EMEA Partners XTM Network Training
This training material is currently unofficial and may not be redistributed unless cleared by Product Training and Publishing. Carlo Alvarez Technical Trainer - APAC WatchGuard Training
Agenda
- Traffic Management and Quality of Service (QoS)
- VLAN
  - Basic (Trusted/Optional, External)
  - Advanced (FireCluster with devices in different locations)
- Routing on XTM Devices
  - Static
  - Dynamic (BGP, OSPF, RIP)
  - Enhanced Net Failover
- Public IP Address subnet behind XTM (DMZ with Public IP)
- Tunnel Switching
  - Manual
  - Managed
- Special Scenario – Advanced BOVPN Test Case: BOVPN with dual active gateways on both ends, load-sharing/failover
Traffic Management and QoS
- Guarantee or limit bandwidth
- Control the rate at which the XTM device sends packets to the network
- Prioritize when to send packets to the network
- Disabled by default. To enable,
TM - Guaranteed Bandwidth
- The minimum amount of bandwidth allocated to a specific policy or group of policies at any given time
- Bandwidth is measured as outgoing with respect to an interface
- When the maximum is set to 0, the policy can use up to the line speed, depending on the utilization of the link
TM - Restricted Bandwidth
- The maximum amount of bandwidth a specific policy or group of policies can use at any given time
- Bandwidth is measured as outgoing with respect to an interface
- When the minimum is set to 0, there is no reserved bandwidth for the policy or group of policies
TM – Helpful Hints
- The total amount of guaranteed bandwidth for all Traffic Management Actions in use must not exceed the line speed of the corresponding interface(s).
- All hosts using the same policy with a TM Action in effect share the allocated bandwidth when it is restricted.
- Always note the traffic direction when implementing a TM Action.
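A small configuration sanity check for the three hints above, added here as an example (it is not WatchGuard code): it resolves the "0 means line speed / 0 means no reservation" rules, rejects a set of TM Actions whose guaranteed total exceeds the interface line speed, and computes what each host gets when several hosts share one restricted policy. All names and figures are constructed.

```python
# Sanity checks for Traffic Management actions, using the semantics from the slides:
# guaranteed = reserved minimum, restricted = hard maximum, a max of 0 means "up to
# line speed", a min of 0 means "nothing reserved", and hosts sharing one restricted
# policy share its bandwidth. Example added here, not WatchGuard's code; all figures
# below are constructed.

def effective_limits(action, line_speed_kbps):
    """Resolve the 0 placeholders into concrete (min, max) figures in kbps."""
    minimum = action.get("guaranteed_kbps", 0)
    maximum = action.get("restricted_kbps", 0) or line_speed_kbps
    return minimum, maximum

def validate_interface(line_speed_kbps, actions):
    """List the problems with the TM actions applied to one (outgoing) interface."""
    problems = []
    total_guaranteed = 0
    for name, action in actions.items():
        minimum, maximum = effective_limits(action, line_speed_kbps)
        total_guaranteed += minimum
        if minimum > maximum:
            problems.append(f"{name}: guaranteed {minimum} kbps exceeds its restricted {maximum} kbps")
        if maximum > line_speed_kbps:
            problems.append(f"{name}: restricted {maximum} kbps exceeds the line speed")
    if total_guaranteed > line_speed_kbps:
        problems.append(f"total guaranteed {total_guaranteed} kbps exceeds line speed {line_speed_kbps} kbps")
    return problems

def per_host_share(action, line_speed_kbps, active_hosts):
    """What each host gets when several hosts match the same restricted policy."""
    _, maximum = effective_limits(action, line_speed_kbps)
    return maximum // max(active_hosts, 1)

# Constructed example: a 10 Mbps external link carrying three TM actions.
LINE_SPEED = 10_000
ACTIONS = {
    "VoIP":   {"guaranteed_kbps": 2_000, "restricted_kbps": 0},      # reserved, may burst to line speed
    "Backup": {"guaranteed_kbps": 0,     "restricted_kbps": 3_000},  # no reservation, hard cap
    "Mail":   {"guaranteed_kbps": 9_000, "restricted_kbps": 8_000},  # deliberately wrong
}

if __name__ == "__main__":
    for problem in validate_interface(LINE_SPEED, ACTIONS):
        print("problem:", problem)
    print("Backup share with 4 hosts:", per_host_share(ACTIONS["Backup"], LINE_SPEED, 4), "kbps")
```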
Quality of Service (QoS)
Marking Types
- IP Precedence (aka Class of Service)
- Differentiated Services Code Point (DSCP)
Marking Methods
- Preserve
- Assign
- Clear
QoS – Interface Settings
The default interface settings are applied to all traffic passing through that interface.
QoS – Policy Override
Supersedes the QoS settings of the interface that the traffic allowed by this policy will pass through.
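The marking types, methods and the policy override from the last three slides, as an added example rather than WatchGuard code: IP Precedence occupies the top 3 bits of the IP TOS/DS byte and DSCP the top 6, preserve/assign/clear act on that field only, and a policy override, when set, replaces the egress interface setting. The interface and policy settings below are constructed.

```python
# Marking as described on the slides: the type is IP Precedence (the top 3 bits of
# the IP TOS/DS byte) or DSCP (the top 6 bits); the method is preserve, assign or
# clear; a policy's QoS override replaces the interface setting for that policy's
# traffic. Example added here, not WatchGuard's code; the settings are constructed.

PRECEDENCE = "precedence"   # 3-bit field, bits 7..5 of the TOS byte
DSCP = "dscp"               # 6-bit field, bits 7..2 of the TOS byte

def _field(kind):
    return (5, 3) if kind == PRECEDENCE else (2, 6)   # (shift, width)

def read_field(tos_byte, kind):
    shift, width = _field(kind)
    return (tos_byte >> shift) & ((1 << width) - 1)

def mark(tos_byte, marking):
    """Apply one marking {'type', 'method', 'value'} to a TOS/DS byte."""
    shift, width = _field(marking["type"])
    field_mask = ((1 << width) - 1) << shift
    method = marking["method"]
    if method == "preserve":
        return tos_byte
    if method == "clear":
        return tos_byte & ~field_mask & 0xFF
    if method == "assign":
        value = marking["value"]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{marking['type']} value {value} does not fit in {width} bits")
        return (tos_byte & ~field_mask & 0xFF) | (value << shift)
    raise ValueError(f"unknown marking method {method!r}")

def egress_marking(tos_byte, interface_setting, policy_override=None):
    """The policy override, when present, supersedes the egress interface setting."""
    return mark(tos_byte, policy_override or interface_setting)

# Constructed settings: the interface clears DSCP by default; a VoIP policy assigns EF (46).
INTERFACE_DEFAULT = {"type": DSCP, "method": "clear"}
VOIP_POLICY = {"type": DSCP, "method": "assign", "value": 46}

if __name__ == "__main__":
    incoming = 0b10100000   # constructed packet arriving marked DSCP CS5 (40)
    print(hex(egress_marking(incoming, INTERFACE_DEFAULT)))               # 0x0: cleared
    print(hex(egress_marking(incoming, INTERFACE_DEFAULT, VOIP_POLICY)))  # 0xb8: EF
```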
VLAN
Not So Basic VLAN
[Diagram: switches connected by trunks allowing VLANs 10 and 20, running STP; VLAN 10 and VLAN 20 segments]
Not So Basic VLAN – Use Case
- The customer requires redundancy on the LAN.
- Have at least two managed switches that support Spanning Tree Protocol (STP).
- Zones are segregated into VLANs.
VLAN Switches and FireCluster
[Diagram: ISP-1, ISP-2, Trunk; VLAN 10 – External-1, VLAN 20 – External-2, VLAN 30 – Trusted, VLAN 40 – FireCluster IF]
VLAN Switches and FireCluster – Use Case
- The customer has a Head Office and a DR Site but opts to buy only one XTM for each site.
- It is recommended to have two private lines (TRUNK) from different providers to ensure redundancy at all times.
- Internet lines from two ISPs are terminated one at each end.
Routing Protocols on XTM Devices
Static Routing
Static Routing on a Point-to-Point Link
[Diagram: Point-to-Point Link /30 between the two devices. Each side: "Static Route to: /24, Next Hop (Gateway) is:" (addresses not recovered); annotated "To reach /24 from this network" on both ends.]
Static Routing on a Multi-Hop Link
Note that Static Routes must be correctly and consistently defined on the Firebox/XTM devices and on the routers in between.
[Diagram: Multi-Hop Link. On each side, in order: "First, Static Route to: /24, Next Hop (Gateway) is:", "Then, Static Route to: /24, Next Hop (Gateway) is:", "Finally, Static Route to: /24, Next Hop (Gateway) is:" (addresses not recovered); annotated "To reach /24 from this network" on both ends.]
Dynamic Routing
Dynamic Routing Tips:
- To establish Dynamic Routing, both ends must be able to reach the interface they are trying to peer with
- Point-to-Point links are no issue, since the opposite interface is on the same directly connected subnet
- For Multi-Hop links such as MPLS, routes to the peering interfaces must be established first before Dynamic Routing can be established
Common Cause of Inconsistency
Dynamic Routing on a Multi-Hop Link
[Diagram: Firebox – routers – XTM. Initially this Firebox does not know how to reach the remote peering interface; we need to let this Firebox know how to get to it. Similarly, this XTM does not know how to reach the other remote peering interface; likewise the XTM must know the return route to the peering interfaces. Route chain on each side: "First, Static Route to: /30, Next Hop (Gateway) is:", "Then, Static Route to: /30, Next Hop (Gateway) is:" (addresses not recovered).]
Test if the Peering Interfaces are Reachable
- Use the Diagnostic Task to do an Extended Ping
- This is an extended ping from the Firebox, Source address is and Destination Address is
- If both interfaces are reachable from the opposite ends, you are now ready to define your Dynamic Routing
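The hop-by-hop walk behind the multi-hop static routing slide, the peering-interface routes above and this reachability test, as an added example (not WatchGuard code): each device's static routes are followed toward the destination, a next hop that is not on a directly connected subnet or a device with no route is reported, and the check is run in both directions. The topology (Firebox, an MPLS provider router, XTM) and every address are constructed.

```python
# Walks static routes hop by hop, as the multi-hop slides do: every Firebox/XTM and
# router in between needs a route toward the far subnet (or the peering interface)
# whose next hop is directly connected, and the return path must exist as well.
# Example added here, not WatchGuard's code; all names and addresses are constructed.
import ipaddress

class Device:
    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(d), ipaddress.ip_address(n)) for d, n in routes]

    def next_hop(self, dst):
        """'connected' if dst is on a local subnet, else the longest-match next hop."""
        if any(dst in itf.network for itf in self.interfaces):
            return "connected"
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(devices, start, dst):
    """Follow next hops from start toward dst; returns (reachable, path, reason)."""
    dst, dev, path = ipaddress.ip_address(dst), start, [start.name]
    while len(path) <= len(devices):
        nh = dev.next_hop(dst)
        if nh is None:
            return False, path, f"{dev.name} has no route to {dst}"
        if nh == "connected":
            return True, path, "delivered"
        if not any(nh in itf.network for itf in dev.interfaces):
            return False, path, f"{dev.name}: next hop {nh} is not on a connected subnet"
        nxt = next((d for d in devices if any(nh == i.ip for i in d.interfaces)), None)
        if nxt is None or nxt.name in path:
            return False, path, f"{dev.name}: next hop {nh} leads nowhere or loops back"
        dev, path = nxt, path + [nxt.name]
    return False, path, "hop limit exceeded"

def both_ways(devices, a, a_host, b, b_host):
    """The reachability test from the slides, checked in both directions."""
    return trace(devices, a, b_host)[0] and trace(devices, b, a_host)[0]

def build_site(xtm_return_route=True):
    """Firebox -- MPLS provider router -- XTM; optionally omit the XTM's return route."""
    firebox = Device("Firebox", ["192.168.10.1/24", "10.1.1.1/30"], [("192.168.20.0/24", "10.1.1.2")])
    pe = Device("MPLS-PE", ["10.1.1.2/30", "10.2.2.1/30"],
                [("192.168.20.0/24", "10.2.2.2"), ("192.168.10.0/24", "10.1.1.1")])
    xtm = Device("XTM", ["10.2.2.2/30", "192.168.20.1/24"],
                 [("192.168.10.0/24", "10.2.2.1")] if xtm_return_route else [])
    return [firebox, pe, xtm]
```

Calling `both_ways(build_site(), ...)` succeeds, while `build_site(xtm_return_route=False)` reproduces the one-way case where the XTM has no route back.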
Configure Dynamic Routing
Which Dynamic Routing Protocol to use?
Open Shortest Path First (OSPF) is a Link-State Routing Protocol and is commonly used for Point-to-Point links. Border Gateway Protocol (BGP) and Routing Information Protocol (RIP) are examples of Distance-Vector Routing Protocols. RIP relies only on link cost, while BGP prioritizes preference over link cost. BGP is commonly used for multi-hop links.
Configure RIP (using Point-to-Point link)
[Screenshot: RIP configuration on the Firebox and on the XTM]
Configure RIP (using Point-to-Point link)
Manually add the RIP Policy.
Configure OSPF (using Point-to-Point link)
[Screenshot: OSPF configuration on the Firebox and on the XTM]
The Passive Interface command means that you are not going to listen to OSPF advertisements on this interface.
Configure OSPF (using Point-to-Point link)
Manually add the OSPF Policy.
Configure BGP (using Multi-Hop link)
[Screenshot: BGP configuration on the Firebox and on the XTM]
- Use a Private AS Number for Internal BGP; there is no need to register for a Public AS Number.
- No need to add a BGP Policy in Policy Manager.
Enhanced Net Failover Feature
- Launched in XTM Version
- Routes internal traffic over the BOVPN when the internal link becomes unavailable
- Works only between Firebox or XTM devices on both ends
- Works in conjunction with Static Routing or Dynamic Routing
- The internal link can be a simple Leased Line (or Fiber Optic) or connectivity through an MPLS Network
Static Routing vs. Dynamic Routing
When used with Enhanced Net Failover:
- Static Routing
  - Advantage: Works in a FireCluster environment
  - Disadvantage: Failover has to be triggered manually by removing the static routes on both ends
- Dynamic Routing
  - Advantage: Failover is triggered automatically
  - Disadvantage: FireCluster does not support Dynamic Routing, therefore it does not work in such an environment
Enhanced Net Failover Requirements
This Feature Requires:
- BOVPN skills
- Firebox or XTM devices on both ends
- When used with Dynamic Routing, the device should be at least an XTM 2 Series
- Static or Dynamic Routing on the Firebox or XTM devices
- A spare interface for the internal routing on each end
Configure Branch Office VPN
Configure BOVPN
- Configure the BOVPN just like any regular BOVPN
- Go to VPN > VPN Settings…
- Ready to test failover from the chosen routing protocol to the BOVPN
Additional Tips
- Failover from Dynamic Routing to BOVPN takes about 150 seconds. (Hope this gets improved in future releases.)
- When using Static Routing, you must remove the static routes manually on both devices. This is because you can still reach the interface IP address (e.g. with ping) even if you unplug the cable, which forces the Firebox/XTM to keep routing the subnet, since it assumes that the next hop, which is on the same subnet as the interface IP address, is still reachable.
- There are cases where you will need to add static routes for the target subnets on each side to multiple routers in between. Make sure your next hops point in the right direction.
- Most MPLS networks don't require static routes in between, especially if they use iBGP and redistribute routes into their Virtual Routing and Forwarding (VRF) instances.
Public IP Address subnet behind XTM (DMZ with Public IP)
Public IP Address subnet behind XTM
[Diagram: Internet – Router – XTM – Public IP Address subnet behind XTM; link labels /30, /30, /24, /24]
This is the appropriate example of Mixed Routed Mode (Routing + NAT). A Static Route must be present in the Router for the /24 subnet, with the next hop to (address not recovered).
Public IP Address subnet behind XTM – Policy
- NAT has no bearing on the inbound and outbound policies
- For inbound policies, the destination address is the IP address or hostname of the target host or server
Tunnel Switching
Tunnel Switching Overview
- The traffic is passed from the trusted network of Remote Office A to the trusted network of Remote Office B without creating a third BOVPN tunnel between the two remote offices.
- Useful when you require control of network security at the Central Office.
- Policies can be applied to traffic between the two tunnels at the Central Office.
Tunnel Switching – Remote Office and Group
The Central Office announces Remote A's subnet to Remote B as a Local Subnet in the Tunnel Routes, creating a sort of Group A.
Tunnel Switching – Remote Office and Group
The Central Office announces Remote B's subnet to Remote A as a Local Subnet in the Tunnel Routes, creating a sort of Group B.
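The tunnel-route arithmetic behind the two "Remote Office and Group" slides, as an added example that is not WatchGuard code: for each spoke tunnel the Central Office announces its own trusted subnet plus every other remote's subnet as local, the remote side mirrors that, and a helper shows which pair of tunnels a packet between two remotes is switched across at the Central Office (and that traffic staying inside one remote, or originating at the Central Office, is not switched). Office names and subnets are constructed.

```python
# Tunnel routes for hub-and-spoke tunnel switching as on the slides: the Central
# Office announces each remote office's subnet to the other remotes as a Local
# Subnet on its own tunnel, so Remote A reaches Remote B through the two existing
# tunnels without a third one. Example added here, not WatchGuard's code; names
# and subnets are constructed.
import ipaddress

CENTRAL_TRUSTED = "10.0.0.0/24"
REMOTES = {"Remote-A": "10.10.0.0/24", "Remote-B": "10.20.0.0/24"}

def central_tunnel_routes(central_trusted, remotes):
    """Per tunnel at the Central Office: the local subnets it announces and the remote subnets."""
    routes = {}
    for name, subnet in remotes.items():
        switched = [s for n, s in remotes.items() if n != name]   # the other remotes' subnets
        routes[name] = {"local": [central_trusted] + switched, "remote": [subnet]}
    return routes

def remote_tunnel_routes(name, central_routes):
    """Mirror of the central side, as configured on the remote Firebox/XTM."""
    central = central_routes[name]
    return {"local": central["remote"], "remote": central["local"]}

def switched_path(src_ip, dst_ip, central_routes):
    """The (ingress, egress) tunnels a packet is switched across at the Central Office, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

    def tunnel_for(addr):
        for name, r in central_routes.items():
            if any(addr in ipaddress.ip_network(s) for s in r["remote"]):
                return name
        return None

    ingress, egress = tunnel_for(src), tunnel_for(dst)
    if ingress is None or egress is None or ingress == egress:
        return None
    # only switched if the egress tunnel announces the source subnet as a local subnet
    if not any(src in ipaddress.ip_network(s) for s in central_routes[egress]["local"]):
        return None
    return (ingress, egress)

if __name__ == "__main__":
    routes = central_tunnel_routes(CENTRAL_TRUSTED, REMOTES)
    print(routes["Remote-B"])
    print(switched_path("10.10.0.5", "10.20.0.9", routes))   # ('Remote-A', 'Remote-B')
```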
THANK YOU!