L3 Configuration


1. Dynamic 1-to-1 translation: a public IP pool mapped to a larger private IP pool

2. CLI verification

2.1. show running ippool

2.2. show running nat-policy

2.3. test nat-policy-match

3. Demo

3.1. Create DMZ server running http service

3.2. Create loopback in FW

3.2.1. e.g

3.3. Create a manual route on the desktop with the untrust interface as next hop

3.4. Test from the untrust side

3.5. Leverage

3.5.1. Port forwarding

3.5.2. uTurn NAT

4. Not supported on a dynamic interface

4.1. DHCP or PPPoE

5. Original Packet

5.1. Source Zone

5.2. Destination Zone

5.2.1. Depends on the FIB decision

5.3. Destination Interface

5.4. Source Address

5.5. Destination Address

5.6. Service

6. Translated Packet

6.1. Source Translation

6.2. Destination Translation

6.2.1. Be careful with the translated zone: the post-NAT destination zone is the zone that must be configured in the security policy

7. L3 interfaces

7.1. Provide routing and NAT

7.1.1. Devices on the same Virtual Router use the same Routing Table

7.2. Flow Logic

7.2.1. PBF/forwarding lookup: consults the virtual router's routing table

7.2.2. NAT policy evaluated (NAT is not applied yet)

8. Interface Mgmt Profile

8.1. Network > Network Profiles > Interface Mgmt

8.2. ACL

8.2.1. Permitted IP address

9. Service Route Configuration

9.1. Use a non-management (standard traffic) interface

9.1.1. To handle management traffic such as SNMP traps, syslog, email, etc.

9.2. Device > Setup > Services

9.2.1. Service Features

9.3. DNS and NTP

9.3.1. NTP CLI: show ntp, show clock, debug software ntp (manually restart the NTP process)

10. DHCP

10.1. Server

10.1.1. Mode: Enable / Disable / Auto (auto-disables if another DHCP server is detected on the network)

10.1.2. Can be used in IPsec tunnel

10.2. Relay

10.2.1. Forwards to up to 4 DHCP servers

11. Virtual Router

11.1. Routing instances in the FW for L3 routing functionality

11.1.1. Pre-configured: Default Virtual FW

11.2. L3 interface

11.2.1. Assigned to one VR

11.3. Static Route

11.3.1. A VR cannot have overlapping subnet allocations (demo: static route to another VR; explanation of why subnets cannot be duplicated)

11.3.2. Next hop: IP address, interface, or another VR

11.4. Dynamic Routing

11.4.1. RIPv4

11.4.2. BGPv4

11.4.3. OSPFv2 OSPFv3

11.5. PBF

11.5.1. Overrides forwarding decision on VR

11.5.2. Match conditions: source address, destination address, source zone, destination application, source user, destination service

11.5.3. Reverts to the VR if the PBF destination is unreachable

12. NAT

12.1. Source NAT

12.1.1. Used for internal users to access the internet

12.1.1.1. Dynamic IP/Port (PAT): multiple clients share an assigned address; source port is changed

12.1.1.2. Dynamic IP: private source IP is mapped to an available public IP; source port is unchanged

12.1.1.3. Static IP: 1-to-1 fixed translation; source port unchanged

12.2. Destination NAT

12.2.1. Provides external access to the company's public servers

12.2.1.1. Static IP

12.2.1.2. Port forwarding: with a single public IP, the destination port can be directed to different destination ports

12.3. Nat64

12.4. BiDirectional NAT

12.5. Security policy

12.5.1. Matches on the pre-NAT IP address and the post-NAT zone

12.6. Flow Logic

13. NAT Policy

14. IPv6 Feature

14.1. Capabilities

14.1.1. L3 interface

14.1.2. Static Routes in VR

14.1.3. ICMPv6 DHCPv6

14.1.4. ND

14.1.5. Dual Stack

14.1.6. SLAAC

14.1.7. Radius

14.2. Matrix

14.2.1. Not supported: dynamic routing, IPsec VPN, SSL VPN

14.2.2. Supported: IPv6 over an IPv4 IPsec tunnel

14.3. IPv6 ND

14.3.1. DAD

14.3.2. Connections to the PAN update server and BrightCloud server require IPv4

15. OSPFv3

15.1. ECMP is not supported

15.2. No "clear"

15.3. One instance ID per OSPFv3 interface

15.4. Does not support fast hellos

15.5. Comparison with OSPFv2

15.5.1. OSPFv3 supports Link-LSA and Intra-Area-Prefix-LSA

15.5.2. Protocol processing is per-link, not per-subnet

16. QoS

16.1. QoS Steps

16.1.1. 1. QoS policy rule (Policy): classifies traffic into a class

16.1.2. 2. QoS profile (Network > QoS Profile): gives each class bandwidth/priority

16.1.3. 3. Apply the QoS profile to the egress interface (Network > QoS): the QoS interface has separate settings for clear-text traffic and tunneled traffic; if configuration is adjusted in that tab, the physical interface configuration is not used

16.1.4. 4. Apply the policy marking for the MPLS provider (DSCP, IP Precedence) in the security policy

16.2. 4 Queues

16.2.1. Real-Time

16.2.2. High

16.2.3. Med

16.2.4. Low

16.3. QoS uses Hierarchical Fair Service Curve (HFSC)

16.4. Unassigned traffic goes to class 4 (max 8 classes)