WatchGuard Training
Agenda
Traffic Management and Quality of Service (QoS)
VLAN
• Basic (Trusted/Optional, External)
• Advanced (FireCluster with devices in different locations)
Routing on XTM Devices
• Static
• Dynamic (BGP, OSPF, RIP)
Enhanced Net Failover
Public IP Address subnet behind XTM (DMZ with Public IP)
Tunnel Switching
• Manual
• Managed
Special Scenario – Advanced BOVPN Test Case
• BOVPN with dual active gateways on both ends, load-sharing/failover
Traffic Management and QoS
Guarantee or limit bandwidth
Control the rate at which the XTM device sends packets to the network
Prioritize when to send packets to the network
Disabled by default. To enable,
TM - Guaranteed Bandwidth
The minimum amount of bandwidth allocated to a specific policy or group of policies at any given time
Bandwidth is measured as outgoing with respect to an interface
When the maximum is set to 0, the policy can use up to the line speed, depending on the utilization of the link
TM - Restricted Bandwidth
The maximum amount of bandwidth a specific policy or group of policies can use at any given time
Bandwidth is measured as outgoing with respect to an interface
When the minimum is set to 0, no bandwidth is reserved for the policy or group of policies
TM – Helpful Hints
The total amount of guaranteed bandwidth for all Traffic Management Actions in use must not exceed the line speed of the corresponding interface(s).
All hosts using the same policy with a TM Action in effect share the allocated bandwidth when it is restricted.
Always note the traffic direction when implementing a TM Action.
Quality of Service (QoS)
Marking Types
• IP Precedence (aka Class of Service)
• Differentiated Services Code Point (DSCP)
Marking Methods
• Preserve
• Assign
• Clear
QoS – Interface Settings
The interface QoS settings are the defaults applied to all traffic passing through that interface.
QoS – Policy Override
Supersedes the QoS settings of the interface that the traffic allowed by this policy passes through.
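As an added example (not WatchGuard's code), the following Python shows how the three marking methods act on the two marking types at the bit level of the IPv4 TOS byte, and how a policy override takes precedence over the interface default. The bit-level details (ECN bits left untouched, "Clear" meaning "set the chosen field to 0") and the action dict format are this example's assumptions; the slides do not state them.

```python
# Added example (not WatchGuard code): how the marking methods on the slides act on the
# IPv4 TOS byte. Layout: bits 7-5 IP Precedence, bits 7-2 DSCP (Precedence is its top
# 3 bits), bits 1-0 ECN. Leaving ECN untouched and "Clear" meaning "set the chosen
# field to 0" are this example's assumptions; the slides do not state bit-level detail.

def precedence(tos):
    return tos >> 5

def dscp(tos):
    return tos >> 2

def ecn(tos):
    return tos & 0x3

def apply_marking(tos, method, mark_type, value=0):
    """Apply one marking action (Preserve / Assign / Clear) of one marking type
    (IP Precedence / DSCP) to a TOS byte and return the new TOS byte."""
    if method == "Preserve":
        return tos
    if method == "Clear":
        value = 0
    elif method != "Assign":
        raise ValueError(f"unknown marking method {method!r}")
    if mark_type == "IP Precedence":
        if not 0 <= value <= 7:
            raise ValueError("IP Precedence is a 3-bit field")
        return (value << 5) | (tos & 0x1F)   # keep the low DSCP bits and ECN
    if mark_type == "DSCP":
        if not 0 <= value <= 63:
            raise ValueError("DSCP is a 6-bit field")
        return (value << 2) | ecn(tos)       # keep ECN
    raise ValueError(f"unknown marking type {mark_type!r}")

def effective_marking(tos, interface_action, policy_action=None):
    """The policy's QoS setting, when present, supersedes the interface default
    (slide 'QoS - Policy Override'); otherwise the interface setting applies.
    Actions are dicts with keys method, mark_type and optional value (assumed format)."""
    action = policy_action if policy_action is not None else interface_action
    return apply_marking(tos, **action)
```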
Not So Basic VLAN – Use Case
Customer requires redundancy on the LAN and has at least two managed switches that support Spanning Tree Protocol (STP). Zones are segregated into VLANs.
VLAN Switches and FireCluster
Diagram labels: ISP-1, ISP-2, Trunk, and the VLANs:
• VLAN 10 – External-1
• VLAN 20 – External-2
• VLAN 30 – Trusted
• VLAN 40 – FireCluster IF
VLAN Switches and FireCluster – Use Case
Customer has a Head Office and a DR Site but opts to buy only one XTM for each site.
It is recommended to have two private lines (TRUNK) from different providers to ensure redundancy at all times.
Internet lines from two ISPs are terminated one at each end.
Static Routing on a Point-to-Point Link
Point-to-Point Link: 192.168.100.0/30
To reach 10.0.30.0/24 from this network: Static Route to 10.0.30.0/24, Next Hop (Gateway) is 192.168.100.2
To reach 10.0.20.0/24 from this network: Static Route to 10.0.20.0/24, Next Hop (Gateway) is 192.168.100.1
Static Routing on a Multi-Hop Link
To reach 10.0.30.0/24 from this network:
• First, Static Route to 10.0.30.0/24, Next Hop (Gateway) is 192.168.1.2
• Then, Static Route to 10.0.30.0/24, Next Hop (Gateway) is 172.16.0.2
• Finally, Static Route to 10.0.30.0/24, Next Hop (Gateway) is 192.168.5.253
To reach 10.0.20.0/24 from this network:
• First, Static Route to 10.0.20.0/24, Next Hop (Gateway) is 192.168.5.254
• Then, Static Route to 10.0.20.0/24, Next Hop (Gateway) is 172.16.0.1
• Finally, Static Route to 10.0.20.0/24, Next Hop (Gateway) is 192.168.1.1
Note that Static Routes must be correctly and consistently defined on the Firebox/XTM devices and the routers in between
Dynamic Routing Tips:
To establish Dynamic Routing, both ends must be able to reach the interface they are trying to peer with.
Point-to-Point links are no issue, since the opposite interface is on the same directly connected subnet.
For Multi-Hop links such as MPLS, routes to the peering interfaces must be established first before Dynamic Routing can come up.
Dynamic Routing on a Multi-Hop Link
Peering Interfaces
Initially this Firebox does not know how to reach the remote peering interface. Similarly, this XTM does not know how to reach the other remote peering interface.
We need to let this Firebox know how to get to 192.168.5.253:
• First, Static Route to 192.168.5.252/30, Next Hop (Gateway) is 192.168.1.2
• Then, Static Route to 192.168.5.252/30, Next Hop (Gateway) is 172.16.0.2
Likewise, this XTM must know the return path to 192.168.1.1:
• First, Static Route to 192.168.1.0/30, Next Hop (Gateway) is 192.168.5.254
• Then, Static Route to 192.168.1.0/30, Next Hop (Gateway) is 172.16.0.1
Test if the Peering Interfaces are Reachable
Use the Diagnostic Task to do an Extended Ping.
This is an extended ping from the Firebox: Source address is 192.168.1.1 and Destination Address is 192.168.5.253.
If both interfaces are reachable from the opposite ends, you are now ready to define your Dynamic Routing.
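As an added example (not WatchGuard's code), the following Python walks a packet hop by hop through the slides' multi-hop topology using each device's static routes. It reproduces what the extended ping verifies (192.168.1.1 and 192.168.5.253 reaching each other) and flags the two mistakes the slides warn about: a router in between with no route for the target subnet, and next hops that point in the wrong direction. Assumed: the /30 mask on the 172.16.0.x link and the 10.0.20.1 / 10.0.30.1 LAN gateway addresses; all other addresses and routes are the slides' own.

```python
import ipaddress

# Constructed from the slides' multi-hop example (added example, not WatchGuard code):
# Firebox 192.168.1.1 -- Router-1 (192.168.1.2 / 172.16.0.1) -- Router-2 (172.16.0.2 /
# 192.168.5.254) -- XTM 192.168.5.253. Assumed: /30 on the 172.16.0.x link and the
# 10.0.20.1 / 10.0.30.1 LAN addresses. Routes are the slides' First/Then/Finally routes.
DEVICES = {
    "Firebox":  {"ifaces": ["192.168.1.1/30", "10.0.20.1/24"],
                 "routes": {"10.0.30.0/24": "192.168.1.2", "192.168.5.252/30": "192.168.1.2"}},
    "Router-1": {"ifaces": ["192.168.1.2/30", "172.16.0.1/30"],
                 "routes": {"10.0.30.0/24": "172.16.0.2", "192.168.5.252/30": "172.16.0.2",
                            "10.0.20.0/24": "192.168.1.1"}},
    "Router-2": {"ifaces": ["172.16.0.2/30", "192.168.5.254/30"],
                 "routes": {"10.0.30.0/24": "192.168.5.253", "10.0.20.0/24": "172.16.0.1",
                            "192.168.1.0/30": "172.16.0.1"}},
    "XTM":      {"ifaces": ["192.168.5.253/30", "10.0.30.1/24"],
                 "routes": {"10.0.20.0/24": "192.168.5.254", "192.168.1.0/30": "192.168.5.254"}},
}

def _owner(devices, ip):
    """Name of the device that holds interface address ip, or None."""
    return next((n for n, d in devices.items()
                 if any(ipaddress.ip_interface(i).ip == ip for i in d["ifaces"])), None)

def trace(devices, src, dst, max_hops=16):
    """Forward a packet for dst hop by hop from device src, as the routers would.
    Returns (True, path) on delivery, or (False, reason) when a hop has no route,
    points at a next hop it is not directly connected to, or the path loops."""
    dst, cur, path = ipaddress.ip_address(dst), src, [src]
    for _ in range(max_hops):
        dev = devices[cur]
        connected = [ipaddress.ip_interface(i).network for i in dev["ifaces"]]
        if any(dst in n for n in connected):            # deliverable on a local subnet
            owner = _owner(devices, dst)
            if owner is None:
                return False, f"{cur}: {dst} is on a connected subnet but no device has it"
            return True, path if owner == cur else path + [owner]
        # longest-prefix match over this device's static routes
        matches = [(ipaddress.ip_network(p), gw) for p, gw in dev["routes"].items()
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            return False, f"{cur}: no route to {dst}"
        gw = ipaddress.ip_address(max(matches, key=lambda m: m[0].prefixlen)[1])
        if not any(gw in n for n in connected):
            return False, f"{cur}: next hop {gw} is not on a directly connected subnet"
        cur = _owner(devices, gw)
        if cur is None:
            return False, f"next hop {gw} is not configured on any device"
        path.append(cur)
    return False, "hop limit exceeded: next hops point in a circle"
```

Running `trace` in both directions between the peering interfaces is the software equivalent of the two extended pings; deleting or reversing one of Router-2's routes shows the failure the "Additional Tips" describe.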
Which Dynamic Routing Protocol to use?
Open Shortest Path First (OSPF) is a Link-State Routing Protocol and is commonly used for Point-to-Point links.
Border Gateway Protocol (BGP) and Routing Information Protocol (RIP) are examples of Distance-Vector Routing Protocols.
RIP relies only on link cost, while BGP prioritizes preference over link cost. BGP is commonly used for multi-hop links.
Enhanced Net Failover Feature
Launched in XTM Version 11.3.1
• Routes internal traffic over to the BOVPN when the internal link becomes unavailable
• Works only between Firebox or XTM devices on both ends
• Works in conjunction with Static Routing or Dynamic Routing
• Internal link can be a simple Leased Line (or Fiber Optic) or connectivity through an MPLS Network
When used with Enhanced Net Failover:
Static Routing
• Advantage: Works in a FireCluster environment
• Disadvantage: Failover has to be triggered manually by removing the static routes on both ends
Dynamic Routing
• Advantage: Failover is triggered automatically
• Disadvantage: FireCluster does not support Dynamic Routing, therefore it does not work in such an environment
This Feature Requires:
• BOVPN skills
• Firebox or XTM devices on both ends
• When used with Dynamic Routing, the device should be at least an XTM 2 Series
• Static or Dynamic Routing on the Firebox or XTM devices
• Spare Interface for the Internal Routing on each end
Configure BOVPN
Configure the BOVPN just like any regular BOVPN. Go to VPN, then VPN Settings…
Additional Tips
Failover from Dynamic Routing to BOVPN takes about 150 seconds. (Hope this gets improved in future releases).
When using Static Routing, you must remove the static routes manually on both devices. This is because the interface IP address can still be reached (e.g. by ping) even after you unplug the cable, so the Firebox/XTM keeps routing the subnet: it assumes that the next hop, which is on the same subnet as the interface IP address, is still reachable.
There are cases where you will need to add static routes for the target subnets on each side to multiple routers in between. Make sure your next hops point in the right direction.
Most MPLS networks don't require static routes in between, especially if they use iBGP and redistribute routes into their Virtual Routing and Forwarding (VRF) instances.
Public IP Address subnet behind XTM
Diagram labels: Internet – Router (202.80.78.1/30) – XTM external interface (202.80.78.2/30); networks behind the XTM: 206.197.101.0/24 and 192.168.1.0/24
The appropriate example of Mixed Routed Mode (Routing + NAT)
A Static Route must be present in the Router for subnet 206.197.101.0/24 with next hop 202.80.78.2
Public IP Address subnet behind XTM – Policy
NAT has no bearing on the inbound and outbound policies
For inbound policies the destination address is the IP address or Hostname of the target host or server
Tunnel Switching Overview
The traffic is passed from the trusted network of Remote Office A to the trusted network of Remote Office B without creating a third BOVPN tunnel between the two remote offices.
Useful when you require control of network security at the Central Office.
Policies can be applied to traffic between the two tunnels at the Central Office.
Tunnel Switching – Remote Office and Group
The Central Office announces Remote A's subnet to Remote B as a Local Subnet in the Tunnel Routes, effectively creating a Group A.
The Central Office announces Remote B's subnet to Remote A as a Local Subnet in the Tunnel Routes, effectively creating a Group B.