Transparent forwarding of VLANs or VLAN trunks

Tomas
Posts: 34
Joined: 15 Sep 2008, 15:57
Location: Clavister HQ - Örnsköldsvik


Post by Tomas » 14 Apr 2014, 09:40

This How-to applies to:
  • Clavister Security Gateway 10.x.
This document is a quick guide to setting up a test configuration that forwards traffic in separate VLANs transparently (switch route), keeping the VLANs apart by giving each one its own routing table.

Table of contents
  • Objectives with this article
  • Configuring Transparent forwarding of VLANs or VLAN trunks
  • Scripting
  • Performance
Objectives with this article
Transparent forwarding of VLANs or VLAN trunks.
If you try to forward several VLANs in the same routing table by using switch routes, you will quickly realize that you have broken the VLAN separation: every VLAN can communicate with every other VLAN... Not an ideal situation!

The solution is to keep the VLANs separated in the Clavister Security Gateway and that is done by handling them separately in their own routing table. There are a few things to keep in mind to make it work properly, and that is where this article steps in.


Configuring Transparent forwarding of VLANs or VLAN trunks

What you need to do is create a separate, Ordering Only, routing table for each VLAN you want to forward.

Assign both VLANs, one on the inbound Ethernet interface and one on the outbound Ethernet interface, to this routing table (the setting has been called "routing table membership" or "PBR membership" in different versions).

Set up a switch route on each of the two interfaces. If you know the addresses that will flow, say a /24 network, using that network as the route's Network gives the best performance. If you have to use All-Nets, because you either don't know the network used or the VLAN is used for Internet access, the routing table will fill with single host routes for each address it learns; it soon becomes very big and therefore slow to query.

Set up IP Rules between the VLANs.

If you need to set up many VLANs, first check the license parameters: "Number of VLANs/Virtual Interfaces" must be at least double (2x) the number of actual VLANs (one in, one out), and "Virtual Routers" must have room for all the routing tables.

Scripting
If you need to set up many VLANs (10+), look at the attached script for creating the necessary components. Note that it currently uses all-nets for the routing, which is not ideal.

Before you run the script, please modify the file "add_vlan.sgs" so that the Ethernet interface names match the names currently used on your Clavister device. To be exact, the parameters "BaseInterface=wan_ge6" and "BaseInterface=lan_ge1" must be adjusted to point to your inbound and outbound Ethernet interfaces. They could be made script parameters in a future release of this article...

Note that High Availability clustering (HA) is not supported, because Switch Route is used here. To use HA, you need Proxy ARP instead of Switch Route; adjust the contents of the "add_vlan.sgs" file to match your requirements.

Usage
Extract the attached "VLAN_Trunk_script.7z" file using 7-zip (http://www.7-zip.com). It contains all the files needed. I extracted it to D:\script in the examples below.

From the Command prompt in Windows (cmd):
D:\script\> createvr.bat <start_vlan_#> <end_vlan_#> <IP/FQDN of Clavister> <password of Clavister>

The file output.txt contains error output information from the Clavister, e.g. if too many Routing tables have been created, compared to what the License allows etc.

Example:
D:\script\> createvr.bat 5 25 192.168.1.1 admin
This will create VLANs 5, 6, 7, …, 24, 25 along with their routing tables and IP Rules etc.

When it is finished, open the WebUI and check that everything looks okay. Save & Activate when you are satisfied. Double check that all VLANs have been created properly, as have the Routing Tables and IP Rules.

Note that all IP Rules are added with an Index given by the formulas (VLAN_ID*2) and (VLAN_ID*2+1), so VLAN_5 gets its two rules at index 10 and 11, etc... Make sure that no Drop All IP Rule is placed above them!

If you create a VLAN that already exists, you will end up with duplicate IP Rules: the newest ones get the Index from the formula above and the old ones are pushed down, so you should delete the old ones manually. This can be a lot of work if you have many VLANs, so use the script with caution and planning please.

If your configuration looks faulty, just issue "Configuration > Discard changes" (CLI: reject -all), adjust your input parameters or the script, and try again.


Performance

If you have a VLAN Trunk (many VLANs, up to 4096 of them) to forward, you can easily spread the load over multiple Clavisters, by assigning a subset of VLANs to each of them and route the traffic accordingly.

To clarify: E.g. VLANs 0-2047 are handled by one device, and 2048-4096 by a second device. This division of labour can of course continue up to having 4096 Clavisters running in parallel...


Creating VLANs:
I created 250 VLANs and I noticed at the end that creating them was slower and slower. It took about 2 minutes to create all of them on a fast appliance (Similar to Wolf 5).
RAM:
Before, it used 240 MB of RAM (of 2 GB). With 250 VLANs/Routing Tables it used 270 MB of RAM (of 2 GB). A very small increase!
Traffic:
The performance has been tested to some extent and you can expect around 3-4 Gbps from a Wolf 5, but the number of VLANs, the traffic mix and the features in use (Antivirus, Application Control, etc.) will of course give you a higher or lower result.
Attachments
VLAN_Trunk_script.7z

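The per-VLAN objects this how-to describes (one Ordering Only routing table per VLAN, an inbound and an outbound VLAN interface as members of that table, a switch route on each, and two IP Rules at index VLAN_ID*2 and VLAN_ID*2+1) lend themselves to a dry-run check before anything is pushed to the gateway. The Python below is an added example, not the attached createvr.bat/add_vlan.sgs and not Clavister code: it builds the plan for a VLAN range, computes the license need (2x VLAN interfaces, one routing table per VLAN), flags VLAN IDs that already exist (which would leave duplicate IP Rules), and reports which VLANs would be shadowed by a Drop All rule sitting above them. The object names (vr_N, vlanN_in, vlanN_out) and the rendered text template are assumptions; the actual CLI syntax must be taken from add_vlan.sgs. The base interface names default to the lan_ge1/wan_ge6 used in the article.

```python
"""Dry-run planner for transparent VLAN forwarding (added example, not the
attached script). Field names and the rendered template are assumptions."""
from dataclasses import dataclass

VLAN_MIN, VLAN_MAX = 1, 4094      # usable 802.1Q IDs; 0 and 4095 are reserved


@dataclass
class VlanPlan:
    vlan_id: int
    routing_table: str            # one "Ordering Only" table per VLAN
    inbound_if: str               # VLAN sub-interface on the inbound Ethernet
    outbound_if: str              # VLAN sub-interface on the outbound Ethernet
    routes: list                  # (interface, network) switch routes
    ip_rules: list                # (index, name, src_if, dst_if)


def rule_indexes(vlan_id):
    """Index pair the article's script uses: VLAN_ID*2 and VLAN_ID*2+1."""
    return vlan_id * 2, vlan_id * 2 + 1


def plan_vlan(vlan_id, base_in="lan_ge1", base_out="wan_ge6", network="all-nets"):
    """Objects for one VLAN: table, two VLAN interfaces, two switch routes, two rules."""
    vin, vout = f"vlan{vlan_id}_in", f"vlan{vlan_id}_out"   # assumed names
    lo, hi = rule_indexes(vlan_id)
    return VlanPlan(
        vlan_id=vlan_id,
        routing_table=f"vr_{vlan_id}",                       # assumed name
        inbound_if=f"{vin}@{base_in}",
        outbound_if=f"{vout}@{base_out}",
        routes=[(vin, network), (vout, network)],
        ip_rules=[(lo, f"vlan{vlan_id}_in_out", vin, vout),
                  (hi, f"vlan{vlan_id}_out_in", vout, vin)],
    )


def build_plan(start, end, existing_vlans=(), **kw):
    """Plans for start..end inclusive, plus the IDs that already exist
    (re-creating those leaves duplicate IP Rules, as the article warns)."""
    if not (VLAN_MIN <= start <= end <= VLAN_MAX):
        raise ValueError(f"VLAN range must lie within {VLAN_MIN}..{VLAN_MAX}")
    wanted = range(start, end + 1)
    duplicates = sorted(set(wanted) & set(existing_vlans))
    return [plan_vlan(v, **kw) for v in wanted], duplicates


def license_need(plans):
    """(VLAN interfaces, routing tables) the license must allow:
    two VLAN interfaces (in + out) and one routing table per VLAN."""
    return 2 * len(plans), len(plans)


def check_license(plans, max_vlan_interfaces, max_virtual_routers):
    """Shortfalls against the two license parameters named in the article."""
    need_if, need_rt = license_need(plans)
    problems = []
    if need_if > max_vlan_interfaces:
        problems.append(f"need {need_if} VLAN interfaces, license allows {max_vlan_interfaces}")
    if need_rt > max_virtual_routers:
        problems.append(f"need {need_rt} routing tables, license allows {max_virtual_routers}")
    return problems


def shadowed_by_drop_all(plans, drop_all_index):
    """VLANs with a generated rule at or below a Drop All rule at
    drop_all_index; those rules would never match."""
    return [p.vlan_id for p in plans
            if any(idx >= drop_all_index for idx, *_ in p.ip_rules)]


def render(plans):
    """Textual plan, one line per object (assumed template, not CLI syntax)."""
    lines = []
    for p in plans:
        lines.append(f"RoutingTable {p.routing_table} Ordering=Only")
        lines.append(f"VLAN {p.inbound_if} member={p.routing_table}")
        lines.append(f"VLAN {p.outbound_if} member={p.routing_table}")
        for iface, net in p.routes:
            lines.append(f"SwitchRoute table={p.routing_table} interface={iface} network={net}")
        for idx, name, src, dst in p.ip_rules:
            lines.append(f"IPRule index={idx} name={name} src={src} dst={dst} action=Allow")
    return lines


if __name__ == "__main__":
    # Same range as the article's example; VLAN 7 is pretended to exist already.
    plans, dups = build_plan(5, 25, existing_vlans=[7])
    print("\n".join(render(plans[:1])))
    print("license need (VLAN interfaces, routing tables):", license_need(plans))
    print("already existing, would give duplicate rules:", dups)
    print("shadowed if a Drop All rule sits at index 21:", shadowed_by_drop_all(plans, 21))
```

Run it before the real script to see how many VLAN interfaces and routing tables the license must cover and where the generated IP Rules will land; if the Drop All check lists any VLANs, move the Drop All rule below the highest generated index first.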