2016 Edgecore Networks BMF virtual LAB

D907136acebc72f1df878541b26f271a?s=47 Phil Huang
November 03, 2016
Technology
0
74

2016 Edgecore Networks BMF virtual LAB

D907136acebc72f1df878541b26f271a?s=128

Phil Huang

November 03, 2016
Tweet

More Decks by Phil Huang

See All by Phil Huang
D907136acebc72f1df878541b26f271a?s=48 pichuang
2
370
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
35
D907136acebc72f1df878541b26f271a?s=48 pichuang
2
370
D907136acebc72f1df878541b26f271a?s=48 pichuang
3
1k
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
80
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
310
D907136acebc72f1df878541b26f271a?s=48 pichuang
1
420
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
63
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
98

Other Decks in Technology

See All in Technology
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
0
1k
Cad863e7fd94ece3248e0af21882259c?s=48 kennygt51
0
110
Ac85568dfa460d48c36095d142632b1a?s=48 wps
0
170
3bf6da1f63cd8b7a2f802f95c269ed80?s=48 fromatom
5
550
88964b936e864ca7d326272eaa70fa9a?s=48 hgsgtk
0
110
0af658ea4f11fa7bf803115451890d4c?s=48 ararajp
2
110
0e742980c48d689f31700b208f22fd5a?s=48 k_koheyi
1
130
847a328633b1df6b11cc2f72430025e6?s=48 ks91
0
170
8a84268593355816432ceaf78777d585?s=48 dena_tech
1
1.9k
C58d9fc209cfdc0b822f851911110fa6?s=48 coe
12
5k
53e2d354b3299d64a54af680865516d5?s=48 satotakeshi
3
170
8a84268593355816432ceaf78777d585?s=48 dena_tech
0
140

Featured

See All Featured
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
334
15k
78b475797a14c84799063c7cd073962f?s=48 holman
287
130k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
84
3.8k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
399
20k
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
94
5k
78b475797a14c84799063c7cd073962f?s=48 holman
448
130k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
345
20k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
250
11k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
391
60k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
190
17k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
49
3.2k

Transcript

  1. Edgecore Networks Big Monitoring Fabric Virtual Lab Phil Huang <phil_huang@edge-core.com>

    Open Networking Division

  2. Integrate with BMF and Firewall Integrate with BMF and SPAN

    Hands-On Lab Overview © 2016 Edgecore Networks. All rights reserved. Subject to errors and misprints. | www.edge-core.com Big Monitoring Fabric Overview 01 04 05 02 Setting BMF Environment 03

  3. Big Monitoring Fabric Overview 3 LEGACY Trusted Untrusted FIREWALL IPS

    INTERNET DMZ Complex & Expensive Limited Tool Optimization Operational Challenges ✗ ✗ ✗ INLINE TOOLS Simple & Economical Enhanced Tool Optimization Clear Role Separation between network and security admins ü ü ü BIG MON: INLINE BIG MON INLINE Switches (1/10/40/100G) FIREWALL IPS WEB PROXY Untrusted Trusted INLINE TOOLS TRAFFIC DISTRIBUTION / LOAD SHARING BIG MONITORING FABRIC CONTROLLERS (HA PAIR) ACL-based SPAN OUT-OF-BAND TOOL FARM WEB PROXY © 2016 Edgecore Networks. All rights reserved. Subject to errors and misprints. | www.edge-core.com

  4. Hands-On Lab Overview Provided by Big Switch & Edgecore Networks

    © 2016 Edgecore Networks. All rights reserved | www.edge-core.com 4

  5. BMF Inline Mode Hands-On Lab 5 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Learn the fundamental concepts of Big Monitoring Fabric inline § How to work in BMF inline mode? § Create service chain § Create service § Insert Firewall service instance in chain § Insert SPAN service in chain

  6. Login BSN Labs & Edgecore Networks 6 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com http://labs.bigswitch.com/edgecore Type information that you are given

  7. Launch Big Monitoring Fabric Module 1 7 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com Press “LAUNCH” button Choose “Big Monitoring Fabric”

  8. Access Hands-On Lab 8 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com Lab Topology & options to access the BMF Controller

  9. Lab Topology Overview 9 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com 10.0.0.1

  10. Introduction of Component 10 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com 1 2 4 5 3 7 6 10.0.0.2 10.0.0.1 BMF Switch * switch name: sw11 BMF Controller * Control BMF Switch Firewall * Drop ICMP echo request Wireshark * Network traffic analyzer

  11. Access Big Monitoring Fabric Controller 11 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 1. Right click Big Monitoring Fabric (BMF) Controller icon 2. Select the “Controller GUI” § Default controller username/password is “admin/bsn123”

  12. Deploy Switch in BMF Inline Mode Ready to ship from

    Edgecore Networks © 2016 Edgecore Networks. All rights reserved | www.edge-core.com 12

  13. Deploy Switch for Big Chain mode 13 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com § Setting deployment to Big Chain mode § Default deployment is Big Tap mode § Action 1. Navigate to Fabric -> Switches 2. Click 3. Choose Deploy for Big Chain Default deployment, Need to change to Big Chain mode 1 2 3

  14. Test Traffic 14 © 2016 Edgecore Networks. All rights reserved

    | www.edge-core.com § Traffic will be block if no chain is defined over the switch ports connecting the hosts § Action 1. Right click External host 2. Access the Web CLI 3. Ping the trusted host in internal network 1 2 3

  15. Create a Chain Logical, Layer-1 and Bidirectional Wire © 2016

    Edgecore Networks. All rights reserved | www.edge-core.com 15

  16. What is Chain? 16 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com § Logical, Layer-1, bidirectional wire that connects WAN (untrusted) device and LAN switch (trusted) § Multiple services may be assign to a chain § Firewalls § IPS § Web Proxy § Without services, the chain letting all traffic through in both directions, without modifying packets Chain IPS: Intrusion Prevention System

  17. Devices Connection 17 © 2016 Edgecore Networks. All rights reserved

    | www.edge-core.com § View devices connected to ports of BMF inline switch § Firewall, IPS, Wireshark, Trusted and Untrusted networks § Action 1. Right click on the inline switch sw11 2. Use Device Information 1 2 Reminder: More clear topology at page 10 J Interface Devices Connect Ethernet1 Trusted Network Ethernet2 Untrusted Network Ethernet3 Wireshark Ethernet4 Firewall (In) Ethernet5 Firewall (Out) Ethernet6 IPS (In) Ethernet7 IPS (Out)

  18. Create Internal/External Chain (1/2) 18 © 2016 Edgecore Networks. All

    rights reserved | www.edge-core.com § Action 1. Navigate to Big Chain -> Chains 2. Click on + to add chain 1 2

  19. Create Internal/External Chain (2/2) 19 © 2016 Edgecore Networks. All

    rights reserved | www.edge-core.com Chain name: Edgecore_Chain Select sw11 (00::00:0a) Ethernet1 connected to trusted network Ethernet2 connected to untrusted network Save configuration

  20. Test Internal/External Chain 20 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com § Verify Edgecore_Chain is forwarding traffic § Action 1. Right click External host 2. Access the CLI Access 3. Ping the trusted host in internal network 1 2 3

  21. Create a Firewall Service Services instances and Services © 2016

    Edgecore Networks. All rights reserved | www.edge-core.com 21

  22. Big Chain Service Instances and Services 22 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com § Service instance § A pair of switch ports that are connected to an inline tool (FW, IPS…etc) § Services § Include one or more service instances § Apply to specific subsets of chains, for enhanced tool performance § Configure with Health Check to alert for tool failure

  23. Create a Firewall Service (1/2) 23 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 1. Navigate to Fabric -> Switches 2. Click Switch DPID 3. Click to add a services 1 2 3

  24. Create a Firewall Service (2/2) 24 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 4. Naming Firewall_Service 5. For action choose Use Service, and For traffic type All 6. Click submit to finish 4 5

  25. Create a Firewall Service Instance (1/2) 25 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com § Action 1. Select Firewall_Service in Service list 2. Click New service instance 1 2

  26. Create a Firewall Service Instance (2/2) 26 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com Ethernet4 connected to Firewall input interface Ethernet5 connected to Firewall output interface

  27. Verify Firewall Service 27 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com § Show connected graph by BMF WEB GUI

  28. Insert Firewall Service Instance Drop ICMP by firewall within BMF

    chain © 2016 Edgecore Networks. All rights reserved | www.edge-core.com 28

  29. Insert Firewall Service Instance (1/2) 29 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 1. Select Edgecore_Chain under Chains 2. Click Insert service to begin 1 2

  30. Insert Firewall Service Instance (2/2) 30 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 1. Select Firewall_Service and Instance 1 for Service instance 2. Click Submit 1 2

  31. What does it look like? 31 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com 1 2 4 5 2 1 4 5 Hands-on Lab Topology View BMF Controller View

  32. Verify Traffic Drop on Chain Edgecore_Chain 32 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com § By default, the Firewall will drop all ICMP echo requests (type 8) § Action 1. Right click External host 2. Access the Web CLI 3. Ping the trusted host in internal network § PING should fail in either direction § Firewall drops ICMP echo requests 1 3

  33. Drop Firewall Service Instance Remove instance easily if you want

    © 2016 Edgecore Networks. All rights reserved | www.edge-core.com 33

  34. Drop Firewall Service Instance 34 © 2016 Edgecore Networks. All

    rights reserved | www.edge-core.com § Action 1. Click and drag to remove 2. Click Summit 2 1

  35. Verify Traffic Drop on Chain Edgecore_Chain 35 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com § Real time response § Action 1. Right click External host 2. Access the Web CLI 3. Ping the trusted host in internal network 1 2 3

  36. Create a SPAN Service © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com 36

  37. Create a SPAN Service (1/2) 37 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 1. Navigate to Fabric -> Switches 2. Click Switch DPID 3. Click to add a SPAN services 1 2 3

  38. Create a SPAN Service (2/2) 38 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 4. Naming Wireshark, and click Next 5. Click to add rules 6. Select all traffic with Match All Traffic, click Append then Submit to finish 5 4 6

  39. Create a SPAN Service Instance (1/2) 39 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com § Action 1. Select Wireshark in Span Services 2. Click New span service instance 1 2

  40. Create a SPAN Service Instance (2/2) 40 © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com § Action 3. Choose ethernet3, and click Submit 4. Show WEB GUI on BMF 3 4

  41. Insert SPAN Service Instance Simple and easy to monitor your

    network © 2016 Edgecore Networks. All rights reserved | www.edge-core.com 41

  42. Insert SPAN Service Instance (1/2) 42 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 1. Click Edgecore_Chain in Chains list 2. Insert SPAN service instance at Endpoint 2 1 2

  43. Insert SPAN Service Instance (2/2) 43 © 2016 Edgecore Networks.

    All rights reserved | www.edge-core.com § Action 3. Select Wireshark, Instance 1 4. Click Submit 3 4

  44. Trace SPAN Traffic 44 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com § All ingress traffic at ethernet2 is copied to Wireshark § External-to-Internal direction 1 2 3

  45. Verify SPAN Traffic 45 © 2016 Edgecore Networks. All rights

    reserved | www.edge-core.com § Action 1. Right click External host 2. Access the Web CLI 3. Ping the trusted host in internal network 4. Right click the Wireshark icon and choose Real-time Capture 4 3 Wireshark Output Result

  46. 46 Open Networking from Freedom Control Innovation © 2016 Edgecore

    Networks. All rights reserved | www.edge-core.com

  47. © 2015 Edgecore Networks. All rights reserved. Subject to errors

    and misprints. | www.edge-core.com