For the past 18 or so months I’ve been working in the data centre team for a large governmental state body. The role is technical specialist, specialising in networking (switching, routing and so on). Naturally it’s had its boring, repetitious work (data backup and recovery), but a lot of the work I’ve been performing has been full of excellent learning opportunities, and good, fun, hardcore networking tasks.

This fortnight I’ve been planning and implementing upgrades at three regional offices (well, they’re Sydney based, but they aren’t head offices). As of Wednesday night, I implemented the final upgrade, which was ultimately a success.

The previous networks were all roughly the same as the following (give or take a switch or two):

[Figure: Basic Network Layout for the Regional Offices] The basic network layout that the regional offices followed.

The switches were old 12 and 24 port Cisco 3500 series switches. Authentication was an enable password over telnet, which I saw as somewhat insecure and a breach of policy.

Each site had a single Cisco 2600 series router with an E1 VWIC connecting to Telstra. The routers also lacked decent authentication (again, enable password over telnet).

Most of our core devices currently use RADIUS for authentication, so the infrastructure was already in place to implement decent authentication that is trackable, secure, and centrally managed. All that was required on the new devices was that the IOS be upgraded to the K9 (or crypto) version.

The new routers that I implemented are the Cisco 2921 series, using an E1 VWIC for voice. Currently we’re using Ethernet to GWIP at the sites, but there is a chance that this will be upgraded to fibre, so I set up the GWIP on interface GigabitEthernet0/1. The trunk to the switch stack was set up on GigabitEthernet0/0 as a router on a stick.

Each regional site has two levels, one requiring 96 access ports and the other 48. On the larger level I set up two 3750s as a switch stack. I had never set up a switch stack before, so this was a new learning experience (though I let the stack elect a master automatically).

Of course the switches also had to be upgraded to the new IOS, which I did using the SolarWinds TFTP tool and the following commands:

#copy tftp://<ip_addr>/<ios.bin> flash:
#copy flash1:/<ios.bin> flash2:
(config)#boot system switch all flash:/<ios.bin>
#write memory
#reload

The single switch on the other level was also upgraded, and the switches were trunked with fibre on the GigabitEthernet ports.

To enable RADIUS on the devices, or more accurately aaa, I used the following configurations (note: I have modified these slightly to ensure confidentiality):

[Figure: The new network layout of the three regional sites] The image is a layout of the current/new network at the regional sites.

! Turn on the AAA subsystem; from here on the method lists below decide how logins are checked
aaa new-model
!
! Named RADIUS server group (the shared key is removed from this post for confidentiality)
aaa group server radius RADAUTH
 server 192.168.123.254 auth-port 1812 acct-port 1813
!
! Logins try RADIUS first, then the local user database, then the enable secret as a last resort
aaa authentication login default group RADAUTH local enable
! Enable-mode requests go to RADIUS (sent as user $enab15$), falling back to the line password
aaa authentication enable default group RADAUTH line
aaa authorization console
! Named list "RADAUTH": a named list only takes effect on lines configured with "authorization exec RADAUTH";
! a list called "default" would apply to every line automatically
aaa authorization exec RADAUTH group radius local
!
! Source RADIUS traffic from the loopback so the server always sees the same client address
ip radius source-interface Loopback0
!
radius-server host 192.168.123.254 auth-port 1812 acct-port 1813 key 7 <removed>
radius-server authorization default Framed-Protocol ppp
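As an added example (not part of the original post and not a Cisco tool), the following Python script reads a Cisco IOS running-config and reports the weaknesses this upgrade removed (a plain enable password, telnet on the vty lines, no AAA) and checks that the RADIUS login setup is wired together: a default login list that points at a configured server group, a local user behind the local fallback, and SSH-only vty transport. The two configs inside it are constructed samples; the RADIUS address and group name follow the snippet above, while the username and the hashes are placeholders.

```python
"""
Added example, not from the original post: audit a Cisco IOS running-config
against the AAA/RADIUS baseline described above. Constructed samples only.
"""
import re

# Constructed "before" config: local enable password, telnet on the vty lines.
OLD_CONFIG = """\
hostname regional-sw1
!
enable password cisco123
!
line vty 0 4
 password cisco123
 login
 transport input telnet
!
"""

# Constructed "after" config, modelled on the AAA snippet in the post.
# The username and the enable secret carry placeholders, not real hashes.
NEW_CONFIG = """\
hostname regional-sw1
!
aaa new-model
!
aaa group server radius RADAUTH
 server 192.168.123.254 auth-port 1812 acct-port 1813
!
aaa authentication login default group RADAUTH local enable
aaa authentication enable default group RADAUTH line
aaa authorization console
aaa authorization exec default group RADAUTH local
!
username netadmin secret 5 <placeholder-hash>
enable secret 5 <placeholder-hash>
!
ip radius source-interface Loopback0
!
radius-server host 192.168.123.254 auth-port 1812 acct-port 1813 key 7 <removed>
!
line vty 0 4
 transport input ssh
!
"""


def vty_blocks(config):
    """Return the indented body of every 'line vty ...' block as a list of stripped lines."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks


def audit_ios_config(config):
    """Return a list of findings; an empty list means the config meets the baseline."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]

    def has(prefix):
        return any(line.startswith(prefix) for line in lines)

    if not has("aaa new-model"):
        findings.append("aaa new-model missing: line and enable passwords are the only authentication")
    if has("enable password "):
        findings.append("enable password in use: replace with 'enable secret' (non-reversible hash)")

    # Named RADIUS groups defined on the box; 'group radius' is the built-in group of all hosts.
    groups = set()
    for line in lines:
        match = re.match(r"aaa group server radius (\S+)", line)
        if match:
            groups.add(match.group(1))
    login = next((line for line in lines if line.startswith("aaa authentication login default")), None)
    if login is None:
        findings.append("no default login authentication method list: lines fall back to local passwords")
    else:
        methods = login.split()[4:]  # tokens after 'aaa authentication login default'
        used = {methods[i + 1] for i, tok in enumerate(methods) if tok == "group" and i + 1 < len(methods)}
        if not any(g in groups or (g == "radius" and has("radius-server host")) for g in used):
            findings.append("default login list does not reference a configured RADIUS group")
        if "local" in methods and not has("username "):
            findings.append("local fallback listed but no username configured: lockout risk if RADIUS is unreachable")

    # A vty with no 'transport input' line is treated as telnet-capable (the older IOS default).
    for idx, block in enumerate(vty_blocks(config)):
        transport = next((line for line in block if line.startswith("transport input")), None)
        if transport is None or {"telnet", "all"} & set(transport.split()):
            findings.append(f"vty block {idx}: telnet permitted; set 'transport input ssh' (needs a K9/crypto IOS)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(name, audit_ios_config(cfg) or ["compliant"])
```

Run it as-is to see the "before" config produce four findings and the "after" config pass; to audit a real device, feed `audit_ios_config` the text of `show running-config`. The vty check is deliberately strict about a missing `transport input` line, because on the older switches in this post that default still allowed telnet.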

Each site had incredibly (and I mean incredibly) messy patch work, one of which had been patched with ultra-stiff Cat6 cable.

I found that it was actually easier to pull out all the patching and rewire it. Not only was it the neater, more manageable option, but I feel that it also saved a significant amount of time.

All three upgrades were 100% successful at the time of implementation. It goes to show that a few hours’ planning saves many hours of implementing.

The following photos give you an idea of just how messy the cabling was, and of the changes that needed to be put in place to make the network neat and manageable once again.

Creative Commons License Share-alike. Some Rights Reserved. Null Security: WordPress Blog