Clavister Advanced Routing. cos Core Version:


1 Clavister Advanced Routing cos Core Version:

2 VNC edu.clavister.com:1000x edu.clavister.com:1001x Intoro123

3 Agenda
1. Basics of Routing
2. Static Routing
3. Policy-based Routing
4. Virtual Routing
5. Dynamic Routing
6. Multicast Routing
7. Transparent Mode

4 Clavister HQ, Örnsköldsvik, Sweden

5 Clavister HQ, Örnsköldsvik, Sweden

6 Clavister Product Lineup PolarBear Series (ATCA, Stream) Wolf Series P P P P P8 W5 (Core) W3 (Core) Eagle Series Lynx Series Virtual Series E7 / E7 Remote X8 V3, V5, V7, V9 All Series (not V or E7R) are sold with either Standard or Professional license

7 Practical details
Breaks: 10:00-10:15 and 14:00-14:15, or when it best fits in the training
Lunch: 12:00-13:00 CET

8 Lab Setup via VNC Lab Environment LabPC/InControl Clavister ISP/DNS Internet LabNet Student X *VNC Client on one screen *PPT slides on one screen/ projector Group X 1<=X<=6 VMware based server Internet

9 Lab Network: Detailed description Server HTTP, FTP, SimpServ, LabNet /16 ISP / DNS LabPC X X.2 Group X LAN X.0/24 Group X WAN: X.1 LAN: X.1

10 Setting Up VNC Online course: Skip this chapter, was included in the Course Preparation Document Link to next chapter

11 Exercise: Installing VNC Objectives Install the VNC Viewer software Connect to your LabPC What you will know Your Lab Group has a number (1 to 4) which replaces the X in many exercises (in IP numbers etc). How to download and install the VNC Viewer How to connect to the LabPC and work on it via VNC 11

12 Exercise: Installing the VNC client
VNC is a free product for viewing desktops over TCP/IP. The trainer has the VNC viewer on a USB memory stick. Optionally: Download the VNC Enterprise Viewer from the vendor; it supports scaling, which the standard viewer does not. Install the software; it is actually just an .exe file that you start.
Why not RDP? VNC can have multiple viewers of the same desktop and also supports resizing (scaling) and enabling/disabling of input. VNC makes the instructor's work much easier than RDP would.
Remember that Clavister AB will monitor and log all activity on those machines, including, but not limited to, the desktop itself.

13 Onsite ONLY: Setting up your PC The PC's IP settings IP: X X = your group number Mask: GW: none DNS: none Connect the PC to the switch that leads to the VMware Server Start the VNC client.exe file, no installation needed Connect to: X X = your group number Password: Intoro123 Same for VNC and for WinXP This is where you will do all the exercises in this course

14 Online ONLY Use your normal IP settings to reach the Internet Make sure your local firewall(s) allow traffic to TCP/5900 to Clavister Start the VNC client Connect to: edux.demo.clavister.com X = your group number, see invitation Password: Intoro123 Same for VNC and for WinXP This is where you will do all the exercises in this course

15 Configure Internet Access Online course: Skip this chapter, was included in the Course Preparation Document Link to next chapter

16 Exercise: Internet Access
Objectives: Configure cOS Core to do NAT of traffic from LAN to WAN (web browsing). Ping your external interface from the LabPC. Upgrade cOS Core to the latest available version.

17 Exercise: IP Rules
The IP Rule syntax in this course material is as follows:
Name      Action  Source Int  Source Net  Dest Int  Dest Net  Service
NAT_HTTP  NAT     lan         lan_net     wan       all-nets  HTTP
In the WebUI it looks something like this (see the screenshot on the slide).

18 Exercise: Create IP Rules
Open the WebUI. Add these rules in Rules > IP Rule Sets > main and enable Logging on all of them:
Name         Action  Src Int  Src Net   Dest Int  Dest Net  Service       Log
DropNetBIOS  Drop    any      all-nets  any       all-nets  smb-all       LOG
PingWan      Allow   lan      lannet    core      wan_ip    ping-inbound  LOG   (Why Core? See next slide!)
NAT_All      NAT     lan      lannet    wan       all-nets  All_services  LOG
DropAll      Drop    any      all-nets  any       all-nets  All_services  LOG
Save and Activate. Test by browsing to a web page and by pinging X.1 from your LabPC. Watch the System Log; you should see your traffic.

19 Core owns the interfaces' IP addresses
lan_ip = X.1 and wan_ip = X.1 belong to cOS Core itself; lan_net = X.0/24, wan_net = /16.
CLI: routes -all lists all routes, including core routes.
WebUI: Status > Routes, enable "Show all routes".

20 Exercise: Upgrade Loader & Core
Check the current version in the WebUI Status page (cOS Core Version) and confirm it is the required version or higher. Check via the CLI: Device:/> About. If necessary, do an update from the WebUI: Status > Maintenance > Upgrade > Firmware, and browse for the .upg file provided by the trainer (online course: Resources on your Desktop). The .upg file contains Core + Loader + Webui.rc (resource file).

21 Basics of Routing

22 Overview
IP Routing is fundamental functionality in cOS Core: all packets are routed at least once when going through cOS Core. cOS Core supports:
Static Routing
Dynamic Routing
Virtual Routing
Route Load Balancing
Route Monitoring
Fail-over capabilities

23 The Principles of Routing Gateway Router Internet Routing Table Company Routing Table ISP Internet 23

24 Routing basics
The router is a member of both networks. The nodes have the router as default gateway. If they can't find the destination in their local network, they ask the default gateway. (Diagram: a Client on one /24 network, the Router, and a Server on another /24 network.)

25 Packet Flow Schematic 25

26 Packet Flow Schematic Details in a later slide 26

27 Packet Flow Schematic 27

28 The "Apply Rules" box, in more detail 28

29 Static Routing

30 Introduction to Static Routing
Static Routing: entries manually added; time consuming for complex networks; permanent entries; non-changing networks.
Dynamic Routing: complex networks; changing networks; roaming units (ships entering different harbors).

31 A Static Routing Table Route # Interface Destination Gateway 1 lan /24 2 wan /24 3 wan / Gateway Router Internet lannet wannet all-nets 31

32 Route lookup and State awareness
An IP packet is received: consult the Connection table first.
Existing connection found: route the packet. This is more efficient than a routing table lookup and gives high forwarding performance on non-ASIC hardware.
No existing connection found: consult the routing table, consult the IP rules, then add the connection to the Connection table (first as SYN_RCVD, then as SYN_ACK_RCVD, finally as TCP_OPEN; UDP, RAWIP etc. have their own states).
Knowing the Source/Destination before consulting the Rules gives fine-grained control.
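A toy model of the forwarding path described on this slide, written as an added example for this transcription (it is not Clavister's code and does not reproduce cOS Core internals). It keeps a connection table keyed on the 5-tuple, takes the fast path when a packet (in either direction) matches an existing connection, and only on a miss does the routing-table lookup followed by the IP-rule check before inserting the connection. The routing table, rule set, addresses and the "OPEN" state for non-TCP traffic are constructed for the example; the TCP state names follow the slide.

```python
"""Toy model of the state-aware forwarding path described on the slide.
Added example, not Clavister's code: the tables, addresses and state name
for non-TCP traffic are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed routing table: (network, interface, metric). Last entry is all-nets.
ROUTES = [
    ("192.168.1.0/24", "lan", 100),
    ("203.0.113.0/24", "wan", 100),
    ("0.0.0.0/0", "wan", 100),
]

# Constructed, reduced IP rule set: (action, src_iface, dst_iface).
RULES = [
    ("Allow", "lan", "wan"),
    ("Drop", "any", "any"),
]


def route_lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match, ties broken by the lowest metric."""
    dst = ipaddress.ip_address(dst_ip)
    best = None  # (prefixlen, iface, metric)
    for net, iface, metric in routes:
        n = ipaddress.ip_network(net)
        if dst not in n:
            continue
        if best is None or (n.prefixlen, -metric) > (best[0], -best[2]):
            best = (n.prefixlen, iface, metric)
    return best[1] if best else None


def rule_lookup(src_iface, dst_iface, rules=RULES):
    """Top-to-bottom match. The destination interface is already known from
    the route lookup, which is what gives the rules their granularity."""
    for action, s, d in rules:
        if s in ("any", src_iface) and d in ("any", dst_iface):
            return action
    return "Drop"


@dataclass
class Forwarder:
    connections: dict = field(default_factory=dict)  # 5-tuple -> connection
    table_lookups: int = 0  # how often the slow path (routes + rules) ran

    def handle(self, src_iface, src_ip, dst_ip, proto, sport, dport, flags=""):
        """Return (egress interface, connection state) for one packet."""
        key = (proto, src_ip, sport, dst_ip, dport)
        rkey = (proto, dst_ip, dport, src_ip, sport)
        if key in self.connections:          # forward direction, fast path
            conn, out = self.connections[key], self.connections[key]["fwd"]
        elif rkey in self.connections:       # return direction, fast path
            conn, out = self.connections[rkey], self.connections[rkey]["ret"]
        else:                                # slow path: routes, then rules
            self.table_lookups += 1
            out = route_lookup(dst_ip)
            if out is None or rule_lookup(src_iface, out) != "Allow":
                return None, "DROPPED"
            # TCP states follow the slide; "OPEN" for other protocols is a placeholder
            state = "SYN_RCVD" if proto == "tcp" else "OPEN"
            conn = {"fwd": out, "ret": src_iface, "state": state}
            self.connections[key] = conn
            return out, state
        self._advance(conn, flags)
        return out, conn["state"]

    @staticmethod
    def _advance(conn, flags):
        """TCP handshake tracking: SYN_RCVD -> SYN_ACK_RCVD -> TCP_OPEN."""
        if conn["state"] == "SYN_RCVD" and flags == "SA":
            conn["state"] = "SYN_ACK_RCVD"
        elif conn["state"] == "SYN_ACK_RCVD" and flags == "A":
            conn["state"] = "TCP_OPEN"
```

Feeding a SYN, the SYN/ACK reply and the final ACK through `Forwarder.handle` shows one routing-table lookup for the whole handshake, and a reply packet that matches no connection is evaluated against the rules and dropped.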

33 Routing Table, Windows XP Workstation
cOS Core uses a slightly different way of describing routes compared to most other systems. We believe that our way of describing routes is easier to understand, making it less likely for users to cause errors or breaches in security.
The routing table on the slide is from a Microsoft Windows XP workstation (Interface List; Active Routes with the columns Network Destination, Netmask, Gateway, Interface, Metric; Default Gateway; Persistent Routes: None). Most systems do not use the specific interface in the routing table, but specify the IP address of the interface instead.

34 Routing Table, Clavister cOS Core
The routing table on the slide is from a cOS Core system (columns: Flags, Network, Iface, Gateway, Local IP, Metric; a /24 on lan, a /8 on wan, /0 on wan, and a dmz route). It's perfectly legal to specify ranges in the routing table! Hence cOS Core is highly suitable for routing tasks in very complex network topologies. There are Core routes and Multicast routes missing, to be fair.

35 Displaying the Routing Table
How to display the contents of the configured routing table as well as the active routing table.
WebUI: Status > Routes
CLI: Device:> routes
Columns: Flags, Network, Interface, Gateway, Local IP, Metric (a /24 on Lan, a /24 on Wan, /0 on Wan).

36 Displaying Core Routes
This example illustrates how to display the core routes in the active routing table.
CLI: Device:> routes -all
Columns: Flag, Network, Iface, Gw, Local IP, Metric. The output includes the core routes (Shared IP and Iface IP entries), the /24 routes on lan and wan, a /4 core route for multicast, and the /0 route on Wan.

37 Proxy ARP
Using Proxy ARP, cOS Core responds to ARP requests with its own MAC address. The IP-based traffic is then forwarded to the destination host. (Diagram: a host on .X.0/25 asks "Who has X.200?"; cOS Core sends a Proxy ARP reply with its own MAC, "I do!", and forwards to X.200 on .X.128/25.)

38 Exercise: Static Routing, Basic setup Objectives Setup the static routing of the Clavister Security Gateway, including an all-nets route and NATing of traffic to the Internet. What you will know Static routing Default route setup NATing of traffic 38

39 Exercise: Lab Setup
Required equipment: a computer with a web browser installed; a Security Gateway with the default configuration on cOS Core 10.x; knowledge of the layout of the network (the slide "Basic setup for lab"); your group number.

40 Exercise: Lab Network Server HTTP, FTP, SimpServ, LabNet /16 ISP / DNS LabPC X X.2 Group X LAN X.0/24 Group X WAN: X.1 LAN: X.1

41 Exercise: Address book Objects > Address Book IP Name X.1 wan_ip /16 wan_net wan_gw X X.0/24 lan_ip lan_net 41

42 Exercise: Routing Table Network > Routing > Routing Tables > main These routes have been automatically created Interface Network Gateway lan lan_net wan wan_net wan all-nets wan_gw 42

43 Exercise: Rules Policies > Firewalling > Main IP Rules Now add IP Rules for the traffic and test the setup Name Action Src If Src Net Dest If Dest Net Service NAT_All NAT lan lan_net wan all-nets All_services 43

44 Exercise: Test the setup Save and Activate Test by web browsing and pinging hosts on the public Internet You should be able to access the Internet from your lab PC. This exercise is finished 44

45 Exercise: Proxy ARP
Objectives: Set up the proxy ARP example found on the Proxy ARP slide.
What you will know: static routing with Proxy ARP; how to introduce cOS Core in an existing network with no configuration changes to any hosts (Transparent Mode).

46 Exercise: Proxy ARP Scenario Who has X.200? Proxy ARP reply with MAC from cos Core.X.0/25.X.128/ X.5 /24 I do! X X X.200 /24 46

47 Exercise: Configuration
Make a Configuration Backup; we will restore the configuration after this exercise.
Objects > Address book: lan_ip = X.1, lan_net = X.0/25, dmz_ip = X.129, dmz_net = X.128/25
Network > Routing > main, add these routes:
IPv4Route lan lan_net, proxyarp on dmz
IPv4Route dmz dmz_net, proxyarp on lan, local IP = lan_ip
Network > Interfaces > Ethernet: open lan and dmz, go to the tab Advanced and disable the "Automatically add a route" feature.
Alternate solutions (not done now): use VLANs to segment the network; use ranges instead of /25 networks.

48 Exercise: IP Rules
Name         Action  SrcIf  SrcNet   DstIf  DstNet    Service
LanToDmz     Allow   Lan    Lannet   Dmz    Dmznet    All_tcpudpicmp
DmzToLan     Allow   Dmz    Dmznet   Lan    Lannet    All_tcpudpicmp
NAT_Servers  NAT     Dmz    Dmznet   Wan    All-nets  All_tcpudpicmp
For Onsite course only: Interfaces > Interface groups, create an Interface group "Internal" containing Lan and Dmz. System > Remote Management: allow HTTP/HTTPS from Internal, all-nets.

49 Exercise: Testing
Online course: we only have one LabPC, so Ping Simulation can be used to test the setup:
Ping X.200 -srcif lan -srcip X.2 -verbose
Ping X.2 -srcif dmz -srcip X.200 -v
Ping <Internet host> -srcif dmz -srcip X.200 -v
Onsite course: move your LabPC to the DMZ interface. Either do a "Repair" on your LabPC's NIC or delete the ARP table in the DOS prompt with arp -d *. Optionally, make an ARP Notify from cOS Core: arp -notify dmz: x.1. Try reaching the Internet and look in the System Log.
Restore your configuration backup. This exercise is finished.

50 Exercise: Route Failover Objectives Setup two ISPs to the Clavister Security Gateway, including an all-nets route to each, different metrics and Monitoring on the primary route. What you will know Metrics and Monitoring of routes Interface groups NATing of traffic to Interface groups Required IP number, network and GW to the secondary ISP 50

51 Exercise: Route Failover Scenario ISP ISP2 Wan Dmz Lan_net 51

52 Exercise: Address Book Objects > Address Book Edit the following IPv4 Address Objects dmz_ip = X.1 dmz_net = /16 Add the dmz_gw for the secondary ISP: dmz_gw =

53 Exercise: Interfaces
Network > Interfaces. Open the WAN interface; on the Advanced tab, disable "Automatically add a default route..." (we need to add it manually to be able to add Monitoring).
Open the DMZ interface. Set the Default Gateway: dmz_gw. Go to the Advanced tab, Route Metric: 200 (the Wan default route has 100 as metric and this is the backup route). Allow the default route to be automatically created, or disallow it and add the route manually (see next slide).

54 Exercise: Routing Table Network >Routing > Routing Tables > Main Add the Wan default route (and the Dmz default route if not automatically created) Route wan all-nets wan_gw metric 100 Monitor tab Enable Monitoring via Link status and ARP This is what you should have in your routing table: 54

55 Exercise: Interface Groups
Network > Interfaces > Interface Groups. Add an Interface Group, Name: RFO, Add: WAN and DMZ. Do not enable Security/Transport Equivalent: it would delay the failover by approximately 30 seconds, and a new ISP means a new source IP, so we can't reuse the same connection anyway.

56 Exercise: The NAT IP Rule IP Rules Edit your current NAT rule to have the Interface Group (RFO) as Destination Interface Now it will trigger for traffic to both ISP1 and ISP2 Alternative solution: Create one separate IP rule for each ISP. Save & Activate 56

57 Exercise: Testing
Windows: add a public DNS server (the lab DNS will not be available!). Test the route failover functionality by surfing and removing the Wan cable. Online course: ask the trainer to do it in VMware (see next slide or the slide notes here).
The web surfing should still work. The logs should have DMZ as source for the NAT rules. You should find an entry about the failed route.
In the CLI, issue these commands to see more about the routing status:
routes -all
routemon
Network > Routing > Routing Settings: modify options.

58 Exercise: Trigger the RLB
VMware Workstation: Team menu > Settings. Disable the corresponding (nr 2) Adapter/Virtual machine (1=lan, 2=wan, 3=dmz). Click OK to enable. Restore the setting after the RFO exercise is finished.
vSphere Client (ESXi): open the Summary tab on the cOS Core machine, click Edit Settings, select the NIC (2, LabNet) and disable the "Connected" option, click OK. Restore the setting after the RFO exercise is finished.

59 Exercise: Route Load Balancing
Objectives: Set up Route Load Balancing (RLB) on two ISPs. cOS Core supports more ISPs; this is just a basic scenario.

60 Exercise: Scenario ISP Mbps Wan ISP2 25 Mbps Dmz Lan_net 60

61 Exercise: Address Book Objects > Address Book Edit the following IPv4 Address Objects dmz_ip = X.1 dmz_net = /16 Add the dmz_gw for the secondary ISP: dmz_gw =

62 Exercise: Route Load Balancing Network > Routing > Route Load Balancing > Instances Add a Route Balancing Instance Routing Table: Algorithm: Main Round Robin

63 Exercise: Routing
Network > Interfaces > Ethernet. For all the interfaces, do the following: go to the Advanced tab, disable "Automatically add a default route...", Route Metric: 1. "The local routes must have lower metric than the all-nets routes" (source: cOS Core Manual).

64 Exercise: Routing
Network > Routing > Routing Tables > Main. Add the two default routes:
Route wan all-nets wan_gw metric 10
Route dmz all-nets dmz_gw metric 13
The DMZ route is 1/4th as quick, so they must have different metrics; 1/3 means that we should have 10 and 12 as metrics (or 100/102) etc. These values are found by trial and error and analysis of the System Log.

65 Exercise: Interface Groups Network > Interfaces > Interface Groups Add an Interface Group Name: RFO Add: WAN and DMZ Do not enable Security/Transport Equivalent It will not be used here anyway. A connection is not moving between the interfaces. 65

66 Exercise: IP Rules IP Rules Edit your current NAT rule to have the Interface Group (RFO) as Destination Interface Now it will trigger for traffic to both ISP1 and ISP2 Optionally Add a second NAT rule instead, from Dmz to Wan Save & Activate 66

67 Exercise: Testing Open a web page that has a lot of stuff on it For every 4 conn_open sent to ISP1, 1 should be sent to ISP2. RLB can also be combined with Route Monitoring. You can try with different Metric values on the Dmz all-nets route This exercise is finished
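The two exercises above both hinge on which all-nets route wins once a monitor reports a link down (Route Failover) or when several all-nets routes are alive at once (Route Load Balancing). The following is an added example written for this transcription, not Clavister's code: it models a monitored route dropping out of the lookup, failover to the lowest remaining metric, and a Round Robin RLB instance alternating over the usable routes. The `link_up` map stands in for the link-status/ARP monitor, the gateway names are placeholders for the stripped addresses, and cOS Core's metric-based weighting of RLB (the 4:1 ratio the slide describes) is not modelled; this example only alternates.

```python
"""Toy model of route failover and Round Robin route load balancing for the
Route Failover and RLB exercises. Added example, not Clavister's code."""
from dataclasses import dataclass


@dataclass
class Route:
    iface: str
    network: str
    gateway: str
    metric: int
    monitored: bool = False   # "Monitoring via Link status and ARP" on the slide


def usable_defaults(table, link_up):
    """all-nets routes that may be used right now. A monitored route whose
    monitor reports DOWN is skipped; link_up (iface -> bool) is a constructed
    stand-in for the monitor state."""
    return [r for r in table if r.network == "all-nets"
            and (not r.monitored or link_up.get(r.iface, True))]


def failover_pick(table, link_up):
    """Route failover: the usable all-nets route with the lowest metric."""
    cands = usable_defaults(table, link_up)
    return min(cands, key=lambda r: r.metric).iface if cands else None


class RoundRobinRLB:
    """Round Robin over the usable all-nets routes of one routing table.
    Assumption for this example: plain alternation, no metric weighting."""

    def __init__(self, table):
        self.table = table
        self._pos = 0

    def pick(self, link_up):
        cands = sorted(usable_defaults(self.table, link_up), key=lambda r: r.metric)
        if not cands:
            return None
        chosen = cands[self._pos % len(cands)]
        self._pos += 1
        return chosen.iface


# Constructed tables mirroring the exercises; gateway values are placeholders
# because the slides' IP addresses did not survive extraction.
RFO_TABLE = [
    Route("wan", "all-nets", "wan_gw", 100, monitored=True),
    Route("dmz", "all-nets", "dmz_gw", 200),
]
RLB_TABLE = [
    Route("wan", "all-nets", "wan_gw", 10),
    Route("dmz", "all-nets", "dmz_gw", 13),
]


def simulate_failover():
    """Wan cable present, pulled, then plugged back in."""
    link_up = {"wan": True}
    before = failover_pick(RFO_TABLE, link_up)
    link_up["wan"] = False        # trainer removes the Wan cable
    during = failover_pick(RFO_TABLE, link_up)
    link_up["wan"] = True
    after = failover_pick(RFO_TABLE, link_up)
    return before, during, after


def simulate_rlb(n_connections):
    """Egress interface for each new connection under Round Robin RLB."""
    rlb = RoundRobinRLB(RLB_TABLE)
    return [rlb.pick({}) for _ in range(n_connections)]
```

Running `simulate_failover()` gives wan, then dmz while the monitor is down, then wan again; `simulate_rlb(4)` alternates wan/dmz. Combining the two (an RLB instance over `RFO_TABLE` with wan down) sends every connection to dmz, which is the "RLB combined with Route Monitoring" case the slide mentions.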

68 Policy-based Routing

69 PBR Overview
Policy-based Routing (PBR) is an extension of Static Routing. The routes chosen can be based on various parameters: source address, service type. It is connection aware, with control over both the forward and the return direction. Policy-based Routing Rules ("PBR" / "PBR Rules") decide which routing table to route packets in.

70 Routing Decision
Source based routing: the route depends on the source address. One source address range is routed through one ISP, another source address range through another ISP.
Service based routing: the route depends on the protocol. HTTP traffic is routed through one ISP, all other traffic through another ISP.

71 PBR
The Policy-based Routing implementation in cOS Core consists of:
One or more user-defined alternate Routing Tables, in addition to the default Main routing table. Ordering controls the behaviour.
Routing Rules, which determine which routing table to use.
Pre-defined Routing Rules: each interface has a "hidden" Routing Rule, which is placed last in the Routing Rules table:
Route lan all-nets any all-nets <main> <main> all-services
Routing Rules precede these, and can therefore redirect the traffic. See the Virtual Routing chapter for details.

72 Routing Table Ordering
The Ordering parameter of Alternate Routing Tables controls how route lookup is done in conjunction with the Main routing table. If the source interface has Routing Table Membership set, route lookup is done in conjunction with the membership table instead. The total number of routing tables available is limited by the License.

73 Routing Rules
Routing Rules decide which routing table to use based on Source/Destination Interface, Source/Destination Network and Service. Matching is top to bottom in the rule set.

74 Routing Table Membership
Routing Table Membership is consulted only if no matching Routing Rule is found. It decides the primary routing table for an interface: use it if a particular routing table should always be used for traffic from a given source interface, regardless of the Service type. Routing Rules are more fine-grained, as you control the routing based on a Service.
This modifies the hidden PBR Rule (ISP2 is our RTM):
lan all-nets any all-nets <ISP2> <ISP2> all-services
Virtual Systems are created with Routing Table Membership on the interfaces and routing tables with ordering Only. A chapter in this course is dedicated to this functionality.

75 Ordering
The routing table is now chosen, and it is an alternate routing table. The Ordering parameter decides how the alternate table is combined with the main table (or the Routing Table Membership table) when looking up the appropriate route. The three available options, Default, First and Only, are described on the following pages.
Important: the all-nets route must exist in the main table. If no smaller route is an exact match, the connection will be dropped. Routing Table Membership will not function if the default route is missing.

76 Ordering Default
Look up the route in the main table. If only the Default Route matches, consult the Alternate table. If no match is found in the alternate table, use the Default Route in the main table.
Typical scenario: redirect a specific service (http) over a secondary ISP.

77 Ordering First
Look up the route in the Alternate table. Any matching route will be taken, including the Default Route. If no matching route is found, consult the Main table; it must have a default route, so there will be a match.
Typical scenario: redirect a route in the Main table which is not the Default Route.

78 Ordering Only
Look up the route in the Alternate table. No other table is consulted. Policy-based Routing Rules *can* still force a lookup in another routing table.
Typical scenario: Virtual Systems / Virtual Routers, dedicating a single routing table to a set of interfaces.
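The three Ordering options differ only in how one alternate-table lookup is combined with the main (or membership) table, which is easy to get wrong when reading the slides alone. The following is an added example for this transcription, not Clavister's code: a longest-prefix lookup in two tables combined under Default, First and Only exactly as the three slides describe, including the "connection dropped" outcome when nothing matches. The tables and addresses are constructed; `ISP2` mirrors the alternate table built in the next exercise (a single dmz all-nets route), and `ALT_SPECIFIC` is a constructed alternate table that overrides a non-default route.

```python
"""Toy model of the Ordering parameter (Default / First / Only) for alternate
routing tables. Added example, not Clavister's code; tables are constructed."""
import ipaddress


def lpm(table, dst_ip):
    """Longest-prefix match in one table: returns (network, iface) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, iface in table:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best


def lookup(alt, main, ordering, dst_ip):
    """Egress interface for dst_ip, or None when the connection is dropped."""
    if ordering == "Default":
        m = lpm(main, dst_ip)
        if m is None:                 # the all-nets route must exist in main
            return None
        if m[0].prefixlen > 0:        # a route smaller than all-nets matched: main wins
            return m[1]
        a = lpm(alt, dst_ip)          # only the Default Route matched: consult alternate
        return a[1] if a else m[1]    # no alternate match: main's Default Route
    if ordering == "First":
        a = lpm(alt, dst_ip)          # any alternate route wins, even its Default Route
        if a:
            return a[1]
        m = lpm(main, dst_ip)         # otherwise fall back to main
        return m[1] if m else None
    if ordering == "Only":
        a = lpm(alt, dst_ip)          # nothing but the alternate table is consulted
        return a[1] if a else None
    raise ValueError("unknown ordering: " + ordering)


# Constructed main table: local net, a /24 reached via wan, and the all-nets route.
MAIN = [("192.168.1.0/24", "lan"), ("203.0.113.0/24", "wan"), ("0.0.0.0/0", "wan")]
# Alternate table as in the "HTTP via ISP2" exercise: dmz all-nets dmz_gw.
ISP2 = [("0.0.0.0/0", "dmz")]
# Constructed alternate table that tries to override a non-default main route.
ALT_SPECIFIC = [("203.0.113.0/24", "dmz")]
```

With `ISP2` under Default, an Internet destination goes out via dmz while the locally routed /24 still goes via wan; with `ALT_SPECIFIC`, Default cannot override the main table's /24 but First can, and Only drops anything the alternate table does not cover.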

79 Exercise: Ordering Default, HTTP via ISP2
Objectives: Two ISPs. HTTP traffic will go in and out via the secondary ISP (Dmz); all other traffic goes via the primary ISP (Wan). Optional: all incoming traffic on either interface returns on the same interface.
What you will know: how to set up Routing Tables and Routing Rules for Ordering Default. The Main Routing table is consulted first; if the Default route is the only matching route, the alternate Routing Table is consulted.

80 Exercise: Schematic All HTTP traffic goes out/in via ISP2 All other traffic via ISP1 ISP Other traffic Wan ISP2 Dmz http LabPC 81

81 Exercise: Remove the RLB feature To avoid problems, remove the RLB feature from the previous exercise.

82 Exercise: Address Book Objects > Address Book Edit the following IPv4 Address Objects dmz_ip = X.1 dmz_net = /16 Add the dmz_gw for the secondary ISP: dmz_gw =

83 Exercise: Add a Routing Table Network > Routing > Routing Tables Add a new Routing Table Name ISP2 Ordering Default 84

84 Exercise: Routes Network > Routing > Routing Tables > ISP2 Add a Default (all-nets) IPv4 route Interface Network Gateway dmz all-nets dmz_gw This will redirect all traffic that is consulting the ISP2 routing table over the DMZ interface 85

85 Exercise: Remove Auto Created Routes Network > Interfaces > Ethernet > Dmz > Advanced tab Remove the Automatically add a default route... checkmark Only needed if you have specified a Gateway on the General tab

86 Exercise: Routing Rules
Network > Routing > Policy-based Routing Rules. Add a Routing Rule which redirects HTTP traffic to ISP2. The Destination Interface is Wan, not Dmz which might be your first thought, as we must match what we matched in the Main routing table.
The resulting PBRs for "lan":
lan lan_net  wan all-nets <ISP2> <ISP2> http
lan all-nets any all-nets <main> <main> all-services

87 Exercise: Add HTTP NAT IP Rule Policies > Firewalling > Main IP Rules Add a NAT rule for traffic from Lan_net via Dmz to Internet The Routing Rules will automatically re-route the http traffic, but we need an IP Rule for the new destination interface Dmz All other traffic uses your regular NAT IP Rule(s) NAT_HTTP_DMZ NAT lan lan_net dmz all-nets http

88 Exercise: Test your setup Save & Activate In the System Log, look for the destination interface "Dmz" You should see that all http traffic uses the Dmz interface The exercise is finished 89

89 Virtual Routing Virtual Systems

90 Virtual Routing or Virtual Systems
Multiple logically separated systems from a single cOS Core installation, each with its own routing table. Each logical interface is associated with a specific routing table. Many features can be run separately on each system (separate OSPF processes). One administrator uses the WebUI; several administrators require InControl and an API-based portal.
Communication between these systems: SAT-Allow bounce on the ISP; Routing Rules (different routing tables in the Forward and Return directions); Loopback Interfaces (connect the routing tables).

91 Components in Virtual Routing
Separate Routing Tables for each Virtual System.
Routing Table Membership on physical interfaces or Virtual LANs (VLAN).
Loopback interface pairs for communication between virtual systems, with IP Rules for the traffic.
Routing Rules (optional) to redirect traffic even though Routing Table Membership is enabled.
We have two different exercises in this course on this theme.

92 Routing Table Membership
The effect of setting RTM is to add, or rather change, the "hidden" Routing Rules that are last in the Routing Rules table. Each interface is by default a "member of all routing tables": it has a Routing Rule like this, last and hidden in the PBR rule set:
Route lan all-nets any all-nets <main> <main> all-services
All interfaces are Core routed in all routing tables. If you set RTM on an interface to Routing table 2 (RT2), this happens: the hidden Routing Rule is modified to look like this:
Route lan all-nets any all-nets <RT2> <RT2> all-services
Its Core routes are removed from all routing tables except RT2.

93 RTM + Routing Rules
To change the Forward direction of the LAN interface, currently a member of RT2, add a Routing Rule:
Route lan all-nets wan all-nets <main> <RT2> all-services
Wan is the destination interface because of the hidden rule:
wan all-nets any all-nets <main> <main> all-services

94 Exercise: Virtual routers exercise #1 Objectives Make it appear to the customers that they have their own Clavister Security Gateway, from a network perspective. See picture of network setup. What you will know How to use Ordering Only Loopback interfaces 115

95 Exercise: Ordering Only Scenario wan X.1 Main Company1 "Only" X.100 Loopback Company2 "Only" X.200 lan X X.1 dmz X.0/ X.0/24 116

96 Exercise: Scenario Description
We have several customers; we will configure one of them. Each customer has their own Virtual Router and their own external IP address.
Outgoing traffic: 1. enters the loopback interface, via the default route in the VR; 2. is NATed to the Main routing table; 3. is Allowed to the Internet.
Incoming traffic: 1. is targeted to the external IP, Proxy ARPed on the loopback interface; 2. is Allowed through the loopback interface; 3. is SAT/Allowed to the customer's server.

97 Exercise: Address Book It might be a good idea to restore the backup of the initial configuration from the start of the course before continuing. Company 1 Lan_ip Lan_net Company1_server Company1_ip X X.0/ X X.100 Main Wan_ip X.1 Wan_net /16 Wan_gw

98 Exercise: Create Routing Tables Routing > Routing Tables Create one Ordering Only Routing Tables Company1 Company 2 through N would also get their own Routing Table.

99 Exercise: Modify Routing Table Membership Specify routing tables for the interfaces belonging to the Company1 (etc) Network > Interfaces > Ethernet > Lan > Virtual Routing tab Routing table: Company1 For any other Virtual Systems, you do a matching modification to put their interface(s) in their routing table.

100 Exercise: Loopback Interfaces
Network > Interfaces > Loopback Interfaces. Add Loopback Interfaces for the communication between the Routing Tables. The Loop To on the first interface needs to be added when the second has been created.
Name     Loop To  Network  Routing Table Membership
c1_main  main_c1  /24      Company1
main_c1  c1_main  /24      main

101 Exercise: Main Routing Table Edit the Main Routing Table so it only has these routes (for the interfaces involved here) Add: Route main_c1 Company1_ip "Proxy ARP on wan" So ARP queries from Internet will be responded to

102 Exercise: Company1 Routing Table Routing > Routing Tables > Company1 Add the Default route Route c1_main all-nets

103 Exercise: IP Rules (Company 1)
Outgoing and incoming traffic; see next slide for details!
Outgoing:
Company1_to_main      NAT    lan      lan_net      c1_main  all-nets  all_services  SetSource=Company1_ip
Company1_to_Internet  Allow  main_c1  Company1_ip  wan      all-nets  all_services
Incoming (to a web server published on Company1_ip, located on Lan_net):
Internet_to_Company1_ip  Allow  wan      all-nets  main_c1  Company1_ip  http
SAT_Company1_ip          SAT    c1_main  all-nets  c1_main  Company1_ip  http  SetDest=Company1_server
Allow_Company1_ip        Allow  c1_main  all-nets  c1_main  Company1_ip  http

104 Exercise: Outgoing IP Rules 9. Rule explanation, Outgoing traffic Rule 2: Outgoing traffic is NATed with SETSOURCE = Company1_ip Main X.1 Loopback X.100 Company1 "Only" X.1 Company2 "Only" X X.200 Rule 3: Traffic from Loopback arrives in Main and is Allowed to All-nets on WAN X.0/ X.0/24 125

105 Exercise: Incoming IP Rules 10. Rule explanation, Incoming traffic Rule 5: Traffic from Internet enters the public IP and is Allowed to the Loopback interface Main X.1 Rules 6&7 (SAT-Allow): Translate the address from the public IP to the server IP Company1 "Only" X.100 Loopback Company2 "Only" X X X X.0/ X.0/24 126

106 Exercise: Testing
Save & Activate. If you get "error in config" without any reason: set the main_c1 interface Membership to "company1", click OK, then set it back to "main". Now you should be able to deploy.
Use your web browser and look in the System log output. There should be two log lines per outbound connection (NAT + Allow rules).
Web server: install/start the shttpd_137.exe file from the Resources folder on your desktop. Verify your neighbour's server (Group Y) on Y.1; here your Allow + SAT/Allow rules should permit the traffic.
Since cOS Core got IPsec VR, IPsec tunnels can now be terminated in any routing table, and L2TP/IPsec servers can also run in separate VRs.
This exercise is finished.
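The two log lines per outbound connection, and the Allow followed by SAT/Allow for inbound traffic, come from the packet crossing the loopback pair and being evaluated once in each routing table. The following is an added example for this transcription, not Clavister's code and only a simplified model of cOS Core's rule evaluation: it traces a packet through the Company1 exercise above, with lan and c1_main in the Company1 table (Ordering Only), wan and main_c1 in main, the five IP rules from the IP Rules slide, and a loopback pair that re-enters the packet on its peer interface. The addresses are constructed placeholders for Lan_net, Company1_server and Company1_ip, whose X-based values did not survive extraction; lan_net sits in the Company1 table because of lan's Routing Table Membership.

```python
"""Toy trace of the Company1 virtual-router exercise across a loopback pair.
Added example, not Clavister's code; addresses constructed, matching simplified."""
import ipaddress

LAN_NET = "10.10.1.0/24"          # constructed stand-in for Lan_net
COMPANY1_SERVER = "10.10.1.2"     # constructed stand-in for Company1_server
COMPANY1_IP = "203.0.113.100"     # constructed stand-in for Company1_ip (public)

# Routing tables: (network, interface). Company1_ip is routed to main_c1 in main
# ("Proxy ARP on wan" answers the ARP queries from the Internet).
TABLES = {
    "Company1": [(LAN_NET, "lan"), ("0.0.0.0/0", "c1_main")],
    "main": [(COMPANY1_IP + "/32", "main_c1"), ("0.0.0.0/0", "wan")],
}
MEMBERSHIP = {"lan": "Company1", "c1_main": "Company1", "wan": "main", "main_c1": "main"}
LOOPBACK_PEER = {"c1_main": "main_c1", "main_c1": "c1_main"}

# IP rules from the exercise:
# (name, action, src_if, src_net, dst_if, dst_net, service, SetSource/SetDest value)
RULES = [
    ("Company1_to_main", "NAT", "lan", LAN_NET, "c1_main", "all-nets", "all", COMPANY1_IP),
    ("Company1_to_Internet", "Allow", "main_c1", COMPANY1_IP, "wan", "all-nets", "all", None),
    ("Internet_to_Company1_ip", "Allow", "wan", "all-nets", "main_c1", COMPANY1_IP, "http", None),
    ("SAT_Company1_ip", "SAT", "c1_main", "all-nets", "c1_main", COMPANY1_IP, "http", COMPANY1_SERVER),
    ("Allow_Company1_ip", "Allow", "c1_main", "all-nets", "c1_main", COMPANY1_IP, "http", None),
]


def in_net(ip, net):
    return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def route(table, dst):
    """Longest-prefix match in one routing table; returns the egress interface."""
    d, best = ipaddress.ip_address(dst), None
    for net, iface in TABLES[table]:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def first_rule(src_if, src, dst_if, dst, service, actions):
    """First rule (top to bottom) with one of the given actions that matches."""
    for r in RULES:
        _, action, sif, snet, dif, dnet, svc, _ = r
        if (action in actions and sif == src_if and dif == dst_if
                and in_net(src, snet) and in_net(dst, dnet) and svc in ("all", service)):
            return r
    return None


def trace(src_if, src, dst, service):
    """Hops as [(table, rule name(s), egress iface), ...]; a drop ends with ('DROP', table)."""
    hops = []
    for _ in range(4):  # bound the loop in case a loopback pair ping-pongs
        table = MEMBERSHIP[src_if]
        dst_if = route(table, dst)
        sat = first_rule(src_if, src, dst_if, dst, service, ("SAT",))
        rule = first_rule(src_if, src, dst_if, dst, service, ("Allow", "NAT"))
        if dst_if is None or rule is None:
            hops.append(("DROP", table))
            return hops
        if rule[1] == "NAT":
            src = rule[7]                  # SetSource: leaves with the public IP
        if sat:
            dst = sat[7]                   # SetDest: the Allow matched the original address
            dst_if = route(table, dst)     # the translated destination is routed again
        hops.append((table, sat[0] + "+" + rule[0] if sat else rule[0], dst_if))
        if dst_if not in LOOPBACK_PEER:
            return hops
        src_if = LOOPBACK_PEER[dst_if]     # re-enter on the other end of the loopback pair
    return hops
```

An outbound web request from Lan_net shows up as the NAT rule in Company1 and then the Allow rule in main (the two log lines), an inbound HTTP request to the public IP is Allowed in main and then SAT+Allowed to the server in Company1, and a non-HTTP inbound request is dropped in main because no rule matches it.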

107 Exercise: Virtual routers exercise #2 Objectives The customers have "their own" Clavister Security Gateway. See picture of the scenario. What you will know Ordering "Only" 128

108 Exercise: Scenario Scenario Main Company1 "Only" wan X.1 Company2 "Only" VLAN_ X.1 lan dmz X.0/ X.0/24 129

109 Exercise: Scenario Description
Ordering Only. Two ISPs, two completely separated networks in their own routing tables. Main is used by Company1; Company2 has a separate Routing Table. Since all interfaces belonging to Company2 have Routing Table Membership set to the Company2 routing table, there is no need for Routing Rules.

110 Exercise: Address Book Restore your system to the initial configuration before starting with this exercise. Company 1 ISP Wan_ip X.1 Wan_net /16 Wan_gw Company 2 ISP Vlan100_ip X.1 Vlan100_net /16 Vlan100_gw Internal Lan_ip Lan_net Dmz_ip Dmz_net X X.0/ X X.0/24 131

111 Exercise: Routing Table Ordering Only Routing Tables Create a new Ordering Only routing table: Company2 Remove the ISP2 Routing Table from our last exercise Also remove the Routing Rule 132

112 Exercise: Add the VLAN Name Vlan_100 Interface Wan Vlan ID 100 IP Address Vlan100_ip Network Vlan100_net Default GW Vlan100_gw Virtual Routing tab Make the VLAN interface a member of Company2

113 Exercise: Ethernet Interfaces Routing Table Membership Lan and Wan Main Dmz Company2

114 Exercise: Main Routing Table
Enter the following routes for Company 1 in the Main routing table, if they don't already exist. Automatic route generation might have to be disabled on other interfaces.
Type   Interface  Network   Gateway
Route  wan        all-nets  wan_gw
Route  wan        wan_net
Route  lan        lan_net

115 Exercise: Company 2 Routing Table
You need these routes for Company 2. Automatic route generation might have to be disabled on other interfaces.
Type   Interface  Network      Gateway
Route  Vlan100    Vlan100_net
Route  dmz        dmz_net
Route  Vlan100    all-nets     Vlan100_gw

116 Exercise: IP Rules NAT out HTTP, HTTPS and DNS for the companies. Create a Service Group, HTTP_DNS, with HTTP-all and DNS-udp 137

117 Exercise: (Optional!) IP Rules, Servers Inbound SAT rules for servers The external IPs are wan_ip and Vlan100_ip The SAT rules address translate to the internal IP of the Server 138

118 Exercise: Testing Testing the setup Save and Activate Company 1 can be tested immediately Onsite course only: The Remote Management must have an entry for management from DMZ if you want to test from Company 2. Test the setup by connecting your Lab PC to LAN respectively DMZ. You need to change the IP on the LabPC. If you are running a web server (shttpd.exe), it should now be accessible from the Internet on both local networks. 139

119 Exercise: Add Communication Objectives We will add three ways of communication between the companies: SAT-Allow Bounce on the ISP, using the external IP Same local networks possible Routing Rules Different local networks required Loopback interfaces Different local networks required What you will know Methods of routing traffic in VR scenarios 140

120 Exercise: SAT-Allow
We start by setting up SAT-Allow rules for bouncing on the ISP. All traffic utilizes the wan/vlan links to the ISPs.
[Figure: routing table Main (Company1, "Only") with interfaces wan and lan, and routing table Company2 ("Only") with interfaces VLAN and dmz, each with its X-numbered addresses]

121 Exercise: IP Rules Company 1
SAT-Allow IP Rules for inter-company traffic. This should be similar to the rules you created earlier.
Rules for Company 1
  Action  Src If  Src Net   Dest If  Dest Net  Service
  Outgoing traffic from Lan to Internet and Company 2
  NAT     lan     lannet    wan      all-nets  HTTP_DNS
  NAT     lan     lannet    core     all-nets  http
  Incoming traffic to the Server on Lan
  SAT     any     all-nets  core     wan_ip    http      setdest=server_ip
  Allow   any     all-nets  core     wan_ip    http
Server_ip = X.2

122 Exercise: IP Rules Company 2
Rules for Company 2
  Action  Src If  Src Net   Dest If  Dest Net  Service
  Outgoing traffic from Dmz to Internet and Company 1
  NAT     dmz     dmznet    vlan100  all-nets  HTTP_DNS
  NAT     dmz     dmznet    core     all-nets  http
  Incoming traffic to the server on Dmz
  SAT     any     all-nets  core     vlan_ip   http      Setdest=Server_ip
  Allow   any     all-nets  core     vlan_ip   http
Server_ip = X.2 (or X.2 to be fully compliant)
Testing
  Start the Web server (shttpd.exe)
  Use Ping Simulation from C2 to C1:
  Ping X.1 srcif=dmz srcip= x.5 -verbose -tcp -port=80

123 Exercise: Routing Rules
Send the traffic via Routing Rules with different Fwd and Return routing tables
  The traffic does not utilize the ISP link
  Different local networks required (kind of)
[Figure: routing table Main (Company1, "Only") with interfaces wan and lan, and routing table Company2 ("Only") with interfaces VLAN and dmz, each with its X-numbered addresses]

124 Exercise: Routing Rules
Routing Rules for the inter-company traffic
Routing > Routing Rules
  Src If  Src Net  Dest If  Dest Net  Fwd RT      Ret RT
  Lan     lannet   wan      dmznet    <company2>  <main>
  Dmz     dmznet   any      lannet    <main>      <company2>
Since we have different routing tables in the Forward and Return direction, we (may) also need to create an Access rule
Network > Routing > Access
  Accept  Any  Allnets
IP Rules
  Allow  lan  lannet  dmz  dmznet  all_tcpudpicmp
  Allow  dmz  dmznet  any  lannet  all_tcpudpicmp
Testing
  Use Ping Simulation from Company 2 to Company 1:
  Ping X.2 -srcif dmz -srcip X.5 -v -tcp -port=80

125 Exercise: Loopback Interfaces
Send the traffic via Loopback Interfaces between the routing tables
  The traffic does not utilize the ISP link
  Different local networks required (kind of)
[Figure: routing table Main (Company1, "Only") with interfaces wan and lan, and routing table Company2 ("Only") with interfaces VLAN and dmz, each with its X-numbered addresses]

126 Exercise: Loopback Interfaces
Loopback interfaces for the inter-company traffic
Interfaces > Loopback Interfaces
  Name     IP Addr  Net  Loop To  RT Membership
  c2_main           /24  main_c2  <company2>
  main_c            /24  c2_main  <main>
Add the following routes to the existing routes
  Routing > Routes > Company2   c2_main  lannet
  Routing > Routes > Main       main_c2  dmznet

127 Exercise: IP Rules for Loopback Traffic
Rules
  Action  Src If   Src Net  Dest If  Dest Net  Service
  Company 1 to Company 2
  Allow   Lan      lannet   main_c2  dmznet    All
  Allow   c2_main  lannet   dmz      dmznet    All
  Company 2 to Company 1
  Allow   dmz      dmznet   c2_main  lannet    All
  Allow   main_c2  dmznet   lan      lannet    All
(verified!)
Testing
  Use Ping Simulation from C2 to C1:
  Ping X.2 -srcif dmz -srcip X.5 -v -tcp -port=80

128 Dynamic Routing OSPF

129 Routing Metrics
Routing metrics: the criteria a routing algorithm uses to compute the "best" route to a destination.
  Item         Description
  Path length  The sum of the costs associated with each link.
  Hop count    The number of routing devices a packet must pass through
  Bandwidth    The traffic capacity of a path, rated in "Mbps"
  Load         The usage of a router: CPU utilization and throughput
  Delay        The time it takes to move a packet from the source to the destination. Depends on various factors, including bandwidth, load, and the length of the path
  MTU
  Reliability

130 Distance Vector Algorithms
The Distance vector (DV) algorithm
  Decentralized routing algorithm: computes the "best" path in a distributed way
  Each router computes the costs of its own attached links
  Shares the route information only with immediate neighbours
  The router gradually learns the least-cost path by iterative computation and information exchange with its neighbours.
Path determination
  Length of the path: the number of intermediate routers, "hops"

131 Distance Vector Protocols
Routing Information Protocol, RIPv1 and RIPv2
  Utilizes the DV algorithm and sends regular update messages
  Stores routing changes in the routing table.
  Transmits its entire routing table to neighboring routers
  Uses the Split Horizon with Poison Reverse technique to reduce the chance of forming loops, and uses a maximum number of hops to counter the count-to-infinity problem.
    Split Horizon: prohibiting a router from advertising a route back onto the interface from which it was learned.
    Poison Reverse: a router sends updates with unreachable hop counts back to the sender for every route received, to help prevent routing loops.
Interior Gateway Routing Protocol, IGRP
  Invented by Cisco to overcome RIP limitations
  Routers exchange routing data within an autonomous system
  Multiple metrics for each route, including bandwidth, delay, load, MTU, and reliability
  To compare two routes these metrics are combined into a single metric, using a formula which can be adjusted through the use of pre-set constants.
  A classful routing protocol: no subnet mask field, all addresses are assumed to have the same subnet mask
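The two slides above describe the DV algorithm, split horizon with poison reverse and the count-to-infinity problem in words. The following simulation is an added example written for this page (not Clavister code and not a RIP implementation): a three-router chain A-B-C converges on hop counts, then the A-B link fails, and the same failure is replayed with and without poison reverse. The router names, the synchronous "all routers update at once" model and the RIP value 16 for infinity are assumptions of the example.

```python
"""Distance vector (RIP-style) simulation, constructed for this page:
hop-count metric, synchronous Bellman-Ford rounds, split horizon with
poison reverse, and the count-to-infinity problem after a link failure."""

INFINITY = 16  # RIP convention: 16 hops means unreachable


def build_topology(links):
    """links: (a, b) neighbour pairs -> {router: set of neighbours}."""
    nbrs = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    return nbrs


def local_table(router, nbrs):
    """What a router knows with no updates: itself (0) and attached links (1)."""
    table = {router: (0, None)}  # destination -> (cost, next hop)
    for n in nbrs[router]:
        table[n] = (1, n)
    return table


def initial_tables(nbrs):
    return {r: local_table(r, nbrs) for r in nbrs}


def advertise(table, to_neighbour, poison_reverse):
    """The update one router sends to one neighbour. With poison reverse,
    routes learned through that neighbour are sent back as unreachable."""
    adv = {}
    for dest, (cost, next_hop) in table.items():
        adv[dest] = INFINITY if poison_reverse and next_hop == to_neighbour else cost
    return adv


def run_dv(nbrs, tables, poison_reverse, max_rounds=100):
    """Synchronous rounds until no table changes (or max_rounds).
    Returns (tables, rounds used, highest finite cost seen in any table)."""
    peak = 0
    for rnd in range(1, max_rounds + 1):
        inbox = {r: [] for r in nbrs}
        for r in sorted(nbrs):  # every router sends last round's table
            for n in sorted(nbrs[r]):
                inbox[n].append((r, advertise(tables[r], n, poison_reverse)))
        new_tables = {}
        for r in nbrs:
            t = local_table(r, nbrs)
            for via, adv in inbox[r]:
                for dest, c in adv.items():
                    cand = min(c + 1, INFINITY)  # Bellman-Ford relaxation
                    t.setdefault(dest, (INFINITY, None))
                    if cand < t[dest][0]:
                        t[dest] = (cand, via)
            new_tables[r] = t
            peak = max([peak] + [c for c, _ in t.values() if c < INFINITY])
        converged = new_tables == tables
        tables = new_tables
        if converged:
            return tables, rnd, peak
    return tables, max_rounds, peak


def fail_link(nbrs, tables, a, b):
    """Take link a-b down and withdraw every route that used it as next hop."""
    nbrs[a].discard(b)
    nbrs[b].discard(a)
    for router, via in ((a, b), (b, a)):
        for dest, (cost, nh) in list(tables[router].items()):
            if nh == via:
                tables[router][dest] = (INFINITY, None)


def failure_scenario(poison_reverse):
    """Chain A-B-C converges, then A-B fails. Returns (rounds, peak cost)."""
    nbrs = build_topology([("A", "B"), ("B", "C")])
    tables, _, _ = run_dv(nbrs, initial_tables(nbrs), poison_reverse)
    fail_link(nbrs, tables, "A", "B")
    _, rounds, peak = run_dv(nbrs, tables, poison_reverse)
    return rounds, peak


if __name__ == "__main__":
    for pr in (False, True):
        print("poison reverse", pr, "-> rounds, peak cost:", failure_scenario(pr))
```

Without poison reverse, B and C keep handing the dead route to A back and forth, the hop count climbs by one each round and only the 16-hop limit stops it (15 rounds, peak cost 15); with poison reverse C reports A as unreachable to B in the very first update and the network settles in two rounds.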

132 Path Vector Algorithms
A path vector protocol maintains the path information that gets updated dynamically.
  Updates which have looped through the network and returned to the same node are easily detected and discarded.
  This algorithm is sometimes used in Bellman-Ford routing algorithms to avoid "Count to Infinity" problems.
  It is different from distance vector routing and link state routing.
  Each entry in the routing table contains the destination network, the next router and the path to reach the destination.
Path vector protocols are a class of Distance Vector protocols, in contrast to Link State protocols.

133 Path Vector Protocols
Border Gateway Protocol, BGP
  Not a pure DV protocol, but sometimes counts as one (is a PV protocol)
    A distance-vector protocol calculates routes based only on link costs
    For BGP, the local route preference value takes priority over the link cost.
  The core routing protocol of the Internet
BGP State machine:

134 Link State Algorithms
Link State (LS) algorithms
  Routers keep routing tables with the topology of the entire network.
  Each router broadcasts its attached links and link costs to all other routers in the network.
  When a router receives these broadcasts it runs the LS algorithm and calculates its own set of least-cost paths.
  Any change of the link state will be sent everywhere in the network, so that all routers keep the same routing table information.

135 Link State protocols
Open Shortest Path First, OSPF
  Interior Gateway Protocol
Intermediate System to Intermediate System, IS-IS "i-sys"
  Interior Gateway Protocol
  It operates by reliably flooding topology information throughout a network of routers.
  Each router then independently builds a picture of the network's topology.
  Packets or datagrams are forwarded based on the best topological path through the network to the destination.
  IS-IS uses Dijkstra's algorithm for computing the best path through the network.

136 The OSPF Protocol
Open Shortest Path First (OSPF)
  LS algorithm. An OSPF router
    Identifies the routers and subnets that are directly connected to it
    Broadcasts the information to all the other routers.
  Broadcast updates inform of changes and not the entire routing table.
    Link-state advertisements (LSAs)
  Each router builds a table of what the whole network looks like.
    Each router can identify the subnetworks and routers that lead to any destination.
  OSPF metrics for path determination
    Hops, bandwidth, load and delay.
    Control over the routing process, since the parameters can be finely tuned.

137 OSPF
Open Shortest Path First (OSPF)
  Based upon RFC 2328, with compatibility to RFC
  OSPF routes IP packets based only on the destination IP address
    No encapsulation as they transit the Autonomous System (AS).
  OSPF quickly detects topological changes in the AS
    Calculates new loop-free routes after a period of time.
  Each router constructs a tree of shortest paths to each destination in the AS, with itself as root
Authentication
  OSPF protocol exchanges can be authenticated.
    Only routers with correct authentication can join the Autonomous System
  None, passphrase or MD5 digest
  Separate authentication methods for each Autonomous System
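The LS slides above say that every router floods its links, ends up with the same database and then runs Dijkstra with itself as root. The code below is an added example for this page, not Clavister code: it builds a link-state database from a constructed four-router topology, derives each link cost with the common OSPF convention cost = reference bandwidth / link bandwidth (the Ref. BW value that the OSPF Router Process in the later exercise asks for; the convention is an assumption of the example, RFC 2328 leaves the cost assignment to the administrator), and computes the shortest-path tree and resulting routing table for one router. Router names and bandwidths are constructed.

```python
"""Link-state SPF, constructed for this page: build a link-state database
from advertised links, derive OSPF-style interface costs from a reference
bandwidth, and run Dijkstra from one router to get its routing table."""
import heapq


def ospf_cost(bandwidth_mbps, reference_mbps=100):
    """Common OSPF convention: cost = reference bandwidth / link bandwidth,
    rounded down, never below 1. Links faster than the reference all get 1."""
    return max(1, reference_mbps // bandwidth_mbps)


def build_lsdb(links, reference_mbps=100):
    """links: (router_a, router_b, bandwidth_mbps) for each point-to-point
    adjacency. Every router floods its links, so all routers end up with
    this same database: {router: {neighbour: cost}}."""
    lsdb = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, reference_mbps)
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def spf(lsdb, root):
    """Dijkstra shortest-path tree rooted at `root`.
    Returns {destination: (total_cost, next_hop)}; the root maps to (0, None)."""
    best = {root: 0}
    result = {}
    heap = [(0, root, None)]  # (cost so far, router, first hop from root)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in result:
            continue  # already settled with a lower or equal cost
        result[node] = (cost, first_hop)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr]:
                best[nbr] = new_cost
                # the first hop is the neighbour itself when we stand at the root
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else first_hop))
    return result


def routing_table(lsdb, root):
    """Rows (destination, cost, next_hop) for every reachable destination."""
    return sorted((d, c, nh) for d, (c, nh) in spf(lsdb, root).items() if d != root)


# Constructed topology: R1-R3 is a gigabit link, R2-R3 a slow 10 Mbit link.
LINKS = [("R1", "R2", 100), ("R2", "R3", 10), ("R1", "R3", 1000), ("R3", "R4", 100)]

if __name__ == "__main__":
    for ref in (100, 1000):
        print("reference bandwidth", ref, "Mbps:", routing_table(build_lsdb(LINKS, ref), "R1"))
```

With the default reference of 100 Mbps the gigabit R1-R3 link and the 100 Mbps R1-R2 link both cost 1, so the metric cannot tell them apart; raising the reference to 1000 Mbps makes R1 prefer the gigabit path for everything behind R3. Running spf() from any other router against the same database gives consistent costs in both directions, which is what lets each router compute independently without loops.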

138 OSPF Areas
OSPF Areas
  OSPF allows sets of networks to be grouped together into an area
  The topology of an area is hidden from the rest of the AS
    Reduces the amount of routing traffic
    The area is protected from bad routing data
  An area is a generalization of an IP subnetted network

139 OSPF Area Terms
Areas
  An area consists of networks and hosts within an AS that have been grouped together.
Internal Routers
  All interfaces on internal routers are directly connected to networks within the area.
  The topology of an area is hidden from the rest of the AS.
ABR, Area Border Router
  Routers that have interfaces in more than one area
  A separate topological database for each area

140 OSPF Area Terms
ASBR, Autonomous System Boundary Router
  Exchanges routing information with routers in other Autonomous Systems
  Advertises externally learned routes
Backbone Areas
  All OSPF networks have at least the backbone area, ID 0
  All other areas should be connected to this
  Distributes routing information between the connected areas
  Areas not directly connected to the backbone need a virtual link to it
Virtual links
  Linking an area without direct connection to the backbone
  Linking the backbone in case of a partitioned backbone

141 OSPF Area Terms
Stub Areas
  AS external advertisements are not flooded to these areas
  The router will advertise a default route so routers in the stub area can reach destinations outside the area.
Transit Areas
  Transit areas are used to pass traffic from an area that is not directly connected to the backbone area.

142 OSPF DR / BDR
Designated Router / Backup Designated Router
  Each OSPF broadcast network has a DR and a BDR
  The OSPF hello protocol helps elect the DR and BDR based on the priorities advertised by all routers
  If there already is a DR on the network, the new router will accept that, regardless of its own router priority

143 OSPF Neighbours
Neighbours
  Routers in the same area become neighbors.
  Neighbors are elected via the Hello protocol.
  Hello packets are sent periodically out of each interface using IP multicast.
  Routers become neighbors as soon as they see themselves listed in the neighbor's Hello packet.
  Two-way communication is guaranteed.
Neighbour States
  Down: this is the initial state of the neighbor relationship.
  Init: when a HELLO packet is received from a neighbor, but does NOT include the Router ID of the gateway in it, the neighbor will be placed in Init state. When the neighbor receives a HELLO packet it will know the sending router's Router ID and will send a HELLO packet with that included. The state of the neighbors will change to 2-Way state.

144 OSPF Neighbour States
  2-Way: communication between the router and the neighbor is bi-directional. On Point-to-Point and Point-to-Multipoint interfaces, the state will be changed to Full. On Broadcast interfaces, only the DR/BDR will advance to Full state with their neighbors; all the remaining neighbors will remain in the 2-Way state.
  ExStart: preparing to build adjacency.
  Exchange: routers are exchanging Data Descriptors.
  Loading: routers are exchanging LSAs.
  Full: this is the normal state of an adjacency between a router and the DR/BDR.

145 OSPF Aggregation
OSPF Aggregation
  Combines groups of routes with common addresses into a single entry in the routing table
  Minimizes the routing table

146 Virtual Links
Virtual links
  Linking an area that does not have a direct connection to the backbone.
    The backbone must be the center of all areas
    A logical path to the backbone area
    Established between two ABRs that are on one common area, with one of the ABRs connected to the backbone area.
  Linking the backbone in case of a partitioned backbone.

147 OSPF High Availability Support
Limitations in High Availability support for OSPF
  The nodes in an HA cluster run separate OSPF processes
  The inactive node will make sure it is not the preferred choice for routing
    They will not form adjacency with each other
    They are not allowed to become DR/BDR on broadcast networks. This is done by forcing the router priority to 0
Broadcast Interface
  HA must have a broadcast interface with at least ONE neighbour for ALL areas it is attached to.
    The inactive part of the cluster needs a neighbour to get the link state database from.
  It is not possible to put an HA cluster on the same broadcast network without any other neighbours
    They won't form adjacency with each other because of the router priority 0
    It may be possible to set up a point-to-point link between them instead.
      3 separate links: one to the shared, one to the master and one to the slave router ID

148 Dynamic Routing Rules
Dynamic Routing Rules
  Routers need to regulate how they participate in the routing exchange
    Not accept or trust all received routing information
    Avoid that parts of the routing database get published to other routers
  Regulates the flow of dynamic routing information
    Filters either statically configured or OSPF learned routes
    Origin of the routes, destination, metric and so on.
  Matched routes are controlled by actions:
    Exported to OSPF processes
    Added to one or more routing tables

149 Dynamic Routing Rule Usage
Common usage
  Importing OSPF routes from an OSPF process into a routing table.
  Exporting routes from a routing table to an OSPF process.
  Exporting routes from one OSPF process to another.
By default, cos Core will not import or export any routes. It is mandatory to define at least one Dynamic Routing Policy rule.

150 Exercise: OSPF Import Routes
Objectives
  Use OSPF to import the other groups' internal networks with their public IP as gateway. See picture of network setup.
What you will know
  How to use OSPF

151 Exercise: Scenario
Scenario
  The local routes are imported from the peer group (Y)
[Figure: Shared LAN /16; Group X (WAN: X.1, LAN: X.1); Group Y (WAN: Y.1, LAN: Y.1)]

152 Exercise: New Router Process
Network > Routing > OSPF
  Add an OSPF Router Process
  Name: Group_X
  Ref. BW: 100 Mbps
  Enable Logging

153 Exercise: OSPF Area
Open the Router Process
  Add a New OSPF Area, Name: area0
  Area ID: Sometimes you must enter , Save & Activate, then change it back to

154 Exercise: OSPF Interfaces
Open the OSPF Area
  Add two OSPF Interfaces
    wan, wan_net
    lan, lan_net

155 Exercise: Dynamic Routing Rules
Network > Routing > Routing Rules
  Add a Dynamic Routing Rule
  Name: OSPF_Import
  From OSPF As: Group_X
  Dest net is within: All-nets
  Enable Logging

156 Exercise: Routing Actions
Define where to import routes by creating a New Routing Action
  Import to the Main routing table

157 Exercise: Test the OSPF scenario
  Save & Activate
  Deploy the configuration in both peer groups, then look at the routes
    CLI: with the routes command
    WebUI: Status > Routes, "Show all routes" enabled
  You should get the local networks of all peer groups imported to your main routing table
  To communicate with them, IP Rules are needed
Device:> routes
Flags  Network  Iface  Gateway  Local IP  Metric
       /24      lan
       /16      wan                        0
O      /24      wan
O      /24      wan
       /0       wan
O means imported by OSPF

158 Exercise: CLI, OSPF command
Open the CLI, look at the OSPF configuration:
  OSPF Group_X
Old screen shot:

159 Multicast Routing

160 Multicast Routing Overview
Conferencing and audio/video broadcasts require a single computer to send the same packet to multiple receivers.
Unicast
  The sender duplicates the packet with different receiving IP addresses
  Does not scale well to large numbers of receivers
Broadcast
  Broadcast of the packet across the internet/network
  All nodes in the network receive the packets, wasting resources on nodes not interested in the packets.
  Broadcasts will be filtered out, not reaching some listeners

161 Multicast Routing Overview
Multicast Routing
  The network routers replicate and forward packets via the optimum route to all members of a multicast group.
  The IETF standards that enable Multicast Routing are:
    Class D of the IP address space, which is reserved for multicast traffic. Each multicast IP address represents an arbitrary group of recipients. /4
    Internet Group Membership Protocol (IGMP): receivers tell the network that they are members of a particular multicast group
    Protocol Independent Multicast (PIM) is a group of routing protocols for deciding the optimal path for multicast packets. PIM routers duplicate and forward packets to all members. PIM uses the routing information from existing protocols, such as OSPF, to decide the optimal path (distribution tree).
Problems
  Nodes not compatible with or filtering out Multicast will stop the flow of packets to downstream nodes.

162 Reverse Path Forwarding
Reverse Path Forwarding
  For unicast traffic, a router is concerned only with a packet's destination
  With multicast, the router is also concerned with a packet's source
    It forwards the packet on paths which are known to be downstream, away from the packet's source.
    Prevents loops in the distribution tree.
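To make the RPF idea above concrete, here is an added example for this page (constructed, not Clavister code): a longest-prefix-match lookup over a small unicast routing table, an RPF check that accepts a multicast packet only if it arrived on the interface that leads back to its source, and a forwarding step that replicates onto the downstream interfaces but never back upstream. The route entries and interface names are constructed.

```python
"""Reverse Path Forwarding check, constructed for this page: a multicast
packet is accepted only if it arrives on the interface that the unicast
routing table would use to reach the packet's source."""
import ipaddress

# Constructed unicast routing table: (network, interface, gateway)
ROUTES = [
    ("192.168.10.0/24", "lan", None),
    ("10.0.0.0/8", "dmz", None),
    ("0.0.0.0/0", "wan", "203.0.113.1"),
]


def lookup(routes, ip):
    """Longest-prefix match; returns (network, interface, gateway) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface, gw in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, gw)
    return best


def rpf_check(routes, src_ip, in_iface):
    """True when the packet came in on the interface leading back to its source."""
    route = lookup(routes, src_ip)
    return route is not None and route[1] == in_iface


def forward_multicast(routes, src_ip, group, in_iface, out_ifaces):
    """Replicate onto the downstream interfaces, never back upstream.
    Returns the interfaces the packet is forwarded on ([] means dropped)."""
    if not ipaddress.ip_address(group).is_multicast:
        return []  # not a multicast destination at all
    if not rpf_check(routes, src_ip, in_iface):
        return []  # RPF failure: a looped copy or a spoofed source
    return [o for o in out_ifaces if o != in_iface]


if __name__ == "__main__":
    print(forward_multicast(ROUTES, "203.0.113.50", "239.1.1.1", "wan", ["wan", "lan", "dmz"]))
```

The same check is what unicast RPF does for spoofing: a packet claiming a source on the Internet but arriving on lan fails the lookup and is dropped rather than replicated to every other interface.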

163 IGMP
IGMP messages are IP packets with IP Protocol number 2.
IGMP Reports
  Hosts send reports towards routers to subscribe to or change multicast groups
IGMP Queries
  Routers send queries to clients to see if they still want the multicast stream, thereby refreshing the group membership state for all systems on its network

164 IGMP
IGMP Queries
  Group-Specific Queries
    Determining the reception state for a particular multicast address
  Group-and-Source-Specific Queries
    State for reception of messages sent to a multicast group from a specific source address
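The two IGMP slides above name the message kinds; the following builder and parser is an added example for this page (not Clavister code) that shows the actual wire format behind them: the 8-byte IGMPv2 layout from RFC 2236, the IGMPv3 query trailer from RFC 3376 that carries the source list for a group-and-source-specific query, and the RFC 1071 checksum that a snooping or proxying device should verify before it lets a report change any membership state. The sample groups and source address are constructed; IGMPv3 membership reports are recognised by type only, their group records are not decoded here.

```python
"""IGMP message builder/parser, constructed for this page (RFC 2236 v2
format, plus the IGMPv3 query layout from RFC 3376 so that general,
group-specific and group-and-source-specific queries can be told apart).
The checksum is verified before any field is trusted."""
import ipaddress
import struct

IGMP_PROTO = 2  # IP protocol number carried in the IP header
QUERY, V1_REPORT, V2_REPORT, LEAVE, V3_REPORT = 0x11, 0x12, 0x16, 0x17, 0x22


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over the whole message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type, max_resp, group, sources=()):
    """Build a v2 message, or a v3 query when a source list is given."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    if sources:  # v3 query trailer: Resv/S/QRV, QQIC, number of sources, sources
        body += struct.pack("!BBH", 0x02, 125, len(sources))
        body += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(data):
    """Describe a message as a dict; raise ValueError if it is malformed."""
    if len(data) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    msg_type, max_resp, csum, grp = struct.unpack("!BBH4s", data[:8])
    # v3 reports carry group records instead of a single group address
    group = None if msg_type == V3_REPORT else ipaddress.IPv4Address(grp)
    sources = []
    if msg_type == QUERY and len(data) >= 12:
        nsrc = struct.unpack("!H", data[10:12])[0]
        if len(data) < 12 + 4 * nsrc:
            raise ValueError("IGMPv3 query truncated: fewer sources than announced")
        sources = [str(ipaddress.IPv4Address(data[12 + 4 * i:16 + 4 * i])) for i in range(nsrc)]
    if msg_type == QUERY:
        if int(group) == 0:
            kind = "general query"
        elif sources:
            kind = "group-and-source-specific query"
        else:
            kind = "group-specific query"
    else:
        kind = {V1_REPORT: "membership report", V2_REPORT: "membership report",
                LEAVE: "leave group", V3_REPORT: "v3 membership report"}.get(msg_type, "unknown")
    return {
        "type": msg_type,
        "kind": kind,
        "max_resp": max_resp,
        "group": None if group is None else str(group),
        "sources": sources,
        "checksum": csum,
        "checksum_ok": inet_checksum(data) == 0,
        # a report or leave must name a real multicast group; only a general query uses 0.0.0.0
        "group_ok": group is not None and (group.is_multicast or (msg_type == QUERY and int(group) == 0)),
    }


def accept_report(data):
    """Snooping decision: only a well-formed report or leave for a valid
    multicast group may change group membership state."""
    try:
        msg = parse_igmp(data)
    except ValueError:
        return False
    return msg["checksum_ok"] and msg["group_ok"] and msg["type"] in (V1_REPORT, V2_REPORT, LEAVE)
```

A general query is the 8 bytes 11 64 ee 9b 00 00 00 00 (type, max response time, checksum, group 0.0.0.0); a report for 239.1.1.1 differs only in type and group and gets its own checksum. Flipping any byte makes the verification fail, and a "report" for a unicast address is rejected even though its checksum is fine.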

165 IGMP Snoop and Proxy Mode
Snoop mode
  Transparent forwarding of queries and reports
Proxy mode
  Act as an IGMP router
    Send queries to clients
    Subscribe to multicast groups on behalf of its clients

166 Multicast in cos Core
Multicast components
  Routing
    By default multicast packets are routed to the Core interface /4
  SAT Multiplex IP Rules
    Forwards the packets to one or more interfaces.
    IGMP can be required to only send to interfaces with listeners, or without it to send to all specified interfaces all the time.
    An IP Rule with Allow or NAT is also needed. It must be stateful forwarding.
  IGMP Rules
    Filters and controls IGMP traffic.
Note
  Address translation can be performed
  Ethernet interfaces must have multicast handling set to On or Auto.

167 SAT Multiplex Rules
SAT Multiplex rule
  Achieves duplication and forwarding of multicast packets through more than one interface.
  This rule overrides the normal routing tables, so packets that should be duplicated by the multiplex rule are routed to the core interface for processing
    /4 is by default core routed
  Each specified output interface can be configured with static address translation of the destination address.
  The Interface field in the Interface/Net dialog of the Multiplex SAT rule can be left empty if the IP Address field is set
    The output interface will be determined by a route lookup on the specified IP address

168 SAT Multiplex Rules
The multiplex rule can operate in one of two modes:
  Use IGMP
    The traffic flow specified by the multiplex rule must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces. This is the default behaviour of cos Core.
  Not using IGMP
    The traffic flow will be forwarded according to the specified interfaces directly, without any involvement of IGMP.
An Allow or NAT rule has to be specified together with the Multiplex rule.
  Fwdfast will not work, as a lot of extra operations would be needed on each packet instead of now and then. The state engine takes care of it much better.

169 Exercise based on "Forwarding of Multicast Traffic using the SAT Multiplex Rule" and "IGMP - No Address Translation" in cos Core Admin Guide, chapter Multicast Routing

170 Exercise: Multicast without NAT
Objectives
  Use IGMP to do forwarding of Multicast Traffic using the SAT Multiplex Rule
What you will know
  How to forward Multicast Traffic
  How to handle IGMP reports and queries
  Use SAP Announce to advertise the stream
What you need
  VLC Player (
  Increase the TTL of VLC streams to 5+

170 Exercise: Scenario
  Multicast sender is , generating a multicast stream over UDP /24:1234.
  Forward from Wan to Lan and optionally to other internal interfaces
  The streams should only be forwarded if a host has requested them using the IGMP protocol.
[Figure: Upstream Multicast Router on wan, internal network X.0/24 on lan]

171 Exercise: What to do
  A UDP service for port 1234
  A Multiplex IP Rule to forward the multicast groups /24:1234 to the interfaces lan and other internal interfaces
    All groups have the same sender, , which is located somewhere upstream of the wan interface.
  IP Rules for IGMP and SAP announcements
  IGMP Rules for each internal interface, with Wan as upstream interface
  Require IGMP to forward to an interface

172 Exercise: Services
Create a Custom UDP service
  Name: UDP_1234
  Type: UDP
  Source:
  Destination: 1234

173 Exercise: Multiplex IP Rule
Create a Multiplex SAT Rule
  Name: Multiplex
  Action: Multiplex SAT
  Service: UDP_1234
  Source if: wan
  Source net:
  Dest: core
  Dest net: /24
Open the Multiplex SAT tab

174 Exercise: Multiplex SAT Tab
On the Multiplex SAT tab
  Add the destination interface Lan
  Optionally: dmz, and other internal interfaces
  Make sure "use IGMP" is enabled

175 Exercise: IP Rules
Add more IP rules (1, 3, 4 below), and sort them as follows
  #  Name               Action         Src If  Src Net   Dest If  Dest Net  Service       Multiplex
  1  IGMP_Core          Allow          any     all-nets  core     all-nets  IGMP
  2  Multiplex          Multiplex_SAT  wan               core     /24       UDP_1234      lan
  3  Multicast          Allow          wan               core     /24       UDP_1234
  4  SAP_Announcements  Allow          any     all-nets  core     /16       All_services

176 Exercise: IGMP Rules
Add Snoop rules for each of the internal interfaces (or make an interface group!)
Network > Routing > IGMP Rules
  Name: IGMP_<iface>
  Type: Report
  Action: Snoop
  Relay interface: Wan
  Source If: lan
  Source net: lan_net
  Dest: core
  Multicast src: /4
  Multicast Group: all-nets

177 Exercise: Save & Activate
Save & Activate
Now, let's set up VLC
  Server (classroom computer) that sends the stream
  Client (you) opening the stream
Install the latest version of VLC
  Resources folder... or

178 Exercise: VLC Server
VLC settings on the Server side
  Open the file and create the multicast stream from To UDP/1234
  VLC > Media > Advanced Open File
    Add the file (Firewall.mpg from Resources)
    Click Play > Stream (Alt+S)
    Next
    New Destination: UDP (legacy), Add
    Activate Transcoding: Video Mpeg-2 + MPGA(TS)
    Next
    TTL = 5 (or more) (you will need to set this in the Advanced Preferences)
    Stream
  Press the Play icon for each time

179 Exercise: VLC Client
VLC settings on the Client side
  Open the multicast stream (Ctrl-N)
    udp:// :1234
  The film should play now
  Check the System Log
    If TTL=1 on receiving, the outgoing packet would have TTL=0, which means it will (silently!) be dropped by the Clavister.
  Ask that the film is restarted if it has stopped
This exercise is finished

180 Transparent Mode

181 Transparent Mode
There are two methods to create transparency
Switch Route
  Relays the ARP query
  Keeps track of who is on which interface (CAM table)
  No HA support: CAM table not synchronized
  No loop avoidance
  Clients can roam between interfaces, keeping the same IP; the CAM table is updated when they do an ARP query
    If there is incoming traffic before the ARP query arrives, it will be sent to the wrong interface and be retransmitted after timeout.
  Hybrid mode: when using regular routing together with Switch Routes.
Proxy ARP
  Proxy ARP responds with the GW's MAC address.
  HA support
  No roaming when keeping the same IP

182 Switch Route
Switch Route
  ARP transactions pass through cos Core, which learns relationships between IP addresses, physical addresses and interfaces.
  Endpoints are not aware of cos Core.
[Figure: ARP Query for X.2 arrives on one switch-routed interface, the CAM table is updated and the ARP Query is forwarded on the other switch-routed interfaces]

183 Switch Route
Learning from the ARP traffic
  cos Core learns the source address information for both ends from the ARP traffic
  Two tables to store this information:
    Content Addressable Memory (CAM): tracks the MAC addresses available on a given interface.
    The Layer 3 Cache: maps an IP address to MAC address and interface. Only used for IP traffic. Single host entries in the routing table.
[Figure: CAM table (MAC & Interface) and Routing Table (Single host Routes)]

184 Listing IP Interface - MAC
routes -switched -verbose (cleaned up output!)
Device:/> routes -switched -verbose
Flags  Network  Iface  MAC
D               ge6    0  Originator: Layer 3 Cache  MAC:
D               ge1    0  Originator: Layer 3 Cache  MAC: b d
D               ge4    0  Originator: Layer 3 Cache  MAC: e a
D               ge4    0  Originator: Layer 3 Cache  MAC: d
D               ge4    0  Originator: Layer 3 Cache  MAC: bc-6c-1e-af
D               ge1    0  Originator: Layer 3 Cache  MAC: d-e7-ca-e1
D               ge4    0  Originator: Layer 3 Cache  MAC: c9-8f
D               ge1    0  Originator: Layer 3 Cache  MAC: a-fe-af-14
D               ge1    0  Originator: Layer 3 Cache  MAC: 84-c9-b2-63-f1-29

185 Switch Route
ARP Transactions
  Each IP packet passing cos Core triggers a route lookup for the destination.
  L3 Cache / Switch Route: handle packet in a transparent manner
    If the route matches a Layer 3 Cache entry: destination interface and MAC address are available, forward the packet to the destination.
    If the route is a Switch Route: no specific information about the destination is available, discover where the destination is located in the network!
[Figure: CAM table (MAC & Interface) and Routing Table (Single host Routes)]

186 Switch Route
Destination Discovery
  cos Core sends out ARP and ICMP (ping) requests
    Acting as the initiating sender of the original IP packet
    On the interfaces specified in the Switch Route
  If an ARP reply is received
    Update the CAM table and Layer 3 Cache
    Forward the packet to the destination
[Figure: CAM table (MAC & Interface) and Routing Table (Single host Routes)]
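The switch-route slides above describe learning from ARP, the CAM table and Layer 3 cache, the discovery fallback and the roaming caveat. The following simulation is an added example written for this page; it is not cos Core code and only models the behaviour the slides describe. It parses constructed Ethernet/ARP frames, fills a MAC-to-interface CAM table and an IP-to-(MAC, interface) cache from every ARP request or reply seen, relays ARP the way the slides show, and answers a route lookup either with a direct forward or with a "discover" action listing the other switch-routed interfaces. Interface names, MAC and IP addresses and the table size limit are constructed.

```python
"""Switch-route learning simulation, constructed for this page: a CAM table
(MAC -> interface) and a Layer 3 cache (IP -> MAC, interface) are filled from
ARP traffic passing between switch-routed interfaces, and a route lookup
either forwards directly or falls back to discovery."""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (constructed test input)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip); raise on non-ARP or short frames."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return op, mac_str(sha), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))


class SwitchRoute:
    def __init__(self, interfaces, max_entries=4):
        self.interfaces = list(interfaces)  # the switch-routed interface group
        self.cam = {}                        # MAC -> interface
        self.l3 = {}                         # IP -> (MAC, interface)
        self.max_entries = max_entries

    def _flush_if_full(self):
        """Partial flush: drop the oldest half when a table overflows."""
        for table in (self.cam, self.l3):
            if len(table) > self.max_entries:
                for key in list(table)[: len(table) // 2]:
                    del table[key]

    def learn(self, frame, in_iface):
        """Learn sender MAC, IP and interface from any ARP request or reply seen."""
        op, smac, sip, tip = parse_arp(frame)
        self.cam[smac] = in_iface
        self.l3[sip] = (smac, in_iface)
        self._flush_if_full()
        return op, sip, tip

    def relay_arp(self, frame, in_iface):
        """Learn, then relay: a request is flooded to the other interfaces,
        a reply goes only to the interface where the target is known."""
        op, sip, tip = self.learn(frame, in_iface)
        if op == ARP_REQUEST:
            return [i for i in self.interfaces if i != in_iface]
        return [self.l3[tip][1]] if tip in self.l3 else []

    def route(self, dst_ip, in_iface):
        """Route lookup for an IP packet. Cache hit: forward directly.
        Miss: send ARP and ICMP on the other switch-routed interfaces to
        discover the host (modelled here as a 'discover' action)."""
        if dst_ip in self.l3:
            mac, iface = self.l3[dst_ip]
            return ("forward", iface, mac)
        return ("discover", [i for i in self.interfaces if i != in_iface], None)
```

The roaming caveat from the Transparent Mode slide falls out of the model: after a host has been learned on one interface, packets for it keep going there until an ARP frame from the new interface overwrites the cache entry.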

187 Switch Route
Full table
  If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically.
  The discovery mechanism of sending ARP and ICMP requests is used to rediscover active destinations that may have been flushed.
[Figure: after the CAM table is flushed, ARP and Ping are broadcast to the hosts on the switch-routed interfaces]

188 Exercise: Transparent Mode using Switch Route
Objectives
  Use Switch Route to make the Clavister transparent.
What you will know
  How to set up Switch Routes and how they operate.
Note! Only one group at a time can be connected to the Classroom SeGW!
Example taken from: cos Core Admin Guide, Chapter Transparent Mode, Setting up Transparent Mode - Scenario 1

189 Exercise: Scenario
Description of the scenario
  cos Core is placed transparently between a NATing router and the internal network.
  LabPCs on the internal network are in the X.0/16 address space.
  cos Core can this way do traffic inspection without changes to existing equipment
[Figure: GroupX GW with lan and wan, gw= Classroom GW, network X.0/16]

190 Exercise: Restore basic setup Restore the initial configuration We have done so many labs already. We need to start with a fresh configuration.

191 Exercise: Address Book
  Name     IP
  External side
  wan_ip   X.1
  wan_net  /16
  wan_gw
  Internal side
  lan_ip   X.1
  lan_net  /16

192 Exercise: Interface Group
  Add the lan and wan interfaces.
  Enable S/T Equivalent: it allows the hosts to move freely between the switch routed interfaces.

193 Exercise: Routes
  Add a switch route to connect the Interface Group with the shared network.
  Remove all other routes to the common network (wannet) and the interfaces (wan, lan)
    Open Interfaces > Ethernet > <iface> and on the Advanced tab, remove the Automatic Route Creation for local routes.
  The all-nets route is needed for Antivirus/IDP updates, NTP etc

194 Exercise: IP Rules
  Add inbound and outbound rules
  The Interface Group can be used or not in the IP Rules, depending on scenario and effect wanted.
  Server01 = X.2 (use Add new object)

195 Exercise: Save & Activate
Remote Management > Advanced Settings
  Validation Timeout: 90 seconds (or more)
  Lan_net is updated to the new value, so management should work with the new config.
Save and Activate
  Now you have 90 seconds to change the IP of the Lab PC and login:
    IP = X.2
    Mask =
    GW =
    DNS =
  Try to login to to do the validation of the configuration
  You should be able to access the Internet and study the System Log
The exercise is finished

196 Exercise: Splitting a network to two interfaces
Objectives
  Use Switch Route to connect servers to a separate interface, but on the same network as the clients.
What you will know
  How to control the access to servers, even though they are in the same address range as the clients.
Example taken from cos Core Admin Guide, Chapter Transparent Mode, Setting up Transparent Mode - Scenario 2

197 Exercise: Scenario
  All hosts connected to LAN and DMZ share the X.0/24 address space. Any IP address can be used for the servers.
  Hosts on the internal network do not know if a resource is on the same network or placed on the DMZ.
  The hosts on the internal network are allowed to communicate with an HTTP server on DMZ.
  The HTTP server on the DMZ can be reached from the internet.
[Figure: dmz, lan and wan interfaces, gw= , shared network X.0/24]

198 Exercise: Address Book
  Name       IP
  External
  wan_ip     X.1
  wan_net    /16
  wan_gw
  Internal
  lan_ip     X
  lan_net    X.0/24
  dmz_ip     X
  dmz_net    X.0/24
  server_ip  X.2

199 Exercise: Interface Group
  Add the lan and dmz interfaces.
  S/T Equivalent should not be needed: it allows the hosts to move freely between the switch routed interfaces, and no hosts should be moving around here.

200 Exercise: Routes
  Add a switch route to connect the Interface Group with the shared network.
  Remove all other routes to Lan_net and Dmz_net

201 Exercise: IP Rules
  Add inbound and outbound rules
  The Interface Group can be used or not in the rules, depending on scenario and effect wanted.
  Outbound: all can reach the Internet with DNS and HTTP
  Lan-Dmz: Lan can reach HTTP on Dmz

202 Exercise: Testing
Testing the setup
  Needs several LabPCs (not possible in the Online course)
  Ping simulation is one method available
  Set the IP of your lab PC to X.2, put it on dmz (Online: ask the trainer) and it should be possible to access its web server from the Lan interface
    Device:> ping X.2 -srcip= x.3 -srcif=lan -tcp -port=80 -verbose
This exercise is finished.

203 Exercise: Transparent Mode using Proxy ARP
Objectives
  Use Proxy ARP to create a Transparent Security Gateway
What you will know
  How to set up Transparent Mode with Proxy ARP


More information

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents Table of Contents Table of Contents Chapter 1 Static Routing Configuration... 1-1 1.1 Introduction... 1-1 1.1.1 Static Route... 1-1 1.1.2 Default Route... 1-1 1.1.3 Application Environment of Static Routing...

More information

EECS 122, Lecture 16. Link Costs and Metrics. Traffic-Sensitive Metrics. Traffic-Sensitive Metrics. Static Cost Metrics.

EECS 122, Lecture 16. Link Costs and Metrics. Traffic-Sensitive Metrics. Traffic-Sensitive Metrics. Static Cost Metrics. EECS 122, Lecture 16 Kevin Fall kfall@cs.berkeley.edu edu Link Costs and Metrics Routing protocols compute shortest/cheapest paths using some optimization criteria Choice of criteria has strong effect

More information

Internet Routing Protocols Tuba Saltürk

Internet Routing Protocols Tuba Saltürk Internet Routing Protocols 15505068 Tuba Saltürk Outline Internet Routers Routing Protocol Interior Gateway Protocol (IGP) Distance- Vector Routing Protocol Routing Information Protocol (RIP) Interior

More information

Basic Idea. Routing. Example. Routing by the Network

Basic Idea. Routing. Example. Routing by the Network Basic Idea Routing Routing table at each router/gateway When IP packet comes, destination address checked with routing table to find next hop address Questions: Route by host or by network? Routing table:

More information

Routing Protocol Type Primarily IGP or EGP RIP Distance-Vector IGP EIGRP OSPF IS-IS BGP

Routing Protocol Type Primarily IGP or EGP RIP Distance-Vector IGP EIGRP OSPF IS-IS BGP Appendix D Memory Tables Chapter 1 Table 1-2 Routing Protocol Characteristics Routing Protocol Type Primarily IGP or EGP RIP Distance-Vector IGP EIGRP OSPF IS-IS BGP Chapter 3 Table 3-2 Hexadecimal/Binary

More information

OSPF. OSPF processs can be enabled on 2 levels

OSPF. OSPF processs can be enabled on 2 levels OSPF UDP port 89 Metic cost Link state protocol Flood the link state information in the entire topology Builds the topology table Stores in LSDB Runs SPF(Djsktra algorithm) for best path to reach destination

More information

Routing by the Network

Routing by the Network Routing Basic Idea Routing table at each router/gateway When IP packet comes, destination address checked with routing table to find next hop address Questions: Route by host or by network? Routing table:

More information

Introduction to OSPF

Introduction to OSPF Introduction to OSPF 1 OSPF Open Shortest Path First Link state or SPF technology Developed by OSPF working group of IETF (RFC 1247) OSPFv2 standard described in RFC2328 Designed for: TCP/IP environment

More information

cisco. Number: Passing Score: 800 Time Limit: 120 min.

cisco. Number: Passing Score: 800 Time Limit: 120 min. 300-101.cisco Number: 300-101 Passing Score: 800 Time Limit: 120 min Exam A QUESTION 1 Examine the following output of the show ip ospf interface command. What would be the effect of executing the auto-cost

More information

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Interior Routing Protocols and High Availability.

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Interior Routing Protocols and High Availability. Vendor: Alcatel-Lucent Exam Code: 4A0-101 Exam Name: Alcatel-Lucent Interior Routing Protocols and High Availability Version: Demo QUESTION 1 When a router receives an IP packet, but does not find a match

More information

TDC 363 Introduction to LANs

TDC 363 Introduction to LANs TDC 363 Introduction to LANs OSPF Greg Brewster DePaul University TDC 363 Greg Brewster, DePaul University 1 OSPF Link State Routing Algorithms Open Shortest Path First (OSPF) Message Types Operations

More information

REDDIG II Computer Networking Training

REDDIG II Computer Networking Training REDDIG II Computer Networking Training JM SANCHEZ / PH RASSAT -20/06/2012 Invierno 2011 Capacitacion en fabrica - CORPAC Dynamic Routing Dynamic Routing Function(s) of Dynamic Routing Protocols: Dynamically

More information

Introduction to OSPF

Introduction to OSPF Introduction to OSPF ISP/IXP Workshops ISP/IXP Workshops 1999, Cisco Systems, Inc. 1 Agenda OSPF Primer OSPF in Service Provider Networks OSPF BCP - Adding Networks OSPF Command Summary 2 OSPF Primer 3

More information

9.1. Routing Protocols

9.1. Routing Protocols 9.1. Routing Protocols Each organization that has been assigned a network address from an ISP is considered an autonomous system (AS). That organization is free to create one large network, or divide the

More information

IP Protocols. ALTTC/Oct

IP Protocols. ALTTC/Oct IP Protocols Internet or IP technology over the years has emerged as the most prominent data communication technology. TCP/IP protocol has become de-facto data comm standard throughout the world. It can

More information

FSOS IP Routing Command Line Reference

FSOS IP Routing Command Line Reference FSOS IP Routing Command Line Reference Contents 1 IP Unicast-Routing Commands... 7 1.1 ip address...7 1.2 ip icmp error-interval... 9 1.3 ip redirects...10 1.4 ip unreachables...11 1.5 ip verify unicast

More information

CCNA 3 (v v6.0) Chapter 5 Exam Answers % Full

CCNA 3 (v v6.0) Chapter 5 Exam Answers % Full CCNA 3 (v5.0.3 + v6.0) Chapter 5 Exam Answers 2017 100% Full ccnav6.com /ccna-3-v5-0-3-v6-0-chapter-5-exam-answers-2017-100-full.html CCNA Exam Answers 2017 CCNA 3 (v5.0.3 + v6.0) Chapter 5 Exam Answers

More information

IP Routing Tecnologie e Protocolli per Internet II rev 1

IP Routing Tecnologie e Protocolli per Internet II rev 1 IP Routing Tecnologie e Protocolli per Internet II rev 1 Andrea Detti Electronic Engineering dept. E-mail: andrea.detti@uniroma2.it Some sources: Cisco CCNA Routing and Switching ICND1 and ICND2 Slide

More information

Unicast Routing. TCP/IP class

Unicast Routing. TCP/IP class Unicast Routing TCP/IP class Routing Protocols intro RIP and son of RIP OSPF BGP odd bodkins NAT TCP/IP Internetworking Protocols 2 divide routing world into 3 parts topology IETF ISO/OSI same link or

More information

Routing Overview. Information About Routing CHAPTER

Routing Overview. Information About Routing CHAPTER 21 CHAPTER This chapter describes underlying concepts of how routing behaves within the ASA, and the routing protocols that are supported. This chapter includes the following sections: Information About

More information

EEC-684/584 Computer Networks

EEC-684/584 Computer Networks EEC-684/584 Computer Networks Lecture 14 wenbing@ieee.org (Lecture nodes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Internetworking

More information

Vanguard Managed Solutions

Vanguard Managed Solutions Vanguard Managed Solutions Vanguard Applications Ware IP and LAN Feature Protocols Open Shortest Path First (OSPF) Notice 2003 Vanguard Managed Solutions, LLC 575 West Street Mansfield, Massachusetts 02048

More information

IPv4 IGP Troubleshooting. IPv4 Routing Workflow. IPv4 routing can be subdivided into three discrete steps

IPv4 IGP Troubleshooting. IPv4 Routing Workflow. IPv4 routing can be subdivided into three discrete steps Internetwork Expert s CCNP Bootcamp IPv4 IGP Troubleshooting http:// IPv4 Routing Workflow IPv4 routing can be subdivided into three discrete steps Routing lookup Switching method Layer 2 encapsulation

More information

Chapter 7 Routing Protocols

Chapter 7 Routing Protocols Chapter 7 Routing Protocols Nonroutable Protocols In the early days of networking, networks were small collections of computers linked together For the purposes of sharing information and expensive peripherals

More information

Routing Protocol. Seiya Tsubone. Apr The University of Tokyo. Seiya Tsubone (The University of Tokyo) Routing Protocol Apr. 25.

Routing Protocol. Seiya Tsubone. Apr The University of Tokyo. Seiya Tsubone (The University of Tokyo) Routing Protocol Apr. 25. Routing Protocol Seiya Tsubone The University of Tokyo Apr. 25. 2013 Seiya Tsubone (The University of Tokyo) Routing Protocol Apr. 25. 2013 1 / 60 Table of Contents 1 The Concept of Routing 2 RIP 3 OSPF

More information

Table of Contents 1 OSPF Configuration 1-1

Table of Contents 1 OSPF Configuration 1-1 Table of Contents 1 OSPF Configuration 1-1 Introduction to OSPF 1-1 Basic Concepts 1-2 OSPF Area Partition 1-4 Router Types 1-7 Classification of OSPF Networks 1-9 DR and BDR 1-9 OSPF Packet Formats 1-11

More information

Configuring OSPF. Cisco s OSPF Implementation

Configuring OSPF. Cisco s OSPF Implementation Configuring OSPF This chapter describes how to configure OSPF. For a complete description of the OSPF commands in this chapter, refer to the OSPF s chapter of the Network Protocols Reference, Part 1. To

More information

Routing. Advanced Computer Networks: Routing 1

Routing. Advanced Computer Networks: Routing 1 Routing Advanced Computer Networks: Routing 1 Gateway To internet or wide area network Metropolitan Area Network (MAN) s s Organization Servers Backbone R S R R Departmental Server s R S R s S R s s s

More information

CSCE 463/612 Networks and Distributed Processing Spring 2018

CSCE 463/612 Networks and Distributed Processing Spring 2018 CSCE 463/612 Networks and Distributed Processing Spring 2018 Network Layer IV Dmitri Loguinov Texas A&M University April 12, 2018 Original slides copyright 1996-2004 J.F Kurose and K.W. Ross 1 Chapter

More information

FiberstoreOS IP Routing Command Line Reference

FiberstoreOS IP Routing Command Line Reference FiberstoreOS IP Routing Command Line Reference Contents 1 IP Unicast-Routing Commands...6 1.1 ip address...6 1.2 ip icmp error-interval...7 1.3 ip redirects... 8 1.4 ip unreachables...9 1.5 ip verify unicast

More information

Last time. Transitioning to IPv6. Routing. Tunneling. Gateways. Graph abstraction. Link-state routing. Distance-vector routing. Dijkstra's Algorithm

Last time. Transitioning to IPv6. Routing. Tunneling. Gateways. Graph abstraction. Link-state routing. Distance-vector routing. Dijkstra's Algorithm Last time Transitioning to IPv6 Tunneling Gateways Routing Graph abstraction Link-state routing Dijkstra's Algorithm Distance-vector routing Bellman-Ford Equation 10-1 This time Distance vector link cost

More information

Routing Protocols. Technology Description BGP CHAPTER

Routing Protocols. Technology Description BGP CHAPTER CHAPTER 11 This chapter describes the level of support that Cisco ANA provides for routing protocols, as follows: Technology Description, page 11-1 Information Model Objects (IMOs), page 11-3 Vendor-Specific

More information

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols Top-Down Network Design Chapter Seven Selecting Switching and Routing Protocols Copyright 2010 Cisco Press & Priscilla Oppenheimer 1 Switching 2 Page 1 Objectives MAC address table Describe the features

More information

Implementing Cisco IP Routing (ROUTE)

Implementing Cisco IP Routing (ROUTE) Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide Foundation learning for the ROUTE 642-902 Exam Diane Teare Cisco Press 800 East 96th Street Indianapolis, IN 46240 Implementing Cisco IP

More information

Two types of routing protocols are used in internetworks: interior gateway protocols (IGPs) and exterior gateway protocols (EGPs).

Two types of routing protocols are used in internetworks: interior gateway protocols (IGPs) and exterior gateway protocols (EGPs). Introduction Dynamic routing is when protocols are used to find networks and update routing tables on routers. True, this is easier than using static or default routing, but it ll cost you in terms of

More information

Avaya M-MLS Routing Manager User Guide

Avaya M-MLS Routing Manager User Guide Avaya M-MLS Routing Manager User Guide April 2002 Avaya M-MLS Routing Manager User Guide Copyright Avaya Inc. 2002 ALL RIGHTS RESERVED The products, specifications, and other technical information regarding

More information

Part II. Chapter 3. Determining IP Routes

Part II. Chapter 3. Determining IP Routes Part II Chapter 3 Routers perform two main functions: switching and routing. The switching function is the process of moving packets from an inbound interface to an outbound interface. The switching function

More information

How to configure IPSec VPN failover

How to configure IPSec VPN failover How to configure IPSec VPN failover This scenario shows how both firewalls can be configured IPSec VPN failover between two WAN links. Either of WAN links is broken, all VPN traffic will be on-line redirected

More information

Configuring IP Unicast Routing

Configuring IP Unicast Routing CHAPTER 39 This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. A switch

More information

OSPF Commands. Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols IP2R-61

OSPF Commands. Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols IP2R-61 OSPF Commands Use the commands in this chapter to configure and monitor the Open Shortest Path First (OSPF) routing protocol. For OSPF configuration information and examples, refer to the Configuring OSPF

More information

Information About Routing

Information About Routing 19 CHAPTER This chapter describes underlying concepts of how routing behaves within the adaptive security appliance, and the routing protocols that are supported. The chapter includes the following sections:,

More information

CS 457 Networking and the Internet. Shortest-Path Problem. Dijkstra s Shortest-Path Algorithm 9/29/16. Fall 2016

CS 457 Networking and the Internet. Shortest-Path Problem. Dijkstra s Shortest-Path Algorithm 9/29/16. Fall 2016 9/9/6 S 7 Networking and the Internet Fall 06 Shortest-Path Problem Given: network topology with link costs c(x,y): link cost from node x to node y Infinity if x and y are not direct neighbors ompute:

More information

Logging neighbor state changes 38 Configuring OSPF network management 39 Enabling message logging 39 Enabling the advertisement and reception of

Logging neighbor state changes 38 Configuring OSPF network management 39 Enabling message logging 39 Enabling the advertisement and reception of Contents Configuring OSPF 1 Introduction to OSPF 1 Basic concepts 1 Area based OSPF network partition 3 Router types 6 OSPF network classification 7 DR and BDR 8 OSPF packet formats 9 Supported features

More information

IPv6 Routing: OSPFv3

IPv6 Routing: OSPFv3 Open Shortest Path First version 3 (OSPFv3) is an IPv4 and IPv6 link-state routing protocol that supports IPv6 and IPv4 unicast address families (AFs). Finding Feature Information, page 1 Prerequisites

More information

EIGRP. About EIGRP. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.7 1

EIGRP. About EIGRP. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.7 1 This chapter describes how to configure the Cisco ASA to route data, perform authentication, and redistribute routing information using the Enhanced Interior Gateway Routing Protocol (). About, page 1

More information

ICS 351: Today's plan. netmask exercises network and subnetwork design dynamic routing RIP distance-vector routing

ICS 351: Today's plan. netmask exercises network and subnetwork design dynamic routing RIP distance-vector routing ICS 351: Today's plan netmask exercises network and subnetwork design dynamic routing RIP distance-vector routing Netmask exercises how many bits in this netmask: 255.128.0.0 using this netmask and the

More information

Networking TCP/IP routing and workload balancing

Networking TCP/IP routing and workload balancing System i Networking TCP/IP routing and workload balancing Version 6 Release 1 System i Networking TCP/IP routing and workload balancing Version 6 Release 1 Note Before using this information and the product

More information

Building the Routing Table. Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles

Building the Routing Table. Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles Building the Routing Table Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles Introducing the Routing Table R1# show ip route Codes: C - connected,

More information

FiberstoreOS IP Routing Configuration Guide

FiberstoreOS IP Routing Configuration Guide FiberstoreOS IP Routing Configuration Guide Contents 1 Configuring IP Unicast-Routing... 6 1.1 Overview...6 1.2 Topology... 6 1.3 Configuration... 6 1.4 Validation... 8 2 Configuring RIP... 10 2.1 Overview...10

More information

Chapter 16 OSPF Version 3 Commands

Chapter 16 OSPF Version 3 Commands Chapter 16 OSPF Version 3 Commands NOTE: The OSPF version 3 configuration level is present only on HP devices that support IPv6. area Assigns OSPF version 3 areas. You can assign an IPv4 address or a number

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information

Passit4Sure.4A Questions 4A Alcatel-Lucent Interior Routing Protocols and High Availability

Passit4Sure.4A Questions 4A Alcatel-Lucent Interior Routing Protocols and High Availability Passit4Sure.4A0-101.300Questions Number: 4A0-101 Passing Score: 800 Time Limit: 120 min File Version: 7.5 http://www.gratisexam.com/ 4A0-101 Alcatel-Lucent Interior Routing Protocols and High Availability

More information

Default & Static Routes and Routing Information Protocol. Presented by : Mohammed Hamad

Default & Static Routes and Routing Information Protocol. Presented by : Mohammed Hamad Default & Static Routes and Routing Information Protocol Presented by : Mohammed Hamad When a device has multiple paths to reach a destination, it always selects one path by preferring it over others.

More information

CIS 83 Midterm Spring 2004 Answer Sheet Name Score Grade Question Answer Question Answer

CIS 83 Midterm Spring 2004 Answer Sheet Name Score Grade Question Answer Question Answer CIS 83 Midterm Spring 2004 Answer Sheet Name: Score: Grade: Question Answer Question Answer 1 A B C D E F 51 A B C D E F 2 A B C D E F 52 A B C D E F 3 A B C D E F 53 A B C D E F 4 A B C D E F 54 A B C

More information

Operation Manual Routing Protocol. Table of Contents

Operation Manual Routing Protocol. Table of Contents Table of Contents Table of Contents Chapter 1 IP Routing Protocol Overview... 1-1 1.1 Introduction to IP Route and Routing Table... 1-1 1.1.1 IP Route... 1-1 1.1.2 Routing Table... 1-1 1.2 Routing Management

More information

FiberstoreOS IP Routing Configuration Guide

FiberstoreOS IP Routing Configuration Guide FiberstoreOS IP Routing Configuration Guide Contents 1 Configuring IP Unicast-Routing... 1 1.1 Overview... 1 1.2 Topology...1 1.3 Configuration... 2 1.4 Validation... 3 2 Configuring RIP...5 2.1 Overview...

More information

IBM i Version 7.2. Networking TCP/IP routing and workload balancing IBM

IBM i Version 7.2. Networking TCP/IP routing and workload balancing IBM IBM i Version 7.2 Networking TCP/IP routing and workload balancing IBM IBM i Version 7.2 Networking TCP/IP routing and workload balancing IBM Note Before using this information and the product it supports,

More information

OSPF Protocol Overview on page 187. OSPF Standards on page 188. OSPF Area Terminology on page 188. OSPF Routing Algorithm on page 190

OSPF Protocol Overview on page 187. OSPF Standards on page 188. OSPF Area Terminology on page 188. OSPF Routing Algorithm on page 190 Chapter 17 OSPF Protocol Overview The Open Shortest Path First (OSPF) protocol is an interior gateway protocol (IGP) that routes packets within a single autonomous system (AS). OSPF uses link-state information

More information

FSOS IP Routing Configuration Guide

FSOS IP Routing Configuration Guide FSOS IP Routing Configuration Guide Contents 1 Configuring IP Unicast-Routing... 6 1.1 Overview... 6 1.2 Topology...6 1.3 Configuration... 7 1.4 Validation... 8 2 Configuring RIP...10 2.1 Overview... 10

More information

Configuring OSPF with CLI

Configuring OSPF with CLI OSPF Configuring OSPF with CLI This section provides information to configure Open Shortest Path First (OSPF) using the command line interface. Topics in this section include: OSPF Configuration Guidelines

More information

Routing Unicast routing protocols

Routing Unicast routing protocols Routing Unicast routing protocols Jens A Andersson Electrical and Information Technology R1 Choosing an Optimal Path R4 5 R7 5 10 40 R6 6 5 B R2 15 A 20 4 10 10 R8 R3 5 10 R5 1 Router A router is a type

More information

Which of the following describe the process identifier that is used to run OSPF on a router? (Choose two)

Which of the following describe the process identifier that is used to run OSPF on a router? (Choose two) ICND1 OSPF Questions Question 1 Which of the following describe the process identifier that is used to run OSPF on a router? (Choose two) A. It is locally significant. B. It is globally significant. C.

More information

BTEC Level 3 Extended Diploma

BTEC Level 3 Extended Diploma BTEC Level 3 Extended Diploma Unit 9 Computer Network Routing and Routing Protocols BTEC Level 3 Extended Diploma Introduction to Routing Routing is the process that a router uses to forward packets toward

More information

EIGRP. Routing Protocols and Concepts Chapter 9. Video Frank Schneemann, MS EdTech

EIGRP. Routing Protocols and Concepts Chapter 9. Video Frank Schneemann, MS EdTech Video Frank Schneemann, MS EdTech EIGRP Routing Protocols and Concepts Chapter 9 ITE PC v4.0 Chapter 1 2007 Cisco Systems, Inc. All rights reserved. Cisco Public 1 9.0.1 Introduction Enhanced Interior

More information

ROUTING INTRODUCTION TO IP, IP ROUTING PROTOCOLS AND PROXY ARP

ROUTING INTRODUCTION TO IP, IP ROUTING PROTOCOLS AND PROXY ARP IP ROUTING INTRODUCTION TO IP, IP ROUTING PROTOCOLS AND PROXY ARP Peter R. Egli 1/37 Contents 1. IP Routing 2. Routing Protocols 3. Fragmentation in the IP Layer 4. Proxy ARP 5. Routing and IP forwarding

More information

User Guide TL-R470T+/TL-R480T REV9.0.2

User Guide TL-R470T+/TL-R480T REV9.0.2 User Guide TL-R470T+/TL-R480T+ 1910012468 REV9.0.2 September 2018 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Accessing the Router Overview... 3 Web Interface

More information

Configuring EIGRP. Overview CHAPTER

Configuring EIGRP. Overview CHAPTER CHAPTER 24 This chapter describes how to configure the adaptive security appliance to route data, perform authentication, and redistribute routing information, using the Enhanced Interior Gateway Routing

More information

ITEC310 Computer Networks II

ITEC310 Computer Networks II ITEC310 Computer Networks II Chapter 22 Network Layer:, and Routing Department of Information Technology Eastern Mediterranean University Objectives 2/131 After completing this chapter you should be able

More information

Configuring IP Unicast Routing

Configuring IP Unicast Routing CHAPTER 40 This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E

More information

Configuring Networking Protocols

Configuring Networking Protocols 11 CHAPTER This chapter describes how to configure the ML-Series card for supported IP routing protocols. It is intended to provide enough information for a network administrator to get the protocols up

More information

Setting Up Virtual Routers

Setting Up Virtual Routers Virtual Routers The following topics describe how to set up virtual routers in the Firepower System: Virtual Routers, on page 1 Routed Interfaces, on page 2 Configuring Physical Routed Interfaces, on page

More information

Nortel Ethernet Routing Switch 5000 Series Configuration IP Routing Protocols. Release: 6.1 Document Revision:

Nortel Ethernet Routing Switch 5000 Series Configuration IP Routing Protocols. Release: 6.1 Document Revision: Configuration IP Routing Protocols Release: 6.1 Document Revision: 05.01 www.nortel.com NN47200-503. . Release: 6.1 Publication: NN47200-503 Document release date: 25 May 2009 While the information in

More information

Chapter 22 Network Layer: Delivery, Forwarding, and Routing 22.1

Chapter 22 Network Layer: Delivery, Forwarding, and Routing 22.1 Chapter 22 Network Layer: Delivery, Forwarding, and Routing 22.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 22-3 UNICAST ROUTING PROTOCOLS 22.2 A routing

More information

Configuring OSPF network management 39 Enabling message logging 39 Enabling the advertisement and reception of opaque LSAs 40 Configuring OSPF to

Configuring OSPF network management 39 Enabling message logging 39 Enabling the advertisement and reception of opaque LSAs 40 Configuring OSPF to Contents Configuring OSPF 1 Introduction to OSPF 1 Basic concepts 1 OSPF areas 3 Router types 6 OSPF network classification 7 DR and BDR 8 OSPF packet formats 9 Supported OSPF features 17 Protocols and

More information

Question: 3 Which LSA type describes the router ID of ASBR routers located in remote areas?

Question: 3 Which LSA type describes the router ID of ASBR routers located in remote areas? Volume: 65 Questions Question: 1 Which two statements describe aggregate routes? (Choose two.) A. Invalid routing prefixes are not advertised to external peers. B. Internal routing instabilities can be

More information

ETSF05/ETSF10 Internet Protocols. Routing on the Internet

ETSF05/ETSF10 Internet Protocols. Routing on the Internet ETSF05/ETSF10 Internet Protocols Routing on the Internet Circuit switched routing ETSF05/ETSF10 - Internet Protocols 2 Routing in Packet Switching Networks Key design issue for (packet) switched networks

More information

IP Routing Volume Organization

IP Routing Volume Organization IP Routing Volume Organization Manual Version 20091105-C-1.03 Product Version Release 6300 series Organization The IP Routing Volume is organized as follows: Features IP Routing Overview Static Routing

More information

Routing Protocols. Autonomous System (AS)

Routing Protocols. Autonomous System (AS) Routing Protocols Two classes of protocols: 1. Interior Routing Information Protocol (RIP) Open Shortest Path First (OSPF) 2. Exterior Border Gateway Protocol (BGP) Autonomous System (AS) What is an AS?

More information

The Interconnection Structure of. The Internet. EECC694 - Shaaban

The Interconnection Structure of. The Internet. EECC694 - Shaaban The Internet Evolved from the ARPANET (the Advanced Research Projects Agency Network), a project funded by The U.S. Department of Defense (DOD) in 1969. ARPANET's purpose was to provide the U.S. Defense

More information

CCNA 3 (v v6.0) Chapter 6 Exam Answers % Full

CCNA 3 (v v6.0) Chapter 6 Exam Answers % Full CCNA 3 (v5.0.3 + v6.0) Chapter 6 Exam Answers 2017 100% Full ccnav6.com /ccna-3-v5-0-3-v6-0-chapter-6-exam-answers-2017-100-full.html CCNA Exam Answers 2017 CCNA 3 (v5.0.3 + v6.0) Chapter 6 Exam Answers

More information

Configuring IP Unicast Routing

Configuring IP Unicast Routing 28 CHAPTER This chapter describes how to configure IP unicast routing on the Catalyst 3750 Metro switch. Note For more detailed IP unicast configuration information, refer to the Cisco IOS IP and IP Routing

More information

IPv4 and Routing. based on Chapter 8 of CompTIA Network+ Exam Guide, Mike Meyers

IPv4 and Routing. based on Chapter 8 of CompTIA Network+ Exam Guide, Mike Meyers IPv4 and Routing based on Chapter 8 of CompTIA Network+ Exam Guide, Mike Meyers Routing How does a data packet get from its source network, to the destination's network? Individual networks are connected

More information

Configuring IP Unicast Routing

Configuring IP Unicast Routing Finding Feature Information, page 2 Information About, page 2 Information About IP Routing, page 2 How to Configure IP Routing, page 9 How to Configure IP Addressing, page 10 Monitoring and Maintaining

More information

CCNA EXPLORATION V4.0 ROUTING PROTOCOLS AND CONCEPTS

CCNA EXPLORATION V4.0 ROUTING PROTOCOLS AND CONCEPTS CCNA EXPLORATION V4.0 ACCESSIBLE INSTRUCTOR MATERIALS COMPARISON OF NEW CURRICULA WITH EXISTING CURRICULA Prepared by Cisco Learning Institute June 23, 2008 Routing Protocols and Concepts Summary New CCNA

More information

MULTICAST EXTENSIONS TO OSPF (MOSPF)

MULTICAST EXTENSIONS TO OSPF (MOSPF) MULTICAST EXTENSIONS TO OSPF (MOSPF) Version 2 of the Open Shortest Path First (OSPF) routing protocol is defined in RFC-1583. It is an Interior Gateway Protocol (IGP) specifically designed to distribute

More information

TDC 363 Introduction to LANs

TDC 363 Introduction to LANs TDC 363 Introduction to LANs Routing Protocols and RIP Greg Brewster DePaul University TDC 363 1 Dynamic Routing Routing Protocols Distance Vector vs. Link State Protocols RIPv1 & RIPv2 RIP Problems Slow

More information

Introduction to OSPF

Introduction to OSPF Introduction to OSPF ISP/IXP Workshops ISP/IXP Workshops 1999, Cisco Systems, Inc. 1 OSPF Dynamic Routing Protocol Link State technology Runs over IP, protocol 89 Designed by IETF for TCP/IP Supports VLSM

More information

OSPF. Unless otherwise noted, OSPF refers to OSPFv2 throughout this document.

OSPF. Unless otherwise noted, OSPF refers to OSPFv2 throughout this document. Open Shortest Path First () is a link state based interior gateway protocol developed by the working group of the Internet Engineering Task Force (IETF). At present, version 2 (RFC2328) is used. Introduction

More information

OSPF. About OSPF. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.4 1

OSPF. About OSPF. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.4 1 This chapter describes how to configure the Cisco ASA to route data, perform authentication, and redistribute routing information using the Open Shortest Path First () routing protocol. About, page 1 Guidelines

More information

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP Chapter 4: outline 4.1 introduction 4.2 virtual circuit and datagram networks 4.3 what s inside a router 4.4 IP: Internet Protocol datagram format IPv4 addressing ICMP 4.5 routing algorithms link state

More information