# GeoSite&GeoIP-VPP Case
## Introduction

This guide provides a step-by-step tutorial for configuring application-aware routing and security compliance policies using the GeoSite/GeoIP capabilities of the Asterfusion ET2500 open intelligent gateway running AsterNOS-VPP.

### What This Guide Will Accomplish

By following this guide, you will upgrade a basic routed network into an intelligent, application-aware gateway. Unlike traditional Layer 3 routing based solely on IP addresses, this guide demonstrates how to route and filter traffic based on domain names (GeoSite) and geographic location (GeoIP).

The scenarios covered are:

- **Smart traffic steering (app-aware routing):** configuring the gateway to identify "Office/SaaS" traffic (e.g., Google) and route it through a dedicated premium line, while keeping general traffic on the standard ISP line.
- **Security compliance (GeoIP & filtering):** implementing security policies to block employee access to "Gaming/Gambling" categories and restricting internal server access to domestic IP addresses only.

## Phase 1: Preparation and Environmental Overview

### Network Topology Plan

We will utilize the following interfaces to simulate a dual-uplink enterprise environment. Based on your current lab setup, we use a secondary laptop to simulate the "premium" gateway for verification purposes.

- **Ethernet 1 (WAN 1, ISP):** the standard internet connection (connected to the upstream switch).
- **Ethernet 2 (WAN 2, Premium):** a simulated low-latency line. We will connect a laptop here to act as the traffic destination/analyzer.
- **Ethernet 3 (LAN):** the internal user network.

### Target Configuration Plan

The following table outlines the IP addressing scheme we will implement.

| Device / Interface | IP Address / Subnet | Gateway | Role |
|---|---|---|---|
| AsterNOS (Eth1) | 192.168.200.166/24 | 192.168.200.1 | WAN ISP line (default internet access) |
| AsterNOS (Eth2) | 10.200.200.1/24 | 10.200.200.2 | WAN premium line (simulated path for Baidu traffic) |
| AsterNOS (Eth3) | 172.16.10.1/24 | N/A | LAN gateway (internal user gateway) |
| Laptop (Eth2) | 10.200.200.2/24 | N/A | Traffic analyzer (simulates premium GW) |
| Internal PC | 172.16.10.100/24 | 172.16.10.1 | Internal user |

Note: for the laptop connected to Ethernet 2, you must manually set its static IP to 10.200.200.2. It will capture the traffic steered by the PBR policy.

### Required Tools

- Wireshark installed on the laptop (Eth2) to verify traffic steering.
- Ping / browser on the internal PC to generate traffic.

## Phase 2: Building the Basic Network

In this phase, we establish the physical connectivity and basic NAT services. We will configure Ethernet 1 as the ISP link and Ethernet 2 as the premium link. Both interfaces will have NAT enabled to ensure internal users can communicate correctly with external networks (or our simulated probe).

### Configuration Steps

#### Step 1: Configure LAN Interface (Ethernet 3)

Configure the interface connecting to your internal test PC.

```
sonic# configure terminal
# Configure LAN gateway
sonic(config)# interface ethernet 3
sonic(config-if-3)# ip address 172.16.10.1/24
sonic(config-if-3)# no shutdown
sonic(config-if-3)# exit
```

#### Step 2: Configure WAN Interfaces (ISP & Premium)

We configure both WAN interfaces with their respective subnets and enable NAT zone 1 on both to support outbound address translation.

```
# Configure WAN 1 (ISP line)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.200.166/24
sonic(config-if-1)# nat zone 1
sonic(config-if-1)# no shutdown
sonic(config-if-1)# exit

# Configure WAN 2 (premium line / simulation)
# Connect your laptop here (static IP 10.200.200.2)
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 10.200.200.1/24
sonic(config-if-2)# nat zone 1
sonic(config-if-2)# no shutdown
sonic(config-if-2)# exit
```

#### Step 3: Configure Routing and NAT Rules

We set the default route to the ISP and define NAT pools for both uplinks. This ensures that whichever path traffic takes (steered by PBR or default), it gets a valid source IP.

```
# 1. Default route (traffic defaults to ISP)
sonic(config)# ip route 0.0.0.0/0 192.168.200.1

# 2. Enable global NAT
sonic(config)# nat enable

# 3. Define NAT pools
# Pool for ISP line (matches Eth1 IP)
sonic(config)# nat pool isp-pool 192.168.200.166
# Pool for premium line (matches Eth2 IP)
sonic(config)# nat pool premium-pool 10.200.200.1

# 4. Bind NAT pools to the rule
# Bind for ISP path
sonic(config)# nat binding snat-isp isp-pool
# Bind for premium path (traffic steered here will use this pool)
sonic(config)# nat binding snat-premium premium-pool
```

## Phase 3: Smart Traffic Steering (PBR)

We will now configure policy-based routing (PBR) to intelligently hijack Baidu traffic and force it through the premium line (Ethernet 2).

### Configuration Steps

#### Step 1: Configure PBR for Smart Steering

We define the policy map. Note: we include `match src-ip 0.0.0.0/0` to satisfy the flow-key requirement, combined with `geosite baidu` for application identification.

```
sonic# configure terminal
# Create PBR map matching Baidu
sonic(config)# pbr-map smart-steer seq 10
# Base match: all source IPs (required for flow key)
sonic(config-pbr-map)# match src-ip 0.0.0.0/0
# Application match: specific domain category
sonic(config-pbr-map)# geosite baidu
# Action: force next hop to premium gateway (laptop)
sonic(config-pbr-map)# set nexthop 10.200.200.2
sonic(config-pbr-map)# exit
```

#### Step 2: Apply Policy to LAN Interface

Bind the PBR policy to the interface where traffic enters the gateway (Ethernet 3).

```
sonic(config)# interface ethernet 3
sonic(config-if-3)# pbr-policy smart-steer
sonic(config-if-3)# exit
# Save configuration
sonic(config)# exit
sonic# write
```

## Phase 4: Security Compliance (ACL + GeoIP)

In this phase, we will shift focus from routing to security. We will deploy an access control list (ACL) to block access to specific content categories and restrict traffic based on geographic location.

### Prerequisites: Clean Up PBR Policy

Before applying the new security policies, we must remove the PBR policy configured in Phase 3 to ensure a clean testing environment and avoid policy conflicts.

```
sonic(config)# interface ethernet 3
# Remove the PBR policy from the LAN interface
sonic(config-if-3)# no pbr-policy smart-steer
sonic(config-if-3)# exit
```

### Configuration Steps

#### Step 1: Create Security ACL

We define an ACL named `secure-acl`, applied in the inbound direction:

- Rule 10 blocks all websites classified as "media" (e.g., BBC, CNN).
- Rule 20 blocks all IP addresses located in China (CN).
- Default behavior: traffic not matching these rules will be permitted by default.

```
# Create the IPv4 Layer 3 ACL
sonic(config)# access-list l3 secure-acl ingress
# Rule 10: block media applications (e.g., CNN)
# We use the GeoSite category 'category-media'
sonic(config-l3-acl-secure-acl)# rule 10 geosite category-media packet-action deny
# Rule 20: deny domestic traffic (GeoIP China)
# We use the GeoIP code 'cn'
sonic(config-l3-acl-secure-acl)# rule 20 geoip cn packet-action deny
sonic(config-l3-acl-secure-acl)# exit
```

#### Step 2: Apply ACL to LAN Interface

We apply this security policy to the LAN interface. Crucially, we also update the NAT binding: we replace the global NAT binding with an ACL-based NAT binding. This ensures that only traffic permitted by `secure-acl` is translated and allowed to access the internet.

```
sonic(config)# interface ethernet 3
sonic(config-if-3)# acl secure-acl
sonic(config-if-3)# exit
sonic(config)# no nat binding snat-isp
sonic(config)# nat binding secure-bind isp-pool secure-acl
```

#### Step 3: Save Configuration

```
sonic(config)# exit
sonic# write
```

### Verification (Phase 4)

1. **Verify media block.** Action: on the internal PC, try to access an international media site (e.g., www.cnn.com). Result: the connection should fail/time out. CLI validation: check the counters to see rule 10 incrementing:

   ```
   sonic# show counters acl
   ```

2. **Verify GeoIP rule.** Action: access a China website (e.g., www.baidu.com). Result: the connection should fail/time out (matches rule 20 deny).

3. **Verify normal access.** Action: try to access a non-media, non-CN site (e.g., a US-based technical site like www.gnu.org or stackoverflow.com). Result: access successful. The traffic does not match rule 10 or 20, so it is permitted and successfully NATed.

## Conclusion

You have successfully transformed the AsterNOS gateway into an intelligent, application-aware edge device:

- Routing: traffic is steered based on application identity (Google > premium line) using PBR.
- Security: traffic is filtered based on content category (games) and geography (CN) using ACLs.
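As an added example (not part of this guide and not AsterNOS code), the following Python model replays the Phase 3 PBR steering and the Phase 4 ACL plus ACL-based NAT binding over constructed flows, so you can check which flows land on which next hop and NAT pool, and why the PBR policy is removed before the security policy is tested. The GeoSite/GeoIP lookup tables, the sample destination addresses, the first-match rule order and the rule that denied flows are never translated are all assumptions made for the demo.

```python
"""Offline model of the policy chain this guide builds (added example, not
AsterNOS code). GeoSite/GeoIP tables, first-match ACL order and the
'denied flows are never NATed' behaviour are assumptions for the demo."""
from ipaddress import ip_address, ip_network

# Constructed lookup data; real GeoSite/GeoIP feeds are far larger.
GEOSITE = {
    "baidu": {"www.baidu.com"},
    "category-media": {"www.cnn.com", "www.bbc.com"},
}
GEOIP = {"cn": [ip_network("203.0.113.0/24")]}  # stand-in CN prefix (assumption)

# secure-acl from Phase 4: (rule number, match kind, argument, action).
SECURE_ACL = [
    (10, "geosite", "category-media", "deny"),
    (20, "geoip", "cn", "deny"),
]
# smart-steer seq 10 from Phase 3: (seq, geosite tag, next hop, NAT pool).
SMART_STEER = [(10, "baidu", "10.200.200.2", "premium-pool")]
DEFAULT_ROUTE = ("192.168.200.1", "isp-pool")  # ip route 0.0.0.0/0 + isp-pool


def geosite_match(domain, tag):
    return domain.lower() in GEOSITE.get(tag, set())


def geoip_match(dst_ip, code):
    return any(ip_address(dst_ip) in net for net in GEOIP.get(code, []))


def acl_action(domain, dst_ip, rules=SECURE_ACL):
    """Lowest rule number wins; traffic matching no rule is permitted."""
    for _, kind, arg, action in sorted(rules):
        hit = geosite_match(domain, arg) if kind == "geosite" else geoip_match(dst_ip, arg)
        if hit:
            return action
    return "permit"


def forward(domain, dst_ip, pbr=False, acl=False):
    """Return (action, next_hop, nat_pool) for one flow entering ethernet 3.
    pbr=True models Phase 3 (smart-steer bound); acl=True models Phase 4
    (secure-acl bound and NAT switched to the ACL-based secure-bind)."""
    if acl and acl_action(domain, dst_ip) == "deny":
        return ("deny", None, None)  # secure-bind only translates permitted flows
    if pbr:
        for _, tag, nexthop, pool in sorted(SMART_STEER):
            if geosite_match(domain, tag):
                return ("permit", nexthop, pool)
    return ("permit",) + DEFAULT_ROUTE
```

Calling `forward` with both flags set shows the conflict the Phase 4 prerequisite avoids: a Baidu flow that Phase 3 would steer to the premium line is simply dropped once rule 20 is active.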
