
Suresh Reddy/VFServices/VF Corporation: Hey Steve 1:04 PM
Good afternoon 1:04 PM
How are you? 1:04 PM
Steve Stettler/VFServices/VF Corporation: Afternoon. Doing good. You? 1:04 PM
Suresh Reddy/VFServices/VF Corporation: Yeah Steve, feeling so tired, back from my hometown 1:09 PM
Steve Stettler/VFServices/VF Corporation: Ah. How many miles/kilometers away? Long ride/drive, or just too much fun with family and friends and not enough sleep? smile Back in a while; heading out for a late lunch. 1:41 PM
Suresh Reddy/VFServices/VF Corporation: Yeah, it is around 400 kilometers away 2:16 PM
Yeah, I enjoyed a lot, but I got an unexpected call from Neeraj so I came in today; the journey made me so tired, but I enjoyed a lot 2:17 PM
Sure, enjoy your lunch 2:17 PM
:) 2:17 PM
Steve, any updates or info for me about Retail 13.0? 3:14 PM
Steve Stettler/VFServices/VF Corporation: I am reviewing spreadsheets now. I will send in a bit. 3:14 PM
Suresh Reddy/VFServices/VF Corporation: OK, thanks Steve; I can also ask if anything comes to my mind 3:16 PM
Steve Stettler/VFServices/VF Corporation: k 3:16 PM
Email on its way with a spreadsheet and an attempt to explain what goes in each column. It might be easiest to use a few completed ones as examples and log into the respective routers and see what data went to what columns. Thanks. 3:48 PM
Suresh Reddy/VFServices/VF Corporation: Thanks much, Steve 3:53 PM
Steve Stettler/VFServices/VF Corporation: You're welcome 3:53 PM
Suresh Reddy/VFServices/VF Corporation: Will check it 3:53 PM
By the way, has the change started for any of the stores? 3:53 PM
Steve Stettler/VFServices/VF Corporation: I have not seen invites yet. I just gave Larry about 20-25 IP address pairs for the move from DSL and he has submitted orders for those this week. It normally takes about 30-45 days for installation to be done, so I suppose around the middle of next month we should be hearing about dates. 3:55 PM
Suresh Reddy/VFServices/VF Corporation: Oh... so we have a good amount of time to work on this 3:57 PM
Steve, I would like to make some real contribution with your help 3:58 PM
I mean right from the core level 3:58 PM
Steve Stettler/VFServices/VF Corporation: That sounds scary. smile What do you have in mind? 3:58 PM
Suresh Reddy/VFServices/VF Corporation: 4:00 PM
Nothing to worry about, Steve 4:01 PM
The thing is, for example, for these changes you have been preparing all the IP address details; I am much interested in joining you on all the parameters. For the earlier NF changes you used saved config files; I was interested in those as well 4:02 PM
Steve Stettler/VFServices/VF Corporation: OK, so see more of how things are set up instead of just seeing the config files that were generated? If so, I will keep it in the back of my mind and see where we can fit that in. 4:13 PM
Suresh Reddy/VFServices/VF Corporation: Sure Steve, I will start from this change itself 4:15 PM
Saw your mail, no worries, I give you my word the work will be done by Monday 4:16 PM
Steve Stettler/VFServices/VF Corporation: smile OK, thanks. 4:16 PM
Suresh Reddy/VFServices/VF Corporation: Thanks Steve :) 4:16 PM
Steve, I have had a doubt running in my mind for a long time; not sure whether it's silly or useless, but please help me resolve it 4:20 PM
What and why do we use PCI, non-PCI and NAC subnets? 4:21 PM
What are these terms about, and how are they related in the store architecture? 4:21 PM
Steve Stettler/VFServices/VF Corporation: OK, in a minute 4:22 PM
Suresh Reddy/VFServices/VF Corporation: Sure, take your time 4:22 PM
No rush 4:22 PM
Steve Stettler/VFServices/VF Corporation: OK. Identity theft resulted in a bunch of new rules related to protecting credit card info, at least in the US. I think that PCI stands for "Payment Card Industry". So our first level of implementing that requirement was to put everything at the stores behind firewalls and call it the PCI Zone. After learning more we created a secondary subnet at the stores and called it NON_PCI; it is not behind a firewall. We have moved several devices to that subnet at stores, and have installed new devices in that subnet for stores. Unfortunately, some business units wanted to move devices there, others are slower to do it. TNF has DMP digital media players and security cameras and DVRs there. Vans has security DVRs there and is piloting some new traffic counters in the NON_PCI subnet. So the NON_PCI subnet is like a non-store production environment: the devices are not behind a special firewall, just the normal Internet-facing firewall.
And the NAC subnet is something that we apparently did not do a very good job of implementing. All that really happens with that is that if a store device's MAC address is not found in the CAM server then the switch port gets put into VLAN 990 until Retail Support opens a ticket stating that the device is legit and asks to have it added to the CAM. After that, whenever the switch port bounces in any form, the MAC address should be looked up again and found this time, resulting in the port going into the store PCI VLAN/subnet. What was supposed to happen was that we were supposed to set up DHCP scopes, either on the Intel DHCP server or the store routers, for that subnet so that along with going into that VLAN the device would also get an IP address in the NAC subnet (if the device was configured for DHCP). Once it had an IP address, there is an ACL on the router (ACL 190) that only allows the device to get to certain restricted addresses. I think that the concept was to allow for some kind of remediation over the IP network without letting it get to most of the PCI and NON_PCI/production network.