
Route Summarization for the ERS8600

As networks grow in size, the routing table on each router grows as well. As a result the overhead to process the routes can grow exponentially and take resources away from other functions the router could be performing. Large routing tables are also difficult to read quickly and efficiently and to troubleshoot. You can make your life much easier if you engineer your IP addressing with a harmonious numbering system and avoid a discontiguous network address scheme. If you adhere to these methods and use CIDR addresses you can also take advantage of route summarization (aka route aggregation).

An example of route summarization: suppose you have an ASBR that manages five 24-bit networks.

172.16.0.1/24
172.16.1.1/24
172.16.2.1/24
172.16.3.1/24
172.16.4.1/24

In a neighbouring router's table these networks will be listed as attached networks, each with a next hop and a value, and each route will be advertised into the LSDB. We can reduce the number of advertisements by summarizing these five networks on the ASBR as one large network, so the neighbouring router receives only one advertisement. This is accomplished by using a CIDR mask length that encompasses the entire range of the five example networks.

The five networks listed above consist of the range 172.16.0.1 – 172.16.4.255. This can be summarized as 172.16.0.0/21 or 172.16.0.0/255.255.248.0.

To accomplish this you will need to understand CIDR, VLSM, IP and binary math. The best site I have found that explains the math behind the calculations is http://subnettingmadeeasy.blogspot.com/2007/11/router-summarization.html. Note: the author of that article makes some great observations on how summarizing your routes can cause issues, and he also describes some good workarounds.

Or, if you are like me, you can use an online calculator. The best one I have found is http://buchananweb.co.uk/security51.aspx
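To show the binary math behind the summary above, here is an added Python example (my own code, not from the original post or the linked sites) that computes the smallest single prefix covering a list of networks and also reports the address space the summary advertises that none of the real networks use, which is the side effect the linked article warns about. The network list is constructed from the five /24s above; the function names are my own.

```python
import ipaddress

# Constructed sample: the five /24 networks from the post above, written
# exactly as listed there (host address plus mask length).
EXAMPLE_NETWORKS = [
    "172.16.0.1/24", "172.16.1.1/24", "172.16.2.1/24",
    "172.16.3.1/24", "172.16.4.1/24",
]


def summary_route(prefixes):
    """Return the smallest single prefix that covers every network given.

    This is the binary math the post refers to: take the lowest and highest
    address in the set and shorten the mask one bit at a time until both
    fall inside the same prefix.  Host bits (172.16.0.1/24) are masked off.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if not nets:
        raise ValueError("no networks given")
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    prefixlen = min(n.prefixlen for n in nets)
    while prefixlen > 0:
        candidate = ipaddress.ip_network((int(lowest), prefixlen), strict=False)
        if highest in candidate:
            return candidate
        prefixlen -= 1
    return ipaddress.ip_network((int(lowest), 0), strict=False)


def uncovered_space(prefixes):
    """Return the prefixes inside the summary that none of the given
    networks actually use.  The ASBR attracts traffic for these addresses
    even though it holds no more specific route for them, which is the
    side effect summarization can introduce."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    remaining = [summary_route(prefixes)]
    for net in nets:
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))  # carve net out
            elif not block.subnet_of(net):
                kept.append(block)                       # disjoint: keep
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    summary = summary_route(EXAMPLE_NETWORKS)
    print("summary:", summary, "=", summary.with_netmask)
    print("advertised but unused:",
          [str(n) for n in uncovered_space(EXAMPLE_NETWORKS)])
```

For the five networks above this yields 172.16.0.0/21, and shows that 172.16.5.0/24 and 172.16.6.0/23 are advertised by the summary although no router owns them.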

An ERS8600 CLI example of the route summary described above would look like this.

ip ospf admin-state enable
ip ospf router-id 172.16.0.0
ip ospf enable
ip ospf area 0.0.0.1 create
ip ospf area 0.0.0.1 range 172.16.0.0/255.255.248.0 create advertise-mode summarize lsa-type summary-link advertise-metric 10

Interconnecting Avaya(Nortel) OSPF and RIP Network Devices.

It is a safe assumption that most “greenfield” networks are built using OSPF, but a time could come when you have to add a RIP network device to your OSPF network. In the Nortel/Avaya world this could happen if you have an existing OSPF network consisting of ERS8600s and you wish to add an ERS5500, ERS4500 or a legacy Cisco device. Should this requirement arise you will need to research the OSPF redistribute functions. An OSPF redistribute configuration accepts external routes from devices running different routing protocols into the OSPF domain at the ASBR.

The Setup
In the scenario I have built for you I have three ERS8600s participating in a simple OSPF area. Each ERS8600 has two VLANs, as well as two BRouter ports configured as the OSPF broadcast interfaces. The BRouter ports act as the interconnections for the three routers. The fourth router added to the network is an ERS5510. The ERS5510 only supports RIP, so it will be connected to Router #3 because Router #3 will assume the role of ASBR for the OSPF area. The role of the ASBR is important because it is the router that manages the RIP routes from the ERS5510 and will need to be configured with the appropriate redistribute route policies.

The Configuration

ERS8600#3 BRouter Port Config

ethernet 1/5 ip create 192.168.13.1/255.255.255.0 13 mac_offset 4

ERS5510 BRouter Port Config

brouter port 1 vlan 13 subnet 192.168.13.2/24

ERS8600#3 OSPF Config

ip ospf admin-state enable
ip ospf as-boundary-router enable
ip ospf router-id 172.16.5.1
ip ospf enable

ERS8600#3 RIP Config

ip ospf redistribute rip create
ip ospf redistribute rip metric 10
ip ospf redistribute rip enable
ethernet 1/5 ip rip enable

ERS8600#3 Route Policy

ip route-policy "to other domain" seq 1 create
ip route-policy "to other domain" seq 1 enable
ip route-policy "to other domain" seq 1 action permit
ip route-policy "to other domain" seq 1 match-protocol local|static|ospf
ip route-policy "to other domain" seq 1 set-metric 10
ip rip interface  192.168.13.1 out-policy "to other domain"

ERS8600#3 OSPF Redistribute Function.

ip ospf redistribute rip create
ip ospf redistribute rip metric 10
ip ospf redistribute rip enable

Outcome
Now that Router #3 is configured as the ASBR and configured to accept the RIP routes from the 5510, the two VLANs on the 5510 will be visible to the other devices in the OSPF area.

Telnet ACL Based On Network Source

This is something quick and easy if you wish to limit Telnet access based on network source.

The Setup:
On one Avaya ERS8600 I have the management interface configured for a 192.168.1.0/24 network.
I have the native Vlan1 configured as a mock user network with the address 10.10.10.0/24.
The goal is to only grant Telnet access to users that are from the 192.168.1.0 network.

The Configuration:
You will be configuring two policies and then enabling access policies globally. Policy #2 will be the “allow” policy specifying the Telnet service and the allowed network. Policy #3 will be the “deny” equivalent for the user network. Note that you cannot delete the native policy #1.

sys access-policy enable true
sys access-policy policy 1 service http disable
sys access-policy policy 1 service ssh disable
sys access-policy policy 1 service telnet disable
sys access-policy policy 2 create
sys access-policy policy 2 accesslevel rwa
sys access-policy policy 2 access-strict true
sys access-policy policy 2 name "allow telnet"
sys access-policy policy 2 username ""
sys access-policy policy 2 network 192.168.1.0/24
sys access-policy policy 2 service snmpv3 enable
sys access-policy policy 2 service telnet enable
sys access-policy policy 3 create
sys access-policy policy 3 accesslevel rwa
sys access-policy policy 3 access-strict true
sys access-policy policy 3 mode deny
sys access-policy policy 3 name "telnet  deny"
sys access-policy policy 3 precedence 11
sys access-policy policy 3 username ""
sys access-policy policy 3 network 10.10.10.0/24
sys access-policy policy 3 service telnet enable

Outcome:
Any attempt to log in with Telnet from the user network 10.10.10.0 is instantly dropped by the 8600 and the event is recorded in the log.


New Addition To The Lab: 3rd ERS 8600

I bought a new ERS 8603 for the lab. This is the third one I have bought from eBay and it was by far the best equipped and the cheapest. If you ask me nicely I might tell you privately what I paid for it.

I am excited to work with it in some complex network configurations. With my ERS5510 and Vyatta Core router it brings my router count to 5, so I plan on doing some more advanced OSPF and BGP experiments in the near future.

On a side note, to make room I retired my two ES450s and the D-Link DES 3225G. They won't be missed; I never used them anyway.


Look Mom, no IDE cables.

My DIY N.A.S: FreeNAS Server for $500

In the new year I started consumer research for a home NAS solution. I had specific requirements: it had to support Apple, Windows and Linux systems; it had to support varying levels of user- and group-based access and privileges, with file shares assigned (and hidden) on a per user/group basis; and it had to support RAID 1 or 5. My first choices were between D-Link, Linksys and Buffalo, but I found their product information extremely vague. I then shifted my research to small office solutions like LaCie and Drobo. Excellent products, but outside of my price range for the features I was looking for.

But during my early research I stumbled across FreeNAS, a free NAS solution based on FreeBSD that will run on a standard PC or server platform. STOP! You had me at “free”. I downloaded the ISO image (v7.2.5543 at the time) and dusted off a PC that had two IDE hard drives. I was quickly impressed by how easy it was to install, create user accounts, set up shares and enable services and features like AFS, CIFS, FTP, software and hardware RAID, LACP and iSCSI. FreeNAS matched all my requirements as well as offering enhanced support for ZFS in version 8. I made up my mind: I was going to use FreeNAS, so I started to procure the parts I needed to build my FreeNAS server. But could I do it for less than a mid-range LaCie or Drobo NAS system and keep the features I was looking for? My system build is as follows.

The Hardware

HP D530 CMT, Pentium 4 2.8 GHz with 1 Gb/s on-board NIC (used) ........ $50
Adaptec 2410SA PCI SATA RAID controller (used, from eBay) ............. $45
2x 1 TB Seagate SATA HDD (new, from local reseller) ................... $130
4x 1 GB DIMM = 4 GB (new, from local reseller) ........................ $250
2 GB 40-pin IDE flash module (new, from local reseller) ............... $40
Donation to the FreeNAS project via SourceForge ....................... $20
Total build cost ...................................................... $535

I had bought the HP D530 CMT for another project but ended up using it for this FreeNAS build because at 2.8 GHz it is still fast enough for FreeNAS. Yet it is quiet and robust, has a 1 Gb/s Ethernet port and has 6 drive bays for future expansion. I chose the Adaptec 2410SA RAID controller because it supports RAID 0, 1, 5 and JBOD, it has 4 SATA ports and it is PCI. For my storage I wanted to start simple, so I only purchased two 1 TB SATA drives that would be configured in a RAID 1 setup. The most expensive part of the build was upgrading the HP D530's RAM from 512 MB to 4 GB. 512 MB to 1 GB of RAM is adequate for FreeNAS version 7, but if you are running version 8 with ZFS, 4 GB is recommended. Lastly, the authors of FreeNAS are adamant that you run FreeNAS off a USB key or a solid state flash device. It was on the FreeNAS user forum that someone pointed me towards Transcend's 40-pin IDE flash modules. They fit right on the IDE bus and you don't have to worry about protruding USB keys. My last expense was a donation to the FreeNAS project, something I was glad to do.

The Solution

Right now I have FreeNAS v8-RC5 running on this hardware. It is currently holding 100 GB of backed-up data on its 1 TB RAID 1 volume. I have set up separate Windows and Apple shares for a Windows 7 system and a MacBook Pro, all while utilizing ZFS and saving the data on two separate ZFS sub-volumes so my two users can't see each other's data. And I love it, but it did come with some pain. The biggest pain was dealing with the Adaptec RAID controller. It took some trial and error and about 72 hours to format the two 1 TB drives, create the RAID 1 volume and initialize it. There was also a small learning curve with the FreeNAS product, as well as time spent experimenting with the stable v7.2 release and the two v8 RC4 and RC5 releases. In the end v8-RC5 was the best.

Conclusion

Yes, you can build your own NAS server for less than the cost of a Drobo or LaCie. And with FreeNAS you get more features than you could ever use, plus the satisfaction of building the solution yourself.

Here are some images of my build.


UPDATE: FreeNAS v8 is now GA.


Vyatta Core v6.1 Evaluation: Home Router Replacement

Late last year I was researching platforms to experiment with so I could improve my network security, NAT, firewall, load balancing, routing interoperability, IPv6 and VPN skill sets. So my search began for a Nortel Contivity router, a Cisco PIX/ASA and a Nortel Alteon 2424. All expensive options. But during my research I stumbled across Vyatta, a free, open source router and firewall solution that runs on a standard PCx86 hardware platform. With nothing to lose I downloaded the ISO image, burnt the CD and dusted off an eight year old PC and three 3Com PCI NICs I had lying around. After a quick install of the hardware and the Vyatta software I had a fully functional 4-port Vyatta v6.1 Core router added to my lab.

To test my new Vyatta router I configured it to replace my Linksys WRT54G home router. It would be an exercise to test the simplicity and ease of use of the Vyatta CLI and to learn some additional key networking principles. It would also double as a functional test because I was losing faith in my Linksys router. To add a small level of complexity to my experiment I added a second VLAN on the inside LAN and URL filtering (see image).

Vyatta Configuration Checklist:

- IP interfaces / VLANs
- DHCP interface to receive an address from the telco
- DHCP pools for inside hosts
- NAT
- Web filtering
- Telnet enabling

Observations and Conclusions:

I was able to research, design, configure and validate the PCx86 router configuration in less than 60 minutes, much less time than I expected it would take. The online resources are amazing. Between the Vyatta user forum, the Vyatta documentation (which is spectacular), other blogs and DIY YouTube videos you can probably accomplish anything you want with this platform. I had no hardware issues during the install and initial configuration. I was using an old ASUS AMD 1.67 GHz system with 512 MB of RAM. The router software had no issue discovering the on-board NIC. For the other NICs Vyatta recommends using 10/100 3Com PCI NICs, “the older the better”. Lucky for us, PCI NICs grow on trees and you can buy them used online for under $5 each.

The biggest learning curve was learning the new CLI syntax and figuring out that you can't use the Tab key to complete phrases. The CLI itself is adequate but not as easy to use as what you would find on a Cisco or Avaya/Nortel device. The CLI has an “open and close” bracket structure that is a little annoying to look at, and this became more of an annoyance as the complexity of my configuration grew. It sometimes became difficult to make sense of what I was looking at. It is much cleaner to read if you export it (see below).

As for value, v6.1 Core is free and the cost of my system is under $40, and the fact that you can configure IP routing (RIP, OSPF, BGP), IPv6, NAT, stateful firewalls, URL filtering, VPN, load balancing and QoS makes it very attractive. I would certainly recommend the Core v6.1 platform for the home networking user, hobbyist and the very small business owner. I am impressed with my initial trial and will certainly continue to experiment with the product's other features and blog again.

Here is my final configuration, which I used to replace my Linksys home router.

eth0 is the WAN interface.

eth1 and eth2 are the inside LANs with their dedicated DHCP pools.

I also experimented with blocking and allowing webmail, porn, gaming sites, facebook, etc.

vyatta@vyatta:~$ show configuration
interfaces {
ethernet eth0 {
address dhcp
duplex auto
hw-id 00:0e:a6:a4:05:f1
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.2.1/24
duplex auto
hw-id 00:60:08:16:a8:0f
smp_affinity auto
speed auto
}
ethernet eth2 {
address 10.10.10.1/24
duplex auto
hw-id 00:a0:24:cb:7a:32
smp_affinity auto
speed auto
}
ethernet eth3 {
duplex auto
hw-id 00:50:ba:c6:be:34
smp_affinity auto
speed auto
}
loopback lo {
}
}
service {
dhcp-server {
disabled false
shared-network-name POOL1 {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
domain-name Leroux.local1
lease 86400
start 192.168.2.50 {
stop 192.168.2.200
}
}
}
shared-network-name POOL2 {
authoritative disable
subnet 10.10.10.0/24 {
default-router 10.10.10.1
dns-server 10.10.10.1
lease 86400
start 10.10.10.105 {
stop 10.10.10.200
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on eth2
name-server 8.8.8.8
name-server 8.8.8.4
}
}
nat {
rule 10 {
outbound-interface eth0
source {
address 192.168.2.0/24
}
type masquerade
}
rule 20 {
outbound-interface eth0
source {
address 10.10.10.0/24
}
type masquerade
}
}
telnet {
allow-root
port 23
}
webproxy {
cache-size 100
default-port 3128
listen-address 192.168.2.1 {
}
url-filtering {
squidguard {
allow-category webmail
auto-update {
update-hour 23
}
block-category malware
block-category porn
block-category warez
block-category proxy
block-category games
default-action allow
local-block facebook.com
local-block yahoo.com
local-block-url facebook.com
redirect-url http://www.google.com
}
}
}
}
system {
host-name vyatta
login {
user vyatta {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
package {
auto-sync 1
repository community {
components main
distribution stable
password ****************
url http://packages.vyatta.com/vyatta
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}
vyatta@vyatta:~$
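Since the brace layout is what makes the export hard to read, here is an added Python example (my own code, not part of Vyatta or of the original post) that flattens "show configuration" output into one path per setting, the way Vyatta's "set" commands read, and pulls a subtree such as a NAT rule out as a dict. The input is a constructed excerpt of the configuration above, and the function names are my own.

```python
# Constructed excerpt in the brace format of the 'show configuration'
# output above (a few sections only, not the whole configuration).
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth0 {
        address dhcp
    }
    loopback lo {
    }
}
service {
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
    }
    telnet {
        allow-root
        port 23
    }
}
"""


def flatten_config(text):
    """Turn brace-structured config into one 'set'-style path per leaf,
    for example 'service nat rule 10 type masquerade'.  An empty block
    such as 'loopback lo { }' becomes a path of its own."""
    paths = []
    stack = []  # one [block name, has_children] pair per open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced closing brace")
            name, has_children = stack.pop()
            if not has_children:
                paths.append(" ".join([n for n, _ in stack] + [name]))
        elif line.endswith("{"):
            if stack:
                stack[-1][1] = True
            stack.append([line[:-1].strip(), False])
        else:
            if stack:
                stack[-1][1] = True
            paths.append(" ".join([n for n, _ in stack] + [line]))
    if stack:
        raise ValueError("unclosed block: " + stack[-1][0])
    return paths


def subtree(paths, prefix):
    """Return the settings under prefix as a dict.  A leaf with a value
    maps 'key' -> 'value'; a bare flag such as 'allow-root' maps to True."""
    found = {}
    for path in paths:
        if not path.startswith(prefix + " "):
            continue
        words = path[len(prefix) + 1:].split()
        if len(words) == 1:
            found[words[0]] = True
        else:
            found[" ".join(words[:-1])] = words[-1]
    return found


if __name__ == "__main__":
    flat = flatten_config(SAMPLE_CONFIG)
    print("\n".join("set " + p for p in flat))
    print(subtree(flat, "service nat rule 10"))
    print(subtree(flat, "service telnet"))  # shows allow-root on port 23
```

The flattened form also makes it easy to spot settings worth a second look, such as Telnet with root login allowed, which the SSH post below explains is sent in plaintext.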

SSH for the Avaya ERS8600

SSH is a protocol developed to address the inherent weaknesses of Telnet. Telnet transfers all information, including passwords, in plaintext that can be captured and reconstituted by anyone sniffing on your network. SSH-enabled devices offer an extra layer of security within your network and protect you from IP spoofing, DNS spoofing, TCP hijacking attacks and password sniffing. This is accomplished by the stronger authentication and the encryption that SSH provides.

Before you begin enabling SSH on your ERS 8600 you will require the following.

Please note: for my experiment I used an 8603 chassis with an 8691/256SF running v4.1.8.5.

1- Nortel/Avaya console cable. Avaya recommends that you perform this configuration at the local console.
2- The 3DES image file copied to the flash of the Switch Fabric: “p80c4XXX.img”
3- A maintenance window, because you are required to reboot the switch.

So let's begin...

***First you must disable the SSH daemon, SNMP, rlogin, TFTP, FTP and Telnet. Once that is complete you must load the 3DES encryption module.

config bootconfig flags sshd false
config bootconfig flags block-snmp true
config bootconfig flags rlogind false
config bootconfig flags telnetd false
config bootconfig flags ftpd false
config load-encryption-module 3DES

Once the services listed above have been disabled, re-enable the SSH daemon, save the bootconfig and ****reboot the switch.

config bootconfig flags sshd true
save bootconfig
boot -y

Upon reboot, log back into the switch. This series of commands will create a basic SSH server on your ERS8600.
NOTE: these are default settings.

config sys set ssh action rsa-keygen 1024
config sys set ssh action dsa-keygen 1024
config sys set ssh dsa-auth true
config sys set ssh max-sessions 4
config sys set ssh pass-auth true
config sys set ssh port 22
config sys set ssh rsa-auth true
config sys set ssh timeout 60
config sys set ssh version v2only
config sys set ssh enable true
config sys set ssh info
save config

Verify your work: the following command shows the current SSH settings on your ERS8600.

show sys ssh global|session

You will soon notice that you can no longer use your normal Telnet and SNMP tools to manage your switch. Supported SSH clients you can use are Tera Term Pro and OpenSSH. Other options are PuTTY and, of course, CLImanager.

References and Further Reading:
- http://forums.networkinfrastructure.info/ Mike's Nortel/Avaya user forum.
- Nortel Ethernet Routing Switch 8600: Configuring and Managing Security, NN46205-601

***UPDATE: as per Mike's comments below, you are not required to disable SNMP, TFTP, FTP, rlogin and Telnet. They are the recommendations I gleaned from the NN46205-601 guide.
***** Mike has also brought it to my attention that a reboot is not required, but it is recommended by Nortel/Avaya.


Securing Your ERS8600: Disable Unused Accounts

When working with any network device a good network engineer understands how dangerous default settings can be, especially when it comes to local and remote access. Once a device has been powered on for the first time, it has become an instinct for many to configure new Telnet passwords, configure SSH, disable SNMP and configure SNMPv3 accounts. When an engineer wants to harden a device even further they can also consider changing user names, creating access lists, using strong passwords or even configuring a RADIUS or TACACS solution. But all of this effort can be for naught if a little door is left open.

For the ERS8600, the Management Access Control is that little back door. Every ERS8600 has 12 levels of access, each with its own default user name and password. Each access-level has a different degree of control and visibility, from read only to full access, but to prying eyes even a little bit of information can cascade into further problems for any network engineer who wants to maintain a secure network. The access-levels are as follows: l1, l2, l3, l4admin, l4oper, oper, ro, rw, rwa, slbadmin, slboper, ssladmin. The weakness with each access-level is that the default password string is the user name.

The description for each access-level and the access they grant are:

Read Only: This level lets you view the device settings, but you cannot change any of the settings.
Layer 1 Read Write: This level lets you view switch configuration and status information and change only physical port parameters.
Layer 2 Read Write: This level lets you view and edit device settings related to Layer 2 (bridging) functionality. The Layer 3 settings (such as OSPF, DHCP) are not accessible. You cannot change the security and password settings.
Layer 3 Read Write: This level lets you view and edit device settings related to Layer 2 (bridging) and Layer 3 (routing). You cannot change the security and password settings.
Read Write: This level lets you view and edit most device settings. You cannot change the security and password settings.
Read Write All: This level lets you do everything. You have all the privileges of read-write access and the ability to change the security settings. The security settings include access passwords and the Web-based management user names and passwords.
ssladmin: This level lets you log in to connect to and configure the SAM (SSL acceleration module).
User, SLB Operator, Layer 4 Operator, Operator: Each of these access-levels grants read access if the Web Switching Module is present.

The common network engineer will use the Read Write All “rwa” account exclusively to manage all aspects of the switch, and in common environments a Read Only “ro” account can be created for technicians. But rarely would someone want to delegate granular and varying controls of the ERS using the other 10 access-levels. The problems this poses are too numerous and obvious to list.

So what are your solutions? You can give each access-level a new password, though this can still haunt you if you use weak passwords. Or you can simply disable the unused access-level accounts.

This command, repeated for all access-levels except rwa, disables all the remaining access-levels.

Note: this is a hidden command. You cannot abbreviate the word “password”.

ERS-8603:3/config/cli/password# access-level l1 disable
ERS-8603:3/config/cli/password# access-level l2 disable
ERS-8603:3/config/cli/password# access-level l3 disable
ERS-8603:3/config/cli/password# access-level l4admin disable
ERS-8603:3/config/cli/password# access-level l4oper disable
ERS-8603:3/config/cli/password# access-level oper disable
ERS-8603:3/config/cli/password# access-level ro disable
ERS-8603:3/config/cli/password# access-level rw disable
ERS-8603:3/config/cli/password# access-level slbadmin disable
ERS-8603:3/config/cli/password# access-level slboper disable
ERS-8603:3/config/cli/password# access-level ssladmin disable

In addition to disabling all unused access-levels, you can also set the “hsecure” flag in the bootconfig. This will ensure that all future passwords are over 8 characters in length.

In conclusion, if you have a requirement to hand out varying access-levels, make sure that the passwords are strong and that the technicians with this access have the proper training and understanding of their control. If you have no requirement for access-levels other than “rwa”, you can simply save yourself the headache and possible threat of a hack and disable the other accounts.


Nortel Lab Is Back Up: with a new addition

My home lab is back up and running. This time all my switches, routers, cables and power are tucked away in my new rack and cable management system. I now feel much better that my investment is off the ground (literally), in its own dedicated space, on its own circuit and grounded.

My next steps are to:

1- Buy some Cisco devices so users can work on Nortel/Cisco interoperability.

2- Buy a Console Server.

3- Develop a remote access system like our friend at http://packetlife.net/lab/ so people can book time in the lab. Please visit JS's site; he does a great job.

If anyone wants to support my lab in any way, I will accept any and all help.

Also, please let me know if you would be interested in reserving time in the lab. If there is demand I will apply more to the lab.

You can contact me by emailing me at paul “at” paulleroux “dot” net

or leave me a comment below.
