Routing + QoS + Security all free for you and your small business

OK, you catch me as this is not from Cisco, but is related to networking and security, so I believe it fit in the idea of this blog. What I’m talking about here?! Well, let’s assume that you are the IT guy of one small business or even your home network, and like all of us, you want what’s the best for your network. With today’s key words (even I don’t understand why) like saving, cost reduction, zero budget for new deployments no manager will approve new hardware to be bought. And to be fair enough why would you like to buy an expensive Cisco 6500 if you have 50 PCs in your network and some servers? Cisco and other brands in the same line are good, actually very good, and money worth spending to have them, but only if they are really required. Continuing on this idea, somebody asked me to find a solution for his small to medium business as he has a small user network and some servers. Of course he wanted all the possible features and security but without investing too much, or if possible nothing. To keep everything into this limits, I had the idea to use a Linux box with 3 NICs and a bunch of software for achieving the other features like QoS, routing and so on. But I found something better to manage and to maintain over the time.

The product is called Untangle and I found out to be perfect for my solution and maybe for yours if you want to give it a try. Among the other good features that it has integrated, you will see that this is a FREE product. Of course nothing is just white and black, and if you want some features you have to pay for them. Anyway I managed to do everything without paying anything. Untangle can be installed on a dedicated machine or as an application in Windows. Installing on Windows is …how can I say…useless, at least from my point of view. I mean who put the trust of his network gateway on a Windows machine?!  As a dedicated machine is one of the best solutions that I tested.

As explained on the Untangle documentation, this solution can be installed on any regular Intel / AMD machine with some decent configuration. If you want to keep this solution for a longer time and logs I would recommend something dual core with 2 GB of memory and at least 80GB hard-disk capacity. The minimum requirements from the developers would be a 800Mhz processor with 512KB of memory and 20GB hard-drive, if you plan to run this for a network with less than 50 stations. The process is very simple, you download an image, burn it on a disc and then install it. If you ever installed another OS, you will handle this for sure.

The new device can be deployed as a router or as a transparent bridge:
untangle-deployment On my private installation I deployed it as a router, as I wanted this to be the main gateway and to separate the LAN from the DMZ area.  After you configure the basic stuff, you may want to choose what services you will use on this machine. Everything is modular. You have a virtual rack in which you insert free or paid applications. Maybe you are wondering which are the free applications. Here is the list: Web Filter, Virus Blocker, Spam Blocker, Ad Blocker, Attack Blocker, Phish Blocker, Spyware Blocker, Firewall, Routing & QoS, Intrusion Prevention, Protocol Control, OpenVPN, Reports. This covers most of my basics needs for a small network. If you want advanced features like WAN Load Balancer, WAN Failover or Remote Access Portal than you have to buy this applications. Of course I would preferred to have this also for free, but as I said in other articles, nothing is 100% free on this world.

Every module is than configured in a graphical interface with easy to understand and follow menus. You can choose what to activate, what traffic to be inspected, what packets to be subject of QoS and may more. One thing before you proceed to test this. By routing please don’t understand Dynamic Routing Protocol or other advanced features. Like I said before this solution is for small to medium sites which does not have to support complex routing environment. However it does support basic routing and it can be installed as a router. Regarding the support you get for this product there is good forum and also a Wiki page

Below I prepared a small gallery with screenshots from Untangle. The screenshots are copyrighted to Untangle.com and can be found on there site together with a some nice video presentations of the product.

Please be aware that this site is not affiliated in any way with Untangle.com. The opinion presented here represent my own experience with Untagle product.

[nggallery id=16]

New Cisco certifications announced

Source: https://cisco.hosted.jivesoftware.com/docs/DOC-5365

As this are quite new to me, I do not have too much to comment on the subject. Cisco Certifies Architect seems to be the new “hit” from Cisco regarding the knowledge and experience that a candidate has to achieve before applying, but also in regarding the amount of money that this will cost. Since I only heard rumors I will not write here the price, but is sure that is not accessible to any individual.

Some excerpt from the source already mentioned above you can find below.

Cisco Certified Architect

Built in response to the growing customer and market demand to recognize comprehensive competence in network infrastructure design, Cisco introduces the Cisco Certified Architect Certification. This prestigious credential recognizes a new standard of excellence for network designers who can architect and support the increasingly complex networks within global organizations and effectively translate business strategy into (r)evolutionary technology systems.

Cisco Certified Architect is the pinnacle for individuals wishing to establish formal validation of both design and IT skills in Cisco technologies and infrastructure. There is, as yet, no formal training program for the Cisco Certified Architect certification. Candidates appear before an in-person Cisco-appointed board of experts to present and defend their proposed network solution.

CCNP Wireless

The CCNP Wireless certification was developed to support the growing need for trained professionals who can effectively design, implement, secure, and operate wireless networks and mobility infrastructures. This certification recognizes the critical importance of preparing professionals to support and manage Cisco wireless LANs and networks. It reinforces the ability to assess and translate network business requirements into technical specifications that can then be installed and maintained successfully. Achieving CCNP Wireless demonstrates significant knowledge in designing, deploying and maintaining end-to-end Cisco Wireless LAN solutions.

Prerequisites:  Must hold a valid CCNA and CCNA Wireless certification in order to achieve a CCNP Wireless certification.

Availability: Courses and exams for the new CCNP Wireless certification will be made available on July 24, 2009

Cisco Data Center Unified Computing Specialist Certifications

Two (2) new certifications–The Cisco Data Center Unified Computing Support Specialist and the Cisco Data Center Unified Computing Design Specialist–validate the data center computing professional’s knowledge, expertise, and ability to run mission-critical computer operations.

General Prerequisites: If you already have a background in Cisco data center design and implementation, you may select a Fast-Start option for each of these specialist certifications. Fast-Start offers a “Qualifier” exam, that, when passed, fulfills the prerequisite knowledge requirements. If you don’t have prior background, you must first complete all of the Data Center Specialist Certifications for Architects and Engineers

Availability: Courses and exams for both new Cisco Data Center Unified Computing Specialist certifications will be made available at the end of 2009.

Useful documentation sheets at packetlife.net

Packetlife.net offers some “cheat sheets” with useful information. This are like very small handbooks with the most useful informations about BGP, EIGRP, IPsec, Multicast, IS-IS, OSPF, Spanning-Three, TCPdump and more. I found this very useful during my preparations for Cisco exams and not only, so I want to share them here. Of course any copyrights goes to the owner of packetlife.net. And if you are worry about the “cheat” word, look what the owner of packetlife.net is saying:

Are these for cheating?

No. The term “cheat sheet” is a slang term for a small collection of notes or a quick reference guide (my apologies if this isn’t a familiar term in your locale). I don’t condone cheating of any sort, and you’re only doing yourself a disservice if you decide to take that path.”

You can check this materials at: http://packetlife.net/cheatsheets/

Cisco: How to use CEF for load-balancing

According to Cisco’s website, Cisco Express Forwarding (CEF) is advanced, Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.

The term Load balancing describes a functionality in a router that distributes packets across multiple links based on layer 3 routing information.

Now, putting this two terms together we obtain Load balancing with CEF. Cisco IOS software basically supports two modes of load balancing: On per-destination or per-packet basis.
In per-destination mode all packets for a given destination are forwarded along the same path. Usage of only one path will lead to a unequal usage of the lines, as the packets to the same destination will use only one line, leaving the other unused. This can be a problem in a small environment where let’s say that a location is having 2 x E1 connection. In per-destination mode, all the packets to one destination will use one E1 connection, and the other line will remain unused. In addition to this, if this one destination is a server on which most on the site’s users will connect to, the per-destination mode will lead to an exhaust of the bandwidth available on one E1 line leaving the other one empty. On the other hand, on more developed location, where there are more destination available, the per-destination method will not have too much impact about the usage of the lines, as in this case the traffic will be split for the multiple destinations over multiple paths.

The per-packet mode guarantees equal load across all links because the forwarding process determines the outgoing interface for each packet by looking up the route table and picking the least used interface. If you read until now, than most probably you will say that this method is the best and then why the per-destination mode is the default one. Some issues with the per-packet mode would be that this method will almost always result in out-of-order packets, as advised by Ivan Pepelnjak, on his blog. What I can tell you is that this out-of-order packets has not a big impact on low-speed environment where TCP stack can deal with this problem. On the other hand on high-speed environment where video or voice traffic is expected, you can have big problems and it’s better to avoid the usage of per-packet load-balancing. Also, Cisco is advising that this ensures equal utilization of the links, but is a processor intensive task and impacts the overall forwarding performance. How much will impact on the CPU / resources usage? I cannot tell exactly because this depend on the task and traffic that the device has to handle.

OK, so if this per-packet mode is not so great, than why we should use it? The answer is that in some particular topologies or environments you cannot use other method of load-balancing and you are in desperate need of such mechanism. Below you will see an example of what kind of topology can force us to use per-packet load-balancing.

Before you configure load-balancing, you have to be sure that IP CEF is enabled on your router. In case that it is disabled, please enable it:

configure terminal
ip cef

If you want to fine tune the IP CEF load-balancing algorithm you can do this with the command:

configure terminal
ip cef load-balancing algorithm “name parameter”

where for “name” you have 3 choices:
original – Sets the load sharing algorithm to the original based on a source and destination hash.
tunnel – Sets the load sharing algorithm for use in tunnel environments or in environments where there are only a few IP source and destination address pairs.
universal – Sets the load sharing algorithm to the universal algorithm that uses a source and destination, and ID hash.
Skipping the tunnel option which you should use only if you are sure that you need it, the other choices would be universal and original. Original algorithm use IP addresses to generate the 4-bit hash. On the other hand universal algorithm add a router specific information to the hash leading to a more complex development of the hash value. Since universal option is the default one, exception the case where you know what you are doing, you should not change this value.

To enable IP CEF load-balancing on per-destination base, you don’t have to modify anything, as it’s enabled by default. For per-packet mode, you have to use the following commands:

configure terminal
interface FastEthernet x/y
ip load-balancing per-packet

ip-cef-load-balancingOne scenario where I had to use per-packet load-balancing is the one below.
Let’s assume that we have client (c-ubuntu-1, 10.10.20.100) which is sending traffic to one server (s-ubuntu-1,10.10.10.100). The routing protocol is already configured in such way that CE1 and CE2 routers are announcing, through OSPF, 2 default routes (equal cost) to SC device. The rest of the routing part is assure by BGP towards PE routers and another IGP protocols, but this has no importance for the topic discussed here.

SC1#sh ip route | i 110/1
O*E2 0.0.0.0/0 [110/1] via 172.29.190.237, 02:35:46, Vlan23
[110/1] via 172.29.190.229, 02:35:46, Vlan13

On the SC devices I used L3 interface vlan 23 to connect to CE2 and vlan 13 to connect to CE1. With the CEF enabled and per-destination load-balancing mechanism, only one  path (either vlan 23 or vlan 13) was used, leading to only one WAN serial connections to be used. Since this was client to server traffic, and quite a lot, from time to time one WAN connection was exhausted while the other one  remains unused. You can see this, in the excerpt below:

SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100    -> 10.10.10.100   : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100    -> 10.10.10.100   : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100    -> 10.10.10.100   : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100    -> 10.10.10.100   : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100    -> 10.10.10.100   : Vlan23 (next hop 172.29.190.237)

After I enabled the per-packet load-balancing, the situation has changed since both lines to CE routers where used, leading to a equal utilization of the WAN lines:

SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan13 (next hop 172.29.190.229)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan13 (next hop 172.29.190.229)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan13 (next hop 172.29.190.229)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan23 (next hop 172.29.190.237)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan13 (next hop 172.29.190.229)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan13 (next hop 172.29.190.229)
SC#sh ip cef exact-route 10.10.20.100 10.10.10.100
10.10.20.100 -> 10.10.10.100 : Vlan23 (next hop 172.29.190.237)

I had to choose this method to force the equal usage of the WAN links and I rely on TCP stack to solve the out-of-order packets as there is not so high traffic over this interfaces.