Configuring IPS High Bandwidth Using EtherChannel Load Balancing



Similar documents
Chapter 2 Lab 2-2, Configuring EtherChannel Instructor Version

Configuring EtherChannel and 802.1Q Trunking Between Catalyst L2 Fixed Configuration Switches and Catalyst Switches Running CatOS

6/8/2011. Document ID: Contents. Introduction. Prerequisites. Requirements. Components Used. Conventions. Introduction

How To Balance On A Cisco Catalyst Switch With The Etherchannel On A Fast Ipv2 (Powerline) On A Microsoft Ipv1 (Powergen) On An Ipv3 (Powergadget) On Ipv4

- EtherChannel - Port Aggregation

Configuring EtherChannels

FWSM introduction Intro 5/1

Configuring EtherChannels

LINK AGGREGATION INTEROPERABILITY OF THE DELL POWERCONNECT 6200 SERIES

Application Note Gigabit Ethernet Port Modes

Chapter 7 Lab 7-1, Configuring Switches for IP Telephony Support

Configuring Redundancy

How To Configure Link Aggregation On Supermicro Switch 2 And 3 (Lan) On A Microsoft Vlan 2 And Vlan 3 (Vlan) (Lan 2) (Vlans) (Lummer) (Powerline) (

Link Aggregation Interoperability of the Dell PowerConnect 5316M with Cisco IOS or Cisco CatOS based Switches. By Bruce Holmes

Lab 7-1 Configuring Switches for IP Telephony Support

Configuring Link Aggregation

Network Detector Setup and Configuration

Link Aggregation Interoperability of the Dell PowerConnect M6220 with Cisco IOS or Cisco CatOS Based Switches

Flow-Based per Port-Channel Load Balancing

Device Interface IP Address Subnet Mask Default Gateway

hp ProLiant network adapter teaming

Chapter 3. Enterprise Campus Network Design

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

How to Create VLANs Within a Virtual Switch in VMware ESXi

BLADE PVST+ Spanning Tree and Interoperability with Cisco

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Cisco Networking Academy CCNP Multilayer Switching

Virtual PortChannels: Building Networks without Spanning Tree Protocol

Lab Use Network Inspector to Observe STP Behavior

Enterprise Data Center Topology

Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation

Monitoring Load-Balancing Services

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

What is VLAN Routing?

Exhibit n.2: The layers of a hierarchical network

Firewall Load Balancing

Configuring DHCP Snooping

Configuring Port Security

Lab - Using IOS CLI with Switch MAC Address Tables

How To Configure InterVLAN Routing on Layer 3 Switches

NetFlow Subinterface Support

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example

Load Balancing ContentKeeper With RadWare

Interconnecting Cisco Networking Devices Part 2

Configuring LACP (802.3ad) Between a Catalyst 6500/6000 and a Catalyst 4500/4000

Migrate from Cisco Catalyst 6500 Series Switches to Cisco Nexus 9000 Series Switches

Networking and High Availability

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing

Auspex Support for Cisco Fast EtherChannel TM

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Configuring the Switch for the Firewall Services Module

Configuring Traffic Storm Control

Skills Assessment Student Training Exam

Enabling NetFlow and NetFlow Data Export (NDE) on Cisco Catalyst Switches

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example

Networking and High Availability

CT5760 Controller and Catalyst 3850 Switch Configuration Example

Optimum Business SIP Trunk Set-up Guide

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

TotalCloud Phone System

LANs and VLANs A Simplified Tutorial

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, :32 pm Pacific

F-SECURE MESSAGING SECURITY GATEWAY

Lab Load Balancing Across Multiple Paths

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

LiveAction Application Note

Network Configuration Example

Link Load Balancing :50:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Network Analysis Modules

Security Considerations in IP Telephony Network Configuration

White Paper. Intrusion Detection Deploying the Shomiti Century Tap

CCT vs. CCENT Skill Set Comparison

Best Practice Recommendations for Implementing VLANs in a ShoreTel VoIP Environment with IP Phones

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

SonicOS Enhanced Release Notes

LAB THREE STATIC ROUTING

Scaling Next-Generation Firewalls with Citrix NetScaler

VMware ESX Server Q VLAN Solutions W H I T E P A P E R

How To Understand and Configure Your Network for IntraVUE

: Interconnecting Cisco Networking Devices Part 2 v1.1

Network Agent Quick Start

Using Virtual Switches in PowerVM to Drive Maximum Value of 10 Gb Ethernet

Advanced Network Services Teaming

Cisco NetFlow Generation Appliance (NGA) 3140

Lab Diagramming Intranet Traffic Flows

DATA CENTER. Best Practices for High Availability Deployment for the Brocade ADX Switch

Troubleshooting Bundles and Load Balancing

Blue Coat Security First Steps Transparent Proxy Deployments

Data Center Multi-Tier Model Design

How To Set Up A Virtual Network On Vsphere (Vsphere) On A 2Nd Generation Vmkernel (Vklan) On An Ipv5 Vklan (Vmklan)

Configuring DHCP Snooping and IP Source Guard

RECORDING VoIP TRAFFIC via PORT MIRRORING

Barracuda Link Balancer

Configuring InterVLAN Routing and ISL/802.1Q Trunking on Catalyst 2900XL/3500XL/2940/2950/2970 Series Switches Using an External Router

Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels

Clustering. Configuration Guide IPSO 6.2

Best Practices: Pass-Through w/bypass (Bridge Mode)

Transcription:

Configuring IPS High Bandwidth Using EtherChannel Load Balancing This guide helps you to understand and deploy the high bandwidth features available with IPS v5.1 when used in conjunction with the EtherChannel Load Balancing (ECLB) feature of Cisco Catalyst OS 8.5(1) and Cisco Catalyst IOS. This document has three parts: Introduction EtherChannel and how ECLB works in conjunction with IPS appliances. ECLB/IPS Deployment step-by-step configuration and analysis of ECLB and IPS deployment. Catalyst IOS ECLB Deployment step-by-step configuration and analysis of Catalyst IOS ECLB deployment. Introduction Cisco EtherChannel Cisco EtherChannel technology builds upon standards-based 802.3 full-duplex Fast Ethernet to provide network managers with a reliable, high-speed solution for the campus network backbone. EtherChannel technology provides bandwidth scalability within the campus by providing up to 800 Mbps, 8 Gbps, or 80 Gbps of aggregate bandwidth for a Fast EtherChannel, Gigabit EtherChannel, or 10 OL-10391-01 1

Introduction Gigabit EtherChannel connection, respectively. Each of these connection speeds can vary in amounts equal to the speed of the links used (100 Mbps, 1 Gbps, or 10 Gbps). Even in the most bandwidth-demanding situations, EtherChannel technology helps aggregate traffic and keep oversubscription to a minimum, while providing effective link-resiliency mechanisms. For more information on Cisco EtherChannel technology see: Cisco EtherChannel Technology Understanding EtherChannel Load Balancing and Redundancy on Catalyst Switches Document ID: 12023 IPS v5.1 High Bandwidth Overview ECLB is a feature of Catalyst switch code that allows a Catalyst switch to split flows over different physical paths. With this technology you can place multiple IPS appliances in on-a-stick mode, clustered on an EtherChannel, to split load among the sensors. This deployment results in, incremental IPS bandwidth increase for each IPS appliance you add to the ether-channel. So if you start with a single IPS appliance with a throughput of 500 megabytes (MB) and then add a second sensor with the same throughput capabilities to the EtherChannel, you will have 1 gigabyte of resulting throughput. You should understand the following about deploying ECLB: Although the ECLB name insinuates load balancing, it is not. It is actually load splitting. ECLB works by hashing the source and destination IP addresses of a flow to determine what physical port a flow should take when traversing the Catalyst. ECLB for IPS Service Modules works only with IPS v5.1 (or later) and Cisco Catalyst OS 8.5(1) (or later) on the CAT6k platform and Cisco Catalyst IOS. ECLB for IPS appliances works with both CatOS and Cat IOS. The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch. Up to eight ports can be defined in an EtherChannel. This means that you can add up to eight IPS appliances on a single Catalyst switch. 2 OL-10391-01

Introduction Although native ECLB can use multiple hash algorithms, IPS has only been tested using the source and destination IP address as the EtherChannel Hash algorithm. ECLB guarantees that return traffic takes the same path as the initial traffic flow, thereby ensuring that IPS appliances have the symmetric traffic path required to work effectively. The IPS solution does not maintain state if a sensor goes down and that TCP flow is forced through a different IPS appliance. The resulting TCP flow must be reset before traffic can continue to flow. ECLB Packet Profile ECLB IPS Basic Design Example This section has four parts: ECLB IPS Basic Design Example Explains the basic VLAN design for ECLB. ECLB Flow #1 Provides an initial ECLB packet flow example. ECLB Flow #2 Provides a subsequent ECLB packet flow example. Value-Add of ECLB and IPS On-a-Stick - Explains the value added by ECLB and IPS on-a-stick when joined. Figure 1 details how ECLB works. There are two IPS appliances in this deployment. One is connected to port 2/22 on the Catalyst switch, the other is connected to port 2/23. Both are using 802.1q trunking VLANs 10 and 11. Both ports have been set to trunk the appropriate VLANs and added to the same EtherChannel. OL-10391-01 3

Introduction Figure 1 VLAN Design for ECLB The source IP address is 10.1.10.1, which is part of VLAN 10, and the destination address is 10.1.20.1, which is part of VLAN 20. VLAN11 is a key part of the IPS on-a-stick implementation. Since we are routing between subnets (10.1.10.x <-> 10.1.20.x) we need to define a gateway for those subnets on the MSFC. However, if you define an address on the MSFC for VLAN10, the client uses address resolution protocol (ARP) for their default gateway and the switch passes their packets directly to each other around the IPS. The traffic would never be seen or evaluated by an IPS appliance. To get around this problem, IPS simply bridges the same subnet between two VLANS, 10 and 11. So you must define your MSFC gateway on VLAN 11. This forces traffic to go through the IPS appliance for evaluation before routing takes place. 4 OL-10391-01

Introduction VLAN 11 must be associated with a hardware port and that port must have a link. We achieve that in this example by pulling a cable into another switch port allocated just for that purpose. For the procedure to configure this deployment, see ECLB/IPS Deployment, page 9. ECLB Flow #1 For the first flow, shown in Figure 2, we source traffic from VLAN 10 destined to VLAN 20. A step-by-step synopsis of how ECLB traffic passes though the switch follows: 1. The first packet with a source address in 10.1.10.1 (VLAN 10) and a destination of 10.1.20.1 (VLAN20) is generated and placed on the Catalyst back plane. 2. The ECLB engine evaluates the packet and creates a hash using the source and destination IP addresses. 3. Based on the result of the hash and the number of ports defined in ECLB, the engine decides to which port to forward the packet. In this example the path it takes is via port 2/22. 4. The IPS appliance that is connected to port 2/22 gets the packet that came from VLAN 10, so it has a VLAN 10 tag on the front of the packet. 5. The IPS on port 2/22 evaluates the traffic against it's IPS engine. If the traffic is OK, a new tag of VLAN11 is added to the packet and it is put back out the same port. If there is an alert fired, IPS appliance takes whatever action is defined for that alert, including possibly a Deny Packet action. 6. After the packet arrives in VLAN 11, the switch knows (because of ARP and ARP replies) what port the end device resides on in VLAN 11 (the MSFC's interface in VLAN 11) and forwards the packet there. 7. Traffic that has been put back out on the 2/22 port is then evaluated by the MSFC for routing. 8. The MSFC/Supervisor sees the destination subnet of 10.1.20.x and works in conjunction with the ARP tables to direct the packet to the appropriate port. OL-10391-01 5

Introduction Figure 2 ECLB Flow #1 ECLB maps a flow to a physical port within an EtherChannel; in this case port 2/22. This mapping will persist until the flow is torn down. ECLB Flow #2 The traffic path for the second flow, shown in Figure 3, is almost exactly the same as the first except that, based on the ECLB calculation that another path is selected, this time the selected path includes the port to which we have connected the other IPS appliance. Therefore, we effectively split our load and increase our bandwidth using the integrated technology of ECLB and IPS on-a-stick mode. 6 OL-10391-01

Introduction In the second flow, we are going to set up traffic from source VLAN 10 to destination VLAN 40. A step-by-step synopsis of how ECLB traffic passes though the switch follows: 1. The first packet, with a source address in VLAN 10 10.1.10.1 and a destination of VLAN40 10.1.40.1, is generated and placed on the back plane. The ECLB engine evaluates the packet and creates a hash using the source and destination IP addresses. Based on the result of the hash and the number of ports defined in ECLB, the engine decides to which port to forward the packet. In this example, the path it takes is via 2/23, which is the second IPS appliance in the EtherChannel. The IPS appliance that is connected to port 2/23 gets the packet that came from VLAN 10, so it has a VLAN 10 tag on the front of the packet. The IPS appliance on 2/23 evaluates the traffic against it's IPS engine. If the traffic is OK, a new tag of VLAN11 is added to the packet and it is put back out the same port. If there is a alert fired, the IPS appliance takes whatever action is defined for that alert, including a drop packet. Traffic that has been put back out on the 2/23 port is then evaluated by the MSFC for routing. The MSFC sees the destination subnet of 10.1.40.x and works in conjunction with the ARP tables to route the packet to the appropriate port. OL-10391-01 7

Introduction Figure 3 ECLB Flow # 2 A new connection is requested. ECLB maps a flow to a physical port within an EtherChannel; in this case port 2/23. You can see from the example that the load has been distributed to different paths using the bandwidth of both IPS appliances. Value-Add of ECLB and IPS On-a-Stick Simply stated, incremental IPS throughput is the value-add for ECLB in conjunction with IPS on-a-stick. With the addition of ECLB you can take an existing high-end system with approximately 750 megabytes of protection and turn that into (750meg * 8) or approximately 6 Gigs of theoretical IPS throughput. 8 OL-10391-01

ECLB/IPS Deployment ECLB/IPS Deployment To properly deploy ECLB you must perform a number of basic tasks. These tasks are detailed in the following sections: Configure the IPS Appliances Configure the CAT6K - L2 Configure the CAT6K MSFC - L3 Test the ECLB Configurations This section is a step-by-step guide on how to deploy the example scenario that was described in the ECLB Packet Profile section. We are going to put two IPS appliances on an EtherChannel that will bridge traffic between VLAN 10 and VLAN 11. You must configure the IPS appliance first. Otherwise layer two will not be up and the EtherChannel and trunks on the Catalyst will not come up correctly. Configure the IPS Appliances Step 1 Run SETUP on both IPS appliances. a. Set the password if required. b. Configure the sensor name. c. Configure the sensor management address and gateway. d. Configure your management access lists. Tip You do not need to define any interfaces at this point. Step 2 e. Save the configuration Launch IDS for both IPS appliances. a. Enable the interface that you plan to use on each device. Tip In our example, the on-a-stick interface from one IPS appliance is connected to 2/22 the other to 2/23 on the CAT6K device. OL-10391-01 9

ECLB/IPS Deployment b. Configure the VLAN pairs. Use the correct interface, a sub-interface of 1, and subnets of 10 and 11. c. Associate the VLAN pairs to the virtual sensor interface. Configure the CAT6K - L2 Having configured the IPS appliances, you now configure the CAT6K device. Step 1 Step 2 Configure the following information: a. Set port 2/31 to 10. b. Set port 2/32 to 20. c. Set port 2/30 to 30. d. Set port 2/33 to 40. e. Set port 2/31 to 10. f. Set trunk 2/22 to none. g. Set trunk 2/23 to none. h. Set trunk 2/22 to noneg dot1q 10,11. i. Set trunk 2/23 to noneg dot1q 10,11. j. Set port channel 2/22 mode to on. k. Set port channel 2/23 mode to on. Verify that the EtherChannel has come up correctly. a. Enter the following command: Console> (enable) sh channel stat b. Confirm the channel statistics report complies with Table 1. 10 OL-10391-01

ECLB/IPS Deployment Table 1 Channel Statistics Port 2/22 Port 2/23 Channel 1708 1708 Transmitted 0 0 Received 0 0 InFlush 0 0 RetnFlush 0 0 OutFlush 0 0 InError 0 0 Configure the CAT6K MSFC - L3 Next, configure the IP address for interfaces VLAN 11, VLAN 20, VLAN 30, and VLAN 40. Step 1 Configure VLAN 11 to use 10.1.10.254 /24. Step 2 Configure VLAN 20 to use 10.1.20.254 /24. Step 3 Configure VLAN 30 to use 10.1.30.254 /24. Step 4 Configure VLAN 40 to use 10.1.40.254 /24. Test the ECLB Configurations The next step in recreating the example is to test the ECLB configurations. Step 1 Do a continuous ping from the attack server to 10.1.20.1. Step 2 Do a continuous ping from the attack server to 10.1.30.1. OL-10391-01 11

ECLB/IPS Deployment Step 3 Do a continuous ping from the attack server to 10.1.40.1. Tip You must do all three pings or the results from this lab may be very misleading. Step 4 Verify on the CAT6K that some traffic is traversing both port 2/22 and port 2/23. a. Enter the following command: Console> (enable) sh channel traff b. Confirm the traffic reported is similar to that shown in Table 2. Table 2 Cat 6K Channel Traffic Port 2/22 Port 2/23 Channel ID 1708 1708 Port 2/22 2/23 Rx-Ucst 63.57% 36.43% Tx-Ucst 63.57% 36.43% Rx-Mcst 99.66% 0.34% Tx-Mcst 91.49 8.51% Rx-Bcst 0.00% 100.00% Tx-Bcst 0.00% 100.00% You should see approximately 33% of the traffic on one interface and 66% on the other interface. 12 OL-10391-01

Catalyst IOS ECLB Deployment Catalyst IOS ECLB Deployment This section details how to configure and test CAT IOS ECLB. Configure Catalyst IOS ECLB Step 1 Step 2 Step 3 Step 4 Step 5 Set port 2/31 to vlan 10 with the following commands: interface FastEthernet2/31 no ip address switchport switchport access vlan 10 Set port 2/32 to vlan 20 with the following commands: interface FastEthernet2/32 no ip address switchport switchport access vlan 20 Set port 2/30 to vlan 30 with the following commands: interface FastEthernet2/30 no ip address switchport switchport access vlan 30 Set port to vlan 2/33 40 with the following commands: interface FastEthernet2/33 no ip address switchport switchport access vlan 40 Set trunk 2/22 noneg dot1q 10,11 and apply EtherChannel to that trunk with the following commands: interface FastEthernet2/22 no ip address switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 10,11 switchport mode trunk channel-group 2 mode on OL-10391-01 13

Catalyst IOS ECLB Deployment Step 6 Step 7 Set trunk 2/23 noneg dot1q 10,11 with the following commands: interface FastEthernet2/23 no ip address switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 10,11 switchport mode trunk channel-group 2 mode on Configure the ELCB engine to use the source and destination IP addresses for is hash calculation port-channel load-balance src-dst-ip Test the CAT IOS ECLB Configurations After you configure the CAT IOS ECLB, next you must test it. Step 1 Do a continuous ping from the attack server to 10.1.20.1. Step 2 Do a continuous ping from the attack server to 10.1.30.1. Step 3 Do a continuous ping from the attack server to 10.1.40.1. Tip Step 4 You must do all three pings or the viewing of the results from this lab may be very misleading. Verify on the Catalyst IOS that traffic is traversing both ports in the EtherChannel: port Fastethernet2/22 and port Fastethernet 2/23. Enter the following commands to see which port will be used for each address pair: test etherchannel load-balance interface port-channel 2 ip 10.1.10.1 10.1.20.1 test etherchannel load-balance interface port-channel 2 ip 10.1.10.1 10.1.30.1 test etherchannel load-balance interface port-channel 2 ip 10.1.10.1 10.1.40.1 14 OL-10391-01

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information