
Friday, March 2, 2018

How to configure forwarding policy on Ericsson SmartEdge Router (Redback Networks Router)

Summary:

The main purpose of this article is to show you how you can configure forwarding policy on Ericsson SmartEdge router. This is the equivalent of policy based routing (PBR) as implemented in Cisco or Juniper router platforms.

#show version 

Redback Networks SmartEdge OS Version SEOS-6.2.1.2-Release
Built by sysbuild@SWB-node08 Fri Jan 29 16:06:29 PST 2010
Copyright (C) 1998-2010, Redback Networks Inc. All rights reserved.
System Bootstrap version is Mips,rev2.0.2.42
Installed minikernel version is 11.7

Problem or Goal:

Forwarding policy is useful in many real life traffic or production environments. The most popular use cases include:
1. If you want to direct traffic to a proxy server
2. If you want to redirect traffic to HTTP page or server (HTTP-Redirect) - not covered in this example.
3. Policy Based Routing (PBR) - where you forward traffic to a next hop (router or server)
4. Forwarding traffic to a cache server 
5. Forward traffic to a content optimizer or content accelerator (say for TCP acceleration)

Cause:

Refer to the use cases above

Solution:

Refer to the scenario in the figure below, where we wish to forward traffic from mobile subscribers to a TCP content accelerator server.


1. Create the policy access list inside context "INTERNET". This is used to filter out the traffic of interest and mark or label it. Traffic can be filtered based on source address, destination address, port number, protocol, etc. The filtered traffic is then identified using a class label.

#context INTERNET
#configure
#context INTERNET

 policy access-list subscriber_towards_internet
  seq 10 permit tcp 192.168.1.0 0.0.0.255 any class cls-CLASS1
  seq 100 permit ip any any class cls-DEFAULT

 policy access-list internet_towards_subscriber
  seq 10 permit tcp any 192.168.1.0 0.0.0.255 class cls-CLASS1
  seq 100 permit ip any any class cls-DEFAULT

2. Create the forward policy inside context "INTERNET" and apply the relevant access group (access-list in (1) above).

#context INTERNET
#configure
#context INTERNET

forward policy fp1_subscriber_to_internet 
 access-group subscriber_towards_internet INTERNET
  class cls-DEFAULT
  class cls-CLASS1
   redirect destination next-hop 10.10.10.10
!
forward policy fp2_internet_to_subscriber 
 access-group internet_towards_subscriber INTERNET
  class cls-DEFAULT
  class cls-CLASS1
   redirect destination next-hop 10.10.10.10

3. Now apply the forward policies to the relevant ports on the router, being mindful of the direction of traffic flow. In our example we are looking at traffic flowing in the "IN" direction, that is, traffic entering the router on that port (from the outside towards the inside).

#configure
port ethernet 1/1
 description Connection_to_upstream_provider
 no shutdown
  forward policy fp2_internet_to_subscriber in

#configure
port ethernet 1/2
 description Connection_to_subscriber_network
 no shutdown
  forward policy fp1_subscriber_to_internet in
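A consistency check, added here as an example and not part of the original post: it parses the policy access-list, forward policy and port blocks in the layout shown above and reports any name that is referenced but never defined (a forward policy bound on a port under the access-list's name, or a class label that no seq entry assigns). The SEOS excerpt inside it is constructed for the demo and assumes the indentation style shown in the steps above.

```python
import re

# Constructed SEOS-style excerpt (not a live config): the port binds a forward
SAMPLE_CONFIG = """
policy access-list subscriber_towards_internet
 seq 10 permit tcp 192.168.1.0 0.0.0.255 any class cls-CLASS1
 seq 100 permit ip any any class cls-DEFAULT
forward policy fp1_subscriber_to_internet
 access-group subscriber_towards_internet INTERNET
  class cls-CLASS1
port ethernet 1/2
 forward policy subscriber_towards_internet in
"""

def parse(config):
    acls, policies, bindings = {}, {}, []
    block = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy access-list (\S+)", line):
            block, name = "acl", m.group(1)
            acls[name] = set()
        elif m := re.match(r"forward policy (\S+)$", line):
            block, name = "fp", m.group(1)
            policies[name] = {"access-group": set(), "class": set()}
        elif m := re.match(r"port ethernet (\S+)", line):
            block, name = "port", m.group(1)
        elif block == "acl" and (m := re.search(r"class (\S+)", line)):
            acls[name].add(m.group(1))  # label assigned by a seq entry
        elif block == "fp" and (m := re.match(r"(access-group|class) (\S+)", line)):
            policies[name][m.group(1)].add(m.group(2))
        elif block == "port" and (m := re.match(r"forward policy (\S+) (in|out)", line)):
            bindings.append((name, m.group(1), m.group(2)))
    return acls, policies, bindings

def check(config):
    """Return dangling references as messages; an empty list means consistent."""
    acls, policies, bindings = parse(config)
    problems = []
    for fp, info in policies.items():
        for acl in info["access-group"]:
            if acl not in acls:
                problems.append(f"{fp}: access-group {acl} is not defined")
                continue
            for cls in sorted(info["class"] - acls[acl]):
                problems.append(f"{fp}: class {cls} is never set by {acl}")
    for port, fp, direction in bindings:
        if fp not in policies:
            problems.append(f"port {port}: forward policy {fp} ({direction}) is not defined")
    return problems
```

Run `check()` over a saved configuration before pushing it; the binding error it reports is exactly the kind of slip that silently leaves a port without any forward policy.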

Problem Solved?

Yes. Subscriber traffic was successfully forwarded to 10.10.10.10, the TCP accelerator server, in both directions: a subscriber request from the mobile phone towards the internet is first forwarded to the TCP accelerator, which fetches the request on behalf of the subscriber, and the response returning from the internet towards the subscriber is also first forwarded to the TCP accelerator, which serves it back to the subscriber. In this way we achieve TCP acceleration in both directions.

Thursday, February 15, 2018

Download Burst Size Calculator for QOS rate limiting calculations (metering and policing)

Summary: 

This calculator is for ISP network engineers implementing QOS policy for rate limiting, that is, metering and policing.
It will help you determine the proper burst size: normal burst (in bytes) or extended burst (in bytes). The higher the burst size, the better the quality of experience for your subscribers when the configured bandwidth is over-utilized.

This calculation is based on a formula provided by CISCO.

Credits: Brian

Problem or Goal:

Burst-size limit is very important when implementing QOS policy.

A policer burst-size limit controls the number of bytes of traffic that can pass unrestricted through a policed interface when a burst of traffic pushes the average transmit or receive rate above the configured bandwidth limit. The actual number of bytes of bursty traffic allowed to pass through a policed interface can vary from zero to the configured burst-size limit, depending on the overall traffic load.

Cause:

Setting burst size helps to alleviate the aggressive bandwidth shaping caused by rate limiting configurations.
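As an added illustration (not the calculator from the post), the following Python applies Cisco's published rule of thumb for policing bursts (normal burst = rate in bps × 1.5 s / 8, extended burst = 2 × normal burst) and runs a simplified single-rate token-bucket policer over constructed traffic. It shows the point made above: how many bytes of a burst get through depends both on the configured burst size and on how bursty the load is.

```python
def cisco_burst_sizes(rate_bps):
    """Cisco's published rule of thumb (assumed here): normal burst is
    rate * 1.5 seconds / 8 bits per byte, extended burst is twice that.
    Returns (normal_bytes, extended_bytes)."""
    normal = int(rate_bps * 1.5 / 8)
    return normal, 2 * normal

def police(packets, rate_bps, burst_bytes):
    """Simplified single-rate token-bucket policer.
    packets: list of (arrival_time_seconds, size_bytes) in arrival order.
    The bucket starts full, refills at rate_bps/8 bytes per second and
    never holds more than burst_bytes. Returns (conform_bytes, exceed_bytes)."""
    tokens = float(burst_bytes)
    last = packets[0][0] if packets else 0.0
    conform = exceed = 0
    for t, size in packets:
        tokens = min(float(burst_bytes), tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            conform += size
        else:
            exceed += size  # would be dropped or re-marked by the policer
    return conform, exceed

# Constructed traffic: 200 full-size packets arriving at once (a 300 kB burst)
# against a 1 Mbit/s policer, then the same bytes spread over 3 seconds.
RATE = 1_000_000
BURST_AT_ONCE = [(0.0, 1500)] * 200
SPREAD_OUT = [(i * 0.015, 1500) for i in range(200)]  # 0.8 Mbit/s average

def compare():
    """Bytes passed with Cisco's normal burst versus a one-packet burst."""
    normal, _ = cisco_burst_sizes(RATE)
    return {
        "normal_burst_bytes": normal,
        "burst_with_normal": police(BURST_AT_ONCE, RATE, normal),
        "burst_with_1500": police(BURST_AT_ONCE, RATE, 1500),
        "spread_with_1500": police(SPREAD_OUT, RATE, 1500),
    }
```

With a 1500-byte burst the same 300 kB passes untouched when spread out but is almost entirely exceeded when it arrives at once, which is the aggressive shaping effect the burst size is meant to soften.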

Solution:

Download Burst Size Calculator here

Download from my dropbox here

Problem Solved?

Yes

Monday, May 1, 2017

10 Good practices you should do as a network administrator to security harden your network devices


As a network administrator or engineer, here are 10 good practices that will help you strengthen the security of your network and network devices (routers, switches and firewalls):

1. Configure a warning banner that is displayed prior to login

A warning banner is the electronic equivalent of a “No Trespassing” sign. Although it doesn’t technically protect your device, having a warning banner could help your organization by serving as a reminder and even as a legal disclaimer.

2. Set up centralized authentication for all your network devices

An example is TACACS (Terminal Access Controller Access Control System). Configuring TACACS will benefit your network in the following ways:
  • Simplified user management: you only need to create the user account once, and the same account can be allowed to access multiple devices via TACACS. This limits the number of local accounts on devices.
  • User activity logging and accounting: you will be able to see what commands your users are running on each network device.

3. Keep all your network devices' OS updated

To make sure you don't miss out on any security features released in new software, install and upgrade to the latest recommended operating system versions for your network devices.

4. Disable all unused network ports

It's a good practice to always disable unused network ports. This reduces the chances of an intruder gaining access to your internal network information even if they have gained physical access to the device.

5. Configure "logout-on-disconnect" for all your devices console ports

Console ports are enabled by default on network devices, and there are two main security concerns with console port access: unattended sessions and password recovery. Network devices tend to keep console sessions active even when you disconnect the console cable. The logout-on-disconnect option does exactly what it says: when the console cable is physically disconnected from the device, that user session is terminated.

6. Insist on using secure SNMP, that is, SNMPv2 and SNMPv3

Stay away from common SNMP community strings, your SNMP community strings should be difficult to guess and should follow a password complexity policy. Configure read-only access; use read-write only when required.

7. Implement a password complexity policy

That is: minimum password length, upper case, lower case and special characters. Use SHA1 for password storage and ensure the root account has been configured with a strong password.


8. Disable Insecure Access Services

Access services are considered insecure when communication to the device is NOT encrypted. Clear-text communications are susceptible to sniffing and man-in-the-middle attacks. Another security risk is IP spoofing, where an attacker could impersonate a trusted IP address for the purpose of executing commands.
Insecure access services include: 
  • Telnet
  • HTTP
  • FTP
  • rsh
  • rlogin
  • Finger

9. Enable Secure Access Services

Access services are considered secure when communication is encrypted and protected from snooping type attacks. Secure access services include:

SSH - Secure Shell is a network protocol that allows data to be exchanged between devices over a secure channel. SSH was designed as a replacement for telnet and other insecure access protocols. Only use SSHv2, because there are inherent design flaws in SSHv1 which make it susceptible to man-in-the-middle attacks.

SFTP - Secure FTP. This is FTP riding over SSL (Secure Sockets Layer)
SCP - Secure Copy Protocol
HTTPS - Secure HTTP. This is HTTP riding over SSL

10. Set connection-limit, rate-limit and idle-time-out

Connection-Limit: limits the total number of connections to preserve resources and reduce the chance of Denial of Service (DoS).
Rate-Limit: limits the number of logins per minute to preserve resources and reduce the chance of Denial of Service (DoS).
Idle-Time-Out: disconnects all idle sessions after the idle-time value expires to preserve resources and reduce the chance of Denial of Service (DoS).
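An added example, not from the post: a small audit that checks a saved running configuration against several of the practices above (banner, centralized TACACS authentication, SNMP community and access level, telnet on vty lines, SSH version, login rate limiting and idle timeouts). It assumes Cisco IOS-style syntax for those commands and runs on two constructed configs; the patterns are simple regular expressions and need adapting for other vendors.

```python
import re

# Constructed IOS-style configs (assumed syntax; not from any real device).
# WEAK breaks several practices above; HARDENED follows them.
WEAK = """
hostname edge-rtr
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""
HARDENED = """
hostname edge-rtr
aaa new-model
tacacs server auth1
 address ipv4 192.0.2.10
banner login ^C Authorized use only. Activity is logged. ^C
login block-for 120 attempts 3 within 60
ip ssh version 2
snmp-server community Str0ng-RO-c0mmun1ty RO
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

def has(pattern, config):
    return re.search(pattern, config, re.M) is not None

# (practice number from the list above, description, passes(config))
RULES = [
    ("1", "login/motd banner configured", lambda c: has(r"^banner (login|motd)", c)),
    ("2", "AAA with a TACACS+ server", lambda c: has(r"^aaa new-model", c) and has(r"^tacacs", c)),
    ("6", "no default or read-write SNMP community", lambda c: not has(r"^snmp-server community (public|private)\b", c) and not has(r"^snmp-server community \S+ RW\b", c)),
    ("8", "telnet not accepted on vty lines", lambda c: not has(r"^ transport input .*telnet", c)),
    ("9", "SSH restricted to version 2", lambda c: has(r"^ip ssh version 2", c)),
    ("10", "login rate limiting (login block-for)", lambda c: has(r"^login block-for", c)),
    ("10", "every line has an idle timeout", lambda c: not has(r"^ exec-timeout 0 0", c)),
]

def audit(config):
    """Return (practice, description) for every rule the config fails."""
    return [(num, desc) for num, desc, passes in RULES if not passes(config)]
```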

Tuesday, November 18, 2014

HUAWEI finally opens up their Knowledge Share with eNSP

HUAWEI, one of the giant telecom and ICT vendors and service providers, has finally opened up its knowledge share by launching a free graphical simulation tool called eNSP (Enterprise Network Simulation Platform).

The tool looks very much like CISCO's Packet Tracer: a graphical user interface, drag and drop, and easy to use. Students, specialists and experts can now use this tool to get familiar with the Huawei OS environment. I wonder why it took Huawei all this time to come up with such a simple tool, but this is a sign that the Chinese are finally opening up to the global community because of the cut-throat competition in the IT industry.
Anyway, good move Huawei, and the next step should be to also open up your certification exams, just like CISCO and JUNIPER, so someone can become a Huawei IP expert without having to first travel to Shenzhen, China.

The software is in its beta version and you can download it from the Huawei Enterprise Support Community. Have fun and happy learning.