Cisco Hierarchical Internetworking Model with Vyatta – Distribution

This is a continuation of the first part of this series, where I discussed implementing a core layer router with Vyatta on any Intel x86 machine. That post can be found here. Implementing this type of architecture at home probably makes no sense at all; rest assured, my wonderful reasons are also covered in the first part. The same design can, however, be tweaked for a SOHO or small business environment.

Moving forward, what are the primary differences between the distribution layer and the core and access layers? In the Cisco model the core forwards packets as fast as possible and the access layer connects end devices, while the distribution layer is where routing between subnets, policy enforcement and filtering take place. That is why the firewall rules in this part live on this router rather than on the core.

Setting up the Distribution Router

Similar to the core router, we’re going to need a computer that is equipped with two network interfaces.

  • configure the external interface
  • configure the internal interface

Going forward from the Core Configuration

In Part 1, we configured the core router with an external address of 1.1.1.1/24 and an internal address of 10.0.0.1/29. Follow the same steps to install Vyatta on this machine and enter configuration mode (the configure command) before proceeding.

Configuring the External Interface (eth0)

Here, we configure the external address of the distribution router to be on the same /29 subnet as the internal address of the core router. Note that this is a static address: if the core router also runs a DHCP server on 10.0.0.0/29, make sure 10.0.0.2 is excluded from its pool, otherwise the same address can be handed out to another host on the link.

set interfaces ethernet eth0 address 10.0.0.2/29
commit

Configuring the Internal Interface (eth1)

We can now configure the internal address in the same way.

set interfaces ethernet eth1 address 172.16.0.1/29
commit

So, from here our internal network is 172.16.0.0/29 (subnet mask 255.255.255.248), which leaves six usable host addresses, 172.16.0.1 through 172.16.0.6. This distribution router takes the .1 address, and so the access router will get the .2 address.

Policies and Filtering

This section can get quite lengthy depending on the options you want to implement in your setup.

Instead of re-inventing the wheel, I’m going to include a few configuration settings from resources that are already available on the Carbonwind.net site. For the complete list of firewall configurations, please visit Vyatta VC5 – Simple Firewall and NAT Rules.

Keep in mind that the configurations below are quoted with Carbonwind’s addressing: the internal network is 192.168.40.0 (router at 192.168.40.1) and the Internet-facing eth0 is 192.168.22.240. Substitute the addresses used in this series (eth0 10.0.0.2 on the core link, eth1 172.16.0.1 on the internal network) when you apply them. Two further points a practitioner should watch: every quoted fragment uses rule 10, so if you paste several of them into the same firewall name, each later set of commands silently overwrites the earlier rule, and you must give each rule its own number. Also, a firewall name attached to an interface with local only filters traffic addressed to the router itself, and its default action is drop, so anything you do not explicitly accept (including management sessions) is blocked.

Allow DNS name resolution for Vyatta itself
Maybe you obtain the IP address on your Internet-facing interface through DHCP, so you do not know the IP addresses of the ISP DNS servers, as their IP addresses might change.

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 source port 53
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable
set interfaces ethernet eth0 firewall local name eth0local

Or maybe you have a static IP address on your Internet-facing interface, and you know the IP addresses of the ISP DNS servers. Below, we have assumed that the public IP address on the eth0 interface is 192.168.22.240 and the IP address of the ISP DNS server is 192.168.22.1.

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 source port 53
set firewall name eth0local rule 10 source address 192.168.22.1
set firewall name eth0local rule 10 destination address 192.168.22.240
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable
set interfaces ethernet eth0 firewall local name eth0local

Or you may use internal DNS server(s) and have configured them on Vyatta as name server(s). Note that in addition to the rule below you need to allow DNS through Vyatta from the internal DNS server; search the original Carbonwind article for that.

set firewall name eth1local rule 10 action accept
set firewall name eth1local rule 10 protocol udp
set firewall name eth1local rule 10 source address 192.168.40.2
set firewall name eth1local rule 10 source port 53
set firewall name eth1local rule 10 destination address 192.168.40.1
set firewall name eth1local rule 10 state established enable
set firewall name eth1local rule 10 state related enable
set interfaces ethernet eth1 firewall local name eth1local

Allow NTP for Vyatta itself
Say you’ve configured an NTP server on Vyatta. By default there is an external NTP server configured.

For this configured NTP server, we can add on the Internet-facing interface a firewall rule allowing returning NTP traffic (the NTP server’s replies), like the following. Below, we have assumed that the public IP address on the eth0 interface is 192.168.22.240 and the IP address of the NTP server is 69.59.150.135:

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 source address 69.59.150.135
set firewall name eth0local rule 10 source port 123
set firewall name eth0local rule 10 destination address 192.168.22.240
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable
set interfaces ethernet eth0 firewall local name eth0local

Allow HTTP and HTTPS for Vyatta itself
Say you want to allow HTTP/HTTPS traffic from Vyatta itself (destined to the Internet), for updates and so on. You then need to allow the returning HTTP/HTTPS traffic to Vyatta itself on that interface (connections initiated by Vyatta itself). Below, we have assumed that the public IP address on the eth0 interface is 192.168.22.240.

set firewall conntrack-tcp-loose disable
set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol tcp
set firewall name eth0local rule 10 source port 80,443
set firewall name eth0local rule 10 destination address 192.168.22.240
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable
set interfaces ethernet eth0 firewall local name eth0local

Dynamic IP address from DHCP on an interface

Say the Internet-facing interface (eth0) obtains its IP configuration from a DHCP server.

Basically we need to allow the DHCP server’s reply messages (server port 67 to client port 68).

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 destination port 68
set firewall name eth0local rule 10 source port 67
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable

set interfaces ethernet eth0 firewall local name eth0local
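The quoted fragments above all use rule 10 and Carbonwind’s addressing, so they cannot be pasted into one configuration as they are. Below is an added example (written for this page, not taken from the original post or from Carbonwind) that merges the DNS, NTP and HTTP/HTTPS fragments into a single eth0local ruleset for the distribution router described in this series. It assumes the addressing from Parts 1 and 2 (eth0 = 10.0.0.2/29 on the core link, eth1 = 172.16.0.1/29 on the internal network); the upstream DNS and NTP server addresses are not given anywhere in the series, so they are left unrestricted and the rules rely on connection tracking instead. The DHCP fragment is omitted because eth0 has a static address here.

```vyatta
# Added example, not from the original post or from Carbonwind.
# Assumed: eth0 = 10.0.0.2/29 (link to the core router), eth1 = 172.16.0.1/29.
# Upstream DNS/NTP addresses are assumed unknown, so no source address is set.

# Everything addressed to the router itself on eth0 is dropped unless a rule
# below accepts it. Each rule has its own number; reusing "rule 10" for every
# fragment, as in the quoted snippets, would overwrite the previous rule.
set firewall name eth0local description "Traffic to the router itself on the core link"
set firewall name eth0local default-action drop

# DNS replies to queries the router sent. "state established" means a packet
# from source port 53 is only accepted if it belongs to a flow the router
# opened, not just because it arrives from port 53.
set firewall name eth0local rule 10 description "DNS replies to the router"
set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 source port 53
set firewall name eth0local rule 10 destination address 10.0.0.2
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable

# NTP replies, same pattern on UDP/123.
set firewall name eth0local rule 20 description "NTP replies to the router"
set firewall name eth0local rule 20 action accept
set firewall name eth0local rule 20 protocol udp
set firewall name eth0local rule 20 source port 123
set firewall name eth0local rule 20 destination address 10.0.0.2
set firewall name eth0local rule 20 state established enable
set firewall name eth0local rule 20 state related enable

# HTTP/HTTPS replies for updates the router itself fetches. With tcp-loose
# disabled, a mid-stream TCP packet is not treated as "established" unless the
# handshake was seen, so only connections Vyatta initiated are matched.
set firewall conntrack-tcp-loose disable
set firewall name eth0local rule 30 description "HTTP/HTTPS replies to the router"
set firewall name eth0local rule 30 action accept
set firewall name eth0local rule 30 protocol tcp
set firewall name eth0local rule 30 source port 80,443
set firewall name eth0local rule 30 destination address 10.0.0.2
set firewall name eth0local rule 30 state established enable
set firewall name eth0local rule 30 state related enable

# Attach the ruleset to traffic destined for the router itself on eth0.
set interfaces ethernet eth0 firewall local name eth0local

commit
save
```

Before committing, remember that the default action drops every other packet addressed to the router on eth0, including any SSH or HTTPS management session you may be using from the core side; add an explicit accept rule for your management host first if you administer the box over that link. After the commit, show firewall name eth0local in operational mode lists the rules with their hit counters, which is the quickest way to confirm that replies are actually matching rules 10 to 30 rather than the default drop. If you later run an internal DNS server on the 172.16.0.0/29 side, the eth1local fragment quoted above translates the same way, with the server’s address as source and 172.16.0.1 as destination.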

I will conclude this portion of the series here. The next one will look at the access router and how it can be implemented and deployed in your network.

2 Comments

  1. Allan Leinwand

    RT @ahmeddirie: Bringing Home the Cisco Hierarchical Internetworking Model, with Vyatta of course – Part 2 http://bit.ly/5HJtAh #vyatta

  2. M8

    In the previous article, you configure the backbone router with a DHCP server and a pool of 5 host IPs:

    set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 start 10.0.0.2 end 10.0.0.6

    Yet in this post you configure the distribution router with a static IP of 10.0.0.2, instead of obtaining it dynamically using a DHCP client.

    Isn’t this going to pose a problem?
