Integrated Cisco and UNIX Network Architectures

Gernot Schmied

Sep 2004, Hardback, 600 pages
ISBN13: 9781587051210
ISBN10: 1587051214
This title is no longer available.
£42.99

Design, build, and operate integrated gateway routing systems

  • Learn how to design, build, and administer integrated gateway routing systems
  • Identify the advantages and disadvantages of Cisco/UNIX integrated designs
  • Review lab exercises throughout the book that bring concepts to life
  • Encounter the fascinating world of dynamic UNIX routing and TCP/IP stacks
  • Understand the way forwarding and signaling are implemented in the UNIX world
  • Gain proficiency with tunnels and VPNs
  • Utilize advanced features such as high availability, NAT, bandwidth management, policy routing, and multicast architectures
  • Explore Linux and BSD networking concepts

UNIX gateways introduce massive performance possibilities at a fraction of the price of dedicated proprietary appliances by performing network tasks entirely in software. With Cisco Systems routers dominating the Internet and enterprise networking and UNIX routing and gateway solutions spreading from within server farms and data centers, new opportunities and possibilities arise for system and network administrators who understand the benefit of integrated designs. For example, the use of UNIX gateways can enable intrusion detection, firewalling, cable and DSL access, terminal servers and access concentrators, VPNs, roaming user support, and other LAN and WAN services. Far from being mutually exclusive, Cisco devices, UNIX operating systems, and open source applications can enjoy a peaceful, perhaps even inevitable, coexistence for years to come. Integrated Cisco and UNIX Network Architectures shows how Cisco routers, switches, and firewalls seamlessly work together with UNIX operating systems in an integrated networking and security environment.

Integrated Cisco and UNIX Network Architectures reveals not just the feasibility but also the desirability of Cisco/UNIX integrated routing with regard to systems integration, interoperability, and feature requirements. Detailed, progressively complex lab scenarios emphasize enterprise and ISP requirements, casting light on the similarities and differences of these two worlds. Platform issues, such as behavior of firewall filters, kernel features, and proper standards compliance, are discussed, analyzed with sniffers, and tested with handcrafted traffic from packet generators and test applications.

If you want to master and maximize the operation of your UNIX and Cisco network architectures, this book shows you how.

This book is part of the Networking Technology Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Gernot Schmied is an independent consultant, analyst, and researcher focusing on systems integration, networking, UNIX, and security. He has worked for several years in enterprise and ISP environments with a focus on senior engineering and architecture projects, service, and portfolio development. Gernot holds two master's degrees in applied physics and information systems and is currently working on his Ph.D. thesis in his "spare" time. Gernot lives in Vienna, Austria.

Introduction

Chapter 1 Operating System Issues and Features—The Big Picture

Why UNIX Is Viable

Routing, Forwarding, and Switching Approaches

The Evolution of AT&T System V (SVR4) UNIX and 4.4-Lite BSD Derivatives

Operating Systems Design Considerations

Kernel-Space Modules Versus User-Space Applications

Cisco IOS Software

OpenBSD

FreeBSD

NetBSD

Linux

GNU Hurd/Mach

Other Commercial Unices

Summary

Recommended Reading

Endnotes

Chapter 2 User-Space Routing Software

The GNU Zebra Routing Software

Feature Description and Architecture of Zebra

Installation and Startup of Zebra

The Development Roadmap of Zebra

The Quagga Project

The routed Daemon

Feature Description of routed

Installation of routed

Lab 2-1: routed

GateD 3.6

Feature Description

Installation of GateD 3.6


Reliance on Service

Maturity, Scalability, and Stability of GateD 3.6

MRT (Multithreaded Routing Toolkit)

Feature Description of MRT

Installation of MRT

Maturity, Scalability, and Stability of MRT

The Bird Project

Feature Description of Bird

Installation of Bird

Maturity, Scalability, and Stability of Bird

The XORP Project

Feature Description of XORP

The MIT Click Modular Router Project

XORP Installation

Maturity, Scalability, and Stability of XORP

Multicast Routing Daemons: mrouted and pimd

Summary

Recommended Reading

Chapter 3 Kernel Requirements for a Full-Featured Lab

The sysctl Facility

IP Forwarding Control and Special Interfaces

VLAN Subinterface Support and Trunk Termination (802.1Q)

Alias or Secondary Interfaces

Ethernet Channel Bonding

Interface Cloning

ECMP (Equal-Cost Multi-Path)

Driver Support for LAN/WAN Interface Cards

Encapsulation Support for WAN Interface Cards

Support for Bridging Interfaces

TCP Tuning

Tunnel Support

Multicast Support

Firewall and Traffic-Shaping Support

The IPv6 Protocol Stack

Summary

Recommended Reading


Chapter 4 Gateway WAN/Metro Interfaces

Dial-on-Demand Routing: Analog and ISDN Dialup

Wireless Technologies

SDH/SONET

Powerline Communications

Ethernet to the Home/Premises

Cisco Long-Reach Ethernet (LRE)

Synchronous Serial Interface and PRIs

ATM Interfaces

Linux ATM Support

The FreeBSD HARP ATM Subsystem

Cable Access (Ethernet Interfaces)

DSL Access

Lab 4-1: Synchronous Serial Connection Setup

Exercise 4-1: Frame Relay Point-to-Multipoint Setup

Summary

Recommended Reading

Chapter 5 Ethernet and VLANs

Ethernet NICs

Hubs, Bridges, and Multilayer Switches

Access Ports, Uplinks, Trunks, and EtherChannel Port Groups

Alias Interfaces

VLAN Configurations

Linux VLAN Capabilities

FreeBSD/OpenBSD VLAN Capabilities

A Few Words on Cabling

Lab 5-1: FreeBSD Bridge Cluster Lab

Lab 5-2: Linux Bridging and the Spanning Tree

Lab 5-3: OpenBSD Bridging and Spanning Tree

A Few Words on Layer 2 Security


Exercise 5-1: Linux/FreeBSD Ethernet Channel Bonding

Exercise 5-2: STP Operation

Summary

Recommended Reading

Chapter 6 The Analyzer Toolbox, DHCP, and CDP

Terminal Emulation Software

Secure Shell Tools

Protocol Analyzer

Statistical Tools

Port Scanners

socklist and netstat

Ping and Traceroute Combinations

DNS Auditing Tools

Traffic and Packet Generators

What You Need in a Small Toolbox

The BSD ipfilter Traffic Generator

The Linux Kernel Packet Generator

Performance-Testing and Network-Benchmarking Tools

Lab 6-1: Using Sniffers—DHCP Example

Lab 6-2: UNIX CDP Configuration

Summary

Recommended Reading

Chapter 7 The UNIX Routing and ARP Tables

Address Resolution: ARP and RARP

Proxy ARP

ARP Cache

Static ARP Entries

Gratuitous ARP

Reverse ARP (RARP), the Bootstrap Protocol (BOOTP), and Dynamic Host Configuration Protocol (DHCP)

TFTP

Inverse ARP (InARP), UNARP, and DirectedARP

Power of the Linux ip, netstat, and route Utilities


ARP-Related Tools

Lab 7-1: ARP Security Issues

Summary

Recommended Reading

Endnote

Chapter 8 Static Routing Concepts

Administrative Distance and Metric

Classful Routing, VLSM, and CIDR

Default Gateways, Default Routes, and Route(s) of Last Resort

Route Caches, Routing Tables, Forwarding Tables, and the ISO Context

The Near and Far End of a Link

The route Command—Adding and Removing Routes

Route Cloning

Blackholes and Reject/Prohibit Routes

Floating Static Routes

Equal-Cost Multi-Path (ECMP) Routing

Lab 8-1: Interface Metrics, Floating Static Routes, and Multiple Equal-Cost Routes (ECMP)

Linux TEQL (True Link Equalizer)

Adding Static Routes via Routing Daemons

Summary

Recommended Reading

Endnotes

Chapter 9 Dynamic Routing Protocols—Interior Gateway Protocols

Interaction with the UNIX Routing Table

Classification of Dynamic Routing Protocols

Link-State Protocols

Distance-Vector Protocols

From RIP to EIGRP

RIP—A Distance-Vector Routing Protocol (Bellman-Ford-Fulkerson)

(E)IGRP


Lab 9-1: RIPv2 Scenario

Lab 9-2: RIP Neighbor Granularity

Lab 9-3: RIPv2 via GateD

Exercise 9-1: RIPv2 over Frame Relay Topologies

Exercise 9-2: RIPv2 Metric Manipulation and Redistribution Control

Introduction to Link-State Routing Protocols

Area Concepts

The Full Picture—Autonomous Systems and Areas

OSPFv2

Lab 9-4: Leaf-Area Design Featuring GateD and Cisco IOS

Exercise 9-3: Exporting Loopback Addresses

Lab 9-5: Leaf-Area Design Featuring Zebra and Cisco IOS Software

ECMP—Manipulating Metric and Distance

The Art of Redistribution

Lab 9-6: Route Filtering and Redistribution

Lab 9-7: OSPF Authentication

Route Tagging and Multiple OSPF Processes/Instances

IS-IS (Intermediate System-to-Intermediate System)

Disadvantages of IS-IS

Advantages of IS-IS

Relevant IS-IS Standards

Current IS-IS Developments

Lab 9-8: IS-IS Flat Backbone Area

Lab 9-9: IS-IS Backbone and Leaf Area

Lab 9-10: OSPF Point-to-Point Lab

Exercise 9-4: Dynamic Routing in Point-to-Multipoint Scenarios

Advanced OSPF Features

Traffic-Engineering Extensions

Opaque LSAs

Quagga’s Implementation

Summary

Recommended Reading

Endnotes


Chapter 10 ISP Connectivity with BGPv4—An Exterior Gateway Path-Vector Routing Protocol for Interdomain Routing

Exterior Gateway Protocols: EGP and BGPv4

BGPv4: Introductory Thoughts

Neighboring Relations

Limitations of IGPs

Flavors of BGPv4

BGP Message Types

Capabilities Negotiation

BGP Finite State Machine

BGP Path Attributes

BGP Active Path-Selection Criteria

BGP Loop Detection

Provider-Independent Addresses (PI Prefixes, Provider Aggregates)

Internet Exchange Points

EBGP and EBGP Multihop

Weighted Route Dampening

The next-hop-self Command

IGP Synchronization

The soft-reconfiguration Command

Multiple BGP Instances and Views and the Route Server Context

IBGP Full Mesh, Route Reflectors, and Confederation

Lab 10-1: Route Reflection

Exercise 10-1: BGP and IGP Interaction

Exercise 10-2: BGP Synchronization

Lab 10-2: Confederation

Lab 10-3: Multi-AS BGP Topology

Lab 10-4: BGP with GateD

Avoiding Single Points of Failure

Single-Homed Nontransit (Stub) Scenario with a Private AS

Multi-Homed Nontransit (Stub) Scenario

Transit Services

Route Server and Routing Registries

Requesting ASNs and IP Addresses

Zebra Route Server with Multiple Views

The Route Server Next Generation Project (RSng)

Internet Routing Registries

The Whois/Rwhois Interface


IRRd

The IRRToolSet

Looking Glasses

Cisco IOS Configuration

The Looking Glass CGI Script and HTML Code

Zebra Looking Glasses

Routing Policies

Defining an AS Policy

BGP Route Maps and Filters

BGP Communities and Extended Communities

Special BGP Topics

BGP “Pseudo” Load Balancing

BGP Security Considerations

Multiprotocol BGP Extensions

Summary

Recommended Reading

Chapter 11 VPN Technologies, Tunnel Interfaces, and Architectures

The Rationale for Tunnels in Routing Environments

The VPNC Concept of VPNs

The OSI Stack Perspective

Internet, Intranet, and Extranet Terminology

IP-IP Tunnel

Lab 11-1: IP-IP Tunnel Linux-to-FreeBSD

Lab 11-2: IP-IP Tunnel OpenBSD-to-Cisco

Generic Router Encapsulation (GRE) Tunnel

Lab 11-3: GRE Tunnel OpenBSD-to-Cisco

Lab 11-4: GRE Tunnel Linux-to-FreeBSD (Featuring gre-tun)

Lab 11-5: Linux-to-Cisco GRE Tunnel

Exercise 11-1: GRE Advanced Features

Special Multicast and IPv6 Tunneling (RFC 2473, RFC 3053)

Cisco L2F (Layer 2 Forwarding)

PPTP (Point-to-Point Tunnel Protocol)

Exercise 11-2: PPTP on UNIX

L2TP (Layer 2 Tunnel Protocol)

Securing L2TP Using IPSec (RFC 3193)

L2TP Operation


L2TPv3 and Related “Work in Progress”

L2TPd for UNIX: A Project in Transition

Exercise 11-3: L2TP

Mobile IP

User-Space Tunneling

CIPE (Crypto IP Encapsulation)

V-TUN (Virtual Tunnel)

OpenVPN

Stunnel/SSLwrap—SSL/TLS-Based “Wrapped” Tunnels and SSL Proxying/Relaying

Secure Shell (SSH)

IPSec Foundation

IPSec ESP/AH and Tunnel and Transport Mode

Manual/Automatic Keying, Preshared Secrets, and Certificates

IKE Phase 1 and 2: Main Mode and Aggressive Mode

Resolving the IKE, PKI, SA, ISAKMP, and Oakley Confusion

What Is Opportunistic Encryption (OE)?

What Is NAT-Traversal (NAT-T)?

DHCP Provisioning over IPSec Tunnel Mode

IPSec Implementations

Linux IPSec

KAME

FreeBSD

OpenBSD

General Tunnel and Specific IPSec Caveats

Tunnels and Firewalls

Tunnels Do Not Like NAT

Tunnels Cause MTU Issues

Tunnels Add Protocol Overhead

Unnumbered Links and Tunnel Routing

Multicast Transit via Point-to-Point Tunnels

Crypto Performance

High Availability

VPN Deployment and Scalability

Advice About IPSec Lab Scenarios

Lab 11-8: An IPSec with IKE (racoon/isakmpd) Scenario (Gateway-to-Gateway Tunnel Mode)

Road-Warrior Scenarios (Road Warrior-to-OpenBSD/FreeBSD Gateway with IKE)


Dynamic Routing Protocols over Point-to-Point Tunnels—Transparent Infrastructure VPN

IPSec Development and Evolution

Summary

Recommended Reading

Endnotes

Chapter 12 Designing for High Availability

Increasing Availability

Withstanding a (D)DoS Attack

Network HA Approaches

Redundant Paths

Standby Equipment

Simple but Effective Approaches to Server HA

DNS Shuffle Records and Round-Robin (DNS RR)

Dynamic Routing Protocols

Firewall Failover

Clustering and Distributed Architectures

Linux Virtual Server Project (LVSP)

Connection Integrity Issues

LVS—Virtual Services

Linux Ultra Monkey

IP Address Takeover with Heartbeat

The Service Routing Redundancy Daemon (SRRD)

IPv4/IPv6 Anycast

A Few Words About Content Caches and Proxies

Load Balancing

Firewall Load-Balancing Approaches

HighUpTime Project loadd Daemon

Pure Load Balancer

The PEN Load Balancer

Super Sparrow

Cisco Gateway Load Balancing Protocol (GLBP)

Cisco HA and Load-Balancing Approaches

Cisco IOS Server Load Balancing (SLB) Feature

Cisco Content Networking Devices and Software


VRRP

VRRPd

Freevrrpd

Comparison of the VRRP Implementations

OpenBSD CARP

IRDP

Summary

Recommended Reading

Endnotes

Chapter 13 Policy Routing, Bandwidth Management, and QoS

Policy Routing

Policy Routing on BSD

Linux iproute2 Policy Routing

Cisco IOS Policy-Routing Example

Traffic Shaping, Queuing, Reservation, and Scheduling

Linux QoS

Layer 3 QoS: IP ToS, Precedence, CoS, IntServ, and DiffServ Codepoints

802.1P/Q Tagging/Priority—QoS at the Data-Link/MAC Sublayer

MPLS Exp Field and MPLS Traffic Engineering

DiffServ and RSVP/RSVP-TE Implementations for UNIX

Cisco IOS QoS and Queuing Architectures

UNIX Firewalling Engines and Queuing

OpenBSD ALTQ+pf

FreeBSD ipfilter+ALTQ

FreeBSD IP Firewall(ipfw) + dummynet

Linux Firewall Marking and iproute2 (ip/tc)

Bell Labs’ Eclipse—An Operating System with QoS Support

Summary

Recommended Reading

Endnote

Chapter 14 Multicast Architectures

Multicast Deployments

Multicast Addresses and Scope

Administratively Scoped IP Multicast

The Multicast Protocol Cocktail


Internet Group Management Protocol (IGMP) and Cisco Group Management Protocol (CGMP)

IGMPv1 Operation

IGMPv2 Operation

IGMPv3 Implementations

Cisco IOS Multicast Router Configuration and IGMP/CGMP Operation

Cisco Group Management Protocol (CGMP)

The Cisco IOS Multicast Routing Monitor (MRM)

mrouted and DVMRP

mrouted and the MBONE

Lab 14-1: DVMRP via mrouted

Native-Multicast Test Applications

The ip and smcroute Multicast Utilities

PIM Operation and Daemons

Lab 14-2: Native Linux and FreeBSD Multicast (PIM-SMv2) in Combination with Cisco PIM-SM-DM

Lab 14-3: XORP PIM Operation

Multicast Open Shortest Path First (MOSPF)

Multicast Source Discovery Protocol (MSDP)

BGPv4 Multicast Extensions (Multiprotocol BGP, RFC 2858)

Multicast Transport Layer Protocols

Multicast Invitations and Session Announcements

Multicast Security

Summary

Recommended Reading

Chapter 15 Network Address Translation

The NAT Foundation—Basic/Traditional NAT

NAT, PAT(NAPT), Masquerading, and Port Mapping/Multiplexing

Static NAT and ARP/Routing Issues

Redirection (Port Forwarding/Relaying or Transparent Proxying)

UNIX NAT Approaches

Lab 15-1: OpenBSD ipfilter

Lab 15-2: FreeBSD ipfw+natd

Lab 15-3: BSD Packet Filter (pf)

Lab 15-4: Linux NAT (iptables)


NAT-Hostile Protocols

Future Developments: NAT-T, MPLS+NAT, Load Balancer

NAT Redundancy—Stateful Failover

Summary

Recommended Reading

Appendix A UNIX Kernel Configuration Files

Appendix B The FreeBSD Netgraph Facility

Index
