10.2.3.2. Address group setting¶
Operation Confirmed Version |
---|
Brocade 5600vRouter Version4.2R1S1 |
What is an address group?
Note
Up to 32 address groups can be set. Groups beyond this number cannot be created.
Setting for grouping multiple IP addresses¶
Presumed case for sample setting
To create a group composed of IP addresses “192.168.2.12” and “192.168.2.13”
To name the address group g1
Command to be entered with CLI
set resources group address-group g1 address '192.168.2.12'
set resources group address-group g1 address '192.168.2.13'
resources {
    group {
        address-group g1 {
            address 192.168.2.12
            address 192.168.2.13
        }
    }
}
Setting for adding one IP address to multiple groups¶
Presumed case for sample setting
To create a group composed of IP addresses “192.168.2.12” and “192.168.2.13”
To name the address group above g1
To create a group composed of IP addresses “192.168.2.12” and “192.168.2.6”
To name the address group above g2
Command to be entered with CLI
set resources group address-group g1 address '192.168.2.12'
set resources group address-group g1 address '192.168.2.13'
set resources group address-group g2 address '192.168.2.12'
set resources group address-group g2 address '192.168.2.6'
resources {
    group {
        address-group g1 {
            address 192.168.2.12
            address 192.168.2.13
        }
        address-group g2 {
            address 192.168.2.12
            address 192.168.2.6
        }
    }
}
Setting for grouping a range (network) of IP addresses¶
Presumed case for sample setting
To create one address group containing the IP address ranges (networks) “192.168.2.4/30” and “192.168.2.12/30”
To name the address group above g3
Command to be entered with CLI
set resources group address-group g3 address '192.168.2.4/30'
set resources group address-group g3 address '192.168.2.12/30'
resources {
    group {
        address-group g3 {
            address 192.168.2.4/30
            address 192.168.2.12/30
        }
    }
}
Setting for using a created group for packet filtering¶
Note
An address group acts as a list of registered IP addresses and networks. Grouping lets you apply a policy to the whole list instead of repeating it per address.
Presumed case for sample setting
To forward only communications originating from IP addresses “192.168.2.6” and “192.168.2.13”
To register the addresses above as an address group
To apply this to traffic input on interface “dp0s5”
To discard all communications originating from IP addresses that do not belong to the address group
Setting flow in a presumed case
Command to be entered with CLI
set interfaces dataplane dp0s5 firewall in 'test_rule'
set resources group address-group g1 address '192.168.2.13'
set resources group address-group g1 address '192.168.2.6'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 source address 'g1'
Note
To apply the same policy in the output direction, attach the rule set to the dp0s6 interface in the form “firewall out test_rule”.
interfaces {
    dataplane dp0s4 {
        address 192.168.1.50/24
    }
    dataplane dp0s5 {
        address 192.168.2.50/24
        firewall {
            in test_rule
        }
    }
    dataplane dp0s6 {
        address 192.168.3.5/24
    }
}
resources {
    group {
        address-group g1 {
            address 192.168.2.13
            address 192.168.2.6
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action drop
            rule 10 {
                action accept
                source {
                    address g1
                }
            }
        }
    }
}
Operation check result
#From 192.168.2.6 -> OK
test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=3.07 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=1.19 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.78 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=1.43 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=1.78 ms
64 bytes from 192.168.3.3: icmp_seq=6 ttl=63 time=1.31 ms
64 bytes from 192.168.3.3: icmp_seq=7 ttl=63 time=1.56 ms
64 bytes from 192.168.3.3: icmp_seq=8 ttl=63 time=1.54 ms
64 bytes from 192.168.3.3: icmp_seq=9 ttl=63 time=1.48 ms
^C
--- 192.168.3.3 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8013ms
rtt min/avg/max/mdev = 1.194/1.684/3.071/0.524 ms
#From 192.168.2.12 -> NG
test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7055ms
Setting for using a created group for NAT¶
Presumed case for sample setting
To apply source NAT to communications originating from IP addresses “192.168.2.6” and “192.168.2.12”
To register the addresses above as an address group
To apply this to traffic output from interface “dp0s6”
Setting flow in a presumed case
Command to be entered with CLI
set resources group address-group g1 address '192.168.2.6'
set resources group address-group g1 address '192.168.2.12'
set service nat source rule 10 outbound-interface 'dp0s6'
set service nat source rule 10 source address 'g1'
set service nat source rule 10 translation address 'masquerade'
set service nat destination rule 10 destination address '192.168.2.50'
set service nat destination rule 10 inbound-interface 'dp0s5'
set service nat destination rule 10 translation address '192.168.3.3'
resources {
    group {
        address-group g1 {
            address 192.168.2.6
            address 192.168.2.12
        }
    }
}
service {
    nat {
        destination {
            rule 10 {
                destination {
                    address 192.168.2.50
                }
                inbound-interface dp0s5
                translation {
                    address 192.168.3.3
                }
            }
        }
        source {
            rule 10 {
                outbound-interface dp0s6
                source {
                    address g1
                }
                translation {
                    address masquerade
                }
            }
        }
    }
}
Operation check result
Note
For NAT operations and configuration, see the descriptions for the NAT function in the network function setting example.
#From client
test@ubu01:~$ wget -O - http://192.168.2.50/ > /dev/null
--2016-07-29 13:46:17-- http://192.168.2.50/
192.168.2.50:80 Connecting ... Connected
200 OK
Length: 616 [text/html]
Save `STDOUT'
100%[========================================================================================================================================================================================================>] 616 --.-K/s Time 0s
2016-07-29 13:46:17 (161 MB/s) - stdout へ出力完了 [616/616]
#web access
test@web1:~$ tail /usr/local/nginx/logs/access.log
192.168.2.6 - - [26/Jul/2016:11:29:10 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.2.6 - - [29/Jul/2016:10:50:25 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.3.5 - - [29/Jul/2016:10:53:59 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.3.5 - - [29/Jul/2016:11:40:57 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.3.5 - - [29/Jul/2016:13:46:16 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
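The packet-filtering and source NAT examples above both resolve a rule's `source address` through the same address-group lookup, and the note at the top of the page caps the number of groups at 32. The following Python script is an added example, not code from this page or from the vRouter product: it parses a constructed set of `set` commands (the firewall example's g1, with the NAT source rule pointed at that same g1 and a g3 network group added), evaluates which source addresses test_rule accepts on dp0s5 and which are masqueraded on dp0s6, and flags a configuration that exceeds the group limit or references an address group that was never defined. The matching logic (first matching rule wins, an interface with no rule set attached passes traffic) is this example's own simplification of the behaviour shown in the operation check results, not a specification of the router.

```python
import ipaddress
from collections import defaultdict

MAX_ADDRESS_GROUPS = 32  # limit stated in the note at the top of the page

# Constructed sample: the firewall example's commands, plus a NAT source rule
# that reuses g1 and a g3 network group so CIDR membership is exercised too.
SAMPLE_COMMANDS = """
set interfaces dataplane dp0s5 firewall in 'test_rule'
set resources group address-group g1 address '192.168.2.13'
set resources group address-group g1 address '192.168.2.6'
set resources group address-group g3 address '192.168.2.4/30'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 source address 'g1'
set service nat source rule 10 outbound-interface 'dp0s6'
set service nat source rule 10 source address 'g1'
set service nat source rule 10 translation address 'masquerade'
"""


def parse_set_commands(text):
    """Parse the subset of 'set' commands used on this page into a dict."""
    cfg = {"groups": defaultdict(list), "firewall": {}, "iface_fw": {}, "snat": {}}
    for line in text.strip().splitlines():
        tok = [t.strip("'") for t in line.split()]
        if len(tok) < 7 or tok[0] != "set":
            continue
        if tok[1:4] == ["resources", "group", "address-group"]:
            # set resources group address-group <name> address <host|prefix>
            # strict=True (default) so a prefix with host bits set raises
            # instead of being silently widened to the containing network.
            cfg["groups"][tok[4]].append(ipaddress.ip_network(tok[6]))
        elif tok[1:3] == ["interfaces", "dataplane"] and tok[4] == "firewall":
            # set interfaces dataplane <if> firewall <in|out> <ruleset>
            cfg["iface_fw"][(tok[3], tok[5])] = tok[6]
        elif tok[1:4] == ["security", "firewall", "name"]:
            rs = cfg["firewall"].setdefault(tok[4], {"default": "drop", "rules": {}})
            if tok[5] == "default-action":
                rs["default"] = tok[6]
            elif tok[5] == "rule" and len(tok) >= 9:
                rule = rs["rules"].setdefault(int(tok[6]), {})
                if tok[7] == "action":
                    rule["action"] = tok[8]
                elif tok[7:9] == ["source", "address"] and len(tok) >= 10:
                    rule["source"] = tok[9]  # group name or literal address
        elif tok[1:5] == ["service", "nat", "source", "rule"] and len(tok) >= 8:
            rule = cfg["snat"].setdefault(int(tok[5]), {})
            if tok[6] == "outbound-interface":
                rule["out_if"] = tok[7]
            elif tok[6:8] == ["source", "address"] and len(tok) >= 9:
                rule["source"] = tok[8]
            elif tok[6:8] == ["translation", "address"] and len(tok) >= 9:
                rule["translation"] = tok[8]
    return cfg


def address_matches(cfg, spec, ip):
    """True if ip is covered by address group 'spec' or by the literal spec."""
    addr = ipaddress.ip_address(ip)
    nets = cfg["groups"].get(spec) or [ipaddress.ip_network(spec)]
    return any(addr in net for net in nets)


def firewall_verdict(cfg, iface, direction, src_ip):
    """Assumption: first matching rule wins; no rule set attached means pass."""
    name = cfg["iface_fw"].get((iface, direction))
    if name is None:
        return "accept"
    rs = cfg["firewall"][name]
    for num in sorted(rs["rules"]):
        rule = rs["rules"][num]
        if "source" in rule and not address_matches(cfg, rule["source"], src_ip):
            continue
        return rule.get("action", rs["default"])
    return rs["default"]


def snat_translation(cfg, out_iface, src_ip):
    """Return the translation applied on out_iface for src_ip, or None."""
    for num in sorted(cfg["snat"]):
        rule = cfg["snat"][num]
        if rule.get("out_if") != out_iface:
            continue
        if "source" in rule and not address_matches(cfg, rule["source"], src_ip):
            continue
        return rule.get("translation")
    return None


def lint(cfg):
    """Findings a reviewer would want before committing this configuration."""
    findings = []
    if len(cfg["groups"]) > MAX_ADDRESS_GROUPS:
        findings.append(f"{len(cfg['groups'])} address groups defined; limit is {MAX_ADDRESS_GROUPS}")
    refs = [r.get("source") for rs in cfg["firewall"].values() for r in rs["rules"].values()]
    refs += [r.get("source") for r in cfg["snat"].values()]
    for ref in refs:
        if ref and ref not in cfg["groups"]:
            try:
                ipaddress.ip_network(ref)  # a literal address is fine
            except ValueError:
                findings.append(f"rule references undefined address group '{ref}'")
    return findings


if __name__ == "__main__":
    cfg = parse_set_commands(SAMPLE_COMMANDS)
    for ip in ("192.168.2.6", "192.168.2.12"):
        print(ip, "in on dp0s5 ->", firewall_verdict(cfg, "dp0s5", "in", ip),
              "| out via dp0s6 SNAT ->", snat_translation(cfg, "dp0s6", ip))
    print("lint findings:", lint(cfg))
```

Running the script reproduces the operation check results above: 192.168.2.6 is accepted on dp0s5 and masqueraded when leaving dp0s6, while 192.168.2.12, which is not in g1, hits the default-action drop and is not translated. Because the `lint` step catches a rule whose `source address` names a group that does not exist, it is worth running on the `set` commands before `commit`; a typo in a group name otherwise leaves the accept rule matching nothing, and the default drop silently discards the traffic you meant to allow.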