Solved

Replace existing router with linux server

Posted on 2011-09-02
Last Modified: 2012-05-12
I need some help from someone with Cisco IOS expertise and linux configuration expertise.  I have to replace a cisco 3800 router with a linux server which will do the same functions that the router was doing.  Router is terminating GRE-IPSEC tunnels as well as normal routing and some firewalling.  I can do the general config on the linux but there are tweaks and tuning in the Cisco IOS that was done for performance reasons and I need help translating those tweaks to the linux configuration.
For example, in the router we used a route map to turn off the Don't Fragment bit...
So on the corresponding physical interface I have:
ip policy route-map DF
whereas the route map is...
route-map DF permit 10
 match ip address 111
 set ip df 0
access-list 111 permit tcp any <<internal user IPs>>

Another example for the tunnel interface...
int tun0
  ip add 10.1.1.2 255.255.255.0
  ip mtu 1300
  ip tcp adjust-mss 1200     --->  what is it in linux?
  tun sou FastEthernet0/0
  tun dest 172.21.2.36
  tunnel path-mtu-discovery   ---> what in linux?
  crypto ipsec df-bit clear     ---> what in linux?

Another example, we had to increase the maximum number of datagrams that can be reassembled...
interface FastEthernet0/0
ip virtual-reassembly max-reassemblies 32

There are more but these three are the most pressing.  Anyone well versed in Cisco IOS and linux that could lend a hand?
Question by:mrkent
25 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36474748
I don't have an answer, but I am curious about why...
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 159 total points
ID: 36474775
You didn't say which Linux distribution you're using.
Check this out:
http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions

.. even if it's outdated (I don't know) the implication is that one might want to use one of these in that Red Hat and Ubuntu are NOT listed.  That seems to send a message.  Up to you to figure out what it means to you.

So, I'm sorry but I'm afraid that the question may be a bit vague in that regard.  
I say that because I imagine that all those "commands" you want to  instantiate are very likely *not* in a common Linux distribution but, rather, part of a special distribution or package tailored to the purpose of making a router.

I'm curious about the cost effectiveness of paying someone to do this with Linux vs. using the Cisco box.  What's the motivation and how does it pencil out?
0
 

Author Comment

by:mrkent
ID: 36474832
The 3845 is eol, Smartnet expired, it has had some hardware failures (bad HWIC, etc.) and they want to replace it.  They have already purchased several servers and want to use them.  It is not a critical need for this particular workspace and they just want to try it.  If it works out they may use this from now on.
They have three offices.  This is for the least used office that they are planning to move in a year anyway.  They hope to expand to two more locations.
It hasn't been set in stone that we will pursue this but because they already have several of these servers there is talk about taking these servers and replacing the routers eventually.
0
 

Author Comment

by:mrkent
ID: 36474896
And yes, that is odd that Red Hat, Ubuntu, CentOS, Debian are NOT mentioned.  I never heard of the majority of distributions on that list.  I obviously would rather use the well known distros.  I haven't opened the servers yet so I don't know which is in them but I guarantee it isn't one from that list.
0
 
LVL 9

Assisted Solution

by:bz43
bz43 earned 37 total points
ID: 36474989
good forum for help http://ipcop.org/support.php
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 159 total points
ID: 36475482
I would suggest you use one of those router-oriented distributions on one machine and see how it goes.  There's clearly a lot of learning to be done.

Then you might consider migrating to the delivered distribution on your new boxes and see what it means to you after getting the experience above.
0
 

Author Comment

by:mrkent
ID: 36475619
I know this will sound like I'm chicken but I'm weak in linux, and though I can do basic static routing and basic firewalling and terminate a VPN (via racoon), there is not a whole lot else.  So I am hesitant to dig into those router-oriented distributions.  Further, I wouldn't know how to do this -- loading the new distro, migrating to the delivered distro, etc.
But you're right, I should...
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 37 total points
ID: 36476781
I would look at picking up some used Cisco equipment instead.  It is cheap.  I just replaced 3640 routers last year with new routers only because they had Wi-Fi and cellular backup. My core infrastructure runs on Cat 6509 that just got upgraded 3 years ago to Sup32. I figure I will run those for another 5-10 years without SmartNET.  
0
 

Author Comment

by:mrkent
ID: 36479069
Yep, I may end up doing that in the end.  Meantime wouldn't be a bad idea to get smart on the linux stuff.
0
 

Author Comment

by:mrkent
ID: 36479155
bz43  -Side question, why would I need ipcop or similar product over just a basic iptables configuration?  May seem like a stupid unrelated question but just curious how much improvement I get vs manual manipulation of the iptables that come with my base distribution.
0
 
LVL 25

Accepted Solution

by:
Fred Marshall earned 159 total points
ID: 36479703
I find that installing a new distro is easier than installing some apps.
So, I still encourage you to install a router distro on one of those machines to get the needed experience with setting up a router of this type.
Otherwise, I'm pretty sure you're NOT going to find the commands you want until you load various apps.
And, as above, I think that's often harder than loading a distro.

Up to you.....
0
 

Author Comment

by:mrkent
ID: 36483864
Can that be done remotely?  Similar to using apt-get and yum to load new apps remotely?  Similar to TFTP a new IOS for a Cisco router?
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 159 total points
ID: 36484801
I have no idea but I rather doubt it unless you know how to get around inserting boot CD/DVDs...
Generally the point is that you want to boot from a different source.
I suppose you could try to load the files and then add a pointer to the boot loader so that the boot moves, or is selectable to that place.  

If there's no disaster in failure then I'd try it.

Maybe post a new Question.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 267 total points
ID: 36495352
Select a mss:

echo 1200 >/proc/sys/net/ipv4/tcp_base_mss
(512 is default)

PMTU is on by default,

echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc

will disable it (set it to 0 to enable)

Clearing a don't fragment can be done using iptables -t mangle.
But disabling PMTU should also not set DF.

This is still an interesting document about how to set up in combination with IPSEC ...:
http://www.freeswan.org/freeswan_trees/freeswan-2.01/doc/firewall.html
0
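As an added example (not from the thread or any poster), the tunnel block from the question translated into iproute2/iptables/sysctl commands, using the ip_no_pmtu_disc sysctl from the answer above. For the `ip tcp adjust-mss 1200` line it uses iptables' TCPMSS mangle target rather than the tcp_base_mss sysctl; the route-map DF clearing and `crypto ipsec df-bit clear` are not covered. LOCAL_IP is a placeholder for the address behind FastEthernet0/0, and the script only prints commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: translate the Cisco 'int tun0' snippet
# into Linux commands.  Prints by default (DRY_RUN=1); DRY_RUN=0 applies them.
DRY_RUN=${DRY_RUN:-1}
LOCAL_IP=${LOCAL_IP:-192.0.2.1}      # placeholder for the FastEthernet0/0 address
REMOTE_IP=${REMOTE_IP:-172.21.2.36}  # 'tun dest 172.21.2.36'
TUN_ADDR=10.1.1.2/24                 # 'ip add 10.1.1.2 255.255.255.0'
TUN_MTU=1300                         # 'ip mtu 1300'
TUN_MSS=1200                         # 'ip tcp adjust-mss 1200'

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# int tun0 / tun sou / tun dest / ip mtu / ip add.  Linux GRE runs path MTU
# discovery by default, which matches 'tunnel path-mtu-discovery'; adding the
# 'nopmtudisc' flag to 'ip tunnel add' would turn it off instead.
build_tunnel() {
    run ip tunnel add tun0 mode gre local "$LOCAL_IP" remote "$REMOTE_IP"
    run ip link set dev tun0 mtu "$TUN_MTU" up
    run ip addr add "$TUN_ADDR" dev tun0
}

# 'ip tcp adjust-mss 1200': rewrite the MSS option of SYNs entering or leaving
# tun0 so TCP segments fit the 1300-byte tunnel MTU without fragmentation.
clamp_mss() {
    for flag in -i -o; do
        run iptables -t mangle -A FORWARD "$flag" tun0 -p tcp \
            --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$TUN_MSS"
    done
}

# Host-wide PMTU discovery switch from the answer above:
# 0 keeps it on (kernel default), 1 turns it off.
pmtu_discovery() {
    run sysctl -w net.ipv4.ip_no_pmtu_disc="$1"
}

build_tunnel
clamp_mss
pmtu_discovery 0
```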
 
LVL 39

Assisted Solution

by:noci
noci earned 267 total points
ID: 36495378
This was another I intended to attach:
http://www.akadia.com/services/pppoe_iptables.html
0
 

Author Comment

by:mrkent
ID: 36516993
Thank you, good info.  On the subject of iptables, I get nervous when I am configuring them remotely, via ssh, because I worry about inadvertently knocking myself off and not being able to get back in.  Are there safeguards against that happening?  Like perhaps first line of iptables is allow port 22?  I don't know whether there is an implicit "deny all" at the end when you implement iptables, like there is in acls and firewalls.  Is there a way I can protect against myself? ;-)
0
 
LVL 39

Assisted Solution

by:noci
noci earned 267 total points
ID: 36518282
Not exactly.

You can make a backup of the current rules and run a cronjob that restores it every X minutes .

BTW iptables-restore uses a transactional method to restore either all or nothing.....
0
 
LVL 39

Assisted Solution

by:noci
noci earned 267 total points
ID: 36519090
It can help that you have a first rule that always allows your IP access and no others...
0
 

Author Comment

by:mrkent
ID: 36521027
OK, I'm getting there but not quite yet.  I'm allowing ssh from all locations (in case I am somewhere else trying to get in);
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
then I'm allowing ping:
iptables -A INPUT -p icmp -j ACCEPT
then allowing established sessions to continue:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Now I think I'm safe from self destruction.  I see reference to flushing the rules with iptables -F but I'm afraid it will self destruct my session.
Then I can continue allowing certain ports and protocols.  And also do natting.  Anything I'm missing?

How does that look?

And how do I save these so that if the system reboots, these rules will stick?  Put the lines in rc.local?  Put in /etc/sysconfig/iptables? --what if there was no such file as /etc/sysconfig/iptables?  "service iptables save" is all that is needed to permanently save the iptables after reboot?
0
 
LVL 39

Assisted Solution

by:noci
noci earned 267 total points
ID: 36521319
From a performance view, make the 3rd rule the first (...-m state --state ESTABL... )
It will probably get hit most.

"/etc/init.d/iptables save"  or "service iptables save"
(run the firewall startup script , using the save parameter, works with most distributions)
iptables-save >save-config  is what gets executed, the location of the save-config is distro dependent.


During booting these will get loaded,  but you can only handle ONE ruleset.
If you do a regular reboot almost all distributions do a save during shutdown.
0
 

Author Comment

by:mrkent
ID: 36522379
Thank you.  What do you mean only one ruleset?
0
 
LVL 39

Assisted Solution

by:noci
noci earned 267 total points
ID: 36523191
One ruleset is everything you can see with iptables-save
written to your screen.

ie. in more human readable format:
iptables -L -nv       [ 3+ chains]
iptables -t nat -L -nv [4+ chains]
iptables -t mangle -L -nv [5+ chains ]

The + means you can add some extra to the default ones.
That contains all rules you can have with iptables.
0
 

Author Comment

by:mrkent
ID: 36523600
Gotcha, thanks.  So I see that it also includes any natting that I need to save.

One last question and we can finish, and it will be the dumbest.  Do I have to end the iptables with a deny all statement, or is it already implicitly there like it is with Cisco acls and firewalls?
0
 
LVL 39

Assisted Solution

by:noci
noci earned 267 total points
ID: 36525680
You can choose if you want an implicit DENY or ACCEPT.
It is called the Policy. (That is in the built-in ones..).

iptables -P ...
or
iptables --policy ...

0
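Pulling together the pieces in this thread (mrkent's three rules, the ESTABLISHED,RELATED rule moved first, a backup that a timer restores if the change goes wrong, iptables-restore's all-or-nothing load, and an explicit DROP policy in place of the implicit ACCEPT), here is an added example that is not from the thread or any poster. The backup path, ADMIN_NET and GUARD_SECS are assumptions; the script only prints the steps unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: build one iptables-restore ruleset from the
# poster's INPUT rules and load it behind a timed rollback, so a mistake made
# over ssh undoes itself.  Prints by default (DRY_RUN=1); DRY_RUN=0 applies.
DRY_RUN=${DRY_RUN:-1}
ADMIN_NET=${ADMIN_NET:-0.0.0.0/0}   # poster's 'ssh from anywhere'; narrow to your own range
GUARD_SECS=${GUARD_SECS:-120}       # time you have to confirm access before rollback

# ESTABLISHED,RELATED first (most hits), then lo, ssh, icmp.  Policy DROP makes
# the implicit deny explicit; FORWARD stays DROP until the Cisco ACLs are
# translated into forwarding rules.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# 1) snapshot the live rules  2) arm the rollback  3) load new rules atomically
apply_guarded() {
    backup=${1:-/root/iptables.before}
    run sh -c "iptables-save > '$backup'"
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ (sleep %s && iptables-restore < %s) &\n' "$GUARD_SECS" "$backup"
        printf '+ build_ruleset | iptables-restore\n'
        return 0
    fi
    ( sleep "$GUARD_SECS" && iptables-restore < "$backup" ) &
    guard=$!
    build_ruleset | iptables-restore   # a syntax error leaves the old rules untouched
    echo "Still connected? Cancel the rollback with: kill $guard"
    echo "Then persist: iptables-save > <distro's save file> or 'service iptables save'"
}

apply_guarded
```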
 

Author Closing Comment

by:mrkent
ID: 36525824
Thanks to all
0
