KAREN wiki

KIWI ADVANCED RESEARCH AND EDUCATION NETWORK

Allied Telesis Router Configuration


This configuration script is an example of how a 9924 has been used to connect a set of schools to the NEN and to the Internet.


System

Set up some standard host identification parameters

set system name="<Host Name>"
set system location="<Location>"
set system contact="<Contact>"
set system territory=newzealand
set system country=newzealand


Enable Jumbo packet forwarding

set switch jumbo=on


Set up NTP

enable ntp
set ntp utc=+12:00:00
add ntp peer=203.109.252.7


Device Management

  • Remove the default user account, and create a new one with another name

delete user=manager
add user=<user name> password=<password> privilege=security login=yes

  • Disable unsecured HTTP access

disable HTTP server

  • Disable unsecured TELNET access

disable telnet server

  • Create encryption keys for SSH, and enable SSH

create enco key=0 type=rsa length=1024 description="Host Key" form=ssh
create enco key=1 type=rsa length=768 description="Server Key" form=ssh

enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=<user name> password=<password>

enable system security


VLANS

Create VLANs to interface to the different networks to which the switch will be connected. In this case, the switch is connected to KAREN, the NEN, an Internet provider, and the WIX.

create vlan="schools" vid=2
create vlan="Internet" vid=20
create vlan="WIX" vid=21
create vlan="Management" vid=100
create vlan="KAREN" vid=900
create vlan="NEN" vid=910

Also, create a "Blackhole" VLAN to put all the unused ports into.

create vlan="Blackhole" vid=4094

Assign ports to the VLANs. These are the physical ports that will attach to the relevant networks.

add vlan=2 port=1
add vlan=20 port=24
add vlan=21 port=22
add vlan=100 port=9-10


Note that the connections to KAREN and the NEN both use the same physical port. The traffic for the two networks is differentiated by tagging the NEN traffic.

add vlan=900 port=4
add vlan=910 port=4 frame=tagged

The unused ports are parked off into the Blackhole VLAN.

add vlan=4094 port=2-3,5-6,8,11-21,23

When Jumbo mode is enabled, the switch will default to Layer-2 forwarding of frames up to 9000 bytes on all ports. But the MTU for Layer-3 forwarding remains at the default of 1500 bytes. So, to enable jumbo frames to be Layer-3 switched into a given VLAN, the MTU on that VLAN needs to be set to 9000.

set interface=vlan910 mtu=9000


IP interfaces and routes

enable ip
set ip autonomous=<AS Number>


Attach IP addresses to the VLANs.

add ip int=vlan20 ip=202.21.137.109 mask=255.255.255.224
add ip int=vlan21 ip=202.7.0.40 mask=255.255.254.0
add ip int=vlan100 ip=10.50.100.100 mask=255.255.255.0
add ip int=vlan2 ip=117.18.80.1 mask=255.255.255.224
add ip int=vlan910 ip=140.200.0.19 mask=255.255.248.0


Some static routes are created to direct traffic to the subnets in use at the schools that are attached to the switch.

add ip route=117.18.81.0 mask=255.255.255.224 int=vlan2 next=117.18.80.11
add ip route=117.18.81.32 mask=255.255.255.248 int=vlan2 next=117.18.80.16
add ip route=117.18.82.0 mask=255.255.255.224 int=vlan2 next=117.18.80.12
add ip route=117.18.83.0 mask=255.255.255.224 int=vlan2 next=117.18.80.13
add ip route=117.18.85.0 mask=255.255.255.224 int=vlan2 next=117.18.80.15


The switch will be advertising the whole 117.18.80.0/21 route, but the only active subnets within that range are the ones covered by the static routes above. So, if traffic arrives for ANY other address in the 117.18.80.0/21 subnet, it should be dropped. Create a blackhole route to cover the whole 117.18.80.0/21 subnet, but give it a higher preference value than the static routes. The route lookup algorithm in these switches puts preference ahead of longest prefix match. So, to ensure that the static routes above are matched first, the blackhole route needs to be given a higher (less preferred) preference value.

add ip route=117.18.80.0 bla mask=255.255.248.0 pref=200
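As an added illustration (not part of the original configuration), the following Python model of the lookup order described above runs the page's static routes and blackhole route through a "preference first, then longest prefix" lookup and shows why the blackhole's pref=200 must be numerically higher than the static routes' preference. The static routes' own preference is not given on the page; STATIC_PREF = 60 is an assumption chosen only to be lower than 200.

```python
import ipaddress

# Routing table constructed from the page's "add ip route" commands.
# A next hop of None marks the blackhole route. The page does not state the
# preference of the static routes; STATIC_PREF is an assumption, chosen only
# to be lower (more preferred) than the blackhole's pref=200.
STATIC_PREF = 60
ROUTES = [
    ("117.18.81.0/27", "117.18.80.11", STATIC_PREF),
    ("117.18.81.32/29", "117.18.80.16", STATIC_PREF),
    ("117.18.82.0/27", "117.18.80.12", STATIC_PREF),
    ("117.18.83.0/27", "117.18.80.13", STATIC_PREF),
    ("117.18.85.0/27", "117.18.80.15", STATIC_PREF),
    ("117.18.80.0/21", None, 200),  # the blackhole route, pref=200
]


def lookup(dst, routes=ROUTES):
    """Model of the lookup order the page describes: among the routes that
    cover dst, the lowest preference value wins, and longest prefix match
    only decides between routes of equal preference. Returns the next hop,
    None when the destination is blackholed, and raises LookupError when
    no route covers dst at all."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for idx, (prefix, nexthop, pref) in enumerate(routes):
        net = ipaddress.ip_network(prefix)
        if addr in net:
            # sort key: preference first, then longer prefix, then table order
            candidates.append((pref, -net.prefixlen, idx, nexthop))
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return min(candidates)[3]


def lookup_misconfigured(dst, blackhole_pref=10):
    """Same table, but with the blackhole given a preference value below the
    static routes: because preference is checked before prefix length, the
    /21 blackhole then beats every /27 and all school traffic is dropped."""
    routes = [(p, nh, blackhole_pref if nh is None else pref)
              for p, nh, pref in ROUTES]
    return lookup(dst, routes)
```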

add ip dns primary=117.18.81.3 secondary=202.126.80.62


BGP

Create a filter to limit the routes that the switch will advertise to its BGP neighbours. In this case, the only routes that the switch is supposed to advertise are in the 117.18.80.0/21 subnet, so the filter will prevent any other routes being advertised from this router. The filter is applied as an outfilter on each BGP peer definition.

add ip filter=301 source=117.18.80.0 entry=1 smask=255.255.248.0 action=include
add ip filter=301 source=0.0.0.0 entry=2 action=exclude

set bgp router=140.200.0.2


Define the BGP neighbours. An AS number MUST be specified for each neighbour. Also, you can see that the filter to limit which routes are advertised is set as an outfilter for each neighbour.

add bgp peer=140.200.0.1 remoteas=38022
set bgp peer=140.200.0.1 desc="KAREN-ANR1"
set bgp peer=140.200.0.1 outfilter=301
set bgp peer=140.200.0.1 authentication=MD5 password=<password>
ena bgp peer=140.200.0.1

add bgp peer=140.200.0.2 remoteas=38022
set bgp peer=140.200.0.2 desc="KAREN-ANR2"
set bgp peer=140.200.0.2 outfilter=301
set bgp peer=140.200.0.2 authentication=MD5 password=<password>
ena bgp peer=140.200.0.2

add bgp peer=202.7.0.2 remoteas=9439
set bgp peer=202.7.0.2 desc="WIX-R1"
set bgp peer=202.7.0.2 outfilter=301
ena bgp peer=202.7.0.2

add bgp peer=202.7.0.3 remoteas=9439
set bgp peer=202.7.0.3 desc="WIX-R2"
set bgp peer=202.7.0.3 outfilter=301
ena bgp peer=202.7.0.3

add bgp peer=202.21.137.97 remoteas=18119
set bgp peer=202.21.137.97 desc="ACS Data"
set bgp peer=202.21.137.97 outfilter=301
ena bgp peer=202.21.137.97

Rather than advertise each of the school subnets separately, it is more efficient to advertise just the one aggregate route that covers the whole subnet that has been allocated to the school side of the switch. The "add bgp aggregate" command has the effect that as soon as BGP learns of ANY subnet within the aggregate, it will start advertising the whole aggregate route. If all the constituent routes are withdrawn, then BGP will stop advertising the aggregate route.

add bgp aggregate=117.18.80.0/21 summary=yes


Import static and interface (connected) routes into BGP.

add bgp import=static
add bgp import=interface
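To make the interaction between filter 301 and the aggregate concrete, here is an added Python model (not part of the original configuration) of what this router would send to a peer carrying outfilter=301: the aggregate is generated only while a constituent route exists, summary=yes replaces the constituents, and the filter then drops everything outside 117.18.80.0/21. Entry 2 carries no smask on the page; modelling it as 0.0.0.0 (match any) is an assumption, as is treating a route that matches no entry as excluded.

```python
import ipaddress

# Filter 301 constructed from the page's two "add ip filter" commands, as
# (entry, source, smask, action). Entries are evaluated in order and the
# first match decides. Entry 2 carries no smask on the page; modelling it as
# 0.0.0.0 (match any route) is an assumption consistent with its role as
# the catch-all that excludes everything outside 117.18.80.0/21.
FILTER_301 = [
    (1, "117.18.80.0", "255.255.248.0", "include"),
    (2, "0.0.0.0", "0.0.0.0", "exclude"),
]
# add bgp aggregate=117.18.80.0/21 summary=yes
AGGREGATE = ipaddress.ip_network("117.18.80.0/21")


def filter_allows(prefix, entries=FILTER_301):
    """True if the outfilter lets the route prefix through: the route's
    network address is ANDed with each entry's smask and compared with the
    entry's source. A route matching no entry is treated as excluded
    (assumption, not stated on the page)."""
    net = ipaddress.ip_network(prefix)
    for _entry, source, smask, action in entries:
        masked = int(net.network_address) & int(ipaddress.ip_address(smask))
        if masked == int(ipaddress.ip_address(source)):
            return action == "include"
    return False


def advertised(bgp_table, aggregate=AGGREGATE):
    """Routes this router would send to a peer with outfilter=301: the
    aggregate is generated as soon as any constituent is in the table and,
    with summary=yes, replaces the constituents; then the filter is applied
    to everything. Returns a sorted list of prefix strings."""
    nets = [ipaddress.ip_network(p) for p in bgp_table]
    constituents = [n for n in nets if n.subnet_of(aggregate)]
    out = [aggregate] if constituents else []
    out += [n for n in nets if n not in constituents]
    return sorted(str(n) for n in out if filter_allows(str(n)))
```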