L3 Configuration


1. Dynamic 1-to-1 translation: a public pool of IPs mapped to a larger private pool of IPs

2. CLI verification

2.1. show running ippool

2.2. show running nat-policy

2.3. test nat-policy-match

3. Demo

3.1. Create DMZ server running http service

3.2. Create loopback in FW

3.2.1. e.g. 10.10.10.1/32

3.3. Create a manual route from the desktop with the unTrust interface as next hop

3.4. Test from unTrust

3.5. Leverage

3.5.1. Port forwarding

3.5.2. U-Turn NAT

4. Not supported on dynamic interfaces

4.1. DHCP or PPPoE

5. Original Packet

5.1. Source Zone

5.2. Destination Zone

5.2.1. Depends on the FIB (forwarding) decision

5.3. Destination Interface

5.4. Source Address

5.5. Destination Address

5.6. Service

6. Translated Packet

6.1. Source Translation

6.2. Destination Translation

6.2.1. Be careful with the post-NAT (translated) zone

6.2.1.1. It is the zone that must be configured in the security policy

7. L3 interfaces

7.1. Provide routing and NAT

7.1.1. Devices on the same Virtual Router use the same Routing Table

7.2. Flow Logic

7.2.1. PBF/Forwarding lookup

7.2.1.1. Consult Virtual Router RT

7.2.2. NAT Policy Evaluated

7.2.2.1. NAT is not applied yet

8. Interface Mgmt Profile

8.1. Network > Network Profiles > Interface Mgmt

8.2. ACL

8.2.1. Permitted IP address

9. Service Route Configuration

9.1. Use a non-management (standard data) interface

9.1.1. To carry management traffic such as traps

9.1.1.1. snmp

9.1.1.2. syslog

9.1.1.3. email, etc.

9.2. Device > Setup > Services

9.2.1. Service Features

9.3. DNS and NTP

9.3.1. NTP CLI

9.3.1.1. show ntp

9.3.1.2. show clock

9.3.1.3. debug software ntp

9.3.1.3.1. Manually restarts the NTP process

10. DHCP

10.1. Server

10.1.1. Mode

10.1.1.1. Enable

10.1.1.2. Disable

10.1.1.3. Auto

10.1.1.3.1. Disabled if another DHCP server is detected on the network

10.1.2. Can be used in IPsec tunnel

10.2. Relay

10.2.1. Forwards to up to 4 DHCP servers

11. Virtual Router

11.1. Routing instances in the FW providing L3 routing functionality

11.1.1. Pre-configured: Default Virtual Router

11.2. L3 interface

11.2.1. Assigned to exactly one VR

11.3. Static Route

11.3.1. A VR cannot have overlapping subnet allocations

11.3.1.1. Demo

11.3.1.1.1. Static Route to Another VR

11.3.1.1.2. Explanation of why subnets cannot be duplicated

11.3.2. Next Hop IP

11.3.2.1. Interface

11.3.2.1.1. another VR

11.4. Dynamic Routing

11.4.1. RIPv4

11.4.2. BGPv4

11.4.3. OSPFv2

11.4.3.1. OSPFv3

11.5. PBF

11.5.1. Overrides the forwarding decision of the VR

11.5.2. Match conditions

11.5.2.1. Source address

11.5.2.1.1. Destination Address

11.5.2.2. Source Zone

11.5.2.2.1. Destination application

11.5.2.3. Source User

11.5.2.3.1. Destination Service

11.5.3. Reverts to the VR

11.5.3.1. If the PBF destination is unreachable

12. NAT

12.1. Source NAT

12.1.1. Used for internal users to access the internet

12.1.1.1. Dynamic IP/Port (PAT)

12.1.1.1.1. Multiple clients

12.1.1.1.2. Assigned address

12.1.1.1.3. Source port is changed

12.1.1.2. Dynamic IP

12.1.1.2.1. A private source IP takes the next available public IP

12.1.1.2.2. Source port is unchanged

12.1.1.3. Static IP

12.1.1.3.1. 1-to-1 fixed translation

12.1.1.3.2. Source port unchanged

12.2. Destination NAT

12.2.1. Provides external access to the company's public servers

12.2.1.1. static IP

12.2.1.2. Port Forwarding

12.2.1.2.1. single public IP

12.2.1.2.2. Destination ports can be redirected to different destination ports

12.3. NAT64

12.4. Bidirectional NAT

12.5. Security policy

12.5.1. Match

12.5.1.1. Pre-NAT IP address

12.5.1.2. Post-NAT zone

12.6. Flow Logic

13. NAT Policy

14. IPv6 Feature

14.1. Capabilities

14.1.1. L3 interface

14.1.2. Static Routes in VR

14.1.3. ICMPv6

14.1.3.1. DHCPv6

14.1.4. ND

14.1.5. Dual Stack

14.1.6. SLAAC

14.1.7. RADIUS

14.2. Matrix

14.2.1. Not supported

14.2.1.1. Dynamic Routing

14.2.1.2. IPsec VPN

14.2.1.2.1. SSL VPN

14.2.2. Supported

14.2.2.1. IPv6 over IPv4 IPsec tunnel

14.3. IPv6 ND

14.3.1. DAD

14.3.1.1. Connections to the PAN update server and the BrightCloud server require IPv4

15. OSPFv3

15.1. ECMP is not supported

15.2. No "clear"

15.3. One instance ID per OSPFv3 interface

15.4. Does not support fast hellos

15.5. Comparison with OSPFv2

15.5.1. OSPFv3 supports Link-LSA and Intra-Area-Prefix-LSA

15.5.2. Protocol processing is per-link, not per-subnet

16. QoS

16.1. QoS Steps

16.1.1. 1. QoS Policy Rule

16.1.1.1. Policy

16.1.1.1.1. Classifies traffic into a class

16.1.2. 2. QoS Profile

16.1.2.1. Network > QoS Profile

16.1.2.2. Gives each class bandwidth/priority

16.1.2.2.1. Example

16.1.3. 3. Apply QoS profile to Egress Interface

16.1.3.1. Network > QoS

16.1.3.2. QoS Interface

16.1.3.2.1. Clear Text Traffic

16.1.3.2.2. Tunneled Traffic

16.1.3.3. If the configuration is adjusted in this tab, the physical interface configuration is not used

16.1.4. 4. Apply the policy marking for the MPLS provider (DSCP, IP Precedence) in the security policy

16.2. 4 Queues

16.2.1. Real-Time

16.2.2. High

16.2.3. Med

16.2.4. Low

16.3. QoS uses Hierarchical Fair Service Curve (HFSC)

16.4. Unassigned traffic goes to class 4 (max 8 classes)