InterVlan Issue – need help please

Community Forum Forums Thunder and AX Series General InterVlan Issue – need help please

This topic contains 6 replies, has 2 voices, and was last updated by avatar diederik 1 month, 1 week ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #15392
    avatar
    hashim
    Member

    Hi,

    Before A10 Deployment, our Core firewall was doing the InterVlan Routing.

    At the moment A10 does the InterVlan Routing. While we require the Core Firewall to do that, we do have 10s of restriction policies.

    I have simulated this in a testing environment and appreciate your help.

    A10 InterVlan Roiuting Case

    Here is my full configuration,

    system ve-mac-scheme system-mac
    !
    terminal idle-timeout 0
    !
    partition ssli_innn id 1
    !
    partition ssli_iouttt id 2
    !
    web-service axapi-timeout-policy idle 0
    !
    interface management
    ip address 192.168.1.73 255.255.255.0
    enable
    lldp enable rx tx
    !
    interface ethernet 1
    enable
    !
    interface ethernet 2
    enable
    !
    interface ethernet 3
    !
    interface ethernet 4
    !
    interface ethernet 5
    !
    interface ethernet 6
    !
    interface ethernet 7
    !
    interface ethernet 8
    !
    interface ethernet 9
    !
    interface ethernet 10
    !
    interface ethernet 11
    !
    interface ethernet 12
    !
    !
    end
    !
    active-partition ssli_innn
    !
    !
    access-list 190 remark ssli_innn
    !
    access-list 190 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    !
    access-list 190 permit ip any any
    !
    access-list 191 remark block_quic
    !
    access-list 191 deny udp any any eq 80
    !
    access-list 191 deny udp any any eq 443
    !
    access-list 191 permit ip any any
    !
    vlan 10
    tagged ethernet 1
    router-interface ve 10
    !
    vlan 20
    tagged ethernet 1
    router-interface ve 20
    !
    vlan 850
    untagged ethernet 2
    router-interface ve 850
    !
    interface ethernet 1
    enable
    !
    interface ethernet 2
    enable
    !
    interface ve 10
    access-list 191 in
    ip address 192.168.10.1 255.255.255.0
    ip allow-promiscuous-vip
    !
    interface ve 20
    access-list 191 in
    ip address 192.168.20.1 255.255.255.0
    ip allow-promiscuous-vip
    !
    interface ve 850
    ip address 192.168.2.75 255.255.255.0
    ip allow-promiscuous-vip
    !
    !
    ip route 0.0.0.0 /0 192.168.2.74
    !
    slb template cipher cl_cipher_template
    TLS1_RSA_AES_128_SHA
    TLS1_RSA_AES_256_SHA
    TLS1_RSA_AES_128_GCM_SHA256
    TLS1_RSA_AES_256_GCM_SHA384
    TLS1_ECDHE_RSA_AES_128_SHA
    TLS1_ECDHE_RSA_AES_256_SHA
    TLS1_ECDHE_RSA_AES_128_SHA256
    TLS1_ECDHE_RSA_AES_128_GCM_SHA256
    !
    slb server fw1 192.168.1.76
    port 0 tcp
    health-check-disable
    port 0 udp
    health-check-disable
    port 8080 tcp
    health-check-disable
    !
    slb service-group SG_SSLi_TCP tcp
    member fw1 0
    !
    slb service-group SG_SSLi_UDP udp
    member fw1 0
    !
    slb service-group SG_SSLi_Xlated tcp
    member fw1 8080
    !
    slb template client-ssl cl_ssl
    template cipher cl_cipher_template
    forward-proxy-ca-cert InsightA10SSLi
    forward-proxy-ca-key InsightA10SSLi
    forward-proxy-ocsp-disable
    forward-proxy-crl-disable
    forward-proxy-cert-expiry hours 168
    forward-proxy-enable
    forward-proxy-failsafe-disable
    disable-sslv3
    !
    slb template http insertHeaders
    non-http-bypass service-group SG_SSLi_Xlated
    !
    slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
    port 0 tcp
    service-group SG_SSLi_TCP
    no-dest-nat
    port 0 udp
    service-group SG_SSLi_UDP
    no-dest-nat
    port 0 others
    service-group SG_SSLi_UDP
    no-dest-nat
    port 443 https
    service-group SG_SSLi_Xlated
    template http insertHeaders
    template client-ssl cl_ssl
    no-dest-nat port-translation
    !
    end
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !
    active-partition ssli_iouttt
    !
    !
    access-list 191 remark ssli_iouttt
    !
    access-list 191 permit ip any any
    !
    vlan 860
    untagged ethernet 5 to 6
    router-interface ve 860
    !
    interface ethernet 5
    enable
    !
    interface ethernet 6
    enable
    !
    interface ve 860
    ip address 192.168.1.76 255.255.255.0
    ip allow-promiscuous-vip
    !
    !
    ip route 0.0.0.0 /0 192.168.1.222
    !
    ip route 192.168.10.0 /24 192.168.1.74
    !
    ip route 192.168.20.0 /24 192.168.1.74
    !
    slb template cipher sr_cipher_template
    TLS1_RSA_AES_128_SHA
    TLS1_RSA_AES_256_SHA
    TLS1_RSA_AES_128_GCM_SHA256
    TLS1_RSA_AES_256_GCM_SHA384
    TLS1_ECDHE_RSA_AES_128_SHA
    TLS1_ECDHE_RSA_AES_256_SHA
    TLS1_ECDHE_RSA_AES_128_SHA256
    TLS1_ECDHE_RSA_AES_128_GCM_SHA256
    !
    slb template server-ssl sr_ssl
    forward-proxy-enable
    template cipher sr_cipher_template
    !
    slb server GW 192.168.1.222
    port 0 tcp
    health-check-disable
    port 0 udp
    health-check-disable
    port 443 tcp
    health-check-disable
    !
    slb service-group GW_SSL_443 tcp
    member GW 443
    !
    slb service-group GW_TCP_0 tcp
    member GW 0
    !
    slb service-group GW_UDP_0 udp
    member GW 0
    !
    slb template http removeHeaders
    non-http-bypass service-group GW_SSL_443
    !
    slb virtual-server SSLi_out_ingress 0.0.0.0 acl 191
    port 0 tcp
    source-nat auto
    service-group GW_TCP_0
    use-rcv-hop-for-resp
    no-dest-nat
    port 0 udp
    source-nat auto
    service-group GW_UDP_0
    use-rcv-hop-for-resp
    no-dest-nat
    port 0 others
    source-nat auto
    service-group GW_UDP_0
    use-rcv-hop-for-resp
    no-dest-nat
    port 443 tcp
    source-nat auto
    service-group GW_TCP_0
    use-rcv-hop-for-resp
    no-dest-nat
    port 8080 http
    source-nat auto
    service-group GW_SSL_443
    use-rcv-hop-for-resp
    template http removeHeaders
    template server-ssl sr_ssl
    no-dest-nat port-translation
    !
    end
    !Current config commit point for partition 2 is 0 & config mode is classical-mode

    #15402
    avatar
    diederik
    Member

    If you do not want the A10 to route, do not give it interfaces in the VLAN’s.

    Why not create 2 partitions? and have one partition with VLAN 20 and lets say VLAN 852, and the other partition with VLAN 10 and VLAN 851?

    This way the traffic from VLAN 20 will stay in its own partition and thus can only reach VLAN 10 over the firewall, and the same for VLAN 10…

    Or have a look at: l3-vlan-fwd-disable / vlan-global l3-vlan-fwd-disable

    Those commands might also do what you require.

    #15452
    avatar
    hashim
    Member

    Actually the number of Vlans I have (+200) is more than the number of partition supports (64).

    l3-vlan-fwd-disable \ vlan-global l3-vlan-fwd-disable

    both of these commands did not have any affect.

    I have done 50% of my requirement, in ssli-innn partition, I have removed

    no access-list 190 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    so all traffic now are included in the wildcard VIP.

    when laptop 192.168.10.100 ping 192.168.20.100, the packet goes to the firewall, and the firewall then will route it back to A10 ssli-innn partition “int ve 850”, but the issue seems int ve 850 will route it back to the firewall, I have removed “ip allow-promiscuous-vip” from ve 850, but it did no solve the issue.

    these are tcpdump from the firewall:
    19:40:11.138585 IP 192.168.10.100 > 192.168.20.100: ICMP echo request, id 1, seq 2999, length 40
    19:40:11.138833 IP 192.168.10.100 > 192.168.20.100: ICMP echo request, id 1, seq 2999, length 40
    19:40:11.138835 IP 192.168.10.100 > 192.168.20.100: ICMP echo request, id 1, seq 2999, length 40
    19:40:11.139083 IP 192.168.10.100 > 192.168.20.100: ICMP echo request, id 1, seq 2999, length 40
    19:40:11.139085 IP 192.168.10.100 > 192.168.20.100: ICMP echo request, id 1, seq 2999, length 40
    19:40:11.139333 IP 192.168.10.100 > 192.168.20.100: ICMP echo request, id 1, seq 2999, length 40
    19:40:11.139337 IP 192.168.2.74 > 192.168.10.100: ICMP time exceeded in-transit, length 36

    The solution should tell ve 850 that if you receive a packet inbound (from the firewall), and destined to one of the connected Vlans, then dont use wildcard VIP, but route it normally !!

    I am not sure if this is possible, !!

    #15462
    avatar
    diederik
    Member

    Ok, it still might be possible.

    You have told the A10 that it is not allowed to route between VLAN’s.
    You can adjust your ACL’s so that the traffic from the firewall towards 192.168.20.100 does not hit the VIP anymore… but… then you have traffic coming from VLAN 850 that needs to be routed towards VLAN 10… with the global setting this to disable VLAN routing this will not work.

    If I am correct you can also enable/disable VLAN routing on a per interface basis.
    So allow VLAN routing for the VLAN 850 interface… so that traffic from the firewall gets routed normally, and disable it for all the other VLAN’s.
    The routing action is decided when the traffic is inbound from an interface.

    Still you now need to make sure that your SSLi VIP does not need to match on the traffic between the VLAN 10 and 20 etc… make sure you adjust the ACL’s so that the action is deny for all those IP’s.

    You might actually need a second wildcard VIP with an ACL that matches you internal clients going to other internal clients and use the service group to forward the traffic to the Firewall.

    And then build the ACL for the SSLi part so that only from internal sources toward external destinations are matched and processed by SSLi.

    I am quite sure this is possible… I would advise getting your local A10 Representatives involved and possibly A10 Professional services if you have issues implementing the above suggestions.

    #15472
    avatar
    diederik
    Member

    I have played around with your setup in a lab.

    And although it is possible, it’s not very straight forward.
    Due to the fact that you disable Inter VLAN Routing, you need to use complete VIP/ServiceGroup/Server based routing.

    As far as I know you can not force traffic in the direction of a particular interface and then get the A10 to ARP for a local address, unless that address is the Server/Gateway address or you force it with aFlex.

    So by disabling the “Routing” part of the A10, you now need to use Server definitions that point to Gateways for a particular destination.

    Between every VLAN on the client side and the A10 you would need something that does routing, unique to that VLAN.

    On thing you could possibly do to remove the need for gateways in each VLAN, it use aFlex and combine the “nexthop” command with the destination of the packet. You then force the A10 to still arp for the “nexthop” and store that MAC to forward the traffic.

    So from your client side to the Firewall, you can leave the SSLi setup as is.
    All you need to make sure, is that the traffic that does not need SSLi, (when the source and destination are both internal) bypasses the SSLi process and get forwarded to the firewall.
    On the return path you can do the same.
    Add an ACL that matches the internal to internal traffic, this could hit a different wildcard VIP, and on that VIP use an aFlex, to force the A10 to still arp for the internal destination address and set it as next hop: nexthop [IP::addr [IP::remote_addr]]

    One thing that I have not been able to test, but which might actually work. Is use the A10 in “transparent” mode.

    Disable VLAN routing, have all the VLAN’s on 2 interfaces, one on the client side and one on the firewall side. When the clients ARP for their gateway, the FW will respond on the right VLAN. Now you do not need funky ACL’s or aFlex anymore.

    Best would be to have A10 PS confirm this.

    #15482
    avatar
    hashim
    Member

    Hi diederik

    Thank you for your input, I have noted this and will try to lab it,

    However, I have re-configured my ACL and now 90% of my requirement is working fine.
    Here is the new ACL:

    access-list 190 10 deny ip any any vlan 850
    access-list 190 20 permit ip any any

    So this tells ve 850 if you receive the packet from the firewall, dont put it in the wildcard VIP and route it normally.

    I can now from Vlan 10 send traffic to Vlan 20 and my firewall can see it. I have ping it as well as used RDP and both are working great.

    there is only one thing strange happens:
    in InterVlan traffic, the firewall sees duplicate packets (two packets). so if you 192.168.10.100 ping 192.168.20.100, the firewall sees two packets and not one.
    This only happens with InterVlan Routing, if I ping 8.8.8.8, the firewall sees only one packet.

    However, the computers do not see these duplicates packet, from their perspective it is fine. I have crossed check with Wireshark.

    Firewall tcpdump
    tcpdump -ni igb0 host 192.168.10.100 and icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on igb0, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:05:23.530228 IP 192.168.20.100 > 192.168.10.100: ICMP echo request, id 1, seq 3920, length 40
    16:05:23.530239 IP 192.168.20.100 > 192.168.10.100: ICMP echo request, id 1, seq 3920, length 40
    16:05:23.530978 IP 192.168.10.100 > 192.168.20.100: ICMP echo reply, id 1, seq 3920, length 40
    16:05:23.530982 IP 192.168.10.100 > 192.168.20.100: ICMP echo reply, id 1, seq 3920, length 40

    Firewall tcpdump
    tcpdump -ni igb0 host 192.168.10.100 and host 192.168.20.100
    18:26:37.443725 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33049:33122, ack 331456, win 1798, length 73
    18:26:37.443726 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33049:33122, ack 331456, win 1798, length 73
    18:26:37.443975 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33122:33195, ack 331456, win 1798, length 73
    18:26:37.443976 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33122:33195, ack 331456, win 1798, length 73
    18:26:37.802975 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33195:33268, ack 331710, win 1797, length 73
    18:26:37.802978 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33195:33268, ack 331710, win 1797, length 73

    Here is the tracert from 192.168.20.100 to 192.168.10.100

    C:\Users\hashim>tracert -d 192.168.10.100

    Tracing route to 192.168.10.100 over a maximum of 30 hops

    1 25 ms <1 ms <1 ms 192.168.2.74
    2 <1 ms <1 ms <1 ms 192.168.2.74
    3 <1 ms <1 ms <1 ms 192.168.20.1
    4 1 ms 1 ms 1 ms 192.168.10.100

    Trace complete.

    I was expecting the tracert to be something like

    1 25 ms <1 ms <1 ms 192.168.20.1
    2 <1 ms <1 ms <1 ms 192.168.2.74
    3 <1 ms <1 ms <1 ms 192.168.2.75
    4 1 ms 1 ms 1 ms 192.168.10.100

    so everthing is working fine now, except this little issue, let me know if there is anything can be done on this.

    Thanks for your support.

    • This reply was modified 1 month, 1 week ago by avatar hashim.
    #15502
    avatar
    diederik
    Member

    Ok, thanks for the update.

    So if I understand correctly, you now have per vlan interface on the client side used l3-vlan-fwd-disable and you have not used this on the vlan 850 interface?
    So that the Wildcard VIP is pushing the traffic from the VLAN’s towards the firewall, and routing from the firewall back happens normally, thanks to the ACL.

    For existing SSLi sessions, the session cache should be matched first, so indeed your setup seems logical and much more easy than I cooked up ;)

    I expect the ACL + Wildcard VIP is now capturing the packets related to ping/tracrt.
    I don’t know why the A10 is duplicating the traffic, that should not happen.

    Can you check if the A10 is also sending duplicate packets for other protocols than ICMP?

    As this duplication of packets should not happen, I would definitely open a case with A10 Support so they can check it out.

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

Comments are closed.