Simplifying and standardizing your device configurations


Doug Downer
11.02.2004


This week's tip will focus on the detailed, arduous and very important task of simplifying and standardizing device configurations within an organization. This task is a key part of identifying critical risk areas within your network, as well as the first step toward a successful technology migration in the future. Next time we will focus primarily on the design principles and upgrade paths for a simplified and standardized network.

One Common Goal
Have you ever been tasked with troubleshooting an unknown network? Have you, while the earth has stopped rotating due to a network outage, spent more time deciphering another engineer's complex configuration than on the problem itself? The answer is most likely "yes". It's a never-ending battle between those who are tasked to design and configure and those who are tasked to fix the problems they have unknowingly created. Besides detailed and frequent communication, which is not always an option, the fix for such problems is "simplify and standardize". A network design can become inherently complicated based solely on the requirements themselves. There are, however, several components of a design which, if simplified, can make implementation and management easier. Some examples include interface configurations and default routing configurations.

Interface Configuration Ideas
The most frustrating thing I see out there is interface configurations where the descriptions differ from interface to interface. The interface description should identify valid details such as circuit type, adjacent device name and termination information. If the circuit is managed by or terminates in provider territory, circuit IDs and contact information are also helpful. While adding this information, it is important to keep the little things like character case, hyphen use and word order the same from description to description. Below is a simple example of a Gigabit Ethernet interface description.

interface g1/0/0
 description P2P-2 CHRYLN.JNPR-M10I.SBC.COM-G2/1/1.0 555-5555
or
 description POINT-2-POINT-chryln.jnpr-m10i.sbc.com-G2/1/1/0-ID=12345ABCD-800.555.5555

Remember to apply any "blanket" security policies to each interface as well. Some common practices include the following standard configuration:

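interface fa1/0/0
 ! do not send ICMP redirects
 no ip redirects
 ! do not send ICMP unreachables
 no ip unreachables
 ! do not answer ARP requests on behalf of other hosts
 no ip proxy-arp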

Each organization is different and these particular commands may not suit your needs, but the point is to remain consistent so the engineer behind you knows what to expect.

Routing Ideas
During its lifetime, a device configuration will inevitably change in many ways. One component in the configuration of a typical network which changes often is the routing protocol. Engineers must make a conscious effort to optimize their network with increased security and performance while maintaining a manageable and scalable configuration. Creating a template for current and future devices will satisfy these basic requirements. There haven't been significant new additions to routing protocols in the past few years, if not decades. While the workings of protocols such as OSPF haven't changed much in quite some time, there have been advances in the feature sets within the vendors' operating software to support the demands for increased security and scalability to new Data Link technologies.

It is the responsibility of the engineer to evaluate and implement these new features within an operational network. Keep in mind the goal of simplicity – having too many insignificant features enabled because "you can" will create its own problem entirely. Here is an example of an OSPF template which will allow the protocol to scale securely (Cisco IOS):

router ospf 1
 ! [1] scale OSPF cost for links faster than 100 Mbps
 auto-cost reference-bandwidth 10000
 ! [2] MD5 authentication on every link in area 0
 area 0 authentication message-digest
interface g1/0/0
 ! [3] key ID 10 and the MD5 key for this interface
 ip ospf message-digest-key 10 md5 cisco

[1] RFC 2328 does not specify a cost value for the OSPF protocol, although it was implemented by vendors as a 100 Mbps standard. Cisco calculates the cost of a link as 10^8/bandwidth. This command increases that value to 10^10/bandwidth, allowing for the proper calculation and use of Gigabit Ethernet in your network.

[2] This command applies MD5 authentication to all links in Area 0. Alone, this command sets a bit in the OSPF packet header. With this, no OSPF router will be able to establish an adjacency.

[3] Within the Authentication fields in the OSPF packet header, a field exists for an encrypted key. If no key is specified, the field will contain all 0's. The 10 in this command specifies the local KeyID, which allows for seamless key management and migration. The youngest key (highest number) is always sent in an OSPF packet.
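
An added example, not part of the original tip: a small Python audit that checks a saved configuration against the interface template and the OSPF template described above. The description pattern, the finding texts and the sample configuration are assumptions constructed for illustration; the blanket commands use their IOS interface-level form, and every interface is assumed to belong to the authenticated area.

```python
import re

# Assumed house convention (modelled on the tip's first sample description):
# "<TYPE> <PEER-FQDN>-<PEER-PORT> <CONTACT>", upper case, single spaces.
DESC_RE = re.compile(r"^[A-Z0-9-]+ [A-Z0-9.-]+-[A-Z]+\d[\d/.]* [\d.-]+$")
# Blanket policy lines, in their IOS interface-level spelling.
BLANKET = ("no ip redirects", "no ip unreachables", "no ip proxy-arp")

def sections(config):
    """Split IOS text into {top-level line: [indented sub-commands]}."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() and not line.lstrip().startswith("!"):
            if line[0] != " ":
                current = out.setdefault(line.strip(), [])
            elif current is not None:
                current.append(line.strip())
    return out

def audit(config):
    """Return sorted (interface, finding) pairs for template deviations."""
    secs = sections(config)
    ospf = [c for h, cmds in secs.items() if h.startswith("router ospf") for c in cmds]
    md5_area = any(re.match(r"area \S+ authentication message-digest$", c) for c in ospf)
    ifaces = {h.split()[1]: c for h, c in secs.items() if h.startswith("interface ")}
    findings = []
    for name, cmds in ifaces.items():
        desc = next((c[12:] for c in cmds if c.startswith("description ")), "")
        if not DESC_RE.match(desc):
            findings.append((name, "description missing or off-convention"))
        findings += [(name, "missing: " + b) for b in BLANKET if b not in cmds]
        # Assumption: every interface here belongs to the authenticated area.
        if md5_area and not any(c.startswith("ip ospf message-digest-key ") for c in cmds):
            findings.append((name, "area uses MD5 but interface has no key"))
    return sorted(findings)

# Constructed sample configuration (not from a real device).
SAMPLE = """\
router ospf 1
 area 0 authentication message-digest
interface g1/0/0
 description P2P-2 CHRYLN.JNPR-M10I.SBC.COM-G2/1/1.0 555-5555
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf message-digest-key 10 md5 EXAMPLE-KEY
interface g1/0/1
 description POINT-2-POINT-chryln.jnpr-m10i.sbc.com-G2/1/1/0-ID=12345ABCD-800.555.5555
 no ip proxy-arp
"""
```

Calling audit(SAMPLE) reports nothing for g1/0/0 and four deviations for g1/0/1: the off-convention description, the two missing blanket commands and the missing OSPF key.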

In this article I've talked about the reasons it is necessary to standardize and simplify device configurations by creating templates which will help in troubleshooting, securing and scaling your network. I've given two examples which can help achieve some of these objectives. Next time we'll talk about how to design and implement our standardized networks with prioritized tasks and calculated outcomes.


Doug Downer (CCIE #9848) is a Sr. Consultant with Callisma, INC, a wholly owned subsidiary of SBC Communications. Doug has over 7 years in the industry and currently provides high level business and technology consulting for various federal clients in the Washington D.C. area. He can be reached at ddowner@callisma.com.

