2016 Edgecore Networks BMF virtual LAB

Phil Huang
November 03, 2016

Transcript

  1. Edgecore Networks
    Big Monitoring Fabric Virtual Lab
    Phil Huang
    Open Networking Division

  2. 01 Big Monitoring Fabric Overview
    02 Hands-On Lab Overview
    03 Setting BMF Environment
    04 Integrate with BMF and Firewall
    05 Integrate with BMF and SPAN
    © 2016 Edgecore Networks. All rights reserved. Subject to errors and misprints. |
    www.edge-core.com

  3. Big Monitoring Fabric Overview
    LEGACY INLINE TOOLS
    § Complex & Expensive
    § Limited Tool Optimization
    § Operational Challenges
    [Diagram labels: Trusted, Untrusted, Firewall, IPS, Internet, DMZ]
    BIG MON: INLINE
    § Simple & Economical
    § Enhanced Tool Optimization
    § Clear Role Separation between network and security admins
    [Diagram labels: Big Mon Inline Switches (1/10/40/100G); Untrusted, Trusted; Inline Tools (Firewall, IPS, Web Proxy); Traffic Distribution / Load Sharing; Big Monitoring Fabric Controllers (HA pair); ACL-based SPAN; Out-of-Band Tool Farm]

  4. Hands-On Lab Overview
    Provided by Big Switch & Edgecore Networks

  5. BMF Inline Mode Hands-On Lab
    § Learn the fundamental concepts of Big Monitoring Fabric inline
    § How to work in BMF inline mode?
    § Create service chain
    § Create service
    § Insert Firewall service instance in chain
    § Insert SPAN service in chain

  6. Login BSN Labs & Edgecore Networks
    http://labs.bigswitch.com/edgecore
    Type the information that you are given

  7. Launch Big Monitoring Fabric Module 1
    Press “LAUNCH” button
    Choose “Big Monitoring Fabric”

  8. Access Hands-On Lab
    Lab Topology & options to access the BMF Controller

  9. Lab Topology Overview
    10.0.0.1

  10. Introduction of Component
    BMF Switch
    * switch name: sw11
    BMF Controller
    * Control BMF Switch
    Firewall
    * Drop ICMP echo request
    Wireshark
    * Network traffic analyzer
    [Topology diagram labels: 10.0.0.1, 10.0.0.2, callouts 1 to 7]

  11. Access Big Monitoring Fabric Controller
    § Action
    1. Right click Big Monitoring Fabric (BMF) Controller icon
    2. Select the “Controller GUI”
    § Default controller username/password is “admin/bsn123”

  12. Deploy Switch in BMF Inline Mode
    Ready to ship from Edgecore Networks

  13. Deploy Switch for Big Chain mode
    § Set deployment to Big Chain mode
    § Default deployment is Big Tap mode
    § Action
    1. Navigate to Fabric -> Switches
    2. Click
    3. Choose Deploy for Big Chain
    [Screenshot annotation: Default deployment, need to change to Big Chain mode]

  14. Test Traffic
    § Traffic will be blocked if no chain is defined over the switch ports connecting the hosts
    § Action
    1. Right click External host
    2. Access the Web CLI
    3. Ping the trusted host in the internal network

  15. Create a Chain
    Logical, Layer-1 and Bidirectional Wire

  16. What is Chain?
    § Logical, Layer-1, bidirectional wire that connects a WAN (untrusted) device and a LAN switch (trusted)
    § Multiple services may be assigned to a chain
    § Firewalls
    § IPS
    § Web Proxy
    § Without services, the chain lets all traffic through in both directions, without modifying packets
    IPS: Intrusion Prevention System

  17. Devices Connection
    § View devices connected to ports of BMF inline switch
    § Firewall, IPS, Wireshark, Trusted and Untrusted networks
    § Action
    1. Right click on the inline switch sw11
    2. Use Device Information
    Reminder: a clearer topology is on page 10 :)
    Interface    Connected Device
    Ethernet1    Trusted Network
    Ethernet2    Untrusted Network
    Ethernet3    Wireshark
    Ethernet4    Firewall (In)
    Ethernet5    Firewall (Out)
    Ethernet6    IPS (In)
    Ethernet7    IPS (Out)

  18. Create Internal/External Chain (1/2)
    § Action
    1. Navigate to Big Chain -> Chains
    2. Click on + to add chain

  19. Create Internal/External Chain (2/2)
    Chain name: Edgecore_Chain
    Select sw11 (00::00:0a)
    Ethernet1 connected to trusted network
    Ethernet2 connected to untrusted network
    Save configuration

  20. Test Internal/External Chain
    § Verify Edgecore_Chain is forwarding traffic
    § Action
    1. Right click External host
    2. Access the CLI Access
    3. Ping the trusted host in internal network

  21. Create a Firewall Service
    Service instances and Services

  22. Big Chain Service Instances and Services
    § Service instance
    § A pair of switch ports that are connected to an inline tool (FW, IPS, etc.)
    § Services
    § Include one or more service instances
    § Apply to specific subsets of chains, for enhanced tool performance
    § Configure with Health Check to alert for tool failure

  23. Create a Firewall Service (1/2)
    § Action
    1. Navigate to Fabric -> Switches
    2. Click Switch DPID
    3. Click to add a service

  24. Create a Firewall Service (2/2)
    § Action
    4. Name it Firewall_Service
    5. For action choose Use Service, and for traffic type choose All
    6. Click Submit to finish

  25. Create a Firewall Service Instance (1/2)
    § Action
    1. Select Firewall_Service in Service list
    2. Click New service instance

  26. Create a Firewall Service Instance (2/2)
    Ethernet4 connected to Firewall input interface
    Ethernet5 connected to Firewall output interface

  27. Verify Firewall Service
    § Show the connected graph in the BMF Web GUI

  28. Insert Firewall Service Instance
    Drop ICMP by firewall within BMF chain

  29. Insert Firewall Service Instance (1/2)
    § Action
    1. Select Edgecore_Chain under Chains
    2. Click Insert service to begin

  30. Insert Firewall Service Instance (2/2)
    § Action
    1. Select Firewall_Service and Instance 1 for Service instance
    2. Click Submit

  31. What does it look like?
    [Figure: Hands-on Lab Topology View beside BMF Controller View, each with callouts 1, 2, 4, 5]

  32. Verify Traffic Drop on Chain Edgecore_Chain
    § By default, the Firewall will drop all ICMP echo requests (type 8)
    § Action
    1. Right click External host
    2. Access the Web CLI
    3. Ping the trusted host in internal network
    § PING should fail in either direction
    § Firewall drops ICMP echo requests

  33. Drop Firewall Service Instance
    Remove instance easily if you want

  34. Drop Firewall Service Instance
    § Action
    1. Click and drag to remove
    2. Click Submit

  35. Verify Traffic Drop on Chain Edgecore_Chain
    § Real time response
    § Action
    1. Right click External host
    2. Access the Web CLI
    3. Ping the trusted host in internal network

  36. Create a SPAN Service

  37. Create a SPAN Service (1/2)
    § Action
    1. Navigate to Fabric -> Switches
    2. Click Switch DPID
    3. Click to add a SPAN service

  38. Create a SPAN Service (2/2)
    § Action
    4. Name it Wireshark, and click Next
    5. Click to add rules
    6. Select all traffic with Match All Traffic, click Append, then Submit to finish

  39. Create a SPAN Service Instance (1/2)
    § Action
    1. Select Wireshark in Span Services
    2. Click New span service instance

  40. Create a SPAN Service Instance (2/2)
    § Action
    3. Choose ethernet3, and click Submit
    4. Show WEB GUI on BMF

  41. Insert SPAN Service Instance
    Simple and easy to monitor your network

  42. Insert SPAN Service Instance (1/2)
    § Action
    1. Click Edgecore_Chain in Chains list
    2. Insert SPAN service instance at Endpoint 2

  43. Insert SPAN Service Instance (2/2)
    § Action
    3. Select Wireshark, Instance 1
    4. Click Submit

  44. Trace SPAN Traffic
    § All ingress traffic at ethernet2 is copied to Wireshark
    § External-to-Internal direction

  45. Verify SPAN Traffic
    § Action
    1. Right click External host
    2. Access the Web CLI
    3. Ping the trusted host in internal network
    4. Right click the Wireshark icon and choose Real-time Capture
    [Figure: Wireshark Output Result]

  46. Open Networking
    from
    Freedom
    Control
    Innovation

  47. © 2015 Edgecore Networks. All rights reserved. Subject to errors and misprints. | www.edge-core.com
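
The chain behaviour the lab steps through (slides 14 to 45), as a small Python model added here for illustration; it is not Big Switch or Edgecore code. The `Chain` class, the function names and the choice to mirror at ingress before any inline tool are assumptions made for the model.

```python
# Added illustrative model of the lab's chain semantics (hypothetical names throughout).
ECHO_REQUEST, ECHO_REPLY = 8, 0          # ICMP types; the lab firewall drops type 8

def firewall(pkt):
    """Lab firewall policy from slide 32: drop ICMP echo requests, pass the rest."""
    return None if pkt["icmp_type"] == ECHO_REQUEST else pkt

class Chain:
    """Bidirectional wire between two endpoint ports with optional inline services."""
    def __init__(self, endpoint1, endpoint2):
        self.endpoints = (endpoint1, endpoint2)   # Ethernet1 (trusted), Ethernet2 (untrusted)
        self.services = []                        # inline tools, ordered endpoint1 -> endpoint2
        self.span = {}                            # endpoint port -> packets copied to the SPAN tool

    def forward(self, ingress, pkt):
        """Return the egress port, or None if an inline tool dropped the packet."""
        if ingress in self.span:                  # assumption: copy at ingress, before any tool
            self.span[ingress].append(dict(pkt))
        tools = self.services if ingress == self.endpoints[0] else reversed(self.services)
        for tool in tools:
            pkt = tool(pkt)
            if pkt is None:
                return None
        return self.endpoints[1] if ingress == self.endpoints[0] else self.endpoints[0]

def ping(chain, src_port):
    """Echo request from src_port, echo reply back; True only if both cross the chain."""
    if chain is None:                             # slide 14: no chain defined, traffic is blocked
        return False
    far = chain.forward(src_port, {"icmp_type": ECHO_REQUEST})
    return far is not None and chain.forward(far, {"icmp_type": ECHO_REPLY}) == src_port

def run_lab():
    """Replay the lab steps in order and record what each ping test should show."""
    results = {"no_chain": ping(None, "Ethernet2")}
    chain = Chain("Ethernet1", "Ethernet2")       # Edgecore_Chain
    results["empty_chain"] = ping(chain, "Ethernet2")
    chain.services.append(firewall)               # Firewall_Service instance (Ethernet4/5)
    results["fw_ext_to_int"] = ping(chain, "Ethernet2")
    results["fw_int_to_ext"] = ping(chain, "Ethernet1")
    chain.services.remove(firewall)               # slide 34: drag the instance out of the chain
    chain.span["Ethernet2"] = []                  # SPAN instance at Endpoint 2 -> Ethernet3
    results["after_removal"] = ping(chain, "Ethernet2")
    results["wireshark_types"] = [p["icmp_type"] for p in chain.span["Ethernet2"]]
    return results
```

In this model the capture holds only the echo request (type 8), because the reply enters at Ethernet1 and slide 44 describes the copy as ingress traffic at ethernet2 only.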
