ProCurve Wireless Edge Services xl Module v.2 Software NPI

Date post: 12-Sep-2021
Transcript
Page 1: ProCurve Wireless Edge Services xl Module v.2 Software NPI

Wireless Edge Services xl Module 2.0 Update NPI Technical Training June 2007

Rev. 1.5 1

© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

ProCurve Wireless Edge Services xl Module v.2 Software NPI Technical Training

Version: 1.5, 12 June 2007

Sample excerpt

Page 2: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Discussion Topics

• Layer 3 RP adoption
• Internal RADIUS server
• Firewall and ACLs
• Internal DHCP server
• NAT
  – Types of NAT supported
  – Guidelines for configuring NAT
  – Configuring NAT
• Expanded redundancy groups
• Improved roaming between modules
• sFlow support
• GRE
• Secure NTP
• Web-Users
• Other enhancements

The Wireless Edge Services xl Module’s internal firewall also supports NAT, often in conjunction with the module’s role as a router and DHCP server.

Page 3: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Types of NAT

• Dynamic, or many-to-one, NAT—translates source address using port address translation (PAT)

• Static, or one-to-one, NAT—translates either source address or destination address

[Figure: two examples with WLAN 1 = VLAN 8 (module address 192.168.1.1) and Wired Network = VLAN 1 (module address 10.1.1.10). Dynamic Source NAT: wireless stations 192.168.1.50 and 192.168.1.40 send to the server 10.1.1.15, and the module translates their source addresses to 10.1.1.10:1211 and 10.1.1.10:1212. Static Destination NAT: the stations send to 192.168.1.1, and the module translates the destination to the servers' actual addresses (10.1.1.15 and 10.1.1.20).]

The two types of NAT you will configure on your Wireless Edge Services xl Module are dynamic NAT and static NAT. They have two major differences. First, you can configure dynamic NAT only on source IP addresses, whereas you can configure static NAT on either source or destination IP addresses. Second, with dynamic NAT you select IP addresses with an ACL, and the Wireless Module translates the many source addresses that the ACL permits to the same IP address on one of its interfaces (also called overloading the interface). Port address translation (PAT) is what enables the module to translate multiple IP addresses to the same IP address: the module assigns a different source port number to each NATed address so that it can tell which station return traffic belongs to, even though all return traffic is destined to the same IP address. For static NAT, instead of using ACLs, you configure IP addresses and port settings manually. I will explain these configurations in more detail a little later on.

One more thing to remember: the Wireless Module automatically handles all traffic in a NAT session. For example, when the server in the wired network shown in the top section of the slide sends return traffic, it sends it to 10.1.1.10, the apparent source of the traffic. The Wireless Module uses the PAT port mapping to forward the return traffic to the correct wireless station. Similarly, when the server shown in the bottom half of the slide sends return traffic back to the wireless stations, the Wireless Module automatically conceals the server's address, translating it back to the original destination address.

Page 4: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Guidelines for Configuring NAT

• Wireless Module implements NAT on the border between:
  – Inside (private) network
  – Outside (public) network

• You define inside and outside interfaces for your NAT implementation.

[Figure: the Wireless Edge Services xl Module with WLAN VLANs 8 and 12 on the downlink to the RPs forming the inside (wireless) network, and VLAN 1 on the uplink forming the outside (wired) network. Inside NAT is applied to traffic incoming on inside interfaces; the inside traffic is then routed to the outside network.]

Before you plan your NAT configuration, you must understand how the Wireless Edge Services xl Module divides interfaces into inside and outside interfaces. In theory, an inside interface is one that connects to a private network, and an outside interface is one that connects to a public network. However, you might define "public" and "private" in various ways. The most important distinction between the inside and outside networks is that, for whatever reason, IP addresses used in one cannot be supported in the other.

For example, the Wireless Module might place wireless stations in subnetworks isolated within the wireless world. You decide to define these isolated subnetworks as the "inside" network and the wired network as the "outside" network. Devices in the wired network do not know about the subnetworks and IP addresses used in the wireless network. So the Wireless Module applies dynamic source NAT to inside traffic and, in the wired network, masquerades as the source of all traffic from the wireless network.

As you can see in the picture, the Wireless Module applies inside NAT to traffic that arrives on inside interfaces. If you configured outside NAT, the module would apply it to traffic incoming on an outside interface, here VLAN 1. Note that the Wireless Module must route traffic in order to perform NAT.

Page 5: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Specifying Addresses for Your NAT Implementation

• Local IP address—an IP address as it appears before translation

• Global IP address—an IP address as it appears after translation

[Figure: Source NAT: a WLAN station with local address 10.1.8.50 (VLAN 8, where the module's address is 10.1.8.10) is translated to the global address 10.1.1.10, the module's address in VLAN 1. Destination NAT: the station sends to the local address 10.1.8.10 (the module's VLAN 8 address), which is translated to the server's global address 10.1.1.15 in VLAN 1.]

As you set up NAT, you will specify "local" and "global" addresses, so you must understand how the Wireless Module defines these addresses. A local IP address is an IP address (either source or destination, depending on the type of NAT) as it appears before it is translated with NAT. A global IP address, conversely, is the IP address as it appears after it is translated with NAT.

For source NAT, the concept is straightforward enough. For example, a station in a wireless network could have a local IP address of 10.1.8.50. After this address is translated by the module, the station would have a global IP address of 10.1.1.10, which is the Wireless Module's address in VLAN 1 (the VLAN used in the wired network). Each wireless station would, of course, have a different local address, but typically (that is, with dynamic NAT) every local address would be translated to the same global address of 10.1.1.10.

Destination NAT reverses the local and global addresses. For example, you might set up destination NAT to force wireless stations to contact a private server at a public address (say, the address of the Wireless Module on the wireless network) rather than at the server's private address. Originally, the wireless station destines the traffic to the Wireless Module (the address that the server appears to use), so that is the local address. The global address is the server's actual IP address, because this is the address after destination NAT has occurred.

Page 6: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Plan Your NAT Configuration

Consider your network topology and security needs. Determine your requirements for NAT:

• Conserve IP addresses and separate VLANs for wireless and wired traffic

• Conceal IP addresses of servers on the private, wired network

Record the IP addresses needed for your NAT configuration.

Now you have all the concepts and tools you need to plan your NAT configuration. First, consider your network topology and security needs and determine your requirements for NAT. In other words, which types of NAT must you configure, and to which traffic should you apply NAT? There are a couple of reasons why you might want to use NAT.

In the first scenario, you want to separate wireless and wired subnetworks, to conserve address space on your LAN and perhaps to increase security. However, you want to integrate wireless traffic onto the wired network with a minimum of hassle: you don't want to configure routes back to the wireless subnetworks and so forth. Have the module place wireless stations in a VLAN reserved for them. Remember to configure DHCP to assign addresses to wireless stations in that VLAN. Define the VLAN as an inside VLAN, and configure dynamic NAT on inside traffic. Now, all wireless stations appear to have the address of one of the Wireless Module's outside interfaces.

In the second scenario, you configure NAT because you need to conceal IP addresses used in your LAN from wireless users. You would still want to separate wired and wireless VLANs. However, instead of configuring inside source NAT, you would configure inside destination NAT. Wireless stations direct traffic for the private servers to a public address, and the Wireless Module translates the destination to the correct server address. You set up static definitions for destination NAT. Each definition allows you to map a destination port, as well as an IP address, to a particular new address, so several wired servers can share the same public address advertised to wireless users.

Once you have decided what your requirements are, record the IP addresses necessary for your NAT configuration.

Page 7: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Configure an ACL to Select Traffic for Dynamic NAT

Determine which IP addresses the standard IP ACL should select:

• Typically, permit all addresses in subnets corresponding to the NATed interfaces.

• Often, these addresses are issued through DHCP.

• In this example, you would configure an ACL with two rules:
  – permit 10.1.8.0/24
  – permit 10.1.12.0/24

[Figure: the Wireless Edge Services xl Module with WLAN VLANs 8 and 12 (inside) on the downlink to the RPs and VLAN 1 (outside) on the uplink. DHCP pools: Pool 1 (VLAN 8) 10.1.8.0/24; Pool 2 (VLAN 12) 10.1.12.0/24.]

Remember that with dynamic NAT, you select the local source addresses to which NAT applies by configuring a standard IP ACL. The simplest way to configure the ACL is to first determine to which interfaces NAT applies. Each VLAN is, of course, associated with a subnetwork, and stations in the VLAN use IP addresses in that subnetwork, often assigned through DHCP. Typically, you should permit NAT on all addresses in these subnets.

In this example, you are configuring dynamic source NAT on inside traffic, and the inside interfaces will be VLANs 8 and 12. The DHCP pools in the slide show the subnetworks associated with the VLANs, and the slide also lists the two rules that permit addresses in those subnets.

We've laid the groundwork for planning the NAT configuration. Now I'll take you step by step through the Web browser screens.

Page 8: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Define Outside or Inside Interfaces


You will now learn how to assign interfaces as either inside or outside interfaces, as I talked about earlier. NAT configurations have no effect until you do this. To define an interface as either inside or outside, you need to go to the Add Interface screen. Get there by selecting Security > NAT and clicking the Interfaces tab. To add an interface, click the Add button. The Add Interface screen displays.

In the Interface field, use the drop-down menu to select an interface configured on the module (such as vlan1, shown in the slide). In the Type field, use the drop-down menu to select either Inside (Private) or Outside (Public). Then click the OK button.

Page 9: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Configure Dynamic Translation


You can now configure dynamic NAT. For each NAT configuration that will use dynamic NAT, you first need to set up an ACL, as I mentioned earlier, to select the source addresses for NAT.

Now select Security > NAT and click the Dynamic Translation tab. Then click the Add button. On the Add Dynamic Translation screen, from the NAT Interface drop-down menu, select the interfaces to which dynamic NAT applies: Inside (Private) or Outside (Public). You just defined these interfaces, so you should remember which type you want. Then, in the NAT Address Type field, leave the setting at Source, since it is the only option permitted for dynamic translation.

From the Access List drop-down menu, select the ACL you already configured. Remember: for inside NAT, choose an ACL that selects IP addresses in inside VLANs, and vice versa for outside NAT. Next, from the Interface drop-down menu, select one of the module's VLAN or tunnel interfaces. The Wireless Module translates the source address to the IP address on the specified interface. Ethernet interfaces are named vlan1, vlan2, and so on; GRE tunnel interfaces are named tunnel1, tunnel2, and so on. You should select an interface of the opposite type from the NAT interface for this configuration. For example, if you have selected Inside (Private) for the NAT Interface, choose, for the Interface, an interface on the outside network. If you are configuring dynamic NAT on wireless traffic, choose an interface that is tagged on the uplink port.

Then click the OK button. The definition for dynamic translation is now listed on the Security > NAT > Dynamic Translation screen.

Page 10: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Configure Static NAT


This slide shows you how to configure static translation, should you decide that this is the type of NAT best for your environment. Select Security > NAT and click the Static Translation tab. Then click the Add button, which takes you to the Add Static Translation screen.

The NAT section of this screen gives you choices similar to those in the first two drop-down menus of the dynamic NAT screen. For the Interface Type, select either Inside (Private) or Outside (Public), remembering the definitions you made earlier. So if you choose Inside (Private), the Wireless Module applies this static NAT definition to traffic that arrives on an interface you defined as inside. Unlike for dynamic NAT, you can choose the Address Type: Source (translate the source IP address in the IP header) or Destination (translate the destination IP address in the IP header).

Next, in the Local Address field, enter the IP address to be translated. Which address this is depends on your choice for the Address Type; a few slides ago, you saw where to find the local and global addresses for both source and destination NAT. Then choose either TCP or UDP in the Protocol drop-down menu and, in the Local Port field, enter the port on which traffic to be translated arrives (from 1 through 65,535). These settings are important for destination NAT because they allow you to set up port forwarding. For example, you can configure one definition that applies only to HTTP traffic and another that applies only to FTP traffic, so that each type of traffic reaches the appropriate server.

Finally, in the Global Address field, enter the address as it should appear after translation. In the Global Port field, enter the port to which the Wireless Module should forward the traffic. This field is optional and provides port translation. (If you leave it empty, the module sends the traffic to the port on which it arrived.) For example, suppose your company's Web server listens on a private port. Traffic for the server is destined to the Wireless Module on the standard HTTP port (80). The Wireless Module translates the destination to the Web server's private address and to the private port selected by your company, which is what you enter in the Global Port field.

Click the OK button. The static NAT definition is now listed on the Security > NAT > Static Translation screen.

Page 11: ProCurve Wireless Edge Services xl Module v.2 Software NPI


View NAT Status


Now that you have configured NAT, you can check its status. To view NAT status, select Security > NAT and click the Status tab. The screen displays a row for each active session to which the Wireless Edge Services xl Module has applied NAT. The columns show the IP addresses associated with the session:

• Inside-Global refers to the source IP address as it appears in the destination network (that is, after translation).

• Inside-Local refers to the source IP address as it appears originally in the source network.

• Outside-Global refers to the destination IP address as it appears after translation in the destination device's network.

• Outside-Local refers to the destination IP address as it appears originally in the source device's network.

For example, if you have configured dynamic source NAT on inside traffic, the Inside-Local column lists the IP address of the source device in the inside network, and the Inside-Global column lists the translated IP address.
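As an added example (not code from the training deck or from ProCurve), the following Python model ties together the NAT slides above: inside and outside interface types (Define Outside or Inside Interfaces), a dynamic translation whose standard ACL selects the local source addresses and overloads them onto the egress interface with PAT (Types of NAT, Configure an ACL, Configure Dynamic Translation), static destination translation with a Local Port and an optional Global Port for port forwarding (Configure Static NAT), the automatic handling of return traffic, and the four address columns of the Status tab. The topology and addresses are the ones on the Types of NAT slide. The Web server's private port 8080, the FTP mapping to 10.1.1.20, PAT ports starting at 1211, and the one-definition-per-packet ordering are assumptions made for the demonstration; the page does not state the module's real ordering.

```python
# Added example, not code from the ProCurve deck: a model of the NAT behaviour the
# slides describe. Private port 8080, the FTP mapping and PAT starting at 1211 are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class WirelessModuleNAT:
    def __init__(self, first_pat_port=1211):
        self.ifaces = {}        # name -> (address, "inside" | "outside")
        self.dynamic = []       # (nat_type, [ACL networks], egress interface)
        self.static = []        # one tuple per static destination definition
        self.sessions = []      # one dict per session: the Status tab rows, with ports
        self._next_port = first_pat_port

    def add_interface(self, name, addr, nat_type):
        self.ifaces[name] = (addr, nat_type)

    def add_dynamic(self, nat_type, acl_permits, egress_iface):
        # Dynamic NAT is source-only; a standard ACL selects the local source addresses.
        self.dynamic.append((nat_type, [ip_network(n) for n in acl_permits], egress_iface))

    def add_static_destination(self, nat_type, local_addr, proto, local_port,
                               global_addr, global_port=None):
        # An empty Global Port means "send to the port the traffic arrived on".
        self.static.append((nat_type, proto, (local_addr, local_port),
                            (global_addr, global_port or local_port)))

    def _record(self, il, ig, ol, og, proto):
        self.sessions.append(dict(inside_local=il, inside_global=ig,
                                  outside_local=ol, outside_global=og, proto=proto))

    def translate(self, pkt, ingress):
        """Apply NAT to a packet arriving on `ingress`; returns the packet to forward."""
        if ingress not in self.ifaces:
            return pkt                  # not defined as inside/outside: NAT has no effect
        nat_type = self.ifaces[ingress][1]
        src, dst = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        # Static definitions first; this model applies one definition per packet,
        # as the slide's figures do (the module's real ordering is not stated).
        for s_type, s_proto, local, glob in self.static:
            if s_type == nat_type and s_proto == pkt.proto and dst == local:
                self._record(src, src, dst, glob, pkt.proto)      # port forwarding
                return Packet(pkt.src, pkt.sport, glob[0], glob[1], pkt.proto)
        # Dynamic source NAT: every ACL match is overloaded onto the egress
        # interface address and told apart by a fresh source port (PAT).
        for d_type, networks, egress in self.dynamic:
            if d_type == nat_type and any(ip_address(pkt.src) in n for n in networks):
                glob = (self.ifaces[egress][0], self._next_port)
                self._next_port += 1
                self._record(src, glob, dst, dst, pkt.proto)
                return Packet(glob[0], glob[1], pkt.dst, pkt.dport, pkt.proto)
        return pkt

    def untranslate(self, pkt):
        """Return traffic: reverse the recorded session; None when no session matches."""
        for r in self.sessions:
            if (r["proto"] == pkt.proto and (pkt.dst, pkt.dport) == r["inside_global"]
                    and (pkt.src, pkt.sport) == r["outside_global"]):
                (src, sport), (dst, dport) = r["outside_local"], r["inside_local"]
                return Packet(src, sport, dst, dport, pkt.proto)
        return None

    def status(self):
        # (Inside-Global, Inside-Local, Outside-Global, Outside-Local), as on the Status tab
        return [(r["inside_global"][0], r["inside_local"][0],
                 r["outside_global"][0], r["outside_local"][0]) for r in self.sessions]


def build_slide_topology():
    """The 'Types of NAT' slide: WLAN 1 = VLAN 8 (inside), wired network = VLAN 1 (outside)."""
    nat = WirelessModuleNAT()
    nat.add_interface("vlan8", "192.168.1.1", "inside")
    nat.add_interface("vlan1", "10.1.1.10", "outside")
    nat.add_dynamic("inside", ["192.168.1.0/24"], egress_iface="vlan1")
    # Destination NAT on the module's VLAN 8 address: HTTP to the Web server on an
    # assumed private port 8080, FTP to a second server on the port it arrived on.
    nat.add_static_destination("inside", "192.168.1.1", "tcp", 80, "10.1.1.15", 8080)
    nat.add_static_destination("inside", "192.168.1.1", "tcp", 21, "10.1.1.20")
    return nat
```

Running `build_slide_topology()` and sending packets from 192.168.1.50 and 192.168.1.40 to 10.1.1.15 through `translate(..., "vlan8")` reproduces the slide's 10.1.1.10:1211 and 10.1.1.10:1212 sources, and `untranslate` maps the server's reply on port 1212 back to 192.168.1.40. Two points the model makes visible: return traffic is forwarded only when it matches a recorded session, so an unsolicited packet to 10.1.1.10 from the wired network is not handed to a wireless station; and NAT on its own translates addresses but does not restrict which stations may reach a forwarded server, which is why the use models on the following slides rely on the firewall and ACLs for access control.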

Page 12: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Use Model: Securing a small network from less trusted wireless traffic

[Figure: MyCompany network. The Wireless Services xl Module acts as a router, DHCP server, and RADIUS server and applies the firewall, ACLs, and NAT. WLAN 1 uses WPA with 802.1X; RADIUS requests go to the module's internal RADIUS server, which places employees in dynamic VLAN 12 and contractors in dynamic VLAN 14. DHCP pools: VLAN 12, 10.1.12.0/24; VLAN 14, 10.1.14.0/24. The uplink carries the management VLAN and VLAN 4 (servers, 10.1.4.0/24); the downlink to the RPs carries VLAN 8 and the dynamic VLANs 12 and 14.]

We've covered a lot of capabilities. Let's pause for a minute and look at how to combine them for a complete solution. The company in this scenario has a relatively small LAN with limited security capabilities. However, the company does have several servers that store sensitive information. The company's new Wireless LAN System is intended to provide mobile access to these servers for contractors and employees. Network administrators are well aware, however, that without careful planning, granting mobile access to legitimate users can easily lead to allowing unauthorized access by illegitimate users.

The first step to securing the network is guarding the WLAN with strong encryption and user-based authentication. The company chooses WPA with 802.1X. Even though this small company does not have a RADIUS server, the internal RADIUS server on the Wireless Module enables it to choose this high-security option. The internal server also enables dynamic VLANs: the module places mobile users in two different VLANs based on whether they are employees or contractors. After the module's RADIUS server assigns users to VLANs, the module, as a DHCP server, also takes responsibility for assigning IP addresses to the wireless stations.

Finally, the module routes traffic from the wireless stations to the servers' VLAN, which is tagged on the module's uplink port. As the module routes the traffic, it runs basic firewall checks and applies the appropriate ACLs. For example, you could place an ACL on the VLAN 14 interface (the contractors' VLAN) that permits access to one server but denies access to another. The module also implements NAT, translating the wireless stations' IP addresses to the module's IP address on the server VLAN, so that the servers can send return traffic to the wireless users without needing routes to their VLANs.

Page 13: ProCurve Wireless Edge Services xl Module v.2 Software NPI


Use Model: Securing wireless and wired traffic in a small network

[Figure: MyCompany network, as in the previous use model. The Wireless Services xl Module acts as a router, DHCP server, and RADIUS server and applies the firewall, ACLs, and NAT. WLAN 1 uses WPA with 802.1X, and the wired LAN enforces 802.1X as well; RADIUS requests from both go to the module's internal RADIUS server, which places employees in dynamic VLAN 12 and contractors in dynamic VLAN 14. DHCP pools: VLAN 12, 10.1.12.0/24; VLAN 14, 10.1.14.0/24. The uplink carries the management VLAN, the servers LAN on VLAN 4 (10.1.4.0/24), and the dynamic VLANs; the downlink to the RPs carries VLAN 8 and the dynamic VLANs 12 and 14.]

This use model is similar to the last. However, this company is very small and has decided to use the Wireless Edge Services xl Module to provide services for all stations, wired as well as wireless.

Wired stations connect to the wireless services-enabled switch, which enforces 802.1X on all interfaces to which workstations might connect. You have configured the switch as a client on the Wireless Module's internal RADIUS server, and the switch forwards RADIUS requests to this server, allowing wired stations to complete 802.1X authentication.

At this point, the Wireless Module treats the wired stations much as it would wireless stations. It places them in dynamic VLANs and issues IP addresses to them from its DHCP pools. The Wireless Module routes and filters traffic that it receives from the wired stations, just as it routes and filters traffic from the wireless stations. Note, however, that you must tag the module's uplink port for these VLANs to allow the module to receive traffic on them from the wired stations.
