Preparing the Sentriant CE150 for Operation: Module 7 (Training Sample)

© 2006 Extreme Networks, Inc. All rights reserved. Module 7 Preparing the Sentriant CE150 for Operation

Upload: content-rules-inc

Post on 20-Aug-2015


Description

This module provides the necessary information and steps to prepare the Sentriant CE150 for operation (excluding the security policies).

It explains how to configure the Sentriant CE150 local and remote port settings.

• It reviews the local port ARP vs. MAC resolution mechanism.

• It explains how to configure the remote port in a router vs. non-router environment.


Objectives

Upon completion of this module the successful student will be able to:

• Configure the local and remote ports on the Sentriant CE150.

• Understand when to use ARP vs. MAC to resolve Layer 2 MAC addressing on the local port.

• Know how to configure the remote port with IKE negotiation within a subnet vs. in a routed network.


Sentriant CE150 Network Data Interfaces

The network data interfaces are labeled as the Remote and Local ports.

• The local port connects to the trusted, local side of the network.

• The remote port connects to the untrusted network, which is typically a WAN, campus LAN, or MAN.

• There are two components to configure for each interface: the data port IP address and default gateway.

[Figure labels: Remote port to Untrusted Network; Layer 3; Local port to Trusted Network; Switch.]


Local Port IP Address

To set the local port IP address:

1. At the config> prompt, type interface local.

2. At the config-ifLocal> prompt, type ip address <ip address> [subnet mask]

Note: The subnet mask defaults to 255.255.255.0.

The example below sets the local port IP address.

• ops> con t

• config> int local

• config-ifLocal> ip address 192.168.10.150 255.255.255.0

• config-ifLocal> exit

• config> exit

• ops> copy s n

• ops> reboot


Local Default Gateway MAC Resolution Options

The method that the Sentriant CE150 appliance uses to resolve Layer 2 MAC addresses depends on your network configuration.

Three common scenarios are:

• Two Sentriant CE150s are connected back-to-back, with no router between them (none)

• The Sentriant CE150 local port is connected to a Layer 2 switch (ARP)

• The Sentriant CE150 local port is connected to a router (gateway)


Two Sentriant CE150 Appliances Connected Back-to-Back

[Figure: Sentriant CE150 #1 and Sentriant CE150 #2 connected back-to-back. Labels: Local Port 192.168.144.150; Remote Port 192.168.144.130; Remote Port 192.168.144.125; Local Port 192.168.144.155; 192.168.144.140; 192.168.144.175.]

The remote ports of Sentriant CE150 #1 and Sentriant CE150 #2 are on the same subnet.

The routers resolve the Layer 2 MAC address of the destination stations, and traffic simply flows through the appliances.

In this scenario, the macAddrResolutionMechanism command should be set to none.


When to Configure the Sentriant CE150 Local Port for ARP

The Sentriant CE150 local port is connected to a switch, which is on the same subnet as the Sentriant CE150 local port.

The Sentriant CE150 can send an ARP request to resolve MAC addresses for stations on its local port side.

In this case, the macAddrResolutionMechanism command takes the arp attribute.

[Figure: Sentriant CE150 #1 and Sentriant CE150 #2 with Layer 2 Switch #1 and Layer 2 Switch #2. Labels: Station S1 192.168.144.175; Station S2 192.168.154.175; Local Port 192.168.144.150; Local Port 192.168.154.150; Remote Port 192.168.144.125; Remote Port 192.168.154.125; Router Access Port 192.168.144.100; Router Access Port 192.168.154.100.]


When to Configure the Sentriant CE150 Local Port for Gateway

The local port of Sentriant CE150 #2 is connected to Router R4.

To send packets to Station S2, Sentriant CE150 #2 uses the gateway attribute to identify the IP address of the default gateway (Router R4’s WAN port, 192.168.154.175).

The Sentriant CE150 #2 sends all packets to the specified gateway, which then forwards the packets to the destination.

[Figure: routed network with Sentriant CE150 #1 and Sentriant CE150 #2. Labels: Station S1 192.168.174.125; Station S2 192.168.144.125; Local Port 192.168.144.150; Local Port 192.168.154.150; Remote Port 192.168.144.125; Remote Port 192.168.154.125; Router R1 WAN Port 192.168.144.175; Router R2 192.168.144.100; Router R3 192.168.154.100; Router R4 WAN Port 192.168.154.175; Router Local Port 192.168.174.1; Router Local Port 192.168.164.1.]


Configuring the MAC Resolution Mechanism on the local interface

To set the local port MAC resolution:

1. At the config-ifLocal> prompt, type macAddrResolutionMechanism none | {arp | gateway <ip address> [sourceMac | noSource]}

sourceMac: Uses the local port MAC address as the source MAC address in decrypted packets.

noSource: Uses the MAC address that is already on the incoming packet instead of the local port source MAC address.

2. Type exit to return to configuration mode.

This example configures the Sentriant CE150 #2 local port for gateway.

config> int local

config-ifLocal> macAddrResolutionMechanism gateway 192.168.154.175

config-ifLocal> exit

This command requires a reboot to take effect.


Configuring the Sentriant CE150 Remote Port IP Address

The remote port IP address identifies the untrusted network.

Changing the remote port IP address directly affects the IPSec policies. Previously configured policies will not recognize the new remote port IP address until the appliance is rebooted.

To set the remote port IP address:

1. At the config> prompt type interface remote

2. At the config-ifRemote> prompt, type ip address <ip address> [subnet mask]

The example below sets the remote port IP address.

1. ops> con t

2. config> int remote

3. config-ifRemote> ip address 192.168.144.125 255.255.255.0

4. config-ifRemote> exit

5. config> exit

6. ops> copy s n

7. ops> reboot


Configuring the Default Gateway

When you configure an ikeDefaultGateway IP address, the Sentriant CE150 uses the remote port MAC address as the source MAC address in encrypted packets.

To set the remote interface default gateway:

1. At the config-ifRemote> prompt, type ikeDefaultGateway none | <ip address> [sourceMAC | noSource]

ip address: The IP address of the router’s local access port. It must match the subnet of the remote port IP address.

none: Removes a previously configured ikeDefaultGateway IP address.

sourceMAC: Uses the remote port MAC address as the source MAC address in encrypted packets.

noSource: Uses the MAC address that is already on the incoming packet instead of the remote port source MAC address.

2. Type exit to return to configuration mode.

This command requires a reboot to take effect.


Remote Default Gateway: Sentriants on a Single Subnet

The remote ports of the two Sentriant CE150 appliances, Sentriant CE150 #1 and Sentriant CE150 #2, are on the same subnet with no routers between them.

Sentriant CE150 #1, which is the IKE negotiation initiator, is able to send packets directly to Sentriant CE150 #2 to start the IKE negotiation.

No configuration is needed to support this scenario.

[Figure: Sentriant CE150 #1 and Sentriant CE150 #2 on a single subnet. Labels: Local Port 192.168.144.150; Remote Port 192.168.144.130; Remote Port 192.168.144.125; Local Port 192.168.144.155; 192.168.144.140; 192.168.144.175.]


Remote Default Gateway: Sentriants on a Routed Network

In this scenario, there is a router between the initiating Sentriant CE150 (Sentriant CE150 #1) and the WAN. The ikeDefaultGateway command on Sentriant CE150 #1 specifies Router R2’s local router port IP address, 192.168.144.100. In this way the Sentriant CE150 #1 uses the router network to forward packets to peer Sentriant CE150 #2.

The Sentriant CE150 #2 specifies the Router R3 local access port, 192.168.154.100, as the default gateway to use to forward packets to Sentriant CE150 #1.

[Figure: routed network with Sentriant CE150 #1 and Sentriant CE150 #2. Labels: Station S1 192.168.174.125; Station S2 192.168.144.125; Local Port 192.168.144.150; Local Port 192.168.154.150; Remote Port 192.168.144.125; Remote Port 192.168.154.125; Router R1 WAN Port 192.168.144.175; Router R2 192.168.144.100; Router R3 192.168.154.100; Router R4 WAN Port 192.168.154.175; Router Local Port 192.168.174.1; Router Local Port 192.168.164.1.]


Remote Default Gateway: Routed Network Example

This example configures the remote default gateway on Sentriant CE150 #1, shown in the routed network on the previous slide.

• ops> con t

• config> int remote

• config-ifRemote> ikeDefaultGateway 192.168.144.100

• config-ifRemote> exit

• config> exit

• ops> copy s n

• ops> reboot

NOTE: You must set the local port macAddrResolutionMechanism to arp or gateway before setting the remote port ikeDefaultGateway IP address.
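The two constraints this module places on ikeDefaultGateway (the gateway must be in the remote port's subnet, and the local port mechanism must already be arp or gateway) can be checked before a change is pushed to an appliance. The following is an added example, not Extreme Networks code: lint_ce150 is a hypothetical helper, the command sequences are constructed from the slide addresses, and it assumes the 255.255.255.0 default mask also applies to the remote port and that an unset mechanism behaves like none.

```python
import ipaddress

DEFAULT_MASK = "255.255.255.0"  # stated default for the local port; assumed for remote too

def lint_ce150(commands):
    """Check an ordered list of config-mode commands; return a list of findings."""
    findings, ctx, net = [], None, {}   # net: interface name -> data port subnet
    local_mech = "none"                 # assumption: unset behaves like 'none'
    for n, raw in enumerate(commands, 1):
        tok = raw.split()
        if not tok:
            continue
        cmd = tok[0].lower()
        if cmd in ("int", "interface") and len(tok) > 1:
            ctx = tok[1].lower()        # entering config-ifLocal / config-ifRemote
        elif cmd == "exit":
            ctx = None
        elif cmd == "ip" and ctx and len(tok) >= 3:
            mask = tok[3] if len(tok) > 3 else DEFAULT_MASK
            net[ctx] = ipaddress.ip_network(f"{tok[2]}/{mask}", strict=False)
        elif cmd == "macaddrresolutionmechanism" and ctx == "local" and len(tok) > 1:
            local_mech = tok[1].lower()
        elif cmd == "ikedefaultgateway" and ctx == "remote" and len(tok) > 1:
            if tok[1].lower() == "none":
                continue                # removing the gateway needs no checks
            gw = ipaddress.ip_address(tok[1])
            if local_mech not in ("arp", "gateway"):
                findings.append(f"line {n}: ikeDefaultGateway set before local "
                                "macAddrResolutionMechanism is arp or gateway")
            if "remote" not in net:
                findings.append(f"line {n}: cannot verify subnet, remote port IP not set")
            elif gw not in net["remote"]:
                findings.append(f"line {n}: gateway {gw} is outside remote subnet {net['remote']}")
    return findings

# Constructed sample sequences (addresses taken from the routed-network slide).
GOOD = ["int local", "ip address 192.168.144.150", "macAddrResolutionMechanism arp", "exit",
        "int remote", "ip address 192.168.144.125 255.255.255.0",
        "ikeDefaultGateway 192.168.144.100", "exit"]
BAD = ["int remote", "ip address 192.168.144.125 255.255.255.0",
       "ikeDefaultGateway 192.168.154.100", "exit"]

if __name__ == "__main__":
    for name, seq in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_ce150(seq) or "ok")
```

The BAD sequence trips both checks: the local mechanism was never set, and Router R3's address is not on the 192.168.144.0/24 remote subnet.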


Summary

This module provided the necessary information and steps to prepare the Sentriant CE150 for operation.

It explained how to configure the Sentriant CE150 local and remote port settings.

• It reviewed the local port ARP vs. MAC resolution mechanism.

• It explained how to configure the remote port in a router vs. non-router environment.


Summary continued

You should now be able to:

• Configure the local and remote ports on the Sentriant CE150.

• Understand when to use ARP vs. MAC to resolve Layer 2 MAC addressing on the local port.

• Configure the remote port with IKE negotiation within a subnet vs. in a routed network.


End of Module Review

5 Minutes