<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>paulLEROUX.net</title>
	<atom:link href="http://blog.paulleroux.net/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.paulleroux.net</link>
	<description></description>
	<lastBuildDate>Tue, 13 Dec 2011 20:29:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Route Summarization for the ERS8600</title>
		<link>http://blog.paulleroux.net/archives/810</link>
		<comments>http://blog.paulleroux.net/archives/810#comments</comments>
		<pubDate>Wed, 15 Jun 2011 03:25:51 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Configurations]]></category>
		<category><![CDATA[Lab]]></category>
		<category><![CDATA[Network Managment]]></category>
		<category><![CDATA[aggregation]]></category>
		<category><![CDATA[CIDR]]></category>
		<category><![CDATA[ERS8600]]></category>
		<category><![CDATA[IP]]></category>
		<category><![CDATA[OSPF]]></category>
		<category><![CDATA[Route Summerization]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=810</guid>
		<description><![CDATA[As networks grow in size, the routing table on each router grows as well. As a result, the overhead of processing the routes can grow exponentially and take resources away from other functions the router could be performing. Large routing tables are also difficult to read quickly and to troubleshoot efficiently. You can make [...]]]></description>
			<content:encoded><![CDATA[
<p>As networks grow in size, the routing table on each router grows as well. As a result, the overhead of processing the routes can grow exponentially and take resources away from other functions the router could be performing. Large routing tables are also difficult to read quickly and to troubleshoot efficiently. You can make your life extremely easy if you engineer your IP addressing using a harmonious numbering system and avoid a discontinuous network address scheme. If you adhere to these methods and use CIDR addresses, you can also take advantage of Route Summarization (aka Route Aggregation).</p>
<p>An example of route summarization: suppose you have an ASBR that manages five 24-bit networks.</p>
<p>172.16.0.1/24<br />
172.16.1.1/24<br />
172.16.2.1/24<br />
172.16.3.1/24<br />
172.16.4.1/24</p>
<p>In a neighbouring router&#8217;s table, these networks will be listed as attached networks with a next hop and value, and each route will be advertised to the LSDB. We can reduce the number of advertisements by summarizing these 5 networks on the ASBR as one large network, so the neighbouring router will only receive one advertisement. This is accomplished by using a CIDR mask length that encompasses the entire range of the 5 example networks.</p>
<p>The five networks listed above consist of the range 172.16.0.1 &#8211; 172.16.4.255. This can be summarized as 172.16.0.0/21 or 172.16.0.0/255.255.248.0. Note that a /21 spans 172.16.0.0 &#8211; 172.16.7.255, so the summary also covers 172.16.5.0/24 through 172.16.7.0/24, which are not among the five networks.</p>
<p>To accomplish this you will need to understand CIDR, VLSM, IP, and binary math. The best site I have found that explains the math behind the calculations is <a href="http://subnettingmadeeasy.blogspot.com/2007/11/router-summarization.html" target="_blank">http://subnettingmadeeasy.blogspot.com/2007/11/router-summarization.html</a>. Note: the author of this article makes some great observations on how summarizing your routes can cause issues. He also describes some great workarounds.</p>
<p>Or, if you are like me, you can use an online calculator. The best one I have found is <a href="http://buchananweb.co.uk/security51.aspx" target="_blank">http://buchananweb.co.uk/security51.aspx</a></p>
<p>An ERS8600 CLI example of the route summary described above would look like this.</p>
<div class="outcode">
<pre class="incode">ip ospf admin-state enable
ip ospf router-id 172.16.0.0
ip ospf enable
ip ospf area 0.0.0.1 create
ip ospf area 0.0.0.1 range 172.16.0.0/255.255.248.0 create advertise-mode summarize lsa-type summary-link advertise-metric 10</pre>
</div>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/810/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Interconnecting Avaya(Nortel) OSPF and RIP Network Devices.</title>
		<link>http://blog.paulleroux.net/archives/782</link>
		<comments>http://blog.paulleroux.net/archives/782#comments</comments>
		<pubDate>Wed, 01 Jun 2011 02:25:34 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Configurations]]></category>
		<category><![CDATA[Lab]]></category>
		<category><![CDATA[ERS5510]]></category>
		<category><![CDATA[ERS8600]]></category>
		<category><![CDATA[OSPF]]></category>
		<category><![CDATA[RIP]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=782</guid>
		<description><![CDATA[It is a safe assumption that most &#8220;greenfield&#8221; networks are built using OSPF. But a time could come when you have to add a RIP network device to your OSPF network.  In the Nortel/Avaya world this case could be true if you have an existing OSPF Network consisting of ERS8600s and you wish to add [...]]]></description>
			<content:encoded><![CDATA[
<p>It is a safe assumption that most &#8220;greenfield&#8221; networks are built using OSPF. But a time could come when you have to add a RIP network device to your OSPF network. In the Nortel/Avaya world this could be the case if you have an existing OSPF network consisting of ERS8600s and you wish to add an ERS5500, ERS4500 or a legacy Cisco device. Should this requirement arise, you will need to research the OSPF Redistribute functions. An OSPF Redistribute configuration accepts external routes from devices running different routing protocols into the OSPF domain at the ASBR.</p>
<p><strong>The Setup</strong> <a href="http://blog.paulleroux.net/wp-content/uploads/2011/05/OSPF-RIP-BGP-Nortel-Lab-v1.jpg"><img class="alignright size-medium wp-image-802" title="OSPF RIP BGP Nortel Lab -v1" src="http://blog.paulleroux.net/wp-content/uploads/2011/05/OSPF-RIP-BGP-Nortel-Lab-v1-300x183.jpg" alt="" width="300" height="183" /></a><br />
In the scenario I have built for you, I have three ERS8600s participating in a simple OSPF area. Each ERS8600 has two VLANs, as well as two BRouter ports configured as the OSPF Broadcast interfaces. The BRouter ports act as the interconnections for the three routers. The fourth router added to the network is an ERS5510. The ERS5510 only supports RIP, so it will be connected to Router #3 because Router #3 will assume the role of the ASBR for the OSPF Area. The role of the ASBR is important because it is the router that will manage the RIP routes from the ERS5510, and it will need to be configured accordingly with the appropriate routing Redistribute policies.</p>
<p><strong>The Configuration</strong></p>
<p>ERS8600#3 BRouter Port Config</p>
<div class="outcode">
<pre class="incode">ethernet 1/5 ip create 192.168.13.1/255.255.255.0 13 mac_offset 4</pre>
</div>
<p>ERS5510 BRouter Port Config</p>
<div class="outcode">
<pre class="incode">brouter port 1 vlan 13 subnet 192.168.13.2/24</pre>
</div>
<p>ERS8600#3 OSPF Config</p>
<div class="outcode">
<pre class="incode">ip ospf admin-state enable
ip ospf as-boundary-router enable
ip ospf router-id 172.16.5.1
ip ospf enable</pre>
</div>
<p>ERS8600#3 RIP Config</p>
<div class="outcode">
<pre class="incode">ip ospf redistribute rip create
ip ospf redistribute rip metric 10
ip ospf redistribute rip enable
ethernet 1/5 ip rip enable</pre>
</div>
<p>ERS8600#3 Route Policy</p>
<div class="outcode">
<pre class="incode">ip route-policy "to other domain" seq 1 create
ip route-policy "to other domain" seq 1 enable
ip route-policy "to other domain" seq 1 action permit
ip route-policy "to other domain" seq 1 match-protocol local|static|ospf
ip route-policy "to other domain" seq 1 set-metric 10
ip rip interface  192.168.13.1 out-policy "to other domain"</pre>
</div>
<p>ERS8600#3 OSPF Redistribute Function.</p>
<div class="outcode">
<pre class="incode">ip ospf redistribute rip create
ip ospf redistribute rip metric 10
ip ospf redistribute rip enable</pre>
</div>
<p><strong>Outcome</strong><br />
Now that Router#3 is configured as the ASBR and configured to accept the RIP routes from the 5510, the two VLANs on the 5510 will be visible to the other devices in the OSPF area.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/782/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Telnet ACL Based On Network Source</title>
		<link>http://blog.paulleroux.net/archives/772</link>
		<comments>http://blog.paulleroux.net/archives/772#comments</comments>
		<pubDate>Wed, 11 May 2011 03:43:38 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Configurations]]></category>
		<category><![CDATA[Lab]]></category>
		<category><![CDATA[Network Managment]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[ERS8600]]></category>
		<category><![CDATA[Ingres and Egress ACL's]]></category>
		<category><![CDATA[Network Management]]></category>
		<category><![CDATA[telnet]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=772</guid>
		<description><![CDATA[This is something quick and easy if you wish to limit Telnet access based on network source. The Setup: On one Avaya ERS8600 I have the management interface configured for a 192.168.1.0/24 network. I have the native Vlan1 configured as a mock user network with the address 10.10.10.0/24. The goal is to only grant Telnet [...]]]></description>
			<content:encoded><![CDATA[
<p>This is something quick and easy if you wish to limit Telnet access based on network source.</p>
<p><strong>The Setup:</strong><br />
On one Avaya ERS8600 I have the management interface configured for a 192.168.1.0/24 network.<br />
I have the native Vlan1 configured as a mock user network with the address 10.10.10.0/24.<br />
The goal is to only grant Telnet access to users that are from the 192.168.1.0 network.</p>
<p><strong>The Configuration:</strong><br />
You will be configuring two policies and then enabling access policies globally. Policy #2 will be the &#8220;allow&#8221; policy specifying the telnet service and the allowed network. Policy #3 will be the &#8220;deny&#8221; equivalent for the user network. Note that you cannot delete the native policy #1.</p>
<div class="outcode">
<pre class="incode">sys access-policy enable true
sys access-policy policy 1 service http disable
sys access-policy policy 1 service ssh disable
sys access-policy policy 1 service telnet disable
sys access-policy policy 2 create
sys access-policy policy 2 accesslevel rwa
sys access-policy policy 2 access-strict true
sys access-policy policy 2 name "allow telnet"
sys access-policy policy 2 username ""
sys access-policy policy 2 network 192.168.1.0/24
sys access-policy policy 2 service snmpv3 enable
sys access-policy policy 2 service telnet enable
sys access-policy policy 3 create
sys access-policy policy 3 accesslevel rwa
sys access-policy policy 3 access-strict true
sys access-policy policy 3 mode deny
sys access-policy policy 3 name "telnet  deny"
sys access-policy policy 3 precedence 11
sys access-policy policy 3 username ""
sys access-policy policy 3 network 10.10.10.0/24
sys access-policy policy 3 service telnet enable</pre>
</div>
<p><strong>Outcome:</strong><br />
Any attempt to log in with telnet from the user network 10.10.10.0 is instantly dropped by the 8600 and the event is recorded in the log.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/772/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>paulLEROUX.net is in the news</title>
		<link>http://blog.paulleroux.net/archives/764</link>
		<comments>http://blog.paulleroux.net/archives/764#comments</comments>
		<pubDate>Sat, 07 May 2011 21:24:30 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Blog News]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/archives/764</guid>
		<description><![CDATA[Yours truly and a recent blog post from paulLEROUX.net were featured on the FreeNAS community website. http://freenas.org/community Thanks for the support.]]></description>
			<content:encoded><![CDATA[
<p>Yours truly and a recent blog post from paulLEROUX.net were featured on the FreeNAS community website.</p>
<p><a href="http://freenas.org/community" target="_blank">http://freenas.org/community</a></p>
<p>Thanks for the support.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/764/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>New Addition To The Lab: 3rd ERS 8600</title>
		<link>http://blog.paulleroux.net/archives/752</link>
		<comments>http://blog.paulleroux.net/archives/752#comments</comments>
		<pubDate>Fri, 06 May 2011 04:35:10 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Lab]]></category>
		<category><![CDATA[ERS8600]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=752</guid>
		<description><![CDATA[I bought a new ERS 8603 for The Lab. This is the third one I have bought from eBay and it was by far the best equipped and the cheapest.  If you ask me nicely I might tell you privately what I paid for it. I am excited to work with it in some complex [...]]]></description>
			<content:encoded><![CDATA[
<p>I bought a new <a href="http://en.wikipedia.org/wiki/Avaya_ERS_8600" target="_blank">ERS 8603</a> for <a href="http://blog.paulleroux.net/lab" target="_blank">The Lab</a>. This is the third one I have bought from eBay and it was by far the best equipped and the cheapest.  If you ask me nicely I might tell you privately what I paid for it.</p>
<p>I am excited to work with it in some complex network configurations.  With my ERS5510 and Vyatta Core router it brings my router count to 5 so I plan on doing some more advanced OSPF and BGP experiments in the near future.</p>
<p>On a side note, to make room I did retire my two ES450s and the D-Link DES 3225G. They won&#8217;t be missed; I never used them anyway.</p>
<p>&nbsp;</p>
<p><a href="http://blog.paulleroux.net/wp-content/uploads/2011/05/IMG-20110505-00067.jpg"><img class="alignleft size-thumbnail wp-image-755" title="IMG-20110505-00067" src="http://blog.paulleroux.net/wp-content/uploads/2011/05/IMG-20110505-00067-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://blog.paulleroux.net/wp-content/uploads/2011/05/IMG-20110505-00060.jpg"><img class="alignleft size-thumbnail wp-image-753" title="IMG-20110505-00060" src="http://blog.paulleroux.net/wp-content/uploads/2011/05/IMG-20110505-00060-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://blog.paulleroux.net/wp-content/uploads/2011/05/IMG-20110505-00062.jpg"><img class="alignleft size-thumbnail wp-image-754" title="IMG-20110505-00062" src="http://blog.paulleroux.net/wp-content/uploads/2011/05/IMG-20110505-00062-150x150.jpg" alt="" width="150" height="150" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/752/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My DIY N.A.S: FreeNAS Server for $500</title>
		<link>http://blog.paulleroux.net/archives/656</link>
		<comments>http://blog.paulleroux.net/archives/656#comments</comments>
		<pubDate>Wed, 27 Apr 2011 19:50:57 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Lab]]></category>
		<category><![CDATA[FreeNAS]]></category>
		<category><![CDATA[NAS]]></category>
		<category><![CDATA[RAID]]></category>
		<category><![CDATA[Storage]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=656</guid>
		<description><![CDATA[In the new year I started consumer research for a home NAS solution. I had specific requirements: It had to support Apple, Windows and Linux systems. It had to support varying levels of User and Grouped based access and privileges, file shares assigned (and hidden) on a per user/group basis. And it had to support [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-000381.jpg"><img class="alignleft size-thumbnail wp-image-716" title="IMG-20110422-00038" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-000381-150x150.jpg" alt="" width="150" height="150" /></a> In the new year I started consumer research for a home <a href="http://en.wikipedia.org/wiki/Network-attached_storage" target="_blank">NAS solution</a>. I had specific requirements: It had to support Apple, Windows and Linux systems. It had to support varying levels of User and Grouped based access and privileges, file shares assigned (and hidden) on a per user/group basis. And it had to support RAID1 or 5. My first choices were between D-Link, Linksys, and Buffalo. But I found their product info extremely vague. I then shifted my research to Small Office solutions like LaCIE and Drobo. Excellent products, but outside of my price range for the features I was looking for.</p>
<p>But during my early research I stumbled across <a href="http://freenas.org/FreeNAS" target="_blank">FreeNAS</a>, a free NAS solution based on FreeBSD that will run on a standard PC or server platform. STOP! You had me at &#8220;free&#8221;. I downloaded the ISO image (v7.2.5543 at the time) and dusted off a PC that had two IDE hard drives. I was quickly impressed by how easy it was to install, create user accounts, set up shares and enable services and features like AFS, CIFS, FTP, software and hardware RAID, LACP and iSCSI. FreeNAS matched all my requirements as well as offering enhanced support for ZFS in version 8. I made up my mind: I was going to use FreeNAS, so I started to procure the parts I needed to build my FreeNAS server. But could I do it for less than a mid-range LaCIE or Drobo NAS system and keep the features I was looking for? My system build is as follows.</p>
<p><strong>The Hardware</strong></p>
<div class="outcode">
<pre class="incode">HP D530 CMT, Pentium 4 2.8ghz with 1gb/s on-board NIC (used)....$50
Adaptec 2410SA PCI SATA RAID Controller (Used from ebay)........$45
2x 1TB Seagate SATA HDD (New from local reseller)...............$130
4x 1GB DIMM = 4GB (New from local reseller).....................$250
2GB 40pin IDE Flash Module (New from local reseller)............$40
Donation to the FreeNAS Project via SourceForge.................$20
Total Build Cost================================================$535</pre>
</div>
<p>I had bought the <a href="http://reviews.cnet.com/desktops/hp-d530-cmt-pentium/1707-3118_7-30842841.html" target="_blank">HP D530 CMT</a> for another project but ended up using it for this FreeNAS build because at 2.8GHz it is still fast enough for FreeNAS. It is also quiet and robust, has a 1Gb/s Ethernet port and has 6 drive bays for future expansion. I chose the <a href="http://www.adaptec.com/en-us/support/raid/sata/aar-2410sa/" target="_blank">Adaptec 2410SA RAID controller</a> because it supports RAID 0, 1, 5 and JBOD, it has 4 SATA ports and it&#8217;s PCI. For my storage I wanted to start simple, so I only purchased two 1TB SATA drives that would be configured in a RAID1 setup. The most expensive part of the build was upgrading the HP D530&#8217;s RAM from 512MB to 4GB. 512MB to 1GB of RAM is adequate for FreeNAS version 7, but if you are running version 8 with ZFS, 4GB is recommended. Lastly, the authors of FreeNAS are adamant that you run FreeNAS off a USB key or a solid state flash device. It was on the FreeNAS user forum that someone pointed me towards these <a href="http://www.transcendusa.com/products/ModDetail.asp?ModNo=26" target="_blank">Transcend 40-pin IDE Flash Modules</a>. They fit right on the IDE bus and you don&#8217;t have to worry about protruding USB keys. My last expense was a <a href="http://sourceforge.net/project/project_donations.php?group_id=151951">donation to the FreeNAS project</a>, something I was glad to do.</p>
<p><strong>The Solution</strong></p>
<p>Right now I have FreeNAS v8-RC5 running on this hardware. It is currently holding 100GB of backed up data on its 1TB RAID1 volume. I have set up separate Windows and Apple shares for a Windows7 system and a MacBook Pro, all while utilizing ZFS and saving the data on two separate ZFS sub volumes so my two users can&#8217;t see each other&#8217;s data. And I love it, but it did come with some pain. The biggest pain was dealing with the Adaptec RAID controller. It took some trial and error and about 72hrs to format the two 1TB drives, create the RAID1 volume and initialize it. And there was a small learning curve with the FreeNAS product, as well as time spent experimenting with the stable v7.2 release and the two v8 RC4 and RC5 releases. In the end v8-RC5 was the best.</p>
<p><strong>Conclusion</strong></p>
<p>Yes, you can build your own NAS server for less than the cost of a Drobo or LaCie. And with FreeNAS you get more features than you could ever use, and you have the satisfaction of building the solution yourself.</p>
<p>Here are some images of my build.</p>
<p>&nbsp;</p>
<p>UPDATE: FreeNAS v8 is now GA.</p>
<p>&nbsp;</p>

<a href='http://blog.paulleroux.net/archives/656/img-20110422-00041' title='2410SA RAID Controller'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-00041-150x150.jpg" class="attachment-thumbnail" alt="2410SA RAID Controller" title="2410SA RAID Controller" /></a>
<a href='http://blog.paulleroux.net/archives/656/img-20110422-00039' title='2GB IDE Flash'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-00039-150x150.jpg" class="attachment-thumbnail" alt="2GB IDE Flash" title="2GB IDE Flash" /></a>
<a href='http://blog.paulleroux.net/archives/656/img-20110422-00037' title='2GB IDE Flash with Box'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-00037-150x150.jpg" class="attachment-thumbnail" alt="2GB IDE Flash with Box" title="2GB IDE Flash with Box" /></a>
<a href='http://blog.paulleroux.net/archives/656/img-20110422-00040' title='4GB of RAM'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-00040-150x150.jpg" class="attachment-thumbnail" alt="4GB of RAM" title="4GB of RAM" /></a>
<a href='http://blog.paulleroux.net/archives/656/img-20110422-00043' title='Bird&#039;s eye'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-00043-150x150.jpg" class="attachment-thumbnail" alt="Bird&#039;s eye" title="Bird&#039;s eye" /></a>
<a href='http://blog.paulleroux.net/archives/656/img-20110422-00038' title='IMG-20110422-00038'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-00038-150x150.jpg" class="attachment-thumbnail" alt="IMG-20110422-00038" title="IMG-20110422-00038" /></a>
<a href='http://blog.paulleroux.net/archives/656/img-20110422-00038-2' title='Look Mom, no IDE cables. '><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-000381-150x150.jpg" class="attachment-thumbnail" alt="Look Mom, no IDE cables." title="Look Mom, no IDE cables." /></a>
<a href='http://blog.paulleroux.net/archives/656/img-20110422-00042' title='Mounted Drives'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/IMG-20110422-00042-150x150.jpg" class="attachment-thumbnail" alt="Mounted Drives" title="Mounted Drives" /></a>
<a href='http://blog.paulleroux.net/archives/656/ottawa-20110228-00162' title='Ottawa-20110228-00162'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/Ottawa-20110228-00162-150x150.jpg" class="attachment-thumbnail" alt="Ottawa-20110228-00162" title="Ottawa-20110228-00162" /></a>
<a href='http://blog.paulleroux.net/archives/656/ottawa-20110303-00164' title='The Drives'><img width="150" height="150" src="http://blog.paulleroux.net/wp-content/uploads/2011/04/Ottawa-20110303-00164-150x150.jpg" class="attachment-thumbnail" alt="The Drives" title="The Drives" /></a>

]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/656/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Data Storage and Backup: Can you afford it? A better question, can you afford not to?</title>
		<link>http://blog.paulleroux.net/archives/627</link>
		<comments>http://blog.paulleroux.net/archives/627#comments</comments>
		<pubDate>Tue, 19 Apr 2011 03:02:35 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Network Managment]]></category>
		<category><![CDATA[NAS]]></category>
		<category><![CDATA[Storage]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=627</guid>
		<description><![CDATA[Everyone that has ever worked with a computer has experienced (or will eventually experience) an &#8220;Oh Sh!t&#8221; moment.  The technical term for an &#8220;Oh Sh!t&#8221; moment is a partial or complete loss of all your personal data.  Possible scenarios of this could stem from either the accidental deletion of data, a virus or hacker attack,  theft [...]]]></description>
			<content:encoded><![CDATA[
<p>Everyone that has ever worked with a computer has experienced (or will eventually experience) an &#8220;Oh Sh!t&#8221; moment. The technical term for an &#8220;Oh Sh!t&#8221; moment is a partial or complete loss of all your personal data. Possible scenarios of this could stem from the accidental deletion of data, a virus or hacker attack, theft of a computer system or a hard drive failure. The sinking feeling of turning on a computer or laptop, only to get greeted with the &#8220;can not find hard drive&#8221; message, is a feeling I have felt once before. And when it happens to you, the first thoughts through your head will be &#8220;How much time, effort and money will it take to get my data back?&#8221; Or whether it&#8217;s even possible at all.</p>
<p>If you want to put a value on your data, consider the following and do your own math at home.</p>
<p><strong>Music: </strong>Between my girlfriend and me we have over 100GB of iTunes music at an estimated value of<strong> $500-$1000</strong>. If you steal your music just think of the time it would take to find and download it all over again. If you are with a carrier that now has download caps this stolen music might cost you after all if you have to get it again.</p>
<p><strong>Pictures and Videos: </strong> Think of all your vacations, family holidays, special events and the pictures from these events. The cost to replace these moments in time would run upwards of several <strong>thousands ($5,000+) to priceless and impossible</strong>. A perfect example: In 2004 I went to London, England and during that trip I took about 500 pictures. If you consider airfare, accommodations, and expenses, that trip cost me over $2000. I can go to London again, but I could never reproduce the images of Arsenal FC playing at Highbury Stadium.</p>
<p><strong>Work related documents and financials:</strong> This is the big category because when you lose this data it can hit you where it hurts the most. Think of all the time and effort it would take to reproduce all the documents and records for your personal affairs or business. As well as the impact to the operation of your daily business. If you are an entrepreneur the cost to you and your company could be <strong>bankruptcy</strong>.</p>
<p>&nbsp;</p>
<p><strong>Conclusion</strong>:</p>
<p>If I look at the dollar value of my data, the value of my iTunes library alone warrants me to look at some kind of data backup or <a href="http://en.wikipedia.org/wiki/Network-attached_storage" target="_blank">NAS </a>solution. And if you were doing your own math at home I am sure you are now thinking the same. So protect your data! The cost to buy or engineer a backup solution will be much less than the value of your data. Here are some data backup options and solutions.</p>
<p>1. 2TB SATA hard drive and a <a href="http://www.softchoice.com/catalog/product.aspx?R=V46459_US_EN" target="_blank">USB to IDE/SATA adapter </a> ($100 + $30).</p>
<p>2. A COTS NAS solution like D-Link, Buffalo, or Drobo. ($200-$2000)</p>
<p>3. Online solution like Google Docs  ($256 for 1TB) or a Subscription based service like <a href="http://www.carbonite.com/" target="_blank">http://www.carbonite.com</a></p>
<p>4. A D.I.Y NAS product like <a href="http://freenas.org/" target="_blank">FreeNAS </a>(software is $0.00 + cost of an old server or PC)</p>
<p>5. Apple users can experiment with <a href="http://en.wikipedia.org/wiki/Time_Machine_%28Mac_OS%29" target="_blank">Time Machine</a>.</p>
<p>&nbsp;</p>
<p>Footnote: I recently built a NAS server using FreeNAS v8RC5. I will blog about my setup in the near future.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/627/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Vyatta Core v6.1 Evaluation: Home Router Replacement</title>
		<link>http://blog.paulleroux.net/archives/583</link>
		<comments>http://blog.paulleroux.net/archives/583#comments</comments>
		<pubDate>Sat, 26 Feb 2011 21:16:22 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Configurations]]></category>
		<category><![CDATA[Lab]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vyatta]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=583</guid>
		<description><![CDATA[Late last year I was researching for platforms to experiment with so I can improve my networking security, NAT, firewall, load balancing, routing interoperability, IPv6 and VPN skill sets. So my search began for a Nortel Contivity router, a Cisco PIX/ASA and a Nortel Alteon 2424. All expensive options. But during my research I stumbled [...]]]></description>
			<content:encoded><![CDATA[
<p>Late last year I was researching platforms to experiment with so I could improve my networking security, NAT, firewall, load balancing, routing interoperability, IPv6 and VPN skill sets. So my search began for a Nortel Contivity router, a Cisco PIX/ASA and a Nortel Alteon 2424. All expensive options. But during my research I stumbled across <a href="http://www.vyatta.com/index.php" target="_blank">Vyatta</a>, a free, open source router and firewall solution that utilizes a standard PCx86 hardware platform. With nothing to lose I downloaded the ISO image, burnt the CD and dusted off an eight-year-old PC and three 3Com PCI NICs I had lying around. After a quick install of the hardware and the Vyatta software I now had a fully functional 4-port Vyatta v6.1 Core router added into my lab.</p>
<p>To test my new Vyatta router I configured it to replace my <a href="http://en.wikipedia.org/wiki/Linksys_WRT54G_series" target="_blank">Linksys WRT54G</a> home router. It would be an exercise to test the simplicity and ease of use of the Vyatta CLI and to learn some additional key networking principles. It would also double as a functional test because I was losing faith in my Linksys router. To add a small level of complexity to my experiment I added a second VLAN on the inside LAN and URL filtering (see image).</p>
<p><strong>Vyatta Configuration Checklist.</strong> <a href="http://blog.paulleroux.net/wp-content/uploads/2011/02/vyatta_lab1.gif"><img class="size-thumbnail wp-image-600 alignright" title="vyatta_lab" src="http://blog.paulleroux.net/wp-content/uploads/2011/02/vyatta_lab1-150x150.gif" alt="" width="200" height="150" /></a></p>
<p>IP interfaces / VLANs</p>
<p>DHCP interface to receive address from TeleCo.</p>
<p>DHCP pools for inside hosts.</p>
<p>NAT</p>
<p>Web filtering</p>
<p>Telnet enabling</p>
<p><strong>Observations and Conclusions:</strong></p>
<p>I was able to research, design, configure and validate the <span style="text-decoration: line-through;">PCx86 </span>router configuration in less than 60 minutes.  Much less time than I expected it would take. The online resources are amazing. Between the Vyatta user forum, the Vyatta documentation (which is spectacular), other blogs and DIY YouTube videos you can probably accomplish anything you want with this platform.  I had no hardware issues during the install and initial configuration. I was using an old ASUS AMD 1.67GHz system with 512MB of RAM. The router software had no issue discovering the on-board NIC. For the other NICs Vyatta recommends using 10/100 3Com PCI NICs &#8220;the older the better&#8221;. Lucky for us PCI NICs grow on trees and you can buy them used online for under $5 each.</p>
<p>The biggest learning curve was learning the new CLI syntax and figuring  out that you can&#8217;t &#8220;Tab key&#8221; to complete phrases.  The CLI itself is  adequate but not as easy to use as you would find on a Cisco or  Avaya/Nortel device. The CLI does have an &#8220;Open and Close&#8221; bracket  structure that is a little annoying to look at. This became more of an annoyance as the complexity of my  configuration grew. It sometimes became difficult to make sense of what I  was looking at.  It is much cleaner to read if you export it (see below).</p>
<p>As for value, v6.1 Core is free and the cost of my system is under $40. And the fact that you can configure IP routing (RIP, OSPF, BGP), IPv6, NAT, Stateful Firewalls, URL filtering, VPN, Load-balancing and QoS makes it very attractive.  I would certainly recommend the Core v6.1 platform for the home networking user, hobbyist, and the extremely small business owner.  I am impressed with my initial trial and will certainly continue to experiment with the product&#8217;s other features and blog again.</p>
<p>&nbsp;</p>
<p><em><strong>Here is the final configuration that I used to replace my Linksys home router.</strong></em></p>
<p>eth0 is the WAN interface.</p>
<p>eth1 and 2 are the inside LANs with their dedicated DHCP pools.</p>
<p>As well, I experimented with blocking and allowing webmail, porn, gaming sites, Facebook, etc.</p>
<div class="outcode">
<pre class="incode">vyatta@vyatta:~$ show configuration
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id 00:0e:a6:a4:05:f1
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        duplex auto
        hw-id 00:60:08:16:a8:0f
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address 10.10.10.1/24
        duplex auto
        hw-id 00:a0:24:cb:7a:32
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        hw-id 00:50:ba:c6:be:34
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                domain-name Leroux.local1
                lease 86400
                start 192.168.2.50 {
                    stop 192.168.2.200
                }
            }
        }
        shared-network-name POOL2 {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 10.10.10.1
                lease 86400
                start 10.10.10.105 {
                    stop 10.10.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            name-server 8.8.8.8
            name-server 8.8.8.4
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 20 {
            outbound-interface eth0
            source {
                address 10.10.10.0/24
            }
            type masquerade
        }
    }
    telnet {
        allow-root
        port 23
    }
    webproxy {
        cache-size 100
        default-port 3128
        listen-address 192.168.2.1 {
        }
        url-filtering {
            squidguard {
                allow-category webmail
                auto-update {
                    update-hour 23
                }
                block-category malware
                block-category porn
                block-category warez
                block-category proxy
                block-category games
                default-action allow
                local-block facebook.com
                local-block yahoo.com
                local-block-url facebook.com
                redirect-url http://www.google.com
            }
        }
    }
}
system {
    host-name vyatta
    login {
        user vyatta {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ****************
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}
vyatta@vyatta:~$</pre>
</div>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/583/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSH for the Avaya ERS8600</title>
		<link>http://blog.paulleroux.net/archives/536</link>
		<comments>http://blog.paulleroux.net/archives/536#comments</comments>
		<pubDate>Thu, 16 Dec 2010 04:49:51 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Configurations]]></category>
		<category><![CDATA[Lab]]></category>
		<category><![CDATA[ERS8600]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SSH]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=536</guid>
		<description><![CDATA[SSH is a protocol developed to address the inherent weakness within Telnet.  Telnet of course transfers all information and passwords in plaintext, that can be captured and reconstituted by anyone who is sniffing on your network.  SSH enabled devices will offer you that extra layer of security within your network and will protect you from [...]]]></description>
			<content:encoded><![CDATA[
<p><strong><a href="http://en.wikipedia.org/wiki/Secure_Shell" target="_blank">SSH</a> </strong>is a protocol developed to address the inherent weakness within Telnet.  Telnet of course transfers all information and passwords in plaintext, which can be captured and reconstituted by anyone who is <a href="http://en.wikipedia.org/wiki/Packet_analyzer" target="_blank">sniffing</a> on your network.  SSH-enabled devices will offer you that extra layer of security within your network and will protect you from IP spoofing, DNS spoofing, TCP hijacking attacks, and password sniffing. This is accomplished by the enhanced authentication and encryption that SSH provides.</p>
<p><strong>Before you begin enabling SSH on your ERS 8600 you will require the following.</strong></p>
<p><em>Please note: For my experiment I used an 8603 chassis with an 8691/256SF running v4.1.8.5</em></p>
<p>1- Nortel/Avaya console cable. <em>Avaya recommends that you perform this configuration at the local console.</em><br />
2- The 3DES image file copied to the flash of the Switch Fabric.  &#8220;p80c4XXX.img&#8221;<br />
3- A maintenance window because you are required to re-boot the switch.</p>
<p><strong>So let&#8217;s begin&#8230;</strong></p>
<p>***First you must disable the <strong>SSH Daemon, SNMP, rlogin, tftp, ftp, and telnet.</strong> Once that is complete you must load the 3DES encryption module.</p>
<div class="outcode">
<pre class="incode">config bootconfig flags sshd false
config bootconfig flags block-snmp true
config bootconfig flags rlogind false
config bootconfig flags telnetd false
config bootconfig flags ftpd false
config load-encryption-module 3DES</pre>
</div>
<p>Once the services listed above have been disabled we will now re-enable the SSH Daemon, save the <strong>bootconfig</strong>, and ****reboot the switch.</p>
<div class="outcode">
<pre class="incode">config bootconfig flags sshd true
save bootconfig
boot -y</pre>
</div>
<p><strong>Upon reboot,</strong> log back into the switch. This series of commands will create a basic SSH server on your ERS8600.<br />
NOTE: These are default settings.</p>
<div class="outcode">
<pre class="incode">config sys set ssh action rsa-keygen 1024
config sys set ssh action dsa-keygen 1024
config sys set ssh dsa-auth true
config sys set ssh max-sessions 4
config sys set ssh pass-auth true
config sys set ssh port 22
config sys set ssh rsa-auth true
config sys set ssh timeout 60
config sys set ssh version v2only
config sys set ssh enable true
config sys set ssh info
save config</pre>
</div>
<p><strong>Verify your work:</strong> The following command will show you the current SSH settings on your ERS8600</p>
<div class="outcode">
<pre class="incode">show sys ssh global|session</pre>
</div>
<p>You will soon notice that you can no longer utilize your normal Telnet and SNMP tools to manage your switch. Supported SSH clients you can use are <a href="http://www.tucows.com/preview/195282" target="_blank"><strong>Tera Term Pro</strong></a> and <a href="http://www.openssh.com/" target="_blank"><strong>OpenSSH</strong></a>. Other options are <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/" target="_blank"><strong>PuTTY</strong></a>, and of course <a href="http://www.nortel.com/corporate/nortel_on_nortel/cli_mgr.html" target="_blank"><strong>CLImanager</strong></a>.</p>
<p><strong>References and Further Reading.</strong><br />
- <a href="http://forums.networkinfrastructure.info/" target="_blank">http://forums.networkinfrastructure.info/</a> Mike&#8217;s Nortel/Avaya user forum.<br />
- <a href="http://www142.nortelnetworks.com/mdfs_app/techdoc/metro_ethernet/MERS8600_v4_1/pdf/NN46205-601_01.01_SEC.pdf" target="_blank"> Nortel Ethernet Routing Switch 8600: Configuring and Managing Security NN46205-601</a></p>
<p>***UPDATE: As per Mike&#8217;s comments below, you are not required to disable SNMP, TFTP, FTP, Rlogin and Telnet.  They are the recommendations I gleaned from the <a href="http://www142.nortelnetworks.com/mdfs_app/techdoc/metro_ethernet/MERS8600_v4_1/pdf/NN46205-601_01.01_SEC.pdf" target="_blank">NN46205-601 Guide</a>.<br />
**** Mike has also brought it to my attention that a reboot is not required, but it is recommended by Nortel/Avaya.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/536/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Total Network Management: Some things to consider</title>
		<link>http://blog.paulleroux.net/archives/497</link>
		<comments>http://blog.paulleroux.net/archives/497#comments</comments>
		<pubDate>Thu, 25 Nov 2010 04:21:42 +0000</pubDate>
		<dc:creator>Paul A. Leroux</dc:creator>
				<category><![CDATA[Network Managment]]></category>
		<category><![CDATA[cable managment]]></category>
		<category><![CDATA[Network Management]]></category>

		<guid isPermaLink="false">http://blog.paulleroux.net/?p=497</guid>
		<description><![CDATA[When a network engineer is asked about network management one often thinks about CiscoWorks, HPopenview, SolarWinds etc. If only it was that simple. &#8220;Total&#8221; Network management reaches well beyond the configuring and monitoring of your switches and routers. Here are some things to consider when you are asked to think about network management. Cable Management: [...]]]></description>
			<content:encoded><![CDATA[
<p>When a network engineer is asked about network management, one often thinks about CiscoWorks, HP OpenView, SolarWinds etc.  If only it were that simple. &#8220;Total&#8221; network management reaches well beyond the configuring and monitoring of your switches and routers.  Here are some things to consider when you are asked to think about network management.</p>
<p><span style="font-size: medium;"><strong>Cable Management:</strong></span><br />
FYI, Poor cable management is my biggest pet peeve.<br />
<strong>Orphan cables:</strong> Have you ever seen a cable hanging out of a rack with no home and not been sure what port it is plugged into on the other end? Well, get rid of it. Next time around someone will see it hanging there and plug it into something they shouldn&#8217;t.<br />
<strong>Label your cables:</strong> I would never expect all cables to be labeled. But all key links such as inter-router, inter-switch, firewalls and circuit links should be labeled.<br />
<strong>Cable Lengths</strong>: When ordering your cables always err on the side of too long. But too much excess cable rolled up in your racks is unsightly and takes up space in your cable managers.<br />
<strong>Tie downs:</strong> When asked what kind of tie downs I prefer, my personal preference is Velcro strips. Zip ties work great as well. But zip ties are not reusable and when you need to get inside a bundle of cables you always need to have scissors or side cutters handy.  Sharp objects around delicate fiber optics are not a good idea.<br />
<strong>Cable Managers:</strong> If you have racks that come with horizontal and vertical cable managers, D-Rings and Chimneys just take the extra 90 seconds and pull your cables through them.</p>
<p><span style="font-size: medium;"><strong>Tidiness and Cleanliness:</strong></span><br />
Much like the points made above, a clean and neat environment is an environment that is easy to work in and troubleshoot if necessary.<br />
<strong>Keep the production areas clean: </strong>Very straight forward.<br />
<strong>Surplus gear:</strong> If it&#8217;s not in use simply dismount it from the rack and store it, sell it, donate it, or trash it.<br />
<strong>Wire-closets are not storage areas:</strong> I can respect that office real-estate space is premium. People will look for anywhere to store their office supplies and old files. But when you can, limit who and what has access to the areas you manage. High traffic areas can tend to be high damage and theft areas.</p>
<p><span style="font-size: medium;"><strong>Living Documents and Diagrams:</strong></span><br />
Documentation can be a taxing demand, but it is necessary.<br />
<strong>Diagrams:</strong> Network diagrams are mandatory for any network design because there are some things that one cannot express in words. Network diagrams should be simple and expressed in a way that can be easily read by others.</p>
<p>If a network design is too complex to express in Visio or if your diagram is a bloody mess you probably need to re-visit your design.</p>
<p>Most importantly, Network diagrams should be a living document. Networks are never static therefore once a change is made in the physical network environment the change should be reflected in the diagram as well.  There is nothing worse than dusting off a diagram to research a problem just to find that the document has not been edited in 3 years.<br />
<strong>Change Logs:</strong> For all core devices in your network you might want to consider creating a change log with an Excel spreadsheet. Whenever you make a change, add, or delete to a switch configuration or a topology change, simply make a note in the change log. When researching network problems a change log is a valuable tool when you want to find out &#8220;who, when, where, and what&#8221; made the network changes.  More importantly, a change log just might prove your innocence if something terrible happens. It has for me.</p>
<p><span style="font-size: medium;"><strong>Crash carts</strong></span><br />
Prepare for the worst, hope for the best and always keep an emergency kit handy. When the network has failed, every minute wasted trying to track down your equipment can cost your organization thousands, perhaps millions, of dollars per minute. Your crash cart should consist of&#8230;</p>
<p>- Laptop(s) with a power supply and working battery<br />
- an extension cord<br />
- Every type of console cable you require.<br />
- Assortment of cables that are for emergency only.  Fiber, copper, x-over, in the varying lengths and connector types that you require.<br />
- Backups of config files and image files. This can be on a USB key or a system you have direct access to. *remember, the network might be down.<br />
- Assortment of GBICs.<br />
- Phillips screwdriver.<br />
- Side cutters. * see above if you use zipties.<br />
- Up-to-Date diagrams  * see above, Living documents.<br />
- Phone number list. Co-workers, help desks, 1-800 numbers etc etc.  Because everyone at one time or another needs to call for help. And if the network or email is down you will need to have those numbers in hand.</p>
<p><strong>Lastly;</strong> know where your spare switches, routers and modules are and make sure you have boxes or containers to transport them.  And make sure your stand-by devices are running the production image versions.</p>
<p><span style="font-size: medium;"><strong>Additional reading:</strong></span></p>
<p>Excellent list of rules for document writing</p>
<p><a href="http://etherealmind.com/rules-design-documentation-etherealmind/" target="_blank">http://etherealmind.com/rules-design-documentation-etherealmind/</a></p>
<p>images of cable management No No&#8217;s</p>
<p><a href="http://www.vibrant.com/cable-messes.php" target="_blank">http://www.vibrant.com/cable-messes.php</a></p>
<p>If there are any points you would like to add please leave a comment.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.paulleroux.net/archives/497/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

