
Nile Segments Mapping to FW Zones


Introduction

This document describes a solution that uses a third-party intermediate L3 switch to satisfy both the Nile L3 design and the firewall's expectation of incoming tagged LAN traffic segmented into security zones.

The following Proof of Concept breaks down the solution into three parts:

  • Nile NSB provisioning.
  • Palo Alto Firewall configuration of a trunk uplink interface and security zones mapped to each VLAN in the trunk.
  • Cisco 3750 configuration acting as the Nile NSB uplink and mapping Nile segments to different VLANs on a trunk port to the Palo Alto firewall.

Topology



Document image


Nile NSB Configuration

NSB Provisioning

Document image


Nile Segments

Segment      Subnet
Nile-Dot1x   192.168.100.0/24
Nile-PSK     192.168.101.0/24
Nile-Guest   192.168.102.0/24



Palo Alto Firewall Configuration

Pertinent UI Screenshots

Document image




PAN Zones




PAN Static Routes


PAN CLI Pertinent Configuration

set network interface ethernet ethernet1/1 layer3 ip 10.1.251.241/27
set network interface ethernet ethernet1/2 layer3 ndp-proxy enabled no
set network interface ethernet ethernet1/2 layer3 sdwan-link-settings upstream-nat enable no
set network interface ethernet ethernet1/2 layer3 sdwan-link-settings upstream-nat static-ip
set network interface ethernet ethernet1/2 layer3 sdwan-link-settings enable no
set network interface ethernet ethernet1/2 layer3 sdwan-link-settings ipv6-enable no
set network interface ethernet ethernet1/2 layer3 lldp enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 sdwan-link-settings upstream-nat enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 sdwan-link-settings enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 sdwan-link-settings ipv6-enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 ndp-proxy enabled no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 adjust-tcp-mss enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 ip 192.168.0.9/30
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 tag 102
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 interface-management-profile Ping
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 sdwan-link-settings upstream-nat enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 sdwan-link-settings enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 sdwan-link-settings ipv6-enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 ndp-proxy enabled no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 adjust-tcp-mss enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 tag 100
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 ip 192.168.0.1/30
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 interface-management-profile Ping
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 sdwan-link-settings upstream-nat enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 sdwan-link-settings enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 sdwan-link-settings ipv6-enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 ndp-proxy enabled no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 adjust-tcp-mss enable no
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 ip 192.168.0.5/30
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 tag 101
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 interface-management-profile Ping
set network interface ethernet ethernet1/2 layer3 ip 172.16.10.1/30
set network interface ethernet ethernet1/2 layer3 interface-management-profile Ping

set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/2.100 ethernet1/2.101 ethernet1/2.102 ]
set network virtual-router default routing-table ip static-route primary-default nexthop ip-address 10.1.251.225
set network virtual-router default routing-table ip static-route primary-default bfd profile None
set network virtual-router default routing-table ip static-route primary-default metric 10
set network virtual-router default routing-table ip static-route primary-default destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route Nile_GTW1 nexthop ip-address 172.16.10.2
set network virtual-router default routing-table ip static-route Nile_GTW1 bfd profile None
set network virtual-router default routing-table ip static-route Nile_GTW1 interface ethernet1/2
set network virtual-router default routing-table ip static-route Nile_GTW1 metric 10
set network virtual-router default routing-table ip static-route Nile_GTW1 destination 172.16.0.0/30
set network virtual-router default routing-table ip static-route Nile_GTW1 route-table unicast
set network virtual-router default routing-table ip static-route Nile-Guest nexthop ip-address 192.168.0.10
set network virtual-router default routing-table ip static-route Nile-Guest bfd profile None
set network virtual-router default routing-table ip static-route Nile-Guest interface ethernet1/2.102
set network virtual-router default routing-table ip static-route Nile-Guest metric 10
set network virtual-router default routing-table ip static-route Nile-Guest destination 192.168.102.0/24
set network virtual-router default routing-table ip static-route Nile-Guest route-table unicast
set network virtual-router default routing-table ip static-route Nile_Infra nexthop ip-address 172.16.10.2
set network virtual-router default routing-table ip static-route Nile_Infra bfd profile None
set network virtual-router default routing-table ip static-route Nile_Infra interface ethernet1/2
set network virtual-router default routing-table ip static-route Nile_Infra metric 10
set network virtual-router default routing-table ip static-route Nile_Infra destination 172.16.1.0/24
set network virtual-router default routing-table ip static-route Nile_Infra route-table unicast
set network virtual-router default routing-table ip static-route Nile_Sensors nexthop ip-address 172.16.10.2
set network virtual-router default routing-table ip static-route Nile_Sensors bfd profile None
set network virtual-router default routing-table ip static-route Nile_Sensors interface ethernet1/2
set network virtual-router default routing-table ip static-route Nile_Sensors metric 10
set network virtual-router default routing-table ip static-route Nile_Sensors destination 172.16.2.0/24
set network virtual-router default routing-table ip static-route Nile_Sensors route-table unicast
set network virtual-router default routing-table ip static-route Nile-PSK nexthop ip-address 192.168.0.6
set network virtual-router default routing-table ip static-route Nile-PSK bfd profile None
set network virtual-router default routing-table ip static-route Nile-PSK interface ethernet1/2.101
set network virtual-router default routing-table ip static-route Nile-PSK metric 10
set network virtual-router default routing-table ip static-route Nile-PSK destination 192.168.101.0/24
set network virtual-router default routing-table ip static-route Nile-PSK route-table unicast
set network virtual-router default routing-table ip static-route Nile-Dot1x nexthop ip-address 192.168.0.2
set network virtual-router default routing-table ip static-route Nile-Dot1x bfd profile None
set network virtual-router default routing-table ip static-route Nile-Dot1x interface ethernet1/2.100
set network virtual-router default routing-table ip static-route Nile-Dot1x metric 10
set network virtual-router default routing-table ip static-route Nile-Dot1x destination 192.168.100.0/24
set network virtual-router default routing-table ip static-route Nile-Dot1x route-table unicast
set network virtual-router default routing-table ip static-route Nile-GTW2 nexthop ip-address 172.16.10.2
set network virtual-router default routing-table ip static-route Nile-GTW2 bfd profile None
set network virtual-router default routing-table ip static-route Nile-GTW2 interface ethernet1/2
set network virtual-router default routing-table ip static-route Nile-GTW2 metric 10
set network virtual-router default routing-table ip static-route Nile-GTW2 destination 172.16.0.4/30
set network virtual-router default routing-table ip static-route Nile-GTW2 route-table unicast
set network virtual-router default ecmp algorithm ip-modulo

set zone Untrust network layer3 ethernet1/1
set zone Nile-NSB network layer3 ethernet1/2
set zone Nile-Guest network layer3 ethernet1/2.102
set zone Nile-PSK network layer3 ethernet1/2.101
set zone Nile-Dot1x network layer3 ethernet1/2.100

set rulebase security rules "Nile-NSB to Internet" to Untrust
set rulebase security rules "Nile-NSB to Internet" from [ Nile-Dot1x Nile-Guest Nile-NSB Nile-PSK ]
set rulebase security rules "Nile-NSB to Internet" source any
set rulebase security rules "Nile-NSB to Internet" destination any
set rulebase security rules "Nile-NSB to Internet" source-user any
set rulebase security rules "Nile-NSB to Internet" category any
set rulebase security rules "Nile-NSB to Internet" application any
set rulebase security rules "Nile-NSB to Internet" service any
set rulebase security rules "Nile-NSB to Internet" source-hip any
set rulebase security rules "Nile-NSB to Internet" destination-hip any
set rulebase security rules "Nile-NSB to Internet" action allow
set rulebase security rules "Nile-NSB to Internet" log-start no
set rulebase security rules "Nile-NSB to Internet" log-end yes
set rulebase security rules Block-Guest-to-Internal to [ Nile-Dot1x Nile-NSB Nile-PSK ]
set rulebase security rules Block-Guest-to-Internal from Nile-Guest
set rulebase security rules Block-Guest-to-Internal source any
set rulebase security rules Block-Guest-to-Internal destination any
set rulebase security rules Block-Guest-to-Internal source-user any
set rulebase security rules Block-Guest-to-Internal category any
set rulebase security rules Block-Guest-to-Internal application any
set rulebase security rules Block-Guest-to-Internal service application-default
set rulebase security rules Block-Guest-to-Internal source-hip any
set rulebase security rules Block-Guest-to-Internal destination-hip any
set rulebase security rules Block-Guest-to-Internal action deny
set rulebase security rules Block-Guest-to-Internal log-start no
set rulebase security rules Block-Guest-to-Internal log-end yes

set rulebase nat rules "Src-Nat to Internet" source-translation dynamic-ip-and-port interface-address ip 10.1.251.241/27
set rulebase nat rules "Src-Nat to Internet" source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules "Src-Nat to Internet" to Untrust
set rulebase nat rules "Src-Nat to Internet" from [ Nile-Dot1x Nile-Guest Nile-NSB Nile-PSK ]
set rulebase nat rules "Src-Nat to Internet" source any
set rulebase nat rules "Src-Nat to Internet" destination any
set rulebase nat rules "Src-Nat to Internet" service any
set rulebase nat rules "Src-Nat to Internet" to-interface ethernet1/1

set import network interface [ ethernet1/2 ethernet1/2.102 ethernet1/2.100 ethernet1/2.101 ]
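The rulebase above is small, but what it allows between the Nile zones is decided as much by what it does not say as by its two rules. The following is an added example (not Palo Alto code) that evaluates the page's two security rules the way PAN-OS does: explicit rules top-down, first match wins, and then the predefined intrazone-default (allow) and interzone-default (deny) rules, which do not log unless logging is enabled on them. It models only from/to zones, action and log-end. It assumes the Block-Guest-to-Internal rule's "service application-default" qualifier matches; a guest session toward an internal zone on a non-default port would fall past that rule to interzone-default, so it is still denied but, with the defaults as shipped, not logged.

```python
# Added example, not Palo Alto code: first-match evaluation of this page's two security rules
# on zone pairs, with PAN-OS's predefined intrazone-default (allow) and interzone-default (deny)
# rules underneath. Only from/to zones, action and log-end are modelled; the deny rule's
# "service application-default" qualifier is assumed to match.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    action: str
    log_end: bool  # "log-end yes" on the page's rules; off on the predefined defaults


# Transcribed from the "set rulebase security rules ..." commands on this page, in rulebase order.
RULEBASE = [
    Rule("Nile-NSB to Internet", frozenset({"Nile-Dot1x", "Nile-Guest", "Nile-NSB", "Nile-PSK"}),
         frozenset({"Untrust"}), "allow", True),
    Rule("Block-Guest-to-Internal", frozenset({"Nile-Guest"}),
         frozenset({"Nile-Dot1x", "Nile-NSB", "Nile-PSK"}), "deny", True),
]
# PAN-OS predefined rules that sit below every explicit rule; logging is off on both unless overridden.
INTRAZONE_DEFAULT = Rule("intrazone-default", frozenset(), frozenset(), "allow", False)
INTERZONE_DEFAULT = Rule("interzone-default", frozenset(), frozenset(), "deny", False)


def evaluate(from_zone, to_zone, rulebase=RULEBASE):
    """Return (rule name, action, logged) for a session between two zones: the first explicit
    rule whose from/to zones match wins, otherwise the predefined default for same/different zones."""
    for rule in rulebase:
        if from_zone in rule.from_zones and to_zone in rule.to_zones:
            return rule.name, rule.action, rule.log_end
    default = INTRAZONE_DEFAULT if from_zone == to_zone else INTERZONE_DEFAULT
    return default.name, default.action, default.log_end


def unlogged_denies(zones, rulebase=RULEBASE):
    """Zone pairs denied only by the unlogged interzone-default rule: sessions that never reach
    the traffic log unless logging is switched on for that predefined rule."""
    return sorted((s, d) for s in zones for d in zones
                  if evaluate(s, d, rulebase) == ("interzone-default", "deny", False))


if __name__ == "__main__":
    zones = ["Nile-Dot1x", "Nile-Guest", "Nile-NSB", "Nile-PSK", "Untrust"]
    for pair in unlogged_denies(zones):
        print("denied but not logged:", pair)
```

Running it shows that guest-to-internal traffic is denied and logged by the explicit rule, whereas Dot1x-to-Guest, PSK-to-Dot1x and every other inter-segment pair the rulebase does not name is denied only by interzone-default and leaves no log entry.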

Cisco 3750 Configuration

!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service unsupported-transceiver
!
hostname MM-3750
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt
 !
 address-family ipv4
 exit-address-family
!
logging buffered 51200
logging console critical
logging monitor informational
!
username admin privilege 15 password 0 nile123!
no aaa new-model
clock timezone pst -8 0
clock summer-time pdt recurring
switch 1 provision ws-c3750x-48p
system mtu routing 1500
!
no ip source-route
ip routing
!
ip vrf mgmt
!
!
no ip domain-lookup
ip domain-name mmoussa.com
!
!
crypto pki trustpoint TP-self-signed-2643279232
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2643279232
 revocation-check none
 rsakeypair TP-self-signed-2643279232
!
!
crypto pki certificate chain TP-self-signed-2643279232
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363433 32373932 3332301E 170D3036 30313032 30303032
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36343332
  37393233 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008D52 563048F3 30480BDC 6FF17CDC CDA19804 A319B2B8 F1CF16DC 05D35026
  0D558F97 48AA1C70 A8EBEE30 2741FD5B 7A7398EF 6320710C 70EC555C 03496731
  6BA6B046 58472BA4 A6E88895 1E8AA645 9995919C CA2A97EF 35045CD8 6BE029BE
  993C4722 450739CE C97AC621 25B362A3 5A87AB67 8E64F909 CAE159F3 1A28FDAA
  BEBD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 141E4B20 49C74924 7916C386 8603A069 802A6AF5 68301D06
  03551D0E 04160414 1E4B2049 C7492479 16C38686 03A06980 2A6AF568 300D0609
  2A864886 F70D0101 05050003 8181003E 8257C458 D45AD4B2 EA28EDC3 3C0BCD4D
  E4C8C080 9D9BFD5A 27F9E581 F6D23DAA ABA778F6 47240E6F E166591F FBA952BF
  EF36E843 56C07D6C 55A53CEB D6B6DED9 96FC01B6 5D1B0367 06E5E4C9 E0635677
  7000A9F6 52F05003 0261752E A827D9BA D5131EE7 563EA77F BD8BE6A3 2F6EB255
  9F26D854 333BA225 E5CA4D73 818174
  quit
license boot level ipservices
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 10-12,31,38,253
!
!
vlan internal allocation policy ascending
no cdp run
!
!
interface FastEthernet0
 vrf forwarding Mgmt
 ip address 10.1.250.84 255.255.255.0
 no ip route-cache
!
!
interface GigabitEthernet1/0/37
 no switchport
 ip address 172.16.0.1 255.255.255.252
 ip policy route-map NSB_MAP
!
interface GigabitEthernet1/0/38
 no switchport
 ip address 172.16.0.5 255.255.255.252
 ip access-group BLACKOUT in
 ip policy route-map NSB_MAP
!
!
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 10,100-102
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge
!
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 172.16.10.2 255.255.255.252
!
interface Vlan100
 ip address 192.168.0.2 255.255.255.252
!
interface Vlan101
 ip address 192.168.0.6 255.255.255.252
!
interface Vlan102
 ip address 192.168.0.10 255.255.255.252
!
router ospf 10
 network 172.16.0.0 0.0.0.3 area 0
 network 172.16.0.4 0.0.0.3 area 0
 default-information originate always route-map NSB_MAP
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.10.1 10
ip route vrf Mgmt 0.0.0.0 0.0.0.0 10.1.250.1
ip ssh time-out 60
ip ssh source-interface FastEthernet0
ip ssh server algorithm encryption 3des-cbc aes128-cbc aes256-cbc aes256-ctr
ip ssh server algorithm authentication password keyboard publickey
!
ip access-list standard MANAGEMENT
 permit 10.127.134.0 0.0.0.255
 permit 10.0.0.0 0.255.255.255
!
ip access-list extended BLACKOUT
 permit ip 172.16.0.0 0.0.0.3 any
 permit ip 172.16.0.4 0.0.0.3 any
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.102.0 0.0.0.255 any
 deny ip any any
ip access-list extended Dot1x_ACL
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended Guest_ACL
 permit ip 192.168.102.0 0.0.0.255 any
ip access-list extended NSB_ACL
 permit ip 172.16.0.0 0.0.0.3 any
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any
 permit ip 172.16.0.4 0.0.0.3 any
ip access-list extended PSK_ACL
 permit ip 192.168.101.0 0.0.0.255 any
!
logging trap warnings
!
route-map NSB_MAP permit 10
 match ip address NSB_ACL
 set ip next-hop 172.16.10.1
!
route-map NSB_MAP permit 100
 match ip address Dot1x_ACL
 set ip next-hop 192.168.0.1
!
route-map NSB_MAP permit 101
 match ip address PSK_ACL
 set ip next-hop 192.168.0.5
!
route-map NSB_MAP permit 102
 match ip address Guest_ACL
 set ip next-hop 192.168.0.9
!
!
line con 0
 password nile123!
 logging synchronous
 login local
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 login local
 transport preferred none
 transport input ssh
line vty 5 15
 login
!
ntp server vrf Mgmt 152.70.159.102
!
end
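The segmentation in this design holds only if three things line up for every segment: the 3750 route-map sends the segment's source subnet to the next-hop that is the PAN subinterface for that segment's VLAN, that subinterface sits in the zone bearing the segment's name, and the PAN static route for the subnet returns traffic out the same subinterface into the same /30. The following added example (not Nile, Palo Alto or Cisco tooling) parses excerpts of the two configurations above, copied from this page, and traces each segment from the Nile Segments table through that chain, reporting the VLAN tag and zone it lands in and any mismatch. It assumes the page's convention that segment names equal zone names, the PAN "set" command format and IOS indentation shown above, and contiguous IOS wildcard masks in the ACLs.

```python
# Added example, not Nile, Palo Alto or Cisco tooling: trace each Nile segment from its 3750 PBR
# next-hop to the PAN subinterface it lands on (VLAN tag, zone) and check that the PAN return route
# for the segment leaves by that same subinterface. Config excerpts are copied from this page.
import ipaddress
import re

NILE_SEGMENTS = {"Nile-Dot1x": "192.168.100.0/24", "Nile-PSK": "192.168.101.0/24",
                 "Nile-Guest": "192.168.102.0/24"}  # from the Nile Segments table above
PAN_SET_CONFIG = """
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 ip 192.168.0.9/30
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.102 tag 102
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 tag 100
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 ip 192.168.0.1/30
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 ip 192.168.0.5/30
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 tag 101
set network virtual-router default routing-table ip static-route Nile-Guest nexthop ip-address 192.168.0.10
set network virtual-router default routing-table ip static-route Nile-Guest interface ethernet1/2.102
set network virtual-router default routing-table ip static-route Nile-Guest destination 192.168.102.0/24
set network virtual-router default routing-table ip static-route Nile-PSK nexthop ip-address 192.168.0.6
set network virtual-router default routing-table ip static-route Nile-PSK interface ethernet1/2.101
set network virtual-router default routing-table ip static-route Nile-PSK destination 192.168.101.0/24
set network virtual-router default routing-table ip static-route Nile-Dot1x nexthop ip-address 192.168.0.2
set network virtual-router default routing-table ip static-route Nile-Dot1x interface ethernet1/2.100
set network virtual-router default routing-table ip static-route Nile-Dot1x destination 192.168.100.0/24
set zone Nile-Guest network layer3 ethernet1/2.102
set zone Nile-PSK network layer3 ethernet1/2.101
set zone Nile-Dot1x network layer3 ethernet1/2.100
"""
CISCO_CONFIG = """
ip access-list extended Dot1x_ACL
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended Guest_ACL
 permit ip 192.168.102.0 0.0.0.255 any
ip access-list extended PSK_ACL
 permit ip 192.168.101.0 0.0.0.255 any
route-map NSB_MAP permit 100
 match ip address Dot1x_ACL
 set ip next-hop 192.168.0.1
route-map NSB_MAP permit 101
 match ip address PSK_ACL
 set ip next-hop 192.168.0.5
route-map NSB_MAP permit 102
 match ip address Guest_ACL
 set ip next-hop 192.168.0.9
"""

def parse_pan(text):
    """subinterface -> {ip, tag}; interface -> zone; static route -> {nexthop, interface, destination}."""
    subifs, zones, routes = {}, {}, {}
    for line in text.splitlines():
        if m := re.match(r"set network interface ethernet \S+ layer3 units (\S+) (ip|tag) (\S+)", line):
            subifs.setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"set zone (\S+) network layer3 (\S+)", line):
            zones[m[2]] = m[1]
        elif m := re.match(r"set network virtual-router \S+ routing-table ip static-route (\S+) "
                           r"(nexthop ip-address|interface|destination) (\S+)", line):
            routes.setdefault(m[1], {})[m[2].split()[0]] = m[3]
    return subifs, zones, routes

def parse_cisco(text):
    """ACL name -> [networks]; PBR entries {acl, next_hop} in config order (IOS indentation-based)."""
    acls, pbr, ctx = {}, [], []
    for line in text.splitlines():
        w = line.split()
        if not line.startswith(" "):  # a top-level line opens a new config context
            ctx = w
            if w[:3] == ["ip", "access-list", "extended"]:
                acls[w[3]] = []
            elif w[:1] == ["route-map"]:
                pbr.append({})
        elif ctx[:3] == ["ip", "access-list", "extended"] and w[:2] == ["permit", "ip"]:
            plen = 32 - int(ipaddress.ip_address(w[3])).bit_length()  # contiguous IOS wildcard -> prefix
            acls[ctx[3]].append(ipaddress.ip_network(f"{w[2]}/{plen}", strict=False))
        elif ctx[:1] == ["route-map"] and w[:3] == ["match", "ip", "address"]:
            pbr[-1]["acl"] = w[3]
        elif ctx[:1] == ["route-map"] and w[:3] == ["set", "ip", "next-hop"]:
            pbr[-1]["next_hop"] = ipaddress.ip_address(w[3])
    return acls, pbr

def check_segment(name, subnet, pan, cisco):
    """Trace one segment; returns its VLAN, zone, PBR next-hop and any mismatches found."""
    (subifs, zones, routes), (acls, pbr) = pan, cisco
    net = ipaddress.ip_network(subnet)
    hop = next((e["next_hop"] for e in pbr if net in acls.get(e.get("acl"), [])), None)
    subif = next((n for n, s in subifs.items()
                  if "ip" in s and ipaddress.ip_interface(s["ip"]).ip == hop), None)
    if subif is None:
        return {"segment": name, "ok": False, "problems": [f"PBR next-hop {hop} is not a PAN subinterface"]}
    pan_net = ipaddress.ip_interface(subifs[subif]["ip"]).network
    tag, zone = int(subifs[subif]["tag"]), zones.get(subif)
    route = next((r for r in routes.values() if r.get("destination") == subnet), {})
    problems = [] if zone == name else [f"lands in zone {zone}, expected {name}"]
    if route.get("interface") != subif or ipaddress.ip_address(route.get("nexthop", "0.0.0.0")) not in pan_net:
        problems.append(f"PAN return route for {subnet} does not go back out {subif} into its /30")
    return {"segment": name, "vlan": tag, "zone": zone, "pbr_next_hop": str(hop),
            "ok": not problems, "problems": problems}

def check_all(segments=NILE_SEGMENTS, pan_text=PAN_SET_CONFIG, cisco_text=CISCO_CONFIG):
    pan, cisco = parse_pan(pan_text), parse_cisco(cisco_text)
    return {n: check_segment(n, s, pan, cisco) for n, s in segments.items()}
```

With the page's configuration all three segments check out; feeding the same checker a route-map whose Guest_ACL next-hop has been typed as 192.168.0.5 instead of 192.168.0.9 reports Nile-Guest landing in zone Nile-PSK with a mismatched return route, which is exactly the silent cross-zone leak this design has to guard against.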