Policy Based Routing HPE Aruba 3800 series

Today I was busy with some Policy Based Routing (PBR) on an HPE Aruba 3800 series switch.

Situation:

(diagram: pbr-3800)

The default gateway is set to 172.16.1.1, which is ISP A, a line dedicated to business traffic.

So in the config of the switch:

ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip routing

Let's assume that we have another ISP, named B, which needs to be used for Office 365, in particular Exchange Online. Of course the best option would be to change the default gateway, because Microsoft has a lot of IP addresses which change on a regular basis. So my advice would be to set the default gateway to ISP B and make a PBR for the things that should go to ISP A. Users of VLAN 5 need to have this in place.

We start by creating a class which contains the IPv4 addresses for Exchange Online listed on this Microsoft page. The class name is case sensitive. Also note that we can't use normal subnet masks (the switch accepts them, but the matching does not work); we have to use wildcard masks here, i.e. the bitwise inverse of the subnet mask.

class ipv4 "Office365-Subnets"
5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63
exit
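As an added example (not code from the original post), here is a small Python helper that turns a CIDR list, as Microsoft publishes it, into the class body above with wildcard masks, and checks an existing match line for two mistakes the switch accepts without complaint: a subnet mask used in place of a wildcard, and a base address that is not aligned to its wildcard (which matches a different range than intended).

```python
# Added example (not from the original post): generate HPE Aruba "class ipv4"
# match statements with wildcard masks from a CIDR list, and validate that an
# existing match line uses a wildcard that fits its base address.
import ipaddress

def cidr_to_wildcard(cidr: str) -> tuple[str, str]:
    """Return (network address, wildcard mask) for a CIDR prefix.
    The wildcard is the bitwise inverse of the subnet mask, as in the
    IPv4 translation table (e.g. /20 -> 0.0.15.255)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def aruba_class(name: str, cidrs: list[str], start: int = 5, step: int = 5) -> list[str]:
    """Build the class body: any source (0.0.0.0 255.255.255.255) to each destination."""
    lines = [f'class ipv4 "{name}"']
    seq = start
    for cidr in cidrs:
        net, wildcard = cidr_to_wildcard(cidr)
        lines.append(f"{seq} match ip 0.0.0.0 255.255.255.255 {net} {wildcard}")
        seq += step
    lines.append("exit")
    return lines

def is_valid_match(line: str) -> bool:
    """Check one 'N match ip SRC SRCWC DST DSTWC' line: each wildcard must be a
    contiguous inverse mask (2^k - 1) and the base address must have zero bits
    under it; otherwise the switch matches a different range than intended."""
    parts = line.split()
    if len(parts) != 7 or parts[1:3] != ["match", "ip"]:
        return False
    for base, wildcard in ((parts[3], parts[4]), (parts[5], parts[6])):
        b = int(ipaddress.IPv4Address(base))
        w = int(ipaddress.IPv4Address(wildcard))
        contiguous = (w + 1) & w == 0      # true only for 0, 1, 3, 7, ... 2^32-1
        if not contiguous or b & w != 0:   # a subnet mask like 255.255.240.0 fails here
            return False
    return True
```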

Now that we have a class, we can bind it in a policy and set the next-hop to 172.16.1.2.

policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

Since HPE's implementation requires the policy to be bound to a VLAN, and so far we have only created the policy without binding it anywhere, we have to do the following:

vlan 5
   name "test"
   untagged 1
   ip address 192.168.1.0 255.255.255.0
   service-policy "POL-Office365-Subnets" in
   exit

Keep in mind that you can only bind one PBR policy to a VLAN. If you enter another service-policy command, e.g. service-policy "POL-test" in, you won't get a warning: the new policy simply overrides the existing one. Also, a PBR policy can only be applied to packets entering (in) a VLAN.

Some show commands:

show policy POL-Office365-Subnets

Output:
Statements for policy "POL-Office365-Subnets"
policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

show statistics policy POL-Office365-Subnets vlan 5 in

Output:
 Hit Counts for Policy POL-Office365-Subnets

  Total

 5 class ipv4 Office365-Subnets action ignore
(       0 )      5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
(       0 )      10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
(       0 )      15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
(       0 )      20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
(       0 )      25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
(       0 )      30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
(       0 )      35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
(       0 )      40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
(       0 )      45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
(       0 )      50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
(       0 )      55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
(       0 )      60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
(       0 )      65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
(       0 )      70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
(       0 )      75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
(       0 )      80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
(       0 )      85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
(       0 )      90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
(       0 )      95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
(       0 )      100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
(       0 )      105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
(       0 )      110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
(       0 )      115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
(       0 )      120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
(       0 )      125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
(       0 )      130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
(       0 )      135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
(       0 )      140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
(       0 )      145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
(       0 )      150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
(       0 )      155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
(       0 )      160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
(       0 )      165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
(       0 )      170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
(       0 )      175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
(       0 )      180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
(       0 )      185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
(       0 )      190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
(       0 )      195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
(       0 )      200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
(       0 )      205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
(       0 )      210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
(       0 )      215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
(       0 )      220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63

IPv4 Translation Table

Netmask          Inverse (wildcard)  CIDR  Usable hosts   Size
255.255.255.255  0.0.0.0             /32   1              1 host
255.255.255.254  0.0.0.1             /31   0              2 hosts
255.255.255.252  0.0.0.3             /30   2              4 hosts
255.255.255.248  0.0.0.7             /29   6              8 hosts
255.255.255.240  0.0.0.15            /28   14             16 hosts
255.255.255.224  0.0.0.31            /27   30             32 hosts
255.255.255.192  0.0.0.63            /26   62             64 hosts
255.255.255.128  0.0.0.127           /25   126            128 hosts
255.255.255.0    0.0.0.255           /24   254            1 class C
255.255.254.0    0.0.1.255           /23   510            2 class Cs
255.255.252.0    0.0.3.255           /22   1,022          4 class Cs
255.255.248.0    0.0.7.255           /21   2,046          8 class Cs
255.255.240.0    0.0.15.255          /20   4,094          16 class Cs
255.255.224.0    0.0.31.255          /19   8,190          32 class Cs
255.255.192.0    0.0.63.255          /18   16,382         64 class Cs
255.255.128.0    0.0.127.255         /17   32,766         128 class Cs
255.255.0.0      0.0.255.255         /16   65,534         1 class B
255.254.0.0      0.1.255.255         /15   131,070        2 class Bs
255.252.0.0      0.3.255.255         /14   262,142        4 class Bs
255.248.0.0      0.7.255.255         /13   524,286        8 class Bs
255.240.0.0      0.15.255.255        /12   1,048,574      16 class Bs
255.224.0.0      0.31.255.255        /11   2,097,150      32 class Bs
255.192.0.0      0.63.255.255        /10   4,194,302      64 class Bs
255.128.0.0      0.127.255.255       /9    8,388,606      128 class Bs
255.0.0.0        0.255.255.255       /8    16,777,214     1 class A
254.0.0.0        1.255.255.255       /7    33,554,430     2 class As
252.0.0.0        3.255.255.255       /6    67,108,862     4 class As
248.0.0.0        7.255.255.255       /5    134,217,726    8 class As
240.0.0.0        15.255.255.255      /4    268,435,454    16 class As
224.0.0.0        31.255.255.255      /3    536,870,910    32 class As
192.0.0.0        63.255.255.255      /2    1,073,741,822  64 class As
128.0.0.0        127.255.255.255     /1    2,147,483,646  128 class As
0.0.0.0          255.255.255.255     /0    4,294,967,294  any

Cisco FirePower Management Center 6.0.0 Password

In previous versions of Cisco FirePower Management Center (< 5.x) the default credentials were:

Username: admin
Password: Sourcefire

From version 6 onwards the default password has changed and is not (yet) listed in the Cisco documentation:

Username: admin
Password: Admin123

NetScaler: Configuring ActiveSync Filtering with XenMobile XNC

When you have the XenMobile NetScaler Connector (XNC), it is possible to filter ActiveSync requests going through the NetScaler.

It works as follows:

  1. The NetScaler appliance sits between the client and the XNC and CAS servers.
  2. All requests from the client devices go to the NetScaler appliance.
  3. The NetScaler then sends a request to the XNC with the device details to retrieve information about the device, whether the device is a whitelisted one or a blacklisted one.
  4. Based on the response from the XNC, the NetScaler either drops the connection from a blacklisted device or forwards the request from a whitelisted device to the backend server.

You need the following features on the NetScaler, configured properly:

  • Load Balancing
  • SSL
  • HTTP Callout
  • Responder
  • Integrated Caching (IC)

This means that you need NetScaler Enterprise + IC or NetScaler Platinum.

Integrated Caching is needed for performance reasons: with IC, the NetScaler can store the callout response from the XNC in its local cache. For subsequent requests from the same device, the NetScaler reuses the stored callout response to decide locally whether to drop the connection or forward the request.

The process described above, now at a technical level:

  1. First, an ActiveSync request is sent from the client to the NetScaler.
  2. Then, the NetScaler sends a request to the XNC server for information on the client device details.
  3. Then, the XNC server sends its response (allow or deny) to the NetScaler.
  4. If the request is allowed, NetScaler forwards it to the server. If the response is deny, NetScaler drops the request.
  5. For a request that is allowed, the NetScaler sends the server's response to the client.

Example:

  • MIP: 10.100.100.11
  • VIP: 10.100.100.21
  • Exchange CAS: 10.100.100.31
  • XNC: 10.100.100.41

Below is an example configuration:

Step 1
enable ns feature LB SSL IC RESPONDER
add ns ip 10.100.100.11 255.255.255.0 -type MIP

Step 2
add service XNC1 10.100.100.41 HTTP 9080
add lb vserver active_sync_filter_vserver HTTP 0.0.0.0 0
bind lb vserver active_sync_filter_vserver XNC1

Step 3
add service CAS1 10.100.100.31 SSL 443
add lb vserver ExchangeCAS SSL 10.100.100.21 443
bind lb vserver ExchangeCAS CAS1

Step 4
add ssl certKey customercert -cert "/nsconfig/ssl/customercert.cert" -key "/nsconfig/ssl/customercert.key"
bind ssl vserver ExchangeCAS -certkeyName customercert

Step 5
add policy httpCallout active_sync_filter
add policy httpCallout active_sync_filter_deviceid

Step 6
set policy httpCallout active_sync_filter -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") -resultExpr "HTTP.RES.BODY(20)"

Step 7
set policy httpCallout active_sync_filter_deviceid -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -resultExpr "HTTP.RES.BODY(20)"

Step 8
add responder policy active_sync_filter "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

Step 9
add responder policy active_sync_filter_deviceid "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\") && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

If you have NetScaler Gateway or NetScaler Standard you can still use the XNC, but it can have a significant performance impact because every request needs to go to the backend server. See step 18.

Step 10
set cache parameter -memLimit 200 -via "NS-CACHE-10.1: 180"
add cache selector Url_Match "HTTP.REQ.URL.QUERY.VALUE(\"url\")"

Step 11
add cache selector DeviceId_Match HTTP.REQ.URL.PATH HTTP.REQ.HOSTNAME "HTTP.REQ.URL.QUERY.VALUE(\"DeviceId\") + \"-\" + HTTP.REQ.URL.QUERY.VALUE(\"user\")"

Step 12
add cache contentGroup Req_with_DeviceId -relExpiry 300 -hitSelector DeviceId_Match

Step 13
add cache contentGroup Req_without_DeviceId -relExpiry 300 -hitSelector Url_Match

Step 14
add cache policy cache_req_with_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\")" -action CACHE -storeInGroup Req_with_DeviceId

Step 15
add cache policy cache_req_without_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.QUERY.CONTAINS(\"url\")" -action CACHE -storeInGroup Req_without_DeviceId

Step 16
bind lb vserver active_sync_filter_vserver -policyName cache_req_without_DeviceId -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver active_sync_filter_vserver -policyName cache_req_with_DeviceId -priority 100 -gotoPriorityExpression END -type REQUEST

Step 17
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST

Step 18 (WITHOUT IC license)
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST
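As an added example (not code from this post or from Citrix), the following Python model walks the decision path that the expressions in steps 6 to 13 encode: the callout parameters built from the client request, the responder rule that drops unless the callout body contains "allow", and the cache keyed by DeviceId-user or by the encoded url. The XNC is replaced by a constructed lookup table and the NetScaler cache by a dictionary; it also shows the consequence of -relExpiry 300: a cached verdict stays in force until the entry expires.

```python
import base64
import time
from urllib.parse import parse_qs

# Constructed stand-in for the XNC: verdict per DeviceId; unknown devices are denied.
XNC_DEVICES = {"ABC123": "allow", "BAD999": "deny"}
# Constructed client request headers (keys lowercased); "alice:secret" in Basic auth.
SAMPLE_HEADERS = {"authorization": "Basic " + base64.b64encode(b"alice:secret").decode(),
                  "user-agent": "Apple-iPhone"}

def xnc_authorize(params: dict) -> str:
    """Stub for the callout to /services/ActiveSync/Authorize (constructed).
    Requests without a DeviceId (initial provisioning) are allowed here."""
    if "DeviceId" not in params:
        return '{"status": "allow"}'
    return '{"status": "%s"}' % XNC_DEVICES.get(params["DeviceId"], "deny")

def callout_params(host: str, url: str, headers: dict) -> dict:
    """Build the -parameters of steps 6 and 7 from the client request."""
    auth = headers.get("authorization", "")
    creds = auth.split("Basic ", 1)[1] if "Basic " in auth else ""
    user = base64.b64decode(creds).decode(errors="replace").split(":", 1)[0] if creds else ""
    params = {"user": user, "agent": headers.get("user-agent", ""),
              "url": base64.b64encode(("https://" + host + url).encode()).decode()}
    q = parse_qs(url.partition("?")[2])
    if "DeviceId" in q:
        params["DeviceId"] = q["DeviceId"][0]
    return params

def responder_decision(method, host, url, headers, cache, now=None) -> str:
    """Apply the responder rules of steps 8/9 with the cache of steps 10-13.
    Returns 'DROP' or 'FORWARD'; cache maps selector key -> (body, timestamp)."""
    now = time.time() if now is None else now
    path = url.partition("?")[0]
    if (method != "POST" or not path.startswith("/Microsoft-Server-ActiveSync")
            or host == "callout.asfilter.internal"):
        return "FORWARD"                        # rules 8/9 do not match: no callout
    params = callout_params(host, url, headers)
    # Hit selector: DeviceId-user when present (step 11), else the encoded url (step 10)
    key = params["DeviceId"] + "-" + params["user"] if "DeviceId" in params else params["url"]
    hit = cache.get(key)
    if hit is None or now - hit[1] > 300:       # -relExpiry 300 (steps 12/13)
        hit = (xnc_authorize(params)[:20], now) # -resultExpr HTTP.RES.BODY(20)
        cache[key] = hit
    # DROP when the body does not contain "allow" (SET_TEXT_MODE(IGNORECASE))
    return "FORWARD" if "allow" in hit[0].lower() else "DROP"
```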