D-Link DFL-260 Product Manual - Page 209
4.7.1. Overview Chapter 4. Routing

the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original IP packet for the destination on the interfaces specified in the Switch Route. If an ARP reply is received, NetDefendOS will update the CAM table and Layer 3 Cache and forward the packet to the destination. If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically. Using the discovery mechanism of sending ARP and ICMP requests, NetDefendOS will rediscover destinations that may have been flushed.

Enabling Transparent Mode

The following steps are required to enable NetDefendOS Transparent Mode:

1. The interfaces that are to be transparent should first be collected together into a single Interface Group object. Interfaces in the group should be marked as Security transport equivalent if hosts are to move freely between them.

2. A Switch Route is now created in the appropriate routing table and the interface group associated with it. Any existing non-switch routes for interfaces in the group should be removed from the routing table. For the Network parameter in the switch route, specify all-nets or alternatively, specify a network or range of IP addresses that will be transparent between the interfaces (this latter option is discussed further below).

3. Create the appropriate IP rules in the IP rule set to allow the desired traffic to flow between the interfaces operating in Transparent Mode. If no restriction at all is to be initially placed on traffic flowing in transparent mode, the following single IP rule could be added, but more restrictive IP rules are recommended.
Action:         Allow
Src Interface:  any
Src Network:    all-nets
Dest Interface: any
Dest Network:   all-nets
Service:        all

Restricting the Network Parameter

As NetDefendOS listens to ARP traffic, it continuously adds single host routes to the routing table as it discovers on which interface IP addresses are located. As the name suggests, single host routes give a route for a single IP address. The number of these routes can therefore become large as connections are made to more and more hosts.

A key advantage of specifying a network or a range of IP addresses instead of all-nets for the Network parameter is that the number of routes automatically generated by NetDefendOS will be significantly smaller. A single host route will only be added if the IP address falls within the network or address range specified. Reducing the number of routes added will reduce the processing overhead of route lookups. Specifying a network or address range is, of course, only possible if the administrator has some knowledge of the network topology, and often this may not be the case.

Multiple Switch Routes are Connected Together

The setup steps listed above describe placing all the interfaces into a single interface group object which is associated with a single switch route. An alternative to one switch route is to not use an interface group but instead use an individual switch route for each interface. The end result is the same. All the switch routes defined in a single
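The following is an added model (not NetDefendOS code, and not from the manual) of the route-learning behaviour described under "Restricting the Network Parameter" above: single host routes are learned from ARP replies seen on the switch route's interfaces, only addresses inside the Network parameter are accepted, and a full cache is partially flushed. The interface names, cache size and the "drop the oldest half" flush policy are assumptions made for the illustration.

```python
from collections import OrderedDict
from ipaddress import ip_address, ip_network


class SwitchRouteLearner:
    """Toy model of single host route learning behind one switch route.

    host_routes stands in for the auto-generated single host routes
    (Layer 3 cache) that NetDefendOS builds from observed ARP traffic.
    The flush policy (drop the oldest half) is an assumption, not the
    product's documented algorithm.
    """

    def __init__(self, interfaces, network, cache_limit=4):
        self.interfaces = set(interfaces)      # interfaces in the switch route
        self.network = ip_network(network)     # the route's Network parameter
        self.cache_limit = cache_limit
        self.host_routes = OrderedDict()       # ip -> interface, oldest first
        self.flushes = 0

    def observe_arp(self, ip, interface):
        """Learn from one ARP reply; return True if a host route was kept."""
        if interface not in self.interfaces:
            return False
        addr = ip_address(ip)
        if addr not in self.network:           # outside Network: not learned
            return False
        if addr in self.host_routes:
            self.host_routes.move_to_end(addr)  # refresh an existing entry
        elif len(self.host_routes) >= self.cache_limit:
            self.flushes += 1                   # table full: partial flush
            for _ in range(self.cache_limit // 2):
                self.host_routes.popitem(last=False)
        self.host_routes[addr] = interface
        return True

    def lookup(self, ip):
        return self.host_routes.get(ip_address(ip))


def learned_route_count(observations, network, cache_limit=1000):
    """Number of single host routes left after replaying ARP observations."""
    learner = SwitchRouteLearner(["lan", "dmz"], network, cache_limit)
    for ip, iface in observations:
        learner.observe_arp(ip, iface)
    return len(learner.host_routes)


# Constructed sample: 60 ARP replies, 40 of them from 10.0.0.0/16.
SAMPLE_ARP = ([("10.0.1.%d" % i, "lan") for i in range(1, 21)]
              + [("10.0.2.%d" % i, "dmz") for i in range(1, 21)]
              + [("192.168.50.%d" % i, "lan") for i in range(1, 21)])
```

Replaying SAMPLE_ARP with Network set to all-nets (0.0.0.0/0) yields 60 host routes, while 10.0.0.0/16 yields 40, which is the reduction the text describes.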