Friday 21 December 2012

HA Routers.

I recently had to build a new POP. As part of the build I needed to configure two 10G WAN links in an HA configuration.

I have a pair of Nexus 7k's at one end (A) and a pair of Nexus 5k's at the other (B). The idea is to provide a low latency L3 connection for database replication as well as all the other trappings of Windows hosting... The databases will eventually be BIG hence the 10G links.

So I wanted HA across the two links; ideally I would like to use both links at the same time rather than run them active/passive.

First off I wanted to use OTV, no that is not quite right, I really wanted to use OTV. I was excited about the possibilities of what we could do with VMware and the Nexus 1000v. vMotion a virtual machine to either DC and the 1000v would handle it. YES PLEASE I said.

Then I found out you need to have Nexus 7000 at each end, so that idea was scrapped.

Etherchannel is out because, while the fibre is trying to be Ethernet, it's not real Ethernet, and I have been down that road before without success. That and the WAN link supplier said no.

So I was back to the old faithful, HSRP or VRRP, then by luck I came across GLBP.

"GLBP provides path redundancy for IP by sharing protocol and Media Access Control (MAC) addresses between redundant gateways. Additionally, GLBP allows a group of Layer 3 routers to share the load of the default gateway on a LAN. A GLBP router can automatically assume the forwarding function of another router in the group if the other router fails."

Sounds promising, I thought, so I built a network in GNS3 to replicate what I described above, running a single OSPF area to distribute the routes.

GLBP really works. Here is a snip of my config.

interface FastEthernet1/1
 ip address 10.2.2.2 255.255.255.0
 ip ospf network broadcast
 duplex full
 speed 100
 glbp 1 ip 10.2.2.1
! Virtual gateway address shared by both routers; hosts use it as their default gateway.
 glbp 1 timers 5 18
! Hello every 5 s, hold 18 s: the peer takes over within ~18 s of the last hello.
 glbp 1 timers redirect 1800 28800
 glbp 1 priority 102
! The peer stays at the default priority of 100, so this router becomes AVG.
 glbp 1 preempt delay minimum 7
 glbp 1 authentication text Bend
! Preshared key not required but seemed like a good idea.
! Note: "text" authentication is carried in cleartext in every hello, so it only
! guards against misconfiguration; the md5 key-chain form is the stronger choice.
 glbp 1 weighting track 1 decrement 100
! Track object 1 (defined outside this snip) must exist. When it goes down the
! weight drops from the default 100 to 0, below the lower threshold, and this
! router gives up forwarding for its virtual MAC; the peer picks it up.
 glbp 1 forwarder preempt delay minimum 7
!
router ospf 101
 router-id 10.2.2.2
 log-adjacency-changes
 network 10.2.2.0 0.0.0.255 area 0
 network 10.3.3.0 0.0.0.255 area 0
!
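The following is an added example, not config from the original post: the same GLBP group with MD5 key-chain authentication in place of the plaintext string, the track object the snip references but does not define, and the show commands to confirm the group. Plaintext "authentication text" is sent in the clear in every hello, so anyone on the segment who can sniff one hello can send their own with a higher priority or weight and take over the AVG or AVF role, pulling the hosts' traffic through their box; MD5 authentication makes that require the shared secret. The key-chain name, key-string, and the GigabitEthernet0/1 uplink are assumptions (IOS syntax, as used in the GNS3 lab).

```text
! Added example, not from the original post. Key-chain name, key-string
! and the uplink interface name are assumptions; replace them with your own.
!
! Key chain used to authenticate GLBP hellos. Configure the same key on
! every gateway in the group; hellos with a bad or missing digest are ignored.
key chain GLBP-KEYS
 key 1
  key-string CHANGE-ME-shared-secret
!
! Track object 1: the WAN uplink this gateway forwards over. When its line
! protocol goes down, the weighting below drops by 100 and the peer takes
! over forwarding for this router's virtual MAC.
track 1 interface GigabitEthernet0/1 line-protocol
!
interface FastEthernet1/1
 ip address 10.2.2.2 255.255.255.0
 ip ospf network broadcast
 glbp 1 ip 10.2.2.1
 glbp 1 timers 5 18
 glbp 1 timers redirect 1800 28800
 glbp 1 priority 102
 glbp 1 preempt delay minimum 7
 glbp 1 authentication md5 key-chain GLBP-KEYS
 glbp 1 weighting track 1 decrement 100
 glbp 1 forwarder preempt delay minimum 7
!
! Verify: exactly one Active (AVG) per group, each router Active for one
! forwarder, and the peer showing the same authentication type.
! Router# show glbp brief
! Router# show glbp 1
```

Apply the key chain to both routers before switching the group from text to md5; a group whose members disagree on authentication splits into two AVGs until they agree again. MD5 authenticates the hellos but does not hide them, so treat it as protection against a rogue gateway on the segment, not as confidentiality.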

So within my little GNS network all was working, HA was achieved and ping worked a treat. In GNS I had used Cisco 7206 routers; after all I was only confirming my config.

However, in the real world the Nexus 7000 comes with GLBP support out of the box, no extra licenses needed. Not the case with the Nexus 5000! Not even with an L3 daughter card and the respective L3 license.


Back to HSRP and active/passive until we have the money for the advanced license.
 
UPDATE 8/2/13. Despite all the Nexus 5000 and GLBP documentation on cisco.com, it's not a released feature yet. I have been told it will be available in the first half of 2013.


Tuesday 6 November 2012

Brocade ADX1000, so you want to use ssh instead of Telnet? If not, you should!
Using ssh (version 2) instead of Telnet is a given. Telnet is dead: it sends your login credentials and the entire management session across the network in cleartext, so anyone who can see the traffic can read them and log in as you.

Do not use Telnet. Bad bad bad. Hope we are clear on that.

After spending way too much time searching and trying to find the answer to make ssh work, I have decided to put it here in the hope it will help someone else.

When initially configuring your Brocade ADX1000 ServerIron, getting ssh to work is a lot harder than you would expect. If you have done the right thing and are using the official Brocade manuals, you will be given examples of enabling ssh using RSA keys.

This is what is in the manual.
The SSH service is not enabled by default. The SSH server starts once you configure a host RSA public and
private key pair for SSH:
ServerIronADX(config)# crypto key generate rsa
ServerIronADX(config)# write mem

This will not work for ssh v2 on the ADX. The RSA keys serve the old ssh v1 server and are not used by the v2 server; they are, however, used by the Brocades for GSLB (Global Server Load Balancing), so they are not redundant.

Instead do the following (assuming you are on the console and/or Telnet for the initial config).

Clear off any keys you might have created while bashing away trying to make ssh work. This also disables ssh, should you want to do that.
ServerIronADX(config)# crypto key zeroize rsa
ServerIronADX(config)# crypto key zeroize dsa

Create a new random seed.
ServerIronADX(config)# crypto random-number-seed generate

Create the DSA keys (not RSA).
ServerIronADX(config)# crypto key generate dsa

Wait for it to finish; it can take 20 seconds or so, after which you get a message that the certificate has been created. If you look in your running config, the certs will be at the bottom.

Something also missing from the manuals: you need to tell the ADX to check the local user database when authenticating logins. Otherwise you enter a fail loop of never being able to log in over ssh.
ServerIronADX(config)#  aaa authentication login default local

Now you should be able to enjoy secure ssh v2 CLI remote access. Once ssh works, disable Telnet, then save your config.
ServerIronADX(config)# no telnet server
ServerIronADX# wr m
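The whole procedure in one sequence, with the two checks that keep you from locking yourself out, as an added example that is not from the original post. The "username" line is an assumption about ADX syntax (confirm it in the command reference for your release); "netadmin", the password placeholder and "adx.example" are placeholders; the client-side commands assume an OpenSSH client. The point of the extra steps: "aaa authentication login default local" sends every login to the local user database, so that database must hold a user before you rely on it, and Telnet should only go away after an ssh login has actually succeeded from a second session.

```text
! Added example, not from the original post. "username" syntax is assumed;
! user name, password and host name are placeholders.
!
! 1. Start clean: drop any half-made keys. This also stops the SSH server.
ServerIronADX(config)# crypto key zeroize rsa
ServerIronADX(config)# crypto key zeroize dsa
!
! 2. Fresh random seed, then the DSA host key the ADX ssh v2 server uses.
!    Generation takes ~20 s; wait for the "created" message before going on.
ServerIronADX(config)# crypto random-number-seed generate
ServerIronADX(config)# crypto key generate dsa
!
! 3. Put a user in the local database BEFORE pointing login authentication
!    at it, or every ssh login fails (username syntax assumed, see lead-in).
ServerIronADX(config)# username netadmin password CHANGE-ME-strong-password
ServerIronADX(config)# aaa authentication login default local
!
! 4. From a second session, prove ssh works while the console/Telnet session
!    is still open. OpenSSH 7.0 and later refuse ssh-dss host keys by default,
!    so the DSA-only ADX needs the algorithm re-enabled for this host;
!    -v prints "Remote protocol version 2.0" so you can confirm it is v2.
client$ ssh -v -o HostKeyAlgorithms=+ssh-dss netadmin@adx.example
!    Check the host key fingerprint shown on first connect against the public
!    key at the bottom of "show running-config" on the console (copy the key
!    to a file and run "ssh-keygen -lf" on it) before accepting it.
!
! 5. Only once step 4 succeeded: kill Telnet and save.
ServerIronADX(config)# no telnet server
ServerIronADX# write memory
```

Two caveats on the client side. OpenSSH 9.8 disables DSA at compile time by default and 10.0 removes it, so a current client may not be able to talk to a DSA-only host at all; keep a client built with DSA support for this box, or use a firmware that supports RSA or ECDSA host keys for ssh v2. And verifying the fingerprint out of band on first connect is what stops a Telnet-era habit, trusting whatever answers on port 22, from becoming an ssh-era man-in-the-middle.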

Happy secure days.