EMEA Partners XTM Network Training


This training material is currently unofficial and may not be redistributed unless cleared by Product Training and Publishing.
Carlo Alvarez, Technical Trainer - APAC
WatchGuard Training

Agenda
- Traffic Management and Quality of Service (QoS)
- VLAN: Basic (Trusted/Optional, External); Advanced (FireCluster with devices in different locations)
- Routing on XTM Devices: Static; Dynamic (BGP, OSPF, RIP)
- Enhanced Net Failover
- Public IP Address subnet behind XTM (DMZ with Public IP)
- Tunnel Switching: Manual; Managed
- Special Scenario – Advanced BOVPN Test Case: BOVPN with dual active gateways on both ends, load-sharing/failover

Traffic Management and QoS

Traffic Management and QoS
- Guarantee or limit bandwidth
- Control the rate at which the XTM device sends packets to the network
- Prioritize when to send packets to the network
- Disabled by default. To enable,

TM - Guaranteed Bandwidth
- The minimum amount of bandwidth allocated to a specific policy or group of policies at any given time
- Bandwidth is measured as outgoing with respect to an interface
- When the maximum is set to 0, the policy can use up to the line speed, depending on the utilization of the link

TM - Restricted Bandwidth
- The maximum amount of bandwidth a specific policy or group of policies can use at any given time
- Bandwidth is measured as outgoing with respect to an interface
- When the minimum is set to 0, no bandwidth is reserved for the policy or group of policies

TM – Helpful Hints
- The total guaranteed bandwidth of all Traffic Management Actions in use must not exceed the line speed of the corresponding interface(s); otherwise the guarantees cannot all be honoured under load.
- All hosts using the same policy with a TM Action in effect share that policy's allocation when it is restricted.
- Always note the traffic direction when implementing a TM Action: the limit applies to traffic leaving the interface, not entering it.
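The following Python is an added example, not part of the slides and not WatchGuard's scheduler: it models the semantics the three slides describe (guarantee first, cap always, leftover shared) on one congested interface, and applies the helpful-hint checks before allocating. The policy names and figures are constructed; units are kbps.

```python
"""Model of the guaranteed / restricted bandwidth semantics described on the slides.

Constructed example: a 10 Mbps (10000 kbps) interface with three hypothetical
Traffic Management Actions. All arithmetic is integer kbps so the
progressive-filling loop always terminates.
"""

# (guaranteed_kbps, max_kbps); max 0 = no limit, guaranteed 0 = nothing reserved.
POLICIES = {
    "VoIP":   (2000, 0),     # guaranteed 2 Mbps, may burst up to line speed
    "Web":    (1000, 0),     # guaranteed 1 Mbps, may burst up to line speed
    "Backup": (0, 3000),     # nothing reserved, restricted to 3 Mbps
}


def validate(link_kbps, policies):
    """Apply the helpful hints: guarantees must fit the line speed, and a
    maximum, when set, must not be below the guarantee. Returns the problems found."""
    problems = []
    total = sum(g for g, _ in policies.values())
    if total > link_kbps:
        problems.append(f"guaranteed total {total} kbps exceeds link {link_kbps} kbps")
    for name, (g, m) in policies.items():
        if m and m < g:
            problems.append(f"{name}: maximum {m} kbps is below guarantee {g} kbps")
    return problems


def allocate(link_kbps, policies, demand):
    """Outbound bandwidth each policy gets when the interface is congested.

    1. Every policy first receives min(demand, guaranteed).
    2. Whatever is left on the link is shared equally (progressive filling)
       among policies that still want more, never exceeding a policy's maximum.
    Hosts behind one policy share that policy's figure, as the slides note.
    """
    problems = validate(link_kbps, policies)
    if problems:
        raise ValueError("; ".join(problems))
    want, alloc = {}, {}
    for name, (g, m) in policies.items():
        cap = link_kbps if m == 0 else min(m, link_kbps)
        want[name] = min(demand.get(name, 0), cap)   # restricted bandwidth caps the demand
        alloc[name] = min(want[name], g)              # guaranteed bandwidth is served first
    spare = link_kbps - sum(alloc.values())
    active = {n for n in alloc if want[n] > alloc[n]}
    while spare > 0 and active:
        share = max(1, spare // len(active))
        for name in sorted(active):
            give = min(share, want[name] - alloc[name], spare)
            alloc[name] += give
            spare -= give
            if alloc[name] >= want[name]:
                active.discard(name)
            if spare == 0:
                break
    return alloc


if __name__ == "__main__":
    # Constructed offered load: backup wants far more than its cap, web wants
    # more than its guarantee, VoIP wants less than its guarantee.
    load = {"VoIP": 1500, "Backup": 8000, "Web": 6000}
    for policy, kbps in allocate(10000, POLICIES, load).items():
        print(f"{policy:7s} gets {kbps:5d} kbps of {load[policy]} requested")
```

Backup is held to its 3000 kbps cap however much it offers, VoIP keeps everything it asks for because it stays inside its guarantee, and Web absorbs the rest of the line. Raising the guarantees above the line speed makes validate() fail before any allocation happens, which is the mistake the first hint warns about.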

Quality of Service (QoS)
Marking Types
- IP Precedence (the 3-bit precedence field of the IPv4 ToS byte; the slide calls it Class of Service)
- Differentiated Services Code Point (DSCP, the 6-bit field that replaced the ToS byte; its upper 3 bits are the IP Precedence bits)
Marking Methods
- Preserve
- Assign
- Clear

QoS – Interface Settings
The default settings of an interface, applied to all traffic passing through it.

QoS – Policy Override
Supersedes the QoS settings of the interface that traffic allowed by this policy leaves through.

VLAN

Not So Basic VLAN
(Diagram labels: trunks allowing VLANs 10 and 20; STP; VLAN 10; VLAN 20)

Not So Basic VLAN – Use Case
- Customer requires redundancy on the LAN.
- Requires at least two managed switches that support Spanning Tree Protocol (STP).
- Zones are segregated into VLANs.

VLAN Switches and FireCluster
(Diagram labels: ISP-1; ISP-2; Trunk; VLAN 10 – External-1; VLAN 20 – External-2; VLAN 30 – Trusted; VLAN 40 – FireCluster interface)

VLAN Switches and FireCluster – Use Case
- Customer has a Head Office and a DR site but opts to buy only one XTM for each site.
- Recommended: two private lines (trunks) from different providers, so that redundancy is maintained at all times.
- The Internet lines from the two ISPs are terminated one at each end.

Routing Protocols on XTM Devices

Static Routing

Static Routing on a Point-to-Point Link
Point-to-Point Link: 192.168.100.0/30
- Device on the 10.0.20.0/24 side (192.168.100.1): Static Route to 10.0.30.0/24, Next Hop (Gateway) 192.168.100.2
- Device on the 10.0.30.0/24 side (192.168.100.2): Static Route to 10.0.20.0/24, Next Hop (Gateway) 192.168.100.1

Static Routing on a Multi-Hop Link
Note that static routes must be correctly and consistently defined on the Firebox/XTM devices and on every router in between; a route that exists in one direction only breaks the return path.
To reach 10.0.30.0/24 from the 10.0.20.0/24 side:
- First, on the Firebox: Static Route to 10.0.30.0/24, Next Hop (Gateway) 192.168.1.2
- Then, on the first router: Static Route to 10.0.30.0/24, Next Hop (Gateway) 172.16.0.2
- Finally, on the second router: Static Route to 10.0.30.0/24, Next Hop (Gateway) 192.168.5.253
To reach 10.0.20.0/24 from the 10.0.30.0/24 side:
- First, on the XTM: Static Route to 10.0.20.0/24, Next Hop (Gateway) 192.168.5.254
- Then, on the second router: Static Route to 10.0.20.0/24, Next Hop (Gateway) 172.16.0.1
- Finally, on the first router: Static Route to 10.0.20.0/24, Next Hop (Gateway) 192.168.1.1

Dynamic Routing

Dynamic Routing Tips:
- To establish dynamic routing, both ends must be able to reach the interface they are trying to peer with.
- Point-to-point links are no issue, since the opposite interface is on the same directly connected subnet.
- For multi-hop links such as MPLS, routes to the peering interfaces must exist first (static routes, or routes carried by the provider) before dynamic routing can be established.

Common Cause of Inconsistency

Dynamic Routing on a Multi-Hop Link
Peering interfaces: 192.168.1.1 on the Firebox and 192.168.5.253 on the XTM.
Initially this Firebox does not know how to reach the remote peering interface; we need to let it know how to get to 192.168.5.253. Likewise the XTM must know how to return to 192.168.1.1.
To reach 192.168.5.253 from the Firebox:
- First, on the Firebox: Static Route to 192.168.5.252/30, Next Hop (Gateway) 192.168.1.2
- Then, on the first router: Static Route to 192.168.5.252/30, Next Hop (Gateway) 172.16.0.2
To reach 192.168.1.1 from the XTM:
- First, on the XTM: Static Route to 192.168.1.0/30, Next Hop (Gateway) 192.168.5.254
- Then, on the second router: Static Route to 192.168.1.0/30, Next Hop (Gateway) 172.16.0.1

Test if the Peering Interfaces are Reachable
- Use the Diagnostic Task to run an Extended Ping.
- Example: an extended ping from the Firebox with source address 192.168.1.1 and destination address 192.168.5.253.
- If both interfaces are reachable from the opposite ends, you are ready to define your dynamic routing.
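As an added example (not from the slides and not WatchGuard code), the following Python models the routing tables of the two multi-hop slides above and performs the check that the extended ping performs: a packet is forwarded table by table in both directions, so a missing return route, the common cause of inconsistency, is reported by the name of the device that would drop it. The router names R1/R2 and the LAN gateway addresses 10.0.20.1 and 10.0.30.1 are assumptions; every other address comes from the slides.

```python
"""Hop-by-hop check of the static routes on the multi-hop slides.

Constructed model of the topology drawn on the slides:
  Firebox (192.168.1.1) -- 192.168.1.0/30 -- R1 -- 172.16.0.0/30 -- R2
     -- 192.168.5.252/30 -- XTM (192.168.5.253)
with 10.0.20.0/24 behind the Firebox and 10.0.30.0/24 behind the XTM.
R1/R2 and the LAN gateway addresses are assumptions, not from the slides.
"""
from copy import deepcopy
from ipaddress import ip_address, ip_interface, ip_network

DEVICES = {
    "Firebox": {"ifaces": ["10.0.20.1/24", "192.168.1.1/30"],
                "routes": {"10.0.30.0/24": "192.168.1.2",        # data path
                           "192.168.5.252/30": "192.168.1.2"}},   # reach the peer interface
    "R1": {"ifaces": ["192.168.1.2/30", "172.16.0.1/30"],
           "routes": {"10.0.30.0/24": "172.16.0.2",
                      "10.0.20.0/24": "192.168.1.1",
                      "192.168.5.252/30": "172.16.0.2"}},
    "R2": {"ifaces": ["172.16.0.2/30", "192.168.5.254/30"],
           "routes": {"10.0.30.0/24": "192.168.5.253",
                      "10.0.20.0/24": "172.16.0.1",
                      "192.168.1.0/30": "172.16.0.1"}},
    "XTM": {"ifaces": ["192.168.5.253/30", "10.0.30.1/24"],
            "routes": {"10.0.20.0/24": "192.168.5.254",
                       "192.168.1.0/30": "192.168.5.254"}},
}


def attached_to(devices, addr):
    """Device that owns `addr` on an interface, else the device whose connected
    subnet contains it (the gateway of that LAN), else None."""
    addr = ip_address(addr)
    by_subnet = None
    for name, dev in devices.items():
        for iface in dev["ifaces"]:
            iface = ip_interface(iface)
            if iface.ip == addr:
                return name
            if addr in iface.network and by_subnet is None:
                by_subnet = name
    return by_subnet


def lookup(dev, dst):
    """Longest-prefix match over connected subnets and static routes.
    Returns (prefixlen, 'connected' | 'static', next_hop) or None."""
    dst = ip_address(dst)
    best = None
    candidates = [(ip_interface(i).network, "connected", None) for i in dev["ifaces"]]
    candidates += [(ip_network(p), "static", nh) for p, nh in dev["routes"].items()]
    for net, kind, nh in candidates:
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, kind, nh)
    return best


def trace(devices, start, dst, max_hops=16):
    """Forward a packet for `dst` device by device, exactly as each routing
    table would. Returns the devices traversed, ending at the one that
    delivers on a connected subnet; raises RuntimeError naming the device
    that would drop the packet."""
    path, cur = [start], start
    for _ in range(max_hops):
        match = lookup(devices[cur], dst)
        if match is None:
            raise RuntimeError(f"{cur} has no route to {dst}")
        _, kind, nh = match
        if kind == "connected":
            owner = attached_to(devices, dst)
            if owner and owner != cur:
                path.append(owner)
            return path
        via = lookup(devices[cur], nh)          # a next hop must be directly connected
        if via is None or via[1] != "connected":
            raise RuntimeError(f"{cur}: next hop {nh} is not on a connected subnet")
        nxt = attached_to(devices, nh)
        if nxt is None or nxt == cur:
            raise RuntimeError(f"{cur}: next hop {nh} belongs to no device")
        path.append(nxt)
        cur = nxt
    raise RuntimeError(f"routing loop while forwarding to {dst}: {' -> '.join(path)}")


def problems(devices, a_ip, b_ip):
    """The check behind the extended-ping slide: the forward path AND the
    return path must both exist. Returns every gap found (empty = reachable)."""
    found = []
    for src, dst in ((a_ip, b_ip), (b_ip, a_ip)):
        try:
            trace(devices, attached_to(devices, src), dst)
        except RuntimeError as err:
            found.append(str(err))
    return found


def with_route(devices, device, prefix, next_hop=None):
    """Copy of the model with one static route replaced (next_hop given) or
    removed (next_hop None), to reproduce the usual misconfigurations."""
    copy = deepcopy(devices)
    if next_hop is None:
        del copy[device]["routes"][prefix]
    else:
        copy[device]["routes"][prefix] = next_hop
    return copy


if __name__ == "__main__":
    print("peering interfaces:", problems(DEVICES, "192.168.1.1", "192.168.5.253") or "reachable both ways")
    print("LAN to LAN:", problems(DEVICES, "10.0.20.50", "10.0.30.50") or "reachable both ways")
    # Forget the return route on R2: the forward path is complete, yet a ping from
    # the Firebox side fails, because R2 has nowhere to send the reply.
    print("R2 missing return route:", problems(with_route(DEVICES, "R2", "10.0.20.0/24"), "10.0.20.50", "10.0.30.50"))
```

Run it after every change to a static route on any device in the chain; a next hop that is not on a directly connected subnet is flagged too, since that route would be ignored by a real forwarding table.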

Configure Dynamic Routing

Which Dynamic Routing Protocol to use?
- Open Shortest Path First (OSPF) is a link-state routing protocol and is commonly used on point-to-point links.
- Routing Information Protocol (RIP) is a distance-vector protocol whose only metric is hop count (15 hops maximum).
- Border Gateway Protocol (BGP) is a path-vector protocol (a distance-vector variant that carries the full AS path); route selection is driven by policy attributes such as local preference and AS path length rather than by a link cost, which is why it is commonly used for multi-hop links.

Configure RIP (using Point-to-Point link)
(Screenshot labels: Firebox; XTM)

Configure RIP (using Point-to-Point link)
Manually add the RIP policy.

Configure OSPF (using Point-to-Point link)
(Screenshot labels: Firebox; XTM)
The passive-interface command means OSPF sends no hello packets and forms no adjacency on that interface, while the interface's subnet is still advertised to neighbours on the other interfaces; use it on the trusted/LAN interface, where there is no OSPF peer.

Configure OSPF (using Point-to-Point link)
Manually add the OSPF policy.

Configure BGP (using Multi-Hop link)
(Screenshot labels: Firebox; XTM)
Use a private AS number for internal BGP (64512-65534, or 4200000000-4294967294 with 4-byte AS numbers); there is no need to register a public AS number.
No need to add a BGP policy in Policy Manager.

Enhanced Net Failover
- Feature launched in XTM version 11.3.1
- Routes internal traffic over the BOVPN when the internal link becomes unavailable
- Works only between Firebox or XTM devices on both ends
- Works in conjunction with static routing or dynamic routing
- The internal link can be a simple leased line (or fiber optic) or connectivity through an MPLS network

Static Routing vs. Dynamic Routing

When used with Enhanced Net Failover:

Static Routing
- Advantage: works in a FireCluster environment
- Disadvantage: failover has to be triggered manually by removing the static routes on both ends

Dynamic Routing
- Advantage: failover is triggered automatically
- Disadvantage: FireCluster does not support dynamic routing, so it does not work in such an environment

Enhanced Net Failover Requirements

This Feature Requires:
- BOVPN skills
- Firebox or XTM devices on both ends
- When used with dynamic routing, the device should be at least an XTM 2 Series
- Static or dynamic routing on the Firebox or XTM devices
- A spare interface for the internal routing on each end

Configure Branch Office VPN

Configure BOVPN
- Configure the BOVPN just like any regular BOVPN: go to VPN > VPN Settings...
- Ready to test failover from the chosen routing protocol to the BOVPN

Additional Tips
- Failover from dynamic routing to BOVPN takes about 150 seconds. (Hope this gets improved in future releases.)
- When using static routing, you must remove the static routes manually on both devices. The reason is that the interface IP address can still be reached (for example, by ping) even after you unplug the cable, so the Firebox/XTM keeps routing the subnet: it assumes the next hop, which is on the same subnet as the interface IP address, is still reachable.
- There are cases where you will need to add static routes for the target subnets on multiple routers in between. Make sure your next hops point in the right direction.
- Most MPLS networks don't require static routes in between, especially if the provider uses iBGP and redistributes routes into its Virtual Routing and Forwarding (VRF) instances.

Public IP Address subnet behind XTM (DMZ with Public IP)

Public IP Address subnet behind XTM
The appropriate example of Mixed Routed Mode (Routing + NAT).
(Diagram: Internet; Router 202.80.78.1/30; XTM external interface 202.80.78.2/30; behind the XTM, the public subnet 206.197.101.0/24 and the private subnet 192.168.1.0/24.)
A static route must be present on the router for subnet 206.197.101.0/24 with next hop 202.80.78.2; without it, traffic from the Internet to the public subnet never reaches the XTM.

Public IP Address subnet behind XTM – Policy
- NAT has no bearing on the inbound and outbound policies for the public subnet, because its addresses are routed, not translated.
- For inbound policies, the destination address is the real IP address or hostname of the target host or server.

Tunnel Switching

Tunnel Switching Overview
- Traffic passes from the trusted network of Remote Office A to the trusted network of Remote Office B through the Central Office, without creating a third BOVPN tunnel between the two remote offices.
- Useful when you require control of network security at the Central Office.
- Policies can be applied at the Central Office to traffic between the two tunnels.

Tunnel Switching – Remote Office and Group
The Central Office announces Remote A's subnet to Remote B as a local subnet in the tunnel route, creating, in effect, a Group A.

Tunnel Switching – Remote Office and Group
The Central Office announces Remote B's subnet to Remote A as a local subnet in the tunnel route, creating, in effect, a Group B.

THANK YOU!