WiNG 5.3
WiNG 5.3 Training
Agenda
Layer 2 Enhancements:
 Tunnel-Controller Load Balancing
 L2TPv3
 Layer 2 NAT
 IGMP Snooping
Security Enhancements:
 IPsec VPN
 Auto IPsec Secure
Layer 3 Enhancements:
 Policy Based Routing
 NAT Load Balancing / Failover
 OSPF
 VRRP
 Critical Resource Monitoring
 Default Gateway Prioritization
 PPPoE Client
© 2012 Motorola Solutions Proprietary & Confidential
Layer 2 Enhancements
Tunnel-Controller Load Balancing
Overview
 Introduces support for load-balancing Extended VLANs between a cluster of
Controllers
– Must be enabled on both the Controllers and Access Points (Profile or Override)
– Intended for Layer 2 or Layer 3 Adopted 802.11n Access Points
– Disabled by default
 Allows 802.11n Access Points to operate in a similar manner to AP300 / AP650
Access Points in WiNG 4.x
[Diagram: No Tunnel Load Balancing – the Access Points behind the Switch tunnel
their Extended VLANs to a single Controller; With Tunnel Load Balancing – the
tunnels are distributed across the Controllers in the cluster]
Layer 2 Tunneling Protocol v3
Overview
 L2TPv3 is an IETF standard (RFC 3931) for transporting different types of Layer 2
frames over an IPv4 network
 Supports two peers per tunnel
– The primary peer is preferred over the secondary peer
 L2TPv3 can be deployed to transport Ethernet frames from supported
Access Points to a third-party Router or Concentrator:
– Tunnel wireless user traffic to a third-party Router in the DMZ
– Tunnel wireless user traffic from Access Points to different service provider
Routers
– L2TPv3 itself provides no encryption or integrity protection; a tunnel that crosses
an untrusted network needs to be carried inside IPsec
 In WiNG 5.3 L2TPv3 support is only provided for certain Access Points
 L2TPv3 Tunnel Termination on Integrated Services Controllers will be
introduced in WiNG 5.4
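The following is an added example, not code from the deck or from Motorola's WiNG implementation. It shows the data-message layout L2TPv3 uses when it runs directly over IP (IP protocol 115, RFC 3931 section 4.1.1): a 32-bit Session ID, an optional 32- or 64-bit cookie, then the Layer 2 frame. The cookie is the only thing that stops a host that can reach the tunnel endpoint from blindly injecting frames into a bridged VLAN, so the receiver side below shows the checks that matter. Whether and how WiNG populates the cookie is not stated in the deck; the session ID, cookie value and Ethernet frame are constructed for the example.

```python
"""Added example (not from the WiNG deck): L2TPv3-over-IP data message
encapsulation and the receiver checks against spoofed packets (RFC 3931)."""
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Session:
    session_id: int   # 32-bit and non-zero: Session ID 0 is reserved for control messages
    cookie: bytes     # 0, 4 or 8 bytes agreed at session setup; a secret shared by both peers

    def __post_init__(self):
        if not 0 < self.session_id <= 0xFFFFFFFF:
            raise ValueError("session ID must be a non-zero 32-bit value")
        if len(self.cookie) not in (0, 4, 8):
            raise ValueError("cookie must be 0, 4 or 8 bytes")


def new_cookie() -> bytes:
    """A 64-bit cookie from the OS CSPRNG: the value an attacker would have to guess."""
    return os.urandom(8)


def encapsulate(session: Session, frame: bytes) -> bytes:
    """Session ID, then the cookie, then the Layer 2 frame (no L2-specific sublayer)."""
    return struct.pack("!I", session.session_id) + session.cookie + frame


def decapsulate(sessions: Dict[int, Session], packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (session_id, frame) for an accepted packet, None for a packet to drop."""
    if len(packet) < 4:
        return None
    session_id = struct.unpack("!I", packet[:4])[0]
    if session_id == 0:
        return None                      # control-message format, not a data message
    session = sessions.get(session_id)
    if session is None:
        return None                      # unknown session: drop, never bridge it
    end = 4 + len(session.cookie)
    if len(packet) < end:
        return None
    # Constant-time compare: a byte-by-byte early exit would leak cookie bytes
    # through timing to whoever can send packets at the tunnel endpoint.
    if not hmac.compare_digest(packet[4:end], session.cookie):
        return None
    return session_id, packet[end:]


# Constructed sample: one session and one Ethernet frame (broadcast dst MAC,
# src MAC, EtherType 0x0800, 46 bytes of filler) as a wireless user might send.
SAMPLE_SESSION = Session(session_id=0x00001234, cookie=bytes.fromhex("a1b2c3d4e5f60718"))
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x00" * 46


def demo() -> dict:
    """Round-trip a frame, then try the injection cases a receiver must reject."""
    sessions = {SAMPLE_SESSION.session_id: SAMPLE_SESSION}
    good = encapsulate(SAMPLE_SESSION, SAMPLE_FRAME)
    spoofed_cookie = good[:4] + bytes(8) + good[12:]          # right session, guessed cookie
    wrong_session = struct.pack("!I", 0x99999999) + good[4:]  # session never set up
    control_format = struct.pack("!I", 0) + good[4:]          # Session ID 0
    return {
        "accepted": decapsulate(sessions, good),
        "spoofed_cookie": decapsulate(sessions, spoofed_cookie),
        "wrong_session": decapsulate(sessions, wrong_session),
        "control_format": decapsulate(sessions, control_format),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "bridged" if result else "dropped")
```

Only the accepted packet is bridged; the other three are dropped before any frame reaches the VLAN. Note that none of this gives confidentiality or integrity for the frame itself, which is why the IPsec VPN section later in this deck is the companion feature for tunnels over a public network.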
Layer 2 Tunneling Protocol v3
Configuration Example – Topology
L2TPv3 Tunnels from AP7131N Access Points to a Third-Party Router
Layer 2 NAT
Overview
 In branch Extended VLAN environments, when an MU wants to browse the
Internet or reach a local service at the branch site (e.g. a printer or
file server), the MU's packets travel all the way to the Data Center
where the Wireless Controllers and the default router reside:
– All traffic traverses the WAN or VPN connection
 A workaround is for the MU to connect to a separate VLAN with Local
Bridging, but this requires the user to switch Wireless LANs
 The Layer 2 NAT and Policy Based Routing features in WiNG 5.3 address this
limitation:
– Allow Internet traffic to be forwarded locally at the Branch while corporate traffic
is forwarded to the Data Center over the Extended VLAN
– Allow users to access Printers and Servers deployed at the Branch without
traversing the WAN
 Similar concept to Split Tunneling with IPsec VPN
– As with split tunneling, locally forwarded traffic bypasses any firewall or inspection
applied at the Data Center, so the Branch device's own Firewall policy must cover it
Layer 2 NAT
Configuration Example – Topology
IGMP Snooping
Overview
 IGMP snooping provides an efficient multicast delivery and bandwidth
conservation mechanism for Layer 2 devices
– The Layer 2 device only forwards multicast groups out of ports / radios where
group members are present, and not to non-member ports / radios
– The Layer 2 device monitors IGMP membership reports (joins / leaves) and builds
an IGMP table mapping groups to host ports / radios
 When disabled, multicast forwarding behaviour varies by vendor:
– Layer 2 devices may flood known and unknown IP multicast groups to all ports in
the broadcast domain
– Layer 2 devices may suppress known multicast groups until a single receiver
joins a specific multicast group
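As an added example (not from the deck or from WiNG), the table a snooping Layer 2 device builds from the reports and leaves it observes, and the forwarding decision it takes from that table. Port and radio names, group addresses and the event sequence are constructed; the behaviour with snooping disabled is modelled as the flooding variant described above, which is an assumption about one vendor style rather than a statement about WiNG.

```python
"""Added example (not from the WiNG deck): IGMP snooping group-to-port table
and the per-frame forwarding decision derived from it."""
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Set

# 224.0.0.0/24 (OSPF, VRRP, IGMP queries themselves) is never snooped: always flooded.
LINK_LOCAL = IPv4Network("224.0.0.0/24")


class SnoopingTable:
    def __init__(self, ports: Iterable[str], snooping_enabled: bool = True):
        self.ports: Set[str] = set(ports)            # Ethernet ports and radios alike
        self.snooping_enabled = snooping_enabled
        self.members: Dict[IPv4Address, Set[str]] = defaultdict(set)

    def observe(self, event: str, port: str, group: str) -> None:
        """Update the table from an IGMP membership report ("join") or leave seen on `port`."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        addr = IPv4Address(group)
        if not addr.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        if event == "join":
            # IGMP is unauthenticated: any host on the port can join any group,
            # so snooping is a bandwidth control, not an access control.
            self.members[addr].add(port)
        elif event == "leave":
            self.members[addr].discard(port)
            if not self.members[addr]:
                del self.members[addr]
        else:
            raise ValueError(f"unknown IGMP event {event}")

    def egress(self, ingress_port: str, group: str) -> Set[str]:
        """Ports / radios a frame for `group` arriving on `ingress_port` is forwarded to."""
        addr = IPv4Address(group)
        everyone_else = self.ports - {ingress_port}
        if addr in LINK_LOCAL or not self.snooping_enabled:
            return everyone_else               # flooded to the whole broadcast domain
        # Snooping on: member ports only. A group nobody has joined goes nowhere
        # (the "suppress until a receiver joins" behaviour), never to the whole domain.
        return self.members.get(addr, set()) - {ingress_port}


SAMPLE_PORTS = ["ge1", "ge2", "radio1", "radio2"]
# Constructed IGMP events in the order the device sees them: (event, port, group)
SAMPLE_EVENTS = [
    ("join", "radio1", "239.1.1.10"),   # wireless client subscribes to a video stream
    ("join", "ge1", "239.1.1.10"),      # a wired host on ge1 subscribes to the same group
    ("join", "radio2", "239.1.1.20"),
    ("leave", "ge1", "239.1.1.10"),     # the wired host leaves; radio1 remains a member
]


def demo_table(snooping_enabled: bool = True) -> SnoopingTable:
    """Table loaded with the constructed event sequence."""
    table = SnoopingTable(SAMPLE_PORTS, snooping_enabled)
    for event in SAMPLE_EVENTS:
        table.observe(*event)
    return table


if __name__ == "__main__":
    t = demo_table()
    for g in ("239.1.1.10", "239.1.1.20", "239.9.9.9", "224.0.0.18"):
        print(g, "arriving on ge2 ->", sorted(t.egress("ge2", g)))
```

After the four events, 239.1.1.10 reaches only radio1, 239.1.1.20 only radio2, an unjoined group reaches nobody, and a link-local group such as 224.0.0.18 (VRRP) is still flooded to every other port.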
IGMP Snooping
Configuration Example – Topology
Layer 3 Enhancements
Policy Based Routing
Overview
 Routing in WiNG is destination based
– Traffic is forwarded to the next hop based on the best match in the routing table
 Policy Based Routing allows administrators to route traffic in ways that go
beyond traditional destination based routing:
– Allows selected traffic to be routed using criteria such as source / destination
address, protocol, application and traffic class (DSCP)
– Allows traffic to be load-balanced across multiple WAN links
– Allows traffic to be selectively marked for QoS purposes
Policy Based Routing
Route-Maps Match Clauses
 Match clauses are used to select traffic:
– IP Access List – Traffic matching permit rules is subjected to PBR; traffic
matching deny rules is subjected to destination based routing
– IP DSCP – DSCP value in the IP header of the packet
– Incoming WLAN – Applicable only on platforms with an on-board radio (RFS4000
and AP71xx)
– Wireless Client ROLE – Applicable only on platforms with an on-board radio
(RFS4000, AP71xx)
– Incoming Interface – Ingress Layer 3 interface (VLAN, PPPoE, WWAN)
 If a route-map has no match clauses, it matches all traffic, so an entry with no
clauses redirects everything that reaches it
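An added example, not from the deck or from the WiNG route-map implementation, of how the match clauses above select traffic for the branch local-breakout case described under Layer 2 NAT. Entries are tried in order and every clause present in an entry must match (AND semantics is an assumption; the deck does not say how several clauses combine); an ACL clause needs a permit hit, and a deny hit or no hit leaves the packet to destination-based routing. Interface, WLAN, role and next-hop names and the sample packets are constructed.

```python
"""Added example (not from the WiNG deck): route-map match-clause evaluation
for Policy Based Routing, with the constructed branch local-breakout policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DESTINATION_ROUTING = "destination-based routing"


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    src: str                         # CIDR
    dst: str                         # CIDR
    protocol: Optional[str] = None   # None = any protocol


def acl_lookup(acl: List[AclRule], pkt: dict) -> Optional[str]:
    """First matching rule decides; None when nothing matches (implicit deny)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    for rule in acl:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and rule.protocol in (None, pkt.get("protocol"))):
            return rule.action
    return None


@dataclass
class RouteMapEntry:
    next_hop: str
    acl: Optional[List[AclRule]] = None
    dscp: Optional[int] = None
    incoming_wlan: Optional[str] = None
    client_role: Optional[str] = None
    incoming_interface: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        if self.acl is not None and acl_lookup(self.acl, pkt) != "permit":
            return False               # deny hit or no hit: not subjected to PBR
        for clause, key in (("dscp", "dscp"), ("incoming_wlan", "wlan"),
                            ("client_role", "role"), ("incoming_interface", "interface")):
            want = getattr(self, clause)
            if want is not None and pkt.get(key) != want:
                return False
        return True                    # an entry with no clauses at all matches everything


def route(route_map: List[RouteMapEntry], pkt: dict) -> str:
    """Next hop chosen by the first matching entry, else the routing table decides."""
    for entry in route_map:
        if entry.matches(pkt):
            return entry.next_hop
    return DESTINATION_ROUTING


# Constructed policy: wireless users on the branch WLAN reach the Internet via
# the local ISP; anything for the Data Center (10.0.0.0/8) stays on the Extended VLAN.
LOCAL_BREAKOUT_ACL = [
    AclRule("deny", "172.16.0.0/12", "10.0.0.0/8"),
    AclRule("permit", "172.16.0.0/12", "0.0.0.0/0"),
]
BRANCH_ROUTE_MAP = [
    RouteMapEntry(next_hop="local-isp-gateway", acl=LOCAL_BREAKOUT_ACL,
                  incoming_wlan="branch-wifi"),
]

# Constructed packets: (src, dst, protocol, dscp, wlan, role, interface)
WIFI_TO_INTERNET = {"src": "172.16.5.10", "dst": "93.184.216.34", "protocol": "tcp",
                    "dscp": 0, "wlan": "branch-wifi", "role": "employee", "interface": "vlan10"}
WIFI_TO_DATACENTER = dict(WIFI_TO_INTERNET, dst="10.1.1.5")
WIRED_TO_INTERNET = {"src": "172.16.7.20", "dst": "93.184.216.34", "protocol": "tcp",
                     "dscp": 0, "interface": "vlan20"}   # no WLAN: wired client


if __name__ == "__main__":
    for name, pkt in (("wifi->internet", WIFI_TO_INTERNET),
                      ("wifi->datacenter", WIFI_TO_DATACENTER),
                      ("wired->internet", WIRED_TO_INTERNET)):
        print(name, "->", route(BRANCH_ROUTE_MAP, pkt))
```

The wired client is not redirected because the WLAN clause does not match, and corporate traffic falls back to the routing table because the ACL denies it. Applying `[RouteMapEntry(next_hop=...)]` with no clauses sends every packet to that next hop, which is the point of the last bullet above.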
Policy Based Routing
Configuration Example – Topology
NAT Load-Balancing / Failover
Overview
 NAT has been enhanced to support multiple overloaded interfaces, which
can be used for Load-Balancing and Failover
– Failover – high availability based on Default Gateway Prioritization and Critical
Resource Monitoring
– Load-Balancing – leverages Policy Based Routing to forward traffic across
multiple Internet connections
 Each NAT rule can contain multiple interfaces (in any order):
– Virtual IP Interfaces
– PPPoE Interface
– WWAN Interface
 Enables highly available remote branch deployments as well as flexible
traffic forwarding
Open Shortest Path First (OSPFv2)
Overview
 The dynamic routing protocol OSPFv2 is supported in the WiNG 5.3 release
– OSPF implementation compliant with RFC 2328
– OSPF supported on broadcast (VLAN) interfaces
 The maximum number of dynamic routes is limited by the routing
table size supported on the individual platform
 Supports ABR, ASBR, Stub, Totally Stub, NSSA, Totally NSSA
 Supports route redistribution and route summarization
– Only static and connected routes can be redistributed into OSPF
 Interacts with VRRP: routes are advertised only by the VRRP master
 Interacts with Policy Based Routing
Open Shortest Path First (OSPFv2)
Standard Area Types
Open Shortest Path First (OSPFv2)
Configuration Example – Topology
Virtual Router Redundancy Protocol (VRRP)
Overview
 Provides default gateway redundancy for branch office deployments
– Allows WiNG Wireless Controllers / Access Points to provide default gateway
services to users in the event of a primary Router failure (i.e. failover to 3G)
 VRRP version 2.0 (RFC 3768) and version 3.0 (RFC 5798) are supported
– Default is version 2.0
– Version 3.0 supports sub-second failover, but very few vendors support it for
IPv4 (it is primarily implemented for IPv6)
 Proprietary extension to version 2.0 to support sub-second failover
(the advertisement interval can be specified in msec)
– This was added since most vendors support it for providing sub-second failover
– By default the advertisement interval is 1 second
Virtual Router Redundancy Protocol (VRRP)
Overview Cont.
 Supports failover in case of a WAN link failure on the WiNG or third-party
Router
– If the backup router detects that the WAN link on the master is down, it
becomes the new VRRP master
– When the link is restored, the router that took over transitions back to the
backup state
 All services (DHCP, RADIUS, NAT and VPN) running over the virtual IP are
supported
– For DHCP relay, the DHCP server can be pointed at the virtual IP
– For VPN, the initiator side can be configured with the virtual IP as its remote peer
Virtual Router Redundancy Protocol (VRRP)
Configuration Example – Topology
Critical Resource Monitoring
Overview
 Used to monitor user defined IP addresses / links for liveness
– Monitoring is done with ARP and ICMP ping requests
 Resources can be monitored via:
– IP Address – if the gateway address is statically configured
– Interface – if the gateway address is dynamically learned via DHCP or PPPoE
 Up to four sets of critical resources can be defined:
– Under each set, up to four IP addresses can be configured for monitoring
– The user can choose to take action when all resources in a set are down or when
any of the resources is down
 VRRP, Policy Based Routing and Default Route Prioritization can all
leverage the results of CRM
Default Gateway Prioritization
Overview
 WiNG 5.3 devices can learn a default gateway via:
– Static Route
– DHCP Client (Virtual IP Interface)
– PPPoE / WWAN
– OSPF
 The feature allows administrators to prioritize the default gateways learnt via
the above means
– The default gateway with the lowest priority value is installed on the system
 All learned default gateways are monitored for liveness
– If the installed default gateway becomes unreachable, the next preferred gateway is
installed on the system. When the old gateway comes back online, it is restored
 The default order of preference is Static Route, DHCP Client,
PPPoE, WWAN and OSPF
 This feature is available on all WiNG 5.X platforms
Default Gateway Prioritization
Default Priorities
 Each interface can be assigned a priority from 1 to 8,000; the defaults are:
Default Gateway Learned By    Default Priority
Static Route                  100
DHCP Client                   1,000
PPPoE                         2,000
3G WAN                        3,000
OSPF                          7,000
 The default gateway with the lowest priority value is installed!
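As an added example (not from the deck or from WiNG), the selection rule from the two slides above with Critical Resource Monitoring feeding the liveness decision: the lowest priority value among the reachable gateways is installed, a gateway whose critical resource set is down is skipped, and the preferred gateway is restored as soon as its resources come back. The default priorities are the ones tabulated above; the probe function, addresses, resource sets and the failure sequence are constructed.

```python
"""Added example (not from the WiNG deck): Default Gateway Prioritization
driven by Critical Resource Monitoring results."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_PRIORITY = {"static": 100, "dhcp": 1000, "pppoe": 2000, "wwan": 3000, "ospf": 7000}
PRIORITY_RANGE = range(1, 8001)
Probe = Callable[[str], bool]   # ARP / ICMP reachability of one address


@dataclass(frozen=True)
class CriticalResourceSet:
    name: str
    addresses: Tuple[str, ...]     # at most four per set
    trigger: str = "all"           # "all": down only when every address is down;
                                   # "any": down as soon as one address is down

    def __post_init__(self):
        if not 1 <= len(self.addresses) <= 4:
            raise ValueError("a critical resource set holds one to four addresses")
        if self.trigger not in ("all", "any"):
            raise ValueError("trigger must be 'all' or 'any'")

    def is_up(self, probe: Probe) -> bool:
        results = [probe(addr) for addr in self.addresses]
        return any(results) if self.trigger == "all" else all(results)


@dataclass(frozen=True)
class Gateway:
    address: str
    learned_by: str                            # static | dhcp | pppoe | wwan | ospf
    priority: Optional[int] = None             # None = platform default for learned_by
    crm: Optional[CriticalResourceSet] = None  # None = monitor the gateway address itself

    def effective_priority(self) -> int:
        value = DEFAULT_PRIORITY[self.learned_by] if self.priority is None else self.priority
        if value not in PRIORITY_RANGE:
            raise ValueError("priority must be 1..8000")
        return value

    def is_up(self, probe: Probe) -> bool:
        return self.crm.is_up(probe) if self.crm else probe(self.address)


def select_gateway(gateways: List[Gateway], probe: Probe) -> Optional[Gateway]:
    """Install the lowest-priority-value gateway among those currently reachable."""
    live = [g for g in gateways if g.is_up(probe)]
    return min(live, key=Gateway.effective_priority, default=None)


# Constructed branch: static ISP router checked together with a host beyond it,
# a DHCP-learned gateway on a second link, and a 3G WWAN peer as last resort.
UPSTREAM_CHECK = CriticalResourceSet("isp-path", ("192.0.2.1", "198.51.100.1"), trigger="any")
GATEWAYS = [
    Gateway("192.0.2.1", "static", crm=UPSTREAM_CHECK),   # 100
    Gateway("203.0.113.1", "dhcp"),                        # 1000, monitored by its own address
    Gateway("10.64.64.64", "wwan"),                        # 3000
]


def demo() -> List[Optional[str]]:
    """Failover and failback sequence; returns the installed gateway after each step."""
    reachable = {"192.0.2.1": True, "198.51.100.1": True, "203.0.113.1": True, "10.64.64.64": True}
    probe: Probe = lambda addr: reachable.get(addr, False)

    def installed() -> Optional[str]:
        gw = select_gateway(GATEWAYS, probe)
        return None if gw is None else gw.address

    steps = [installed()]                   # everything up: static gateway wins (100)
    reachable["198.51.100.1"] = False       # path beyond the static gateway lost: "any" => set down
    steps.append(installed())               # DHCP gateway (1000)
    reachable["203.0.113.1"] = False        # second link gone as well
    steps.append(installed())               # WWAN (3000)
    reachable["198.51.100.1"] = True        # ISP path restored: failback to static
    steps.append(installed())
    return steps


if __name__ == "__main__":
    print(demo())
```

The "any" trigger on the static gateway's set is what makes the device fail over when the ISP router still answers ARP but can no longer reach anything beyond itself; monitoring the gateway address alone would keep a dead path installed.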
PPPoE Client
Overview
 Many Internet service providers (ISPs) use the Point-to-Point
Protocol over Ethernet (PPPoE) to provide Digital Subscriber Line (DSL)
broadband Internet access
 PPPoE uses the standard methods of encryption, authentication, and
compression specified by the Point-to-Point Protocol (PPP)
– PPP authentication is typically PAP or CHAP; PAP sends the password in the
clear on the link, CHAP uses a challenge / response
 Implementing a PPPoE client allows a WiNG 5.X device to connect to the
ISP over an Ethernet interface
– Uses the interface name pppoe1
– The interface supports Firewall and Crypto policies as well as NAT
 A PPPoE client interface can be defined within a Device Profile or directly
on a device as a Device Override
 The interface configuration MUST include the ID of the VLAN the DSL modem is
connected to!
Security Enhancements
IPsec VPN
Overview
 WiNG 5.3 re-introduces support for standards based IPsec VPN on select
WiNG 5.X Access Points
– Site-to-Site VPN
– Remote VPN
– Host to Host
 Remote VPN support added to Controllers!
 Can be used when MINT and/or user traffic needs to be secured over an
IPv4 network:
– Access Point to Controller within a site or over a public network
– Branch Offices
– Remote Teleworkers
– Secure communications to specific hosts (i.e. Controller to RADIUS or LDAP)
 Completely new IPsec implementation which integrates tightly with NAT
and VRRP in addition to providing support for redundant peers
IPsec VPN
VPN Configuration Example 1 – Topology
IPsec VPN
VPN Configuration Example 2 – Topology
Auto IPsec Secure
Overview
 IPsec security for AP to Controller and Controller to Controller traffic with
minimal configuration:
– IPsec tunnels are set up based on the configured list of controller hosts
– IPsec tunnels are set up based on statically configured link configuration
 No explicit traffic selector is configured by the user; the traffic selector is
derived internally!
 No explicit transform set is configured by the user!
 The only items the user configures are the identity and the authentication
credentials!
Auto IPsec Secure
Configuration Example – Topology
Q&A