# GeoSite&GeoIP-VPP Case
## Introduction

This guide is a step-by-step tutorial for configuring application-aware routing and security compliance policies using the GeoSite/GeoIP capabilities of the Asterfusion ET2500 Open Intelligent Gateway running AsterNOS VPP.

## What This Guide Will Accomplish

By following this guide you will upgrade a basic routed network into an intelligent, application-aware gateway. Unlike traditional Layer 3 routing, which is based solely on IP addresses, this guide shows how to route and filter traffic based on domain names (GeoSite) and geographic location (GeoIP).

The scenarios covered are:

- Smart traffic steering (app-aware routing): configuring the gateway to identify one application's traffic by domain (this guide uses the GeoSite list `baidu`) and route it through a dedicated premium line, while keeping general traffic on the standard ISP line.
- Security compliance (GeoIP and filtering): implementing policies that block employee access to a whole content category (this guide uses the GeoSite category `category-media`) and deny traffic to IP addresses geolocated in a given country (this guide uses the GeoIP code `cn`).

## Phase 1: Preparation and Environmental Overview

### Network Topology Plan

We use the following interfaces to simulate a dual-uplink enterprise environment. Based on the lab setup, a secondary laptop simulates the "premium" gateway for verification purposes.

- Ethernet 1 (WAN 1, ISP): the standard internet connection (connected to the upstream switch).
- Ethernet 2 (WAN 2, Premium): a simulated low-latency line. A laptop is connected here to act as the traffic destination/analyzer.
- Ethernet 3 (LAN): the internal user network.

### Target Configuration Plan

The following table outlines the IP addressing scheme we will implement.

| Device / Interface | IP Address / Subnet | Gateway | Role |
|---|---|---|---|
| AsterNOS (Eth1) | 192.168.200.166/24 | 192.168.200.1 | WAN ISP line (default internet access) |
| AsterNOS (Eth2) | 10.200.200.1/24 | 10.200.200.2 | WAN premium line (simulated path for Baidu traffic) |
| AsterNOS (Eth3) | 172.16.10.1/24 | N/A | LAN gateway (internal user gateway) |
| Laptop (Eth2) | 10.200.200.2/24 | N/A | Traffic analyzer (simulates premium GW) |
| Internal PC | 172.16.10.100/24 | 172.16.10.1 | Internal user |

Note: the laptop connected to Ethernet 2 must have its IP set statically to 10.200.200.2. It captures the traffic steered by the PBR policy.

### Required Tools

- Wireshark installed on the laptop (Eth2) to verify traffic steering.
- Ping / a browser on the internal PC to generate traffic.

## Phase 2: Building the Basic Network

In this phase we establish physical connectivity and basic NAT. Ethernet 1 is configured as the ISP link and Ethernet 2 as the premium link. NAT is enabled on both WAN interfaces so that internal users can reach external networks (or our simulated probe) with a valid source address.

### Configuration Steps

#### Step 1: Configure LAN interface (Ethernet 3)

Configure the interface connecting to your internal test PC.

```
sonic# configure terminal
# Configure LAN gateway
sonic(config)# interface ethernet 3
sonic(config-if-3)# ip address 172.16.10.1/24
sonic(config-if-3)# no shutdown
sonic(config-if-3)# exit
```

#### Step 2: Configure WAN interfaces (ISP and Premium)

We configure both WAN interfaces with their respective subnets and place both in NAT zone 1 to support outbound address translation.

```
# Configure WAN 1 (ISP line)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.200.166/24
sonic(config-if-1)# nat zone 1
sonic(config-if-1)# no shutdown
sonic(config-if-1)# exit

# Configure WAN 2 (premium line / simulation)
# Connect your laptop here (static IP 10.200.200.2)
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 10.200.200.1/24
sonic(config-if-2)# nat zone 1
sonic(config-if-2)# no shutdown
sonic(config-if-2)# exit
```

#### Step 3: Configure routing and NAT rules

We set the default route to the ISP and define NAT pools for both uplinks. This ensures that whichever path traffic takes (steered by PBR or the default route), it leaves with a valid source IP for that uplink.

```
# 1. Default route (traffic defaults to ISP)
sonic(config)# ip route 0.0.0.0/0 192.168.200.1

# 2. Enable global NAT
sonic(config)# nat enable

# 3. Define NAT pools
# Pool for ISP line (matches Eth1 IP)
sonic(config)# nat pool isp-pool 192.168.200.166
# Pool for premium line (matches Eth2 IP)
sonic(config)# nat pool premium-pool 10.200.200.1

# 4. Bind NAT pools to rules
# Binding for the ISP path
sonic(config)# nat binding snat-isp isp-pool
# Binding for the premium path (traffic steered there uses this pool)
sonic(config)# nat binding snat-premium premium-pool
```

## Phase 3: Smart Traffic Steering (PBR)

We now configure policy-based routing (PBR) to identify Baidu traffic and force it through the premium line (Ethernet 2) instead of the default route.

### Configuration Steps

#### Step 1: Configure PBR for smart steering

We define the policy map. Note: `match src-ip 0.0.0.0/0` is included to satisfy the flow-key requirement; it is combined with `geosite baidu` for application identification.

```
sonic# configure terminal
# Create PBR map matching Baidu
sonic(config)# pbr-map smart-steer seq 10
# Base match: all source IPs (required for the flow key)
sonic(config-pbr-map)# match src-ip 0.0.0.0/0
# Application match: a specific domain list
sonic(config-pbr-map)# geosite baidu
# Action: force the next hop to the premium gateway (laptop)
sonic(config-pbr-map)# set nexthop 10.200.200.2
sonic(config-pbr-map)# exit
```

#### Step 2: Apply policy to LAN interface

Bind the PBR policy to the interface where traffic enters the gateway (Ethernet 3).

```
sonic(config)# interface ethernet 3
sonic(config-if-3)# pbr-policy smart-steer
sonic(config-if-3)# exit

# Save configuration
sonic(config)# exit
sonic# write
```

### Verification (Phase 3)

On the internal PC, access www.baidu.com. On the laptop, Wireshark on the Ethernet 2 link should show the steered packets arriving with source 10.200.200.1 (the `premium-pool` address), not 192.168.200.166 and not the PC's 172.16.10.x address. Because the laptop only captures and does not forward, the session to Baidu is not expected to complete; the capture is the proof of steering. Traffic to any other destination should keep leaving via Ethernet 1 and must not appear on the laptop.

## Phase 4: Security Compliance (ACL + GeoIP)

In this phase we shift focus from routing to security. We deploy an access control list (ACL) to block access to a content category and to restrict traffic based on geographic location.

### Prerequisite: Clean Up PBR Policy

Before applying the new security policies, remove the PBR policy configured in Phase 3 to ensure a clean testing environment and avoid policy conflicts.

```
sonic(config)# interface ethernet 3
# Remove the PBR policy from the LAN interface
sonic(config-if-3)# no pbr-policy smart-steer
sonic(config-if-3)# exit
```

### Configuration Steps

#### Step 1: Create security ACL

We define an ACL named `secure-acl` applied in the inbound direction:

- Rule 10 blocks all websites classified as "media" (e.g., BBC, CNN).
- Rule 20 blocks all IP addresses geolocated in China (CN).
- Default behaviour: traffic matching neither rule is permitted.

```
# Create the IPv4 Layer 3 ACL
sonic(config)# access-list l3 secure-acl ingress
# Rule 10: block media applications (e.g., CNN)
# We use the GeoSite category 'category-media'
sonic(config-l3-acl-secure-acl)# rule 10 geosite category-media packet-action deny
# Rule 20: deny traffic to China (GeoIP CN)
# We use the GeoIP code 'cn'
sonic(config-l3-acl-secure-acl)# rule 20 geoip cn packet-action deny
sonic(config-l3-acl-secure-acl)# exit
```

#### Step 2: Apply ACL to LAN interface

We apply this security policy to the LAN interface. Crucially, we also update the NAT binding: the global NAT binding is replaced with an ACL-based NAT binding, so that only traffic permitted by `secure-acl` is translated and allowed out to the internet.

```
sonic(config)# interface ethernet 3
sonic(config-if-3)# acl secure-acl
sonic(config-if-3)# exit
sonic(config)# no nat binding snat-isp
sonic(config)# nat binding secure-bind isp-pool secure-acl
```

#### Step 3: Save configuration

```
sonic(config)# exit
sonic# write
```

### Verification (Phase 4)

1. Verify the media block. Action: on the internal PC, try to access an international media site (e.g., www.cnn.com). Result: the connection should fail or time out. CLI validation: check the counters and confirm that rule 10 is incrementing:

```
sonic# show counters acl
```

2. Verify the GeoIP deny. Action: access a website hosted in China (e.g., www.baidu.com). Result: the connection should fail or time out (matches rule 20, deny). Rule 20's counter should increment.

3. Verify normal access. Action: access a non-media, non-CN site (e.g., a US-based technical site such as http://www.gnu.org or stackoverflow.com). Result: access succeeds. The traffic matches neither rule 10 nor rule 20, so it is permitted and successfully NATed.

A time-out on its own does not prove that the ACL did the blocking (a DNS or upstream failure looks the same from the PC), so confirm each deny case with the rule counters rather than with the browser alone.

## Conclusion

You have transformed the AsterNOS gateway into an intelligent, application-aware edge device:

- Routing: traffic is steered based on application identity (Baidu to the premium line) using PBR.
- Security: traffic is filtered based on content category (media) and geography (CN) using ACLs.
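The Phase 3 verification relies on reading a Wireshark capture on the laptop by eye. The following added Python script (not part of this page and not AsterNOS code) makes that check repeatable: it reads lines exported from the laptop with `tshark -i <iface> -T fields -e ip.src -e ip.dst -e tcp.dstport -E separator=,` and reports whether every packet that reached the premium link is a Baidu flow carrying the `premium-pool` source address. The lab addresses are taken from the table above; `BAIDU_IPS` and the sample capture are constructed stand-ins (replace `BAIDU_IPS` with the addresses www.baidu.com actually resolves to when you run the test). It also flags the two misconfigurations a practitioner most wants to catch here: a LAN address leaking untranslated onto the premium provider, and non-Baidu traffic being steered because the PBR match is too broad.

```python
"""Check a capture taken on the laptop attached to Ethernet 2 (simulated premium line).

Added example; not AsterNOS code. Input lines are in the form produced by
  tshark -i <iface> -T fields -e ip.src -e ip.dst -e tcp.dstport -E separator=,
Addresses are from the lab plan; BAIDU_IPS and SAMPLE_CAPTURE are constructed.
"""
import ipaddress

PREMIUM_SNAT_IP = "10.200.200.1"      # premium-pool: expected source on Eth2
ISP_SNAT_IP = "192.168.200.166"       # isp-pool: must never appear on Eth2
LAN_NET = ipaddress.ip_network("172.16.10.0/24")
LAPTOP_IP = "10.200.200.2"
BAIDU_IPS = {"203.0.113.10", "203.0.113.11"}  # constructed; use real resolved IPs

# Constructed capture: two correct steered flows, one untranslated LAN leak,
# one non-Baidu flow wrongly steered, and one local laptop<->gateway packet.
SAMPLE_CAPTURE = """\
10.200.200.1,203.0.113.10,443
10.200.200.1,203.0.113.11,80
172.16.10.100,203.0.113.10,443
10.200.200.1,198.51.100.7,443
10.200.200.2,10.200.200.1,22
"""


def parse_capture(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for raw in text.splitlines():
        parts = raw.strip().split(",")
        if len(parts) != 3 or not all(parts):
            continue
        src, dst, dport = parts
        yield src, dst, int(dport)


def classify(src, dst, baidu_ips=BAIDU_IPS):
    """Classify one packet seen on the premium link.
    ok            steered Baidu flow carrying the premium SNAT address
    leak_private  LAN address reached the premium link untranslated
    wrong_pool    ISP pool address used on the premium interface
    overmatch     non-Baidu destination steered to the premium line
    local         laptop <-> gateway traffic, not relevant to the check
    """
    if src == LAPTOP_IP or dst in (PREMIUM_SNAT_IP, LAPTOP_IP):
        return "local"
    if ipaddress.ip_address(src) in LAN_NET:
        return "leak_private"
    if src == ISP_SNAT_IP:
        return "wrong_pool"
    if dst not in baidu_ips:
        return "overmatch"
    return "ok"


def check_steering(text, baidu_ips=BAIDU_IPS):
    """Return a dict of category -> packet count for the capture."""
    counts = {}
    for src, dst, _ in parse_capture(text):
        cat = classify(src, dst, baidu_ips)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def steering_verified(counts):
    """Steering passes only if Baidu flows were seen and no failure category occurred."""
    failures = ("leak_private", "wrong_pool", "overmatch")
    return counts.get("ok", 0) > 0 and not any(counts.get(f) for f in failures)


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    result = check_steering(data)
    print(result, "PASS" if steering_verified(result) else "FAIL")
```

Pipe the tshark output into the script on the laptop; a `leak_private` hit means the `nat zone`/`premium-pool` binding is not translating steered packets, and an `overmatch` hit means the PBR map is catching more than the `baidu` list.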
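The Phase 4 ACL is evaluated top-down: the first matching rule decides, and a flow that matches neither rule 10 nor rule 20 is permitted. The following added Python model (not AsterNOS code; how the gateway classifies a flow into a GeoSite list or a GeoIP country is not described on this page, so each constructed flow simply carries those attributes) replays that evaluation for the three verification cases and shows two consequences a practitioner should keep in mind: rule order decides the outcome when a permit and a deny both match, and a deny-list with an implicit permit fails open for destinations whose country cannot be determined.

```python
"""Model of the Phase 4 ACL: ordered rules, first match wins, implicit permit.

Added example, not AsterNOS code. A flow is a dict of the attributes the
gateway's classifier would derive (GeoSite lists the destination belongs to,
GeoIP country of the destination); how AsterNOS derives them is not modelled.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    seq: int
    desc: str                     # CLI text, for reporting only
    match: Callable[[dict], bool]
    action: str                   # "deny" or "permit"


def geosite(name):
    """Match flows whose destination is in the named GeoSite list."""
    return lambda f: name in f.get("geosite", ())


def geoip(country):
    """Match flows whose destination is geolocated to the given country code."""
    return lambda f: f.get("geoip") == country


# Mirrors the page's secure-acl:
#   rule 10 geosite category-media packet-action deny
#   rule 20 geoip cn packet-action deny
SECURE_ACL = [
    Rule(10, "geosite category-media packet-action deny", geosite("category-media"), "deny"),
    Rule(20, "geoip cn packet-action deny", geoip("cn"), "deny"),
]


def evaluate(acl, flow):
    """Return (action, matching_seq). Rules are tried in seq order and the first
    match decides; no match means implicit permit, reported with seq None."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.match(flow):
            return rule.action, rule.seq
    return "permit", None


# Constructed flows: the page's three verification targets plus a destination
# whose country lookup produced no result.
FLOWS = {
    "www.cnn.com":   {"geosite": ("category-media",), "geoip": "us"},
    "www.baidu.com": {"geosite": ("baidu",), "geoip": "cn"},
    "www.gnu.org":   {"geosite": (), "geoip": "us"},
    "unknown-geo":   {"geosite": (), "geoip": None},
}


def report(acl=SECURE_ACL, flows=FLOWS):
    return {name: evaluate(acl, f) for name, f in flows.items()}


def with_baidu_permit(seq, acl=SECURE_ACL):
    """Add a hypothetical 'geosite baidu packet-action permit' at the given seq.
    Below 20 it wins; above 20 it is shadowed by the CN deny."""
    return acl + [Rule(seq, "geosite baidu packet-action permit", geosite("baidu"), "permit")]


def fails_open(acl=SECURE_ACL):
    """True if a flow with no GeoIP result slips past the country deny."""
    return evaluate(acl, {"geosite": (), "geoip": None})[0] == "permit"


if __name__ == "__main__":
    for name, (action, seq) in report().items():
        print(f"{name:15} -> {action:6} (rule {seq})")
    print("permit baidu at seq 15:", evaluate(with_baidu_permit(15), FLOWS["www.baidu.com"]))
    print("permit baidu at seq 25:", evaluate(with_baidu_permit(25), FLOWS["www.baidu.com"]))
    print("fails open on unknown geo:", fails_open())
```

The `unknown-geo` case is the one to think about when you ship a country deny-list: rule 20 only fires when the lookup returns `cn`, so a destination with no GeoIP data is treated like any other unmatched flow and permitted. If the policy intent is "domestic only" rather than "block CN", the ACL needs an explicit final deny, which the page's configuration does not have.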
