Deployments and Network Topologies

Similar documents
Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

SD-WAN Deployment Guide (CVD)

Barracuda Link Balancer

EdgeXOS Platform QuickStart Guide

Guide to Vyatta Documentation

Guide to Vyatta Documentation

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture

Exam Name: VMware Certified Associate Network Virtualization

Cloud Services. Introduction

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Certified SonicWALL Security Administrator (CSSA) Instructor-led Training

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer

Ordering and deleting Single-node Trial for VMware vcenter Server on IBM Cloud instances

Virtual Security Gateway Overview

Dell EMC. VxBlock Systems for VMware NSX 6.2 Architecture Overview

FAQ Guide. i-mo 310 & 540 Series Bonding Routers. FAQ Guide. for the i-mo 310 & 540 Series Appliances

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

JURUMANI MERAKI CLOUD MANAGED SECURITY & SD-WAN

CompTIA Network+ Study Guide Table of Contents

VMware Validated Design for NetApp HCI

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

1V0-642.exam.30q.

Guide to Vyatta Documentation

Unity EdgeConnect SP SD-WAN Solution

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Datrium DVX Networking Best Practices

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

Meraki MX Family Cloud Managed Security Appliances

WINNER 2007 WINNER 2008 WINNER 2009 WINNER 2010

Layer 4 to Layer 7 Design

Cisco Data Center Network Manager 5.1

Dell EMC. VxBlock Systems for VMware NSX 6.3 Architecture Overview

Service Graph Design with Cisco Application Centric Infrastructure


MyCloud Computing Business computing in the cloud, ready to go in minutes

Leverage the Citrix WANScaler Software Client to Increase Application Performance for Mobile Users

Network Edge Innovation With Virtual Routing

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

F5 Networks F5LTM12: F5 Networks Configuring BIG-IP LTM: Local Traffic Manager. Upcoming Dates. Course Description. Course Outline

Truffle Broadband Bonding Network Appliance

VMware vshield Edge Design Guide

CISCO QUAD Cisco CCENT/CCNA/CCDA/CCNA Security (QUAD)

RecoverPoint for Virtual Machines

IPv6 Best Operational Practices of Network Functions Virtualization (NFV) With Vmware NSX. Jeremy Duncan Tachyon Dynamics

EarthLink Business SIP Trunking. ShoreTel 14.2 IP PBX Customer Configuration Guide

SERVICE DESCRIPTION SD-WAN. from NTT Communications

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

Workload Mobility and Disaster Recovery to VMware Cloud IaaS Providers

Corente Cloud Services Exchange

"Charting the Course... Interconnecting Cisco Networking Devices Accelerated 3.0 (CCNAX) Course Summary

Network Configuration Guide

Cisco Stealthwatch. Installation and Configuration Guide 7.0

3/10/2011. Copyright Link Technologies, Inc.

Meraki MX Family Cloud Managed Security Appliances

VNS3 3.5 Container System Add-Ons

IT114 NETWORK+ Learning Unit 1 Objectives: 1, 2 Time In-Class Time Out-Of-Class Hours 2-3. Lectures: Course Introduction and Overview

VPN Cloud. Mako s SD-WAN Technology


Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router

How to Configure a Hybrid WAN in Parallel to An Existing Traditional Wan Infrastructure

From Zero Touch Provisioning to Secure Business Intent

VM-SERIES FOR VMWARE VM VM

Cisco Stealthwatch. Installation and Configuration Guide 7.0

Never Drop a Call With TecInfo SIP Proxy White Paper

Yealink VCS Network Deployment Solution

Palo Alto Networks PCNSE7 Exam

vsphere Networking Update 2 VMware vsphere 5.5 VMware ESXi 5.5 vcenter Server 5.5 EN

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Azure Compute. Azure Virtual Machines

India Operator BNG and IP Router

Peplink Balance Multi-WAN Routers

The OSI model of network communications

VXLAN Overview: Cisco Nexus 9000 Series Switches

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

Meraki MS Series Switches

Paperspace. Architecture Overview. 20 Jay St. Suite 312 Brooklyn, NY Technical Whitepaper

Implementing Cisco Network Security (IINS) 3.0

Gigabit SSL VPN Security Router

Virtualization Design

Empowering SDN SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA. Bruno Barba Systems Engineer Mexico & CACE

Introducing VMware Validated Designs for Software-Defined Data Center

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Aggregate Load Balance with BGP and MPLS MUM ID Oktober 2018 Yogyakarta, Indonesia

Introducing VMware Validated Designs for Software-Defined Data Center

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

CCNA-A Scope and Sequence (March 2007-Draft)

vsphere Networking 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

Container System Overview

Security Gateway Virtual Edition

Cisco Certified Network Associate ( )

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

SMARTER, SIMPLER NETWORKING

Installing VMware vsphere 5.1 Components

Service Description Safecom Customer Connection Version 3.5

Advanced CSR Lab with High Availability and Transit VPC

University of British Columbia

EdgeConnect for Amazon Web Services (AWS)

Cross-vCenter NSX Installation Guide. Update 3 Modified on 20 NOV 2017 VMware NSX for vsphere 6.2

Recommended Configuration Maximums

Transcription:

TECHNICAL GUIDE Deployments and Network Topologies A technical guide to deploying Family Zone School in different network topologies.

Contents Introduction...........................................3 Transparent bridge deployments............................ 3 VLANs with a transparent bridge............................ 4 LACP bonding......................................... 4 Management IP address.................................. 5 Layer 3 router and gateway................................ 5 Layer 3 router and NAT gateway............................ 6 Network address translation - NAT.......................... 6 WAN routing.......................................... 6 Virtual private networks - VPN............................. 7 Inbound and outbound firewall............................. 7 Quality of service QOS.................................. 7 Virtual machine deployments...............................8 Summary............................................. 9 Document Family Zone Pty Ltd 2018 2 Family Zone Technical Guide: Deployments and Network Topologies

Introduction Computer networks come in many shapes and sizes. From a small network with an all-in-one WIFI router and a couple of wireless devices, to one that spans multiple campuses with several layer-3 switches or routers, hundreds of VLANs and multiple WAN connections. Your network topology and requirements will largely be determined by campus size, performance requirements and budget. Family Zone education solutions provides Family Zone School Manager, which has been designed with flexibility and ease of deployment in mind and can fit into any network environment. Family Zone School Manager operates at all levels of the networking stack as a router, firewall and application-aware content filter. It can be deployed as the edge device on a network to provide high performance routing and layer 2-4 filtering as well as application layer filtering and identity management, or simply as a transparent layer-2 bridge augmenting an existing network topology with filtering, visibility and identity management. Most deployments of Family Zone School Manager fit into three broad categories: Layer 2 transparent bridge deployment Layer 3 router Layer 3 router with NAT Each type of deployment utilises the same virtual or physical appliance, software stack and cloud management. Transparent bridge deployments The simplest way to deploy Family Zone School Manager is as a transparent bridge. Doing this means you can augment your existing network topology with Layer 7 filtering, visibility and user management without major changes to your logical network topology. In a normal transparent bridge deployment, the Family Zone Appliance becomes an inline filter between your edge router and your switching and wireless infrastructures. This means that all internet traffic will pass through the appliance transparently. Routing and NAT decisions are not made by the Family Zone Appliance, and traffic is allowed by default. Filtering capabilities in this type of deployment are similar to a traditional proxy server, but without the negative impacts. Client devices do not need to be configured to pass traffic through the appliance. IP addressing and routing do not need to be modified, and internet traffic does not need to be tunneled out through a cloud-hosted proxy or filtering solution. On a simple network, deploying Family Zone School Manager in this way means simply placing it inline with a cabling change. ISP CPE Router/Firewall Router/Firewall Uplink To Edge Device Switching Family Zone Appliance Downlink To Core Switch Wireless Endpoints Switching Augmenting an existing network with Family Zone School Manager as a Layer 2 Transparent Bridge 3 Family Zone Technical Guide: Deployments and Network Topologies

VLANs with a transparent bridge In larger networks it is common to segment the layer 2 network into VLANs. This introduces the need for a layer 3 router - commonly the Edge firewall/router. Family Zone School Manager supports this type of layout by providing full support for 802.1q VLANs even when deployed as a transparent bridge. Router/Firewall Bridge 1 Bridge 2 Bridge 3 100 Phy1 100 200 200 300 300 Phy2 Phy1 Phy2 Phy1 Phy2 Family Zone Appliance VLAN Aware Switch Uplink To Switch Uplink To Firewall Layer 2 Bridge with VLANs Accommodating a trunk link between the core switch and the Edge firewall/router is simply a matter of configuration. LACP bonding Along with VLANs, larger networks often use LACP Link Aggregation to provide failover, redundancy and performance improvements through the use of multiple physical links between a core switch and the Edge firewall/router. Router/Firewall Virtual Bridge 1 bond0 bond0 Phy0 Phy1 Phy2 Phy3 Family Zone Appliance Core Switch To Core Switch To Firewall/Router Transparent Layer 2 Bridge with LACP Bonding 4 Family Zone Technical Guide: Deployments and Network Topologies

Family Zone School has full support for 802.3ad LACP when deployed as a transparent bridge. As with VLANs, accommodating this type of topology is just a configuration change. Management IP address When deployed as a Layer 2 bridge, the Family Zone Appliance will still need an internet connection for configuration and management with the Family Zone School Manager. This can be achieved with two different methods. Apply an IPv4 Address to the virtual bridge interface. Create a separate management interface. Layer 3 router and gateway Along with being a Layer 7 firewall, Family Zone School Manager is also a Layer 3 router. This enables Family Zone School Manager to support being deployed as an internal router in your network, routing traffic between VLANs, subnets and to-and-from the internet. Routing decisions are made based on static and dynamic configuration from the cloud management platform, and all traffic passing through the Family Zone Appliance can be filtered at both layer 7 and further down the OSI stack. Deploying the Family Zone Appliance as a router allows more granular access controls between different networks, and facilitates subnet and VLAN-based user identification that may otherwise be impossible in a transparent bridge deployment. Router/Firewall Layer 2 VLAN Layer 1 Ethernet Layer 3 Routing Family Zone Appliance Intersubnet Filtering Identity Management VLAN Aware Switch Layer 7 Reporting Layer 7 Filtering Transparent Layer 2 Bridge with LACP Bonding Family Zone School Manager does not support dynamic routing protocols like RIPv2, BGP, OSPF. Routing that is not tied to WAN interfaces must be statically configured in the Family Zone School Manager. 5 Family Zone Technical Guide: Deployments and Network Topologies

Layer 3 router and NAT gateway The final common deployment topology is as an Edge device. Every internet connected network needs a NAT capable router and firewall to route traffic to and from the internet. Deployed as an Edge router/gateway, Family Zone School Manager sits behind your ISP s CPE equipment and all internet traffic, and commonly internal network traffic is routed through the appliance. As with the other deployments, VLANs and LACP bonding are fully supported in an Edge deployment. ISP CPE Layer 2 VLAN Layer 2 LACP Subnet Routing Wan Routing Family Zone Appliance Failover Load Balancing NAT Inbound Filtering Identity Management Layer 7 Application Identification VLAN Aware Switch Content Filtering QOS Malware Filtering Identity Edge Firewall and Router There are several core technologies that are generally used when Family Zone School Manager is deployed as a gateway device. Network address translation - NAT NAT for WAN traffic goes hand in hand with WAN routing in Family Zone School Manager. Source NAT decisions for outbound traffic are normally made automatically to facilitate easy configuration and management. Aside from SNAT, Family Zone School Manager also supports 1:1 NAT, DNAT (Port Forwarding) and Many:1 out of the box. Each NAT type is highly customisable and tied to the firewall automatically. WAN routing Family Zone School Manager provides very simple WAN routing when deployed as an Edge device. When managing network interfaces you can configure them as a WAN link. In an environment with multiple WAN links, a primary link must be configured and WAN routing decisions can be made based on simple rules or modes. Family Zone School Manager supports policy-based WAN routing through the use of uplink preference rules and an overarching mode of either Failover or Load Balancing. In Failover mode, the primary link is used, and in the event of failure WAN traffic is routed through the secondary links. Outbound firewall rules can then be used to reduce congestion on failover links by limiting network access. 6 Family Zone Technical Guide: Deployments and Network Topologies

Failover mode is the default for appliances configured with more than one WAN uplink. In Load Balancing mode, Family Zone School Manager balances traffic between WAN links. This provides both redundancy and performance improvements for WAN traffic. For additional control WAN preference rules can provide administrators with control over load balancing and this can be used for user-group-, application- and port-based routing. Family Zone School Manager dynamic WAN routing allows administrators to utilise multiple WAN interfaces to gain both performance and resiliency. Virtual private networks - VPN Deploying Family Zone School Manager as an Edge device means administrators can take advantage of its VPN capabilities. Family Zone School Manager supports both gateway-to-gateway VPN connections and road warrior connections through the use of IPsec technology. Gateway-to-gateway VPNs provide a way of connecting remote sites. Family Zone School Manager provides very simple gateway-to-gateway VPN configuration that can be used to connect several Family Zone School Manager Edge appliances, or a Family Zone School Manager Edge appliance to another VPN provider. Road warrior VPNs provide remote workers with a secure connection over the internet from any location. Family Zone School Manager provides a simple L2TP/IPsec-based VPN server out of the box. Inbound and outbound firewall An important part of an Edge firewall/router is WAN filtering. WAN filtering in Family Zone School Manager is split into two different types, Inbound filtering and Outbound filtering. Family Zone School Manager takes a different approach to inbound filtering that we call Automatic inbound filtering. Automatic inbound filtering offers a one-click filtering model that blocks traffic classed as suspicious and/or traffic that does not match inbound NAT rules, VPN rules and routing rules. This means when configuring VPNs, NAT rules, and other rule-sets, administrators do not have to worry about managing firewall rule-sets as well. This reduces administrative overhead and risk of intrusion due to human error. Outbound filtering and filtering between different VLANs is managed with outbound filtering firewall rules. Quality of service QOS When Family Zone School Manager is deployed as an Edge device, QOS functionality is also available. Family Zone School Manager supports two different types of QOS; Priority QOS and Rate Limiting. Priority QOS allows administrators to prioritise traffic based on layer 2-7 criteria. This means HTTPS traffic going to Youtube could be prioritized over Facebook traffic or the like. Priority QOS can be extended to apply to individual user groups or networks and is very flexible. Traffic is given a priority between 1-10. Traffic with a high priority will be prioritised over traffic with a lower priority. Rate Limiting allows administrators to limit network flows, devices and users to certain transfer rates. For example, students could be limited to 10Mb download each during the day to mitigate and control link congestion. 7 Family Zone Technical Guide: Deployments and Network Topologies

Virtual machine deployments Network appliances are traditionally provisioned using dedicated physical hardware, providing a single point of failure (SPOF). This is undesirable. Virtualisation and cloud computing solve this problem, and in an age of Software Defined Networking (SDN) the need for dedicated hardware for network firewalls is no longer a requirement. Family Zone education solutions recommends deploying the Family Zone Appliance as a Virtual Machine under VMware ESXi. VMware ESXi is an industry standard Hypervisor that packages with automatic failover, support for virtualised networking and high performance network offloading. Core Switch VMware Hosts VMware Host Switch Edge or ISP CPE VMware ESXi deployment of Family Zone School Manager When deployed with VMware ESXi, the Family Zone Appliance is hardware- and host-agnostic, and with VMware VMotion can be completely redundant in the event of host failure. The Family Zone Appliance is Linux-based and comes in 64Bit and 32Bit variations. Installation is via a ISO download from our website and installation and basic setup can take as little as 5 minutes. Hardware requirements When configuring a virtualized Family Zone Appliance, some thought should be given to allocated virtualised hardware. Packet filtering is CPU-intensive as opposed to Disk IO or memory-intensive. Minimum recommended requirements: 16Gb SCSI or IDE Disk 4GB memory 2.8Ghz dual core processor For large networks, we recommend scaling the CPU capacity, but leaving the HDD and memory at the recommended defaults above. Exact requirements will depend on a combination of how many connected devices you have, the type and intensity of browsing, and your link size. Virtual networks and VSwitches Deploying Family Zone School Manager on VMware ESXi requires the use of Virtual Networks and VSwitches tied to the host adapters. Normally a minimum of two physical host adapters will be needed, and VLANs and LACP bonding is fully supported by Family Zone School Manager and VMware. Much like physical deployments, a normal virtual deployment includes an uplink and downlink. Each link is virtually connected to a VMware Network, which is tied to a VSwitch and then a physical adapter. 8 Family Zone Technical Guide: Deployments and Network Topologies

Summary Family Zone School Manager takes a heuristic approach to application identification. Coupled with the elastic power of cloud computing and an intuitive cloud dashboard, this provides a high level of visibility and control over your network. With Family Zone School Manager you get accurate, real-time data, and up-todate user- and application-centric control. Family Zone Education Solutions is passionate about making student Internet management easy, and keeping students safe online on any device, any time. 9 Family Zone Technical Guide: Deployments and Network Topologies

About Family Zone Family Zone Education Solutions is committed to making student internet management easy, and keeping students safe online on any device, anywhere, any time. Learn more Visit us www familyzoneschools.com Email us at sales@familyzone.com www.familyzoneschools.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback