FireBrick

FireBrick - Firewalls, Bonding ADSL, Routers, Traffic Shaping...

FireBrick FB6000
FireBrick FB6000

FB6202 L2TP

The FB6202 is designed primarily for termination of a gigabit BT WBMC link allowing termination of L2TP sessions from BT Broadband WBC, IPStream Connect, and FTTC circuits. It is designed to handle a full gigabit of normal internet traffic levels and handle sufficient tunnels and sessions for that level of usage.

Authentication and accounting is by means of RADIUS. Allocated IPv4 and IPv6 addresses being announced by BGP/OSPF sessions.

Overview

  • Full gigabit capability making simple deployment - one pair of FB6202's per BT gigabit WBMC link or Be-Wholesale handover (one connected to each gigabit WES / link).
  • Very low power consumption (around 30W), dual PSU, 1U box. Save money on space and power in data centre.
  • Constant Quality Monitoring - graphs for every line. Integrate with support systems and save on support staff costs.
  • Simple L2TP relay for reselling L2TP hand-off to smaller ISPs.
  • PPPoE server and L2TP integration acting as a BRAS for direct connection to DSLAMs.
  • Comprehensive shaper sharing between multiple LNSs allows multiple gigabit handling with aggregate shaping in to the carrier network.

Licencing

Full features for one price, no per session licencing or other extra costs.

Warranty

One year warranty on hardware against any manufacturing defect. Normal working hours / courier replacement. Recommended that two units are used together to provide hardware redundancy. On-going maintenance contracts available for extended hardware support beyond one year.

Hardware

1U, dual AC 120/240V inlets (monitored), 2 internal fans (monitored), approx 30W total power consumption.

Multi-position 19" rack mount ears, with variation for hanging mount in shallow depth telco racks.

Power at rear, ethernet ports at front.

Software upgrades

Free of charge, beta and released software. Internal flash holds last 10 versions with automatic fallback on crash/watchdog.

Reboot or software upgrade with clean shutdown of L2TP, BGP, VRRP, etc, for minimal disruption. Boot time under 1 second.

UK based s/w support team - email and irc support during office hours.

Configuration

Configuration defined by an XML document according to a published XSD schema. The configuration may be uploaded and downloaded by HTTP (e.g. using curl). In addition the web interface contains an interactive configuration editor as does the command line interface.

Configuration changes are applied as seamlessly as possible when loaded without the need to re-boot.

Command line interface

The command line provides a number of commands to provide viewing of BGP, OSPF, and L2TP data, as well as clearing BGP sessions and clearing L2TP tunnels and sessions. Includes tab completion and interactive help text.

The command line is available via telnet and ssh and serial connection.

Ports

Two physical copper gigabit ethernet ports allowing 4096 VLANs on each. 100 independent routing tables which can be used with BGP and L2TP (ideal for management LAN, segregating customer traffic, walled garden and credit control LAN). Each port/VLAN can be attached to a specific routing table.

Access control

Access lists of telnet, ssh, tftp, web, snmp. These can also be attached to an independent routing table for specific port/VLANs.

Syslog

Syslog to external server with various levels of debugging data available. Logs also available live via command line interface.

L2TP

L2TP incoming connections and outgoing L2TP relay. RADIUS is used for authentication and accounting.

  • Routing of multiple IPv4 and IPv6 address blocks to a session allocated by RADIUS.
  • Routing IP blocks to multiple sessions (same metric) to perform load balancing based on line speed.
  • Fallback routing of IP blocks (different metric).
  • Source IP checking IPv4, IPv6, and tunneled IPv6 including 2002::/16 prefix against IPv4 source addresses.
  • Native and tunneled IPv6 wrapped and unwrapped at the L2TP interface.
  • Constant Quality Monitoring (CQM) graphs.
  • 20000 tunnels max.
  • 65535 sessions max (total across all tunnels).
  • 4096 simultaneously negotiating sessions.
  • 32767 closed user groups which can also incorporate specific port/VLANs for hosted servers as part of the group.
  • 100 independent routing tables, which can be assigned by RADIUS.
  • Snapshot RADIUS accounting on configurable interval, e.g. accounting for all lines on the hour.
  • 64 bit counters for RADIUS byte counts to allow for high speed lines and hourly reporting.
  • Per session traffic shaping from RADIUS.
  • DOS limiter per session, dropping line on DOS at configurable level.
  • Configurable aggregate traffic shaping and metering to work with BT's split WBC/IPSC operation.
  • L2TP relay on static pattern match, and per line on RADIUS.
  • PPPoE server integration acting as a BRAS to direct linking to DSLAMs.

CQM

CQM provides graphs for last day, and for nightly archive, for L2TP sessions based on circuit ID from RADIUS, and for external interfaces.

  • 100,000 separate graphs.
  • LCP echo every second on every session aggregated to 100 second samples over last day.
  • Packet loss to 1%.
  • Minimum, Average, and Maximum latency to 4 decimal places of ns.
  • Average Tx and Rx rate.
  • Directly http served CSV for analysis.
  • Directly http served PNG graphs for direct integration in to support systems.
  • MD5 in URL for linking for external authenticated viewing.
  • Configurable colours and text and data selection.
  • Configurable scoring of graphs for matching similar lines and identifying common problems.
  • Shaper sharing with other FireBricks for aggregate policing of traffic over multi gigabit networks.

RADIUS

RADIUS authentication and accounting allows configuration of session settings and logging of usage.

Configurable fallback and blacklisting of non responsible servers.

RADIUS DM and CoA

RFC5176 Disconnect message and change of authorisation are supported allowing on the fly changes of routing table, closed user group, routes, and line speed without dropping session. Ideal for handling BRAS rate changes seamlessly.

Platform RADIUS

A RADIUS server provides responses to platform RADIUS requests directing sessions to the FB6000 or alternative endpoints based on simple pattern match. Tested against BT, Be and 3UK hand-overs.

  • Allows control over RADIUS response based on calling and called station ID, and username including pattern matching.
  • Allows tagged and untagged responses, with ordering/selection controlled by in various ways including hash based ordering on calling or called ID, login, username, realm or random.
  • Includes additional parameters for working with mobile GGSN hand-over.
  • Includes additional parameters for working with BT 20CN session steering on IPSC (SIN502).

BGP

BGP is provided to allow interface to carrier (e.g. BT) to accept routes to BRASs, etc, and announcing routes to ISP core network.

  • Up to 50 BGP sessions.
  • IPv4 and IPv6 BGP sessions.
  • IPv4 and IPv6 routing data.
  • AS4 (32 bit) AS number support.
  • IPv6 protocol 41 tunnel announcements using 2002::/16 next hop.

SNMP

SNMP (read only) support for a number of functions including interface stats for each port/VLAN in use.

NTP

Simple NTP client to set clock for accurate logging with fallback via list of configured servers.

DHCP/RA

DHCP client mode available, multiple instances. Also RA client for IPv6 addressing.

RA server for passive IPv6 adress allocation to LAN.

VRRP

IPv4 VRRP2 and IPv4/6 VRRP3 server.

  • Multiple VRRP IP addresses per port/VLAN.
  • Can use standard floating MAC address, or can use fixed per machine MAC with promiscuous ARPs as configured.
  • Dynamic VRRP priority based on routability of a list of addresses, allows VRRP to only become master when external routing in place.
  • Pingable VRRP addresses for easier diagnostics.

Upgrading from L2TPNS

A number of ISPs are upgrading from L2TPNS, an open source LNS package. We have compiled a list of differences to help with the upgrade process.