WHITE PAPERS

from the files of

Networking Unlimited, Inc.


WebQuery@NetworkingUnlimited.com
14 Dogwood Lane, Tenafly, NJ 07670
Phone: +1 201 568-7810


White Papers describing some general approaches to common networking problems. While most of the examples are based on Cisco routers, the techniques used can frequently be adapted to other vendors' implementations.

Firewalls play a critical role in modern networks, and their importance is increasing as organizations recognize the vulnerabilities of internetworking. We can no longer be satisfied merely to have accomplished communications. The ability to communicate is now a given, and the challenge is to do so safely and efficiently. It is possible and practical to configure redundant firewalls to provide continued operation despite router, access network, or firewall failure, and this white paper illustrates one way that it can be done with no dependence on proprietary firewall or router capabilities. The impact on security is minimal because the only communication between the inside and outside routers passes through the firewalls, and the only information trusted is whether or not a particular firewall can be used to reach a particular router on the other side. The firewalls do not exchange routing information with, or otherwise trust, any routers, and can continue to run in a conservative, secure configuration using network address translation, arbitrary state-sensitive filters, proxies, and static routing. An example configuration for Cisco routers is provided.

The classic extended LAN architecture, a backbone LAN connecting multiple local access LANs, has been a popular approach since the 1980s. While LAN speeds have increased by over two orders of magnitude, the fundamental limitations of this architecture can still affect high-performance applications. This white paper examines the impact of the store-and-forward delays incurred when interconnecting LANs running at different data rates, and shows how to quantify the effect of changing backbone and/or access LAN speeds so that upgrades improve, rather than degrade, end-to-end performance.
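The following Python model is an added illustration of the kind of quantification the paper describes; it is not the paper's own analysis or software. It assumes a chain of store-and-forward bridges with no propagation delay, no inter-frame gap and no protocol overhead. The first function computes how a single frame and a back-to-back burst pay the per-hop serialization cost, showing that once the pipeline is full only the slowest segment matters; the second adds a finite bridge buffer to show the degradation case, where a faster access LAN bursts into a bridge faster than a slower backbone can drain it. The scenario names and the 4-frame buffer are illustrative choices.

```python
"""Store-and-forward latency model for a chain of LAN segments of differing speed.

Added illustration, not the white paper's analysis. Assumed simplifications:
no propagation delay, no inter-frame gap, no protocol overhead, and
(for burst_latency_us) unlimited bridge buffering.
"""
from typing import Dict, List, Tuple


def serialization_us(frame_bytes: int, rate_mbps: float) -> float:
    """Microseconds needed to clock one whole frame onto a link.

    A store-and-forward bridge must receive the entire frame before it can
    begin sending it on the next segment, so this cost is paid once per hop.
    bits / (Mbit/s) yields microseconds directly.
    """
    return frame_bytes * 8 / rate_mbps


def burst_latency_us(frame_bytes: int, path_rates_mbps: List[float], frames: int = 1) -> float:
    """Time until the last of `frames` back-to-back frames is fully received
    after crossing every segment in `path_rates_mbps` (access, backbone, access, ...).

    The first frame pays the serialization time of every hop in turn. Once the
    pipeline is full, each further frame is released at the pace of the slowest
    hop, so the incremental cost is set by the slowest segment, not the backbone.
    """
    per_hop = [serialization_us(frame_bytes, r) for r in path_rates_mbps]
    return sum(per_hop) + (frames - 1) * max(per_hop)


def burst_drops(frame_bytes: int, ingress_mbps: float, egress_mbps: float,
                buffer_frames: int, burst_frames: int) -> int:
    """Frames a bridge discards when a burst arrives from a faster segment and
    must be re-serialized onto a slower one with only `buffer_frames` of queue.

    This is the degradation case: speeding up the access LAN alone lets a host
    burst into the bridge faster than the backbone can drain it.
    """
    t_in = serialization_us(frame_bytes, ingress_mbps)
    t_out = serialization_us(frame_bytes, egress_mbps)
    finish_times: List[float] = []   # egress completion time of each accepted frame
    egress_free = 0.0
    drops = 0
    for i in range(burst_frames):
        arrival = (i + 1) * t_in                       # frame i fully received
        held = sum(1 for f in finish_times if f > arrival)
        if held >= buffer_frames:                      # queue full: tail drop
            drops += 1
            continue
        start = max(arrival, egress_free)
        egress_free = start + t_out
        finish_times.append(egress_free)
    return drops


SCENARIOS: Dict[str, List[float]] = {   # access / backbone / access, Mbit/s (illustrative)
    "all 10": [10, 10, 10],
    "backbone 100": [10, 100, 10],
    "access 100": [100, 10, 100],
    "all 100": [100, 100, 100],
}


def compare(frame_bytes: int = 1500, frames: int = 100) -> Dict[str, Tuple[float, float]]:
    """Single-frame latency and `frames`-frame burst latency, in microseconds, per scenario."""
    return {name: (burst_latency_us(frame_bytes, rates, 1),
                   burst_latency_us(frame_bytes, rates, frames))
            for name, rates in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (one, burst) in compare().items():
        print(f"{name:13s} 1 frame: {one:7.0f} us   100 frames: {burst:7.0f} us")
    print("drops, 100 Mb/s access into 10 Mb/s backbone, 4-frame buffer, 20-frame burst:",
          burst_drops(1500, 100, 10, 4, 20))
```

With 1500-byte frames, upgrading only the backbone from 10 to 100 Mb/s cuts single-frame latency from 3600 to 2520 microseconds but trims a 100-frame burst by under one percent, because the access LANs still gate the pipeline. Upgrading only the access LANs looks better in the infinite-buffer model, yet the finite-buffer run shows the same mismatch discarding most of a 20-frame burst at the ingress bridge, which is the sense in which an upgrade can degrade end-to-end performance.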

Data Link Switching (DLSw) can provide excellent connectivity for IBM SNA applications. However, when the SNA devices are Ethernet-attached rather than Token Ring-attached, so that source routing is no longer end-to-end, configuring redundant DLSw peers in the usual way results in an unstable network. While Cisco introduced a redundant Ethernet capability in IOS 12.0, this paper presents a DLSw peering configuration that works with any IOS release from 11.2 onward to provide hot-standby capability and eliminate single points of failure, without introducing the switch compatibility challenges and resulting manual configuration needs of the Cisco capability.

Cisco provides the backup interface command set to support dial backup and bandwidth on demand. While these commands work well for bandwidth on demand, backup is triggered only when the CSU/DSU loses carrier, so any failure that does not drop carrier at the local CSU/DSU goes undetected and can result in unnecessary network outages. This paper shows how floating static routes can be used with Cisco Dial-on-Demand Routing to initiate dial backup based on routing table changes, a much more dependable indication of reachability.

Cisco does not support dial backup of dial backup links, such as using ISDN to back up a Frame Relay link and then using analog modems to back up the ISDN. This paper shows how BGP can be used in an EIGRP- or OSPF-routed network to force a backup link to be established when the preferred dial-on-demand alternative route cannot be established. Unlike the backup interface command set, this approach can be extended to work across multiple routers at a location or to provide any number of levels of dial backup.

The need to support IPX routing as well as TCP/IP creates additional challenges when designing dial backup solutions. This paper shows how to support both IP and IPX routing between Cisco routers using PPP over analog modems connected to the routers' AUX ports. While the example uses EIGRP for IP routing and RIP for IPX routing, the choice of routing protocols is essentially arbitrary, as the routing protocol is used only to control the activation of floating static routes.

Tremendous amounts of useful operational data and warnings of pending failures are available in router logs. The challenge is that as the network grows, so does the number of log entries, which can quickly reach an unmanageable size. Automating the analysis of router logs is essential if they are to serve as a proactive network management tool. Many organizations fail to take full advantage of the available information because of the high initial cost of programming around the inconsistencies in the way various events are reported, the frequency with which individual entries are delayed, duplicated, or missing, and the need to customize software to match their network configuration. This paper looks at some of the techniques used by Networking Unlimited, Inc. to improve the accuracy of automated log analysis and make it a cost-effective tool for network management and improving network reliability.
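The Python script below is an added example of the three log-hygiene problems named above (delayed, duplicated and missing entries); it is not Networking Unlimited's analysis software. It assumes a collector line layout of host, router sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC and message text, which is what a Cisco router produces with sequence numbers and timestamps enabled, prefixed by the host name a syslog server records; adjust the regular expression to match what your server actually writes. The sample lines, host names and the address in them are constructed.

```python
"""Normalize, de-duplicate and sanity-check Cisco-style router syslog entries.

Added illustration, not Networking Unlimited's log analysis software. The line
layout (host, router sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC,
text) is an assumed collector format; adjust LINE_RE to match your server.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: one duplicate (seq 102), one delayed entry (104 arrives
# after 105), one missing entry (103), and one line the router garbled.
SAMPLE_LOG = """\
rtr1 000101: Mar  1 10:00:01.100: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
rtr1 000102: Mar  1 10:00:01.200: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
rtr1 000102: Mar  1 10:00:01.200: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
rtr1 000105: Mar  1 10:00:09.000: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
rtr1 000104: Mar  1 10:00:05.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
rtr2 000007: Mar  1 10:00:02.000: %LINK-3-UPDOWN: Interface Serial1/0, changed state to down
rtr1 garbled fragment with no sequence number
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
IFACE_RE = re.compile(r"Interface (\S+), changed state to (up|down)")


@dataclass(frozen=True)
class Entry:
    host: str
    seq: int
    ts: str
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse(raw: str) -> Tuple[List[Entry], List[str]]:
    """Split lines into parsed entries and rejects; rejects are kept, not dropped silently."""
    entries, rejected = [], []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        entries.append(Entry(m["host"], int(m["seq"]), m["ts"], m["facility"],
                             int(m["sev"]), m["mnemonic"], m["text"]))
    return entries, rejected


def dedupe_and_order(entries: List[Entry]) -> List[Entry]:
    """Drop repeats of the same (host, seq) and put delayed entries back in router order."""
    seen, unique = set(), []
    for e in entries:
        if (e.host, e.seq) not in seen:
            seen.add((e.host, e.seq))
            unique.append(e)
    return sorted(unique, key=lambda e: (e.host, e.seq))


def sequence_gaps(entries: List[Entry]) -> Dict[str, List[int]]:
    """Sequence numbers never received per host: lost messages, not quiet periods."""
    by_host: Dict[str, List[int]] = defaultdict(list)
    for e in entries:
        by_host[e.host].append(e.seq)
    gaps = {}
    for host, seqs in by_host.items():
        present = set(seqs)
        missing = [s for s in range(min(seqs), max(seqs) + 1) if s not in present]
        if missing:
            gaps[host] = missing
    return gaps


def link_down_counts(entries: List[Entry]) -> Dict[Tuple[str, str], int]:
    """Physical-layer down transitions per (host, interface); a rising count warns of a flapping circuit."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in entries:
        if e.facility != "LINK" or e.mnemonic != "UPDOWN":
            continue
        m = IFACE_RE.search(e.text)
        if m and m.group(2) == "down":
            counts[(e.host, m.group(1))] += 1
    return dict(counts)


def analyze(raw: str) -> dict:
    entries, rejected = parse(raw)
    clean = dedupe_and_order(entries)
    return {
        "parsed": len(entries),
        "rejected": len(rejected),
        "unique": len(clean),
        "gaps": sequence_gaps(clean),
        "link_down": link_down_counts(clean),
        # severity 0-3 (emergency through error) is what an operator must look at
        "urgent": [(e.host, e.seq, f"{e.facility}-{e.severity}-{e.mnemonic}")
                   for e in clean if e.severity <= 3],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Keying duplicates on the router's own sequence number rather than on message text is what makes the de-duplication safe: two genuinely separate down events on the same interface carry different sequence numbers and are both counted, while a syslog retransmission is dropped. The same numbers let a gap be reported as a lost message rather than mistaken for a quiet period, and reorder an entry that arrived late without trusting the collector's arrival order.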

Many organizations depend upon Internet connectivity to support critical applications. One popular approach to improving Internet connectivity is to connect to more than one Internet service provider (ISP), a technique called multi-homing. Multi-homing can be very effective for ensuring continuous connectivity, eliminating the ISP as a single point of failure, and it can be cost effective as well. However, a multi-homing strategy must be carefully planned to ensure that it actually improves connectivity and does not inadvertently introduce new single points of failure.

Building a virtual private network (VPN) using the IP Security protocol (IPSec) is a popular cost-saving approach to wide area networking. One disadvantage of a VPN is the scarcity of convenient tools for providing resilience in the face of router, firewall, or network failure. The challenge is to detect failure of an IPSec connection automatically so that an alternate route can be used. This white paper looks at two different approaches Networking Unlimited, Inc. has used to meet the challenge: using a GRE tunnel to make the IPSec transport appear as a point-to-point link, and running BGP directly over the IPSec transport. Example Cisco router configurations are provided for each approach.


Copyright © 1999-2002 Networking Unlimited Inc. All rights reserved.