All Together Now

Having tackled the setup required for implementing this Policy Routing structure you want to move on to bigger projects. Luckily you have been selected to assist in incorporating a recently acquired company into the corporate network fabric.

This company has three different connections into the core network:

  • The first connection is the Internet, mediated by an existing firewall you have no control over.

  • The second connection is the primary vendor who has provided a connection to their ordering system.

  • The third connection is the primary transport supplier who has provided a connection into their scheduling system.

The network connections all terminate into a single Token Ring network. Currently there are four small Token Ring-Ethernet routers installed between the internal Ethernets and the Token Ring. Additionally, there is a translating bridge between the two Ethernets and the Token Ring for the Internet connection. Your job is to fix and secure this mess.

The networks and connections from the three outside networks are shown in Listing 5.7.

Listing 5.7 All Together Now Initial Notes
  # Internet
  Allocated DMZ Address Space from Firewall: 172.16.1.0/24
  Firewall TokenRing Interface: 172.16.1.254, 192.168.1.254, 192.168.2.254
  Provides NAT for all addresses in the 192.168.0/22 range

  # Vendor
  Allocated DMZ Addresses: 192.168.100.0/24
  Router TokenRing Interface: 192.168.100.254
  Provides Connection to 172.18/16
  Allows routes to 192.168.1/24 and 192.168.2/24

  # Supplier
  Allocated DMZ Addresses: 192.168.200.0/24
  Router TokenRing Interface: 192.168.200.254
  Provides Connection to 10.10/16
  Allows routes to 192.168.1/24 and 192.168.2/24

You find out that the two internal Ethernets use 192.168.1.0/24 and 192.168.2.0/24, which explains the routes the vendor and supplier routers allow. Digging further you find out that only some people are supposed to be allowed into either or both of the Vendor and Supplier networks, and that there are several groups of computers management would like to keep off the Internet.

You write down all of the information and distill it into Listing 5.8.

Listing 5.8 All Together Now Routing/Security Policy
  # Allowed to Vendor network
  192.168.1.0/24
  192.168.2.32/27

  # Allowed to Supplier network
  192.168.2.0/24
  192.168.1.128/29

  # Denied Internet
  192.168.1.128/25
  192.168.2.32/27

Fairly simple so far. You take out all four small routers and both of the translating bridges so that nothing now connects the Token Ring with the internal Ethernets. You decide to use a single Policy Routing core router between the internal Ethernets and the Token Ring DMZ. While determining where to install the Ethernet cables you discover that the two Ethernets are actually only two different hubs with a backplane connection, thus making them one physical network. Therefore, you only need one physical Ethernet interface. Well, this will be even easier, you think, hoping that nothing else pops up to surprise you.

You start configuring your core router by noting down its addresses and primary routes (see Listing 5.9). Note which addresses you are reusing: eth0 takes over 192.168.1.254 and 192.168.2.254, which the firewall currently holds on its Token Ring interface. Those two addresses must come off the firewall, and the firewall, the vendor router, and the supplier router must each be told to reach 192.168.1/24 and 192.168.2/24 through the core router's address on their own DMZ network (172.16.1.1, 192.168.100.1, and 192.168.200.1 respectively); otherwise return traffic is delivered onto the ring and never reaches your router. Since you do not control the firewall, that change has to be arranged with whoever does.

Listing 5.9 All Together Now Address and Routes Notes
  # tr0
  172.16.1.1/24
  192.168.100.1/24
  192.168.200.1/24

  # eth0
  192.168.1.254/24
  192.168.2.254/24

  # Primary Routes
  172.18.0.0/16 through gateway 192.168.100.254 (Vendor)
  10.10.0.0/16 through gateway 192.168.200.254 (Supplier)
  Default through gateway 172.16.1.254 (Internet)

You now have both your configuration and your security policy. You decide to create one script to implement the corresponding Policy Routing structure. This script with comments is shown in Listing 5.10.

Listing 5.10 All Together Now: The Script
  # Begin script for CORPALL V1.0
  #
  # Vendor Net:
  #    172.18/16 / router 192.168.100.254/24
  # Supplier Net:
  #    10.10/16 / router 192.168.200.254/24
  # Internet Firewall:
  #    default / router 172.16.1.254/24
  #
  # Implement Multiple IP Addresses
  #
  # TokenRing 0 - DMZ
  ip addr add 172.16.1.1/24 dev tr0 brd +
  ip addr add 192.168.100.1/24 dev tr0 brd +
  ip addr add 192.168.200.1/24 dev tr0 brd +
  #
  # Ethernet 0 - Internal Ethernets
  ip addr add 192.168.1.254/24 dev eth0 brd +
  ip addr add 192.168.2.254/24 dev eth0 brd +
  #
  # Implement Routing Tables
  #    Table 1 = vendor
  #    Table 2 = supplier
  #    Table 3 = inet
  #
  # To Internet - use inet table
  ip route add default via 172.16.1.254 proto static table inet
  #
  # To Vendor Net - use vendor table
  ip route add 172.18/16 via 192.168.100.254 proto static table vendor
  #
  # To Supplier Net - use supplier table
  ip route add 10.10/16 via 192.168.200.254 proto static table supplier
  #
  # Implement Rules
  #    15000 - 15999 use for Vendor
  #    16000 - 16999 use for Supplier
  #    17000 - 17999 use for Internet
  #
  # To Vendor Net
  ip rule add from 192.168.1.0/24 to 172.18/16 prio 15000 table vendor
  ip rule add from 192.168.2.32/27 to 172.18/16 prio 15100 table vendor
  #
  # To Supplier Net
  ip rule add from 192.168.2.0/24 to 10.10/16 prio 16000 table supplier
  ip rule add from 192.168.1.128/29 to 10.10/16 prio 16100 table supplier
  #
  # To Internet
  ip rule add from 192.168.1.0/25 to 0/0 prio 17000 table inet
  ip rule add from 192.168.2.0/27 to 0/0 prio 17100 table inet
  ip rule add from 192.168.2.64/26 to 0/0 prio 17200 table inet
  ip rule add from 192.168.2.128/25 to 0/0 prio 17300 table inet
  #
  # Force Policy Routing Structure Update
  ip route flush cache
  #
  # end CORPALL version 1.0

You can then run this script on your Policy Routing core router and you have a complete implementation. Two things must be in place first: the table names vendor, supplier, and inet have to be mapped to the numbers 1, 2, and 3 in /etc/iproute2/rt_tables, as the script's comments record, because ip only accepts a table by name once it is listed there; and IP forwarding must be enabled on the router. This one script ties together all the parts of a basic Policy Routing implementation: multiple IP addresses, multiple routing tables, rules, and a defined structure for putting them in place.
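How the four "To Internet" rules follow from the policy is worth making mechanical: the sources allowed out are whatever remains of the two internal networks once the denied blocks are removed. The following Python is an added example, not code from the book; it subtracts the denied-Internet blocks of Listing 5.8 from the internal networks with the standard ipaddress module and emits one ip rule line per remaining block, using the same table name and priority scheme as Listing 5.10. It also checks that the allowed and denied blocks together cover the internal networks exactly, so that no host is left without a rule and silently falls through to the main table. The function names and the partition check are this example's own.

```python
"""Derive the 'To Internet' rules of Listing 5.10 from the policy in Listing 5.8.

Added example, not from the book: the denied-Internet blocks are subtracted
from the internal networks and every block that remains becomes one ip rule
line, numbered from 17000 in steps of 100 like the script.
"""
from ipaddress import IPv4Network

INTERNAL = [IPv4Network("192.168.1.0/24"), IPv4Network("192.168.2.0/24")]
DENIED_INTERNET = [IPv4Network("192.168.1.128/25"), IPv4Network("192.168.2.32/27")]


def allowed_blocks(internal, denied):
    """Internal address space minus the denied blocks, as a sorted list of
    CIDR networks.  Two CIDR blocks are either nested or disjoint, so a denied
    block is either carved out of a network (address_exclude) or leaves it
    alone; a network wholly inside a denied block disappears."""
    remaining = list(internal)
    for d in denied:
        carved = []
        for net in remaining:
            if net.subnet_of(d):          # wholly denied (covers equality)
                continue
            if d.subnet_of(net):          # strictly inside: split around it
                carved.extend(net.address_exclude(d))
            else:                         # disjoint: untouched
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def covers_exactly(internal, allowed, denied):
    """True when allowed and denied together partition the internal space:
    every block lies inside an internal network, no two overlap, and their
    sizes add up to the internal total.  False means some hosts would have
    no rule at all, or a policy entry names a block outside the network."""
    blocks = allowed + denied
    inside = all(any(b.subnet_of(n) for n in internal) for b in blocks)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(blocks) for b in blocks[i + 1:])
    sizes_match = (sum(b.num_addresses for b in blocks)
                   == sum(n.num_addresses for n in internal))
    return inside and disjoint and sizes_match


def internet_rules(internal, denied, table="inet", base_prio=17000, step=100):
    """One 'ip rule add' line per allowed block, in address order."""
    allowed = allowed_blocks(internal, denied)
    if not covers_exactly(internal, allowed, denied):
        raise ValueError("policy does not partition the internal networks")
    return [f"ip rule add from {b} to 0/0 prio {base_prio + i * step} table {table}"
            for i, b in enumerate(allowed)]


if __name__ == "__main__":
    for line in internet_rules(INTERNAL, DENIED_INTERNET):
        print(line)
```

Run as a script it prints the same four rules, in the same order, that Listing 5.10 carries by hand; change a denied block and the rules follow. The partition check is the part worth keeping around: a mistyped block that lies outside 192.168.1/24 or 192.168.2/24 is reported instead of quietly producing rules that never match.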

Just to prove to yourself that this is not the only way to implement this structure, you create an alternate script (see Listing 5.11).

Listing 5.11 All Together Now: The Other Script
  # Begin script for CORPALL V1.0 Alternate
  #
  # Vendor Net:
  #    172.18/16 / router 192.168.100.254/24
  # Supplier Net:
  #    10.10/16 / router 192.168.200.254/24
  # Internet Firewall:
  #    default / router 172.16.1.254/24
  #
  # Implement Multiple IP Addresses
  #
  # TokenRing 0 - DMZ
  ip addr add 172.16.1.1/24 dev tr0 brd +
  ip addr add 192.168.100.1/24 dev tr0 brd +
  ip addr add 192.168.200.1/24 dev tr0 brd +
  #
  # Ethernet 0 - Internal Ethernets
  ip addr add 192.168.1.254/24 dev eth0 brd +
  ip addr add 192.168.2.254/24 dev eth0 brd +
  #
  # Implement Routing Tables
  #     Table 1 = external
  #
  # To Internet - use main table default route
  ip route add default via 172.16.1.254 proto static
  #
  # To Vendor Net - use external table
  ip route add 172.18/16 via 192.168.100.254 proto static table external
  #
  # To Supplier Net - use external table
  ip route add 10.10/16 via 192.168.200.254 proto static table external
  #
  # Implement Rules
  #    15000 - 15999 use for Vendor
  #    16000 - 16999 use for Supplier
  #    17000 - 17999 use for Internet
  #
  # To Vendor Net
  ip rule add from 192.168.1.0/24 to 172.18/16 prio 15000 table external
  ip rule add from 192.168.2.32/27 to 172.18/16 prio 15100 table external
  ip rule add from 0/0 to 172.18/16 prio 15999 table external blackhole
  #
  # To Supplier Net
  ip rule add from 192.168.2.0/24 to 10.10/16 prio 16000 table external
  ip rule add from 192.168.1.128/29 to 10.10/16 prio 16100 table external
  ip rule add from 0/0 to 10.10/16 prio 16999 table external blackhole
  #
  # To Internet
  ip rule add from 192.168.1.128/25 to 0/0 prio 17000 table main blackhole
  ip rule add from 192.168.2.32/27 to 0/0 prio 17100 table main blackhole
  # Default AntiSpoof
  ip rule add from 192.168.1.0/24 to 0/0 dev eth0 prio 17200
  ip rule add from 192.168.2.0/24 to 0/0 dev eth0 prio 17300
  ip rule add from 0/0 dev eth0 prio 17999 blackhole
  #
  # Force Policy Routing Structure Update
  ip route flush cache
  #
  # end CORPALL version 1.0 Alternate

Upon careful study, you determine that this script also implements the Policy Routing structure you want. The first script uses three additional routing tables and simple allow-only rules; the second uses one additional table, blackhole rules, and a default route in the main table. For traffic the policy permits, the two behave identically. They differ in what happens to traffic the policy does not mention. In the first script a host that is not on the supplier list, say one in 192.168.1.0/25, has its 10.10/16 traffic matched by the prio 17000 rule and handed to the Internet firewall through the inet table, and the denied-Internet groups end up with no route at all (the main table has no default), so the router answers them with ICMP unreachable instead of dropping silently. The second script blackholes both cases explicitly, and its three "Default AntiSpoof" rules additionally discard anything arriving on eth0 from an address outside the two internal networks, which the first script does not do. If the intent is that unauthorized hosts must not even attempt to reach the partner networks, the explicit blackhole rules of the second script are the safer choice.
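To see exactly where the two scripts part company, the rule evaluation can be simulated off-line before anything is typed into the router. The following Python is an added example and not code from the book. It models only what the listings configure: ordered rules with source, destination and incoming-interface selectors and a table or blackhole action; longest-prefix lookup per table; and the kernel's fall-through to the next rule when the selected table holds no matching route. It then sends four constructed probe packets through both configurations. The Router class, the probe labels, and the probe addresses are this example's own; 198.51.100.7 is a documentation address standing in for an Internet host.

```python
"""Off-line evaluation of the CORPALL rule structures in Listings 5.10 and 5.11.

Added example, not from the book.  Modelled: ordered ip rules with from/to/iif
selectors and a table or blackhole action, per-table longest-prefix lookup, and
fall-through to the next rule when the chosen table has no matching route.
Not modelled: the local table, the route cache, ARP.
"""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Networks directly attached to tr0 and eth0 (Listing 5.9); they live in main.
CONNECTED = [ip_network(n) for n in (
    "172.16.1.0/24", "192.168.100.0/24", "192.168.200.0/24",
    "192.168.1.0/24", "192.168.2.0/24")]


class Router:
    def __init__(self, connected):
        self.tables = {"main": [(n, "direct") for n in connected]}
        self.rules = []  # (prio, src, dst, iif, table, blackhole)

    def route(self, table, prefix, via):
        self.tables.setdefault(table, []).append((ip_network(prefix), via))

    def rule(self, prio, src="0.0.0.0/0", dst="0.0.0.0/0", iif=None,
             table="main", blackhole=False):
        self.rules.append((prio, ip_network(src), ip_network(dst), iif, table, blackhole))
        self.rules.sort(key=lambda r: r[0])

    def lookup(self, table, dst):
        """Longest-prefix match in one table; None when it has no route."""
        best = None
        for prefix, via in self.tables.get(table, []):
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via)
        return best[1] if best else None

    def forward(self, src, dst, iif):
        """Next hop, 'direct', 'blackhole' or 'unreachable' for one packet."""
        src, dst = ip_address(src), ip_address(dst)
        fallback = (32766, ANY, ANY, None, "main", False)  # the implicit main rule
        for prio, s, d, i, table, blackhole in self.rules + [fallback]:
            if src not in s or dst not in d or (i is not None and i != iif):
                continue
            if blackhole:
                return "blackhole"
            via = self.lookup(table, dst)
            if via is not None:
                return via          # table miss: keep walking the rules
        return "unreachable"


def corpall_v1():
    """Listing 5.10: three tables, allow-only rules, no default in main."""
    r = Router(CONNECTED)
    r.route("inet", "0.0.0.0/0", "172.16.1.254")
    r.route("vendor", "172.18.0.0/16", "192.168.100.254")
    r.route("supplier", "10.10.0.0/16", "192.168.200.254")
    r.rule(15000, "192.168.1.0/24", "172.18.0.0/16", table="vendor")
    r.rule(15100, "192.168.2.32/27", "172.18.0.0/16", table="vendor")
    r.rule(16000, "192.168.2.0/24", "10.10.0.0/16", table="supplier")
    r.rule(16100, "192.168.1.128/29", "10.10.0.0/16", table="supplier")
    for prio, src in ((17000, "192.168.1.0/25"), (17100, "192.168.2.0/27"),
                      (17200, "192.168.2.64/26"), (17300, "192.168.2.128/25")):
        r.rule(prio, src, table="inet")
    return r


def corpall_v1_alt():
    """Listing 5.11: one extra table, blackhole rules, default route in main."""
    r = Router(CONNECTED)
    r.route("main", "0.0.0.0/0", "172.16.1.254")
    r.route("external", "172.18.0.0/16", "192.168.100.254")
    r.route("external", "10.10.0.0/16", "192.168.200.254")
    r.rule(15000, "192.168.1.0/24", "172.18.0.0/16", table="external")
    r.rule(15100, "192.168.2.32/27", "172.18.0.0/16", table="external")
    r.rule(15999, dst="172.18.0.0/16", blackhole=True)
    r.rule(16000, "192.168.2.0/24", "10.10.0.0/16", table="external")
    r.rule(16100, "192.168.1.128/29", "10.10.0.0/16", table="external")
    r.rule(16999, dst="10.10.0.0/16", blackhole=True)
    r.rule(17000, "192.168.1.128/25", blackhole=True)
    r.rule(17100, "192.168.2.32/27", blackhole=True)
    r.rule(17200, "192.168.1.0/24", iif="eth0")   # table main
    r.rule(17300, "192.168.2.0/24", iif="eth0")   # table main
    r.rule(17999, iif="eth0", blackhole=True)      # anti-spoof catch-all
    return r


# Constructed probes: (label, source, destination); all arrive on eth0.
PROBES = [
    ("allowed host to supplier", "192.168.1.130", "10.10.1.1"),
    ("unlisted host to supplier", "192.168.1.10", "10.10.1.1"),
    ("denied host to Internet", "192.168.1.200", "198.51.100.7"),
    ("allowed host to Internet", "192.168.2.70", "198.51.100.7"),
]


def compare(probes=PROBES):
    """Map each probe label to (Listing 5.10 result, Listing 5.11 result)."""
    v1, alt = corpall_v1(), corpall_v1_alt()
    return {label: (v1.forward(s, d, "eth0"), alt.forward(s, d, "eth0"))
            for label, s, d in probes}


if __name__ == "__main__":
    for label, (first, second) in compare().items():
        print(f"{label:28s} 5.10: {first:16s} 5.11: {second}")
```

The second probe is the one that separates the scripts: under Listing 5.10 a host in 192.168.1.0/25 that is not on the supplier list has its 10.10/16 packet caught by the prio 17000 rule and sent to the firewall at 172.16.1.254, while Listing 5.11 blackholes it at prio 16999. The third probe shows the denied-Internet group getting no route at all under Listing 5.10, because its main table has no default, but a silent blackhole under Listing 5.11. The same harness is the place to add a probe for every row of Listing 5.8 before the real rules go in.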

Policy Routing Using Linux, 2000