
Apply Vyatta Gateway Configuration

These configuration steps are accomplished by logging into the private IP of your Vyatta Gateway via the SoftLayer Management VPN at https://vpn.softlayer.com

Utilize the portal at https://manage.softlayer.com, Private Network -> Gateway Appliances -> View Gateway Appliances to collect the Management IP.

(A) Configure bond interfaces to link to each VLAN & Subnet to be routed. The Vyatta ports will not be trunked & the IP addresses will not be accessible on the VLANs until a later step, where the VLANs and their associated Subnets are routed to the Vyatta.

ssh into the Vyatta:

• configure

• set interfaces bonding bond0 vif 1101 address '##.###.###.###/##' (Enter Default gateway of Primary Subnet Bound to VLAN 1101)

• set interfaces bonding bond0 vif 1101 address '##.###.###.###/##' (Enter Default gateway of Portable Subnet Bound to VLAN 1101)

• set interfaces bonding bond0 vif 1102 address '##.###.###.###/##' (Enter Default gateway of Portable Subnet Bound to VLAN 1102)

• set interfaces bonding bond0 vif 1103 address '##.###.###.###/##' (Enter Default gateway of Portable Subnet Bound to VLAN 1103)

• commit

• save

(B) Configure SNAT

• (if not still in configure mode) configure

SNAT for CCIs (Utility) bound to VLAN 1101

• set nat source rule 10

• set nat source rule 10 source address ##.###.###.###/## (Primary Subnet VLAN1101)

• set nat source rule 10 translation address ##.###.###.### (Vyatta bond1 IP)

• set nat source rule 10 outbound-interface bond1

SNAT for Management VMs bound to VLAN 1101

• set nat source rule 20

• set nat source rule 20 source address ##.###.###.###/## (Portable Subnet VLAN1101)

• set nat source rule 20 translation address ##.###.###.### (Vyatta bond1 IP)

• set nat source rule 20 outbound-interface bond1

SNAT for Access VMs bound to VLAN 1103

• set nat source rule 30

• set nat source rule 30 source address ##.###.###.###/## (Portable Subnet VLAN1103)

• set nat source rule 30 translation address ##.###.###.### (Vyatta bond1 IP)

• set nat source rule 30 outbound-interface bond1

• commit

• save

(C) Configure L2TP/IPsec Remote Access VPN from Mac/Linux/Windows.

• (if not still in configure mode) configure

• set vpn ipsec ipsec-interfaces interface bond1

• set vpn ipsec nat-traversal enable

• set vpn ipsec nat-networks allowed-network 0.0.0.0/0

• set vpn l2tp remote-access authentication local-users username (username you are creating) password (user password)

• set vpn l2tp remote-access authentication mode local

• set vpn l2tp remote-access client-ip-pool start 172.16.100.1 (Start IP from an unused CIDR)

• set vpn l2tp remote-access client-ip-pool stop 172.16.100.10 (End IP from an unused CIDR)

• set vpn l2tp remote-access dns-servers server-1 ###.###.###.### (Installed DNS server from Previous Step)

• set vpn l2tp remote-access dns-servers server-2 ###.###.###.### (Secondary DNS or SoftLayer DNS)

• set vpn l2tp remote-access outside-address ##.###.###.### (Vyatta bond1 IP)

• set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

• set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret (Enter Shared Secret Key)

• commit

• save

(D) Configure Firewall Groups

Create Network Group objects of IP address ranges from similar security zones.

• (if not still in configure mode) configure

• set firewall group network-group SLSERVICES

• set firewall group network-group SLSERVICES network 10.1.128.0/19

• set firewall group network-group SLSERVICES network 10.0.86.0/24

• set firewall group network-group SLSERVICES network 10.1.176.0/24

• set firewall group network-group SLSERVICES network 10.1.64.0/19

• set firewall group network-group SLSERVICES network 10.1.96.0/19

• set firewall group network-group SLSERVICES network 10.1.192.0/20

• set firewall group network-group SLSERVICES network 10.1.160.0/20

• set firewall group network-group SLSERVICES network 10.2.32.0/20

• set firewall group network-group SLSERVICES network 10.2.64.0/20

• set firewall group network-group SLSERVICES network 10.0.64.0/19

• set firewall group network-group SLSERVICES network 10.2.128.0/20

• set firewall group network-group SLSERVICES network 10.2.200.0/24

• set firewall group network-group SLSERVICES network 10.1.0.0/24

• set firewall group network-group SLSERVICES network 10.1.24.0/24

• set firewall group network-group SLSERVICES network 10.2.208.0/24

• set firewall group network-group SLSERVICES network 10.1.236.0/24

• set firewall group network-group SLSERVICES network 10.1.56.0/24

• set firewall group network-group SLSERVICES network 10.1.8.0/24

• set firewall group network-group SLSERVICES network 10.1.224.0/24

• set firewall group network-group SLSERVICES network 10.2.192.0/24

• set firewall group network-group SLSERVICES network 10.1.16.0/24

• set firewall group network-group 1101PRIMARY network ###.###.###.### (Primary Subnet 1101)

• set firewall group network-group 1101VMMGMT network ###.###.###.### (Portable Subnet 1101)

• set firewall group network-group 1102PRIMARY network ###.###.###.### (Primary Subnet 1102)

• set firewall group network-group 1102VMKISCSI network ###.###.###.### (Portable Subnet 1102)

• set firewall group network-group 1103VMACCESS network ###.###.###.### (Portable Subnet 1101)

• commit

• save

(E) Configure Firewall Name Rules

Define firewall rule sets for each direction of traffic.

• (if not still in configure mode) configure

• set firewall name INSIDE2OUTSIDE

• set firewall name INSIDE2OUTSIDE default-action drop

• set firewall name INSIDE2OUTSIDE rule 10 action accept

• set firewall name INSIDE2OUTSIDE rule 10 protocol all

• set firewall name INSIDE2OUTSIDE rule 10 source group network-group 1101VMMGMT

• set firewall name INSIDE2OUTSIDE rule 20 action accept

• set firewall name INSIDE2OUTSIDE rule 20 protocol all

• set firewall name INSIDE2OUTSIDE rule 20 source group network-group 1103VMACCESS

• set firewall name OUTSIDE2INSIDE

• set firewall name OUTSIDE2INSIDE default-action drop

• set firewall name OUTSIDE2INSIDE rule 10 action accept

• set firewall name OUTSIDE2INSIDE rule 10 protocol udp

• set firewall name OUTSIDE2INSIDE rule 20 action accept

• set firewall name OUTSIDE2INSIDE rule 20 protocol udp

• set firewall name OUTSIDE2INSIDE rule 20 destination port 4500

• set firewall name OUTSIDE2INSIDE rule 30 action accept

• set firewall name OUTSIDE2INSIDE rule 30 protocol udp

• set firewall name OUTSIDE2INSIDE rule 30 destination port 500

• set firewall name OUTSIDE2INSIDE rule 40 action accept

• set firewall name OUTSIDE2INSIDE rule 40 ipsec match-ipsec

• set firewall name OUTSIDE2INSIDE rule 50 action accept

• set firewall name OUTSIDE2INSIDE rule 50 protocol gre

• set firewall name OUTSIDE2INSIDE rule 60 action accept

• set firewall name OUTSIDE2INSIDE rule 60 protocol tcp

• set firewall name OUTSIDE2INSIDE rule 60 destination port 1723

• set firewall name OUTSIDE2INSIDE rule 70 action accept

• set firewall name OUTSIDE2INSIDE rule 70 protocol tcp

• set firewall name OUTSIDE2INSIDE rule 70 destination port 80

• set firewall name OUTSIDE2INSIDE rule 80 action accept

• set firewall name OUTSIDE2INSIDE rule 80 protocol tcp

• set firewall name OUTSIDE2INSIDE rule 80 destination port 443

• set firewall name OUTSIDE2INSIDE rule 90 action accept

• set firewall name OUTSIDE2INSIDE rule 90 state established enable

• set firewall name SLSERVICE2INSIDE

• set firewall name SLSERVICE2INSIDE default-action drop

• set firewall name SLSERVICE2INSIDE rule 10 action accept

• set firewall name SLSERVICE2INSIDE rule 10 protocol all

• set firewall name SLSERVICE2INSIDE rule 10 source group network-group SLSERVICES

• set firewall name INSIDE2SLSERVICE

• set firewall name INSIDE2SLSERVICE default-action drop

• set firewall name INSIDE2SLSERVICE rule 10 action accept

• set firewall name INSIDE2SLSERVICE rule 10 protocol all

• set firewall name INSIDE2SLSERVICE rule 10 destination group network-group SLSERVICES

• set firewall name L2TP2MGMT

• set firewall name L2TP2MGMT default-action drop

• set firewall name L2TP2MGMT rule 10 action accept

• set firewall name L2TP2MGMT rule 10 protocol all

• set firewall name L2TP2MGMT rule 10 source group network-group 1101VMMGMT

• set firewall name MGMT2L2TP

• set firewall name MGMT2L2TP default-action drop

• set firewall name MGMT2L2TP rule 10 action accept

• set firewall name MGMT2L2TP rule 10 protocol all

• set firewall name MGMT2L2TP rule 10 destination group network-group 1101VMMGMT

• set firewall name VMACCESS2MGMT

• set firewall name VMACCESS2MGMT default-action drop

• set firewall name VMACCESS2MGMT rule 10 action drop

• set firewall name VMACCESS2MGMT rule 10 protocol all

• set firewall name VMACCESS2MGMT rule 10 source group network-group 1103VMACCESS

• commit

• save

(F) Configure Zone bindings

• (if not still in configure mode) configure

• set zone-policy zone OUTSIDE description "Internet Zone"

• set zone-policy zone OUTSIDE default-action drop

• set zone-policy zone OUTSIDE interface bond1

• set zone-policy zone SLSERVICE description "SoftLayer Services"

• set zone-policy zone SLSERVICE default-action drop

• set zone-policy zone SLSERVICE interface bond0

• set zone-policy zone MGMT description "Management VMs & ESX Host Access"

• set zone-policy zone MGMT default-action drop

• set zone-policy zone MGMT interface bond0.1101

• set zone-policy zone VMACCESS description "VM Access"

• set zone-policy zone VMACCESS default-action drop

• set zone-policy zone VMACCESS interface bond0.1103

• set zone-policy zone L2TP description "Remote VPN Access"

• set zone-policy zone L2TP default-action drop

• set zone-policy zone L2TP interface l2tp+ (Error prompt can be ignored)

• commit

• save

(G) Configure Zone-Policy

• (if not still in configure mode) configure

• set zone-policy zone OUTSIDE from MGMT firewall name INSIDE2OUTSIDE

• set zone-policy zone OUTSIDE from VMACCESS firewall name INSIDE2OUTSIDE

• set zone-policy zone VMACCESS from OUTSIDE firewall name OUTSIDE2INSIDE

• set zone-policy zone MGMT from OUTSIDE firewall name OUTSIDE2INSIDE

• set zone-policy zone SLSERVICE from MGMT firewall name INSIDE2SLSERVICE

• set zone-policy zone MGMT from SLSERVICE firewall name SLSERVICE2INSIDE

• set zone-policy zone MGMT from L2TP firewall name L2TP2MGMT

• set zone-policy zone L2TP from MGMT firewall name MGMT2L2TP

• commit

• save
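
Because the group, rule-set and zone-policy steps in (D), (E) and (G) reference each other by name and a typo only surfaces as a silently dropped or silently admitted flow, it is worth linting the `set` lines before `commit`. The following is an added example written for this guide, not Vyatta or SoftLayer code: it reads a constructed excerpt of the commands above (the 1101VMMGMT prefix and the misspelt names are invented), reports zone bindings that name an undefined rule set, rules that name an undefined network-group, and accept rules applied to traffic from the OUTSIDE zone that no port, group, ipsec or state match narrows (as OUTSIDE2INSIDE rule 10 above, which admits all UDP).

```python
"""Lint Vyatta 'set' commands like those in this guide before 'commit'.
Added example, not Vyatta/SoftLayer code; CONFIG is a constructed excerpt."""
from collections import defaultdict

CONFIG = """
set firewall group network-group SLSERVICES network 10.1.128.0/19
set firewall group network-group 1101VMMGMT network 10.99.1.0/26
set firewall name OUTSIDE2INSIDE rule 10 action accept
set firewall name OUTSIDE2INSIDE rule 10 protocol udp
set firewall name OUTSIDE2INSIDE rule 20 action accept
set firewall name OUTSIDE2INSIDE rule 20 protocol udp
set firewall name OUTSIDE2INSIDE rule 20 destination port 4500
set firewall name L2TP2MGMT rule 10 action accept
set firewall name L2TP2MGMT rule 10 source group network-group 1101VMMGMT
set firewall name MGMT2L2TP rule 10 action accept
set firewall name MGMT2L2TP rule 10 destination group network-group 1103VMACCESS
set zone-policy zone MGMT from OUTSIDE firewall name OUTSIDE2INSIDE
set zone-policy zone MGMT from L2TP firewall name L2TP2MGMT
set zone-policy zone L2TP from MGMT firewall name MGMT2L2TP
set zone-policy zone VMACCESS from OUTSIDE firewall name OUTSIDE2INSDE
"""

def parse(text):
    rules = defaultdict(lambda: defaultdict(dict))  # name -> rule -> {attr: value}
    groups, names, bindings = set(), set(), []
    for line in text.strip().splitlines():
        w = line.split()
        if w[:3] == ["set", "firewall", "group"]:
            groups.add(w[4])
        elif w[:3] == ["set", "firewall", "name"]:
            names.add(w[3])
            if len(w) > 6 and w[4] == "rule":       # e.g. 'destination port 4500'
                rules[w[3]][w[5]][" ".join(w[6:-1])] = w[-1]
        elif w[:3] == ["set", "zone-policy", "zone"] and "firewall" in w:
            bindings.append((w[5], w[3], w[-1]))    # (from zone, to zone, rule set)
    return groups, names, rules, bindings

def lint(text, outside="OUTSIDE"):
    groups, names, rules, bindings = parse(text)
    out = [f"zone {to} from {frm}: firewall {fw} is not defined"
           for frm, to, fw in bindings if fw not in names]
    for fw, rs in rules.items():
        for num, a in sorted(rs.items(), key=lambda kv: int(kv[0])):
            out += [f"{fw} rule {num}: network-group {v} is not defined"
                    for k, v in a.items() if k.endswith("network-group") and v not in groups]
            # Port, source group, ipsec match or state narrow a rule; without one, an accept admits every flow of that protocol.
            narrowed = any(k.startswith(("destination port", "source", "ipsec", "state")) for k in a)
            if a.get("action") == "accept" and (outside, fw) in {(b[0], b[2]) for b in bindings} and not narrowed:
                out.append(f"{fw} rule {num}: accepts all {a.get('protocol', 'protocols')} from {outside}")
    return out
```

Paste the real `set` lines into CONFIG (or feed them from a file) and treat a non-empty result as a reason not to `commit`.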


(H) 'Route' Private & Public Subnets

After the Vyatta has been configured, the VLANs to be protected have to be routed to the Vyatta gateway.

This process disables the existing SoftLayer default routing: the existing default gateways are removed from the VLANs (this is why the same default gateway IP addresses were assigned to the Vyatta bond0.#### interfaces).

Ensure the Vyatta configuration is correct, as connectivity to the subnets located in each VLAN may be lost if the configuration is not correct.

http://knowledgelayer.softlayer.com/faqs/266

• Utilize the portal at https://manage.softlayer.com, Private Network > Gateway Appliances -> [gateway appliance]

• Navigate to the Associated VLANs section & select Action = Route.

• This task will trunk the VLANs and hand off routing of the associated subnets to the Vyatta.

If all steps have been completed properly, a functional basic vSphere implementation should now exist within your SoftLayer data center.