Course Overview, A&C, SLB


Course 500-101 Overview, A&C, SLB

Filtering

Welcome to the module on filtering.

Course 7964 Application Switch A&C Direct Access Mode / Proxy IP

Objectives
- Understand filtering
- Understand selection criteria
- Know how to use filtering for NAT and HTTP/HTTPS redirection
- Know how to use filtering for transparent redirection

By the end of this section, you will understand filtering and the selection criteria used in filtering. You will also learn how to use filtering for NAT, HTTP-to-HTTPS redirection and transparent redirection.

Overview

First, let's learn about filtering and its benefits.

Filtering Overview
- Filters are a flexible set of rules that are applied to traffic before any other action.
- Filters can be applied either per port or per VLAN.
- With filtering, administrators control the traffic through the switch and process it based on rules.
- The Alteon Application Switch Operating System includes extensive filtering capabilities at Layer 2 (MAC), Layer 3 (IP) and Layer 4 (TCP/UDP).

Filtering Overview (cont.)

Filtering gives the network administrator a powerful tool: control over the types of traffic permitted through the switch. Its benefits are:
- Filters can be configured to allow or deny traffic based on Layer 2 to Layer 7 criteria (MAC address, IP address and higher-layer fields).
- NAT can be used to map the source or destination IP address.
- Transparent traffic can be intercepted and redirected, including its ports.
- A bandwidth management contract can be applied based on the selected criteria.

Selection Criteria

Now that we have an overview of filtering, let's see what the selection criteria are.

Policy-Based Filtering Engine

Parameter(s), combined with AND or NOR, lead to an action on frame ingress:
- Layer 2: MAC source/destination address, VLAN ID, 802.1p
- Layer 3: IP source/destination address, IP TOS
- Layer 4: protocol, ICMP message types, TCP/UDP source/destination port, TCP flags
- Layer 7: URL and cookie
Actions: allow, deny, redirect, goto, NAT.

Up to 2048 filters can be configured on the Alteon, and descriptive names can be used to define them. Each filter can be set to perform a filtering action based on any combination of the following options:
- source MAC address
- destination MAC address
- source IP address or range
- destination IP address or range
- protocol number or name
- TCP/UDP application, source port or source port range
- TCP/UDP application, destination port or destination port range
- advanced options such as TCP flags or ICMP message types
- Layer 7 URL and cookie

A filtering action instructs the filter what to do once the filtering criteria are matched:
- allow: let the frame pass (the default).
- deny: discard frames that fit this filter's profile; this can be used for building basic security profiles.
- redir: redirect frames that fit this filter's profile, for example for web cache redirection.
- goto: jump to a specified target filter ID when a match occurs, effectively skipping over a block of filter IDs; the filter search then continues from the designated filter.
- nat: perform generic Network Address Translation, mapping the source or destination IP address and port information of a private network scheme to/from the advertised network IP address and ports.

Filter Usage
- Configure filters globally (the rule base); one or more parameters can be checked; up to 2048 filters per Application Switch.
- Assign them locally, per physical port.
- The filter number determines the order of precedence.
- Number filters in small increments.
- Filters can be named.
- Once a filter's parameters match, its action is executed.
- Default filter: used when no other filter matches.

Using these filter criteria, you could create a single filter that blocks external Telnet traffic to your main server except from a trusted IP address. Another filter could warn you if FTP access is attempted from a specific IP address. Another could redirect all incoming e-mail traffic to a server where it can be analyzed for spam. The options are nearly endless.

Filters are configured globally, and one or more parameters can be checked; there may be up to 2048 filters per Alteon. The filters are then assigned locally, per physical port. When multiple filters are stacked together on a port, the filter's number determines its order of precedence: the filter with the lowest number is checked first. When traffic arrives at the switch port, the first filter that matches has its configured action applied and the rest of the filters are ignored; if a filter's criteria do not match, the next filter is tried.

It is recommended practice to number filters in small increments (5, 10, 15, 20, and so on) to make it easier to insert filters into the list later. However, as the number of filters increases, you can improve performance by minimizing the increment between filters. Filters can be given names.

Before filtering is enabled on any given port, a default filter should be configured. This filter handles any traffic not covered by any other filter, so all of its criteria must be set to the full range possible (any). Because the default filter decides what happens to everything you did not explicitly match, choose its action (allow or deny) deliberately.

Source and Destination IPs

When using SIP (source IP) and DIP (destination IP) to define a filter there are several considerations:
- SIP or DIP can be a single IP address.
- SIP and DIP can be a network; from/to address ranges are not supported.
- If the SIP (or DIP) denotes a network, you must also define the smask and/or dmask.
Example: SIP = 10.10.10.0 with SMASK = 255.255.255.0; or SIP = 10.10.10.34, where no smask is needed.

You can specify a range of IP addresses for filtering on the source and/or destination address of traffic. When a range is needed, the source or destination IP address defines the base address of the desired range, and the source or destination mask is the mask applied to produce the range.

Example

All HTTP traffic needs to be sent to a transparent proxy server: a filter on port 80 intercepts it and redirects it to the proxy. (Diagram: HTTP traffic from client 1.2.3.4:2000; proxy server 2.2.2.2; DNS server; 1.1.1.1.)

For example, let's say all HTTP traffic needs to be sent to a transparent proxy server. We would create a filter to intercept the HTTP traffic and redirect it to the proxy server.

Optimizing Filter Performance

Filter efficiency can be increased by placing the filters that are used most often near the beginning of the filtering list. It is recommended practice to number filters in small increments (5, 10, 15, 20, and so on) so that filters can be inserted into the list later. However, as the number of filters increases, you can improve performance by minimizing the increment between filters: filters numbered 2, 4, 6 and 8 are more efficient than filters numbered 20, 40, 60 and 80. Peak processing efficiency is achieved when filters are numbered sequentially beginning with 1.

Configuring Redirection Filters

Create the real server and add it to a group:
/cfg/slb/real 6/rip 10.2.3.4/ena
/cfg/slb/group 42/add 6
Create the filter:
/cfg/slb/filt 24/proto tcp/dport 80/action redir/group 42/ena
Assign the filter to the port that should run the filter process and add the required rule number(s):
/cfg/slb/port 3/add 24
/cfg/slb/port 3/filt ena
Turn SLB on (for allow/deny filters this is optional):
/cfg/slb/on

To configure redirection filters, first create a real server, then create a group to add it to, or add it to a previously created group. Next create the filter. Then assign the filter to the port on which it should be processed and add the required rule numbers. Finally, turn on server load balancing; for allow and deny filters this step is optional.

Compare SLB
- VIP-SLB: real server group, VIP, client/server process; modifies DMAC and DIP.
- Transparent SLB: real server group, redirection filter, filter process; modifies DMAC only.

Here is a comparison of virtual IP server load balancing and transparent load balancing. Notice the difference: virtual IP server load balancing uses the virtual IP and the client/server process, and rewrites both the destination MAC and the destination IP, whereas transparent server load balancing uses the redirection filter and the filter process, and rewrites only the destination MAC.

Filter Use Case: NAT

Let's now look at using filters for NAT.

Static PIP Configuration

Select port- or VLAN-based proxy IPs (a setting for the whole switch):
/cfg/slb/pip/type <port|vlan>
Add the proxy IP address(es):
/cfg/slb/pip/add 200.200.200.68 5
/cfg/slb/pip/add 200.200.200.68 42
or a range of ports, e.g. 5-8.
Activate the proxy on the ingress port(s):
/cfg/slb/port 5/proxy ena

Static NAT is all or nothing: it is configured on the VLAN or on the port. To configure port- and VLAN-based proxy IPs, first select port or VLAN mode for the whole switch with /cfg/slb/pip/type <port|vlan>. Then add the proxy IP address (add 200.200.200.68 5, add 200.200.200.68 42); you may also enter a range. Lastly, activate the proxy on the ingress port(s) with /cfg/slb/port 5/proxy ena.

Conditional PIP Inserted On Egress
- Insert the PIP when the packet leaves the Application Switch.
- Select the proxy IP based on the egress port or VLAN.
- If the filter criteria are met, the source IP is replaced by the PIP:
/cfg/slb/filt #/adv/proxyadv/proxyip w.x.y.z/epip ena
- If proxyip is not configured, the address from /cfg/slb/pip/add is used.
(Diagram: a filter on the switch; PIP 1 towards ISP1, PIP 2 towards ISP2.)

By default, the switch selects the proxy IP address based on the ingress port or VLAN. However, a proxy IP can also be selected based on the egress port or VLAN; selection by egress port or VLAN can be enabled on a virtual service or on a filter. The proxy IP is inserted when the packet leaves the switch, and it is chosen according to the egress port or VLAN. If the filter criteria are met, the source IP is replaced by the PIP configured with /cfg/slb/filt #/adv/proxyadv/proxyip w.x.y.z/epip ena; if no proxyip is configured on the filter, the address added with /cfg/slb/pip/add is used.
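The following is an added example, not code from the course or from the Alteon; it is a small Python model of the proxy-IP selection just described, so that the difference between ingress-based and egress-based PIP choice and the reverse mapping that return traffic relies on can be exercised offline. The routing table, the port numbers and the addresses are constructed for the example; what happens when no PIP exists for the chosen port (the source is left unchanged here) is an assumption, not documented switch behaviour.

```python
"""Added example (not Alteon code): proxy-IP (source NAT) selection.
by_port models '/cfg/slb/pip/type port' plus '/cfg/slb/pip/add <ip> <port>';
a static routing table decides the egress port used when epip is enabled."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    sip: str
    sport: int
    dip: str
    dport: int


class ProxyIpSwitch:
    def __init__(self) -> None:
        self.by_port: Dict[int, str] = {}                 # port -> PIP
        self.routes: List[Tuple[ipaddress.IPv4Network, int]] = []
        # (pip, sport, dip, dport) -> original client flow, for the reverse path
        self.sessions: Dict[Tuple[str, int, str, int], Flow] = {}

    def add_pip(self, pip: str, port: int) -> None:
        self.by_port[port] = pip

    def add_route(self, network: str, egress_port: int) -> None:
        self.routes.append((ipaddress.IPv4Network(network), egress_port))

    def egress_port(self, dip: str) -> Optional[int]:
        """Longest-prefix match over the constructed static routes."""
        addr = ipaddress.IPv4Address(dip)
        best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
        for net, port in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, port)
        return best[1] if best else None

    def translate(self, f: Flow, ingress_port: int, epip: bool = False,
                  proxyip: Optional[str] = None) -> Flow:
        """Default: PIP of the ingress port.  epip: the filter-level proxyip if
        set, otherwise the PIP configured for the egress port the route lookup
        yields.  Assumption: with no PIP for that port the source is unchanged."""
        if epip:
            pip = proxyip or self.by_port.get(self.egress_port(f.dip))
        else:
            pip = self.by_port.get(ingress_port)
        if pip is None:
            return f
        out = replace(f, sip=pip)
        self.sessions[(out.sip, out.sport, out.dip, out.dport)] = f
        return out

    def untranslate(self, reply: Flow) -> Optional[Flow]:
        """Reverse mapping for the server's reply: find the session keyed by
        (pip, port) and put the client's real address back as destination."""
        orig = self.sessions.get((reply.dip, reply.dport, reply.sip, reply.sport))
        if orig is None:
            return None          # no session: nothing to hand the reply to
        return replace(reply, dip=orig.sip, dport=orig.sport)


if __name__ == "__main__":
    sw = ProxyIpSwitch()
    sw.add_pip("200.200.200.68", 5)      # PIP 1 on the port towards ISP1
    sw.add_pip("201.201.201.68", 6)      # PIP 2 on the port towards ISP2
    sw.add_route("0.0.0.0/0", 5)
    sw.add_route("198.51.100.0/24", 6)
    out = sw.translate(Flow("10.1.1.7", 40000, "198.51.100.9", 443), ingress_port=1, epip=True)
    print("egress PIP:", out.sip)
    print("reply maps back to:", sw.untranslate(Flow("198.51.100.9", 443, out.sip, 40000)))
```

The point to take from the model is that egress-based selection only works if the route lookup happens before the PIP is chosen, and that every translated flow needs a session entry or the reply from the server cannot be returned to the client.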

Filter Use Case: HTTP To HTTPS Redirection

Now let's look at a filter use case for HTTP to HTTPS redirection.

HTTP To HTTPS Redirection

The client types in an HTTP request, e.g. http://www.radware.com, and gets back a redirection to https://www.radware.com. (Diagram: clients send an HTTP request to the VIP; the VIP listens on HTTPS; the filter detects the HTTP request and redirects it to HTTPS; the web servers are grouped together.)

We can create a filter on the Alteon to redirect a client's HTTP request to HTTPS. When a client sends an HTTP request to the virtual IP, the filter redirects the request to HTTPS. To do this we must configure Layer 7 elements.

Configure Layer 7 Elements

/cfg/slb/adv/direct ena
/c/slb/layer7/slb
>> Server Loadbalance Resource# addstr
Enter type of string [l7lkup|pattern]: l7
Configure HTTP header string? (y/n) [n] y
Enter HTTP header name: host:www.radware.com
Enter SLB header value string:
Configure URL string? (y/n) [n]
add "HTTPHDR=Host:www.radware.com:443"
Alternative: add "HTTPHDR=Host:any:443"
Very important: no SPACE within the string.

To configure Layer 7 elements, we use the command line interface: go to the Layer 7 server load balancing configuration menu and type slb. This brings up the Server Loadbalance Resource menu. We need to add a string, so type addstr. Now we enter the type of string, which in our case is Layer 7 lookup, so enter l7. Because we want to apply this to the header string, we select yes to configure an HTTP header string. Next we enter the HTTP header name. If we were using server load balancing header value strings, we would enter one here; in our case we are not, so we skip it. Next we say no to configuring a URL string. Then we add our string. Notice that we specify the header, followed by a colon and the host name, followed by a colon and finally the port number, which in this case is 443 because we want to redirect to HTTPS. Alternatively, we may specify any instead of a specific host name. Very important: there must be no space within the string.

Configure Layer 7 Elements (cont.)

diff
/c/slb/layer7/slb
ren 2 "HTTPHDR=Host:www.Radware.com:"
ren 3 "HTTPHDR=host:any:443"

Next we need to identify the string ID numbers of the strings we just created. If we have not saved yet, we may type diff and see the ID numbers. Otherwise, go to the Layer 7 server load balancing configuration menu and type current to see the strings and their ID numbers.

Configure Filter

/c/slb/filt 1
ena
action redir
ipver v4
proto tcp
dport http
/c/slb/filt 1/adv/layer7
l7lkup ena
addrd 2>3
/c/slb/filt 1/adv/redir
dbind ena
/c/slb/port 1
filt ena
add 1

Now that we have created our strings and know their ID numbers, we configure the filter. We go to the server load balancing configuration menu and configure filter 1: enable the filter and specify the action, which in our case is redirection, together with the IP version, protocol and destination port. Next, under the filter's advanced menu, we select layer7, enable Layer 7 lookup and add the redirection string pair by ID number (addrd 2>3: a request matching string 2 is redirected to string 3). Then, under the redirect menu, we enable dbind (delayed binding, so the switch completes the TCP handshake and can read the HTTP header before it acts). Finally we enable filtering on the port and add the filter by its number; in our case we apply the filter to port 1. Don't forget to apply and save once you are done.
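To make the effect of the Layer 7 strings and the addrd pairing concrete, here is an added example in Python (not code from the course or from the switch). It parses the strings exactly as the slides write them ("HTTPHDR=Host:www.radware.com:" as the match string, "HTTPHDR=host:any:443" as the target), applies them to a constructed HTTP request and builds the redirect a client would see in the trace. The 302 response format and the dropping of ":443" from the Location URL are this example's own choices and are not taken from switch documentation.

```python
"""Added example (not Alteon code): emulate the HTTP-to-HTTPS redirect filter
on a raw request, using the 'HTTPHDR=<header>:<host>:<port>' strings from the
slides.  Constructed requests; response format is the example's own choice."""
from typing import Dict, Optional, Tuple


def l7_string_is_valid(s: str) -> bool:
    """The slide's rule: the string must contain no space anywhere."""
    return s.startswith("HTTPHDR=") and " " not in s


def parse_hdr_string(s: str) -> Tuple[str, str, Optional[int]]:
    """'HTTPHDR=Host:www.radware.com:443' -> ('host', 'www.radware.com', 443).
    A missing trailing port (as in the diff output on the slide) yields None."""
    if not l7_string_is_valid(s):
        raise ValueError("bad Layer 7 string: %r" % s)
    parts = s[len("HTTPHDR="):].split(":")
    header = parts[0].lower()
    value = parts[1].lower() if len(parts) > 1 else "any"
    port = int(parts[2]) if len(parts) > 2 and parts[2] else None
    return header, value, port


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.x request-line and header parser (names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return method, target, headers


def host_matches(match_string: str, headers: Dict[str, str]) -> bool:
    header, want, _port = parse_hdr_string(match_string)
    got = headers.get(header)
    if got is None:
        return False
    return want == "any" or got.split(":")[0].lower() == want   # ignore ':port'


def redirect_response(raw: bytes, match_string: str, target_string: str) -> Optional[bytes]:
    """Emulates 'addrd <match>><target>': on a match, answer 302 to the same
    path over https; 'any' as the target host means reuse the request's Host."""
    _method, target, headers = parse_request(raw)
    if not host_matches(match_string, headers):
        return None          # criteria not met: the request goes on to the servers
    _h, tgt_host, tgt_port = parse_hdr_string(target_string)
    host = headers.get("host", "").split(":")[0] if tgt_host == "any" else tgt_host
    port = tgt_port or 443
    location = "https://%s%s%s" % (host, "" if port == 443 else ":%d" % port, target)
    return ("HTTP/1.1 302 Found\r\nLocation: %s\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n" % location).encode()


if __name__ == "__main__":
    # constructed request, as a client would send it to the VIP on port 80
    req = b"GET /login?next=1 HTTP/1.1\r\nHost: www.radware.com\r\n\r\n"
    print(redirect_response(req, "HTTPHDR=Host:www.radware.com:", "HTTPHDR=host:any:443"))
```

One caveat the model makes visible: with any as the target host, whatever Host header the client sent is copied into the Location URL, so a pinned host name in the target string is the safer choice when the service only has one name.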

Trace Info

Wireshark / HttpFox plugin: we can use Wireshark or the HttpFox browser plugin to confirm that the filter is applied correctly and as expected, i.e. that the client's HTTP request is answered with a redirect to the HTTPS URL.

Use Case: Transparent Redirection

Let's look at another use case for filters: transparent redirection.

Frame Flow

Customer layout: all HTTP traffic needs to be sent to the proxy server. (Diagram: client 1.2.3.4:2000, proxy server 2.2.2.2, DNS server, 1.1.1.1.)

Transparent proxies provide the benefits listed below when used with application redirection. Application redirection is automatically enabled when a filter with the redir action is applied on a port.
- With proxy IP addresses configured on ports that use redirection filters, the Application Switch can redirect client requests to servers located on any subnet.
- The Application Switch can perform transparent substitution for all source and destination addresses, including destination port remapping. This provides support for comprehensive, fully transparent proxies; no additional client configuration is needed.
So the customer layout requires that all HTTP traffic be sent to the proxy server.

Frame Flow (cont.)

Ensure proper routing, static or dynamic, between the client, the proxy server and the DNS server before the filter process comes into play.

Frame Flow (cont.)

The client sends a request to an application server, for example to the DNS server for IP address resolution (client 1.2.3.4:2000 -> DNS:53). The filter configured on the port matches protocol TCP, destination port 80.

Frame Flow (cont.)

The filter process first looks up the session table (columns: source, destination, load-balancing target, protocol): is there already a session table entry for this frame? On no match, it checks the filter list.

Frame Flow (cont.)

If there is no session table entry, the filter process walks through the filter list associated with the port (filter 5: http/..., filter 7: mail/..., filter 42: ftp/...). On no match, the frame is forwarded by ordinary Layer 3 / Layer 2 routing; the DNS request matches none of these filters.

Frame Flow (cont.)

Now the client sends an HTTP request to an application server: protocol TCP, destination port 80 (client 1.2.3.4:2000 -> any:TCP 80).

Frame Flow (cont.)

The filter process again looks up the session table to see whether a session entry already exists. There is no match, so it checks the filter list.

Frame Flow (cont.)

If there is no session table entry, the filter process walks through the filter list. If no filter matches, the request is forwarded by Layer 3 / Layer 2 routing. For better performance a filter should always match: forwarding by session table entry is the fastest path in Alteon and is much faster than evaluating filter rules, so always create a filter that matches the remaining traffic. This is the default filter.

Frame Flow (cont.)

Again, with no session table entry the filter process walks the filter list (filter 5: http/action redir, filter 7: mail/..., filter 42: ftp/...). On the first match, filter 5 in our example, the configured action is performed: redirect. A new session table entry is created for the session.

Frame Flow (cont.)

On the next request, the filter process finds the session table entry (source: client-IP:port; destination: App-IP:app-port; load-balancing target: Dest-MAC; protocol) and forwards the request to the new MAC destination without consulting the filter list.

Application Redirection
- Watches traffic and, on a match, replaces the destination MAC address.
- The destination is one of the real servers configured in a group.
- The group metric determines which real server is selected for new sessions.
- Health checks ensure that only available servers are selected.
- If all real servers are down: for an HTTP redir filter the action turns into allow, so traffic bypasses the proxy (it fails open); for a redir filter on any other protocol the action turns into deny (it fails closed).
- rport translates the requested port into a new value; if rport is set, the health check is Layer 4.
- Real servers need to be directly connected or reachable via static routing.

In application redirection, the traffic is watched and, if there is a match, the destination MAC address is replaced. The destination is one of the real servers configured in a group; the group metric determines which real server is selected for new sessions, and health checking ensures that only available servers are selected. If all real servers are down, an HTTP redirection filter falls back to allow while a redirection filter for any other protocol falls back to deny. rport translates the requested port into a new value, and when rport is set the health check is Layer 4. Real servers need to be directly connected or reachable via static routing.
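The frame-flow slides above and the application-redirection rules are easiest to check against a runnable model, so here is an added Python example (not code from the course or from the Alteon). It implements the order the slides describe: session table first, then the port's filter list in ascending filter number, first match wins and creates a session entry, a miss on every filter falls through to plain L3/L2 forwarding, and a redir filter whose real servers are all down becomes allow for HTTP and deny for everything else. The group metric is simplified to "first healthy server" and HTTP is identified as TCP port 80; both are assumptions of the example, as are the addresses and filters in the demo.

```python
"""Added example (not Alteon code): model of the filter process on the slides.
Assumptions: group metric reduced to 'first healthy real server', HTTP = TCP/80."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass
class RealServer:
    rip: str
    mac: str
    healthy: bool = True


@dataclass
class Filter:
    number: int                   # precedence: lowest number is checked first
    action: str                   # "allow", "deny" or "redir"
    proto: str = "any"
    sip: str = "any"
    smask: str = "255.255.255.255"
    dip: str = "any"
    dmask: str = "255.255.255.255"
    dport: Optional[int] = None   # None = any destination port
    group: List[RealServer] = field(default_factory=list)   # redir targets

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and _in_network(p.sip, self.sip, self.smask)
                and _in_network(p.dip, self.dip, self.dmask)
                and self.dport in (None, p.dport))


def _in_network(addr: str, base: str, mask: str) -> bool:
    """SIP/DIP is the base address; SMASK/DMASK turns it into a range."""
    if base == "any":
        return True
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(base)) & m


def _key(p: Packet) -> Tuple[str, int, str, int, str]:
    return (p.sip, p.sport, p.dip, p.dport, p.proto)


def process(p: Packet, filters: List[Filter], sessions: Dict,
            http_port: int = 80) -> Tuple[str, str]:
    """Return (decision, how) for one frame arriving on a filtered port."""
    if _key(p) in sessions:                           # 1. session table hit
        return sessions[_key(p)], "session-table"
    for f in sorted(filters, key=lambda x: x.number):  # 2. walk by filter number
        if not f.matches(p):
            continue
        decision = f.action
        if f.action == "redir":
            alive = [s for s in f.group if s.healthy]
            if alive:
                decision = "redir:" + alive[0].mac    # only the DMAC is rewritten
            elif p.proto == "tcp" and p.dport == http_port:
                decision = "allow"   # all HTTP real servers down: fails OPEN
            else:
                decision = "deny"    # any other protocol: fails CLOSED
        sessions[_key(p)] = decision                  # 3. new session entry
        return decision, "filter %d" % f.number
    return "forward", "routing"                       # 4. no match: L3/L2 forwarding


if __name__ == "__main__":
    proxies = [RealServer("2.2.2.2", "00:aa:bb:cc:dd:02")]
    port_filters = [
        Filter(5, "redir", proto="tcp", dport=80, group=proxies),
        Filter(7, "deny", proto="tcp", dip="10.10.10.0", dmask="255.255.255.0", dport=23),
        Filter(2048, "allow"),        # default filter: every criterion "any"
    ]
    table: Dict = {}
    for pkt in (Packet("1.2.3.4", "1.1.1.1", "udp", 2000, 53),
                Packet("1.2.3.4", "5.6.7.8", "tcp", 2000, 80),
                Packet("1.2.3.4", "5.6.7.8", "tcp", 2000, 80)):
        print(pkt.proto, pkt.dport, "->", process(pkt, port_filters, table))
```

Running the demo shows the DNS packet landing on the default filter, the first HTTP packet being redirected by filter 5, and the second HTTP packet of the same session being answered from the session table. Marking the proxy unhealthy and sending a fresh HTTP session shows the fail-open allow, which is the behaviour to keep in mind when the redirected service is a security proxy.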

Transparent SLB

Use transparent load balancing when no specific destination IP address is available, for example for transparent web caches. (Diagram: a client sends an HTTP request to a service located on the Internet; addresses 1.2.3.4 and 2.3.4.5; the filter detects the HTTP request and redirects it to the web cache group; the transparent web caches are grouped together.)

For transparent server load balancing, the use case is that there is no specific destination IP address available, for example with transparent web caches.

SSL Acceleration with External Devices

Transparent load balancing for a specific source IP address; optionally, source IP plus source port selects the real server. (Diagram: clients send HTTPS requests to the application; the filter detects the HTTPS request and redirects it to the SSL accelerator group, external or internal, e.g. 2424-SSL; the accelerators forward HTTP to the web server group.)

To do SSL acceleration with external devices, use transparent load balancing for a specific source IP address. Optionally, the combination of source IP and source port selects the real server.

Summary

In summary:

You are now able to:
- understand filtering and the selection criteria used in filtering
- use filtering for NAT and HTTP redirection
- use filtering for transparent redirection

Congratulations! You have completed this module and now have a better understanding of filtering on the Alteon.

Thank you for your attention and time.