How do you deploy a new remote site?
Iristheangel
Mod Posts: 4,133 Mod
in Off-Topic
I'm curious to see what other network engineers think about my methodology. I'm in the middle of a huge network refresh and adding Wi-Fi/CCTV to about 21 sites. Part of this involves configuring new routers and about a dozen or so switches for each site as well as utilizing existing old switches that are onsite (note: legacy equipment usually doesn't have SSH or update code) and having our wiring vendor who is pulling all the fiber and wiring for these sites physically install the equipment and turn it up for me. Usually these vendors don't have laptops on them so if something goes wrong with my config, It gets messy.
The way I've been doing it has been to configure the router and switches with pretty barebones configurations: Routing, SSH and Telnet, VTP Transparent mode, VLANs, port security local login, etc. Once I get the site up and running, I go back and update the code on legacy equipment, add DHCP snooping, get rid of telnet completely, add TACACs, VTP server/client, change all the trunks to have a different native VLAN (blackhole VLAN), add port descriptions, etc and lean on the "reload in 20" command. After I'm done with this, I create a logical and physical diagram, map the IDF/MDF locations on floorplans, copy the final configs, create a Sitepak with everything about the site and move onto the next.
I've had a pretty high success rate with little to no interruptions using the above methodology but I've been a network engineer for a little over a year now. My new co-worker has been doing this for 8+ years at other companies and he's a bit different. He adds EVERYTHING all at once including TACACS, route-maps, DHCP snooping, etc to start and sends it out. I haven't seen him bring up a site yet without issues due to his configs but of course, he's pretty insistent about sending the routers/switches out with the final config to start.
If I just took it as anecdotal, I would say based on my record of successes compared to his with deploying sites, I'd be right here but anecdotal evidence isn't always the best way to go. What do fellow network engineers say? What methodology do you employ when deploying a new site remote with dumb remote hands or mixed new/legacy equipment?
Thanks for reading!
The way I've been doing it has been to configure the router and switches with pretty barebones configurations: Routing, SSH and Telnet, VTP Transparent mode, VLANs, port security local login, etc. Once I get the site up and running, I go back and update the code on legacy equipment, add DHCP snooping, get rid of telnet completely, add TACACs, VTP server/client, change all the trunks to have a different native VLAN (blackhole VLAN), add port descriptions, etc and lean on the "reload in 20" command. After I'm done with this, I create a logical and physical diagram, map the IDF/MDF locations on floorplans, copy the final configs, create a Sitepak with everything about the site and move onto the next.
I've had a pretty high success rate with little to no interruptions using the above methodology but I've been a network engineer for a little over a year now. My new co-worker has been doing this for 8+ years at other companies and he's a bit different. He adds EVERYTHING all at once including TACACS, route-maps, DHCP snooping, etc to start and sends it out. I haven't seen him bring up a site yet without issues due to his configs but of course, he's pretty insistent about sending the routers/switches out with the final config to start.
If I just took it as anecdotal, I would say based on my record of successes compared to his with deploying sites, I'd be right here but anecdotal evidence isn't always the best way to go. What do fellow network engineers say? What methodology do you employ when deploying a new site remote with dumb remote hands or mixed new/legacy equipment?
Thanks for reading!
Comments
Usually when I deploy a site.
1. Site suvery. What services do they need, alarms, door buzzers video. What services do they have in place.
2. I get copies of the existing devices configuration and find out what is needed and whats not.
3. I put baseline configs on the new equipment, IP's, Routing,QOS, VLANS. No ACL or traffic blocking configuration.
4. Deploy the site and add the ACLs, policy maps, ETC. Start a test plan based on the information I got in Step 1.
If there is any legacy equipment that plays a major piece like a core switch or something I also start fresh with that gear as well treating it as its new.
CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
In the scenario, that you outlined, my business requirements would have mandated an approach that would be based on the critical nature of the sites. For some sites, I would not allow an external cable-vendor to rack/stack the network equipment so I would expect that the network equipment be pre-configured to the point where local support can just rack it.
For sites that are more critical in nature, I would fund travel for the network engineer to be onsite during the upgrade. But in order to reduce downtime (usually less than 15 minutes downtime during the maintenance window), I may require that the final configs be pre-built and tested before it is deployed.
I think that either of the approaches that you mentioned are probably fine. My concern with your approach is that it implies that the configs may not have been pre-tested.
Ultimately, in our environment, I would provide the requirements but I leave it to the network engineers to do their job. But my requirements always include some level of pre-deployment testing and a roll-back plan.
It turned out that we had a "surprise" D-Link piece-of-shite in the way that was interfering with trunking and causing flaps. As soon as that was replaced with one of the old 2950s, BAM. Came right up and everything was fine.
If I have configured VTP on both switches prior to mailing the out, used the trusty "macro apply cisco-switch $native_vlan 999" (my blackhole vlan of choice!), enabled DHCP snooping on the switches, etc, I would have having to troubleshoot all those things first and start narrowing down what the issue could be before finally finding out that it was something completely out of my control.
That's why I use my method. I keep it simple at first because there are always the possibility of unknown factors popping up. Especially when you are working on something remotely.
Believe me, when I configure my site equipment, I hook it all up EXACTLY based on what I know the physical topology to be in our lab and configure from there. I label each port and switch with a label maker for all the uplinks to other switches or router. I include notes on which switch is replacing what switch and the location. I'm to the point of being OCD about it and the followup documentation when I'm done with a deployment.
As far as customer needs and requirements, that's a given. My original post is more about the methodology employed when remotely bringing up a site and how you do configurations.
Blog: www.network-node.com
In your situation, your colleague's approach of using a "sunny day scenario" deployment method seems a bit over-optimistic.
Generally speaking I would never advocate a "sunny day" deployment if changes cannot be pre-tested and confirmed based on an understanding of the existing environment. If such conditions exists and I am not willing to fund a site-survey, my expectation would then be a deployment method that reduces work-effort expenses and overall risk.
A more flexible approach which your proposed would likely be more appealing to me. A fully-preconfigured approach seems like an inefficient use of work-effort. And at worst, could introduce additional risk to the environment if there were assumptions made about the site's network which may not be accurate.
Edit - Bear in mind - my comments are not from a network engineering best-practice perspective. It's from the perspective of technology management for a line-of-business that would be ultimately responsible for a site's uptime and business processes.
Only thing I enable is for the switch to receive a DHCP address and telnes access w/ a local acc.
...
What I experience;
1. Vendor ships it
2. Switch is plugged in. Before hand, I tick a few boxes on my program to what I "want it to be"
3. I press my run button.
4.Switch comes up and it works 1 to 4 minutes later, depending on type of switch.
I'm working on the same thing for our Routers, Firewalls and AP's as well.
I love scripting & creating GUI's for my work
What program?
I will echo W Stewart. While more experienced engineers should certainly not be disregarded, that they have more experience is not necessarily going to mean they're actually doing things better or have more skill. I would say it's weakly correlated at best. I've worked with people who've been in the industry longer than I've been alive who were totally incompetent and had almost no technical knowledge. That is far from the norm, but it's important to remember that experience does not equal skill.
Hopefully more people who actually do the type of work you do day-to-day will weigh in.
Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
In progress: CLEP US GOV,
Next up: MATH 211, ECON 352, ICS 340
So I have done the full config as it will run in production, sent this to the supplier and got them to installed it, had the device delivered direct to the remote site and had a junior engineer plug it in and its up and running with out issues. I have also when time has been tighter, just set up the very basic config that will allow me to remotely connect and done the entire config remotely.
Generally for edge devices at remote sites I do all the config first, while for access and internal devices I do less upfront and more remotely. I have started now I have CISCO Prime creating a lot of baseline configs that I can push to devices which makes setting up devices remotely a lot easier.
Out of interest rather than using just "reload in..." you can try this
https://supportforums.cisco.com/thread/2237572
using an IP SLA monitor to trigger a reload, so if you screw it up (the technical term
Shipping in this case was just a matter of driving 5-15 minutes since most sites were within the same city, but things never broke due to bad initial configs as far as I can remember. It also should be said that the entire enivornment was very uniform, with all ~100 sites having more or less identical topologies and gear, with the number of access switches being the only thing that changed.