2016 Edgecore Networks BMF virtual LAB

Edgecore Networks
Big Monitoring Fabric Virtual Lab
Phil Huang
Open Networking Division

View Slide

Integrate with BMF and Firewall
Integrate with BMF and SPAN
Hands-On Lab Overview
© 2016 Edgecore Networks. All rights reserved. Subject to errors and misprints. |
www.edge-core.com
Big Monitoring Fabric Overview
01
04
05
02
Setting BMF Environment
03

View Slide

Big Monitoring Fabric Overview
3
LEGACY
Trusted
Untrusted
FIREWALL
IPS
INTERNET
DMZ
Complex &
Expensive
Limited Tool
Optimization
Operational
Challenges
✗
✗
✗
INLINE TOOLS
Simple & Economical
Enhanced Tool
Optimization
Clear Role Separation
between network and
security admins
ü
ü
ü
BIG MON: INLINE
BIG MON INLINE
Switches
(1/10/40/100G)
FIREWALL
IPS
WEB PROXY
Untrusted
Trusted
INLINE TOOLS
TRAFFIC DISTRIBUTION /
LOAD SHARING
BIG MONITORING
FABRIC CONTROLLERS
(HA PAIR)
ACL-based
SPAN
OUT-OF-BAND
TOOL FARM
WEB PROXY
© 2016 Edgecore Networks. All rights reserved. Subject to errors and misprints. |
www.edge-core.com

View Slide

Hands-On Lab Overview
Provided by Big Switch & Edgecore Networks
© 2016 Edgecore Networks. All rights reserved | www.edge-core.com 4

View Slide

BMF Inline Mode Hands-On Lab
5
© 2016 Edgecore Networks. All rights reserved | www.edge-core.com
§ Learn the fundamental concepts of Big Monitoring Fabric inline
§ How to work in BMF inline mode?
§ Create service chain
§ Create service
§ Insert Firewall service instance in chain
§ Insert SPAN service in chain

View Slide

Login BSN Labs & Edgecore Networks
6
http://labs.bigswitch.com/edgecore
Type information that you are
given

View Slide

Launch Big Monitoring Fabric Module 1
7
Press “LAUNCH” button
Choose “Big Monitoring Fabric”

View Slide

Access Hands-On Lab
8
Lab Topology & options to
access the BMF Controller

View Slide

Lab Topology Overview
9
10.0.0.1

View Slide

Introduction of Component
10
1
2
4
5 3
7
6
10.0.0.2
10.0.0.1
BMF Switch
* switch name: sw11
BMF Controller
* Control BMF Switch
Firewall
* Drop ICMP echo request
Wireshark
* Network traffic analyzer

View Slide

Access Big Monitoring Fabric Controller
11
§ Action
1. Right click Big Monitoring Fabric (BMF) Controller icon
2. Select the “Controller GUI”
§ Default controller username/password is “admin/bsn123”

View Slide

Deploy Switch in BMF Inline Mode
Ready to ship from Edgecore Networks

View Slide

Deploy Switch for Big Chain mode
13
§ Setting deployment to Big Chain mode
§ Default deployment is Big Tap mode
§ Action
1. Navigate to Fabric -> Switches
2. Click
3. Choose Deploy for Big Chain
Default deployment,
Need to change
to Big Chain mode
1
2
3

View Slide

Test Traffic
14
§ Traffic will be block if no chain is
defined over the switch ports
connecting the hosts
§ Action
1. Right click External host
2. Access the Web CLI
3. Ping the trusted host in
internal network
1
2
3

View Slide

Create a Chain
Logical, Layer-1 and Bidirectional Wire

View Slide

What is Chain?
16
§ Logical, Layer-1, bidirectional wire that connects
WAN (untrusted) device and LAN switch (trusted)
§ Multiple services may be assign to a chain
§ Firewalls
§ IPS
§ Web Proxy
§ Without services, the chain letting all traffic
through in both directions, without modifying packets Chain
IPS: Intrusion Prevention System

View Slide

Devices Connection
17
§ View devices connected to ports of BMF inline switch
§ Firewall, IPS, Wireshark, Trusted and Untrusted networks
§ Action
1. Right click on the inline switch sw11
2. Use Device Information
1
2
Reminder: More clear topology at page 10 J
Interface Devices Connect
Ethernet1 Trusted Network
Ethernet2 Untrusted Network
Ethernet3 Wireshark
Ethernet4 Firewall (In)
Ethernet5 Firewall (Out)
Ethernet6 IPS (In)
Ethernet7 IPS (Out)

View Slide

Create Internal/External Chain (1/2)
18
§ Action
1. Navigate to Big Chain -> Chains
2. Click on + to add chain
1
2

View Slide

Create Internal/External Chain (2/2)
19
Chain name: Edgecore_Chain Select sw11 (00::00:0a)
Ethernet1 connected to
trusted network
untrusted network
Save configuration

View Slide

Test Internal/External Chain
20
§ Verify Edgecore_Chain is
forwarding traffic
§ Action
2. Access the CLI Access
internal network
1
2
3

View Slide

Create a Firewall Service
Services instances and Services

View Slide

Big Chain Service Instances and Services
22
§ Service instance
§ A pair of switch ports that are connected to an inline tool (FW, IPS…etc)
§ Services
§ Include one or more service instances
§ Apply to specific subsets of chains, for enhanced tool performance
§ Configure with Health Check to alert for tool failure

View Slide

Create a Firewall Service (1/2)
23
§ Action
2. Click Switch DPID
3. Click to add a services
1
2
3

View Slide

Create a Firewall Service (2/2)
24
§ Action
4. Naming Firewall_Service
5. For action choose Use Service, and For
traffic type All
6. Click submit to finish
4
5

View Slide

Create a Firewall Service Instance (1/2)
25
§ Action
1. Select Firewall_Service in Service list
2. Click New service instance
1
2

View Slide

Create a Firewall Service Instance (2/2)
26
Firewall input interface
Firewall output interface

View Slide

Verify Firewall Service
27
§ Show connected graph by BMF WEB GUI

View Slide

Insert Firewall Service Instance
Drop ICMP by firewall within BMF chain

View Slide

Insert Firewall Service Instance (1/2)
29
§ Action
1. Select Edgecore_Chain under Chains
2. Click Insert service to begin
1
2

View Slide

Insert Firewall Service Instance (2/2)
30
§ Action
1. Select Firewall_Service and Instance 1 for Service instance
2. Click Submit
1
2

View Slide

What does it look like?
31
1
2
4
5
2
1
4
5
Hands-on Lab Topology View BMF Controller View

View Slide

Verify Traffic Drop on Chain Edgecore_Chain
32
§ By default, the Firewall will drop all ICMP echo requests (type 8)
§ Action
internal network
§ PING should fail in either direction
§ Firewall drops ICMP echo requests
1
3

View Slide

Drop Firewall Service Instance
Remove instance easily if you want

View Slide

Drop Firewall Service Instance
34
§ Action
1. Click and drag to remove
2. Click Summit
2
1

View Slide

Verify Traffic Drop on Chain Edgecore_Chain
35
§ Real time response
§ Action
internal network
1
2
3

View Slide

Create a SPAN Service

View Slide

Create a SPAN Service (1/2)
37
§ Action
2. Click Switch DPID
3. Click to add a SPAN services
1
2
3

View Slide

Create a SPAN Service (2/2)
38
§ Action
4. Naming Wireshark, and click Next
5. Click to add rules
6. Select all traffic with Match All Traffic,
click Append then Submit to finish
5
4
6

View Slide

Create a SPAN Service Instance (1/2)
39
§ Action
1. Select Wireshark in Span Services
2. Click New span service instance
1
2

View Slide

Create a SPAN Service Instance (2/2)
40
§ Action
3. Choose ethernet3, and click Submit
4. Show WEB GUI on BMF
3
4

View Slide

Insert SPAN Service Instance
Simple and easy to monitor your network

View Slide

Insert SPAN Service Instance (1/2)
42
§ Action
1. Click Edgecore_Chain in Chains list
2. Insert SPAN service instance at Endpoint 2
1
2

View Slide

Insert SPAN Service Instance (2/2)
43
§ Action
3. Select Wireshark, Instance 1
4. Click Submit
3
4

View Slide

Trace SPAN Traffic
44
§ All ingress traffic at ethernet2 is copied to
Wireshark
§ External-to-Internal direction
1
2
3

View Slide

Verify SPAN Traffic
45
§ Action
internal network
4. Right click the Wireshark icon
and choose Real-time Capture
4
3
Wireshark Output Result

View Slide

46
Open Networking
from
Freedom
Control
Innovation

View Slide

2016 Edgecore Networks BMF virtual LAB

2016 Edgecore Networks BMF virtual LAB

Phil Huang

More Decks by Phil Huang

Other Decks in Technology

Featured

Transcript