Design and Implementation Guide. Data Center Design Guide: Implement McAfee Next Generation Firewall for the Perimeter



Table of Contents

Introduction
  McAfee Next Generation Firewall
  Purpose of the document
  Audience
  Resources
Terminology
  McAfee Next Generation Firewall cluster
  Cisco Virtual PortChannel (vPC)
Secure Data Center Design with McAfee Next Generation Firewall
  Design overview
  Equipment used in this design
Best Practices for McAfee Firewall Cluster Implementation
  Implement a native firewall cluster
  Implement backup heartbeat on a native cluster
  Graceful shutdown of a firewall
  Performing maintenance tasks on a native cluster
McAfee Firewall Cluster with Cisco vPC
Configuration
  McAfee Next Generation Firewall configuration
  Cisco 9000 Series configuration
Support
  Evaluating McAfee Next Generation Firewall
  McAfee Next Generation Firewall customers

Introduction

The integration of McAfee Next Generation Firewall (McAfee NGFW) and Cisco Nexus 9000 Series Switches delivers a secure, feature-rich, highly available data center solution. A reliable network firewall helps protect your business from unauthorized access while permitting legitimate traffic; it is an essential component of networks of all sizes. Customers can choose switches from any networking vendor that supports a feature similar to the vPC feature in Cisco switches, commonly known as multichassis link aggregation.

McAfee Next Generation Firewall

McAfee NGFW protects enterprise networks with high-performance, intelligence-aware security controls supported by real-time updates from the Security Connected ecosystem. Known for its evasion prevention technology, McAfee NGFW provides protection where businesses need it: at the network edge, in data centers, at branch offices, and at remote sites. Native clustering, built-in load balancing, granular application control, intrusion prevention system (IPS), virtual private networking (VPN), and deep packet inspection capabilities form the foundation of network performance and protection. In addition, the evasion prevention technologies in McAfee NGFW fully normalize network traffic flows before inspection, exposing and blocking advanced evasion methods. High-availability features and flexible deployment options are integrated into an efficient, scalable unified design. McAfee NGFW is available in hardware appliance, virtual appliance, and software form factors.

Purpose of the document

The purpose of this document is to provide information about design considerations and implementation steps when deploying McAfee NGFW in a data center. The scenarios in this document were designed to simulate a typical data center deployment and were validated in an internal test environment at McAfee, a part of Intel Security. Customers can use these best practices to design and implement similar configurations in their environments. These examples can also be used by Intel Security system engineers, architects, and professional services teams to create customer proof-of-concept (PoC) implementations. Each scenario provides an overview of the design with validated results; the scenarios do not need to be read in any particular order.

Audience

This document is designed for customers who want to deploy McAfee NGFW in their data centers. The document contains McAfee NGFW and Cisco Nexus 9000 Series Switch designs and configurations, and it recommends best practices for deploying McAfee NGFW in the data center. The document includes results of customer network scenarios that were simulated in our lab.

Resources

To learn more about McAfee NGFW, find additional documentation, download a product evaluation, or get product support, please visit our website:
Product documentation
McAfee Expert Center
McAfee Next Generation Firewall
Product evaluation
McAfee Evader test tool

Terminology

McAfee Next Generation Firewall cluster

Overview
A McAfee NGFW cluster consists of two to 16 physical firewall appliances that function as a single entity. Clustering is a standard feature that can be activated on any McAfee NGFW model, provided you have two or more licensed firewalls.

Benefits of clustering
McAfee Next Generation Firewall is designed to enable high availability through native clustering, ensuring that administrators are able to maintain network connectivity in the event of failures. Native clustering also provides scaling of both bandwidth and processing power, allowing IT to provide the necessary performance for demanding workloads.

As shown in Figure 1, the traditional method of achieving high availability is to manually implement a cluster composed of two nodes: an active node and a passive backup node. If the active node fails, the network connections and operations move to the passive node. This implementation requires the administrator to keep the configuration of the active and passive nodes in sync. Although traditional active-passive configurations provide some degree of high availability, this method does not provide scaling for bandwidth or performance. Because the traditional method requires that the hardware and software versions of the nodes be the same, any maintenance or software upgrade requires planned downtime.

Figure 1. Clustering choices.

The next level of availability is best described as non-native clustering, because the clustering technology is not built into the security solution. Non-native clustering is built on the traditional active-passive clustering methodology and adds further active nodes. Because the nodes are not cluster-aware and do not communicate or cooperate, non-native clustering must rely on external third-party load balancers on either side of the security infrastructure to provide both availability and scaling of bandwidth and performance. As with traditional clustering, configuration synchronization must be implemented, often manually, by the IT administrator, and the additional cost and management of the load balancers must be taken into account.

McAfee NGFW implements native clustering, in which all nodes in the cluster are aware of and communicate with all other nodes in the cluster. Load balancing is handled automatically by the nodes, eliminating the need for external devices and greatly simplifying implementation and management. McAfee Security Management Center (SMC) maintains the central repository of the security infrastructure configuration. When changes are made to the configuration, McAfee SMC updates the configuration on each node, maintaining configuration synchronization automatically. If a node in the cluster is taken offline for any reason, the other nodes in the cluster automatically pick up the workload, providing resilience and high availability with minimal performance impact and without administrator intervention. As the cluster is expanded, the processing power and network bandwidth of the new nodes provide additional packet processing and network capacity, scaling the security infrastructure for both performance and bandwidth.

In McAfee NGFW, clustering of the firewall engines is integrated into the product, providing built-in high availability and active-active load balancing. Firewall engines dynamically load balance individual connections between the cluster nodes, transparently transferring connections to available nodes if a node becomes overloaded or experiences a failure.

Another benefit of McAfee NGFW clustering is that the hardware on which the cluster nodes run does not need to be identical. In addition, different cluster nodes can run different software versions. Different types of equipment can be used as long as all nodes have enough network interfaces for your configuration. Firewall clusters can run on a McAfee Next Generation Firewall appliance, on a standard server with an Intel-compatible processor, or between master nodes in a virtual context environment. If equipment with different performance characteristics is clustered together, the load-balancing technology automatically distributes the load so that lower-performance nodes handle less traffic than higher-performance nodes. However, when a node goes offline, the remaining node(s) must be able to handle all traffic on their own to help ensure high availability. For this reason, it is usually best to cluster nodes with similar performance characteristics.

McAfee NGFW also supports active-standby clustering, in which only one node actively processes traffic and the other nodes wait on standby, ready to take over if the currently active node goes offline. Nodes that should not take over automatically can be set offline as usual. The drawback of standby mode, as mentioned earlier, is that clustering the firewalls provides no performance benefit, so it is not a recommended best practice.

What problem are we solving?
Security infrastructure scalability, resilience, and performance are significant challenges as organizations take on the critical role of providing information security in the face of ever-expanding threats against the network. Customers are often forced to choose between performance and security, turning off important inspection features to preserve network bandwidth. Traditional solutions have relied on monolithic architectures requiring custom hardware and over-provisioning to meet these challenges, or have used third-party load balancers to insert more independent appliances into the network path. McAfee NGFW native clustering offers scalability and resilience while securing the network. With these clustering capabilities, customers no longer have to choose between performance and security. A four-node firewall cluster can achieve a performance gain of up to 370%.

Communication between firewall nodes
Firewall cluster nodes exchange information constantly: the state tables that list open connections (state sync) and the operating state of the other nodes (heartbeat). This exchange helps ensure that all firewall nodes have the same information about the connections, and that if a firewall node becomes unavailable, the other nodes in the cluster notice immediately. The exchange takes place over selected interfaces through a heartbeat network using multicast transmissions. The heartbeat messages are authenticated (authentication is enabled by default) and can also be encrypted if necessary. Because the state sync carries the cluster's full connection table, keep the heartbeat network dedicated to the cluster nodes, and enable encryption whenever heartbeat traffic has to cross a segment shared with other hosts.

Configuration of firewall clusters
McAfee NGFWs are configured and managed centrally through McAfee SMC. The firewall cluster element represents the firewall cluster's configuration in McAfee SMC. The main configuration options in the firewall cluster element include the settings related to network interfaces and clustering. In a firewall cluster configuration, the recommended approach is load-balanced clustering, in which traffic is balanced between the nodes dynamically. Load-balanced clustering provides both fault tolerance and performance benefits. The traffic arriving at the firewall cluster is balanced across the nodes according to the settings of the cluster's load-balancing filter. This filter distributes packets between the firewall nodes and keeps track of packet distribution: the firewall determines which node owns a packet by comparing the incoming packet with node-specific values derived from the packet headers. The load-balancing filter is pre-configured for optimal performance and is not meant to be adjusted independently by system administrators. The firewall cluster keeps track of every connection and knows which firewall node is handling which connection. As a result, all packets that are part of a given connection can be handled by the same firewall node. Some protocols use multiple connections, which are sometimes handled by different nodes, but this does not usually affect the processing of the traffic.

Network interfaces and IP addresses
To work as replacements for one another, cluster members must have nearly identical network interface configurations. A physical interface definition in McAfee SMC always represents a network interface definition on each node of the cluster. Table 1 describes the two types of IP addresses that you can add to a physical interface definition. You can add several IP addresses of each type to a single physical interface.

Table 1. Firewall cluster IP address types.

Cluster Virtual IP Address (CVI): A CVI handles the traffic directed to the firewall cluster for inspection. The CVI is shared by all the nodes in the cluster. The selected clustering mode determines how this shared IP address is used. The CVI gives the cluster a single identity on the network, reducing the complexity of routing and network design.

Node Dedicated IP Address (NDI): An NDI handles all communication for which the endpoint is the node itself, including node-to-node, management server to node, and node-initiated connections. Each node in the cluster has its own dedicated IP address that is used as the NDI. In most cases, you must define an NDI for each physical interface. If necessary, you can define more than one NDI for the same physical interface.

Figure 2. Cluster interfaces.

Figure 2 shows how CVIs and NDIs are used in a firewall cluster. In this example, Interface ID 0 on each node has an NDI that is used for heartbeat traffic between the nodes in a dedicated network. There is no CVI on Interface ID 0, because this interface carries only node-to-node traffic. Interface ID 1 has a CVI that is used for Internet traffic (for example, web browsing), and it also has an NDI for traffic that the nodes send toward the Internet (for example, the automatic tests the firewall uses to check connectivity). Interface ID 2 has a CVI for protected network traffic and an NDI for management connections to and from the nodes.

Clustering modes
Several modes are available to direct traffic to the cluster. Packet dispatch is the recommended clustering mode, so the network design in this document uses packet dispatch. One node per physical interface is the dispatcher that handles the distribution of traffic between the nodes for all CVIs on that physical interface; the assigned node handles the traffic processing. No additional switch configuration is needed. This mode can also be used with hubs, but it is not the optimal clustering mode with hubs.

How packet dispatch works
In packet dispatch mode, the node selected as the dispatcher on the physical interface assigns each packet to one of the nodes (to itself or to another node). The assigned node then handles the actual resource-intensive traffic processing. The dispatcher attempts to balance the nodes' loads evenly, but it assigns all packets that belong to the same connection to the same node. The node that acts as the packet dispatcher can be (and often is) different for CVIs on different physical interfaces. The example in Figure 3 shows how packet dispatch mode handles a connection.

Figure 3. Packet dispatch mode.

1. The dispatcher node for CVI 1 receives a new packet.
2. The dispatcher node either handles the packet itself or dispatches it to one of the other firewall nodes for processing, according to the load-balancing filter. The packet is sent to the other node through the interface on which it arrived.
3. The dispatcher node for CVI 2 may be different. In Figure 3, the dispatcher node for CVI 2 is different from the dispatcher node for CVI 1. As mentioned earlier, the firewall cluster keeps track of every ongoing connection, so it knows which firewall node is handling which connection. Because the center node is processing the ongoing connection that was initiated through CVI 1, the dispatcher node for CVI 2 forwards the reply belonging to this open connection to the same center node.

One node is responsible for handling each connection. The node responsible for the connection handles all resource-consuming tasks: it determines whether the connection is allowed to continue, translates addresses as necessary, and logs the connection.

The dispatcher node controls the CVI's IP address and MAC address. The other nodes each use their own physical interface's MAC address for the same CVI. When the dispatcher node goes offline, one of the other nodes becomes the dispatcher node. The new dispatcher node changes its interface's MAC address to the address defined for the packet dispatch CVI. The network switch must update its address table without significant delay when the packet dispatcher MAC address moves to another firewall node. This is a standard network addressing operation in which the switch learns that the MAC address is now located behind a different switch port, after which it forwards traffic destined for the CVI to the new packet dispatcher. A practical check on the switch side: do not configure port security or a static MAC entry for the dispatch MAC address on the ports facing the cluster, because a MAC address pinned to one port cannot follow the dispatcher role to another node.
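The dispatch sequence above (steps 1 to 3) and the dispatcher fail-over that follows it, modelled in Python as an added example. This is not McAfee code and does not reproduce the product's load-balancing filter: it assumes that the dispatcher for a CVI is chosen round-robin over the online nodes, that the filter hashes a direction-independent 5-tuple onto a capacity-weighted slot table, and that state sync makes the connection table identical on every node. The node names, CVI names and addresses are made up for the example.

```python
"""Added example, not McAfee code: a model of packet-dispatch clustering.
Assumptions: the dispatcher for a CVI is chosen round-robin over the online
nodes (so CVIs on different interfaces usually have different dispatchers);
the load-balancing filter hashes a direction-independent 5-tuple onto a
capacity-weighted slot table; state sync makes the connection table
identical on every node."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def key(self):
        # Direction-independent, so the reply arriving on the other CVI maps
        # to the same connection as the request.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (ends[0], ends[1], self.proto)


@dataclass
class Node:
    name: str
    weight: int = 1      # relative capacity: a faster node gets more slots
    online: bool = True


class Cluster:
    def __init__(self, nodes, cvis):
        self.nodes = nodes
        self.cvis = list(cvis)   # CVI names, one per physical interface
        self.conn_table = {}     # connection key -> owner node name (state sync)
        self.events = []         # (cvi, dispatcher, owner) per packet

    def online(self):
        return [n for n in self.nodes if n.online]

    def dispatcher(self, cvi):
        """The node that currently answers for the CVI's dispatch MAC."""
        nodes = self.online()
        if not nodes:
            raise RuntimeError("cluster has no online node")
        return nodes[self.cvis.index(cvi) % len(nodes)]

    def _select_owner(self, key):
        # Load-balancing filter: hash the connection key onto weighted slots.
        slots = [n for n in self.online() for _ in range(n.weight)]
        digest = hashlib.sha256(repr(key).encode()).digest()
        return slots[int.from_bytes(digest[:4], "big") % len(slots)]

    def packet(self, cvi, flow):
        """Dispatch one packet arriving on cvi; return the node that processes it."""
        disp, key = self.dispatcher(cvi), flow.key()
        owner = next((n for n in self.online()
                      if n.name == self.conn_table.get(key)), None)
        if owner is None:
            # New connection, or its owner went offline: choose an owner and
            # sync the assignment to every node.
            owner = self._select_owner(key)
            self.conn_table[key] = owner.name
        # The dispatcher hands the packet to the owner out of the interface
        # it arrived on; the owner does the inspection, NAT and logging.
        self.events.append((cvi, disp.name, owner.name))
        return owner.name

    def set_offline(self, name):
        """Take a node out; dispatcher() then reflects the CVI MAC moving."""
        for n in self.nodes:
            if n.name == name:
                n.online = False


if __name__ == "__main__":
    c = Cluster([Node("A"), Node("B"), Node("C", weight=2)], ["CVI1", "CVI2"])
    req = Flow("198.51.100.10", 40000, "203.0.113.5", 443, "tcp")
    rep = Flow("203.0.113.5", 443, "198.51.100.10", 40000, "tcp")
    print("request on CVI1 ->", c.packet("CVI1", req), "via", c.dispatcher("CVI1").name)
    print("reply on CVI2   ->", c.packet("CVI2", rep), "via", c.dispatcher("CVI2").name)
    c.set_offline("A")
    print("A offline: CVI1 dispatcher is now", c.dispatcher("CVI1").name)
    print("request on CVI1 ->", c.packet("CVI1", req))
```

Run it directly to see the request on CVI 1 and its reply on CVI 2 land on the same owner, and the CVI 1 dispatcher role move to node B when node A is taken offline. The conn_table lookup before _select_owner is what keeps a connection on its owner even when the dispatcher for the reply direction is a different node; when the owner itself has gone offline, the next packet is assigned to a surviving node, which is this model's simplification of the state-synced take-over described above.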

Cisco Virtual PortChannel (vPC)

Overview
Cisco virtual Port Channel (vPC) technology allows links that are physically connected to two different Cisco Nexus 9000 Series Switches to appear as a single port channel to McAfee NGFW. After you enable the vPC feature, you must create a peer keepalive link, which carries heartbeat messages between the two vPC peer devices, and a vPC peer link, which synchronizes state between the vPC peer devices. The vPC peer link carries control traffic between the two vPC switches as well as multicast and broadcast data traffic; in some link failure scenarios it also carries unicast traffic. The vPC domain includes the vPC peer devices, the vPC peer keepalive link, the vPC peer link, and all the port channels in the vPC domain connected to the downstream device. You can have only one vPC domain ID on each device.

Benefits of vPC
A vPC provides the following benefits:
Allows a single device to use a port channel across two upstream devices.
Eliminates spanning tree protocol blocked ports.
Provides a loop-free topology.
Uses all available uplink bandwidth.
Provides fast convergence if either a link or a device fails.
Provides link-level resiliency.
Helps ensure high availability.

Secure Data Center Design with McAfee Next Generation Firewall

Design overview
The data center firewall design shown in Figure 4 represents a typical layer 3 data center design with a native clustered pair of McAfee NGFW 5206 appliances that provides high availability for the data center network. Both firewalls are in the active state, and all links are active. The heartbeat link between the two firewalls is a 1 Gigabit Ethernet link; the rest of the network is a 10 Gigabit Ethernet environment. Each firewall forms a two-port link aggregation group (LAG) in which the two 10 Gigabit Ethernet links connect to two separate Cisco Nexus 9504 Switch chassis. The two Cisco Nexus 9504 Switches form one vPC bundle with each McAfee NGFW, so the network contains two vPC bundles: vPC 300 and vPC 301. For example, vPC 300 allows links that are physically connected to two different Cisco Nexus 9504 Switches to appear as a single port channel to McAfee NGFW A. This architecture provides a highly available solution in the data center without the problems of traditional spanning tree protocol, such as long convergence times and the risk of broadcast storms, which are notorious for causing outages in the event of a misconfiguration or a product code issue. Another benefit is that the vPC uses both links in the switch pair, which provides additional bandwidth for the bursts of traffic common in today's data center networks.
Figure 4. McAfee NGFW native cluster design with Cisco Nexus 9000 Series Switches in the data center. The diagram shows the WAN behind two Cisco N7018 VDCs (VDC A and VDC B, routers R1 and R2 with a virtual IP); Cisco N9504A and Cisco N9504B joined by a vPC peer link and a vPC keepalive link; McAfee Next Generation Firewall A connected by a 2-port LAG to vPC 300 and McAfee Next Generation Firewall B to vPC 301 on the 9504 pair; the NGFW cluster heartbeat between the int1 interfaces; VLAN 600 and VLAN 601 carried under the LAG interface, each with its own CVI; and a Cisco N5548 and a Cisco N9396 attached to the 9504 pair on vPC 100 and vPC 101, each with a Spirent Avalanche client/server pair.

Figure 5 shows which onboard physical interfaces correspond to the interfaces configured through McAfee SMC and should be used for layer 1 connectivity.

Figure 5. Interface comparison: McAfee SMC configuration interface versus onboard interface.

The best practice scenarios in this document depend on the interoperability of McAfee NGFW and the Cisco Nexus 9000 Series Switches. The best practice recommendations are based on various failure scenarios (refer to Figure 4) performed on both the McAfee NGFW cluster and the Cisco Nexus 9000 Series Switches using Cisco vPC technology.

Note: In all the failure scenarios mentioned in this document, network performance and network security were neither negatively affected nor compromised.

The McAfee NGFW cluster is configured to support a 2-port Link Aggregation Control Protocol (LACP) LAG with the pair of Cisco Nexus 9504 Series Switches. Physical interfaces 1/1 and 2/1 (shown as McAfee SMC interfaces 3 and 5, respectively) on McAfee NGFW A and McAfee NGFW B form this 2-port LACP LAG, which connects to vPC 300 and vPC 301, respectively, on the Cisco Nexus 9504 Switches. This design has two VLAN interfaces (VLAN 600 and VLAN 601) configured on the two-port LACP LAG. Because the design uses McAfee NGFW layer 3 mode, the CVIs for these VLAN interfaces are the gateways for all hosts on these networks (the Spirent Avalanche client and server ports in the test setup).

Figure 6. Firewall cluster interface configuration on McAfee SMC.

Spirent Avalanche was used to generate traffic between the two configured client-server pairs to test the failure scenarios for the design. For most of the examples in this document, port 2/1 on Spirent is the client port and port 2/2 on Spirent is the server port; the IP ranges assigned to each are shown in Figure 7.

Figure 7. Spirent Avalanche client configuration.

Cisco switches require trunking to be turned on for the VLANs to which the vPC member port belongs. In Figure 8, the highlighted vPC member ports belong to VLAN 600 and VLAN 601. As required by Cisco switches, trunking is turned on for VLAN 600 and VLAN 601 under every port channel. Restrict each trunk to exactly these VLANs rather than leaving the allowed-VLAN list at its default of all VLANs, so that the firewall-facing port channels never carry VLANs the cluster has no interface for, and keep the allowed-VLAN list identical on both vPC peers for each vPC.
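The vPC elements from the overview (domain, peer keepalive, peer link, member port channels) and the trunking requirement just stated, exercised by an added audit script. This is Python written for this page, not the appendix configuration the guide refers to; it parses two constructed NX-OS fragments embedded in the script. The member ports follow Figure 4 and the failure scenarios later in the guide (N9504A Ethernet4/24 and N9504B Ethernet2/24 bundle into vPC 301); the domain ID 10, port-channel1 as the peer link and the 192.0.2.x keepalive addresses are placeholders. The N9504B fragment deliberately contains two faults for the audit to find.

```python
"""Added example, not the guide's appendix configuration: an audit of the vPC and
trunk settings the design depends on, run against two constructed NX-OS fragments.
Member ports follow Figure 4 and the failure scenarios (N9504A Eth4/24 and N9504B
Eth2/24 bundle to vPC 301); domain ID, peer-link port-channel and keepalive
addresses are placeholders.  N9504B deliberately carries two faults (see below)."""
import re

REQUIRED_VLANS = {600, 601}   # the only VLANs the firewall LAG should carry
N9504A = """vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
interface port-channel1
  switchport mode trunk
  vpc peer-link
interface port-channel300
  switchport mode trunk
  switchport trunk allowed vlan 600-601
  vpc 300
interface port-channel301
  switchport mode trunk
  switchport trunk allowed vlan 600-601
  vpc 301
interface Ethernet4/24
  channel-group 301 mode active
"""
# Faults: port-channel301 has no allowed-VLAN list (NX-OS then trunks 1-4094)
# and Ethernet2/24 is a static bundle rather than an LACP member.
N9504B = """vpc domain 10
  peer-keepalive destination 192.0.2.1 source 192.0.2.2
interface port-channel1
  switchport mode trunk
  vpc peer-link
interface port-channel300
  switchport mode trunk
  switchport trunk allowed vlan 600-601
  vpc 300
interface port-channel301
  switchport mode trunk
  vpc 301
interface Ethernet2/24
  channel-group 301 mode on
"""

def expand_vlans(spec):
    out = set()                           # "600-601,700" -> {600, 601, 700}
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_nxos(text):
    """Line parser for the vPC-relevant parts of an NX-OS running-config."""
    cfg, cur = {"domain": None, "keepalive": None, "interfaces": {}}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("vpc domain "):
            cfg["domain"], cur = int(line.split()[2]), None
        elif line.startswith("peer-keepalive "):
            cfg["keepalive"] = line
        elif line.startswith("interface "):
            cur = cfg["interfaces"][line.split(None, 1)[1]] = {
                "trunk": False, "allowed": set(range(1, 4095)),   # NX-OS trunk default
                "vpc": None, "peer_link": False, "group": None, "lacp": False}
        elif cur is not None:
            m = re.fullmatch(r"channel-group (\d+) mode (\w+)", line)
            if line == "switchport mode trunk":
                cur["trunk"] = True
            elif line.startswith("switchport trunk allowed vlan "):
                cur["allowed"] = expand_vlans(line.split()[-1])
            elif line == "vpc peer-link":
                cur["peer_link"] = True
            elif re.fullmatch(r"vpc \d+", line):
                cur["vpc"] = int(line.split()[1])
            elif m:
                cur["group"], cur["lacp"] = int(m.group(1)), m.group(2) in ("active", "passive")
    return cfg

def audit(a, b):
    """Return findings for a vPC peer pair; an empty list means the pair passes."""
    f, peers = [], (("N9504A", a), ("N9504B", b))
    if a["domain"] is None or a["domain"] != b["domain"]:
        f.append("vPC domain ID missing or differs between the peers")
    for name, cfg in peers:
        if cfg["keepalive"] is None:
            f.append(name + ": no peer-keepalive configured")
        if not any(i["peer_link"] for i in cfg["interfaces"].values()):
            f.append(name + ": no vPC peer-link")
        for ifname, i in cfg["interfaces"].items():
            if i["group"] and not i["lacp"]:
                f.append("%s %s: channel-group %d is not LACP" % (name, ifname, i["group"]))
    vpcs = [{i["vpc"]: (n, i) for n, i in c["interfaces"].items() if i["vpc"]} for _, c in peers]
    for num in sorted(set(vpcs[0]) ^ set(vpcs[1])):
        f.append("vpc %d: defined on only one peer" % num)
    for num in sorted(set(vpcs[0]) & set(vpcs[1])):
        for (name, _), v in zip(peers, vpcs):
            pc, i = v[num]
            if not i["trunk"] or not REQUIRED_VLANS <= i["allowed"]:
                f.append("%s %s: must trunk VLANs %s" % (name, pc, sorted(REQUIRED_VLANS)))
            elif i["allowed"] != REQUIRED_VLANS:
                f.append("%s %s: allows VLANs beyond %s; prune the trunk" % (name, pc, sorted(REQUIRED_VLANS)))
        if vpcs[0][num][1]["allowed"] != vpcs[1][num][1]["allowed"]:
            f.append("vpc %d: allowed VLAN list differs between the peers" % num)
    return f
```

Calling audit(parse_nxos(N9504A), parse_nxos(N9504B)) reports that N9504B Ethernet2/24 is not an LACP member, that port-channel301 on N9504B trunks every VLAN, and that the allowed-VLAN lists for vPC 301 therefore differ between the peers; the same configuration on both sides returns an empty list. The parser's default allowed set of 1-4094 is what NX-OS applies when no switchport trunk allowed vlan line is present, which is exactly the omission that silently widens a firewall-facing trunk.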

Figure 8 shows vPC 101, which exists between the pair of Cisco Nexus 9504 Switches and the Cisco Nexus 9396PX switch.

Figure 8. vPC 101 configuration on Cisco Nexus Switches N9504A, N9504B, and N9396PX.

For the full configuration of the Cisco switches, please refer to the Appendix. Although the data center design in this document focuses on McAfee NGFW with Cisco Nexus 9000 Series Switches, customers can choose switches from any networking vendor that supports a feature similar to the vPC feature in Cisco Nexus 9000 Series Switches, commonly known as multichassis link aggregation. Refer to the vendor switch configuration or administration guides for details about the required configuration.

Equipment used in this design

Product                              Model               Software Version
McAfee Next Generation Firewall      5206                Version 5.7
McAfee Security Management Center    McAfee SMC          Version 5.7
Cisco Nexus 9000 Series Switches     N9504 A-B           Version 6.1(2)I2(1)
                                     9396PX              Version 6.1(2)I2(2a)
Cisco Nexus 5000 Series Switches     5548UP              Version 6.0(2)N2(1)
Cisco Nexus 7000 Series Switches     N7018               Version 6.2(8a)
Spirent                              Spirent Avalanche   NA

Best Practices for McAfee Firewall Cluster Implementation

Implement a native firewall cluster
As a best practice, implement native clustering, which provides high availability and offers scalability for performance. Businesses are growing quickly, so data centers must be able to adapt quickly; to meet these growth requirements, they must be able to scale easily and effectively. With McAfee NGFW native clustering, adding a firewall node to meet the needs of an expanding business is a simple operation. The clustering capabilities of McAfee NGFW provide a performance gain of up to 370% with just four nodes in a single cluster.

Adding a node to the McAfee NGFW cluster takes only a few steps. The cluster configuration section of McAfee SMC has an Add Node tab. Use this tab to add a McAfee NGFW node to an existing cluster; all the IP addresses are automatically populated in the cluster configuration. Figure 9 shows a McAfee NGFW node being added to an existing cluster.

Figure 9. Adding a McAfee NGFW node to an existing McAfee NGFW firewall cluster.

With native clustering, if a node in the cluster is taken offline for any reason, service is not interrupted and the performance impact is small. The recommended approach is native clustering, so this document focuses on the best practices implementation of native clustering. Even though Intel Security supports different hardware versions in a McAfee NGFW cluster, the recommended approach is to use the same hardware in a cluster to help ensure that identical nodes deliver the same performance.

Figure 10. Dispatcher Node B goes offline in the firewall cluster. The diagram shows McAfee Next Generation Firewall A and McAfee Next Generation Firewall B, joined by the int1 heartbeat link, each connected through interfaces 1/1 and 2/1 to Cisco N9504A and Cisco N9504B, which are joined by the vPC peer link and keepalive link; node B is marked as going offline.

Figure 10 shows the behavior of a native cluster solution when one node goes offline. Using the packet dispatch mechanism discussed earlier, the dispatcher node on the physical interface makes the packet processing decisions. In this example, node B is the dispatcher node for east-west traffic. Once packet dispatch is selected as the clustering mode, the firewall cluster takes care of the packet processing by making the node assignments itself; the example here is presented only to show how the cluster behaves if the dispatcher node goes offline for any reason.

Consider a scenario in which the dispatcher node (node B) has to go offline for some reason. With a native cluster implementation, there is no loss of connections per second and no packet loss when node B goes offline. Figure 11 shows the results from Spirent Avalanche when node B was taken offline during ongoing transactions: no unsuccessful or dropped connections occurred, and there was no noticeable packet loss.

Figure 11. Results of a dispatcher node going offline during an active test.

Because the dispatcher node (node B) went offline in this scenario, node A is now the dispatcher node for all traffic originating from Spirent Avalanche. For any additional scenarios that refer to the dispatcher node, node A is the dispatcher node.

Implement backup heartbeat on a native cluster
The firewall cluster nodes exchange information constantly through a heartbeat network using multicast transmissions. The state tables that list open connections (state sync) and the operating state of the other nodes (heartbeat) are exchanged. This exchange helps ensure that all firewall nodes have the same information about the connections and that, if a firewall node becomes unavailable, the other nodes in the cluster notice immediately.

The exchange of this information is critical for a firewall cluster, so a backup heartbeat interface is highly recommended for protection in the event of a primary heartbeat failure. The network design in Figure 4 shows that interface 1 (int1) on each firewall forms the primary heartbeat connection. VLAN interface 600 is configured as the backup heartbeat interface (Figure 12). Note that VLAN 600 rides the LAG that also carries protected traffic, so while the backup is in use the state sync shares a segment with production traffic; this is the case in which enabling heartbeat encryption, in addition to the default authentication, is worthwhile.

Figure 12. VLAN interface 600 configured as backup heartbeat interface.

When the primary heartbeat interface failed, the exchange of information between the two firewall nodes was immediately performed through the backup interface. No connection loss or packet loss was noticed as a result of the primary heartbeat failure. This behavior was expected, because VLAN interface 600 was configured as the backup heartbeat interface and took over the exchange of information between the two firewall nodes (Figure 13).

Figure 13. Results of heartbeat failure during an active test.
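The heartbeat exchange described under Communication between firewall nodes (authenticated multicast messages carrying state sync and node status) and the backup heartbeat fail-over tested above, modelled in Python as an added example. This is not McAfee's heartbeat protocol: the wire format (a fixed header, JSON state, HMAC-SHA256 tag), the pre-shared key, the interface names int1 and vlan600, the sequence-number replay check and the 3-second timeout are all assumptions, and the optional encryption the product offers is not implemented here.

```python
"""Added example, not McAfee's heartbeat protocol: HMAC-authenticated cluster
heartbeats with replay protection, and fail-over from the primary heartbeat
interface (int1) to a backup interface (vlan600) when the primary link drops.
The wire format, pre-shared key, interface names and timeout are assumptions.
Encryption, which the product offers as an option, is left out here."""
import hashlib
import hmac
import json
import struct

MAGIC = b"HB1"                     # format tag, so unrelated multicast is dropped early
HDR = "!HQI"                       # node_id, sequence number, payload length
HDR_LEN = len(MAGIC) + struct.calcsize(HDR)
TAG_LEN = 32                       # HMAC-SHA256


def build_heartbeat(key, node_id, seq, state):
    """Serialise node_id, seq and the synced state, then append an HMAC tag."""
    payload = json.dumps(state, sort_keys=True).encode()
    header = MAGIC + struct.pack(HDR, node_id, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def parse_heartbeat(key, msg):
    """Return (node_id, seq, state), or None if the message fails authentication."""
    if len(msg) < HDR_LEN + TAG_LEN or msg[:len(MAGIC)] != MAGIC:
        return None
    node_id, seq, plen = struct.unpack(HDR, msg[len(MAGIC):HDR_LEN])
    payload, tag = msg[HDR_LEN:HDR_LEN + plen], msg[HDR_LEN + plen:]
    if len(payload) != plen or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(key, msg[:HDR_LEN] + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        return None
    return node_id, seq, json.loads(payload)


class HeartbeatSender:
    """Sends on the first interface whose link is up, in configured order."""

    def __init__(self, key, node_id, links):
        self.key, self.node_id, self.links, self.seq = key, node_id, dict(links), 0

    def send(self, state):
        iface = next((name for name, up in self.links.items() if up), None)
        if iface is None:
            return None                      # no heartbeat path left at all
        self.seq += 1
        return iface, build_heartbeat(self.key, self.node_id, self.seq, state)


class HeartbeatReceiver:
    def __init__(self, key, timeout):
        self.key, self.timeout = key, timeout
        self.last_seq = {}      # node_id -> highest accepted seq (replay protection)
        self.last_seen = {}     # node_id -> (time, interface the heartbeat came in on)
        self.state = {}         # node_id -> last synced state

    def receive(self, iface, msg, now):
        parsed = parse_heartbeat(self.key, msg)
        if parsed is None:
            return "rejected: authentication failed"
        node_id, seq, state = parsed
        if seq <= self.last_seq.get(node_id, 0):
            return "rejected: replay"
        self.last_seq[node_id], self.last_seen[node_id] = seq, (now, iface)
        self.state[node_id] = state
        return "accepted on " + iface

    def peer_status(self, node_id, now):
        seen = self.last_seen.get(node_id)
        if seen is None or now - seen[0] > self.timeout:
            return "offline"
        return "online via " + seen[1]


if __name__ == "__main__":
    key = b"placeholder-pre-shared-key"
    a = HeartbeatSender(key, 1, {"int1": True, "vlan600": True})
    b = HeartbeatReceiver(key, timeout=3.0)
    iface, msg = a.send({"open_connections": 1200})
    print(b.receive(iface, msg, now=0.0))
    print(b.receive(iface, msg, now=0.5))           # a replayed copy
    a.links["int1"] = False                         # primary heartbeat link fails
    iface, msg = a.send({"open_connections": 1210})
    print(b.receive(iface, msg, now=1.0), "->", b.peer_status(1, now=1.0))
```

Running it prints an accepted heartbeat on int1, the rejection of a replayed copy, and, after the int1 link is marked down, acceptance of the next heartbeat on vlan600 with the peer still reported online. The compare_digest call matters: a plain tag == expected comparison leaks timing information and is the classic mistake in hand-rolled message authentication.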

Graceful shutdown of a firewall
In a data center, an administrator may sometimes need to gracefully shut down a firewall; for example, during a hardware upgrade, the firewall that is being replaced should be shut down. With the McAfee Next Generation Firewall native cluster design shown in Figure 4, no packet loss or connection drop was noticed when the cluster dispatcher node, node A, was gracefully shut down (Figure 14).

Figure 14. Results of graceful shutdown of a firewall node.

Performing maintenance tasks on a native cluster
Another benefit of implementing a McAfee native cluster is the ability to perform maintenance tasks such as software upgrades while the cluster is in service, without having to schedule a downtime window. This is possible because, as noted earlier, cluster nodes can run different software versions, so the node being upgraded can be taken out of service while the other node carries the traffic. With the design shown in Figure 4, 200 connections per second were sent through the native cluster while a software upgrade was performed on node A. The software upgrade completed on node A, and no packet loss or connection drop was noticed on Spirent Avalanche. Figure 15 shows the test results.

Figure 15. Results of a software upgrade performed in service with no maintenance window scheduled.

McAfee Firewall Cluster with Cisco vPC

The network design in Figure 4 shows the McAfee NGFW firewall cluster implemented with Cisco Nexus 9000 Series Switches using Cisco vPC technology. This part of the document shows McAfee Next Generation Firewall interoperability with Cisco Nexus 9000 Series Switches in various failover scenarios. To learn more about the Cisco Nexus 9000 Series Switches, find additional documentation, download a product evaluation, or get product support, please visit the Cisco Nexus 9000 Series Switches product page (switches/nexus-9000-series-switches/index.html).

The design overview section explains the traffic flow path for all the traffic generated by the Spirent client-server ports. Cisco vPC technology eliminates the need for spanning tree protocol and keeps all ports forwarding. This loop-free technology uses all available uplinks: traffic originating from Spirent is forwarded over these active links to the McAfee NGFW cluster, which then uses the selected packet dispatch method to forward all the traffic to the server interface on Spirent Avalanche.

Using the design in Figure 4, real data center failure scenarios were performed between the Cisco Nexus 9000 Series Switches and the McAfee NGFW cluster (Figure 16). Cisco vPC technology on the Cisco Nexus 9000 Series Switches interoperates with the McAfee NGFW cluster and was shown to have no negative impact on security or performance in any of the failure scenarios.
Figure 16. Scenario 1 (vpc link failure) and scenario 2 (vpc bundle failure). [Topology diagram: WAN behind Cisco N7018 VDC A and VDC B (routers R1 and R2 sharing a virtual IP); McAfee Next Generation Firewall A and B, each with a two-port LAG to Cisco N9504A and Cisco N9504B; Cisco N5548 and Cisco N9396 connecting the Spirent Avalanche client-server pairs; continuous ICMP running during both scenarios. Cisco legend: vpc peer link, vpc keepalive, vpc 300 and vpc 301 to the firewalls, vpc 100 and vpc 101 to 9504 A-B. Intel Security legend: NGFW cluster heartbeat; 2-port LAG from firewall cluster to 9504 A-B; VLAN 600 and VLAN 601 under the LAG interface, each with its own CVI.]

The first scenario demonstrates a situation in the data center in which a vpc link failure occurs in the network between the Cisco Nexus 9000 Series Switches and the McAfee NGFW firewall cluster. Scenario 1 in Figure 16 shows vpc member port interface 4/24 failing on the Cisco N9504A switch. McAfee SMC generates an alert reporting a link failure on interface 1/1 of firewall node B. While the link between the Cisco switch and the McAfee NGFW was down, no packet loss or connection drop was observed on Spirent Avalanche: the two-port LAG from node B stays up on its remaining member, at reduced capacity.

Because scenario 1 produced no packet loss or connection drop, the test was extended to fail an entire vpc bundle during the same run (scenario 2). With scenario 1 still in the link-failure state, vpc member port interface 2/24 was failed on the Cisco N9504B switch. This takes down the whole of vpc 301 between the pair of Cisco Nexus 9000 Series Switches and McAfee NGFW node B. Firewall node B goes offline while firewall node A remains active, because this is a native cluster and node A carries the traffic on its own. The results on Spirent Avalanche again showed no packet loss and no connection drops.

During scenarios 1 and 2, a continuous Internet Control Message Protocol (ICMP) ping was run from the Cisco N5548 to the core switch Cisco N7018. For both the vpc link failure test and the vpc bundle failure test, no ICMP time-out was observed on the Cisco N5548 switch (Figure 17). These scenarios demonstrate the compatibility of the McAfee NGFW cluster with Cisco vpc technology.

Figure 17. Results from vpc link failure and vpc bundle failure. There were no packet losses and no connection drops.
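The continuous ICMP probe used in scenarios 1 and 2 (and again in scenarios 3 and 4) is only as useful as the record it leaves behind. The following is an added example, not part of the original guide and not a McAfee, Cisco or Spirent tool: it parses a plain `ping` capture (iputils line format assumed) and reports which sequence numbers got no reply, the longest consecutive gap converted to seconds, and whether any reply arrived twice. Duplicates are worth flagging because they are the signature of a forwarding loop or a dual-active vpc pair rather than of a clean failover. The two captures embedded below are constructed for this example, and 192.0.2.1 is a documentation address.

```python
"""Outage analysis for a continuous ICMP probe captured during a failover test.

Added example, not part of the original guide and not a McAfee, Cisco or Spirent
tool. iputils `ping` output is assumed; the captures below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

REPLY = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_replies(text: str) -> List[Tuple[int, float]]:
    """(sequence number, RTT in ms) for every echo reply line, duplicates included."""
    return [(int(m.group(1)), float(m.group(2))) for m in REPLY.finditer(text)]


def parse_summary(text: str) -> Optional[Tuple[int, int]]:
    """(transmitted, received) from the trailing statistics line, if present."""
    m = SUMMARY.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def missing_ranges(seqs: List[int], transmitted: Optional[int]) -> List[Tuple[int, int]]:
    """Inclusive (first, last) ranges of sequence numbers that never got a reply.

    Gaps between observed replies are always visible; loss at the very end of the
    run is only visible when the summary line says how many probes were sent.
    """
    seen = sorted(set(seqs))
    if not seen:
        return [(1, transmitted)] if transmitted else []
    gaps = [(1, seen[0] - 1)] if seen[0] > 1 else []
    gaps += [(p + 1, c - 1) for p, c in zip(seen, seen[1:]) if c - p > 1]
    if transmitted and seen[-1] < transmitted:
        gaps.append((seen[-1] + 1, transmitted))
    return gaps


def analyze(text: str, interval_s: float = 1.0) -> Dict[str, object]:
    """Summarize one capture; interval_s is the probe spacing given to ping -i."""
    replies = parse_replies(text)
    seqs = [s for s, _ in replies]
    transmitted, received = parse_summary(text) or (None, None)
    gaps = missing_ranges(seqs, transmitted)
    longest = max((hi - lo + 1 for lo, hi in gaps), default=0)
    duplicates = sorted({s for s in seqs if seqs.count(s) > 1})
    return {
        "transmitted": transmitted,
        "received": received,
        "unique_replies": len(set(seqs)),
        "gaps": gaps,
        "longest_gap": longest,
        "outage_s": longest * interval_s,
        "duplicates": duplicates,
        "max_rtt_ms": max((rtt for _, rtt in replies), default=0.0),
        "clean": not gaps and not duplicates,
    }


# Constructed capture: probes 4 and 5 lost while a vpc member fails, and one
# duplicate reply for probe 7 (what a looped or dual-active topology produces).
FAILOVER_CAPTURE = """\
PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=254 time=0.412 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=254 time=0.398 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=254 time=0.405 ms
64 bytes from 192.0.2.1: icmp_seq=6 ttl=254 time=0.871 ms
64 bytes from 192.0.2.1: icmp_seq=7 ttl=254 time=0.402 ms
64 bytes from 192.0.2.1: icmp_seq=7 ttl=254 time=0.655 ms (DUP!)
64 bytes from 192.0.2.1: icmp_seq=8 ttl=254 time=0.399 ms
64 bytes from 192.0.2.1: icmp_seq=9 ttl=254 time=0.401 ms
64 bytes from 192.0.2.1: icmp_seq=10 ttl=254 time=0.403 ms

--- 192.0.2.1 ping statistics ---
10 packets transmitted, 8 received, +1 duplicates, 20% packet loss, time 9012ms
"""

# Constructed capture of the result the guide reports: every probe answered once.
CLEAN_CAPTURE = """\
64 bytes from 192.0.2.1: icmp_seq=1 ttl=254 time=0.410 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=254 time=0.404 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=254 time=0.409 ms
64 bytes from 192.0.2.1: icmp_seq=4 ttl=254 time=0.398 ms
64 bytes from 192.0.2.1: icmp_seq=5 ttl=254 time=0.407 ms

--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 812ms
"""

if __name__ == "__main__":
    for name, capture in (("failover", FAILOVER_CAPTURE), ("clean", CLEAN_CAPTURE)):
        print(name, analyze(capture, interval_s=1.0))
```

Run the probe as `ping -i 0.2 <target> | tee capture.txt` for the duration of the scenario and pass the same interval to `analyze()`. A sub-second interval matters: with the default one-second spacing, a LACP member withdrawal that costs a few hundred milliseconds either vanishes or rounds up to a full second, so the change record would either understate or overstate the outage.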

Scenario 3 demonstrates vpc peer link failure (Figure 18). The vpc peer link is the link used to synchronize state between the vpc peer devices. It carries control traffic between the two vpc switches as well as multicast and broadcast data traffic, and in some link failure scenarios it also carries unicast traffic. Cisco recommends at least two 10 Gigabit Ethernet interfaces for the peer link, so a second 10 Gigabit Ethernet link was added in this design. Interface 1/35 was shut down to simulate the failure of one vpc peer link member, and the results were observed on Spirent Avalanche.

Figure 18. Two vpc peer links exist, and one vpc peer link fails. [Diagram: McAfee Next Generation Firewall A and B dual-homed to Cisco N9504A and Cisco N9504B over interfaces 4/23, 4/24, 2/23 and 2/24; peer link members 1/35 on each switch; peer keepalive members 4/31 and 2/31.]

The results on Spirent Avalanche showed no packet loss or connection drop during the vpc peer link failure.

Figure 19. Results from vpc peer link failure.

Scenario 4 demonstrates vpc peer keepalive link failure (Figure 20). The peer keepalive link monitors the health of the vpc peer switch by exchanging periodic keepalive messages between the vpc peer devices. The vpc peer keepalive link can be a management interface or a switched virtual interface (SVI). No data or synchronization traffic moves over the vpc peer keepalive link; its only traffic is a message indicating that the originating switch is up and running vpc. Interface 4/31 on Cisco N9504A was shut down to simulate a vpc peer keepalive link failure, and the results were observed on Spirent Avalanche.

Figure 20. vpc peer keepalive link failure. [Diagram: the same topology as Figure 18, with the keepalive member 4/31 on Cisco N9504A failed.]

The results on Spirent showed no packet loss or connection drops (Figure 21). Even though there was no traffic loss, immediate repair or replacement of the bad vpc peer keepalive link is recommended: the keepalive is what lets each switch tell a failed peer link apart from a failed peer. With the keepalive already down, a subsequent peer link failure leaves both switches believing the other is dead, both become operationally primary on the same vpcs (dual-active), and the firewall cluster's LAGs are then attached to two switches that no longer synchronize state. Scenario 4 is therefore benign only as long as it remains the sole fault.

Figure 21. Results from vpc peer keepalive link failure.

Configuration

McAfee Next Generation Firewall configuration

Figures 22 through 24 show the configuration for the McAfee NGFW.

Figure 22. McAfee SMC status view.

Figure 23. McAfee NGFW cluster interface configuration: the two-port LAG from the McAfee NGFW cluster to the Cisco 9000 Series.

Figure 24. McAfee SMC log view during active connections generated from Spirent.

Cisco 9000 Series configuration

The configuration for the Cisco Nexus 9000 Series Switches is shown here, as two running configurations, N9504A and N9504B. Addresses and VLAN lists that are blank in the published capture are left blank. Two points for anyone reproducing it: the trunk lines appear here as published (mode trunk, trunk native vlan, trunk allowed vlan), whereas NX-OS accepts them as switchport mode trunk, switchport trunk native vlan and switchport trunk allowed vlan; and on N9504A the interface Ethernet1/35 carries the description vpc-keepalive although it is a member of port-channel 2, the vpc peer link, while the actual keepalive member is Ethernet4/31 (on N9504B the description sits on the keepalive member Ethernet2/31, as intended). Descriptions have no effect on forwarding, but a mislabelled port is exactly the one that gets shut down by mistake during a maintenance window, so correct the label before relying on it.

Cisco Nexus A

N9504A# show run
!command: show running-config
!time: Tue Oct 7 17:56:
version 6.1(2)I2(1)
hostname N9504A
vlan 600
  name Client_Network_1
vlan 601
  name Client_Network_2
vlan 1000
  name Native-Vlan
vrf context VPC_Keepalive
vrf context management
  ip route /
vpc domain 5
  peer-switch
  role priority 1
  system-priority 4000
  peer-keepalive destination source vrf VPC_Keepalive
  peer-gateway
interface Vlan1
  no ip redirects
  no ipv6 redirects
interface Vlan600
  no ip redirects
  ip address /24
  no ipv6 redirects
interface Vlan601
  no ip redirects
  ip address /24
  no ipv6 redirects
interface port-channel1
  no buffer-boost
  vrf member VPC_Keepalive
  ip address /30
interface port-channel2
  description VPC peerlink
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type network
  vpc peer-link

Cisco Nexus B

N9504B# show run
!command: show running-config
!time: Tue Oct 7 17:59:
version 6.1(2)I2(1)
hostname N9504B
vlan 600
  name Client_Network_1
vlan 601
  name Client_Network_2
vlan 1000
  name Native-Vlan
vrf context VPC_Keepalive
vrf context management
  ip route /
vpc domain 5
  peer-switch
  role priority 1
  system-priority 4000
  peer-keepalive destination source vrf VPC_Keepalive
  peer-gateway
interface Vlan1
  no ip redirects
  no ipv6 redirects
interface Vlan600
  no ip redirects
  ip address /24
  no ipv6 redirects
interface Vlan601
  no ip redirects
  ip address /24
  no ipv6 redirects
interface port-channel1
  no buffer-boost
  vrf member VPC_Keepalive
  ip address /30
interface port-channel2
  description VPC peerlink
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type network
  vpc peer-link

Cisco Nexus A (continued)

interface port-channel100
  description VPC to Nexus5548
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 100
interface port-channel101
  description VPC to Nexus9396
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 101
interface port-channel300
  description VPC to McAfee NGFW A
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 300
interface port-channel301
  description VPC to McAfee NGFW B
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 301
interface Ethernet1/35
  description vpc-keepalive
  mode trunk
  spanning-tree port type network
  channel-group 2 mode active
interface Ethernet4/1
  mode trunk
  spanning-tree port type normal
  channel-group 100 mode active
interface Ethernet4/2
  mode trunk
  spanning-tree port type normal
  channel-group 101 mode active

Cisco Nexus B (continued)

interface port-channel100
  description VPC to Nexus5548
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 100
interface port-channel101
  description VPC to Nexus9396
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 101
interface port-channel300
  description VPC to McAfee NGFW A
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 300
interface port-channel301
  description VPC to McAfee NGFW B
  mode trunk
  trunk native vlan 1000
  trunk allowed vlan
  spanning-tree port type normal
  vpc 301
interface Ethernet1/35
  mode trunk
  spanning-tree port type network
  channel-group 2 mode active
interface Ethernet2/1
  mode trunk
  spanning-tree port type normal
  channel-group 100 mode active
interface Ethernet2/2
  mode trunk
  spanning-tree port type normal
  channel-group 101 mode active

Cisco Nexus A (continued)

interface Ethernet4/23
  mode trunk
  spanning-tree port type normal
  channel-group 300 mode active
interface Ethernet4/24
  mode trunk
  spanning-tree port type network
  channel-group 301 mode active
interface Ethernet4/31
  no buffer-boost
  channel-group 1 mode active
interface mgmt0
  vrf member management
  ip address /24
clock timezone PST -8 0
clock summer-time PDT 2 Sun Mar 02:00 1 Sun Nov 02:00 60
line console
line vty
boot nxos bootflash:/n9000-dk i2.1.bin sup-1

Cisco Nexus B (continued)

interface Ethernet2/23
  mode trunk
  spanning-tree port type network
  channel-group 300 mode active
interface Ethernet2/24
  mode trunk
  spanning-tree port type normal
  channel-group 301 mode active
interface Ethernet2/31
  description vpc-keepalive
  no buffer-boost
  channel-group 1 mode active
interface mgmt0
  vrf member management
  ip address /24
clock timezone PST -8 0
clock summer-time PDT 2 Sun Mar 02:00 1 Sun Nov 02:00 60
line console
line vty
boot nxos bootflash:/n9000-dk i2.1.bin sup-1
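A vpc only behaves the way scenarios 1 through 4 show when the two peers agree on the port-channels they share, and NX-OS suspends a vpc (or the affected VLANs) when they do not. The following is an added example, not part of the original guide and not a Cisco or McAfee tool: it parses two NX-OS style running configurations and reports a vpc whose trunk attributes differ between peers, a vpc defined on one peer only, a missing peer link or keepalive, and an interface labelled as keepalive that is in fact a peer-link member (the situation in the N9504A capture above). The two sample configurations are constructed, modeled on the captures in this guide but written with the full `switchport` syntax, and the 192.0.2.0/30 keepalive addresses are documentation addresses rather than values from the guide. Peer B is derived from peer A with the label corrected and two deliberate mismatches injected so the checker has something to find.

```python
"""Consistency check for a pair of Cisco vPC peers before a failover test.

Added example, not part of the original guide and not a Cisco or McAfee tool.
Sample configurations are constructed; 192.0.2.0/30 is a documentation range.
"""
import re
from typing import Dict, List, Optional

# vPC type-1 parameters compared per port-channel, with their NX-OS keywords.
TRUNK_ATTRS = {"mode": "mode", "native": "trunk native vlan", "allowed": "trunk allowed vlan"}

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level NX-OS command to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def _attr(lines: List[str], pattern: str) -> Optional[str]:
    for line in lines:  # first capture group of the first matching sub-command
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None

def inventory(config: str) -> Dict[str, object]:
    """Domain, peer-link/keepalive port-channels, LAG members, labels and vPC trunk attributes.
    Assumes the `vpc domain` block precedes the interfaces, as in a running-config."""
    inv = {"domain": None, "keepalive_vrf": None, "peer_link": None, "keepalive": None,
           "members": {}, "desc": {}, "vpcs": {}}
    for name, lines in parse_blocks(config).items():
        if name.startswith("vpc domain"):
            inv["domain"] = int(name.split()[2])
            inv["keepalive_vrf"] = _attr(lines, r"peer-keepalive .*vrf (\S+)")
        elif name.startswith("interface port-channel"):
            num = int(name.split()[1][len("port-channel"):])
            if "vpc peer-link" in lines:
                inv["peer_link"] = num
            if f"vrf member {inv['keepalive_vrf']}" in lines:
                inv["keepalive"] = num
            vpc_id = _attr(lines, r"vpc (\d+)$")
            if vpc_id:
                inv["vpcs"][int(vpc_id)] = {k: _attr(lines, rf"(?:switchport )?{v} (\S+)")
                                            for k, v in TRUNK_ATTRS.items()}
        elif name.startswith("interface Ethernet"):
            iface = name.split()[1]
            group = _attr(lines, r"channel-group (\d+)")
            if group:
                inv["members"].setdefault(int(group), []).append(iface)
            inv["desc"][iface] = (_attr(lines, r"description (.+)") or "").lower()
    return inv

def check_pair(conf_a: str, conf_b: str) -> List[str]:
    """Findings as text; an empty list means the two peers are consistent."""
    a, b, findings = inventory(conf_a), inventory(conf_b), []
    if a["domain"] != b["domain"]:
        findings.append(f"vpc domain mismatch: {a['domain']} vs {b['domain']}")
    for side, inv in (("A", a), ("B", b)):
        if inv["peer_link"] is None or inv["keepalive"] is None:
            findings.append(f"{side}: peer-link or peer-keepalive port-channel not found")
        for iface in inv["members"].get(inv["peer_link"], []):
            if "keepalive" in inv["desc"].get(iface, ""):
                findings.append(f"{side}: {iface} is labelled keepalive but is a peer-link member")
    for vpc_id in sorted(set(a["vpcs"]) | set(b["vpcs"])):
        if vpc_id not in a["vpcs"] or vpc_id not in b["vpcs"]:
            findings.append(f"vpc {vpc_id} is configured on only one peer")
            continue
        for attr in TRUNK_ATTRS:
            va, vb = a["vpcs"][vpc_id][attr], b["vpcs"][vpc_id][attr]
            if va != vb:
                findings.append(f"vpc {vpc_id}: {attr} differs ({va} vs {vb})")
    return findings

# Constructed sample modeled on the N9504A capture in this guide; not the capture itself.
PEER_A = """\
vpc domain 5
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf VPC_Keepalive
interface port-channel1
  vrf member VPC_Keepalive
interface port-channel2
  vpc peer-link
interface port-channel300
  switchport mode trunk
  switchport trunk native vlan 1000
  switchport trunk allowed vlan 600-601
  vpc 300
interface port-channel301
  switchport mode trunk
  switchport trunk native vlan 1000
  switchport trunk allowed vlan 600-601
  vpc 301
interface Ethernet1/35
  description vpc-keepalive
  channel-group 2 mode active
interface Ethernet4/31
  channel-group 1 mode active
"""

# Peer B: the label moved to the real keepalive member, plus two deliberate mismatches.
PEER_B = (PEER_A
          .replace("  description vpc-keepalive\n  channel-group 2", "  channel-group 2")
          .replace("channel-group 1 mode active", "description vpc-keepalive\n  channel-group 1 mode active")
          .replace("allowed vlan 600-601\n  vpc 300", "allowed vlan 600\n  vpc 300")
          .replace("native vlan 1000\n  switchport trunk allowed vlan 600-601\n  vpc 301",
                   "native vlan 1\n  switchport trunk allowed vlan 600-601\n  vpc 301"))
```

Feed `check_pair()` the output of `show running-config` from both peers before each failover test. A native VLAN or mode mismatch suspends the whole vpc, which turns a planned single-link test into a full bundle failure; an allowed-VLAN mismatch only suspends the VLANs present on one side, which is harder to notice because the LAG itself stays up. `show vpc consistency-parameters` on the switch reports the same class of problem after the fact; the point of checking the configurations offline is to catch it before the test window.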

Support

Each section of this document provides examples and recommended test cases or steps you can take to validate whether or not you have followed the guidance correctly. If those steps do not work, refer to the product documentation. If you need additional assistance, we are available to help.

Evaluating McAfee Next Generation Firewall

Visit the Intel Security product website at and open a chat session to interact with a member of the support team. Let the expert know that you are evaluating our products and are attempting to perform a proof-of-concept test using this guide.

McAfee Next Generation Firewall customers

As an Intel Security customer, you will receive a grant number for support. Using the grant number, you can register for an account on the Technical Support Service Portal. After you have set up an account, you can log in at any time, 24 hours a day, 7 days a week, with your credentials and access support resources.

About McAfee

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security combines the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security's mission is to give everyone the confidence to live and work safely and securely in the digital world.

McAfee. Part of Intel Security. Mission College Boulevard, Santa Clara, CA. Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2015 McAfee, Inc gde_data-center-ngfw_0515_ETMG


Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1 Smart Tips Enabling WAN Load Balancing Overview Many small businesses today use broadband links such as DSL or Cable, favoring them over the traditional link such as T1/E1 or leased lines because of the

More information

vsphere Networking vsphere 6.0 ESXi 6.0 vcenter Server 6.0 EN-001391-01

vsphere Networking vsphere 6.0 ESXi 6.0 vcenter Server 6.0 EN-001391-01 vsphere 6.0 ESXi 6.0 vcenter Server 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more

More information

SonicOS Enhanced 5.7.0.2 Release Notes

SonicOS Enhanced 5.7.0.2 Release Notes SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility

More information

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation

More information

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc. Chapter 2 TOPOLOGY SELECTION SYS-ED/ Computer Education Techniques, Inc. Objectives You will learn: Topology selection criteria. Perform a comparison of topology selection criteria. WebSphere component

More information

A Principled Technologies white paper commissioned by Dell Inc.

A Principled Technologies white paper commissioned by Dell Inc. A Principled Technologies white paper commissioned by Dell Inc. TABLE OF CONTENTS Table of contents... 2 Summary... 3 Features of Simple Switch Mode... 3 Sample scenarios... 5 Testing scenarios... 6 Scenario

More information

McAfee Endpoint Protection for SMB. You grow your business. We keep it secure.

McAfee Endpoint Protection for SMB. You grow your business. We keep it secure. McAfee Endpoint Protection for SMB You grow your business. We keep it secure. Big Protection for Small to Medium-Sized Businesses With the Internet and connected devices now an integral part of your business,

More information

IP Telephony Management

IP Telephony Management IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient

More information

McAfee Next Generation Firewall (NGFW) Administration Course

McAfee Next Generation Firewall (NGFW) Administration Course McAfee Product Education McAfee Next Generation Firewall (NGFW) Administration Course The McAfee NGFW Administration course from Education Services provides attendees with hands-on training on the design,

More information

In-Band Security Solution // Solutions Overview

In-Band Security Solution // Solutions Overview Introduction The strategy and architecture to establish and maintain infrastructure and network security is in a rapid state of change new tools, greater intelligence and managed services are being used

More information

Database Security in Virtualization and Cloud Computing Environments

Database Security in Virtualization and Cloud Computing Environments White Paper Database Security in Virtualization and Cloud Computing Environments Three key technology challenges in protecting sensitive data Table of Contents Securing Information in Virtualization and

More information

McAfee SMC Installation Guide 5.7. Security Management Center

McAfee SMC Installation Guide 5.7. Security Management Center McAfee SMC Installation Guide 5.7 Security Management Center Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can

More information

Configuring IPS High Bandwidth Using EtherChannel Load Balancing

Configuring IPS High Bandwidth Using EtherChannel Load Balancing Configuring IPS High Bandwidth Using EtherChannel Load Balancing This guide helps you to understand and deploy the high bandwidth features available with IPS v5.1 when used in conjunction with the EtherChannel

More information

Using Virtual Switches in PowerVM to Drive Maximum Value of 10 Gb Ethernet

Using Virtual Switches in PowerVM to Drive Maximum Value of 10 Gb Ethernet Using Virtual Switches in PowerVM to Drive Maximum Value of 10 Gb Ethernet by Glenn E. Miller Certified IT Specialist Power Systems, AIX and PowerHA IBM Corporation and Kris Speetjens IT Architect Nobius

More information

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led Course Description The objective of the Citrix NetScaler 10.5 Essentials for ACE Migration course is to provide the foundational

More information

Direct or Transparent Proxy?

Direct or Transparent Proxy? Direct or Transparent Proxy? Choose the right configuration for your gateway. Table of Contents Direct Proxy...3 Transparent Proxy...4 Other Considerations: Managing authentication made easier.....4 SSL

More information

A New Approach to Developing High-Availability Server

A New Approach to Developing High-Availability Server A New Approach to Developing High-Availability Server James T. Yu, Ph.D. School of Computer Science, Telecommunications, and Information Systems DePaul University jyu@cs.depaul.edu ABSTRACT This paper

More information

MANAGED DATABASE SOLUTIONS

MANAGED DATABASE SOLUTIONS Page 0 2015 SOLUTION BRIEF MANAGED DATABASE SOLUTIONS NET ACCESS LLC 9 Wing Drive Cedar Knolls, NJ 07927 www.nac.net Page 1 Table of Contents 1. Introduction... 2 2. Net Access Managed Services Solution

More information

Cisco Active Network Abstraction Gateway High Availability Solution

Cisco Active Network Abstraction Gateway High Availability Solution . Cisco Active Network Abstraction Gateway High Availability Solution White Paper This white paper describes the Cisco Active Network Abstraction (ANA) Gateway High Availability solution developed and

More information

Seven Requirements for Hybrid Web Delivery Getting the best of both on-premises and SaaS

Seven Requirements for Hybrid Web Delivery Getting the best of both on-premises and SaaS Seven Requirements for Hybrid Web Delivery Getting the best of both on-premises and SaaS Traditionally, IT risk management has balanced security investment and the impact of the threat, allowing each business

More information

How To Manage A Netscaler On A Pc Or Mac Or Mac With A Net Scaler On An Ipad Or Ipad With A Goslade On A Ggoslode On A Laptop Or Ipa On A Network With

How To Manage A Netscaler On A Pc Or Mac Or Mac With A Net Scaler On An Ipad Or Ipad With A Goslade On A Ggoslode On A Laptop Or Ipa On A Network With CNS-205 Citrix NetScaler 10.5 Essentials and Networking The objective of the Citrix NetScaler 10.5 Essentials and Networking course is to provide the foundational concepts and advanced skills necessary

More information

ADVANCED NETWORK CONFIGURATION GUIDE

ADVANCED NETWORK CONFIGURATION GUIDE White Paper ADVANCED NETWORK CONFIGURATION GUIDE CONTENTS Introduction 1 Terminology 1 VLAN configuration 2 NIC Bonding configuration 3 Jumbo frame configuration 4 Other I/O high availability options 4

More information

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance CHAPTER 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive

More information

Chapter 3. Enterprise Campus Network Design

Chapter 3. Enterprise Campus Network Design Chapter 3 Enterprise Campus Network Design 1 Overview The network foundation hosting these technologies for an emerging enterprise should be efficient, highly available, scalable, and manageable. This

More information

IBM PureFlex System. The infrastructure system with integrated expertise

IBM PureFlex System. The infrastructure system with integrated expertise IBM PureFlex System The infrastructure system with integrated expertise 2 IBM PureFlex System IT is moving to the strategic center of business Over the last 100 years information technology has moved from

More information

IBM QRadar Security Intelligence Platform appliances

IBM QRadar Security Intelligence Platform appliances IBM QRadar Security Intelligence Platform Comprehensive, state-of-the-art solutions providing next-generation security intelligence Highlights Get integrated log management, security information and event

More information

Clustering and Queue Replication:

Clustering and Queue Replication: Clustering & Queue Replication Clustering and Queue Replication: How WatchGuard XCS Provides Fully Redundant Messaging Security Technical Brief WatchGuard Technologies, Inc. Published: March 2011 Introduction

More information

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business IREBOX X IREBOX X Firebox X Family of Security Products Comprehensive Unified Threat Management Solutions That Scale With Your Business Family of Security Products Comprehensive unified threat management

More information

Expert Reference Series of White Papers. Planning for the Redeployment of Technical Personnel in the Modern Data Center

Expert Reference Series of White Papers. Planning for the Redeployment of Technical Personnel in the Modern Data Center Expert Reference Series of White Papers Planning for the Redeployment of Technical Personnel in the Modern Data Center info@globalknowledge.net www.globalknowledge.net Planning for the Redeployment of

More information

INTEGRATING FIREWALL SERVICES IN THE DATA CENTER NETWORK ARCHITECTURE USING SRX SERIES SERVICES GATEWAY

INTEGRATING FIREWALL SERVICES IN THE DATA CENTER NETWORK ARCHITECTURE USING SRX SERIES SERVICES GATEWAY IMPLEMENTATION GUIDE INTEGRATING FIREWALL SERVICES IN THE DATA CENTER NETWORK ARCHITECTURE USING SRX SERIES SERVICES GATEWAY Although Juniper Networks has attempted to provide accurate information in this

More information

Panorama High Availability

Panorama High Availability Panorama High Availability Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054

More information

VXLAN: Scaling Data Center Capacity. White Paper

VXLAN: Scaling Data Center Capacity. White Paper VXLAN: Scaling Data Center Capacity White Paper Virtual Extensible LAN (VXLAN) Overview This document provides an overview of how VXLAN works. It also provides criteria to help determine when and where

More information

VCE VBLOCK SYSTEMS DEPLOYMENT AND IMPLEMENTATION: NETWORK EXAM 210-025

VCE VBLOCK SYSTEMS DEPLOYMENT AND IMPLEMENTATION: NETWORK EXAM 210-025 CERTIFICATION STUDY GUIDE VCE CERTIFIED PROFESSIONAL VCE VBLOCK SYSTEMS DEPLOYMENT AND IMPLEMENTATION: NETWORK EXAM 210-025 Document revision 1.2 December 2014 2014 VCE Company, LLC. All rights reserved.

More information

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways Deployment Guide rev. 1.4.9 Copyright 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 3 Appliances

More information

Cisco Nexus 7000 Series Supervisor Module

Cisco Nexus 7000 Series Supervisor Module Cisco Nexus 7000 Series Supervisor Module The Cisco Nexus 7000 Series Supervisor Module (Figure 1) scales the control plane and data plane services for the Cisco Nexus 7000 Series system in scalable data

More information

Using MLAG in Dell Networks

Using MLAG in Dell Networks dd version Using MLAG in Dell Networks A deployment guide for Dell Networking switches (version ) Dell Engineering March 04 January 04 A Dell Deployment and Configuration Guide Revisions Date Description

More information

Configuring EtherChannels

Configuring EtherChannels 25 CHAPTER This chapter describes how to configure EtherChannel interfaces. For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command

More information

Configuring Redundancy

Configuring Redundancy 7 CHAPTER This chapter describes how to configure redundancy and contains these sections: Configuring Fault Tolerance, page 7-1 Configuring HSRP, page 7-5 Configuring Interface and Device Tracking, page

More information

PR03. High Availability

PR03. High Availability PR03 High Availability Related Topics NI10 Ethernet/IP Best Practices NI15 Enterprise Data Collection Options NI16 Thin Client Overview Solution Area 4 (Process) Agenda Overview Controllers & I/O Software

More information