Scenario: V114 Configuration on Vyatta

Similar documents
200AE1 Network Services Gateway

firewall { all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name

EdgeMarc 4552 Networking Gateway

4562 Converged Networking Router

VPN Definition SonicWall:

EdgeMarc 250W Network Services Gateway

Lab : Challenge OSPF Configuration Lab. Topology Diagram. Addressing Table. Default Gateway. Device Interface IP Address Subnet Mask

Reference. Application

Deploy ERSPAN with the ExtraHop Discover Appliance and Brocade 5600 vrouter in AWS

G806+H3C WSR realize VPN networking

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

Chapter 5 Advanced Configuration

Reference. Application. Installation

Lab Configuring and Verifying Extended ACLs Topology

Application Note Startup Tool - Getting Started Guide

Application Note. Microsoft OCS 2007 Configuration Guide

Lab 9.6.2: Challenge EIGRP Configuration Lab

AirLive RS Security Bandwidth Management. Quick Setup Guide

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

Startup Tool TG - Getting Started Guide

Remote User - Mediatrix SBC on the Edge

MAC Address Filtering Setup (3G18Wn)

EdgeConnect for Amazon Web Services (AWS)

Yealink VCS Network Deployment Solution

Use this section to help you quickly locate a command.

Remote User - Mediatrix SBC on the Edge

Device Interface IP Address Subnet Mask Default Gateway

GajShield UTM Series uide uick Start G Q

Sonicwall NSA240 / TZ210 Configuration Guide (Firmware: SonicOS Enhanced o & up)

Step 3 - How to Configure Basic System Settings

Application Note Asterisk BE with Remote Phones - Configuration Guide

Example - Allowing SIP-based VoIP Traffic

Internet Telephony PBX System IPX Quick Installation Guide

Yealink VCS Network Deployment Solution

Broadband Router. User s Manual

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Configuring a Palo Alto Firewall in AWS

Chapter 7 LAN Configuration

PANASONIC. Optimum Business Trunking and the Panasonic KX-NCP500 IP PBX V Configuration Guide

LAN Setup Reflection

Silver Peak EC-V and Microsoft Azure Deployment Guide

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

CHAPTER 7 ADVANCED ADMINISTRATION PC

ARCSERVE UDP CLOUD DIRECT DISASTER RECOVERY APPLIANCE VMWARE

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver

Networking Fundamentals. An Introduction to Networks. tel: +44 (0) fax: +44 (0) web:

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

Quick Installation Guide of Acer WLAN 11b Broadband Router

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

VG422R. User s Manual. Rev , 5

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Application Note Configuration Guide for ShoreTel and Ingate

Multi-site Configuration and Installation Guide Port Forwarding Option

Chapter 4 Software-Based IP Access Control Lists (ACLs)

Route Explorer. Contents

Table of Contents. CRA-200 Analog Telephone Adapter 2 x Ethernet Port + 2 x VoIP Line. Quick Installation Guide. CRA-200 Quick Installation Guide

RX3041. User's Manual

Yealink VCS Network Deployment Solution

Example - Configuring a Site-to-Site IPsec VPN Tunnel

Chapter 3 LAN Configuration

Multihoming with BGP and NAT

User Manual Electronic Systems Protection, Inc. / Technical Support: / espei.com

Peplink Balance Multi-WAN Routers

Wireless-G Router User s Guide

Volume SKYSWITCH. Configuring an Edgemarc Nov Configuring An Edgemarc

AirCruiser G Wireless Router GN-BR01G

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

Three interface Router without NAT Cisco IOS Firewall Configuration

Lab - Troubleshooting ACL Configuration and Placement Topology

Aggregate Load Balance with BGP and MPLS MUM ID Oktober 2018 Yogyakarta, Indonesia

Lab: RIP v2 with VLSM

Barracuda Link Balancer

CNPE Communications and Networks Lab Book: Data Transmission Over Digital Networks

Configuration Guide. For Managing EAPs via EAP Controller

A+ Certification Guide. Chapter 16 (Part B) Networking

Introduction to Firewalls using IPTables

Installation with a DSL Connection.

Use of the TCP/IP Protocols and the OSI Model in Packet Tracer

Lab Configuring and Verifying Standard ACLs Topology

Department Of Computer Science

Vendor: Cisco. Exam Code: Exam Name: Cisco Interconnecting Cisco Networking Devices Part 1 (ICND1 v3.0) Version: Demo

Connecting CoovaAP 1.x with RADIUSdesk - Basic

Lab 5.6.2: Challenge RIP Configuration

How to open ports in the DSL router firmware version 2.xx and above

DSL/CABLE ROUTER with PRINT SERVER

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Yealink Video Conferencing System. Network Deployment Solution

LAN Setup Reflection. Ask yourself some questions: o Does your VM have the correct IP? o Are you able to ping some locations, internal and external?

SoHo 401 VPN. Shared Broadband Internet Access VPN Gateway 3-Port Switching Hub, DMZ Port. Quick Install Guide

Quick Start Guide. Manual Legal Docs Other important documentation

Shaw Business Hitron Modem (CGNM-2250) Configuration User Guide

Lab : OSPF Troubleshooting Lab

Spectre RT3G Quick Start Guide and FAQ

Gnet BB005x ADSL modem/router *Configuration and Installation Guide*

SonicWALL / Toshiba General Installation Guide

Application Note Configuration Guide for ShoreTel and Ingate with PAETEC

Set-up for a Netgear DG834G (802.11b & g) ADSL Router with the Adpro FastTrace

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Deployment Guide: Routing Mode with No DMZ

Lab Configuring DHCP

Transcription:

Scenario: V114 Configuration on Vyatta This section steps you through initial system configuration tasks. These are tasks that are required for almost any scenario in which you might use the V114 on the Vyatta system. These include: Vyatta: Logging On Entering Configuration Mode Configuring Interfaces Configuring Access to DNS Server Configuring DHCP Server Configuring NAT Configuring Firewall to allow SIP/RTP traffic to the V114 from internet. V114: LED on the V114 Accessibility to the Positron-GUI Configuring Interface Figure 1 shows a network diagram of the V114 configuration scenario. Note: This whitepaper assumes we are using a standard vyatta live CD thus the V114 s PCI driver is not compiled into the vyatta source code. Logging On The first step is to log on. Our examples use the predefined non-root user vyatta. Procedure: Log on as user vyatta. The default password for this user is vyatta. The password is not echoed onto the screen. Welcome to Vyatta - vyatta tty1 vyatta login: vyatta Password: Linux vyatta 2.6.30-1-586-vyatta #2 SMP Tue Sep 15 18:34:05 CEST 2009 i686 Welcome to Vyatta. This system is open-source software. The exact distribution terms for each module comprising the full system are described in the individual files in /usr/share/doc/*/copyright. vyatta@vyatta:~$ Entering Configuration Mode When you log on, you are in operational mode. To configure the system, you must enter configuration mode. Vyatta-Positron 1

Procedure: Enter configuration mode by entering configure. vyatta@vyatta:~$ configure Note: The command prompt changes to mark the move from operational mode ( :~$ ) to configuration mode ( # ). Configuring Interfaces The kind and number of interfaces you configure will depend on your physical device and the topology of your network. However, almost every topology will require that at least one Ethernet interface be configured. The Vyatta System automatically discovers all physical interfaces on startup and creates configuration nodes for them. In this basic scenario, we ll configure the Ethernet interface eth0 as an Internetfacing interface, while eth1 is the Ethernet Interface facing the Local area network. The loopback interface, which is a software interface automatically, created on startup is preconfigured to IP address 127.0.0.1/8. The loopback interface will always be available as long as the device is reachable at all. This makes the loopback interface particularly useful for mapping to the system host name, as a router ID in routing protocols such as BGP and OSPF, or as a peer ID for internal BGP peers. Procedure for configuring an Internet-facing Ethernet interface Assuming that ISP provided the dynamic IP address, the interface eth0 is configured as below. vyatta@vyatta # set interfaces ethernet eth0 address dhcp vyatta@vyatta # commit Procedure for configuring the Office LAN-facing Ethernet interface vyatta@vyatta # set interfaces ethernet eth1 address 192.168.5.1/24 vyatta@vyatta # commit To view the configuration we use the show command: show interfaces ethernet eth0 { address dhcp hw-id 08:00:27:d0:ea:b3 Vyatta-Positron 2

ethernet eth1 { address 192.168.5.1/24 hw-id 08:00:27:d0:ea:03 loopback lo { Note: The default gateway for the internet facing Ethernet interface is obtained from the dhcp IP address provided by the ISP. Configuring Access to a DNS server In order to be able to translate host names (such as www.vyatta.com) to IP addresses (such as 76.74.103.45), the system must be able to access a DNS server. Procedure for Specifying a DNS server In our example, the DNS server IP Address is provided by the ISP, i.e 24.200.243.189. Add the DNS server using the set system name-server command. set system name-server 24.200.243.189 commit Configuring DHCP Server DHCP provides dynamic IP addresses to hosts on a specified subnet. In our scenario, the DHCP server provides addresses to hosts on the Office LAN (attached to interface eth1 ). Procedure for setting up DHCP Server For the DHCP server, define an address pool from 192.168.5.100 to 192.168.5.199 to dynamically assign addresses to hosts on the Office LAN. Also, set the default router and DNS server to the values that will be assigned to hosts on the Office LAN. The default router for these devices will be the LAN-facing interface of the Internet gateway. set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.5.0/24 start 192.168.5.100 stop 192.168.5.199 set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.5.0/24 default-router 192.168.5.1 set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.5.0/24 dns-server 24.200.243.189 commit Vyatta-Positron 3

To view the configuration we use the below command: show service dhcp-server shared-network-name ETH1_POOL { subnet 192.168.5.0/24 { dns-server 24.200.243.189 default-router 192.168.5.1 start 192.168.5.100 { stop 192.168.5.199 Configuring NAT The Internet gateway should send outbound traffic from the Office LAN out through the Internetfacing interface and translate all internal private IP addresses to a single public address. This is done by defining a Network Address Translation (NAT) rule. Procedure to define a NAT rule Define a rule that allows traffic from network 192.168.5.0/24 to proceed to the Internet through interface eth0, and translates any internal addresses to eth0 s IP address. (This is called masquerade translation.) set service nat rule 1 source address 192.168.5.0/24 set service nat rule 1 outbound-interface eth0 set service nat rule 1 type masquerade commit We would also need to configure the nat rules so that the remote users can register their SIP Phones from internet to the V114. Nat rules 2, 3 are used for this purpose. set service nat rule 2 description SIP-V114 set service nat rule 2 destination port 5060-5065 set service nat rule 2 inbound-interface eth0 set service nat rule 2 inside-address address 192.168.5.10 set service nat rule 2 inside-address port 5060-5065 set service nat rule 2 protocol udp set service nat rule 2 type destination commit Vyatta-Positron 4

set service nat rule 3 description RTP-V114 set service nat rule 3 destination port 10001-20000 set service nat rule 3 inbound-interface eth0 set service nat rule 3 inside-address address 192.168.5.10 set service nat rule 3 inside-address port 10001-20000 set service nat rule 3 protocol udp set service nat rule 3 type destination commit To view the configuration we use the below command: show service nat rule 1 { outbound-interface eth0 source { address 192.168.5.0/24 type masquerade rule 2 { description SIP-V114 destination { port 5060-5065 inbound-interface eth0 inside-address { address 192.168.5.10 port 5060-5065 protocol udp type destination rule 3 { description RTP-V114 destination { port 10001-20000 inbound-interface eth0 inside-address { address 192.168.5.10 port 10001-20000 protocol udp type destination Vyatta-Positron 5

Network Design The Network design used for this whitepaper is as shown in Figure 1. A Positron V-114 is installed in the Vyatta Router in one of the PCI Slots. Figure 1: Network Design Configuring Firewall As it is shipped, the Vyatta System does not restrict traffic flow through it, unless a firewall rule is applied. The firewall functionality provides packet filtering which enables great flexibility in restricting traffic as required. In this simple scenario, the Internet gateway should allow hosts on the local network and services on the gateway itself to initiate traffic to the Internet, but it should drop all traffic that is initiated from the Internet. This section sets up a basic firewall configuration to do this. Essentially, this sequence defines a firewall rule set allowing traffic initiated from, or passing through, Vyatta-Positron 6

the gateway to the Internet. All other packets are implicitly denied, because there is an implicit deny all rule at the end of any rule set. In general, to configure a firewall on an interface: You define a number of named firewall rule sets, each of which contains one or more firewall rules. You apply the each of the named rule sets to an interface as a filter. You can apply one named rule set as each of the following on an interface: o in. If you apply the rule set to an interface as in, the rule set filters packets entering the interface. o out. If you apply the rule set to an interface as out, the rule set filters packets leaving the interface. o local. If you apply the rule set to an interface as local, the rule set filters packets destined for the system itself. Procedure to define a firewall rule set Consider a simple example; the natural inclination is to simply create a rule to deny all inbound traffic (i.e. from any source network to any destination network) on the internet-facing interface. The problem with this approach is that outbound connections will not complete properly because response packets required to complete these connections will be denied as well. To circumvent this issue we must explicitly allow only these response packets as shown in the following example. This can be interpreted as accept packets from established connections only (where established connections includes responses to new connections). Because the final (implicit) rule in the rule set is deny all, this rule set will deny all other traffic on the interface destination (i.e. in, out, or local) that it is applied to. set firewall name ETH0IN set firewall name ETH0IN rule 10 set firewall name ETH0IN rule 10 action accept set firewall name ETH0IN rule 10 state established enable set firewall name ETH0IN rule 20 action accept set firewall name ETH0IN rule 20 protocol udp set firewall name ETH0IN rule 20 source address 0.0.0.0/0 set firewall name ETH0IN rule 20 source port 5060-5065 set firewall name ETH0IN rule 20 destination address 192.168.5.10 set firewall name ETH0IN rule 20 state new enable set firewall name ETH0IN rule 20 state established enable set firewall name ETH0IN rule 20 state related enable set firewall name ETH0IN rule 30 action accept set firewall name ETH0IN rule 30 protocol udp Vyatta-Positron 7

set firewall name ETH0IN rule 30 source address 0.0.0.0/0 set firewall name ETH0IN rule 30 source port 10001-20000 set firewall name ETH0IN rule 30 destination address 192.168.5.10 set firewall name ETH0IN rule 30 state new enable set firewall name ETH0IN rule 30 state established enable set firewall name ETH0IN rule 30 state related enable commit Procedure for applying the rule set to an interface Now that we have the rule set, we need to apply it as in and local on the internet-facing interface (eth0 in our example) so that connections can only be established from these locations to the Internet. set interfaces ethernet eth0 firewall in name ETH0IN set interfaces ethernet eth0 firewall local name ETH0IN commit To view the firewall rule set we created: show firewall name ETH0IN { rule 10 { action accept state { established enable rule 20 { action accept destination { address 192.168.5.10 protocol udp source { address 0.0.0.0/0 port 5060-5065 state { established enable new enable related enable rule 30 { action accept Vyatta-Positron 8

destination { address 192.168.5.10 protocol udp source { address 0.0.0.0/0 port 10001-20000 state { established enable new enable related enable Now let s see this rule set applied as a filter to in and local on interface eth0: show interfaces ethernet ethernet eth0 { address dhcp firewall { in { name ETH0IN local { name ETH0IN hw-id 08:00:27:d0:ea:b3 ethernet eth1 { address 192.168.5.1/24 hw-id 08:00:27:d0:ea:03 This completes configuration of a basic Internet Gateway. LED on the V114 We need to make sure the green LED on the V114 is Solid green which would mean the V114 does not have any software/hardware issues. Accessibility to the Positron-GUI It is also important to connect a cable from the Ethernet port on the V114 to a PC/Laptop. The V114 has the default IP address as 192.168.1.2/24. Hence to access the V114, we will assign the IP address of 192.168.1.100/24 to the PC/Laptop connected to the other end of the cable. Once the IP Address is configured, we would check the following. 1. Check to see the link is connected on the PC as 100 MBPS Full duplex connection. 2. Ensure we have successful ping responses to the V114. i.e, a successful ping 192.168.1.2. Vyatta-Positron 9

If the ping responses are successful, we can open browser of our choice and type in the IP address of the V114 to access the Positron GUI as shown in Figure 2. Figure 2: Positron GUI The default username/password for the Positron GUI is admin/password. If the ping responses are not successful, please check the ip address assigned to the PC/Laptop and if the cable is properly connected. Configuring Interface We configure the IP address of the V114 as 192.168.5.10/24 as shown in the network design (Figure 1) using the Positron GUI Figure 3. Please click on the System Network to configure the Network interface on the V114. Vyatta-Positron 10

Figure 3: Network Configuration Once we saved the network configuration, we can plug the V114 to the Ethernet port to the LAN switch using an Ethernet cable. We would also change the IP on the PC from 192.168.1.100/24 to its original IP address. Now you can ping the 192.168.5.10 from any PC or Server in the Office LAN. This also implies you can register all the SIP phones to the V114 over the LAN. The firewall rules are programmed to accept any SIP traffic on the eth0 (WAN) ethernet interface on the vyatta to be redirected to the V114 IP address. Thus, SIP phones can also be registered to the V114 from the internet. Vyatta-Positron 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback