WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME-05-2012-01 Rev. A




MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners. 2012 Motorola Solutions, Inc. All Rights Reserved.

Table of Contents

1. Introduction ... 4
   1.1 Overview ... 5
2. Configuration ... 7
   2.1 IP Access Control Lists ... 7
   2.2 Virtual IP Interfaces & Port Assignments ... 8
   2.3 Network Address Translation ... 10
   2.4 Policy Based Routing ... 12
3. Verification ... 14
   3.1 Basic Networking ... 14
   3.2 Routing Policy ... 15
   3.3 Network Address Translation ... 16
4. Appendix ... 18
   4.1 Running-Configuration ... 18

1. Introduction

WiNG 5.3 introduces Policy Based Routing (PBR), which allows a WiNG 5 device to make IPv4 forwarding decisions based on user-defined match criteria. Prior to PBR, all IPv4 forwarding decisions were made using destination based routing.

The introduction of PBR allows WiNG 5 to address multiple challenges faced by administrators in remote branch networks. Using policies, network administrators can configure a WiNG 5 device to forward IPv4 traffic outside the constraints enforced by destination based routing without having to deploy additional hardware at a branch site. For example, PBR can be employed to:

1) Distribute traffic over different WAN, MPLS or Internet paths.
2) Provide failover between multiple WAN, MPLS or Internet paths.
3) Load-balance traffic across multiple WAN, MPLS or Internet paths while providing failover.
4) Mark and forward select traffic for QoS purposes.
5) Forward select traffic to specific hosts for inspection or other services.

With PBR, forwarding decisions can now be made by a WiNG 5 device using a number of criteria, including source VLAN, source / destination IPv4 address, protocol type, traffic class, associated Wireless LAN or the user's assigned role. As an action, PBR can be configured to mark the QoS value of the selected traffic or to forward the selected traffic to a specific host.

For availability, PBR can also leverage Critical Resource Monitoring, which allows routers and network paths to be monitored for liveliness. If the next-hop router or network path is unreachable, traffic can be forwarded using another PBR policy or can be subjected to destination based routing.

1.1 Overview

This guide focuses on utilizing PBR on an RFS4000 to forward select traffic to a host that resides locally at a branch site. In this example PBR will be configured to forward TCP port 80 (HTTP) traffic to a caching server to optimize Internet bandwidth. Non-HTTP traffic will bypass the caching server and will be subjected to destination based routing.

The configuration in this guide consists of the following components:

1) One RFS4000 running WiNG 5.3.0.0-088R firmware that is directly connected to the users, the cache server and the public Internet.
2) Policy Based Routing (PBR) will be enabled to forward user HTTP traffic to the cache server. Non-HTTP traffic will be ignored.
3) Network Address Translation (NAT) will be enabled, allowing the cache server and users to access the Internet. NAT will also be configured to ignore user HTTP traffic destined to the caching server.
4) Critical Resource Monitoring will be employed to check the liveliness of the caching server. If the caching server fails, user traffic is subjected to destination based routing.

1.1.1 Operation

During normal operation Policy Based Routing (PBR) will forward HTTP traffic from the users directly to the cache server. If the cache server has the content pre-cached, it responds to the users with the content without accessing the public Internet. If the content is not pre-cached, the caching server accesses the public Internet to cache the content and responds to the user directly. Subsequent requests for the cached content will be served directly by the caching server without re-accessing the public Internet.

Non-HTTP traffic such as DNS, FTP or HTTPS will be subject to normal destination based routing. Non-HTTP traffic will be NATted and forwarded to the RFS4000's default gateway. No non-HTTP traffic is forwarded to the caching server in this example.

If the caching server fails and is not reachable from the RFS4000, traffic will be subjected to destination based routing. HTTP and non-HTTP traffic will both be forwarded to the RFS4000's default gateway. Once the caching server is back on-line, HTTP traffic will again be forwarded to the caching server.

2. Configuration

2.1 IP Access Control Lists

For this configuration step three IP Access Control Lists (ACLs) are required:

2.1.1 Network Address Translation (NAT)

The first IP ACL that is required is for network address translation (NAT). NAT is required so that hosts connected to the RFS4000 can access the public Internet. The NAT ACL contains three rules:

1) Rule 1 denies TCP port 80 (HTTP) traffic from the user subnet (192.168.20.0/24) destined to the cache server (192.168.26.10). This rule is required so that HTTP traffic from users redirected to the cache server is not NATted.
2) Rule 2 permits IP traffic from the user subnet (192.168.20.0/24) destined to the public Internet (any). This rule is required so that user traffic destined to the public Internet is NATted to the public interface on the RFS4000.
3) Rule 3 permits IP traffic from the cache server (192.168.26.10) destined to the public Internet (any). This rule is required so that cache server traffic destined to the public Internet is NATted to the public interface on the RFS4000.

During normal operation users' HTTP traffic will be captured and redirected to the cache server using policy based routing. The cache server will either serve the content from its cache and respond to the request, or it will access the Internet to pull the content. Non-HTTP traffic will be NATted directly and forwarded to the public Internet, bypassing policy based routing. If the cache server becomes unreachable, all user traffic is NATted to the public interface directly.

NAT ACL:

    ip access-list NAT
     deny tcp 192.168.20.0/24 host 192.168.26.10 eq www rule-precedence 10
     permit ip 192.168.20.0/24 any rule-precedence 20
     permit ip host 192.168.26.10 any rule-precedence 30

2.1.2 Cache Redirection

The second IP ACL that is required is for policy based routing (PBR). The CACHE ACL contains one rule:

1) Rule 1 permits TCP port 80 (HTTP) traffic from the user subnet (192.168.20.0/24) destined to the public Internet. This rule is required so that PBR can redirect HTTP traffic to the cache server.

Cache Redirection ACL:

    ip access-list CACHE
     permit tcp 192.168.20.0/24 any eq www rule-precedence 20

2.1.3 Inbound Internet

The third IP ACL that is required is for inbound traffic received on the public IP interface of the RFS4000. The INTERNET-INBOUND ACL contains one rule:

1) Rule 1 denies all IP traffic and logs matches. This rule is required so that inbound traffic received on the public IP interface of the RFS4000 is denied. If this rule were absent, hosts on the public Internet would be able to communicate directly with the RFS4000.

Inbound Internet ACL:

    ip access-list INTERNET-INBOUND
     deny ip any any log rule-precedence 100

2.2 Virtual IP Interfaces & Port Assignments

For this configuration step three virtual IP interfaces are required. In this example the virtual IP interfaces and VLAN port assignments will be assigned directly to the RFS4000's device configuration as overrides:

2.2.1 VLAN 20 (Users)

The first virtual IP interface that is required is for VLAN 20, which is used for users and device management. All wired and wireless users will be assigned to VLAN 20. In this example the IP address 192.168.20.1/24 is assigned to VLAN 20, which will be the default gateway for users at the site.

User Virtual IP Interface:

    interface vlan20
     description USERS
     ip address 192.168.20.1/24

2.2.2 VLAN 26 (Cache Server)

The second virtual IP interface that is required is for VLAN 26, which is used by the cache server. In this example the IP address 192.168.26.1/24 is assigned to VLAN 26, which will be the default gateway for the cache server at the site.

Cache Virtual IP Interface:

    interface vlan26
     description CACHE
     ip address 192.168.26.1/24

2.2.3 VLAN 4094 (Internet)

The third virtual IP interface that is required is for VLAN 4094, which is the public interface on the RFS4000. In this example IP addressing will be provided by DHCP from the service provider. Additionally, the IP ACL named INTERNET-INBOUND is assigned to the virtual IP interface to deny and log any inbound traffic received by the public interface:

Internet Virtual IP Interface:

    interface vlan4094
     description INTERNET
     ip address dhcp
     ip dhcp client request options all
     use ip-access-list in INTERNET-INBOUND

2.2.4 VLAN Port Membership

In this configuration example the public Internet connection, the cache server and the users are directly connected to the RFS4000, so VLAN port assignments need to be defined:

1) Users are connected to Gigabit Ethernet ports 1 to 3. Ports Ge1 to Ge3 are defined as access ports with the native VLAN id set to 20.
2) The cache server is connected to Gigabit Ethernet port 4. Ge4 is defined as an access port with the native VLAN id set to 26.
3) The Internet is connected to Gigabit Ethernet port 5. Ge5 is defined as an access port with the native VLAN id set to 4094.

Switchport Assignments:

    rfs4000 00-23-68-22-9D-E4
     use profile default-rfs4000
     use rf-domain default
     hostname rfs4000-1
     license AP DEFAULT-6AP-LICENSE
     interface ge1
      switchport mode access
      switchport access vlan 20
     interface ge2
      switchport mode access
      switchport access vlan 20
     interface ge3
      switchport mode access
      switchport access vlan 20
     interface ge4
      switchport mode access
      switchport access vlan 26
     interface ge5
      description INTERNET
      switchport mode access
      switchport access vlan 4094
     Configuration Removed for Brevity

2.3 Network Address Translation

For this configuration step each virtual IP interface will be enabled for NAT and a NAT rule will be defined. In this example the NAT interfaces and rule will be assigned directly to the RFS4000's device configuration as overrides:

2.3.1 NAT Interfaces

For NAT to function, each virtual IP interface needs to be designated as a NAT inside or outside interface. If no designation is made, NAT will not function:

1) VLAN 20 will be designated as a NAT inside interface.
2) VLAN 26 will be designated as a NAT inside interface.
3) VLAN 4094 will be designated as a NAT outside interface.

NAT Interfaces:

    interface vlan20
     description USERS
     ip address 192.168.20.1/24
     ip nat inside
    interface vlan26
     description CACHE
     ip address 192.168.26.1/24
     ip nat inside
    interface vlan4094
     description INTERNET
     ip address dhcp
     ip dhcp client request options all
     use ip-access-list in INTERNET-INBOUND
     ip nat outside

2.3.2 Dynamic NAT Rule

Once each virtual IP interface has been enabled for NAT, a dynamic NAT rule needs to be defined that tells the RFS4000 which traffic is subjected to NAT and what to translate the traffic to. In this example the IP ACL named NAT is used to determine which traffic is subjected to NAT, and all the internal traffic will be translated to the single IP address on the public virtual IP interface VLAN 4094.

NAT Rule Assignment:

    rfs4000 00-23-68-22-9D-E4
     use profile default-rfs4000
     use rf-domain default
     hostname rfs4000-1
     Configuration Removed for Brevity
     ip nat inside source list NAT interface vlan4094 overload

2.4 Policy Based Routing

For this configuration step a routing policy and route-map will be defined to forward TCP port 80 (HTTP) traffic to the cache server. In this example the routing policy will be assigned directly to the RFS4000's device configuration as an override:

2.4.1 Routing Policy and Map

A routing policy and route-map need to be defined to redirect TCP port 80 (HTTP) traffic to the cache server. The routing policy forwards IPv4 traffic based on match conditions defined in the route-map. In this example a routing policy named PBR will be created with a single route-map. The route-map will match HTTP traffic received from the user subnet (192.168.20.0/24) and will forward the HTTP traffic to the cache server host (192.168.26.10). The IP ACL named CACHE determines which traffic the route-map will select.

Traffic that is not matched by the routing policy is subjected to normal destination based routing and will be forwarded to the RFS4000's default gateway. HTTP traffic received from the cache server will also be forwarded using destination based routing. Only HTTP traffic forwarded from the users on the 192.168.20.0/24 network will be matched by the routing policy.

By default the routing policy will use Critical Resource Monitoring (CRM) to monitor the health of the cache server. CRM monitors the health of the cache server by sending ICMP packets and monitoring the ARP cache. If the cache server becomes unreachable, HTTP traffic is subjected to destination based routing and is forwarded to the RFS4000's default gateway.

Note: Critical Resource Monitoring (CRM) can only detect whether the cache server responds to ARP and ICMP; it cannot validate whether the caching service itself is operational. If the caching service fails but the caching server remains reachable, the route-map will continue to forward traffic to the cache server.

Routing Policy:

    routing-policy PBR
     route-map 1
      match ip-access-list CACHE
      match incoming-interface vlan20
      next-hop 192.168.26.10

2.4.2 Routing Policy Assignment

Once the routing policy and route-map have been defined, the policy needs to be assigned to the RFS4000. In this example the routing policy named PBR is assigned directly to the RFS4000's device configuration as a device override:

Routing Policy Assignment:

    rfs4000 00-23-68-22-9D-E4
     use profile default-rfs4000
     use rf-domain default
     hostname rfs4000-1
     Configuration Removed for Brevity
     ip nat inside source list NAT interface vlan4094 overload
     use routing-policy PBR
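Sections 2.1 to 2.4 each describe one piece of the forwarding decision. The following Python model, added here as an example and not WiNG code or part of the guide, re-implements the three ACLs, route-map 1 and the dynamic NAT rule so the combined outcome for a given packet can be checked before the configuration is pushed. It assumes first-match ACL evaluation in rule-precedence order with an implicit deny, and that overload NAT only translates traffic leaving the `ip nat outside` interface vlan4094; stateful handling of return traffic is not modelled.

```python
"""Model of the forwarding decisions configured in sections 2.1 to 2.4.

Added example, not WiNG code: the three IP ACLs, route-map 1 and the
dynamic NAT rule are re-implemented in plain Python so the combined
behaviour can be checked for a given packet.  Assumptions (not stated
by the guide): ACL rules are tried in rule-precedence order with first
match winning and an implicit deny; the NAT rule only translates
traffic leaving the 'ip nat outside' interface vlan4094.  Addresses
and VLANs are the guide's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports
    in_iface: str         # "vlan20", "vlan26" or "vlan4094"


@dataclass(frozen=True)
class Rule:
    precedence: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # CIDR, host address or "any"
    dst: str
    dport: Optional[int] = None   # "eq www" -> 80


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _net(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _net(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def acl_permits(acl: List[Rule], pkt: Packet) -> bool:
    """First matching rule in precedence order decides; no match is a deny."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if _matches(rule, pkt):
            return rule.action == "permit"
    return False


# The guide's ACLs from section 2.1, rule by rule.
NAT_ACL = [
    Rule(10, "deny",   "tcp", "192.168.20.0/24", "192.168.26.10", 80),
    Rule(20, "permit", "ip",  "192.168.20.0/24", "any"),
    Rule(30, "permit", "ip",  "192.168.26.10",   "any"),
]
CACHE_ACL = [Rule(20, "permit", "tcp", "192.168.20.0/24", "any", 80)]
INTERNET_INBOUND_ACL = [Rule(100, "deny", "ip", "any", "any")]

CACHE_SERVER = "192.168.26.10"    # route-map next-hop
DEFAULT_GATEWAY = "10.1.1.1"      # learned via DHCP on vlan4094 (section 3.1)


def next_hop(pkt: Packet, cache_reachable: bool) -> str:
    """Route-map 1: CACHE ACL match on incoming vlan20 -> cache server,
    but only while Critical Resource Monitoring reports it reachable.
    Everything else gets destination based routing, which in this
    topology means the default route."""
    if pkt.in_iface == "vlan20" and acl_permits(CACHE_ACL, pkt) and cache_reachable:
        return CACHE_SERVER
    return DEFAULT_GATEWAY


def forwarding_decision(pkt: Packet, cache_reachable: bool = True) -> Dict[str, object]:
    """Inbound ACL, then route-map, then NAT, for one packet.
    Stateful replies to existing NAT sessions are outside this model."""
    if pkt.in_iface == "vlan4094" and not acl_permits(INTERNET_INBOUND_ACL, pkt):
        return {"action": "drop", "log": True}          # "deny ip any any log"
    hop = next_hop(pkt, cache_reachable)
    egress = "vlan26" if hop == CACHE_SERVER else "vlan4094"
    # Assumption: overload NAT applies to packets leaving the outside
    # interface that the NAT ACL permits.  Redirected HTTP leaves via
    # vlan26 and is therefore handed to the cache server untranslated.
    natted = egress == "vlan4094" and acl_permits(NAT_ACL, pkt)
    return {"action": "forward", "next_hop": hop, "egress": egress, "natted": natted}
```

Running `forwarding_decision` for a user HTTP packet with `cache_reachable=True` and again with `False` reproduces the two behaviours described in section 1.1.1.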

3. Verification

3.1 Basic Networking

Issue the show ip interface brief command to verify that the virtual IP interfaces have been defined correctly and that STATUS and PROTOCOL are up. In this example virtual IP interfaces for VLANs 20, 26 and 4094 have been defined and each is up and operational:

    rfs4000-1# show ip interface brief
    -------------------------------------------------------------------------------
    INTERFACE    IP-ADDRESS/MASK          TYPE       STATUS    PROTOCOL
    -------------------------------------------------------------------------------
    vlan1        unassigned               n/a        UP        up
    vlan20       192.168.20.1/24          primary    UP        up
    vlan4094     10.1.1.100/24(DHCP)      primary    UP        up
    vlan26       192.168.26.1/24          primary    UP        up
    -------------------------------------------------------------------------------

Issue the show ip route command to verify that the default gateway has been defined. In this example the default gateway 10.1.1.1 has been learned from the ISP using DHCP:

    rfs4000-1# show ip route
    --------------------------------------------------------------------------------
    DESTINATION         GATEWAY        FLAGS    INTERFACE
    --------------------------------------------------------------------------------
    10.1.1.0/24         direct         C        vlan4094
    192.168.26.0/24     direct         C        vlan26
    192.168.20.0/24     direct         C        vlan20
    default             10.1.1.1       CG       vlan4094
    --------------------------------------------------------------------------------
    Flags: C - Connected G - Gateway

Issue the show interface switchport command to verify that the VLANs are assigned to the correct ports. In this example VLAN 20 (Users) is assigned to ports Ge1 to Ge3, VLAN 26 (Cache) is assigned to Ge4 and VLAN 4094 (Internet) is assigned to Ge5:

    rfs4000-1# show interface switchport
    ---------------------------------------------------------------------------------------
    INTERFACE    STATUS    MODE      VLAN(S)
    ---------------------------------------------------------------------------------------
    ge1          UP        access    20
    ge2          DOWN      access    20
    ge3          DOWN      access    20
    ge4          UP        access    26
    ge5          UP        access    4094
    up1          DOWN      access    1
    ---------------------------------------------------------------------------------------
    A '*' next to the VLAN ID indicates the native vlan for that trunk port

3.2 Routing Policy

Issue the show route-maps command to display the state of the routing policy and to determine whether any traffic is being forwarded to the cache server. In this example the cache server is UP and reachable, and the HITCOUNT counter increments each time a new HTTP session is initiated, indicating that HTTP traffic is being forwarded to the cache server:

    rfs4000-1# show route-maps
    -------------------------------------------------------------------------------
    Route Map 1
      primary next-hop: 192.168.26.10, status UP (Gateway monitoring)
      Rules:
        Incoming interface: vlan20
        permit tcp 192.168.20.0/24 any eq www                        HITCOUNT 654

If the cache server becomes unreachable, the status of the cache server will change to UNREACHABLE and the traffic will be subjected to normal destination based routing. The HITCOUNT counter will not increment while the cache server is not reachable:

    rfs4000-1# show route-maps
    -------------------------------------------------------------------------------
    Route Map 1
      primary next-hop: 192.168.26.10, status UNREACHABLE (Gateway monitoring)
      Rules:
        Incoming interface: vlan20
        permit tcp 192.168.20.0/24 any eq www                        HITCOUNT 654

3.3 Network Address Translation

Issue the show ip nat translations verbose command to view the NAT translation table. During normal operation HTTP traffic will be forwarded to the cache server:

1) If the requested web content is not already cached by the cache server, it will contact the web server and pull the content. The cache server then responds to the user with the content.
2) If the content is cached, the cache server responds to the user with the content without accessing the Internet.

Each time the cache server contacts an external web server a NAT translation entry will be created. Users accessing non-HTTP sites will be forwarded and NATted directly, bypassing the cache server.

The following NAT translation table shows various entries for HTTP and non-HTTP traffic. Traffic from the host IP address 192.168.26.10 represents HTTP or DNS traffic originated by the caching server, while traffic from hosts on the user network 192.168.20.0/24 represents non-HTTP traffic (such as HTTPS and DNS) that is bypassing the cache server:

    rfs4000-1# show ip nat translations verbose
    PROTO  ACTUAL SOURCE         ACTUAL DESTINATION    NATTED SOURCE       NATTED DESTINATION
    ---------------------------------------------------------------------------------------
    TCP    192.168.26.10:60174   204.245.162.17:80     10.1.1.100:56602    204.245.162.17:80
    TCP    192.168.26.10:60164   204.245.162.17:80     10.1.1.100:51332    204.245.162.17:80
    UDP    192.168.26.10:46225   208.67.222.222:53     10.1.1.100:42270    208.67.222.222:53
    TCP    192.168.26.10:60162   204.245.162.17:80     10.1.1.100:59045    204.245.162.17:80
    TCP    192.168.26.10:37299   192.150.16.64:80      10.1.1.100:45744    192.150.16.64:80
    TCP    192.168.20.254:1515   98.139.240.23:443     10.1.1.100:55203    98.139.240.23:443
    TCP    192.168.26.10:60166   204.245.162.17:80     10.1.1.100:50858    204.245.162.17:80
    TCP    192.168.26.10:42352   66.235.147.77:80      10.1.1.100:36863    66.235.147.77:80
    TCP    192.168.26.10:60165   204.245.162.17:80     10.1.1.100:58649    204.245.162.17:80
    TCP    192.168.26.10:60161   204.245.162.17:80     10.1.1.100:34627    204.245.162.17:80
    TCP    192.168.26.10:60158   204.245.162.17:80     10.1.1.100:54530    204.245.162.17:80
    TCP    192.168.26.10:60159   204.245.162.17:80     10.1.1.100:58627    204.245.162.17:80
    TCP    192.168.26.10:60171   204.245.162.17:80     10.1.1.100:50525    204.245.162.17:80
    TCP    192.168.26.10:60167   204.245.162.17:80     10.1.1.100:65411    204.245.162.17:80
    TCP    192.168.26.10:60163   204.245.162.17:80     10.1.1.100:35877    204.245.162.17:80
    TCP    192.168.26.10:60169   204.245.162.17:80     10.1.1.100:65048    204.245.162.17:80
    TCP    192.168.26.10:36470   193.104.215.66:80     10.1.1.100:41675    193.104.215.66:80
    TCP    192.168.26.10:60173   204.245.162.17:80     10.1.1.100:37718    204.245.162.17:80
    TCP    192.168.20.254:1513   23.1.203.120:443      10.1.1.100:33671    23.1.203.120:443
    TCP    192.168.26.10:60168   204.245.162.17:80     10.1.1.100:64675    204.245.162.17:80
    TCP    192.168.26.10:60170   204.245.162.17:80     10.1.1.100:39853    204.245.162.17:80
    TCP    192.168.26.10:60160   204.245.162.17:80     10.1.1.100:39917    204.245.162.17:80

If the cache server becomes unreachable, the users' traffic is subjected to normal destination based routing. The following NAT translation table shows various entries for HTTP and non-HTTP traffic originating from the user network 192.168.20.0/24, all of which is NATted directly by the RFS4000:

    rfs4000-1# show ip nat translations verbose
    PROTO  ACTUAL SOURCE         ACTUAL DESTINATION    NATTED SOURCE       NATTED DESTINATION
    ---------------------------------------------------------------------------------------
    TCP    192.168.20.254:1536   192.150.16.58:80      10.1.1.100:46728    192.150.16.58:80
    UDP    192.168.20.254:1031   208.67.222.222:53     10.1.1.100:45364    208.67.222.222:53
    TCP    192.168.20.254:1538   204.245.162.17:80     10.1.1.100:61602    204.245.162.17:80
    TCP    192.168.20.254:1534   192.150.16.64:80      10.1.1.100:40813    192.150.16.64:80
    TCP    192.168.20.254:1545   98.139.241.94:443     10.1.1.100:47124    98.139.241.94:443
    TCP    192.168.20.254:1547   65.55.13.243:80       10.1.1.100:57065    65.55.13.243:80
    TCP    192.168.20.254:1532   204.245.162.17:80     10.1.1.100:49814    204.245.162.17:80
    TCP    192.168.20.254:1541   23.1.203.120:443      10.1.1.100:35459    23.1.203.120:443
    TCP    192.168.20.254:1533   204.245.162.17:80     10.1.1.100:58861    204.245.162.17:80
    TCP    192.168.20.254:1537   204.245.162.17:80     10.1.1.100:42072    204.245.162.17:80
    TCP    192.168.20.254:1542   66.235.147.77:80      10.1.1.100:44107    66.235.147.77:80
    TCP    192.168.20.254:1535   192.150.16.58:80      10.1.1.100:33153    192.150.16.58:80
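The two tables above give a simple health signal that does not depend on the CRM status in show route-maps: while the redirect works, TCP/80 rows with a user-subnet source should not appear at all. The following Python check, added here as an example and not part of the guide or of WiNG, parses a show ip nat translations verbose dump and counts such rows; the embedded sample rows are copied from the two tables in this section.

```python
"""Audit a 'show ip nat translations verbose' dump for cache bypass.

Added example, not part of the guide or of WiNG.  While route-map 1 is
active, HTTP from the user subnet goes to the cache server untranslated
and never appears in the NAT table; the only port-80 rows are the cache
server fetching content.  User-subnet TCP/80 rows therefore mean the
cache server is UNREACHABLE (CRM fail-over, section 3.2) or the routing
policy is not applied.  The sample rows below are copied from the two
tables in section 3.3.
"""
import ipaddress
import re
from typing import Dict, List

USER_SUBNET = ipaddress.ip_network("192.168.20.0/24")
CACHE_SERVER = ipaddress.ip_address("192.168.26.10")

# One translation row: PROTO, actual src/dst, NATted src/dst, each as addr:port.
ROW = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<nsrc>[\d.]+):(?P<nsport>\d+)\s+"
    r"(?P<ndst>[\d.]+):(?P<ndport>\d+)$"
)


def parse_translations(text: str) -> List[Dict[str, object]]:
    """Return the data rows; prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "proto": m["proto"],
                "src": ipaddress.ip_address(m["src"]),
                "dst": m["dst"],
                "dport": int(m["dport"]),
            })
    return rows


def classify(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Count rows by what they say about the HTTP redirect."""
    counts = {"cache_origin": 0, "user_http_bypass": 0, "user_other": 0}
    for r in rows:
        if r["src"] == CACHE_SERVER:
            counts["cache_origin"] += 1          # expected: cache filling itself
        elif r["src"] in USER_SUBNET and r["proto"] == "TCP" and r["dport"] == 80:
            counts["user_http_bypass"] += 1      # should be zero while PBR works
        elif r["src"] in USER_SUBNET:
            counts["user_other"] += 1            # DNS, HTTPS: bypass is by design
    return counts


def redirect_is_working(text: str) -> bool:
    return classify(parse_translations(text))["user_http_bypass"] == 0


NORMAL = """\
rfs4000-1# show ip nat translations verbose
PROTO ACTUAL SOURCE ACTUAL DESTINATION NATTED SOURCE NATTED DESTINATION
---------------------------------------------------------------------------------------
TCP 192.168.26.10:60174 204.245.162.17:80 10.1.1.100:56602 204.245.162.17:80
UDP 192.168.26.10:46225 208.67.222.222:53 10.1.1.100:42270 208.67.222.222:53
TCP 192.168.20.254:1515 98.139.240.23:443 10.1.1.100:55203 98.139.240.23:443
TCP 192.168.26.10:42352 66.235.147.77:80 10.1.1.100:36863 66.235.147.77:80
"""

CACHE_DOWN = """\
rfs4000-1# show ip nat translations verbose
PROTO ACTUAL SOURCE ACTUAL DESTINATION NATTED SOURCE NATTED DESTINATION
---------------------------------------------------------------------------------------
TCP 192.168.20.254:1536 192.150.16.58:80 10.1.1.100:46728 192.150.16.58:80
UDP 192.168.20.254:1031 208.67.222.222:53 10.1.1.100:45364 208.67.222.222:53
TCP 192.168.20.254:1545 98.139.241.94:443 10.1.1.100:47124 98.139.241.94:443
TCP 192.168.20.254:1547 65.55.13.243:80 10.1.1.100:57065 65.55.13.243:80
"""

if __name__ == "__main__":
    for name, dump in (("normal", NORMAL), ("cache down", CACHE_DOWN)):
        print(name, classify(parse_translations(dump)), redirect_is_working(dump))
```

Because the check works on the NAT table rather than on ARP/ICMP reachability, it also flags the case the note in section 2.4.1 describes only partially: a redirect that is silently not happening.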

4. Appendix

4.1 Running-Configuration

Running-configuration of the RFS4000:

    Configuration of RFS4000 version 5.3.0.0-088R
    version 2.1
    ip access-list CACHE
     permit tcp 192.168.20.0/24 any eq www rule-precedence 20
    ip access-list INTERNET-INBOUND
     deny ip any any log rule-precedence 100
    ip access-list NAT
     deny tcp 192.168.20.0/24 host 192.168.26.10 eq www rule-precedence 10
     permit ip 192.168.20.0/24 any rule-precedence 50
     permit ip host 192.168.26.10 any rule-precedence 60
    firewall-policy default
    mint-policy global-default
    wlan-qos-policy default
     qos trust dscp
     qos trust wmm
    radio-qos-policy default
    ap300 default-ap300
     interface radio1
     interface radio2
    dhcp-server-policy default
     dhcp-pool vlan20
      network 192.168.20.0/24
      address range 192.168.20.100 192.168.20.254
      domain-name tmelabs.local
      default-router 192.168.20.1
      dns-server 208.67.222.222 208.67.220.220
    management-policy default
     no http server
     https server
     ssh
     user admin password 0 motorola role superuser access all
     user operator password 0 operator role monitor access all
     no snmp-server manager v2
     snmp-server community public ro
     snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
     snmp-server user snmptrap v3 encrypted des auth md5 0 motorola
     snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola
    routing-policy PBR
     route-map 1
      match ip-access-list CACHE
      match incoming-interface vlan20
      next-hop 192.168.26.10
    l2tpv3 policy default
    profile rfs4000 default-rfs4000
     autoinstall configuration
     autoinstall firmware
     crypto ikev1 policy ikev1-default
      isakmp-proposal default encryption aes-256 group 2 hash sha
     crypto ikev2 policy ikev2-default
      isakmp-proposal default encryption aes-256 group 2 hash sha
     crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
     crypto ikev1 remote-vpn
     crypto ikev2 remote-vpn
     crypto auto-ipsec-secure
     interface radio1
     interface radio2
     interface up1
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge1
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge2
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge3
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge4
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge5
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface wwan1
     interface pppoe1
     use firewall-policy default
     logging on
     service pm sys-restart
     router ospf
    rf-domain default
     no country-code
    rfs4000 00-23-68-22-9D-E4
     use profile default-rfs4000
     use rf-domain default
     hostname rfs4000-1
     license AP DEFAULT-6AP-LICENSE
     interface ge1
      switchport mode access
      switchport access vlan 20
     interface ge2
      switchport mode access
      switchport access vlan 20
     interface ge3
      switchport mode access
      switchport access vlan 20
     interface ge4
      switchport mode access
      switchport access vlan 26
     interface ge5
      description INTERNET
      switchport mode access
      switchport access vlan 4094
     interface vlan20
      description USERS
      ip address 192.168.20.1/24
      ip nat inside
     interface vlan26
      description CACHE
      ip address 192.168.26.1/24
      ip nat inside
     interface vlan4094
      description INTERNET
      ip address dhcp
      ip dhcp client request options all
      use ip-access-list in INTERNET-INBOUND
      ip nat outside
     use dhcp-server-policy default
     logging on
     logging console warnings
     logging buffered warnings
     ip nat inside source list NAT interface vlan4094 overload
     use routing-policy PBR
    end