Mind Map: L3 Configuration

1. Dynamic 1-to-1 translation: public pool IP mapped to a bigger private pool IP

2. CLI verification

2.1. show running ippool

2.2. show running nat-policy

2.3. test nat-policy-match

3. Demo

3.1. Create DMZ server running HTTP service

3.2. Create loopback in FW

3.2.1. e.g. 10.10.10.1/32

3.3. Create manual route from Desktop to next hop unTrust interface

3.4. Test from unTrust

3.5. Leverage

3.5.1. Port forwarding

3.5.2. U-Turn NAT

4. not supported on Dynamic Interface

4.1. DHCP or PPPoE

5. Original Packet

5.1. Source Zone

5.2. Destination Zone

5.2.1. Depends on FIB decision

5.3. Destination Interface

5.4. Source Address

5.5. Destination Address

5.6. Service

6. Translated Packet

6.1. Source Translation

6.2. Destination Translation

6.2.1. Be careful with the post-NAT translated zone

6.2.1.1. Will be the zone configured on the security policy

7. IPv6 Feature

7.1. Capabilities

7.1.1. L3 interface

7.1.2. Static Routes in VR

7.1.3. ICMPv6

7.1.3.1. DHCPv6

7.1.4. ND

7.1.5. Dual Stack

7.1.6. SLAAC

7.1.7. RADIUS

7.2. Matrix

7.2.1. Not supported

7.2.1.1. Dynamic Routing

7.2.1.2. IPSec VPN

7.2.1.2.1. SSL VPN

7.2.2. Supported

7.2.2.1. IPv6 over IPv4 IPsec tunnel

7.3. IPv6 ND

7.3.1. DAD

7.3.1.1. Connections to PAN update server and BrightCloud server require IPv4

8. NAT Policy

9. OSPFv3

9.1. ECMP is not supported

9.2. No "clear"

9.3. One instance ID per OSPFv3 interface

9.4. Does not support fast-hellos

9.5. Comparison with OSPFv2

9.5.1. OSPFv3 supports Link-LSA and Intra-Area-Prefix LSA

9.5.2. Protocol Processing per-link not per-subnet

10. NAT

10.1. Source NAT

10.1.1. Used for internal users to access the internet

10.1.1.1. Dynamic IP/Port (PAT)

10.1.1.1.1. Multiple clients

10.1.1.1.2. assigned address

10.1.1.1.3. Source port is changed

10.1.1.2. Dynamic IP

10.1.1.2.1. Private source IP looks for an available public IP

10.1.1.2.2. Source port is unchanged

10.1.1.3. Static IP

10.1.1.3.1. 1-to-1 fixed translation

10.1.1.3.2. Source port unchanged

10.2. Destination NAT

10.2.1. provide external access to company public servers

10.2.1.1. static IP

10.2.1.2. Port Forwarding

10.2.1.2.1. single public IP

10.2.1.2.2. destination port can be directed to different destination ports

10.3. NAT64

10.4. Bidirectional NAT

10.5. Security policy

10.5.1. match

10.5.1.1. Pre-NAT IP address

10.5.1.2. post NAT zone

10.6. Flow Logic

11. Virtual Router

11.1. Routing instances in the FW for L3 routing functionality

11.1.1. Pre-configured: Default Virtual FW

11.2. L3 interface

11.2.1. assigned to 1 VR

11.3. Static Route

11.3.1. VRouter cannot have overlapping subnet allocation

11.3.1.1. Demo

11.3.1.1.1. Static Route to Another VR

11.3.1.1.2. Explanation on subnet cannot be duplicate

11.3.2. Next Hop IP

11.3.2.1. Interface

11.3.2.1.1. another VR

11.4. Dynamic Routing

11.4.1. RIPv4

11.4.2. BGPv4

11.4.3. OSPFv2

11.4.3.1. OSPFv3

11.5. PBF

11.5.1. Overrides forwarding decision on VR

11.5.2. Create condition

11.5.2.1. Source address

11.5.2.1.1. Destination Address

11.5.2.2. Source Zone

11.5.2.2.1. Destination application

11.5.2.3. Source User

11.5.2.3.1. Destination Service

11.5.3. Reverts to VR

11.5.3.1. If the PBF destination is unreachable

12. Interface Mgmt Profile

12.1. Network > Network Profiles > Interface Mgmt

12.2. ACL

12.2.1. Permitted IP address

13. L3 interfaces

13.1. Provide routing and NAT

13.1.1. Devices on the same Virtual Router use the same Routing Table

13.2. Flow Logic

13.2.1. PBF/Forwarding lookup

13.2.1.1. Consult Virtual Router RT

13.2.2. NAT Policy Evaluated

13.2.2.1. NAT is not applied yet

14. Service Route Configuration

14.1. Use a non-management (standard traffic) interface

14.1.1. To handle management traps

14.1.1.1. snmp

14.1.1.2. syslog

14.1.1.3. email, etc.

14.2. Device > Setup > Services

14.2.1. Service Features

14.3. DNS and NTP

14.3.1. NTP CLI

14.3.1.1. show ntp

14.3.1.2. show clock

14.3.1.3. debug software ntp

14.3.1.3.1. manually restart ntp process

15. DHCP

15.1. Server

15.1.1. Mode

15.1.1.1. Enable

15.1.1.2. Disable

15.1.1.3. Auto

15.1.1.3.1. Disables if another DHCP server is detected on the network

15.1.2. Can be used in IPsec tunnel

15.2. Relay

15.2.1. Forward to up to 4 DHCP servers

16. QoS

16.1. QoS Steps

16.1.1. 1. QoS Policy Rule

16.1.1.1. Policy

16.1.1.1.1. Identify traffic into class

16.1.2. 2. QoS Profile

16.1.2.1. Network > QoS Profile

16.1.2.2. Give class BW/Priority

16.1.2.2.1. Ex

16.1.3. 3. Apply QoS profile to Egress Interface

16.1.3.1. Network > QoS

16.1.3.2. QoS Interface

16.1.3.2.1. Clear Text Traffic

16.1.3.2.2. Tunneled Traffic

16.1.3.3. If we adjust configuration in the Tab, the physical interface configuration will not be used

16.1.4. 4. Apply the policy marking to MPLS provider (DSCP, IP Precedence) in the security policy

16.2. 4 Queues

16.2.1. Real-Time

16.2.2. High

16.2.3. Med

16.2.4. Low

16.3. QoS uses Hierarchical Fair Service Curve (HFSC)

16.4. Unassigned traffic goes to Class 4 (max 8 classes)