WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

Transcription

1 WiNG 5.X How To Policy Based Routing Cache Redirection Part No. TME Rev. A

2 MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners Motorola Solutions, Inc. All Rights Reserved.

3 Table of Contents Table of Contents Introduction Overview Configuration IP Access Control Lists Virtual IP Interfaces & Port Assignments Network Address Translation Policy Based Routing Verification Basic Networking Routing Policy Network Address Translation Appendix Running-Configuration... 18

4 1. Introduction WiNG 5.3 introduces Policy Based Routing (PBR) which allows a WiNG 5 device to make IPv4 forwarding decisions based on user defined match criterion. Prior to PBR, all IPv4 forwarding decisions were made using destination based routing. The introduction of BPR allows WiNG 5 to address multiple challenges faced by administrators in remote branch networks. Using policies network administrators can configure a WiNG 5 device to forward IPv4 outside the constraints enforced with destination based routing without having to deploy additional hardware at a branch site. For example PBR can be employed to: 1) Distribute traffic over different WAN, MPLS or Internet paths. 2) Provide failover between multiple WAN, MPLS or Internet paths. 3) Load-balance traffic across multiple WAN, MPLS or Internet paths while providing failover. 4) Mark and forward select traffic for QoS purposes. 5) Forward select traffic to specific hosts for inspection or other services. With PBR forwarding decisions can now be made a WiNG 5 device using a number of criterion including source VLAN, source / destination IPv4 address, protocol type, traffic class, associated Wireless LAN or the users assigned role. As an action PBR can be configured to mark the QoS value for the select traffic or forward the select traffic to a specific host. For availability PBR can also leverages Critical Resource Monitoring which allows routers and network paths to be monitored for liveliness. If the next-hop router or network path is un-reachable, traffic can be forwarded using another PBR policy or can be subjected to destination based routing. Page 4

5 1.1 Overview This guide focuses on utilizing PBR on a RFS4000 to forward select traffic to host that resides locally at a branch site. In this example PBR will be configured to forward TCP port 80 (HTTP) traffic to a caching server to optimize Internet bandwidth. Non HTTP traffic will bypass the caching server and will be subjected to destination based routing. The configuration in this guide consists of the following components: 1) One RFS4000 running WiNG R firmware that is directly connected to the users, cache server and public Internet. 2) Policy Based Routing (PBR) will be enabled to forward user HTTP traffic to the cache server. Non HTTP traffic will be ignored. 3) Network Address Translation (NAT) will be enabled allowing the cache server and users to access the Internet. NAT will also be configured to ignore user HTTP traffic destined to the caching server. 4) Critical Resource Monitoring will be employed to check the liveliness of the caching server. If the caching server fails, user traffic is subjected to destination based routing. Page 5

6 1.1.1 Operation During normal operation Policy Based Routing (PBR) will forward HTTP traffic from the users directly to the cache server. If the cache server has the content pre-cached, it responds to the users with the content without accessing the public Internet. If the content is not pre-cached, the caching server accesses the public Internet to cache the content and will respond to the user directly. Subsequent requests to the cached content will be served directly by caching server without re-accessing the public Internet. Non-HTTP traffic such as DNS, FTP or HTTPS will be subject to normal destination based routing. Non- HTTP traffic will be NATTed and forwarded to the RFS4000s default gateway. No non-http traffic is forwarded to the caching server in this example. If the caching server fails and is not reachable from the RFS4000, traffic will be subjected to destination based routing. HTTP and non-http traffic will both be forwarded to the RFS4000s default gateway. Once the caching server is on-line, HTTP traffic will be forwarded to the caching server. Page 6

7 2. Configuration 2.1 IP Access Control Lists For this configuration step three IP Access Control Lists (ACLs) are required: Network Address Translation (NAT) The first IP ACL that is required is for network address translation (NAT). NAT is required so that hosts connected to the RFS4000 can access the public Internet. The NAT ACL contains three rules: 1) Rule 1 Denies TCP port 80 (HTTP) traffic from the user subnet ( /24) destined to the cache server ( ). This rule is required so that HTTP traffic from users redirected to the cache server is not NATTed. 2) Rule 2 Permits IP traffic from the user subnet ( /24) destined to the public internet (any). This rule is required so that user s traffic destined to the public Internet is NATTed to the public interface on the RFS ) Rule 3 Permits IP traffic from the cache server ( /24) destined to the public internet (any). This rule is required so that cache server traffic destined to the public Internet is NATTed to the public interface on the RFS4000. During normal operation users HTTP traffic will be captured and re-directed to the cache server using policy based routing. The cache server will either serve the content from is cache and respond to the request or it will access the Internet to pull the content. Non HTTP traffic will be NATTed directly and forwarded to the public Internet bypassing policy based routing. If the cache server becomes unreachable, all user traffic is NATTed to the public interface directly. NAT ACL: ip access-list NAT deny tcp /24 host eq www rule -precedence 10 permit ip /24 any rule-precedence 20 permit ip host any rule-precedence Cache Redirection The second IP ACL that is required is for policy based routing (PBR). The CACHE ACL contains one rule: 1) Rule 1 Permits TCP port 80 (HTTP) traffic from the user subnet ( /24) destined to the public Internet. This rule is required so that PBR can re-direct HTTP traffic to the cache server. Cache Redirection ACL: ip access-list CACHE permit tcp /24 any eq www rule-precedence 20 Page 7

8 2.1.3 Inbound Internet The third IP ACL that is required is for inbound traffic received on the public IP interface on the RFS4000. The INTERNET-INBOUND ACL contains one rule: 1) Rule 1 Denies all IP traffic and logs matches. This rule is required so that inbound traffic received on the public IP interface on the RFS4000 is denied. If this rule was absent, hosts on the public Internet would be able to directly communicate with the RFS4000. Inbound Internet ACL: ip access-list INTERNET-INBOUND deny ip any any log rule-precedence Virtual IP Interfaces & Port Assignments For this configuration step three virtual IP interfaces are required. In this example the virtual IP interfaces and VLAN port assignments will be assigned directly to the RFS4000s device configuration as overrides: VLAN 20 (Users) The first virtual IP interface that is required is for VLAN 20 which is used for users and device management. All wired and wireless users will be assigned to VLAN 20. In this example the IP address /24 is assigned to VLAN 20 which will be the default gateway for users at the site. User Virtual IP Interface: interface vlan20 description USERS ip address / VLAN 26 (Cache Server) The second virtual IP interface that is required is for VLAN 26 which is used by the cache server. In this example the IP address /24 is assigned to VLAN 26 which will be the default gateway for the cache server at the site. Cache Virtual IP Interface: interface vlan26 description CACHE ip address /24 Page 8

9 2.2.3 VLAN 4094 (Internet) The third virtual IP interface that is required is for VLAN 4094 which is the public interface on the RFS4000. In this example IP addressing will be provided by DHCP from the service provider. Additionally the IP ACL named INTERNET-INBOUND is assigned to the virtual IP interface to deny and log any inbound traffic received by the public interface: Internet Virtual IP Interface: interface vlan4094 description INTERNET ip address dhcp ip dhcp client request options all use ip-access-list in INTERNET-INBOUND VLAN Port Membership In this configuration example the public internet connection, cache server and users are directly connected to the RFS4000 so VLAN port assignments need to be defined: 1) Users Are connected to Gigabit Ethernet ports 1 3. Ports Ge1 Ge3 are defined as access ports with the native VLAN id set to 20. 2) Cache Server Is connected to Gigabit Ethernet port 4. Ge3 is defined as an access port with the native VLAN id set to 26. 3) Internet Is connected to Gigabit Ethernet port 5. Ge5 is defined as an access port with the native VLAN id set to Switchport Assignments: rfs D-E4 use profile default-rfs4000 use rf-domain default hostname rfs license AP DEFAULT-6AP-LICENSE interface ge1 switchport mode access switchport access vlan 20 interface ge2 switchport mode access switchport access vlan 20 interface ge3 switchport mode access switchport access vlan 20 interface ge4 switchport mode access Page 9

10 switchport access vlan 26 interface ge5 description INTERNET switchport mode access switchport access vlan 4094 Configuration Removed for Brevity 2.3 Network Address Translation For this configuration step each virtual IP interface will be enabled for NAT and a NAT rule will be defined. In this example the NAT interfaces and rule will be assigned directly to the RFS4000s device configuration as overrides: NAT Interfaces For NAT to function each virtual IP interface needs to be designated as a NAT inside or outside interface. If no designation is made, NAT will not function: 1) VLAN 20 Will be designated as a NAT inside interface. 2) VLAN 26 Will be designated as a NAT inside interface. 3) VLAN 4094 Will be designated as a NAT outside interface. NAT Interfaces: interface vlan20 description USERS ip address /24 ip nat inside interface vlan26 description CACHE ip address /24 ip nat inside interface vlan4094 description INTERNET ip address dhcp ip dhcp client request options all use ip-access-list in INTERNET-INBOUND ip nat outside Page 10

11 2.3.2 Dynamic NAT Rule Once each virtual IP interface has been enabled for NAT, a dynamic NAT rule needs to be defined that tells the RFS4000 which traffic is subjected to NAT and where to translate the traffic to. In this example the IP ACL named NAT is used to determine which traffic is subjected to NAT and all the internal traffic will be translated to single IP address on the public virtual IP interface VLAN NAT Rule Assignment: rfs D-E4 use profile default-rfs4000 use rf-domain default hostname rfs Configuration Removed for Brevity ip nat inside source list NAT interface vlan4094 overload Page 11

12 2.4 Policy Based Routing For this configuration step a routing policy and map will be defined to forward TCP port 80 (HTTP) traffic to the cache server. In this example the routing policy will be assigned directly to the RFS4000s device configuration as an override: Routing Policy and Map A routing policy and route-map need to be defined to re-direct TCP port 80 (HTTP) traffic to the cache server. The routing policy forwards IPv4 traffic based on match conditions defined in the route-map. In this example a routing policy named PBR will be created with a single route-map. The route-map will match HTTP traffic received by the user s subnet ( /24) and will forward the HTTP traffic to the cache server host ( ). The IP ACL named CACHE determines which traffic the routemap will select. Traffic that is not matched by the routing policy is subjected to normal destination based routing and will be forwarded out the RFS4000s default gateway. HTTP traffic received from the cache server will also be forwarded using destination based routing. Only HTTP traffic forwarded from the users on the /24 network will be matched by the routing policy. By default the routing policy will use Critical Resource Monitoring (CRM) to monitor the health of the cache server. CRM monitors the health of the Cache server by sending ICMP packets and monitoring the ARP cache. If the cache server becomes un-reachable, HTTP traffic is subjected to destination based and is forwarded out the RFS4000s default gateway. Note Critical Resource Monitoring (CRM) can only detect if the Cache server responds to ARP and ICMP and cannot validate if the caching service is operational. If the caching service fails but the caching server is reachable, the route-map will continue to forward traffic to the cache server. Routing Policy: routing-policy PBR route-map 1 match ip-access-list CACHE match incoming-interface vlan20 next-hop Page 12

13 2.4.2 Routing Policy Assignment Once the routing policy and route-map has been defined, it needs to be assigned to the RFS4000. In this example the routing policy named BPR is assigned directly to the RFS4000s device configuration as a device override: Routing Policy Assignment: rfs D-E4 use profile default-rfs4000 use rf-domain default hostname rfs Configuration Removed for Brevity ip nat inside source list NAT interface vlan4094 overload use routing-policy PBR Page 13

14 3. Verification 3.1 Basic Networking Issue the show ip interface brief command to verify the virtual IP interfaces have been defined correctly and the STATUS and PROTOCOL is up. In this example virtual IP interfaces for VLANs 20, 26 and 4094 have been defined and each and up and operational: rfs4000-1# show ip interface brief INTERFACE IP-ADDRESS/MASK TYPE STATUS PROTOCOL vlan1 unassigned n/a UP up vlan /24 primary UP up vlan /24(DHCP) primary UP up vlan /24 primary UP up Issue the show ip route command to verify the default gateway has been defined. In this example the default gateway has been learned from the ISP using DHCP: rfs4000-1# show ip route DESTINATION GATEWAY FLAGS INTERFACE /24 direct C vlan /24 direct C vlan /24 direct C vlan20 default CG vlan Flags: C - Connected G - Gateway Page 14

15 Issue the show interface switchport command to verify the VLANs are assigned to the correct ports. In this example VLAN 20 (Users) is assigned to ports Ge1 Ge3, VLAN 26 (Cache) is assigned to Ge4 and VLAN 4094 (Internet) is assigned to Ge5: rfs4000-1# show ip route INTERFACE STATUS MODE VLAN(S) ge1 UP access 20 ge2 DOWN access 20 ge3 DOWN access 20 ge4 UP access 26 ge5 UP access 4094 up1 DOWN access A '*' next to the VLAN ID indicates the native vlan for that trunk port 3.2 Routing Policy Issue the show route-maps command to display the state of the routing policy and determine if any traffic is being forwarded to the cache server. In this example the cache server is UP and reachable and the HITCOUNT counter is incrementing each time a new HTTP session is initiated indicating HTTP traffic is being forwarded to the cache server: rfs4000-1# show route-maps Route Map 1 primary next-hop: , status UP (Gateway monitoring) Rules: Incoming interface: vlan20 permit tcp /24 any eq www HITCOUNT 654 If the cache server becomes un-reachable, the status of the cache server will change to UNREACHABLE and the traffic will be subjected to normal destination based routing. The HITCOUNT counter will not increment if the cache server is not reachable: rfs4000-1# show route-maps Route Map 1 primary next-hop: , status UNREACHABLE (Gateway monitoring) Rules: Incoming interface: vlan20 permit tcp /24 any eq www HITCOUNT 654 Page 15

16 3.3 Network Address Translation Issue the show ip nat translations verbose command to view the NAT translation table. During normal operation HTTP traffic will be forwarded to the cache server: 1) If the requested web content is not already cached by the cache server, it will contact the web server and pull the content. The cache server then responds with the content to the user. 2) If the content is cached, the cache server responds with the content to the user without accessing the Internet. Each time the cache server contacts an external web server a NAT translation entry will be created. Users accessing non HTTP sites will be forwarded and NATTed directly bypassing the cache server. The following NAT translation table shows various entries for HTTP and non HTTP traffic. Traffic from the host IP address represents HTTP or DNS traffic originated from the caching server while traffic from hosts on the user s network /24 represents non HTTP and DNS traffic that is bypassing the cache server: rfs4000-1# show ip nat translations verbose PROTO ACTUAL SOURCE ACTUAL DESTINATION NATTED SOURCE NATTED DESTINATION TCP : : : :80 TCP : : : :80 UDP : : : :53 TCP : : : :80 TCP : : : :80 TCP : : : :443 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :443 TCP : : : :80 TCP : : : :80 TCP : : : :80 Page 16

17 If the cache server becomes un-reachable, the users traffic is subjected to normal destination based routing. The following NAT translation table shows various entries for HTTP and non HTTP traffic originating from the user network /24 which is NATTed directly by the RFS4000: rfs4000-1# show ip nat translations verbose PROTO ACTUAL SOURCE ACTUAL DESTINATION NATTED SOURCE NATTED DESTINATION TCP : : : :80 UDP : : : :53 TCP : : : :80 TCP : : : :80 TCP : : : :443 TCP : : : :80 TCP : : : :80 TCP : : : :443 TCP : : : :80 TCP : : : :80 TCP : : : :80 TCP : : : :80 Page 17

18 4. Appendix 4.1 Running-Configuration Routing Policy Assignment: Configuration of RFS4000 version R version 2.1 ip access-list CACHE permit tcp /24 any eq www rule-precedence 20 ip access-list INTERNET-INBOUND deny ip any any log rule-precedence 100 ip access-list NAT deny tcp /24 host eq www rule -precedence 10 permit ip /24 any rule-precedence 50 permit ip host any rule-precedence 60 firewall-policy default mint-policy global-default wlan-qos-policy default qos trust dscp qos trust wmm radio-qos-policy default ap300 default-ap300 interface radio1 interface radio2 dhcp-server-policy default dhcp-pool vlan20 network /24 address range domain-name tmelabs.local default-router Page 18

19 dns-server management-policy default no http server https server ssh user admin password 0 motorola role superuser access all user operator password 0 operator role monitor access all no snmp-server manager v2 snmp-server community public ro snmp-server user snmpoperator v3 encrypted des auth md5 0 operator snmp-server user snmptrap v3 encrypted des auth md5 0 motorola snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola routing-policy PBR route-map 1 match ip-access-list CACHE match incoming-interface vlan20 next-hop l2tpv3 policy default profile rfs4000 default-rfs4000 autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure interface radio1 interface radio2 interface up1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust Page 19

20 qos trust dscp qos trust 802.1p interface ge3 ip dhcp trust qos trust dscp qos trust 802.1p interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p interface ge5 ip dhcp trust qos trust dscp qos trust 802.1p interface wwan1 interface pppoe1 use firewall-policy default logging on service pm sys-restart router ospf rf-domain default no country-code rfs D-E4 use profile default-rfs4000 use rf-domain default hostname rfs license AP DEFAULT-6AP-LICENSE interface ge1 switchport mode access switchport access vlan 20 interface ge2 switchport mode access switchport access vlan 20 interface ge3 switchport mode access switchport access vlan 20 interface ge4 switchport mode access switchport access vlan 26 interface ge5 description INTERNET switchport mode access switchport access vlan 4094 interface vlan20 Page 20

21 description USERS ip address /24 ip nat inside interface vlan26 description CACHE ip address /24 ip nat inside interface vlan4094 description INTERNET ip address dhcp ip dhcp client request options all use ip-access-list in INTERNET-INBOUND ip nat outside use dhcp-server-policy default logging on logging console warnings logging buffered warnings ip nat inside source list NAT interface vlan4094 overload use routing-policy PBR end Page 21

22 Page 22