Purview appliance with more interfaces on different subnets

Question (Answered), updated 2 years ago
Hi, is it possible to deploy the Purview appliance with more interfaces on different subnets, or behind a NAT device with respect to the Purview sensor?
In my scenario I've got a NAT device between my internal LAN, where I've got the ExtremeControl and the ExtremeAnalytics appliance (virtual), and the CoreFlow2 switch, which is on another subnet and which I reach through the NAT device.
As a test, I've NATted 1-1 the Extreme Analytics appliance and used the NAT IP address as the remote GRE endpoint on the CoreFlow2 switch.
In this test I see the GRE packets on the external interface of the NAT/router, but nothing reaches my internal Purview appliance.
How is it possible to use Purview in a deployment like that?
Thanks
Antonio Opromolla
Posted 2 years ago
Tony Thornton, Extreme Alumnus
Hi Antonio,

Maybe the Knowledge article below can be of help. It specifies NetSight, but it may be of use for Purview too if you have not already reviewed it.
How to setup NetSight to use multiple interfaces

Regards
Tony
Antonio Opromolla
Hi Tony, I've already seen the Knowledge article on NetSight with multiple NICs, but it doesn't work for Purview... the configuration wizard doesn't permit defining different subnet masks (for example an IP with mask 16 on the first NIC and an IP with mask 24 on the second NIC... I don't know if this is possible by changing the interface configuration files manually, and whether this works...).
In my case I'm trying to add a second NIC to the NetSight and connect one of them outside the NAT device... which receives the flow from a Purview appliance connected outside the NAT device...
Matthew Hum, Principal Engineer, APAC
Can you please post a diagram of what you have currently and what you are trying to accomplish? Thanks.
Antonio Opromolla
Hi Matthew, I attach the diagram of what I want to do (a Purview on my demo network 192.168.10/24, NATted 1-1 by a Windows 2012 R2 NAT router device to IP 172.16.151.102, which is the end of the GRE tunnel with the Purview sensor (in my lab an SSA switch)).
In this demo lab, I see the GRE packets on the external interface of the NAT router device, but nothing reaches the internal Purview engine.
In my second test, I've added a Purview engine on network 172.29/16 and then added a second NIC to the NetSight VM, with one NIC on my internal demo lab 192.168.10/24 and the second one attached to network 172.29/16.
I prefer the first schema with only one Purview engine NATted 1-1... is this schema possible, or do I need to put in the external Purview engine?
In this second case, when I add the Purview sensor to NetSight (which in this case has a second NIC connected directly to the same network 172.29/16 as the sensor), the OneView interface says that the sensor is not completely reachable... but they are on the same subnet and there is no firewall between them.
Matthew Hum, Principal Engineer, APAC
In your first test, this is expected. The GRE tunnel extends to the NAT device but then does not know what to do or where to go. If your NAT device supports GRE tunnels, then you need to create 2 tunnels, one between the SSA and the NAT device and another one between the NAT device and Purview. You then need to ensure that traffic is forwarded across the GRE tunnels appropriately. If this is a Linux device then you need to bridge the TUN interfaces.

As for your second test, I have no idea what you are trying to accomplish. You do not need to add a second NIC to NetSight. You have one of two choices: either add an additional interface on the Purview engine and have that in your demo network (192.168.1.x)

OR (and this is the better way)

move the management of the SSA onto your 172.29 network and not worry about NAT at all. Simply add an additional VLAN to the SSA, put an interface on it (with management enabled) and use "no ipforwarding"; now that interface will be a completely out-of-band interface and should be able to talk directly without having to deal with NAT.
Antonio Opromolla
Hi Matthew, thanks for your instructions. Regarding the first test, I use a Windows 2012 R2 server that acts as the NAT router device, so I need to check if it is possible to do as you suggest for this test (two GRE tunnels).
For the suggestion to move the management of the SSA switch to my demo networks, my company policy doesn't permit me to do that, because in this manner I've got a switch device that bypasses our internal firewalls.
Yes, IP forwarding is disabled between the VLANs, but the security administrators don't permit me to create such a schema.
I'll try to extend the GRE tunnel as a first demo.
Thanks,
Antonio
Matthew Hum, Principal Engineer, APAC
But the SSA does not have any connectivity between the networks. They don't allow any out-of-band management from network devices?

Can you put another interface on the Purview engine on the 192.168 network? That would be the easiest way to accomplish this. This way you can have one GRE tunnel between the SSA and the Purview engine, and then everything from NetSight to the Purview engine is across a separate NIC/network.

I don't think you can do the GRE tunnels on Windows as a GRE proxy/forwarder... also you would need to change the GRE config in the Purview engine, as it is a separate tunnel coming from your Windows box. Otherwise I am not aware of a GRE tunnel being able to be forwarded across a Windows NAT where Windows is not the endpoint.
Antonio Opromolla
In the first case, where I move the SSA management onto the 172.29/16 network, I've got a switch that has one NIC (the one that receives the mirror traffic) on the internal LAN and the management NIC on the demo lab, and I know that in this case it is secure, but for our policy I need to pass through the internal firewall (someone fears that if a hacker compromises the switch he can pass between the two networks without passing through the firewall).
Regarding adding a second NIC to the Purview engine, I can't, because I've tried to do this, but I've got networks with different masks and the wizard on the Purview engine wants me to use the same mask on all the interfaces... probably I need to configure this scenario in manual mode...
Matthew Hum, Principal Engineer, APAC
You should be able to accomplish this with option 3: Interface Tunnel Mirrored, and put that second interface on the 192.168 network. If you cannot set a different subnet mask this is a bug and should be followed up with GTAC.

As a workaround you configure both this way with the same subnet mask and then later manually go back and change the mask in the system config files.
Antonio Opromolla
Thanks Matthew, I'll try to do as you suggest.
Thanks
Antonio Opromolla
Hi Matthew, now I've done as you suggested and added a secondary interface in the Purview virtual appliance, and then manually modified the interface configuration so as to have a mask 16 on my secondary interface.
Now the GRE tunnel is between this secondary NIC, which is not NATted, and my remote Purview sensor.

My ifconfig on the Purview appliance is now (eth0 is connected directly to my ExtremeControl):

If I type tcpdump -i eth1 proto 47 I see the GRE packets with the remote sensor:

If I type tcpdump -i gre1 I see traffic from my remote network on the GRE tunnel:

But if I type tcpdump -i eth1 udp port 2055 on the same interface, I don't see NetFlow traffic coming in:

On the Purview sensor, the show flowlimits stats ge.1.2:

The show netflow statistics:

On the Purview sensor, if I type show tunnel:

My SSA config is the following:
SSA Chassis(su)->show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.

begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
!
# Chassis Firmware Revision: 08.42.02.0013
!
# system
set system login admin super-user enable password :9c154d41f1f5c25abf181337c94287d69e4d6669f98d5415fe29b50e:1:
!
# license
set license l3-s130 0001:S-EOS-L3-S130:1:5486d7ab:90:EXTREMENETWORKS:0:8d86714d:KGN/x08rfOsC25ycVfv7JB07LEskF0oQLfRmFxDbMbxNu9CQllKo6PDWBdkotTYe+3ktAgEwcr9MAztCnrVySw==
set license vsb 0001:SSA-EOS-VSB:1:543d216d:90:EXTREME:0:8d86714d:QlHxiu7SPtUMhVk7I+pfVBOV5syNtrTrGkeIpiaT0LkVGzIlmbFNllnjVkBezMxgQ7C083rDFzopQCGlsoEiVw== chassis 1
set license vsb 0001:SSA-EOS-VSB:1:543d2355:90:EXTREME_NETWORKS:0:8d86714d:NAkJcD4+OR9CNV+KPIQkdidGunUG1Vtio4MCs9KXGG5UHoGA25898EQhabog6v/o8bVOLALDHCoa8L/GcPFa8A== chassis 2
!
# bonding
!
# modal configuration
!
configure terminal
!
interface vlan.0.100
ip address 192.168.1.227 255.255.255.0 primary
no shutdown
exit
interface tun.0.1
tunnel destination 172.29.151.102
tunnel mode gre l2 ge.1.3
tunnel mirror enable
tunnel source 192.168.1.227
no shutdown
exit
!
# Static routes configured on routed interfaces
ip route 0.0.0.0/0 interface vlan.0.100 1
ip route 0.0.0.0/0 192.168.1.191 interface vlan.0.100 1
!
!
!
!

# cfm modal configuration
!
!
!
!
exit
!
# ip dns
!
# ip interface
set ip interface vlan.0.100 default
!
# antispoof
!
# authentication
!
# auto-tracking
!
# banner
!
# boot high-availability
!
# bridge
!
# cdp
set cdp state disable ge.1.1-4
!
# cep
!
# ciscodp
set ciscodp port status disable ge.1.1-4
!
# cli
!
# console
!
# cos port-config
!
# cos port-resource
!
# cos reference
!
# cos settings
!
# cos state
!
# cos syslog
!
# dcb appPri
!
# dcb cn
!
# dcb pfc
!
# dot1x
!
# flowlimit
!
# forcelinkdown
!
# garp
!
# gvrp
set gvrp disable
!
# history
!
# igmp
!
# inlinepower
!
# lacp
set lacp disable
!
# length
!
# limits
!
# line-editor
!
# link-state
!
# linkflap
!
# lldp
set lldp port status disable ge.1.1-4
!
# logging
!
# logout
!
# mac
!
# macauthentication
!
# maclock
!
# macsec
!
# mgmt-auth-notify
!
# mirror
set mirror create 1
set mirror 1 mirrorN 15
set mirror ports ge.1.3 1
!
# mld
!
# movedaddrtrap
!
# mrp
!
# mtu
!
# multiauth
!
# mvrp
!
# neighbors
!
# netflow
set netflow export-interval 1
set netflow export-destination 172.29.151.102 2055
set netflow export-version 9
set netflow export-rate 20000 1
set netflow export-data enable mac
set netflow export-data enable vlan
set netflow port ge.1.2 enable rx
set netflow template refresh-rate 30 timeout 1
set netflow cache enable
!
# newaddrtrap
!
# nodealias
!
# physical
!
# pki
!
# policy
set policy profile 1 name Pureview pvid-status enable pvid 0 mirror-destination 1
set policy rule admin-profile port ge.1.2 mask 16 port-string ge.1.2 admin-pid 1
!
# port
set port duplex ge.1.1-4 full
set port jumbo enable ge.1.1
set port jumbo mtu dynamic enable ge.1.1
set port speed ge.1.1-4 1000
set port vlan ge.1.1 100
set port vlan ge.1.2 101
set port vlan ge.1.3 1234
set port vlan ge.1.4 1235
!
# prompt
!
# pwa
!
# quarantine-agent
!
# radius
!
# radius-snooping
!
# rmon alarm
!
# rmon capture
!
# rmon channel
!
# rmon event
!
# rmon filter
!
# rmon history
!
# rmon host
!
# rmon matrix
!
# rmon stats
!
# rmon topN
!
# security
!
# smon
!
# snmp
set snmp access groupRW security-model v1 exact read All write All notify All
set snmp access groupRW security-model v2c exact read All write All notify All
set snmp access v3group security-model usm privacy exact read All write All notify All
set snmp group groupRW user public security-model v1
set snmp group groupRW user public security-model v2c
set snmp group v3group user snmpuser security-model usm
set snmp user snmpuser authentication md5 :9846d86dc8a4ca8833fa6bca0e123a471fcd5294ceb99dee7c9b8787: privacy :38f4dd08ccb9ce8828e04fd2362b0e26353350aa6ca4e6a8b672e7a2:
set snmp view viewname All subtree 1
set snmp view viewname All subtree 0.0
!
# sntp
!
# spantree
set spantree stpmode none
set spantree portadmin ge.1.1 disable
set spantree portadmin ge.1.2 disable
set spantree portadmin ge.1.3 disable
set spantree portadmin ge.1.4 disable
!
# spb
!
# ssh
set ssh enabled
!
# summertime
!
# tacacs
!
# telnet
!
# timezone
!
# tunnel
!
# vlan
set vlan create 100-101,1234-1235
clear vlan egress 1 lag.0.1-62;tbp.0.1-62;ge.1.1-48;tg.1.1-4
set vlan egress 100 ge.1.1 untagged
set vlan egress 101 ge.1.2 untagged
set vlan egress 1234 ge.1.3 untagged
set vlan egress 1235 ge.1.4 untagged
!
# vlanauthorization
!
# webview
!
# width
!
end

SSA Chassis(su)->

What could the problem be now, in your opinion?

Thanks in advance for your help.
Antonio Opromolla
I forgot to say before that if I attach a PC to the same switch where my ge.1.1 interface of the SSA sensor is attached, and I use a NetFlow version 9 packet generator, I see the packets on my Purview appliance...
It seems that my SSA sensor doesn't send the NetFlow packets out...
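When a test generator on the same switch is seen by the collector but the sensor's own export is not, it helps to confirm exactly what the collector interface receives and that it really is NetFlow v9. The script below is an added example, not code from the thread and not Extreme/Purview tooling: it decodes the 20-byte NetFlow v9 packet header and walks the FlowSet headers that follow it, and `listen()` binds UDP port 2055 (the export port in the posted SSA config) and summarises each datagram. `SAMPLE_PACKET` is a constructed v9 datagram carrying one template FlowSet, included so the parser can be exercised offline.

```python
"""Sanity-check NetFlow v9 datagrams on the collector side (added example)."""
import socket
import struct

# NetFlow v9 packet header: version, count, sysUptime, unixSecs, sequence, sourceId
V9_HEADER = struct.Struct("!HHIIII")
# Every FlowSet starts with: flowset id, length in bytes (including these 4 bytes)
FLOWSET_HEADER = struct.Struct("!HH")


def parse_v9(data):
    """Return a dict describing the datagram, or raise ValueError if it is malformed."""
    if len(data) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    flowsets = []
    offset = V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(data):
        fs_id, fs_len = FLOWSET_HEADER.unpack_from(data, offset)
        if fs_len < FLOWSET_HEADER.size or offset + fs_len > len(data):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {offset}")
        if fs_id == 0:
            kind = "template"            # data templates
        elif fs_id == 1:
            kind = "options-template"
        elif fs_id >= 256:
            kind = "data"                # records described by a template id
        else:
            kind = "reserved"
        flowsets.append({"id": fs_id, "length": fs_len, "kind": kind})
        offset += fs_len
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "sequence": seq, "source_id": source_id,
            "flowsets": flowsets}


# Constructed sample: header (count=1) followed by one template FlowSet that
# defines template 256 with two 4-byte fields, IN_BYTES (type 1) and IN_PKTS (type 2).
SAMPLE_PACKET = (V9_HEADER.pack(9, 1, 123456, 1500000000, 42, 1)
                 + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 1, 4, 2, 4))


def listen(port=2055, max_packets=None):
    """Bind UDP `port` and print a one-line summary per datagram (Ctrl-C to stop)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    seen = 0
    while max_packets is None or seen < max_packets:
        data, (src, sport) = sock.recvfrom(65535)
        seen += 1
        try:
            info = parse_v9(data)
            kinds = ",".join(f"{f['kind']}#{f['id']}" for f in info["flowsets"])
            print(f"{src}:{sport} v9 seq={info['sequence']} src_id={info['source_id']} "
                  f"records={info['count']} flowsets=[{kinds}]")
        except ValueError as err:
            print(f"{src}:{sport} rejected: {err}")


if __name__ == "__main__":
    print(parse_v9(SAMPLE_PACKET))   # offline check of the parser
    listen()                         # then watch the real export port
```

A steadily increasing `seq` from the sensor's source id confirms the exporter is the SSA and not the test PC; a run of "rejected" lines points at something other than v9 on the port.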
Matthew Hum, Principal Engineer, APAC
Your eth0 address is 192.168.10.102, and your GRE tunnel is from the SSA to the Purview appliance (not the post-NAT address), so I'm assuming the 192.168.1.x address.
Also, this would be the same destination interface that the NetFlow would go to.
Antonio Opromolla
In my case the GRE tunnel is between the SSA IP address 192.168.1.227 and the IP 172.29.151.102, which is the value assigned to the secondary NIC of my Purview appliance attached outside the NAT device, whereas the eth0 IP address is 192.168.10.102 and this interface is attached to a virtual switch "inside", behind the NAT device.
So now the GRE tunnel is the red line in the picture below of the new schema.
Matthew Hum, Principal Engineer, APAC
If you do successive show netflow statistics, do you see the exported packets increase?
You can also try disabling the cache and re-enabling it.

Also, your diagram says tg.1.2 is your mirror port but the config has ge.1.2...?
Antonio Opromolla
Hi Matthew, yes, my mirror port is ge.1.2; on the schema an old interface is written...
Yes, the exported packets increase...

Then I've disabled and re-enabled the NetFlow cache, but it seems that the NetFlow UDP packets to destination port 2055 don't reach the Purview appliance...
Antonio Opromolla
Hi Matthew, I've removed the wrong default gateway entry in the SSA configuration:
ip route 0.0.0.0/0 interface vlan.0.100 1
and now the NetFlow packets on UDP port 2055 arrive at the Purview engine, also on the external interface of the Purview VM.
Regards,
Antonio
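The fix above was a routing entry, not a NetFlow setting: the posted config carried two default routes at the same metric, one of them an interface-only route with no next-hop gateway, and the sensor's export traffic went nowhere useful until that entry was removed. The script below is an added example, not Extreme's or the SSA's own tooling: it parses the `ip route`, `tunnel destination` and `set netflow export-destination` lines of a `show config` dump and reports a default route without a next hop, several default routes sharing one metric, and an export destination that differs from the GRE tunnel endpoint. `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted config; `FIXED_CONFIG` is the same excerpt with the offending route removed.

```python
"""Audit an Extreme EOS 'show config' dump for the routing/NetFlow settings
that caused the missing export in this thread (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the non-default config posted in the thread.
SAMPLE_CONFIG = """\
interface vlan.0.100
ip address 192.168.1.227 255.255.255.0 primary
no shutdown
exit
interface tun.0.1
tunnel destination 172.29.151.102
tunnel mode gre l2 ge.1.3
tunnel mirror enable
tunnel source 192.168.1.227
no shutdown
exit
ip route 0.0.0.0/0 interface vlan.0.100 1
ip route 0.0.0.0/0 192.168.1.191 interface vlan.0.100 1
set netflow export-destination 172.29.151.102 2055
set netflow export-version 9
"""
# The same excerpt after the fix described in the last post.
FIXED_CONFIG = SAMPLE_CONFIG.replace("ip route 0.0.0.0/0 interface vlan.0.100 1\n", "")

# 'ip route <prefix> [<next-hop>] [interface <ifname>] [<metric>]'
ROUTE_RE = re.compile(
    r"^ip route (?P<prefix>\S+)"
    r"(?: (?P<nexthop>\d+\.\d+\.\d+\.\d+))?"
    r"(?: interface (?P<iface>\S+))?"
    r"(?: (?P<metric>\d+))?$")
TUNNEL_DST_RE = re.compile(r"^tunnel destination (\S+)$")
NETFLOW_DST_RE = re.compile(r"^set netflow export-destination (\S+) (\d+)$")


@dataclass
class Route:
    prefix: str
    nexthop: Optional[str]
    iface: Optional[str]
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Extract every 'ip route' statement; metric defaults to 1 when omitted."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            metric = int(m["metric"]) if m["metric"] else 1
            routes.append(Route(m["prefix"], m["nexthop"], m["iface"], metric))
    return routes


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    lines = [line.strip() for line in text.splitlines()]
    defaults = [r for r in parse_routes(text) if r.prefix == "0.0.0.0/0"]

    # (1) an interface-only default route has no gateway to hand packets to
    for r in defaults:
        if r.nexthop is None:
            findings.append(f"default route via {r.iface} has no next-hop gateway")

    # (2) two default routes at one metric compete for the same traffic
    by_metric = {}
    for r in defaults:
        by_metric.setdefault(r.metric, []).append(r)
    for metric, rs in sorted(by_metric.items()):
        if len(rs) > 1:
            findings.append(f"{len(rs)} default routes share metric {metric}")

    # (3) the collector should be the GRE endpoint the mirror is tunnelled to
    tunnel_dsts = {m.group(1) for m in map(TUNNEL_DST_RE.match, lines) if m}
    for m in map(NETFLOW_DST_RE.match, lines):
        if m and m.group(1) not in tunnel_dsts:
            findings.append(f"netflow export-destination {m.group(1)} differs "
                            f"from tunnel destination(s) {sorted(tunnel_dsts)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Feed it the output of `show config` (the audit ignores every line it does not recognise), and treat finding (1) as the first thing to remove: a default route with no gateway on the export VLAN is exactly the entry that broke delivery here.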