Preparing the Sentriant CE150 for Operation: Module 7 - Training Sample

Sample of training materials produced by Content Rules Inc. for Extreme Networks.

  1. Module 7: Preparing the Sentriant CE150 for Operation
     © 2006 Extreme Networks, Inc. All rights reserved.
  2. Description
     This module provides the necessary information and steps to prepare the Sentriant CE150 for operation (excluding the security policies).
     • It explains how to configure the Sentriant CE150 local and remote port settings.
     • It reviews the local port ARP vs. MAC resolution mechanism.
     • It explains how to configure the remote port in a router vs. non-router environment.
  3. Objectives
     Upon completion of this module the successful student will be able to:
     • Configure the local and remote ports on the Sentriant CE150.
     • Understand when to use ARP vs. MAC to resolve Layer 2 MAC addressing on the local port.
     • Know how to configure the remote port with IKE negotiation within a subnet vs. in a routed network.
  4. Sentriant CE150 Network Data Interfaces
     [Diagram: Sentriant CE150 with its remote port to the untrusted network and its local port to the trusted network; a Layer 3 switch is also shown.]
     The network data interfaces are labeled as the Remote and Local ports.
     • The local port connects to the trusted, local side of the network.
     • The remote port connects to the untrusted network, which is typically a WAN, campus LAN, or MAN.
     • There are two components to configure for each interface: the data port IP address and default gateway.
  5. Local Port IP Address
     To set the local port IP address:
     1. At the config> prompt, type interface local.
     2. At the config-ifLocal> prompt, type ip address <ip address> [subnet mask]
     Note: The subnet mask defaults to 255.255.255.0.
     The example below sets the local port IP address.
         ops> con t
         config> int local
         config-ifLocal> ip address 192.168.10.150 255.255.255.0
         config-ifLocal> exit
         config> exit
         ops> copy s n
         ops> reboot
  6. Local Default Gateway MAC Resolution Options
     The method that the Sentriant CE150 appliance uses to resolve Layer 2 MAC addresses depends on your network configuration. Three common scenarios are:
     • Two Sentriant CE150s are connected back-to-back, with no router between them (none)
     • The Sentriant CE150 local port is connected to a Layer 2 switch (ARP)
     • The Sentriant CE150 local port is connected to a router (gateway)
  7. Two Sentriant CE150 Appliances Connected Back-to-Back
     [Diagram: Sentriant CE150 #1 (local port 192.168.144.150, remote port 192.168.144.125) connected to Sentriant CE150 #2 (local port 192.168.144.155, remote port 192.168.144.130). The diagram also shows the addresses 192.168.144.175 and 192.168.144.140.]
     The remote ports of Sentriant CE150 #1 and Sentriant CE150 #2 are on the same subnet. The routers resolve the Layer 2 MAC address of the destination stations, and traffic simply flows through the appliances.
     In this scenario, the macAddrResolutionMechanism command should be set to none.
  8. When to Configure the Sentriant CE150 Local Port for ARP
     [Diagram labels:
       Station S1 192.168.144.175; Layer 2 Switch #1; Router Access Port 192.168.144.100
       Sentriant CE150 #1: Local Port 192.168.144.150, Remote Port 192.168.144.125
       Station S2 192.168.154.175; Layer 2 Switch #2; Router Access Port 192.168.154.100
       Sentriant CE150 #2: Remote Port 192.168.154.125, Local Port 192.168.154.150]
     The Sentriant CE150 local port is connected to a switch, which is on the same subnet as the Sentriant CE150 local port. The Sentriant CE150 can send an ARP request to resolve MAC addresses for stations on its local port side.
     In this case, the macAddrResolutionMechanism command takes the arp attribute.
  9. When to Configure the Sentriant CE150 Local Port for Gateway
     [Diagram labels:
       Station S1 192.168.174.125; Router Local Port 192.168.174.1
       Station S2 192.168.144.125; Router Local Port 192.168.164.1
       Router R1 WAN Port 192.168.144.175; Router R4 WAN Port 192.168.154.175
       Sentriant CE150 #1: Remote Port 192.168.144.125, Local Port 192.168.144.150; Router R2 192.168.144.100
       Sentriant CE150 #2: Remote Port 192.168.154.125, Local Port 192.168.154.150; Router R3 192.168.154.100]
     The local port of Sentriant CE150 #2 is connected to Router R4. To send packets to Station S2, Sentriant CE150 #2 uses the gateway attribute to identify the IP address of the default gateway (Router R4’s WAN port, 192.168.154.175).
     The Sentriant CE150 #2 sends all packets to the specified gateway, which then forwards the packets to the destination.
  10. Configuring the MAC Resolution Mechanism on the Local Interface
      To set the local port MAC resolution:
      1. At the config-ifLocal> prompt, type macAddrResolutionMechanism none | {arp | gateway <ip address> [sourceMac | noSource]}
         sourceMac: Uses the local port MAC address as the source MAC address in decrypted packets.
         noSource: Uses the MAC address that is already on the incoming packet instead of the local port source MAC address.
      2. Type exit to return to configuration mode.
      This example configures the Sentriant CE150 #2 local port for gateway.
          config> int local
          config-ifLocal> macAddrResolutionMechanism gateway 192.168.154.175
          config-ifLocal> exit
      This command requires a reboot to take effect.
  11. Configuring the Sentriant CE150 Remote Port IP Address
      The remote port IP address identifies the untrusted network. Changing the remote port IP address directly affects the IPSec policies. Previously configured policies will not recognize the new remote port IP address until the appliance is rebooted.
      To set the remote port IP address:
      1. At the config> prompt, type interface remote
      2. At the config-ifRemote> prompt, type ip address <ip address> [subnet mask]
      The example below sets the remote port IP address.
          ops> con t
          config> int remote
          config-ifRemote> ip address 192.168.144.125 255.255.255.0
          config-ifRemote> exit
          config> exit
          ops> copy s n
          ops> reboot
  12. Configuring the Default Gateway
      When you configure an ikeDefaultGateway IP address, the Sentriant CE150 uses the remote port MAC address as the source MAC address in encrypted packets.
      To set the remote interface default gateway:
      1. At the config-ifRemote> prompt, type ikeDefaultGateway none | <ip address> [sourceMAC | noSource]
         ip address: The IP address of the router’s local access port must match the subnet of the remote port IP address.
         ikeDefaultGateway none: Removes a previously configured ikeDefaultGateway IP address.
         sourceMAC: Uses the remote port MAC address as the source MAC address in encrypted packets.
         noSource: Uses the MAC address that is already on the incoming packet instead of the remote port source MAC address.
      2. Type exit to return to configuration mode.
      This command requires a reboot to take effect.
  13. Remote Default Gateway: Sentriants on a Single Subnet
      [Diagram: Sentriant CE150 #1 (local port 192.168.144.150, remote port 192.168.144.125) connected to Sentriant CE150 #2 (local port 192.168.144.155, remote port 192.168.144.130). The diagram also shows the addresses 192.168.144.175 and 192.168.144.140.]
      The remote ports of the two Sentriant CE150 appliances, Sentriant CE150 #1 and Sentriant CE150 #2, are on the same subnet with no routers between them.
      Sentriant CE150 #1, which is the IKE negotiation initiator, is able to send packets directly to Sentriant CE150 #2 to start the IKE negotiation. No configuration is needed to support this scenario.
  14. Remote Default Gateway: Sentriants on a Routed Network
      [Diagram labels:
        Station S1 192.168.174.125; Router Local Port 192.168.174.1
        Station S2 192.168.144.125; Router Local Port 192.168.164.1
        Router R1 WAN Port 192.168.144.175; Router R4 WAN Port 192.168.154.175
        Sentriant CE150 #1: Remote Port 192.168.144.125, Local Port 192.168.144.150; Router R2 192.168.144.100
        Sentriant CE150 #2: Remote Port 192.168.154.125, Local Port 192.168.154.150; Router R3 192.168.154.100]
      In this scenario, there is a router between the initiating Sentriant CE150 (Sentriant CE150 #1) and the WAN. The ikeDefaultGateway command on Sentriant CE150 #1 specifies Router R2’s local router port IP address, 192.168.144.100. In this way the Sentriant CE150 #1 uses the router network to forward packets to peer Sentriant CE150 #2.
      The Sentriant CE150 #2 specifies the Router R3 local access port, 192.168.154.100, as the default gateway to use to forward packets to Sentriant CE150 #1.
  15. Remote Default Gateway: Routed Network Example
      This example configures the remote default gateway on Sentriant CE150 #1, shown in the routed network on the previous slide.
          ops> con t
          config> int remote
          config-ifRemote> ikeDefaultGateway 192.168.144.100
          config-ifRemote> exit
          config> exit
          ops> copy s n
          ops> reboot
      NOTE: You must set the local port macAddrResolutionMechanism to arp or gateway before setting the remote port ikeDefaultGateway IP address.
  16. Summary
      This module provided the necessary information and steps to prepare the Sentriant CE150 for operation.
      • It explained how to configure the Sentriant CE150 local and remote port settings.
      • It reviewed the local port ARP vs. MAC resolution mechanism.
      • It explained how to configure the remote port in a router vs. non-router environment.
  17. Summary (continued)
      You should now be able to:
      • Configure the local and remote ports on the Sentriant CE150.
      • Understand when to use ARP vs. MAC to resolve Layer 2 MAC addressing on the local port.
      • Configure the remote port with IKE negotiation within a subnet vs. in a routed network.
  18. End of Module Review
      5 Minutes
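
The two constraints stated on slides 12 and 15 (the ikeDefaultGateway address must be in the remote port's subnet, and the local port MAC resolution must already be arp or gateway) can be checked against a planned command sequence before it is typed into the appliance. The following Python sketch is an added example, not part of the Extreme Networks training material or tooling; the function name check_ce150 and the sample input are assumptions, and it assumes the sequence it is given is the complete configuration.

```python
import ipaddress

# Constructed input: the commands this module's examples use for Sentriant CE150 #1.
SAMPLE = """\
int local
ip address 192.168.144.150 255.255.255.0
macAddrResolutionMechanism arp
exit
int remote
ip address 192.168.144.125
ikeDefaultGateway 192.168.144.100
exit
"""

def check_ce150(commands):
    """Return the problems found in a sequence of CE150 configuration commands."""
    problems, iface, cfg = [], None, {}
    for raw in commands.splitlines():
        words = raw.split(">", 1)[-1].split()  # drop a pasted "config-ifRemote>" prompt
        if not words:
            continue
        cmd = words[0].lower()
        arg = words[1].lower() if len(words) > 1 else ""
        if cmd in ("int", "interface"):
            iface = arg
        elif cmd == "exit":
            iface = None
        elif cmd == "ip" and arg == "address" and iface and len(words) > 2:
            mask = words[3] if len(words) > 3 else "255.255.255.0"  # documented default
            cfg[iface] = ipaddress.ip_interface(f"{words[2]}/{mask}")
        elif cmd == "macaddrresolutionmechanism" and iface == "local":
            cfg["macres"] = arg
        elif cmd == "ikedefaultgateway" and iface == "remote" and arg not in ("", "none"):
            # NOTE from the module: local MAC resolution must already be arp or gateway.
            if cfg.get("macres") not in ("arp", "gateway"):
                problems.append("local MAC resolution is not arp or gateway")
            remote = cfg.get("remote")
            if remote is None:
                problems.append("remote port IP address not set")
            elif ipaddress.ip_address(arg) not in remote.network:
                problems.append(f"gateway {arg} outside remote subnet {remote.network}")
    return problems

if __name__ == "__main__":
    for line in check_ce150(SAMPLE) or ["no problems found"]:
        print(line)
```

Lines pasted with their prompts (for example `config-ifRemote> ikeDefaultGateway ...`) are accepted as well, so a session captured from the console can be checked as-is.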
