
2016 Edgecore Networks BMF virtual LAB

Phil Huang
November 03, 2016


Transcript

  1. Agenda

    01 Big Monitoring Fabric Overview
    02 Hands-On Lab Overview
    03 Setting BMF Environment
    04 Integrate with BMF and Firewall
    05 Integrate with BMF and SPAN

    © 2016 Edgecore Networks. All rights reserved. Subject to errors and misprints. | www.edge-core.com
  2. Big Monitoring Fabric Overview

    Legacy inline deployment: firewall, IPS and web proxy each sit directly in the path between the untrusted side (Internet, DMZ) and the trusted side.
    ✗ Complex & expensive
    ✗ Limited tool optimization
    ✗ Operational challenges

    Big Mon Inline: the inline tools (firewall, IPS, web proxy) hang off Big Mon Inline switches (1/10/40/100G) managed by a Big Monitoring Fabric controller HA pair, with traffic distribution / load sharing across tools and ACL-based SPAN to an out-of-band tool farm.
    ✓ Simple & economical
    ✓ Enhanced tool optimization
    ✓ Clear role separation between network and security admins
  3. Hands-On Lab Overview

    Provided by Big Switch & Edgecore Networks
  4. BMF Inline Mode Hands-On Lab

    § Learn the fundamental concepts of Big Monitoring Fabric inline
    § How to work in BMF inline mode:
      § Create a service chain
      § Create a service
      § Insert a Firewall service instance into the chain
      § Insert a SPAN service into the chain
  5. Login to BSN Labs & Edgecore Networks

    http://labs.bigswitch.com/edgecore
    Enter the login information you were given.
  6. Launch Big Monitoring Fabric Module 1

    Press the "LAUNCH" button and choose "Big Monitoring Fabric".
  7. Access Hands-On Lab

    Lab topology and the options for accessing the BMF Controller.
  8. Introduction of Components

    Lab topology figure (callouts 1-7 are the sw11 switch ports; the two hosts are 10.0.0.1 and 10.0.0.2):
    § BMF Switch: switch name sw11
    § BMF Controller: controls the BMF switch
    § Firewall: drops ICMP echo requests
    § Wireshark: network traffic analyzer
  9. Access Big Monitoring Fabric Controller

    § Action
      1. Right-click the Big Monitoring Fabric (BMF) Controller icon
      2. Select "Controller GUI"
    § Default controller username/password is admin/bsn123 (a lab default; change the default credentials on any controller outside this lab)
  10. Deploy Switch in BMF Inline Mode

    Ready to ship from Edgecore Networks
  11. Deploy Switch for Big Chain Mode

    § Set the deployment to Big Chain mode; the default deployment is Big Tap mode and has to be changed.
    § Action
      1. Navigate to Fabric -> Switches
      2. Click the switch entry
      3. Choose Deploy for Big Chain
  12. Test Traffic

    § Traffic is blocked if no chain is defined over the switch ports connecting the hosts.
    § Action
      1. Right-click the External host
      2. Access the Web CLI
      3. Ping the trusted host in the internal network (the ping fails: no chain exists yet)
  13. Create a Chain

    Logical, Layer-1 and Bidirectional Wire
  14. What is a Chain?

    § A logical, Layer-1, bidirectional wire that connects the WAN (untrusted) device and the LAN switch (trusted)
    § Multiple services may be assigned to a chain:
      § Firewalls
      § IPS (Intrusion Prevention System)
      § Web Proxy
    § Without services, the chain lets all traffic through in both directions without modifying packets
  15. Devices Connection

    § View the devices connected to the ports of the BMF inline switch
    § Firewall, IPS, Wireshark, Trusted and Untrusted networks
    § Action
      1. Right-click the inline switch sw11
      2. Use Device Information
    Reminder: the topology is clearer on the Introduction of Components slide.

    Interface   Device connected
    Ethernet1   Trusted Network
    Ethernet2   Untrusted Network
    Ethernet3   Wireshark
    Ethernet4   Firewall (In)
    Ethernet5   Firewall (Out)
    Ethernet6   IPS (In)
    Ethernet7   IPS (Out)
  16. Create Internal/External Chain (1/2)

    § Action
      1. Navigate to Big Chain -> Chains
      2. Click + to add a chain
  17. Create Internal/External Chain (2/2)

    § Chain name: Edgecore_Chain
    § Select sw11 (00::00:0a)
    § Ethernet1 connected to the trusted network
    § Ethernet2 connected to the untrusted network
    § Save the configuration
  18. Test Internal/External Chain

    § Verify that Edgecore_Chain is forwarding traffic
    § Action
      1. Right-click the External host
      2. Access the CLI
      3. Ping the trusted host in the internal network (the ping now succeeds: a chain with no services passes everything)
  19. Create a Firewall Service

    Service instances and Services
  20. Big Chain Service Instances and Services

    § Service instance
      § A pair of switch ports connected to an inline tool (firewall, IPS, etc.)
    § Service
      § Includes one or more service instances
      § Applies to specific subsets of chains, for enhanced tool performance
      § Can be configured with a health check that alerts on tool failure
  21. Create a Firewall Service (1/2)

    § Action
      1. Navigate to Fabric -> Switches
      2. Click the switch DPID
      3. Click to add a service
  22. Create a Firewall Service (2/2)

    § Action
      4. Name it Firewall_Service
      5. For Action choose Use Service; for Traffic type choose All
      6. Click Submit to finish
  23. Create a Firewall Service Instance (1/2)

    § Action
      1. Select Firewall_Service in the Service list
      2. Click New service instance
  24. Create a Firewall Service Instance (2/2)

    § Ethernet4 connected to the Firewall input interface
    § Ethernet5 connected to the Firewall output interface
  25. Verify Firewall Service

    § The BMF web GUI shows the connection graph of the new service
  26. Insert Firewall Service Instance

    Drop ICMP with the firewall inside the BMF chain
  27. Insert Firewall Service Instance (1/2)

    § Action
      1. Select Edgecore_Chain under Chains
      2. Click Insert service to begin
  28. Insert Firewall Service Instance (2/2)

    § Action
      1. Select Firewall_Service and Instance 1 as the service instance
      2. Click Submit
  29. What does it look like?

    Side-by-side figure: the hands-on lab topology view and the BMF Controller view, with sw11 ports 1, 2, 4 and 5 (trusted, untrusted, firewall in, firewall out) labelled in both.
  30. Verify Traffic Drop on Chain Edgecore_Chain

    § By default, the firewall drops all ICMP echo requests (type 8)
    § Action
      1. Right-click the External host
      2. Access the Web CLI
      3. Ping the trusted host in the internal network
    § The ping should fail in either direction: the firewall drops the echo request whichever host sends it
  31. Drop Firewall Service Instance

    Remove the instance easily if you want
  32. Drop Firewall Service Instance

    § Action
      1. Click and drag the instance out of the chain to remove it
      2. Click Submit
  33. Verify Traffic on Chain Edgecore_Chain After Dropping the Instance

    § The change takes effect in real time: with no service left in the chain, traffic passes in both directions again
    § Action
      1. Right-click the External host
      2. Access the Web CLI
      3. Ping the trusted host in the internal network
  34. Create a SPAN Service (1/2)

    § Action
      1. Navigate to Fabric -> Switches
      2. Click the switch DPID
      3. Click to add a SPAN service
  35. Create a SPAN Service (2/2)

    § Action
      4. Name it Wireshark and click Next
      5. Click to add rules
      6. Select all traffic with Match All Traffic, click Append, then Submit to finish
  36. Create a SPAN Service Instance (1/2)

    § Action
      1. Select Wireshark in Span Services
      2. Click New span service instance
  37. Create a SPAN Service Instance (2/2)

    § Action
      3. Choose ethernet3 and click Submit
      4. The BMF web GUI shows the new SPAN instance
  38. Insert SPAN Service Instance

    Simple and easy to monitor your network
  39. Insert SPAN Service Instance (1/2)

    § Action
      1. Click Edgecore_Chain in the Chains list
      2. Insert the SPAN service instance at Endpoint 2
  40. Insert SPAN Service Instance (2/2)

    § Action
      3. Select Wireshark, Instance 1
      4. Click Submit
  41. Trace SPAN Traffic

    § All ingress traffic at ethernet2 is copied to Wireshark
    § External-to-Internal direction only: a SPAN instance at Endpoint 2 copies what enters the chain from the untrusted side, so the trusted host's replies (which enter at ethernet1) do not appear in the copy
  42. Verify SPAN Traffic

    § Action
      1. Right-click the External host
      2. Access the Web CLI
      3. Ping the trusted host in the internal network
      4. Right-click the Wireshark icon and choose Real-time Capture
    § The Wireshark output shows the copied packets
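The behaviours the lab exercises step by step (no chain blocks the host ports, an empty chain passes everything, the firewall service instance drops ICMP echo requests in either direction, a SPAN instance at Endpoint 2 copies only what enters at ethernet2) can be checked against a small model of sw11. The following Python is an added illustration, not Big Switch or Edgecore code and not the controller's API. It takes the port map, the chain endpoints, the firewall's drop rule and the SPAN placement from the slides; the class names, the "forward everything else" firewall policy, the port order used for the return direction, and the choice of 10.0.0.2 as the untrusted host are assumptions.

```python
"""Toy model of the lab's BMF inline (Big Chain) switch sw11.

Added illustration, not Big Switch or Edgecore code.  Behaviour taken from the
slides: no chain = blocked, empty chain = pass-through, the firewall drops ICMP
echo requests (type 8), a SPAN instance at Endpoint 2 copies ingress on ethernet2.
Everything else (class names, 'forward everything else' firewall policy, the port
order used in the return direction, which host is which) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# sw11 port-to-device map from the Device Information slide.
SW11_PORTS = {
    "ethernet1": "Trusted Network", "ethernet2": "Untrusted Network",
    "ethernet3": "Wireshark", "ethernet4": "Firewall (In)",
    "ethernet5": "Firewall (Out)", "ethernet6": "IPS (In)", "ethernet7": "IPS (Out)",
}
# The deck shows 10.0.0.1 and 10.0.0.2 but not which side each is on (assumption).
TRUSTED_HOST, UNTRUSTED_HOST = "10.0.0.1", "10.0.0.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", ...
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply


@dataclass
class ServiceInstance:
    """A pair of switch ports wired to one inline tool."""
    name: str
    in_port: str
    out_port: str
    forwards: Callable[[Packet], bool]   # tool policy: True = pass, False = drop


@dataclass
class Chain:
    """Logical layer-1 bidirectional wire between two endpoints."""
    name: str
    endpoint1: str                                      # trusted side
    endpoint2: str                                      # untrusted side
    services: List[ServiceInstance] = field(default_factory=list)
    span: Dict[str, str] = field(default_factory=dict)  # ingress endpoint -> SPAN port


def firewall_policy(pkt: Packet) -> bool:
    """Lab firewall: drop ICMP echo requests, forward everything else (assumed)."""
    return not (pkt.proto == "icmp" and pkt.icmp_type == 8)


def forward(chain: Optional[Chain], ingress: str, pkt: Packet) -> Tuple[bool, List[str], List[str]]:
    """Push one packet through sw11; returns (delivered, hops, SPAN copy ports)."""
    if chain is None or ingress not in (chain.endpoint1, chain.endpoint2):
        return False, [ingress], []          # no chain over the host ports: blocked
    copies = [chain.span[ingress]] if ingress in chain.span else []  # SPAN taps ingress
    hops = [ingress]
    inbound = ingress == chain.endpoint2     # untrusted -> trusted direction
    steps = chain.services if inbound else list(reversed(chain.services))
    for svc in steps:
        enter, leave = (svc.in_port, svc.out_port) if inbound else (svc.out_port, svc.in_port)
        hops.append(enter)
        if not svc.forwards(pkt):
            return False, hops, copies       # the tool dropped it
        hops.append(leave)
    hops.append(chain.endpoint1 if inbound else chain.endpoint2)
    return True, hops, copies


def ping(chain: Optional[Chain], from_untrusted: bool = True) -> Tuple[bool, List[str]]:
    """Echo request one way, echo reply back; returns (success, SPAN copies made)."""
    if from_untrusted:
        req_in, rep_in, src, dst = "ethernet2", "ethernet1", UNTRUSTED_HOST, TRUSTED_HOST
    else:
        req_in, rep_in, src, dst = "ethernet1", "ethernet2", TRUSTED_HOST, UNTRUSTED_HOST
    ok, _, copies = forward(chain, req_in, Packet(src, dst, "icmp", 8))
    seen = ["echo-request->" + p for p in copies]
    if not ok:
        return False, seen
    ok, _, copies = forward(chain, rep_in, Packet(dst, src, "icmp", 0))
    return ok, seen + ["echo-reply->" + p for p in copies]


def build_lab_chain(with_firewall: bool = False, with_span: bool = False) -> Chain:
    """Edgecore_Chain at the successive stages of the lab."""
    chain = Chain("Edgecore_Chain", endpoint1="ethernet1", endpoint2="ethernet2")
    if with_firewall:   # Firewall_Service instance 1 on ethernet4/ethernet5
        chain.services.append(ServiceInstance("Firewall_Service/1", "ethernet4", "ethernet5", firewall_policy))
    if with_span:       # SPAN service "Wireshark" instance 1 on ethernet3, at Endpoint 2
        chain.span["ethernet2"] = "ethernet3"
    return chain
```

`ping(None)` and `ping(build_lab_chain(with_firewall=True))` both fail, for different reasons (no chain versus a tool in the path); `ping(build_lab_chain())` succeeds; and `ping(build_lab_chain(with_span=True))` succeeds while reporting a copy of the echo request only, which is the one-direction capture the Trace SPAN Traffic slide describes. Tracing a non-ICMP packet with `forward` shows the hop order ethernet2, ethernet4, ethernet5, ethernet1 inbound and the reverse outbound, i.e. the firewall sees both directions while the SPAN copy sees one.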
  43. Open Networking from Freedom Control Innovation