.255.255 10.21.254.18 name thassan04
ip route 10.134.1.23 255.255.255.255 10.21.254.18 name HassanJafri
ip route 10.134.1.24 255.255.255.255 10.21.254.18 name VPN-Myahya
ip route 10.134.1.25 255.255.255.255 10.21.254.18 name VPN-AurangZaib
ip route 10.134.1.28 255.255.255.255 10.21.254.18 name VPN-GH-AUDIT-MOIN-KHALID
ip route 10.134.1.30 255.255.255.255 10.21.254.18 name VPN-EugeneP
ip route 10.134.1.31 255.255.255.255 10.21.254.18 name VPN-GC-CIBG
ip route 10.134.1.35 255.255.255.255 10.21.254.18
ip route 10.134.1.36 255.255.255.255 10.21.254.18 name VPN-Aliomer
ip route 10.134.1.37 255.255.255.255 10.21.254.18 name VPN-Chief-CAG
ip route 10.134.1.40 255.255.255.255 10.21.254.18 name VPN-GC-CIBG
ip route 10.134.1.60 255.255.255.255 10.21.254.18 name Test-Networks
ip route 10.134.1.65 255.255.255.255 10.21.254.18 name Test-Networks
ip route 10.134.1.68 255.255.255.255 10.21.254.18
ip route 10.134.2.1 255.255.255.255 10.21.254.18
ip route 10.134.2.4 255.255.255.255 10.21.254.18
ip route 10.134.2.5 255.255.255.255 10.21.254.18
ip route 10.134.2.6 255.255.255.255 10.21.254.18
ip route 10.134.2.15 255.255.255.255 10.21.254.18
ip route 10.134.10.0 255.255.255.0 10.21.254.18
ip route 10.135.1.0 255.255.255.0 10.21.254.18 name ANYCONNECT-VPN
ip route 10.193.223.0 255.255.255.0 10.21.254.18 name Bahrain
ip route 10.227.22.72 255.255.255.255 10.21.254.18
ip route 10.227.22.73 255.255.255.255 10.21.254.18
ip route 10.227.22.74 255.255.255.255 10.21.254.18
ip route 192.168.10.12 255.255.255.255 10.21.254.18 name eocean
ip route 192.168.10.201 255.255.255.255 10.21.254.18
ip route 192.168.10.249 255.255.255.255 10.21.254.18
ip route 192.168.10.251 255.255.255.255 10.21.254.18
ip route 192.168.30.237 255.255.255.255 10.21.254.18
ip route 192.168.50.0 255.255.255.0 10.21.254.18
ip route 192.168.51.0 255.255.255.240 10.21.254.18
ip route 192.168.51.16 255.255.255.240 10.21.254.18
ip route 192.168.51.32 255.255.255.240 10.21.254.18
ip route 192.168.80.0 255.255.255.240 10.21.254.18
ip route 192.168.100.101 255.255.255.255 10.21.254.18 name AMC
ip route 192.168.250.192 255.255.255.240 10.21.254.18
ip route 192.168.251.4 255.255.255.255 10.21.254.18
ip route 192.168.251.20 255.255.255.255 10.21.254.18
ip route 192.168.251.48 255.255.255.240 10.21.254.18
ip route 192.168.251.64 255.255.255.240 10.21.254.18 name FCDB-Prod-Internet
ip route 192.168.251.80 255.255.255.240 10.21.254.18 name Falcon-Pay-Web
ip route 192.168.251.96 255.255.255.240 10.21.254.18 name Oracle-Platinum
ip route 192.168.255.10 255.255.255.255 10.21.254.18 name Engro

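Core-VDC-01

! The route-map STATIC referenced below is not defined in this plan (only the
! access-list STATIC is); it must exist on both VDCs.
router ospf 20
redistribute static route-map STATIC

Core-VDC-02

router ospf 20
redistribute static route-map STATIC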
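
A pre-change consistency check for the ACL STATIC and the route lists in steps 6 and 7, as an added example that is not part of the original change plan. It assumes, as in this plan, one ACL entry per static prefix; the function names and the sample input are constructed for illustration.

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def parse_routes(text):
    """Return {(prefix, next_hop)} from 'ip route' and 'no ip route' lines."""
    routes = set()
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["no"]:
            tok = tok[1:]
        if tok[:2] == ["ip", "route"] and len(tok) >= 5:
            # strict parsing raises ValueError if host bits are set in a prefix
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            routes.add((net, ipaddress.ip_address(tok[4])))
    return routes

def parse_acl(text):
    """Return source prefixes from 'permit ip <prefix>/<len> any' entries."""
    return {ipaddress.ip_network(t[2]) for t in map(str.split, text.splitlines())
            if t[:2] == ["permit", "ip"] and t[3:4] == ["any"]}

def audit(acl_text, vss_text, nexus_text):
    """Compare the three lists; assumes one ACL entry per static prefix."""
    acl = parse_acl(acl_text)
    removed, added = parse_routes(vss_text), parse_routes(nexus_text)
    prefixes = {net for net, _ in added}
    fmt = lambda pairs: [f"{n} via {h}" for n, h in sorted(pairs)]
    return {
        "lost_in_migration": fmt(removed - added),
        "new_on_nexus": fmt(added - removed),
        # the plan's ACL has no default-route entry, so 0.0.0.0/0 is skipped
        "missing_from_acl": [str(n) for n in sorted(prefixes - acl - {DEFAULT})],
        "stale_acl_entries": [str(n) for n in sorted(acl - prefixes)],
    }

# Constructed sample in the plan's syntax, with drift planted on purpose.
ACL = """ip access-list STATIC
permit ip 10.30.99.38/32 any
permit ip 10.134.10.0/24 any
permit ip 192.168.51.0/28 any
permit ip 192.168.80.0/28 any"""
VSS = """no ip route 0.0.0.0 0.0.0.0 10.21.254.18
no ip route 10.30.99.38 255.255.255.255 10.21.254.18
no ip route 10.134.10.0 255.255.255.0 10.21.254.18
no ip route 192.168.51.0 255.255.255.240 10.21.254.18
no ip route 192.168.50.0 255.255.255.0 10.21.254.18"""
NEXUS = VSS.replace("no ip route", "ip route").replace(
    "ip route 192.168.51.0 255.255.255.240 10.21.254.18\n", "")

if __name__ == "__main__":
    for check, items in audit(ACL, VSS, NEXUS).items():
        print(f"{check}: {items or 'ok'}")
```

Run against the full lists before the change window, every check should come back empty; a prefix under missing_from_acl is a static route with no matching entry in the ACL STATIC.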

8. Enable the vlan 503 on Nexus Core vDC1 and vDC2

interface Vlan503
no shutdown

Approvals:

________________________ ________________________

Manager Network Operations DH Networks & Communication

_________________________________

Group Head IT Operations
