Version 1.5




Chapter 2
Installing Network Devices

Prescriptive Architecture Guide




Abstract

The network architecture forms the basis for any e-commerce platform. This document describes the implementation process for installing networking devices for the Partner-led Microsoft® Systems Architecture (MSA) Internet Data Center (IDC).
Copyright © 2002 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

Trademark Information

EMC2, EMC, and Symmetrix are registered trademarks and EMC Enterprise Storage, The Enterprise Storage Company, The EMC Effect, Connectrix, CLARiiON, EMC ControlCenter, ESN Manager, and EMC Navisphere are trademarks of EMC Corporation. Microsoft, Windows, Windows NT, Active Directory, ActiveX, JScript, NetMeeting, SQL Server, and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
CONTENTS

INTRODUCTION  1
    Design Considerations  1
    System Prerequisites  2
    Internet Connectivity  2
    IP Addresses  2
    Domain Name System  3
    VLAN Numbering  4
    Hardware Components  4
    Configuration Sequence  5
EDGE ROUTERS: JUNIPER M5  6
    Baseline  6
    Configuring the Router  6
    To build a router configuration file:  7
    Installing the Edge Router  9
    Installing the Edge Router in the IDC Architecture  9
    Router Configuration  9
    Basic Configuration  9
    Interface Configuration  10
    Default Route Configuration  10
    Router Naming  10
    Failover Internet Connectivity on the Routers  11
    Border Gateway Protocol  11
    Virtual Router Redundancy Protocol  12
    Configuring Routers for VRRP  14
    Securing the Edge Router  15
    Using System Logs  15
    Securing the Management Interface on the Juniper Router  15
NORTEL NETWORKS PASSPORT 8600  16
    Baseline Passport 8600 Configuration  17
    Installing the Passport 8600 Switch  18
    Configuring Passport 8600  18
    Building the Configuration File  18
    Logging on to Passport 8600  19
    Uploading the Switch Configuration from the CLI  19
    Switch Configuration Notes  21
    Basic Switch Configuration  21
    Configuring Ports on the 10/100 Ethernet Blades  22
    Creating VLAN Segments  24
    Removing a VLAN  24
    Creating a Banner  25
    VLAN Redundancy on Passport 8600  25
    Inter-VLAN Communication  26
    Changing the Boot Configuration File  27
    Booting the Switch into the Changed Boot Configuration  28
    Securing Inter-VLAN Communication  28
    Routing Configuration Notes  28
    Configuring a VLAN for Layer 3 Capability  28
    Configure a VLAN for VRRP Capability  28
    General Routing Configuration  28
    Configuring Layer 3 Redundancy within the Switch  29
CONFIGURING THE ALTEON WEB SWITCH MODULE  30
ORDERING THE INTERNET DATA CENTER CONFIGURATION  33
    Edge Router – Juniper  33
    Nortel Passport 8600  34
SUMMARY  35
    More Information  35
APPENDIXES  36
    Appendix 2.1 – Network Diagram  36
    Appendix 2.2 – Router Configuration  36
    Appendix 2.3 – Deployment Switch Configurations  36
    Appendix 2.4 – Production Switch Configurations  36
    Appendix 2.5 – WSM Configuration  36
INTRODUCTION

This document builds upon the fundamentals of the Internet Data Center presented in Chapter 2, “Network Infrastructure Design,” in the Reference Architecture Guide of this documentation series. It describes the actual implementation of the network infrastructure and contains appendices that provide device configurations.

Business continuity is an extremely important concept, and the design of a network must take into account contingency for single points of failure (SPOFs). Each section describes the process of installing redundant equipment and the feature sets required to provide reasonable failover.

This document assumes that the reader has a basic understanding of networking terminology and is experienced with Nortel Networks and Juniper Networks network equipment, such as routers and switches. It is best to review this document while having access to the Internet, as there are several references to Web-based information resources.

Design Considerations

The Internet Data Center was created with the following network design considerations:

• Reliability. Conducting e-commerce over the Internet introduces elements beyond your control that can affect the availability of an e-commerce site. Using redundant components that run high-availability protocols, and redundant and diversely routed paths to an Internet Service Provider (ISP) or to diverse ISPs, removes the single points of failure that are within your control.

• Security. Connecting to the Internet to facilitate sales also introduces the risk that your resources will be defaced or damaged by unwanted parties. Damage might also originate from the internal portion of your network. The Internet Data Center is designed to mitigate these risks by segmenting the network and controlling traffic flow between segments.

• Scalability. The infrastructure must be able to grow as your company and its infrastructure grow.

• Resource usage. If you spend money on a resource, you want it to actively work for you. Where possible, network components within the Internet Data Center are configured to play an active role in managing network traffic.

• Expense. The Internet Data Center was designed to maximize availability while minimizing cost.

• Complexity. The infrastructure implements simple solutions whenever possible.

Prescriptive Architecture Guide, Chapter 2, Installing Network Devices 1
• Performance. The Internet Data Center balances performance goals against each other with the aim of simultaneously providing the most convenient access, the fastest recovery time, and the least amount of downtime.

For more information regarding design considerations and other details that provide insight into the Internet Data Center network, refer to the chapter “Network Infrastructure Design” in the Reference Architecture Guide of this documentation series.

System Prerequisites

Before implementing this infrastructure, it is important to establish Internet connectivity and obtain routable Internet Protocol (IP) addresses, implement a Domain Name System (DNS), and acquire the necessary hardware components.

Internet Connectivity

Internet connectivity is provided through an Internet service provider (ISP). Important things to consider when selecting an ISP are:

• Site Access. This is the access from your site to the ISP. An ISP is a valuable resource that helps you determine your initial access needs and accommodates your future requirements.

• Internet Access. This is the access from the ISP to the Internet. ISPs typically purchase large amounts of access (bandwidth) to the Internet through a Network Access Point (NAP). This large amount of access is divided into smaller amounts of access, such as site access. The type of access and the amount that will be available to you is an important factor.

• Service Level Agreement. This is an agreement between you and the ISP that defines the performance expectations for your access to the Internet through the ISP, and the actions that must be taken if those expectations are exceeded or not met.

• Technical support. You need to determine the level of technical support that will be made available to you. The ISP typically agrees to provide 24x7 support, either included in the service or at an additional cost.

• Price. Although important, price should not be the sole reason for choosing an ISP.

IP Addresses

It is essential to determine the IP addresses that each component will use before you build the infrastructure. The IP addressing scheme for implementing an e-commerce solution involves both public and private IP addresses.

2 Microsoft Systems Architecture Internet Data Center
Public addresses are used by customers to reach your site. These addresses are considered “external” with respect to the architecture. At the very least, the architecture requires a contiguous block of 32 public IP addresses (also known as a “/27”). Public IP addresses are typically arranged through your ISP.

Private IP addresses are used within the architecture by the components that do not require direct access from the Internet, and by design they cannot be routed across the Internet. Within the IDC architecture, subnets are created from the private supernet 192.168.0.0/16; for example, 192.168.11.0/24 and 192.168.12.0/24. Private IP addresses have been designated by the Internet Assigned Numbers Authority (IANA) for internal use only. The following addresses are designated by IANA as private and can be used anywhere within the internal portion of any infrastructure:

• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255

To enable internal devices to communicate across the Internet, a private IP address must be translated into a public address using Network Address Translation (NAT).

Domain Name System

For potential customers to reach your site by name (such as http://example.nortelnetworks.com) rather than by IP address, you need to acquire a name for your domain (public IP address space). You can acquire a domain name on your own through a domain name registration provider, such as Network Solutions, or by working with your ISP.

When acquiring a domain name for your site, you must also decide whether to host your domain name yourself or have your ISP do it for you. One advantage of hosting your own domain name is that you can directly administer any required changes. The biggest disadvantage of hosting your own domain name is the added complexity and expertise required to perform such a task. The additional expertise and equipment required to host your own domain name are beyond the scope of this document.
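The addressing rules in the "IP Addresses" section (a contiguous /27 of public space, private subnets carved from 192.168.0.0/16, and the three IANA private ranges) lend themselves to an automated check before any device is configured. The following Python script is an added example, not code from this guide or from EMC or Microsoft; the public block 203.0.113.0/27 and the subnet lists it checks are constructed sample values, and the function names are the example's own.

```python
"""Sanity checks for an Internet Data Center addressing plan.

Added example, not part of the chapter. It checks the properties the "IP
Addresses" section calls for: a contiguous public block of at least 32
addresses (a /27) that is not RFC 1918 space, and private subnets that are
carved from the chapter's 192.168.0.0/16 supernet without overlapping each
other. The blocks and subnets passed in below are constructed sample values.
"""
import ipaddress

# The three ranges the chapter lists as designated private by IANA (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(network):
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def check_public_block(block, minimum=32):
    """Report problems with the public block: host bits set, private space,
    or fewer than `minimum` addresses (32 means a prefix no longer than /27)."""
    try:
        net = ipaddress.ip_network(block, strict=True)
    except ValueError:
        return [f"{block} has host bits set; give the network address of the block"]
    problems = []
    if is_private(str(net)):
        problems.append(f"{net} is an RFC 1918 range, not a public block")
    if net.num_addresses < minimum:
        problems.append(f"{net} has {net.num_addresses} addresses, need {minimum}")
    return problems


def check_private_plan(subnets, supernet="192.168.0.0/16"):
    """Report internal subnets outside the chosen private supernet and any
    pair that overlaps; overlapping subnets break routing between VLANs."""
    parent = ipaddress.ip_network(supernet)
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    problems = [f"{n} is outside the private supernet {parent}"
                for n in nets if not n.subnet_of(parent)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed plan: a /27 from the documentation range and two internal /24s.
    print(check_public_block("203.0.113.0/27") or "public block OK")
    print(check_private_plan(["192.168.11.0/24", "192.168.12.0/24"]) or "private plan OK")
    print(check_public_block("192.168.1.0/28"))
```

Run it against the plan you intend to load into the routers and switches; an empty list from each check means the plan satisfies the section's requirements, and each string describes one violation to fix before building configuration files.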
VLAN Numbering

VLAN numbering in this chapter differs from what is detailed in the IDC Reference Architecture Guide (RAG). Refer to the following matrix for a comparison of VLAN numbering between the RAG and the Partner Solution.

Note VLAN numbering may differ based on your existing configuration.

VLAN Function                            RAG Numbering   Partner Solution Numbering
Web/DNS Internal VLAN                    11              18
SQL Cluster & Management VLAN            12              12
Infrastructure Server VLAN               13              13
Remote Management VLAN                   14              17
Router & Perimeter firewall VLAN         16              200
Perimeter firewall & External DNS VLAN   21              16
Web Cluster 1 VLAN                       22              16
Web Cluster 2 VLAN                       23              N/A

Hardware Components

As shown in Figure 2.1, the Internet Data Center network infrastructure has been built with the following components:

• Nortel Networks Passport 8600 switches
• Nortel Networks Alteon Switched Firewalls
• Nortel Networks Contivity 4600
• Juniper Networks M5 Routers

These devices are discussed in detail in subsequent sections of this document. It is assumed that the Nortel Networks equipment, along with physical plant requirements such as equipment racks, power, and cabling, is acquired prior to implementation.
Configuration Sequence

The subsequent sections of this document describe how to configure the Nortel infrastructure components. The components are presented in this document in a top-down sequence, as shown in Figure 2.1.

[Figure 2.1 Hardware Components Logically Connected. Labels recovered from the diagram: ISP1, ISP2, Perimeter Firewalls, VLAN 16, VLAN 13, DMZ Infrastructure, Web Server Farm, Domain Controllers, DNS, Application Servers, Switches, VLAN 18, VLAN 17, DRAC Network, Tools, Internal Firewalls, VLAN 12, Data and Management, Management Console Server, VPN, Backup Server, Management Servers, Database Servers.]

For information on deploying the Alteon Switched Firewalls, see Chapter 8, “Deploying the Firewalls,” of this guide.
EDGE ROUTERS: JUNIPER M5

The Juniper M5 edge router provides network routing between an ISP and the Internet Data Center. The edge router routes all data between the center and an ISP and provides the first line of security between the Internet Data Center and the Internet. This section describes the process of installing and securing the Juniper M5 edge router.

Baseline

The baseline configuration of the Juniper M5 routers used in the Internet Data Center includes the hardware and software shown in Table 2.1.

Table 2.1. Juniper M5 Baseline Configuration

Model        Description                                                                   Part Number   Software Version
Juniper M5   4-slot multiservice access router, with optional 4-port fast Ethernet module   750-002992    JUNOS 5.1

You will learn more about the baseline hardware and software configuration in the “Ordering the Internet Data Center Configuration” section of this chapter.

Note Table 2.1 displays the sample configuration used in the Internet Data Center lab environment. Your requirements may be different.

Configuring the Router

To configure the Juniper M5 router, you need to complete the following steps:

• Build a configuration file
• Log on to the router
• Upload the configuration

The following sections look at these steps in detail.
Building a Router Configuration File

The first stage is to build a suitable router configuration file.

To build a router configuration file:

1. Open a text editor such as Notepad. You use a text editor to create the configuration file. Copy the sample router configuration provided in Appendix 2.3 and paste it into the text editor window.

Note Appendix 2.3 contains both primary and secondary router configurations.

2. Update the sample router configuration to reflect the particular properties of your network, such as subnet mask, IP addresses, and firewall filters. Make a copy of this file and store it in a safe place for disaster recovery.

Remember that you must configure the router interfaces with the IP addresses of your own network. You must make these changes to the router configuration using a text editor before you move to the next step. See subsequent sections of this document for instructions on how to configure passwords and interfaces.

For complete instructions, see the technical documentation available from the Juniper Web site at: http://www.juniper.net/techpubs

Logging on to the Router

Use the provided serial cable to initially configure the router. Set up a terminal session (9600, N, 1) to the console port of the router.

To log on to the router:

1. Log on as root with no password.
2. Type the keyword cli at the prompt.

    Amnesiac (ttyd0)
    Login: root
    Password:
    Last login: Wed Aug 15 16:54:42 on ttyd0
    --- JUNOS 4.3R1.4 built 2001-01-19 07:26:27 UTC
    %
    % cli
    root>
    root>

Figure 2.2 Sample Configuration Output

Note Due to the security implications of attaching a modem to the edge router, the Internet Data Center architecture does not include this method of administrative access.
Uploading the Router Configuration

After you have logged on to the router, you can upload a previously created configuration for the Juniper M5 edge router.

To load a previously created configuration file:

1. To enter configuration mode, type configure and then press ENTER.
2. Open the configuration file in Notepad and copy the configuration information to the Clipboard.
3. Return to the router configuration window, and clear any active configuration by typing delete and then pressing ENTER.
4. Type commit.
5. While still in configuration mode, type load override terminal. Press ENTER and wait for the prompt. Now paste the edge router configuration (modified at step 2 of “Building a Router Configuration File,” above) from Notepad into this window. After the router configuration is pasted into the window, press [CTRL+D]. This exits the input mode.
6. To verify the configuration, type show and press ENTER.
7. To commit and save this configuration, type commit and press ENTER.
8. To save the file with the filename production.cfg, type save production.cfg.

    Amnesiac (ttyd0)
    login: root
    Password: <no password>
    Last login: Wed Aug 15 16:54:42 on ttyd0
    --- JUNOS 4.3R1.4 built 2001-01-19 07:26:27 UTC
    % cli
    root> configure
    Entering configuration mode
    [edit]
    root# load override terminal
    [Type ^D to end input]
    < copy and paste edited router configuration here >
    ^D
    load complete
    [edit]
    admin@Juniper-B# commit
    commit complete
    [edit]
    root@hostname# save production.cfg
    root@hostname#

Figure 2.3 Sample Configuration Output
9. Create the root password and additional logon accounts.

    root@hostname# set system root-authentication plain-text-password
    New password:
    Retype new password:
    root@hostname# set system login user <userid> class superuser authentication plain-text-password

Figure 2.4 Sample Configuration Output

10. Commit the changes.

    root@hostname# commit

Figure 2.5 Sample Configuration Output

For more information about this procedure, refer to the JUNOS Configuration Guide, which is available from Juniper at: http://www.juniper.net/techpubs

Installing the Edge Router

Before configuring the edge routers, ensure they are installed and connected as described in the Juniper M5 Hardware Installation Guide. This guide is packaged with the routers, in book form or on a compact disc. Both these documents are also available online at the Juniper Web site (http://www.juniper.net/techpubs).

Installing the Edge Router in the IDC Architecture

1. Connect the ISP cable:
   a. If the ISP provides a SONET/ATM/DS3 connection, verify and configure the appropriate protocol and connect it to the interface on the router.
   b. If the ISP provides an Ethernet connection, connect the ISP Ethernet cable to the first Ethernet interface on the router, named fe-0/0/0.
2. Connect a cable from the next Ethernet port on the edge router to the Nortel Passport 8600.

Router Configuration

The following sections describe the different areas of router configuration. This information helps you understand the reasons and methods for making certain selections in router configuration in the Internet Data Center.

Basic Configuration

The following section addresses the basic configuration of routers as implemented in the Internet Data Center.
Interface Configuration

Configure the router interfaces using interface hierarchy commands. For the Internet Data Center architecture, only fast Ethernet ports were used. The syntax to construct an interface configuration within the interface hierarchy is as follows:

    user@host> configure
    user@host# set interfaces fe-0/0/0 unit 0 family inet address ip-address/mask-bits
    user@host# show
    user@host# commit

As a result of this command, the interface hierarchy appears in the configuration as:

    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address ip-address/mask-bits;
                }
            }
        }
    }

For more information on configuring interfaces, refer to the Web site: http://www.juniper.net/techpubs

Default Route Configuration

Use the commands associated with the routing-options hierarchy to enter a default route to the gateway router.

    user@host# set routing-options static route 0.0.0.0/0 next-hop <ip-address-of-next-hop>
    user@host# commit

As a result of this command, the routing-options hierarchy appears in the configuration as:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop ip-address-of-gateway;
        }
    }

Router Naming

Name the router by using the following system hierarchy commands:

    user@host# set system host-name your-hostname
    user@host# commit

As a result of this command, the system hierarchy appears in the configuration as:

    system {
        host-name your-hostname;
    }
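The three pairs of set command and resulting hierarchy above follow one rule: each word of the path opens a nested level and the final statement ends in a semicolon. The following Python script is an added example, not Juniper's code and not part of this guide; it applies that rule to reproduce the three hierarchies shown and merges several set commands into one tree, which is what you see when you type show after loading a configuration. KEYED and COLLAPSED are hand-written schema hints (the real CLI takes the same information from its schema), and the hostnames and addresses in the usage are constructed.

```python
"""Render Junos-style `set` commands as the braced configuration hierarchy.

Added example, not Juniper's code. It reproduces the rule the chapter
illustrates for interfaces, routing-options and system: every word of the
`set` path opens a nested container and the last statement becomes a leaf
ending in ';'. KEYED and COLLAPSED are hand-written schema hints (the real
CLI takes them from its schema): keywords in KEYED carry an identifier or
value as part of their name, keywords in COLLAPSED are shown on one line when
they hold a single leaf, as 'route 0.0.0.0/0 next-hop ...;' does.
"""

# Keywords whose next token is an identifier or value belonging to the same node.
KEYED = {"unit", "family", "address", "route", "next-hop", "host-name",
         "autonomous-system", "group", "neighbor", "peer-as", "local-address",
         "local-as", "type", "vrrp-group", "virtual-address", "priority",
         "interface", "priority-cost"}
# Containers Junos prints on one line when they contain exactly one leaf.
COLLAPSED = {"route"}


def parse_set(command):
    """'set a b c' -> ['a', 'b', 'c'], merging keyed keywords with their value."""
    tokens = command.split()
    if not tokens or tokens[0] != "set":
        raise ValueError(f"not a set command: {command!r}")
    path, i = [], 1
    while i < len(tokens):
        word = tokens[i]
        if word in KEYED and i + 1 < len(tokens):
            path.append(f"{word} {tokens[i + 1]}")
            i += 2
        else:
            path.append(word)
            i += 1
    return path


def build_tree(commands):
    """Merge the paths of several set commands into one nested dict (a trie),
    so commands sharing a prefix land under the same container."""
    root = {}
    for command in commands:
        node = root
        for part in parse_set(command):
            node = node.setdefault(part, {})
    return root


def render(tree, indent=0):
    """Emit the trie as Junos braces, four spaces per level; leaves end in ';'."""
    pad = "    " * indent
    lines = []
    for name, children in tree.items():
        keyword = name.split()[0]
        if not children:
            lines.append(f"{pad}{name};")
        elif keyword in COLLAPSED and len(children) == 1 and not list(children.values())[0]:
            (child,) = children
            lines.append(f"{pad}{name} {child};")
        else:
            lines.append(f"{pad}{name} {{")
            lines.extend(render(children, indent + 1))
            lines.append(f"{pad}}}")
    return lines


def hierarchy(commands):
    """Return the whole configuration hierarchy for a list of set commands."""
    return "\n".join(render(build_tree(commands)))


if __name__ == "__main__":
    # Constructed values: two interfaces, a default route and a hostname.
    print(hierarchy([
        "set interfaces fe-0/0/0 unit 0 family inet address 203.0.113.2/27",
        "set interfaces fe-0/0/1 unit 0 family inet address 192.168.9.6/24",
        "set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1",
        "set system host-name idc-edge-a",
    ]))
```

Because the tree is keyed by path, the order of the set commands does not matter, which is also why a configuration file built in a text editor can be pasted in any order at the load override terminal prompt and still produce one coherent hierarchy.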
Failover Internet Connectivity on the Routers

To achieve reliable connectivity to and from the external edge of the Internet Data Center environment, you use redundant routers and links and employ a dynamic routing protocol. Virtual Router Redundancy Protocol (VRRP) can also be used to provide redundant exit points for the servers in the Internet Data Center network.

Border Gateway Protocol

Depending on the routing architecture of the Internet Data Center, you can use Border Gateway Protocol (BGP) to provide redundant links to multiple service providers. The configuration of BGP is case-dependent. For a successful BGP implementation, you need to consider dependencies specific to each Internet connection. These issues are best handled when coordinating Internet connectivity with an ISP. In fact, the ISPs may be better positioned to run BGP on your behalf.

Many companies use multiple ISPs to avoid critical reliance on a single provider and its inherent network problems. Other companies use multiple diversely routed connections to a single provider’s network. Redundant Juniper M5 edge routers provide continuity, optimized routing, and reliability by using standard dynamic routing protocols, such as BGP.

As defined in RFC 1771, BGP provides loop-free inter-domain routing between autonomous systems. An autonomous system (AS) is a set of routers that operates under the same administration, and it requires a registered AS number. BGP is often run among the networks of ISPs. An AS must be set up for a company by the ISP. For more information on obtaining an AS number, refer to the Web site http://www.arin.net/templates/asntemplate.txt

Configuring a Router for BGP

1. To enable BGP routing, configure the routing-options hierarchy by entering the following commands:

    user@hostname# edit routing-options
    [edit routing-options]
    user@hostname# set autonomous-system <your-AS-number>

2. Define BGP neighbors. BGP supports internal and external neighbors. Internal neighbors are in the same AS, whereas external neighbors are in a different AS. Typically, external neighbors are adjacent to each other and share a subnet, while internal neighbors can be anywhere within the same AS. Configure the protocols hierarchy using the following syntax:
    user@hostname# edit protocols bgp group group-name
    [edit protocols bgp group group-name]
    user@hostname# set type IBGP-or-EBGP
    user@hostname# set peer-as peer-or-ISP-AS-number-if-using-EBGP
    user@hostname# set neighbor ip-address-of-neighbor
    user@hostname# set local-address ip-address-to-peer-from
    user@hostname# set local-as local-AS-if-using-EBGP

For more information on BGP configuration on the Juniper M5 router, refer to the Juniper Web site (http://www.juniper.net/techpubs).

Virtual Router Redundancy Protocol

The Virtual Router Redundancy Protocol (VRRP) provides automatic router redundancy over Ethernet Local Area Networks (LANs). VRRP allows a backup router to automatically assume the function of the primary router if the primary router fails.

VRRP uses a priority scheme to determine which VRRP-configured router is the primary active router. To configure a router as the primary active router, you assign it a priority higher than the priority of all other VRRP-configured routers. The default priority is 100. Therefore, you need to configure just one router with a priority greater than 100 to make that router the primary active router.

VRRP works by exchanging multicast messages that advertise priority among VRRP-configured routers. VRRP-configured routers exchange three types of multicast messages:

• Hello. The hello message conveys the router's VRRP priority and state information to other VRRP routers. By default, a VRRP router sends hello messages every three seconds.

• Coup. When a standby router assumes the function of the active router, it sends a coup message.

• Resign. An active router sends the resign message when it is about to shut down or when a router that has a higher priority sends a hello message.

When the active router fails to send a hello message within a configurable period of time, the standby router with the highest priority becomes the active router. The transition of packet-forwarding functions between routers is completely transparent to all hosts on the network.

At any time, VRRP-configured routers are in one of the following states:

• Active: The router is performing packet-transfer functions.

• Standby: The router is prepared to assume packet-transfer functions if the active router fails.
• Speaking and listening: The router is sending and receiving hello messages.

• Listening: The router is receiving hello messages.

For more information about VRRP, refer to the following Web sites:

http://www.juniper.net/techpubs
http://www.ietf.org/rfc2338.txt

In the IDC architecture, one Juniper M5 is in the active state and the other is in the standby state.

[Figure 2.6 Routers using VRRP in the Internet Data Center. Labels recovered from the diagram: ISP, ISP, Juniper M5 A, Juniper M5 B, fe-0/0/0, fe-0/0/0, fe-0/0/1, fe-0/0/2, fe-0/0/2, fe-0/0/1, VRRP Area, VLAN 200.]

In addition to providing redundant router-gateway functionality, the Internet Data Center VRRP implementation also monitors the state of the uplink ports. For example, a failure of the uplink port fe-0/0/0 can lower the priority of the VRRP interface. This technique, also known as interface tracking, adjusts the priority of a VRRP interface depending on the state of the tracked interface. Both routers have VRRP configured to track their respective fe-0/0/0 interfaces. When a fe-0/0/0 interface changes state, the VRRP priority of the fe-0/0/1 interface is lowered by a configured value (by default, 10). This newly calculated lower priority is then shared with the other VRRP peers and compared with their existing priorities. If the VRRP priority value of a peer router is greater than the lowered value, the peer router takes over as the master of the VRRP virtual IP address.

For example, M5-A has a VRRP priority value of 105 and M5-B (its peer) has a VRRP priority value of 100. In this case, M5-A is the master. If the fe-0/0/0 interface on M5-A fails, the VRRP priority of this router changes to 95. M5-B, which has a priority value of 100, becomes the master router.
Configuring Routers for VRRP

To configure routers for VRRP, perform the following steps:

1. Enable VRRP by using the interfaces hierarchy commands, as in the following example:

    fe-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.9.6/24 {
                    vrrp-group 10 {
                        authentication-type md5;
                        authentication-key InternetDataCenter#ENCRYPTED#;
                        advertise-interval 1;
                        hold-time 3000;
                        virtual-address 192.168.9.5;
                        priority 100;
                        track {
                            interface fe-0/0/0 priority-cost 120;
                        }
                    }
                }
            }
        }
    }

2. Configure preshared key authentication using the MD5 algorithm, which creates an encoded checksum of the packet. The checksum is placed in the TCP header, and the preshared key of the receiving router is used to decode the checksum.

    authentication-type md5

   Note This is an optional step.

3. Create the preshared key that will be used by all neighbors participating in secured VRRP.

    authentication-key INSERT-YOUR-KEY

4. Set the Hot Standby priority used in selecting the active router. For this, use the priority command with the following syntax:

    priority <priority>

5. Configure the interface to track other interfaces, so that if a tracked interface goes down, the Hot Standby priority of that device is lowered. For this, use the track statement with the following syntax:

    track {
        interface <interface> priority-cost <value>;
    }

More details on VRRP configuration can be found at the Juniper Web site (http://www.juniper.net/techpubs).
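The priority-tracking election described above, worked through as an added Python model (not Junos code and not part of the guide): it reproduces the M5-A (105) versus M5-B (100) scenario with a priority cost of 10, uses the RFC 2338 master-down interval, and assumes a constructed address 192.168.9.7 for M5-B and a clamp of the tracked priority to the VRRP minimum of 1 (which is what the sample config's cost of 120 against a priority of 100 would hit).

```python
"""VRRP master election with interface tracking, modelled on RFC 2338.

Added example (not from the Prescriptive Architecture Guide). It reproduces
the chapter's scenario: M5-A (priority 105) and M5-B (priority 100) both
track fe-0/0/0 with a priority cost of 10, so an uplink failure on M5-A
hands the virtual address 192.168.9.5 to M5-B. Clamping the tracked
priority to the VRRP minimum of 1 is an assumption of this model.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

VRRP_MIN_PRIORITY = 1      # 0 is reserved for "master releasing the VIP"
VRRP_MAX_PRIORITY = 254    # 255 is reserved for the address owner


@dataclass
class VrrpRouter:
    name: str
    address: str                   # real address on the VRRP interface
    priority: int                  # configured priority (1-254)
    advertise_interval: int = 1    # seconds, as in the sample config
    tracked: dict = field(default_factory=dict)   # iface -> priority cost
    link_up: dict = field(default_factory=dict)   # iface -> bool (default up)

    def effective_priority(self) -> int:
        """Configured priority minus the cost of every tracked link that is down."""
        cost = sum(c for i, c in self.tracked.items() if not self.link_up.get(i, True))
        return max(VRRP_MIN_PRIORITY, min(VRRP_MAX_PRIORITY, self.priority - cost))

    def master_down_interval(self) -> float:
        """Seconds a backup waits without advertisements before taking over (RFC 2338).

        Lower-priority routers wait slightly longer (the skew time), which keeps
        two backups from both claiming the virtual address at once.
        """
        skew = (256 - self.effective_priority()) / 256
        return 3 * self.advertise_interval + skew


def elect_master(routers: list[VrrpRouter]) -> VrrpRouter:
    """Highest effective priority wins; ties go to the higher real IP address."""
    return max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.address)))


def idc_routers() -> list[VrrpRouter]:
    """The two edge routers of the chapter; 192.168.9.7 is a constructed address."""
    a = VrrpRouter("M5-A", "192.168.9.6", 105, tracked={"fe-0/0/0": 10})
    b = VrrpRouter("M5-B", "192.168.9.7", 100, tracked={"fe-0/0/0": 10})
    return [a, b]


def master_after_uplink_failure(failed_router: str) -> str:
    """Name of the master once `failed_router` loses its fe-0/0/0 uplink."""
    routers = idc_routers()
    for r in routers:
        if r.name == failed_router:
            r.link_up["fe-0/0/0"] = False
    return elect_master(routers).name


if __name__ == "__main__":
    routers = idc_routers()
    print("steady state master:", elect_master(routers).name)              # M5-A
    print("after M5-A uplink failure:", master_after_uplink_failure("M5-A"))  # M5-B
    for r in routers:
        print(f"{r.name}: priority {r.effective_priority()}, "
              f"master down interval {r.master_down_interval():.3f}s")
```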
Securing the Edge Router

Proper configuration of the edge router includes protecting the router and the Internet Data Center network against malicious users by using security commands. You secure the edge router by creating access control lists and system logs. Sample configuration commands have been provided in 3.2 and are discussed here.

Using System Logs

You configure system logging within the system hierarchy. You can employ several variables depending on the logging requirements of your organization, such as file name, file size, event classification, and remote logging. For more information on developing a logging strategy for your organization, refer to the Juniper Web site (http://www.juniper.net/techpubs).

Securing the Management Interface on the Juniper Router

Administrators should configure the Juniper router to accept SSH or Telnet sessions only from a known management IP network. This prevents malicious users from gaining access to the Junos CLI.
NORTEL NETWORKS PASSPORT 8600

The Nortel Networks Passport 8000 series of switches comprises three product groups:

• Passport 8100 (Layer-2 functionality)
• Passport 8600 (Layer-2 and Layer-3 functionality)
• Passport 8600 w/WSM (Layer-2 through Layer-7 functionality)

Each group of products contains similarly configured equipment. However, the only common link between the two groups is the chassis. Modules for one group cannot coexist with those of the other group.

Figure 2.7 Nortel Networks Passport 8600

As shown in Figure 2.7, the Nortel Networks Passport 8600 is a routing switch that provides IP Layer 2-3 switching for the various server groups within the Internet Data Center. Systems connected to the Passport 8600 are grouped by VLAN segments, which are logically isolated from each other. Inter-VLAN communication passes through a virtual router (Layer-3). This is known as Multi-Layer Switching (MLS) and provides Layer-3 (IP routing) connectivity. The Passport 8600 switch configures the Layer-2 switch functionality and the Layer-3 IP router functionality from the same console.
Baseline Passport 8600 Configuration

The baseline configuration of the Passport 8600 used in the Internet Data Center includes the following hardware and software. For network redundancy, you need two physical devices.

Table 2.4. Passport 8600 Baseline Hardware and Software Configuration

Model    Qty   Description                       Hardware Version   Software Version
8010     2     Passport 8600 10 slot Chassis     N/A                N/A
8690SF   4     Switch Fabric                     N/A                3.2.1.0
8608SX   4     8 Port SX Gigabit Ethernet        N/A                N/A
8648TX   6     48 Port 10/100TX Ethernet         N/A                N/A
WSM      2     Alteon Web Switch Module          N/A                9.0.25

For more information, refer to the "Ordering the IDC Configuration" section of this document.

Table 2.5 shows the actual placement of modules within the 10-slot chassis:

Table 2.5. Module Placements

Slot   Module / Card     Slot   Module / Card
1      WSM               10
2      8608SX            9
3      8648TX            8      8608SX
4      8648TX            7      8648TX
5      8690SF            6      8690SF
Installing the Passport 8600 Switch

Before configuring the Passport 8600, ensure that the switch, modules, and power supplies are installed and connected as described in the Installing the Passport 8010 Chassis and Installing Passport 8600 Modules guides. These guides are packaged with the chassis, either as a book or on a CD-ROM. The latest versions of this documentation can be found on the Nortel Networks Web site: http://www.nortelnetworks.com.

Configuring Passport 8600

To configure the Layer-2 switching and Layer-3 routing functionality of the Passport 8600, you need to build a configuration file using the configuration tools supplied with the unit. This configuration file is then copied to the switch and activated.

Building the Configuration File

For simplicity, you can use the sample Passport 8600 configuration provided in Appendix 2.4 as a template for this configuration. However, you will need an engineer to replace all site-specific information, such as IP addresses, VLAN information, passwords, and so on. Remember that you must maintain backup copies of the configuration at all times for configuration management. If configuration files contain password information, you need to be careful about file access and file storage to avoid potential security breaches. Therefore, a configuration management system is highly recommended.

To build the configuration files needed during deployment:

1. Open a text editor such as Notepad. You use a text editor to create the configuration file. Copy the sample switch configuration provided in Appendix 2.4 and paste it in the text editor window.

   Note Appendix 2.4 contains both primary and secondary switch configurations for deployment.

2. Edit the file to reflect the particular properties of the target network, such as IP addresses, subnet masks, and passwords. Save the file and make a backup of this file using a version-control-style naming convention such as config-v1-1-0.cfg. Store this file in a safe place.
Logging on to Passport 8600

Initial configuration of the Passport 8600 is performed at the console port using a terminal emulator such as HyperTerminal, the special serial cable supplied with the unit, and the privileged user name and password. This console port connection provides a Command Line Interface (CLI) to the Passport 8600. For information on how to set up the terminal session to communicate with the Passport 8600 and the necessary CLI commands, refer to the Nortel Networks Passport 8600 documentation.

Uploading the Switch Configuration from the CLI

To configure the Passport 8600 using TFTP from the CLI, perform the following steps:

1. Ensure that only the primary processor is active and the secondary processor is pulled out.
2. Connect your management system to the switch processor using a serial cable to the Console port and a network cable (RJ-45) to the Management port.
3. Change the IP address on the management system to an IP address to be used for switch management (for example, IP: 10.0.0.10 and Subnet Mask: 255.255.255.0).
4. Log on to the switch. The default user name and password are both set to rwa.
5. Reset the switch using the reset -y command from the serial connection.
6. When you are asked to stop autoboot, press Enter to halt the process. This places you in the boot monitor.

   Note Before transferring files, you need a computer running a TFTP server. You can download several free TFTP servers from the Internet. Next you will need to connect to the Passport's Switch Fabric module using an Ethernet cable. Your Ethernet cable needs to be plugged into the management port on the module.

7. Using the monitor, type net mgmt info to view the current net management configuration of the boot monitor.
8. To configure the net mgmt port for TFTP and other management needs, assign an IP address to the port.

   a. To set the port interface address on the switch, use the net mgmt ip command from the boot monitor.

      Monitor: net mgmt ip <address/mask>

      For example, net mgmt ip 10.0.0.1/24
   b. To set the TFTP server IP address for the switch, add the IP address that you set in step 3 into the monitor using the net mgmt tftp command.

      Monitor: net mgmt tftp <address>

      For example, net mgmt tftp 10.0.0.10

9. After applying the management changes, save the changes using the save command.

      Monitor: save

10. Make sure that the TFTP server is running on the management system and points to the folder containing the configuration files from the "Building the Configuration File" section.
11. Copy the configuration file from your TFTP server to the switch processor's flash as config.cfg using the copy command.

      Monitor: copy <tftp address>: file /flash/config.cfg

12. To load your current image file and the new configuration file, type boot.

      Monitor: boot

13. Log on to the switch. The default user name and password are both set to rwa.
14. Type show config to verify that the changes have been made.
15. Type show ip vrrp info for information about the VLAN gateway.
16. To replicate the changes to the secondary processor, insert the secondary processor.
17. Next, use the following command:

      save config standby /flash/config.cfg

18. Type reset -y and press Enter.
19. Log on to the switch. The default user name and password are both set to rwa.
20. You will see the @ sign in front of the prompt. This indicates that you are logged on to the secondary processor. For example, @MSA_TOP#.
21. Connect your management system to the secondary switch processor using a serial cable to the Console port and a network cable (RJ-45) to the Management port.
22. Log on to the switch. The default user name and password are both set to rwa.
23. Type show config to verify that the changes have been made.
24. Type show ip vrrp info for information about the VLAN gateway.

Repeat this procedure for each Passport 8600 used in the Internet Data Center, ensuring that you apply device-specific configurations. You can now connect the Passport 8600 to other equipment and test it.

Switch Configuration Notes

The following sections contain information about specific areas of the switch configuration. This information helps you understand the methods and reasons for selecting a specific switch configuration.

Basic Switch Configuration

You can use the following logical sequence of commands to configure the switch. These same commands are used in the sample configuration in Appendix 2.4.

Global system settings include system name, time and date, system prompt, and passwords. To configure the global settings, use the following commands and syntax:

1. Set the system name by using the config sys set command.

    MSA_BOT:5# config sys set
    MSA_BOT:5/config/sys/set# name <system name>

2. Set the current date and time by using the config setdate command.

    MSA_BOT:5# config
    MSA_BOT:5/config# setdate MMddyyyyhhmmss

3. Set the console password by using the following command:

    MSA_BOT:5# config cli password
    MSA_BOT:5/config/cli/password# <access> <login> <password>
    MSA_BOT:5/config/cli/password# info

        ACCESS   LOGIN   PASSWORD
        rwa      rwa     rwa
        rw       rw      rw
        l3       l3      l3
        l2       l2      l2
        l1       l1      l1
        ro       ro      ro
    MSA_BOT:5# config sys set
    MSA_BOT:5/config/sys/set# name MSA_TOP
    MSA_TOP:5/config/sys/set#

    MSA_BOT:5/config# setdate 11012001203200
    Local time: THU NOV 01 20:32:00 2001 UTC
    Utc time:   THU NOV 01 20:32:00 2001 UTC

    MSA_BOT:5# config cli password
    MSA_BOT:5/config/cli/password# rwa Nortel Networks
    MSA_BOT:5/config/cli/password# info

        ACCESS   LOGIN    PASSWORD
        rwa      Nortel   Networks
        rw       rw       rw
        l3       l3       l3
        l2       l2       l2
        l1       l1       l1
        ro       ro       ro

Figure 2.9 Sample Output when Configuring the Global Settings

Configuring Ports on the 10/100 Ethernet Blades

Specific port configuration can vary depending on the interface of the hosts being connected. Remember that the speed and duplex settings configured on the switch must match the settings of the interface on the host to be connected. We recommend setting everything to auto-negotiate.

To configure the ports on the switch:

1. Set the port speed of the interface. Use config ethernet to force the speed and duplex of the port, or to set it to auto-negotiate.

    MSA_BOT:5# config ethernet <slot/port>
    MSA_BOT:5/config/ethernet/<slot/port># auto-negotiate enable

   Or

    MSA_BOT:5/config/ethernet/<slot/port># auto-negotiate disable
    MSA_BOT:5/config/ethernet/<slot/port># duplex full
    MSA_BOT:5/config/ethernet/<slot/port># speed 100

2. Enable the port.

    MSA_BOT:5# config ethernet <slot/port>
    MSA_BOT:5/config/ethernet/1/1# state enable
    MSA_BOT:5# config ethernet <slot/port>
    MSA_BOT:5/config/ethernet/<slot/port># auto-negotiate enable|disable
    MSA_BOT:5/config/ethernet/<slot/port># duplex full
    MSA_BOT:5/config/ethernet/<slot/port># speed 100
    MSA_BOT:5/config/ethernet/<slot/port># info

    Port <slot/port>:
        lock                    : false
        name                    :
        auto-negotiate          : true
        enable-diffserv         : false
        access-diffserv         : false
        qos-level               : 1
        unknown-mac-discard     : disable
        default-vlan-id         : 1115
        tagged-frames-discard   : disable
        perform-tagging         : disable
        untagged-frames-discard : disable
        state                   : up
        linktrap                : enable
        multicast rate-limit    : disabled
        broadcast rate-limit    : disabled

    MSA_BOT:5# config ethernet 4/48
    MSA_BOT:5/config/ethernet/4/48# auto-negotiate enable|disable
    MSA_BOT:5/config/ethernet/4/48# duplex full
    MSA_BOT:5/config/ethernet/4/48# speed 100

Figure 2.10 Sample Output While Configuring a Port
Creating VLAN Segments

Typically, each VLAN in an IP network is associated with a single IP subnetwork. Therefore, all hosts in a given VLAN belong to a single subnet, use the same subnet mask, and use the default gateway connected to that subnetwork. The servers in the Internet Data Center architecture are grouped and assigned to VLANs based on the functions they perform and their relative positioning on the inner or outer network.

To configure a VLAN on the switch, use the following commands and syntax:

1. Create a VLAN and assign ports by using the config vlan command.

    MSA_BOT:5# config vlan <vlan-number>
    MSA_BOT:5/config/vlan/<vlan-number># create byport 1
    MSA_BOT:5/config/vlan/<vlan-number># ports
    MSA_BOT:5/config/vlan/<vlan-number>/ports# add <slot1/port1>-<slot2/port2>,<slot3/port3>-<slot4/port4>

2. Verify the configuration of the VLANs.

    MSA_BOT:5# show vlan info all

   Note The IDC uses VLANs 12 through 18, and 200.

Removing a VLAN

To remove a VLAN from the Passport 8000, use the following command and syntax:

    MSA_BOT:5# config vlan <vlan-number>
    MSA_BOT:5/config/vlan/<vlan-number># del

    MSA_BOT:5# config vlan 18
    MSA_BOT:5/config/vlan/18# create byport 1
    MSA_BOT:5/config/vlan/18# ports
    MSA_BOT:5/config/vlan/18/ports# add 1/1-1/2,4/1-4/24
    MSA_BOT:5# show vlan info all
    MSA_BOT:5# config vlan 18
    MSA_BOT:5/config/vlan/18# del

Figure 2.11 Sample Output when Configuring and Removing a VLAN from Passport 8600
Creating a Banner

The banner message appears when you are attached to the switch and before you enter the password. The message should make it clear that unauthorized access is prohibited. To create a banner message, use the cli banner add command with the following syntax:

    MSA_BOT:5/config/cli/banner# add <string>

This command adds lines of text to the CLI login banner. The parameter <string> is an ASCII string from 1 to 1024 characters.

    MSA_BOT:5/config/cli/banner# defaultbanner <true|false>

This enables or disables the default CLI login banner.

    MSA_BOT:5/config/cli/banner# delete

This deletes an existing customized login banner.

    MSA_BOT:5/config/cli# defaultlogin <true|false>

This enables or disables the default logon banner using the default login string. The parameter false disables the default logon banner and displays the new banner.

    MSA_BOT:5/config/cli# loginprompt <string>

This changes the CLI logon prompt. The parameter <string> is an ASCII string from 1 to 1024 characters.

    MSA_TOP:5/config/cli/banner# add "This is a private system - KEEP OUT!"
    MSA_TOP:5/config/cli/banner# defaultbanner false
    MSA_TOP:5/config/cli/banner# info

        Sub-Context:
        Current Context:
            defaultbanner : false
            custom banner : This is a private system - KEEP OUT!

Figure 2.12 Example of Creating a Banner Message

VLAN Redundancy on Passport 8600

In VLANs, you provide redundancy by connecting the servers to separate Passport 8600 switches and using adapters in "teaming" mode. Gigabit Multilink Trunks between the two switches accommodate trunking. This provides alternate paths for the teamed servers in case a switch fails or loses connection. VLAN redundancy has been implemented in the Internet Data Center architecture as shown in Figure 2.13.
Figure 2.13 Redundant Switches with Gigabit Multilink Trunking

Gigabit Multilink Trunking

Gigabit Ethernet port bundles allow you to group multiple Gigabit Ethernet ports into a single logical transmission path between Switch A and Switch B. The switch distributes frames across the ports in a Multi Link Trunk (MLT) according to the source and destination Media Access Control (MAC) addresses. If a port within an MLT fails, traffic that would have been carried over the failed port switches to the remaining ports within the MLT. MLTs can be configured as trunk links for VLANs; this configuration is used in the Internet Data Center architecture. After a link has been formed, configuring any port in the link as a trunk applies the configuration to all ports in the channel. Identically configured trunk ports can be configured as an MLT. For more information, refer to the Nortel Networks Passport 8600 documentation.

Inter-VLAN Communication

The Passport 8600 switch is the foundation of connectivity for the Internet Data Center architecture. It facilitates all connectivity and also enables you to strategically implement inter-VLAN communication by employing Layer-3 routing functionality. To secure the Internet Data Center network, you need to ensure that only appropriate VLANs can communicate with each other. In this model, you can classify VLANs into two groups:

• Internal – VLANs 12, 13, 17, 18
• External – VLANs 16, 200

VLANs within a group must be able to communicate with each other in an operational environment. In addition, external VLANs should NOT be allowed to communicate with internal VLANs, or vice versa. To implement this behavior, use port filtering similar to the access control lists (ACLs) used on the router. However, there is one exception to this behavior. During the deployment phase of the Internet Data Center, you need to allow unrestricted inter-VLAN communication before connecting to the Internet. You need to do this because the servers need to reach the Domain Controllers while they are being built. In addition to allowing the previously defined groups to communicate with each other, VLAN 18 needs to participate in inter-VLAN communication as well. Once this phase is complete, ensure that the appropriate inter-VLAN communication behavior is restored.

Deploying Servers

During the deployment phase of the Internet Data Center, all servers must be able to communicate with a Domain Controller and have access to a deployment share. To provide this connectivity, you need to allow VLANs 12, 13, 16 and 18 to participate in inter-VLAN communication. You need to load the base configuration of the config.cfg file (provided in Appendix 2.3) on both switches. This includes configuring all VLAN interfaces, a routing statement, and port filters that must be temporarily removed or deactivated. Therefore, you need a "deployment" as well as a "production" boot configuration file. Passport switches allow multiple boot configurations. The following steps show how to change the boot configuration file and switch between deployment and production modes.

From the switch configuration prompt, complete the following steps to configure a switch to allow for server deployment. These steps are for Switch A. You need to repeat these steps for Switch B.

Note The remainder of this chapter cannot be completed until after the procedures in Chapter 8, "Deploying the Firewalls", have been completed.

Changing the Boot Configuration File

Use the following commands and syntax to change the boot configuration file:

    MSA_BOT:5# config bootconfig
    MSA_BOT:5/config/bootconfig# choice primary
    MSA_BOT:5/config/bootconfig/choice/primary# config /flash/config.cfg
    MSA_BOT:5/config/bootconfig/choice/primary# save boot

This saves the boot configuration file to the processor's flash.

    MSA_BOT:5/config/bootconfig/choice/primary# save boot standby /flash/boot.cfg

This saves the boot configuration file to the standby processor's flash.
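The two-group inter-VLAN policy and its deployment-phase exception, worked through as an added Python model (not the guide's own configuration and not Passport CLI syntax): it derives the permit/deny decision for every VLAN pair in "production" and "deployment" mode and audits a rule set so that a deployment boot configuration is not left active once the firewalls are in. The (src, dst, action) rule tuple format and the audit functions are assumptions of this model.

```python
"""Inter-VLAN policy model for the Passport 8600 port filters.

Added example (not from the Prescriptive Architecture Guide). It encodes the
chapter's two VLAN groups and the deployment-phase exception, derives the
permit/deny decision for each VLAN pair, and audits a filter set so that a
"deployment" configuration is not accidentally left in production. The
rule tuple format (src_vlan, dst_vlan, action) is an assumption of this
model, not Passport CLI syntax.
"""
from itertools import product

INTERNAL = {12, 13, 17, 18}
EXTERNAL = {16, 200}
ALL_VLANS = INTERNAL | EXTERNAL

# VLANs that must reach each other (and a Domain Controller) while servers
# are being built, regardless of which group they belong to.
DEPLOYMENT_VLANS = {12, 13, 16, 18}


def group_of(vlan: int) -> str:
    if vlan in INTERNAL:
        return "internal"
    if vlan in EXTERNAL:
        return "external"
    raise ValueError(f"VLAN {vlan} is not part of the IDC model")


def allowed(src: int, dst: int, mode: str = "production") -> bool:
    """Whether routed traffic from VLAN src to VLAN dst should be permitted.

    production: only traffic within the same group is routed.
    deployment: additionally, the deployment VLANs may all reach each other.
    """
    if src == dst:
        return True                      # same segment, never filtered
    same_group = group_of(src) == group_of(dst)
    if mode == "production":
        return same_group
    if mode == "deployment":
        return same_group or (src in DEPLOYMENT_VLANS and dst in DEPLOYMENT_VLANS)
    raise ValueError(f"unknown mode {mode!r}")


def build_filter(mode: str = "production") -> list[tuple[int, int, str]]:
    """Expand the policy into explicit (src, dst, action) port-filter rules."""
    return [(s, d, "permit" if allowed(s, d, mode) else "deny")
            for s, d in product(sorted(ALL_VLANS), repeat=2) if s != d]


def cross_group_permits(rules: list[tuple[int, int, str]]) -> list[tuple[int, int]]:
    """Rules that let an internal VLAN talk to an external one (or vice versa).

    In production this list must be empty; a non-empty result means a
    deployment-phase filter set was left active.
    """
    return [(s, d) for s, d, action in rules
            if action == "permit" and group_of(s) != group_of(d)]


def production_ready(rules: list[tuple[int, int, str]]) -> bool:
    return not cross_group_permits(rules)


if __name__ == "__main__":
    for mode in ("production", "deployment"):
        rules = build_filter(mode)
        print(f"{mode}: {len(rules)} rules, cross-group permits: {cross_group_permits(rules)}")
    # The deployment filter set must never be booted into production.
    print("deployment set production-ready:", production_ready(build_filter("deployment")))
```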
