Using Gateway Initiated Netcon to manage HA cluster with only one public ip


Post by Aron » 28 Feb 2017, 14:32

This How-to applies to:
  • Clavister cOS Core 11.10
Problem:
I want to add a remote HA cluster to InControl, but I don't have enough public IP addresses to assign each cluster node its own public IP for management.

Solution:
By using Gateway Initiated on the NetconMgmt object and letting the cluster nodes call home to the InControl server instead of vice versa, the cluster can be added to and managed from InControl without the need to assign a public IP address to each node for management.

To achieve this, the netcon connection must be initiated from one interface and received on another before it can be passed on by the active node to the next-hop router. These interfaces must be isolated from each other by assigning them to separate routing tables.

In this how-to, the interface initiating netcon will be called ge2, the receiver interface will be called gesw and the extra routing table will be called incontrol.

How to accomplish this:
  1. Create a new routing table with ordering Only, in this example called incontrol.
  2. Locate an unused interface, in this example the ge2 interface.
     Configure ge2 with both shared and HA IPs, with addresses from the same subnet used on the gesw interface.
     Under the Virtual Routing tab, check "Make interface a member of a specific routing table" and select the incontrol table.
     This is the interface we will be using for initiating the netcon connection.
     [Figure: ge2 Virtual Routing settings (vr-ge2.png)]
  3. Likewise, on the gesw interface select the main table. By setting "Make interface a member of a specific routing table" we make sure that ARP traffic will be handled in the correct routing table for each respective interface.
     [Figure: gesw Virtual Routing settings (vr-gesw.png)]
  4. Add and verify the routes in the main and incontrol routing tables; the gateway for the default route in the incontrol table will be the shared IP on the gesw interface.
     [Figure: Routes in the incontrol table (incontrol-table.png)]
     [Figure: Routes in the main table (main-table.png)]
  5. Configure the NetconMgmt object for Gateway Initiated and, for Outgoing Routing Table, select the incontrol table.
     [Figure: Netcon management settings (netconmgmt.png)]
  6. Make sure you have an IP policy NATing netcon traffic received on the gesw interface out on WAN, and don't forget to physically connect ge2 and gesw to the same broadcast domain.
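As an added example (not part of the original post or of cOS Core itself), the following Python model reproduces the two-table hairpin from steps 1 to 6 and lets you sanity-check a planned address layout before touching the cluster: ge2 in the incontrol table, gesw and WAN in main, the incontrol default route pointing at gesw's shared IP, and a NAT policy from gesw to WAN. All addresses, interface names other than ge2/gesw, and the function names are constructed assumptions.

```python
# Added example: model of the gateway-initiated netcon path across the two
# routing tables. Addresses below are constructed, not from a real cluster.
import ipaddress as ipa

INTERFACES = {  # interface -> (routing table it belongs to, shared IP/prefix)
    "ge2":  ("incontrol", "10.0.0.2/24"),     # initiating interface
    "gesw": ("main",      "10.0.0.1/24"),     # receiving interface
    "wan":  ("main",      "203.0.113.2/24"),  # the single public IP
}
ROUTES = {      # table -> list of (destination, interface, gateway or None)
    "incontrol": [("10.0.0.0/24", "ge2", None),
                  ("0.0.0.0/0", "ge2", "10.0.0.1")],        # gw = gesw shared IP
    "main":      [("10.0.0.0/24", "gesw", None),
                  ("203.0.113.0/24", "wan", None),
                  ("0.0.0.0/0", "wan", "203.0.113.1")],
}
NAT_POLICIES = [("gesw", "wan")]  # (source iface, dest iface) pairs that are NATed

def design_ok():
    """ge2 and gesw must share a subnet but live in different routing tables."""
    t2, ip2 = INTERFACES["ge2"]
    tw, ipw = INTERFACES["gesw"]
    same_net = ipa.ip_interface(ip2).network == ipa.ip_interface(ipw).network
    return same_net and t2 != tw

def lookup(table, dst):
    """Longest-prefix match in one table; returns (out_iface, gateway)."""
    best = None
    for net, iface, gw in ROUTES[table]:
        n = ipa.ip_network(net)
        if ipa.ip_address(dst) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface, gw)
    return (best[1], best[2]) if best else (None, None)

def trace_netcon(incontrol_ip, src_iface="ge2"):
    """Follow a netcon packet from the initiating interface; returns its hops."""
    table = INTERFACES[src_iface][0]
    out_iface, gw = lookup(table, incontrol_ip)
    path = [(src_iface, table, out_iface, gw)]
    # The next hop must be an IP owned by one of this node's own interfaces.
    receiver = next((i for i, (_, ip) in INTERFACES.items()
                     if gw and ipa.ip_interface(ip).ip == ipa.ip_address(gw)), None)
    if receiver is None:
        return path  # nothing on the node answers for the gateway: design broken
    table = INTERFACES[receiver][0]
    out_iface, gw = lookup(table, incontrol_ip)
    natted = (receiver, out_iface) in NAT_POLICIES
    path.append((receiver, table, out_iface, gw, "nat" if natted else "no-nat"))
    return path
```

Running trace_netcon("198.51.100.10") shows the packet leaving ge2 via the incontrol table towards 10.0.0.1, being received on gesw in main, and exiting WAN NATed; removing the NAT policy or putting ge2 in main makes the check fail, which mirrors why step 6 and the separate tables matter.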
