In large networks, it often happens that multiple logical networks use the same network devices for their traffic. This traffic needs to be separated at the devices, first and foremost to reduce the risk of unauthorized cross-network access.
Virtual routers, or Virtual Routing and Forwarding (VRF) features, provide traffic separation by organizing network interfaces into independent groups. The traffic from one interface group cannot reach other interface groups.
Each virtual router has its own routing table. A virtual router's routing table can contain route records defined statically or obtained using dynamic routing protocols, such as BGP, OSPF, or RIP.
Different virtual routers are allowed to use the same IP networks (IP overlapping).
Network interfaces that have not been assigned explicitly to one of the virtual routers are automatically assigned to the Default virtual router.
Virtual routers have the following limitations:
- The following services can only be used in the default virtual router:
  - WCCP
  - ICAP
  - DNS
  - Authorization
  - Any network traffic generated by the device itself, such as license checks, update downloads, log uploads, sending email/SMS messages, SNMP traps, etc.
- The NAT, DNAT, and port forwarding rules apply to all virtual routers.
- The zones are global: the zone settings and interface-to-zone mappings apply to all virtual routers.
To add a virtual router, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a new virtual router. | In the Network ➜ Virtual routers section, click Add and provide a name and description for the new virtual router. If you have a cluster, specify the name of the cluster node on which this virtual router is being created. |
| Step 2. Add network interfaces to the newly created virtual router. | On the Interfaces tab, select the network interfaces that should be added to this virtual router. Interfaces that are already added to other virtual routers are not available for selection; any single interface can belong to only one virtual router. All types of interfaces, including physical, virtual (VLAN), bond, VPN, and others, can be added to a virtual router. |
| Step 3. (Optional) Add static routes. | Add the routes (except the default route) that will be applied to the traffic in this virtual router. For more details, see the Static Routes section. The default route is added in the Network ➜ Gateways section. For more details on configuring gateways, see the Gateway Configuration section. |
| Step 4. (Optional) Add dynamic routes obtained using the OSPF routing protocol. | Configure the OSPF protocol to build a dynamic route map. For more details, see the OSPF section. |
| Step 5. (Optional) Add dynamic routes obtained using the BGP routing protocol. | Configure the BGP protocol to build a dynamic route map. For more details, see the BGP section. |
| Step 6. (Optional) Add dynamic routes obtained using the RIP routing protocol. | Configure the RIP protocol to build a dynamic route map. For more details, see the RIP section. |
| Step 7. (Optional) Configure multicasting. | Configure the multicasting settings for this virtual router. For more details, see the Multicasting section. |
Static Routes
This section describes how to specify a route to a network that is behind a specific router. For example, a local network can have a router that combines several IP subnets. The route is applied locally to the specific cluster node and virtual router where it is created.
To add a route, follow these steps:

| Name | Description |
|---|---|
| Step 1. Select a virtual router. | If there are several virtual routers, select the desired one. |
| Step 2. Provide a name and description for the route. | In the Network ➜ Virtual routers section, select Static routes in the menu and click Add. Provide a name for the new route. Optionally, you can also provide a description for the route. |
| Step 3. Select the route type. | The following route types are available: |
| Step 4. Specify the destination address. | Specify the subnet the route will point to, such as 172.16.20.0/24 or 172.16.20.5/32. |
| Step 5. Specify the gateway. | Specify the IP address of the gateway through which the above subnet will be accessible. This IP address must be reachable from NGFW. |
| Step 6. Specify the network interface. | Specify the network interface through which the route will be added. If you keep the default value, Automatically, NGFW determines the interface based on the IP address settings of the available network interfaces. |
| Step 7. Specify the metric. | Specify the metric for the route. If there are multiple routes to this network, the route with the lower metric value has the higher priority. |
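The per-virtual-router behaviour described above (a separate routing table per virtual router, IP overlapping between them, unassigned interfaces landing in Default, the Automatically interface choice, and longest prefix then lowest metric for static routes) as an added example; this is not NGFW product code, and VirtualRouter, Device, build_demo and the port/tenant names are assumptions:

```python
# Added example, not NGFW product code; VirtualRouter, Device and the port/tenant names are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address, ip_interface, ip_network
from typing import Optional


@dataclass
class StaticRoute:
    destination: IPv4Network
    gateway: IPv4Address
    interface: str    # resolved at creation when left to "Automatically"
    metric: int = 1


class VirtualRouter:
    """One VRF: its own interfaces and its own routing table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.interfaces: dict[str, IPv4Interface] = {}
        self.routes: list[StaticRoute] = []

    def add_route(self, dest: str, gateway: str, interface: Optional[str] = None,
                  metric: int = 1) -> StaticRoute:
        gw = ip_address(gateway)
        # "Automatically": the interface whose connected subnet contains the gateway.
        auto = next((n for n, ifa in self.interfaces.items() if gw in ifa.network), None)
        if auto is None:  # the gateway must be reachable from this virtual router
            raise ValueError(f"gateway {gw} is not reachable from {self.name}")
        if interface is None:
            interface = auto
        elif interface not in self.interfaces:
            raise ValueError(f"{interface} does not belong to {self.name}")
        route = StaticRoute(ip_network(dest), gw, interface, metric)
        self.routes.append(route)
        return route

    def lookup(self, dst: str) -> Optional[tuple[str, Optional[str], str]]:
        """Longest prefix wins, then lowest metric; returns (prefix, gateway, interface)."""
        target = ip_address(dst)
        candidates = []
        for name, ifa in self.interfaces.items():  # connected: no gateway, metric 0
            if target in ifa.network:
                candidates.append(((ifa.network.prefixlen, 0), (str(ifa.network), None, name)))
        for r in self.routes:
            if target in r.destination:
                candidates.append(((r.destination.prefixlen, -r.metric),
                                   (str(r.destination), str(r.gateway), r.interface)))
        return max(candidates, key=lambda c: c[0])[1] if candidates else None


class Device:
    def __init__(self) -> None:
        self.vrfs: dict[str, VirtualRouter] = {"Default": VirtualRouter("Default")}

    def vrf_of(self, iface: str) -> VirtualRouter:
        owner = next((v for v in self.vrfs.values() if iface in v.interfaces), None)
        if owner is None:
            raise KeyError(iface)
        return owner

    def add_interface(self, name: str, address: str, vrf: str = "Default") -> None:
        """Unassigned interfaces land in Default; an interface has exactly one owner."""
        if any(name in v.interfaces for v in self.vrfs.values()):
            raise ValueError(f"{name} is already assigned to a virtual router")
        self.vrfs.setdefault(vrf, VirtualRouter(vrf)).interfaces[name] = ip_interface(address)

    def forward(self, ingress: str, dst: str):
        """Traffic is routed only within the VRF that owns its ingress interface."""
        vrf = self.vrf_of(ingress)
        return vrf.name, vrf.lookup(dst)


def build_demo() -> Device:
    dev = Device()  # constructed: two tenants re-using 192.168.10.0/24 (IP overlapping)
    dev.add_interface("port1", "203.0.113.1/24")                # unassigned -> Default
    dev.add_interface("port2", "192.168.10.1/24", "tenant-a")
    dev.add_interface("port3", "192.168.10.1/24", "tenant-b")   # same subnet, other VRF
    a, b = dev.vrfs["tenant-a"], dev.vrfs["tenant-b"]
    a.add_route("172.16.20.0/24", "192.168.10.254", metric=10)  # interface chosen automatically
    a.add_route("172.16.20.0/24", "192.168.10.200", metric=5)   # same prefix: lower metric wins
    a.add_route("172.16.20.5/32", "192.168.10.254", metric=20)  # longer prefix beats metric
    b.add_route("172.16.0.0/16", "192.168.10.254")
    return dev
```

A packet entering on port1 (Default) finds no route to 172.16.20.5 even though both tenants have one, because lookups never cross virtual routers.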
Dynamic Routing Protocols
Dynamic routing protocols are used to signal which networks are currently connected to each of the routers. Routers communicate using routing protocols. NGFW updates the kernel routing table in accordance with the information it receives from the neighboring routers.
Dynamic routing does not change how the kernel performs routing at the IP layer. The kernel keeps looking up routes to hosts and networks as well as default routes in its routing table. The only thing that changes is how routes are managed in the routing table: instead of the manual method, they are added and removed dynamically.
NGFW supports three dynamic routing protocols: OSPF, BGP, and RIP.
OSPF
Routes are only added to the virtual router in which the OSPF protocol is configured.
OSPF (Open Shortest Path First) is a link-state dynamic routing protocol that uses Dijkstra's algorithm to find the shortest path.
The OSPF protocol disseminates information on the available routes among the routers that operate within a single autonomous system (AS). For more details on how the OSPF protocol works, see the relevant technical documentation.
To configure OSPF in NGFW, follow these steps:

| Name | Description |
|---|---|
| Step 1. Select a virtual router. | If there are several virtual routers, select the desired one. |
| Step 2. Enable the OSPF router. | In the NGFW console, go to the Network ➜ Virtual routers section, select OSPF in the menu, and configure the OSPF router. |
To configure an OSPF router, provide the following settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables this OSPF router. |
| Router ID | The router's IP address. Must be unique and specified in IPv4 format (for convenience, it can match one of the IP addresses assigned to the NGFW network interfaces that belong to this virtual router). |
| Redistribute | Redistributes to other OSPF routers the routes to networks directly connected to NGFW (connected) and the static routes added by the administrator for this virtual router (kernel). |
| Metric | Sets the metric for the redistributed routes. |
| Default originate | Notifies other routers that this router has a default route. |
To configure OSPF interfaces, provide these settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables the interface. |
| Interface | Select one of the existing interfaces on which OSPF will run. Only the interfaces belonging to this virtual router are available for selection. |
| Network type | Select a network type to optimize the adjacency establishment process. The following settings are available: |
| Passive mode | Enables or disables the passive operating mode of the interface, in which routing protocol update packets are not sent through the interface. |
| Cost | The link cost for this interface. This value is reported in the LSA (link-state advertisement) to the neighboring routers, which use it to compute the shortest path. Default value: 1. |
| Priority | An integer in the range from 0 to 255. The higher the value, the higher the probability that this router will become the network's designated router for sending out LSAs. A value of 0 excludes the router from being designated. Default value: 1. |
| Hello interval | The time interval in seconds between hello packets sent by the router. This should be the same for all routers in an autonomous system. The default value is 10 seconds. |
| Dead interval | The time interval in seconds after which the neighboring router is considered offline. The time is counted from the moment the last hello packet is received from the neighboring router. The default value is 40 seconds. |
| Retransmit interval | The time interval before an LSA packet is retransmitted. The default value is 5 seconds. |
| Transmit delay | The approximate time it takes to deliver a link state update to the neighboring routers. The default value is 1 second. |
| Bfd profile | Defines the BFD settings for OSPF monitoring. This makes it possible for the corresponding BFD session connection events to instantly update the OSPF interface status. |
| Authentication Enabled | Turns on mandatory authentication for each OSPF message received by the router. Authentication is normally used to prevent the injection of a fake route from illegitimate routers. |
| Authentication type | The options are: The Key value can only include Latin letters, numbers, and the underscore character. Maximum length: 16 characters. |
To configure OSPF areas, provide these settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables this area. |
| Name | The area name. |
| Cost | The cost of an LSA announced in the stub area. |
| Area ID | The ID for the area. The ID can be specified in decimal format or in IP address format. The area ID must match to establish an OSPF adjacency. |
| Authorization type | The options are: The interface-level authentication takes precedence over zone-level authorization. |
| Area type | Defines the type of the area. The following area types are supported: |
| No summary | Prohibits injecting summarized routes into stub-type areas. |
| Interfaces | Select the OSPF interfaces on which this area will be available. |
| Virtual links | A special type of connection that makes it possible, for example, to interconnect a partitioned area or to connect an area to the backbone area via another area. It is configured between two ABRs. Routers can transmit OSPF packets encapsulated in IP packets over such links. This mechanism is used as a temporary solution or as a backup in case the primary connections fail. You can specify the IDs of the routers available via this zone. |
BGP
Routes are only added to the virtual router in which the BGP protocol is configured.
BGP (Border Gateway Protocol) is a dynamic routing protocol that belongs to the class of exterior gateway protocols (EGP, Exterior Gateway Protocol). Currently, it is the main dynamic routing protocol used on the Internet. The BGP protocol is designed to exchange routing and reachability information among autonomous systems (AS): groups of routers under common technical management and administration that use intra-domain routing protocols to determine routes within the group and an inter-domain routing protocol to determine routes for packet delivery to other ASs. The information transmitted includes the list of ASs that can be reached via this system. The best routes are selected based on the rules in place in the network. For more details on how the BGP protocol works, see the relevant technical documentation.
To configure BGP in NGFW, follow these steps:

| Name | Description |
|---|---|
| Step 1. Select a virtual router. | If there are several virtual routers, select the desired one. |
| Step 2. Enable the BGP router. | In the NGFW console, go to the Network ➜ Virtual routers section, select BGP in the menu, and configure the BGP router. |
| Step 3. Specify the filters and optional routemaps to limit the number of routes to receive. | In the Filters section, click Add and configure the Routemap and filter settings. Add as many routemaps/filters as required for BGP to work in your organization. |
| Step 4. Add at least one BGP neighbor (peer). | In the Neighbors section, click Add and configure the settings for the router in the neighboring AS. Add as many neighbors as required. Important! RFC 8212 mandates that export and import filters be added for each neighbor. Without import filters, the router will not receive routes from that neighbor, and without export filters, the router will not advertise routes to that neighbor. If several IP addresses are assigned to the NGFW interface from which the connection to a neighbor is established, and no NAT rule force-assigns a source address to the BGP session with this neighbor, you need to specify the primary IP address (the one listed first in the interface settings) as the NGFW address when configuring the BGP neighbor. |
To configure a BGP router, provide the following settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables this BGP router. |
| Router ID | The router's IP address. Must match one of the IP addresses assigned to the NGFW network interfaces that belong to this virtual router. |
| AS number | An autonomous system is a system of IP networks and routers managed by one or more operators that have a single routing policy. The autonomous system number identifies the router as belonging to that system. |
| Redistribute | Redistributes to other BGP routers the routes to networks directly connected to NGFW (connected), the static routes added by the administrator for this virtual router (kernel), or the routes received using the OSPF protocol. |
| Multiple path | Enables traffic load balancing across routes with identical cost. |
| Networks | The list of networks that belong to this AS. |
To add BGP neighbors, click Add and provide these settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables this neighbor. |
| Host | The neighbor's IP address. |
| Description | An arbitrary description for the neighbor. |
| Remote ASN | The neighbor's AS number. |
| Weight | The weight assigned to route data received from this neighbor. |
| TTL | The maximum allowed number of hops to this neighbor. |
| Bfd profile | Configures BGP monitoring using a BFD profile to enable faster detection of connection faults. For more information on configuring BFD, see BFD Profiles. |
| Announce self as next hop for BGP | Advertises this router's own IP address as the next hop (next-hop-self) in the routes sent to this neighbor. |
| Multihop for eBGP | Indicates that the connection to this neighbor is indirect (more than a single hop). |
| Route reflector client | Indicates whether the neighbor is a route reflector client. |
| Soft reconfiguration | Use soft reconfiguration (without terminating connections) for configuration updates. |
| Default originate | Advertises the default route to this neighbor. |
| Authentication | Enables authentication for this neighbor. The authentication password is set here. |
| BGP neighbor filters | Limits the route information received from the neighbor or advertised to it. |
Routemaps |
Routemaps are used to manage routing tables and specify the match conditions under which routes are passed between domains. |
A routemap allows filtering of routes on redistribution and modification of various route attributes. To create a routemap, provide the following settings:

| Name | Description |
|---|---|
| Name | The routemap name. |
| Action | Sets the action for this routemap. Can take the following values: |
| Match by | Routemap conditions. Can take the following values: |
| Set next hop | Sets the next hop for the filtered routes to this IP address. |
| Set weight | Sets the weight for the filtered routes to this value. |
| Set metric | Sets the metric for the filtered routes to this value. |
| Set preference | Sets the preference for the filtered routes to this value. |
| Set AS prepend | Sets the AS-prepend value, which is a list of autonomous systems prepended to this route's AS path. |
| Community | Sets the BGP community value for the filtered routes. |
Filters allow you to filter routes when redistributing. To create a filter, provide the following settings:

| Name | Description |
|---|---|
| Name | The filter name. |
| Action | Sets the action for this filter. Can take the following values: |
| Filter by | Filter conditions. Can take the following values: |
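How the neighbor filters and routemaps above combine on a BGP session, as an added example rather than NGFW product code: per-neighbor import and export policies built from the routemap set actions, with the RFC 8212 behaviour from Step 4 (no filter means no routes exchanged). The "permit"/"deny" action values, matching routes by prefix list, and the Route, RouteMap, Neighbor and demo names are assumptions, since the page does not list the actual action and match values.

```python
# Added example, not NGFW product code: BGP neighbor import/export policy modelled on the
# routemap and filter fields above. "permit"/"deny" actions, prefix matching and all names are assumed.
from dataclasses import dataclass, field, replace
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple[int, ...]
    metric: int = 0
    weight: int = 0
    preference: int = 100
    communities: tuple[str, ...] = ()

@dataclass
class RouteMap:
    """One routemap/filter entry: match by prefix, then permit (applying set actions) or deny."""
    name: str
    action: str                       # "permit" or "deny" (assumed values)
    match_prefixes: tuple[str, ...]   # matches when the route lies inside any listed network
    set_next_hop: Optional[str] = None
    set_weight: Optional[int] = None
    set_metric: Optional[int] = None
    set_preference: Optional[int] = None
    set_as_prepend: tuple[int, ...] = ()
    set_community: Optional[str] = None

    def matches(self, route: Route) -> bool:
        net = ip_network(route.prefix)
        return any(net.subnet_of(ip_network(p)) for p in self.match_prefixes)

    def apply(self, route: Route) -> Route:
        scalar = (("next_hop", self.set_next_hop), ("weight", self.set_weight),
                  ("metric", self.set_metric), ("preference", self.set_preference))
        changes = {k: v for k, v in scalar if v is not None}
        if self.set_as_prepend:
            changes["as_path"] = self.set_as_prepend + route.as_path
        if self.set_community is not None:
            changes["communities"] = route.communities + (self.set_community,)
        return replace(route, **changes)

def run_policy(entries: list[RouteMap], route: Route) -> Optional[Route]:
    """First match decides; no entries or no match drops the route (the RFC 8212 default above)."""
    for e in entries:
        if e.matches(route):
            return e.apply(route) if e.action == "permit" else None
    return None

@dataclass
class Neighbor:
    host: str
    remote_asn: int
    weight: int = 0                  # weight given to routes received from this neighbor
    next_hop_self: bool = False      # "Announce self as next hop for BGP"
    import_policy: list[RouteMap] = field(default_factory=list)
    export_policy: list[RouteMap] = field(default_factory=list)

def receive(n: Neighbor, routes: list[Route]) -> list[Route]:
    """Routes learned from n: the neighbor weight is assigned, then the import policy runs."""
    results = (run_policy(n.import_policy, replace(r, weight=n.weight)) for r in routes)
    return [r for r in results if r is not None]

def advertise(n: Neighbor, routes: list[Route], local_asn: int, own_ip: str) -> list[Route]:
    """Routes sent to n: export policy, then own AS prepended and optional next-hop-self."""
    out = []
    for r in routes:
        p = run_policy(n.export_policy, r)
        if p is not None:
            out.append(replace(p, as_path=(local_asn,) + p.as_path,
                               next_hop=own_ip if n.next_hop_self else p.next_hop))
    return out

def demo() -> tuple[list[Route], list[Route]]:
    # Constructed sample: we are AS 64500; 64501 is an upstream peer and 64502 a customer.
    learned = [Route("10.10.0.0/16", "198.51.100.2", (64501,)),
               Route("10.20.0.0/16", "198.51.100.2", (64501, 64510)),
               Route("192.0.2.0/24", "198.51.100.2", (64501,))]
    upstream = Neighbor("198.51.100.2", 64501, weight=50, import_policy=[RouteMap(
        "in-10", "permit", ("10.0.0.0/8",), set_preference=200, set_community="64500:100")])
    customer = Neighbor("203.0.113.2", 64502, next_hop_self=True,
                        export_policy=[RouteMap("out-10", "permit", ("10.10.0.0/16",),
                                                set_as_prepend=(64500, 64500), set_metric=50)])
    accepted = receive(upstream, learned)
    return accepted, advertise(customer, accepted, 64500, "203.0.113.1")
```

A neighbor created with neither import_policy nor export_policy exchanges no routes at all, which is what Step 4 warns about.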
RIP
Routes are only added to the virtual router in which the RIP protocol is configured.
RIP (Routing Information Protocol) is a distance-vector routing protocol that uses the number of intermediate routers (hops) as its routing metric. For more details on how the RIP protocol works, see the relevant technical documentation.
To configure RIP in NGFW, follow these steps:

| Name | Description |
|---|---|
| Step 1. Select a virtual router. | If there are several virtual routers, select the desired one. |
| Step 2. Enable the RIP router. | In the NGFW console, go to the Network ➜ Virtual routers section, select RIP in the menu, and configure the RIP router. |
| Step 3. Specify the RIP networks. | In the NGFW console, go to the Network ➜ Virtual routers section, select RIP in the menu, and specify the RIP networks for which the RIP protocol will be used. |
| Step 4. Configure the RIP interfaces. | In the NGFW console, go to the Network ➜ Virtual routers section, select RIP in the menu, and configure the RIP interfaces. |
To configure a RIP router, provide the following settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables this RIP router. |
| RIP version | Specifies the RIP protocol version. Normally, v2 is used. |
| Default metric | The route cost. The metric is normally equal to 1 and cannot exceed 15. |
| Administrative distance | The cost of routes received using the RIP protocol. Default value for the RIP protocol: 120. This is used for route selection when routes can be received using multiple methods (OSPF, BGP, static). |
| Default originate | Notifies other routers that this router has a default route. |
A RIP router will send routing updates only from the interfaces for which RIP networks are specified. At least one network must be specified for the protocol to work correctly. The administrator can specify the RIP network using the CIDR notation, such as 192.168.1.0/24, or select the network interface from which updates will be sent.
To configure RIP interfaces, provide these settings:

| Name | Description |
|---|---|
| Interface | Select the interface that will be used for RIP routing. Only the interfaces belonging to this virtual router are available for selection. |
| Send version | Specifies the RIP protocol version that the router will send. |
| Receive version | Specifies the RIP protocol version that the router will receive. |
| Password | The authentication string that will be sent and received in RIP packets. All routers participating in the RIP information exchange must have an identical password. |
| Split horizon | A method of preventing routing loops in which the router does not send network information via the interface on which the update was received. |
| Poison reverse | A method of preventing routing loops in which the router sets a route cost of 16 (unreachable) and sends it back to the neighbor from which the route was received. |
| Passive mode | Sets an operating mode in which the interface receives RIP updates but does not send them. |
In the route redistribution settings, you can specify which routes are sent to the neighbors. Redistribution can be enabled for routes received using the OSPF and BGP dynamic routing protocols, routes to networks directly connected to NGFW (connected), and routes added by the administrator in the Routes section (kernel).
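The RIP interface options above (Split horizon, Poison reverse, Passive mode), the Default metric applied to redistributed routes, and the 16 = unreachable rule, shown as an added example of what a router sends and how it merges what it receives; this is not NGFW product code, and RipRoute, RipInterface, build_update, receive_update and the sample table are constructed:

```python
# Added example, not NGFW product code: the RIP update a router sends per interface under the
# Split horizon / Poison reverse / Passive mode options above, and how a received update is
# applied (16 = unreachable). RipRoute, RipInterface and the sample table are constructed.
from dataclasses import dataclass
from typing import Optional

RIP_INFINITY = 16   # metrics are 1..15; 16 means "unreachable"


@dataclass(frozen=True)
class RipRoute:
    prefix: str
    metric: int                        # hop count as this router sees it
    source: str                        # "rip", "connected", "kernel", "ospf" or "bgp"
    learned_on: Optional[str] = None   # interface a RIP-learned route came in on


@dataclass
class RipInterface:
    name: str
    split_horizon: bool = True
    poison_reverse: bool = False
    passive: bool = False              # receive updates, never send them


def build_update(table: list[RipRoute], iface: RipInterface,
                 redistribute: tuple[str, ...] = ("connected",),
                 default_metric: int = 1) -> list[tuple[str, int]]:
    """Entries this router advertises out of iface. Redistributed (non-RIP) routes carry
    the Default metric; routes learned on this very interface are suppressed (split horizon)
    or advertised back as unreachable (poison reverse)."""
    if iface.passive:
        return []
    if not 1 <= default_metric <= RIP_INFINITY - 1:
        raise ValueError("Default metric must be between 1 and 15")
    entries = []
    for r in table:
        if r.source != "rip" and r.source not in redistribute:
            continue
        metric = r.metric if r.source == "rip" else default_metric
        if r.learned_on == iface.name:
            if iface.poison_reverse:
                metric = RIP_INFINITY
            elif iface.split_horizon:
                continue
        entries.append((r.prefix, metric))
    return entries


def receive_update(table: list[RipRoute], iface_name: str,
                   entries: list[tuple[str, int]]) -> list[RipRoute]:
    """Merge a neighbor's update: each advertised route costs one more hop via that neighbor.
    A poisoned (16) entry withdraws a route previously learned from the same neighbor."""
    routes = {r.prefix: r for r in table}
    for prefix, metric in entries:
        new_metric = min(metric + 1, RIP_INFINITY)
        current = routes.get(prefix)
        same_neighbor = current is not None and current.learned_on == iface_name
        if new_metric >= RIP_INFINITY:
            if same_neighbor:
                del routes[prefix]
            continue
        if current is None or same_neighbor or new_metric < current.metric:
            routes[prefix] = RipRoute(prefix, new_metric, "rip", iface_name)
    return list(routes.values())


# Constructed sample routing table of one virtual router.
SAMPLE_TABLE = [
    RipRoute("192.168.1.0/24", 0, "connected"),
    RipRoute("172.16.0.0/16", 0, "kernel"),               # static route added by the admin
    RipRoute("10.0.0.0/24", 2, "rip", learned_on="eth1"),
]
```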
Multicasting
The IP multicast technology significantly reduces the amount of network traffic by delivering a single information stream to thousands of consumers or more, which is especially efficient for voice and video traffic delivery. The traditional traffic delivery methods are unicast (point-to-point) and broadcast. Multicast allows delivery of traffic to a group of hosts, called a multicast group. The recipient hosts that want to receive this traffic must join (become members of) the corresponding multicast group. To add hosts to a multicast group, the Internet Group Management Protocol (IGMP) is used. A multicast group is identified by its multicast address. For multicast addresses, a Class D subnet is reserved with the most significant 4 bits set to 1110. Thus, the address range for multicasting is 224.0.0.0 to 239.255.255.255.
Routers need to provide efficient traffic delivery from the multicast source to the recipients. For that purpose, the Protocol Independent Multicast (PIM) is used in routers.
Routers in a multicast environment can have one of the three roles: First Hop Router (FHR), Rendezvous Point (RP), and Last Hop Router (LHR). The FHR is located closest to the multicast source and is responsible for registering the source in the network. The RP is a catalog of available multicast sources for the Any Source Multicast (ASM) mode. The LHR is located closest to the multicast recipient. Clients (multicast recipients) in local networks connected to the LHR use the IGMP protocol to register in the multicast group of interest by sending an IGMP membership report message.
NGFW can be used as an LHR for the local networks connected to it. For client (recipient) registration, NGFW supports the IGMPv3 and IGMPv2 protocols.
For communicating with other multicast routers, NGFW can only use the PIM Sparse Mode (PIM-SM). This is a mode where multicast traffic is sent only to those recipients that have explicitly requested it. The recipients must periodically confirm their desire to receive multicast traffic.
NGFW supports the Source Specific Multicast (SSM) mode and Any Source Multicast (ASM) modes.
Source Specific Multicast (SSM) is used when the recipient of the traffic explicitly specifies a multicast source known to it. In this mode, addresses are written as follows:
rtp://<src_ip>@<group_address>:<port>, where src_ip is the multicast source address, group_address is the multicast group address, and port is the port. Example: rtp://10.10.10.10@239.0.0.5:4344
In Any Source Multicast (ASM) mode, the multicast recipient specifies the multicast group from which it wants to receive multicast traffic. For this mode to work, a Rendezvous Point (RP) router is required. The RP determines the multicast source for this multicast group and this recipient, and then the source and recipient choose the best network path for sending this multicast traffic. In this mode, addresses are written as follows:
rtp://@<group_address>:<port>, where group_address is the multicast group address and port is the port. Example: rtp://@239.0.0.5:4344
To configure NGFW as an LHR multicast router, follow these steps:

| Name | Description |
|---|---|
| Step 1. Configure a multicast router. | In the NGFW console, go to the Network ➜ Virtual routers section, select Multicast router in the menu, and configure it. |
| Step 2. Specify the interfaces on which this router will work. | Select the interface that will be used for multicasting. Only the interfaces belonging to this virtual router are available for selection. |
| Step 3. (Optional) Define the Rendezvous points for ASM. | In the NGFW console, go to the Network ➜ Virtual routers section, select Rendezvous points in the menu, and specify the addresses of the rendezvous points. |
| Step 4. (Optional) Set the desired restrictions on the available multicast groups for ASM. | In the NGFW console, go to the Network ➜ Virtual routers section, select Rendezvous points in the menu, go to the ASM allowed groups tab, and specify the addresses of the allowed multicast groups. If you leave the list empty, all multicast group addresses will be allowed. |
| Step 5. (Optional) Set the desired restrictions on the available multicast groups for SSM. | In the NGFW console, go to the Network ➜ Virtual routers section, select SSM allowed groups in the menu, and specify the addresses of the allowed multicast groups. If you leave the list empty, all multicast group addresses will be allowed. |
When configuring a multicast router, you can provide these settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables the multicast router in this virtual router. |
| Use ECMP | Enables multi-path traffic distribution using the Equal Cost Multi Path (ECMP) technology. Requires that several routes exist to the network node of interest. If this option is disabled, all traffic to a specific destination host is sent through only one of the routers (next hop). |
| Use ECMP rebalance | If this option is enabled and one of the interfaces used for sending traffic goes offline, all existing streams are redistributed between the remaining routes (next hops). If disabled, only the streams that were sent via the now-offline interface are redistributed. |
| JOIN/PRUNE time (sec) | The time interval in seconds (60-600) used to send messages to the PIM neighbors about the multicast groups from which the router wants, or no longer wants, to receive traffic. |
| Multicast register suppress time (sec) | The time interval in seconds (5-60,000) after which the router sends a register suppress message. |
| Keep-alive time (sec) | The time interval in seconds (31-60,000) at which the router sends keepalive messages to neighbors, and also the time to wait before considering a neighbor unavailable. |
When configuring interfaces, you can provide these settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables multicasting on this interface. |
| Interface | Select the interface that will be used for multicasting. Only the interfaces belonging to this virtual router are available for selection. |
| Multicast HELLO sending timeout (sec) | The time interval in seconds (1-180) used to send PIM HELLO messages. These messages are sent periodically from all interfaces on which multicasting is enabled. They let the router learn about neighbor routers that support multicasting. |
| DR selection priority | The router's priority (1-4294967295) in the selection of a Designated router (DR). The administrator can use this to manage DR selection for the local network. |
| Enable IGMP | Receive IGMP report and IGMP query messages on this interface. |
| Use IGMPv2 | Use version 2 of IGMP. By default, version 3 (IGMPv3) is used. |
When configuring Rendezvous points, you can specify the following parameters:

| Name | Description |
|---|---|
| Enabled | Enables or disables this RP. |
| Name | The RP name. |
| IP address | The unicast IP address of this RP. |
| Allowed ASM groups | The list of allowed multicast group addresses for any-source multicast from this RP. Any networks in the range 224.0.0.0/4 can be specified. If empty, there are no restrictions. |
Allowed SSM groups: specifies the list of allowed multicast group addresses for source-specific multicast. Any networks from the range 232.0.0.0/8 can be specified. If empty, there are no restrictions.
SPT exclusions: specifies the list of IPv4 multicast groups excluded from switching to the shortest path tree.
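The rtp:// address forms given for SSM and ASM above, together with the ASM and SSM allowed-group lists (empty list means no restriction, ASM entries from 224.0.0.0/4, SSM entries from 232.0.0.0/8), as an added example of parsing and checking a client's multicast request; this is not NGFW product code, and the function names and sample lists are constructed:

```python
# Added example, not NGFW product code: parsing the rtp://[src@]group:port forms above,
# classifying a request as SSM or ASM and checking it against allowed-group lists (an empty
# list allows everything). Function names and the sample lists are constructed.
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

MULTICAST = ip_network("224.0.0.0/4")   # Class D: 224.0.0.0 to 239.255.255.255
SSM_RANGE = ip_network("232.0.0.0/8")   # range from which SSM allowed groups are taken

_RTP_URL = re.compile(r"^rtp://(?:(?P<src>[^@/:]*)@)?(?P<group>[^@/:]+):(?P<port>\d{1,5})$")


@dataclass(frozen=True)
class MulticastRequest:
    mode: str                       # "SSM" (source given) or "ASM" (group only)
    source: Optional[IPv4Address]
    group: IPv4Address
    port: int


def parse_rtp_url(url: str) -> MulticastRequest:
    """rtp://<src_ip>@<group>:<port> is SSM; rtp://@<group>:<port> (or no '@') is ASM."""
    m = _RTP_URL.match(url)
    if m is None:
        raise ValueError(f"not an rtp:// multicast address: {url!r}")
    group = ip_address(m["group"])
    if group not in MULTICAST:
        raise ValueError(f"{group} is not a multicast group address")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if m["src"]:
        return MulticastRequest("SSM", ip_address(m["src"]), group, port)
    return MulticastRequest("ASM", None, group, port)


def load_allowed_groups(entries: list[str], scope: IPv4Network) -> list[IPv4Network]:
    """Validate a configured list: ASM entries must lie in 224.0.0.0/4, SSM entries in 232.0.0.0/8."""
    nets = []
    for e in entries:
        net = ip_network(e)
        if not net.subnet_of(scope):
            raise ValueError(f"{net} is outside the permitted range {scope}")
        nets.append(net)
    return nets


def group_allowed(req: MulticastRequest, asm_allowed: list[IPv4Network],
                  ssm_allowed: list[IPv4Network]) -> bool:
    """Apply the ASM or SSM allowed-group list; an empty list means no restriction."""
    allowed = ssm_allowed if req.mode == "SSM" else asm_allowed
    return not allowed or any(req.group in net for net in allowed)
```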